Refactor host_vars and inventory paths for prod-01.alexpires.me
This commit is contained in:
@@ -0,0 +1,140 @@
|
||||
hostname: prod-01.alexpires.me
|
||||
ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}"
|
||||
|
||||
# Users
|
||||
login_users:
|
||||
- username: "{{ ansible_user }}"
|
||||
comment: "Managed by Ansible"
|
||||
sudoer: true
|
||||
sudoer_root_only: true
|
||||
sudoer_no_password: true
|
||||
pubkey: "{{ lookup('file', 'keys/ansible_user.pub') }}"
|
||||
password_disabled: true
|
||||
- username: operator
|
||||
comment: "Managed by Ansible"
|
||||
sudoer: true
|
||||
pubkey: "{{ lookup('file', 'keys/operator.pub') }}"
|
||||
- username: git
|
||||
comment: "Managed by Ansible"
|
||||
shell: "/usr/local/bin/gitea-shell"
|
||||
password_disabled: true
|
||||
password_expiration: false
|
||||
|
||||
# SSH Connection and security
|
||||
sshd_port: 22
|
||||
ssh_allowed_networks:
|
||||
- "0.0.0.0/0"
|
||||
sshd_admin_net: "0.0.0.0/0"
|
||||
sshd_allow_groups: "{{ ansible_user }} git users"
|
||||
sshd_permit_root_login: "no"
|
||||
sshd_password_authentication: "no"
|
||||
sshd_allow_tcp_forwarding: "yes"
|
||||
|
||||
# Due to an issue increase the number of max auth tries
|
||||
sshd_max_auth_tries: 10
|
||||
|
||||
# Firewall ports
|
||||
ufw_enable: true
|
||||
fw_allowed_ports:
|
||||
- { rule: "allow", port: "80", proto: "tcp" }
|
||||
- { rule: "allow", port: "443", proto: "tcp" }
|
||||
- { rule: "allow", port: "22", proto: "tcp" }
|
||||
- { rule: "allow", port: "16443", proto: "tcp", from: "10.1.0.0/16" }
|
||||
- { rule: "allow", port: "10254", proto: "tcp", from: "10.1.0.0/16" }
|
||||
- { rule: "allow", port: "10254", proto: "tcp", from: "147.78.131.194" }
|
||||
|
||||
ufw_outgoing_traffic:
|
||||
- 22 # SSH
|
||||
- 53 # DNS
|
||||
- 80 # HTTP
|
||||
- 123 # NTP
|
||||
- 443 # HTTPS
|
||||
- 853 # DNS over TLS
|
||||
- 10250 # Kubelet
|
||||
- 16443 # Kube API Server
|
||||
- 4443
|
||||
- 9443
|
||||
|
||||
ufw_default_forward_policy: "ACCEPT"
|
||||
|
||||
ipv4_sysctl_settings:
|
||||
net.ipv4.ip_forward: 1
|
||||
|
||||
disable_ipv6: true
|
||||
|
||||
# geoip will override hosts_allow and hosts_deny (so it's disabled - CIS hardening)
|
||||
custom_hosts_acls: true
|
||||
|
||||
# GeoIP subscription
|
||||
geoip_sshd_enabled: true
|
||||
geoip_ssh_allowed_zones:
|
||||
- "BE"
|
||||
- "PT"
|
||||
geoip_ssh_allowed_networks:
|
||||
- "0.0.0.0/0"
|
||||
|
||||
# fail2ban
|
||||
fail2ban_jails:
|
||||
ssh:
|
||||
enabled: true
|
||||
port: "{{ sshd_port }}"
|
||||
filter: "sshd"
|
||||
logpath: "/var/log/auth.log"
|
||||
maxretry: 5
|
||||
findtime: 600
|
||||
bantime: 3600
|
||||
|
||||
# aide
|
||||
install_aide: true
|
||||
aide_exclude:
|
||||
- "!/var/lib/snapd"
|
||||
- "!/mnt/microk8s_persistent"
|
||||
- "!/var/lib/encrypted_volumes"
|
||||
|
||||
# Unattended upgrades
|
||||
unattended_reboot: true
|
||||
unattended_reboot_time: "04:30"
|
||||
|
||||
# Encrypted volumes
|
||||
encryption_volumes:
|
||||
- name: "microk8s_config"
|
||||
size: "0.1G"
|
||||
key_server: https://a13labs-infra-53d7as6g1sh19k.s3.fr-par.scw.cloud/keys
|
||||
fetch_key_service_before: snap.microk8s.daemon-kubelite.service
|
||||
fetch_key_service_after: network-online.target
|
||||
fetch_key_service_wantedby: snap.microk8s.daemon-kubelite.service
|
||||
mount_service_before: snap.microk8s.daemon-kubelite.service
|
||||
mount_service_wantedby: snap.microk8s.daemon-kubelite.service
|
||||
- name: "microk8s_persistent"
|
||||
size: "150G"
|
||||
key_server: https://a13labs-infra-53d7as6g1sh19k.s3.fr-par.scw.cloud/keys
|
||||
fetch_key_service_before: snap.microk8s.daemon-kubelite.service
|
||||
fetch_key_service_after: network-online.target
|
||||
fetch_key_service_wantedby: snap.microk8s.daemon-kubelite.service
|
||||
mount_service_before: snap.microk8s.daemon-kubelite.service
|
||||
mount_service_wantedby: snap.microk8s.daemon-kubelite.service
|
||||
mount_permission: "0755"
|
||||
|
||||
# Kubernetes specific settings
|
||||
microk8s_version: 1.29
|
||||
microk8s_allowed_hosts:
|
||||
- 87.67.163.177
|
||||
microk8s_alt_names: "{{ hostname }}"
|
||||
|
||||
# Let's encrypt issuer
|
||||
microk8s_issuer_email: c.alexandre.pires@alexpires.me
|
||||
microk8s_encryption_cfg: /mnt/microk8s_config/microk8s_encryption.yaml
|
||||
microk8s_encryption_secret: "{{ lookup('env', 'MICROK8S_ENCRYPTION_SECRET') }}"
|
||||
microk8s_users:
|
||||
- username: operator
|
||||
enabled: true
|
||||
- username: git
|
||||
namespace: "gitea"
|
||||
enabled: true
|
||||
|
||||
# Duo Security
|
||||
duo_users: ["*", "!provision", "!git"]
|
||||
duo_api_hostname: api-7cda1654.duosecurity.com
|
||||
|
||||
# Apps
|
||||
persistent_data: "/mnt/microk8s_persistent"
|
||||
Reference in New Issue
Block a user