From ba82ec5dff95adf7310760ed1e8d0d45c8603027 Mon Sep 17 00:00:00 2001 From: pycm1k Date: Fri, 22 May 2026 06:43:27 +0400 Subject: [PATCH] 20260522 --- MY/base_util.yml | 47 ++++++++++++++- MY/docker_net.yaml | 8 ++- MY/hosts.yaml | 5 +- MY/install_docker.yaml | 32 +++++++++++ MY/nft_config.yaml | 96 +++++++++++++++++++++++++++++++ MY/templates/nft/nftables.conf.j2 | 71 +++++++++++++++++++++++ 6 files changed, 255 insertions(+), 4 deletions(-) create mode 100644 MY/install_docker.yaml create mode 100644 MY/nft_config.yaml create mode 100644 MY/templates/nft/nftables.conf.j2 diff --git a/MY/base_util.yml b/MY/base_util.yml index 8b5094c..0b83699 100644 --- a/MY/base_util.yml +++ b/MY/base_util.yml 
@@ -1,8 +1,53 @@ --- -- hosts: mts_serv +- hosts: hip + gather_facts: yes # ВАЖНО: собираем факты о системе become: yes tasks: - name: Install base utils apt: name=mc,atop,htop,iotop,mtr-tiny,iperf,iperf3,dnsutils,tcpdump,iftop,byobu,git,nload,bmon state=latest update_cache=yes + + + + + + # 1. Добавление репозитория Zabbix + - name: Добавление репозитория Zabbix + shell: | + wget https://repo.zabbix.com/zabbix/7.0/debian/pool/main/z/zabbix-release/zabbix-release_7.0-1+debian{{ ansible_distribution_major_version }}_all.deb + dpkg -i zabbix-release_7.0-1+debian{{ ansible_distribution_major_version }}_all.deb + apt update + args: + warn: no + when: ansible_distribution == "Debian" + + - name: Добавление репозитория Zabbix для Ubuntu + shell: | + wget https://repo.zabbix.com/zabbix/7.0/ubuntu/pool/main/z/zabbix-release/zabbix-release_7.0-1+ubuntu{{ ansible_distribution_major_version }}_all.deb + dpkg -i zabbix-release_7.0-1+ubuntu{{ ansible_distribution_major_version }}_all.deb + apt update + args: + warn: no + when: ansible_distribution == "Ubuntu" + + # 2. Установка Zabbix Agent 2 + - name: Установка Zabbix Agent 2 + apt: + name: zabbix-agent2 + state: present + update_cache: yes + + # 3. Настройка конфигурации (добавление сети 11.200.0.0/24) + - name: Добавление доверенной сети в конфиг + lineinfile: + path: /etc/zabbix/zabbix_agent2.conf + regexp: "^Server=" + line: "Server=127.0.0.1,11.200.0.0/24" + + # 4. Запуск сервиса + - name: Запуск Zabbix Agent 2 + systemd: + name: zabbix-agent2 + state: restarted + enabled: yes diff --git a/MY/docker_net.yaml b/MY/docker_net.yaml index 17a38d5..c9bf699 100644 --- a/MY/docker_net.yaml +++ b/MY/docker_net.yaml @@ -1,9 +1,15 @@ --- -- hosts: ztv +- hosts: hip #become: yes tasks: + - name: Install Docker SDK for Python via apt + ansible.builtin.apt: + name: python3-docker + state: present + become: yes + - name: Create a network with custom IPAM config community.docker.docker_network: name: overlay_net 
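Review bot: The Zabbix repository package is fetched with `wget` and installed with `dpkg -i` without any checksum or signature verification, so a compromised mirror or an on-path attacker who can serve a different .deb gets its maintainer scripts run as root on every host in `hip`; TLS to repo.zabbix.com does not pin the file contents. Replace each `shell` block with `ansible.builtin.get_url` carrying `checksum: sha256:<digest published for that release>` followed by `ansible.builtin.apt` with `deb:` pointing at the downloaded file, which also makes the step idempotent (today it re-downloads and re-runs `apt update` on every play). The `args: warn: no` option was removed in ansible-core 2.14, so on a current controller both tasks fail before anything runs. `11.200.0.0/24` in the `Server=` line is not RFC 1918 space; if that is the intended overlay subnet this is fine, but if private addressing was meant the agent will accept passive checks from a publicly routable range.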
diff --git a/MY/hosts.yaml b/MY/hosts.yaml index fdcd3f2..ab58a39 100644 --- a/MY/hosts.yaml +++ b/MY/hosts.yaml @@ -9,9 +9,10 @@ all_servers: docker_overlay_net_subnet: 11.100.0.0/24 docker_overlay_net_gateway: 11.100.0.254 docker_overlay_net_iprange: 11.100.0.128/25 - ztv: + hip: hosts: - ztv.rgk.fm + #france# 83.171.226.120 + 93.177.116.129 vars: ansible_user: pycm1k docker_overlay_net_subnet: 11.101.0.0/24 diff --git a/MY/install_docker.yaml b/MY/install_docker.yaml new file mode 100644 index 0000000..eba284e --- /dev/null +++ b/MY/install_docker.yaml @@ -0,0 +1,32 @@ +- name: Install Docker and Compose using official script (recommended) + hosts: hip + become: true + + tasks: + - name: Download and run Docker installation script + ansible.builtin.shell: | + curl -fsSL https://get.docker.com -o /tmp/get-docker.sh + sh /tmp/get-docker.sh + args: + creates: /usr/bin/docker + register: install_result + + - name: Show installation output + ansible.builtin.debug: + msg: "{{ install_result.stdout_lines }}" + + - name: Add current user to docker group + ansible.builtin.user: + name: "{{ ansible_user }}" + groups: docker + append: true + when: ansible_user != 'root' + + - name: Verify Docker Compose V2 installation + ansible.builtin.command: docker compose version + register: compose_version + changed_when: false + + - name: Show Compose version + ansible.builtin.debug: + msg: "Docker Compose: {{ compose_version.stdout }}" diff --git a/MY/nft_config.yaml b/MY/nft_config.yaml new file mode 100644 index 0000000..51ddf86 --- /dev/null +++ b/MY/nft_config.yaml 
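Review bot: `install_docker.yaml` downloads get.docker.com and runs it with `sh` as root without pinning a version or verifying the script, so whatever that endpoint serves at play time is executed on every host; Docker's own documentation marks this script as not recommended for production. Prefer the signed apt repository (`ansible.builtin.deb822_repository` with the Docker GPG key as `signed_by`, then `apt` for `docker-ce`, `docker-ce-cli`, `containerd.io` and `docker-compose-plugin`), or at minimum `get_url` with a `checksum:` against a pinned copy of the script. The `creates: /usr/bin/docker` guard only stops the step from re-running; it says nothing about what was run the first time. Adding `{{ ansible_user }}` to the `docker` group is root-equivalent on that host (any member can start a privileged container through the daemon socket); if that is intentional, say so next to the task, e.g. `# docker group membership is root-equivalent; deployment account only`.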
@@ -0,0 +1,96 @@ +--- +- name: Настройка nftables с белым списком портов и VIP адресами + hosts: hip + become: yes + gather_facts: yes + + vars: + # VIP адреса (полный доступ) + vip_addresses: + - "192.168.1.100" + - "10.10.10.50" + - "172.16.0.10" + + # Белый список TCP портов + white_list_tcp_ports: + - 35130 # SSH + - 80 # HTTP + - 443 # HTTPS + - 5432 # PostgreSQL + - 8080 # Jenkins/Proxy + - 8443 # Alternative HTTPS + + # Белый список UDP портов + white_list_udp_ports: + - 53 # DNS + - 123 # NTP + - 1194 # OpenVPN + + # Дополнительные настройки + enable_ip_forwarding: true + nftables_log_prefix_input: "[nftables-input] Dropped: " + nftables_log_prefix_forward: "[nftables-forward] Blocked non-whitelist port: " + + tasks: + - name: Установка nftables + apt: + name: nftables + state: present + update_cache: yes + + - name: Создание директории для шаблонов (если не существует) + file: + path: /etc/nftables + state: directory + mode: '0755' + + - name: Копирование конфигурации nftables из шаблона + template: + src: templates/nft/nftables.conf.j2 + dest: /etc/nftables.conf + mode: '0644' + backup: yes + notify: restart nftables + + - name: Включение IP forwarding (если нужно) + sysctl: + name: "{{ item }}" + value: '1' + sysctl_set: yes + state: present + reload: yes + loop: + - net.ipv4.ip_forward + - net.ipv6.conf.all.forwarding + when: enable_ip_forwarding + + - name: Убеждаемся что nftables запущен и включен + systemd: + name: nftables + state: started + enabled: yes + + - name: Проверка синтаксиса конфигурации + command: nft -c -f /etc/nftables.conf + register: nft_check + changed_when: false + + - name: Вывод результата проверки + debug: + msg: "✅ Конфигурация nftables валидна" + when: nft_check.rc == 0 + + - name: Применение правил (если не были применены при старте) + command: nft -f /etc/nftables.conf + when: nft_check.rc == 0 + notify: restart nftables + + handlers: + - name: restart nftables + systemd: + name: nftables + state: restarted + + - name: 
validate nftables
+ command: nft -c -f /etc/nftables.conf
+ listen: "restart nftables"
diff --git a/MY/templates/nft/nftables.conf.j2 b/MY/templates/nft/nftables.conf.j2
new file mode 100644
index 0000000..e13d829
--- /dev/null
+++ b/MY/templates/nft/nftables.conf.j2
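Review bot: The `restart nftables` handler fails open: on Debian/Ubuntu nftables.service runs `nft flush ruleset` on stop before `nft -f /etc/nftables.conf` on start, so if the rendered file does not load the host is left with no ruleset at all, and the `validate nftables` handler is defined after it and therefore runs only after the flush. Validate before the file is written by adding `validate: 'nft -c -f %s'` to the template task, and change the handler to `state: reloaded` (ExecReload is a single `nft -f`, which is atomic, so the old ruleset stays in place if the new one is rejected). With that in place the trailing `nft -c` / `nft -f` tasks are redundant, and the unconditional `command: nft -f` reports changed on every run. The whitelist also opens 5432 and 8080 to any source on hosts that hosts.yaml gives public addresses; unless PostgreSQL and the 8080 service bind only to the overlay network, restrict those entries with `ip saddr` to the peers that need them.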
@@ -0,0 +1,71 @@ +#!/usr/sbin/nft -f + +# ========== ПЕРЕМЕННЫЕ ========== +define VIP_ADDRESSES = { +{% for vip in vip_addresses %} + {{ vip }}{% if not loop.last %},{% endif %} +{% endfor %} +} + +define WHITE_LIST_PORTS = { +{% for port in white_list_tcp_ports %} + {{ port }}{% if not loop.last %},{% endif %} +{% endfor %} +} + +define WHITE_LIST_PORTS_UDP = { +{% for port in white_list_udp_ports %} + {{ port }}{% if not loop.last %},{% endif %} +{% endfor %} +} + +flush ruleset + +table inet my-firewall { + # ========== ЦЕПОЧКА ДЛЯ ВХОДЯЩИХ ПАКЕТОВ (INPUT) ========== + chain input { + type filter hook input priority -10; policy drop; + + # Разрешаем уже установленные соединения + ct state established,related accept + + # Разрешаем loopback + iifname "lo" accept + + # Разрешаем ping + icmp type echo-request accept + + # --- VIP-адреса (полный доступ на INPUT) --- + ip saddr $VIP_ADDRESSES accept + + # --- Белый список портов для всех остальных на INPUT --- + tcp dport $WHITE_LIST_PORTS accept + udp dport $WHITE_LIST_PORTS_UDP accept + + # Логируем и дропаем всё остальное + log prefix "{{ nftables_log_prefix_input }}" counter drop + } + + # ========== ЦЕПОЧКА ДЛЯ МАРШРУТИЗАЦИИ (FORWARD) ========== + chain forward { + type filter hook forward priority -10; policy drop; + + # Разрешаем уже установленные соединения + ct state established,related accept + + # --- VIP-адреса (полный доступ ко всем контейнерам) --- + ip saddr $VIP_ADDRESSES accept + + # --- Белый список портов для всех остальных --- + tcp dport $WHITE_LIST_PORTS accept + udp dport $WHITE_LIST_PORTS_UDP accept + + # ВСЁ остальное блокируем + log prefix "{{ nftables_log_prefix_forward }}" counter drop + } + + # ========== ЦЕПОЧКА ДЛЯ ИСХОДЯЩИХ ПАКЕТОВ (OUTPUT) ========== + chain output { + type filter hook output priority -10; policy accept; + } +}
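Review bot: In the `inet` table the input chain accepts only `icmp type echo-request`, so every ICMPv6 message, including neighbor discovery and router advertisements, falls through to the final `log ... drop`, which breaks IPv6 on any host that has an IPv6 address (the playbook even enables `net.ipv6.conf.all.forwarding`). Add `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, echo-request } accept` next to the IPv4 ping rule, and `ct state invalid drop` ahead of the `established,related` accept so malformed segments never reach the port whitelist. `ip saddr $VIP_ADDRESSES accept` grants full access to three RFC 1918 addresses with no interface match; on an internet-facing host such sources may be spoofable, so bind the rule to the tunnel or LAN interface they actually arrive on, e.g. `iifname "wg0" ip saddr $VIP_ADDRESSES accept` with the real interface name. Note also that `flush ruleset` deletes the `ip nat`/`ip filter` tables Docker creates through iptables-nft, so after each reload published ports and container masquerading stop working until dockerd is restarted; flushing only `table inet my-firewall` avoids that.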