Infos
Ce fichier contient l'explication des variables s'appliquant à la machine physique nommée host.
Pour un rappel des services que cette machine propose, se référer à l'article Infrastructure.
Variables
KVM specific
Storage
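# Storage: LVM volume group and libvirt storage pool used for guest disks
kvm_vg: kvmvg
kvm_pool: Vms

# Network: the libvirt bridge the guests sit behind.
# NOTE(review): kvm_net_interface and kvm_net_network are referenced by the
# firewall rules below (FORWARD / MASQUERADE) — keep them in sync with the
# libvirt network definition.
kvm_net_host_hostname: host
kvm_net_domain: example.fr
kvm_net_interface: virbr1
kvm_net_network: 192.168.121.0/24
kvm_net_netmask: 255.255.255.0
kvm_net_host_ip: 192.168.121.1
# DHCP range handed out to guests; guest ips fixed in kvm_guests.vms
# (e.g. 192.168.121.101) should stay outside this range — confirm with the role.
kvm_net_start_dhcp: 192.168.121.100
kvm_net_stop_dhcp: 192.168.121.254

# VMs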
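kvm_guests:
  lvm: debian
  delete_old_vms: true
  # NOTE(review): vms is assumed to be a list of guest definitions — confirm
  # against the role that consumes kvm_guests.
  vms:
    - name: proxy  # characters a-z, A-Z, 0-9 and - only.
      # NOTE(review): empty user/password — how the role treats an empty
      # value (no account, or an account without password) is not visible
      # here; confirm before relying on it.
      user: ""
      password: ""
      # quoted: colon-separated values are safer as explicit strings
      mac: "00:00:00:00:00:01"
      # also the hard-coded DNAT target of firewall rule "023 HTTP/HTTPS reverseproxy"
      ip: 192.168.121.101
      cpu: 1
      ram: 512
      # size_* units are not stated here (disk vs. partition sizes look like
      # different units) — TODO confirm with the role
      size_disk: 2
      size_boot: 200
      size_root: 900
      size_var: 500
      size_tmp: 100
      size_home: 100
      size_swap: 200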
Sysctl security rules
Warning: please make sure "reload=yes" is set on at least the last rule.
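# Explicit empty list rather than a bare key (a bare `key:` parses as null,
# not as an empty list). Each rule entry, when added, should set reload=yes
# at least on the last one.
sysctl_security_rules: []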
Firewall specific
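# iptables (IPv4) rule groups. Keys carry a numeric prefix — presumably the
# firewall role applies them in that order (confirm), which matters because
# the default DROP policies come last (099).
# ansible_default_ipv4.interface is a gathered fact; port_* variables are not
# defined in this file — presumably group_vars.
firewall_v4_default_rules:
  002 allow loopback:
    - '-A INPUT -i lo -j ACCEPT'
    - '-A OUTPUT -o lo -j ACCEPT'
  # Only INPUT/OUTPUT get a stateful allow; FORWARD has none (see 021).
  003 allow established related:
    - '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    - '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  004 dhcp:
    - '-A OUTPUT -o {{ ansible_default_ipv4.interface }} --protocol udp --destination-port {{port_dhcp_1}} -j ACCEPT'
    - '-A OUTPUT -o {{ ansible_default_ipv4.interface }} --protocol udp --destination-port {{port_dhcp_2}} -j ACCEPT'
  005 dns:
    - '-A OUTPUT -o {{ ansible_default_ipv4.interface }} --protocol udp --destination-port {{port_dns}} -j ACCEPT'
    - '-A OUTPUT -o {{ ansible_default_ipv4.interface }} --protocol tcp --destination-port {{port_dns}} -j ACCEPT'
  006 ntp:
    - '-A OUTPUT -o {{ ansible_default_ipv4.interface }} --protocol udp --destination-port {{port_ntp}} -j ACCEPT'
  007 http_https output:
    - '-A OUTPUT -o {{ ansible_default_ipv4.interface }} --protocol tcp --destination-port {{port_http}} -j ACCEPT'
    - '-A OUTPUT -o {{ ansible_default_ipv4.interface }} --protocol tcp --destination-port {{port_https}} -j ACCEPT'
  # Accepts every ICMP type in both directions (no --icmp-type match).
  008 icmp:
    - '-A INPUT -p icmp -j ACCEPT'
    - '-A OUTPUT -p icmp -j ACCEPT'
  009 ssh server:
    - '-A INPUT -i {{ ansible_default_ipv4.interface }} --protocol tcp --destination-port {{port_sshd}} -j ACCEPT'
  020 specific service: {}
  021 Internet access for VMs:
    # everything leaving the VMs is forwarded to the outside
    - '-A FORWARD -i {{ kvm_net_interface }} -s {{ kvm_net_network }} -j ACCEPT'
    # everything destined to the VM network is forwarded to them.
    # NOTE(review): this is unconditional — not restricted to ESTABLISHED,RELATED
    # or to the DNAT'd ports of rule 023; tighten if the VMs must only be
    # reachable through the reverse proxy ports.
    - '-A FORWARD -o {{ kvm_net_interface }} -d {{ kvm_net_network }} -j ACCEPT'
    # connections from the VMs to anywhere outside their own network are NATed
    - '-t nat -A POSTROUTING -s {{ kvm_net_network }} ! -d {{ kvm_net_network }} -j MASQUERADE'
  022 DHCP/DNS VMS:
    - '-A INPUT -i {{ kvm_net_interface }} -p udp --destination-port {{port_dhcp_1}} -j ACCEPT'
    - '-A INPUT -i {{ kvm_net_interface }} -p udp --destination-port {{port_dhcp_2}} -j ACCEPT'
    - '-A INPUT -i {{ kvm_net_interface }} -p udp --destination-port {{port_dns}} -j ACCEPT'
    - '-A OUTPUT -o {{ kvm_net_interface }} -p udp --source-port {{port_dhcp_1}} -j ACCEPT'
    - '-A OUTPUT -o {{ kvm_net_interface }} -p udp --source-port {{port_dhcp_2}} -j ACCEPT'
    - '-A OUTPUT -o {{ kvm_net_interface }} -p udp --source-port {{port_dns}} -j ACCEPT'
  # NOTE(review): the DNAT target is hard-coded; it must stay equal to the ip
  # of the "proxy" entry in kvm_guests.vms (192.168.121.101).
  023 HTTP/HTTPS reverseproxy:
    - '-I PREROUTING -t nat -i {{ ansible_default_ipv4.interface }} -p tcp --destination-port {{port_http}} -j DNAT --to-destination 192.168.121.101'
    - '-I PREROUTING -t nat -i {{ ansible_default_ipv4.interface }} -p tcp --destination-port {{port_https}} -j DNAT --to-destination 192.168.121.101'
  # host -> VM ssh (jump host use)
  024 ssh client rebond:
    - '-A OUTPUT -o {{ kvm_net_interface }} --protocol tcp --destination-port {{port_sshd}} -j ACCEPT'
  099 default policies:
    - '-P INPUT DROP'
    - '-P OUTPUT DROP'
    - '-P FORWARD DROP'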
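# ip6tables: no allow rules at all, only DROP policies. This also drops
# ICMPv6 (neighbour discovery), so it is only appropriate if IPv6 is
# intentionally unused on this host — confirm.
firewall_v6_default_rules:
  099 default policies:
    - '-P INPUT DROP'
    - '-P OUTPUT DROP'
    - '-P FORWARD DROP'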
Fail2ban specific
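fail2ban_loglevel: WARN
# Jails. An empty port presumably means "use the filter's default port" —
# if port_sshd (used by the firewall rules) is non-standard, the sshd jails
# need to match it; confirm against the role's template.
fail2ban_services:
  - name: sshd
    port: ""
    maxretry: 6
    logpath: /var/log/auth.log
  # NOTE(review): no logpath here, unlike the other two jails — confirm the
  # role supplies a default.
  - name: sshd-ddos
    port: ""
    filter: sshd-ddos
    maxretry: 6
  - name: pam-generic
    filter: pam-generic
    port: all
    banaction: iptables-allports
    logpath: /var/log/auth.log
    maxretry: 6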
Borg specific (client side)
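borgbackup_client: true
# NOTE(review): nesting of the job keys (directories, excludes, prune_options,
# pre/postScript, mail) under borgbackup_client_job is assumed — confirm
# against the role.
borgbackup_client_job:
  name: ""
  options: "-C lz4"
  # cron-style schedule; empty hour/minute — confirm what the role defaults to
  day: "*"
  hour: ""
  minute: ""
  directories:
    - "/home/*/.ssh"
    - "/root/.ssh"
    - "/etc/ssh"
    - "/etc/libvirt"
  excludes: []
  prune_options: "--keep-daily=7 --keep-weekly=4"  # false --> no prune
  # NOTE(review): the double slash looks like a missing path component
  # (host_vars/<host>/files/...) — confirm the path resolves.
  preScript: "/host_vars//files/preBackup.sh.j2"
  postScript: false
  # set to an address to receive a mail on error (requires msmtp and the
  # mail variables to be set)
  mail: false
borgbackup_client_scripts_dir: "/etc/borg"
borgbackup_client_log: "/var/log/backup.log"
# NOTE(review): secret — keep it in ansible-vault rather than in plain host_vars.
borgbackup_passphrase: ""
borgbackup_client_backup_server: borgserver.example.fr
# false, or a ProxyCommand target — example: borgbackup@host.example.fr <-p port>
borgbackup_client_ssh_proxycommand: false
borgbackup_client_ssh_port: ""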