Adding ansible section

ansible/roles/bastion/README.md

@@ -0,0 +1,56 @@
+# Bastion deployment role
+
+## Description
+
+Ce rôle a pour but de créer un bastion ssh avec des configurations sécurisées au niveau réseau (nftables et fail2ban) et système (ssh,sudoers).
+- Déploie les utilisateurs et leur clé publique.
+- Déploie les clés publiques autorisés à se connecter au compte root et limité au connexion depuis 10.17.0.0/16.
+- Déploie la configuration sudoers pour que les utilisateurs puissent se connecter au compte root.
+- Déploie la configuration nftables et fail2ban.
+- Déploie la configuration ssh.
+
+## Variables
+
+- private_networks: Réseaux privés utilisés pour l'administration.
+- allowed_networks: Réseaux en liste blanche dans fail2ban.
+- admin_users: Liste des utilisateurs autorisés à se connecter avec leur clé publique.
+- rundeck_user: Clé publique de rundeck_inf
+- dev_users: Liste des utilisateurs normaux à créer
+- fail2ban_ignore_ips : Liste des IPs/network à ignorer pour fail2ban
+
+## Installation
+
+1. Installer la machine à partir d'un template existant.
+2. Désactiver la configuration par DHCP sur l'interface privée
+```bash
+vim /etc/network/interfaces
+iface <interface> inet static
+    address <private_ip/netmask>
+```
+3. ansible-playbook -i hosts-dmz playbooks/bastion.yml -t all -l <hostname>
+
+## Usage
+
+- Déployer un bastion complet
+```
+ansible-playbook -i hosts-dmz playbooks/bastion.yml -t all
+```
+- Modifier les configurations de pare-feu
+```
+vim roles/bastion/templates/nftables.conf.j2
+ansible-playbook -i hosts-dmz playbooks/bastion.yml -t firewall
+```
+- Modifier/Ajouter un utilisateur
+```
+vim group_vars/all
+ansible-playbook -i hosts-dmz playbooks/bastion.yml -t users,ssh
+```
+- Modifier la configuration SSH
+```
+vim roles/bastion/templates/sshd_config.j2
+ansible-playbook -i hosts-dmz playbooks/bastion.yml -t ssh
+```
+
+## Questions/TODO
+
+- SSH 2FA

ansible/roles/bastion/defaults/main.yml

@@ -0,0 +1,10 @@
+---
+
+private_networks: ""
+allowed_networks: ""
+fail2ban_ignore_ips: ""
+
+dev_users: []
+admin_users: []
+rundeck_users: []
+log_server: ""

ansible/roles/bastion/handlers/main.yml

@@ -0,0 +1,25 @@
+---
+- name: reload nftables
+  ansible.builtin.systemd:
+    name: nftables
+    state: reloaded
+
+- name: reload fail2ban
+  ansible.builtin.systemd:
+    name: fail2ban
+    state: reloaded
+
+- name: restart fail2ban
+  ansible.builtin.systemd:
+    name: fail2ban
+    state: restart
+
+- name: restart ssh
+  ansible.builtin.systemd:
+    service: sshd
+    state: restarted
+
+- name: restart rsyslog
+  ansible.builtin.systemd:
+    service: rsyslog
+    state: restarted

ansible/roles/bastion/tasks/firewall.yml

@@ -0,0 +1,44 @@
+- name: ensure nftables service is started and enabled
+  ansible.builtin.systemd:
+    name: nftables
+    state: started
+    enabled: true
+  tags: all,firewall
+
+- name: deploying nftables configuration
+  ansible.builtin.template:
+    src: nftables.conf.j2
+    dest: /etc/nftables.conf
+    owner: root
+    group: root
+    mode: '0755'
+    backup: true
+    validate: "nft -c -f %s"
+  notify:
+    - reload nftables
+    - restart fail2ban
+  tags: all,firewall
+
+- name: ensure fail2ban is installed
+  ansible.builtin.apt:
+    name: fail2ban
+    state: present
+    update_cache: true
+  tags: all,firewall
+
+- name: ensure fail2ban is enabled and running
+  ansible.builtin.systemd:
+    name: fail2ban
+    state: started
+    enabled: true
+  tags: all,firewall
+
+- name: deploying fail2ban ssh conf
+  ansible.builtin.template:
+    src: sshd.conf.j2
+    dest: /etc/fail2ban/jail.d/sshd.conf
+    owner: root
+    group: root
+    mode: '0644'
+  notify: reload fail2ban
+  tags: all,firewall

ansible/roles/bastion/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+
+- name: user deployment related tasks
+  include_tasks: users.yml
+  tags: all,users,rootonly
+
+- name: firewall deployment related tasks
+  include_tasks: firewall.yml
+  tags: all,firewall
+
+- name: ssh deployment related tasks
+  include_tasks: ssh.yml
+  tags: all,ssh

ansible/roles/bastion/tasks/ssh.yml

@@ -0,0 +1,28 @@
+---
+
+- name: ensure sshd is enabled
+  ansible.builtin.systemd:
+    name: sshd
+    enabled: true
+  tags: all,ssh
+
+- name: deploy sshd_config
+  ansible.builtin.template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: 0644
+    validate: "sshd -T -f %s"
+  notify: restart ssh
+  tags: all,ssh
+
+- name: deploy rsyslog conf
+  ansible.builtin.template:
+    src: auth.conf.j2
+    dest: /etc/rsyslog.d/auth.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart rsyslog
+  tags: all,ssh

ansible/roles/bastion/tasks/users.yml

@@ -0,0 +1,53 @@
+---
+
+- name: installing sudo
+  ansible.builtin.apt:
+    name: sudo
+    update_cache: true
+    state: present
+  tags: all,users
+
+- name: adding targetpw directive for sudo
+  ansible.builtin.lineinfile:
+    path: /etc/sudoers
+    line: "{{ item }}"
+    state: present
+  with_items:
+    - "Defaults        targetpw"
+    - "Defaults        insults"
+  tags: all,users
+
+- name: creating admin users
+  ansible.builtin.user:
+    name: "{{ item.username }}"
+    shell: /bin/bash
+    groups: sudo
+  with_items: "{{ admin_users }}"
+  tags: all,users
+
+- name: creating dev users
+  ansible.builtin.user:
+    name: "{{ item.username }}"
+    shell: /bin/bash
+    groups: sudo
+  with_items: "{{ dev_users }}"
+  tags: all,users
+
+- name: adding authorized_keys for regular users
+  ansible.builtin.authorized_key:
+    user: "{{ item.username }}"
+    key: "{{ item.public_key }}"
+    state: "{{ item.state | default('present') }}"
+  with_items:
+    - "{{ admin_users }}"
+    - "{{ dev_users }}"
+  tags: all,users
+
+- name: adding authorized_keys for root users
+  ansible.builtin.authorized_key:
+    user: "root"
+    key: "{{ item.public_key }}"
+    key_options: 'from="{{ private_networks }}"'
+    state: "{{ item.state }}"
+  with_items: "{{ admin_users }}"
+  tags: all,users,rootonly

ansible/roles/bastion/templates/auth.conf.j2

@@ -0,0 +1,2 @@
+#{{ ansible_managed }}
+auth,authpriv.* @{{ log_server }}

ansible/roles/bastion/templates/nftables.conf.j2

@@ -0,0 +1,32 @@
+#{{ ansible_managed }}
+
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+        chain input {
+                type filter hook input priority 0; policy drop;
+                iifname lo accept;
+
+                tcp dport 22 accept;
+                icmp type echo-request accept;
+                # established/related connections
+                ct state established,related accept
+        }
+        chain forward {
+                type filter hook forward priority 0; policy drop;
+        }
+        chain output {
+                type filter hook output priority 0; policy drop;
+
+                iifname lo accept;
+                tcp dport 22 accept;
+                tcp dport {80, 443, 9200} accept;
+                tcp dport {53, 123} accept;
+                udp dport {53, 123, 1514} accept;
+                icmp type echo-request accept;
+                # established/related connections
+                ct state established,related accept;
+        }
+}

ansible/roles/bastion/templates/sshd.conf.j2

@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+
+[DEFAULT]
+ignoreip = {{ fail2ban_ignore_ips }}
+findtime = 3600
+bantime = 86400
+maxretry = 3
+banaction = nftables-multiport
+banaction_allports = nftables-allports
+
+[sshd]
+enabled = true

ansible/roles/bastion/templates/sshd_config.j2

@@ -0,0 +1,95 @@
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#LoginGraceTime 2m
+PermitRootLogin without-password
+#StrictModes yes
+#MaxAuthTries 3
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+ClientAliveInterval 300
+ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+{% for item in admin_users -%}
+Match User {{ item.username }}
+{% endfor %}
+{% for item in dev_users -%}
+Match User {{ item.username }}
+{% endfor %}