diff --git a/.gitignore b/.gitignore
index 1dee64d..723ef36 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1 @@
-.idea
-infra/terraform/.terraform
-infra/terraform/.terraform.lock.hcl
+.idea
\ No newline at end of file
diff --git a/.gitlab/.gitlab-ci.yml b/.gitlab/.gitlab-ci.yml
deleted file mode 100644
index b21e1bf..0000000
--- a/.gitlab/.gitlab-ci.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-stages:
- - triggers
-build_dmz:
- stage: triggers
- trigger:
- include: dmz/.gitlab/.gitlab-ci.yml
- rules:
- - changes:
- - "dmz/terraform/*.tf"
-build_infra:
- stage: triggers
- trigger:
- include: infra/.gitlab/.gitlab-ci.yml
- rules:
- - changes:
- - "infra/terraform/*.tf"
-build_dev:
- stage: triggers
- trigger:
- include: dev/.gitlab/.gitlab-ci.yml
- rules:
- - changes:
- - "dev/terraform/*.tf"
-build_prd:
- stage: triggers
- trigger:
- include: prd/.gitlab/.gitlab-ci.yml
- rules:
- - changes:
- - "prd/terraform/*.tf"
diff --git a/ansible/base.yaml b/ansible/base.yaml
deleted file mode 100644
index 9093cdb..0000000
--- a/ansible/base.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-- hosts: all
- gather_facts: yes
- become: yes
- roles:
- - base
diff --git a/ansible/newcluster.yaml b/ansible/newcluster.yaml
deleted file mode 100644
index 4fb3572..0000000
--- a/ansible/newcluster.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-argocd login --insecure
-argocd cluster add default --name prd --yes --kubeconfig ~/Documents/config-prd
diff --git a/ansible/roles/base/files/01proxy b/ansible/roles/base/files/01proxy
deleted file mode 100644
index 947368d..0000000
--- a/ansible/roles/base/files/01proxy
+++ /dev/null
@@ -1 +0,0 @@
-Acquire::http::Proxy "http://192.168.21.200:3142";
diff --git a/ansible/roles/base/files/10periodic b/ansible/roles/base/files/10periodic
deleted file mode 100644
index 5d37e9f..0000000
--- a/ansible/roles/base/files/10periodic
+++ /dev/null
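Review bot: Removing `infra/terraform/.terraform` from .gitignore puts the `.terraform/` working directory back in scope for `git add`; that directory holds downloaded provider binaries and a local `terraform.tfstate` copy of the backend configuration, which for some backends carries access credentials, so it should stay ignored unless the infra/terraform tree itself is being removed in a part of this commit not shown here. I would keep the directory entry as `infra/terraform/.terraform/` and drop only the lock-file entry, since committing `.terraform.lock.hcl` is the recommended practice because it pins provider versions and hashes. If the intent is that the whole infra directory is gone, a sentence in the commit message saying so would let the next reader stop worrying about this hunk.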
@@ -1,4 +0,0 @@
-APT::Periodic::Update-Package-Lists "1";
-APT::Periodic::Download-Upgradeable-Packages "1";
-APT::Periodic::AutocleanInterval "7";
-APT::Periodic::Unattended-Upgrade "1";
diff --git a/ansible/roles/base/files/authorized_keys_user b/ansible/roles/base/files/authorized_keys_user
deleted file mode 100644
index 49d58bb..0000000
--- a/ansible/roles/base/files/authorized_keys_user
+++ /dev/null
@@ -1,2 +0,0 @@
-sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGilcndatMrXg06VxtNKuIo3scoyyXbYX8Z7cOjeA102AAAABHNzaDo= desktop-arch-09-08-2025-yubikey
-sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINsbNSZ5Wr+50Ahz+IeZxt6F7gZ6wm1J8uKXQLbdbKFaAAAABHNzaDo= desktop-arch-09-08-2025-yubikeyNano
\ No newline at end of file
diff --git a/ansible/roles/base/files/issue b/ansible/roles/base/files/issue
deleted file mode 100644
index 5acb66f..0000000
--- a/ansible/roles/base/files/issue
+++ /dev/null
@@ -1,4 +0,0 @@
-Use of this system is restricted to authorized users only, and all use is subjected to an acceptable use policy.
-
-IF YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM, DISCONNECT NOW.
-
diff --git a/ansible/roles/base/files/motd b/ansible/roles/base/files/motd
deleted file mode 100644
index fa6c8db..0000000
--- a/ansible/roles/base/files/motd
+++ /dev/null
@@ -1,4 +0,0 @@
-THIS SYSTEM IS FOR AUTHORIZED USE ONLY
-
-All activities are logged and monitored.
-
diff --git a/ansible/roles/base/files/sshd_config_secured b/ansible/roles/base/files/sshd_config_secured
deleted file mode 100644
index 88bfedb..0000000
--- a/ansible/roles/base/files/sshd_config_secured
+++ /dev/null
@@ -1,95 +0,0 @@
-# Package generated configuration file
-# See the sshd_config(5) manpage for details
-
-# What ports, IPs and protocols we listen for
-Port 22
-# Use these options to restrict which interfaces/protocols sshd will bind to
-#ListenAddress ::
-#ListenAddress 0.0.0.0
-Protocol 2
-# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
-#Privilege Separation is turned on for security
-UsePrivilegeSeparation yes
-
-# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 1024
-
-# Logging
-SyslogFacility AUTH
-LogLevel INFO
-
-# Authentication:
-LoginGraceTime 120
-PermitRootLogin no
-StrictModes yes
-
-RSAAuthentication yes
-PubkeyAuthentication yes
-#AuthorizedKeysFile %h/.ssh/authorized_keys
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
-# similar for protocol version 2
-HostbasedAuthentication no
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Change to no to disable tunnelled clear text passwords
-PasswordAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-X11Forwarding no
-X11DisplayOffset 10
-PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-#UseLogin no
-
-#MaxStartups 10:30:60
-#Banner /etc/issue.net
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-Subsystem sftp /usr/lib/openssh/sftp-server
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-ClientAliveInterval 300
-
-#enable remote powershell
-#Subsystem powershell /usr/bin/pwsh -sshs -NoLogo
-
-
diff --git a/ansible/roles/base/tasks/main.yaml b/ansible/roles/base/tasks/main.yaml
deleted file mode 100644
index 8cb1553..0000000
--- a/ansible/roles/base/tasks/main.yaml
+++ /dev/null
@@ -1,155 +0,0 @@
-- name: Copy apt proxy
- copy:
- src: files/01proxy
- dest: /etc/apt/apt.conf.d/01proxy
- owner: root
- group: root
- mode: "0644"
- force: yes
- when:
- - ansible_os_family == "Debian"
- - inventory_hostname not in hosts_deny
-
-- name: Update packages
- apt:
- name: '*'
- state: latest
- update_cache: yes
- only_upgrade: yes
- retries: 300
- delay: 10
-
-- name: Remove packages not needed anymore
- apt:
- autoremove: yes
- retries: 300
- delay: 10
-
-- name: Install required packages Debian
- apt:
- state: latest
- pkg: "{{ item }}"
- with_items: "{{ required_packages }}"
- retries: 300
- delay: 10
-
-- name: Create user account
- user:
- name: "user"
- shell: /bin/bash
- state: present
- createhome: yes
-
-- name: ensure ssh folder exists for user
- file:
- path: /home/user/.ssh
- owner: user
- group: user
- mode: "0700"
- state: directory
-
-- name: Deploy SSH Key (user)
- copy:
- dest: /home/user/.ssh/authorized_keys
- src: files/authorized_keys_user
- owner: user
- group: user
- force: true
-
-- name: Remove Root SSH Configuration
- file:
- path: /root/.ssh
- state: absent
-
-- name: Copy Secured SSHD Configuration
- copy:
- src: files/sshd_config_secured
- dest: /etc/ssh/sshd_config
- owner: root
- group: root
- mode: "0644"
- when: ansible_os_family == "Debian"
-
-- name: Copy Secured SSHD Configuration
- copy:
- src: files/sshd_config_secured_redhat
- dest: /etc/ssh/sshd_config
- owner: root
- group: root
- mode: "0644"
- when: ansible_os_family == "RedHat"
-
-- name: Restart SSHD
- systemd:
- name: sshd
- daemon_reload: yes
- state: restarted
- enabled: yes
- ignore_errors: yes
-
-
-- name: Copy unattended-upgrades file
- copy:
- src: files/10periodic
- dest: /etc/apt/apt.conf.d/10periodic
- owner: root
- group: root
- mode: "0644"
- force: yes
- when: ansible_os_family == "Debian"
-
-- name: Remove undesirable packages
- package:
- name: "{{ unnecessary_software }}"
- state: absent
- when: ansible_os_family == "Debian"
-
-- name: Stop and disable unnecessary services
- service:
- name: "{{ item }}"
- state: stopped
- enabled: no
- with_items: "{{ unnecessary_services }}"
- ignore_errors: yes
-
-- name: Set a message of the day
- copy:
- dest: /etc/motd
- src: files/motd
- owner: root
- group: root
- mode: 0644
-
-- name: Set a login banner
- copy:
- dest: "{{ item }}"
- src: files/issue
- owner: root
- group: root
- mode: 0644
- with_items:
- - /etc/issue
- - /etc/issue.net
-
-- name: set timezone
- shell: timedatectl set-timezone America/Chicago
-
-- name: Enable cockpit
- systemd:
- name: cockpit
- daemon_reload: yes
- state: restarted
- enabled: yes
-
-- name: change password
- ansible.builtin.user:
- name: "user"
- state: present
- password: "{{ lookup('ansible.builtin.env', 'USER_PASSWORD') | password_hash('sha512') }}"
-
-- name: add user to sudoers
- community.general.sudoers:
- name: user
- state: present
- user: user
- commands: ALL
diff --git a/ansible/roles/base/vars/main.yaml b/ansible/roles/base/vars/main.yaml
deleted file mode 100644
index 2670ac2..0000000
--- a/ansible/roles/base/vars/main.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-required_packages:
- - ufw
- - qemu-guest-agent
- - fail2ban
- - unattended-upgrades
- - cockpit
- - nfs-common
- - open-iscsi
-
-unnecessary_services:
- - postfix
- - telnet
-
-unnecessary_software:
- - tcpdump
- - nmap-ncat
- - wpa_supplicant