coulomb/railiance-infra
0
0
Fork 0
Code Issues Pull Requests Actions Projects Releases Wiki Activity
Files
3f4f03e838c2b3bd056e7fea9f55b31ef45f40b0
railiance-infra/ansible/roles/base/tasks/main.yml
tegwick 3f4f03e838 feat(ansible): inject ops-bridge key in base role at bootstrap 
Add ops_bridge_pubkey to group_vars/all.yaml (public key only, safe to
commit) and inject it via ansible.posix.authorized_key in the base role,
immediately after SSH hardening. This ensures ops-bridge tunnel
connectivity is available as soon as SSH infrastructure is up on any
managed host — no manual key provisioning required for new nodes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-27 23:52:54 +01:00

111 lines
2.5 KiB
YAML
Raw Blame History

---
- name: Ensure base packages
ansible.builtin.package:
name:
- apt-transport-https
- ca-certificates
- curl
- git
- vim
- ufw
- fail2ban
- python3
- python3-venv
state: present
update_cache: true
- name: Harden SSH
ansible.builtin.copy:
dest: /etc/ssh/sshd_config.d/10-hardening.conf
owner: root
group: root
mode: '0644'
content: |
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
- name: Restart sshd
ansible.builtin.service:
name: ssh
state: restarted
- name: Ensure .ssh directory exists for ops_bridge_user
ansible.builtin.file:
path: "/home/{{ ops_bridge_user | default('tegwick') }}/.ssh"
state: directory
owner: "{{ ops_bridge_user | default('tegwick') }}"
group: "{{ ops_bridge_user | default('tegwick') }}"
mode: '0700'
- name: Inject ops-bridge public key into authorized_keys
ansible.posix.authorized_key:
user: "{{ ops_bridge_user | default('tegwick') }}"
key: "{{ ops_bridge_pubkey }}"
comment: "ops-bridge@{{ inventory_hostname }}"
state: present
when: ops_bridge_pubkey is defined and ops_bridge_pubkey | length > 0
- name: Configure UFW default incoming policy
ansible.builtin.ufw:
state: enabled
policy: deny
direction: incoming
- name: Allow UFW routing (required for k3s flannel pod networking)
ansible.builtin.ufw:
policy: allow
direction: routed
- name: Allow SSH in UFW
ansible.builtin.ufw:
rule: allow
name: OpenSSH
- name: Allow k3s API in UFW
ansible.builtin.ufw:
rule: allow
port: '6443'
proto: tcp
- name: Allow Flannel VXLAN in UFW
ansible.builtin.ufw:
rule: allow
port: '8472'
proto: udp
- name: Enable fail2ban
ansible.builtin.service:
name: fail2ban
state: started
enabled: true
- name: Configure fail2ban SSH jail
ansible.builtin.copy:
dest: /etc/fail2ban/jail.d/sshd.conf
owner: root
group: root
mode: '0644'
content: |
[sshd]
enabled = true
port = ssh
filter = sshd
maxretry = 5
bantime = 3600
findtime = 600
notify: Restart fail2ban
- name: Set HISTCONTROL to ignorespace
ansible.builtin.copy:
dest: /etc/profile.d/histcontrol.sh
owner: root
group: root
mode: '0644'
content: |
export HISTCONTROL=ignorespace
- name: Set timezone
community.general.timezone:
name: "{{ timezone | default('UTC') }}"
Reference in New Issue View Git Blame Copy Permalink