reorganize entire ansible folder and related misc edits

.gitea/workflows/ansible-deploy.yml

@@ -9,10 +9,8 @@ jobs:
     strategy:
       matrix:
         playbook:
-          - Ansible/openssh.yml
-          - Ansible/cloudflare-dns.yml
-          - Ansible/heartbeat.yml
-          - Ansible/debian.yml
+          - Ansible/playbooks/debian.yml
+          - Ansible/playbooks/proxmox.yml
     steps:
       - name: Copy SSH Key
         run: | 
@@ -53,5 +51,5 @@ jobs:
           # requirements: requirements.yaml
 
           options: |
-            --inventory Ansible/inventory.ini
+            --inventory Ansible/inventory/homelab.ini
             --extra-vars "@Ansible/homelab-vault/secrets.yml"

.gitea/workflows/ansible-lint.yml

@@ -4,12 +4,13 @@ on: [push]
 jobs:
   build:
     runs-on: ubuntu-latest
+    env:
+      RUNNER_TOOL_CACHE: /toolcache
     steps:
       - name: Install Ansible-Lint
         run: |
           apt update -y
           apt install python3-pip -y
-          python3 -m pip install ansible
           python3 -m pip install ansible-lint
       - name: Checkout
         uses: actions/checkout@v3

Ansible/ansible.cfg

@@ -1,7 +1,8 @@
 [defaults]
 nocows = 1
 host_key_checking = False
-inventory = ./inventory.ini
+inventory = ./inventory/homelab.ini
+interpreter_python=auto_silent  
 
 [privilege_escalation]
 #become_ask_pass = True

Ansible/cloudflare-dns.yml

@@ -1,36 +0,0 @@
----
-- name: Cloudflare Dynamic DNS Script
-  hosts: linux
-  remote_user: bhays
-  become: true
-  become_user: root
-  vars_files:
-    - homelab-vault/secrets.yml
-  tasks:
-    - name: Copy Cloudflare IPAM Script
-      ansible.builtin.copy:
-        owner: bhays
-        mode: "0700"
-        src: ../Bash/cloudflare-dns.sh
-        dest: /opt/cloudflare-dns.sh
-    - name: Insert API Token
-      ansible.builtin.replace:
-        path: "/opt/cloudflare-dns.sh"
-        regexp: "^cloudflare_zone_api_token=''"
-        replace: "cloudflare_zone_api_token='{{ CF_API_TOKEN }}'"
-    - name: Insert Zone ID
-      ansible.builtin.replace:
-        path: "/opt/cloudflare-dns.sh"
-        regexp: "^zoneid=''"
-        replace: "zoneid='{{ CF_ZONE_ID }}'"
-    - name: Insert Zone ID
-      ansible.builtin.replace:
-        path: "/opt/cloudflare-dns.sh"
-        regexp: "^dns_record=''"
-        replace: "dns_record='{{ inventory_hostname }}'"
-    - name: Add Cronjob for IPAM Script
-      ansible.builtin.cron:
-        name: "Cloudflare IPAM Script"
-        job: "/opt/cloudflare-dns.sh"
-        special_time: hourly
-        user: bhays

Ansible/debian.yml

@@ -1,20 +0,0 @@
----
-- name: Debian Hardening
-  hosts: linux
-  remote_user: bhays
-  become: true
-  become_user: root
-  vars_files:
-    - homelab-vault/secrets.yml
-  tasks:
-    - name: Update/install Debian Utilities
-      ansible.builtin.apt:
-        name:
-          - "apt-listchanges"
-          - "needrestart"
-          - "libpam-tmpdir"
-          - "debsums"
-          - "apt-show-versions"
-        state: latest
-        update_cache: true
-    # TODO: Harden /etc/protocols, PAM configuration, /etc/login.defs, pam_cracklib, auto upgrades, banner to /etc/issue, auditd/sysstat, chkrootkit

Ansible/fail2ban.yml

@@ -1,26 +0,0 @@
----
-- name: Fail2ban Configuration
-  hosts: linux
-  remote_user: bhays
-  become: true
-  become_user: root
-  tasks:
-    - name: Update/install Fail2Ban
-      ansible.builtin.apt:
-        name: fail2ban
-        state: latest
-        update_cache: true
-    - name: Copy Secure Configuration File
-      ansible.builtin.copy:
-        mode: "0664"
-        src: ../Configs/jail.local
-        dest: /etc/fail2ban/jail.local
-    - name: Restart Fail2Ban
-      ansible.builtin.systemd:
-        name: fail2ban
-        state: restarted
-    - name: Disable Postfix
-      ansible.builtin.systemd:
-        name: postfix
-        state: stopped
-        enabled: false

Ansible/heartbeat.yml

@@ -1,15 +0,0 @@
----
-- name: Betterstack Heartbeat Cronjob
-  hosts: linux
-  remote_user: bhays
-  become: true
-  become_user: root
-  vars_files:
-    - homelab-vault/secrets.yml
-  tasks:
-    - name: Add Cronjob
-      ansible.builtin.cron:
-        name: "Betterstack Heartbeat"
-        job: "curl {{ heartbeat_url }}"
-        special_time: hourly
-        user: bhays

Ansible/homelab-vault

@@ -1 +1 @@
-Subproject commit e95c8ff2aef2e919e5bf0fc8133aaec69ea8dc08
+Subproject commit fd37b52a9e6025dbad72e63820cb03d3008da17d

Ansible/inventory/homelab.ini

@@ -1,10 +1,9 @@
 [proxmox]
 proxmox.benhays.cloud
 
-[linux]
-devops.benhays.cloud heartbeat_url="https://uptime.betterstack.com/api/v1/heartbeat/xVM4MLbQARNndNDcSA5bsnpR"
-web.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/cyWGjSGDk1VFJNtabDB8tchU'
-tailscale.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/Sp7CXapJDwtjQmCMVdjeQsMy'
-bitwarden.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/YUBUtgJjBDJKEqM1qUXroj1v'
-nextcloud.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/oijvrZGFtc9Dev2AefP8iTfB'
-
+[debian_servers]
+web.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/cyWGjSGDk1VFJNtabDB8tchU' # <--- Debian 12
+devops.benhays.cloud heartbeat_url="https://uptime.betterstack.com/api/v1/heartbeat/xVM4MLbQARNndNDcSA5bsnpR"    # <---
+tailscale.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/Sp7CXapJDwtjQmCMVdjeQsMy' # <--- All the rest are Ubuntu 22.04
+bitwarden.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/YUBUtgJjBDJKEqM1qUXroj1v' # <---
+nextcloud.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/oijvrZGFtc9Dev2AefP8iTfB' # <---

Ansible/openssh.yml

@@ -1,51 +0,0 @@
-- name: OpenSSH Configuration Playbook
-  hosts: linux
-  remote_user: bhays
-  become: true
-  become_user: root
-  tasks:
-    - name: Update/install OpenSSH
-      ansible.builtin.apt:
-        name: openssh-server
-        state: latest
-        update_cache: true
-    - name: Add 'bhays' user
-      ansible.builtin.user:
-        name: bhays
-        groups: sudo,adm
-        append: true
-        shell: /bin/bash
-        comment: Benjamin Hays
-    - name: Update/install Sudo
-      ansible.builtin.apt:
-        name: sudo
-        state: latest
-    - name: Ensure .ssh user folder exists
-      ansible.builtin.file:
-        path: "/home/bhays/.ssh/"
-        owner: bhays
-        group: bhays
-        mode: "0770"
-        state: directory
-    - name: Copy public key
-      ansible.builtin.copy:
-        owner: bhays
-        mode: "0600"
-        src: ../Configs/authorized_keys
-        dest: /home/bhays/.ssh/authorized_keys
-    - name: Copy secure login banner
-      ansible.builtin.copy:
-        owner: root
-        mode: "0644"
-        src: ../Configs/login_banner
-        dest: /etc/login_banner
-    - name: Copy Secure Configuration File
-      ansible.builtin.copy:
-        owner: bhays
-        mode: "0600"
-        src: ../Configs/sshd_config
-        dest: /etc/ssh/sshd_config
-    - name: Restart OpenSSH
-      ansible.builtin.systemd:
-        name: sshd
-        state: restarted

Ansible/playbooks/debian.yml

@@ -0,0 +1,22 @@
+---
+- name: Debian Server Hardening
+  hosts: debian_servers
+  remote_user: bhays
+  become: true
+  become_user: root
+  vars_files:
+    - ../homelab-vault/secrets.yml
+  pre_tasks:
+    - name: Update apt cache if needed.
+      ansible.builtin.apt:
+        update_cache: true
+        cache_valid_time: 3600
+  tasks:
+    - name: Cloudflare DDNS Cronjob
+      ansible.builtin.import_tasks: ../roles/cloudflare-dns.yml
+    - name: Heartbeat Cronjob for Betterstack
+      ansible.builtin.import_tasks: ../roles/heartbeat.yml
+    - name: OpenSSH Hardening
+      ansible.builtin.import_tasks: ../roles/openssh.yml
+    - name: Generic Debian Hardening
+      ansible.builtin.import_tasks: ../roles/debian.yml

Ansible/playbooks/proxmox.yml

@@ -15,10 +15,10 @@
         block: |
           # PVE pve-no-subscription repository provided by proxmox.com,
           # NOT recommended for production use
-          deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription
+          deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
     - name: Upgrading system
       ansible.builtin.apt:
-        upgrade: full
+        upgrade: safe
         update_cache: true
         cache_valid_time: 7200
     - name: Installing sudo

Ansible/roles/cloudflare-dns.yml

@@ -0,0 +1,28 @@
+---
+- name: Copy Cloudflare IPAM Script
+  ansible.builtin.copy:
+    owner: bhays
+    mode: "0700"
+    src: ../../Scripts/cloudflare-dns.sh
+    dest: /opt/cloudflare-dns.sh
+- name: Insert API Token
+  ansible.builtin.replace:
+    path: "/opt/cloudflare-dns.sh"
+    regexp: "^cloudflare_zone_api_token=''"
+    replace: "cloudflare_zone_api_token='{{ CF_API_TOKEN }}'"
+- name: Insert Zone ID
+  ansible.builtin.replace:
+    path: "/opt/cloudflare-dns.sh"
+    regexp: "^zoneid=''"
+    replace: "zoneid='{{ CF_ZONE_ID }}'"
+- name: Insert Zone ID
+  ansible.builtin.replace:
+    path: "/opt/cloudflare-dns.sh"
+    regexp: "^dns_record=''"
+    replace: "dns_record='{{ inventory_hostname }}'"
+- name: Add Cronjob for IPAM Script
+  ansible.builtin.cron:
+    name: "Cloudflare IPAM Script"
+    job: "/opt/cloudflare-dns.sh"
+    special_time: hourly
+    user: bhays

Ansible/roles/debian.yml

@@ -0,0 +1,11 @@
+---
+- name: Update/install Debian Utilities
+  ansible.builtin.apt:
+    name:
+      - "apt-listchanges"
+      - "needrestart"
+      - "libpam-tmpdir"
+      - "debsums"
+      - "apt-show-versions"
+    state: latest
+# TODO: Harden /etc/protocols, PAM configuration, /etc/login.defs, pam_cracklib, auto upgrades, banner to /etc/issue, auditd/sysstat, chkrootkit

Ansible/roles/fail2ban.yml

@@ -0,0 +1,19 @@
+---
+- name: Update/install Fail2Ban
+  ansible.builtin.apt:
+    name: fail2ban
+    state: latest
+- name: Copy Secure Configuration File
+  ansible.builtin.copy:
+    mode: "0664"
+    src: ../../Configs/jail.local
+    dest: /etc/fail2ban/jail.local
+- name: Restart Fail2Ban
+  ansible.builtin.systemd:
+    name: fail2ban
+    state: restarted
+- name: Disable Postfix
+  ansible.builtin.systemd:
+    name: postfix
+    state: stopped
+    enabled: false

Ansible/roles/heartbeat.yml

@@ -0,0 +1,7 @@
+---
+- name: Add Cronjob
+  ansible.builtin.cron:
+    name: "Betterstack Heartbeat"
+    job: "curl {{ heartbeat_url }}"
+    special_time: hourly
+    user: bhays

Ansible/roles/openssh.yml

@@ -0,0 +1,44 @@
+- name: Update/install OpenSSH
+  ansible.builtin.apt:
+    name: openssh-server
+    state: latest
+- name: Add 'bhays' user
+  ansible.builtin.user:
+    name: bhays
+    groups: sudo,adm
+    append: true
+    shell: /bin/bash
+    comment: Benjamin Hays
+- name: Update/install Sudo
+  ansible.builtin.apt:
+    name: sudo
+    state: latest
+- name: Ensure .ssh user folder exists
+  ansible.builtin.file:
+    path: "/home/bhays/.ssh/"
+    owner: bhays
+    group: bhays
+    mode: "0770"
+    state: directory
+- name: Copy public key
+  ansible.builtin.copy:
+    owner: bhays
+    mode: "0600"
+    src: ../../Configs/authorized_keys
+    dest: /home/bhays/.ssh/authorized_keys
+- name: Copy secure login banner
+  ansible.builtin.copy:
+    owner: root
+    mode: "0644"
+    src: ../../Configs/login_banner
+    dest: /etc/login_banner
+- name: Copy Secure Configuration File
+  ansible.builtin.copy:
+    owner: bhays
+    mode: "0600"
+    src: ../../Configs/sshd_config
+    dest: /etc/ssh/sshd_config
+- name: Restart OpenSSH
+  ansible.builtin.systemd:
+    name: sshd
+    state: restarted

PowerShell/Find-RDP.ps1

@@ -1,11 +0,0 @@
-# Find-RDP.ps1
-# (c) Ben Hays, 2023
-# Description: Find all the computers joined to an AD domain that are running RDP
-
-$computers = Get-ADComputer -Filter *
-foreach ($Name in $computers.DNSHostName) {
-    $rdpSuccess = Test-Connection -TargetName $Name -TimeoutSeconds 2 -TcpPort 3389 -Quiet
-    if ($rdpSuccess) {
-        Write-Output $Name
-    }
-}

PowerShell/Get-Programs.ps1

@@ -1,15 +0,0 @@
-# Get-Programs.ps1
-# (c) Ben Hays, 2023
-# Description: Get a list of installed programs for backup purposes
-
-$FinalList = @()
-
-# Grab list from common directories
-$ProgramDirs = "C:\Program Files", "C:\Program Files (x86)"
-$FinalList += Get-ChildItem $ProgramDirs | Where-Object { $_.PSIsContainer } | Select-Object -ExpandProperty Name -Unique | Sort-Object
-
-# Grab list from Windows Registry
-$FinalList += Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | Where-Object { $_.DisplayName } | Select-Object -ExpandProperty DisplayName -Unique
-$FinalList += Get-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | Where-Object { $_.DisplayName } | Select-Object -ExpandProperty DisplayName -Unique
-
-Write-Output $FinalList

ansible.cfg

@@ -1,7 +1,8 @@
 [defaults]
 nocows = 1
 host_key_checking = False
-inventory = ./Ansible/inventory.ini
+inventory = ./Ansible/inventory/homelab.ini
+interpreter_python=auto_silent  
 
 [privilege_escalation]
 #become_ask_pass = True