add bastion fail2ban config

group_vars/bastions.yml

@@ -12,6 +12,11 @@ haproxy:
           - 192.168.20.22
           - 192.168.20.23
           - 192.168.20.24
+      - src:
+          - s3.badjware.dev
+        dst:
+          - 192.168.20.30:9000
+        ssl: false
       # - src:
       #     - kubernetes-dashboard.badjnet.home
       #     - traefik.badjnet.home
@@ -26,6 +31,7 @@ haproxy:
     tcp:
       - src: "30022"
         dst:
+          - 192.168.20.20:30022
           - 192.168.20.21:30022
           - 192.168.20.22:30022
           - 192.168.20.23:30022

hosts

@@ -35,10 +35,11 @@ all:
           ansible_host: 192.168.10.11
           vfio_pci_ids:
             - '1000:0086' # Broadcom / LSI SAS2308 PCI-Express Fusion-MPT SAS-2
-    lb:
+    bastions:
       hosts:
-        lb:
+        bastion:
           ansible_host: 192.168.20.10
+          users_enable_sudo: false
     k3s:
       children:
         k3s-server:
@@ -69,7 +70,7 @@ all:
           ansible_host: 192.168.20.2
       children:
         proxmox:
-        lb:
+        bastions:
         k3s:
       vars:
         <<: *user_config

playbook.yml

@@ -6,9 +6,10 @@
   roles:
     - common
 
-- hosts: lb
+- hosts: bastion
   roles:
     - haproxy
+    - bastion
 
 - hosts: k3s-server
   roles:

roles/bastion/files/fail2ban/jail.local

@@ -0,0 +1,10 @@
+[DEFAULT]
+bantime  = 1h
+findtime = 5m
+maxretry = 3
+
+ignoreip = 192.168.0.0/16
+
+[sshd]
+enabled  = true
+mode     = aggressive

roles/bastion/handlers/main.yml

@@ -0,0 +1,11 @@
+- name: Restart fail2ban
+  service:
+    name: fail2ban
+    enabled: true
+    state: reloaded
+
+- name: Restart sshd
+  service:
+    name: sshd
+    enabled: true
+    state: reloaded

roles/bastion/tasks/main.yml

@@ -0,0 +1,34 @@
+- name: Install fail2ban
+  apt:
+    name:
+      - fail2ban
+
+- name: Configure fail2ban
+  copy:
+    src: fail2ban/jail.local
+    dest: /etc/fail2ban/jail.local
+  notify: Restart fail2ban
+
+- name: Disable ssh password authentication for all but user of ansible
+  blockinfile:
+    path: /etc/ssh/sshd_config
+    block: |
+      Match User {{ ansible_user }}
+          PasswordAuthentication yes
+      Match all
+          PasswordAuthentication no 
+  notify: Restart sshd
+
+- name: Configure sshd ClientAliveInterval
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?ClientAliveInterval'
+    line: ClientAliveInterval 5m
+  notify: Restart sshd
+
+- name: Configure sshd ClientAliveCountMax
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?ClientAliveCountMax'
+    line: ClientAliveCountMax 3
+  notify: Restart sshd

roles/common/defaults/main.yml

@@ -1 +1,2 @@
-users: {}
+users: {}
+users_enable_sudo: true

roles/common/tasks/user.yml

@@ -4,7 +4,7 @@
     password: '{{ item.value.default_password }}'
     update_password: on_create
     shell: /bin/bash
-    groups: sudo
+    groups: '{{["sudo"] if users_enable_sudo else []}}'
 
 - name: '{{ item.key }}: Configure ssh public keys'
   authorized_key:

roles/haproxy/templates/haproxy.cfg

@@ -79,14 +79,15 @@ backend haproxy_metrics
     http-request use-service prometheus-exporter
 
 {% for http_route in https_routing %}
-# backend for {{ http_route.src[0] }}
+# backend for {{ ', '.join(http_route.src) }}
 backend https_{{ http_route.src[0]|replace('.','_') }}
     mode http
     balance roundrobin
 {% for dst in http_route.dst %}
-    server {{ dst }} {{ dst }}{% if ':' not in dst %}:443{% endif %} check ssl verify none alpn h2
+    server {{ dst }} {{ dst }}{% if ':' not in dst %}:443{% endif %} check {% if http_route.ssl|default(true) %}ssl verify none alpn h2{% endif %}
-    #server {{ dst }} {{ dst }}{% if ':' not in dst %}:80{% endif %} check
+
 {% endfor %}
+
 {% endfor %}
 
 ## TCP ##