aufbau tor-relay (#221)

Co-authored-by: Michael Grote <michael.grote@posteo.de> Reviewed-on: mg/ansible#221 Co-authored-by: mg <michael.grote@posteo.de> Co-committed-by: mg <michael.grote@posteo.de>
2021-10-17 19:40:18 +02:00 · 2021-10-17 19:40:18 +02:00 · 2572f97fbc
commit 2572f97fbc
parent 640ecffecd
20 changed files with 246 additions and 9 deletions
--- a/group_vars/acng.yml
+++ b/group_vars/acng.yml
@ -12,7 +12,7 @@
      comment: 'munin'
      from_ip: 192.168.2.144/24
    - rule: allow
-      to_port: 9999
+      to_port: "{{ acng_server_port }}"
      comment: 'acng'
      from_ip: 0.0.0.0/0
  ### mgrote.acng
@ -35,3 +35,10 @@
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/acng
      config: |
        env.logfile /var/log/apt-cacher-ng/apt-cacher.log
    - name: fail2ban
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
      config: |
        [fail2ban]
        env.client /usr/bin/fail2ban-client
        env.config_dir /etc/fail2ban
        user root
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -28,6 +28,13 @@
      config: |
        [lvm_*]
        user root
    - name: fail2ban
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
      config: |
        [fail2ban]
        env.client /usr/bin/fail2ban-client
        env.config_dir /etc/fail2ban
        user root
  ### mgrote.dotfiles
  dotfiles_repo_url: https://git.mgrote.net/mg/dotfiles
  dotfiles_repo_path: /home/mg/dotfiles
@ -130,6 +137,7 @@
        - acng
        - ansible
        - physical
        - tor
        - gitea
        - laptop
        - vmtest
--- a/group_vars/docker.yml
+++ b/group_vars/docker.yml
@ -44,6 +44,12 @@
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/docker_
    - name: docker_volumes
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/docker_
-
+    - name: fail2ban
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
      config: |
        [fail2ban]
        env.client /usr/bin/fail2ban-client
        env.config_dir /etc/fail2ban
        user root
  ### mgrote.docker-compose-deploy
  docker_compose_base_dir: /home/mg/docker
--- a/group_vars/gitea.yml
+++ b/group_vars/gitea.yml
@ -9,12 +9,12 @@
      comment: 'ssh'
      from_ip: 0.0.0.0/0
    - rule: allow
-      to_port: 3000
+      to_port: "{{ gitea_http_port }}"
      protocol: tcp
      comment: 'gitea'
      from_ip: 0.0.0.0/0
    - rule: allow
-      to_port: 2222
+      to_port: "{{ gitea_ssh_port }}"
      protocol: tcp
      comment: 'gitea'
      from_ip: 0.0.0.0/0
--- a/group_vars/pihole.yml
+++ b/group_vars/pihole.yml
@ -57,3 +57,10 @@
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/pihole/pihole_blocked_domains
    - name: pihole_ads_percentage
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/pihole/pihole_ads_percentage
    - name: fail2ban
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
      config: |
        [fail2ban]
        env.client /usr/bin/fail2ban-client
        env.config_dir /etc/fail2ban
        user root
--- a/group_vars/proxmox.yml
+++ b/group_vars/proxmox.yml
@ -61,7 +61,13 @@
        group root
    - name: zfs_count
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/zfs_count
-
+    - name: fail2ban
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
      config: |
        [fail2ban]
        env.client /usr/bin/fail2ban-client
        env.config_dir /etc/fail2ban
        user root
  # Ansible Variablen
  ### sudo
  sudo: false
--- a/group_vars/tor.yml
+++ b/group_vars/tor.yml
@ -0,0 +1,93 @@
 ---
  ### mgrote.tor-node
  tor_relay_name: tor1mgrote
  tor_or_port: 9001
  tor_socks_port: 0
  tor_control_socket: 0
  tor_contact_info: webmaster(at)mgrote(dot)net
  tor_control_port: 9051
  tor_bandwidth_rate: 350 MBits
  tor_bandwidth_burst: 350 MBits
  ### oefenweb.ufw
  ufw_rules:
    - rule: allow
      to_port: 22
      protocol: tcp
      comment: 'ssh'
      from_ip: 0.0.0.0/0
    - rule: allow
      to_port: 4949
      protocol: tcp
      comment: 'munin'
      from_ip: 0.0.0.0/0
    - rule: allow
      to_port: "{{ tor_or_port }}"
      protocol: tcp
      comment: 'tor'
      from_ip: 0.0.0.0/0
  ### geerlingguy.munin-node
  munin_node_bind_port: "4949"
  munin_node_allowed_cidrs: [0.0.0.0/0]
  munin_node_plugins:
    - name: chrony
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/chrony
    - name: fail2ban
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
      config: |
        [fail2ban]
        env.client /usr/bin/fail2ban-client
        env.config_dir /etc/fail2ban
        user root
    - name: systemd_status
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/systemd_status
    - name: lvm_
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/lvm_
      config: |
        [lvm_*]
        user root
    - name: tor_traffic
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/tor_
      config: |
        [tor_*]
        user root
        group root
        env.torcachefile munin_tor_country_stats.json
        env.torconnectmethod port
        env.torgeoippath /usr/share/GeoIP/GeoIP.dat
        env.tormaxcountries 15
        env.torport {{ tor_control_port }}
        env.torsocket /var/run/tor/control
    - name: tor_bandwidth
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/tor_
    - name: tor_connections
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/tor_
    - name: tor_countries
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/tor_
    - name: tor_dormant
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/tor_
    - name: tor_routers
      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/tor_
  ### mgrote.ntp_chrony_server
  ntp_chrony_timezone: "Europe/Berlin"
  ntp_chrony_servers:
    - address: ptbtime1.ptb.de
      options: iburst
    - address: ntp0.ewetel.de
      options: iburst
  ### mgrote.tmux
  tmux_conf_destination: "/home/mg/.tmux.conf"
  tmux_bashrc_destination: "/home/mg/.bashrc"
  tmux_standardsession_name: "default"
  ### mgrote.apt_install_packages
  programs_extra:
    - python3-stem # für munin-tor_
    - geoip-bin # für munin-tor_
    - geoip-database # für munin-tor_
    - geoipupdate # für munin-tor_
    - python3-geoip # für munin-tor_
    - nyx # tor-cli-monitoring
  ### mgrote.fail2ban
  f2b_bantime: 3600
  f2b_findtime: 600
  f2b_maxretry: 3
  f2b_send_email_report: false
--- a/host_vars/docker2.grote.lan.yml
+++ b/host_vars/docker2.grote.lan.yml
@ -63,7 +63,7 @@
      config: |
        [nextcloud_mgrote.next-cloud.org]
        env.username munin
-        env.password "{{ lookup('keepass', 'nextcloud_munin_user', 'password') }}"
+        env.password {{ lookup('keepass', 'nextcloud_munin_user', 'password') }}
        env.api_path /ocs/v2.php/apps/serverinfo/api/v1/info
        env.scheme https
    - name: docker_cpu
--- a/7
+++ b/7
@ -4,6 +4,11 @@ all:
      hosts:
        dokuwiki2.grote.lan:
        dokuwiki-test.grote.lan:
    tor:
      hosts:
        tor1-test.grote.lan:
        tor1.internet:
          ansible_host: 19d8ffe.online-server.cloud
    fileserver:
      hosts:
        fileserver2.grote.lan:
@ -65,6 +70,7 @@ all:
        docker2.grote.lan:
        docker3.grote.lan:
        docker4.grote.lan:
        tor1.internet:
    test:
      hosts:
        dokuwiki-test.grote.lan:
@ -77,3 +83,4 @@ all:
        pihole2-test.grote.lan:
        ntp-server-test.grote.lan:
        fileserver2-test.grote.lan:
        tor1-test.grote.lan:
--- a/playbooks/3_service/tor.yml
+++ b/playbooks/3_service/tor.yml
@ -0,0 +1,4 @@
 ---
 - hosts: tor
  roles:
    - { role: mgrote.tor-node, tags: "tor", become: true }
--- a/playbooks/base/apt_sources.yml
+++ b/playbooks/base/apt_sources.yml
@ -1,5 +1,8 @@
 ---
  - hosts: all
    roles:
-      - { role: mgrote.apt_manage_sources, tags: "apt_sources",
+      - role: mgrote.apt_manage_sources
-          when: "not 'laptop' in group_names" }
+        tags: "apt_sources"
        when:
          - "not 'laptop' in group_names"
          - "not 'tor' in group_names"
--- a/playbooks/base/restic.yml
+++ b/playbooks/base/restic.yml
@ -1,4 +1,4 @@
 ---
  - hosts: all
    roles:
-      - { role: mgrote.restic, tags: "restic" }
+      - { role: mgrote.restic, tags: "restic", when: "not 'tor' in group_names" }
--- a/roles/mgrote.deactivate_ssh_password_login/tasks/main.yml
+++ b/roles/mgrote.deactivate_ssh_password_login/tasks/main.yml
@ -8,3 +8,24 @@
      state: present
      validate: "/usr/sbin/sshd -T -f %s"
    notify: restart_sshd
  - name: prohibit ssh login with password
    become: yes
    ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: 'PasswordAuthentication yes'
      line: 'PasswordAuthentication no'
      state: present
      validate: "/usr/sbin/sshd -T -f %s"
    notify: restart_sshd
  - name: prohibit ssh root login with password
    become: yes
    ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: 'PermitRootLogin yes'
      line: 'PermitRootLogin no'
      state: present
      validate: "/usr/sbin/sshd -T -f %s"
    notify: restart_sshd
--- a/roles/mgrote.fail2ban/defaults/main.yml
+++ b/roles/mgrote.fail2ban/defaults/main.yml
@ -5,3 +5,4 @@
  f2b_maxretry: 5
  f2b_destemail: michael.grote@posteo.de
  f2b_sender: info@mgrote.net
  f2b_send_email_report: true
--- a/roles/mgrote.fail2ban/templates/jail.local
+++ b/roles/mgrote.fail2ban/templates/jail.local
@ -14,7 +14,10 @@ sender = {{ f2b_sender }}
 #action = %(action_mw)s
 # same as action_mw but also send relevant log lines
 {% if f2b_send_email_report %}
 action = %(action_mwl)s
 {% endif %}
 # JAILS
 [sshd]
--- a/roles/mgrote.tor-node/README.md
+++ b/roles/mgrote.tor-node/README.md
@ -0,0 +1,14 @@
 ## mgrote.tor-node
 ### Beschreibung
 Setzt ein tor-relay auf.
 ORPort muss in Firewall freigeschaltet sein.
 Es muss eine Portfreigabe im Router existieren.
 ### getestet auf
 - [x] Ubuntu (>=20.04)
 - [ ] Debian
 - [ ] ProxMox 6.1
 ### Variablen + Defaults
 see [defaults](./defaults/main.yml)
--- a/roles/mgrote.tor-node/defaults/main.yml
+++ b/roles/mgrote.tor-node/defaults/main.yml
@ -0,0 +1,13 @@
 ---
  # required
  # [a-zA-Z0-9]
  tor_relay_name: tor1name
  tor_or_port: 443
  tor_socks_port: 0
  tor_control_socket: 0
  tor_contact_info: webmaster@domain.local
  tor_control_port: 9051
  # optional
  # tor_my_family: name
  # tor_bandwidth_rate:
  # tor_bandwidth_burst:
--- a/roles/mgrote.tor-node/handlers/main.yml
+++ b/roles/mgrote.tor-node/handlers/main.yml
@ -0,0 +1,7 @@
 ---
  - name: restart tor
    become: yes
    systemd:
      name: tor
      enabled: yes
      state: restarted
--- a/roles/mgrote.tor-node/tasks/main.yml
+++ b/roles/mgrote.tor-node/tasks/main.yml
@ -0,0 +1,14 @@
 ---
  - name: install packages
    become: yes
    ansible.builtin.package:
      name: tor
      state: present
    notify: restart tor
  - name: templating torrc
    become: yes
    ansible.builtin.template:
      src: "torrc"
      dest: "/etc/tor/torrc"
    notify: restart tor
--- a/roles/mgrote.tor-node/templates/torrc
+++ b/roles/mgrote.tor-node/templates/torrc
@ -0,0 +1,23 @@
 {{ file_header | default () }}
 Nickname {{ tor_relay_name }}
 ORPort {{ tor_or_port }}
 ExitRelay 0
 SocksPort {{ tor_socks_port }}
 ControlSocket {{ tor_control_socket }}
 ContactInfo {{ tor_contact_info }}
 ControlPort {{ tor_control_port }}
 CookieAuthentication 1
 ExitPolicy reject *:*
 {% if tor_bandwidth_rate is defined %}
 BandwidthRate {{ tor_bandwidth_rate }}
 {% endif %}
 {% if tor_bandwidth_burst is defined %}
 BandwidthBurst {{ tor_bandwidth_burst }}
 {% endif %}
 {% if tor_my_family is defined %}
 MyFamily {{ tor_my_family }}
 {% endif %}