🏗️ Add DAARION Infrastructure Stack

- Terraform + Ansible + K3s + Vault + Consul + Observability - Decentralized network architecture (own datacenters) - Complete Ansible playbooks: - bootstrap.yml: OS setup, packages, SSH - hardening.yml: Security (UFW, fail2ban, auditd, Trivy) - k3s-install.yml: Lightweight Kubernetes cluster - Production inventory with NODE1, NODE3 - Group variables for all nodes - Security check cron script - Multi-DC ready with Consul support
2026-01-10 05:31:51 -08:00
parent 02cfd90b6f
commit 12545a7c76
11 changed files with 1799 additions and 633 deletions
--- a/infrastructure/ansible/playbooks/bootstrap.yml
+++ b/infrastructure/ansible/playbooks/bootstrap.yml
@@ -0,0 +1,143 @@
+# DAARION Network - Bootstrap Playbook
+# Initial setup for all nodes: packages, SSH, hostname, etc.
+---
+- name: Bootstrap all nodes
+  hosts: all
+  become: yes
+  
+  vars:
+    common_packages:
+      - curl
+      - wget
+      - git
+      - htop
+      - vim
+      - jq
+      - unzip
+      - ca-certificates
+      - gnupg
+      - lsb-release
+      - net-tools
+      - dnsutils
+      - bc
+      
+  tasks:
+    # =========================================================================
+    # BASIC SETUP
+    # =========================================================================
+    - name: Set timezone
+      timezone:
+        name: "{{ timezone }}"
+        
+    - name: Set hostname
+      hostname:
+        name: "{{ inventory_hostname }}"
+        
+    - name: Update /etc/hosts with all nodes
+      lineinfile:
+        path: /etc/hosts
+        line: "{{ hostvars[item].ansible_host }} {{ item }}"
+        state: present
+      loop: "{{ groups['all'] }}"
+      when: 
+        - hostvars[item].ansible_host is defined
+        - hostvars[item].ansible_host != 'localhost'
+        
+    # =========================================================================
+    # PACKAGES
+    # =========================================================================
+    - name: Update apt cache
+      apt:
+        update_cache: yes
+        cache_valid_time: 3600
+      when: ansible_os_family == "Debian"
+      
+    - name: Upgrade all packages
+      apt:
+        upgrade: safe
+      when: ansible_os_family == "Debian"
+      
+    - name: Install common packages
+      apt:
+        name: "{{ common_packages }}"
+        state: present
+      when: ansible_os_family == "Debian"
+        
+    # =========================================================================
+    # USERS & SSH
+    # =========================================================================
+    - name: Create admin group
+      group:
+        name: daarion-admin
+        state: present
+        
+    - name: Create directories
+      file:
+        path: "{{ item }}"
+        state: directory
+        mode: '0755'
+      loop:
+        - "{{ scripts_dir }}"
+        - "{{ config_dir }}"
+        - "{{ logs_dir }}"
+        - "{{ backup_dir }}"
+        
+    # =========================================================================
+    # SSH HARDENING
+    # =========================================================================
+    - name: Disable root login via SSH (workers only)
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?PermitRootLogin'
+        line: 'PermitRootLogin prohibit-password'
+      notify: restart sshd
+      when: "'workers' in group_names"
+      
+    - name: Set SSH MaxAuthTries
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?MaxAuthTries'
+        line: 'MaxAuthTries 3'
+      notify: restart sshd
+      
+    - name: Set SSH ClientAliveInterval
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?ClientAliveInterval'
+        line: 'ClientAliveInterval 300'
+      notify: restart sshd
+      
+    # =========================================================================
+    # KERNEL PARAMETERS
+    # =========================================================================
+    - name: Set kernel parameters for containers
+      sysctl:
+        name: "{{ item.name }}"
+        value: "{{ item.value }}"
+        state: present
+        reload: yes
+      loop:
+        - { name: 'net.ipv4.ip_forward', value: '1' }
+        - { name: 'net.bridge.bridge-nf-call-iptables', value: '1' }
+        - { name: 'net.bridge.bridge-nf-call-ip6tables', value: '1' }
+        - { name: 'fs.inotify.max_user_watches', value: '524288' }
+        - { name: 'fs.inotify.max_user_instances', value: '512' }
+      ignore_errors: yes  # Some params may not exist on all systems
+      
+    # =========================================================================
+    # VERIFICATION
+    # =========================================================================
+    - name: Verify setup
+      debug:
+        msg: |
+          Node: {{ inventory_hostname }}
+          Host: {{ ansible_host }}
+          Datacenter: {{ datacenter | default('unknown') }}
+          Role: {{ node_role | default('unknown') }}
+          GPU: {{ gpu | default(false) }}
+          
+  handlers:
+    - name: restart sshd
+      service:
+        name: sshd
+        state: restarted