Adding geoip module and instituting a deny variable for vhosts to consume #45

DarkFeather wants to merge 10 commits from geoip into main
29 changed files with 248 additions and 70 deletions


@@ -43,6 +43,8 @@ all:
ciphersuite: "!NULL:!SSLv2:!SSLv3:!TLSv1:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
Aether_nodes:
- DedSec.msn0.aninix.net
operational_countries:
- 'US'
children:
managed:
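Review bot: The new `operational_countries` key carries no explanation of what consumes it or what happens to everything else, and an inventory reader has no way to know it gates whole vhosts. A comment above it such as `# ISO 3166-1 alpha-2 codes rendered into nginx conf/geoip.conf; clients outside these countries and outside the LAN receive a 503 from any vhost that checks $deny` would make the blast radius of editing this list obvious. Keeping the codes quoted, as `'US'` is, is the right call since some codes (e.g. `NO`) would otherwise be read as booleans.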


@@ -30,6 +30,7 @@ if [ $? -ne 1 ]; then
fi
IFS="
"
for i in `ansible-vault decrypt --output - ${ANSIBLE_VAULT_FILE} | sed 's/\s\?-\?\s\?[A-Za-z0-9_]\+://' | grep -vE '\||password|^\s\?$|#|https://' | sed "s/^ \+['\"]\?//" | sed "s/[\"']\s\?//" | sort | uniq`; do
grep -rlF "${i}" .
if [ $? -ne 1 ]; then
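Review bot: In the `grep -vE` filter on the `for` line, `^\s\?$` is written with BRE-style `\?`, but under `-E` the `\?` is a literal question mark, so blank decrypted lines are not excluded as the pattern intends; `^\s*$` (or `^\s?$`) would match them. If any line reaches the loop empty after the trailing `sed` substitutions, `grep -rlF "${i}" .` matches every file and the `$? -ne 1` test fires, which is a false positive rather than a miss, but still wrong. I cannot tell from the rendered hunk which line the commit adds, so this may be pre-existing; the `for` loop and the `if` at the end of the hunk continue outside it.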


@@ -57,9 +57,9 @@
<p>
<ul style="text-align: left;">
<li><b>Cost:</b> Free</li>
<li><b>Lessons:</b>Tuesdays 7-8:30 p.m.</li>
<li><b>Sparring:</b>Tuesdays 6-7 p.m.</li>
<li><b>Shaolin Workouts:</b> Saturday mornings at 8 a.m. </li>
<li><b>Open-mat:</b> Tuesdays 6-7 p.m.</li>
<li><b>Lessons:</b> Tuesdays 7-8:30 p.m.</li>
<li><b>Shaolin Workouts:</b> Saturday mornings at 9 a.m. </li>
<li><b>Location:</b> <a href="https://g.page/aninix-martial-arts?share">225 Blaser Drive, Belleville, WI</a></li>
<li><b>What to bring:</b> Exercise clothes and water</li>
<li id='contact-insert'>

roles/GeoIP/README.md Normal file

@@ -0,0 +1,30 @@
Geolocation by IP is a methodology
# Etymology
GeoIP is a shortening of geolocation by IP.
# Relevant Files and Software
This content is derived & packed by Arch, pulling regularly from [MaxMind](https://maxmind.com).
# Available Clients
The Python `geoip2` library can be used with snippets like below:
```
#!/usr/bin/env python3
import geoip2.database
import sys
with geoip2.database.Reader('/etc/nginx/conf/maxmind-geoip2.mmdb') as reader:
response = reader.country(sys.argv[1])
print(response.country.iso_code)
```
We also install the `geoiplookup` client from the GeoIP client.
# Equivalents or Competition
Whois and other tools can also provide corroboration or alternate responses for these queries.


@@ -0,0 +1,22 @@
---
- name: Install components
become: yes
package:
name: "{{ item }}"
state: present
loop:
- geoip
- geoip-database
- geoip-database-extra
- libmaxminddb
# This is a hack while geoip-database only provides the legacy version.
- name: Ensure GeoIP2 database is present
become: yes
file:
path: /usr/share/GeoIP/GeoIP2.mmdb
owner: root
group: root
mode: 0755
state: file
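Review bot: `mode: 0755` on the GeoIP2 database sets the execute bit on a data file that nginx only reads; `mode: "0644"` is sufficient, and quoting it avoids the YAML octal/decimal ambiguity that `0755` invites. The `file: state: file` task only asserts the database already exists and fails otherwise; nothing in this role fetches or generates `/usr/share/GeoIP/GeoIP2.mmdb`, so the comment above the task should say where the operator is expected to obtain it, e.g. `# state: file does not create the database; it must be provisioned by the geoip-database package or placed here manually`. The README in this PR points at `/etc/nginx/conf/maxmind-geoip2.mmdb`, which does not match this path. `become: yes` should be `become: true` to match yamllint's truthy rule.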


@@ -1,12 +0,0 @@
[Unit]
Description=Certbot
[Service]
ExecStart=certbot renew -w /var/lib/letsencrypt/ --preferred-chain "ISRG Root X1"
ExecStartPost=-/usr/bin/systemctl reload nginx
ExecStartPost=-/usr/bin/systemctl reload inspircd
KillMode=process
Type=oneshot
RemainAfterExit=no
User=root
Group=root


@@ -7,26 +7,51 @@
- certbot
- openssl
- name: LetsEncrypt directory
- name: LetsEncrypt directories
become: yes
file:
path: /etc/letsencrypt
path: "{{ item }}"
owner: root
group: ssl
mode: 0750
loop:
- /etc/letsencrypt
- /etc/certbot
- name: Services
- name: Service timer
become: yes
register: services
copy:
src: "{{ item }}"
dest: /usr/lib/systemd/system
src: "certbot.timer"
dest: /usr/lib/systemd/system/certbot.timer
owner: root
group: root
mode: 0644
loop:
- "certbot.service"
- "certbot.timer"
# per https://www.cloudns.net/wiki/article/448/
- name: ClouDNS configuration
become: yes
template:
src: "certbot.conf.j2"
dest: /etc/certbot/certbot.conf
owner: root
group: root
mode: 0600
- name: Create virtual environment and install package
become: yes
command:
cmd: "python3 -m venv /etc/certbot/venv && /etc/certbot/venv/bin/pip3 install certbot-dns-cloudns"
creates: /etc/certbot/venv
- name: Service
become: yes
template:
src: "certbot.service.j2"
dest: /usr/lib/systemd/system/certbot.service
owner: root
group: root
mode: 0600
- name: Enable timer
when: services.changed
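Review bot: The "Create virtual environment and install package" task uses `command:` with `&&` in `cmd`, but `command` does not invoke a shell, so `&&`, the pip path and `install certbot-dns-cloudns` are passed to `python3 -m venv` as extra positional arguments and the plugin is never installed; with `creates: /etc/certbot/venv` the task is then skipped forever. The unit template in this PR then runs `certbot renew --authenticator dns-cloudns` from a venv without the plugin, which will fail at renewal time rather than at deploy time. Using the `pip` module with `virtualenv` and `virtualenv_command` does both steps idempotently. Separately, `register: services` now sits only on the timer task, so `when: services.changed` on "Enable timer" no longer reacts to changes in `certbot.service` (the "Enable timer" task continues outside the hunk).
```yaml
- name: Create virtual environment and install package
  become: yes
  pip:
    name: certbot-dns-cloudns
    virtualenv: /etc/certbot/venv
    virtualenv_command: "python3 -m venv"
# … unchanged: Service template task (src/dest/owner/group/mode) …
  register: service_unit
- name: Enable timer
  when: services.changed or service_unit.changed
```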


@@ -0,0 +1,2 @@
dns_cloudns_auth_id={{ secrets.certbot.authid }}
dns_cloudns_auth_password={{ secrets.certbot.passphrase }}


@@ -0,0 +1,12 @@
[Unit]
Description=Certbot
[Service]
ExecStart=/bin/bash -c "source /etc/certbot/venv/bin/activate; certbot renew --authenticator dns-cloudns --dns-cloudns-credentials /etc/certbot/certbot.conf --dns-cloudns-nameserver {{ secrets.certbot.nameserver }}"
ExecStartPost=-/usr/bin/systemctl reload nginx
ExecStartPost=-/usr/bin/systemctl reload inspircd
KillMode=process
Type=oneshot
RemainAfterExit=no
User=root
Group=root
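Review bot: `ExecStart=/bin/bash -c "source …/activate; certbot renew …"` is unnecessary indirection: the venv's interpreter is selected simply by invoking the venv binary, so `ExecStart=/etc/certbot/venv/bin/certbot renew --authenticator dns-cloudns --dns-cloudns-credentials /etc/certbot/certbot.conf --dns-cloudns-nameserver {{ secrets.certbot.nameserver }}` drops the shell and the quoting layer. That also matters because `{{ secrets.certbot.nameserver }}` is interpolated inside a double-quoted bash string; a value containing spaces or quotes would silently change the command. The unit that this replaces passed `--preferred-chain "ISRG Root X1"` and `-w /var/lib/letsencrypt/`; if dropping them is deliberate, a one-line comment in the template saying so would save the next reader a diff archaeology trip.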


@@ -0,0 +1,8 @@
check program domain-tlsa with path "/etc/monit.d/scripts/check-domain aninix.net tlsa aninix.net-0002"
if status != 0 for 5 times within 5 cycles then exec "/etc/monit.d/scripts/critical TLSA records do not match -- regenerate and update"
check program domain-sshfp with path "/etc/monit.d/scripts/check-domain aninix.net sshfp"
if status != 0 for 5 times within 5 cycles then exec "/etc/monit.d/scripts/critical SSHFP records do not match -- regenerate and update"
check program domain-caa with path "/etc/monit.d/scripts/check-domain aninix.net caa"
if status != 0 for 5 times within 5 cycles then exec "/etc/monit.d/scripts/critical CAA record does not match -- regenerate and update"


@@ -3,3 +3,4 @@ include "/etc/monit.d/checks/watcher-of-watchers"
include "/etc/monit.d/checks/warrant-canary"
include "/etc/monit.d/checks/grimoire"
include "/etc/monit.d/checks/automated_response"
include "/etc/monit.d/checks/domain"


@@ -0,0 +1,32 @@
#!/bin/bash
source /opt/aninix/Uniglot/Bash/dns.bash
domain="$1"
function checkTLSA() {
### Usage: $0 "${domain}" tlsa _443._tcp
identity="$1"
git diff --no-index <(GenerateTLSA "${identity}" | sed 's/\s\+//g' | tr '[[:upper:]]' '[[:lower:]]' | sort) <(dig _443._tcp."${domain}" TLSA +short | sed 's/\s\+//g' | tr '[[:upper:]]' '[[:lower:]]' | sort)
}
function checkSSHFP() {
git diff --no-index <(GenerateSSHFP | sed 's/\s\+//g' | tr '[[:upper:]]' '[[:lower:]]' | sort) <(dig "${domain}" SSHFP +short | sed 's/\s\+//g' | tr '[[:upper:]]' '[[:lower:]]' | sort)
}
function checkCAA() {
### Usage: $0 "${domain}" caa
caa="$(dig "${domain}" CAA +short)"
if [ "$caa" != '128 issue "letsencrypt.org"' ]; then
exit 1
else
exit 0
fi
}
case "$2" in
"tlsa") checkTLSA "$3" ;;
"sshfp") checkSSHFP ;;
"caa") checkCAA ;;
esac
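Review bot: The `case "$2"` at the end of the script has no default branch, so a typo in the monit check (`tlsa`/`sshfp`/`caa`) or a missing second argument falls through `esac` and exits 0, which monit reports as healthy. Add `*) echo "Usage: $0 domain tlsa|sshfp|caa [identity]" >&2; exit 2 ;;` so an unknown mode fails loudly. `checkCAA` compares against exactly one record string; if the zone ever carries a second CAA record (an `iodef` entry, say) the check would alert permanently, which is worth a comment on that line. The functions use `exit` rather than `return`, which is fine here only because each is the last thing the script does.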


@@ -3,7 +3,7 @@
- name: Generate monitoring from inventory
delegate_to: localhost
run_once: true
command: "python3 ../bin/generate-monitoring.py {{ inventory_file }}"
command: "../bin/generate-monitoring.py {{ inventory_file }}"
- name: Sharingan-Eval service copy
become: yes
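Review bot: The new `command: "../bin/generate-monitoring.py {{ inventory_file }}"` resolves `../bin` against the controller's working directory, so the task only works when the playbook is run from a particular location; `"{{ playbook_dir }}/../bin/generate-monitoring.py {{ inventory_file }}"` pins it to the repository layout. Dropping the explicit `python3` also makes the task depend on the script's execute bit and shebang surviving the checkout, which is presumably true in git but worth a `changed_when`/`failed_when` or at least a comment.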


@@ -1,5 +1,6 @@
server {
listen 443 ssl http2;
listen 443 ssl;
http2 on;
server_name default_server;
include conf/sec.conf;
@@ -7,6 +8,9 @@ server {
include conf/letsencrypt.conf;
# GeoIP block
if ($deny) { return 503; }
location / {
rewrite ^/martialarts(\/)*(\/index.html)*$ /assets/martialarts/index.html;
@@ -65,7 +69,8 @@ server {
}
server {
listen 443 ssl http2;
listen 443 ssl;
http2 on;
server_name foundation.aninix.net;
include conf/sec.conf;
include conf/letsencrypt.conf;
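Review bot: The `# GeoIP block` comment above `if ($deny) { return 503; }` does not say where `$deny` comes from or what it means, and the same two lines are repeated in the cyberbrain, irc, maat, password, sharingan, tt-rss, superintendent, travelpaws and yggdrasil vhosts in this PR. A comment such as `# $deny is set in conf/geoip.conf (included from nginx.conf): 1 when the client is neither on the LAN nor in an operational country` at each site, or once in geoip.conf with a shorter pointer here, would make the policy discoverable. The sharingan vhost writes the same check across three lines while every other file uses the one-line form; pick one shape for all of them.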


@@ -1,12 +0,0 @@
server {
listen 443 ssl http2;
server_name adhan.aninix.net;
include conf/sec.conf;
include conf/default.csp.conf;
location /
{
root /srv/adhan/;
}
}


@@ -2,6 +2,9 @@ server {
listen 443 ssl;
server_name cyberbrain.aninix.net;
# GeoIP block
if ($deny) { return 503; }
location ^~ /admin {
deny all;
}


@@ -1,18 +0,0 @@
server {
#listen 443 ssl http2;
listen 444 ssl http2;
server_name sharingan.aninix.net;
include conf/sec.conf;
# include conf/default.csp.conf;
location /
{
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Graylog-Server-URL https://$server_name/;
proxy_pass http://10.0.1.5:9000;
}
}


@@ -1,11 +1,15 @@
server {
listen 443 ssl http2;
listen 443 ssl;
http2 on;
server_name irc.aninix.net;
include conf/sec.conf;
include conf/default.csp.conf;
include conf/letsencrypt.conf;
# GeoIP block
if ($deny) { return 503; }
location /
{
root /usr/share/kiwiirc;


@@ -4,6 +4,9 @@ server {
# include conf/local.conf;
# GeoIP block
if ($deny) { return 503; }
root /usr/share/webapps/;
client_max_body_size 5m;


@@ -1,11 +1,15 @@
server {
listen 443 ssl http2;
listen 443 ssl;
http2 on;
server_name maat.aninix.net;
include conf/sec.conf;
include conf/default.csp.conf;
include conf/letsencrypt.conf;
# GeoIP block
if ($deny) { return 503; }
location /
{
proxy_set_header Host $http_host;


@@ -1,11 +1,15 @@
server {
listen 443 ssl http2;
listen 443 ssl;
http2 on;
server_name password.aninix.net;
include conf/sec.conf;
include conf/default.csp.conf;
include conf/letsencrypt.conf;
# GeoIP block
if ($deny) { return 503; }
location / {
root /usr/share/webapps/self-service-password/htdocs/;


@@ -1,6 +1,7 @@
server {
listen 443 ssl http2;
listen 443 ssl;
http2 on;
server_name sharingan.aninix.net;
include conf/sec.conf;
@@ -8,6 +9,10 @@ server {
include conf/local.conf;
include conf/letsencrypt.conf;
# GeoIP block
if ($deny) {
return 503;
}
location /
{


@@ -8,6 +8,9 @@ server {
include conf.d/fastcgi.config;
# GeoIP block
if ($deny) { return 503; }
root /usr/share/webapps/tt-rss/;
index index.php;


@@ -4,7 +4,7 @@ map $http_upgrade $connection_upgrade {
}
server {
#listen 443 ssl http2;
listen 443 ssl;
server_name superintendent.aninix.net;
@@ -13,6 +13,10 @@ server {
# include conf/local.conf;
include conf/letsencrypt.conf;
# GeoIP block
if ($deny) { return 503; }
# Handle the location
location /
{
proxy_set_header Host $http_host;
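Review bot: This vhost changes to `listen 443 ssl;` without the `http2 on;` that every other converted vhost in the PR adds, so it silently loses HTTP/2 while the rest keep it. If that is intentional (the `map $http_upgrade $connection_upgrade` above suggests WebSocket proxying), a comment like `# http2 deliberately off: this vhost proxies WebSocket upgrades` would stop the next person from "fixing" it; otherwise add `http2 on;` for consistency. The commented-out `#listen 443 ssl http2;` above it is now dead configuration and can go.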


@@ -6,6 +6,9 @@ server {
include conf/letsencrypt.conf;
include conf.d/fastcgi.config;
# GeoIP block
if ($deny) { return 503; }
root /opt/travelpawscvt;
client_max_body_size 5m;


@@ -1,12 +1,15 @@
server {
#listen 443 ssl http2;
listen 443 ssl http2;
listen 443 ssl;
http2 on;
server_name yggdrasil.aninix.net;
include conf/sec.conf;
include conf/letsencrypt.conf;
# include conf/default.csp.conf;
# GeoIP block
if ($deny) { return 503; }
location /
{
proxy_set_header Host $http_host;


@@ -7,6 +7,7 @@ error_log logs/error.log notice;
error_log logs/error.log info;
load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
events {
worker_connections 1024;
@@ -24,6 +25,8 @@ http {
keepalive_timeout 65;
gzip on;
include conf/geoip.conf;
# Redirect all HTTP to HTTPS
server {
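Review bot: `include conf/geoip.conf;` is the one place the geolocation policy enters the http block, and it deserves a comment naming what it defines, e.g. `# defines $lan, $allowed_country and $deny (rendered from conf/geoip.conf.j2); vhosts opt in with "if ($deny) { return 503; }"`. The HTTP-to-HTTPS redirect `server` that follows does not check `$deny`, which is presumably fine since it only redirects, but a one-line note saying so would confirm it was considered. The `load_module` line is unconditional, so nginx will refuse to start if `nginx-mod-geoip2` is absent; the new `nginx -t` task in this PR catches that before the restart.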


@@ -9,6 +9,7 @@
- nginx
- libmodsecurity
- nginx-mod-modsecurity
- nginx-mod-geoip2
- php
- php-fpm
@@ -43,14 +44,11 @@
- name: Copy conf.d
become: yes
copy:
become_user: http
ansible.posix.synchronize:
src: "conf.d/{{ inventory_hostname }}/"
dest: /etc/nginx/conf.d/
owner: http
group: http
mode: 0660
directory_mode: 0770
follow: true
delete: true
register: confd
- name: Copy conf
@@ -103,6 +101,16 @@
mode: 0660
register: secconf
- name: Populate GeoIP config
become: yes
template:
src: conf/geoip.conf.j2
dest: /etc/nginx/conf/geoip.conf
owner: http
group: http
mode: 0660
register: geoipconf
- name: Clone OWASP-CRS
ignore_errors: true
become: yes
@@ -146,9 +154,14 @@
#validate: nginx -t -p /etc/nginx -c %s # Commented due to base pathing issues
register: baseconf
- name: Safety test on nginx
become: yes
command: 'nginx -t'
ignore_errors: false
- name: Ensure service is started
become: yes
when: conf.changed or confd.changed or secconf.changed or baseconf.changed or modsecconf.changed
when: conf.changed or confd.changed or geoipconf.changed or secconf.changed or baseconf.changed or modsecconf.changed
service:
name: "{{ item }}"
enabled: yes
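Review bot: Swapping `copy` for `ansible.posix.synchronize` in "Copy conf.d" removes the explicit `owner`/`group`/`mode` enforcement; rsync's archive behaviour preserves the permissions the files have in the checkout, which for a git working tree is normally 0644, so configs that used to land as 0660 may become world-readable on the target (hedged, since the rendered hunk does not show which of those lines are old and which are new). Adding `rsync_opts: ["--chmod=D0770,F0660"]` to the synchronize task restores the previous modes. The "Safety test on nginx" task should carry `changed_when: false` so `nginx -t` does not report a change on every run, and `ignore_errors: false` is the default and can be dropped; the commented-out `validate: nginx -t -p /etc/nginx -c %s` above it hints the bare `nginx -t` may need `-p /etc/nginx` as well. The remaining unquoted `mode: 0660` values would be safer as `"0660"`.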


@@ -0,0 +1,28 @@
# Load database and set variables from the database.
geoip2 /usr/share/GeoIP/GeoIP2.mmdb {
auto_reload 60m;
$geoip2_metadata_country_build metadata build_epoch;
$geoip2_data_country_code country iso_code;
$geoip2_data_country_name country names en;
}
fastcgi_param COUNTRY_CODE $geoip2_data_country_code;
fastcgi_param COUNTRY_NAME $geoip2_data_country_name;
# Allow LAN and operational countries.
geo $lan {
default 0;
{{ main_subnet }}/{{ netmask }} 1;
}
map $geoip2_data_country_code $allowed_country {
default 0;
{% for country in operational_countries %}
{{ country }} 1;
{% endfor %}
}
# Define the deny variable such that LAN & country requests are allowed.
# Thanks to https://stackoverflow.com/a/64071860 for the example
map $lan$allowed_country $deny {
default 0;
00 1;
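Review bot: The `map $geoip2_data_country_code $allowed_country` falls to `default 0` when the lookup returns an empty code, so addresses absent from the database (private, loopback, newly allocated ranges) are denied unless they match `$lan`; that is the safe direction but it is not stated, so add `# Unknown or unmapped addresses get an empty code and are denied unless on the LAN (fail closed).` above the map. `geo $lan` expects `address/prefix-length`; if `netmask` in the inventory is a dotted mask rather than a prefix length the rendered `{{ main_subnet }}/{{ netmask }}` line will not parse, which is worth confirming against the inventory (not visible here). The database path `/usr/share/GeoIP/GeoIP2.mmdb` disagrees with the `/etc/nginx/conf/maxmind-geoip2.mmdb` cited in the new README; one of them should change.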
}