From dba78460623af459e68c55f2a2ce60e68550c9f1 Mon Sep 17 00:00:00 2001
From: DeveloperDurp
Date: Tue, 27 Jan 2026 05:28:57 -0600
Subject: [PATCH] update
---
 .gitignore | 1 +
 .gitlab-ci.yml | 15 ++
 ansible/base.yaml | 5 +
 ansible/newcluster.yaml | 2 +
 ansible/roles/base/files/01proxy | 1 +
 ansible/roles/base/files/10periodic | 4 +
 ansible/roles/base/files/authorized_keys_user | 2 +
 ansible/roles/base/files/issue | 4 +
 ansible/roles/base/files/motd | 4 +
 ansible/roles/base/files/sshd_config_secured | 95 +++++++++++
 ansible/roles/base/tasks/main.yaml | 155 ++++++++++++++++++
 ansible/roles/base/vars/main.yaml | 17 ++
 invintory.yaml | 44 +++++
 13 files changed, 349 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 .gitlab-ci.yml
 create mode 100644 ansible/base.yaml
 create mode 100644 ansible/newcluster.yaml
 create mode 100644 ansible/roles/base/files/01proxy
 create mode 100644 ansible/roles/base/files/10periodic
 create mode 100644 ansible/roles/base/files/authorized_keys_user
 create mode 100644 ansible/roles/base/files/issue
 create mode 100644 ansible/roles/base/files/motd
 create mode 100644 ansible/roles/base/files/sshd_config_secured
 create mode 100644 ansible/roles/base/tasks/main.yaml
 create mode 100644 ansible/roles/base/vars/main.yaml
 create mode 100644 invintory.yaml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..485dee6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.idea
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..31e961e
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,15 @@
+stages:
+ - script
+
+ansible-base:
+ stage: script
+ variables:
+ DEBIAN_FRONTEND: noninteractive
+ image:
+ name: registry.durp.info/ubuntu:latest
+ before_script:
+ - apt update && apt install tzdata ansible python3-pip -y
+ script:
+ - ansible-playbook $CI_PROJECT_DIR/base.yml
+ rules:
+ - if: '$SCRIPT == "base"'
diff --git a/ansible/base.yaml b/ansible/base.yaml
new file mode 100644
index 0000000..9093cdb
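Review bot: The job's `script` runs `ansible-playbook $CI_PROJECT_DIR/base.yml`, but the playbook this commit adds is `ansible/base.yaml`, so the path is wrong in both directory and extension and the job fails at file lookup; change it to `- ansible-playbook $CI_PROJECT_DIR/ansible/base.yaml`. No inventory is passed either, and the `invintory.yaml` added at the repository root is not a default inventory location, so without an `ansible.cfg` (none is in this commit) the play would target no hosts; `-i $CI_PROJECT_DIR/invintory.yaml` makes the target explicit. The role's last task uses `community.general.sudoers`, which needs the community.general collection; the Debian `ansible` metapackage installed in `before_script` probably bundles it, but a `requirements.yml` plus `ansible-galaxy collection install` would make the job reproducible rather than dependent on whatever version the image's apt mirror serves.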
--- /dev/null
+++ b/ansible/base.yaml
@@ -0,0 +1,5 @@
+- hosts: all
+ gather_facts: yes
+ become: yes
+ roles:
+ - base
diff --git a/ansible/newcluster.yaml b/ansible/newcluster.yaml
new file mode 100644
index 0000000..4fb3572
--- /dev/null
+++ b/ansible/newcluster.yaml
@@ -0,0 +1,2 @@
+argocd login --insecure
+argocd cluster add default --name prd --yes --kubeconfig ~/Documents/config-prd
diff --git a/ansible/roles/base/files/01proxy b/ansible/roles/base/files/01proxy
new file mode 100644
index 0000000..947368d
--- /dev/null
+++ b/ansible/roles/base/files/01proxy
@@ -0,0 +1 @@
+Acquire::http::Proxy "http://192.168.21.200:3142";
diff --git a/ansible/roles/base/files/10periodic b/ansible/roles/base/files/10periodic
new file mode 100644
index 0000000..5d37e9f
--- /dev/null
+++ b/ansible/roles/base/files/10periodic
@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";
diff --git a/ansible/roles/base/files/authorized_keys_user b/ansible/roles/base/files/authorized_keys_user
new file mode 100644
index 0000000..49d58bb
--- /dev/null
+++ b/ansible/roles/base/files/authorized_keys_user
@@ -0,0 +1,2 @@
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGilcndatMrXg06VxtNKuIo3scoyyXbYX8Z7cOjeA102AAAABHNzaDo= desktop-arch-09-08-2025-yubikey
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINsbNSZ5Wr+50Ahz+IeZxt6F7gZ6wm1J8uKXQLbdbKFaAAAABHNzaDo= desktop-arch-09-08-2025-yubikeyNano
\ No newline at end of file
diff --git a/ansible/roles/base/files/issue b/ansible/roles/base/files/issue
new file mode 100644
index 0000000..5acb66f
--- /dev/null
+++ b/ansible/roles/base/files/issue
@@ -0,0 +1,4 @@
+Use of this system is restricted to authorized users only, and all use is subjected to an acceptable use policy.
+
+IF YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM, DISCONNECT NOW.
+
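Review bot: `gather_facts: yes` and `become: yes` use YAML 1.1 truthy words; fact gathering is required here because the role's tasks branch on `ansible_os_family`, but spell the booleans `gather_facts: true` and `become: true` to match ansible-lint's truthy rule and the `force: true` form already used in the role's Deploy SSH Key task. `hosts: all` combined with the added inventory pulls the DMZ and OpenVPN hosts into the same run as the internal clusters; that is presumably intended, but a one-line comment above the play saying so would stop a later reader from assuming the apt-proxy and sudoers tasks were scoped to the internal groups only.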
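Review bot: `argocd login --insecure` turns off TLS certificate verification for the Argo CD API session, so the login credentials and the token it returns are exposed to anyone positioned on that network path; if the API serves a private-CA certificate, trust that CA on the client instead of disabling verification. The file contains two shell commands but carries a `.yaml` extension and no shebang, so YAML tooling pointed at `ansible/` (including `ansible-playbook`) will reject it; moving it to a `.sh` file with `#!/bin/sh` and `set -e`, or adding a leading comment that it is a manual run-once snippet, would make the intent clear. The `--kubeconfig ~/Documents/config-prd` path is specific to one workstation and belongs in that comment as well.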
diff --git a/ansible/roles/base/files/motd b/ansible/roles/base/files/motd
new file mode 100644
index 0000000..fa6c8db
--- /dev/null
+++ b/ansible/roles/base/files/motd
@@ -0,0 +1,4 @@
+THIS SYSTEM IS FOR AUTHORIZED USE ONLY
+
+All activities are logged and monitored.
+
diff --git a/ansible/roles/base/files/sshd_config_secured b/ansible/roles/base/files/sshd_config_secured
new file mode 100644
index 0000000..88bfedb
--- /dev/null
+++ b/ansible/roles/base/files/sshd_config_secured
@@ -0,0 +1,95 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+ClientAliveInterval 300
+
+#enable remote powershell
+#Subsystem powershell /usr/bin/pwsh -sshs -NoLogo
+
+
diff --git a/ansible/roles/base/tasks/main.yaml b/ansible/roles/base/tasks/main.yaml
new file mode 100644
index 0000000..8cb1553
--- /dev/null
+++ b/ansible/roles/base/tasks/main.yaml
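Review bot: `#Banner /etc/issue.net` stays commented out while the role's tasks install `/etc/issue.net` as a login banner, so the pre-authentication banner is never shown over SSH and `PrintMotd no` also suppresses the installed motd at sshd level (Debian's PAM stack may still print it, which is worth confirming on a target); set `Banner /etc/issue.net` if the banner is meant to be seen. `Protocol`, `UsePrivilegeSeparation`, `KeyRegenerationInterval`, `ServerKeyBits`, `RSAAuthentication` and `RhostsRSAAuthentication` were removed from OpenSSH long ago and current releases log them as deprecated (or, for `Protocol`, silently skip them), and `HostKey /etc/ssh/ssh_host_dsa_key` names a key type modern packages no longer generate, so if that file is absent sshd logs a host-key load error at every start; dropping these lines keeps `sshd -t` and the auth log clean so a real misconfiguration stands out. `ChallengeResponseAuthentication` is the legacy spelling of `KbdInteractiveAuthentication` on recent releases; it still works, but the new name avoids a future warning. `ClientAliveInterval 300` is set without `ClientAliveCountMax`, so the effective idle timeout depends on the default of 3 probes; stating `ClientAliveCountMax 3` (or the intended value) next to it documents the policy.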
@@ -0,0 +1,155 @@
+- name: Copy apt proxy
+ copy:
+ src: files/01proxy
+ dest: /etc/apt/apt.conf.d/01proxy
+ owner: root
+ group: root
+ mode: "0644"
+ force: yes
+ when:
+ - ansible_os_family == "Debian"
+ - inventory_hostname not in hosts_deny
+
+- name: Update packages
+ apt:
+ name: '*'
+ state: latest
+ update_cache: yes
+ only_upgrade: yes
+ retries: 300
+ delay: 10
+
+- name: Remove packages not needed anymore
+ apt:
+ autoremove: yes
+ retries: 300
+ delay: 10
+
+- name: Install required packages Debian
+ apt:
+ state: latest
+ pkg: "{{ item }}"
+ with_items: "{{ required_packages }}"
+ retries: 300
+ delay: 10
+
+- name: Create user account
+ user:
+ name: "user"
+ shell: /bin/bash
+ state: present
+ createhome: yes
+
+- name: ensure ssh folder exists for user
+ file:
+ path: /home/user/.ssh
+ owner: user
+ group: user
+ mode: "0700"
+ state: directory
+
+- name: Deploy SSH Key (user)
+ copy:
+ dest: /home/user/.ssh/authorized_keys
+ src: files/authorized_keys_user
+ owner: user
+ group: user
+ force: true
+
+- name: Remove Root SSH Configuration
+ file:
+ path: /root/.ssh
+ state: absent
+
+- name: Copy Secured SSHD Configuration
+ copy:
+ src: files/sshd_config_secured
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: root
+ mode: "0644"
+ when: ansible_os_family == "Debian"
+
+- name: Copy Secured SSHD Configuration
+ copy:
+ src: files/sshd_config_secured_redhat
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: root
+ mode: "0644"
+ when: ansible_os_family == "RedHat"
+
+- name: Restart SSHD
+ systemd:
+ name: sshd
+ daemon_reload: yes
+ state: restarted
+ enabled: yes
+ ignore_errors: yes
+
+
+- name: Copy unattended-upgrades file
+ copy:
+ src: files/10periodic
+ dest: /etc/apt/apt.conf.d/10periodic
+ owner: root
+ group: root
+ mode: "0644"
+ force: yes
+ when: ansible_os_family == "Debian"
+
+- name: Remove undesirable packages
+ package:
+ name: "{{ unnecessary_software }}"
+ state: absent
+ when: ansible_os_family == "Debian"
+
+- name: Stop and disable unnecessary services
+ service:
+ name: "{{ item }}"
+ state: stopped
+ enabled: no
+ with_items: "{{ unnecessary_services }}"
+ ignore_errors: yes
+
+- name: Set a message of the day
+ copy:
+ dest: /etc/motd
+ src: files/motd
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Set a login banner
+ copy:
+ dest: "{{ item }}"
+ src: files/issue
+ owner: root
+ group: root
+ mode: 0644
+ with_items:
+ - /etc/issue
+ - /etc/issue.net
+
+- name: set timezone
+ shell: timedatectl set-timezone America/Chicago
+
+- name: Enable cockpit
+ systemd:
+ name: cockpit
+ daemon_reload: yes
+ state: restarted
+ enabled: yes
+
+- name: change password
+ ansible.builtin.user:
+ name: "user"
+ state: present
+ password: "{{ lookup('ansible.builtin.env', 'USER_PASSWORD') | password_hash('sha512') }}"
+
+- name: add user to sudoers
+ community.general.sudoers:
+ name: user
+ state: present
+ user: user
+ commands: ALL
diff --git a/ansible/roles/base/vars/main.yaml b/ansible/roles/base/vars/main.yaml
new file mode 100644
index 0000000..2670ac2
--- /dev/null
+++ b/ansible/roles/base/vars/main.yaml
@@ -0,0 +1,17 @@
+required_packages:
+ - ufw
+ - qemu-guest-agent
+ - fail2ban
+ - unattended-upgrades
+ - cockpit
+ - nfs-common
+ - open-iscsi
+
+unnecessary_services:
+ - postfix
+ - telnet
+
+unnecessary_software:
+ - tcpdump
+ - nmap-ncat
+ - wpa_supplicant
diff --git a/invintory.yaml b/invintory.yaml
new file mode 100644
index 0000000..571c71e
--- /dev/null
+++ b/invintory.yaml
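Review bot: Both `Copy Secured SSHD Configuration` tasks overwrite `/etc/ssh/sshd_config` with no validation, and the `Restart SSHD` task that follows carries `ignore_errors: yes`, so a config that sshd rejects fails silently and every host is locked out at its next connection; add `validate: '/usr/sbin/sshd -t -f %s'` to both copy tasks and remove `ignore_errors` from the restart (a handler notified by the copy would also avoid restarting on every run). `add user to sudoers` uses `community.general.sudoers`, whose `nopassword` option defaults to true, so as written `user` receives `NOPASSWD: ALL`; set `nopassword: false` unless passwordless sudo is deliberate, and say so in the task name. `change password` hashes `lookup('ansible.builtin.env', 'USER_PASSWORD')`, which yields an empty string when the variable is unset (the CI job defines no such variable), so the account would get a hash of an empty password, and because `password_hash` salts freshly the task reports changed on every run; append `| mandatory` to the lookup so an unset variable fails the play instead. `Copy apt proxy` tests `inventory_hostname not in hosts_deny`, but `hosts_deny` is not defined in any file this commit adds, so Debian hosts hit an undefined-variable error unless it comes from inventory elsewhere, and the RedHat copy task likewise references `files/sshd_config_secured_redhat`, which is not in this commit. `mode: 0644` on the motd and banner tasks is unquoted while every other task writes `"0644"`; quote it for consistency so the octal intent does not depend on the YAML loader.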
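Review bot: `nmap-ncat` in `unnecessary_software` is the Red Hat package name; on Debian/Ubuntu, the only family the `Remove undesirable packages` task targets, the package is `ncat` (or `netcat-openbsd`), so this entry is either a no-op or an unknown-package failure depending on the apt module version. `telnet` under `unnecessary_services` is a client package on Debian rather than a service unit, so the stop/disable task will only ever reach its `ignore_errors`; if the goal is to drop the telnet client, move it to `unnecessary_software`. `ufw` and `fail2ban` are installed via `required_packages`, but nothing in the role enables ufw or ships a jail, so the hosts stay at the package defaults; a comment here stating whether that is intended, or a follow-up task, would make the baseline explicit.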
@@ -0,0 +1,44 @@
+pihole:
+ hosts:
+ 192.168.12.41:
+ 192.168.12.42:
+ 192.168.12.43:
+infra-master:
+ hosts:
+ 192.168.12.11:
+ 192.168.12.12:
+ 192.168.12.13:
+infra-node:
+ hosts:
+ 192.168.12.21:
+ 192.168.12.22:
+ 192.168.12.23:
+dmz-master:
+ hosts:
+ 192.168.98.11:
+ 192.168.98.12:
+ 192.168.98.13:
+dmz-node:
+ hosts:
+ 192.168.98.21:
+ 192.168.98.22:
+ 192.168.98.23:
+dev-master:
+ hosts:
+ 192.168.10.11:
+ 192.168.10.12:
+ 192.168.10.13:
+ 192.168.11.11:
+ 192.168.11.12:
+ 192.168.11.13:
+dev-node:
+ hosts:
+ 192.168.10.21:
+ 192.168.10.22:
+ 192.168.10.23:
+ 192.168.11.21:
+ 192.168.11.22:
+ 192.168.11.23:
+openvpn:
+ hosts:
+ 192.168.98.20:
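Review bot: The inventory carries no connection variables — no `ansible_user`, `ansible_ssh_private_key_file` or `ansible_port` — so with `PermitRootLogin no` and `PasswordAuthentication no` in the deployed sshd config, every listed host must already accept key-based login for whatever account runs the play, and the role's `Remove Root SSH Configuration` task deletes `/root/.ssh` on the first run; a short header comment stating that prerequisite would save the next operator a lockout investigation. The file name `invintory.yaml` is misspelled, which matters because the CI job passes no `-i` and an operator typing `inventory.yaml` silently falls back to the default inventory; rename it or reference it from an `ansible.cfg`. Bare IP keys such as `192.168.12.41:` are valid here, but the groups have no `children:` nesting, so `infra-master`/`infra-node` and the `dmz-*` pairs cannot be addressed as parent groups without adding one, and the apt proxy at `192.168.21.200` is on a subnet that appears nowhere in this inventory, so whether the `192.168.98.x` DMZ hosts can reach it is worth confirming.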