Initial commit

.gitignore

@@ -0,0 +1,193 @@
+# Created by https://www.toptal.com/developers/gitignore/api/linux,macos,windows,jetbrains+all,visualstudiocode
+# Edit at https://www.toptal.com/developers/gitignore?templates=linux,macos,windows,jetbrains+all,visualstudiocode
+
+### JetBrains+all ###
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# AWS User-specific
+.idea/**/aws.xml
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn.  Uncomment if using
+# auto-import.
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# SonarLint plugin
+.idea/sonarlint/
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
+
+### JetBrains+all Patch ###
+# Ignore everything but code style settings and run configurations
+# that are supposed to be shared within teams.
+
+.idea/*
+
+!.idea/codeStyles
+!.idea/runConfigurations
+
+### Linux ###
+*~
+
+# temporary files which can be created if a process still has a handle open of a deleted file
+.fuse_hidden*
+
+# KDE directory preferences
+.directory
+
+# Linux trash folder which might appear on any partition or disk
+.Trash-*
+
+# .nfs files are created when an open file is removed but is still being accessed
+.nfs*
+
+### macOS ###
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### macOS Patch ###
+# iCloud generated files
+*.icloud
+
+### VisualStudioCode ###
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+!.vscode/*.code-snippets
+
+# Local History for Visual Studio Code
+.history/
+
+# Built Visual Studio Code Extensions
+*.vsix
+
+### VisualStudioCode Patch ###
+# Ignore all local history of files
+.history
+.ionide
+
+# Support for Project snippet scope
+.vscode/*.code-snippets
+
+# Ignore code-workspaces
+*.code-workspace
+
+### Windows ###
+# Windows thumbnail cache files
+Thumbs.db
+Thumbs.db:encryptable
+ehthumbs.db
+ehthumbs_vista.db
+
+# Dump file
+*.stackdump
+
+# Folder config file
+[Dd]esktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
+
+# End of https://www.toptal.com/developers/gitignore/api/linux,macos,windows,jetbrains+all,visualstudiocode
+
+.keys/*
+!.keys/.gitkeep

README.md

@@ -0,0 +1,53 @@
+# Secure Shell Networks: [Hetzner Cloud](https://www.hetzner.com/cloud) Ansible Inventory
+
+## Getting started
+1. Clone this git repository:
+   ```shell
+   git clone https://github.com/secshellnet/hcloud-ansible.git
+   ```
+2. Install the required ansible and python modules:
+   ```shell
+   ansible-galaxy collection install hetzner.hcloud
+   pip3 install ipaddress passlib
+   ```
+3. Create account on [hetzner.cloud](https://console.hetzner.cloud/)
+4. Create new cloud project
+5. Create an api token inside this cloud project
+   ![Creating an api token in the hetzner cloud console](./img/hetzner-create-api-token.png)
+6. Generate a new secret for the ansible vault file
+   ```shell
+   cat /dev/urandom | tr -dc A-Za-z0-9 | fold -w 59 | head -n 1 > .keys/all
+   ```
+7. Create a new ansible vault
+   ```shell
+   ansible-vault create group_vars/all/vault
+   ```
+   with the following content:
+   ```yaml
+   ---
+   hcloud_api_token: "__YOUR_API_TOKEN__"
+   low_priv_password: "__RANDOM_SECRET_PASSWORD__"
+   ```
+8. Extend the [`inventory.yaml`](./inventory.yaml), it should look for example like this:
+   ```yaml
+   ---
+   all:
+     hosts:
+       server1:   # default settings if no configuration given
+         server_type: cx11
+         location: hel1
+         image: ubuntu-22.04
+         enable_ipv4: false
+         enable_ipv6: true
+       server2:
+         server_type: cx21
+         location: fsn1
+         image: ubuntu-22.04
+         enable_ipv4: true
+         enable_ipv6: true
+   ```
+9. Use the ansible inventory:
+   ```shell
+   ansible-playbook playbook.yaml
+   ```
+10. Create a backup of the [`.keys`](./keys/) directory. It contains the key to your vault and the ssh key ansible uses to connect to the cloud servers. For security reasons this directory is excluded from git operations (see [`.gitignore`](./.gitignore)), so by default it will not be pushed to your git repository!

ansible.cfg

@@ -0,0 +1,6 @@
+[defaults]
+inventory = inventory.yaml
+interpreter_python = /usr/bin/python3
+host_key_checking = False
+private_key_file = .keys/id_ecdsa
+vault_identity_list = all@.keys/all

filter_plugins/network_filters.py

@@ -0,0 +1,10 @@
+import ipaddress
+
+def first_address(network):
+    return ipaddress.ip_network(network).network_address + 1
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            'first_address': first_address
+        }

group_vars/all/vars.yaml

@@ -0,0 +1,2 @@
+---
+low_priv_user: "worker"

inventory.yaml

@@ -0,0 +1,3 @@
+---
+all:
+  hosts:

playbook.yaml

@@ -0,0 +1,80 @@
+---
+- hosts: all
+  connection: local
+  gather_facts: false
+
+  tasks:
+    - ansible.builtin.include_tasks: "tasks/hetzner-cloud.yaml"
+
+- hosts: all
+  handlers:
+    - name: "Restart ssh"
+      ansible.builtin.systemd:
+        name: "sshd"
+        state: "restarted"
+
+  tasks:
+    - name: "Create low privileged unix user account {{ low_priv_user }}"
+      ansible.builtin.user:
+        name: "{{ low_priv_user }}"
+        groups: "sudo"
+        append: true
+        shell: "/bin/bash"
+      become: true
+
+    - name: "Set password for low priviledged unix user account {{ low_priv_user }}"
+      ansible.builtin.user:
+        name: "{{ low_priv_user }}"
+        password: "{{ low_priv_password | password_hash('sha512') }}"
+        password_lock: no
+      when: new_server
+
+    - name: "Ensure .ssh directory exists for {{ low_priv_user }}"
+      ansible.builtin.file:
+        state: directory
+        path: "/home/{{ low_priv_user }}/.ssh/"
+        owner: "{{ low_priv_user }}"
+        group: "{{ low_priv_user }}"
+        mode: "0700"
+      become: true
+
+    - name: "Copy ssh key of ansible to {{ low_priv_user }}"
+      ansible.builtin.copy:
+        src: ".keys/id_ecdsa.pub"
+        dest: "/home/{{ low_priv_user }}/.ssh/authorized_keys"
+        owner: "{{ low_priv_user }}"
+        group: "{{ low_priv_user }}"
+        mode: "0600"
+      become: true
+
+    - name: "Disable ssh root login"
+      ansible.builtin.lineinfile:
+        path: "/etc/ssh/sshd_config"
+        regexp: "^#?PermitRootLogin"
+        line: "PermitRootLogin no"
+      notify: "Restart ssh"
+      become: true
+
+    - name: "Disable ssh password authentication"
+      ansible.builtin.lineinfile:
+        path: "/etc/ssh/sshd_config"
+        regexp: "^#?PasswordAuthentication"
+        line: "PasswordAuthentication no"
+      notify: "Restart ssh"
+      become: true
+
+    - name: "Install tools and requirements"
+      ansible.builtin.apt:
+        update_cache: true
+        name:
+          - python3-requests
+          - python3-apt
+          - curl
+          - wget
+          - dnsutils
+          - mtr
+          - tcpdump
+          - ncdu
+          - jq
+        state: present
+      become: true