Add Fail2ban to Gitea and Bitwarden

roles/base/handlers/main.yml

@@ -10,3 +10,9 @@
     name: wg-quick@wg0
     state: restarted
   listen: restart_wireguard
+
+- name: Restart Fail2ban
+  service:
+    name: fail2ban
+    state: restarted
+  listen: restart_fail2ban

roles/base/tasks/firewall.yml

@@ -0,0 +1,28 @@
+- name: Install the Uncomplicated Firewall
+  apt:
+    name: ufw
+    state: present
+
+- name: Install Fail2ban
+  apt:
+    name: fail2ban
+    state: present
+
+- name: Deny incoming traffic by default
+  ufw:
+    default: deny
+    direction: incoming
+
+- name: Allow outgoing traffic by default
+  ufw:
+    default: allow
+    direction: outgoing
+
+- name: Allow OpenSSH with rate limiting
+  ufw:
+    name: ssh
+    rule: limit
+
+- name: Enable firewall
+  ufw:
+    state: enabled

roles/base/tasks/main.yml

@@ -4,6 +4,9 @@
 - import_tasks: system.yml
   tags: system
 
+- import_tasks: firewall.yml
+  tags: firewall
+
 - import_tasks: network.yml
   tags: network
   when: manage_network

roles/base/tasks/network.yml

@@ -12,8 +12,3 @@
     dest: "/etc/network/interfaces.d/{{ item.name }}"
   loop: "{{ interfaces }}"
   notify: reboot_host
-
-- name: Install bridge utilities
-  apt:
-    name: bridge-utils
-    state: present

roles/base/tasks/system.yml

@@ -10,12 +10,6 @@
     dest: /root/.ssh/authorized_keys
   when: authorized_keys is defined
 
-- name: Install btrfs-tools
-  apt:
-    name: btrfs-tools
-    state: present
-  when: btrfs_support is defined and btrfs_support | bool == true
-
 - name: Manage filesystem mounts
   mount:
     path: "{{ item.path }}"

roles/base/tasks/wireguard.yml

@@ -1,25 +1,3 @@
-# Copyright (C) 2021  Kris Lamoureux
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 3 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
-- name: Add Debian Buster backports
-  copy:
-    src: buster-backports.list
-    dest: /etc/apt/sources.list.d/buster-backports.list
-    owner: root
-    group: root
-    mode: '0644'
-
 - name: Install WireGuard
   apt:
     name: wireguard

roles/bitwarden/defaults/main.yml

@@ -1,5 +1,6 @@
 bitwarden_name: bitwarden
-bitwarden_root: "{{ docker_root }}/{{ bitwarden_name }}"
+bitwarden_root: "/var/lib/{{ bitwarden_name }}"
 bitwarden_database: "{{ bitwarden_name }}"
+bitwarden_realips: "172.16.0.0/12"
 bitwarden_standalone: false
 bitwarden_production: false

roles/bitwarden/tasks/main.yml

@@ -65,6 +65,12 @@
   when: not bitwarden_standalone
   notify: rebuild_bitwarden
 
+- name: Define reverse proxy servers
+  lineinfile:
+    path: "{{ bitwarden_root }}/bwdata/config.yml"
+    line: "- {{ bitwarden_realips }}"
+    insertafter: "^real_ips"
+
 - name: Install Bitwarden systemd service
   template:
     src: bitwarden.service.j2
@@ -72,6 +78,12 @@
   register: bitwarden_systemd
   notify: rebuild_bitwarden
 
+- name: Install Bitwarden's Fail2ban jail
+  template:
+    src: fail2ban-jail.conf.j2
+    dest: /etc/fail2ban/jail.d/bitwarden.conf
+  notify: restart_fail2ban
+
 - name: Reload systemd manager configuration
   systemd:
     daemon_reload: true

roles/bitwarden/templates/fail2ban-jail.conf.j2

@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+[bitwarden]
+enabled = true
+filter = bitwarden
+logpath = /var/lib/bitwarden/bwdata/logs/identity/Identity/*
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports

roles/docker/defaults/main.yml

@@ -1,3 +1,3 @@
-docker_root: /var/lib/docker-compose
+docker_compose_root: /var/lib/compose
 docker_compose: /usr/bin/docker-compose
 docker_compose_service: compose

roles/docker/tasks/main.yml

@@ -6,7 +6,7 @@
 
 - name: Create docker-compose root
   file:
-    path: "{{ docker_root }}"
+    path: "{{ docker_compose_root }}"
     state: directory
 
 - name: Install docker-compose systemd service

roles/docker/templates/docker-compose.service.j2

@@ -6,7 +6,7 @@ After=docker.service
 [Service]
 Type=oneshot
 RemainAfterExit=true
-WorkingDirectory={{ docker_root }}/%i
+WorkingDirectory={{ docker_compose_root }}/%i
 ExecStart={{ docker_compose }} up -d --remove-orphans
 ExecStop={{ docker_compose }} down
 

roles/gitea/defaults/main.yml

@@ -14,5 +14,9 @@ gitea_dbhost: host.docker.internal
 gitea_dbname: "{{ gitea_name }}"
 gitea_dbuser: "{{ gitea_name }}"
 
+# proxy settings
+gitea_proxy_limit: "1"
+gitea_trusted_proxies: "172.16.0.0/12"
+
 # host
-gitea_root: "{{ docker_root }}/{{ gitea_name }}"
+gitea_root: "{{ docker_compose_root }}/{{ gitea_name }}"

roles/gitea/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: Restart Gitea
+  service:
+    name: "{{ docker_compose_service }}@{{ gitea_name }}"
+    state: restarted
+  listen: restart_gitea

roles/gitea/tasks/main.yml

@@ -46,16 +46,22 @@
     src: /home/git/.ssh/id_rsa.pub
   register: git_rsapub
 
+- name: Get stats on git's authorized_keys file
+  stat:
+    path: /home/git/.ssh/authorized_keys
+  register: git_authkeys
+
 - name: Create git's authorized_keys file
   file:
     path: /home/git/.ssh/authorized_keys
     state: touch
+  when: not git_authkeys.stat.exists
 
 - name: Add git's public SSH key to authorized_keys
   lineinfile:
     path: /home/git/.ssh/authorized_keys
+    regex: "^ssh-rsa"
     line: "{{ git_rsapub['content'] | b64decode }}"
-    insertbefore: BOF
 
 - name: Create Gitea host script for SSH
   template:
@@ -67,11 +73,25 @@
   template:
     src: docker-compose.yml.j2
     dest: "{{ gitea_root }}/docker-compose.yml"
+  notify: restart_gitea
 
 - name: Install Gitea's docker-compose variables
   template:
     src: compose-env.j2
     dest: "{{ gitea_root }}/.env"
+  notify: restart_gitea
+
+- name: Install Gitea's Fail2ban filter
+  template:
+    src: fail2ban-filter.conf.j2
+    dest: /etc/fail2ban/filter.d/gitea.conf
+  notify: restart_fail2ban
+
+- name: Install Gitea's Fail2ban jail
+  template:
+    src: fail2ban-jail.conf.j2
+    dest: /etc/fail2ban/jail.d/gitea.conf
+  notify: restart_fail2ban
 
 - name: Start and enable Gitea service
   service:

roles/gitea/templates/compose-env.j2

@@ -10,6 +10,8 @@ gitea_dbhost={{ gitea_dbhost }}
 gitea_dbname={{ gitea_dbname }}
 gitea_dbuser={{ gitea_dbuser }}
 gitea_dbpass={{ gitea_dbpass }}
+gitea_proxy_limit={{ gitea_proxy_limit }}
+gitea_trusted_proxies={{ gitea_trusted_proxies }}
 {% if not gitea_signup %}
 gitea_disable_registration=true
 {% else %}

roles/gitea/templates/docker-compose.yml.j2

@@ -12,6 +12,7 @@ services:
     environment:
       - USER_UID={{ getent_passwd.git[1] }}
       - USER_GID={{ getent_group.git[1] }}
+      - GITEA__log__MODE=file
       - GITEA__server__ROOT_URL=${gitea_rooturl}
       - GITEA__server__DOMAIN=${gitea_domain}
       - GITEA__server__SSH_DOMAIN=${gitea_domain}
@@ -20,10 +21,13 @@ services:
       - GITEA__database__NAME=${gitea_dbname}
       - GITEA__database__USER=${gitea_dbuser}
       - GITEA__database__PASSWD=${gitea_dbpass}
+      - GITEA__security__REVERSE_PROXY_LIMIT=${gitea_proxy_limit}
+      - GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES=${gitea_trusted_proxies}
       - GITEA__service__DISABLE_REGISTRATION=${gitea_disable_registration}
     volumes:
       - {{ gitea_volume }}:/data
-      - /home/git/.ssh/:/data/git/.ssh
+      - /home/git/.ssh:/data/git/.ssh
+      - /var/log/gitea:/data/gitea/log
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
 

roles/gitea/templates/fail2ban-filter.conf.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+[Definition]
+failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+ignoreregex =

roles/gitea/templates/fail2ban-jail.conf.j2

@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+[gitea]
+enabled = true
+filter = gitea
+logpath = /var/log/gitea/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports
+
+[gitea-docker]
+enabled = true
+filter = gitea
+logpath = /var/log/gitea/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports[chain="FORWARD"]

roles/postgresql/tasks/main.yml

@@ -32,3 +32,10 @@
     name: postgresql
     state: restarted
   when: postgresql_config.changed
+
+- name: Allow database connections from Docker
+  ufw:
+    rule: allow
+    port: "5432"
+    proto: tcp
+    src: "172.16.0.0/12"

roles/proxy/tasks/main.yml

@@ -84,3 +84,12 @@
   loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
   when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
   notify: reload_nginx
+
+- name: Add HTTP and HTTPS firewall rule
+  ufw:
+    rule: allow
+    port: "{{ item }}"
+    proto: tcp
+  loop:
+    - "80"
+    - "443"

roles/proxy/templates/server-nginx.conf.j2

@@ -30,6 +30,7 @@ server {
   location / {
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_pass {{ item.proxy_pass }};
   }
 }