feat: Update Ansible playbooks and host variables for improved organization and functionality

This commit is contained in:
2025-05-02 14:24:08 +02:00
parent 0eaadbe6a7
commit 5b341c9430
14 changed files with 101 additions and 75 deletions
@@ -4,7 +4,9 @@ on:
branches:
- main
paths:
- ansible/host_vars/*.yml
- ansible/host_vars/*.alexpires.me.yml
- ansible/host_vars/*.a13labs.me.yml
- ansible/host_vars/*.a13labs.pt.yml
jobs:
ansible-apply:
runs-on: ubuntu-latest
@@ -38,7 +40,6 @@ jobs:
CHANGED_FILES: ${{ steps.setup_env.outputs.CHANGED_FILES }}
run: |
cd ansible
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_login.yml
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_fail2ban.yml
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_geoip.yml
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_duo_security.yml
@@ -46,7 +47,7 @@ jobs:
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_microk8s.yml
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_gitea.yml
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_nextcloud.yml
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_wordpress.yml
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_websites.yml
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_m3uproxy.yml
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_monitoring.yml
sectool -f ../sectool.json exec ansible-playbook -u $ANSIBLE_USER playbook_rustdesk.yml
@@ -6,6 +6,7 @@ on:
paths:
- ansible/playbook_*.yml
- '!ansible/playbook_websites.yml'
- '!ansible/playbook_hardening*.yml'
jobs:
ansible-apply:
runs-on: ubuntu-latest
@@ -0,0 +1,76 @@
hostname: dev-01.alexpires.local
ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}"
# Users
login_users:
- username: "{{ ansible_user }}"
comment: "Managed by Ansible"
sudoer: true
sudoer_root_only: true
sudoer_no_password: true
pubkey: "{{ lookup('file', 'keys/ansible_user.pub') }}"
password_disabled: true
- username: operator
comment: "Managed by Ansible"
sudoer: true
pubkey: "{{ lookup('file', 'keys/operator.pub') }}"
# SSH Connection and security
sshd_port: 22
ssh_allowed_networks:
- "0.0.0.0/0"
sshd_admin_net: "0.0.0.0/0"
sshd_allow_groups: "{{ ansible_user }} users"
sshd_permit_root_login: "no"
sshd_password_authentication: "no"
sshd_allow_tcp_forwarding: "yes"
# Due to an issue increase the number of max auth tries
sshd_max_auth_tries: 10
# Firewall ports
ufw_enable: true
fw_allowed_ports:
- { rule: "allow", port: "80", proto: "tcp" }
- { rule: "allow", port: "443", proto: "tcp" }
- { rule: "allow", port: "22", proto: "tcp" }
ufw_outgoing_traffic:
- 22 # SSH
- 53 # DNS
- 80 # HTTP
- 123 # NTP
- 443 # HTTPS
- 853 # DNS over TLS
ufw_default_forward_policy: "ACCEPT"
ipv4_sysctl_settings:
net.ipv4.ip_forward: 1
disable_ipv6: true
# geoip will override hosts_allow and hosts_deny (so it's disabled - CIS hardening)
custom_hosts_acls: true
# fail2ban
fail2ban_jails:
ssh:
enabled: true
port: "{{ sshd_port }}"
filter: "sshd"
logpath: "/var/log/auth.log"
maxretry: 5
findtime: 600
bantime: 3600
# aide
install_aide: false
# Unattended upgrades
unattended_reboot: true
unattended_reboot_time: "04:30"
# Duo Security
duo_users: ["*", "!provision"]
duo_api_hostname: api-7cda1654.duosecurity.com
-22
View File
@@ -1,22 +0,0 @@
---
- name: CIS Hardening
hosts: linux
gather_facts: true
roles:
- role: "cis"
tags:
- roles
- roles::cis
- role: "fail2ban"
tags:
- roles
- roles::fail2ban
- role: "geoip"
tags:
- roles
- roles::geoip
- role: "duo"
tags:
- roles
- roles::duosecurity
+2 -2
View File
@@ -1,6 +1,6 @@
---
- name: Duo Security
hosts: linux
- name: Duo Security
hosts: public
gather_facts: true
roles:
+1 -1
View File
@@ -1,6 +1,6 @@
---
- name: Setup encrypted volumes
hosts: linux
hosts: public
gather_facts: true
roles:
+1 -1
View File
@@ -1,6 +1,6 @@
---
- name: Fail2Ban
hosts: linux
hosts: public
gather_facts: true
roles:
+1 -1
View File
@@ -1,6 +1,6 @@
---
- name: Fail2Ban
hosts: linux
hosts: public
gather_facts: true
roles:
@@ -1,6 +1,6 @@
---
- name: CIS Hardening
hosts: localnetwork
hosts: hardening
gather_facts: true
roles:
@@ -1,6 +1,6 @@
---
- name: Login setup
hosts: linux
hosts: all
gather_facts: true
roles:
+2 -2
View File
@@ -16,7 +16,7 @@
- name: Set required facts
ansible.builtin.set_fact:
mail_folders:
mail_folders:
- "{{ mail_home }}/getmail"
- "{{ mail_home }}/mailboxes"
tags: always
@@ -54,7 +54,7 @@
mode: "0750"
owner: "{{ postfix_user_id }}"
group: "{{ postfix_group_id }}"
loop:
loop:
- "{{ mail_home }}/postfix"
tags:
- tasks
-40
View File
@@ -1,40 +0,0 @@
---
- name: Wordpress Playbook (K8s)
hosts: wordpress
gather_facts: true
# Specific tasks for this playbook
tasks:
- name: Set required facts
ansible.builtin.set_fact:
wordpress_home: "{{ persistent_data | default('/var/lib') }}/wordpress"
wordpress_mysql_home: "{{ database_path | default('/var/lib') }}/mysql.wordpress"
wordpress_user_id: 33
wordpress_group_id: 26
mysql_user_id: 999
mysql_group_id: 107
tags: always
- name: Create required wordpress data folder
become: true
ansible.builtin.file:
state: directory
path: "{{ wordpress_home }}"
mode: "0750"
owner: "{{ wordpress_user_id }}"
group: "{{ wordpress_group_id }}"
tags:
- tasks
- tasks::folders
- name: Create required mysql data folder
become: true
ansible.builtin.file:
state: directory
path: "{{ wordpress_mysql_home }}"
mode: "0750"
owner: "{{ mysql_user_id }}"
group: "{{ mysql_group_id }}"
tags:
- tasks
- tasks::folders
@@ -44,6 +44,7 @@
- name: Read system id
ansible.builtin.command: |
read_system_id
changed_when: false
register: system_id
- name: Download key file from Key server
+10 -1
View File
@@ -1,11 +1,20 @@
[all]
prod-01.alexpires.me
dev-01.alexpires.dev
[linux]
[hardening]
prod-01.alexpires.me
dev-01.alexpires.dev
[ubuntu]
prod-01.alexpires.me
dev-01.alexpires.dev
[public]
prod-01.alexpires.me
[private]
dev-01.alexpires.me
[gitea]
prod-01.alexpires.me