agaric/agaric-coop
10
1
Fork 0
Code Issues 102 Pull requests Projects Releases Packages Wiki Activity

Add all files needed to bring up VM and run agaric.com locally

Browse source
This commit is contained in:
benjamin melançon 2018-08-20 10:45:20 -04:00
parent 52c8b60bac
commit 4d2bc0ee24
742 changed files with 24037 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
box/provisioning/roles/geerlingguy.firewall/.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
*.retry
tests/test.sh

50
box/provisioning/roles/geerlingguy.firewall/.travis.yml Normal file
View file

@ -0,0 +1,50 @@
---
services: docker
env:
- distro: centos7
- distro: centos6
- distro: ubuntu1604
- distro: ubuntu1404
- distro: ubuntu1204
- distro: debian8
script:
# Download test shim.
- wget -O ${PWD}/tests/test.sh https://gist.githubusercontent.com/geerlingguy/73ef1e5ee45d8694570f334be385e181/raw/
- chmod +x ${PWD}/tests/test.sh
# Run tests.
- ${PWD}/tests/test.sh
# # Check if TCP port 9123 is open.
# - >
# sudo iptables -L -n
# | grep -q "ACCEPT.*dpt:9123"
# && (echo 'Port 9123 is open - pass' && exit 0)
# || (echo 'Port 9123 is not open - fail' && exit 1)
# # Check running firewall has exit code 0
# - >
# sudo service firewall status
# && (echo 'Status of running firewall is 0 - pass' && exit 0)
# || (echo 'Status of running firewall is not 0 - fail' && exit 1)
# # Stop firewall
# - >
# sudo service firewall stop
# && (echo 'Stopping firewall - pass' && exit 0)
# || (echo 'Stopping firewall - fail' && exit 1)
# # Check stopped firewall has exit code 3
# - >
# sudo service firewall status;
# EXIT=$?;
# if [ 3 -eq $EXIT ]; then
# echo 'Status of stopped firewall is 3 - pass' && exit 0;
# else
# echo 'Status of stopped firewall is not 3 - fail' && exit 1;
# fi
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

20
box/provisioning/roles/geerlingguy.firewall/LICENSE Normal file
View file

@ -0,0 +1,20 @@
The MIT License (MIT)
Copyright (c) 2017 Jeff Geerling
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

93
box/provisioning/roles/geerlingguy.firewall/README.md Normal file
View file

@ -0,0 +1,93 @@
# Ansible Role: Firewall (iptables)
[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-firewall.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-firewall)
Installs an iptables-based firewall for Linux. Supports both IPv4 (`iptables`) and IPv6 (`ip6tables`).
This firewall aims for simplicity over complexity, and only opens a few specific ports for incoming traffic (configurable through Ansible variables). If you have a rudimentary knowledge of `iptables` and/or firewalls in general, this role should be a good starting point for a secure system firewall.
After the role is run, a `firewall` init service will be available on the server. You can use `service firewall [start|stop|restart|status]` to control the firewall.
## Requirements
None.
## Role Variables
Available variables are listed below, along with default values (see `defaults/main.yml`):
firewall_state: started
firewall_enabled_at_boot: true
Controls the state of the firewall service; whether it should be running (`firewall_state`) and/or enabled on system boot (`firewall_enabled_at_boot`).
firewall_allowed_tcp_ports:
- "22"
- "80"
...
firewall_allowed_udp_ports: []
A list of TCP or UDP ports (respectively) to open to incoming traffic.
firewall_forwarded_tcp_ports:
- { src: "22", dest: "2222" }
- { src: "80", dest: "8080" }
firewall_forwarded_udp_ports: []
Forward `src` port to `dest` port, either TCP or UDP (respectively).
firewall_additional_rules: []
firewall_ip6_additional_rules: []
Any additional (custom) rules to be added to the firewall (in the same format you would add them via command line, e.g. `iptables [rule]`/`ip6tables [rule]`). A few examples of how this could be used:
# Allow only the IP 167.89.89.18 to access port 4949 (Munin).
firewall_additional_rules:
- "iptables -A INPUT -p tcp --dport 4949 -s 167.89.89.18 -j ACCEPT"
# Allow only the IP 214.192.48.21 to access port 3306 (MySQL).
firewall_additional_rules:
- "iptables -A INPUT -p tcp --dport 3306 -s 214.192.48.21 -j ACCEPT"
See [Iptables Essentials: Common Firewall Rules and Commands](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands) for more examples.
firewall_log_dropped_packets: true
Whether to log dropped packets to syslog (messages will be prefixed with "Dropped by firewall: ").
firewall_disable_firewalld: false
firewall_disable_ufw: false
Set to `true` to disable firewalld (installed by default on RHEL/CentOS) or ufw (installed by default on Ubuntu), respectively.
## Dependencies
None.
## Example Playbook
- hosts: server
vars_files:
- vars/main.yml
roles:
- { role: geerlingguy.firewall }
*Inside `vars/main.yml`*:
firewall_allowed_tcp_ports:
- "22"
- "25"
- "80"
## TODO
- Make outgoing ports more configurable.
- Make other firewall features (like logging) configurable.
## License
MIT / BSD
## Author Information
This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).

19
box/provisioning/roles/geerlingguy.firewall/defaults/main.yml Normal file
View file

@ -0,0 +1,19 @@
---
firewall_state: started
firewall_enabled_at_boot: true
firewall_allowed_tcp_ports:
- "22"
- "25"
- "80"
- "443"
firewall_allowed_udp_ports: []
firewall_forwarded_tcp_ports: []
firewall_forwarded_udp_ports: []
firewall_additional_rules: []
firewall_ip6_additional_rules: []
firewall_log_dropped_packets: true
# Set to true to ensure other firewall management software is disabled.
firewall_disable_firewalld: false
firewall_disable_ufw: false

3
box/provisioning/roles/geerlingguy.firewall/handlers/main.yml Normal file
View file

@ -0,0 +1,3 @@
---
- name: restart firewall
service: name=firewall state=restarted

23
box/provisioning/roles/geerlingguy.firewall/meta/main.yml Normal file
View file

@ -0,0 +1,23 @@
---
dependencies: []
galaxy_info:
author: geerlingguy
description: Simple iptables firewall for most Unix-like systems.
company: "Midwestern Mac, LLC"
license: "license (BSD, MIT)"
min_ansible_version: 2.0
platforms:
- name: EL
versions:
- all
- name: Debian
versions:
- all
- name: Ubuntu
versions:
- all
galaxy_tags:
- networking
- system
- security

48
box/provisioning/roles/geerlingguy.firewall/tasks/disable-other-firewalls.yml Normal file
View file

@ -0,0 +1,48 @@
---
- name: Check if firewalld package is installed (on RHEL).
shell: yum list installed firewalld
args:
warn: no
register: firewalld_installed
ignore_errors: true
changed_when: false
when: ansible_os_family == "RedHat" and firewall_disable_firewalld
- name: Disable the firewalld service (on RHEL, if configured).
service:
name: firewalld
state: stopped
enabled: no
when: ansible_os_family == "RedHat" and firewall_disable_firewalld and firewalld_installed.rc == 0
- name: Check if ufw package is installed (on Ubuntu).
shell: service ufw status
args:
warn: no
register: ufw_installed
ignore_errors: true
changed_when: false
when: ansible_distribution == "Ubuntu" and firewall_disable_ufw
- name: Disable the ufw firewall (on Ubuntu, if configured).
service:
name: ufw
state: stopped
enabled: no
when: ansible_distribution == "Ubuntu" and firewall_disable_ufw and ufw_installed.rc == 0
- name: Check if ufw package is installed (on Archlinux).
command: pacman -Q ufw
args:
warn: no
register: ufw_installed
ignore_errors: true
changed_when: false
when: ansible_distribution == "Archlinux" and firewall_disable_ufw
- name: Disable the ufw firewall (on Archlinux, if configured).
service:
name: ufw
state: stopped
enabled: no
when: ansible_distribution == "Archlinux" and firewall_disable_ufw and ufw_installed.rc == 0

44
box/provisioning/roles/geerlingguy.firewall/tasks/main.yml Normal file
View file

@ -0,0 +1,44 @@
---
- name: Ensure iptables is installed.
package: name=iptables state=installed
- name: Flush iptables the first time playbook runs.
command: >
iptables -F
creates=/etc/firewall.bash
- name: Copy firewall script into place.
template:
src: firewall.bash.j2
dest: /etc/firewall.bash
owner: root
group: root
mode: 0744
notify: restart firewall
- name: Copy firewall init script into place.
template:
src: firewall.init.j2
dest: /etc/init.d/firewall
owner: root
group: root
mode: 0755
when: "ansible_service_mgr != 'systemd'"
- name: Copy firewall systemd unit file into place (for systemd systems).
template:
src: firewall.unit.j2
dest: /etc/systemd/system/firewall.service
owner: root
group: root
mode: 0644
when: "ansible_service_mgr == 'systemd'"
- name: Configure the firewall service.
service:
name: firewall
state: "{{ firewall_state }}"
enabled: "{{ firewall_enabled_at_boot }}"
- include: disable-other-firewalls.yml
when: firewall_disable_firewalld or firewall_disable_ufw

136
box/provisioning/roles/geerlingguy.firewall/templates/firewall.bash.j2 Executable file
View file

@ -0,0 +1,136 @@
#!/bin/bash
# iptables firewall for common LAMP servers.
#
# This file should be located at /etc/firewall.bash, and is meant to work with
# Jeff Geerling's firewall init script.
#
# Common port reference:
# 22: SSH
# 25: SMTP
# 80: HTTP
# 123: NTP
# 443: HTTPS
# 2222: SSH alternate
# 4949: Munin
# 6082: Varnish admin
# 8080: HTTP alternate (often used with Tomcat)
# 8983: Tomcat HTTP
# 8443: Tomcat HTTPS
# 9000: SonarQube
#
# @author Jeff Geerling
# No spoofing.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
for filter in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > $filter
done
fi
# Completely reset the firewall by removing all rules and chains.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
# Accept traffic from loopback interface (localhost).
iptables -A INPUT -i lo -j ACCEPT
# Forwarded ports.
{# Add a rule for each forwarded port #}
{% for forwarded_port in firewall_forwarded_tcp_ports %}
iptables -t nat -I PREROUTING -p tcp --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }}
iptables -t nat -I OUTPUT -p tcp -o lo --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }}
{% endfor %}
{% for forwarded_port in firewall_forwarded_udp_ports %}
iptables -t nat -I PREROUTING -p udp --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }}
iptables -t nat -I OUTPUT -p udp -o lo --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }}
{% endfor %}
# Open ports.
{# Add a rule for each open port #}
{% for port in firewall_allowed_tcp_ports %}
iptables -A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
{% endfor %}
{% for port in firewall_allowed_udp_ports %}
iptables -A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
{% endfor %}
# Accept icmp ping requests.
iptables -A INPUT -p icmp -j ACCEPT
# Allow NTP traffic for time synchronization.
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
# Additional custom rules.
{% for rule in firewall_additional_rules %}
{{ rule }}
{% endfor %}
# Allow established connections:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log EVERYTHING (ONLY for Debug).
# iptables -A INPUT -j LOG
{% if firewall_log_dropped_packets %}
# Log other incoming requests (all of which are dropped) at 15/minute max.
iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
{% endif %}
# Drop all other traffic.
iptables -A INPUT -j DROP
# Configure IPv6 if ip6tables is present.
if [ -x "$(which ip6tables 2>/dev/null)" ]; then
# Remove all rules and chains.
ip6tables -F
ip6tables -X
# Accept traffic from loopback interface (localhost).
ip6tables -A INPUT -i lo -j ACCEPT
# Open ports.
{# Add a rule for each open port #}
{% for port in firewall_allowed_tcp_ports %}
ip6tables -A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
{% endfor %}
{% for port in firewall_allowed_udp_ports %}
ip6tables -A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
{% endfor %}
# Accept icmp ping requests.
ip6tables -A INPUT -p icmp -j ACCEPT
# Allow NTP traffic for time synchronization.
ip6tables -A OUTPUT -p udp --dport 123 -j ACCEPT
ip6tables -A INPUT -p udp --sport 123 -j ACCEPT
# Additional custom rules.
{% for rule in firewall_ip6_additional_rules %}
{{ rule }}
{% endfor %}
# Allow established connections:
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log EVERYTHING (ONLY for Debug).
# ip6tables -A INPUT -j LOG
{% if firewall_log_dropped_packets %}
# Log other incoming requests (all of which are dropped) at 15/minute max.
ip6tables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
{% endif %}
# Drop all other traffic.
ip6tables -A INPUT -j DROP
fi

52
box/provisioning/roles/geerlingguy.firewall/templates/firewall.init.j2 Normal file
View file

@ -0,0 +1,52 @@
#! /bin/sh
# /etc/init.d/firewall
#
# Firewall init script, to be used with /etc/firewall.bash by Jeff Geerling.
#
# @author Jeff Geerling
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start firewall at boot time.
# Description: Enable the firewall.
### END INIT INFO
# Carry out specific functions when asked to by the system
case "$1" in
start)
echo "Starting firewall."
/etc/firewall.bash
;;
stop)
echo "Stopping firewall."
iptables -F
if [ -x "$(which ip6tables 2>/dev/null)" ]; then
ip6tables -F
fi
;;
restart)
echo "Restarting firewall."
/etc/firewall.bash
;;
status)
echo -e "`iptables -L -n`"
EXIT=4 # program or service status is unknown
NUMBER_OF_RULES=$(iptables-save | grep '^\-' | wc -l)
if [ 0 -eq $NUMBER_OF_RULES ]; then
EXIT=3 # program is not running
else
EXIT=0 # program is running or service is OK
fi
exit $EXIT
;;
*)
echo "Usage: /etc/init.d/firewall {start|stop|status|restart}"
exit 1
;;
esac
exit 0

12
box/provisioning/roles/geerlingguy.firewall/templates/firewall.unit.j2 Normal file
View file

@ -0,0 +1,12 @@
[Unit]
Description=Firewall
After=syslog.target network.target
[Service]
Type=oneshot
ExecStart=/etc/firewall.bash
ExecStop=/sbin/iptables -F
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

11
box/provisioning/roles/geerlingguy.firewall/tests/README.md Normal file
View file

@ -0,0 +1,11 @@
# Ansible Role tests
To run the test playbook(s) in this directory:
1. Install and start Docker.
1. Download the test shim (see .travis.yml file for the URL) into `tests/test.sh`:
- `wget -O tests/test.sh https://gist.githubusercontent.com/geerlingguy/73ef1e5ee45d8694570f334be385e181/raw/`
1. Make the test shim executable: `chmod +x tests/test.sh`.
1. Run (from the role root directory) `distro=[distro] playbook=[playbook] ./tests/test.sh`
If you don't want the container to be automatically deleted after the test playbook is run, add the following environment variables: `cleanup=false container_id=$(date +%s)`

15
box/provisioning/roles/geerlingguy.firewall/tests/test.yml Normal file
View file

@ -0,0 +1,15 @@
---
- hosts: all
vars:
firewall_allowed_tcp_ports:
- "9123"
pre_tasks:
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=1200
when: ansible_os_family == 'Debian'
changed_when: false
roles:
- role_under_test