map

ansible/ansible.cfg

@@ -0,0 +1,3 @@
+[defaults]
+interpreter_python = auto_silent
+host_key_checking = False

ansible/inventory.ini

@@ -0,0 +1,12 @@
+[linux]
+general      ansible_host=100.120.57.49 ansible_port=54321
+k3s1         ansible_host=100.117.166.126 ansible_port=54321
+k3s2         ansible_host=100.64.200.58 ansible_port=54321
+k3s3         ansible_host=100.83.32.18 ansible_port=54321
+loadbalancer ansible_host=100.75.102.81 ansible_port=54321
+nl           ansible_host=100.92.32.17 ansible_port=54321
+pve          ansible_host=100.102.23.33
+storage01    ansible_host=100.92.109.78
+ovh          ansible_host=p.h-y.st
+uk           ansible_host=100.122.107.18 ansible_port=54321
+us           ansible_host=100.126.105.9 ansible_port=54321

ansible/mount.sh

@@ -0,0 +1,4 @@
+ansible-playbook -i inventory.ini ssh.yml --vault-password-file ~/.vault_pass.txt
+ansible-playbook -i inventory.ini update.yml --vault-password-file ~/.vault_pass.txt
+ansible-playbook -i inventory.ini fail2ban.yml --vault-password-file ~/.vault_pass.txt
+ansible-playbook -i inventory.ini smb.yml --vault-password-file ~/.vault_pass.txt

ansible/ssh.yml

@@ -0,0 +1,108 @@
+---
+- name: Phase 1 - Bootstrap SSH Keys and Packages
+  hosts: linux
+  remote_user: root
+  vars_files:
+    - vault.yml
+  tasks:
+    - name: Ensure .ssh directory exists
+      file:
+        path: /root/.ssh
+        state: directory
+        mode: '0700'
+
+    - name: Deploy SSH Identity (Private and Public Keys)
+      copy:
+        dest: "/root/.ssh/{{ item.file }}"
+        content: "{{ item.content }}"
+        mode: "{{ item.mode }}"
+      loop:
+        - { file: 'id_ed25519', content: "{{ my_private_key }}", mode: '0400' }
+        - { file: 'id_ed25519.pub', content: "{{ my_public_key }}", mode: '0644' }
+      when: my_private_key is defined
+
+    - name: Authorize Public Key for Root
+      authorized_key:
+        user: root
+        key: "{{ my_public_key }}"
+      when: my_public_key is defined
+
+    - name: Configure Passwordless Sudo for Zeshan
+      copy:
+        dest: /etc/sudoers.d/zeshan
+        content: "zeshan ALL=(ALL) NOPASSWD: ALL"
+        mode: '0440'
+
+- name: Phase 2 - Secure SSH Port
+  hosts: linux
+  become: yes
+  vars:
+    new_ssh_port: 54321
+  tasks:
+    - name: Handle SELinux for custom SSH port (RHEL)
+      block:
+        - name: Install SELinux management tools
+          package:
+            name: policycoreutils-python-utils
+            state: present
+        - name: Allow SSH on custom port in SELinux
+          seport:
+            ports: "{{ new_ssh_port }}"
+            proto: tcp
+            setype: ssh_port_t
+            state: present
+      when: ansible_os_family == 'RedHat'
+
+    - name: Configure SSH Port in sshd_config
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?Port\s+'
+        line: "Port {{ new_ssh_port }}"
+      notify: Restart SSH
+
+    - name: Handle Systemd Socket Activation (Debian/Ubuntu)
+      block:
+        - name: Check if SSH socket exists
+          stat:
+            path: /lib/systemd/system/ssh.socket
+          register: ssh_socket_file
+
+        - name: Create socket override directory
+          file:
+            path: /etc/systemd/system/ssh.socket.d
+            state: directory
+          when: ssh_socket_file.stat.exists
+
+        - name: Set Port in Systemd Socket Override
+          copy:
+            dest: /etc/systemd/system/ssh.socket.d/addresses.conf
+            content: |
+              [Socket]
+              ListenStream=
+              ListenStream={{ new_ssh_port }}
+          when: ssh_socket_file.stat.exists
+          notify: 
+            - Reload Systemd
+            - Stop SSH Service
+            - Restart SSH Socket
+
+  handlers:
+    - name: Reload Systemd
+      systemd:
+        daemon_reload: yes
+
+    - name: Stop SSH Service
+      service:
+        name: ssh
+        state: stopped
+      when: ansible_os_family == 'Debian'
+
+    - name: Restart SSH Socket
+      service:
+        name: ssh.socket
+        state: restarted
+
+    - name: Restart SSH
+      service:
+        name: "{{ (ansible_os_family == 'Debian') | ternary('ssh', 'sshd') }}"
+        state: restarted

ansible/update.yml

@@ -0,0 +1,65 @@
+---
+- name: Universal Linux System Maintenance
+  hosts: linux
+  remote_user: root
+  # Gather facts once at the start to determine OS family
+  gather_facts: yes
+
+  tasks:
+    # --- DEBIAN / UBUNTU / PROXMOX ---
+    - name: Debian-based Maintenance
+      when: ansible_os_family == "Debian"
+      block:
+        - name: Update apt cache and upgrade all packages
+          apt:
+            upgrade: dist
+            update_cache: yes
+            cache_valid_time: 3600
+
+        - name: Install baseline toolset (Debian)
+          apt:
+            name:
+              - htop
+              - make
+              - git
+              - curl
+              - samba
+              - fail2ban
+              - sshpass
+              - sudo
+            state: present
+
+        - name: Remove obsolete packages and kernels
+          apt:
+            autoremove: yes
+            autoclean: yes
+
+    # --- RHEL / ALMALINUX / ROCKY ---
+    - name: RedHat-based Maintenance
+      when: ansible_os_family == "RedHat"
+      block:
+        - name: Upgrade all packages (DNF)
+          dnf:
+            name: "*"
+            state: latest
+            update_cache: yes
+
+        - name: Install baseline toolset (RHEL)
+          dnf:
+            name: [htop, make, nano, git, curl, fail2ban, samba, sshpass]
+            state: present
+
+        - name: Clean DNF metadata and cache
+          command: dnf clean all
+          changed_when: false
+
+    # --- FINAL CHECK ---
+    - name: Check if reboot is required
+      stat:
+        path: /var/run/reboot-required
+      register: reboot_required_file
+
+    - name: Notify if reboot is needed
+      debug:
+        msg: "Host {{ inventory_hostname }} requires a reboot to apply updates."
+      when: reboot_required_file.stat.exists

ansible/vault.yml

@@ -0,0 +1,50 @@
+$ANSIBLE_VAULT;1.1;AES256
+64376334353039653233386464663633646238333537623265623334633061633337353161376638
+6532373239376635333664653866343239393062316439650a353063653131363166353931333237
+66646661393663376263323565626331353137323330343664633230373732616566353231623631
+6263376364633036630a393839306239383066623436356235393263373438623630396139326536
+32636630336136646636623932383337386331616230663063366337303836633065346239616261
+32333439363664306235366366346238653735383231393530633833323131333937663065353738
+34666135656366313633373839376138396566653132353637616261343264366436326337373130
+30323435613438363432393431313666653063323333633338626265313531356164633764343837
+34363466616462626436633939303538333531336537393131306136336663636538303739343030
+63393930343530626363666364626537636231343334393132386537386537356237396634323234
+34366464313864636639623037613666326430376239386439646665333966653938613465366565
+35616462333762386532616634656534616365643030653335353132636462633666363639353738
+31636435623333656262323565383161316164363239643531616162623865666266616639366365
+36376634386535333765383366323939386133633230373539343936376239646465373266313635
+31303266353732616533663433626635383962626566396233323265316437326238326131336538
+30623365633765383138306537303266336436386631396435663366626531656230336565376630
+32303933343131346161633437363738363336336666666264653532316334633833653134383738
+32373730343833376334376439376166376666356265366565306562303539333061633061353861
+62353533326238313961613864346432313937356430373134626265366638393036373930326364
+34323630313964396165393761613764643633643738353838626238636433366134613333633565
+65346635356538386164303034323332303736353038656364373435343037336536363439393733
+39333833623033393062346261376666643236663132343265613438313639326532383132636338
+36623463383935306164656435383938376138323637653964306364313534306564363562633130
+39386236373333643165363231306132663036373232653236316230356533373338363636306639
+39313130626337353663633465643030363466356238626364363132353033366237353834376564
+65346638383538313861343163653435633734343230313737623136373832323537616438633130
+62623536343935333539646537383930633339316535343364623230353861336239373535633136
+64366231656238633233333834663831366538653837613137643163613330333538373362343733
+62373839396666366266646435336561643031393763396366646262666165616130656437396238
+64666236623534353536356562616132646561623165346265326231363963323365393336316565
+66363963346164623962393463646130323138613132383436396562613137343034303634323237
+36326364333731633233393265306462303038383762356233346266663363653034623164353236
+31656339353264316337633166383734343335303331376261626531366165326239363836316566
+36666466653230393137316234306363356433613964393065313563303062363065393232613265
+34333764336434373361326462643739363361376231623265323564653963313337616363353936
+32313934343037333836653235653761623133373635626433313935613734653336376633653933
+65353063323431646437643032383835613865343130336366646338663430346336396163396538
+30386339663930666539346666303664663836353435666164346635383237343431633730616336
+34636539343466346433373138323664653561343532383536313738633831613931383635323434
+30316136383434346437633562383934353764366537646566646239653136623163393130326538
+37393439383232363266646564623134323439353834353139303066633539363738303932623436
+36373439363961613337666532633933336566386330353534306363313436333763333465373861
+33386537346462656430373363303235663565313538353732303064363365343734626237393830
+30316362333738636237393733313234336536643338626134613065363862643962333836663639
+37343637326538363635343032353936333938666430346633323966653438636265356532313066
+37336131396138636438383163613933353130623837346561386638366562343862376266323833
+37316231346532623934303962633365656433663661333062303033656133336563356435333164
+34653735303865396330653931336362353334373935653566326166623863616461616635636231
+3239