Update to 2021-12-01 19:13

roles/crowdsec_firewall_bouncer/defaults/main.yml

@@ -0,0 +1,15 @@
+---
+
+# Version of the firewall bouncer to install
+cs_fw_version: 0.0.10
+# URL of the firewall bouncer archive
+cs_fw_archive_url: https://github.com/crowdsecurity/cs-firewall-bouncer/releases/download/v{{ cs_fw_version }}/cs-firewall-bouncer.tgz
+# Expected sha1 of the archive
+cs_fw_archive_sha1: 46863e95bdc8f48434583f55e89b7720fce5736d
+
+# API on which the bouncer should listen for alerts
+cs_fw_lapi_url: "{{ cs_lapi_url | default('http://localhost:8080/') }}"
+# If not defined, ansible will try to register the bouncer on the Local API server
+# cs_lapi_server must be defined in this case
+# cs_fw_lapi_key: aaabbbccc
+

roles/crowdsec_firewall_bouncer/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+
+- name: restart cs-firewall-bouncer
+  service: name=cs-firewall-bouncer state=restarted

roles/crowdsec_firewall_bouncer/tasks/cleanup.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Remove temp and obsolete files
+  file: path={{ item }} state=absent
+  loop:
+    - /tmp/cs-firewall-bouncer.tgz
+    - /tmp/cs-firewall-bouncer-v{{ cs_fw_version }}
+  tags: cs

roles/crowdsec_firewall_bouncer/tasks/conf.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Deploy configuration
+  template: src=cs-firewall-bouncer.yaml.j2 dest=/etc/crowdsec/cs-firewall-bouncer/cs-firewall-bouncer.yaml mode=600
+  notify: restart cs-firewall-bouncer
+  tags: cs

roles/crowdsec_firewall_bouncer/tasks/directories.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Create needed directories
+  file: path={{ item.dir }} state=directory mode={{ item.mode | default(omit) }}
+  loop:
+    - dir: /etc/crowdsec/cs-firewall-bouncer
+    - dir: /etc/crowdsec/meta
+      mode: 700
+  tags: cs

roles/crowdsec_firewall_bouncer/tasks/facts.yml

@@ -0,0 +1,73 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+  tags: cs
+
+- name: Check if API key is available
+  stat: path=/etc/crowdsec/meta/bouncer_fw_api_key
+  register: cs_fw_lapi_key_file
+  tags: cs
+
+- when: cs_fw_lapi_key is not defined and (not cs_fw_lapi_key_file.stat.exists or cs_fw_lapi_key_file.stat.size == 0)
+  block:
+    - name: Register the bouncer
+      shell: |
+        cscli bouncers list -o raw | grep -q -P '^{{ inventory_hostname }}-firewall' && cscli bouncers delete {{ inventory_hostname }}-firewall
+        cscli bouncers add {{ inventory_hostname }}-firewall -o raw
+      register: cs_bouncer_add
+      failed_when: cs_bouncer_add.rc not in [0,1]
+      changed_when: cs_bouncer_add.rc == 0
+      delegate_to: "{{ cs_lapi_server | default(inventory_hostname) }}"
+
+    - name: Record the API key for later use
+      copy: content={{ cs_bouncer_add.stdout }} dest=/etc/crowdsec/meta/bouncer_fw_api_key mode=600
+
+  tags: cs
+
+- when: cs_fw_lapi_key is not defined
+  block:
+    - name: Read the API key
+      slurp: src=/etc/crowdsec/meta/bouncer_fw_api_key
+      register: cs_fw_lapi_generated_key
+    - set_fact: cs_fw_lapi_key={{ cs_fw_lapi_generated_key.content | b64decode | trim }}
+  tags: cs
+
+- name: Set initial facts
+  block:
+    - set_fact: cs_fw_current_version=''
+    - set_fact: cs_fw_install_mode='none'
+  tags: cs
+
+- name: Check if the bouncer is installed
+  stat: path=/usr/local/bin/cs-firewall-bouncer
+  register: cs_fw_bin
+  tags: cs
+
+- when: cs_fw_bin.stat.exists
+  block:
+    - name: Detect installed version
+      shell: |
+        cs-firewall-bouncer -c /dev/null 2>&1 | perl -ne 'm/cs-firewall-bouncer v(\d+(\.\d+)*)/ && print $1'
+      register: cs_fw_current_version
+      changed_when: False
+
+    - set_fact: cs_fw_current_version={{ cs_fw_current_version.stdout }}
+  tags: cs
+
+- name: Set install mode
+  set_fact: cs_fw_install_mode='install'
+  when: not cs_fw_bin.stat.exists
+  tags: cs
+
+- name: Set upgrade mode
+  set_fact: cs_fw_install_mode='upgrade'
+  when:
+    - cs_fw_bin.stat.exists
+    - cs_fw_current_version != cs_fw_version
+  tags: cs
+

roles/crowdsec_firewall_bouncer/tasks/install.yml

@@ -0,0 +1,70 @@
+---
+
+- name: Install needed tools
+  package:
+    name:
+      - ipset
+  tags: cs
+
+- when: cs_fw_install_mode != 'none'
+  block:
+
+    - name: Download the bouncer
+      get_url:
+        url: "{{ cs_fw_archive_url }}"
+        dest: /tmp
+        checksum: sha1:{{ cs_fw_archive_sha1 }}
+
+    - name: Extract the archive
+      unarchive:
+        src: /tmp/cs-firewall-bouncer.tgz
+        dest: /tmp
+        remote_src: True
+
+    - name: Install or upgrade
+      command: ./{{ cs_fw_install_mode }}.sh
+      args:
+        chdir: /tmp/cs-firewall-bouncer-v{{ cs_fw_version }}
+      notify: restart cs-firewall-bouncer
+
+  tags: cs
+
+- name: Create systemd unit snippet dir
+  file: path=/etc/systemd/system/cs-firewall-bouncer.service.d state=directory
+  tags: cs
+
+- name: Create iptables snippet dir
+  file: path=/etc/systemd/system/{{ cs_iptables_service }}.service.d state=directory
+  tags: cs
+
+- name: Create ipsets before iptables starts
+  copy:
+    content: |
+      [Service]
+      ExecStartPre=/usr/sbin/ipset -exist create crowdsec-blacklists nethash timeout 300
+      ExecStartPre=/usr/sbin/ipset -exist create crowdsec6-blacklists nethash timeout 300 family inet6
+    dest: /etc/systemd/system/{{ cs_iptables_service }}.service.d/cs-ipset.conf
+  register: cs_iptable_unit
+  tags: cs
+
+- name: Tune cs-firewall-bouncer service
+  copy:
+    content: |
+      [Unit]
+      # The bouncer should start after crowdsec to be able to register on the API
+      After=crowdsec.service
+
+      [Service]
+      # Restart on failure
+      Restart=on-failure
+      StartLimitInterval=0
+      RestartSec=30
+    dest: /etc/systemd/system/cs-firewall-bouncer.service.d/ansible.conf
+  register: crodwsec_fw_unit
+  notify: restart cs-firewall-bouncer
+  tags: cs
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: crodwsec_fw_unit.changed or cs_iptable_unit.changed
+  tags: cs

roles/crowdsec_firewall_bouncer/tasks/iptables.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Ensure ipsets exist
+  shell: |
+    ipset list crowdsec-blacklists || ipset create crowdsec-blacklists nethash timeout 300
+    ipset list crowdsec6-blacklists || ipset create crowdsec6-blacklists nethash timeout 300 family inet6
+  changed_when: False
+  tags: cs
+
+- name: Add DROP rules
+  iptables_raw:
+    name: cs_blacklist
+    weight: 9
+    rules: |
+      -A INPUT -m set --match-set crowdsec-blacklists src -j DROP
+      -A FORWARD -m set --match-set crowdsec-blacklists src -j DROP
+  tags: cs

roles/crowdsec_firewall_bouncer/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+
+- include: directories.yml
+- include: facts.yml
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+  when: iptables_manage | default(True)
+- include: services.yml
+- include: cleanup.yml

roles/crowdsec_firewall_bouncer/tasks/services.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Start and enable the service
+  service: name=cs-firewall-bouncer state=started enabled=True
+  tags: cs

roles/crowdsec_firewall_bouncer/templates/cs-firewall-bouncer.yaml.j2

@@ -0,0 +1,12 @@
+---
+
+mode: iptables
+piddir: /var/run/
+update_frequency: 10s
+daemonize: true
+log_mode: stdout
+log_level: info
+api_url: {{ (cs_fw_lapi_url is search('/$')) | ternary(cs_fw_lapi_url,cs_fw_lapi_url ~ '/') }}
+api_key: {{ cs_fw_lapi_key }}
+disable_ipv6: false
+

roles/crowdsec_firewall_bouncer/vars/Debian.yml

@@ -0,0 +1,3 @@
+---
+
+cs_iptables_service: netfilter-persistent

roles/crowdsec_firewall_bouncer/vars/RedHat.yml

@@ -0,0 +1,3 @@
+---
+
+cs_iptables_service: iptables