testing

.gitignore

@@ -1,12 +1,3 @@
 .vagrant
 .playbook
-/*.yml
-/*.yaml
-!backup.yml
-!moxie.yml
-!docker.yml
-!dockerbox.yml
-!hypervisor.yml
-!minecraft.yml
-!unifi.yml
 /environments/

README.md

@@ -1,25 +1,39 @@
-# Project Moxie
+# Homelab
+This repository contains Ansible to automate Debian GNU/Linux servers, deploying
+server technologies that are either useful in a personal capacity or provide
+educational value on automating enterprise infrastructure.
 
-Project Moxie is a personal IT homelab project written in Ansible and executed by Jenkins. It is a growing collection of infrastructure as code (IaC) I write out of curiosity and for reference purposes, keeping a handful of beneficial projects managed and secured.
+Development is accomplished using Vagrant to allow easy reproducibility in an
+isolated virtual environment that be ran on your local machine.
 
 ## Quick Start
-
-To configure a local virtual machine for testing, follow these simple steps.
+These steps assume a basic understanding of GNU/Linux, Hypervisors, Vagrant, and Ansible.
 
 ### Prerequisites
-
-Vagrant and VirtualBox are used to develop Project Moxie. You will need to install these before continuing.
+- [Vagrant](https://developer.hashicorp.com/vagrant/docs/installation)
+- [Supported hypervisor](https://developer.hashicorp.com/vagrant/docs/providers)
+- Ansible
 
 ### Installation
 
 1. Clone this repository
    ```
-   git clone https://github.com/krislamo/moxie
+   git clone https://git.krislamo.org/kris/homelab
+   ```
+   OR download from the mirror on GitHub:
+   ```
+   git clone https://github.com/krislamo/homelab
    ```
-2. Set the `PLAYBOOK` environmental variable to a development playbook name in the `dev/` directory
 
-   The following `PLAYBOOK` names are available: `dockerbox`, `hypervisor`, `minecraft`, `bitwarden`, `nextcloud`, `nginx`
+2. Find available playbooks for development
+   ```
+   cd homelab
+   ```
+   ```
+   find dev -maxdepth 1 -name "*.yml" -exec basename {} .yml \;
+   ```
 
+3. Set the `PLAYBOOK` environmental variable to a value listed in the last step, e.g.,
    ```
    export PLAYBOOK=dockerbox
    ```
@@ -29,11 +43,10 @@ Vagrant and VirtualBox are used to develop Project Moxie. You will need to insta
    ```
 
 #### Copyright and License
-Copyright (C) 2020-2021  Kris Lamoureux
+Copyright (C) 2020-2022  Kris Lamoureux
 
 [![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)
 
-
 This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
 
 This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.

dev/proxy.yml

@@ -5,7 +5,7 @@
     - host_vars/proxy.yml
   roles:
     - base
-    - postgresql
+    - mariadb
     - proxy
     - docker
     - gitea

dockerbox.yml

@@ -20,7 +20,6 @@
     - docker
     - traefik
     - nextcloud
-    - gitea
     - jenkins
     - prometheus
     - nginx

proxy.yml

@@ -0,0 +1,11 @@
+- name: Install Proxy Server
+  hosts: proxyhosts
+  become: true
+  roles:
+    - base
+    - jenkins
+    - mariadb
+    - proxy
+    - docker
+    - gitea
+    - bitwarden

roles/.gitignore

@@ -7,6 +7,7 @@
 !gitea*/
 !jenkins*/
 !libvirt*/
+!mariadb*/
 !minecraft*/
 !nextcloud*/
 !nginx*/

roles/base/defaults/main.yml

@@ -3,6 +3,7 @@ network_type: static
 allow_reboot: true
 
 packages:
+  - apache2-utils
   - cryptsetup
   - curl
   - dnsutils

roles/base/files/buster-backports.list

@@ -1 +0,0 @@
-deb http://deb.debian.org/debian buster-backports main

roles/base/handlers/main.yml

@@ -10,3 +10,9 @@
     name: wg-quick@wg0
     state: restarted
   listen: restart_wireguard
+
+- name: Restart Fail2ban
+  service:
+    name: fail2ban
+    state: restarted
+  listen: restart_fail2ban

roles/base/tasks/ansible.yml

@@ -13,6 +13,7 @@
   loop:
     - aptitude
     - python3-docker
+    - python3-pymysql
     - python3-psycopg2
 
 - name: Create Ansible's temporary remote directory

roles/base/tasks/firewall.yml

@@ -3,6 +3,11 @@
     name: ufw
     state: present
 
+- name: Install Fail2ban
+  apt:
+    name: fail2ban
+    state: present
+
 - name: Deny incoming traffic by default
   ufw:
     default: deny
@@ -18,6 +23,24 @@
     name: ssh
     rule: limit
 
+- name: Remove Fail2ban defaults-debian.conf
+  file:
+    path: /etc/fail2ban/jail.d/defaults-debian.conf
+    state: absent
+
+- name: Install OpenSSH's Fail2ban jail
+  template:
+    src: fail2ban-ssh.conf.j2
+    dest: /etc/fail2ban/jail.d/sshd.conf
+  notify: restart_fail2ban
+
+- name: Install Fail2ban IP allow list
+  template:
+    src: fail2ban-allowlist.conf.j2
+    dest: /etc/fail2ban/jail.d/allowlist.conf
+  when: fail2ban_ignoreip is defined
+  notify: restart_fail2ban
+
 - name: Enable firewall
   ufw:
     state: enabled

roles/base/tasks/wireguard.yml

@@ -27,3 +27,10 @@
     name: wg-quick@wg0
     state: started
     enabled: true
+
+- name: Add WireGuard firewall rule
+  ufw:
+    rule: allow
+    port: "{{ wireguard.listenport }}"
+    proto: tcp
+  when: wireguard.listenport is defined

roles/base/templates/fail2ban-allowlist.conf.j2

@@ -0,0 +1,2 @@
+[DEFAULT]
+ignoreip = {% for host in fail2ban_ignoreip %}{{ host }}{% if not loop.last %} {% endif %}{% endfor %}

roles/base/templates/fail2ban-ssh.conf.j2

@@ -0,0 +1,3 @@
+[sshd]
+mode = aggressive
+enabled = true

roles/bitwarden/defaults/main.yml

@@ -1,5 +1,7 @@
 bitwarden_name: bitwarden
 bitwarden_root: "/var/lib/{{ bitwarden_name }}"
+bitwarden_logs_identity: "{{ bitwarden_root }}/bwdata/logs/identity/Identity"
+bitwarden_logs_identity_date: "{{ ansible_date_time.year }}{{ ansible_date_time.month }}{{ ansible_date_time.day }}"
 bitwarden_database: "{{ bitwarden_name }}"
 bitwarden_realips: "172.16.0.0/12"
 bitwarden_standalone: false

roles/bitwarden/tasks/main.yml

@@ -70,6 +70,7 @@
     path: "{{ bitwarden_root }}/bwdata/config.yml"
     line: "- {{ bitwarden_realips }}"
     insertafter: "^real_ips"
+  notify: rebuild_bitwarden
 
 - name: Install Bitwarden systemd service
   template:
@@ -78,6 +79,24 @@
   register: bitwarden_systemd
   notify: rebuild_bitwarden
 
+- name: Create Bitwarden's initial logging directory
+  file:
+    path: "{{ bitwarden_logs_identity }}"
+    state: directory
+  register: bitwarden_logs
+
+- name: Create Bitwarden's initial log file
+  file:
+    path: "{{ bitwarden_logs_identity }}/{{ bitwarden_logs_identity_date }}.txt"
+    state: touch
+  when: bitwarden_logs.changed
+
+- name: Install Bitwarden's Fail2ban jail
+  template:
+    src: fail2ban-jail.conf.j2
+    dest: /etc/fail2ban/jail.d/bitwarden.conf
+  notify: restart_fail2ban
+
 - name: Reload systemd manager configuration
   systemd:
     daemon_reload: true

roles/bitwarden/templates/fail2ban-jail.conf.j2

@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+[bitwarden]
+enabled = true
+filter = bitwarden
+logpath = {{ bitwarden_root }}/bwdata/logs/identity/Identity/*
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports

roles/gitea/defaults/main.yml

@@ -5,11 +5,11 @@ gitea_webport: "3000"
 gitea_ssh: "127.0.0.1:{{ gitea_sshport }}"
 gitea_web: "127.0.0.1:{{ gitea_webport }}"
 gitea_volume: "{{ gitea_name }}"
-gitea_rooturl: "http://{{ gitea_domain }}"
+gitea_rooturl: "https://{{ gitea_domain }}"
 gitea_signup: true
 
 # database settings
-gitea_dbtype: postgres
+gitea_dbtype: mysql
 gitea_dbhost: host.docker.internal
 gitea_dbname: "{{ gitea_name }}"
 gitea_dbuser: "{{ gitea_name }}"

roles/gitea/tasks/main.yml

@@ -4,18 +4,19 @@
     state: directory
 
 - name: Create Gitea database
-  postgresql_db:
+  mysql_db:
     name: "{{ gitea_dbname }}"
-  become: true
-  become_user: postgres
+    state: present
+    login_unix_socket: /var/run/mysqld/mysqld.sock
 
 - name: Create Gitea database user
-  postgresql_user:
-    db: "{{ gitea_dbname }}"
+  mysql_user:
     name: "{{ gitea_dbuser }}"
     password: "{{ gitea_dbpass }}"
-  become: true
-  become_user: postgres
+    host: '%'
+    state: present
+    priv: "{{ gitea_dbname }}.*:ALL"
+    login_unix_socket: /var/run/mysqld/mysqld.sock
 
 - name: Create git user
   user:
@@ -81,6 +82,28 @@
     dest: "{{ gitea_root }}/.env"
   notify: restart_gitea
 
+- name: Create Gitea's logging directory
+  file:
+    name: /var/log/gitea
+    state: directory
+
+- name: Create Gitea's initial log file
+  file:
+    name: /var/log/gitea/gitea.log
+    state: touch
+
+- name: Install Gitea's Fail2ban filter
+  template:
+    src: fail2ban-filter.conf.j2
+    dest: /etc/fail2ban/filter.d/gitea.conf
+  notify: restart_fail2ban
+
+- name: Install Gitea's Fail2ban jail
+  template:
+    src: fail2ban-jail.conf.j2
+    dest: /etc/fail2ban/jail.d/gitea.conf
+  notify: restart_fail2ban
+
 - name: Start and enable Gitea service
   service:
     name: "{{ docker_compose_service }}@{{ gitea_name }}"

roles/gitea/templates/docker-compose.yml.j2

@@ -12,6 +12,7 @@ services:
     environment:
       - USER_UID={{ getent_passwd.git[1] }}
       - USER_GID={{ getent_group.git[1] }}
+      - GITEA__log__MODE=file
       - GITEA__server__ROOT_URL=${gitea_rooturl}
       - GITEA__server__DOMAIN=${gitea_domain}
       - GITEA__server__SSH_DOMAIN=${gitea_domain}
@@ -20,12 +21,14 @@ services:
       - GITEA__database__NAME=${gitea_dbname}
       - GITEA__database__USER=${gitea_dbuser}
       - GITEA__database__PASSWD=${gitea_dbpass}
+      - GITEA__security__INSTALL_LOCK=true
       - GITEA__security__REVERSE_PROXY_LIMIT=${gitea_proxy_limit}
       - GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES=${gitea_trusted_proxies}
       - GITEA__service__DISABLE_REGISTRATION=${gitea_disable_registration}
     volumes:
       - {{ gitea_volume }}:/data
-      - /home/git/.ssh/:/data/git/.ssh
+      - /home/git/.ssh:/data/git/.ssh
+      - /var/log/gitea:/data/gitea/log
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
 

roles/gitea/templates/fail2ban-filter.conf.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+[Definition]
+failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+ignoreregex =

roles/gitea/templates/fail2ban-jail.conf.j2

@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+[gitea]
+enabled = true
+filter = gitea
+logpath = /var/log/gitea/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports
+
+[gitea-docker]
+enabled = true
+filter = gitea
+logpath = /var/log/gitea/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports[chain="FORWARD"]

roles/jenkins/files/ansible.list

@@ -1 +0,0 @@
-deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main

roles/jenkins/tasks/agent.yml

@@ -1,8 +1,3 @@
-- name: Install GnuPG
-  apt:
-    name: gnupg
-    state: present
-
 - name: Create Jenkins user
   user:
     name: "{{ jenkins_user }}"
@@ -25,16 +20,6 @@
     validate: "visudo -cf %s"
     mode: 0440
 
-- name: Install Ansible source
-  copy:
-    src: ansible.list
-    dest: /etc/apt/sources.list.d/ansible.list
-
-- name: Add Ansible source key
-  apt_key:
-    keyserver: keyserver.ubuntu.com
-    id: 93C4A3FD7BB9C367
-
 - name: Install Ansible
   apt:
     name: ansible

roles/mariadb/defaults/main.yml

@@ -0,0 +1,3 @@
+mariadb_trust:
+  - "172.16.0.0/12"
+  - "192.168.0.0/16"

roles/mariadb/tasks/main.yml

@@ -0,0 +1,25 @@
+- name: Install MariaDB
+  apt:
+    name: mariadb-server
+    state: present
+
+- name: Change the bind-address to allow Docker
+  lineinfile:
+    path: /etc/mysql/mariadb.conf.d/50-server.cnf
+    regex: "^bind-address"
+    line: "bind-address            = 0.0.0.0"
+  register: mariadb_conf
+
+- name: Restart MariaDB
+  service:
+    name: mariadb
+    state: restarted
+  when: mariadb_conf.changed
+
+- name: Allow database connections
+  ufw:
+    rule: allow
+    port: "3306"
+    proto: tcp
+    src: "{{ item }}"
+  loop: "{{ mariadb_trust }}"

roles/nginx/tasks/main.yml

@@ -29,9 +29,9 @@
       - "{{ nginx_html }}:/usr/share/nginx/html:ro"
     labels:
       traefik.http.routers.nginx.rule: "Host(`{{ nginx_domain }}`)"
-      traefik.http.middlewares.nginxauth.basicauth.users: "{{ nginx_auth }}"
+      #traefik.http.middlewares.nginxauth.basicauth.users: "{{ nginx_auth }}"
       traefik.http.routers.nginx.entrypoints: websecure
-      traefik.http.routers.nginx.tls.certresolver: letsencrypt
-      traefik.http.routers.nginx.middlewares: "securehttps@file,nginxauth"
+      #traefik.http.routers.nginx.tls.certresolver: letsencrypt
+      #traefik.http.routers.nginx.middlewares: "securehttps@file,nginxauth"
       traefik.docker.network: traefik
       traefik.enable: "true"

roles/postgresql/defaults/main.yml

@@ -1,2 +1,5 @@
 postgresql_config: /etc/postgresql/13/main/pg_hba.conf
 postgresql_listen: "*"
+postgresql_trust:
+  - "172.16.0.0/12"
+  - "192.168.0.0/16"

roles/postgresql/tasks/main.yml

@@ -3,15 +3,16 @@
     name: postgresql
     state: present
 
-- name: Trust connections to PostgreSQL from Docker
+- name: Trust connections to PostgreSQL
   postgresql_pg_hba:
     dest: "{{ postgresql_config }}"
     contype: host
     databases: all
     users: all
-    address: "172.16.0.0/12"
+    address: "{{ item }}"
     method: trust
   register: postgresql_hba
+  loop: "{{ postgresql_trust }}"
 
 - name: Change PostgreSQL listen addresses
   postgresql_set:
@@ -33,9 +34,10 @@
     state: restarted
   when: postgresql_config.changed
 
-- name: Allow database connections from Docker
+- name: Allow database connections
   ufw:
     rule: allow
     port: "5432"
     proto: tcp
-    src: "172.16.0.0/12"
+    src: "{{ item }}"
+  loop: "{{ postgresql_trust }}"

roles/proxy/tasks/main.yml

@@ -10,6 +10,11 @@
     state: started
     enabled: true
 
+- name: Generate DH Parameters
+  openssl_dhparam:
+    path: /etc/ssl/dhparams.pem
+    size: 4096
+
 - name: Install nginx base configuration
   template:
     src: nginx.conf.j2
@@ -78,7 +83,9 @@
             --email "{{ proxy.dns_cloudflare.email }}" \
             --dns-cloudflare \
             --dns-cloudflare-credentials /root/.cloudflare.ini \
-            -d "*.{{ item }}" {{ proxy.dns_cloudflare.opts | default("") }}'
+            -d "*.{{ item }}" \
+            -d "{{ item }}" \
+            {{ proxy.dns_cloudflare.opts | default("") }}'
   args:
     creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
   loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"

roles/proxy/templates/nginx.conf.j2

@@ -21,6 +21,14 @@ http {
   keepalive_timeout 65;
   server_names_hash_bucket_size 128;
 
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_prefer_server_ciphers off;
+  ssl_dhparam /etc/ssl/dhparams.pem;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_timeout 1d;
+  ssl_session_tickets off;
+
   include           /etc/nginx/conf.d/*.conf;
   include           /etc/nginx/sites-enabled/*;
 }

roles/proxy/templates/server-nginx.conf.j2

@@ -1,12 +1,13 @@
 server {
-    listen 80;
-
-    server_name {{ item.domain }};
-    return 301 https://{{ item.domain }}$request_uri;
+  listen 80;
+  listen [::]:80;
+  server_name {{ item.domain }};
+  return 301 https://{{ item.domain }}$request_uri;
 }
 
 server {
-  listen              443 ssl;
+  listen              443      ssl http2;
+  listen              [::]:443 ssl http2;
   server_name         {{ item.domain }};
   access_log          /var/log/nginx/{{ item.domain }}.log main;
 {% if proxy.production is defined and proxy.production and proxy.dns_cloudflare.wildcard_domains is defined and item.tls.cert is not defined %}
@@ -26,11 +27,31 @@ server {
 {% else %}
   ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
   ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
+{% endif %}
+{% if item.hsts is defined %}
+  add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
+{% endif %}
+{% if item.client_max_body_size is defined %}
+  client_max_body_size {{ item.client_max_body_size }};
 {% endif %}
   location / {
+{% if item.restrict is defined and item.restrict  %}
+    auth_basic "{{ item.restrict_name | default('Restricted Access') }}";
+    auth_basic_user_file {{ item.restrict_file | default('/etc/nginx/.htpasswd') }};
+    proxy_set_header Authorization "";
+{% endif %}
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_pass {{ item.proxy_pass }};
+{% if item.proxy_ssl_verify is defined and item.proxy_ssl_verify is false %}
+    proxy_ssl_verify off;
+{% endif %}
+{% if item.websockets is defined and item.websockets %}
+    proxy_http_version 1.1;
+    proxy_set_header Connection $http_connection;
+    proxy_set_header Origin http://$host;
+    proxy_set_header Upgrade $http_upgrade;
+{% endif %}
   }
 }

roles/traefik/defaults/main.yml

@@ -3,8 +3,10 @@ traefik_dashboard: false
 traefik_root: "/opt/{{ traefik_name }}"
 traefik_localonly: "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8"
 traefik_production: false
+traefik_hsts_enable: false
 traefik_hsts_preload: false
 traefik_hsts_seconds: 0
+traefik_http_redirect: false
 traefik_ports:
   - "80:80"
   - "443:443"

roles/traefik/tasks/main.yml

@@ -42,10 +42,10 @@
       - name: traefik
     labels:
       traefik.http.routers.traefik.rule: "Host(`{{ traefik_domain }}`)"
-      traefik.http.middlewares.auth.basicauth.users: "{{ traefik_auth }}"
-      traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
-      traefik.http.routers.traefik.tls.certresolver: letsencrypt
-      traefik.http.routers.traefik.middlewares: "securehttps@file,auth@docker,localonly"
+      #traefik.http.middlewares.auth.basicauth.users: "{{ traefik_auth }}"
+      #traefik.http.middlewares.localonly.ipwhitelist.sourcerange: "{{ traefik_localonly }}"
+      #traefik.http.routers.traefik.tls.certresolver: letsencrypt
+      #traefik.http.routers.traefik.middlewares: "securehttps@file,auth@docker,localonly"
       traefik.http.routers.traefik.service: "api@internal"
       traefik.http.routers.traefik.entrypoints: websecure
       traefik.http.routers.traefik.tls: "true"

roles/traefik/templates/external.yml.j2

@@ -10,10 +10,12 @@ http:
 {% elif item.middlewares is defined %}
       middlewares: "{{ item.middlewares }}"
 {% endif %}
+{% if traefik_acme_email is defined %}
       tls:
         certResolver: letsencrypt
         domains:
           - main: "{{ item.domain }}"
+{% endif %}
       entryPoints:
         - "websecure"
   services:

roles/traefik/templates/security.yml.j2

@@ -11,6 +11,8 @@ http:
         sslRedirect: true
         browserXssFilter: true
         contentTypeNosniff: true
+{% if traefik_hsts_enable is defined and traefik_hsts_enable %}
         stsPreload: {{ traefik_hsts_preload }}
         stsSeconds: {{ traefik_hsts_seconds }}
+{% endif %}
         customFrameOptionsValue: SAMEORIGIN

roles/traefik/templates/traefik.yml.j2

@@ -10,12 +10,14 @@ providers:
 entrypoints:
   web:
     address: ':80'
+{% if traefik_http_redirect is defined and traefik_http_redirect %}
     http:
       redirections:
         entrypoint:
           to: websecure
           scheme: https
           permanent: true
+{% endif %}
   websecure:
     address: ':443'
     http: