- Terraform + Ansible + K3s + Vault + Consul + Observability
- Decentralized network architecture (own datacenters)
- Complete Ansible playbooks:
  - bootstrap.yml: OS setup, packages, SSH
  - hardening.yml: Security (UFW, fail2ban, auditd, Trivy)
  - k3s-install.yml: Lightweight Kubernetes cluster
- Production inventory with NODE1, NODE3
- Group variables for all nodes
- Security check cron script
- Multi-DC ready with Consul support
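---
# DAARION Network - Global Variables
# These variables apply to all hosts (Ansible group_vars/all).

# =============================================================================
# SECURITY
# =============================================================================
# Packages installed by the hardening playbook on every node.
security_packages:
  - fail2ban
  - ufw
  - auditd
  - rkhunter
  - unattended-upgrades
  - ca-certificates

# Firewall - allowed ports (in addition to SSH)
# NOTE(review): unless the firewall role restricts these rules by source
# address, every port below is reachable from any peer that can route to the
# node. The kubelet (10250), Vault (8200), Consul (8500/8600), Prometheus
# (9090), Grafana (3000) and PostgreSQL (5432) are all management or data
# services; confirm they are limited to the node/management network rather
# than the public interface.
firewall_allowed_tcp_ports:
  - 6443  # K3s API
  - 10250  # Kubelet
  - 8200  # Vault
  - 8500  # Consul HTTP
  - 8600  # Consul DNS
  - 9090  # Prometheus
  - 3000  # Grafana
  - 5432  # PostgreSQL

# Outgoing traffic explicitly permitted (port/protocol pairs).
firewall_allowed_outgoing:
  - { port: 53, proto: udp }  # DNS
  - { port: 80, proto: tcp }  # HTTP
  - { port: 443, proto: tcp }  # HTTPS
  - { port: 123, proto: udp }  # NTP

# Blocked networks (internal/private)
# NOTE(review): only two of the three RFC 1918 ranges are listed;
# 192.168.0.0/16 is absent. Confirm whether that is intentional.
firewall_blocked_networks:
  - 10.0.0.0/8
  - 172.16.0.0/12

# =============================================================================
# DOCKER
# =============================================================================
# Users added to the docker group (docker group membership is root-equivalent
# on the host, so keep this list minimal).
docker_users:
  - "{{ ansible_user }}"

# Rendered into /etc/docker/daemon.json by the docker role (presumably —
# verify against the role). log-opts is nested under docker_daemon_options;
# max-size/max-file are deliberately strings because Docker expects them so.
docker_daemon_options:
  storage-driver: "overlay2"
  log-driver: "json-file"
  log-opts:
    max-size: "100m"
    max-file: "3"

# =============================================================================
# K3S / KUBERNETES
# =============================================================================
k3s_version: "v1.29.0+k3s1"
# Bundled components disabled at install time.
k3s_disable:
  - traefik
  - servicelb

# =============================================================================
# VAULT
# =============================================================================
vault_version: "1.15.4"
# NOTE(review): Vault is addressed over plaintext HTTP, so tokens and secrets
# exchanged with it are not protected on the wire. Switch to https once a TLS
# listener is configured, and keep 8200 off any untrusted network until then.
vault_addr: "http://node1:8200"
vault_data_dir: "/opt/vault/data"

# =============================================================================
# CONSUL
# =============================================================================
consul_version: "1.17.1"
consul_data_dir: "/opt/consul/data"
consul_enable_connect: true

# =============================================================================
# OBSERVABILITY
# =============================================================================
prometheus_retention: "30d"
prometheus_storage_size: "50Gi"
loki_retention: "168h"  # 7 days
tempo_retention: "168h"  # 7 days

# =============================================================================
# POSTGRESQL
# =============================================================================
# Pinned by digest rather than tag so the deployed image cannot change
# underneath the pin.
postgres_image: "postgres@sha256:23e88eb049fd5d54894d70100df61d38a49ed97909263f79d4ff4c30a5d5fca2"
postgres_user: "daarion"
postgres_db: "daarion_main"

# =============================================================================
# PATHS
# =============================================================================
scripts_dir: "/opt/scripts"
config_dir: "/opt/config"
logs_dir: "/var/log/daarion"
backup_dir: "/opt/backups"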