chore!: separated galaxy deps and own collections; modified ansible script generation to use two paths for collections

REQUIRES REGENERATING ansible.cfg!

ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/limits.conf.j2

@@ -0,0 +1,2 @@
+*   soft    core    0
+*   hard    core    0

ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/login.defs.j2

@@ -0,0 +1,40 @@
+# Based on Debian 12 manual
+CHFN_RESTRICT           rwh
+DEFAULT_HOME            yes
+ENCRYPT_METHOD          YESCRYPT
+ENV_PATH                PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
+ENV_SUPATH              PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ERASECHAR               0177
+FAILLOG_ENAB            yes
+FTMP_FILE               /var/log/btmp
+GID_MAX                 60000
+GID_MIN                 1000
+HOME_MODE               0700
+HUSHLOGIN_FILE          .hushlogin
+KILLCHAR                025
+LOGIN_RETRIES           3
+LOGIN_TIMEOUT           60
+LOG_OK_LOGINS           yes
+LOG_UNKFAIL_ENAB        no
+MAIL_DIR                /var/mail
+NONEXISTENT             /nonexistent
+PASS_MAX_DAYS           99999
+PASS_MIN_DAYS           0
+PASS_WARN_AGE           7
+PREVENT_NO_AUTH         yes
+SUB_GID_COUNT           65536
+SUB_GID_MAX             600100000
+SUB_GID_MIN             100000
+SUB_UID_COUNT           65536
+SUB_UID_MAX             600100000
+SUB_UID_MIN             100000
+SU_NAME                 su
+SYSLOG_SG_ENAB          yes
+SYSLOG_SU_ENAB          yes
+TTYGROUP                tty
+TTYPERM                 0600
+UID_MAX                 60000
+UID_MIN                 1000
+UMASK                   027
+USERGROUPS_ENAB         yes
+YESCRYPT_COST_FACTOR    10

ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2

@@ -0,0 +1,36 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+define ansible_controllers_ip4 = {
+    {{ security_firewall_supervisors_ip4 | join(", ") | wordwrap(40, wrapstring="\n    ", break_long_words=False) }}
+}
+{% if security_firewall_supervisors_ip6 %}
+define ansible_controllers_ip6 = {
+    {{ security_firewall_supervisors_ip6 | join(", ") | wordwrap(40, wrapstring="\n    ", break_long_words=False) }}
+}
+{% endif %}
+{% if security_firewall_dns4_servers -%}
+define dns_servers = {
+    {{ security_firewall_dns4_servers | join(", ") | wordwrap(40, wrapstring="\n\t", break_long_words=False) }}
+}
+{% endif -%}
+{% if security_firewall_dns6_servers -%}
+define dns_servers6 = {
+    {{ security_firewall_dns6_servers | join(", ") | wordwrap(40, wrapstring="\n\t", break_long_words=False) }}
+}
+{% endif -%}
+define private_nets = {
+    10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12,
+    192.0.0.0/24, 192.168.0.0/16, 198.18.0.0/15
+}
+define reserved_nets = {
+    {{ security_firewall_reserved_nets_ip4 | join(", ") | wordwrap(40, wrapstring="\n\t", break_long_words=False) }}
+}
+define ssh_localport = {{ security_ssh_port }}
+
+include "/etc/nftables.d/01-nat.table"
+include "/etc/nftables.d/02-mangle.table"
+include "/etc/nftables.d/03-filter.table"
+
+include "/etc/nftables.d/*.nft"

ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/resolv.conf.j2

@@ -0,0 +1,12 @@
+{% set dns4_servers = hostvars[inventory_hostname]["global_dns_{}_dns4".format(global_dns_type)] | default([]) %}
+{% set dns6_servers = hostvars[inventory_hostname]["global_dns_{}_dns6".format(global_dns_type)] | default([]) %}
+{% if dns4_servers is defined and dns4_servers | length > 0 -%}
+{% for server in dns4_servers -%}
+nameserver {{ server }}
+{% endfor %}
+{% endif %}
+{% if global_ip_dualstack | default(false) and dns6_servers is defined and dns6_servers | length > 0 -%}
+{% for server in dns6_servers -%}
+nameserver {{ server }}
+{% endfor %}
+{% endif %}

ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/sysctld.local.conf.j2

@@ -0,0 +1,3 @@
+{% for item in security_sysctl_configuration.keys() -%}
+    {{ item }} = {{ security_sysctl_configuration[item] }}
+{% endfor %}

ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables.d/egress_http.nft.j2

@@ -0,0 +1,5 @@
+table inet filter {
+    chain output {
+        meta nfproto { ipv4, ipv6 } tcp dport { http, https } accept
+    }
+}

ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables.d/egress_icmp.nft.j2

@@ -0,0 +1,14 @@
+table inet filter {
+    chain output {
+        icmp type {
+            echo-reply, destination-unreachable, source-quench, redirect, echo-request,
+            time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request,
+            info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation
+        } accept
+        icmpv6 type {
+            destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query,
+            mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit,
+            nd-neighbor-advert, parameter-problem, mld2-listener-report
+        } accept
+    }
+}

ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables.d/ingress_icmp.nft.j2

@@ -0,0 +1,14 @@
+table inet filter {
+    chain input {
+        icmp type {
+            echo-reply, destination-unreachable, source-quench, redirect, echo-request,
+            time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request,
+            info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation
+        } accept
+        icmpv6 type {
+            destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query,
+            mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit,
+            nd-neighbor-advert, parameter-problem, mld2-listener-report
+        } accept
+    }
+}

ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/01-nat.table.j2

@@ -0,0 +1,18 @@
+# Setup
+table inet nat {
+    chain prerouting {
+        type nat hook prerouting priority -100; policy {{ security_firewall_nat_policy_prerouting }};
+    }
+
+    chain input {
+        type nat hook input priority 100; policy {{ security_firewall_nat_policy_input }};
+    }
+
+    chain output {
+        type nat hook output priority -100; policy {{ security_firewall_nat_policy_output }};
+    }
+
+    chain postrouting {
+        type nat hook postrouting priority 100; policy {{ security_firewall_nat_policy_postrouting }};
+    }
+}

ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2

@@ -0,0 +1,59 @@
+# Setup
+table inet mangle {
+    chain prerouting {
+        type filter hook prerouting priority -150; policy {{ security_firewall_mangle_policy_prerouting }};
+        ip protocol icmp accept
+        ip frag-off & 0x1fff != 0 counter drop
+        ct state invalid counter drop
+        tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
+        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
+        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
+        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
+        tcp flags & (fin|syn) == fin|syn counter drop
+        tcp flags & (syn|rst) == syn|rst counter drop
+        tcp flags & (fin|rst) == fin|rst counter drop
+        tcp flags & (fin|ack) == fin counter drop
+        tcp flags & (ack|urg) == urg counter drop
+        tcp flags & (fin|ack) == fin counter drop
+        tcp flags & (psh|ack) == psh counter drop
+        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
+        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
+        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg counter drop
+        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|psh|urg counter drop
+        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|ack|urg counter drop
+
+        {% if security_firewall_supervisors_ip6 -%}
+        ip6 saddr $ansible_controllers_ip6 tcp dport $ssh_localport accept
+        ip6 daddr $ansible_controllers_ip6 tcp sport $ssh_localport accept
+        {% endif -%}
+        ip saddr $ansible_controllers_ip4 tcp dport $ssh_localport accept
+        ip daddr $ansible_controllers_ip4 tcp sport $ssh_localport accept
+
+        {% if security_firewall_mangle_drop_privatenets -%}
+        ip saddr $private_nets counter drop
+        {% endif -%}
+        {% if security_firewall_mangle_drop_reservednets -%}
+        ip saddr $reserved_nets counter drop
+        {%  endif -%}
+        iifname != "lo" ip saddr 127.0.0.0/8 counter drop
+    }
+
+    chain output {
+        type route hook output priority -150; policy {{ security_firewall_mangle_policy_output }};
+    }
+
+    chain forward {
+        type filter hook forward priority -150; policy {{ security_firewall_mangle_policy_forward }};
+    }
+
+    chain postrouting {
+        type filter hook postrouting priority -150; policy {{ security_firewall_mangle_policy_postrouting }};
+
+        {% if security_firewall_supervisors_ip6 -%}
+        ip6 saddr $ansible_controllers_ip6 tcp dport $ssh_localport accept
+        ip6 daddr $ansible_controllers_ip6 tcp sport $ssh_localport accept
+        {% endif -%}
+        ip saddr $ansible_controllers_ip4 tcp dport $ssh_localport accept
+        ip daddr $ansible_controllers_ip4 tcp sport $ssh_localport accept
+    }
+}

ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/03-filter.table.j2

@@ -0,0 +1,39 @@
+# Setup
+table inet filter {
+    chain input {
+        type filter hook input priority 0; policy {{ security_firewall_filter_policy_input }};
+
+        {% if security_firewall_supervisors_ip6 -%}
+        ip6 saddr $ansible_controllers_ip6 tcp dport $ssh_localport accept
+        {% endif -%}
+        ip saddr $ansible_controllers_ip4 tcp dport $ssh_localport accept
+
+        iifname "lo" counter accept
+        ct state related,established counter accept
+        tcp dport $ssh_localport limit rate 10/hour burst 5 packets counter accept
+    }
+
+    chain output {
+        type filter hook output priority 0; policy {{ security_firewall_filter_policy_output }};
+        {% if security_firewall_supervisors_ip6 -%}
+        ip6 daddr $ansible_controllers_ip6 tcp sport $ssh_localport accept
+        {% endif -%}
+        ip daddr $ansible_controllers_ip4 tcp sport $ssh_localport accept
+
+        oifname "lo" counter accept
+        ct state related,established counter accept
+        tcp sport $ssh_localport counter accept
+
+        # Allow DNS queries using UDP, DoT and DoH
+        {% if security_firewall_dns4_servers -%}
+        ip daddr $dns_servers meta l4proto { tcp, udp } th dport { 53, 443, 953 } accept
+        {%- endif +%}
+        {% if security_firewall_dns6_servers -%}
+        ip6 daddr $dns_servers6 meta l4proto { tcp, udp } th dport { 53, 443, 953 } accept
+        {%- endif +%}
+    }
+
+    chain forward {
+        type filter hook forward priority 0; policy {{ security_firewall_filter_policy_forward }};
+    }
+}