realaravinth/libreddit-loadbalance-demo
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity

Compare commits

base: realaravinth:sec
Branches Tags
realaravinth:master
realaravinth:sec
..
compare: realaravinth:master
Branches Tags
realaravinth:sec
realaravinth:master

No commits in common. "sec" and "master" have entirely different histories.
sec ... master

10 changed files with 30 additions and 109 deletions
Show stats Expand all files Collapse all files

3
.gitignore vendored
View file

@ -9,6 +9,3 @@ terraform.tfstate.backup
.terraform/ .terraform/
.terraform.lock.hcl .terraform.lock.hcl
bullseye bullseye
inspec/
inspec.sh
ansible/assets/

2
Makefile
View file

@ -9,7 +9,6 @@ endef
define configure_base define configure_base
ansible-playbook -i ./ansible/inventory/hosts.ini -f 10 ./ansible/playbook.yml ansible-playbook -i ./ansible/inventory/hosts.ini -f 10 ./ansible/playbook.yml
ansible-playbook -i ./ansible/inventory/hosts.ini -f 10 ./ansible/harden.yml
endef endef
define configure_loadbalance define configure_loadbalance
@ -105,5 +104,6 @@ test.loadbalance: ## Test loadbalancer installation
test.libreddit: ## Test libreddit installation test.libreddit: ## Test libreddit installation
$(call test_libreddit) $(call test_libreddit)
help: ## Prints help for targets with comments help: ## Prints help for targets with comments
@cat $(MAKEFILE_LIST) | grep -E '^[a-zA-Z_-].+:.*?## .*$$' | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' @cat $(MAKEFILE_LIST) | grep -E '^[a-zA-Z_-].+:.*?## .*$$' | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'

29
ansible/harden.yml
View file

@ -1,29 +0,0 @@
# SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Baseline security compliance
hosts: all
remote_user: atm
become: true
pre_tasks:
- name: Ensure all VMs are reachable
ansible.builtin.ping:
collections:
- devsec.hardening
roles:
- devsec.hardening.os_hardening
- ssh_hardening
vars:
- ssh_allow_tcp_forwarding: no
- ssh_allow_agent_forwarding: false
- ssh_x11_forwarding: false
- ssh_server_password_login: false
- os_filesystem_whitelist: vfat
- sysctl_overwrite:
- net.ipv6.conf.default.autoconf: 0
- net.ipv6.conf.all.autoconf: 0
- net.ipv6.conf.all.router_solicitations: 0
- fs.protected_symlinks: 1
- fs.protected_hardlinks: 1

12
ansible/libreddit.yml
View file

@ -8,50 +8,45 @@
remote_user: atm remote_user: atm
tasks: tasks:
- name: Ensure all VMs are reachable
ansible.builtin.ping:
- name: Create /etc/apt/keyrings dir - name: Create /etc/apt/keyrings dir
become: true
ansible.builtin.file: ansible.builtin.file:
path: /etc/apt/keyrings path: /etc/apt/keyrings
state: directory state: directory
recurse: true recurse: true
- name: Add Docker GPG apt Key - name: Add Docker GPG apt Key
become: true
ansible.builtin.apt_key: ansible.builtin.apt_key:
url: https://download.docker.com/linux/debian/gpg url: https://download.docker.com/linux/debian/gpg
state: present state: present
- name: Add Docker Repository - name: Add Docker Repository
become: true
ansible.builtin.apt_repository: ansible.builtin.apt_repository:
repo: deb https://download.docker.com/linux/debian buster stable repo: deb https://download.docker.com/linux/debian buster stable
state: present state: present
- name: Update apt and install docker-ce - name: Update apt and install docker-ce
become: true
ansible.builtin.apt: ansible.builtin.apt:
name: docker-ce name: docker-ce
update_cache: true update_cache: true
- name: Install Docker Module for Python - name: Install Docker Module for Python
become: true
ansible.builtin.pip: ansible.builtin.pip:
name: docker name: docker
- name: Ensure docker group is present - name: Ensure docker group is present
become: true
ansible.builtin.group: ansible.builtin.group:
name: docker name: docker
state: present state: present
- name: Add user atm to docker group - name: Add user atm to docker group
become: true
ansible.builtin.user: ansible.builtin.user:
name: atm name: atm
groups: docker,users,admin groups: docker,users,admin
- name: Deploy libreddit - name: Deploy libreddit
become: true
ansible.builtin.docker_container: ansible.builtin.docker_container:
name: libreddit name: libreddit
state: started state: started
@ -61,7 +56,6 @@
- "8080:8080" - "8080:8080"
- name: Allow port 8080 - name: Allow port 8080
become: true
community.general.ufw: community.general.ufw:
state: enabled state: enabled
proto: tcp proto: tcp

29
ansible/loadbalance.yml
View file

@ -5,23 +5,24 @@
--- ---
- name: Configure loadbalancers - name: Configure loadbalancers
hosts: bullseye_loadbalance hosts: bullseye_loadbalance
remote_user: atm remote_user: root
become: true
pre_tasks: tasks:
- name: Install nginx - name: Ensure all VMs are reachable
become: true ansible.builtin.ping:
- name: Update package cache
ansible.builtin.apt:
update_cache: true
upgrade: safe
- name: Install git, zip, nginx, wget, curl & other utils
ansible.builtin.apt: ansible.builtin.apt:
update_cache: true update_cache: true
pkg: pkg:
- nginx - nginx
- ca-certificates - ca-certificates
- ufw
collections:
- devsec.hardening
roles:
- dev-sec.nginx-hardening
tasks:
- name: Add user atm to docker group - name: Add user atm to docker group
ansible.builtin.user: ansible.builtin.user:
name: atm name: atm
@ -61,12 +62,12 @@
- name: Copy the Nginx config file and restart nginx - name: Copy the Nginx config file and restart nginx
ansible.builtin.copy: ansible.builtin.copy:
src: ./assets/nginx.cfg src: ./assets/nginx.cfg
dest: /etc/nginx/sites-available/libreddit dest: /etc/nginx/sites-available/nginx.cfg
- name: Create symlink - name: Create symlink
ansible.builtin.file: ansible.builtin.file:
src: /etc/nginx/sites-available/libreddit src: /etc/nginx/sites-available/nginx.cfg
dest: /etc/nginx/sites-enabled/libreddit dest: /etc/nginx/sites-enabled/default
state: link state: link
- name: Enable and start nginx service - name: Enable and start nginx service

26
ansible/playbook.yml
View file

@ -3,22 +3,19 @@
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
--- ---
- name: Install and enable firewall - name: Configure webservers
hosts: all hosts: [bullseye_libreddit,bullseye_loadbalance]
remote_user: atm remote_user: root
pre_tasks:
- name: Ensure all VMs are reachable
ansible.builtin.ping:
tasks: tasks:
- name: Update all packages - name: Ensure all VMs are reachable
become: true ansible.builtin.ping:
- name: Update package cache
ansible.builtin.apt: ansible.builtin.apt:
update_cache: true update_cache: true
upgrade: safe upgrade: safe
- name: Install git, zip, nginx, wget, curl & other utils - name: Install git, zip, nginx, wget, curl & other utils
become: true
ansible.builtin.apt: ansible.builtin.apt:
update_cache: true update_cache: true
pkg: pkg:
@ -27,7 +24,6 @@
- curl - curl
- gpg - gpg
- ca-certificates - ca-certificates
- ntp
- zip - zip
- python3-pip - python3-pip
- virtualenv - virtualenv
@ -36,12 +32,10 @@
- name: Set logging - name: Set logging
become: true
community.general.ufw: community.general.ufw:
logging: "on" logging: "on"
- name: Allow port 22 and enable UFW - name: Allow port 22 and enable UFW
become: true
community.general.ufw: community.general.ufw:
state: enabled state: enabled
rule: allow rule: allow
@ -50,15 +44,7 @@
- name: Enable and start ufw service - name: Enable and start ufw service
become: true
ansible.builtin.service: ansible.builtin.service:
name: ufw name: ufw
enabled: true enabled: true
state: started state: started
- name: Enable and start ufw service
become: true
ansible.builtin.service:
name: ntp
enabled: true
state: started

18
conf.tf
View file

@ -34,7 +34,7 @@ variable "loadbalance_count" {
variable "libreddit_count" { variable "libreddit_count" {
default = 2 default = 4
} }
@ -208,19 +208,3 @@ resource "local_file" "nginx_loadbalance_conf" {
filename = "./ansible/assets/nginx.cfg" filename = "./ansible/assets/nginx.cfg"
} }
resource "local_file" "auditor_script" {
content = templatefile("./templates/auditor.tftpl",
{
libreddit_vm_ips = local.libreddit_vm_ips,
libreddit_vm_names = local.libreddit_vm_names,
libreddit_vms = local.libreddit_vm_map,
loadbalance_vm_ips = local.loadbalance_vm_ips,
loadbalance_vm_names = local.loadbalance_vm_names,
loadbalance_vms = local.loadbalance_vm_map
})
filename = "./inspec.sh"
}

12
templates/auditor.tftpl
View file

@ -1,12 +0,0 @@
#!/bin/bash
%{ for vm in loadbalance_vms ~}
cinc-auditor exec ./inspec/linux-baseline -t ssh://atm@${vm.ip} # ${vm.name}
cinc-auditor exec ./inspec/ssh-baseline -t ssh://atm@${vm.ip} # ${vm.name}
cinc-auditor exec ./inspec/nginx-baseline -t ssh://atm@${vm.ip} # ${vm.name}
%{ endfor ~}
%{ for vm in libreddit_vms ~}
cinc-auditor exec ./inspec/linux-baseline -t ssh://atm@${vm.ip} # ${vm.name}
cinc-auditor exec ./inspec/ssh-baseline -t ssh://atm@${vm.ip} # ${vm.name}
%{ endfor ~}

4
templates/hosts.yml.tftpl
View file

@ -1,9 +1,9 @@
[bullseye_loadbalance] [bullseye_loadbalance]
%{ for vm in loadbalance_vms ~} %{ for vm in loadbalance_vms ~}
${vm.name} ansible_host=${vm.ip} ansible_user=atm ${vm.name} ansible_host=${vm.ip} ansible_user=root
%{ endfor ~} %{ endfor ~}
[bullseye_libreddit] [bullseye_libreddit]
%{ for vm in libreddit_vms ~} %{ for vm in libreddit_vms ~}
${vm.name} ansible_host=${vm.ip} ansible_user=atm ${vm.name} ansible_host=${vm.ip} ansible_user=root
%{ endfor ~} %{ endfor ~}

4
tests/test_loadbalance.py
View file

@ -33,11 +33,11 @@ def test_nginx_service_running_and_enabled(host):
assert service.is_enabled assert service.is_enabled
def test_config_is_present(host): def test_config_is_present(host):
file = host.file("/etc/nginx/sites-available/libreddit") file = host.file("/etc/nginx/sites-available/nginx.cfg")
assert file.exists assert file.exists
assert file.is_file assert file.is_file
sym_file = host.file("/etc/nginx/sites-enabled/libreddit") sym_file = host.file("/etc/nginx/sites-enabled/default")
assert sym_file.exists assert sym_file.exists
assert sym_file.is_symlink assert sym_file.is_symlink
assert sym_file.linked_to == file assert sym_file.linked_to == file