init

ansible.cfg

@@ -0,0 +1,3 @@
+[defaults]
+inventory = inventories/servers.yml
+vault_password_file = vault-pass.sh

files/issei/dnsmasq.conf

@@ -0,0 +1,18 @@
+# vim: set ft=dnsmasq:
+port=53
+
+domain-needed
+bogus-priv
+
+resolv-file=/etc/resolv.conf.dnsmasq
+
+server=/fritz.box/192.168.100.1
+
+no-hosts
+#addn-hosts=/etc/banner_add_hosts
+
+domain=home.sbruder.de
+
+dhcp-range=192.168.100.20,192.168.100.150,12h
+
+dhcp-option=option:router,192.168.100.1

inventories/group_vars/servers.yml

@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+65653261616437626133346664313738316438343734323135323764633533386534336230336634
+3138336161303538376439333365323233633338383937660a356636653562303935653134633162
+37343662373164383338663365346435306532326432326563323464383262303163356363383637
+6564623838376331300a643339306234303465393737353064303431393963363265393935343731
+33643235653231383034303833306433346538323137303464303963383536356131353937356339
+62303264373734613335303766333333336561373633326137316532373064343336353666383439
+61323061366563313730396430316134386265626463643939363164666134323439623735353637
+36663831633236343134

inventories/servers.yml

@@ -0,0 +1,7 @@
+servers:
+  hosts:
+    issei:
+      ansible_host: issei.home.sbruder.de
+      ansible_user: root
+  vars:
+    debian_release: buster

playbook.yml

@@ -0,0 +1,14 @@
+---
+- hosts: servers
+  any_errors_fatal: yes
+  roles:
+    - role: base
+    - role: dnsmasq
+    - role: docker
+    - role: initramfs
+    - role: postfix
+    - role: python
+    - role: sshd
+    - role: unattended-upgrades
+    - role: wireguard
+  vars:

roles/base/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart-journald
+  systemd:
+    name: systemd-journald
+    state: restarted
+

roles/base/tasks/journal.yml

@@ -0,0 +1,8 @@
+---
+- name: make journal persistent
+  ini_file:
+    path: /etc/systemd/journald.conf
+    section: Journal
+    option: Storage
+    value: persistent
+  notify: restart-journald

roles/base/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- block:
+  - import_tasks: tools.yml
+    tags:
+      - base:tools
+  - import_tasks: journal.yml
+    tags:
+      - base:journal
+  tags:
+    - base

roles/base/tasks/tools.yml

@@ -0,0 +1,30 @@
+---
+- name: install tools
+  apt:
+    name:
+      - atool
+      - bmon
+      - dnsutils
+      - ethtool
+      - exa
+      - ffmpeg
+      - fzf
+      - git
+      - htop
+      - iperf3
+      - lm-sensors
+      - molly-guard
+      - mpv
+      - mtr
+      - ncdu
+      - net-tools
+      - nftables
+      - reptyr
+      - ripgrep
+      - rsync
+      - smartmontools
+      - tmux
+      - vim-nox
+      - vnstat
+      - zsh
+    state: present

roles/dnsmasq/files/resolv.conf

@@ -0,0 +1,6 @@
+# ClaraNet
+nameserver 212.82.226.212
+nameserver 212.82.225.7
+# Hurricane Electric
+nameserver 74.82.42.42
+nameserver 2001:470:20::2

roles/dnsmasq/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart-dnsmasq
+  systemd:
+    name: dnsmasq
+    state: restarted

roles/dnsmasq/tasks/config.yml

@@ -0,0 +1,11 @@
+---
+- name: copy dnsmasq config file
+  copy:
+    src: "{{ inventory_hostname }}/dnsmasq.conf"
+    dest: /etc/dnsmasq.conf
+  notify: restart-dnsmasq
+
+- name: copy dnsmasq resolv config
+  copy:
+    src: resolv.conf
+    dest: /etc/resolv.conf.dnsmasq

roles/dnsmasq/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- block:
+  - import_tasks: packages.yml
+    tags:
+      - dnsmasq:packages
+  - import_tasks: config.yml
+    tags:
+      - dnsmasq:config
+  tags:
+    - dnsmasq

roles/dnsmasq/tasks/packages.yml

@@ -0,0 +1,5 @@
+---
+- name: install dnsmasq
+  apt:
+    name: dnsmasq
+    state: present

roles/docker/files/daemon.json

@@ -0,0 +1,3 @@
+{
+  "log-driver": "journald"
+}

roles/docker/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+- name: update-grub
+  shell: update-grub
+
+- name: restart-docker
+  systemd:
+    name: docker
+    state: restarted

roles/docker/tasks/config.yml

@@ -0,0 +1,6 @@
+---
+- name: add docker configuration
+  copy:
+    dest: /etc/docker/daemon.json
+    src: daemon.json
+  notify: restart-docker

roles/docker/tasks/kernel.yml

@@ -0,0 +1,7 @@
+---
+- name: add boot parameters for docker
+  lineinfile:
+    path: /etc/default/grub
+    regexp: ^GRUB_CMDLINE_LINUX_DEFAULT=
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet cgroup_enable=memory swapaccount=1"'
+  notify: update-grub

roles/docker/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+- block:
+  - import_tasks: packages.yml
+    tags:
+      - docker:packages
+  - import_tasks: kernel.yml
+    tags:
+      - docker:kernel
+  - import_tasks: config.yml
+    tags:
+      - docker:config
+  tags:
+    - docker

roles/docker/tasks/packages.yml

@@ -0,0 +1,21 @@
+---
+- name: install docker dependencies
+  apt:
+    name: apt-transport-https
+    state: present
+
+- name: add docker repository key
+  apt_key:
+    url: https://download.docker.com/linux/debian/gpg
+    state: present
+
+- name: add docker repository
+  apt_repository:
+    repo: deb https://download.docker.com/linux/debian {{debian_release}} stable
+    state: present
+
+- name: install docker
+  apt:
+    name: docker-ce
+    update_cache: yes
+    state: present

roles/initramfs/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: update-initramfs
+  shell: update-initramfs -u

roles/initramfs/tasks/dropbear.yml

@@ -0,0 +1,18 @@
+---
+- name: install dropbear
+  apt:
+    name: dropbear
+    state: present
+
+- name: disable dropbear systemd service
+  systemd:
+    name: dropbear
+    enabled: false
+    state: stopped
+
+- name: add ssh key to authorized keys
+  copy:
+    dest: /etc/dropbear-initramfs/authorized_keys
+    content: |
+      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCs0igb6TTxPkKEQ96pk/NEqqWvQH/miJEBAEe1bzHlo5n5ThnGYvVPadfHIwq1ix0IdAfyWoG8duaKVDJAUAFBtegRO7vRBYBYR04V8DE8n66MgDbbLDuu7Kbm4JWMUNg43KwJDzZtSvEKjyh5/u/TT59D1F+toxMfet++jNG03mFa6ANhMTjghbkFHj3eyuiXA/SxZLorhkCFW6Tri3u5FFLGpjaom1dZ5PAcic0+ZOECpgEwTj8FpOzmldjsu8gFxdPYGrqfA1dOxL3OQ6/rB0LfHjwrN9i3DrZzG+RfJxZbgO4/RLQz2sHYM6S6d1MtCcXThozCXSbmpdNdwdPp simon@kipf
+  notify: update-initramfs

roles/initramfs/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+- block:
+  - import_tasks: dropbear.yml
+    tags:
+      - initramfs:dropbear
+  tags:
+    - initramfs

roles/postfix/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart-postfix
+  systemd:
+    name: postfix
+    state: restarted

roles/postfix/tasks/config.yml

@@ -0,0 +1,13 @@
+---
+- name: disable smptd
+  lineinfile:
+    path: /etc/postfix/master.cf
+    regexp: ^smtp      inet  n       -       y       -       -       smtpd$
+    state: absent
+  notify: restart-postfix
+
+- name: configure postfix
+  template:
+    src: main.cf
+    dest: /etc/postfix/main.cf
+  notify: restart-postfix

roles/postfix/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- block:
+  - import_tasks: packages.yml
+    tags:
+      - postfix:packages
+  - import_tasks: config.yml
+    tags:
+      - postfix:config
+  tags:
+    - postfix

roles/postfix/tasks/packages.yml

@@ -0,0 +1,5 @@
+---
+- name: install postfix
+  apt:
+    name: postfix
+    state: present

roles/postfix/templates/main.cf

@@ -0,0 +1,6 @@
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = static:SMTP_Injection:{{ secrets.sparkpost_api_key }}
+relayhost = [smtp.sparkpostmail.com]:587
+smtp_sasl_security_options = noanonymous
+smtp_tls_security_level = encrypt
+header_size_limit = 4096000

roles/python/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+- block:
+  - import_tasks: pip.yml
+    tags:
+      - python:pip
+  tags:
+    - python

roles/python/tasks/pip.yml

@@ -0,0 +1,15 @@
+---
+- name: install pip
+  apt:
+    name:
+      - python3-pip
+      - python-setuptools # YEAH!
+    state: present
+
+- name: install python modules via pip
+  pip:
+    name:
+      - docker-compose
+    state: present
+    executable: pip3
+

roles/sshd/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart-sshd
+  systemd:
+    name: sshd
+    state: restarted

roles/sshd/tasks/config.yml

@@ -0,0 +1,6 @@
+---
+- name: only allow login with key
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    line: PasswordAuthentication no
+  notify: restart-sshd

roles/sshd/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+- block:
+  - import_tasks: config.yml
+    tags:
+      - sshd:config
+  tags:
+    - sshd

roles/unattended-upgrades/files/20auto-upgrades

@@ -0,0 +1,2 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";

roles/unattended-upgrades/files/50unattended-upgrades

@@ -0,0 +1,6 @@
+Unattended-Upgrade::Origins-Pattern {
+        "origin=Debian,codename=${distro_codename},label=Debian";
+        "origin=Debian,codename=${distro_codename},label=Debian-Security";
+};
+
+Unattended-Upgrade::Mail "root";

roles/unattended-upgrades/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart-unattended-upgrades
+  systemd:
+    name: unattended-upgrades
+    state: restarted

roles/unattended-upgrades/tasks/config.yml

@@ -0,0 +1,11 @@
+---
+- name: configure unattended-upgrades
+  copy:
+    src: 50unattended-upgrades
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+  notify: restart-unattended-upgrade
+
+- name: configure automatic upgrades
+  copy:
+    src: 20auto-upgrades
+    dest: /etc/apt/apt.conf.d/20auto-upgrades

roles/unattended-upgrades/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- block:
+  - import_tasks: packages.yml
+    tags:
+      - unattended-upgrades:packages
+  - import_tasks: config.yml
+    tags:
+      - unattended-upgrades:config
+  tags:
+    - unattended-upgrades

roles/unattended-upgrades/tasks/packages.yml

@@ -0,0 +1,4 @@
+---
+- name: install unattended-upgrades packages
+  apt:
+    name: unattended-upgrades

roles/wireguard/files/apt-preferences-unstable

@@ -0,0 +1,3 @@
+Package: *
+Pin: release a=unstable
+Pin-Priority: 90

roles/wireguard/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+- block:
+  - import_tasks: packages.yml
+    tags:
+      - wireguard:packages
+  tags:
+    - wireguard

roles/wireguard/tasks/packages.yml

@@ -0,0 +1,16 @@
+---
+- name: add unstable repositories
+  apt_repository:
+    repo: deb https://deb.debian.org/debian/ unstable main
+    state: present
+
+- name: configure apt pinning for unstable
+  copy:
+    src: apt-preferences-unstable
+    dest: /etc/apt/preferences.d/limit-unstable
+
+- name: install wireguard
+  apt:
+    name: wireguard
+    update_cache: yes
+    state: present

vault-pass.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+pass management/ansible/servers/vault