geoipupdate: implement role for use on geo mirrors

9f1a5c93 · Evangelos Foutras · e3d55585 · 9f1a5c93 · 9f1a5c93 · 9f1a5c93
Verified Commit 9f1a5c93 authored 3 years ago by Evangelos Foutras
--- a/roles/geoipupdate/defaults/main.yml
+++ b/roles/geoipupdate/defaults/main.yml
+---
+
+geoipupdate_edition_ids: GeoLite2-Country # GeoLite2-City GeoLite2-ASN
--- a/roles/geoipupdate/files/hardening.conf
+++ b/roles/geoipupdate/files/hardening.conf
+[Service]
+NoNewPrivileges=true
+LockPersonality=true
+CapabilityBoundingSet=
+
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/lib/GeoIP
+
+MemoryDenyWriteExecute=true
+RemoveIPC=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectClock=true
+ProtectProc=invisible
+
+SystemCallArchitectures=native
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@resources
+SystemCallFilter=~@swap
--- a/roles/geoipupdate/handlers/main.yml
+++ b/roles/geoipupdate/handlers/main.yml
+---
+
+- name: daemon reload
+  systemd:
+    daemon-reload: true
--- a/roles/geoipupdate/tasks/main.yml
+++ b/roles/geoipupdate/tasks/main.yml
+---
+
+- name: install geoipupdate
+  pacman: name=geoipupdate state=present
+
+- name: configure geoipupdate
+  lineinfile:
+    path: /etc/GeoIP.conf
+    regex: '^#*\s*{{ item.setting }} '
+    line: '{{ item.setting }} {{ item.value }}'
+    owner: root
+    group: root
+    mode: 0600
+  no_log: true
+  loop:
+    - { setting: AccountID, value: '{{ vault_mirror_maxmind_id }}' }
+    - { setting: LicenseKey, value: '{{ vault_mirror_maxmind_license }}' }
+    - { setting: EditionIDs, value: '{{ geoipupdate_edition_ids }}' }
+
+- name: create drop-in directory for geoipupdate.service
+  file: path=/etc/systemd/system/geoipupdate.service.d state=directory owner=root group=root mode=0755
+
+- name: install drop-in for geoipupdate.service
+  copy: src=hardening.conf dest=/etc/systemd/system/geoipupdate.service.d/ owner=root group=root mode=0644
+  notify:
+    - daemon reload
+
+- name: start and enable geoipupdate.timer
+  systemd: name=geoipupdate.timer enabled=yes state=started