path: root/ansible/roles

Commit message | Author | Age | Lines
* Remove obsolete cleanup tasks (Johannes Christ, 2024-05-12, -18/+0)
* Configure sudo in separate file (Johannes Christ, 2024-05-12, -2/+17)
* Configure Prometheus alerting for failed systemd units (#278) (jchristgit, 2024-05-08, -1/+1)
  The two services that I would normally exclude are intentionally not excluded right now to test out the alertmanager setup. If all goes well, we should receive a notification on Discord.
* install blackbox exporter as part of our monitoring stack (shtlrs, 2024-05-06, -47/+10)
* Perform fail2ban bans directly via nftables (Johannes Christ, 2024-05-04, -0/+2)
  See upstream at https://github.com/fail2ban/fail2ban/commit/d0d07285234871bad3dc0c359d0ec03365b6dddc; this will be incorporated into Debian at the next release.
* Skip tasks requiring all hosts when running with limit (Johannes Christ, 2024-05-04, -0/+2)
* Configure default security limits (Johannes Christ, 2024-05-04, -0/+15)
  The new limits allow each user to run a maximum of 100 processes by default, allowing them to manually raise this number to 200. When a custom "pydis" group or similar is introduced, I plan to expand this to also specify other limits to prevent user error from causing problems on the system.
* set backend to systemd (shtlrs, 2024-05-04, -0/+1)
* Set up Prometheus alerting on Netcup (Johannes Christ, 2024-05-04, -2/+18)
* Harden SSH security and prevent some misconfigurations (Johannes Christ, 2024-05-01, -8/+45)
  Disable agent forwarding and X11 forwarding in the default configuration. Users can still forward this if they really want to by installing a custom forwarder and utilizing their shell access to spawn it, but with this, we're making it impossible for people to accidentally forward their agent or their X socket to the remote server. Additionally, change the SSH configuration such that only the Python Discord users are allowed to log in.
* Depend on ansible-core instead of Ansible (Johannes Christ, 2024-05-01, -0/+10)
  Allow for faster local installation by only installing what we need.
* Update nftables role (Johannes Christ, 2024-04-29, -0/+0)
  The new commit includes automatic validation of the `nft` configuration to ensure that any deployed config is valid.
* Remove UFW and make ansible-lint happy (Johannes Christ, 2024-04-29, -31/+0)
* Use nftables for firewalling (Johannes Christ, 2024-04-29, -38/+12)
  nftables is the modern replacement for iptables, which ufw uses under the hood. It allows us to specify firewall rules in a simple text file (with as much or as little abstraction as we want) and is quick to update and read. The text-file format allows more liberty with commenting compared to UFW. The existing `ufw` role has been converted to simply remove UFW. This has already been deployed on lovelace.
* Use same indent for all fail2ban options (Johannes Christ, 2024-04-27, -1/+1)
* Add bellas user (Chris Lovering, 2024-04-24, -53/+99)
* Use Ansible Vault for storing users (Johannes Christ, 2024-04-15, -0/+0)
  Closes #211.
* Update vars to have the role name as a prefix (Chris Lovering, 2024-04-15, -16/+16)
* Add a users role (Johannes Christ, 2024-04-13, -0/+29)
  The new `pydis-users` role allows us to manage user accounts and move away from the root user setup script, eventually locking down SSH access to the root user. Joe, Chris and I have been added as users.
* Copy root bashrc from skel (Johannes Christ, 2024-04-12, -0/+1)
* Configure SSH daemon options in unit dropin (Johannes Christ, 2024-04-12, -9/+20)
  Disable password authentication and root logins and use a configuration file that is independent of the `sshd_config` that `apt` itself will modify on upgrades.
* Install unattended-upgrades on our nodes (Johannes Christ, 2024-04-12, -0/+7)
* Move all ansible files to their own folder (Chris Lovering, 2023-08-13, -0/+795)