Compare commits


No commits in common. "main" and "docs" have entirely different histories.
main ... docs

31 changed files with 141 additions and 603 deletions

11
.gitignore vendored

@ -1,11 +0,0 @@
# ---> Ansible
*.retry
plugins
library
# ---> Python
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class


@ -1,15 +0,0 @@
---
ansible:
custom_modules:
- iptables_raw
- openssl_pkcs12
- proxmox_kvm
- ucr
- corenetworks_dns
- corenetworks_token
rules:
exclude_files:
- "LICENSE*"
- "**/*.md"
- "**/*.ini"


@ -1,7 +0,0 @@
---
default: True
MD013: False
MD041: False
MD024: False
MD004:
style: dash


@ -1 +0,0 @@
LICENSE


@ -1,47 +0,0 @@
---
when:
- event: [pull_request]
- event: [push, manual]
branch:
- ${CI_REPO_DEFAULT_BRANCH}
steps:
- name: generate
image: quay.io/thegeeklab/ansible-doctor
environment:
ANSIBLE_DOCTOR_EXCLUDE_FILES: molecule/
ANSIBLE_DOCTOR_FORCE_OVERWRITE: "true"
ANSIBLE_DOCTOR_LOG_LEVEL: INFO
ANSIBLE_DOCTOR_ROLE_NAME: ${CI_REPO_NAME}
ANSIBLE_DOCTOR_TEMPLATE: readme
- name: format
image: quay.io/thegeeklab/alpine-tools
commands:
- prettier -w README.md
- name: diff
image: quay.io/thegeeklab/alpine-tools
commands:
- git diff --color=always README.md
- name: publish
image: quay.io/thegeeklab/wp-git-action
settings:
action:
- commit
- push
author_email: ci-bot@rknet.org
author_name: ci-bot
branch: main
message: "[skip ci] automated docs update"
netrc_machine: gitea.rknet.org
netrc_password:
from_secret: gitea_token
when:
- event: [push, manual]
branch:
- ${CI_REPO_DEFAULT_BRANCH}
depends_on:
- test


@ -1,30 +0,0 @@
---
when:
- event: [pull_request, tag]
- event: [push, manual]
branch:
- ${CI_REPO_DEFAULT_BRANCH}
steps:
- name: ansible-later
image: quay.io/thegeeklab/ansible-later:4
commands:
- ansible-later
environment:
FORCE_COLOR: "1"
- name: python-format
image: docker.io/python:3.12
commands:
- pip install -qq ruff
- ruff format --check --diff .
environment:
PY_COLORS: "1"
- name: python-lint
image: docker.io/python:3.12
commands:
- pip install -qq ruff
- ruff .
environment:
PY_COLORS: "1"


@ -1,26 +0,0 @@
---
when:
- event: [tag]
- event: [push, manual]
branch:
- ${CI_REPO_DEFAULT_BRANCH}
runs_on: [success, failure]
steps:
- name: matrix
image: quay.io/thegeeklab/wp-matrix
settings:
homeserver:
from_secret: matrix_homeserver
password:
from_secret: matrix_password
roomid:
from_secret: matrix_roomid
username:
from_secret: matrix_username
when:
- status: [success, failure]
depends_on:
- docs


@ -1,25 +0,0 @@
---
when:
- event: [pull_request, tag]
- event: [push, manual]
branch:
- ${CI_REPO_DEFAULT_BRANCH}
variables:
- &molecule_base
image: quay.io/thegeeklab/molecule:6
group: molecule
secrets:
- source: molecule_hcloud_token
target: HCLOUD_TOKEN
environment:
PY_COLORS: "1"
steps:
- name: molecule-default
<<: *molecule_base
commands:
- molecule test -s default
depends_on:
- lint

21
LICENSE

@ -1,21 +0,0 @@
MIT License
Copyright (c) 2022 Robert Kaussow <mail@thegeeklab.de>
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is furnished
to do so, subject to the following conditions:
The above copyright notice and this permission notice (including the next
paragraph) shall be included in all copies or substantial portions of the
Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


@ -1,11 +1,15 @@
# xoxys.kernel
---
title: kernel
type: docs
---
[![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.kernel/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.kernel)
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.kernel/src/branch/main/LICENSE)
[![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.kernel)
[![Build Status](https://img.shields.io/drone/build/ansible/xoxys.kernel?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.kernel)
[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://gitea.rknet.org/ansible/xoxys.kernel/src/branch/main/LICENSE)
Configure kernel parameters and coredump settings.
## Table of content
<!--more-->
- [Requirements](#requirements)
- [Default Variables](#default-variables)
@ -18,16 +22,13 @@ Configure kernel parameters and coredump settings.
- [kernel_ipv6_enabled](#kernel_ipv6_enabled)
- [kernel_ipv6_forwarding_enabled](#kernel_ipv6_forwarding_enabled)
- [kernel_namespace_support_enabled](#kernel_namespace_support_enabled)
- [kernel_printk](#kernel_printk)
- [Dependencies](#dependencies)
- [License](#license)
- [Author](#author)
---
## Requirements
- Minimum Ansible version: `2.10`
- Minimum Ansible version: `2.1`
## Default Variables
@ -131,22 +132,8 @@ kernel_ipv6_forwarding_enabled: false
kernel_namespace_support_enabled: false
```
### kernel_printk
#### Default value
```YAML
kernel_printk: 4 4 1 7
```
## Dependencies
None.
## License
MIT
## Author
[Robert Kaussow](https://gitea.rknet.org/xoxys)


@ -1,37 +0,0 @@
---
kernel_disable_modules:
- usb-storage
- firewire-core
- dccp
- sctp
- tipc
- rds
- bluetooth
- cramfs
- squashfs
- udf
kernel_blacklist_modules: []
kernel_custom_config: []
# @var kernel_custom_config:example: >
# kernel_custom_config:
# - file: 90-example
# content:
# - name: vm.panic_on_oom
# value: 0
# - name: vm.overcommit_memory
# value: 1
# @end
kernel_namespace_support_enabled: False
kernel_coredump_enabled: True
# @var kernel_ipv4_ping_group_range: $ "_unset"
# @var kernel_ipv4_ping_group_range:example: $ "0 2000000"
kernel_ipv4_forwarding_enabled: False
kernel_ipv6_enabled: False
kernel_ipv6_forwarding_enabled: False
kernel_printk: "4 4 1 7"


@ -1,9 +0,0 @@
---
- name: Reload kernel configuration
ansible.builtin.command: "sysctl --system"
listen: __kernel_reload
- name: Reboot server
ansible.builtin.reboot:
reboot_timeout: 600
listen: __kernel_server_restart

132
index.md Normal file

@ -0,0 +1,132 @@
---
title: kernel
type: docs
---
[![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&amp;logoColor=white)](https://gitea.rknet.org/ansible/xoxys.kernel) [![Build Status](https://img.shields.io/drone/build/ansible/xoxys.kernel?logo=drone&amp;server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.kernel) [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://gitea.rknet.org/ansible/xoxys.kernel/src/branch/main/LICENSE)
Configure kernel parameters and coredump settings.
<!--more-->
- [Default Variables](#default-variables)
- [kernel_blacklist_modules](#kernel_blacklist_modules)
- [kernel_coredump_enabled](#kernel_coredump_enabled)
- [kernel_custom_config](#kernel_custom_config)
- [kernel_disable_modules](#kernel_disable_modules)
- [kernel_ipv4_forwarding_enabled](#kernel_ipv4_forwarding_enabled)
- [kernel_ipv4_ping_group_range](#kernel_ipv4_ping_group_range)
- [kernel_ipv6_enabled](#kernel_ipv6_enabled)
- [kernel_ipv6_forwarding_enabled](#kernel_ipv6_forwarding_enabled)
- [kernel_namespace_support_enabled](#kernel_namespace_support_enabled)
- [Dependencies](#dependencies)
---
## Default Variables
### kernel_blacklist_modules
#### Default value
```YAML
kernel_blacklist_modules: []
```
### kernel_coredump_enabled
#### Default value
```YAML
kernel_coredump_enabled: true
```
### kernel_custom_config
#### Default value
```YAML
kernel_custom_config: []
```
#### Example usage
```YAML
kernel_custom_config:
- file: 90-example
content:
- name: vm.panic_on_oom
value: 0
- name: vm.overcommit_memory
value: 1
```
### kernel_disable_modules
#### Default value
```YAML
kernel_disable_modules:
- usb-storage
- firewire-core
- dccp
- sctp
- tipc
- rds
- bluetooth
- cramfs
- squashfs
- udf
```
### kernel_ipv4_forwarding_enabled
#### Default value
```YAML
kernel_ipv4_forwarding_enabled: false
```
### kernel_ipv4_ping_group_range
#### Default value
```YAML
kernel_ipv4_ping_group_range: _unset
```
#### Example usage
```YAML
kernel_ipv4_ping_group_range: 0 2000000
```
### kernel_ipv6_enabled
#### Default value
```YAML
kernel_ipv6_enabled: false
```
### kernel_ipv6_forwarding_enabled
#### Default value
```YAML
kernel_ipv6_forwarding_enabled: false
```
### kernel_namespace_support_enabled
#### Default value
```YAML
kernel_namespace_support_enabled: false
```
## Dependencies
None.


@ -1,25 +0,0 @@
---
galaxy_info:
# @meta author:value: [Robert Kaussow](https://gitea.rknet.org/xoxys)
author: Robert Kaussow <mail@thegeeklab.de>
namespace: xoxys
role_name: kernel
# @meta description: >
# [![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.kernel/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.kernel)
# [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.kernel/src/branch/main/LICENSE)
#
# Configure kernel parameters and coredump settings.
# @end
description: Configure kernel parameters and coredump settings
license: MIT
min_ansible_version: "2.10"
platforms:
- name: EL
versions:
- "9"
galaxy_tags:
- kernel
- security
dependencies: []
collections:
- community.general


@ -1,15 +0,0 @@
---
- name: Converge
hosts: all
vars:
kernel_coredump_enabled: False
kernel_ipv6_enabled: True
kernel_custom_config:
- file: 90-example
content:
- name: vm.panic_on_oom
value: 0
- name: vm.overcommit_memory
value: 1
roles:
- role: xoxys.kernel


@ -1,17 +0,0 @@
---
driver:
name: molecule_hetznercloud
dependency:
name: galaxy
options:
role-file: molecule/requirements.yml
requirements-file: molecule/requirements.yml
platforms:
- name: "rocky9-kernel"
server_type: "cx11"
image: "rocky-9"
provisioner:
name: ansible
log: False
verifier:
name: testinfra


@ -1,11 +0,0 @@
---
- name: Prepare
hosts: all
gather_facts: False
tasks:
- name: Bootstrap Python for Ansible
ansible.builtin.raw: |
command -v python3 python ||
((test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
echo "Warning: Python not boostrapped due to unknown platform.")
changed_when: False


@ -1,47 +0,0 @@
import os
import pytest
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("all")
def test_sysctl_file(host):
sysctl = host.file("/etc/sysctl.d/99-local.conf")
assert sysctl.exists
assert sysctl.user == "root"
assert sysctl.group == "root"
assert sysctl.mode == 0o644
@pytest.mark.parametrize(
"name,value",
[
("net.ipv4.ip_forward", 0),
("net.ipv6.conf.all.forwarding", 0),
("vm.panic_on_oom", 0),
("vm.overcommit_memory", 1),
],
)
def test_sysctl_values(host, name, value):
assert host.sysctl(name) == value
def test_modprobe_file(host):
modprobe = host.file("/etc/modprobe.d/custom.conf")
assert modprobe.exists
assert modprobe.user == "root"
assert modprobe.group == "root"
assert modprobe.mode == 0o644
assert modprobe.contains("install usb-storage /bin/true")
assert modprobe.contains("blacklist firewire-core")
def test_coredump_config(host):
assert host.file("/etc/sysctl.d/99-dump.conf").exists
assert host.file("/etc/security/limits.d/dump.conf").exists
assert host.file("/etc/profile.d/dump.sh").exists


@ -1,4 +0,0 @@
---
collections: []
roles: []


@ -1,17 +0,0 @@
[tool.ruff]
exclude = [".git", "__pycache__"]
line-length = 99
indent-width = 4
[tool.ruff.lint]
ignore = ["W191", "E111", "E114", "E117", "S101", "S105"]
select = ["F", "E", "I", "W", "S"]
[tool.ruff.format]
quote-style = "double"
indent-style = "space"
line-ending = "lf"
[tool.pytest.ini_options]
filterwarnings = ["ignore::FutureWarning", "ignore::DeprecationWarning"]


@ -1,33 +0,0 @@
---
- name: Disable core dump for setuid programs
ansible.builtin.template:
src: etc/sysctl.d/99-dump.conf.j2
dest: /etc/sysctl.d/99-dump.conf
owner: root
group: root
mode: "0644"
notify: __kernel_reload
- name: Disable core dump for all users
ansible.builtin.template:
src: etc/security/limits.d/dump.conf.j2
dest: /etc/security/limits.d/dump.conf
owner: root
group: root
mode: "0644"
- name: Disable core dump via soft limits
ansible.builtin.template:
src: etc/profile.d/dump.sh.j2
dest: /etc/profile.d/dump.sh
owner: root
group: root
mode: "0644"
- name: Disable core dump via systemd
ansible.builtin.template:
src: etc/systemd/coredump.conf.j2
dest: /etc/systemd/coredump.conf
owner: root
group: root
mode: "0644"


@ -1,30 +0,0 @@
---
- name: Set default kernel hardening parameters
ansible.builtin.template:
src: etc/sysctl.d/99-local.conf.j2
dest: /etc/sysctl.d/99-local.conf
owner: root
group: root
mode: "0644"
notify: __kernel_reload
- name: Deploy custom kernel configurations
ansible.builtin.template:
src: etc/sysctl.d/xx-custom.conf.j2
dest: "/etc/sysctl.d/{{ item.file }}.conf"
owner: root
group: root
mode: "0644"
loop: "{{ kernel_custom_config }}"
loop_control:
label: "{{ item.file }}"
notify: __kernel_reload
- name: Deploy custom modprobe
ansible.builtin.template:
src: etc/modprobe.d/custom.conf.j2
dest: /etc/modprobe.d/custom.conf
owner: root
group: root
mode: "0644"
notify: __kernel_reload


@ -1,5 +0,0 @@
---
- ansible.builtin.include_tasks: kernel.yml
- ansible.builtin.include_tasks: coredump.yml
when: not (kernel_coredump_enabled | bool)
- ansible.builtin.include_tasks: post.yml


@ -1,3 +0,0 @@
---
- name: Flush handlers to enforce sysctl reload
ansible.builtin.meta: flush_handlers


@ -1,11 +0,0 @@
#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }}
{% for module in kernel_disable_modules %}
install {{ module }} /bin/true
{% endfor %}
{% if (kernel_blacklist_modules + kernel_disable_modules) | length > 0 %}
{% for module in (kernel_blacklist_modules + kernel_disable_modules) %}
blacklist {{ module }}
{% endfor %}
{% endif %}


@ -1,3 +0,0 @@
{{ ansible_managed | comment}}
# Disable core dumps via soft limits for all users
ulimit -S -c 0 > /dev/null 2>&1


@ -1,3 +0,0 @@
{{ ansible_managed | comment }}
# Prevent core dumps for all users
* hard core 0


@ -1,10 +0,0 @@
#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }}
# Controls whether core dumps will append the PID to the core filename
kernel.core_uses_pid = 1
# Disable storing core dumps
kernel.core_pattern = |/bin/false
# Disable core dumps for setuid programs
fs.suid_dumpable = 0


@ -1,106 +0,0 @@
#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }}
# Buffer Overflow Protection
kernel.exec-shield = 1
kernel.randomize_va_space = 2
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Command is trapped and sent to the init program to handle a graceful restart
kernel.ctrl-alt-del = 0
# Prevents unprivileged users from being able to use eBPF
kernel.unprivileged_bpf_disabled = 1
# Restricts loading TTY line disciplines to the CAP_SYS_MODULE capability
dev.tty.ldisc_autoload = 0
# Disallow opening FIFOs or regular files not owned by the user in world-writable directories
fs.protected_fifos = 2
fs.protected_regular = 2
# Disallow following not owned by the user in world-writable directories
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# Restrict eBPF to the CAP_BPF/CAP_SYS_ADMIN capability
net.core.bpf_jit_harden = 2
# Disable Bootstrap protocol, as it is superseded by DHCP
net.ipv4.conf.all.bootp_relay = 0
# Disable the ARP proxy on all interfaces
net.ipv4.conf.all.proxy_arp = 0
# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Don't act as a router
net.ipv4.ip_forward = {{ kernel_ipv4_forwarding_enabled | bool | ternary(1, 0, 0) }}
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0
{% if not kernel_ipv6_enabled | bool %}
# Disable IPv6 for all interfaces
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
{% else %}
# Disable router advertisements
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.all.accept_ra = 0
# Disable ICMP routing redirects
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Disable forwarding of IPv6 source-routed packets
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Disable forwarding of IPv6
net.ipv6.conf.all.forwarding = {{ kernel_ipv6_forwarding_enabled | bool | ternary(1, 0, 0) }}
{% endif %}
{% if kernel_namespace_support_enabled | bool %}
user.max_user_namespaces = 15076
{% endif %}
{% if kernel_ipv4_ping_group_range is defined %}
net.ipv4.ping_group_range={{ kernel_ipv4_ping_group_range }}
{% endif %}
# Kernel message logging
kernel.printk = {{ kernel_printk }}


@ -1,5 +0,0 @@
#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }}
{% for option in item.content %}
{{ option.name }} = {{ option.value }}
{% endfor %}


@ -1,7 +0,0 @@
#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }}
[Coredump]
{% if not kernel_coredump_enabled | bool %}
Storage=none
ProcessSizeMax=0
{% endif %}