refactor!: switch hosts variables to a flat layout

2024-01-21 00:00:00 +00:00 · 2024-01-21 00:00:00 +00:00 · 779f2766f2
commit 779f2766f2
parent f669dea62a
33 changed files with 270 additions and 322 deletions
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
@ -1,30 +1,18 @@
 ---
-security:
-  apt:
-    force_https: true
-    https_ignore_list: []
-  clamav:
-    version: 1.2.1
-  firewall:
-    enable: true
-    nat:
-      policy:
-        prerouting: accept
-        input: accept
-        output: accept
-        postrouting: accept
-    mangle:
-      drop_privatenets: true
-      policy:
-        prerouting: accept
-        output: accept
-        forward: drop
-        postrouting: accept
-    filter:
-      policy:
-        input: drop
-        output: drop
-        forward: drop
-
-custom_security: {}
-recursive_combine: true
+security_apt_force_https: true
+security_apt_https_ignore_list: []
+security_clamav_version: 1.2.1
+security_firewall_enabled: true
+security_firewall_filter_policy_forward: drop
+security_firewall_filter_policy_input: drop
+security_firewall_filter_policy_output: drop
+security_firewall_mangle_drop_privatenets: true
+security_firewall_mangle_policy_forward: drop
+security_firewall_mangle_policy_output: accept
+security_firewall_mangle_policy_postrouting: accept
+security_firewall_mangle_policy_prerouting: accept
+security_firewall_nat_policy_input: accept
+security_firewall_nat_policy_output: accept
+security_firewall_nat_policy_postrouting: accept
+security_firewall_nat_policy_prerouting: accept
+security_ssh_port: 22
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/firewall.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/firewall.yml
@ -8,16 +8,17 @@
 - name: get supervisor IP address
  ansible.builtin.shell: "echo $SSH_CLIENT | tr -s '[:blank:]' ' ' | cut -d ' ' -f 1"
  register: ssh_client
+  when: ansible_connection is not match("local")
  changed_when: false
  failed_when: ssh_client.stdout is falsy

 - name: set fact
  ansible.builtin.set_fact:
-    supervisor_ip: "{{ ssh_client.stdout }}"
+    security_firewall_supervisor_ip: "{{ ssh_client.get('stdout', None) }}"
  changed_when: false

 - name: install and configure nftables
-  when: security.firewall.enable is truthy
+  when: security_firewall_enabled is truthy
  become: true
  notify:
    - 'security : [firewall] restart service'
@ -39,6 +40,12 @@
        mode: '0700'
        state: directory

+    - name: set firewall templates facts
+      ansible.builtin.set_fact:
+        security_firewall_dns4_servers: "{{ hostvars[inventory_hostname]['global_dns_{}_dns4'.format(global_dns_type)] | default(ansible_facts.dns.nameservers | ansible.utils.ipv4, true) }}"
+        security_firewall_dns6_servers: "{{ hostvars[inventory_hostname]['global_dns_{}_dns6'.format(global_dns_type)] | default(ansible_facts.dns.nameservers | ansible.utils.ipv6, true) }}"
+        security_firewall_supervisor_has_ip6: "{{ true if security_firewall_supervisor_ip is defined and security_firewall_supervisor_ip and security_firewall_supervisor_ip | ansible.utils.ipv6 else false }}"
+
    - name: base config file
      ansible.builtin.template:
        src: "../templates/system/{{ ansible_facts['distribution'] | lower }}/nftables.conf.j2"
@ -50,8 +57,6 @@
        src: "../templates/system/nftables/{{ item }}.table.j2"
        dest: "/etc/nftables.d/{{ item }}.table"
        mode: '0600'
-      vars:
-        firewall: "{{ security.firewall }}"
      loop:
        - 01-nat
        - 02-mangle
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml
@ -4,16 +4,11 @@
    gather_subset:
      - distribution

- name: '[setup] merge with custom vars'
-  ansible.builtin.set_fact:
-    security: "{{ security | combine(custom_security, recursive=recursive_combine) }}"
-  changed_when: false
-
 - include_tasks: firewall.yml

 - name: '[apt] force HTTPS sources'
  become: true
-  when: security.apt.force_https is truthy
+  when: security_apt_force_https is truthy
  block:
    - name: '[apt] fetch apt information'
      ansible.builtin.command:
@ -25,7 +20,7 @@
        path: "{{ item }}"
        regexp: 'http://'
        replace: 'https://'
-      loop: "{{ apt_source_files.stdout_lines | difference(security.apt.https_ignore_list) }}"
+      loop: "{{ apt_source_files.stdout_lines | difference(security_apt_https_ignore_list) }}"
      notify:
        - 'security : [apt] update sources'

@ -98,7 +93,7 @@
  block:
    - name: '[clamav] retrieve and install clamav package'
      ansible.builtin.apt:
-        deb: https://www.clamav.net/downloads/production/clamav-{{ security.clamav.version }}.linux.x86_64.deb
+        deb: https://www.clamav.net/downloads/production/clamav-{{ security_clamav_version }}.linux.x86_64.deb
        force_apt_get: true
        state: present
    - name: '[clamav] add clamav group'
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2
@ -2,14 +2,19 @@

 flush ruleset

-define ansible_controller_ip = {{ supervisor_ip | default('127.0.0.1', true) }}
-define ansible_controller_ip6 = {{ supervisor_ip6 | default('fe80::', true) }}
+{% if security_firewall_supervisor_ip -%}
+define ansible_controller_ip = {{ security_firewall_supervisor_ip }}
+{% endif -%}
+{% if security_firewall_dns4_servers -%}
 define dns_servers = {
-    {{ dns[dns.type].dns4 | default(["9.9.9.9", "149.112.112.112"], true) | join(", ") | wordwrap(40, wrapstring="\n\t") }}
+    {{ security_firewall_dns4_servers | join(", ") | wordwrap(40, wrapstring="\n\t") }}
 }
+{% endif -%}
+{% if security_firewall_dns6_servers -%}
 define dns_servers6 = {
-    {{ dns[dns.type].dns6 | default(["2620:fe::fe", "2620:fe::9"], true) | join(", ") | wordwrap(40, wrapstring="\n\t") }}
+    {{ security_firewall_dns6_servers | join(", ") | wordwrap(40, wrapstring="\n\t") }}
 }
+{% endif -%}
 define private_nets = {
    10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12,
    192.0.0.0/24, 192.168.0.0/16, 198.18.0.0/15
@ -19,7 +24,7 @@ define reserved_nets = {
    192.88.99.0/24, 198.51.100.0/24, 203.0.113.0/24,
    224.0.0.0/4, 233.252.0.0/24, 240.0.0.0/4
 }
-define ssh_localport = {{ ssh_localport | default(22, true) }}
+define ssh_localport = {{ security_ssh_port }}

 include "/etc/nftables.d/01-nat.table"
 include "/etc/nftables.d/02-mangle.table"
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/01-nat.table.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/01-nat.table.j2
@ -1,18 +1,18 @@
 # Setup
 table inet nat {
    chain prerouting {
-        type nat hook prerouting priority -100; policy {{ firewall.nat.policy.prerouting }};
+        type nat hook prerouting priority -100; policy {{ security_firewall_nat_policy_prerouting }};
    }

    chain input {
-        type nat hook input priority 100; policy {{ firewall.nat.policy.input }};
+        type nat hook input priority 100; policy {{ security_firewall_nat_policy_input }};
    }

    chain output {
-        type nat hook output priority -100; policy {{ firewall.nat.policy.output }};
+        type nat hook output priority -100; policy {{ security_firewall_nat_policy_output }};
    }

    chain postrouting {
-        type nat hook postrouting priority 100; policy {{ firewall.nat.policy.postrouting }};
+        type nat hook postrouting priority 100; policy {{ security_firewall_nat_policy_postrouting }};
    }
 }
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2
@ -1,7 +1,7 @@
 # Setup
 table inet mangle {
    chain prerouting {
-        type filter hook prerouting priority -150; policy {{ firewall.mangle.policy.prerouting }};
+        type filter hook prerouting priority -150; policy {{ security_firewall_mangle_policy_prerouting }};
        ip protocol icmp accept
        ip frag-off & 0x1fff != 0 counter drop
        ct state invalid counter drop
@ -22,12 +22,17 @@ table inet mangle {
        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|psh|urg counter drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|ack|urg counter drop

+        {% if security_firewall_supervisor_ip -%}
+        {% if security_firewall_supervisor_has_ip6 -%}
+        ip6 saddr $ansible_controller_ip tcp dport $ssh_localport accept
+        ip6 daddr $ansible_controller_ip tcp sport $ssh_localport accept
+        {% else -%}
        ip saddr $ansible_controller_ip tcp dport $ssh_localport accept
-        ip6 saddr $ansible_controller_ip6 tcp dport $ssh_localport accept
        ip daddr $ansible_controller_ip tcp sport $ssh_localport accept
-        ip6 daddr $ansible_controller_ip6 tcp sport $ssh_localport accept
+        {%- endif +%}
+        {% endif -%}

-        {% if firewall.mangle.drop_privatenets -%}
+        {% if security_firewall_mangle_drop_privatenets -%}
        ip saddr $private_nets counter drop
        {% endif -%}
        ip saddr $reserved_nets counter drop
@ -35,18 +40,24 @@ table inet mangle {
    }

    chain output {
-        type route hook output priority -150; policy {{ firewall.mangle.policy.output }};
+        type route hook output priority -150; policy {{ security_firewall_mangle_policy_output }};
    }

    chain forward {
-        type filter hook forward priority -150; policy {{ firewall.mangle.policy.forward }};
+        type filter hook forward priority -150; policy {{ security_firewall_mangle_policy_forward }};
    }

    chain postrouting {
-        type filter hook postrouting priority -150; policy {{ firewall.mangle.policy.postrouting }};
+        type filter hook postrouting priority -150; policy {{ security_firewall_mangle_policy_postrouting }};
+
+        {% if security_firewall_supervisor_ip -%}
+        {% if security_firewall_supervisor_has_ip6 -%}
+        ip6 saddr $ansible_controller_ip tcp dport $ssh_localport accept
+        ip6 daddr $ansible_controller_ip tcp sport $ssh_localport accept
+        {%- else -%}
        ip saddr $ansible_controller_ip tcp dport $ssh_localport accept
-        ip6 saddr $ansible_controller_ip6 tcp dport $ssh_localport accept
        ip daddr $ansible_controller_ip tcp sport $ssh_localport accept
-        ip6 daddr $ansible_controller_ip6 tcp sport $ssh_localport accept
+        {%- endif +%}
+        {% endif -%}
    }
 }
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/03-filter.table.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/03-filter.table.j2
@ -1,9 +1,15 @@
 # Setup
 table inet filter {
    chain input {
-        type filter hook input priority 0; policy {{ firewall.filter.policy.input }};
+        type filter hook input priority 0; policy {{ security_firewall_filter_policy_input }};
+
+        {% if security_firewall_supervisor_ip -%}
+        {% if security_firewall_supervisor_has_ip6 -%}
+        ip6 saddr $ansible_controller_ip tcp dport $ssh_localport accept
+        {%- else -%}
        ip saddr $ansible_controller_ip tcp dport $ssh_localport accept
-        ip6 saddr $ansible_controller_ip6 tcp dport $ssh_localport accept
+        {%- endif +%}
+        {% endif -%}

        iifname "lo" counter accept
        ct state related,established counter accept
@ -11,20 +17,29 @@ table inet filter {
    }

    chain output {
-        type filter hook output priority 0; policy {{ firewall.filter.policy.output }};
+        type filter hook output priority 0; policy {{ security_firewall_filter_policy_output }};
+        {% if security_firewall_supervisor_ip -%}
+        {% if security_firewall_supervisor_has_ip6 -%}
+        ip6 daddr $ansible_controller_ip tcp sport $ssh_localport accept
+        {%- else -%}
        ip daddr $ansible_controller_ip tcp sport $ssh_localport accept
-        ip6 daddr $ansible_controller_ip6 tcp sport $ssh_localport accept
+        {%- endif +%}
+        {% endif -%}

        oifname "lo" counter accept
        ct state related,established counter accept
        tcp sport $ssh_localport counter accept

        # Allow DNS queries using UDP, DoT and DoH
+        {% if security_firewall_dns4_servers -%}
        ip daddr $dns_servers meta l4proto { tcp, udp } th dport { 53, 443, 953 } accept
+        {%- endif +%}
+        {% if security_firewall_dns6_servers -%}
        ip6 daddr $dns_servers6 meta l4proto { tcp, udp } th dport { 53, 443, 953 } accept
+        {%- endif +%}
    }

    chain forward {
-        type filter hook forward priority 0; policy {{ firewall.filter.policy.forward }};
+        type filter hook forward priority 0; policy {{ security_firewall_filter_policy_forward }};
    }
 }