Merge branch 'main' into feature/offboard-state

Author: sjpb

ansible/.gitignore

@@ -14,6 +14,8 @@ roles/*
 !roles/grafana-datasources/**
 !roles/passwords/
 !roles/passwords/**
+!roles/fail2ban/
+!roles/fail2ban/**
 !roles/hpctests/
 !roles/hpctests/**
 !roles/block_devices/
@@ -22,3 +24,5 @@ roles/*
 !roles/basic_users/**
 !roles/openondemand/
 !roles/openondemand/**
+!roles/firewalld/
+!roles/firewalld/**

ansible/bootstrap.yml

@@ -36,6 +36,22 @@
         policy: "{{ selinux_policy }}"
       register: sestatus
 
+- hosts: firewalld
+  gather_facts: false
+  become: yes
+  tags: firewalld
+  tasks:
+    - import_role:
+        name: firewalld
+
+- hosts: fail2ban
+  gather_facts: false
+  become: yes
+  tags: fail2ban
+  tasks:
+    - import_role:
+        name: fail2ban
+
 - hosts: update
   gather_facts: false
   become: yes

ansible/roles/fail2ban/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

ansible/roles/fail2ban/README.md

@@ -0,0 +1,45 @@
+fail2ban
+=========
+
+Setup fail2ban to protect SSH on a host.
+
+Note that no email alerts are set up so logs (at `/var/log/fail2ban.log`) will have to be manually reviewed if required.
+
+Requirements
+------------
+
+- An EL8 system.
+- `firewalld` running.
+
+Role Variables
+--------------
+None.
+
+Dependencies
+------------
+
+None.
+
+Example Playbook
+----------------
+
+```yaml
+- hosts: fail2ban
+  gather_facts: false
+  become: yes
+  tasks:
+    - import_role:
+        name: firewalld
+    - import_role:
+        name: fail2ban
+```
+
+License
+-------
+
+Apache v2
+
+Author Information
+------------------
+
+stackhpc.com

ansible/roles/fail2ban/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Restart fail2ban
+  service:
+    name: fail2ban
+    state: restarted
+    enabled: true

ansible/roles/fail2ban/meta/main.yml

@@ -0,0 +1,44 @@
+galaxy_info:
+  author: Steve Brasier
+  company: stackhpc
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: Apache-2.0
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  platforms:
+  - name: EL
+    versions:
+    - 8
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

ansible/roles/fail2ban/tasks/main.yml

@@ -0,0 +1,26 @@
+---
+- name: Install EPEL repo
+  package:
+    name: epel-release
+
+- name: Install fail2ban packages
+  package:
+    name:
+      - fail2ban-server
+      - fail2ban-firewalld
+    state: present
+
+- name: Create config
+  template:
+    dest: /etc/fail2ban/jail.local
+    src: jail.local.j2
+  notify: Restart fail2ban
+
+- name: flush handlers
+  meta: flush_handlers
+
+- name: Ensure fail2ban running even if no config change
+  service:
+    name: fail2ban
+    state: started
+    enabled: true

ansible/roles/fail2ban/templates/jail.local.j2

@@ -0,0 +1,6 @@
+[DEFAULT]
+bantime = 3600
+action = %(action_)s
+
+[sshd]
+enabled = true

ansible/roles/firewalld/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

ansible/roles/firewalld/README.md

@@ -0,0 +1,63 @@
+Role Name
+=========
+
+Install and configure the `firewalld` firewall.
+
+Requirements
+------------
+
+EL8 host
+
+Role Variables
+--------------
+
+- `firewalld_enabled`: Optional. Whether `firewalld` service is enabled (starts at boot). Default `yes`.
+- `firewalld_state`: Optional. State of `firewalld` service. Default `started`. Other values: `stopped`.
+- `firewalld_configs`: Optional. List of dicts giving parameters for [ansible.posix.firewalld module](https://docs.ansible.com/ansible/latest/collections/ansible/posix/firewalld_module.html). Default is an empty list.
+
+Note that the default configuration for firewalld on Rocky Linux 8.5 is as follows:
+```shell
+#  firewall-offline-cmd --list-all
+public
+  target: default
+  icmp-block-inversion: no
+  interfaces: 
+  sources: 
+  services: cockpit dhcpv6-client ssh
+  ports: 
+  protocols: 
+  forward: no
+  masquerade: no
+  forward-ports: 
+  source-ports: 
+  icmp-blocks: 
+  rich rules: 
+```
+
+Dependencies
+------------
+
+None.
+
+Example Playbook
+----------------
+
+```
+- hosts: firewalld
+  gather_facts: false
+  become: yes
+  tags: firewalld
+  tasks:
+    - import_role:
+        name: firewalld
+```
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

ansible/roles/firewalld/defaults/main.yml

@@ -0,0 +1,3 @@
+firewalld_enabled: yes
+firewalld_state: started
+firewalld_configs: []

ansible/roles/firewalld/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Restart filewalld
+  service:
+    name: firewalld
+    state: restarted
+  when: "{{ firewalld_state != 'stopped' }}"

ansible/roles/firewalld/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

ansible/roles/firewalld/tasks/install.yml

@@ -0,0 +1,3 @@
+- name: Install firewalld package
+  dnf:
+    name: firewalld

ansible/roles/firewalld/tasks/main.yml

@@ -0,0 +1,15 @@
+---
+- import_tasks: install.yml
+
+- name: Apply filewalld configs
+  ansible.posix.firewalld: "{{ item }}"
+  notify: Restart filewalld
+  loop: "{{ firewalld_configs }}"
+
+- meta: flush_handlers
+
+- name: Ensure filewalld state
+  ansible.builtin.systemd:
+    name: firewalld
+    state: "{{ firewalld_state }}"
+    enabled: "{{ firewalld_enabled | default('yes' ) }}"

ansible/roles/firewalld/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for firewalld