

No commits in common. "dev" and "main" have entirely different histories.
dev ... main

32 changed files with 35 additions and 289 deletions

.gitignore vendored

@ -1,4 +1,2 @@
**/*.key
**/*.pub
*.key
kubeconfig
.vscode


@ -1,3 +0,0 @@
**Clean up**
- write config files to server-configs
- set server-configs as global var


@ -3,14 +3,13 @@ python_interpreter=/usr/bin/python3
interpreter_python = auto_silent
ansible_ssh_private_key_file=../root.key
inventory=inventory/
remote_user=ansible
remote_user=admin_dev
#log_path = ./ansible.log
#verbosity = 0
display_ok_hosts = true
stdout_callback = yaml
bin_ansible_callbacks = true
deprecation_warnings= false
host_key_checking = False
[privilege_escalation]
Become = true
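Review bot: `host_key_checking = False` disables SSH host-key verification for every connection made with this config, and with `ansible_ssh_private_key_file=../root.key` that key is then offered to whatever answers at an inventory address; the line carries no marker on this rendered page, so it most likely survives the change untouched. Remove the line (the default is `True`) and ship known_hosts entries out of band, keeping any opt-out to an explicit, commented dev-only override. Two `remote_user` lines are shown (`ansible`, `admin_dev`); depending on the parser a duplicate option is either rejected or silently last-wins, so confirm exactly one remains on the new side. Under `[privilege_escalation]` write `become = true` in lowercase like the other keys, and tidy `deprecation_warnings= false` to `deprecation_warnings = false`.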


@ -1,21 +1,10 @@
### Playbook for adding sysupgrade, add user and ssh hardening
- name: Base setup
hosts: all
hosts: dev
vars:
#ansible_user: root
ansible_user: root
roles:
- name: Setup host
role: roles/init
tags: setup_host
- name: Sysupgrade role
role: roles/sysupgrade
tags: sysupgrade
- name: User_add role
role: roles/user_add
tags: user_add
- name: Ssh_hardening role
role: roles/ssh_hardening
tags: ssh_hardening
tags:
- base
- roles/sysupgrade
- roles/user_add
- roles/ssh_hardening
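Review bot: the play keeps `ansible_user: root` in `vars` (the `#ansible_user: root` line above it is dead text and can go), so `roles/user_add` and `roles/ssh_hardening` run over a direct root login instead of an unprivileged account with `become`; if the hardening role disables root SSH login (its tasks are not in this diff), the next run of this same play locks itself out. Point `ansible_user` at the admin account and set `become: true` on the play, or drop the var and let ansible.cfg's `remote_user` decide. If the flattened `- roles/sysupgrade` list is the new side, the per-role `tags` (`sysupgrade`, `user_add`, `ssh_hardening`) are gone and `--tags ssh_hardening` no longer selects one role; keep the `- role: roles/ssh_hardening` / `tags: ssh_hardening` form if selective runs are still wanted. Which of the two `hosts:` lines is the new one cannot be read off this rendered page.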


@ -1,11 +1,11 @@
### Playbook for datatroniq-challenge
- name: Full install
hosts: all
hosts: dev
become: false
gather_facts: false
vars:
ansible_user: ansible
ansible_user: root
- name: Import base setup
import_playbook: base.yaml
@ -21,10 +21,3 @@
import_playbook: k8s-deployments.yaml
tags:
- k8s-deployments
- name: Cleanup
hosts: all
roles:
- role: roles/cleanup
tags:
- cleanup
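Review bot: `vars:` / `ansible_user:` on the `Full install` play affects nothing that runs, because play vars are scoped to their own play and this play has no tasks or roles; the imported playbooks (`base.yaml`, `k8s-deployments.yaml`) use their own `ansible_user` or ansible.cfg's `remote_user`, whichever of `ansible`/`root` ends up here. Move the value into each imported play or into `group_vars/dev`, and drop the dead block together with `become: false` and `gather_facts: false`, which likewise only govern this empty play. The second hunk removes the `Cleanup` play that deleted `{{ confdir }}`; on the side that copies values files under `/root/` (see the k8s role sections) those files now stay on the host after a run, so if any of them carry credentials a replacement cleanup step is worth keeping.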


@ -0,0 +1,3 @@
dev:
hosts:
0.0.0.0:
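Review bot: `0.0.0.0:` under `dev: hosts:` is a placeholder that can never be connected to, yet it is valid inventory, so a run against this file fails at connect time instead of telling the operator the address is unset. Use an obvious host name with the address left for the operator to fill in, e.g. `dev-host:` / `ansible_host: "<fill-in-address>"`, and say so in a comment. The `confdir` group var carried by the deleted inventory file is gone with it, so any `{{ confdir }}` reference still left in the roles would now be undefined.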


@ -1,11 +0,0 @@
dev:
hosts:
10.3.0.101:
vars:
confdir: "/root/server-configs"
live:
hosts:
10.3.0.102:
vars:
confdir: "/root/server-configs"


@ -1,9 +1,7 @@
### Playbook for installing k3s
- name: Install k3s
hosts: all
hosts: dev
become: yes
roles:
- name: K3s role
role: roles/k3s
tags: k3s
- roles/k3s


@ -1,20 +1,12 @@
### Playbook for deploying kubernetes resources
- name: Install k8s apps
hosts: all
hosts: dev
become: yes
roles:
- name: Ingress role
role: roles/k8s-nginx-ingress
tags: ingress
- name: Cert-manager role
role: roles/k8s-cert-manager
tags: cert-mangager
- name: Kube-prom role
role: roles/k8s-kube-prom-stack
tags: prom-stack
- name: Wordpress role
role: roles/k8s-wordpress
tags: wordpress
- roles/k8s-nginx-ingress
- roles/k8s-cert-manager
- roles/k8s-kube-prom-stack
- roles/k8s-wordpress
tags:
- k8s-deployments
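Review bot: `become: yes` uses the YAML 1.1 truthy spelling; write `become: true` here and in the k3s playbook section (L123-L133) to match the `true`/`false` used elsewhere in the repo (`installCRDs: true`, `become: false`). If the bare `- roles/k8s-nginx-ingress` list is the new side, the per-role tags (`ingress`, `prom-stack`, `wordpress`) are gone and only the play tag `k8s-deployments` remains, so a single component can no longer be (re)deployed with `--tags`; keep the `- role:` / `tags:` form if that workflow matters.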


@ -1,38 +0,0 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).


@ -1,3 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# defaults file for cleanup


@ -1,3 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# handlers file for cleanup


@ -1,35 +0,0 @@
#SPDX-License-Identifier: MIT-0
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.2
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.


@ -1,8 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# tasks file for cleanup
#
- name: Remove config directory
ansible.builtin.file:
path: "{{ confdir }}"
state: absent


@ -1,3 +0,0 @@
#SPDX-License-Identifier: MIT-0
localhost


@ -1,6 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
- hosts: localhost
remote_user: root
roles:
- cleanup


@ -1,3 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# vars file for cleanup


@ -1,38 +0,0 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).


@ -1,3 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# defaults file for init


@ -1,3 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# handlers file for init


@ -1,35 +0,0 @@
#SPDX-License-Identifier: MIT-0
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.2
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.


@ -1,13 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# tasks file for init
- name: Setup host
block:
- name: Create config dir
ansible.builtin.file:
path: "{{ confdir }}"
state: directory
mode: 0700
tags:
- setup_host


@ -1,3 +0,0 @@
#SPDX-License-Identifier: MIT-0
localhost


@ -1,6 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
- hosts: localhost
remote_user: root
roles:
- init


@ -1,3 +0,0 @@
#SPDX-License-Identifier: MIT-0
---
# vars file for init


@ -44,7 +44,7 @@
#- name: Copy k3s.config to server
# ansible.builtin.copy:
# src: k3s.config
# dest: "{{ confdir }}"/config.yaml
# dest: /root/config.yaml
- name: Install k3s (disabled traefik in favour of nginx for modSecurity support)
shell: |


@ -11,17 +11,17 @@
- name: Copy value files
ansible.builtin.copy:
src: files/values.yaml
dest: "{{ confdir }}/cert-manager-values.yaml"
dest: ~/cert-manager-values.yaml
- name: Copy clusterissuer-staging yaml
ansible.builtin.copy:
src: files/clusterissuer-staging.yaml
dest: "{{ confdir }}/"
dest: ~/
- name: Copy clusterissuer-prod yaml
ansible.builtin.copy:
src: files/clusterissuer-prod.yaml
dest: "{{ confdir }}/"
dest: ~/
- name: Install cert-manager
kubernetes.core.helm:
@ -36,17 +36,17 @@
values:
installCRDs: true
values_files:
"{{ confdir }}/cert-manager-values.yaml"
/root/cert-manager-values.yaml
state: present
- name: Create staging clusterissuer for letsencrypt
kubernetes.core.k8s:
kubeconfig: /etc/rancher/k3s/k3s.yaml
state: present
src: "{{ confdir }}/clusterissuer-staging.yaml"
src: /root/clusterissuer-staging.yaml
- name: Create prod clusterissuer for letsencrypt
kubernetes.core.k8s:
kubeconfig: /etc/rancher/k3s/k3s.yaml
state: present
src: "{{ confdir }}/clusterissuer-prod.yaml"
src: /root/clusterissuer-prod.yaml
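Review bot: the non-templated side of this section copies files to `dest: ~/cert-manager-values.yaml` and `dest: ~/` but then reads them back from `values_files: /root/cert-manager-values.yaml` and `src: /root/clusterissuer-*.yaml`; `~` is expanded to the home of the user the task runs as while `/root` is fixed, so the two only coincide while that user is root, and the moment the play runs under `become` from a non-root login the helm and k8s tasks read a path nothing wrote. Pick one spelling for all six lines, preferably one variable like the `confdir` the templated side used, e.g. `dest: "{{ k8s_conf_dir }}/cert-manager-values.yaml"` (constructed name). The wordpress section (L487-L501) mixes `~/` and `/root/` the same way, and the prom-stack (L440-L465) and ingress (L469-L483) sections hard-code `/root/` throughout, so the same fix applies there.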


@ -11,12 +11,12 @@
- name: Copy value files
ansible.builtin.copy:
src: files/values.yaml
dest: "{{ confdir }}/prom-values.yaml"
dest: /root/prom-values.yaml
- name: Copy wordpress-dashboard
ansible.builtin.copy:
src: files/wordpress-dashboard.yaml
dest: "{{ confdir }}/"
dest: /root/
- name: Install kube-prom-stack
kubernetes.core.helm:
@ -29,11 +29,11 @@
wait: yes
timeout: 600s
values_files:
"{{ confdir }}/prom-values.yaml"
/root/prom-values.yaml # Path to your custom values file, if needed
state: present
- name: Add wordpress-dashboard to grafana
kubernetes.core.k8s:
kubeconfig: /etc/rancher/k3s/k3s.yaml
state: present
src: "{{ confdir }}/wordpress-dashboard.yaml"
src: /root/wordpress-dashboard.yaml


@ -11,7 +11,7 @@
- name: Copy value files
ansible.builtin.copy:
src: files/values.yaml
dest: "{{ confdir }}/ingress-values.yaml"
dest: /root/ingress-values.yaml
- name: Install ingress-nginx
kubernetes.core.helm:
@ -24,6 +24,6 @@
wait: yes
timeout: 600s
values_files:
"{{ confdir }}/ingress-values.yaml"
/root/ingress-values.yaml
state: present


@ -11,7 +11,7 @@
- name: Copy value files
ansible.builtin.copy:
src: files/values.yaml
dest: "{{ confdir }}/wordpress-values.yaml"
dest: ~/wordpress-values.yaml
- name: Install wordpress
kubernetes.core.helm:
@ -24,6 +24,6 @@
wait: yes
timeout: 600s
values_files:
"{{ confdir }}/wordpress-values.yaml"
/root/wordpress-values.yaml
state: present


@ -4,5 +4,5 @@
- name: restart_sshd
ansible.builtin.service:
name: ssh
name: sshd
state: restarted
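Review bot: `name: ssh` versus `name: sshd` is a distribution difference (Debian/Ubuntu ship the unit as `ssh`, RHEL-family as `sshd`), so whichever of the two lines is the new one, the handler breaks on the other family; make it e.g. `name: "{{ sshd_service_name | default('sshd') }}"` (constructed var) with the value set per OS family, or derive it from `ansible_facts['os_family']`. A failed restart also means the hardened sshd_config is on disk but not loaded, and a broken one would only bite at the next reboot. The task that notifies `restart_sshd` is outside this hunk; it should pass `validate: /usr/sbin/sshd -t -f %s` so a config that would lock the operator out never reaches the restart.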


@ -1,9 +0,0 @@
users:
- name: ansible
groups: sudo
shell: /bin/bash
ssh-authorized-keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDorAQu895vEuoODXCagfS6mN+oQveUepKUaAFD/dm5dyG1i4TPa88US/oKko210XWZeAaqtCzuUV/ceahRyrPrFn78TFUtmIjxP1ym8W+19lzZ6tqb9xDlgXvJm4nR074NyFjK8DwBJQPGPjDKhxH6P02KuWJgjfUOW/7vFdB0Pd+fzjvUcb+k17F3b3SReqcR4PpdzP8tWJRkCfMpKkaTwk+T+56ub9RO2VKPvRhagd7pUBWyUCnSmVlUaUfBNidgErRRdd39dKSz6Ua4Oqs3JYOze/7Ib+3GOemkQBwpUW3PPqXSrL40f3BvhkQZdOPAR0Cz2Nync/u2rAdkH0oABHlWq6axWXKatOJ1zyN2SZwTe2d0RqPaP3eeKZ96caJ0u7LNSeXKVOp27qop46xe+USI109JA8dgvg1zw0mBIbhBcSef0feMSwxy/Za6ke/29hYishlowJF3S2Wk0XoZIMeKQjLPq70yBj/Kuf483ikO5MroqsSeVeyqMDSBeVCtW357tkzAJmJu76DFVJFe+2r8F7XhRMxh7q4FZnfxtu4rSjy1p8rZW5RP3faCHddeV8EMq3Pj2lEt/n2lcIQ0uwgQY7zNOHVnEMmyMjWlGhVSOcik7q4a5PmMETv2NqAVqAKAxwDfYG8KlhopWWTr4iDYNc+Wzk10ke7k5I6MTw== ansible
runcmd:
- echo 'ansible ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers.d/ansible