Update Ansible configuration and enhance playbook
- Add UFW configuration to secure server ports
- Install additional packages including vim, zsh, and monitoring tools
- Change default shell for 'deploy' user to zsh
- Update .gitignore to include Ansible inventory files
4
.gitignore
vendored
4
.gitignore
vendored
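--- a/.gitignore
+++ b/.gitignore
@@ -65,3 +65,7 @@ build/
 # Bots
 /bots/*
 !/bots/.gitkeep
+
+# Ansible inventory files (contain sensitive server info)
+infra/ansible/inventory.ini
+infra/ansible/inventory_*.ini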
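Review bot: Adding `infra/ansible/inventory.ini` to .gitignore does not untrack a file that is already in the index, and the next section of this same commit still edits what appears to be that inventory (`127.0.0.1 ansible_user=deploy`), so the "sensitive server info" the new comment warns about keeps being committed. If the file is tracked, a follow-up `git rm --cached infra/ansible/inventory.ini` is needed for the rule to take effect, and a committed `inventory.ini.example` with placeholder hosts can serve onboarding instead. Both patterns are needed because `inventory_*.ini` does not match `inventory.ini`; a short comment to that effect would keep someone from collapsing them later.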
@@ -1,5 +1,5 @@
|
|||||||
[new_server]
|
[new_server]
|
||||||
#your-new-server-ip ansible_user=deploy
|
127.0.0.1 ansible_user=deploy
|
||||||
|
|
||||||
[all:vars]
|
[all:vars]
|
||||||
ansible_python_interpreter=/usr/bin/python3
|
ansible_python_interpreter=/usr/bin/python3
|
||||||
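Review bot: Replacing the commented placeholder with a live `127.0.0.1 ansible_user=deploy` entry means a plain `ansible-playbook` run against this inventory now targets the control machine itself, and after this commit the play enables UFW with a default-deny incoming policy and edits `/etc/ssh/sshd_config` on whatever host it reaches. Keep the placeholder commented (`#your-new-server-ip ansible_user=deploy`) or put real hosts in one of the ignored `inventory_*.ini` files the .gitignore hunk introduces. The file path for this section is not shown on the page; this assumes it is the `infra/ansible/inventory.ini` named in .gitignore.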
@@ -31,6 +31,13 @@
|
|||||||
- curl
|
- curl
|
||||||
- sshpass
|
- sshpass
|
||||||
- rsync
|
- rsync
|
||||||
|
- vim
|
||||||
|
- zsh
|
||||||
|
- ufw
|
||||||
|
- htop
|
||||||
|
- iotop
|
||||||
|
- traceroute
|
||||||
|
- ncdu
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Включить и запустить Docker
|
- name: Включить и запустить Docker
|
||||||
@@ -39,6 +46,28 @@
|
|||||||
enabled: yes
|
enabled: yes
|
||||||
state: started
|
state: started
|
||||||
|
|
||||||
|
- name: Настроить UFW (файрвол)
|
||||||
|
ufw:
|
||||||
|
state: enabled
|
||||||
|
policy: deny
|
||||||
|
direction: incoming
|
||||||
|
rule: allow
|
||||||
|
port: "22"
|
||||||
|
proto: tcp
|
||||||
|
notify: restart ufw
|
||||||
|
|
||||||
|
- name: Открыть порты для сервисов
|
||||||
|
ufw:
|
||||||
|
rule: allow
|
||||||
|
port: "{{ item }}"
|
||||||
|
proto: tcp
|
||||||
|
loop:
|
||||||
|
- "8080" # Telegram Bot
|
||||||
|
- "8081" # AnonBot
|
||||||
|
- "9090" # Prometheus
|
||||||
|
- "3000" # Grafana
|
||||||
|
notify: restart ufw
|
||||||
|
|
||||||
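Review bot: The first UFW task combines `state: enabled`, `policy: deny` and `rule: allow` for port 22 in one module call, and in the community.general `ufw` module those parameters are run as separate ufw commands with `state` handled first (as far as I recall), so the firewall comes up with deny-incoming before the SSH allow rule exists; splitting it into allow-SSH, then default-deny, then enable makes the ordering explicit and lock-out-safe. The second task opens `9090` (Prometheus) and `3000` (Grafana) to every source; unless those are meant to be public, restrict them with `from_ip` or leave them closed and reach them through a reverse proxy or SSH tunnel. The `ufw` module applies rules immediately, so the two `notify: restart ufw` lines are redundant and can be dropped.

```yaml
- name: Разрешить SSH до включения UFW
  ufw:
    rule: allow
    port: "22"
    proto: tcp

- name: Установить политику deny для входящих соединений
  ufw:
    policy: deny
    direction: incoming

- name: Включить UFW
  ufw:
    state: enabled

# … unchanged: "Открыть порты для сервисов" loop (consider from_ip for 9090/3000) …
```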
- name: Проверить существование пользователя deploy
|
- name: Проверить существование пользователя deploy
|
||||||
getent:
|
getent:
|
||||||
database: passwd
|
database: passwd
|
||||||
@@ -57,13 +86,19 @@
|
|||||||
name: "{{ deploy_user }}"
|
name: "{{ deploy_user }}"
|
||||||
uid: "{{ uid }}"
|
uid: "{{ uid }}"
|
||||||
group: "{{ gid }}"
|
group: "{{ gid }}"
|
||||||
shell: /bin/bash
|
shell: /bin/zsh
|
||||||
create_home: yes
|
create_home: yes
|
||||||
system: no
|
system: no
|
||||||
groups: docker
|
groups: docker
|
||||||
append: yes
|
append: yes
|
||||||
when: not user_exists.exists
|
when: not user_exists.exists
|
||||||
|
|
||||||
|
- name: Установить zsh как оболочку по умолчанию для существующего пользователя deploy
|
||||||
|
user:
|
||||||
|
name: "{{ deploy_user }}"
|
||||||
|
shell: /bin/zsh
|
||||||
|
when: user_exists.exists
|
||||||
|
|
||||||
- name: Настроить безопасный SSH
|
- name: Настроить безопасный SSH
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: /etc/ssh/sshd_config
|
||||||
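Review bot: The new task repeats `shell: /bin/zsh` from the creation task just above and mirrors its `when` with the opposite condition; since the `user` module is idempotent, one unconditional task `user: { name: "{{ deploy_user }}", shell: /bin/zsh }` placed after the creation task covers both cases and reports `changed` only when the shell actually differs. The `/bin/zsh` value is also spelled twice now, so a play-level variable such as `deploy_shell` would keep the two in step. This depends on the `zsh` package added in the earlier apt hunk being installed in the same run, which holds here given task order; a one-line comment on the task noting that dependency would help the next reader.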
@@ -239,9 +274,13 @@
|
|||||||
debug:
|
debug:
|
||||||
msg: "Все сервисы запущены и слушают нужные порты."
|
msg: "Все сервисы запущены и слушают нужные порты."
|
||||||
|
|
||||||
# handler для перезагрузки SSH
|
# handlers для перезагрузки сервисов
|
||||||
handlers:
|
handlers:
|
||||||
- name: reload ssh
|
- name: reload ssh
|
||||||
systemd:
|
systemd:
|
||||||
name: ssh
|
name: ssh
|
||||||
state: reloaded
|
state: reloaded
|
||||||
|
|
||||||
|
- name: restart ufw
|
||||||
|
ufw:
|
||||||
|
state: reloaded
|
||||||
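Review bot: The handler `restart ufw` runs `ufw: state: reloaded`, so its name misdescribes what it does; rename it to `reload ufw` together with the two `notify: restart ufw` lines in the UFW hunk, or drop the handler entirely since the `ufw` module applies rule and policy changes immediately and nothing later in the play waits on it. Handlers only fire at the end of the play, so the service ports are open from the moment the rule task runs regardless of this handler.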