- Alle Ansible-Rollen erstellt: common, disk_setup, docker, postgresql, pgbouncer, redis, nginx, zabbix_agent - ansible.cfg mit Pipeline-Optimierung - hosts.yml mit echten IPs (DBS01=.20, APS01=.21, WEB01=.22) - group_vars für alle Server (dbs, aps, web) - Zabbix-Server auf sentinel.xinion.de gesetzt - vault.yml.example als Vorlage für Secrets - site.yml nutzt import_playbook (DBS01→APS01→WEB01) - BRIEFING.md für alle 4 Repos angelegt (Platform, Apps, Infra, Shared) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
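---
# Role: common
# Basic hardening for all INSIGHT servers.
#
# This is the role's task list (tasks/main.yml). The two handlers notified
# below — `restart chrony` and `restart sshd` — are not defined in a task
# list (a task file cannot carry a `handlers:` mapping); Ansible looks them
# up in the role's handlers/main.yml. Variables consumed: `timezone`,
# `ssh_port`.

# Performs a full dist-upgrade on every run of the role. cache_valid_time
# only lets the module skip the package-list refresh for one hour; the
# upgrade itself is attempted each time.
- name: "System-Pakete aktualisieren"
  apt:
    update_cache: true
    upgrade: dist
    cache_valid_time: 3600

- name: "Basis-Pakete installieren"
  apt:
    name:
      - curl
      - wget
      - git
      - htop
      - vim
      - unzip
      - ca-certificates
      - gnupg
      - lsb-release
      - ufw
      - fail2ban
      - chrony
      - python3-pip
    state: present

- name: "Unattended-Upgrades installieren"
  apt:
    name: unattended-upgrades
    state: present

# Turns on the periodic APT job: refresh lists, download and install
# upgrades, and autoclean every 7 days.
- name: "Unattended-Upgrades aktivieren"
  copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
      APT::Periodic::Download-Upgradeable-Packages "1";
      APT::Periodic::AutocleanInterval "7";

- name: "Zeitzone setzen"
  timezone:
    name: "{{ timezone }}"

- name: "Chrony (NTP) konfigurieren"
  template:
    src: chrony.conf.j2
    dest: /etc/chrony/chrony.conf
  notify: restart chrony

# `validate` runs `sshd -t` on the rendered file before it replaces the
# live config, so a template error never reaches the daemon. The restart
# is deferred to the handler at the end of the play.
- name: "SSH Hardening — sshd_config"
  template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config
    validate: 'sshd -t -f %s'
  notify: restart sshd

# The SSH allow rule is added BEFORE the firewall is enabled with a
# default-deny incoming policy. The previous order (enable first, allow
# second) left a window with no SSH rule, and a failure between the two
# tasks would have locked the host out of new SSH sessions. ufw stores
# rules while still disabled, so adding the rule first is safe.
# `ssh_port` has to match the Port set in sshd_config.j2 — not checked here.
- name: "UFW — SSH erlauben"
  ufw:
    rule: allow
    port: "{{ ssh_port }}"
    proto: tcp

- name: "UFW — Standard: alles ablehnen"
  ufw:
    state: enabled
    policy: deny
    direction: incoming

- name: "Fail2ban aktivieren"
  service:
    name: fail2ban
    state: started
    enabled: true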
# NOTE(review): a `handlers:` mapping cannot live in a role task file. The
# document root above is a task sequence, so this mapping key makes the whole
# file unloadable, and Ansible only picks up role handlers from the role's
# handlers/main.yml. Move the two entries below into that file as a
# top-level list (without the `handlers:` key); the `notify: restart chrony`
# and `notify: restart sshd` lines in the tasks then resolve by name.
handlers:
  - name: restart chrony
    service:
      name: chrony
      state: restarted

  # NOTE(review): the OpenSSH unit is `ssh` on Debian/Ubuntu; `sshd` only
  # works where the sshd.service alias is shipped — confirm on the target
  # release before relying on it.
  - name: restart sshd
    service:
      name: sshd
      state: restarted