---
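- name: Configure repos
  # Alpine only: render the apk repository list. The update-apk handler
  # (defined outside this file) refreshes the package index afterwards.
  when: ansible_facts['os_family'] == "Alpine"
  template:
    src: apk_repositories.j2
    dest: /etc/apk/repositories
    owner: root
    group: root
    # Quoted: an unquoted 0644 is parsed as a YAML 1.1 octal integer, which
    # ansible-lint flags as a risky octal literal.
    mode: "0644"
  notify: update-apk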
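- name: Add common utilities
  # Alpine only. The whole list is handed to the package module in one call
  # instead of one apk transaction per item (with_items on a package module).
  when: ansible_facts['os_family'] == "Alpine"
  package:
    name: "{{ alpine_common_utilities }}"
    state: present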
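- name: Add common debian utilities
  # Debian only. Same shape as the Alpine task above: the whole list goes to
  # the package module in one call rather than one apt transaction per item.
  when: ansible_facts['os_family'] == "Debian"
  package:
    name: "{{ debian_common_utilities }}"
    state: present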
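- name: Add motd
  # Login banner. Not OS-gated, so it is rendered on every host.
  template:
    src: motd.j2
    dest: /etc/motd
    owner: root
    group: root
    # Quoted so YAML does not reinterpret the octal literal.
    mode: "0644"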
- name: Install chrony
  # Time-sync daemon. It is started and enabled by the
  # "Start and enable common ... daemons" tasks further down.
  package:
    state: present
    name: chrony
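# this baby right here can send arbitrary metrics
- name: Add prom-collect
  # Helper script rendered into PATH. root:root with 0755 means any local user
  # can run it but only root can change it. What it emits is defined by the
  # template, not here — presumably files for the textfile collector created
  # below; confirm against prom-collect.j2.
  template:
    src: prom-collect.j2
    dest: /usr/bin/prom-collect
    owner: root
    group: root
    # Quoted so YAML does not reinterpret the octal literal.
    mode: "0755"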
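- name: Add cyberia-alpine-metrics
  # Alpine only: a script dropped into /etc/periodic/daily, the directory
  # Alpine's crond runs once a day (crond is enabled further down in this file).
  when: ansible_facts['os_family'] == "Alpine"
  template:
    src: cyberia-alpine-metrics.j2
    dest: /etc/periodic/daily/cyberia-alpine-metrics
    owner: root
    group: root
    # Quoted so YAML does not reinterpret the octal literal.
    mode: "0755"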
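# anyone can make a metric, who cares!
- name: Create textfile collector dir
  # World-writable by design so unprivileged jobs can drop *.prom files here
  # for node-exporter's textfile collector to scrape.
  # The sticky bit (1777 rather than 0777) keeps one local user from deleting
  # or renaming another user's files. It does not stop a local user from
  # writing spoofed metrics — that is the accepted risk stated above.
  file:
    path: /var/lib/prometheus/textfile_collector
    state: directory
    owner: root
    group: root
    mode: "1777"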
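- name: Set textfile collector flag
  # Alpine only: OpenRC conf.d file for node-exporter. The template presumably
  # points the textfile collector at the directory created above — confirm
  # against node-exporter.j2.
  # NOTE(review): nothing is notified here, so a changed flag only takes
  # effect the next time node-exporter is restarted.
  when: ansible_facts['os_family'] == "Alpine"
  template:
    src: node-exporter.j2
    dest: /etc/conf.d/node-exporter
    owner: root
    group: root
    # Quoted so YAML does not reinterpret the octal literal.
    mode: "0644"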
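- name: Start and enable common alpine daemons
  # Alpine only: start each OpenRC service now and add it to the default
  # runlevel so it comes back on reboot.
  when: ansible_facts['os_family'] == "Alpine"
  service:
    name: "{{ item }}"
    state: started
    # Real boolean; a bare "yes" is a YAML 1.1 truthy value, not a 1.2 one.
    enabled: true
  loop:
    - chronyd
    - crond
    - syslog
    - klogd
    - node-exporter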
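- name: Start and enable common debian daemons
  # Debian only: start each service now and enable it at boot. Both "syslog"
  # and "rsyslog" are listed; on rsyslog systems these usually refer to the
  # same unit — confirm, as a missing unit fails the whole task.
  when: ansible_facts['os_family'] == "Debian"
  service:
    name: "{{ item }}"
    state: started
    # Real boolean; a bare "yes" is a YAML 1.1 truthy value, not a 1.2 one.
    enabled: true
  loop:
    - chrony
    - cron
    - syslog
    - rsyslog
    - prometheus-node-exporter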
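- name: Lock down cyberian account to just ansible
  # The template replaces the whole authorized_keys file, so any key that is
  # not in authorized_keys.j2 is removed on every run. 0600 keeps the file
  # readable by the account only. Assumes ~cyberian/.ssh already exists —
  # confirm; the template module does not create parent directories.
  template:
    src: authorized_keys.j2
    dest: /home/cyberian/.ssh/authorized_keys
    owner: cyberian
    group: cyberian
    # Quoted so YAML does not reinterpret the octal literal.
    mode: "0600"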
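- name: Create operators
  # One login per entry in `operators`. password '*' is a locked hash, so
  # these accounts are reachable only through the keys added in the next
  # task. `groups` without `append` resets the supplementary groups to
  # exactly wheel on every run.
  user:
    name: "{{ item }}"
    state: present
    groups: wheel
    password: '*'
  loop: "{{ operators }}"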
- name: Add operator keys
  # Reads files/keys/<operator>.pub from the controller and appends it to
  # that operator's authorized_keys. Keys already present are left alone
  # (no `exclusive`), so removing a key from files/keys/ does not revoke it.
  authorized_key:
    state: present
    user: "{{ item }}"
    key: "{{ lookup('file', 'files/keys/' + item + '.pub') }}"
  loop: "{{ operators }}"
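- name: Create service operators
  # Same contract as "Create operators", gated on `service_operators` being
  # set. password '*' is a locked hash (key-only login); `groups` without
  # `append` resets supplementary groups to exactly wheel on every run.
  when: service_operators is defined
  user:
    name: "{{ item }}"
    state: present
    groups: wheel
    password: '*'
  loop: "{{ service_operators }}"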
- name: Add service operator keys
  # Mirror of "Add operator keys" for the optional service_operators list:
  # each account gets files/keys/<name>.pub appended to its authorized_keys.
  when: service_operators is defined
  authorized_key:
    state: present
    user: "{{ item }}"
    key: "{{ lookup('file', 'files/keys/' + item + '.pub') }}"
  loop: "{{ service_operators }}"
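- name: Add backup user
  # Opt-in via `backup_user`. `| default(false) | bool` also accepts the
  # string forms an `-e backup_user=true` extra-var produces, which the
  # previous `backup_user == True` comparison rejected.
  when: backup_user | default(false) | bool
  user:
    name: backups
    state: present
    # Locked password hash: the account is reachable only via the key below.
    password: '*'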
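- name: Add backup key
  # Same opt-in condition as "Add backup user"; accepts string truthy values.
  when: backup_user | default(false) | bool
  # Public half only — the private key is presumably held by the backup
  # client and is not on this page. Unlike the operator keys it is inlined
  # here rather than read from files/keys/.
  authorized_key:
    user: backups
    state: present
    # secret 83a7f301-1e06-4fbb-9ab7-43ca3c018a4b
    key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCz68mEHm2XjA1ppXQW9kBVyIAnn4tH2le84momBySTM77F4rKgC7ZhL9IK+JZaXZylJaM9Rhc+m9y5j+Nh0DZBj+xYtIHHZgUVBnTaPpNMYBAiSAARF0h9LcrF8Z6uC3Al1hPxpeah6SPH7LIJjH8X2aGAYnPxtQ9YN88K4GM0zUdC+H0c+vfMv3koCkJClamS/GB3pQxDkFumJ86qDJVv1rDk2iGMlgPsJ61txr/xA9VpiavEtwFJH3VH7aFcYj17dviYGJUoU0nqgGLg3q0ZCmg/WAczni1N/0B+ztDKNwxF16v5MZIDszH+nJsMuR5Vp9eyuZ7XNYcOjtrM21bL backup-user"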
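- name: Configure sshd
  # `validate` runs the rendered file through sshd's config check before it
  # is moved into place, so a broken template cannot take sshd down when the
  # restart-sshd handler fires (handler defined outside this file).
  template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    # Quoted so YAML does not reinterpret the octal literal.
    mode: "0644"
    validate: /usr/sbin/sshd -t -f %s
  notify: restart-sshd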
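- name: Configure Sudoers
  # what were we replacing again?
  # `validate` parses the rendered file with visudo before it replaces
  # /etc/sudoers; a syntax error there would otherwise lock every operator
  # out of sudo on the next run.
  template:
    src: sudoers.j2
    dest: /etc/sudoers
    owner: root
    group: root
    # sudo expects 0440 and refuses a sudoers file with looser permissions.
    # Quoted so YAML does not reinterpret the octal literal.
    mode: "0440"
    validate: /usr/sbin/visudo -cf %s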
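- name: Enable iptables
  # Alpine only: add the OpenRC iptables service to the default runlevel so
  # saved rules are restored at boot. The `iptables` tasks below only change
  # the live ruleset — confirm something persists it to the init script's
  # saved-rules file, otherwise the DROP policy is gone after a reboot.
  when: ansible_facts['os_family'] == "Alpine"
  service:
    name: iptables
    # Real boolean; a bare "yes" is a YAML 1.1 truthy value, not a 1.2 one.
    enabled: true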
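- name: Enable ip6tables
  # Alpine only: enable the OpenRC ip6tables service at boot.
  # NOTE(review): none of the `iptables` tasks in this file set
  # `ip_version: ipv6`, so they apply to IPv4 only and the IPv6 INPUT chain
  # is not given a DROP policy here — confirm IPv6 is filtered elsewhere or
  # disabled on these hosts.
  when: ansible_facts['os_family'] == "Alpine"
  service:
    name: ip6tables
    # Real boolean; a bare "yes" is a YAML 1.1 truthy value, not a 1.2 one.
    enabled: true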
- name: Allow related and established connections
  # Stateful accept for replies to outbound traffic. Appended to INPUT
  # before the chain's policy is switched to DROP at the end of this file.
  iptables:
    jump: ACCEPT
    chain: INPUT
    ctstate: ESTABLISHED,RELATED
- name: Allow loopback connections
  # Anything arriving on lo is accepted; local services talking to each
  # other would otherwise be caught by the INPUT DROP policy.
  iptables:
    jump: ACCEPT
    chain: INPUT
    in_interface: lo
    comment: Allow localhost
- name: Allow new incoming SYN packets on TCP port 22 (SSH).
  # Only fresh SYNs (NEW + syn match) are accepted; established SSH sessions
  # are covered by the ESTABLISHED,RELATED rule above. No `source` filter,
  # so SSH is reachable from any address.
  iptables:
    jump: ACCEPT
    chain: INPUT
    protocol: tcp
    destination_port: '22'
    ctstate: NEW
    syn: match
    comment: Accept new SSH connections.
- name: Allow new incoming SYN packets on TCP port 9100 (Prometheus).
  # node-exporter scrape port. Same NEW + syn shape as the SSH rule.
  # NOTE(review): no `source` filter, so any host can read the metrics
  # (including whatever the world-writable textfile collector dir holds);
  # restricting to the Prometheus server's address would narrow that.
  iptables:
    jump: ACCEPT
    chain: INPUT
    protocol: tcp
    destination_port: '9100'
    ctstate: NEW
    syn: match
    comment: Accept new Prometheus connections.
- name: Set the policy for the INPUT chain to DROP
  # Default-deny for inbound IPv4 once the accept rules above are in place.
  # The module defaults to ip_version ipv4, so this does not touch ip6tables.
  iptables:
    policy: DROP
    chain: INPUT