From f6138ec43bc9fb9e26dd9ca0e535e707cb48a33f Mon Sep 17 00:00:00 2001 
From: rslangl Date: Sun, 8 Feb 2026 21:49:16 +0100 Subject: [PATCH 1/7] chore: fix collection path --- ansible.cfg | 2 ++ .../nekrohaven}/bootstrap/README.md | 0 .../nekrohaven/bootstrap/galaxy.yml} | 0 .../nekrohaven/bootstrap/inventory/all.yaml | 8 ++++++++ .../nekrohaven}/bootstrap/playbooks/bootstrap.yaml | 0 .../nekrohaven}/bootstrap/requirements.yaml | 0 .../bootstrap/roles/dns_external/handlers/main.yaml | 0 .../roles/dns_external/tasks/dnscrypt-proxy.yaml | 0 .../bootstrap/roles/dns_external/tasks/main.yaml | 0 .../bootstrap/roles/dns_external/tasks/unbound.yaml | 0 .../roles/dns_external/templates/dnscrypt-proxy.toml.j2 | 0 .../roles/dns_external/templates/unbound.conf.j2 | 0 .../bootstrap/roles/dns_internal/defaults/main.yaml | 0 .../bootstrap/roles/dns_internal/handlers/main.yaml | 0 .../bootstrap/roles/dns_internal/meta/main.yaml | 0 .../roles/dns_internal/molecule/default/converge.yaml | 0 .../roles/dns_internal/molecule/default/molecule.yaml | 0 .../roles/dns_internal/molecule/default/verify.yaml | 0 .../bootstrap/roles/dns_internal/tasks/ipsec.yaml | 0 .../bootstrap/roles/dns_internal/tasks/main.yaml | 0 .../bootstrap/roles/dns_internal/tasks/unbound.yaml | 0 .../bootstrap/roles/dns_internal/templates/ipsec.conf.j2 | 0 .../roles/dns_internal/templates/ipsec.secrets.j2 | 0 .../bootstrap/roles/dns_internal/templates/resolv.conf.j2 | 0 .../roles/dns_internal/templates/unbound.conf.j2 | 0 .../bootstrap/roles/firewall/defaults/main.yaml | 0 .../nekrohaven}/bootstrap/roles/firewall/meta/main.yaml | 0 .../nekrohaven}/bootstrap/roles/firewall/tasks/main.yaml | 0 .../nekrohaven}/bootstrap/roles/kvm/tasks/hid.yaml | 0 .../nekrohaven}/bootstrap/roles/kvm/tasks/main.yaml | 0 .../bootstrap/roles/kvm/tasks/resource_proxy.yaml | 0 .../nekrohaven}/bootstrap/roles/kvm/tasks/user.yaml | 0 .../bootstrap/roles/kvm/tasks/virtual_device.yaml | 0 .../nekrohaven}/bootstrap/roles/prelude/meta/main.yaml | 0 .../bootstrap/roles/prelude/tasks/disable_ipv6.yaml | 0 
.../nekrohaven}/bootstrap/roles/prelude/tasks/main.yaml | 0 .../nekrohaven}/bootstrap/roles/prelude/tasks/ntp.yaml | 0 .../nekrohaven}/bootstrap/roles/router/defaults/main.yaml | 0 .../nekrohaven}/bootstrap/roles/router/tasks/main.yaml | 0 .../bootstrap/roles/runtime_security/defaults/main.yaml | 0 .../bootstrap/roles/runtime_security/meta/main.yaml | 0 .../bootstrap/roles/runtime_security/tasks/antivirus.yaml | 0 .../bootstrap/roles/runtime_security/tasks/apparmor.yaml | 0 .../roles/runtime_security/tasks/hardened_malloc.yaml | 0 .../bootstrap/roles/runtime_security/tasks/main.yaml | 0 .../roles/runtime_security/tasks/peripherals.yaml | 0 .../bootstrap/roles/service_account/defaults/main.yaml | 0 .../bootstrap/roles/service_account/tasks/main.yaml | 0 .../nekrohaven}/bootstrap/tests/post/verify.yaml | 0 collections/bootstrap/inventory/.gitkeep | 0 50 files changed, 10 insertions(+) create mode 100644 ansible.cfg rename collections/{ => ansible_collections/nekrohaven}/bootstrap/README.md (100%) rename collections/{bootstrap/galaxy.yaml => ansible_collections/nekrohaven/bootstrap/galaxy.yml} (100%) create mode 100644 collections/ansible_collections/nekrohaven/bootstrap/inventory/all.yaml rename collections/{ => ansible_collections/nekrohaven}/bootstrap/playbooks/bootstrap.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/requirements.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/dns_external/handlers/main.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/dns_external/tasks/dnscrypt-proxy.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/dns_external/tasks/main.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/dns_external/tasks/unbound.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/dns_external/templates/dnscrypt-proxy.toml.j2 (100%) rename collections/{ => 
ansible_collections/nekrohaven}/bootstrap/roles/dns_external/templates/unbound.conf.j2 (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/dns_internal/defaults/main.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/dns_internal/handlers/main.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/dns_internal/meta/main.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/dns_internal/molecule/default/converge.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/dns_internal/molecule/default/molecule.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/dns_internal/molecule/default/verify.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/dns_internal/tasks/ipsec.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/dns_internal/tasks/main.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/dns_internal/tasks/unbound.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/dns_internal/templates/ipsec.conf.j2 (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/dns_internal/templates/ipsec.secrets.j2 (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/dns_internal/templates/resolv.conf.j2 (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/dns_internal/templates/unbound.conf.j2 (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/firewall/defaults/main.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/firewall/meta/main.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/firewall/tasks/main.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/kvm/tasks/hid.yaml (100%) 
rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/kvm/tasks/main.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/kvm/tasks/resource_proxy.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/kvm/tasks/user.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/kvm/tasks/virtual_device.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/prelude/meta/main.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/prelude/tasks/disable_ipv6.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/prelude/tasks/main.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/prelude/tasks/ntp.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/router/defaults/main.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/router/tasks/main.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/runtime_security/defaults/main.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/runtime_security/meta/main.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/runtime_security/tasks/antivirus.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/runtime_security/tasks/apparmor.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/runtime_security/tasks/hardened_malloc.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/runtime_security/tasks/main.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/runtime_security/tasks/peripherals.yaml (100%) rename collections/{ => ansible_collections/nekrohaven}/bootstrap/roles/service_account/defaults/main.yaml (100%) rename collections/{ => 
ansible_collections/nekrohaven}/bootstrap/roles/service_account/tasks/main.yaml (100%)
rename collections/{ => ansible_collections/nekrohaven}/bootstrap/tests/post/verify.yaml (100%)
delete mode 100644 collections/bootstrap/inventory/.gitkeep
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..0a1eb1b
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,2 @@
+[defaults]
+collections_paths = ./collections
diff --git a/collections/bootstrap/README.md b/collections/ansible_collections/nekrohaven/bootstrap/README.md
similarity index 100%
rename from collections/bootstrap/README.md
rename to collections/ansible_collections/nekrohaven/bootstrap/README.md
diff --git a/collections/bootstrap/galaxy.yaml b/collections/ansible_collections/nekrohaven/bootstrap/galaxy.yml
similarity index 100%
rename from collections/bootstrap/galaxy.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/galaxy.yml
diff --git a/collections/ansible_collections/nekrohaven/bootstrap/inventory/all.yaml b/collections/ansible_collections/nekrohaven/bootstrap/inventory/all.yaml
new file mode 100644
index 0000000..3a08565
--- /dev/null
+++ b/collections/ansible_collections/nekrohaven/bootstrap/inventory/all.yaml
@@ -0,0 +1,8 @@
+---
+all:
+ children:
+ app_servers:
+ hosts:
+ hv01:
+ ansible_host: 14.88.0.1
+ ansible_user: root
diff --git a/collections/bootstrap/playbooks/bootstrap.yaml b/collections/ansible_collections/nekrohaven/bootstrap/playbooks/bootstrap.yaml
similarity index 100%
rename from collections/bootstrap/playbooks/bootstrap.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/playbooks/bootstrap.yaml
diff --git a/collections/bootstrap/requirements.yaml b/collections/ansible_collections/nekrohaven/bootstrap/requirements.yaml
similarity index 100%
rename from collections/bootstrap/requirements.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/requirements.yaml
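Review bot: `collections_paths = ./collections` on the second line of the new ansible.cfg uses the deprecated spelling of the option; ansible-core still honours it but emits a deprecation warning on every run, and the current ini key is `collections_path`, so the line should read `collections_path = ./collections` (the same key is carried into the ansible.cfg hunk of patch 2/7). Since this file is meant to be picked up from the checkout, it is worth a comment that ansible-core ignores an ansible.cfg found in a world-writable directory, which is a common reason for the collection silently not being found. A one-line header such as `# picked up when ansible is run from the repository root` also tells the reader where the relative path is expected to resolve.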
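Review bot: `ansible_user: root` on the last line of the new inventory makes every play that uses this file connect as root over SSH, while the `service_account` role this collection ships (patch 3/7 touches it) exists to avoid exactly that; root should be limited to the first run and the inventory should say so, e.g. `# bootstrap only: root is used once to create the service account, then ansible_user switches to it`. `ansible_host: 14.88.0.1` is a publicly routable address rather than an RFC 1918 one; if it is a placeholder, mark it as such in a comment, and if it is real, consider keeping the host address out of the committed inventory (an untracked host_vars file or a vaulted one). Neither value needs quoting, but the group is named `app_servers` while the only host is a hypervisor (`hv01`) and the play that targets the group in patch 2/7 is called "Configure hypervisors"; a group name that matches the play keeps the inventory self-describing.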
diff --git a/collections/bootstrap/roles/dns_external/handlers/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/handlers/main.yaml
similarity index 100%
rename from collections/bootstrap/roles/dns_external/handlers/main.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/handlers/main.yaml
diff --git a/collections/bootstrap/roles/dns_external/tasks/dnscrypt-proxy.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/tasks/dnscrypt-proxy.yaml
similarity index 100%
rename from collections/bootstrap/roles/dns_external/tasks/dnscrypt-proxy.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/tasks/dnscrypt-proxy.yaml
diff --git a/collections/bootstrap/roles/dns_external/tasks/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/tasks/main.yaml
similarity index 100%
rename from collections/bootstrap/roles/dns_external/tasks/main.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/tasks/main.yaml
diff --git a/collections/bootstrap/roles/dns_external/tasks/unbound.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/tasks/unbound.yaml
similarity index 100%
rename from collections/bootstrap/roles/dns_external/tasks/unbound.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/tasks/unbound.yaml
diff --git a/collections/bootstrap/roles/dns_external/templates/dnscrypt-proxy.toml.j2 b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/templates/dnscrypt-proxy.toml.j2
similarity index 100%
rename from collections/bootstrap/roles/dns_external/templates/dnscrypt-proxy.toml.j2
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/templates/dnscrypt-proxy.toml.j2
diff --git a/collections/bootstrap/roles/dns_external/templates/unbound.conf.j2 b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/templates/unbound.conf.j2
similarity index 100%
rename from collections/bootstrap/roles/dns_external/templates/unbound.conf.j2
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/templates/unbound.conf.j2
diff --git a/collections/bootstrap/roles/dns_internal/defaults/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/defaults/main.yaml
similarity index 100%
rename from collections/bootstrap/roles/dns_internal/defaults/main.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/defaults/main.yaml
diff --git a/collections/bootstrap/roles/dns_internal/handlers/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/handlers/main.yaml
similarity index 100%
rename from collections/bootstrap/roles/dns_internal/handlers/main.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/handlers/main.yaml
diff --git a/collections/bootstrap/roles/dns_internal/meta/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/meta/main.yaml
similarity index 100%
rename from collections/bootstrap/roles/dns_internal/meta/main.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/meta/main.yaml
diff --git a/collections/bootstrap/roles/dns_internal/molecule/default/converge.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/molecule/default/converge.yaml
similarity index 100%
rename from collections/bootstrap/roles/dns_internal/molecule/default/converge.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/molecule/default/converge.yaml
diff --git a/collections/bootstrap/roles/dns_internal/molecule/default/molecule.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/molecule/default/molecule.yaml
similarity index 100%
rename from collections/bootstrap/roles/dns_internal/molecule/default/molecule.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/molecule/default/molecule.yaml
diff --git a/collections/bootstrap/roles/dns_internal/molecule/default/verify.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/molecule/default/verify.yaml
similarity index 100%
rename from collections/bootstrap/roles/dns_internal/molecule/default/verify.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/molecule/default/verify.yaml
diff --git a/collections/bootstrap/roles/dns_internal/tasks/ipsec.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/tasks/ipsec.yaml
similarity index 100%
rename from collections/bootstrap/roles/dns_internal/tasks/ipsec.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/tasks/ipsec.yaml
diff --git a/collections/bootstrap/roles/dns_internal/tasks/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/tasks/main.yaml
similarity index 100%
rename from collections/bootstrap/roles/dns_internal/tasks/main.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/tasks/main.yaml
diff --git a/collections/bootstrap/roles/dns_internal/tasks/unbound.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/tasks/unbound.yaml
similarity index 100%
rename from collections/bootstrap/roles/dns_internal/tasks/unbound.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/tasks/unbound.yaml
diff --git a/collections/bootstrap/roles/dns_internal/templates/ipsec.conf.j2 b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/ipsec.conf.j2
similarity index 100%
rename from collections/bootstrap/roles/dns_internal/templates/ipsec.conf.j2
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/ipsec.conf.j2
diff --git a/collections/bootstrap/roles/dns_internal/templates/ipsec.secrets.j2 b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/ipsec.secrets.j2
similarity index 100%
rename from collections/bootstrap/roles/dns_internal/templates/ipsec.secrets.j2
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/ipsec.secrets.j2
diff --git a/collections/bootstrap/roles/dns_internal/templates/resolv.conf.j2 b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/resolv.conf.j2
similarity index 100%
rename from collections/bootstrap/roles/dns_internal/templates/resolv.conf.j2
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/resolv.conf.j2
diff --git a/collections/bootstrap/roles/dns_internal/templates/unbound.conf.j2 b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/unbound.conf.j2
similarity index 100%
rename from collections/bootstrap/roles/dns_internal/templates/unbound.conf.j2
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/unbound.conf.j2
diff --git a/collections/bootstrap/roles/firewall/defaults/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/firewall/defaults/main.yaml
similarity index 100%
rename from collections/bootstrap/roles/firewall/defaults/main.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/firewall/defaults/main.yaml
diff --git a/collections/bootstrap/roles/firewall/meta/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/firewall/meta/main.yaml
similarity index 100%
rename from collections/bootstrap/roles/firewall/meta/main.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/firewall/meta/main.yaml
diff --git a/collections/bootstrap/roles/firewall/tasks/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/firewall/tasks/main.yaml
similarity index 100%
rename from collections/bootstrap/roles/firewall/tasks/main.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/firewall/tasks/main.yaml
diff --git a/collections/bootstrap/roles/kvm/tasks/hid.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/kvm/tasks/hid.yaml
similarity index 100%
rename from collections/bootstrap/roles/kvm/tasks/hid.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/kvm/tasks/hid.yaml
diff --git a/collections/bootstrap/roles/kvm/tasks/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/kvm/tasks/main.yaml
similarity index 100%
rename from collections/bootstrap/roles/kvm/tasks/main.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/kvm/tasks/main.yaml
diff --git a/collections/bootstrap/roles/kvm/tasks/resource_proxy.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/kvm/tasks/resource_proxy.yaml
similarity index 100%
rename from collections/bootstrap/roles/kvm/tasks/resource_proxy.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/kvm/tasks/resource_proxy.yaml
diff --git a/collections/bootstrap/roles/kvm/tasks/user.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/kvm/tasks/user.yaml
similarity index 100%
rename from collections/bootstrap/roles/kvm/tasks/user.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/kvm/tasks/user.yaml
diff --git a/collections/bootstrap/roles/kvm/tasks/virtual_device.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/kvm/tasks/virtual_device.yaml
similarity index 100%
rename from collections/bootstrap/roles/kvm/tasks/virtual_device.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/kvm/tasks/virtual_device.yaml
diff --git a/collections/bootstrap/roles/prelude/meta/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/prelude/meta/main.yaml
similarity index 100%
rename from collections/bootstrap/roles/prelude/meta/main.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/prelude/meta/main.yaml
diff --git a/collections/bootstrap/roles/prelude/tasks/disable_ipv6.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/prelude/tasks/disable_ipv6.yaml
similarity index 100%
rename from collections/bootstrap/roles/prelude/tasks/disable_ipv6.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/prelude/tasks/disable_ipv6.yaml
diff --git a/collections/bootstrap/roles/prelude/tasks/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/prelude/tasks/main.yaml
similarity index 100%
rename from collections/bootstrap/roles/prelude/tasks/main.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/prelude/tasks/main.yaml
diff --git a/collections/bootstrap/roles/prelude/tasks/ntp.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/prelude/tasks/ntp.yaml
similarity index 100%
rename from collections/bootstrap/roles/prelude/tasks/ntp.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/prelude/tasks/ntp.yaml
diff --git a/collections/bootstrap/roles/router/defaults/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/router/defaults/main.yaml
similarity index 100%
rename from collections/bootstrap/roles/router/defaults/main.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/router/defaults/main.yaml
diff --git a/collections/bootstrap/roles/router/tasks/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/router/tasks/main.yaml
similarity index 100%
rename from collections/bootstrap/roles/router/tasks/main.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/router/tasks/main.yaml
diff --git a/collections/bootstrap/roles/runtime_security/defaults/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/defaults/main.yaml
similarity index 100%
rename from collections/bootstrap/roles/runtime_security/defaults/main.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/defaults/main.yaml
diff --git a/collections/bootstrap/roles/runtime_security/meta/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/meta/main.yaml
similarity index 100%
rename from collections/bootstrap/roles/runtime_security/meta/main.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/meta/main.yaml
diff --git a/collections/bootstrap/roles/runtime_security/tasks/antivirus.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/antivirus.yaml
similarity index 100%
rename from collections/bootstrap/roles/runtime_security/tasks/antivirus.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/antivirus.yaml
diff --git a/collections/bootstrap/roles/runtime_security/tasks/apparmor.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/apparmor.yaml
similarity index 100%
rename from collections/bootstrap/roles/runtime_security/tasks/apparmor.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/apparmor.yaml
diff --git a/collections/bootstrap/roles/runtime_security/tasks/hardened_malloc.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/hardened_malloc.yaml
similarity index 100%
rename from collections/bootstrap/roles/runtime_security/tasks/hardened_malloc.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/hardened_malloc.yaml
diff --git a/collections/bootstrap/roles/runtime_security/tasks/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/main.yaml
similarity index 100%
rename from collections/bootstrap/roles/runtime_security/tasks/main.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/main.yaml
diff --git a/collections/bootstrap/roles/runtime_security/tasks/peripherals.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/peripherals.yaml
similarity index 100%
rename from collections/bootstrap/roles/runtime_security/tasks/peripherals.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/peripherals.yaml
diff --git a/collections/bootstrap/roles/service_account/defaults/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/service_account/defaults/main.yaml
similarity index 100%
rename from collections/bootstrap/roles/service_account/defaults/main.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/service_account/defaults/main.yaml
diff --git a/collections/bootstrap/roles/service_account/tasks/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/service_account/tasks/main.yaml
similarity index 100%
rename from collections/bootstrap/roles/service_account/tasks/main.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/roles/service_account/tasks/main.yaml
diff --git a/collections/bootstrap/tests/post/verify.yaml b/collections/ansible_collections/nekrohaven/bootstrap/tests/post/verify.yaml
similarity index 100%
rename from collections/bootstrap/tests/post/verify.yaml
rename to collections/ansible_collections/nekrohaven/bootstrap/tests/post/verify.yaml
diff --git a/collections/bootstrap/inventory/.gitkeep b/collections/bootstrap/inventory/.gitkeep
deleted file mode 100644
index e69de29..0000000
From 35f872c9972b5c956c8b9b842a3fa7bf00bddeee Mon Sep 17 00:00:00 2001
From: rslangl
Date: Sun, 8 Feb 2026 22:13:58 +0100
Subject: [PATCH 2/7] chore: place inventory and playbook in orchestrator subdir
---
README.md | 9 +++++
ansible.cfg | 1 +
.../bootstrap/playbooks/bootstrap.yaml | 30 -----------------
.../stage_1/inventory.yaml | 0
orchestration/stage_1/playbook.yaml | 33 +++++++++++++++++++
5 files changed, 43 insertions(+), 30 deletions(-)
delete mode 100644 collections/ansible_collections/nekrohaven/bootstrap/playbooks/bootstrap.yaml
rename collections/ansible_collections/nekrohaven/bootstrap/inventory/all.yaml => orchestration/stage_1/inventory.yaml (100%)
create mode 100644 orchestration/stage_1/playbook.yaml
diff --git a/README.md b/README.md
index e339dcf..ce38130 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,15 @@ Bootable environment to bootstrap my infrastructure. TODO +## Usage + +Install collection and run locally: + +```shell +ansible-galaxy collection install ./collections/ansible_collections/nekrohaven/bootstrap +ansible-playbook orchestrator/stage_1/playbook.yaml -i orchestrator/stage_1/inventory.yaml +``` + ## Development Using nix, which spins up a nix-shell containing all tools required: diff --git a/ansible.cfg b/ansible.cfg index 0a1eb1b..3df3b17 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,2 +1,3 @@ [defaults] collections_paths = ./collections +roles_path = ./collections/ansible_collections/nekrohaven/bootstrap/roles diff --git a/collections/ansible_collections/nekrohaven/bootstrap/playbooks/bootstrap.yaml b/collections/ansible_collections/nekrohaven/bootstrap/playbooks/bootstrap.yaml deleted file mode 100644 index bfed365..0000000 --- a/collections/ansible_collections/nekrohaven/bootstrap/playbooks/bootstrap.yaml +++ /dev/null @@ -1,30 +0,0 @@ ---- -- name: Base access and identiy - hosts: all - roles: - - nekrohaven.bootstrap.service_account - -- name: Configure router - hosts: routers - roles: - - nekrohaven.bootstrap.router - -- name: Configure hypervisors - hosts: app_servers - roles: - - nekrohaven.bootstrap.prelude - - nekrohaven.bootstrap.dns_internal - - nekrohaven.bootstrap.runtime_security - - nekrohaven.bootstrap.firewall - -- name: Configure redzone access point - hosts: ap_redzone - roles: - - nekrohaven.bootstrap.prelude - - nekrohaven.bootstrap.ap_redzone - -- name: Configure greenzone access point - hosts: ap_greenzone - roles: - - nekrohaven.bootstrap.prelude - - nekrohaven.bootstrap.ap_redzone diff --git a/collections/ansible_collections/nekrohaven/bootstrap/inventory/all.yaml b/orchestration/stage_1/inventory.yaml similarity index 100% rename from collections/ansible_collections/nekrohaven/bootstrap/inventory/all.yaml rename to orchestration/stage_1/inventory.yaml 
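Review bot: The added `roles_path = ./collections/ansible_collections/nekrohaven/bootstrap/roles` makes the collection's roles resolvable by bare name (`service_account`) as well as by FQCN, which gives two lookup paths for the same directory; the playbook created in this patch already uses `import_role` with `name: nekrohaven.bootstrap.service_account`, so resolution through `collections_paths` is sufficient and `roles_path` can be dropped, or kept with a comment stating what it is for. Without that comment a role referenced by bare name will resolve in this checkout but fail wherever the collection is installed from Galaxy, which the README's `ansible-galaxy collection install` line suggests is the intended distribution path. If it stays, `# lets molecule/ad-hoc runs reference roles without the FQCN` (or whatever the real reason is) above the line is enough.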
diff --git a/orchestration/stage_1/playbook.yaml b/orchestration/stage_1/playbook.yaml
new file mode 100644
index 0000000..6762a7b
--- /dev/null
+++ b/orchestration/stage_1/playbook.yaml
@@ -0,0 +1,33 @@
+---
+# - name: Base access and identiy
+# hosts: all
+# roles:
+# - nekrohaven.bootstrap.service_account
+#
+# - name: Configure router
+# hosts: routers
+# roles:
+# - nekrohaven.bootstrap.router
+#
+- name: Configure hypervisors
+ hosts: app_servers
+ tasks:
+ - name: Create service account
+ import_role:
+ name: nekrohaven.bootstrap.service_account
+ # - nekrohaven.bootstrap.prelude
+ # - nekrohaven.bootstrap.dns_internal
+ # - nekrohaven.bootstrap.runtime_security
+ # - nekrohaven.bootstrap.firewall
+
+# - name: Configure redzone access point
+# hosts: ap_redzone
+# roles:
+# - nekrohaven.bootstrap.prelude
+# - nekrohaven.bootstrap.ap_redzone
+#
+# - name: Configure greenzone access point
+# hosts: ap_greenzone
+# roles:
+# - nekrohaven.bootstrap.prelude
+# - nekrohaven.bootstrap.ap_redzone
From 3e8853e6e216819ce19ab4985c141ece9cf7cb86 Mon Sep 17 00:00:00 2001
From: rslangl
Date: Sun, 8 Feb 2026 22:36:35 +0100
Subject: [PATCH 3/7] fix: groups append on service account creation
---
.../bootstrap/roles/service_account/defaults/main.yaml | 3 ++-
.../nekrohaven/bootstrap/roles/service_account/tasks/main.yaml | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/service_account/defaults/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/service_account/defaults/main.yaml
index 167920e..1a7d95a 100644
--- a/collections/ansible_collections/nekrohaven/bootstrap/roles/service_account/defaults/main.yaml
+++ b/collections/ansible_collections/nekrohaven/bootstrap/roles/service_account/defaults/main.yaml
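Review bot: The playbook is created at `orchestration/stage_1/playbook.yaml`, but the README usage block added in the same commit runs `ansible-playbook orchestrator/stage_1/playbook.yaml -i orchestrator/stage_1/inventory.yaml`, so the documented command points at a directory that does not exist and one of the two spellings has to change. Most of the file, from `# - name: Base access and identiy` down to the final `# - nekrohaven.bootstrap.ap_redzone`, is commented-out plays that neither yamllint nor ansible-lint will check, and they already carry a typo (`identiy`) and a greenzone play that lists the `ap_redzone` role; if only the service-account play is meant to run in stage 1, tags on the other plays keep them checked, otherwise dropping them is safer since git keeps the history. A one-line header such as `# Stage 1: create the service account over the initial root login; later stages reconnect as that account` would state the stage's contract, assuming that is the intent.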
@@ -1,5 +1,6 @@ --- service_account_name: ansible service_account_shell: /bin/bash -service_account_groups: [] +service_account_groups: + - ansible service_account_authorized_keys: [] diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/service_account/tasks/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/service_account/tasks/main.yaml index 47b27d8..492a79b 100644 --- a/collections/ansible_collections/nekrohaven/bootstrap/roles/service_account/tasks/main.yaml +++ b/collections/ansible_collections/nekrohaven/bootstrap/roles/service_account/tasks/main.yaml @@ -9,7 +9,7 @@ name: "{{ service_account_name }}" uid: "{{ service_account_uid | default(omit) }}" shell: "{{ service_account_shell }}" - group: "{{ service_account_groups | join(',') }}" + groups: "{{ service_account_groups | join(',') }}" append: true create_home: true password_lock: true From 335700d0cd6a70b11c3d1ea2a1482309e38ad518 Mon Sep 17 00:00:00 2001 
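Review bot: With the default changed to `service_account_groups: [ansible]` and the key renamed to `groups:`, the `ansible.builtin.user` task now relies on a supplementary group named `ansible` already existing — the user module does not create groups listed in `groups`, and as far as I know useradd rejects an unknown `-G` group before it creates the user-private group, so on a fresh host this task fails. Either return the default to `[]` or create the groups before the user task. The rest of the task (locked password, home creation) is unchanged outside this hunk.
```yaml
- name: Ensure supplementary groups exist
  ansible.builtin.group:
    name: "{{ item }}"
    state: present
  loop: "{{ service_account_groups }}"

# … unchanged: Create service account task …
```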
From: rslangl Date: Mon, 9 Feb 2026 22:50:44 +0100 Subject: [PATCH 4/7] chore: restructuring existing roles --- .../tasks/main.yaml} | 0 .../roles/dns_internal/defaults/main.yaml | 8 +-- .../roles/dns_internal/tasks/main.yaml | 52 +++++++++++++++++-- .../roles/dns_internal/tasks/unbound.yaml | 40 -------------- .../tasks/main.yaml} | 0 .../ipsec.yaml => ipsec/tasks/main.yaml} | 1 - .../templates/ipsec.conf.j2 | 0 .../templates/ipsec.secrets.j2 | 0 .../tasks/apparmor.yaml | 12 ----- .../bootstrap/roles/mac/tasks/main.yaml | 7 +++ .../tasks/main.yaml} | 1 - .../roles/runtime_security/defaults/main.yaml | 5 -- .../roles/runtime_security/meta/main.yaml | 7 --- .../roles/runtime_security/tasks/main.yaml | 19 ------- 14 files changed, 59 insertions(+), 93 deletions(-) rename collections/ansible_collections/nekrohaven/bootstrap/roles/{runtime_security/tasks/antivirus.yaml => antivirus/tasks/main.yaml} (100%) delete mode 100644 collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/tasks/unbound.yaml rename collections/ansible_collections/nekrohaven/bootstrap/roles/{runtime_security/tasks/hardened_malloc.yaml => hardened_malloc/tasks/main.yaml} (100%) rename collections/ansible_collections/nekrohaven/bootstrap/roles/{dns_internal/tasks/ipsec.yaml => ipsec/tasks/main.yaml} (94%) rename collections/ansible_collections/nekrohaven/bootstrap/roles/{dns_internal => ipsec}/templates/ipsec.conf.j2 (100%) rename collections/ansible_collections/nekrohaven/bootstrap/roles/{dns_internal => ipsec}/templates/ipsec.secrets.j2 (100%) rename collections/ansible_collections/nekrohaven/bootstrap/roles/{runtime_security => mac}/tasks/apparmor.yaml (51%) create mode 100644 collections/ansible_collections/nekrohaven/bootstrap/roles/mac/tasks/main.yaml rename collections/ansible_collections/nekrohaven/bootstrap/roles/{runtime_security/tasks/peripherals.yaml => peripherals/tasks/main.yaml} (67%) delete mode 100644 
collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/defaults/main.yaml delete mode 100644 collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/meta/main.yaml delete mode 100644 collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/main.yaml diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/antivirus.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/antivirus/tasks/main.yaml similarity index 100% rename from collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/antivirus.yaml rename to collections/ansible_collections/nekrohaven/bootstrap/roles/antivirus/tasks/main.yaml diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/defaults/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/defaults/main.yaml index ab1052c..0cb2f29 100644 --- a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/defaults/main.yaml +++ b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/defaults/main.yaml @@ -1,5 +1,7 @@ # roles/dns/defaults/main.yaml --- -dns_port: "{{ lookup('env', 'DNS_PORT') }}" -dns_host_authoritative: "{{ lookup('env', 'AUTHORITATIVE_DNS') }}" -dns_host_public: "{{ lookup('env', 'PUBLIC_DNS_1') }}" +dns_internal_domain: "" +dns_internal_port: "{{ lookup('env', 'DNS_PORT') }}" +# This is the top-level authoritative DNS (usually the router) +dns_internal_authoritative_ipv4: "" +dns_internal_host_fqdn: "{{ ansible_hostname }}.{{ dns_internal_domain }}" diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/tasks/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/tasks/main.yaml index 9b3326a..4a9dd23 100644 --- a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/tasks/main.yaml 
+++ b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/tasks/main.yaml @@ -1,7 +1,49 @@ -# dns/tasks/main.yaml +# dns/tasks/unbound.yaml --- -- name: Setup IPSec - include_tasks: ipsec.yaml +- name: Get service facts + ansible.builtin.service_facts: -- name: Setup host-level DNS - include_tasks: unbound.yaml +- name: Install unbound + ansible.builtin.package: + name: "{{ item }}" + state: present + update_cache: true + with_items: + - unbound + - unbound-anchor + +- name: Configure AppArmor for Unbound + block: + - name: Configure AppArmor for access to logfile + ansible.builtin.lineinfile: + path: /etc/unbound/unbound.conf + line: ' /var/log/unbound.log rw,' + insertbefore: '}$' + state: present + register: aa_unbound + + - name: Reload AppArmor + ansible.builtin.command: apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound + when: aa_unbound.changed + when: ansible_facts['services']['apparmor.service']['status'] | default('not-found') != 'not-found' + +- name: Setup trust anchor + ansible.builtin.command: unbound-anchor -a /var/lib/unbound/root.key + +- name: Configure unbound + ansible.builtin.template: + src: unbound.conf.j2 + dest: /etc/unbound/unbound.conf + +- name: Configure interface resolver + ansible.builtin.lineinfile: + path: /etc/network/interfaces + line: ' dns-nameservers 127.0.0.1' + insertafter: '^iface vmbr0 inet static' + state: present + +- name: Configure resolv.conf + ansible.builtin.template: + src: resolv.conf.j2 + dest: /etc/resolv.conf + backup: true diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/tasks/unbound.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/tasks/unbound.yaml deleted file mode 100644 index 8de83d1..0000000 --- a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/tasks/unbound.yaml +++ /dev/null 
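Review bot: `Setup trust anchor` runs `unbound-anchor -a /var/lib/unbound/root.key` as a bare `command`, but unbound-anchor exits 1 when it creates or updates the key from the built-in anchor — which is exactly what happens on first run — so the play fails on a fresh host, and on later runs the task reports "changed" every time. Register the result and use `changed_when: anchor.rc == 1` with `failed_when: anchor.rc not in [0, 1]`, and make the file owned by `unbound` so the daemon can roll the anchor itself through `auto-trust-anchor-file` (RFC 5011). Nothing in this hunk reloads or restarts Unbound after `Configure unbound` writes the template, so a changed config is not applied until the next reboot; add `notify: Restart unbound` with a matching handler. The `Configure resolv.conf` task also keeps no `validate`, so a broken render replaces the live resolver config.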
@@ -1,40 +0,0 @@ -# dns/tasks/unbound.yaml ---- -- name: Install unbound - ansible.builtin.package: - name: ["unbound", "unbound-anchor"] - state: present - update_cache: true - -- name: Configure AppArmor for access to logfile - ansible.builtin.lineinfile: - path: /etc/unbound/unbound.conf - line: ' /var/log/unbound.log rw,' - insertbefore: '}$' - state: present - register: aa_unbound - -- name: Reload AppArmor - ansible.builtin.command: apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound - when: aa_unbound.changed - -- name: Setup trust anchor - ansible.builtin.command: unbound-anchor -a /var/lib/unbound/root.key - -- name: Configure unbound - ansible.builtin.template: - src: unbound.conf.j2 - dest: /etc/unbound/unbound.conf - -- name: Configure interface resolver - ansible.builtin.lineinfile: - path: /etc/network/interfaces - line: ' dns-nameservers 127.0.0.1' - insertafter: '^iface vmbr0 inet static' - state: present - -- name: Configure resolv.conf - ansible.builtin.template: - src: resolv.conf.j2 - dest: /etc/resolv.conf - backup: true diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/hardened_malloc.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/hardened_malloc/tasks/main.yaml similarity index 100% rename from collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/hardened_malloc.yaml rename to collections/ansible_collections/nekrohaven/bootstrap/roles/hardened_malloc/tasks/main.yaml diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/tasks/ipsec.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/ipsec/tasks/main.yaml similarity index 94% rename from collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/tasks/ipsec.yaml rename to collections/ansible_collections/nekrohaven/bootstrap/roles/ipsec/tasks/main.yaml index ff82811..8d58eb7 100644 
--- a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/tasks/ipsec.yaml +++ b/collections/ansible_collections/nekrohaven/bootstrap/roles/ipsec/tasks/main.yaml @@ -1,4 +1,3 @@ -# dns/tasks/ipsec.yaml --- - name: Install strongswan ansible.builtin.apt: diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/ipsec.conf.j2 b/collections/ansible_collections/nekrohaven/bootstrap/roles/ipsec/templates/ipsec.conf.j2 similarity index 100% rename from collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/ipsec.conf.j2 rename to collections/ansible_collections/nekrohaven/bootstrap/roles/ipsec/templates/ipsec.conf.j2 diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/ipsec.secrets.j2 b/collections/ansible_collections/nekrohaven/bootstrap/roles/ipsec/templates/ipsec.secrets.j2 similarity index 100% rename from collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/ipsec.secrets.j2 rename to collections/ansible_collections/nekrohaven/bootstrap/roles/ipsec/templates/ipsec.secrets.j2 diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/apparmor.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/mac/tasks/apparmor.yaml similarity index 51% rename from collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/apparmor.yaml rename to collections/ansible_collections/nekrohaven/bootstrap/roles/mac/tasks/apparmor.yaml index ce17e9a..586192d 100644 --- a/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/apparmor.yaml +++ b/collections/ansible_collections/nekrohaven/bootstrap/roles/mac/tasks/apparmor.yaml @@ -1,4 +1,3 @@ -# security/tasks/apparmor.yaml --- - name: Ensure apparmor and apparmor-utils is present ansible.builtin.apt: 
@@ -16,14 +15,3 @@ enabled: true # TODO: define custom rules if necessary - -- name: Register aa-status output - ansible.builtin.shell: - command: aa-status --complaining - register: aa_status_complaining - -- name: Get processes in complain mode - ansible.builtin.debug: - msg: "WARNING: Some AppArmor processes are in complain mode" - when: aa_status_complaining.stdout > 0 - diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/mac/tasks/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/mac/tasks/main.yaml new file mode 100644 index 0000000..2734554 --- /dev/null +++ b/collections/ansible_collections/nekrohaven/bootstrap/roles/mac/tasks/main.yaml @@ -0,0 +1,7 @@ +--- +- name: Setup MAC using AppArmor + import_tasks: + file: apparmor.yaml + when: mac_module is defined and mac_module == "apparmor" + +# TODO: SELinux diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/peripherals.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/peripherals/tasks/main.yaml similarity index 67% rename from collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/peripherals.yaml rename to collections/ansible_collections/nekrohaven/bootstrap/roles/peripherals/tasks/main.yaml index f2bc80c..c648d50 100644 --- a/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/peripherals.yaml +++ b/collections/ansible_collections/nekrohaven/bootstrap/roles/peripherals/tasks/main.yaml @@ -1,3 +1,2 @@ -# roles/security/tasks/peripherals.yaml --- # TODO: disable data transfer/communication peripherals not in use (e.g. USB) diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/defaults/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/defaults/main.yaml deleted file mode 100644 index 78db05f..0000000 
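Review bot: The new `mac` role installs and starts AppArmor but nothing checks that profiles actually end up in enforce mode, and this commit removes the one (non-functional) complain-mode check the old role had, so a host with profiles stuck in complain passes the bootstrap silently. A post-condition that parses `aa-status --json` (its `profiles` map is name → mode) and asserts no entry is `complain` closes that gap. Also consider an explicit `ansible.builtin.fail` for unknown `mac_module` values — with the SELinux branch still a TODO, a typo in the inventory leaves the host without any MAC and no error.
```yaml
- name: Read AppArmor status
  ansible.builtin.command: aa-status --json
  register: mac_aa_status
  changed_when: false

- name: Assert no profiles are in complain mode
  ansible.builtin.assert:
    that:
      - "(mac_aa_status.stdout | from_json).profiles.values() | select('equalto', 'complain') | list | length == 0"
    fail_msg: "Some AppArmor profiles are in complain mode"
```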
--- a/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/defaults/main.yaml +++ /dev/null @@ -1,5 +0,0 @@ -# roles/runtime_security/defaults/main.yaml ---- -runtime_security_service_disable_list: - - squid-http - - rpcbind diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/meta/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/meta/main.yaml deleted file mode 100644 index 2a4d1c3..0000000 --- a/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/meta/main.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# roles/runtime_security/meta/main.yaml ---- -galaxy_info: - author: rslangl - description: Runtime security role -dependencies: - - role: prelude diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/main.yaml deleted file mode 100644 index ec2b70a..0000000 --- a/collections/ansible_collections/nekrohaven/bootstrap/roles/runtime_security/tasks/main.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# roles/security/tasks/main.yaml ---- -- name: Ensure specified services are disabled - ansible.builtin.service: - name: "{{ service_disable }}" - state: stopped - enabled: false - loop: "{{ runtime_security_service_disable_list }}" - loop_control: - loop_var: service_disable - -- name: Setup hardened malloc - include_tasks: hardened_malloc.yaml - -- name: Setup AppArmor - include_tasks: apparmor.yaml - -- name: Setup antivirus - include_tasks: antivirus.yaml From 6f88b30da397e812d5260383dd9b822086cc0ea8 Mon Sep 17 00:00:00 2001 
From: rslangl Date: Mon, 9 Feb 2026 22:51:44 +0100 Subject: [PATCH 5/7] chore: restructuring existing roles --- README.md | 3 ++- ansible.cfg | 1 - orchestration/stage_1/.gitignore | 1 + orchestration/stage_1/inventory.yaml | 9 ++++++- orchestration/stage_1/playbook.yaml | 38 ++++++++++++++++++++++------ 5 files changed, 41 insertions(+), 11 deletions(-) create mode 100644 orchestration/stage_1/.gitignore diff --git a/README.md b/README.md index ce38130..7586a22 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,8 @@ TODO Install collection and run locally: ```shell -ansible-galaxy collection install ./collections/ansible_collections/nekrohaven/bootstrap +ansible-galaxy collection build +ansible-galaxy collection install nekrohaven-bootstrap-*.tar.gz --force ansible-playbook orchestrator/stage_1/playbook.yaml -i orchestrator/stage_1/inventory.yaml ``` diff --git a/ansible.cfg b/ansible.cfg index 3df3b17..0a1eb1b 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,3 +1,2 @@ [defaults] collections_paths = ./collections -roles_path = ./collections/ansible_collections/nekrohaven/bootstrap/roles diff --git a/orchestration/stage_1/.gitignore b/orchestration/stage_1/.gitignore new file mode 100644 index 0000000..e665358 --- /dev/null +++ b/orchestration/stage_1/.gitignore @@ -0,0 +1 @@ +inventory.yaml diff --git a/orchestration/stage_1/inventory.yaml b/orchestration/stage_1/inventory.yaml index 3a08565..1063003 100644 --- a/orchestration/stage_1/inventory.yaml +++ b/orchestration/stage_1/inventory.yaml @@ -4,5 +4,12 @@ all: app_servers: hosts: hv01: - ansible_host: 14.88.0.1 + ansible_host: 14.88.0.10 ansible_user: root + vars: + service_disable_list: + - rpcbind + mac_module: apparmor + dns_internal_domain: nekrohaven.io + dns_internal_authoritative_ipv4: 14.88.0.1 + diff --git a/orchestration/stage_1/playbook.yaml b/orchestration/stage_1/playbook.yaml index 6762a7b..84180a8 100644 --- a/orchestration/stage_1/playbook.yaml +++ b/orchestration/stage_1/playbook.yaml 
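Review bot: Adding `inventory.yaml` to `orchestration/stage_1/.gitignore` has no effect on a file that is already tracked — this same commit still diffs `orchestration/stage_1/inventory.yaml` with host addresses and per-host vars in it, and so does the next one in the series. If the intent is to keep the real inventory out of the repository, run `git rm --cached orchestration/stage_1/inventory.yaml` once and commit a sanitized `inventory.example.yaml` next to the ignore rule; otherwise drop the rule so it does not suggest the data is untracked when it is not.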
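Review bot: The inventory keeps `ansible_user: root` for `hv01` while the play it drives creates a dedicated service account; nothing in the series switches later connections to that account or disables root SSH login afterwards, so the bootstrap leaves the hypervisor reachable as root over SSH. Consider `ansible_user: ansible` (the `service_account_name` default) for subsequent stages and a `PermitRootLogin no` step once the account is verified to work. The addresses `14.88.0.1`/`14.88.0.10` are also outside RFC 1918 space; if this is a lab LAN, a private prefix avoids publishing routable addresses and the later Unbound `access-control: 10.0.0.0/8` in this series would actually match the hosts.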
@@ -1,22 +1,44 @@ --- -# - name: Base access and identiy -# hosts: all -# roles: -# - nekrohaven.bootstrap.service_account -# # - name: Configure router # hosts: routers # roles: -# - nekrohaven.bootstrap.router +# - name: Create service account +# import_role: +# name: nekrohaven.bootstrap.service_account # +# - name: Configure router +# import_role: nekrohaven.bootstrap.router + - name: Configure hypervisors hosts: app_servers tasks: - name: Create service account import_role: name: nekrohaven.bootstrap.service_account - # - nekrohaven.bootstrap.prelude - # - nekrohaven.bootstrap.dns_internal + + - name: Setup base configurations + import_role: + name: nekrohaven.bootstrap.prelude + + - name: Ensure specified services are disabled + ansible.builtin.service: + name: "{{ service_disable }}" + state: stopped + enabled: false + loop: "{{ service_disable_list }}" + loop_control: + loop_var: service_disable + when: service_disable_list | length > 0 + ignore_errors: true + + - name: Configure MAC module + import_role: + name: nekrohaven.bootstrap.mac + when: mac_module is defined + + - name: Configure host-based DNS + import_role: + name: nekrohaven.bootstrap.dns_internal # - nekrohaven.bootstrap.runtime_security # - nekrohaven.bootstrap.firewall From f295cebad5103a4a4d52c32fc4321bcbf3b9942f Mon Sep 17 00:00:00 2001 From: rslangl Date: Tue, 10 Feb 2026 18:47:01 +0100 Subject: [PATCH 6/7] chore: ensure internal DNS role runs --- .../roles/dns_internal/defaults/main.yaml | 8 ++++---- .../bootstrap/roles/dns_internal/meta/main.yaml | 2 -- .../roles/dns_internal/templates/resolv.conf.j2 | 2 +- .../roles/dns_internal/templates/unbound.conf.j2 | 14 ++++++-------- .../bootstrap/roles/mac/tasks/apparmor.yaml | 6 +++--- 5 files changed, 14 insertions(+), 18 deletions(-) 
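Review bot: `ignore_errors: true` on `Ensure specified services are disabled` hides exactly the failure this hardening task exists to catch — if stopping or disabling `rpcbind` fails, the play continues and reports success. Gate the task on gathered service facts instead of swallowing errors, default the list so the `when` does not error when `service_disable_list` is undefined, and note that on systemd hosts rpcbind is typically socket-activated, so stopping `rpcbind.service` is not enough unless `rpcbind.socket` is disabled or the unit is masked (the list should then hold full unit names). Separately, the roles split out of `runtime_security` in this series (`hardened_malloc`, `antivirus`, `peripherals`) are no longer imported anywhere and `firewall` stays commented out, so the hypervisor ends this stage with Unbound listening on all interfaces and no host firewall.
```yaml
    - name: Gather service facts
      ansible.builtin.service_facts:

    - name: Ensure specified services are disabled
      ansible.builtin.systemd:
        name: "{{ service_disable }}"
        state: stopped
        enabled: false
        masked: true
      loop: "{{ service_disable_list | default([]) }}"
      loop_control:
        loop_var: service_disable
      when: service_disable in ansible_facts.services
```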
diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/defaults/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/defaults/main.yaml index 0cb2f29..96379d0 100644 --- a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/defaults/main.yaml +++ b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/defaults/main.yaml @@ -1,7 +1,7 @@ # roles/dns/defaults/main.yaml --- -dns_internal_domain: "" -dns_internal_port: "{{ lookup('env', 'DNS_PORT') }}" +dns_internal_domain: "{{ lookup('ansible.builtin.vars', 'internal_domain') }}" +dns_internal_port: 53 # This is the top-level authoritative DNS (usually the router) -dns_internal_authoritative_ipv4: "" -dns_internal_host_fqdn: "{{ ansible_hostname }}.{{ dns_internal_domain }}" +dns_internal_authoritative_ipv4: "{{ lookup('ansible.builtin.vars', 'dns_authoritative') }}" +dns_internal_host_fqdn: "{{ ansible_facts['nodename'] }}.{{ dns_internal_domain }}" diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/meta/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/meta/main.yaml index 6dd1bd2..beeb68e 100644 --- a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/meta/main.yaml +++ b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/meta/main.yaml @@ -3,5 +3,3 @@ galaxy_info: author: rslangl description: DNS role -dependencies: - - role: runtime_security diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/resolv.conf.j2 b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/resolv.conf.j2 index ff63277..f3e8e9f 100644 --- a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/resolv.conf.j2 +++ b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/resolv.conf.j2 
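Review bot: The defaults now resolve `dns_internal_domain` and `dns_internal_authoritative_ipv4` through `lookup('ansible.builtin.vars', ...)` on unprefixed inventory variables, so a host that lacks `internal_domain` or `dns_authoritative` only errors when the template is rendered deep inside the role, after packages were installed and the trust anchor written. Fail fast at role entry with an assert on the role's own variables, which also documents what the role actually requires; the `dns_internal_port: 53` change is a good fix for the empty-port render the env lookup produced.
```yaml
- name: Validate required DNS variables
  ansible.builtin.assert:
    that:
      - dns_internal_domain | default('') | length > 0
      - dns_internal_authoritative_ipv4 | default('') is match('^\d{1,3}(\.\d{1,3}){3}$')
    fail_msg: "dns_internal_domain and dns_internal_authoritative_ipv4 must be set for {{ inventory_hostname }}"
```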
@@ -2,4 +2,4 @@ DNS=127.0.0.1 DNSSEC=yes DNSStubListener=no -Domains={{ dns_domain }} +Domains={{ dns_internal_domain }} diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/unbound.conf.j2 b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/unbound.conf.j2 index 62778b3..406bc13 100644 --- a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/unbound.conf.j2 +++ b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/unbound.conf.j2 @@ -3,9 +3,9 @@ server: verbosity: 1 interface: 0.0.0.0 - port: {{ dns.port }} + port: "{{ dns_internal_port }}" #interface: ::0 # not used, ipv6 is disabled - access-control: 127.0.0.0/8 allow + access-control: 127.0.0.0/8 allow #access-control: ::1 allow # not used, ipv6 is disabled logfile: /var/log/unbound.log @@ -13,9 +13,9 @@ server: cache-min-ttl: 3600 auto-trust-anchor-file: "/var/lib/unbound/root.key" - local-zone: "{{ dns.authoritative }}" transparent - local-zone: "{{ host_fqdn }}" static - local-data: "{{ host_fqdn }} A {{ ansible_default_ipv4.address }}" + local-zone: "{{ dns_internal_authoritative_ipv4 }}" transparent + local-zone: "{{ dns_internal_host_fqdn }}" static + local-data: "{{ dns_internal_host_fqdn }} A {{ ansible_default_ipv4.address }}" # Localhost/VM DNS resolution for internal names #local-data: "myvm.local. IN A 192.168.1.10" @@ -23,6 +23,4 @@ server: forward-zone: name: "." - forward-addr: {{ dns.authoritative }}@{{ dns.port }} - #forward-addr: {{ dns.public_dns_1 }} - #forward-addr: {{ dns.public_dns_2 }} + forward-addr: "{{ dns_internal_authoritative_ipv4 }}@{{ dns_internal_port }}" diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/mac/tasks/apparmor.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/mac/tasks/apparmor.yaml index 586192d..1df4d21 100644 
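Review bot: This template is written to `/etc/resolv.conf` by the role, but its body (`DNS=`, `DNSSEC=`, `DNSStubListener=`, `Domains=`) is systemd-resolved `[Resolve]` syntax that the glibc stub resolver does not understand — glibc ignores every line and only ends up at localhost by its built-in fallback, and the search domain is lost. Either write glibc syntax — `nameserver 127.0.0.1`, `search {{ dns_internal_domain }}`, `options edns0 trust-ad` (trust-ad lets the AD bit from the local validating Unbound through on glibc 2.31+) — or, if systemd-resolved is the real target, install the file under `/etc/systemd/resolved.conf.d/` and restart resolved, where `DNSStubListener=no` is what frees port 53 for Unbound. Which applies depends on whether the hypervisor runs systemd-resolved, which the series does not show.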
--- a/collections/ansible_collections/nekrohaven/bootstrap/roles/mac/tasks/apparmor.yaml +++ b/collections/ansible_collections/nekrohaven/bootstrap/roles/mac/tasks/apparmor.yaml @@ -4,9 +4,9 @@ name: "{{ item }}" state: present update_cache: true - with_items: - - apparmor - - apparmor-utils + with_items: + - apparmor + - apparmor-utils - name: Start apparmor service ansible.builtin.service: From 9ddfae6d71ae8db59bdf7046da68846b675ffe00 Mon Sep 17 00:00:00 2001 
From: rslangl Date: Tue, 10 Feb 2026 21:11:18 +0100 Subject: [PATCH 7/7] chore: re-work DNS layout --- README.md | 10 ++++ .../handlers/main.yaml | 0 .../tasks/dnscrypt-proxy.yaml | 0 .../tasks/main.yaml | 0 .../tasks/unbound.yaml | 0 .../templates/dnscrypt-proxy.toml.j2 | 0 .../templates/unbound.conf.j2 | 52 +++++++++++++++++++ .../roles/dns_authoritative/templates/zone.j2 | 17 ++++++ .../dns_external/templates/unbound.conf.j2 | 40 -------------- .../roles/dns_internal/defaults/main.yaml | 1 + .../roles/dns_internal/tasks/main.yaml | 12 ++++- .../dns_internal/templates/unbound.conf.j2 | 24 +++++---- orchestration/stage_1/inventory.yaml | 7 ++- 13 files changed, 108 insertions(+), 55 deletions(-) rename collections/ansible_collections/nekrohaven/bootstrap/roles/{dns_external => dns_authoritative}/handlers/main.yaml (100%) rename collections/ansible_collections/nekrohaven/bootstrap/roles/{dns_external => dns_authoritative}/tasks/dnscrypt-proxy.yaml (100%) rename collections/ansible_collections/nekrohaven/bootstrap/roles/{dns_external => dns_authoritative}/tasks/main.yaml (100%) rename collections/ansible_collections/nekrohaven/bootstrap/roles/{dns_external => dns_authoritative}/tasks/unbound.yaml (100%) rename collections/ansible_collections/nekrohaven/bootstrap/roles/{dns_external => dns_authoritative}/templates/dnscrypt-proxy.toml.j2 (100%) create mode 100644 collections/ansible_collections/nekrohaven/bootstrap/roles/dns_authoritative/templates/unbound.conf.j2 create mode 100644 collections/ansible_collections/nekrohaven/bootstrap/roles/dns_authoritative/templates/zone.j2 delete mode 100644 collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/templates/unbound.conf.j2 diff --git a/README.md b/README.md index 7586a22..928e26c 100644 --- a/README.md +++ b/README.md 
@@ -27,3 +27,13 @@ Using nix, which spins up a nix-shell containing all tools required: ```shell nix develop .#default ``` + +## TODO + +* DNS: + * Resilience: top-level DNS (router) specifies an Unbound zonefile + * Internal DNS fetches from master + * Clients should add both the hypervisor and the router as nameservers + * DNSSEC: +* IPsec: + diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/handlers/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_authoritative/handlers/main.yaml similarity index 100% rename from collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/handlers/main.yaml rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_authoritative/handlers/main.yaml diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/tasks/dnscrypt-proxy.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_authoritative/tasks/dnscrypt-proxy.yaml similarity index 100% rename from collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/tasks/dnscrypt-proxy.yaml rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_authoritative/tasks/dnscrypt-proxy.yaml diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/tasks/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_authoritative/tasks/main.yaml similarity index 100% rename from collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/tasks/main.yaml rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_authoritative/tasks/main.yaml 
diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/tasks/unbound.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_authoritative/tasks/unbound.yaml similarity index 100% rename from collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/tasks/unbound.yaml rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_authoritative/tasks/unbound.yaml diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/templates/dnscrypt-proxy.toml.j2 b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_authoritative/templates/dnscrypt-proxy.toml.j2 similarity index 100% rename from collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/templates/dnscrypt-proxy.toml.j2 rename to collections/ansible_collections/nekrohaven/bootstrap/roles/dns_authoritative/templates/dnscrypt-proxy.toml.j2 diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_authoritative/templates/unbound.conf.j2 b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_authoritative/templates/unbound.conf.j2 new file mode 100644 index 0000000..f6e87eb --- /dev/null +++ b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_authoritative/templates/unbound.conf.j2 
@@ -0,0 +1,52 @@ +# Generated unbound.conf + +server: + + # Disable Unbound's own recursion + # do-not-query-localhost: no + # do-ip6: no + # do-daemonize: no + # hide-identity: yes + # harden-glue: yes + # harden-dnssec-stripped: yes + # use-caps-for-ids: yes + # prefetch: yes + # cache-max-ttl: 86400 + # cache-min-ttl: 3600 + # + # # Enable DNSSEC + # auto-trust-anchor-file: "/var/unbound/root.key" # NOTE: can be fetched/updated with `unbound-anchor -a "/var/unbound/root.key"` + # val-clean-additional: yes + # val-log-level: 1 + # ipsecmod-enabled: yes + # module-config: "ipsecmod validator iterator" + # validator: + # validator-config: yes + # + # local-zone: "{{ domain }}" static + # {% for host in hosts %} + # local-data: "{{ host.fqdn }} IN A {{ host.ipv4 }}" + # {% endfor %} + +server: + verbosity: 1 + # Listens for LAN clients + #interface: 0.0.0.0 + # Listens for DNSCrypt-proxy + interface: 127.0.0.1 + access-control: 127.0.0.0/8 allow + logfile: /var/log/unbound.log + + auth-zone: + name: "{{ dns_internal_domain }}" + # The master config, typically /etc/unbound/zones/internal.lan.zone + zonefile: "{{ dns_internal_zonefile }}" + {% dns_host in dns_internal_hosts %} + allow-notify: "{{ dns_host }}" + allow-transfer: "{{ dns_host }}" + {% endfor %} + allow-notify: "{{ dns_internal_hosts }}" + + forward-zone: + name: "." + forward-addr: 127.0.0.1@5353 # DNSCrypt-proxy diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_authoritative/templates/zone.j2 b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_authoritative/templates/zone.j2 new file mode 100644 index 0000000..7f5d0bc --- /dev/null +++ b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_authoritative/templates/zone.j2 
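Review bot: The new template does not render: `{% dns_host in dns_internal_hosts %}` is missing the `for` keyword (`{% for dns_host in dns_internal_hosts %}`), and the trailing `allow-notify: "{{ dns_internal_hosts }}"` would emit a Python list literal. Beyond syntax, `allow-transfer` is not an Unbound `auth-zone` option and, as far as I know, Unbound does not serve AXFR/IXFR at all, so a secondary pulling this zone via `master:` needs a real authoritative server (NSD, Knot) on the router, or the zonefile distributed to both hosts by Ansible. Note too that all the hardening and DNSSEC validation from the replaced config (`harden-glue`, `harden-dnssec-stripped`, `use-caps-for-ids`, `auto-trust-anchor-file`) is now commented out, and `interface: 127.0.0.1` alone means neither LAN clients nor the secondary can reach this instance; re-enable those lines and listen on the LAN address with a matching `access-control`.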
@@ -0,0 +1,17 @@ +$TTL 3600 +@ IN SOA {{ dns_authoritative_host }}. ( + 2026021001 ; serial + 3600 ; refresh + 900 ; retry + 1209600 ; expire + 3600 ) ; minimum + + {% dns_host in dns_service_hosts %} + IN NS {{ dns_host.hostaddr }}. + {% endfor %} + +{% dns_host in dns_service_hosts %} +{{ dns_host.hostname }} IN A {{ dns_host.ipv4 }} +{% endfor %} + + diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/templates/unbound.conf.j2 b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/templates/unbound.conf.j2 deleted file mode 100644 index 2861312..0000000 --- a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_external/templates/unbound.conf.j2 +++ /dev/null @@ -1,40 +0,0 @@ -# Generated unbound.conf - -server: - verbosity: 1 - interface: {{ ansible_host }} # Listens for LAN clients - interface: 127.0.0.1 # Listens for DNSCrypt-proxy - port: 53 - access-control: {{ ansible_host }}/24 allow - access-control: 127.0.0.0/8 allow - logfile: /var/log/unbound.log - - # Disable Unbound's own recursion - do-not-query-localhost: no - do-ip6: no - do-daemonize: no - hide-identity: yes - harden-glue: yes - harden-dnssec-stripped: yes - use-caps-for-ids: yes - prefetch: yes - cache-max-ttl: 86400 - cache-min-ttl: 3600 - - # Enable DNSSEC - auto-trust-anchor-file: "/var/unbound/root.key" # NOTE: can be fetched/updated with `unbound-anchor -a "/var/unbound/root.key"` - val-clean-additional: yes - val-log-level: 1 - ipsecmod-enabled: yes - module-config: "ipsecmod validator iterator" - validator: - validator-config: yes - - local-zone: "{{ domain }}" static - {% for host in hosts %} - local-data: "{{ host.fqdn }} IN A {{ host.ipv4 }}" - {% endfor %} - - forward-zone: - name: "." - forward-addr: 127.0.0.1@5353 # DNSCrypt-proxy 
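Review bot: The SOA record is missing the RNAME field — `@ IN SOA {{ dns_authoritative_host }}. (` has only the primary name server — so the zone will not load; it should read `@ IN SOA {{ dns_authoritative_host }}. hostmaster.{{ dns_internal_domain }}. (`. The two `{% dns_host in dns_service_hosts %}` loops are missing `for`, `IN NS {{ dns_host.hostaddr }}.` points an NS record at an address where a hostname with an A record is required, and the hard-coded serial `2026021001` never changes when hosts are added, so secondaries would never refresh — render it from a variable (e.g. `{{ dns_zone_serial }}`) that is bumped with the host list, or from `{{ ansible_date_time.epoch }}` if rewriting the zone on every run is acceptable.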
diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/defaults/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/defaults/main.yaml index 96379d0..1834d9e 100644 --- a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/defaults/main.yaml +++ b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/defaults/main.yaml @@ -5,3 +5,4 @@ dns_internal_port: 53 # This is the top-level authoritative DNS (usually the router) dns_internal_authoritative_ipv4: "{{ lookup('ansible.builtin.vars', 'dns_authoritative') }}" dns_internal_host_fqdn: "{{ ansible_facts['nodename'] }}.{{ dns_internal_domain }}" +dns_internal_host_ipv4: "{{ ansible_facts['default_ipv4']['address'] }}" diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/tasks/main.yaml b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/tasks/main.yaml index 4a9dd23..181895c 100644 --- a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/tasks/main.yaml +++ b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/tasks/main.yaml @@ -16,7 +16,7 @@ block: - name: Configure AppArmor for access to logfile ansible.builtin.lineinfile: - path: /etc/unbound/unbound.conf + path: /etc/apparmor.d/usr.sbin.unbound line: ' /var/log/unbound.log rw,' insertbefore: '}$' state: present @@ -30,6 +30,14 @@ - name: Setup trust anchor ansible.builtin.command: unbound-anchor -a /var/lib/unbound/root.key +- name: Ensure presence of log file + ansible.builtin.file: + path: /var/log/unbound.log + state: touch + owner: unbound + group: unbound + mode: "0640" + - name: Configure unbound ansible.builtin.template: src: unbound.conf.j2 
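Review bot: Editing the packaged profile `/etc/apparmor.d/usr.sbin.unbound` in place means the next unbound or apparmor package upgrade either overwrites the rule or raises a conffile prompt. If the packaged profile includes `local/usr.sbin.unbound`, as most Debian profiles do, put the rule in `/etc/apparmor.d/local/usr.sbin.unbound` with `create: true` instead of `insertbefore: '}$'`, and keep the `apparmor_parser -r` reload on the main profile. `insertbefore` without `firstmatch` also targets the last `}` in the file, which is only the profile's closing brace when there are no nested hats.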
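Review bot: `state: touch` on `/var/log/unbound.log` reports changed and bumps the timestamps on every run, so the role is never idempotent. Add `modification_time: preserve` and `access_time: preserve` to the task, which still creates the file as `unbound:unbound` with `0640` when it is missing. The task list continues outside this hunk.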
@@ -38,7 +46,7 @@ - name: Configure interface resolver ansible.builtin.lineinfile: path: /etc/network/interfaces - line: ' dns-nameservers 127.0.0.1' + line: '\tdns-nameservers 127.0.0.1' insertafter: '^iface vmbr0 inet static' state: present diff --git a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/unbound.conf.j2 b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/unbound.conf.j2 index 406bc13..399fd0a 100644 --- a/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/unbound.conf.j2 +++ b/collections/ansible_collections/nekrohaven/bootstrap/roles/dns_internal/templates/unbound.conf.j2 @@ -1,26 +1,28 @@ # Generated unbound.conf server: + do-ip6: no verbosity: 1 interface: 0.0.0.0 port: "{{ dns_internal_port }}" - #interface: ::0 # not used, ipv6 is disabled access-control: 127.0.0.0/8 allow - #access-control: ::1 allow # not used, ipv6 is disabled + access-control: 10.0.0.0/8 allow + logfile: /var/log/unbound.log cache-max-ttl: 86400 cache-min-ttl: 3600 auto-trust-anchor-file: "/var/lib/unbound/root.key" - local-zone: "{{ dns_internal_authoritative_ipv4 }}" transparent - local-zone: "{{ dns_internal_host_fqdn }}" static - local-data: "{{ dns_internal_host_fqdn }} A {{ ansible_default_ipv4.address }}" - # Localhost/VM DNS resolution for internal names - #local-data: "myvm.local. IN A 192.168.1.10" - #local-data: "anothervm.local. IN A 192.168.1.11" + # Internal-only zone + local-zone: "{{ dns_internal_domain }}" static + local-data: "{{ dns_internal_host_fqdn }} A {{ dns_internal_host_ipv4 }}" - forward-zone: - name: "." - forward-addr: "{{ dns_internal_authoritative_ipv4 }}@{{ dns_internal_port }}" + auth-zone: + name: "{{ dns_internal_domain }}." + # The top-level DNS, usually the router + master: "{{ dns_internal_master_ipv4 }}" + # forward-zone: + # name: "." + # forward-addr: "{{ dns_internal_authoritative_ipv4 }}@{{ dns_internal_port }}" 
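Review bot: `line: '\tdns-nameservers 127.0.0.1'` is single-quoted YAML, where `\t` is not an escape sequence, so lineinfile writes the literal two characters backslash and `t` into `/etc/network/interfaces` instead of a tab and ifupdown will not recognise the option; use double quotes, `line: "\tdns-nameservers 127.0.0.1"`, or keep the space-indented form the line had before. Since `insertafter: '^iface vmbr0 inet static'` is unchanged, the only requirement is that the indentation match the surrounding stanza.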
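Review bot: `master: "{{ dns_internal_master_ipv4 }}"` references a variable this commit does not define — the defaults hunk adds only `dns_internal_host_ipv4`, and the existing name is `dns_internal_authoritative_ipv4` — so unless it is set in the inventory, the template task fails on an undefined variable; if the router is the intended primary, `master: "{{ dns_internal_authoritative_ipv4 }}"` matches the comment above it. The new `local-zone: "{{ dns_internal_domain }}" static` and the `auth-zone` with `name: "{{ dns_internal_domain }}."` cover the same name, so Unbound will answer that zone from only one of them; confirm which one is consulted and keep only that, otherwise the static local-data may shadow the transferred zone. With the `forward-zone` for "." commented out and `access-control: 10.0.0.0/8 allow` added, this instance presumably recurses directly to the root on behalf of every client in 10/8; if that is not the design, narrow the ACL to the actual internal prefix, ideally via a variable in the same style as `dns_internal_port`.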
diff --git a/orchestration/stage_1/inventory.yaml b/orchestration/stage_1/inventory.yaml index 1063003..9efc5b9 100644 --- a/orchestration/stage_1/inventory.yaml +++ b/orchestration/stage_1/inventory.yaml @@ -10,6 +10,9 @@ all: service_disable_list: - rpcbind mac_module: apparmor - dns_internal_domain: nekrohaven.io - dns_internal_authoritative_ipv4: 14.88.0.1 + # dns_internal_domain: nekrohaven.io + # dns_internal_authoritative_ipv4: 14.88.0.1 + vars: + internal_domain: nekrohaven.io + dns_authoritative: 14.88.0.1
