From e650f91311a93390af47b2fff0dae0fdd660fcdf Mon Sep 17 00:00:00 2001 From: Jens Heinrich Date: Tue, 21 May 2019 19:07:14 +0200 Subject: [PATCH] Di. 21 Mai 2019 19:07:14 CEST in /home/jens/Development/ansible/roles/tweaks on deathbolt.927589452.space --- handlers/main.yml | 37 +++++++++++ tasks/Archlinux-power.yml | 26 ++++++++ tasks/FreeBSD-bluetooth.yml | 28 ++++++++- tasks/FreeBSD-localunbound.yml | 36 +++++++---- tasks/FreeBSD-printing.yml | 4 +- tasks/main.yml | 14 ++++- templates/bluetooth_hcsecd.conf.j2 | 63 +++++++++++++++++++ templates/keyboard-conf.j2 | 7 +++ .../local_unbound_access_control.conf.j2 | 8 +++ templates/local_unbound_lan-zones.conf.j2 | 6 ++ .../local_unbound_local_resolver.conf.j2 | 12 ++++ templates/local_unbound_opennic.conf.j2 | 4 ++ templates/local_unbound_unbound.conf.j2 | 14 +++++ templates/resolv.conf.j2 | 7 +++ vars/FreeBSD.yml | 13 ++++ vars/bluetooth-devices.yml | 8 +++ vars/default.yml | 13 ++++ vars/local_unbound.yml | 17 +++++ vars/ssh.yaml | 3 + 19 files changed, 304 insertions(+), 16 deletions(-) create mode 100644 handlers/main.yml create mode 100644 tasks/Archlinux-power.yml create mode 100644 templates/bluetooth_hcsecd.conf.j2 create mode 100644 templates/keyboard-conf.j2 create mode 100644 templates/local_unbound_access_control.conf.j2 create mode 100644 templates/local_unbound_lan-zones.conf.j2 create mode 100644 templates/local_unbound_local_resolver.conf.j2 create mode 100644 templates/local_unbound_opennic.conf.j2 create mode 100644 templates/local_unbound_unbound.conf.j2 create mode 100644 templates/resolv.conf.j2 create mode 100644 vars/FreeBSD.yml create mode 100644 vars/bluetooth-devices.yml create mode 100644 vars/default.yml create mode 100644 vars/local_unbound.yml create mode 100644 vars/ssh.yaml diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..b0fbc55 --- /dev/null +++ b/handlers/main.yml 
@@ -0,0 +1,37 @@
+---
+- name: restart local_unbound
+ service:
+ name: local_unbound
+ state: stopped
+ become: true
+ notify: start local_unbound
+
+- name: start local_unbound
+ service:
+ name: local_unbound
+ state: started
+ become: true
+
+- name: restart dhclient
+ service:
+ name: dhclient
+ state: stopped
+ become: true
+ notify: start dhclient
+
+- name: start dhclient
+ service:
+ name: dhclient
+ state: started
+ become: true
+
+- name: load the bt modules
+ service:
+ name: "{{ module }}"
+ state: started
+ become: true
+ loop_control:
+ loop_var: module
+ loop:
+ - sdpd
+ - hpsecd
diff --git a/tasks/Archlinux-power.yml b/tasks/Archlinux-power.yml
new file mode 100644
index 0000000..9e99ef8
--- /dev/null
+++ b/tasks/Archlinux-power.yml
@@ -0,0 +1,26 @@
+---
+- name: install power managment utilities
+ package:
+ name:
+ - acpid
+ - tlp
+ - tp-smapi
+ - acpi-call
+ - powertop
+ - smartmontools
+ - x86_energy_perf_policy
+ - lsb-release
+
+ state: present
+ become: true
+ tags:
+ - installation
+
+- name: enable tlp
+ service:
+ name: tlp
+ state: started
+ become: true
+ tags:
+ - services
+
diff --git a/tasks/FreeBSD-bluetooth.yml b/tasks/FreeBSD-bluetooth.yml
index 1c0b7fe..97178e7 100644
--- a/tasks/FreeBSD-bluetooth.yml
+++ b/tasks/FreeBSD-bluetooth.yml
@@ -1,4 +1,8 @@
 ---
+- include_vars: bluetooth-devices.yml
+ tags:
+ - vars
+
 - name: install pkg for bluetooth audio
 package:
 name: virtual_oss
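Review bot: The `load the bt modules` handler in handlers/main.yml loops over `hpsecd`, which is not a FreeBSD service; the security daemon that the rc.conf task elsewhere in this patch enables is `hcsecd`, so the handler fails on that iteration and the daemon is never started by it: `- hcsecd`. The `restart local_unbound` and `restart dhclient` handlers stop the service and depend on a second, handler-notified handler to start it again; `state: restarted` does the same in one step and cannot leave the resolver stopped if the play aborts between the two. None of the tasks in this patch notify the bt handler, so a changed hcsecd.conf only takes effect after a manual restart.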
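Review bot: The `enable tlp` task in tasks/Archlinux-power.yml only starts the service; without `enabled: true` it will not come back after a reboot, which is what the task name promises. Nothing in this patch includes Archlinux-power.yml from tasks/main.yml, and the new include loop there is gated on `ansible_system == 'FreeBSD'`, so as far as this diff shows the file is unreachable. `managment` in the first task name should read `management`.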
@@ -7,17 +11,39 @@ tags: - install -- name: load the bt security module +- name: generate BT configs + template: + src: "{{ BT_TEMPLATE.src }}" + dest: "{{ BT_TEMPLATE.dest }}" + loop_control: + loop_var: BT_TEMPLATE + tags: + - configuration + become: true + loop: + - src: bluetooth_hcsecd.conf.j2 + dest: "/etc/bluetooth/hcsecd.conf" + + # https://gist.github.com/david-moran/1a9e4f910749d66d93e3fa71f3f68c98 + # https://www.freebsd.org/doc/handbook/network-bluetooth.html + +- name: load the bt modules lineinfile: path: "/etc/rc.conf" regexp: "^{{ item.name }}" line: "{{ item.name }}={{ item.val }}" become: true + tags: + - configuration loop: "{{ sysctl_setting }}" vars: sysctl_setting: - name: "hcsecd_enable" val: "YES" + - name: "sdpd_enable" + val: "YES" + - name: "bthidd_enable" + val: "YES" - name: load the bt module lineinfile: diff --git a/tasks/FreeBSD-localunbound.yml b/tasks/FreeBSD-localunbound.yml index ce05483..63c4eea 100644 --- a/tasks/FreeBSD-localunbound.yml +++ b/tasks/FreeBSD-localunbound.yml @@ -1,4 +1,6 @@ --- +- include_vars: local_unbound.yml + - name: "save dhclients dns and dhcp in a file" lineinfile: path: "/etc/resolvconf.conf" @@ -27,6 +29,22 @@ - name: "local_unbound_enable" val: "YES" +- name: "get opennic hints" + shell: "{{ hints_opennic_cmd }}" + become: true + tags: + - installation + - configuration + +- name: "get named hints" + get_url: + url: "{{ hints_named_url }}" + dest: "{{ hints_named }}" + become: true + tags: + - installation + - configuration + - name: manage resolv.conf template: dest: /etc/resolv.conf 
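Review bot: The `generate BT configs` task writes /etc/bluetooth/hcsecd.conf without `owner`, `group` or `mode`, and that file carries Bluetooth link keys and PINs; when the target file does not already exist the template module creates it with the umask default, typically world-readable. Add `mode: "0600"`, `owner: root` and `group: wheel` to the task. It also notifies nothing, so hcsecd keeps its old key table until someone restarts it; a `notify:` to a restart handler would close that gap. The rc.conf task's `regexp: "^{{ item.name }}"` is an unanchored prefix match that would also rewrite a line such as `hcsecd_enable_extra=`; `regexp: "^{{ item.name }}="` is tighter, and the loop variable is named `sysctl_setting` although it holds rc.conf knobs.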
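Review bot: The `get opennic hints` task runs `drill . NS @75.127.96.89 > …/opennic.cache` through `shell` with no `changed_when`, `creates` or failure handling, so it reports changed on every run and, because the redirect truncates the file before drill executes, a network failure leaves an empty hints file for the next resolver restart to read. Those hints are obtained from a single hard-coded IP over plain, unauthenticated DNS and then become the trust root for the whole namespace; at minimum write to a temporary file and move it into place only on success, e.g. `hints_opennic_cmd: "drill . NS @75.127.96.89 > {{ local_unbound_d }}/{{ hints_opennic }}.tmp && mv {{ local_unbound_d }}/{{ hints_opennic }}.tmp {{ local_unbound_d }}/{{ hints_opennic }}"` with `changed_when: false`. The `get named hints` download has no `checksum:`, so TLS is the only integrity check on a file that replaces the root hints.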
@@ -35,20 +53,14 @@ tags: - configuration -- name: "generate access control" +- name: "generate configs" template: - dest: "/etc/unbound/conf.d/access_control.conf" - src: "templates/access_control.j2" - become: true - tags: - - configuration - notify: "restart local_unbound" - -- name: "generate overlay for local dns" - template: - dest: "/etc/unbound/conf.d/local_resolver.conf" - src: "templates/local_resolver.j2" + src: "{{ config.src }}" + dest: "{{ config.dest }}" become: true + loop: "{{ local_unbound_files }}" + loop_control: + loop_var: config tags: - configuration notify: "restart local_unbound" diff --git a/tasks/FreeBSD-printing.yml b/tasks/FreeBSD-printing.yml index e28d619..44bd7f7 100644 --- a/tasks/FreeBSD-printing.yml +++ b/tasks/FreeBSD-printing.yml @@ -45,10 +45,10 @@ - "[system=10]" - "add path 'unlpt*' mode 0660 group cups" - "add path 'ulpt*' mode 0660 group cups" - - "add path 'lpt*' mode 0660 group cupsd_enable" + - "add path 'lpt*' mode 0660 group cups" # add path 'usb/X.Y.Z' mode 0660 group cups # https://www.freebsd.org/doc/en/articles/cups/printing-cups-configuring-server.html - - add path 'usb/0.7.*' mode 0660 group cups + - "add path 'usb/0.7.*' mode 0660 group cups" tags: - configuration diff --git a/tasks/main.yml b/tasks/main.yml index fe97166..eb14c71 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,9 +1,10 @@ --- -- include: "{{ role_path }}/tasks/vars.yml" +- include: "{{ role_path }}/../common/tasks/vars.yml" tags: - vars - include_tasks: "{{ tweak }}" + when: "ansible_system == 'FreeBSD'" tags: - installation - configuration @@ -21,6 +22,17 @@ - FreeBSD-reader.yml - FreeBSD-shortcuts.yml - keyboard.yml + +- include_tasks: "{{ tweaks }}" + when: "ansible_system == 'FreeBSD'" + tags: + - installation + - configuration + - vars + loop_control: + loop_var: tweak + loop: - "{{ role_path }}/../common/tasks/chip-development.yml" - "{{ role_path }}/../common/tasks/nmap.yml" + 
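Review bot: The `generate configs` task notifies `restart local_unbound`, which in this patch is a stop followed by a separately notified start, while resolv.conf.j2 points at `nameserver 127.0.0.1` only; a rendering mistake in any looped fragment therefore leaves the host without DNS rather than failing the play. A `validate: "/usr/sbin/local-unbound-checkconf %s"` on the template task would reject a broken fragment before the handler fires, provided that tool accepts a standalone `server:` fragment; otherwise check the assembled configuration in a task placed before the notify. Since `src`/`dest` now come from `local_unbound_files`, a wrong `local_unbound_conf_d` value moves the fragments outside the `conf.d/*.conf` include without any error from this task, assuming the directory exists.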
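Review bot: The new `include_tasks: "{{ tweaks }}"` in tasks/main.yml references `tweaks`, but the loop declares `loop_var: tweak`, so the include fails with an undefined variable on the first iteration: `- include_tasks: "{{ tweak }}"`. Both include loops are now gated on `ansible_system == 'FreeBSD'`, which also skips the two `common/tasks` files whose names suggest nothing FreeBSD-specific and leaves the Archlinux-power.yml added in this same commit with no caller; a per-OS include such as `"{{ role_path }}/tasks/{{ ansible_system }}-power.yml"` guarded by `with_first_found` would avoid hard-coding the OS in the condition.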
diff --git a/templates/bluetooth_hcsecd.conf.j2 b/templates/bluetooth_hcsecd.conf.j2
new file mode 100644
index 0000000..bb9a119
--- /dev/null
+++ b/templates/bluetooth_hcsecd.conf.j2
@@ -0,0 +1,63 @@
+{{ ansible_managed | comment }}
+
+# $Id: hcsecd.conf,v 1.1 2003/05/26 22:50:47 max Exp $
+# $FreeBSD: releng/12.0/usr.sbin/bluetooth/hcsecd/hcsecd.conf 338155 2018-08-21 19:28:53Z brd $
+#
+# HCI security daemon configuration file
+#
+# Format:
+#
+# device {
+# option value ;
+# }
+#
+# Possible options and values
+#
+# Options Values
+# ----------------------------------
+# bdaddr xx:xx:xx:xx:xx:xx ; - remote device BD_ADDR
+# name "any char" ; - to set user friendly device name
+# key 0x11223344 | nokey ; - to set link key for the device
+# pin "secret" | nopin ; - to PIN code for the device
+#
+# Notes:
+#
+# Currently there is no way to select keys/PIN code based on which
+# local device received the request. Everything is based on remote
+# device BD_ADDR.
+#
+# "nokey" means that no link key has been defined and we should
+# send Link_Key_Negative_Reply command to the device.
+#
+# "nopin" means that no PIN code has been defined and we should
+# send PIN_Code_Negative_Reply command to the device
+#
+
+# Default entry is applied if no better match found
+# It MUST have 00:00:00:00:00:00 as bdaddr
+device {
+ bdaddr 00:00:00:00:00:00;
+ name "Default entry";
+ key nokey;
+ pin nopin;
+}
+
+device {
+ bdaddr 00:01:02:03:04:05;
+ name "Dummy";
+ key nokey;
+ pin "0000";
+}
+
+device {
+ bdaddr 00:11:22:33:44:55;
+ name "Dummy";
+ key 0x00112233445566778899aabbccddeeff; # 16 bytes key (hex string)
+ pin nopin;
+}
+device {
+ bdaddr 8e:09:ab:dd:6e:ff;
+ name "Black TMouse";
+ key nokey;
+ pin "0000";
+ }
diff --git a/templates/keyboard-conf.j2 b/templates/keyboard-conf.j2
new file mode 100644
index 0000000..422f29a
--- /dev/null
+++ b/templates/keyboard-conf.j2
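Review bot: templates/bluetooth_hcsecd.conf.j2 hard-codes its device entries instead of rendering the `bluetooth_devices` list that FreeBSD-bluetooth.yml now includes, and it keeps the two FreeBSD sample entries (`00:01:02:03:04:05` with PIN `0000`, `00:11:22:33:44:55` with the published sample link key) as live pairing credentials, so hcsecd will answer pairing requests from those addresses with the sample PIN or key. The real mouse's address and PIN are also committed to the repository in clear. Render the device blocks from `bluetooth_devices`, keep `key`/`pin` in an ansible-vault file, and drop the sample entries so that only the mandatory `00:00:00:00:00:00` default remains; the `$Id`/`$FreeBSD` header lines are copied from the stock file and no longer describe this one.
```jinja
{# … unchanged: header comments and the 00:00:00:00:00:00 default entry … #}
{% for dev in bluetooth_devices %}
device {
    bdaddr {{ dev.mac }};
    name "{{ dev.name }}";
    key {{ dev.key | default('nokey', true) }};
    pin {% if dev.pin is defined and dev.pin %}"{{ dev.pin }}"{% else %}nopin{% endif %};
}
{% endfor %}
```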
@@ -0,0 +1,7 @@
+Section "InputClass"
+ Identifier "KeyboardDefaults"
+ Driver "keyboard"
+ MatchIsKeyboard "on"
+ Option "XkbLayout" "{{ kblayout }}"
+ Option "XkbVariant" "{{ kbvariant }}"
+EndSection
diff --git a/templates/local_unbound_access_control.conf.j2 b/templates/local_unbound_access_control.conf.j2
new file mode 100644
index 0000000..6fdecd8
--- /dev/null
+++ b/templates/local_unbound_access_control.conf.j2
@@ -0,0 +1,8 @@
+{{ ansible_managed | comment }}
+
+server:
+ ## private addresses only
+ ## https://tools.ietf.org/html/rfc1918
+ access-control: 10.0.0.0/8 allow
+ access-control: 172.16.0.0/12 allow
+ access-control: 192.168.0.0/16 allow
diff --git a/templates/local_unbound_lan-zones.conf.j2 b/templates/local_unbound_lan-zones.conf.j2
new file mode 100644
index 0000000..c72154a
--- /dev/null
+++ b/templates/local_unbound_lan-zones.conf.j2
@@ -0,0 +1,6 @@
+# This file was generated by local-unbound-setup.
+# Modifications will be overwritten.
+server:
+ # Unblock reverse lookups for LAN addresses
+ unblock-lan-zones: yes
+ insecure-lan-zones: yes
diff --git a/templates/local_unbound_local_resolver.conf.j2 b/templates/local_unbound_local_resolver.conf.j2
new file mode 100644
index 0000000..973ca51
--- /dev/null
+++ b/templates/local_unbound_local_resolver.conf.j2
@@ -0,0 +1,12 @@
+{{ ansible_managed | comment }}
+
+server:
+{% for domain in local_domains %}
+
+# {{ domain }}
+ local-zone: {{ domain.name }} transparent
+ local-data: "{{ domain.name }} IN NS {{ domain.ns }}"
+ local-data: "{{ domain.ns }} IN A {{ domain.ip }}"
+ local-data-ptr: "{{domain.ip}} {{domain.ns}}"
+
+{% endfor %}
diff --git a/templates/local_unbound_opennic.conf.j2 b/templates/local_unbound_opennic.conf.j2
new file mode 100644
index 0000000..f3909cb
--- /dev/null
+++ b/templates/local_unbound_opennic.conf.j2
@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+# https://wiki.opennic.org/tier_2_unbound
+server:
+ root-hints: "{{ local_unbound_run_d }}/{{ hints_opennic }}"
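Review bot: templates/local_unbound_access_control.conf.j2 allows recursion from all of 10/8, 172.16/12 and 192.168/16, and nothing in this patch sets `interface:` in unbound.conf.j2, so the rule is harmless only because unbound's default is to listen on localhost. On a laptop whose default interface is `wlan0` (vars/FreeBSD.yml), the first time an `interface:` for that NIC is added the host becomes an open recursive resolver for every LAN it joins. Scope the allow to the networks that actually need it, e.g. `access-control: {{ vm_nat_net }} allow` for the VM NAT range, and add a comment such as `# listener is loopback-only unless unbound.conf adds interface:` so the dependency is visible.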
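Review bot: templates/local_unbound_local_resolver.conf.j2 iterates `local_domains`, but none of the vars files added in this patch (local_unbound.yml, FreeBSD.yml, default.yml) define it, so unless it comes from the common vars the template fails to render on an undefined variable. The `# {{ domain }}` line also dumps the whole dict into the comment rather than the zone name; `# {{ domain.name }}` is what a reader expects. A one-line contract at the top, `{# expects local_domains: list of {name, ns, ip} #}`, would document the shape the loop relies on.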
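Review bot: templates/local_unbound_opennic.conf.j2 adds a second `root-hints:` after the one in unbound.conf.j2, replacing the ICANN root with servers learned from a single unauthenticated query, while `auto-trust-anchor-file` still anchors DNSSEC validation to the ICANN root key. Confirm on a live host that validation still succeeds for ordinary TLDs with these hints and that the later `root-hints` line is the one unbound honours; if it does not, the tempting fix (disabling validation or permissive mode) would remove the only integrity check on answers reached through hints fetched over plain UDP. A comment such as `# overrides root-hints from unbound.conf; DNSSEC still validates against root.key` would make the intended interaction explicit.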
diff --git a/templates/local_unbound_unbound.conf.j2 b/templates/local_unbound_unbound.conf.j2
new file mode 100644
index 0000000..fe71b02
--- /dev/null
+++ b/templates/local_unbound_unbound.conf.j2
@@ -0,0 +1,14 @@
+# This file was generated by local-unbound-setup.
+# Modifications will be overwritten.
+server:
+ username: unbound
+ directory: {{ local_unbound_run_d }}
+ chroot: {{ local_unbound_run_d }}
+ pidfile: /var/run/local_unbound.pid
+ auto-trust-anchor-file: {{ local_unbound_run_d }}/root.key
+ root-hints: {{ local_unbound_run_d }}/root.hints
+
+include: {{ local_unbound_run_d }}/forward.conf
+include: {{ local_unbound_run_d }}/lan-zones.conf
+include: {{ local_unbound_run_d }}/control.conf
+include: {{ local_unbound_run_d }}/conf.d/*.conf
diff --git a/templates/resolv.conf.j2 b/templates/resolv.conf.j2
new file mode 100644
index 0000000..99fbffd
--- /dev/null
+++ b/templates/resolv.conf.j2
@@ -0,0 +1,7 @@
+{{ ansible_managed | comment }}
+search dietzenbach.927589452.space 927589452.space
+# nameserver 10.47.11.72
+# nameserver 185.181.104.74
+nameserver 127.0.0.1
+#nameserver 8.8.8.8
+options edns0
diff --git a/vars/FreeBSD.yml b/vars/FreeBSD.yml
new file mode 100644
index 0000000..d7f7a08
--- /dev/null
+++ b/vars/FreeBSD.yml
@@ -0,0 +1,13 @@
+---
+xorgconfigpath: "/usr/local/etc/X11/xorg.conf.d/"
+kblayout: "de"
+kbvariant: "nodeadkeys"
+
+defaultsnddevice: "0"
+audiochannel: 4
+
+default_net_device: "wlan0"
+
+vm_nat_net: "10.70.14.0/22"
+
+vm_pool: zroot/vm
diff --git a/vars/bluetooth-devices.yml b/vars/bluetooth-devices.yml
new file mode 100644
index 0000000..fe3eb48
--- /dev/null
+++ b/vars/bluetooth-devices.yml
@@ -0,0 +1,8 @@
+---
+bluetooth_devices:
+ - name:
+ mac:
+ - name:
+ mac:
+ key:
+ pin:
diff --git a/vars/default.yml b/vars/default.yml
new file mode 100644
index 0000000..d7f7a08
--- /dev/null
+++ b/vars/default.yml
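Review bot: templates/local_unbound_unbound.conf.j2 still claims `generated by local-unbound-setup` although this role now writes it, and it declares no `interface:`, so the listener is whatever unbound's default is and the RFC1918 `access-control` allows in conf.d are only safe by that implicit default. Make it explicit with `interface: 127.0.0.1` and `interface: ::1` next to `username: unbound`, and replace the two header lines with `{{ ansible_managed | comment }}` as the other templates do. The `include:` and `root-hints:` paths live under `{{ local_unbound_run_d }}` (the chroot) while vars/local_unbound.yml writes the fragments and hints under `/etc/unbound`; this presumably relies on the two being the same directory on FreeBSD and deserves a comment saying so.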
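Review bot: vars/bluetooth-devices.yml is a plain vars file whose bare `name:`, `mac:`, `key:` and `pin:` values parse as null, and it is where Bluetooth link keys and PINs will end up once filled in; keep those two keys in an ansible-vault-encrypted file rather than next to keyboard layouts. When real values are added, quote the MAC addresses (`mac: "10:11:22:33:44:55"`), since an address made only of digits below 60 parses as a sexagesimal integer under YAML 1.1, and quote PINs such as `"0000"` so the leading zeros survive. A short comment describing the expected shape (`name`, `mac`, optional `key` as 0x-prefixed hex, optional `pin`) would help, given that the template in this patch does not yet consume the list.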
@@ -0,0 +1,13 @@
+---
+xorgconfigpath: "/usr/local/etc/X11/xorg.conf.d/"
+kblayout: "de"
+kbvariant: "nodeadkeys"
+
+defaultsnddevice: "0"
+audiochannel: 4
+
+default_net_device: "wlan0"
+
+vm_nat_net: "10.70.14.0/22"
+
+vm_pool: zroot/vm
diff --git a/vars/local_unbound.yml b/vars/local_unbound.yml
new file mode 100644
index 0000000..39e3c83
--- /dev/null
+++ b/vars/local_unbound.yml
@@ -0,0 +1,17 @@
+---
+local_unbound_conf_d: "{{ local_unbound_d}}conf.d/"
+local_unbound_d: "/etc/unbound"
+local_unbound_run_d: "/var/unbound"
+hints_opennic: "opennic.cache"
+hints_opennic_cmd: "drill . NS @75.127.96.89 > {{ local_unbound_d }}/{{ hints_opennic }}"
+hints_named: "{{ local_unbound_d }}/named.cache"
+hints_named_url: "https://www.internic.net/domain/named.cache"
+
+local_unbound_files:
+ - src: "local_unbound_opennic.conf.j2"
+ dest: "{{ local_unbound_conf_d }}/opennic.conf"
+ - src: "local_unbound_access_control.conf.j2"
+ dest: "{{ local_unbound_conf_d }}/access_control.conf"
+ - src: "local_unbound_local_resolver.conf.j2"
+ dest: "{{ local_unbound_conf_d }}/local_resolver.conf"
+
diff --git a/vars/ssh.yaml b/vars/ssh.yaml
new file mode 100644
index 0000000..e9f0895
--- /dev/null
+++ b/vars/ssh.yaml
@@ -0,0 +1,3 @@
+---
+ctf_host:
+ - domain: overthewire.org
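Review bot: `local_unbound_conf_d: "{{ local_unbound_d}}conf.d/"` in vars/local_unbound.yml has no separator after `local_unbound_d`, so it expands to `/etc/unboundconf.d/`, and each `dest` then appends another slash, giving `/etc/unboundconf.d//opennic.conf`; the template task fails because that directory does not exist, or, if someone creates it, the fragments land outside the `conf.d/*.conf` include and silently never apply. Fix it as `local_unbound_conf_d: "{{ local_unbound_d }}/conf.d"` and drop the leading `/` from the three `dest` values. `hints_opennic_cmd` writes under `/etc/unbound` whereas opennic.conf.j2 reads the file from `/var/unbound`, which only works if those are the same directory on the target and deserves a comment. vars/default.yml is byte-identical to vars/FreeBSD.yml (same blob `d7f7a08`), so one of the two is redundant.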