BenHays42/homelab-automation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

reorganize entire ansible folder and related misc edits
Some checks failed
Ansible Deploy / deploy (Ansible/playbooks/debian.yml) (push) Successful in 2m4s
Details
Ansible Deploy / deploy (Ansible/playbooks/proxmox.yml) (push) Failing after 59s
Details
Ansible Lint / build (push) Successful in 33s
Details

Browse Source
This commit is contained in:
Benjamin Hays 2024-10-12 22:34:48 -04:00
parent 8784058874
commit c403578372
25 changed files with 149 additions and 192 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.gitea/workflows/ansible-deploy.yml
View File

@ -9,10 +9,8 @@ jobs:
strategy: strategy:
matrix: matrix:
playbook: playbook:
- Ansible/openssh.yml - Ansible/playbooks/debian.yml
- Ansible/cloudflare-dns.yml - Ansible/playbooks/proxmox.yml
- Ansible/heartbeat.yml
- Ansible/debian.yml
steps: steps:
- name: Copy SSH Key - name: Copy SSH Key
run: | run: |
@ -53,5 +51,5 @@ jobs:
# requirements: requirements.yaml # requirements: requirements.yaml
options: | options: |
--inventory Ansible/inventory.ini --inventory Ansible/inventory/homelab.ini
--extra-vars "@Ansible/homelab-vault/secrets.yml" --extra-vars "@Ansible/homelab-vault/secrets.yml"

3
.gitea/workflows/ansible-lint.yml
View File

@ -4,12 +4,13 @@ on: [push]
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
env:
RUNNER_TOOL_CACHE: /toolcache
steps: steps:
- name: Install Ansible-Lint - name: Install Ansible-Lint
run: | run: |
apt update -y apt update -y
apt install python3-pip -y apt install python3-pip -y
python3 -m pip install ansible
python3 -m pip install ansible-lint python3 -m pip install ansible-lint
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@v3

3
Ansible/ansible.cfg
View File

@ -1,7 +1,8 @@
[defaults] [defaults]
nocows = 1 nocows = 1
host_key_checking = False host_key_checking = False
inventory = ./inventory.ini inventory = ./inventory/homelab.ini
interpreter_python=auto_silent
[privilege_escalation] [privilege_escalation]
#become_ask_pass = True #become_ask_pass = True

36
Ansible/cloudflare-dns.yml
View File

@ -1,36 +0,0 @@
---
- name: Cloudflare Dynamic DNS Script
hosts: linux
remote_user: bhays
become: true
become_user: root
vars_files:
- homelab-vault/secrets.yml
tasks:
- name: Copy Cloudflare IPAM Script
ansible.builtin.copy:
owner: bhays
mode: "0700"
src: ../Bash/cloudflare-dns.sh
dest: /opt/cloudflare-dns.sh
- name: Insert API Token
ansible.builtin.replace:
path: "/opt/cloudflare-dns.sh"
regexp: "^cloudflare_zone_api_token=''"
replace: "cloudflare_zone_api_token='{{ CF_API_TOKEN }}'"
- name: Insert Zone ID
ansible.builtin.replace:
path: "/opt/cloudflare-dns.sh"
regexp: "^zoneid=''"
replace: "zoneid='{{ CF_ZONE_ID }}'"
- name: Insert Zone ID
ansible.builtin.replace:
path: "/opt/cloudflare-dns.sh"
regexp: "^dns_record=''"
replace: "dns_record='{{ inventory_hostname }}'"
- name: Add Cronjob for IPAM Script
ansible.builtin.cron:
name: "Cloudflare IPAM Script"
job: "/opt/cloudflare-dns.sh"
special_time: hourly
user: bhays

20
Ansible/debian.yml
View File

@ -1,20 +0,0 @@
---
- name: Debian Hardening
hosts: linux
remote_user: bhays
become: true
become_user: root
vars_files:
- homelab-vault/secrets.yml
tasks:
- name: Update/install Debian Utilities
ansible.builtin.apt:
name:
- "apt-listchanges"
- "needrestart"
- "libpam-tmpdir"
- "debsums"
- "apt-show-versions"
state: latest
update_cache: true
# TODO: Harden /etc/protocols, PAM configuration, /etc/login.defs, pam_cracklib, auto upgrades, banner to /etc/issue, auditd/sysstat, chkrootkit

26
Ansible/fail2ban.yml
View File

@ -1,26 +0,0 @@
---
- name: Fail2ban Configuration
hosts: linux
remote_user: bhays
become: true
become_user: root
tasks:
- name: Update/install Fail2Ban
ansible.builtin.apt:
name: fail2ban
state: latest
update_cache: true
- name: Copy Secure Configuration File
ansible.builtin.copy:
mode: "0664"
src: ../Configs/jail.local
dest: /etc/fail2ban/jail.local
- name: Restart Fail2Ban
ansible.builtin.systemd:
name: fail2ban
state: restarted
- name: Disable Postfix
ansible.builtin.systemd:
name: postfix
state: stopped
enabled: false

15
Ansible/heartbeat.yml
View File

@ -1,15 +0,0 @@
---
- name: Betterstack Heartbeat Cronjob
hosts: linux
remote_user: bhays
become: true
become_user: root
vars_files:
- homelab-vault/secrets.yml
tasks:
- name: Add Cronjob
ansible.builtin.cron:
name: "Betterstack Heartbeat"
job: "curl {{ heartbeat_url }}"
special_time: hourly
user: bhays

2
Ansible/homelab-vault

@ -1 +1 @@
Subproject commit e95c8ff2aef2e919e5bf0fc8133aaec69ea8dc08 Subproject commit fd37b52a9e6025dbad72e63820cb03d3008da17d

13
Ansible/inventory.ini → Ansible/inventory/homelab.ini
View File

@ -1,10 +1,9 @@
[proxmox] [proxmox]
proxmox.benhays.cloud proxmox.benhays.cloud
[linux] [debian_servers]
devops.benhays.cloud heartbeat_url="https://uptime.betterstack.com/api/v1/heartbeat/xVM4MLbQARNndNDcSA5bsnpR" web.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/cyWGjSGDk1VFJNtabDB8tchU' # <--- Debian 12
web.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/cyWGjSGDk1VFJNtabDB8tchU' devops.benhays.cloud heartbeat_url="https://uptime.betterstack.com/api/v1/heartbeat/xVM4MLbQARNndNDcSA5bsnpR" # <---
tailscale.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/Sp7CXapJDwtjQmCMVdjeQsMy' tailscale.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/Sp7CXapJDwtjQmCMVdjeQsMy' # <--- All the rest are Ubuntu 22.04
bitwarden.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/YUBUtgJjBDJKEqM1qUXroj1v' bitwarden.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/YUBUtgJjBDJKEqM1qUXroj1v' # <---
nextcloud.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/oijvrZGFtc9Dev2AefP8iTfB' nextcloud.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/oijvrZGFtc9Dev2AefP8iTfB' # <---

51
Ansible/openssh.yml
View File

@ -1,51 +0,0 @@
- name: OpenSSH Configuration Playbook
hosts: linux
remote_user: bhays
become: true
become_user: root
tasks:
- name: Update/install OpenSSH
ansible.builtin.apt:
name: openssh-server
state: latest
update_cache: true
- name: Add 'bhays' user
ansible.builtin.user:
name: bhays
groups: sudo,adm
append: true
shell: /bin/bash
comment: Benjamin Hays
- name: Update/install Sudo
ansible.builtin.apt:
name: sudo
state: latest
- name: Ensure .ssh user folder exists
ansible.builtin.file:
path: "/home/bhays/.ssh/"
owner: bhays
group: bhays
mode: "0770"
state: directory
- name: Copy public key
ansible.builtin.copy:
owner: bhays
mode: "0600"
src: ../Configs/authorized_keys
dest: /home/bhays/.ssh/authorized_keys
- name: Copy secure login banner
ansible.builtin.copy:
owner: root
mode: "0644"
src: ../Configs/login_banner
dest: /etc/login_banner
- name: Copy Secure Configuration File
ansible.builtin.copy:
owner: bhays
mode: "0600"
src: ../Configs/sshd_config
dest: /etc/ssh/sshd_config
- name: Restart OpenSSH
ansible.builtin.systemd:
name: sshd
state: restarted

22
Ansible/playbooks/debian.yml Normal file
View File

@ -0,0 +1,22 @@
---
- name: Debian Server Hardening
hosts: debian_servers
remote_user: bhays
become: true
become_user: root
vars_files:
- ../homelab-vault/secrets.yml
pre_tasks:
- name: Update apt cache if needed.
ansible.builtin.apt:
update_cache: true
cache_valid_time: 3600
tasks:
- name: Cloudflare DDNS Cronjob
ansible.builtin.import_tasks: ../roles/cloudflare-dns.yml
- name: Heartbeat Cronjob for Betterstack
ansible.builtin.import_tasks: ../roles/heartbeat.yml
- name: OpenSSH Hardening
ansible.builtin.import_tasks: ../roles/openssh.yml
- name: Generic Debian Hardening
ansible.builtin.import_tasks: ../roles/debian.yml

4
Ansible/proxmox.yml → Ansible/playbooks/proxmox.yml
View File

@ -15,10 +15,10 @@
block: | block: |
# PVE pve-no-subscription repository provided by proxmox.com, # PVE pve-no-subscription repository provided by proxmox.com,
# NOT recommended for production use # NOT recommended for production use
deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
- name: Upgrading system - name: Upgrading system
ansible.builtin.apt: ansible.builtin.apt:
upgrade: full upgrade: safe
update_cache: true update_cache: true
cache_valid_time: 7200 cache_valid_time: 7200
- name: Installing sudo - name: Installing sudo

28
Ansible/roles/cloudflare-dns.yml Normal file
View File

@ -0,0 +1,28 @@
---
- name: Copy Cloudflare IPAM Script
ansible.builtin.copy:
owner: bhays
mode: "0700"
src: ../../Scripts/cloudflare-dns.sh
dest: /opt/cloudflare-dns.sh
- name: Insert API Token
ansible.builtin.replace:
path: "/opt/cloudflare-dns.sh"
regexp: "^cloudflare_zone_api_token=''"
replace: "cloudflare_zone_api_token='{{ CF_API_TOKEN }}'"
- name: Insert Zone ID
ansible.builtin.replace:
path: "/opt/cloudflare-dns.sh"
regexp: "^zoneid=''"
replace: "zoneid='{{ CF_ZONE_ID }}'"
- name: Insert Zone ID
ansible.builtin.replace:
path: "/opt/cloudflare-dns.sh"
regexp: "^dns_record=''"
replace: "dns_record='{{ inventory_hostname }}'"
- name: Add Cronjob for IPAM Script
ansible.builtin.cron:
name: "Cloudflare IPAM Script"
job: "/opt/cloudflare-dns.sh"
special_time: hourly
user: bhays

11
Ansible/roles/debian.yml Normal file
View File

@ -0,0 +1,11 @@
---
- name: Update/install Debian Utilities
ansible.builtin.apt:
name:
- "apt-listchanges"
- "needrestart"
- "libpam-tmpdir"
- "debsums"
- "apt-show-versions"
state: latest
# TODO: Harden /etc/protocols, PAM configuration, /etc/login.defs, pam_cracklib, auto upgrades, banner to /etc/issue, auditd/sysstat, chkrootkit

19
Ansible/roles/fail2ban.yml Normal file
View File

@ -0,0 +1,19 @@
---
- name: Update/install Fail2Ban
ansible.builtin.apt:
name: fail2ban
state: latest
- name: Copy Secure Configuration File
ansible.builtin.copy:
mode: "0664"
src: ../../Configs/jail.local
dest: /etc/fail2ban/jail.local
- name: Restart Fail2Ban
ansible.builtin.systemd:
name: fail2ban
state: restarted
- name: Disable Postfix
ansible.builtin.systemd:
name: postfix
state: stopped
enabled: false

7
Ansible/roles/heartbeat.yml Normal file
View File

@ -0,0 +1,7 @@
---
- name: Add Cronjob
ansible.builtin.cron:
name: "Betterstack Heartbeat"
job: "curl {{ heartbeat_url }}"
special_time: hourly
user: bhays

44
Ansible/roles/openssh.yml Normal file
View File

@ -0,0 +1,44 @@
- name: Update/install OpenSSH
ansible.builtin.apt:
name: openssh-server
state: latest
- name: Add 'bhays' user
ansible.builtin.user:
name: bhays
groups: sudo,adm
append: true
shell: /bin/bash
comment: Benjamin Hays
- name: Update/install Sudo
ansible.builtin.apt:
name: sudo
state: latest
- name: Ensure .ssh user folder exists
ansible.builtin.file:
path: "/home/bhays/.ssh/"
owner: bhays
group: bhays
mode: "0770"
state: directory
- name: Copy public key
ansible.builtin.copy:
owner: bhays
mode: "0600"
src: ../../Configs/authorized_keys
dest: /home/bhays/.ssh/authorized_keys
- name: Copy secure login banner
ansible.builtin.copy:
owner: root
mode: "0644"
src: ../../Configs/login_banner
dest: /etc/login_banner
- name: Copy Secure Configuration File
ansible.builtin.copy:
owner: bhays
mode: "0600"
src: ../../Configs/sshd_config
dest: /etc/ssh/sshd_config
- name: Restart OpenSSH
ansible.builtin.systemd:
name: sshd
state: restarted

11
PowerShell/Find-RDP.ps1
View File

@ -1,11 +0,0 @@
# Find-RDP.ps1
# (c) Ben Hays, 2023
# Description: Find all the computers joined to an AD domain that are running RDP
$computers = Get-ADComputer -Filter *
foreach ($Name in $computers.DNSHostName) {
$rdpSuccess = Test-Connection -TargetName $Name -TimeoutSeconds 2 -TcpPort 3389 -Quiet
if ($rdpSuccess) {
Write-Output $Name
}
}

15
PowerShell/Get-Programs.ps1
View File

@ -1,15 +0,0 @@
# Get-Programs.ps1
# (c) Ben Hays, 2023
# Description: Get a list of installed programs for backup purposes
$FinalList = @()
# Grab list from common directories
$ProgramDirs = "C:\Program Files", "C:\Program Files (x86)"
$FinalList += Get-ChildItem $ProgramDirs | Where-Object { $_.PSIsContainer } | Select-Object -ExpandProperty Name -Unique | Sort-Object
# Grab list from Windows Registry
$FinalList += Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | Where-Object { $_.DisplayName } | Select-Object -ExpandProperty DisplayName -Unique
$FinalList += Get-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | Where-Object { $_.DisplayName } | Select-Object -ExpandProperty DisplayName -Unique
Write-Output $FinalList

0
Bash/cloudflare-dns.sh → Scripts/cloudflare-dns.sh
View File

0
Bash/compliance-list.txt → Scripts/compliance-list.txt
View File

0
Bash/scan-lan.sh → Scripts/scan-lan.sh
View File

0
Bash/ssh-compliance.sh → Scripts/ssh-compliance.sh
View File

0
Bash/ssl-compliance.sh → Scripts/ssl-compliance.sh
View File

3
ansible.cfg
View File

@ -1,7 +1,8 @@
[defaults] [defaults]
nocows = 1 nocows = 1
host_key_checking = False host_key_checking = False
inventory = ./Ansible/inventory.ini inventory = ./Ansible/inventory/homelab.ini
interpreter_python=auto_silent
[privilege_escalation] [privilege_escalation]
#become_ask_pass = True #become_ask_pass = True