add ipset-deploy role

2020-04-14 21:42:03 -04:00 · 2020-04-14 21:42:03 -04:00 · ce39f769a2
parent 835384a24d
commit ce39f769a2
5 changed files with 74 additions and 0 deletions
--- a/ubuntu/roles/ipset-deploy/files/deirdre.asininetech.net.ipset
+++ b/ubuntu/roles/ipset-deploy/files/deirdre.asininetech.net.ipset
@ -0,0 +1,22 @@
+create nasties hash:net family inet hashsize 1024 maxelem 65536
+# Scrapy bot from University of Milan
+add nasties 159.149.133.66/32
+# domaincrawler.com aggressive crawler/bot
+add nasties 185.6.8.3/32
+add nasties 185.6.8.7/32
+# infegy data collection
+add nasties 173.244.135.0/24
+# 1776 Solutions, kiwifarms
+add nasties 103.114.191.0/24
+# Bytespider crawler, aggressive
+add nasties 110.240.0.0/12
+add nasties 111.224.0.0/14
+add nasties 220.243.128.0/20
+# Seekport Crawler, aggressive
+add nasties 95.216.172.167/32
+# SearchAtlas.com SEO Crawler, doesn't respect robots.txt
+add nasties 147.75.106.146/32
+# AlkonavtNetwork, Russian spam account creation source
+add nasties 5.188.210.0/24
+# moz.com SEO crawler
+add nasties 216.244.66.229/32
--- a/ubuntu/roles/ipset-deploy/files/ipset.service
+++ b/ubuntu/roles/ipset-deploy/files/ipset.service
@ -0,0 +1,14 @@
+[Unit]
+Description=Loading IP Sets
+Before=network-pre.target netfilter-persistent.service
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/sbin/ipset -f /etc/ipset.conf restore
+ExecReload=/sbin/ipset -f /etc/ipset.conf restore
+ExecStop=/sbin/ipset destroy
+
+[Install]
+WantedBy=multi-user.target
--- a/ubuntu/roles/ipset-deploy/handlers/main.yml
+++ b/ubuntu/roles/ipset-deploy/handlers/main.yml
@ -0,0 +1,3 @@
+- name: reload systemd
+  systemd:
+    daemon_reload: yes
--- a/ubuntu/roles/ipset-deploy/tasks/main.yml
+++ b/ubuntu/roles/ipset-deploy/tasks/main.yml
@ -0,0 +1,28 @@
+---
+# This role deploys ipset rulesets to Ubuntu hosts
+
+- name: Copy ipset.service
+  copy:
+    src: ipset.service
+    dest: /etc/systemd/system/ipset.service
+  notify:
+    - reload systemd
+
+- name: Enable ipset.service
+  systemd:
+    name: ipset
+    enabled: yes
+
+- name: Copy ipset rulesets
+  copy:
+    src: "{{ ansible_fqdn }}".ipset
+    dest: /etc/ipset.conf
+
+- name: Flush any existing ipsets
+  shell:
+    cmd: /sbin/ipset destroy
+
+- name: Start ipset.service
+  systemd:
+    name: ipset
+    state: started
--- a/ubuntu/site.yml
+++ b/ubuntu/site.yml
@ -66,3 +66,10 @@

  roles:
    - pgbackrest-install
+
+- name: Deploy ipset rulesets
+  hosts: ipset
+  user: root
+
+  roles:
+    - ipset-deploy