feat: base configuration automation

This commit is contained in:
NaeiKinDus 2023-11-08 00:00:00 +00:00
commit e4770a7343
Signed by: WoodSmellParticle
GPG key ID: 8E52ADFF7CA8AE56
70 changed files with 2489 additions and 0 deletions


@ -0,0 +1,2 @@
---
custom_github_token: ""


@ -0,0 +1,22 @@
---
galaxy_info:
author: Florian L.
namespace: nullified
description: Setup common tasks (e.g. users, CLI tools)
# issue_tracker_url: http://example.com/issue/tracker
license: MIT
min_ansible_version: 2.15
# https://galaxy.ansible.com/api/v1/platforms/
platforms:
- name: Debian
versions:
- bookworm
galaxy_tags:
- github
- assets
- utils
- system
dependencies: []
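Review bot: `min_ansible_version: 2.15` is an unquoted YAML float, so a future two-digit minor such as 2.10 would silently load as 2.1; write it as the string `min_ansible_version: "2.15"`. The same applies to the four other meta files in this commit (the development, security, tooling and workstation roles), which are otherwise copies of this one. The skeleton placeholder `# issue_tracker_url: http://example.com/issue/tracker` can be dropped, and the `galaxy_tags` list is identical across all five roles even though their descriptions differ, which is probably not intended.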


@ -0,0 +1,60 @@
---
- name: '[APT] install dependencies and tools'
become: yes
ansible.builtin.apt:
update_cache: yes
force_apt_get: true
cache_valid_time: 3600
pkg:
- bzip2
- cron
- emacs-nox
- git
- jq
- less
- libdata-dump-perl # inxi
- libxml-dumper-perl # inxi
- ncdu
- openssh-server
- procps
- rsync
- zsh
state: present
- name: '[GitHub] install tools'
become: yes
tags:
- molecule-idempotence-notest
nullified.infrastructure.github_artifact:
github_token: '{{ custom_github_token }}'
artifacts:
- repository: smxi/inxi
asset_type: tag
cmds:
- tar -zxf {asset_dirname}/{asset_filename}
- install --group=root --mode=755 --owner=root smxi-inxi-*/inxi /usr/local/bin
- install --group=root --mode=644 --owner=root smxi-inxi-*/inxi.1 /usr/share/man/man1
- repository: sharkdp/bat
asset_name: bat_{version}_amd64.deb
asset_type: release
cmds:
- dpkg -i {asset_dirname}/{asset_filename}
- repository: aristocratos/btop
asset_name: btop-x86_64-linux-musl.tbz
asset_type: release
cmds:
- tar -xjf {asset_dirname}/{asset_filename}
- install --group=root --mode=755 --owner=root btop/bin/btop /usr/bin
- mkdir /usr/share/btop || true
- cp -pr btop/themes /usr/share/btop
- repository: eza-community/eza
asset_name: eza_x86_64-unknown-linux-gnu.tar.gz
asset_type: release
cmds:
- tar -zxf {asset_dirname}/{asset_filename}
- install --group=root --mode=755 --owner=root eza /usr/bin
- repository: muesli/duf
asset_name: duf_{version}_linux_amd64.deb
asset_type: release
cmds:
- dpkg -i {asset_dirname}/{asset_filename}
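Review bot: The `[GitHub] install tools` task passes `custom_github_token` to the module without `no_log: true`, so a verbose run prints the token in the task arguments; add `no_log: true` on that task. Every artifact is then unpacked and installed as root (`dpkg -i`, `tar`, `install`) with no visible checksum or signature check and no version pin, so whatever the latest release contains at run time is installed; if `nullified.infrastructure.github_artifact` can verify a digest, set it, otherwise pin the release so a compromised upstream release is not picked up automatically. `become: yes` here contrasts with `become: true` in the development role; use `true`/`false` throughout. `mkdir /usr/share/btop || true` is simpler and more precise as `mkdir -p /usr/share/btop`.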


@ -0,0 +1,2 @@
---
custom_github_token: ""


@ -0,0 +1,2 @@
---
# handlers file for development


@ -0,0 +1,22 @@
---
galaxy_info:
author: Florian L.
namespace: nullified
description: Install tools for development environment
# issue_tracker_url: http://example.com/issue/tracker
license: MIT
min_ansible_version: 2.15
# https://galaxy.ansible.com/api/v1/platforms/
platforms:
- name: Debian
versions:
- bookworm
galaxy_tags:
- github
- assets
- utils
- system
dependencies: []


@ -0,0 +1,146 @@
---
- name: '[APT] install dependencies and tools'
become: true
ansible.builtin.apt:
update_cache: true
force_apt_get: true
cache_valid_time: 3600
pkg:
- autoconf
- bc
- ca-certificates # docker-ce
- curl
- g++
- gcc
- git
- gnupg # docker-ce
- jq
- libasound2 # draw.io
- libatspi2.0-0 # draw.io
- libgtk-3-0 # draw.io
- libnotify4 # draw.io
- libnss3 # draw.io
- libsecret-1-0 # draw.io
- libxss1 # draw.io
- libxtst6 # draw.io
- make
- shellcheck
- valgrind
- xdg-utils # draw.io
state: present
- name: '[GitHub] install tools'
become: true
tags:
- molecule-idempotence-notest
nullified.infrastructure.github_artifact:
github_token: '{{ custom_github_token }}'
artifacts:
- asset_name: dive_{version}_linux_amd64.deb
asset_type: release
repository: wagoodman/dive
cmds:
- dpkg -i {asset_dirname}/{asset_filename}
- asset_name: kubeconform-linux-amd64.tar.gz
asset_type: release
repository: yannh/kubeconform
cmds:
- tar -zxf {asset_dirname}/{asset_filename}
- install --group=root --mode=755 --owner=root kubeconform /usr/local/bin
- asset_name: git-delta_{version}_amd64.deb
asset_type: release
repository: dandavison/delta
cmds:
- dpkg -i {asset_dirname}/{asset_filename}
- asset_name: docker-compose-linux-x86_64
asset_type: release
repository: docker/compose
cmds:
- install --group=root --mode=755 --owner=root {asset_dirname}/{asset_filename} /usr/local/bin/docker-compose
- test -d /usr/local/lib/docker/cli-plugins && (rm /usr/local/lib/docker/cli-plugins/docker-compose; ln -s /usr/local/bin/docker-compose /usr/local/lib/docker/cli-plugins) || true
- test -d /usr/local/libexec/docker/cli-plugins && (rm /usr/local/libexec/docker/cli-plugins/docker-compose; ln -s /usr/local/bin/docker-compose /usr/local/libexec/docker/cli-plugins) || true
- test -d /usr/lib/docker/cli-plugins && (rm /usr/lib/docker/cli-plugins/docker-compose; ln -s /usr/local/bin/docker-compose /usr/lib/docker/cli-plugins) || true
- test -d /usr/libexec/docker/cli-plugins && (rm /usr/libexec/docker/cli-plugins/docker-compose; ln -s /usr/local/bin/docker-compose /usr/libexec/docker/cli-plugins) || true
- asset_name: buildx-{version}.linux-amd64
asset_type: release
repository: docker/buildx
cmds:
- install --group=root --mode=755 --owner=root {asset_dirname}/{asset_filename} /usr/local/bin/docker-buildx
- test -d /usr/local/lib/docker/cli-plugins && (rm /usr/local/lib/docker/cli-plugins/docker-compose; ln -s /usr/local/bin/docker-compose /usr/local/lib/docker/cli-plugins) || true
- test -d /usr/local/libexec/docker/cli-plugins && (rm /usr/local/libexec/docker/cli-plugins/docker-compose; ln -s /usr/local/bin/docker-compose /usr/local/libexec/docker/cli-plugins) || true
- test -d /usr/lib/docker/cli-plugins && (rm /usr/lib/docker/cli-plugins/docker-compose; ln -s /usr/local/bin/docker-compose /usr/lib/docker/cli-plugins) || true
- test -d /usr/libexec/docker/cli-plugins && (rm /usr/libexec/docker/cli-plugins/docker-compose; ln -s /usr/local/bin/docker-compose /usr/libexec/docker/cli-plugins) || true
- asset_name: drawio-amd64-{version}.deb
asset_type: release
repository: jgraph/drawio-desktop
cmds:
- dpkg -i {asset_dirname}/{asset_filename}
- asset_name: OpenLens-{version}.amd64.deb
asset_type: release
repository: MuhammedKalkan/OpenLens
cmds:
- dpkg -i {asset_dirname}/{asset_filename}
- asset_name: stern_{version}_linux_amd64.tar.gz
asset_type: release
repository: stern/stern
cmds:
- tar -zxf {asset_dirname}/{asset_filename}
- install --group=root --mode=755 --owner=root stern /usr/local/bin
- asset_name: tofu_{version}_amd64.deb
asset_type: release
repository: opentofu/opentofu
cmds:
- dpkg -i {asset_dirname}/{asset_filename}
- name: '[Custom] install latest kubectl'
become: yes
tags:
- molecule-idempotence-notest
ansible.builtin.shell: |
kubeVersion=$(curl -sSL -f https://storage.googleapis.com/kubernetes-release/release/stable.txt 2> /dev/null)
kubeVersion=${kubeVersion:-v1.28.2}
curl --silent --compressed -L -XGET https://storage.googleapis.com/kubernetes-release/release/${kubeVersion}/bin/linux/amd64/kubectl -o kubectl
install --group=root --mode=755 --owner=root kubectl /usr/local/bin && rm kubectl
- name: '[Custom] install latest Helm'
become: yes
tags:
- molecule-idempotence-notest
ansible.builtin.shell: |
helmVersion=$(curl -sSL https://api.github.com/repos/helm/helm/releases/latest | jq -r '.tag_name')
helmVersion=${helmVersion:-v3.13.0}
curl --silent --compressed -L -XGET https://get.helm.sh/helm-${helmVersion}-linux-amd64.tar.gz -o helm.tar.gz
tar -zxf helm.tar.gz
install --group=root --mode=755 --owner=root linux-amd64/helm /usr/local/bin && rm -rf linux-amd64 helm.tar.gz
- name: '[custom] install Docker CE repository'
block:
- name: '[apt key] retrieve GPG key'
tags:
- molecule-idempotence-notest
ansible.builtin.shell: |-
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
- name: '[apt key] add source'
ansible.builtin.apt_repository:
repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
state: present
- name: '[Apt Key] refresh repository'
ansible.builtin.apt:
update_cache: true
force_apt_get: true
cache_valid_time: 0
- name: '[Apt] install Docker CE'
become: yes
ansible.builtin.apt:
update_cache: true
force_apt_get: true
cache_valid_time: 3600
pkg:
- docker-ce
- docker-ce-cli
- containerd.io
state: present
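Review bot: The four `test -d … cli-plugins` lines in the docker/buildx entry (right after `install … /usr/local/bin/docker-buildx`) are copied from the compose entry and still remove and symlink `docker-compose`, so buildx is never linked as a CLI plugin and the compose link is needlessly recreated; the rewritten lines below point them at `docker-buildx`. Separately, the `[custom] install Docker CE repository` block has no `become`, although its tasks write `/etc/apt/keyrings/docker.gpg` and the apt sources, unlike the `[Apt] install Docker CE` task that follows it — add `become: true` on the block unless the play itself runs as root. The kubectl and Helm download lines (`curl --silent --compressed -L -XGET … -o kubectl` and `… -o helm.tar.gz`) lack `-f`, so an HTTP error body would be installed as the binary; add `-f`, and put `set -o pipefail` at the top of the shell scripts that pipe `curl` into `jq` or `gpg` so a failed download does not yield an empty version or key file. The file also mixes `become: true` and `become: yes`; use `true` consistently.
```yaml
- asset_name: buildx-{version}.linux-amd64
  # … unchanged: asset_type, repository …
  cmds:
    - install --group=root --mode=755 --owner=root {asset_dirname}/{asset_filename} /usr/local/bin/docker-buildx
    - test -d /usr/local/lib/docker/cli-plugins && (rm /usr/local/lib/docker/cli-plugins/docker-buildx; ln -s /usr/local/bin/docker-buildx /usr/local/lib/docker/cli-plugins) || true
    - test -d /usr/local/libexec/docker/cli-plugins && (rm /usr/local/libexec/docker/cli-plugins/docker-buildx; ln -s /usr/local/bin/docker-buildx /usr/local/libexec/docker/cli-plugins) || true
    - test -d /usr/lib/docker/cli-plugins && (rm /usr/lib/docker/cli-plugins/docker-buildx; ln -s /usr/local/bin/docker-buildx /usr/lib/docker/cli-plugins) || true
    - test -d /usr/libexec/docker/cli-plugins && (rm /usr/libexec/docker/cli-plugins/docker-buildx; ln -s /usr/local/bin/docker-buildx /usr/libexec/docker/cli-plugins) || true
```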


@ -0,0 +1,2 @@
---
# vars file for development


@ -0,0 +1,2 @@
---
security_clamav_version: 1.2.1


@ -0,0 +1,28 @@
---
- name: '[ssh] restart service'
ansible.builtin.systemd_service:
name: sshd.service
enabled: true
state: restarted
- name: '[clamav] daemon reload'
ansible.builtin.systemd_service:
daemon_reload: true
- name: '[freshclam] restart service'
ansible.builtin.systemd_service:
name: sshd.service
enabled: true
state: restarted
- name: '[clamd] wait for signatures'
ansible.builtin.wait_for:
path: /var/lib/clamav/bytecode.cvd
timeout: 600
state: present
- name: '[clamd] restart service'
ansible.builtin.systemd_service:
name: sshd.service
enabled: true
state: restarted
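Review bot: The `[freshclam] restart service` and `[clamd] restart service` handlers both restart `sshd.service`, copied from the `[ssh] restart service` handler above them, so notifying them restarts the SSH daemon and never touches ClamAV. Based on the unit files this commit installs they should read `name: clamav-freshclam.service` and `name: clamav-clamd.service` respectively. Since the `[ssh] restart service` handler is reached from a hardening change to `sshd_config`, a copy-paste slip here is easy to miss in a test run, so a molecule verify step that checks the ClamAV units are active would catch it.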


@ -0,0 +1,22 @@
---
galaxy_info:
author: Florian L.
namespace: nullified
description: Deploy security tweaks to systems
# issue_tracker_url: http://example.com/issue/tracker
license: MIT
min_ansible_version: 2.15
# https://galaxy.ansible.com/api/v1/platforms/
platforms:
- name: Debian
versions:
- bookworm
galaxy_tags:
- github
- assets
- utils
- system
dependencies: []


@ -0,0 +1,166 @@
---
- name: '[setup] gather facts is not already done'
setup:
gather_subset:
- distribution
- name: '[ssh] hardening sshd'
become: yes
block:
- name: '[ssh] setup sshd_config'
ansible.builtin.template:
src: ../templates/openssh-server/sshd_config.j2
dest: /etc/ssh/sshd_config
mode: 644
notify:
- '[ssh] restart service'
- name: '[ssh] setup sshd_config.d'
ansible.builtin.template:
src: ../templates/openssh-server/sshd_config.d/encryption.conf.j2
dest: /etc/ssh/sshd_config.d/encryption.conf
mode: 644
notify:
- 'security : [ssh] restart service'
- name: '[utils] install security and audit tools'
become: yes
ansible.builtin.apt:
update_cache: true
force_apt_get: true
cache_valid_time: 3600
pkg:
- lsof # rkhunter
- rkhunter
- unhide # rkhunter
state: present
- name: '[system] configure rkhunter'
become: yes
block:
- name: '[rkhunter] create include dir'
ansible.builtin.file:
path: /etc/rkhunter.d
state: directory
mode: '0750'
- name: '[rkhunter] copy configuration'
ansible.builtin.template:
src: ../templates/rkhunter/rkhunter.conf.local.j2
dest: /etc/rkhunter.conf.local
mode: '0640'
- name: '[rkhunter] setup cronjob'
ansible.builtin.cron:
name: rkhunter check
minute: 0
hour: 4
day: "*/3"
job: "/usr/bin/rkhunter -c 2>&1"
state: present
- name: '[system] clamav'
become: yes
block:
- name: '[clamav] retrieve and install clamav package'
ansible.builtin.apt:
deb: https://www.clamav.net/downloads/production/clamav-{{ security_clamav_version }}.linux.x86_64.deb
force_apt_get: true
state: present
- name: '[clamav] add clamav group'
ansible.builtin.group:
name: clamav
system: true
state: present
- name: '[clamav] add clamav user'
ansible.builtin.user:
name: clamav
comment: clamav
create_home: false
expires: -1
group: clamav
shell: /bin/false
system: true
state: present
- name: '[clamav] setup directories'
block:
- name: '[clamav] ensure /etc/clamav dir exists'
ansible.builtin.file:
path: /etc/clamav
state: directory
owner: clamav
group: clamav
mode: '0750'
- name: '[clamav] ensure /var/lib/clamav dir exists'
ansible.builtin.file:
path: /var/lib/clamav
state: directory
owner: clamav
group: clamav
mode: '0750'
- name: '[clamav] ensure /var/lib/clamav/quarantine dir exists'
ansible.builtin.file:
path: /var/lib/clamav/quarantine
state: directory
owner: clamav
group: clamav
mode: '0750'
- name: '[clamav] ensure /var/log/clamav dir exists'
ansible.builtin.file:
path: /var/log/clamav
state: directory
owner: clamav
group: clamav
mode: '0750'
- name: '[clamav] copy clamd.conf'
ansible.builtin.template:
src: '../templates/clamav/clamd.conf.j2'
dest: /etc/clamav/clamd.conf
owner: clamav
group: clamav
mode: '0640'
- name: '[clamav] copy freshclam.conf'
ansible.builtin.template:
src: '../templates/clamav/freshclam.conf.j2'
dest: /etc/clamav/freshclam.conf
owner: clamav
group: clamav
mode: '0640'
- name: '[clamav] setup freshclam service'
block:
- name: '[clamav] copy freshclam service file'
ansible.builtin.template:
src: '../templates/clamav/clamav-freshclam.service.j2'
dest: /usr/lib/systemd/system/clamav-freshclam.service
mode: '0644'
- name: '[clamav] setup clamd service'
block:
- name: '[clamav] copy clamd service file'
ansible.builtin.template:
src: '../templates/clamav/clamav-clamd.service.j2'
dest: /usr/lib/systemd/system/clamav-clamd.service
mode: '0644'
- name: '[clamav] setup cron job'
ansible.builtin.cron:
name: clamav full system scan
minute: 30
hour: 5
weekday: 0
job: "/usr/local/bin/clamscan --recursive --infected --exclude-dir='^/(sys|proc)' --database=/var/lib/clamav --move=/var/lib/clamav/quarantine --log=/var/log/clamav/weekly.log / 2>&1"
state: present
notify:
- 'security : [clamav] daemon reload'
- 'security : [freshclam] restart service'
- 'security : [clamd] wait for signatures'
- 'security : [clamd] restart service'
- name: '[system] hardening system'
become: yes
block:
- name: '[system] login.defs'
ansible.builtin.template:
src: '../templates/system/{{ ansible_distribution | lower }}/login.defs.j2'
dest: /etc/login.defs
mode: '0644'
- name: '[system] limits.conf'
ansible.builtin.template:
src: '../templates/system/{{ ansible_distribution | lower }}/limits.conf.j2'
dest: /etc/security/limits.conf
mode: '0644'
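Review bot: `mode: 644` on the `[ssh] setup sshd_config` and `[ssh] setup sshd_config.d` templates is an unquoted YAML integer, which Ansible interprets as decimal 644 rather than octal 0644, so the two sshd files do not end up `-rw-r--r--`; write `mode: '0644'` as every other file/template task in this file does. The same two tasks notify the restart handler in two different forms, `'[ssh] restart service'` and `'security : [ssh] restart service'`; both should resolve inside the role, but one form should be used. The ClamAV `notify` list hangs on the `[clamav] setup cron job` task, so a changed unit file, `clamd.conf` or `freshclam.conf` triggers no daemon reload or restart unless the cron entry also changes — move the notifications onto the template tasks that render those files. The ClamAV package is fetched and installed via `deb: https://www.clamav.net/downloads/production/…` with no checksum; as far as I can tell the apt module does not verify a `deb:` URL, so downloading it with `ansible.builtin.get_url` and its `checksum:` parameter first, then installing the local file, pins the artifact.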


@ -0,0 +1,22 @@
[Unit]
Description=ClamAV virus scanner
Documentation=man:clamd(1) man:clamd.conf(5) https://docs.clamav.net/
ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc}
ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc}
Wants=network-online.target
After=network-online.target
[Service]
User=clamav
Group=clamav
Type=simple
ExecStart=/usr/local/sbin/clamd --foreground=true --config-file=/etc/clamav/clamd.conf
ExecReload=/bin/kill -USR2 $MAINPID
TimeoutStartSec=300
RuntimeDirectory=clamav
RuntimeDirectoryMode=0755
LogsDirectory=clamav
LogsDirectoryMode=0750
[Install]
WantedBy=multi-user.target
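Review bot: The unit drops to `User=clamav` but applies no systemd sandboxing, while the `clamd.conf` in this commit sets `TemporaryDirectory /tmp`; adding `PrivateTmp=true` under `[Service]` keeps scan temporaries out of the world-shared directory, and `NoNewPrivileges=true` is a cheap extra for a daemon that parses untrusted content. `RuntimeDirectoryMode=0755` makes `/run/clamav` world-readable, whereas `clamd.conf` sets `LocalSocketGroup clamav`; if only root and the clamav group are meant to reach the socket, `RuntimeDirectoryMode=0750` matches that intent.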


@ -0,0 +1,14 @@
[Unit]
Description=ClamAV virus database updater
Documentation=man:freshclam(1) man:freshclam.conf(5) https://docs.clamav.net/
ConditionPathExists=!/etc/cron.d/clamav-freshclam
Wants=network-online.target
After=network-online.target
[Service]
ExecStart=/usr/local/bin/freshclam -d --foreground=true --config-file=/etc/clamav/freshclam.conf
LogsDirectory=clamav
LogsDirectoryMode=0750
[Install]
WantedBy=multi-user.target
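Review bot: Unlike the clamd unit, this one sets no `User=`/`Group=`, so freshclam is started as root; as far as I know it drops to the `DatabaseOwner clamav` configured in `freshclam.conf` on its own, but declaring `User=clamav` and `Group=clamav` in the unit makes the boundary explicit and lets `LogsDirectory=clamav` be created with that owner. `PrivateTmp=true` and `NoNewPrivileges=true` are reasonable for a network-facing updater as well.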


@ -0,0 +1,298 @@
##
## Example config file for clamav-milter
##
# Comment or remove the line below.
Example
##
## Main options
##
# Define the interface through which we communicate with sendmail
# This option is mandatory! Possible formats are:
# [[unix|local]:]/path/to/file - to specify a unix domain socket
# inet:port@[hostname|ip-address] - to specify an ipv4 socket
# inet6:port@[hostname|ip-address] - to specify an ipv6 socket
#
# Default: no default
#MilterSocket /run/clamav/clamav-milter.sock
#MilterSocket /tmp/clamav-milter.sock
#MilterSocket inet:7357
# Define the group ownership for the (unix) milter socket.
# Default: disabled (the primary group of the user running clamd)
#MilterSocketGroup virusgroup
# Sets the permissions on the (unix) milter socket to the specified mode.
# Default: disabled (obey umask)
#MilterSocketMode 660
# Remove stale socket after unclean shutdown.
#
# Default: yes
#FixStaleSocket yes
# Run as another user (clamav-milter must be started by root for this option
# to work)
#
# Default: unset (don't drop privileges)
#User clamav
# Waiting for data from clamd will timeout after this time (seconds).
# Value of 0 disables the timeout.
#
# Default: 120
#ReadTimeout 300
# Don't fork into background.
#
# Default: no
#Foreground yes
# Chroot to the specified directory.
# Chrooting is performed just after reading the config file and before
# dropping privileges.
#
# Default: unset (don't chroot)
#Chroot /newroot
# This option allows you to save a process identifier of the listening
# daemon.
# This file will be owned by root, as long as clamav-milter was started by
# root. It is recommended that the directory where this file is stored is
# also owned by root to keep other users from tampering with it.
#
# Default: disabled
#PidFile /run/clamav/clamav-milter.pid
# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#
#TemporaryDirectory /var/tmp
##
## Clamd options
##
# Define the clamd socket to connect to for scanning.
# This option is mandatory! Syntax:
# ClamdSocket unix:path
# ClamdSocket tcp:host:port
# The first syntax specifies a local unix socket (needs an absolute path) e.g.:
# ClamdSocket unix:/run/clamav/clamd.sock
# The second syntax specifies a tcp local or remote tcp socket: the
# host can be a hostname or an ip address; the ":port" field is only required
# for IPv6 addresses, otherwise it defaults to 3310, e.g.:
# ClamdSocket tcp:192.168.0.1
#
# This option can be repeated several times with different sockets or even
# with the same socket: clamd servers will be selected in a round-robin
# fashion.
#
# Default: no default
#ClamdSocket tcp:scanner.mydomain:7357
#ClamdSocket unix:/run/clamav/clamd.sock
##
## Exclusions
##
# Messages originating from these hosts/networks will not be scanned
# This option takes a host(name)/mask pair in CIRD notation and can be
# repeated several times. If "/mask" is omitted, a host is assumed.
# To specify a locally originated, non-smtp, email use the keyword "local"
#
# Default: unset (scan everything regardless of the origin)
#LocalNet local
#LocalNet 192.168.0.0/24
#LocalNet 1111:2222:3333::/48
# This option specifies a file which contains a list of basic POSIX regular
# expressions. Addresses (sent to or from - see below) matching these regexes
# will not be scanned. Optionally each line can start with the string "From:"
# or "To:" (note: no whitespace after the colon) indicating if it is,
# respectively, the sender or recipient that is to be allowed.
# If the field is missing, "To:" is assumed.
# Lines starting with #, : or ! are ignored.
#
# Default unset (no exclusion applied)
#AllowList /etc/allowed_addresses
# Messages from authenticated SMTP users matching this extended POSIX
# regular expression (egrep-like) will not be scanned.
# As an alternative, a file containing a plain (not regex) list of names (one
# per line) can be specified using the prefix "file:".
# e.g. SkipAuthenticated file:/etc/good_guys
#
# Note: this is the AUTH login name!
#
# Default: unset (no allowing based on SMTP auth)
#SkipAuthenticated ^(tom|dick|henry)$
# Messages larger than this value won't be scanned.
# Make sure this value is lower or equal than StreamMaxLength in clamd.conf
#
# Default: 25M
#MaxFileSize 10M
##
## Actions
##
# The following group of options controls the delivery process under
# different circumstances.
# The following actions are available:
# - Accept
# The message is accepted for delivery
# - Reject
# Immediately refuse delivery (a 5xx error is returned to the peer)
# - Defer
# Return a temporary failure message (4xx) to the peer
# - Blackhole (not available for OnFail)
# Like Accept but the message is sent to oblivion
# - Quarantine (not available for OnFail)
# Like Accept but message is quarantined instead of being delivered
#
# NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ
# For Postfix this causes the message to be placed on hold
#
# Action to be performed on clean messages (mostly useful for testing)
# Default: Accept
#OnClean Accept
# Action to be performed on infected messages
# Default: Quarantine
#OnInfected Quarantine
# Action to be performed on error conditions (this includes failure to
# allocate data structures, no scanners available, network timeouts,
# unknown scanner replies and the like)
# Default: Defer
#OnFail Defer
# This option allows to set a specific rejection reason for infected messages
# and it's therefore only useful together with "OnInfected Reject"
# The string "%v", if present, will be replaced with the virus name.
# Default: MTA specific
#RejectMsg
# If this option is set to "Replace" (or "Yes"), an "X-Virus-Scanned" and an
# "X-Virus-Status" headers will be attached to each processed message, possibly
# replacing existing headers.
# If it is set to Add, the X-Virus headers are added possibly on top of the
# existing ones.
# Note that while "Replace" can potentially break DKIM signatures, "Add" may
# confuse procmail and similar filters.
# Default: no
#AddHeader Replace
# When AddHeader is in use, this option allows to arbitrary set the reported
# hostname. This may be desirable in order to avoid leaking internal names.
# If unset the real machine name is used.
# Default: disabled
#ReportHostname my.mail.server.name
# Execute a command (possibly searching PATH) when an infected message is
# found.
# The following parameters are passed to the invoked program in this order:
# virus name, queue id, sender, destination, subject, message id, message date.
# Note #1: this requires MTA macroes to be available (see LogInfected below)
# Note #2: the process is invoked in the context of clamav-milter
# Note #3: clamav-milter will wait for the process to exit. Be quick or fork to
# avoid unnecessary delays in email delivery
# Default: disabled
#VirusAction /usr/local/bin/my_infected_message_handler
##
## Logging options
##
# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
#
# Default: disabled
#LogFile /tmp/clamav-milter.log
# By default the log file is locked for writing - the lock protects against
# running clamav-milter multiple times.
# This option disables log file locking.
#
# Default: no
#LogFileUnlock yes
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
# rotation (the LogRotate option) will always be enabled.
#
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
#
# Default: no
#LogTime yes
# Use system logger (can work together with LogFile).
#
# Default: no
#LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
#
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable verbose logging.
#
# Default: no
#LogVerbose yes
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
# This option allows to tune what is logged when a message is infected.
# Possible values are Off (the default - nothing is logged),
# Basic (minimal info logged), Full (verbose info logged)
# Note:
# For this to work properly in sendmail, make sure the msg_id, mail_addr,
# rcpt_addr and i macroes are available in eom. In other words add a line like:
# Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i
# to your .cf file. Alternatively use the macro:
# define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')
# Postfix should be working fine with the default settings.
#
# Default: disabled
#LogInfected Basic
# This option allows to tune what is logged when no threat is found in
# a scanned message.
# See LogInfected for possible values and caveats.
# Useful in debugging but drastically increases the log size.
# Default: disabled
#LogClean Basic
# This option affects the behaviour of LogInfected, LogClean and VirusAction
# when a message with multiple recipients is scanned:
# If SupportMultipleRecipients is off (the default)
# then one single log entry is generated for the message and, in case the
# message is determined to be malicious, the command indicated by VirusAction
# is executed just once. In both cases only the last recipient is reported.
# If SupportMultipleRecipients is on:
# then one line is logged for each recipient and the command indicated
# by VirusAction is also executed once for each recipient.
#
# Note: although it's probably a good idea to enable this option, the default
# value
# is currently set to off for legacy reasons.
# Default: no
#SupportMultipleRecipients yes


@ -0,0 +1,250 @@
LogFile /var/log/clamav/clamd.log
LogFileUnlock no
LogFileMaxSize 2M
LogTime yes
LogClean no
LogSyslog no
LogFacility LOG_LOCAL6
LogVerbose no
LogRotate no
PreludeEnable no
PreludeAnalyzerName ClamAV
ExtendedDetectionInfo yes
TemporaryDirectory /tmp
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly no
#FailIfCvdOlderThan 7
User clamav
# Default: disabled (must be specified by a user)
LocalSocket /var/run/clamav/clamd.sock
#LocalSocket /tmp/clamd.sock
# Default: disabled (the primary group of the user running clamd)
LocalSocketGroup clamav
# Default: disabled (socket is world accessible)
#LocalSocketMode 660
#FixStaleSocket yes
# Default: no
#TCPSocket 3310
# Default: no
#TCPAddr localhost
# Default: 200
#MaxConnectionQueueLength 30
# Default: 100M
#StreamMaxLength 25M
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000
# Default: 10
#MaxThreads 20
# Default: 120
#ReadTimeout 300
CommandReadTimeout 30
# Default: 500
#SendBufTimeout 200
# Maximum number of queued items (including those being processed by
# MaxThreads threads).
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out of file
# descriptors, the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual
# max is 1024).
#
# Default: 100
#MaxQueue 200
# Default: 30
#IdleTimeout 60
# Default: scan all
ExcludePath ^/proc/
ExcludePath ^/sys/
MaxDirectoryRecursion 20
# Default: no
#FollowDirectorySymlinks yes
# Default: no
#FollowFileSymlinks yes
CrossFilesystems yes
SelfCheck 600
# Default: yes
#ConcurrentDatabaseReload no
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f"
#ExitOnOOM yes
# Default: no
#Foreground yes
# Default: no
#Debug yes
# Default: no
#LeaveTemporaryFiles yes
# Default: no
#GenerateMetadataJson yes
# Default: yes
#AllowAllMatchScan no
DetectPUA yes
# Default: Load all categories (if DetectPUA is activated)
ExcludePUA Tool
ForceToDisk no
# Default: no
#DisableCache yes
#CacheSize 65536
HeuristicAlerts yes
# Default: no
#HeuristicScanPrecedence yes
##
## Heuristic Alerts
##
# Default: no
#AlertBrokenExecutables yes
# Default: no
#AlertBrokenMedia yes
# Default: no
#AlertEncrypted yes
# Default: no
#AlertEncryptedArchive yes
# Default: no
#AlertEncryptedDoc yes
# Default: no
AlertOLE2Macros yes
# Default: no
#AlertPhishingSSLMismatch yes
# Default: no
#AlertPhishingCloak yes
# Default: no
#AlertPartitionIntersection yes
##
## Executable files
##
# Default: yes
ScanPE yes
# Default: no
#DisableCertCheck yes
# Default: yes
ScanELF yes
##
## Documents
##
ScanOLE2 yes
ScanPDF yes
ScanSWF yes
ScanXMLDOCS yes
ScanHWP3 yes
##
## Mail files
##
ScanMail yes
# Default: no
#ScanPartialMessages yes
PhishingSignatures yes
PhishingScanURLs yes
##
## Data Loss Prevention (DLP)
##
# Default: No
#StructuredDataDetection yes
# Default: 3
StructuredMinCreditCardCount 5
# Default: no
#StructuredCCOnly yes
# Default: 3
StructuredMinSSNCount 5
StructuredSSNFormatNormal yes
StructuredSSNFormatStripped yes
##
## HTML
##
ScanHTML yes
##
## Archives
##
ScanArchive yes
##
## Limits
##
# Default: 120000
#MaxScanTime 300000
# Default: 400M
MaxScanSize 500M
# Default: 100M
MaxFileSize 400M
# Default: 17
#MaxRecursion 10
# Default: 10000
#MaxFiles 15000
# Default: 40M
MaxEmbeddedPE 80M
# Default: 40M
#MaxHTMLNormalize 100M
# Default: 8M
#MaxHTMLNoTags 16M
# Default: 20M
#MaxScriptNormalize 50M
# Default: 1M
#MaxZipTypeRcg 1M
# Default: 50
#MaxPartitions 128
# Default: 100
#MaxIconsPE 200
# Default: 16
#MaxRecHWP3 16
# Default: 100000
#PCREMatchLimit 20000
# Default: 2000
#PCRERecMatchLimit 10000
# Default: 100M
#PCREMaxFileSize 400M
# Default: no
AlertExceedsMax yes
##
## On-access Scan Settings
##
# Default: 5M
#OnAccessMaxFileSize 10M
# Default: 5
#OnAccessMaxThreads 10
# Default: 5000 (5 seconds)
# OnAccessCurlTimeout 10000
# Default: no
#OnAccessDisableDDD yes
# Default: disabled
#OnAccessIncludePath /home
#OnAccessIncludePath /students
# Default: disabled
#OnAccessExcludePath /home/user
# Default: no
OnAccessPrevention yes
# Default: no
#OnAccessDenyOnError yes
# Default: no
#OnAccessExtraScanning yes
# Default: disabled
#OnAccessMountPath /
#OnAccessMountPath /home/user
# Default: no
#OnAccessExcludeRootUID no
# Default: disabled
#OnAccessExcludeUID -1
# Default: disabled
OnAccessExcludeUname clamav
# Default: 0
#OnAccessRetryAttempts 3
##
## Bytecode
##
Bytecode yes
BytecodeSecurity TrustSigned
BytecodeUnsigned no
# Default: 10000
# BytecodeTimeout 1000
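Review bot: `LocalSocketGroup clamav` is set but `#LocalSocketMode 660` stays commented out, and the comment kept above it notes that the default leaves the socket world accessible, so any local user can push arbitrary data into the scanner; uncomment `LocalSocketMode 660` to restrict it to the clamav group (the root cron job is unaffected). The `OnAccess*` settings (`OnAccessPrevention yes`, `OnAccessExcludeUname clamav`) are active although nothing in this commit deploys an on-access scanner; they are harmless but a short comment saying they are reserved for later, or removing them, would avoid confusion. The file mixes bare settings with `# Default:` comments copied from the upstream sample; a one-line header noting which template renders it and that it is managed by Ansible would help whoever next edits it on the host.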


@ -0,0 +1,23 @@
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net


@ -0,0 +1,4 @@
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com


@ -0,0 +1,24 @@
AcceptEnv LANG LC_*
AddressFamily inet
AllowAgentForwarding no
ChallengeResponseAuthentication no
ClientAliveCountMax 2
ClientAliveInterval 300
HostKey /etc/ssh/ssh_host_ed25519_key
IgnoreRhosts yes
LogLevel VERBOSE
MaxAuthTries 3
MaxSessions 3
PermitEmptyPasswords no
PermitRootLogin no
PrintMotd yes
Protocol 2
PubkeyAuthentication yes
Port 22
TCPKeepAlive no
UseDNS no
UsePAM yes
X11Forwarding no
Subsystem sftp /usr/lib/openssh/sftp-server
Include /etc/ssh/sshd_config.d/*.conf
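Review bot: `PasswordAuthentication` is never set, so sshd's default of `yes` applies and password logins stay possible despite the key-only intent implied by `PubkeyAuthentication yes` and the single ed25519 host key; add `PasswordAuthentication no` unless password login is wanted (with `UsePAM yes`, `ChallengeResponseAuthentication no` alone does not turn it off). `Include /etc/ssh/sshd_config.d/*.conf` sits on the last line, but sshd keeps the first value it reads for each keyword, so any drop-in that repeats a keyword from this file is silently ignored — Debian places the Include at the top for that reason, and it only works today because `encryption.conf` sets keywords that are absent here. `Protocol 2` is obsolete, and on the OpenSSH shipped with bookworm `ChallengeResponseAuthentication` is the deprecated alias of `KbdInteractiveAuthentication`.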


@ -0,0 +1,76 @@
# No end-of-line comments;
# No quotes around path names;
# To unset previous configuration, set it to "" (empty) beforehand;
# Some options allow multiple definitions, leads to a concatenation;
ROTATE_MIRRORS=1
UPDATE_MIRRORS=1
MIRRORS_MODE=0
MAIL-ON-WARNING=naeikindus@pounce.tech
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
TMPDIR=/var/lib/rkhunter/tmp
DBDIR=/var/lib/rkhunter/db
SCRIPTDIR=/usr/share/rkhunter/scripts
BINDIR=/bin /usr/bin /sbin /usr/sbin
BINDIR=+/usr/local/bin +/usr/local/sbin
UPDATE_LANG="en"
LOGFILE=/var/log/rkhunter.log
APPEND_LOG=0
COPY_LOG_ON_ERROR=0
USE_SYSLOG=authpriv.warning
AUTO_X_DETECT=0
ALLOW_SSH_ROOT_USER=no
ALLOW_SSH_PROT_V1=0
ENABLE_TESTS=ALL
DISABLE_TESTS=NONE
HASH_CMD=SHA256
PKGMGR=NONE
USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf
USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf.local
EXISTWHITELIST=""
ATTRWHITELIST=""
WRITEWHITELIST=""
SCRIPTWHITELIST=/usr/bin/egrep
SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/usr/bin/fgrep
SCRIPTWHITELIST=/usr/bin/which
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/which.debianutils
SCRIPTWHITELIST=/usr/sbin/adduser
IMMUTABLE_SET=0
SKIP_INODE_CHECK=0
ALLOWPROMISCIF=""
SCAN_MODE_DEV=THOROUGH
ALLOWDEVFILE=""
ALLOW_SYSLOG_REMOTE_LOGGING=0
### Needs update to add user-controller dirs like upload and user generated content dirs from webserver
SUSPSCAN_DIRS=/tmp /var/tmp
SUSPSCAN_TEMP=/dev/shm
SUSPSCAN_MAXSIZE=1024000
SUSPSCAN_THRESH=200
SUSPSCAN_WHITELIST=""
# Examples:
#
# PORT_WHITELIST=TCP:2001 UDP:32011
# PORT_PATH_WHITELIST=/usr/sbin/squid
# PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801
PORT_WHITELIST=""
PORT_PATH_WHITELIST=""
WARN_ON_OS_CHANGE=1
USE_LOCKING=1
LOCK_TIMEOUT=300
SCANROOTKITMODE=""
SHOW_SUMMARY_WARNINGS_NUMBER=1
GLOBSTAR=0
INSTALLDIR=/usr
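Review bot: `PKGMGR=NONE` on a role whose meta restricts it to Debian means file-property checks rely solely on the hash database written by `rkhunter --propupd`, and nothing in this commit runs `--propupd`, so the first cron run will warn on the tools this commit installs into `/usr/local/bin`; `PKGMGR=DPKG` lets rkhunter verify distro-managed files against the package database, and a one-time `--propupd` task after the tool installs would baseline the rest. `MAIL-ON-WARNING=naeikindus@pounce.tech` hard-codes a personal address into a `.j2` template; make it a role variable with a documented default. The header comment says options cannot be quoted, yet `UPDATE_LANG="en"` is quoted while the `=""` entries rely on the documented unset idiom; a short note distinguishing the two would prevent someone "fixing" the wrong one.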


@ -0,0 +1,40 @@
# Based on Debian 12 manual
CHFN_RESTRICT rwh
DEFAULT_HOME yes
ENCRYPT_METHOD YESCRYPT
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ERASECHAR 0177
FAILLOG_ENAB yes
FTMP_FILE /var/log/btmp
GID_MAX 60000
GID_MIN 1000
HOME_MODE 0700
HUSHLOGIN_FILE .hushlogin
KILLCHAR 025
LOGIN_RETRIES 3
LOGIN_TIMEOUT 60
LOG_OK_LOGINS yes
LOG_UNKFAIL_ENAB no
MAIL_DIR /var/mail
NONEXISTENT /nonexistent
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
PREVENT_NO_AUTH yes
SUB_GID_COUNT 65536
SUB_GID_MAX 600100000
SUB_GID_MIN 100000
SUB_UID_COUNT 65536
SUB_UID_MAX 600100000
SUB_UID_MIN 100000
SU_NAME su
SYSLOG_SG_ENAB yes
SYSLOG_SU_ENAB yes
TTYGROUP tty
TTYPERM 0600
UID_MAX 60000
UID_MIN 1000
UMASK 027
USERGROUPS_ENAB yes
YESCRYPT_COST_FACTOR 10


@ -0,0 +1,2 @@
---
# defaults file for tooling


@ -0,0 +1,22 @@
---
galaxy_info:
author: Florian L.
namespace: nullified
description: Install server related configuration and tooling
# issue_tracker_url: http://example.com/issue/tracker
license: MIT
min_ansible_version: 2.15
# https://galaxy.ansible.com/api/v1/platforms/
platforms:
- name: Debian
versions:
- bookworm
galaxy_tags:
- github
- assets
- utils
- system
dependencies: []


@ -0,0 +1,2 @@
---
# TODO: Add monitoring roles


@ -0,0 +1,2 @@
---
custom_base_user_account: "root"


@ -0,0 +1,2 @@
---
# handlers file for development


@ -0,0 +1,22 @@
---
galaxy_info:
author: Florian L.
namespace: nullified
description: Install workstation environment
# issue_tracker_url: http://example.com/issue/tracker
license: MIT
min_ansible_version: 2.15
# https://galaxy.ansible.com/api/v1/platforms/
platforms:
- name: Debian
versions:
- bookworm
galaxy_tags:
- github
- assets
- utils
- system
dependencies: []


@ -0,0 +1,25 @@
---
- name: '[APT] install dependencies and tools'
become: yes
ansible.builtin.apt:
update_cache: true
force_apt_get: true
cache_valid_time: 3600
pkg:
- curl
- flatpak
- gnupg
- pwgen
- sudo
state: present
- name: '[Setup] setup Flatpak'
become: yes
become_user: "{{ custom_base_user_account }}"
become_method: su
tags:
- molecule-idempotence-notest
ansible.builtin.shell: |
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
flatpak install --noninteractive flathub com.discordapp.Discord
flatpak install --noninteractive flathub md.obsidian.Obsidian