From bec00118c027918237635275abbdacb084b5b578 Mon Sep 17 00:00:00 2001
From: Thomas Kleinendorst
Date: Sun, 14 Apr 2024 10:58:41 +0200
Subject: [PATCH] Add a non working setup for ip forwarding
---
 playbook.yml | 32 +++++++------
 roles/actual/tasks/main.yml | 2 +-
 roles/pi-hole/handlers/main.yml | 5 ++
 roles/pi-hole/tasks/main.yml | 83 +++++++++++++++++++++++++++++++--
 4 files changed, 104 insertions(+), 18 deletions(-)
diff --git a/playbook.yml b/playbook.yml
index 425654d..f3b4763 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -9,16 +9,16 @@
 roles:
 # These roles are disabled after they have being applied once for performance reasons, it should be safe to enable them again.
 # Notice that this role changes some settings on reruns (on the "Change various sysctl-settings" task), doesn't seem problematic though.
- - role: devsec.hardening.os_hardening
- become: true
- - role: devsec.hardening.ssh_hardening
- become: true
- - role: snapcraft
- - role: user
+ # - role: devsec.hardening.os_hardening
+ # become: true
+ # - role: devsec.hardening.ssh_hardening
+ # become: true
+ # - role: snapcraft
+ # - role: user
+ # - role: cloudflare-ddns
+ # - role: reverse-proxy
+ # - role: actual
 - role: pi-hole
- - role: cloudflare-ddns
- - role: reverse-proxy
- - role: actual
 vars:
 # devsec.hardening.os_hardening vars:
 os_auth_pw_max_age: 99999 # Effectively disables the setting as mentioned in the docs.
@@ -27,6 +27,7 @@
 - squashfs # Used by Snapcraft which is installed on the Raspberry Pi at some moment
 sysctl_overwrite:
 vm.mmap_rnd_bits: 16 # See the "sysctl - vm.mmap_rnd_bits" section of the docs.
+ net.ipv4.ip_forward: 1 # We're specifically going to allow ufw forwarding in the playbook.
 # devsec.hardening.ssh_hardening vars:
 ssh_allow_users: 'thomas'
 ssh_client_port: 22 # Default, but duplicated here for documentation purpose. Not changed because its only accessible via LAN.
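Review bot: The `net.ipv4.ip_forward: 1` entry added to `sysctl_overwrite` in the second hunk (`@@ -27,6 +27,7 @@`) is only consumed by `devsec.hardening.os_hardening`, which the first hunk comments out, so on the runs this commit produces the override is inert and forwarding is enabled solely by the pi-hole role's edit of /etc/ufw/sysctl.conf. If its purpose is to stop os_hardening from resetting ip_forward to its hardened default when the role is re-enabled (which I believe it would otherwise do), say that on the line instead of the current comment, e.g. `# Keeps os_hardening from reverting this when re-enabled; the pi-hole role owns the real setting in /etc/ufw/sysctl.conf.`. The kernel setting now has two owners in the repository, which deserves a sentence in the comment above the disabled role list so the next person re-enabling the hardening roles knows to check it.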
@@ -39,18 +40,23 @@
 # dest: './.ansible_facts.json'
 # content: "{{ ansible_facts }}"
 # mode: "0600"
- - name: Configure hostname
- become: true
- ansible.builtin.hostname:
- name: "{{ hostname }}"
 - name: Add FQDN name in /etc/hosts
 become: true
 ansible.builtin.lineinfile:
 path: /etc/hosts
 line: "{{ ansible_facts['default_ipv4']['address'] }} {{ hostname }}.kleinendorst.info {{ hostname }}"
+ # For some reason sudo becomes very slow when this isn't correctly configured. Fixing the configuration as suggested
+ # here: https://www.linuxquestions.org/questions/linux-newbie-8/fedora-11-sudo-has-a-20-second-start-delay-732291/#post3575840
+ # fixed the problem for me. We could try to remove the default hostname variable which was added by using the "ansible_facts['hostname']"
+ # variable which is fetched in the special "Gathering facts" step.
+ - name: Configure hostname
+ become: true
+ ansible.builtin.hostname:
+ name: "{{ hostname }}"
 # TODO: Replace this with setup that sets up unnattended updates on the machine itself.
 - name: Update all packages to their latest version # noqa: package-latest
 become: true
 ansible.builtin.apt:
 name: "*"
 state: latest
+# TODO: install vim on the system
diff --git a/roles/actual/tasks/main.yml b/roles/actual/tasks/main.yml
index 9a7eb75..e691a04 100644
--- a/roles/actual/tasks/main.yml
+++ b/roles/actual/tasks/main.yml
@@ -24,7 +24,7 @@
 containers.podman.podman_container:
 name: actual-server
 image: docker.io/actualbudget/actual-server:24.4.0
- restart_policy: on-failure
+ restart_policy: on-failure # TODO: Doesn't restart containers on reboot for some reason...
 publish:
 - 127.0.0.1:5006:5006
 volumes:
diff --git a/roles/pi-hole/handlers/main.yml b/roles/pi-hole/handlers/main.yml
index d78a686..2100479 100644
--- a/roles/pi-hole/handlers/main.yml
+++ b/roles/pi-hole/handlers/main.yml
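Review bot: The TODO added to `restart_policy: on-failure` in roles/actual/tasks/main.yml records expected podman behaviour rather than a bug: podman has no daemon, so after a reboot containers come back only through `podman-restart.service` (which, as far as I recall, restarts only containers whose policy is `always`) or through a per-container systemd unit (`podman generate systemd` or a Quadlet file, which also covers the rootless case). Either `restart_policy: always` with that service enabled, or a generated unit, would close the TODO; the same comment is added to the pi-hole container in roles/pi-hole/tasks/main.yml (`@@ -43,7 +45,7 @@`). If the TODO stays for now, state the cause so it is actionable, e.g. `# TODO: on-failure is not applied across reboots; use a systemd unit (podman generate systemd / Quadlet) or restart_policy: always with podman-restart.service.`.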
@@ -4,3 +4,8 @@
 ansible.builtin.systemd:
 name: nginx.service
 state: restarted
+- name: Restart ufw
+ become: true
+ ansible.builtin.systemd:
+ name: ufw.service
+ state: restarted
diff --git a/roles/pi-hole/tasks/main.yml b/roles/pi-hole/tasks/main.yml
index 93d2338..a953969 100644
--- a/roles/pi-hole/tasks/main.yml
+++ b/roles/pi-hole/tasks/main.yml
@@ -19,6 +19,7 @@
 mode: '0700'
 register: command_result
 failed_when:
+ - command_result.changed == false
 - command_result.rc != 0
 # This is quite an interesting problem. The command fails because, after initial creation, the pod using the volume
 # changes the user of the folder to a UID only known within the container. This command basically doesn't need to
@@ -32,6 +33,7 @@
 state: directory
 mode: '0700'
 failed_when:
+ - command_result.changed == false
 - command_result.rc != 0
 # This is quite an interesting problem. The command fails because, after initial creation, the pod using the volume
 # changes the user of the folder to a UID only known within the container. This command basically doesn't need to
@@ -43,7 +45,7 @@
 containers.podman.podman_container:
 name: pi-hole
 image: docker.io/pihole/pihole:2024.03.2
- restart_policy: on-failure
+ restart_policy: on-failure # TODO: Doesn't restart containers on reboot for some reason...
 publish:
 # It seems we can't use authbind in combination with Podman, see: https://github.com/containers/podman/issues/13426.
 # Instead we'll map to a higher port number and install and use the ufw firewall to forward packets to the local port.
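Review bot: The new `Restart ufw` handler drives the firewall through `ansible.builtin.systemd` with `state: restarted`, while every task that notifies it in roles/pi-hole/tasks/main.yml uses `community.general.ufw`; that module's `state: reloaded` is ufw's own documented way to pick up edits to /etc/ufw/before.rules and /etc/default/ufw and would keep the role on one interface to the firewall. A unit restart stops ufw before starting it again, which as far as I can tell from ufw-init leaves the host briefly without the rule set; a reload is at least not worse on that point. If the restart is deliberate (for example because the sysctl.conf edit needs it), a one-line comment on the handler saying so would stop the next reader from "fixing" it.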
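Review bot: Two entries under `failed_when` are combined with `and`, so after `@@ -19,6 +19,7 @@` the task fails only when it reports no change *and* exits non-zero; whether that is the intent is not clear from the hunk, since the existing comment says the non-zero exit after first creation is expected and harmless, and I cannot tell from here what `changed` is on that path for this task. If the goal is to tolerate exactly that case, write the condition on one line so the logic is visible, `failed_when: command_result.rc != 0 and not command_result.changed`, and prefer `not x.changed` over `x.changed == false`. The same condition is added in `@@ -32,6 +33,7 @@` to a `state: directory` task whose own `register` is not in the hunk, so it appears to evaluate the previous task's `command_result`; worth confirming that is what you want. Both tasks start outside their hunks.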
@@ -53,9 +55,11 @@
 env:
 TZ: 'Europe/Amsterdam'
 WEBPASSWORD: "{{ pi_hole_web_password }}"
- FTLCONF_LOCAL_IPV4: "{{ ansible_facts['default_ipv4']['address'] }}"
+ # VIRTUAL_HOST: 'pi-hole.kleinendorst.info'
+ # FTLCONF_LOCAL_IPV4: "{{ ansible_facts['default_ipv4']['address'] }}"
 PIHOLE_DNS_: 1.1.1.1;1.0.0.1
- DNSMASQ_USER: "{{ pi_hole_username }}"
+ DNSMASQ_USER: root
+ INTERFACE: tap0
 volumes:
 - "/home/{{ pi_hole_username }}/etc-pihole:/etc/pihole"
 - "/home/{{ pi_hole_username }}/etc-dnsmasq.d:/etc/dnsmasq.d"
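Review bot: `DNSMASQ_USER: root` removes the privilege drop the previous `{{ pi_hole_username }}` value gave the resolver process inside the container, and the hunk gives no reason for it; with the Subject saying the setup does not work yet, it reads like a debugging leftover rather than a deliberate change. If root is genuinely required for the rootless case (`INTERFACE: tap0` is, as far as I know, the slirp4netns device inside the container's network namespace, so that seems to be the setup), leave the reason on the line, e.g. `DNSMASQ_USER: root  # needed for <reason>; revisit once forwarding works`, otherwise restore the non-root user before this lands. The two commented-out FTLCONF/VIRTUAL_HOST lines likewise deserve a word on why they were taken out, since `FTLCONF_LOCAL_IPV4` was the only thing telling Pi-hole which address it answers on.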
@@ -75,4 +79,75 @@
 - name: Debug
 ansible.builtin.debug:
 msg: "Don't forget to manually add a DNS record for pi-hole.kleinendorst.info pointing to: {{ ansible_facts['default_ipv4']['address'] }}."
-# TODO: Install and configure ufw to forward the DNS port (53) to the 5053 podman container port.
+- name: Install ufw
+ become: true
+ ansible.builtin.apt:
+ name: ufw
+ state: present
+- name: Set default policy (incoming)
+ become: true
+ community.general.ufw:
+ direction: incoming
+ policy: deny
+- name: Set default policy (outgoing)
+ become: true
+ community.general.ufw:
+ direction: outgoing
+ policy: allow
+- name: Allow forwarding in ufw
+ become: true
+ ansible.builtin.lineinfile:
+ path: /etc/ufw/sysctl.conf
+ regexp: '^#net/ipv4/ip_forward=1$'
+ line: 'net/ipv4/ip_forward=1'
+- name: Configure firewall to allow forward requests
+ become: true
+ ansible.builtin.lineinfile:
+ path: /etc/default/ufw
+ regexp: '^DEFAULT_FORWARD_POLICY="DROP"$'
+ line: 'DEFAULT_FORWARD_POLICY="ACCEPT"'
+ notify: Restart ufw
+- name: Add forwarding rules for ufw
+ become: true
+ ansible.builtin.blockinfile:
+ path: /etc/ufw/before.rules
+ insertafter: "^COMMIT$"
+ block: |-
+ *nat
+ :PREROUTING ACCEPT [0:0]
+ -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port 5053
+ -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port 5053
+ COMMIT
+ notify: Restart ufw
+- name: Allow all access to ssh
+ become: true
+ community.general.ufw:
+ rule: allow
+ port: ssh
+ proto: tcp
+ notify: Restart ufw
+- name: Allow all access to https
+ become: true
+ community.general.ufw:
+ rule: allow
+ port: https
+ proto: tcp
+ notify: Restart ufw
+- name: Allow all access to port 53 (udp)
+ become: true
+ community.general.ufw:
+ rule: allow
+ port: '53'
+ proto: udp
+ notify: Restart ufw
+- name: Allow all access to port 53 (tcp)
+ become: true
+ community.general.ufw:
+ rule: allow
+ port: '53'
+ proto: tcp
+ notify: Restart ufw
+- name: Enable ufw
+ become: true
+ community.general.ufw:
+ state: enabled
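Review bot: The two `Allow all access to port 53` rules are evaluated in the filter INPUT chain, which in netfilter's chain order runs after the nat PREROUTING `REDIRECT` has already rewritten the destination to 5053, so as far as I can tell they never match and the `policy: deny` incoming default drops the redirected DNS traffic; assuming the rootless setup the previous hunk's `tap0` suggests, where 5053 is a host-side socket, the rules that need to exist are `port: '5053'` for udp and tcp, with 53 handled by the REDIRECT alone. This is quite possibly why the Subject calls the setup non-working. Conversely, a `REDIRECT` delivers to the local host and never traverses FORWARD, so `DEFAULT_FORWARD_POLICY="ACCEPT"` together with `net/ipv4/ip_forward=1` is not needed for this path and turns the Raspberry Pi into a router that forwards anything arriving on it; unless the podman network genuinely requires forwarding, drop those two tasks, or put a comment on them naming the traffic they are for. The `Allow forwarding in ufw` task also does not `notify: Restart ufw`, so a change to sysctl.conf alone is not applied until something else triggers the handler.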