durfy/homelab-gitops
1
0
Fork 0
mirror of https://gitlab.durp.info/durfy/homelab/gitops.git synced 2026-05-07 07:50:29 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

remove ansible

Browse source
This commit is contained in:
DeveloperDurp 2026-02-02 05:24:41 -06:00
parent 6912ca701a
commit 30b6c8ebc8
12 changed files with 1 additions and 326 deletions
Download patch file Download diff file Expand all files Collapse all files

4
.gitignore vendored
View file

@ -1,3 +1 @@
.idea .idea
infra/terraform/.terraform
infra/terraform/.terraform.lock.hcl

34
.gitlab/.gitlab-ci.yml
View file

@ -1,34 +0,0 @@
stages:
- triggers
build_dmz:
stage: triggers
trigger:
include: dmz/.gitlab/.gitlab-ci.yml
rules:
- changes:
- "dmz/terraform/*.tf"
build_infra:
stage: triggers
trigger:
include: infra/.gitlab/.gitlab-ci.yml
rules:
- changes:
- "infra/terraform/*.tf"
build_dev:
stage: triggers
trigger:
include: dev/.gitlab/.gitlab-ci.yml
rules:
- changes:
- "dev/terraform/*.tf"
build_prd:
stage: triggers
trigger:
include: prd/.gitlab/.gitlab-ci.yml
rules:
- changes:
- "prd/terraform/*.tf"

5
ansible/base.yaml
View file

@ -1,5 +0,0 @@
- hosts: all
gather_facts: yes
become: yes
roles:
- base

2
ansible/newcluster.yaml
View file

@ -1,2 +0,0 @@
argocd login --insecure
argocd cluster add default --name prd --yes --kubeconfig ~/Documents/config-prd

1
ansible/roles/base/files/01proxy
View file

@ -1 +0,0 @@
Acquire::http::Proxy "http://192.168.21.200:3142";

4
ansible/roles/base/files/10periodic
View file

@ -1,4 +0,0 @@
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

2
ansible/roles/base/files/authorized_keys_user
View file

@ -1,2 +0,0 @@
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGilcndatMrXg06VxtNKuIo3scoyyXbYX8Z7cOjeA102AAAABHNzaDo= desktop-arch-09-08-2025-yubikey
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINsbNSZ5Wr+50Ahz+IeZxt6F7gZ6wm1J8uKXQLbdbKFaAAAABHNzaDo= desktop-arch-09-08-2025-yubikeyNano

4
ansible/roles/base/files/issue
View file

@ -1,4 +0,0 @@
Use of this system is restricted to authorized users only, and all use is subjected to an acceptable use policy.
IF YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM, DISCONNECT NOW.

4
ansible/roles/base/files/motd
View file

@ -1,4 +0,0 @@
THIS SYSTEM IS FOR AUTHORIZED USE ONLY
All activities are logged and monitored.

95
ansible/roles/base/files/sshd_config_secured
View file

@ -1,95 +0,0 @@
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
ClientAliveInterval 300
#enable remote powershell
#Subsystem powershell /usr/bin/pwsh -sshs -NoLogo

155
ansible/roles/base/tasks/main.yaml
View file

@ -1,155 +0,0 @@
- name: Copy apt proxy
copy:
src: files/01proxy
dest: /etc/apt/apt.conf.d/01proxy
owner: root
group: root
mode: "0644"
force: yes
when:
- ansible_os_family == "Debian"
- inventory_hostname not in hosts_deny
- name: Update packages
apt:
name: '*'
state: latest
update_cache: yes
only_upgrade: yes
retries: 300
delay: 10
- name: Remove packages not needed anymore
apt:
autoremove: yes
retries: 300
delay: 10
- name: Install required packages Debian
apt:
state: latest
pkg: "{{ item }}"
with_items: "{{ required_packages }}"
retries: 300
delay: 10
- name: Create user account
user:
name: "user"
shell: /bin/bash
state: present
createhome: yes
- name: ensure ssh folder exists for user
file:
path: /home/user/.ssh
owner: user
group: user
mode: "0700"
state: directory
- name: Deploy SSH Key (user)
copy:
dest: /home/user/.ssh/authorized_keys
src: files/authorized_keys_user
owner: user
group: user
force: true
- name: Remove Root SSH Configuration
file:
path: /root/.ssh
state: absent
- name: Copy Secured SSHD Configuration
copy:
src: files/sshd_config_secured
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: "0644"
when: ansible_os_family == "Debian"
- name: Copy Secured SSHD Configuration
copy:
src: files/sshd_config_secured_redhat
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: "0644"
when: ansible_os_family == "RedHat"
- name: Restart SSHD
systemd:
name: sshd
daemon_reload: yes
state: restarted
enabled: yes
ignore_errors: yes
- name: Copy unattended-upgrades file
copy:
src: files/10periodic
dest: /etc/apt/apt.conf.d/10periodic
owner: root
group: root
mode: "0644"
force: yes
when: ansible_os_family == "Debian"
- name: Remove undesirable packages
package:
name: "{{ unnecessary_software }}"
state: absent
when: ansible_os_family == "Debian"
- name: Stop and disable unnecessary services
service:
name: "{{ item }}"
state: stopped
enabled: no
with_items: "{{ unnecessary_services }}"
ignore_errors: yes
- name: Set a message of the day
copy:
dest: /etc/motd
src: files/motd
owner: root
group: root
mode: 0644
- name: Set a login banner
copy:
dest: "{{ item }}"
src: files/issue
owner: root
group: root
mode: 0644
with_items:
- /etc/issue
- /etc/issue.net
- name: set timezone
shell: timedatectl set-timezone America/Chicago
- name: Enable cockpit
systemd:
name: cockpit
daemon_reload: yes
state: restarted
enabled: yes
- name: change password
ansible.builtin.user:
name: "user"
state: present
password: "{{ lookup('ansible.builtin.env', 'USER_PASSWORD') | password_hash('sha512') }}"
- name: add user to sudoers
community.general.sudoers:
name: user
state: present
user: user
commands: ALL

17
ansible/roles/base/vars/main.yaml
View file

@ -1,17 +0,0 @@
required_packages:
- ufw
- qemu-guest-agent
- fail2ban
- unattended-upgrades
- cockpit
- nfs-common
- open-iscsi
unnecessary_services:
- postfix
- telnet
unnecessary_software:
- tcpdump
- nmap-ncat
- wpa_supplicant