diff --git a/files/icons/bitwarden.png b/files/icons/vaultwarden.png similarity index 100% rename from files/icons/bitwarden.png rename to files/icons/vaultwarden.png diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 0c3163c7..eedcc57f 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -113,6 +113,8 @@ security_autoupdate_mail_to: "{{ email }}" security_autoupdate_mail_on_error: true +security_fail2ban_enabled: false + # # Enable/disable individual Docker containers # @@ -141,10 +143,6 @@ enable_sonarr: true enable_radarr: true -enable_lidarr: false - -enable_readarr: false - enable_openbooks: true @@ -154,14 +152,10 @@ enable_jackett: true enable_nextcloud: true -enable_bitwarden: true - -enable_youtransfer: false +enable_vaultwarden: true enable_swag: true -enable_swag-internal: true - # DDNS enable_duckdns: false diff --git a/roles/containers/services/bitwarden/defaults/main.yml b/roles/containers/services/bitwarden/defaults/main.yml deleted file mode 100644 index 919d30cc..00000000 --- a/roles/containers/services/bitwarden/defaults/main.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -container_name: vaultwarden - -dashboard_url: "https://{{ subdomains['bitwarden'] }}.{{ host }}" - -homer_category: services - -dashboard_name: Bitwarden - -health_url: "http://{{ ansible_default_ipv4.address }}:3000/https://{{ subdomains['bitwarden'] }}.{{ host }}" \ No newline at end of file diff --git a/roles/containers/services/vaultwarden/defaults/main.yml b/roles/containers/services/vaultwarden/defaults/main.yml new file mode 100644 index 00000000..bade94cb --- /dev/null +++ b/roles/containers/services/vaultwarden/defaults/main.yml 
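Review bot: `security_fail2ban_enabled: false` is introduced in this hunk but nothing else in the diff reads it; the run.yml hunk that moves `security/fail2ban` to the top of the play adds no guard, so the role runs regardless of the flag's value. If the flag is meant to gate the role, that run.yml entry needs `when: security_fail2ban_enabled | default(False)`, matching how the container roles are gated (`when: enable_vaultwarden | default(False)`). A one-line comment above the new key stating what it controls would also help, since every neighbouring key is `security_autoupdate_*` and the reader will assume it belongs to that group.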
@@ -0,0 +1,10 @@ +--- +container_name: vaultwarden + +dashboard_url: "https://{{ subdomains['vaultwarden'] }}.{{ host }}" + +homer_category: services + +dashboard_name: Vaultwarden + +health_url: "http://{{ ansible_default_ipv4.address }}:3000/https://{{ subdomains['vaultwarden'] }}.{{ host }}" \ No newline at end of file diff --git a/roles/containers/services/bitwarden/tasks/main.yml b/roles/containers/services/vaultwarden/tasks/main.yml similarity index 94% rename from roles/containers/services/bitwarden/tasks/main.yml rename to roles/containers/services/vaultwarden/tasks/main.yml index e61c5a8c..b383d5de 100644 --- a/roles/containers/services/bitwarden/tasks/main.yml +++ b/roles/containers/services/vaultwarden/tasks/main.yml @@ -2,7 +2,7 @@ - name: Make sure the Vaultwarden container is created and running docker_container: - name: 'bitwarden' + name: 'vaultwarden' image: "vaultwarden/server" pull: true state: 'started' @@ -27,6 +27,6 @@ docker_network: name: swag_network connected: - - bitwarden + - vaultwarden appends: yes when: enable_swag diff --git a/roles/network/ikev2/tasks/main.yml b/roles/network/ikev2/tasks/main.yml index 38e4c76d..68c84be8 100644 --- a/roles/network/ikev2/tasks/main.yml +++ b/roles/network/ikev2/tasks/main.yml @@ -23,6 +23,10 @@ VPNUSERNAME: "{{ username }}" VPNPASSWORD: "{{ vpn_password }}" EXCLUDE_SSIDS: "{{ ikev2_excludedssids }}" + mounts: + - source: "{{ docker_dir }}/{{ container_name }}/log/charon.log" + target: "/var/log/charon.log" + type: bind volumes: - "{{ docker_dir }}/{{ container_name }}/config:/config" - "{{ docker_dir }}/{{ container_name }}/letsencrypt:/etc/letsencrypt" diff --git a/roles/network/swag/tasks/check_status.yml b/roles/network/swag/tasks/check_status.yml index 80880c40..8eb00ce0 100644 --- a/roles/network/swag/tasks/check_status.yml +++ b/roles/network/swag/tasks/check_status.yml 
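Review bot: `dashboard_url` and `health_url` now index `subdomains['vaultwarden']`, and the swag template in this commit indexes `swag_urls['vaultwarden']`, but no hunk here renames the `bitwarden` key inside those dictionaries. If they are defined elsewhere and still keyed `bitwarden`, both templates fail with an undefined-key error at render time, so the rename has to be applied to the dictionaries as well (or the key read as `subdomains['vaultwarden'] | default(subdomains['bitwarden'])` for the transition). Worth a quick grep for `['bitwarden']` across group_vars before merging.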
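Review bot: The new bind mount points `source` at a single file, `{{ docker_dir }}/{{ container_name }}/log/charon.log`; if that file does not exist on the host when the container is created, Docker creates a directory at that path instead, the container cannot write its log there, and the `ikev2_log` path added in paths-overrides.local.j2 never sees any data. Unless an earlier task already does so, add a task before this one that creates the file, e.g. `- file: { path: "{{ docker_dir }}/{{ container_name }}/log/charon.log", state: touch, access_time: preserve, modification_time: preserve }`, with the ownership the container's logger expects. The enclosing `docker_container` task begins before this hunk.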
@@ -15,4 +15,4 @@ - name: Are containers running? set_fact: running: yes - when: swag_docker_status.results[0].container['State']['Running'] and swag_docker_status.results[1].container['State']['Running'] \ No newline at end of file + when: existing is defined and swag_docker_status.results[0].container['State']['Running'] and swag_docker_status.results[1].container['State']['Running'] \ No newline at end of file diff --git a/roles/network/swag/tasks/docker.yml b/roles/network/swag/tasks/docker.yml index 4af89065..dce5e811 100644 --- a/roles/network/swag/tasks/docker.yml +++ b/roles/network/swag/tasks/docker.yml @@ -60,7 +60,7 @@ ports: - "443:443" volumes: - - "{{ docker_dir }}/swag/external/proxy-confs:/config/nginx/proxy-confs" + - "{{ docker_dir }}/swag/public/proxy-confs:/config/nginx/proxy-confs" - "{{ docker_dir }}/swag/dns-conf:/config/dns-conf" - "{{ docker_dir }}/swag/letsencrypt:/config/etc/letsencrypt" restart_policy: unless-stopped \ No newline at end of file diff --git a/roles/network/swag/templates/public/bitwarden.subdomain.conf.j2 b/roles/network/swag/templates/public/vaultwarden.subdomain.conf.j2 similarity index 85% rename from roles/network/swag/templates/public/bitwarden.subdomain.conf.j2 rename to roles/network/swag/templates/public/vaultwarden.subdomain.conf.j2 index f95e7b03..d8a4e859 100644 --- a/roles/network/swag/templates/public/bitwarden.subdomain.conf.j2 +++ b/roles/network/swag/templates/public/vaultwarden.subdomain.conf.j2 @@ -2,7 +2,7 @@ server { listen 443 ssl; listen [::]:443 ssl; - server_name {{ swag_urls['bitwarden'] }}; + server_name {{ swag_urls['vaultwarden'] }}; {% include "nginx/params.j2" %} @@ -14,7 +14,7 @@ server { {% include "nginx/cors.j2" %} include /config/nginx/proxy.conf; include /config/nginx/resolver.conf; - set $upstream_app bitwarden; + set $upstream_app vaultwarden; set $upstream_port 80; set $upstream_proto http; proxy_pass $upstream_proto://$upstream_app:$upstream_port; 
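Review bot: The new `when:` on the last line is a single ~150-character conjunction; Ansible ANDs a list of conditions, so `when:` followed by `- existing is defined`, `- swag_docker_status.results[0].container['State']['Running']`, `- swag_docker_status.results[1].container['State']['Running']` reads the same and diffs cleanly when one term changes. What `existing` refers to is not visible in this hunk; a comment above the task naming where it is registered would help, because when it is absent the task is skipped and the `running` fact is simply never set. `running: yes` on the context line above is a YAML 1.1 truthy and is better written `true`.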
@@ -24,7 +24,7 @@ server {
 location /admin {
 include /config/nginx/proxy.conf;
 include /config/nginx/resolver.conf;
- set $upstream_app bitwarden;
+ set $upstream_app vaultwarden;
 set $upstream_port 80;
 set $upstream_proto http;
 proxy_pass $upstream_proto://$upstream_app:$upstream_port;
@@ -34,7 +34,7 @@ server {
 location /notifications/hub {
 include /config/nginx/proxy.conf;
 include /config/nginx/resolver.conf;
- set $upstream_app bitwarden;
+ set $upstream_app vaultwarden;
 set $upstream_port 3012;
 set $upstream_proto http;
 proxy_pass $upstream_proto://$upstream_app:$upstream_port;
@@ -44,7 +44,7 @@ server {
 location /notifications/hub/negotiate {
 include /config/nginx/proxy.conf;
 include /config/nginx/resolver.conf;
- set $upstream_app bitwarden;
+ set $upstream_app vaultwarden;
 set $upstream_port 80;
 set $upstream_proto http;
 proxy_pass $upstream_proto://$upstream_app:$upstream_port;
diff --git a/roles/security/fail2ban/files/filter.d/ikev2.conf b/roles/security/fail2ban/files/filter.d/ikev2.conf
new file mode 100644
index 00000000..035b699c
--- /dev/null
+++ b/roles/security/fail2ban/files/filter.d/ikev2.conf
@@ -0,0 +1,11 @@
+[Init]
+maxlines = 8
+
+[Definition]
+failregex = ^.*N\(AUTH_FAILED\).*\n.*to
+ ^.*\'certificate unknown\'.*\n.*\n.*to
+ ^.*no peer config found\n.*\n.*sending packet.*to
+ ^.*no peer config found\n.*\n.*\n.*\n.*\n.* sending packet.*to
+ ^.*no IKE config found for.*\.\.\.
+ ^.*verification failed, retry.*\n.*received packet: from \[.*\].*
+ignoreregex =
diff --git a/roles/security/fail2ban/tasks/main.yml b/roles/security/fail2ban/tasks/main.yml
index a44374b3..f57f54fa 100644
--- a/roles/security/fail2ban/tasks/main.yml
+++ b/roles/security/fail2ban/tasks/main.yml
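Review bot: As rendered on this page none of the six `failregex` alternatives contains a `<HOST>` (or `<ADDR>`) capture, and fail2ban refuses to load a filter whose failregex has no host group, so the `ikev2` jail would fail at start. If the tags were stripped when the page was rendered, disregard this; otherwise each alternative needs the peer address captured, e.g. `...sending packet.*to <HOST>\[` rather than ending at a bare `to`. A short comment above `[Definition]` naming which charon log events each alternative targets (the text shows AUTH_FAILED, certificate unknown, no peer config found, no IKE config found, verification failed) would make the multi-line patterns maintainable, and running `fail2ban-regex` against a captured charon.log sample before merging would confirm that `maxlines = 8` is enough for the five-line variant.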
@@ -17,12 +17,14 @@ group: "{{ username }}" with_fileglob: - "files/filter.d/*.conf" + when: lookup('vars', 'enable_' + (item | basename).split('.')[0].split('-')[0]) | default(False) register: copied_rules - name: Create a list of rule files that were deployed set_fact: installed_configs: "{{ installed_configs | default([]) + [ item.dest.split('/')[-1].split('.')[0] ] }}" with_items: "{{ copied_rules.results }}" + when: item.skipped is not defined - name: Install the jail.local file template: @@ -34,20 +36,21 @@ src: "paths-overrides.local.j2" dest: "/etc/fail2ban/paths-overrides.local" - - name: Put the cloudflare token into the configuration file lineinfile: regex: "^cftoken =" line: "cftoken = {{ cloudflare_firewall_token }}" path: "/etc/fail2ban/action.d/cloudflare.conf" + when: enable_cloudflare | default(False) - name: Put the cloudflare email into the configuration file lineinfile: regex: "^cfuser =" line: "cfuser = {{ email }}" path: "/etc/fail2ban/action.d/cloudflare.conf" + when: enable_cloudflare | default(False) - name: Restart fail2ban service: name: fail2ban - state: restarted + state: restarted \ No newline at end of file diff --git a/roles/security/fail2ban/templates/jail.local.j2 b/roles/security/fail2ban/templates/jail.local.j2 index 9b4b2c41..14e2f42f 100644 --- a/roles/security/fail2ban/templates/jail.local.j2 +++ b/roles/security/fail2ban/templates/jail.local.j2 @@ -21,3 +21,11 @@ port = http,https filter = {{ name }} logpath = %({{ name }}_log)s {% endfor %} + +{% if "vaultwarden" in installed_configs %} +[vaultwarden-admin] +enabled = true +port = http,https +filter = vaultwarden-admin +logpath = %(vaultwarden-admin_log)s +{% endif %} \ No newline at end of file diff --git a/roles/security/fail2ban/templates/paths-overrides.local.j2 b/roles/security/fail2ban/templates/paths-overrides.local.j2 index ce5d2811..ae5a603a 100644 --- a/roles/security/fail2ban/templates/paths-overrides.local.j2 
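Review bot: `lookup('vars', 'enable_' + ...) | default(False)` does not fall back to False when the variable is missing: the vars lookup raises an undefined-variable error before the filter is applied, so any filter file without a matching `enable_<name>` variable aborts the play. Pass the default to the lookup itself, `when: lookup('vars', 'enable_' + (item | basename).split('.')[0].split('-')[0], default=False)`. The derived name also deserves a comment above the task, since `vaultwarden-admin.conf` maps to `enable_vaultwarden` only because of the `.split('-')[0]` step. The task header (module and `src`/`dest`) starts before this hunk.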
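Review bot: The cloudflare token task writes `{{ cloudflare_firewall_token }}` via `lineinfile`, and the `line:` value is echoed in task output and in `--diff` mode, so the token lands in the Ansible log; add `no_log: true` to that task alongside the new `when:`. The new `when: enable_cloudflare | default(False)` is right but is repeated on two adjacent tasks editing the same file; wrapping both in a `block:` with a single `when:` keeps them in step. If `enable_cloudflare` is not defined anywhere in group_vars (it is not in the vars.yml hunk of this diff), the default keeps both tasks permanently skipped, which is worth a comment so nobody wonders why the action file is never populated.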
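Review bot: `{% if "vaultwarden" in installed_configs %}` emits a second `[vaultwarden-admin]` section whenever a `vaultwarden-admin.conf` filter was deployed, because the loop above already writes one `[{{ name }}]` jail per entry of `installed_configs` and the fail2ban tasks build that list from the filter filename (`item.dest.split('/')[-1].split('.')[0]`), which keeps the `-admin` suffix; the existing `vaultwarden-admin_log` override in paths-overrides.local.j2 suggests that file exists. Duplicate sections are either rejected or silently merged by the config parser, so either drop this block or exclude `vaultwarden-admin` from the loop. `installed_configs` is also undefined when every filter is skipped by the new `when:` in tasks/main.yml, since the `set_fact` that builds it is then skipped for every item; reference it as `installed_configs | default([])` in both the loop and this condition, or seed it with an unconditional `set_fact` before the loop.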
+++ b/roles/security/fail2ban/templates/paths-overrides.local.j2 @@ -2,3 +2,4 @@ nextcloud_log = {{ docker_dir }}/nextcloud/data/nextcloud.log vaultwarden_log = {{ docker_dir }}/vaultwarden/vaultwarden.log vaultwarden-admin_log = {{ docker_dir }}/vaultwarden/vaultwarden.log +ikev2_log = {{ docker_dir }}/ikev2/log/charon.log \ No newline at end of file diff --git a/run.yml b/run.yml index 028a06fd..ba324edd 100644 --- a/run.yml +++ b/run.yml @@ -22,6 +22,10 @@ tags: - docker + - role: security/fail2ban + tags: + - fail2ban + - role: chriswayg.msmtp-mailer tags: - msmtp @@ -81,10 +85,6 @@ roles: - - role: security/fail2ban - tags: - - fail2ban - # # Filesystems # @@ -222,11 +222,11 @@ - containers when: enable_nextcloud | default(False) - - role: containers/services/bitwarden + - role: containers/services/vaultwarden tags: - - bitwarden + - vaultwarden - containers - when: enable_bitwarden | default(False) + when: enable_vaultwarden | default(False) # # Home automation
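Review bot: Moving `security/fail2ban` ahead of the container roles means fail2ban is configured and restarted before the containers whose logs its jails watch (`vaultwarden`, `ikev2`) have been created; on a fresh host those `logpath` files do not exist yet, and fail2ban does not start a jail whose log file is missing, so the `Restart fail2ban` task may fail or leave jails inactive on the first run. If the reordering is deliberate, add a comment on the role entry, e.g. `# Runs before the container roles; jails whose log files do not exist yet are skipped until the next run`, and make sure the log directories are created up front; otherwise move the entry back below the container roles.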