phfroidmont/self-hosting
1
0
Fork 0
mirror of https://github.com/phfroidmont/self-hosting.git synced 2025-12-25 05:36:59 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Use harden role on controller host

Browse source
This commit is contained in:
Paul-Henri Froidmont 2018-07-23 00:46:10 +02:00
parent 010c48b243
commit a2ba31fab2
9 changed files with 44 additions and 29 deletions
Download patch file Download diff file Expand all files Collapse all files

27
group_vars/all/vars
View file

@ -10,6 +10,33 @@ k8s_config_cluster_name: banditlair.com
k8s_encryption_config_directory: "{{k8s_config_directory}}"
k8s_interface: "{{peervpn_conf_interface}}"
etcd_version: "3.2.18"
harden_linux_root_password: "{{k8s_scaleway_root_password}}"
harden_linux_deploy_user: deploy
harden_linux_deploy_user_password: "{{k8s_scaleway_deploy_user_password}}"
harden_linux_deploy_user_home: /home/deploy
harden_linux_ufw_defaults_user:
"^DEFAULT_FORWARD_POLICY": 'DEFAULT_FORWARD_POLICY="ACCEPT"'
harden_linux_deploy_user_public_keys:
- authorized-keys/ansible-controller
- authorized-keys/froidmpa-laptop
- authorized-keys/froidmpa-desktop
harden_linux_ufw_allow_networks:
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"
harden_linux_sysctl_settings_user:
"net.ipv4.ip_forward": 1
"net.ipv6.conf.default.forwarding": 1
"net.ipv6.conf.all.forwarding": 1
harden_linux_ufw_logging: 'on'
harden_linux_sshguard_whitelist:
- "127.0.0.0/8"
- "::1/128"
- "212.83.165.111"
- "10.3.0.0/24"
- "10.200.0.0/16"
peervpn_conf_networkname: "peervpn"
peervpn_conf_psk: "{{k8s_peervpn_pre_shared_key}}"
peervpn_conf_initpeers: "master1.banditlair.com 7000"

23
group_vars/k8s.yml
View file

@ -3,16 +3,8 @@ ansible_user: deploy
ansible_become: true
ansible_port: 2242
harden_linux_root_password: "{{k8s_scaleway_root_password}}"
harden_linux_deploy_user: deploy
harden_linux_deploy_user_password: "{{k8s_scaleway_deploy_user_password}}"
harden_linux_deploy_user_home: /home/deploy
harden_linux_deploy_user_public_keys:
- ~/.ssh/id_rsa.pub
harden_linux_sshd_settings_user:
"^Port ": "Port 2242"
harden_linux_ufw_defaults_user:
"^DEFAULT_FORWARD_POLICY": 'DEFAULT_FORWARD_POLICY="ACCEPT"'
harden_linux_ufw_rules:
- rule: "allow"
to_port: "2242"
@ -20,19 +12,4 @@ harden_linux_ufw_rules:
- rule: "allow"
to_port: "7000"
protocol: "udp"
harden_linux_ufw_allow_networks:
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"
harden_linux_sysctl_settings_user:
"net.ipv4.ip_forward": 1
"net.ipv6.conf.default.forwarding": 1
"net.ipv6.conf.all.forwarding": 1
harden_linux_ufw_logging: 'on'
harden_linux_sshguard_whitelist:
- "127.0.0.0/8"
- "::1/128"
- "212.83.165.111"
- "10.3.0.0/24"
- "10.200.0.0/16"