Use harden role on controller host
This commit is contained in:
parent
010c48b243
commit
a2ba31fab2
9 changed files with 44 additions and 29 deletions
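--- a/authorized-keys/ansible-controller
+++ b/authorized-keys/ansible-controller
@@ -0,0 +1 @@
+ssh-rsa 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 root@ansible-controller-2018-07-22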
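--- a/authorized-keys/froidmpa-desktop
+++ b/authorized-keys/froidmpa-desktop
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMPhCld0dsDzpdkMvPRdiwd6IX8HF8Mb2V6uQzBl8/syeny8FbZxlZR8gk39RGxNYcLaZ+nA50DS6mOIplXCGdtozfw0Vm+FdITN3apMufWIdobG7Igs1vxKBBbkAb5lwxkEFUCUMzPdCLFHd5zabVH0WE42Be8+hYPLd5W/ikPCOgxRaGwryHHroxRMdkD3PcNE8upSEMdGl51pzgXhO6Fcig8UokOYHxV92SiQ0KEsCbc+oe8e9Gkr7g78tz+6YcTYLY2p2ygR7Vrh/WyTaUVnrNNqL8NIqp+Lc2kVtnqGXHFBJ0Wggaly+AeKWygy+dnOMEGSirhQ6/dUcB/Phz phfroidmont@archdesktop-2017-07-31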
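Review bot: Both operator keys added here and in the next file are 2048-bit RSA keys from 2017 (the `AAAAB3NzaC1yc2EAAAADAQABAAABAQ` prefix encodes an e=65537, 2048-bit modulus; the dates come from the key comments), and with this commit they become authorized as `deploy` on every host including the controller. Still acceptable, but this is the natural moment to issue ed25519 replacements and to keep the `-YYYY-MM-DD` comment suffix so rotation stays visible in the repo. Committing public keys is fine; the controller key's comment says `root@ansible-controller`, so confirm it is the controller's own key and not a copy of a root key used elsewhere.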
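--- a/authorized-keys/froidmpa-laptop
+++ b/authorized-keys/froidmpa-laptop
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRX1scknsDkFvi1DRfNzYKPpyn9x4tiPjqkSlCQnXtmZUmK8ssYAQrM9iSIszT1tr5nQERBAHtUMjSJN8Ofi42LCJWakdYiSQSaSx3kM4TpYx8bKTEX2oxdifOovaGyn7jz8DmTipJLlrxjkQZ0HU8f6lhNPpke/jGioH6lvVtUVVDb1Ny+ygvoJsZHPuU/KSSnFED91sNrSoE8NGa29gPBrDMUZHSZVJW8+c0DWENxKpu7TKx/s64SsT3jX6gx76J/umvS7OfDu1SXg9lX6+1OUQMexjRImmzUy4VFrJAf9iAVvwYI5RlcLR9j2DbNBg0gikLAc+1OeBQcGrwYzid froidmpa@froidmpa-2017-07-31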
@ -10,6 +10,33 @@ k8s_config_cluster_name: banditlair.com
k8s_encryption_config_directory: "{{k8s_config_directory}}"
k8s_encryption_config_directory: "{{k8s_config_directory}}"
k8s_interface: "{{peervpn_conf_interface}}"
k8s_interface: "{{peervpn_conf_interface}}"
etcd_version: "3.2.18"
etcd_version: "3.2.18"
harden_linux_root_password: "{{k8s_scaleway_root_password}}"
harden_linux_deploy_user: deploy
harden_linux_deploy_user_password: "{{k8s_scaleway_deploy_user_password}}"
harden_linux_deploy_user_home: /home/deploy
harden_linux_ufw_defaults_user:
"^DEFAULT_FORWARD_POLICY": 'DEFAULT_FORWARD_POLICY="ACCEPT"'
harden_linux_deploy_user_public_keys:
- authorized-keys/ansible-controller
- authorized-keys/froidmpa-laptop
- authorized-keys/froidmpa-desktop
harden_linux_ufw_allow_networks:
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"
harden_linux_sysctl_settings_user:
"net.ipv4.ip_forward": 1
"net.ipv6.conf.default.forwarding": 1
"net.ipv6.conf.all.forwarding": 1
harden_linux_ufw_logging: 'on'
harden_linux_sshguard_whitelist:
- "127.0.0.0/8"
- "::1/128"
- "212.83.165.111"
- "10.3.0.0/24"
- "10.200.0.0/16"
peervpn_conf_networkname: "peervpn"
peervpn_conf_networkname: "peervpn"
peervpn_conf_psk: "{{k8s_peervpn_pre_shared_key}}"
peervpn_conf_psk: "{{k8s_peervpn_pre_shared_key}}"
peervpn_conf_initpeers: "master1.banditlair.com 7000"
peervpn_conf_initpeers: "master1.banditlair.com 7000"
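Review bot: The forwarding settings added in this hunk — `harden_linux_ufw_defaults_user` with `DEFAULT_FORWARD_POLICY="ACCEPT"` and `harden_linux_sysctl_settings_user` turning on `net.ipv4.ip_forward` and both IPv6 forwarding keys — now reach every host the harden role targets, which after this commit includes the controller (k8s.yml switches that play from `k8s` to `all`). The same keys are deleted from the file in the next section, the one that also carries the k8s hosts' `ansible_port: 2242`, so they were previously scoped to the nodes that actually route pod traffic; a host that only runs Ansible, kubectl and the CA has no reason to forward packets or to accept forwarded traffic in ufw, and leaving the two forwarding keys in the k8s-scoped file while moving only the SSH, key and whitelist settings here keeps the controller at least privilege. Two things to confirm rather than change: `harden_linux_root_password` and `harden_linux_deploy_user_password` reuse the `k8s_scaleway_*` secrets, so the controller now shares root and deploy credentials with the cluster nodes, and `212.83.165.111` in `harden_linux_sshguard_whitelist` is a hard-coded public address whose role is not documented anywhere on this page — a comment such as `# operator egress address, exempt from sshguard` above it would help. The file path of this section is not visible in the rendered page.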
@ -3,16 +3,8 @@ ansible_user: deploy
ansible_become: true
ansible_become: true
ansible_port: 2242
ansible_port: 2242
harden_linux_root_password: "{{k8s_scaleway_root_password}}"
harden_linux_deploy_user: deploy
harden_linux_deploy_user_password: "{{k8s_scaleway_deploy_user_password}}"
harden_linux_deploy_user_home: /home/deploy
harden_linux_deploy_user_public_keys:
- ~/.ssh/id_rsa.pub
harden_linux_sshd_settings_user:
harden_linux_sshd_settings_user:
"^Port ": "Port 2242"
"^Port ": "Port 2242"
harden_linux_ufw_defaults_user:
"^DEFAULT_FORWARD_POLICY": 'DEFAULT_FORWARD_POLICY="ACCEPT"'
harden_linux_ufw_rules:
harden_linux_ufw_rules:
- rule: "allow"
- rule: "allow"
to_port: "2242"
to_port: "2242"
@ -20,19 +12,4 @@ harden_linux_ufw_rules:
- rule: "allow"
- rule: "allow"
to_port: "7000"
to_port: "7000"
protocol: "udp"
protocol: "udp"
harden_linux_ufw_allow_networks:
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"
harden_linux_sysctl_settings_user:
"net.ipv4.ip_forward": 1
"net.ipv6.conf.default.forwarding": 1
"net.ipv6.conf.all.forwarding": 1
harden_linux_ufw_logging: 'on'
harden_linux_sshguard_whitelist:
- "127.0.0.0/8"
- "::1/128"
- "212.83.165.111"
- "10.3.0.0/24"
- "10.200.0.0/16"
@ -1,2 +1,12 @@
---
---
peervpn_conf_ifconfig4: "10.3.0.100/24"
peervpn_conf_ifconfig4: "10.3.0.100/24"
harden_linux_sshd_settings_user:
"^Port ": "Port 22"
harden_linux_ufw_rules:
- rule: "allow"
to_port: "22"
protocol: "tcp"
- rule: "allow"
to_port: "7000"
protocol: "udp"
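Review bot: The new `harden_linux_ufw_rules` open `22/tcp` and `7000/udp` to any source on this host, and the only remaining brake on the SSH port is sshguard, which the shared vars exempt for `10.0.0.0/8`-style ranges and one public address; if the role passes a source field through to ufw (Ansible's `ufw` module accepts `from_ip`), limiting the `22/tcp` entry to the operator networks already listed in `harden_linux_sshguard_whitelist` would narrow exposure noticeably, e.g. `from_ip: "<operator-network-placeholder>"` under that rule. Keeping `"^Port ": "Port 22"` here while the k8s hosts run on `2242` looks deliberate, since the deploy script in the last section connects as `deploy@ansible.banditlair.com` without a port, but a one-line comment stating that dependency would stop someone "harmonising" it later and locking the controller out. The file path is not visible in the rendered page; `peervpn_conf_ifconfig4: "10.3.0.100/24"` suggests it is the controller's host_vars.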
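--- a/hosts
+++ b/hosts
@@ -1,8 +1,8 @@
 [k8s_kubectl]
-localhost ansible_connection=local
+localhost ansible_connection=local ansible_become=true
 
 [k8s_ca]
-localhost ansible_connection=local
+localhost ansible_connection=local ansible_become=true
 
 [k8s_etcd]
 master[1:3].banditlair.com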
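Review bot: `ansible_become=true` on the two localhost entries means the CA and kubectl tasks now run under sudo from the `deploy` account the script switches to, instead of directly as root as before; anything those roles write (CA private keys, admin kubeconfigs) will be root-owned unless the roles set ownership themselves, so check that the deploy user can still read what `kubectl` needs and that key material is not left world-readable under the new path. The reason is not obvious from the inventory alone; a comment above the first group, `# controller is driven as deploy (see deploy script); become is required for CA and kubectl file tasks`, would save the next reader the inference. Whether localhost appears in other groups is not visible in this hunk.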
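--- a/k8s.yml
+++ b/k8s.yml
@@ -19,11 +19,9 @@
 roles:
 - role: githubixx.kubernetes-controller
 tags: role-kubernetes-controller
-- hosts: k8s
+- hosts: all
 roles:
 - role: githubixx.harden-linux
 tags: role-harden-linux
-- hosts: all
-roles:
 - role: githubixx.peervpn
 tags: role-peervpn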
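Review bot: With `- hosts: all` now carrying both `githubixx.harden-linux` and `githubixx.peervpn` (the separate `all` play and its `roles:` line are gone), the harden role runs on the controller itself during a run that, per the deploy script in the last section, is driven over an interactive `ssh -t deploy@ansible.banditlair.com` session; a bad sshd or ufw change on that host would cut the only management path. The controller host_vars pin `Port 22` and a matching ufw rule, which covers the obvious case, but a comment at the top of this play noting that it also hardens the control host and should be tried with `--check` (or after a `--syntax-check`) before a live run is worth adding. Indentation was lost in the rendering, so the nesting of `roles:` under each play cannot be verified from this page, and the play's opening lines are outside the hunk.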
@ -1,4 +1,4 @@
#!/bin/bash
#!/bin/bash
DIRECTORY=`dirname $0`
DIRECTORY=`dirname $0`
cd DIRECTORY/..
cd DIRECTORY/..
rsync -avzhe ssh --delete --exclude=.* ./ root@163.172.145.22:/root/ansible && ssh -t root@163.172.145.22 "cd ansible && $1"
rsync -avzhe ssh --delete --exclude=.* ./ deploy@ansible.banditlair.com:/home/deploy/ansible && ssh -t deploy@ansible.banditlair.com "cd ansible && $1"
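Review bot: The rewritten rsync line still pushes `./` from wherever `cd DIRECTORY/..` two lines above lands, and that line is missing its `$`: unless a directory literally named `DIRECTORY` exists, the `cd` fails, the script continues in the caller's current directory, and `rsync --delete` replaces `/home/deploy/ansible` on the controller with whatever that directory holds. Change it to `cd "$DIRECTORY/.." || exit 1` and add `set -euo pipefail` after the shebang so a failed `cd` aborts before anything is synced or deleted. Moving from `root@163.172.145.22:/root/ansible` to `deploy@ansible.banditlair.com:/home/deploy/ansible` matches the new become-based inventory, but the hostname is now resolved through DNS, so the SSH host key pinned in `known_hosts` should be the one verified for the old address.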