Turborepo + pnpm monorepo for k3s homelab cluster on Intel NUCs. - Apps: Next.js web frontend, Express API (TypeScript, Dockerfiles, k8s manifests) - Packages: shared UI, ESLint config, TypeScript config, Drizzle DB schemas - Infra/Ansible: bare-metal provisioning with roles for common, k3s-server, k3s-agent, hardening - Infra/Kubernetes: ArgoCD GitOps (app-of-apps + ApplicationSets), platform components (cert-manager, Traefik, CloudNativePG, Valkey, Longhorn, Sealed Secrets), namespaces - Observability: kube-prometheus-stack, Loki, Promtail as ArgoCD Applications - CI/CD: GitHub Actions for PR builds, preview deploys, production deploys - DX: Taskfile, utility scripts, copier templates, Ubiquiti network docs
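---
# Baseline hardening for every k3s node: key-only SSH, a default-deny host
# firewall, and unattended security patches. Expects `k3s_role`
# ('server' | 'agent') and a `restart sshd` handler from the calling play.
# The optional vars used below (`k3s_node_cidr`, `k3s_cluster_cidr`,
# `k3s_service_cidr`) default to "any" / the k3s stock CIDRs, so existing
# inventories keep working unchanged.

# --- SSH -------------------------------------------------------------------
# Every sshd edit is checked with `sshd -t` before it is written, so a typo
# can never leave sshd unable to restart (which would lock us out of a
# headless NUC). Make sure a working authorized key is in place for the
# Ansible user BEFORE this role runs: after it, passwords no longer work.
- name: Ensure SSH password authentication is disabled
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?PasswordAuthentication"
    line: "PasswordAuthentication no"
    validate: "/usr/sbin/sshd -t -f %s"
  notify: restart sshd

- name: Disable root SSH login
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?PermitRootLogin"
    line: "PermitRootLogin no"
    validate: "/usr/sbin/sshd -t -f %s"
  notify: restart sshd

# NOTE(review): on releases whose sshd_config begins with
# `Include /etc/ssh/sshd_config.d/*.conf`, sshd takes the FIRST value it
# sees for a keyword, so a drop-in such as cloud-init's 50-cloud-init.conf
# containing `PasswordAuthentication yes` silently overrides the two edits
# above. A drop-in named 00-* sorts before all others and wins; it is only
# written when the directory exists, so older layouts are unaffected.
- name: Check for the sshd drop-in directory
  ansible.builtin.stat:
    path: /etc/ssh/sshd_config.d
  register: sshd_config_d

# KbdInteractiveAuthentication is switched off as well: with UsePAM, PAM can
# still prompt for the account password over keyboard-interactive even when
# PasswordAuthentication is "no". (Older OpenSSH spells this keyword
# ChallengeResponseAuthentication; `sshd -t` will reject the file rather
# than lock us out if the keyword is unknown.)
- name: Pin SSH hardening in a first-sorted drop-in
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config.d/00-hardening.conf
    content: |
      PasswordAuthentication no
      KbdInteractiveAuthentication no
      PermitRootLogin no
    owner: root
    group: root
    mode: "0644"
    validate: "/usr/sbin/sshd -t -f %s"
  when: sshd_config_d.stat.isdir | default(false)
  notify: restart sshd

# --- Host firewall ---------------------------------------------------------
# Apt metadata may be empty on a freshly provisioned box; refresh it (at most
# once an hour) so the install does not fail on the first run.
- name: Install UFW
  ansible.builtin.apt:
    name: ufw
    state: present
    update_cache: true
    cache_valid_time: 3600

- name: Set UFW default deny incoming
  community.general.ufw:
    direction: incoming
    default: deny

- name: Set UFW default allow outgoing
  community.general.ufw:
    direction: outgoing
    default: allow

# SSH is opened before the firewall is enabled (last task in this section)
# so that turning UFW on can never drop the session running this play.
- name: Allow SSH
  community.general.ufw:
    rule: allow
    port: "22"
    proto: tcp

# k3s control-plane / node-to-node ports. They are reachable from ANY source
# unless `k3s_node_cidr` is set to the subnet the NUCs live on. 8472/udp
# (flannel VXLAN, unauthenticated overlay traffic) and 10250/tcp (the kubelet
# API, not merely metrics) in particular should not be exposed beyond the
# node network.
- name: Allow k3s API server (servers only)
  community.general.ufw:
    rule: allow
    port: "6443"
    proto: tcp
    from_ip: "{{ k3s_node_cidr | default('any') }}"
  when: k3s_role == 'server'

- name: Allow k3s flannel VXLAN
  community.general.ufw:
    rule: allow
    port: "8472"
    proto: udp
    from_ip: "{{ k3s_node_cidr | default('any') }}"

- name: Allow kubelet API
  community.general.ufw:
    rule: allow
    port: "10250"
    proto: tcp
    from_ip: "{{ k3s_node_cidr | default('any') }}"

# NOTE(review): servers running embedded etcd additionally need 2379-2380/tcp
# between servers. Not added here because this file does not show which
# datastore the cluster uses — confirm against the k3s-server role.

# With default-deny incoming, packets arriving from the pod and service
# networks (via cni0/flannel) are dropped too, which breaks pod-to-pod and
# ClusterIP traffic on the node. k3s' own UFW guidance is to allow both
# CIDRs; the defaults below are k3s' stock --cluster-cidr / --service-cidr
# and must be overridden if those flags were changed.
- name: Allow traffic from the k3s pod and service networks
  community.general.ufw:
    rule: allow
    from_ip: "{{ item }}"
  loop:
    - "{{ k3s_cluster_cidr | default('10.42.0.0/16') }}"
    - "{{ k3s_service_cidr | default('10.43.0.0/16') }}"

- name: Allow HTTP/HTTPS (for Traefik ingress)
  community.general.ufw:
    rule: allow
    port: "{{ item }}"
    proto: tcp
  loop:
    - "80"
    - "443"

# Enabled last, once every allow rule above has been recorded.
- name: Enable UFW
  community.general.ufw:
    state: enabled

# --- Automatic security updates -------------------------------------------
- name: Install unattended-upgrades
  ansible.builtin.apt:
    name: unattended-upgrades
    state: present
    update_cache: true
    cache_valid_time: 3600

# Only the periodic schedule is managed here. Which origins are applied
# (typically the distro's security pocket) and whether the node reboots
# itself after a kernel update come from
# /etc/apt/apt.conf.d/50unattended-upgrades, which this role leaves at the
# package default — so kernel/OpenSSH fixes are installed but not activated
# until the node is rebooted by hand.
- name: Enable automatic security updates
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
      APT::Periodic::AutocleanInterval "7";
    owner: root
    group: root
    mode: "0644"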