Added new ansible home directory, moving roles into its 'roles' subdirectory

This commit is contained in:
Alex Tavarez
2025-07-27 00:04:39 -04:00
parent 16430af533
commit bffe44b5a7
60 changed files with 0 additions and 0 deletions

.ansible/.lock Normal file


@@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).


@@ -0,0 +1,58 @@
---
#@TODO: additional self-hosted services to consider for images:
#@NOTE https://awesome-selfhosted.net
core_cimages:
#@NOTE bash ssh service
#@NOTE https://hub.docker.com/r/linuxserver/openssh-server
- uri: docker.io/linuxserver/openssh-server
tag: latest
#@NOTE the below should only be used if not using caddy on host for webdev
# #@NOTE Apache web service with PHP
# #@NOTE https://hub.docker.com/_/php
# #@NOTE https://hub.docker.com/_/httpd
# - uri: docker.io/php
# tag: apache
#@NOTE cloud service
#@NOTE https://nextcloud.com/blog/how-to-install-the-nextcloud-all-in-one-on-linux/
#@NOTE https://github.com/nextcloud/all-in-one/blob/main/compose.yaml
- uri: docker.io/nextcloud/aio-postgresql
tag: latest
#@NOTE OpenPGP public keyservice
#@NOTE https://hockeypuck.io/install-docker.html
- uri: docker.io/hockeypuck/hockeypuck
tag: 2.0.14
recc_cimages:
#@NOTE livestreaming web service
#@NOTE https://owncast.online/quickstart/container/
- uri: docker.io/owncast/owncast
tag: latest
#@NOTE XMPP chat service
#@NOTE https://prosody.im/doc/docker
- uri: docker.io/prosody/prosody
tag: latest
#@NOTE matrix chat service
#@NOTE https://element-hq.github.io/synapse/latest/setup/installation.html#docker-images-and-ansible-playbooks
- uri: docker.io/matrixdotorg/synapse
tag: latest
#@NOTE budgeting web service
#@NOTE https://actualbudget.org/docs/install/docker
- url: docker.io/actualbudget/actual-server
tag: latest-alpine
#@NOTE grocery and household management web service
#@NOTE https://hub.docker.com/r/linuxserver/grocy
- url: docker.io/linuxserver/grocy
tag: latest
#@NOTE workout management web service
#@NOTE https://wger.readthedocs.io/en/latest/production/docker.html
- url: docker.io/wger/server
tag: latest
#@NOTE recipe management web service
#@NOTE https://docs.mealie.io/documentation/getting-started/installation/installation-checklist/
- url: docker.io/hkotel/mealie
tag: latest
#@NOTE IRC service
- url: docker.io/inspircd/inspircd-docker
tag: latest
#@NOTE anope IRC services
- url: docker.io/anope/anope
tag: latest
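Review bot: The entries from `actualbudget/actual-server` through `anope/anope` use the key `url` while every earlier entry uses `uri`, so whichever key the consuming task reads, the other part of the list is silently skipped or fails on a missing key; rename them to `uri` to match the rest of `core_cimages` and `recc_cimages`. Separately, every image except `hockeypuck` is pulled by the mutable `latest` tag, so the host's image set changes on each run with nothing in this file to reproduce or audit it; pinning a version tag (as `hockeypuck/hockeypuck` does with `2.0.14`) or an immutable `@sha256:` digest would make pulls reproducible. If `latest` is intentional for some images, a `#@NOTE` saying so next to the entry would stop reviewers from re-raising it.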


@@ -0,0 +1,233 @@
---
#@TODO: packages needed: mail server, URL shortener, music player daemon
server_pkgs:
#@NOTE version control
- package: git-all
version: ~
#@NOTE reverse proxy
- package: caddy
version: ~
#@NOTE database management service
- package: sqlite3
version: ~
#@NOTE database management service
- package: postgresql
version: ~
#@NOTE onion router, relay or server
- package: tor
version: ~
#@NOTE FTP service
- package: proftpd-core
version: ~
#@NOTE antivirus module for extending FTP service
- package: proftpd-mod-clamav
version: ~
#@NOTE cryptographic module for extending FTP service
- package: proftpd-mod-crypto
version: ~
#@NOTE postgresql module for extending FTP service
- package: proftpd-mod-pgsql
version: ~
#@NOTE sqlite module for extending FTP service
- package: proftpd-mod-sqlite
version: ~
# #@NOTE IRC chat service
# - package: inspircd
# version: ~
# #@NOTE IRC extended services
# - package: anope
# version: ~
- package: gnunet
version: ~
#@NOTE CLI download manager service
- package: aria2
version: ~
#@NOTE crowdsourced security stack
- package: crowdsec
version: ~
# #@NOTE TURN and STUN server
# - package: coturn
# version: ~
#@NOTE email server
- package: postfix
version: ~
server_pkgs_ext:
#@NOTE VPN tunnel
- package: tailscale
version: ~
key_orig_is_url: yes
key: https://pkgs.tailscale.com/stable/debian/bookworm.noarmor.gpg
key_dest: /usr/share/keyrings/tailscale-archive-keyring.gpg
repo_orig_is_url: yes
repo: https://pkgs.tailscale.com/stable/debian/bookworm.tailscale-keyring.list
repo_dest: /etc/apt/sources.list.d/tailscale.list
virtualization_pkgs:
#@NOTE container engine
- package: podman
version: ~
#@NOTE container engine configuration manager
- package: podman-compose
version: ~
#@NOTE container engine
- package: distrobox
version: ~
pkgmanager_pkgs:
- package: snapd
version: ~
- package: flatpak
version: ~
cli_pkgs:
#@NOTE terminal
- package: kitty
version: ~
#@NOTE vi/vim-based text editor
- package: neovim
version: ~
#@NOTE antivirus client
- package: clamav
version: ~
#@NOTE intrusion prevention software framework
- package: fail2ban
version: ~
#@NOTE SSL certificate tool
- package: certbot
version: ~
#@NOTE Overlay file encryption tool
- package: gocryptfs
version: ~
#@NOTE these should be available on the system by default
# #@NOTE encryption, authentication and signature key manager
# - package: gnupg
# version: ~
# - package: gnupg-agent
# version: ~
# - package: gnupg-l10n
# version: ~
# - package: gnupg-utils
# version: ~
# #@NOTE userspace filesystem utility
# - package: fuse3
# version: ~
# #@NOTE version control utility
# - package: git
# version: ~
cli_pkgs_ext:
#@NOTE markdown rendering or syntax highlighting
- package: glow
version: ~
key_orig_is_url: yes
key: https://repo.charm.sh/apt/gpg.key
key_dest: /etc/apt/keyrings/charm.gpg
repo_orig_is_url: no
repo: repos.Debian/charm.list
repo_dest: /etc/apt/sources.list.d/charm.list
transcoding_pkgs:
#@NOTE media-handling suite
- package: ffmpeg
version: ~
#@NOTE VP9 video codec
- package: libvpx9
version: ~
media_pkgs:
#@NOTE media playtime synchronization server
- package: syncplay-server
version: ~
coding_pkgs:
#@NOTE NodeJS Javascript runtime environment
- package: nodejs
version: ~
#@NOTE NodeJS documentation
- package: nodejs-doc
version: ~
#@NOTE NodeJS package manager
- package: npm
version: ~
#@NOTE NodeJS Reactjs web framework
- package: node-react
version: ~
#@NOTE NodeJS expressjs web framework
- package: node-express
version: ~
#@NOTE Erlang virtualized programming language
- package: erlang
version: ~
#@NOTE Elixir virtualized programming language
- package: elixir
version: ~
#@NOTE Elixir/ErLand package manager
- package: erlang-hex
version: ~
- package: pandoc
version: ~
#@NOTE Crystal programming language
- package: crystal
version: ~
#@NOTE Crystal documentation
- package: crystal-doc
version: ~
#@NOTE Crystal package manager
- package: shards
version: ~
#@NOTE Python programming language
- package: python3
version: ~
#@NOTE Python package manager
- package: python3-pip
version: ~
#@NOTE Python web framework
- package: python3-flask
version: ~
#@NOTE Ruby programming language
- package: ruby-standalone
version: ~
#@NOTE Ruby package manager
- package: ruby-rubygems
version: ~
#@NOTE Ruby web framework
- package: ruby-rails
version: ~
#@NOTE Rust programming language
- package: rustc
version: ~
#@NOTE Rust documentation
- package: rust-doc
version: ~
#@NOTE Rust package manager
- package: cargo
version: ~
#@NOTE Rust package manager documentation
- package: cargo-doc
version: ~
#@NOTE Rust toolchain
- package: rustup
version: ~
#@NOTE Lua programming language
- package: lua5.1
version: ~
#@NOTE Lua documentation
- package: lua5.1-doc
version: ~
#@NOTE Lua package manager
- package: luarocks
version: ~
#@NOTE LLVM to Javascript compiler (needed for WASMoon module)
- package: emscripten
version: ~
#@NOTE LLVM to Javascript compiler (needed for WASMoon module)
- package: emscripten-doc
version: ~
#@NOTE R programming language
- package: r-base
version: ~
#@NOTE R programming language
- package: r-base
version: ~
#@NOTE PHP programming language
- package: php
version: ~
#@NOTE PHP interpreter server
- package: php-fpm
version: ~
#@NOTE PHP dependency manager
- package: composer
version: ~
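Review bot: The `tailscale` entry under `server_pkgs_ext` points both `key` and `repo` at remote URLs with no checksum or fingerprint alongside them, so if the consuming task writes the fetched keyring straight to `key_dest` the apt trust root rests entirely on that one TLS fetch; a constructed `key_sha256: "<expected digest>"` (or a key fingerprint) field next to `key` would let the task verify the keyring before it lands in `/usr/share/keyrings`, and the same applies to the `glow` entry in `cli_pkgs_ext`. `key_orig_is_url: yes` and `repo_orig_is_url: no` are YAML 1.1 truthy scalars; Ansible's loader reads them as booleans, but `true`/`false` is what yamllint expects and avoids surprises with other loaders. `r-base` appears twice in a row under `coding_pkgs`; drop the second entry. The comment above `emscripten-doc` repeats the compiler description and should read `#@NOTE LLVM to Javascript compiler documentation`.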


@@ -0,0 +1,4 @@
---
#@NOTE list your packages consistent with format of 'core_images@podman.yml'
#@NOTE no other keys/variables at top-level allowed than 'my_cimages'
my_cimages: ~
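Review bot: `my_cimages: ~` makes the variable `null` rather than an empty list, so a consumer that iterates it (presumably together with `core_cimages`/`recc_cimages`) has to special-case `None` before looping; `my_cimages: []` expresses "no extra images" and iterates cleanly. The same applies to `my_pkgs: ~` in the next file. If `null` is deliberate as an "unset" sentinel, a `#@NOTE` stating that the consumer skips `null` would document the contract.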


@@ -0,0 +1,4 @@
---
#@NOTE list your packages consistent with format of 'core_pkgs@Debian.yml'
#@NOTE no other keys/variables at top-level allowed than 'my_pkgs'
my_pkgs: ~


@@ -0,0 +1,11 @@
---
# defaults file for bootstrap
admins: ~
guests: ~
users: ~
roots: ~
enrollment_key: ~
gcfs_password: ~
gpg_sign_id: ~
official_name: ~
official_email: ~
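Review bot: `enrollment_key` and `gcfs_password` are secret-valued variables shipped as `null` defaults, which means a play where the operator forgot to supply them proceeds with `None` unless the consuming task checks; an `assert:` on these at the start of the role, or `{{ gcfs_password | mandatory }}` at the use site, fails early instead of enrolling with an empty key or setting an empty password. The same applies to `dns_secret`/`dns_key` in the following defaults file. Tasks that consume them should also set `no_log: true` so the value is not echoed into the run log. A short comment under `# defaults file for bootstrap` naming which of these are expected to come from vault rather than inventory would help the next operator.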


@@ -0,0 +1,3 @@
---
dns_secret: ~
dns_key: ~


@@ -0,0 +1,2 @@
---
enrollment_key: ~


@@ -0,0 +1,4 @@
---
gpg_sign_id: ~
official_name: ~
official_email: ~


@@ -0,0 +1,2 @@
---
gcfs_password: ~


@@ -0,0 +1,16 @@
---
welcome_msg_path: /etc/proftpd/welcome.msg
goodbye_msg_path: /etc/proftpd/bye.msg
transfer_msg_path: /etc/proftpd/transfer.msg
default_umask: 0022 0022
users_allowed: root
servername: ~
admin_email: ~
serveralias: localhost
ftp_protocols: ftps
ftp_port: 990
sec_cert_path: /etc/srv/domain.cert.pem
sca_cert_path: /etc/srv/domain.cert.pem
key_cert_path: /etc/srv/private.key.pem
ftp_auth_user_path: /etc/proftpd/ftp.passwd
ftp_auth_group_path: /etc/proftpd/ftpd.group
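Review bot: `sec_cert_path` and `sca_cert_path` both point at `/etc/srv/domain.cert.pem`, so the server certificate and the CA certificate would be the same file; one of these looks like a copy-paste slip and should be corrected before a template renders both into the proftpd TLS configuration. `users_allowed: root` makes the root account the default FTP login; if this feeds an allow-list for logins, a non-root default (or `~` so the operator must choose) is safer, and ProFTPD refuses root logins by default anyway unless that is explicitly enabled. `default_umask: 0022 0022` is only a string because of the embedded space; quote it as `"0022 0022"` so a later edit to a single `0022` does not become the integer 18 under YAML 1.1. `ftp_auth_user_path` uses `ftp.passwd` while `ftp_auth_group_path` uses `ftpd.group`; confirm the `ftp`/`ftpd` difference is intentional.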


@@ -0,0 +1,5 @@
---
pubkeys: ~
primary_root_acct: ~
nonlogin_method: ~
roots: ~


@@ -0,0 +1,297 @@
##
## Example config file for clamav-milter
##
# Comment or remove the line below.
##
## Main options
##
# Define the interface through which we communicate with sendmail
# This option is mandatory! Possible formats are:
# [[unix|local]:]/path/to/file - to specify a unix domain socket
# inet:port@[hostname|ip-address] - to specify an ipv4 socket
# inet6:port@[hostname|ip-address] - to specify an ipv6 socket
#
# Default: no default
#MilterSocket /run/clamav/clamav-milter.sock
#MilterSocket /tmp/clamav-milter.sock
#MilterSocket inet:7357
# Define the group ownership for the (unix) milter socket.
# Default: disabled (the primary group of the user running clamd)
#MilterSocketGroup virusgroup
# Sets the permissions on the (unix) milter socket to the specified mode.
# Default: disabled (obey umask)
#MilterSocketMode 660
# Remove stale socket after unclean shutdown.
#
# Default: yes
#FixStaleSocket yes
# Run as another user (clamav-milter must be started by root for this option
# to work)
#
# Default: unset (don't drop privileges)
#User clamav
# Waiting for data from clamd will timeout after this time (seconds).
# Value of 0 disables the timeout.
#
# Default: 120
#ReadTimeout 300
# Don't fork into background.
#
# Default: no
#Foreground yes
# Chroot to the specified directory.
# Chrooting is performed just after reading the config file and before
# dropping privileges.
#
# Default: unset (don't chroot)
#Chroot /newroot
# This option allows you to save a process identifier of the listening
# daemon.
# This file will be owned by root, as long as clamav-milter was started by
# root. It is recommended that the directory where this file is stored is
# also owned by root to keep other users from tampering with it.
#
# Default: disabled
#PidFile /run/clamav/clamav-milter.pid
# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#
#TemporaryDirectory /var/tmp
##
## Clamd options
##
# Define the clamd socket to connect to for scanning.
# This option is mandatory! Syntax:
# ClamdSocket unix:path
# ClamdSocket tcp:host:port
# The first syntax specifies a local unix socket (needs an absolute path) e.g.:
# ClamdSocket unix:/run/clamav/clamd.sock
# The second syntax specifies a tcp local or remote tcp socket: the
# host can be a hostname or an ip address; the ":port" field is only required
# for IPv6 addresses, otherwise it defaults to 3310, e.g.:
# ClamdSocket tcp:192.168.0.1
#
# This option can be repeated several times with different sockets or even
# with the same socket: clamd servers will be selected in a round-robin
# fashion.
#
# Default: no default
#ClamdSocket tcp:scanner.mydomain:7357
#ClamdSocket unix:/run/clamav/clamd.sock
##
## Exclusions
##
# Messages originating from these hosts/networks will not be scanned
# This option takes a host(name)/mask pair in CIRD notation and can be
# repeated several times. If "/mask" is omitted, a host is assumed.
# To specify a locally originated, non-smtp, email use the keyword "local"
#
# Default: unset (scan everything regardless of the origin)
#LocalNet local
#LocalNet 192.168.0.0/24
#LocalNet 1111:2222:3333::/48
# This option specifies a file which contains a list of basic POSIX regular
# expressions. Addresses (sent to or from - see below) matching these regexes
# will not be scanned. Optionally each line can start with the string "From:"
# or "To:" (note: no whitespace after the colon) indicating if it is,
# respectively, the sender or recipient that is to be allowed.
# If the field is missing, "To:" is assumed.
# Lines starting with #, : or ! are ignored.
#
# Default unset (no exclusion applied)
#AllowList /etc/allowed_addresses
# Messages from authenticated SMTP users matching this extended POSIX
# regular expression (egrep-like) will not be scanned.
# As an alternative, a file containing a plain (not regex) list of names (one
# per line) can be specified using the prefix "file:".
# e.g. SkipAuthenticated file:/etc/good_guys
#
# Note: this is the AUTH login name!
#
# Default: unset (no allowing based on SMTP auth)
#SkipAuthenticated ^(tom|dick|henry)$
# Messages larger than this value won't be scanned.
# Make sure this value is lower or equal than StreamMaxLength in clamd.conf
#
# Default: 25M
#MaxFileSize 10M
##
## Actions
##
# The following group of options controls the delivery process under
# different circumstances.
# The following actions are available:
# - Accept
# The message is accepted for delivery
# - Reject
# Immediately refuse delivery (a 5xx error is returned to the peer)
# - Defer
# Return a temporary failure message (4xx) to the peer
# - Blackhole (not available for OnFail)
# Like Accept but the message is sent to oblivion
# - Quarantine (not available for OnFail)
# Like Accept but message is quarantined instead of being delivered
#
# NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ
# For Postfix this causes the message to be placed on hold
#
# Action to be performed on clean messages (mostly useful for testing)
# Default: Accept
#OnClean Accept
# Action to be performed on infected messages
# Default: Quarantine
#OnInfected Quarantine
# Action to be performed on error conditions (this includes failure to
# allocate data structures, no scanners available, network timeouts,
# unknown scanner replies and the like)
# Default: Defer
#OnFail Defer
# This option allows to set a specific rejection reason for infected messages
# and it's therefore only useful together with "OnInfected Reject"
# The string "%v", if present, will be replaced with the virus name.
# Default: MTA specific
#RejectMsg
# If this option is set to "Replace" (or "Yes"), an "X-Virus-Scanned" and an
# "X-Virus-Status" headers will be attached to each processed message, possibly
# replacing existing headers.
# If it is set to Add, the X-Virus headers are added possibly on top of the
# existing ones.
# Note that while "Replace" can potentially break DKIM signatures, "Add" may
# confuse procmail and similar filters.
# Default: no
#AddHeader Replace
# When AddHeader is in use, this option allows to arbitrary set the reported
# hostname. This may be desirable in order to avoid leaking internal names.
# If unset the real machine name is used.
# Default: disabled
#ReportHostname my.mail.server.name
# Execute a command (possibly searching PATH) when an infected message is
# found.
# The following parameters are passed to the invoked program in this order:
# virus name, queue id, sender, destination, subject, message id, message date.
# Note #1: this requires MTA macroes to be available (see LogInfected below)
# Note #2: the process is invoked in the context of clamav-milter
# Note #3: clamav-milter will wait for the process to exit. Be quick or fork to
# avoid unnecessary delays in email delivery
# Default: disabled
#VirusAction /usr/local/bin/my_infected_message_handler
##
## Logging options
##
# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
#
# Default: disabled
#LogFile /tmp/clamav-milter.log
# By default the log file is locked for writing - the lock protects against
# running clamav-milter multiple times.
# This option disables log file locking.
#
# Default: no
#LogFileUnlock yes
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
# rotation (the LogRotate option) will always be enabled.
#
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
#
# Default: no
#LogTime yes
# Use system logger (can work together with LogFile).
#
# Default: no
#LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
#
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable verbose logging.
#
# Default: no
#LogVerbose yes
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
# This option allows to tune what is logged when a message is infected.
# Possible values are Off (the default - nothing is logged),
# Basic (minimal info logged), Full (verbose info logged)
# Note:
# For this to work properly in sendmail, make sure the msg_id, mail_addr,
# rcpt_addr and i macroes are available in eom. In other words add a line like:
# Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i
# to your .cf file. Alternatively use the macro:
# define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')
# Postfix should be working fine with the default settings.
#
# Default: disabled
#LogInfected Basic
# This option allows to tune what is logged when no threat is found in
# a scanned message.
# See LogInfected for possible values and caveats.
# Useful in debugging but drastically increases the log size.
# Default: disabled
#LogClean Basic
# This option affects the behaviour of LogInfected, LogClean and VirusAction
# when a message with multiple recipients is scanned:
# If SupportMultipleRecipients is off (the default)
# then one single log entry is generated for the message and, in case the
# message is determined to be malicious, the command indicated by VirusAction
# is executed just once. In both cases only the last recipient is reported.
# If SupportMultipleRecipients is on:
# then one line is logged for each recipient and the command indicated
# by VirusAction is also executed once for each recipient.
#
# Note: although it's probably a good idea to enable this option, the default
# value
# is currently set to off for legacy reasons.
# Default: no
#SupportMultipleRecipients yes
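Review bot: `MilterSocket` and `ClamdSocket` are both marked "This option is mandatory!" in their own comments yet every occurrence stays commented out, so if this file is deployed as-is the milter has no socket to listen on and no scanner to talk to and will not start; set at least `MilterSocket /run/clamav/clamav-milter.sock` and `ClamdSocket unix:/run/clamav/clamd.sock` (the unix-socket forms, so nothing is exposed on TCP) before templating it. `# Comment or remove the line below.` is followed by nothing, so that leftover comment should go too. `User clamav` is also commented out; since clamav-milter is normally started by root, leaving it unset means the milter keeps root privileges, so uncommenting it would match the `User clamav` already set in the clamd.conf added by this same commit.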


@@ -0,0 +1,885 @@
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##
# Comment or remove the line below.
# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
#LogFile /tmp/clamd.log
# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
# rotation (the LogRotate option) will always be enabled.
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
# Default: no
LogTime yes
# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
#LogClean yes
# Use system logger (can work together with LogFile).
# Default: no
#LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable verbose logging.
# Default: no
#LogVerbose yes
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
# Enable Prelude output.
# Default: no
#PreludeEnable yes
#
# Set the name of the analyzer used by prelude-admin.
# Default: ClamAV
#PreludeAnalyzerName ClamAV
# Log additional information about the infected file, such as its
# size and hash, together with the virus name.
#ExtendedDetectionInfo yes
# This option allows you to save a process identifier of the listening
# daemon.
# This file will be owned by root, as long as clamd was started by root.
# It is recommended that the directory where this file is stored is
# also owned by root to keep other users from tampering with it.
# Default: disabled
#PidFile /run/clamav/clamd.pid
# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#TemporaryDirectory /var/tmp
# Path to the database directory.
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav
# Path to the ClamAV CA certificates directory for verifying CVD signature
# archive digital signatures.
# Default: hardcoded (depends on installation options)
#CVDCertsDirectory /etc/clamav/certs
# Only load the official signatures published by the ClamAV project.
# Default: no
#OfficialDatabaseOnly no
# Return with a nonzero error code if the virus database is older than
# the specified number of days.
# Default: -1
#FailIfCvdOlderThan 7
# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
#LocalSocket /run/clamav/clamd.sock
#LocalSocket /tmp/clamd.sock
# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
#LocalSocketGroup virusgroup
# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
#LocalSocketMode 660
# Remove stale socket after unclean shutdown.
# Default: yes
#FixStaleSocket no
# TCP port address.
# Default: no
#TCPSocket 3310
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world. This option can be specified multiple
# times if you want to listen on multiple IPs. IPv6 is now supported.
# Default: no
#TCPAddr localhost
# Enable or disable certain commands.
# Disabling some commands like SHUTDOWN may improve the security of the daemon.
# When a client sends one of the following commands but it is disabled,
# clamd responds with COMMAND UNAVAILABLE.
#
# Enable the SHUTDOWN command.
# Setting this to no prevents a client to stop clamd via the protocol.
# Default: yes
#EnableShutdownCommand no
#
# Enable the RELOAD command
# Setting this to no prevents a client to reload the database.
# Default: yes
#EnableReloadCommand no
#
# Enable the STATS command
# Setting this to no prevents a client from querying statistics.
# Default: yes
#EnableStatsCommand no
#
# Enable the VERSION command
# Setting this to no prevents a client from querying version information.
# Default: yes
#EnableVersionCommand no
# Maximum length the queue of pending connections may grow to.
# Default: 200
#MaxConnectionQueueLength 30
# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.
# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 100M
#StreamMaxLength 25M
# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000
# Maximum number of threads running at the same time.
# Default: 10
#MaxThreads 20
# Waiting for data from a client socket will timeout after this time (seconds).
# Default: 120
#ReadTimeout 300
# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 30
#CommandReadTimeout 30
# This option specifies how long to wait (in milliseconds) if the send buffer
# is full.
# Keep this value low to prevent clamd hanging.
#
# Default: 500
#SendBufTimeout 200
# Maximum number of queued items (including those being processed by
# MaxThreads threads).
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out of file
# descriptors, the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual
# max is 1024).
#
# Default: 100
#MaxQueue 200
# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60
# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
#ExcludePath ^/proc/
#ExcludePath ^/sys/
# Maximum depth directories are scanned at.
# Default: 15
MaxDirectoryRecursion 20
# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes
# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes
# Scan files and directories on other filesystems.
# Default: yes
#CrossFilesystems no
# Perform a database check.
# Default: 600 (10 min)
#SelfCheck 600
# Enable non-blocking (multi-threaded/concurrent) database reloads.
# This feature will temporarily load a second scanning engine while scanning
# continues using the first engine. Once loaded, the new engine takes over.
# The old engine is removed as soon as all scans using the old engine have
# completed.
# This feature requires more RAM, so this option is provided in case users are
# willing to block scans during reload in exchange for lower RAM requirements.
# Default: yes
#ConcurrentDatabaseReload no
# Execute a command when virus is found.
# Use the following environment variables to identify the file and virus names:
# - $CLAM_VIRUSEVENT_FILENAME
# - $CLAM_VIRUSEVENT_VIRUSNAME
# In the command string, '%v' will also be replaced with the virus name.
# Note: The '%f' filename format character has been disabled and will no longer
# be replaced with the file name, due to command injection security concerns.
# Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
# For the same reason, you should NOT use the environment variables in the
# command directly, but should use it carefully from your executed script.
# Default: no
#VirusEvent /opt/send_virus_alert_sms.sh
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User clamav
# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes
# Record metadata about the file being scanned.
# Scan metadata is useful for file analysis purposes and for debugging scan behavior.
# The JSON metadata will be printed after the scan is complete if Debug is enabled.
# A metadata.json file will be written to the scan temp directory if LeaveTemporaryFiles is enabled.
# Default: no
#GenerateMetadataJson yes
# Store URIs found in html files to the json metadata.
# URIs will be stored in an array with the tag 'URIs'
# GenerateMetadataJson is required for this feature.
# Default: yes (if GenerateMetadataJson is used)
#JsonStoreHTMLURIs no
# Store URIs found in pdf files to the json metadata.
# URIs will be stored in an array with the tag 'URIs'
# GenerateMetadataJson is required for this feature.
# Default: yes (if GenerateMetadataJson is used)
#JsonStorePDFURIs no
# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
# any ALLMATCHSCAN command as invalid.
# Default: yes
#AllowAllMatchScan no
# Detect Possibly Unwanted Applications.
# Default: no
DetectPUA yes
# Exclude a specific PUA category. This directive can be used multiple times.
# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for
# the complete list of PUA categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool
# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
#IncludePUA Spy
#IncludePUA Scanner
#IncludePUA RAT
# This option causes memory or nested map scans to dump the content to disk.
# If you turn on this option, more data is written to disk and is available
# when the LeaveTemporaryFiles option is enabled.
#ForceToDisk yes
# This option allows you to disable the caching feature of the engine. By
# default, the engine will store an MD5 in a cache of any files that are
# not flagged as virus or that hit limits checks. Disabling the cache will
# have a negative performance impact on large scans.
# Default: no
#DisableCache yes
# This option allows you to set the number of entries the cache can store.
# The value should be a square number or will be rounded up to the nearest
# square number.
#CacheSize 65536
# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to detect abnormal patterns and behaviors that
# may be malicious. This option enables alerting on such heuristically
# detected potential threats.
# Default: yes
HeuristicAlerts yes
# Allow heuristic alerts to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only
# at the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes
##
## Heuristic Alerts
##
# With this option clamav will try to detect broken executables (both PE and
# ELF) and alert on them with the Broken.Executable heuristic signature.
# Default: no
AlertBrokenExecutables yes
# With this option clamav will try to detect broken media file (JPEG,
# TIFF, PNG, GIF) and alert on them with a Broken.Media heuristic signature.
# Default: no
AlertBrokenMedia yes
# Alert on encrypted archives _and_ documents with heuristic signature
# (encrypted .zip, .7zip, .rar, .pdf).
# Default: no
AlertEncrypted yes
# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip,
# .rar).
# Default: no
AlertEncryptedArchive yes
# Alert on encrypted archives with heuristic signature (encrypted .pdf).
# Default: no
AlertEncryptedDoc yes
# With this option enabled OLE2 files containing VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
AlertOLE2Macros yes
# Alert on SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
# Default: no
#AlertPhishingSSLMismatch yes
# Alert on cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
# Default: no
#AlertPhishingCloak yes
# Alert on raw DMG image files containing partition intersections
# Default: no
AlertPartitionIntersection yes
##
## Executable files
##
# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option
# allows ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite. If you turn off this option, the original files will still be
# scanned, but without additional processing.
# Default: yes
ScanPE yes
# Certain PE files contain an authenticode signature. By default, we check
# the signature chain in the PE file against a database of trusted and
# revoked certificates if the file being scanned is marked as a virus.
# If any certificate in the chain validates against any trusted root, but
# does not match any revoked certificate, the file is marked as trusted.
# If the file does match a revoked certificate, the file is marked as virus.
# The following setting completely turns off authenticode verification.
# Default: no
#DisableCertCheck yes
# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
ScanELF yes
##
## Documents
##
# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
ScanOLE2 yes
# This option enables scanning within PDF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
ScanPDF yes
# This option enables scanning within SWF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
ScanSWF yes
# This option enables scanning xml-based document files supported by libclamav.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
ScanXMLDOCS yes
# This option enables scanning of HWP3 files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
ScanHWP3 yes
# This option enables scanning of OneNote files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
ScanOneNote yes
##
## Other file types
##
# This option enables scanning of image (graphics).
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanImage no
# This option enables detection by calculating a fuzzy hash of image (graphics)
# files.
# Signatures using image fuzzy hashes typically match files and documents by
# identifying images embedded or attached to those files.
# If you turn off this option, then some files may no longer be detected.
# Default: yes
#ScanImageFuzzyHash no
##
## Mail files
##
# Enable internal e-mail scanner.
# If you turn off this option, the original files will still be scanned, but
# without parsing individual messages/attachments.
# Default: yes
#ScanMail no
# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial
# directory.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: no
#ScanPartialMessages yes
# With this option enabled ClamAV will try to detect phishing attempts by using
# HTML.Phishing and Email.Phishing NDB signatures.
# Default: yes
#PhishingSignatures no
# With this option enabled ClamAV will try to detect phishing attempts by
# analyzing URLs found in emails using WDB and PDB signature databases.
# Default: yes
#PhishingScanURLs no
##
## Data Loss Prevention (DLP)
##
# Enable the DLP module
# Default: No
#StructuredDataDetection yes
# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5
# With this option enabled the DLP module will search for valid Credit Card
# numbers only. Debit and Private Label cards will not be searched.
# Default: no
#StructuredCCOnly yes
# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
#StructuredSSNFormatNormal no
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
#StructuredSSNFormatStripped yes
##
## HTML
##
# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
ScanHTML yes
##
## Archives
##
# ClamAV can scan within archives and compressed files.
# If you turn off this option, the original files will still be scanned, but
# without unpacking and additional processing.
# Default: yes
ScanArchive yes
##
## Limits
##
# The options below protect your system against Denial of Service attacks
# using archive bombs.
# This option sets the maximum amount of time to a scan may take.
# In this version, this field only affects the scan time of ZIP archives.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result allow scanning
# of certain files to lock up the scanning process/threads resulting in a
# Denial of Service.
# Time is in milliseconds.
# Default: 120000
#MaxScanTime 300000
# This option sets the maximum amount of data to be scanned for each input
# file. Archives and other containers are recursively extracted and scanned
# up to this value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 400M
#MaxScanSize 1000M
# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Technical design limitations prevent ClamAV from scanning files greater than
# 2 GB at this time.
# Default: 100M
#MaxFileSize 400M
# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: setting this limit too high may result in severe damage to the system.
# Default: 17
# Maximum: 100
#MaxRecursion 10
# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
#MaxFiles 15000
# Maximum size of a file to check for embedded PE. Files larger than this value
# will skip the additional analysis step.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 40M
#MaxEmbeddedPE 100M
# Maximum size of a HTML file to normalize. HTML files larger than this value
# will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 40M
#MaxHTMLNormalize 100M
# Maximum size of a normalized HTML file to scan. HTML files larger than this
# value after normalization will not be scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 8M
#MaxHTMLNoTags 16M
# Maximum size of a script file to normalize. Script content larger than this
# value will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 20M
#MaxScriptNormalize 50M
# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
# than this value will skip the step to potentially reanalyze as PE.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 1M
#MaxZipTypeRcg 1M
# This option sets the maximum number of partitions of a raw disk image to be
# scanned.
# Raw disk images with more partitions than this value will have up to
# the value number partitions scanned. Negative values are not allowed.
# Note: setting this limit too high may result in severe damage or impact
# performance.
# Default: 50
#MaxPartitions 128
# This option sets the maximum number of icons within a PE to be scanned.
# PE files with more icons than this value will have up to the value number
# icons scanned.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact
# performance.
# Default: 100
#MaxIconsPE 200
# This option sets the maximum recursive calls for HWP3 parsing during
# scanning. HWP3 files using more than this limit will be terminated and
# alert the user.
# Scans will be unable to scan any HWP3 attachments if the recursive limit
# is reached.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact
# performance.
# Default: 16
#MaxRecHWP3 16
# This option sets the maximum calls to the PCRE match function during
# an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user
# but the scan will continue.
# For more information on match_limit, see the PCRE documentation.
# Negative values are not allowed.
# WARNING: setting this limit too high may severely impact performance.
# Default: 100000
#PCREMatchLimit 20000
# This option sets the maximum recursive calls to the PCRE match function
# during an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user
# but the scan will continue.
# For more information on match_limit_recursion, see the PCRE documentation.
# Negative values are not allowed and values > PCREMatchLimit are superfluous.
# WARNING: setting this limit too high may severely impact performance.
# Default: 2000
#PCRERecMatchLimit 10000
# This option sets the maximum filesize for which PCRE subsigs will be
# executed. Files exceeding this limit will not have PCRE subsigs executed
# unless a subsig is encompassed to a smaller buffer.
# Negative values are not allowed.
# Setting this value to zero disables the limit.
# WARNING: setting this limit too high or disabling it may severely impact
# performance.
# Default: 100M
#PCREMaxFileSize 400M
# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or
# MaxRecursion limit will be flagged with the virus name starting with
# "Heuristics.Limits.Exceeded".
# Default: no
#AlertExceedsMax yes
##
## On-access Scan Settings
##
# Don't scan files larger than OnAccessMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#OnAccessMaxFileSize 10M
# Max number of scanning threads to allocate to the OnAccess thread pool at
# startup. These threads are the ones responsible for creating a connection
# with the daemon and kicking off scanning after an event has been processed.
# To prevent clamonacc from consuming all clamd's resources keep this lower
# than clamd's max threads.
# Default: 5
#OnAccessMaxThreads 10
# Max amount of time (in milliseconds) that the OnAccess client should spend
# for every connect, send, and receive attempt when communicating with clamd
# via curl.
# Default: 5000 (5 seconds)
# OnAccessCurlTimeout 10000
# Toggles dynamic directory determination. Allows for recursively watching
# include paths.
# Default: no
#OnAccessDisableDDD yes
# Set the include paths (all files inside them will be scanned). You can have
# multiple OnAccessIncludePath directives but each directory must be added
# in a separate line.
# Default: disabled
#OnAccessIncludePath /home
#OnAccessIncludePath /students
# Set the exclude paths. All subdirectories are also excluded.
# Default: disabled
#OnAccessExcludePath /home/user
# Modifies fanotify blocking behaviour when handling permission events.
# If off, fanotify will only notify if the file scanned is a virus,
# and not perform any blocking.
# Default: no
OnAccessPrevention no
# When using prevention, if this option is turned on, any errors that occur
# during scanning will result in the event attempt being denied. This could
# potentially lead to unwanted system behaviour with certain configurations,
# so the client defaults this to off and prefers allowing access events in
# case of scan or connection error.
# Default: no
#OnAccessDenyOnError yes
# Toggles extra scanning and notifications when a file or directory is
# created or moved.
# Requires the DDD system to kick-off extra scans.
# Default: no
OnAccessExtraScanning yes
# Set the mount point to be scanned. The mount point specified, or the mount
# point containing the specified directory will be watched. If any directories
# are specified, this option will preempt (disable and ignore all options
# related to) the DDD system. This option will result in verdicts only.
# Note that prevention is explicitly disallowed to prevent common, fatal
# misconfigurations. (e.g. watching "/" with prevention on and no exclusions
# made on vital system directories)
# It can be used multiple times.
# Default: disabled
OnAccessMountPath /
#OnAccessMountPath /home/user
# With this option you can exclude the root UID (0). Processes run under
# root with be able to access all files without triggering scans or
# permission denied events.
# Note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan. Thus, setting
# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the
# root user from triggering a scan (unless OnAccessPrevention is enabled).
# Default: no
#OnAccessExcludeRootUID no
# With this option you can exclude specific UIDs. Processes with these UIDs
# will be able to access all files without triggering scans or permission
# denied events.
# This option can be used multiple times (one per line).
# Using a value of 0 on any line will disable this option entirely.
# To exclude the root UID (0) please enable the OnAccessExcludeRootUID
# option.
# Also note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan. Thus, setting
# OnAccessExcludeUID is not *guaranteed* to prevent every access by the
# specified uid from triggering a scan (unless OnAccessPrevention is enabled).
# Default: disabled
#OnAccessExcludeUID -1
# This option allows exclusions via user names when using the on-access
# scanning client. It can be used multiple times.
# It has the same potential race condition limitations of the
# OnAccessExcludeUID option.
# Default: disabled
OnAccessExcludeUname clamav
# Number of times the OnAccess client will retry a failed scan due to
# connection problems (or other issues).
# Default: 0
#OnAccessRetryAttempts 3
##
## Bytecode
##
# With this option enabled ClamAV will load bytecode from the database.
# It is highly recommended you keep this option on, otherwise you'll miss
# detections for many new viruses.
# Default: yes
Bytecode yes
# Set bytecode security level.
# Possible values:
# None - No security at all, meant for debugging.
# DO NOT USE THIS ON PRODUCTION SYSTEMS.
# This value is only available if clamav was built
# with --enable-debug!
# TrustSigned - Trust bytecode loaded from signed .c[lv]d files, insert
# runtime safety checks for bytecode loaded from other sources.
# Paranoid - Don't trust any bytecode, insert runtime checks for all.
# Recommended: TrustSigned, because bytecode in .cvd files already has these
# checks.
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
#
# Default: TrustSigned
#BytecodeSecurity TrustSigned
# Allow loading bytecode from outside digitally signed .c[lv]d files.
# **Caution**: You should NEVER run bytecode signatures from untrusted sources.
# Doing so may result in arbitrary code execution.
# Default: no
#BytecodeUnsigned yes
# Set bytecode timeout in milliseconds.
#
# Default: 10000
# BytecodeTimeout 1000


@@ -0,0 +1,214 @@
##
## Example config file for freshclam
## Please read the freshclam.conf(5) manual before editing this file.
##
# Comment or remove the line below.
# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# WARNING: It must already exist, be an absolute path, be writeable by
# freshclam, and be readable by clamd/clamscan.
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav
# Path to the ClamAV CA certificates directory for verifying CVD signature
# archive digital signatures.
# WARNING: It must match clamd.conf's directive!
# WARNING: It must already exist, be an absolute path, be readable by
# freshclam, clamd, clamscan and sigtool.
# Default: hardcoded (depends on installation options)
#CVDCertsDirectory /etc/clamav/certs
# Path to the log file (make sure it has proper permissions)
# Default: disabled
#UpdateLogFile /var/log/freshclam.log
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
# log rotation (the LogRotate option) will always be enabled.
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
# Default: no
#LogTime yes
# Enable verbose logging.
# Default: no
#LogVerbose yes
# Use system logger (can work together with UpdateLogFile).
# Default: no
#LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
# Write the daemon's pid to the specified file.
# You must run freshclam with --daemon (-d) for freshclam to run as a daemon.
# This file will be owned by root, as long as freshclam was started by root.
# It is recommended that the directory where this file is stored is
# also owned by root to keep other users from tampering with it.
# Default: disabled
#PidFile /run/clamav/freshclam.pid
# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
#DatabaseOwner clamav
# Use DNS to verify virus database version. FreshClam uses DNS TXT records
# to verify database and software versions. With this directive you can change
# the database verification domain.
# WARNING: Do not touch it unless you're configuring freshclam to use your
# own database verification domain.
# Default: current.cvd.clamav.net
#DNSDatabaseInfo current.cvd.clamav.net
# database.clamav.net is now the primary domain name to be used world-wide.
# Now that CloudFlare is being used as our Content Delivery Network (CDN),
# this one domain name works world-wide to direct freshclam to the closest
# geographic endpoint.
# If the old db.XY.clamav.net domains are set, freshclam will automatically
# use database.clamav.net instead.
DatabaseMirror database.clamav.net
# How many attempts to make before giving up.
# Default: 3 (per mirror)
#MaxAttempts 5
# With this option you can control scripted updates. It's highly recommended
# to keep it enabled.
# Default: yes
#ScriptedUpdates yes
# By default freshclam will keep the local databases (.cld) uncompressed to
# make their handling faster. With this option you can enable the compression;
# the change will take effect with the next database update.
# Default: no
#CompressLocalDatabase no
# With this option you can provide custom sources for database files.
# This option can be used multiple times. Support for:
# http(s)://, ftp(s)://, or file://
# Default: no custom URLs
#DatabaseCustomURL http://myserver.example.com/mysigs.ndb
#DatabaseCustomURL https://myserver.example.com/mysigs.ndb
#DatabaseCustomURL https://myserver.example.com:4567/allow_list.wdb
#DatabaseCustomURL ftp://myserver.example.com/example.ldb
#DatabaseCustomURL ftps://myserver.example.com:4567/example.ndb
#DatabaseCustomURL file:///mnt/nfs/local.hdb
# This option allows you to easily point freshclam to private mirrors.
# If PrivateMirror is set, freshclam does not attempt to use DNS
# to determine whether its databases are out-of-date, instead it will
# use the If-Modified-Since request or directly check the headers of the
# remote database files. For each database, freshclam first attempts
# to download the CLD file. If that fails, it tries to download the
# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
# and ScriptedUpdates. It can be used multiple times to provide
# fall-back mirrors.
# Default: disabled
#PrivateMirror mirror1.example.com
#PrivateMirror mirror2.example.com
# Number of database checks per day.
# Default: 12 (every two hours)
#Checks 24
# Proxy settings
# The HTTPProxyServer may be prefixed with [scheme]:// to specify which kind
# of proxy is used.
# http:// HTTP Proxy. Default when no scheme or proxy type is specified.
# https:// HTTPS Proxy. (Added in 7.52.0 for OpenSSL, GnuTLS and NSS)
# socks4:// SOCKS4 Proxy.
# socks4a:// SOCKS4a Proxy. Proxy resolves URL hostname.
# socks5:// SOCKS5 Proxy.
# socks5h:// SOCKS5 Proxy. Proxy resolves URL hostname.
# Default: disabled
#HTTPProxyServer https://proxy.example.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass
# If your servers are behind a firewall/proxy which applies User-Agent
# filtering you can use this option to force the use of a different
# User-Agent header.
# As of ClamAV 0.103.3, this setting may not be used when updating from the
# clamav.net CDN and can only be used when updating from a private mirror.
# Default: clamav/version_number (OS: ..., ARCH: ..., CPU: ..., UUID: ...)
#HTTPUserAgent SomeUserAgentIdString
# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
# multi-homed systems.
# Default: Use OS'es default outgoing IP address.
#LocalIPAddress aaa.bbb.ccc.ddd
# Send the RELOAD command to clamd.
# Default: no
#NotifyClamd /path/to/clamd.conf
# Run command after successful database update.
# Use EXIT_1 to return 1 after successful database update.
# Default: disabled
#OnUpdateExecute command
# Run command when database update process fails.
# Default: disabled
#OnErrorExecute command
# Run command when freshclam reports outdated version.
# In the command string %v will be replaced by the new version number.
# Default: disabled
#OnOutdatedExecute command
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Timeout in seconds when connecting to database server.
# Default: 30
#ConnectTimeout 60
# Timeout in seconds when reading from database server. 0 means no timeout.
# Default: 60
#ReceiveTimeout 300
# With this option enabled, freshclam will attempt to load new databases into
# memory to make sure they are properly handled by libclamav before replacing
# the old ones.
# Tip: This feature uses a lot of RAM. If your system has limited RAM and you
# are actively running ClamD or ClamScan during the update, then you may need
# to set `TestDatabases no`.
# Default: yes
#TestDatabases no
# This option enables downloading of bytecode.cvd, which includes additional
# detection mechanisms and improvements to the ClamAV engine.
# Default: yes
#Bytecode no
# Include an optional signature databases (opt-in).
# This option can be used multiple times.
#ExtraDatabase dbname1
#ExtraDatabase dbname2
# Exclude a standard signature database (opt-out).
# This option can be used multiple times.
#ExcludeDatabase dbname1
#ExcludeDatabase dbname2
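Review bot: `UpdateLogFile` is left commented out at L1449 while the playbook in this same commit creates `/var/log/clamav/freshclam.log` for this daemon, so that file stays empty and update failures are only visible in whatever stdout/journal capture the service unit provides; set `UpdateLogFile /var/log/clamav/freshclam.log` and `LogTime yes` so a stale or failed signature update can actually be noticed. `NotifyClamd` is also disabled (L1563), so clamd only picks up a new database at its own SelfCheck interval rather than right after the update; `NotifyClamd /etc/clamav/clamd.conf` closes that window. The stray `# Comment or remove the line below.` at L1433 refers to an `Example` line that is no longer in the file and should be dropped.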


@@ -0,0 +1,11 @@
[proftpd]
enabled = true
allowipv6 = true
banaction = iptables-multiport
findtime = 1200
maxretry = 3
bantime = 1h
bantime.increment = true
bantime.factor = 24
bantime.maxtime = 5w
ignoreip = 127.0.0.1/8
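Review bot: `ignoreip = 127.0.0.1/8` at L1621 overrides the packaged default and drops `::1`, while `allowipv6 = true` at L1613 makes IPv6 bans possible, so a local IPv6 client that fails FTP authentication can get loopback banned; use `ignoreip = 127.0.0.1/8 ::1`. `allowipv6`, `banaction` and `ignoreip` are repeated per jail here and in the sshd jail with differing values (`iptables-multiport` vs `iptables`); moving the shared ones into a `[DEFAULT]` drop-in keeps the two jails from drifting apart. `bantime.increment` with `bantime.factor = 24` makes re-ban durations climb to the `5w` cap within a few repeats, which is probably intended but deserves a one-line comment saying so.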


@@ -0,0 +1,11 @@
[Service]
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=strict
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban.log
ReadWritePaths=-/var/spool/postfix/maildrop
ReadWritePaths=-/run/xtables.lock
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
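Review bot: This drop-in carries no comment on where it comes from or what each writable path is for, which matters because `ProtectSystem=strict` makes everything else read-only: a later change to fail2ban's `logtarget` or `dbfile`, or a ban action that writes anywhere else, will fail with a read-only filesystem error inside the sandbox until this list is extended. I would add a header comment noting that it appears to mirror the hardening block suggested in upstream fail2ban's service unit, that `/run/xtables.lock` is needed only for the iptables-based actions the jails here use, and that `CAP_DAC_READ_SEARCH` is what lets the service read log files regardless of their permission bits. The `-` prefix on each `ReadWritePaths` entry means a missing path is ignored rather than failing the unit, so a typo here is not caught at start; that is worth a line as well.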


@@ -0,0 +1,9 @@
[sshd]
enabled = true
filter = sshd
banaction = iptables
findtime = 1d
allowipv6 = true
maxretry = 4
bantime = 1w
ignoreip = 127.0.0.1/8
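Review bot: `ignoreip = 127.0.0.1/8` at L1649 drops the `::1` the distribution default includes, and with `allowipv6 = true` a local IPv6 client that fails authentication can ban loopback; write `ignoreip = 127.0.0.1/8 ::1`. With `bantime = 1w` and `maxretry = 4` there is also no exemption for the host or network the Ansible control machine connects from, so a stale key on the control host producing a few failures counted by the sshd filter locks the operator out for a week; consider listing the management network there too, since fail2ban cannot tell it from an attacker.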


@@ -0,0 +1,5 @@
*.asc
*.gpg
*.enc
*.pem
*.secret
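Review bot: Ignoring secrets by file extension only covers files named this way; the values this role actually consumes as secrets — `enrollment_key` for crowdsec and the Porkbun API credentials behind `certbot/porkbun.ini.j2` — live in variables whose definition is not visible in this commit, not in `.asc`/`.gpg`/`.enc`/`.pem`/`.secret` files. Add `*.key` (the usual private-key extension) and keep those variables in an ansible-vault-encrypted vars file, which is the control that actually stops them landing in git; a pre-commit secret scanner would back the gitignore up. Note that `*.asc` also matches ASCII-armored public keys, e.g. an apt repository key you may later want to version.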


@@ -0,0 +1,6 @@
<commit-type>[optional scope]: <description, what and why change>
Multi-line description of commit,
can be detailed.
[Issue: X]


@@ -0,0 +1 @@
deb [signed-by=/etc/apt/keyrings/charm.gpg] https://repo.charm.sh/apt/ * *


@@ -0,0 +1 @@
PermitRootLogin no
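Review bot: sshd keeps the first value it sees for each keyword, so this drop-in only wins if the main `sshd_config` reaches its `Include /etc/ssh/sshd_config.d/*.conf` line before any `PermitRootLogin` of its own (the Debian/Ubuntu stock config does; a hand-edited one may not); a comment stating that assumption, e.g. `# Effective only if sshd_config's Include precedes any PermitRootLogin line`, would save the next reader a surprise. How this file reaches the host is not shown in this commit; whichever task copies it must run after authorized keys are installed for a non-root account, otherwise the host becomes unreachable.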


@@ -0,0 +1 @@
PasswordAuthentication no
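Review bot: `PasswordAuthentication no` alone does not stop password logins when sshd authenticates through PAM: keyboard-interactive authentication still prompts for the account password, so the drop-in should also carry `KbdInteractiveAuthentication no` (`ChallengeResponseAuthentication no` on OpenSSH older than 8.7). If the intent is key-only access, pinning it explicitly with `AuthenticationMethods publickey` makes that policy independent of the defaults. Like any sshd_config.d drop-in it only takes effect if the main config's `Include` precedes a conflicting directive and sshd is reloaded afterwards.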


@@ -0,0 +1,2 @@
#SPDX-License-Identifier: MIT-0
---


@@ -0,0 +1,6 @@
---
- name: Update repositories cache
apt:
update_cache: yes
register: apt_refreshed
listen: update
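Review bot: Use the fully qualified `ansible.builtin.apt` and `update_cache: true`, matching the FQCN style the role already uses for `ansible.posix` and avoiding a YAML truthy value. Handlers inherit the play's privilege settings, and every task file in this commit sets `become: yes` per task rather than at play level, so this apt refresh most likely needs `become: true` as well or it fails as the connecting user. `register: apt_refreshed` is not read by anything visible in this commit and can go.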


@@ -0,0 +1,35 @@
#SPDX-License-Identifier: MIT-0
galaxy_info:
author: Alex Tavarez
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
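Review bot: `license: license (GPL-2.0-or-later, MIT, etc)` at L1717 is the unedited galaxy skeleton placeholder and not a valid SPDX identifier, while the file header already declares MIT-0; set `license: MIT-0` and fill in `description`. `min_ansible_version: 2.1` is inconsistent with the collections this role requires (`containers.podman >=1.16.3`, `community.general >=10.6.0`), which need a far newer ansible-core; raise it to the version the role is actually run with.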


@@ -0,0 +1,8 @@
---
collections:
- name: containers.podman
version: ">=1.16.3"
- name: ansible.posix
version: ">=2.0.0"
- name: community.general
version: ">=10.6.0"
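Review bot: Every collection has only a lower bound (`>=`), so `ansible-galaxy collection install -r` pulls whatever is newest at install time and two runs of the same commit can install different code; for a role that writes ssh, fail2ban and ClamAV policy that is an unnecessary supply-chain variable. Pin exact versions (`version: "==10.6.0"`) or at least cap the major (`version: ">=10.6.0,<11.0.0"`), and if you want provenance checked, add a `signatures:` entry plus a `keyring` so galaxy verifies the collection signature on install.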


@@ -0,0 +1,19 @@
---
- name: Add authorized keys for SSH access to accounts
ansible.posix.authorized_keys:
user: "{{ item[0] }}"
key: "{{ item[1] }}"
state: present
validate_certs: no
loop: "{{ pubkeys }}"
register: pubkeys_assigned
tags: ['default', 'assign_pubkeys']
- name: Disable SSH password authentication
copy:
src: sshd/nopass.conf
dest: /etc/ssh/sshd_config.d/nopass.conf
owner: "{{ primary_root_acct }}"
group: "{{ primary_root_acct }}"
force: yes
register: ssh_passauth_disabled
tags: ['default', 'disable_ssh_passauth']
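Review bot: `ansible.posix.authorized_keys` at L1749 is, as far as I can tell, not a module in ansible.posix — the module is `ansible.posix.authorized_key` (singular) — so this task fails to resolve before any key is installed. `validate_certs: no` is also dangerous: it only has an effect when an entry in `pubkeys` is a URL, and then it lets anyone on-path substitute the key material that grants SSH access; drop it. The copy task that installs nopass.conf runs without `become`, sets owner/group to `{{ primary_root_acct }}` rather than root (so unless that account is root, a non-root user can rewrite sshd policy), sets no `mode`, and neither validates the drop-in nor notifies an sshd reload, so the hardening does not take effect until something else restarts sshd. Rewritten tasks follow; the `reload sshd` handler they notify does not exist in this role's handlers yet and needs adding.

```yaml
- name: Add authorized keys for SSH access to accounts
  ansible.posix.authorized_key:   # singular: authorized_keys does not resolve
    user: "{{ item[0] }}"
    key: "{{ item[1] }}"
    state: present
  # … unchanged: loop / register / tags …
- name: Disable SSH password authentication
  become: true
  ansible.builtin.copy:
    src: sshd/nopass.conf
    dest: /etc/ssh/sshd_config.d/nopass.conf
    owner: root
    group: root
    mode: "0644"
    validate: /usr/sbin/sshd -t -f %s   # reject a drop-in sshd cannot parse
  notify: reload sshd                   # handler to add: service sshd state=reloaded
  # … unchanged: register / tags …
```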


@@ -0,0 +1,19 @@
---
- name: Configure gnupg and gocryptfs
import_tasks:
file: configure_core/gpg.yml
- name: Configure git
import_tasks:
file: configure_core/git.yml
- name: Configure fail2ban
import_tasks:
file: configure_core/fail2ban.yml
- name: Configure ClamAV
import_tasks:
file: configure_core/clamav.yml
- name: Configure crowdsec
import_tasks:
file: configure_core/crowdsec.yml
# - name: Configure certbot and its plugins
# import_tasks:
# file: configure_core/certbot.yml


@@ -0,0 +1,42 @@
---
- name: Create a settings file for Porkbun DNS API
become: yes
become_method: sudo
template:
src: certbot/porkbun.ini.j2
dest: "{{ web_root }}/porkbun.ini"
force: yes
backup: yes
register: porkbun_api_created
- name: Initiate DNS Acme challenge using Porkbun API plugin
become: yes
become_method: sudo
command:
argv:
- certbot
- certonly
- --non-interactive
- --agree-tos
- --email=ajt95@prole.biz
- --preferred-challenges=dns
- --authenticator=dns-porkbun
- "--dns-porkbun-credentials={{ web_root }}/porkbun.ini"
- --dns-porkbun-propagation-seconds=60
- -d="sukaato.moe"
when: porkbun_api_created.rc == 0
- name: Initiate DNS Acme challenge using Porkbun API plugin
become: yes
become_method: sudo
command:
argv:
- certbot
- certonly
- --non-interactive
- --agree-tos
- --email=ajt95@prole.biz
- --preferred-challenges=dns
- --authenticator=dns-porkbun
- "--dns-porkbun-credentials={{ web_root }}/porkbun.ini"
- --dns-porkbun-propagation-seconds=60
- -d="*.sukaato.moe"
when: porkbun_api_created.rc == 0
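Review bot: The Porkbun API credentials are rendered to `{{ web_root }}/porkbun.ini` at L1799 with no `mode`, i.e. into the directory the web server serves, with whatever permissions the template module inherits; a GET for /porkbun.ini would hand out the DNS API key for this zone, which is enough to pass DNS challenges and issue certificates for it. Keep the file out of the web root (`/etc/letsencrypt/porkbun.ini` or similar) with `owner: root` and `mode: "0600"`, and reconsider `backup: yes`, which leaves timestamped copies of old credentials beside it. `when: porkbun_api_created.rc == 0` cannot work: the template module returns no `rc`, so the conditional raises an undefined-attribute error; use `when: porkbun_api_created is succeeded` or just rely on the play stopping on failure. In `- -d="sukaato.moe"` the double quotes are part of the plain YAML scalar and therefore of the argument certbot receives; pass `-d` and the domain as separate argv items, and the two otherwise identical tasks can be one `certonly` run carrying both names so the apex and wildcard share a lineage. Rewritten tasks follow; the second (wildcard) task then becomes redundant.

```yaml
- name: Create a settings file for Porkbun DNS API
  become: true
  ansible.builtin.template:
    src: certbot/porkbun.ini.j2
    dest: /etc/letsencrypt/porkbun.ini   # not under web_root: the web server must never serve this
    owner: root
    group: root
    mode: "0600"                          # certbot warns on world-readable credentials
    backup: true
  register: porkbun_api_created
- name: Initiate DNS Acme challenge using Porkbun API plugin
  become: true
  ansible.builtin.command:
    argv:
      # … unchanged: certbot certonly --non-interactive --agree-tos --email=… --preferred-challenges=dns --authenticator=dns-porkbun …
      - --dns-porkbun-credentials=/etc/letsencrypt/porkbun.ini
      - --dns-porkbun-propagation-seconds=60
      - -d
      - sukaato.moe
      - -d
      - "*.sukaato.moe"
  when: porkbun_api_created is succeeded
```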


@@ -0,0 +1,94 @@
---
#@TODO write handlers for configuring clamav
#@NOTE https://wiki.archlinux.org/title/ClamAV
- name: Create freshclam file
become: yes
become_method: sudo
copy:
src: clamav/freshclam.conf
dest: /etc/clamav/freshclam.conf
force: yes
backup: yes
- name: Create clamd file
become: yes
become_method: sudo
copy:
src: clamav/clamd.conf
dest: /etc/clamav/clamd.conf
force: yes
backup: yes
- name: Create clamd file
become: yes
become_method: sudo
copy:
src: clamav/clamav-milter.conf
dest: /etc/clamav/clamav-milter.conf
force: yes
backup: yes
- name: Update clamav virus definitions
become: yes
become_method: sudo
command: freshclam
- name: Start and enable clamav service
service:
name: clamav-daemon
state: started
enabled: yes
- name: Start and enable clamav onaccess service
become: yes
become_method: sudo
service:
name: clamav-clamonacc
state: started
enabled: yes
- name: Restart clamav service
become: yes
become_method: sudo
service:
name: clamav-daemon
state: restarted
- name: Restart clamav onaccess service
become: yes
become_method: sudo
service:
name: clamav-clamonacc
state: restarted
- name: Create freshclam log file
become: yes
become_method: sudo
file:
path: /var/log/clamav/freshclam.log
state: touch
mode: 600
owner: clamav
- name: Start and enable freshclam virus definition update service
become: yes
become_method: sudo
service:
name: clamav-freshclam
state: started
enabled: yes
- name: Restart freshclam virus definition update service
become: yes
become_method: sudo
service:
name: clamav-freshclam
state: restarted
- name: Install Fangfrisch
become: yes
become_method: sudo
package:
name: fangfrisch
state: present
- name: Create database structure for fangfrisch
become_user: clamav
become_method: sudo
command:
argv: [/usr/bin/fangfrisch, --conf, /etc/fangfrisch/fangfrisch.conf, initdb]
- name: Start and enable fangfrisch virus definition updates
become: yes
become_method: sudo
service:
name: fangfrisch.timer
state: started
enabled: yes
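Review bot: `mode: 600` at L1900 is an unquoted YAML integer, which Ansible treats as decimal 600 (octal 1130: sticky bit, group write, no owner read) rather than 0600; write `mode: "0600"`. The "Start and enable clamav service" task at L1870 is the only service task without `become`, so it fails for a non-root connecting user, and the fangfrisch initdb task sets `become_user: clamav` without `become: true`, which (unless become is enabled at play level, not visible here) does not switch user at all, so the database is created as the SSH user instead of clamav. The unconditional "Restart …" tasks bounce all three services on every run; they belong in handlers notified by the three copy tasks, as the TODO at L1840 already acknowledges. Running `freshclam` by hand at L1869 on a host where the packaged clamav-freshclam service is already running (likely on Debian-family systems) collides on the database lock; starting the service and letting it fetch is enough. The log-file and initdb tasks with the corrected mode and an idempotent guard:

```yaml
- name: Create freshclam log file
  become: true
  ansible.builtin.file:
    path: /var/log/clamav/freshclam.log
    state: touch
    mode: "0600"                 # quoted: an unquoted 600 is decimal, not octal
    owner: clamav
    access_time: preserve        # keep the task idempotent across runs
    modification_time: preserve
# … unchanged: freshclam service start/enable, fangfrisch package install …
- name: Create database structure for fangfrisch
  become: true
  become_user: clamav
  ansible.builtin.command:
    argv: [/usr/bin/fangfrisch, --conf, /etc/fangfrisch/fangfrisch.conf, initdb]
    creates: /var/lib/fangfrisch/db.sqlite   # match db_url in fangfrisch.conf
```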


@@ -0,0 +1,53 @@
---
#@TODO write handlers for configuring crowdsec
- name: Enroll your crowdsec installation
become: yes
become_method: sudo
command:
argv: [cscli, console, enroll -e, context, "{{ enrollment_key }}"]
register: crowdsec_enrolled
- name: Install caddy crowdsec collection
become: yes
become_method: sudo
command:
argv: [cscli, collections, install, crowdsecurity/caddy]
- name: Install proftpd crowdsec collection
become: yes
become_method: sudo
command:
argv: [cscli, collections, install, crowdsecurity/proftpd]
- name: Install sshd crowdsec collection
become: yes
become_method: sudo
command:
argv: [cscli, collections, install, crowdsecurity/sshd]
- name: Install postgresql crowdsec collection
become: yes
become_method: sudo
command:
argv: [cscli, collections, install, crowdsecurity/pgsql]
- name: Install denial-of-service HTTP crowdsec collection
become: yes
become_method: sudo
command:
argv: [cscli, collections, install, crowdsecurity/http-dos]
- name: Install HTTP crowdsec collection
become: yes
become_method: sudo
command:
argv: [cscli, collections, install, crowdsecurity/base-http-scenarios]
- name: Install Postfix crowdsec collection
become: yes
become_method: sudo
command:
argv: [cscli, collections, install, crowdsecurity/postfix]
- name: Update crowdsec objects
become: yes
become_method: sudo
command:
argv: [cscli, hub, update]
- name: Upgrade crowdsec objects
become: yes
become_method: sudo
command:
argv: [cscli, hub, upgrade]
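Review bot: The enroll task passes `enroll -e` as one argv element, so `cscli` receives the literal argument `enroll -e` instead of the subcommand and its flag; split it: `argv: [cscli, console, enroll, -e, context, "{{ enrollment_key }}"]`. The enrollment key is a secret, so add `no_log: true` to that task so it does not appear in verbose output; it remains visible on the process command line while `cscli` runs. The remaining `cscli` commands have no `creates`/`changed_when`, so every play reports them changed and re-runs enrollment, and `hub update` is placed after the collection installs rather than before them.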


@@ -0,0 +1,76 @@
---
- name: Check if path to fail2ban configuration files exists
stat:
path: /etc/fail2ban/jail.d
register: fail2path
- name: Check if path to systemd fail2ban service configuration files exists
stat:
path: /etc/systemd/system/fail2ban.service.d
register: fail2serve_path
- name: Create relevant fail2ban configuration directory
become: yes
become_method: sudo
file:
path: /etc/fail2ban/jail.d
state: directory
register: fail2bandir_created
when: not fail2path.stat.exists
- name: Create relevant fail2ban configuration directory
become: yes
become_method: sudo
file:
path: /etc/systemd/system/fail2ban.service.d
state: directory
register: fail2servdir_created
when: not fail2serve_path.stat.exists
- name: Copy protftpd jail file
become: yes
become_method: sudo
copy:
src: ftp.local
dest: /etc/fail2ban/jail.d/ftp.local
force: yes
backup: yes
when: fail2path.stat.exists
- name: Copy sshd jail file
become: yes
become_method: sudo
copy:
src: sshd.local
dest: /etc/fail2ban/jail.d/sshd.local
force: yes
backup: yes
when: fail2path.stat.exists
- name: Copy fail2ban modified service configuration
become: yes
become_method: sudo
copy:
src: override.conf
dest: /etc/systemd/system/fail2ban.service.d/sshd.local
force: yes
backup: yes
when: fail2serve_path.stat.exists
- name: Reload fail2ban service
become: yes
become_method: sudo
service:
name: fail2ban
state: reloaded
register: fail2ban_reloaded
- name: Start and enable fail2ban service
become: yes
become_method: sudo
service:
name: fail2ban
state: started
enabled: yes
register: fail2ban_running
when: fail2ban_reloaded
- name: Restart fail2ban service
become: yes
become_method: sudo
service:
name: fail2ban
state: restarted
register: fail2ban_restarted
when: fail2ban_reloaded
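Review bot: The three copy tasks are gated on `fail2path.stat.exists` / `fail2serve_path.stat.exists`, which were captured before the directories were created, so on a host where a directory was missing the jail files and the override are never installed during that run; drop those conditions (the directory exists by then) or gate on `fail2path.stat.exists or fail2bandir_created is changed`. The systemd override is written as `/etc/systemd/system/fail2ban.service.d/sshd.local`, but systemd only reads drop-ins ending in `.conf`, so the file is ignored — use `dest: /etc/systemd/system/fail2ban.service.d/override.conf` and run `systemd: daemon_reload: yes` before the reload. The `when: fail2ban_reloaded` conditions are always true because a registered result is a non-empty mapping.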


@@ -0,0 +1,123 @@
---
- name: Set default branch name
become: yes
become_method: sudo
community.general.git_config:
name: init.defaultBranch
value: main
scope: system
add_mode: replace_all
state: present
register: gitedit_set
- name: Set default git text editor
become: yes
become_method: sudo
community.general.git_config:
name: core.editor
value: vim
scope: system
add_mode: replace_all
state: present
register: gitedit_set
- name: Create directory for some git files
file:
path: "{{ ansible_facts['user_dir'] }}/.config/git"
state: directory
register: gitdir_created
- name: Create git commit message template file
copy:
src: git/gitmessage
dest: "{{ ansible_facts['user_dir'] }}/.config/git/gitmessage"
force: yes
backup: yes
register: gittemp_created
- name: Set a commit template file for git
community.general.git_config:
name: commit.template
value: "{{ ansible_facts['user_dir'] }}/.config/git/gitmessage"
scope: global
add_mode: replace_all
state: present
register: gittemp_set
- name: Set git key format to OpenPGP
community.general.git_config:
name: gpg.format
value: "openpgp"
scope: global
add_mode: replace_all
state: present
register: gitkeyformat_set
#@TODO: Add a gpg section to group_var or host_var vaults
- name: Set a user signing key for git
community.general.git_config:
name: user.signingkey
value: "{{ gpg_sign_id }}"
scope: global
add_mode: replace_all
state: present
register: gitsignkey_registered
- name: Set key signage to occur for commits by default in git
community.general.git_config:
name: commit.gpgSign
value: "true"
scope: global
add_mode: replace_all
state: present
- name: Set key signage to occur for tagging by default in git
community.general.git_config:
name: tag.gpgSign
value: "true"
scope: global
add_mode: replace_all
state: present
- name: Create a boilerplate gitignore file for git
copy:
src: git/gitignore.sample
dest: "{{ ansible_facts['user_dir'] }}/.config/git/gitignore"
force: yes
backup: yes
register: gitgignore_created
- name: Set boilerplate gitignore file in global scope
community.general.git_config:
name: core.excludesfile
value: "{{ ansible_facts['user_dir'] }}/.config/git/gitignore"
scope: global
add_mode: replace_all
state: present
register: gitgignore_set
- name: Set autocorrect for git
become: yes
become_method: sudo
community.general.git_config:
name: help.autocorrect
value: 0
scope: system
add_mode: replace_all
state: present
register: gitautocorr_set
- name: Set git to replace CRLF endings when pulling
become: yes
become_method: sudo
community.general.git_config:
name: core.autocrlf
value: input
scope: system
add_mode: replace_all
state: present
register: gitcrlf_set
- name: Set git username
community.general.git_config:
name: user.name
value: "{{ official_name | default(ansible_facts['user_id'], true) }}"
scope: global
add_mode: replace_all
state: present
register: gituser_set
- name: Set git user email
community.general.git_config:
name: user.email
value: "{{ official_email | default('admin@' ~ domain_name, true) }}"
scope: global
add_mode: replace_all
state: present
register: gitemail_set
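Review bot: `commit.gpgSign` and `tag.gpgSign` are switched on unconditionally while `user.signingkey` is rendered from `gpg_sign_id`, which this role's vars default to null, so the key is written as an empty string and signing would be attempted with no usable key; gate the three signing tasks with `when: gpg_sign_id is not none and gpg_sign_id | length > 0`. The two system-scope tasks both `register: gitedit_set`, so the first result is overwritten — rename the first to `gitbranch_set`. The `user.email` fallback `admin@{{ domain_name }}` fails the play whenever `domain_name` is undefined.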


@@ -0,0 +1,89 @@
---
- name: Copy and import GPG keypairs to remote host
block:
- name: Create cipher directory for gocryptfs
file:
path: "{{ ansible_facts['user_dir'] }}/.ciphers"
state: directory
- name: Create a gocryptfs vault
command:
argv: [/usr/bin/gocryptfs, -init, "{{ ansible_facts['user_dir'] }}/.ciphers"]
stdin: "{{ gcfs_password }}"
register: gcfs_masterkey_created
- name: Create temporary file for password
tempfile:
prefix: gcfs_passfile
state: file
register: tempfile_created
- name: Put password in temporary file
lineinfile:
path: "{{ tempfile_created.path }}"
line: "{{ gcfs_password }}"
state: present
when: tempfile_created
- name: Create directory for storing gocryptfs decryption configuration files
file:
path: "{{ ansible_facts['user_dir'] }}/.fskeys/ciphers"
state: directory
- name: Get gocryptfs decryption configuration file metadata
stat:
path: "{{ ansible_facts['user_dir'] }}/.ciphers"
when: gcfs_masterkey_created.rc == 0
register: gcfs_vault
- name: Copy gocryptfs decryption configuration to another directory
copy:
remote_src: "{{ ansible_facts['user_dir'] }}/.ciphers/gocryptfs.conf"
dest: "{{ ansible_facts['user_dir'] }}/.fskeys/ciphers/gocryptfs.conf"
force: yes
backup: yes
register: gocryptfs_conf_copied
when: gcfs_vault.stat.exists and gcfs_masterkey_created.rc == 0
- name: Remove gocryptfs decryption configuration from source directory
file:
path: "{{ ansible_facts['user_dir'] }}/.ciphers/gocryptfs.conf"
state: absent
register: gocryptfs_orig_conf_removed
when: gocryptfs_conf_copied
- name: Mount the gocryptfs vault
ansible.posix.mount:
src: "{{ ansible_facts['user_dir'] }}/.ciphers"
path: "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain"
state: ephemeral
fstype: fuse./usr/bin/gocryptfs
opts: "nofail,passfile={{ tempfile_created.path }},config={{ ansible_facts['user_dir'] }}/.fskeys/ciphers/gocryptfs.conf"
register: gcfs_mounted
when: gcfs_vault.stat.exists and gcfs_masterkey_created.rc == 0
- name: Create directory in decrypted gocryptfs vault
file:
path: "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain/gpg"
state: directory
when: gcfs_mounted
- name: Copy GPG keypair
copy:
src: "gpg/{{ ansible_facts['user_id'] }}/{{ item }}"
dest: "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain/gpg/{{ item }}"
force: yes
backup: yes
loop: "{{ query('fileglob', roles_path ~ 'bootstrap/files/gpg/' ~ ansible_facts['user_id'] ~ '/*') }}"
register: gpgkeys_copied
when: gcfs_mounted
- name: Import GPG keypair
become: yes
become_method: sudo
command:
argv: [gpg, --import, "{{ ansible_facts['user_dir'] }}/.mnt/ciphers.plain/gpg/{{ item }}"]
loop: "{{ query('fileglob', roles_path ~ 'bootstrap/files/gpg/' ~ ansible_facts['user_id'] ~ '/*') }}"
register: gpgkeys_imported
when: gpgkeys_copied and gcfs_mounted
#@TODO create handler that sends copy of gcfs_masterkey_created somehow
- name: Unmount the gocryptfs vault
ansible.posix.mount:
path: "{{ ansible_facts['user_dir'] }}/.mnt/plains"
state: unmounted
register: gcfs_unmounted
when: gpgkeys_copied and gcfs_mounted
# - name: Unmount the gocryptfs vault
# command:
# argv: [fusermount, -u, "{{ ansible_facts['user_dir'] }}/.mnt/plains"]
# when: gpgkeys_copied and gcfs_mounted
register: gpg_keypair_copy


@@ -0,0 +1,19 @@
---
- name: Configure ProFTPd
block:
- name: Apply proftpd configuration template
become: yes
become_method: sudo
template:
src: proftpd/proftpd.conf.j2
dest: /etc/proftpd/proftpd.conf
force: yes
backup: yes
- name: Apply proftpd virtualhost configuration template
become: yes
become_method: sudo
template:
src: proftpd/vhost.conf.j2
dest: /etc/proftpd/conf.d/hosts.conf
force: yes
backup: yes
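Review bot: Both template tasks overwrite the live ProFTPD configuration without a syntax check, and nothing reloads the daemon afterwards, so a rendering error only surfaces at the next restart and a good change is not applied until then. Add `validate: "proftpd -t -c %s"` to the main `proftpd.conf` task (the vhost fragment depends on the main file's `Include`, so validate only the main one; confirm the binary path on the target) and `notify: restart proftpd` on both, with a matching handler.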


@@ -0,0 +1,7 @@
---
- name: Install natively available core system packages
package:
name: "{{ item.package }}"
state: present
loop: "{{ combine(server_pkgs, virtualization_pkgs, pkgmanager_pkgs, cli_pkgs, coding_pkgs, media_pkgs) }}"
register: native_done
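Review bot: `combine(server_pkgs, ...)` is written as a function call, but `combine` is an Ansible Jinja filter, so `{{ combine(...) }}` raises an undefined-name error before the loop runs; these are lists of `{package: ...}` items, so concatenate them: `loop: "{{ server_pkgs + virtualization_pkgs + pkgmanager_pkgs + cli_pkgs + coding_pkgs + media_pkgs }}"`. Looping `package` one item at a time also runs one package-manager transaction per package; passing the whole list as `name: "{{ (...) | map(attribute='package') | list }}"` installs them in a single transaction. The task lacks `become: yes` unlike the other privileged tasks in this role.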


@@ -0,0 +1,44 @@
---
- name: Register new repositories
block:
- name: Grab keys for foreign package repositories
get_url:
url: "{{ item.key }}"
dest: "{{ item.key_dest }}"
group: root
owner: root
force: true
when: item.key is defined and item.key_orig_is_url
- name: Add (i.e., render native) the foreign package repositories
get_url:
url: "{{ item.repo }}"
dest: "{{ item.repo_dest }}"
group: root
owner: root
force: true
when: item.repo is defined and item.repo_orig_is_url
- name: Grab keys for foreign package repositories
copy:
src: "{{ item.key }}"
dest: "{{ item.key_dest }}"
group: root
owner: root
force: true
when: item.key is defined and not item.key_orig_is_url
- name: Add (i.e., render native) the foreign package repositories
copy:
src: "{{ item.repo }}"
dest: "{{ item.repo_dest }}"
group: root
owner: root
force: true
when: item.repo is defined and not item.repo_orig_is_url
loop: "{{ combine(server_pkgs_ext, cli_pkgs_ext) }}"
register: repos_added
notify: update
- name: Install newly available packages
package:
name: "{{ item.package }}{{ item.version }}"
state: latest
loop: "{{ combine(server_pkgs_ext, cli_pkgs_ext) }}"
register: foreign_pkgs_done
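Review bot: `loop:` is attached to the block together with `register` and `notify`, but Ansible does not support loops on blocks, so the play fails to parse; move the four tasks into a task file driven by `include_tasks` with `loop`, or loop each task individually. The repository keys and repo files are fetched with `get_url` and `force: true` but no `checksum:`, so a tampered or replaced key is installed silently — carry a digest per item and pass `checksum: "sha256:{{ item.key_sha256 }}"`, and set `mode: "0644"` on the written files. `name: "{{ item.package }}{{ item.version }}"` errors on any item without a `version` key; use `{{ item.version | default('') }}`.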


@@ -0,0 +1,8 @@
---
- name: Pull necessary images for containers
containers.podman.podman_image:
name: "{{ item.uri }}"
tag: "{{ item.tag }}"
pull: yes
state: present
loop: "{{ core_cimages }}"


@@ -0,0 +1,34 @@
---
- name: Disable shell session root login
user:
name: "{{ item.username }}"
shell: /sbin/nologin
loop: "{{ roots }}"
register: root_deshelled
when: nonlogin_method == 'deshell'
tags: ['default', 'root_deshelling']
- name: Lock the root account
user:
name: "{{ item.username }}"
password_lock: yes
loop: "{{ roots }}"
register: root_locked
when: nonlogin_method == 'lock' or nonlogin_method == 'all'
tags: ['default', 'root_locking']
- name: Disable root account password
user:
name: "{{ item.username }}"
password: "*"
loop: "{{ roots }}"
register: root_closed
when: nonlogin_method == 'close'
tags: ['default', 'root_closing']
- name: Disable root account password and shell login
user:
name: "{{ item.username }}"
password: "*"
shell: /sbin/nologin
loop: "{{ roots }}"
register: root_delogged
when: nonlogin_method == 'delog' or nonlogin_method == 'all'
tags: ['default', 'root_locking']
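Review bot: The `delog` task carries the `root_locking` tag, duplicating the lock task's tag, so `--tags root_locking` runs both and no tag selects the delog branch alone; use `tags: ['default', 'root_delogging']`. Since `delog` is this role's default and the accompanying test play connects as `root`, make sure an admin account with sudo and keys exists before this task runs on a remote host, or the play locks out the only usable account. `/sbin/nologin` also varies by distribution (`/usr/sbin/nologin` on Debian-family without merged-usr) — consider making the path a variable.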


@@ -0,0 +1,10 @@
---
- name: Disable remote login for root
copy:
src: sshd/denyroot.conf
dest: /etc/ssh/sshd_config.d/denyroot.conf
owner: "{{ primary_root_acct }}"
group: "{{ primary_root_acct }}"
force: yes
register: sshroot_disabled
tags: ['default', 'deny_sshroot']
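Review bot: The drop-in's `owner`/`group` are set to `primary_root_acct`, which this role derives as `root_auths[0]` — an element the root tasks index with `.username` — so a mapping rather than a user name may be rendered here; an sshd drop-in should simply use `owner: root`, `group: root`, `mode: "0644"`. The task neither validates nor reloads sshd: add `validate: /usr/sbin/sshd -t -f %s` (the drop-in is self-contained, so validating the temp file works) and `notify: reload sshd`, plus `become: yes` to match the sibling tasks.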


@@ -0,0 +1,7 @@
---
- name: Install natively available core system packages
package:
name: "{{ item.package }}"
state: present
loop: "{{ my_pkgs }}"
register: extra_done
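Review bot: The task name duplicates the core-packages task (`Install natively available core system packages`), which makes play output ambiguous; rename it `Install extra system packages`. Looping `package` per item runs one package-manager transaction per entry; `name: "{{ my_pkgs | map(attribute='package') | list }}"` with no loop installs them at once. Add `become: yes` as the role's other privileged tasks do.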


@@ -0,0 +1,8 @@
---
- name: Pull recommended images for containers
containers.podman.podman_image:
name: "{{ item.uri }}"
tag: "{{ item.tag }}"
pull: yes
state: present
loop: "{{ recc_cimages }}"


@@ -0,0 +1,9 @@
---
- name: Create system groups
group:
name: "{{ item.group_name }}"
system: yes
state: present
loop: "{{ sys_groups }}"
register: groups_created
tags: ['default']


@@ -0,0 +1,3 @@
#SPDX-License-Identifier: MIT-0
---
# tasks file for common


@@ -0,0 +1,7 @@
---
- name: Update repositories cache
apt:
update_cache: yes
upgrade: "{{ upgrade_type }}"
register: system_upgraded
tags: ['upgrade_pkgs']
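Review bot: This task calls the `apt` module directly while the rest of the role uses the distro-neutral `package` module, so it fails on any non-Debian host; if Debian-only is intended, guard it with `when: ansible_facts['os_family'] == 'Debian'`. `upgrade_type` is not declared in the role's vars shown here, so the play errors unless the caller sets it — use `upgrade: "{{ upgrade_type | default('safe') }}"`. `cache_valid_time: 3600` would avoid refreshing the cache on every run.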


@@ -0,0 +1,45 @@
---
- name: Create administrative user
user:
name: "{{ item.username }}"
system: no
create_home: yes
append: yes
groups:
- sudo
shell: /bin/bash
password: "{{ item.password }}"
password_expire_max: 186
password_expire_min: 93
password_expire_warn: 15
state: present
loop: "{{ admins }}"
register: admins_created
when: admins is defined
tags: ['default', 'add_admins']
- name: Create guest user
user:
name: "{{ item.username }}"
system: no
create_home: yes
shell: /bin/bash
state: present
loop: "{{ guests }}"
register: guests_created
when: guests is defined
tags: ['add_guests']
- name: Create standard users
user:
name: "{{ item.username }}"
system: no
create_home: yes
shell: "/bin/bash"
password: "{{ item.password }}"
password_expire_max: 93
password_expire_min: 30
password_expire_warn: 7
state: present
loop: "{{ users }}"
register: users_created
when: users is defined
tags: ['default', 'add_users']
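Review bot: `password: "{{ item.password }}"` hands the value to the `user` module verbatim, and that module expects an already-hashed string, so a plaintext password from inventory is written into /etc/shadow as-is and the account cannot log in; use `password: "{{ item.password | password_hash('sha512') }}"` (or store hashes in the vault) and add `no_log: true` to both password-handling tasks so the value never reaches logs. Add `update_password: on_create` as well, otherwise the fresh salt makes the task report changed on every run. `groups: sudo` is Debian-specific; RHEL-family hosts use `wheel`.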


@@ -0,0 +1,2 @@
dns_porkbun_secret={{ dns_secret }}
dns_porkbun_key={{ dns_key }}
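Review bot: This file renders the Porkbun API key and secret in plaintext; the task that writes it is not in view, so confirm it sets `mode: "0600"` and an `owner` matching the account that runs the ACME client, and that `dns_secret`/`dns_key` resolve only from vault-encrypted variables. Add `no_log: true` to that template task so the rendered content is not echoed in diff mode.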


@@ -0,0 +1,93 @@
ServerType standalone
ServerName ProFTPd
ServerAdmin ftp@sukaato
ServerIdent on "Currently on the fallback server..."
Protocols ftp
DefaultServer on
Port 21
User ftpd
Group nogroup
TransferLog /var/log/proftpd/transfer.log
SystemLog /var/log/proftpd/proftpd.log
<IfModule !mod_tls.c>
LoadModule mod_tls.c
</IfModule>
<IfModule !mod_ifsession.c>
LoadModule mod_ifsession.c
</IfModule>
<IfModule !mod_auth_file.c>
LoadModule mod_auth_file.c
</IfModule>
<Limit LOGIN SITE_CHMOD>
DenyAll
</Limit>
<Global>
AuthOrder mod_auth_file.c mod_auth_pam.c mod_auth_unix.c
RootLogin off
RequireValidShell off
UseFtpUsers off
PersistentPassword off
AllowEmptyPasswords off
DisplayConnect {{ welcome_msg_path }}
DisplayQuit {{ goodbye_msg_path }}
DisplayFileTransfer {{ transfer_msg_path }}
Umask {{ default_umask }}
MaxClients 35
MaxClientsPerUser 5
MaxLoginAttempts 4
TimeoutSession 28800
TimeoutNoTransfer 900
TimeoutStalled 900
TimeoutIdle 1200
TimeoutLinger 120
ListOptions "" maxdepth 3
AllowOverwrite on
ShowSymlinks on
<IfModule mod_ident.c>
IdentLookups off
</IfModule>
<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>
<IfModule mod_ratio.c>
Ratios off
</IfModule>
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<Limit SITE_CHMOD SITE_CHGRP>
DenyAll
</Limit>
<Limit LOGIN>
AllowUser OR {{ users_allowed }}
DenyAll
</Limit>
DirFakeUser on ~
DirFakeGroup on ~
DefaultRoot ~
<Directory /*>
HideFiles ^\.
<Limit DIRS APPE DELE RMD XRMD RNTO RNFR SYMLINK>
IgnoreHidden on
</Limit>
</Directory>
</Global>
Include /etc/proftpd/conf.d/*.conf
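Review bot: The default server keeps a plaintext FTP listener (`Protocols ftp`, `Port 21`) open even though its logins are denied by the top-level `<Limit LOGIN>`; since real traffic goes through the FTPS virtual host, set `Port 0` on the default server so no unencrypted service is exposed (ProFTPD treats port 0 as disabling the main server). `ServerAdmin ftp@sukaato` is hardcoded while the virtual host uses `{{ admin_email }}`; use the variable here too. `AllowUser OR {{ users_allowed }}` relies on a space-separated string; a YAML list joined with `' '` would be less error-prone.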


@@ -0,0 +1,31 @@
<IfModule mod_tls.c>
<VirtualHost 0.0.0.0>
ServerName {{ servername }}
ServerAdmin {{ admin_email }}
ServerAlias {{ serveralias }}
ServerIdent on "Welcome to %v!"
Protocols {{ ftp_protocols }}
Port {{ ftp_port }}
{# PassivePorts 49152 65534 #}
DisplayChdir .category.msg
DisplayLogin .welcome.msg
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSOptions AllowClientRenegotiations
TLSVerifyClient off
TLSRequired on
TLSRenegotiate required off
TLSECCertificateFile {{ sec_cert_path }}
TLSCACertificateFile {{ sca_cert_path }}
TLSECCertificateKeyFile {{ key_cert_path }}
<IfModule mod_auth_file.c>
AuthUserFile {{ ftp_auth_user_path }}
AuthGroupFile {{ ftp_auth_group_path }}
AuthFileOptions SyntaxCheck
</IfModule>
</VirtualHost>
</IfModule>
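Review bot: `TLSProtocol SSLv23` selects every protocol the OpenSSL build supports, including TLS 1.0/1.1, and `TLSOptions AllowClientRenegotiations` re-enables client-initiated renegotiation, a known DoS vector; replace them with `TLSProtocol TLSv1.2 TLSv1.3` and drop the `AllowClientRenegotiations` option (`TLSRenegotiate required off` already shows renegotiation is not needed). Add a `TLSCipherSuite` line restricting to modern suites. With `PassivePorts` commented out, the host firewall must allow the full high-port range for passive data connections — presumably unintended, to be confirmed.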


@@ -0,0 +1,3 @@
#SPDX-License-Identifier: MIT-0
localhost


@@ -0,0 +1,6 @@
#SPDX-License-Identifier: MIT-0
---
- hosts: localhost
remote_user: root
roles:
- bootstrap
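Review bot: This test play runs the whole `bootstrap` role against `localhost` as `root`, and the role by default locks and de-shells the root accounts and installs an sshd drop-in disabling root login, so a test run mutates the controller itself. Use `connection: local` with non-destructive variables (any `nonlogin_method` value other than the handled ones skips all four root tasks) or target a disposable host. `remote_user: root` has no effect on a local connection.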


@@ -0,0 +1,12 @@
#SPDX-License-Identifier: MIT-0
---
# vars file for bootstrap
admins: ~
guests: ~
users: ~
roots: ~
enrollment_key: "{{ crowdsec_key }}"
gcfs_password: "{{ gocrypt_password }}"
gpg_sign_id: ~
official_name: ~
official_email: ~
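Review bot: `admins`, `guests`, `users` and `roots` default to `~` (null), yet the consuming tasks test `when: admins is defined` and then `loop: "{{ admins }}"`; a null variable is defined, so the guard passes and `loop` fails with an invalid-data error. Either default them to `[]` and change the guards to `when: admins | length > 0`, or leave them undefined here. Placing role defaults in `vars/` also gives them precedence over inventory group/host vars; these belong in `defaults/main.yml`. `enrollment_key` and `gcfs_password` should resolve only from vault-encrypted variables.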


@@ -0,0 +1,3 @@
---
dns_secret: "{{ porkbun_api_secret }}"
dns_key: "{{ porkbun_api_key }}"


@@ -0,0 +1,2 @@
---
enrollment_key: "{{ crowdsec_key }}"


@@ -0,0 +1,4 @@
---
gpg_sign_id: ~
official_name: ~
official_email: ~


@@ -0,0 +1,2 @@
---
gcfs_password: "{{ gocrypt_password }}"


@@ -0,0 +1,16 @@
---
welcome_msg_path: /etc/proftpd/welcome.msg
goodbye_msg_path: /etc/proftpd/bye.msg
transfer_msg_path: /etc/proftpd/transfer.msg
default_umask: "0022 0022"
users_allowed: cybersmuggler webmaster
servername: ftp.sukaato.moe
admin_email: admin@sukaato.moe
serveralias: sukaato
ftp_protocols: ftps
ftp_port: 990
sec_cert_path: /etc/srv/domain.cert.pem
sca_cert_path: /etc/srv/domain.cert.pem
key_cert_path: /etc/srv/private.key.pem
ftp_auth_user_path: /etc/proftpd/ftp.passwd
ftp_auth_group_path: /etc/proftpd/ftpd.group
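Review bot: `sca_cert_path` points at the same file as `sec_cert_path` (`/etc/srv/domain.cert.pem`), so `TLSCACertificateFile` receives the leaf certificate instead of the issuing chain and clients needing the intermediate fail chain validation; point it at the CA/chain bundle (presumably a separate chain file, to be confirmed). `users_allowed`, `servername` and `admin_email` are hardcoded personal values in a shared role and belong in inventory.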


@@ -0,0 +1,5 @@
---
pubkeys: "{{ user_pubkeys }}"
primary_root_acct: "{{ root_auths[0] }}"
nonlogin_method: delog
roots: "{{ root_auths }}"
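Review bot: `primary_root_acct: "{{ root_auths[0] }}"` takes the first element of `root_auths`, and the root tasks in this role iterate those elements as mappings with `.username`, so this variable likely holds a dict rather than a name; it is used as a file `owner`/`group`, so use `root_auths[0].username` (confirm the shape of `root_auths` in inventory). An empty `root_auths` yields an undefined index at first use; `root_auths[0].username | default('root')` keeps the sshd task working.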