hostname: prod-01.alexpires.me ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}" # Users login_users: - username: "{{ ansible_user }}" comment: "Managed by Ansible" sudoer: true sudoer_root_only: true sudoer_no_password: true pubkey: "{{ lookup('file', 'keys/ansible_user.pub') }}" password_disabled: true - username: operator comment: "Managed by Ansible" sudoer: true pubkey: "{{ lookup('file', 'keys/operator.pub') }}" password_expiration: false - username: git comment: "Managed by Ansible" shell: "/usr/local/bin/gitea-shell" password_disabled: true password_expiration: false # SSH Connection and security sshd_port: 22 ssh_allowed_networks: - "0.0.0.0/0" sshd_admin_net: "0.0.0.0/0" sshd_allow_groups: "{{ ansible_user }} git users" sshd_permit_root_login: "no" sshd_password_authentication: "no" sshd_allow_tcp_forwarding: "yes" # Due to an issue increase the number of max auth tries sshd_max_auth_tries: 10 # Firewall ports ufw_enable: true fw_allowed_ports: - { rule: "allow", port: "80", proto: "tcp" } - { rule: "allow", port: "443", proto: "tcp" } - { rule: "allow", port: "22", proto: "tcp" } - { rule: "allow", port: "993", proto: "tcp" } - { rule: "allow", port: "465", proto: "tcp" } - { rule: "allow", port: "21115", proto: "tcp" } - { rule: "allow", port: "21116", proto: "tcp" } - { rule: "allow", port: "21116", proto: "udp" } - { rule: "allow", port: "21117", proto: "tcp" } - { rule: "allow", port: "16443", proto: "tcp", from: "10.1.0.0/16" } - { rule: "allow", port: "10254", proto: "tcp", from: "10.1.0.0/16" } # Access to the Kube API Server from the Office - { rule: "allow", port: "16443", proto: "tcp", from: "188.82.170.183" } # VPN to Portugal - { rule: "allow", port: "10254", proto: "tcp", from: "147.78.131.194" } ufw_outgoing_traffic: - 22 # SSH - 53 # DNS - 80 # HTTP - 123 # NTP - 443 # HTTPS - 853 # DNS over TLS - 10250 # Kubelet - 16443 # Kube API Server - 4443 - 9443 - 995 # POP3S ufw_default_forward_policy: "ACCEPT" ipv4_sysctl_settings: net.ipv4.ip_forward: 1 disable_ipv6: true # geoip will override hosts_allow and hosts_deny (so it's disabled - CIS hardening) custom_hosts_acls: true # GeoIP subscription geoip_sshd_enabled: true geoip_ssh_allowed_zones: - "BE" - "PT" geoip_ssh_allowed_networks: - "0.0.0.0/0" # fail2ban fail2ban_jails: ssh: enabled: true port: "{{ sshd_port }}" filter: "sshd" logpath: "/var/log/auth.log" maxretry: 5 findtime: 600 bantime: 3600 postfix: enabled: true port: "smtp,ssmtp" filter: "postfix-k8s" logpath: "/var/log/postfix/current" maxretry: 3 findtime: 18000 bantime: -1 fail2ban_filters: postfix-k8s: Definition: failregex: "^.*?postfix/smtps/smtpd\\[\\d+\\]:.*\\[\\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed.*$" ignoreregex: "" # aide install_aide: true aide_exclude: - "!/var/lib/snapd" - "!/mnt/microk8s_persistent" - "!/var/lib/encrypted_volumes" # Unattended upgrades unattended_reboot: true unattended_reboot_time: "04:30" # Encrypted volumes encryption_volumes: - name: "microk8s_config" size: "0.1G" key_server: https://a13labs-infra-53d7as6g1sh19k.s3.fr-par.scw.cloud/keys fetch_key_service_before: snap.microk8s.daemon-kubelite.service fetch_key_service_after: network-online.target fetch_key_service_wantedby: snap.microk8s.daemon-kubelite.service mount_service_before: snap.microk8s.daemon-kubelite.service mount_service_wantedby: snap.microk8s.daemon-kubelite.service - name: "microk8s_persistent" size: "150G" key_server: https://a13labs-infra-53d7as6g1sh19k.s3.fr-par.scw.cloud/keys fetch_key_service_before: snap.microk8s.daemon-kubelite.service fetch_key_service_after: network-online.target fetch_key_service_wantedby: snap.microk8s.daemon-kubelite.service mount_service_before: snap.microk8s.daemon-kubelite.service mount_service_wantedby: snap.microk8s.daemon-kubelite.service mount_permission: "0755" encryption_kms_socket: /var/run/kmsplugin/socket.sock # Kubernetes specific settings microk8s_version: 1.29 microk8s_allowed_hosts: - 87.67.163.177 microk8s_alt_names: "{{ hostname }}" # Let's encrypt issuer microk8s_issuer_email: c.alexandre.pires@alexpires.me microk8s_encryption_cfg: /mnt/microk8s_config/microk8s_encryption.yaml microk8s_encryption_secret: "{{ lookup('env', 'MICROK8S_ENCRYPTION_SECRET') }}" microk8s_encryption_kms_socket: /var/run/kmsplugin/socket.sock microk8s_users: - username: operator enabled: true - username: git namespace: "gitea" enabled: true # Duo Security duo_users: ["*", "!provision", "!git"] duo_api_hostname: api-7cda1654.duosecurity.com # Apps persistent_data: "/mnt/microk8s_persistent" database_path: "/var/lib" # Websites websites: - "alexpires.me"