Alpha Chen 1 year ago
parent dbe8bd5f14
commit 7d1b92a9da
Signed by: alpha
SSH Key Fingerprint: SHA256:3fOT8fiYQG/aK9ntivV3Bqtg8AYQ7q4nV6ZgihOA20g

@ -53,8 +53,7 @@
- name: Run Miniflux - name: Run Miniflux
community.docker.docker_container: community.docker.docker_container:
# recreate: true restart: true
# restart: true
name: miniflux name: miniflux
image: miniflux/miniflux:{{ miniflux.version }} image: miniflux/miniflux:{{ miniflux.version }}
env: env:
@ -72,4 +71,8 @@
etc_hosts: etc_hosts:
host.docker.internal: host-gateway host.docker.internal: host-gateway
handlers:
- name: Import restarts
ansible.builtin.import_tasks: restarts.yml
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
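Review bot: `restart: true` on the `community.docker.docker_container` task (the line that replaces the commented `# recreate: true` / `# restart: true`) forces a stop/start of the Miniflux container on every play run, so the task reports changed each time and the service is bounced even when nothing about it changed. If the goal is only to pick up a new `miniflux.version`, the module already recreates the container when the configured image differs, and the `handlers:` import added at the end of this section suggests restarts are meant to be event-driven; consider dropping `restart: true` rather than forcing it unconditionally. Whether any task in this play actually notifies the imported `restarts.yml` handlers is not visible in the hunk.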

@ -25,6 +25,30 @@
state: present state: present
notify: Restart postgres notify: Restart postgres
- name: Allow access from localhost
community.general.ufw:
rule: allow
port: 5432
proto: tcp
from_ip: 127.0.0.1
notify: Reload ufw
- name: Allow access from docker
notify: Reload ufw
block:
- name: Get docker network
community.docker.docker_network:
name: lotus_land_story
register: docker_network
- name: Allow access from docker network
community.general.ufw:
rule: allow
port: 5432
proto: tcp
from_ip: "{{ docker_network.network.IPAM.Config[0].Subnet }}"
notify: Reload ufw
handlers: handlers:
- name: Import restarts - name: Import restarts
ansible.builtin.import_tasks: restarts.yml ansible.builtin.import_tasks: restarts.yml
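Review bot: The `from_ip` expression on the "Allow access from docker network" task indexes `IPAM.Config[0].Subnet`, so if the `lotus_land_story` network ever carries more than one IPAM config (an IPv6 subnet alongside the IPv4 one, for example) the 5432 allow rule may be written for a different range than intended, and the task errors outright if the config list is empty. Since `community.docker.docker_network` defaults to `state: present`, the "Get docker network" task will also create the network when it is missing rather than report that as a problem; a comment such as `# expects the compose network to exist already; this module would otherwise create it` above `- name: Get docker network` would make that assumption visible. The `notify: Reload ufw` on the block and the one on the inner ufw task fire the same handler, so one of them can go.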

@ -8,4 +8,13 @@
name: docker name: docker
state: restarted state: restarted
- name: Reload ufw
community.general.ufw:
state: reloaded
- name: Restart ssh
ansible.builtin.service:
name: ssh
state: restarted
# vim: ft=yaml.ansible # vim: ft=yaml.ansible
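Review bot: The `Restart ssh` handler added here has no notifier left anywhere in this diff — the only `- Restart ssh` notify on the page is the one removed from the Debian Tailscale playbook in the same commit — so unless another play outside the diff still notifies it, it is dead code in `restarts.yml`. If it is kept for a caller elsewhere, a one-line comment naming that caller above `- name: Restart ssh` would save the next reader the search. The new `Reload ufw` handler uses `community.general.ufw: state: reloaded` while the removed one used `ansible.builtin.service`; both reload the rules, but mixing the two styles in one handlers file is worth a short comment if it is deliberate.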

@ -1,9 +1,10 @@
- import_playbook: pi.yml - import_playbook: pi.yml
- import_playbook: tailscale.yml
- import_playbook: hass-io.yml - import_playbook: hass-io.yml
- import_playbook: pi-hole.yml - import_playbook: pi-hole.yml
become: true
- hosts: on-fire-within - hosts: on-fire-within
become: yes
vars_files: vars_files:
- vars.private - vars.private
tasks: tasks:
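Review bot: The `become: true` line in this hunk sits directly under `- import_playbook: pi-hole.yml` rather than under the `- hosts: on-fire-within` play whose `become: yes` is removed; if that placement reflects the new file, `become` is not a keyword that `import_playbook` accepts as far as I know, and the playbook would fail to load — it needs to move below `hosts:`. If the rendering merely misaligned a `become: yes` → `become: true` replacement, disregard this. Either way, the newly imported `tailscale.yml` and the new `pi-hole.yml` should agree on `true`/`false` for booleans rather than mixing `yes` and `true`.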

@ -0,0 +1,66 @@
- hosts: on-fire-within
become: yes
vars_files:
- vars.private
tasks:
# Workaround for https://github.com/pi-hole/docker-pi-hole/issues/1048
# - https://github.com/pi-hole/docker-pi-hole/issues/1042#issuecomment-1086728157
# - https://github.com/pi-hole/docker-pi-hole/issues/1043#issuecomment-1086936352
- name: Work around a Docker libseccomp issue w/Pi-Hole
block:
- apt_key:
keyserver: keyserver.ubuntu.com
id: "{{ item }}"
loop:
- 0E98404D386FA1D9
- 6ED0E7B82643E131
- apt_repository:
repo: deb http://deb.debian.org/debian buster-backports main
filename: buster-backports
state: present
- shell: apt-cache policy libseccomp2 | grep buster-backports -B1 | head -n1 | sed -e 's/^\s*\**\s*\(\S*\).*/\1/'
register: libseccomp2_version
- apt:
update_cache: yes
name: libseccomp2={{ libseccomp2_version.stdout_lines[0] }}
# https://docs.pi-hole.net/guides/dns/unbound/
- name: Set up Pi-hole as recursive DNS server
block:
- name: Install unbound
apt:
name: unbound
- name: Configure unbound
ansible.builtin.copy:
src: unbound.conf
dest: /etc/unbound/unbound.conf.d/pi-hole.conf
notify: Restart unbound
- name: Use the same limit for FTL as unbound
ansible.builtin.lineinfile:
path: /etc/dnsmasq.d/99-edns.conf
line: edns-packet-max=1232
create: true
- name: Disable resolvconf.conf entry for unbound
block:
- name: Disable unbound-resolvconf.service
service:
name: unbound-resolvconf
enabled: false
- name: Disable resolvconf_resolvers.conf from being generated
ansible.builtin.replace:
path: /etc/resolvconf.conf
regexp: '^unbound_conf='
replace: '#unbound_conf='
- name: Remove resolvconf_resolvers.conf
ansible.builtin.file:
path: /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf
state: absent
notify: Restart unbound
handlers:
- name: Restart unbound
ansible.builtin.service:
name: unbound
state: restarted
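Review bot: The `shell:` task that derives `libseccomp2_version` has no `changed_when`, so it reports changed on every run, and its output is spliced straight into the `apt` package spec without any check; if the grep matches nothing, `stdout_lines[0]` fails with an undefined-index error instead of a readable message. Add `changed_when: false` and `failed_when: libseccomp2_version.stdout == ""` to that task, and give the four unnamed tasks in the first block a `name:` like the rest of the file. The `apt_key` task imports two keys by ID from `keyserver.ubuntu.com`, while this same commit's Tailscale playbook already uses the keyring-file pattern (`get_url` into `/usr/share/keyrings/` with `mode: "0644"`), which avoids the `apt_key` module the docs mark as deprecated and a network key lookup; aligning the two would be cleaner. The whole workaround is also Buster-specific (hard-coded `buster-backports`), which a comment next to the linked issues could say so it gets removed after an OS upgrade.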

@ -1,5 +1,6 @@
# https://tailscale.com/download/linux/rpi # https://tailscale.com/download/linux/rpi
# TODO Conditionalize this on the OS and merge into ../playbooks/tailscale.yml
- name: Install Tailscale - name: Install Tailscale
hosts: on-fire-within hosts: on-fire-within
become: true become: true
@ -18,7 +19,7 @@
state: present state: present
# curl -fsSL https://pkgs.tailscale.com/stable/raspbian/buster.list | sudo tee /etc/apt/sources.list.d/tailscale.list # curl -fsSL https://pkgs.tailscale.com/stable/raspbian/buster.list | sudo tee /etc/apt/sources.list.d/tailscale.list
- name: Add Tailsale apt repo - name: Add Tailscale apt repo
ansible.builtin.apt_repository: ansible.builtin.apt_repository:
repo: deb https://pkgs.tailscale.com/stable/raspbian buster main repo: deb https://pkgs.tailscale.com/stable/raspbian buster main
state: present state: present
@ -34,3 +35,33 @@
ansible.builtin.package: ansible.builtin.package:
name: tailscale name: tailscale
state: present state: present
- name: Restrict tailscaled logging
hosts: on-fire-within
become: true
tasks:
- name: Create systemd override dir for tailscaled
ansible.builtin.file:
path: /etc/systemd/system/tailscaled.service.d
state: directory
mode: "0644"
- name: Create systemd override
ansible.builtin.copy:
content: |
[Service]
LogLevelMax=notice
dest: /etc/systemd/system/tailscaled.service.d/override.conf
mode: "0644"
notify:
- Restart Tailscale
handlers:
- name: Restart Tailscale
ansible.builtin.systemd:
name: tailscaled
state: restarted
daemon_reload: true
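Review bot: The `Create systemd override dir for tailscaled` task in the last hunk sets `mode: "0644"` on a directory (`state: directory`), which leaves the execute bit off, so the directory cannot be traversed by anyone but root; systemd runs as root and will still read the drop-in, but `0755` is the conventional mode for a `.service.d` directory and lets an unprivileged `systemctl cat tailscaled` show the override. Change the line to `mode: "0755"`. The same `mode: "0644"` on a `state: directory` task appears in the Debian `tailscale.yml` section later in this commit. The `# TODO Conditionalize this on the OS and merge` note in the first hunk is a sound plan; until then the two files carry two copies of the logging play that have to be kept in sync.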

@ -0,0 +1,66 @@
server:
# If no logfile is specified, syslog is used
# logfile: "/var/log/unbound/unbound.log"
verbosity: 1
interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to yes if you have IPv6 connectivity
do-ip6: no
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no
# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
#root-hints: "/var/lib/unbound/root.hints"
# Trust glue only if it is within the server's authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# IP fragmentation is unreliable on the Internet today, and can cause
# transmission failures when large DNS messages are sent via UDP. Even
# when fragmentation does work, it may not be secure; it is theoretically
# possible to spoof parts of a fragmented DNS message, without easy
# detection at the receiving end. Recently, there was an excellent study
# >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
# by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
# in collaboration with NLnet Labs explored DNS using real world data from the
# the RIPE Atlas probes and the researchers suggested different values for
# IPv4 and IPv6 and in different scenarios. They advise that servers should
# be configured to limit DNS messages sent over UDP to a size that will not
# trigger fragmentation on typical network links. DNS servers can switch
# from UDP to TCP when a DNS response is too big to fit in this limited
# buffer size. This value has also been suggested in DNS Flag Day 2020.
edns-buffer-size: 1232
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
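Review bot: `harden-dnssec-stripped: yes` only has an effect if unbound has a trust anchor loaded, and this file configures none; on Debian that normally comes from the package's `root-auto-trust-anchor-file.conf` drop-in plus the `dns-root-data` package the comment above `#root-hints` mentions, yet the playbook in this commit installs only `unbound`, so whether the anchor ends up present depends on that package being pulled in as a dependency — worth confirming on the target. A comment near the top such as `# DNSSEC validation relies on the distro's root-auto-trust-anchor-file.conf drop-in (dns-root-data)` would make the dependency explicit. `so-rcvbuf: 1m` also exceeds the default kernel `net.core.rmem_max` on many systems, in which case unbound logs a warning at startup rather than getting the requested buffer, as far as I recall; a sysctl in the playbook or a comment here would clarify the intent. Minor: "Terredo" in the `prefer-ip6` comment should read "Teredo".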

@ -9,6 +9,7 @@
ansible.builtin.get_url: ansible.builtin.get_url:
url: https://pkgs.tailscale.com/stable/debian/bullseye.noarmor.gpg url: https://pkgs.tailscale.com/stable/debian/bullseye.noarmor.gpg
dest: /usr/share/keyrings/tailscale-archive-keyring.gpg dest: /usr/share/keyrings/tailscale-archive-keyring.gpg
mode: "0644"
# curl -fsSL https://pkgs.tailscale.com/stable/debian/bullseye.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list # curl -fsSL https://pkgs.tailscale.com/stable/debian/bullseye.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list
- name: Add Tailscale repository - name: Add Tailscale repository
@ -27,61 +28,33 @@
name: tailscale name: tailscale
state: present state: present
# https://tailscale.com/kb/1077/secure-server-ubuntu-18-04/ - name: Restrict tailscaled logging
- name: Only allow connections over Tailscale
hosts: all hosts: all
become: true become: true
tasks: tasks:
- name: Get Tailscale status - name: Create systemd override dir for tailscaled
ansible.builtin.command: tailscale status --json ansible.builtin.file:
register: tailscale_status path: /etc/systemd/system/tailscaled.service.d
changed_when: false state: directory
mode: "0644"
- name: Only allow connections over Tailscale
when: _tailscale_status.BackendState == "Running" - name: Create systemd override
vars: ansible.builtin.copy:
_tailscale_status: "{{ tailscale_status.stdout | from_json }}" content: |
block: [Service]
LogLevelMax=notice
- name: Install ufw dest: /etc/systemd/system/tailscaled.service.d/override.conf
ansible.builtin.package: mode: "0644"
name: ufw
state: present
- name: Allow access over tailscale
community.general.ufw:
state: enabled
rule: allow
interface_in: tailscale0
- name: Restrict incoming traffic
community.general.ufw:
default: deny
direction: "{{ item }}"
loop:
- incoming
- name: Allow access to HTTP(S)
community.general.ufw:
rule: allow
port: "{{ item }}"
proto: tcp
loop:
- http
- https
notify: notify:
- Reload ufw - Restart Tailscale
- Restart ssh
handlers: handlers:
- name: Reload ufw
ansible.builtin.service:
name: ufw
state: reloaded
- name: Restart ssh - name: Restart Tailscale
ansible.builtin.service: ansible.builtin.systemd:
name: ssh name: tailscaled
state: restarted state: restarted
daemon_reload: true
# vim: ft=yaml.ansible
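Review bot: This hunk removes the entire `Only allow connections over Tailscale` play — the `ufw` install, `default: deny` on incoming, the `tailscale0` allow and the HTTP(S) allow for `hosts: all` — and nothing else on this page re-establishes that default-deny baseline; the Postgres section only adds allow rules for 5432 and `restarts.yml` only gains a `Reload ufw` handler. If the host-firewall setup moved to a playbook outside this diff, a sentence in the commit message or a comment at the top of the replacement play saying where would spare a reviewer the search; if it did not, every host now relies on other controls to keep services reachable only over Tailscale. Separately, the replacement play's `state: directory` task uses `mode: "0644"` where `0755` is the conventional directory mode, the same issue as in the Raspberry Pi `tailscale.yml` hunk. The `mode: "0644"` added on the keyring `get_url` in the first hunk is a good addition.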
