Initial commit

inventory
\ No newline at end of file
{
"files.associations": {
"**/*.yml": "ansible"
}
}
\ No newline at end of file
# Infrastructure
This playbook is used to install and maintain my private infrastructure setup.
Usage
---
To run this playbook you have to do a few steps:
```console
# Clone the repository
git clone https://gitlab.lelux.fi/Lelux/infrastructure.git
# Install dependencies (requirements.yml)
ansible-galaxy install -r requirements.yml
# Edit the inventory file
nano inventory
# Edit the group_vars
nano group_vars/*
# Deploy
ansible-playbook -i inventory base.yml
# ansible-playbook -i inventory site.yml
```
That's it for now.
*Hint: For own modifications and to keep track of your changes in a git repository you can use a deployment branch. For details see: https://www.shivering-isles.com/publish-your-work-while-keeping-a-private-fork/*
[defaults]
inventory = ./inventory
retry_files_enabled = False
[privilege_escalation]
become_ask_pass = True
# Base configuration for each server.
# Includes hardening.
---
- import_playbook: ssh.yml
- import_playbook: os.yml
- import_playbook: firewall.yml
- import_playbook: create_user.yml
- import_playbook: force_password_change.yml
\ No newline at end of file
---
- hosts: ssh
tasks:
- name: Add primary user
user:
name: user
uid: 1000
groups: sudo
shell: /bin/bash
- name: Set authorized key taken from file
authorized_key:
user: user
state: present
key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/yubikey.pub') }}"
\ No newline at end of file
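Review bot: Neither the play nor its two tasks set `become`, yet `user:` (creating uid 1000 and adding it to `sudo`) and `authorized_key:` both need root, so unless the inventory connects as root this play fails; firewall.yml and force_password_change.yml declare `become: true` explicitly, so adding `become: true` at play level next to `hosts: ssh` also keeps the files consistent. Separately, `groups: sudo` without `append: true` sets the user's supplementary groups to exactly `sudo` on every run, so any group added later (by hand or by another play) is silently removed the next time base.yml runs; `append: true` under `groups: sudo` makes the task only add the group. The key lookup reads `~/.ssh/yubikey.pub` from the controller, which is worth a one-line comment above `key:` so operators know the file must exist before running.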
---
- hosts: ssh
roles:
- role: weareinteractive.ufw
become: true
vars:
ufw_state: enabled
# Resetting shuts down the firewall, which is stupid.
ufw_reset: no
ufw_rules: []
ufw_applications:
- { name: "OpenSSH", rule: allow, from_ip: 2000::/3 }
ufw_default_input_policy: DROP
ufw_default_forward_policy: DROP
ufw_logging: off
\ No newline at end of file
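Review bot: `ufw_logging: off` and `ufw_reset: no` are read by Ansible's YAML 1.1 loader as booleans rather than the strings `off`/`no`; if the role renders `ufw_logging` straight into `ufw logging <value>`, the command receives `False`, so write `ufw_logging: "off"` (quoted) and `ufw_reset: false`. From a detection standpoint, turning logging fully off on a host whose default input policy is DROP discards the only record of rejected connections — `ufw_logging: "low"` keeps a bounded log of blocked packets without the noise of the higher levels. Note also that the single allow rule is OpenSSH from `2000::/3`; with `ufw_default_input_policy: DROP` any controller reaching the host over IPv4 loses access the moment the role enables ufw, which matches the IPv6-only intent in ssh.yml but deserves a comment on the rule line, e.g. `# IPv6 global unicast only: IPv4 SSH is dropped by the default policy`.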
---
# https://github.com/ansible/ansible/issues/18917#issuecomment-578394140
- hosts: ssh
name: Ensure the user will set up a password on first login
become: yes
tasks:
- name: Disable user's password
shell:
cmd: passwd -d user
- name: Expire user's password
shell:
cmd: passwd -e user
\ No newline at end of file
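Review bot: Both `shell` tasks run unconditionally, so every run of base.yml (which imports this play last) executes `passwd -d user` again: a password the user already set on first login is wiped and the account returns to an empty-password state, and both tasks always report changed. Guard them by registering the output of `passwd -S user` and running the pair only `when:` the status field shows the account has never had a usable password, or at minimum add `changed_when: false` so repeated runs are visible as no-ops. Neither command needs shell features, so `command:` is the safer module here, and `become: yes` should be `become: true` to match firewall.yml. The user name `user` is hard-coded here, in create_user.yml and implicitly in the sudo group setup; a single variable shared by the three plays would keep them from drifting.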
[ssh]
server-01.example.com
\ No newline at end of file
---
- hosts: ssh
tasks:
- name: Remove qemu-guest-agent
apt:
name: qemu-guest-agent
state: absent
autoremove: yes
- name: Install needrestart
apt:
name: needrestart
state: present
roles:
- sys-upgrade
- role: dev-sec.os-hardening
become: true
vars:
# Fix boot issues on Hetzner Cloud
os_filesystem_whitelist: vfat
sysctl_overwrite:
# Enable IPv6
net.ipv6.conf.all.disable_ipv6: 0
# Multiple IPv6 addresses on single interface
# net.ipv6.conf.ens3.max_addresses: 2
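Review bot: The two `apt` tasks run without `become` and the play declares none, so package removal and installation fail unless the inventory connects as root; `dev-sec.os-hardening` carries its own `become: true` and sys-upgrade's tasks do too, so add `become: true` to these two tasks or to the play. Ansible also executes `roles:` before `tasks:` regardless of the order written here, so hardening and the upgrade run before `qemu-guest-agent` is removed and `needrestart` installed — if the written order is the intended one, move the tasks under `pre_tasks:`. `os_filesystem_whitelist: vfat` is a plain string where the role's default is a list (`[]`); `os_filesystem_whitelist: ['vfat']` avoids a list filter iterating the characters of the name instead of the entry — worth confirming against the role version pulled by requirements.yml. `autoremove: yes` should be `autoremove: true`.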
---
- src: dev-sec.ssh-hardening
- src: dev-sec.os-hardening
- src: weareinteractive.ufw
\ No newline at end of file
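Review bot: None of the three Galaxy roles is pinned, so `ansible-galaxy install -r requirements.yml` (as the README instructs) fetches whatever version is current at install time, and a later release — or a compromised one — changes the hardening applied to every host with no diff in this repository. Pin each entry, e.g. `- src: dev-sec.os-hardening` followed by `  version: <tag or commit — placeholder>`, and bump deliberately after reading the role's changelog. This matters most for dev-sec.os-hardening and dev-sec.ssh-hardening, whose defaults decide which sshd and sysctl settings the playbooks end up enforcing.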
# ssh
Source: https://git.shivering-isles.com/shivering-isles/infrastructure/tree/3b986957c4922244b1f159115947c2a79b22f646/roles/ssh
\ No newline at end of file
ssh_authorized_keys: []
sshd_binary: "/usr/sbin/sshd"
---
- name: Install ssh keys
authorized_key:
user: "{{ item.user }}"
state: "{{ item.state | default('present') }}"
key: "{{ item.key }}"
comment: "{{ item.owner }} - {{ item.comment }} | Managed by Ansible"
with_items:
- "{{ ssh_authorized_keys }}"
become: true
tags:
- ssh
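Review bot: `item.owner` and `item.comment` are used without a `default()` while `item.state` gets one, so an `ssh_authorized_keys` entry that omits either field aborts the whole task instead of installing the key; either give both a default (`comment: "{{ item.owner | default('') }} - {{ item.comment | default('') }} | Managed by Ansible"`) or document the required fields next to `ssh_authorized_keys: []` in the role defaults. Wrapping `"{{ ssh_authorized_keys }}"` in a one-element `with_items` list relies on with_items' one-level flattening; `loop: "{{ ssh_authorized_keys }}"` is the current idiom and reads as intended. The same task appears verbatim at the top of the second distro task file (the one that also carries the firewalld tasks); a shared task file included from both would keep the two copies from drifting.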
---
- name: Install ssh keys
authorized_key:
user: "{{ item.user }}"
state: "{{ item.state | default('present') }}"
key: "{{ item.key }}"
comment: "{{ item.owner }} - {{ item.comment }} | Managed by Ansible"
with_items:
- "{{ ssh_authorized_keys }}"
become: true
tags:
- ssh
- name: Set ratelimit for SSH
firewalld:
rich_rule: "rule service name=ssh limit value=10/m accept"
state: enabled
permanent: true
immediate: true
become: true
tags:
- firewall
- ssh
- name: Disable SSH by firewall to let ratelimit kick in
firewalld:
service: "ssh"
state: disabled
permanent: true
immediate: true
become: true
tags:
- firewall
- ssh
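Review bot: As far as I can tell from how firewalld maps a rich-rule `limit` onto the netfilter limit module, `limit value=10/m` is a single global token bucket, not a per-source one — it caps new SSH connections from all addresses combined at ten per minute, so one remote host opening connections quickly starves legitimate logins rather than slowing only the offender. Document that trade-off above the rule, e.g. `# NOTE: firewalld rich-rule 'limit' is global across all sources, not per-IP`, and consider a per-source mechanism if the platform offers one. The ordering is also load-bearing: the `ssh` service is disabled only after the rate-limited accept exists, so a failure in the first task leaves SSH fully open (the safe failure direction); a short comment on `Disable SSH by firewall` saying the two tasks must stay in this order would stop someone reordering them.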
---
- name: "Select tasks for {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
include_tasks: "{{ distro_file }}"
with_first_found:
- "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_distribution }}.yml"
- "{{ ansible_os_family }}.yml"
loop_control:
loop_var: distro_file
tags:
- firewall
- ssh
# sys-upgrade
Source: https://git.shivering-isles.com/shivering-isles/infrastructure/tree/852d7bc4e9148fa14081f919fd5436bb647122bc/roles/sys-upgrade
galaxy_info:
author: Christoph Kern
description: Upgrades System so latest packages are installed
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
issue_tracker_url: https://github.com/SISheogorath/ansible-client/issues
license: GPLv3
min_ansible_version: 2.1
#
# platforms is a list of platforms, and each platform has a name and a list of versions.
#
platforms:
- name: Debian
versions:
- all
galaxy_tags: []
dependencies: []
---
# tasks file for sys-upgrade
- name: Install aptitude
apt:
name: "aptitude"
state: present
tags:
- apt
- download
- packages
become: true
- name: Upgrade all packages
apt:
name: "*"
state: latest
tags:
- apt
- download
- packages
become: true
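Review bot: The `Upgrade all packages` task uses `state: latest` on `*` without `update_cache: true`, so it upgrades against whatever package index the host last fetched — on a freshly provisioned image that may be weeks old, and security fixes published since are not picked up until something else runs `apt update`. Add `update_cache: true` (and `cache_valid_time: 3600` to avoid refetching on every run) to that apt task. The purpose of the preceding `Install aptitude` task is not stated; if it is there for an older apt-module dependency, a one-line comment saying so would stop someone removing it later.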
---
# tasks file for sys-upgrade
- name: "Select tasks for {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
include_tasks: "{{ distro_file }}"
with_first_found:
- "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_distribution }}.yml"
- "{{ ansible_os_family }}.yml"
loop_control:
loop_var: distro_file
---
- hosts: ssh
roles:
- sys-upgrade
- role: dev-sec.ssh-hardening
become: true
- ssh
vars:
# Otherwise Ansible outputs error messages: "sftp transfer mechanism failed"
sftp_enabled: true
# Enable only IPv6
network_ipv6_enable: true
ssh_listen_to: ['::']
\ No newline at end of file
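Review bot: The `ssh` role iterates `ssh_authorized_keys`, which defaults to `[]` in the role and is set nowhere in this commit — there is no `group_vars/` directory even though the README tells the user to edit `group_vars/*` — so on a fresh clone the role installs no keys and only the single YubiKey public key from create_user.yml grants access. Either add a `group_vars/ssh.yml` with a commented example entry (`user`, `key`, `owner`, `comment`, optional `state`) or set `ssh_authorized_keys: []` explicitly under `vars:` here with a comment stating where real keys are expected to come from. `ssh_listen_to: ['::']` binds sshd to IPv6 only, consistent with the firewall rule in firewall.yml; a short comment on that line naming the lockout risk for IPv4-only controllers would help the next operator.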