Initial commit

add plenty of stuff

README.md

@@ -0,0 +1,14 @@
+# Base ansible role
+
+This installs a bunch of packages that I will probably need quite soon,
+and configures some services such as:
+
+* Fail2ban
+* cronie
+* paccache cron
+* sslh (with a default config that is only sent if there is none already available)
+* nftables (with a default config that is only sent if there is none already available)
+* uptimed
+* vnstat
+
+It also installs yay.

files/local.conf

@@ -0,0 +1,2 @@
+[sshd]
+enabled = true

files/nftables.conf

@@ -0,0 +1,48 @@
+#!/usr/bin/nft -f
+# ipv4/ipv6 Simple & Safe Firewall
+# you can find examples in /usr/share/nftables/
+
+table inet filter {
+  chain input {
+    type filter hook input priority 0;
+
+    # allow established/related connections
+    ct state {established, related} accept
+
+    # early drop of invalid connections
+    ct state invalid drop
+
+    # allow from loopback
+    iifname lo accept
+
+    # allow icmp
+    ip protocol icmp accept
+    meta l4proto ipv6-icmp accept
+
+    # Accept from VPN
+    iifname overlay accept;
+
+    # allow ssh
+    tcp dport {ssh, http, https, tinc} accept
+    udp dport {tinc} accept
+
+    tcp dport 53 accept
+    udp dport 53 accept
+
+    udp dport 60000-61000 accept
+
+    # everything else
+    reject with icmpx type port-unreachable
+    drop;
+  }
+  chain forward {
+    type filter hook forward priority 0;
+    drop
+  }
+  chain output {
+    type filter hook output priority 0;
+  }
+
+}
+
+# vim:set ts=2 sw=2 et:

files/sslh.cfg

@@ -0,0 +1,31 @@
+# Default Arch configuration
+# You can find more examples in /usr/share/doc/sslh
+
+verbose: false;
+foreground: true;
+inetd: false;
+numeric: false;
+transparent: false;
+timeout: 2;
+user: "sslh";
+#pidfile: "/run/sslh.pid";
+
+
+listen:
+(
+    { host: "::0"; port: "443"; },
+    { host: "0.0.0.0"; port: "443"; },
+);
+
+protocols:
+(
+     { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; probe: "builtin"; },
+     #{ name: "openvpn"; host: "localhost"; port: "1194"; probe: "builtin"; },
+     { name: "xmpp"; host: "localhost"; port: "5222"; probe: "builtin"; },
+     #{ name: "http"; host: "localhost"; port: "80"; probe: "builtin"; },
+     { name: "tls"; host: "localhost"; port: "8443"; probe: "builtin"; },
+     { name: "tinc"; host: "localhost"; port: "655"; probe: "builtin"; },
+     { name: "anyprot"; host: "localhost"; port: "8443"; probe: "builtin"; }
+);
+
+# vim:set ts=4 sw=4 et:

tasks/main.yml

@@ -0,0 +1,106 @@
+---
+
+- name: Install packages
+  community.general.pacman:
+    state: present
+    name:
+    - base-devel
+    - borg
+    - cronie
+    - dfc
+    - fail2ban
+    - firejail
+    - git
+    - htop
+    - iftop
+    - inetutils
+    - iotop
+    - mlocate
+    - mosh
+    - neovim
+    - nethogs
+    - nftables
+    - nginx
+    - nmap
+    - nsd
+    - pacman-contrib
+    - prometheus-node-exporter
+    - sslh
+    - strace
+    - sudo
+    - tinc
+    - tmux
+    - tree
+    - uptimed
+    - vim
+    - vnstat
+    - wget
+    - zsh
+
+- name: install fail2ban conf
+  copy:
+    dest: /etc/fail2ban/jail.d/local.conf
+    src: local.conf
+
+- name: Enable fail2ban
+  systemd:
+    enabled: true
+    state: started
+    name: fail2ban
+
+- name: Enable cronie
+  systemd:
+    enabled: true
+    state: started
+    name: cronie
+
+- name: Enable vnstat
+  systemd:
+    enabled: true
+    state: started
+    name: vnstat
+
+- name: Enable uptimed
+  systemd:
+    state: started
+    enabled: true
+    name: uptimed
+
+- name: Install default nftables conf
+  copy:
+    dest: /etc/nftables.conf
+    src: nftables.conf
+    force: no
+
+- name: Enable nftables
+  systemd:
+    state: started
+    enabled: true
+    name: nftables
+
+- name: Add paccache cron
+  cron:
+    name: paccache
+    job: paccache -rk2
+    hour: "1"
+    minute: "30"
+
+- name: Add pkg user
+  user:
+    name: pkg
+    group: users
+    create_home: yes
+
+- name: Install sslh config
+  copy:
+    dest: /etc/sslh.cfg
+    src: sslh.cfg
+    force: no
+
+- name: Enable sslh
+  systemd:
+    enabled: true
+    state: started
+    name: sslh-select
+
+- include: yay.yml

tasks/yay.yml

@@ -0,0 +1,32 @@
+# Yay building & install task
+---
+
+- name: Clone yay pkg
+  become: yes
+  become_user: pkg
+  git:
+    repo: https://aur.archlinux.org/yay.git
+    dest: /home/pkg/yay
+    clone: yes
+    update: yes
+
+- name: Build yay
+  become: yes
+  become_user: pkg
+  command:
+    chdir: /home/pkg/yay
+    cmd: makepkg -f
+    creates: "*.pkg.*"
+
+- name: Find pkg
+  find:
+    paths: /home/pkg/yay
+    file_type: file
+    patterns: '*.pkg*'
+  register: yay_pkgs
+
+- name: Install yay
+  community.general.pacman:
+    name: "{{ yay_pkgs.files[0].path }}"
+    state: present
+