From 28cf15ee42e0215c9db9a78b74d07616516bbf8b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Fri, 30 Jul 2021 09:34:38 +0200
Subject: [PATCH 01/10] Manage Fail2ban in the "systemd way"
Thanks to @FinweVI !
Rebase after Gentoo related commits
---
 CHANGELOG.md | 1 +
 defaults/main.yml | 12 +++++++++
 handlers/main.yml | 3 ++-
 tasks/main.yml | 27 ++++++++++++++++++-
 .../fail2ban.service.d/override.conf.j2 | 8 ++++++
 5 files changed, 49 insertions(+), 2 deletions(-)
 create mode 100644 templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 81e0003..9acf63a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@
 * Possibility to toggle file's backup (thanks to @p-rintz − PR #15).
 * Gentoo-specific variables
 * Ability to specify nft binary path through **nft__bin_location**
+* Manage Fail2ban in the "systemd way" (thanks to @FinweVI − PR #16).

 ### Removed
 * Remove everything related to **in_udp_accept** (see conversation in PR #13).
diff --git a/defaults/main.yml b/defaults/main.yml
index 75904ee..7ba5bc4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -562,6 +562,17 @@ nft_service_unit_content: 'lib/systemd/system/nftables.service.j2'
 # The directives will be ignored.
 nft__service_protect: true
 # ]]]
+
+# .. envvar:: nft__fail2ban_service_unit_path [[[
+#
+# Path to store Fail2Ban custom conf.
+nft__fail2ban_service_unit_path: '/etc/systemd/system/fail2ban.service.d/override.conf'
+ # ]]]
+# .. envvar:: nft__fail2ban_service_unit_content [[[
+#
+# Template used to provide systemd custom conf for Fail2Ban service.
+nft__fail2ban_service_unit_content: 'etc/systemd/system/fail2ban.service.d/override.conf.j2'
+ # ]]]
 # .. envvar:: nft__fail2ban_service [[[
 #
 # If the Nftables systemd unit should also restart Fail2ban service. Possible
@@ -574,6 +585,7 @@ nft__service_protect: true
 # Any Nftables service (re)start will also restart Fail2ban service.
 nft__fail2ban_service: False
 # ]]]
+ #
 # .. envvar:: nft_debug [[[
 #
 # Toggle on/off more verbose output. Possible options are:
diff --git a/handlers/main.yml b/handlers/main.yml
index cb7e015..bfebe7b 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -4,7 +4,8 @@
 # (re)Start will be called at first run
 - name: Restart nftables service
 systemd:
- daemon_reload: '{{ nftables__register_systemd_service.changed | default(False) }}'
+ daemon_reload: '{{ (nftables__register_systemd_service.changed | default(False)) or
+ (nftables__register_fail2ban_service.changed | default(False)) }}'
 state: 'restarted'
 name: '{{ nft_service_name }}'
 enabled: '{{ nft_service_enabled }}'
diff --git a/tasks/main.yml b/tasks/main.yml
index 3746cc7..0d260d7 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -185,4 +185,29 @@
 register: nftables__register_systemd_service
 when: (nft_enabled|bool and
 nft_service_manage|bool)
- notify: ['Restart nftables service']
\ No newline at end of file
+ notify: ['Restart nftables service']
+
+# Manage custom fail2ban service [[[1
+- name: Create Fail2Ban custom directory for systemd service
+ file:
+ path: "{{ nft__fail2ban_service_unit_path | dirname }}"
+ state: directory
+ recurse: yes
+ when:
+ - nft_enabled|bool
+ - nft_service_manage|bool
+ - nft__fail2ban_service|bool
+
+- name: Install Debian Fail2Ban custom service
+ template:
+ src: '{{ nft__fail2ban_service_unit_content }}'
+ dest: '{{ nft__fail2ban_service_unit_path }}'
+ owner: 'root'
+ group: 'root'
+ mode: '0644'
+ register: nftables__register_fail2ban_service
+ when:
+ - nft_enabled|bool
+ - nft_service_manage|bool
+ - nft__fail2ban_service|bool
+ notify: ['Restart nftables service']
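Review bot: The `daemon_reload` expression in the handler now has to enumerate the registered result of every task that writes a unit file or drop-in, and the same chain grows again in the handlers hunks of patches 06 and 07 (`nftables__register_fix_systemd_target`, `nftables__register_systemd_custom`); any future task that forgets to add its register here restarts nftables against a stale unit definition. `systemctl daemon-reload` is idempotent and cheap, so `daemon_reload: true` in the handler would be simpler and harder to get wrong than tracking several `.changed` flags. The handler mapping may continue past the last context line of the hunk.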
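Review bot: The new task name `Install Debian Fail2Ban custom service` says Debian, but nothing in the task or in the drop-in it renders is Debian-specific — it runs on any host where `nft_service_manage` is set, and patch 10 verifies the file on the archlinux scenario — so `- name: Install Fail2Ban systemd override` would not mislead. The three-line `when:` list is repeated verbatim on both new tasks; a `block:` carrying a single `when:` would keep the two in step when a condition changes. A one-line comment above the first task, `# fail2ban is ordered after and restarted with nftables via a systemd drop-in`, would tell a reader why a firewall role writes fail2ban configuration.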
diff --git a/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2 b/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
new file mode 100644
index 0000000..25eb25f
--- /dev/null
+++ b/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+[Unit]
+After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
+PartOf=firewalld.service nftables.service
+
+[Install]
+WantedBy=multi-user.target nftables.service
From 5001448a81f6f0ff82d06ddff79a97bb69e6d249 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Fri, 30 Jul 2021 09:36:24 +0200
Subject: [PATCH 02/10] Drop fail2ban restart from nftables unit
Rebase after Gentoo related commits
---
 templates/lib/systemd/system/nftables.service.j2 | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/templates/lib/systemd/system/nftables.service.j2 b/templates/lib/systemd/system/nftables.service.j2
index 87c51f5..5487cea 100644
--- a/templates/lib/systemd/system/nftables.service.j2
+++ b/templates/lib/systemd/system/nftables.service.j2
@@ -12,15 +12,9 @@ StandardInput=null
 ProtectSystem=full
 ProtectHome=true
 {% endif %}
-{% if nft__fail2ban_service %}
-ExecStart={{ nft__bin_location }} -f {{ nft_main_conf_path }} ; /bin/systemctl restart fail2ban.service
-ExecReload={{ nft__bin_location }} -f {{ nft_main_conf_path }} ; /bin/systemctl restart fail2ban.service
-ExecStop=/bin/systemctl stop fail2ban.service ; {{ nft__bin_location }} flush ruleset
-{% else %}
 ExecStart={{ nft__bin_location }} -f {{ nft_main_conf_path }}
 ExecReload={{ nft__bin_location }} -f {{ nft_main_conf_path }}
 ExecStop={{ nft__bin_location }} flush ruleset
-{% endif %}

 [Install]
 WantedBy=multi-user.target
From ac61739f91ed723c13d073f065fd80d4ea10191c Mon Sep 17 00:00:00 2001
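Review bot: `PartOf=nftables.service` propagates only stop and restart to fail2ban, never reload, while the nftables unit's `ExecReload` re-runs `nft -f` on the main conf; if that ruleset file starts with `flush ruleset` (not visible here), the `systemctl reload nftables` that the README says later runs prefer removes fail2ban's own tables and sets, and fail2ban keeps running with no bans enforced until someone restarts it by hand. That gap is invisible from the service status, so it is worth recording in the drop-in itself, e.g. `# PartOf= covers stop/restart of nftables only; a reload of nftables does not recreate fail2ban's tables`, or worth closing by restarting fail2ban on the reload path as well. Note also that `WantedBy=nftables.service` in a drop-in only takes effect at the next `systemctl enable fail2ban`, so hosts where fail2ban was enabled before this file existed do not gain the extra Wants link until the unit is re-enabled.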
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Fri, 30 Jul 2021 09:39:45 +0200
Subject: [PATCH 03/10] Automatically add overrides for fail2ban unit
---
 README.md | 1 -
 defaults/main.yml | 12 ------------
 tasks/main.yml | 2 --
 3 files changed, 15 deletions(-)
diff --git a/README.md b/README.md
index 677987c..71b5e4e 100644
--- a/README.md
+++ b/README.md
@@ -79,7 +79,6 @@ complexify his philosophy… (I'm pretty sure, i now did complexify it :D) ^^
 * **nft_service_name** : `nftables` service name [default : `nftables`].
 * **nft_service_enabled** : Set `nftables` service available at startup [default : `true`].
 * **nft__service_protect** : If systemd unit should protect system and home [default : `true`].
-* **nft__fail2ban_service** : If the Nftables service should also restart the Fail2ban service [default : `False`].
 * **nft_merged_groups** : If variables from the hosts Ansible groups should be merged [default : `false`].
 * **nft_merged_groups_dir** : The dictionary where the nftables group rules, named like the Ansible groups, are located in [default : `vars/`].
 * **nft_debug** : Toggle more verbose output on/off. [default: 'false'].
diff --git a/defaults/main.yml b/defaults/main.yml
index 7ba5bc4..d721746 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -573,18 +573,6 @@ nft__fail2ban_service_unit_path: '/etc/systemd/system/fail2ban.service.d/overrid
 # Template used to provide systemd custom conf for Fail2Ban service.
 nft__fail2ban_service_unit_content: 'etc/systemd/system/fail2ban.service.d/override.conf.j2'
 # ]]]
-# .. envvar:: nft__fail2ban_service [[[
-#
-# If the Nftables systemd unit should also restart Fail2ban service. Possible
-# options are :
-#
-# ``False``
-# Default. Nftables service will not affect Fail2ban service.
-#
-# ``True``
-# Any Nftables service (re)start will also restart Fail2ban service.
-nft__fail2ban_service: False
- # ]]]
 #
 # .. envvar:: nft_debug [[[
 #
diff --git a/tasks/main.yml b/tasks/main.yml
index 0d260d7..02826e1 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -196,7 +196,6 @@
 when:
 - nft_enabled|bool
 - nft_service_manage|bool
- - nft__fail2ban_service|bool

 - name: Install Debian Fail2Ban custom service
 template:
@@ -209,5 +208,4 @@
 when:
 - nft_enabled|bool
 - nft_service_manage|bool
- - nft__fail2ban_service|bool
 notify: ['Restart nftables service']
From abdc15191b279af32cc086d1af3764c1a180cefb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Fri, 30 Jul 2021 11:04:37 +0200
Subject: [PATCH 04/10] Add infos about Fail2ban integration
---
 README.md | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/README.md b/README.md
index 71b5e4e..454af6a 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,7 @@
 * [With playbooks](#with-playbooks)
 * [With group_vars and host_vars](#with-group_vars-and-host_vars)
 1. [Configuration](#configuration)
+ * [Fail2ban integration](#fail2ban-integration)
 1. [Development](#development)
 1. [License](#license)
 1. [Author Information](#author-information)
@@ -569,6 +570,15 @@ This role will :
 * Reload `nftables` service at next runs to avoid to let the host without
 firewall rules due to invalid syntax.

+### Fail2ban integration
+
+Before Debian Bullseye, systemd unit for Fail2ban doesn't come with a decent
+integration with Nftables.
+So this role will create override file for `fail2ban` unit, even if it's not
+(yet) available on the host, in order to :
+* Start `fail2ban` unit after `nftables`.
+* Restart `fail2ban` unit when `nftables` unit restart.
+
 ## Development

 This source code comes from our [Gitea instance][nftables source] and the
From a34e5441a92d4f0526c9eeb3468aa296f874206e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Fri, 30 Jul 2021 11:15:34 +0200
Subject: [PATCH 05/10] Start nftables systemd unit earlier
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Source: nftables 0.9.8-3.1 from Debian Bullseye
Thanks to @kravietz − PR #19
---
 CHANGELOG.md | 1 +
 templates/lib/systemd/system/nftables.service.j2 | 7 +++++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9acf63a..942a4ef 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,7 @@

 ### Fixed
 * Ansible-lint: Fix line longer than 160 chars.
+* Start nftables systemd unit earlier (thanks to @kravietz − PR #19).

 ## v1.7.0

diff --git a/templates/lib/systemd/system/nftables.service.j2 b/templates/lib/systemd/system/nftables.service.j2
index 5487cea..433da76 100644
--- a/templates/lib/systemd/system/nftables.service.j2
+++ b/templates/lib/systemd/system/nftables.service.j2
@@ -2,7 +2,10 @@
 [Unit]
 Description={{ nft_service_name }}
 Documentation=man:nft(8) http://wiki.nftables.org
-;Before=fail2ban.service
+Wants=network-pre.target
+Before=network-pre.target shutdown.target
+Conflicts=shutdown.target
+DefaultDependencies=no

 [Service]
 Type=oneshot
@@ -17,4 +20,4 @@ ExecReload={{ nft__bin_location }} -f {{ nft_main_conf_path }}
 ExecStop={{ nft__bin_location }} flush ruleset

 [Install]
-WantedBy=multi-user.target
+WantedBy=sysinit.target
From 477f4f722c1d199b3af946c7cdbf4ae891472b74 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Fri, 30 Jul 2021 12:20:27 +0200
Subject: [PATCH 06/10] Ensure to disable nftables unit from old target
---
 CHANGELOG.md | 1 +
 handlers/main.yml | 3 ++-
 tasks/main.yml | 13 +++++++++++--
 3 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 942a4ef..84d189e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
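Review bot: With `DefaultDependencies=no` the unit loses the implicit `After=sysinit.target` ordering and therefore any guarantee that local filesystems are mounted, so `nft -f {{ nft_main_conf_path }}` can run before a separately mounted filesystem holding the conf or its include directory (`/etc/nftables.d/` per the molecule tests) is available, and the boot then proceeds to `network-pre.target` with no ruleset loaded. Debian's unit, which the commit message names as the source, accepts that because its conf lives on the root filesystem; since this role makes the path a variable, adding `RequiresMountsFor={{ nft_main_conf_path }}` under `[Unit]` is cheap and harmless on the root filesystem and covers the other case. A one-line comment above `DefaultDependencies=no`, `; as in Debian's nftables.service: rules must be in place before network-pre.target, so the default sysinit ordering is disabled`, would record why the defaults are turned off.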
@@ -18,6 +18,7 @@
 ### Fixed
 * Ansible-lint: Fix line longer than 160 chars.
 * Start nftables systemd unit earlier (thanks to @kravietz − PR #19).
+* Ensure to disable nftables systemd unit from old target.

 ## v1.7.0

diff --git a/handlers/main.yml b/handlers/main.yml
index bfebe7b..6d6e9cb 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -5,7 +5,8 @@
 - name: Restart nftables service
 systemd:
 daemon_reload: '{{ (nftables__register_systemd_service.changed | default(False)) or
- (nftables__register_fail2ban_service.changed | default(False)) }}'
+ (nftables__register_fail2ban_service.changed | default(False)) or
+ (nftables__register_fix_systemd_target.changed | default(False)) }}'
 state: 'restarted'
 name: '{{ nft_service_name }}'
 enabled: '{{ nft_service_enabled }}'
diff --git a/tasks/main.yml b/tasks/main.yml
index 02826e1..f7b7fe9 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -174,8 +174,8 @@
 when: (nft_enabled|bool and
 nft__nat_table_manage|bool)

-# Manage service [[[1
-- name: Install Debian systemd service unit
+# Manage nftables service [[[1
+- name: Install nftables Debian systemd service unit
 template:
 src: '{{ nft_service_unit_content }}'
 dest: '{{ nft_service_unit_path }}'
@@ -187,6 +187,15 @@
 nft_service_manage|bool)
 notify: ['Restart nftables service']

+- name: Ensure to remove nftables systemd service from old target
+ file:
+ path: '/etc/systemd/system/multi-user.target.wants/nftables.service'
+ state: absent
+ register: nftables__register_fix_systemd_target
+ when: (nft_enabled|bool and
+ nft_service_manage|bool)
+ notify: ['Restart nftables service']
+
 # Manage custom fail2ban service [[[1
 - name: Create Fail2Ban custom directory for systemd service
 file:
From 1a5e044ebb6ae10e779ea49ead3ea1508962c271 Mon Sep 17 00:00:00 2001
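Review bot: The new `Ensure to remove nftables systemd service from old target` task hard-codes `multi-user.target.wants/nftables.service` while the handler in the same patch enables `{{ nft_service_name }}`, so a host with a renamed service keeps its stale link. It also removes the link unconditionally: on a host whose custom `nft_service_unit_content` still declares `WantedBy=multi-user.target`, the handler's `enabled:` recreates the link, this task deletes it on the next run and notifies the handler again, and every play ends in a full nftables restart with the ruleset-flush window that implies. Deriving the path from the variable, `path: "/etc/systemd/system/multi-user.target.wants/{{ nft_service_name }}.service"` (assuming `nft_service_name` carries no suffix, as the README default `nftables` suggests), or replacing the task by disabling and re-enabling the unit whenever the unit file changed, would cover both cases. A comment above the task, `# WantedBy= moved from multi-user.target to sysinit.target; systemctl enable does not remove the link left by the old [Install] section`, would explain why a symlink is deleted by hand.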
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Fri, 30 Jul 2021 13:05:34 +0200
Subject: [PATCH 07/10] Move systemd "Protect" options to override file
Rebase after Gentoo related commits
---
 CHANGELOG.md | 1 +
 defaults/main.yml | 10 ++++++++
 handlers/main.yml | 3 ++-
 tasks/main.yml | 25 +++++++++++++++++++
 .../nftables.service.d/override.conf.j2 | 7 ++++++
 .../lib/systemd/system/nftables.service.j2 | 2 --
 6 files changed, 45 insertions(+), 3 deletions(-)
 create mode 100644 templates/etc/systemd/system/nftables.service.d/override.conf.j2
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 84d189e..5300aa4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@
 * Ansible-lint: Fix line longer than 160 chars.
 * Start nftables systemd unit earlier (thanks to @kravietz − PR #19).
 * Ensure to disable nftables systemd unit from old target.
+* Move systemd "Protect" options for nftables to specific override.conf file.

 ## v1.7.0

diff --git a/defaults/main.yml b/defaults/main.yml
index d721746..9891ebc 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -551,6 +551,16 @@ nft_service_unit_path: '/lib/systemd/system/nftables.service'
 # Template used to provide systemd unit for Nftables service.
 nft_service_unit_content: 'lib/systemd/system/nftables.service.j2'
 # ]]]
+# .. envvar:: nft__service_override_path [[[
+#
+# Path to store Nftables custom conf.
+nft__service_override_path: '/etc/systemd/system/nftables.service.d/override.conf'
+ # ]]]
+# .. envvar:: nft__service_override_content [[[
+#
+# Template used to provide systemd custom conf for Nftables service.
+nft__service_override_content: 'etc/systemd/system/nftables.service.d/override.conf.j2'
+ # ]]]
 # .. envvar:: nft__service_protect [[[
 #
 # If the systemd unit should have the Protect directives ? Possible options :
diff --git a/handlers/main.yml b/handlers/main.yml
index 6d6e9cb..764dbae 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -6,7 +6,8 @@
 systemd:
 daemon_reload: '{{ (nftables__register_systemd_service.changed | default(False)) or
 (nftables__register_fail2ban_service.changed | default(False)) or
- (nftables__register_fix_systemd_target.changed | default(False)) }}'
+ (nftables__register_fix_systemd_target.changed | default(False)) or
+ (nftables__register_systemd_custom.changed | default(False)) }}'
 state: 'restarted'
 name: '{{ nft_service_name }}'
 enabled: '{{ nft_service_enabled }}'
diff --git a/tasks/main.yml b/tasks/main.yml
index f7b7fe9..0d06dd9 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -196,6 +196,31 @@
 nft_service_manage|bool)
 notify: ['Restart nftables service']

+# Manage custom nftables service [[[1
+- name: Create Nftables custom directory for systemd service
+ file:
+ path: "{{ nft__service_override_path | dirname }}"
+ state: directory
+ recurse: yes
+ when:
+ - nft_enabled|bool
+ - nft_service_manage|bool
+ - not nft__service_protect|bool
+
+- name: Add Nftables systemd custom configuration
+ template:
+ src: '{{ nft__service_override_content }}'
+ dest: '{{ nft__service_override_path }}'
+ owner: 'root'
+ group: 'root'
+ mode: '0644'
+ register: nftables__register_systemd_custom
+ when:
+ - nft_enabled|bool
+ - nft_service_manage|bool
+ - not nft__service_protect|bool
+ notify: ['Restart nftables service']
+
 # Manage custom fail2ban service [[[1
 - name: Create Fail2Ban custom directory for systemd service
 file:
diff --git a/templates/etc/systemd/system/nftables.service.d/override.conf.j2 b/templates/etc/systemd/system/nftables.service.d/override.conf.j2
new file mode 100644
index 0000000..0ee48c1
--- /dev/null
+++ b/templates/etc/systemd/system/nftables.service.d/override.conf.j2
@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+[Service]
+{% if not nft__service_protect %}
+ProtectSystem=no
+ProtectHome=no
+{% endif %}
diff --git a/templates/lib/systemd/system/nftables.service.j2 b/templates/lib/systemd/system/nftables.service.j2
index 433da76..7909452 100644
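Review bot: The `Add Nftables systemd custom configuration` task only runs while `nft__service_protect` is false, so once a host has been configured with protection off and the variable is later set back to `true`, the drop-in containing `ProtectSystem=no` / `ProtectHome=no` stays at `{{ nft__service_override_path }}` and keeps overriding the `ProtectSystem=full` / `ProtectHome=true` that the base unit now carries unconditionally (next hunk); the hardening is silently not restored. The template already guards its body with `{% if not nft__service_protect %}`, so dropping `- not nft__service_protect|bool` from both tasks' `when:` lists would render an empty `[Service]` section and let the base unit's directives apply again; alternatively add a `file:` task with `state: absent` on the override path, conditioned on `nft__service_protect|bool`. Whichever is chosen, the directory task should run on the same condition so the two stay in step. A comment above the first task, `# the drop-in relaxes ProtectSystem/ProtectHome; it must be rewritten or removed when protection is re-enabled`, would flag the trap for the next maintainer.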
--- a/templates/lib/systemd/system/nftables.service.j2
+++ b/templates/lib/systemd/system/nftables.service.j2
@@ -11,10 +11,8 @@ DefaultDependencies=no
 Type=oneshot
 RemainAfterExit=yes
 StandardInput=null
-{% if nft__service_protect %}
 ProtectSystem=full
 ProtectHome=true
-{% endif %}
 ExecStart={{ nft__bin_location }} -f {{ nft_main_conf_path }}
 ExecReload={{ nft__bin_location }} -f {{ nft_main_conf_path }}
 ExecStop={{ nft__bin_location }} flush ruleset
From 34c2668912e16e2d4eec25e606b7704bbd5f681a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Sat, 31 Jul 2021 11:39:28 +0200
Subject: [PATCH 08/10] Fix systemd directories permissions
---
 tasks/main.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tasks/main.yml b/tasks/main.yml
index 0d06dd9..eb225a6 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -201,6 +201,7 @@
 file:
 path: "{{ nft__service_override_path | dirname }}"
 state: directory
+ mode: '0755'
 recurse: yes
 when:
 - nft_enabled|bool
@@ -226,6 +227,7 @@
 file:
 path: "{{ nft__fail2ban_service_unit_path | dirname }}"
 state: directory
+ mode: '0755'
 recurse: yes
 when:
 - nft_enabled|bool
From 68c5d4e9f74fb93c89601333376d579a83a67795 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Wed, 18 Aug 2021 13:11:43 +0200
Subject: [PATCH 09/10] Remove recurse on fail2ban custom directory
Molecule idempotence test
---
 tasks/main.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index eb225a6..7f00a04 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -202,7 +202,6 @@
 path: "{{ nft__service_override_path | dirname }}"
 state: directory
 mode: '0755'
- recurse: yes
 when:
 - nft_enabled|bool
 - nft_service_manage|bool
@@ -228,7 +227,6 @@
 path: "{{ nft__fail2ban_service_unit_path | dirname }}"
 state: directory
 mode: '0755'
- recurse: yes
 when:
 - nft_enabled|bool
 - nft_service_manage|bool
From 4267dd455e7375bec04dce64dfd0786a4f0f063b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Thu, 19 Aug 2021 13:56:26 +0200
Subject: [PATCH 10/10] Add Molecule tests for systemd unit
---
 molecule/archlinux/verify.yml | 22 +++++++++++++++++++++-
 molecule/default/verify.yml | 22 +++++++++++++++++++++-
 2 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/molecule/archlinux/verify.yml b/molecule/archlinux/verify.yml
index 3ac7ebe..8eb5316 100644
--- a/molecule/archlinux/verify.yml
+++ b/molecule/archlinux/verify.yml
@@ -26,7 +26,7 @@
 that:
 - p.stat.exists

- - name: check for nftables.conf
+ - name: check for filter-input.nft
 stat:
 path: /etc/nftables.d/filter-input.nft
 register: p
@@ -53,6 +53,26 @@
 - '"type filter hook input" in nft.stdout'
 - '"type filter hook output" in nft.stdout'

+ - name: check for fail2ban systemd custom dir
+ stat:
+ path: /etc/systemd/system/fail2ban.service.d
+ register: f2b_systemd_dir
+
+ - name: check fail2ban systemd custom dir
+ assert:
+ that:
+ - f2b_systemd_dir.stat.exists and f2b_systemd_dir.stat.isdir
+
+ - name: check for fail2ban systemd override
+ stat:
+ path: /etc/systemd/system/fail2ban.service.d/override.conf
+ register: f2b_systemd_override
+
+ - name: check fail2ban systemd override
+ assert:
+ that:
+ - f2b_systemd_override.stat.exists
+
 - name: service status - active
 command: systemctl is-active nftables.service
 register: status
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index 3ac7ebe..8eb5316 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -26,7 +26,7 @@
 that:
 - p.stat.exists

- - name: check for nftables.conf
+ - name: check for filter-input.nft
 stat:
 path: /etc/nftables.d/filter-input.nft
 register: p
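Review bot: The new checks in `molecule/archlinux/verify.yml` (and the identical ones in `molecule/default/verify.yml` on the next hunk) only assert that the fail2ban drop-in and its directory exist, so a wrong mode or a mis-rendered template still passes; adding `- f2b_systemd_override.stat.mode == '0644'` and `- f2b_systemd_dir.stat.mode == '0755'` to the two asserts would pin what patches 08 and 09 settled on. The systemd-ordering work of patches 05 and 06 has no test at all: a `stat` on `/etc/systemd/system/sysinit.target.wants/nftables.service` asserted present, and one on `/etc/systemd/system/multi-user.target.wants/nftables.service` asserted absent, would catch a regression in either. The nftables override from patch 07 is not written with the default `nft__service_protect: true`, so it would need a scenario that sets the variable to be covered.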
@@ -53,6 +53,26 @@
 - '"type filter hook input" in nft.stdout'
 - '"type filter hook output" in nft.stdout'

+ - name: check for fail2ban systemd custom dir
+ stat:
+ path: /etc/systemd/system/fail2ban.service.d
+ register: f2b_systemd_dir
+
+ - name: check fail2ban systemd custom dir
+ assert:
+ that:
+ - f2b_systemd_dir.stat.exists and f2b_systemd_dir.stat.isdir
+
+ - name: check for fail2ban systemd override
+ stat:
+ path: /etc/systemd/system/fail2ban.service.d/override.conf
+ register: f2b_systemd_override
+
+ - name: check fail2ban systemd override
+ assert:
+ that:
+ - f2b_systemd_override.stat.exists
+
 - name: service status - active
 command: systemctl is-active nftables.service
 register: status