From bb91e139bce53dd7811ed4ea33e6a6445ca2e04a Mon Sep 17 00:00:00 2001
From: Andrey
Date: Tue, 9 Sep 2025 23:00:15 +0300
Subject: [PATCH] Update Ansible configuration and enhance playbook
- Add UFW configuration to secure server ports
- Install additional packages including vim, zsh, and monitoring tools
- Change default shell for 'deploy' user to zsh
- Update .gitignore to include Ansible inventory files
---
 .gitignore | 6 +++++-
 infra/ansible/inventory.ini | 2 +-
 infra/ansible/playbook.yml | 43 +++++++++++++++++++++++++++++++++++--
 3 files changed, 47 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index 485844c..e0b952e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -64,4 +64,8 @@ build/
 # Bots
 /bots/*
-!/bots/.gitkeep
\ No newline at end of file
+!/bots/.gitkeep
+
+ # Ansible inventory files (contain sensitive server info)
+infra/ansible/inventory.ini
+infra/ansible/inventory_*.ini
\ No newline at end of file
diff --git a/infra/ansible/inventory.ini b/infra/ansible/inventory.ini
index 5067f2d..50f4747 100644
--- a/infra/ansible/inventory.ini
+++ b/infra/ansible/inventory.ini
@@ -1,5 +1,5 @@
 [new_server]
-#your-new-server-ip ansible_user=deploy
+127.0.0.1 ansible_user=deploy
 [all:vars]
 ansible_python_interpreter=/usr/bin/python3
\ No newline at end of file
diff --git a/infra/ansible/playbook.yml b/infra/ansible/playbook.yml
index 789be02..d5ecda6 100644
--- a/infra/ansible/playbook.yml
+++ b/infra/ansible/playbook.yml
@@ -31,6 +31,13 @@
 - curl
 - sshpass
 - rsync
+ - vim
+ - zsh
+ - ufw
+ - htop
+ - iotop
+ - traceroute
+ - ncdu
 state: present
 - name: Включить и запустить Docker
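Review bot: Adding `infra/ansible/inventory.ini` to .gitignore does not untrack it — this same patch still modifies the tracked file (index 5067f2d..50f4747), so Git will keep committing every future edit, including the real host address the new comment calls sensitive. The ignore entry only takes effect after `git rm --cached infra/ansible/inventory.ini` in the same change, ideally with a committed `inventory.example.ini` holding the placeholder for newcomers. The `infra/ansible/inventory_*.ini` pattern is fine as written, since those files were presumably never added.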
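Review bot: The placeholder `#your-new-server-ip` becomes a concrete host entry, `127.0.0.1 ansible_user=deploy`, in a file this patch declares sensitive yet leaves tracked, so whoever next substitutes the production address will commit it. Keeping the commented placeholder here, or putting real values in an `inventory_local.ini` that the new ignore pattern already covers, avoids that. As written the entry also SSHes to localhost as `deploy` (there is no `ansible_connection=local`), which only works when the control machine is the target — presumably a throwaway value, and a comment saying so would help.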
@@ -39,6 +46,28 @@
 enabled: yes
 state: started
+ - name: Настроить UFW (файрвол)
+ ufw:
+ state: enabled
+ policy: deny
+ direction: incoming
+ rule: allow
+ port: "22"
+ proto: tcp
+ notify: restart ufw
+
+ - name: Открыть порты для сервисов
+ ufw:
+ rule: allow
+ port: "{{ item }}"
+ proto: tcp
+ loop:
+ - "8080" # Telegram Bot
+ - "8081" # AnonBot
+ - "9090" # Prometheus
+ - "3000" # Grafana
+ notify: restart ufw
+
 - name: Проверить существование пользователя deploy
 getent:
 database: passwd
@@ -57,13 +86,19 @@
 name: "{{ deploy_user }}"
 uid: "{{ uid }}"
 group: "{{ gid }}"
-shell: /bin/bash
+shell: /bin/zsh
 create_home: yes
 system: no
 groups: docker
 append: yes
 when: not user_exists.exists
+
+ - name: Установить zsh как оболочку по умолчанию для существующего пользователя deploy
+ user:
+ name: "{{ deploy_user }}"
+ shell: /bin/zsh
+ when: user_exists.exists
+
 - name: Настроить безопасный SSH
 lineinfile:
 path: /etc/ssh/sshd_config
@@ -239,9 +274,13 @@
 debug:
 msg: "Все сервисы запущены и слушают нужные порты."
- # handler для перезагрузки SSH
+ # handlers для перезагрузки сервисов
 handlers:
 - name: reload ssh
 systemd:
 name: ssh
+ state: reloaded
+
+ - name: restart ufw
+ ufw:
 state: reloaded
\ No newline at end of file
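Review bot: The first task enables UFW, sets the default incoming policy to deny and adds the 22/tcp allow rule in a single task; the module issues these as separate `ufw` commands, so a failure after `enable` but before the rule lands leaves the host unreachable over SSH for every later run. The safer ordering is separate tasks — allow 22/tcp first, then `policy: deny` with `direction: incoming`, and `state: enabled` as the last firewall task after the service ports are opened (rewrite below). The allowed port is hard-coded to `"22"` while the "Настроить безопасный SSH" task that edits sshd_config lies outside this hunk — if that task changes `Port`, this rule has to follow it. The four service ports are opened to every source; Prometheus (9090) and Grafana (3000) in particular usually warrant a `from_ip` restriction or a reverse proxy in front. Note too that if these services run as Docker containers with published ports (Docker is enabled just above), Docker's own iptables chains bypass UFW's INPUT rules, so these allows neither permit nor restrict that traffic — worth a comment such as `# Docker-published ports bypass UFW; restrict them via the DOCKER-USER chain`.
```yaml
    - name: Разрешить SSH до включения файрвола
      ufw:
        rule: allow
        port: "22"
        proto: tcp

    - name: Запретить входящие соединения по умолчанию
      ufw:
        policy: deny
        direction: incoming

    # … unchanged: "Открыть порты для сервисов" task …

    - name: Включить UFW
      ufw:
        state: enabled
```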
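Review bot: The new handler is named `restart ufw` but performs `state: reloaded`, and the two tasks that notify it (in the earlier hunk) add rules that `ufw` applies as soon as the firewall is active, so the name promises more than the handler does. Renaming it to match its sibling — `- name: reload ufw` / `ufw:` / `state: reloaded`, with the two `notify:` lines updated to `reload ufw` — keeps the handler list consistent; if a full service restart is actually wanted, use `systemd: name: ufw` with `state: restarted` instead. The handlers block begins inside this hunk, but its notifiers are outside it.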