sgratias/semaphore
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[last try from k0sctl, migration to github]

Browse Source
This commit is contained in:
sgratias
2026-03-03 20:51:35 +01:00
parent 7f760cf4a6
commit b8d9daa87f
9 changed files with 135 additions and 202 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -7,3 +7,4 @@ scan/
dirsearch/ dirsearch/
reports/ reports/
bw.yml bw.yml
inventory/sample/artifacts/*

2
collections/requirements.yml
View File

@@ -8,6 +8,8 @@ collections:
- name: bitwarden.secrets - name: bitwarden.secrets
- name: devsec.hardening - name: devsec.hardening
- name: fedora.linux_system_roles - name: fedora.linux_system_roles
# - name: bodsch.core
# - name: bodsch.scm
# - name: community.general # - name: community.general
# # - name: geerlingguy.redis # # - name: geerlingguy.redis
# # - name: git+https://github.com/netways/ansible-collection-elasticstack.git # # - name: git+https://github.com/netways/ansible-collection-elasticstack.git

62
group_vars/all.yml
View File

@@ -1,62 +0,0 @@
#* USERS
users:
- username: bot
name: bot user
# groups: ['wheel','systemd-journal']
# uid: 1000
home: /home/bot
# profile: |
# alias ll='ls -lah'
ssh_key:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7/ReeTsubS/KwTRaR/5k/6d5CEef0XTXvyRwfVBjwW"
- username: dbtest
name: dbtest user
# groups: ['wheel','systemd-journal']
# uid: 1000
sudo_sudoers_files:
- path: /etc/sudoers.d/bot
user_specifications:
- users:
- bot
hosts:
- ALL
operators:
- ALL
commands:
- "NOPASSWD: ALL"
#* PACKAGES
package_repo:
- python3-pip
- podman
- lsof
# - libsemanage
# package_pip:
# - python3-libsemanage
#* FIREWALL
firewall_allowed_tcp_ports:
- "22"
- "2222"
- "80"
- "8080"
- "443"
- "9100"
- "32222"
# #! Kubernetes control plane ports
# - "6443"
# - "2379"
# - "2380"
# - "10250"
# - "10259"
# - "10257"
# - "9090"
# - "3000"
# - "9323"
#! Kubernetes Worker ports

75
hardening-linux.yml
View File

@@ -1,7 +1,61 @@
- hosts: localtest - hosts: all
#! Need first setup with root access user #! Need first setup with root access user
become: true become: true
vars:
# os_remove_additional_root_users: false
#* USERS
users:
- username: bot
name: bot user
# groups: ['wheel','systemd-journal']
# uid: 1000
home: /home/bot
# profile: |
# alias ll='ls -lah'
ssh_key:
#- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7/ReeTsubS/KwTRaR/5k/6d5CEef0XTXvyRwfVBjwW"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFof5AdYrrwtMsxSWB8KW04/s3hl5rrHzF0zhk7zK5dF"
# - username: dbtest
# name: dbtest user
# groups: ['wheel','systemd-journal']
# uid: 1000
sudo_sudoers_files:
- path: /etc/sudoers.d/bot
user_specifications:
- users:
- bot
hosts:
- ALL
operators:
- ALL
commands:
- "NOPASSWD: ALL"
# - path: /etc/sudoers.d/orbstack
# user_specifications:
# - users:
# - stephanegratias
# hosts:
# - ALL
# operators:
# - ALL
# commands:
# - "NOPASSWD: ALL"
#* PACKAGES
package_repo:
- python3-pip
- podman
- lsof
# package_pip:
# - python3-libsemanage
#* FIREWALL
firewall_allowed_tcp_ports:
- "22"
- "6443"
- "80"
- "443"
- "6881"
pre_tasks: pre_tasks:
- ansible.builtin.apt: - ansible.builtin.apt:
update_cache: yes update_cache: yes
@@ -26,9 +80,26 @@
loop: "{{ package_pip }}" loop: "{{ package_pip }}"
when: package_pip is defined when: package_pip is defined
#! ROLES
roles: roles:
- name: singleplatform-eng.users - name: singleplatform-eng.users
- name: linux-system-roles.sudo - name: linux-system-roles.sudo
- name: devsec.hardening.ssh_hardening - name: devsec.hardening.ssh_hardening
- name: devsec.hardening.os_hardening #! delete user like root
# - name: devsec.hardening.os_hardening
- name: geerlingguy.firewall - name: geerlingguy.firewall
# # #! Launch single node
# alias docker=podman
# docker run -d --name k0s-controller --hostname k0s-controller \
# --network host \
# --privileged \
# -v /var/lib/k0s \
# --tmpfs /run \
# --tmpfs /tmp \
# -p 6443:6443 \
# docker.io/k0sproject/k0s:v1.34.3-k0s.0 \
# k0s controller --enable-worker --single=true --ignore-pre-flight-checks

15
hosts
View File

@@ -1,12 +1,17 @@
[all] [all]
scaleway ansible_host=163.172.84.28 ansible_user=stephane contabo ansible_host=144.91.102.84 ansible_user=root
[tower] ; [tower]
scaleway ansible_host=163.172.84.28 ansible_user=stephane ; scaleway ansible_host=163.172.84.28 ansible_user=stephane
; [localtest] ; k0s_cluster_nodes:
; initial_controller: controller-1.k0s.local
; controllers: []
; workers: []
; [test]
; #! test ansible_host=ubuntu.orb.local ansible_user=ansible ansible_ssh_private_key_file=~/.orbstack/ssh/id_ed25519 #! First setup ; #! test ansible_host=ubuntu.orb.local ansible_user=ansible ansible_ssh_private_key_file=~/.orbstack/ssh/id_ed25519 #! First setup
; test ansible_host=ubuntu.orb.local ansible_user=bot ansible_ssh_private_key_file=~/.orbstack/ssh/id_ed25519 ; controller-1.k0s.local ansible_host=ubuntu.orb.local ansible_user=bot ansible_ssh_private_key_file=~/.orbstack/ssh/id_ed25519
; [local] ; [local]
; localhost ansible_host=127.0.0.1 ansible_user=stephanegratias ; localhost ansible_host=127.0.0.1 ansible_user=stephanegratias
; [cluster] ; [cluster]

40
k0sctl.yaml Normal file
View File

@@ -0,0 +1,40 @@
apiVersion: k0sctl.k0sproject.io/v1beta1
kind: Cluster
metadata:
name: k0s-cluster
user: admin
spec:
hosts:
- ssh:
address: 10.0.0.1
user: root
port: 22
keyPath: null
role: controller
- ssh:
address: 10.0.0.2
user: root
port: 22
keyPath: null
role: worker
options:
wait:
enabled: true
drain:
enabled: true
gracePeriod: 2m0s
timeout: 5m0s
force: true
ignoreDaemonSets: true
deleteEmptyDirData: true
podSelector: ""
skipWaitForDeleteTimeout: 0s
concurrency:
limit: 30
workerDisruptionPercent: 10
uploads: 5
evictTaint:
enabled: false
taint: k0sctl.k0sproject.io/evict=true
effect: NoExecute
controllerWorkers: false

135
podman.yml
View File

@@ -1,138 +1,11 @@
- hosts: localtest - hosts: k0s-1
become: true become: true
vars: vars:
#! SECRETS
# vaultwarden_url: "{{ lookup('env', 'vaultwarden_url') }}"
# bw_client_secret: "{{ lookup('env', 'bw_client_secret') }}"
# bw_client_password: "{{ lookup('env', 'bw_client_password') }}"
# bw_client_id: "{{ lookup('env', 'bw_client_id') }}"
# user_mail: "{{ lookup('env', 'mail') }}"
# user: "{{ lookup('env', 'username') }}"
# # Token full access gitea
# bw_requested_password_id: "{{ lookup('env', 'bw_requested_password_id') }}"
#! PODS
# podman_registries_conf:
# aliases:
# myregistry: quay.io
# podman_registry_username: test
# podman_registry_password: test
podman_create_host_directories: true
# podman_firewall:
# - port: 8080-8081/tcp
# state: enabled
# - port: 12340/tcp
# state: enabled
# podman_selinux_ports:
# - ports: 8080-8081
# setype: http_port_t
podman_kube_specs:
- state: started
run_as_user: bot
run_as_group: bot
kube_file_content:
apiVersion: v1
kind: Pod
metadata:
name: db
spec:
containers:
- name: db
image: docker.io/mysql:9
ports:
- containerPort: 1234
hostPort: 12340
volumeMounts:
- mountPath: /var/lib/db:Z
name: db
volumes:
- name: db
hostPath:
path: /var/lib/db
# podman_secrets:
# - name: mysql-root-password-container
# state: present
# skip_existing: true
# data: "{{ root_password_from_vault }}"
# - name: mysql-root-password-kube
# state: present
# skip_existing: true
# data: |
# apiVersion: v1
# data:
# password: "{{ root_password_from_vault | b64encode }}"
# kind: Secret
# metadata:
# name: mysql-root-password-kube
# - name: envoy-certificates
# state: present
# skip_existing: true
# data: |
# apiVersion: v1
# data:
# certificate.key: {{ key_from_vault | b64encode }}
# certificate.pem: {{ cert_from_vault | b64encode }}
# kind: Secret
# metadata:
# name: envoy-certificates
# - state: started
# run_as_user: webapp
# run_as_group: webapp
# kube_file_src: /path/to/webapp.yml
#! SECRETS
pre_tasks:
- name: Install Bitwarden CLI
ansible.builtin.command:
cmd: "{{ item }}"
delegate_to: localhost
loop:
- apk add --no-cache nodejs npm
- npm install -g @bitwarden/cli
- ansible.builtin.command:
cmd: bw logout
delegate_to: localhost
ignore_errors: true
- name: bitwarden token session
ansible.builtin.shell: "{{ item }}"
environment:
BW_CLIENTID: "{{ bw_client_id }}"
BW_CLIENTSECRET: "{{ bw_client_secret }}"
BW_PASSWORD: "{{ bw_client_password }}"
loop:
- bw config server {{ vaultwarden_url }}
- bw login --apikey
- bw unlock --passwordenv BW_PASSWORD --raw
delegate_to: localhost
register: bw_session_result
- name: Get secret from Bitwarden
command:
argv:
- bw
- get
- password
- "{{ bw_requested_password_id }}"
- --session
- "{{ bw_session_result.results[-1].stdout | trim }}"
delegate_to: localhost
register: gitea_token_result
no_log: true
changed_when: false
# - name: Return all secrets from a path
# ansible.builtin.debug:
# msg: "{{ gitea_token_result.stdout }}"
# delegate_to: localhost
- ansible.builtin.set_fact:
gitea_token : "{{ gitea_token_result.stdout | trim }}"
no_log: true
delegate_to: localhost
#! ROLES #! ROLES
roles: roles:
#! By default, the files will be copied to or created in /etc/containers/systemd/$name.$type for root containers #! By default, the files will be copied to or created in /etc/containers/systemd/$name.$type for root containers
#! and $HOME/.config/containers/systemd/$name.$type for rootless containers, on the managed node. #! and $HOME/.config/containers/systemd/$name.$type for rootless containers, on the managed node.
- name: linux-system-roles.podman # - name: bodsch.k0s

2
roles/.gitignore vendored
View File

@@ -56,3 +56,5 @@ geerlingguy.firewall
alvistack.podman alvistack.podman
linux-system-roles.podman linux-system-roles.podman
linux-system-roles.selinux linux-system-roles.selinux
export
bodsch.k0s

1
roles/requirements.yml
View File

@@ -24,6 +24,7 @@
#! PODS #! PODS
- src: alvistack.podman - src: alvistack.podman
- src: linux-system-roles.podman - src: linux-system-roles.podman
- src: bodsch.k0s
# - src: fedora.linux_system_roles.firewall # - src: fedora.linux_system_roles.firewall
# jnv.unattended-upgrades # jnv.unattended-upgrades
# - src: asg1612.dockerswarm # - src: asg1612.dockerswarm