From 53cc3ddad325962122160929f5d1e3232f1491a4 Mon Sep 17 00:00:00 2001 
From: Alex Tavarez Date: Fri, 5 Sep 2025 00:21:16 -0400 Subject: [PATCH] Removed a bunch of files from bootstrap role to start it from scratch --- .ansible/roles/bootstrap/README.md | 38 - .../bootstrap/defaults/core_images@podman.yml | 58 -- .../bootstrap/defaults/core_pkgs@Debian.yml | 233 ----- .../defaults/custom_images@podman.yml | 4 - .../bootstrap/defaults/custom_pkgs@Debian.yml | 4 - .../roles/bootstrap/defaults/main/general.yml | 11 - .../bootstrap/defaults/options/certbot.yml | 3 - .../bootstrap/defaults/options/crowdsec.yml | 2 - .../roles/bootstrap/defaults/options/git.yml | 4 - .../roles/bootstrap/defaults/options/gpg.yml | 2 - .../bootstrap/defaults/options/proftpd.yml | 16 - .../roles/bootstrap/defaults/options/ssh.yml | 5 - .../bootstrap/files/clamav/clamav-milter.conf | 297 ------ .../roles/bootstrap/files/clamav/clamd.conf | 885 ------------------ .../bootstrap/files/clamav/freshclam.conf | 214 ----- .../roles/bootstrap/files/fail2ban/ftp.local | 11 - .../bootstrap/files/fail2ban/override.conf | 11 - .../roles/bootstrap/files/fail2ban/sshd.local | 9 - .../bootstrap/files/git/gitignore.sample | 5 - .ansible/roles/bootstrap/files/git/gitmessage | 6 - .../bootstrap/files/repos.Debian/charm.list | 1 - .../roles/bootstrap/files/sshd/denyroot.conf | 1 - .../roles/bootstrap/files/sshd/nopass.conf | 1 - .ansible/roles/bootstrap/handlers/main.yml | 3 - .../bootstrap/handlers/update@Debian.yml | 6 - .ansible/roles/bootstrap/meta/main.yml | 35 - .../roles/bootstrap/meta/requirements.yml | 8 - .ansible/roles/bootstrap/tasks/auth@ssh.yml | 19 - .../roles/bootstrap/tasks/config@corepkgs.yml | 19 - .../tasks/configure_core/certbot.yml | 42 - .../bootstrap/tasks/configure_core/clamav.yml | 94 -- .../tasks/configure_core/crowdsec.yml | 53 -- .../tasks/configure_core/fail2ban.yml | 76 -- .../bootstrap/tasks/configure_core/git.yml | 123 --- .../bootstrap/tasks/configure_core/gpg.yml | 89 -- .../tasks/configure_core/proftpd.yml | 19 - 
.../bootstrap/tasks/core_installations.yml | 7 - .../tasks/core_installations@Debian.yml | 44 - .../tasks/core_installations@podman.yml | 8 - .ansible/roles/bootstrap/tasks/denyroot.yml | 34 - .../roles/bootstrap/tasks/denyroot@ssh.yml | 10 - .../bootstrap/tasks/extra_installations.yml | 7 - .../tasks/extra_installations@podman.yml | 8 - .ansible/roles/bootstrap/tasks/groups.yml | 9 - .ansible/roles/bootstrap/tasks/main.yml | 3 - .../roles/bootstrap/tasks/upgrade@Debian.yml | 7 - .../roles/bootstrap/tasks/users@Debian.yml | 45 - .../templates/certbot/porkbun.ini.j2 | 2 - .../templates/proftpd/proftpd.conf.j2 | 93 -- .../bootstrap/templates/proftpd/vhost.conf.j2 | 31 - .ansible/roles/bootstrap/tests/inventory | 3 - .ansible/roles/bootstrap/tests/test.yml | 6 - .../roles/bootstrap/vars/main/general.yml | 12 - .../roles/bootstrap/vars/options/certbot.yml | 3 - .../roles/bootstrap/vars/options/crowdsec.yml | 2 - .ansible/roles/bootstrap/vars/options/git.yml | 4 - .ansible/roles/bootstrap/vars/options/gpg.yml | 2 - .../roles/bootstrap/vars/options/proftpd.yml | 16 - .ansible/roles/bootstrap/vars/options/ssh.yml | 5 - 59 files changed, 2768 deletions(-) delete mode 100644 .ansible/roles/bootstrap/README.md delete mode 100644 .ansible/roles/bootstrap/defaults/core_images@podman.yml delete mode 100644 .ansible/roles/bootstrap/defaults/core_pkgs@Debian.yml delete mode 100644 .ansible/roles/bootstrap/defaults/custom_images@podman.yml delete mode 100644 .ansible/roles/bootstrap/defaults/custom_pkgs@Debian.yml delete mode 100644 .ansible/roles/bootstrap/defaults/main/general.yml delete mode 100644 .ansible/roles/bootstrap/defaults/options/certbot.yml delete mode 100644 .ansible/roles/bootstrap/defaults/options/crowdsec.yml delete mode 100644 .ansible/roles/bootstrap/defaults/options/git.yml delete mode 100644 .ansible/roles/bootstrap/defaults/options/gpg.yml delete mode 100644 .ansible/roles/bootstrap/defaults/options/proftpd.yml delete mode 100644 
.ansible/roles/bootstrap/defaults/options/ssh.yml delete mode 100644 .ansible/roles/bootstrap/files/clamav/clamav-milter.conf delete mode 100644 .ansible/roles/bootstrap/files/clamav/clamd.conf delete mode 100644 .ansible/roles/bootstrap/files/clamav/freshclam.conf delete mode 100644 .ansible/roles/bootstrap/files/fail2ban/ftp.local delete mode 100644 .ansible/roles/bootstrap/files/fail2ban/override.conf delete mode 100644 .ansible/roles/bootstrap/files/fail2ban/sshd.local delete mode 100644 .ansible/roles/bootstrap/files/git/gitignore.sample delete mode 100644 .ansible/roles/bootstrap/files/git/gitmessage delete mode 100644 .ansible/roles/bootstrap/files/repos.Debian/charm.list delete mode 100644 .ansible/roles/bootstrap/files/sshd/denyroot.conf delete mode 100644 .ansible/roles/bootstrap/files/sshd/nopass.conf delete mode 100644 .ansible/roles/bootstrap/handlers/main.yml delete mode 100644 .ansible/roles/bootstrap/handlers/update@Debian.yml delete mode 100644 .ansible/roles/bootstrap/meta/main.yml delete mode 100644 .ansible/roles/bootstrap/meta/requirements.yml delete mode 100644 .ansible/roles/bootstrap/tasks/auth@ssh.yml delete mode 100644 .ansible/roles/bootstrap/tasks/config@corepkgs.yml delete mode 100644 .ansible/roles/bootstrap/tasks/configure_core/certbot.yml delete mode 100644 .ansible/roles/bootstrap/tasks/configure_core/clamav.yml delete mode 100644 .ansible/roles/bootstrap/tasks/configure_core/crowdsec.yml delete mode 100644 .ansible/roles/bootstrap/tasks/configure_core/fail2ban.yml delete mode 100644 .ansible/roles/bootstrap/tasks/configure_core/git.yml delete mode 100644 .ansible/roles/bootstrap/tasks/configure_core/gpg.yml delete mode 100644 .ansible/roles/bootstrap/tasks/configure_core/proftpd.yml delete mode 100644 .ansible/roles/bootstrap/tasks/core_installations.yml delete mode 100644 .ansible/roles/bootstrap/tasks/core_installations@Debian.yml delete mode 100644 .ansible/roles/bootstrap/tasks/core_installations@podman.yml delete mode 100644 
.ansible/roles/bootstrap/tasks/denyroot.yml delete mode 100644 .ansible/roles/bootstrap/tasks/denyroot@ssh.yml delete mode 100644 .ansible/roles/bootstrap/tasks/extra_installations.yml delete mode 100644 .ansible/roles/bootstrap/tasks/extra_installations@podman.yml delete mode 100644 .ansible/roles/bootstrap/tasks/groups.yml delete mode 100644 .ansible/roles/bootstrap/tasks/main.yml delete mode 100644 .ansible/roles/bootstrap/tasks/upgrade@Debian.yml delete mode 100644 .ansible/roles/bootstrap/tasks/users@Debian.yml delete mode 100644 .ansible/roles/bootstrap/templates/certbot/porkbun.ini.j2 delete mode 100644 .ansible/roles/bootstrap/templates/proftpd/proftpd.conf.j2 delete mode 100644 .ansible/roles/bootstrap/templates/proftpd/vhost.conf.j2 delete mode 100644 .ansible/roles/bootstrap/tests/inventory delete mode 100644 .ansible/roles/bootstrap/tests/test.yml delete mode 100644 .ansible/roles/bootstrap/vars/main/general.yml delete mode 100644 .ansible/roles/bootstrap/vars/options/certbot.yml delete mode 100644 .ansible/roles/bootstrap/vars/options/crowdsec.yml delete mode 100644 .ansible/roles/bootstrap/vars/options/git.yml delete mode 100644 .ansible/roles/bootstrap/vars/options/gpg.yml delete mode 100644 .ansible/roles/bootstrap/vars/options/proftpd.yml delete mode 100644 .ansible/roles/bootstrap/vars/options/ssh.yml
diff --git a/.ansible/roles/bootstrap/README.md b/.ansible/roles/bootstrap/README.md
deleted file mode 100644
index 225dd44..0000000
--- a/.ansible/roles/bootstrap/README.md
+++ /dev/null
@@ -1,38 +0,0 @@
-Role Name
-=========
-
-A brief description of the role goes here.
-
-Requirements
-------------
-
-Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
-
-Role Variables
---------------
-
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
-
-Dependencies
-------------
-
-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
-
-Example Playbook
-----------------
-
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
-
- - hosts: servers
- roles:
- - { role: username.rolename, x: 42 }
-
-License
--------
-
-BSD
-
-Author Information
------------------
-
-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/.ansible/roles/bootstrap/defaults/core_images@podman.yml b/.ansible/roles/bootstrap/defaults/core_images@podman.yml
deleted file mode 100644
index ce3c4ae..0000000
--- a/.ansible/roles/bootstrap/defaults/core_images@podman.yml
+++ /dev/null
@@ -1,58 +0,0 @@
----
-#@TODO: additional self-hosted services to consider for images:
-#@NOTE https://awesome-selfhosted.net
-core_cimages:
- #@NOTE bash ssh service
- #@NOTE https://hub.docker.com/r/linuxserver/openssh-server
- - uri: docker.io/linuxserver/openssh-server
- tag: latest
- #@NOTE the below should only be used if not using caddy on host for webdev
- # #@NOTE Apache web service with PHP
- # #@NOTE https://hub.docker.com/_/php
- # #@NOTE https://hub.docker.com/_/httpd
- # - uri: docker.io/php
- # tag: apache
- #@NOTE cloud service
- #@NOTE https://nextcloud.com/blog/how-to-install-the-nextcloud-all-in-one-on-linux/
- #@NOTE https://github.com/nextcloud/all-in-one/blob/main/compose.yaml
- - uri: docker.io/nextcloud/aio-postgresql
- tag: latest
- #@NOTE OpenPGP public keyservice
- #@NOTE https://hockeypuck.io/install-docker.html
- - uri: docker.io/hockeypuck/hockeypuck
- tag: 2.0.14
-recc_cimages:
- #@NOTE livestreaming web service
- #@NOTE https://owncast.online/quickstart/container/
- - uri: docker.io/owncast/owncast
- tag: latest
- #@NOTE XMPP chat service
- #@NOTE https://prosody.im/doc/docker
- - uri: docker.io/prosody/prosody
- tag: latest
- #@NOTE matrix chat service
- #@NOTE https://element-hq.github.io/synapse/latest/setup/installation.html#docker-images-and-ansible-playbooks
- - uri: docker.io/matrixdotorg/synapse
- tag: latest
- #@NOTE budgeting web service
- #@NOTE https://actualbudget.org/docs/install/docker
- - url: docker.io/actualbudget/actual-server
- tag: latest-alpine
- #@NOTE grocery and household management web service
- #@NOTE https://hub.docker.com/r/linuxserver/grocy
- - url: docker.io/linuxserver/grocy
- tag: latest
- #@NOTE workout management web service
- #@NOTE https://wger.readthedocs.io/en/latest/production/docker.html
- - url: docker.io/wger/server
- tag: latest
- #@NOTE recipe management web service
- #@NOTE https://docs.mealie.io/documentation/getting-started/installation/installation-checklist/
- - url: docker.io/hkotel/mealie
- tag: latest
- #@NOTE IRC service
- - url: docker.io/inspircd/inspircd-docker
- tag: latest
- #@NOTE anope IRC services
- - url: docker.io/anope/anope
- tag: latest
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/defaults/core_pkgs@Debian.yml b/.ansible/roles/bootstrap/defaults/core_pkgs@Debian.yml
deleted file mode 100644
index 18ab143..0000000
--- a/.ansible/roles/bootstrap/defaults/core_pkgs@Debian.yml
+++ /dev/null
@@ -1,233 +0,0 @@
----
-#@TODO: packages needed: mail server, URL shortener, music player daemon
-server_pkgs:
- #@NOTE version control
- - package: git-all
- version: ~
- #@NOTE reverse proxy
- - package: caddy
- version: ~
- #@NOTE database management service
- - package: sqlite3
- version: ~
- #@NOTE database management service
- - package: postgresql
- version: ~
- #@NOTE onion router, relay or server
- - package: tor
- version: ~
- #@NOTE FTP service
- - package: proftpd-core
- version: ~
- #@NOTE antivirus module for extending FTP service
- - package: proftpd-mod-clamav
- version: ~
- #@NOTE cryptographic module for extending FTP service
- - package: proftpd-mod-crypto
- version: ~
- #@NOTE postgresql module for extending FTP service
- - package: proftpd-mod-pgsql
- version: ~
- #@NOTE sqlite module for extending FTP service
- - package: proftpd-mod-sqlite
- version: ~
- # #@NOTE IRC chat service
- # - package: inspircd
- # version: ~
- # #@NOTE IRC extended services
- # - package: anope
- # version: ~
- - package: gnunet
- version: ~
- #@NOTE CLI download manager service
- - package: aria2
- version: ~
- #@NOTE crowdsourced security stack
- - package: crowdsec
- version: ~
- # #@NOTE TURN and STUN server
- # - package: coturn
- # version: ~
- #@NOTE email server
- - package: postfix
- version: ~
-server_pkgs_ext:
- #@NOTE VPN tunnel
- - package: tailscale
- version: ~
- key_orig_is_url: yes
- key: https://pkgs.tailscale.com/stable/debian/bookworm.noarmor.gpg
- key_dest: /usr/share/keyrings/tailscale-archive-keyring.gpg
- repo_orig_is_url: yes
- repo: https://pkgs.tailscale.com/stable/debian/bookworm.tailscale-keyring.list
- repo_dest: /etc/apt/sources.list.d/tailscale.list
-virtualization_pkgs:
- #@NOTE container engine
- - package: podman
- version: ~
- #@NOTE container engine configuration manager
- - package: podman-compose
- version: ~
- #@NOTE container engine
- - package: distrobox
- version: ~
-pkgmanager_pkgs:
- - package: snapd
- version: ~
- - package: flatpak
- version: ~
-cli_pkgs:
- #@NOTE terminal
- - package: kitty
- version: ~
- #@NOTE vi/vim-based text editor
- - package: neovim
- version: ~
- #@NOTE antivirus client
- - package: clamav
- version: ~
- #@NOTE intrusion prevention software framework
- - package: fail2ban
- version: ~
- #@NOTE SSL certificate tool
- - package: certbot
- version: ~
- #@NOTE Overlay file encryption tool
- - package: gocryptfs
- version: ~
- #@NOTE these should be available on the system by default
- # #@NOTE encryption, authentication and signature key manager
- # - package: gnupg
- # version: ~
- # - package: gnupg-agent
- # version: ~
- # - package: gnupg-l10n
- # version: ~
- # - package: gnupg-utils
- # version: ~
- # #@NOTE userspace filesystem utility
- # - package: fuse3
- # version: ~
- # #@NOTE version control utility
- # - package: git
- # version: ~
-cli_pkgs_ext:
- #@NOTE markdown rendering or syntax highlighting
- - package: glow
- version: ~
- key_orig_is_url: yes
- key: https://repo.charm.sh/apt/gpg.key
- key_dest: /etc/apt/keyrings/charm.gpg
- repo_orig_is_url: no
- repo: repos.Debian/charm.list
- repo_dest: /etc/apt/sources.list.d/charm.list
-transcoding_pkgs:
- #@NOTE media-handling suite
- - package: ffmpeg
- version: ~
- #@NOTE VP9 video codec
- - package: libvpx9
- version: ~
-media_pkgs:
- #@NOTE media playtime synchronization server
- - package: syncplay-server
- version: ~
-coding_pkgs:
- #@NOTE NodeJS Javascript runtime environment
- - package: nodejs
- version: ~
- #@NOTE NodeJS documentation
- - package: nodejs-doc
- version: ~
- #@NOTE NodeJS package manager
- - package: npm
- version: ~
- #@NOTE NodeJS Reactjs web framework
- - package: node-react
- version: ~
- #@NOTE NodeJS expressjs web framework
- - package: node-express
- version: ~
- #@NOTE Erlang virtualized programming language
- - package: erlang
- version: ~
- #@NOTE Elixir virtualized programming language
- - package: elixir
- version: ~
- #@NOTE Elixir/ErLand package manager
- - package: erlang-hex
- version: ~
- - package: pandoc
- version: ~
- #@NOTE Crystal programming language
- - package: crystal
- version: ~
- #@NOTE Crystal documentation
- - package: crystal-doc
- version: ~
- #@NOTE Crystal package manager
- - package: shards
- version: ~
- #@NOTE Python programming language
- - package: python3
- version: ~
- #@NOTE Python package manager
- - package: python3-pip
- version: ~
- #@NOTE Python web framework
- - package: python3-flask
- version: ~
- #@NOTE Ruby programming language
- - package: ruby-standalone
- version: ~
- #@NOTE Ruby package manager
- - package: ruby-rubygems
- version: ~
- #@NOTE Ruby web framework
- - package: ruby-rails
- version: ~
- #@NOTE Rust programming language
- - package: rustc
- version: ~
- #@NOTE Rust documentation
- - package: rust-doc
- version: ~
- #@NOTE Rust package manager
- - package: cargo
- version: ~
- #@NOTE Rust package manager documentation
- - package: cargo-doc
- version: ~
- #@NOTE Rust toolchain
- - package: rustup
- version: ~
- #@NOTE Lua programming language
- - package: lua5.1
- version: ~
- #@NOTE Lua documentation
- - package: lua5.1-doc
- version: ~
- #@NOTE Lua package manager
- - package: luarocks
- version: ~
- #@NOTE LLVM to Javascript compiler (needed for WASMoon module)
- - package: emscripten
- version: ~
- #@NOTE LLVM to Javascript compiler (needed for WASMoon module)
- - package: emscripten-doc
- version: ~
- #@NOTE R programming language
- - package: r-base
- version: ~
- #@NOTE R programming language
- - package: r-base
- version: ~
- #@NOTE PHP programming language
- - package: php
- version: ~
- #@NOTE PHP interpreter server
- - package: php-fpm
- version: ~
- #@NOTE PHP dependency manager
- - package: composer
- version: ~
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/defaults/custom_images@podman.yml b/.ansible/roles/bootstrap/defaults/custom_images@podman.yml
deleted file mode 100644
index f2df0b2..0000000
--- a/.ansible/roles/bootstrap/defaults/custom_images@podman.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-#@NOTE list your packages consistent with format of 'core_images@podman.yml'
-#@NOTE no other keys/variables at top-level allowed than 'my_cimages'
-my_cimages: ~
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/defaults/custom_pkgs@Debian.yml b/.ansible/roles/bootstrap/defaults/custom_pkgs@Debian.yml
deleted file mode 100644
index 4cfbc53..0000000
--- a/.ansible/roles/bootstrap/defaults/custom_pkgs@Debian.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-#@NOTE list your packages consistent with format of 'core_pkgs@Debian.yml'
-#@NOTE no other keys/variables at top-level allowed than 'my_pkgs'
-my_pkgs: ~
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/defaults/main/general.yml b/.ansible/roles/bootstrap/defaults/main/general.yml
deleted file mode 100644
index 7c77d63..0000000
--- a/.ansible/roles/bootstrap/defaults/main/general.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-# defaults file for bootstrap
-admins: ~
-guests: ~
-users: ~
-roots: ~
-enrollment_key: ~
-gcfs_password: ~
-gpg_sign_id: ~
-official_name: ~
-official_email: ~
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/defaults/options/certbot.yml b/.ansible/roles/bootstrap/defaults/options/certbot.yml
deleted file mode 100644
index 1e5f653..0000000
--- a/.ansible/roles/bootstrap/defaults/options/certbot.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-dns_secret: ~
-dns_key: ~
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/defaults/options/crowdsec.yml b/.ansible/roles/bootstrap/defaults/options/crowdsec.yml
deleted file mode 100644
index 678e3cb..0000000
--- a/.ansible/roles/bootstrap/defaults/options/crowdsec.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-enrollment_key: ~
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/defaults/options/git.yml b/.ansible/roles/bootstrap/defaults/options/git.yml
deleted file mode 100644
index dc37218..0000000
--- a/.ansible/roles/bootstrap/defaults/options/git.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-gpg_sign_id: ~
-official_name: ~
-official_email: ~
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/defaults/options/gpg.yml b/.ansible/roles/bootstrap/defaults/options/gpg.yml
deleted file mode 100644
index 945b5aa..0000000
--- a/.ansible/roles/bootstrap/defaults/options/gpg.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-gcfs_password: ~
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/defaults/options/proftpd.yml b/.ansible/roles/bootstrap/defaults/options/proftpd.yml
deleted file mode 100644
index c8058f0..0000000
--- a/.ansible/roles/bootstrap/defaults/options/proftpd.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-welcome_msg_path: /etc/proftpd/welcome.msg
-goodbye_msg_path: /etc/proftpd/bye.msg
-transfer_msg_path: /etc/proftpd/transfer.msg
-default_umask: 0022 0022
-users_allowed: root
-servername: ~
-admin_email: ~
-serveralias: localhost
-ftp_protocols: ftps
-ftp_port: 990
-sec_cert_path: /etc/srv/domain.cert.pem
-sca_cert_path: /etc/srv/domain.cert.pem
-key_cert_path: /etc/srv/private.key.pem
-ftp_auth_user_path: /etc/proftpd/ftp.passwd
-ftp_auth_group_path: /etc/proftpd/ftpd.group
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/defaults/options/ssh.yml b/.ansible/roles/bootstrap/defaults/options/ssh.yml
deleted file mode 100644
index 5ab549d..0000000
--- a/.ansible/roles/bootstrap/defaults/options/ssh.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-pubkeys: ~
-primary_root_acct: ~
-nonlogin_method: ~
-roots: ~
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/files/clamav/clamav-milter.conf b/.ansible/roles/bootstrap/files/clamav/clamav-milter.conf
deleted file mode 100644
index 1a4999b..0000000
--- a/.ansible/roles/bootstrap/files/clamav/clamav-milter.conf
+++ /dev/null
@@ -1,297 +0,0 @@ -## -## Example config file for clamav-milter -## - -# Comment or remove the line below. - - -## -## Main options -## - -# Define the interface through which we communicate with sendmail -# This option is mandatory! Possible formats are: -# [[unix|local]:]/path/to/file - to specify a unix domain socket -# inet:port@[hostname|ip-address] - to specify an ipv4 socket -# inet6:port@[hostname|ip-address] - to specify an ipv6 socket -# -# Default: no default -#MilterSocket /run/clamav/clamav-milter.sock -#MilterSocket /tmp/clamav-milter.sock -#MilterSocket inet:7357 - -# Define the group ownership for the (unix) milter socket. -# Default: disabled (the primary group of the user running clamd) -#MilterSocketGroup virusgroup - -# Sets the permissions on the (unix) milter socket to the specified mode. -# Default: disabled (obey umask) -#MilterSocketMode 660 - -# Remove stale socket after unclean shutdown. -# -# Default: yes -#FixStaleSocket yes - -# Run as another user (clamav-milter must be started by root for this option -# to work) -# -# Default: unset (don't drop privileges) -#User clamav - -# Waiting for data from clamd will timeout after this time (seconds). -# Value of 0 disables the timeout. -# -# Default: 120 -#ReadTimeout 300 - -# Don't fork into background. -# -# Default: no -#Foreground yes - -# Chroot to the specified directory. -# Chrooting is performed just after reading the config file and before -# dropping privileges. -# -# Default: unset (don't chroot) -#Chroot /newroot - -# This option allows you to save a process identifier of the listening -# daemon. -# This file will be owned by root, as long as clamav-milter was started by -# root. It is recommended that the directory where this file is stored is -# also owned by root to keep other users from tampering with it. -# -# Default: disabled -#PidFile /run/clamav/clamav-milter.pid - -# Optional path to the global temporary directory. -# Default: system specific (usually /tmp or /var/tmp). 
-# -#TemporaryDirectory /var/tmp - -## -## Clamd options -## - -# Define the clamd socket to connect to for scanning. -# This option is mandatory! Syntax: -# ClamdSocket unix:path -# ClamdSocket tcp:host:port -# The first syntax specifies a local unix socket (needs an absolute path) e.g.: -# ClamdSocket unix:/run/clamav/clamd.sock -# The second syntax specifies a tcp local or remote tcp socket: the -# host can be a hostname or an ip address; the ":port" field is only required -# for IPv6 addresses, otherwise it defaults to 3310, e.g.: -# ClamdSocket tcp:192.168.0.1 -# -# This option can be repeated several times with different sockets or even -# with the same socket: clamd servers will be selected in a round-robin -# fashion. -# -# Default: no default -#ClamdSocket tcp:scanner.mydomain:7357 -#ClamdSocket unix:/run/clamav/clamd.sock - - -## -## Exclusions -## - -# Messages originating from these hosts/networks will not be scanned -# This option takes a host(name)/mask pair in CIRD notation and can be -# repeated several times. If "/mask" is omitted, a host is assumed. -# To specify a locally originated, non-smtp, email use the keyword "local" -# -# Default: unset (scan everything regardless of the origin) -#LocalNet local -#LocalNet 192.168.0.0/24 -#LocalNet 1111:2222:3333::/48 - -# This option specifies a file which contains a list of basic POSIX regular -# expressions. Addresses (sent to or from - see below) matching these regexes -# will not be scanned. Optionally each line can start with the string "From:" -# or "To:" (note: no whitespace after the colon) indicating if it is, -# respectively, the sender or recipient that is to be allowed. -# If the field is missing, "To:" is assumed. -# Lines starting with #, : or ! are ignored. -# -# Default unset (no exclusion applied) -#AllowList /etc/allowed_addresses - -# Messages from authenticated SMTP users matching this extended POSIX -# regular expression (egrep-like) will not be scanned. 
-# As an alternative, a file containing a plain (not regex) list of names (one -# per line) can be specified using the prefix "file:". -# e.g. SkipAuthenticated file:/etc/good_guys -# -# Note: this is the AUTH login name! -# -# Default: unset (no allowing based on SMTP auth) -#SkipAuthenticated ^(tom|dick|henry)$ - -# Messages larger than this value won't be scanned. -# Make sure this value is lower or equal than StreamMaxLength in clamd.conf -# -# Default: 25M -#MaxFileSize 10M - - -## -## Actions -## - -# The following group of options controls the delivery process under -# different circumstances. -# The following actions are available: -# - Accept -# The message is accepted for delivery -# - Reject -# Immediately refuse delivery (a 5xx error is returned to the peer) -# - Defer -# Return a temporary failure message (4xx) to the peer -# - Blackhole (not available for OnFail) -# Like Accept but the message is sent to oblivion -# - Quarantine (not available for OnFail) -# Like Accept but message is quarantined instead of being delivered -# -# NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ -# For Postfix this causes the message to be placed on hold -# -# Action to be performed on clean messages (mostly useful for testing) -# Default: Accept -#OnClean Accept - -# Action to be performed on infected messages -# Default: Quarantine -#OnInfected Quarantine - -# Action to be performed on error conditions (this includes failure to -# allocate data structures, no scanners available, network timeouts, -# unknown scanner replies and the like) -# Default: Defer -#OnFail Defer - -# This option allows to set a specific rejection reason for infected messages -# and it's therefore only useful together with "OnInfected Reject" -# The string "%v", if present, will be replaced with the virus name. 
-# Default: MTA specific -#RejectMsg - -# If this option is set to "Replace" (or "Yes"), an "X-Virus-Scanned" and an -# "X-Virus-Status" headers will be attached to each processed message, possibly -# replacing existing headers. -# If it is set to Add, the X-Virus headers are added possibly on top of the -# existing ones. -# Note that while "Replace" can potentially break DKIM signatures, "Add" may -# confuse procmail and similar filters. -# Default: no -#AddHeader Replace - -# When AddHeader is in use, this option allows to arbitrary set the reported -# hostname. This may be desirable in order to avoid leaking internal names. -# If unset the real machine name is used. -# Default: disabled -#ReportHostname my.mail.server.name - -# Execute a command (possibly searching PATH) when an infected message is -# found. -# The following parameters are passed to the invoked program in this order: -# virus name, queue id, sender, destination, subject, message id, message date. -# Note #1: this requires MTA macroes to be available (see LogInfected below) -# Note #2: the process is invoked in the context of clamav-milter -# Note #3: clamav-milter will wait for the process to exit. Be quick or fork to -# avoid unnecessary delays in email delivery -# Default: disabled -#VirusAction /usr/local/bin/my_infected_message_handler - -## -## Logging options -## - -# Uncomment this option to enable logging. -# LogFile must be writable for the user running daemon. -# A full path is required. -# -# Default: disabled -#LogFile /tmp/clamav-milter.log - -# By default the log file is locked for writing - the lock protects against -# running clamav-milter multiple times. -# This option disables log file locking. -# -# Default: no -#LogFileUnlock yes - -# Maximum size of the log file. -# Value of 0 disables the limit. -# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) -# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size -# in bytes just don't use modifiers. 
If LogFileMaxSize is enabled, log -# rotation (the LogRotate option) will always be enabled. -# -# Default: 1M -#LogFileMaxSize 2M - -# Log time with each message. -# -# Default: no -#LogTime yes - -# Use system logger (can work together with LogFile). -# -# Default: no -#LogSyslog yes - -# Specify the type of syslog messages - please refer to 'man syslog' -# for facility names. -# -# Default: LOG_LOCAL6 -#LogFacility LOG_MAIL - -# Enable verbose logging. -# -# Default: no -#LogVerbose yes - -# Enable log rotation. Always enabled when LogFileMaxSize is enabled. -# Default: no -#LogRotate yes - -# This option allows to tune what is logged when a message is infected. -# Possible values are Off (the default - nothing is logged), -# Basic (minimal info logged), Full (verbose info logged) -# Note: -# For this to work properly in sendmail, make sure the msg_id, mail_addr, -# rcpt_addr and i macroes are available in eom. In other words add a line like: -# Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i -# to your .cf file. Alternatively use the macro: -# define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i') -# Postfix should be working fine with the default settings. -# -# Default: disabled -#LogInfected Basic - -# This option allows to tune what is logged when no threat is found in -# a scanned message. -# See LogInfected for possible values and caveats. -# Useful in debugging but drastically increases the log size. -# Default: disabled -#LogClean Basic - -# This option affects the behaviour of LogInfected, LogClean and VirusAction -# when a message with multiple recipients is scanned: -# If SupportMultipleRecipients is off (the default) -# then one single log entry is generated for the message and, in case the -# message is determined to be malicious, the command indicated by VirusAction -# is executed just once. In both cases only the last recipient is reported. 
-# If SupportMultipleRecipients is on: -# then one line is logged for each recipient and the command indicated -# by VirusAction is also executed once for each recipient. -# -# Note: although it's probably a good idea to enable this option, the default -# value -# is currently set to off for legacy reasons. -# Default: no -#SupportMultipleRecipients yes \ No newline at end of file diff --git a/.ansible/roles/bootstrap/files/clamav/clamd.conf b/.ansible/roles/bootstrap/files/clamav/clamd.conf deleted file mode 100644 index a08e742..0000000 --- a/.ansible/roles/bootstrap/files/clamav/clamd.conf +++ /dev/null 
@@ -1,885 +0,0 @@
-##
-## Example config file for the Clam AV daemon
-## Please read the clamd.conf(5) manual before editing this file.
-##
-
-
-# Comment or remove the line below.
-
-# Uncomment this option to enable logging.
-# LogFile must be writable for the user running daemon.
-# A full path is required.
-# Default: disabled
-#LogFile /tmp/clamd.log
-
-# By default the log file is locked for writing - the lock protects against
-# running clamd multiple times (if want to run another clamd, please
-# copy the configuration file, change the LogFile variable, and run
-# the daemon with --config-file option).
-# This option disables log file locking.
-# Default: no
-#LogFileUnlock yes
-
-# Maximum size of the log file.
-# Value of 0 disables the limit.
-# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
-# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
-# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
-# rotation (the LogRotate option) will always be enabled.
-# Default: 1M
-#LogFileMaxSize 2M
-
-# Log time with each message.
-# Default: no
-LogTime yes
-
-# Also log clean files. Useful in debugging but drastically increases the
-# log size.
-# Default: no
-#LogClean yes
-
-# Use system logger (can work together with LogFile).
-# Default: no
-#LogSyslog yes
-
-# Specify the type of syslog messages - please refer to 'man syslog'
-# for facility names.
-# Default: LOG_LOCAL6
-#LogFacility LOG_MAIL
-
-# Enable verbose logging.
-# Default: no
-#LogVerbose yes
-
-# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
-# Default: no
-#LogRotate yes
-
-# Enable Prelude output.
-# Default: no
-#PreludeEnable yes
-#
-# Set the name of the analyzer used by prelude-admin.
-# Default: ClamAV
-#PreludeAnalyzerName ClamAV
-
-# Log additional information about the infected file, such as its
-# size and hash, together with the virus name.
-#ExtendedDetectionInfo yes
-
-# This option allows you to save a process identifier of the listening
-# daemon.
-# This file will be owned by root, as long as clamd was started by root.
-# It is recommended that the directory where this file is stored is
-# also owned by root to keep other users from tampering with it.
-# Default: disabled
-#PidFile /run/clamav/clamd.pid
-
-# Optional path to the global temporary directory.
-# Default: system specific (usually /tmp or /var/tmp).
-#TemporaryDirectory /var/tmp
-
-# Path to the database directory.
-# Default: hardcoded (depends on installation options)
-#DatabaseDirectory /var/lib/clamav
-
-# Path to the ClamAV CA certificates directory for verifying CVD signature
-# archive digital signatures.
-# Default: hardcoded (depends on installation options)
-#CVDCertsDirectory /etc/clamav/certs
-
-# Only load the official signatures published by the ClamAV project.
-# Default: no
-#OfficialDatabaseOnly no
-
-# Return with a nonzero error code if the virus database is older than
-# the specified number of days.
-# Default: -1
-#FailIfCvdOlderThan 7
-
-# The daemon can work in local mode, network mode or both.
-# Due to security reasons we recommend the local mode.
-
-# Path to a local socket file the daemon will listen on.
-# Default: disabled (must be specified by a user)
-#LocalSocket /run/clamav/clamd.sock
-#LocalSocket /tmp/clamd.sock
-
-# Sets the group ownership on the unix socket.
-# Default: disabled (the primary group of the user running clamd)
-#LocalSocketGroup virusgroup
-
-# Sets the permissions on the unix socket to the specified mode.
-# Default: disabled (socket is world accessible)
-#LocalSocketMode 660
-
-# Remove stale socket after unclean shutdown.
-# Default: yes
-#FixStaleSocket no
-
-# TCP port address.
-# Default: no
-#TCPSocket 3310
-
-# TCP address.
-# By default we bind to INADDR_ANY, probably not wise.
-# Enable the following to provide some degree of protection
-# from the outside world.
This option can be specified multiple
-# times if you want to listen on multiple IPs. IPv6 is now supported.
-# Default: no
-#TCPAddr localhost
-
-# Enable or disable certain commands.
-# Disabling some commands like SHUTDOWN may improve the security of the daemon.
-# When a client sends one of the following commands but it is disabled,
-# clamd responds with COMMAND UNAVAILABLE.
-#
-# Enable the SHUTDOWN command.
-# Setting this to no prevents a client to stop clamd via the protocol.
-# Default: yes
-#EnableShutdownCommand no
-#
-# Enable the RELOAD command
-# Setting this to no prevents a client to reload the database.
-# Default: yes
-#EnableReloadCommand no
-#
-# Enable the STATS command
-# Setting this to no prevents a client from querying statistics.
-# Default: yes
-#EnableStatsCommand no
-#
-# Enable the VERSION command
-# Setting this to no prevents a client from querying version information.
-# Default: yes
-#EnableVersionCommand no
-
-# Maximum length the queue of pending connections may grow to.
-# Default: 200
-#MaxConnectionQueueLength 30
-
-# Clamd uses FTP-like protocol to receive data from remote clients.
-# If you are using clamav-milter to balance load between remote clamd daemons
-# on firewall servers you may need to tune the options below.
-
-# Close the connection when the data size limit is exceeded.
-# The value should match your MTA's limit for a maximum attachment size.
-# Default: 100M
-#StreamMaxLength 25M
-
-# Limit port range.
-# Default: 1024
-#StreamMinPort 30000
-# Default: 2048
-#StreamMaxPort 32000
-
-# Maximum number of threads running at the same time.
-# Default: 10
-#MaxThreads 20
-
-# Waiting for data from a client socket will timeout after this time (seconds).
-# Default: 120
-#ReadTimeout 300
-
-# This option specifies the time (in seconds) after which clamd should
-# timeout if a client doesn't provide any initial command after connecting.
-# Default: 30
-#CommandReadTimeout 30
-
-# This option specifies how long to wait (in milliseconds) if the send buffer
-# is full.
-# Keep this value low to prevent clamd hanging.
-#
-# Default: 500
-#SendBufTimeout 200
-
-# Maximum number of queued items (including those being processed by
-# MaxThreads threads).
-# It is recommended to have this value at least twice MaxThreads if possible.
-# WARNING: you shouldn't increase this too much to avoid running out of file
-# descriptors, the following condition should hold:
-# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual
-# max is 1024).
-#
-# Default: 100
-#MaxQueue 200
-
-# Waiting for a new job will timeout after this time (seconds).
-# Default: 30
-#IdleTimeout 60
-
-# Don't scan files and directories matching regex
-# This directive can be used multiple times
-# Default: scan all
-#ExcludePath ^/proc/
-#ExcludePath ^/sys/
-
-# Maximum depth directories are scanned at.
-# Default: 15
-MaxDirectoryRecursion 20
-
-# Follow directory symlinks.
-# Default: no
-#FollowDirectorySymlinks yes
-
-# Follow regular file symlinks.
-# Default: no
-#FollowFileSymlinks yes
-
-# Scan files and directories on other filesystems.
-# Default: yes
-#CrossFilesystems no
-
-# Perform a database check.
-# Default: 600 (10 min)
-#SelfCheck 600
-
-# Enable non-blocking (multi-threaded/concurrent) database reloads.
-# This feature will temporarily load a second scanning engine while scanning
-# continues using the first engine. Once loaded, the new engine takes over.
-# The old engine is removed as soon as all scans using the old engine have
-# completed.
-# This feature requires more RAM, so this option is provided in case users are
-# willing to block scans during reload in exchange for lower RAM requirements.
-# Default: yes
-#ConcurrentDatabaseReload no
-
-# Execute a command when virus is found.
-# Use the following environment variables to identify the file and virus names:
-# - $CLAM_VIRUSEVENT_FILENAME
-# - $CLAM_VIRUSEVENT_VIRUSNAME
-# In the command string, '%v' will also be replaced with the virus name.
-# Note: The '%f' filename format character has been disabled and will no longer
-# be replaced with the file name, due to command injection security concerns.
-# Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
-# For the same reason, you should NOT use the environment variables in the
-# command directly, but should use it carefully from your executed script.
-# Default: no
-#VirusEvent /opt/send_virus_alert_sms.sh
-
-# Run as another user (clamd must be started by root for this option to work)
-# Default: don't drop privileges
-User clamav
-
-# Stop daemon when libclamav reports out of memory condition.
-#ExitOnOOM yes
-
-# Don't fork into background.
-# Default: no
-#Foreground yes
-
-# Enable debug messages in libclamav.
-# Default: no
-#Debug yes
-
-# Do not remove temporary files (for debug purposes).
-# Default: no
-#LeaveTemporaryFiles yes
-
-# Record metadata about the file being scanned.
-# Scan metadata is useful for file analysis purposes and for debugging scan behavior.
-# The JSON metadata will be printed after the scan is complete if Debug is enabled.
-# A metadata.json file will be written to the scan temp directory if LeaveTemporaryFiles is enabled.
-# Default: no
-#GenerateMetadataJson yes
-
-# Store URIs found in html files to the json metadata.
-# URIs will be stored in an array with the tag 'URIs'
-# GenerateMetadataJson is required for this feature.
-# Default: yes (if GenerateMetadataJson is used)
-#JsonStoreHTMLURIs no
-
-# Store URIs found in pdf files to the json metadata.
-# URIs will be stored in an array with the tag 'URIs'
-# GenerateMetadataJson is required for this feature.
-# Default: yes (if GenerateMetadataJson is used)
-#JsonStorePDFURIs no
-
-# Permit use of the ALLMATCHSCAN command.
If set to no, clamd will reject
-# any ALLMATCHSCAN command as invalid.
-# Default: yes
-#AllowAllMatchScan no
-
-# Detect Possibly Unwanted Applications.
-# Default: no
-DetectPUA yes
-
-# Exclude a specific PUA category. This directive can be used multiple times.
-# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for
-# the complete list of PUA categories.
-# Default: Load all categories (if DetectPUA is activated)
-#ExcludePUA NetTool
-#ExcludePUA PWTool
-
-# Only include a specific PUA category. This directive can be used multiple
-# times.
-# Default: Load all categories (if DetectPUA is activated)
-#IncludePUA Spy
-#IncludePUA Scanner
-#IncludePUA RAT
-
-# This option causes memory or nested map scans to dump the content to disk.
-# If you turn on this option, more data is written to disk and is available
-# when the LeaveTemporaryFiles option is enabled.
-#ForceToDisk yes
-
-# This option allows you to disable the caching feature of the engine. By
-# default, the engine will store an MD5 in a cache of any files that are
-# not flagged as virus or that hit limits checks. Disabling the cache will
-# have a negative performance impact on large scans.
-# Default: no
-#DisableCache yes
-
-# This option allows you to set the number of entries the cache can store.
-# The value should be a square number or will be rounded up to the nearest
-# square number.
-#CacheSize 65536
-
-# In some cases (eg. complex malware, exploits in graphic files, and others),
-# ClamAV uses special algorithms to detect abnormal patterns and behaviors that
-# may be malicious. This option enables alerting on such heuristically
-# detected potential threats.
-# Default: yes
-HeuristicAlerts yes
-
-# Allow heuristic alerts to take precedence.
-# When enabled, if a heuristic scan (such as phishingScan) detects
-# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
-# scan-time.
-# When disabled, virus/phish detected by heuristic scans will be reported only
-# at the end of a scan. If an archive contains both a heuristically detected
-# virus/phish, and a real malware, the real malware will be reported
-#
-# Keep this disabled if you intend to handle "Heuristics.*" viruses
-# differently from "real" malware.
-# If a non-heuristically-detected virus (signature-based) is found first,
-# the scan is interrupted immediately, regardless of this config option.
-#
-# Default: no
-#HeuristicScanPrecedence yes
-
-
-##
-## Heuristic Alerts
-##
-
-# With this option clamav will try to detect broken executables (both PE and
-# ELF) and alert on them with the Broken.Executable heuristic signature.
-# Default: no
-AlertBrokenExecutables yes
-
-# With this option clamav will try to detect broken media file (JPEG,
-# TIFF, PNG, GIF) and alert on them with a Broken.Media heuristic signature.
-# Default: no
-AlertBrokenMedia yes
-
-# Alert on encrypted archives _and_ documents with heuristic signature
-# (encrypted .zip, .7zip, .rar, .pdf).
-# Default: no
-AlertEncrypted yes
-
-# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip,
-# .rar).
-# Default: no
-AlertEncryptedArchive yes
-
-# Alert on encrypted archives with heuristic signature (encrypted .pdf).
-# Default: no
-AlertEncryptedDoc yes
-
-# With this option enabled OLE2 files containing VBA macros, which were not
-# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
-# Default: no
-AlertOLE2Macros yes
-
-# Alert on SSL mismatches in URLs, even if the URL isn't in the database.
-# This can lead to false positives.
-# Default: no
-#AlertPhishingSSLMismatch yes
-
-# Alert on cloaked URLs, even if URL isn't in database.
-# This can lead to false positives.
-# Default: no
-#AlertPhishingCloak yes
-
-# Alert on raw DMG image files containing partition intersections
-# Default: no
-AlertPartitionIntersection yes
-
-
-##
-## Executable files
-##
-
-# PE stands for Portable Executable - it's an executable file format used
-# in all 32 and 64-bit versions of Windows operating systems. This option
-# allows ClamAV to perform a deeper analysis of executable files and it's also
-# required for decompression of popular executable packers such as UPX, FSG,
-# and Petite. If you turn off this option, the original files will still be
-# scanned, but without additional processing.
-# Default: yes
-ScanPE yes
-
-# Certain PE files contain an authenticode signature. By default, we check
-# the signature chain in the PE file against a database of trusted and
-# revoked certificates if the file being scanned is marked as a virus.
-# If any certificate in the chain validates against any trusted root, but
-# does not match any revoked certificate, the file is marked as trusted.
-# If the file does match a revoked certificate, the file is marked as virus.
-# The following setting completely turns off authenticode verification.
-# Default: no
-#DisableCertCheck yes
-
-# Executable and Linking Format is a standard format for UN*X executables.
-# This option allows you to control the scanning of ELF files.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-ScanELF yes
-
-
-##
-## Documents
-##
-
-# This option enables scanning of OLE2 files, such as Microsoft Office
-# documents and .msi files.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-ScanOLE2 yes
-
-# This option enables scanning within PDF files.
-# If you turn off this option, the original files will still be scanned, but
-# without decoding and additional processing.
-# Default: yes
-ScanPDF yes
-
-# This option enables scanning within SWF files.
-# If you turn off this option, the original files will still be scanned, but
-# without decoding and additional processing.
-# Default: yes
-ScanSWF yes
-
-# This option enables scanning xml-based document files supported by libclamav.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-ScanXMLDOCS yes
-
-# This option enables scanning of HWP3 files.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-ScanHWP3 yes
-
-# This option enables scanning of OneNote files.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-ScanOneNote yes
-
-
-##
-## Other file types
-##
-
-# This option enables scanning of image (graphics).
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-#ScanImage no
-
-# This option enables detection by calculating a fuzzy hash of image (graphics)
-# files.
-# Signatures using image fuzzy hashes typically match files and documents by
-# identifying images embedded or attached to those files.
-# If you turn off this option, then some files may no longer be detected.
-# Default: yes
-#ScanImageFuzzyHash no
-
-
-##
-## Mail files
-##
-
-# Enable internal e-mail scanner.
-# If you turn off this option, the original files will still be scanned, but
-# without parsing individual messages/attachments.
-# Default: yes
-#ScanMail no
-
-# Scan RFC1341 messages split over many emails.
-# You will need to periodically clean up $TemporaryDirectory/clamav-partial
-# directory.
-# WARNING: This option may open your system to a DoS attack.
-# Never use it on loaded servers.
-# Default: no
-#ScanPartialMessages yes
-
-# With this option enabled ClamAV will try to detect phishing attempts by using
-# HTML.Phishing and Email.Phishing NDB signatures.
-# Default: yes
-#PhishingSignatures no
-
-# With this option enabled ClamAV will try to detect phishing attempts by
-# analyzing URLs found in emails using WDB and PDB signature databases.
-# Default: yes
-#PhishingScanURLs no
-
-
-##
-## Data Loss Prevention (DLP)
-##
-
-# Enable the DLP module
-# Default: No
-#StructuredDataDetection yes
-
-# This option sets the lowest number of Credit Card numbers found in a file
-# to generate a detect.
-# Default: 3
-#StructuredMinCreditCardCount 5
-
-# With this option enabled the DLP module will search for valid Credit Card
-# numbers only. Debit and Private Label cards will not be searched.
-# Default: no
-#StructuredCCOnly yes
-
-# This option sets the lowest number of Social Security Numbers found
-# in a file to generate a detect.
-# Default: 3
-#StructuredMinSSNCount 5
-
-# With this option enabled the DLP module will search for valid
-# SSNs formatted as xxx-yy-zzzz
-# Default: yes
-#StructuredSSNFormatNormal no
-
-# With this option enabled the DLP module will search for valid
-# SSNs formatted as xxxyyzzzz
-# Default: no
-#StructuredSSNFormatStripped yes
-
-
-##
-## HTML
-##
-
-# Perform HTML normalisation and decryption of MS Script Encoder code.
-# Default: yes
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-ScanHTML yes
-
-
-##
-## Archives
-##
-
-# ClamAV can scan within archives and compressed files.
-# If you turn off this option, the original files will still be scanned, but
-# without unpacking and additional processing.
-# Default: yes
-ScanArchive yes
-
-
-##
-## Limits
-##
-
-# The options below protect your system against Denial of Service attacks
-# using archive bombs.
-
-# This option sets the maximum amount of time to a scan may take.
-# In this version, this field only affects the scan time of ZIP archives.
-# Value of 0 disables the limit.
-# Note: disabling this limit or setting it too high may result allow scanning
-# of certain files to lock up the scanning process/threads resulting in a
-# Denial of Service.
-# Time is in milliseconds.
-# Default: 120000
-#MaxScanTime 300000
-
-# This option sets the maximum amount of data to be scanned for each input
-# file. Archives and other containers are recursively extracted and scanned
-# up to this value.
-# Value of 0 disables the limit
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 400M
-#MaxScanSize 1000M
-
-# Files larger than this limit won't be scanned. Affects the input file itself
-# as well as files contained inside it (when the input file is an archive, a
-# document or some other kind of container).
-# Value of 0 disables the limit.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Technical design limitations prevent ClamAV from scanning files greater than
-# 2 GB at this time.
-# Default: 100M
-#MaxFileSize 400M
-
-# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
-# file, all files within it will also be scanned. This options specifies how
-# deeply the process should be continued.
-# Note: setting this limit too high may result in severe damage to the system.
-# Default: 17
-# Maximum: 100
-#MaxRecursion 10
-
-# Number of files to be scanned within an archive, a document, or any other
-# container file.
-# Value of 0 disables the limit.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 10000
-#MaxFiles 15000
-
-# Maximum size of a file to check for embedded PE. Files larger than this value
-# will skip the additional analysis step.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 40M
-#MaxEmbeddedPE 100M
-
-# Maximum size of a HTML file to normalize. HTML files larger than this value
-# will not be normalized or scanned.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 40M
-#MaxHTMLNormalize 100M
-
-# Maximum size of a normalized HTML file to scan. HTML files larger than this
-# value after normalization will not be scanned.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 8M
-#MaxHTMLNoTags 16M
-
-# Maximum size of a script file to normalize. Script content larger than this
-# value will not be normalized or scanned.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 20M
-#MaxScriptNormalize 50M
-
-# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
-# than this value will skip the step to potentially reanalyze as PE.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 1M
-#MaxZipTypeRcg 1M
-
-# This option sets the maximum number of partitions of a raw disk image to be
-# scanned.
-# Raw disk images with more partitions than this value will have up to
-# the value number partitions scanned. Negative values are not allowed.
-# Note: setting this limit too high may result in severe damage or impact
-# performance.
-# Default: 50
-#MaxPartitions 128
-
-# This option sets the maximum number of icons within a PE to be scanned.
-# PE files with more icons than this value will have up to the value number
-# icons scanned.
-# Negative values are not allowed.
-# WARNING: setting this limit too high may result in severe damage or impact
-# performance.
-# Default: 100
-#MaxIconsPE 200
-
-# This option sets the maximum recursive calls for HWP3 parsing during
-# scanning. HWP3 files using more than this limit will be terminated and
-# alert the user.
-# Scans will be unable to scan any HWP3 attachments if the recursive limit
-# is reached.
-# Negative values are not allowed.
-# WARNING: setting this limit too high may result in severe damage or impact
-# performance.
-# Default: 16
-#MaxRecHWP3 16
-
-# This option sets the maximum calls to the PCRE match function during
-# an instance of regex matching.
-# Instances using more than this limit will be terminated and alert the user
-# but the scan will continue.
-# For more information on match_limit, see the PCRE documentation.
-# Negative values are not allowed.
-# WARNING: setting this limit too high may severely impact performance.
-# Default: 100000
-#PCREMatchLimit 20000
-
-# This option sets the maximum recursive calls to the PCRE match function
-# during an instance of regex matching.
-# Instances using more than this limit will be terminated and alert the user
-# but the scan will continue.
-# For more information on match_limit_recursion, see the PCRE documentation.
-# Negative values are not allowed and values > PCREMatchLimit are superfluous.
-# WARNING: setting this limit too high may severely impact performance.
-# Default: 2000
-#PCRERecMatchLimit 10000
-
-# This option sets the maximum filesize for which PCRE subsigs will be
-# executed. Files exceeding this limit will not have PCRE subsigs executed
-# unless a subsig is encompassed to a smaller buffer.
-# Negative values are not allowed.
-# Setting this value to zero disables the limit.
-# WARNING: setting this limit too high or disabling it may severely impact
-# performance.
-# Default: 100M
-#PCREMaxFileSize 400M
-
-# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or
-# MaxRecursion limit will be flagged with the virus name starting with
-# "Heuristics.Limits.Exceeded".
-# Default: no
-#AlertExceedsMax yes
-
-##
-## On-access Scan Settings
-##
-
-# Don't scan files larger than OnAccessMaxFileSize
-# Value of 0 disables the limit.
-# Default: 5M
-#OnAccessMaxFileSize 10M
-
-# Max number of scanning threads to allocate to the OnAccess thread pool at
-# startup. These threads are the ones responsible for creating a connection
-# with the daemon and kicking off scanning after an event has been processed.
-# To prevent clamonacc from consuming all clamd's resources keep this lower
-# than clamd's max threads.
-# Default: 5
-#OnAccessMaxThreads 10
-
-# Max amount of time (in milliseconds) that the OnAccess client should spend
-# for every connect, send, and receive attempt when communicating with clamd
-# via curl.
-# Default: 5000 (5 seconds)
-# OnAccessCurlTimeout 10000
-
-# Toggles dynamic directory determination. Allows for recursively watching
-# include paths.
-# Default: no
-#OnAccessDisableDDD yes
-
-# Set the include paths (all files inside them will be scanned). You can have
-# multiple OnAccessIncludePath directives but each directory must be added
-# in a separate line.
-# Default: disabled
-#OnAccessIncludePath /home
-#OnAccessIncludePath /students
-
-# Set the exclude paths. All subdirectories are also excluded.
-# Default: disabled
-#OnAccessExcludePath /home/user
-
-# Modifies fanotify blocking behaviour when handling permission events.
-# If off, fanotify will only notify if the file scanned is a virus,
-# and not perform any blocking.
-# Default: no
-OnAccessPrevention no
-
-# When using prevention, if this option is turned on, any errors that occur
-# during scanning will result in the event attempt being denied. This could
-# potentially lead to unwanted system behaviour with certain configurations,
-# so the client defaults this to off and prefers allowing access events in
-# case of scan or connection error.
-# Default: no
-#OnAccessDenyOnError yes
-
-# Toggles extra scanning and notifications when a file or directory is
-# created or moved.
-# Requires the DDD system to kick-off extra scans.
-# Default: no
-OnAccessExtraScanning yes
-
-# Set the mount point to be scanned.
The mount point specified, or the mount
-# point containing the specified directory will be watched. If any directories
-# are specified, this option will preempt (disable and ignore all options
-# related to) the DDD system. This option will result in verdicts only.
-# Note that prevention is explicitly disallowed to prevent common, fatal
-# misconfigurations. (e.g. watching "/" with prevention on and no exclusions
-# made on vital system directories)
-# It can be used multiple times.
-# Default: disabled
-OnAccessMountPath /
-#OnAccessMountPath /home/user
-
-# With this option you can exclude the root UID (0). Processes run under
-# root with be able to access all files without triggering scans or
-# permission denied events.
-# Note that if clamd cannot check the uid of the process that generated an
-# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
-# the process already exited), clamd will perform a scan. Thus, setting
-# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the
-# root user from triggering a scan (unless OnAccessPrevention is enabled).
-# Default: no
-#OnAccessExcludeRootUID no
-
-# With this option you can exclude specific UIDs. Processes with these UIDs
-# will be able to access all files without triggering scans or permission
-# denied events.
-# This option can be used multiple times (one per line).
-# Using a value of 0 on any line will disable this option entirely.
-# To exclude the root UID (0) please enable the OnAccessExcludeRootUID
-# option.
-# Also note that if clamd cannot check the uid of the process that generated an
-# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
-# the process already exited), clamd will perform a scan. Thus, setting
-# OnAccessExcludeUID is not *guaranteed* to prevent every access by the
-# specified uid from triggering a scan (unless OnAccessPrevention is enabled).
-# Default: disabled
-#OnAccessExcludeUID -1
-
-# This option allows exclusions via user names when using the on-access
-# scanning client. It can be used multiple times.
-# It has the same potential race condition limitations of the
-# OnAccessExcludeUID option.
-# Default: disabled
-OnAccessExcludeUname clamav
-
-# Number of times the OnAccess client will retry a failed scan due to
-# connection problems (or other issues).
-# Default: 0
-#OnAccessRetryAttempts 3
-
-##
-## Bytecode
-##
-
-# With this option enabled ClamAV will load bytecode from the database.
-# It is highly recommended you keep this option on, otherwise you'll miss
-# detections for many new viruses.
-# Default: yes
-Bytecode yes
-
-# Set bytecode security level.
-# Possible values:
-# None - No security at all, meant for debugging.
-# DO NOT USE THIS ON PRODUCTION SYSTEMS.
-# This value is only available if clamav was built
-# with --enable-debug!
-# TrustSigned - Trust bytecode loaded from signed .c[lv]d files, insert
-# runtime safety checks for bytecode loaded from other sources.
-# Paranoid - Don't trust any bytecode, insert runtime checks for all.
-# Recommended: TrustSigned, because bytecode in .cvd files already has these
-# checks.
-# Note that by default only signed bytecode is loaded, currently you can only
-# load unsigned bytecode in --enable-debug mode.
-#
-# Default: TrustSigned
-#BytecodeSecurity TrustSigned
-
-# Allow loading bytecode from outside digitally signed .c[lv]d files.
-# **Caution**: You should NEVER run bytecode signatures from untrusted sources.
-# Doing so may result in arbitrary code execution.
-# Default: no
-#BytecodeUnsigned yes
-
-# Set bytecode timeout in milliseconds.
-#
-# Default: 10000
-# BytecodeTimeout 1000
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/files/clamav/freshclam.conf b/.ansible/roles/bootstrap/files/clamav/freshclam.conf
deleted file mode 100644
index 77d95b2..0000000
--- a/.ansible/roles/bootstrap/files/clamav/freshclam.conf
+++ /dev/null
@@ -1,214 +0,0 @@
-##
-## Example config file for freshclam
-## Please read the freshclam.conf(5) manual before editing this file.
-##
-
-
-# Comment or remove the line below.
-
-# Path to the database directory.
-# WARNING: It must match clamd.conf's directive!
-# WARNING: It must already exist, be an absolute path, be writeable by
-# freshclam, and be readable by clamd/clamscan.
-# Default: hardcoded (depends on installation options)
-#DatabaseDirectory /var/lib/clamav
-
-# Path to the ClamAV CA certificates directory for verifying CVD signature
-# archive digital signatures.
-# WARNING: It must match clamd.conf's directive!
-# WARNING: It must already exist, be an absolute path, be readable by
-# freshclam, clamd, clamscan and sigtool.
-# Default: hardcoded (depends on installation options)
-#CVDCertsDirectory /etc/clamav/certs
-
-# Path to the log file (make sure it has proper permissions)
-# Default: disabled
-#UpdateLogFile /var/log/freshclam.log
-
-# Maximum size of the log file.
-# Value of 0 disables the limit.
-# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
-# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
-# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
-# log rotation (the LogRotate option) will always be enabled.
-# Default: 1M
-#LogFileMaxSize 2M
-
-# Log time with each message.
-# Default: no
-#LogTime yes
-
-# Enable verbose logging.
-# Default: no
-#LogVerbose yes
-
-# Use system logger (can work together with UpdateLogFile).
-# Default: no
-#LogSyslog yes
-
-# Specify the type of syslog messages - please refer to 'man syslog'
-# for facility names.
-# Default: LOG_LOCAL6
-#LogFacility LOG_MAIL
-
-# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
-# Default: no
-#LogRotate yes
-
-# Write the daemon's pid to the specified file.
-# You must run freshclam with --daemon (-d) for freshclam to run as a daemon.
-# This file will be owned by root, as long as freshclam was started by root.
-# It is recommended that the directory where this file is stored is
-# also owned by root to keep other users from tampering with it.
-# Default: disabled
-#PidFile /run/clamav/freshclam.pid
-
-# By default when started freshclam drops privileges and switches to the
-# "clamav" user. This directive allows you to change the database owner.
-# Default: clamav (may depend on installation options)
-#DatabaseOwner clamav
-
-# Use DNS to verify virus database version. FreshClam uses DNS TXT records
-# to verify database and software versions. With this directive you can change
-# the database verification domain.
-# WARNING: Do not touch it unless you're configuring freshclam to use your
-# own database verification domain.
-# Default: current.cvd.clamav.net
-#DNSDatabaseInfo current.cvd.clamav.net
-
-# database.clamav.net is now the primary domain name to be used world-wide.
-# Now that CloudFlare is being used as our Content Delivery Network (CDN),
-# this one domain name works world-wide to direct freshclam to the closest
-# geographic endpoint.
-# If the old db.XY.clamav.net domains are set, freshclam will automatically
-# use database.clamav.net instead.
-DatabaseMirror database.clamav.net
-
-# How many attempts to make before giving up.
-# Default: 3 (per mirror)
-#MaxAttempts 5
-
-# With this option you can control scripted updates. It's highly recommended
-# to keep it enabled.
-# Default: yes
-#ScriptedUpdates yes
-
-# By default freshclam will keep the local databases (.cld) uncompressed to
-# make their handling faster. With this option you can enable the compression;
-# the change will take effect with the next database update.
-# Default: no
-#CompressLocalDatabase no
-
-# With this option you can provide custom sources for database files.
-# This option can be used multiple times. Support for:
-# http(s)://, ftp(s)://, or file://
-# Default: no custom URLs
-#DatabaseCustomURL http://myserver.example.com/mysigs.ndb
-#DatabaseCustomURL https://myserver.example.com/mysigs.ndb
-#DatabaseCustomURL https://myserver.example.com:4567/allow_list.wdb
-#DatabaseCustomURL ftp://myserver.example.com/example.ldb
-#DatabaseCustomURL ftps://myserver.example.com:4567/example.ndb
-#DatabaseCustomURL file:///mnt/nfs/local.hdb
-
-# This option allows you to easily point freshclam to private mirrors.
-# If PrivateMirror is set, freshclam does not attempt to use DNS
-# to determine whether its databases are out-of-date, instead it will
-# use the If-Modified-Since request or directly check the headers of the
-# remote database files. For each database, freshclam first attempts
-# to download the CLD file. If that fails, it tries to download the
-# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
-# and ScriptedUpdates. It can be used multiple times to provide
-# fall-back mirrors.
-# Default: disabled
-#PrivateMirror mirror1.example.com
-#PrivateMirror mirror2.example.com
-
-# Number of database checks per day.
-# Default: 12 (every two hours)
-#Checks 24
-
-# Proxy settings
-# The HTTPProxyServer may be prefixed with [scheme]:// to specify which kind
-# of proxy is used.
-# http:// HTTP Proxy. Default when no scheme or proxy type is specified.
-# https:// HTTPS Proxy. (Added in 7.52.0 for OpenSSL, GnuTLS and NSS)
-# socks4:// SOCKS4 Proxy.
-# socks4a:// SOCKS4a Proxy. Proxy resolves URL hostname.
-# socks5:// SOCKS5 Proxy.
-# socks5h:// SOCKS5 Proxy. Proxy resolves URL hostname.
-# Default: disabled
-#HTTPProxyServer https://proxy.example.com
-#HTTPProxyPort 1234
-#HTTPProxyUsername myusername
-#HTTPProxyPassword mypass
-
-# If your servers are behind a firewall/proxy which applies User-Agent
-# filtering you can use this option to force the use of a different
-# User-Agent header.
-# As of ClamAV 0.103.3, this setting may not be used when updating from the
-# clamav.net CDN and can only be used when updating from a private mirror.
-# Default: clamav/version_number (OS: ..., ARCH: ..., CPU: ..., UUID: ...)
-#HTTPUserAgent SomeUserAgentIdString
-
-# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
-# multi-homed systems.
-# Default: Use OS'es default outgoing IP address.
-#LocalIPAddress aaa.bbb.ccc.ddd
-
-# Send the RELOAD command to clamd.
-# Default: no
-#NotifyClamd /path/to/clamd.conf
-
-# Run command after successful database update.
-# Use EXIT_1 to return 1 after successful database update.
-# Default: disabled
-#OnUpdateExecute command
-
-# Run command when database update process fails.
-# Default: disabled
-#OnErrorExecute command
-
-# Run command when freshclam reports outdated version.
-# In the command string %v will be replaced by the new version number.
-# Default: disabled
-#OnOutdatedExecute command
-
-# Don't fork into background.
-# Default: no
-#Foreground yes
-
-# Enable debug messages in libclamav.
-# Default: no
-#Debug yes
-
-# Timeout in seconds when connecting to database server.
-# Default: 30
-#ConnectTimeout 60
-
-# Timeout in seconds when reading from database server. 0 means no timeout.
-# Default: 60
-#ReceiveTimeout 300
-
-# With this option enabled, freshclam will attempt to load new databases into
-# memory to make sure they are properly handled by libclamav before replacing
-# the old ones.
-# Tip: This feature uses a lot of RAM. If your system has limited RAM and you
-# are actively running ClamD or ClamScan during the update, then you may need
-# to set `TestDatabases no`.
-# Default: yes
-#TestDatabases no
-
-# This option enables downloading of bytecode.cvd, which includes additional
-# detection mechanisms and improvements to the ClamAV engine.
-# Default: yes
-#Bytecode no
-
-# Include an optional signature databases (opt-in).
-# This option can be used multiple times.
-#ExtraDatabase dbname1
-#ExtraDatabase dbname2
-
-# Exclude a standard signature database (opt-out).
-# This option can be used multiple times.
-#ExcludeDatabase dbname1
-#ExcludeDatabase dbname2
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/files/fail2ban/ftp.local b/.ansible/roles/bootstrap/files/fail2ban/ftp.local
deleted file mode 100644
index d971fe5..0000000
--- a/.ansible/roles/bootstrap/files/fail2ban/ftp.local
+++ /dev/null
@@ -1,11 +0,0 @@
-[proftpd]
-enabled = true
-allowipv6 = true
-banaction = iptables-multiport
-findtime = 1200
-maxretry = 3
-bantime = 1h
-bantime.increment = true
-bantime.factor = 24
-bantime.maxtime = 5w
-ignoreip = 127.0.0.1/8
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/files/fail2ban/override.conf b/.ansible/roles/bootstrap/files/fail2ban/override.conf
deleted file mode 100644
index 55624a2..0000000
--- a/.ansible/roles/bootstrap/files/fail2ban/override.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-[Service]
-PrivateDevices=yes
-PrivateTmp=yes
-ProtectHome=read-only
-ProtectSystem=strict
-ReadWritePaths=-/var/run/fail2ban
-ReadWritePaths=-/var/lib/fail2ban
-ReadWritePaths=-/var/log/fail2ban.log
-ReadWritePaths=-/var/spool/postfix/maildrop
-ReadWritePaths=-/run/xtables.lock
-CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/files/fail2ban/sshd.local b/.ansible/roles/bootstrap/files/fail2ban/sshd.local
deleted file mode 100644
index 6ce554b..0000000
--- a/.ansible/roles/bootstrap/files/fail2ban/sshd.local
+++ /dev/null
@@ -1,9 +0,0 @@
-[sshd]
-enabled = true
-filter = sshd
-banaction = iptables
-findtime = 1d
-allowipv6 = true
-maxretry = 4
-bantime = 1w
-ignoreip = 127.0.0.1/8
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/files/git/gitignore.sample b/.ansible/roles/bootstrap/files/git/gitignore.sample
deleted file mode 100644
index 5e54107..0000000
--- a/.ansible/roles/bootstrap/files/git/gitignore.sample
+++ /dev/null
@@ -1,5 +0,0 @@
-*.asc
-*.gpg
-*.enc
-*.pem
-*.secret
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/files/git/gitmessage b/.ansible/roles/bootstrap/files/git/gitmessage
deleted file mode 100644
index 8df7935..0000000
--- a/.ansible/roles/bootstrap/files/git/gitmessage
+++ /dev/null
@@ -1,6 +0,0 @@
-[optional scope]:
-
-Multi-line description of commit,
-can be detailed.
-
-[Issue: X]
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/files/repos.Debian/charm.list b/.ansible/roles/bootstrap/files/repos.Debian/charm.list
deleted file mode 100644
index 6a62a57..0000000
--- a/.ansible/roles/bootstrap/files/repos.Debian/charm.list
+++ /dev/null
@@ -1 +0,0 @@
-deb [signed-by=/etc/apt/keyrings/charm.gpg] https://repo.charm.sh/apt/ * *
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/files/sshd/denyroot.conf b/.ansible/roles/bootstrap/files/sshd/denyroot.conf
deleted file mode 100644
index 4888ff9..0000000
--- a/.ansible/roles/bootstrap/files/sshd/denyroot.conf
+++ /dev/null
@@ -1 +0,0 @@
-PermitRootLogin no
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/files/sshd/nopass.conf b/.ansible/roles/bootstrap/files/sshd/nopass.conf
deleted file mode 100644
index 693eadb..0000000
--- a/.ansible/roles/bootstrap/files/sshd/nopass.conf
+++ /dev/null
@@ -1 +0,0 @@
-PasswordAuthentication no
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/handlers/main.yml b/.ansible/roles/bootstrap/handlers/main.yml
deleted file mode 100644
index 5693e0c..0000000
--- a/.ansible/roles/bootstrap/handlers/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-#SPDX-License-Identifier: MIT-0
----
-# handlers file for bootstrap
diff --git a/.ansible/roles/bootstrap/handlers/update@Debian.yml b/.ansible/roles/bootstrap/handlers/update@Debian.yml
deleted file mode 100644
index cd30749..0000000
--- a/.ansible/roles/bootstrap/handlers/update@Debian.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: Update repositories cache
- apt:
- update_cache: yes
- register: apt_refreshed
- listen: update
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/meta/main.yml b/.ansible/roles/bootstrap/meta/main.yml
deleted file mode 100644
index 36b9858..0000000
--- a/.ansible/roles/bootstrap/meta/main.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-#SPDX-License-Identifier: MIT-0
-galaxy_info:
- author: your name
- description: your role description
- company: your company (optional)
-
- # If the issue tracker for your role is not on github, uncomment the
- # next line and provide a value
- # issue_tracker_url: http://example.com/issue/tracker
-
- # Choose a valid license ID from https://spdx.org - some suggested licenses:
- # - BSD-3-Clause (default)
- # - MIT
- # - GPL-2.0-or-later
- # - GPL-3.0-only
- # - Apache-2.0
- # - CC-BY-4.0
- license: license (GPL-2.0-or-later, MIT, etc)
-
- min_ansible_version: 2.1
-
- # If this a Container Enabled role, provide the minimum Ansible Container version.
- # min_ansible_container_version:
-
- galaxy_tags: []
- # List tags for your role here, one per line. A tag is a keyword that describes
- # and categorizes the role. Users find roles by searching for tags. Be sure to
- # remove the '[]' above, if you add tags to this list.
- #
- # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
- # Maximum 20 tags per role.
-
-dependencies: []
- # List your role dependencies here, one per line. Be sure to remove the '[]' above,
- # if you add dependencies to this list.
diff --git a/.ansible/roles/bootstrap/meta/requirements.yml b/.ansible/roles/bootstrap/meta/requirements.yml
deleted file mode 100644
index a284879..0000000
--- a/.ansible/roles/bootstrap/meta/requirements.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-collections:
- - name: containers.podman
- version: ">=1.16.3"
- - name: ansible.posix
- version: ">=2.0.0"
- - name: community.general
- version: ">=10.6.0"
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/tasks/auth@ssh.yml b/.ansible/roles/bootstrap/tasks/auth@ssh.yml
deleted file mode 100644
index 0f92f4c..0000000
--- a/.ansible/roles/bootstrap/tasks/auth@ssh.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-- name: Add authorized keys for SSH access to accounts
- ansible.posix.authorized_keys:
- user: "{{ item[0] }}"
- key: "{{ item[1] }}"
- state: present
- validate_certs: no
- loop: "{{ pubkeys }}"
- register: pubkeys_assigned
- tags: ['default', 'assign_pubkeys']
-- name: Disable SSH password authentication
- copy:
- src: sshd/nopass.conf
- dest: /etc/ssh/sshd_config.d/nopass.conf
- owner: "{{ primary_root_acct }}"
- group: "{{ primary_root_acct }}"
- force: yes
- register: ssh_passauth_disabled
- tags: ['default', 'disable_ssh_passauth']
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/tasks/config@corepkgs.yml b/.ansible/roles/bootstrap/tasks/config@corepkgs.yml
deleted file mode 100644
index 1d2c4fa..0000000
--- a/.ansible/roles/bootstrap/tasks/config@corepkgs.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-- name: Configure gnupg and gocryptfs
- import_tasks:
- file: configure_core/gpg.yml
-- name: Configure git
- import_tasks:
- file: configure_core/git.yml
-- name: Configure fail2ban
- import_tasks:
- file: configure_core/fail2ban.yml
-- name: Configure ClamAV
- import_tasks:
- file: configure_core/clamav.yml
-- name: Configure crowdsec
- import_tasks:
- file: configure_core/crowdsec.yml
-# - name: Configure certbot and its plugins
-# import_tasks:
-# file: configure_core/certbot.yml
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/tasks/configure_core/certbot.yml b/.ansible/roles/bootstrap/tasks/configure_core/certbot.yml
deleted file mode 100644
index 72807d6..0000000
--- a/.ansible/roles/bootstrap/tasks/configure_core/certbot.yml
+++ /dev/null
@@ -1,42 +0,0 @@
----
-- name: Create a settings file for Porkbun DNS API
- become: yes
- become_method: sudo
- template:
- src: certbot/porkbun.ini.j2
- dest: "{{ web_root }}/porkbun.ini"
- force: yes
- backup: yes
- register: porkbun_api_created
-- name: Initiate DNS Acme challenge using Porkbun API plugin
- become: yes
- become_method: sudo
- command:
- argv:
- - certbot
- - certonly
- - --non-interactive
- - --agree-tos
- - --email=ajt95@prole.biz
- - --preferred-challenges=dns
- - --authenticator=dns-porkbun
- - "--dns-porkbun-credentials={{ web_root }}/porkbun.ini"
- - --dns-porkbun-propagation-seconds=60
- - -d="sukaato.moe"
- when: porkbun_api_created.rc == 0
-- name: Initiate DNS Acme challenge using Porkbun API plugin
- become: yes
- become_method: sudo
- command:
- argv:
- - certbot
- - certonly
- - --non-interactive
- - --agree-tos
- - --email=ajt95@prole.biz
- - --preferred-challenges=dns
- - --authenticator=dns-porkbun
- - "--dns-porkbun-credentials={{ web_root }}/porkbun.ini"
- - --dns-porkbun-propagation-seconds=60
- - -d="*.sukaato.moe"
- when: porkbun_api_created.rc == 0
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/tasks/configure_core/clamav.yml b/.ansible/roles/bootstrap/tasks/configure_core/clamav.yml
deleted file mode 100644
index 358787f..0000000
--- a/.ansible/roles/bootstrap/tasks/configure_core/clamav.yml
+++ /dev/null
@@ -1,94 +0,0 @@
----
-#@TODO write handlers for configuring clamav
-#@NOTE https://wiki.archlinux.org/title/ClamAV
-- name: Create freshclam file
- become: yes
- become_method: sudo
- copy:
- src: clamav/freshclam.conf
- dest: /etc/clamav/freshclam.conf
- force: yes
- backup: yes
-- name: Create clamd file
- become: yes
- become_method: sudo
- copy:
- src: clamav/clamd.conf
- dest: /etc/clamav/clamd.conf
- force: yes
- backup: yes
-- name: Create clamd file
- become: yes
- become_method: sudo
- copy:
- src: clamav/clamav-milter.conf
- dest: /etc/clamav/clamav-milter.conf
- force: yes
- backup: yes
-- name: Update clamav virus definitions
- become: yes
- become_method: sudo
- command: freshclam
-- name: Start and enable clamav service
- service:
- name: clamav-daemon
- state: started
- enabled: yes
-- name: Start and enable clamav onaccess service
- become: yes
- become_method: sudo
- service:
- name: clamav-clamonacc
- state: started
- enabled: yes
-- name: Restart clamav service
- become: yes
- become_method: sudo
- service:
- name: clamav-daemon
- state: restarted
-- name: Restart clamav onaccess service
- become: yes
- become_method: sudo
- service:
- name: clamav-clamonacc
- state: restarted
-- name: Create freshclam log file
- become: yes
- become_method: sudo
- file:
- path: /var/log/clamav/freshclam.log
- state: touch
- mode: 600
- owner: clamav
-- name: Start and enable freshclam virus definition update service
- become: yes
- become_method: sudo
- service:
- name: clamav-freshclam
- state: started
- enabled: yes
-- name: Restart freshclam virus definition update service
- become: yes
- become_method: sudo
- service:
- name: clamav-freshclam
- state: restarted
-- name: Install Fangfrisch
- become: yes
- become_method: sudo
- package:
- name: fangfrisch
- state: present
-- name: Create database structure for fangfrisch
- become_user: clamav
- become_method: sudo
- command:
- argv: [/usr/bin/fangfrisch, --conf, /etc/fangfrisch/fangfrisch.conf, initdb]
- name: Start and enable fangfrisch virus definition updates
- become: yes
- become_method: sudo
- service:
- name: fangfrisch.timer
- state: started
- enabled: yes
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/tasks/configure_core/crowdsec.yml b/.ansible/roles/bootstrap/tasks/configure_core/crowdsec.yml
deleted file mode 100644
index 6475c61..0000000
--- a/.ansible/roles/bootstrap/tasks/configure_core/crowdsec.yml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-#@TODO write handlers for configuring crowdsec
-- name: Enroll your crowdsec installation
- become: yes
- become_method: sudo
- command:
- argv: [cscli, console, enroll -e, context, "{{ enrollment_key }}"]
- register: crowdsec_enrolled
-- name: Install caddy crowdsec collection
- become: yes
- become_method: sudo
- command:
- argv: [cscli, collections, install, crowdsecurity/caddy]
-- name: Install proftpd crowdsec collection
- become: yes
- become_method: sudo
- command:
- argv: [cscli, collections, install, crowdsecurity/proftpd]
-- name: Install sshd crowdsec collection
- become: yes
- become_method: sudo
- command:
- argv: [cscli, collections, install, crowdsecurity/sshd]
-- name: Install postgresql crowdsec collection
- become: yes
- become_method: sudo
- command:
- argv: [cscli, collections, install, crowdsecurity/pgsql]
-- name: Install denial-of-service HTTP crowdsec collection
- become: yes
- become_method: sudo
- command:
- argv: [cscli, collections, install, crowdsecurity/http-dos]
-- name: Install HTTP crowdsec collection
- become: yes
- become_method: sudo
- command:
- argv: [cscli, collections, install, crowdsecurity/base-http-scenarios]
-- name: Install Postfix crowdsec collection
- become: yes
- become_method: sudo
- command:
- argv: [cscli, collections, install, crowdsecurity/postfix]
-- name: Update crowdsec objects
- become: yes
- become_method: sudo
- command:
- argv: [cscli, hub, update]
-- name: Upgrade crowdsec objects
- become: yes
- become_method: sudo
- command:
- argv: [cscli, hub, upgrade]
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/tasks/configure_core/fail2ban.yml b/.ansible/roles/bootstrap/tasks/configure_core/fail2ban.yml
deleted file mode 100644
index 5d660c4..0000000
--- a/.ansible/roles/bootstrap/tasks/configure_core/fail2ban.yml
+++ /dev/null
@@ -1,76 +0,0 @@
----
-- name: Check if path to fail2ban configuration files exists
- stat:
- path: /etc/fail2ban/jail.d
- register: fail2path
-- name: Check if path to systemd fail2ban service configuration files exists
- stat:
- path: /etc/systemd/system/fail2ban.service.d
- register: fail2serve_path
-- name: Create relevant fail2ban configuration directory
- become: yes
- become_method: sudo
- file:
- path: /etc/fail2ban/jail.d
- state: directory
- register: fail2bandir_created
- when: not fail2path.stat.exists
-- name: Create relevant fail2ban configuration directory
- become: yes
- become_method: sudo
- file:
- path: /etc/systemd/system/fail2ban.service.d
- state: directory
- register: fail2servdir_created
- when: not fail2serve_path.stat.exists
-- name: Copy protftpd jail file
- become: yes
- become_method: sudo
- copy:
- src: ftp.local
- dest: /etc/fail2ban/jail.d/ftp.local
- force: yes
- backup: yes
- when: fail2path.stat.exists
-- name: Copy sshd jail file
- become: yes
- become_method: sudo
- copy:
- src: sshd.local
- dest: /etc/fail2ban/jail.d/sshd.local
- force: yes
- backup: yes
- when: fail2path.stat.exists
-- name: Copy fail2ban modified service configuration
- become: yes
- become_method: sudo
- copy:
- src: override.conf
- dest: /etc/systemd/system/fail2ban.service.d/sshd.local
- force: yes
- backup: yes
- when: fail2serve_path.stat.exists
-- name: Reload fail2ban service
- become: yes
- become_method: sudo
- service:
- name: fail2ban
- state: reloaded
- register: fail2ban_reloaded
-- name: Start and enable fail2ban service
- become: yes
- become_method: sudo
- service:
- name: fail2ban
- state: started
- enabled: yes
- register: fail2ban_running
- when: fail2ban_reloaded
-- name: Restart fail2ban service
- become: yes
- become_method: sudo
- service:
- name: fail2ban
- state: restarted
- register: fail2ban_restarted
- when: fail2ban_reloaded
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/tasks/configure_core/git.yml b/.ansible/roles/bootstrap/tasks/configure_core/git.yml
deleted file mode 100644
index 6c9347c..0000000
--- a/.ansible/roles/bootstrap/tasks/configure_core/git.yml
+++ /dev/null
@@ -1,123 +0,0 @@
----
-- name: Set default branch name
- become: yes
- become_method: sudo
- community.general.git_config:
- name: init.defaultBranch
- value: main
- scope: system
- add_mode: replace_all
- state: present
- register: gitedit_set
-- name: Set default git text editor
- become: yes
- become_method: sudo
- community.general.git_config:
- name: core.editor
- value: vim
- scope: system
- add_mode: replace_all
- state: present
- register: gitedit_set
-- name: Create directory for some git files
- file:
- path: "{{ ansible_facts['user_dir'] }}/.config/git"
- state: directory
- register: gitdir_created
-- name: Create git commit message template file
- copy:
- src: git/gitmessage
- dest: "{{ ansible_facts['user_dir'] }}/.config/git/gitmessage"
- force: yes
- backup: yes
- register: gittemp_created
-- name: Set a commit template file for git
- community.general.git_config:
- name: commit.template
- value: "{{ ansible_facts['user_dir'] }}/.config/git/gitmessage"
- scope: global
- add_mode: replace_all
- state: present
- register: gittemp_set
-- name: Set git key format to OpenPGP
- community.general.git_config:
- name: gpg.format
- value: "openpgp"
- scope: global
- add_mode: replace_all
- state: present
- register: gitkeyformat_set
- #@TODO: Add a gpg section to group_var or host_var vaults
-- name: Set a user signing key for git
- community.general.git_config:
- name: user.signingkey
- value: "{{ gpg_sign_id }}"
- scope: global
- add_mode: replace_all
- state: present
- register: gitsignkey_registered
-- name: Set key signage to occur for commits by default in git
- community.general.git_config:
- name: commit.gpgSign
- value: "true"
- scope: global
- add_mode: replace_all
- state: present
-- name: Set key signage to occur for tagging by default in git
- community.general.git_config:
- name: tag.gpgSign
- value: "true"
- scope: global
- add_mode: replace_all
- state: present
-- name: Create a boilerplate gitignore file for git
- copy:
- src: git/gitignore.sample
- dest: "{{ ansible_facts['user_dir'] }}/.config/git/gitignore"
- force: yes
- backup: yes
- register: gitgignore_created
-- name: Set boilerplate gitignore file in global scope
- community.general.git_config:
- name: core.excludesfile
- value: "{{ ansible_facts['user_dir'] }}/.config/git/gitignore"
- scope: global
- add_mode: replace_all
- state: present
- register: gitgignore_set
-- name: Set autocorrect for git
- become: yes
- become_method: sudo
- community.general.git_config:
- name: help.autocorrect
- value: 0
- scope: system
- add_mode: replace_all
- state: present
- register: gitautocorr_set
-- name: Set git to replace CRLF endings when pulling
- become: yes
- become_method: sudo
- community.general.git_config:
- name: core.autocrlf
- value: input
- scope: system
- add_mode: replace_all
- state: present
- register: gitcrlf_set
-- name: Set git username
- community.general.git_config:
- name: user.name
- value: "{{ official_name | default(ansible_facts['user_id'], true) }}"
- scope: global
- add_mode: replace_all
- state: present
- register: gituser_set
-- name: Set git user email
- community.general.git_config:
- name: user.email
- value: "{{ official_email | default('admin@' ~ domain_name, true) }}"
- scope: global
- add_mode: replace_all
- state: present
- register: gitemail_set
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/tasks/configure_core/gpg.yml b/.ansible/roles/bootstrap/tasks/configure_core/gpg.yml
deleted file mode 100644
index 6dc9e59..0000000
--- a/.ansible/roles/bootstrap/tasks/configure_core/gpg.yml
+++ /dev/null
@@ -1,89 +0,0 @@
----
-- name: Copy and import GPG keypairs to remote host
- block:
- - name: Create cipher directory for gocryptfs
- file:
- path: "{{ ansible_facts['user_dir'] }}/.ciphers"
- state: directory
- - name: Create a gocryptfs vault
- command:
- argv: [/usr/bin/gocryptfs, -init, "{{ ansible_facts['user_dir'] }}/.ciphers"]
- stdin: "{{ gcfs_password }}"
- register: gcfs_masterkey_created
- - name: Create temporary file for password
- tempfile:
- prefix: gcfs_passfile
- state: file
- register: tempfile_created
- - name: Put password in temporary file
- lineinfile:
- path: "{{ tempfile_created.path }}"
- line: "{{ gcfs_password }}"
- state: present
- when: tempfile_created
- - name: Create directory for storing gocryptfs decryption configuration files
- file:
- path: "{{ ansible_facts['user_dir'] }}/.fskeys/ciphers"
- state: directory
- - name: Get gocryptfs decryption configuration file metadata
- stat:
- path: "{{ ansible_facts['user_dir'] }}/.ciphers"
- when: gcfs_masterkey_created.rc == 0
- register: gcfs_vault
- - name: Copy gocryptfs decryption configuration to another directory
- copy:
- remote_src: "{{ ansible_facts['user_dir'] }}/.ciphers/gocryptfs.conf"
- dest: "{{ ansible_facts['user_dir'] }}/.fskeys/ciphers/gocryptfs.conf"
- force: yes
- backup: yes
- register: gocryptfs_conf_copied
- when: gcfs_vault.stat.exists and gcfs_masterkey_created.rc == 0
- - name: Remove gocryptfs decryption configuration from source directory
- file:
- path: "{{ ansible_facts['user_dir'] }}/.ciphers/gocryptfs.conf"
- state: absent
- register: gocryptfs_orig_conf_removed
- when: gocryptfs_conf_copied
- - name: Mount the gocryptfs vault
- ansible.posix.mount:
- src: "{{ ansible_facts['user_dir'] }}/.ciphers"
- path: "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain"
- state: ephemeral
- fstype: fuse./usr/bin/gocryptfs
- opts: "nofail,passfile={{ tempfile_created.path }},config={{ ansible_facts['user_dir'] }}/.fskeys/ciphers/gocryptfs.conf"
- register: gcfs_mounted
- when: gcfs_vault.stat.exists and gcfs_masterkey_created.rc == 0
- - name: Create directory in decrypted gocryptfs vault
- file:
- path: "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain/gpg"
- state: directory
- when: gcfs_mounted
- - name: Copy GPG keypair
- copy:
- src: "gpg/{{ ansible_facts['user_id'] }}/{{ item }}"
- dest: "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain/gpg/{{ item }}"
- force: yes
- backup: yes
- loop: "{{ query('fileglob', roles_path ~ 'bootstrap/files/gpg/' ~ ansible_facts['user_id'] ~ '/*') }}"
- register: gpgkeys_copied
- when: gcfs_mounted
- - name: Import GPG keypair
- become: yes
- become_method: sudo
- command:
- argv: [gpg, --import, "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain/gpg/{{ item }}"]
- loop: "{{ query('fileglob', roles_path ~ 'bootstrap/files/gpg/' ~ ansible_facts['user_id'] ~ '/*') }}"
- register: gpgkeys_imported
- when: gpgkeys_copied and gcfs_mounted
- #@TODO create handler that sends copy of gcfs_masterkey_created somehow
- - name: Unmount the gocryptfs vault
- ansible.posix.mount:
- path: "{{ ansible_facts['user_dir'] }}/.mnt/plains"
- state: unmounted
- register: gcfs_unmounted
- when: gpgkeys_copied and gcfs_mounted
- # - name: Unmount the gocryptfs vault
- # command:
- # argv: [fusermount, -u, "{{ ansible_facts['user_dir'] }}/.mnt/plains"]
- # when: gpgkeys_copied and gcfs_mounted
- register: gpg_keypair_copy
diff --git a/.ansible/roles/bootstrap/tasks/configure_core/proftpd.yml b/.ansible/roles/bootstrap/tasks/configure_core/proftpd.yml
deleted file mode 100644
index 47acdde..0000000
--- a/.ansible/roles/bootstrap/tasks/configure_core/proftpd.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-- name: Configure ProFTPd
- block:
- - name: Apply proftpd configuration template
- become: yes
- become_method: sudo
- template:
- src: proftpd/proftpd.conf.j2
- dest: /etc/proftpd/proftpd.conf
- force: yes
- backup: yes
- - name: Apply proftpd virtualhost configuration template
- become: yes
- become_method: sudo
- template:
- src: proftpd/vhost.conf.j2
- dest: /etc/proftpd/conf.d/hosts.conf
- force: yes
- backup: yes
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/tasks/core_installations.yml b/.ansible/roles/bootstrap/tasks/core_installations.yml
deleted file mode 100644
index 72e5fcf..0000000
--- a/.ansible/roles/bootstrap/tasks/core_installations.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- name: Install natively available core system packages
- package:
- name: "{{ item.package }}"
- state: present
- loop: "{{ combine(server_pkgs, virtualization_pkgs, pkgmanager_pkgs, cli_pkgs, coding_pkgs, media_pkgs) }}"
- register: native_done
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/tasks/core_installations@Debian.yml b/.ansible/roles/bootstrap/tasks/core_installations@Debian.yml
deleted file mode 100644
index 4f3b525..0000000
--- a/.ansible/roles/bootstrap/tasks/core_installations@Debian.yml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-- name: Register new repositories
- block:
- - name: Grab keys for foreign package repositories
- get_url:
- url: "{{ item.key }}"
- dest: "{{ item.key_dest }}"
- group: root
- owner: root
- force: true
- when: item.key is defined and item.key_orig_is_url
- - name: Add (i.e., render native) the foreign package repositories
- get_url:
- url: "{{ item.repo }}"
- dest: "{{ item.repo_dest }}"
- group: root
- owner: root
- force: true
- when: item.repo is defined and item.repo_orig_is_url
- - name: Grab keys for foreign package repositories
- copy:
- src: "{{ item.key }}"
- dest: "{{ item.key_dest }}"
- group: root
- owner: root
- force: true
- when: item.key is defined and not item.key_orig_is_url
- - name: Add (i.e., render native) the foreign package repositories
- copy:
- src: "{{ item.repo }}"
- dest: "{{ item.repo_dest }}"
- group: root
- owner: root
- force: true
- when: item.repo is defined and not item.repo_orig_is_url
- loop: "{{ combine(server_pkgs_ext, cli_pkgs_ext) }}"
- register: repos_added
- notify: update
-- name: Install newly available packages
- package:
- name: "{{ item.package }}{{ item.version }}"
- state: latest
- loop: "{{ combine(server_pkgs_ext, cli_pkgs_ext) }}"
- register: foreign_pkgs_done
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/tasks/core_installations@podman.yml b/.ansible/roles/bootstrap/tasks/core_installations@podman.yml
deleted file mode 100644
index f088645..0000000
--- a/.ansible/roles/bootstrap/tasks/core_installations@podman.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: Pull necessary images for containers
- containers.podman.podman_image:
- name: "{{ item.uri }}"
- tag: "{{ item.tag }}"
- pull: yes
- state: present
- loop: "{{ core_cimages }}"
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/tasks/denyroot.yml b/.ansible/roles/bootstrap/tasks/denyroot.yml
deleted file mode 100644
index 5c1b64d..0000000
--- a/.ansible/roles/bootstrap/tasks/denyroot.yml
+++ /dev/null
@@ -1,34 +0,0 @@
----
-- name: Disable shell session root login
- user:
- name: "{{ item.username }}"
- shell: /sbin/nologin
- loop: "{{ roots }}"
- register: root_deshelled
- when: nonlogin_method == 'deshell'
- tags: ['default', 'root_deshelling']
-- name: Lock the root account
- user:
- name: "{{ item.username }}"
- password_lock: yes
- loop: "{{ roots }}"
- register: root_locked
- when: nonlogin_method == 'lock' or nonlogin_method == 'all'
- tags: ['default', 'root_locking']
-- name: Disable root account password
- user:
- name: "{{ item.username }}"
- password: "*"
- loop: "{{ roots }}"
- register: root_closed
- when: nonlogin_method == 'close'
- tags: ['default', 'root_closing']
-- name: Disable root account password and shell login
- user:
- name: "{{ item.username }}"
- password: "*"
- shell: /sbin/nologin
- loop: "{{ roots }}"
- register: root_delogged
- when: nonlogin_method == 'delog' or nonlogin_method == 'all'
- tags: ['default', 'root_locking']
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/tasks/denyroot@ssh.yml b/.ansible/roles/bootstrap/tasks/denyroot@ssh.yml
deleted file mode 100644
index 24d57bb..0000000
--- a/.ansible/roles/bootstrap/tasks/denyroot@ssh.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-- name: Disable remote login for root
- copy:
- src: sshd/denyroot.conf
- dest: /etc/ssh/sshd_config.d/denyroot.conf
- owner: "{{ primary_root_acct }}"
- group: "{{ primary_root_acct }}"
- force: yes
- register: sshroot_disabled
- tags: ['default', 'deny_sshroot']
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/tasks/extra_installations.yml b/.ansible/roles/bootstrap/tasks/extra_installations.yml
deleted file mode 100644
index b1ef7ee..0000000
--- a/.ansible/roles/bootstrap/tasks/extra_installations.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- name: Install natively available core system packages
- package:
- name: "{{ item.package }}"
- state: present
- loop: "{{ my_pkgs }}"
- register: extra_done
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/tasks/extra_installations@podman.yml b/.ansible/roles/bootstrap/tasks/extra_installations@podman.yml
deleted file mode 100644
index 848005a..0000000
--- a/.ansible/roles/bootstrap/tasks/extra_installations@podman.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: Pull recommended images for containers
- containers.podman.podman_image:
- name: "{{ item.uri }}"
- tag: "{{ item.tag }}"
- pull: yes
- state: present
- loop: "{{ recc_cimages }}"
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/tasks/groups.yml b/.ansible/roles/bootstrap/tasks/groups.yml
deleted file mode 100644
index 5ca46f4..0000000
--- a/.ansible/roles/bootstrap/tasks/groups.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: Create system groups
- group:
- name: "{{ item.group_name }}"
- system: yes
- state: present
- loop: "{{ sys_groups }}"
- register: groups_created
- tags: ['default']
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/tasks/main.yml b/.ansible/roles/bootstrap/tasks/main.yml
deleted file mode 100644
index b30b745..0000000
--- a/.ansible/roles/bootstrap/tasks/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-#SPDX-License-Identifier: MIT-0
----
-# tasks file for bootstrap
diff --git a/.ansible/roles/bootstrap/tasks/upgrade@Debian.yml b/.ansible/roles/bootstrap/tasks/upgrade@Debian.yml
deleted file mode 100644
index 350ff02..0000000
--- a/.ansible/roles/bootstrap/tasks/upgrade@Debian.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- name: Update repositories cache
- apt:
- update_cache: yes
- upgrade: "{{ upgrade_type }}"
- register: system_upgraded
- tags: ['upgrade_pkgs']
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/tasks/users@Debian.yml b/.ansible/roles/bootstrap/tasks/users@Debian.yml
deleted file mode 100644
index 8d7e2b8..0000000
--- a/.ansible/roles/bootstrap/tasks/users@Debian.yml
+++ /dev/null
@@ -1,45 +0,0 @@
----
-- name: Create administrative user
- user:
- name: "{{ item.username }}"
- system: no
- create_home: yes
- append: yes
- groups:
- - sudo
- shell: /bin/bash
- password: "{{ item.password }}"
- password_expire_max: 186
- password_expire_min: 93
- password_expire_warn: 15
- state: present
- loop: "{{ admins }}"
- register: admins_created
- when: admins is defined
- tags: ['default', 'add_admins']
-- name: Create guest user
- user:
- name: "{{ item.username }}"
- system: no
- create_home: yes
- shell: /bin/bash
- state: present
- loop: "{{ guests }}"
- register: guests_created
- when: guests is defined
- tags: ['add_guests']
-- name: Create standard users
- user:
- name: "{{ item.username }}"
- system: no
- create_home: yes
- shell: "/bin/bash"
- password: "{{ item.password }}"
- password_expire_max: 93
- password_expire_min: 30
- password_expire_warn: 7
- state: present
- loop: "{{ users }}"
- register: users_created
- when: users is defined
- tags: ['default', 'add_users']
diff --git a/.ansible/roles/bootstrap/templates/certbot/porkbun.ini.j2 b/.ansible/roles/bootstrap/templates/certbot/porkbun.ini.j2
deleted file mode 100644
index 3f44ebb..0000000
--- a/.ansible/roles/bootstrap/templates/certbot/porkbun.ini.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-dns_porkbun_secret={{ dns_secret }}
-dns_porkbun_key={{ dns_key }}
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/templates/proftpd/proftpd.conf.j2 b/.ansible/roles/bootstrap/templates/proftpd/proftpd.conf.j2
deleted file mode 100644
index 192c9c8..0000000
--- a/.ansible/roles/bootstrap/templates/proftpd/proftpd.conf.j2
+++ /dev/null
@@ -1,93 +0,0 @@ -ServerType standalone -ServerName ProFTPd -ServerAdmin ftp@sukaato -ServerIdent on "Currently on the fallback server..." -Protocols ftp -DefaultServer on -Port 21 - -User ftpd -Group nogroup - -TransferLog /var/log/proftpd/transfer.log -SystemLog /var/log/proftpd/proftpd.log - - - LoadModule mod_tls.c - - - - LoadModule mod_ifsession.c - - - - LoadModule mod_auth_file.c - - - - DenyAll - - - - AuthOrder mod_auth_file.c mod_auth_pam.c mod_auth_unix.c - RootLogin off - RequireValidShell off - UseFtpUsers off - PersistentPassword off - AllowEmptyPasswords off - DisplayConnect {{ welcome_msg_path }} - DisplayQuit {{ goodbye_msg_path }} - DisplayFileTransfer {{ transfer_msg_path }} - Umask {{ default_umask }} - MaxClients 35 - MaxClientsPerUser 5 - MaxLoginAttempts 4 - TimeoutSession 28800 - TimeoutNoTransfer 900 - TimeoutStalled 900 - TimeoutIdle 1200 - TimeoutLinger 120 - ListOptions "" maxdepth 3 - AllowOverwrite on - ShowSymlinks on - - - IdentLookups off - - - - QuotaEngine off - - - - Ratios off - - - - DelayEngine on - - - - DenyAll - - - - AllowUser OR {{ users_allowed }} - DenyAll - - - DirFakeUser on ~ - DirFakeGroup on ~ - - DefaultRoot ~ - - - HideFiles ^\. - - - IgnoreHidden on - - - - -Include /etc/proftpd/conf.d/*.conf \ No newline at end of file diff --git a/.ansible/roles/bootstrap/templates/proftpd/vhost.conf.j2 b/.ansible/roles/bootstrap/templates/proftpd/vhost.conf.j2 deleted file mode 100644 index 9907d4b..0000000 --- a/.ansible/roles/bootstrap/templates/proftpd/vhost.conf.j2 +++ /dev/null 
@@ -1,31 +0,0 @@ - - - ServerName {{ servername }} - ServerAdmin {{ admin_email }} - ServerAlias {{ serveralias }} - ServerIdent on "Welcome to %v!" - Protocols {{ ftp_protocols }} - Port {{ ftp_port }} - {# PassivePorts 49152 65534 #} - DisplayChdir .category.msg - DisplayLogin .welcome.msg - - TLSEngine on - TLSLog /var/log/proftpd/tls.log - TLSProtocol SSLv23 - TLSOptions AllowClientRenegotiations - TLSVerifyClient off - TLSRequired on - TLSRenegotiate required off - - TLSECCertificateFile {{ sec_cert_path }} - TLSCACertificateFile {{ sca_cert_path }} - TLSECCertificateKeyFile {{ key_cert_path }} - - - AuthUserFile {{ ftp_auth_user_path }} - AuthGroupFile {{ ftp_auth_group_path }} - AuthFileOptions SyntaxCheck - - - \ No newline at end of file diff --git a/.ansible/roles/bootstrap/tests/inventory b/.ansible/roles/bootstrap/tests/inventory deleted file mode 100644 index 03ca42f..0000000 --- a/.ansible/roles/bootstrap/tests/inventory +++ /dev/null @@ -1,3 +0,0 @@ -#SPDX-License-Identifier: MIT-0 -localhost - diff --git a/.ansible/roles/bootstrap/tests/test.yml b/.ansible/roles/bootstrap/tests/test.yml deleted file mode 100644 index e5df577..0000000 --- a/.ansible/roles/bootstrap/tests/test.yml +++ /dev/null @@ -1,6 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -- hosts: localhost - remote_user: root - roles: - - bootstrap diff --git a/.ansible/roles/bootstrap/vars/main/general.yml b/.ansible/roles/bootstrap/vars/main/general.yml deleted file mode 100644 index 13d0393..0000000 --- a/.ansible/roles/bootstrap/vars/main/general.yml +++ /dev/null @@ -1,12 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -# vars file for bootstrap -admins: ~ -guests: ~ -users: ~ -roots: ~ -enrollment_key: "{{ crowdsec_key }}" -gcfs_password: "{{ gocrypt_password }}" -gpg_sign_id: ~ -official_name: ~ -official_email: ~ diff --git a/.ansible/roles/bootstrap/vars/options/certbot.yml b/.ansible/roles/bootstrap/vars/options/certbot.yml deleted file mode 100644 index 17a530f..0000000 
--- a/.ansible/roles/bootstrap/vars/options/certbot.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-dns_secret: "{{ porkbun_api_secret }}"
-dns_key: "{{ porkbun_api_key }}"
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/vars/options/crowdsec.yml b/.ansible/roles/bootstrap/vars/options/crowdsec.yml
deleted file mode 100644
index 90372ec..0000000
--- a/.ansible/roles/bootstrap/vars/options/crowdsec.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-enrollment_key: "{{ crowdsec_key }}"
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/vars/options/git.yml b/.ansible/roles/bootstrap/vars/options/git.yml
deleted file mode 100644
index dc37218..0000000
--- a/.ansible/roles/bootstrap/vars/options/git.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-gpg_sign_id: ~
-official_name: ~
-official_email: ~
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/vars/options/gpg.yml b/.ansible/roles/bootstrap/vars/options/gpg.yml
deleted file mode 100644
index de243c2..0000000
--- a/.ansible/roles/bootstrap/vars/options/gpg.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-gcfs_password: "{{ gocrypt_password }}"
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/vars/options/proftpd.yml b/.ansible/roles/bootstrap/vars/options/proftpd.yml
deleted file mode 100644
index 850cdea..0000000
--- a/.ansible/roles/bootstrap/vars/options/proftpd.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-welcome_msg_path: /etc/proftpd/welcome.msg
-goodbye_msg_path: /etc/proftpd/bye.msg
-transfer_msg_path: /etc/proftpd/transfer.msg
-default_umask: "0022 0022"
-users_allowed: cybersmuggler webmaster
-servername: ftp.sukaato.moe
-admin_email: admin@sukaato.moe
-serveralias: sukaato
-ftp_protocols: ftps
-ftp_port: 990
-sec_cert_path: /etc/srv/domain.cert.pem
-sca_cert_path: /etc/srv/domain.cert.pem
-key_cert_path: /etc/srv/private.key.pem
-ftp_auth_user_path: /etc/proftpd/ftp.passwd
-ftp_auth_group_path: /etc/proftpd/ftpd.group
\ No newline at end of file
diff --git a/.ansible/roles/bootstrap/vars/options/ssh.yml b/.ansible/roles/bootstrap/vars/options/ssh.yml
deleted file mode 100644
index 5546866..0000000
--- a/.ansible/roles/bootstrap/vars/options/ssh.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-pubkeys: "{{ user_pubkeys }}"
-primary_root_acct: "{{ root_auths[0] }}"
-nonlogin_method: delog
-roots: "{{ root_auths }}"
\ No newline at end of file