wireapp · jschumacher-wire · Jan 24, 2024 · Jan 17, 2024 · Jan 18, 2024 · Jan 18, 2024
@@ -0,0 +1,32 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+  chain block_definitions {
+    ct state established,related accept
+    ct state invalid drop
+    tcp flags != syn ct state new counter drop
+    counter drop
+#    log prefix "DROP " counter drop
+  }
+  chain INPUT {
+    type filter hook input priority 0;
+    ip protocol icmp icmp type echo-request counter accept
+    ip6 nexthdr ipv6-icmp icmpv6 type echo-request counter accept
+    ip6 nexthdr ipv6-icmp ip6 hoplimit 1 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert } counter accept
+    ip6 nexthdr ipv6-icmp ip6 hoplimit 255 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert } counter accept
+    iifname { lo, virbr0 } counter accept
+    tcp dport 22 counter accept comment "SSH incoming"
+    jump block_definitions
+  }
+  chain FORWARD {
+    type filter hook forward priority 0;
+    iifname virbr0 ip saddr 192.168.122.0/24 oifname virbr0 ip daddr 192.168.122.0/24 counter accept comment "allow all traffic between VMs"
+    jump block_definitions
+  }
+  chain OUTPUT {
+    type filter hook output priority 0;
+    policy accept;
+  }
+}
@@ -0,0 +1,25 @@
+Port 22
+
+AcceptEnv LANG LC_*
+LogLevel verbose
+PrintMotd no
+
+# Hardened algorithm configuration based on the output of 'ssh-audit' (https://github.com/jtesta/ssh-audit).
+
+KexAlgorithms [email protected],curve25519-sha256,[email protected],gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512
+Ciphers [email protected],[email protected]
+MACs [email protected]
+
+HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512
+CASignatureAlgorithms [email protected],ssh-ed25519,rsa-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
+HostbasedAcceptedAlgorithms [email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512
+PubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512,ecdsa-sha2-nistp521
+
+PasswordAuthentication no
+PubkeyAuthentication yes
+ChallengeResponseAuthentication no
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+UsePAM yes
+X11Forwarding no
@@ -0,0 +1,150 @@
+- hosts: all
+  become: true
+  vars:
+    artifact_hash: cc69eb754b69b9fbe13784de8cf6e7f6ef0f7ff6
+    ubuntu_version: 22.04.3
+    ssh_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDPTGTo1lTqd3Ym/75MRyQvj8xZINO/GI6FzfIadSe5c [email protected]"
+  tasks:
+  - name: apt update
+    apt: update_cache=yes force_apt_get=yes
+  - name: apt upgrade
+    apt: upgrade=dist force_apt_get=yes
+  - name: install default packages
+    apt:
+      install_recommends: no
+      pkg:
+      - aptitude
+      - apt-transport-https
+      - bind9-host
+      - curl
+      - debian-goodies
+      - dnsutils
+      - git
+      - less
+      - lsof
+      - net-tools
+      - rsyslog
+      - screen
+      - sudo
+      - vim
+      - wget
+      - whois
+      - docker.io
+      - qemu
+      - qemu-kvm
+      - qemu-utils
+      - libvirt-clients
+      - libvirt-daemon-system
+      - virtinst
+      - bridge-utils
+  - name: generate german locales
+    locale_gen:
+      name: de_DE.UTF-8
+      state: present
+  - name: generate us locales
+    locale_gen:
+      name: en_US.UTF-8
+      state: present
+  - name: set system language
+    lineinfile:
+      path: /etc/default/locale
+      regexp: '^#?LANG='
+      line: 'LANG="en_US.UTF-8"'
+  - name: set keyboard layout
+    lineinfile:
+      path: /etc/default/keyboard
+      regexp: '^#?XKBLAYOUT='
+      line: 'XKBLAYOUT="us"'
+  - name: set keyboard variant
+    lineinfile:
+      path: /etc/default/keyboard
+      regexp: '^#?XKVARIANT='
+      line: 'XKBVARIANT="de"'
+  - name: add default user accounts
+    user:
+      name: demo
+      groups: sudo, kvm, docker
+      uid: 900
+      state: present
+      shell: /bin/bash
+      password: "!"
+  - name: Adding SSH pubkey for user demo
+    authorized_key:
+      user: demo
+      state: present
+      key: "{{ ssh_pubkey }}"
+  - name: passwordless sudo
+    lineinfile:
+      dest: /etc/sudoers
+      regexp: '^%sudo'
+      line: "%sudo ALL=(ALL) NOPASSWD:ALL"
+  - name: deploy sshd config
+    copy:
+      src: files/hetzner_server_sshd_config
+      dest: /etc/ssh/sshd_config
+      mode: 0644
+      owner: root
+      group: root
+    notify: sshd | restart
+  - name: deploy /etc/nftables.conf
+    copy:
+      src: files/hetzner_server_nftables.conf
+      dest: /etc/nftables.conf
+      mode: 0750
+      owner: root
+      group: root
+    notify: nftables | restart
+  - name: deploy wire artifact, ubuntu iso
+    block:
+      - name: create wire-server-deploy directory for demo user
+        file:
+          path: /home/demo/wire-server-deploy
+          state: directory
+          owner: demo
+          group: demo
+          mode: 0775
+      - name: check if wire-server-deploy-static-{{ artifact_hash }}.tgz exists
+        stat:
+          path: /home/demo/wire-server-deploy-static-{{ artifact_hash }}.tgz
+          get_checksum: False
+          get_md5: False
+        register: artifact_archive_file_check
+      - name: download wire-server-deploy archive
+        shell:
+          cmd: curl -fsSLo /home/demo/wire-server-deploy-static-{{ artifact_hash }}.tgz https://s3-eu-west-1.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-{{ artifact_hash }}.tgz
+          creates: /home/demo/wire-server-deploy-static-{{ artifact_hash }}.tgz
+        when: not artifact_archive_file_check.stat.exists
+      - name: check if wire-server-deploy folder contents exist
+        stat:
+          path: /home/demo/wire-server-deploy/containers-helm.tar
+        register: artifact_folder_content_check
+      - name: unpack wire-server-deploy archive
+        unarchive:
+          src: /home/demo/wire-server-deploy-static-{{ artifact_hash }}.tgz
+          dest: /home/demo/wire-server-deploy
+          remote_src: yes
+        when: not artifact_folder_content_check.stat.exists
+      - name: check if ubuntu iso exists
+        stat:
+          path: /home/demo/wire-server-deploy/ubuntu.iso
+        register: iso_file_check
+      - name: download ubuntu {{ ubuntu_version }} iso
+        shell:
+          cmd: curl -fsSLo /home/demo/wire-server-deploy/ubuntu.iso https://releases.ubuntu.com/jammy/ubuntu-{{ ubuntu_version }}-live-server-amd64.iso
+          creates: /home/demo/wire-server-deploy/ubuntu.iso
+        when: not iso_file_check.stat.exists
+      - name: set permissions inside wire-server-deploy via shell command (fails when using ansible directive)
+        shell:
+          cmd: sudo chmod -R 0775 /home/demo/wire-server-deploy; sudo chown -R demo:demo /home/demo
+    become_user: demo
+
+  handlers:
+  - name: sshd | restart
+    service:
+      name: sshd
+      state: restarted
+  - name: nftables | restart
+    service:
+      name: nftables
+      enabled: true
+      state: restarted