Compare commits


3 commits

Author SHA1 Message Date
Ada
cb50373b94
WIP
2024-03-25 00:51:16 +01:00
Ada
97ab23e625
WIP
2024-03-25 00:32:09 +01:00
Ada
2410885737
Add knot roles
2024-03-24 22:12:56 +01:00
21 changed files with 273 additions and 23 deletions


@ -1,2 +1,3 @@
---
skip_list:
- '403' # Package installs should not use latest.
- "403" # Package installs should not use latest.

19
ansible/deploy.yml Normal file

@ -0,0 +1,19 @@
---
- name: Configure base
hosts: all
become: true
roles:
- role: dnf
when: ansible_facts['os_family'] == "RedHat"
- auditd
- fail2ban
- journald
- sshd
- role: timesyncd
when: ansible_facts['os_family'] == "Ubuntu"
- name: Resolver
hosts: resolver
become: true
roles:
- knot_resolver
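Review bot: The guard `when: ansible_facts['os_family'] == "Ubuntu"` on the `timesyncd` role never matches, because Ansible reports `os_family` as `Debian` for Ubuntu hosts (the distribution name is in `ansible_facts['distribution']`), so time synchronisation is silently skipped on the hosts it is meant for; the fail2ban role elsewhere in this compare tests `"Debian"` correctly. Use `when: ansible_facts['distribution'] == "Ubuntu"`, or `ansible_facts['os_family'] == "Debian"` if plain Debian hosts should get it too; the pre-existing `post_tasks` guard in the base play has the same problem. Note that RedHat hosts currently get no time-sync role at all in this play, which matters for log correlation and for TLS/DNSSEC validity checks on the resolver.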


@ -0,0 +1,2 @@
---
resolver_ip: 10.20.0.42
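Review bot: `resolver_ip` repeats the `ansible_host` value given for `resolver-1` in `ansible/hosts.yml`, and the kresd template binds only to this address, so renumbering the host in the inventory without updating this file leaves the resolver listening on a stale address with no error from Ansible. Deriving it from the inventory, e.g. `resolver_ip: "{{ ansible_host }}"` (or `hostvars['resolver-1'].ansible_host` if it must live at group level), keeps a single source of truth.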


@ -0,0 +1,4 @@
---
kresd_allow:
- 10.0.0.0/8
- 172.16.0.0/12

8
ansible/hosts.yml Normal file

@ -0,0 +1,8 @@
all:
hosts:
resolver-1:
ansible_host: 10.20.0.42
children:
resolver:
hosts:
resolver-1:


@ -13,5 +13,5 @@
when: ansible_facts['os_family'] == "Ubuntu"
post_tasks:
- name: Clean cloud-init
ansible.builtin.command: "cloud-init clean"
ansible.builtin.command: cloud-init clean
changed_when: false


@ -19,6 +19,6 @@
- name: Add rules
ansible.builtin.copy:
src: 'custom.rules'
dest: '/etc/audit/rules.d/custom.rules'
src: custom.rules
dest: /etc/audit/rules.d/custom.rules
mode: "0640"


@ -0,0 +1,19 @@
---
- name: Package cache update
become: true
ansible.builtin.package:
update_cache: true
- name: Restart knot resolver
become: true
ansible.builtin.service:
state: restarted
name: kresd@{{ item }}.service
with_sequence: count={{ ansible_processor_vcpus }}
- name: Enable knot resolver
become: true
ansible.builtin.service:
enabled: true
name: kresd@{{ item }}.service
with_sequence: count={{ ansible_processor_vcpus }}
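Review bot: `with_sequence: count={{ ansible_processor_vcpus }}` on both knot handlers uses the legacy `key=value` lookup form; `loop: "{{ range(1, ansible_processor_vcpus + 1) | list }}"` keeps the file in the block-YAML style used by the other roles and makes the 1-based `kresd@N` numbering explicit. Tying the unit count to the current vCPU count also means these handlers only ever touch units that exist for that count; if a host is later resized down, instances enabled under the old count are not disabled by this handler, so a one-line comment stating that assumption would help the next maintainer.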


@ -0,0 +1,32 @@
---
- name: Get authentik source
ansible.builtin.git:
repo: https://github.com/goauthentik/authentik.git
dest: /opt/authentik/src
version: version/2024.2.2
force: true
- name: Build front
ansible.builtin.shell: |
cd /opt/authentik/src/website
npm i
npm run build-docs-only
cd /opt/authentik/src/web
npm i
npm run build
- name: Create virtualenv
ansible.builtin.command: python3.12 -m venv /opt/authentik/src/venv
- name: Installl poetry and dependencies
ansible.builtin.shell: |
cd /opt/authentik/src/
venv/bin/pip install poetry
venv/bin/poetry install --only=main --no-ansi --no-interaction --no-root
- name: Build go proxy
ansible.builtin.shell: |-
cd /opt/authentik/src/
sed -i "s/c.Setup(\".\/authentik\/lib\/default.yml\", \".\/local.env.yml\")/c.Setup(\"\/etc\/authentik\/config.yml\", \".\/authentik\/lib\/default.yml\", \".\/local.env.yml\")/" /opt/authentik/src/internal/config/config.go
go build -o /opt/authentik/src/authentik-server ./cmd/server/
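Review bot: Each `ansible.builtin.shell` script here reports only the exit status of its last command, so a failing `cd`, `npm i` or `npm run build-docs-only` is masked by the command after it and the play carries on with a half-built tree; start each script with `set -euo pipefail` (with `args: executable: /bin/bash`) or split the steps into separate tasks using `args: chdir`. The `sed -i` in `Build go proxy` silently does nothing if upstream moves or rewords the `c.Setup(...)` call, so guard it with a `grep -q` of the expected line first so the task fails loudly instead of producing a binary that ignores `/etc/authentik/config.yml`. For supply-chain hygiene, `npm ci` honours the committed lockfile where `npm i` may rewrite it, `venv/bin/pip install poetry` is unpinned, and `version: version/2024.2.2` looks like an upstream tag, which can be moved — pinning a commit SHA gives a reproducible build. None of these tasks declares `creates:` or `changed_when:`, so every run rebuilds and reports changed; `creates: /opt/authentik/src/authentik-server` on the last task at least makes the play idempotent (and the task name `Installl poetry` has a typo).
```yaml
- name: Build front
  ansible.builtin.shell: |
    set -euo pipefail
    cd /opt/authentik/src/website
    npm ci
    npm run build-docs-only
    cd /opt/authentik/src/web
    npm ci
    npm run build
  args:
    executable: /bin/bash
# … unchanged: Create virtualenv, Install poetry and dependencies …
- name: Build go proxy
  ansible.builtin.shell: |-
    set -euo pipefail
    cd /opt/authentik/src/
    grep -q 'c.Setup("./authentik/lib/default.yml", "./local.env.yml")' internal/config/config.go
    # … unchanged: sed -i patch of internal/config/config.go …
    go build -o /opt/authentik/src/authentik-server ./cmd/server/
  args:
    executable: /bin/bash
    creates: /opt/authentik/src/authentik-server
```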


@ -0,0 +1,59 @@
---
- name: Install roles dependencies
ansible.builtin.apt:
name: "{{ item }}"
with_items:
- git
- libpq-dev
- libxmlsec1-dev
- name: Add deadsnake ppa for python3.12
ansible.builtin.apt_repository:
repo: ppa:deadsnakes/ppa
- name: Install python3.12
ansible.builtin.apt:
name: "{{ item }}"
with_items:
- python3.12
- python3.12-distutils
- python3.12-venv
- python3.12-dev
- name: Add longsleep ppa for go 1.22
ansible.builtin.apt_repository:
repo: ppa:longsleep/golang-backports
- name: Install go 1.22
ansible.builtin.apt:
name: golang-go
- name: Download node GPG key
ansible.builtin.get_url:
url: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key
dest: /usr/share/keyrings/node-archive-keyring.asc
mode: "0644"
validate_certs: true
checksum: sha512:36c77b2bddaea0523ab90962a38ebd3ee90c3d5cf17e525f02898aa8e7b14fd1026f6d659b99d931fe907e9142a98ff08075ebfc56f0f1e2001c6ba4791d3daa
changed_when: false
no_log: false
- name: Add nodesource repo for node
ansible.builtin.apt_repository:
repo: deb [arch=amd64 signed-by=/usr/share/keyrings/node-archive-keyring.asc] https://deb.nodesource.com/node_21.x nodistro main
- name: Install nodejs
ansible.builtin.apt:
name: nodejs
- name: Add authentik user
ansible.builtin.user:
name: authentik
system: true
- name: Create /opt/authentik
ansible.builtin.file:
path: /opt/authentik
state: directory
mode: "0755"
owner: authentik
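Review bot: `Install roles dependencies` and `Install python3.12` loop `ansible.builtin.apt` over `with_items`, which runs one apt transaction per package; passing the list directly (`name: [git, libpq-dev, libxmlsec1-dev]`) lets apt resolve them together and is the form ansible-lint recommends. The nodesource repository is pinned to `node_21.x`; 21 is an odd-numbered, short-support release line, so unless the authentik build requires it an LTS line would receive security fixes for longer — worth checking against upstream's build requirements. The `checksum:` pin on the nodesource key is a good practice that the knot role's repository install does not match; on that same task `no_log: false` is the default and can be dropped, and `changed_when: false` hides a key rotation that a reviewer would probably want to see in the play output.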


@ -0,0 +1,13 @@
---
- name: Install dependencies
ansible.builtin.import_tasks: dependencies.yml
become: true
tags:
- install_dependencies
- name: Build authentik
ansible.builtin.import_tasks: build.yml
become: true
tags:
- build
become_user: authentik
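Review bot: The build runs as `become_user: authentik` into `/opt/authentik/src`, and the dependencies task makes `/opt/authentik` owned by that same account, so if the service unit also runs as `authentik` (not shown in this compare) the runtime user ends up owning its own source tree, virtualenv and `authentik-server` binary and a compromised application could rewrite the code it executes. Building as root or a dedicated build user and leaving the service account with read-only access to the tree (write access only to its data/media directories) is the least-privilege layout. Also note that `tags` on `import_tasks` apply to every imported task, so `--tags build` skips the dependency install entirely; that is fine if intended, but a short comment on the `Build authentik` task saying so would prevent surprises.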


@ -0,0 +1,26 @@
net.listen('{{resolver_ip}}', 53, { kind = 'dns'})
cache.size = 128 * MB
modules = {
'hints > iterate', -- Allow loading /etc/hosts or custom root hints
'predict', -- Prefetch expiring/frequent records
}
modules.load('prefill')
prefill.config({
['.'] = {
url = 'https://www.internic.net/domain/root.zone',
interval = 86400, -- seconds
}
})
modules.load('view')
view:addr('127.0.0.0/8', policy.all(policy.PASS))
view:addr('::1/128', policy.all(policy.PASS))
{% for prefix in kresd_allow %}
view:addr('{{ prefix }}', policy.all(policy.PASS))
{% endfor %}
view:addr('0.0.0.0/0', policy.all(policy.DROP))
view:addr('::/0', policy.all(policy.DROP))
log_target('stdout')
log_level('debug')
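Review bot: `log_level('debug')` on the last line leaves every kresd instance in per-query debug logging in production, which floods the journal and records client addresses and query names; the default `notice` is the right baseline, and debug can be opted into per host with `log_level('{{ kresd_log_level | default("notice") }}')`. The PASS views for loopback and the `kresd_allow` prefixes correctly precede the catch-all `0.0.0.0/0` / `::/0` DROP rules, which matters because kresd evaluates views in the order they were added (worth re-checking against the docs for the installed version). Minor: `{{resolver_ip}}` would read consistently as `{{ resolver_ip }}`, matching the `{{ prefix }}` form used in the loop.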


@ -6,5 +6,5 @@
- name: Install epel
ansible.builtin.dnf:
name: "epel-release"
state: "latest"
name: epel-release
state: latest


@ -1,20 +1,20 @@
---
- name: Install fail2ban
ansible.builtin.apt:
name: "fail2ban"
name: fail2ban
state: latest
when: ansible_facts['os_family'] == "Debian"
- name: Install fail2ban
ansible.builtin.dnf:
name: "fail2ban"
name: fail2ban
state: latest
when: ansible_facts['os_family'] == "RedHat"
- name: Copy sshd.conf
ansible.builtin.template:
src: 'sshd.conf.j2'
dest: '/etc/fail2ban/jail.d/sshd.conf'
src: sshd.conf.j2
dest: /etc/fail2ban/jail.d/sshd.conf
mode: "0640"
notify:
- Restart fail2ban


@ -1,14 +1,14 @@
---
- name: Create /etc/systemd/journald.conf.d
ansible.builtin.file:
path: '/etc/systemd/journald.conf.d'
state: 'directory'
path: /etc/systemd/journald.conf.d
state: directory
mode: "0750"
- name: Copy retention-time.conf
ansible.builtin.copy:
src: 'retention-time.conf'
dest: '/etc/systemd/journald.conf.d'
src: retention-time.conf
dest: /etc/systemd/journald.conf.d
mode: "0640"
notify:
- Restart journald


@ -0,0 +1,19 @@
---
- name: Package cache update
become: true
ansible.builtin.package:
update_cache: true
- name: Restart knot resolver
become: true
ansible.builtin.service:
state: restarted
name: kresd@{{ item }}.service
with_sequence: count={{ ansible_processor_vcpus }}
- name: Enable knot resolver
become: true
ansible.builtin.service:
enabled: true
name: kresd@{{ item }}.service
with_sequence: count={{ ansible_processor_vcpus }}
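Review bot: This handlers file is line-for-line identical to the one shown earlier in this compare, and the `kresd.conf.j2` template is duplicated the same way, which reads like two roles carrying the same content; if so, one role depending on the other via `meta/main.yml` `dependencies`, or a shared `include_tasks`, stops the two copies drifting when the unit name or instance count changes. If they are intentionally separate roles, a one-line comment at the top naming the canonical copy would help whoever edits one and not the other.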


@ -0,0 +1,21 @@
---
- name: Install knot repository
ansible.builtin.apt:
deb: https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb
notify:
- Package cache update
- name: Install knot resolver
ansible.builtin.apt:
name: knot-resolver
notify:
- Enable knot resolver
- Restart knot resolver
- name: Configure
ansible.builtin.template:
src: kresd.conf.j2
dest: /etc/knot-resolver/kresd.conf
mode: "0644"
notify:
- Restart knot resolver
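Review bot: `Install knot repository` only notifies `Package cache update`, and handlers run at the end of the play, so on a fresh host `Install knot resolver` runs against the apt index from before the repository was added and will not find `knot-resolver`; put `update_cache: true` on that `ansible.builtin.apt` task (or insert `meta: flush_handlers` between the two tasks) rather than relying on the handler. The release package is fetched from `https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb` with no checksum, so trust in the repository key it installs rests entirely on TLS to that host; fetching it with `get_url` plus a `checksum:` pin, as the authentik role does for the nodesource key, would make the two roles consistent. `dest: /etc/knot-resolver/kresd.conf` with `mode: "0644"` is fine as long as nothing secret is ever templated into it.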


@ -0,0 +1,26 @@
net.listen('{{resolver_ip}}', 53, { kind = 'dns'})
cache.size = 128 * MB
modules = {
'hints > iterate', -- Allow loading /etc/hosts or custom root hints
'predict', -- Prefetch expiring/frequent records
}
modules.load('prefill')
prefill.config({
['.'] = {
url = 'https://www.internic.net/domain/root.zone',
interval = 86400, -- seconds
}
})
modules.load('view')
view:addr('127.0.0.0/8', policy.all(policy.PASS))
view:addr('::1/128', policy.all(policy.PASS))
{% for prefix in kresd_allow %}
view:addr('{{ prefix }}', policy.all(policy.PASS))
{% endfor %}
view:addr('0.0.0.0/0', policy.all(policy.DROP))
view:addr('::/0', policy.all(policy.DROP))
log_target('stdout')
log_level('debug')
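Review bot: The `view:addr('127.0.0.0/8', ...)` and `view:addr('::1/128', ...)` PASS rules have no listener to serve: `net.listen` binds only `{{resolver_ip}}` on port 53, so a process on the resolver host querying `127.0.0.1` is refused, and one querying `resolver_ip` arrives with that source address and is already covered by the `kresd_allow` prefixes. Either add `net.listen('127.0.0.1', 53, { kind = 'dns' })` so local tools and health checks work, or drop the two rules as dead configuration so the allow-list reads as exactly what is reachable. This template also appears to be duplicated earlier in the compare; if both copies are meant to stay in sync, say so in a comment at the top.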


@ -1,3 +1,4 @@
---
- name: Restart SSH
ansible.builtin.service:
name: sshd
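Review bot: The hunk ends at `name: sshd` with no `state:` visible; the file may well continue past this hunk, but if the handler really ends here, `ansible.builtin.service` with only a name is a no-op and the `PasswordAuthentication no` / `PermitRootLogin no` changes notified from the tasks file would not take effect until the next reboot. Worth confirming that the next line reads `state: restarted` (or `state: reloaded`, which sshd supports and which keeps existing sessions).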


@ -2,8 +2,8 @@
- name: Disable Password Authentication
ansible.builtin.lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^PasswordAuthentication'
line: "PasswordAuthentication no"
regexp: ^PasswordAuthentication
line: PasswordAuthentication no
state: present
backup: true
notify:
@ -12,8 +12,8 @@
- name: Disable Root Login
ansible.builtin.lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^PermitRootLogin'
line: "PermitRootLogin no"
regexp: ^PermitRootLogin
line: PermitRootLogin no
state: present
backup: true
notify:
@ -22,8 +22,8 @@
- name: Restrict host key
ansible.builtin.lineinfile:
dest: /etc/ssh/sshd_config
regexp: '#HostKey /etc/ssh/ssh_host_ed25519_key'
line: "HostKey /etc/ssh/ssh_host_ed25519_key"
regexp: "#HostKey /etc/ssh/ssh_host_ed25519_key"
line: HostKey /etc/ssh/ssh_host_ed25519_key
state: present
backup: true
notify:
@ -31,8 +31,8 @@
- name: Configure sshd
ansible.builtin.copy:
src: "crypto.conf"
dest: "/etc/ssh/sshd_config.d/"
src: crypto.conf
dest: /etc/ssh/sshd_config.d/
owner: root
group: root
mode: "0640"
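Review bot: The `lineinfile` edits to `/etc/ssh/sshd_config` can be overridden without any error: sshd uses the first value it reads for each keyword, and on Debian/Ubuntu images whose `sshd_config` begins with `Include /etc/ssh/sshd_config.d/*.conf`, a cloud-init drop-in such as `50-cloud-init.conf` setting `PasswordAuthentication yes` wins over the `PasswordAuthentication no` line placed further down (as far as I can tell the plain `cloud-init clean` in the base play does not remove that file). Since the role already ships `crypto.conf` into `sshd_config.d/`, the two hardening keywords belong in a drop-in that sorts before the cloud-init one, and `validate: sshd -t -f %s` on the copy guards against locking yourself out with a config sshd refuses to load. Separately, `Restrict host key` only matches the commented `#HostKey` line, so once it has been uncommented the regexp no longer matches and `state: present` appends a second `HostKey` line at the end of the file on the next run; anchor it with `regexp: ^#?HostKey /etc/ssh/ssh_host_ed25519_key`.
```yaml
- name: Harden sshd via drop-in
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config.d/00-hardening.conf
    content: |
      PasswordAuthentication no
      PermitRootLogin no
    owner: root
    group: root
    mode: "0640"
    validate: sshd -t -f %s
  notify:
    - Restart SSH
# … unchanged: Restrict host key, Configure sshd (crypto.conf) …
```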


@ -4,5 +4,5 @@
name: Europe/Brussels
- name: Enable ntp
ansible.builtin.command: 'timedatectl set-ntp true'
ansible.builtin.command: timedatectl set-ntp true
changed_when: false