feat(boundary): remove OS-hardening overlap; add k3s baseline workplan
Per ADR-002 (railiance-hosts/docs/adr/ADR-002-repo-boundary-hosts-vs-bootstrap.md):

- ansible/harden.yml: replaced with tombstone pointing to railiance-hosts
- ansible/bootstrap.yml: remove `import_playbook: harden.yml`; add pre-condition comment; OS hardening is no longer this repo's concern
- docs/first_host.md: rewritten to reflect 3-step flow: converge railiance-hosts → railiance-bootstrap k3s install → smoke test
- workplans/RAIL-BS-WP-0002-k3s-baseline.md: new workplan for k3s + Helm + Kubernetes platform baseline; linked to repo goal 70ab2379

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
1d759508ac
commit
783c8cebbd
4 changed files with 219 additions and 140 deletions
|
|
@ -1,8 +1,9 @@
|
|||
---
|
||||
# Stage 1: Harden the server before anything else is installed.
|
||||
- import_playbook: harden.yml
|
||||
# Pre-condition: the target host must already be converged by railiance-hosts
|
||||
# (`make converge` in that repo) before running this playbook.
|
||||
# OS hardening (SSH, UFW, fail2ban) is owned by railiance-hosts — see ADR-002.
|
||||
|
||||
# Stage 2: Install base packages and k3s.
|
||||
# Install base packages and k3s.
|
||||
- name: Railiance host bootstrap
|
||||
hosts: all
|
||||
become: true
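Review bot: With `import_playbook: harden.yml` removed, nothing in this play checks the pre-condition the new comment states; a host that was never converged by railiance-hosts will get base packages and k3s installed with no firewall or SSH hardening in place, and the play will not notice. A `pre_tasks` guard that fails fast when the host is not in the hardened state turns the comment into an enforced invariant; the check below uses `ufw status` as a cheap proxy because UFW is one of the controls the commit hands to railiance-hosts, and a convergence marker or goss check from that repo would be a stronger signal if one is available. The play body (the tasks that install packages and k3s) continues outside the hunk.
```yaml
  become: true
  pre_tasks:
    - name: Verify railiance-hosts hardening is in place (ADR-002 pre-condition)
      ansible.builtin.command: ufw status
      register: ufw_status
      changed_when: false
      failed_when: "'Status: active' not in ufw_status.stdout"
  # … unchanged: remaining play body (tasks) …
```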
|
||||
|
|
|
|||
|
|
@ -1,124 +1,16 @@
|
|||
---
|
||||
- name: Server hardening
|
||||
hosts: all
|
||||
become: true
|
||||
|
||||
vars:
|
||||
ssh_port: 22
|
||||
k3s_api_port: 6443
|
||||
flannel_vxlan_port: 8472
|
||||
|
||||
tasks:
|
||||
# ── SSH hardening ────────────────────────────────────────────────────────
|
||||
|
||||
- name: Disable root SSH login
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
regexp: '^#?PermitRootLogin'
|
||||
line: 'PermitRootLogin no'
|
||||
state: present
|
||||
notify: Restart sshd
|
||||
|
||||
- name: Disable password authentication
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
regexp: '^#?PasswordAuthentication'
|
||||
line: 'PasswordAuthentication no'
|
||||
state: present
|
||||
notify: Restart sshd
|
||||
|
||||
- name: Disable challenge-response authentication
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
regexp: '^#?ChallengeResponseAuthentication'
|
||||
line: 'ChallengeResponseAuthentication no'
|
||||
state: present
|
||||
notify: Restart sshd
|
||||
|
||||
# ── UFW firewall ─────────────────────────────────────────────────────────
|
||||
|
||||
- name: Install ufw
|
||||
apt:
|
||||
name: ufw
|
||||
state: present
|
||||
update_cache: yes
|
||||
|
||||
- name: Set UFW default inbound policy to deny
|
||||
ufw:
|
||||
default: deny
|
||||
direction: incoming
|
||||
|
||||
- name: Set UFW default outbound policy to allow
|
||||
ufw:
|
||||
default: allow
|
||||
direction: outgoing
|
||||
|
||||
- name: Allow SSH
|
||||
ufw:
|
||||
rule: allow
|
||||
port: "{{ ssh_port }}"
|
||||
proto: tcp
|
||||
|
||||
- name: Allow k3s API server
|
||||
ufw:
|
||||
rule: allow
|
||||
port: "{{ k3s_api_port }}"
|
||||
proto: tcp
|
||||
|
||||
- name: Allow Flannel VXLAN (inter-node)
|
||||
ufw:
|
||||
rule: allow
|
||||
port: "{{ flannel_vxlan_port }}"
|
||||
proto: udp
|
||||
|
||||
- name: Enable UFW
|
||||
ufw:
|
||||
state: enabled
|
||||
|
||||
# ── fail2ban ─────────────────────────────────────────────────────────────
|
||||
|
||||
- name: Install fail2ban
|
||||
apt:
|
||||
name: fail2ban
|
||||
state: present
|
||||
|
||||
- name: Configure fail2ban SSH jail
|
||||
copy:
|
||||
dest: /etc/fail2ban/jail.d/sshd.conf
|
||||
content: |
|
||||
[sshd]
|
||||
enabled = true
|
||||
port = {{ ssh_port }}
|
||||
maxretry = 5
|
||||
bantime = 3600
|
||||
findtime = 600
|
||||
mode: '0644'
|
||||
notify: Restart fail2ban
|
||||
|
||||
- name: Enable and start fail2ban
|
||||
systemd:
|
||||
name: fail2ban
|
||||
enabled: true
|
||||
state: started
|
||||
|
||||
# ── Shell hygiene ─────────────────────────────────────────────────────────
|
||||
|
||||
- name: Set HISTCONTROL to suppress space-prefixed commands from history
|
||||
copy:
|
||||
dest: /etc/profile.d/histcontrol.sh
|
||||
content: |
|
||||
# Commands prefixed with a space are not recorded in shell history.
|
||||
# Use this when typing secrets interactively.
|
||||
export HISTCONTROL=ignorespace
|
||||
mode: '0644'
|
||||
|
||||
handlers:
|
||||
- name: Restart sshd
|
||||
systemd:
|
||||
name: sshd
|
||||
state: restarted
|
||||
|
||||
- name: Restart fail2ban
|
||||
systemd:
|
||||
name: fail2ban
|
||||
state: restarted
|
||||
# SUPERSEDED — do not use for new work.
|
||||
#
|
||||
# OS security hardening (SSH, UFW, fail2ban, HISTCONTROL) is now owned by
|
||||
# the railiance-hosts repository:
|
||||
#
|
||||
# railiance-hosts/ansible/roles/base/
|
||||
# railiance-hosts/spec/server-baseline.yaml ← authoritative spec
|
||||
# railiance-hosts/goss/baseline.yaml ← automated assertions
|
||||
#
|
||||
# Run `make converge` in railiance-hosts before deploying anything from
|
||||
# this repo. See ADR-002 for the full boundary definition:
|
||||
# railiance-hosts/docs/adr/ADR-002-repo-boundary-hosts-vs-bootstrap.md
|
||||
#
|
||||
# This file is retained to avoid breaking git history references.
|
||||
# It must not be imported or executed.
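Review bot: The tombstone is comment-only, so the rule on the last line of the hunk ("must not be imported or executed") is stated but not enforced: an accidental `ansible-playbook harden.yml`, or a stale `import_playbook` left elsewhere, parses as an empty document and — depending on the Ansible version — either does nothing or stops with a generic "empty playbook" error, neither of which points the operator at railiance-hosts. Keeping the comment block and adding one play whose only task is `ansible.builtin.fail` makes any invocation stop with the ADR-002 pointer in the error text, and keeps the file a valid playbook for any linting that walks ansible/.
```yaml
# … unchanged: SUPERSEDED comment block …
---
- name: harden.yml is superseded by railiance-hosts (ADR-002)
  hosts: all
  gather_facts: false
  tasks:
    - name: Refuse to run the superseded hardening playbook
      ansible.builtin.fail:
        msg: "harden.yml is superseded; run `make converge` in railiance-hosts instead (see ADR-002)."
```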
|
||||
|
|
|
|||