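# DAARION Network - Bootstrap Playbook
# Initial setup for all nodes: packages, SSH, hostname, etc.
#
# Variables expected from inventory / group_vars (not defined in this play):
#   timezone, scripts_dir, config_dir, logs_dir, backup_dir
#   datacenter, node_role, gpu (optional, only used by the final debug task)
---
- name: Bootstrap all nodes
  hosts: all
  become: true
  vars:
    # Baseline tooling installed on every node (Debian-family only, see below).
    common_packages:
      - curl
      - wget
      - git
      - htop
      - vim
      - jq
      - unzip
      - ca-certificates
      - gnupg
      - lsb-release
      - net-tools
      - dnsutils
      - bc

  tasks:
    # =========================================================================
    # BASIC SETUP
    # =========================================================================
    - name: Set timezone
      timezone:
        name: "{{ timezone }}"

    - name: Set hostname
      hostname:
        name: "{{ inventory_hostname }}"

    # One "<ansible_host> <inventory_hostname>" line per node. The regexp keeps
    # the task idempotent when a node's address changes: the existing line for
    # that hostname is replaced instead of a second one being appended.
    - name: Update /etc/hosts with all nodes
      lineinfile:
        path: /etc/hosts
        regexp: '^\S+\s+{{ item }}\s*$'
        line: "{{ hostvars[item].ansible_host }} {{ item }}"
        state: present
      loop: "{{ groups['all'] }}"
      when:
        - hostvars[item].ansible_host is defined
        - hostvars[item].ansible_host != 'localhost'

    # =========================================================================
    # PACKAGES
    # =========================================================================
    - name: Update apt cache
      apt:
        update_cache: true
        cache_valid_time: 3600
      when: ansible_os_family == "Debian"

    - name: Upgrade all packages
      apt:
        upgrade: safe
      when: ansible_os_family == "Debian"

    - name: Install common packages
      apt:
        name: "{{ common_packages }}"
        state: present
      when: ansible_os_family == "Debian"

    # =========================================================================
    # USERS & SSH
    # =========================================================================
    - name: Create admin group
      group:
        name: daarion-admin
        state: present

    - name: Create directories
      file:
        path: "{{ item }}"
        state: directory
        mode: '0755'
      loop:
        - "{{ scripts_dir }}"
        - "{{ config_dir }}"
        - "{{ logs_dir }}"
        - "{{ backup_dir }}"

    # =========================================================================
    # SSH HARDENING
    # =========================================================================
    # Every sshd_config edit is validated with `sshd -t` against the temporary
    # file before it is written, so a malformed line can never reach the
    # "restart sshd" handler and lock operators out of the node.
    #
    # NOTE(review): PermitRootLogin is only tightened on the 'workers' group;
    # other hosts keep whatever their sshd_config currently says - confirm that
    # is intended.
    - name: Disable root login via SSH (workers only)
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin prohibit-password'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
      when: "'workers' in group_names"

    - name: Set SSH MaxAuthTries
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?MaxAuthTries'
        line: 'MaxAuthTries 3'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd

    - name: Set SSH ClientAliveInterval
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?ClientAliveInterval'
        line: 'ClientAliveInterval 300'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd

    # =========================================================================
    # KERNEL PARAMETERS
    # =========================================================================
    # Best-effort: the bridge-nf-call keys only exist once the br_netfilter
    # module is loaded, so a missing key is tolerated rather than failing the
    # whole play. Any genuine sysctl failure is swallowed too - check the task
    # output on new hosts.
    - name: Set kernel parameters for containers
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        state: present
        reload: true
      loop:
        - { name: 'net.ipv4.ip_forward', value: '1' }
        - { name: 'net.bridge.bridge-nf-call-iptables', value: '1' }
        - { name: 'net.bridge.bridge-nf-call-ip6tables', value: '1' }
        - { name: 'fs.inotify.max_user_watches', value: '524288' }
        - { name: 'fs.inotify.max_user_instances', value: '512' }
      ignore_errors: true  # Some params may not exist on all systems

    # =========================================================================
    # VERIFICATION
    # =========================================================================
    - name: Verify setup
      debug:
        msg: |
          Node: {{ inventory_hostname }}
          Host: {{ ansible_host }}
          Datacenter: {{ datacenter | default('unknown') }}
          Role: {{ node_role | default('unknown') }}
          GPU: {{ gpu | default(false) }}

  handlers:
    # Service is named "sshd" here; on Debian-family hosts the unit is
    # typically "ssh" with an "sshd" alias - verify on the target OS.
    - name: restart sshd
      service:
        name: sshd
        state: restarted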