samsapti/pi-ansible
Archived
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Add os_config role

Browse source
This commit is contained in:
Sam A. 2022-12-22 20:18:27 +01:00
parent c8f9e551ab
commit ccb92cabe6
Signed by: samsapti
GPG key ID: CBBBE7371E81C4EA
21 changed files with 204 additions and 74 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

55
group_vars/all/secrets.yml
View file

@ -1,27 +1,30 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
65633564663165316234316164633133393062326534613461663237666537373861323162396136 66653666613865393239313165343731323338616237653731343964373065386138666161653164
6665653130343264636466656566636132366439326330610a643735626235323335303937656333 3031306366373335323239396631633034363332306434380a613331613239663035313235383137
36326161666239323838373466373463383465396635393630663132356234353765653930643463 62356463323933303336383363363962643963623934663363636364363034323465326562616463
3735383539303631300a633839373936663563363537656636633632323964393138333730303031 3236396135396566300a396162623864346162383338343132353331623664643065303634616664
61333535353132383562396136616138326265336235633665316164316234646533343232633938 65623037636561313237376233623137616537346535333536396662343164633737313938313637
63343034363636343966363161376463383432643536633638663339323566396330306565356666 64313366303264336464653231333562363835383036663864323764636565646137353265363566
33623936653635656265616364653831313866313931653662396463393430326662303164613838 63333332373562663866393139643465346164316464373132636166363562643564343935383737
33306538366531656166306566353636366539636266346537353539643862663630663938663865 61653332326162316532656262666233393132386238653032353435306464343138326236386330
62636531333566636438393831646466613465613537653162383030626564393464656132346661 36316263383863393866616562306365643132633939373836353236666432373662386632323234
37383137633833366338383637333161303434363533363135376237636565373337396230663033 64326132616433643132633035306266623235316137396362306132636437646430323663653233
38313838373131633035633761636134653263386430656535616339373336373538376364613563 62393165333537383232643132353431373338633261323739616565306634306263346163353938
31323335343066346635393130623834313839303464313365633331616361393462373862306335 30393766323339616238613361313834636534623265346237383730386163346562666234303832
31633266666630343637333936643633396463363336613332313736623466633733343164363631 35613236626465393031663833336238323832646261333731393365373539393231366134613866
62303163616563393735633438633739333732656161653337343439313265656166613731356162 36376135396335333437383864613634383635663834393138376635613633333062343338643965
66313433306338643533373265613637336232623732643734646233666266663666623565636631 65343335643435303765666530346431313632353434343735383065346132653035316239353566
61336635326465333232616134666635363234396535386265373533363138363366303631616630 32616536626138653939306137636136396330613964393833616536636464326538396634323037
61393837313139313531336631333734633039363034396165643733653132623136363137343232 63366364393061353638633663343263666132336330306136663662366132343265653361356161
39633839303536613636313661363831343831303562383832313166316164346231626565323961 39666138616331323336313438343763666331363238396364353664383533393632646665326337
31336334393965346466386564393961383734393663636139313964653163666235323538626362 37613034633939356134366639663239653031323037623364633838303734336532626536356365
34373263383463376130323562386561376262666539663233346431623263376532643737633830 66613061653833646231666564316632346166313461636333393965386162626232626465376437
62626136336632663030383136383364343332323732306539306663613161646535656531383561 63396464346137666537626333643564316461316536323236643132346462353133653739363330
32353436386163626436356632386631653666343931663063373462613134613039386266636366 33376137633336616663373633303964323661353636373631633465663566383834373932306330
36646538633166383830643466383936613565613031313936316539313434333839363764636438 38626465353265306431386563343638363064623164393563376365353534343036356331393435
62616261613936663762373764656466623666373034303662306265636431333663376230393634 64613331366234343261343463366330316566313431653632653339386631363966663634656434
64323032323439363265623938323237626538653534633364623730613836373336363862613334 64666161313264386165373231666665303435373138633536616535373132353966636662666561
3566396264653531386637613639373638393633363639613566 35343966373330323231346637363563343063373639326134636364626462663061343231363631
31303937373261623362323833613837336631346137633831356165313864383364613431646333
61316636396236633164336563306534626162326263643230303839373761633739366165396331
33326332393935313262663631386631353936626161623238343335383764343131

10
playbook.yml
View file

@ -1,10 +1,18 @@
--- ---
- name: Deploy homeserver - name: Deploy self-hosted services
hosts: all hosts: all
gather_facts: false gather_facts: false
become: true become: true
vars:
hdd_mount_point: /opt/storage
ssd_mount_point: /opt/pi-ssd
timezone: Europe/Copenhagen
tasks: tasks:
- name: Run OS configuration role
import_role:
name: os_config
- name: Run Docker role - name: Run Docker role
import_role: import_role:
name: docker name: docker

3
roles/docker/defaults/main.yml
View file

@ -1,7 +1,6 @@
--- ---
base_domain: sapti.me base_domain: sapti.me
base_volume: /opt/storage/apps base_volume: "{{ hdd_mount_point }}/apps"
timezone: Europe/Copenhagen
services: services:
caddy: caddy:

35
roles/docker/tasks/main.yml
View file

@ -13,11 +13,12 @@
- name: Install Docker - name: Install Docker
apt: apt:
name: "{{ item }}" name: "{{ pkgs }}"
state: present state: present
loop: vars:
- docker-ce pkgs:
- docker-compose-plugin - docker-ce
- docker-compose-plugin
- name: Create docker-compose symlink - name: Create docker-compose symlink
file: file:
@ -25,18 +26,26 @@
name: /usr/local/bin/docker-compose name: /usr/local/bin/docker-compose
state: link state: link
- name: Install Python bindings for Docker Compose - name: Install Python bindings for Docker
pip: pip:
executable: pip3 name: "{{ pkgs }}"
name: docker-compose
state: present state: present
executable: pip3
vars:
pkgs:
- docker
- docker-compose
- name: Create base directory for Docker volumes - name: Start but disable Docker daemon
file: service:
name: "{{ base_volume }}" name: "{{ unit }}"
owner: "{{ ansible_user }}" enabled: false
mode: u=rwx,g=rx,o=rx state: started
state: directory loop:
- docker.socket
- docker.service
loop_control:
loop_var: unit
- name: Set up Docker services - name: Set up Docker services
import_tasks: services.yml import_tasks: services.yml

8
roles/docker/tasks/services.yml
View file

@ -1,4 +1,12 @@
# vim: ft=yaml.ansible
--- ---
- name: Create base directory for Docker volumes
file:
name: "{{ base_volume }}"
owner: "{{ ansible_user }}"
mode: u=rwx,g=rx,o=rx
state: directory
- name: Deploy services - name: Deploy services
include_tasks: "services/{{ item.service.file }}" include_tasks: "services/{{ item.service.file }}"
loop: "{{ services | dict2items(value_name='service') }}" loop: "{{ services | dict2items(value_name='service') }}"

3
roles/docker/tasks/services/caddy.yml
View file

@ -1,3 +1,4 @@
# vim: ft=yaml.ansible
--- ---
- name: Create Caddy volume directories - name: Create Caddy volume directories
file: file:
@ -31,3 +32,5 @@
- dac_override - dac_override
cap_drop: cap_drop:
- all - all
# vim: ft=yaml.ansible

3
roles/docker/tasks/services/emby.yml
View file

@ -1,3 +1,4 @@
# vim: ft=yaml.ansible
--- ---
- name: Create Emby volume directories - name: Create Emby volume directories
file: file:
@ -25,6 +26,6 @@
- "{{ services.emby.volume }}/tvshows:/mnt/share1:rw" - "{{ services.emby.volume }}/tvshows:/mnt/share1:rw"
- "{{ services.emby.volume }}/movies:/mnt/share2:rw" - "{{ services.emby.volume }}/movies:/mnt/share2:rw"
published_ports: published_ports:
- "8096:8096" - '8096:8096'
devices: devices:
- /dev/vchiq:/dev/vchiq # MMAL/OMX on Raspberry Pi - /dev/vchiq:/dev/vchiq # MMAL/OMX on Raspberry Pi

9
roles/docker/tasks/services/monerod.yml
View file

@ -1,3 +1,4 @@
# vim: ft=yaml.ansible
--- ---
- name: Create Docker volume for Monero blockchain data - name: Create Docker volume for Monero blockchain data
docker_volume: docker_volume:
@ -11,11 +12,11 @@
volumes: volumes:
- monerod_data:/home/monero/.bitmonero:rw - monerod_data:/home/monero/.bitmonero:rw
command: command:
- --rpc-restricted-bind-ip=0.0.0.0 - '--rpc-restricted-bind-ip=0.0.0.0'
- --rpc-restricted-bind-port=18089 - '--rpc-restricted-bind-port=18089'
- --no-igd - --no-igd
- --no-zmq - --no-zmq
- --enable-dns-blocklist - --enable-dns-blocklist
published_ports: published_ports:
- "18080:18080" - '18080:18080'
- "127.0.0.1:18081:18089" - '127.0.0.1:18081:18089'

19
roles/docker/tasks/services/nextcloud.yml
View file

@ -1,3 +1,4 @@
# vim: ft=yaml.ansible
--- ---
- name: Create Nextcloud volume directories - name: Create Nextcloud volume directories
file: file:
@ -34,22 +35,22 @@
image: "mariadb:{{ services.nextcloud.mariadb_version }}" image: "mariadb:{{ services.nextcloud.mariadb_version }}"
restart: unless-stopped restart: unless-stopped
command: command:
- --transaction-isolation=READ-COMMITTED - '--transaction-isolation=READ-COMMITTED'
- --log-bin - --log-bin
- --binlog-format=ROW - '--binlog-format=ROW'
- --innodb_read_only_compressed=OFF - '--innodb_read_only_compressed=OFF'
environment: environment:
MYSQL_DATABASE: nextcloud MYSQL_DATABASE: nextcloud
MYSQL_USER: nextcloud MYSQL_USER: nextcloud
MYSQL_PASSWORD: "{{ secrets.nextcloud.mysql.pw }}" MYSQL_PASSWORD: "{{ secrets.nextcloud.mysql_pw }}"
MYSQL_ROOT_PASSWORD: "{{ secrets.nextcloud.mysql.pw }}" MYSQL_ROOT_PASSWORD: "{{ secrets.nextcloud.mysql_pw }}"
volumes: volumes:
- "{{ services.nextcloud.volume }}/db:/var/lib/mysql:rw" - "{{ services.nextcloud.volume }}/db:/var/lib/mysql:rw"
redis: redis:
image: "redis:{{ services.nextcloud.redis_version }}" image: "redis:{{ services.nextcloud.redis_version }}"
restart: unless-stopped restart: unless-stopped
command: "redis-server --requirepass={{ secrets.nextcloud.redis.pw }}" command: "redis-server --requirepass={{ secrets.nextcloud.redis_pw }}"
tmpfs: tmpfs:
- /var/lib/redis - /var/lib/redis
@ -70,9 +71,9 @@
MYSQL_HOST: mysql MYSQL_HOST: mysql
MYSQL_DATABASE: nextcloud MYSQL_DATABASE: nextcloud
MYSQL_USER: nextcloud MYSQL_USER: nextcloud
MYSQL_PASSWORD: "{{ secrets.nextcloud.mysql.pw }}" MYSQL_PASSWORD: "{{ secrets.nextcloud.mysql_pw }}"
REDIS_HOST: redis REDIS_HOST: redis
REDIS_HOST_PASSWORD: "{{ secrets.nextcloud.redis.pw }}" REDIS_HOST_PASSWORD: "{{ secrets.nextcloud.redis_pw }}"
PHP_MEMORY_LIMIT: 2G PHP_MEMORY_LIMIT: 2G
PHP_UPLOAD_LIMIT: 16G PHP_UPLOAD_LIMIT: 16G
volumes: volumes:
@ -80,7 +81,7 @@
- "{{ services.nextcloud.volume }}/apache2/apache2.conf:/etc/apache2/apache2.conf:ro" - "{{ services.nextcloud.volume }}/apache2/apache2.conf:/etc/apache2/apache2.conf:ro"
- "{{ services.nextcloud.volume }}/apache2/remoteip.conf:/etc/apache2/conf-enabled/remoteip.conf:ro" - "{{ services.nextcloud.volume }}/apache2/remoteip.conf:/etc/apache2/conf-enabled/remoteip.conf:ro"
ports: ports:
- "127.0.0.1:8080:80" - '127.0.0.1:8080:80'
depends_on: depends_on:
- mysql - mysql
- redis - redis

7
roles/docker/tasks/services/restic.yml
View file

@ -1,3 +1,4 @@
# vim: ft=yaml.ansible
--- ---
- name: Deploy Restic with Docker Compose - name: Deploy Restic with Docker Compose
docker_compose: docker_compose:
@ -14,7 +15,7 @@
RUN_ON_STARTUP: false RUN_ON_STARTUP: false
BACKUP_CRON: '0 30 3 * * *' BACKUP_CRON: '0 30 3 * * *'
RESTIC_REPOSITORY: "b2:{{ secrets.restic.b2.bucket }}:{{ services.restic.repo }}" RESTIC_REPOSITORY: "b2:{{ secrets.restic.b2.bucket }}:{{ services.restic.repo }}"
RESTIC_PASSWORD: "{{ secrets.restic.pw }}" RESTIC_PASSWORD: "{{ secrets.restic.repo_pw }}"
RESTIC_BACKUP_SOURCES: /mnt/volumes RESTIC_BACKUP_SOURCES: /mnt/volumes
RESTIC_BACKUP_ARGS: >- RESTIC_BACKUP_ARGS: >-
--tag docker-volumes --tag docker-volumes
@ -40,7 +41,7 @@
RUN_ON_STARTUP: false RUN_ON_STARTUP: false
PRUNE_CRON: '0 0 4 * * *' PRUNE_CRON: '0 0 4 * * *'
RESTIC_REPOSITORY: "b2:{{ secrets.restic.b2.bucket }}:{{ services.restic.repo }}" RESTIC_REPOSITORY: "b2:{{ secrets.restic.b2.bucket }}:{{ services.restic.repo }}"
RESTIC_PASSWORD: "{{ secrets.restic.pw }}" RESTIC_PASSWORD: "{{ secrets.restic.repo_pw }}"
RESTIC_PRUNE_ARGS: >- RESTIC_PRUNE_ARGS: >-
--verbose --verbose
B2_ACCOUNT_ID: "{{ secrets.restic.b2.id }}" B2_ACCOUNT_ID: "{{ secrets.restic.b2.id }}"
@ -54,7 +55,7 @@
RUN_ON_STARTUP: false RUN_ON_STARTUP: false
CHECK_CRON: '0 30 4 * * *' CHECK_CRON: '0 30 4 * * *'
RESTIC_REPOSITORY: "b2:{{ secrets.restic.b2.bucket }}:{{ services.restic.repo }}" RESTIC_REPOSITORY: "b2:{{ secrets.restic.b2.bucket }}:{{ services.restic.repo }}"
RESTIC_PASSWORD: "{{ secrets.restic.pw }}" RESTIC_PASSWORD: "{{ secrets.restic.repo_pw }}"
RESTIC_CHECK_ARGS: >- RESTIC_CHECK_ARGS: >-
--verbose --verbose
B2_ACCOUNT_ID: "{{ secrets.restic.b2.id }}" B2_ACCOUNT_ID: "{{ secrets.restic.b2.id }}"

1
roles/docker/tasks/services/snowflake.yml
View file

@ -1,3 +1,4 @@
# vim: ft=yaml.ansible
--- ---
- name: Deploy snowflake-proxy Docker container - name: Deploy snowflake-proxy Docker container
docker_container: docker_container:

1
roles/docker/tasks/services/watchtower.yml
View file

@ -1,3 +1,4 @@
# vim: ft=yaml.ansible
--- ---
- name: Deploy Watchtower Docker container - name: Deploy Watchtower Docker container
docker_container: docker_container:

1
roles/docker/tasks/services/wireguard.yml
View file

@ -1,3 +1,4 @@
# vim: ft=yaml.ansible
--- ---
- name: Create Wireguard volume directory - name: Create Wireguard volume directory
file: file:

18
roles/docker/templates/Caddyfile.j2
View file

@ -3,7 +3,7 @@
} }
{{ services.nextcloud.domain }} { {{ services.nextcloud.domain }} {
tls {{ secrets.tls.email }} tls {{ secrets.tls_email }}
rewrite /.well-known/caldav /remote.php/dav rewrite /.well-known/caldav /remote.php/dav
rewrite /.well-known/carddav /remote.php/dav rewrite /.well-known/carddav /remote.php/dav
@ -13,39 +13,27 @@
-Server -Server
} }
log {
output discard
}
reverse_proxy localhost:8080 reverse_proxy localhost:8080
} }
{{ services.emby.domain }} { {{ services.emby.domain }} {
tls {{ secrets.tls.email }} tls {{ secrets.tls_email }}
header { header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-Server -Server
} }
log {
output discard
}
reverse_proxy localhost:8096 reverse_proxy localhost:8096
} }
{{ services.monerod.domain }}:18089 { {{ services.monerod.domain }}:18089 {
tls {{ secrets.tls.email }} tls {{ secrets.tls_email }}
header { header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-Server -Server
} }
log {
output discard
}
reverse_proxy localhost:18081 reverse_proxy localhost:18081
} }

11
roles/docker/templates/daemon.json.j2 Normal file
View file

@ -0,0 +1,11 @@
{
"data-root": "{{ ssd_mount_point }}/docker-runtime",
"default-address-pools": [
{
"base": "172.17.0.0/16",
"size": 24
}
],
"ipv6": true,
"fixed-cidr-v6": "fd00::/80"
}

2
roles/os_config/defaults/main.yml Normal file
View file

@ -0,0 +1,2 @@
---
ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf

3
roles/os_config/tasks/luks.yml Normal file
View file

@ -0,0 +1,3 @@
# vim: ft=yaml.ansible
---

16
roles/os_config/tasks/main.yml Normal file
View file

@ -0,0 +1,16 @@
---
- name: Configure system packages
import_tasks:
- pkgs.yml
- name: Configure firewall
import_tasks:
- ufw.yml
- name: Configure disk encryption
import_tasks:
- luks.yml
- name: Configure SSH
import_tasks:
- ssh.yml

17
roles/os_config/tasks/pkgs.yml Normal file
View file

@ -0,0 +1,17 @@
# vim: ft=yaml.ansible
---
- name: Upgrade system packages
apt:
update_cache: true
upgrade: full
- name: Install packages via apt
apt:
name: "{{ pkgs }}"
state: present
vars:
pkgs:
- python3-pip
- apparmor
- haveged
- ufw

36
roles/os_config/tasks/ssh.yml Normal file
View file

@ -0,0 +1,36 @@
# vim: ft=yaml.ansible
---
- name: Add public SSH key to default user
authorized_key:
user: "{{ ansible_user }}"
key: "{{ ssh_key }}"
exclusive: true
- name: Allow SSH login with public keys
lineinfile:
regexp: '^#?PubkeyAuthentication '
line: PubkeyAuthentication yes
dest: /etc/ssh/sshd_config
register: ssh_pubkey
- name: Disallow SSH login with password
lineinfile:
regexp: '^#?PasswordAuthentication '
line: PasswordAuthentication no
dest: /etc/ssh/sshd_config
register: ssh_pw
- name: Disallow root login over SSH
lineinfile:
regexp: '^#?PermitRootLogin '
line: PermitRootLogin no
dest: /etc/ssh/sshd_config
register: ssh_root
- name: Restart sshd
service:
name: sshd
state: restarted
when: (ssh_pubkey is defined and ssh_pubkey.changed) or
(ssh_pw is defined and ssh_pw.changed) or
(ssh_root is defined and ssh_root.changed)

20
roles/os_config/tasks/ufw.yml Normal file
View file

@ -0,0 +1,20 @@
# vim: ft=yaml.ansible
---
- name: Allow necessary ports in UFW
community.general.ufw:
rule: allow
port: "{{ item.port }}"
proto: "{{ item.proto | default('tcp') }}"
loop:
- port: 22 # SSH
- port: 80 # HTTP
- port: 443 # HTTPS
- port: 18080 # monerod P2P
- port: 18089 # monerod RPC
- port: 51820 # Wireguard
proto: udp
- name: Enable UFW
community.general.ufw:
state: enabled
policy: deny