---
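# Alpine only: render the apk repository list from a template, then notify the
# update-apk handler (defined elsewhere; presumably an apk index refresh so the
# package tasks below see the new repositories).
- name: Configure repos
  when: ansible_facts['os_family'] == "Alpine"
  template:
    src: apk_repositories.j2
    dest: /etc/apk/repositories
    owner: root
    group: root
    # Quoted so Ansible receives the octal mode as a string; a bare 0644 is
    # parsed by the YAML loader as an integer and is not reliably octal.
    mode: "0644"
  notify: update-apk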
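# Alpine only: install the shared tool set. The package module accepts a list,
# so the whole set goes through one package-manager transaction instead of one
# apk invocation per item (same packages, same end state, fewer calls).
- name: Add common utilities
  when: ansible_facts['os_family'] == "Alpine"
  package:
    name: "{{ alpine_common_utilities }}"
    state: present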
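# Debian only: same as the Alpine task above, installed as a single list in one
# package-manager transaction rather than a per-item loop.
- name: Add common debian utilities
  when: ansible_facts['os_family'] == "Debian"
  package:
    name: "{{ debian_common_utilities }}"
    state: present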
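# Login banner, rendered on every OS family (no `when`).
- name: Add motd
  template:
    src: motd.j2
    dest: /etc/motd
    owner: root
    group: root
    # Quoted so the octal mode reaches Ansible as a string, not an integer.
    mode: "0644"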
# Time sync daemon; the service is started further down under its per-OS
# name (chronyd on Alpine, chrony on Debian).
- name: Install chrony
  package:
    state: present
    name: chrony
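# this baby right here can send arbitrary metrics
# The script itself is root-owned and not group/world-writable, so only root
# can change what it does; its output lands in the textfile collector
# directory created below.
- name: Add prom-collect
  template:
    src: prom-collect.j2
    dest: /usr/bin/prom-collect
    owner: root
    group: root
    # Quoted so the octal mode reaches Ansible as a string, not an integer.
    mode: "0755"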
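# Alpine only: drop a daily periodic script (run by crond, which is enabled
# further down) that presumably feeds prom-collect — check the template.
- name: Add cyberia-alpine-metrics
  when: ansible_facts['os_family'] == "Alpine"
  template:
    src: cyberia-alpine-metrics.j2
    dest: /etc/periodic/daily/cyberia-alpine-metrics
    owner: root
    group: root
    # Quoted so the octal mode reaches Ansible as a string, not an integer.
    mode: "0755"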
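# anyone can make a metric, who cares!
# NOTE(review): 0777 makes this directory world-writable, so any local account
# can create, overwrite or delete the files node-exporter publishes from here
# (metric spoofing / clobbering). If "anyone can write" is intended, "1777"
# (sticky bit) at least stops users removing each other's files; a dedicated
# group with "2775" would be tighter — confirm which users actually write here.
- name: Create textfile collector dir
  file:
    path: /var/lib/prometheus/textfile_collector
    state: directory
    owner: root
    group: root
    # Quoted so the octal mode reaches Ansible as a string, not an integer.
    mode: "0777"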
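# Alpine only: OpenRC conf.d file for node-exporter, presumably carrying the
# textfile collector directory flag (see the template).
- name: Set textfile collector flag
  when: ansible_facts['os_family'] == "Alpine"
  template:
    src: node-exporter.j2
    dest: /etc/conf.d/node-exporter
    owner: root
    group: root
    # Quoted so the octal mode reaches Ansible as a string, not an integer.
    mode: "0644"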
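# Alpine only: start now and enable at boot. `loop` over a literal flat list
# is equivalent to the old `with_items`; `enabled: true` is the canonical
# boolean (`yes` is a YAML 1.1-ism that generic parsers may not honour).
- name: Start and enable common alpine daemons
  when: ansible_facts['os_family'] == "Alpine"
  service:
    name: "{{ item }}"
    state: started
    enabled: true
  loop:
    - chronyd
    - crond
    - syslog
    - klogd
    - node-exporter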
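# Debian only: start now and enable at boot, with canonical booleans.
# NOTE(review): both `syslog` and `rsyslog` are listed; whether `syslog`
# resolves to a real unit on the target hosts is not visible here — confirm,
# since a missing service name fails the whole task.
- name: Start and enable common debian daemons
  when: ansible_facts['os_family'] == "Debian"
  service:
    name: "{{ item }}"
    state: started
    enabled: true
  loop:
    - chrony
    - cron
    - syslog
    - rsyslog
    - prometheus-node-exporter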
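# Replace the whole authorized_keys file for the cyberian account, so any key
# that is not in the template is dropped (that is the "lock down").
# NOTE(review): template does not create parent directories — this assumes
# /home/cyberian/.ssh already exists with safe permissions; confirm.
- name: Lock down cyberian account to just ansible
  template:
    src: authorized_keys.j2
    dest: /home/cyberian/.ssh/authorized_keys
    owner: cyberian
    group: cyberian
    # Quoted so the octal mode reaches Ansible as a string, not an integer.
    mode: "0600"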
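# One account per operator; password '*' leaves the password field locked so
# only key-based login (keys added by the next task) works.
# `loop` matches how the key task already iterates the same `operators` list.
# NOTE(review): the `wheel` group is assumed to exist on every OS family —
# on Debian the admin group is usually `sudo`; confirm the sudoers template
# grants `wheel` there and that the group exists, or the user module fails.
- name: Create operators
  user:
    name: "{{ item }}"
    state: present
    groups: wheel
    password: '*'
  loop: "{{ operators }}"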
# Each operator's public key is read from files/keys/<name>.pub on the
# controller and appended (state: present does not remove other keys).
- name: Add operator keys
  loop: "{{ operators }}"
  authorized_key:
    state: present
    user: '{{ item }}'
    key: "{{ lookup('file', 'files/keys/' ~ item ~ '.pub') }}"
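# Optional second set of accounts, only when `service_operators` is set.
# Same locked password and `wheel` membership as the operators task; `loop`
# mirrors the key task that follows.
- name: Create service operators
  when: service_operators is defined
  user:
    name: "{{ item }}"
    state: present
    groups: wheel
    password: '*'
  loop: "{{ service_operators }}"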
# Public keys for the optional service operators, same layout as the operator
# keys: files/keys/<name>.pub on the controller.
- name: Add service operator keys
  when: service_operators is defined
  loop: "{{ service_operators }}"
  authorized_key:
    state: present
    user: '{{ item }}'
    key: "{{ lookup('file', 'files/keys/' ~ item ~ '.pub') }}"
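# Optional `backups` account with a locked password (key-only login).
# `default(false) | bool` replaces `is defined and == True`: it still treats
# an unset variable as off, and also accepts the string forms ("true", "yes")
# that arrive via --extra-vars, which `== True` silently rejected.
- name: Add backup user
  when: backup_user | default(false) | bool
  user:
    name: backups
    state: present
    password: '*'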
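# Authorize the backup host's key on the `backups` account. The condition
# matches the "Add backup user" task (`| bool` accepts string extra-vars).
- name: Add backup key
  when: backup_user | default(false) | bool
  authorized_key:
    user: backups
    state: present
    # secret 83a7f301-1e06-4fbb-9ab7-43ca3c018a4b
    # NOTE(review): the value below is the public half of the key pair; the
    # sensitive part is the matching private key on the backup host. Unlike
    # the operator keys it is inlined rather than read from files/keys/ —
    # confirm that is intentional and that the "secret" tag above is a marker
    # rather than a real secret.
    key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCz68mEHm2XjA1ppXQW9kBVyIAnn4tH2le84momBySTM77F4rKgC7ZhL9IK+JZaXZylJaM9Rhc+m9y5j+Nh0DZBj+xYtIHHZgUVBnTaPpNMYBAiSAARF0h9LcrF8Z6uC3Al1hPxpeah6SPH7LIJjH8X2aGAYnPxtQ9YN88K4GM0zUdC+H0c+vfMv3koCkJClamS/GB3pQxDkFumJ86qDJVv1rDk2iGMlgPsJ61txr/xA9VpiavEtwFJH3VH7aFcYj17dviYGJUoU0nqgGLg3q0ZCmg/WAczni1N/0B+ztDKNwxF16v5MZIDszH+nJsMuR5Vp9eyuZ7XNYcOjtrM21bL backup-user"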
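# Render sshd_config and restart sshd via handler. `validate` runs
# `sshd -t` on the rendered temp file first, so a broken template is
# rejected before it replaces the live config — otherwise the restart
# handler would take sshd down and lock the operators out.
- name: Configure sshd
  template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    # Quoted so the octal mode reaches Ansible as a string, not an integer.
    mode: "0644"
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart-sshd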
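- name: Configure Sudoers
  # what were we replacing again?
  # `validate` runs visudo's syntax check on the rendered temp file; a sudoers
  # file with a syntax error disables sudo entirely, which with locked
  # passwords would leave no way to become root on the host.
  template:
    src: sudoers.j2
    dest: /etc/sudoers
    owner: root
    group: root
    # Quoted so the octal mode reaches Ansible as a string, not an integer.
    mode: "0440"
    validate: '/usr/sbin/visudo -cf %s'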
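# Alpine only: enable the OpenRC iptables service at boot (no `state`, so it
# is not started here; the rules below are applied live by the iptables
# module). `true` replaces the YAML 1.1 `yes`.
# NOTE(review): nothing in this file saves the live rules to disk — confirm
# that the rules set below survive a reboot on Alpine.
- name: Enable iptables
  when: ansible_facts['os_family'] == "Alpine"
  service:
    name: iptables
    enabled: true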
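# Alpine only: enable the OpenRC ip6tables service at boot, canonical boolean.
- name: Enable ip6tables
  when: ansible_facts['os_family'] == "Alpine"
  service:
    name: ip6tables
    enabled: true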
# Stateful allow: replies to outbound traffic and related flows pass before
# the INPUT policy is switched to DROP further down. Applies on every OS
# family (no `when`).
- name: Allow related and established connections
  iptables:
    jump: ACCEPT
    chain: INPUT
    ctstate: [ESTABLISHED, RELATED]
# Anything arriving on lo is accepted; the `comment` parameter is attached to
# the rule so it is visible in iptables -L output.
- name: Allow loopback connections
  iptables:
    chain: INPUT
    jump: ACCEPT
    in_interface: lo
    comment: 'Allow localhost'
# SSH: only connection-opening packets (SYN + conntrack NEW) are matched; the
# rest of the flow is covered by the ESTABLISHED,RELATED rule above.
- name: Allow new incoming SYN packets on TCP port 22 (SSH).
  iptables:
    jump: ACCEPT
    chain: INPUT
    protocol: tcp
    syn: match
    ctstate: NEW
    destination_port: "22"
    comment: 'Accept new SSH connections.'
# node-exporter scrape port, same SYN/NEW shape as the SSH rule. There is no
# source restriction, so the exporter is reachable from any address that can
# route to the host.
- name: Allow new incoming SYN packets on TCP port 9100 (Prometheus).
  iptables:
    jump: ACCEPT
    chain: INPUT
    protocol: tcp
    syn: match
    ctstate: NEW
    destination_port: "9100"
    comment: 'Accept new Prometheus connections.'
# Default-deny for IPv4 INPUT, set last so the accept rules above are already
# in place when the policy flips.
# NOTE(review): ip6tables is enabled earlier, but no task in this file sets an
# IPv6 policy or accept rules (the iptables module defaults to IPv4), so the
# IPv6 INPUT chain presumably keeps its default ACCEPT — confirm whether IPv6
# should be filtered the same way.
- name: Set the policy for the INPUT chain to DROP
  iptables:
    policy: DROP
    chain: INPUT