diff --git a/.gitignore b/.gitignore
index 5778c75..4eb5ead 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@ scan/
 dirsearch/
 reports/
 bw.yml
+inventory/sample/artifacts/*
diff --git a/collections/requirements.yml b/collections/requirements.yml
index 3c2cab1..4e48c7e 100644
--- a/collections/requirements.yml
+++ b/collections/requirements.yml
@@ -8,6 +8,8 @@ collections:
 - name: bitwarden.secrets
 - name: devsec.hardening
 - name: fedora.linux_system_roles
+ # - name: bodsch.core
+ # - name: bodsch.scm
 # - name: community.general
 # # - name: geerlingguy.redis
 # # - name: git+https://github.com/netways/ansible-collection-elasticstack.git
diff --git a/group_vars/all.yml b/group_vars/all.yml
index c040cff..e69de29 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,62 +0,0 @@
-#* USERS
-users:
- - username: bot
- name: bot user
- # groups: ['wheel','systemd-journal']
- # uid: 1000
- home: /home/bot
- # profile: |
- # alias ll='ls -lah'
- ssh_key:
- - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7/ReeTsubS/KwTRaR/5k/6d5CEef0XTXvyRwfVBjwW"
- - username: dbtest
- name: dbtest user
- # groups: ['wheel','systemd-journal']
- # uid: 1000
-
-sudo_sudoers_files:
- - path: /etc/sudoers.d/bot
- user_specifications:
- - users:
- - bot
- hosts:
- - ALL
- operators:
- - ALL
- commands:
- - "NOPASSWD: ALL"
-
-#* PACKAGES
-
-package_repo:
- - python3-pip
- - podman
- - lsof
-# - libsemanage
-
-# package_pip:
-# - python3-libsemanage
-
-
-
-#* FIREWALL
-
-firewall_allowed_tcp_ports:
- - "22"
- - "2222"
- - "80"
- - "8080"
- - "443"
- - "9100"
- - "32222"
- # #! Kubernetes control plane ports
- # - "6443"
- # - "2379"
- # - "2380"
- # - "10250"
- # - "10259"
- # - "10257"
- # - "9090"
- # - "3000"
- # - "9323"
-#! Kubernetes Worker ports
\ No newline at end of file
diff --git a/hardening-linux.yml b/hardening-linux.yml
index 9aa43bf..432d8ec 100644
--- a/hardening-linux.yml
+++ b/hardening-linux.yml
@@ -1,7 +1,61 @@ -- hosts: localtest +- hosts: all #! Need first setup with root access user become: true + vars: + # os_remove_additional_root_users: false + #* USERS + users: + - username: bot + name: bot user + # groups: ['wheel','systemd-journal'] + # uid: 1000 + home: /home/bot + # profile: | + # alias ll='ls -lah' + ssh_key: + #- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7/ReeTsubS/KwTRaR/5k/6d5CEef0XTXvyRwfVBjwW" + - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFof5AdYrrwtMsxSWB8KW04/s3hl5rrHzF0zhk7zK5dF" + # - username: dbtest + # name: dbtest user + # groups: ['wheel','systemd-journal'] + # uid: 1000 + sudo_sudoers_files: + - path: /etc/sudoers.d/bot + user_specifications: + - users: + - bot + hosts: + - ALL + operators: + - ALL + commands: + - "NOPASSWD: ALL" + # - path: /etc/sudoers.d/orbstack + # user_specifications: + # - users: + # - stephanegratias + # hosts: + # - ALL + # operators: + # - ALL + # commands: + # - "NOPASSWD: ALL" + #* PACKAGES + package_repo: + - python3-pip + - podman + - lsof + # package_pip: + # - python3-libsemanage + #* FIREWALL + firewall_allowed_tcp_ports: + - "22" + - "6443" + - "80" + - "443" + - "6881" pre_tasks: + - ansible.builtin.apt: update_cache: yes @@ -26,9 +80,26 @@ loop: "{{ package_pip }}" when: package_pip is defined +#! ROLES roles: - name: singleplatform-eng.users - name: linux-system-roles.sudo - name: devsec.hardening.ssh_hardening - - name: devsec.hardening.os_hardening - - name: geerlingguy.firewall \ No newline at end of file + #! delete user like root + # - name: devsec.hardening.os_hardening + - name: geerlingguy.firewall + + + + +# # #! Launch single node +# alias docker=podman +# docker run -d --name k0s-controller --hostname k0s-controller \ +# --network host \ +# --privileged \ +# -v /var/lib/k0s \ +# --tmpfs /run \ +# --tmpfs /tmp \ +# -p 6443:6443 \ +# docker.io/k0sproject/k0s:v1.34.3-k0s.0 \ +# k0s controller --enable-worker --single=true --ignore-pre-flight-checks 
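Review bot: The new `firewall_allowed_tcp_ports` list opens `6443` and `6881` to any source on every host the play now targets (`hosts: all`), and nothing in the hunk records why either port is needed; a comment above the list such as `# 6443: k0s API server (see k0sctl.yaml); 6881: <purpose — TODO confirm>` keeps that reviewable, and if 6443 only has to reach the admin/k0sctl machines it belongs in a source-restricted `firewall_additional_rules` entry rather than the open list. The `bot` sudoers drop-in moved in here still carries `"NOPASSWD: ALL"`, so the `ssh_key` entry is effectively a root credential for these hosts; the replaced key left behind as `#- "ssh-ed25519 …"` should be deleted rather than kept commented. `update_cache: yes` in pre_tasks is a YAML 1.1 truthy and should be written `update_cache: true`. The play continues past the end of the hunk.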
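Review bot: Commenting out `devsec.hardening.os_hardening` with only `#! delete user like root` drops the whole OS hardening profile to avoid one behaviour, while the vars block already holds the likely knob commented out as `# os_remove_additional_root_users: false`; keeping the role and setting that variable (or `os_ignore_users` for specific accounts, if I recall the role's options correctly) is the narrower fix, and which setting actually caused the deletion should be confirmed against the role's defaults. The reason should then be recorded above the role entry, e.g. `# os_hardening disabled: removed <user> during first setup — re-enable once os_remove_additional_root_users / os_ignore_users are set`, rather than left as a three-word note. The commented `docker run … --privileged` block appended after the roles is operator notes, not play content, and would be easier to find and maintain in a README.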
diff --git a/hosts b/hosts
index da6c469..a8421d9 100644
--- a/hosts
+++ b/hosts
@@ -1,12 +1,17 @@
 [all]
-scaleway ansible_host=163.172.84.28 ansible_user=stephane
+contabo ansible_host=144.91.102.84 ansible_user=root
-[tower]
-scaleway ansible_host=163.172.84.28 ansible_user=stephane
+; [tower]
+; scaleway ansible_host=163.172.84.28 ansible_user=stephane
-; [localtest]
+; k0s_cluster_nodes:
+; initial_controller: controller-1.k0s.local
+; controllers: []
+; workers: []
+
+; [test]
 ; #! test ansible_host=ubuntu.orb.local ansible_user=ansible ansible_ssh_private_key_file=~/.orbstack/ssh/id_ed25519 #! First setup
-; test ansible_host=ubuntu.orb.local ansible_user=bot ansible_ssh_private_key_file=~/.orbstack/ssh/id_ed25519
+; controller-1.k0s.local ansible_host=ubuntu.orb.local ansible_user=bot ansible_ssh_private_key_file=~/.orbstack/ssh/id_ed25519
 ; [local]
 ; localhost ansible_host=127.0.0.1 ansible_user=stephanegratias
 ; [cluster]
diff --git a/k0sctl.yaml b/k0sctl.yaml
new file mode 100644
index 0000000..d582076
--- /dev/null
+++ b/k0sctl.yaml
@@ -0,0 +1,40 @@
+apiVersion: k0sctl.k0sproject.io/v1beta1
+kind: Cluster
+metadata:
+ name: k0s-cluster
+ user: admin
+spec:
+ hosts:
+ - ssh:
+ address: 10.0.0.1
+ user: root
+ port: 22
+ keyPath: null
+ role: controller
+ - ssh:
+ address: 10.0.0.2
+ user: root
+ port: 22
+ keyPath: null
+ role: worker
+ options:
+ wait:
+ enabled: true
+ drain:
+ enabled: true
+ gracePeriod: 2m0s
+ timeout: 5m0s
+ force: true
+ ignoreDaemonSets: true
+ deleteEmptyDirData: true
+ podSelector: ""
+ skipWaitForDeleteTimeout: 0s
+ concurrency:
+ limit: 30
+ workerDisruptionPercent: 10
+ uploads: 5
+ evictTaint:
+ enabled: false
+ taint: k0sctl.k0sproject.io/evict=true
+ effect: NoExecute
+ controllerWorkers: false
diff --git a/podman.yml b/podman.yml
index 5b6b393..9aad31f 100644
--- a/podman.yml
+++ b/podman.yml
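Review bot: The new `contabo` entry logs in as `ansible_user=root` on a public address, while the hardening play's own comment says root is only needed for the first setup; once the `bot` user and its sudoers drop-in exist the entry should switch to `ansible_user=bot` (the plays already set `become: true`), and a line above it should say so, e.g. `; first-setup only: switch to ansible_user=bot after hardening-linux.yml has run`. The commented `; k0s_cluster_nodes:` / `; initial_controller:` lines are YAML mapping syntax inside an INI inventory and cannot simply be uncommented later; if they are meant to be used they belong in `group_vars` or a YAML inventory file.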
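Review bot: Both hosts in the new k0sctl.yaml connect with `user: root` and `keyPath: null`, and `10.0.0.1`/`10.0.0.2` look like placeholders rather than the `contabo` host the inventory now lists, but nothing in the file says which. A header such as `# sample config — replace addresses; verify root SSH login is still permitted after hardening-linux.yml (devsec ssh_hardening) has run, otherwise use the bot user` would stop it being applied as-is. With `keyPath: null` k0sctl falls back to whatever key discovery it defaults to (agent or a default key path — I have not confirmed which), so an explicit `keyPath:` per host makes the credential in use auditable.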
@@ -1,138 +1,11 @@
-- hosts: localtest
+- hosts: k0s-1
 become: true
 vars:
- #! SECRETS
- # vaultwarden_url: "{{ lookup('env', 'vaultwarden_url') }}"
- # bw_client_secret: "{{ lookup('env', 'bw_client_secret') }}"
- # bw_client_password: "{{ lookup('env', 'bw_client_password') }}"
- # bw_client_id: "{{ lookup('env', 'bw_client_id') }}"
- # user_mail: "{{ lookup('env', 'mail') }}"
- # user: "{{ lookup('env', 'username') }}"
- # # Token full access gitea
- # bw_requested_password_id: "{{ lookup('env', 'bw_requested_password_id') }}"
- #! PODS
- # podman_registries_conf:
- # aliases:
- # myregistry: quay.io
- # podman_registry_username: test
- # podman_registry_password: test
- podman_create_host_directories: true
- # podman_firewall:
- # - port: 8080-8081/tcp
- # state: enabled
- # - port: 12340/tcp
- # state: enabled
- # podman_selinux_ports:
- # - ports: 8080-8081
- # setype: http_port_t
- podman_kube_specs:
- - state: started
- run_as_user: bot
- run_as_group: bot
- kube_file_content:
- apiVersion: v1
- kind: Pod
- metadata:
- name: db
- spec:
- containers:
- - name: db
- image: docker.io/mysql:9
- ports:
- - containerPort: 1234
- hostPort: 12340
- volumeMounts:
- - mountPath: /var/lib/db:Z
- name: db
- volumes:
- - name: db
- hostPath:
- path: /var/lib/db
- # podman_secrets:
- # - name: mysql-root-password-container
- # state: present
- # skip_existing: true
- # data: "{{ root_password_from_vault }}"
- # - name: mysql-root-password-kube
- # state: present
- # skip_existing: true
- # data: |
- # apiVersion: v1
- # data:
- # password: "{{ root_password_from_vault | b64encode }}"
- # kind: Secret
- # metadata:
- # name: mysql-root-password-kube
- # - name: envoy-certificates
- # state: present
- # skip_existing: true
- # data: |
- # apiVersion: v1
- # data:
- # certificate.key: {{ key_from_vault | b64encode }}
- # certificate.pem: {{ cert_from_vault | b64encode }}
- # kind: Secret
- # metadata:
- # name: envoy-certificates
- # - state: started
- # run_as_user: webapp
- # run_as_group: webapp
- # kube_file_src: /path/to/webapp.yml
-
-#! SECRETS
- pre_tasks:
- - name: Install Bitwarden CLI
- ansible.builtin.command:
- cmd: "{{ item }}"
- delegate_to: localhost
- loop:
- - apk add --no-cache nodejs npm
- - npm install -g @bitwarden/cli
-
- - ansible.builtin.command:
- cmd: bw logout
- delegate_to: localhost
- ignore_errors: true
-
- - name: bitwarden token session
- ansible.builtin.shell: "{{ item }}"
- environment:
- BW_CLIENTID: "{{ bw_client_id }}"
- BW_CLIENTSECRET: "{{ bw_client_secret }}"
- BW_PASSWORD: "{{ bw_client_password }}"
- loop:
- - bw config server {{ vaultwarden_url }}
- - bw login --apikey
- - bw unlock --passwordenv BW_PASSWORD --raw
- delegate_to: localhost
- register: bw_session_result
-
- - name: Get secret from Bitwarden
- command:
- argv:
- - bw
- - get
- - password
- - "{{ bw_requested_password_id }}"
- - --session
- - "{{ bw_session_result.results[-1].stdout | trim }}"
- delegate_to: localhost
- register: gitea_token_result
- no_log: true
- changed_when: false
-
- # - name: Return all secrets from a path
- # ansible.builtin.debug:
- # msg: "{{ gitea_token_result.stdout }}"
- # delegate_to: localhost
-
- - ansible.builtin.set_fact:
- gitea_token : "{{ gitea_token_result.stdout | trim }}"
- no_log: true
- delegate_to: localhost
 #! ROLES
 roles:
 #! By default, the files will be copied to or created in /etc/containers/systemd/$name.$type for root containers
 #! and $HOME/.config/containers/systemd/$name.$type for rootless containers, on the managed node.
- - name: linux-system-roles.podman
\ No newline at end of file
+ # - name: bodsch.k0s
+
+
diff --git a/roles/.gitignore b/roles/.gitignore
index 8bec64d..b6d0b5c 100644
--- a/roles/.gitignore
+++ b/roles/.gitignore
@@ -55,4 +55,6 @@ devsec.hardening.ssh_hardening
 geerlingguy.firewall
 alvistack.podman
 linux-system-roles.podman
-linux-system-roles.selinux
\ No newline at end of file
+linux-system-roles.selinux
+export
+bodsch.k0s
\ No newline at end of file
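Review bot: The play now targets `hosts: k0s-1`, but no host or group named `k0s-1` exists in the updated `hosts` inventory (it has `contabo` and, commented out, `controller-1.k0s.local`), so ansible-playbook will warn that no hosts matched and skip the play; and with `linux-system-roles.podman` removed and `bodsch.k0s` left as `# - name: bodsch.k0s`, the roles list is empty and the playbook does nothing. If this is work in progress, a line at the top such as `# WIP: retarget to the k0s host/group from hosts and enable bodsch.k0s once roles/requirements.yml is installed` would make that explicit. The two surviving `#! By default, the files will be copied …` comments describe the podman role that is no longer listed and should go with it.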
diff --git a/roles/requirements.yml b/roles/requirements.yml
index aba7997..a0aaf50 100644
--- a/roles/requirements.yml
+++ b/roles/requirements.yml
@@ -24,6 +24,7 @@
 #! PODS
 - src: alvistack.podman
 - src: linux-system-roles.podman
+- src: bodsch.k0s
 # - src: fedora.linux_system_roles.firewall
 # jnv.unattended-upgrades
 # - src: asg1612.dockerswarm
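Review bot: `- src: bodsch.k0s` is added without a `version:`, so `ansible-galaxy role install` will fetch whatever is current on Galaxy at install time; a role that deploys a Kubernetes distribution under `become` is exactly the dependency to pin, e.g. `- src: bodsch.k0s` followed by `  version: "<tag — TODO pin>"`. The neighbouring entries are unpinned too, so this is consistent with the file, but a pinned version plus a short comment naming the release that was reviewed is what makes the install reproducible.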