Murat ÖZDEMİR
9e20f2fcf8
Document and commit the production bootstrap state after the initial Hetzner and Ansible rollout. - switch Ansible prod runbooks to use the shared vault password file - record production admin CIDRs, SSH key path, encrypted group vault, and encrypted per-host vault files - add generated production inventory and the prod setup history notes from the first bootstrap - keep root password login disabled while preserving key-based root access for Ansible bootstrap continuity - document separate Hetzner projects and tokens for test/prod and commit the prod provider lock file - remove the private Redis firewall allowance from the prod Terraform firewall and matching setup docs
93 lines
2.4 KiB
YAML
93 lines
2.4 KiB
YAML
---
|
|
- name: Disable SELinux
|
|
ansible.posix.selinux:
|
|
state: disabled
|
|
register: selinux_status
|
|
|
|
- name: Reboot if SELinux changed
|
|
ansible.builtin.reboot:
|
|
when: selinux_status.changed
|
|
|
|
- name: Configure SSH Hardening
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: "{{ item.regexp }}"
|
|
line: "{{ item.line }}"
|
|
state: present
|
|
loop:
|
|
- { regexp: "^PasswordAuthentication", line: "PasswordAuthentication no" }
|
|
- { regexp: "^PermitRootLogin", line: "PermitRootLogin prohibit-password" }
|
|
- { regexp: "^PermitEmptyPasswords", line: "PermitEmptyPasswords no" }
|
|
- { regexp: "^MaxAuthTries", line: "MaxAuthTries 3" }
|
|
notify: Restart sshd
|
|
|
|
- name: Install dnf-automatic
|
|
ansible.builtin.dnf:
|
|
name: dnf-automatic
|
|
state: present
|
|
|
|
- name: Enable dnf-automatic timer
|
|
ansible.builtin.systemd:
|
|
name: dnf-automatic.timer
|
|
state: started
|
|
enabled: yes
|
|
|
|
- name: Configure fail2ban jail
|
|
ansible.builtin.template:
|
|
src: jail.local.j2
|
|
dest: /etc/fail2ban/jail.local
|
|
notify: Restart fail2ban
|
|
|
|
- name: Ensure fail2ban is running and enabled
|
|
ansible.builtin.service:
|
|
name: fail2ban
|
|
state: started
|
|
enabled: yes
|
|
|
|
- name: Ensure firewalld is running
|
|
ansible.builtin.service:
|
|
name: firewalld
|
|
state: started
|
|
enabled: yes
|
|
|
|
- name: Allow SSH in firewalld from admin CIDRs
|
|
ansible.posix.firewalld:
|
|
rich_rule: 'rule family="ipv4" source address="{{ item }}" service name="ssh" accept'
|
|
zone: drop
|
|
state: enabled
|
|
permanent: yes
|
|
immediate: yes
|
|
loop: "{{ admin_allowed_cidrs.split(' ') }}"
|
|
|
|
- name: Configure firewalld default zone
|
|
ansible.builtin.shell: firewall-cmd --set-default-zone=drop
|
|
changed_when: false
|
|
|
|
- name: Create iklim user
|
|
ansible.builtin.user:
|
|
name: iklim
|
|
password: "{{ iklim_password | password_hash('sha512') }}"
|
|
groups: wheel
|
|
append: yes
|
|
shell: /bin/bash
|
|
create_home: yes
|
|
state: present
|
|
|
|
- name: Add SSH key to iklim user
|
|
ansible.posix.authorized_key:
|
|
user: iklim
|
|
state: present
|
|
key: "{{ lookup('file', admin_ssh_public_key_path) }}"
|
|
|
|
- name: Configure journald log limits
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/systemd/journald.conf
|
|
regexp: "{{ item.regexp }}"
|
|
line: "{{ item.line }}"
|
|
state: present
|
|
create: yes
|
|
loop:
|
|
- { regexp: "^#?MaxRetentionSec=", line: "MaxRetentionSec=7day" }
|
|
- { regexp: "^#?SystemMaxUse=", line: "SystemMaxUse=500M" }
|
|
notify: Restart journald
|