ansible/README.md

5.1 KiB

TuDatTr IaC

Backups

Backup for aya01 and raspberry are in a backblaze b2, which gets encrypted on the clientside by rclone. but first of all we need to create the buckets and provide ansible with the needed information.

Vault

  • Create vault with: ansible-vault create secrets.yml
  • Create entry in vault with: ansible-vault edit secrets.yml
  • Add following entries:
    • vault_pi_tudattr_password: <YOURPASSWORD> (password you've setup on the device)
    • vault_aya01_tudattr_password: <YOURPASSWORD> (password you've setup on the device)
    • vault_pihole_password: <YOURPASSWORD> (arbitrary password you want to log in with)
    • vault_mysql_root_password: <YOURPASSWORD> (arbitrary password, used internally)
    • vault_mysql_user_password: <YOURPASSWORD> (arbitrary password, used internally)
    • vault_ddns_tudattrdev_password: <YOURPASSWORD> (password needed for ddns, refer to here)
    • vault_ddns_borgland_password: <YOURPASSWORD> (password needed for ddns, refer to here)

Server

  • Install Debian (debian-11.5.0-amd64-netinst.iso) on remote system
  • Create user (tudattr)
  • Get IP of remote system (192.168.20.11)
  • Create ssh-config entry
    Host aya01
      HostName 192.168.20.11
      Port 22
      User tudattr
      IdentityFile /mnt/veracrypt1/genesis
    
    • copy public key to remote system ssh-copy-id -i /mnt/veracrypt1/genesis.pub aya01
  • Add this host to ansible inventory
  • Install sudo on remote
  • add user to sudo group (with su --login without login the path will not be loaded correctly see here) and usermod -a -G sudo tudattr
  • set time correctly when getting the following error
Release file for http://security.debian.org/debian-security/dists/bullseye-security/InRelease is not valid yet (invalid for another 12h 46min 9s). Updates for this repository will not be applied.

By doing on remote system (example):

sudo systemctl stop ntp.service
sudo ntpd -gq
sudo systemctl start ntp.service

zoneminder

  • Enable authentification in (Option->System)
  • Create new Camera:
    • General>Name: BirdCam
    • General>Function: Ffmpeg
    • General>Function: Modect
    • Source>Source Path: rtsp://user:pw@ip:554/cam/mpeg4
  • Change default admin password
  • Create users

RaspberryPi

  • Install raspbian lite (2022-09-22-raspios-bullseye-arm64-lite.img) on pi
  • Get IP of remote system (192.168.20.11)
  • Create ssh-config entry
Host pi
     HostName 192.168.20.11
     Port 22
     User tudattr
     IdentityFile /mnt/veracrypt1/genesis
  • enable ssh on pi
  • copy public key to pi
  • change user password of user on pi
  • execute ansible-playbook -i production --ask-vault-pass --extra-vars '@secrets.yml' pi.yml

Mikrotik

  • Create rsa-key on your device and name it mikrotik_rsa
  • On mikrotik run: /user/ssh-keys/import public-key-file=mikrotik_rsa.pub user=tudattr
  • Create ssh-config entry:
Host mikrotik
     HostName 192.168.70.1
     Port 2200
     User tudattr
     IdentityFile /mnt/veracrypt1/mikrotik_rsa

wireguard

thanks to mikrotik0 quick code

# add wiregurad interface
interface/wireguard/add listen-port=51820 name=wg1
# get public key
interface/wireguard/print
$ > public-key: <mikrotik_public_key>
# add network/ip for wireguard interface
ip/address/add address=192.168.200.1/24 network=192.168.200.0 interface=wg1
# add firewall rule for wireguard (maybe specify to be from pppoe-wan)
/ip/firewall/filter/add chain=input protocol=udp dst-port=51820 action=accept 
# routing for wg1 clients and rest of the network
> <insert forward for routing between wg1 and other networks>
# enable internet for wg1 clients (may have to add to enable internet list
/ip/firewall/nat/add chain=srcnat src-address=192.168.200.0/24 out-interface=pppoe-wan action=masquerade

add peer

/interface/wireguard/peers/add interface=wg1 allowed-address=<untaken_ipv4>/24 public-key="<client_public_key"

Keygeneragion on archlinux wg genkey | (umask 0077 && tee wireguard.key) | wg pubkey > peer_A.pub Wireguard config on archlinux at /etc/wireguard/wg0.conf:

[Interface]
PrivateKey = <client_private_key>
Address = 192.168.200.250/24

[Peer]
PublicKey = <mikrotik public key>
Endpoint = tudattr.dev:51820
AllowedIPs = 0.0.0.0/0

used ipv4:

  • tudattr: 192.168.200.250
  • livei: 192.168.200.240

notes

  • wireguard->add name: wg_tunnel01 listen port: 51820 [save]
  • wireguard->peers->add interface: wg_tunnel01 endpoint port: 51820 allowed address: ::/0 psk: persistent keepalive: 25
  • ip->address->address list->add address:192.168.200.1/24 network: 192.168.200.0 interface: wg_tunnel01

troubleshooting

when problems with docker: docker system prune -a

Todo

  • Role to load customization/configurations from backup to servers
  • split docker containers to different composes or tag