chore: added iac

Signed-off-by: ITQ <itq.dev@ya.ru>
2025-11-21 18:16:52 +03:00
parent 5d66fcd0ca
commit 44df678c82
43 changed files with 1598 additions and 45 deletions
@@ -0,0 +1,33 @@
+---
+ansible_become: true
+ansible_become_method: sudo
+ansible_python_interpreter: /usr/bin/python3
+
+# System configuration
+timezone: UTC
+system_locale: en_US.UTF-8
+
+# Monitoring
+monitoring_enabled: true
+monitoring_prometheus_node_exporter: true
+
+# User management
+admin_users:
+  - name: "{{ ansible_user }}"
+    groups: "sudo"
+    shell: /bin/bash
+    ssh_keys: "{{ admin_ssh_keys | default([]) }}"
+    state: present
+
+# Applications management
+applications:
+  coolify:
+    enabled: false
+    state: latest
+  dokploy:
+    enabled: false
+    state: latest
+  tailscale:
+    enabled: false
+  borgbackup:
+    enabled: false
@@ -0,0 +1,46 @@
+---
+borg_repository:
+borg_install_method: pip
+borg_lock_wait_time: 10
+borg_source_directories:
+  - /home
+  - /root
+  - /etc
+  - /srv
+  - /var/www
+  - /var/lib/docker/volumes
+borg_ssh_key_type: "ed25519"
+borg_retention_policy:
+  keep_hourly: 1
+  keep_daily: 1
+  keep_weekly: 1
+  keep_monthly: 3
+
+borgmatic_timer_cron_name: "borgmatic"
+borgmatic_timer: cron
+borgmatic_timer_hour: "{{ range(0, 5) | random(seed=inventory_hostname) }}"
+borgmatic_timer_minute: "{{ range(0, 59) | random(seed=inventory_hostname) }}"
+borgmatic_timer_flags: ""
+
+borgmatic_config_name: config.yaml
+borgmatic_hooks:
+  on_error:
+    - echo "`date` - Error while creating a backup."
+  before_backup:
+    - echo "`date` - Starting backup."
+  after_backup:
+    - echo "`date` - Finished backup."
+borgmatic_checks:
+  - name: repository
+    frequency: "4 weeks"
+  - name: archives
+    frequency: "6 weeks"
+borgmatic_check_last: 3
+borgmatic_store_atime: false
+borgmatic_store_ctime: false
+borgmatic_relocated_repo_access_is_ok: false
+borgmatic_version: ">=1.7.11"
+
+borg_venv_path: /opt/borgmatic
+borg_user: root
+borg_group: root
@@ -0,0 +1,17 @@
+---
+docker_edition: "ce"
+docker_install_compose_plugin: true
+docker_users:
+  - "{{ ansible_user }}"
+docker_daemon_options:
+  storage-driver: "overlay2"
+
+  log-driver: "json-file"
+  log-opts:
+    max-size: "50m"
+    max-file: "5"
+
+  live-restore: false
+  icc: false
+  userland-proxy: false
+  default-address-pools: [{"base": "10.200.0.0/16", "size": 24}]
@@ -0,0 +1,15 @@
+---
+ntp_enabled: true
+ntp_timezone: Etc/UTC
+ntp_manage_config: true
+
+ntp_servers:
+  - 0.pool.ntp.org
+  - 1.pool.ntp.org
+  - 2.pool.ntp.org
+  - 3.pool.ntp.org
+ntp_restrict:
+  - "127.0.0.1"
+  - "::1"
+
+ntp_cron_handler_enabled: true
@@ -0,0 +1,33 @@
+---
+system_packages:
+  essential:
+    - curl
+    - wget
+    - git
+    - htop
+    - vim
+    - gnupg
+    - ca-certificates
+    - apt-transport-https
+    - software-properties-common
+    - iproute2
+    - net-tools
+    - unzip
+    - jq
+    - tree
+    - bash-completion
+    - tmux
+    - rsync
+    - python3-docker
+    - borgbackup
+  monitoring:
+    - atop
+    - iotop
+    - nethogs
+    - nload
+    - sysstat
+    - dstat
+    - smartmontools
+  security:
+    - fail2ban
+    - nftables
@@ -0,0 +1,25 @@
+---
+security_firewall_default_policy: drop
+security_firewall_allowed_ports:
+  - "{{ security_ssh_port }}/tcp"
+  - "80/tcp"
+  - "443/tcp"
+  - "443/udp"
+  - "53/udp"
+
+security_ssh_port: 2424
+security_fail2ban_enabled: true
+security_fail2ban_custom_configuration_template: "jail.local.j2"
+security_autoupdate_enabled: true
+
+ssh_config:
+  permit_root_login: "no"
+  password_authentication: "no"
+  challenge_response_authentication: "no"
+  use_pam: "yes"
+  x11_forwarding: "no"
+  client_alive_interval: 300
+  client_alive_count_max: 2
+  max_auth_tries: 3
+  max_sessions: 10
+  allow_users: "root {{ admin_users | map(attribute='name') | join(' ') }}"
@@ -0,0 +1,25 @@
+---
+sysctl_tuning:
+  # Network tuning
+  net.core.somaxconn: 65535
+  net.ipv4.tcp_max_syn_backlog: 65535
+  net.ipv4.tcp_fin_timeout: 30
+  net.ipv4.tcp_keepalive_time: 600
+  net.ipv4.tcp_keepalive_probes: 5
+  net.ipv4.tcp_keepalive_intvl: 15
+  net.ipv4.ip_local_port_range: "1024 65535"
+
+  # Memory tuning
+  vm.swappiness: 10
+  vm.vfs_cache_pressure: 50
+  vm.dirty_ratio: 15
+  vm.dirty_background_ratio: 5
+  vm.overcommit_memory: 1
+  vm.overcommit_ratio: 90
+
+  # Security tuning
+  net.ipv4.conf.all.rp_filter: 1
+  net.ipv4.conf.default.rp_filter: 1
+  net.ipv4.icmp_echo_ignore_broadcasts: 1
+  net.ipv4.icmp_ignore_bogus_error_responses: 1
+  net.ipv4.tcp_syncookies: 1
@@ -0,0 +1,16 @@
+---
+state: "{{ applications.tailscale.state | default('latest') }}"
+
+tailscale_authkey: "{{ lookup('env', 'TAILSCALE_KEY') }}"
+tailscale_tags: >-
+  {{
+    ['vm'] +
+    ([hostname.split('-')[-1]] if '-' in hostname else [])
+  }}
+tailscale_args: "--accept-dns=true --accept-routes=false --netfilter-mode on --shields-up=false --ssh=true --stateful-filtering=false"
+
+tailscale_oauth_ephemeral: false
+tailscale_oauth_preauthorized: true
+insecurely_log_authkey: false
+release_stability: stable
+tailscale_up_timeout: 120