init

2026-02-19 11:34:13 +00:00
commit f243f440c3
191 changed files with 6183 additions and 0 deletions
--- a/ansible/roles/harden/nftables/handlers/main.yml
+++ b/ansible/roles/harden/nftables/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+- name: validate nftables config
+  ansible.builtin.command:
+    cmd: nft -c -f /etc/nftables.conf
+  listen: apply nftables
+  changed_when: false
+
+- name: reload nftables
+  ansible.builtin.systemd:
+    name: nftables
+    state: reloaded
+  listen: apply nftables
--- a/ansible/roles/harden/nftables/tasks/main.yml
+++ b/ansible/roles/harden/nftables/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+- name: install nftables
+  ansible.builtin.apt:
+    name: nftables
+    state: present
+    update_cache: true
+  notify: apply nftables
+
+- name: deploy nftables config
+  ansible.builtin.template:
+    src: "{{ nftables_conf_name }}"
+    dest: /etc/nftables.conf
+    owner: root
+    group: root
+    mode: "0644"
+  notify: apply nftables
+
+- name: enable and start nftables service
+  ansible.builtin.systemd:
+    name: nftables
+    enabled: true
+    state: started
--- a/ansible/roles/harden/nftables/templates/proxmox-nftables.j2
+++ b/ansible/roles/harden/nftables/templates/proxmox-nftables.j2
@@ -0,0 +1,36 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0;
+        policy drop;
+
+        iif "lo" accept
+        ct state established,related accept
+
+        # SSH
+        tcp dport {{ ssh_port }} accept
+
+        # ICMP
+        ip protocol icmp accept
+        ip6 nexthdr icmpv6 accept
+
+        # Proxmox Web/API (LAN only)
+        ip saddr 192.168.0.0/24 tcp dport 8006 accept
+
+        # NTP
+        ip saddr 192.168.0.0/24 udp dport {{ ntp_port }} accept
+    }
+
+    chain forward {
+        type filter hook forward priority 0;
+        policy drop;
+    }
+
+    chain output {
+        type filter hook output priority 0;
+        policy accept;
+    }
+}
--- a/ansible/roles/harden/nftables/templates/vm-nftables.conf.j2
+++ b/ansible/roles/harden/nftables/templates/vm-nftables.conf.j2
@@ -0,0 +1,32 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0;
+        policy drop;
+
+        iif "lo" accept
+        ct state established,related accept
+
+        # SSH
+        tcp dport {{ ssh_port }} accept
+
+        # udp dport {{ ntp_port }} accept
+
+        # ICMP
+        ip protocol icmp accept
+        ip6 nexthdr icmpv6 accept
+    }
+
+    chain forward {
+        type filter hook forward priority 0;
+        policy drop;
+    }
+
+    chain output {
+        type filter hook output priority 0;
+        policy accept;
+    }
+}