75cff49e85
Implement provider-agnostic infrastructure for local testing and production deployment. Terraform configuration: - Local environment: libvirt provider (KVM/QEMU on Debian 13) - Production environment: OVH provider (cloud infrastructure) - Network and VM provisioning - SSH key management - State management (local and S3 backends) Ansible playbooks: - VM provisioning (OS hardening, Docker, Cloudron) - Security configuration (UFW, fail2ban) - Application setup - Monitoring (node exporter) Inventory management: - Local VMs for testing - Production instances - Dynamic inventory support Provider abstraction: - Same Terraform modules work for both providers - Same Ansible playbooks work for all environments - Easy swap between local testing and production 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>
197 lines
4.4 KiB
YAML
197 lines
4.4 KiB
YAML
---
|
|
# Ansible playbook for post-VM configuration
|
|
# Works on both local KVM/QEMU VMs and production OVH instances
|
|
|
|
- name: Configure YDN VPS
|
|
hosts: all
|
|
become: yes
|
|
gather_facts: yes
|
|
|
|
vars:
|
|
app_user: "ydn"
|
|
app_dir: "/opt/ydn"
|
|
docker_compose_version: "2.23.0"
|
|
cloudron_domain: "{{ ansible_default_ipv4.address }}.nip.io"
|
|
|
|
handlers:
|
|
- name: Restart Docker
|
|
service:
|
|
name: docker
|
|
state: restarted
|
|
|
|
- name: Restart Nginx
|
|
service:
|
|
name: nginx
|
|
state: restarted
|
|
|
|
tasks:
|
|
# System Hardening
|
|
- name: Update system packages
|
|
apt:
|
|
update_cache: yes
|
|
upgrade: dist
|
|
cache_valid_time: 3600
|
|
|
|
- name: Install system dependencies
|
|
apt:
|
|
name:
|
|
- curl
|
|
- wget
|
|
- git
|
|
- vim
|
|
- ufw
|
|
- fail2ban
|
|
- htop
|
|
- python3-pip
|
|
state: present
|
|
|
|
- name: Configure firewall
|
|
ufw:
|
|
rule: allow
|
|
name: OpenSSH
|
|
state: enabled
|
|
|
|
- name: Allow HTTP/HTTPS
|
|
ufw:
|
|
rule: allow
|
|
port: "{{ item }}"
|
|
proto: tcp
|
|
loop:
|
|
- "80"
|
|
- "443"
|
|
- "8080"
|
|
|
|
- name: Set timezone to UTC
|
|
timezone:
|
|
name: UTC
|
|
|
|
# User Management
|
|
- name: Create application user
|
|
user:
|
|
name: "{{ app_user }}"
|
|
shell: /bin/bash
|
|
home: "/home/{{ app_user }}"
|
|
create_home: yes
|
|
|
|
- name: Add sudo privileges for app user
|
|
lineinfile:
|
|
path: /etc/sudoers.d/{{ app_user }}
|
|
line: "{{ app_user }} ALL=(ALL) NOPASSWD: ALL"
|
|
create: yes
|
|
mode: '0440'
|
|
validate: 'visudo -cf %s'
|
|
|
|
# Docker Installation
|
|
- name: Add Docker GPG key
|
|
apt_key:
|
|
url: https://download.docker.com/linux/debian/gpg
|
|
state: present
|
|
|
|
- name: Add Docker repository
|
|
apt_repository:
|
|
repo: deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable
|
|
state: present
|
|
|
|
- name: Install Docker
|
|
apt:
|
|
name:
|
|
- docker-ce
|
|
- docker-ce-cli
|
|
- containerd.io
|
|
- docker-compose-plugin
|
|
state: present
|
|
update_cache: yes
|
|
notify: Restart Docker
|
|
|
|
- name: Add app user to docker group
|
|
user:
|
|
name: "{{ app_user }}"
|
|
groups: docker
|
|
append: yes
|
|
|
|
- name: Enable and start Docker
|
|
service:
|
|
name: docker
|
|
enabled: yes
|
|
state: started
|
|
|
|
# Docker Compose Installation
|
|
- name: Install Docker Compose
|
|
get_url:
|
|
url: "https://github.com/docker/compose/releases/download/v{{ docker_compose_version }}/docker-compose-linux-x86_64"
|
|
dest: /usr/local/bin/docker-compose
|
|
mode: '0755'
|
|
|
|
# Cloudron Installation
|
|
- name: Check if Cloudron is installed
|
|
stat:
|
|
path: /etc/cloudron/cloudron.conf
|
|
register: cloudron_installed
|
|
|
|
- name: Install Cloudron
|
|
shell: |
|
|
curl -sSL https://get.cloudron.io | bash
|
|
args:
|
|
warn: false
|
|
when: not cloudron_installed.stat.exists
|
|
|
|
# Application Setup
|
|
- name: Create application directory
|
|
file:
|
|
path: "{{ app_dir }}"
|
|
state: directory
|
|
owner: "{{ app_user }}"
|
|
group: "{{ app_user }}"
|
|
mode: '0755'
|
|
|
|
- name: Create logs directory
|
|
file:
|
|
path: /var/log/ydn
|
|
state: directory
|
|
owner: "{{ app_user }}"
|
|
group: "{{ app_user }}"
|
|
mode: '0755'
|
|
|
|
# Security Hardening
|
|
- name: Configure fail2ban
|
|
template:
|
|
src: ../templates/fail2ban.local.j2
|
|
dest: /etc/fail2ban/jail.local
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
notify: Restart fail2ban
|
|
|
|
- name: Enable fail2ban
|
|
service:
|
|
name: fail2ban
|
|
enabled: yes
|
|
state: started
|
|
|
|
# Monitoring Setup
|
|
- name: Install monitoring agents
|
|
apt:
|
|
name:
|
|
- prometheus-node-exporter
|
|
state: present
|
|
|
|
- name: Enable node exporter
|
|
service:
|
|
name: prometheus-node-exporter
|
|
enabled: yes
|
|
state: started
|
|
|
|
# Final Cleanup
|
|
- name: Clean apt cache
|
|
apt:
|
|
autoclean: yes
|
|
autoremove: yes
|
|
|
|
- name: Display completion message
|
|
debug:
|
|
msg: |
|
|
VPS configuration complete!
|
|
IP Address: {{ ansible_default_ipv4.address }}
|
|
SSH User: {{ app_user }}
|
|
Docker Version: {{ docker_version.stdout }}
|