Merge pull request #2 from secshellnet/development

Introduced ansible roles for fail2ban and sshd hardening; Switched to label based system to determin new_server state

.github/workflows/gitops.yaml

@@ -3,7 +3,7 @@ name: GitOps
 
 on:
   push:
-    branches: [main, development]
+    branches: [main]
   pull_request:
   schedule:
     - cron: '53 1 */15 * *'
@@ -12,7 +12,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/secshellnet/ansible-vyos-lint
+      image: ghcr.io/ansible/creator-ee
 
     steps:
       - uses: actions/checkout@v3

.gitmodules

@@ -0,0 +1,6 @@
+[submodule "roles/ansible-role-fail2ban"]
+	path = roles/ansible-role-fail2ban
+	url = https://github.com/secshellnet/ansible-role-fail2ban
+[submodule "roles/ansible-role-sshd"]
+	path = roles/ansible-role-sshd
+	url = https://github.com/secshellnet/ansible-role-sshd

README.md

@@ -3,7 +3,7 @@
 This repository template provides a ansible inventory to manage cloud server in 
 hetzner cloud (hcloud). It performes some basic linux hardening (unattended upgrades, 
 ssh, fail2ban) and can be extended by roles or tasks to perform whatever you need.
-For now it only supports ubuntu and debian, we tested both and they are working pretty good.
+For now it only supports ubuntu (18.04, 20.04, 22.04) and debian (10, 11, 12), we tested both and they are working pretty good.
 
 ## Getting started
 1. Create a reporitory from this template repository and clone it:
@@ -60,7 +60,6 @@ For now it only supports ubuntu and debian, we tested both and they are working
    directory is excluded from git operations (see [`.gitignore`](./.gitignore)), so by 
    default it will not be pushed to your git repository!
 
-
 ## What about GitOps?
 I've tried integrating git ops, but there is one problem: the GitHub actions runner does 
 not support ipv6... So you need an ipv4 address on each vm to use git ops for now.
@@ -90,10 +89,12 @@ hcloud-ansible
 │       └── vault                # encrypted global variables (e. g. hetzner cloud api token)
 ├── inventory.yaml
 ├── playbook.yaml
+├── roles
+│   ├── ansible-role-fail2ban
+│   └── ansible-role-sshd
 └── tasks                        # ansible subtasks to be used in the playbooks
-    ├── configure-sshd.yaml
-    ├── create-worker-user.yaml
-    └── hetzner-cloud.yaml
+    ├── create-worker-user.yaml
+    └── hetzner-cloud.yaml
 ```
 
 ## TODO

playbook.yaml

@@ -7,15 +7,11 @@
     - ansible.builtin.include_tasks: "tasks/hetzner-cloud.yaml"
 
 - hosts: all
-  handlers:
-    - name: "Restart sshd"
-      ansible.builtin.systemd:
-        name: "sshd"
-        state: "restarted"
-
   tasks:
     - ansible.builtin.include_tasks: "tasks/create-worker-user.yaml"
-    - ansible.builtin.include_tasks: "tasks/configure-sshd.yaml"
+
+    - ansible.builtin.include_role:
+        name: "roles/ansible-role-sshd"
 
     - name: "Install tools and requirements"
       ansible.builtin.apt:
@@ -36,4 +32,17 @@
         state: present
       become: true
 
-    - ansible.builtin.include_tasks: "tasks/configure-fail2ban.yaml"
+    - ansible.builtin.include_role:
+        name: "roles/ansible-role-fail2ban"
+
+  post_tasks:
+    - name: "Remove labels from cloud server {{ inventory_hostname }}"
+      hetzner.hcloud.hcloud_server:
+        api_token: "{{ hcloud_api_token }}"
+
+        name: "{{ inventory_hostname }}"
+        labels: {}
+
+        state: present
+      when: new_server
+      delegate_to: localhost

tasks/hetzner-cloud.yaml

@@ -19,20 +19,24 @@
     state: present
   run_once: true
 
-- name: "Gather list of hcloud servers to remove absent servers"
+- name: "Gather list of hcloud servers"
   hetzner.hcloud.hcloud_server_info:
     api_token: "{{ hcloud_api_token }}"
   register: output
 
+- name: "Map response of hcloud_server_info to list of server names"
+  ansible.builtin.set_fact:
+    existing_cloud_servers: "{{ output.hcloud_server_info | map(attribute='name') | list }}"
+
 - name: "Remove cloud server which are no longer defined in the ansible inventory"
   hetzner.hcloud.hcloud_server:
     api_token: "{{ hcloud_api_token }}"
 
     name: "{{ item.name }}"
     state: absent
-  with_items: "{{ output.hcloud_server_info }}"
+  with_items: "{{ existing_cloud_servers }}"
   when:
-    - "item.name not in ansible_play_hosts_all"
+    - "item not in ansible_play_hosts_all"
 
 - name: "Create cloud server"
   hetzner.hcloud.hcloud_server:
@@ -45,9 +49,11 @@
     ssh_keys: ["ansible"]
     enable_ipv4: "{{ enable_ipv4 | default('false') }}"
     enable_ipv6: "{{ enable_ipv6 | default('true') }}"
+    labels: {"new": ""}
 
     state: present
-  register: create_server_output
+  when:
+    - "inventory_hostname not in existing_cloud_servers"
 
 - name: "Gather hcloud server infos"
   hetzner.hcloud.hcloud_server_info:
@@ -73,7 +79,7 @@
 
 - name: "Set fact whether the server has just been created or already existed"
   ansible.builtin.set_fact:
-    new_server: "{{ create_server_output.changed }}"
+    new_server: "{{ 'new' in server_info.labels }}"
 
 # when multiple hosts are defined the add_host task doesn't work as I was expecting 
 # it before that's why I decided to run the job only once, loop over all hosts