aufbau tor-relay (#221)

Co-authored-by: Michael Grote <michael.grote@posteo.de> Reviewed-on: mg/ansible#221 Co-authored-by: mg <michael.grote@posteo.de> Co-committed-by: mg <michael.grote@posteo.de>
2021-10-17 19:40:18 +02:00 · 2021-10-17 19:40:18 +02:00 · 2572f97fbc
commit 2572f97fbc
parent 640ecffecd
20 changed files with 246 additions and 9 deletions
--- a/group_vars/acng.yml
+++ b/group_vars/acng.yml
@ -12,7 +12,7 @@
      comment: 'munin'
      from_ip: 192.168.2.144/24
    - rule: allow
-      to_port: 9999
+      to_port: "{{ acng_server_port }}"
      comment: 'acng'
      from_ip: 0.0.0.0/0
  ### mgrote.acng
@ -35,3 +35,10 @@
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/acng
      config: |
        env.logfile /var/log/apt-cacher-ng/apt-cacher.log
+    - name: fail2ban
+      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
+      config: |
+        [fail2ban]
+        env.client /usr/bin/fail2ban-client
+        env.config_dir /etc/fail2ban
+        user root
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -28,6 +28,13 @@
      config: |
        [lvm_*]
        user root
+    - name: fail2ban
+      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
+      config: |
+        [fail2ban]
+        env.client /usr/bin/fail2ban-client
+        env.config_dir /etc/fail2ban
+        user root
  ### mgrote.dotfiles
  dotfiles_repo_url: https://git.mgrote.net/mg/dotfiles
  dotfiles_repo_path: /home/mg/dotfiles
@ -130,6 +137,7 @@
        - acng
        - ansible
        - physical
+        - tor
        - gitea
        - laptop
        - vmtest
--- a/group_vars/docker.yml
+++ b/group_vars/docker.yml
@ -44,6 +44,12 @@
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/docker_
    - name: docker_volumes
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/docker_
-
+    - name: fail2ban
+      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
+      config: |
+        [fail2ban]
+        env.client /usr/bin/fail2ban-client
+        env.config_dir /etc/fail2ban
+        user root
  ### mgrote.docker-compose-deploy
  docker_compose_base_dir: /home/mg/docker
--- a/group_vars/gitea.yml
+++ b/group_vars/gitea.yml
@ -9,12 +9,12 @@
      comment: 'ssh'
      from_ip: 0.0.0.0/0
    - rule: allow
-      to_port: 3000
+      to_port: "{{ gitea_http_port }}"
      protocol: tcp
      comment: 'gitea'
      from_ip: 0.0.0.0/0
    - rule: allow
-      to_port: 2222
+      to_port: "{{ gitea_ssh_port }}"
      protocol: tcp
      comment: 'gitea'
      from_ip: 0.0.0.0/0
--- a/group_vars/pihole.yml
+++ b/group_vars/pihole.yml
@ -57,3 +57,10 @@
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/pihole/pihole_blocked_domains
    - name: pihole_ads_percentage
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/pihole/pihole_ads_percentage
+    - name: fail2ban
+      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
+      config: |
+        [fail2ban]
+        env.client /usr/bin/fail2ban-client
+        env.config_dir /etc/fail2ban
+        user root
--- a/group_vars/proxmox.yml
+++ b/group_vars/proxmox.yml
@ -61,7 +61,13 @@
        group root
    - name: zfs_count
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/zfs_count
-
+    - name: fail2ban
+      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
+      config: |
+        [fail2ban]
+        env.client /usr/bin/fail2ban-client
+        env.config_dir /etc/fail2ban
+        user root
  # Ansible Variablen
  ### sudo
  sudo: false
--- a/group_vars/tor.yml
+++ b/group_vars/tor.yml
@ -0,0 +1,93 @@
+---
+  ### mgrote.tor-node
+  tor_relay_name: tor1mgrote
+  tor_or_port: 9001
+  tor_socks_port: 0
+  tor_control_socket: 0
+  tor_contact_info: webmaster(at)mgrote(dot)net
+  tor_control_port: 9051
+  tor_bandwidth_rate: 350 MBits
+  tor_bandwidth_burst: 350 MBits
+  ### oefenweb.ufw
+  ufw_rules:
+    - rule: allow
+      to_port: 22
+      protocol: tcp
+      comment: 'ssh'
+      from_ip: 0.0.0.0/0
+    - rule: allow
+      to_port: 4949
+      protocol: tcp
+      comment: 'munin'
+      from_ip: 0.0.0.0/0
+    - rule: allow
+      to_port: "{{ tor_or_port }}"
+      protocol: tcp
+      comment: 'tor'
+      from_ip: 0.0.0.0/0
+  ### geerlingguy.munin-node
+  munin_node_bind_port: "4949"
+  munin_node_allowed_cidrs: [0.0.0.0/0]
+  munin_node_plugins:
+    - name: chrony
+      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/chrony
+    - name: fail2ban
+      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
+      config: |
+        [fail2ban]
+        env.client /usr/bin/fail2ban-client
+        env.config_dir /etc/fail2ban
+        user root
+    - name: systemd_status
+      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/systemd_status
+    - name: lvm_
+      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/lvm_
+      config: |
+        [lvm_*]
+        user root
+    - name: tor_traffic
+      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/tor_
+      config: |
+        [tor_*]
+        user root
+        group root
+        env.torcachefile munin_tor_country_stats.json
+        env.torconnectmethod port
+        env.torgeoippath /usr/share/GeoIP/GeoIP.dat
+        env.tormaxcountries 15
+        env.torport {{ tor_control_port }}
+        env.torsocket /var/run/tor/control
+    - name: tor_bandwidth
+      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/tor_
+    - name: tor_connections
+      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/tor_
+    - name: tor_countries
+      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/tor_
+    - name: tor_dormant
+      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/tor_
+    - name: tor_routers
+      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/tor_
+  ### mgrote.ntp_chrony_server
+  ntp_chrony_timezone: "Europe/Berlin"
+  ntp_chrony_servers:
+    - address: ptbtime1.ptb.de
+      options: iburst
+    - address: ntp0.ewetel.de
+      options: iburst
+  ### mgrote.tmux
+  tmux_conf_destination: "/home/mg/.tmux.conf"
+  tmux_bashrc_destination: "/home/mg/.bashrc"
+  tmux_standardsession_name: "default"
+  ### mgrote.apt_install_packages
+  programs_extra:
+    - python3-stem # für munin-tor_
+    - geoip-bin # für munin-tor_
+    - geoip-database # für munin-tor_
+    - geoipupdate # für munin-tor_
+    - python3-geoip # für munin-tor_
+    - nyx # tor-cli-monitoring
+  ### mgrote.fail2ban
+  f2b_bantime: 3600
+  f2b_findtime: 600
+  f2b_maxretry: 3
+  f2b_send_email_report: false
--- a/host_vars/docker2.grote.lan.yml
+++ b/host_vars/docker2.grote.lan.yml
@ -63,7 +63,7 @@
      config: |
        [nextcloud_mgrote.next-cloud.org]
        env.username munin
-        env.password "{{ lookup('keepass', 'nextcloud_munin_user', 'password') }}"
+        env.password {{ lookup('keepass', 'nextcloud_munin_user', 'password') }}
        env.api_path /ocs/v2.php/apps/serverinfo/api/v1/info
        env.scheme https
    - name: docker_cpu
--- a/7
+++ b/7
@ -4,6 +4,11 @@ all:
      hosts:
        dokuwiki2.grote.lan:
        dokuwiki-test.grote.lan:
+    tor:
+      hosts:
+        tor1-test.grote.lan:
+        tor1.internet:
+          ansible_host: 19d8ffe.online-server.cloud
    fileserver:
      hosts:
        fileserver2.grote.lan:
@ -65,6 +70,7 @@ all:
        docker2.grote.lan:
        docker3.grote.lan:
        docker4.grote.lan:
+        tor1.internet:
    test:
      hosts:
        dokuwiki-test.grote.lan:
@ -77,3 +83,4 @@ all:
        pihole2-test.grote.lan:
        ntp-server-test.grote.lan:
        fileserver2-test.grote.lan:
+        tor1-test.grote.lan:
--- a/playbooks/3_service/tor.yml
+++ b/playbooks/3_service/tor.yml
@ -0,0 +1,4 @@
+---
+- hosts: tor
+  roles:
+    - { role: mgrote.tor-node, tags: "tor", become: true }
--- a/playbooks/base/apt_sources.yml
+++ b/playbooks/base/apt_sources.yml
@ -1,5 +1,8 @@
 ---
  - hosts: all
    roles:
-      - { role: mgrote.apt_manage_sources, tags: "apt_sources",
-          when: "not 'laptop' in group_names" }
+      - role: mgrote.apt_manage_sources
+        tags: "apt_sources"
+        when:
+          - "not 'laptop' in group_names"
+          - "not 'tor' in group_names"
--- a/playbooks/base/restic.yml
+++ b/playbooks/base/restic.yml
@ -1,4 +1,4 @@
 ---
  - hosts: all
    roles:
-      - { role: mgrote.restic, tags: "restic" }
+      - { role: mgrote.restic, tags: "restic", when: "not 'tor' in group_names" }
--- a/roles/mgrote.deactivate_ssh_password_login/tasks/main.yml
+++ b/roles/mgrote.deactivate_ssh_password_login/tasks/main.yml
@ -8,3 +8,24 @@
      state: present
      validate: "/usr/sbin/sshd -T -f %s"
    notify: restart_sshd
+
+  - name: prohibit ssh login with password
+    become: yes
+    ansible.builtin.lineinfile:
+      path: /etc/ssh/sshd_config
+      regexp: 'PasswordAuthentication yes'
+      line: 'PasswordAuthentication no'
+      state: present
+      validate: "/usr/sbin/sshd -T -f %s"
+    notify: restart_sshd
+
+
+  - name: prohibit ssh root login with password
+    become: yes
+    ansible.builtin.lineinfile:
+      path: /etc/ssh/sshd_config
+      regexp: 'PermitRootLogin yes'
+      line: 'PermitRootLogin no'
+      state: present
+      validate: "/usr/sbin/sshd -T -f %s"
+    notify: restart_sshd
--- a/roles/mgrote.fail2ban/defaults/main.yml
+++ b/roles/mgrote.fail2ban/defaults/main.yml
@ -5,3 +5,4 @@
  f2b_maxretry: 5
  f2b_destemail: michael.grote@posteo.de
  f2b_sender: info@mgrote.net
+  f2b_send_email_report: true
--- a/roles/mgrote.fail2ban/templates/jail.local
+++ b/roles/mgrote.fail2ban/templates/jail.local
@ -14,7 +14,10 @@ sender = {{ f2b_sender }}
 #action = %(action_mw)s

 # same as action_mw but also send relevant log lines
+{% if f2b_send_email_report %}
 action = %(action_mwl)s
+{% endif %}
+

 # JAILS
 [sshd]
--- a/roles/mgrote.tor-node/README.md
+++ b/roles/mgrote.tor-node/README.md
@ -0,0 +1,14 @@
+## mgrote.tor-node
+
+### Beschreibung
+Setzt ein tor-relay auf.
+ORPort muss in Firewall freigeschaltet sein.
+Es muss eine Portfreigabe im Router existieren.
+
+### getestet auf
+- [x] Ubuntu (>=20.04)
+- [ ] Debian
+- [ ] ProxMox 6.1
+
+### Variablen + Defaults
+see [defaults](./defaults/main.yml)
--- a/roles/mgrote.tor-node/defaults/main.yml
+++ b/roles/mgrote.tor-node/defaults/main.yml
@ -0,0 +1,13 @@
+---
+  # required
+  # [a-zA-Z0-9]
+  tor_relay_name: tor1name
+  tor_or_port: 443
+  tor_socks_port: 0
+  tor_control_socket: 0
+  tor_contact_info: webmaster@domain.local
+  tor_control_port: 9051
+  # optional
+  # tor_my_family: name
+  # tor_bandwidth_rate:
+  # tor_bandwidth_burst:
--- a/roles/mgrote.tor-node/handlers/main.yml
+++ b/roles/mgrote.tor-node/handlers/main.yml
@ -0,0 +1,7 @@
+---
+  - name: restart tor
+    become: yes
+    systemd:
+      name: tor
+      enabled: yes
+      state: restarted
--- a/roles/mgrote.tor-node/tasks/main.yml
+++ b/roles/mgrote.tor-node/tasks/main.yml
@ -0,0 +1,14 @@
+---
+  - name: install packages
+    become: yes
+    ansible.builtin.package:
+      name: tor
+      state: present
+    notify: restart tor
+
+  - name: templating torrc
+    become: yes
+    ansible.builtin.template:
+      src: "torrc"
+      dest: "/etc/tor/torrc"
+    notify: restart tor
--- a/roles/mgrote.tor-node/templates/torrc
+++ b/roles/mgrote.tor-node/templates/torrc
@ -0,0 +1,23 @@
+{{ file_header | default () }}
+
+Nickname {{ tor_relay_name }}
+ORPort {{ tor_or_port }}
+ExitRelay 0
+SocksPort {{ tor_socks_port }}
+ControlSocket {{ tor_control_socket }}
+ContactInfo {{ tor_contact_info }}
+ControlPort {{ tor_control_port }}
+CookieAuthentication 1
+ExitPolicy reject *:*
+
+{% if tor_bandwidth_rate is defined %}
+BandwidthRate {{ tor_bandwidth_rate }}
+{% endif %}
+
+{% if tor_bandwidth_burst is defined %}
+BandwidthBurst {{ tor_bandwidth_burst }}
+{% endif %}
+
+{% if tor_my_family is defined %}
+MyFamily {{ tor_my_family }}
+{% endif %}