feat: Update Ansible playbooks and host variables for improved organization and functionality
This commit is contained in:
@@ -4,7 +4,9 @@ on:
|
||||
branches:
|
||||
- main
|
||||
paths:
|
||||
- ansible/host_vars/*.yml
|
||||
- ansible/host_vars/*.alexpires.me.yml
|
||||
- ansible/host_vars/*.a13labs.me.yml
|
||||
- ansible/host_vars/*.a13labs.pt.yml
|
||||
jobs:
|
||||
ansible-apply:
|
||||
runs-on: ubuntu-latest
|
||||
@@ -38,7 +40,6 @@ jobs:
|
||||
CHANGED_FILES: ${{ steps.setup_env.outputs.CHANGED_FILES }}
|
||||
run: |
|
||||
cd ansible
|
||||
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_login.yml
|
||||
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_fail2ban.yml
|
||||
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_geoip.yml
|
||||
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_duo_security.yml
|
||||
@@ -46,7 +47,7 @@ jobs:
|
||||
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_microk8s.yml
|
||||
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_gitea.yml
|
||||
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_nextcloud.yml
|
||||
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_wordpress.yml
|
||||
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_websites.yml
|
||||
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_m3uproxy.yml
|
||||
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_monitoring.yml
|
||||
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_rustdesk.yml
|
||||
|
||||
@@ -6,6 +6,7 @@ on:
|
||||
paths:
|
||||
- ansible/playbook_*.yml
|
||||
- '!ansible/playbook_websites.yml'
|
||||
- '!ansible/playbook_hardening*.yml'
|
||||
jobs:
|
||||
ansible-apply:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
@@ -0,0 +1,76 @@
|
||||
hostname: dev-01.alexpires.local
|
||||
ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}"
|
||||
|
||||
# Users
|
||||
login_users:
|
||||
- username: "{{ ansible_user }}"
|
||||
comment: "Managed by Ansible"
|
||||
sudoer: true
|
||||
sudoer_root_only: true
|
||||
sudoer_no_password: true
|
||||
pubkey: "{{ lookup('file', 'keys/ansible_user.pub') }}"
|
||||
password_disabled: true
|
||||
- username: operator
|
||||
comment: "Managed by Ansible"
|
||||
sudoer: true
|
||||
pubkey: "{{ lookup('file', 'keys/operator.pub') }}"
|
||||
|
||||
# SSH Connection and security
|
||||
sshd_port: 22
|
||||
ssh_allowed_networks:
|
||||
- "0.0.0.0/0"
|
||||
sshd_admin_net: "0.0.0.0/0"
|
||||
sshd_allow_groups: "{{ ansible_user }} users"
|
||||
sshd_permit_root_login: "no"
|
||||
sshd_password_authentication: "no"
|
||||
sshd_allow_tcp_forwarding: "yes"
|
||||
|
||||
# Due to an issue increase the number of max auth tries
|
||||
sshd_max_auth_tries: 10
|
||||
|
||||
# Firewall ports
|
||||
ufw_enable: true
|
||||
fw_allowed_ports:
|
||||
- { rule: "allow", port: "80", proto: "tcp" }
|
||||
- { rule: "allow", port: "443", proto: "tcp" }
|
||||
- { rule: "allow", port: "22", proto: "tcp" }
|
||||
|
||||
ufw_outgoing_traffic:
|
||||
- 22 # SSH
|
||||
- 53 # DNS
|
||||
- 80 # HTTP
|
||||
- 123 # NTP
|
||||
- 443 # HTTPS
|
||||
- 853 # DNS over TLS
|
||||
|
||||
ufw_default_forward_policy: "ACCEPT"
|
||||
|
||||
ipv4_sysctl_settings:
|
||||
net.ipv4.ip_forward: 1
|
||||
|
||||
disable_ipv6: true
|
||||
|
||||
# geoip will override hosts_allow and hosts_deny (so it's disabled - CIS hardening)
|
||||
custom_hosts_acls: true
|
||||
|
||||
# fail2ban
|
||||
fail2ban_jails:
|
||||
ssh:
|
||||
enabled: true
|
||||
port: "{{ sshd_port }}"
|
||||
filter: "sshd"
|
||||
logpath: "/var/log/auth.log"
|
||||
maxretry: 5
|
||||
findtime: 600
|
||||
bantime: 3600
|
||||
|
||||
# aide
|
||||
install_aide: false
|
||||
|
||||
# Unattended upgrades
|
||||
unattended_reboot: true
|
||||
unattended_reboot_time: "04:30"
|
||||
|
||||
# Duo Security
|
||||
duo_users: ["*", "!provision"]
|
||||
duo_api_hostname: api-7cda1654.duosecurity.com
|
||||
@@ -1,22 +0,0 @@
|
||||
---
|
||||
- name: CIS Hardening
|
||||
hosts: linux
|
||||
gather_facts: true
|
||||
|
||||
roles:
|
||||
- role: "cis"
|
||||
tags:
|
||||
- roles
|
||||
- roles::cis
|
||||
- role: "fail2ban"
|
||||
tags:
|
||||
- roles
|
||||
- roles::fail2ban
|
||||
- role: "geoip"
|
||||
tags:
|
||||
- roles
|
||||
- roles::geoip
|
||||
- role: "duo"
|
||||
tags:
|
||||
- roles
|
||||
- roles::duosecurity
|
||||
@@ -1,6 +1,6 @@
|
||||
---
|
||||
- name: Duo Security
|
||||
hosts: linux
|
||||
- name: Duo Security
|
||||
hosts: public
|
||||
gather_facts: true
|
||||
|
||||
roles:
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
---
|
||||
- name: Setup encrypted volumes
|
||||
hosts: linux
|
||||
hosts: public
|
||||
gather_facts: true
|
||||
|
||||
roles:
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
---
|
||||
- name: Fail2Ban
|
||||
hosts: linux
|
||||
hosts: public
|
||||
gather_facts: true
|
||||
|
||||
roles:
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
---
|
||||
- name: Fail2Ban
|
||||
hosts: linux
|
||||
hosts: public
|
||||
gather_facts: true
|
||||
|
||||
roles:
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
---
|
||||
- name: CIS Hardening
|
||||
hosts: localnetwork
|
||||
hosts: hardening
|
||||
gather_facts: true
|
||||
|
||||
roles:
|
||||
@@ -1,6 +1,6 @@
|
||||
---
|
||||
- name: Login setup
|
||||
hosts: linux
|
||||
hosts: all
|
||||
gather_facts: true
|
||||
|
||||
roles:
|
||||
@@ -16,7 +16,7 @@
|
||||
|
||||
- name: Set required facts
|
||||
ansible.builtin.set_fact:
|
||||
mail_folders:
|
||||
mail_folders:
|
||||
- "{{ mail_home }}/getmail"
|
||||
- "{{ mail_home }}/mailboxes"
|
||||
tags: always
|
||||
@@ -54,7 +54,7 @@
|
||||
mode: "0750"
|
||||
owner: "{{ postfix_user_id }}"
|
||||
group: "{{ postfix_group_id }}"
|
||||
loop:
|
||||
loop:
|
||||
- "{{ mail_home }}/postfix"
|
||||
tags:
|
||||
- tasks
|
||||
|
||||
@@ -1,40 +0,0 @@
|
||||
---
|
||||
- name: Wordpress Playbook (K8s)
|
||||
hosts: wordpress
|
||||
gather_facts: true
|
||||
|
||||
# Specific tasks for this playbook
|
||||
tasks:
|
||||
- name: Set required facts
|
||||
ansible.builtin.set_fact:
|
||||
wordpress_home: "{{ persistent_data | default('/var/lib') }}/wordpress"
|
||||
wordpress_mysql_home: "{{ database_path | default('/var/lib') }}/mysql.wordpress"
|
||||
wordpress_user_id: 33
|
||||
wordpress_group_id: 26
|
||||
mysql_user_id: 999
|
||||
mysql_group_id: 107
|
||||
tags: always
|
||||
|
||||
- name: Create required wordpress data folder
|
||||
become: true
|
||||
ansible.builtin.file:
|
||||
state: directory
|
||||
path: "{{ wordpress_home }}"
|
||||
mode: "0750"
|
||||
owner: "{{ wordpress_user_id }}"
|
||||
group: "{{ wordpress_group_id }}"
|
||||
tags:
|
||||
- tasks
|
||||
- tasks::folders
|
||||
|
||||
- name: Create required mysql data folder
|
||||
become: true
|
||||
ansible.builtin.file:
|
||||
state: directory
|
||||
path: "{{ wordpress_mysql_home }}"
|
||||
mode: "0750"
|
||||
owner: "{{ mysql_user_id }}"
|
||||
group: "{{ mysql_group_id }}"
|
||||
tags:
|
||||
- tasks
|
||||
- tasks::folders
|
||||
@@ -44,6 +44,7 @@
|
||||
- name: Read system id
|
||||
ansible.builtin.command: |
|
||||
read_system_id
|
||||
changed_when: false
|
||||
register: system_id
|
||||
|
||||
- name: Download key file from Key server
|
||||
|
||||
+10
-1
@@ -1,11 +1,20 @@
|
||||
[all]
|
||||
prod-01.alexpires.me
|
||||
dev-01.alexpires.dev
|
||||
|
||||
[linux]
|
||||
[hardening]
|
||||
prod-01.alexpires.me
|
||||
dev-01.alexpires.dev
|
||||
|
||||
[ubuntu]
|
||||
prod-01.alexpires.me
|
||||
dev-01.alexpires.dev
|
||||
|
||||
[public]
|
||||
prod-01.alexpires.me
|
||||
|
||||
[private]
|
||||
dev-01.alexpires.me
|
||||
|
||||
[gitea]
|
||||
prod-01.alexpires.me
|
||||
|
||||
Reference in New Issue
Block a user