Disroot/Disroot-Project
Disroot/Disroot-Project
17
39
Fork 0
Code Issues 231 Pull requests Projects 7 Releases Activity

[CT] - migrate to nftables and re-deploy fail2ban #1124

New issue
Open
opened 2025-02-13 15:59:49 +01:00 by muppeth · 2 comments
muppeth commented 2025-02-13 15:59:49 +01:00
Owner
Copy link

Current default on containers is iptables. We should migrate to nftables and automate it unlike current iptables setup on containers.

Development:

  • Write quick role similar to host setup
  • Create needed Host_vars for staging
  • Create needed vars for production
  • Create procedure for manually blocking IPs (in case of abuse of all sort, which currently is done manually with iptables)
    • Procedure should be automated (script+ansible)
    • Every added rule should have a reason documented
  • Document procedure, and entire setup

Implementation:

  • Create nft playbook
  • Update fail2ban playbook
  • Test and prepare procedure for migrating log directory into external mountpoint
  • Implement migration of log files
  • Mount gathered log dirs on containers requiring external logfiles from other containers in order to provide paring data for fail2ban
  • Run nft/fail2ban playbook
  • Test blocking
  • Test custom IP block procedure
Current default on containers is iptables. We should migrate to nftables and automate it unlike current iptables setup on containers. ### Development: - [x] Write quick role similar to host setup - [x] Create needed Host_vars for staging - [x] Create needed vars for production - [x] Create procedure for manually blocking IPs (in case of abuse of all sort, which currently is done manually with iptables) - [x] Procedure should be automated (script+ansible) - [x] Every added rule should have a reason documented - [x] Document procedure, and entire setup ### Implementation: - [x] Create nft playbook - [x] Update fail2ban playbook - [x] Test and prepare procedure for migrating log directory into external mountpoint - [ ] Implement migration of log files - [x] Mount gathered log dirs on containers requiring external logfiles from other containers in order to provide paring data for fail2ban - [x] Run nft/fail2ban playbook - [x] Test blocking - [x] Test custom IP block procedure
muppeth added the
Documentation
sysadmin
housekeeping
 labels 2025-02-13 15:59:49 +01:00
muppeth added this to the Currently working on milestone 2025-02-24 10:08:08 +01:00
muppeth self-assigned this 2025-02-24 10:08:12 +01:00
meaz commented 2025-03-01 08:16:00 +01:00
Owner
Copy link

I added a comment in the Documentation that you already provided to ask also for documentation on how you mount needed stuff for logfile parsing

I added a comment in the Documentation that you already provided to ask also for documentation on how you mount needed stuff for logfile parsing
👍 1
muppeth changed title from [CT] - migrate to nftables to [CT] - migrate to nftables and re-deploy fail2ban 2025-03-02 16:27:51 +01:00
muppeth added the
🦾 6
 label 2025-03-14 14:37:34 +01:00
muppeth commented 2025-04-18 09:31:05 +02:00
Author
Owner
Copy link

Pretty much done but need to do logdir mount and remounts and that will disturb services and since its middle of the day I will not do it now. I will either do it during morning session or perhaps sunday as it's usually quiet. I will see what I will be more comfortable with.

Pretty much done but need to do logdir mount and remounts and that will disturb services and since its middle of the day I will not do it now. I will either do it during morning session or perhaps sunday as it's usually quiet. I will see what I will be more comfortable with.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
No results found.
Labels
Clear labels   
🔥

Urgent

  
🦾 1

Tasks requiring minimal time and resources.

  
🦾 2

   
🦾 3

Tasks needing moderate attention, possibly involving coordination with others or multiple steps.

  
🦾 4

   
🦾 5

   
🦾 6

Significant tasks that require substantial time investment, potentially impacting other work.

  
administration

   
Akkoma

Pleroma related issues

  
Android

Issues related to Android platform

  
Bare metal

Everything related to phisical servers

  
bug

Something is not working

  
Communication

Disroot's communications

  
Community

Community related

  
Cryptpad

Cryptpad related issues

  
🙌 Decission needed

We need a decission of the core team or community at large on the topic

  
Discussion

   
Documentation

   
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
etherpad

   
Feature request

   
Feedback

Users' comments, ideas and suggestions

  
finances

   
Fixed

   
forgejo

   
fun_project

   
Goal 2024

   
Goal 2025

   
help wanted

Need some help

  
high impact

   
housekeeping

   
Howto

Howto's related

  
infra

   
In progress

   
🤔️ Investigate

   
Invoice Ninja

   
ios

   
jitsi

   
lacre

   
Lacre Test

   
ldap

   
Lemmy

   
LibreTranslate

   
low impact

   
low prio

   
Lufi

Lufi service related

  
macos

   
Mail

   
Merch

   
monitoring

   
movim

Movim related

  
needs_refine

   
New Auth

   
Nextcloud

Nextcloud related issues

  
nice to have

   
on hold

   
proposal

   
PR ready

There are PR waiting for approval and merging

  
question

More information is needed

  
Ready

   
refined

   
Roundcube

Roundcube related

  
searX

   
SPAM Issues

   
spam-protection

   
Staging Server

Regarding staging server

  
sysadmin

   
Themes

   
TOR

   
upstream issue

issue caused by upstream code

  
Website

   
windows

   
wontfix

This won't be fixed

  
xmpp

   
Yearly Report

Disroot yearly report

No labels
🔥
🦾 1
🦾 2
🦾 3
🦾 4
🦾 5
🦾 6
administration
Akkoma
Android
Bare metal
bug
Communication
Community
Cryptpad
🙌 Decission needed
Discussion
Documentation
duplicate
enhancement
etherpad
Feature request
Feedback
finances
Fixed
forgejo
fun_project
Goal 2024
Goal 2025
help wanted
high impact
housekeeping
Howto
infra
In progress
🤔️ Investigate
Invoice Ninja
ios
jitsi
lacre
Lacre Test
ldap
Lemmy
LibreTranslate
low impact
low prio
Lufi
macos
Mail
Merch
monitoring
movim
needs_refine
New Auth
Nextcloud
nice to have
on hold
proposal
PR ready
question
Ready
refined
Roundcube
searX
SPAM Issues
spam-protection
Staging Server
sysadmin
Themes
TOR
upstream issue
Website
windows
wontfix
xmpp
Yearly Report
Milestone
Clear milestone
No items
No milestone
Currently working on
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
muppeth
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: Disroot/Disroot-Project#1124
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?