CubelaPetar/ansible-office
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit

Browse Source
This commit is contained in:
Petar Cubela
2024-11-29 09:24:14 +01:00
commit 8c3b5f57b5
17 changed files with 407 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
README.md Normal file
View File

@@ -0,0 +1,32 @@
# Linux generic essentials
Dieses Ansible Projekt beinhaltet eine generische
Grundkonfiguration, die jeder Linux Server standardmaessig haben
sollte.
## Usage
Klone dieses Repo:
```bash
git clone https://gitea.softbox.net/CubelaPetar/ansible-linux-default.git
cd ansible-linux-default
```
Oeffne die Datei `hosts.ini` und passe die IP-Adresse an (und potentiel andere relevante Variablen).
Teste mit dem folgenden _ad hoc_ Befehl die Kommunikation zum Server
```bash
ansible all -m ping
```
Dieser Befehl nutzt das Ansible `ping` Modul und sendet einen Ping an alle Server, die in der inventory-Datei `hosts.ini` hinterlegt sind.
Wenn die Kommunikation sichergestellt ist, fuehre als naechstes den Befehl
```bash
ansible-playbook run.yml -K
```
aus und gebe das `sudo` Passwort ein.

7
ansible.cfg Normal file
View File

@@ -0,0 +1,7 @@
[defaults]
nocows = 1
host_key_checking = false
inventory = ./hosts.ini
[ssh_connections]
pipelining = true

54
group_vars/all.yml Normal file
View File

@@ -0,0 +1,54 @@
---
# generic settings
main_username: sbxadmin
main_groupname: "{{ main_username }}"
main_uid: "1000"
main_gid: "{{ main_uid }}"
# weareinteractive.environment
environment_config: { "PUID": "{{ main_gid }}", "PGID": "{{ main_gid }}" }
# geerlingguy.ntp
ntp_timezone: "Europe/Berlin"
# geerlingguy.nfs
#nfs_exports: [ "/home/public *(rw,sync,no_root_squash)" ]
# geerlingguy.security
security_ssh_port: 22
security_ssh_password_authentication: "yes"
security_ssh_permit_root_login: "no"
security_ssh_usedns: "no"
security_ssh_permit_empty_password: "no"
security_ssh_challenge_response_auth: "no"
security_ssh_gss_api_authentication: "no"
security_ssh_x11_forwarding: "no"
security_ssh_allowed_users:
- "{{ main_username }}"
security_ssh_allowed_groups: []
security_sudoers_passwordless:
- "{{ main_username }}"
security_autoupdate_enabled: false
security_autoupdate_blacklist: []
security_autoupdate_reboot: false
security_autoupdate_reboot_time: "03:00"
security_autoupdate_mail_to: "service@softbox.de"
security_autoupdate_mail_on_error: false
security_fail2ban_enabled: false
security_fail2ban_custom_configuration_template: "jail.local.j2"
###
#packages
#package_list:
# - curl
# - htop
# - vim
# - bash-completion
# - apt-transport-https
# - network-manager
# - curl
# - xclip
# - net-tools
# - rsync
# - smartmontools
# - mlocate
# - parted

45
group_vars/snipeit.yml Normal file
View File

@@ -0,0 +1,45 @@
---
main_username: root
main_groupname: "{{ main_username }}"
main_uid: "0"
main_gid: "{{ main_uid }}"
package_list:
- curl
- vim
- xclip
- rsync
- mlocate
docker_compose_generator_output_path: "/root"
containers:
- service_name: app
active: true
image: snipe/snipe-it:v7.0.13
restart: unless-stopped
volumes:
- ./storage:/var/lib/snipeit
ports:
- "8000:80"
depends_on:
db:
condition: service_healthy
restart: true
env_file:
- .env
- service_name: db
active: true
image: mariadb:11.5.2
restart: unless-stopped
volumes:
- ./db_data:/var/lib/mysql
environment:
- MYSQL_DATABASE={{ SNIPEIT_DB_DATABASE }}
- MYSQL_USER={{ SNIPEIT_DB_USERNAME }}
- MYSQL_PASSWORD={{ SNIPEIT_DB_PASSWD }}
- MYSQL_ROOT_PASSWORD={{ SNIPEIT_DB_ROOT_PASSWD }}
healthcheck:
# https://mariadb.com/kb/en/using-healthcheck-sh/#compose-file-example
test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
interval: 5s
timeout: 1s
retries: 5

4
hosts.ini Normal file
View File

@@ -0,0 +1,4 @@
[snipeit]
10.0.101.15 ansible_user=root ansible_port=22

9
playbooks/shutdown.yml Normal file
View File

@@ -0,0 +1,9 @@
---
- name: Shutdown k3s_cluster
hosts: k3s_cluster
gather_facts: true
tasks:
- name: Shutdown the nodes (and wait one 1 min)
become: true
community.general.shutdown:
delay: 60

29
playbooks/update.yml Normal file
View File

@@ -0,0 +1,29 @@
---
- hosts:
- all
become: true
tasks:
- name: Perform a dist-upgrade.
ansible.builtin.apt:
upgrade: dist
update_cache: yes
- name: Install essential packages
package:
name: "{{ package_list }}"
state: present
- name: Check if a reboot is required.
ansible.builtin.stat:
path: /var/run/reboot-required
get_checksum: no
register: reboot_required_file
- name: Reboot the server (if required).
ansible.builtin.reboot:
when: reboot_required_file.stat.exists == true
- name: Remove dependencies that are no longer required.
ansible.builtin.apt:
autoremove: yes

8
requirements.yml Normal file
View File

@@ -0,0 +1,8 @@
---
roles:
#- name: geerlingguy.pip
- name: geerlingguy.docker
- name: geerlingguy.nfs
- name: geerlingguy.security
- name: geerlingguy.ntp
- name: ironicbadger.docker_compose_generator

5
roles/caddy/defaults/main.yml Normal file
View File

@@ -0,0 +1,5 @@
caddy_opnsense_cloudflare_binary_url: "https://caddyserver.com/api/download?os=freebsd&arch=amd64&p=github.com%2Fcaddy-dns%2Fcloudflare"
caddy_opnsense_caddyfile_path: /usr/local/etc/caddy/
caddy_amd64_linux_cloudflare_binary_url: "https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddy-dns%2Fcloudflare"
caddy_linux_caddyfile_path: /etc/caddy

6
roles/caddy/handlers/main.yml Normal file
View File

@@ -0,0 +1,6 @@
---
- name: restart caddy
service:
name: caddy
state: restarted
enabled: yes

28
roles/caddy/tasks/configure.yml Normal file
View File

@@ -0,0 +1,28 @@
---
- name: install caddy service file
template:
src: templates/caddy.service.j2
dest: "/etc/systemd/system/caddy.service"
owner: root
group: root
- name: ensure Caddyfile target dir exists
file:
path: "{{ caddy_linux_caddyfile_path }}"
state: directory
- name: template and install Caddyfile
template:
src: templates/Caddyfile.j2
dest: "{{ caddy_linux_caddyfile_path }}/Caddyfile"
owner: root
group: root
#validate: caddy fmt --overwrite
#notify: restart caddy
- name: Enable caddy service
ansible.builtin.systemd:
name: caddy
enabled: yes
state: reloaded
daemon_reload: yes

19
roles/caddy/tasks/install.yml Normal file
View File

@@ -0,0 +1,19 @@
---
- name: download latest release
get_url:
url: "{{ caddy_amd64_linux_cloudflare_binary_url }}"
dest: /usr/local/bin/caddy
owner: root
group: root
mode: a+x
ignore_errors: true
- name: Add the caddy group
ansible.builtin.group:
name: caddy
state: present
- name: Add the caddy user
ansible.builtin.user:
name: caddy
group: caddy

11
roles/caddy/tasks/main.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: install caddy
include_tasks:
file: install.yml
- name: configure caddy rules
include_tasks:
file: configure.yml
apply:
tags:
- caddyconfig

84
roles/caddy/templates/Caddyfile.j2 Normal file
View File

@@ -0,0 +1,84 @@
(cloudflare) {
tls {
dns cloudflare {{ opnsense_caddy_cloudflare_api_token }}
resolvers 1.1.1.1
}
}
(headers) {
header {
Permissions-Policy interest-cohort=()
Strict-Transport-Security "max-age=31536000; includeSubdomains"
X-XSS-Protection "1; mode=block"
X-Content-Type-Options "nosniff"
X-Robots-Tag noindex, nofollow
Referrer-Policy "same-origin"
Content-Security-Policy "frame-ancestors {{ domain_base }} *.{{ domain_base }}"
-Server
Permissions-Policy "geolocation=(self {{ domain_base }} *.{{ domain_base }}), microphone=()"
}
}
## core
#neo
neo.{{ domain_base }} {
reverse_proxy https://10.56.0.1:8006 {
transport http {
tls_insecure_skip_verify
}
}
import cloudflare
}
# pihole
dns.{{ domain_base }} {
redir / /admin
reverse_proxy http://10.56.0.253
import cloudflare
}
# # dhcp
# dhcp.{{ domain_base }} {
# redir / /dhcp.leases
# reverse_proxy http://10.56.0.253:81
# import cloudflare
# }
# opnsense
opnsense.{{ domain_base }} {
reverse_proxy https://10.56.0.254:8443 {
transport http {
tls_insecure_skip_verify
}
}
import cloudflare
}
# pain ipmi
ipmi.{{ domain_base }} {
reverse_proxy https://10.56.0.20 {
transport http {
tls_insecure_skip_verify
}
}
import cloudflare
}
## pikvm
#kvm.{{ domain_base }} {
# reverse_proxy https://10.56.0.100:443 {
# transport http {
# tls_insecure_skip_verify
# }
# }
# import cloudflare
#}
# uptime-kuma
kuma.{{ domain_base }} {
reverse_proxy http://10.56.0.247:3001
import cloudflare
}

37
roles/caddy/templates/caddy.service.j2 Normal file
View File

@@ -0,0 +1,37 @@
# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateDevices=yes
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target

16
run.yml Normal file
View File

@@ -0,0 +1,16 @@
---
#- hosts: k3s_cluster
# become: yes
# vars_files:
# - "vars/vault.yml"
# roles:
# - role: geerlingguy.security
# - role: geerlingguy.ntp
- hosts: snipeit
vars_files:
- "vars/vault.yml"
roles:
#- role: geerlingguy.security
- role: geerlingguy.docker
- role: ironicbadger.docker_compose_generator

13
vars/vault.yml Normal file
View File

@@ -0,0 +1,13 @@
$ANSIBLE_VAULT;1.1;AES256
61653539633662393863626638666466303131396237373661303939333263303033653638343235
6437663430656538303865336663616432313832333532380a323632633339616466313038356239
64623565623264303739633134656666363163613361306230343638346330383435623931373364
3463643433323631650a613233353266333036643239366330613133643238626132336530653462
37643966643663313964373531373731343064613461636564656332336461326235666264643030
37663966626561343761623363346539333662613966366564323639306230626265343431366238
63353531313165633365323439643033313536306330656332373162373733616338613561383233
33376530636530376638383562373862633362366366333130633833633938613462613932313834
61353563356361363338356665363364366166346534346137323661363464653934363638303766
39633963626231373138636237326531353835343930643535313937656334613462626639326139
61326665643862326365356165393361326266616530306330643665386663356536646337343061
37353230653062616266