master
Simon Bruder 2019-03-31 13:25:33 +00:00
commit 5c8eb91c75
No known key found for this signature in database
GPG Key ID: 6F03E0000CC5B62F
43 changed files with 373 additions and 0 deletions

3
ansible.cfg Normal file
View File

@ -0,0 +1,3 @@
[defaults]
inventory = inventories/servers.yml
vault_password_file = vault-pass.sh

18
files/issei/dnsmasq.conf Normal file
View File

@ -0,0 +1,18 @@
# vim: set ft=dnsmasq:
port=53
domain-needed
bogus-priv
resolv-file=/etc/resolv.conf.dnsmasq
server=/fritz.box/192.168.100.1
no-hosts
#addn-hosts=/etc/banner_add_hosts
domain=home.sbruder.de
dhcp-range=192.168.100.20,192.168.100.150,12h
dhcp-option=option:router,192.168.100.1

View File

@ -0,0 +1,9 @@
$ANSIBLE_VAULT;1.1;AES256
65653261616437626133346664313738316438343734323135323764633533386534336230336634
3138336161303538376439333365323233633338383937660a356636653562303935653134633162
37343662373164383338663365346435306532326432326563323464383262303163356363383637
6564623838376331300a643339306234303465393737353064303431393963363265393935343731
33643235653231383034303833306433346538323137303464303963383536356131353937356339
62303264373734613335303766333333336561373633326137316532373064343336353666383439
61323061366563313730396430316134386265626463643939363164666134323439623735353637
36663831633236343134

7
inventories/servers.yml Normal file
View File

@ -0,0 +1,7 @@
servers:
hosts:
issei:
ansible_host: issei.home.sbruder.de
ansible_user: root
vars:
debian_release: buster

14
playbook.yml Normal file
View File

@ -0,0 +1,14 @@
---
- hosts: servers
any_errors_fatal: yes
roles:
- role: base
- role: dnsmasq
- role: docker
- role: initramfs
- role: postfix
- role: python
- role: sshd
- role: unattended-upgrades
- role: wireguard
vars:

View File

@ -0,0 +1,6 @@
---
- name: restart-journald
systemd:
name: systemd-journald
state: restarted

View File

@ -0,0 +1,8 @@
---
- name: make journal persistent
ini_file:
path: /etc/systemd/journald.conf
section: Journal
option: Storage
value: persistent
notify: restart-journald

10
roles/base/tasks/main.yml Normal file
View File

@ -0,0 +1,10 @@
---
- block:
- import_tasks: tools.yml
tags:
- base:tools
- import_tasks: journal.yml
tags:
- base:journal
tags:
- base

View File

@ -0,0 +1,30 @@
---
- name: install tools
apt:
name:
- atool
- bmon
- dnsutils
- ethtool
- exa
- ffmpeg
- fzf
- git
- htop
- iperf3
- lm-sensors
- molly-guard
- mpv
- mtr
- ncdu
- net-tools
- nftables
- reptyr
- ripgrep
- rsync
- smartmontools
- tmux
- vim-nox
- vnstat
- zsh
state: present

View File

@ -0,0 +1,6 @@
# ClaraNet
nameserver 212.82.226.212
nameserver 212.82.225.7
# Hurricane Electric
nameserver 74.82.42.42
nameserver 2001:470:20::2

View File

@ -0,0 +1,5 @@
---
- name: restart-dnsmasq
systemd:
name: dnsmasq
state: restarted

View File

@ -0,0 +1,11 @@
---
- name: copy dnsmasq config file
copy:
src: "{{ inventory_hostname }}/dnsmasq.conf"
dest: /etc/dnsmasq.conf
notify: restart-dnsmasq
- name: copy dnsmasq resolv config
copy:
src: resolv.conf
dest: /etc/resolv.conf.dnsmasq

View File

@ -0,0 +1,10 @@
---
- block:
- import_tasks: packages.yml
tags:
- dnsmasq:packages
- import_tasks: config.yml
tags:
- dnsmasq:config
tags:
- dnsmasq

View File

@ -0,0 +1,5 @@
---
- name: install dnsmasq
apt:
name: dnsmasq
state: present

View File

@ -0,0 +1,3 @@
{
"log-driver": "journald"
}

View File

@ -0,0 +1,8 @@
---
- name: update-grub
shell: update-grub
- name: restart-docker
systemd:
name: docker
state: restarted

View File

@ -0,0 +1,6 @@
---
- name: add docker configuration
copy:
dest: /etc/docker/daemon.json
src: daemon.json
notify: restart-docker

View File

@ -0,0 +1,7 @@
---
- name: add boot parameters for docker
lineinfile:
path: /etc/default/grub
regexp: ^GRUB_CMDLINE_LINUX_DEFAULT=
line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet cgroup_enable=memory swapaccount=1"'
notify: update-grub

View File

@ -0,0 +1,13 @@
---
- block:
- import_tasks: packages.yml
tags:
- docker:packages
- import_tasks: kernel.yml
tags:
- docker:kernel
- import_tasks: config.yml
tags:
- docker:config
tags:
- docker

View File

@ -0,0 +1,21 @@
---
- name: install docker dependencies
apt:
name: apt-transport-https
state: present
- name: add docker repository key
apt_key:
url: https://download.docker.com/linux/debian/gpg
state: present
- name: add docker repository
apt_repository:
repo: deb https://download.docker.com/linux/debian {{debian_release}} stable
state: present
- name: install docker
apt:
name: docker-ce
update_cache: yes
state: present

View File

@ -0,0 +1,3 @@
---
- name: update-initramfs
shell: update-initramfs -u

View File

@ -0,0 +1,18 @@
---
- name: install dropbear
apt:
name: dropbear
state: present
- name: disable dropbear systemd service
systemd:
name: dropbear
enabled: false
state: stopped
- name: add ssh key to authorized keys
copy:
dest: /etc/dropbear-initramfs/authorized_keys
content: |
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCs0igb6TTxPkKEQ96pk/NEqqWvQH/miJEBAEe1bzHlo5n5ThnGYvVPadfHIwq1ix0IdAfyWoG8duaKVDJAUAFBtegRO7vRBYBYR04V8DE8n66MgDbbLDuu7Kbm4JWMUNg43KwJDzZtSvEKjyh5/u/TT59D1F+toxMfet++jNG03mFa6ANhMTjghbkFHj3eyuiXA/SxZLorhkCFW6Tri3u5FFLGpjaom1dZ5PAcic0+ZOECpgEwTj8FpOzmldjsu8gFxdPYGrqfA1dOxL3OQ6/rB0LfHjwrN9i3DrZzG+RfJxZbgO4/RLQz2sHYM6S6d1MtCcXThozCXSbmpdNdwdPp simon@kipf
notify: update-initramfs

View File

@ -0,0 +1,7 @@
---
- block:
- import_tasks: dropbear.yml
tags:
- initramfs:dropbear
tags:
- initramfs

View File

@ -0,0 +1,5 @@
---
- name: restart-postfix
systemd:
name: postfix
state: restarted

View File

@ -0,0 +1,13 @@
---
- name: disable smptd
lineinfile:
path: /etc/postfix/master.cf
regexp: ^smtp inet n - y - - smtpd$
state: absent
notify: restart-postfix
- name: configure postfix
template:
src: main.cf
dest: /etc/postfix/main.cf
notify: restart-postfix

View File

@ -0,0 +1,10 @@
---
- block:
- import_tasks: packages.yml
tags:
- postfix:packages
- import_tasks: config.yml
tags:
- postfix:config
tags:
- postfix

View File

@ -0,0 +1,5 @@
---
- name: install postfix
apt:
name: postfix
state: present

View File

@ -0,0 +1,6 @@
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = static:SMTP_Injection:{{ secrets.sparkpost_api_key }}
relayhost = [smtp.sparkpostmail.com]:587
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
header_size_limit = 4096000

View File

@ -0,0 +1,7 @@
---
- block:
- import_tasks: pip.yml
tags:
- python:pip
tags:
- python

View File

@ -0,0 +1,15 @@
---
- name: install pip
apt:
name:
- python3-pip
- python-setuptools # YEAH!
state: present
- name: install python modules via pip
pip:
name:
- docker-compose
state: present
executable: pip3

View File

@ -0,0 +1,5 @@
---
- name: restart-sshd
systemd:
name: sshd
state: restarted

View File

@ -0,0 +1,6 @@
---
- name: only allow login with key
lineinfile:
path: /etc/ssh/sshd_config
line: PasswordAuthentication no
notify: restart-sshd

View File

@ -0,0 +1,7 @@
---
- block:
- import_tasks: config.yml
tags:
- sshd:config
tags:
- sshd

View File

@ -0,0 +1,2 @@
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

View File

@ -0,0 +1,6 @@
Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Unattended-Upgrade::Mail "root";

View File

@ -0,0 +1,5 @@
---
- name: restart-unattended-upgrades
systemd:
name: unattended-upgrades
state: restarted

View File

@ -0,0 +1,11 @@
---
- name: configure unattended-upgrades
copy:
src: 50unattended-upgrades
dest: /etc/apt/apt.conf.d/50unattended-upgrades
notify: restart-unattended-upgrade
- name: configure automatic upgrades
copy:
src: 20auto-upgrades
dest: /etc/apt/apt.conf.d/20auto-upgrades

View File

@ -0,0 +1,10 @@
---
- block:
- import_tasks: packages.yml
tags:
- unattended-upgrades:packages
- import_tasks: config.yml
tags:
- unattended-upgrades:config
tags:
- unattended-upgrades

View File

@ -0,0 +1,4 @@
---
- name: install unattended-upgrades packages
apt:
name: unattended-upgrades

View File

@ -0,0 +1,3 @@
Package: *
Pin: release a=unstable
Pin-Priority: 90

View File

@ -0,0 +1,7 @@
---
- block:
- import_tasks: packages.yml
tags:
- wireguard:packages
tags:
- wireguard

View File

@ -0,0 +1,16 @@
---
- name: add unstable repositories
apt_repository:
repo: deb https://deb.debian.org/debian/ unstable main
state: present
- name: configure apt pinning for unstable
copy:
src: apt-preferences-unstable
dest: /etc/apt/preferences.d/limit-unstable
- name: install wireguard
apt:
name: wireguard
update_cache: yes
state: present

2
vault-pass.sh Executable file
View File

@ -0,0 +1,2 @@
#!/bin/sh
pass management/ansible/servers/vault