diff --git a/.gitignore b/.gitignore
index 499751e..386bd03 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-vars/secrets.yml
+vars/secrets.yaml
 production
 .hidden
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..dd49c55
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,6 @@
+{
+ "launch": {
+ "configurations": [],
+ "compounds": []
+ }
+}
\ No newline at end of file
diff --git a/README.md b/README.md
index 9a5ae32..fe676fa 100644
--- a/README.md
+++ b/README.md
@@ -34,9 +34,9 @@ sudo nano /etc/ssh/sshd_config.d/sshd.conf
 ## Configurations
-You can modify the [packages to be installed](set-up.yml) and the [UFW rules](roles/ufw/tasks/main.yml).
+You can modify the [packages to be installed](set-up.yaml) and the [UFW rules](roles/ufw/tasks/main.yaml).
-Passwords and other sensitive data are kept locally as encrypted variables in [secrets.yml](vars/secrets.example.yml).
+Passwords and other sensitive data are kept locally as encrypted variables in [secrets.yaml](vars/secrets.example.yaml).
 ## Contact
 Please contact us via [email](mailto:opnxng@tuta.io) if you discover any vulnerability or area for improvement in our infrastructure. We would truly appreciate it.
\ No newline at end of file
diff --git a/roles/chrony/tasks/main.yml b/roles/chrony/tasks/main.yaml
similarity index 100%
rename from roles/chrony/tasks/main.yml
rename to roles/chrony/tasks/main.yaml
diff --git a/roles/disable-root/tasks/main.yaml b/roles/disable-root/tasks/main.yaml
new file mode 100644
index 0000000..18f5b64
--- /dev/null
+++ b/roles/disable-root/tasks/main.yaml
@@ -0,0 +1,2 @@
+- name: Lock root password
+ user: name=root password='!'
diff --git a/roles/docker-buildx/tasks/main.yml b/roles/docker-buildx/tasks/main.yaml
similarity index 100%
rename from roles/docker-buildx/tasks/main.yml
rename to roles/docker-buildx/tasks/main.yaml
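Review bot: `user: name=root password='!'` uses the key=value argument shorthand while the rest of this change (docker, sources-list, ufw-opnxng) writes module arguments as block YAML; `user:` / `name: root` / `password: '!'` is the consistent, lint-clean form, and `password_lock: true` is the module's dedicated option if locking (prefixing the existing hash with `!`) rather than replacing the hash is what is intended. Locking the password does not affect root logins over SSH with an authorized key; unless the `ssh` role (not in this diff) sets `PermitRootLogin no`, the role name `disable-root` promises more than this task delivers, so a one-line comment on the task stating which of the two it covers would help the next reader.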
diff --git a/roles/docker-buildx/tasks/remove-docker-buildx.yml b/roles/docker-buildx/tasks/remove-docker-buildx.yaml
similarity index 100%
rename from roles/docker-buildx/tasks/remove-docker-buildx.yml
rename to roles/docker-buildx/tasks/remove-docker-buildx.yaml
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yaml
similarity index 92%
rename from roles/docker/tasks/main.yml
rename to roles/docker/tasks/main.yaml
index 7543126..83d04ce 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yaml
@@ -10,7 +10,7 @@
 - name: Create Docker directory
 file:
- path: /home/{{ user }}/Docker
+ path: "/home/{{ user }}/Docker"
 state: directory
 owner: 1000
 group: 1000
@@ -25,7 +25,7 @@
 - name: Add user to Docker group
 user:
- name: {{ user }}
+ name: "{{ user }}"
 groups: docker
 append: true
@@ -43,4 +43,4 @@
 service:
 name: docker
 enabled: true
- state: restarted
\ No newline at end of file
+ state: restarted
diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yaml
similarity index 100%
rename from roles/fail2ban/tasks/main.yml
rename to roles/fail2ban/tasks/main.yaml
diff --git a/roles/hostname/tasks/main.yaml b/roles/hostname/tasks/main.yaml
new file mode 100644
index 0000000..1b3142c
--- /dev/null
+++ b/roles/hostname/tasks/main.yaml
@@ -0,0 +1,2 @@
+- name: Set hostname
+ command: "hostnamectl set-hostname {{ inventory_hostname }}"
diff --git a/roles/nfs/tasks/main.yml b/roles/nfs-opnxng/tasks/main.yaml
similarity index 100%
rename from roles/nfs/tasks/main.yml
rename to roles/nfs-opnxng/tasks/main.yaml
diff --git a/roles/nfs/templates/exports.j2 b/roles/nfs-opnxng/templates/exports.j2
similarity index 100%
rename from roles/nfs/templates/exports.j2
rename to roles/nfs-opnxng/templates/exports.j2
diff --git a/roles/sources-list/files/sources.list b/roles/sources-list/files/sources.list
new file mode 100644
index 0000000..3e7051e
--- /dev/null
+++ b/roles/sources-list/files/sources.list
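Review bot: In the first docker hunk the directory path is built from `{{ user }}` but ownership is pinned to `owner: 1000` / `group: 1000`; if that account is not UID/GID 1000 the `Docker` directory ends up owned by someone other than the owner of the home it sits in, and quoting the path (this commit's change) does not alter that. `owner: "{{ user }}"` and `group: "{{ user }}"` keep the two in step. In the last hunk `state: restarted` survives unchanged, so the docker daemon is restarted on every play run rather than only when something changed; `state: started` on the task plus a restart handler notified by the tasks that change its configuration is the idempotent form.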
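Review bot: `command: "hostnamectl set-hostname {{ inventory_hostname }}"` is not idempotent — it reports `changed` on every run and is skipped in check mode. `ansible.builtin.hostname:` / `name: "{{ inventory_hostname }}"` sets the same name and only reports a change when the current value differs. Both forms set exactly the inventory string, so if any inventory names are addresses or FQDNs rather than bare host names that assumption is worth stating in the task name or a comment.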
@@ -0,0 +1,11 @@
+deb http://deb.debian.org/debian bookworm main non-free-firmware
+deb-src http://deb.debian.org/debian bookworm main non-free-firmware
+
+deb http://deb.debian.org/debian-security/ bookworm-security main non-free-firmware
+deb-src http://deb.debian.org/debian-security/ bookworm-security main non-free-firmware
+
+deb http://deb.debian.org/debian bookworm-updates main non-free-firmware
+deb-src http://deb.debian.org/debian bookworm-updates main non-free-firmware
+
+deb http://deb.debian.org/debian bookworm-backports main non-free
+deb-src http://deb.debian.org/debian bookworm-backports main non-free
diff --git a/roles/sources-list/tasks/main.yaml b/roles/sources-list/tasks/main.yaml
new file mode 100644
index 0000000..c9d53c5
--- /dev/null
+++ b/roles/sources-list/tasks/main.yaml
@@ -0,0 +1,7 @@
+- name: Set up source list
+ copy:
+ src: "sources.list"
+ dest: "/etc/apt/sources.list"
+ owner: root
+ group: root
+ mode: "0644"
diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yaml
similarity index 100%
rename from roles/ssh/tasks/main.yml
rename to roles/ssh/tasks/main.yaml
diff --git a/roles/timezone/tasks/main.yaml b/roles/timezone/tasks/main.yaml
new file mode 100644
index 0000000..f8fb961
--- /dev/null
+++ b/roles/timezone/tasks/main.yaml
@@ -0,0 +1,4 @@
+- name: Set timezone to Asia/Singapore
+ community.general.timezone:
+ name: "{{ TZ }}"
+ become: true
\ No newline at end of file
diff --git a/roles/ufw-opnxng/tasks/main.yaml b/roles/ufw-opnxng/tasks/main.yaml
new file mode 100644
index 0000000..b2fbd0d
--- /dev/null
+++ b/roles/ufw-opnxng/tasks/main.yaml
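Review bot: Every mirror line uses plain `http://`; APT's signature check covers integrity, so this is not a tampering issue, but `deb.debian.org` serves HTTPS and using it keeps the set of packages each host fetches from being observable on the path — `deb https://deb.debian.org/debian bookworm main non-free-firmware`, and likewise for the other lines. The `bookworm-backports` pair enables the `non-free` component while every other suite enables only `non-free-firmware`; confirm the broader component is intended there and not a leftover. The `deb-src` lines double the index download on every `apt update` and are only useful if sources are built on these hosts.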
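Review bot: Nothing refreshes the package index after `/etc/apt/sources.list` is replaced, so the `apt` tasks that run later in the play (ufw-opnxng, unattended-upgrades) resolve against whatever index the image shipped with until something else runs `apt update`. Adding `update_cache: true` to the first following `apt` task, or a separate `apt:` / `update_cache: true` task notified by this copy, makes the new sources take effect in the same run. Images that keep their sources in `/etc/apt/sources.list.d/` are not touched by this copy; if such images are in use, the old entries remain active alongside the new file.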
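Review bot: The task name `Set timezone to Asia/Singapore` hard-codes a zone while the value is `{{ TZ }}`, so the play output misdescribes the run whenever `TZ` is anything else; `name: "Set timezone to {{ TZ }}"` keeps them in step. `become: true` on the task is redundant because `set-up.yaml` in this same change sets `become: true` at play level. `TZ` is the only upper-case variable name in the diff (Ansible convention is `snake_case`), and the file lacks a trailing newline unlike the other new task files.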
@@ -0,0 +1,69 @@
+- name: Install UFW
+ apt:
+ name:
+ - ufw
+ state: latest
+ install_recommends: false
+
+# ----------------------------------------------------------------------------------------------------
+
+- name: Copy user.rules
+ template:
+ src: "user.rules.j2"
+ dest: "/etc/ufw/user.rules"
+ owner: root
+ group: root
+ mode: 0640
+
+- name: Copy user6.rules
+ template:
+ src: "user6.rules.j2"
+ dest: "/etc/ufw/user6.rules"
+ owner: root
+ group: root
+ mode: 0640
+
+# ----------------------------------------------------------------------------------------------------
+
+- name: Copy user.rules (node-specific)
+ template:
+ src: "{{inventory_hostname}}.user.rules.j2"
+ dest: "/etc/ufw/user.rules"
+ owner: root
+ group: root
+ mode: 0640
+ ignore_errors: true
+ no_log: true
+
+- name: Copy user6.rules (node-specific)
+ template:
+ src: "{{inventory_hostname}}.user6.rules.j2"
+ dest: "/etc/ufw/user6.rules"
+ owner: root
+ group: root
+ mode: 0640
+ ignore_errors: true
+ no_log: true
+
+# ----------------------------------------------------------------------------------------------------
+
+- name: UFW default deny routed
+ community.general.ufw:
+ default: deny
+ direction: routed
+
+- name: UFW default deny incoming
+ community.general.ufw:
+ default: deny
+ direction: incoming
+
+- name: UFW default allow outgoing
+ community.general.ufw:
+ default: allow
+ direction: outgoing
+
+# ----------------------------------------------------------------------------------------------------
+
+- name: UFW enable
+ community.general.ufw:
+ state: enabled
\ No newline at end of file
diff --git a/roles/ufw-opnxng/templates/oracle4.user.rules.j2 b/roles/ufw-opnxng/templates/oracle4.user.rules.j2
new file mode 100644
index 0000000..45a2783
--- /dev/null
+++ b/roles/ufw-opnxng/templates/oracle4.user.rules.j2
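Review bot: `mode: 0640` on the four `template` tasks is an unquoted octal literal, which PyYAML reads as the integer 416; Ansible's documentation asks for the quoted form so the module does its own octal conversion, and this same change already writes `mode: "0644"` in `roles/sources-list/tasks/main.yaml`, so `mode: "0640"` here and `mode: "0644"` in `roles/unattended-upgrades/tasks/main.yaml` (same defect). The two `(node-specific)` tasks use `ignore_errors: true` plus `no_log: true` to skip hosts that have no per-host template, which also swallows a genuine failure such as an undefined variable in a template that does exist and leaves a `failed` count in the recap; a single task with `src: "{{ lookup('first_found', [inventory_hostname ~ '.user.rules.j2', 'user.rules.j2']) }}"` (with the lookup's `paths` pointed at the role's templates directory if it does not find them by default) selects the override when present and fails loudly otherwise, so both flags can go. `state: enabled` is idempotent, so on a host where UFW is already enabled a later change to the templated rules files is written but never loaded; a handler running `community.general.ufw:` / `state: reloaded`, notified by the template tasks, closes that gap. The README updated in this diff still links the UFW rules to `roles/ufw/tasks/main.yaml`, a file this commit deletes.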
@@ -0,0 +1,59 @@
+*filter
+:ufw-user-input - [0:0]
+:ufw-user-output - [0:0]
+:ufw-user-forward - [0:0]
+:ufw-before-logging-input - [0:0]
+:ufw-before-logging-output - [0:0]
+:ufw-before-logging-forward - [0:0]
+:ufw-user-logging-input - [0:0]
+:ufw-user-logging-output - [0:0]
+:ufw-user-logging-forward - [0:0]
+:ufw-after-logging-input - [0:0]
+:ufw-after-logging-output - [0:0]
+:ufw-after-logging-forward - [0:0]
+:ufw-logging-deny - [0:0]
+:ufw-logging-allow - [0:0]
+:ufw-user-limit - [0:0]
+:ufw-user-limit-accept - [0:0]
+### RULES ###
+
+### tuple ### allow tcp {{ ssh_port }} 0.0.0.0/0 any {{ wireguard_mesh_subnet }}/16 in
+-A ufw-user-input -p tcp --dport {{ ssh_port }} -s {{ wireguard_mesh_subnet }}/16 -j ACCEPT
+
+### tuple ### allow tcp 8870 0.0.0.0/0 any {{ oracle_ipv4_cidr_block }}/16 in
+-A ufw-user-input -p tcp --dport 8870 -s {{ oracle_ipv4_cidr_block }}/16 -j ACCEPT
+
+### tuple ### allow tcp 8870 0.0.0.0/0 any {{ wireguard_mesh_subnet }}/16 in
+-A ufw-user-input -p tcp --dport 8870 -s {{ wireguard_mesh_subnet }}/16 -j ACCEPT
+
+### tuple ### allow tcp 2049 0.0.0.0/0 any {{ wireguard_mesh_subnet }}/16 in
+-A ufw-user-input -p tcp --dport 2049 -s {{ wireguard_mesh_subnet }}/16 -j ACCEPT
+
+### tuple ### allow udp 51820 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p udp --dport 51820 -j ACCEPT
+
+### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p tcp --dport 80 -j ACCEPT
+
+### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p tcp --dport 443 -j ACCEPT
+
+### tuple ### allow udp 443 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p udp --dport 443 -j ACCEPT
+
+### END RULES ###
+
+### LOGGING ###
+-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+### END LOGGING ###
+
+### RATE LIMITING ###
+-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
+-A ufw-user-limit -j REJECT
+-A ufw-user-limit-accept -j ACCEPT
+### END RATE LIMITING ###
+COMMIT
diff --git a/roles/ufw-opnxng/templates/oracle4.user6.rules.j2 b/roles/ufw-opnxng/templates/oracle4.user6.rules.j2
new file mode 100644
index 0000000..7e41be7
--- /dev/null
+++ b/roles/ufw-opnxng/templates/oracle4.user6.rules.j2
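Review bot: `oracle4.user.rules.j2` repeats every line of `user.rules.j2` and differs only in the three public 80/443 rules (likewise `oracle4.user6.rules.j2` against `user6.rules.j2`), so a future edit to the SSH or NFS rule in one template silently diverges from the other — the kind of drift that ends with one host accepting something the generic policy does not. One template that emits the shared rules and then loops with `{% for %}` over a per-host list of extra public ports (a host_vars variable such as `ufw_public_ports`, name illustrative) keeps a single source of truth. `{{ wireguard_mesh_subnet }}/16` and `{{ oracle_ipv4_cidr_block }}/16` append a prefix length to variables whose names suggest they may already carry one; if either is ever supplied as CIDR the rendered `-s` argument gains a second `/16` and `ufw` rejects the file, so either carry the prefix in the variable or name it as a bare address. The `ufw` CLI rewrites `/etc/ufw/user.rules` whenever a rule is added by hand on the host, so the file is shared between hand edits and this template and the next play silently drops any hand-added rule; a header comment in each template stating that it is managed by Ansible and not to be edited on the host is worth adding.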
@@ -0,0 +1,44 @@
+*filter
+:ufw6-user-input - [0:0]
+:ufw6-user-output - [0:0]
+:ufw6-user-forward - [0:0]
+:ufw6-before-logging-input - [0:0]
+:ufw6-before-logging-output - [0:0]
+:ufw6-before-logging-forward - [0:0]
+:ufw6-user-logging-input - [0:0]
+:ufw6-user-logging-output - [0:0]
+:ufw6-user-logging-forward - [0:0]
+:ufw6-after-logging-input - [0:0]
+:ufw6-after-logging-output - [0:0]
+:ufw6-after-logging-forward - [0:0]
+:ufw6-logging-deny - [0:0]
+:ufw6-logging-allow - [0:0]
+:ufw6-user-limit - [0:0]
+:ufw6-user-limit-accept - [0:0]
+### RULES ###
+
+### tuple ### allow tcp 80 ::/0 any ::/0 in
+-A ufw6-user-input -p tcp --dport 80 -j ACCEPT
+
+### tuple ### allow tcp 443 ::/0 any ::/0 in
+-A ufw6-user-input -p tcp --dport 443 -j ACCEPT
+
+### tuple ### allow udp 443 ::/0 any ::/0 in
+-A ufw6-user-input -p udp --dport 443 -j ACCEPT
+
+### END RULES ###
+
+### LOGGING ###
+-A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+-A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+### END LOGGING ###
+
+### RATE LIMITING ###
+-A ufw6-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
+-A ufw6-user-limit -j REJECT
+-A ufw6-user-limit-accept -j ACCEPT
+### END RATE LIMITING ###
+COMMIT
diff --git a/roles/ufw-opnxng/templates/user.rules.j2 b/roles/ufw-opnxng/templates/user.rules.j2
new file mode 100644
index 0000000..480ec22
--- /dev/null
+++ b/roles/ufw-opnxng/templates/user.rules.j2
@@ -0,0 +1,50 @@
+*filter
+:ufw-user-input - [0:0]
+:ufw-user-output - [0:0]
+:ufw-user-forward - [0:0]
+:ufw-before-logging-input - [0:0]
+:ufw-before-logging-output - [0:0]
+:ufw-before-logging-forward - [0:0]
+:ufw-user-logging-input - [0:0]
+:ufw-user-logging-output - [0:0]
+:ufw-user-logging-forward - [0:0]
+:ufw-after-logging-input - [0:0]
+:ufw-after-logging-output - [0:0]
+:ufw-after-logging-forward - [0:0]
+:ufw-logging-deny - [0:0]
+:ufw-logging-allow - [0:0]
+:ufw-user-limit - [0:0]
+:ufw-user-limit-accept - [0:0]
+### RULES ###
+
+### tuple ### allow tcp {{ ssh_port }} 0.0.0.0/0 any {{ wireguard_mesh_subnet }}/16 in
+-A ufw-user-input -p tcp --dport {{ ssh_port }} -s {{ wireguard_mesh_subnet }}/16 -j ACCEPT
+
+### tuple ### allow tcp 8870 0.0.0.0/0 any {{ oracle_ipv4_cidr_block }}/16 in
+-A ufw-user-input -p tcp --dport 8870 -s {{ oracle_ipv4_cidr_block }}/16 -j ACCEPT
+
+### tuple ### allow tcp 8870 0.0.0.0/0 any {{ wireguard_mesh_subnet }}/16 in
+-A ufw-user-input -p tcp --dport 8870 -s {{ wireguard_mesh_subnet }}/16 -j ACCEPT
+
+### tuple ### allow tcp 2049 0.0.0.0/0 any {{ wireguard_mesh_subnet }}/16 in
+-A ufw-user-input -p tcp --dport 2049 -s {{ wireguard_mesh_subnet }}/16 -j ACCEPT
+
+### tuple ### allow udp 51820 0.0.0.0/0 any 0.0.0.0/0 in
+-A ufw-user-input -p udp --dport 51820 -j ACCEPT
+
+### END RULES ###
+
+### LOGGING ###
+-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+### END LOGGING ###
+
+### RATE LIMITING ###
+-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
+-A ufw-user-limit -j REJECT
+-A ufw-user-limit-accept -j ACCEPT
+### END RATE LIMITING ###
+COMMIT
diff --git a/roles/ufw-opnxng/templates/user6.rules.j2 b/roles/ufw-opnxng/templates/user6.rules.j2
new file mode 100644
index 0000000..4bef39e
--- /dev/null
+++ b/roles/ufw-opnxng/templates/user6.rules.j2
@@ -0,0 +1,35 @@
+*filter
+:ufw6-user-input - [0:0]
+:ufw6-user-output - [0:0]
+:ufw6-user-forward - [0:0]
+:ufw6-before-logging-input - [0:0]
+:ufw6-before-logging-output - [0:0]
+:ufw6-before-logging-forward - [0:0]
+:ufw6-user-logging-input - [0:0]
+:ufw6-user-logging-output - [0:0]
+:ufw6-user-logging-forward - [0:0]
+:ufw6-after-logging-input - [0:0]
+:ufw6-after-logging-output - [0:0]
+:ufw6-after-logging-forward - [0:0]
+:ufw6-logging-deny - [0:0]
+:ufw6-logging-allow - [0:0]
+:ufw6-user-limit - [0:0]
+:ufw6-user-limit-accept - [0:0]
+### RULES ###
+
+### END RULES ###
+
+### LOGGING ###
+-A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
+-A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
+-A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
+### END LOGGING ###
+
+### RATE LIMITING ###
+-A ufw6-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
+-A ufw6-user-limit -j REJECT
+-A ufw6-user-limit-accept -j ACCEPT
+### END RATE LIMITING ###
+COMMIT
diff --git a/roles/ufw/tasks/main.yml b/roles/ufw/tasks/main.yml
deleted file mode 100644
index ab54285..0000000
--- a/roles/ufw/tasks/main.yml
+++ /dev/null
@@ -1,106 +0,0 @@
-- name: Install UFW
- apt:
- name:
- - ufw
- state: latest
- install_recommends: false
-
-# ----------------------------------------------------------------------------------------------------
-
-- name: UFW allow {{ wireguard_port }} UDP for Wireguard
- community.general.ufw:
- rule: allow
- src: 0.0.0.0/0
- dest: any
- proto: udp
- port: {{ wireguard_port }}
-
-# ----------------------------------------------------------------------------------------------------
-
-- name: UFW allow {{ ssh_port }} TCP
- community.general.ufw:
- rule: allow
- src: {{ wireguard_mesh_subnet }}/16
- dest: any
- proto: tcp
- port: {{ ssh_port }}
-
-# ----------------------------------------------------------------------------------------------------
-
-- name: UFW allow 8870 from {{ oracle_ipv4_cidr_block }}/16 TCP for Socks Proxy
- community.general.ufw:
- rule: allow
- src: {{ oracle_ipv4_cidr_block }}/16
- dest: any
- proto: tcp
- port: 8870
- when:
- - inventory_hostname in groups["oracle"]
-
-- name: UFW allow 8870 from {{ wireguard_mesh_subnet }}/16 TCP for Socks Proxy
- community.general.ufw:
- rule: allow
- src: {{ wireguard_mesh_subnet }}/16
- dest: any
- proto: tcp
- port: 8870
-
-- name: UFW allow NFS TCP
- community.general.ufw:
- rule: allow
- src: {{ wireguard_mesh_subnet }}/16
- dest: any
- proto: tcp
- port: 2049
-
-# ----------------------------------------------------------------------------------------------------
-
-- name: UFW allow 80 TCP
- community.general.ufw:
- rule: allow
- src: any
- dest: any
- proto: tcp
- port: 80
- when: inventory_hostname == 'oracle4'
-
-- name: UFW allow 443 TCP
- community.general.ufw:
- rule: allow
- src: any
- dest: any
- proto: tcp
- port: 443
- when: inventory_hostname == 'oracle4'
-
-- name: UFW allow 443 UDP
- community.general.ufw:
- rule: allow
- src: any
- dest: any
- proto: udp
- port: 443
- when: inventory_hostname == 'oracle4'
-
-# ----------------------------------------------------------------------------------------------------
-
-- name: UFW default deny routed
- community.general.ufw:
- default: deny
- direction: routed
-
-- name: UFW default deny incoming
- community.general.ufw:
- default: deny
- direction: incoming
-
-- name: UFW default allow outgoing
- community.general.ufw:
- default: allow
- direction: outgoing
-
-# ----------------------------------------------------------------------------------------------------
-
-- name: UFW enable
- community.general.ufw:
- state: enabled
\ No newline at end of file
diff --git a/roles/unattended-upgrades/tasks/main.yaml b/roles/unattended-upgrades/tasks/main.yaml
new file mode 100644
index 0000000..8c2a8c3
--- /dev/null
+++ b/roles/unattended-upgrades/tasks/main.yaml
@@ -0,0 +1,26 @@
+- name: Install packages
+ apt:
+ name:
+ - unattended-upgrades
+ - apt-listchanges
+ state: latest
+ install_recommends: false
+
+# ----------------------------------------------------------------------------------------------------
+
+- name: Copy unattended-upgrades configuration files in place
+ template:
+ src: "{{ item }}.j2"
+ dest: "/etc/apt/apt.conf.d/{{ item }}"
+ owner: root
+ group: root
+ mode: 0644
+ with_items:
+ - 20auto-upgrades
+ - 50unattended-upgrades
+
+- name: Enable unattended-upgrades service
+ service:
+ name: unattended-upgrades
+ enabled: true
+ state: started
diff --git a/roles/unattended-upgrades/tasks/main.yml b/roles/unattended-upgrades/tasks/main.yml
deleted file mode 100644
index d071a5b..0000000
--- a/roles/unattended-upgrades/tasks/main.yml
+++ /dev/null
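Review bot: `with_items` in the `Copy unattended-upgrades configuration files in place` task is the legacy loop keyword; `loop:` with the same two-item list is the current form and reads the same, `loop:` / `- 20auto-upgrades` / `- 50unattended-upgrades`. `state: latest` on the install task upgrades both packages on every run rather than only ensuring they are present, which is a deliberate-looking choice worth a one-line comment since the rest of the role only configures them.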
@@ -1,26 +0,0 @@
-- name: Install packages
- apt:
- name:
- - unattended-upgrades
- - apt-listchanges
- state: latest
- install_recommends: false
-
-# ----------------------------------------------------------------------------------------------------
-
- - name: Copy unattended-upgrades configuration files in place.
- template:
- src: "{{ item }}.j2"
- dest: "/etc/apt/apt.conf.d/{{ item }}"
- owner: root
- group: root
- mode: 0644
- with_items:
- - 20auto-upgrades
- - 50unattended-upgrades
-
- - name: Enable unattended-upgrades service
- service:
- name: unattended-upgrades
- enabled: true
- state: started
\ No newline at end of file
diff --git a/set-up.yml b/set-up.yaml
similarity index 67%
rename from set-up.yml
rename to set-up.yaml
index fe8e0bd..f18d3f3 100644
--- a/set-up.yml
+++ b/set-up.yaml
@@ -1,28 +1,18 @@
 ---
 - name: Set up VPS
 hosts: all
- gather_facts: true
+# gather_facts: true
 vars_files:
- - vars/secrets.yml
+ - vars/secrets.yaml
 become: true
 # ----------------------------------------------------------------------------------------------------
 pre_tasks:
- - name: Lock root password
- user: name=root password='!'
-
- - name: Set hostname
- command: "hostnamectl set-hostname {{ inventory_hostname }}"
-
- - name: Set timezone to Asia/Singapore
- community.general.timezone:
- name: {{ TZ }}
- become: true
-
 - name: Install packages
 apt:
 name:
+ - neovim
 - iputils-ping
 - cron
 - git
@@ -39,11 +29,15 @@
 # ----------------------------------------------------------------------------------------------------
 roles:
- - nfs
+ - disable-root
+ - timezone
 - chrony
+ - hostname
+ - sources-list
+ - ssh
+ - ufw-opnxng
 - fail2ban
 - unattended-upgrades
+ - nfs-opnxng
 - docker
 #- docker-buildx
- - ssh
- - ufw
\ No newline at end of file
diff --git a/vars/secrets.example.yml b/vars/secrets.example.yaml
similarity index 100%
rename from vars/secrets.example.yml
rename to vars/secrets.example.yaml
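Review bot: The new `roles` order runs `ufw-opnxng`, which enables UFW with SSH accepted only from `{{ wireguard_mesh_subnet }}/16`, but no role in the list brings up a WireGuard interface; on a host the controller reaches over its public address the control connection is dropped at `UFW enable` and the remaining roles never run. Either state in a comment above `roles:` that the mesh is configured out-of-band before this play, or place `ufw-opnxng` after whatever establishes it. `# gather_facts: true` is dead config — the default is already `true` — so either delete the line or set the key explicitly; a commented-out key reads as "disabled" to the next maintainer. Note also that the `Install packages` pre_task runs before `sources-list` replaces `/etc/apt/sources.list`, so the first package install uses the image's original sources.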