WPB-2324 introduce more automation for dedicated Hetzner server deplo…

…yments prior to kubespray upgrades

ansible/files/hetzner_server_nftables.conf

@@ -0,0 +1,31 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+  chain block_definitions {
+    ct state established,related accept
+    ct state invalid drop
+    tcp flags != syn ct state new counter drop
+    counter drop
+#    log prefix "DROP " counter drop
+  }
+  chain INPUT {
+    type filter hook input priority 0;
+    ip protocol icmp icmp type echo-request counter accept
+    ip6 nexthdr ipv6-icmp icmpv6 type echo-request counter accept
+    ip6 nexthdr ipv6-icmp ip6 hoplimit 1 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert } counter accept
+    ip6 nexthdr ipv6-icmp ip6 hoplimit 255 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert } counter accept
+    iifname { lo, virbr0 } counter accept
+    tcp dport 22 counter accept comment "SSH incoming"
+    jump block_definitions
+  }
+  chain FORWARD {
+    type filter hook forward priority 0;
+    policy drop;
+  }
+  chain OUTPUT {
+    type filter hook output priority 0;
+    policy accept;
+  }
+}

ansible/files/hetzner_server_sshd_config

@@ -0,0 +1,23 @@
+Port 22
+
+AcceptEnv LANG LC_*
+LogLevel verbose
+PrintMotd no
+
+KexAlgorithms [email protected],curve25519-sha256,[email protected],gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512
+Ciphers [email protected],[email protected]
+MACs [email protected]
+
+HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512
+CASignatureAlgorithms [email protected],ssh-ed25519,rsa-sha2-512
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
+HostbasedAcceptedAlgorithms [email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512
+PubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512,ecdsa-sha2-nistp521
+
+PasswordAuthentication no
+PubkeyAuthentication yes
+ChallengeResponseAuthentication no
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+UsePAM yes
+X11Forwarding no

ansible/hetzner-single-deploy.yml

@@ -0,0 +1,141 @@
+- hosts: all
+  become: true
+  vars:
+    artifact_hash: a6e0929c9a5f4af09655c9433bb56a4858ec7574
+    ubuntu_version: 22.04.3
+    ssh_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIODDzgw4BncNvSVOIraAXZYkkLn+iTo6ixkXXQ4lKZhL [email protected]"
+  tasks:
+  - name: apt update
+    apt: update_cache=yes force_apt_get=yes
+  - name: apt upgrade
+    apt: upgrade=dist force_apt_get=yes
+  - name: install default packages
+    apt:
+      install_recommends: no
+      pkg:
+      - aptitude
+      - apt-transport-https
+      - bind9-host
+      - curl
+      - debian-goodies
+      - dnsutils
+      - git
+      - less
+      - lsof
+      - net-tools
+      - rsyslog
+      - screen
+      - sudo
+      - vim
+      - wget
+      - whois
+      - qemu
+      - qemu-kvm
+      - qemu-utils
+      - libvirt-clients
+      - libvirt-daemon-system
+      - virtinst
+      - bridge-utils
+  - name: generate german locales
+    locale_gen:
+      name: de_DE.UTF-8
+      state: present
+  - name: generate us locales
+    locale_gen:
+      name: en_US.UTF-8
+      state: present
+  - name: set system language
+    lineinfile:
+      path: /etc/default/locale
+      regexp: '^#?LANG='
+      line: 'LANG="en_US.UTF-8"'
+  - name: set keyboard layout
+    lineinfile:
+      path: /etc/default/keyboard
+      regexp: '^#?XKBLAYOUT='
+      line: 'XKBLAYOUT="us"'
+  - name: set keyboard variant
+    lineinfile:
+      path: /etc/default/keyboard
+      regexp: '^#?XKVARIANT='
+      line: 'XKBVARIANT="de"'
+  - name: add default user accounts
+    user:
+      name: demo
+      groups: sudo, kvm
+      uid: 900
+      state: present
+      shell: /bin/bash
+      password: "!"
+  - name: Adding SSH pubkey for user demo
+    authorized_key:
+      user: demo
+      state: present
+      key: "{{ ssh_pubkey }}"
+  - name: passwordless sudo
+    lineinfile:
+      dest: /etc/sudoers
+      regexp: '^%sudo'
+      line: "%sudo ALL=(ALL) NOPASSWD:ALL"
+  - name: deploy sshd config
+    copy:
+      src: files/hetzner_server_sshd_config
+      dest: /etc/ssh/sshd_config
+      mode: 0644
+      owner: root
+      group: root
+    notify: sshd | restart
+  - name: deploy /etc/nftables.conf
+    copy:
+      src: files/hetzner_server_nftables.conf
+      dest: /etc/nftables.conf
+      mode: 0750
+      owner: root
+      group: root
+    notify: nftables | restart
+  - name: create wire-server-deploy directory for demo user
+    file:
+      path: /home/demo/wire-server-deploy
+      state: directory
+      owner: demo
+      group: demo
+      mode: 0775
+  - name: check if wire-server-deploy-static-{{ artifact_hash }}.tgz exists
+    stat:
+      path: /home/demo/wire-server-deploy-static-{{ artifact_hash }}.tgz
+    register: artifact_archive_file_check
+  - name: download wire-server-deploy archive
+    shell:
+      cmd: curl -fsSLo /home/demo/wire-server-deploy-static-{{ artifact_hash }}.tgz https://s3-eu-west-1.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-{{ artifact_hash }}.tgz
+      creates: /home/demo/wire-server-deploy-static-{{ artifact_hash }}.tgz
+    when: not artifact_archive_file_check.stat.exists
+  - name: check if wire-server-deploy folderi contents exist
+    stat:
+      path: /home/demo/wire-server-deploy/containers-helm.tar
+    register: artifact_folder_content_check
+  - name: unpack wire-server-deploy archive
+    unarchive:
+      src: /home/demo/wire-server-deploy-static-{{ artifact_hash }}.tgz
+      dest: /home/demo/wire-server-deploy
+      remote_src: yes
+    when: not artifact_folder_content_check.stat.exists
+  - name: check if ubuntu iso exists
+    stat:
+      path: /home/demo/wire-server-deploy/ubuntu.iso
+    register: iso_file_check
+  - name: download ubuntu {{ ubuntu_version }} iso
+    shell:
+      cmd: curl -fsSLo /home/demo/wire-server-deploy/ubuntu.iso https://releases.ubuntu.com/jammy/ubuntu-{{ ubuntu_version }}-live-server-amd64.iso
+      creates: /home/demo/wire-server-deploy/ubuntu.iso
+    when: not iso_file_check.stat.exists
+
+  handlers:
+  - name: sshd | restart
+    service:
+      name: sshd
+      state: restarted
+  - name: nftables | restart
+    service:
+      name: nftables
+      enabled: true
+      state: restarted