ansible/group_vars/all/main.yaml

371 lines
12 KiB
YAML

---
ansible_python_interpreter: /usr/bin/python3
syslogfacility: LOG_LOCAL2
network_nameservers: "{{ dns_servers }}"
network_search: kill0.net
postfix_aliases:
postmaster: root
hostmaster: root
webmaster: root
abuse: root
administrator: root
admin: root
root: sysops@kill0.net
devnull: /dev/null
#firewall_ssh_whitelist:
# - "{{ lookup('dig', 'jump0.kill0.net/A') }}"
# - "{{ lookup('dig', 'jump0.kill0.net/AAAA') }}"
# - 192.168.255.17
# - 2600:3c00:e000:343::11/128
firewall_ipset_mgmt:
- "{{ lookup('dig', 'jump0.kill0.net/A') }}"
- "{{ lookup('dig', 'jump0.kill0.net/AAAA') }}"
firewall_limited_tcp_ports:
- 22
#unattended_upgrades_mailto: sysops@kill0.net
unattended_upgrades_mailto: devnull
unattended_upgrades_automatic_reboot: yes
unattended_upgrades_automatic_reboot_time: '8:00'
unattended_upgrades_reboot_with_users: no
openssh_sshd_config:
PermitRootLogin: prohibit-password
autossh_config:
- name: influx
host: jump0.kill0.net
options:
- -L 127.254.254.1:8086:127.0.0.1:8086
- name: syslog
host: jump0.kill0.net
options:
- -L 127.254.254.1:1514:127.0.0.1:514
user_authorized_keys_hash:
ryan:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGznaofIstAxYsX1MH8xQiZU4aOO4SUw9OlRbyFMfQTx
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKdWuh9fbKNubIWaYGwOcbGNkh1Osifh/22KE5pKlVxfVqTT2MiEY6LlvlqR0UkU0hos5F0aEigK7wsABy0KEP2Z0hlx1IwO89rX1TbeqbNVvFk34+jBFflNhBTwE4fekBc4WyvQ3MtlygUTqUnPiQNMBL6uV3rHfh015C5ZqRHSqT7O/+bIbuLSOLizQPph/EJ7U7ti5gfZb5J8uSLdaK0vCLSIokleht3dE1DxfNq4LaVcNCGfNXHIzhaew7L4IkJ7nSWGRtGD7aHKcPV8PRJCt3Mn1IDXrVwFYx0tmFF4eyJ5h9l7fTiRs8PjJ8zD8BePtAP/LFCrhCS+vYbGJT
# windows 10
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCe1dmofrPBmchiBs1NQxJVEiAyNfd/eG/U6xh8buekKpEYu6vY9oLN3fk1TdIQoq5gl6qVMaT8cRXQkN7zPBHdwpX55ifmM8O5sQJ3Q2Wioi+6W2elVG58kDIaWFUiQLFm3CXUQ43Ec3+SMo2xlr8b7tUUbCc7690TNJx4gB1t+mYQMIv5OBuzRgUJLSclT0Tp5luJgVKVimPKXTqawDPIKwEZHHvJjs1S4irDdIP4OJJHfHmegapXbMexfEEmgt82axlSjywlMDOKCxnJphOSxtzbUGHkdNMM8VBQC/iMEHprmp75LQzgL5tk9cdIe6T8b1XyuD3tdO/xguChBPpV
# work
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICndorpp/6aKlLq2K1YP81r8zA80VGp1qAUeCZtdVhAw rcavicchioni@NMLT072
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCW02T3dkh1Ra9n+Ql86e/C2ZdtwY5if5RZoc2BYwFCcygwP3GUKOrR6c9SW25B3X048+tVdTiOUhqfsqWf6jxCJ5h17lJ2sigMxEZOht0hUQZSgmQgdviYv3WYrqC4hlStumwEgEsJjRl9PP5LnIcdjWWINslaweFdfD7KhTRPlok1T2ycd0wEvsSCVATW32xV4Dpof5HLgLqnNwtK3VKSl7YIQu5i9SimtRDijwPnOkeMoknGjatpOu5VrnOP03GaExqXnjaIaUz++5GhCGEQEKhlcQrBCYlxubH+L4r6bka1S5r1GeeZNL6g+uUVUP5XaG8HcA9vArilmQfDj3xd
rick:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDTt13M/kyXmm8ORhefa6b4e0j1XczLu+R/asgTSdvhDCljo1LLtDvXWdUVQCwXxMXw8aPKjskBr+k1KJOFsdfVi65dExHhmaHk4qeGgkSkLNLPaMkKcNv3h+hS7VGmZjsxU0+bwl0b3g6woKEuMjnD5MfCsKIs6TOB5XjoDw8PMC+BsOiafFPeXGL8UA4yBtdNXFk6B4Ev6lZflPvenJXXJjYeePnhXjPaI6cNjSPhByy8mPU0AzWhtq8akbXlOCUrjuq2XoatwVOd1ZWj344PHfav7zmZkYLWOE7AR++ng+4pNxrfeiCxBcgSluKNYkZFac04OX8PSNbvqTWA29GIDlmcomaSJOWslVoVOiWYQ+7wWIb0d2+RgH/6UvVS500NyacOSkSlfI8SyqC5VVb2jjUC+GQ2zW/IMfYlwRutXT3MRgVtuoQ2i/aXizPLsH6iBqKxQDMV48avTNIitN29owOBPpDNsd1o4iy4kdMPrAFmrPBYSA939nOUzPmCCwU=
users_interactive:
- name: ryan
groups:
- users
- sudo
- adm
comment: Ryan Cavicchioni
password: "{{ vault_user_password_hashes['ryan'] }}"
- name: rick
groups:
- users
comment: Rick Elias
password:
users_authorized_keys:
- name: ryan
keys: "{{ user_authorized_keys_hash['ryan'] }}"
- name: rick
keys: "{{ user_authorized_keys_hash['rick'] }}"
- name: root
keys: "{{ user_authorized_keys_hash['ryan'] }}"
telegraf_config_outputs:
influxdb:
urls:
- http://127.254.254.1:8086
telegraf_config_d:
- name: ping
config:
inputs.ping:
- urls:
- 10.255.0.1
count: 10
ipv6: false
binary: ping4
rsyslog_archival_format_enabled: true
rsyslog_outputs:
- name: omfwd
params:
target: 169.254.0.1
port: 514
protocol: tcp
action.resumeretrycount: -1
queue.type: linkedlist
queue.size: 1000000
queue.filename: fwd
queue.saveonshutdown: "on"
keepalive: "on"
template: RSYSLOG_SyslogProtocol23Format
tcp_framing: octet-counted
sudo_aliases:
host:
- name: minecraft
items:
- mine[[\:digit\:]]*
- name: jumphosts
items:
- jump[[\:digit\:]]*
sudo_rules:
- name: "%sudo"
hosts: ALL
runas:
users: ALL
groups: ALL
tags:
- NOPASSWD
commands: ALL
restic_repos:
- name: b2
repo: "b2:kill0-infra-backup:/{{ inventory_hostname_short }}"
environment:
RESTIC_PASSWORD: "{{ vault_restic_repo_b2_password }}"
B2_ACCOUNT_ID: "{{ vault_restic_repo_b2_account_id }}"
B2_ACCOUNT_KEY: "{{ vault_restic_repo_b2_account_key }}"
restic_jobs:
- name: system
repo: b2
paths:
- /
certs_trusted_ca:
chill9-root-ca: |
subject=C = US, O = chill9, CN = chill9 Root CA
issuer=C = US, O = chill9, CN = chill9 Root CA
notBefore=May 16 17:36:20 2020 GMT
notAfter=May 14 17:36:20 2030 GMT
-----BEGIN CERTIFICATE-----
MIIFOjCCAyKgAwIBAgIQdRhWyOcUQ+uIEypQfJLvqTANBgkqhkiG9w0BAQsFADA3
MQswCQYDVQQGEwJVUzEPMA0GA1UECgwGY2hpbGw5MRcwFQYDVQQDDA5jaGlsbDkg
Um9vdCBDQTAeFw0yMDA1MTYxNzM2MjBaFw0zMDA1MTQxNzM2MjBaMDcxCzAJBgNV
BAYTAlVTMQ8wDQYDVQQKDAZjaGlsbDkxFzAVBgNVBAMMDmNoaWxsOSBSb290IENB
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAswTensn+vA45WGRp3o/5
LX+wh6PTHAGNluLaZRyUNOg+EunnXAvMBF912D587wLAiC1G9FGOn+8JVws2QITX
+U8Y8L2vhnfGQNCQYvqBfJc5PJt3ZZ35to5tdTRJTeVhNWzIA7qOZh8ualFbCDYd
m6K74SlfEbvKzS02pYWN6wCVXtGOPl7VoOtjg8cOUX6u1pZpBKQfzq3lgLS2oMp0
VuBJeUMiki/O8nCC10VCXcZ9q4bsUvWH9lJB/IqlKt+bG9TjO+vigb9eOSfaILkM
d7NMziP5OQXMjv6NwmJQY7N5TiKWdh9h4G3KS41dr2Oeo+A1FcMEP9nkZb1lX3Ft
9Xzw8jJ99SD36mCEiqndvKA66/pcgMCvPAkkDwoSS+Er4LPcNmY2TVN+mIaF1OaS
Dc1EAXUfjnX8mZlclS/AfCg8TIPCc8o6Neg3DECT2j+IC9bgeoLqZLIuzzLNFrG5
aPNhG+24phHqdZvAkdhHWeEh1GS5uMutvV02hF5MrZLz8ou+56feFpUmeuPzQAfR
0Xbz0ot2JdETmcCTcmZBQ+9oP5DIszJt85wCHJ5S5FewUzsXJs1MQue3NLSM5FBS
hhOq+w6Pp64aaGKKyPi1GeZ1m31sM6w1yFVTQsqqy28GSjd/fQu55ESQ1sM0UhIo
DCUBbNPxycJGh9Ivxii1RqMCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFHFG9UxX+vMe4E0uEZ2LqyldmHkbMA0GCSqG
SIb3DQEBCwUAA4ICAQCC1jksFZp38JTGFIrNJJ6PgI6xXigtD2Z3KstS1cAIJi/P
/3NPu8iTgoyhNiq7a20tojPJGPlumezy3R5twA16UCq8guGFVEEEkJX+wOM0T4p0
jwtcMOeA6GchzS3+u74kk8oIvvw41K5gU2VU/W2axxnejt/HQMAYaMsD/zcNPXrP
oHAgEP5i7G7fX0FXqERnLU9lgbtTTTuszBnZHIdaUKSoK0Oji46y15pEdhxkVB6t
/BiNPAYM1Pc/Hi366eb6yuY8eJCK94QMQBvYpIjNwThAKclFh8n62KF6gXqj7Hcu
UQr1Z55KOuAlAM7fIBsqL4G2Ihs8yBeJe4YZrkdBqBzpJwOYNj7IsUnxgXYQpkVQ
u5coTbrB8w4Mw8ak+L2McMAYhG5FIndy9GAFEEanrmyiHJW96MHqTD1xY9TyvdN/
Kt/lsYt0W/y6jknv7hU9uP4X/xkZk8z1D+m4jZHRQpnUPL1eSOUPSJ0t+68GQUVJ
NJFmTx/qv1/9lXNy40jecX6sO4ZPLoQydMjwRmSerxki7MP4gxGNuBEpOvoj+ABM
MBlD7BhUn5++BZQOLUU+JYr5kNi0WmFFN1v2SpoMyDydTgA+cJsS/TiOeMrY9Szs
ZEFa3PSiA1fP03SRKC9tqjc7d6vQU0fE93wzcUCgyyf5mln6NV7cxOfDJNO8gA==
-----END CERTIFICATE-----
openvpn_config:
client:
client:
remote: vpn-jump0.kill0.net 1194
ca: "{{ openvpn_etc_path }}/client/ca.pem"
cert: "{{ openvpn_etc_path }}/client/cert.pem"
key: "{{ openvpn_etc_path }}/client/key.pem"
tls-auth: "{{ openvpn_etc_path }}/client/ta.key 1"
verb: 3
dev: tun
teleport_service_state: stopped
teleport_service_enabled: false
firewall_teleport_node_enabled: false
teleport_roles: [ node ]
teleport_config:
teleport:
auth_token: "{{ vault_teleport_static_token }}"
ca_pin: sha256:4ef484a5949aadedf983bc1f1d43f6f31356ca37f9608267424ddc0d9b68e010
auth_servers:
- "jump0.kill0.net:3025"
firewall_ipset_node_exporter:
- "{{ lookup('dig', 'jump0.kill0.net./A') }}"
- "{{ lookup('dig', 'jump0.kill0.net./AAAA') }}"
- 169.254.0.1
firewall_ipset_blackbox_exporter:
- "{{ lookup('dig', 'jump0.kill0.net./A') }}"
- "{{ lookup('dig', 'jump0.kill0.net./AAAA') }}"
- 169.254.0.1
firewall_ipset_mtail:
- "{{ lookup('dig', 'jump0.kill0.net./A') }}"
- "{{ lookup('dig', 'jump0.kill0.net./AAAA') }}"
- 169.254.0.1
node_exporter_du_directories:
- /var/log/syslog
- /var/spool/rsyslog
wireguard_iptables:
wg0:
input: true
wireguard_network_prefix: 169.254.0
wireguard_peers:
wg0:
- public_key: 1ipGUnK8XDbIoBIEF440BhwLUe0yHa5l3kZZc4eFxV8=
endpoint: "{{ lookup('dig', 'jump0.kill0.net./A') }}:{{ wireguard_port }}"
allowed_ips: "{{ hostvars['jump0.kill0.net'].wireguard_interfaces.wg0.address }}"
supervisor_unix_http_server_socket_chown: root:node_exporter
supervisor_unix_http_server_socket_chmod: "0770"
firewall_ipset_loki:
- 169.254.0.0/24
firewall_ipset_promtail:
- "{{ lookup('dig', 'jump0.kill0.net./A') }}"
- "{{ lookup('dig', 'jump0.kill0.net./AAAA') }}"
- 169.264.0.0/24
promtail_clients:
- url: http://169.254.0.1:3100/loki/api/v1/push
external_labels:
region: dallas
provider: linode
promtail_scrape_configs:
- job_name: journal
journal:
json: false
max_age: 12h
path: /var/log/journal
labels:
job: systemd-journal
relabel_configs:
- source_labels:
- __journal__systemd_unit
target_label: systemd_unit
- source_labels:
- __journal_unit
target_label: unit
- source_labels:
- __journal_priority_keyword
target_label: priority
- source_labels:
- __journal_syslog_identifier
target_label: syslog_identifier
pipeline_stages:
- match:
selector: '{systemd_unit=~"(alertmanager|blackbox_exporter|grafana|karma|kthxbye|loki|mimir|node_exporter|prometheus|promtail|pushgateway|thanos).+"}'
stages:
- logfmt:
mapping:
level:
ts:
- timestamp:
source: ts
format: RFC3339Nano
- timestamp:
source: t
format: RFC3339Nano
- labels:
priority: level
- job_name: nginx-access
static_configs:
- targets:
- localhost
labels:
job: nginx-access
__path__: /var/log/nginx/*.access.log
pipeline_stages:
- match:
selector: '{job="nginx-access"}'
stages:
- regex:
expression: ^(?P<hostname>[0-9A-Za-z\.:-]+) (?P<remote_addr>[0-9A-Za-z\.:-]+) (?P<remote_logname>[0-9A-Za-z-]+) (?P<remote_username>[0-9A-Za-z-]+) \[(?P<timestamp>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2} (\+|-)\d{4})\] "(?P<request_method>[A-Z]+) (?P<URI>\S+) (?P<http_version>HTTP\/[0-9\.]+)" (?P<request_status>\d{3})
- timestamp:
source: timestamp
format: "02/Jan/2006:15:04:05 -0700"
- labels:
hostname:
method: request_method
status: request_status
version: http_version
- job_name: nginx-error
static_configs:
- targets:
- localhost
labels:
job: nginx-error
__path__: /var/log/nginx/*.error.log
pipeline_stages:
- match:
selector: '{job="nginx-error"}'
stages:
- regex:
expression: '^(?P<timestamp>\d{4}\/\d{2}\/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<priority>\w+)\] (?P<pid>\d+)\#(?P<tid>\d+): (?:\*(?P<cid>\d+))?'
- labels:
priority:
- timestamp:
source: timestamp
format: "2023/08/16 02:43:32"
- regex:
expression: 'host: "(?P<hostname>[0-9A-Za-z\.:-]+)"'
- labels:
hostname:
- job_name: syslog
syslog:
listen_address: 0.0.0.0:1514
listen_protocol: tcp
idle_timeout: 60s
label_structured_data: true
labels:
job: syslog
pipeline_stages:
- match:
selector: '{host=~"ap0|coresw0|fw0|power0|172\\."}'
stages:
- static_labels:
region: home
provider: home
relabel_configs:
- source_labels:
- __syslog_message_hostname
target_label: host
- source_labels:
- __syslog_message_severity
target_label: priority
- source_labels:
- __syslog_message_app_name
target_label: syslog_identifier
influxdb_service_enabled: false
influxdb_service_state: stopped
influxdb_package_state: absent
telegraf_service_enabled: false
telegraf_service_state: stopped
telegraf_package_state: absent