Murat ÖZDEMİR
f73504c0f2
This commit introduces the foundational Ansible playbooks, roles, and configurations for automated provisioning of both production and test environments. Key capabilities include: - **Base System Setup:** Common packages, timezone, chrony, and hostname. - **Security Hardening:** SELinux disable, SSH configuration, `dnf-automatic`, `fail2ban`, `firewalld` setup, and `journald` log limits. - **Docker & Swarm:** Docker installation and configuration, Docker Swarm initialization/joining for managers and workers, overlay network creation, and node labeling. - **Storage:** Hetzner StorageBox integration using `davfs2`. - **Directory Structure:** Creation of application and database-specific directories. This establishes a comprehensive, automated pipeline for infrastructure deployment and initial configuration.
71 lines
1.9 KiB
YAML
71 lines
1.9 KiB
YAML
---
|
|
- name: Disable SELinux
|
|
ansible.posix.selinux:
|
|
state: disabled
|
|
register: selinux_status
|
|
|
|
- name: Reboot if SELinux changed
|
|
ansible.builtin.reboot:
|
|
when: selinux_status.changed
|
|
|
|
- name: Configure SSH Hardening
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: "{{ item.regexp }}"
|
|
line: "{{ item.line }}"
|
|
state: present
|
|
loop:
|
|
- { regexp: "^PasswordAuthentication", line: "PasswordAuthentication no" }
|
|
- { regexp: "^PermitRootLogin", line: "PermitRootLogin prohibit-password" }
|
|
- { regexp: "^PermitEmptyPasswords", line: "PermitEmptyPasswords no" }
|
|
- { regexp: "^MaxAuthTries", line: "MaxAuthTries 3" }
|
|
notify: Restart sshd
|
|
|
|
- name: Install dnf-automatic
|
|
ansible.builtin.dnf:
|
|
name: dnf-automatic
|
|
state: present
|
|
|
|
- name: Enable dnf-automatic timer
|
|
ansible.builtin.systemd:
|
|
name: dnf-automatic.timer
|
|
state: started
|
|
enabled: yes
|
|
|
|
- name: Configure fail2ban jail
|
|
ansible.builtin.template:
|
|
src: jail.local.j2
|
|
dest: /etc/fail2ban/jail.local
|
|
notify: Restart fail2ban
|
|
|
|
- name: Ensure firewalld is running
|
|
ansible.builtin.service:
|
|
name: firewalld
|
|
state: started
|
|
enabled: yes
|
|
|
|
- name: Configure firewalld default zone
|
|
ansible.builtin.shell: firewall-cmd --set-default-zone=drop
|
|
when: ansible_facts.services['firewalld.service'].state == 'running'
|
|
changed_when: false
|
|
|
|
- name: Configure journald log limits
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/systemd/journald.conf
|
|
regexp: "{{ item.regexp }}"
|
|
line: "{{ item.line }}"
|
|
state: present
|
|
loop:
|
|
- { regexp: "^#?MaxRetentionSec=", line: "MaxRetentionSec=7day" }
|
|
- { regexp: "^#?SystemMaxUse=", line: "SystemMaxUse=500M" }
|
|
notify: Restart journald
|
|
|
|
- name: Allow SSH in firewalld from admin CIDRs
|
|
ansible.posix.firewalld:
|
|
service: ssh
|
|
source: "{{ item }}"
|
|
state: enabled
|
|
permanent: yes
|
|
immediate: yes
|
|
loop: "{{ admin_allowed_cidrs.split(' ') }}"
|