Initial monorepo scaffold
Turborepo + pnpm monorepo for k3s homelab cluster on Intel NUCs. - Apps: Next.js web frontend, Express API (TypeScript, Dockerfiles, k8s manifests) - Packages: shared UI, ESLint config, TypeScript config, Drizzle DB schemas - Infra/Ansible: bare-metal provisioning with roles for common, k3s-server, k3s-agent, hardening - Infra/Kubernetes: ArgoCD GitOps (app-of-apps + ApplicationSets), platform components (cert-manager, Traefik, CloudNativePG, Valkey, Longhorn, Sealed Secrets), namespaces - Observability: kube-prometheus-stack, Loki, Promtail as ArgoCD Applications - CI/CD: GitHub Actions for PR builds, preview deploys, production deploys - DX: Taskfile, utility scripts, copier templates, Ubiquiti network docs
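--- a/infra/ansible/roles/hardening/handlers/main.yaml
+++ b/infra/ansible/roles/hardening/handlers/main.yaml
@@ -0,0 +1,5 @@
+---
+- name: restart sshd
+  ansible.builtin.systemd:
+    name: sshd
+    state: restarted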
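Review bot: `name: sshd` assumes a unit of that name exists, but on Debian/Ubuntu (the role installs with apt) the real unit is `ssh.service` and `sshd.service` is only an alias that is present while `ssh.service` is enabled — on a socket-activated 24.04 install it can be missing, in which case this handler fails after the config has already been edited; confirm against the NUC image or use `name: ssh`. Since sshd re-reads its configuration on SIGHUP, `state: reloaded` applies the change without tearing down the listening daemon, which is the safer choice on a box you only reach over SSH. A one-line comment such as `# ssh.service on Debian/Ubuntu; sshd is an alias` above the module call would save the next reader the same check.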
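--- a/infra/ansible/roles/hardening/tasks/main.yaml
+++ b/infra/ansible/roles/hardening/tasks/main.yaml
@@ -0,0 +1,81 @@
+---
+- name: Ensure SSH password authentication is disabled
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?PasswordAuthentication"
+    line: "PasswordAuthentication no"
+  notify: restart sshd
+
+- name: Disable root SSH login
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?PermitRootLogin"
+    line: "PermitRootLogin no"
+  notify: restart sshd
+
+- name: Install and configure UFW
+  ansible.builtin.apt:
+    name: ufw
+    state: present
+
+- name: Set UFW default deny incoming
+  community.general.ufw:
+    direction: incoming
+    default: deny
+
+- name: Set UFW default allow outgoing
+  community.general.ufw:
+    direction: outgoing
+    default: allow
+
+- name: Allow SSH
+  community.general.ufw:
+    rule: allow
+    port: "22"
+    proto: tcp
+
+- name: Allow k3s API server (servers only)
+  community.general.ufw:
+    rule: allow
+    port: "6443"
+    proto: tcp
+  when: k3s_role == 'server'
+
+- name: Allow k3s flannel VXLAN
+  community.general.ufw:
+    rule: allow
+    port: "8472"
+    proto: udp
+
+- name: Allow kubelet metrics
+  community.general.ufw:
+    rule: allow
+    port: "10250"
+    proto: tcp
+
+- name: Allow HTTP/HTTPS (for Traefik ingress)
+  community.general.ufw:
+    rule: allow
+    port: "{{ item }}"
+    proto: tcp
+  loop:
+    - "80"
+    - "443"
+
+- name: Enable UFW
+  community.general.ufw:
+    state: enabled
+
+- name: Configure automatic security updates
+  ansible.builtin.apt:
+    name: unattended-upgrades
+    state: present
+
+- name: Enable automatic security updates
+  ansible.builtin.copy:
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+    content: |
+      APT::Periodic::Update-Package-Lists "1";
+      APT::Periodic::Unattended-Upgrade "1";
+      APT::Periodic::AutocleanInterval "7";
+    mode: "0644"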
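Review bot: The two `lineinfile` edits of `/etc/ssh/sshd_config` in the first two tasks can be silently overridden and are never syntax-checked: on Ubuntu 22.04+ the stock file begins with `Include /etc/ssh/sshd_config.d/*.conf`, sshd keeps the first value it sees for a keyword, and cloud-init commonly drops a `50-cloud-init.conf` containing `PasswordAuthentication yes`, so the play would report `changed` while password logins stay enabled — confirm against the NUC base image. A single drop-in that sorts before any other file, with `validate: /usr/sbin/sshd -t -f %s` so a typo is caught before the `restart sshd` handler locks you out of a bare-metal host, is the safer shape (sketched below). Separately, the UFW rules open 8472/udp and 10250/tcp (and 6443 on servers) to any source; 8472 is unauthenticated VXLAN and 10250 is the full kubelet API (exec/logs/port-forward, not just metrics, so the task name "Allow kubelet metrics" understates it), and both should be restricted to cluster nodes, e.g. `src: "{{ k3s_node_cidr }}"` with the CIDR defined in group_vars. k3s's ufw guidance also calls for allowing the pod and service CIDRs (`10.42.0.0/16` and `10.43.0.0/16` by default) because ufw's default forward policy is drop; without those rules cross-node pod and service traffic through the host can break once `Enable UFW` runs, which is worth testing before this role reaches the agents.

```yaml
- name: Harden sshd via a drop-in that sorts before cloud-init's
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config.d/00-hardening.conf
    content: |
      PasswordAuthentication no
      KbdInteractiveAuthentication no
      PermitRootLogin no
    mode: "0644"
    validate: /usr/sbin/sshd -t -f %s
  notify: restart sshd
# … unchanged: UFW and unattended-upgrades tasks …
```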