Update to use actual RPis (raspbian)
This commit is contained in:
parent
8257b0b4a7
commit
a9b2823a13
7 changed files with 5 additions and 135 deletions
|
@ -13,8 +13,3 @@
|
|||
- ca-certificates
|
||||
- gnupg
|
||||
state: present
|
||||
|
||||
- name: Ensure unattended-upgrades is runing
|
||||
service:
|
||||
name: unattended-upgrades
|
||||
enabled: true
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
---
|
||||
- name: Add apt key for docker
|
||||
apt_key:
|
||||
url: https://download.docker.com/linux/ubuntu/gpg
|
||||
url: https://download.docker.com/linux/debian/gpg
|
||||
state: present
|
||||
|
||||
- name: Add docker repository into sources list
|
||||
apt_repository:
|
||||
repo: deb https://download.docker.com/linux/ubuntu jammy stable
|
||||
repo: deb https://download.docker.com/linux/debian bullseye stable
|
||||
state: present
|
||||
|
||||
- name: Install docker packages
|
||||
|
@ -15,5 +15,6 @@
|
|||
- docker-ce
|
||||
- docker-ce-cli
|
||||
- containerd.io
|
||||
- docker-buildx-plugin
|
||||
- docker-compose-plugin
|
||||
state: present
|
||||
|
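Review bot: The `apt_key` task at the top of the first hunk still puts Docker's signing key into apt's global trusted keyring, where it can vouch for any configured repository, and `apt_key`/`apt-key` is deprecated on current Debian; the `apt_repository` line below it also hard-codes `bullseye`, which will quietly pull the wrong suite on any Raspberry Pi OS image that is not bullseye-based. Fetch the key to `/etc/apt/keyrings/docker.asc`, bind it to this one repository with `signed-by=`, and take the suite from `ansible_distribution_release`; if the key keeps being fetched over HTTPS with no check, consider pinning its fingerprint from Docker's install docs so a swapped key on the CDN is noticed rather than trusted. Raspberry Pi OS is armhf on 32-bit and arm64 on 64-bit images, so an `[arch=…]` qualifier may be needed if both kinds are in the inventory — I can't tell from here. The `Install docker packages` task continues past the end of the first hunk.
```yaml
- name: Ensure apt keyring directory exists
  file:
    path: /etc/apt/keyrings
    state: directory
    mode: "0755"

- name: Add apt key for docker
  get_url:
    url: https://download.docker.com/linux/debian/gpg
    dest: /etc/apt/keyrings/docker.asc
    mode: "0644"

- name: Add docker repository into sources list
  apt_repository:
    repo: "deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
    state: present
# … unchanged: Install docker packages …
```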
|
|
@ -1,3 +0,0 @@
|
|||
- name: Persist iptables
|
||||
shell:
|
||||
cmd: iptables-save > /etc/iptables/rules.v4
|
|
@ -1,97 +0,0 @@
|
|||
---
|
||||
- name: Install iptables packages
|
||||
apt:
|
||||
name: iptables-persistent
|
||||
state: present
|
||||
|
||||
# TURN IT OFF
|
||||
- name: Turn iptables off for now
|
||||
service:
|
||||
name: iptables
|
||||
state: stopped
|
||||
enabled: no
|
||||
|
||||
- name: Allow all loopback traffic
|
||||
iptables:
|
||||
chain: INPUT
|
||||
in_interface: lo
|
||||
jump: ACCEPT
|
||||
notify: Persist iptables
|
||||
|
||||
- name: Allow port ping traffic
|
||||
iptables:
|
||||
chain: INPUT
|
||||
jump: ACCEPT
|
||||
protocol: icmp
|
||||
notify: Persist iptables
|
||||
|
||||
- name: Allow related and established connections
|
||||
iptables:
|
||||
chain: INPUT
|
||||
ctstate: ESTABLISHED,RELATED
|
||||
jump: ACCEPT
|
||||
notify: Persist iptables
|
||||
|
||||
- name: Allow SSH
|
||||
iptables:
|
||||
chain: INPUT
|
||||
destination_port: 22
|
||||
jump: ACCEPT
|
||||
protocol: tcp
|
||||
notify: Persist iptables
|
||||
|
||||
- name: Allow web
|
||||
iptables:
|
||||
chain: INPUT
|
||||
protocol: tcp
|
||||
destination_port: 80
|
||||
jump: ACCEPT
|
||||
notify: Persist iptables
|
||||
|
||||
- name: Allow admin web (nginx proxy)
|
||||
iptables:
|
||||
chain: INPUT
|
||||
protocol: tcp
|
||||
destination_port: 81
|
||||
jump: ACCEPT
|
||||
notify: Persist iptables
|
||||
|
||||
- name: Allow dns
|
||||
iptables:
|
||||
chain: INPUT
|
||||
protocol: tcp
|
||||
destination_port: 53
|
||||
jump: ACCEPT
|
||||
notify: Persist iptables
|
||||
|
||||
- name: Allow dns (udp)
|
||||
iptables:
|
||||
chain: INPUT
|
||||
protocol: udp
|
||||
destination_port: 53
|
||||
jump: ACCEPT
|
||||
notify: Persist iptables
|
||||
|
||||
- name: Allow related and established connections
|
||||
ansible.builtin.iptables:
|
||||
chain: INPUT
|
||||
ctstate: ESTABLISHED,RELATED
|
||||
jump: ACCEPT
|
||||
|
||||
- name: Set the policy for the INPUT chain to DROP
|
||||
iptables:
|
||||
chain: INPUT
|
||||
policy: DROP
|
||||
notify: Persist iptables
|
||||
|
||||
- name: Set the policy for the FORWARD chain to DROP
|
||||
iptables:
|
||||
chain: FORWARD
|
||||
policy: DROP
|
||||
notify: Persist iptables
|
||||
|
||||
- name: Set the policy for the OUTPUT chain to ACCEPT
|
||||
iptables:
|
||||
chain: OUTPUT
|
||||
policy: ACCEPT
|
||||
notify: Persist iptables
|
|
@ -1,7 +1,7 @@
|
|||
version: "3"
|
||||
services:
|
||||
app:
|
||||
image: jc21/nginx-proxy-manager:2.9.22
|
||||
image: jc21/nginx-proxy-manager:latest
|
||||
restart: unless-stopped
|
||||
ports:
|
||||
- 80:80 # Public HTTP Port
|
||||
|
@ -10,8 +10,5 @@ services:
|
|||
volumes:
|
||||
- ./data:/data
|
||||
- ./letsencrypt:/etc/letsencrypt
|
||||
- ./default.conf:/etc/nginx/conf.d/default.conf
|
||||
# hack to avoid sed on default.conf
|
||||
- /dev/null:/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
|
||||
environment:
|
||||
- AWS_CONFIG_FILE=/etc/letsencrypt/credentials/credentials-6
|
||||
|
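Review bot: Replacing the pinned `2.9.22` with `jc21/nginx-proxy-manager:latest` on the `image:` line turns every `docker compose pull` into an unreviewed upgrade of the component that terminates TLS and fronts the admin UI, and makes the deployment non-reproducible; pin it to the release you actually tested, ideally with its digest, e.g. `image: jc21/nginx-proxy-manager:<tag>@sha256:<digest>` taken from the registry. Note also that this same commit drops `- role: firewall` from site.yml, so the `80:80` publish here and any other published port now reach the Pi with no host-level filter at all; Docker's published ports are DNAT'd ahead of the INPUT chain anyway, so if a firewall comes back it needs rules in DOCKER-USER to cover them. The remaining ports and the AWS credentials bind-mount are outside this hunk, so I can't see whether the admin port is also published.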
|
|
@ -9,28 +9,6 @@
|
|||
with_items:
|
||||
- regexp: '^PasswordAuthentication'
|
||||
line: 'PasswordAuthentication no'
|
||||
- regexp: '^PermitRootLogin'
|
||||
- regexp: '^#PermitRootLogin'
|
||||
line: 'PermitRootLogin no'
|
||||
notify: Restart ssh
|
||||
|
||||
- name: Install fail2ban
|
||||
apt:
|
||||
name: fail2ban
|
||||
state: present
|
||||
|
||||
- name: Configure fail2ban
|
||||
blockinfile:
|
||||
path: /etc/fail2ban/jail.local
|
||||
create: yes
|
||||
mode: 0644
|
||||
block: |
|
||||
[sshd]
|
||||
enabled = true
|
||||
filter = sshd
|
||||
# notify: Restart fail2ban
|
||||
|
||||
- name: Turn fail2ban off for now
|
||||
service:
|
||||
name: fail2ban
|
||||
enabled: false
|
||||
state: stopped
|
||||
|
|
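Review bot: The new `regexp: '^#PermitRootLogin'` matches only the commented-out default line, so on the second run — after that line has become `PermitRootLogin no` — nothing matches and the task appends a duplicate, and any existing uncommented `PermitRootLogin yes` earlier in the file is left untouched; sshd uses the first value it reads for a keyword, so that earlier line would win. Match either form with `- regexp: '^#?PermitRootLogin'`, and for the same reason change the entry above it to `- regexp: '^#?PasswordAuthentication'`, which also keeps the task idempotent. On newer Raspberry Pi OS releases `sshd_config` starts with an `Include /etc/ssh/sshd_config.d/*.conf`, and a setting dropped in there overrides both of these lines — worth checking that directory on the target. The task header and module line are above the hunk, so I am assuming this is `lineinfile`.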
1
site.yml
1
site.yml
|
@ -10,7 +10,6 @@
|
|||
- role: instance
|
||||
tags: instance
|
||||
- role: apt
|
||||
- role: firewall
|
||||
- role: administrators
|
||||
- role: ssh
|
||||
- hosts: dns
|
||||
|
|