directlx
538feb79c2
Add comprehensive security audit and Jenkins connectivity fixes
...
Security Audit Infrastructure:
- Add security-audit.yml and security-audit-v2.yml playbooks
- Comprehensive security checks: SSH config, firewall, open ports,
  failed logins, auto-updates, password policies
- Generate per-server reports in /tmp/security-audit-*/
- Add SECURITY-AUDIT-SUMMARY.md with prioritized findings

Docker Server Security (Ready for Execution):
- Add secure-docker-server-firewall.yml playbook
- Three firewall modes: internal (recommended), selective, custom
- Add DOCKER-SERVER-SECURITY.md execution guide
- Security updates applied (107 packages upgraded)
- Firewall configuration saved for future execution

Jenkins Connectivity Fixes:
- Fixed Jenkins and SonarQube port blocking (opened 8080, 9000)
- Created jenkins host_vars with firewall configuration
- Restarted SonarQube containers (postgresql, sonarqube)
- Add JENKINS-CONNECTIVITY-FIX.md documentation

Jenkins SSH Agent Configuration:
- Add setup-jenkins-agent-ssh.yml for SSH key generation
- Enable password authentication for AWS Jenkins Master
- Created jenkins user SSH key pair
- Add comprehensive troubleshooting guide

NPM SSH Proxy Setup:
- Configure NPM as SSH proxy for Jenkins agents (port 2222)
- Update npm.yml host_vars with port 2222
- Add configure-npm-ssh-proxy.yml playbook
- Create nginx stream config at /data/nginx/stream/jenkins.conf
- Add NPM-SSH-PROXY-FOR-JENKINS.md full documentation
- Add JENKINS-NPM-PROXY-QUICK-REFERENCE.md quick guide

DNS Configuration:
- Add jenkins.directlx.dev to Pi-hole DNS
- Points to NPM server (192.168.200.71) for internal resolution

Key Security Findings:
- 16 servers audited
- Critical: Root SSH login enabled on 2 servers
- Critical: No firewall on several servers
- High: 65 pending security updates on docker server (now applied)
- High: Automatic updates not configured on most servers

Documentation:
- SECURITY-AUDIT-SUMMARY.md: Executive summary and remediation plan
- DOCKER-SERVER-SECURITY.md: Docker server security guide
- JENKINS-CONNECTIVITY-FIX.md: Jenkins firewall fix documentation
- JENKINS-SSH-AGENT-TROUBLESHOOTING.md: SSH troubleshooting guide
- NPM-SSH-PROXY-FOR-JENKINS.md: NPM proxy configuration
- JENKINS-NPM-PROXY-QUICK-REFERENCE.md: Quick reference guide
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-09 13:27:36 -05:00
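The audit categories named in the commit above (SSH configuration, firewall state, automatic updates) and the Critical/High findings it reports, as an added example that is not code from the directlx playbooks (the security-audit.yml playbooks themselves are not shown on this page). The function names and severity labels are this example's own choices; it assumes ufw as the host firewall, Debian/Ubuntu unattended-upgrades configuration, and the OpenSSH default of prohibit-password when PermitRootLogin is unset. Each check reads configuration text from stdin so it can be exercised offline; live_audit wires them to the real host.

```shell
#!/usr/bin/env bash
# Added example: minimal checks for the audit categories in the commit (SSH
# config, firewall, auto-updates). Not the repository's playbook code; names,
# severities and the prohibit-password default are assumptions.
set -u

# Print the effective value of an sshd option read from stdin. sshd applies the
# first matching directive, so take the first uncommented occurrence; fall back
# to $2 when the option is absent. Match blocks are ignored here, so on a live
# host feed in `sshd -T` output (lowercase keys) instead of the raw file.
sshd_option() {
  local key="$1" default="$2" val
  val=$(grep -iE "^[[:space:]]*${key}[[:space:]]+" | head -n 1 | awk '{print tolower($2)}')
  printf '%s\n' "${val:-$default}"
}

# "PermitRootLogin yes" is the Critical finding; prohibit-password still allows
# key-based root logins, which this example rates High.
root_login_severity() {
  case "$(sshd_option PermitRootLogin prohibit-password)" in
    yes) echo CRITICAL ;;
    prohibit-password|without-password|forced-commands-only) echo HIGH ;;
    no) echo OK ;;
    *) echo UNKNOWN ;;
  esac
}

# Password authentication left at its default (yes) invites brute forcing.
password_auth_severity() {
  case "$(sshd_option PasswordAuthentication yes)" in
    yes) echo HIGH ;;
    no) echo OK ;;
    *) echo UNKNOWN ;;
  esac
}

# Classify `ufw status` output read from stdin.
ufw_severity() {
  if grep -q '^Status: active'; then echo OK; else echo CRITICAL; fi
}

# Classify /etc/apt/apt.conf.d/20auto-upgrades read from stdin: both the list
# refresh and the unattended upgrade itself must be enabled.
auto_update_severity() {
  local conf
  conf=$(cat)
  if printf '%s\n' "$conf" | grep -q '^APT::Periodic::Update-Package-Lists "1";' &&
     printf '%s\n' "$conf" | grep -q '^APT::Periodic::Unattended-Upgrade "1";'; then
    echo OK
  else
    echo HIGH
  fi
}

# Run the checks on the live host (sshd -T needs root) and print one finding
# per line, suitable for collecting into a per-server report.
live_audit() {
  local cfg
  cfg=$(sshd -T 2>/dev/null) || cfg=$(cat /etc/ssh/sshd_config)
  printf 'ssh_root_login=%s\n'   "$(printf '%s\n' "$cfg" | root_login_severity)"
  printf 'ssh_password_auth=%s\n' "$(printf '%s\n' "$cfg" | password_auth_severity)"
  printf 'firewall=%s\n'          "$(ufw status 2>/dev/null | ufw_severity)"
  printf 'auto_updates=%s\n'      "$(auto_update_severity 2>/dev/null < /etc/apt/apt.conf.d/20auto-upgrades || echo HIGH)"
}
```

Two caveats when reading the output: a commented-out `PermitRootLogin` line is ignored (the first live directive wins, as in sshd), and a `Status: inactive` result on a host where ufw was deliberately disabled because Docker manages iptables is a different risk from a host with no packet filtering at all, so such hosts need their iptables rules reviewed rather than just the ufw state.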
directlx
7754585436
Enable MySQL connectivity for Docker applications
...
- Add MySQL host_vars with firewall rules for port 3306
- Enable IP forwarding on Docker hosts (hiveops, smartjournal)
- Fix container-to-external-network connectivity issue
The IP forwarding setting was previously disabled by the common role's
security defaults, preventing Docker containers from reaching external
databases. This change overrides that setting for hosts running Docker.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-06 11:30:14 -05:00
directlx
d7c7b82314
Disable firewall on smartjournal
...
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-04 09:50:29 -05:00
directlx
047b485a13
Add host_vars for firewall configuration
...
- docker.yml: Disable firewall (Docker manages iptables)
- hiveops.yml: Disable firewall (many ports needed)
- npm.yml: Allow ports 22, 80, 443, 81 (admin)
- smartjournal.yml: Allow ports 22, 80, 443
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-04 09:49:31 -05:00
directlx
b2151858da
Add Pi-hole host_vars for firewall ports
...
Allow required ports for Pi-hole:
- 22/tcp (SSH)
- 53/tcp, 53/udp (DNS)
- 80/tcp (Web admin)
- 443/tcp (HTTPS)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-04 09:25:46 -05:00
directlx
c781ec25a2
Initial Ansible project structure
...
Set up standard directory layout with:
- ansible.cfg with sensible defaults
- YAML inventory with example groups
- Main site playbook template
- Directories for roles, group_vars, host_vars, files, templates
- .gitignore for secrets, vault files, and SSH keys
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-04 06:37:33 -05:00