Basic deployment on valkyrie
This commit is contained in:
parent
8e690941bf
commit
4c7c0e052b
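--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
-secrets.yml
+secrets/common.yml
+secrets/valkyrie.yml
+secrets/yggdrasil.yml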
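Review bot: The three ignore entries are per-host file names, so the next host's `secrets/<host>.yml` is not covered until someone remembers to add it, and the old `secrets.yml` is no longer ignored at all, so a lingering plaintext copy in the working tree now shows up as an untracked file one `git add` away from the repository. A directory pattern covers both cases: `secrets/` (or `secrets/*.yml`), and keep `secrets.yml` listed until the old file is confirmed gone from every checkout. A one-line comment such as `# vault files stay out of git; see README "Secrets vault"` would also tell the next reader why encrypted files are excluded rather than committed.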
@ -5,5 +5,6 @@ Ansible playbooks for provisioning Yggdrasil.
|
|||||||
## Secrets vault
|
## Secrets vault
|
||||||
|
|
||||||
- Encrypt with: ```ansible-vault encrypt secrets.yml```
|
- Encrypt with: ```ansible-vault encrypt secrets.yml```
|
||||||
|
- Decrypt with: ```ansible-vault decrypt secrets.yml```
|
||||||
- Print secrets to STDOUT: ```ansible-vault decrypt --output - secrets.yml```
|
- Print secrets to STDOUT: ```ansible-vault decrypt --output - secrets.yml```
|
||||||
- Run a playbook with ```ansible-playbook --vault-id @prompt playbook.yml```
|
- Run a playbook with ```ansible-playbook --vault-id @prompt playbook.yml```
|
||||||
|
@ -2,4 +2,4 @@
|
|||||||
inventory = ./hosts
|
inventory = ./hosts
|
||||||
|
|
||||||
[privilege_escalation]
|
[privilege_escalation]
|
||||||
become=True
|
become = True
|
||||||
|
@ -3,7 +3,7 @@
|
|||||||
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
|
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
|
||||||
# will not ban a host which matches an address in this list. Several addresses
|
# will not ban a host which matches an address in this list. Several addresses
|
||||||
# can be defined using space (and/or comma) separator.
|
# can be defined using space (and/or comma) separator.
|
||||||
ignoreip = 127.0.0.1/8 ::1 {{ subnet_address }}/{{ subnet_masklen }}
|
ignoreip = 127.0.0.1/8 ::1 {{ subnet }}
|
||||||
|
|
||||||
# "bantime" is the number of seconds that a host is banned.
|
# "bantime" is the number of seconds that a host is banned.
|
||||||
bantime = 1d
|
bantime = 1d
|
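Review bot: `ignoreip` now splices `{{ subnet }}` in unchecked, and every address on that line is exempt from banning, so the value's shape is the entire control: a CIDR wider than the LAN would silently turn the sshd jail off while the template task still reports success. The line deserves a comment stating that contract, `# {{ subnet }} comes from secrets/<host>.yml; anything listed here is never banned, so keep it to the local LAN CIDR`, and an `assert` on `subnet` in tasks/fail2ban.yml ahead of the template task would make it fail loudly instead. The old `subnet_address`/`subnet_masklen` pair is still declared in the vars skeleton in this commit (hunk `@ -10,6 +10,7 @@ hostname:`); if nothing else reads them, dropping them avoids two ways of expressing the same network.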
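--- a/filesystem/common/etc/mailname.j2
+++ b/filesystem/common/etc/mailname.j2
@@ -0,0 +1 @@
+{{ hostname }}.{{ domain }}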
@ -3,8 +3,8 @@
|
|||||||
flush ruleset
|
flush ruleset
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority 0;
|
type filter hook input priority 0;
|
||||||
|
|
||||||
# Accept any localhost traffic.
|
# Accept any localhost traffic.
|
||||||
iif lo accept;
|
iif lo accept;
|
||||||
@ -17,19 +17,19 @@ table inet filter {
|
|||||||
ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept;
|
ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept;
|
||||||
ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept;
|
ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept;
|
||||||
|
|
||||||
# Drop invalid connections.
|
# Drop invalid connections.
|
||||||
ct state invalid drop;
|
ct state invalid drop;
|
||||||
|
|
||||||
# Activate the following line to accept common local services.
|
# Activate the following line to accept common local services.
|
||||||
tcp dport { 80, 443, {{ ansible_port }} } ct state new accept;
|
tcp dport { 80, 443, {{ ansible_port }} } ct state new accept;
|
||||||
|
|
||||||
# Count and drop any other traffic.
|
# Count and drop any other traffic.
|
||||||
counter drop;
|
counter drop;
|
||||||
}
|
}
|
||||||
chain forward {
|
chain forward {
|
||||||
type filter hook forward priority 0;
|
type filter hook forward priority 0;
|
||||||
}
|
}
|
||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority 0;
|
type filter hook output priority 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
@ -15,3 +15,6 @@ PasswordAuthentication no
|
|||||||
|
|
||||||
# No X window forwarding.
|
# No X window forwarding.
|
||||||
X11Forwarding no
|
X11Forwarding no
|
||||||
|
|
||||||
|
# Check in with the client every now and then.
|
||||||
|
ClientAliveInterval 120
|
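Review bot: `ClientAliveInterval 120` is only half of the setting: what happens to a silent client depends on `ClientAliveCountMax`, which this drop-in leaves at the OpenSSH default of 3, so an unresponsive session is closed after roughly six minutes. The comment should say that rather than "every now and then", e.g. `# Probe the client every 120 s; with the default ClientAliveCountMax (3) an unresponsive session is closed after ~6 min.`, and if the timeout is meant as a session control, set `ClientAliveCountMax` explicitly next to it so the two values stay together. The rest of the drop-in is outside the hunk.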
9
filesystem/valkyrie/etc/motd
Normal file
9
filesystem/valkyrie/etc/motd
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
_ _ _
|
||||||
|
__ ____ _| | | ___ _ _ __(_) ___
|
||||||
|
\ \ / / _` | | |/ / | | | '__| |/ _ \
|
||||||
|
\ V / (_| | | <| |_| | | | | __/
|
||||||
|
\_/ \__,_|_|_|\_\\__, |_| |_|\___|
|
||||||
|
|___/
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
@ -1 +0,0 @@
|
|||||||
{{ domain }}
|
|
@ -10,6 +10,7 @@ hostname:
|
|||||||
domain:
|
domain:
|
||||||
subnet_address:
|
subnet_address:
|
||||||
subnet_masklen:
|
subnet_masklen:
|
||||||
|
subnet:
|
||||||
|
|
||||||
# Postfix variables
|
# Postfix variables
|
||||||
postfix_smtp_server:
|
postfix_smtp_server:
|
@ -4,14 +4,14 @@
|
|||||||
|
|
||||||
- name: Configure fail2ban
|
- name: Configure fail2ban
|
||||||
template:
|
template:
|
||||||
src: ./root/etc/fail2ban/jail.local.j2
|
src: ./filesystem/common/etc/fail2ban/jail.local.j2
|
||||||
dest: /etc/fail2ban/jail.local
|
dest: /etc/fail2ban/jail.local
|
||||||
mode: 0644
|
mode: 0644
|
||||||
register: fail2ban_conf
|
register: fail2ban_conf
|
||||||
|
|
||||||
- name: Configure fail2ban sshd jail
|
- name: Configure fail2ban sshd jail
|
||||||
template:
|
template:
|
||||||
src: ./root/etc/fail2ban/jail.d/sshd.local.j2
|
src: ./filesystem/common/etc/fail2ban/jail.d/sshd.local.j2
|
||||||
dest: /etc/fail2ban/jail.d/sshd.local
|
dest: /etc/fail2ban/jail.d/sshd.local
|
||||||
mode: 0644
|
mode: 0644
|
||||||
register: fail2ban_sshd_jail
|
register: fail2ban_sshd_jail
|
||||||
|
@ -4,7 +4,7 @@
|
|||||||
|
|
||||||
- name: Configure nftables
|
- name: Configure nftables
|
||||||
template:
|
template:
|
||||||
src: ./root/etc/nftables.conf.j2
|
src: ./filesystem/common/etc/nftables.conf.j2
|
||||||
dest: /etc/nftables.conf
|
dest: /etc/nftables.conf
|
||||||
mode: 0755
|
mode: 0755
|
||||||
register: nftables_conf
|
register: nftables_conf
|
||||||
|
5
tasks/fstrim.yml
Normal file
5
tasks/fstrim.yml
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
- name: Enable fstrim
|
||||||
|
systemd:
|
||||||
|
name: fstrim.timer
|
||||||
|
enabled: yes
|
||||||
|
state: started
|
@ -6,7 +6,7 @@
|
|||||||
|
|
||||||
- name: Configure logcheck
|
- name: Configure logcheck
|
||||||
template:
|
template:
|
||||||
src: ./root/etc/logcheck/ignore.d.server/yggdrasil.j2
|
src: ./filesystem/common/etc/logcheck/ignore.d.server/hostname.j2
|
||||||
dest: /etc/logcheck/ignore.d.server/yggdrasil
|
dest: /etc/logcheck/ignore.d.server/{{ hostname }}
|
||||||
group: logcheck
|
group: logcheck
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
@ -1,24 +1,13 @@
|
|||||||
- name: Configure mailname
|
- name: Configure mailname
|
||||||
template:
|
template:
|
||||||
src: ./root/etc/mailname.j2
|
src: ./filesystem/common/etc/mailname.j2
|
||||||
dest: /etc/mailname
|
dest: /etc/mailname
|
||||||
mode: 0644
|
mode: 0644
|
||||||
register: mail_mailname
|
register: mail_mailname
|
||||||
|
|
||||||
- name: Configure aliases
|
|
||||||
template:
|
|
||||||
src: ./root/etc/aliases.j2
|
|
||||||
dest: /etc/aliases
|
|
||||||
mode: 0644
|
|
||||||
register: mail_aliases
|
|
||||||
|
|
||||||
- name: Update aliases
|
|
||||||
command: newaliases
|
|
||||||
when: mail_aliases is changed
|
|
||||||
|
|
||||||
- name: Configure mailutils
|
- name: Configure mailutils
|
||||||
template:
|
template:
|
||||||
src: ./root/etc/mailutils.conf.j2
|
src: ./filesystem/common/etc/mailutils.conf.j2
|
||||||
dest: /etc/mailutils.conf
|
dest: /etc/mailutils.conf
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
@ -29,16 +18,27 @@
|
|||||||
- ca-certificates
|
- ca-certificates
|
||||||
- libsasl2-modules
|
- libsasl2-modules
|
||||||
|
|
||||||
|
- name: Configure aliases
|
||||||
|
template:
|
||||||
|
src: ./filesystem/common/etc/aliases.j2
|
||||||
|
dest: /etc/aliases
|
||||||
|
mode: 0644
|
||||||
|
register: mail_aliases
|
||||||
|
|
||||||
|
- name: Update aliases
|
||||||
|
command: newaliases
|
||||||
|
when: mail_aliases is changed
|
||||||
|
|
||||||
- name: Configure postfix
|
- name: Configure postfix
|
||||||
template:
|
template:
|
||||||
src: ./root/etc/postfix/main.cf.j2
|
src: ./filesystem/common/etc/postfix/main.cf.j2
|
||||||
dest: /etc/postfix/main.cf
|
dest: /etc/postfix/main.cf
|
||||||
mode: 0644
|
mode: 0644
|
||||||
register: mail_postfix_conf
|
register: mail_postfix_conf
|
||||||
|
|
||||||
- name: Configure credentials
|
- name: Configure credentials
|
||||||
template:
|
template:
|
||||||
src: ./root/etc/postfix/sasl_passwd.j2
|
src: ./filesystem/common/etc/postfix/sasl_passwd.j2
|
||||||
dest: /etc/postfix/sasl_passwd
|
dest: /etc/postfix/sasl_passwd
|
||||||
mode: 0600
|
mode: 0600
|
||||||
register: mail_postfix_credentials
|
register: mail_postfix_credentials
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
- name: Set MotD
|
- name: Set MotD
|
||||||
copy:
|
copy:
|
||||||
src: ./root/etc/motd
|
src: ./filesystem/{{ hostname }}/etc/motd
|
||||||
dest: /etc/motd
|
dest: /etc/motd
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
@ -5,6 +5,6 @@
|
|||||||
|
|
||||||
- name: Disable su for non-wheel users
|
- name: Disable su for non-wheel users
|
||||||
copy:
|
copy:
|
||||||
src: ./root/etc/pam.d/su
|
src: ./filesystem/common/etc/pam.d/su
|
||||||
dest: /etc/pam.d/su
|
dest: /etc/pam.d/su
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
@ -4,7 +4,7 @@
|
|||||||
|
|
||||||
- name: Smartd configuration
|
- name: Smartd configuration
|
||||||
copy:
|
copy:
|
||||||
src: ./root/etc/smartd.conf
|
src: ./filesystem/yggdrasil/etc/smartd.conf
|
||||||
dest: /etc/smartd.conf
|
dest: /etc/smartd.conf
|
||||||
mode: 0644
|
mode: 0644
|
||||||
register: smartd_conf
|
register: smartd_conf
|
||||||
|
@ -3,8 +3,8 @@
|
|||||||
|
|
||||||
- name: Configure sshd
|
- name: Configure sshd
|
||||||
template:
|
template:
|
||||||
src: ./root/etc/ssh/sshd_config.d/00-yggdrasil.conf.j2
|
src: ./filesystem/common/etc/ssh/sshd_config.d/00-local.conf.j2
|
||||||
dest: /etc/ssh/sshd_config.d/00-yggdrasil.conf
|
dest: /etc/ssh/sshd_config.d/00-local.conf
|
||||||
mode: 0600
|
mode: 0600
|
||||||
register: sshd_conf
|
register: sshd_conf
|
||||||
|
|
||||||
|
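Review bot: The drop-in is now written to `/etc/ssh/sshd_config.d/00-local.conf`, but nothing in the task removes the previous `/etc/ssh/sshd_config.d/00-yggdrasil.conf`, so on an already-provisioned yggdrasil both files stay in place and sshd keeps reading the stale one after the new one; any option later dropped from the new drop-in would silently keep its old value. Add a task right after this one, `- name: Remove superseded sshd drop-in` with `file: {path: /etc/ssh/sshd_config.d/00-yggdrasil.conf, state: absent}` and a `register:`, and feed it into whatever restart condition `sshd_conf` drives, which is presumably defined outside the hunk.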
@ -1,12 +1,12 @@
|
|||||||
- name: SystemD mail script
|
- name: SystemD mail script
|
||||||
template:
|
template:
|
||||||
src: ./root/usr/local/sbin/systemd-mail-systemctl-status.j2
|
src: ./filesystem/yggdrasil/usr/local/sbin/systemd-mail-systemctl-status.j2
|
||||||
dest: /usr/local/sbin/systemd-mail-systemctl-status
|
dest: /usr/local/sbin/systemd-mail-systemctl-status
|
||||||
mode: 0755
|
mode: 0755
|
||||||
|
|
||||||
- name: SystemD mail service
|
- name: SystemD mail service
|
||||||
copy:
|
copy:
|
||||||
src: ./root/etc/systemd/system/status-mail@.service
|
src: ./filesystem/yggdrasil/etc/systemd/system/status-mail@.service
|
||||||
dest: /etc/systemd/system/status-mail@.service
|
dest: /etc/systemd/system/status-mail@.service
|
||||||
mode: 0644
|
mode: 0644
|
||||||
register: systemd_status_mail_service_file
|
register: systemd_status_mail_service_file
|
||||||
|
@ -4,12 +4,12 @@
|
|||||||
|
|
||||||
- name: Configure unattended-upgrades
|
- name: Configure unattended-upgrades
|
||||||
copy:
|
copy:
|
||||||
src: ./root/etc/apt/apt.conf.d/50unattended-upgrades
|
src: ./filesystem/common/etc/apt/apt.conf.d/50unattended-upgrades
|
||||||
dest: /etc/apt/apt.conf.d/50unattended-upgrades
|
dest: /etc/apt/apt.conf.d/50unattended-upgrades
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
- name: Enable unattended-upgrades
|
- name: Enable unattended-upgrades
|
||||||
copy:
|
copy:
|
||||||
src: ./root/etc/apt/apt.conf.d/20auto-upgrades
|
src: ./filesystem/common/etc/apt/apt.conf.d/20auto-upgrades
|
||||||
dest: /etc/apt/apt.conf.d/20auto-upgrades
|
dest: /etc/apt/apt.conf.d/20auto-upgrades
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
@ -4,7 +4,7 @@
|
|||||||
|
|
||||||
- name: Apcupsd configuration
|
- name: Apcupsd configuration
|
||||||
copy:
|
copy:
|
||||||
src: ./root/etc/apcupsd/apcupsd.conf
|
src: ./filesystem/yggdrasil/etc/apcupsd/apcupsd.conf
|
||||||
dest: /etc/apcupsd/apcupsd.conf
|
dest: /etc/apcupsd/apcupsd.conf
|
||||||
mode: 0644
|
mode: 0644
|
||||||
register: apcupsd_conf
|
register: apcupsd_conf
|
||||||
|
@ -8,14 +8,14 @@
|
|||||||
- name: Configure tmux
|
- name: Configure tmux
|
||||||
become: no
|
become: no
|
||||||
copy:
|
copy:
|
||||||
src: ./root/home/user/tmux.conf
|
src: ./filesystem/common/home/user/tmux.conf
|
||||||
dest: .tmux.conf
|
dest: .tmux.conf
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
- name: Configure bashrc
|
- name: Configure bashrc
|
||||||
become: no
|
become: no
|
||||||
copy:
|
copy:
|
||||||
src: ./root/home/user/bashrc
|
src: ./filesystem/common/home/user/bashrc
|
||||||
dest: .bashrc
|
dest: .bashrc
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
|
@ -4,4 +4,5 @@
|
|||||||
- git
|
- git
|
||||||
- htop
|
- htop
|
||||||
- man
|
- man
|
||||||
|
- perl
|
||||||
- tmux
|
- tmux
|
||||||
|
@ -1,19 +1,19 @@
|
|||||||
- name: Zpool status mail script
|
- name: Zpool status mail script
|
||||||
template:
|
template:
|
||||||
src: ./root/usr/local/sbin/systemd-mail-zpool-status.j2
|
src: ./filesystem/yggdrasil/usr/local/sbin/systemd-mail-zpool-status.j2
|
||||||
dest: /usr/local/sbin/systemd-mail-zpool-status
|
dest: /usr/local/sbin/systemd-mail-zpool-status
|
||||||
mode: 0755
|
mode: 0755
|
||||||
|
|
||||||
- name: Zfs scrub service file
|
- name: Zfs scrub service file
|
||||||
copy:
|
copy:
|
||||||
src: ./root/etc/systemd/system/zfs-scrub@.service
|
src: ./filesystem/yggdrasil/etc/systemd/system/zfs-scrub@.service
|
||||||
dest: /etc/systemd/system/zfs-scrub@.service
|
dest: /etc/systemd/system/zfs-scrub@.service
|
||||||
mode: 0644
|
mode: 0644
|
||||||
register: systemd_zfs_scrub_service_file
|
register: systemd_zfs_scrub_service_file
|
||||||
|
|
||||||
- name: Zfs scrub timer file
|
- name: Zfs scrub timer file
|
||||||
copy:
|
copy:
|
||||||
src: ./root/etc/systemd/system/zfs-scrub-monthly@.timer
|
src: ./filesystem/yggdrasil/etc/systemd/system/zfs-scrub-monthly@.timer
|
||||||
dest: /etc/systemd/system/zfs-scrub-monthly@.timer
|
dest: /etc/systemd/system/zfs-scrub-monthly@.timer
|
||||||
mode: 0644
|
mode: 0644
|
||||||
register: systemd_zfs_scrub_monthly_timer_file
|
register: systemd_zfs_scrub_monthly_timer_file
|
||||||
|
@ -1,19 +1,13 @@
|
|||||||
- name: Enable fstrim
|
|
||||||
systemd:
|
|
||||||
name: fstrim.timer
|
|
||||||
enabled: yes
|
|
||||||
state: started
|
|
||||||
|
|
||||||
- name: Zfs trim service file
|
- name: Zfs trim service file
|
||||||
copy:
|
copy:
|
||||||
src: ./root/etc/systemd/system/zfs-trim@.service
|
src: ./filesystem/yggdrasil/etc/systemd/system/zfs-trim@.service
|
||||||
dest: /etc/systemd/system/zfs-trim@.service
|
dest: /etc/systemd/system/zfs-trim@.service
|
||||||
mode: 0644
|
mode: 0644
|
||||||
register: systemd_zfs_trim_service_file
|
register: systemd_zfs_trim_service_file
|
||||||
|
|
||||||
- name: Zfs trim timer file
|
- name: Zfs trim timer file
|
||||||
copy:
|
copy:
|
||||||
src: ./root/etc/systemd/system/zfs-trim-monthly@.timer
|
src: ./filesystem/yggdrasil/etc/systemd/system/zfs-trim-monthly@.timer
|
||||||
dest: /etc/systemd/system/zfs-trim-monthly@.timer
|
dest: /etc/systemd/system/zfs-trim-monthly@.timer
|
||||||
mode: 0644
|
mode: 0644
|
||||||
register: systemd_zfs_trim_monthly_timer_file
|
register: systemd_zfs_trim_monthly_timer_file
|
20
valkyrie.yml
Normal file
20
valkyrie.yml
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
---
|
||||||
|
- hosts: valkyrie
|
||||||
|
|
||||||
|
vars_files:
|
||||||
|
- secrets/common.yml
|
||||||
|
- secrets/valkyrie.yml
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
- import_tasks: tasks/sshd.yml
|
||||||
|
- import_tasks: tasks/firewall.yml
|
||||||
|
- import_tasks: tasks/ntp.yml
|
||||||
|
- import_tasks: tasks/mail.yml
|
||||||
|
- import_tasks: tasks/unattended-upgrades.yml
|
||||||
|
- import_tasks: tasks/fail2ban.yml
|
||||||
|
- import_tasks: tasks/fstrim.yml
|
||||||
|
- import_tasks: tasks/logs.yml
|
||||||
|
- import_tasks: tasks/motd.yml
|
||||||
|
- import_tasks: tasks/utils.yml
|
||||||
|
- import_tasks: tasks/user.yml
|
||||||
|
- import_tasks: tasks/root-shell.yml
|
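Review bot: The play has no `name:` and does not declare `become`, so it relies entirely on `become = True` in ansible.cfg; run with a different config the root-owned file tasks would execute as the login user and fail part-way through the host. Adding `- name: Provision valkyrie` and `become: true` under `hosts: valkyrie` makes the intent self-contained. Separately, tasks/motd.yml resolves its source as `filesystem/{{ hostname }}/etc/motd`, so whichever of the two vars files defines it must set `hostname: valkyrie` to match the directory added in this commit; a comment on the `vars_files` entry, `# must define hostname: valkyrie — tasks/motd.yml builds filesystem/{{ hostname }}/ from it`, records that coupling.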
@ -2,7 +2,8 @@
|
|||||||
- hosts: yggdrasil
|
- hosts: yggdrasil
|
||||||
|
|
||||||
vars_files:
|
vars_files:
|
||||||
- secrets.yml
|
- secrets/common.yml
|
||||||
|
- secrets/yggdrasil.yml
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- import_tasks: tasks/sshd.yml
|
- import_tasks: tasks/sshd.yml
|
||||||
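Review bot: `vars_files` now lists two files, and Ansible loads them in order with later files overriding earlier ones, so a key present in both `secrets/common.yml` and `secrets/yggdrasil.yml` takes the host-specific value; that is presumably intended but nothing says so. A comment on the list, `# later files win: host-specific keys override secrets/common.yml`, makes the precedence explicit, and the same applies to the new valkyrie.yml play (`@ -0,0 +1,20 @@`).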
@ -13,7 +14,8 @@
|
|||||||
- import_tasks: tasks/fail2ban.yml
|
- import_tasks: tasks/fail2ban.yml
|
||||||
- import_tasks: tasks/systemd-mail.yml
|
- import_tasks: tasks/systemd-mail.yml
|
||||||
- import_tasks: tasks/zfs-scrub.yml
|
- import_tasks: tasks/zfs-scrub.yml
|
||||||
- import_tasks: tasks/trim.yml
|
- import_tasks: tasks/zfs-trim.yml
|
||||||
|
- import_tasks: tasks/fstrim.yml
|
||||||
- import_tasks: tasks/zfsutils-cron.yml
|
- import_tasks: tasks/zfsutils-cron.yml
|
||||||
- import_tasks: tasks/ups.yml
|
- import_tasks: tasks/ups.yml
|
||||||
- import_tasks: tasks/smart.yml
|
- import_tasks: tasks/smart.yml
|