pycm1k/ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

20260522

Browse Source
This commit is contained in:
pycm1k 2026-05-22 06:43:27 +04:00
parent af70a6a354
commit ba82ec5dff
6 changed files with 255 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
MY/base_util.yml
View File

@ -1,8 +1,53 @@
--- ---
- hosts: mts_serv - hosts: hip
gather_facts: yes # ВАЖНО: собираем факты о системе
become: yes become: yes
tasks: tasks:
- name: Install base utils - name: Install base utils
apt: name=mc,atop,htop,iotop,mtr-tiny,iperf,iperf3,dnsutils,tcpdump,iftop,byobu,git,nload,bmon state=latest update_cache=yes apt: name=mc,atop,htop,iotop,mtr-tiny,iperf,iperf3,dnsutils,tcpdump,iftop,byobu,git,nload,bmon state=latest update_cache=yes
# 1. Добавление репозитория Zabbix
- name: Добавление репозитория Zabbix
shell: |
wget https://repo.zabbix.com/zabbix/7.0/debian/pool/main/z/zabbix-release/zabbix-release_7.0-1+debian{{ ansible_distribution_major_version }}_all.deb
dpkg -i zabbix-release_7.0-1+debian{{ ansible_distribution_major_version }}_all.deb
apt update
args:
warn: no
when: ansible_distribution == "Debian"
- name: Добавление репозитория Zabbix для Ubuntu
shell: |
wget https://repo.zabbix.com/zabbix/7.0/ubuntu/pool/main/z/zabbix-release/zabbix-release_7.0-1+ubuntu{{ ansible_distribution_major_version }}_all.deb
dpkg -i zabbix-release_7.0-1+ubuntu{{ ansible_distribution_major_version }}_all.deb
apt update
args:
warn: no
when: ansible_distribution == "Ubuntu"
# 2. Установка Zabbix Agent 2
- name: Установка Zabbix Agent 2
apt:
name: zabbix-agent2
state: present
update_cache: yes
# 3. Настройка конфигурации (добавление сети 11.200.0.0/24)
- name: Добавление доверенной сети в конфиг
lineinfile:
path: /etc/zabbix/zabbix_agent2.conf
regexp: "^Server="
line: "Server=127.0.0.1,11.200.0.0/24"
# 4. Запуск сервиса
- name: Запуск Zabbix Agent 2
systemd:
name: zabbix-agent2
state: restarted
enabled: yes

8
MY/docker_net.yaml
View File

@ -1,9 +1,15 @@
--- ---
- hosts: ztv - hosts: hip
#become: yes #become: yes
tasks: tasks:
- name: Install Docker SDK for Python via apt
ansible.builtin.apt:
name: python3-docker
state: present
become: yes
- name: Create a network with custom IPAM config - name: Create a network with custom IPAM config
community.docker.docker_network: community.docker.docker_network:
name: overlay_net name: overlay_net

5
MY/hosts.yaml
View File

@ -9,9 +9,10 @@ all_servers:
docker_overlay_net_subnet: 11.100.0.0/24 docker_overlay_net_subnet: 11.100.0.0/24
docker_overlay_net_gateway: 11.100.0.254 docker_overlay_net_gateway: 11.100.0.254
docker_overlay_net_iprange: 11.100.0.128/25 docker_overlay_net_iprange: 11.100.0.128/25
ztv: hip:
hosts: hosts:
ztv.rgk.fm #france# 83.171.226.120
93.177.116.129
vars: vars:
ansible_user: pycm1k ansible_user: pycm1k
docker_overlay_net_subnet: 11.101.0.0/24 docker_overlay_net_subnet: 11.101.0.0/24

32
MY/install_docker.yaml Normal file
View File

@ -0,0 +1,32 @@
- name: Install Docker and Compose using official script (recommended)
hosts: hip
become: true
tasks:
- name: Download and run Docker installation script
ansible.builtin.shell: |
curl -fsSL https://get.docker.com -o /tmp/get-docker.sh
sh /tmp/get-docker.sh
args:
creates: /usr/bin/docker
register: install_result
- name: Show installation output
ansible.builtin.debug:
msg: "{{ install_result.stdout_lines }}"
- name: Add current user to docker group
ansible.builtin.user:
name: "{{ ansible_user }}"
groups: docker
append: true
when: ansible_user != 'root'
- name: Verify Docker Compose V2 installation
ansible.builtin.command: docker compose version
register: compose_version
changed_when: false
- name: Show Compose version
ansible.builtin.debug:
msg: "Docker Compose: {{ compose_version.stdout }}"

96
MY/nft_config.yaml Normal file
View File

@ -0,0 +1,96 @@
---
- name: Настройка nftables с белым списком портов и VIP адресами
hosts: hip
become: yes
gather_facts: yes
vars:
# VIP адреса (полный доступ)
vip_addresses:
- "192.168.1.100"
- "10.10.10.50"
- "172.16.0.10"
# Белый список TCP портов
white_list_tcp_ports:
- 35130 # SSH
- 80 # HTTP
- 443 # HTTPS
- 5432 # PostgreSQL
- 8080 # Jenkins/Proxy
- 8443 # Alternative HTTPS
# Белый список UDP портов
white_list_udp_ports:
- 53 # DNS
- 123 # NTP
- 1194 # OpenVPN
# Дополнительные настройки
enable_ip_forwarding: true
nftables_log_prefix_input: "[nftables-input] Dropped: "
nftables_log_prefix_forward: "[nftables-forward] Blocked non-whitelist port: "
tasks:
- name: Установка nftables
apt:
name: nftables
state: present
update_cache: yes
- name: Создание директории для шаблонов (если не существует)
file:
path: /etc/nftables
state: directory
mode: '0755'
- name: Копирование конфигурации nftables из шаблона
template:
src: templates/nft/nftables.conf.j2
dest: /etc/nftables.conf
mode: '0644'
backup: yes
notify: restart nftables
- name: Включение IP forwarding (если нужно)
sysctl:
name: "{{ item }}"
value: '1'
sysctl_set: yes
state: present
reload: yes
loop:
- net.ipv4.ip_forward
- net.ipv6.conf.all.forwarding
when: enable_ip_forwarding
- name: Убеждаемся что nftables запущен и включен
systemd:
name: nftables
state: started
enabled: yes
- name: Проверка синтаксиса конфигурации
command: nft -c -f /etc/nftables.conf
register: nft_check
changed_when: false
- name: Вывод результата проверки
debug:
msg: "✅ Конфигурация nftables валидна"
when: nft_check.rc == 0
- name: Применение правил (если не были применены при старте)
command: nft -f /etc/nftables.conf
when: nft_check.rc == 0
notify: restart nftables
handlers:
- name: restart nftables
systemd:
name: nftables
state: restarted
- name: validate nftables
command: nft -c -f /etc/nftables.conf
listen: "restart nftables"

71
MY/templates/nft/nftables.conf.j2 Normal file
View File

@ -0,0 +1,71 @@
#!/usr/sbin/nft -f
# ========== ПЕРЕМЕННЫЕ ==========
define VIP_ADDRESSES = {
{% for vip in vip_addresses %}
{{ vip }}{% if not loop.last %},{% endif %}
{% endfor %}
}
define WHITE_LIST_PORTS = {
{% for port in white_list_tcp_ports %}
{{ port }}{% if not loop.last %},{% endif %}
{% endfor %}
}
define WHITE_LIST_PORTS_UDP = {
{% for port in white_list_udp_ports %}
{{ port }}{% if not loop.last %},{% endif %}
{% endfor %}
}
flush ruleset
table inet my-firewall {
# ========== ЦЕПОЧКА ДЛЯ ВХОДЯЩИХ ПАКЕТОВ (INPUT) ==========
chain input {
type filter hook input priority -10; policy drop;
# Разрешаем уже установленные соединения
ct state established,related accept
# Разрешаем loopback
iifname "lo" accept
# Разрешаем ping
icmp type echo-request accept
# --- VIP-адреса (полный доступ на INPUT) ---
ip saddr $VIP_ADDRESSES accept
# --- Белый список портов для всех остальных на INPUT ---
tcp dport $WHITE_LIST_PORTS accept
udp dport $WHITE_LIST_PORTS_UDP accept
# Логируем и дропаем всё остальное
log prefix "{{ nftables_log_prefix_input }}" counter drop
}
# ========== ЦЕПОЧКА ДЛЯ МАРШРУТИЗАЦИИ (FORWARD) ==========
chain forward {
type filter hook forward priority -10; policy drop;
# Разрешаем уже установленные соединения
ct state established,related accept
# --- VIP-адреса (полный доступ ко всем контейнерам) ---
ip saddr $VIP_ADDRESSES accept
# --- Белый список портов для всех остальных ---
tcp dport $WHITE_LIST_PORTS accept
udp dport $WHITE_LIST_PORTS_UDP accept
# ВСЁ остальное блокируем
log prefix "{{ nftables_log_prefix_forward }}" counter drop
}
# ========== ЦЕПОЧКА ДЛЯ ИСХОДЯЩИХ ПАКЕТОВ (OUTPUT) ==========
chain output {
type filter hook output priority -10; policy accept;
}
}