diff --git a/.gitea/workflows/deploy-containers.yml b/.gitea/workflows/deploy-containers.yml
index 255883c..404a5c5 100644
--- a/.gitea/workflows/deploy-containers.yml
+++ b/.gitea/workflows/deploy-containers.yml
@@ -26,5 +26,4 @@ jobs:
 echo "StrictHostKeyChecking no" >> ~/.ssh/config
 echo "${{ secrets.ANSIBLE_VAULT_PASSWORD }}" > ~/.vault_password.txt
 echo "nameserver 10.10.10.1" > /etc/resolv.conf
- ansible-galaxy install oefenweb.fail2ban
 ./.gitea/workflows/deploy.sh "${{ github.event.before }}" "${{ github.sha }}"
diff --git a/.gitea/workflows/deploy.sh b/.gitea/workflows/deploy.sh
index 0293823..0d5b5ac 100755
--- a/.gitea/workflows/deploy.sh
+++ b/.gitea/workflows/deploy.sh
@@ -5,6 +5,7 @@ if [ ! -z "$changed_tasks" ]; then
 tag=$(echo "$task" | awk -F/ '{print $2}')
 if [[ "$tag" != "deploy-homelab.yml" && "$tag" != "main.yml" && "$tag" != "all.yml" && "$tag" != "all.example.yml" && "$tag" != "ISSUE_TEMPLATE" && "$tag" != "workflows" ]] ; then
 tag=${tag%.*}_install
+ ansible-galaxy install -r requirements.yml
 ansible-playbook main.yml --tags "$tag" --vault-password-file ~/.vault_password.txt
 fi
 done
diff --git a/hosts b/hosts
index cde5c58..4f7da70 100644
--- a/hosts
+++ b/hosts
@@ -16,10 +16,11 @@ vps01.comprofix.com
 [jellyfin]
 jellyfin.comprofix.xyz
-[base]
-vps01.comprofix.com
-vps02.comprofix.com
-omada-lxc.comprofix.xyz
-jellyfin.comprofix.xyz
-
+[servers:children]
+base
+jellyfin
+vps
+omada
+docker
+cloud
diff --git a/main.yml b/main.yml
index f476742..f23e479 100644
--- a/main.yml
+++ b/main.yml
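Review bot: The added `ansible-galaxy install -r requirements.yml` sits inside the per-task loop, so it runs once for every changed task ahead of each `ansible-playbook` call, and each run re-resolves the roles from GitHub (requirements.yml points at the `main`/`master` branches, not a release). Hoist it above the `for` loop so roles are fetched once per deploy and a fetch failure stops the run before any playbook executes, e.g. `ansible-galaxy install -r requirements.yml || exit 1` right after the `if [ ! -z "$changed_tasks" ]; then` line. The loop's opening is outside the hunk, so the exact insertion point is not visible here, and whether the script runs under `set -e` cannot be seen either.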
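Review bot: `base` is listed as a child of `servers` while the only `[base]` section visible in this hunk is the one being removed; unless `[base]` is still defined elsewhere in the inventory, Ansible's ini inventory plugin errors on a `:children` entry that names an undefined group, which would fail every deploy. Either drop `base` from the children list or keep an empty `[base]` section. The removed group also held `vps02.comprofix.com`; if that host is not in one of the remaining child groups (`vps`, `cloud`, …) it silently leaves the `servers` play and stops receiving the fail2ban/docker roles, which is worth checking against the rest of the file outside this hunk.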
@@ -1,28 +1,56 @@
 ---
-- hosts: base
- name: Configure all servers
- become: yes
- gather_facts: yes
+- name: Prepare all servers
+ hosts: servers
+ become: true
+ vars_files:
+ - group_vars/all_secrets.yml
+ pre_tasks:
+ - name: Create directories
+ file:
+ path: "/data"
+ state: directory
+
+ - name: Setup base system
+ import_tasks: tasks/base.yml
+ tags: base_setup
 roles:
- - role: base
- tags: base_install
+ - role: geerlingguy.docker
+ docker_users:
+ - administrator
+ - role: grzegorzfranus.fail2ban
+ vars:
+ fail2ban_ignoreip:
+ - 127.0.0.1/8 # loopback
+ - 10.0.0.0/8 # Private
+ - 172.16.0.0/12 # Private
+ - 192.168.0.0/16 # Private
+ - 169.254.0.0/16 # link-local / APIPA
+ - 100.64.0.0/10 # CGNAT
+ - 203.0.113.0/24 # TEST-NETs
+ - 192.0.2.0/24 # TEST-NETs
+ - 198.51.100.0/24 # TEST-NETs
+ - ::1 # ULA - fc00::/7 # Private
+ - fe80::/10 # Private
+ fail2ban_bantime: "1h"
+ fail2ban_findtime: "30m"
+ fail2ban_maxretry: 3
+ fail2ban_custom_jail_files:
+ - name: sshd-strict # This will create /etc/fail2ban/jail.d/sshd-strict.conf
+ content: |
+ [sshd-strict]
+ enabled = true
+ filter = sshd
+ port = ssh
+ logpath = journal
+ backend = systemd
+ maxretry = 3
+ bantime = 3600
+ findtime = 300
 - hosts: cloud
 become: yes
 roles:
- - role: oefenweb.fail2ban
- vars:
- fail2ban_services:
- - name: sshd
- port: 22
- maxretry: 3
- bantime: -1
- tags: fail2ban
- - role: docker
- tags: docker_install
 - name: traefik
 vars:
 traefik_host: traefik01.comprofix.com
@@ -53,17 +81,6 @@
 tags: iscsi_connect
 roles:
- - role: oefenweb.fail2ban
- vars:
- fail2ban_services:
- - name: sshd
- port: 22
- maxretry: 3
- bantime: -1
- tags: fail2ban
- - role: docker
- tags: docker_install
 - role: nfs
 mounts:
 - name: Data share
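Review bot: In `fail2ban_ignoreip` the `::1` entry is commented `# ULA` although `::1` is the IPv6 loopback, and as the diff reads here `- fc00::/7 # Private` follows on the same line inside that comment, which would leave `fc00::/7` (the actual ULA range) out of the list; if that is only a rendering artefact of this view, the labels still need correcting: `- ::1 # loopback`, `- fc00::/7 # ULA (private)`, `- fe80::/10 # link-local`. The list also exempts every RFC 1918 range plus CGNAT (`100.64.0.0/10`) from banning on hosts that, going by `vps01.comprofix.com`, are Internet-facing, so a comment stating why provider-internal or docker-bridge sources must never be banned would help the next reader. `docker_users:` with `administrator` puts that account in the docker group, which is root-equivalent, on every host in `servers`; that deserves a one-line comment as well. The cloud hosts previously used `bantime: -1` (permanent); the new `"1h"` and `bantime = 3600` are a deliberate relaxation but nothing in the play records why.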
@@ -157,21 +174,7 @@
 - hosts: omada
 become: yes
- pre_tasks:
- - name: Run base role to update packages
- import_role:
- name: base
- tags: base_install
- - name: Create directories
- file:
- path: "{{ item }}"
- state: directory
- with_items:
- - "/data"
 roles:
- - role: docker
- tags: docker_install
 - role: nfs
 mounts:
 - name: Data share
diff --git a/requirements.yml b/requirements.yml
new file mode 100644
index 0000000..351e70c
--- /dev/null
+++ b/requirements.yml
@@ -0,0 +1,7 @@
+roles:
+ - name: grzegorzfranus.fail2ban
+ src: git+https://github.com/grzegorzfranus/ansible-role-fail2ban
+ version: main
+ - name: geerlingguy.docker
+ src: git+https://github.com/geerlingguy/ansible-role-docker
+ version: master
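Review bot: Both entries set `version:` to a moving branch (`main`, `master`) of a third-party GitHub repository, and deploy.sh now runs `ansible-galaxy install -r requirements.yml` on every deploy, so whatever those branches contain at that moment is executed with `become` on every host in `servers`. Pin each role to a release tag or commit SHA and bump it deliberately, e.g. `version: "<release-tag-or-commit-sha>"` (placeholder, replace with the real upstream value). Quoting the version keeps a tag such as `1.10` from being read as a float, and a leading `---` would match the other YAML files in the repo.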