Basic deployment on valkyrie

This commit is contained in:
Wojciech Kozlowski 2022-09-21 23:57:15 +02:00
parent 8e690941bf
commit 4c7c0e052b
50 changed files with 99 additions and 60 deletions

.gitignore vendored

@ -1 +1,3 @@
secrets.yml secrets/common.yml
secrets/valkyrie.yml
secrets/yggdrasil.yml


@ -5,5 +5,6 @@ Ansible playbooks for provisioning Yggdrasil.
## Secrets vault ## Secrets vault
- Encrypt with: ```ansible-vault encrypt secrets.yml``` - Encrypt with: ```ansible-vault encrypt secrets.yml```
- Decrypt with: ```ansible-vault decrypt secrets.yml```
- Print secrets to STDOUT: ```ansible-vault decrypt --output - secrets.yml``` - Print secrets to STDOUT: ```ansible-vault decrypt --output - secrets.yml```
- Run a playbook with ```ansible-playbook --vault-id @prompt playbook.yml``` - Run a playbook with ```ansible-playbook --vault-id @prompt playbook.yml```


@ -2,4 +2,4 @@
inventory = ./hosts inventory = ./hosts
[privilege_escalation] [privilege_escalation]
become=True become = True


@ -3,7 +3,7 @@
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses # will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator. # can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1 {{ subnet_address }}/{{ subnet_masklen }} ignoreip = 127.0.0.1/8 ::1 {{ subnet }}
# "bantime" is the number of seconds that a host is banned. # "bantime" is the number of seconds that a host is banned.
bantime = 1d bantime = 1d


@ -0,0 +1 @@
{{ hostname }}.{{ domain }}


@ -3,8 +3,8 @@
flush ruleset flush ruleset
table inet filter { table inet filter {
chain input { chain input {
type filter hook input priority 0; type filter hook input priority 0;
# Accept any localhost traffic. # Accept any localhost traffic.
iif lo accept; iif lo accept;
@ -17,19 +17,19 @@ table inet filter {
ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept; ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept;
ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept; ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept;
# Drop invalid connections. # Drop invalid connections.
ct state invalid drop; ct state invalid drop;
# Activate the following line to accept common local services. # Activate the following line to accept common local services.
tcp dport { 80, 443, {{ ansible_port }} } ct state new accept; tcp dport { 80, 443, {{ ansible_port }} } ct state new accept;
# Count and drop any other traffic. # Count and drop any other traffic.
counter drop; counter drop;
} }
chain forward { chain forward {
type filter hook forward priority 0; type filter hook forward priority 0;
} }
chain output { chain output {
type filter hook output priority 0; type filter hook output priority 0;
} }
} }


@ -15,3 +15,6 @@ PasswordAuthentication no
# No X window forwarding. # No X window forwarding.
X11Forwarding no X11Forwarding no
# Check in with the client every now and then.
ClientAliveInterval 120
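Review bot: `ClientAliveInterval 120` only sets the probe period; with sshd's default `ClientAliveCountMax` of 3 an unresponsive client is disconnected after roughly six minutes, and the comment `# Check in with the client every now and then.` does not say whether that disconnect is the intended policy or a side effect. Suggest making the comment explicit, e.g. `# Probe the client every 120 s; with the default ClientAliveCountMax (3) an unresponsive session is dropped after ~6 min.`, and if a hard idle cut-off is the goal, setting `ClientAliveCountMax` in the same file so the behaviour does not depend on the distribution default. The drop-in file begins before this hunk.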


@ -0,0 +1,9 @@
-------------------------------------------------------------------
_ _ _
__ ____ _| | | ___ _ _ __(_) ___
\ \ / / _` | | |/ / | | | '__| |/ _ \
\ V / (_| | | <| |_| | | | | __/
\_/ \__,_|_|_|\_\\__, |_| |_|\___|
|___/
-------------------------------------------------------------------

hosts

@ -1 +1,2 @@
valkyrie
yggdrasil yggdrasil


@ -1 +0,0 @@
{{ domain }}


@ -10,6 +10,7 @@ hostname:
domain: domain:
subnet_address: subnet_address:
subnet_masklen: subnet_masklen:
subnet:
# Postfix variables # Postfix variables
postfix_smtp_server: postfix_smtp_server:
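Review bot: The new `subnet:` key takes over from `{{ subnet_address }}/{{ subnet_masklen }}` in the fail2ban `ignoreip` line, so its value now has to carry the prefix length itself, but the template gives no hint of the expected form. Suggest a comment beside it, `# CIDR notation (example: 192.0.2.0/24); inserted verbatim into fail2ban ignoreip`, since a bare address here silently narrows the whitelist to one host while a typo widens it. `subnet_address` and `subnet_masklen` are kept in the template; if nothing else in the repository still reads them they are dead keys that invite drift between the two representations, though their other uses are not visible in this page. The vars file continues outside the hunk.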


@ -4,14 +4,14 @@
- name: Configure fail2ban - name: Configure fail2ban
template: template:
src: ./root/etc/fail2ban/jail.local.j2 src: ./filesystem/common/etc/fail2ban/jail.local.j2
dest: /etc/fail2ban/jail.local dest: /etc/fail2ban/jail.local
mode: 0644 mode: 0644
register: fail2ban_conf register: fail2ban_conf
- name: Configure fail2ban sshd jail - name: Configure fail2ban sshd jail
template: template:
src: ./root/etc/fail2ban/jail.d/sshd.local.j2 src: ./filesystem/common/etc/fail2ban/jail.d/sshd.local.j2
dest: /etc/fail2ban/jail.d/sshd.local dest: /etc/fail2ban/jail.d/sshd.local
mode: 0644 mode: 0644
register: fail2ban_sshd_jail register: fail2ban_sshd_jail


@ -4,7 +4,7 @@
- name: Configure nftables - name: Configure nftables
template: template:
src: ./root/etc/nftables.conf.j2 src: ./filesystem/common/etc/nftables.conf.j2
dest: /etc/nftables.conf dest: /etc/nftables.conf
mode: 0755 mode: 0755
register: nftables_conf register: nftables_conf

tasks/fstrim.yml Normal file

@ -0,0 +1,5 @@
- name: Enable fstrim
systemd:
name: fstrim.timer
enabled: yes
state: started


@ -6,7 +6,7 @@
- name: Configure logcheck - name: Configure logcheck
template: template:
src: ./root/etc/logcheck/ignore.d.server/yggdrasil.j2 src: ./filesystem/common/etc/logcheck/ignore.d.server/hostname.j2
dest: /etc/logcheck/ignore.d.server/yggdrasil dest: /etc/logcheck/ignore.d.server/{{ hostname }}
group: logcheck group: logcheck
mode: 0644 mode: 0644


@ -1,24 +1,13 @@
- name: Configure mailname - name: Configure mailname
template: template:
src: ./root/etc/mailname.j2 src: ./filesystem/common/etc/mailname.j2
dest: /etc/mailname dest: /etc/mailname
mode: 0644 mode: 0644
register: mail_mailname register: mail_mailname
- name: Configure aliases
template:
src: ./root/etc/aliases.j2
dest: /etc/aliases
mode: 0644
register: mail_aliases
- name: Update aliases
command: newaliases
when: mail_aliases is changed
- name: Configure mailutils - name: Configure mailutils
template: template:
src: ./root/etc/mailutils.conf.j2 src: ./filesystem/common/etc/mailutils.conf.j2
dest: /etc/mailutils.conf dest: /etc/mailutils.conf
mode: 0644 mode: 0644
@ -29,16 +18,27 @@
- ca-certificates - ca-certificates
- libsasl2-modules - libsasl2-modules
- name: Configure aliases
template:
src: ./filesystem/common/etc/aliases.j2
dest: /etc/aliases
mode: 0644
register: mail_aliases
- name: Update aliases
command: newaliases
when: mail_aliases is changed
- name: Configure postfix - name: Configure postfix
template: template:
src: ./root/etc/postfix/main.cf.j2 src: ./filesystem/common/etc/postfix/main.cf.j2
dest: /etc/postfix/main.cf dest: /etc/postfix/main.cf
mode: 0644 mode: 0644
register: mail_postfix_conf register: mail_postfix_conf
- name: Configure credentials - name: Configure credentials
template: template:
src: ./root/etc/postfix/sasl_passwd.j2 src: ./filesystem/common/etc/postfix/sasl_passwd.j2
dest: /etc/postfix/sasl_passwd dest: /etc/postfix/sasl_passwd
mode: 0600 mode: 0600
register: mail_postfix_credentials register: mail_postfix_credentials
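Review bot: The `Configure credentials` task pins `/etc/postfix/sasl_passwd` to `mode: 0600`, but the file postfix actually reads is the `sasl_passwd.db` that `postmap` derives from it, and that step is not in this hunk (presumably driven by `mail_postfix_credentials` further down). Whatever task consumes that register should verify the derived `.db` also ends up `0600`, since the SMTP password is the same in both files and only the source file's mode is asserted here. Moving `Configure aliases` and `Update aliases` below the package install is consistent, as `newaliases` is only present once postfix is installed. The task list continues between the two hunks and after the second.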


@ -1,5 +1,5 @@
- name: Set MotD - name: Set MotD
copy: copy:
src: ./root/etc/motd src: ./filesystem/{{ hostname }}/etc/motd
dest: /etc/motd dest: /etc/motd
mode: 0644 mode: 0644
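Review bot: `src: ./filesystem/{{ hostname }}/etc/motd` makes the MotD task fail for any host that has no directory of its own under `filesystem/`, and it ties a control-side path to a variable loaded from the vault vars file. valkyrie gets a motd in this commit and yggdrasil's is presumably moved with the rest of `root/`, but a shared fallback keeps the play robust when a third host is added: `src: "{{ lookup('first_found', ['./filesystem/' ~ hostname ~ '/etc/motd', './filesystem/common/etc/motd']) }}"`.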


@ -5,6 +5,6 @@
- name: Disable su for non-wheel users - name: Disable su for non-wheel users
copy: copy:
src: ./root/etc/pam.d/su src: ./filesystem/common/etc/pam.d/su
dest: /etc/pam.d/su dest: /etc/pam.d/su
mode: 0644 mode: 0644


@ -4,7 +4,7 @@
- name: Smartd configuration - name: Smartd configuration
copy: copy:
src: ./root/etc/smartd.conf src: ./filesystem/yggdrasil/etc/smartd.conf
dest: /etc/smartd.conf dest: /etc/smartd.conf
mode: 0644 mode: 0644
register: smartd_conf register: smartd_conf


@ -3,8 +3,8 @@
- name: Configure sshd - name: Configure sshd
template: template:
src: ./root/etc/ssh/sshd_config.d/00-yggdrasil.conf.j2 src: ./filesystem/common/etc/ssh/sshd_config.d/00-local.conf.j2
dest: /etc/ssh/sshd_config.d/00-yggdrasil.conf dest: /etc/ssh/sshd_config.d/00-local.conf
mode: 0600 mode: 0600
register: sshd_conf register: sshd_conf
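Review bot: The drop-in moves from `/etc/ssh/sshd_config.d/00-yggdrasil.conf` to `00-local.conf`, but nothing in this hunk removes the old file on an already-provisioned yggdrasil, so sshd will keep reading both. sshd keeps the first value it sees for most keywords and `00-local.conf` sorts before `00-yggdrasil.conf`, so the new file wins today, yet a stale copy is exactly the drift that later makes a `PasswordAuthentication` or port change appear not to apply. Suggest a task alongside this one, `- name: Remove old sshd drop-in` / `file:` `path: /etc/ssh/sshd_config.d/00-yggdrasil.conf` `state: absent`, registered or notifying the same restart condition as `sshd_conf`. The task file continues before and after this hunk.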


@ -1,12 +1,12 @@
- name: SystemD mail script - name: SystemD mail script
template: template:
src: ./root/usr/local/sbin/systemd-mail-systemctl-status.j2 src: ./filesystem/yggdrasil/usr/local/sbin/systemd-mail-systemctl-status.j2
dest: /usr/local/sbin/systemd-mail-systemctl-status dest: /usr/local/sbin/systemd-mail-systemctl-status
mode: 0755 mode: 0755
- name: SystemD mail service - name: SystemD mail service
copy: copy:
src: ./root/etc/systemd/system/status-mail@.service src: ./filesystem/yggdrasil/etc/systemd/system/status-mail@.service
dest: /etc/systemd/system/status-mail@.service dest: /etc/systemd/system/status-mail@.service
mode: 0644 mode: 0644
register: systemd_status_mail_service_file register: systemd_status_mail_service_file


@ -4,12 +4,12 @@
- name: Configure unattended-upgrades - name: Configure unattended-upgrades
copy: copy:
src: ./root/etc/apt/apt.conf.d/50unattended-upgrades src: ./filesystem/common/etc/apt/apt.conf.d/50unattended-upgrades
dest: /etc/apt/apt.conf.d/50unattended-upgrades dest: /etc/apt/apt.conf.d/50unattended-upgrades
mode: 0644 mode: 0644
- name: Enable unattended-upgrades - name: Enable unattended-upgrades
copy: copy:
src: ./root/etc/apt/apt.conf.d/20auto-upgrades src: ./filesystem/common/etc/apt/apt.conf.d/20auto-upgrades
dest: /etc/apt/apt.conf.d/20auto-upgrades dest: /etc/apt/apt.conf.d/20auto-upgrades
mode: 0644 mode: 0644


@ -4,7 +4,7 @@
- name: Apcupsd configuration - name: Apcupsd configuration
copy: copy:
src: ./root/etc/apcupsd/apcupsd.conf src: ./filesystem/yggdrasil/etc/apcupsd/apcupsd.conf
dest: /etc/apcupsd/apcupsd.conf dest: /etc/apcupsd/apcupsd.conf
mode: 0644 mode: 0644
register: apcupsd_conf register: apcupsd_conf


@ -8,14 +8,14 @@
- name: Configure tmux - name: Configure tmux
become: no become: no
copy: copy:
src: ./root/home/user/tmux.conf src: ./filesystem/common/home/user/tmux.conf
dest: .tmux.conf dest: .tmux.conf
mode: 0644 mode: 0644
- name: Configure bashrc - name: Configure bashrc
become: no become: no
copy: copy:
src: ./root/home/user/bashrc src: ./filesystem/common/home/user/bashrc
dest: .bashrc dest: .bashrc
mode: 0644 mode: 0644


@ -4,4 +4,5 @@
- git - git
- htop - htop
- man - man
- perl
- tmux - tmux


@ -1,19 +1,19 @@
- name: Zpool status mail script - name: Zpool status mail script
template: template:
src: ./root/usr/local/sbin/systemd-mail-zpool-status.j2 src: ./filesystem/yggdrasil/usr/local/sbin/systemd-mail-zpool-status.j2
dest: /usr/local/sbin/systemd-mail-zpool-status dest: /usr/local/sbin/systemd-mail-zpool-status
mode: 0755 mode: 0755
- name: Zfs scrub service file - name: Zfs scrub service file
copy: copy:
src: ./root/etc/systemd/system/zfs-scrub@.service src: ./filesystem/yggdrasil/etc/systemd/system/zfs-scrub@.service
dest: /etc/systemd/system/zfs-scrub@.service dest: /etc/systemd/system/zfs-scrub@.service
mode: 0644 mode: 0644
register: systemd_zfs_scrub_service_file register: systemd_zfs_scrub_service_file
- name: Zfs scrub timer file - name: Zfs scrub timer file
copy: copy:
src: ./root/etc/systemd/system/zfs-scrub-monthly@.timer src: ./filesystem/yggdrasil/etc/systemd/system/zfs-scrub-monthly@.timer
dest: /etc/systemd/system/zfs-scrub-monthly@.timer dest: /etc/systemd/system/zfs-scrub-monthly@.timer
mode: 0644 mode: 0644
register: systemd_zfs_scrub_monthly_timer_file register: systemd_zfs_scrub_monthly_timer_file


@ -1,19 +1,13 @@
- name: Enable fstrim
systemd:
name: fstrim.timer
enabled: yes
state: started
- name: Zfs trim service file - name: Zfs trim service file
copy: copy:
src: ./root/etc/systemd/system/zfs-trim@.service src: ./filesystem/yggdrasil/etc/systemd/system/zfs-trim@.service
dest: /etc/systemd/system/zfs-trim@.service dest: /etc/systemd/system/zfs-trim@.service
mode: 0644 mode: 0644
register: systemd_zfs_trim_service_file register: systemd_zfs_trim_service_file
- name: Zfs trim timer file - name: Zfs trim timer file
copy: copy:
src: ./root/etc/systemd/system/zfs-trim-monthly@.timer src: ./filesystem/yggdrasil/etc/systemd/system/zfs-trim-monthly@.timer
dest: /etc/systemd/system/zfs-trim-monthly@.timer dest: /etc/systemd/system/zfs-trim-monthly@.timer
mode: 0644 mode: 0644
register: systemd_zfs_trim_monthly_timer_file register: systemd_zfs_trim_monthly_timer_file

valkyrie.yml Normal file

@ -0,0 +1,20 @@
---
- hosts: valkyrie
vars_files:
- secrets/common.yml
- secrets/valkyrie.yml
tasks:
- import_tasks: tasks/sshd.yml
- import_tasks: tasks/firewall.yml
- import_tasks: tasks/ntp.yml
- import_tasks: tasks/mail.yml
- import_tasks: tasks/unattended-upgrades.yml
- import_tasks: tasks/fail2ban.yml
- import_tasks: tasks/fstrim.yml
- import_tasks: tasks/logs.yml
- import_tasks: tasks/motd.yml
- import_tasks: tasks/utils.yml
- import_tasks: tasks/user.yml
- import_tasks: tasks/root-shell.yml
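Review bot: The play loads `secrets/common.yml` and `secrets/valkyrie.yml`, and the `.gitignore` hunk in this commit lists exactly those vault files by name rather than ignoring the directory. A future `secrets/<newhost>.yml` would therefore be untracked but not ignored, and one `git add .` away from history, which matters most in the window before `ansible-vault encrypt` has been run on it. Ignoring `secrets/*.yml` (or `secrets/`) closes that gap; the same applies to `yggdrasil.yml`, which now references the same layout. Whether the vault files are meant to be committed encrypted or kept out entirely is not visible here, so treat this as a question rather than a defect.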


@ -2,7 +2,8 @@
- hosts: yggdrasil - hosts: yggdrasil
vars_files: vars_files:
- secrets.yml - secrets/common.yml
- secrets/yggdrasil.yml
tasks: tasks:
- import_tasks: tasks/sshd.yml - import_tasks: tasks/sshd.yml
@ -13,7 +14,8 @@
- import_tasks: tasks/fail2ban.yml - import_tasks: tasks/fail2ban.yml
- import_tasks: tasks/systemd-mail.yml - import_tasks: tasks/systemd-mail.yml
- import_tasks: tasks/zfs-scrub.yml - import_tasks: tasks/zfs-scrub.yml
- import_tasks: tasks/trim.yml - import_tasks: tasks/zfs-trim.yml
- import_tasks: tasks/fstrim.yml
- import_tasks: tasks/zfsutils-cron.yml - import_tasks: tasks/zfsutils-cron.yml
- import_tasks: tasks/ups.yml - import_tasks: tasks/ups.yml
- import_tasks: tasks/smart.yml - import_tasks: tasks/smart.yml