The Ansible playbook in this repository performs the following tasks on FreeBSD 13,
- Install tmux and htop
- Enable and configure IPFW for Fail2ban
- Install and configure Fail2ban for the following services,
  - SSH
  - Shadowsocks
Assumption: The instances run in Google Cloud using the Terraform script below,
- terraform__gcloud-instance
- GitHub: github.com/k3karthic/ansible__freebsd-basic
- Codeberg: codeberg.org/k3karthic/ansible__freebsd-basic
Install the following before running the playbook,
$ ansible-galaxy collection install community.general
$ pip install google-auth requests
$ ansible-galaxy collection install google.cloud
The Google Ansible Inventory Plugin populates public FreeBSD instances.
All target FreeBSD instances must have the label os: freebsd.
- Create inventory/google.gcp_compute.yml based on inventory/google.gcp_compute.yml.sample,
  - Specify the project ID
  - Specify the zone where you have deployed your server on Google Cloud
  - Configure the authentication,
    - Application Default Credentials (auth_kind: application)
      - Import credentials from the Google Cloud Environment (e.g., Google Cloud Shell)
      - Import credentials from Google Cloud SDK if installed
    - Service Account (auth_kind: serviceaccount)
      - Use a service account for authentication. Refer to cloud.google.com/docs/authentication/production#create_service_account.
      - Set service_account_file to the credential file or service_account_contents to the JSON content
    - Machine Account (auth_kind: machineaccount)
      - When running on Compute Engine, use the service account attached to the instance
- Set username and SSH authentication in inventory/group_vars/all.yml
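A minimal inventory file covering the steps above, as an added example and not the repository's own google.gcp_compute.yml.sample. The project ID, zone and credential path are placeholders, and the filter and compose expressions are assumptions about how the os: freebsd label and the public IP are selected:

```yaml
# inventory/google.gcp_compute.yml
# Constructed example; not copied from the repository's .sample file.
plugin: google.cloud.gcp_compute

projects:
  - my-project-id            # placeholder: your Google Cloud project ID
zones:
  - us-central1-a            # placeholder: zone where the server is deployed

# Only running instances carrying the label os: freebsd are returned.
filters:
  - labels.os = freebsd
  - status = RUNNING

# Application Default Credentials: no key file is stored next to the playbook.
auth_kind: application

# Alternative: a service account key file. Keep this file out of version
# control (list it in .gitignore) and readable only by the user running Ansible.
# auth_kind: serviceaccount
# service_account_file: /path/to/credentials.json   # placeholder path

# Alternative when running on Compute Engine with an attached service account:
# auth_kind: machineaccount

# Use the instance name as the inventory hostname and connect over the
# public (NAT) address of the first network interface.
hostnames:
  - name
compose:
  ansible_host: networkInterfaces[0].accessConfigs[0].natIP
```

Running `ansible-inventory -i inventory/google.gcp_compute.yml --graph` lists the hosts the plugin resolved, which confirms the label filter before the playbook is applied.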
Run the playbook using the following command,
$ ./bin/apply.sh
Encrypt sensitive files (SSH private keys) before saving them. .gitignore must contain the unencrypted file paths.
Use the following command to decrypt the files after cloning the repository,
$ ./bin/decrypt.sh
Use the following command after running terraform to update the encrypted files,
$ ./bin/encrypt.sh <gpg key id>
- Reference for fail2ban configuration https://phrye.com/tools/fail2ban-on-freebsd/