diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index 1f0d659..7702e08 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -1,5 +1,6 @@
 [defaults]
 inventory = ./inventory_from_yaml.py
+roles_path = ./roles
 host_key_checking = False
 retry_files_enabled = False
 interpreter_python = auto
diff --git a/ansible/inventory_from_yaml.py b/ansible/inventory_from_yaml.py
old mode 100644
new mode 100755
index 1e3a2ac..b207483
--- a/ansible/inventory_from_yaml.py
+++ b/ansible/inventory_from_yaml.py
@@ -20,14 +20,19 @@ def load_tf_outputs():
 def main():
     server_list = load_servers()
     tf = load_tf_outputs()
-    hosts = {}
+    host_names = []
+    hostvars = {}
     for s in server_list:
         name = s['name']
-        hosts[name] = {
+        host_names.append(name)
+        hostvars[name] = {
             "ansible_host": tf.get(name) or s.get('ip'),
             "ansible_user": s.get('ssh_user', 'admin')
         }
-    inv = {"all": {"hosts": hosts}}
+    inv = {
+        "all": {"hosts": host_names},
+        "_meta": {"hostvars": hostvars}
+    }
     print(json.dumps(inv))
 
 if __name__ == "__main__":
diff --git a/ansible/roles/base/handlers/main.yml b/ansible/roles/base/handlers/main.yml
new file mode 100644
index 0000000..c86a3ee
--- /dev/null
+++ b/ansible/roles/base/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart fail2ban
+  ansible.builtin.service:
+    name: fail2ban
+    state: restarted
diff --git a/ansible/roles/base/tasks/main.yml b/ansible/roles/base/tasks/main.yml
index 2b0ffcc..af6a177 100644
--- a/ansible/roles/base/tasks/main.yml
+++ b/ansible/roles/base/tasks/main.yml
@@ -8,6 +8,7 @@
       - git
       - vim
       - ufw
+      - fail2ban
       - python3
       - python3-venv
     state: present
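Review bot: In `main()`, `"ansible_host": tf.get(name) or s.get('ip')` still produces `null` when neither the Terraform output nor the YAML `ip` is set, so the host enters the inventory without an address and the problem only surfaces later as an unreachable host; fail fast instead with `addr = tf.get(name) or s.get('ip')` followed by `if not addr: raise SystemExit(f"no address for host {name!r}")`. `host_names.append(name)` also admits duplicate names while `hostvars[name]` silently overwrites, so a repeated `name` in servers.yaml would be listed twice with the last entry's vars; a guard like `if name in hostvars: raise SystemExit(f"duplicate host {name!r}")` before the append closes that. The mode change to 0755 together with `_meta.hostvars` is what makes this usable as a dynamic inventory, and the script appears to ignore argv, which is acceptable once `_meta` is present because Ansible then skips per-host `--host` calls; that deserves a one-line comment at the top of `main()` so nobody "fixes" the missing argument parsing later. The body of the `if __name__ == "__main__":` block continues outside the hunk.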
@@ -40,6 +41,49 @@
     rule: allow
     name: OpenSSH
 
+- name: Allow k3s API in UFW
+  ansible.builtin.ufw:
+    rule: allow
+    port: '6443'
+    proto: tcp
+
+- name: Allow Flannel VXLAN in UFW
+  ansible.builtin.ufw:
+    rule: allow
+    port: '8472'
+    proto: udp
+
+- name: Enable fail2ban
+  ansible.builtin.service:
+    name: fail2ban
+    state: started
+    enabled: true
+
+- name: Configure fail2ban SSH jail
+  ansible.builtin.copy:
+    dest: /etc/fail2ban/jail.d/sshd.conf
+    owner: root
+    group: root
+    mode: '0644'
+    content: |
+      [sshd]
+      enabled = true
+      port = ssh
+      filter = sshd
+      maxretry = 5
+      bantime = 3600
+      findtime = 600
+  notify: Restart fail2ban
+
+- name: Set HISTCONTROL to ignorespace
+  ansible.builtin.copy:
+    dest: /etc/profile.d/histcontrol.sh
+    owner: root
+    group: root
+    mode: '0644'
+    content: |
+      export HISTCONTROL=ignorespace
+
 - name: Set timezone
   community.general.timezone:
     name: "{{ timezone | default('UTC') }}"
diff --git a/inventory/servers.yaml b/inventory/servers.yaml
index e69de29..81e0cc1 100644
--- a/inventory/servers.yaml
+++ b/inventory/servers.yaml
@@ -0,0 +1,4 @@
+servers:
+  - name: Railiance01
+    ip: 92.205.62.239
+    ssh_user: tegwick
diff --git a/workplans/RAIL-HO-WP-0001-hosteurope-bootstrap.md b/workplans/RAIL-HO-WP-0001-hosteurope-bootstrap.md
index 21d0f5c..e2a4209 100644
--- a/workplans/RAIL-HO-WP-0001-hosteurope-bootstrap.md
+++ b/workplans/RAIL-HO-WP-0001-hosteurope-bootstrap.md
@@ -120,7 +120,8 @@ curl http://127.0.0.1:8000/state/health
 
 ```task
 id: T03
-status: todo
+status: done
+completed: "2026-03-08"
 priority: high
 state_hub_task_id: "6eda6875-1301-4794-a07e-3e13ff1d92bf"
 ```
@@ -149,7 +150,8 @@ the play recap.
 
 ```task
 id: T04
-status: todo
+status: done
+completed: "2026-03-08"
 priority: high
 state_hub_task_id: "77921431-3a45-45b2-a0b0-cf0c43262205"
 ```
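Review bot: The two new UFW tasks (`Allow k3s API in UFW`, `Allow Flannel VXLAN in UFW`) carry no `src:`, so 6443/tcp and 8472/udp are opened to every source on a host whose inventory address is a public IP; the VXLAN overlay on 8472/udp is unauthenticated and the API server becomes directly reachable from the internet. Restrict both with the ufw module's `src:` parameter to the node or admin network, e.g. `src: "{{ k3s_node_cidr }}"` (variable name illustrative, still to be defined), and on the single-host inventory this commit adds the VXLAN rule may not be needed at all. The tasks use `ansible.builtin.ufw`; as far as I recall the ufw module ships in `community.general` (which this file already uses for `timezone`) rather than ansible-core, so that FQCN is worth verifying before the play runs. The fail2ban jail itself looks fine, but `maxretry = 5`, `bantime = 3600` and `findtime = 600` deserve a short comment above `content:` explaining the chosen thresholds.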
@@ -172,7 +174,8 @@ ansible-playbook -i ansible/hosts.ini -l hosteurope ansible/playbooks/bootstrap.
 
 ```task
 id: T05
-status: todo
+status: done
+completed: "2026-03-08"
 priority: medium
 state_hub_task_id: "c573c200-bf22-49d1-86f9-dca1fc71743c"
 ```