diff --git a/.ansible-lint b/.ansible-lint
index 5578e18..deafac3 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -61,6 +61,7 @@ enable_list: warn_list: - skip_this_tag - experimental # experimental is included in the implicit list + - no-changed-when # - role-name # - yaml[document-start] # you can also use sub-rule matches
diff --git a/group_vars/all/secrets.yml b/group_vars/all/secrets.yml
index fe6d3c8..bb2b623 100644
--- a/group_vars/all/secrets.yml
+++ b/group_vars/all/secrets.yml
@@ -1,30 +1,40 @@ $ANSIBLE_VAULT;1.1;AES256 -66653666613865393239313165343731323338616237653731343964373065386138666161653164 -3031306366373335323239396631633034363332306434380a613331613239663035313235383137 -62356463323933303336383363363962643963623934663363636364363034323465326562616463 -3236396135396566300a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a393433623033653933336461336337 +61306630343036326139663164646137333235323235306138653030663832353137376339373539 +3965303431346538300a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
diff --git a/playbook.yml b/playbook.yml
index c354ffa..5279495 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -4,8 +4,11 @@ gather_facts: false become: true vars: - hdd_mount_point: /opt/storage - ssd_mount_point: /opt/pi-ssd + hdd_name: storage + hdd_mount_point: "/opt/{{ hdd_name }}" + + ssd_name: pi-ssd + ssd_mount_point: "/opt/{{ ssd_name }}" timezone: Europe/Copenhagen
@@ -13,6 +16,10 @@ - name: Run OS configuration role import_role: name: os_config + tags: + - os - name: Run Docker role import_role: name: docker + tags: + - docker
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 08bd93b..91f3bc3 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
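Review bot: Moving `no-changed-when` into `warn_list` downgrades, repository-wide, the one rule that would have flagged the new `shell:` swap task added in roles/os_config/tasks/disks.yml by this same commit. The better fix is on the task itself (a `changed_when`, `creates` or `when` guard) so the rule can stay enforced. If the downgrade is meant to be temporary, say so next to the entry, e.g. `- no-changed-when  # TODO: guard the swap task in disks.yml, then remove`.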
@@ -36,18 +36,14 @@ - docker - docker-compose -- name: Start but disable Docker daemon - service: - name: "{{ unit }}" - enabled: false - state: started - loop: - - docker.socket - - docker.service - loop_control: - loop_var: unit +- name: Copy Docker daemon config file + template: + src: daemon.json.j2 + dest: /etc/docker/daemon.json + mode: u=rw,g=r,o=r - name: Set up Docker services import_tasks: services.yml tags: + - boot - services
diff --git a/roles/docker/tasks/services.yml b/roles/docker/tasks/services.yml
index 768b0e9..16d8791 100644
--- a/roles/docker/tasks/services.yml
+++ b/roles/docker/tasks/services.yml
@@ -1,5 +1,14 @@ # vim: ft=yaml.ansible --- +- name: Start but disable Docker daemon + service: + name: "{{ item }}" + enabled: false + state: started + loop: + - docker.socket + - docker.service + - name: Create base directory for Docker volumes file: name: "{{ base_volume }}"
diff --git a/roles/os_config/tasks/disks.yml b/roles/os_config/tasks/disks.yml
new file mode 100644
index 0000000..d3a9ea1
--- /dev/null
+++ b/roles/os_config/tasks/disks.yml
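Review bot: The new `template` task writes /etc/docker/daemon.json, but nothing reacts when that file changes: the daemon start task now lives in roles/docker/tasks/services.yml with `state: started`, which does not restart an already-running dockerd, so a later edit to daemon.json.j2 lands on disk but is not applied until the next reboot or manual restart. Register the template result or add `notify: Restart Docker` with a handler that does `service: name=docker state=restarted`; the handler should not touch `enabled`, since the commit deliberately leaves the units disabled at boot. Ordering for the first run is fine, as the config is written before the daemon is first started.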
@@ -0,0 +1,46 @@ +# vim: ft=yaml.ansible +--- +- name: (Create and) open LUKS containers + luks_device: + uuid: "{{ item.disk.uuid }}" + passphrase: "{{ item.disk.luks_pw }}" + name: "{{ item.name }}" + type: luks2 + state: opened + loop: + - disk: "{{ secrets.hdd }}" + name: "{{ hdd_name }}" + - disk: "{{ secrets.ssd }}" + name: "{{ ssd_name }}" + +- name: Create filesystems if they do not exist + filesystem: + dev: "/dev/mapper/{{ item }}" + fstype: ext4 + state: present + loop: + - "{{ hdd_name }}" + - "{{ ssd_name }}" + +- name: Mount filesystems + mount: + src: "/dev/disk/by-uuid/{{ item.uuid }}" + path: "{{ item.path }}" + fstype: ext4 + state: ephemeral + loop: + - uuid: "{{ secrets.hdd.uuid }}" + path: "{{ hdd_mount_point }}" + - uuid: "{{ secrets.ssd.uuid }}" + path: "{{ ssd_mount_point }}" + +- name: Create swapfile + community.general.filesize: + path: "{{ ssd_mount_point }}/swapfile" + size: 8G + mode: 0600 + +- name: Mount swapfile + shell: | + mkswap {{ ssd_mount_point }}/swapfile + swapon {{ ssd_mount_point }}/swapfile
diff --git a/roles/os_config/tasks/luks.yml b/roles/os_config/tasks/luks.yml
deleted file mode 100644
index a00885c..0000000
--- a/roles/os_config/tasks/luks.yml
+++ /dev/null
@@ -1,3 +0,0 @@ -# vim: ft=yaml.ansible ---- -
diff --git a/roles/os_config/tasks/main.yml b/roles/os_config/tasks/main.yml
index 736fe61..18078d3 100644
--- a/roles/os_config/tasks/main.yml
+++ b/roles/os_config/tasks/main.yml
@@ -1,16 +1,14 @@ --- - name: Configure system packages - import_tasks: - - pkgs.yml + import_tasks: pkgs.yml - name: Configure firewall - import_tasks: - - ufw.yml - -- name: Configure disk encryption - import_tasks: - - luks.yml + import_tasks: ufw.yml - name: Configure SSH - import_tasks: - - ssh.yml + import_tasks: ssh.yml + +- name: Configure disks + import_tasks: disks.yml + tags: + - boot
diff --git a/roles/os_config/tasks/pkgs.yml b/roles/os_config/tasks/pkgs.yml
index c3859ab..e871ebd 100644
--- a/roles/os_config/tasks/pkgs.yml
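Review bot: The `Mount filesystems` task mounts `/dev/disk/by-uuid/{{ secrets.hdd.uuid }}`, which is the same value the `luks_device` task uses to identify the LUKS container; that symlink resolves to the encrypted outer device, while the ext4 filesystem the previous task creates on `/dev/mapper/{{ hdd_name }}` carries its own UUID, so the mount looks like it will fail unless the two UUIDs were deliberately made equal (not visible here). Mounting the mapper device directly, as the `filesystem` task already does, removes the ambiguity: loop over `{ name: "{{ hdd_name }}", path: "{{ hdd_mount_point }}" }` pairs and use `src: "/dev/mapper/{{ item.name }}"`. Separately, the `Mount swapfile` `shell` task re-runs `mkswap` and `swapon` on every run with no `changed_when`, and `swapon` is rejected once the file is already active, so the second run of the `boot` tag fails; the rewrite below formats the file only when `filesize` reports a change and checks the host's active swap list before `swapon`. While there, quote `mode: "0600"` so the leading-zero octal is not parsed as an integer (ansible-lint's risky-octal), matching the `u=rw,g=r,o=r` style used in roles/docker/tasks/main.yml.
```yaml
# … unchanged: LUKS open, filesystem and mount tasks …

- name: Create swapfile
  community.general.filesize:
    path: "{{ ssd_mount_point }}/swapfile"
    size: 8G
    mode: "0600"
  register: swapfile

- name: Format swapfile
  command: mkswap {{ ssd_mount_point }}/swapfile
  when: swapfile.changed

- name: List active swap devices
  command: swapon --show=NAME --noheadings
  register: active_swap
  changed_when: false

- name: Enable swapfile
  command: swapon {{ ssd_mount_point }}/swapfile
  when: (ssd_mount_point ~ '/swapfile') not in active_swap.stdout_lines
```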
+++ b/roles/os_config/tasks/pkgs.yml
@@ -1,7 +1,7 @@ # vim: ft=yaml.ansible --- - name: Upgrade system packages - apt: + apt: update_cache: true upgrade: full
diff --git a/roles/os_config/tasks/ufw.yml b/roles/os_config/tasks/ufw.yml
index 2c2dba9..0e7f073 100644
--- a/roles/os_config/tasks/ufw.yml
+++ b/roles/os_config/tasks/ufw.yml
@@ -1,7 +1,7 @@ # vim: ft=yaml.ansible --- - name: Allow necessary ports in UFW - community.general.ufw: + ufw: rule: allow port: "{{ item.port }}" proto: "{{ item.proto | default('tcp') }}"
@@ -15,6 +15,6 @@ proto: udp - name: Enable UFW - community.general.ufw: + ufw: state: enabled policy: deny
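Review bot: Dropping the collection prefix from `community.general.ufw` in both hunks of ufw.yml goes the opposite way from disks.yml in the same commit, which introduces `community.general.filesize` fully qualified. A bare `ufw:` resolves only through ansible-core's legacy redirect table for collection modules and ansible-lint's fqcn rule will flag it, so keeping `community.general.ufw:` in both tasks makes resolution independent of that table. The same applies to the short `luks_device`, `filesystem` and `mount` names in disks.yml (`community.crypto.luks_device`, `community.general.filesystem`, `ansible.posix.mount`).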