feat: bootstrap and harden Railiance01 at HostEurope

- Extend base role with fail2ban, UFW k3s/Flannel rules, HISTCONTROL - Add handlers dir for fail2ban restart - Fix inventory script to emit correct dynamic inventory JSON format - Add roles_path to ansible.cfg so playbook finds roles - Add Railiance01 (92.205.62.239) to inventory/servers.yaml - Mark workplan T03/T04/T05 as done Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-08 22:53:38 +00:00
parent 5187e63504
commit 679d0d67b1
6 changed files with 68 additions and 6 deletions
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -1,5 +1,6 @@
 [defaults]
 inventory = ./inventory_from_yaml.py
+roles_path = ./roles
 host_key_checking = False
 retry_files_enabled = False
 interpreter_python = auto
--- a/ansible/inventory_from_yaml.py
+++ b/ansible/inventory_from_yaml.py
@@ -20,14 +20,19 @@ def load_tf_outputs():
 def main():
    server_list = load_servers()
    tf = load_tf_outputs()
-    hosts = {}
+    host_names = []
+    hostvars = {}
    for s in server_list:
        name = s['name']
-        hosts[name] = {
+        host_names.append(name)
+        hostvars[name] = {
            "ansible_host": tf.get(name) or s.get('ip'),
            "ansible_user": s.get('ssh_user', 'admin')
        }
-    inv = {"all": {"hosts": hosts}}
+    inv = {
+        "all": {"hosts": host_names},
+        "_meta": {"hostvars": hostvars}
+    }
    print(json.dumps(inv))

 if __name__ == "__main__":
--- a/ansible/roles/base/handlers/main.yml
+++ b/ansible/roles/base/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart fail2ban
+  ansible.builtin.service:
+    name: fail2ban
+    state: restarted
--- a/ansible/roles/base/tasks/main.yml
+++ b/ansible/roles/base/tasks/main.yml
@@ -8,6 +8,7 @@
      - git
      - vim
      - ufw
+      - fail2ban
      - python3
      - python3-venv
    state: present
@@ -40,6 +41,49 @@
    rule: allow
    name: OpenSSH

+- name: Allow k3s API in UFW
+  ansible.builtin.ufw:
+    rule: allow
+    port: '6443'
+    proto: tcp
+
+- name: Allow Flannel VXLAN in UFW
+  ansible.builtin.ufw:
+    rule: allow
+    port: '8472'
+    proto: udp
+
+- name: Enable fail2ban
+  ansible.builtin.service:
+    name: fail2ban
+    state: started
+    enabled: true
+
+- name: Configure fail2ban SSH jail
+  ansible.builtin.copy:
+    dest: /etc/fail2ban/jail.d/sshd.conf
+    owner: root
+    group: root
+    mode: '0644'
+    content: |
+      [sshd]
+      enabled = true
+      port    = ssh
+      filter  = sshd
+      maxretry = 5
+      bantime  = 3600
+      findtime = 600
+  notify: Restart fail2ban
+
+- name: Set HISTCONTROL to ignorespace
+  ansible.builtin.copy:
+    dest: /etc/profile.d/histcontrol.sh
+    owner: root
+    group: root
+    mode: '0644'
+    content: |
+      export HISTCONTROL=ignorespace
+
 - name: Set timezone
  community.general.timezone:
    name: "{{ timezone | default('UTC') }}"
--- a/inventory/servers.yaml
+++ b/inventory/servers.yaml
@@ -0,0 +1,4 @@
+servers:
+  - name: Railiance01
+    ip: 92.205.62.239
+    ssh_user: tegwick
--- a/workplans/RAIL-HO-WP-0001-hosteurope-bootstrap.md
+++ b/workplans/RAIL-HO-WP-0001-hosteurope-bootstrap.md
@@ -120,7 +120,8 @@ curl http://127.0.0.1:8000/state/health

 ```task
 id: T03
-status: todo
+status: done
+completed: "2026-03-08"
 priority: high
 state_hub_task_id: "6eda6875-1301-4794-a07e-3e13ff1d92bf"
 ```
@@ -149,7 +150,8 @@ the play recap.

 ```task
 id: T04
-status: todo
+status: done
+completed: "2026-03-08"
 priority: high
 state_hub_task_id: "77921431-3a45-45b2-a0b0-cf0c43262205"
 ```
@@ -172,7 +174,8 @@ ansible-playbook -i ansible/hosts.ini -l hosteurope ansible/playbooks/bootstrap.

 ```task
 id: T05
-status: todo
+status: done
+completed: "2026-03-08"
 priority: medium
 state_hub_task_id: "c573c200-bf22-49d1-86f9-dca1fc71743c"
 ```