atomaka/home-ansible
1
0
Fork 0
Code Releases Activity

Compare commits

base: atomaka:010a8fb7c9e09b44568203a587ad4773f8700e32
Branches Tags
atomaka:master
atomaka:crowdsec-nginx
..
compare: atomaka:8257b0b4a7f06c9731b50183abcb3b920e08cbc4
Branches Tags
atomaka:master
atomaka:crowdsec-nginx

No commits in common. "010a8fb7c9e09b44568203a587ad4773f8700e32" and "8257b0b4a7f06c9731b50183abcb3b920e08cbc4" have entirely different histories.
010a8fb7c9 ... 8257b0b4a7

8 changed files with 135 additions and 7 deletions
Show stats Expand all files Collapse all files

1
roles/administrators/files/atomaka.pub
View file

@ -1,2 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETR1+I4hzK79yoQUvSbBZ3scdXaZvB/9ZOHtJ/rMqig me@atomaka.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETR1+I4hzK79yoQUvSbBZ3scdXaZvB/9ZOHtJ/rMqig me@atomaka.com
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJTU7eUJoZssZb9rJvsVdRTZLE1GDaj3vg3CuCXT8Ev atomaka@atomaka.com

5
roles/apt/tasks/main.yml
View file

@ -13,3 +13,8 @@
- ca-certificates - ca-certificates
- gnupg - gnupg
state: present state: present
- name: Ensure unattended-upgrades is runing
service:
name: unattended-upgrades
enabled: true

5
roles/docker/tasks/main.yml
View file

@ -1,12 +1,12 @@
--- ---
- name: Add apt key for docker - name: Add apt key for docker
apt_key: apt_key:
url: https://download.docker.com/linux/debian/gpg url: https://download.docker.com/linux/ubuntu/gpg
state: present state: present
- name: Add docker repository into sources list - name: Add docker repository into sources list
apt_repository: apt_repository:
repo: deb https://download.docker.com/linux/debian bullseye stable repo: deb https://download.docker.com/linux/ubuntu jammy stable
state: present state: present
- name: Install docker packages - name: Install docker packages
@ -15,6 +15,5 @@
- docker-ce - docker-ce
- docker-ce-cli - docker-ce-cli
- containerd.io - containerd.io
- docker-buildx-plugin
- docker-compose-plugin - docker-compose-plugin
state: present state: present

3
roles/firewall/handlers/main.yml Normal file
View file

@ -0,0 +1,3 @@
- name: Persist iptables
shell:
cmd: iptables-save > /etc/iptables/rules.v4

97
roles/firewall/tasks/main.yml Normal file
View file

@ -0,0 +1,97 @@
---
- name: Install iptables packages
apt:
name: iptables-persistent
state: present
# TURN IT OFF
- name: Turn iptables off for now
service:
name: iptables
state: stopped
enabled: no
- name: Allow all loopback traffic
iptables:
chain: INPUT
in_interface: lo
jump: ACCEPT
notify: Persist iptables
- name: Allow port ping traffic
iptables:
chain: INPUT
jump: ACCEPT
protocol: icmp
notify: Persist iptables
- name: Allow related and established connections
iptables:
chain: INPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
notify: Persist iptables
- name: Allow SSH
iptables:
chain: INPUT
destination_port: 22
jump: ACCEPT
protocol: tcp
notify: Persist iptables
- name: Allow web
iptables:
chain: INPUT
protocol: tcp
destination_port: 80
jump: ACCEPT
notify: Persist iptables
- name: Allow admin web (nginx proxy)
iptables:
chain: INPUT
protocol: tcp
destination_port: 81
jump: ACCEPT
notify: Persist iptables
- name: Allow dns
iptables:
chain: INPUT
protocol: tcp
destination_port: 53
jump: ACCEPT
notify: Persist iptables
- name: Allow dns (udp)
iptables:
chain: INPUT
protocol: udp
destination_port: 53
jump: ACCEPT
notify: Persist iptables
- name: Allow related and established connections
ansible.builtin.iptables:
chain: INPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
- name: Set the policy for the INPUT chain to DROP
iptables:
chain: INPUT
policy: DROP
notify: Persist iptables
- name: Set the policy for the FORWARD chain to DROP
iptables:
chain: FORWARD
policy: DROP
notify: Persist iptables
- name: Set the policy for the OUTPUT chain to ACCEPT
iptables:
chain: OUTPUT
policy: ACCEPT
notify: Persist iptables

5
roles/nginx-proxy-manager/files/docker-compose.yml
View file

@ -1,7 +1,7 @@
version: "3" version: "3"
services: services:
app: app:
image: jc21/nginx-proxy-manager:latest image: jc21/nginx-proxy-manager:2.9.22
restart: unless-stopped restart: unless-stopped
ports: ports:
- 80:80 # Public HTTP Port - 80:80 # Public HTTP Port
@ -10,5 +10,8 @@ services:
volumes: volumes:
- ./data:/data - ./data:/data
- ./letsencrypt:/etc/letsencrypt - ./letsencrypt:/etc/letsencrypt
- ./default.conf:/etc/nginx/conf.d/default.conf
# hack to avoid sed on default.conf
- /dev/null:/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh
environment: environment:
- AWS_CONFIG_FILE=/etc/letsencrypt/credentials/credentials-6 - AWS_CONFIG_FILE=/etc/letsencrypt/credentials/credentials-6

24
roles/ssh/tasks/main.yml
View file

@ -9,6 +9,28 @@
with_items: with_items:
- regexp: '^PasswordAuthentication' - regexp: '^PasswordAuthentication'
line: 'PasswordAuthentication no' line: 'PasswordAuthentication no'
- regexp: '^#PermitRootLogin' - regexp: '^PermitRootLogin'
line: 'PermitRootLogin no' line: 'PermitRootLogin no'
notify: Restart ssh notify: Restart ssh
- name: Install fail2ban
apt:
name: fail2ban
state: present
- name: Configure fail2ban
blockinfile:
path: /etc/fail2ban/jail.local
create: yes
mode: 0644
block: |
[sshd]
enabled = true
filter = sshd
# notify: Restart fail2ban
- name: Turn fail2ban off for now
service:
name: fail2ban
enabled: false
state: stopped

2
site.yml
View file

@ -10,8 +10,8 @@
- role: instance - role: instance
tags: instance tags: instance
- role: apt - role: apt
- role: firewall
- role: administrators - role: administrators
tags: administrators
- role: ssh - role: ssh
- hosts: dns - hosts: dns
become: yes become: yes