Basic deployment on valkyrie

This commit is contained in:
Wojciech Kozlowski 2022-09-21 23:57:15 +02:00
parent 8e690941bf
commit 4c7c0e052b
50 changed files with 99 additions and 60 deletions

4
.gitignore vendored

@ -1 +1,3 @@
secrets.yml
secrets/common.yml
secrets/valkyrie.yml
secrets/yggdrasil.yml
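Review bot: Listing each vault file by name means the next `secrets/<host>.yml` created for a new host is not ignored until someone remembers to extend this list, and a forgotten entry commits plaintext secrets. A directory pattern closes that gap: the three new lines can be replaced by `secrets/` (or `secrets/*.yml` if a non-secret template is meant to live in that directory). If the intent is instead to commit these files in vault-encrypted form, ignoring them is unnecessary; the current list suggests they are kept out of git entirely.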


@ -5,5 +5,6 @@ Ansible playbooks for provisioning Yggdrasil.
## Secrets vault
- Encrypt with: ```ansible-vault encrypt secrets.yml```
- Decrypt with: ```ansible-vault decrypt secrets.yml```
- Print secrets to STDOUT: ```ansible-vault decrypt --output - secrets.yml```
- Run a playbook with ```ansible-playbook --vault-id @prompt playbook.yml```


@ -2,4 +2,4 @@
inventory = ./hosts
[privilege_escalation]
become=True
become = True


@ -3,7 +3,7 @@
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1 {{ subnet_address }}/{{ subnet_masklen }}
ignoreip = 127.0.0.1/8 ::1 {{ subnet }}
# "bantime" is the number of seconds that a host is banned.
bantime = 1d
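Review bot: `ignoreip` now takes `subnet` verbatim, so a value entered as a bare address instead of a CIDR, or with a typo in the mask, silently widens or narrows what fail2ban exempts while the template still renders cleanly; the previous form at least made the address and mask separately visible. Exempting an entire subnet is also a trust decision worth stating in the file, since any compromised host on that network can brute-force sshd without ever being banned. Suggest the comment `# {{ subnet }} must be CIDR (e.g. 10.0.0.0/24); every host on it is exempt from banning.` directly above the `ignoreip` line.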


@ -0,0 +1 @@
{{ hostname }}.{{ domain }}


@ -3,8 +3,8 @@
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0;
chain input {
type filter hook input priority 0;
# Accept any localhost traffic.
iif lo accept;
@ -17,19 +17,19 @@ table inet filter {
ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept;
ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept;
# Drop invalid connections.
ct state invalid drop;
# Drop invalid connections.
ct state invalid drop;
# Activate the following line to accept common local services.
tcp dport { 80, 443, {{ ansible_port }} } ct state new accept;
# Count and drop any other traffic.
counter drop;
}
chain forward {
type filter hook forward priority 0;
}
chain output {
type filter hook output priority 0;
}
}
chain forward {
type filter hook forward priority 0;
}
chain output {
type filter hook output priority 0;
}
}


@ -15,3 +15,6 @@ PasswordAuthentication no
# No X window forwarding.
X11Forwarding no
# Check in with the client every now and then.
ClientAliveInterval 120
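Review bot: The comment above `ClientAliveInterval 120` undersells what the directive does: on its own it does not end idle sessions, it only sends a keepalive probe every 120 s, and the session is closed after `ClientAliveCountMax` (default 3) consecutive unanswered probes, i.e. roughly six minutes of an unresponsive client. If the goal is an idle timeout for forgotten sessions, that needs to be said and `ClientAliveCountMax` set explicitly rather than inherited. Suggest replacing the comment with `# Probe the client every 120s; drop the session after ClientAliveCountMax (default 3) unanswered probes.`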

View File

@ -0,0 +1,9 @@
-------------------------------------------------------------------
_ _ _
__ ____ _| | | ___ _ _ __(_) ___
\ \ / / _` | | |/ / | | | '__| |/ _ \
\ V / (_| | | <| |_| | | | | __/
\_/ \__,_|_|_|\_\\__, |_| |_|\___|
|___/
-------------------------------------------------------------------

1
hosts

@ -1 +1,2 @@
valkyrie
yggdrasil


@ -1 +0,0 @@
{{ domain }}


@ -10,6 +10,7 @@ hostname:
domain:
subnet_address:
subnet_masklen:
subnet:
# Postfix variables
postfix_smtp_server:
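Review bot: `subnet:` is added without a format hint while the fail2ban template now substitutes it verbatim into `ignoreip`, so whoever fills in this file cannot tell whether a CIDR or a bare address is wanted. The older `subnet_address:`/`subnet_masklen:` pair is left in place and it is not visible here whether anything still reads it; if nothing does, keeping both invites the values to drift apart. Suggest `subnet:  # CIDR, e.g. 10.0.0.0/24 (every host on it is exempt from fail2ban bans)`.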


@ -4,14 +4,14 @@
- name: Configure fail2ban
template:
src: ./root/etc/fail2ban/jail.local.j2
src: ./filesystem/common/etc/fail2ban/jail.local.j2
dest: /etc/fail2ban/jail.local
mode: 0644
register: fail2ban_conf
- name: Configure fail2ban sshd jail
template:
src: ./root/etc/fail2ban/jail.d/sshd.local.j2
src: ./filesystem/common/etc/fail2ban/jail.d/sshd.local.j2
dest: /etc/fail2ban/jail.d/sshd.local
mode: 0644
register: fail2ban_sshd_jail


@ -4,7 +4,7 @@
- name: Configure nftables
template:
src: ./root/etc/nftables.conf.j2
src: ./filesystem/common/etc/nftables.conf.j2
dest: /etc/nftables.conf
mode: 0755
register: nftables_conf

5
tasks/fstrim.yml Normal file

@ -0,0 +1,5 @@
- name: Enable fstrim
systemd:
name: fstrim.timer
enabled: yes
state: started
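Review bot: `enabled: yes` is a YAML 1.1 truthy value that yamllint flags and that parsers disagree on; Ansible accepts it, but its own style guidance prefers `true`/`false`, so the line should read `enabled: true`. The new file also omits the `---` document start that `valkyrie.yml` in this same commit uses, which is worth adding for consistency across the task files.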


@ -6,7 +6,7 @@
- name: Configure logcheck
template:
src: ./root/etc/logcheck/ignore.d.server/yggdrasil.j2
dest: /etc/logcheck/ignore.d.server/yggdrasil
src: ./filesystem/common/etc/logcheck/ignore.d.server/hostname.j2
dest: /etc/logcheck/ignore.d.server/{{ hostname }}
group: logcheck
mode: 0644
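Review bot: Changing `dest` from the fixed name `yggdrasil` to `{{ hostname }}` leaves the old ignore file behind on any host where `hostname` is not exactly `yggdrasil`, and logcheck reads every file in `ignore.d.server`, so stale rules would keep suppressing alerts there. If that case can occur, a cleanup task belongs next to this one: `- name: Remove legacy logcheck ignore file` with `file:` / `path: /etc/logcheck/ignore.d.server/yggdrasil` / `state: absent`. Whether `hostname` is literally `yggdrasil` on the existing host is not visible from this hunk.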


@ -1,24 +1,13 @@
- name: Configure mailname
template:
src: ./root/etc/mailname.j2
src: ./filesystem/common/etc/mailname.j2
dest: /etc/mailname
mode: 0644
register: mail_mailname
- name: Configure aliases
template:
src: ./root/etc/aliases.j2
dest: /etc/aliases
mode: 0644
register: mail_aliases
- name: Update aliases
command: newaliases
when: mail_aliases is changed
- name: Configure mailutils
template:
src: ./root/etc/mailutils.conf.j2
src: ./filesystem/common/etc/mailutils.conf.j2
dest: /etc/mailutils.conf
mode: 0644
@ -29,16 +18,27 @@
- ca-certificates
- libsasl2-modules
- name: Configure aliases
template:
src: ./filesystem/common/etc/aliases.j2
dest: /etc/aliases
mode: 0644
register: mail_aliases
- name: Update aliases
command: newaliases
when: mail_aliases is changed
- name: Configure postfix
template:
src: ./root/etc/postfix/main.cf.j2
src: ./filesystem/common/etc/postfix/main.cf.j2
dest: /etc/postfix/main.cf
mode: 0644
register: mail_postfix_conf
- name: Configure credentials
template:
src: ./root/etc/postfix/sasl_passwd.j2
src: ./filesystem/common/etc/postfix/sasl_passwd.j2
dest: /etc/postfix/sasl_passwd
mode: 0600
register: mail_postfix_credentials
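Review bot: The `Configure credentials` task renders the SMTP SASL password into `/etc/postfix/sasl_passwd` via `template` without `no_log: true`, so running the playbook with `--diff` or `-v` prints the rendered secret to the console and into any captured job log; the `0600` mode protects the file on disk but not the Ansible output. Add `no_log: true` (and `diff: false` if diff mode is used routinely) to that task. Postfix reads the hashed `sasl_passwd.db` rather than this file, so `postmap` has to run whenever the template changes; that step is presumably driven by `mail_postfix_credentials` further down, outside this hunk.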


@ -1,5 +1,5 @@
- name: Set MotD
copy:
src: ./root/etc/motd
src: ./filesystem/{{ hostname }}/etc/motd
dest: /etc/motd
mode: 0644


@ -5,6 +5,6 @@
- name: Disable su for non-wheel users
copy:
src: ./root/etc/pam.d/su
src: ./filesystem/common/etc/pam.d/su
dest: /etc/pam.d/su
mode: 0644


@ -4,7 +4,7 @@
- name: Smartd configuration
copy:
src: ./root/etc/smartd.conf
src: ./filesystem/yggdrasil/etc/smartd.conf
dest: /etc/smartd.conf
mode: 0644
register: smartd_conf


@ -3,8 +3,8 @@
- name: Configure sshd
template:
src: ./root/etc/ssh/sshd_config.d/00-yggdrasil.conf.j2
dest: /etc/ssh/sshd_config.d/00-yggdrasil.conf
src: ./filesystem/common/etc/ssh/sshd_config.d/00-local.conf.j2
dest: /etc/ssh/sshd_config.d/00-local.conf
mode: 0600
register: sshd_conf
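Review bot: Renaming the drop-in to `00-local.conf` does not remove `/etc/ssh/sshd_config.d/00-yggdrasil.conf` from the already-provisioned host, and sshd loads every file included from that directory, so the old file keeps contributing directives. Because sshd takes the first value it sees per keyword and `00-local.conf` sorts before `00-yggdrasil.conf`, conflicting settings resolve to the new file, but any directive present only in the old one lives on and a setting later dropped from the new file would silently fall back to the stale value. A `file` task with `path: /etc/ssh/sshd_config.d/00-yggdrasil.conf` and `state: absent`, feeding the same sshd restart, should accompany this rename; whether a handler restarts sshd on `sshd_conf` is outside this hunk.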


@ -1,12 +1,12 @@
- name: SystemD mail script
template:
src: ./root/usr/local/sbin/systemd-mail-systemctl-status.j2
src: ./filesystem/yggdrasil/usr/local/sbin/systemd-mail-systemctl-status.j2
dest: /usr/local/sbin/systemd-mail-systemctl-status
mode: 0755
- name: SystemD mail service
copy:
src: ./root/etc/systemd/system/status-mail@.service
src: ./filesystem/yggdrasil/etc/systemd/system/status-mail@.service
dest: /etc/systemd/system/status-mail@.service
mode: 0644
register: systemd_status_mail_service_file


@ -4,12 +4,12 @@
- name: Configure unattended-upgrades
copy:
src: ./root/etc/apt/apt.conf.d/50unattended-upgrades
src: ./filesystem/common/etc/apt/apt.conf.d/50unattended-upgrades
dest: /etc/apt/apt.conf.d/50unattended-upgrades
mode: 0644
- name: Enable unattended-upgrades
copy:
src: ./root/etc/apt/apt.conf.d/20auto-upgrades
src: ./filesystem/common/etc/apt/apt.conf.d/20auto-upgrades
dest: /etc/apt/apt.conf.d/20auto-upgrades
mode: 0644


@ -4,7 +4,7 @@
- name: Apcupsd configuration
copy:
src: ./root/etc/apcupsd/apcupsd.conf
src: ./filesystem/yggdrasil/etc/apcupsd/apcupsd.conf
dest: /etc/apcupsd/apcupsd.conf
mode: 0644
register: apcupsd_conf


@ -8,14 +8,14 @@
- name: Configure tmux
become: no
copy:
src: ./root/home/user/tmux.conf
src: ./filesystem/common/home/user/tmux.conf
dest: .tmux.conf
mode: 0644
- name: Configure bashrc
become: no
copy:
src: ./root/home/user/bashrc
src: ./filesystem/common/home/user/bashrc
dest: .bashrc
mode: 0644


@ -4,4 +4,5 @@
- git
- htop
- man
- perl
- tmux


@ -1,19 +1,19 @@
- name: Zpool status mail script
template:
src: ./root/usr/local/sbin/systemd-mail-zpool-status.j2
src: ./filesystem/yggdrasil/usr/local/sbin/systemd-mail-zpool-status.j2
dest: /usr/local/sbin/systemd-mail-zpool-status
mode: 0755
- name: Zfs scrub service file
copy:
src: ./root/etc/systemd/system/zfs-scrub@.service
src: ./filesystem/yggdrasil/etc/systemd/system/zfs-scrub@.service
dest: /etc/systemd/system/zfs-scrub@.service
mode: 0644
register: systemd_zfs_scrub_service_file
- name: Zfs scrub timer file
copy:
src: ./root/etc/systemd/system/zfs-scrub-monthly@.timer
src: ./filesystem/yggdrasil/etc/systemd/system/zfs-scrub-monthly@.timer
dest: /etc/systemd/system/zfs-scrub-monthly@.timer
mode: 0644
register: systemd_zfs_scrub_monthly_timer_file


@ -1,19 +1,13 @@
- name: Enable fstrim
systemd:
name: fstrim.timer
enabled: yes
state: started
- name: Zfs trim service file
copy:
src: ./root/etc/systemd/system/zfs-trim@.service
src: ./filesystem/yggdrasil/etc/systemd/system/zfs-trim@.service
dest: /etc/systemd/system/zfs-trim@.service
mode: 0644
register: systemd_zfs_trim_service_file
- name: Zfs trim timer file
copy:
src: ./root/etc/systemd/system/zfs-trim-monthly@.timer
src: ./filesystem/yggdrasil/etc/systemd/system/zfs-trim-monthly@.timer
dest: /etc/systemd/system/zfs-trim-monthly@.timer
mode: 0644
register: systemd_zfs_trim_monthly_timer_file

20
valkyrie.yml Normal file

@ -0,0 +1,20 @@
---
- hosts: valkyrie
vars_files:
- secrets/common.yml
- secrets/valkyrie.yml
tasks:
- import_tasks: tasks/sshd.yml
- import_tasks: tasks/firewall.yml
- import_tasks: tasks/ntp.yml
- import_tasks: tasks/mail.yml
- import_tasks: tasks/unattended-upgrades.yml
- import_tasks: tasks/fail2ban.yml
- import_tasks: tasks/fstrim.yml
- import_tasks: tasks/logs.yml
- import_tasks: tasks/motd.yml
- import_tasks: tasks/utils.yml
- import_tasks: tasks/user.yml
- import_tasks: tasks/root-shell.yml
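Review bot: `vars_files` now splits the vault into `secrets/common.yml` and `secrets/valkyrie.yml`, but the README hunk in this same commit still tells the operator to encrypt and decrypt `secrets.yml`, which no longer exists; someone following the docs for a new host could leave its secrets file unencrypted. The README lines should name the new files, e.g. `ansible-vault encrypt secrets/common.yml secrets/valkyrie.yml`, while the `--vault-id @prompt` invocation still applies. The inventory entry `valkyrie` carries no `ansible_port`, yet the shared nftables template opens `{{ ansible_port }}`; where that variable is defined for the new host is not visible here.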


@ -2,7 +2,8 @@
- hosts: yggdrasil
vars_files:
- secrets.yml
- secrets/common.yml
- secrets/yggdrasil.yml
tasks:
- import_tasks: tasks/sshd.yml
@ -13,7 +14,8 @@
- import_tasks: tasks/fail2ban.yml
- import_tasks: tasks/systemd-mail.yml
- import_tasks: tasks/zfs-scrub.yml
- import_tasks: tasks/trim.yml
- import_tasks: tasks/zfs-trim.yml
- import_tasks: tasks/fstrim.yml
- import_tasks: tasks/zfsutils-cron.yml
- import_tasks: tasks/ups.yml
- import_tasks: tasks/smart.yml