From f89bc503c92058283b04cadfec40ffc326c85e07 Mon Sep 17 00:00:00 2001
From: =
Date: Mon, 27 Mar 2023 12:49:51 +0200
Subject: [PATCH 01/11] added promethus exporter for fail2ban
---
 fail2ban/init.sls | 1 +
 fail2ban/prometheus.sls | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 fail2ban/prometheus.sls
diff --git a/fail2ban/init.sls b/fail2ban/init.sls
index 1385ded..0c1be13 100644
--- a/fail2ban/init.sls
+++ b/fail2ban/init.sls
@@ -1,3 +1,4 @@
 include:
 - fail2ban.install
 - fail2ban.jails
+ - fail2ban.prometheus
diff --git a/fail2ban/prometheus.sls b/fail2ban/prometheus.sls
new file mode 100644
index 0000000..a7aae9a
--- /dev/null
+++ b/fail2ban/prometheus.sls
@@ -0,0 +1,35 @@
+Define firewalld service for fail2ban exporter:
+ firewalld.service:
+ - name: fail2ban_exporter
+ - ports:
+ - 9191/tcp
+
+Addinge fail2ban exporter fw service:
+ firewalld.present:
+ - name: public
+ - services:
+ - fail2ban_exporter
+
+create fail2ban-exporter container:
+ cmd.run:
+ - name: podman container create --name fail2ban-exporter -v /var/run/fail2ban:/var/run/fail2ban:ro -p 9191:9191 registry.gitlab.com/hectorjsmith/fail2ban-prometheus-exporter:latest
+ - unless: podman container exists fail2ban-exporter
+
+create fail2ban-exporter container unit file:
+ cmd.run:
+ - name: podman generate systemd --name fail2ban-exporter > /etc/systemd/system/fail2ban-exporter.service
+ - onchanges:
+ - cmd: create fail2ban-exporter container
+
+run daemon reload for fail2ban-exporter container unit file:
+ cmd.run:
+ - name: systemctl daemon-reload
+ - onchanges:
+ - cmd: create fail2ban-exporter container unit file
+
+start fail2ban-exporter container:
+ service.running:
+ - name: fail2ban-exporter
+ - enable: true
+ - watch:
+ - cmd: create fail2ban-exporter container unit file
--
2.45.2
From 8639806c33b36c6fa32545a9eb39f29b6ae29fa4 Mon Sep 17 00:00:00 2001
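Review bot: The exporter is published on every host interface (`-p 9191:9191`) and the same port is then opened in the `public` firewalld zone, so the fail2ban metrics endpoint, for which no authentication is configured in this state, becomes reachable from wherever that zone faces; if Prometheus scrapes it from one network only, bind to that address, e.g. `-p <scrape-interface-ip>:9191:9191`, or put the service in a more restricted zone. The image is pulled as `registry.gitlab.com/hectorjsmith/fail2ban-prometheus-exporter:latest`, so what gets deployed depends on whatever the tag points to at create time; a version tag or digest keeps it reproducible. Note also that `unless: podman container exists fail2ban-exporter` means later edits to the `podman container create` line are never applied on hosts where the container already exists. The state id `Addinge fail2ban exporter fw service` has a typo, and other states may come to reference it by name.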
From: =
Date: Mon, 27 Mar 2023 16:05:34 +0200
Subject: [PATCH 02/11] added nextcloud to fail2ban
---
 fail2ban/files/filter.d/nextcloud.local | 6 ++++++
 fail2ban/jails.sls | 21 +++++++++++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 fail2ban/files/filter.d/nextcloud.local
diff --git a/fail2ban/files/filter.d/nextcloud.local b/fail2ban/files/filter.d/nextcloud.local
new file mode 100644
index 0000000..f1ac53c
--- /dev/null
+++ b/fail2ban/files/filter.d/nextcloud.local
@@ -0,0 +1,6 @@
+[Definition]
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed:
+ ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error.
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
+
diff --git a/fail2ban/jails.sls b/fail2ban/jails.sls
index be42d07..00841db 100644
--- a/fail2ban/jails.sls
+++ b/fail2ban/jails.sls
@@ -1,3 +1,4 @@
+# SSH
 configure sshd jail:
 file.managed:
 - name: /etc/fail2ban/jail.d/sshd.local
@@ -8,10 +9,30 @@ configure sshd jail:
 - onlyif:
 - pkg.is_installed: openssh
+# Nextcloud
+configure nextcloud jail:
+ file.managed:
+ - name: /etc/fail2ban/jail.d/nextcloud.local
+ - source: salt://fail2ban/files/jail.d/nextcloud.local
+ - user: root
+ - group: root
+ - mode: "0644"
+ - onlyif: runuser -l {{ salt['pillar.get']('podman:user', 'root') }} -c 'podman container exists gitea'
+configure nextcloud filter:
+ file.managed:
+ - name: /etc/fail2ban/filter.d/nextcloud.local
+ - source: salt://fail2ban/files/filter.d/nextcloud.local
+ - user: root
+ - group: root
+ - mode: "0644"
+ - onlyif: runuser -l {{ salt['pillar.get']('podman:user', 'root') }} -c 'podman container exists gitea'
+######
 realod fail2ban config:
 cmd.run:
 - name: fail2ban-client reload
 - onchanges:
 - file: configure sshd jail
+ - file: configure nextcloud jail
+ - file: configure nextcloud filter
--
2.45.2
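Review bot: Both `failregex` alternatives read `"remoteAddr":""` with nothing between the quotes; if that is the committed content rather than a `<HOST>` tag lost in rendering (the `e.g. ,` in patch 03's jail.local hunk shows angle-bracket tags being stripped on this page), fail2ban will refuse a failregex with no host tag and the nextcloud jail will never ban anything. The expected form on both lines is `"remoteAddr":"<HOST>"`. Either way, a one-line comment above `failregex` stating which nextcloud.log format (JSON, `remoteAddr` field) the pattern was written against would let the next person re-validate it with `fail2ban-regex` when Nextcloud changes its log format.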
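Review bot: Both new `onlyif` conditions test `podman container exists gitea`, so the nextcloud jail and filter are installed only on hosts that run a gitea container and skipped on a host that runs only nextcloud; the check should be `podman container exists nextcloud`. `configure nextcloud jail` also pulls `salt://fail2ban/files/jail.d/nextcloud.local`, which this commit does not add (it only appears in patch 03), so a highstate between the two commits fails on that state. The two identical `runuser -l {{ salt['pillar.get']('podman:user', 'root') }} -c '...'` lines could be a single Jinja variable at the top of the file so the container name is spelled once.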
From e5be7ccdeeb63e54b19995538d8008506443d558 Mon Sep 17 00:00:00 2001
From: =
Date: Mon, 27 Mar 2023 17:24:56 +0200
Subject: [PATCH 03/11] added fail2ban jail for nextcloud
---
 fail2ban/files/jail.d/nextcloud.local | 10 ++++++++++
 fail2ban/files/jail.local | 2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 fail2ban/files/jail.d/nextcloud.local
diff --git a/fail2ban/files/jail.d/nextcloud.local b/fail2ban/files/jail.d/nextcloud.local
new file mode 100644
index 0000000..d75d693
--- /dev/null
+++ b/fail2ban/files/jail.d/nextcloud.local
@@ -0,0 +1,10 @@
+[nextcloud]
+backend = auto
+enabled = true
+port = 80,443
+protocol = tcp
+filter = nextcloud
+maxretry = 3
+bantime = 1w
+findtime = 1d
+logpath = /srv/podman/containers/storage/volumes/nextcloud-data/_data/data/nextcloud.log
diff --git a/fail2ban/files/jail.local b/fail2ban/files/jail.local
index 6bbdc66..b361868 100644
--- a/fail2ban/files/jail.local
+++ b/fail2ban/files/jail.local
@@ -89,7 +89,7 @@ before = paths-opensuse.conf
 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
 # will not ban a host which matches an address in this list. Several addresses
 # can be defined using space (and/or comma) separator.
-#ignoreip = 127.0.0.1/8 ::1
+ignoreip = 127.0.0.1/8 ::1 10.2.0.101 10.0.10.156 10.0.10.174
 # External command that will take an tagged arguments to ignore, e.g. ,
 # and return true if the IP is to be ignored. False otherwise.
--
2.45.2
From 1b187ff8a6c4f3a8081f4edac109920d344d00d0 Mon Sep 17 00:00:00 2001
From: =
Date: Tue, 28 Mar 2023 10:26:23 +0200
Subject: [PATCH 04/11] added home-assistant
---
 podman/hass.sls | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 podman/hass.sls
diff --git a/podman/hass.sls b/podman/hass.sls
new file mode 100644
index 0000000..ca7dbd4
--- /dev/null
+++ b/podman/hass.sls
@@ -0,0 +1,3 @@
+{% from 'lib.sls' import container_deploy with context %}
+
+{{ container_deploy('hass') }}
--
2.45.2
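Review bot: The jail bans whatever address Nextcloud records as `remoteAddr`, and patch 05's dnsmasq change shows `nextcloud.rre.nu` pointing at `cl2-ingress-public.rre.nu`, which suggests requests reach Nextcloud through an ingress; unless Nextcloud is configured with that proxy in `trusted_proxies` so it logs the real client, three failed logins would ban the ingress address itself for `bantime = 1w` and cut off every user. Worth checking against a real `Login failed` entry before this goes live. A short comment above `logpath` saying that `/srv/podman/containers/storage/volumes/nextcloud-data/_data/data/nextcloud.log` is the data volume of the nextcloud container would also spare the next reader a search.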
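Review bot: The three addresses appended to `ignoreip` are exempt from every jail on the host, including sshd, and nothing records what they are, so a later maintainer cannot tell when one can be dropped; a comment above the line such as `# 10.2.0.101, 10.0.10.156, 10.0.10.174: <role of each host> - exempt from all jails` fixes that. Keeping the list to hosts that genuinely need the exemption also limits how much a compromised one of them could retry without being banned.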
From a1b81835b05383f2cd013367efc13a7e14ea100c Mon Sep 17 00:00:00 2001
From: =
Date: Tue, 28 Mar 2023 15:39:58 +0200
Subject: [PATCH 05/11] redirected home to pooblano
---
 dnsmasq/files/rre.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dnsmasq/files/rre.conf b/dnsmasq/files/rre.conf
index 43eaa94..380f969 100644
--- a/dnsmasq/files/rre.conf
+++ b/dnsmasq/files/rre.conf
@@ -6,7 +6,7 @@ domain=rre.nu
 # public cnames
 cname=push.rre.nu,cl2-ingress-public.rre.nu.
 cname=git.rre.nu,cl2-ingress-public.rre.nu
-cname=home.rre.nu,cl2-ingress-public.rre.nu
+cname=home.rre.nu,poblano.rre.nu
 cname=nextcloud.rre.nu,cl2-ingress-public.rre.nu
 cname=nodered.rre.nu,cl2-ingress-public.rre.nu
 cname=rre.nu,cl2-ingress-public.rre.nu
--
2.45.2
From 5b0fed4c96fdad2eec216e345ebeba07888bc83c Mon Sep 17 00:00:00 2001
From: =
Date: Tue, 28 Mar 2023 15:57:56 +0200
Subject: [PATCH 06/11] added run option to container
---
 podman/files/container.sh.jinja | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/podman/files/container.sh.jinja b/podman/files/container.sh.jinja
index 090921b..88ae559 100644
--- a/podman/files/container.sh.jinja
+++ b/podman/files/container.sh.jinja
@@ -46,7 +46,9 @@ function create_container() {
 --device {{ key }}:{{ value}} \
 {%- endfor %}
 {%- endif %}
- {{ args['image'] }}:{{ args['tag'] }}
+ {{ args['image'] }}:{{ args['tag'] }}{%- if args['run'] is defined %} \
+ {{ args['run'] }}
+ {%- endif %}
 fi
 }
--
2.45.2
From f15a8c5308016f608d3b9a1f6e63fc6f8e35d7b1 Mon Sep 17 00:00:00 2001
From: =
Date: Tue, 28 Mar 2023 15:58:14 +0200
Subject: [PATCH 07/11] added nginx-exporter
---
 podman/nginx-exporter.sls | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 podman/nginx-exporter.sls
diff --git a/podman/nginx-exporter.sls b/podman/nginx-exporter.sls
new file mode 100644
index 0000000..7c5fb63
--- /dev/null
+++ b/podman/nginx-exporter.sls
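Review bot: `{{ args['run'] }}` is rendered into the `podman` command line unquoted, so the shell running the generated script word-splits and expands it (globs, `$VAR`, `;`) before podman sees it; that is presumably intended for a raw argument string, but it should be stated wherever the `args` keys are documented, e.g. `# run: extra arguments appended verbatim after image:tag; shell-interpreted, not quoted`. Since the value ends up with root-level podman privileges, the pillar that feeds it should be treated as code, not data. The `create_container` function starts before this hunk.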
@@ -0,0 +1,4 @@
+{% from 'lib.sls' import container_deploy with context %}
+
+{{ container_deploy('nginx-exporter') }}
+
--
2.45.2
From c517b166b687a7fafec067f76c5eafab4a38420f Mon Sep 17 00:00:00 2001
From: =
Date: Thu, 30 Mar 2023 09:41:41 +0200
Subject: [PATCH 08/11] added loki
---
 podman/loki.sls | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 podman/loki.sls
diff --git a/podman/loki.sls b/podman/loki.sls
new file mode 100644
index 0000000..8f3aa16
--- /dev/null
+++ b/podman/loki.sls
@@ -0,0 +1,4 @@
+{% from 'lib.sls' import container_deploy with context %}
+
+{{ container_deploy('loki') }}
+
--
2.45.2
From 390f1e200b0d9464034d6a1c905db709634d9ade Mon Sep 17 00:00:00 2001
From: =
Date: Thu, 30 Mar 2023 09:42:16 +0200
Subject: [PATCH 09/11] added loki dns
---
 dnsmasq/files/rre.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/dnsmasq/files/rre.conf b/dnsmasq/files/rre.conf
index 380f969..ecf422e 100644
--- a/dnsmasq/files/rre.conf
+++ b/dnsmasq/files/rre.conf
@@ -18,3 +18,4 @@ cname=unifi.rre.nu,cl2-ingress-public.rre.nu
 cname=rancher.rre.nu,cl1.rre.nu
 cname=prometheus.rre.nu,poblano.rre.nu
 cname=unpoller.rre.nu,poblano.rre.nu
+cname=loki.rre.nu,poblano.rre.nu
--
2.45.2
From e832fc8e03b489a4a290184f2f00e9f717d3c345 Mon Sep 17 00:00:00 2001
From: =
Date: Thu, 30 Mar 2023 09:42:35 +0200
Subject: [PATCH 10/11] added promtail
---
 promtail/files/promtail.conf.jinja | 20 ++++++++++
 promtail/init.sls | 61 ++++++++++++++++++++++++++++++
 top.sls | 1 +
 3 files changed, 82 insertions(+)
 create mode 100644 promtail/files/promtail.conf.jinja
 create mode 100644 promtail/init.sls
diff --git a/promtail/files/promtail.conf.jinja b/promtail/files/promtail.conf.jinja
new file mode 100644
index 0000000..4a60ad8
--- /dev/null
+++ b/promtail/files/promtail.conf.jinja
@@ -0,0 +1,20 @@
+server:
+ http_listen_port: {{ http_listen_port }}
+ grpc_listen_port: 0
+
+positions:
+ filename: /tmp/positions.yaml
+
+clients:
+ - url: "{{ client_url }}"
+
+scrape_configs:
+ - job_name: journal
+ journal:
+ max_age: 12h
+ path: /var/log/journal
+ labels:
+ job: systemd-journal
+ relabel_configs:
+ - source_labels: ['__journal__systemd_unit']
+ target_label: 'unit'
diff --git a/promtail/init.sls b/promtail/init.sls
new file mode 100644
index 0000000..31f36bb
--- /dev/null
+++ b/promtail/init.sls
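Review bot: `positions.filename: /tmp/positions.yaml` sits on the container's own filesystem (the state in this same patch mounts only `/etc/promtail` and `/var/log/journal`, both read-only), so every container restart discards the read position and up to `max_age: 12h` of journal entries are shipped to Loki a second time. Pointing it at a writable mount fixes that, e.g. `filename: /var/lib/promtail/positions.yaml` together with a volume such as `-v promtail-positions:/var/lib/promtail` on the create line (example names). `clients.url` is plain `http://` with no credentials, which is acceptable on a trusted network, but a comment saying that log confidentiality relies on the network path to loki.rre.nu would make the assumption explicit.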
@@ -0,0 +1,61 @@
+{%- set client_url = "http://loki.rre.nu:3100/loki/api/v1/push" %}
+{%- set http_listen_port = 9080 %}
+{%- set zone = "public" %}
+
+
+Create promtail configuration folder:
+ file.directory:
+ - name: /etc/promtail
+ - user: root
+ - group: root
+ - mode: "0755"
+
+Create promtail configuration:
+ file.managed:
+ - name: /etc/promtail/promtail.conf
+ - source: salt://promtail/files/promtail.conf.jinja
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: "0644"
+ - require:
+ - file: Create promtail configuration folder
+ - context:
+ client_url: {{ client_url }}
+ http_listen_port: {{ http_listen_port }}
+
+Define firewall service for promtail:
+ firewalld.service:
+ - name: promtail
+ - ports:
+ - {{ http_listen_port }}/tcp
+
+adding fw service for promtail in {{ zone }} zone:
+ firewalld.present:
+ - name: {{ zone }}
+ - services:
+ - promtail
+
+Create promtail container:
+ cmd.run:
+ - name: podman container create --name promtail -p {{ http_listen_port }}:{{ http_listen_port}} -v /etc/promtail:/etc/promtail:ro -v /var/log/journal:/var/log/journal:ro docker.io/grafana/promtail:latest -config.file=/etc/promtail/promtail.conf
+ - unless: podman container exists promtail
+
+Create promail unit file:
+ cmd.run:
+ - name: podman generate systemd --name promtail > /etc/systemd/system/promtail.service
+ - onchanges:
+ - cmd: Create promtail container
+
+Run daeom-reload for promtail:
+ cmd.run:
+ - name: systemctl daemon-reload
+ - onchanges:
+ - cmd: Create promail unit file
+
+start promail service:
+ service.running:
+ - name: promtail
+ - enable: true
+ - watch:
+ - cmd: Create promail unit file
diff --git a/top.sls b/top.sls
index 1ddb57a..af35162 100644
--- a/top.sls
+++ b/top.sls
@@ -10,6 +10,7 @@ base:
 - restic
 - cockpit
 - fail2ban
+ - promtail
 'pepper.rre.nu':
 - dnsmasq
--
2.45.2
From 2b46f1e9ed4ab20f0ea81bc41e5a2fbe7e1fb79f Mon Sep 17 00:00:00 2001
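Review bot: Promtail's HTTP server is published on all interfaces (`-p {{ http_listen_port }}:{{ http_listen_port}}`) and then opened in the zone set by `{%- set zone = "public" %}`; that server answers `/metrics` and its target/discovery pages with no authentication, so anything the public zone faces can read which units and paths are being scraped. If only a local Prometheus needs it, bind to that interface on the create line or keep the service out of the `public` zone. `docker.io/grafana/promtail:latest` is unpinned, the same concern as the exporter image in patch 01. The state ids `Create promail unit file`, `Run daeom-reload for promtail` and `start promail service` carry typos that become costly to fix once other states reference them by name, as `onchanges` and `watch` already do here.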
From: =
Date: Thu, 30 Mar 2023 10:23:32 +0200
Subject: [PATCH 11/11] added hostname label
---
 promtail/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/promtail/init.sls b/promtail/init.sls
index 31f36bb..8063111 100644
--- a/promtail/init.sls
+++ b/promtail/init.sls
@@ -38,7 +38,7 @@ adding fw service for promtail in {{ zone }} zone:
 Create promtail container:
 cmd.run:
- - name: podman container create --name promtail -p {{ http_listen_port }}:{{ http_listen_port}} -v /etc/promtail:/etc/promtail:ro -v /var/log/journal:/var/log/journal:ro docker.io/grafana/promtail:latest -config.file=/etc/promtail/promtail.conf
+ - name: podman container create --name promtail -p {{ http_listen_port }}:{{ http_listen_port}} -v /etc/promtail:/etc/promtail:ro -v /var/log/journal:/var/log/journal:ro docker.io/grafana/promtail:latest -config.file=/etc/promtail/promtail.conf --client.external-labels=hostname={{ grains['fqdn'] }}
 - unless: podman container exists promtail
 Create promail unit file:
--
2.45.2
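Review bot: The new `--client.external-labels=hostname={{ grains['fqdn'] }}` flag never reaches a host where the container was already created, because `Create promtail container` is guarded by `unless: podman container exists promtail` and nothing removes the old container when its create command changes; such hosts keep shipping logs without the hostname label while a fresh host gets it, which is exactly the kind of drift that makes Loki queries by host unreliable. The create command should be treated as a tracked input: render it into a `file.managed` (or a pillar-driven hash), add a `cmd.run` that removes the existing container `onchanges` of that file and runs before the create state, and the existing `onchanges`/`watch` chain then regenerates the unit and restarts the service. The `Create promail unit file` state shown as context continues outside the hunk.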