From 41347d0f648c9f8e1c779d46425719d09a60516e Mon Sep 17 00:00:00 2001
From: devzspy <7217419+devzspy@users.noreply.github.com>
Date: Tue, 13 Aug 2024 17:38:47 -0700
Subject: [PATCH 1/2] feat(ansible): Add role for managing ingress restrictions

Introduces a new Ansible role `ingress-restrictions` with tasks to manage ingress restrictions between edge and middle hosts. Also includes necessary files such as handlers, vars, defaults, and README.
---
 .../roles/ingress-restrictions/README.md | 38 ++++++++++++++
 .../ingress-restrictions/defaults/main.yml | 2 +
 .../ingress-restrictions/handlers/main.yml | 2 +
 .../roles/ingress-restrictions/meta/main.yml | 52 +++++++++++++++++++
 .../roles/ingress-restrictions/tasks/main.yml | 38 ++++++++++++++
 .../ingress-restrictions/tests/inventory | 2 +
 .../roles/ingress-restrictions/tests/test.yml | 5 ++
 .../roles/ingress-restrictions/vars/main.yml | 2 +
 8 files changed, 141 insertions(+)
 create mode 100644 external/sketch/ansible/roles/ingress-restrictions/README.md
 create mode 100644 external/sketch/ansible/roles/ingress-restrictions/defaults/main.yml
 create mode 100644 external/sketch/ansible/roles/ingress-restrictions/handlers/main.yml
 create mode 100644 external/sketch/ansible/roles/ingress-restrictions/meta/main.yml
 create mode 100644 external/sketch/ansible/roles/ingress-restrictions/tasks/main.yml
 create mode 100644 external/sketch/ansible/roles/ingress-restrictions/tests/inventory
 create mode 100644 external/sketch/ansible/roles/ingress-restrictions/tests/test.yml
 create mode 100644 external/sketch/ansible/roles/ingress-restrictions/vars/main.yml

diff --git a/external/sketch/ansible/roles/ingress-restrictions/README.md b/external/sketch/ansible/roles/ingress-restrictions/README.md
new file mode 100644
index 0000000..225dd44
--- /dev/null
+++ b/external/sketch/ansible/roles/ingress-restrictions/README.md
@@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/external/sketch/ansible/roles/ingress-restrictions/defaults/main.yml b/external/sketch/ansible/roles/ingress-restrictions/defaults/main.yml new file mode 100644 index 0000000..3153d52 --- /dev/null +++ b/external/sketch/ansible/roles/ingress-restrictions/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for ingress-restrictions diff --git a/external/sketch/ansible/roles/ingress-restrictions/handlers/main.yml b/external/sketch/ansible/roles/ingress-restrictions/handlers/main.yml new file mode 100644 index 0000000..abc080e --- /dev/null 
+++ b/external/sketch/ansible/roles/ingress-restrictions/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for ingress-restrictions
diff --git a/external/sketch/ansible/roles/ingress-restrictions/meta/main.yml b/external/sketch/ansible/roles/ingress-restrictions/meta/main.yml
new file mode 100644
index 0000000..c572acc
--- /dev/null
+++ b/external/sketch/ansible/roles/ingress-restrictions/meta/main.yml
@@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/external/sketch/ansible/roles/ingress-restrictions/tasks/main.yml b/external/sketch/ansible/roles/ingress-restrictions/tasks/main.yml new file mode 100644 index 0000000..49ab3e6 --- /dev/null +++ b/external/sketch/ansible/roles/ingress-restrictions/tasks/main.yml 
@@ -0,0 +1,38 @@ +--- +# tasks file for ingress-restrictions + +- name: Set fact for 'edge' hosts + set_fact: + is_edge_host: true + when: "'edge' in inventory_hostname" + +- name: Gather Edge IPs into a dictionary + set_fact: + edge_ips_dict: >- + {{ + edge_ips_dict | default({}) | combine( + { item: hostvars[item]['host_ip_address'] } + ) + }} + loop: "{{ groups['all'] }}" + when: hostvars[item]['is_edge_host'] is defined and hostvars[item]['is_edge_host'] + delegate_to: localhost + +- name: Debug shit + debug: + msg: "{{ item.value }}" + with_items: "{{ edge_ips_dict | dict2items }}" + +- name: Allow port 2222 from Edges to Middles + ufw: + rule: allow + port: 2222 + from_ip: "{{ item.value }}" + with_items: "{{ edge_ips_dict | dict2items }}" + when: "'middle' in inventory_hostname" + +- name: Deny port 2222 + ufw: + rule: deny + port: 2222 + when: "'middle' in inventory_hostname" \ No newline at end of file diff --git a/external/sketch/ansible/roles/ingress-restrictions/tests/inventory b/external/sketch/ansible/roles/ingress-restrictions/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/external/sketch/ansible/roles/ingress-restrictions/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/external/sketch/ansible/roles/ingress-restrictions/tests/test.yml b/external/sketch/ansible/roles/ingress-restrictions/tests/test.yml new file mode 100644 index 0000000..71b6000 --- /dev/null +++ b/external/sketch/ansible/roles/ingress-restrictions/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - ingress-restrictions diff --git a/external/sketch/ansible/roles/ingress-restrictions/vars/main.yml b/external/sketch/ansible/roles/ingress-restrictions/vars/main.yml new file mode 100644 index 0000000..af52e43 --- /dev/null +++ b/external/sketch/ansible/roles/ingress-restrictions/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for ingress-restrictions 
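Review bot: The `Allow port 2222 from Edges to Middles` and `Deny port 2222` tasks both append, so the allows land ahead of the deny on the first run only; an edge address that first appears on a later run gets its allow rule appended behind the existing deny and never matches, so swap the two tasks so the deny is created first and give the allow task `insert: 1` to keep every allow ahead of the deny on each run (as far as I recall, ufw rejects an insert position past the end of the current rule list, which is why the deny should exist first). Neither rule names a protocol, so `proto: tcp` on both would avoid opening 2222/udp as a side effect. If `edge_ips_dict` ends up empty — no host name containing 'edge', or `host_ip_address` unset on the edges — the allow task is skipped while the deny still lands, cutting every middle off on 2222; an `assert` task with `that: edge_ips_dict | default({}) | length > 0` before the ufw tasks would fail the play instead of locking hosts out. `'edge' in inventory_hostname` is a substring test, so any host whose name happens to contain that string is treated as an edge; if the inventory has an `edge` group, `inventory_hostname in groups['edge']` is the tighter selector. Allow rules for an edge that later leaves the inventory are never revoked either, so that cleanup being manual belongs in the README.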
From 730920901c6f034f35c801a38bba4447b7b825ec Mon Sep 17 00:00:00 2001
From: devzspy <7217419+devzspy@users.noreply.github.com>
Date: Wed, 14 Aug 2024 13:41:11 -0700
Subject: [PATCH 2/2] feat: Update role name and description in README

Update role name to 'ingress-restrictions' and description to explain purpose of reducing backflip correlation and allowing connections on port 2222 from edge hosts.
---
 .../roles/ingress-restrictions/README.md | 40 ++++++-------------
 .../roles/ingress-restrictions/tasks/main.yml | 5 ---
 2 files changed, 13 insertions(+), 32 deletions(-)

diff --git a/external/sketch/ansible/roles/ingress-restrictions/README.md b/external/sketch/ansible/roles/ingress-restrictions/README.md
index 225dd44..3ef1d3b 100644
--- a/external/sketch/ansible/roles/ingress-restrictions/README.md
+++ b/external/sketch/ansible/roles/ingress-restrictions/README.md
@@ -1,38 +1,24 @@ -Role Name +ingress-restrictions ========= -A brief description of the role goes here. +This role is used to help reduce the chances for backflip correlation from public ssh keys from tools like Censys. -Requirements ------------- - -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. +This will automatically tell middle hosts to only allow connections on port 2222 from edge hosts. -Role Variables --------------- +This role only handles the sketch infrastructure as of now. -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. - -Dependencies +Requirements ------------ -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. +Once you've ran this in your Sketch infrastructure, you will need to grab the IP Addresses or IP Address range from your middles and add them to your OCI/AWS infrastructure manually. + +Whenever we do the grand restructure, this should be done automatically for you everywhere. Example Playbook ---------------- -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { role: username.rolename, x: 42 } - -License -------- - -BSD - -Author Information ------------------- - -An optional section for the role authors to include contact information, or a website (HTML is not allowed). 
+```yml +- hosts: all + roles: + - ingress-restrictions +``` \ No newline at end of file diff --git a/external/sketch/ansible/roles/ingress-restrictions/tasks/main.yml b/external/sketch/ansible/roles/ingress-restrictions/tasks/main.yml index 49ab3e6..df20f2f 100644 --- a/external/sketch/ansible/roles/ingress-restrictions/tasks/main.yml +++ b/external/sketch/ansible/roles/ingress-restrictions/tasks/main.yml @@ -18,11 +18,6 @@ when: hostvars[item]['is_edge_host'] is defined and hostvars[item]['is_edge_host'] delegate_to: localhost -- name: Debug shit - debug: - msg: "{{ item.value }}" - with_items: "{{ edge_ips_dict | dict2items }}" - - name: Allow port 2222 from Edges to Middles ufw: rule: allow