1.0.0 Release IaaS

ansible/roles/fw/tasks/services/set_bind.yaml

@@ -0,0 +1,103 @@
+---
+- name: Check bind9 installation
+  ansible.builtin.shell: |
+    command -v named
+  become: true # named is located in /usr/sbin, which means root permission is needed.
+  changed_when: false
+  failed_when: false
+  register: "is_bind_installed"
+  ignore_errors: true
+
+- name: Set bind9 zone files
+  ansible.builtin.set_fact:
+    bind_zone_files:
+      - "db.ilnmors.internal"
+      - "db.ilnmors.com"
+      - "db.1.168.192.in-addr.arpa"
+      - "db.10.168.192.in-addr.arpa"
+      - "db.1.00df.ip6.arpa"
+      - "db.10.00df.ip6.arpa"
+
+- name: Install bind9
+  ansible.builtin.apt:
+    name: "bind9"
+    state: "present"
+  become: true
+  when: is_bind_installed.rc != 0
+
+- name: Deploy acem.key
+  ansible.builtin.copy:
+    content: "{{ hostvars['console']['bind']['acme_key'] }}"
+    dest: "/etc/bind/acme.key"
+    owner: "bind"
+    group: "bind"
+    mode: "0640"
+  become: true
+  notify: "notification_restart_bind"
+  no_log: true
+
+- name: Deploy db files
+  ansible.builtin.copy:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/bind/lib/{{ item }}"
+    dest: "/var/lib/bind/{{ item }}"
+    owner: "bind"
+    group: "bind"
+    mode: "0640"
+  loop: "{{ bind_zone_files }}"
+  become: true
+  notify: "notification_restart_bind"
+  no_log: true
+
+- name: Clean BIND journal files
+  ansible.builtin.file:
+    path: "/var/lib/bind/{{ item }}.jnl"
+    state: absent
+  loop: "{{ bind_zone_files }}"
+  become: true
+  notify: "notification_restart_bind"
+  no_log: true
+
+- name: Deploy named.conf
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/bind/etc/named.conf.j2"
+    dest: "/etc/bind/named.conf"
+    owner: "root"
+    group: "bind"
+    mode: "0640"
+    validate: "/usr/bin/named-checkconf -z %s"
+  become: true
+  notify: "notification_restart_bind"
+  no_log: true
+
+- name: Create named.service.d
+  ansible.builtin.file:
+    path: "/etc/systemd/system/named.service.d"
+    state: "directory"
+    owner: "root"
+    group: "root"
+    mode: "0755"
+  become: true
+
+- name: Set named.service.d/override.conf
+  ansible.builtin.copy:
+    dest: "/etc/systemd/system/named.service.d/override.conf"
+    content: |
+      [Service]
+      Restart=always
+      RestartSec=60
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  become: true
+  notify: "notification_restart_bind"
+
+- name: Enable bind9 service
+  ansible.builtin.systemd:
+    name: "named.service"
+    state: "started"
+    enabled: true
+  become: true
+
+# Verify working
+# dig A fw.ilnmors.internal @fd00:10::3
+# dig AAAA fw.ilnmors.internal @fd00:10::3

ansible/roles/fw/tasks/services/set_blocky.yaml

@@ -0,0 +1,117 @@
+---
+- name: Gather system facts (hardware)
+  ansible.builtin.setup:
+    gather_subset:
+      - hardware
+  become: true
+
+- name: Create blocky group
+  ansible.builtin.group:
+    name: "blocky"
+    gid: 953
+    state: "present"
+  become: true
+
+- name: Create blocky user
+  ansible.builtin.user:
+    name: "blocky"
+    uid: 953
+    group: "blocky"
+    shell: "/usr/sbin/nologin"
+    password_lock: true
+    comment: "Blocky DNS User"
+    state: "present"
+  become: true
+
+- name: Create blocky etc directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    owner: "blocky"
+    group: "blocky"
+    mode: "0750"
+    state: "directory"
+  loop:
+    - "/etc/blocky"
+    - "/etc/blocky/ssl"
+  become: true
+
+- name: Deploy blocky binary file (x86_64)
+  ansible.builtin.unarchive:
+    src: "{{ hostvars['console']['node']['data_path'] }}/bin/blocky-{{ version['packages']['blocky'] }}-x86_64.tar.gz"
+    dest: "/usr/local/bin/"
+    owner: "root"
+    group: "root"
+    mode: "0755"
+    extra_opts:
+      - "--strip-components=0"
+      - "--wildcards"
+      - "blocky"
+  become: true
+  when: ansible_facts['architecture'] == "x86_64"
+  notify: "notification_restart_blocky"
+
+- name: Deploy blocky binary file (aarch64)
+  ansible.builtin.unarchive:
+    src: "{{ hostvars['console']['node']['data_path'] }}/bin/blocky-{{ version['packages']['blocky'] }}-arm64.tar.gz"
+    dest: "/usr/local/bin/"
+    owner: "root"
+    group: "root"
+    mode: "0755"
+    extra_opts:
+      - "--strip-components=0"
+      - "--wildcards"
+      - "blocky"
+  become: true
+  when: ansible_facts['architecture'] == "aarch64"
+  notify: "notification_restart_blocky"
+
+- name: Deploy blocky config
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/blocky/etc/config.yaml.j2"
+    dest: "/etc/blocky/config.yaml"
+    owner: "blocky"
+    group: "blocky"
+    mode: "0640"
+  become: true
+  notify: "notification_restart_blocky"
+  no_log: true
+
+- name: Deploy blocky certificate and key
+  ansible.builtin.copy:
+    content: |
+      {{ item.value }}
+    dest: "/etc/blocky/ssl/{{ item.name }}"
+    owner: "blocky"
+    group: "blocky"
+    mode: "{{ item.mode }}"
+  loop:
+    - name: "blocky.crt"
+      value: |
+        {{ hostvars['console']['blocky']['crt'] | trim }}
+        {{ hostvars['console']['ca']['intermediate']['crt'] }}
+      mode: "0440"
+    - name: "blocky.key"
+      value: "{{ hostvars['console']['blocky']['key'] }}"
+      mode: "0400"
+  become: true
+  notify: "notification_restart_blocky"
+  no_log: true
+
+- name: Deploy blocky service
+  ansible.builtin.copy:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/blocky/blocky.service"
+    dest: "/etc/systemd/system/blocky.service"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+    validate: "/usr/bin/systemd-analyze verify %s"
+  become: true
+  notify: "notification_restart_blocky"
+
+- name: Enable blocky service
+  ansible.builtin.systemd:
+    name: "blocky.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+  become: true

ansible/roles/fw/tasks/services/set_chrony.yaml

@@ -0,0 +1,55 @@
+---
+- name: Check chrnoy installation
+  ansible.builtin.shell: |
+    command -v chronyc
+  changed_when: false
+  failed_when: false
+  register: "is_chrony_installed"
+  ignore_errors: true
+
+- name: Install chrony
+  ansible.builtin.apt:
+    name: "chrony"
+    state: "present"
+  become: true
+  when: is_chrony_installed.rc != 0
+
+- name: Deploy local acl file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/chrony/local-acl.conf.j2"
+    dest: "/etc/chrony/conf.d/local-acl.conf"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  become: true
+  notify: "notification_restart_chrony"
+
+- name: Create chrony.service.d
+  ansible.builtin.file:
+    path: "/etc/systemd/system/chrony.service.d"
+    state: "directory"
+    owner: "root"
+    group: "root"
+    mode: "0755"
+  become: true
+
+- name: Set chrony.service.d/override.conf
+  ansible.builtin.copy:
+    dest: "/etc/systemd/system/chrony.service.d/override.conf"
+    content: |
+      [Service]
+      Restart=always
+      RestartSec=60
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  become: true
+  notify: "notification_restart_chrony"
+
+- name: Enable chrony service
+  ansible.builtin.systemd:
+    name: "chrony.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+  become: true

ansible/roles/fw/tasks/services/set_ddns.yaml

@@ -0,0 +1,41 @@
+---
+- name: Create ddns secret env file
+  ansible.builtin.copy:
+    content: |
+      ZONE_ID={{ hostvars['console']['ddns']['zone_id'] }}
+      API_KEY={{ hostvars['console']['ddns']['api_key'] }}
+    dest: "/etc/secrets/{{ node['uid'] }}/ddns.env"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0400"
+  become: true
+  no_log: true
+
+- name: Deploy ddns script
+  ansible.builtin.copy:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/ddns/ddns.sh"
+    dest: "/usr/local/bin"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0711"
+  become: true
+
+- name: Deploy ddns service files
+  ansible.builtin.copy:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/ddns/{{ item }}"
+    dest: "{{ node['home_path'] }}/.config/systemd/user/{{ item }}"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0600"
+    validate: "/usr/bin/systemd-analyze verify %s"
+  loop:
+    - "ddns.service"
+    - "ddns.timer"
+
+- name: Register ddns timer
+  ansible.builtin.systemd:
+    name: "ddns.timer"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"

ansible/roles/fw/tasks/services/set_kea.yaml

@@ -0,0 +1,57 @@
+---
+- name: Check Kea dhcp4 installation
+  ansible.builtin.shell: |
+    command -v kea-dhcp4
+  become: true # kea-dhcp4 is located in /usr/sbin, which means root permission is needed.
+  changed_when: false
+  failed_when: false
+  register: "is_kea4_installed"
+  ignore_errors: true
+
+- name: Install kea dhcp 4
+  ansible.builtin.apt:
+    name:
+      - "kea-dhcp4-server"
+    state: "present"
+  become: true
+  when: is_kea4_installed.rc != 0
+
+- name: Deploy kea dhcp4 conf
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/kea/kea-dhcp4.conf.j2"
+    dest: "/etc/kea/kea-dhcp4.conf"
+    owner: "_kea"
+    group: "_kea"
+    mode: "0600"
+  become: true
+  notify: "notification_restart_kea4"
+
+- name: Create kea-dhcp-server.service.d
+  ansible.builtin.file:
+    path: "/etc/systemd/system/kea-dhcp4-server.service.d"
+    state: "directory"
+    owner: "root"
+    group: "root"
+    mode: "0755"
+  become: true
+
+- name: Set kea-dhcp-server.service.d/override.conf
+  ansible.builtin.copy:
+    dest: "/etc/systemd/system/kea-dhcp4-server.service.d/override.conf"
+    content: |
+      [Service]
+      Restart=always
+      RestartSec=60
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  become: true
+  notify:
+    - "notification_restart_kea4"
+
+- name: Enable kea service
+  ansible.builtin.systemd:
+    name: "kea-dhcp4-server.service"
+    state: "started"
+    enabled: true
+  become: true

ansible/roles/fw/tasks/services/set_suricata.yaml

@@ -0,0 +1,141 @@
+---
+- name: Check suricata installation
+  ansible.builtin.shell: |
+    command -v suricata
+  changed_when: false
+  failed_when: false
+  register: "is_suricata_installed"
+  ignore_errors: true
+
+- name: Install suricata
+  ansible.builtin.apt:
+    name:
+      - "suricata"
+      - "suricata-update"
+    state: "present"
+  become: true
+  when: is_suricata_installed.rc != 0
+
+- name: Deploy suricata-update service files
+  ansible.builtin.copy:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/suricata/{{ item }}"
+    dest: "/etc/systemd/system/{{ item }}"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+    validate: "/usr/bin/systemd-analyze verify %s"
+  loop:
+    - "suricata-update.service"
+    - "suricata-update.timer"
+  become: true
+
+- name: Deploy suricata custom configurations
+  ansible.builtin.copy:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/suricata/etc/{{ item }}"
+    dest: "/etc/suricata/{{ item }}"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  loop:
+    - "disable.conf"
+    - "enable.conf"
+  become: true
+  notify:
+    - "notification_update_suricata_rules"
+    - "notification_restart_suricata"
+
+- name: Deploy suricata custom rules
+  ansible.builtin.copy:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/suricata/etc/local.rules"
+    dest: "/etc/suricata/rules/local.rules"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  become: true
+  notify:
+    - "notification_update_suricata_rules"
+    - "notification_restart_suricata"
+
+- name: Check suricata rules
+  ansible.builtin.stat:
+    path: "/var/lib/suricata/rules/suricata.rules"
+  register: "is_suricata_rules_file"
+
+- name: Update suricata rules
+  ansible.builtin.command:
+    suricata-update
+  become: true
+  when: not is_suricata_rules_file.stat.exists
+  changed_when: true
+
+- name: Enable auto suricata rules update
+  ansible.builtin.systemd:
+    name: "suricata-update.timer"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+  become: true
+
+- name: Deploy suricata.yaml
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/suricata/etc/suricata.yaml.j2"
+    dest: "/etc/suricata/suricata.yaml"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+    validate: "/usr/bin/suricata -T -c %s"
+  become: true
+  notify: "notification_restart_suricata"
+
+- name: Create suricata.service.d
+  ansible.builtin.file:
+    path: "/etc/systemd/system/suricata.service.d"
+    state: "directory"
+    owner: "root"
+    group: "root"
+    mode: "0755"
+  become: true
+
+- name: Set suricata.service.d/override.conf
+  ansible.builtin.copy:
+    dest: "/etc/systemd/system/suricata.service.d/override.conf"
+    content: |
+      [Service]
+      Restart=always
+      RestartSec=60
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  become: true
+  notify:
+    - "notification_restart_suricata"
+
+- name: Enable suricata service
+  ansible.builtin.systemd:
+    name: "suricata.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+  become: true
+
+- name: Set suricata logs logrotate
+  ansible.builtin.copy:
+    content: |
+      /var/log/suricata/*.log /var/log/suricata/*.json {
+          weekly
+          missingok
+          rotate 4
+          compress
+          delaycompress
+          notifempty
+          maxsize 500M
+          sharedscripts
+          postrotate
+              /usr/bin/systemctl reload suricata > /dev/null 2>/dev/null || true
+          endscript
+      }
+    dest: "/etc/logrotate.d/suricata"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  become: true