3 commits
f4109954e1
...
cb50373b94
Author | SHA1 | Date | |
---|---|---|---|
cb50373b94 | |||
97ab23e625 | |||
2410885737 |
21 changed files with 273 additions and 23 deletions
|
@ -1,2 +1,3 @@
|
|||
---
|
||||
skip_list:
|
||||
- '403' # Package installs should not use latest.
|
||||
- "403" # Package installs should not use latest.
|
||||
|
|
19
ansible/deploy.yml
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
- name: Configure base
|
||||
hosts: all
|
||||
become: true
|
||||
roles:
|
||||
- role: dnf
|
||||
when: ansible_facts['os_family'] == "RedHat"
|
||||
- auditd
|
||||
- fail2ban
|
||||
- journald
|
||||
- sshd
|
||||
- role: timesyncd
|
||||
when: ansible_facts['os_family'] == "Ubuntu"
|
||||
|
||||
- name: Resolver
|
||||
hosts: resolver
|
||||
become: true
|
||||
roles:
|
||||
- knot_resolver
|
2
ansible/group_vars/all/all.yml
|
@ -0,0 +1,2 @@
|
|||
---
|
||||
resolver_ip: 10.20.0.42
|
4
ansible/group_vars/resolver/all.yml
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
kresd_allow:
|
||||
- 10.0.0.0/8
|
||||
- 172.16.0.0/12
|
8
ansible/hosts.yml
|
@ -0,0 +1,8 @@
|
|||
all:
|
||||
hosts:
|
||||
resolver-1:
|
||||
ansible_host: 10.20.0.42
|
||||
children:
|
||||
resolver:
|
||||
hosts:
|
||||
resolver-1:
|
|
@ -13,5 +13,5 @@
|
|||
when: ansible_facts['os_family'] == "Ubuntu"
|
||||
post_tasks:
|
||||
- name: Clean cloud-init
|
||||
ansible.builtin.command: "cloud-init clean"
|
||||
ansible.builtin.command: cloud-init clean
|
||||
changed_when: false
|
||||
|
|
|
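Review bot: `changed_when: false` on the `cloud-init clean` command reports the task as unchanged even though the command removes cloud-init state on every run, so the play's change summary no longer reflects what happened on the host. A truthful alternative is to drop `changed_when` and guard the task so it only fires while there is state to clean, for example `args: { removes: /var/lib/cloud/instance }`, or to keep it unconditional and accept `changed` on every run. The enclosing play starts outside the hunk and the file header for this hunk is not shown. The same `changed_when: false` pattern appears on `timedatectl set-ntp true` in the last hunk on this page; there the current value from `timedatectl show -p NTP --value` could drive a `changed_when` comparison instead.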
@ -19,6 +19,6 @@
|
|||
|
||||
- name: Add rules
|
||||
ansible.builtin.copy:
|
||||
src: 'custom.rules'
|
||||
dest: '/etc/audit/rules.d/custom.rules'
|
||||
src: custom.rules
|
||||
dest: /etc/audit/rules.d/custom.rules
|
||||
mode: "0640"
|
||||
|
|
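Review bot: Dropping a file into /etc/audit/rules.d does not change the loaded ruleset by itself; the rules take effect only after `augenrules --load` (or an auditd restart), and no `notify:` is visible in this hunk, so unless a handler follows outside it the new rules stay inactive until the next boot. Consider adding `notify: Reload audit rules` with a handler that runs `augenrules --load`. The copy sets `mode: "0640"` but no `owner: root` / `group: root`, while the sshd `crypto.conf` copy further down this page sets both; being explicit here as well documents the intent for a file that controls what gets audited. The file header for this hunk is not shown.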
19
ansible/roles/authentik/handlers/main.yml
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
- name: Package cache update
|
||||
become: true
|
||||
ansible.builtin.package:
|
||||
update_cache: true
|
||||
|
||||
- name: Restart knot resolver
|
||||
become: true
|
||||
ansible.builtin.service:
|
||||
state: restarted
|
||||
name: kresd@{{ item }}.service
|
||||
with_sequence: count={{ ansible_processor_vcpus }}
|
||||
|
||||
- name: Enable knot resolver
|
||||
become: true
|
||||
ansible.builtin.service:
|
||||
enabled: true
|
||||
name: kresd@{{ item }}.service
|
||||
with_sequence: count={{ ansible_processor_vcpus }}
|
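Review bot: The handlers in `ansible/roles/authentik/handlers/main.yml` restart and enable `kresd@{{ item }}.service`, i.e. they are a byte-for-byte copy of `ansible/roles/knot_resolver/handlers/main.yml` further down this page and have nothing to do with authentik; a future task in this role that notifies `Restart knot resolver` would restart the DNS resolver instead of the authentik service. The same copy-paste applies to `ansible/roles/authentik/templates/kresd.conf.j2`, which duplicates the knot_resolver template. Unless the authentik role is meant to ship a resolver, both files should be removed or replaced with authentik-specific handlers; nothing visible on this page depends on them, since neither `build.yml` nor `dependencies.yml` notifies a handler.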
32
ansible/roles/authentik/tasks/build.yml
|
@ -0,0 +1,32 @@
|
|||
---
|
||||
- name: Get authentik source
|
||||
ansible.builtin.git:
|
||||
repo: https://github.com/goauthentik/authentik.git
|
||||
dest: /opt/authentik/src
|
||||
version: version/2024.2.2
|
||||
force: true
|
||||
|
||||
- name: Build front
|
||||
ansible.builtin.shell: |
|
||||
cd /opt/authentik/src/website
|
||||
npm i
|
||||
npm run build-docs-only
|
||||
cd /opt/authentik/src/web
|
||||
npm i
|
||||
npm run build
|
||||
|
||||
- name: Create virtualenv
|
||||
ansible.builtin.command: python3.12 -m venv /opt/authentik/src/venv
|
||||
|
||||
- name: Installl poetry and dependencies
|
||||
ansible.builtin.shell: |
|
||||
cd /opt/authentik/src/
|
||||
venv/bin/pip install poetry
|
||||
venv/bin/poetry install --only=main --no-ansi --no-interaction --no-root
|
||||
|
||||
|
||||
- name: Build go proxy
|
||||
ansible.builtin.shell: |-
|
||||
cd /opt/authentik/src/
|
||||
sed -i "s/c.Setup(\".\/authentik\/lib\/default.yml\", \".\/local.env.yml\")/c.Setup(\"\/etc\/authentik\/config.yml\", \".\/authentik\/lib\/default.yml\", \".\/local.env.yml\")/" /opt/authentik/src/internal/config/config.go
|
||||
go build -o /opt/authentik/src/authentik-server ./cmd/server/
|
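Review bot: `npm i` in the `Build front` task installs whatever the current dependency ranges resolve to and may rewrite the lockfile, whereas `npm ci` installs exactly what `package-lock.json` pins and fails if the lockfile is out of sync; for a build of a third-party identity provider that reproducibility is the property you want, so `npm ci` should replace both `npm i` lines. The same applies to `venv/bin/pip install poetry`, which pulls an unpinned poetry; pin it (`venv/bin/pip install 'poetry==<version>'`) so the dependency resolution that follows is repeatable. None of the shell tasks declares `changed_when` or `creates`, so every run re-syncs the checkout, rebuilds and re-patches `config.go`, and the `sed -i` edit silently does nothing if upstream changes the matched line between versions; a `grep` assertion afterwards (or `failed_when` on the task output) would catch that. The task name `Installl poetry and dependencies` has a typo.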
59
ansible/roles/authentik/tasks/dependencies.yml
|
@ -0,0 +1,59 @@
|
|||
---
|
||||
- name: Install roles dependencies
|
||||
ansible.builtin.apt:
|
||||
name: "{{ item }}"
|
||||
with_items:
|
||||
- git
|
||||
- libpq-dev
|
||||
- libxmlsec1-dev
|
||||
|
||||
- name: Add deadsnake ppa for python3.12
|
||||
ansible.builtin.apt_repository:
|
||||
repo: ppa:deadsnakes/ppa
|
||||
|
||||
- name: Install python3.12
|
||||
ansible.builtin.apt:
|
||||
name: "{{ item }}"
|
||||
with_items:
|
||||
- python3.12
|
||||
- python3.12-distutils
|
||||
- python3.12-venv
|
||||
- python3.12-dev
|
||||
|
||||
- name: Add longsleep ppa for go 1.22
|
||||
ansible.builtin.apt_repository:
|
||||
repo: ppa:longsleep/golang-backports
|
||||
|
||||
- name: Install go 1.22
|
||||
ansible.builtin.apt:
|
||||
name: golang-go
|
||||
|
||||
- name: Download node GPG key
|
||||
ansible.builtin.get_url:
|
||||
url: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key
|
||||
dest: /usr/share/keyrings/node-archive-keyring.asc
|
||||
mode: "0644"
|
||||
validate_certs: true
|
||||
checksum: sha512:36c77b2bddaea0523ab90962a38ebd3ee90c3d5cf17e525f02898aa8e7b14fd1026f6d659b99d931fe907e9142a98ff08075ebfc56f0f1e2001c6ba4791d3daa
|
||||
changed_when: false
|
||||
no_log: false
|
||||
|
||||
- name: Add nodesource repo for node
|
||||
ansible.builtin.apt_repository:
|
||||
repo: deb [arch=amd64 signed-by=/usr/share/keyrings/node-archive-keyring.asc] https://deb.nodesource.com/node_21.x nodistro main
|
||||
|
||||
- name: Install nodejs
|
||||
ansible.builtin.apt:
|
||||
name: nodejs
|
||||
|
||||
- name: Add authentik user
|
||||
ansible.builtin.user:
|
||||
name: authentik
|
||||
system: true
|
||||
|
||||
- name: Create /opt/authentik
|
||||
ansible.builtin.file:
|
||||
path: /opt/authentik
|
||||
state: directory
|
||||
mode: "0755"
|
||||
owner: authentik
|
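Review bot: The apt tasks `Install roles dependencies` and `Install python3.12` loop with `with_items` and `name: "{{ item }}"`, which runs one apt transaction per package; `ansible.builtin.apt` accepts a list directly, so a block-style list under `name:` installs them in a single transaction and is what ansible-lint recommends. `changed_when: false` on `Download node GPG key` hides the fact that the keyring file was written, and `no_log: false` is the default and can be dropped. The pinned `checksum: sha512:…` on that download is the right pattern for a trust-bootstrap artifact; the knot_resolver role's `deb:` install of `knot-resolver-release.deb` further down this page lacks the equivalent check. `Install go 1.22` installs `golang-go` from the PPA without a version constraint, so the version in the task name is not enforced; `name: golang-go=<version>` or a follow-up check of `go version` would make it so.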
13
ansible/roles/authentik/tasks/main.yml
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
- name: Install dependencies
|
||||
ansible.builtin.import_tasks: dependencies.yml
|
||||
become: true
|
||||
tags:
|
||||
- install_dependencies
|
||||
|
||||
- name: Build authentik
|
||||
ansible.builtin.import_tasks: build.yml
|
||||
become: true
|
||||
tags:
|
||||
- build
|
||||
become_user: authentik
|
26
ansible/roles/authentik/templates/kresd.conf.j2
|
@ -0,0 +1,26 @@
|
|||
net.listen('{{resolver_ip}}', 53, { kind = 'dns'})
|
||||
cache.size = 128 * MB
|
||||
modules = {
|
||||
'hints > iterate', -- Allow loading /etc/hosts or custom root hints
|
||||
'predict', -- Prefetch expiring/frequent records
|
||||
}
|
||||
|
||||
modules.load('prefill')
|
||||
prefill.config({
|
||||
['.'] = {
|
||||
url = 'https://www.internic.net/domain/root.zone',
|
||||
interval = 86400, -- seconds
|
||||
}
|
||||
})
|
||||
|
||||
modules.load('view')
|
||||
view:addr('127.0.0.0/8', policy.all(policy.PASS))
|
||||
view:addr('::1/128', policy.all(policy.PASS))
|
||||
{% for prefix in kresd_allow %}
|
||||
view:addr('{{ prefix }}', policy.all(policy.PASS))
|
||||
{% endfor %}
|
||||
view:addr('0.0.0.0/0', policy.all(policy.DROP))
|
||||
view:addr('::/0', policy.all(policy.DROP))
|
||||
|
||||
log_target('stdout')
|
||||
log_level('debug')
|
|
@ -6,5 +6,5 @@
|
|||
|
||||
- name: Install epel
|
||||
ansible.builtin.dnf:
|
||||
name: "epel-release"
|
||||
state: "latest"
|
||||
name: epel-release
|
||||
state: latest
|
||||
|
|
|
@ -1,20 +1,20 @@
|
|||
---
|
||||
- name: Install fail2ban
|
||||
ansible.builtin.apt:
|
||||
name: "fail2ban"
|
||||
name: fail2ban
|
||||
state: latest
|
||||
when: ansible_facts['os_family'] == "Debian"
|
||||
|
||||
- name: Install fail2ban
|
||||
ansible.builtin.dnf:
|
||||
name: "fail2ban"
|
||||
name: fail2ban
|
||||
state: latest
|
||||
when: ansible_facts['os_family'] == "RedHat"
|
||||
|
||||
- name: Copy sshd.conf
|
||||
ansible.builtin.template:
|
||||
src: 'sshd.conf.j2'
|
||||
dest: '/etc/fail2ban/jail.d/sshd.conf'
|
||||
src: sshd.conf.j2
|
||||
dest: /etc/fail2ban/jail.d/sshd.conf
|
||||
mode: "0640"
|
||||
notify:
|
||||
- Restart fail2ban
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
---
|
||||
- name: Create /etc/systemd/journald.conf.d
|
||||
ansible.builtin.file:
|
||||
path: '/etc/systemd/journald.conf.d'
|
||||
state: 'directory'
|
||||
path: /etc/systemd/journald.conf.d
|
||||
state: directory
|
||||
mode: "0750"
|
||||
|
||||
- name: Copy retention-time.conf
|
||||
ansible.builtin.copy:
|
||||
src: 'retention-time.conf'
|
||||
dest: '/etc/systemd/journald.conf.d'
|
||||
src: retention-time.conf
|
||||
dest: /etc/systemd/journald.conf.d
|
||||
mode: "0640"
|
||||
notify:
|
||||
- Restart journald
|
||||
|
|
19
ansible/roles/knot_resolver/handlers/main.yml
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
- name: Package cache update
|
||||
become: true
|
||||
ansible.builtin.package:
|
||||
update_cache: true
|
||||
|
||||
- name: Restart knot resolver
|
||||
become: true
|
||||
ansible.builtin.service:
|
||||
state: restarted
|
||||
name: kresd@{{ item }}.service
|
||||
with_sequence: count={{ ansible_processor_vcpus }}
|
||||
|
||||
- name: Enable knot resolver
|
||||
become: true
|
||||
ansible.builtin.service:
|
||||
enabled: true
|
||||
name: kresd@{{ item }}.service
|
||||
with_sequence: count={{ ansible_processor_vcpus }}
|
21
ansible/roles/knot_resolver/tasks/main.yml
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
- name: Install knot repository
|
||||
ansible.builtin.apt:
|
||||
deb: https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb
|
||||
notify:
|
||||
- Package cache update
|
||||
|
||||
- name: Install knot resolver
|
||||
ansible.builtin.apt:
|
||||
name: knot-resolver
|
||||
notify:
|
||||
- Enable knot resolver
|
||||
- Restart knot resolver
|
||||
|
||||
- name: Configure
|
||||
ansible.builtin.template:
|
||||
src: kresd.conf.j2
|
||||
dest: /etc/knot-resolver/kresd.conf
|
||||
mode: "0644"
|
||||
notify:
|
||||
- Restart knot resolver
|
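Review bot: `Install knot resolver` runs `apt name: knot-resolver` immediately after `Install knot repository`, but the cache refresh it depends on is only a handler (`Package cache update`), and handlers run at the end of the play, so on a fresh host the package is looked up in a cache that does not yet contain the new repository and the task fails or, if the distro ships a package of that name, installs the wrong one. Either add `update_cache: true` to the install task or insert `- ansible.builtin.meta: flush_handlers` between the two tasks. Separately, `deb: https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb` installs a remote package with dpkg, which performs no signature verification; since that package bootstraps the repository signing key, fetch it with `ansible.builtin.get_url` and a pinned `checksum:` first, as `dependencies.yml` on this page does for the NodeSource key, and install the local file.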
26
ansible/roles/knot_resolver/templates/kresd.conf.j2
|
@ -0,0 +1,26 @@
|
|||
net.listen('{{resolver_ip}}', 53, { kind = 'dns'})
|
||||
cache.size = 128 * MB
|
||||
modules = {
|
||||
'hints > iterate', -- Allow loading /etc/hosts or custom root hints
|
||||
'predict', -- Prefetch expiring/frequent records
|
||||
}
|
||||
|
||||
modules.load('prefill')
|
||||
prefill.config({
|
||||
['.'] = {
|
||||
url = 'https://www.internic.net/domain/root.zone',
|
||||
interval = 86400, -- seconds
|
||||
}
|
||||
})
|
||||
|
||||
modules.load('view')
|
||||
view:addr('127.0.0.0/8', policy.all(policy.PASS))
|
||||
view:addr('::1/128', policy.all(policy.PASS))
|
||||
{% for prefix in kresd_allow %}
|
||||
view:addr('{{ prefix }}', policy.all(policy.PASS))
|
||||
{% endfor %}
|
||||
view:addr('0.0.0.0/0', policy.all(policy.DROP))
|
||||
view:addr('::/0', policy.all(policy.DROP))
|
||||
|
||||
log_target('stdout')
|
||||
log_level('debug')
|
|
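Review bot: `log_level('debug')` in the shipped resolver configuration makes kresd emit verbose per-query detail to stdout and hence the journal, which is a log-volume problem and exposes client query names for a resolver that serves whole private ranges; `log_level('info')` or `log_level('notice')` is the usual steady-state setting, with debug raised interactively when troubleshooting. The view rules end with `policy.DROP` for `0.0.0.0/0` and `::/0`, which is a sound default-deny, but a comment above the `{% for prefix in kresd_allow %}` loop such as `-- kresd_allow (group_vars) is the only place client access is granted` would help whoever edits the inventory. `{{resolver_ip}}` is written without the spaces the other Jinja expressions in this file use.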
@ -1,3 +1,4 @@
|
|||
---
|
||||
- name: Restart SSH
|
||||
ansible.builtin.service:
|
||||
name: sshd
|
||||
|
|
|
@ -2,8 +2,8 @@
|
|||
- name: Disable Password Authentication
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^PasswordAuthentication'
|
||||
line: "PasswordAuthentication no"
|
||||
regexp: ^PasswordAuthentication
|
||||
line: PasswordAuthentication no
|
||||
state: present
|
||||
backup: true
|
||||
notify:
|
||||
|
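Review bot: The `lineinfile` edits to `/etc/ssh/sshd_config` in this hunk and the two that follow (`Disable Root Login`, `Restrict host key`) rewrite the daemon's config without a syntax check, so a typo in `line:` is only discovered when the `Restart SSH` handler fires and the next login fails; add `validate: /usr/sbin/sshd -t -f %s` to each of the three tasks so a broken file is rejected before it is written. In `Restrict host key` the regexp `#HostKey /etc/ssh/ssh_host_ed25519_key` matches only the commented form and stops matching once the line has been uncommented; `regexp: '^#?HostKey /etc/ssh/ssh_host_ed25519_key'` keeps the task idempotent across both states. `backup: true` leaves a timestamped copy of sshd_config in /etc/ssh on every change, which is worth a comment so the accumulating copies are not mistaken for live config. The `notify:` items and the file header lie outside the hunk.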
@ -12,8 +12,8 @@
|
|||
- name: Disable Root Login
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^PermitRootLogin'
|
||||
line: "PermitRootLogin no"
|
||||
regexp: ^PermitRootLogin
|
||||
line: PermitRootLogin no
|
||||
state: present
|
||||
backup: true
|
||||
notify:
|
||||
|
@ -22,8 +22,8 @@
|
|||
- name: Restrict host key
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '#HostKey /etc/ssh/ssh_host_ed25519_key'
|
||||
line: "HostKey /etc/ssh/ssh_host_ed25519_key"
|
||||
regexp: "#HostKey /etc/ssh/ssh_host_ed25519_key"
|
||||
line: HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
state: present
|
||||
backup: true
|
||||
notify:
|
||||
|
@ -31,8 +31,8 @@
|
|||
|
||||
- name: Configure sshd
|
||||
ansible.builtin.copy:
|
||||
src: "crypto.conf"
|
||||
dest: "/etc/ssh/sshd_config.d/"
|
||||
src: crypto.conf
|
||||
dest: /etc/ssh/sshd_config.d/
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
|
|
|
@ -4,5 +4,5 @@
|
|||
name: Europe/Brussels
|
||||
|
||||
- name: Enable ntp
|
||||
ansible.builtin.command: 'timedatectl set-ntp true'
|
||||
ansible.builtin.command: timedatectl set-ntp true
|
||||
changed_when: false
|
||||
|
|