Murat ÖZDEMİR
2198f932cd
* Introduces an Ansible role for installing and registering `act_runner` for Gitea Actions. * Automates PostgreSQL and MongoDB deployment on Docker Swarm in the test environment, leveraging Docker named volumes for data persistence. * Translates core documentation, including `README.md` and `setup/04-test-db-docker-kurulum.md`, to Turkish. * Adds comprehensive documentation for firewall architecture (`facts/firewall.md`) and Docker Swarm node recovery (`facts/swarm-node-recovery.md`). * Enhances security hardening by ensuring `fail2ban` is enabled and streamlining admin SSH key management via Ansible. * Updates Ansible vault structure to support new secret variables and adds `.vault_pass` to `.gitignore`.
93 lines
2.4 KiB
YAML
93 lines
2.4 KiB
YAML
---
|
|
- name: Disable SELinux
|
|
ansible.posix.selinux:
|
|
state: disabled
|
|
register: selinux_status
|
|
|
|
- name: Reboot if SELinux changed
|
|
ansible.builtin.reboot:
|
|
when: selinux_status.changed
|
|
|
|
- name: Configure SSH Hardening
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: "{{ item.regexp }}"
|
|
line: "{{ item.line }}"
|
|
state: present
|
|
loop:
|
|
- { regexp: "^PasswordAuthentication", line: "PasswordAuthentication no" }
|
|
- { regexp: "^PermitRootLogin", line: "PermitRootLogin prohibit-password" }
|
|
- { regexp: "^PermitEmptyPasswords", line: "PermitEmptyPasswords no" }
|
|
- { regexp: "^MaxAuthTries", line: "MaxAuthTries 3" }
|
|
notify: Restart sshd
|
|
|
|
- name: Install dnf-automatic
|
|
ansible.builtin.dnf:
|
|
name: dnf-automatic
|
|
state: present
|
|
|
|
- name: Enable dnf-automatic timer
|
|
ansible.builtin.systemd:
|
|
name: dnf-automatic.timer
|
|
state: started
|
|
enabled: yes
|
|
|
|
- name: Configure fail2ban jail
|
|
ansible.builtin.template:
|
|
src: jail.local.j2
|
|
dest: /etc/fail2ban/jail.local
|
|
notify: Restart fail2ban
|
|
|
|
- name: Ensure fail2ban is running and enabled
|
|
ansible.builtin.service:
|
|
name: fail2ban
|
|
state: started
|
|
enabled: yes
|
|
|
|
- name: Ensure firewalld is running
|
|
ansible.builtin.service:
|
|
name: firewalld
|
|
state: started
|
|
enabled: yes
|
|
|
|
- name: Allow SSH in firewalld from admin CIDRs
|
|
ansible.posix.firewalld:
|
|
rich_rule: 'rule family="ipv4" source address="{{ item }}" service name="ssh" accept'
|
|
zone: drop
|
|
state: enabled
|
|
permanent: yes
|
|
immediate: yes
|
|
loop: "{{ admin_allowed_cidrs.split(' ') }}"
|
|
|
|
- name: Configure firewalld default zone
|
|
ansible.builtin.shell: firewall-cmd --set-default-zone=drop
|
|
changed_when: false
|
|
|
|
- name: Create iklim user
|
|
ansible.builtin.user:
|
|
name: iklim
|
|
password: "{{ iklim_password | password_hash('sha512') }}"
|
|
groups: wheel
|
|
append: yes
|
|
shell: /bin/bash
|
|
create_home: yes
|
|
state: present
|
|
|
|
- name: Add SSH key to iklim user
|
|
ansible.posix.authorized_key:
|
|
user: iklim
|
|
state: present
|
|
key: "{{ lookup('file', admin_ssh_public_key_path) }}"
|
|
|
|
- name: Configure journald log limits
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/systemd/journald.conf
|
|
regexp: "{{ item.regexp }}"
|
|
line: "{{ item.line }}"
|
|
state: present
|
|
create: yes
|
|
loop:
|
|
- { regexp: "^#?MaxRetentionSec=", line: "MaxRetentionSec=7day" }
|
|
- { regexp: "^#?SystemMaxUse=", line: "SystemMaxUse=500M" }
|
|
notify: Restart journald
|