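---
# Provisioning play for a headless Debian KVM / ZFS file / Docker host.
#
# Required external variables (inventory, group_vars or --extra-vars):
#   ansibleconf_directory, usbkey_mountdir, usbkey_uuid, admin_user_name,
#   services_directory.  Templates are read from root_resources/ and home_resources/.
#
# Privilege escalation: the first two tasks rewrite /etc/doas.conf so the rest
# of the play can `become` without a password prompt (doas `persist` does not
# work from a script).  Everything after that runs inside a block whose
# `always:` section restores the default doas.conf, so a failed task can no
# longer leave the host in permanent `nopass` mode.  Notified handlers are
# flushed inside that block, before the reset, for the same reason.
- hosts: localhost
  vars:
    # Packages to install
    packages:
      # System
      - linux-headers-amd64
      - build-essential
      - ssh
      - mount
      - vim
      - neofetch
      - htop
      - doas
      # Headless KVM Setup
      - qemu-kvm
      - libvirt-clients
      - libvirt-daemon-system
      - bridge-utils
      - virtinst
      - libvirt-daemon
      - cpu-checker
      - libguestfs-tools
      - libosinfo-bin
      # File Server
      - zfsutils-linux
      - samba
      # USB Key
      # - exfat-fuse
      # - exfat-utils
      - exfatprogs
      - usbip
      # VPN Client to access Proxy Server (Primarily for cockpit)
      - wireguard
      # Firewall
      - iptables-persistent
      # Cockpit web interface for web management of server
      - cockpit
      - cockpit-machines
      # Two Factor Authentication for Cockpit
      - libpam-oath
      - oathtool
    # Filled in from the service_* directories found under the ansible config.
    available_servicedirs: []

  handlers:
    # Handlers are flushed at the end of the main block, while doas is still in
    # nopass mode, so the become below does not prompt.
    - name: Restart ssh
      become: true
      ansible.builtin.systemd:
        name: ssh
        state: restarted
    - name: Reload samba
      become: true
      ansible.builtin.systemd:
        name: smbd
        state: reloaded
    - name: Restart wireguard
      become: true
      ansible.builtin.systemd:
        name: wg-quick@wg0
        state: restarted

  tasks:
    - name: Apply default doas configuration allowing wheel group users to elevate commands with prompt
      become: true
      ansible.builtin.template:
        src: root_resources/etc/doas.conf
        dest: /etc/doas.conf
        # doas refuses a config that is not root-owned or is group/world writable.
        owner: root
        group: root
        mode: '0600'
        # A doas.conf that does not parse locks out privilege escalation on this
        # host; refuse to install it. Assumes doas is already present, which the
        # become method this play relies on requires anyway.
        validate: 'doas -C %s'
    - name: Temporarily disable doas pass prompt as doas persist does not work within scripts
      become: true
      ansible.builtin.replace:
        path: /etc/doas.conf
        regexp: 'persist'
        replace: 'nopass'

    - name: Run the host setup while doas nopass is active
      block:
        # Environment Variables config
        - name: Configure environment variables
          become: true
          ansible.builtin.lineinfile:
            path: /etc/environment
            state: present
            regexp: "^{{ item.key }}="
            line: "{{ item.key }}={{ item.value }}"
          loop:
            - { key: "ANSIBLE_CONFIG", value: "{{ ansibleconf_directory }}/ansible.cfg" }
        - name: Ensure vhci_hcd kernel module is loaded and persistent on reboot (For USBIP client support)
          become: true
          community.general.modprobe:
            name: vhci_hcd
            state: present
            persistent: present

        # System Setup
        - name: Ensure .bashrc is updated
          ansible.builtin.template:
            src: home_resources/.bashrc
            dest: "~/.bashrc"
        - name: Add contrib
          become: true
          ansible.builtin.replace:
            path: /etc/apt/sources.list
            regexp: '^(deb(?!.* contrib).*)'
            replace: '\1 contrib'

        # Custom Helper Scripts
        - name: Create the local bin dir if it does not exist
          ansible.builtin.file:
            path: "~/.local/bin"
            state: directory
            mode: '0755'
        - name: Ensure custom scripts are added to local bin dir
          ansible.builtin.template:
            src: "home_resources/.local/bin/{{ item }}"
            dest: "~/.local/bin/{{ item }}"
            # Executable but not world-writable: these scripts wrap the vault
            # password and playbook runs, so any local user must not be able to
            # edit them and get code execution as the admin user.
            mode: '0755'
          loop:
            - spark_ansible-playbook.sh
            - spark_ansible-editvault.sh
            - spark_ansible-viewvault.sh

        # Network Config
        - name: Ensure Network configuration is updated
          become: true
          ansible.builtin.template:
            src: root_resources/etc/network/interfaces
            dest: /etc/network/interfaces

        # DNS Config
        # NOTE(review): systemd-resolved normally manages /etc/resolv.conf itself
        # (as a symlink to its stub file); templating the file and then enabling
        # resolved may have the template overwritten or ignored - confirm which
        # one is meant to win.
        - name: Ensure DNS configuration is updated
          become: true
          ansible.builtin.template:
            src: root_resources/etc/resolv.conf
            dest: /etc/resolv.conf
        - name: Enable Systemd Resolved for DNS queries
          become: true
          ansible.builtin.systemd:
            name: systemd-resolved
            enabled: true
            state: started

        # Package Config
        - name: Ensure list of packages is installed
          become: true
          ansible.builtin.apt:
            name: "{{ packages }}"
            state: present
            # contrib was just added to sources.list; refresh so it is visible.
            update_cache: true
            cache_valid_time: 3600
        - name: Ensure USB key mountpoint exists
          become: true
          ansible.builtin.file:
            path: "{{ usbkey_mountdir }}"
            state: directory

        # FStab Config
        - name: Mount up USB key by UUID
          become: true
          ansible.posix.mount:
            path: "{{ usbkey_mountdir }}"
            src: "UUID={{ usbkey_uuid }}"
            fstype: exfat
            # NOTE(review): dmask=0000/fmask=0111 makes every directory 0777 and
            # every file 0666 for all local users (exFAT has no per-file
            # ownership, uid/gid only set the nominal owner). Tighten to e.g.
            # dmask=0077,fmask=0177 unless the service accounts must write here.
            opts: nofail,dmask=0000,fmask=0111,gid=1000,uid=1000
            state: present

        # SSH Server Setup
        - name: Enable SSH
          become: true
          ansible.builtin.systemd:
            name: ssh
            enabled: true
            state: started
        - name: Ensure ~/.ssh exists and is private to the user
          ansible.builtin.file:
            path: "~/.ssh"
            state: directory
            mode: '0700'
        - name: Ensure local ssh configuration is updated
          ansible.builtin.template:
            src: home_resources/.ssh/config
            dest: "~/.ssh/config"
            # ssh rejects a config that other users can write to.
            mode: '0600'
        - name: Ensure sshd configuration is updated
          become: true
          ansible.builtin.template:
            src: root_resources/etc/ssh/sshd_config
            dest: /etc/ssh/sshd_config
            owner: root
            group: root
            mode: '0644'
            # Never install a config sshd cannot parse: on a headless host that
            # is a lock-out at the next restart.
            validate: '/usr/sbin/sshd -t -f %s'
          notify: Restart ssh

        # Cockpit Configuration
        - name: Ensure cockpit configuration is updated
          become: true
          ansible.builtin.template:
            src: root_resources/etc/cockpit/cockpit.conf
            dest: /etc/cockpit/cockpit.conf

        # Cockpit 2FA Setup
        - name: Add cockpit two factor authentication key to system
          become: true
          ansible.builtin.template:
            src: root_resources/etc/cockpit.oath
            dest: /etc/cockpit.oath
            # Holds the OATH seeds; anyone who can read it can mint valid codes.
            owner: root
            group: root
            mode: '0600'
        - name: Configure cockpit to use oath two factor authentication
          become: true
          ansible.builtin.template:
            src: root_resources/etc/pam.d/cockpit
            dest: /etc/pam.d/cockpit
            owner: root
            group: root
            mode: '0644'

        # Wireguard VPN Client Setup to establish connection to reverse proxy frontend (Primarily for cockpit)
        - name: Ensure wireguard client configuration is updated
          become: true
          ansible.builtin.template:
            src: root_resources/etc/wireguard/wg0.conf
            dest: /etc/wireguard/wg0.conf
            # Contains the interface private key; wg-quick warns if it is
            # readable by others.
            owner: root
            group: root
            mode: '0600'
          notify: Restart wireguard
        # wg-quick expects a `resolvconf` binary to apply the DNS= setting. On
        # systemd hosts there is none, but resolvectl behaves as resolvconf when
        # invoked under that name, so a symlink is enough.
        - name: Ensure wireguard can find resolvconf on systemd init systems
          become: true
          ansible.builtin.file:
            src: /usr/bin/resolvectl
            dest: /usr/local/bin/resolvconf
            state: link
        - name: Enable wireguard client
          become: true
          ansible.builtin.systemd:
            name: wg-quick@wg0
            enabled: true
            state: started

        # Each respective service will have a user associated to it to ensure it'll be able to only edit the files in their folder in the service directory
        # Services Configuration - Groups
        - name: "Create admin user {{ admin_user_name }}"
          become: true
          ansible.builtin.user:
            name: "{{ admin_user_name }}"
            state: present
            groups: wheel,libvirt
            append: true

        # Services directory - where VM's etc are stored
        - name: Directory permissions for Service folder  # (Directory should already exist via ZFS!)
          become: true
          ansible.builtin.file:
            path: /spool1/services
            state: directory
            owner: "{{ admin_user_name }}"
            group: root
            mode: '0755'
        # Nextcloud has its own dedicated zfs directory to be able to set its own quota
        - name: Directory permissions for dedicated Nextcloud service folder  # (Directory should already exist via ZFS!)
          become: true
          ansible.builtin.file:
            path: /spool1/nextcloud
            state: directory
            owner: "{{ admin_user_name }}"
            group: root
            mode: '1700'

        # File Server Setup
        - name: Ensure samba configuration is updated
          become: true
          ansible.builtin.template:
            src: root_resources/etc/samba/smb.conf
            dest: /etc/samba/smb.conf
            owner: root
            group: root
            mode: '0644'
            validate: 'testparm -s %s'
          notify: Reload samba
        - name: Enable SAMBA
          become: true
          ansible.builtin.systemd:
            name: smbd
            enabled: true
            state: started

        # SMB Fileserver Permissions
        - name: Directory permissions for spool1 secret SMB fileserver directory  # (Directory should already exist via ZFS!)
          become: true
          ansible.builtin.file:
            path: /spool1/secret
            state: directory
            owner: "{{ admin_user_name }}"
            group: root
            mode: '1700'
        - name: Directory permissions for spool2 secret SMB fileserver directory  # (Directory should already exist via ZFS!)
          become: true
          ansible.builtin.file:
            path: /spool2/secret
            state: directory
            owner: "{{ admin_user_name }}"
            group: root
            mode: '1700'

        # Docker Setup
        # The signing key is stored under /etc/apt/keyrings and bound to the
        # Docker repository with signed-by, instead of apt-key which would make
        # it trusted for every configured repository. A key previously added
        # with apt-key stays in the global trust store until removed with
        # `apt-key del` (list it with `apt-key list` first).
        - name: Ensure the apt keyrings directory exists
          become: true
          ansible.builtin.file:
            path: /etc/apt/keyrings
            state: directory
            owner: root
            group: root
            mode: '0755'
        - name: Add Docker apt signing key (scoped to the Docker repository via signed-by)
          become: true
          ansible.builtin.get_url:
            url: https://download.docker.com/linux/debian/gpg
            dest: /etc/apt/keyrings/docker.asc
            owner: root
            group: root
            mode: '0644'
        - name: Remove legacy Docker repository entry that relied on the global apt-key trust store
          become: true
          ansible.builtin.apt_repository:
            repo: deb https://download.docker.com/linux/debian bullseye stable
            state: absent
        # arch=amd64 matches the linux-headers-amd64 package installed above;
        # the release name follows the host instead of being pinned to bullseye.
        - name: Add Docker Repository
          become: true
          ansible.builtin.apt_repository:
            repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
            state: present
            update_cache: true
        - name: Install docker packages
          become: true
          ansible.builtin.apt:
            pkg:
              - docker-ce
              - docker-ce-cli
              - containerd.io
              - docker-buildx-plugin
              - docker-compose-plugin
            state: present
            update_cache: true

        # Each respective service will have a user associated to it to ensure it'll be able to only edit the files in their folder in the service directory
        - name: Find all service directories available in ansible configuration
          ansible.builtin.find:
            paths: "{{ ansibleconf_directory }}/services"
            file_type: directory
            use_regex: true
            patterns: ['service_']
            recurse: false
          register: findoutput
        - name: Derive service user names from the found service directory names
          ansible.builtin.set_fact:
            available_servicedirs: "{{ available_servicedirs + (findoutput.files | map(attribute='path') | map('basename') | list) }}"
        # NOTE(review): membership in the docker group is root-equivalent on the
        # host (any member can bind-mount / into a container), so the 1700
        # per-service directories below do not actually confine these accounts
        # from each other or from the host. Rootless Docker would be needed for
        # real isolation.
        - name: Automatically create service users based on found ansible conf service directories
          become: true
          ansible.builtin.user:
            name: "{{ item }}"
            state: present
            shell: /bin/bash
            groups: docker
            append: true
          loop: "{{ available_servicedirs }}"

        # Services Configuration - Permissions
        # Services
        - name: Ensure service directory exists
          become: true
          ansible.builtin.file:
            path: "{{ services_directory }}"
            state: directory
            owner: root
            group: root
            mode: '1755'
        - name: Automatically create all services directory based on found ansible conf service directories
          become: true
          ansible.builtin.file:
            path: "{{ services_directory }}/{{ item }}"
            state: directory
            owner: "{{ item }}"
            group: "{{ item }}"
            mode: '1700'
          loop: "{{ available_servicedirs }}"
        - name: Ensure service users upon login start in their respective service directory
          become: true
          ansible.builtin.lineinfile:
            path: "/home/{{ item }}/.profile"
            line: "cd {{ services_directory }}/{{ item }}"
            create: true
            owner: "{{ item }}"
            group: "{{ item }}"
            mode: '0644'
          loop: "{{ available_servicedirs }}"

        # Run the notified restarts/reloads now, before always: puts doas back
        # into persist mode and become would start prompting again.
        - name: Apply pending service restarts while doas nopass is still active
          ansible.builtin.meta: flush_handlers
      always:
        - name: Reset doas configuration back to default
          become: true
          ansible.builtin.template:
            src: root_resources/etc/doas.conf
            dest: /etc/doas.conf
            owner: root
            group: root
            mode: '0600'
            validate: 'doas -C %s'

    # End
    - name: Debug Finish message
      ansible.builtin.debug:
        msg: Ansible playbook has finished!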