diff --git a/README.md b/README.md index f578cca..e7cbce4 100644 --- a/README.md +++ b/README.md 
@@ -1,227 +1,33 @@ # TuDatTr IaC -## User -It is expected that a user with sudo privilages is on the target, for me the users name is "tudattr" -you can add such user with the following command `useradd -m -g sudo -s /bin/bash tudattr` -Don't forget to set a password for the new user with `passwd tudattr` -## sudo -Install sudo on the target machine, with debian its +**I do not recommend this project being used for ones own infrastructure, as +this project is heavily attuned to my specific host/network setup** +The Ansible Project to provision fresh Debian VMs for my Proxmox instances. +Some values are hard coded such as the public key both in +[./scripts/debian_seed.sh](./scripts/debian_seed.sh) and [./group_vars/all/vars.yml](./group_vars/all/vars.yml). + +## Prerequisites + +- [secrets.yml](secrets.yml) in the root directory of this repository. + Skeleton file can be found as [./secrets.yml.skeleton](./secrets.yml.skeleton). +- IP Configuration of hosts like in [./host_vars/\*](./host_vars/*) +- Setup [~/.ssh/config](~/.ssh/config) for the respective hosts used. +- Install `passlib` for your operating system. Needed to hash passwords ad-hoc. + +## Improvable Variables + +- `group_vars/k3s/vars.yml`: + - `k3s.server.ips`: Take list of IPs from host_vars `k3s_server*.yml`. + - `k3s_db_connection_string`: Embed this variable in the `k3s.db.`-directory. + Currently causes loop. + +## Run Playbook + +To run a first playbook and test the setup the following command can be executed. ```sh -su root -apt install sudo -usermod -a -G sudo tudattr +ansible-playbook -i production -J k3s-servers.yml ``` -## Backups -Backup for aya01 and raspberry are in a backblaze b2, which gets encrypted on the clientside by rclone. -but first of all we need to create the buckets and provide ansible with the needed information. - -First we need to create a api key for backblaze, consists of an id and a key. -we use clone to sync to backblaze. 
-we can encrypt the data with rclone before sending it to backblaze. -to do this we need two buckets: -- b2 -- crypt -on each device that should be backupped. - -we create these by running `rclone config` and creating one [remote] b2 config and a [secret] crypt config. The crypt config should have two passwords that we store in our secrets file. - -` -## Vault -- Create vault with: `ansible-vault create secrets.yml` -- Create entry in vault with: `ansible-vault edit secrets.yml` -- Add following entries: TODO - -## Docker -To add new docker containers to the docker role you need to add the following and replace `service` with the name of your service: - -- Add relevent vars to `group_vars/all/vars.yaml`: -```yaml -service: - host: "service" - ports: - http: "19999" - volumes: - config: "{{ docker_dir }}/service/" # config folder or your dir - data: "{{ docker_data_dir }}/service/" # data folder or your dir (only works on aya01) -``` - -- Create necessary directories for service in the docker role `roles/docker/tasks/service.yaml` -```yaml -- name: Create service dirs - file: - path: "{{ item }}" - owner: 1000 - group: 1000 - mode: '775' - state: directory - loop: - - "{{ service.volumes.config }}" - - "{{ service.volumes.data }}" - -# optional: -# - name: Place service config -# template: -# owner: 1000 -# mode: '660' -# src: "templates/hostname/service/service.yml" -# dest: "{{ prm_config }}/service.yml" -``` - -- Includ new tasks to `roles/docker/tasks/hostname_compose.yaml`: -```yaml -- include_tasks: service.yaml - tags: - - service -``` - -- Add new service to compose `roles/docker/templates/hostname/compose.yaml` -```yaml - service: - image: service/service - container_name: service - hostname: service - networks: - - net - ports: - - "{{service_port}}:19999" - restart: unless-stopped - volumes: - - "{{service_config}}:/etc/service" - - "{{service_lib}}:/var/lib/service" - - "{{service_cache}}:/var/cache/service" -``` - -## Server -- Install Debian 
(debian-11.5.0-amd64-netinst.iso) on remote system -- Create user (tudattr) -- Get IP of remote system (192.168.20.11) -- Create ssh-config entry - ```config - Host aya01 - HostName 192.168.20.11 - Port 22 - User tudattr - IdentityFile /mnt/veracrypt1/genesis - ``` - - copy public key to remote system - `ssh-copy-id -i /mnt/veracrypt1/genesis.pub aya01` -- Add this host to ansible inventory -- Install sudo on remote -- add user to sudo group (with `su --login` without login the path will not be loaded correctly see [here](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918754)) and `usermod -a -G sudo tudattr` -- set time correctly when getting the following error -```sh -Release file for http://security.debian.org/debian-security/dists/bullseye-security/InRelease is not valid yet (invalid for another 12h 46min 9s). Updates for this repository will not be applied. -``` -By doing on remote system (example): -```sh -sudo systemctl stop ntp.service -sudo ntpd -gq -sudo systemctl start ntp.service -``` -### zoneminder -- Enable authentification in (Option->System) -- Create new Camera: - - General>Name: BirdCam - - General>Function: Ffmpeg - - General>Function: Modect - - Source>Source Path: `rtsp://user:pw@ip:554/cam/mpeg4` -- Change default admin password -- Create users - - - -## RaspberryPi -- Install raspbian lite (2022-09-22-raspios-bullseye-arm64-lite.img) on pi -- Get IP of remote system (192.168.20.11) -- Create ssh-config entry -```config -Host pi - HostName 192.168.20.11 - Port 22 - User tudattr - IdentityFile /mnt/veracrypt1/genesis -``` -- enable ssh on pi -- copy public key to pi -- change user password of user on pi -- execute `ansible-playbook -i production --ask-vault-pass --extra-vars '@secrets.yml' pi.yml` - -## Mikrotik -- Create rsa-key on your device and name it mikrotik_rsa -- On mikrotik run: `/user/ssh-keys/import public-key-file=mikrotik_rsa.pub user=tudattr` -- Create ssh-config entry: -```config -Host mikrotik - HostName 192.168.70.1 - 
Port 2200 - User tudattr - IdentityFile /mnt/veracrypt1/mikrotik_rsa -``` - -### wireguard -thanks to [mikrotik](https://www.medo64.com/2022/04/wireguard-on-mikrotik-routeros-7/)0 -quick code -``` -# add wiregurad interface -interface/wireguard/add listen-port=51820 name=wg1 -# get public key -interface/wireguard/print -$ > public-key: -# add network/ip for wireguard interface -ip/address/add address=192.168.200.1/24 network=192.168.200.0 interface=wg1 -# add firewall rule for wireguard (maybe specify to be from pppoe-wan) -/ip/firewall/filter/add chain=input protocol=udp dst-port=51820 action=accept -# routing for wg1 clients and rest of the network -> -# enable internet for wg1 clients (may have to add to enable internet list -/ip/firewall/nat/add chain=srcnat src-address=192.168.200.0/24 out-interface=pppoe-wan action=masquerade -``` -add peer -``` -/interface/wireguard/peers/add interface=wg1 allowed-address=/24 public-key=" peer_A.pub` -Wireguard config on archlinux at `/etc/wireguard/wg0.conf`: -``` -[Interface] -PrivateKey = -Address = 192.168.200.250/24 - -[Peer] -PublicKey = -Endpoint = tudattr.dev:51820 -AllowedIPs = 0.0.0.0/0 -``` -used ipv4: -- tudattr: 192.168.200.250 -- livei: 192.168.200.240 - -#### notes -- wireguard->add - name: wg_tunnel01 - listen port: 51820 - [save] -- wireguard->peers->add - interface: wg_tunnel01 - endpoint port: 51820 - allowed address: ::/0 - psk: - persistent keepalive: 25 -- ip->address->address list->add - address:192.168.200.1/24 - network: 192.168.200.0 - interface: wg_tunnel01 - -## troubleshooting -### Docker networking problem -`docker system prune -a` -### Time problems (NTP service: n/a) -systemctl status systemd-timesyncd.service -when not available -sudo apt install systemd-timesyncd/stable -### Syncthing inotify -echo "fs.inotify.max_user_watches=204800" | sudo tee -a /etc/sysctl.conf -https://forum.cloudron.io/topic/7163/how-to-increase-inotify-limit-for-syncthing/2 +This will run the 
[./k3s-servers.yml](./k3s-servers.yml) playbook and execute +its roles. diff --git a/common-k3s.yml b/common-k3s.yml new file mode 100644 index 0000000..514366b --- /dev/null +++ b/common-k3s.yml @@ -0,0 +1,10 @@ +--- +- name: Run the common role on k3s + hosts: k3s + gather_facts: yes + vars_files: + - secrets.yml + roles: + - role: common + tags: + - common diff --git a/db.yml b/db.yml new file mode 100644 index 0000000..feba3d5 --- /dev/null +++ b/db.yml @@ -0,0 +1,16 @@ +--- +- name: Set up Servers + hosts: db + gather_facts: yes + vars_files: + - secrets.yml + roles: + - role: common + tags: + - common + - role: postgres + tags: + - postgres + - role: node_exporter + tags: + - node_exporter diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 8c123bf..5109150 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -4,7 +4,6 @@ user: tudattr timezone: Europe/Berlin -rclone_config: "/root/.config/rclone/" puid: "1000" pgid: "1000" pk_path: "/mnt/veracrypt1/genesis" diff --git a/group_vars/k3s/vars.yml b/group_vars/k3s/vars.yml new file mode 100644 index 0000000..0d45f41 --- /dev/null +++ b/group_vars/k3s/vars.yml @@ -0,0 +1,19 @@ +db: + default_user: + password: "{{ vault.k3s.postgres.default_user.password }}" + name: "k3s" + user: "k3s" + password: "{{ vault.k3s.db.password}}" + +k3s: + server: + ips: + - 192.168.20.21 + - 192.168.20.24 + loadbalancer: + ips: 192.168.20.22 + db: + ip: 192.168.20.23 + default_port: "5432" + +k3s_db_connection_string: "postgres://{{db.user}}:{{db.password}}@{{k3s.db.ip}}:{{k3s.db.default_port}}/{{db.name}}" diff --git a/host_vars/aya01.yml b/host_vars/aya01.yml deleted file mode 100644 index 34392b0..0000000 --- a/host_vars/aya01.yml +++ /dev/null 
@@ -1,53 +0,0 @@ -ansible_user: "{{ user }}" -ansible_host: 192.168.20.12 -ansible_port: 22 -ansible_ssh_private_key_file: '{{ pk_path }}' -ansible_become_pass: '{{ vault.aya01.sudo }}' - -host: - hostname: "aya01" - ip: "{{ ansible_host }}" - backblaze: - account: "{{ vault.aya01.backblaze.account }}" - key: "{{ vault.aya01.backblaze.key }}" - remote: "remote:aya01-tudattr-dev" - password: "{{ vault.aya01.rclone.password }}" - password2: "{{ vault.aya01.rclone.password2 }}" - paths: - - "{{ docker_compose_dir }}" - - "{{ docker_dir }}" - fstab: - - name: "config" - path: "/opt" - type: "ext4" - uuid: "cad60133-dd84-4a2a-8db4-2881c608addf" - - name: "media0" - path: "/mnt/media0" - type: "ext4" - uuid: "c4c724ec-4fe3-4665-adf4-acd31d6b7f95" - - name: "media1" - path: "/mnt/media1" - type: "ext4" - uuid: "8d66d395-1e35-4f5a-a5a7-d181d6642ebf" - mergerfs: - - name: "media" - path: "/media" - branches: - - "/mnt/media0" - - "/mnt/media1" - opts: - - "use_ino" - - "allow_other" - - "cache.files=partial" - - "dropcacheonclose=true" - - "category.create=mfs" - type: "fuse.mergerfs" - samba: - password: "{{ vault.aya01.samba.password }}" - paperless: - db: - password: "{{ vault.aya01.paperless.db.password }}" - gitea: - runner: - token: "{{ vault.aya01.gitea.runner.token }}" - name: "aya01" diff --git a/host_vars/k3s-loadbalancer.yml b/host_vars/k3s-loadbalancer.yml new file mode 100644 index 0000000..455ad44 --- /dev/null +++ b/host_vars/k3s-loadbalancer.yml @@ -0,0 +1,9 @@ +--- +ansible_user: "{{ user }}" +ansible_host: 192.168.20.22 +ansible_port: 22 +ansible_ssh_private_key_file: "{{ pk_path }}" +ansible_become_pass: "{{ vault.k3s.loadbalancer.sudo }}" +host: + hostname: "k3s-loadbalancer" + ip: "{{ ansible_host }}" diff --git a/host_vars/k3s-postgres.yml b/host_vars/k3s-postgres.yml new file mode 100644 index 0000000..5427603 --- /dev/null +++ b/host_vars/k3s-postgres.yml 
@@ -0,0 +1,9 @@ +--- +ansible_user: "{{ user }}" +ansible_host: 192.168.20.23 +ansible_port: 22 +ansible_ssh_private_key_file: "{{ pk_path }}" +ansible_become_pass: "{{ vault.k3s.postgres.sudo }}" +host: + hostname: "k3s-postgres" + ip: "{{ ansible_host }}" diff --git a/host_vars/k3s.server.yml b/host_vars/k3s-server00.yml similarity index 64% rename from host_vars/k3s.server.yml rename to host_vars/k3s-server00.yml index f3d22d1..cb76120 100644 --- a/host_vars/k3s.server.yml +++ b/host_vars/k3s-server00.yml @@ -1,9 +1,9 @@ +--- ansible_user: "{{ user }}" ansible_host: 192.168.20.21 ansible_port: 22 ansible_ssh_private_key_file: "{{ pk_path }}" -ansible_become_pass: "{{ vault.k3s-server.sudo }}" - +ansible_become_pass: "{{ vault.k3s.server00.sudo }}" host: - hostname: "k3s.server" + hostname: "k3s-server00" ip: "{{ ansible_host }}" diff --git a/host_vars/genesis.yml b/host_vars/k3s-server01.yml similarity index 52% rename from host_vars/genesis.yml rename to host_vars/k3s-server01.yml index c2afc30..3f34329 100644 --- a/host_vars/genesis.yml +++ b/host_vars/k3s-server01.yml @@ -1,9 +1,10 @@ +--- ansible_user: "{{ user }}" -ansible_host: 192.168.20.12 +ansible_host: 192.168.20.24 ansible_port: 22 ansible_ssh_private_key_file: "{{ pk_path }}" -ansible_become_pass: "{{ vault.aya01.sudo }}" +ansible_become_pass: "{{ vault.k3s.server01.sudo }}" host: - hostname: "k3s.server" + hostname: "k3s-server01" ip: "{{ ansible_host }}" diff --git a/k3s.server.yml b/k3s-servers.yml similarity index 70% rename from k3s.server.yml rename to k3s-servers.yml index eb293c6..79917b9 100644 --- a/k3s.server.yml +++ b/k3s-servers.yml @@ -1,14 +1,13 @@ --- - name: Set up Servers - hosts: aya01 + hosts: k3s_server gather_facts: yes + vars_files: + - secrets.yml roles: - role: common tags: - common - - role: k3s-server - tags: - - k3s-server - role: node_exporter tags: - node_exporter diff --git a/loadbalancer.yml b/loadbalancer.yml new file mode 100644 index 0000000..34e773d --- /dev/null 
+++ b/loadbalancer.yml @@ -0,0 +1,16 @@ +--- +- name: Set up Servers + hosts: loadbalancer + gather_facts: yes + vars_files: + - secrets.yml + roles: + - role: common + tags: + - common + - role: loadbalancer + tags: + - loadbalancer + - role: node_exporter + tags: + - node_exporter diff --git a/production b/production index 292ccd9..3df332f 100644 --- a/production +++ b/production @@ -2,10 +2,26 @@ mii [k3s] -k3s.server +k3s-server00 +k3s-server01 +k3s-postgres +k3s-loadbalancer + +[k3s_server] +k3s-server00 +k3s-server01 [vm] -k3s.server +k3s-server00 +k3s-server01 +k3s-postgres +k3s-loadbalancer -[controller] -genesis +[db] +k3s-postgres + +[loadbalancer] +k3s-loadbalancer + +[vm:vars] +ansible_ssh_common_args='-o ProxyCommand="ssh -p 22 -W %h:%p -q aya01"' diff --git a/roles/common/templates/common/bash/bashrc.j2 b/roles/common/files/bash/bashrc similarity index 98% rename from roles/common/templates/common/bash/bashrc.j2 rename to roles/common/files/bash/bashrc index c573e9c..3e5661f 100644 --- a/roles/common/templates/common/bash/bashrc.j2 +++ b/roles/common/files/bash/bashrc @@ -51,6 +51,3 @@ if ! shopt -oq posix; then . /etc/bash_completion fi fi - - -. "$HOME/.cargo/env" diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml new file mode 100644 index 0000000..e1bf3a0 --- /dev/null +++ b/roles/common/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart sshd + service: + name: sshd + state: restarted + become: yes diff --git a/roles/common/tasks/bash.yml b/roles/common/tasks/bash.yml index ddaaf10..1e2d442 100644 --- a/roles/common/tasks/bash.yml +++ b/roles/common/tasks/bash.yml @@ -1,10 +1,9 @@ --- - name: Copy .bashrc template: - src: templates/common/bash/bashrc.j2 + src: files/bash/bashrc dest: "/home/{{ user }}/.bashrc" owner: "{{ user }}" group: "{{ user }}" mode: 0644 become: yes - register: sshd diff --git a/roles/common/tasks/hostname.yml b/roles/common/tasks/hostname.yml new file mode 100644 index 0000000..4db114d 
--- /dev/null +++ b/roles/common/tasks/hostname.yml @@ -0,0 +1,14 @@ +--- +- name: Set a hostname + ansible.builtin.hostname: + name: "{{ host.hostname }}" + become: true + +- name: Update /etc/hosts to reflect the new hostname + lineinfile: + path: /etc/hosts + regexp: '^127\.0\.1\.1' + line: "127.0.1.1 {{ host.hostname }}" + state: present + backup: yes + become: true diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index f8f1218..fe0425b 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -1,5 +1,6 @@ --- - include_tasks: time.yml -- include_tasks: essential.yml +- include_tasks: hostname.yml +- include_tasks: packages.yml - include_tasks: bash.yml - include_tasks: sshd.yml diff --git a/roles/common/tasks/essential.yml b/roles/common/tasks/packages.yml similarity index 83% rename from roles/common/tasks/essential.yml rename to roles/common/tasks/packages.yml index c0b2bd7..48c8908 100644 --- a/roles/common/tasks/essential.yml +++ b/roles/common/tasks/packages.yml @@ -1,5 +1,5 @@ --- -- name: Update and upgrade packages +- name: Update and upgrade packages apt: update_cache: yes upgrade: yes diff --git a/roles/common/tasks/sshd.yml b/roles/common/tasks/sshd.yml index e52a8aa..d1bc4ad 100644 --- a/roles/common/tasks/sshd.yml +++ b/roles/common/tasks/sshd.yml @@ -1,11 +1,12 @@ --- - name: Copy sshd_config template: - src: templates/common/ssh/sshd_config + src: templates/ssh/sshd_config dest: /etc/ssh/sshd_config mode: 0644 + notify: + - Restart sshd become: yes - register: sshd - name: Copy pubkey copy: @@ -14,10 +15,3 @@ owner: "{{ user }}" group: "{{ user }}" mode: "644" - -- name: Restart sshd - service: - name: "sshd" - state: "restarted" - become: yes - when: sshd.changed diff --git a/roles/common/templates/common/ssh/sshd_config b/roles/common/templates/ssh/sshd_config similarity index 100% rename from roles/common/templates/common/ssh/sshd_config rename to roles/common/templates/ssh/sshd_config 
diff --git a/roles/k3s_server/handlers/main.yml b/roles/k3s_server/handlers/main.yml new file mode 100644 index 0000000..a92a08b --- /dev/null +++ b/roles/k3s_server/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart sshd + service: + name: k3s + state: restarted + become: yes diff --git a/roles/k3s_server/tasks/installation.yml b/roles/k3s_server/tasks/installation.yml new file mode 100644 index 0000000..fec8879 --- /dev/null +++ b/roles/k3s_server/tasks/installation.yml @@ -0,0 +1,6 @@ +--- +- name: Install k3s + command: "curl -sfL https://get.k3s.io | sh -s - server --node-taint CriticalAddonsOnly=true:NoExecute --tls-san {{ k3s.loadbalancer.ip }}" + environment: + K3S_DATASTORE_ENDPOINT: "{{ k3s_db_connection_string }}" + become: true diff --git a/roles/k3s_server/tasks/main.yml b/roles/k3s_server/tasks/main.yml new file mode 100644 index 0000000..fc446ac --- /dev/null +++ b/roles/k3s_server/tasks/main.yml @@ -0,0 +1,2 @@ +--- +- include_tasks: installation.yml diff --git a/genesis b/roles/k3s_server/vars/main.yml similarity index 100% rename from genesis rename to roles/k3s_server/vars/main.yml diff --git a/roles/loadbalancer/handlers/main.yml b/roles/loadbalancer/handlers/main.yml new file mode 100644 index 0000000..42a1349 --- /dev/null +++ b/roles/loadbalancer/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart nginx + systemd: + name: nginx + state: restarted + become: true diff --git a/roles/loadbalancer/tasks/configuration.yml b/roles/loadbalancer/tasks/configuration.yml new file mode 100644 index 0000000..4eef571 --- /dev/null +++ b/roles/loadbalancer/tasks/configuration.yml 
@@ -0,0 +1,20 @@ +--- +- name: Template the nginx config file with dynamic upstreams + template: + src: templates/nginx.conf.j2 + dest: "{{ nginx_config_path }}" + owner: root + group: root + mode: "0644" + become: true + notify: + - Restart nginx + vars: + k3s_server_ips: "{{ k3s.server.ips }}" + +- name: Enable nginx + systemd: + name: nginx + daemon_reload: true + enabled: true + become: true diff --git a/roles/loadbalancer/tasks/installation.yml b/roles/loadbalancer/tasks/installation.yml new file mode 100644 index 0000000..40d88bc --- /dev/null +++ b/roles/loadbalancer/tasks/installation.yml @@ -0,0 +1,12 @@ +--- +- name: Update apt cache + apt: + update_cache: yes + become: true + +- name: Install Nginx + apt: + name: + - nginx-full + state: present + become: true diff --git a/roles/loadbalancer/tasks/main.yml b/roles/loadbalancer/tasks/main.yml new file mode 100644 index 0000000..6de6e69 --- /dev/null +++ b/roles/loadbalancer/tasks/main.yml @@ -0,0 +1,3 @@ +--- +- include_tasks: installation.yml +- include_tasks: configuration.yml diff --git a/roles/loadbalancer/templates/nginx.conf.j2 b/roles/loadbalancer/templates/nginx.conf.j2 new file mode 100644 index 0000000..4862934 --- /dev/null +++ b/roles/loadbalancer/templates/nginx.conf.j2 @@ -0,0 +1,16 @@ +include /etc/nginx/modules-enabled/*.conf; + +events {} + +stream { + upstream k3s_servers { + {% for ip in k3s_server_ips %} + server {{ ip }}:6443; + {% endfor %} + } + + server { + listen 6443; + proxy_pass k3s_servers; + } +} diff --git a/roles/loadbalancer/vars/main.yml b/roles/loadbalancer/vars/main.yml new file mode 100644 index 0000000..cc55422 --- /dev/null +++ b/roles/loadbalancer/vars/main.yml @@ -0,0 +1 @@ +nginx_config_path: "/etc/nginx/nginx.conf" diff --git a/roles/node_exporter/handlers/main.yml b/roles/node_exporter/handlers/main.yml new file mode 100644 index 0000000..81bc625 --- /dev/null +++ b/roles/node_exporter/handlers/main.yml 
@@ -0,0 +1,6 @@ +--- +- name: Restart node_exporter + service: + name: node_exporter + state: restarted + become: true diff --git a/roles/node_exporter/tasks/get_version.yml b/roles/node_exporter/tasks/get_version.yml index 6cf8fd9..4b865de 100644 --- a/roles/node_exporter/tasks/get_version.yml +++ b/roles/node_exporter/tasks/get_version.yml @@ -2,17 +2,17 @@ - name: Determine latest GitHub release (local) delegate_to: localhost uri: - url: "https://api.github.com/repos/prometheus/node_exporter/releases/{{ node_exporter.version }}" + url: "https://api.github.com/repos/prometheus/node_exporter/releases/{{ version }}" body_format: json register: _github_release until: _github_release.status == 200 retries: 3 -- name: Set node_exporter_version +- name: Set version set_fact: - node_exporter_version: "{{ _github_release.json.tag_name + version: "{{ _github_release.json.tag_name | regex_replace('^v?([0-9\\.]+)$', '\\1') }}" -- name: Set node_exporter.download_url +- name: Set download_url set_fact: - node_exporter_download_url: "https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-{{ go_arch }}.tar.gz" + download_url: "https://github.com/prometheus/node_exporter/releases/download/v{{ version }}/node_exporter-{{ version }}.linux-{{ go_arch }}.tar.gz" diff --git a/roles/node_exporter/tasks/install.yml b/roles/node_exporter/tasks/install.yml index 6571632..c5269eb 100644 --- a/roles/node_exporter/tasks/install.yml +++ b/roles/node_exporter/tasks/install.yml 
@@ -1,15 +1,15 @@ --- -- name: Download/Extract "{{ node_exporter_download_url }}" +- name: Download/Extract "{{ download_url }}" unarchive: - src: "{{ node_exporter_download_url }}" + src: "{{ download_url }}" dest: /tmp/ remote_src: true mode: 755 - name: Move node_exporter into path copy: - src: "/tmp/node_exporter-{{ node_exporter_version }}.linux-{{ go_arch }}/node_exporter" - dest: "{{ node_exporter.bin_path }}" + src: "/tmp/node_exporter-{{ version }}.linux-{{ go_arch }}/node_exporter" + dest: "{{ bin_path }}" mode: 755 remote_src: true become: true @@ -26,6 +26,4 @@ src: node_exporter.service.j2 dest: /etc/systemd/system/node_exporter.service mode: 0644 - register: node_exporter_service become: true - diff --git a/roles/node_exporter/tasks/systemd.yml b/roles/node_exporter/tasks/systemd.yml index ced1cfe..cd64b5d 100644 --- a/roles/node_exporter/tasks/systemd.yml +++ b/roles/node_exporter/tasks/systemd.yml @@ -1,9 +1,10 @@ --- - name: Ensure node_exporter is running and enabled at boot. service: - daemon_reload: true name: node_exporter - state: restarted + state: started + daemon_reload: true enabled: true - when: node_exporter_service is changed + notify: + - Restart node_exporter become: true diff --git a/roles/node_exporter/templates/node_exporter.service.j2 b/roles/node_exporter/templates/node_exporter.service.j2 index 2a62e19..d6bbb8f 100644 --- a/roles/node_exporter/templates/node_exporter.service.j2 +++ b/roles/node_exporter/templates/node_exporter.service.j2 @@ -4,7 +4,7 @@ Description=NodeExporter [Service] TimeoutStartSec=0 User=node_exporter -ExecStart={{ node_exporter.bin_path }} --web.listen-address={{ host.ip }}:{{ node_exporter.port }} {{ node_exporter.options }} +ExecStart={{ bin_path }} --web.listen-address={{ host.ip }}:{{ bind_port }} {{ options }} [Install] WantedBy=multi-user.target diff --git a/roles/node_exporter/vars/main.yml b/roles/node_exporter/vars/main.yml index 191461d..159943e 100644 --- a/roles/node_exporter/vars/main.yml 
+++ b/roles/node_exporter/vars/main.yml @@ -6,3 +6,9 @@ go_arch_map: armv6l: "armv6" go_arch: "{{ go_arch_map[ansible_architecture] | default(ansible_architecture) }}" + +bind_port: 9100 +version: "latest" +serve: "localhost" +options: "" +bin_path: "/usr/local/bin/node_exporter" diff --git a/roles/postgres/handlers/main.yml b/roles/postgres/handlers/main.yml new file mode 100644 index 0000000..ad474ff --- /dev/null +++ b/roles/postgres/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart postgres + systemd: + name: postgres + state: restarted + become: true diff --git a/roles/postgres/tasks/ansible_deps.yml b/roles/postgres/tasks/ansible_deps.yml new file mode 100644 index 0000000..cef2b3a --- /dev/null +++ b/roles/postgres/tasks/ansible_deps.yml @@ -0,0 +1,10 @@ +--- +- name: Update apt cache + apt: + update_cache: yes + become: true + +- name: Install ansible dependencies + apt: + name: "{{ ansible_dependencies }}" + become: true diff --git a/roles/postgres/tasks/configuration.yml b/roles/postgres/tasks/configuration.yml new file mode 100644 index 0000000..9d3d79a --- /dev/null +++ b/roles/postgres/tasks/configuration.yml 
@@ -0,0 +1,49 @@ +--- +- name: "Create postgres user: {{ db.user }}" + community.postgresql.postgresql_user: + state: present + name: "{{ db.user }}" + password: "{{ db.password }}" + become: true + become_user: "{{ db.default_user.user }}" + vars: + ansible_remote_temp: "/tmp/" + +- name: "Create database: {{ db.name }}" + community.postgresql.postgresql_db: + state: present + name: "{{ db.name }}" + encoding: UTF8 + lc_collate: "en_US.UTF-8" + lc_ctype: "en_US.UTF-8" + become: yes + become_user: postgres + vars: + ansible_remote_temp: "/tmp/" + +- name: "Grant {{ db.user }} user access to db {{ db.name }}" + postgresql_privs: + type: database + database: "{{ db.name }}" + roles: "{{ db.user }}" + grant_option: no + privs: all + become: yes + become_user: postgres + vars: + ansible_remote_temp: "/tmp/" + +- name: "Allow md5 connection for the {{ db.user }} user" + postgresql_pg_hba: + dest: "~/15/main/pg_hba.conf" + contype: host + databases: all + method: md5 + users: "{{ db.user }}" + create: true + become: yes + become_user: postgres + notify: + - Restart postgres + vars: + ansible_remote_temp: "/tmp/" diff --git a/roles/postgres/tasks/installation.yml b/roles/postgres/tasks/installation.yml new file mode 100644 index 0000000..ee8a2e6 --- /dev/null +++ b/roles/postgres/tasks/installation.yml @@ -0,0 +1,14 @@ +--- +- name: Install postgres + apt: + name: "{{ postgres_packages }}" + state: present + become: true + register: postgres_install + +- name: Start and enable the service + systemd: + name: postgresql + state: started + enabled: true + become: true diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml new file mode 100644 index 0000000..dc1b94f --- /dev/null +++ b/roles/postgres/tasks/main.yml @@ -0,0 +1,4 @@ +--- +- include_tasks: ansible_deps.yml +- include_tasks: installation.yml +- include_tasks: configuration.yml diff --git a/roles/postgres/vars/main.yml b/roles/postgres/vars/main.yml new file mode 100644 index 0000000..69e0d13 
--- /dev/null +++ b/roles/postgres/vars/main.yml @@ -0,0 +1,21 @@ +############################################ +############### CHANGE THESE ############### +############################################ +db: + default_user: + user: "postgres" + name: "database" + user: "user" + password: "password" + +############################################ +# Don't change these (probably) +ansible_dependencies: + - python3-pip + - python3-psycopg + - python3-pexpect + - acl + +postgres_packages: + - postgresql + - postgresql-client diff --git a/roles/wireguard/tasks/config.yml b/roles/wireguard/tasks/config.yml deleted file mode 100644 index 0a0acb9..0000000 --- a/roles/wireguard/tasks/config.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -- name: Copy "{{ wg_config }}" - template: - src: "{{ wg_config }}" - dest: "{{ wg_remote_config }}" - owner: "root" - group: "root" - mode: "0600" - become: true - -- name: Start wireguard - service: - name: "{{ wg_service }}" - state: started - enabled: yes - become: true diff --git a/roles/wireguard/tasks/install.yml b/roles/wireguard/tasks/install.yml deleted file mode 100644 index da1826e..0000000 --- a/roles/wireguard/tasks/install.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- name: Update and upgrade packages - apt: - update_cache: true - upgrade: true - autoremove: true - become: true - -- name: Install WireGuard dependencies - apt: - name: "{{ wg_deps }}" - state: present - become: true - -- name: Create resolveconf symlink Debian bug #939904 - file: - src: /usr/bin/resolvectl - dest: /usr/local/bin/resolvconf - state: link - become: true diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml deleted file mode 100644 index 1c2de2c..0000000 --- a/roles/wireguard/tasks/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -- include_tasks: install.yml -- include_tasks: config.yml diff --git a/roles/wireguard/templates/wg0.conf b/roles/wireguard/templates/wg0.conf deleted file mode 100644 index 62507a3..0000000 
--- a/roles/wireguard/templates/wg0.conf +++ /dev/null @@ -1,9 +0,0 @@ -[Interface] -PrivateKey = {{ vault_wg_pk }} -Address = {{ wg_ip }} -DNS = {{ wg_dns }} - -[Peer] -PublicKey = {{ wg_pubkey }} -Endpoint = {{ wg_endpoint }} -AllowedIPs = {{ wg_allowed_ips }} diff --git a/scripts/create_secret_skeleton.sh b/scripts/create_secret_skeleton.sh new file mode 100755 index 0000000..a9e7336 --- /dev/null +++ b/scripts/create_secret_skeleton.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +ansible-vault view secrets.yml | sed "s/: \w\+$/: ......../g" >>secrets.yml.skeleton diff --git a/scripts/debian_seed.sh b/scripts/debian_seed.sh new file mode 100755 index 0000000..98e9ffa --- /dev/null +++ b/scripts/debian_seed.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +ssh $1 'mkdir .ssh && echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqc9fnzfCz8fQDFzla+D8PBhvaMmFu2aF+TYkkZRxl9 tuan@genesis-2022-01-20" >> .ssh/authorized_keys' +ssh $1 'su root -c "apt update && apt install sudo && /usr/sbin/usermod -a -G sudo tudattr"' diff --git a/secrets.yml.skeleton b/secrets.yml.skeleton new file mode 100644 index 0000000..69d2d77 --- /dev/null +++ b/secrets.yml.skeleton @@ -0,0 +1,4 @@ +vault: + k3s: + server: + sudo: ........ diff --git a/test.yml b/test.yml new file mode 100644 index 0000000..122a424 --- /dev/null +++ b/test.yml @@ -0,0 +1,8 @@ +--- +- hosts: db + vars_files: + - secrets.yml + tasks: + - name: Print the database connection string + debug: + msg: "{{ k3s_db_connection_string }}"
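Review bot: README.md hunk, the new Prerequisites list omits the bootstrap step the playbooks depend on: `scripts/debian_seed.sh` (referenced in the intro) has to be run against each fresh VM first, since it is what installs sudo, adds the `tudattr` user to the sudo group and places the public key that `ansible_ssh_private_key_file` pairs with. Add a bullet such as "Run `./scripts/debian_seed.sh <host>` once per new VM" and state the expected user name there. Also `[~/.ssh/config](~/.ssh/config)` is a relative repository link that will 404 on any forge; write the path as plain code instead.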
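Review bot: group_vars/k3s/vars.yml hunk, `loadbalancer:` defines a scalar under the plural key `ips:`, while `roles/k3s_server/tasks/installation.yml` in this same change reads `{{ k3s.loadbalancer.ip }}`, so the install task will fail with an undefined-variable error before anything runs. Rename it to `ip: 192.168.20.22` (a single address is what `--tls-san` takes) and keep `ips:` as a real list only where it is one. Minor: `{{ vault.k3s.db.password}}` is missing the space before the closing braces.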
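Review bot: k3s-servers.yml hunk, the `k3s-server` role is removed from this play and no playbook in the diff applies the new `roles/k3s_server`, so the `[k3s_server]` hosts end up with only `common` and `node_exporter`. Either add `- role: k3s_server` with a `k3s_server` tag here, or say in the commit that wiring it up is deferred; as submitted the role, its handler and its vars file are dead code.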
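Review bot: roles/common/tasks/bash.yml hunk, the source was renamed from `bashrc.j2` to a plain file under `files/`, but the task still uses `template:`, so the bashrc is rendered through Jinja on every run. Any literal `{#` (for example `${#array[@]}`), `{{` or `{%` in the shell file will make the render fail or silently change the output. Switch the task to `copy:` with `src: bash/bashrc` (`copy` resolves relative paths against the role's `files/` directory) and keep the `owner`/`group`/`mode` lines as they are.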
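Review bot: roles/common/tasks/sshd.yml hunk, the `Copy sshd_config` task now notifies `Restart sshd`, but nothing checks the rendered file first; a typo in `templates/ssh/sshd_config` would restart sshd into a failed state and lock out the very user Ansible connects as. Add `validate: '/usr/sbin/sshd -t -f %s'` to the `template:` task so the restart only fires on a config sshd accepts. Moving from `register`/`when: sshd.changed` to a handler is otherwise the right direction.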
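Review bot: roles/k3s_server/handlers/main.yml hunk, the handler is named `Restart sshd` but restarts the `k3s` service, and `roles/common/handlers/main.yml` in this same diff defines another handler with the identical name. Handlers are notified by name across all roles in a play, so whichever one Ansible resolves will be wrong for one of the two callers. Rename it to `Restart k3s`; note also that no task in the diff notifies it yet.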
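Review bot: roles/k3s_server/tasks/installation.yml hunk, `command:` does not run through a shell, so the `|` and everything after it are passed to `curl` as arguments and the installer never executes. Beyond switching to `shell:`, three things are missing: a `creates:` guard (for example the k3s binary path) so the installer is not re-run on every play, `no_log: true` on the task, because `K3S_DATASTORE_ENDPOINT` carries the Postgres password and task output is shown in verbose runs and in error messages, and a pinned release via the installer's `INSTALL_K3S_VERSION` environment variable rather than whatever `get.k3s.io` serves on the day. The same hunk reads `k3s.loadbalancer.ip`, which group_vars/k3s/vars.yml defines as `ips`.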
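Review bot: `rename from genesis` / `rename to roles/k3s_server/vars/main.yml` (100% similarity), the file being moved carries the same name the repository uses for the SSH private key elsewhere (`pk_path: "/mnt/veracrypt1/genesis"`, `genesis.pub` in the old README). A bare top-level file by that name turning into a role vars file with no content change looks mis-staged. Please confirm the file actually contains YAML variables and nothing sensitive before merge; if it is not vars, drop it from the change and from history.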
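Review bot: roles/loadbalancer/tasks/configuration.yml hunk, the template task overwrites `/etc/nginx/nginx.conf` wholesale and notifies a full `Restart nginx`, with no pre-check of the rendered file; a broken render takes the API endpoint all k3s servers are reached through offline. Add `validate: '/usr/sbin/nginx -t -c %s'` to the `template:` task, and consider `state: reloaded` in the handler so in-flight API connections are not dropped on every config change. The `include /etc/nginx/modules-enabled/*.conf;` line in nginx.conf.j2 is load-bearing for the `stream {}` block and should stay.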
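Review bot: roles/node_exporter/tasks/get_version.yml hunk, the facts are renamed from `node_exporter_version`/`node_exporter_download_url` to bare `version` and `download_url`. `set_fact` values are host-scoped for the rest of the play and outrank every role's `vars/main.yml`, so after this role runs any later role that has its own `version` variable silently gets node_exporter's. Keep the role prefix on these names; the rename in roles/node_exporter/vars/main.yml (`version`, `options`, `bin_path`) has the same collision risk in the other direction.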
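Review bot: roles/node_exporter/tasks/install.yml hunk, the `unarchive` task fetches the release tarball straight from GitHub with no integrity check, and `register: node_exporter_service` is removed from the unit-file task without adding a `notify: Restart node_exporter`, so changes to the binary or unit no longer trigger a restart. Download with `get_url` and its `checksum:` option (the Prometheus releases publish a `sha256sums.txt`), then unarchive the local file, and add the notify to the unarchive, copy and template tasks. Also `mode: 755` on the unchanged context lines is an unquoted integer, which Ansible does not treat as octal; write `"0755"`.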
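Review bot: roles/node_exporter/tasks/systemd.yml hunk, `notify: Restart node_exporter` is attached to the `service:` task itself, which only reports changed on first start or when `enabled` flips, so the restart fires exactly when it is not needed and never when the binary or unit file changed. The notify belongs on the tasks in install.yml that replace those files; leave this task as `state: started` without a notify.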
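Review bot: roles/postgres/handlers/main.yml hunk, the handler restarts `name: postgres`, but the Debian unit installed by `postgres_packages` is `postgresql` (the same diff uses `name: postgresql` in roles/postgres/tasks/installation.yml). The first time the pg_hba task notifies it the play will fail with an unknown unit. Change it to `postgresql`, and consider `state: reloaded`, which is sufficient for pg_hba.conf changes.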
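Review bot: roles/postgres/tasks/configuration.yml hunk, the `postgresql_pg_hba` task writes to `dest: "~/15/main/pg_hba.conf"`; with `become_user: postgres` that expands under `/var/lib/postgresql/`, whereas the Debian packages keep the live file at `/etc/postgresql/15/main/pg_hba.conf`. Combined with `create: true` the task succeeds but edits a file the server never reads. Two further gaps are visible in the hunk: no `source:` is given, so the rule defaults to `samehost` and the k3s servers at 192.168.20.21 and .24 are not admitted, and nothing sets `listen_addresses` away from localhost. Point `dest` at the `/etc` path, set `source` to the server IPs from `k3s.server.ips`, prefer `scram-sha-256` over `md5` (the PostgreSQL 15 default), and for least privilege make `db.user` the owner of the database in the `postgresql_db` task instead of `privs: all` on `type: database`.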
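Review bot: roles/postgres/vars/main.yml hunk, the "CHANGE THESE" block (`user: "user"`, `password: "password"`, `name: "database"`) lives in the role's `vars/main.yml`, which has higher precedence than `group_vars/`. On the db host this whole `db` dict therefore shadows the vault-backed `db` in group_vars/k3s/vars.yml, and the role creates a `user`/`password` login instead of the intended `k3s` one, while the k3s servers are handed the group_vars credentials in `k3s_db_connection_string`. Move the overridable values to `defaults/main.yml` and keep only `ansible_dependencies` and `postgres_packages` here.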
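Review bot: scripts/create_secret_skeleton.sh hunk, the sed pattern `: \w\+$` only masks values made entirely of word characters; any secret containing `-`, `+`, `/`, `=`, a space or surrounding quotes (the usual shape of generated passwords, tokens and keys) does not match and is written unredacted into `secrets.yml.skeleton`, a file meant to be committed. Mask everything after the colon (`s/: .\+$/: ......../`), and use `>` rather than `>>` so repeated runs do not append duplicate copies.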
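Review bot: scripts/debian_seed.sh hunk, `mkdir .ssh && echo ... >> .ssh/authorized_keys` stops at the `&&` whenever `.ssh` already exists, so the key is never appended, and neither the directory nor the file gets the 700/600 modes sshd's StrictModes expects. Use `mkdir -p -m 700 .ssh`, create `authorized_keys` with mode 600, and quote `"$1"`. In the second line `apt install sudo` has no `-y`, so the run blocks on a prompt with no terminal attached.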
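Review bot: secrets.yml.skeleton hunk, the skeleton lists only `vault.k3s.server.sudo`, but the vars added in this same diff reference `vault.k3s.server00.sudo`, `vault.k3s.server01.sudo`, `vault.k3s.postgres.sudo`, `vault.k3s.loadbalancer.sudo`, `vault.k3s.postgres.default_user.password` and `vault.k3s.db.password`. Regenerate it from the real vault so the README's "Skeleton file" pointer is usable.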
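Review bot: test.yml hunk, the `debug` task prints `k3s_db_connection_string`, which embeds `db.password`, to stdout and to whatever log collects play output. If this test play is kept in the repository, add `no_log: true` or print only the host and port portion, and say in the README that it is a diagnostic, not part of the provisioning run.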