added:

- set file permissions - setup sysctls - set root password from vault var - added doas + config
2024-11-18 18:33:33 +01:00 · 2024-11-18 18:33:33 +01:00 · 8e23c090d9
commit 8e23c090d9
parent c8f169253d
7 changed files with 112 additions and 16 deletions
--- a/15
+++ b/15
@ -1,11 +1,11 @@
-.PHONY: all deploy check clean create debug
+.PHONY: all deploy check clean create debug editvars


-TOKEN = $(shell ansible-vault decrypt --vault-password-file \
-		        ~/.config/ansible/hcloud.secret --output - \
-				group_vars/all/vars.yaml | cut -d' ' -f2)
+VARS = group_vars/all/vars.yaml
+VALL = group_vars/all/all.yaml
+TOKEN = $(shell ansible-vault decrypt --output - $(VARS) | grep hetzner_cloud_token | cut -d' ' -f2)

-SNAPNAME = $(shell cat group_vars/all/all.yaml | yq .snapshot)
+SNAPNAME = $(shell cat $(VALL) | yq .snapshot)

 SNAPSHOT = $(shell hcloud image  list -t snapshot -o yaml | \
 			       yq '. | map(select(.description == "$(SNAPNAME)")) | .[].id')
@ -41,3 +41,8 @@ clean:

 check:
 	ansible-playbook -vvv --ask-vault-pass deploy.yaml -i inventory --syntax-check
+
+editvars:
+	ansible-vault decrypt $(VARS)
+	vi $(VARS)
+	ansible-vault encrypt $(VARS)
--- a/README.md
+++ b/README.md
@ -35,8 +35,7 @@ dynamic inventory to discover your vps.
  `pwgen -ys 32 1 > ~/.config/ansible/hcloud.secret`
  
 - Encrypt the vars file:
-  `ansible-vault encrypt --vault-password-file
-  ~/.config/ansible/hcloud.secret group_vars/all/vars.yaml`
+  `ansible-vault encrypt group_vars/all/vars.yaml`
  
 Now the hetzner ansible plugin is able to call hcloud with the
 appropriate token, no need to enter it manually anymore. Also, while
--- a/TODO.md
+++ b/TODO.md
@ -22,3 +22,13 @@
 https://github.com/bodsch/ansible-collection-dns/blob/main/roles/knot/README.md

 or using e3 using wrapper script around `jaildk exec dns knotc ...`
+
+### Cleanup release snapshot
+
+- remove /home symlink
+- remove pkg function from root .bashrc
+
+
+## Add users with authorized_keys files
+
+## Add quota config and enable/configure rctl
--- a/group_vars/all/all.yaml
+++ b/group_vars/all/all.yaml
@ -7,6 +7,7 @@ image: "{{ lookup('ansible.builtin.env', 'SNAPSHOT') }}"
 packages:
  - cpdup
  - bash
+  - doas

 # used by bastille to build a base
 release: 14.1-RELEASE
@ -36,3 +37,51 @@ storage:
      name: /home
    - mount: /var/cron/tabs
      name: /crontabs
+
+
+kernel:
+  sysctls:
+    security.bsd.see_other_uids: 0
+    security.bsd.see_other_gids: 0
+    security.bsd.see_jail_proc: 0
+    security.bsd.unprivileged_read_msgbuf: 0
+    security.bsd.unprivileged_proc_debug: 0
+    kern.randompid: 1
+    net.inet.ip.random_id: 1
+    hw.spec_store_bypass_disable: 1
+    kern.elf64.allow_wx: 0
+    kern.elf32.aslr.stack: 3
+    kern.elf32.aslr.pie_enable: 1
+    vfs.zfs.min_auto_ashift: 12
+    kern.securelevel: 2
+
+
+permissions:
+  - name: /home
+    owner: root
+    group: wheel
+    mode: '0711'
+  - name: /etc
+    owner: root
+    group: wheel
+    mode: '0711'
+  - name: /usr/local/etc
+    owner: root
+    group: wheel
+    mode: '0711'
+  - name: /root
+    owner: root
+    group: wheel
+    mode: '0700'
+  - name: /var/log
+    owner: root
+    group: wheel
+    mode: '0711'
+  - name: /var/cron/tabs
+    owner: root
+    group: wheel
+    mode: '0700'
+  - name: /var/log
+    owner: root
+    group: wheel
+    mode: '0711'
--- a/group_vars/all/vars.yaml
+++ b/group_vars/all/vars.yaml
@ -1,10 +1,12 @@
 $ANSIBLE_VAULT;1.1;AES256
-34666232626536653339373961383331363035343266633232643930663733386466663933356138
-6366653166656465373634306461643236333162383138380a626430626631626133373330646361
-31303163343637626130393237666333643965646431306134643039363233386235623463633862
-3334363233313532310a323965363364646362343937653534623930376461356633656135646533
-37343162333634373963366433393231626136353832613937343363623565303561663461333431
-30353831376134336663643534383535656638663931626665336638353432626330356561643439
-61303638336365636233353937626461643263383435353561303831363531653935386435316562
-35363833383732656261643765323432363430636564626166653263643632373731323637663165
-6437
+66323661356665373037316136353833646231623531323031306336613065326431643138336430
+3438323839633335333963306638323137333664366466310a623862636139366336393835353238
+38613934383631633134386564616233326234333637636162626632633762656366303036313539
+3365646662386263650a333636366132363662376362383737383233646531616632376234303062
+32366464613630396463326236643361386637616664663066326337663037663639613433316462
+33636665653930346265323237363238626463666163616439393332313639343863343764323639
+34353834393236643530346238323164656339653365393563383938316461393730333536343365
+63303865626534653237383634633937613039663761313038303461303837643066306161383661
+65326237366536306632633539656335373536336231303330386332646363333131393664656365
+36366539616230623338396434376565346435636331353963366438376437343233373735393730
+346162343166373762626664363866663536
--- a/roles/server/files/doas.conf
+++ b/roles/server/files/doas.conf
@ -0,0 +1 @@
+permit persist :wheel as root
--- a/roles/server/tasks/main.yaml
+++ b/roles/server/tasks/main.yaml
@ -44,3 +44,33 @@
  args:
    creates: "{{ item.mount }}"

+- name: Change permissions
+  loop: "{{ permissions }}"
+  ansible.builtin.file:
+    path: "{{ item.name }}"
+    owner: "{{ item.owner }}" 
+    group: "{{ item.group }}"
+    mode: "{{ item.mode }}"
+    
+- name: Change root password
+  user:
+    name: root
+    password: "{{ root_password | password_hash('sha512') }}"
+
+- name: Setup sysctls
+  loop: "{{ kernel.sysctls | dict2items }}"
+  ansible.posix.sysctl:
+    name: "{{ item.key }}"
+    value: "{{ item.value }}"
+    sysctl_set: true
+    state: present
+    reload: true
+
+- name: Install doas config
+  ansible.builtin.copy:
+    src: roles/server/files/doas.conf
+    dest: /usr/local/etc/doas.conf
+    owner: root
+    group: wheel
+    mode: '0600'
+