docs(Wireguard): Add documentation

This contains a lot of changes, including better system configuration for some issues discovered during testing, and minor tweaking for better user experience when doing maintenance

.ansible-lint

@@ -0,0 +1,2 @@
+skip_list:
+  - 'fqcn-builtins'

.gitignore

@@ -0,0 +1,4 @@
+vault
+.vault_pass
+inventory/prod
+inventory/dev

.gitmodules

@@ -0,0 +1,6 @@
+[submodule "wireguard"]
+	path = wireguard
+	url = https://github.com/jawher/automation-wireguard
+[submodule "k3s-ansible"]
+	path = k3s-ansible
+	url = https://github.com/k3s-io/k3s-ansible

Makefile

@@ -0,0 +1,56 @@
+ENV ?= none
+ANSIBLE_USER ?= atmen
+ANSIBLE_SSH_KEY ?= ~/.ssh/atmen
+CLUSTER_NAME ?= halis
+
+ifeq ($(ENV), prod)
+	INVENTORY:=$(shell ls -p inventory/prod -I "*.disabled" | grep -v / | sed 's/^/-i inventory\/prod\//g' | sed -z 's/\n/ /g' | head -c -1)
+	NODE_IP:=$(shell grep -s server inventory/prod/* | head -1 | cut -d ':' -f 1 | xargs cat | grep ansible_host | head -1 | cut -d ':' -f 2 | cut -c2-)
+else ifeq ($(ENV), dev)
+	INVENTORY:=$(shell ls -p inventory/dev -I "*.disabled" | grep -v / | sed 's/^/-i inventory\/dev\//g' | sed -z 's/\n/ /g' | head -c -1)
+	NODE_IP:=$(shell grep -s server inventory/dev/* | head -1 | cut -d ':' -f 1 | xargs cat | grep ansible_host | head -1 | cut -d ':' -f 2 | cut -c2-)
+else
+	INVENTORY = -i inventory/templates/hosts.yml
+	NODE_IP:=$(shell grep -s server inventory/templates/* | head -1 | cut -d ':' -f 1 | xargs cat | grep ansible_host | head -1 | cut -d ':' -f 2 | cut -c2-)
+endif
+
+prep:
+	@echo "Preparing environment..."
+	@echo "ENV: $(ENV)"
+	@echo "INVENTORY: $(INVENTORY)"
+	@echo "NODE_IP: $(NODE_IP)"
+	@cp k3s-ansible/playbooks/* k3s-ansible/
+	@echo "K3s-ansible configured"
+
+init:
+	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(INVENTORY) "init.yml"
+
+install:
+	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(INVENTORY) "bootstrap.yml" --extra-vars "enable_setup=true enable_wireguard=true enable_k3s=true"
+
+upgrade:
+	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(INVENTORY) "k3s-upgrade.yml"
+
+conf:
+	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(INVENTORY) "bootstrap.yml" --extra-vars "enable_setup=true enable_wireguard=false enable_k3s=false"
+wg:
+	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(INVENTORY) "bootstrap.yml" --extra-vars "enable_setup=false enable_wireguard=true enable_k3s=false"
+
+k3s:
+	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(INVENTORY) "bootstrap.yml" --extra-vars "enable_wireguard=false enable_k3s=true enable_setup=false"
+
+k3s-uninstall:
+	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook $(INVENTORY) "k3s-uninstall.yml"
+
+ping:
+	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible all $(INVENTORY) -m ping
+
+ping-unprovisioned:
+	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible all -i inventory/unprovisioned.yml -m ping
+
+get_k3s_credentials:
+	@echo "Retrieving k3s credentials locally..."
+	ssh $(ANSIBLE_USER)@$(NODE_IP) -i $(ANSIBLE_SSH_KEY) -p 7929 "cat /home/$(ANSIBLE_USER)/.kube/config" > ~/.kube/config-$(CLUSTER_NAME)
+	@sed -i 's/127.0.*:/$(NODE_IP):/g' ~/.kube/config-$(CLUSTER_NAME)
+	@curl https://git.halis.io/therbron/dotfiles/raw/branch/master/.bin/kube-merge | bash
+	@kubectl get nodes --context $(CLUSTER_NAME)

README.md

@@ -1,3 +1,42 @@
 # Ansible
 
-Catalogue of Ansible playbooks and helper scripts for server management
+Catalogue of Ansible playbooks and helper scripts for server management
+atmen: slave, servant
+
+## Configuration options
+### SSH Ports
+The ssh port can be configured in 2 steps:
+1. Change the `ansible_ssh_port` variable in `inventory/group_vars/all.yml`
+2. Change the `sshd_port` variable in `inventory/vars/unprovisioned.yaml`
+
+## Node configuration process
+### Provisioning
+- Add atmen user for provisioning
+- Configure SSH key for atmen user
+- Add maintainer user
+- Configure SSH key for maintainer user
+- Disable root login (passwd --lock root)
+- Disable SSH login for creator user
+- Disable SSH password login
+- Change SSH port
+
+### SSH Setup
+- Install fail2ban
+
+### Miscellaneous
+- Disable unattended-upgrade is installed
+- Disable IPv6
+- Setup hostname
+- Install open-iscsi, nfs-common, nfs-utils
+
+### OMV configuration
+- Install OMV through OMV-extras
+- (lab) Add Vagrant user to SSH group
+- Add atmen user to sudoers
+- Install openmediavault-zfs, openmediavault-s3, openmediavault-filebrowser
+
+# OMV manual configuration
+## NFS configuration
+- Create FS
+- Enable NFS
+- `subtree_check,insecure,no_root_squash,anonuid=1000,anongid=100` in NFS share extra options

bootstrap.yml

@@ -0,0 +1,26 @@
+---
+- hosts: all
+  gather_facts: no
+  strategy: free
+  tasks:
+    - name: Include vault vars
+      include_vars: 
+        file: "{{ playbook_dir ~ '/vault/secrets' }}"
+    - name: Include vars
+      include_vars: 
+        file: inventory/vars/main.yml
+    - name: Wait for hosts
+      ansible.builtin.wait_for_connection:
+        timeout: 60
+    - name: Gathering facts
+      setup:
+    - name: Start basic node configuration
+      include_role:
+        name: node-configuration
+      when: enable_setup | bool
+- name: Configure wireguard
+  ansible.builtin.import_playbook: wireguard/wireguard.yml
+  when: enable_wireguard|bool
+- name: Configure k3s
+  ansible.builtin.import_playbook: k3s-ansible/site.yml
+  when: enable_k3s | bool

docs/1-introduction.md

@@ -0,0 +1,45 @@
+# Halis Ansible
+
+This repository contains a collection of Ansible playbooks and roles to manage a k3s cluster, and its associated infrastructure.
+You will find a `Makefile` to help you run the playbooks, alongside some inventory templates for each use case.
+
+## Requirements
+Before you start, make sure you have the following packages installed:
+- `ansible-core`
+
+## Before you start
+### SSH connection
+TODO
+Document the installation of the maintainer user through ssh keys (./inventory/vars/unprovisioned.yml), same for atmen user.
+
+### Secrets
+Before you get started, you will need to create one master secret:
+```bash
+tr -dc 'A-Za-z0-9!"#$%&'\''()*+,-./:;<=>?@[\]^_`{|}~' </dev/urandom | head -c 13; echo
+```
+or use any password generator from your favorite password manager.
+
+Keep this secret in a safe place, as it will be used to encrypt and decrypt your vault.
+
+Two files in `./vault` are used to store sensitive data:
+- `user_provisioning` contains default and maintainer user credentials
+- `secrets` ansible root password and k3s secret token
+
+They are formatted as follows:
+```
+# vault/user_provisioning
+vault_atmen_password: <atmen_password>
+vault_maintainer_user: <maintainer_user>
+vault_maintainer_password: <maintainer_password>
+```
+
+```
+# vault/secrets
+ansible_become_password: <atmen_password>
+token: <k3s_token>
+```
+
+
+## More configuration
+Read more in the [configuration](./2-configuration.md) section.
+

docs/2-configuration.md

@@ -0,0 +1,27 @@
+# Configuration
+
+This set of playbooks can be configured through the following files:
+- `inventory/group_vars/all.yml`
+- `inventory/vars/main.yaml`
+- `inventory/vars/unprovisioned.yml`
+
+## Base user
+If you did not install your machines using processes from the [ISO repository](https://git.halis.io/athens-school/iso-repository), you will need to adapt the user configuration in `inventory/vars/unprovisioned.yml` to your initial user.
+
+## SSH Ports
+It is recommended to change the default SSH port for security reasons. 
+The ssh port can be configured in 2 steps:
+1. Change the `ansible_ssh_port` variable in `inventory/group_vars/all.yml`
+2. Change the `sshd_port` variable in `inventory/vars/unprovisioned.yml`
+
+`sshd_port` is used to configure the SSH port on the target machine, while `ansible_ssh_port` is used to configure the SSH port Ansible will use to connect to each host when running the unprovisioned playbook.
+
+## Wireguard port
+The default port for Wireguard is 51820. If you need to change it, you can do so by changing the `wireguard_port` variable in `inventory/group_vars/all.yml`.
+
+## K3s configuration
+All of the k3s configuration is done through the `inventory/group_vars/all/yml` file.
+
+You can update the `k3s_version` variable to install a specific version of k3s before running the playbooks.
+Other k3s configuration flags can be found under the `extra_server_args` and `extra_agent_args` variables.
+To learn more about the available flags, refer to the [k3s documentation](https://docs.k3s.io/cli/server).

docs/3-vault.md

@@ -0,0 +1,30 @@
+# Vault
+
+Before you get started, you will need to create one master secret:
+```bash
+tr -dc 'A-Za-z0-9!"#$%&'\''()*+,-./:;<=>?@[\]^_`{|}~' </dev/urandom | head -c 13; echo
+```
+or use any password generator from your favorite password manager.
+
+Keep this secret in a safe place, as it will be used to encrypt and decrypt your vault.
+
+Two files in `./vault` are used to store sensitive data:
+- `user_provisioning` contains default and maintainer user credentials
+- `secrets` ansible root password and k3s secret token
+
+They are formatted as follows:
+```
+# vault/user_provisioning
+vault_atmen_password: <atmen_password>
+vault_maintainer_user: <maintainer_user>
+vault_maintainer_password: <maintainer_password>
+```
+
+```
+# vault/secrets
+ansible_become_password: <atmen_password>
+token: <k3s_token>
+```
+
+## Note
+To avoid pasting your vault password everytime, you can create a `.vault_pass` file in the root directory with the vault password.

docs/4-inventory.md

@@ -0,0 +1,15 @@
+# Inventory
+
+The inventory is a list of hosts Ansible will manage, and how each of those hosts will be configured in term of networking, software and labeling.
+
+## Inventory templates
+
+This repository contains multiple inventory templates, each one adapted to its respective playbook.
+
+`./inventory/hosts.template.yml`
+
+This is the default inventory template, used for most playbooks to manage the k3s setup. It contains the following groups:
+ - server
+ - agent
+
+The `server` group contains the list of control plane nodes, while the `agent` group contains the list of worker nodes.

docs/5-node.md

@@ -0,0 +1,3 @@
+# Node
+
+Coming soon !

docs/6-network.md

@@ -0,0 +1,38 @@
+# Network
+
+Our infrascture may have machines accross multiple locations. We need to ensure that all machines can communicate with each other, even if they are behind a NAT. To allow such configuration, we will be using a VPN, more precisely, Wireguard. This also has the advantage of encrypting all traffic going between nodes.
+
+To ease the installation process, the installation is handled by [Jawher Moussa's ansible playbook](https://github.com/jawher/automation-wireguard).
+
+## Configuration
+
+When adding a new host to the inventory, the following entry needs to be added:
+```yaml
+all:
+  hosts:
+    <hostname>:
+      wireguard_ip: <wireguard_ip>
+      [...]
+```
+
+The `wireguard_ip` is the unique IP address the host will use to communicate with other hosts. 
+
+It is also recommended to change the `wireguard_port` in `inventory/*/group_vars/all.yml` to a random port for added obfuscation.
+Lastly, you can modify the `wireguard_mask_bits` to change the size of the subnet, but it is recommended to keep it at 8 for 254 IPs.
+
+### UFW
+
+For added security, UFW can be installed, but isn't enabled by default with these playbooks. To enable it, set the `enable_ufw` variable to `true` in `inventory/*/group_vars/all.yml`.
+
+You will need to read more about the playbook's documentation [here](https://github.com/jawher/automation-wireguard).
+
+## Installation
+
+To install Wireguard on all hosts, run the following commands:
+```bash
+# Select the desired environment
+export ENV=<environment>
+
+# Install Wireguard
+make wg
+```

docs/7-k3s.md

@@ -0,0 +1,3 @@
+# K3s
+
+Coming soon !

docs/8-nas.md

@@ -0,0 +1,3 @@
+# NAS
+
+Coming soon !

init.yml

@@ -0,0 +1,15 @@
+---
+- hosts: all
+  gather_facts: no
+  tasks:
+    - name: Add unprovisioned vars
+      include_vars: 
+        file: inventory/vars/unprovisioned.yml
+    - name: Wait for hosts
+      ansible.builtin.wait_for_connection:
+        timeout: 60
+    - name: Gathering facts
+      setup:
+    - name: Provision users
+      include_role:
+        name: user-provision

inventory/templates/group_vars/all.yml

@@ -0,0 +1,23 @@
+---
+systemd_dir: "/etc/systemd/system"
+k3s_version: v1.31.4+k3s1
+api_endpoint: "{{ hostvars[groups['server'][0]]['wireguard_ip'] | default(groups['server'][0]) }}"
+extra_server_args: >
+  --disable traefik
+  --disable servicelb
+  --flannel-iface=wg0
+  --advertise-address={{hostvars[inventory_hostname]['wireguard_ip']}}
+  --tls-san={{hostvars[inventory_hostname]['wireguard_ip']}},{{hostvars[inventory_hostname]['ansible_host']}}
+  {{ ['--node-label']|product(hostvars[inventory_hostname]['k3s_label'])|map('join', ' ')|join(' ') }}
+  --kube-apiserver-arg enable-admission-plugins=NamespaceLifecycle,DefaultTolerationSeconds
+  --kube-apiserver-arg default-not-ready-toleration-seconds=300
+  --kube-apiserver-arg default-unreachable-toleration-seconds=300
+extra_agent_args: >
+  --flannel-iface wg0 
+  --node-external-ip {{hostvars[inventory_hostname]['wireguard_ip']}} 
+  {{ ['--node-label']|product(hostvars[inventory_hostname]['k3s_label'])|map('join', ' ')|join(' ') }}
+ansible_python_interpreter: /usr/bin/python3
+ansible_ssh_port: 22
+ufw_enabled: false
+wireguard_port: 51820
+wireguard_mask_bits: 8

inventory/templates/hosts.yml

@@ -0,0 +1,34 @@
+all:
+  hosts:
+    cp:
+      ansible_host: 192.168.1.1
+      is_nas: false
+      hostname: cp
+      wireguard_ip: 10.20.0.1
+      k3s_label:
+        - type=worker
+        - size=wide
+        - ingress=internal
+    vps:
+      ansible_host: 0.0.0.0
+      is_nas: false
+      hostname: vps
+      wireguard_ip: 10.20.0.250
+      k3s_label:
+        - type=outbound
+        - ingress=external
+  children:
+    server:
+      hosts:
+        cp:
+    agent:
+      hosts:
+        vps:
+    k3s_cluster:
+      children:
+        server:
+        agent:
+    wireguard_client:
+      hosts:
+        cp:
+        vps:

inventory/vars/main.yml

@@ -0,0 +1,2 @@
+ansible_ssh_private_key_file: ~/.ssh/atmen
+ansible_user: atmen

inventory/vars/unprovisioned.yml

@@ -0,0 +1,5 @@
+ansible_ssh_private_key_file: ~/.ssh/creator
+ansible_user: creator
+ansible_become_password: aberation
+ansible_ssh_port: 22
+sshd_port: 22

inventory/vars/vagrant.yml

@@ -0,0 +1 @@
+vagrant: true

k3s-ansible

@@ -0,0 +1 @@
+Subproject commit c38327927b35e7e8167cbd3e6db0d8e3f557f92c

k3s-uninstall.yml

@@ -0,0 +1,19 @@
+- hosts: all
+  gather_facts: no
+  vars_prompt:
+    - name: user_check
+      prompt: "You are about to destroy your cluster and uninstall k3s, this action is irreversible. Do you want to continue? (yes/no)"
+      private: no
+  tasks:
+    - name: Include vault vars
+      include_vars: 
+        file: "{{ playbook_dir ~ '/vault/secrets' }}"
+    - name: Include vars
+      include_vars: 
+        file: inventory/vars/main.yml
+    - name: Wait for hosts
+      ansible.builtin.wait_for_connection:
+        timeout: 60
+    - name: Uninstall k3s
+      ansible.builtin.import_playbook: k3s-ansible/reset.yml
+      when: user_check == "yes"

k3s-upgrade.yml

@@ -0,0 +1,15 @@
+- hosts: all
+  gather_facts: no
+  tasks:
+    - name: Include vault vars
+      include_vars: 
+        file: "{{ playbook_dir ~ '/vault/secrets' }}"
+    - name: Include vars
+      include_vars: 
+        file: inventory/vars/main.yml
+    - name: Wait for hosts
+      ansible.builtin.wait_for_connection:
+        timeout: 60
+- name: Upgrade k3s
+  ansible.builtin.import_playbook: k3s-ansible/upgrade.yml
+  throttle: 1

node-configuration/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

node-configuration/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+# handlers file for node-configuration
+- name: Restart sshd service
+  ansible.builtin.service:
+    name: sshd
+    state: restarted
+  listen: "restart sshd"
+  ignore_errors: yes

node-configuration/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

node-configuration/tasks/firmware_control.yml

@@ -0,0 +1,82 @@
+# TBD
+# Add fan control config for rasp 4
+---
+
+- name: Check if Raspi5
+  lineinfile:
+    path: /proc/cpuinfo
+    regexp: "Raspberry Pi 5"
+    state: absent
+  register: is_raspi5
+  check_mode: yes
+  changed_when: false
+
+- name: Check if Raspi4
+  lineinfile:
+    path: /proc/cpuinfo
+    regexp: "Raspberry Pi 4"
+    state: absent
+  register: is_raspi4
+  check_mode: yes
+  changed_when: false
+
+- name: Check if PAGESIZE has been set
+  lineinfile:
+    path: /boot/firmware/config.txt
+    regexp: "kernel=kernel8.img"
+    state: absent
+  register: has_pagesize
+  check_mode: yes
+  changed_when: false
+
+- name: Set PAGESIZE to 4k
+  blockinfile:
+    dest: /boot/firmware/config.txt
+    marker: "# {mark} ANSIBLE MANAGED BLOCK - PAGESIZE"
+    content: |
+      # Change PAGESIZE to 4k
+      kernel=kernel8.img
+  when: is_raspi5.found and not has_pagesize.found
+  register: pagesize
+
+- name: Check if manual fan control is enabled
+  lineinfile:
+    path: /boot/firmware/config.txt
+    regexp: "dtparam=pwm_fan_temp0=255"
+    state: absent
+  register: has_manual_fan_control5
+  check_mode: yes
+  changed_when: false
+
+- name: Enable manual fan control
+  blockinfile:
+    dest: /boot/firmware/config.txt
+    marker: "# {mark} ANSIBLE MANAGED BLOCK - PWM FAN CONTROL"
+    content: |
+      # Enable manual fan control
+      dtparam=pwm_fan_temp0=255
+  when: is_raspi5.found and not has_manual_fan_control5.found
+  register: fan_control
+
+- name: Check if fan control is enabled
+  lineinfile:
+    path: /boot/firmware/config.txt
+    regexp: "dtoverlay=pwm,pin=18,func=2"
+    state: absent
+  register: has_manual_fan_control4
+  check_mode: yes
+  changed_when: false
+
+- name: Enable fan control
+  blockinfile:
+    dest: /boot/firmware/config.txt
+    content: |
+      # Enable fan control
+      dtoverlay=pwm,pin=18,func=2
+  when: is_raspi4.found and not has_manual_fan_control4.found
+  register: fan_control
+
+- name: Reboot to apply changes
+  ansible.builtin.reboot:
+  when: fan_control.changed or (pagesize and pagesize.changed)
+

node-configuration/tasks/journalctl.yml

@@ -0,0 +1,20 @@
+---
+- name: Ensures journalctl dir exists
+  file: 
+    path: /etc/systemd 
+    state: directory
+
+- name: Configure journalctl
+  copy:
+    src: ../templates/journald.conf
+    dest: /etc/systemd/journald.conf
+    backup: yes
+  register: journalctl_conf
+
+- name: Restart journalctl service
+  ansible.builtin.systemd:
+    name: systemd-journald
+    state: restarted
+    daemon_reload: true
+    enabled: true
+  when: journalctl_conf.changed

node-configuration/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+- name: Configure and harden SSH
+  import_tasks: ./ssh.yml
+  become: yes
+
+- name: Configure journalctl
+  import_tasks: ./journalctl.yml
+  become: yes
+
+- name: Miscellaneous operations
+  import_tasks: ./misc.yml
+  become: yes
+
+- name: Firmware modifications
+  import_tasks: ./firmware_control.yml
+  become: yes
+
+- name: Install OpenMediaVault
+  import_tasks: ./omv.yaml
+  become: yes
+  when: is_nas|bool == true

node-configuration/tasks/misc.yml

@@ -0,0 +1,54 @@
+---
+- name: Check if unattended-upgrades is installed
+  ansible.builtin.package_facts:
+    manager: "auto"
+
+- name: Remove unattended-upgrades package
+  ansible.builtin.package:
+    name: unattended-upgrades
+    state: absent
+  when: "'unattended-upgrades' in ansible_facts.packages"
+
+- name: Disable IPv6
+  ansible.posix.sysctl:
+    name: net.ipv6.conf.all.disable_ipv6
+    value: '1'
+    sysctl_file: /etc/sysctl.d/70-disable-ipv6.conf
+    reload: true
+
+- name: Set node's hostname
+  ansible.builtin.hostname:
+    name: "{{ hostname }}"
+  when: hostname is defined
+
+- name: Install curl
+  ansible.builtin.package:
+      name: curl
+      state: present
+
+- name: Install nfs-common
+  ansible.builtin.package:
+      name: nfs-common
+      state: present
+
+- name: Install nfs-utils
+  ansible.builtin.package:
+      name: libnfs-utils
+      state: present
+
+- name: Install open-iscsi
+  ansible.builtin.package:
+      name: open-iscsi
+      state: present
+
+- name: Install sysstat
+  ansible.builtin.package:
+      name: sysstat
+      state: present
+
+- name: Enable sysstat service
+  ansible.builtin.systemd:
+    name: sysstat
+    enabled: true
+    state: started
+    daemon_reload: true

node-configuration/tasks/omv.yaml

@@ -0,0 +1,49 @@
+---
+- name: Install gnupg
+  ansible.builtin.package:
+    name: gnupg
+    state: present
+
+- name: Download OMV-extras
+  ansible.builtin.get_url:
+    url: https://github.com/OpenMediaVault-Plugin-Developers/installScript/raw/master/install
+    dest: /tmp/omv-extras.install
+    mode: u+rwx
+
+# B: Beta to enable installation on Debian 12
+# N: Skip networking installation
+# F: Skip flashmemory plugin installation
+- name: Install OMV-extras
+  ansible.builtin.shell: /tmp/omv-extras.install -n -f >> /tmp/omv-extras.log
+ 
+# Check for vagrant variable, indicating we are running in a lab environment
+- name: Add Vagrant user to ssh group
+  ansible.builtin.user:
+    name: vagrant
+    groups: ssh
+    append: yes
+  when: vagrant | default(false)
+
+- name: Add Ansible user to ssh group
+  ansible.builtin.user:
+    name: "{{ ansible_user_id }}"
+    groups: ssh
+    append: yes
+
+- name: Upgrade packages
+  ansible.builtin.apt:
+    update_cache: yes
+    name: "*"
+    state: latest
+
+- name: Install ZFS, S3 with Minio and Filebrowser
+  ansible.builtin.apt:
+    pkg:
+      - openmediavault-zfs
+      - openmediavault-s3
+      - openmediavault-filebrowser
+  register: plugin_install
+
+- name: Reboot to enable ZFS module and finish upgrade
+  ansible.builtin.reboot:
+  when: plugin_install.changed

node-configuration/tasks/ssh.yml

@@ -0,0 +1,21 @@
+---
+- name: Ensures fail2ban dir exists
+  file: 
+    path: /etc/fail2ban 
+    state: directory
+
+- name: Configure fail2ban
+  copy:
+    src: ../templates/fail2ban.conf
+    dest: /etc/fail2ban/fail2ban.conf
+    backup: yes
+
+- name: Update package cache (apt/Debian)
+  ansible.builtin.apt:
+    update_cache: yes
+  when: ansible_distribution == "Debian"
+
+- name: Install fail2ban
+  ansible.builtin.package:
+    name: fail2ban
+    state: present

node-configuration/tasks/users.yml

@@ -0,0 +1,21 @@
+- include_vars: ../vars/users.yml
+# Atmen : slave, servant
+- name: Add provisioning user "atmen" for ansible
+  ansible.builtin.user:
+    name: atmen
+    comment: Ansible provisioner
+    groups: sudo
+    append: yes
+
+- name: Add maintainer user
+  ansible.builtin.user:
+    name: "{{ maintainer_user }}"
+    comment: Maintainer user
+    groups: sudo
+    append: yes
+    password: "{{ maintainer_password | password_hash('sha512') }}"
+
+- name: Disable root login
+  ansible.builtin.user:
+    name: root
+    password: '*'

node-configuration/templates/fail2ban.conf

@@ -0,0 +1,967 @@
+#
+# WARNING: heavily refactored in 0.9.0 release.  Please review and
+#          customize settings for your setup.
+#
+# Changes:  in most of the cases you should not modify this
+#           file, but provide customizations in jail.local file,
+#           or separate .conf files under jail.d/ directory, e.g.:
+#
+# HOW TO ACTIVATE JAILS:
+#
+# YOU SHOULD NOT MODIFY THIS FILE.
+#
+# It will probably be overwritten or improved in a distribution update.
+#
+# Provide customizations in a jail.local file or a jail.d/customisation.local.
+# For example to change the default bantime for all jails and to enable the
+# ssh-iptables jail the following (uncommented) would appear in the .local file.
+# See man 5 jail.conf for details.
+#
+# [DEFAULT]
+# bantime = 1h
+#
+# [sshd]
+# enabled = true
+#
+# See jail.conf(5) man page for more information
+
+
+
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
+
+
+[INCLUDES]
+
+#before = paths-distro.conf
+before = paths-debian.conf
+
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+
+[DEFAULT]
+
+#
+# MISCELLANEOUS OPTIONS
+#
+
+# "ignorself" specifies whether the local resp. own IP addresses should be ignored
+# (default is true). Fail2ban will not ban a host which matches such addresses.
+#ignorself = true
+
+# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
+# will not ban a host which matches an address in this list. Several addresses
+# can be defined using space (and/or comma) separator.
+ignoreip = 127.0.0.1/8 85.129.40.199
+
+# External command that will take an tagged arguments to ignore, e.g. <ip>,
+# and return true if the IP is to be ignored. False otherwise.
+#
+# ignorecommand = /path/to/command <ip>
+ignorecommand =
+
+# "bantime" is the number of seconds that a host is banned.
+# Set to -1 for permanent
+bantime  = -1
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime  = 10m
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 5
+
+# "backend" specifies the backend used to get files modification.
+# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
+# This option can be overridden in each jail as well.
+#
+# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
+#              If pyinotify is not installed, Fail2ban will use auto.
+# gamin:     requires Gamin (a file alteration monitor) to be installed.
+#              If Gamin is not installed, Fail2ban will use auto.
+# polling:   uses a polling algorithm which does not require external libraries.
+# systemd:   uses systemd python library to access the systemd journal.
+#              Specifying "logpath" is not valid for this backend.
+#              See "journalmatch" in the jails associated filter config
+# auto:      will try to use the following backends, in order:
+#              pyinotify, gamin, polling.
+#
+# Note: if systemd backend is chosen as the default but you enable a jail
+#       for which logs are present only in its own log files, specify some other
+#       backend for that jail (e.g. polling) and provide empty value for
+#       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
+backend = auto
+
+# "usedns" specifies if jails should trust hostnames in logs,
+#   warn when DNS lookups are performed, or ignore all hostnames in logs
+#
+# yes:   if a hostname is encountered, a DNS lookup will be performed.
+# warn:  if a hostname is encountered, a DNS lookup will be performed,
+#        but it will be logged as a warning.
+# no:    if a hostname is encountered, will not be used for banning,
+#        but it will be logged as info.
+# raw:   use raw value (no hostname), allow use it for no-host filters/actions (example user)
+usedns = warn
+
+# "logencoding" specifies the encoding of the log files handled by the jail
+#   This is used to decode the lines from the log file.
+#   Typical examples:  "ascii", "utf-8"
+#
+#   auto:   will use the system locale setting
+logencoding = auto
+
+# "enabled" enables the jails.
+#  By default all jails are disabled, and it should stay this way.
+#  Enable only relevant to your setup jails in your .local or jail.d/*.conf
+#
+# true:  jail will be enabled and log files will get monitored for changes
+# false: jail is not enabled
+enabled = true
+
+
+# "mode" defines the mode of the filter (see corresponding filter implementation for more info).
+mode = normal
+
+# "filter" defines the filter to use by the jail.
+#  By default jails have names matching their filter name
+#
+filter = %(__name__)s[mode=%(mode)s]
+
+
+#
+# ACTIONS
+#
+
+# Some options used for actions
+
+# Destination email address used solely for the interpolations in
+# jail.{conf,local,d/*} configuration files.
+destemail = root@localhost
+
+# Sender email address used solely for some actions
+sender = root@<fq-hostname>
+
+# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
+# mailing. Change mta configuration parameter to mail if you want to
+# revert to conventional 'mail'.
+mta = sendmail
+
+# Default protocol
+protocol = tcp
+
+# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
+chain = <known/chain>
+
+# Ports to be banned
+# Usually should be overridden in a particular jail
+port = 0:65535
+
+# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
+fail2ban_agent = Fail2Ban/%(fail2ban_version)s
+
+#
+# Action shortcuts. To be used to define action parameter
+
+# Default banning action (e.g. iptables, iptables-new,
+# iptables-multiport, shorewall, etc) It is used to define
+# action_* variables. Can be overridden globally or per
+# section within jail.local file
+banaction = iptables-multiport
+banaction_allports = iptables-allports
+
+# The simplest action to take: ban only
+action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report to the destemail.
+action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+
+# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
+#
+# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
+# to the destemail.
+action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
+
+# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
+                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+
+# Report block via blocklist.de fail2ban reporting service API
+# 
+# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
+# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
+# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
+# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in 
+# corresponding jail.d/my-jail.local file).
+#
+action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
+
+# Report ban via badips.com, and use as blacklist
+#
+# See BadIPsAction docstring in config/action.d/badips.py for
+# documentation for this action.
+#
+# NOTE: This action relies on banaction being present on start and therefore
+# should be last action defined for a jail.
+#
+action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
+#
+# Report ban via badips.com (uses action.d/badips.conf for reporting only)
+#
+action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
+
+# Report ban via abuseipdb.com.
+#
+# See action.d/abuseipdb.conf for usage example and details.
+#
+action_abuseipdb = abuseipdb
+
+# Choose default action.  To change, just override value of 'action' with the
+# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
+# globally (section [DEFAULT]) or per specific section
+action = %(action_)s
+
+
+#
+# JAILS
+#
+
+#
+# SSH servers
+#
+
+[sshd]
+
+# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
+# normal (default), ddos, extra or aggressive (combines all).
+# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
+#mode   = normal
+port    = ssh
+logpath = %(sshd_log)s
+backend = %(sshd_backend)s
+
+
+[dropbear]
+
+enabled  = false
+port     = ssh
+logpath  = %(dropbear_log)s
+backend  = %(dropbear_backend)s
+
+
+[selinux-ssh]
+
+enabled  = false
+port     = ssh
+logpath  = %(auditd_log)s
+
+
+#
+# HTTP servers
+#
+
+[apache-auth]
+
+enabled  = false
+port     = http,https
+logpath  = %(apache_error_log)s
+
+
+[apache-badbots]
+# Ban hosts which agent identifies spammer robots crawling the web
+# for email addresses. The mail outputs are buffered.
+enabled  = false
+port     = http,https
+logpath  = %(apache_access_log)s
+bantime  = 48h
+maxretry = 1
+
+
+[apache-noscript]
+
+enabled  = false
+port     = http,https
+logpath  = %(apache_error_log)s
+
+
+[apache-overflows]
+
+enabled  = false
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-nohome]
+
+enabled  = false
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-botsearch]
+
+enabled  = false
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-fakegooglebot]
+
+enabled  = false
+port     = http,https
+logpath  = %(apache_access_log)s
+maxretry = 1
+ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
+
+
+[apache-modsecurity]
+
+enabled  = false
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-shellshock]
+
+enabled  = false
+port    = http,https
+logpath = %(apache_error_log)s
+maxretry = 1
+
+
+[openhab-auth]
+
+enabled  = false
+filter = openhab
+action = iptables-allports[name=NoAuthFailures]
+logpath = /opt/openhab/logs/request.log
+
+
+[nginx-http-auth]
+
+enabled  = false
+port    = http,https
+logpath = %(nginx_error_log)s
+
+# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` 
+# and define `limit_req` and `limit_req_zone` as described in nginx documentation
+# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
+# or for example see in 'config/filter.d/nginx-limit-req.conf'
+[nginx-limit-req]
+enabled  = false
+port    = http,https
+logpath = %(nginx_error_log)s
+
+[nginx-botsearch]
+
+enabled  = false
+port     = http,https
+logpath  = %(nginx_error_log)s
+maxretry = 2
+
+
+# Ban attackers that try to use PHP's URL-fopen() functionality
+# through GET/POST variables. - Experimental, with more than a year
+# of usage in production environments.
+
+[php-url-fopen]
+
+enabled  = false
+port    = http,https
+logpath = %(nginx_access_log)s
+          %(apache_access_log)s
+
+
+[suhosin]
+
+enabled  = false
+port    = http,https
+logpath = %(suhosin_log)s
+
+
+[lighttpd-auth]
+# Same as above for Apache's mod_auth
+# It catches wrong authentifications
+enabled  = false
+port    = http,https
+logpath = %(lighttpd_error_log)s
+
+
+#
+# Webmail and groupware servers
+#
+
+[roundcube-auth]
+
+enabled  = false
+port     = http,https
+logpath  = %(roundcube_errors_log)s
+# Use following line in your jail.local if roundcube logs to journal.
+#backend = %(syslog_backend)s
+
+
+[openwebmail]
+
+enabled  = false
+port     = http,https
+logpath  = /var/log/openwebmail.log
+
+
+[horde]
+
+enabled  = false
+port     = http,https
+logpath  = /var/log/horde/horde.log
+
+
+[groupoffice]
+
+enabled  = false
+port     = http,https
+logpath  = /home/groupoffice/log/info.log
+
+
+[sogo-auth]
+# Monitor SOGo groupware server
+# without proxy this would be:
+# port    = 20000
+enabled  = false
+port     = http,https
+logpath  = /var/log/sogo/sogo.log
+
+
+[tine20]
+
+enabled  = false
+logpath  = /var/log/tine20/tine20.log
+port     = http,https
+
+
+#
+# Web Applications
+#
+#
+
+[drupal-auth]
+
+enabled  = false
+port     = http,https
+logpath  = %(syslog_daemon)s
+backend  = %(syslog_backend)s
+
+[guacamole]
+
+enabled  = false
+port     = http,https
+logpath  = /var/log/tomcat*/catalina.out
+
+[monit]
+#Ban clients brute-forcing the monit gui login
+enabled  = false
+port = 2812
+logpath  = /var/log/monit
+
+
+[webmin-auth]
+
+enabled  = false
+port    = 10000
+logpath = %(syslog_authpriv)s
+backend = %(syslog_backend)s
+
+
+[froxlor-auth]
+
+enabled  = false
+port    = http,https
+logpath  = %(syslog_authpriv)s
+backend  = %(syslog_backend)s
+
+
+#
+# HTTP Proxy servers
+#
+#
+
+[squid]
+
+enabled  = false
+port     =  80,443,3128,8080
+logpath = /var/log/squid/access.log
+
+
+[3proxy]
+
+enabled  = false
+port    = 3128
+logpath = /var/log/3proxy.log
+
+
+#
+# FTP servers
+#
+
+
+[proftpd]
+
+enabled  = false
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(proftpd_log)s
+backend  = %(proftpd_backend)s
+
+
+[pure-ftpd]
+
+enabled  = false
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(pureftpd_log)s
+backend  = %(pureftpd_backend)s
+
+
+[gssftpd]
+
+enabled  = false
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(syslog_daemon)s
+backend  = %(syslog_backend)s
+
+
+[wuftpd]
+
+enabled  = false
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(wuftpd_log)s
+backend  = %(wuftpd_backend)s
+
+
+[vsftpd]
+# or overwrite it in jails.local to be
+# logpath = %(syslog_authpriv)s
+# if you want to rely on PAM failed login attempts
+# vsftpd's failregex should match both of those formats
+enabled  = false
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(vsftpd_log)s
+
+
+#
+# Mail servers
+#
+
+# ASSP SMTP Proxy Jail
+[assp]
+
+enabled  = false
+port     = smtp,465,submission
+logpath  = /root/path/to/assp/logs/maillog.txt
+
+
+[courier-smtp]
+
+enabled  = false
+port     = smtp,465,submission
+logpath  = %(syslog_mail)s
+backend  = %(syslog_backend)s
+
+
+[postfix]
+# To use another modes set filter parameter "mode" in jail.local:
+mode    = more
+enabled  = false
+port    = smtp,465,submission
+logpath = %(postfix_log)s
+backend = %(postfix_backend)s
+
+
+[postfix-rbl]
+
+filter   = postfix[mode=rbl]
+enabled  = false
+port     = smtp,465,submission
+logpath  = %(postfix_log)s
+backend  = %(postfix_backend)s
+maxretry = 1
+
+
+[sendmail-auth]
+
+enabled  = false
+port    = submission,465,smtp
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+[sendmail-reject]
+# To use more aggressive modes set filter parameter "mode" in jail.local:
+# normal (default), extra or aggressive
+# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
+#mode    = normal
+enabled  = false
+port     = smtp,465,submission
+logpath  = %(syslog_mail)s
+backend  = %(syslog_backend)s
+
+
+[qmail-rbl]
+
+filter  = qmail
+enabled  = false
+port    = smtp,465,submission
+logpath = /service/qmail/log/main/current
+
+
+# dovecot defaults to logging to the mail syslog facility
+# but can be set by syslog_facility in the dovecot configuration.
+[dovecot]
+
+enabled  = false
+port    = pop3,pop3s,imap,imaps,submission,465,sieve
+logpath = %(dovecot_log)s
+backend = %(dovecot_backend)s
+
+
+[sieve]
+
+enabled  = false
+port   = smtp,465,submission
+logpath = %(dovecot_log)s
+backend = %(dovecot_backend)s
+
+
+[solid-pop3d]
+
+enabled  = false
+port    = pop3,pop3s
+logpath = %(solidpop3d_log)s
+
+
+[exim]
+# see filter.d/exim.conf for further modes supported from filter:
+#mode = normal
+enabled  = false
+port   = smtp,465,submission
+logpath = %(exim_main_log)s
+
+
+[exim-spam]
+
+enabled  = false
+port   = smtp,465,submission
+logpath = %(exim_main_log)s
+
+
+[kerio]
+
+enabled  = false
+port    = imap,smtp,imaps,465
+logpath = /opt/kerio/mailserver/store/logs/security.log
+
+
+#
+# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
+# all relevant ports get banned
+#
+
+[courier-auth]
+
+enabled  = false
+port     = smtp,465,submission,imap,imaps,pop3,pop3s
+logpath  = %(syslog_mail)s
+backend  = %(syslog_backend)s
+
+
+[postfix-sasl]
+
+filter   = postfix[mode=auth]
+enabled  = false
+port     = smtp,465,submission,imap,imaps,pop3,pop3s
+# You might consider monitoring /var/log/mail.warn instead if you are
+# running postfix since it would provide the same log lines at the
+# "warn" level but overall at the smaller filesize.
+logpath  = %(postfix_log)s
+backend  = %(postfix_backend)s
+
+
+[perdition]
+
+enabled  = false
+port   = imap,imaps,pop3,pop3s
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+[squirrelmail]
+
+enabled  = false
+port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
+logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
+
+
+[cyrus-imap]
+
+enabled  = false
+port   = imap,imaps
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+[uwimap-auth]
+
+enabled  = false
+port   = imap,imaps
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+#
+#
+# DNS servers
+#
+
+
+# !!! WARNING !!!
+#   Since UDP is connection-less protocol, spoofing of IP and imitation
+#   of illegal actions is way too simple.  Thus enabling of this filter
+#   might provide an easy way for implementing a DoS against a chosen
+#   victim. See
+#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+#   Please DO NOT USE this jail unless you know what you are doing.
+#
+# IMPORTANT: see filter.d/named-refused for instructions to enable logging
+# This jail blocks UDP traffic for DNS requests.
+# [named-refused-udp]
+#
+# filter   = named-refused
+# port     = domain,953
+# protocol = udp
+# logpath  = /var/log/named/security.log
+
+# IMPORTANT: see filter.d/named-refused for instructions to enable logging
+# This jail blocks TCP traffic for DNS requests.
+
+[named-refused]
+
+enabled  = false
+port     = domain,953
+logpath  = /var/log/named/security.log
+
+
+[nsd]
+
+enabled  = false
+port     = 53
+action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+logpath = /var/log/nsd.log
+
+
+#
+# Miscellaneous
+#
+
+[asterisk]
+
+enabled  = false
+port     = 5060,5061
+action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
+logpath  = /var/log/asterisk/messages
+maxretry = 10
+
+
+[freeswitch]
+
+enabled  = false
+port     = 5060,5061
+action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
+logpath  = /var/log/freeswitch.log
+maxretry = 10
+
+
+# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
+# equivalent section:
+# log-warning = 2
+#
+# for syslog (daemon facility)
+# [mysqld_safe]
+# syslog
+#
+# for own logfile
+# [mysqld]
+# log-error=/var/log/mysqld.log
+[mysqld-auth]
+
+enabled  = false
+port     = 3306
+logpath  = %(mysql_log)s
+backend  = %(mysql_backend)s
+
+
+# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
+[mongodb-auth]
+# change port when running with "--shardsvr" or "--configsvr" runtime operation
+enabled  = false
+port     = 27017
+logpath  = /var/log/mongodb/mongodb.log
+
+
+# Jail for more extended banning of persistent abusers
+# !!! WARNINGS !!!
+# 1. Make sure that your loglevel specified in fail2ban.conf/.local
+#    is not at DEBUG level -- which might then cause fail2ban to fall into
+#    an infinite loop constantly feeding itself with non-informative lines
+# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
+#    to maintain entries for failed logins for sufficient amount of time
+[recidive]
+
+logpath  = /var/log/fail2ban.log
+banaction = %(banaction_allports)s
+bantime  = -1
+findtime = 1d
+
+
+# Generic filter for PAM. Has to be used with action which bans all
+# ports such as iptables-allports, shorewall
+
+[pam-generic]
+# pam-generic filter can be customized to monitor specific subset of 'tty's
+banaction = %(banaction_allports)s
+logpath  = %(syslog_authpriv)s
+backend  = %(syslog_backend)s
+
+
+[xinetd-fail]
+
+banaction = iptables-multiport-log
+logpath   = %(syslog_daemon)s
+backend   = %(syslog_backend)s
+maxretry  = 2
+
+
+# stunnel - need to set port for this
+[stunnel]
+
+enabled = false
+logpath = /var/log/stunnel4/stunnel.log
+
+
+[ejabberd-auth]
+
+enabled = false
+port    = 5222
+logpath = /var/log/ejabberd/ejabberd.log
+
+
+[counter-strike]
+
+enabled = false
+logpath = /opt/cstrike/logs/L[0-9]*.log
+# Firewall: http://www.cstrike-planet.com/faq/6
+tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
+udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
+action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+           %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+
+# consider low maxretry and a long bantime
+# nobody except your own Nagios server should ever probe nrpe
+[nagios]
+
+enabled = false
+logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility
+backend  = %(syslog_backend)s
+maxretry = 1
+
+
+[oracleims]
+# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
+enabled = false
+logpath = /opt/sun/comms/messaging64/log/mail.log_current
+banaction = %(banaction_allports)s
+
+[directadmin]
+enabled = false
+logpath = /var/log/directadmin/login.log
+port = 2222
+
+[portsentry]
+enabled = false
+logpath  = /var/lib/portsentry/portsentry.history
+maxretry = 1
+
+[pass2allow-ftp]
+# this pass2allow example allows FTP traffic after successful HTTP authentication
+enabled = false
+port         = ftp,ftp-data,ftps,ftps-data
+# knocking_url variable must be overridden to some secret value in jail.local
+knocking_url = /knocking/
+filter       = apache-pass[knocking_url="%(knocking_url)s"]
+# access log of the website with HTTP auth
+logpath      = %(apache_access_log)s
+blocktype    = RETURN
+returntype   = DROP
+action       = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s]
+bantime      = 1h
+maxretry     = 1
+findtime     = 1
+
+
+[murmur]
+# AKA mumble-server
+enabled = false
+port     = 64738
+action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
+           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
+logpath  = /var/log/mumble-server/mumble-server.log
+
+
+[screensharingd]
+# For Mac OS Screen Sharing Service (VNC)
+enabled = false
+logpath  = /var/log/system.log
+logencoding = utf-8
+
+[haproxy-http-auth]
+# HAProxy by default doesn't log to file you'll need to set it up to forward
+# logs to a syslog server which would then write them to disk.
+# See "haproxy-http-auth" filter for a brief cautionary note when setting
+# maxretry and findtime.
+enabled = false
+logpath  = /var/log/haproxy.log
+
+[slapd]
+enabled = false
+port    = ldap,ldaps
+logpath = /var/log/slapd.log
+
+[domino-smtp]
+enabled = false
+port    = smtp,ssmtp
+logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log
+
+[phpmyadmin-syslog]
+enabled = false
+port    = http,https
+logpath = %(syslog_authpriv)s
+backend = %(syslog_backend)s
+
+
+[zoneminder]
+# Zoneminder HTTP/HTTPS web interface auth
+# Logs auth failures to apache2 error log
+enabled = false
+port    = http,https
+logpath = %(apache_error_log)s
+

node-configuration/templates/journald.conf

@@ -0,0 +1,4 @@
+[Journal]
+SystemMaxUse=256M
+RuntimeMaxUse=128M
+MaxFileSec=1month

user-provision/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

user-provision/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+- name: Restart sshd service
+  ansible.builtin.service:
+    name: sshd
+    state: restarted
+  listen: "restart sshd"
+  ignore_errors: yes
+  become: yes

user-provision/meta/main.yml

@@ -0,0 +1,34 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

user-provision/tasks/main.yml

@@ -0,0 +1,66 @@
+- block:
+  - include_vars: "{{ playbook_dir ~ '/vault/user_provisioning' }}"
+  # Atmen : slave, servant
+  - name: Add provisioning user "atmen" for ansible
+    ansible.builtin.user:
+      name: atmen
+      comment: Ansible provisioner
+      groups: sudo
+      append: yes
+      shell: /bin/bash
+      password: "{{ vault_atmen_password | password_hash('sha512') }}"
+
+  - name: Set authorized key for atmen
+    ansible.posix.authorized_key:
+      user: atmen
+      state: present
+      key: "{{ lookup('file', atmen_ssh_key_host_path) }}"
+
+  - name: Add maintainer user
+    ansible.builtin.user:
+      name: "{{ vault_maintainer_user }}"
+      comment: Maintainer user
+      groups: sudo
+      append: yes
+      shell: /bin/bash
+      password: "{{ vault_maintainer_password | password_hash('sha512') }}"
+
+  - name: Set authorized key for maintainer user
+    ansible.posix.authorized_key:
+      user: "{{ vault_maintainer_user }}"
+      state: present
+      key: "{{ lookup('file', maintainer_ssh_key_host_path) }}"
+
+  - name: Disable root login
+    ansible.builtin.user:
+      name: root
+      password: '*'
+
+  - name: Disable SSH login for creator
+    ansible.builtin.lineinfile:
+      path: /etc/ssh/sshd_config
+      line: DenyUsers creator
+      state: present
+
+  - name: Disable password login
+    lineinfile:
+      dest: "/etc/ssh/sshd_config"
+      regexp: '^(#\s*)?PasswordAuthentication '
+      line: "PasswordAuthentication no"
+    notify: restart sshd
+
+  - name: Remove SSH message
+    ansible.builtin.file:
+      path: /etc/ssh/sshd_config.d/rename_user.conf
+      state: absent
+    ignore_errors: yes
+
+  - name: Change SSH port
+    lineinfile:
+      dest: "/etc/ssh/sshd_config"
+      regexp: "^Port "
+      line: "Port {{ sshd_port }}"
+    notify: restart sshd
+    changed_when: true
+
+  become: yes

user-provision/vars/main.yml

@@ -0,0 +1,3 @@
+---
+atmen_ssh_key_host_path: ~/.ssh/atmen.pub
+maintainer_ssh_key_host_path: ~/.ssh/maintainer.pub

wireguard

@@ -0,0 +1 @@
+Subproject commit 11883d85c9ad3ff5b70e6e252111d39b5a32284d