Enable UFW; add more pkgs; diff encrypted pass per user; add backports by def; add more sysctls; install docker; auto-configure borg, tailscale

This commit is contained in:
Arya 2024-01-06 22:32:19 +05:30
parent bda495537a
commit 630724be56
Signed by: arya
GPG Key ID: 842D12BDA50DF120
10 changed files with 363 additions and 104 deletions


@ -1,30 +1,59 @@
- name: Install shit - name: Playbook to Provision / Re-configure Node
hosts: all hosts: all
vars:
users:
- name: arya
password: {{arya_encrypted_pass}}
- name: devrand
password: {{devrand_encrypted_pass}}
- name: midou
password: {{midou_encrypted_pass}}
- name: ansiblerunner
password: {{ansiblerunner_encrypted_pass}}
tasks: tasks:
- name: Std Repo stuff - name: Enable backports
ansible.builtin.apt_repository:
repo: deb http://deb.debian.org/debian bookworm-backports main contrib
state: present
- name: Install Required Programs / APT
ansible.builtin.apt: ansible.builtin.apt:
update_cache: true
name: name:
- htop # Misc
- vim
- neovim # Something went wrong!
- curl
- wget
- sudo - sudo
- net-tools
- nmap
- python3-pip
- python3-passlib
- vnstat
- chrony - chrony
- tmux
- nala
- apt-file
# Monitoring
- htop
- gdu - gdu
- btop - btop
- iperf3 - iotop
- vnstat
- neofetch - neofetch
- tmux
- prometheus-node-exporter - prometheus-node-exporter
- goaccess - goaccess
- nala # Text Editing
- vim
- neovim
- curl
- wget
# Backups
- borgbackup
- rsync
# Basic Networking
- net-tools
- nmap
# Python3
- python3-pip
- python3-passlib # Ansible User Creation
- python3-pyroute2 # for smart-ipv6-rotator
- python3-requests # for smart-ipv6-rotator
# Speed Tests
- iperf3
- speedtest-cli
# Security
- ufw
- name: Enable VNStat service - name: Enable VNStat service
ansible.builtin.service: ansible.builtin.service:
name: vnstat name: vnstat
@ -40,26 +69,43 @@
name: prometheus-node-exporter name: prometheus-node-exporter
enabled: true enabled: true
state: started state: started
- name: Sysctl - name: Enable UFW service
hosts: all ansible.builtin.service:
tasks: name: ufw
enabled: true
state: started
- name: Disable dmesg logging to console - name: Disable dmesg logging to console
ansible.posix.sysctl: ansible.posix.sysctl:
name: kernel.printk name: kernel.printk
value: "3 4 1 3" value: "3 4 1 3"
state: present state: present
sysctl_set: true sysctl_set: true
- name: Add users - name: Allow binding to non-local IPs / IPv6
hosts: all ansible.posix.sysctl:
vars: name: net.ipv6.ip_nonlocal_bind
users: value: "1"
- arya state: present
- mrlerien sysctl_set: true
- devrand - name: Allow IP forwarding / IPv4
- midou ansible.posix.sysctl:
- ansiblerunner name: net.ipv4.ip_forward
password: d404559f602eab6fd602ac7680dacbfaadd13630335e951f097af3900e9de176b6db28512f2e000b9d04fba5133e8b1c6e8df59db3a8ab9d60be4b97cc9e81db value: "1"
tasks: state: present
sysctl_set: true
- name: Allow IP forwarding / IPv6
ansible.posix.sysctl:
name: net.ipv6.conf.all.forwarding
value: "1"
state: present
sysctl_set: true
- name: Swappiness
ansible.posix.sysctl:
name: vm.swappiness
value: "60"
state: present
sysctl_set: true
- name: Bashrc skel - name: Bashrc skel
ansible.builtin.template: ansible.builtin.template:
src: templates/bashrc.j2 src: templates/bashrc.j2
@ -100,31 +146,31 @@
src: templates/prompt.j2 src: templates/prompt.j2
dest: /root/.prompt dest: /root/.prompt
mode: preserve mode: preserve
- name: Add user - name: Add user
ansible.builtin.user: ansible.builtin.user:
name: "{{ item }}" name: "{{ item.name }}"
group: users group: users
groups: users,sudo groups: users,sudo
password: "{{ password }}" password: "{{ item.password }}"
shell: /bin/bash shell: /bin/bash
update_password: on_create # Add the same initial password for all users (can be overwritten by user) update_password: on_create # Add the same initial password for all users (can be overwritten by user)
with_items: with_items:
- "{{ users }}" - "{{ users }}"
- name: "Add authorized keys" - name: "Add authorized keys"
ansible.posix.authorized_key: ansible.posix.authorized_key:
user: "{{ item }}" user: "{{ item.name }}"
key: "{{ lookup('file', 'files/' + item + '.pub') }}" key: "{{ lookup('file', 'files/' + item + '.pub') }}"
with_items: with_items:
- "{{ users }}" - "{{ users }}"
- name: "Allow admin users to sudo without a password" - name: "Allow admin users to sudo without a password"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: "/etc/sudoers" # path: in version 2.3 dest: "/etc/sudoers" # path: in version 2.3
state: "present" state: "present"
regexp: "^%sudo" regexp: "^%sudo"
line: "%sudo ALL=(ALL) NOPASSWD: ALL" line: "%sudo ALL=(ALL) NOPASSWD: ALL"
- name: Configure SSHD
hosts: all
tasks:
- name: Sshd configuration file update - name: Sshd configuration file update
ansible.builtin.template: ansible.builtin.template:
src: templates/sshd_config.j2 src: templates/sshd_config.j2
@ -142,3 +188,53 @@
name: ssh name: ssh
enabled: true enabled: true
state: restarted state: restarted
roles:
- role: geerlingguy.docker
docker_install_compose_plugin: true
docker_compose_package: docker-compose-plugin
docker_compose_package_state: present
- role: artis3n.tailscale
# Future Sysadmin seeing this: if this fails; it is because the key is only valid for 365 days (from Jan 6 2024)
tailscale_authkey: "{{tailscale_authkey}}"
tailscale_args: "--login-server https://hs.projectsegfau.lt --accept-dns=false"
- role: borgbase.ansible_role_borgbackup
borg_repository:
- ssh://zh3117@zh3117.rsync.net/data1/home/zh3117/backups/{{rsyncnet_slug}}
borg_source_directories: {{bkp_source_directories}}
borg_exclude_patterns: {{bkp_exclude_patterns}}
borg_remote_path: /usr/local/bin/borg_1.2.4/borg1
borgmatic_hooks:
postgresql_databases: {{bkp_postgresql_databases}}
healthchecks:
ping_url: https://healthchecks.projectsegfau.lt/ping/{{bkp_hc_uuid}}
states:
- finish
borg_retention_policy:
keep_daily: 7
keep_weekly: 4
keep_monthly: 3
borg_encryption_passcommand: cat /etc/borgmatic/passphrase # very secure I know; it has to be plain text anyway for automated backups, unless there is a better way (in which case please email me@aryak.me)
- name: UFW Firewall Configuration
hosts: eu,us # IN is behind router so no f/w is needed
tasks:
- name: Enable UFW
community.general.ufw:
state: enabled
policy: deny
- name: Allow all in from tailscale
community.general.ufw:
rule: allow
interface: tailscale0
direction: in
- name: Allow all in from wg (if its there)
community.general.ufw:
rule: allow
interface: wg0
direction: in
- name: Deny rules
community.general.ufw:
rule: allow
port: {{item.port}}
proto: {{item.proto}}
with_items:
- "{{ ufw_deny_rules }}"
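Review bot: The `Deny rules` task closing the last hunk iterates `ufw_deny_rules` with `rule: allow`, but the variable files added in this commit (host_vars/eu/misc.yaml, host_vars/us/misc.yaml) define `ufw_allow_rules`, so as committed the loop variable is undefined, and if it were ever defined the task would open the listed ports rather than deny them; the loop should read `- "{{ ufw_allow_rules }}"` and the task name should say so. The values `port: {{item.port}}` and `proto: {{item.proto}}` start with `{{`, which YAML parses as a flow mapping before Ansible sees the template, so they need quoting as `port: "{{ item.port }}"` / `proto: "{{ item.proto }}"`; the same applies to the per-user `password: {{arya_encrypted_pass}}` entries in the first hunk and to `borg_source_directories`, `borg_exclude_patterns` and `postgresql_databases` in the roles block of this hunk. In the third hunk `Add authorized keys` still concatenates `'files/' + item + '.pub'` while `item` is now a mapping with `name` and `password`, so the lookup should use `item.name`, and the `update_password` comment about "the same initial password for all users" no longer describes what the task does.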


@ -1,11 +1,14 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
61353335333766313361356562623335303363653831383165636530333234383030303962613931 64373361323136313936333662343963373332633633363033346335646639616561386261376263
6131353234313634623166333539326635643939343030370a326435323338343535303030393233 6662326539303839633939663066626465383939626139380a663763336132396536373761373938
34333764386332663139353665613935623230343335336235643634666362356339313165663132 33363034343334313566356639313631323931643863363363373265303164306538323638356132
3335633432303033390a326564346637363534383239333031313361333234653136653231373363 6234633666303737650a643135613166313963656234336266643731376431626432626662313535
38663465656539653864313330313238383861373065356562373231613930653931306239356230 38646363656566366637336639613766636333383436313566666462303837393338343565306139
63363130323235346162316361383639386531303661313531373535313563623531376161356435 37626530633733386231633031623362653433353163666431626661386261343632646632636231
64363730663430343737353331323061303434363263313435363033613435313735333835393863 39663161323139623065326361663737623431343765643565653636623839306662393832643237
36363861353835356238643739633139313136343830613564623764646230323566353236636666 66663934653161363939373966306233346561623138353462383437623230363265626536346139
31626338313336616330333866326534306331373666663430313438383163643837376166316633 39366365343331653232663465343630393434326437393033633864343636623437366139383730
3263366236656464623063636333323465363338326366663838 32373939643531376231356364353438376539626339306134353738363135303436666536393835
33663432643764333830373337376365613332383061386461653662356237326266643466633836
31393662323363653232326134303365323339323366396161656538663565336565343466363365
3634

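--- a/host_vars/eu/misc.yaml
+++ b/host_vars/eu/misc.yaml
@@ -0,0 +1,51 @@
+---
+ufw_allow_rules:
+- port: 22
+  proto: tcp
+- port: 80
+  proto: tcp
+- port: 443
+  proto: tcp
+- port: 443
+  proto: udp
+- port: 53
+  proto: udp
+- port: 53
+  proto: tcp
+- port: 25
+  proto: tcp
+- port: 5201
+  proto: tcp
+- port: 6697
+  proto: tcp
+- port: 1965
+  proto: tcp
+- port: 51820
+  proto: udp
+- port: 5202
+  proto: tcp
+- port: 3389
+  proto: tcp
+bkp_source_directories:
+- /configs
+- /var
+- /home
+- /boot
+- /usr
+- /root
+- /opt
+- /zfspool
+- /etc
+bkp_exclude_patterns:
+- /var/log
+- /var/lib/docker/buildkit
+- /var/lib/docker/containers
+- /var/lib/docker/image
+- /var/lib/docker/overlay2
+- /var/lib/docker/plugins
+- /var/lib/docker/runtimes
+- /var/lib/docker/swarm
+- /var/lib/docker/tmp
+- /var/lib/docker/trust
+bkp_postgresql_databases:
+- name: invidious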
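Review bot: `bkp_exclude_patterns` in this file (and in host_vars/us/misc.yaml) excludes the Docker layer directories but not `/var/lib/postgresql`, whereas host_vars/in/misc.yaml excludes it, and all three hosts already dump their databases through the `postgresql_databases` borgmatic hook. If PostgreSQL data on eu and us also lives under `/var/lib/postgresql`, the backup captures a raw copy of a running cluster on top of the logical dump, which is not a consistent restore source and inflates the archive; adding `- /var/lib/postgresql` to the exclusions here and in the us file would make the three hosts agree. This is inferred from the in file alone, so confirm the data directory location before excluding it.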


@ -1,11 +1,14 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
38626431346431393962623738643565313736393130653265373038393538633431333634376134 39306635373466386133306563356330636363653032313836366462633664386133313637656562
3733626230643163366565333763626536633666373466300a616337623935326538363866643465 3838393830616131333135633935613762643364323536390a383564333933323066353635393939
32663835333930393631623836633865393938353331396164623465326233363034303965393133 34626435363936303839373166336533383936643731333934626632626634653634333931646261
6165633030366266330a643339626531303766383366663065353239346139663730663539653034 6235613466356239640a323039623039623335613763663730303161373362393264393138363565
38363266393734376139396638356264326166343964323065373732626134643133386330653233 31353033303434343937646433386531356363613263653736356531303564326134656334653037
63336663366165643561356131336566393532393537303235663866353261343033616530353839 61613436366163333933386633366165356235313763653334633830323636303334616432323163
38656536306561613237386339663636633036386438326162653863363139393862356434353463 62323262373264383939313464626431626366343339373137626365313962383735383764633632
34313135643736663564626666643030646561363037383536656661316564356133396535613137 39343561306663366438353233636162373961323264386563353231626364356536396164363730
34633763306139613363616366343062613730353938373465373135636230316236643365393764 64663338623365326161333336336534373933346136336538646636653734383164366266633233
6461333665333538303466336363376435363966393538663265 35363462663938366262626461363535343266653739366430646535313865663263363137333138
32383236326565656538653339666432346237313363653761396430333236363331393763393931
65353539646464386435633830663933363265663734623464323964386238386535303834653532
6666

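--- a/host_vars/in/misc.yaml
+++ b/host_vars/in/misc.yaml
@@ -0,0 +1,31 @@
+---
+bkp_source_directories:
+- /var
+- /home
+- /boot
+- /usr
+- /root
+- /opt
+- /zfspool
+- /etc
+bkp_exclude_patterns:
+- /var/log
+- /var/lib/docker/buildkit
+- /var/lib/docker/containers
+- /var/lib/docker/image
+- /var/lib/docker/overlay2
+- /var/lib/docker/plugins
+- /var/lib/docker/runtimes
+- /var/lib/docker/swarm
+- /var/lib/docker/tmp
+- /var/lib/docker/trust
+- /var/lib/postgresql
+bkp_postgresql_databases:
+- name: gitea
+- name: healthchecks
+- name: hedgedoc
+- name: semaphore
+- name: vaultwarden
+- name: ejabberd
+- name: mailu
+- name: roundcube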


@ -1,11 +1,14 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
32353133376437383030636135373334663838383965303761373666656236653335656430633735 36393333323061396634373536623135376336653134303130336163316163343438613966313162
3861393933636337646535393837663336303538346635340a316664366632363461663734326437 6263613432353933633535656633383865643537386132320a623837636238386135376333623630
30623838643565633464393837343133313337393431613562303631366262646135633965346465 35393233306435363332346562363239663636633863616362643931626563343037343463333365
3138613663343966310a353062613134393933373364373432356565363465316431613535393363 3632373132653830610a373763316130343737613233636237626534323030303430323461353562
37393935303434636365616235613831666231386632636161656135633734343266653636313261 62333061376563343562386562313031363132326137333634316135343339626264623238343935
39623632376536643065313137396135623165356362616538386664393333333232383930663263 31656639376339353439656632393363656664346362663031343931313534393862616532353732
38336439633239636339363961623837396334343064313736666235333434383762663231323263 31663463363039386565653363653332396336306634356339616630623261643162373839356132
61633961623464643138633131666266323339363862326461323133383938356337393933613436 64323038343430346433633865356462623133353339653336386261323637373731333630666333
38396563373133356330316333613263363935663163363337373836396238636637373735383833 35643961316137356532653864613631633938303031663231343365646232636264633961373930
3037653434623331633666633533363561346364373965336432 36326239653963353562633134666262613332393963646239306336646338363734306161646562
31366633336566393636616230326663363430333137656366336435656335343732393165363834
34393766336138373164386332643661646162346166316265346664363530336336313334636366
3132

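--- a/host_vars/us/misc.yaml
+++ b/host_vars/us/misc.yaml
@@ -0,0 +1,35 @@
+---
+ufw_allow_rules:
+- port: 443
+  proto: tcp
+- port: 443
+  proto: udp
+- port: 80
+  proto: tcp
+- port: 53
+  proto: udp
+- port: 53
+  proto: tcp
+- port: 5201
+  proto: tcp
+bkp_source_directories:
+- /home
+- /etc
+- /boot
+- /root
+- /opt
+- /usr
+- /var
+bkp_exclude_patterns:
+- /var/log
+- /var/lib/docker/buildkit
+- /var/lib/docker/containers
+- /var/lib/docker/image
+- /var/lib/docker/overlay2
+- /var/lib/docker/plugins
+- /var/lib/docker/runtimes
+- /var/lib/docker/swarm
+- /var/lib/docker/tmp
+- /var/lib/docker/trust
+bkp_postgresql_databases:
+- name: invidious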


@ -14,6 +14,7 @@ all:
isp: Nonic Cloud isp: Nonic Cloud
wiki_page: Pizza-1 wiki_page: Pizza-1
watchtower_mtrx_username: psf-watchtower-pizza watchtower_mtrx_username: psf-watchtower-pizza
rsyncnet_slug: pizza1
us: us:
ansible_host: us.vpn.projectsegfau.lt ansible_host: us.vpn.projectsegfau.lt
ansible_user: ansiblerunner ansible_user: ansiblerunner
@ -26,6 +27,7 @@ all:
wiki_page: US_Node wiki_page: US_Node
server_prefix: us server_prefix: us
watchtower_mtrx_username: psf-watchtower-us watchtower_mtrx_username: psf-watchtower-us
rsyncnet_slug: us
in: in:
ansible_host: in.vpn.projectsegfau.lt ansible_host: in.vpn.projectsegfau.lt
ansible_user: ansiblerunner ansible_user: ansiblerunner
@ -38,3 +40,4 @@ all:
isp: Bharti Airtel isp: Bharti Airtel
wiki_page: India_Node wiki_page: India_Node
watchtower_mtrx_username: psf-watchtower-in watchtower_mtrx_username: psf-watchtower-in
rsyncnet_slug: in


@ -1,3 +1,6 @@
--- ---
- src: git+https://github.com/caddy-ansible/caddy-ansible.git - src: git+https://github.com/caddy-ansible/caddy-ansible.git
version: v3.2.0 version: v3.2.0
- src: geerlingguy.docker
- src: artis3n.tailscale
- src: borgbase.ansible_role_borgbackup
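Review bot: The three roles added here carry no `version:` pin, whereas the existing caddy entry in the same file is pinned to `v3.2.0`; an unpinned Galaxy role resolves to whatever is latest at install time, so a later `ansible-galaxy install` can silently change code that runs as root on every node. Each new entry should pin a release tag in the same shape as the caddy entry, e.g. `- src: geerlingguy.docker` followed by `  version: "<PINNED_TAG>"` (placeholder; take the tag from the role's release list), and the same for `artis3n.tailscale` and `borgbase.ansible_role_borgbackup`.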


@ -1,39 +1,70 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
66363332323239613534666139626138646536326232313666336635616562616162656561643739 31373334316338616530336663386162326136303066636462656235636139613037323732616433
3731613361633338636264323832616333363561373836340a363065313866343036363538316264 3464633562643434666536373662363132656238336435640a343261393539363663623731323533
35373334393964343561353066623931353230313338303465383033623031643431646338663863 35383934346563633538353535613936316237613832353261376534323665653834353831353831
3961663534333666340a326231383037346631346339663037303730653331663531663663303834 6237323465623230340a666366333130306462333233336431306135386339373763653037653238
36353534633437313036396532356332626235653635303435653538396635383236663734333136 32393563383237356235633935383161623332613934383164386532316564653861356163393236
62663563663064333537376333646130613537323138333831643961323862336435363861633031 33356133313633333534613966666662636336633565356331616165383433663935663162373730
31363065346235666563613463356231616262303130323962393264393166306238383265653631 30343961316638393433613935323635363332663735623730353230643163393336393462613764
63386539623935336237373037643035623930313232303130383732303262316662363065346633 39323532343533396532636264373166323739343931353139343633636137323633303038643561
63393136376131613630396263343830653334656535386139303135656437333533646266346330 63633964616334386463353566636638393963343931316635343664653363393231363531393438
64313934616234333239353237343736323738633031336435396336653239626462383461666365 31626666616634343833623661386663393731616162636337346235626433356230376564333533
34376665326231353531666639623239633735633934383761613465613835323136316339643665 30626232643461613934346534613233363737373161363832326463343363636336666538633132
34343539356339306134386665633937353138356461343233363835303032636438383731616261 63656633613466623265646235383238663738383632626664356133373964643536646635653238
64333631333563303838393133316566633038353032623765333430313531396361396530633266 66376264376538643465306664653035346637636336366339383561636364616530353232303265
65343964636664346630663332326539373235316165386139333264666431366436373963646633 66626431663965323136363065646339323934623436663862366338613466663564333462326431
61646538643130616666383530303666633665666261376235373939393833633638383137343533 63326131353462316563346366356665393438346430663839376562386638643630613232303833
63643338616139326166353231323865636162653234636366666230373730663266653738656365 66346265633261653463363761333335343331366265663735656331616537323631396331386262
64383037643562633538353331383665326666306663333539353261633030633465623866643532 31623439393039613461303434333636613037326436656363303532373132666339653662376332
36393361356536643036316633383364366233613032653231333636643536313564303235353231 35343964636638393563613066323763653365333965366139396665353065333131653037363563
65613433306164663961653865616662353639346465386466356531353635656163373039303964 65383132356239383332636235336434663961306130656461663739663663346136613239623965
66306230376161373861356562643663323634373636366366626465343032313439366366343362 61363334303637343732393030663066353631323365643532633865363134363761323138343365
63636630333437653835663038663738316462653431333865373463353235363261636561626236 64323233383632376338396632376561636134386133303835396231666436613362343435383234
33653435303634626166633234386561313662666535396562353633656135383932303363663830 36316237636435353736623033356362643238616536626133306639376539353132303331336164
37323732626339396433316364343833363261646632316634613331613362653535613337633364 61396261323865353464353637653061366463376638363736333233383163613662386631343933
33353535303537666637336337663530636461346632633932643362316230316139633566616465 32343937626138343937336162303534336533663535636234363936326139623233356538346630
63643530636530323839623531376166633035343865393530376134616465363633633739393134 63306439643366616137656135623637333033626438343933653063636165373038613239383164
33623762643430326233343463346132663134383738336165333561313530633664663966303962 34636664336165643565643436393961316266653339383961666337383039656362623031656138
63396431643762623533353261373638313230373363633339643737623136646661653532393134 30306433623131366461383635303361666162333261616431363966613432663034343966656139
64393439336163363430663535656439353933356436663630363234393165303938366535313534 63316131646165316339303564316533396362613232643237393233643235666531646162623064
66623231376461333565613436333930323038336438353931363663386332366434636134356339 34393435613635326539613035336462393832653534623433396661366236336237613966623234
38383563363166663634643666356265363231303431663763363764323665666565646238386539 34633838376532326163343437633134353132616438343538633564623033346364336663343564
37636566333036383533623034306332666661393233613538626261616137616430653164373462 64383939646637323932383336303834663236313932656436633533303437626562303031346162
62633935646231653037353062363830383530376234366334663938366539353935633962393963 36623936663266336236346432356135636662613137336439333735356438613433663963653732
38643435643632343266333439313535386634353663316263333734373839663432346437323361 36623331633338346437336130373035306566653766623334303037343663663063663661373736
35326265613134393931656130303432353664643364656233363334383762333632613662653461 31313564646333616638643133636265393837663261396336343866313035643730613639343234
33313131363434343563633638336365623162363534363933373533346130386130343639643534 30653935303831366136633361333637336433393236376339613435303535313038303539336539
61343261626239353838633638306430303536323931636566643236333338303966623934376466 33356634626164663963363562333838353237616130313839653135363733323362613132386461
64633266383631663030653637653161613934636135383339323462663237356137343839653635 64623839356236613839356534323562303031613061633435323232306231313965343766623831
6462613966346234363839316134373962316564313462363935 35636530613036393465323364636661383739623266616530343536353061353363643163666537
33353961313963366637373163616530373962643630353435383634333865303634363735633461
62626363303163303265646565373865363733626432353232386436313533353334376165376266
38623037626137643833363361353635363734393666643336353631363664643863383633336137
36383834623163323463383736663035653234373337353264316639643462376434633232316331
33313236333530663362313736303033346134383138333338393761343138363561376334356138
36363163393835333666393531333635633162363861373033393464623938356332653761333930
35386435636566336633313263646339303061353638663833643761303463333031386664303531
61343930306338643634333731353635323164643939356331326564636665303966346137393536
33313066633266313464333463306637386262363130633832393633366532363538313834306565
61356533393661353565313166653134643336356138653966623434633335363630636139363139
36663037303362663035653864306364316361326236623938656334373733313665646530303066
61386634343232373730363031376637653063333834313862636461353463653161376562376138
39646164306233643665663737653631353035656135373263343863356437623661633333643331
35353334313964363731636166356163363831653930356133643938303664336533303331333536
65353364376232623463623138663737303333636432663262633033663737303836666135386138
38666562383337353137663735306230373637353837616237643334663933316463666335613739
65663565643365363431396635663661643964643462643364663231613333323433343931623637
36336266373333623237383635303436396362393032303731633162383265666430386437643963
62643961383435626633353733373336313638333038653238383034373635626637303665303562
36663531326434343763663731623865323531303037306166316264646461376134353831656565
39613962643938333332333038346234393538343030343261396532363237613339373831303564
66393162613230376237373631323931663830366336663138643631633438386131333763646562
38646431343263653237313336653231363962373939393164636562613939663161353565343438
36626134656533366131653466646138326237303262623731373533313132303339333661616335
37616334646131303332326261633938336633373039636131363235313330653530346636353236
64663463333435383535393831613564613266616166666332653366656165633939333537393033
35393965623265633035656162343961396230346431646533363666396461363139376134326134
34346136326537616533636433633562336563396539653965633037383265383930303866666535
30343536623163343237393866323637313739366339316532636633643533373937653764356564
34373836396264613766666565343139613033373136363165646138636633383361653036653232
3730