iklim.co/Environment_Infrastructure
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Environment_Infrastructure/ansible/roles/hardening/tasks/main.yml
Murat ÖZDEMİR 27f4f83f73 docs(prod): resolve cross-layer inconsistencies and complete prod env implementation 
Ansible roles:
- act_runner/defaults: set act_runner_name to inventory_hostname (was
  hardcoded to iklim-test-app); added vault_gitea_runner_token to vault.yml
- prod/group_vars/all: restructured from flat files to all/ directory;
  added act_runner_labels override (prod-runner,ubuntu-24.04,hostname);
  added storagebox_managed_directories; added swarm_manager_ip and other
  prod-specific vars
- prod/roles/db_stack: prod-specific db_node tasks using StorageBox paths
  (/mnt/storagebox/db/...) instead of local paths
- docker/tasks: split firewalld loop into all-nodes (Swarm ports) and
  app-only (80/443) tasks
- swarm/tasks: added --advertise-addr private_ip to join commands for
  correct multi-homed node advertisement
- hardening/tasks: corrected firewalld drop zone configuration
- node_dirs/tasks: added /opt/iklimco/vault/data for Vault Raft volume
- db_stack/tasks/app_node: updated stale comment (removed pg-proxy reference)
- db_stack/templates: removed pg-proxy and mongo-proxy service blocks
- test/host_vars/iklim-app-01: added act_runner_name override to preserve
  existing test runner registration

Roadmap and setup docs:
- roadmap/03-infra-stack-changes: added replicas:0 for etcd/postgresql/
  mongodb/pg-proxy/mongo-proxy in prod overlay; updated placement table;
  fixed grafana/data mkdir (auto-created by Ansible); translated Turkish
  note to English
- roadmap/08-deploy-pipeline-update: updated stale "remains idle" note
  for standalone etcd (now disabled with replicas:0)
- roadmap/01-swarm-init-multinode: consistency fixes
- setup/06: added Outputs section and etcd firewall port documentation
- setup/07: removed prometheus/data from StorageBox acceptance criteria;
  replaced manual StorageBox mkdir section with Ansible auto-creation note;
  updated prod README section with full bootstrap instructions and vault docs;
  added act_runner_labels prod policy
- setup/08: extensive rewrite — aligned with Patroni etcd overlay DNS,
  corrected hcloud_firewall.app reference, updated all StorageBox paths
  from /prod/db/ to /db/
- setup/09: removed prometheus/data from acceptance criteria; updated
  runner label policy (removed docker/swarm-manager labels); added
  acceptance criterion for disabled services absent from docker service ls

Terraform:
- prod/firewall.tf: added missing DB subnet mutual rules (etcd, Patroni)
- prod/outputs.tf: added prod_floating_ip and prod_private_ips outputs
- prod/servers.tf: aligned placement group and naming
- prod/variables.tf: corrected variable descriptions
- prod/terraform.tfvars.example: updated defaults
- terraform/hetzner/README.md: new comprehensive README covering both
  test and prod environments with firewall tables and inventory instructions

ansible/README.md: expanded prod section with inventory groups, bootstrap
  run order, runner label policy, and vault variable documentation
2026-05-18 19:17:56 +03:00

93 lines
2.4 KiB
YAML
Raw Blame History

---
- name: Disable SELinux
ansible.posix.selinux:
state: disabled
register: selinux_status
- name: Reboot if SELinux changed
ansible.builtin.reboot:
when: selinux_status.changed
- name: Configure SSH Hardening
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
loop:
- { regexp: "^PasswordAuthentication", line: "PasswordAuthentication no" }
- { regexp: "^PermitRootLogin", line: "PermitRootLogin no" }
- { regexp: "^PermitEmptyPasswords", line: "PermitEmptyPasswords no" }
- { regexp: "^MaxAuthTries", line: "MaxAuthTries 3" }
notify: Restart sshd
- name: Install dnf-automatic
ansible.builtin.dnf:
name: dnf-automatic
state: present
- name: Enable dnf-automatic timer
ansible.builtin.systemd:
name: dnf-automatic.timer
state: started
enabled: yes
- name: Configure fail2ban jail
ansible.builtin.template:
src: jail.local.j2
dest: /etc/fail2ban/jail.local
notify: Restart fail2ban
- name: Ensure fail2ban is running and enabled
ansible.builtin.service:
name: fail2ban
state: started
enabled: yes
- name: Ensure firewalld is running
ansible.builtin.service:
name: firewalld
state: started
enabled: yes
- name: Allow SSH in firewalld from admin CIDRs
ansible.posix.firewalld:
rich_rule: 'rule family="ipv4" source address="{{ item }}" service name="ssh" accept'
zone: drop
state: enabled
permanent: yes
immediate: yes
loop: "{{ admin_allowed_cidrs.split(' ') }}"
- name: Configure firewalld default zone
ansible.builtin.shell: firewall-cmd --set-default-zone=drop
changed_when: false
- name: Create iklim user
ansible.builtin.user:
name: iklim
password: "{{ iklim_password | password_hash('sha512') }}"
groups: wheel
append: yes
shell: /bin/bash
create_home: yes
state: present
- name: Add SSH key to iklim user
ansible.posix.authorized_key:
user: iklim
state: present
key: "{{ lookup('file', admin_ssh_public_key_path) }}"
- name: Configure journald log limits
ansible.builtin.lineinfile:
path: /etc/systemd/journald.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
create: yes
loop:
- { regexp: "^#?MaxRetentionSec=", line: "MaxRetentionSec=7day" }
- { regexp: "^#?SystemMaxUse=", line: "SystemMaxUse=500M" }
notify: Restart journald
Reference in New Issue View Git Blame Copy Permalink