Infos

Ce fichier contient l'explication des variables s'appliquant à la machine physique nommée host.

Pour rappel sur les services que cette machine propose, se référer à l'article Infrastructure.

Variables

KVM specific

Storage

  • kvm_vg: kvmvg
  • kvm_pool: Vms

    Network

  • kvm_net_host_hostname: host
  • kvm_net_domain: example.fr
  • kvm_net_interface: virbr1
  • kvm_net_network: 192.168.121.0/24
  • kvm_net_netmask: 255.255.255.0
  • kvm_net_host_ip: 192.168.121.1
  • kvm_net_start_dhcp: 192.168.121.100
  • kvm_net_stop_dhcp: 192.168.121.254

    VMs

  • kvm_guests:
    • lvm: debian
    • delete_old_vms: true
    • vms:
      • name: proxy # characters a-z,A-Z,0-9 and - only.
      • user: ""
      • password: ""
      • mac: 00:00:00:00:00:01
      • ip: 192.168.121.101
      • cpu: 1
      • ram: 512
      • size_disk: 2
      • size_boot: 200
      • size_root: 900
      • size_var: 500
      • size_tmp: 100
      • size_home: 100
      • size_swap: 200

Sysctl security rules

Warning: please make sure "reload=yes" is set at least on the last rule.

  • sysctl_security_rules:

Firewall specific

firewall_v4_default_rules:
  002 allow loopback:

- -A INPUT -i lo -j ACCEPT
- -A OUTPUT -o lo -j ACCEPT

003 allow established related:

- -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

004 dhcp:

- -A OUTPUT -o {{ ansible_default_ipv4.interface }} --protocol udp --destination-port {{port_dhcp_1}} -j ACCEPT
- -A OUTPUT -o {{ ansible_default_ipv4.interface }} --protocol udp --destination-port {{port_dhcp_2}} -j ACCEPT

005 dns:

- -A OUTPUT -o {{ ansible_default_ipv4.interface }} --protocol udp --destination-port {{port_dns}} -j ACCEPT
- -A OUTPUT -o {{ ansible_default_ipv4.interface }} --protocol tcp --destination-port {{port_dns}} -j ACCEPT

006 ntp:

- -A OUTPUT -o {{ ansible_default_ipv4.interface }} --protocol udp --destination-port {{port_ntp}} -j ACCEPT

007 http_https output:

- -A OUTPUT -o {{ ansible_default_ipv4.interface }} --protocol tcp --destination-port {{port_http}} -j ACCEPT
- -A OUTPUT -o {{ ansible_default_ipv4.interface }} --protocol tcp --destination-port {{port_https}} -j ACCEPT

008 icmp:

- -A INPUT -p icmp -j ACCEPT
- -A OUTPUT -p icmp -j ACCEPT

009 ssh server:

- -A INPUT -i {{ ansible_default_ipv4.interface }} --protocol tcp --destination-port {{port_sshd}} -j ACCEPT

020 specific service: {}

021 Internet access for VMs:

- -A FORWARD -i {{ kvm_net_interface }} -s {{ kvm_net_network }} -j ACCEPT  # Tout ce qui sort des VMs est forwardé vers l'extérieur
- -A FORWARD -o {{ kvm_net_interface }} -d {{ kvm_net_network }} -j ACCEPT  # Tout ce qui entre à destination des VMs est forwardé
- -t nat -A POSTROUTING -s {{ kvm_net_network }} ! -d {{ kvm_net_network }} -j MASQUERADE  # Toutes les connexions venant des VMs sont envoyées vers l'extérieur (si nécessaire)

022 DHCP/DNS VMS:

- -A INPUT -i {{ kvm_net_interface }} -p udp --destination-port {{port_dhcp_1}} -j ACCEPT
- -A INPUT -i {{ kvm_net_interface }} -p udp --destination-port {{port_dhcp_2}} -j ACCEPT
- -A INPUT -i {{ kvm_net_interface }} -p udp --destination-port {{port_dns}} -j ACCEPT
- -A OUTPUT -o {{ kvm_net_interface }} -p udp --source-port {{port_dhcp_1}} -j ACCEPT
- -A OUTPUT -o {{ kvm_net_interface }} -p udp --source-port {{port_dhcp_2}} -j ACCEPT
- -A OUTPUT -o {{ kvm_net_interface }} -p udp --source-port {{port_dns}} -j ACCEPT

023 HTTP/HTTPS reverseproxy:

- -I PREROUTING -t nat -i {{ ansible_default_ipv4.interface }} -p tcp --destination-port {{port_http}} -j DNAT --to-destination 192.168.121.101
- -I PREROUTING -t nat -i {{ ansible_default_ipv4.interface }} -p tcp --destination-port {{port_https}} -j DNAT --to-destination 192.168.121.101

024 ssh client rebond:

- -A OUTPUT -o {{ kvm_net_interface }} --protocol tcp --destination-port {{port_sshd}} -j ACCEPT

099 default policies:

- -P INPUT DROP
- -P OUTPUT DROP
- -P FORWARD DROP

firewall_v6_default_rules:
  099 default policies:

- -P INPUT DROP
- -P OUTPUT DROP
- -P FORWARD DROP

Fail2ban specific

fail2ban_loglevel: WARN

fail2ban_services:

  • name: sshd
    port: ""
    maxretry: 6
    logpath: /var/log/auth.log
  • name: sshd-ddos
    port: ""
    filter: sshd-ddos
    maxretry: 6
  • name: pam-generic
    filter: pam-generic
    port: all
    banaction: iptables-allports
    logpath: /var/log/auth.log
    maxretry: 6

Borg specific (client side)

borgbackup_client: true

borgbackup_client_job:
  name: ""
  options: "-C lz4"
  day: "*"
  hour: ""
  minute: ""
  directories:

- "/home/*/.ssh"
- "/root/.ssh"
- "/etc/ssh"
- "/etc/libvirt"

  excludes: []
  prune_options: "--keep-daily=7 --keep-weekly=4"  # false --> No prune
  preScript: "/host_vars//files/preBackup.sh.j2"
  postScript: false
  mail: false  #@ --> Send mail to this address if error (use and install msmtp) (make sure mail variables are set)

borgbackup_client_scripts_dir: "/etc/borg"
borgbackup_client_log: "/var/log/backup.log"
borgbackup_passphrase: ""
borgbackup_client_backup_server: borgserver.example.fr
borgbackup_client_ssh_proxycommand: False  # Example : borgbackup@host.example.fr <-p port>
borgbackup_client_ssh_port: ""
