feat(监控): 添加Telegraf监控配置和磁盘监控脚本

refactor(容器): 从Docker迁移到Podman并更新Nomad配置 fix(配置): 修复代理和别名配置问题 docs(文档): 更新配置文件和脚本注释 chore(清理): 移除不再使用的Consul和Docker相关文件
2025-09-24 03:46:30 +00:00
parent 3f45ad8361
commit d0e7f64c1d
92 changed files with 3552 additions and 7737 deletions
--- a/configuration/playbooks/security/certificate-management.yml
+++ b/configuration/playbooks/security/certificate-management.yml
@@ -1,152 +0,0 @@
---
- name: SSL Certificate Management and Monitoring
-  hosts: all
-  gather_facts: yes
-  
-  vars:
-    # 常见证书路径
-    cert_paths:
-      - /etc/ssl/certs
-      - /etc/letsencrypt/live
-      - /etc/nginx/ssl
-      - /etc/apache2/ssl
-      - /usr/local/share/ca-certificates
-    
-    # 需要检查的服务端口
-    ssl_services:
-      - { name: "HTTPS", port: 443 }
-      - { name: "SMTPS", port: 465 }
-      - { name: "IMAPS", port: 993 }
-      - { name: "LDAPS", port: 636 }
-  
-  tasks:
-    # 检查证书目录
-    - name: Check certificate directories
-      stat:
-        path: "{{ item }}"
-      register: cert_dirs
-      loop: "{{ cert_paths }}"
-      
-    - name: List existing certificate directories
-      debug:
-        msg: "📁 Certificate directory {{ item.item }}: {{ 'EXISTS' if item.stat.exists else 'NOT FOUND' }}"
-      loop: "{{ cert_dirs.results }}"
-      
-    # 查找证书文件
-    - name: Find certificate files
-      find:
-        paths: "{{ cert_paths }}"
-        patterns: "*.crt,*.pem,*.cert"
-        recurse: yes
-      register: cert_files
-      
-    - name: Display found certificates
-      debug:
-        msg: "🔐 Found {{ cert_files.files | length }} certificate files"
-        
-    # 检查证书过期时间
-    - name: Check certificate expiration
-      shell: |
-        if [ -f "{{ item.path }}" ]; then
-          openssl x509 -in "{{ item.path }}" -noout -enddate 2>/dev/null | cut -d= -f2
-        fi
-      register: cert_expiry
-      loop: "{{ cert_files.files[:10] }}"  # 限制检查前10个证书
-      failed_when: false
-      
-    - name: Display certificate expiration dates
-      debug:
-        msg: "📅 {{ item.item.path | basename }}: expires {{ item.stdout if item.stdout else 'INVALID/UNREADABLE' }}"
-      loop: "{{ cert_expiry.results }}"
-      when: item.stdout != ""
-      
-    # 检查即将过期的证书 (30天内)
-    - name: Check certificates expiring soon
-      shell: |
-        if [ -f "{{ item.path }}" ]; then
-          exp_date=$(openssl x509 -in "{{ item.path }}" -noout -enddate 2>/dev/null | cut -d= -f2)
-          if [ ! -z "$exp_date" ]; then
-            exp_epoch=$(date -d "$exp_date" +%s 2>/dev/null)
-            now_epoch=$(date +%s)
-            days_left=$(( (exp_epoch - now_epoch) / 86400 ))
-            if [ $days_left -lt 30 ]; then
-              echo "WARNING: $days_left days left"
-            else
-              echo "OK: $days_left days left"
-            fi
-          fi
-        fi
-      register: cert_warnings
-      loop: "{{ cert_files.files[:10] }}"
-      failed_when: false
-      
-    - name: Display certificate warnings
-      debug:
-        msg: "⚠️  {{ item.item.path | basename }}: {{ item.stdout }}"
-      loop: "{{ cert_warnings.results }}"
-      when: item.stdout != "" and "WARNING" in item.stdout
-      
-    # 检查 Let's Encrypt 证书
-    - name: Check Let's Encrypt certificates
-      shell: certbot certificates 2>/dev/null || echo "Certbot not installed"
-      register: letsencrypt_certs
-      failed_when: false
-      
-    - name: Display Let's Encrypt status
-      debug:
-        msg: "🔒 Let's Encrypt: {{ letsencrypt_certs.stdout_lines }}"
-      when: "'not installed' not in letsencrypt_certs.stdout"
-      
-    # 检查 SSL 服务端口
-    - name: Check SSL service ports
-      wait_for:
-        port: "{{ item.port }}"
-        timeout: 3
-      register: ssl_ports
-      loop: "{{ ssl_services }}"
-      failed_when: false
-      
-    - name: Display SSL service status
-      debug:
-        msg: "🔌 {{ item.item.name }} (port {{ item.item.port }}): {{ 'LISTENING' if not item.failed else 'NOT AVAILABLE' }}"
-      loop: "{{ ssl_ports.results }}"
-      
-    # 测试 HTTPS 连接
-    - name: Test HTTPS connection to localhost
-      uri:
-        url: "https://{{ ansible_default_ipv4.address }}"
-        method: GET
-        validate_certs: no
-        timeout: 5
-      register: https_test
-      failed_when: false
-      when: ssl_ports.results[0] is defined and not ssl_ports.results[0].failed
-      
-    - name: Display HTTPS test result
-      debug:
-        msg: "🌐 HTTPS Test: {{ 'SUCCESS' if https_test.status is defined else 'FAILED' }}"
-      when: https_test is defined
-      
-    # 检查证书链
-    - name: Check certificate chain for HTTPS
-      shell: |
-        echo | openssl s_client -connect {{ ansible_default_ipv4.address }}:443 -servername {{ ansible_hostname }} 2>/dev/null | openssl x509 -noout -subject -issuer
-      register: cert_chain
-      failed_when: false
-      when: ssl_ports.results[0] is defined and not ssl_ports.results[0].failed
-      
-    - name: Display certificate chain info
-      debug:
-        msg: "🔗 Certificate Chain: {{ cert_chain.stdout_lines }}"
-      when: cert_chain is defined and cert_chain.rc == 0
-      
-    # 生成证书健康报告
-    - name: Generate certificate health summary
-      debug:
-        msg: |
-          🔐 Certificate Health Summary for {{ inventory_hostname }}:
-          📁 Certificate directories found: {{ (cert_dirs.results | selectattr('stat.exists') | list | length) }}
-          📄 Certificate files found: {{ cert_files.files | length }}
-          ⚠️  Certificates expiring soon: {{ (cert_warnings.results | selectattr('stdout', 'search', 'WARNING') | list | length) }}
-          🔒 Let's Encrypt: {{ 'Configured' if 'not installed' not in letsencrypt_certs.stdout else 'Not installed' }}
-          🌐 SSL Services: {{ (ssl_ports.results | rejectattr('failed') | list | length) }}/{{ ssl_services | length }} available
--- a/configuration/playbooks/security/security-hardening.yml
+++ b/configuration/playbooks/security/security-hardening.yml
@@ -1,119 +0,0 @@
---
- name: Security Hardening and Backup
-  hosts: all
-  become: yes
-  gather_facts: yes
-  
-  tasks:
-    # SSH 安全配置检查
-    - name: Check SSH configuration security
-      lineinfile:
-        path: /etc/ssh/sshd_config
-        regexp: "{{ item.regexp }}"
-        line: "{{ item.line }}"
-        backup: yes
-      loop:
-        - { regexp: '^#?PermitRootLogin', line: 'PermitRootLogin no' }
-        - { regexp: '^#?PasswordAuthentication', line: 'PasswordAuthentication no' }
-        - { regexp: '^#?X11Forwarding', line: 'X11Forwarding no' }
-        - { regexp: '^#?MaxAuthTries', line: 'MaxAuthTries 3' }
-      notify: restart ssh
-      when: ansible_os_family == "Debian"
-      
-    # 防火墙状态检查
-    - name: Check UFW firewall status
-      shell: ufw status
-      register: ufw_status
-      changed_when: false
-      failed_when: false
-      when: ansible_os_family == "Debian"
-      
-    - name: Display firewall status
-      debug:
-        msg: "🔥 Firewall Status: {{ ufw_status.stdout_lines }}"
-      when: ansible_os_family == "Debian" and ufw_status.stdout_lines is defined
-      
-    # 检查可疑登录
-    - name: Check for failed login attempts
-      shell: grep "Failed password" /var/log/auth.log | tail -10
-      register: failed_logins
-      changed_when: false
-      failed_when: false
-      
-    - name: Report suspicious login attempts
-      debug:
-        msg: "🚨 Recent failed logins: {{ failed_logins.stdout_lines }}"
-      when: failed_logins.stdout_lines | length > 0
-      
-    # 检查 root 用户活动
-    - name: Check recent root activity
-      shell: grep "sudo.*root" /var/log/auth.log | tail -5
-      register: root_activity
-      changed_when: false
-      failed_when: false
-      
-    - name: Display root activity
-      debug:
-        msg: "👑 Recent root activity: {{ root_activity.stdout_lines }}"
-      when: root_activity.stdout_lines | length > 0
-      
-    # 备份重要配置文件
-    - name: Create backup directory
-      file:
-        path: /backup/configs
-        state: directory
-        mode: '0700'
-        
-    - name: Backup important configuration files
-      copy:
-        src: "{{ item }}"
-        dest: "/backup/configs/{{ item | basename }}.{{ ansible_date_time.epoch }}"
-        remote_src: yes
-        backup: yes
-      loop:
-        - /etc/ssh/sshd_config
-        - /etc/hosts
-        - /etc/fstab
-        - /etc/crontab
-      failed_when: false
-      
-    # 检查系统完整性
-    - name: Check for world-writable files
-      shell: find /etc /usr /bin /sbin -type f -perm -002 2>/dev/null | head -10
-      register: world_writable
-      changed_when: false
-      
-    - name: Report world-writable files
-      debug:
-        msg: "⚠️  World-writable files found: {{ world_writable.stdout_lines }}"
-      when: world_writable.stdout_lines | length > 0
-      
-    # 检查 SUID 文件
-    - name: Check for SUID files
-      shell: find /usr /bin /sbin -type f -perm -4000 2>/dev/null
-      register: suid_files
-      changed_when: false
-      
-    - name: Display SUID files count
-      debug:
-        msg: "🔐 Found {{ suid_files.stdout_lines | length }} SUID files"
-        
-    # 更新系统时间
-    - name: Sync system time
-      shell: timedatectl set-ntp true
-      failed_when: false
-      
-    - name: Check time synchronization
-      shell: timedatectl status
-      register: time_status
-      
-    - name: Display time sync status
-      debug:
-        msg: "🕐 Time sync: {{ time_status.stdout_lines | select('match', '.*synchronized.*') | list }}"
-        
-  handlers:
-    - name: restart ssh
-      systemd:
-        name: ssh
-        state: restarted
-      when: ansible_os_family == "Debian"