Remove f2b gateway bouncer
To be replaced by something more sensible
This commit is contained in:
parent
43051235bd
commit
393a947cb7
18 changed files with 0 additions and 168 deletions
|
@ -1,6 +1,5 @@
|
||||||
nebula_is_lighthouse: true
|
nebula_is_lighthouse: true
|
||||||
nebula_listen_port: "{{ nebula_lighthouse_port }}"
|
nebula_listen_port: "{{ nebula_lighthouse_port }}"
|
||||||
ssh_extra_allowed_users: f2b@{{ nebula.cidr }} f2b@{{ pve_hosts.internal_cidr }} f2b@{{ tailscale_cidr }}
|
|
||||||
|
|
||||||
nginx_https_redirect: true
|
nginx_https_redirect: true
|
||||||
|
|
||||||
|
|
|
@ -5,6 +5,4 @@ traefik_provider_homeassistant: true
|
||||||
traefik_provider_grafana: true
|
traefik_provider_grafana: true
|
||||||
traefik_provider_uptime_kuma: true
|
traefik_provider_uptime_kuma: true
|
||||||
|
|
||||||
with_fail2ban: true
|
|
||||||
|
|
||||||
db_backups_dir: /mnt/tank/files/db-backups
|
db_backups_dir: /mnt/tank/files/db-backups
|
||||||
|
|
|
@ -14,7 +14,6 @@
|
||||||
- gateway
|
- gateway
|
||||||
- nebula
|
- nebula
|
||||||
- headscale
|
- headscale
|
||||||
- fail2ban_ssh
|
|
||||||
- restic
|
- restic
|
||||||
- artis3n.tailscale
|
- artis3n.tailscale
|
||||||
- glinet_vpn
|
- glinet_vpn
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
f2b_user: f2b
|
|
|
@ -1,8 +0,0 @@
|
||||||
#!/usr/bin/env bash
|
|
||||||
|
|
||||||
set -e
|
|
||||||
|
|
||||||
# Remove `-c` argument
|
|
||||||
shift
|
|
||||||
|
|
||||||
sudo fail2ban-client $@
|
|
|
@ -1,10 +0,0 @@
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
65656562376262323162613131353164623832616263313530383838623161333739393037363362
|
|
||||||
3332616430663862363566613532396230643636376537620a356261383430643566323264343437
|
|
||||||
39333034643632316130303136326433613333383738386531353530633539616661626664626430
|
|
||||||
3230666237616165650a326536313835643135626135316437356363623562343538383132306539
|
|
||||||
38366339356565393336396133616261363232356139623164623738633138363963353637353734
|
|
||||||
33333334313864376131653535653132626366306630393764353464636331316564616230396663
|
|
||||||
31363463643765386538643761666265383166353765633233323934663235316331346465653234
|
|
||||||
31396139633936363738383766356135656434343338623137663436626436663866366663363534
|
|
||||||
3364
|
|
|
@ -1,34 +0,0 @@
|
||||||
- name: Make user
|
|
||||||
user:
|
|
||||||
name: "{{ f2b_user }}"
|
|
||||||
comment: "{{ me.user }}"
|
|
||||||
shell: /home/{{ f2b_user }}/f2b-entrypoint.sh
|
|
||||||
system: false
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Give user sudo access to client
|
|
||||||
lineinfile:
|
|
||||||
path: /etc/sudoers
|
|
||||||
line: "{{ f2b_user }} ALL=(ALL) NOPASSWD: /usr/bin/fail2ban-client"
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Allow custom shell
|
|
||||||
lineinfile:
|
|
||||||
path: /etc/shells
|
|
||||||
line: /home/{{ f2b_user }}/f2b-entrypoint.sh
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Create entrypoint
|
|
||||||
template:
|
|
||||||
src: files/f2b-entrypoint.sh
|
|
||||||
dest: /home/{{ f2b_user }}/f2b-entrypoint.sh
|
|
||||||
mode: "755"
|
|
||||||
become: true
|
|
||||||
register: sshd_config
|
|
||||||
|
|
||||||
- name: Set up authorized keys
|
|
||||||
ansible.posix.authorized_key:
|
|
||||||
user: "{{ f2b_user }}"
|
|
||||||
state: present
|
|
||||||
key: "{{ lookup('file', 'files/f2b_key.pub') }}"
|
|
||||||
become: true
|
|
|
@ -2,5 +2,3 @@ traefik_provider_jellyfin: false
|
||||||
traefik_provider_homeassistant: false
|
traefik_provider_homeassistant: false
|
||||||
traefik_provider_grafana: false
|
traefik_provider_grafana: false
|
||||||
traefik_provider_uptime_kuma: false
|
traefik_provider_uptime_kuma: false
|
||||||
|
|
||||||
with_fail2ban: false
|
|
||||||
|
|
|
@ -8,7 +8,6 @@ services:
|
||||||
- CF_DNS_API_TOKEN={{ vault_cloudflare_api_token }}
|
- CF_DNS_API_TOKEN={{ vault_cloudflare_api_token }}
|
||||||
- GANDIV5_API_KEY={{ vault_gandi_api_key }}
|
- GANDIV5_API_KEY={{ vault_gandi_api_key }}
|
||||||
volumes:
|
volumes:
|
||||||
- /tmp/traefik-logs:/var/log/traefik
|
|
||||||
- ./traefik:/etc/traefik
|
- ./traefik:/etc/traefik
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
ports:
|
ports:
|
||||||
|
|
|
@ -1,25 +0,0 @@
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
62333161626439326166306363343866616336646134376134326265386134343338313164653334
|
|
||||||
3131633561363730376161323034643836333738303361320a613764383135373933636537333331
|
|
||||||
32633335663462653361643538656533313633666666303830363533616263663135323635613235
|
|
||||||
3738396530363130370a323338663966353333373862353964636333343436613932303765373035
|
|
||||||
61353363633836613830346631323565326338616331353665653333383065376565626164306266
|
|
||||||
32346133643635626632326133333933656333346336336232613536386661366537383439646632
|
|
||||||
35323838633266633263646563323834363066336432663665616433303632646234326266653036
|
|
||||||
35666532383261663430303764383833396336393031316361633563336538663931333736633161
|
|
||||||
33333230343731663038626362353163663363396134303431393061333136393664643535393662
|
|
||||||
65333561623335656635393364666135343462646237316138393637356261303634383830636462
|
|
||||||
63336231643030643636643431616434643765373037393832613563323132383864383365316365
|
|
||||||
35663930373938653163363436373236313162353661646531333461643463663336383332633431
|
|
||||||
63633938306533343561646663393165353633306131336135633762306666326465306335343665
|
|
||||||
34323261623531646566626561643465333737323562646137366235363339663163656566383266
|
|
||||||
39326637373739623338653633633237396362633062303033366530383334353032643434623339
|
|
||||||
38633563396432326430386638333837343733633364336536626563363932646636343333326333
|
|
||||||
63326566663265346537633134653636636436323738396530326332656165396635316634653133
|
|
||||||
31373137636233323563343433383837633132636434303134313431343364313735316633343732
|
|
||||||
62663537616663356133636337373630616134363262333332303965393463643833343561386639
|
|
||||||
62316136363661653430336566323539643239346539353535346539646138366462346634336165
|
|
||||||
37343737656564333365346538656661343165623037613030356233626534306533303738646363
|
|
||||||
35396566303561366333363265373733636138336533336534393262643831613836326639623633
|
|
||||||
62313830626264323965303933393466643433373136353232383262323963613432313139303062
|
|
||||||
34373236363635623337
|
|
|
@ -1,6 +0,0 @@
|
||||||
[Definition]
|
|
||||||
actionban = ssh -p 7743 f2b@{{ nebula.clients.casey.ip }} -i /etc/fail2ban/f2b_key.key set traefik banip <ip>
|
|
||||||
actionunban = ssh -p 7743 f2b@{{ nebula.clients.casey.ip }} -i /etc/fail2ban/f2b_key.key set traefik unbanip <ip>
|
|
||||||
actioncheck =
|
|
||||||
actionstart =
|
|
||||||
actionstop =
|
|
|
@ -1,4 +0,0 @@
|
||||||
[Definition]
|
|
||||||
failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\" .+$
|
|
||||||
ignoreregex =
|
|
||||||
mode = normal
|
|
|
@ -1,10 +0,0 @@
|
||||||
[traefik]
|
|
||||||
enabled = true
|
|
||||||
bantime = 6000
|
|
||||||
findtime = 300
|
|
||||||
maxretry = 5
|
|
||||||
filter = traefik
|
|
||||||
logpath = /tmp/traefik-logs/access.log
|
|
||||||
port = http,https
|
|
||||||
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
|
|
||||||
action = gateway
|
|
|
@ -1,8 +0,0 @@
|
||||||
/tmp/traefik-logs/access.log {
|
|
||||||
daily
|
|
||||||
rotate 7
|
|
||||||
missingok
|
|
||||||
compress
|
|
||||||
nodateext
|
|
||||||
notifempty
|
|
||||||
}
|
|
|
@ -86,9 +86,3 @@ tls:
|
||||||
|
|
||||||
pilot:
|
pilot:
|
||||||
dashboard: false
|
dashboard: false
|
||||||
|
|
||||||
accessLog:
|
|
||||||
filePath: "/var/log/traefik/access.log"
|
|
||||||
filters:
|
|
||||||
statusCodes:
|
|
||||||
- "400-600"
|
|
||||||
|
|
|
@ -2,9 +2,3 @@
|
||||||
shell:
|
shell:
|
||||||
chdir: /opt/traefik
|
chdir: /opt/traefik
|
||||||
cmd: "{{ docker_update_command }}"
|
cmd: "{{ docker_update_command }}"
|
||||||
|
|
||||||
- name: restart fail2ban
|
|
||||||
service:
|
|
||||||
name: fail2ban
|
|
||||||
state: restarted
|
|
||||||
become: true
|
|
||||||
|
|
|
@ -1,32 +0,0 @@
|
||||||
- name: Create jail
|
|
||||||
template:
|
|
||||||
src: files/fail2ban/traefik-jail.conf
|
|
||||||
dest: /etc/fail2ban/jail.d/traefik.conf
|
|
||||||
mode: "644"
|
|
||||||
become: true
|
|
||||||
notify: restart fail2ban
|
|
||||||
|
|
||||||
- name: Create filter
|
|
||||||
template:
|
|
||||||
src: files/fail2ban/traefik-filter.conf
|
|
||||||
dest: /etc/fail2ban/filter.d/traefik.conf
|
|
||||||
mode: "644"
|
|
||||||
become: true
|
|
||||||
notify: restart fail2ban
|
|
||||||
|
|
||||||
- name: Create action
|
|
||||||
template:
|
|
||||||
src: files/fail2ban/remote-action.conf
|
|
||||||
dest: /etc/fail2ban/action.d/gateway.conf
|
|
||||||
mode: "644"
|
|
||||||
become: true
|
|
||||||
notify: restart fail2ban
|
|
||||||
|
|
||||||
- name: Create SSH key
|
|
||||||
copy:
|
|
||||||
src: files/fail2ban/f2b_key.key
|
|
||||||
dest: /etc/fail2ban/f2b_key.key
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: "0600"
|
|
||||||
become: true
|
|
|
@ -100,14 +100,3 @@
|
||||||
notify: restart traefik
|
notify: restart traefik
|
||||||
when: traefik_provider_uptime_kuma
|
when: traefik_provider_uptime_kuma
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
- name: logrotate config
|
|
||||||
template:
|
|
||||||
src: files/logrotate.conf
|
|
||||||
dest: /etc/logrotate.d/traefik
|
|
||||||
mode: "0600"
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: fail2ban
|
|
||||||
include_tasks: fail2ban.yml
|
|
||||||
when: with_fail2ban
|
|
||||||
|
|