From 2572f97fbc128ae66ab884ef6547782694ca0974 Mon Sep 17 00:00:00 2001 From: mg Date: Sun, 17 Oct 2021 19:40:18 +0200 Subject: [PATCH] aufbau tor-relay (#221) Co-authored-by: Michael Grote Reviewed-on: https://git.mgrote.net/mg/ansible/pulls/221 Co-authored-by: mg Co-committed-by: mg --- group_vars/acng.yml | 9 +- group_vars/all.yml | 8 ++ group_vars/docker.yml | 8 +- group_vars/gitea.yml | 4 +- group_vars/pihole.yml | 7 ++ group_vars/proxmox.yml | 8 +- group_vars/tor.yml | 93 +++++++++++++++++++ host_vars/docker2.grote.lan.yml | 2 +- inventory | 7 ++ playbooks/3_service/tor.yml | 4 + playbooks/base/apt_sources.yml | 7 +- playbooks/base/restic.yml | 2 +- .../tasks/main.yml | 21 +++++ roles/mgrote.fail2ban/defaults/main.yml | 1 + roles/mgrote.fail2ban/templates/jail.local | 3 + roles/mgrote.tor-node/README.md | 14 +++ roles/mgrote.tor-node/defaults/main.yml | 13 +++ roles/mgrote.tor-node/handlers/main.yml | 7 ++ roles/mgrote.tor-node/tasks/main.yml | 14 +++ roles/mgrote.tor-node/templates/torrc | 23 +++++ 20 files changed, 246 insertions(+), 9 deletions(-) create mode 100644 group_vars/tor.yml create mode 100644 playbooks/3_service/tor.yml create mode 100644 roles/mgrote.tor-node/README.md create mode 100644 roles/mgrote.tor-node/defaults/main.yml create mode 100644 roles/mgrote.tor-node/handlers/main.yml create mode 100644 roles/mgrote.tor-node/tasks/main.yml create mode 100644 roles/mgrote.tor-node/templates/torrc diff --git a/group_vars/acng.yml b/group_vars/acng.yml index f07f9f0b..37b28645 100644 --- a/group_vars/acng.yml +++ b/group_vars/acng.yml @@ -12,7 +12,7 @@ comment: 'munin' from_ip: 192.168.2.144/24 - rule: allow - to_port: 9999 + to_port: "{{ acng_server_port }}" comment: 'acng' from_ip: 0.0.0.0/0 ### mgrote.acng 
@@ -35,3 +35,10 @@ src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/acng config: | env.logfile /var/log/apt-cacher-ng/apt-cacher.log + - name: fail2ban + src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban + config: | + [fail2ban] + env.client /usr/bin/fail2ban-client + env.config_dir /etc/fail2ban + user root diff --git a/group_vars/all.yml b/group_vars/all.yml index c817e0c1..5fab21a0 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -28,6 +28,13 @@ config: | [lvm_*] user root + - name: fail2ban + src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban + config: | + [fail2ban] + env.client /usr/bin/fail2ban-client + env.config_dir /etc/fail2ban + user root ### mgrote.dotfiles dotfiles_repo_url: https://git.mgrote.net/mg/dotfiles dotfiles_repo_path: /home/mg/dotfiles @@ -130,6 +137,7 @@ - acng - ansible - physical + - tor - gitea - laptop - vmtest diff --git a/group_vars/docker.yml b/group_vars/docker.yml index 3754cdad..3f719414 100644 --- a/group_vars/docker.yml +++ b/group_vars/docker.yml @@ -44,6 +44,12 @@ src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/docker_ - name: docker_volumes src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/docker_ - + - name: fail2ban + src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban + config: | + [fail2ban] + env.client /usr/bin/fail2ban-client + env.config_dir /etc/fail2ban + user root ### mgrote.docker-compose-deploy docker_compose_base_dir: /home/mg/docker diff --git a/group_vars/gitea.yml b/group_vars/gitea.yml index 9556ffc4..0e7cef26 100644 --- a/group_vars/gitea.yml +++ b/group_vars/gitea.yml @@ -9,12 +9,12 @@ comment: 'ssh' from_ip: 0.0.0.0/0 - rule: allow - to_port: 3000 + to_port: "{{ gitea_http_port }}" protocol: tcp comment: 'gitea' from_ip: 0.0.0.0/0 - rule: allow - to_port: 2222 + to_port: "{{ gitea_ssh_port }}" protocol: tcp comment: 'gitea' from_ip: 0.0.0.0/0 
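Review bot: The same seven-line `fail2ban` munin plugin stanza is added verbatim to `group_vars/acng.yml`, `all.yml` and `docker.yml` here and again to `pihole.yml`, `proxmox.yml` and `tor.yml` further down; presumably this is because a group-level `munin_node_plugins` list replaces rather than merges with the one in `all.yml`, so every group that defines its own list has to repeat it. A single shared definition keeps the six copies in step when the plugin URL or its `env.*` settings change, e.g. `munin_plugin_fail2ban:` holding the stanza once in `all.yml` and `- "{{ munin_plugin_fail2ban }}"` as the list item in each group file. If the copies are kept, a one-line comment above each (`# keep in sync with group_vars/all.yml`) at least tells the next editor where the others are.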
diff --git a/group_vars/pihole.yml b/group_vars/pihole.yml index bf90dbeb..145d2322 100644 --- a/group_vars/pihole.yml +++ b/group_vars/pihole.yml @@ -57,3 +57,10 @@ src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/pihole/pihole_blocked_domains - name: pihole_ads_percentage src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/pihole/pihole_ads_percentage + - name: fail2ban + src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban + config: | + [fail2ban] + env.client /usr/bin/fail2ban-client + env.config_dir /etc/fail2ban + user root diff --git a/group_vars/proxmox.yml b/group_vars/proxmox.yml index 5f95e991..fe8ba6e1 100644 --- a/group_vars/proxmox.yml +++ b/group_vars/proxmox.yml @@ -61,7 +61,13 @@ group root - name: zfs_count src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/zfs_count - + - name: fail2ban + src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban + config: | + [fail2ban] + env.client /usr/bin/fail2ban-client + env.config_dir /etc/fail2ban + user root # Ansible Variablen ### sudo sudo: false diff --git a/group_vars/tor.yml b/group_vars/tor.yml new file mode 100644 index 00000000..3d7f39d7 --- /dev/null +++ b/group_vars/tor.yml 
@@ -0,0 +1,93 @@ +--- + ### mgrote.tor-node + tor_relay_name: tor1mgrote + tor_or_port: 9001 + tor_socks_port: 0 + tor_control_socket: 0 + tor_contact_info: webmaster(at)mgrote(dot)net + tor_control_port: 9051 + tor_bandwidth_rate: 350 MBits + tor_bandwidth_burst: 350 MBits + ### oefenweb.ufw + ufw_rules: + - rule: allow + to_port: 22 + protocol: tcp + comment: 'ssh' + from_ip: 0.0.0.0/0 + - rule: allow + to_port: 4949 + protocol: tcp + comment: 'munin' + from_ip: 0.0.0.0/0 + - rule: allow + to_port: "{{ tor_or_port }}" + protocol: tcp + comment: 'tor' + from_ip: 0.0.0.0/0 + ### geerlingguy.munin-node + munin_node_bind_port: "4949" + munin_node_allowed_cidrs: [0.0.0.0/0] + munin_node_plugins: + - name: chrony + src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/chrony + - name: fail2ban + src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban + config: | + [fail2ban] + env.client /usr/bin/fail2ban-client + env.config_dir /etc/fail2ban + user root + - name: systemd_status + src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/systemd_status + - name: lvm_ + src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/lvm_ + config: | + [lvm_*] + user root + - name: tor_traffic + src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/tor_ + config: | + [tor_*] + user root + group root + env.torcachefile munin_tor_country_stats.json + env.torconnectmethod port + env.torgeoippath /usr/share/GeoIP/GeoIP.dat + env.tormaxcountries 15 + env.torport {{ tor_control_port }} + env.torsocket /var/run/tor/control + - name: tor_bandwidth + src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/tor_ + - name: tor_connections + src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/tor_ + - name: tor_countries + src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/tor_ + - name: tor_dormant + src: 
https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/tor_ + - name: tor_routers + src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/tor_ + ### mgrote.ntp_chrony_server + ntp_chrony_timezone: "Europe/Berlin" + ntp_chrony_servers: + - address: ptbtime1.ptb.de + options: iburst + - address: ntp0.ewetel.de + options: iburst + ### mgrote.tmux + tmux_conf_destination: "/home/mg/.tmux.conf" + tmux_bashrc_destination: "/home/mg/.bashrc" + tmux_standardsession_name: "default" + ### mgrote.apt_install_packages + programs_extra: + - python3-stem # für munin-tor_ + - geoip-bin # für munin-tor_ + - geoip-database # für munin-tor_ + - geoipupdate # für munin-tor_ + - python3-geoip # für munin-tor_ + - nyx # tor-cli-monitoring + ### mgrote.fail2ban + f2b_bantime: 3600 + f2b_findtime: 600 + f2b_maxretry: 3 + f2b_send_email_report: false diff --git a/host_vars/docker2.grote.lan.yml b/host_vars/docker2.grote.lan.yml index 3f1fd4bc..fc855ca0 100644 --- a/host_vars/docker2.grote.lan.yml +++ b/host_vars/docker2.grote.lan.yml @@ -63,7 +63,7 @@ config: | [nextcloud_mgrote.next-cloud.org] env.username munin - env.password "{{ lookup('keepass', 'nextcloud_munin_user', 'password') }}" + env.password {{ lookup('keepass', 'nextcloud_munin_user', 'password') }} env.api_path /ocs/v2.php/apps/serverinfo/api/v1/info env.scheme https - name: docker_cpu diff --git a/inventory b/inventory index c62aaec5..dd202108 100644 --- a/inventory +++ b/inventory @@ -4,6 +4,11 @@ all: hosts: dokuwiki2.grote.lan: dokuwiki-test.grote.lan: + tor: + hosts: + tor1-test.grote.lan: + tor1.internet: + ansible_host: 19d8ffe.online-server.cloud fileserver: hosts: fileserver2.grote.lan: @@ -65,6 +70,7 @@ all: docker2.grote.lan: docker3.grote.lan: docker4.grote.lan: + tor1.internet: test: hosts: dokuwiki-test.grote.lan: @@ -77,3 +83,4 @@ all: pihole2-test.grote.lan: ntp-server-test.grote.lan: fileserver2-test.grote.lan: + tor1-test.grote.lan: 
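Review bot: `munin_node_allowed_cidrs: [0.0.0.0/0]` together with the ufw rule that allows `4949` from `0.0.0.0/0` exposes munin-node to the whole internet on a host that, per the inventory change in this patch, has a public address (`tor1.internet`). munin-node has no authentication of its own beyond the allowed-hosts list, so every plugin's output in this file (systemd unit status, LVM layout, tor connection and country statistics) becomes readable by anyone who can reach the port. Both settings should be narrowed to the munin master, e.g. `munin_node_allowed_cidrs: ["<munin-master-ip>/32"]` and `from_ip: <munin-master-ip>/32` on the 4949 rule, or the master should poll over a tunnel if it has to come in from outside. The `to_port: 22` rule from `0.0.0.0/0` is a judgement call since the same file sets `f2b_maxretry: 3` and the sshd role in this patch disables password login. Separately, `env.torsocket /var/run/tor/control` is set while `tor_control_socket: 0` disables the socket in the torrc template; with `env.torconnectmethod port` it is presumably unused, so dropping the line avoids a misleading path.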
diff --git a/playbooks/3_service/tor.yml b/playbooks/3_service/tor.yml new file mode 100644 index 00000000..32973ab8 --- /dev/null +++ b/playbooks/3_service/tor.yml @@ -0,0 +1,4 @@ +--- +- hosts: tor + roles: + - { role: mgrote.tor-node, tags: "tor", become: true } diff --git a/playbooks/base/apt_sources.yml b/playbooks/base/apt_sources.yml index 36d568e1..d9296d77 100644 --- a/playbooks/base/apt_sources.yml +++ b/playbooks/base/apt_sources.yml @@ -1,5 +1,8 @@ --- - hosts: all roles: - - { role: mgrote.apt_manage_sources, tags: "apt_sources", - when: "not 'laptop' in group_names" } + - role: mgrote.apt_manage_sources + tags: "apt_sources" + when: + - "not 'laptop' in group_names" + - "not 'tor' in group_names" diff --git a/playbooks/base/restic.yml b/playbooks/base/restic.yml index f592f96c..c2a58785 100644 --- a/playbooks/base/restic.yml +++ b/playbooks/base/restic.yml @@ -1,4 +1,4 @@ --- - hosts: all roles: - - { role: mgrote.restic, tags: "restic" } + - { role: mgrote.restic, tags: "restic", when: "not 'tor' in group_names" } diff --git a/roles/mgrote.deactivate_ssh_password_login/tasks/main.yml b/roles/mgrote.deactivate_ssh_password_login/tasks/main.yml index 8c7a0e9a..c24c65f1 100644 --- a/roles/mgrote.deactivate_ssh_password_login/tasks/main.yml +++ b/roles/mgrote.deactivate_ssh_password_login/tasks/main.yml @@ -8,3 +8,24 @@ state: present validate: "/usr/sbin/sshd -T -f %s" notify: restart_sshd + + - name: prohibit ssh login with password + become: yes + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: 'PasswordAuthentication yes' + line: 'PasswordAuthentication no' + state: present + validate: "/usr/sbin/sshd -T -f %s" + notify: restart_sshd + + + - name: prohibit ssh root login with password + become: yes + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: 'PermitRootLogin yes' + line: 'PermitRootLogin no' + state: present + validate: "/usr/sbin/sshd -T -f %s" + notify: restart_sshd 
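Review bot: In both added `lineinfile` tasks the `regexp` matches the literal value rather than the directive, so an sshd_config that already carries `PasswordAuthentication no` or `PermitRootLogin prohibit-password` (the usual stock default, often commented out) is not matched and the new line is appended at the end of the file, where it lands inside a trailing `Match` block if one exists and then applies only to that block, which `sshd -T` does not flag. Anchoring on the directive name fixes both tasks: `regexp: '^#?\s*PasswordAuthentication\s'` and `regexp: '^#?\s*PermitRootLogin\s'`. The second task's name says "root login with password", but `PermitRootLogin no` disables root login for every method including keys; either rename it (`prohibit ssh root login`) or use `line: 'PermitRootLogin prohibit-password'` if key-based root access is still needed somewhere. The task list these two tasks extend begins before the hunk.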
diff --git a/roles/mgrote.fail2ban/defaults/main.yml b/roles/mgrote.fail2ban/defaults/main.yml index fb532d00..476f0c81 100644 --- a/roles/mgrote.fail2ban/defaults/main.yml +++ b/roles/mgrote.fail2ban/defaults/main.yml @@ -5,3 +5,4 @@ f2b_maxretry: 5 f2b_destemail: michael.grote@posteo.de f2b_sender: info@mgrote.net + f2b_send_email_report: true diff --git a/roles/mgrote.fail2ban/templates/jail.local b/roles/mgrote.fail2ban/templates/jail.local index 594f0e81..812036b3 100644 --- a/roles/mgrote.fail2ban/templates/jail.local +++ b/roles/mgrote.fail2ban/templates/jail.local @@ -14,7 +14,10 @@ sender = {{ f2b_sender }} #action = %(action_mw)s # same as action_mw but also send relevant log lines +{% if f2b_send_email_report %} action = %(action_mwl)s +{% endif %} + # JAILS [sshd] diff --git a/roles/mgrote.tor-node/README.md b/roles/mgrote.tor-node/README.md new file mode 100644 index 00000000..7e4b82ae --- /dev/null +++ b/roles/mgrote.tor-node/README.md @@ -0,0 +1,14 @@ +## mgrote.tor-node + +### Beschreibung +Setzt ein tor-relay auf. +ORPort muss in Firewall freigeschaltet sein. +Es muss eine Portfreigabe im Router existieren. + +### getestet auf +- [x] Ubuntu (>=20.04) +- [ ] Debian +- [ ] ProxMox 6.1 + +### Variablen + Defaults +see [defaults](./defaults/main.yml) diff --git a/roles/mgrote.tor-node/defaults/main.yml b/roles/mgrote.tor-node/defaults/main.yml new file mode 100644 index 00000000..b3c1149d --- /dev/null +++ b/roles/mgrote.tor-node/defaults/main.yml @@ -0,0 +1,13 @@ +--- + # required + # [a-zA-Z0-9] + tor_relay_name: tor1name + tor_or_port: 443 + tor_socks_port: 0 + tor_control_socket: 0 + tor_contact_info: webmaster@domain.local + tor_control_port: 9051 + # optional + # tor_my_family: name + # tor_bandwidth_rate: + # tor_bandwidth_burst: diff --git a/roles/mgrote.tor-node/handlers/main.yml b/roles/mgrote.tor-node/handlers/main.yml new file mode 100644 index 00000000..b22db5b7 --- /dev/null +++ b/roles/mgrote.tor-node/handlers/main.yml 
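Review bot: When `f2b_send_email_report` is false the `action` key is now omitted from the section entirely, so fail2ban silently falls back to whatever `action` its packaged jail.conf defines (normally the ban-only `%(action_)s`); that is presumably the intent, but nothing in the template says so and the behaviour now depends on the distribution default. An explicit branch makes it visible: `{% else %}` / `action = %(action_)s` before the `{% endif %}`. The section this hunk edits (presumably `[DEFAULT]`) has its header outside the hunk.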
@@ -0,0 +1,7 @@ +--- + - name: restart tor + become: yes + systemd: + name: tor + enabled: yes + state: restarted diff --git a/roles/mgrote.tor-node/tasks/main.yml b/roles/mgrote.tor-node/tasks/main.yml new file mode 100644 index 00000000..f3df8062 --- /dev/null +++ b/roles/mgrote.tor-node/tasks/main.yml @@ -0,0 +1,14 @@ +--- + - name: install packages + become: yes + ansible.builtin.package: + name: tor + state: present + notify: restart tor + + - name: templating torrc + become: yes + ansible.builtin.template: + src: "torrc" + dest: "/etc/tor/torrc" + notify: restart tor diff --git a/roles/mgrote.tor-node/templates/torrc b/roles/mgrote.tor-node/templates/torrc new file mode 100644 index 00000000..b433b731 --- /dev/null +++ b/roles/mgrote.tor-node/templates/torrc @@ -0,0 +1,23 @@ +{{ file_header | default () }} + +Nickname {{ tor_relay_name }} +ORPort {{ tor_or_port }} +ExitRelay 0 +SocksPort {{ tor_socks_port }} +ControlSocket {{ tor_control_socket }} +ContactInfo {{ tor_contact_info }} +ControlPort {{ tor_control_port }} +CookieAuthentication 1 +ExitPolicy reject *:* + +{% if tor_bandwidth_rate is defined %} +BandwidthRate {{ tor_bandwidth_rate }} +{% endif %} + +{% if tor_bandwidth_burst is defined %} +BandwidthBurst {{ tor_bandwidth_burst }} +{% endif %} + +{% if tor_my_family is defined %} +MyFamily {{ tor_my_family }} +{% endif %}
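Review bot: The `templating torrc` task writes the relay configuration without a `validate` step, so a bad render (for example a `tor_relay_name` outside the `[a-zA-Z0-9]` set the defaults file warns about, or an unparseable bandwidth value) is only discovered when the `restart tor` handler takes the relay down and it fails to come back. Adding `validate: "/usr/bin/tor --verify-config -f %s"` to the template task catches this before the restart; it is worth one manual run as the privileged user first, since `--verify-config` checks paths and ownership as well as syntax. The handler in the same patch uses the short module name `systemd:` while these tasks use `ansible.builtin.package` and `ansible.builtin.template`; `ansible.builtin.systemd` keeps the role consistent. `become: yes` and `enabled: yes` in both files could be written `true` to match the boolean form yamllint's truthy rule expects.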
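Review bot: `ControlSocket {{ tor_control_socket }}` renders `ControlSocket 0` with the role defaults; I could not confirm from here that tor treats `0` as "no socket" for this path-valued option the way it does for the port options, so the line is safer guarded like the bandwidth and `MyFamily` lines: `{% if tor_control_socket %}` / `ControlSocket {{ tor_control_socket }}` / `{% endif %}`. `{{ file_header | default () }}` works, but the space before `()` is unusual; `{{ file_header | default() }}` is the conventional Jinja filter call. The non-exit settings (`ExitRelay 0`, `ExitPolicy reject *:*`) and `CookieAuthentication 1` on the control port are the right choices for a middle relay and deserve a comment so they are not "tidied up" later, e.g. `# Middle relay only: never act as an exit; control port requires the auth cookie`.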