| Commit message (Collapse) | Author | Age | Lines | |
|---|---|---|---|---|
| * | Readd nftables submodule |  Chris Lovering | 2024-05-15 | -0/+0 |
| | | ||||
| * | Deploy a pinnwand instance that used lovelace's pg database (#293) |  Amrou Bellalouna | 2024-05-15 | -0/+0 |
| | | | | | | | | | | | | * add a deployment config for pinnwand on lovelace * add a dns entry for the new pastebin * Add database URI for pinnwand to connect to psql on lovelace --------- Co-authored-by: Chris Lovering <[email protected]> | |||
| * | Pleasure the style dictator (#291) |  jchristgit | 2024-05-14 | -16/+25 |
| | | | | Fix warnings with argsplat in postgres role | |||
| * | add the task that configures host based authentication | shtlrs | 2024-05-14 | -0/+16 |
| | | ||||
| * | add the db_passwords secrets file | shtlrs | 2024-05-14 | -7/+24 |
| | | | | | | | This contains the encrypted passwords for all database users This also moves variables under the /vars/main folder to allow ansible to load all variable folders automatically | |||
| * | add a handler to reload postgres | shtlrs | 2024-05-14 | -1/+10 |
| | | | | | | | This also renames the handler that restarts it. You're welcome Johannes. | |||
| * | ignore .ansible file upon syncing | shtlrs | 2024-05-14 | -1/+1 |
| | | | | | This will avoid the copying of a potentially empty .ansible file on host, rendering the guest playbooks unrunnable | |||
| * | Update Ansible Prometheus to point to pydis.wtf alertmanager |  Joe Banks | 2024-05-14 | -1/+1 |
| | | ||||
| * | Remove obsolete cleanup tasks | Johannes Christ | 2024-05-12 | -18/+0 |
| | | ||||
| * | Configure sudo in separate file | Johannes Christ | 2024-05-12 | -2/+17 |
| | | ||||
| * | Properly load Prometheus rules | Johannes Christ | 2024-05-08 | -0/+1 |
| | | ||||
| * | Configure Prometheus alerting for failed systemd units (#278) | jchristgit | 2024-05-08 | -1/+16 |
| | | | | | | The two services that I would normally exclude are intentionally not excluded right now to test out the alertmanager setup. If all goes well, we should receive a notification on Discord. | |||
| * | Correct scheme configuration for Alertmanager | Johannes Christ | 2024-05-07 | -3/+3 |
| | | ||||
| * | install blackbox exporter as part of out monitoring stack | shtlrs | 2024-05-06 | -47/+49 |
| | | ||||
| * | Perform fail2ban bans directly via nftables | Johannes Christ | 2024-05-04 | -0/+2 |
| | | | | | | | See upstream at https://github.com/fail2ban/fail2ban/commit/d0d07285234871bad3dc0c359d0ec03365b6dddc, this will be incorporated into Debian at the next release. | |||
| * | Skip tasks requiring all hosts when running with limit | Johannes Christ | 2024-05-04 | -0/+2 |
| | | ||||
| * | Configure default security limits | Johannes Christ | 2024-05-04 | -0/+15 |
| | | | | | | | | | | The new limits allow each user to run a maximum of 100 processes by default, allowing to manually raise this number to 200. When a custom "pydis" group or similar is introduced, I plan to expand this to also specify other limits to prevent user error from causing problems on the system. | |||
| * | set backend to systemd | shtlrs | 2024-05-04 | -0/+1 |
| | | ||||
| * | Set up Prometheus alerting on Netcup | Johannes Christ | 2024-05-04 | -2/+18 |
| | | ||||
| * | Set up database group for database hosts | Johannes Christ | 2024-05-03 | -3/+9 |
| | | ||||
| * | Remove old groups from Vagrant inventory | Johannes Christ | 2024-05-03 | -30/+0 |
| | | | | | | These groups are no longer present in our proper inventory as we no longer plan on selfhosting Kubernetes on the netcup nodes. | |||
| * | Harden SSH security and prevent some misconfigurations | Johannes Christ | 2024-05-01 | -8/+45 |
| | | | | | | | | | | | | Disable agent forwarding and X11 forwarding in the default configuration. Users can still forward this if they really want to by installing a custom forwarder and utilizing their shell access to spawn it, but with this, we're making it impossible for people to accidentally forward their agent or their X socket to the remote server. Additionally, change the SSH configuration such that only the Python Discord users are allowed to log in. | |||
| * | Depend on ansible-core instead of Ansible | Johannes Christ | 2024-05-01 | -4/+20 |
| | | | | | Allow for faster local installation by only installing what we need. | |||
| * | update the readme file to be more user friendly | shtlrs | 2024-05-01 | -14/+51 |
| | | ||||
| * | Install dependencies using poetry | shtlrs | 2024-05-01 | -8/+14 |
| | | ||||
| * | bump the debian version used | shtlrs | 2024-05-01 | -4/+3 |
| | | | | | This also explicitly specifies the sync type to rsync | |||
| * | Whitelist possible LKE addresses to PostgreSQL on lovelace | Johannes Christ | 2024-04-29 | -8/+26 |
| | | | | | | | | | This allows us to connect to PostgreSQL on lovelace from any possible LKE node location, whilst not opening up our PostgreSQL instances to the world. This has already been rolled out. | |||
| * | Add LKE addresses to group variables | Johannes Christ | 2024-04-29 | -0/+9 |
| | | ||||
| * | Update nftables role | Johannes Christ | 2024-04-29 | -0/+0 |
| | | | | | | The new commit includes automatic validation of the `nft` configuration to ensure that any deployed config is valid. | |||
| * | Remove UFW and make ansible-lint happy | Johannes Christ | 2024-04-29 | -33/+2 |
| | | ||||
| * | Use nftables for firewalling | Johannes Christ | 2024-04-29 | -39/+83 |
| | | | | | | | | | | nftables is the modern replacement for iptables, which ufw uses under the hood. It allows us to specify firewall rules in a simple text file (with as much or as little abstraction as we want) and is quick to update and read. The text-file format allows more liberty with commenting compared to UFW. The existing `ufw` role has been converted to simply remove UFW. This has already been deployed on lovelace. | |||
| * | Connect netcup Prometheus to Kubernetes Alertmanager | Johannes Christ | 2024-04-28 | -1/+3 |
| | | | | | Closes #240. | |||
| * | Document how to use Ansible on Windows (#247) | jchristgit | 2024-04-28 | -4/+9 |
| | | ||||
| * | Use same indent for all fail2ban options | Johannes Christ | 2024-04-27 | -1/+1 |
| | | ||||
| * | Add bellas user | Chris Lovering | 2024-04-24 | -53/+99 |
| | | ||||
| * | Use Ansible Vault for storing users | Johannes Christ | 2024-04-15 | -1/+3 |
| | | | | | Closes #211. | |||
| * | Update vars to have the role name as a prefix | Chris Lovering | 2024-04-15 | -16/+16 |
| | | ||||
| * | Configure Ansible for user authentication (#213) | jchristgit | 2024-04-14 | -2/+1 |
| | | ||||
| * | Add a users role | Johannes Christ | 2024-04-13 | -0/+31 |
| | | | | | | | | | The new `pydis-users` role allows us to manage user accounts and move away from the root user setup script, eventually locking down SSH access to the root user. Joe, Chris and me have been added as users. | |||
| * | Copy root bashrc from skel | Johannes Christ | 2024-04-12 | -0/+1 |
| | | ||||
| * | Configure SSH daemon options in unit dropin | Johannes Christ | 2024-04-12 | -9/+20 |
| | | | | | | | Disable password authentication and root logins and use a configuration file that is independent of the `sshd_config` that `apt` itself will modify on upgrades. | |||
| * | Install unattended-upgrades on our nodes | Johannes Christ | 2024-04-12 | -0/+8 |
| | | ||||
| * | Move requirements to poetry | Chris Lovering | 2023-08-13 | -4/+0 |
| | | ||||
| * | Add a basic README for the ansible folder | Chris Lovering | 2023-08-13 | -0/+17 |
| | | ||||
| * | Move all ansible files to their own folder | Chris Lovering | 2023-08-13 | -0/+1101 |
 |
index : infra | |
| The PyDis DevOps boiler house, the engine room, where the magic happens. |
| aboutsummaryrefslogtreecommitdiffstats |