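---
# Headless home-server provisioning for the local host: base packages, doas,
# networking/DNS, KVM, ZFS + Samba file serving, Cockpit (with OATH 2FA) and a
# WireGuard client used to reach the reverse-proxy frontend.
#
# Variables this play reads but does not define (expected from inventory, a
# vault or --extra-vars): usbkey_mountdir, usbkey_uuid, admin_user_name.
- hosts: localhost
  vars:
    # Packages to install
    packages:
      # System
      - linux-headers-amd64
      - build-essential
      - ssh
      - mount
      - vim
      - neofetch
      - htop
      - doas
      # Headless KVM Setup
      - qemu-kvm
      - libvirt-clients
      - libvirt-daemon-system
      - bridge-utils
      - virtinst
      - libvirt-daemon
      - cpu-checker
      - libguestfs-tools
      - libosinfo-bin
      # File Server
      - zfsutils-linux
      - samba
      # USB Key
      # - exfat-fuse
      # - exfat-utils
      - exfatprogs
      # VPN Client to access Proxy Server (Primarily for cockpit)
      - wireguard
      # Firewall
      - iptables-persistent
      # Cockpit web interface for web management of server
      - cockpit
      - cockpit-machines
      # Two Factor Authentication for Cockpit
      - libpam-oath
      - oathtool
    available_servicedirs: []

  tasks:
    - name: Apply default doas configuration allowing wheel group users to elevate commands with prompt
      become: true
      template:
        src: root_resources/etc/doas.conf
        dest: /etc/doas.conf

    # doas "persist" does not work from scripts, so the password prompt is
    # switched off for the duration of the run. Everything that follows runs
    # inside a block whose "always" section restores the default doas.conf,
    # so a task failing part-way no longer leaves the host with passwordless
    # doas for the wheel group.
    - name: Temporarily disable doas pass prompt as doas persist does not work within scripts
      become: true
      replace:
        path: /etc/doas.conf
        regexp: 'persist'
        replace: 'nopass'

    - block:
        # System Setup
        - name: Ensure .bashrc is updated
          template:
            src: home_resources/.bashrc
            dest: "~/.bashrc"

        # /etc/apt/sources.list is root-owned, so this needs elevation like the
        # other /etc edits in this play.
        - name: Add contrib
          become: true
          replace:
            path: /etc/apt/sources.list
            regexp: '^(deb(?!.* contrib).*)'
            replace: '\1 contrib'

        # Custom Helper Scripts
        - name: Create the local bin dir if it does not exist
          ansible.builtin.file:
            path: "~/.local/bin"
            state: directory
            mode: '0755'

        # Scripts on PATH must not be world-writable: 0755 keeps them
        # executable by everyone but editable only by the owner.
        - name: Ensure custom scripts are added to local bin dir
          template:
            src: "home_resources/.local/bin/{{ item }}"
            dest: "~/.local/bin/{{ item }}"
            mode: '0755'
          loop:
            - spark_ansible-playbook.sh
            - spark_ansible-editvault.sh
            - spark_ansible-viewvault.sh

        # Network Config
        - name: Ensure Network configuration is updated
          become: true
          template:
            src: root_resources/etc/network/interfaces
            dest: /etc/network/interfaces

        # DNS Config
        # NOTE(review): systemd-resolved (enabled below) may manage
        # /etc/resolv.conf itself — confirm the templated file is not overwritten.
        - name: Ensure DNS configuration is updated
          become: true
          template:
            src: root_resources/etc/resolv.conf
            dest: /etc/resolv.conf

        - name: Enable Systemd Resolved for DNS queries
          become: true
          ansible.builtin.systemd:
            name: systemd-resolved
            enabled: true
            state: started

        # Package Config
        - name: Ensure list of packages is installed
          become: true
          apt:
            name: "{{ packages }}"
            state: present

        - name: Ensure USB key mountpoint exists
          become: true
          ansible.builtin.file:
            path: "{{ usbkey_mountdir }}"
            state: directory

        # FStab Config
        - name: Mount up USB key by UUID
          become: true
          ansible.posix.mount:
            path: "{{ usbkey_mountdir }}"
            src: "UUID={{ usbkey_uuid }}"
            fstype: exfat
            opts: nofail,dmask=0000,fmask=0111,gid=1000,uid=1000
            state: present

        # SSH Server Setup
        - name: Enable SSH
          become: true
          ansible.builtin.systemd:
            name: ssh
            enabled: true
            state: started

        - name: Ensure local ssh configuration is updated
          template:
            src: home_resources/.ssh/config
            dest: "~/.ssh/config"

        - name: Ensure sshd configuration is updated
          become: true
          template:
            src: root_resources/etc/ssh/sshd_config
            dest: /etc/ssh/sshd_config

        # Cockpit Configuration
        - name: Ensure cockpit configuration is updated
          become: true
          template:
            src: root_resources/etc/cockpit/cockpit.conf
            dest: /etc/cockpit/cockpit.conf

        # Cockpit 2FA Setup
        # The oath file holds the shared TOTP/HOTP secrets; keep it readable by
        # root only rather than inheriting the default (typically 0644) mode.
        - name: Add cockpit two factor authentication key to system
          become: true
          template:
            src: root_resources/etc/cockpit.oath
            dest: /etc/cockpit.oath
            owner: root
            group: root
            mode: '0600'

        - name: Configure cockpit to use oath two factor authentication
          become: true
          template:
            src: root_resources/etc/pam.d/cockpit
            dest: /etc/pam.d/cockpit

        # Wireguard VPN Client Setup to establish connection to reverse proxy frontend (Primarily for cockpit)
        # wg0.conf contains the interface private key, so restrict it to root.
        - name: Ensure wireguard client configuration is updated
          become: true
          template:
            src: root_resources/etc/wireguard/wg0.conf
            dest: /etc/wireguard/wg0.conf
            owner: root
            group: root
            mode: '0600'

        # wg-quick calls a "resolvconf" binary to apply DNS= entries; on
        # systemd-resolved hosts that role is played by resolvectl, so expose
        # it under the name wg-quick expects.
        - name: Ensure wireguard can find resolvconf on SystemD init systems
          become: true
          ansible.builtin.file:
            src: /usr/bin/resolvectl
            dest: /usr/local/bin/resolvconf
            state: link

        - name: Enable wireguard client
          become: true
          ansible.builtin.systemd:
            name: wg-quick@wg0
            enabled: true
            state: started

        # Each respective service will have a user associated to it to ensure it'll be able to only edit the files in their folder in the service directory
        # Services Configuration - Groups
        - name: "Create admin user {{ admin_user_name }}"
          become: true
          ansible.builtin.user:
            name: "{{ admin_user_name }}"
            state: present
            groups: wheel,libvirt
            append: true

        # Services directory - where VM's etc are stored
        # (Directory should already exist via ZFS!)
        - name: Directory permissions for Service folder
          become: true
          ansible.builtin.file:
            path: /spool1/services
            state: directory
            owner: "{{ admin_user_name }}"
            group: root
            mode: '0755'

        # Nextcloud has its own dedicated zfs directory to be able to set its own quota
        # (Directory should already exist via ZFS!)
        - name: Directory permissions for dedicated Nextcloud service folder
          become: true
          ansible.builtin.file:
            path: /spool1/nextcloud
            state: directory
            owner: "{{ admin_user_name }}"
            group: root
            mode: '1700'

        # File Server Setup
        - name: Enable SAMBA
          become: true
          ansible.builtin.systemd:
            name: smbd
            enabled: true
            state: started

        - name: Ensure samba configuration is updated
          become: true
          template:
            src: root_resources/etc/samba/smb.conf
            dest: /etc/samba/smb.conf

        # SMB Fileserver Permissions
        # (Directories should already exist via ZFS!)
        - name: Directory permissions for spool1 secret SMB fileserver directory
          become: true
          ansible.builtin.file:
            path: /spool1/secret
            state: directory
            owner: "{{ admin_user_name }}"
            group: root
            mode: '1700'

        - name: Directory permissions for spool2 secret SMB fileserver directory
          become: true
          ansible.builtin.file:
            path: /spool2/secret
            state: directory
            owner: "{{ admin_user_name }}"
            group: root
            mode: '1700'

      always:
        # Runs whether the block above succeeded or failed, so the nopass
        # change made earlier is never left behind on the host.
        - name: Reset doas configuration back to default
          become: true
          template:
            src: root_resources/etc/doas.conf
            dest: /etc/doas.conf

    # End
    - name: Debug Finish message
      debug:
        msg: Ansible playbook has finished!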