added ssh playbook

This commit is contained in:
transatoshi
2025-01-11 19:02:56 -08:00
parent 7fba9be8a9
commit f1e5b16093
5 changed files with 32 additions and 180 deletions


@@ -1,71 +0,0 @@
- hosts: backup
vars:
user: backup
group: backup
home: /home/backup
pool: "{{ home }}/repos"
auth_users:
- host: node00.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/node00.grinminer.net.pub') }}"
- host: node01.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/node01.grinminer.net.pub') }}"
- host: node02.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/ha-testnet.grinminer.net.pub') }}"
- host: node03.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/ha-testnet.grinminer.net.pub') }}"
- host: core00.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/core00.grinminer.net.pub') }}"
- host: core01.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/core01.grinminer.net.pub') }}"
- host: freenode00.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/freenode00.grinminer.net.pub') }}"
- host: freenode01.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/freenode01.grinminer.net.pub') }}"
- host: freenode02.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/freenode02.grinminer.net.pub') }}"
- host: freenode03.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/freenode03.grinminer.net.pub') }}"
- host: freenode04.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/freenode04.grinminer.net.pub') }}"
- host: freenode05.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/freenode05.grinminer.net.pub') }}"
- host: ha-mainnet.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/ha-testnet.grinminer.net.pub') }}"
- host: ha-testnet.grinminer.net
key: "{{ lookup('file', '/etc/ssh/ha-testnet.grinminer.net.pub') }}"
- host: ha-node.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/ha-node.grinminer.net.pub') }}"
- host: ha-testnode.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/ha-testnode.grinminer.net.pub') }}"
- host: ha-mine.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/ha-mine.grinminer.net.pub') }}"
- host: dns.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/dns.grinminer.net.pub') }}"
- host: dns1.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/dns1.grinminer.net.pub') }}"
- host: www.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/www.grinminer.net.pub') }}"
- host: proxy.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/proxy.grinminer.net.pub') }}"
- host: stats.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/stats.grinminer.net.pub') }}"
- host: zabbix.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/zabbix.grinminer.net.pub') }}"
- host: matrix.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/matrix.grinminer.net.pub') }}"
- host: ansible.grinminer.net
key: "{{ lookup('file', '/etc/ssh/keys/ansible.grinminer.net.pub') }}"
tasks:
- package: name=borg state=present
- group: name="{{ group }}" state=present
- user: name="{{ user }}" shell=/bin/bash home="{{ home }}" createhome=yes group="{{ group }}" groups= state=present
- file: path="{{ home }}" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory
- file: path="{{ home }}/.ssh" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory
- file: path="{{ pool }}" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory
- authorized_key: user="{{ user }}"
key="{{ item.key }}"
key_options='command="cd {{ pool }}/{{ item.host }};borg serve --restrict-to-path {{ pool }}/{{ item.host }}",restrict'
with_items: "{{ auth_users }}"
- file: path="{{ home }}/.ssh/authorized_keys" owner="{{ user }}" group="{{ group }}" mode=0600 state=file
- file: path="{{ pool }}/{{ item.host }}" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory
with_items: "{{ auth_users }}"

ansible/ssh-hardening.yml Normal file

@@ -0,0 +1,32 @@
- hosts: all
remote_user: root
tasks:
- name: Install fail2ban
ansible.builtin.apt:
pkg:
- fail2ban
state: latest
update_cache: yes
- name: Download and install fail2ban
ansible.builtin.shell:
cmd: cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
cmd: systemctl enable fail2ban
cmd: systemctl start fail2ban
- name: Replace PermitRootLogin
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: PermitRootLogin yes
replace: PermitRootLogin prohibit-password
- name: Replace PasswordAuthentication
ansible.builtin.replace:
path: /etc/ssh/sshd_config
regexp: PasswordAuthentication yes
replace: PasswordAuthentication no
- name: Restart SSH
ansible.builtin.shell:
cmd: systemctl restart ssh


@@ -1,38 +0,0 @@
- hosts: vaultwarden
remote_user: root
tasks:
- name: Create user vaultwarden
ansible.builtin.user:
name: vaultwarden
password: $6$rKRPJwebeYGVL1tm$iDBNbMkfGaTJ1odReOEA.lD7jVndeBN2AQNo9AHxCRcx6HFKQg8MQT.P3bmfEbrnhdDBDlB1WRpH/sTyjSgrX/
- name: Download vaultwarden-server
get_url:
url: https://github.com/dionysius/vaultwarden-deb/releases/download/debian%2F1.32.6-0/vaultwarden_1.32.6-0.bookworm_amd64.deb
dest: /tmp/
mode: '0775'
force: 'yes'
- name: Download vaultwarden-vault
get_url:
url: https://github.com/dionysius/vaultwarden-web-vault-deb/releases/download/debian%2F2024.6.2-0/vaultwarden-web-vault_2024.6.2-0.bookworm_all.deb
dest: /tmp/
mode: '0775'
force: 'yes'
- name: Install dependencies
ansible.builtin.apt:
name: mariadb-server
name: libpq5
state: latest
- name: Install web-vault
ansible.builtin.shell:
cmd: dpkg -i /tmp/vaultwarden-web-vault_2024.6.2-0.bookworm_all.deb
- name: install server
ansible.builtin.shell:
cmd: dpkg -i /tmp/vaultwarden_1.32.6-0.bookworm_amd64.deb


@@ -1,11 +0,0 @@
- hosts: www
remote_user: root
tasks:
- name: Replicate /var/www/html/ to all webservers
ansible.builtin.shell:
cmd: scp /var/www/html/* https://www1.grinminer.net:/var/www/html/
cmd: scp /var/www/html/* https://www2.grinminer.net:/var/www/html/
cmd: scp /var/www/html/* https://www3.grinminer.net:/var/www/html/
cmd: scp /var/www/html/* https://www4.grinminer.net:/var/www/html/
cmd: scp /var/www/html/* https://www5.grinminer.net:/var/www/html/


@@ -1,60 +0,0 @@
- hosts: all
remote_user: root
tasks:
- name: Create user zabbix
ansible.builtin.user:
name: zabbix
password: <SHA-512 HASH>
- name: Download zabbix repository
get_url:
url: https://repo.zabbix.com/zabbix/7.2/release/debian/pool/main/z/zabbix-release/zabbix-release_latest_7.2+debian12_all.deb
dest: /tmp/
mode: '0775'
force: 'yes'
- name: Unpack and update repository
ansible.builtin.shell:
cmd: dpkg -i /tmp/zabbix-release_latest_7.2+debian12_all.deb
- name: Install zabbix-agent
ansible.builtin.apt:
name: zabbix-agent
name: ufw
state: latest
update_cache: yes
- name: Enable zabbix-agent.service
ansible.builtin.shell:
cmd: systemctl enable zabbix-agent
- name: DNS config overwrite
ansible.builtin.shell:
cmd: echo "domain grinminer.net \nsearch grinminer.net \nnameserver 10.0.0.2 \nnameserver 10.0.0.3 \nnameserver 1.1.1.1" > /etc/resolv.conf
- name: zabbix-agent config1
ansible.builtin.replace:
path: /etc/zabbix/zabbix_agentd.conf
backup: true
regexp: 127.0.0.1
replace: 10.0.0.5
- name: zabbix-agent config2
ansible.builtin.replace:
path: /etc/zabbix/zabbix_agentd.conf
backup: true
regexp: '#Hostname'
replace: 'Hostname'
- name: zabbix-agent config3
ansible.builtin.replace:
path: /etc/zabbix/zabbix_agentd.conf
backup: true
regexp: 'Hostname='
replace: 'Hostname=zabbix.grinminer.net'
- name: restart zabbix-agent and open fw
ansible.builtin.shell:
cmd: systemctl restart zabbix-agent
cmd: ufw allow 10050