Commit
commit d635e64
Showing
10 changed files
with
445 additions
and
0 deletions.
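--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,193 @@
+# Created by https://www.toptal.com/developers/gitignore/api/linux,macos,windows,jetbrains+all,visualstudiocode
+# Edit at https://www.toptal.com/developers/gitignore?templates=linux,macos,windows,jetbrains+all,visualstudiocode
+
+### JetBrains+all ###
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# AWS User-specific
+.idea/**/aws.xml
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn. Uncomment if using
+# auto-import.
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# SonarLint plugin
+.idea/sonarlint/
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
+
+### JetBrains+all Patch ###
+# Ignore everything but code style settings and run configurations
+# that are supposed to be shared within teams.
+
+.idea/*
+
+!.idea/codeStyles
+!.idea/runConfigurations
+
+### Linux ###
+*~
+
+# temporary files which can be created if a process still has a handle open of a deleted file
+.fuse_hidden*
+
+# KDE directory preferences
+.directory
+
+# Linux trash folder which might appear on any partition or disk
+.Trash-*
+
+# .nfs files are created when an open file is removed but is still being accessed
+.nfs*
+
+### macOS ###
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### macOS Patch ###
+# iCloud generated files
+*.icloud
+
+### VisualStudioCode ###
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+!.vscode/*.code-snippets
+
+# Local History for Visual Studio Code
+.history/
+
+# Built Visual Studio Code Extensions
+*.vsix
+
+### VisualStudioCode Patch ###
+# Ignore all local history of files
+.history
+.ionide
+
+# Support for Project snippet scope
+.vscode/*.code-snippets
+
+# Ignore code-workspaces
+*.code-workspace
+
+### Windows ###
+# Windows thumbnail cache files
+Thumbs.db
+Thumbs.db:encryptable
+ehthumbs.db
+ehthumbs_vista.db
+
+# Dump file
+*.stackdump
+
+# Folder config file
+[Dd]esktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
+
+# End of https://www.toptal.com/developers/gitignore/api/linux,macos,windows,jetbrains+all,visualstudiocode
+
+.keys/*
+!.keys/.gitkeep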
Empty file.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
# Secure Shell Networks: [Hetzner Cloud](https://www.hetzner.com/cloud) Ansible Inventory | ||
|
||
## Getting started | ||
1. Clone this git repository: | ||
```shell | ||
git clone https://github.com/secshellnet/hcloud-ansible.git | ||
``` | ||
2. Install the required ansible and python modules: | ||
```shell | ||
ansible-galaxy collection install hetzner.hcloud | ||
pip3 install ipaddress passlib | ||
``` | ||
3. Create account on [hetzner.cloud](https://console.hetzner.cloud/) | ||
4. Create new cloud project | ||
5. Create an api token inside this cloud project | ||
![Creating an api token in the hetzner cloud console](./img/hetzner-create-api-token.png) | ||
6. Generate a new secret for the ansible vault file | ||
```shell | ||
cat /dev/urandom | tr -dc A-Za-z0-9 | fold -w 59 | head -n 1 > .keys/all | ||
``` | ||
7. Create a new ansible vault | ||
```shell | ||
ansible-vault create group_vars/all/vault | ||
``` | ||
with the following content: | ||
```yaml | ||
--- | ||
hcloud_api_token: "__YOUR_API_TOKEN__" | ||
low_priv_password: "__RANDOM_SECRET_PASSWORD__" | ||
``` | ||
8. Extend the [`inventory.yaml`](./inventory.yaml), it should look for example like this: | ||
```yaml | ||
--- | ||
all: | ||
hosts: | ||
server1: # default settings if no configuration given | ||
server_type: cx11 | ||
location: hel1 | ||
image: ubuntu-22.04 | ||
enable_ipv4: false | ||
enable_ipv6: true | ||
server2: | ||
server_type: cx21 | ||
location: fsn1 | ||
image: ubuntu-22.04 | ||
enable_ipv4: true | ||
enable_ipv6: true | ||
``` | ||
9. Use the ansible inventory: | ||
```shell | ||
ansible-playbook playbook.yaml | ||
``` | ||
10. Create a backup of the [`.keys`](./keys/) directory. It contains the key to your vault and the ssh key ansible uses to connect to the cloud servers. For security reasons this directory is excluded from git operations (see [`.gitignore`](./.gitignore)), so by default it will not be pushed to your git repository! |
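--- a/<FILE_PATH_NOT_SHOWN_ON_PAGE>
+++ b/<FILE_PATH_NOT_SHOWN_ON_PAGE>
@@ -0,0 +1,6 @@
+[defaults]
+inventory = inventory.yaml
+interpreter_python = /usr/bin/python3
+host_key_checking = False
+private_key_file = .keys/id_ecdsa
+vault_identity_list = all@.keys/all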
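Review bot: `host_key_checking = False` on the fourth line turns off SSH host-key verification for every connection this inventory makes, so a server whose key changes after first contact is still accepted silently and there is no signal that traffic is reaching a different host. For freshly provisioned cloud machines, where the key cannot be pre-seeded, the usual middle ground is to keep verification on and let only the first connection record the key: drop `host_key_checking = False` and add `[ssh_connection]` / `ssh_args = -o StrictHostKeyChecking=accept-new`. Later runs then fail loudly on a changed host key instead of continuing. If the setting is kept deliberately, a comment stating why (e.g. `# servers are rebuilt with new host keys on every run`) would stop the next reader from treating it as an oversight.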
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
import ipaddress | ||
|
||
def first_address(network): | ||
return ipaddress.ip_network(network).network_address + 1 | ||
|
||
class FilterModule(object): | ||
def filters(self): | ||
return { | ||
'first_address': first_address | ||
} |
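Review bot: `first_address` has no docstring and two edge cases are easy to hit from a template: `ipaddress.ip_network` is strict by default, so a value with host bits set (`10.0.0.5/24`) raises `ValueError` instead of returning `10.0.0.1`, and for a single-address network (`/32`, `/128`) `network_address + 1` lies outside the network it was given. A one-line docstring stating the contract, e.g. `"""Return the first host address (network address + 1) of a CIDR network string; raises ValueError if host bits are set."""`, would make both behaviours explicit. If callers are expected to pass host addresses with a prefix, `ipaddress.ip_network(network, strict=False)` masks the host bits instead of failing, but that is a semantic choice the commit should make deliberately rather than leave to the caller's luck.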
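--- a/<FILE_PATH_NOT_SHOWN_ON_PAGE>
+++ b/<FILE_PATH_NOT_SHOWN_ON_PAGE>
@@ -0,0 +1,2 @@
+---
+low_priv_user: "worker"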
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
--- | ||
all: | ||
hosts: |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
--- | ||
- hosts: all | ||
connection: local | ||
gather_facts: false | ||
|
||
tasks: | ||
- ansible.builtin.include_tasks: "tasks/hetzner-cloud.yaml" | ||
|
||
- hosts: all | ||
handlers: | ||
- name: "Restart ssh" | ||
ansible.builtin.systemd: | ||
name: "sshd" | ||
state: "restarted" | ||
|
||
tasks: | ||
- name: "Create low privileged unix user account {{ low_priv_user }}" | ||
ansible.builtin.user: | ||
name: "{{ low_priv_user }}" | ||
groups: "sudo" | ||
append: true | ||
shell: "/bin/bash" | ||
become: true | ||
|
||
- name: "Set password for low priviledged unix user account {{ low_priv_user }}" | ||
ansible.builtin.user: | ||
name: "{{ low_priv_user }}" | ||
password: "{{ low_priv_password | password_hash('sha512') }}" | ||
password_lock: no | ||
when: new_server | ||
|
||
- name: "Ensure .ssh directory exists for {{ low_priv_user }}" | ||
ansible.builtin.file: | ||
state: directory | ||
path: "/home/{{ low_priv_user }}/.ssh/" | ||
owner: "{{ low_priv_user }}" | ||
group: "{{ low_priv_user }}" | ||
mode: "0700" | ||
become: true | ||
|
||
- name: "Copy ssh key of ansible to {{ low_priv_user }}" | ||
ansible.builtin.copy: | ||
src: ".keys/id_ecdsa.pub" | ||
dest: "/home/{{ low_priv_user }}/.ssh/authorized_keys" | ||
owner: "{{ low_priv_user }}" | ||
group: "{{ low_priv_user }}" | ||
mode: "0600" | ||
become: true | ||
|
||
- name: "Disable ssh root login" | ||
ansible.builtin.lineinfile: | ||
path: "/etc/ssh/sshd_config" | ||
regexp: "^#?PermitRootLogin" | ||
line: "PermitRootLogin no" | ||
notify: "Restart ssh" | ||
become: true | ||
|
||
- name: "Disable ssh password authentication" | ||
ansible.builtin.lineinfile: | ||
path: "/etc/ssh/sshd_config" | ||
regexp: "^#?PasswordAuthentication" | ||
line: "PasswordAuthentication no" | ||
notify: "Restart ssh" | ||
become: true | ||
|
||
- name: "Install tools and requirements" | ||
ansible.builtin.apt: | ||
update_cache: true | ||
name: | ||
- python3-requests | ||
- python3-apt | ||
- curl | ||
- wget | ||
- dnsutils | ||
- mtr | ||
- tcpdump | ||
- ncdu | ||
- jq | ||
state: present | ||
become: true |
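Review bot: The task `Set password for low priviledged unix user account` is the only task in the second play without `become: true`, yet it writes another account's password hash, which needs root unless the play already connects as root; because it is gated by `when: new_server` (presumably set by `tasks/hetzner-cloud.yaml`, which this page does not display), a permission failure would only surface on a fresh server. Add `become: true` to that task to match its neighbours, and fix the name to `privileged`. The two `lineinfile` edits also assume the top-level `/etc/ssh/sshd_config` is authoritative; on Ubuntu 22.04, the image the README example uses, that file begins with `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it reads, so a `PasswordAuthentication` or `PermitRootLogin` line left in `sshd_config.d/` by the provisioning image would override these edits without any error — worth verifying on a real host and, if confirmed, documenting with a `# sshd_config.d/*.conf is included first and takes precedence` comment above the two tasks. Lastly, `password_hash('sha512')` draws a fresh salt on every run, so the password task is not idempotent and reports changed each time it is not skipped; a comment noting that the `new_server` guard is what keeps this acceptable would help the next maintainer.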