Files
a13labs.infra/ansible/host_vars/prod-01.alexpires.me.yml
T
alexandre.pires 4e5346e2e0 feat: Enhance website deployment and build process
- Added rsync installation in setup-env action for file synchronization.
- Excluded playbook_websites.yml from ansible-apply-playbook workflow.
- Created a new workflow for building and releasing the Hugo website.
- Added submodule for Hugo theme in .gitmodules.
- Updated host_vars for production to include websites configuration.
- Introduced playbook_websites.yml for managing static files deployment.
- Implemented hugo_build script for building and archiving Hugo sites.
- Updated inventory to include a new web group for website deployment.
- Refactored Terraform configuration to support new website structure.
- Removed deprecated WordPress Terraform configuration.
- Added .gitignore files for websites and specific Hugo site.
- Created archetype and configuration files for the Hugo site.
- Added static assets including CV and images for the Hugo site.
- Integrated Hugo profile theme as a submodule for the website.
2025-04-27 14:03:56 +02:00

170 lines
4.7 KiB
YAML

hostname: prod-01.alexpires.me
ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}"
# Users
login_users:
- username: "{{ ansible_user }}"
comment: "Managed by Ansible"
sudoer: true
sudoer_root_only: true
sudoer_no_password: true
pubkey: "{{ lookup('file', 'keys/ansible_user.pub') }}"
password_disabled: true
- username: operator
comment: "Managed by Ansible"
sudoer: true
pubkey: "{{ lookup('file', 'keys/operator.pub') }}"
- username: git
comment: "Managed by Ansible"
shell: "/usr/local/bin/gitea-shell"
password_disabled: true
password_expiration: false
# SSH Connection and security
sshd_port: 22
ssh_allowed_networks:
- "0.0.0.0/0"
sshd_admin_net: "0.0.0.0/0"
sshd_allow_groups: "{{ ansible_user }} git users"
sshd_permit_root_login: "no"
sshd_password_authentication: "no"
sshd_allow_tcp_forwarding: "yes"
# Due to an issue increase the number of max auth tries
sshd_max_auth_tries: 10
# Firewall ports
ufw_enable: true
fw_allowed_ports:
- { rule: "allow", port: "80", proto: "tcp" }
- { rule: "allow", port: "443", proto: "tcp" }
- { rule: "allow", port: "22", proto: "tcp" }
- { rule: "allow", port: "993", proto: "tcp" }
- { rule: "allow", port: "465", proto: "tcp" }
- { rule: "allow", port: "21115", proto: "tcp" }
- { rule: "allow", port: "21116", proto: "tcp" }
- { rule: "allow", port: "21116", proto: "udp" }
- { rule: "allow", port: "21117", proto: "tcp" }
- { rule: "allow", port: "16443", proto: "tcp", from: "10.1.0.0/16" }
- { rule: "allow", port: "10254", proto: "tcp", from: "10.1.0.0/16" }
# Access to the Kube API Server from the Office
- { rule: "allow", port: "16443", proto: "tcp", from: "188.82.170.183" }
# VPN to Portugal
- { rule: "allow", port: "10254", proto: "tcp", from: "147.78.131.194" }
ufw_outgoing_traffic:
- 22 # SSH
- 53 # DNS
- 80 # HTTP
- 123 # NTP
- 443 # HTTPS
- 853 # DNS over TLS
- 10250 # Kubelet
- 16443 # Kube API Server
- 4443
- 9443
- 995 # POP3S
ufw_default_forward_policy: "ACCEPT"
ipv4_sysctl_settings:
net.ipv4.ip_forward: 1
disable_ipv6: true
# geoip will override hosts_allow and hosts_deny (so it's disabled - CIS hardening)
custom_hosts_acls: true
# GeoIP subscription
geoip_sshd_enabled: true
geoip_ssh_allowed_zones:
- "BE"
- "PT"
geoip_ssh_allowed_networks:
- "0.0.0.0/0"
# fail2ban
fail2ban_jails:
ssh:
enabled: true
port: "{{ sshd_port }}"
filter: "sshd"
logpath: "/var/log/auth.log"
maxretry: 5
findtime: 600
bantime: 3600
postfix:
enabled: true
port: "smtp,ssmtp"
filter: "postfix-k8s"
logpath: "/var/log/postfix/current"
maxretry: 3
findtime: 18000
bantime: -1
fail2ban_filters:
postfix-k8s:
Definition:
failregex: "^.*?postfix/smtps/smtpd\\[\\d+\\]:.*\\[<HOST>\\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed.*$"
ignoreregex: ""
# aide
install_aide: true
aide_exclude:
- "!/var/lib/snapd"
- "!/mnt/microk8s_persistent"
- "!/var/lib/encrypted_volumes"
# Unattended upgrades
unattended_reboot: true
unattended_reboot_time: "04:30"
# Encrypted volumes
encryption_volumes:
- name: "microk8s_config"
size: "0.1G"
key_server: https://a13labs-infra-53d7as6g1sh19k.s3.fr-par.scw.cloud/keys
fetch_key_service_before: snap.microk8s.daemon-kubelite.service
fetch_key_service_after: network-online.target
fetch_key_service_wantedby: snap.microk8s.daemon-kubelite.service
mount_service_before: snap.microk8s.daemon-kubelite.service
mount_service_wantedby: snap.microk8s.daemon-kubelite.service
- name: "microk8s_persistent"
size: "150G"
key_server: https://a13labs-infra-53d7as6g1sh19k.s3.fr-par.scw.cloud/keys
fetch_key_service_before: snap.microk8s.daemon-kubelite.service
fetch_key_service_after: network-online.target
fetch_key_service_wantedby: snap.microk8s.daemon-kubelite.service
mount_service_before: snap.microk8s.daemon-kubelite.service
mount_service_wantedby: snap.microk8s.daemon-kubelite.service
mount_permission: "0755"
# Kubernetes specific settings
microk8s_version: 1.29
microk8s_allowed_hosts:
- 87.67.163.177
microk8s_alt_names: "{{ hostname }}"
# Let's encrypt issuer
microk8s_issuer_email: c.alexandre.pires@alexpires.me
microk8s_encryption_cfg: /mnt/microk8s_config/microk8s_encryption.yaml
microk8s_encryption_secret: "{{ lookup('env', 'MICROK8S_ENCRYPTION_SECRET') }}"
microk8s_users:
- username: operator
enabled: true
- username: git
namespace: "gitea"
enabled: true
# Duo Security
duo_users: ["*", "!provision", "!git"]
duo_api_hostname: api-7cda1654.duosecurity.com
# Apps
persistent_data: "/mnt/microk8s_persistent"
database_path: "/var/lib"
# Websites
websites:
- "alexpires.me"