268 lines
7.7 KiB
YAML
Executable File
268 lines
7.7 KiB
YAML
Executable File
- hosts: localhost
|
|
ignore_errors: true
|
|
vars:
|
|
# Packages to install
|
|
packages:
|
|
# System
|
|
- linux-headers-amd64
|
|
- build-essential
|
|
- ssh
|
|
- mount
|
|
- vim
|
|
- neofetch
|
|
- htop
|
|
- doas
|
|
- systemd-resolved
|
|
|
|
# File Server
|
|
# - zfsutils-linux
|
|
# - samba
|
|
|
|
# USB Key
|
|
# - exfat-fuse
|
|
# - exfat-utils
|
|
- exfatprogs
|
|
|
|
# Docker
|
|
- ca-certificates
|
|
- curl
|
|
- gnupg
|
|
|
|
# TLS Certificates for Docker containers
|
|
- certbot
|
|
|
|
# VPN Client to Proxy server
|
|
# Now handled in the docker containers themselves via gluetun however wireguard tools still used for generating keys
|
|
# - wireguard
|
|
- wireguard-tools
|
|
|
|
# Firewall
|
|
- iptables-persistent
|
|
available_servicedirs: []
|
|
tasks:
|
|
- name: Apply default doas configuration allowing wheel group users to elevate commands with prompt
|
|
become: yes
|
|
template:
|
|
src: root_resources/etc/doas.conf
|
|
dest: "/etc/doas.conf"
|
|
- name: Temporarily disable doas pass prompt as doas persist does not work within scripts
|
|
become: yes
|
|
replace:
|
|
path: /etc/doas.conf
|
|
regexp: 'persist'
|
|
replace: 'nopass'
|
|
|
|
# Environment Variables config
|
|
- name: Configure environment variables
|
|
become: yes
|
|
lineinfile:
|
|
path: "/etc/environment"
|
|
state: present
|
|
regexp: "^{{ item.key }}="
|
|
line: "{{ item.key }}={{ item.value}}"
|
|
loop:
|
|
- { key: "ANSIBLE_CONFIG", value: "{{ ansibleconf_directory }}/ansible.cfg" }
|
|
|
|
# System Setup
|
|
- name: Ensure .bashrc is updated
|
|
template:
|
|
src: home_resources/.bashrc
|
|
dest: "~/.bashrc"
|
|
- name: Add contrib
|
|
become: yes
|
|
replace:
|
|
dest: /etc/apt/sources.list
|
|
regexp: '^(deb(?!.* contrib).*)'
|
|
replace: '\1 contrib'
|
|
|
|
# Custom Helper Scripts
|
|
- name: Create the local bin dir if it does not exist
|
|
ansible.builtin.file:
|
|
path: "~/.local/bin"
|
|
state: directory
|
|
mode: '0755'
|
|
- name: Ensure custom scripts are added to local bin dir
|
|
template:
|
|
src: "home_resources/.local/bin/{{ item }}"
|
|
dest: "~/.local/bin/{{ item }}"
|
|
mode: '0777'
|
|
loop:
|
|
- spark_ansible-playbook.sh
|
|
- spark_ansible-editvault.sh
|
|
- spark_ansible-viewvault.sh
|
|
|
|
# DNS Config
|
|
- name: Ensure DNS configuration is updated
|
|
become: yes
|
|
template:
|
|
src: root_resources/etc/resolv.conf
|
|
dest: "/etc/resolv.conf"
|
|
|
|
# Package Config
|
|
- name: Ensure list of packages is installed
|
|
become: yes
|
|
apt:
|
|
name: '{{ packages }}'
|
|
state: present
|
|
update_cache: true
|
|
|
|
- name: Enable Systemd Resolved for DNS queries
|
|
become: yes
|
|
ansible.builtin.systemd:
|
|
name: systemd-resolved
|
|
enabled: yes
|
|
state: started
|
|
|
|
- name: Ensure USB key mountpoint exists
|
|
become: yes
|
|
ansible.builtin.file:
|
|
path: "{{ usbkey_mountdir }}"
|
|
state: directory
|
|
# FStab Config
|
|
- name: Mount up USB key by UUID
|
|
become: yes
|
|
ansible.posix.mount:
|
|
path: '{{ usbkey_mountdir }}'
|
|
src: UUID={{ usbkey_uuid }}
|
|
fstype: exfat
|
|
opts: nofail,dmask=0000,fmask=0111,gid=1000,uid=1000
|
|
state: present
|
|
|
|
# SSH Server Setup
|
|
- name: Enable SSH
|
|
become: yes
|
|
ansible.builtin.systemd:
|
|
name: ssh
|
|
enabled: yes
|
|
state: started
|
|
- name: Ensure ssh configuration directory exists
|
|
ansible.builtin.file:
|
|
path: "~/.ssh"
|
|
state: directory
|
|
owner: "{{ admin_user_name }}"
|
|
group: "{{ admin_user_name }}"
|
|
mode: '1700'
|
|
- name: Ensure local ssh configuration is updated
|
|
template:
|
|
src: home_resources/.ssh/config
|
|
dest: "~/.ssh/config"
|
|
- name: Ensure sshd configuration is updated
|
|
become: yes
|
|
template:
|
|
src: root_resources/etc/ssh/sshd_config
|
|
dest: "/etc/ssh/sshd_config"
|
|
|
|
# Wireguard VPN Client Setup
|
|
# Now handled in the docker containers themselves via gluetun
|
|
# - name: Ensure wireguard client configuration is updated
|
|
# template:
|
|
# src: root_resources/etc/wireguard/wg0.conf
|
|
# dest: "/etc/wireguard/wg0.conf"
|
|
# - name: Ensure wireguard can find resolvconf on SystemD init systems # (This is for SystemD init systems, on systemd systems resolvectl is used instead)
|
|
# ansible.builtin.file:
|
|
# src: /usr/bin/resolvectl
|
|
# dest: "/usr/local/bin/resolvconf"
|
|
# state: link
|
|
# - name: Enable wireguard client
|
|
# ansible.builtin.systemd:
|
|
# name: wg-quick@wg0
|
|
# enabled: yes
|
|
# state: started
|
|
|
|
# Docker Setup
|
|
- name: Add Docker GPG apt Key
|
|
become: yes
|
|
apt_key:
|
|
url: https://download.docker.com/linux/debian/gpg
|
|
state: present
|
|
- name: Add Docker Repository
|
|
become: yes
|
|
apt_repository:
|
|
repo: deb https://download.docker.com/linux/debian bullseye stable
|
|
state: present
|
|
- name: Install docker packages
|
|
become: yes
|
|
apt:
|
|
pkg:
|
|
- docker-ce
|
|
- docker-ce-cli
|
|
- containerd.io
|
|
- docker-buildx-plugin
|
|
- docker-compose-plugin
|
|
state: present
|
|
update_cache: true
|
|
|
|
# Each respective service will have a user associated to it to ensure it'll be able to only edit the files in their folder in the service directory
|
|
# Services Configuration - Groups
|
|
- name: "Create admin user {{ admin_user_name }}"
|
|
become: yes
|
|
ansible.builtin.user:
|
|
name: "{{ admin_user_name }}"
|
|
state: present
|
|
groups: wheel,docker
|
|
append: yes
|
|
|
|
- name : Find all service directories available in ansible configuration
|
|
find:
|
|
paths: "{{ ansibleconf_directory }}/services"
|
|
file_type: directory
|
|
use_regex: yes
|
|
patterns: ['service_']
|
|
recurse: no
|
|
register: findoutput
|
|
|
|
- name: Add found ansible configuration service directories to service directories variable
|
|
#no_log: true
|
|
set_fact:
|
|
available_servicedirs: "{{ available_servicedirs + [item.path | split('/') | last]}}"
|
|
with_items: "{{ findoutput.files }}"
|
|
|
|
- name: Automatically create service users based on found ansible conf service directories
|
|
become: yes
|
|
ansible.builtin.user:
|
|
name: "{{ item }}"
|
|
state: present
|
|
shell: /bin/bash
|
|
groups: docker
|
|
append: yes
|
|
loop: "{{ available_servicedirs }}"
|
|
|
|
# Services Configuration - Permissions
|
|
# Services
|
|
- name: Ensure service directory exists
|
|
become: yes
|
|
ansible.builtin.file:
|
|
path: "{{ services_directory }}"
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: '1755'
|
|
|
|
- name: Automatically create all services directory based on found ansible conf service directories
|
|
become: yes
|
|
ansible.builtin.file:
|
|
path: "{{ services_directory }}/{{ item }}"
|
|
state: directory
|
|
owner: "{{ item }}"
|
|
group: "{{ item }}"
|
|
mode: '1700'
|
|
loop: "{{ available_servicedirs }}"
|
|
|
|
- name: Ensure service users upon login start in their respective service directory
|
|
become: yes
|
|
ansible.builtin.lineinfile:
|
|
path: "/home/{{ item }}/.profile"
|
|
line: "cd {{ services_directory }}/{{ item }}"
|
|
loop: "{{ available_servicedirs }}"
|
|
|
|
- name: Reset doas configuration back to default
|
|
become: yes
|
|
template:
|
|
src: root_resources/etc/doas.conf
|
|
dest: "/etc/doas.conf"
|
|
|
|
# End
|
|
- name: Debug Finish message
|
|
debug:
|
|
msg: Ansible playbook has finished!
|