chore: added iac

Signed-off-by: ITQ <itq.dev@ya.ru>
2025-11-21 18:16:52 +03:00
parent 5d66fcd0ca
commit 44df678c82
43 changed files with 1598 additions and 45 deletions
@@ -0,0 +1,5 @@
+---
+- name: Restart ssh
+  ansible.builtin.service:
+    name: ssh
+    state: restarted
@@ -0,0 +1,77 @@
+---
+- name: Include optimization tasks
+  include_tasks: optimization.yaml
+  tags: optimization
+
+- name: Install essential packages
+  ansible.builtin.apt:
+    name: "{{ system_packages.essential }}"
+    state: present
+    update_cache: true
+    cache_valid_time: 3600
+  tags: packages
+
+- name: Set hostname and FQDN
+  block:
+    - name: Set hostname
+      ansible.builtin.hostname:
+        name: "{{ hostname | default(inventory_hostname) }}"
+
+    - name: Configure FQDN in hosts file
+      ansible.builtin.lineinfile:
+        path: /etc/hosts
+        regexp: '^127\.0\.1\.1.*'
+        line: "127.0.1.1 {{ fqdn | default(hostname) }} {{ hostname | default(inventory_hostname) }}"
+        state: present
+  tags: system
+
+- name: Deploy MOTD template
+  template:
+    src: motd.j2
+    dest: /etc/motd
+    mode: '0644'
+
+- name: Configure timezone
+  community.general.timezone:
+    name: "{{ timezone }}"
+  tags: system, ntp
+
+- name: Install and configure NTP
+  include_role:
+    name: geerlingguy.ntp
+  tags: system, ntp
+
+- name: Deploy SSH configuration
+  ansible.builtin.template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: '0600'
+    validate: '/usr/sbin/sshd -t -f %s'
+  notify: Restart ssh
+
+- name: Create admin users with proper SSH keys
+  block:
+    - name: Ensure user exists
+      ansible.builtin.user:
+        name: "{{ item.name }}"
+        shell: "{{ item.shell | default('/bin/bash') }}"
+        groups: "{{ item.groups }}"
+        append: true
+        state: "{{ item.state | default('present') }}"
+        create_home: true
+        home: "/home/{{ item.name }}"
+      loop: "{{ admin_users }}"
+      tags: users
+
+    - name: Deploy SSH authorized keys
+      ansible.posix.authorized_key:
+        user: "{{ item.0.name }}"
+        state: present
+        key: "{{ item.1 }}"
+        manage_dir: true
+      with_subelements:
+        - "{{ admin_users }}"
+        - ssh_keys
+      tags: users, ssh
@@ -0,0 +1,22 @@
+---
+- name: Configure sysctl parameters
+  ansible.builtin.sysctl:
+    name: "{{ item.key }}"
+    value: "{{ item.value }}"
+    state: present
+    reload: true
+  loop: "{{ sysctl_tuning | dict2items }}"
+  tags: optimization
+
+- name: Configure file handle limits
+  ansible.builtin.lineinfile:
+    path: /etc/security/limits.conf
+    regexp: "^{{ item.user | regex_escape }}.*{{ item.type }}"
+    line: "{{ item.user }} - nofile {{ item.limit }}"
+    create: true
+  loop:
+    - {user: "root", type: "soft", limit: "65536"}
+    - {user: "root", type: "hard", limit: "65536"}
+    - {user: "*", type: "soft", limit: "65536"}
+    - {user: "*", type: "hard", limit: "65536"}
+  tags: limits
@@ -0,0 +1,4 @@
+{{ ansible_hostname }}
+--------------------
+Welcome to {{ ansible_distribution }} {{ ansible_distribution_version }}
+Kernel: {{ ansible_kernel }}
@@ -0,0 +1,100 @@
+# Managed by Ansible - do not modify manually
+# Security hardened SSH configuration
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+# Basic settings
+Port {{ security_ssh_port }}
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+Protocol 2
+
+# Host keys (modern algorithms first)
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+# Cryptography settings (modern ciphers)
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
+
+# Authentication security
+PermitRootLogin {{ ssh_config.permit_root_login }}
+MaxAuthTries {{ ssh_config.max_auth_tries }}
+MaxSessions {{ ssh_config.max_sessions }}
+ClientAliveInterval {{ ssh_config.client_alive_interval }}
+ClientAliveCountMax {{ ssh_config.client_alive_count_max }}
+LoginGraceTime 60
+
+# General security settings
+UsePAM {{ ssh_config.use_pam }}
+X11Forwarding {{ ssh_config.x11_forwarding }}
+PrintMotd no
+Compression no
+UseDNS no
+IgnoreRhosts yes
+StrictModes yes
+PermitEmptyPasswords no
+TCPKeepAlive yes
+KbdInteractiveAuthentication no
+PrintLastLog yes
+
+# Authorization settings
+AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+# Logging
+LogLevel INFO
+SyslogFacility AUTH
+
+# User restrictions
+{% if ssh_config.allow_users is defined and ssh_config.allow_users %}
+AllowUsers {{ ssh_config.allow_users }}
+{% endif %}
+{% if ssh_config.allow_groups is defined and ssh_config.allow_groups %}
+AllowGroups {{ ssh_config.allow_groups }}
+{% endif %}
+
+# Key-based auth enforcement
+PasswordAuthentication {{ ssh_config.password_authentication }}
+PermitEmptyPasswords no
+PubkeyAuthentication yes
+AuthenticationMethods publickey
+ChallengeResponseAuthentication {{ ssh_config.challenge_response_authentication }}
+
+# Rekey limits
+RekeyLimit 512M 1h
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Authorized key and principal controls
+AuthorizedPrincipalsFile none
+AuthorizedKeysCommand none
+AuthorizedKeysCommandUser nobody
+
+# Disable forwarding and tunnels unless explicitly needed
+AllowAgentForwarding no
+AllowTcpForwarding no
+GatewayPorts no
+PermitTunnel no
+
+# Disable user-controlled environments and TTY manipulations
+PermitUserEnvironment no
+PermitTTY yes
+X11UseLocalhost yes
+X11DisplayOffset 10
+
+# Limit connection attempts
+MaxStartups 2:30:100
+
+# Misc hardening
+IgnoreUserKnownHosts yes
+VersionAddendum none
+ChrootDirectory none
+
+Match Address 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
+        PermitRootLogin yes