Verified Commit 5a5eeca0 authored by aguestuser's avatar aguestuser

[101] add ansible tooling for splash page

parent 7860fbb1
......@@ -26,6 +26,7 @@
*retry
*/inventory
# text editors
.idea/*
/.vscode/settings.json
......@@ -44,3 +45,5 @@ signal_data
/ansible/files/deploy_keys/signalboost_ssh_key.pub
/ansible/inventory.tmpl
/splash/ansible/inventory.tmpl
/splash/.env
/splash/ansible/inventory
......@@ -4,4 +4,5 @@ ansible/files/deploy_keys/signalboost_ssh_key
ansible/files/deploy_keys/signalboost_ssh_key.pub
ansible/inventory.tmpl
bin/get-machine
splash/.env
splash/ansible/inventory.tmpl
[defaults]
#stdout_callback = json
#stdout_callback = debug
stdout_callback = unixy
../../docker
\ No newline at end of file
# Fail2Ban configuration file.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
bantime = 10800
maxretry = 3
ignoreip = 127.0.0.1
findtime = 600
#
# JAILS
#
[sshd]
enabled = true
port = ssh
[sshd-ddos]
enabled = true
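Review bot: The `[sshd-ddos]` jail overlaps with the `[sshd]` jail above it: in fail2ban 0.10 and later (if that is what the target runs) the ddos filter was folded into `sshd` and is selected with `mode = aggressive`, with the standalone `sshd-ddos` filter kept only as a deprecated compatibility shim. Consider dropping the `[sshd-ddos]` section and adding `mode = aggressive` under `[sshd]` so the config does not depend on the shim surviving an upgrade. The `# "ignoreip" can be an IP address, a CIDR mask or a DNS host` line is a fragment of the upstream template comment and sits two lines above the setting it describes; either complete it or move it directly above `ignoreip`.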
---
- name: Deploy Splash
become: true
hosts: splash
environment:
NODE_ENV: production
vars:
homedir: /srv/splash
env_file: "files/.env"
secrets_method: copy
tasks:
#########
# CLONE #
#########
- name: Pull signalboost repository from 0xacab
git:
repo: https://0xacab.org/team-friendo/signalboost
dest: "{{ homedir }}"
force: true
version: "{{ branch | default('master') }}"
tags: clone
- name: Deploy environment file using blackbox
command: ./bin/blackbox/postdeploy
args:
chdir: "{{ homedir }}"
tags: clone
when: secrets_method == "blackbox"
- name: Deploy environment file by copying local file
copy:
src: "{{ env_file }}"
dest: "{{ homedir }}/.env"
tags: clone
when: secrets_method == "copy"
#######################
# BUILD DOCKER IMAGES #
#######################
- name: Load base dockerfiles
copy:
src: files/docker/
dest: /srv/splash/docker/
tags: docker
- name: Build splash container
command: docker build -f /srv/splash/docker/sigbalboost_splash.dockerfile -t signalboost_splash:latest /srv/splash
register: build_output
tags: docker
########
# STOP #
########
- name: Stop app
command: ./bin/shutdown
args:
chdir: "{{ homedir }}"
tags: stop
###########
# PREPARE #
###########
- name: Install node packages
command: "docker-compose run --entrypoint 'yarn install' splash"
args:
chdir: "{{ homedir }}"
tags: prepare
- name: Stop container used for install
command: "docker-compose down"
args:
chdir: "{{ homedir }}"
tags: prepare
#########
# START #
#########
- name: Start app
docker_service:
project_src: "{{ homedir }}"
state: present
register: docker_up_result
# - debug:
# var: docker_up_result
######################
# AVAILABILITY CHECK #
######################
- name: Ping nextcloud instance until it is available
shell: ./bin/check-availability
args:
chdir: "{{ homedir }}"
register: health_check_output
changed_when: false
failed_when: health_check_output.rc != 0
tags: health_check
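Review bot: The "Deploy environment file by copying local file" task writes the secrets file to `{{ homedir }}/.env` without a `mode`, so it lands with whatever the copy module's default and the remote umask yield (commonly 0644) and any local account on the host can read it; add `mode: "0600"` (and an `owner:` for the account that runs the app, if one exists) under that `copy:`. The `failed_when: health_check_output.rc != 0` on the last task relies on `./bin/check-availability` exiting non-zero when the page never comes up, which the script added in this commit does not do (see the note on that file), so the check cannot fail. `docker_service` was renamed `docker_compose` in Ansible 2.8 and the old name survives only as a deprecated alias, so the "Start app" task should use `docker_compose:`. The task name "Ping nextcloud instance until it is available" is a leftover from another playbook and should read "Poll splash page until it is available", and `sigbalboost_splash.dockerfile` in the build command looks like a misspelling of signalboost that should be checked against the file actually shipped in files/docker/.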
../files
\ No newline at end of file
---
- name: Perform Advanced Hardening
hosts: signalboost
become: true
tasks:
- name: Run dev-sec os-hardening role
import_role:
name: dev-sec.os-hardening
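Review bot: `hosts: signalboost` does not match the `hosts: splash` used by provision.yml and deploy.yml in this commit, so when this play is imported from main.yml against the splash inventory it will match no hosts and the os-hardening role will never run on the splash machine; change it to `hosts: splash` unless a `signalboost` group is deliberately defined in that inventory. Ansible only warns about a play that matches no hosts, so the omission would not surface as a failed run.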
---
- import_playbook: provision.yml
- import_playbook: deploy.yml
- import_playbook: harden.yml
---
- name: Provision system dependencies & users, perform basic hardening
become: true
hosts: splash
vars:
ansible_user: root
secrets_method: copy
# docker dependencies (pip packages)
pip_install_packages:
- name: docker
- name: docker-compose
# docker dependencies (ansible roles)
roles:
- geerlingguy.pip
- geerlingguy.docker
handlers:
- name: restart fail2ban
service: name=fail2ban state=restarted
- name: restart ssh
service: name=ssh state=restarted
- name: reload ufw
ufw:
state: reloaded
tasks:
#######################
# SYSTEM DEPENDENCIES #
#######################
- name: update apt packages
apt:
update_cache: yes
cache_valid_time: 3600
tags: packages
- name: upgrade apt packages
apt: upgrade=yes
tags: packages
- name: Install basic packages
apt:
cache_valid_time: 3600
name:
- sudo
- curl
- gnupg
- fail2ban
- ufw
- tmux
- git
- htop
- lsof
- rsync
- python3
- emacs-nox
tags: packages
######################
# ENABLE SWAP MEMORY #
######################
- name: Allocate 1GB to /swapfile
command: dd if=/dev/zero of=/swapfile bs=1M count=1024
register: write_swapfile
args:
creates: /swapfile
- name: Set swapfile permissions
file: path=/swapfile mode=600
- name: Create swapfile
command: mkswap /swapfile
register: create_swapfile
when: write_swapfile.changed
- name: Enable swapfile
command: swapon /swapfile
when: create_swapfile.changed
- name: Add swapfile to /etc/fstab
lineinfile:
path: /etc/fstab
line: "/swapfile none swap sw 0 0"
state: present
##########
# ADMINS #
##########
- name: Make sure we have a sshusers groups
group:
name: sshusers
state: present
- name: Add admin users
user:
name: "{{ item.name }}"
groups:
- sudo
- sshusers
append: yes
shell: /bin/bash
with_items: "{{ admins }}"
- name: Set authorized keys
authorized_key:
user: "{{ item.name }}"
state: present
key: "{{ item.ssh_key }}"
with_items: "{{ admins }}"
- name: Allow sudo group to have passwordless sudo
lineinfile:
dest: /etc/sudoers
state: present
regexp: '^%sudo'
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
validate: visudo -cf %s
###################
# BASIC HARDENING #
###################
# ssh
- name: ssh hardening
import_role:
name: dev-sec.ssh-hardening
vars:
ssh_allow_groups: sshusers
- name: unlock admin users
become: yes
command: "usermod -p '*' {{ item.name }}"
ignore_errors: True
changed_when: False
loop: "{{ admins }}"
# firewall
- ufw: state=enabled policy=allow
tags: ufw
- name: default (incoming) policy
ufw:
policy: deny
direction: incoming
notify: reload ufw
tags: ufw
- name: default (outgoing) policy
ufw:
policy: allow
direction: outgoing
notify: reload ufw
tags: ufw
- name: limit ssh
ufw:
rule: limit
port: ssh
proto: tcp
notify: reload ufw
tags: ufw
- name: allow http
ufw:
rule: allow
port: http
notify: reload ufw
tags: ufw
- name: allow https
ufw:
rule: allow
port: https
notify: reload ufw
tags: ufw
# fail2ban
- name: Copy fail2ban configuration into place
become: true
copy:
src: "files/jail.local"
dest: /etc/fail2ban/jail.local
notify: restart fail2ban
tags: hardening
- name: Ensure fail2ban is started
service: name=fail2ban state=started
tags: hardening
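Review bot: The unnamed `- ufw: state=enabled policy=allow` task turns the firewall on before the default incoming deny and the `limit ssh` rule that follow it are declared, so the rules are applied one by one to a live firewall; if the play aborts between the "default (incoming) policy" task and the "limit ssh" task the host is left with incoming denied and no SSH allowance, and the established Ansible session would likely survive while no new one could be opened. The safer ordering is to declare policies and rules first and enable last — replace that task with `- name: enable ufw` / `ufw:` / `state: enabled` placed after the "allow https" task; `policy=allow` is redundant since the next task sets the default anyway. Separately, the file mixes `yes`/`True`/`False` with `true` and `key=value` module strings with block YAML (`apt: upgrade=yes`, `file: path=/swapfile mode=600`, the service handlers); yamllint's `truthy` rule and Ansible's style guidance both favour `true`/`false` and block-form arguments throughout, and the swapfile chmod should be written `mode: "0600"` so the octal intent is explicit.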
#!/usr/bin/env bash
echo "--- checking if splash page available..."
check-until-available(){
echo "--- check #$1"
count=$1
if [ ${count} -gt 300 ];then
echo "--- splash page not available after 5 minutes. exiting"
exit 0
else
status=$(curl -s https://signalboost.info | sed -n 1p | awk '{print $2}')
if [ ${status} != "200" ] && [ ${status} != "302" ];then
echo "--- not available. checking again in 5sec..."
let new_count=$count+1
sleep 5
check-until-available $new_count
else
echo "--- splash page available! continuing."
fi
fi
}
check-until-available 0
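Review bot: `curl -s https://signalboost.info` prints only the response body, not the status line, so `sed -n 1p | awk '{print $2}'` yields a word from the first line of the HTML (or nothing, in which case the unquoted `${status}` turns the test into the invalid `[ != "200" ]`) and the 200/302 comparison can never succeed, so the loop always runs to its limit. That limit also disagrees with its message — 300 checks at 5 s each is 25 minutes, not 5 — and the timeout branch ends with `exit 0`, which is why `failed_when: health_check_output.rc != 0` in deploy.yml can never trigger. Ask curl for the status code directly and exit non-zero on timeout, as below; the 300-check limit is kept and only the message is corrected, so adjust whichever was intended. The recursion could also become a plain `while` loop, but that is cosmetic.
```shell
check-until-available(){
  echo "--- check #$1"
  count=$1
  if [ "${count}" -gt 300 ];then
    echo "--- splash page not available after 25 minutes. exiting"
    exit 1
  else
    status=$(curl -s -o /dev/null -w '%{http_code}' https://signalboost.info)
    if [ "${status}" != "200" ] && [ "${status}" != "302" ];then
      # … unchanged: retry branch, "available" message, closing fi/fi/} …
```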
#!/usr/bin/env bash
pushd `pwd`> /dev/null # store current dir
cd `dirname "$0"` # cd to script path
echo "--- loading secrets..."
cd ..
../../bin/blackbox/postdeploy
set -a && source .env && set +a
echo "--- deploying..."
cd ansible
ansible-playbook \
-i inventory \
playbooks/deploy.yml
pushd > /dev/null
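Review bot: `../../bin/blackbox/postdeploy` resolves one directory too high: after `cd \`dirname "$0"\`` and `cd ..` the working directory is the splash directory (the later `cd ansible` only works from there, assuming this script lives in splash/bin), so `../../bin/...` points outside the repository, whereas the repo-level helper that deploy.yml invokes as `./bin/blackbox/postdeploy` from the clone root is reached from here as `../bin/blackbox/postdeploy`. The final `pushd > /dev/null` does not return to the saved directory either — a bare `pushd` swaps the top two stack entries — so it should be `popd > /dev/null`. With no `set -e`, a failing postdeploy or a missing `.env` would not stop the playbook from running against an incomplete environment; `set -euo pipefail` after the shebang would make that explicit.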
#!/usr/bin/env bash
docker ps -aq | xargs -I docker_id docker rm -f docker_id
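Review bot: `docker ps -aq | xargs -I docker_id docker rm -f docker_id` force-removes every container on the host, not just the splash ones, so if the machine ever runs anything else alongside the splash page a deploy will take it down. deploy.yml already runs this script from `{{ homedir }}` where the compose project lives, so `docker-compose down` would scope the teardown to this project; if the host-wide sweep is intended, a one-line comment saying so would save the next reader from "fixing" it.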