3.1 KiB
3.1 KiB
TuDatTr IaC
Vault
- Create vault with:
ansible-vault create secrets.yml
- Create entry in vault with:
ansible-vault edit secrets.yml
- Add following entries:
vault_pi_tudattr_password: <YOURPASSWORD>
(password you've setup on the device)vault_aya01_tudattr_password: <YOURPASSWORD>
(password you've setup on the device)vault_pihole_password: <YOURPASSWORD>
(arbitrary password you want to log in with)vault_mysql_root_password: <YOURPASSWORD>
(arbitrary password, used internally)vault_mysql_user_password: <YOURPASSWORD>
(arbitrary password, used internally)vault_ddns_tudattrdev_password: <YOURPASSWORD>
(password needed for ddns, refer to here)vault_ddns_borgland_password: <YOURPASSWORD>
(password needed for ddns, refer to here)
Server
- Install Debian (debian-11.5.0-amd64-netinst.iso) on remote system
- Create user (tudattr)
- Get IP of remote system (192.168.20.11)
- Create ssh-config entry
Host aya01 HostName 192.168.20.11 Port 22 User tudattr IdentityFile /mnt/veracrypt1/genesis
- copy public key to remote system
ssh-copy-id -i /mnt/veracrypt1/genesis.pub aya01
- copy public key to remote system
- Add this host to ansible inventory
- Install sudo on remote
- add user to sudo group (with
su --login
without login the path will not be loaded correctly see here) andusermod -a -G sudo tudattr
- set time correctly when getting the following error
Release file for http://security.debian.org/debian-security/dists/bullseye-security/InRelease is not valid yet (invalid for another 12h 46min 9s). Updates for this repository will not be applied.
By doing on remote system (example):
sudo systemctl stop ntp.service
sudo ntpd -gq
sudo systemctl start ntp.service
zoneminder
- Enable authentification in (Option->System)
- Create new Camera:
- General>Name: BirdCam
- General>Function: Ffmpeg
- General>Function: Modect
- Source>Source Path:
rtsp://user:pw@ip:554/cam/mpeg4
- Change default admin password
- Create users
RaspberryPi
- Install raspbian lite (2022-09-22-raspios-bullseye-arm64-lite.img) on pi
- Get IP of remote system (192.168.20.11)
- Create ssh-config entry
Host pi
HostName 192.168.20.11
Port 22
User tudattr
IdentityFile /mnt/veracrypt1/genesis
- enable ssh on pi
- copy public key to pi
- change user password of user on pi
- execute
ansible-playbook -i production --ask-vault-pass --extra-vars '@secrets.yml' pi.yml
Mikrotik
- Create rsa-key on your device and name it mikrotik_rsa
- On mikrotik run:
/user/ssh-keys/import public-key-file=mikrotik_rsa.pub user=tudattr
- Create ssh-config entry:
Host mikrotik
HostName 192.168.70.1
Port 2200
User tudattr
IdentityFile /mnt/veracrypt1/mikrotik_rsa
Todo
- Role to setup backup
- Role to load customization/configurations from backup to servers
- aya01 fstab