chris 2019-12-18 14:15:52 +01:00
commit ae6f140f0f
14 changed files with 166 additions and 0 deletions

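--- a/ansible.cfg
+++ b/ansible.cfg
@@ -0,0 +1,3 @@
+[defaults]
+inventory = ./inventory.yaml
+#ask_vault_pass = True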
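Review bot: `ask_vault_pass` is left commented out on the last line while the host_vars files added in this same commit carry WireGuard private keys in clear text, so nothing in the repository is vault-protected. Either enable it (`ask_vault_pass = True`) or point at a password file kept outside the repo (`vault_password_file = ~/.ansible/vault-pass`), and then store each `wg_private_key` as an `ansible-vault encrypt_string` value. Until the keys are actually encrypted this setting has nothing to protect, so the two changes belong together.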

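--- a/host_vars/node01.yaml
+++ b/host_vars/node01.yaml
@@ -0,0 +1,3 @@
+wg_ip: 10.23.23.11
+wg_private_key: "sBrZZx++c+DtIaJuLuRDB/bLkBY437b5J98/E/60yVk="
+wg_public_key: "RKebfofXjg07c3I2TFpKXtwxysEYCSfRjZqAMv7QiDg="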
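Review bot: `wg_private_key` on line 2 is a WireGuard private key committed in clear text; once it is in git history it has to be treated as compromised even if a later commit encrypts or deletes it. Generate a fresh pair on the host (`wg genkey | tee privatekey | wg pubkey > publickey`) and store the private half as an `ansible-vault encrypt_string` value, keeping only `wg_public_key` in plain text. The template only ever reads the other hosts' `wg_public_key`, so the private key never has to leave the node that owns it.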

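--- a/host_vars/node02.yaml
+++ b/host_vars/node02.yaml
@@ -0,0 +1,3 @@
+wg_ip: 10.23.23.12
+wg_private_key: "MFkdgRe8Vkonzs9snOOk8HWpA1EPpE/HKf3Z7TUJyUE="
+wg_public_key: "6XnA2lYli12XTEIJuN0jHZ65n51FGvbEkUJWEZiR0m0="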

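--- a/host_vars/node03.yaml
+++ b/host_vars/node03.yaml
@@ -0,0 +1,3 @@
+wg_ip: 10.23.23.13
+wg_private_key: "MFkdgRe8Vkonzs9snOOk8HWpA1EPpE/HKf3Z7TUJyUE="
+wg_public_key: "M2ohfUS2iHIoo0tXtqhQt8uJ/CdjVUZg9NiGx1SEfA0="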
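Review bot: `wg_private_key` on line 2 is byte-for-byte the same value as node02's `wg_private_key`, yet the two files advertise different `wg_public_key` values. A WireGuard private key derives exactly one public key, so at least one of node02/node03 publishes a public key that does not belong to its private key and the other peers will never complete a handshake with that node; and if both nodes really did share one key, two peers with the same public key cannot coexist in a peer table either. Regenerate node03's pair (`wg genkey | tee privatekey | wg pubkey > publickey`) and verify each file with `echo "$wg_private_key" | wg pubkey` before merging.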

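--- a/inventory.yaml
+++ b/inventory.yaml
@@ -0,0 +1,3 @@
+node01 ansible_ssh_user=root ansible_ssh_host=78.47.49.236
+node02 ansible_ssh_user=root ansible_ssh_host=78.46.186.206
+node03 ansible_ssh_user=root ansible_ssh_host=78.47.122.172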
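Review bot: The file is named `inventory.yaml` but all three lines are INI inventory syntax, so the `yaml` inventory plugin that Ansible selects by extension rejects it and, as far as I can tell, the hosts are only found because the fallback `ini` plugin is enabled by default; that is fragile and easy to break by tightening `enable_plugins`. Rename it to `inventory.ini` (and update `ansible.cfg`) or write it as a YAML inventory. While here, `ansible_ssh_user`/`ansible_ssh_host` are the pre-2.0 aliases; the current spelling is `node01 ansible_user=root ansible_host=78.47.49.236`.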


@ -0,0 +1,16 @@
# ~/.profile: executed by Bourne-compatible login shells.
if [ "$BASH" ]; then
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
fi
mesg n || true
sname="t-$(hostname)"
if [[ -z "$TMUX" ]] && [ "$SSH_CONNECTION" != "" ]; then
tmux attach-session -t $sname || tmux new-session -s $sname
exit
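Review bot: `[[ -z "$TMUX" ]]` on the tmux line is bash-only syntax in a file whose header says it is read by Bourne-compatible login shells; should root's login shell ever be `sh`/dash, the whole profile aborts with a syntax error before tmux is reached, and `$sname` is passed unquoted to both tmux calls. Use `[ -z "$TMUX" ]` and quote the name, or collapse the attach-or-create pair into `tmux new-session -A -s "$sname"`, which attaches when the session exists and creates it otherwise. The unconditional `exit` that follows also ends the login whenever tmux itself fails (no tty, stale socket), which is worth a second look for an account that is the only way onto these hosts.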
fi

Binary file not shown.


@ -0,0 +1,5 @@
---
- name: restart sshd
service:
name: sshd
state: restarted


@ -0,0 +1,77 @@
---
- name: set time zone
file:
src: /usr/share/zoneinfo/Etc/UTC
dest: /etc/localtime
state: link
- name: install packages
apt:
name:
- etckeeper
- logwatch
- unattended-upgrades
- needrestart
- htop
- unzip
- rkhunter
- iotop
- sudo
- tmux
- rsync
state: present
- name: configure ssh kex and ciphers
lineinfile:
dest: /etc/ssh/sshd_config
line: "{{item}}"
regexp: "{{item.split()[0]}}.*"
state: present
notify: restart sshd
loop:
- "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"
- "HostKeyAlgorithms ssh-ed25519,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com"
- "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr"
- "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com"
- name: disable ssh v1
lineinfile:
dest: /etc/ssh/sshd_config
line: "Protocol 2"
regexp: "^Protocol"
state: present
notify: restart sshd
- name: disable ssh root password login
lineinfile:
dest: /etc/ssh/sshd_config
line: "PermitRootLogin without-password"
regexp: "^PermitRootLogin"
state: present
notify: restart sshd
- name: disable ssh root check in rkhunter
lineinfile:
dest: /etc/rkhunter.conf
line: "{{item}}"
state: present
with_items:
- 'ALLOW_SSH_ROOT_USER=without-password'
- 'ALLOWHIDDENDIR=/etc/.git'
- 'ALLOWHIDDENFILE=/etc/.gitignore'
- 'ALLOWHIDDENFILE=/etc/.etckeeper'
- 'ALLOWDEVFILE=/dev/shm/rhm.*'
- name: copy roots dotprofile
copy:
src: root.profile
dest: /root/.profile
- name: create terminfo directory
file:
name: /etc/terminfo/x
state: directory
- name: copy termite terminfo
copy:
src: xterm-termite
dest: /etc/terminfo/x/xterm-termite
- name: enable services
systemd:
name: "{{item}}"
enabled: yes
state: started
with_items:
- unattended-upgrades
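Review bot: The three `lineinfile` edits of `/etc/ssh/sshd_config` (the kex/ciphers loop, `Protocol`, `PermitRootLogin`) run without a `validate:` step and then notify a full sshd restart; with root key-only and no other account provisioned, one mistyped algorithm name leaves the host unreachable. Add `validate: "/usr/sbin/sshd -t -f %s"` to each of those tasks so a bad line is rejected before it is written. The loop's `regexp: "{{item.split()[0]}}.*"` is also unanchored, so it can match a commented `#Ciphers` line or a keyword inside a `Match` block; `regexp: "^{{ item.split()[0] }}\\s"` is safer. Separately, `HostKeyAlgorithms` still lists `ssh-rsa` (SHA-1 signatures) — prefer `rsa-sha2-512,rsa-sha2-256` if RSA host keys must stay — and `PermitRootLogin without-password` is the deprecated spelling of `prohibit-password` (keep the rkhunter `ALLOW_SSH_ROOT_USER` value in step with whichever you choose).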


@ -0,0 +1,3 @@
---
- name: ifup nodevpn
command: ifup nodevpn
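Review bot: `ifup nodevpn` is the handler both wireguard templates notify, but ifupdown treats an interface that is already configured as done (`ifup: interface nodevpn already configured`) and does not re-run the `pre-up` hooks, so after the first successful run a changed key or peer list in `nodevpn.conf` is not applied until the next reboot. Either bounce the interface with `shell: ifdown nodevpn; ifup nodevpn`, or push the new file into the live interface with `command: wg syncconf nodevpn /etc/wireguard/nodevpn.conf`, which keeps existing sessions up.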


@ -0,0 +1,27 @@
---
- name: add unstable repo for wireguard
apt_repository:
repo: "deb http://deb.debian.org/debian/ unstable main"
update_cache: no
- name: pin unstable as unwanted
blockinfile:
create: yes
path: /etc/apt/preferences.d/limit-unstable
block: |
Package: *
Pin: release a=unstable
Pin-Priority: 90
- name: install wireguard
apt:
name: wireguard
update_cache: yes
- name: configure wireguard
template:
dest: /etc/wireguard/nodevpn.conf
src: wireguard-nodevpn.conf.j2
notify: ifup nodevpn
- name: configure wireguard interface
template:
dest: /etc/network/interfaces.d/nodevpn.cfg
src: interfaces-nodevpn.cfg.j2
notify: ifup nodevpn
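Review bot: The `template` task that writes `/etc/wireguard/nodevpn.conf` sets no `owner`/`mode`, and the rendered file contains the node's `PrivateKey`; Ansible falls back to the remote umask for a new file, which typically yields a world-readable 0644. Add `owner: root`, `group: root`, `mode: "0600"` to that task rather than relying on the package-created `/etc/wireguard` directory permissions to protect the key. Pulling `wireguard` from unstable with pin 90 does work, but on a stock buster kernel the package resolves to `wireguard-dkms`, which has to build against the running kernel, and neither role installs a `linux-headers-*` package, so the module build may fail on a fresh image — worth confirming on a clean node. The `install wireguard` task also omits `state: present`, which the rest of the play spells out.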


@ -0,0 +1,7 @@
auto nodevpn
iface nodevpn inet static
address {{wg_ip}}
netmask 255.255.255.0
pre-up ip link add $IFACE type wireguard
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
post-down ip link del $IFACE
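Review bot: `pre-up ip link add $IFACE type wireguard` fails with `RTNETLINK answers: File exists` when the link survived an earlier aborted `ifup` (for example a failing `wg setconf` on the next line), and a failing pre-up makes ifupdown give up on the interface, so the only way back is a manual `ip link del`. Guard it: `pre-up ip link show $IFACE >/dev/null 2>&1 || ip link add $IFACE type wireguard`. The `post-down` cleanup is fine as is.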


@ -0,0 +1,10 @@
[Interface]
PrivateKey = {{wg_private_key}}
ListenPort = 51820
{% for vars in hostvars.values() %}
[Peer]
Endpoint = {{vars.ansible_ssh_host}}:51820
PublicKey = {{vars.wg_public_key}}
AllowedIPs = {{vars.wg_ip}}
{% endfor %}
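Review bot: The `{% for vars in hostvars.values() %}` loop does not skip the host being rendered, so every node's config contains a `[Peer]` stanza carrying its own public key and endpoint; as far as I know WireGuard silently discards a peer whose key equals its own, but that is not behaviour to lean on, and the loop variable `vars` shadows Ansible's `vars` magic variable inside the template. Iterate with `{% for name, host in hostvars.items() if name != inventory_hostname %}` and rename the three `vars.` references to `host.`. `AllowedIPs = {{vars.wg_ip}}` relies on wg defaulting a bare address to `/32`; writing the prefix explicitly makes the intent visible.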

site.yml Normal file

@ -0,0 +1,6 @@
---
- name: deploy base setup
hosts: all
roles:
- base
- wireguard