feat(users): Add user creation and refine provision

fix(vars): Set proper IPs for k3s configuration on Wireguard
fix: Local cluster installation
2024-08-04 19:41:35 +02:00 · 2024-06-20 14:48:29 +02:00 · 2024-02-28 17:34:57 +01:00 · 2024-02-02 13:49:05 +01:00 · 2024-01-14 01:34:34 +01:00 · 2024-01-14 01:34:08 +01:00
49 changed files with 2256 additions and 1 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -0,0 +1,2 @@
 skip_list:
  - 'fqcn-builtins'
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
 vault
 .vault_pass
--- a/.gitmodules
+++ b/.gitmodules
@ -0,0 +1,9 @@
 [submodule "wireguard"]
 	path = wireguard
 	url = https://github.com/jawher/automation-wireguard
 [submodule "k3s-ansible"]
 	path = k3s-ansible
 	url = https://github.com/k3s-io/k3s-ansible
 [submodule "postgresql_cluster"]
 	path = postgresql_cluster
 	url = https://github.com/vitabaks/postgresql_cluster.git
--- a/20
+++ b/20
@ -0,0 +1,20 @@
 init:
 	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "init.yml"
 install:
 	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "bootstrap.yml" --extra-vars "enable_setup=true enable_wireguard=true enable_k3s=true"
 wg:
 	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "bootstrap.yml" --extra-vars "enable_wireguard=true enable_k3s=false"
 k3s:
 	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "bootstrap.yml" --extra-vars "enable_wireguard=false enable_k3s=true"
 uninstall:
 	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i "inventory/hosts.yml" "k3s-ansible/reset.yml"
 ping:
 	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible all -i inventory/hosts.yml --extra-vars "@inventory/vars/main.yaml" -m ping
 ping-unprovisioned:
 	ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass ANSIBLE_HOST_KEY_CHECKING=False ansible all -i inventory/unprovisioned.yml -m ping
--- a/README.md
+++ b/README.md
@ -1,3 +1,64 @@
 # Ansible
 Catalogue of Ansible playbooks and helper scripts for server management
 atmen: slave, servant
 ## Configuration options
 ### SSH Ports
 The ssh port can be configured in 2 steps:
 1. Change the `ansible_ssh_port` variable in `inventory/group_vars/all.yml`
 2. Change the `sshd_port` variable in `inventory/vars/unprovisioned.yaml`
 ## Node configuration process
 ### Provisioning
 - Add atmen user for provisioning
 - Configure SSH key for atmen user
 - Add maintainer user
 - Configure SSH key for maintainer user
 - Disable root login (passwd --lock root)
 - Disable SSH login for creator user
 - Disable SSH password login
 - Change SSH port
 ### SSH Setup
 - Install fail2ban
 ### Miscellaneous
 - Disable unattended-upgrade is installed
 - Disable IPv6
 - Setup hostname
 - Install open-iscsi, nfs-common, nfs-utils
 ### OMV configuration
 - Install OMV through OMV-extras
 - (lab) Add Vagrant user to SSH group
 - Add atmen user to sudoers
 - Install openmediavault-zfs, openmediavault-s3, openmediavault-filebrowser
 # OMV manual configuration
 ## NFS configuration
 - Create FS
 - Enable NFS
 - `subtree_check,insecure,no_root_squash,anonuid=1000,anongid=100` in NFS share extra options
 # Vault
 Sensitive data is stored under two files in the `vault` directory:
 - `user_provisioning.yml` contains the vault password
 - `vault.yml` contains the sensitive data
 ## user_provisioning.yml
 Configure users for provisioning and manual maintenance
 ```yaml
 vault_atmen_password: <atmen_password>
 vault_maintainer_user: <your_user>
 vault_maintainer_password: <maintainer_password>
 ```
 ## vault.yml
 Configure k3s secrets
 ```yaml
 ansible_become_password: <atmen_password>
 token: <k3s_token>
 ```
 To avoid pasting your vault password everytime, you can create a `.vault_pass` file in the root directory with the vault password.
--- a/backup.yml
+++ b/backup.yml
@ -0,0 +1,6 @@
 ---
 - hosts: all
  roles:
    - role: gitlab
      tags: backup
--- a/bootstrap.yml
+++ b/bootstrap.yml
@ -0,0 +1,29 @@
 ---
 - hosts: all
  gather_facts: no
  tasks:
    - name: Include vault vars
      include_vars: 
        file: "{{ playbook_dir ~ '/vault/secrets' }}"
    - name: Include vars
      include_vars: 
        file: inventory/vars/main.yaml
    - name: Wait for hosts
      ansible.builtin.wait_for_connection:
        timeout: 60
    - name: Gathering facts
      setup:
    - name: Start basic node configuration
      include_role:
        name: node-configuration
      when: enable_setup | bool
    - name: Configure headscale
      include_role:
        name: headscale
      when: enable_headscale|bool
 - name: Configure wireguard
  ansible.builtin.import_playbook: wireguard/wireguard.yml
  when: enable_wireguard|bool
 - name: Configure k3s
  ansible.builtin.import_playbook: k3s-ansible/site.yml
  when: enable_k3s | bool
--- a/gitlab/.travis.yml
+++ b/gitlab/.travis.yml
@ -0,0 +1,29 @@
 ---
 language: python
 python: "2.7"
 # Use the new container infrastructure
 sudo: false
 # Install ansible
 addons:
  apt:
    packages:
    - python-pip
 install:
  # Install ansible
  - pip install ansible
  # Check ansible version
  - ansible --version
  # Create ansible.cfg with correct roles_path
  - printf '[defaults]\nroles_path=../' >ansible.cfg
 script:
  # Basic role syntax check
  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
 notifications:
  webhooks: https://galaxy.ansible.com/api/v1/notifications/
--- a/gitlab/README.md
+++ b/gitlab/README.md
@ -0,0 +1,38 @@
 Role Name
 =========
 A brief description of the role goes here.
 Requirements
 ------------
 Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
 Role Variables
 --------------
 A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
 Dependencies
 ------------
 A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
 Example Playbook
 ----------------
 Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
    - hosts: servers
      roles:
         - { role: username.rolename, x: 42 }
 License
 -------
 BSD
 Author Information
 ------------------
 An optional section for the role authors to include contact information, or a website (HTML is not allowed).
--- a/gitlab/defaults/main.yml
+++ b/gitlab/defaults/main.yml
@ -0,0 +1,6 @@
 ---
 # defaults file for gitlab
 gitlab_container_name: gitlab
 gitlab_backup_directory: /opt/services/gitlab
 gitlab_local_backup_directory: /home/tanguy/backups/
 gitlab_host: pythagoras-b
--- a/gitlab/handlers/main.yml
+++ b/gitlab/handlers/main.yml
@ -0,0 +1,2 @@
 ---
 # handlers file for gitlab
--- a/gitlab/meta/main.yml
+++ b/gitlab/meta/main.yml
@ -0,0 +1,3 @@
 dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.
--- a/gitlab/tasks/backup.yml
+++ b/gitlab/tasks/backup.yml
@ -0,0 +1,29 @@
 ---
 # tasks file for gitlab
 - name: Ensure a gitlab container is running.
  docker_container:
    name: "{{ gitlab_container_name }}"
    state: present
    image: gitlab/gitlab-ce
    comparisons:
      '*': ignore
 - name: Start gitlab backup
  community.docker.docker_container_exec:
    container: "{{ gitlab_container_name }}"
    command: gitlab-backup create GZIP_RSYNCABLE=yes SKIP=registry
 - name: Get list of backups
  find:
    paths: "{{ gitlab_backup_directory }}"
  register: found_files
 - name: Get latest backup
  set_fact:
    latest_file: "{{ found_files.files | sort(attribute='mtime',reverse=true) | first }}"
 - name: Download latest backup from remote
  ansible.posix.synchronize:
    src: "{{ latest_file.path }}"
    dest: "{{ gitlab_local_backup_directory }}"/backups
    mode: pull
--- a/gitlab/tasks/main.yml
+++ b/gitlab/tasks/main.yml
@ -0,0 +1,7 @@
 ---
 - name: Init backup procedure
  include_tasks: backup.yml
  when: inventory_hostname in groups['{{ gitlab_host }}']
  tags:
    - gitlab
--- a/gitlab/tests/inventory
+++ b/gitlab/tests/inventory
@ -0,0 +1,2 @@
 localhost
--- a/gitlab/tests/test.yml
+++ b/gitlab/tests/test.yml
@ -0,0 +1,5 @@
 ---
 - hosts: localhost
  remote_user: root
  roles:
    - gitlab
--- a/gitlab/vars/main.yml
+++ b/gitlab/vars/main.yml
@ -0,0 +1,2 @@
 ---
 # vars file for gitlab
--- a/headscale/README.md
+++ b/headscale/README.md
@ -0,0 +1,38 @@
 Role Name
 =========
 A brief description of the role goes here.
 Requirements
 ------------
 Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
 Role Variables
 --------------
 A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
 Dependencies
 ------------
 A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
 Example Playbook
 ----------------
 Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
    - hosts: servers
      roles:
         - { role: username.rolename, x: 42 }
 License
 -------
 BSD
 Author Information
 ------------------
 An optional section for the role authors to include contact information, or a website (HTML is not allowed).
--- a/headscale/defaults/main.yml
+++ b/headscale/defaults/main.yml
@ -0,0 +1,2 @@
 ---
 # defaults file for headscale
--- a/headscale/handlers/main.yml
+++ b/headscale/handlers/main.yml
@ -0,0 +1,2 @@
 ---
 # handlers file for headscale
--- a/headscale/meta/main.yml
+++ b/headscale/meta/main.yml
@ -0,0 +1,52 @@
 galaxy_info:
  author: your name
  description: your role description
  company: your company (optional)
  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker
  # Choose a valid license ID from https://spdx.org - some suggested licenses:
  # - BSD-3-Clause (default)
  # - MIT
  # - GPL-2.0-or-later
  # - GPL-3.0-only
  # - Apache-2.0
  # - CC-BY-4.0
  license: license (GPL-2.0-or-later, MIT, etc)
  min_ansible_version: 2.1
  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:
  #
  # Provide a list of supported platforms, and for each platform a list of versions.
  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
  # To view available platforms and versions (or releases), visit:
  # https://galaxy.ansible.com/api/v1/platforms/
  #
  # platforms:
  # - name: Fedora
  #   versions:
  #   - all
  #   - 25
  # - name: SomePlatform
  #   versions:
  #   - all
  #   - 1.0
  #   - 7
  #   - 99.99
  galaxy_tags: []
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    #       Maximum 20 tags per role.
 dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.
--- a/headscale/tasks/main.yml
+++ b/headscale/tasks/main.yml
@ -0,0 +1,82 @@
 ---
 # tasks file for headscale
 - name: Check if tailscale (client) is installed
  shell: command -v tailscale >/dev/null 2>&1
  register: tailscale_exists
  ignore_errors: true
  changed_when: false
 - name: Check if headscale is installed
  shell: command -v headscale >/dev/null 2>&1
  register: headscale_exists
  ignore_errors: true
  changed_when: false
 - name: Download headscale binary (arm64)
  get_url:
    url: https://github.com/juanfont/headscale/releases/download/v0.22.3/headscale_0.22.3_linux_arm64.deb
    dest: /tmp/headscale_install.deb
    mode: u+rwx
  when: ansible_architecture == "aarch64" and inventory_hostname in groups['headscale_server']
 - name: Download headscale binary (amd64)
  get_url:
    url: https://github.com/juanfont/headscale/releases/download/v0.22.3/headscale_0.22.3_linux_amd64.deb
    dest: /tmp/headscale_install.deb
    mode: u+rwx
  when: ansible_architecture == "x86_64" and inventory_hostname in groups['headscale_server']
 - name: Download tailscale install script
  get_url:
    url: https://tailscale.com/install.sh
    dest: /tmp/tailscale_install.sh
    mode: u+rwx
  when: tailscale_exists.rc != 0
 - name: Install headscale (server)
  apt:
    deb: /tmp/headscale_install.deb
  become: true
  when: inventory_hostname in groups['headscale_server']
 - name: Install tailscale (client)
  command: /tmp/tailscale_install.sh
  become: true
  when: tailscale_exists.rc != 0
  changed_when: true
 - name: Enable and start headscale server
  service:
    name: headscale
    state: started
    enabled: true
  become: true
  when: inventory_hostname in groups['headscale_server']
 - name: Create headscale users
  loop: "{{ groups['all'] }}"
  command: headscale users create "{{ item }}"
  when: inventory_hostname in groups['headscale_server']
  become: true
 - name: Generate pre authentication keys
  with_items: "{{ groups['all'] }}"
  command: headscale --user "{{ item }}" preauthkeys create --expiration 1h
  when: inventory_hostname in groups['headscale_server']
  become: true
  register: headscale_preauthkey
 - name: Register clients
  with_items: "{{ hostvars[groups['headscale_server'][0]].headscale_preauthkey.results }}"
  command: |
    tailscale up --reset --login-server
    http://"{{ hostvars[groups['headscale_server'][0]]['ansible_default_ipv4']['address'] }}":8080
    --auth-key "{{ item.stdout }}"
  become: true
  when: inventory_hostname in groups['all'] and inventory_hostname in item['item']
 - name: Advertise exit nodes
  command: tailscale set --advertise-exit-node
  become: true
  when: inventory_hostname in groups['headscale_server']
--- a/headscale/templates/config.yaml
+++ b/headscale/templates/config.yaml
@ -0,0 +1,369 @@
 ---
 # headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order:
 #
 # - `/etc/headscale`
 # - `~/.headscale`
 # - current working directory
 # The url clients will connect to.
 # Typically this will be a domain like:
 #
 # https://myheadscale.example.com:443
 #
 server_url: {{ headscale_url }}
 # Address to listen to / bind to on the server
 #
 # For production:
 # listen_addr: 0.0.0.0:8080
 listen_addr: {{ ansible_default_ipv4.address }}
 # Address to listen to /metrics, you may want
 # to keep this endpoint private to your internal
 # network
 #
 metrics_listen_addr: {{ hostvars[peer].headscale_ip }}
 # Address to listen for gRPC.
 # gRPC is used for controlling a headscale server
 # remotely with the CLI
 # Note: Remote access _only_ works if you have
 # valid certificates.
 #
 # For production:
 # grpc_listen_addr: 0.0.0.0:50443
 grpc_listen_addr: 127.0.0.1:50443
 # Allow the gRPC admin interface to run in INSECURE
 # mode. This is not recommended as the traffic will
 # be unencrypted. Only enable if you know what you
 # are doing.
 grpc_allow_insecure: false
 # The Noise section includes specific configuration for the
 # TS2021 Noise protocol
 noise:
  # The Noise private key is used to encrypt the
  # traffic between headscale and Tailscale clients when
  # using the new Noise-based protocol.
  private_key_path: /var/lib/headscale/noise_private.key
 # List of IP prefixes to allocate tailaddresses from.
 # Each prefix consists of either an IPv4 or IPv6 address,
 # and the associated prefix length, delimited by a slash.
 # It must be within IP ranges supported by the Tailscale
 # client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
 # See below:
 # IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
 # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
 # Any other range is NOT supported, and it will cause unexpected issues.
 ip_prefixes:
  - fd7a:115c:a1e0::/48
  - 100.64.0.0/10
 # DERP is a relay system that Tailscale uses when a direct
 # connection cannot be established.
 # https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
 #
 # headscale needs a list of DERP servers that can be presented
 # to the clients.
 derp:
  server:
    # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
    # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
    enabled: false
    # Region ID to use for the embedded DERP server.
    # The local DERP prevails if the region ID collides with other region ID coming from
    # the regular DERP config.
    region_id: 999
    # Region code and name are displayed in the Tailscale UI to identify a DERP region
    region_code: "headscale"
    region_name: "Headscale Embedded DERP"
    # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
    # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
    #
    # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
    stun_listen_addr: "0.0.0.0:3478"
    # Private key used to encrypt the traffic between headscale DERP
    # and Tailscale clients.
    # The private key file will be autogenerated if it's missing.
    #
    private_key_path: /var/lib/headscale/derp_server_private.key
  # List of externally available DERP maps encoded in JSON
  urls:
    - https://controlplane.tailscale.com/derpmap/default
  # Locally available DERP map files encoded in YAML
  #
  # This option is mostly interesting for people hosting
  # their own DERP servers:
  # https://tailscale.com/kb/1118/custom-derp-servers/
  #
  # paths:
  #   - /etc/headscale/derp-example.yaml
  paths: []
  # If enabled, a worker will be set up to periodically
  # refresh the given sources and update the derpmap
  # will be set up.
  auto_update_enabled: true
  # How often should we check for DERP updates?
  update_frequency: 24h
 # Disables the automatic check for headscale updates on startup
 disable_check_updates: true
 # Time before an inactive ephemeral node is deleted?
 ephemeral_node_inactivity_timeout: 30m
 # Period to check for node updates within the tailnet. A value too low will severely affect
 # CPU consumption of Headscale. A value too high (over 60s) will cause problems
 # for the nodes, as they won't get updates or keep alive messages frequently enough.
 # In case of doubts, do not touch the default 10s.
 node_update_check_interval: 10s
 # SQLite config
 db_type: sqlite3
 # For production:
 db_path: /var/lib/headscale/db.sqlite
 # # Postgres config
 # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
 # db_type: postgres
 # db_host: localhost
 # db_port: 5432
 # db_name: headscale
 # db_user: foo
 # db_pass: bar
 # If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need
 # in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.
 # db_ssl: false
 ### TLS configuration
 #
 ## Let's encrypt / ACME
 #
 # headscale supports automatically requesting and setting up
 # TLS for a domain with Let's Encrypt.
 #
 # URL to ACME directory
 acme_url: https://acme-v02.api.letsencrypt.org/directory
 # Email to register with ACME provider
 acme_email: "{{ headscale_tls_email }}"
 # Domain name to request a TLS certificate for:
 tls_letsencrypt_hostname: "{{ headscale_url }}"
 # Path to store certificates and metadata needed by
 # letsencrypt
 # For production:
 tls_letsencrypt_cache_dir: /var/lib/headscale/cache
 # Type of ACME challenge to use, currently supported types:
 # HTTP-01 or TLS-ALPN-01
 # See [docs/tls.md](docs/tls.md) for more information
 tls_letsencrypt_challenge_type: HTTP-01
 # When HTTP-01 challenge is chosen, letsencrypt must set up a
 # verification endpoint, and it will be listening on:
 # :http = port 80
 tls_letsencrypt_listen: ":http"
 ## Use already defined certificates:
 tls_cert_path: ""
 tls_key_path: ""
 log:
  # Output formatting for logs: text or json
  format: text
  level: info
 # Path to a file containg ACL policies.
 # ACLs can be defined as YAML or HUJSON.
 # https://tailscale.com/kb/1018/acls/
 acl_policy_path: ""
 ## DNS
 #
 # headscale supports Tailscale's DNS configuration and MagicDNS.
 # Please have a look to their KB to better understand the concepts:
 #
 # - https://tailscale.com/kb/1054/dns/
 # - https://tailscale.com/kb/1081/magicdns/
 # - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
 #
 dns_config:
  # Whether to prefer using Headscale provided DNS or use local.
  override_local_dns: true
  # List of DNS servers to expose to clients.
  nameservers:
    - 1.1.1.1
  # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
  # "abc123" is example NextDNS ID, replace with yours.
  #
  # With metadata sharing:
  # nameservers:
  #   - https://dns.nextdns.io/abc123
  #
  # Without metadata sharing:
  # nameservers:
  #   - 2a07:a8c0::ab:c123
  #   - 2a07:a8c1::ab:c123
  # Split DNS (see https://tailscale.com/kb/1054/dns/),
  # list of search domains and the DNS to query for each one.
  #
  # restricted_nameservers:
  #   foo.bar.com:
  #     - 1.1.1.1
  #   darp.headscale.net:
  #     - 1.1.1.1
  #     - 8.8.8.8
  # Search domains to inject.
  domains: []
  # Extra DNS records
  # so far only A-records are supported (on the tailscale side)
  # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations
  # extra_records:
  #   - name: "grafana.myvpn.example.com"
  #     type: "A"
  #     value: "100.64.0.3"
  #
  #   # you can also put it in one line
  #   - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
  # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
  # Only works if there is at least a nameserver defined.
  magic_dns: true
  # Defines the base domain to create the hostnames for MagicDNS.
  # `base_domain` must be a FQDNs, without the trailing dot.
  # The FQDN of the hosts will be
  # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
  base_domain: example.com
 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like:
 unix_socket: /var/run/headscale/headscale.sock
 unix_socket_permission: "0770"
 #
 # headscale supports experimental OpenID connect support,
 # it is still being tested and might have some bugs, please
 # help us test it.
 # OpenID Connect
 # oidc:
 #   only_start_if_oidc_is_available: true
 #   issuer: "https://your-oidc.issuer.com/path"
 #   client_id: "your-oidc-client-id"
 #   client_secret: "your-oidc-client-secret"
 #   # Alternatively, set `client_secret_path` to read the secret from the file.
 #   # It resolves environment variables, making integration to systemd's
 #   # `LoadCredential` straightforward:
 #   client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
 #   # client_secret and client_secret_path are mutually exclusive.
 #
 #   # The amount of time from a node is authenticated with OpenID until it
 #   # expires and needs to reauthenticate.
 #   # Setting the value to "0" will mean no expiry.
 #   expiry: 180d
 #
 #   # Use the expiry from the token received from OpenID when the user logged
 #   # in, this will typically lead to frequent need to reauthenticate and should
 #   # only been enabled if you know what you are doing.
 #   # Note: enabling this will cause `oidc.expiry` to be ignored.
 #   use_expiry_from_token: false
 #
 #   # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
 #   # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
 #
 #   scope: ["openid", "profile", "email", "custom"]
 #   extra_params:
 #     domain_hint: example.com
 #
 #   # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
 #   # authentication request will be rejected.
 #
 #   allowed_domains:
 #     - example.com
 #   # Note: Groups from keycloak have a leading '/'
 #   allowed_groups:
 #     - /headscale
 #   allowed_users:
 #     - alice@example.com
 #
 #   # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
 #   # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
 #   # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
 #   user: `first-name.last-name.example.com`
 #
 #   strip_email_domain: true
 # Logtail configuration
 # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
 # to instruct tailscale nodes to log their activity to a remote server.
 logtail:
  # Enable logtail for this headscales clients.
  # As there is currently no support for overriding the log server in headscale, this is
  # disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
  enabled: false
 # Enabling this option makes devices prefer a random port for WireGuard traffic over the
 # default static port 41641. This option is intended as a workaround for some buggy
 # firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information.
 randomize_client_port: false
--- a/headscale/tests/inventory
+++ b/headscale/tests/inventory
@ -0,0 +1,2 @@
 localhost
--- a/headscale/tests/test.yml
+++ b/headscale/tests/test.yml
@ -0,0 +1,5 @@
 ---
 - hosts: localhost
  remote_user: root
  roles:
    - headscale
--- a/headscale/vars/main.yml
+++ b/headscale/vars/main.yml
@ -0,0 +1,2 @@
 ---
 # vars file for headscale
--- a/init.yml
+++ b/init.yml
@ -0,0 +1,15 @@
 ---
 - hosts: all
  gather_facts: no
  tasks:
    - name: Add unprovisioned vars
      include_vars: 
        file: inventory/vars/unprovisioned.yaml
    - name: Wait for hosts
      ansible.builtin.wait_for_connection:
        timeout: 60
    - name: Gathering facts
      setup:
    - name: Provision users
      include_role:
        name: user-provision
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@ -0,0 +1,11 @@
 ---
 k3s_version: "v1.29.2+k3s1"
 systemd_dir: "/etc/systemd/system"
 api_endpoint: "{{ hostvars[groups['server'][0]]['wireguard_ip'] | default(groups['server'][0]) }}"
 extra_server_args: "--disable traefik --advertise-address {{hostvars[inventory_hostname]['wireguard_ip']}} --flannel-iface wg0 --tls-san {{ ansible_host }} --disable servicelb {{ ['--node-label']|product(hostvars[inventory_hostname]['k3s_label'])|map('join', ' ')|join(' ') }}"
 extra_agent_args: "--flannel-iface wg0 --node-external-ip {{hostvars[inventory_hostname]['wireguard_ip']}} {{ ['--node-label']|product(hostvars[inventory_hostname]['k3s_label'])|map('join', ' ')|join(' ') }}"
 ansible_python_interpreter: /usr/bin/python3
 ansible_ssh_port: 22
 ufw_enabled: false
 wireguard_port: 51820
 wireguard_mask_bits: 8
--- a/inventory/hosts.template.yml
+++ b/inventory/hosts.template.yml
@ -0,0 +1,36 @@
 all:
  hosts:
    cp:
      ansible_host: 192.168.56.101
      is_nas: false
      hostname: cp
      wireguard_ip: 10.20.0.1
      k3s_label:
        - type=worker
        - size=wide
    vps:
      ansible_host: 192.168.56.102
      is_nas: false
      hostname: vps
      wireguard_ip: 10.20.0.2
      k3s_label:
        - type=outbound
  children:
    server:
      hosts:
        cp:
    agent:
      hosts:
        vps:
    k3s_cluster:
      children:
        server:
        agent:
  vars:
    k3s_version: v1.28.5+k3s1
    api_endpoint: "{{ hostvars[groups['server'][0]]['wireguard_ip'] | default(groups['server'][0]) }}"
    extra_server_args: "--disable traefik --advertise-address {{hostvars[inventory_hostname]['wireguard_ip']}} --flannel-iface wg0 --tls-san {{hostvars[inventory_hostname]['wireguard_ip']}} --disable servicelb {{ ['--node-label']|product(hostvars[inventory_hostname]['k3s_label'])|map('join', ' ')|join(' ') }}"
    extra_agent_args: "--flannel-iface wg0 --node-external-ip {{hostvars[inventory_hostname]['wireguard_ip']}} {{ ['--node-label']|product(hostvars[inventory_hostname]['k3s_label'])|map('join', ' ')|join(' ') }}"
    ufw_enabled: false
    wireguard_port: 51820
    wireguard_mask_bits: 8
--- a/inventory/hosts.yml
+++ b/inventory/hosts.yml
@ -0,0 +1,28 @@
 all:
  hosts:
    cp:
      ansible_host: 192.168.56.101
      is_nas: false
      hostname: cp
      wireguard_ip: 10.20.0.1
      k3s_label:
        - type=worker
        - size=wide
    vps:
      ansible_host: 192.168.56.102
      is_nas: false
      hostname: vps
      wireguard_ip: 10.20.0.2
      k3s_label:
        - type=outbound
  children:
    server:
      hosts:
        cp:
    agent:
      hosts:
        vps:
    k3s_cluster:
      children:
        server:
        agent:
--- a/inventory/vars/main.yml
+++ b/inventory/vars/main.yml
@ -0,0 +1,2 @@
 ansible_ssh_private_key_file: ~/.ssh/atmen
 ansible_user: atmen
--- a/inventory/vars/unprovisioned.yml
+++ b/inventory/vars/unprovisioned.yml
@ -0,0 +1,5 @@
 ansible_ssh_private_key_file: ~/.ssh/creator
 ansible_user: creator
 ansible_become_password: aberation
 ansible_ssh_port: 22
 sshd_port: 22
--- a/inventory/vars/vagrant.yml
+++ b/inventory/vars/vagrant.yml
@ -0,0 +1 @@
 vagrant: true
--- a/1
+++ b/1
@ -0,0 +1 @@
 Subproject commit 9c8ba5c1555944f02f7ffadc3b0839530b2782f7
--- a/node-configuration/README.md
+++ b/node-configuration/README.md
@ -0,0 +1,38 @@
 Role Name
 =========
 A brief description of the role goes here.
 Requirements
 ------------
 Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
 Role Variables
 --------------
 A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
 Dependencies
 ------------
 A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
 Example Playbook
 ----------------
 Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
    - hosts: servers
      roles:
         - { role: username.rolename, x: 42 }
 License
 -------
 BSD
 Author Information
 ------------------
 An optional section for the role authors to include contact information, or a website (HTML is not allowed).
--- a/node-configuration/handlers/main.yml
+++ b/node-configuration/handlers/main.yml
@ -0,0 +1,8 @@
 ---
 # handlers file for node-configuration
 - name: Restart sshd service
  ansible.builtin.service:
    name: sshd
    state: restarted
  listen: "restart sshd"
  ignore_errors: yes
--- a/node-configuration/meta/main.yml
+++ b/node-configuration/meta/main.yml
@ -0,0 +1,52 @@
 galaxy_info:
  author: your name
  description: your role description
  company: your company (optional)
  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker
  # Choose a valid license ID from https://spdx.org - some suggested licenses:
  # - BSD-3-Clause (default)
  # - MIT
  # - GPL-2.0-or-later
  # - GPL-3.0-only
  # - Apache-2.0
  # - CC-BY-4.0
  license: license (GPL-2.0-or-later, MIT, etc)
  min_ansible_version: 2.1
  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:
  #
  # Provide a list of supported platforms, and for each platform a list of versions.
  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
  # To view available platforms and versions (or releases), visit:
  # https://galaxy.ansible.com/api/v1/platforms/
  #
  # platforms:
  # - name: Fedora
  #   versions:
  #   - all
  #   - 25
  # - name: SomePlatform
  #   versions:
  #   - all
  #   - 1.0
  #   - 7
  #   - 99.99
  galaxy_tags: []
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    #       Maximum 20 tags per role.
 dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.
--- a/node-configuration/tasks/main.yml
+++ b/node-configuration/tasks/main.yml
@ -0,0 +1,13 @@
 ---
 - name: Configure and harden SSH
  import_tasks: ./ssh.yml
  become: yes
 - name: Miscellaneous operations
  import_tasks: ./misc.yml
  become: yes
 - name: Install OpenMediaVault
  import_tasks: ./omv.yaml
  become: yes
  when: is_nas|bool == true
--- a/node-configuration/tasks/misc.yml
+++ b/node-configuration/tasks/misc.yml
@ -0,0 +1,37 @@
 ---
 - name: Check if unattended-upgrades is installed
  ansible.builtin.package_facts:
    manager: "auto"
 - name: Remove unattended-upgrades package
  ansible.builtin.package:
    name: unattended-upgrades
    state: absent
  when: "'unattended-upgrades' in ansible_facts.packages"
 - name: Disable IPv6
  ansible.posix.sysctl:
    name: net.ipv6.conf.all.disable_ipv6
    value: '1'
    sysctl_file: /etc/sysctl.d/70-disable-ipv6.conf
    reload: true
 - name: Set node's hostname
  ansible.builtin.hostname:
    name: "{{ hostname }}"
  when: hostname is defined
 - name: Install open-iscsi
  ansible.builtin.package:
      name: open-iscsi
      state: present
 - name: Install nfs-common
  ansible.builtin.package:
      name: nfs-common
      state: present
 - name: Install nfs-utils
  ansible.builtin.package:
      name: libnfs-utils
      state: present
--- a/node-configuration/tasks/omv.yaml
+++ b/node-configuration/tasks/omv.yaml
@ -0,0 +1,49 @@
 ---
 - name: Install gnupg
  ansible.builtin.package:
    name: gnupg
    state: present
 - name: Download OMV-extras
  ansible.builtin.get_url:
    url: https://github.com/OpenMediaVault-Plugin-Developers/installScript/raw/master/install
    dest: /tmp/omv-extras.install
    mode: u+rwx
 # B: Beta to enable installation on Debian 12
 # N: Skip networking installation
 # F: Skip flashmemory plugin installation
 - name: Install OMV-extras
  ansible.builtin.shell: /tmp/omv-extras.install -n -f >> /tmp/omv-extras.log
 # Check for vagrant variable, indicating we are running in a lab environment
 - name: Add Vagrant user to ssh group
  ansible.builtin.user:
    name: vagrant
    groups: ssh
    append: yes
  when: vagrant | default(false)
 - name: Add Ansible user to ssh group
  ansible.builtin.user:
    name: "{{ ansible_user_id }}"
    groups: ssh
    append: yes
 - name: Upgrade packages
  ansible.builtin.apt:
    update_cache: yes
    name: "*"
    state: latest
 - name: Install ZFS, S3 with Minio and Filebrowser
  ansible.builtin.apt:
    pkg:
      - openmediavault-zfs
      - openmediavault-s3
      - openmediavault-filebrowser
  register: plugin_install
 - name: Reboot to enable ZFS module and finish upgrade
  ansible.builtin.reboot:
  when: plugin_install.changed
--- a/node-configuration/tasks/ssh.yml
+++ b/node-configuration/tasks/ssh.yml
@ -0,0 +1,21 @@
 ---
 - name: Ensures fail2ban dir exists
  file: 
    path: /etc/fail2ban 
    state: directory
 - name: Configure fail2ban
  copy:
    src: ../templates/fail2ban.conf
    dest: /etc/fail2ban/fail2ban.conf
    backup: yes
 - name: Update package cache (apt/Debian)
  ansible.builtin.apt:
    update_cache: yes
  when: ansible_distribution == "Debian"
 - name: Install fail2ban
  ansible.builtin.package:
    name: fail2ban
    state: present
--- a/node-configuration/tasks/users.yml
+++ b/node-configuration/tasks/users.yml
@ -0,0 +1,21 @@
 - include_vars: ../vars/users.yml
 # Atmen : slave, servant
 - name: Add provisioning user "atmen" for ansible
  ansible.builtin.user:
    name: atmen
    comment: Ansible provisioner
    groups: sudo
    append: yes
 - name: Add maintainer user
  ansible.builtin.user:
    name: "{{ maintainer_user }}"
    comment: Maintainer user
    groups: sudo
    append: yes
    password: "{{ maintainer_password | password_hash('sha512') }}"
 - name: Disable root login
  ansible.builtin.user:
    name: root
    password: '*'
--- a/node-configuration/templates/fail2ban.conf
+++ b/node-configuration/templates/fail2ban.conf
@ -0,0 +1,967 @@
 #
 # WARNING: heavily refactored in 0.9.0 release.  Please review and
 #          customize settings for your setup.
 #
 # Changes:  in most of the cases you should not modify this
 #           file, but provide customizations in jail.local file,
 #           or separate .conf files under jail.d/ directory, e.g.:
 #
 # HOW TO ACTIVATE JAILS:
 #
 # YOU SHOULD NOT MODIFY THIS FILE.
 #
 # It will probably be overwritten or improved in a distribution update.
 #
 # Provide customizations in a jail.local file or a jail.d/customisation.local.
 # For example to change the default bantime for all jails and to enable the
 # ssh-iptables jail the following (uncommented) would appear in the .local file.
 # See man 5 jail.conf for details.
 #
 # [DEFAULT]
 # bantime = 1h
 #
 # [sshd]
 # enabled = true
 #
 # See jail.conf(5) man page for more information
 # Comments: use '#' for comment lines and ';' (following a space) for inline comments
 [INCLUDES]
 #before = paths-distro.conf
 before = paths-debian.conf
 # The DEFAULT allows a global definition of the options. They can be overridden
 # in each jail afterwards.
 [DEFAULT]
 #
 # MISCELLANEOUS OPTIONS
 #
 # "ignorself" specifies whether the local resp. own IP addresses should be ignored
 # (default is true). Fail2ban will not ban a host which matches such addresses.
 #ignorself = true
 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
 # will not ban a host which matches an address in this list. Several addresses
 # can be defined using space (and/or comma) separator.
 ignoreip = 127.0.0.1/8 85.129.40.199
 # External command that will take an tagged arguments to ignore, e.g. <ip>,
 # and return true if the IP is to be ignored. False otherwise.
 #
 # ignorecommand = /path/to/command <ip>
 ignorecommand =
 # "bantime" is the number of seconds that a host is banned.
 # Set to -1 for permanent
 bantime  = -1
 # A host is banned if it has generated "maxretry" during the last "findtime"
 # seconds.
 findtime  = 10m
 # "maxretry" is the number of failures before a host get banned.
 maxretry = 5
 # "backend" specifies the backend used to get files modification.
 # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
 # This option can be overridden in each jail as well.
 #
 # pyinotify: requires pyinotify (a file alteration monitor) to be installed.
 #              If pyinotify is not installed, Fail2ban will use auto.
 # gamin:     requires Gamin (a file alteration monitor) to be installed.
 #              If Gamin is not installed, Fail2ban will use auto.
 # polling:   uses a polling algorithm which does not require external libraries.
 # systemd:   uses systemd python library to access the systemd journal.
 #              Specifying "logpath" is not valid for this backend.
 #              See "journalmatch" in the jails associated filter config
 # auto:      will try to use the following backends, in order:
 #              pyinotify, gamin, polling.
 #
 # Note: if systemd backend is chosen as the default but you enable a jail
 #       for which logs are present only in its own log files, specify some other
 #       backend for that jail (e.g. polling) and provide empty value for
 #       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
 backend = auto
 # "usedns" specifies if jails should trust hostnames in logs,
 #   warn when DNS lookups are performed, or ignore all hostnames in logs
 #
 # yes:   if a hostname is encountered, a DNS lookup will be performed.
 # warn:  if a hostname is encountered, a DNS lookup will be performed,
 #        but it will be logged as a warning.
 # no:    if a hostname is encountered, will not be used for banning,
 #        but it will be logged as info.
 # raw:   use raw value (no hostname), allow use it for no-host filters/actions (example user)
 usedns = warn
 # "logencoding" specifies the encoding of the log files handled by the jail
 #   This is used to decode the lines from the log file.
 #   Typical examples:  "ascii", "utf-8"
 #
 #   auto:   will use the system locale setting
 logencoding = auto
 # "enabled" enables the jails.
 #  By default all jails are disabled, and it should stay this way.
 #  Enable only relevant to your setup jails in your .local or jail.d/*.conf
 #
 # true:  jail will be enabled and log files will get monitored for changes
 # false: jail is not enabled
 enabled = true
 # "mode" defines the mode of the filter (see corresponding filter implementation for more info).
 mode = normal
 # "filter" defines the filter to use by the jail.
 #  By default jails have names matching their filter name
 #
 filter = %(__name__)s[mode=%(mode)s]
 #
 # ACTIONS
 #
 # Some options used for actions
 # Destination email address used solely for the interpolations in
 # jail.{conf,local,d/*} configuration files.
 destemail = root@localhost
 # Sender email address used solely for some actions
 sender = root@<fq-hostname>
 # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
 # mailing. Change mta configuration parameter to mail if you want to
 # revert to conventional 'mail'.
 mta = sendmail
 # Default protocol
 protocol = tcp
 # Specify chain where jumps would need to be added in ban-actions expecting parameter chain
 chain = <known/chain>
 # Ports to be banned
 # Usually should be overridden in a particular jail
 port = 0:65535
 # Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
 fail2ban_agent = Fail2Ban/%(fail2ban_version)s
 #
 # Action shortcuts. To be used to define action parameter
 # Default banning action (e.g. iptables, iptables-new,
 # iptables-multiport, shorewall, etc) It is used to define
 # action_* variables. Can be overridden globally or per
 # section within jail.local file
 banaction = iptables-multiport
 banaction_allports = iptables-allports
 # The simplest action to take: ban only
 action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
 # ban & send an e-mail with whois report to the destemail.
 action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
 # ban & send an e-mail with whois report and relevant log lines
 # to the destemail.
 action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
 # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
 #
 # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
 # to the destemail.
 action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
 # ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
 # to the destemail.
 action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
 # Report block via blocklist.de fail2ban reporting service API
 # 
 # See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
 # Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
 # `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
 # in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in 
 # corresponding jail.d/my-jail.local file).
 #
 action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
 # Report ban via badips.com, and use as blacklist
 #
 # See BadIPsAction docstring in config/action.d/badips.py for
 # documentation for this action.
 #
 # NOTE: This action relies on banaction being present on start and therefore
 # should be last action defined for a jail.
 #
 action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
 #
 # Report ban via badips.com (uses action.d/badips.conf for reporting only)
 #
 action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
 # Report ban via abuseipdb.com.
 #
 # See action.d/abuseipdb.conf for usage example and details.
 #
 action_abuseipdb = abuseipdb
 # Choose default action.  To change, just override value of 'action' with the
 # interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
 # globally (section [DEFAULT]) or per specific section
 action = %(action_)s
 #
 # JAILS
 #
 #
 # SSH servers
 #
 [sshd]
 # To use more aggressive sshd modes set filter parameter "mode" in jail.local:
 # normal (default), ddos, extra or aggressive (combines all).
 # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
 #mode   = normal
 port    = ssh
 logpath = %(sshd_log)s
 backend = %(sshd_backend)s
 [dropbear]
 enabled  = false
 port     = ssh
 logpath  = %(dropbear_log)s
 backend  = %(dropbear_backend)s
 [selinux-ssh]
 enabled  = false
 port     = ssh
 logpath  = %(auditd_log)s
 #
 # HTTP servers
 #
 [apache-auth]
 enabled  = false
 port     = http,https
 logpath  = %(apache_error_log)s
 [apache-badbots]
 # Ban hosts which agent identifies spammer robots crawling the web
 # for email addresses. The mail outputs are buffered.
 enabled  = false
 port     = http,https
 logpath  = %(apache_access_log)s
 bantime  = 48h
 maxretry = 1
 [apache-noscript]
 enabled  = false
 port     = http,https
 logpath  = %(apache_error_log)s
 [apache-overflows]
 enabled  = false
 port     = http,https
 logpath  = %(apache_error_log)s
 maxretry = 2
 [apache-nohome]
 enabled  = false
 port     = http,https
 logpath  = %(apache_error_log)s
 maxretry = 2
 [apache-botsearch]
 enabled  = false
 port     = http,https
 logpath  = %(apache_error_log)s
 maxretry = 2
 [apache-fakegooglebot]
 enabled  = false
 port     = http,https
 logpath  = %(apache_access_log)s
 maxretry = 1
 ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
 [apache-modsecurity]
 enabled  = false
 port     = http,https
 logpath  = %(apache_error_log)s
 maxretry = 2
 [apache-shellshock]
 enabled  = false
 port    = http,https
 logpath = %(apache_error_log)s
 maxretry = 1
 [openhab-auth]
 enabled  = false
 filter = openhab
 action = iptables-allports[name=NoAuthFailures]
 logpath = /opt/openhab/logs/request.log
 [nginx-http-auth]
 enabled  = false
 port    = http,https
 logpath = %(nginx_error_log)s
 # To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` 
 # and define `limit_req` and `limit_req_zone` as described in nginx documentation
 # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
 # or for example see in 'config/filter.d/nginx-limit-req.conf'
 [nginx-limit-req]
 enabled  = false
 port    = http,https
 logpath = %(nginx_error_log)s
 [nginx-botsearch]
 enabled  = false
 port     = http,https
 logpath  = %(nginx_error_log)s
 maxretry = 2
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
 # of usage in production environments.
 [php-url-fopen]
 enabled  = false
 port    = http,https
 logpath = %(nginx_access_log)s
          %(apache_access_log)s
 [suhosin]
 enabled  = false
 port    = http,https
 logpath = %(suhosin_log)s
 [lighttpd-auth]
 # Same as above for Apache's mod_auth
 # It catches wrong authentifications
 enabled  = false
 port    = http,https
 logpath = %(lighttpd_error_log)s
 #
 # Webmail and groupware servers
 #
 [roundcube-auth]
 enabled  = false
 port     = http,https
 logpath  = %(roundcube_errors_log)s
 # Use following line in your jail.local if roundcube logs to journal.
 #backend = %(syslog_backend)s
 [openwebmail]
 enabled  = false
 port     = http,https
 logpath  = /var/log/openwebmail.log
 [horde]
 enabled  = false
 port     = http,https
 logpath  = /var/log/horde/horde.log
 [groupoffice]
 enabled  = false
 port     = http,https
 logpath  = /home/groupoffice/log/info.log
 [sogo-auth]
 # Monitor SOGo groupware server
 # without proxy this would be:
 # port    = 20000
 enabled  = false
 port     = http,https
 logpath  = /var/log/sogo/sogo.log
 [tine20]
 enabled  = false
 logpath  = /var/log/tine20/tine20.log
 port     = http,https
 #
 # Web Applications
 #
 #
 [drupal-auth]
 enabled  = false
 port     = http,https
 logpath  = %(syslog_daemon)s
 backend  = %(syslog_backend)s
 [guacamole]
 enabled  = false
 port     = http,https
 logpath  = /var/log/tomcat*/catalina.out
 [monit]
 #Ban clients brute-forcing the monit gui login
 enabled  = false
 port = 2812
 logpath  = /var/log/monit
 [webmin-auth]
 enabled  = false
 port    = 10000
 logpath = %(syslog_authpriv)s
 backend = %(syslog_backend)s
 [froxlor-auth]
 enabled  = false
 port    = http,https
 logpath  = %(syslog_authpriv)s
 backend  = %(syslog_backend)s
 #
 # HTTP Proxy servers
 #
 #
 [squid]
 enabled  = false
 port     =  80,443,3128,8080
 logpath = /var/log/squid/access.log
 [3proxy]
 enabled  = false
 port    = 3128
 logpath = /var/log/3proxy.log
 #
 # FTP servers
 #
 [proftpd]
 enabled  = false
 port     = ftp,ftp-data,ftps,ftps-data
 logpath  = %(proftpd_log)s
 backend  = %(proftpd_backend)s
 [pure-ftpd]
 enabled  = false
 port     = ftp,ftp-data,ftps,ftps-data
 logpath  = %(pureftpd_log)s
 backend  = %(pureftpd_backend)s
 [gssftpd]
 enabled  = false
 port     = ftp,ftp-data,ftps,ftps-data
 logpath  = %(syslog_daemon)s
 backend  = %(syslog_backend)s
 [wuftpd]
 enabled  = false
 port     = ftp,ftp-data,ftps,ftps-data
 logpath  = %(wuftpd_log)s
 backend  = %(wuftpd_backend)s
 [vsftpd]
 # or overwrite it in jails.local to be
 # logpath = %(syslog_authpriv)s
 # if you want to rely on PAM failed login attempts
 # vsftpd's failregex should match both of those formats
 enabled  = false
 port     = ftp,ftp-data,ftps,ftps-data
 logpath  = %(vsftpd_log)s
 #
 # Mail servers
 #
 # ASSP SMTP Proxy Jail
 [assp]
 enabled  = false
 port     = smtp,465,submission
 logpath  = /root/path/to/assp/logs/maillog.txt
 [courier-smtp]
 enabled  = false
 port     = smtp,465,submission
 logpath  = %(syslog_mail)s
 backend  = %(syslog_backend)s
 [postfix]
 # To use another modes set filter parameter "mode" in jail.local:
 mode    = more
 enabled  = false
 port    = smtp,465,submission
 logpath = %(postfix_log)s
 backend = %(postfix_backend)s
 [postfix-rbl]
 filter   = postfix[mode=rbl]
 enabled  = false
 port     = smtp,465,submission
 logpath  = %(postfix_log)s
 backend  = %(postfix_backend)s
 maxretry = 1
 [sendmail-auth]
 enabled  = false
 port    = submission,465,smtp
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
 [sendmail-reject]
 # To use more aggressive modes set filter parameter "mode" in jail.local:
 # normal (default), extra or aggressive
 # See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
 #mode    = normal
 enabled  = false
 port     = smtp,465,submission
 logpath  = %(syslog_mail)s
 backend  = %(syslog_backend)s
 [qmail-rbl]
 filter  = qmail
 enabled  = false
 port    = smtp,465,submission
 logpath = /service/qmail/log/main/current
 # dovecot defaults to logging to the mail syslog facility
 # but can be set by syslog_facility in the dovecot configuration.
 [dovecot]
 enabled  = false
 port    = pop3,pop3s,imap,imaps,submission,465,sieve
 logpath = %(dovecot_log)s
 backend = %(dovecot_backend)s
 [sieve]
 enabled  = false
 port   = smtp,465,submission
 logpath = %(dovecot_log)s
 backend = %(dovecot_backend)s
 [solid-pop3d]
 enabled  = false
 port    = pop3,pop3s
 logpath = %(solidpop3d_log)s
 [exim]
 # see filter.d/exim.conf for further modes supported from filter:
 #mode = normal
 enabled  = false
 port   = smtp,465,submission
 logpath = %(exim_main_log)s
 [exim-spam]
 enabled  = false
 port   = smtp,465,submission
 logpath = %(exim_main_log)s
 [kerio]
 enabled  = false
 port    = imap,smtp,imaps,465
 logpath = /opt/kerio/mailserver/store/logs/security.log
 #
 # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
 # all relevant ports get banned
 #
 [courier-auth]
 enabled  = false
 port     = smtp,465,submission,imap,imaps,pop3,pop3s
 logpath  = %(syslog_mail)s
 backend  = %(syslog_backend)s
 [postfix-sasl]
 filter   = postfix[mode=auth]
 enabled  = false
 port     = smtp,465,submission,imap,imaps,pop3,pop3s
 # You might consider monitoring /var/log/mail.warn instead if you are
 # running postfix since it would provide the same log lines at the
 # "warn" level but overall at the smaller filesize.
 logpath  = %(postfix_log)s
 backend  = %(postfix_backend)s
 [perdition]
 enabled  = false
 port   = imap,imaps,pop3,pop3s
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
 [squirrelmail]
 enabled  = false
 port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
 logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
 [cyrus-imap]
 enabled  = false
 port   = imap,imaps
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
 [uwimap-auth]
 enabled  = false
 port   = imap,imaps
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
 #
 #
 # DNS servers
 #
 # !!! WARNING !!!
 #   Since UDP is connection-less protocol, spoofing of IP and imitation
 #   of illegal actions is way too simple.  Thus enabling of this filter
 #   might provide an easy way for implementing a DoS against a chosen
 #   victim. See
 #    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
 #   Please DO NOT USE this jail unless you know what you are doing.
 #
 # IMPORTANT: see filter.d/named-refused for instructions to enable logging
 # This jail blocks UDP traffic for DNS requests.
 # [named-refused-udp]
 #
 # filter   = named-refused
 # port     = domain,953
 # protocol = udp
 # logpath  = /var/log/named/security.log
 # IMPORTANT: see filter.d/named-refused for instructions to enable logging
 # This jail blocks TCP traffic for DNS requests.
 [named-refused]
 enabled  = false
 port     = domain,953
 logpath  = /var/log/named/security.log
 [nsd]
 enabled  = false
 port     = 53
 action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
 logpath = /var/log/nsd.log
 #
 # Miscellaneous
 #
 [asterisk]
 enabled  = false
 port     = 5060,5061
 action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
 logpath  = /var/log/asterisk/messages
 maxretry = 10
 [freeswitch]
 enabled  = false
 port     = 5060,5061
 action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
 logpath  = /var/log/freeswitch.log
 maxretry = 10
 # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
 # equivalent section:
 # log-warning = 2
 #
 # for syslog (daemon facility)
 # [mysqld_safe]
 # syslog
 #
 # for own logfile
 # [mysqld]
 # log-error=/var/log/mysqld.log
 [mysqld-auth]
 enabled  = false
 port     = 3306
 logpath  = %(mysql_log)s
 backend  = %(mysql_backend)s
 # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
 [mongodb-auth]
 # change port when running with "--shardsvr" or "--configsvr" runtime operation
 enabled  = false
 port     = 27017
 logpath  = /var/log/mongodb/mongodb.log
 # Jail for more extended banning of persistent abusers
 # !!! WARNINGS !!!
 # 1. Make sure that your loglevel specified in fail2ban.conf/.local
 #    is not at DEBUG level -- which might then cause fail2ban to fall into
 #    an infinite loop constantly feeding itself with non-informative lines
 # 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
 #    to maintain entries for failed logins for sufficient amount of time
 [recidive]
 logpath  = /var/log/fail2ban.log
 banaction = %(banaction_allports)s
 bantime  = -1
 findtime = 1d
 # Generic filter for PAM. Has to be used with action which bans all
 # ports such as iptables-allports, shorewall
 [pam-generic]
 # pam-generic filter can be customized to monitor specific subset of 'tty's
 banaction = %(banaction_allports)s
 logpath  = %(syslog_authpriv)s
 backend  = %(syslog_backend)s
 [xinetd-fail]
 banaction = iptables-multiport-log
 logpath   = %(syslog_daemon)s
 backend   = %(syslog_backend)s
 maxretry  = 2
 # stunnel - need to set port for this
 [stunnel]
 enabled = false
 logpath = /var/log/stunnel4/stunnel.log
 [ejabberd-auth]
 enabled = false
 port    = 5222
 logpath = /var/log/ejabberd/ejabberd.log
 [counter-strike]
 enabled = false
 logpath = /opt/cstrike/logs/L[0-9]*.log
 # Firewall: http://www.cstrike-planet.com/faq/6
 tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
 udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
 action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
 # consider low maxretry and a long bantime
 # nobody except your own Nagios server should ever probe nrpe
 [nagios]
 enabled = false
 logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility
 backend  = %(syslog_backend)s
 maxretry = 1
 [oracleims]
 # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
 enabled = false
 logpath = /opt/sun/comms/messaging64/log/mail.log_current
 banaction = %(banaction_allports)s
 [directadmin]
 enabled = false
 logpath = /var/log/directadmin/login.log
 port = 2222
 [portsentry]
 enabled = false
 logpath  = /var/lib/portsentry/portsentry.history
 maxretry = 1
 [pass2allow-ftp]
 # this pass2allow example allows FTP traffic after successful HTTP authentication
 enabled = false
 port         = ftp,ftp-data,ftps,ftps-data
 # knocking_url variable must be overridden to some secret value in jail.local
 knocking_url = /knocking/
 filter       = apache-pass[knocking_url="%(knocking_url)s"]
 # access log of the website with HTTP auth
 logpath      = %(apache_access_log)s
 blocktype    = RETURN
 returntype   = DROP
 action       = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s]
 bantime      = 1h
 maxretry     = 1
 findtime     = 1
 [murmur]
 # AKA mumble-server
 enabled = false
 port     = 64738
 action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
 logpath  = /var/log/mumble-server/mumble-server.log
 [screensharingd]
 # For Mac OS Screen Sharing Service (VNC)
 enabled = false
 logpath  = /var/log/system.log
 logencoding = utf-8
 [haproxy-http-auth]
 # HAProxy by default doesn't log to file you'll need to set it up to forward
 # logs to a syslog server which would then write them to disk.
 # See "haproxy-http-auth" filter for a brief cautionary note when setting
 # maxretry and findtime.
 enabled = false
 logpath  = /var/log/haproxy.log
 [slapd]
 enabled = false
 port    = ldap,ldaps
 logpath = /var/log/slapd.log
 [domino-smtp]
 enabled = false
 port    = smtp,ssmtp
 logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log
 [phpmyadmin-syslog]
 enabled = false
 port    = http,https
 logpath = %(syslog_authpriv)s
 backend = %(syslog_backend)s
 [zoneminder]
 # Zoneminder HTTP/HTTPS web interface auth
 # Logs auth failures to apache2 error log
 enabled = false
 port    = http,https
 logpath = %(apache_error_log)s
--- a/user-provision/README.md
+++ b/user-provision/README.md
@ -0,0 +1,38 @@
 Role Name
 =========
 A brief description of the role goes here.
 Requirements
 ------------
 Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
 Role Variables
 --------------
 A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
 Dependencies
 ------------
 A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
 Example Playbook
 ----------------
 Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
    - hosts: servers
      roles:
         - { role: username.rolename, x: 42 }
 License
 -------
 BSD
 Author Information
 ------------------
 An optional section for the role authors to include contact information, or a website (HTML is not allowed).
--- a/user-provision/handlers/main.yml
+++ b/user-provision/handlers/main.yml
@ -0,0 +1,8 @@
 ---
 - name: Restart sshd service
  ansible.builtin.service:
    name: sshd
    state: restarted
  listen: "restart sshd"
  ignore_errors: yes
  become: yes
--- a/user-provision/meta/main.yml
+++ b/user-provision/meta/main.yml
@ -0,0 +1,34 @@
 galaxy_info:
  author: your name
  description: your role description
  company: your company (optional)
  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker
  # Choose a valid license ID from https://spdx.org - some suggested licenses:
  # - BSD-3-Clause (default)
  # - MIT
  # - GPL-2.0-or-later
  # - GPL-3.0-only
  # - Apache-2.0
  # - CC-BY-4.0
  license: license (GPL-2.0-or-later, MIT, etc)
  min_ansible_version: 2.1
  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:
  galaxy_tags: []
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    #       Maximum 20 tags per role.
 dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.
--- a/user-provision/tasks/main.yml
+++ b/user-provision/tasks/main.yml
@ -0,0 +1,60 @@
 - block:
  - include_vars: "{{ playbook_dir ~ '/vault/user_provisioning' }}"
  # Atmen : slave, servant
  - name: Add provisioning user "atmen" for ansible
    ansible.builtin.user:
      name: atmen
      comment: Ansible provisioner
      groups: sudo
      append: yes
      shell: /bin/bash
      password: "{{ vault_atmen_password | password_hash('sha512') }}"
  - name: Set authorized key for atmen
    ansible.posix.authorized_key:
      user: atmen
      state: present
      key: "{{ lookup('file', atmen_ssh_key_host_path) }}"
  - name: Add maintainer user
    ansible.builtin.user:
      name: "{{ vault_maintainer_user }}"
      comment: Maintainer user
      groups: sudo
      append: yes
      shell: /bin/bash
      password: "{{ vault_maintainer_password | password_hash('sha512') }}"
  - name: Set authorized key for maintainer user
    ansible.posix.authorized_key:
      user: "{{ vault_maintainer_user }}"
      state: present
      key: "{{ lookup('file', maintainer_ssh_key_host_path) }}"
  - name: Disable root login
    ansible.builtin.user:
      name: root
      password: '*'
  - name: Disable SSH login for creator
    ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      line: DenyUsers creator
      state: present
  - name: Disable password login
    lineinfile:
      dest: "/etc/ssh/sshd_config"
      regexp: '^(#\s*)?PasswordAuthentication '
      line: "PasswordAuthentication no"
    notify: restart sshd
  - name: Change SSH port
    lineinfile:
      dest: "/etc/ssh/sshd_config"
      regexp: "^Port "
      line: "Port {{ sshd_port }}"
    notify: restart sshd
    changed_when: true
  become: yes
--- a/user-provision/vars/main.yml
+++ b/user-provision/vars/main.yml
@ -0,0 +1,3 @@
 ---
 atmen_ssh_key_host_path: ~/.ssh/atmen.pub
 maintainer_ssh_key_host_path: ~/.ssh/maintainer.pub
--- a/1
+++ b/1
@ -0,0 +1 @@
 Subproject commit 11883d85c9ad3ff5b70e6e252111d39b5a32284d
Author	SHA1	Message	Date
Tanguy Herbron	c779f9cc7e	feat(users): Add user creation and refine provision	2024-08-04 19:41:35 +02:00
Tanguy Herbron	7dea909100	fix(vars): Set proper IPs for k3s configuration on Wireguard	2024-06-20 14:48:29 +02:00
Tanguy Herbron	724cb89683	fix: Local cluster installation	2024-02-28 17:34:57 +01:00
Tanguy Herbron	a16d3d0773	chore: Bump k3s-ansible version	2024-02-02 13:49:05 +01:00
Tanguy Herbron	aae49a299f	chore(lint): Add ansible lint configuration file	2024-01-14 01:34:34 +01:00
Tanguy Herbron	6a3922eb78	feat(omv): Restart NAS only after plugin installation	2024-01-14 01:34:08 +01:00
Tanguy Herbron	f45e372bbe	feat(k3s): Update group_vars to work with tailscale configuration	2024-01-14 01:33:41 +01:00
Tanguy Herbron	29ffd36261	chore(init): Fix linting errors	2024-01-14 01:33:14 +01:00
Tanguy Herbron	f3cda8f36c	feat(tailscale): Complete configuration	2024-01-14 01:31:57 +01:00
Tanguy Herbron	73e48b3203	WIP(headscale): Start migration	2023-12-05 10:03:09 +01:00
Tanguy Herbron	f98a2a63c3	fix(OMV): Enable SSH after installation and update version	2023-12-05 10:02:01 +01:00
Tanguy Herbron	ecfad95853	docs(README): Add TODO items for creator provisioning	2023-12-02 18:03:59 +01:00
Tanguy Herbron	1c4b20430f	fix(omv): Add vagrant and ansible user to ssh group	2023-12-02 17:59:52 +01:00
Tanguy Herbron	c0bdaf0315	docs(README): Add OMV documentation	2023-11-12 23:04:38 +01:00
Tanguy Herbron	4c6e278623	chore(group_vars): Remove unused entries	2023-10-30 16:57:59 +01:00
Tanguy Herbron	920407620d	feat(Configuration): Remove SSH fingerprint check and useless comment	2023-10-23 14:25:09 +02:00
Tanguy Herbron	2c1968e159	fix(fail2ban): Add package cache update	2023-10-22 12:50:14 +02:00
Tanguy Herbron	79b14782fc	chore(Cleaning): Remove legacy dependency and update k3s installation process	2023-10-22 12:34:22 +02:00
Tanguy Herbron	a802758168	Merge branch 'dev' of https://git.halia.dev/athens-school/ansible into dev	2023-04-11 10:24:26 +02:00
Tanguy Herbron	4b572ec302	feat(setup): Add NFS dependencies	2023-04-11 10:23:23 +02:00
Tanguy Herbron	cded5d886c	refactor(OMV): Install OMV through OMV-Extra script	2023-04-11 10:22:52 +02:00
Tanguy Herbron	2626e7d15a	build(makefile): improve stacked execution with custom environments, for better summary	2023-03-06 15:03:09 +01:00
Tanguy Herbron	ff5e321b1a	feat(k3s): Add label injection for nodes	2023-03-05 12:23:42 +01:00
Tanguy Herbron	96ccae1b22	chore(k3s): Bump version	2023-03-05 12:23:16 +01:00
Tanguy Herbron	f568a97b10	feat(k3s): Disable embeded LB	2022-11-16 23:53:26 +01:00
Tanguy Herbron	234e986eff	Holyday tmp	2022-06-24 20:38:52 +02:00
Tanguy Herbron	f40d2eeeba	Fix submodules	2022-06-11 02:40:21 +02:00
Tanguy Herbron	7f72142755	Add Makefile to easy start some scenarios	2022-06-11 02:33:04 +02:00
Tanguy Herbron	9a6e3b904c	Simplify init.yml file construction	2022-06-11 02:32:48 +02:00
Tanguy Herbron	886232e1aa	Fix Fail2ban installation process	2022-06-11 02:32:23 +02:00
Tanguy Herbron	09376d3cd1	Remove temporary file	2022-06-11 02:31:46 +02:00
Tanguy Herbron	05cb4ceb48	Remove legacy scripts and tasks	2022-06-11 02:31:29 +02:00
Tanguy Herbron	bdc1667dcb	Add inventory hierarchy and temporary hosts	2022-06-11 02:30:35 +02:00
Tanguy Herbron	39a5980f43	Add wireguard playbook repository	2022-06-11 02:28:30 +02:00
Tanguy Herbron	ecdfa19fd2	Add additional step to README	2022-06-11 02:27:58 +02:00
Tanguy Herbron	60d090a5ea	Add k3s-ansible playbook from Jeff Geerling	2022-06-11 02:22:02 +02:00
Tanguy Herbron	93f9bdd953	Add basic playbook for node setup	2022-05-26 01:24:56 +02:00
Tanguy Herbron	88bbe3a882	Update gitlab role + add misc role	2022-02-14 01:02:14 +01:00
Tanguy Herbron	d2e59d6bbb	Add temporary devops rework	2022-02-11 17:49:06 +01:00
Tanguy Herbron	cc46c0e89e	Add gitlab role with backup task	2022-02-09 00:04:05 +01:00
Tanguy Herbron	e400549073	Add install steps for k3s	2022-02-04 00:19:45 +01:00
Tanguy Herbron	960c02f914	Development of auto-inventory	2021-10-16 18:29:06 +02:00
		`@ -0,0 +1,2 @@`
							`ansible_ssh_private_key_file: ~/.ssh/atmen`
							`ansible_user: atmen`
		`@ -0,0 +1 @@`
							`Subproject commit 9c8ba5c1555944f02f7ffadc3b0839530b2782f7`
		`@ -0,0 +1 @@`
							`Subproject commit 11883d85c9ad3ff5b70e6e252111d39b5a32284d`