Import friwall role from network ansible scripts

To reuse alpine and nginx roles. Probably going to merge repos at some point.
2024-07-04 15:01:47 +02:00 · 2024-07-04 15:01:47 +02:00 · 973522c373
parent bacfc66f7c
commit 973522c373
14 changed files with 249 additions and 1 deletions
--- a/inventory.yml
+++ b/inventory.yml
@ -11,7 +11,8 @@ device_query_filters:
 query_filters:
  - tenant: 'fri-it'
  - role: 'compute-node'
-  - role: 'storage-node'
+  - role: 'firewall'
  - role: 'server'
  - role: 'storage-node'
 group_by:
  - cluster
--- a/roles/friwall/files/friwall.ini
+++ b/roles/friwall/files/friwall.ini
@ -0,0 +1,16 @@
 [uwsgi]
 uid = friwall
 gid = friwall
 socket = /run/friwall.socket
 chown-socket = friwall:nginx
 chmod-socket = 660
 plugin = python3
 chdir = /srv/friwall/app
 mount = /=wsgi:app
 env = PYTHONUSERBASE=/srv/friwall/.local
 env = HOME=/srv/friwall
 # Microsoft OIDC endpoint sends some fat‐ass headers.
 buffer-size = 16384
--- a/roles/friwall/files/motd
+++ b/roles/friwall/files/motd
@ -0,0 +1 @@
 Welcome to the wall. Trespassers will be shot. Survivors will be shot again.
--- a/roles/friwall/files/pusher.initd
+++ b/roles/friwall/files/pusher.initd
@ -0,0 +1,18 @@
 #!/sbin/openrc-run
 command="/srv/friwall/app/$RC_SVCNAME"
 command_background="yes"
 command_user="friwall"
 command_group="nogroup"
 directory="/srv/friwall"
 pidfile="/run/$RC_SVCNAME.pid"
 depend() {
 	need net
 }
 stop() {
 	ebegin "Stopping $RC_SVCNAME"
 	pkill -INT -g $(cat "$pidfile") && rm -f "$pidfile"
 	eend $?
 }
--- a/roles/friwall/files/uwsgi.ini
+++ b/roles/friwall/files/uwsgi.ini
@ -0,0 +1,2 @@
 [uwsgi]
 emperor = /etc/uwsgi/conf.d
--- a/roles/friwall/handlers/main.yml
+++ b/roles/friwall/handlers/main.yml
@ -0,0 +1,23 @@
 - name: reload nginx
  service:
    name: nginx
    state: reloaded
  when: "'handler' not in ansible_skip_tags"
 - name: restart pusher
  service:
    name: pusher
    state: restarted
  when: "'handler' not in ansible_skip_tags"
 - name: reload uwsgi
  service:
    name: uwsgi
    state: reloaded
  when: "'handler' not in ansible_skip_tags"
 - name: restart uwsgi
  service:
    name: uwsgi
    state: restarted
  when: "'handler' not in ansible_skip_tags"
--- a/roles/friwall/tasks/main.yml
+++ b/roles/friwall/tasks/main.yml
@ -0,0 +1,113 @@
 - name: Create friwall group
  group:
    name: friwall
    system: yes
 - name: Create friwall user
  user:
    name: friwall
    system: yes
    home: /srv/friwall
    shell: /sbin/nologin
    generate_ssh_key: yes
    ssh_key_comment: "{{ inventory_hostname }}"
    ssh_key_type: ed25519
 - name: Install packages
  package:
    name: git,inotify-tools,py3-pip,procps-ng,rsync,uwsgi,uwsgi-python3,wireguard-tools
 - name: Clone web files
  become: yes
  become_user: friwall
  become_method: su
  become_flags: "-s /bin/sh"
  git:
    repo: '{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="friwall_repo") }}'
    dest: /srv/friwall/app
    force: yes
  notify: reload uwsgi
 - name: Install requirements
  become: yes
  become_user: friwall
  become_method: su
  become_flags: '-s /bin/sh'
  pip:
    requirements: /srv/friwall/app/requirements.txt
    extra_args: --user --break-system-packages --no-warn-script-location
  register: result
 - name: Configure base settings
  template:
    dest: "/srv/friwall/{{ item }}"
    src: "{{ item }}.j2"
    owner: friwall
    group: friwall
    mode: 0600
    force: no
  loop:
    - nodes.json
    - settings.json
  notify: restart uwsgi
 - name: Configure list of networks
  template:
    dest: "/srv/friwall/networks.json"
    src: "networks.json.j2"
    owner: friwall
    group: friwall
    mode: 0600
 - name: Configure uwsgi
  copy:
    dest: /etc/uwsgi/
    src: uwsgi.ini
  notify: restart uwsgi
 - name: Configure uwsgi instance
  copy:
    dest: /etc/uwsgi/conf.d/
    src: friwall.ini
    owner: friwall
    group: friwall
 - name: Enable uwsgi
  service:
    name: uwsgi
    enabled: yes
    state: started
 - name: Configure nginx instance
  template:
    dest: /etc/nginx/http.d/friwall.conf
    src: nginx.conf.j2
  notify: reload nginx
 - name: Install config pusher initscript
  copy:
    dest: /etc/init.d/pusher
    src: pusher.initd
    mode: 0755
  notify: restart pusher
 - name: Enable config pusher service
  service:
    name: pusher
    enabled: true
    state: started
 - name: Regenerate config daily
  cron:
    name: "regenerate config"
    job: "cd ~/app ; FLASK_APP=web python3 -m flask generate"
    user: friwall
    hour: "3"
    minute: "33"
 - name: Try (re-)pushing config periodically
  cron:
    name: "push config"
    job: "cd ~/app ; FLASK_APP=web python3 -m flask push"
    user: friwall
    minute: "*/15"
--- a/roles/friwall/templates/interfaces.j2
+++ b/roles/friwall/templates/interfaces.j2
@ -0,0 +1,14 @@
 auto lo
 iface lo inet loopback
 {% for iface in interfaces %}
 auto {{ iface.name }}
 iface {{ iface.name }} inet static
 {% for address in iface.ip_addresses %}
    address {{ address.address }}
 {% endfor %}
 {% if iface.custom_fields.gateway %}
    gateway {{ iface.custom_fields.gateway.address | ipaddr('address') }}
 {% endif %}
 {% endfor %}
--- a/roles/friwall/templates/networks.json.j2
+++ b/roles/friwall/templates/networks.json.j2
@ -0,0 +1,10 @@
 {
 {% for vlan, addrs in prefixes | selectattr('vrf')
        | selectattr('vlan') | selectattr('vlan.id', 'in', vlans|map(attribute='id'))
        | sort(attribute='vlan.vid') | groupby('vlan.vid') %}
  "{{ addrs[0].vlan.name }}": {
    "ip": {{ addrs | selectattr('family.value', '==', 4) | map(attribute='prefix') | to_json }},
    "ip6": {{ addrs | selectattr('family.value', '==', 6) | map(attribute='prefix') | to_json }}
  }{% if not loop.last %},{% endif +%}
 {% endfor %}
 }
--- a/roles/friwall/templates/nginx.conf.j2
+++ b/roles/friwall/templates/nginx.conf.j2
@ -0,0 +1,13 @@
 server {
 	listen 443 ssl;
 	listen [::]:443 ssl;
 	server_name {{ dns_name }};
 	ssl_certificate /etc/letsencrypt/live/{{ dns_name }}/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/{{ dns_name }}/privkey.pem;
 	location / {
 		uwsgi_pass unix:/run/friwall.socket;
 		include uwsgi_params;
 	}
 }
--- a/roles/friwall/templates/nodes.json.j2
+++ b/roles/friwall/templates/nodes.json.j2
@ -0,0 +1,11 @@
 {% set nodes = query('netbox.netbox.nb_lookup', 'devices', api_filter='role=firewall', raw_data=true)
    | selectattr('config_context') | selectattr('config_context', 'contains', 'master')
    | selectattr('config_context.master', '==', inventory_hostname)
    | map(attribute='name') -%}
 {
 {% for node in nodes %}
  "{{ hostvars[node] | device_address | selectattr('family.value', '==', 4)
          | map(attribute='address') | ipaddr('address') | first }}": -1{{ '' if loop.last else ',' }}
 {% endfor %}
 }
--- a/roles/friwall/templates/settings.json.j2
+++ b/roles/friwall/templates/settings.json.j2
@ -0,0 +1,10 @@
 {
  "ldap_host": "{{ domain }}",
  "ldap_user": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="ldap_user") }}",
  "ldap_pass": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="ldap_pass") }}",
  "ldap_base_dn": "{{ ldap_base_dn }}",
  "oidc_server": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="oidc_server") }}",
  "oidc_client_id": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="oidc_client_id") }}",
  "oidc_client_secret": "{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="oidc_client_secret") }}",
  "wg_net": "{{ wg_net }}"
 }
--- a/roles/opensmtpd/tasks/main.yml
+++ b/roles/opensmtpd/tasks/main.yml
@ -0,0 +1,9 @@
 - name: Install mail server
  package:
    name: opensmtpd
 - name: Enable mail server
  service:
    name: smtpd
    enabled: yes
    state: started
--- a/setup.yml
+++ b/setup.yml
@ -3,6 +3,13 @@
  roles:
    - facts
 - hosts: zid
  roles:
    - alpine
    - opensmtpd
    - nginx
    - friwall
 - hosts: ceph-*
  roles:
    - debian
		`@ -0,0 +1 @@`
							`Welcome to the wall. Trespassers will be shot. Survivors will be shot again.`