From 5c8eb91c75a8fd6533852320560baefa6854469f Mon Sep 17 00:00:00 2001 
From: Simon Bruder Date: Sun, 31 Mar 2019 13:25:33 +0000 Subject: [PATCH] init --- ansible.cfg | 3 ++ files/issei/dnsmasq.conf | 18 +++++++++++ inventories/group_vars/servers.yml | 9 ++++++ inventories/servers.yml | 7 +++++ playbook.yml | 14 +++++++++ roles/base/handlers/main.yml | 6 ++++ roles/base/tasks/journal.yml | 8 +++++ roles/base/tasks/main.yml | 10 +++++++ roles/base/tasks/tools.yml | 30 +++++++++++++++++++ roles/dnsmasq/files/resolv.conf | 6 ++++ roles/dnsmasq/handlers/main.yml | 5 ++++ roles/dnsmasq/tasks/config.yml | 11 +++++++ roles/dnsmasq/tasks/main.yml | 10 +++++++ roles/dnsmasq/tasks/packages.yml | 5 ++++ roles/docker/files/daemon.json | 3 ++ roles/docker/handlers/main.yml | 8 +++++ roles/docker/tasks/config.yml | 6 ++++ roles/docker/tasks/kernel.yml | 7 +++++ roles/docker/tasks/main.yml | 13 ++++++++ roles/docker/tasks/packages.yml | 21 +++++++++++++ roles/initramfs/handlers/main.yml | 3 ++ roles/initramfs/tasks/dropbear.yml | 18 +++++++++++ roles/initramfs/tasks/main.yml | 7 +++++ roles/postfix/handlers/main.yml | 5 ++++ roles/postfix/tasks/config.yml | 13 ++++++++ roles/postfix/tasks/main.yml | 10 +++++++ roles/postfix/tasks/packages.yml | 5 ++++ roles/postfix/templates/main.cf | 6 ++++ roles/python/tasks/main.yml | 7 +++++ roles/python/tasks/pip.yml | 15 ++++++++++ roles/sshd/handlers/main.yml | 5 ++++ roles/sshd/tasks/config.yml | 6 ++++ roles/sshd/tasks/main.yml | 7 +++++ .../unattended-upgrades/files/20auto-upgrades | 2 ++ .../files/50unattended-upgrades | 6 ++++ roles/unattended-upgrades/handlers/main.yml | 5 ++++ roles/unattended-upgrades/tasks/config.yml | 11 +++++++ roles/unattended-upgrades/tasks/main.yml | 10 +++++++ roles/unattended-upgrades/tasks/packages.yml | 4 +++ .../wireguard/files/apt-preferences-unstable | 3 ++ roles/wireguard/tasks/main.yml | 7 +++++ roles/wireguard/tasks/packages.yml | 16 ++++++++++ vault-pass.sh | 2 ++ 43 files changed, 373 insertions(+) create mode 100644 ansible.cfg create mode 100644 
files/issei/dnsmasq.conf create mode 100644 inventories/group_vars/servers.yml create mode 100644 inventories/servers.yml create mode 100644 playbook.yml create mode 100644 roles/base/handlers/main.yml create mode 100644 roles/base/tasks/journal.yml create mode 100644 roles/base/tasks/main.yml create mode 100644 roles/base/tasks/tools.yml create mode 100644 roles/dnsmasq/files/resolv.conf create mode 100644 roles/dnsmasq/handlers/main.yml create mode 100644 roles/dnsmasq/tasks/config.yml create mode 100644 roles/dnsmasq/tasks/main.yml create mode 100644 roles/dnsmasq/tasks/packages.yml create mode 100644 roles/docker/files/daemon.json create mode 100644 roles/docker/handlers/main.yml create mode 100644 roles/docker/tasks/config.yml create mode 100644 roles/docker/tasks/kernel.yml create mode 100644 roles/docker/tasks/main.yml create mode 100644 roles/docker/tasks/packages.yml create mode 100644 roles/initramfs/handlers/main.yml create mode 100644 roles/initramfs/tasks/dropbear.yml create mode 100644 roles/initramfs/tasks/main.yml create mode 100644 roles/postfix/handlers/main.yml create mode 100644 roles/postfix/tasks/config.yml create mode 100644 roles/postfix/tasks/main.yml create mode 100644 roles/postfix/tasks/packages.yml create mode 100644 roles/postfix/templates/main.cf create mode 100644 roles/python/tasks/main.yml create mode 100644 roles/python/tasks/pip.yml create mode 100644 roles/sshd/handlers/main.yml create mode 100644 roles/sshd/tasks/config.yml create mode 100644 roles/sshd/tasks/main.yml create mode 100644 roles/unattended-upgrades/files/20auto-upgrades create mode 100644 roles/unattended-upgrades/files/50unattended-upgrades create mode 100644 roles/unattended-upgrades/handlers/main.yml create mode 100644 roles/unattended-upgrades/tasks/config.yml create mode 100644 roles/unattended-upgrades/tasks/main.yml create mode 100644 roles/unattended-upgrades/tasks/packages.yml create mode 100644 roles/wireguard/files/apt-preferences-unstable create mode 
100644 roles/wireguard/tasks/main.yml create mode 100644 roles/wireguard/tasks/packages.yml create mode 100755 vault-pass.sh
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..e608c82
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,3 @@
+[defaults]
+inventory = inventories/servers.yml
+vault_password_file = vault-pass.sh
diff --git a/files/issei/dnsmasq.conf b/files/issei/dnsmasq.conf
new file mode 100644
index 0000000..8e8d761
--- /dev/null
+++ b/files/issei/dnsmasq.conf
@@ -0,0 +1,18 @@
+# vim: set ft=dnsmasq:
+port=53
+
+domain-needed
+bogus-priv
+
+resolv-file=/etc/resolv.conf.dnsmasq
+
+server=/fritz.box/192.168.100.1
+
+no-hosts
+#addn-hosts=/etc/banner_add_hosts
+
+domain=home.sbruder.de
+
+dhcp-range=192.168.100.20,192.168.100.150,12h
+
+dhcp-option=option:router,192.168.100.1
diff --git a/inventories/group_vars/servers.yml b/inventories/group_vars/servers.yml
new file mode 100644
index 0000000..10857ba
--- /dev/null
+++ b/inventories/group_vars/servers.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+65653261616437626133346664313738316438343734323135323764633533386534336230336634
+3138336161303538376439333365323233633338383937660a356636653562303935653134633162
+37343662373164383338663365346435306532326432326563323464383262303163356363383637
+6564623838376331300a643339306234303465393737353064303431393963363265393935343731
+33643235653231383034303833306433346538323137303464303963383536356131353937356339
+62303264373734613335303766333333336561373633326137316532373064343336353666383439
+61323061366563313730396430316134386265626463643939363164666134323439623735353637
+36663831633236343134
diff --git a/inventories/servers.yml b/inventories/servers.yml
new file mode 100644
index 0000000..54fc6a2
--- /dev/null
+++ b/inventories/servers.yml
@@ -0,0 +1,7 @@
+servers:
+  hosts:
+    issei:
+      ansible_host: issei.home.sbruder.de
+      ansible_user: root
+  vars:
+    debian_release: buster
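Review bot: files/issei/dnsmasq.conf never pins the listener to the LAN interface, so `port=53` and the `dhcp-range` apply to every interface the host has, now or later. dnsmasq's default local-service behaviour limits answers to directly attached subnets when no interface option is given, but that protection is implicit; adding `interface=<LAN_IFACE>` and `bind-interfaces` states the intended scope in the file. Since upstream answers are forwarded to LAN clients, `stop-dns-rebind` is also worth adding next to `bogus-priv`.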
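Review bot: `ansible_user: root` in inventories/servers.yml makes every play a direct root SSH login, and the sshd role in this commit only disables password authentication, leaving `PermitRootLogin` at the distribution default. An unprivileged deploy user with `ansible_become: yes` would allow the sshd role to set `PermitRootLogin no` (or at least `prohibit-password`). If root login is intentional, a one-line comment on this key saying so saves the next reader the question.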
diff --git a/playbook.yml b/playbook.yml
new file mode 100644
index 0000000..97e7bd5
--- /dev/null
+++ b/playbook.yml
@@ -0,0 +1,14 @@
+---
+- hosts: servers
+  any_errors_fatal: yes
+  roles:
+    - role: base
+    - role: dnsmasq
+    - role: docker
+    - role: initramfs
+    - role: postfix
+    - role: python
+    - role: sshd
+    - role: unattended-upgrades
+    - role: wireguard
+  vars:
diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml
new file mode 100644
index 0000000..6d51563
--- /dev/null
+++ b/roles/base/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart-journald
+  systemd:
+    name: systemd-journald
+    state: restarted
+
diff --git a/roles/base/tasks/journal.yml b/roles/base/tasks/journal.yml
new file mode 100644
index 0000000..5ebf912
--- /dev/null
+++ b/roles/base/tasks/journal.yml
@@ -0,0 +1,8 @@
+---
+- name: make journal persistent
+  ini_file:
+    path: /etc/systemd/journald.conf
+    section: Journal
+    option: Storage
+    value: persistent
+  notify: restart-journald
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
new file mode 100644
index 0000000..8ae83ed
--- /dev/null
+++ b/roles/base/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- block:
+  - import_tasks: tools.yml
+    tags:
+      - base:tools
+  - import_tasks: journal.yml
+    tags:
+      - base:journal
+  tags:
+    - base
diff --git a/roles/base/tasks/tools.yml b/roles/base/tasks/tools.yml
new file mode 100644
index 0000000..763d2e1
--- /dev/null
+++ b/roles/base/tasks/tools.yml
@@ -0,0 +1,30 @@
+---
+- name: install tools
+  apt:
+    name:
+      - atool
+      - bmon
+      - dnsutils
+      - ethtool
+      - exa
+      - ffmpeg
+      - fzf
+      - git
+      - htop
+      - iperf3
+      - lm-sensors
+      - molly-guard
+      - mpv
+      - mtr
+      - ncdu
+      - net-tools
+      - nftables
+      - reptyr
+      - ripgrep
+      - rsync
+      - smartmontools
+      - tmux
+      - vim-nox
+      - vnstat
+      - zsh
+    state: present
diff --git a/roles/dnsmasq/files/resolv.conf b/roles/dnsmasq/files/resolv.conf
new file mode 100644
index 0000000..301afdf
--- /dev/null
+++ b/roles/dnsmasq/files/resolv.conf
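Review bot: The trailing `vars:` at the end of playbook.yml has no value and parses as null; Ansible appears to tolerate an empty play-level vars mapping, but the key documents nothing and reads like a truncated edit. Either drop the line or populate it — the `secrets.sparkpost_api_key` referenced by the postfix template has to be defined somewhere, presumably in the vaulted group_vars. `any_errors_fatal: yes` is reasonable for a single host; on a larger inventory it aborts the whole run on the first failing role.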
@@ -0,0 +1,6 @@
+# ClaraNet
+nameserver 212.82.226.212
+nameserver 212.82.225.7
+# Hurricane Electric
+nameserver 74.82.42.42
+nameserver 2001:470:20::2
diff --git a/roles/dnsmasq/handlers/main.yml b/roles/dnsmasq/handlers/main.yml
new file mode 100644
index 0000000..833e62b
--- /dev/null
+++ b/roles/dnsmasq/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart-dnsmasq
+  systemd:
+    name: dnsmasq
+    state: restarted
diff --git a/roles/dnsmasq/tasks/config.yml b/roles/dnsmasq/tasks/config.yml
new file mode 100644
index 0000000..4d9fe5d
--- /dev/null
+++ b/roles/dnsmasq/tasks/config.yml
@@ -0,0 +1,11 @@
+---
+- name: copy dnsmasq config file
+  copy:
+    src: "{{ inventory_hostname }}/dnsmasq.conf"
+    dest: /etc/dnsmasq.conf
+  notify: restart-dnsmasq
+
+- name: copy dnsmasq resolv config
+  copy:
+    src: resolv.conf
+    dest: /etc/resolv.conf.dnsmasq
diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml
new file mode 100644
index 0000000..968fb93
--- /dev/null
+++ b/roles/dnsmasq/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- block:
+  - import_tasks: packages.yml
+    tags:
+      - dnsmasq:packages
+  - import_tasks: config.yml
+    tags:
+      - dnsmasq:config
+  tags:
+    - dnsmasq
diff --git a/roles/dnsmasq/tasks/packages.yml b/roles/dnsmasq/tasks/packages.yml
new file mode 100644
index 0000000..762edec
--- /dev/null
+++ b/roles/dnsmasq/tasks/packages.yml
@@ -0,0 +1,5 @@
+---
+- name: install dnsmasq
+  apt:
+    name: dnsmasq
+    state: present
diff --git a/roles/docker/files/daemon.json b/roles/docker/files/daemon.json
new file mode 100644
index 0000000..fe3a9bc
--- /dev/null
+++ b/roles/docker/files/daemon.json
@@ -0,0 +1,3 @@
+{
+  "log-driver": "journald"
+}
diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml
new file mode 100644
index 0000000..c862e7d
--- /dev/null
+++ b/roles/docker/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+- name: update-grub
+  shell: update-grub
+
+- name: restart-docker
+  systemd:
+    name: docker
+    state: restarted
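Review bot: The first task in roles/dnsmasq/tasks/config.yml copies the per-host dnsmasq.conf and triggers a restart without validating the file, so a typo takes down DNS and DHCP for the LAN in one step, on the same host that resolves issei.home.sbruder.de for Ansible. Adding `validate: 'dnsmasq --test -C %s'` to that copy task makes the handler run only for a config dnsmasq accepts. The second task writes /etc/resolv.conf.dnsmasq with no notify; dnsmasq re-reads its resolv-file on change by default unless `no-poll` is set, so that is likely fine, but a short comment stating it keeps the asymmetry from looking like an oversight.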
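Review bot: `shell: update-grub` in roles/docker/handlers/main.yml runs a plain command through a shell it does not need; `command: update-grub` is the idiomatic form and is what ansible-lint expects. The same applies to `shell: update-initramfs -u` in roles/initramfs/handlers/main.yml.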
diff --git a/roles/docker/tasks/config.yml b/roles/docker/tasks/config.yml
new file mode 100644
index 0000000..bc8fddc
--- /dev/null
+++ b/roles/docker/tasks/config.yml
@@ -0,0 +1,6 @@
+---
+- name: add docker configuration
+  copy:
+    dest: /etc/docker/daemon.json
+    src: daemon.json
+  notify: restart-docker
diff --git a/roles/docker/tasks/kernel.yml b/roles/docker/tasks/kernel.yml
new file mode 100644
index 0000000..42df66b
--- /dev/null
+++ b/roles/docker/tasks/kernel.yml
@@ -0,0 +1,7 @@
+---
+- name: add boot parameters for docker
+  lineinfile:
+    path: /etc/default/grub
+    regexp: ^GRUB_CMDLINE_LINUX_DEFAULT=
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet cgroup_enable=memory swapaccount=1"'
+  notify: update-grub
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
new file mode 100644
index 0000000..c165a32
--- /dev/null
+++ b/roles/docker/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+- block:
+  - import_tasks: packages.yml
+    tags:
+      - docker:packages
+  - import_tasks: kernel.yml
+    tags:
+      - docker:kernel
+  - import_tasks: config.yml
+    tags:
+      - docker:config
+  tags:
+    - docker
diff --git a/roles/docker/tasks/packages.yml b/roles/docker/tasks/packages.yml
new file mode 100644
index 0000000..427190e
--- /dev/null
+++ b/roles/docker/tasks/packages.yml
@@ -0,0 +1,21 @@
+---
+- name: install docker dependencies
+  apt:
+    name: apt-transport-https
+    state: present
+
+- name: add docker repository key
+  apt_key:
+    url: https://download.docker.com/linux/debian/gpg
+    state: present
+
+- name: add docker repository
+  apt_repository:
+    repo: deb https://download.docker.com/linux/debian {{debian_release}} stable
+    state: present
+
+- name: install docker
+  apt:
+    name: docker-ce
+    update_cache: yes
+    state: present
diff --git a/roles/initramfs/handlers/main.yml b/roles/initramfs/handlers/main.yml
new file mode 100644
index 0000000..059b620
--- /dev/null
+++ b/roles/initramfs/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: update-initramfs
+  shell: update-initramfs -u
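Review bot: The lineinfile task in roles/docker/tasks/kernel.yml matches `^GRUB_CMDLINE_LINUX_DEFAULT=` and replaces the whole line, so any kernel parameter already on the host other than `quiet` (a serial console, a blacklist, a crashkernel reservation) is silently dropped. If replacing the value wholesale is intended, a comment saying so is enough; otherwise extend the existing value with `regexp: '^GRUB_CMDLINE_LINUX_DEFAULT="((?!.*cgroup_enable=memory).*)"$'`, `line: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 cgroup_enable=memory swapaccount=1"'` and `backrefs: yes`, which leaves an already-patched line untouched on later runs.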
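Review bot: The `apt_key` task in roles/docker/tasks/packages.yml trusts whatever key the URL serves and has no `id:` pinning the expected fingerprint, and the key lands in the global apt keyring where it can sign any package, not only Docker's. Add `id: <DOCKER_GPG_KEY_FINGERPRINT>` so a swapped key is rejected, or download the key into a dedicated keyring and reference it via `[signed-by=...]` in the `repo:` line. `apt-transport-https` is a transitional package on buster (apt has built-in https since 1.5), so the first task can go once every host is on that release.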
diff --git a/roles/initramfs/tasks/dropbear.yml b/roles/initramfs/tasks/dropbear.yml
new file mode 100644
index 0000000..19b00da
--- /dev/null
+++ b/roles/initramfs/tasks/dropbear.yml
@@ -0,0 +1,18 @@
+---
+- name: install dropbear
+  apt:
+    name: dropbear
+    state: present
+
+- name: disable dropbear systemd service
+  systemd:
+    name: dropbear
+    enabled: false
+    state: stopped
+
+- name: add ssh key to authorized keys
+  copy:
+    dest: /etc/dropbear-initramfs/authorized_keys
+    content: |
+      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCs0igb6TTxPkKEQ96pk/NEqqWvQH/miJEBAEe1bzHlo5n5ThnGYvVPadfHIwq1ix0IdAfyWoG8duaKVDJAUAFBtegRO7vRBYBYR04V8DE8n66MgDbbLDuu7Kbm4JWMUNg43KwJDzZtSvEKjyh5/u/TT59D1F+toxMfet++jNG03mFa6ANhMTjghbkFHj3eyuiXA/SxZLorhkCFW6Tri3u5FFLGpjaom1dZ5PAcic0+ZOECpgEwTj8FpOzmldjsu8gFxdPYGrqfA1dOxL3OQ6/rB0LfHjwrN9i3DrZzG+RfJxZbgO4/RLQz2sHYM6S6d1MtCcXThozCXSbmpdNdwdPp simon@kipf
+  notify: update-initramfs
diff --git a/roles/initramfs/tasks/main.yml b/roles/initramfs/tasks/main.yml
new file mode 100644
index 0000000..da392d6
--- /dev/null
+++ b/roles/initramfs/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- block:
+  - import_tasks: dropbear.yml
+    tags:
+      - initramfs:dropbear
+  tags:
+    - initramfs
diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml
new file mode 100644
index 0000000..ce364c9
--- /dev/null
+++ b/roles/postfix/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart-postfix
+  systemd:
+    name: postfix
+    state: restarted
diff --git a/roles/postfix/tasks/config.yml b/roles/postfix/tasks/config.yml
new file mode 100644
index 0000000..65a74f5
--- /dev/null
+++ b/roles/postfix/tasks/config.yml
@@ -0,0 +1,13 @@
+---
+- name: disable smptd
+  lineinfile:
+    path: /etc/postfix/master.cf
+    regexp: ^smtp inet n - y - - smtpd$
+    state: absent
+  notify: restart-postfix
+
+- name: configure postfix
+  template:
+    src: main.cf
+    dest: /etc/postfix/main.cf
+  notify: restart-postfix
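Review bot: The authorized_keys written by the last task in roles/initramfs/tasks/dropbear.yml carries no key options, so the key gets an unrestricted shell in the initramfs rather than only the unlock prompt; prefixing it with `no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock"` (assuming cryptsetup-initramfs builds the image) limits it to that, and the copy task should set `mode: '0600'`. The key is embedded inline for one person and host; an `initramfs_ssh_keys` list in host_vars would keep the task generic. Installing `dropbear-initramfs` directly instead of `dropbear` would avoid pulling in and then disabling the regular service in the two tasks above.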
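Review bot: The regexp `^smtp inet n - y - - smtpd$` in roles/postfix/tasks/config.yml uses single spaces, but Debian's master.cf aligns its columns with runs of spaces, so the pattern never matches, the task reports ok, and postfix's smtpd stays enabled. Use `regexp: '^smtp\s+inet\s+n\s+-\s+y\s+-\s+-\s+smtpd\s*$'`, or skip editing master.cf and set `inet_interfaces = loopback-only` in the main.cf template, which is the documented way to run a send-only host. The task name `disable smptd` has a typo.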
diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml
new file mode 100644
index 0000000..e07b6d0
--- /dev/null
+++ b/roles/postfix/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- block:
+  - import_tasks: packages.yml
+    tags:
+      - postfix:packages
+  - import_tasks: config.yml
+    tags:
+      - postfix:config
+  tags:
+    - postfix
diff --git a/roles/postfix/tasks/packages.yml b/roles/postfix/tasks/packages.yml
new file mode 100644
index 0000000..674577d
--- /dev/null
+++ b/roles/postfix/tasks/packages.yml
@@ -0,0 +1,5 @@
+---
+- name: install postfix
+  apt:
+    name: postfix
+    state: present
diff --git a/roles/postfix/templates/main.cf b/roles/postfix/templates/main.cf
new file mode 100644
index 0000000..bb066b2
--- /dev/null
+++ b/roles/postfix/templates/main.cf
@@ -0,0 +1,6 @@
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = static:SMTP_Injection:{{ secrets.sparkpost_api_key }}
+relayhost = [smtp.sparkpostmail.com]:587
+smtp_sasl_security_options = noanonymous
+smtp_tls_security_level = encrypt
+header_size_limit = 4096000
diff --git a/roles/python/tasks/main.yml b/roles/python/tasks/main.yml
new file mode 100644
index 0000000..e48ae7b
--- /dev/null
+++ b/roles/python/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- block:
+  - import_tasks: pip.yml
+    tags:
+      - python:pip
+  tags:
+    - python
diff --git a/roles/python/tasks/pip.yml b/roles/python/tasks/pip.yml
new file mode 100644
index 0000000..c98166f
--- /dev/null
+++ b/roles/python/tasks/pip.yml
@@ -0,0 +1,15 @@
+---
+- name: install pip
+  apt:
+    name:
+      - python3-pip
+      - python-setuptools # YEAH!
+    state: present
+
+- name: install python modules via pip
+  pip:
+    name:
+      - docker-compose
+    state: present
+    executable: pip3
+
diff --git a/roles/sshd/handlers/main.yml b/roles/sshd/handlers/main.yml
new file mode 100644
index 0000000..5ed1561
--- /dev/null
+++ b/roles/sshd/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart-sshd
+  systemd:
+    name: sshd
+    state: restarted
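Review bot: roles/postfix/templates/main.cf embeds the SparkPost API key via `static:SMTP_Injection:{{ secrets.sparkpost_api_key }}`, and the template task in roles/postfix/tasks/config.yml writes the file with the default mode, so the credential ends up world-readable in /etc/postfix/main.cf and in `postconf` output. Either add `mode: '0600'` to that template task or move the credential into a separate `hash:` map file with 0600 permissions so main.cf holds no secrets. `smtp_tls_security_level = encrypt` forces TLS but does not verify the relay's certificate; `secure` together with `smtp_tls_CApath = /etc/ssl/certs` would.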
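Review bot: The pip task in roles/python/tasks/pip.yml installs `docker-compose` system-wide as root from PyPI with no version pin, so each run can pull a different release and the host trusts whatever PyPI serves that day. Pin it (`- docker-compose==<PINNED_VERSION>`) or use the distribution package. `python-setuptools` is the Python 2 package; next to `python3-pip` the intended one is presumably `python3-setuptools`, and the `# YEAH!` comment should say why the line is there.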
diff --git a/roles/sshd/tasks/config.yml b/roles/sshd/tasks/config.yml
new file mode 100644
index 0000000..06ba3fa
--- /dev/null
+++ b/roles/sshd/tasks/config.yml
@@ -0,0 +1,6 @@
+---
+- name: only allow login with key
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    line: PasswordAuthentication no
+  notify: restart-sshd
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
new file mode 100644
index 0000000..8adf790
--- /dev/null
+++ b/roles/sshd/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- block:
+  - import_tasks: config.yml
+    tags:
+      - sshd:config
+  tags:
+    - sshd
diff --git a/roles/unattended-upgrades/files/20auto-upgrades b/roles/unattended-upgrades/files/20auto-upgrades
new file mode 100644
index 0000000..8d6d7c8
--- /dev/null
+++ b/roles/unattended-upgrades/files/20auto-upgrades
@@ -0,0 +1,2 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
diff --git a/roles/unattended-upgrades/files/50unattended-upgrades b/roles/unattended-upgrades/files/50unattended-upgrades
new file mode 100644
index 0000000..d6ce694
--- /dev/null
+++ b/roles/unattended-upgrades/files/50unattended-upgrades
@@ -0,0 +1,6 @@
+Unattended-Upgrade::Origins-Pattern {
+  "origin=Debian,codename=${distro_codename},label=Debian";
+  "origin=Debian,codename=${distro_codename},label=Debian-Security";
+};
+
+Unattended-Upgrade::Mail "root";
diff --git a/roles/unattended-upgrades/handlers/main.yml b/roles/unattended-upgrades/handlers/main.yml
new file mode 100644
index 0000000..dd3e4c2
--- /dev/null
+++ b/roles/unattended-upgrades/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart-unattended-upgrades
+  systemd:
+    name: unattended-upgrades
+    state: restarted
diff --git a/roles/unattended-upgrades/tasks/config.yml b/roles/unattended-upgrades/tasks/config.yml
new file mode 100644
index 0000000..7325d57
--- /dev/null
+++ b/roles/unattended-upgrades/tasks/config.yml
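Review bot: The lineinfile task in roles/sshd/tasks/config.yml has only `line:` and no `regexp:`, so on a host whose sshd_config already contains `PasswordAuthentication yes` the new line is appended at the end, sshd keeps the first occurrence, and password login stays enabled while the task reports changed. Add `regexp: '^#?PasswordAuthentication\s'` so the existing directive is replaced, and `validate: '/usr/sbin/sshd -t -f %s'` so a malformed config never reaches the restart handler on a host with no console. With `ansible_user: root` in the inventory, `PermitRootLogin prohibit-password` would be the matching hardening line.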
@@ -0,0 +1,11 @@
+---
+- name: configure unattended-upgrades
+  copy:
+    src: 50unattended-upgrades
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+  notify: restart-unattended-upgrade
+
+- name: configure automatic upgrades
+  copy:
+    src: 20auto-upgrades
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
diff --git a/roles/unattended-upgrades/tasks/main.yml b/roles/unattended-upgrades/tasks/main.yml
new file mode 100644
index 0000000..5b778da
--- /dev/null
+++ b/roles/unattended-upgrades/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- block:
+  - import_tasks: packages.yml
+    tags:
+      - unattended-upgrades:packages
+  - import_tasks: config.yml
+    tags:
+      - unattended-upgrades:config
+  tags:
+    - unattended-upgrades
diff --git a/roles/unattended-upgrades/tasks/packages.yml b/roles/unattended-upgrades/tasks/packages.yml
new file mode 100644
index 0000000..d74f201
--- /dev/null
+++ b/roles/unattended-upgrades/tasks/packages.yml
@@ -0,0 +1,4 @@
+---
+- name: install unattended-upgrades packages
+  apt:
+    name: unattended-upgrades
diff --git a/roles/wireguard/files/apt-preferences-unstable b/roles/wireguard/files/apt-preferences-unstable
new file mode 100644
index 0000000..3350f2c
--- /dev/null
+++ b/roles/wireguard/files/apt-preferences-unstable
@@ -0,0 +1,3 @@
+Package: *
+Pin: release a=unstable
+Pin-Priority: 90
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
new file mode 100644
index 0000000..7406d8c
--- /dev/null
+++ b/roles/wireguard/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- block:
+  - import_tasks: packages.yml
+    tags:
+      - wireguard:packages
+  tags:
+    - wireguard
diff --git a/roles/wireguard/tasks/packages.yml b/roles/wireguard/tasks/packages.yml
new file mode 100644
index 0000000..6d94410
--- /dev/null
+++ b/roles/wireguard/tasks/packages.yml
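Review bot: The first task in roles/unattended-upgrades/tasks/config.yml notifies `restart-unattended-upgrade`, but the handler in roles/unattended-upgrades/handlers/main.yml is named `restart-unattended-upgrades`, so the first run that changes the file fails with an unknown-handler error instead of restarting anything. Change the line to `notify: restart-unattended-upgrades`. roles/unattended-upgrades/tasks/packages.yml omits `state: present`; the default is the same, but every other apt task in this commit spells it out.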
@@ -0,0 +1,16 @@
+---
+- name: add unstable repositories
+  apt_repository:
+    repo: deb https://deb.debian.org/debian/ unstable main
+    state: present
+
+- name: configure apt pinning for unstable
+  copy:
+    src: apt-preferences-unstable
+    dest: /etc/apt/preferences.d/limit-unstable
+
+- name: install wireguard
+  apt:
+    name: wireguard
+    update_cache: yes
+    state: present
diff --git a/vault-pass.sh b/vault-pass.sh
new file mode 100755
index 0000000..7531ab4
--- /dev/null
+++ b/vault-pass.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+pass management/ansible/servers/vault
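Review bot: roles/wireguard/tasks/packages.yml installs `wireguard` from unstable, but the 50unattended-upgrades origins pattern only matches `codename=${distro_codename}` and the pin priority of 90 stops apt from upgrading unstable packages on its own, so wireguard (presumably wireguard-dkms and wireguard-tools) will not receive automatic updates. A comment on the install task stating that wireguard upgrades are manual, or an additional Origins-Pattern entry for it, closes that gap. Note also that with `Package: *` pinned at 90, any later `apt install` of a package absent from stable will quietly come from unstable.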