test with ssh new ubuntu

2024-05-08 12:49:46 +02:00
parent d38ceafb94
commit 5b02fbfc41
7 changed files with 1549 additions and 1553 deletions


@@ -1,4 +1,41 @@
github_registry_containerlab: ghcr.io #* USERS
github_user: staff92
github_token: ghp_XXXXXXXXX management_user_list:
github_registry_clabernetes: "oci://{{ github_registry_containerlab }}/srl-labs/clabernetes/clabernetes" - name: stephane
shell: '/bin/bash'
authorized_keys:
- key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClVS1uxDfwS6OusQ4qgcZ6hBc8YRBE8MyXu0sUfGN7S3itjI3W2ixD18v80el8dVQVR12jCY0ueavgoV1cHrfGWkFoLKi+QrA4MuSNUChj0NBbyLTmdwPvne8LRv3ttCbRSJ/6bIEveX8y/7kGn/R1NDFlfE6b5R8ersBUKCQM6YxblAkv/XH8cJlQXhr1nLhVOl/ae+Q/pTCbgioB8qrmGEuMvOLmavcFf7IJbJcSgeiXSOnyIRl2n64X6lbRK+MRZ61pF6vAOXA+Ixyt/fAbO7sjqU0+cEhU5Br5/VcqG4Bc5nhWimtXIHPry3aLV5PtN6K9/i3eA5F6Jpa82JzmUMEbWSBIga02yIw9GjRyAI6ccH/kJGuB6QN5/YwGHpOF2f0FGiEAbUz41mLngN3SsXL1pdV2hT3x56/GIcGe6p/f1cytwVCyOaE7W87B05w5JYb1sSFj6QuGW0rHWfnHT5SY87Mk/H8VgZPaPbm+hSjLIQRAmUYQR+Rub1o9bXE= stephane"
exclusive: yes
sudo:
hosts: ALL
as: ALL
commands: ALL
nopasswd: ALL
#* FIREWALL
firewall_allowed_tcp_ports:
- "22"
- "80"
- "443"
- "9100"
# - "9090"
# - "3000"
# - "9323"
#* NETBIRD
netbird_setup_key: F234BD1F-385B-4BEA-8234-608CCB1062ED
netbird_register: true
#* TLS
node_exporter_tls_server_config:
cert_file: /etc/node_exporter/tls.cert
key_file: /etc/node_exporter/tls.key
#* NODE_EXPORTER
# node_exporter_basic_auth_users:
# randomuser: examplepassword
node_exporter_web_listen_address: "{{ host_private_address }}:9100"
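Review bot: `netbird_setup_key` in the NETBIRD stanza is committed as a plaintext value in a vars file, and the same key recurs in the later monitoring vars file of this commit together with the Prometheus `basic_auth` password, while the sshd/alert vars file carries `alert_password`, `alert_vault` and `chisel_client_auth_password` in the clear. The commit itself shows the repo already uses Ansible Vault (`test_vault: !vault |`), so these values should be stored the same way, e.g. `netbird_setup_key: !vault |` followed by the encrypted payload, and any value that has already been pushed treated as exposed and rotated. `exclusive: yes` is a YAML 1.1 boolean that Ansible's loader accepts but yamllint's truthy rule flags; `exclusive: true` is the canonical form. The rendering does not show where the old and new columns split on the first four lines, so the exact new-side content of those lines is inferred.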


@@ -1,139 +1,139 @@
--- # ---
install_docker: true # install_docker: true
install_fail2ban: true # install_fail2ban: true
package_list: # package_list:
- name: python3-pip
- name: proxychains
########
# USER #
########
management_user_list:
- name: stephane
shell: '/bin/bash'
authorized_keys:
- key: "ssh-rsa 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 stephane"
exclusive: yes
sudo:
hosts: ALL
as: ALL
commands: ALL
nopasswd: ALL
################
# SSH - CLIENT #
################
# ssh_drop_in_name: null
# #ssh_user: root
# ssh:
# # noqa var-naming
# Compression: true
# GSSAPIAuthentication: false
# # wokeignore:rule=master
# ControlMaster: auto
# ControlPath: ~/.ssh/.cm%C
# Match:
# - Condition: "final all"
# GSSAPIAuthentication: true
# Host:
# - Condition: example
# Hostname: example.com
# User: somebody
# ssh_ForwardX11: false
#################
# SSH - SERVEUR #
#################
sshd_skip_defaults: true
sshd_config_file: /etc/ssh/sshd_config
sshd_AuthorizedKeysFile: .ssh/authorized_keys
sshd_AcceptEnv: "LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION LC_ALL"
sshd_Protocol: 2
sshd_LoginGraceTime: 30
sshd_SyslogFacility: AUTH
sshd_LogLevel: VERBOSE
sshd_PermitRootLogin: 'no'
sshd_StrictModes: 'yes'
sshd_IgnoreRhosts: 'yes'
sshd_HostbasedAuthentication: 'no'
sshd_PasswordAuthentication: 'no'
sshd_PermitEmptyPasswords: 'no'
sshd_ChallengeResponseAuthentication: 'no'
sshd_GSSAPIAuthentication: 'no'
sshd_X11DisplayOffset: 10
sshd_PrintMotd: 'yes'
sshd_PrintLastLog: 'yes'
sshd_TCPKeepAlive: 'yes'
sshd_Subsystem: "sftp /usr/lib/openssh/sftp-server"
sshd_UsePAM: 'yes'
sshd_UseDNS: 'no'
sshd_KexAlgorithms: "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"
sshd_Ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr"
sshd_MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com"
sshd_HostKey:
- /etc/ssh/ssh_host_rsa_key
#######
# APT #
#######
apt_upgrade: true
apt_repositories: []
apt_ppas: []
# # nginx ppa repo
# - repo: ppa:nginx/stable
# # not needed on ubuntu distribution
# #codename: trusty
# apt_packages:
# - name: python3-pip # - name: python3-pip
# - name: proxychains
######### # ########
# ALERT # # # USER #
######### # ########
alert_username: jingohalert # management_user_list:
alert_password: jMVmbM2VQ5gEiV # - name: stephane
alert_vault: "Jingoh0947;" # shell: '/bin/bash'
alert_list_server: # authorized_keys:
- '"163.172.84.28"' # - key: "ssh-rsa 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 stephane"
- '"37.187.127.90"' # exclusive: yes
alert_server_ssl: gitea.jingoh.fr # sudo:
# hosts: ALL
# as: ALL
# commands: ALL
# nopasswd: ALL
########## # ################
# CHISEL # # # SSH - CLIENT #
########## # ################
chisel_version: 1.8.1 # # ssh_drop_in_name: null
chisel_server_host: 163.172.84.28 # # #ssh_user: root
chisel_server_port: 8080
chisel_client_auth_username: user
chisel_client_auth_password: pass
chisel_remove_all: # # ssh:
- "{{ chisel_service_destination }}" # # # noqa var-naming
- "{{ chisel_config_folder }}" # # Compression: true
- "{{ chisel_download_destination }}" # # GSSAPIAuthentication: false
- "{{ chisel_install_destination }}" # # # wokeignore:rule=master
- /var/log/chisel # # ControlMaster: auto
# # ControlPath: ~/.ssh/.cm%C
# # Match:
# # - Condition: "final all"
# # GSSAPIAuthentication: true
# # Host:
# # - Condition: example
# # Hostname: example.com
# # User: somebody
# # ssh_ForwardX11: false
# #################
# # SSH - SERVEUR #
# #################
# sshd_skip_defaults: true
# sshd_config_file: /etc/ssh/sshd_config
# sshd_AuthorizedKeysFile: .ssh/authorized_keys
# sshd_AcceptEnv: "LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION LC_ALL"
# sshd_Protocol: 2
# sshd_LoginGraceTime: 30
# sshd_SyslogFacility: AUTH
# sshd_LogLevel: VERBOSE
# sshd_PermitRootLogin: 'no'
# sshd_StrictModes: 'yes'
# sshd_IgnoreRhosts: 'yes'
# sshd_HostbasedAuthentication: 'no'
# sshd_PasswordAuthentication: 'no'
# sshd_PermitEmptyPasswords: 'no'
# sshd_ChallengeResponseAuthentication: 'no'
# sshd_GSSAPIAuthentication: 'no'
# sshd_X11DisplayOffset: 10
# sshd_PrintMotd: 'yes'
# sshd_PrintLastLog: 'yes'
# sshd_TCPKeepAlive: 'yes'
# sshd_Subsystem: "sftp /usr/lib/openssh/sftp-server"
# sshd_UsePAM: 'yes'
# sshd_UseDNS: 'no'
# sshd_KexAlgorithms: "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"
# sshd_Ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr"
# sshd_MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com"
# sshd_HostKey:
# - /etc/ssh/ssh_host_rsa_key
# #######
# # APT #
# #######
# apt_upgrade: true
# apt_repositories: []
# apt_ppas: []
# # # nginx ppa repo
# # - repo: ppa:nginx/stable
# # # not needed on ubuntu distribution
# # #codename: trusty
# # apt_packages:
# # - name: python3-pip
# #########
# # ALERT #
# #########
# alert_username: jingohalert
# alert_password: jMVmbM2VQ5gEiV
# alert_vault: "Jingoh0947;"
# alert_list_server:
# - '"163.172.84.28"'
# - '"37.187.127.90"'
# alert_server_ssl: gitea.jingoh.fr
# ##########
# # CHISEL #
# ##########
# chisel_version: 1.8.1
# chisel_server_host: 163.172.84.28
# chisel_server_port: 8080
# chisel_client_auth_username: user
# chisel_client_auth_password: pass
# chisel_remove_all:
# - "{{ chisel_service_destination }}"
# - "{{ chisel_config_folder }}"
# - "{{ chisel_download_destination }}"
# - "{{ chisel_install_destination }}"
# - /var/log/chisel
test_vault: !vault | # test_vault: !vault |
$ANSIBLE_VAULT;1.2;AES256;prod # $ANSIBLE_VAULT;1.2;AES256;prod
36663965646236326237623936646161653232306263353564666238626564633530363761633164 # 36663965646236326237623936646161653232306263353564666238626564633530363761633164
6166363235383964626463353061343635626431396664660a333231303661343362353162353938 # 6166363235383964626463353061343635626431396664660a333231303661343362353162353938
32373332373362656635393365363635313137306532366536323765346464336634653366383961 # 32373332373362656635393365363635313137306532366536323765346464336634653366383961
3965626433316138320a366336393034383065363134623239646230396432356431383935346463 # 3965626433316138320a366336393034383065363134623239646230396432356431383935346463
6330 # 6330
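Review bot: `sshd_HostKey` lists only `/etc/ssh/ssh_host_rsa_key`, so with `sshd_skip_defaults: true` the server offers no ed25519 host key even though the Kex/Ciphers/MACs lines already prefer modern algorithms; adding `- /etc/ssh/ssh_host_ed25519_key` to that list keeps the hardening consistent. `sshd_Protocol: 2` is a deprecated directive on current OpenSSH (SSH-1 support is gone and the option only triggers a deprecation message), so it can be dropped. The rendering shows one column of this file fully commented out with a leading `# ` (down to `# test_vault: !vault |`); I cannot tell from the page which column is the new side, but if it is the commented one this vars file no longer sets anything, which would silently undo the sshd settings here unless the playbook's newly enabled `devsec.hardening.ssh_hardening` role is meant to replace them — a one-line comment at the top stating that intent would remove the ambiguity.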


@@ -1,99 +1,99 @@
--- # ---
package_list: # package_list:
- name: python3-pip # - name: python3-pip
sshd_skip_defaults: true # sshd_skip_defaults: true
sshd_config_file: /etc/ssh/sshd_config # sshd_config_file: /etc/ssh/sshd_config
sshd_AuthorizedKeysFile: .ssh/authorized_keys # sshd_AuthorizedKeysFile: .ssh/authorized_keys
sshd_AcceptEnv: "LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION LC_ALL" # sshd_AcceptEnv: "LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION LC_ALL"
sshd_Protocol: 2 # sshd_Protocol: 2
sshd_LoginGraceTime: 30 # sshd_LoginGraceTime: 30
sshd_SyslogFacility: AUTH # sshd_SyslogFacility: AUTH
sshd_LogLevel: VERBOSE # sshd_LogLevel: VERBOSE
sshd_PermitRootLogin: 'no' # sshd_PermitRootLogin: 'no'
sshd_StrictModes: 'yes' # sshd_StrictModes: 'yes'
sshd_IgnoreRhosts: 'yes' # sshd_IgnoreRhosts: 'yes'
sshd_HostbasedAuthentication: 'no' # sshd_HostbasedAuthentication: 'no'
sshd_PasswordAuthentication: 'no' # sshd_PasswordAuthentication: 'no'
sshd_PermitEmptyPasswords: 'no' # sshd_PermitEmptyPasswords: 'no'
sshd_ChallengeResponseAuthentication: 'no' # sshd_ChallengeResponseAuthentication: 'no'
sshd_GSSAPIAuthentication: 'no' # sshd_GSSAPIAuthentication: 'no'
sshd_X11DisplayOffset: 10 # sshd_X11DisplayOffset: 10
sshd_PrintMotd: 'yes' # sshd_PrintMotd: 'yes'
sshd_PrintLastLog: 'yes' # sshd_PrintLastLog: 'yes'
sshd_TCPKeepAlive: 'yes' # sshd_TCPKeepAlive: 'yes'
sshd_Subsystem: "sftp /usr/lib/openssh/sftp-server" # sshd_Subsystem: "sftp /usr/lib/openssh/sftp-server"
sshd_UsePAM: 'yes' # sshd_UsePAM: 'yes'
sshd_UseDNS: 'no' # sshd_UseDNS: 'no'
sshd_KexAlgorithms: "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256" # sshd_KexAlgorithms: "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"
sshd_Ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr" # sshd_Ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr"
sshd_MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com" # sshd_MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com"
sshd_HostKey: # sshd_HostKey:
- /etc/ssh/ssh_host_rsa_key # - /etc/ssh/ssh_host_rsa_key
####### # #######
# APT # # # APT #
####### # #######
apt_repositories_sources: # apt_repositories_sources:
- deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal main restricted # - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal main restricted
- deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-updates main restricted # - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-updates main restricted
- deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal universe # - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal universe
- deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-updates universe # - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-updates universe
- deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal multiverse # - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal multiverse
- deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-updates multiverse # - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-updates multiverse
- deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse # - deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse
- deb http://security.ubuntu.com/ubuntu focal-security main restricted # - deb http://security.ubuntu.com/ubuntu focal-security main restricted
- deb http://security.ubuntu.com/ubuntu focal-security universe # - deb http://security.ubuntu.com/ubuntu focal-security universe
- deb http://security.ubuntu.com/ubuntu focal-security multiverse # - deb http://security.ubuntu.com/ubuntu focal-security multiverse
######## # ########
# KUBE # # # KUBE #
######## # ########
disable_firewall: true # disable_firewall: true
# Need public_network for argocd # # Need public_network for argocd
# I use any because both worker and master are not on the same network ( # # I use any because both worker and master are not on the same network (
# They have only one public IP # # They have only one public IP
kubernetes_subnet: 0.0.0.0/0 # kubernetes_subnet: 0.0.0.0/0
# vip control plan 192.168.25.255 # # vip control plan 192.168.25.255
setup_vip: false # setup_vip: false
install_nginx_ingress: false # install_nginx_ingress: false
install_longhorn: false # install_longhorn: false
# This variable is used when the cluster is bootstrapped for the first time # # This variable is used when the cluster is bootstrapped for the first time
kubernetes_init_host: ovh-master # kubernetes_init_host: ovh-master
kubernetes_init_app: true # kubernetes_init_app: true
kubernetes_app: # kubernetes_app:
- url: https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml # - url: https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
namespace: argocd # namespace: argocd
kubernetes_alias_bashrc: # kubernetes_alias_bashrc:
- path: "/root/.bashrc" # - path: "/root/.bashrc"
regexp: "^source /usr/share/bash-completion/bash_completion" # regexp: "^source /usr/share/bash-completion/bash_completion"
state: present # state: present
line: "source /usr/share/bash-completion/bash_completion" # line: "source /usr/share/bash-completion/bash_completion"
- path: "/root/.bashrc" # - path: "/root/.bashrc"
regexp: "^source /etc/bash_completion" # regexp: "^source /etc/bash_completion"
state: present # state: present
line: "source /etc/bash_completion" # line: "source /etc/bash_completion"
- path: "/root/.bashrc" # - path: "/root/.bashrc"
regexp: "^source <(kubectl completion bash)" # regexp: "^source <(kubectl completion bash)"
state: present # state: present
line: "source <(kubectl completion bash)" # line: "source <(kubectl completion bash)"
- path: "/root/.bashrc" # - path: "/root/.bashrc"
regexp: "^alias k=kubectl" # regexp: "^alias k=kubectl"
state: present # state: present
line: "alias k=kubectl" # line: "alias k=kubectl"
- path: "/root/.bashrc" # - path: "/root/.bashrc"
regexp: "^complete -F __start_kubectl k" # regexp: "^complete -F __start_kubectl k"
state: present # state: present
line: "complete -F __start_kubectl k" # line: "complete -F __start_kubectl k"
- path: "/root/.bashrc" # - path: "/root/.bashrc"
regexp: '^alias kname="kubectl config set-context --current --namespace="' # regexp: '^alias kname="kubectl config set-context --current --namespace="'
state: present # state: present
line: '^alias kname="kubectl config set-context --current --namespace="' # line: '^alias kname="kubectl config set-context --current --namespace="'
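Review bot: The last `kubernetes_alias_bashrc` entry copies the regexp's anchor into the text written to `.bashrc`: `line: '^alias kname="kubectl config set-context --current --namespace="'` writes a literal `^`, so the alias is never defined; it should be `line: 'alias kname="kubectl config set-context --current --namespace="'`. The defect is present on both columns of the rendering, so it predates this commit but is worth fixing while the file is being touched. Separately, `disable_firewall: true` together with `kubernetes_subnet: 0.0.0.0/0` (the comment above it says the nodes only have public IPs) means the API server and node ports are reachable from any source with no host-level filter; a comment naming the control that is expected to limit access instead (provider security group, netbird, or none) would let the next maintainer audit this without guessing.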


@@ -82,18 +82,18 @@
roles: roles:
# - robertdebock.update # - robertdebock.update
# - devsec.hardening.os_hardening - devsec.hardening.os_hardening
# - devsec.hardening.ssh_hardening - devsec.hardening.ssh_hardening
# - maxlareo.rkhunter # - maxlareo.rkhunter
# - maxlareo.chkrootkit # - maxlareo.chkrootkit
# - robertdebock.auditd - robertdebock.auditd
- { role: geerlingguy.firewall, tags: firewall } - geerlingguy.firewall
# - grog.management-user - grog.management-user
# - GROG.user - GROG.user
# - GROG.authorized-key - GROG.authorized-key
# - GROG.sudo - GROG.sudo
# - ansible_unattended_upgrades - ansible_unattended_upgrades
# - buluma.lynis - buluma.lynis
# roles: # roles:
# - role: netways.elasticstack.elasticsearch # - role: netways.elasticstack.elasticsearch
@@ -102,7 +102,7 @@
- name: Update repositories and install py3-pip package - name: Update repositories and install py3-pip package
community.general.apk: community.general.apk:
name: py3-pip name: python3-pip
update_cache: true update_cache: true
delegate_to: localhost delegate_to: localhost
@@ -121,7 +121,7 @@
firstmatch: true firstmatch: true
line: '#!Enable-HMAC-ETM' line: '#!Enable-HMAC-ETM'
- name: Reload service httpd, in all cases - name: Reload service sshd, in all cases
ansible.builtin.service: ansible.builtin.service:
name: sshd.service name: sshd.service
state: reloaded state: reloaded
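Review bot: In the `-102,7 +102,7` hunk the package passed to `community.general.apk` changes from `py3-pip` to `python3-pip`; Alpine's apk package for pip is `py3-pip` (the task's own name still says "install py3-pip package"), so if `localhost` is Alpine this install will fail, and if it is Debian/Ubuntu then `apk` is the wrong module rather than the wrong name. Suggested: keep `name: py3-pip`, or switch the task to `ansible.builtin.package` if the controller distribution varies. In the roles hunk `- { role: geerlingguy.firewall, tags: firewall }` becomes `- geerlingguy.firewall`, which drops the `firewall` tag and with it the ability to run only that role via `--tags firewall`; the tagged form can be kept while the other roles are enabled. The play these hunks belong to starts and ends outside the section.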


@@ -1,130 +1,130 @@
--- # ---
#* DOCKER # #* DOCKER
docker_install_compose: true # docker_install_compose: true
pip_executable: pip3 # pip_executable: pip3
#*PIP # #*PIP
pip_install_packages: # pip_install_packages:
- docker-compose # - docker-compose
#* SSH # #* SSH
#ssh_listen_to: "{{ host_private_address }}" # #ssh_listen_to: "{{ host_private_address }}"
#* USERS # #* USERS
management_user_list: # management_user_list:
- name: admin # - name: admin
shell: '/bin/bash' # shell: '/bin/bash'
authorized_keys: # authorized_keys:
- key: "ssh-rsa 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 stephane" # - key: "ssh-rsa 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 stephane"
exclusive: yes # exclusive: yes
sudo: # sudo:
hosts: ALL # hosts: ALL
as: ALL # as: ALL
commands: ALL # commands: ALL
nopasswd: ALL # nopasswd: ALL
#* FIREWALL # #* FIREWALL
firewall_allowed_tcp_ports: # firewall_allowed_tcp_ports:
- "22" # - "22"
- "80" # - "80"
- "443" # - "443"
- "9100" # - "9100"
- "9090" # - "9090"
- "3000" # - "3000"
- "9323" # - "9323"
#* NETBIRD # #* NETBIRD
netbird_setup_key: F234BD1F-385B-4BEA-8234-608CCB1062ED # netbird_setup_key: F234BD1F-385B-4BEA-8234-608CCB1062ED
netbird_register: true # netbird_register: true
#* TLS # #* TLS
node_exporter_tls_server_config: # node_exporter_tls_server_config:
cert_file: /etc/node_exporter/tls.cert # cert_file: /etc/node_exporter/tls.cert
key_file: /etc/node_exporter/tls.key # key_file: /etc/node_exporter/tls.key
#* NODE_EXPORTER # #* NODE_EXPORTER
# node_exporter_basic_auth_users: # # node_exporter_basic_auth_users:
# randomuser: examplepassword # # randomuser: examplepassword
node_exporter_web_listen_address: "{{ host_private_address }}:9100" # node_exporter_web_listen_address: "{{ host_private_address }}:9100"
#* PROMETHEUS # #* PROMETHEUS
prometheus_web_listen_address: "{{ host_private_address }}:9090" # prometheus_web_listen_address: "{{ host_private_address }}:9090"
prometheus_scrape_configs: # prometheus_scrape_configs:
- job_name: "prometheus" # Custom scrape job, here using `static_config` # - job_name: "prometheus" # Custom scrape job, here using `static_config`
metrics_path: "/metrics" # metrics_path: "/metrics"
static_configs: # static_configs:
- targets: # - targets:
- "{{ host_private_address }}:9090" # - "{{ host_private_address }}:9090"
- job_name: "node1" # - job_name: "node1"
scheme: https # Custom scrape job, here using `static_config` # scheme: https # Custom scrape job, here using `static_config`
metrics_path: "/metrics" # metrics_path: "/metrics"
tls_config: # tls_config:
ca_file: "{{ node_exporter_tls_server_config.cert_file }}" # ca_file: "{{ node_exporter_tls_server_config.cert_file }}"
static_configs: # static_configs:
- targets: # - targets:
- "{{ ansible_hostname }}.netbird.cloud:9100" # - "{{ ansible_hostname }}.netbird.cloud:9100"
- job_name: "node2" # - job_name: "node2"
scheme: https # Custom scrape job, here using `static_config` # scheme: https # Custom scrape job, here using `static_config`
metrics_path: "/metrics" # metrics_path: "/metrics"
tls_config: # tls_config:
ca_file: "/etc/node_exporter/tls_scaleway.cert" # ca_file: "/etc/node_exporter/tls_scaleway.cert"
static_configs: # static_configs:
- targets: # - targets:
- "scaleway.netbird.cloud:9100" # - "scaleway.netbird.cloud:9100"
# - "{{ host_private_address }}:9100" # # - "{{ host_private_address }}:9100"
- job_name: "git" # - job_name: "git"
scheme: https # Custom scrape job, here using `static_config` # scheme: https # Custom scrape job, here using `static_config`
metrics_path: "/metrics" # metrics_path: "/metrics"
static_configs: # static_configs:
- targets: # - targets:
- "gitea.jingoh.fr" # - "gitea.jingoh.fr"
- job_name: "publicservicediscovery" # - job_name: "publicservicediscovery"
metrics_path: "/metrics" # metrics_path: "/metrics"
basic_auth: # basic_auth:
username: 'jingohtraf' # username: 'jingohtraf'
password: 'FSzmSLr#6i9M#d' # password: 'FSzmSLr#6i9M#d'
scheme: https # scheme: https
file_sd_configs: # file_sd_configs:
- files: # - files:
- "{{ prometheus_config_dir }}/file_sd/node.yml" # This line loads file created from `prometheus_targets` # - "{{ prometheus_config_dir }}/file_sd/node.yml" # This line loads file created from `prometheus_targets`
prometheus_targets: # prometheus_targets:
node: # This is a base file name. File is located in "{{ prometheus_config_dir }}/file_sd/<<BASENAME>>.yml" # node: # This is a base file name. File is located in "{{ prometheus_config_dir }}/file_sd/<<BASENAME>>.yml"
- targets: # # - targets: #
- "traefik.jingoh.fr" # - "traefik.jingoh.fr"
#* GRAFANA # #* GRAFANA
grafana_address: "{{ host_private_address }}" # grafana_address: "{{ host_private_address }}"
install_grafana__protocol: "https" # install_grafana__protocol: "https"
install_grafana__http_addr: "{{ host_private_address }}" # install_grafana__http_addr: "{{ host_private_address }}"
install_grafana__domain: "{{ ansible_hostname }}.netbird.cloud" # install_grafana__domain: "{{ ansible_hostname }}.netbird.cloud"
inv_install_grafana__cert_file: "{{ node_exporter_tls_server_config.cert_file }}" # inv_install_grafana__cert_file: "{{ node_exporter_tls_server_config.cert_file }}"
inv_install_grafana__cert_key: "{{ node_exporter_tls_server_config.key_file }}" # inv_install_grafana__cert_key: "{{ node_exporter_tls_server_config.key_file }}"
# ########## # # ##########
# # CHISEL # # # # CHISEL #
# ########## # # ##########
# chisel_server: false # # chisel_server: false
# chisel_client_server_url: "{{ chisel_server_host }}:8080" # # chisel_client_server_url: "{{ chisel_server_host }}:8080"
# chisel_client_remotes: "R:{{ chisel_server_host }}:socks" # # chisel_client_remotes: "R:{{ chisel_server_host }}:socks"
# chisel_service_name: chisel-client # # chisel_service_name: chisel-client
# chisel_config_name: chisel-client # # chisel_config_name: chisel-client
# chisel_conf: # # chisel_conf:
# # chisel enable auth and finder # # # chisel enable auth and finder
# - path: "/etc/chisel/{{ chisel_config_name }}.conf" # # - path: "/etc/chisel/{{ chisel_config_name }}.conf"
# regexp: "^AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}" # # regexp: "^AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}"
# state: present # # state: present
# line: "AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}" # # line: "AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}"
# - path: "/etc/chisel/{{ chisel_config_name }}.conf" # # - path: "/etc/chisel/{{ chisel_config_name }}.conf"
# regexp: "^FINGERPRINT=--fingerprint {{ chisel_client_server_fingerprint }}" # # regexp: "^FINGERPRINT=--fingerprint {{ chisel_client_server_fingerprint }}"
# state: present # # state: present
# line: "FINGERPRINT=--fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4]|default('') }}" # # line: "FINGERPRINT=--fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4]|default('') }}"
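Review bot: `firewall_allowed_tcp_ports` opens 9090, 3000 and 9323 in addition to 22/80/443/9100, while `prometheus_web_listen_address` and `grafana_address` bind `{{ host_private_address }}` and no authentication is configured for the Prometheus UI anywhere in this file; if `host_private_address` is the host's only (public) interface, as the Kubernetes vars file in this commit states for its nodes, the Prometheus web UI and query API become reachable from any source. Either keep those three ports commented out as the sibling vars file does, or add source-restricted rules through the role's `firewall_additional_rules` and put a comment above the list stating the intended reachability. The USERS/FIREWALL/NETBIRD/TLS/NODE_EXPORTER stanzas duplicate the first vars file of this commit almost verbatim (only the user name `admin` vs `stephane` and the opened ports differ), which suggests moving the shared part to group_vars so the two cannot drift. Which column of this section is the new side cannot be determined from the rendering.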


hosts

@@ -1,53 +1,12 @@
# Test VM vagrant
; [kubernetes:children]
; kubemaster
; kubeworker
; [kubemaster]
; ovh_master ansible_host=37.187.127.90 ansible_user=stephane
[netbird] [netbird]
ovh01 ansible_host=5.135.181.11 ansible_user=stephane node1 ansible_host=163.172.209.36 ansible_user=stephane
scaleway_fr ansible_host=163.172.84.28 ansible_user=stephane node2 ansible_host=5.135.181.11 ansible_user=stephane
scaleway ansible_host=163.172.84.28 ansible_user=stephane
[controller] [controller]
scaleway ansible_host=163.172.84.28 ansible_user=stephane scaleway ansible_host=163.172.84.28 ansible_user=stephane
[monitoring] [kubernetes]
ovh01 ansible_host=5.135.181.11 ansible_user=stephane node1 ansible_host=163.172.209.36 ansible_user=stephane
; ubuntu ansible_host=192.168.0.22 ansible_user=vagrant ansible_password=vagrant node2 ansible_host=5.135.181.11 ansible_user=stephane
[elasticsearch]
ubuntu ansible_host=192.168.0.26 ansible_user=vagrant ansible_password=vagrant
[test]
ubuntu ansible_host=192.168.0.26 ansible_user=vagrant ansible_password=vagrant
; # TO KNOW WHOIS CHISEL SERVER
; [server]
; scaleway_fr ansible_host=163.172.84.28 ansible_user=stephane
; [local]
; vagrant ansible_host=192.168.33.10 ansible_user=vagrant ansible_password=vagrant
; ubuntu-worker ansible_host=192.168.33.11 ansible_user=vagrant ansible_password=vagrant
; [workers]
; ubuntu-worker ansible_host=192.168.33.11 ansible_user=vagrant ansible_password=vagrant
#kubectl label node ubuntu-worker node-role.kubernetes.io/worker ubuntu-worker
[testswarm]
manager ansible_host=192.168.50.4 ansible_user=vagrant ansible_password=vagrant ansible_become_password=vagrant
worker1 ansible_host=192.168.50.40 ansible_user=vagrant ansible_password=vagrant ansible_become_password=vagrant
worker2 ansible_host=192.168.50.44 ansible_user=vagrant ansible_password=vagrant ansible_become_password=vagrant
[docker_swarm_manager]
manager ansible_host=192.168.50.4 ansible_user=vagrant ansible_password=vagrant ansible_become_password=vagrant
[docker_swarm_worker]
worker1 ansible_host=192.168.50.40 ansible_user=vagrant ansible_password=vagrant ansible_become_password=vagrant
worker2 ansible_host=192.168.50.44 ansible_user=vagrant ansible_password=vagrant ansible_become_password=vagrant
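Review bot: Taking the short right-hand column as the new side (the `-1,53 +1,12` counts admit no other reading), the host at 5.135.181.11 is renamed from `ovh01` to `node2` and `node1` is added at 163.172.209.36, but the Kubernetes vars file in this same commit still sets `kubernetes_init_host: ovh-master`, a name that now exists only in the `;`-commented lines of this inventory; any `host_vars/ovh01` and any lookup by the old names will silently stop matching, so `kubernetes_init_host` should be updated to the node meant to bootstrap the cluster in the same commit. `node1` and `node2` appear in both `[netbird]` and `[kubernetes]` with their public addresses, so a comment such as `; cluster traffic is expected over netbird, not the public IPs` would make the `kubernetes_subnet: 0.0.0.0/0` setting elsewhere easier to audit. The new side also drops the vagrant entries that carried `ansible_password`/`ansible_become_password` inline, which is the right direction for an inventory kept in version control.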