🏗️ Add DAARION Infrastructure Stack

- Terraform + Ansible + K3s + Vault + Consul + Observability - Decentralized network architecture (own datacenters) - Complete Ansible playbooks: - bootstrap.yml: OS setup, packages, SSH - hardening.yml: Security (UFW, fail2ban, auditd, Trivy) - k3s-install.yml: Lightweight Kubernetes cluster - Production inventory with NODE1, NODE3 - Group variables for all nodes - Security check cron script - Multi-DC ready with Consul support
2026-01-10 05:31:51 -08:00
parent 02cfd90b6f
commit 12545a7c76
11 changed files with 1799 additions and 633 deletions
--- a/infrastructure/ansible/inventory/group_vars/all.yml
+++ b/infrastructure/ansible/inventory/group_vars/all.yml
@@ -0,0 +1,93 @@
+# DAARION Network - Global Variables
+# These variables apply to all hosts
+
+# =============================================================================
+# SECURITY
+# =============================================================================
+security_packages:
+  - fail2ban
+  - ufw
+  - auditd
+  - rkhunter
+  - unattended-upgrades
+  - ca-certificates
+
+# Firewall - allowed ports (in addition to SSH)
+firewall_allowed_tcp_ports:
+  - 6443   # K3s API
+  - 10250  # Kubelet
+  - 8200   # Vault
+  - 8500   # Consul HTTP
+  - 8600   # Consul DNS
+  - 9090   # Prometheus
+  - 3000   # Grafana
+  - 5432   # PostgreSQL
+
+firewall_allowed_outgoing:
+  - { port: 53, proto: udp }    # DNS
+  - { port: 80, proto: tcp }    # HTTP
+  - { port: 443, proto: tcp }   # HTTPS
+  - { port: 123, proto: udp }   # NTP
+
+# Blocked networks (internal/private)
+firewall_blocked_networks:
+  - 10.0.0.0/8
+  - 172.16.0.0/12
+
+# =============================================================================
+# DOCKER
+# =============================================================================
+docker_users:
+  - "{{ ansible_user }}"
+
+docker_daemon_options:
+  storage-driver: "overlay2"
+  log-driver: "json-file"
+  log-opts:
+    max-size: "100m"
+    max-file: "3"
+
+# =============================================================================
+# K3S / KUBERNETES
+# =============================================================================
+k3s_version: "v1.29.0+k3s1"
+k3s_disable:
+  - traefik
+  - servicelb
+
+# =============================================================================
+# VAULT
+# =============================================================================
+vault_version: "1.15.4"
+vault_addr: "http://node1:8200"
+vault_data_dir: "/opt/vault/data"
+
+# =============================================================================
+# CONSUL
+# =============================================================================
+consul_version: "1.17.1"
+consul_data_dir: "/opt/consul/data"
+consul_enable_connect: true
+
+# =============================================================================
+# OBSERVABILITY
+# =============================================================================
+prometheus_retention: "30d"
+prometheus_storage_size: "50Gi"
+loki_retention: "168h"  # 7 days
+tempo_retention: "168h"  # 7 days
+
+# =============================================================================
+# POSTGRESQL
+# =============================================================================
+postgres_image: "postgres@sha256:23e88eb049fd5d54894d70100df61d38a49ed97909263f79d4ff4c30a5d5fca2"
+postgres_user: "daarion"
+postgres_db: "daarion_main"
+
+# =============================================================================
+# PATHS
+# =============================================================================
+scripts_dir: "/opt/scripts"
+config_dir: "/opt/config"
+logs_dir: "/var/log/daarion"
+backup_dir: "/opt/backups"