GitHub Actions - Thu Jan 9 15:50:29 UTC 2025

Author: ce-dev

2.x/index.xml

@@ -40,7 +40,7 @@
       <link>https://codeenigma.github.io/ce-provision-docs/2.x/roles/_init/</link>
       <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
       <guid>https://codeenigma.github.io/ce-provision-docs/2.x/roles/_init/</guid>
-      <description>Init role This is meant to ALWAYS be included as the first task of a play. If you include this role, as you will in the vast majority of cases, be sure to also include the _exit role as the last task of the play.&#xA;Default variables --- # Set this variable to true to tell ce-provision it is running in a container. is_local: false _ce_provision_username: &amp;#34;{% if is_local %}ce-dev{% else %}controller{% endif %}&amp;#34; _venv_path: &amp;#34;/home/{{ _ce_provision_username }}/ce-python&amp;#34; _venv_command: /usr/bin/python3 -m venv _venv_install_username: &amp;#34;{{ _ce_provision_username }}&amp;#34; _ce_ansible_timer_name: upgrade_ansible # AWS variables - if you are using an AWS account, you can preset certain variables # Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all #_aws_profile: example # boto profile name #_aws_region: eu-west-1 _init: # A list of var directories to include.</description>
+      <description>Init role This is meant to ALWAYS be included as the first task of a play. If you include this role, as you will in the vast majority of cases, be sure to also include the _exit role as the last task of the play.&#xA;Default variables --- # Set this variable to true to tell ce-provision it is running in a container. is_local: false _ce_provision_username: &amp;#34;{% if is_local %}ce-dev{% else %}controller{% endif %}&amp;#34; _venv_path: &amp;#34;/home/{{ _ce_provision_username }}/ce-python&amp;#34; _venv_command: /usr/bin/python3 -m venv _venv_install_username: &amp;#34;{{ _ce_provision_username }}&amp;#34; _ce_ansible_timer_name: upgrade_ansible # AWS variables - if you are using an AWS account, you can preset certain variables # Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all #_aws_profile: example # boto profile name #_aws_region: eu-west-1 # AWS tags _aws_resource_name: &amp;#34;&amp;#34; # Name # _profile: web_server # Profile # _env_type: dev # Env # _infra_name: acme # Infra _init: # A list of var directories to include.</description>
     </item>
     <item>
       <title></title>

2.x/roles/_init/index.html

@@ -28,6 +28,12 @@ <h2 id="default-variables">Default variables</h2>
 </span></span><span style="display:flex;"><span><span style="color:#75715e">#_aws_profile: example # boto profile name</span>
 </span></span><span style="display:flex;"><span><span style="color:#75715e">#_aws_region: eu-west-1</span>
 </span></span><span style="display:flex;"><span>
+</span></span><span style="display:flex;"><span><span style="color:#75715e"># AWS tags</span>
+</span></span><span style="display:flex;"><span><span style="color:#f92672">_aws_resource_name</span>: <span style="color:#e6db74">&#34;&#34;</span> <span style="color:#75715e"># Name</span>
+</span></span><span style="display:flex;"><span><span style="color:#75715e"># _profile: web_server # Profile</span>
+</span></span><span style="display:flex;"><span><span style="color:#75715e"># _env_type: dev # Env</span>
+</span></span><span style="display:flex;"><span><span style="color:#75715e"># _infra_name: acme # Infra</span>
+</span></span><span style="display:flex;"><span>
 </span></span><span style="display:flex;"><span><span style="color:#f92672">_init</span>:
 </span></span><span style="display:flex;"><span>  <span style="color:#75715e"># A list of var directories to include. We only support .yml extensions.</span>
 </span></span><span style="display:flex;"><span>  <span style="color:#75715e"># This is used to detect if the playbook must re-run or not.</span>

2.x/roles/debian/firewall_config/index.html

@@ -56,6 +56,7 @@ <h2 id="default-variables">Default variables</h2>
 </span></span><span style="display:flex;"><span>  <span style="color:#f92672">rulesets</span>:
 </span></span><span style="display:flex;"><span>    - <span style="color:#ae81ff">ssh_open</span>
 </span></span><span style="display:flex;"><span>    - <span style="color:#ae81ff">web_open</span>
+</span></span><span style="display:flex;"><span>    - <span style="color:#ae81ff">common_network</span> <span style="color:#75715e"># rule always needs to be last so the DROP rules in the OUTPUT chain get applied at the end</span>
 </span></span><span style="display:flex;"><span>
 </span></span><span style="display:flex;"><span>  <span style="color:#75715e"># Ruleset definitions</span>
 </span></span><span style="display:flex;"><span>  <span style="color:#75715e"># Permitted rule lists</span>
@@ -86,6 +87,29 @@ <h2 id="default-variables">Default variables</h2>
 </span></span><span style="display:flex;"><span>  <span style="color:#f92672">letsencrypt</span>:
 </span></span><span style="display:flex;"><span>    <span style="color:#f92672">firewall_allowed_tcp_ports</span>:
 </span></span><span style="display:flex;"><span>      - <span style="color:#e6db74">&#34;80&#34;</span>
+</span></span><span style="display:flex;"><span>  <span style="color:#75715e"># Standard ports for Prometheus outbound rules to allow scraping of exporters</span>
+</span></span><span style="display:flex;"><span>  <span style="color:#f92672">prometheus_server_scraping</span>:
+</span></span><span style="display:flex;"><span>    <span style="color:#f92672">firewall_additional_rules</span>:
+</span></span><span style="display:flex;"><span>      - <span style="color:#e6db74">&#34;iptables -A OUTPUT -p tcp --dport 9100 -j ACCEPT&#34;</span> <span style="color:#75715e"># allow scraping node exporter</span>
+</span></span><span style="display:flex;"><span>      - <span style="color:#e6db74">&#34;iptables -A OUTPUT -p tcp --dport 9101 -j ACCEPT&#34;</span> <span style="color:#75715e"># allow scraping process exporter</span>
+</span></span><span style="display:flex;"><span>      - <span style="color:#e6db74">&#34;iptables -A OUTPUT -p tcp --dport 9093 -j ACCEPT&#34;</span> <span style="color:#75715e"># allow posting to alertmanager</span>
+</span></span><span style="display:flex;"><span>      - <span style="color:#e6db74">&#34;iptables -A OUTPUT -p tcp --dport 9115 -j ACCEPT&#34;</span> <span style="color:#75715e"># allow scraping blackbox exporter</span>
+</span></span><span style="display:flex;"><span>  <span style="color:#75715e"># Commonly required outbound ports for PHP web servers</span>
+</span></span><span style="display:flex;"><span>  <span style="color:#f92672">common_web</span>:
+</span></span><span style="display:flex;"><span>    <span style="color:#f92672">firewall_additional_rules</span>:
+</span></span><span style="display:flex;"><span>      - <span style="color:#e6db74">&#34;iptables -A OUTPUT -p tcp --dport 2049 -j ACCEPT&#34;</span> <span style="color:#75715e"># allow NFS</span>
+</span></span><span style="display:flex;"><span>      - <span style="color:#e6db74">&#34;iptables -A OUTPUT -p udp --dport 2049 -j ACCEPT&#34;</span> <span style="color:#75715e"># allow NFS</span>
+</span></span><span style="display:flex;"><span>      - <span style="color:#e6db74">&#34;iptables -A OUTPUT -p tcp --dport 3306 -j ACCEPT&#34;</span> <span style="color:#75715e"># allow MySQL</span>
+</span></span><span style="display:flex;"><span>  <span style="color:#75715e"># Recommended general firewall settings</span>
+</span></span><span style="display:flex;"><span>  <span style="color:#f92672">common_network</span>:
+</span></span><span style="display:flex;"><span>    <span style="color:#f92672">firewall_additional_rules</span>:
+</span></span><span style="display:flex;"><span>      - <span style="color:#e6db74">&#34;iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT&#34;</span> <span style="color:#75715e"># ICMP ping in</span>
+</span></span><span style="display:flex;"><span>      - <span style="color:#e6db74">&#34;iptables -A INPUT -p icmp --icmp-type 128 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT&#34;</span> <span style="color:#75715e"># ICMP ping in</span>
+</span></span><span style="display:flex;"><span>      - <span style="color:#e6db74">&#34;iptables -A OUTPUT -p icmp --icmp-type 0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT&#34;</span> <span style="color:#75715e"># ICMP ping out</span>
+</span></span><span style="display:flex;"><span>      - <span style="color:#e6db74">&#34;iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT&#34;</span> <span style="color:#75715e"># established connections out</span>
+</span></span><span style="display:flex;"><span>      - <span style="color:#e6db74">&#34;iptables -A OUTPUT -o lo -j ACCEPT&#34;</span> <span style="color:#75715e"># allow all local traffic</span>
+</span></span><span style="display:flex;"><span>      - <span style="color:#e6db74">&#34;iptables -A OUTPUT -p tcp --dport 1025:65535 -j DROP&#34;</span> <span style="color:#75715e"># block high port tcp traffic outbound</span>
+</span></span><span style="display:flex;"><span>      - <span style="color:#e6db74">&#34;iptables -A OUTPUT -p udp --dport 1025:65535 -j DROP&#34;</span> <span style="color:#75715e"># block high port udp traffic outbound</span>
 </span></span><span style="display:flex;"><span>  <span style="color:#f92672">ossec</span>:
 </span></span><span style="display:flex;"><span>    <span style="color:#f92672">firewall_allowed_udp_ports</span>:
 </span></span><span style="display:flex;"><span>      - <span style="color:#e6db74">&#34;1514&#34;</span>

2.x/roles/index.xml

@@ -12,7 +12,7 @@
       <link>https://codeenigma.github.io/ce-provision-docs/2.x/roles/_init/</link>
       <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
       <guid>https://codeenigma.github.io/ce-provision-docs/2.x/roles/_init/</guid>
-      <description>Init role This is meant to ALWAYS be included as the first task of a play. If you include this role, as you will in the vast majority of cases, be sure to also include the _exit role as the last task of the play.&#xA;Default variables --- # Set this variable to true to tell ce-provision it is running in a container. is_local: false _ce_provision_username: &amp;#34;{% if is_local %}ce-dev{% else %}controller{% endif %}&amp;#34; _venv_path: &amp;#34;/home/{{ _ce_provision_username }}/ce-python&amp;#34; _venv_command: /usr/bin/python3 -m venv _venv_install_username: &amp;#34;{{ _ce_provision_username }}&amp;#34; _ce_ansible_timer_name: upgrade_ansible # AWS variables - if you are using an AWS account, you can preset certain variables # Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all #_aws_profile: example # boto profile name #_aws_region: eu-west-1 _init: # A list of var directories to include.</description>
+      <description>Init role This is meant to ALWAYS be included as the first task of a play. If you include this role, as you will in the vast majority of cases, be sure to also include the _exit role as the last task of the play.&#xA;Default variables --- # Set this variable to true to tell ce-provision it is running in a container. is_local: false _ce_provision_username: &amp;#34;{% if is_local %}ce-dev{% else %}controller{% endif %}&amp;#34; _venv_path: &amp;#34;/home/{{ _ce_provision_username }}/ce-python&amp;#34; _venv_command: /usr/bin/python3 -m venv _venv_install_username: &amp;#34;{{ _ce_provision_username }}&amp;#34; _ce_ansible_timer_name: upgrade_ansible # AWS variables - if you are using an AWS account, you can preset certain variables # Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all #_aws_profile: example # boto profile name #_aws_region: eu-west-1 # AWS tags _aws_resource_name: &amp;#34;&amp;#34; # Name # _profile: web_server # Profile # _env_type: dev # Env # _infra_name: acme # Infra _init: # A list of var directories to include.</description>
     </item>
     <item>
       <title></title>