2025-06-07 16:12:55 +02:00
|
|
|
hostname: dev-01.lab.alexpires.me
|
2025-05-02 14:24:08 +02:00
|
|
|
ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}"
|
|
|
|
|
|
|
|
|
|
# Users
|
|
|
|
|
login_users:
|
|
|
|
|
- username: "{{ ansible_user }}"
|
|
|
|
|
comment: "Managed by Ansible"
|
|
|
|
|
sudoer: true
|
|
|
|
|
sudoer_root_only: true
|
|
|
|
|
sudoer_no_password: true
|
|
|
|
|
pubkey: "{{ lookup('file', 'keys/ansible_user.pub') }}"
|
|
|
|
|
password_disabled: true
|
|
|
|
|
- username: operator
|
|
|
|
|
comment: "Managed by Ansible"
|
|
|
|
|
sudoer: true
|
|
|
|
|
pubkey: "{{ lookup('file', 'keys/operator.pub') }}"
|
|
|
|
|
|
|
|
|
|
# SSH Connection and security
|
|
|
|
|
sshd_port: 22
|
|
|
|
|
ssh_allowed_networks:
|
2025-06-06 23:49:38 +02:00
|
|
|
- "10.5.5.5/32" # Wireguard VPN (Laptop)
|
|
|
|
|
- "10.19.4.0/24" # local network
|
|
|
|
|
sshd_admin_net: "10.19.4.0/24" # local network
|
2025-05-02 14:24:08 +02:00
|
|
|
sshd_allow_groups: "{{ ansible_user }} users"
|
|
|
|
|
sshd_permit_root_login: "no"
|
|
|
|
|
sshd_password_authentication: "no"
|
|
|
|
|
sshd_allow_tcp_forwarding: "yes"
|
|
|
|
|
|
|
|
|
|
# Due to an issue increase the number of max auth tries
|
|
|
|
|
sshd_max_auth_tries: 10
|
|
|
|
|
|
|
|
|
|
# Firewall ports
|
|
|
|
|
ufw_enable: true
|
|
|
|
|
fw_allowed_ports:
|
2025-06-07 16:12:55 +02:00
|
|
|
- { rule: "allow", port: "22", proto: "tcp", from: "10.5.5.5/32" } # SSH Access (VPN device)
|
|
|
|
|
- { rule: "allow", port: "22", proto: "tcp", from: "10.19.4.0/24" } # SSH Access (local network)
|
2025-06-06 23:49:38 +02:00
|
|
|
- { rule: "allow", port: "16443", proto: "tcp", from: "10.5.5.5/32" } # Kubernetes API (Laptop)
|
|
|
|
|
- { rule: "allow", port: "16443", proto: "tcp", from: "10.19.4.0/24" } # Kubernetes API (local network)
|
2025-06-07 16:12:55 +02:00
|
|
|
- { rule: "allow", port: "139", proto: "tcp", from: "10.19.4.0/24" } # Samba (local network only)
|
|
|
|
|
- { rule: "allow", port: "445", proto: "tcp", from: "10.19.4.0/24" } # Samba (local network only)
|
2025-06-22 18:43:55 +02:00
|
|
|
- { rule: "allow", port: "11434", proto: "tcp", from: "10.19.4.0/24" } # Ollama (local network only)
|
2025-06-22 18:51:27 +02:00
|
|
|
- { rule: "allow", port: "11434", proto: "tcp", from: "10.5.5.5/32" } # Ollama (Laptop)
|
2025-09-21 23:55:53 +02:00
|
|
|
- { rule: "allow", port: "11434", proto: "tcp", from: "10.5.5.2/32" } # Ollama (Contabo VPN)
|
2025-10-02 00:19:01 +02:00
|
|
|
- { rule: "allow", port: "9090", proto: "tcp", from: "10.5.5.2/32" } # Prometheus (Contabo VPN)
|
2025-06-07 16:12:55 +02:00
|
|
|
- { rule: "allow", port: "443", proto: "tcp", from: "10.5.5.2/32" } # HTTPS (Contabo VPN)
|
|
|
|
|
- { rule: "allow", port: "53", proto: "udp", from: "10.19.4.0/24" } # DNS (local network)
|
|
|
|
|
- { rule: "allow", port: "53", proto: "udp", from: "10.5.5.2/32" } # DNS (Contabo VPN)
|
2025-05-02 14:24:08 +02:00
|
|
|
|
|
|
|
|
ufw_outgoing_traffic:
|
2025-06-22 18:43:55 +02:00
|
|
|
- 9 # For Wake-on-LAN
|
2025-05-02 14:24:08 +02:00
|
|
|
- 22 # SSH
|
|
|
|
|
- 53 # DNS
|
|
|
|
|
- 80 # HTTP
|
|
|
|
|
- 123 # NTP
|
|
|
|
|
- 443 # HTTPS
|
2025-10-02 00:19:01 +02:00
|
|
|
- 465 # SMTPS
|
2025-05-02 14:24:08 +02:00
|
|
|
- 853 # DNS over TLS
|
2025-06-05 23:27:50 +02:00
|
|
|
- 10250 # Kubelet
|
2025-06-03 23:43:19 +02:00
|
|
|
- 8880 # Kokoro-FastAPI
|
2025-06-05 23:27:50 +02:00
|
|
|
- 11434 # Ollama
|
|
|
|
|
- 16443 # Kubernetes API
|
2025-07-06 22:56:13 +02:00
|
|
|
- 8188 # comfyui
|
2025-06-05 23:27:50 +02:00
|
|
|
- 4443
|
|
|
|
|
- 9443
|
2025-10-02 00:19:01 +02:00
|
|
|
- 993 # IMAPS
|
|
|
|
|
- 9090 # Prometheus
|
2025-05-02 14:24:08 +02:00
|
|
|
|
|
|
|
|
ufw_default_forward_policy: "ACCEPT"
|
|
|
|
|
|
|
|
|
|
ipv4_sysctl_settings:
|
|
|
|
|
net.ipv4.ip_forward: 1
|
|
|
|
|
|
|
|
|
|
disable_ipv6: true
|
|
|
|
|
|
|
|
|
|
# geoip will override hosts_allow and hosts_deny (so it's disabled - CIS hardening)
|
|
|
|
|
custom_hosts_acls: true
|
|
|
|
|
|
|
|
|
|
# fail2ban
|
|
|
|
|
fail2ban_jails:
|
|
|
|
|
ssh:
|
|
|
|
|
enabled: true
|
|
|
|
|
port: "{{ sshd_port }}"
|
|
|
|
|
filter: "sshd"
|
|
|
|
|
logpath: "/var/log/auth.log"
|
|
|
|
|
maxretry: 5
|
|
|
|
|
findtime: 600
|
|
|
|
|
bantime: 3600
|
|
|
|
|
|
|
|
|
|
# aide
|
2025-10-02 00:19:01 +02:00
|
|
|
install_aide: true
|
|
|
|
|
aide_exclude:
|
|
|
|
|
- "!/var/lib/snapd"
|
|
|
|
|
- "!/srv"
|
2025-05-02 14:24:08 +02:00
|
|
|
|
2025-06-06 23:49:38 +02:00
|
|
|
misc_modules_blocklist:
|
|
|
|
|
- bluetooth
|
|
|
|
|
- bnep
|
|
|
|
|
- btusb
|
|
|
|
|
- can
|
|
|
|
|
- cpia2
|
|
|
|
|
- firewire-core
|
|
|
|
|
- floppy
|
|
|
|
|
- ksmbd
|
|
|
|
|
- n_hdlc
|
|
|
|
|
- net-pf-31
|
|
|
|
|
- pcspkr
|
|
|
|
|
- soundcore
|
|
|
|
|
- thunderbolt
|
|
|
|
|
- usb-midi
|
|
|
|
|
- uvcvideo
|
|
|
|
|
- v4l2_common
|
|
|
|
|
|
2025-05-02 14:24:08 +02:00
|
|
|
# Unattended upgrades
|
|
|
|
|
unattended_reboot: true
|
|
|
|
|
unattended_reboot_time: "04:30"
|
|
|
|
|
|
|
|
|
|
# Duo Security
|
|
|
|
|
duo_users: ["*", "!provision"]
|
|
|
|
|
duo_api_hostname: api-7cda1654.duosecurity.com
|
2025-06-02 22:52:04 +02:00
|
|
|
|
2025-06-05 23:27:50 +02:00
|
|
|
# Kubernetes specific settings
|
|
|
|
|
microk8s_allowed_hosts:
|
|
|
|
|
- 10.19.4.0/24
|
|
|
|
|
- 10.5.5.5
|
|
|
|
|
microk8s_alt_names: "{{ hostname }}"
|
|
|
|
|
|
2025-06-07 20:39:38 +02:00
|
|
|
microk8s_certmgr_letsencrypt_issuer_email: c.alexandre.pires@alexpires.me
|
|
|
|
|
# HTTP-01 Let's encrypt issuer is disable in dev
|
|
|
|
|
microk8s_certmgr_letsencrypt_http01: false
|
|
|
|
|
# DNS-01 issuer is enabled in dev
|
|
|
|
|
microk8s_certmgr_letsencrypt_dns01: true
|
|
|
|
|
microk8s_cloudns_auth_id: "{{ lookup('env', 'CLOUDNS_AUTH_ID') }}"
|
|
|
|
|
microk8s_cloudns_auth_password: "{{ lookup('env', 'CLOUDNS_PASSWORD') }}"
|
|
|
|
|
|
2025-06-05 23:27:50 +02:00
|
|
|
microk8s_encryption_secret: "{{ lookup('env', 'MICROK8S_ENCRYPTION_SECRET') }}"
|
|
|
|
|
microk8s_users:
|
|
|
|
|
- username: operator
|
|
|
|
|
enabled: true
|
|
|
|
|
|
2025-06-02 22:52:04 +02:00
|
|
|
# podman services settings
|
2025-06-05 23:27:50 +02:00
|
|
|
persistent_data: "/srv"
|