# TuDatTr IaC ## Vault - Create vault with: `ansible-vault create secrets.yml` - Create entry in vault with: `ansible-vault edit secrets.yml` - Add following entries: - `vault_pi_tudattr_password: ` (password you've setup on the device) - `vault_aya01_tudattr_password: ` (password you've setup on the device) - `vault_pihole_password: ` (arbitrary password you want to log in with) - `vault_mysql_root_password: ` (arbitrary password, used internally) - `vault_mysql_user_password: ` (arbitrary password, used internally) - `vault_ddns_tudattrdev_password: ` (password needed for ddns, refer to [here](https://www.namecheap.com/support/knowledgebase/article.aspx/595/11/how-do-i-enable-dynamic-dns-for-a-domain/)) - `vault_ddns_borgland_password: ` (password needed for ddns, refer to [here](https://www.namecheap.com/support/knowledgebase/article.aspx/595/11/how-do-i-enable-dynamic-dns-for-a-domain/)) ## Server - Install Debian (debian-11.5.0-amd64-netinst.iso) on remote system - Create user (tudattr) - Get IP of remote system (192.168.20.11) - Create ssh-config entry ```config Host aya01 HostName 192.168.20.11 Port 22 User tudattr IdentityFile /mnt/veracrypt1/genesis ``` - copy public key to remote system `ssh-copy-id -i /mnt/veracrypt1/genesis.pub aya01` - Add this host to ansible inventory - Install sudo on remote - add user to sudo group (with `su --login` without login the path will not be loaded correctly see [here](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918754)) and `usermod -a -G sudo tudattr` - set time correctly when getting the following error ```sh Release file for http://security.debian.org/debian-security/dists/bullseye-security/InRelease is not valid yet (invalid for another 12h 46min 9s). Updates for this repository will not be applied. ``` By doing on remote system (example): ```sh sudo systemctl stop ntp.service sudo ntpd -gq sudo systemctl start ntp.service ``` ### zoneminder - Enable authentification in (Option->System) - Create new Camera: - General>Name: BirdCam - General>Function: Ffmpeg - General>Function: Modect - Source>Source Path: `rtsp://user:pw@ip:554/cam/mpeg4` - Change default admin password - Create users ## RaspberryPi - Install raspbian lite (2022-09-22-raspios-bullseye-arm64-lite.img) on pi - Get IP of remote system (192.168.20.11) - Create ssh-config entry ```config Host pi HostName 192.168.20.11 Port 22 User tudattr IdentityFile /mnt/veracrypt1/genesis ``` - enable ssh on pi - copy public key to pi - change user password of user on pi - execute `ansible-playbook -i production --ask-vault-pass --extra-vars '@secrets.yml' pi.yml` ## Mikrotik - Create rsa-key on your device and name it mikrotik_rsa - On mikrotik run: `/user/ssh-keys/import public-key-file=mikrotik_rsa.pub user=tudattr` - Create ssh-config entry: ```config Host mikrotik HostName 192.168.70.1 Port 2200 User tudattr IdentityFile /mnt/veracrypt1/mikrotik_rsa ``` ## Todo - Role to setup backup - Role to load customization/configurations from backup to servers - aya01 fstab