From a2ba31fab2000c76467ed583731db9ce287ada27 Mon Sep 17 00:00:00 2001
From: Paul-Henri Froidmont
Date: Mon, 23 Jul 2018 00:46:10 +0200
Subject: [PATCH] Use harden role on controller host
---
authorized-keys/ansible-controller | 1 +
authorized-keys/froidmpa-desktop | 1 +
authorized-keys/froidmpa-laptop | 1 +
group_vars/all/vars | 27 +++++++++++++++++++++++++++
group_vars/k8s.yml | 23 -----------------------
host_vars/localhost | 10 ++++++++++
hosts | 4 ++--
k8s.yml | 4 +---
scripts/rsync-and-run.sh | 2 +-
9 files changed, 44 insertions(+), 29 deletions(-)
create mode 100644 authorized-keys/ansible-controller
create mode 100644 authorized-keys/froidmpa-desktop
create mode 100644 authorized-keys/froidmpa-laptop
diff --git a/authorized-keys/ansible-controller b/authorized-keys/ansible-controller
new file mode 100644
index 0000000..a3df111
--- /dev/null
+++ b/authorized-keys/ansible-controller
@@ -0,0 +1 @@
+ssh-rsa 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 root@ansible-controller-2018-07-22
diff --git a/authorized-keys/froidmpa-desktop b/authorized-keys/froidmpa-desktop
new file mode 100644
index 0000000..98d7377
--- /dev/null
+++ b/authorized-keys/froidmpa-desktop
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMPhCld0dsDzpdkMvPRdiwd6IX8HF8Mb2V6uQzBl8/syeny8FbZxlZR8gk39RGxNYcLaZ+nA50DS6mOIplXCGdtozfw0Vm+FdITN3apMufWIdobG7Igs1vxKBBbkAb5lwxkEFUCUMzPdCLFHd5zabVH0WE42Be8+hYPLd5W/ikPCOgxRaGwryHHroxRMdkD3PcNE8upSEMdGl51pzgXhO6Fcig8UokOYHxV92SiQ0KEsCbc+oe8e9Gkr7g78tz+6YcTYLY2p2ygR7Vrh/WyTaUVnrNNqL8NIqp+Lc2kVtnqGXHFBJ0Wggaly+AeKWygy+dnOMEGSirhQ6/dUcB/Phz phfroidmont@archdesktop-2017-07-31
diff --git a/authorized-keys/froidmpa-laptop b/authorized-keys/froidmpa-laptop
new file mode 100644
index 0000000..d686f02
--- /dev/null
+++ b/authorized-keys/froidmpa-laptop
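Review bot: The key comment `root@ansible-controller-2018-07-22` suggests this pair was generated as root on the controller, while scripts/rsync-and-run.sh in the same commit now runs the playbook there as `deploy`; a private key kept in root's ~/.ssh is not offered by the deploy user's ssh, so the node logins may fail after this change. Either confirm the matching private key is available to `deploy` on the controller, or generate the controller key as that user and commit its public half in place of this one. The comment field is only a hint, so this may already be in order; a short README line naming which controller account holds the private key would settle it for the next maintainer.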
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRX1scknsDkFvi1DRfNzYKPpyn9x4tiPjqkSlCQnXtmZUmK8ssYAQrM9iSIszT1tr5nQERBAHtUMjSJN8Ofi42LCJWakdYiSQSaSx3kM4TpYx8bKTEX2oxdifOovaGyn7jz8DmTipJLlrxjkQZ0HU8f6lhNPpke/jGioH6lvVtUVVDb1Ny+ygvoJsZHPuU/KSSnFED91sNrSoE8NGa29gPBrDMUZHSZVJW8+c0DWENxKpu7TKx/s64SsT3jX6gx76J/umvS7OfDu1SXg9lX6+1OUQMexjRImmzUy4VFrJAf9iAVvwYI5RlcLR9j2DbNBg0gikLAc+1OeBQcGrwYzid froidmpa@froidmpa-2017-07-31
diff --git a/group_vars/all/vars b/group_vars/all/vars
index 089674e..a994659 100644
--- a/group_vars/all/vars
+++ b/group_vars/all/vars
@@ -10,6 +10,33 @@ k8s_config_cluster_name: banditlair.com
 k8s_encryption_config_directory: "{{k8s_config_directory}}"
 k8s_interface: "{{peervpn_conf_interface}}"
 etcd_version: "3.2.18"
+harden_linux_root_password: "{{k8s_scaleway_root_password}}"
+harden_linux_deploy_user: deploy
+harden_linux_deploy_user_password: "{{k8s_scaleway_deploy_user_password}}"
+harden_linux_deploy_user_home: /home/deploy
+harden_linux_ufw_defaults_user:
+ "^DEFAULT_FORWARD_POLICY": 'DEFAULT_FORWARD_POLICY="ACCEPT"'
+harden_linux_deploy_user_public_keys:
+ - authorized-keys/ansible-controller
+ - authorized-keys/froidmpa-laptop
+ - authorized-keys/froidmpa-desktop
+harden_linux_ufw_allow_networks:
+ - "10.0.0.0/8"
+ - "172.16.0.0/12"
+ - "192.168.0.0/16"
+harden_linux_sysctl_settings_user:
+ "net.ipv4.ip_forward": 1
+ "net.ipv6.conf.default.forwarding": 1
+ "net.ipv6.conf.all.forwarding": 1
+harden_linux_ufw_logging: 'on'
+harden_linux_sshguard_whitelist:
+ - "127.0.0.0/8"
+ - "::1/128"
+ - "212.83.165.111"
+ - "10.3.0.0/24"
+ - "10.200.0.0/16"
+
+
 peervpn_conf_networkname: "peervpn"
 peervpn_conf_psk: "{{k8s_peervpn_pre_shared_key}}"
 peervpn_conf_initpeers: "master1.banditlair.com 7000"
diff --git a/group_vars/k8s.yml b/group_vars/k8s.yml
index 9c07bd3..5fe62f6 100644
--- a/group_vars/k8s.yml
+++ b/group_vars/k8s.yml
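Review bot: `harden_linux_sysctl_settings_user` (IPv4 and IPv6 forwarding set to 1) and `harden_linux_ufw_defaults_user` (`DEFAULT_FORWARD_POLICY="ACCEPT"`) move from group_vars/k8s.yml into `all`, so with the play now targeting `all` the controller host (localhost) also becomes a forwarding router with an accept-all forward policy, which only the k8s nodes need for pod traffic. I would keep those two settings in group_vars/k8s.yml and move only the credential, deploy-user, public-key, allow-network and sshguard settings here, or override them in host_vars/localhost with `"net.ipv4.ip_forward": 0` (and the v6 equivalents) plus `DEFAULT_FORWARD_POLICY="DROP"`. Separately, `harden_linux_ufw_allow_networks` admits all three RFC1918 ranges on every host while the sshguard whitelist names the narrower VPN range `10.3.0.0/24`; a comment stating why the wider allowlist is needed on the controller too would help a reader judge it. The quoting of `'on'` for `harden_linux_ufw_logging` is correct and should stay, since an unquoted `on` is read as boolean true.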
@@ -3,16 +3,8 @@ ansible_user: deploy ansible_become: true ansible_port: 2242 -harden_linux_root_password: "{{k8s_scaleway_root_password}}" -harden_linux_deploy_user: deploy -harden_linux_deploy_user_password: "{{k8s_scaleway_deploy_user_password}}" -harden_linux_deploy_user_home: /home/deploy -harden_linux_deploy_user_public_keys: - - ~/.ssh/id_rsa.pub harden_linux_sshd_settings_user: "^Port ": "Port 2242" -harden_linux_ufw_defaults_user: - "^DEFAULT_FORWARD_POLICY": 'DEFAULT_FORWARD_POLICY="ACCEPT"' harden_linux_ufw_rules: - rule: "allow" to_port: "2242" @@ -20,19 +12,4 @@ harden_linux_ufw_rules: - rule: "allow" to_port: "7000" protocol: "udp" -harden_linux_ufw_allow_networks: - - "10.0.0.0/8" - - "172.16.0.0/12" - - "192.168.0.0/16" -harden_linux_sysctl_settings_user: - "net.ipv4.ip_forward": 1 - "net.ipv6.conf.default.forwarding": 1 - "net.ipv6.conf.all.forwarding": 1 -harden_linux_ufw_logging: 'on' -harden_linux_sshguard_whitelist: - - "127.0.0.0/8" - - "::1/128" - - "212.83.165.111" - - "10.3.0.0/24" - - "10.200.0.0/16" diff --git a/host_vars/localhost b/host_vars/localhost index fd2bde8..da074e2 100644 --- a/host_vars/localhost +++ b/host_vars/localhost @@ -1,2 +1,12 @@ --- peervpn_conf_ifconfig4: "10.3.0.100/24" +harden_linux_sshd_settings_user: + "^Port ": "Port 22" +harden_linux_ufw_rules: + - rule: "allow" + to_port: "22" + protocol: "tcp" + - rule: "allow" + to_port: "7000" + protocol: "udp" + diff --git a/hosts b/hosts index cfc8d36..71eb971 100644 --- a/hosts +++ b/hosts @@ -1,8 +1,8 @@ [k8s_kubectl] -localhost ansible_connection=local +localhost ansible_connection=local ansible_become=true [k8s_ca] -localhost ansible_connection=local +localhost ansible_connection=local ansible_become=true [k8s_etcd] master[1:3].banditlair.com diff --git a/k8s.yml b/k8s.yml index 11b3033..1f0a233 100644 --- a/k8s.yml +++ b/k8s.yml 
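Review bot: The `harden_linux_ufw_rules` list added to host_vars/localhost opens 22/tcp on the controller with no source restriction, although this is the one host whose deploy key reaches every node and the sshguard whitelist already singles out `212.83.165.111`; if the role's rule items accept a source address, limiting the 22/tcp rule to that admin address (7000/udp must stay open for the VPN peers) would shrink the controller's exposure considerably. A comment above the list that it deliberately replaces rather than extends the group-level rules — Ansible host_vars take precedence over group_vars and lists are not merged — would explain why the `2242` rule from group_vars/k8s.yml never applies to localhost, which is consistent with the `Port 22` override just above it. The trailing empty `+` line can be dropped.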
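Review bot: `ansible_become=true` is now repeated on both `localhost` inventory lines in hosts; since host_vars/localhost exists and is extended in this same commit, `ansible_become: true` belongs there once, which keeps the two inventory lines identical and prevents them from drifting apart later. The inventory continues past the hunk, so any further localhost entries would want the same treatment.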
@@ -19,11 +19,9 @@ roles: - role: githubixx.kubernetes-controller tags: role-kubernetes-controller -- hosts: k8s +- hosts: all roles: - role: githubixx.harden-linux tags: role-harden-linux -- hosts: all - roles: - role: githubixx.peervpn tags: role-peervpn diff --git a/scripts/rsync-and-run.sh b/scripts/rsync-and-run.sh index 26d255d..a9389de 100755 --- a/scripts/rsync-and-run.sh +++ b/scripts/rsync-and-run.sh @@ -1,4 +1,4 @@ #!/bin/bash DIRECTORY=`dirname $0` cd DIRECTORY/.. -rsync -avzhe ssh --delete --exclude=.* ./ root@163.172.145.22:/root/ansible && ssh -t root@163.172.145.22 "cd ansible && $1" +rsync -avzhe ssh --delete --exclude=.* ./ deploy@ansible.banditlair.com:/home/deploy/ansible && ssh -t deploy@ansible.banditlair.com "cd ansible && $1"
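Review bot: `- hosts: all` now runs `githubixx.harden-linux` on the controller itself through `ansible_connection=local`, where the sshd and ufw changes land on the very host the operator drives the run from, and nothing in the play says so. A comment above the play such as `# also hardens the controller (localhost); its Port 22 / ufw overrides live in host_vars/localhost` would make that dependency visible to whoever next changes the port in group_vars/k8s.yml. The play list may continue outside the hunk, so whether peervpn is still the last role cannot be confirmed from here.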
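Review bot: The rewritten rsync line still executes when the preceding `cd DIRECTORY/..` (a context line the commit leaves alone, and it lacks the `$`) fails, because the script has no `set -e`; with `--delete` that pushes whatever directory the caller happens to be in over `/home/deploy/ansible` and removes everything else there. Change the context line to `cd "$DIRECTORY/.." || exit 1` (and quote `DIRECTORY="$(dirname "$0")"`), or open the script with `set -euo pipefail`. The remote `deploy@ansible.banditlair.com` is now spelled twice on one line; a `REMOTE=deploy@ansible.banditlair.com` variable keeps the rsync target and the ssh target in step. Moving from root@IP to a named deploy user on a hostname is the right direction.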