Compare commits

...

42 Commits

Author SHA1 Message Date
c779f9cc7e feat(users): Add user creation and refine provision 2024-08-04 19:41:35 +02:00
7dea909100 fix(vars): Set proper IPs for k3s configuration on Wireguard 2024-06-20 14:48:29 +02:00
724cb89683 fix: Local cluster installation 2024-02-28 17:34:57 +01:00
a16d3d0773 chore: Bump k3s-ansible version 2024-02-02 13:49:05 +01:00
aae49a299f chore(lint): Add ansible lint configuration file 2024-01-14 01:34:34 +01:00
6a3922eb78 feat(omv): Restart NAS only after plugin installation 2024-01-14 01:34:08 +01:00
f45e372bbe feat(k3s): Update group_vars to work with tailscale configuration 2024-01-14 01:33:41 +01:00
29ffd36261 chore(init): Fix linting errors 2024-01-14 01:33:14 +01:00
f3cda8f36c feat(tailscale): Complete configuration 2024-01-14 01:31:57 +01:00
73e48b3203 WIP(headscale): Start migration 2023-12-05 10:03:09 +01:00
f98a2a63c3 fix(OMV): Enable SSH after installation and update version 2023-12-05 10:02:01 +01:00
ecfad95853 docs(README): Add TODO items for creator provisioning 2023-12-02 18:03:59 +01:00
1c4b20430f fix(omv): Add vagrant and ansible user to ssh group 2023-12-02 17:59:52 +01:00
c0bdaf0315 docs(README): Add OMV documentation 2023-11-12 23:04:38 +01:00
4c6e278623 chore(group_vars): Remove unused entries 2023-10-30 16:57:59 +01:00
920407620d feat(Configuration): Remove SSH fingerprint check and useless comment 2023-10-23 14:25:09 +02:00
2c1968e159 fix(fail2ban): Add package cache update 2023-10-22 12:50:14 +02:00
79b14782fc chore(Cleaning): Remove legacy dependency and update k3s installation process 2023-10-22 12:34:22 +02:00
a802758168 Merge branch 'dev' of https://git.halia.dev/athens-school/ansible into dev 2023-04-11 10:24:26 +02:00
4b572ec302 feat(setup): Add NFS dependencies 2023-04-11 10:23:23 +02:00
cded5d886c refactor(OMV): Install OMV through OMV-Extra script 2023-04-11 10:22:52 +02:00
2626e7d15a build(makefile): improve stacked execution with custom environments, for better summary 2023-03-06 15:03:09 +01:00
ff5e321b1a feat(k3s): Add label injection for nodes 2023-03-05 12:23:42 +01:00
96ccae1b22 chore(k3s): Bump version 2023-03-05 12:23:16 +01:00
f568a97b10 feat(k3s): Disable embeded LB 2022-11-16 23:53:26 +01:00
234e986eff Holyday tmp 2022-06-24 20:38:52 +02:00
f40d2eeeba Fix submodules 2022-06-11 02:40:21 +02:00
7f72142755 Add Makefile to easy start some scenarios 2022-06-11 02:33:04 +02:00
9a6e3b904c Simplify init.yml file construction 2022-06-11 02:32:48 +02:00
886232e1aa Fix Fail2ban installation process 2022-06-11 02:32:23 +02:00
09376d3cd1 Remove temporary file 2022-06-11 02:31:46 +02:00
05cb4ceb48 Remove legacy scripts and tasks 2022-06-11 02:31:29 +02:00
bdc1667dcb Add inventory hierarchy and temporary hosts 2022-06-11 02:30:35 +02:00
39a5980f43 Add wireguard playbook repository 2022-06-11 02:28:30 +02:00
ecdfa19fd2 Add additional step to README 2022-06-11 02:27:58 +02:00
60d090a5ea Add k3s-ansible playbook from Jeff Geerling 2022-06-11 02:22:02 +02:00
93f9bdd953 Add basic playbook for node setup 2022-05-26 01:24:56 +02:00
88bbe3a882 Update gitlab role + add misc role 2022-02-14 01:02:14 +01:00
d2e59d6bbb Add temporary devops rework 2022-02-11 17:49:06 +01:00
cc46c0e89e Add gitlab role with backup task 2022-02-09 00:04:05 +01:00
e400549073 Add install steps for k3s 2022-02-04 00:19:45 +01:00
960c02f914 Development of auto-inventory 2021-10-16 18:29:06 +02:00
49 changed files with 2256 additions and 1 deletions

2
.ansible-lint Normal file
View File

@ -0,0 +1,2 @@
skip_list:
- 'fqcn-builtins'

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
vault
.vault_pass

9
.gitmodules vendored Normal file
View File

@ -0,0 +1,9 @@
[submodule "wireguard"]
path = wireguard
url = https://github.com/jawher/automation-wireguard
[submodule "k3s-ansible"]
path = k3s-ansible
url = https://github.com/k3s-io/k3s-ansible
[submodule "postgresql_cluster"]
path = postgresql_cluster
url = https://github.com/vitabaks/postgresql_cluster.git

20
Makefile Normal file
View File

@ -0,0 +1,20 @@
init:
ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "init.yml"
install:
ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "bootstrap.yml" --extra-vars "enable_setup=true enable_wireguard=true enable_k3s=true"
wg:
ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "bootstrap.yml" --extra-vars "enable_wireguard=true enable_k3s=false"
k3s:
ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "bootstrap.yml" --extra-vars "enable_wireguard=false enable_k3s=true"
uninstall:
ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "k3s-ansible/reset.yml"
ping:
ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible all -i inventory/hosts.yml --extra-vars "@inventory/vars/main.yaml" -m ping
ping-unprovisioned:
ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible all -i inventory/unprovisioned.yml -m ping

View File

@ -1,3 +1,64 @@
# Ansible
Catalogue of Ansible playbooks and helper scripts for server management
atmen: slave, servant
## Configuration options
### SSH Ports
The ssh port can be configured in 2 steps:
1. Change the `ansible_ssh_port` variable in `inventory/group_vars/all.yml`
2. Change the `sshd_port` variable in `inventory/vars/unprovisioned.yaml`
## Node configuration process
### Provisioning
- Add atmen user for provisioning
- Configure SSH key for atmen user
- Add maintainer user
- Configure SSH key for maintainer user
- Disable root login (passwd --lock root)
- Disable SSH login for creator user
- Disable SSH password login
- Change SSH port
### SSH Setup
- Install fail2ban
### Miscellaneous
- Disable unattended-upgrade is installed
- Disable IPv6
- Setup hostname
- Install open-iscsi, nfs-common, nfs-utils
### OMV configuration
- Install OMV through OMV-extras
- (lab) Add Vagrant user to SSH group
- Add atmen user to sudoers
- Install openmediavault-zfs, openmediavault-s3, openmediavault-filebrowser
# OMV manual configuration
## NFS configuration
- Create FS
- Enable NFS
- `subtree_check,insecure,no_root_squash,anonuid=1000,anongid=100` in NFS share extra options
# Vault
Sensitive data is stored under two files in the `vault` directory:
- `user_provisioning.yml` contains the vault password
- `vault.yml` contains the sensitive data
## user_provisioning.yml
Configure users for provisioning and manual maintenance
```yaml
vault_atmen_password: <atmen_password>
vault_maintainer_user: <your_user>
vault_maintainer_password: <maintainer_password>
```
## vault.yml
Configure k3s secrets
```yaml
ansible_become_password: <atmen_password>
token: <k3s_token>
```
To avoid pasting your vault password everytime, you can create a `.vault_pass` file in the root directory with the vault password.

6
backup.yml Normal file
View File

@ -0,0 +1,6 @@
---
- hosts: all
roles:
- role: gitlab
tags: backup

29
bootstrap.yml Normal file
View File

@ -0,0 +1,29 @@
---
- hosts: all
gather_facts: no
tasks:
- name: Include vault vars
include_vars:
file: "{{ playbook_dir ~ '/vault/secrets' }}"
- name: Include vars
include_vars:
file: inventory/vars/main.yaml
- name: Wait for hosts
ansible.builtin.wait_for_connection:
timeout: 60
- name: Gathering facts
setup:
- name: Start basic node configuration
include_role:
name: node-configuration
when: enable_setup | bool
- name: Configure headscale
include_role:
name: headscale
when: enable_headscale|bool
- name: Configure wireguard
ansible.builtin.import_playbook: wireguard/wireguard.yml
when: enable_wireguard|bool
- name: Configure k3s
ansible.builtin.import_playbook: k3s-ansible/site.yml
when: enable_k3s | bool

29
gitlab/.travis.yml Normal file
View File

@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

38
gitlab/README.md Normal file
View File

@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

6
gitlab/defaults/main.yml Normal file
View File

@ -0,0 +1,6 @@
---
# defaults file for gitlab
gitlab_container_name: gitlab
gitlab_backup_directory: /opt/services/gitlab
gitlab_local_backup_directory: /home/tanguy/backups/
gitlab_host: pythagoras-b

2
gitlab/handlers/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# handlers file for gitlab

3
gitlab/meta/main.yml Normal file
View File

@ -0,0 +1,3 @@
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

29
gitlab/tasks/backup.yml Normal file
View File

@ -0,0 +1,29 @@
---
# tasks file for gitlab
- name: Ensure a gitlab container is running.
docker_container:
name: "{{ gitlab_container_name }}"
state: present
image: gitlab/gitlab-ce
comparisons:
'*': ignore
- name: Start gitlab backup
community.docker.docker_container_exec:
container: "{{ gitlab_container_name }}"
command: gitlab-backup create GZIP_RSYNCABLE=yes SKIP=registry
- name: Get list of backups
find:
paths: "{{ gitlab_backup_directory }}"
register: found_files
- name: Get latest backup
set_fact:
latest_file: "{{ found_files.files | sort(attribute='mtime',reverse=true) | first }}"
- name: Download latest backup from remote
ansible.posix.synchronize:
src: "{{ latest_file.path }}"
dest: "{{ gitlab_local_backup_directory }}"/backups
mode: pull

7
gitlab/tasks/main.yml Normal file
View File

@ -0,0 +1,7 @@
---
- name: Init backup procedure
include_tasks: backup.yml
when: inventory_hostname in groups['{{ gitlab_host }}']
tags:
- gitlab

2
gitlab/tests/inventory Normal file
View File

@ -0,0 +1,2 @@
localhost

5
gitlab/tests/test.yml Normal file
View File

@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- gitlab

2
gitlab/vars/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# vars file for gitlab

38
headscale/README.md Normal file
View File

@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

View File

@ -0,0 +1,2 @@
---
# defaults file for headscale

View File

@ -0,0 +1,2 @@
---
# handlers file for headscale

52
headscale/meta/main.yml Normal file
View File

@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

82
headscale/tasks/main.yml Normal file
View File

@ -0,0 +1,82 @@
---
# tasks file for headscale
- name: Check if tailscale (client) is installed
shell: command -v tailscale >/dev/null 2>&1
register: tailscale_exists
ignore_errors: true
changed_when: false
- name: Check if headscale is installed
shell: command -v headscale >/dev/null 2>&1
register: headscale_exists
ignore_errors: true
changed_when: false
- name: Download headscale binary (arm64)
get_url:
url: https://github.com/juanfont/headscale/releases/download/v0.22.3/headscale_0.22.3_linux_arm64.deb
dest: /tmp/headscale_install.deb
mode: u+rwx
when: ansible_architecture == "aarch64" and inventory_hostname in groups['headscale_server']
- name: Download headscale binary (amd64)
get_url:
url: https://github.com/juanfont/headscale/releases/download/v0.22.3/headscale_0.22.3_linux_amd64.deb
dest: /tmp/headscale_install.deb
mode: u+rwx
when: ansible_architecture == "x86_64" and inventory_hostname in groups['headscale_server']
- name: Download tailscale install script
get_url:
url: https://tailscale.com/install.sh
dest: /tmp/tailscale_install.sh
mode: u+rwx
when: tailscale_exists.rc != 0
- name: Install headscale (server)
apt:
deb: /tmp/headscale_install.deb
become: true
when: inventory_hostname in groups['headscale_server']
- name: Install tailscale (client)
command: /tmp/tailscale_install.sh
become: true
when: tailscale_exists.rc != 0
changed_when: true
- name: Enable and start headscale server
service:
name: headscale
state: started
enabled: true
become: true
when: inventory_hostname in groups['headscale_server']
- name: Create headscale users
loop: "{{ groups['all'] }}"
command: headscale users create "{{ item }}"
when: inventory_hostname in groups['headscale_server']
become: true
- name: Generate pre authentication keys
with_items: "{{ groups['all'] }}"
command: headscale --user "{{ item }}" preauthkeys create --expiration 1h
when: inventory_hostname in groups['headscale_server']
become: true
register: headscale_preauthkey
- name: Register clients
with_items: "{{ hostvars[groups['headscale_server'][0]].headscale_preauthkey.results }}"
command: |
tailscale up --reset --login-server
http://"{{ hostvars[groups['headscale_server'][0]]['ansible_default_ipv4']['address'] }}":8080
--auth-key "{{ item.stdout }}"
become: true
when: inventory_hostname in groups['all'] and inventory_hostname in item['item']
- name: Advertise exit nodes
command: tailscale set --advertise-exit-node
become: true
when: inventory_hostname in groups['headscale_server']

View File

@ -0,0 +1,369 @@
---
# headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order:
#
# - `/etc/headscale`
# - `~/.headscale`
# - current working directory
# The url clients will connect to.
# Typically this will be a domain like:
#
# https://myheadscale.example.com:443
#
server_url: {{ headscale_url }}
# Address to listen to / bind to on the server
#
# For production:
# listen_addr: 0.0.0.0:8080
listen_addr: {{ ansible_default_ipv4.address }}
# Address to listen to /metrics, you may want
# to keep this endpoint private to your internal
# network
#
metrics_listen_addr: {{ hostvars[peer].headscale_ip }}
# Address to listen for gRPC.
# gRPC is used for controlling a headscale server
# remotely with the CLI
# Note: Remote access _only_ works if you have
# valid certificates.
#
# For production:
# grpc_listen_addr: 0.0.0.0:50443
grpc_listen_addr: 127.0.0.1:50443
# Allow the gRPC admin interface to run in INSECURE
# mode. This is not recommended as the traffic will
# be unencrypted. Only enable if you know what you
# are doing.
grpc_allow_insecure: false
# The Noise section includes specific configuration for the
# TS2021 Noise protocol
noise:
# The Noise private key is used to encrypt the
# traffic between headscale and Tailscale clients when
# using the new Noise-based protocol.
private_key_path: /var/lib/headscale/noise_private.key
# List of IP prefixes to allocate tailaddresses from.
# Each prefix consists of either an IPv4 or IPv6 address,
# and the associated prefix length, delimited by a slash.
# It must be within IP ranges supported by the Tailscale
# client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
# See below:
# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
# Any other range is NOT supported, and it will cause unexpected issues.
ip_prefixes:
- fd7a:115c:a1e0::/48
- 100.64.0.0/10
# DERP is a relay system that Tailscale uses when a direct
# connection cannot be established.
# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
#
# headscale needs a list of DERP servers that can be presented
# to the clients.
derp:
server:
# If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
# The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
enabled: false
# Region ID to use for the embedded DERP server.
# The local DERP prevails if the region ID collides with other region ID coming from
# the regular DERP config.
region_id: 999
# Region code and name are displayed in the Tailscale UI to identify a DERP region
region_code: "headscale"
region_name: "Headscale Embedded DERP"
# Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
# When the embedded DERP server is enabled stun_listen_addr MUST be defined.
#
# For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
stun_listen_addr: "0.0.0.0:3478"
# Private key used to encrypt the traffic between headscale DERP
# and Tailscale clients.
# The private key file will be autogenerated if it's missing.
#
private_key_path: /var/lib/headscale/derp_server_private.key
# List of externally available DERP maps encoded in JSON
urls:
- https://controlplane.tailscale.com/derpmap/default
# Locally available DERP map files encoded in YAML
#
# This option is mostly interesting for people hosting
# their own DERP servers:
# https://tailscale.com/kb/1118/custom-derp-servers/
#
# paths:
# - /etc/headscale/derp-example.yaml
paths: []
# If enabled, a worker will be set up to periodically
# refresh the given sources and update the derpmap
# will be set up.
auto_update_enabled: true
# How often should we check for DERP updates?
update_frequency: 24h
# Disables the automatic check for headscale updates on startup
disable_check_updates: true
# Time before an inactive ephemeral node is deleted?
ephemeral_node_inactivity_timeout: 30m
# Period to check for node updates within the tailnet. A value too low will severely affect
# CPU consumption of Headscale. A value too high (over 60s) will cause problems
# for the nodes, as they won't get updates or keep alive messages frequently enough.
# In case of doubts, do not touch the default 10s.
node_update_check_interval: 10s
# SQLite config
db_type: sqlite3
# For production:
db_path: /var/lib/headscale/db.sqlite
# # Postgres config
# If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
# db_type: postgres
# db_host: localhost
# db_port: 5432
# db_name: headscale
# db_user: foo
# db_pass: bar
# If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need
# in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.
# db_ssl: false
### TLS configuration
#
## Let's encrypt / ACME
#
# headscale supports automatically requesting and setting up
# TLS for a domain with Let's Encrypt.
#
# URL to ACME directory
acme_url: https://acme-v02.api.letsencrypt.org/directory
# Email to register with ACME provider
acme_email: "{{ headscale_tls_email }}"
# Domain name to request a TLS certificate for:
tls_letsencrypt_hostname: "{{ headscale_url }}"
# Path to store certificates and metadata needed by
# letsencrypt
# For production:
tls_letsencrypt_cache_dir: /var/lib/headscale/cache
# Type of ACME challenge to use, currently supported types:
# HTTP-01 or TLS-ALPN-01
# See [docs/tls.md](docs/tls.md) for more information
tls_letsencrypt_challenge_type: HTTP-01
# When HTTP-01 challenge is chosen, letsencrypt must set up a
# verification endpoint, and it will be listening on:
# :http = port 80
tls_letsencrypt_listen: ":http"
## Use already defined certificates:
tls_cert_path: ""
tls_key_path: ""
log:
# Output formatting for logs: text or json
format: text
level: info
# Path to a file containg ACL policies.
# ACLs can be defined as YAML or HUJSON.
# https://tailscale.com/kb/1018/acls/
acl_policy_path: ""
## DNS
#
# headscale supports Tailscale's DNS configuration and MagicDNS.
# Please have a look to their KB to better understand the concepts:
#
# - https://tailscale.com/kb/1054/dns/
# - https://tailscale.com/kb/1081/magicdns/
# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
#
dns_config:
# Whether to prefer using Headscale provided DNS or use local.
override_local_dns: true
# List of DNS servers to expose to clients.
nameservers:
- 1.1.1.1
# NextDNS (see https://tailscale.com/kb/1218/nextdns/).
# "abc123" is example NextDNS ID, replace with yours.
#
# With metadata sharing:
# nameservers:
# - https://dns.nextdns.io/abc123
#
# Without metadata sharing:
# nameservers:
# - 2a07:a8c0::ab:c123
# - 2a07:a8c1::ab:c123
# Split DNS (see https://tailscale.com/kb/1054/dns/),
# list of search domains and the DNS to query for each one.
#
# restricted_nameservers:
# foo.bar.com:
# - 1.1.1.1
# darp.headscale.net:
# - 1.1.1.1
# - 8.8.8.8
# Search domains to inject.
domains: []
# Extra DNS records
# so far only A-records are supported (on the tailscale side)
# See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations
# extra_records:
# - name: "grafana.myvpn.example.com"
# type: "A"
# value: "100.64.0.3"
#
# # you can also put it in one line
# - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
# Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
# Only works if there is at least a nameserver defined.
magic_dns: true
# Defines the base domain to create the hostnames for MagicDNS.
# `base_domain` must be a FQDNs, without the trailing dot.
# The FQDN of the hosts will be
# `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
base_domain: example.com
# Unix socket used for the CLI to connect without authentication
# Note: for production you will want to set this to something like:
unix_socket: /var/run/headscale/headscale.sock
unix_socket_permission: "0770"
#
# headscale supports experimental OpenID connect support,
# it is still being tested and might have some bugs, please
# help us test it.
# OpenID Connect
# oidc:
# only_start_if_oidc_is_available: true
# issuer: "https://your-oidc.issuer.com/path"
# client_id: "your-oidc-client-id"
# client_secret: "your-oidc-client-secret"
# # Alternatively, set `client_secret_path` to read the secret from the file.
# # It resolves environment variables, making integration to systemd's
# # `LoadCredential` straightforward:
# client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
# # client_secret and client_secret_path are mutually exclusive.
#
# # The amount of time from a node is authenticated with OpenID until it
# # expires and needs to reauthenticate.
# # Setting the value to "0" will mean no expiry.
# expiry: 180d
#
# # Use the expiry from the token received from OpenID when the user logged
# # in, this will typically lead to frequent need to reauthenticate and should
# # only been enabled if you know what you are doing.
# # Note: enabling this will cause `oidc.expiry` to be ignored.
# use_expiry_from_token: false
#
# # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
# # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
#
# scope: ["openid", "profile", "email", "custom"]
# extra_params:
# domain_hint: example.com
#
# # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
# # authentication request will be rejected.
#
# allowed_domains:
# - example.com
# # Note: Groups from keycloak have a leading '/'
# allowed_groups:
# - /headscale
# allowed_users:
# - alice@example.com
#
# # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
# # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
# # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
# user: `first-name.last-name.example.com`
#
# strip_email_domain: true
# Logtail configuration
# Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
# to instruct tailscale nodes to log their activity to a remote server.
logtail:
# Enable logtail for this headscales clients.
# As there is currently no support for overriding the log server in headscale, this is
# disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
enabled: false
# Enabling this option makes devices prefer a random port for WireGuard traffic over the
# default static port 41641. This option is intended as a workaround for some buggy
# firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information.
randomize_client_port: false

View File

@ -0,0 +1,2 @@
localhost

5
headscale/tests/test.yml Normal file
View File

@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- headscale

2
headscale/vars/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# vars file for headscale

15
init.yml Normal file
View File

@ -0,0 +1,15 @@
---
- hosts: all
gather_facts: no
tasks:
- name: Add unprovisioned vars
include_vars:
file: inventory/vars/unprovisioned.yaml
- name: Wait for hosts
ansible.builtin.wait_for_connection:
timeout: 60
- name: Gathering facts
setup:
- name: Provision users
include_role:
name: user-provision

View File

@ -0,0 +1,11 @@
---
k3s_version: "v1.29.2+k3s1"
systemd_dir: "/etc/systemd/system"
api_endpoint: "{{ hostvars[groups['server'][0]]['wireguard_ip'] | default(groups['server'][0]) }}"
extra_server_args: "--disable traefik --advertise-address {{hostvars[inventory_hostname]['wireguard_ip']}} --flannel-iface wg0 --tls-san {{ ansible_host }} --disable servicelb {{ ['--node-label']|product(hostvars[inventory_hostname]['k3s_label'])|map('join', ' ')|join(' ') }}"
extra_agent_args: "--flannel-iface wg0 --node-external-ip {{hostvars[inventory_hostname]['wireguard_ip']}} {{ ['--node-label']|product(hostvars[inventory_hostname]['k3s_label'])|map('join', ' ')|join(' ') }}"
ansible_python_interpreter: /usr/bin/python3
ansible_ssh_port: 22
ufw_enabled: false
wireguard_port: 51820
wireguard_mask_bits: 8

View File

@ -0,0 +1,36 @@
all:
hosts:
cp:
ansible_host: 192.168.56.101
is_nas: false
hostname: cp
wireguard_ip: 10.20.0.1
k3s_label:
- type=worker
- size=wide
vps:
ansible_host: 192.168.56.102
is_nas: false
hostname: vps
wireguard_ip: 10.20.0.2
k3s_label:
- type=outbound
children:
server:
hosts:
cp:
agent:
hosts:
vps:
k3s_cluster:
children:
server:
agent:
vars:
k3s_version: v1.28.5+k3s1
api_endpoint: "{{ hostvars[groups['server'][0]]['wireguard_ip'] | default(groups['server'][0]) }}"
extra_server_args: "--disable traefik --advertise-address {{hostvars[inventory_hostname]['wireguard_ip']}} --flannel-iface wg0 --tls-san {{hostvars[inventory_hostname]['wireguard_ip']}} --disable servicelb {{ ['--node-label']|product(hostvars[inventory_hostname]['k3s_label'])|map('join', ' ')|join(' ') }}"
extra_agent_args: "--flannel-iface wg0 --node-external-ip {{hostvars[inventory_hostname]['wireguard_ip']}} {{ ['--node-label']|product(hostvars[inventory_hostname]['k3s_label'])|map('join', ' ')|join(' ') }}"
ufw_enabled: false
wireguard_port: 51820
wireguard_mask_bits: 8

28
inventory/hosts.yml Normal file
View File

@ -0,0 +1,28 @@
all:
hosts:
cp:
ansible_host: 192.168.56.101
is_nas: false
hostname: cp
wireguard_ip: 10.20.0.1
k3s_label:
- type=worker
- size=wide
vps:
ansible_host: 192.168.56.102
is_nas: false
hostname: vps
wireguard_ip: 10.20.0.2
k3s_label:
- type=outbound
children:
server:
hosts:
cp:
agent:
hosts:
vps:
k3s_cluster:
children:
server:
agent:

2
inventory/vars/main.yml Normal file
View File

@ -0,0 +1,2 @@
ansible_ssh_private_key_file: ~/.ssh/atmen
ansible_user: atmen

View File

@ -0,0 +1,5 @@
ansible_ssh_private_key_file: ~/.ssh/creator
ansible_user: creator
ansible_become_password: aberation
ansible_ssh_port: 22
sshd_port: 22

View File

@ -0,0 +1 @@
vagrant: true

1
k3s-ansible Submodule

@ -0,0 +1 @@
Subproject commit 9c8ba5c1555944f02f7ffadc3b0839530b2782f7

View File

@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

View File

@ -0,0 +1,8 @@
---
# handlers file for node-configuration
- name: Restart sshd service
ansible.builtin.service:
name: sshd
state: restarted
listen: "restart sshd"
ignore_errors: yes

View File

@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

View File

@ -0,0 +1,13 @@
---
- name: Configure and harden SSH
import_tasks: ./ssh.yml
become: yes
- name: Miscellaneous operations
import_tasks: ./misc.yml
become: yes
- name: Install OpenMediaVault
import_tasks: ./omv.yaml
become: yes
when: is_nas|bool == true

View File

@ -0,0 +1,37 @@
---
- name: Check if unattended-upgrades is installed
ansible.builtin.package_facts:
manager: "auto"
- name: Remove unattended-upgrades package
ansible.builtin.package:
name: unattended-upgrades
state: absent
when: "'unattended-upgrades' in ansible_facts.packages"
- name: Disable IPv6
ansible.posix.sysctl:
name: net.ipv6.conf.all.disable_ipv6
value: '1'
sysctl_file: /etc/sysctl.d/70-disable-ipv6.conf
reload: true
- name: Set node's hostname
ansible.builtin.hostname:
name: "{{ hostname }}"
when: hostname is defined
- name: Install open-iscsi
ansible.builtin.package:
name: open-iscsi
state: present
- name: Install nfs-common
ansible.builtin.package:
name: nfs-common
state: present
- name: Install nfs-utils
ansible.builtin.package:
name: libnfs-utils
state: present

View File

@ -0,0 +1,49 @@
---
- name: Install gnupg
ansible.builtin.package:
name: gnupg
state: present
- name: Download OMV-extras
ansible.builtin.get_url:
url: https://github.com/OpenMediaVault-Plugin-Developers/installScript/raw/master/install
dest: /tmp/omv-extras.install
mode: u+rwx
# B: Beta to enable installation on Debian 12
# N: Skip networking installation
# F: Skip flashmemory plugin installation
- name: Install OMV-extras
ansible.builtin.shell: /tmp/omv-extras.install -n -f >> /tmp/omv-extras.log
# Check for vagrant variable, indicating we are running in a lab environment
- name: Add Vagrant user to ssh group
ansible.builtin.user:
name: vagrant
groups: ssh
append: yes
when: vagrant | default(false)
- name: Add Ansible user to ssh group
ansible.builtin.user:
name: "{{ ansible_user_id }}"
groups: ssh
append: yes
- name: Upgrade packages
ansible.builtin.apt:
update_cache: yes
name: "*"
state: latest
- name: Install ZFS, S3 with Minio and Filebrowser
ansible.builtin.apt:
pkg:
- openmediavault-zfs
- openmediavault-s3
- openmediavault-filebrowser
register: plugin_install
- name: Reboot to enable ZFS module and finish upgrade
ansible.builtin.reboot:
when: plugin_install.changed

View File

@ -0,0 +1,21 @@
---
- name: Ensures fail2ban dir exists
file:
path: /etc/fail2ban
state: directory
- name: Configure fail2ban
copy:
src: ../templates/fail2ban.conf
dest: /etc/fail2ban/fail2ban.conf
backup: yes
- name: Update package cache (apt/Debian)
ansible.builtin.apt:
update_cache: yes
when: ansible_distribution == "Debian"
- name: Install fail2ban
ansible.builtin.package:
name: fail2ban
state: present

View File

@ -0,0 +1,21 @@
- include_vars: ../vars/users.yml
# Atmen : slave, servant
- name: Add provisioning user "atmen" for ansible
ansible.builtin.user:
name: atmen
comment: Ansible provisioner
groups: sudo
append: yes
- name: Add maintainer user
ansible.builtin.user:
name: "{{ maintainer_user }}"
comment: Maintainer user
groups: sudo
append: yes
password: "{{ maintainer_password | password_hash('sha512') }}"
- name: Disable root login
ansible.builtin.user:
name: root
password: '*'

View File

@ -0,0 +1,967 @@
#
# WARNING: heavily refactored in 0.9.0 release. Please review and
# customize settings for your setup.
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 1h
#
# [sshd]
# enabled = true
#
# See jail.conf(5) man page for more information
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
[INCLUDES]
#before = paths-distro.conf
before = paths-debian.conf
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "ignorself" specifies whether the local resp. own IP addresses should be ignored
# (default is true). Fail2ban will not ban a host which matches such addresses.
#ignorself = true
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 85.129.40.199
# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =
# "bantime" is the number of seconds that a host is banned.
# Set to -1 for permanent
bantime = -1
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 10m
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
#
# Note: if systemd backend is chosen as the default but you enable a jail
# for which logs are present only in its own log files, specify some other
# backend for that jail (e.g. polling) and provide empty value for
# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto
# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user)
usedns = warn
# "logencoding" specifies the encoding of the log files handled by the jail
# This is used to decode the lines from the log file.
# Typical examples: "ascii", "utf-8"
#
# auto: will use the system locale setting
logencoding = auto
# "enabled" enables the jails.
# By default all jails are disabled, and it should stay this way.
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true: jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = true
# "mode" defines the mode of the filter (see corresponding filter implementation for more info).
mode = normal
# "filter" defines the filter to use by the jail.
# By default jails have names matching their filter name
#
filter = %(__name__)s[mode=%(mode)s]
#
# ACTIONS
#
# Some options used for actions
# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost
# Sender email address used solely for some actions
sender = root@<fq-hostname>
# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
chain = <known/chain>
# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535
# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
#
# Action shortcuts. To be used to define action parameter
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Report block via blocklist.de fail2ban reporting service API
#
# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in
# corresponding jail.d/my-jail.local file).
#
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
# Report ban via badips.com, and use as blacklist
#
# See BadIPsAction docstring in config/action.d/badips.py for
# documentation for this action.
#
# NOTE: This action relies on banaction being present on start and therefore
# should be last action defined for a jail.
#
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
#
# Report ban via badips.com (uses action.d/badips.conf for reporting only)
#
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
# Report ban via abuseipdb.com.
#
# See action.d/abuseipdb.conf for usage example and details.
#
action_abuseipdb = abuseipdb
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
#
# JAILS
#
#
# SSH servers
#
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
[dropbear]
enabled = false
port = ssh
logpath = %(dropbear_log)s
backend = %(dropbear_backend)s
[selinux-ssh]
enabled = false
port = ssh
logpath = %(auditd_log)s
#
# HTTP servers
#
[apache-auth]
enabled = false
port = http,https
logpath = %(apache_error_log)s
[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
enabled = false
port = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1
[apache-noscript]
enabled = false
port = http,https
logpath = %(apache_error_log)s
[apache-overflows]
enabled = false
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-nohome]
enabled = false
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-botsearch]
enabled = false
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-fakegooglebot]
enabled = false
port = http,https
logpath = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
[apache-modsecurity]
enabled = false
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-shellshock]
enabled = false
port = http,https
logpath = %(apache_error_log)s
maxretry = 1
[openhab-auth]
enabled = false
filter = openhab
action = iptables-allports[name=NoAuthFailures]
logpath = /opt/openhab/logs/request.log
[nginx-http-auth]
enabled = false
port = http,https
logpath = %(nginx_error_log)s
# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`
# and define `limit_req` and `limit_req_zone` as described in nginx documentation
# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
# or for example see in 'config/filter.d/nginx-limit-req.conf'
[nginx-limit-req]
enabled = false
port = http,https
logpath = %(nginx_error_log)s
[nginx-botsearch]
enabled = false
port = http,https
logpath = %(nginx_error_log)s
maxretry = 2
# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]
enabled = false
port = http,https
logpath = %(nginx_access_log)s
%(apache_access_log)s
[suhosin]
enabled = false
port = http,https
logpath = %(suhosin_log)s
[lighttpd-auth]
# Same as above for Apache's mod_auth
# It catches wrong authentifications
enabled = false
port = http,https
logpath = %(lighttpd_error_log)s
#
# Webmail and groupware servers
#
[roundcube-auth]
enabled = false
port = http,https
logpath = %(roundcube_errors_log)s
# Use following line in your jail.local if roundcube logs to journal.
#backend = %(syslog_backend)s
[openwebmail]
enabled = false
port = http,https
logpath = /var/log/openwebmail.log
[horde]
enabled = false
port = http,https
logpath = /var/log/horde/horde.log
[groupoffice]
enabled = false
port = http,https
logpath = /home/groupoffice/log/info.log
[sogo-auth]
# Monitor SOGo groupware server
# without proxy this would be:
# port = 20000
enabled = false
port = http,https
logpath = /var/log/sogo/sogo.log
[tine20]
enabled = false
logpath = /var/log/tine20/tine20.log
port = http,https
#
# Web Applications
#
#
[drupal-auth]
enabled = false
port = http,https
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
[guacamole]
enabled = false
port = http,https
logpath = /var/log/tomcat*/catalina.out
[monit]
#Ban clients brute-forcing the monit gui login
enabled = false
port = 2812
logpath = /var/log/monit
[webmin-auth]
enabled = false
port = 10000
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
[froxlor-auth]
enabled = false
port = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
#
# HTTP Proxy servers
#
#
[squid]
enabled = false
port = 80,443,3128,8080
logpath = /var/log/squid/access.log
[3proxy]
enabled = false
port = 3128
logpath = /var/log/3proxy.log
#
# FTP servers
#
[proftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
logpath = %(proftpd_log)s
backend = %(proftpd_backend)s
[pure-ftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
logpath = %(pureftpd_log)s
backend = %(pureftpd_backend)s
[gssftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
[wuftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
logpath = %(wuftpd_log)s
backend = %(wuftpd_backend)s
[vsftpd]
# or overwrite it in jails.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
enabled = false
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s
#
# Mail servers
#
# ASSP SMTP Proxy Jail
[assp]
enabled = false
port = smtp,465,submission
logpath = /root/path/to/assp/logs/maillog.txt
[courier-smtp]
enabled = false
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[postfix]
# To use another modes set filter parameter "mode" in jail.local:
mode = more
enabled = false
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
[postfix-rbl]
filter = postfix[mode=rbl]
enabled = false
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 1
[sendmail-auth]
enabled = false
port = submission,465,smtp
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[sendmail-reject]
# To use more aggressive modes set filter parameter "mode" in jail.local:
# normal (default), extra or aggressive
# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
#mode = normal
enabled = false
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[qmail-rbl]
filter = qmail
enabled = false
port = smtp,465,submission
logpath = /service/qmail/log/main/current
# dovecot defaults to logging to the mail syslog facility
# but can be set by syslog_facility in the dovecot configuration.
[dovecot]
enabled = false
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
[sieve]
enabled = false
port = smtp,465,submission
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
[solid-pop3d]
enabled = false
port = pop3,pop3s
logpath = %(solidpop3d_log)s
[exim]
# see filter.d/exim.conf for further modes supported from filter:
#mode = normal
enabled = false
port = smtp,465,submission
logpath = %(exim_main_log)s
[exim-spam]
enabled = false
port = smtp,465,submission
logpath = %(exim_main_log)s
[kerio]
enabled = false
port = imap,smtp,imaps,465
logpath = /opt/kerio/mailserver/store/logs/security.log
#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#
[courier-auth]
enabled = false
port = smtp,465,submission,imap,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[postfix-sasl]
filter = postfix[mode=auth]
enabled = false
port = smtp,465,submission,imap,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = %(postfix_log)s
backend = %(postfix_backend)s
[perdition]
enabled = false
port = imap,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[squirrelmail]
enabled = false
port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
[cyrus-imap]
enabled = false
port = imap,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[uwimap-auth]
enabled = false
port = imap,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
#
#
# DNS servers
#
# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks UDP traffic for DNS requests.
# [named-refused-udp]
#
# filter = named-refused
# port = domain,953
# protocol = udp
# logpath = /var/log/named/security.log
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks TCP traffic for DNS requests.
[named-refused]
enabled = false
port = domain,953
logpath = /var/log/named/security.log
[nsd]
enabled = false
port = 53
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/nsd.log
#
# Miscellaneous
#
[asterisk]
enabled = false
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 10
[freeswitch]
enabled = false
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/freeswitch.log
maxretry = 10
# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
# equivalent section:
# log-warning = 2
#
# for syslog (daemon facility)
# [mysqld_safe]
# syslog
#
# for own logfile
# [mysqld]
# log-error=/var/log/mysqld.log
[mysqld-auth]
enabled = false
port = 3306
logpath = %(mysql_log)s
backend = %(mysql_backend)s
# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
[mongodb-auth]
# change port when running with "--shardsvr" or "--configsvr" runtime operation
enabled = false
port = 27017
logpath = /var/log/mongodb/mongodb.log
# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
# to maintain entries for failed logins for sufficient amount of time
[recidive]
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = -1
findtime = 1d
# Generic filter for PAM. Has to be used with action which bans all
# ports such as iptables-allports, shorewall
[pam-generic]
# pam-generic filter can be customized to monitor specific subset of 'tty's
banaction = %(banaction_allports)s
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
[xinetd-fail]
banaction = iptables-multiport-log
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
maxretry = 2
# stunnel - need to set port for this
[stunnel]
enabled = false
logpath = /var/log/stunnel4/stunnel.log
[ejabberd-auth]
enabled = false
port = 5222
logpath = /var/log/ejabberd/ejabberd.log
[counter-strike]
enabled = false
logpath = /opt/cstrike/logs/L[0-9]*.log
# Firewall: http://www.cstrike-planet.com/faq/6
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
# consider low maxretry and a long bantime
# nobody except your own Nagios server should ever probe nrpe
[nagios]
enabled = false
logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
backend = %(syslog_backend)s
maxretry = 1
[oracleims]
# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
enabled = false
logpath = /opt/sun/comms/messaging64/log/mail.log_current
banaction = %(banaction_allports)s
[directadmin]
enabled = false
logpath = /var/log/directadmin/login.log
port = 2222
[portsentry]
enabled = false
logpath = /var/lib/portsentry/portsentry.history
maxretry = 1
[pass2allow-ftp]
# this pass2allow example allows FTP traffic after successful HTTP authentication
enabled = false
port = ftp,ftp-data,ftps,ftps-data
# knocking_url variable must be overridden to some secret value in jail.local
knocking_url = /knocking/
filter = apache-pass[knocking_url="%(knocking_url)s"]
# access log of the website with HTTP auth
logpath = %(apache_access_log)s
blocktype = RETURN
returntype = DROP
action = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s]
bantime = 1h
maxretry = 1
findtime = 1
[murmur]
# AKA mumble-server
enabled = false
port = 64738
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/mumble-server/mumble-server.log
[screensharingd]
# For Mac OS Screen Sharing Service (VNC)
enabled = false
logpath = /var/log/system.log
logencoding = utf-8
[haproxy-http-auth]
# HAProxy by default doesn't log to file you'll need to set it up to forward
# logs to a syslog server which would then write them to disk.
# See "haproxy-http-auth" filter for a brief cautionary note when setting
# maxretry and findtime.
enabled = false
logpath = /var/log/haproxy.log
[slapd]
enabled = false
port = ldap,ldaps
logpath = /var/log/slapd.log
[domino-smtp]
enabled = false
port = smtp,ssmtp
logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log
[phpmyadmin-syslog]
enabled = false
port = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
[zoneminder]
# Zoneminder HTTP/HTTPS web interface auth
# Logs auth failures to apache2 error log
enabled = false
port = http,https
logpath = %(apache_error_log)s

38
user-provision/README.md Normal file
View File

@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

View File

@ -0,0 +1,8 @@
---
- name: Restart sshd service
ansible.builtin.service:
name: sshd
state: restarted
listen: "restart sshd"
ignore_errors: yes
become: yes

View File

@ -0,0 +1,34 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

View File

@ -0,0 +1,60 @@
- block:
- include_vars: "{{ playbook_dir ~ '/vault/user_provisioning' }}"
# Atmen : slave, servant
- name: Add provisioning user "atmen" for ansible
ansible.builtin.user:
name: atmen
comment: Ansible provisioner
groups: sudo
append: yes
shell: /bin/bash
password: "{{ vault_atmen_password | password_hash('sha512') }}"
- name: Set authorized key for atmen
ansible.posix.authorized_key:
user: atmen
state: present
key: "{{ lookup('file', atmen_ssh_key_host_path) }}"
- name: Add maintainer user
ansible.builtin.user:
name: "{{ vault_maintainer_user }}"
comment: Maintainer user
groups: sudo
append: yes
shell: /bin/bash
password: "{{ vault_maintainer_password | password_hash('sha512') }}"
- name: Set authorized key for maintainer user
ansible.posix.authorized_key:
user: "{{ vault_maintainer_user }}"
state: present
key: "{{ lookup('file', maintainer_ssh_key_host_path) }}"
- name: Disable root login
ansible.builtin.user:
name: root
password: '*'
- name: Disable SSH login for creator
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
line: DenyUsers creator
state: present
- name: Disable password login
lineinfile:
dest: "/etc/ssh/sshd_config"
regexp: '^(#\s*)?PasswordAuthentication '
line: "PasswordAuthentication no"
notify: restart sshd
- name: Change SSH port
lineinfile:
dest: "/etc/ssh/sshd_config"
regexp: "^Port "
line: "Port {{ sshd_port }}"
notify: restart sshd
changed_when: true
become: yes

View File

@ -0,0 +1,3 @@
---
atmen_ssh_key_host_path: ~/.ssh/atmen.pub
maintainer_ssh_key_host_path: ~/.ssh/maintainer.pub

1
wireguard Submodule

@ -0,0 +1 @@
Subproject commit 11883d85c9ad3ff5b70e6e252111d39b5a32284d