diff --git a/external/sketch/ansible/roles/ingress-restrictions/README.md b/external/sketch/ansible/roles/ingress-restrictions/README.md
new file mode 100644
index 0000000..3ef1d3b
--- /dev/null
+++ b/external/sketch/ansible/roles/ingress-restrictions/README.md
@@ -0,0 +1,24 @@
+ingress-restrictions
+=========
+
+This role is used to help reduce the chances for backflip correlation from public ssh keys from tools like Censys.
+
+This will automatically tell middle hosts to only allow connections on port 2222 from edge hosts.
+
+This role only handles the sketch infrastructure as of now.
+
+Requirements
+------------
+
+Once you've ran this in your Sketch infrastructure, you will need to grab the IP Addresses or IP Address range from your middles and add them to your OCI/AWS infrastructure manually.
+
+Whenever we do the grand restructure, this should be done automatically for you everywhere.
+
+Example Playbook
+----------------
+
+```yml
+- hosts: all
+ roles:
+ - ingress-restrictions
+```
\ No newline at end of file
diff --git a/external/sketch/ansible/roles/ingress-restrictions/meta/main.yml b/external/sketch/ansible/roles/ingress-restrictions/meta/main.yml
new file mode 100644
index 0000000..32cf5dd
--- /dev/null
+++ b/external/sketch/ansible/roles/ingress-restrictions/meta/main.yml
@@ -0,0 +1 @@
+dependencies: []
diff --git a/external/sketch/ansible/roles/ingress-restrictions/tasks/main.yml b/external/sketch/ansible/roles/ingress-restrictions/tasks/main.yml
new file mode 100644
index 0000000..df20f2f
--- /dev/null
+++ b/external/sketch/ansible/roles/ingress-restrictions/tasks/main.yml
@@ -0,0 +1,33 @@
+---
+# tasks file for ingress-restrictions
+
+- name: Set fact for 'edge' hosts
+ set_fact:
+ is_edge_host: true
+ when: "'edge' in inventory_hostname"
+
+- name: Gather Edge IPs into a dictionary
+ set_fact:
+ edge_ips_dict: >-
+ {{
+ edge_ips_dict | default({}) | combine(
+ { item: hostvars[item]['host_ip_address'] }
+ )
+ }}
+ loop: "{{ groups['all'] }}"
+ when: hostvars[item]['is_edge_host'] is defined and hostvars[item]['is_edge_host']
+ delegate_to: localhost
+
+- name: Allow port 2222 from Edges to Middles
+ ufw:
+ rule: allow
+ port: 2222
+ from_ip: "{{ item.value }}"
+ with_items: "{{ edge_ips_dict | dict2items }}"
+ when: "'middle' in inventory_hostname"
+
+- name: Deny port 2222
+ ufw:
+ rule: deny
+ port: 2222
+ when: "'middle' in inventory_hostname"
\ No newline at end of file
diff --git a/external/sketch/ansible/roles/ingress-restrictions/tests/inventory b/external/sketch/ansible/roles/ingress-restrictions/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/external/sketch/ansible/roles/ingress-restrictions/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/external/sketch/ansible/roles/ingress-restrictions/tests/test.yml b/external/sketch/ansible/roles/ingress-restrictions/tests/test.yml
new file mode 100644
index 0000000..71b6000
--- /dev/null
+++ b/external/sketch/ansible/roles/ingress-restrictions/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - ingress-restrictions
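Review bot: On a second run the `Allow port 2222 from Edges to Middles` task appends its rules after the `deny` rule the first run already created, and since ufw evaluates rules in order and stops at the first match, an edge added later is silently locked out of the middles; the allow task should place its rules ahead of the deny, e.g. `insert: 1` on the `ufw` call, and the role should also drop rules for edges that no longer exist (`delete: true` against the old set), since nothing here ever removes a stale allow. The `when: "'edge' in inventory_hostname"` and `'middle' in inventory_hostname` conditions are substring tests, so any hostname that merely contains those letters (a `ledger` host contains `edge`) is granted or restricted by accident; testing inventory group membership, e.g. `when: "'edge' in group_names"`, would be the precise check, assuming such groups exist in the sketch inventory. `delegate_to: localhost` on the second `set_fact` does not move where the fact is stored (it stays on the current host unless `delegate_facts` is set), so it reads as a no-op and is worth a comment or removal. As a matter of style, port 2222 is repeated three times and would be clearer as a single role default such as `ingress_port`, and the two loop forms (`loop:` and `with_items:`) could be unified.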