parent
3b32e1147c
commit
cf4e8273d1
16 changed files with 256 additions and 15 deletions
@ -0,0 +1,15 @@ |
|||||||
|
--- |
||||||
|
|
||||||
|
# Version of the firewall bouncer to install |
||||||
|
cs_fw_version: 0.0.10 |
||||||
|
# URL of the firewall bouncer archive |
||||||
|
cs_fw_archive_url: https://github.com/crowdsecurity/cs-firewall-bouncer/releases/download/v{{ cs_fw_version }}/cs-firewall-bouncer.tgz |
||||||
|
# Expected sha1 of the archive |
||||||
|
cs_fw_archive_sha1: 46863e95bdc8f48434583f55e89b7720fce5736d |
||||||
|
|
||||||
|
# API on which the bouncer should listen for alerts |
||||||
|
cs_fw_lapi_url: "{{ cs_lapi_url | default('http://localhost:8080/') }}" |
||||||
|
# If not defined, ansible will try to register the bouncer on the Local API server |
||||||
|
# cs_lapi_server must be defined in this case |
||||||
|
# cs_fw_lapi_key: aaabbbccc |
||||||
|
|
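Review bot: `cs_fw_archive_sha1` is a fixed default while `cs_fw_archive_url` follows `cs_fw_version`, so overriding only the version makes the get_url checksum check fail; the comment should say so, e.g. `# Expected sha1 of the archive; must be updated together with cs_fw_version`. get_url also accepts `sha256:`, which is the stronger choice for pinning a downloaded installer, and the variable could be renamed when the digest is next updated. `cs_fw_version: 0.0.10` happens to parse as a string, but a two-component value such as 0.1 would become a float, so quote it: `cs_fw_version: "0.0.10"`.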
@ -0,0 +1,4 @@ |
|||||||
|
--- |
||||||
|
|
||||||
|
- name: restart cs-firewall-bouncer |
||||||
|
service: name=cs-firewall-bouncer state=restarted |
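Review bot: The handler uses the `key=value` shorthand (`service: name=cs-firewall-bouncer state=restarted`); native block YAML is the documented Ansible style and avoids the shorthand splitting a templated value on whitespace. Write it as `service:` / `  name: cs-firewall-bouncer` / `  state: restarted`. The same shorthand appears in the cleanup, conf, directories, facts, install and services hunks and would benefit from the same conversion.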
@ -0,0 +1,8 @@ |
|||||||
|
--- |
||||||
|
|
||||||
|
- name: Remove temp and obsolete files |
||||||
|
file: path={{ item }} state=absent |
||||||
|
loop: |
||||||
|
- /tmp/cs-firewall-bouncer.tgz |
||||||
|
- /tmp/cs-firewall-bouncer-v{{ cs_fw_version }} |
||||||
|
tags: cs |
@ -0,0 +1,6 @@ |
|||||||
|
--- |
||||||
|
|
||||||
|
- name: Deploy configuration |
||||||
|
template: src=cs-firewall-bouncer.yaml.j2 dest=/etc/crowdsec/cs-firewall-bouncer/cs-firewall-bouncer.yaml mode=600 |
||||||
|
notify: restart cs-firewall-bouncer |
||||||
|
tags: cs |
@ -0,0 +1,9 @@ |
|||||||
|
--- |
||||||
|
|
||||||
|
- name: Create needed directories |
||||||
|
file: path={{ item.dir }} state=directory mode={{ item.mode | default(omit) }} |
||||||
|
loop: |
||||||
|
- dir: /etc/crowdsec/cs-firewall-bouncer |
||||||
|
- dir: /etc/crowdsec/meta |
||||||
|
mode: 700 |
||||||
|
tags: cs |
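Review bot: `mode: 700` on the `/etc/crowdsec/meta` item is a YAML integer, and Ansible treats an integer mode as a decimal number rather than octal (700 decimal is 0o1274), so the directory that goes on to hold the bouncer API key may end up with an unintended, more permissive mode instead of 0700; the Ansible docs ask for octal modes to be quoted strings, so write `mode: "0700"`. Converting the `file:` shorthand to block YAML (`path: "{{ item.dir }}"`, `state: directory`, `mode: "{{ item.mode | default(omit) }}"`) also keeps the templated values from being re-typed. The same applies to the `mode=600` shorthand in the conf and facts hunks, where `mode: "0600"` is the safe spelling.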
@ -0,0 +1,72 @@ |
|||||||
|
--- |
||||||
|
|
||||||
|
- include_vars: "{{ item }}" |
||||||
|
with_first_found: |
||||||
|
- vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml |
||||||
|
- vars/{{ ansible_distribution }}.yml |
||||||
|
- vars/{{ ansible_os_family }}.yml |
||||||
|
tags: cs |
||||||
|
|
||||||
|
- name: Check if API key is available |
||||||
|
stat: path=/etc/crowdsec/meta/bouncer_fw_api_key |
||||||
|
register: cs_fw_lapi_key_file |
||||||
|
tags: cs |
||||||
|
|
||||||
|
- when: cs_fw_lapi_key is not defined and (not cs_fw_lapi_key_file.stat.exists or cs_fw_lapi_key_file.stat.size == 0) |
||||||
|
block: |
||||||
|
- name: Register the bouncer |
||||||
|
shell: | |
||||||
|
cscli bouncers list -o raw | grep -q -P '^{{ inventory_hostname }}-firewall' && cscli bouncers delete {{ inventory_hostname }}-firewall |
||||||
|
cscli bouncers add {{ inventory_hostname }}-firewall -o raw |
||||||
|
register: cs_bouncer_add |
||||||
|
failed_when: cs_bouncer_add.rc not in [0,1] |
||||||
|
changed_when: cs_bouncer_add.rc == 0 |
||||||
|
delegate_to: "{{ cs_lapi_server | default(inventory_hostname) }}" |
||||||
|
|
||||||
|
- name: Record the API key for later use |
||||||
|
copy: content={{ cs_bouncer_add.stdout }} dest=/etc/crowdsec/meta/bouncer_fw_api_key mode=600 |
||||||
|
|
||||||
|
tags: cs |
||||||
|
|
||||||
|
- when: cs_fw_lapi_key is not defined |
||||||
|
block: |
||||||
|
- name: Read the API key |
||||||
|
slurp: src=/etc/crowdsec/meta/bouncer_fw_api_key |
||||||
|
register: cs_fw_lapi_generated_key |
||||||
|
- set_fact: cs_fw_lapi_key={{ cs_fw_lapi_generated_key.content | b64decode | trim }} |
||||||
|
tags: cs |
||||||
|
|
||||||
|
- name: Set initial facts |
||||||
|
block: |
||||||
|
- set_fact: cs_fw_current_version='' |
||||||
|
- set_fact: cs_fw_install_mode='none' |
||||||
|
tags: cs |
||||||
|
|
||||||
|
- name: Check if the bouncer is installed |
||||||
|
stat: path=/usr/local/bin/cs-firewall-bouncer |
||||||
|
register: cs_fw_bin |
||||||
|
tags: cs |
||||||
|
|
||||||
|
- when: cs_fw_bin.stat.exists |
||||||
|
block: |
||||||
|
- name: Detect installed version |
||||||
|
shell: | |
||||||
|
cs-firewall-bouncer -c /dev/null 2>&1 | perl -ne 'm/cs-firewall-bouncer v(\d+(\.\d+)*)/ && print $1' |
||||||
|
register: cs_fw_current_version |
||||||
|
changed_when: False |
||||||
|
|
||||||
|
- set_fact: cs_fw_current_version={{ cs_fw_current_version.stdout }} |
||||||
|
tags: cs |
||||||
|
|
||||||
|
- name: Set install mode |
||||||
|
set_fact: cs_fw_install_mode='install' |
||||||
|
when: not cs_fw_bin.stat.exists |
||||||
|
tags: cs |
||||||
|
|
||||||
|
- name: Set upgrade mode |
||||||
|
set_fact: cs_fw_install_mode='upgrade' |
||||||
|
when: |
||||||
|
- cs_fw_bin.stat.exists |
||||||
|
- cs_fw_current_version != cs_fw_version |
||||||
|
tags: cs |
||||||
|
|
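Review bot: The bouncer API key produced by `cscli bouncers add ... -o raw` is captured in `cs_bouncer_add.stdout` and then passed as a module argument in `copy: content={{ cs_bouncer_add.stdout }}`, so it is printed in task output and logs at any verbosity that shows registered results or module arguments; add `no_log: true` to the register, copy, slurp and set_fact tasks that handle it. `inventory_hostname` is interpolated unquoted into the shell line and into the grep pattern, where a dotted hostname is a regex rather than a literal; use `{{ inventory_hostname | quote }}` for the command arguments and `{{ inventory_hostname | regex_escape }}` in the pattern. `failed_when: cs_bouncer_add.rc not in [0,1]` tolerates a failed add, yet the following copy still records whatever stdout holds as the key; either fail on any non-zero rc or guard the copy with `when: cs_bouncer_add.rc == 0`. Writing the copy task in block YAML additionally avoids the key=value shorthand splitting the templated content on whitespace.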
@ -0,0 +1,70 @@ |
|||||||
|
--- |
||||||
|
|
||||||
|
- name: Install needed tools |
||||||
|
package: |
||||||
|
name: |
||||||
|
- ipset |
||||||
|
tags: cs |
||||||
|
|
||||||
|
- when: cs_fw_install_mode != 'none' |
||||||
|
block: |
||||||
|
|
||||||
|
- name: Download the bouncer |
||||||
|
get_url: |
||||||
|
url: "{{ cs_fw_archive_url }}" |
||||||
|
dest: /tmp |
||||||
|
checksum: sha1:{{ cs_fw_archive_sha1 }} |
||||||
|
|
||||||
|
- name: Extract the archive |
||||||
|
unarchive: |
||||||
|
src: /tmp/cs-firewall-bouncer.tgz |
||||||
|
dest: /tmp |
||||||
|
remote_src: True |
||||||
|
|
||||||
|
- name: Install or upgrade |
||||||
|
command: ./{{ cs_fw_install_mode }}.sh |
||||||
|
args: |
||||||
|
chdir: /tmp/cs-firewall-bouncer-v{{ cs_fw_version }} |
||||||
|
notify: restart cs-firewall-bouncer |
||||||
|
|
||||||
|
tags: cs |
||||||
|
|
||||||
|
- name: Create systemd unit snippet dir |
||||||
|
file: path=/etc/systemd/system/cs-firewall-bouncer.service.d state=directory |
||||||
|
tags: cs |
||||||
|
|
||||||
|
- name: Create iptables snippet dir |
||||||
|
file: path=/etc/systemd/system/{{ cs_iptables_service }}.service.d state=directory |
||||||
|
tags: cs |
||||||
|
|
||||||
|
- name: Create ipsets before iptables starts |
||||||
|
copy: |
||||||
|
content: | |
||||||
|
[Service] |
||||||
|
ExecStartPre=/usr/sbin/ipset -exist create crowdsec-blacklists nethash timeout 300 |
||||||
|
ExecStartPre=/usr/sbin/ipset -exist create crowdsec6-blacklists nethash timeout 300 family inet6 |
||||||
|
dest: /etc/systemd/system/{{ cs_iptables_service }}.service.d/cs-ipset.conf |
||||||
|
register: cs_iptable_unit |
||||||
|
tags: cs |
||||||
|
|
||||||
|
- name: Tune cs-firewall-bouncer service |
||||||
|
copy: |
||||||
|
content: | |
||||||
|
[Unit] |
||||||
|
# The bouncer should start after crowdsec to be able to register on the API |
||||||
|
After=crowdsec.service |
||||||
|
|
||||||
|
[Service] |
||||||
|
# Restart on failure |
||||||
|
Restart=on-failure |
||||||
|
StartLimitInterval=0 |
||||||
|
RestartSec=30 |
||||||
|
dest: /etc/systemd/system/cs-firewall-bouncer.service.d/ansible.conf |
||||||
|
register: crodwsec_fw_unit |
||||||
|
notify: restart cs-firewall-bouncer |
||||||
|
tags: cs |
||||||
|
|
||||||
|
- name: Reload systemd |
||||||
|
systemd: daemon_reload=True |
||||||
|
when: crodwsec_fw_unit.changed or cs_iptable_unit.changed |
||||||
|
tags: cs |
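Review bot: The archive is downloaded to the fixed path `/tmp/cs-firewall-bouncer.tgz`, extracted to `/tmp/cs-firewall-bouncer-v{{ cs_fw_version }}`, and `./{{ cs_fw_install_mode }}.sh` is then executed as root from that directory; a predictable location in a shared, world-writable directory is a time-of-check/time-of-use exposure for a root-run installer, since the checksum protects the download but not what is in the directory when the command runs. Create a private work directory with `ansible.builtin.tempfile` (`state: directory`) and use it for `dest`, `chdir` and the cleanup list. `checksum: sha1:{{ cs_fw_archive_sha1 }}` and `remote_src: True` should be written as `checksum: "sha1:{{ cs_fw_archive_sha1 }}"` and `remote_src: true` so the template and the boolean survive yamllint and the YAML 1.1/1.2 split. The `register: crodwsec_fw_unit` typo is consistent with its use in the reload task, but `cs_fw_unit` would match the rest of the role.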
@ -0,0 +1,17 @@ |
|||||||
|
--- |
||||||
|
|
||||||
|
- name: Ensure ipsets exist |
||||||
|
shell: | |
||||||
|
ipset list crowdsec-blacklists || ipset create crowdsec-blacklists nethash timeout 300 |
||||||
|
ipset list crowdsec6-blacklists || ipset create crowdsec6-blacklists nethash timeout 300 family inet6 |
||||||
|
changed_when: False |
||||||
|
tags: cs |
||||||
|
|
||||||
|
- name: Add DROP rules |
||||||
|
iptables_raw: |
||||||
|
name: cs_blacklist |
||||||
|
weight: 9 |
||||||
|
rules: | |
||||||
|
-A INPUT -m set --match-set crowdsec-blacklists src -j DROP |
||||||
|
-A FORWARD -m set --match-set crowdsec-blacklists src -j DROP |
||||||
|
tags: cs |
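Review bot: Only the IPv4 set is enforced: the `rules` block drops on `crowdsec-blacklists` in INPUT and FORWARD, while `crowdsec6-blacklists` is created here (and by the ExecStartPre snippet in the install hunk) but no ip6tables rule references it, so IPv6 decisions from the bouncer are never blocked even though the config template leaves `disable_ipv6: false`. Add a second `iptables_raw` task with `ipversion: 6` and the same two rules against `crowdsec6-blacklists`. `changed_when: False` on the shell task also hides the case where a set is actually created; splitting the check and the create into separate tasks would let Ansible report it.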
@ -0,0 +1,10 @@ |
|||||||
|
--- |
||||||
|
|
||||||
|
- include: directories.yml |
||||||
|
- include: facts.yml |
||||||
|
- include: install.yml |
||||||
|
- include: conf.yml |
||||||
|
- include: iptables.yml |
||||||
|
when: iptables_manage | default(True) |
||||||
|
- include: services.yml |
||||||
|
- include: cleanup.yml |
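Review bot: `include:` for task files has been deprecated since Ansible 2.4 and has since been removed from ansible-core, so this file will stop loading on a current control node; replace each line with `import_tasks:` (static, so the per-task `tags: cs` remain selectable from the command line) or `include_tasks:` if dynamic inclusion is wanted, in which case the tag must be placed on the include itself. The `when: iptables_manage | default(True)` condition keeps working with `import_tasks`, since it is applied to every imported task.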
@ -0,0 +1,5 @@ |
|||||||
|
--- |
||||||
|
|
||||||
|
- name: Start and enable the service |
||||||
|
service: name=cs-firewall-bouncer state=started enabled=True |
||||||
|
tags: cs |
@ -0,0 +1,12 @@ |
|||||||
|
--- |
||||||
|
|
||||||
|
mode: iptables |
||||||
|
piddir: /var/run/ |
||||||
|
update_frequency: 10s |
||||||
|
daemonize: true |
||||||
|
log_mode: stdout |
||||||
|
log_level: info |
||||||
|
api_url: {{ (cs_fw_lapi_url is search('/$')) | ternary(cs_fw_lapi_url,cs_fw_lapi_url ~ '/') }} |
||||||
|
api_key: {{ cs_fw_lapi_key }} |
||||||
|
disable_ipv6: false |
||||||
|
|
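Review bot: `api_key: {{ cs_fw_lapi_key }}` and `api_url: {{ ... }}` render as plain unquoted scalars, so a key that begins with a YAML indicator or consists only of digits, or an empty expansion, changes type or breaks the bouncer's config parse; quote both, `api_key: "{{ cs_fw_lapi_key }}"` and `api_url: "{{ (cs_fw_lapi_url is search('/$')) | ternary(cs_fw_lapi_url, cs_fw_lapi_url ~ '/') }}"`. The trailing-slash ternary can also be written as `{{ cs_fw_lapi_url | regex_replace('/*$', '/') }}`, which reads more directly.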