diff --git a/lotus-land-story/miniflux.yml b/lotus-land-story/miniflux.yml index 28030e8..ab73413 100644 --- a/lotus-land-story/miniflux.yml +++ b/lotus-land-story/miniflux.yml @@ -53,8 +53,7 @@ - name: Run Miniflux community.docker.docker_container: - # recreate: true - # restart: true + restart: true name: miniflux image: miniflux/miniflux:{{ miniflux.version }} env: @@ -72,4 +71,8 @@ etc_hosts: host.docker.internal: host-gateway + handlers: + - name: Import restarts + ansible.builtin.import_tasks: restarts.yml + # vim: ft=yaml.ansible diff --git a/lotus-land-story/postgres.yml b/lotus-land-story/postgres.yml index c5b0f58..5a5b56a 100644 --- a/lotus-land-story/postgres.yml +++ b/lotus-land-story/postgres.yml @@ -25,6 +25,30 @@ state: present notify: Restart postgres + - name: Allow access from localhost + community.general.ufw: + rule: allow + port: 5432 + proto: tcp + from_ip: 127.0.0.1 + notify: Reload ufw + + - name: Allow access from docker + notify: Reload ufw + block: + + - name: Get docker network + community.docker.docker_network: + name: lotus_land_story + register: docker_network + - name: Allow access from docker network + community.general.ufw: + rule: allow + port: 5432 + proto: tcp + from_ip: "{{ docker_network.network.IPAM.Config[0].Subnet }}" + notify: Reload ufw + handlers: - name: Import restarts ansible.builtin.import_tasks: restarts.yml diff --git a/lotus-land-story/restarts.yml b/lotus-land-story/restarts.yml index 27b44ff..4ef4e97 100644 --- a/lotus-land-story/restarts.yml +++ b/lotus-land-story/restarts.yml @@ -8,4 +8,13 @@ name: docker state: restarted +- name: Reload ufw + community.general.ufw: + state: reloaded + +- name: Restart ssh + ansible.builtin.service: + name: ssh + state: restarted + # vim: ft=yaml.ansible diff --git a/on-fire-within/main.yml b/on-fire-within/main.yml index 852c057..e7018fd 100644 --- a/on-fire-within/main.yml +++ b/on-fire-within/main.yml 
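Review bot: `restart: true` on `community.docker.docker_container` forces a stop/start of the miniflux container on every play run, so the `Run Miniflux` task is never idempotent and the service is interrupted on each apply even when image and env are unchanged. If the goal is only to pick up configuration changes, drop the key and rely on the module's recreate-on-difference behaviour, or notify a handler from the tasks that change the configuration (this play now imports handlers from `restarts.yml`, so a `Restart miniflux` handler would fit there). A short comment on the line explaining why an unconditional restart is wanted would be the minimum if it is intentional.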
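Review bot: The `Allow access from docker network` rule opens 5432 to every container on the `lotus_land_story` network rather than only the consumer that needs Postgres, and because the range is read back from Docker at run time via `docker_network.network.IPAM.Config[0].Subnet`, recreating the network with a different range leaves the old allow in place and adds a new one (the ufw module only adds rules). Pinning the range in the network definition, `ipam_config: [{subnet: "<DOCKER_SUBNET_PLACEHOLDER>"}]`, makes the firewall rule deterministic, and Postgres's own `pg_hba.conf` should be limited to the same range, which this hunk does not touch. The `notify: Reload ufw` on the block duplicates the one on the inner task; one is enough. ufw's default `before.rules` already accept all traffic on `lo`, so the 127.0.0.1 rule is likely redundant; if it is deliberate, a comment saying why would help the next reader.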
@@ -1,9 +1,10 @@ - import_playbook: pi.yml +- import_playbook: tailscale.yml - import_playbook: hass-io.yml - import_playbook: pi-hole.yml + become: true - hosts: on-fire-within - become: yes vars_files: - vars.private tasks: diff --git a/on-fire-within/pi-hole.yml b/on-fire-within/pi-hole.yml new file mode 100644 index 0000000..df927b4 --- /dev/null +++ b/on-fire-within/pi-hole.yml 
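Review bot: In the collapsed hunk the added `become: true` appears between `- import_playbook: pi-hole.yml` and `- hosts: on-fire-within`; if it is indented under the import entry rather than the play it will fail at parse time, since as far as I know `become` is not a keyword `import_playbook` accepts, and the play would then be left without the `become: yes` this hunk removes. Confirm the line sits under `- hosts: on-fire-within` as the replacement for `become: yes`. If so, the yes→true change is consistent with the `true`/`false` style already used in tailscale.yml and should be applied to the remaining `yes` values in pi-hole.yml as well.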
@@ -0,0 +1,66 @@ +- hosts: on-fire-within + become: yes + vars_files: + - vars.private + tasks: + + # Workaround for https://github.com/pi-hole/docker-pi-hole/issues/1048 + # - https://github.com/pi-hole/docker-pi-hole/issues/1042#issuecomment-1086728157 + # - https://github.com/pi-hole/docker-pi-hole/issues/1043#issuecomment-1086936352 + - name: Work around a Docker libseccomp issue w/Pi-Hole + block: + - apt_key: + keyserver: keyserver.ubuntu.com + id: "{{ item }}" + loop: + - 0E98404D386FA1D9 + - 6ED0E7B82643E131 + - apt_repository: + repo: deb http://deb.debian.org/debian buster-backports main + filename: buster-backports + state: present + - shell: apt-cache policy libseccomp2 | grep buster-backports -B1 | head -n1 | sed -e 's/^\s*\**\s*\(\S*\).*/\1/' + register: libseccomp2_version + - apt: + update_cache: yes + name: libseccomp2={{ libseccomp2_version.stdout_lines[0] }} + + # https://docs.pi-hole.net/guides/dns/unbound/ + - name: Set up Pi-hole as recursive DNS server + block: + - name: Install unbound + apt: + name: unbound + - name: Configure unbound + ansible.builtin.copy: + src: unbound.conf + dest: /etc/unbound/unbound.conf.d/pi-hole.conf + notify: Restart unbound + - name: Use the same limit for FTL as unbound + ansible.builtin.lineinfile: + path: /etc/dnsmasq.d/99-edns.conf + line: edns-packet-max=1232 + create: true + + - name: Disable resolvconf.conf entry for unbound + block: + - name: Disable unbound-resolvconf.service + service: + name: unbound-resolvconf + enabled: false + - name: Disable resolvconf_resolvers.conf from being generated + ansible.builtin.replace: + path: /etc/resolvconf.conf + regexp: '^unbound_conf=' + replace: '#unbound_conf=' + - name: Remove resolvconf_resolvers.conf + ansible.builtin.file: + path: /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf + state: absent + notify: Restart unbound + + handlers: + - name: Restart unbound + ansible.builtin.service: + name: unbound + state: restarted 
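Review bot: The libseccomp2 version-discovery `shell` task in the first block reports changed on every run and, when `apt-cache policy` shows no buster-backports candidate, `libseccomp2_version.stdout_lines[0]` fails with an undefined-index error instead of a readable message; add `changed_when: false` and `failed_when: libseccomp2_version.stdout_lines | length == 0` to that task. The same block imports signing keys with `apt_key` via `keyserver:`, which is the deprecated path and fetches over HKP; since the repository it enables is Debian's own buster-backports, the key should normally already be in the Debian keyring, so check whether the import is needed at all and, if it is, fetch the key file over HTTPS into `/usr/share/keyrings` and reference it with `signed-by` as `playbooks/tailscale.yml` already does. Booleans are mixed in this file (`become: yes`, `update_cache: yes` next to `enabled: false`, `create: true`); use `true`/`false` throughout. The `Configure unbound` copy task sets no `mode`; `mode: "0644"` would make the resulting file permissions explicit.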
diff --git a/on-fire-within/tailscale.yml b/on-fire-within/tailscale.yml index 4d74ed5..9e64972 100644 --- a/on-fire-within/tailscale.yml +++ b/on-fire-within/tailscale.yml @@ -1,5 +1,6 @@ # https://tailscale.com/download/linux/rpi +# TODO Conditionalize this on the OS and merge into ../playbooks/tailscale.yml - name: Install Tailscale hosts: on-fire-within become: true @@ -18,7 +19,7 @@ state: present # curl -fsSL https://pkgs.tailscale.com/stable/raspbian/buster.list | sudo tee /etc/apt/sources.list.d/tailscale.list - - name: Add Tailsale apt repo + - name: Add Tailscale apt repo ansible.builtin.apt_repository: repo: deb https://pkgs.tailscale.com/stable/raspbian buster main state: present @@ -34,3 +35,33 @@ ansible.builtin.package: name: tailscale state: present + +- name: Restrict tailscaled logging + hosts: on-fire-within + become: true + tasks: + + - name: Create systemd override dir for tailscaled + ansible.builtin.file: + path: /etc/systemd/system/tailscaled.service.d + state: directory + mode: "0644" + + - name: Create systemd override + ansible.builtin.copy: + content: | + [Service] + LogLevelMax=notice + dest: /etc/systemd/system/tailscaled.service.d/override.conf + mode: "0644" + notify: + - Restart Tailscale + + handlers: + + - name: Restart Tailscale + ansible.builtin.systemd: + name: tailscaled + state: restarted + daemon_reload: true + diff --git a/on-fire-within/unbound.conf b/on-fire-within/unbound.conf new file mode 100644 index 0000000..cb2ee53 --- /dev/null +++ b/on-fire-within/unbound.conf 
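Review bot: `mode: "0644"` on `Create systemd override dir for tailscaled` is applied to a directory (`state: directory`), so it lacks the search bit; root still traverses it, which is why systemd keeps working, but unprivileged tools cannot read the drop-in and the permission misstates intent — use `mode: "0755"`. The identical task in the `playbooks/tailscale.yml` hunk of this commit has the same problem. `LogLevelMax=notice` also discards the info-level messages tailscaled emits in normal operation from the journal, which is a legitimate log-volume trade-off but one an incident review would want to know about; a comment above the `content:` block such as `# cap tailscaled journal output at notice; lift this when troubleshooting connectivity` would record it. This play is duplicated verbatim in `playbooks/tailscale.yml`, which the new TODO at the top of the file acknowledges.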
@@ -0,0 +1,66 @@ +server: + # If no logfile is specified, syslog is used + # logfile: "/var/log/unbound/unbound.log" + verbosity: 1 + + interface: 127.0.0.1 + port: 5335 + do-ip4: yes + do-udp: yes + do-tcp: yes + + # May be set to yes if you have IPv6 connectivity + do-ip6: no + + # You want to leave this to no unless you have *native* IPv6. With 6to4 and + # Terredo tunnels your web browser should favor IPv4 for the same reasons + prefer-ip6: no + + # Use this only when you downloaded the list of primary root servers! + # If you use the default dns-root-data package, unbound will find it automatically + #root-hints: "/var/lib/unbound/root.hints" + + # Trust glue only if it is within the server's authority + harden-glue: yes + + # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS + harden-dnssec-stripped: yes + + # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes + # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details + use-caps-for-id: no + + # Reduce EDNS reassembly buffer size. + # IP fragmentation is unreliable on the Internet today, and can cause + # transmission failures when large DNS messages are sent via UDP. Even + # when fragmentation does work, it may not be secure; it is theoretically + # possible to spoof parts of a fragmented DNS message, without easy + # detection at the receiving end. Recently, there was an excellent study + # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<< + # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/) + # in collaboration with NLnet Labs explored DNS using real world data from the + # the RIPE Atlas probes and the researchers suggested different values for + # IPv4 and IPv6 and in different scenarios. 
They advise that servers should + # be configured to limit DNS messages sent over UDP to a size that will not + # trigger fragmentation on typical network links. DNS servers can switch + # from UDP to TCP when a DNS response is too big to fit in this limited + # buffer size. This value has also been suggested in DNS Flag Day 2020. + edns-buffer-size: 1232 + + # Perform prefetching of close to expired message cache entries + # This only applies to domains that have been frequently queried + prefetch: yes + + # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1. + num-threads: 1 + + # Ensure kernel buffer is large enough to not lose messages in traffic spikes + so-rcvbuf: 1m + + # Ensure privacy of local IP ranges + private-address: 192.168.0.0/16 + private-address: 169.254.0.0/16 + private-address: 172.16.0.0/12 + private-address: 10.0.0.0/8 + private-address: fd00::/8 + private-address: fe80::/10 diff --git a/playbooks/tailscale.yml b/playbooks/tailscale.yml index bf80080..0dfb9b6 100644 --- a/playbooks/tailscale.yml +++ b/playbooks/tailscale.yml @@ -9,6 +9,7 @@ ansible.builtin.get_url: url: https://pkgs.tailscale.com/stable/debian/bullseye.noarmor.gpg dest: /usr/share/keyrings/tailscale-archive-keyring.gpg + mode: "0644" # curl -fsSL https://pkgs.tailscale.com/stable/debian/bullseye.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list - name: Add Tailscale repository 
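Review bot: `interface: 127.0.0.1` with `port: 5335` binds unbound to loopback only, which is right when Pi-hole's FTL runs on the host; if Pi-hole runs in the Docker container that the libseccomp workaround in pi-hole.yml targets, the container can only reach this listener with host networking, so confirm which deployment applies (not visible in this patch). There is no explicit `access-control` stanza; unbound's default permits only localhost, which matches the loopback bind, but stating it, `access-control: 127.0.0.0/8 allow`, documents the intent and survives a later change to `interface`. The comment above `prefer-ip6` misspells Teredo as "Terredo".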
@@ -27,61 +28,33 @@ name: tailscale state: present -# https://tailscale.com/kb/1077/secure-server-ubuntu-18-04/ -- name: Only allow connections over Tailscale +- name: Restrict tailscaled logging hosts: all become: true tasks: - - name: Get Tailscale status - ansible.builtin.command: tailscale status --json - register: tailscale_status - changed_when: false - - - name: Only allow connections over Tailscale - when: _tailscale_status.BackendState == "Running" - vars: - _tailscale_status: "{{ tailscale_status.stdout | from_json }}" - block: - - - name: Install ufw - ansible.builtin.package: - name: ufw - state: present - - - name: Allow access over tailscale - community.general.ufw: - state: enabled - rule: allow - interface_in: tailscale0 - - - name: Restrict incoming traffic - community.general.ufw: - default: deny - direction: "{{ item }}" - loop: - - incoming - - - name: Allow access to HTTP(S) - community.general.ufw: - rule: allow - port: "{{ item }}" - proto: tcp - loop: - - http - - https - + - name: Create systemd override dir for tailscaled + ansible.builtin.file: + path: /etc/systemd/system/tailscaled.service.d + state: directory + mode: "0644" + + - name: Create systemd override + ansible.builtin.copy: + content: | + [Service] + LogLevelMax=notice + dest: /etc/systemd/system/tailscaled.service.d/override.conf + mode: "0644" notify: - - Reload ufw - - Restart ssh + - Restart Tailscale handlers: - - name: Reload ufw - ansible.builtin.service: - name: ufw - state: reloaded - - name: Restart ssh - ansible.builtin.service: - name: ssh + - name: Restart Tailscale + ansible.builtin.systemd: + name: tailscaled state: restarted + daemon_reload: true + +# vim: ft=yaml.ansible
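Review bot: This hunk deletes the `Only allow connections over Tailscale` play — ufw install, `state: enabled`, the `tailscale0` allow, `default: deny` for incoming and the http/https allows for `hosts: all` — and nothing else in the patch re-creates that policy; the `Reload ufw` handler reappears in lotus-land-story/restarts.yml and postgres.yml adds allow rules, but no task in the diff sets `default: deny` or enables ufw, so hosts provisioned from these playbooks alone keep whatever firewall state they already have. If the deny-by-default policy moved to a file outside this diff, the commit message should say so; otherwise the play should be kept (or moved) rather than dropped alongside the logging change. The directory `mode: "0644"` on the override dir needs the search bit as noted on on-fire-within/tailscale.yml: `mode: "0755"`.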