Licensing

Reviewed-on: #6

.gitattributes

@@ -0,0 +1,2 @@
+usertwist filter=lfs diff=lfs merge=lfs -text
+files/usertwist filter=lfs diff=lfs merge=lfs -text

bootstrap.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+
+read -p "Enter root password : " password
+
+# Update APT repos
+sudo apt update
+
+# Make sure python is installed
+sudo apt install python3 python3-pip -y
+
+# Install pipx
+sudo apt install pipx -y
+pipx ensurepath
+
+# Install Ansible
+pipx install --include-deps ansible
+
+# Install sshpass (for ssh password connection) & passlib (for password encryption)
+sudo apt install python3-passlib sshpass
+pipx inject ansible passlib
+
+# Make sure git & git-lfs are installed and configured
+sudo apt install git git-lfs -y
+git lfs install
+
+# Clone ansible_playbooks repo
+git clone -b dev https://git.athelas-conseils.fr/Stage/ansible_playbooks.git
+
+
+~/.local/bin/ansible-playbook ansible_playbooks/tasks/full_setup.yml -i ansible_playbooks/inventory.ini --extra-vars "ansible_ssh_pass=$password ansible_ssh_common_args='-o StrictHostKeyChecking=no'"

files/usertwist.service

@@ -0,0 +1,21 @@
+[Unit]
+Description=Simple Web Service
+
+[Service]
+User=usertwist
+Group=usertwist
+ExecStart=/usr/local/bin/usertwist
+PrivateTmp=yes
+NoNewPrivileges=true
+RestrictNamespaces=uts ipc pid user cgroup
+ProtectSystem=strict
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+PrivateDevices=yes
+RestrictSUIDSGID=true
+ProtectHome=true
+
+[Install]
+WantedBy=multi-user.target

inventory.ini

@@ -1,2 +1,2 @@
 [athelas]
-vps ansible_host=95.217.153.90 ansible_connection=ssh ansible_user=root
+vps ansible_host=135.181.250.127 ansible_connection=ssh ansible_user=root

tasks/install_caddy.yml

@@ -24,24 +24,44 @@
     ansible.builtin.package:
       name: caddy
 
-  - name: Creating webserver root folder
-    ansible.builtin.file:
-      path: /var/www/html/
-      state: directory
-      group: caddy
-      owner: caddy
-
-  - name: Creating webserver index.html
-    ansible.builtin.file:
-      path: /var/www/html/index.html
-      state: touch
-      group: caddy
-      owner: caddy
-
-  - name: Editing Caddyfile
+  - name: Editing Caddyfile to setup the reverse_proxy
     ansible.builtin.template:
-      src: ~/ansible/templates/Caddyfile.j2
+      src: ../templates/Caddyfile.j2
       dest: /etc/caddy/Caddyfile
 
-  - name: Reboot
-    ansible.builtin.reboot:
+  - name: Create the usertwist group
+    ansible.builtin.group:
+      name: usertwist
+
+  - name: Create the usertwist user
+    ansible.builtin.user:
+      name: usertwist
+      group: usertwist
+      system: true
+      shell: /usr/sbin/nologin
+
+  - name: Put the service binary on the remote server
+    ansible.builtin.copy:
+      src: ../files/usertwist
+      dest: /usr/local/bin
+      owner: root
+      group: root
+      mode: '0755'
+
+  - name: Put the service systemd file on the remote server
+    ansible.builtin.copy:
+      src: ../files/usertwist.service
+      dest: /etc/systemd/system
+      owner: root
+      group: root
+
+  - name: Enable the service systemd unit
+    ansible.builtin.systemd_service:
+      name: usertwist
+      enabled: true
+      state: started
+
+  - name: Restart Caddy service
+    ansible.builtin.service:
+      name: caddy
+      state: restarted

tasks/roles/setup_iptables/README.md

@@ -0,0 +1,22 @@
+Setup IPTables
+=========
+
+Create iptables rules on the remote server to allow connection on WEB and SSH ports only
+
+Example Playbook
+----------------
+
+    - hosts: servers
+      roles:
+        - setup_iptables
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+Motysten
+E-Mail : mdm@athelas.fr

tasks/roles/setup_iptables/meta/main.yml

@@ -0,0 +1,34 @@
+galaxy_info:
+  author: Motysten
+  description: Dev
+  company: Athelas
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: MIT
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

tasks/roles/setup_iptables/tasks/main.yml

@@ -0,0 +1,45 @@
+---
+# tasks file for setup_iptables
+- name: Open needed ports
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    in_interface: eth0
+    jump: ACCEPT
+    destination_ports:
+      - "22"
+      - "443"
+      - "80"
+
+- name: Accept connection on lo (for Caddy <-> usertwist communication)
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    in_interface: lo
+    jump: ACCEPT
+
+- name: Set INPUT policy to DROP
+  ansible.builtin.iptables:
+    chain: INPUT
+    policy: DROP
+
+- name: Create iptables folder in /etc
+  ansible.builtin.file:
+    path: /etc/ansible
+    state: directory
+    mode: '0755'
+
+- name: Install iptables-persistent for rules persistence
+  ansible.builtin.package:
+    name: iptables-persistent
+    update_cache: true
+
+- name: Save IPv4 rules to keep them on reboot
+  community.general.iptables_state:
+    state: saved
+    path: /etc/iptables/rules.v4
+
+- name: Save IPv6 rules to keep them on reboot
+  community.general.iptables_state:
+    state: saved
+    path: /etc/iptables/rules.v6

tasks/setup_iptables.yml

@@ -1,20 +1,6 @@
 - name: Edit iptables settings
   hosts: athelas
   become: true
-  tasks:
-
-  - name: Open needed ports
-    ansible.builtin.iptables:
-      chain: INPUT
-      protocol: tcp
-      in_interface: eth0
-      jump: ACCEPT
-      destination_ports:
-        - "22"
-        - "80"
-        - "443"
-
-  - name: Set INPUT policy to DROP
-    ansible.builtin.iptables:
-      chain: INPUT
-      policy: DROP
+  
+  roles:
+    - setup_iptables

tasks/setup_ssh.yml

@@ -9,25 +9,26 @@
 
   - name: Get SSH Private Key
     ansible.builtin.fetch:
-      dest: "~/ansible/keys/"
+      dest: "../keys/"
       src: "~/ssh_key"
       flat: true
 
   - name: Get SSH Public Key
     ansible.builtin.fetch:
-      dest: "~/ansible/keys/"
+      dest: "../keys/"
       src: "~/ssh_key.pub"
       flat: true
 
   - name: Copy new SSH configuration
     ansible.builtin.template:
-      src: "~/ansible/templates/sshd_config.j2"
+      src: "../templates/sshd_config.j2"
       dest: "/etc/ssh/sshd_config"
 
   - name: Create new user
     ansible.builtin.user:
       name: "motysten"
       groups: "sudo"
+      shell: /bin/bash
       append: true
       password: "{{ lookup('password', '/tmp/userpass length=12 encrypt=sha512_crypt') }}"
     become: true
@@ -39,7 +40,7 @@
   - name: Add SSH public key to remote host
     ansible.builtin.authorized_key:
       user: "motysten"
-      key: "{{ lookup('file', '~/ansible/keys/ssh_key.pub') }}"
+      key: "{{ lookup('file', '../keys/ssh_key.pub') }}"
     become: true
 
   - name: Restart SSH Services

templates/Caddyfile.j2

@@ -9,17 +9,23 @@
 # domain name.
 
 poc.athelas.fr {
-	# Set this path to your site's directory.
-	root * /var/www/html
-
-	# Enable the static file server.
-	file_server
 
 	# Another common task is to set up a reverse proxy:
-	# reverse_proxy localhost:8080
+	reverse_proxy localhost:8080
+
+	# Also edit ACME server
+	tls {
+		ca https://acme-staging-v02.api.letsencrypt.org/directory
+	}
+
+	handle_errors {
+		rewrite * /{err.status_code}
+		reverse_proxy https://http.cat {
+			header_up Host {upstream_hostport}
+			replace_status {err.status_code}
+		}
+	}
 
-	# Or serve a PHP site through php-fpm:
-	# php_fastcgi localhost:9000
 }
 
 # Refer to the Caddy docs for more information: