created fail2ban state #2

Closed
jonas wants to merge 12 commits from master into fail2ban
14 changed files with 172 additions and 3 deletions


@ -6,7 +6,7 @@ domain=rre.nu
# public cnames
cname=push.rre.nu,cl2-ingress-public.rre.nu.
cname=git.rre.nu,cl2-ingress-public.rre.nu
cname=home.rre.nu,cl2-ingress-public.rre.nu
cname=home.rre.nu,poblano.rre.nu
cname=nextcloud.rre.nu,cl2-ingress-public.rre.nu
cname=nodered.rre.nu,cl2-ingress-public.rre.nu
cname=rre.nu,cl2-ingress-public.rre.nu
@ -18,3 +18,4 @@ cname=unifi.rre.nu,cl2-ingress-public.rre.nu
cname=rancher.rre.nu,cl1.rre.nu
cname=prometheus.rre.nu,poblano.rre.nu
cname=unpoller.rre.nu,poblano.rre.nu
cname=loki.rre.nu,poblano.rre.nu


@ -0,0 +1,6 @@
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
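Review bot: The second pattern at L30 is a continuation of the `failregex` value and has to be indented under `failregex =` in fail2ban's INI format; in this rendering it sits at column 0, which fail2ban's ConfigParser-based reader is likely to treat as a malformed option line, so confirm the indentation is present in the committed file. Both patterns key on the log's `remoteAddr` field, which only carries the real client address when Nextcloud itself sees it (behind a reverse proxy it is the proxy's address unless `trusted_proxies` is configured in Nextcloud). A short comment above `failregex` naming the origin of the expression (this matches Nextcloud's documented fail2ban filter) and that prerequisite would help the next maintainer, e.g. `# Matches Nextcloud's JSON log; remoteAddr must be the client IP (set trusted_proxies behind a proxy)`.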


@ -0,0 +1,10 @@
[nextcloud]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 3
bantime = 1w
findtime = 1d
logpath = /srv/podman/containers/storage/volumes/nextcloud-data/_data/data/nextcloud.log
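Review bot: `port = 80,443` with `bantime = 1w` bans the offending address on this host's own ports, so if clients reach Nextcloud through a reverse proxy (the dnsmasq hunk in this PR maps `nextcloud.rre.nu` to `cl2-ingress-public`), the address the filter extracts from `remoteAddr` is the proxy's unless Nextcloud is configured with `trusted_proxies`, and three failed logins from anyone would then ban the proxy for a week for every user. Make sure the proxy address is either covered by `ignoreip` or, better, that Nextcloud logs the real client IP. `logpath` points into a podman volume's `_data` directory; a comment such as `# written by the nextcloud container; path breaks if the nextcloud-data volume is recreated` records the dependency, since fail2ban otherwise just stops matching silently.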


@ -89,7 +89,7 @@ before = paths-opensuse.conf
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
#ignoreip = 127.0.0.1/8 ::1
ignoreip = 127.0.0.1/8 ::1 10.2.0.101 10.0.10.156 10.0.10.174
# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
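Review bot: The `ignoreip` change edits what appears to be `jail.conf` itself (the hunk header's `before = paths-opensuse.conf` belongs to its `[DEFAULT]` section); fail2ban documents that `jail.conf` is replaced on package upgrade and that overrides belong in `jail.local` or `jail.d/*.local`, so the three added addresses would be lost on the next update. Move the override to a managed `jail.d/00-default.local` with `[DEFAULT]` and the same `ignoreip = ...` line. Also add a comment naming what `10.2.0.101`, `10.0.10.156` and `10.0.10.174` are, because an address in `ignoreip` is exempt from every jail, so the list is a security-relevant allow-list and a reader cannot tell from the bare IPs whether an entry is still justified.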


@ -1,3 +1,4 @@
include:
- fail2ban.install
- fail2ban.jails
- fail2ban.prometheus


@ -1,3 +1,4 @@
# SSH
configure sshd jail:
file.managed:
- name: /etc/fail2ban/jail.d/sshd.local
@ -8,10 +9,30 @@ configure sshd jail:
- onlyif:
- pkg.is_installed: openssh
# Nextcloud
configure nextcloud jail:
file.managed:
- name: /etc/fail2ban/jail.d/nextcloud.local
- source: salt://fail2ban/files/jail.d/nextcloud.local
- user: root
- group: root
- mode: "0644"
- onlyif: runuser -l {{ salt['pillar.get']('podman:user', 'root') }} -c 'podman container exists gitea'
configure nextcloud filter:
file.managed:
- name: /etc/fail2ban/filter.d/nextcloud.local
- source: salt://fail2ban/files/filter.d/nextcloud.local
- user: root
- group: root
- mode: "0644"
- onlyif: runuser -l {{ salt['pillar.get']('podman:user', 'root') }} -c 'podman container exists gitea'
######
realod fail2ban config:
cmd.run:
- name: fail2ban-client reload
- onchanges:
- file: configure sshd jail
- file: configure nextcloud jail
- file: configure nextcloud filter
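Review bot: Both `onlyif` guards at L84 and L92 run `podman container exists gitea`, so the Nextcloud jail and filter are only installed on a host that has a *gitea* container and are skipped on a host that runs only Nextcloud; this looks like a copy-paste from a gitea state and should test the Nextcloud container, `podman container exists nextcloud` (or whatever the container is actually named — the jail's `logpath` refers to a `nextcloud-data` volume). The state id `realod fail2ban config` is misspelled; it is only referenced by its own `onchanges` here so it works, but `reload fail2ban config` reads better. The `configure sshd jail` state begins in the first hunk and its body is cut by the hunk boundary.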

fail2ban/prometheus.sls Normal file

@ -0,0 +1,35 @@
Define firewalld service for fail2ban exporter:
firewalld.service:
- name: fail2ban_exporter
- ports:
- 9191/tcp
Addinge fail2ban exporter fw service:
firewalld.present:
- name: public
- services:
- fail2ban_exporter
create fail2ban-exporter container:
cmd.run:
- name: podman container create --name fail2ban-exporter -v /var/run/fail2ban:/var/run/fail2ban:ro -p 9191:9191 registry.gitlab.com/hectorjsmith/fail2ban-prometheus-exporter:latest
- unless: podman container exists fail2ban-exporter
create fail2ban-exporter container unit file:
cmd.run:
- name: podman generate systemd --name fail2ban-exporter > /etc/systemd/system/fail2ban-exporter.service
- onchanges:
- cmd: create fail2ban-exporter container
run daemon reload for fail2ban-exporter container unit file:
cmd.run:
- name: systemctl daemon-reload
- onchanges:
- cmd: create fail2ban-exporter container unit file
start fail2ban-exporter container:
service.running:
- name: fail2ban-exporter
- enable: true
- watch:
- cmd: create fail2ban-exporter container unit file
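Review bot: `Addinge fail2ban exporter fw service` (typo aside) opens 9191/tcp in the firewalld `public` zone, and the exporter runs with no authentication in front of it, so anything that can reach that zone can read the ban list and jail configuration it exports; if only the Prometheus host scrapes it, a firewalld rich rule with a `source address` restriction, or a zone bound to the internal interface, is tighter than `public`. The image is pulled as `registry.gitlab.com/hectorjsmith/fail2ban-prometheus-exporter:latest`; pinning a tag or digest keeps the deployment reproducible and lets an image change show up as a reviewed diff. Note also that `unless: podman container exists fail2ban-exporter` means later edits to the create command never take effect on an existing host; a comment such as `# container is only created once; remove it by hand to pick up changes to this command` would save the next maintainer a surprise (promtail/init.sls uses the same pattern).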


@ -46,7 +46,9 @@ function create_container() {
--device {{ key }}:{{ value}} \
{%- endfor %}
{%- endif %}
{{ args['image'] }}:{{ args['tag'] }}
{{ args['image'] }}:{{ args['tag'] }}{%- if args['run'] is defined %} \
{{ args['run'] }}
{%- endif %}
fi
}
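Review bot: The new `{{ args['run'] }}` at L146 is spliced into the `podman container create` command line unquoted, so whatever the pillar supplies is subject to the shell's word splitting and expansion; that is presumably intended (free-form extra arguments), but it should be stated where the macro's inputs are described, e.g. `# args['run']: optional string appended verbatim to the container command line (shell-expanded, not quoted)`. `create_container` starts before the hunk, and the missing space in `{{ value}}` on L141 is pre-existing.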

podman/hass.sls Normal file

@ -0,0 +1,3 @@
{% from 'lib.sls' import container_deploy with context %}
{{ container_deploy('hass') }}

podman/loki.sls Normal file

@ -0,0 +1,4 @@
{% from 'lib.sls' import container_deploy with context %}
{{ container_deploy('loki') }}


@ -0,0 +1,4 @@
{% from 'lib.sls' import container_deploy with context %}
{{ container_deploy('nginx-exporter') }}


@ -0,0 +1,20 @@
server:
http_listen_port: {{ http_listen_port }}
grpc_listen_port: 0
positions:
filename: /tmp/positions.yaml
clients:
- url: "{{ client_url }}"
scrape_configs:
- job_name: journal
journal:
max_age: 12h
path: /var/log/journal
labels:
job: systemd-journal
relabel_configs:
- source_labels: ['__journal__systemd_unit']
target_label: 'unit'
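Review bot: `positions.filename: /tmp/positions.yaml` lives in the container's own filesystem, and the promtail container created in promtail/init.sls mounts only `/etc/promtail` and `/var/log/journal`, both read-only, so the positions file is discarded whenever the container is removed and recreated (for example to update the image) and promtail presumably restarts from `max_age: 12h` back, re-shipping up to half a day of journal as duplicate lines in Loki. Point it at a persistent writable path, `filename: /var/lib/promtail/positions.yaml`, and add a matching writable `-v /var/lib/promtail:/var/lib/promtail` mount to the create command in promtail/init.sls.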

promtail/init.sls Normal file

@ -0,0 +1,61 @@
{%- set client_url = "http://loki.rre.nu:3100/loki/api/v1/push" %}
{%- set http_listen_port = 9080 %}
{%- set zone = "public" %}
Create promtail configuration folder:
file.directory:
- name: /etc/promtail
- user: root
- group: root
- mode: "0755"
Create promtail configuration:
file.managed:
- name: /etc/promtail/promtail.conf
- source: salt://promtail/files/promtail.conf.jinja
- template: jinja
- user: root
- group: root
- mode: "0644"
- require:
- file: Create promtail configuration folder
- context:
client_url: {{ client_url }}
http_listen_port: {{ http_listen_port }}
Define firewall service for promtail:
firewalld.service:
- name: promtail
- ports:
- {{ http_listen_port }}/tcp
adding fw service for promtail in {{ zone }} zone:
firewalld.present:
- name: {{ zone }}
- services:
- promtail
Create promtail container:
cmd.run:
- name: podman container create --name promtail -p {{ http_listen_port }}:{{ http_listen_port}} -v /etc/promtail:/etc/promtail:ro -v /var/log/journal:/var/log/journal:ro docker.io/grafana/promtail:latest -config.file=/etc/promtail/promtail.conf --client.external-labels=hostname={{ grains['fqdn'] }}
- unless: podman container exists promtail
Create promail unit file:
cmd.run:
- name: podman generate systemd --name promtail > /etc/systemd/system/promtail.service
- onchanges:
- cmd: Create promtail container
Run daeom-reload for promtail:
cmd.run:
- name: systemctl daemon-reload
- onchanges:
- cmd: Create promail unit file
start promail service:
service.running:
- name: promtail
- enable: true
- watch:
- cmd: Create promail unit file
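Review bot: The client URL at L199 ships journal contents to `loki.rre.nu:3100` over plain HTTP with no authentication, which is acceptable only if Loki is reachable solely from the internal network; a comment recording that assumption next to the `set` line, or TLS/basic_auth on the client, would make the trust boundary explicit. `Define firewall service for promtail` then opens 9080/tcp in the `public` zone, although the only thing promtail serves there is its own HTTP server (metrics and readiness), so it is worth restricting the source to the Prometheus host rather than the whole zone. The state ids `Create promail unit file`, `Run daeom-reload for promtail` and `start promail service` are misspelled; they are referenced consistently so the requisites resolve, but renaming them to `promtail`/`daemon-reload` (updating the `onchanges` and `watch` references together) avoids a later mismatch. `{{ http_listen_port}}` in the create command is missing a space, and the image is `docker.io/grafana/promtail:latest` with no pin, the same point raised on fail2ban/prometheus.sls.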


@ -10,6 +10,7 @@ base:
- restic
- cockpit
- fail2ban
- promtail
'pepper.rre.nu':
- dnsmasq