DerLinkman/ansible-playbooks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

restructure repo

Browse Source
This commit is contained in:
DerLinkman
2024-11-22 20:25:38 +01:00
parent 5a0f229511
commit 344c9508ea
17 changed files with 184 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored
View File

@@ -1,3 +1,3 @@
ansible.cfg
hosts hosts
proxmox.* proxmox.*
.vscode

3
ansible.cfg Normal file
View File

@@ -0,0 +1,3 @@
[defaults]
host_key_checking = False
roles_path = ./roles:/etc/ansible/roles

6
playbooks/hardening/manage-ssh-keys.yml Normal file
View File

@@ -0,0 +1,6 @@
- hosts: all
vars:
good_keys: "{{ lookup('env', 'good_keys') | from_json }}"
bad_keys: "{{ lookup('env', 'bad_keys') | from_json }}"
roles:
- role: manage-ssh-keys

14
roles/manage-ssh-keys/defaults/main.yml Normal file
View File

@@ -0,0 +1,14 @@
---
ssh_user: "root"
authorized_keys_file: >-
{{ "/root/.ssh/authorized_keys" if ssh_user == "root" else "/home/{{ ssh_user }}/.ssh/authorized_keys" }}
# Liste der erwünschten (Good) Keys
good_keys:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL/XwF0Na+YH7lRqGtwEcyIMVGTQZetNDrC9sZ8ofjC5 niklas@Linkman-PC"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPHSP1qvaoJDwMtka6UV9aOw24cKHBOa2Eyx7JBmhEg dennis@DESKTOP-V99ARL9"
# Liste der unerwünschten (Bad) Keys
bad_keys:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgNIBhFlWa82Q0f2EnPcpHsP5JmmGpxyWVUhfpWV3KLvNkl63aGBRZW1gEoda1P5j/ESkwHntVeen8vHjqlQ/ZB9Bs3XtWwsvtS8gfyCoRqgQVQ31T52KVT3QL8/ep0RYwG+3VbE9yvQgeELJETzpXWoyY9+RrPG1gMdArML5cO1NCizShsxNKgHe75+GjCdEe3HMUuCcfJ23JqxPqgA5HoGW1mGsbI1LnLn1fqgmywSKET5LpkKHtHjrXFtQi2NKEnZ3RNxgh60v4amvMKLsxBk1vAn40X+ZeLJwNMpMHep2IzvO67inlj9iWaY5VXjZznLXzd85zhTO3eDv+yAp9 linkman-pc-2022"
# - "ssh-rsa AAAAB3... badkey2"

13
roles/manage-ssh-keys/handlers/main.yml Normal file
View File

@@ -0,0 +1,13 @@
---
- name: Cleanup Comments
lineinfile:
path: "{{ authorized_keys_file }}"
state: absent
regexp: '^#.*$'
- name: Add Comment
blockinfile:
path: "{{ authorized_keys_file }}"
marker: ""
block: |
# Modified by Ansible on {{ ansible_date_time.date }} at {{ ansible_date_time.time }}

11
roles/manage-ssh-keys/tasks/add-goodkeys.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: Good Keys hinzufügen
lineinfile:
path: "{{ authorized_keys_file }}"
line: "{{ item }}"
create: yes
state: present
with_items: "{{ good_keys }}"
notify:
- Cleanup Comments
- Add Comment

12
roles/manage-ssh-keys/tasks/main.yml Normal file
View File

@@ -0,0 +1,12 @@
---
# Haupt-Task der Rolle: Modularer Aufbau mit Subtasks
- name: Validiere SSH Keys
import_tasks: validate-authorized-keys.yml
- name: Füge Good Keys hinzu
import_tasks: add-goodkeys.yml
when: good_keys
- name: Entferne Bad Keys
import_tasks: remove-badkeys.yml
when: bad_keys

10
roles/manage-ssh-keys/tasks/remove-badkeys.yml Normal file
View File

@@ -0,0 +1,10 @@
---
- name: Bad Keys entfernen
lineinfile:
path: "{{ authorized_keys_file }}"
line: "{{ item }}"
state: absent
with_items: "{{ bad_keys }}"
notify:
- Cleanup Comments
- Add Comment

8
roles/manage-ssh-keys/tasks/validate-authorized-keys.yml Normal file
View File

@@ -0,0 +1,8 @@
---
- name: Stelle sicher, dass das .ssh-Verzeichnis existiert
file:
path: "{{ authorized_keys_file | dirname }}"
state: directory
owner: "{{ ssh_user }}"
group: "{{ ssh_user }}"
mode: '0700'

9
roles/os-updates/defaults/main.yml Normal file
View File

@@ -0,0 +1,9 @@
# Standardwerte, die überschrieben werden können
os_update_auto_upgrade: true
os_also_update_mirror: false
os_update_mirrors:
# Role needs two mirros to use for the sources.list.j2 Template
- "http://mirror.tinc.gmbh/debian" # Enter a main mirror here (not security)
- "http://mirror.tinc.gmbh/debian-security" # Enter a security mirror here
os_update_major_version: false # Can either be true or false | To toggle if systems need to be upgraded to newer codename
os_update_version_codename: "{{ ansible_distribution_release }}" # KEEP UNTOUCHED!! | Used for jinja2 Template fill in as it determines the current codename of system where ansible is run on

11
roles/os-updates/handlers/main.yml Normal file
View File

@@ -0,0 +1,11 @@
- name: apt cleanup
apt:
clean: yes
autoclean: yes
- name: Reboot system
command: /sbin/reboot
async: 1
poll: 0
ignore_errors: true
when: reboot_required.stdout == "yes"

12
roles/os-updates/tasks/main.yml Normal file
View File

@@ -0,0 +1,12 @@
- name: Update mirrors if necessary
when: os_also_update_mirror |bool
include_tasks: update_mirrors.yml
ignore_errors: true
- name: Upgrade to new major version if enabled
when: os_update_major_version
include_tasks: update_major_version.yml
ignore_errors: true
- name: Upgrade all packages
include_tasks: upgrade_packages.yml

34
roles/os-updates/tasks/update_major_version.yml Normal file
View File

@@ -0,0 +1,34 @@
- name: Backup existing sources in /etc/apt
copy:
src: "{{ item }}"
dest: "{{ item }}.bak"
remote_src: yes
loop: "{{ lookup('ansible.builtin.fileglob', '/etc/apt/sources.list.d/*.list') + ['/etc/apt/sources.list'] }}"
when: item | file
- name: Update sources.list for new major version
template:
src: sources.list.j2
dest: /etc/apt/sources.list
vars:
os_update_version_codename: "{{ new_version_codename }}" # Variable gets passed by main.yml task
- name: Update additional repositories in /etc/apt/sources.list.d
lineinfile:
path: "{{ item }}"
regexp: '^(deb .* )({{ os_update_version_codename }})'
line: '\1{{ new_version_codename }}'
loop: "{{ lookup('ansible.builtin.fileglob', '/etc/apt/sources.list.d/*.list') }}"
when: item | file
- name: Update apt cache
apt:
update_cache: yes
- name: Perform distribution upgrade
apt:
upgrade: yes
allow_unauthenticated: yes
notify:
- Reboot system
- apt cleanup

16
roles/os-updates/tasks/update_mirrors.yml Normal file
View File

@@ -0,0 +1,16 @@
- name: Backup existing sources.list
copy:
src: /etc/apt/sources.list
dest: /etc/apt/sources.list.bak
remote_src: yes
force: yes
- name: Update sources.list with new mirrors
template:
src: sources.list.j2
dest: /etc/apt/sources.list
- name: Update apt cache
apt:
update_cache: yes

23
roles/os-updates/tasks/upgrade_packages.yml Normal file
View File

@@ -0,0 +1,23 @@
- name: Upgrade all installed packages
apt:
upgrade: full
update_cache: yes
notify:
- apt cleanup
- name: Check if a kernel update is available
shell: |
dpkg -l | grep -E 'linux-image-[0-9]' | awk '{print $2}' | sort | tail -n 1
register: latest_kernel
- name: Check if running kernel matches the latest installed kernel
shell: uname -r | grep -c "{{ latest_kernel.stdout }}"
register: kernel_match
changed_when: false
- name: Mark reboot required if a new kernel is installed
set_fact:
reboot_required: "yes"
notify:
- Reboot system
when: kernel_match.stdout == "0"

25
update-to-deb12/update-to-deb12.yaml
View File

@@ -1,25 +0,0 @@
---
- name: Update to Debian 12
hosts: all
tasks:
- name: Run Pre Update and Upgrade before Dist Upgrade
apt:
update_cache: yes
upgrade: yes
when: ansible_distribution == 'Debian'
- name: Replace "bullseye" with "bookworm" in sources.list
replace:
backup: yes
path: /etc/apt/sources.list
regexp: 'bullseye'
replace: 'bookworm'
when: ansible_distribution == 'Debian'
- name: Replace "bullseye" with "bookworm" in sources.list.d/docker
replace:
backup: yes
path: /etc/apt/sources.list.d/docker.list
regexp: 'bullseye'
replace: 'bookworm'
when: ansible_distribution == 'Debian'

16
upgrade-alpine/upgrade-alpine.yaml
View File

@@ -1,16 +0,0 @@
- name: Update to newest Alpine
hosts: all
tasks:
- name: Run APK update
apk:
update_cache: yes
upgrade: true
when: ansible_distribution == 'Alpine'
- name: Update Alpine versions
replace:
backup: yes
path: "/etc/apk/repositories"
regexp: 'v\d+\.\d+'
replace: 'v3.20'
when: ansible_distribution == 'Alpine'