# Ansible MicroOS VM setup

<!--

Unfortunately, the devsec hardening role does not play well with MicroOS.

1. Install the devsec hardening collection

```shell
ansible-galaxy collection install devsec.hardening
```

2. Create the inventory.txt file for the server

3. Run the hardening playbook. It does not run through completely because of the immutable root filesystem of MicroOS. At some point, a PR properly supporting MicroOS could be opened against https://github.com/dev-sec/ansible-os-hardening

```shell
ansible-playbook -i inventory.txt hardening.yml
```

-->

4. Run the custom_hardening playbook. This mostly sets SSH parameters to best-practice values.

```shell
ansible-playbook -i inventory.txt custom_hardening.yml
```

5. Run the allow_privileged_ports_rootless playbook. This allows a rootless traefik container to bind ports 80 and 443.

```shell
ansible-playbook -i inventory.txt allow_privileged_ports_rootless.yml
```

6. Run the deploy_services playbook. This creates a group and a user for each service, creates a btrfs subvolume for its data, copies the quadlet files to the correct location, and then activates the service.

```shell
ansible-playbook -i inventory.txt deploy_services.yml
```

7. Run the deploy_traefik_config playbook. This copies the traefik configuration to the correct location.

```shell
ansible-playbook -i inventory.txt deploy_traefik_config.yml
```

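The steps above say what the playbooks should leave behind on the host but not how to confirm it. The script below is an added example and not part of this repository's playbooks: it compares the effective sshd configuration (as printed by `sshd -T`, which includes any `Include`d drop-ins) against a list of expected values, and checks that `net.ipv4.ip_unprivileged_port_start` is low enough for a rootless container to bind 80 and 443. The expected SSH values in `SSHD_EXPECTED` are an assumption about what "best-practice values" means here, not a dump of custom_hardening.yml; adjust them to match what that playbook actually sets.

```shell
#!/usr/bin/env bash
# Added post-run check for steps 4 and 5 above (example code, not part of
# this repository). The SSH expectations are an assumption; edit them to
# mirror custom_hardening.yml.
set -u

# Expected sshd settings in the lower-case "option value" form that
# `sshd -T` prints for the effective configuration.
SSHD_EXPECTED='permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
x11forwarding no
maxauthtries 3'

# check_sshd_config: reads `sshd -T` output on stdin and compares every
# option in SSHD_EXPECTED against it. Prints each mismatch (a missing
# option counts as a mismatch) and returns 0 only when all match.
check_sshd_config() {
    local effective key want have bad=0
    effective=$(cat)
    while read -r key want; do
        [ -n "$key" ] || continue
        have=$(printf '%s\n' "$effective" |
            awk -v k="$key" 'tolower($1) == k { print $2; exit }')
        if [ "$have" != "$want" ]; then
            printf 'sshd: %s is "%s", expected "%s"\n' "$key" "${have:-unset}" "$want"
            bad=1
        fi
    done <<EOF
$SSHD_EXPECTED
EOF
    return "$bad"
}

# check_unprivileged_port_start: takes the current value of
# net.ipv4.ip_unprivileged_port_start. A rootless traefik can bind 80 and
# 443 only if the first unprivileged port is 80 or lower (the default is
# 1024). Returns 0 when the value permits it, 1 otherwise.
check_unprivileged_port_start() {
    local start=$1
    case $start in
        ''|*[!0-9]*) echo "sysctl: non-numeric value '$start'"; return 1 ;;
    esac
    if [ "$start" -gt 80 ]; then
        echo "sysctl: ip_unprivileged_port_start=$start, ports 80/443 are still privileged"
        return 1
    fi
    return 0
}

# Live run against the local host; `sshd -T` needs root to read host keys.
if [ "${1:-}" = "--live" ]; then
    rc=0
    sshd -T | check_sshd_config || rc=1
    check_unprivileged_port_start "$(sysctl -n net.ipv4.ip_unprivileged_port_start)" || rc=1
    exit "$rc"
fi
```

Run it as root on the target after steps 4 and 5 with `--live`. Checking `sshd -T` rather than grepping sshd_config matters on MicroOS: /etc is writable and sshd reads drop-ins from /etc/ssh/sshd_config.d, so the effective value can differ from the line you edited. The sysctl check assumes the playbook lowers `ip_unprivileged_port_start` (a drop-in under /etc/sysctl.d survives on MicroOS because /etc is not part of the read-only root); if it instead grants the binary a capability, adapt the check accordingly. The quadlet and btrfs subvolume steps are not covered here and need separate checks against `systemctl --user` and `btrfs subvolume list`.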