# TuDatTr IaC

## User

It is expected that a user with sudo privileges exists on the target; for me the user name is "tudattr". You can add such a user with the following command:

`useradd -m -g sudo -s /bin/bash tudattr`

Don't forget to set a password for the new user with `passwd tudattr`.

## Backups

Backups for aya01 and raspberry are stored in a Backblaze B2 bucket and are encrypted on the client side by rclone. But first of all we need to create the buckets and provide Ansible with the needed information.

## Vault

- Create the vault with: `ansible-vault create secrets.yml`
- Create entries in the vault with: `ansible-vault edit secrets.yml`
- Add the following entries:
  - `vault_pi_tudattr_password: ` (password you've set up on the device)
  - `vault_aya01_tudattr_password: ` (password you've set up on the device)
  - `vault_pihole_password: ` (arbitrary password you want to log in with)
  - `vault_mysql_root_password: ` (arbitrary password, used internally)
  - `vault_mysql_user_password: ` (arbitrary password, used internally)
  - `vault_ddns_tudattrdev_password: ` (password needed for DDNS, refer to [here](https://www.namecheap.com/support/knowledgebase/article.aspx/595/11/how-do-i-enable-dynamic-dns-for-a-domain/))
  - `vault_ddns_borgland_password: ` (password needed for DDNS, refer to [here](https://www.namecheap.com/support/knowledgebase/article.aspx/595/11/how-do-i-enable-dynamic-dns-for-a-domain/))

## Docker

To add new docker containers to the docker role you need to add the following, replacing `service` with the name of your service:

- Add relevant vars to `group_vars/all/vars.yaml`:

  ```yaml
  service_port: "19999" # Exposed port
  service_config: "{{ docker_dir }}/service/" # config folder or your dir
  service_data: "{{ docker_data_dir }}/service/" # data folder or your dir (only works on aya01)
  ```

- Create the necessary directories for the service in the docker role `roles/docker/tasks/service.yaml`:

  ```yaml
  - name: Create service dirs
    file:
      path: "{{ item }}"
      owner: 1000
      group: 1000
      mode: '777'
      state: directory
    loop:
      - "{{ service_config }}"
      - "{{ service_data }}"
  # optional:
  # - name: Place service config
  #   template:
  #     owner: 1000
  #     mode: '660'
  #     src: "templates/hostname/service/service.yml"
  #     dest: "{{ prm_config }}/service.yml"
  ```

- Include the new tasks in `roles/docker/tasks/hostname_compose.yaml`:

  ```yaml
  - include_tasks: service.yaml
    tags:
      - service
  ```

- Add the new service to the compose template `roles/docker/templates/hostname/compose.yaml`:

  ```yaml
  service:
    image: service/service
    container_name: service
    hostname: service
    networks:
      - net
    ports:
      - "{{service_port}}:19999"
    restart: unless-stopped
    volumes:
      - "{{service_config}}:/etc/service"
      - "{{service_lib}}:/var/lib/service"
      - "{{service_cache}}:/var/cache/service"
  ```

## Server

- Install Debian (debian-11.5.0-amd64-netinst.iso) on the remote system
- Create user (tudattr)
- Get the IP of the remote system (192.168.20.11)
- Create an ssh-config entry:

  ```config
  Host aya01
    HostName 192.168.20.11
    Port 22
    User tudattr
    IdentityFile /mnt/veracrypt1/genesis
  ```

- Copy the public key to the remote system: `ssh-copy-id -i /mnt/veracrypt1/genesis.pub aya01`
- Add this host to the ansible inventory
- Install sudo on the remote
- Add the user to the sudo group (use `su --login`; without a login shell the PATH will not be loaded correctly, see [here](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918754)) with `usermod -a -G sudo tudattr`
- Set the time correctly when getting the following error:

  ```sh
  Release file for http://security.debian.org/debian-security/dists/bullseye-security/InRelease is not valid yet (invalid for another 12h 46min 9s). Updates for this repository will not be applied.
  ```

  by running the following on the remote system (example):

  ```sh
  sudo systemctl stop ntp.service
  sudo ntpd -gq
  sudo systemctl start ntp.service
  ```

### zoneminder

- Enable authentication in (Option->System)
- Create new Camera:
  - General>Name: BirdCam
  - General>Function: Ffmpeg
  - General>Function: Modect
  - Source>Source Path: `rtsp://user:pw@ip:554/cam/mpeg4`
- Change the default admin password
- Create users

## RaspberryPi

- Install Raspbian Lite (2022-09-22-raspios-bullseye-arm64-lite.img) on the pi
- Get the IP of the remote system (192.168.20.11)
- Create an ssh-config entry:

  ```config
  Host pi
    HostName 192.168.20.11
    Port 22
    User tudattr
    IdentityFile /mnt/veracrypt1/genesis
  ```

- Enable ssh on the pi
- Copy the public key to the pi
- Change the password of the user on the pi
- Execute `ansible-playbook -i production --ask-vault-pass --extra-vars '@secrets.yml' pi.yml`

## Mikrotik

- Create an rsa-key on your device and name it mikrotik_rsa
- On the mikrotik run: `/user/ssh-keys/import public-key-file=mikrotik_rsa.pub user=tudattr`
- Create an ssh-config entry:

  ```config
  Host mikrotik
    HostName 192.168.70.1
    Port 2200
    User tudattr
    IdentityFile /mnt/veracrypt1/mikrotik_rsa
  ```

### wireguard

Thanks to [mikrotik](https://www.medo64.com/2022/04/wireguard-on-mikrotik-routeros-7/), quick code:

```
# add wireguard interface
interface/wireguard/add listen-port=51820 name=wg1
# get public key
interface/wireguard/print
$ > public-key:
# add network/ip for wireguard interface
ip/address/add address=192.168.200.1/24 network=192.168.200.0 interface=wg1
# add firewall rule for wireguard (maybe specify to be from pppoe-wan)
/ip/firewall/filter/add chain=input protocol=udp dst-port=51820 action=accept
# routing for wg1 clients and rest of the network
>
# enable internet for wg1 clients (may have to add to enable internet list)
/ip/firewall/nat/add chain=srcnat src-address=192.168.200.0/24 out-interface=pppoe-wan action=masquerade
```

Add peer:

```
/interface/wireguard/peers/add interface=wg1 allowed-address=/24 public-key=" peer_A.pub
```

Wireguard config on archlinux at `/etc/wireguard/wg0.conf`:

```
[Interface]
PrivateKey =
Address = 192.168.200.250/24

[Peer]
PublicKey =
Endpoint = tudattr.dev:51820
AllowedIPs = 0.0.0.0/0
```

Used IPv4 addresses:

- tudattr: 192.168.200.250
- livei: 192.168.200.240

#### notes

- wireguard->add
  - name: wg_tunnel01
  - listen port: 51820
  - [save]
- wireguard->peers->add
  - interface: wg_tunnel01
  - endpoint port: 51820
  - allowed address: ::/0
  - psk:
  - persistent keepalive: 25
- ip->address->address list->add
  - address: 192.168.200.1/24
  - network: 192.168.200.0
  - interface: wg_tunnel01

## troubleshooting

### Docker networking problem

`docker system prune -a`

### Time problems (NTP service: n/a)

`systemctl status systemd-timesyncd.service`

When not available: `sudo apt install systemd-timesyncd/stable`

### Syncthing inotify

`echo "fs.inotify.max_user_watches=204800" | sudo tee -a /etc/sysctl.conf`

https://forum.cloudron.io/topic/7163/how-to-increase-inotify-limit-for-syncthing/2
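The Docker section asks for a vars entry, a task file and a compose entry per service, and the three drift apart easily (the compose snippet references `service_lib` and `service_cache`, which the vars snippet does not define). As an added example, not code from the repository, here is a stdlib-only checker that reports Jinja variables referenced in a template but defined nowhere; the samples are constructed from the README snippets, and `docker_dir` / `docker_data_dir` are assumed to live in another vars file.

```python
import re

# Constructed sample: the README's group_vars/all/vars.yaml excerpt.
GROUP_VARS = """\
service_port: "19999" # Exposed port
service_config: "{{ docker_dir }}/service/" # config folder or your dir
service_data: "{{ docker_data_dir }}/service/" # data folder or your dir
"""

# Constructed sample: the README's compose template excerpt (ports and volumes).
COMPOSE_TEMPLATE = """\
service:
  image: service/service
  ports:
    - "{{service_port}}:19999"
  volumes:
    - "{{service_config}}:/etc/service"
    - "{{service_lib}}:/var/lib/service"
    - "{{service_cache}}:/var/cache/service"
"""

# Top-level `name:` keys of a flat vars file, and the first identifier of
# every {{ ... }} expression (filters and attribute lookups are ignored).
VAR_DEF = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:", re.MULTILINE)
VAR_REF = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)")


def defined_vars(vars_yaml: str) -> set:
    return set(VAR_DEF.findall(vars_yaml))


def referenced_vars(template: str) -> set:
    return set(VAR_REF.findall(template))


def undefined_refs(vars_yaml: str, templates, known=()) -> set:
    """Names used in any template but defined neither in vars_yaml nor in
    `known` (variables that live in another vars file, e.g. docker_dir)."""
    defined = defined_vars(vars_yaml) | set(known)
    used = set()
    for text in templates:
        used |= referenced_vars(text)
    return used - defined


if __name__ == "__main__":
    # The vars file is scanned too, so {{ docker_dir }} inside it is checked.
    missing = undefined_refs(GROUP_VARS, [COMPOSE_TEMPLATE, GROUP_VARS],
                             known={"docker_dir", "docker_data_dir"})
    for name in sorted(missing):
        print("undefined variable referenced:", name)
```

Run it over the real `group_vars/all/vars.yaml` and `roles/docker/templates/*/compose.yaml` before `ansible-playbook`, since an undefined variable only surfaces at template time.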
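The `wg0.conf` in the wireguard section is a template to be copied with the keys filled in. As an added example (not code from the repository), this stdlib-only check validates a client config before it is deployed: both keys present and base64 of 32 bytes, `Address` and `AllowedIPs` valid, `Endpoint` carrying a port. The dummy key is constructed for the test input only and is not a usable tunnel key.

```python
import base64
import configparser
import ipaddress

# Constructed sample: the README's wg0.conf template with the keys still blank.
TEMPLATE = """\
[Interface]
PrivateKey =
Address = 192.168.200.250/24

[Peer]
PublicKey =
Endpoint = tudattr.dev:51820
AllowedIPs = 0.0.0.0/0
"""
# Dummy 32-byte key so the filled sample parses; never use it for a real tunnel.
DUMMY_KEY = base64.b64encode(b"\x01" * 32).decode()
FILLED = (TEMPLATE.replace("PrivateKey =", "PrivateKey = " + DUMMY_KEY)
          .replace("PublicKey =", "PublicKey = " + DUMMY_KEY))


def key_ok(value: str) -> bool:
    """A WireGuard key is base64 of exactly 32 bytes."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError
        return False


def check_wg_conf(text: str) -> list:
    """Return the problems found; an empty list means the file looks deployable."""
    cfg = configparser.ConfigParser(strict=False)
    cfg.optionxform = str  # keep key case: PrivateKey, not privatekey
    cfg.read_string(text)
    iface = cfg["Interface"] if cfg.has_section("Interface") else {}
    peer = cfg["Peer"] if cfg.has_section("Peer") else {}
    problems = []
    if not key_ok(iface.get("PrivateKey", "")):
        problems.append("Interface.PrivateKey missing or not a 32-byte base64 key")
    try:
        ipaddress.ip_interface(iface.get("Address", ""))
    except ValueError:
        problems.append("Interface.Address is not a valid address/prefix")
    if not key_ok(peer.get("PublicKey", "")):
        problems.append("Peer.PublicKey missing or not a 32-byte base64 key")
    host, _, port = peer.get("Endpoint", "").rpartition(":")
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        problems.append("Peer.Endpoint must be host:port")
    # 0.0.0.0/0 (as in the README) sends all IPv4 traffic through the tunnel.
    for cidr in peer.get("AllowedIPs", "").split(","):
        try:
            ipaddress.ip_network(cidr.strip())
        except ValueError:
            problems.append("Peer.AllowedIPs entry %r is not a valid network" % cidr.strip())
    return problems
```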