first commit

2024-11-29 09:24:14 +01:00
commit 8c3b5f57b5
17 changed files with 407 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -0,0 +1,32 @@
+# Linux generic essentials
+
+Dieses Ansible Projekt beinhaltet eine generische
+Grundkonfiguration, die jeder Linux Server standardmaessig haben
+sollte.
+
+## Usage
+
+Klone dieses Repo:
+
+```bash
+git clone https://gitea.softbox.net/CubelaPetar/ansible-linux-default.git
+cd ansible-linux-default
+```
+
+Oeffne die Datei `hosts.ini` und passe die IP-Adresse an (und potentiel andere relevante Variablen).
+
+Teste mit dem folgenden _ad hoc_ Befehl die Kommunikation zum Server
+
+```bash
+ansible all -m ping
+```
+
+Dieser Befehl nutzt das Ansible `ping` Modul und sendet einen Ping an alle Server, die in der inventory-Datei `hosts.ini` hinterlegt sind.
+
+Wenn die Kommunikation sichergestellt ist, fuehre als naechstes den Befehl
+
+```bash
+ansible-playbook run.yml -K
+```
+
+aus und gebe das `sudo` Passwort ein.
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -0,0 +1,7 @@
+[defaults]
+nocows = 1
+host_key_checking = false
+inventory = ./hosts.ini 
+
+[ssh_connections]
+pipelining = true
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -0,0 +1,54 @@
+---
+# generic settings
+main_username: sbxadmin
+main_groupname: "{{ main_username }}"
+main_uid: "1000"
+main_gid: "{{ main_uid }}"
+
+# weareinteractive.environment
+environment_config: { "PUID": "{{ main_gid }}", "PGID": "{{ main_gid }}" }
+
+# geerlingguy.ntp
+ntp_timezone: "Europe/Berlin"
+
+# geerlingguy.nfs
+#nfs_exports: [ "/home/public    *(rw,sync,no_root_squash)" ]
+
+# geerlingguy.security
+security_ssh_port: 22
+security_ssh_password_authentication: "yes"
+security_ssh_permit_root_login: "no"
+security_ssh_usedns: "no"
+security_ssh_permit_empty_password: "no"
+security_ssh_challenge_response_auth: "no"
+security_ssh_gss_api_authentication: "no"
+security_ssh_x11_forwarding: "no"
+security_ssh_allowed_users:
+  - "{{ main_username }}"
+security_ssh_allowed_groups: []
+security_sudoers_passwordless:
+  - "{{ main_username }}"
+security_autoupdate_enabled: false
+security_autoupdate_blacklist: []
+security_autoupdate_reboot: false
+security_autoupdate_reboot_time: "03:00"
+security_autoupdate_mail_to: "service@softbox.de"
+security_autoupdate_mail_on_error: false
+security_fail2ban_enabled: false
+security_fail2ban_custom_configuration_template: "jail.local.j2"
+###
+#packages
+#package_list:
+#  - curl
+#  - htop
+#  - vim
+#  - bash-completion
+#  - apt-transport-https
+#  - network-manager
+#  - curl
+#  - xclip
+#  - net-tools
+#  - rsync
+#  - smartmontools
+#  - mlocate
+#  - parted
--- a/group_vars/snipeit.yml
+++ b/group_vars/snipeit.yml
@@ -0,0 +1,45 @@
+---
+main_username: root
+main_groupname: "{{ main_username }}"
+main_uid: "0"
+main_gid: "{{ main_uid }}"
+
+package_list:
+  - curl
+  - vim
+  - xclip
+  - rsync
+  - mlocate
+docker_compose_generator_output_path: "/root"
+containers:
+  - service_name: app
+    active: true
+    image: snipe/snipe-it:v7.0.13
+    restart: unless-stopped
+    volumes:
+      - ./storage:/var/lib/snipeit
+    ports:
+      - "8000:80"
+    depends_on:
+      db:
+        condition: service_healthy
+        restart: true
+    env_file:
+      - .env
+  - service_name: db
+    active: true
+    image: mariadb:11.5.2
+    restart: unless-stopped
+    volumes:
+      - ./db_data:/var/lib/mysql
+    environment:
+      - MYSQL_DATABASE={{ SNIPEIT_DB_DATABASE }}
+      - MYSQL_USER={{ SNIPEIT_DB_USERNAME }}
+      - MYSQL_PASSWORD={{ SNIPEIT_DB_PASSWD }}
+      - MYSQL_ROOT_PASSWORD={{ SNIPEIT_DB_ROOT_PASSWD }}
+    healthcheck:
+      # https://mariadb.com/kb/en/using-healthcheck-sh/#compose-file-example
+      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
+      interval: 5s
+      timeout: 1s
+      retries: 5
--- a/hosts.ini
+++ b/hosts.ini
@@ -0,0 +1,4 @@
+[snipeit]
+10.0.101.15 ansible_user=root ansible_port=22
+
+
--- a/playbooks/shutdown.yml
+++ b/playbooks/shutdown.yml
@@ -0,0 +1,9 @@
+---
+- name: Shutdown k3s_cluster
+  hosts: k3s_cluster
+  gather_facts: true
+  tasks:
+    - name: Shutdown the nodes (and wait one 1 min)
+      become: true
+      community.general.shutdown:
+        delay: 60
--- a/playbooks/update.yml
+++ b/playbooks/update.yml
@@ -0,0 +1,29 @@
+---
+- hosts:
+    - all
+  become: true
+
+  tasks:
+    - name: Perform a dist-upgrade.
+      ansible.builtin.apt:
+        upgrade: dist
+        update_cache: yes
+
+    - name: Install essential packages
+      package:
+        name: "{{ package_list }}"
+        state: present
+
+    - name: Check if a reboot is required.
+      ansible.builtin.stat:
+        path: /var/run/reboot-required
+        get_checksum: no
+      register: reboot_required_file
+
+    - name: Reboot the server (if required).
+      ansible.builtin.reboot:
+      when: reboot_required_file.stat.exists == true
+
+    - name: Remove dependencies that are no longer required.
+      ansible.builtin.apt:
+        autoremove: yes
--- a/requirements.yml
+++ b/requirements.yml
@@ -0,0 +1,8 @@
+---
+roles:
+  #- name: geerlingguy.pip
+  - name: geerlingguy.docker
+  - name: geerlingguy.nfs
+  - name: geerlingguy.security
+  - name: geerlingguy.ntp
+  - name: ironicbadger.docker_compose_generator
--- a/roles/caddy/defaults/main.yml
+++ b/roles/caddy/defaults/main.yml
@@ -0,0 +1,5 @@
+caddy_opnsense_cloudflare_binary_url: "https://caddyserver.com/api/download?os=freebsd&arch=amd64&p=github.com%2Fcaddy-dns%2Fcloudflare"
+caddy_opnsense_caddyfile_path: /usr/local/etc/caddy/
+
+caddy_amd64_linux_cloudflare_binary_url: "https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddy-dns%2Fcloudflare"
+caddy_linux_caddyfile_path: /etc/caddy
--- a/roles/caddy/handlers/main.yml
+++ b/roles/caddy/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart caddy
+  service:
+    name: caddy
+    state: restarted
+    enabled: yes
--- a/roles/caddy/tasks/configure.yml
+++ b/roles/caddy/tasks/configure.yml
@@ -0,0 +1,28 @@
+---
+- name: install caddy service file
+  template:
+    src: templates/caddy.service.j2
+    dest: "/etc/systemd/system/caddy.service"
+    owner: root
+    group: root
+
+- name: ensure Caddyfile target dir exists
+  file:
+    path: "{{ caddy_linux_caddyfile_path }}"
+    state: directory
+
+- name: template and install Caddyfile
+  template:
+    src: templates/Caddyfile.j2
+    dest: "{{ caddy_linux_caddyfile_path }}/Caddyfile"
+    owner: root
+    group: root
+    #validate: caddy fmt --overwrite
+  #notify: restart caddy
+
+- name: Enable caddy service
+  ansible.builtin.systemd:
+    name: caddy
+    enabled: yes
+    state: reloaded
+    daemon_reload: yes
--- a/roles/caddy/tasks/install.yml
+++ b/roles/caddy/tasks/install.yml
@@ -0,0 +1,19 @@
+---
+- name: download latest release
+  get_url:
+    url: "{{ caddy_amd64_linux_cloudflare_binary_url }}"
+    dest: /usr/local/bin/caddy
+    owner: root
+    group: root
+    mode: a+x
+  ignore_errors: true
+
+- name: Add the caddy group
+  ansible.builtin.group:
+    name: caddy
+    state: present
+
+- name: Add the caddy user
+  ansible.builtin.user:
+    name: caddy
+    group: caddy
--- a/roles/caddy/tasks/main.yml
+++ b/roles/caddy/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+- name: install caddy
+  include_tasks:
+    file: install.yml
+
+- name: configure caddy rules
+  include_tasks:
+    file: configure.yml
+    apply:
+      tags:
+        - caddyconfig
--- a/roles/caddy/templates/Caddyfile.j2
+++ b/roles/caddy/templates/Caddyfile.j2
@@ -0,0 +1,84 @@
+(cloudflare) {
+  tls {
+    dns cloudflare {{ opnsense_caddy_cloudflare_api_token }}
+    resolvers 1.1.1.1
+  }
+}
+
+(headers) {
+  header {
+    Permissions-Policy interest-cohort=()
+    Strict-Transport-Security "max-age=31536000; includeSubdomains"
+    X-XSS-Protection "1; mode=block"
+    X-Content-Type-Options "nosniff"
+    X-Robots-Tag noindex, nofollow
+    Referrer-Policy "same-origin"
+    Content-Security-Policy "frame-ancestors {{ domain_base }} *.{{ domain_base }}"
+    -Server
+    Permissions-Policy "geolocation=(self {{ domain_base }} *.{{ domain_base }}), microphone=()"
+  }
+}
+
+## core
+
+#neo
+neo.{{ domain_base }} {
+  reverse_proxy https://10.56.0.1:8006 {
+    transport http {
+      tls_insecure_skip_verify
+    }
+  }
+  import cloudflare
+}
+
+# pihole
+dns.{{ domain_base }} {
+  redir / /admin
+  reverse_proxy http://10.56.0.253
+  import cloudflare
+}
+
+# # dhcp
+# dhcp.{{ domain_base }} {
+#   redir / /dhcp.leases
+#   reverse_proxy http://10.56.0.253:81
+#   import cloudflare
+# }
+
+# opnsense
+opnsense.{{ domain_base }} {
+  reverse_proxy https://10.56.0.254:8443 {
+    transport http {
+      tls_insecure_skip_verify
+    }
+  }
+  import cloudflare
+}
+
+# pain ipmi
+ipmi.{{ domain_base }} {
+  reverse_proxy https://10.56.0.20 {
+    transport http {
+      tls_insecure_skip_verify
+    }
+  }
+  import cloudflare
+}
+
+## pikvm
+#kvm.{{ domain_base }} {
+#  reverse_proxy https://10.56.0.100:443 {
+#    transport http {
+#      tls_insecure_skip_verify
+#    }
+#  }
+#  import cloudflare
+#}
+
+# uptime-kuma
+kuma.{{ domain_base }} {
+  reverse_proxy http://10.56.0.247:3001
+  import cloudflare
+}
+
+
--- a/roles/caddy/templates/caddy.service.j2
+++ b/roles/caddy/templates/caddy.service.j2
@@ -0,0 +1,37 @@
+# caddy.service
+#
+# For using Caddy with a config file.
+#
+# Make sure the ExecStart and ExecReload commands are correct
+# for your installation.
+#
+# See https://caddyserver.com/docs/install for instructions.
+#
+# WARNING: This service does not use the --resume flag, so if you
+# use the API to make changes, they will be overwritten by the
+# Caddyfile next time the service is restarted. If you intend to
+# use Caddy's API to configure it, add the --resume flag to the
+# `caddy run` command or use the caddy-api.service file instead.
+
+[Unit]
+Description=Caddy
+Documentation=https://caddyserver.com/docs/
+After=network.target network-online.target
+Requires=network-online.target
+
+[Service]
+Type=notify
+User=caddy
+Group=caddy
+ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
+ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile --force
+TimeoutStopSec=5s
+LimitNOFILE=1048576
+LimitNPROC=512
+PrivateDevices=yes
+PrivateTmp=true
+ProtectSystem=full
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
--- a/run.yml
+++ b/run.yml
@@ -0,0 +1,16 @@
+---
+#- hosts: k3s_cluster
+#  become: yes
+#  vars_files:
+#    - "vars/vault.yml"
+#  roles:
+#    - role: geerlingguy.security
+#    - role: geerlingguy.ntp
+
+- hosts: snipeit
+  vars_files:
+    - "vars/vault.yml"
+  roles:
+    #- role: geerlingguy.security
+    - role: geerlingguy.docker
+    - role: ironicbadger.docker_compose_generator
--- a/vars/vault.yml
+++ b/vars/vault.yml
@@ -0,0 +1,13 @@
+$ANSIBLE_VAULT;1.1;AES256
+61653539633662393863626638666466303131396237373661303939333263303033653638343235
+6437663430656538303865336663616432313832333532380a323632633339616466313038356239
+64623565623264303739633134656666363163613361306230343638346330383435623931373364
+3463643433323631650a613233353266333036643239366330613133643238626132336530653462
+37643966643663313964373531373731343064613461636564656332336461326235666264643030
+37663966626561343761623363346539333662613966366564323639306230626265343431366238
+63353531313165633365323439643033313536306330656332373162373733616338613561383233
+33376530636530376638383562373862633362366366333130633833633938613462613932313834
+61353563356361363338356665363364366166346534346137323661363464653934363638303766
+39633963626231373138636237326531353835343930643535313937656334613462626639326139
+61326665643862326365356165393361326266616530306330643665386663356536646337343061
+37353230653062616266