init
ae6f140f0f
14 changed files with 166 additions and 0 deletions
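--- a/ansible.cfg
+++ b/ansible.cfg
@@ -0,0 +1,3 @@
+[defaults]
+inventory = ./inventory.yaml
+#ask_vault_pass = True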
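Review bot: `#ask_vault_pass = True` is left commented out while the host_vars files in the same commit carry `wg_private_key` values in clear text, so nothing here enables Ansible Vault for those secrets. Encrypt the key values with `ansible-vault encrypt_string` and uncomment the line as `ask_vault_pass = True`, or set `vault_password_file` to a path outside the repository, so the plaintext keys never need to be committed again. A one-line comment above the setting, such as `; host_vars secrets must be vault-encrypted; vault password is required`, would keep the next editor from dropping it.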
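--- a/host_vars/node01.yaml
+++ b/host_vars/node01.yaml
@@ -0,0 +1,3 @@
+wg_ip: 10.23.23.11
+wg_private_key: "sBrZZx++c+DtIaJuLuRDB/bLkBY437b5J98/E/60yVk="
+wg_public_key: "RKebfofXjg07c3I2TFpKXtwxysEYCSfRjZqAMv7QiDg="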
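Review bot: `wg_private_key` is committed in clear text, and git history keeps it even after a later removal, so this key should be treated as disclosed and replaced. Generate a fresh pair on the node with `wg genkey | tee privatekey | wg pubkey`, keep only the public key in this file and store the private half as a vault-encrypted `!vault` value (or leave it on the host and read it with a lookup) rather than as a plain string. A comment above the key, `# wg_private_key must be vault-encrypted, never committed in plaintext`, would document the rule for the other host files.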
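--- a/host_vars/node02.yaml
+++ b/host_vars/node02.yaml
@@ -0,0 +1,3 @@
+wg_ip: 10.23.23.12
+wg_private_key: "MFkdgRe8Vkonzs9snOOk8HWpA1EPpE/HKf3Z7TUJyUE="
+wg_public_key: "6XnA2lYli12XTEIJuN0jHZ65n51FGvbEkUJWEZiR0m0="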
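--- a/host_vars/node03.yaml
+++ b/host_vars/node03.yaml
@@ -0,0 +1,3 @@
+wg_ip: 10.23.23.13
+wg_private_key: "MFkdgRe8Vkonzs9snOOk8HWpA1EPpE/HKf3Z7TUJyUE="
+wg_public_key: "M2ohfUS2iHIoo0tXtqhQt8uJ/CdjVUZg9NiGx1SEfA0="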
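Review bot: `wg_private_key` here is byte-for-byte the same value as in `host_vars/node02.yaml`, yet the two `wg_public_key` values differ; a WireGuard public key is derived from its private key, so at most one of the two files holds a matching pair and the peers of the other node will never complete a handshake. This looks like a copy-paste slip rather than intent. Generate a separate key for node03 and derive its public key from it with `wg pubkey` so the pair in this file is consistent, and, as for the other hosts, keep the private half out of plaintext host_vars.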
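--- a/inventory.yaml
+++ b/inventory.yaml
@@ -0,0 +1,3 @@
+node01 ansible_ssh_user=root ansible_ssh_host=78.47.49.236
+node02 ansible_ssh_user=root ansible_ssh_host=78.46.186.206
+node03 ansible_ssh_user=root ansible_ssh_host=78.47.122.172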
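Review bot: The file is named `inventory.yaml` but its body is INI-style host lines, so the YAML inventory plugin cannot parse it and Ansible presumably falls through to the ini plugin with a parse warning; either rename it to `inventory.ini` (and update `inventory = ./inventory.yaml` in ansible.cfg) or rewrite it as YAML. The host variables also use the pre-2.0 aliases `ansible_ssh_user`/`ansible_ssh_host`; the current names are `ansible_user`/`ansible_host`, but `wireguard-nodevpn.conf.j2` reads `ansible_ssh_host`, so both must change together. Managing the nodes as `root` over SSH is a choice the base role makes deliberately by keeping PermitRootLogin, so I only note that a dedicated sudo user would shrink the blast radius of a leaked key.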
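--- a/roles/base/files/root.profile
+++ b/roles/base/files/root.profile
@@ -0,0 +1,16 @@
+# ~/.profile: executed by Bourne-compatible login shells.
+
+if [ "$BASH" ]; then
+  if [ -f ~/.bashrc ]; then
+    . ~/.bashrc
+  fi
+fi
+
+mesg n || true
+
+sname="t-$(hostname)"
+
+if [[ -z "$TMUX" ]] && [ "$SSH_CONNECTION" != "" ]; then
+  tmux attach-session -t $sname || tmux new-session -s $sname
+  exit
+fi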
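Review bot: The `exit` after the tmux line ends the login shell whenever neither `tmux attach-session` nor `tmux new-session` succeeds, and because this file is installed as `/root/.profile` and only triggers on SSH logins, a broken or missing tmux would lock root out of every interactive SSH session. Guard the block on tmux being available and quote the session name, which embeds the hostname: `if [ -z "$TMUX" ] && [ -n "$SSH_CONNECTION" ] && command -v tmux >/dev/null 2>&1; then` and `tmux attach-session -t "$sname" || tmux new-session -s "$sname"`. The `[[` test is also a bashism sitting outside the `if [ "$BASH" ]` guard, so the `[ ]` form above keeps the file valid for the Bourne-compatible shells the header comment promises.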
BIN
roles/base/files/xterm-termite
Normal file
BIN
roles/base/files/xterm-termite
Normal file
Binary file not shown.
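--- a/roles/base/handlers/main.yaml
+++ b/roles/base/handlers/main.yaml
@@ -0,0 +1,5 @@
+---
+- name: restart sshd
+  service:
+    name: sshd
+    state: restarted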
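--- a/roles/base/tasks/main.yaml
+++ b/roles/base/tasks/main.yaml
@@ -0,0 +1,77 @@
+---
+- name: set time zone
+  file:
+    src: /usr/share/zoneinfo/Etc/UTC
+    dest: /etc/localtime
+    state: link
+- name: install packages
+  apt:
+    name:
+      - etckeeper
+      - logwatch
+      - unattended-upgrades
+      - needrestart
+      - htop
+      - unzip
+      - rkhunter
+      - iotop
+      - sudo
+      - tmux
+      - rsync
+    state: present
+- name: configure ssh kex and ciphers
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "{{item}}"
+    regexp: "{{item.split()[0]}}.*"
+    state: present
+  notify: restart sshd
+  loop:
+    - "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"
+    - "HostKeyAlgorithms ssh-ed25519,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com"
+    - "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr"
+    - "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com"
+- name: disable ssh v1
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "Protocol 2"
+    regexp: "^Protocol"
+    state: present
+  notify: restart sshd
+- name: disable ssh root password login
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "PermitRootLogin without-password"
+    regexp: "^PermitRootLogin"
+    state: present
+  notify: restart sshd
+- name: disable ssh root check in rkhunter
+  lineinfile:
+    dest: /etc/rkhunter.conf
+    line: "{{item}}"
+    state: present
+  with_items:
+    - 'ALLOW_SSH_ROOT_USER=without-password'
+    - 'ALLOWHIDDENDIR=/etc/.git'
+    - 'ALLOWHIDDENFILE=/etc/.gitignore'
+    - 'ALLOWHIDDENFILE=/etc/.etckeeper'
+    - 'ALLOWDEVFILE=/dev/shm/rhm.*'
+- name: copy roots dotprofile
+  copy:
+    src: root.profile
+    dest: /root/.profile
+- name: create terminfo directory
+  file:
+    name: /etc/terminfo/x
+    state: directory
+- name: copy termite terminfo
+  copy:
+    src: xterm-termite
+    dest: /etc/terminfo/x/xterm-termite
+- name: enable services
+  systemd:
+    name: "{{item}}"
+    enabled: yes
+    state: started
+  with_items:
+    - unattended-upgrades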
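Review bot: `HostKeyAlgorithms` in the `configure ssh kex and ciphers` loop keeps `ssh-rsa`, the SHA-1 signature scheme that OpenSSH clients from 8.8 on refuse by default; replace it with the SHA-2 forms, `HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com`. The accompanying `regexp: "{{item.split()[0]}}.*"` is unanchored, so it also matches comment lines that merely mention the keyword (Debian's stock sshd_config carries a `# Ciphers and keying` comment), and lineinfile will then rewrite the last such match instead of the real directive; anchoring it as `regexp: "^{{ item.split()[0] }}\\s"` avoids that. `PermitRootLogin without-password` turns off password login for root only, so a sibling task in the shape of the `disable ssh v1` task that sets `PasswordAuthentication no` would close it for every account. `Protocol 2` is accepted by current OpenSSH but, as far as I can tell, ignored, so that task is harmless yet misleading as a hardening step and deserves a comment saying so.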
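--- a/roles/wireguard/handlers/main.yaml
+++ b/roles/wireguard/handlers/main.yaml
@@ -0,0 +1,3 @@
+---
+- name: ifup nodevpn
+  command: ifup nodevpn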
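Review bot: `command: ifup nodevpn` does nothing useful once the interface is already configured; ifupdown reports it as already configured and, as far as I can tell, skips the `pre-up` hooks, so the `wg setconf` that loads `/etc/wireguard/nodevpn.conf` runs only on the first bring-up and a later peer or key change notified by the template task is never applied. Reload the configuration explicitly, e.g. `shell: ifup nodevpn; wg syncconf nodevpn /etc/wireguard/nodevpn.conf`, which creates the interface when it is missing and otherwise applies the changed peer list in place. A comment above the handler, `# ifup alone does not re-read the conf once the link exists`, would explain the two-step form.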
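--- a/roles/wireguard/tasks/main.yaml
+++ b/roles/wireguard/tasks/main.yaml
@@ -0,0 +1,27 @@
+---
+- name: add unstable repo for wireguard
+  apt_repository:
+    repo: "deb http://deb.debian.org/debian/ unstable main"
+    update_cache: no
+- name: pin unstable as unwanted
+  blockinfile:
+    create: yes
+    path: /etc/apt/preferences.d/limit-unstable
+    block: |
+      Package: *
+      Pin: release a=unstable
+      Pin-Priority: 90
+- name: install wireguard
+  apt:
+    name: wireguard
+    update_cache: yes
+- name: configure wireguard
+  template:
+    dest: /etc/wireguard/nodevpn.conf
+    src: wireguard-nodevpn.conf.j2
+  notify: ifup nodevpn
+- name: configure wireguard interface
+  template:
+    dest: /etc/network/interfaces.d/nodevpn.cfg
+    src: interfaces-nodevpn.cfg.j2
+  notify: ifup nodevpn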
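Review bot: The `configure wireguard` template writes `/etc/wireguard/nodevpn.conf`, which holds `PrivateKey`, without a `mode`, so the file gets the umask-derived default (normally 0644) and the tunnel key is readable by every local user; add `mode: "0600"`, `owner: root` and `group: root` to that task. Separately, `add unstable repo for wireguard` leaves the unstable source permanently enabled; the priority-90 pin keeps packages that stable also ships on stable, but `install wireguard` still takes wireguard and any dependency absent from stable out of unstable, which presumably was the intent at the time but makes these hosts track a moving suite. If the target release (or its backports) ships wireguard, the repo and pin tasks can be dropped; otherwise a comment naming the release this was written for would help the next reader judge that.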
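--- a/roles/wireguard/templates/interfaces-nodevpn.cfg.j2
+++ b/roles/wireguard/templates/interfaces-nodevpn.cfg.j2
@@ -0,0 +1,7 @@
+auto nodevpn
+iface nodevpn inet static
+  address {{wg_ip}}
+  netmask 255.255.255.0
+  pre-up ip link add $IFACE type wireguard
+  pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
+  post-down ip link del $IFACE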
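Review bot: `pre-up ip link add $IFACE type wireguard` fails with "File exists" if the device survives a previous, partly failed bring-up, and ifupdown then aborts the whole `ifup`, so the interface can get stuck until someone runs `ip link del` by hand. Making the add idempotent, `pre-up ip link show $IFACE >/dev/null 2>&1 || ip link add $IFACE type wireguard`, lets a repeated ifup recover on its own. The `wg setconf` line reads `/etc/wireguard/$IFACE.conf`, the file carrying the private key; nothing in this stanza controls that file's permissions, so they have to be enforced where the file is written.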
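--- a/roles/wireguard/templates/wireguard-nodevpn.conf.j2
+++ b/roles/wireguard/templates/wireguard-nodevpn.conf.j2
@@ -0,0 +1,10 @@
+[Interface]
+PrivateKey = {{wg_private_key}}
+ListenPort = 51820
+
+{% for vars in hostvars.values() %}
+[Peer]
+Endpoint = {{vars.ansible_ssh_host}}:51820
+PublicKey = {{vars.wg_public_key}}
+AllowedIPs = {{vars.wg_ip}}
+{% endfor %}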
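Review bot: The `{% for vars in hostvars.values() %}` loop runs over every inventory host including the one being rendered, so each node lists itself as a `[Peer]` with its own public key; the kernel presumably discards such a self-peer, but it is confusing in `wg show` and easy to exclude with `{% for name, vars in hostvars.items() if name != inventory_hostname %}`. The loop also fails at render time for any inventory host that lacks `wg_ip` or `wg_public_key`, which is fine while every host is a node but worth a comment at the top of the template. Writing `AllowedIPs = {{vars.wg_ip}}/32` makes the implied host route explicit rather than relying on the bare-address default.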
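--- a/site.yml
+++ b/site.yml
@@ -0,0 +1,6 @@
+---
+- name: deploy base setup
+  hosts: all
+  roles:
+    - base
+    - wireguard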