sgratias/semaphore
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update infra semaphore

Browse Source
This commit is contained in:
sgratias
2024-03-17 20:48:58 +01:00
parent c6ed07e1f2
commit 7485cee556
6 changed files with 93 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

98
hardening.yml
View File

@@ -1,4 +1,4 @@
- hosts: test - hosts: monitoring
# vars: # vars:
become: true become: true
gather_facts: true gather_facts: true
@@ -7,7 +7,45 @@
- name: Set hostname - name: Set hostname
ansible.builtin.hostname: ansible.builtin.hostname:
name: "{{ ansible_hostname }}" name: "{{ inventory_hostname }}"
- name: Check for Netbird Installation
ansible.builtin.shell:
cmd: netbird version
ignore_errors: true
register: netbird_installed
- name: Install Netbird first to have private network
block:
- name: Add key Netbird
become: true
ansible.builtin.shell: curl -sSL https://pkgs.netbird.io/debian/public.key | sudo gpg --dearmor --output /usr/share/keyrings/netbird-archive-keyring.gpg
- name: mode file for netbird key
ansible.builtin.file:
path: /usr/share/keyrings/netbird-archive-keyring.gpg
state: file
mode: 0644
- name: somerepo | apt source
ansible.builtin.apt_repository:
repo: "deb [signed-by=/usr/share/keyrings/netbird-archive-keyring.gpg] https://pkgs.netbird.io/debian stable main"
state: present
- name: Install netbird
ansible.builtin.apt:
name: "netbird"
state: present
update_cache: true
- name: Start Netbird
become: true
ansible.builtin.shell: netbird up --setup-key="{{ netbird_setup_key }}"
when: netbird_installed.rc != 0
# curl -sSL https://pkgs.netbird.io/debian/public.key | sudo gpg --dearmor --output /usr/share/keyrings/netbird-archive-keyring.gpg
# chmod 0644 /usr/share/keyrings/netbird-archive-keyring.gpg
# # echo 'deb [signed-by=/usr/share/keyrings/netbird-archive-keyring.gpg] https://pkgs.netbird.io/debian stable main' | sudo tee /etc/apt/sources.list.d/netbird.list
- name: Create node_exporter cert dir - name: Create node_exporter cert dir
file: file:
@@ -29,7 +67,7 @@
community.crypto.openssl_csr: community.crypto.openssl_csr:
path: /etc/node_exporter/tls.csr path: /etc/node_exporter/tls.csr
privatekey_path: /etc/node_exporter/tls.key privatekey_path: /etc/node_exporter/tls.key
common_name: "{{ ansible_hostname }}.netbird.cloud" common_name: "{{ inventory_hostname }}.netbird.cloud"
- name: Generate a Self Signed OpenSSL certificate - name: Generate a Self Signed OpenSSL certificate
community.crypto.x509_certificate: community.crypto.x509_certificate:
@@ -43,22 +81,22 @@
# chmod go+r /usr/share/keyrings/netbird-archive-keyring.gpg for error: # chmod go+r /usr/share/keyrings/netbird-archive-keyring.gpg for error:
#||-----> GPG error: https://pkgs.netbird.io/debian stable InRelease: The following signatures couldn't be verified because the public key is not available #||-----> GPG error: https://pkgs.netbird.io/debian stable InRelease: The following signatures couldn't be verified because the public key is not available
roles: # roles:
- robertdebock.update # - robertdebock.update
- devsec.hardening.os_hardening # - devsec.hardening.os_hardening
- devsec.hardening.ssh_hardening # - devsec.hardening.ssh_hardening
- maxlareo.rkhunter # - maxlareo.rkhunter
- maxlareo.chkrootkit # - maxlareo.chkrootkit
- robertdebock.auditd # - robertdebock.auditd
- geerlingguy.firewall # - geerlingguy.firewall
- grog.management-user # - grog.management-user
- GROG.user # - GROG.user
- GROG.authorized-key # - GROG.authorized-key
- GROG.sudo # - GROG.sudo
- ansible_unattended_upgrades # - ansible_unattended_upgrades
- dominion_solutions.netbird.netbird # - buluma.lynis
- buluma.lynis
tasks: tasks:
- name: Retrieve private IP address netbird - name: Retrieve private IP address netbird
ansible.builtin.gather_facts: ansible.builtin.gather_facts:
@@ -67,6 +105,7 @@
host_interfaces: "{{ host_interfaces + [item]}}" host_interfaces: "{{ host_interfaces + [item]}}"
vars: vars:
host_interfaces: [] host_interfaces: []
when: ansible_facts[item].ipv4.address is defined
loop: "{{ ansible_facts.interfaces }}" loop: "{{ ansible_facts.interfaces }}"
- name: Set host_private_address - name: Set host_private_address
@@ -83,25 +122,12 @@
# when: group_names is search("monitoring") # when: group_names is search("monitoring")
- ansible.builtin.import_role: - ansible.builtin.import_role:
name: prometheus.prometheus.node_exporter name: prometheus.prometheus.node_exporter
- ansible.builtin.import_role: - ansible.builtin.import_role:
name: prometheus.prometheus.prometheus name: prometheus.prometheus.prometheus
when: group_names is search("monitoring") when: group_names is search("monitoring")
- ansible.builtin.import_role:
# - name: "Include labocbz.install_grafana" name: ansible-role-labocbz-install-grafana
# tags: when: group_names is search("monitoring")
# - test
# vars:
# install_grafana__protocol: "https"
# install_grafana__http_addr: "{{ host_private_address }}"
# install_grafana__domain: "{{ ansible_hostname }}.netbird.cloud"
# inv_install_grafana__cert_file: /etc/node_exporter/tls.cert
# inv_install_grafana__cert_key: /etc/node_exporter/tls.key
# ansible.builtin.include_role:
# name: ansible-role-labocbz-install-grafana
# - prometheus.prometheus.node_exporter
# https://galaxy.ansible.com/ui/repo/published/prometheus/prometheus/content/role/node_exporter/

8
host_vars/ovh01.yml
View File

@@ -57,6 +57,14 @@ prometheus_scrape_configs:
static_configs: static_configs:
- targets: - targets:
- "{{ ansible_hostname }}.netbird.cloud:9100" - "{{ ansible_hostname }}.netbird.cloud:9100"
- job_name: "node2"
scheme: https # Custom scrape job, here using `static_config`
metrics_path: "/metrics"
tls_config:
ca_file: "/etc/node_exporter/tls_scaleway.cert"
static_configs:
- targets:
- "scaleway.netbird.cloud:9100"
# - "{{ host_private_address }}:9100" # - "{{ host_private_address }}:9100"
- job_name: "git" - job_name: "git"
scheme: https # Custom scrape job, here using `static_config` scheme: https # Custom scrape job, here using `static_config`

20
host_vars/scaleway_fr.yml → host_vars/scaleway.yml
View File

@@ -1,5 +1,25 @@
--- ---
#* NETBIRD
netbird_setup_key: F234BD1F-385B-4BEA-8234-608CCB1062ED
netbird_register: true
#* TLS
node_exporter_tls_server_config:
cert_file: /etc/node_exporter/tls.cert
key_file: /etc/node_exporter/tls.key
#* NODE_EXPORTER
# node_exporter_basic_auth_users:
# randomuser: examplepassword
node_exporter_web_listen_address: "{{ host_private_address }}:9100"
######## ########
# USER # # USER #
######## ########

0
host_vars/test.yml → host_vars/ubuntu.yml
View File

6
hosts
View File

@@ -11,14 +11,14 @@ ovh01 ansible_host=5.135.181.11 ansible_user=stephane
scaleway_fr ansible_host=163.172.84.28 ansible_user=stephane scaleway_fr ansible_host=163.172.84.28 ansible_user=stephane
[controller] [controller]
scaleway_fr ansible_host=163.172.84.28 ansible_user=stephane scaleway ansible_host=163.172.84.28 ansible_user=stephane
[monitoring] [monitoring]
ovh01 ansible_host=5.135.181.11 ansible_user=stephane ovh01 ansible_host=5.135.181.11 ansible_user=stephane
ubuntu ansible_host=192.168.0.21 ansible_user=vagrant ansible_password=vagrant ; ubuntu ansible_host=192.168.0.22 ansible_user=vagrant ansible_password=vagrant
[test] [test]
ubuntu ansible_host=192.168.0.21 ansible_user=vagrant ansible_password=vagrant ubuntu ansible_host=192.168.0.22 ansible_user=vagrant ansible_password=vagrant
; # TO KNOW WHOIS CHISEL SERVER ; # TO KNOW WHOIS CHISEL SERVER
; [server] ; [server]

1
requirements.yml
View File

@@ -1,6 +1,5 @@
collections: collections:
- name: devsec.hardening - name: devsec.hardening
- name: dominion_solutions.netbird
- name: prometheus.prometheus - name: prometheus.prometheus
- name: community.crypto - name: community.crypto
- name: ansible.utils - name: ansible.utils