Update SWAG, fail2ban (IPSec rules), rename bitwarden to vaultwarden

group_vars/all/vars.yml

@@ -113,6 +113,8 @@ security_autoupdate_mail_to: "{{ email }}"
 
 security_autoupdate_mail_on_error: true
 
+security_fail2ban_enabled: false
+
 #
 # Enable/disable individual Docker containers
 #
@@ -141,10 +143,6 @@ enable_sonarr: true
 
 enable_radarr: true
 
-enable_lidarr: false
-
-enable_readarr: false
-
 enable_openbooks: true
 
 
@@ -154,14 +152,10 @@ enable_jackett: true
 
 enable_nextcloud: true
 
-enable_bitwarden: true
-
-enable_youtransfer: false
+enable_vaultwarden: true
 
 enable_swag: true
 
-enable_swag-internal: true
-
 # DDNS
 
 enable_duckdns: false

roles/containers/services/vaultwarden/defaults/main.yml

@@ -0,0 +1,10 @@
+---
+container_name: vaultwarden
+
+dashboard_url: "https://{{ subdomains['vaultwarden'] }}.{{ host }}"
+
+homer_category: services
+
+dashboard_name: Vaultwarden
+
+health_url: "http://{{ ansible_default_ipv4.address }}:3000/https://{{ subdomains['vaultwarden'] }}.{{ host }}"

roles/containers/services/bitwarden/tasks/main.yml → roles/containers/services/vaultwarden/tasks/main.yml

@@ -2,7 +2,7 @@
 
 - name: Make sure the Vaultwarden container is created and running
   docker_container:
-    name: 'bitwarden'
+    name: 'vaultwarden'
     image: "vaultwarden/server"
     pull: true
     state: 'started'
@@ -27,6 +27,6 @@
   docker_network:
     name: swag_network
     connected:
-      - bitwarden
+      - vaultwarden
     appends: yes
   when: enable_swag

roles/network/ikev2/tasks/main.yml

@@ -23,6 +23,10 @@
       VPNUSERNAME:  "{{ username }}"
       VPNPASSWORD:  "{{ vpn_password }}"
       EXCLUDE_SSIDS: "{{ ikev2_excludedssids }}"
+    mounts:
+      - source: "{{ docker_dir }}/{{ container_name }}/log/charon.log"
+        target: "/var/log/charon.log"
+        type: bind
     volumes:
       - "{{ docker_dir }}/{{ container_name }}/config:/config"
       - "{{ docker_dir }}/{{ container_name }}/letsencrypt:/etc/letsencrypt"

roles/network/swag/tasks/check_status.yml

@@ -15,4 +15,4 @@
 - name: Are containers running?
   set_fact:
     running: yes
-  when: swag_docker_status.results[0].container['State']['Running'] and swag_docker_status.results[1].container['State']['Running']
+  when: existing is defined and swag_docker_status.results[0].container['State']['Running'] and swag_docker_status.results[1].container['State']['Running']

roles/network/swag/tasks/docker.yml

@@ -60,7 +60,7 @@
     ports:
       - "443:443"
     volumes:
-      - "{{ docker_dir }}/swag/external/proxy-confs:/config/nginx/proxy-confs"
+      - "{{ docker_dir }}/swag/public/proxy-confs:/config/nginx/proxy-confs"
       - "{{ docker_dir }}/swag/dns-conf:/config/dns-conf"
       - "{{ docker_dir }}/swag/letsencrypt:/config/etc/letsencrypt"
     restart_policy: unless-stopped

roles/network/swag/templates/public/bitwarden.subdomain.conf.j2 → roles/network/swag/templates/public/vaultwarden.subdomain.conf.j2

@@ -2,7 +2,7 @@ server {
     listen 443 ssl;
     listen [::]:443 ssl;
 
-    server_name {{ swag_urls['bitwarden'] }};
+    server_name {{ swag_urls['vaultwarden'] }};
 
 
     {% include "nginx/params.j2" %}
@@ -14,7 +14,7 @@ server {
         {% include "nginx/cors.j2" %}
         include /config/nginx/proxy.conf;
         include /config/nginx/resolver.conf;
-        set $upstream_app bitwarden;
+        set $upstream_app vaultwarden;
         set $upstream_port 80;
         set $upstream_proto http;
         proxy_pass $upstream_proto://$upstream_app:$upstream_port;
@@ -24,7 +24,7 @@ server {
     location /admin {
         include /config/nginx/proxy.conf;
         include /config/nginx/resolver.conf;
-        set $upstream_app bitwarden;
+        set $upstream_app vaultwarden;
         set $upstream_port 80;
         set $upstream_proto http;
         proxy_pass $upstream_proto://$upstream_app:$upstream_port;
@@ -34,7 +34,7 @@ server {
     location /notifications/hub {
         include /config/nginx/proxy.conf;
         include /config/nginx/resolver.conf;
-        set $upstream_app bitwarden;
+        set $upstream_app vaultwarden;
         set $upstream_port 3012;
         set $upstream_proto http;
         proxy_pass $upstream_proto://$upstream_app:$upstream_port;
@@ -44,7 +44,7 @@ server {
     location /notifications/hub/negotiate {
         include /config/nginx/proxy.conf;
         include /config/nginx/resolver.conf;
-        set $upstream_app bitwarden;
+        set $upstream_app vaultwarden;
         set $upstream_port 80;
         set $upstream_proto http;
         proxy_pass $upstream_proto://$upstream_app:$upstream_port;

roles/security/fail2ban/files/filter.d/ikev2.conf

@@ -0,0 +1,11 @@
+[Init]
+maxlines = 8
+
+[Definition]
+failregex = ^.*N\(AUTH_FAILED\).*\n.*to <HOST>
+	        ^.*\'certificate unknown\'.*\n.*\n.*to <HOST> 
+	        ^.*no peer config found\n.*\n.*sending packet.*to <HOST>
+            ^.*no peer config found\n.*\n.*\n.*\n.*\n.* sending packet.*to <HOST>
+            ^.*no IKE config found for.*\.\.\.<HOST>
+            ^.*verification failed, retry.*\n.*received packet: from <HOST>\[.*\].*
+ignoreregex =

roles/security/fail2ban/tasks/main.yml

@@ -17,12 +17,14 @@
     group: "{{ username }}"
   with_fileglob: 
     - "files/filter.d/*.conf"
+  when: lookup('vars', 'enable_' + (item | basename).split('.')[0].split('-')[0]) | default(False)
   register: copied_rules
 
 - name: Create a list of rule files that were deployed
   set_fact:
     installed_configs: "{{ installed_configs | default([]) + [ item.dest.split('/')[-1].split('.')[0] ] }}" 
   with_items: "{{ copied_rules.results }}"
+  when: item.skipped is not defined
 
 - name: Install the jail.local file
   template:
@@ -34,20 +36,21 @@
     src: "paths-overrides.local.j2"
     dest: "/etc/fail2ban/paths-overrides.local"
 
-
 - name: Put the cloudflare token into the configuration file
   lineinfile:
     regex: "^cftoken ="
     line: "cftoken = {{ cloudflare_firewall_token }}"
     path: "/etc/fail2ban/action.d/cloudflare.conf"
+  when: enable_cloudflare | default(False)
 
 - name: Put the cloudflare email into the configuration file
   lineinfile:
     regex: "^cfuser ="
     line: "cfuser = {{ email }}"
     path: "/etc/fail2ban/action.d/cloudflare.conf"
+  when: enable_cloudflare | default(False)
 
 - name: Restart fail2ban
   service:
     name: fail2ban
-    state: restarted
+    state: restarted

roles/security/fail2ban/templates/jail.local.j2

@@ -21,3 +21,11 @@ port     = http,https
 filter   = {{ name }}
 logpath  = %({{ name }}_log)s
 {% endfor %}
+
+{% if "vaultwarden" in installed_configs %}
+[vaultwarden-admin]
+enabled  = true
+port     = http,https
+filter   = vaultwarden-admin
+logpath  = %(vaultwarden-admin_log)s
+{% endif %}

roles/security/fail2ban/templates/paths-overrides.local.j2

@@ -2,3 +2,4 @@
 nextcloud_log = {{ docker_dir }}/nextcloud/data/nextcloud.log
 vaultwarden_log = {{ docker_dir }}/vaultwarden/vaultwarden.log
 vaultwarden-admin_log = {{ docker_dir }}/vaultwarden/vaultwarden.log
+ikev2_log = {{ docker_dir }}/ikev2/log/charon.log

run.yml

@@ -22,6 +22,10 @@
       tags: 
         - docker
 
+    - role: security/fail2ban
+      tags:
+      - fail2ban
+
     - role: chriswayg.msmtp-mailer
       tags: 
         - msmtp
@@ -81,10 +85,6 @@
 
   roles:
 
-    - role: security/fail2ban
-      tags:
-      - fail2ban
-
     #
     # Filesystems
     #
@@ -222,11 +222,11 @@
         - containers
       when: enable_nextcloud | default(False)
 
-    - role: containers/services/bitwarden
+    - role: containers/services/vaultwarden
       tags:
-        - bitwarden
+        - vaultwarden
         - containers
-      when: enable_bitwarden | default(False)
+      when: enable_vaultwarden | default(False)
 
     #
     # Home automation