current state + english docs
@@ -3,7 +3,7 @@ ssh_user: "root"
authorized_keys_file: >-
{{ "/root/.ssh/authorized_keys" if ssh_user == "root" else "/home/{{ ssh_user }}/.ssh/authorized_keys" }}
# Liste der erwünschten (Good) Keys
# List of desired (good) keys
good_keys:
- "ssh-rsa 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 root@ansible-servercow"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsWfznWCcqpgoq4awYDp2W8y62rDT8PEN0xx7818OA1B/mENiBb6jB9qojBpXuSqXKCg7WIVawtl4DSufN4tx2CCNXJPZGcYxkzYrA+bYHMgNUtDF6ps1odFFCu7D1ioVj+hSiM0coFzdgBeT4owg2S8h8kdUmwEbOECp75/3KjV/JUsHrytfJlSTN2mr+SpV3LRL19zFJ67PQXLUyC5oXUR1DZxgzCR2+bWPM7zW0xkVD3c1D+S2JRV4RCZts1Lfgoo/Fl88YMjwk1s3W38Zp/uAgIY6Boan193RWY1yqeCq6u2xAcIiAUqZrVnKesWVnXeRiPuTEESuthK3xSjxd mschild@WS-WIL-MSCHILD"
@@ -15,10 +15,11 @@ good_keys:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINlJlysj2Ff/8lLgNTkNX/uJVz4uIiEtvO/s3qzUMH1j eddsa-key-mv-tinc-20230130"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyZYxVyFQlhn/O6XpvnQL9l9bv652pH4jrkiUuNHMsT nm-tinc-eddsa-key-20240805"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPb3H/K8w22FIpsb+tad+T1PQjrTdry+cM/fmYiLbSDo root@ansible-servercow"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyZYxVyFQlhn/O6XpvnQL9l9bv652pH4jrkiUuNHMsT nm-tinc-eddsa-key-20240805"
- "ssh-rsa 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 tobimuel@tobimuel-q6600"
- "ssh-rsa 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 tobimuel@tobimuel-e480"
# Liste der unerwünschten (Bad) Keys
# List of undesired (bad) keys
bad_keys:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCx5Gwq39Jaf9YQr0qWzCZMU0l1sPfrJE7vWyrZiQRv2IgVvkIuDl1gv+Gaf1wL69WookC0TGc4Ce2tH5xfcz2tiH72jIDf60izrf2attmPcbLnZfFgN6cPFzCIoMVMIMhROgOF9wF1MzO9WUggJBEpcxotoiPfKkmIrfYXLnnMmZ6XXs3LCcdP1wNOkh/mZ3KfwhH6/GhV/0/mjymzrO5DL/piu+89ZrLmsVU9F/VUZciG7zCv8g6Hhiy25vyOmtGL/DPHfszzlQuvRo0hjTjEdNsnv9b44zc7OtGYdrZ4SPK7v2dSLdzU9eL3+7m6zocaVrbM6YWTph9acwkKOehV root@ccp-wil-backup01"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcqqrN2lC4lajOmiFuUqHBQ2C07YTl3w5e/FT3+ddZ5YOiONr+e8FvKkiw4he5fvGnt6/RUZgnJW+rI7jlF5qPJjdkdJ3wZNiwp4gTiebNV2hvLx3AL0aoH/5tN9m4KDTYZKfnF1JZAgsZrLNrfYJp8F8+AQk24rAQINQ3Cku0i4cgenOQBrT48/Ibv7erav7ZkUFvIPkh4B4Owzu6MUGzKNFoLypgMRXMmLN2vyaor/q4aA9xeha2CKdbJYhTwgrYMieiAyDw9dbe8rJe0BB7VXxDmX54seLsmSWhs6/6L2JNDAdpV/f4Jb2n2L0GaFlyjGpi64nwfoWng2Meou0J mo@LenovoP340-Tiny"
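Review bot: The `authorized_keys_file` expression in the first hunk nests `{{ ssh_user }}` inside a Jinja string literal, which is not a supported form: within `{{ … }}` the inner braces are ordinary characters of the string, so whether they ever expand depends on a second templating pass that Ansible does not guarantee. Build the path by concatenation instead, `{{ "/root/.ssh/authorized_keys" if ssh_user == "root" else "/home/" ~ ssh_user ~ "/.ssh/authorized_keys" }}`. Separately, the second hunk lists the `nm-tinc-eddsa-key-20240805` ed25519 key twice; one entry appears to be the addition this commit makes and the other a pre-existing line, so one of them is redundant, although which side each line sits on is not visible here.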
@@ -1,5 +1,5 @@
---
- name: Good Keys hinzufügen
- name: Add good keys
lineinfile:
path: "{{ authorized_keys_file }}"
line: "{{ item }}"
@@ -1,10 +1,10 @@
---
# Haupt-Task der Rolle: Modularer Aufbau mit Subtasks
- name: Validiere SSH Keys
# Main task of the role: modular structure with subtasks
- name: Validate SSH keys
import_tasks: validate-keys.yml
- name: Füge Good Keys hinzu
- name: Add good keys
import_tasks: add-goodkeys.yml
- name: Entferne Bad Keys
- name: Remove bad keys
import_tasks: remove-badkeys.yml
@@ -1,5 +1,5 @@
---
- name: Bad Keys entfernen
- name: Remove bad keys
lineinfile:
path: "{{ authorized_keys_file }}"
line: "{{ item }}"
@@ -1,5 +1,5 @@
---
- name: Stelle sicher, dass das .ssh-Verzeichnis existiert
- name: Ensure that .ssh directory exists
file:
path: "{{ authorized_keys_file | dirname }}"
state: directory
@@ -0,0 +1,6 @@
---
- name: Check if mailcow.conf exists
ansible.builtin.stat:
path: "{{ mailcow_dir_result.files[0].path | default('/opt/mailcow-dockerized') }}/mailcow.conf"
register: mailcow_conf
when: mailcow_dir_result.files[0].path is defined
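Review bot: The `default('/opt/mailcow-dockerized')` on the `path` line can never take effect, because the `when` on the last line skips the whole task whenever `mailcow_dir_result.files[0].path` is undefined, so the two guards contradict each other and a reader cannot tell which behaviour is intended. Either drop the `when` and rely on the default, or keep the `when` and remove the filter so a missing checkout is not quietly papered over with a guessed path. Indexing `files[0]` also presumes that whatever registered `mailcow_dir_result` (presumably a `find`) has already run, which is outside this file; a short comment naming that prerequisite above the task would help.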
@@ -0,0 +1,6 @@
---
- name: Check mailcow Version
ansible.builtin.shell: |
cd {{ mailcow_dir_result.files[0].path | default('/opt/mailcow-dockerized') }}/data/web/inc
grep -oP '\$MAILCOW_GIT_VERSION="\K[^"]+' app_info.inc.php
register: local_mailcow_version
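Review bot: The `cd` line interpolates the mailcow directory into the shell command unquoted, so a path containing whitespace or shell metacharacters either breaks the command or changes what it executes; quote it, `cd "{{ mailcow_dir_result.files[0].path | default('/opt/mailcow-dockerized') }}/data/web/inc"`. This new file also carries no `when: mailcow_conf.stat.exists` guard, which the removed inline version of the same task had (see the later hunk), so on a host without a mailcow checkout the `cd` fails and the play stops unless the caller guards the import. Since the task only reads a version string, it should also set `changed_when: false`.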
@@ -1,22 +1,5 @@
---
- name: Check if mailcow.conf exists
ansible.builtin.stat:
path: "{{ mailcow_dir_result.files[0].path }}/mailcow.conf"
register: mailcow_conf
when: mailcow_dir_result.files[0].path is defined
- name: Check mailcow Version
ansible.builtin.shell: |
cd {{ mailcow_dir_result.files[0].path }}/data/web/inc
grep -oP '\$MAILCOW_GIT_VERSION="\K[^"]+' app_info.inc.php
register: local_mailcow_version
when: mailcow_conf.stat.exists
- name: Check Disk Utilization
import_role:
name: roles/system
tasks_from: check-disk-utilization.yaml
- name: Update mailcow
throttle: 30
shell: "cd {{ mailcow_dir_result.files[0].path }} && git fetch && git checkout origin/master update.sh && git checkout origin/master _modules && ./update.sh --force"
when: local_mailcow_version.stdout != github_mailcow_ver and mailcow_conf.stat.exists and disk_space_output.stdout | bool
register: update_mailcow
@@ -1,4 +1,4 @@
# Standardwerte, die überschrieben werden können
# Default values that can be overridden
os_update_auto_upgrade: true
os_also_update_mirror: true # Can either be true or false | Use this to enable mirror changes. Useful for first runs.
os_update_mirrors:
@@ -16,6 +16,10 @@
register: running_kernel
changed_when: false
failed_when: false
- name: Trigger reboot if kernel has been updated
command: /bin/true
notify:
- Reboot system
when: running_kernel.stdout != latest_kernel.stdout
changed_when: true
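Review bot: The reboot trigger's `when: running_kernel.stdout != latest_kernel.stdout` can fire on a failed lookup, because the `running_kernel` task just above carries `failed_when: false`: if its command fails, `stdout` is empty, the comparison is unequal, and the `Reboot system` handler restarts the host for no reason; the same presumably holds for `latest_kernel`, which is registered outside the hunk. Guard on the return codes as well, `when: running_kernel.rc == 0 and latest_kernel.rc == 0 and running_kernel.stdout != latest_kernel.stdout`. `command: /bin/true` with `changed_when: true` also executes a process on the remote only to flip a flag; `ansible.builtin.debug` with the same `changed_when` and `notify` triggers the handler without a remote exec.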
@@ -1,4 +1,4 @@
---
collections:
- name: community.proxmox
version: 1.4.0
version: 1.5.0
@@ -1,4 +1,14 @@
- name: Delete snapshot before_major
- name: Get all snapshots
community.proxmox.proxmox_snap_info:
api_host: "{{ proxmox_host }}"
api_user: "{{ proxmox_user }}"
api_token_id: "{{ proxmox_token_id }}"
api_token_secret: "{{ proxmox_token_secret }}"
vmid: "{{ vmid }}"
register: snapshot_info
delegate_to: localhost
- name: Delete all snapshots
community.proxmox.proxmox_snap:
api_host: "{{ proxmox_host }}"
api_user: "{{ proxmox_user }}"
@@ -6,5 +16,7 @@
api_token_secret: "{{ proxmox_token_secret }}"
vmid: "{{ vmid }}"
state: absent
snapname: before_major
snapname: "{{ item.name }}"
loop: "{{ snapshot_info.snapshots }}"
when: item.name != "current"
delegate_to: localhost
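Review bot: The rewritten deletion in the second hunk removes every snapshot of the VM instead of only `before_major`, because the sole filter is `when: item.name != "current"`, which just excludes Proxmox's pseudo-entry for the live state; any snapshot an operator took by hand or that a retention scheme relies on is destroyed too, and nothing in the task name or a comment says so. If the intent is to clean up only snapshots this playbook created, narrow the condition to those names, e.g. `when: item.name != "current" and item.name is match("^before_")`; otherwise rename the task and add a comment stating that all snapshots are purged. The `loop` also assumes `proxmox_snap_info` returns the list under `snapshots`, which is worth confirming against the 1.5.0 collection that this commit pins.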
roles/ssh/tasks/hardenize-ssh-algos.yaml
@@ -1,6 +1,6 @@
- name: Run disk space command
ansible.builtin.shell: "df --output=used,avail / | awk 'NR==2 {used=$1; available=$2; total=used+available; percentage=used*100/total; if (percentage < {{ disk_space_percent_max }} ) printf \"true\"; else printf \"false\"}'"
# System uses the disk_space_percent_max variable to determine condition this check is getting. Over the amount defined in the var causes the check to fail!
ansible.builtin.shell: "df --output=avail / | awk 'NR==2 {avail=$1; if (avail >= 4194304) printf \"true\"; else printf \"false\"}'"
# System checks if root partition has at least 4 GB (4194304 KB) available for updates
register: disk_space_output
- name: "**DEBUG**: Server disk Utilization condition"
@@ -1,5 +1,11 @@
- name: Install gpg package
ansible.builtin.apt:
name: gnupg
state: present
- name: Install Docker from official repo
when: docker_install_source == "official"
block:
- name: Ensure Docker GPG key is dearmored and installed
ansible.builtin.get_url:
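Review bot: The task name says the Docker GPG key is dearmored and installed, but `ansible.builtin.get_url` only downloads; its parameters lie outside the hunk, so I cannot tell whether the fetched key is verified before it lands in the apt keyring. A repository signing key fetched over HTTPS is trusted on transport alone; add `checksum: sha256:<expected-digest-placeholder>` to the `get_url` task so an altered key file fails the play instead of being installed. The enclosing `block` also starts in this hunk but ends outside it.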
@@ -34,7 +34,7 @@
group: "{{ admin_user }}"
mode: "0600"
- name: Jeden Key einzeln mit authorized_key hinzufügen
- name: Add each key individually with authorized_key
ansible.builtin.authorized_key:
user: "{{ admin_user }}"
key: "{{ item | trim }}"
@@ -42,7 +42,7 @@
loop: "{{ key_list }}"
when: item | trim != ""
- name: Passwordless‑sudo für alle Befehle konfigurieren
- name: Configure passwordless sudo for all commands
ansible.builtin.copy:
dest: "/etc/sudoers.d/{{ admin_user }}"
content: |
@@ -17,7 +17,7 @@
group: "root"
mode: "0600"
- name: Jeden Key einzeln mit authorized_key hinzufügen
- name: Add each key individually with authorized_key
ansible.builtin.authorized_key:
user: "root"
key: "{{ item | trim }}"