diff --git a/README.md b/README.md index ffb60d9..649fded 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,15 @@ It is expected that a user with sudo privilages is on the target, for me the users name is "tudattr" you can add such user with the following command `useradd -m -g sudo -s /bin/bash tudattr` Don't forget to set a password for the new user with `passwd tudattr` +## sudo +Install sudo on the target machine, with debian its + +```sh +su root +apt install sudo +usermod -a -G sudo tudattr +``` + ## Backups Backup for aya01 and raspberry are in a backblaze b2, which gets encrypted on the clientside by rclone. but first of all we need to create the buckets and provide ansible with the needed information. diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 33b2cf9..00e8552 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -7,6 +7,8 @@ rclone_config: "/root/.config/rclone/" puid: "1000" pgid: "1000" pk_path: "/mnt/veracrypt1/genesis" +pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqc9fnzfCz8fQDFzla+D8PBhvaMmFu2aF+TYkkZRxl9 tuan@genesis-2022-01-20" + local_domain: borg.land local_subdomains: "@" @@ -14,7 +16,33 @@ remote_domain: tudattr.dev remote_subdomains: "www,plex,status,tautulli" backup_domain: seyshiro.de backup_subdomains: "hass,qbit,zm," +# +# +# aya01 +# +aya01_host: "aya01" +aya01_ip: "192.168.20.12" + +# +# mii +# + +mii_host: "mii" +mii_ip: "192.168.200.2" + +# +# naruto +# +naruto_host: "naruto" +naruto_ip: "192.168.20.13" + +# +# pi +# + +pi_host: "pi" +pi_ip: "192.168.20.11" # # Used to download for git releases @@ -95,20 +123,6 @@ docker_data_dir: /media/docker/data # only available on aya01 mysql_user: user -# -# aya01 -# - -aya01_host: "aya01" -aya01_ip: "192.168.20.12" - -# -# mii -# - -mii_host: "mii" -mii_ip: "192.168.200.2" - # # ZoneMinder # 
@@ -154,13 +168,6 @@ kuma_host: "status" kuma_port: "3001" kuma_config: "{{ docker_dir }}/kuma/" -# -# pi -# - -pi_host: "pi" -pi_ip: "192.168.20.11" - # # Traefik # @@ -214,15 +221,15 @@ pihole_dnsmasq: "{{ docker_dir }}/pihole/etc-dnsmasq.d/" # # samba # -smb_deps: - - "samba" - - "smbclient" - - "cifs-utils" - -smb_config: "templates/smb.conf" -smb_media_dir: "/media" -smb_group: "smbshare" -smb_user: "smbuser" +samba: + dependencies: + - "samba" + - "smbclient" + - "cifs-utils" + user: "smbuser" + group: "smbshare" + config: "templates/smb.conf" + media_dir: "/media" # @@ -386,12 +393,13 @@ gluetun_config: "{{ docker_dir }}/{{ gluetun_host }}/config" # NodeExporter # -node_exporter_port: 9100 -node_exporter_host: 'node' -node_exporter_version: 'latest' -node_exporter_serve: 'localhost' -node_exporter_options: '' -node_exporter_bin_path: /usr/local/bin/node_exporter +node_exporter: + port: 9100 + host: 'node' + version: 'latest' + serve: 'localhost' + options: '' + bin_path: /usr/local/bin/node_exporter # # Prometheus @@ -425,30 +433,10 @@ snmp_exporter_target: "192.168.20.1" snmp_exporter_config: "{{ docker_dir }}/snmp_exporter/" snmp_exporter_host: "snmp_exporter" -# -# Gitlab -# - -gitlab: - host: "gitlab" - restart: "unless-stopped" - puid: 998 - pgid: 998 - paths: - config: "{{ docker_dir }}/gitlab/config/" - logs: "{{ docker_data_dir }}/gitlab/logs/" - data: "{{ docker_data_dir }}/gitlab/data/" - ports: - ssh: - local: 22 - remote: 23232 - http: - local: 80 - remote: 8084 - # # SMART Exporter # + smart_exporter: port: 9633 version: 'latest' diff --git a/host_vars/aya01.yml b/host_vars/aya01.yml index 019e576..f7b0fc1 100644 --- a/host_vars/aya01.yml +++ b/host_vars/aya01.yml 
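Review bot: The new nested `node_exporter:` mapping in the `@@ -386,12 +393,13 @@` hunk cannot hold the resolved version, because `roles/node_exporter/tasks/get_version.yml` still writes the flat fact `node_exporter_version` with `set_fact` and the download URL and the `install.yml` `src:` path keep reading that flat name, while `bin_path`, `port` and `options` are now read from the dict; `set_fact` cannot assign into a key of an existing mapping, so `node_exporter.version` stays `'latest'` forever and two variables describe one thing. Either leave `version` as its own flat variable with a comment such as `# resolved at runtime into node_exporter_version by get_version.yml`, or rebuild the dict in the fact, e.g. `node_exporter: "{{ node_exporter | combine({'version': _github_release.json.tag_name | regex_replace('^v?([0-9\\.]+)$', '\\1')}) }}"`, and read `node_exporter.version` everywhere. The task renamed to "Set node_exporter.download_url" in get_version.yml sets `node_exporter_download_url`, which is the same mismatch; the install.yml hunk shares it.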
@@ -15,3 +15,31 @@ host: paths: - "{{ docker_compose_dir }}" - "{{ docker_dir }}" + fstab: + - name: "config" + path: "/opt" + type: "ext4" + uuid: "cad60133-dd84-4a2a-8db4-2881c608addf" + - name: "media0" + path: "/mnt/media0" + type: "ext4" + uuid: "c4c724ec-4fe3-4665-adf4-acd31d6b7f95" + - name: "media1" + path: "/mnt/media1" + type: "ext4" + uuid: "8d66d395-1e35-4f5a-a5a7-d181d6642ebf" + mergerfs: + - name: "media" + path: "/media" + branches: + - "/mnt/media0" + - "/mnt/media1" + opts: + - "use_ino" + - "allow_other" + - "cache.files=partial" + - "dropcacheonclose=true" + - "category.create=mfs" + type: "fuse.mergerfs" + samba: + password: "{{ vault.aya01.samba.password }}" diff --git a/host_vars/naruto.yml b/host_vars/naruto.yml new file mode 100644 index 0000000..9b834d5 --- /dev/null +++ b/host_vars/naruto.yml @@ -0,0 +1,21 @@ +ansible_user: "{{ user }}" +ansible_host: 192.168.20.13 +ansible_port: 22 +ansible_ssh_private_key_file: '{{ pk_path }}' +ansible_become_pass: '{{ vault.naruto.sudo }}' + +host: + ip: "{{ ansible_host }}" + backblaze: + account: "{{ vault.naruto.backblaze.account }}" + key: "{{ vault.naruto.backblaze.key }}" + remote: "remote:naruto-tudattr-dev" +# password: "{{}}" +# password2: "{{}}" +# paths: +# - "{{}}" +# - "{{}}" + fstab: + mergerfs: + samba: + password: "{{ vault.aya01.samba.password }}" diff --git a/naruto.yml b/naruto.yml new file mode 100644 index 0000000..09a4011 --- /dev/null +++ b/naruto.yml @@ -0,0 +1,17 @@ +--- +- name: Set up Servers + hosts: nas + gather_facts: yes + roles: + - role: common + tags: + - common + - role: samba + tags: + - samba + - role: node_exporter + tags: + - node_exporter + - role: smart_exporter + tags: + - smart_exporter diff --git a/production b/production index cd78ee9..835ed39 100644 --- a/production +++ b/production @@ -6,3 +6,6 @@ pi [vps] mii + +[nas] +naruto diff --git a/roles/common/tasks/bash.yml b/roles/common/tasks/bash.yml new file mode 100644 index 0000000..ddaaf10 --- /dev/null 
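Review bot: In the new `host_vars/naruto.yml`, `host.samba.password` references `vault.aya01.samba.password`, so naruto's Samba account is provisioned with aya01's secret; this looks copied from aya01.yml and should be `password: "{{ vault.naruto.samba.password }}"`, matching the `vault.naruto.*` keys the rest of the file already uses. The bare `fstab:` and `mergerfs:` keys parse as null, which the `is iterable` guard in fstab.yml happens to tolerate, but `fstab: []` and `mergerfs: []` state the intent and keep working if that guard is ever tightened. `ansible_host: 192.168.20.13` duplicates `naruto_ip` from group_vars, so `ansible_host: "{{ naruto_ip }}"` would leave one source of truth, as `host.ip` already does with `ansible_host`.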
+++ b/roles/common/tasks/bash.yml @@ -0,0 +1,10 @@ +--- +- name: Copy .bashrc + template: + src: templates/common/bash/bashrc.j2 + dest: "/home/{{ user }}/.bashrc" + owner: "{{ user }}" + group: "{{ user }}" + mode: 0644 + become: yes + register: sshd diff --git a/roles/common/tasks/aya01_fstab.yml b/roles/common/tasks/fstab.yml similarity index 76% rename from roles/common/tasks/aya01_fstab.yml rename to roles/common/tasks/fstab.yml index 1b89f2e..fee2997 100644 --- a/roles/common/tasks/aya01_fstab.yml +++ b/roles/common/tasks/fstab.yml @@ -5,11 +5,11 @@ state: present become: yes -- name: Create folders to mount to +- name: Create mount folders file: path: "{{ item.path }}" state: directory - loop: "{{ fstab_entries }}" + loop: "{{ host.fstab if host.fstab is iterable else []}}" become: true - name: Create fstab entries @@ -19,7 +19,7 @@ fstype: "{{ item.type }}" state: present backup: true - loop: "{{ fstab_entries }}" + loop: "{{ host.fstab if host.fstab is iterable else []}}" become: true register: fstab @@ -32,7 +32,7 @@ state: present backup: true become: true - loop: "{{ mergerfs_entries }}" + loop: "{{ host.mergerfs if host.mergerfs is iterable else []}}" register: fstab - name: Mount all disks diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 1b17917..3ae9583 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -1,6 +1,6 @@ --- - include_tasks: time.yml - include_tasks: essential.yml +- include_tasks: bash.yml - include_tasks: sshd.yml -- include_tasks: aya01_fstab.yml - when: inventory_hostname == "aya01" +- include_tasks: fstab.yml diff --git a/roles/common/tasks/sshd.yml b/roles/common/tasks/sshd.yml index a5d1704..e52a8aa 100644 --- a/roles/common/tasks/sshd.yml +++ b/roles/common/tasks/sshd.yml 
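Review bot: The new `bash.yml` task ends with `register: sshd`, which looks like a leftover from the sshd task it was copied from; the result is never used here and the name collides with the `register: sshd` in sshd.yml, so drop it or rename it to `register: bashrc`. `mode: 0644` is an unquoted YAML 1.1 octal, which Ansible happens to handle, but the project's own sshd task quotes its mode, so `mode: "0644"` keeps the file consistent and unambiguous. The template also contains no Jinja expressions, so `copy` would do the same job as `template` without the render step, though that is a preference.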
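Review bot: `loop: "{{ host.fstab if host.fstab is iterable else []}}"` only guards against a null value, not an absent key: on a host whose `host` mapping has no `fstab` entry, `host.fstab` is an undefined that, as far as I can tell from Ansible's strict-undefined behaviour, raises as soon as the `iterable` test tries to iterate it, and the same change to main.yml now runs fstab.yml on every host instead of only aya01, so mii and pi are exposed unless their host_vars (not in this diff) define both keys. `loop: "{{ host.fstab | default([], true) }}"` covers both the missing and the null case, and the same applies to the two later hunks in this file (`host.fstab` at line 22 and `host.mergerfs` at line 35). The space before `}}` is also missing in all three expressions, unlike every other template in the role.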
@@ -7,6 +7,14 @@ become: yes register: sshd +- name: Copy pubkey + copy: + content: "{{ pubkey }}" + dest: "/home/{{ user }}/.ssh/authorized_keys" + owner: "{{ user }}" + group: "{{ user }}" + mode: "644" + - name: Restart sshd service: name: "sshd" diff --git a/roles/common/templates/common/bash/bashrc.j2 b/roles/common/templates/common/bash/bashrc.j2 new file mode 100644 index 0000000..c573e9c --- /dev/null +++ b/roles/common/templates/common/bash/bashrc.j2 @@ -0,0 +1,56 @@ +export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +case $- in + *i*) ;; + *) return;; +esac +HISTCONTROL=ignoreboth +shopt -s histappend +HISTSIZE=1000 +HISTFILESIZE=2000 +shopt -s checkwinsize +if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then + debian_chroot=$(cat /etc/debian_chroot) +fi +case "$TERM" in + xterm-color|*-256color) color_prompt=yes;; +esac +if [ -n "$force_color_prompt" ]; then + if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then + color_prompt=yes + else + color_prompt= + fi +fi +if [ "$color_prompt" = yes ]; then + PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ ' +else + PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ ' +fi +unset color_prompt force_color_prompt +case "$TERM" in +xterm*|rxvt*) + PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1" + ;; +*) + ;; +esac + +if [ -x /usr/bin/dircolors ]; then + test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)" + alias ls='ls --color=auto' +fi + +if [ -f ~/.bash_aliases ]; then + . ~/.bash_aliases +fi + +if ! shopt -oq posix; then + if [ -f /usr/share/bash-completion/bash_completion ]; then + . /usr/share/bash-completion/bash_completion + elif [ -f /etc/bash_completion ]; then + . /etc/bash_completion + fi +fi + + +. "$HOME/.cargo/env" diff --git a/roles/docker/tasks/aya01_compose.yml b/roles/docker/tasks/aya01_compose.yml index fd58320..6880a60 100644 
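Review bot: The new "Copy pubkey" task writes `/home/{{ user }}/.ssh/authorized_keys` with `copy: content:`, which replaces the whole file, so any key already authorised for that user — possibly the one the current Ansible session is using, if it differs from `pubkey` — is removed, and `copy` does not create the `.ssh` directory, so the task fails on a host where it does not exist yet. The task also has no `become:` while its neighbours do, which only works when `ansible_user` equals `user`. The idiomatic form is an `ansible.posix.authorized_key` task with `user: "{{ user }}"` and `key: "{{ pubkey }}"`, which creates `.ssh` with the right permissions and adds the key idempotently; if the file copy is kept, add a `file:` task for the directory with `mode: "0700"` first and write the mode as `"0644"` for consistency with the rest of the role.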
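Review bot: The last line of the new `bashrc.j2`, `. "$HOME/.cargo/env"`, is unconditional, so every interactive shell on a host without a rustup installation prints "No such file or directory" at login; since the common role now targets every host (including the new `nas` group), this will be visible on most of them. Guard it the way the file already guards `~/.bash_aliases`: `[ -f "$HOME/.cargo/env" ] && . "$HOME/.cargo/env"`. The `force_color_prompt` test further up reads a variable nothing in the file sets; the stock Debian bashrc keeps a commented `#force_color_prompt=yes` line above it, which is worth restoring so the intent is clear.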
--- a/roles/docker/tasks/aya01_compose.yml +++ b/roles/docker/tasks/aya01_compose.yml @@ -75,7 +75,3 @@ - include_tasks: grafana.yml tags: - grafana - -- include_tasks: gitlab.yml - tags: - - gitlab diff --git a/roles/docker/templates/aya01/compose.yaml b/roles/docker/templates/aya01/compose.yaml index 320b16f..a707c3e 100644 --- a/roles/docker/templates/aya01/compose.yaml +++ b/roles/docker/templates/aya01/compose.yaml 
@@ -51,57 +51,57 @@ services: - "traefik.http.routers.{{ pihole_host }}.rule=Host(`{{ pihole_host }}.{{ aya01_host }}.{{ local_domain }}`)" - "traefik.http.services.{{ pihole_host }}.loadbalancer.server.port=80" - db: - image: mariadb - container_name: zoneminder_db - restart: unless-stopped - networks: - - zoneminder - volumes: - - "/etc/localtime:/etc/localtime:ro" - - "{{ zoneminder_db }}:/var/lib/mysql" - environment: - - "MYSQL_DATABASE={{ zoneminder_host }}" - - "MYSQL_ROOT_PASSWORD={{ vault_mysql_root_password }}" - - "MYSQL_USER={{ mysql_user }}" - - "MYSQL_PASSWORD={{ vault_mysql_user_password }}" - - "MAX_LOG_SIZE_BYTES=1000000" - - "MAX_LOG_NUMBER=20" - - "TZ=Europe/Berlin" - zoneminder: - image: ghcr.io/zoneminder-containers/zoneminder-base:latest - container_name: zoneminder - restart: unless-stopped - stop_grace_period: 45s - depends_on: - - db - - traefik - networks: - - zoneminder - - net - ports: - - "{{ zoneminder_port }}:80" - volumes: - - "/etc/localtime:/etc/localtime:ro" - - "{{ zoneminder_data }}:/data" - - "{{ zoneminder_config }}:/config" - - "{{ zoneminder_log}}:/log" - - type: tmpfs - target: /dev/shm - tmpfs: - size: 1000000000 - environment: - - "MYSQL_DATABASE={{ zoneminder_host }}" - - "MYSQL_ROOT_PASSWORD={{ vault_mysql_root_password }}" - - "MYSQL_USER={{ mysql_user }}" - - "MYSQL_PASSWORD={{ vault_mysql_user_password }}" - - "MAX_LOG_SIZE_BYTES=1000000" - - "MAX_LOG_NUMBER=20" - - "TZ=Europe/Berlin" - labels: - - "traefik.enable=true" - - "traefik.http.routers.{{ zoneminder_host }}.rule=Host(`{{ zoneminder_host}}.{{ aya01_host }}.{{ local_domain }}`)" - - "traefik.http.services.{{ zoneminder_host }}.loadbalancer.server.port=80" +# db: +# image: mariadb +# container_name: zoneminder_db +# restart: unless-stopped +# networks: +# - zoneminder +# volumes: +# - "/etc/localtime:/etc/localtime:ro" +# - "{{ zoneminder_db }}:/var/lib/mysql" +# environment: +# - "MYSQL_DATABASE={{ zoneminder_host }}" +# - "MYSQL_ROOT_PASSWORD={{ 
vault_mysql_root_password }}" +# - "MYSQL_USER={{ mysql_user }}" +# - "MYSQL_PASSWORD={{ vault_mysql_user_password }}" +# - "MAX_LOG_SIZE_BYTES=1000000" +# - "MAX_LOG_NUMBER=20" +# - "TZ=Europe/Berlin" +# zoneminder: +# image: ghcr.io/zoneminder-containers/zoneminder-base:latest +# container_name: zoneminder +# restart: unless-stopped +# stop_grace_period: 45s +# depends_on: +# - db +# - traefik +# networks: +# - zoneminder +# - net +# ports: +# - "{{ zoneminder_port }}:80" +# volumes: +# - "/etc/localtime:/etc/localtime:ro" +# - "{{ zoneminder_data }}:/data" +# - "{{ zoneminder_config }}:/config" +# - "{{ zoneminder_log}}:/log" +# - type: tmpfs +# target: /dev/shm +# tmpfs: +# size: 1000000000 +# environment: +# - "MYSQL_DATABASE={{ zoneminder_host }}" +# - "MYSQL_ROOT_PASSWORD={{ vault_mysql_root_password }}" +# - "MYSQL_USER={{ mysql_user }}" +# - "MYSQL_PASSWORD={{ vault_mysql_user_password }}" +# - "MAX_LOG_SIZE_BYTES=1000000" +# - "MAX_LOG_NUMBER=20" +# - "TZ=Europe/Berlin" +# labels: +# - "traefik.enable=true" +# - "traefik.http.routers.{{ zoneminder_host }}.rule=Host(`{{ zoneminder_host}}.{{ aya01_host }}.{{ local_domain }}`)" +# - "traefik.http.services.{{ zoneminder_host }}.loadbalancer.server.port=80" syncthing: image: syncthing/syncthing 
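Review bot: Commenting out the entire `db` and `zoneminder` services leaves roughly a hundred lines of dead text in a rendered template, and git history already preserves them; deleting the block is the cleaner change, and if the intent is to be able to switch the stack back on, a Jinja guard such as `{% if zoneminder_enabled | default(false) %}` around the services expresses that explicitly. The commented block also leaves orphans behind: the `zoneminder` bridge network is still declared in the `networks:` section (visible as context in the `@@ -475` hunk), and the ZoneMinder and `mysql_user` variables in group_vars now have no consumer. The enclosing `services:` mapping starts before this hunk.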
@@ -475,29 +475,6 @@ services: - "traefik.http.routers.{{ grafana_host }}.rule=Host(`{{ grafana_host }}.{{ aya01_host }}.{{ local_domain }}`)" - "traefik.http.services.{{ grafana_host }}.loadbalancer.server.port={{ grafana_port }}" - {{ gitlab.host }}: - image: gitlab/gitlab-ce:latest - container_name: {{ gitlab.host }} - restart: {{ gitlab.restart }} - depends_on: - - {{ pihole_host }} - networks: - - net - environment: - - TZ={{ timezone }} - volumes: - - {{ gitlab.paths.config }}:/etc/gitlab/ - - {{ gitlab.paths.logs}}:/var/log/gitlab/ - - {{ gitlab.paths.data}}:/var/opt/gitlab/ - ports: - - {{ gitlab.ports.ssh.remote }}:{{ gitlab.ports.ssh.local }} - - {{ gitlab.ports.http.remote }}:{{ gitlab.ports.http.local }} - shm_size: '256m' - labels: - - "traefik.enable=true" - - "traefik.http.routers.{{ gitlab.host }}.rule=Host(`{{ gitlab.host }}.{{ aya01_host }}.{{ local_domain }}`)" - - "traefik.http.services.{{ gitlab.host }}.loadbalancer.server.port={{ gitlab.ports.http.local }}" - networks: zoneminder: driver: bridge diff --git a/roles/docker/templates/aya01/prometheus/prometheus.yml.j2 b/roles/docker/templates/aya01/prometheus/prometheus.yml.j2 index 14788bb..0f11d32 100644 --- a/roles/docker/templates/aya01/prometheus/prometheus.yml.j2 +++ b/roles/docker/templates/aya01/prometheus/prometheus.yml.j2 
@@ -16,16 +16,17 @@ rule_files: # - "second_rules.yml" scrape_configs: - - job_name: 'aya01' + - job_name: 'node' scrape_interval: 10s scrape_timeout: 10s tls_config: insecure_skip_verify: true static_configs: - - targets: ['{{ aya01_ip }}:{{node_exporter_port}}'] - - targets: ['{{ mii_ip }}:{{node_exporter_port}}'] - - targets: ['{{ pi_ip }}:{{node_exporter_port}}'] - - job_name: Mikrotik + - targets: ['{{ aya01_ip }}:{{node_exporter.port}}'] + - targets: ['{{ mii_ip }}:{{node_exporter.port}}'] + - targets: ['{{ pi_ip }}:{{node_exporter.port}}'] + - targets: ['{{ naruto_ip }}:{{node_exporter.port}}'] + - job_name: 'mikrotik' static_configs: - targets: - {{ snmp_exporter_target }} @@ -39,6 +40,7 @@ scrape_configs: target_label: instance - target_label: __address__ replacement: {{ aya01_ip }}:{{ snmp_exporter_port }} # The SNMP exporter's real hostname:port. - - job_name: 'smart' + - job_name: 'SMART' static_configs: - targets: ['{{ aya01_ip }}:{{smart_exporter.port}}'] + - targets: ['{{ naruto_ip }}:{{smart_exporter.port}}'] diff --git a/roles/node_exporter/tasks/get_version.yml b/roles/node_exporter/tasks/get_version.yml index 2dd2014..6cf8fd9 100644 --- a/roles/node_exporter/tasks/get_version.yml +++ b/roles/node_exporter/tasks/get_version.yml @@ -2,7 +2,7 @@ - name: Determine latest GitHub release (local) delegate_to: localhost uri: - url: "https://api.github.com/repos/prometheus/node_exporter/releases/{{ node_exporter_version }}" + url: "https://api.github.com/repos/prometheus/node_exporter/releases/{{ node_exporter.version }}" body_format: json register: _github_release until: _github_release.status == 200 
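Review bot: Renaming the scrape jobs (`'aya01'` to `'node'`, `Mikrotik` to `'mikrotik'`, and `'smart'` to `'SMART'` in the second hunk) changes the `job` label on every series those jobs produce, so existing Grafana panels and alert rules that filter on `job="aya01"` or `job="smart"` stop matching and history appears to break at the deploy time. The new `'SMART'` is also the only upper-case name after this change; `- job_name: 'smart'` can simply stay, which avoids both problems for that job. If the renames are intentional, note them in the commit message so the dashboard queries get updated in the same change.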
@@ -13,6 +13,6 @@ node_exporter_version: "{{ _github_release.json.tag_name | regex_replace('^v?([0-9\\.]+)$', '\\1') }}" -- name: Set node_exporter_download_url +- name: Set node_exporter.download_url set_fact: node_exporter_download_url: "https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-{{ go_arch }}.tar.gz" diff --git a/roles/node_exporter/tasks/install.yml b/roles/node_exporter/tasks/install.yml index b9acc7a..6571632 100644 --- a/roles/node_exporter/tasks/install.yml +++ b/roles/node_exporter/tasks/install.yml @@ -9,7 +9,7 @@ - name: Move node_exporter into path copy: src: "/tmp/node_exporter-{{ node_exporter_version }}.linux-{{ go_arch }}/node_exporter" - dest: "{{ node_exporter_bin_path }}" + dest: "{{ node_exporter.bin_path }}" mode: 755 remote_src: true become: true diff --git a/roles/node_exporter/templates/node_exporter.service.j2 b/roles/node_exporter/templates/node_exporter.service.j2 index c645a7e..2a62e19 100644 --- a/roles/node_exporter/templates/node_exporter.service.j2 +++ b/roles/node_exporter/templates/node_exporter.service.j2 @@ -4,7 +4,7 @@ Description=NodeExporter [Service] TimeoutStartSec=0 User=node_exporter -ExecStart={{ node_exporter_bin_path }} --web.listen-address={{ host.ip }}:{{ node_exporter_port }} {{ node_exporter_options }} +ExecStart={{ node_exporter.bin_path }} --web.listen-address={{ host.ip }}:{{ node_exporter.port }} {{ node_exporter.options }} [Install] WantedBy=multi-user.target diff --git a/roles/samba/tasks/config.yaml b/roles/samba/tasks/config.yaml index 03dbdc9..110549f 100644 --- a/roles/samba/tasks/config.yaml +++ b/roles/samba/tasks/config.yaml @@ -1,7 +1,7 @@ --- -- name: Copy "{{ smb_config }}" +- name: Copy "{{ samba.config }}" template: - src: "{{ smb_config }}" + src: "{{ samba.config }}" dest: /etc/samba/smb.conf become: true register: smbconf 
diff --git a/roles/samba/tasks/install.yaml b/roles/samba/tasks/install.yaml index f9dbdd3..bc04f23 100644 --- a/roles/samba/tasks/install.yaml +++ b/roles/samba/tasks/install.yaml @@ -8,36 +8,36 @@ - name: Install Samba dependencies apt: - name: "{{ smb_deps }}" + name: "{{ samba.dependencies }}" state: present become: true -- name: Add group "{{smb_group}}" +- name: Add group "{{ samba.group }}" group: - name: "{{smb_group}}" + name: "{{ samba.group }}" state: present become: true - name: Change permission on share file: - path: "{{ smb_media_dir }}" - group: "{{smb_group}}" + path: "{{ samba.media_dir }}" + group: "{{ samba.group }}" mode: "2770" become: true -- name: Add user "{{ smb_user }}" +- name: Add user "{{ samba.user }}" user: - name: "{{ smb_user }}" + name: "{{ samba.user }}" shell: "/sbin/nologin" - groups: "{{ smb_group }}" + groups: "{{ samba.group }}" append: true become: true register: new_user -- name: Add password to "{{ smb_user }}" +- name: Add password to "{{ samba.user }}" shell: - cmd: smbpasswd -a "{{ smb_user }}" - stdin: "{{ vault_smb_user_password }}\n{{ vault_smb_user_password }}" + cmd: smbpasswd -a "{{ samba.user }}" + stdin: "{{ host.samba.password }}\n{{ host.samba.password }}" become: true when: new_user.changed diff --git a/roles/samba/templates/smb.conf b/roles/samba/templates/smb.conf index 70be511..49339ed 100644 --- a/roles/samba/templates/smb.conf +++ b/roles/samba/templates/smb.conf @@ -213,10 +213,10 @@ [media] comment = Media - path = "{{ smb_media_dir }}" + path = "{{ samba.media_dir }}" writable = yes guest ok = no - valid users = "@{{smb_group}}" + valid users = "@{{samba.group}}" force create mode = 770 force directory mode = 770 - inherit permissions = yes \ No newline at end of file + inherit permissions = yes
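Review bot: The "Add password" task now feeds `host.samba.password` to `smbpasswd` via `stdin`, but the task has no `no_log: true`, so the secret appears in the module invocation printed at `-v` and in any task-result log; add `no_log: true` next to `become: true`. The `cmd:` uses no shell features, so `command:` in place of `shell:` removes the shell from the path the secret travels through. Unchanged here, `when: new_user.changed` means a rotated vault password is never re-applied to an existing user, which is worth a comment if that is intended.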