cleanup

2025-12-15 22:12:26 +03:00
parent 48ada6fa03
commit f8e1a74786
3 changed files with 5 additions and 155 deletions
--- a/README.md
+++ b/README.md
@@ -6,56 +6,14 @@
 ## 🔧 Возможности
-* 📦 Полная автоматизация развертывания K3s-кластера
+* Полная автоматизация развертывания K3s-кластера
-* 🔐 Реализация лучших практик безопасности (SSH, firewall, user hardening и пр.)
+* Реализация лучших практик безопасности (SSH, firewall, user hardening и пр.)
-* 📜 IaC (Infrastructure as Code) с использованием Ansible, Terraform и Bash
+* IaC (Infrastructure as Code) с использованием Ansible, Terraform и Bash
-## 📁 Структура проекта
+## Структура проекта
 ```
 ├── ansible/                # Ansible playbooks для настройки VM и K3s
 ├── terraform/              # Terraform модули для создания VM в Proxmox
 └── README.md
-```
+```
 ## ⚙️ Требования
 * Proxmox VE 7.x+
 * Terraform 1.0+
 * Ansible 2.10+
 * Bash (Linux/macOS)
 * Доступ к Proxmox через API
 * SSH-ключ для доступа к виртуальным машинам
 ## 🚀 Установка
 1. **Склонируйте репозиторий:**
 ```bash
 git clone https://git.vadzik-iot.ru/vadzik/sac_project.git
 cd k3s-proxmox-sec
 ```
 2. **Настройте переменные окружения и secrets (Terraform/Ansible):**
 3. **Создайте виртуальные машины через Terraform:**
 ```bash
 cd terraform
 terraform init
 terraform apply
 ```
 4. **Запустите Ansible-плейбук для настройки K3s и обеспечения безопасности:**
 ```bash
 cd ../ansible
 ansible-playbook site.yml -i inventory.ini
 ```
 ## 🔐 Безопасность
 * Минимизация прав пользователей
 * Только доступ по SSH-ключу (пароли отключены)
 * Проверка хэшей и сертификатов при установке
--- a/SECURITY_README.md
+++ b/SECURITY_README.md
@@ -1,98 +0,0 @@
 # Security as Code Infrastructure on Proxmox
 This repository contains the Infrastructure as Code (IaC) for deploying a secure Kubernetes cluster on Proxmox using Terraform and Ansible with security policies embedded as code.
 ## Security Features
 ### Terraform Security
 - **Secure VM Configuration**: Virtual machines are created with security best practices:
  - Non-root SSH users
  - Memory limits to prevent resource exhaustion
  - Only approved template images are used
  - Disk encryption available (currently commented)
  - All VMs properly tagged for inventory management
  - EFI disks with secure boot capability
 - **Policy as Code**: Security policies are enforced through:
  - **OPA/Conftest**: Rego policies that enforce security rules during Terraform plan/apply
  - **Trivy**: Comprehensive security scanner for Infrastructure as Code, container images, and dependencies
  - **checkov**: Plan analysis that detects security issues in the final configuration
 ### Ansible Security
 - **SSH Hardening**:
  - Disables password authentication
  - Disables root login
  - Configures secure ciphers and key exchange algorithms
  - Limits user access
 - **System Hardening**:
  - Configures audit rules for comprehensive logging (auditd)
  - Implements fail2ban for brute force protection
  - Configures UFW firewall with restrictive rules
  - Sets up unattended security updates (excluding Kubernetes components)
  - Persistent journald logging
  - Secure sysctl parameters
 - **Kubernetes Security**:
  - RBAC for access control
  - Network Policies for cluster network security
  - Pod Security Standards/Admission for container security
 ## CI/CD Security Pipeline
 The `.gitlab-ci.yml` file defines a complete security pipeline:
 1. **Validation Stage**: 
   - Terraform validation and formatting check
   - Trivy security scanning for IaC misconfigurations and secrets
   - checkov security scanning 
   - Conftest OPA policy validation
 2. **Lint Stage**:
   - Ansible-lint for playbook security issues
   - Conftest checks for Ansible
 3. **Plan/Apply Stage**:
   - Terraform plan reviewed before application
   - Ansible playbook syntax checking
 4. **Test Stage**:
   - Verifies that all nodes are properly configured
 ## Usage
 1. Update Terraform variables in `terraform/terraform.tfvars`
 2. Run security checks:
   ```
   cd terraform
   terraform init
   terraform plan -out=tfplan
   terraform show -json tfplan > tfplan.json
   conftest test tfplan.json -p policies/
   ```
 3. Deploy infrastructure:
   ```
   terraform apply tfplan
   ```
 4. Configure nodes with Ansible:
   ```
   cd ../ansible
   ansible-playbook -i inventory/hosts.ini site.yml
   ```
 ## Policy Enforcement
 - All infrastructure changes must pass the security pipeline
 - Policy violations halt the deployment process
 - Security configuration is maintained by Ansible on a regular schedule
 ## Monitoring and Maintenance
 - Centralized logging configuration
 - Audit logs setup for security events
 - Automatic security updates
 - Network security monitoring
 For more details, see the [README.md](README.md) file for general infrastructure information. 
--- a/ansible/inventory/k3s-cluster/hosts.ini
+++ b/ansible/inventory/k3s-cluster/hosts.ini
@@ -1,10 +0,0 @@
 [master]
 192.168.30.81 ansible_ssh_private_key_file=~/.ssh/iac_proxmox
 [node]
 192.168.30.91 ansible_ssh_private_key_file=~/.ssh/iac_proxmox
 192.168.30.92 ansible_ssh_private_key_file=~/.ssh/iac_proxmox
 [k3s_cluster:children]
 master
 node