ProjectSegfault/ansible
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Enable UFW; add more pkgs; diff encrypted pass per user; add backports by def; add more sysctls; install docker; auto-configure borg, tailscale

Browse Source
This commit is contained in:
Arya
2024-01-06 22:32:19 +05:30
parent bda495537a
commit 630724be56
10 changed files with 363 additions and 104 deletions
Download Patch File Download Diff File Expand all files Collapse all files

168
all/playbook.yaml
View File

@@ -1,30 +1,59 @@
- name: Install shit
- name: Playbook to Provision / Re-configure Node
hosts: all
vars:
users:
- name: arya
password: {{arya_encrypted_pass}}
- name: devrand
password: {{devrand_encrypted_pass}}
- name: midou
password: {{midou_encrypted_pass}}
- name: ansiblerunner
password: {{ansiblerunner_encrypted_pass}}
tasks:
- name: Std Repo stuff
- name: Enable backports
ansible.builtin.apt_repository:
repo: deb http://deb.debian.org/debian bookworm-backports main contrib
state: present
- name: Install Required Programs / APT
ansible.builtin.apt:
update_cache: true
name:
- htop
- vim
- neovim # Something went wrong!
- curl
- wget
# Misc
- sudo
- net-tools
- nmap
- python3-pip
- python3-passlib
- vnstat
- chrony
- tmux
- nala
- apt-file
# Monitoring
- htop
- gdu
- btop
- iperf3
- iotop
- vnstat
- neofetch
- tmux
- prometheus-node-exporter
- goaccess
- nala
# Text Editing
- vim
- neovim
- curl
- wget
# Backups
- borgbackup
- rsync
# Basic Networking
- net-tools
- nmap
# Python3
- python3-pip
- python3-passlib # Ansible User Creation
- python3-pyroute2 # for smart-ipv6-rotator
- python3-requests # for smart-ipv6-rotator
# Speed Tests
- iperf3
- speedtest-cli
# Security
- ufw
- name: Enable VNStat service
ansible.builtin.service:
name: vnstat
@@ -40,26 +69,43 @@
name: prometheus-node-exporter
enabled: true
state: started
- name: Sysctl
hosts: all
tasks:
- name: Enable UFW service
ansible.builtin.service:
name: ufw
enabled: true
state: started
- name: Disable dmesg logging to console
ansible.posix.sysctl:
name: kernel.printk
value: "3 4 1 3"
state: present
sysctl_set: true
- name: Add users
hosts: all
vars:
users:
- arya
- mrlerien
- devrand
- midou
- ansiblerunner
password: d404559f602eab6fd602ac7680dacbfaadd13630335e951f097af3900e9de176b6db28512f2e000b9d04fba5133e8b1c6e8df59db3a8ab9d60be4b97cc9e81db
tasks:
- name: Allow binding to non-local IPs / IPv6
ansible.posix.sysctl:
name: net.ipv6.ip_nonlocal_bind
value: "1"
state: present
sysctl_set: true
- name: Allow IP forwarding / IPv4
ansible.posix.sysctl:
name: net.ipv4.ip_forward
value: "1"
state: present
sysctl_set: true
- name: Allow IP forwarding / IPv6
ansible.posix.sysctl:
name: net.ipv6.conf.all.forwarding
value: "1"
state: present
sysctl_set: true
- name: Swappiness
ansible.posix.sysctl:
name: vm.swappiness
value: "60"
state: present
sysctl_set: true
- name: Bashrc skel
ansible.builtin.template:
src: templates/bashrc.j2
@@ -100,31 +146,31 @@
src: templates/prompt.j2
dest: /root/.prompt
mode: preserve
- name: Add user
ansible.builtin.user:
name: "{{ item }}"
name: "{{ item.name }}"
group: users
groups: users,sudo
password: "{{ password }}"
password: "{{ item.password }}"
shell: /bin/bash
update_password: on_create # Add the same initial password for all users (can be overwritten by user)
with_items:
- "{{ users }}"
- name: "Add authorized keys"
ansible.posix.authorized_key:
user: "{{ item }}"
user: "{{ item.name }}"
key: "{{ lookup('file', 'files/' + item + '.pub') }}"
with_items:
- "{{ users }}"
- name: "Allow admin users to sudo without a password"
ansible.builtin.lineinfile:
dest: "/etc/sudoers" # path: in version 2.3
state: "present"
regexp: "^%sudo"
line: "%sudo ALL=(ALL) NOPASSWD: ALL"
- name: Configure SSHD
hosts: all
tasks:
- name: Sshd configuration file update
ansible.builtin.template:
src: templates/sshd_config.j2
@@ -142,3 +188,53 @@
name: ssh
enabled: true
state: restarted
roles:
- role: geerlingguy.docker
docker_install_compose_plugin: true
docker_compose_package: docker-compose-plugin
docker_compose_package_state: present
- role: artis3n.tailscale
# Future Sysadmin seeing this: if this fails; it is because the key is only valid for 365 days (from Jan 6 2024)
tailscale_authkey: "{{tailscale_authkey}}"
tailscale_args: "--login-server https://hs.projectsegfau.lt --accept-dns=false"
- role: borgbase.ansible_role_borgbackup
borg_repository:
- ssh://zh3117@zh3117.rsync.net/data1/home/zh3117/backups/{{rsyncnet_slug}}
borg_source_directories: {{bkp_source_directories}}
borg_exclude_patterns: {{bkp_exclude_patterns}}
borg_remote_path: /usr/local/bin/borg_1.2.4/borg1
borgmatic_hooks:
postgresql_databases: {{bkp_postgresql_databases}}
healthchecks:
ping_url: https://healthchecks.projectsegfau.lt/ping/{{bkp_hc_uuid}}
states:
- finish
borg_retention_policy:
keep_daily: 7
keep_weekly: 4
keep_monthly: 3
borg_encryption_passcommand: cat /etc/borgmatic/passphrase # very secure I know; it has to be plain text anyway for automated backups, unless there is a better way (in which case please email me@aryak.me)
- name: UFW Firewall Configuration
hosts: eu,us # IN is behind router so no f/w is needed
tasks:
- name: Enable UFW
community.general.ufw:
state: enabled
policy: deny
- name: Allow all in from tailscale
community.general.ufw:
rule: allow
interface: tailscale0
direction: in
- name: Allow all in from wg (if its there)
community.general.ufw:
rule: allow
interface: wg0
direction: in
- name: Deny rules
community.general.ufw:
rule: allow
port: {{item.port}}
proto: {{item.proto}}
with_items:
- "{{ ufw_deny_rules }}"