ansible/all/playbook.yaml

- name: Playbook to Provision / Re-configure Node
  hosts: all
  vars:
    users:
      - name: arya
        password: {{arya_encrypted_pass}}
      - name: devrand
        password: {{devrand_encrypted_pass}}
      - name: midou
        password: {{midou_encrypted_pass}}
      - name: ansiblerunner
        password: {{ansiblerunner_encrypted_pass}}
  tasks:
    - name: Enable backports
      ansible.builtin.apt_repository:
        repo: deb http://deb.debian.org/debian bookworm-backports main contrib
        state: present
    - name: Install Required Programs / APT
      ansible.builtin.apt:
        name:
          # Misc
          - sudo
          - chrony
          - tmux
          - nala
          - apt-file
          # Monitoring
          - htop
          - gdu
          - btop
          - iotop
          - vnstat
          - neofetch
          - prometheus-node-exporter
          - goaccess
          # Text Editing
          - vim
          - neovim
          - curl
          - wget
          # Backups
          - borgbackup
          - rsync
          # Basic Networking
          - net-tools
          - nmap
          # Python3
          - python3-pip
          - python3-passlib # Ansible User Creation
          - python3-pyroute2 # for smart-ipv6-rotator
          - python3-requests # for smart-ipv6-rotator
          # Speed Tests
          - iperf3
          - speedtest-cli
          # Security
          - ufw
    - name: Enable VNStat service
      ansible.builtin.service:
        name: vnstat
        enabled: true
        state: started
    - name: Enable Chrony (NTP) service
      ansible.builtin.service:
        name: chrony
        enabled: true
        state: started
    - name: Enable Prometheus Node Exporter service
      ansible.builtin.service:
        name: prometheus-node-exporter
        enabled: true
        state: started
    - name: Enable UFW service
      ansible.builtin.service:
        name: ufw
        enabled: true
        state: started

    - name: Disable dmesg logging to console
      ansible.posix.sysctl:
        name: kernel.printk
        value: "3 4 1 3"
        state: present
        sysctl_set: true
    - name: Allow binding to non-local IPs / IPv6
      ansible.posix.sysctl:
        name: net.ipv6.ip_nonlocal_bind
        value: "1"
        state: present
        sysctl_set: true
    - name: Allow IP forwarding / IPv4
      ansible.posix.sysctl:
        name: net.ipv4.ip_forward
        value: "1"
        state: present
        sysctl_set: true
    - name: Allow IP forwarding / IPv6
      ansible.posix.sysctl:
        name: net.ipv6.conf.all.forwarding
        value: "1"
        state: present
        sysctl_set: true
    - name: Swappiness
      ansible.posix.sysctl:
        name: vm.swappiness
        value: "60"
        state: present
        sysctl_set: true

    - name: Bashrc skel
      ansible.builtin.template:
        src: templates/bashrc.j2
        dest: /etc/skel/.bashrc
        mode: preserve
    - name: Profile skel
      ansible.builtin.template:
        src: templates/profile.j2
        dest: /etc/skel/.profile
        mode: preserve
    - name: Bash_aliases skel
      ansible.builtin.template:
        src: templates/bash_aliases.j2
        dest: /etc/skel/.bash_aliases
        mode: preserve
    - name: Prompt skel
      ansible.builtin.template:
        src: templates/prompt.j2
        dest: /etc/skel/.prompt
        mode: preserve
    - name: Bashrc root
      ansible.builtin.template:
        src: templates/bashrc.j2
        dest: /root/.bashrc
        mode: preserve
    - name: Profile root
      ansible.builtin.template:
        src: templates/profile.j2
        dest: /root/.profile
        mode: preserve
    - name: Bash_aliases root
      ansible.builtin.template:
        src: templates/bash_aliases.j2
        dest: /root/.bash_aliases
        mode: preserve
    - name: Prompt root
      ansible.builtin.template:
        src: templates/prompt.j2
        dest: /root/.prompt
        mode: preserve

    - name: Add user
      ansible.builtin.user:
        name: "{{ item.name }}"
        group: users
        groups: users,sudo
        password: "{{ item.password }}"
        shell: /bin/bash
        update_password: on_create # Add the same initial password for all users (can be overwritten by user)
      with_items:
        - "{{ users }}"
    - name: "Add authorized keys"
      ansible.posix.authorized_key:
        user: "{{ item.name }}"
        key: "{{ lookup('file', 'files/' + item + '.pub') }}"
      with_items:
        - "{{ users }}"

    - name: "Allow admin users to sudo without a password"
      ansible.builtin.lineinfile:
        dest: "/etc/sudoers" # path: in version 2.3
        state: "present"
        regexp: "^%sudo"
        line: "%sudo ALL=(ALL) NOPASSWD: ALL"

    - name: Sshd configuration file update
      ansible.builtin.template:
        src: templates/sshd_config.j2
        dest: /etc/ssh/sshd_config
        backup: true
        owner: 0
        group: 0
        mode: "0644"
        validate: "/usr/sbin/sshd -T -f %s"
      notify:
        - Restart sshd
  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh
        enabled: true
        state: restarted
  roles:
    - role: geerlingguy.docker
      docker_install_compose_plugin: true
      docker_compose_package: docker-compose-plugin
      docker_compose_package_state: present
    - role: artis3n.tailscale
      # Future Sysadmin seeing this: if this fails; it is because the key is only valid for 365 days (from Jan 6 2024)
      tailscale_authkey: "{{tailscale_authkey}}"
      tailscale_args: "--login-server https://hs.projectsegfau.lt --accept-dns=false"
    - role: borgbase.ansible_role_borgbackup
      borg_repository:
        - ssh://zh3117@zh3117.rsync.net/data1/home/zh3117/backups/{{rsyncnet_slug}}
      borg_source_directories: {{bkp_source_directories}}
      borg_exclude_patterns: {{bkp_exclude_patterns}}
      borg_remote_path: /usr/local/bin/borg_1.2.4/borg1
      borgmatic_hooks:
        postgresql_databases: {{bkp_postgresql_databases}}
        healthchecks:
          ping_url: https://healthchecks.projectsegfau.lt/ping/{{bkp_hc_uuid}}
          states:
            - finish
      borg_retention_policy:
        keep_daily: 7
        keep_weekly: 4
        keep_monthly: 3
      borg_encryption_passcommand: cat /etc/borgmatic/passphrase # very secure I know; it has to be plain text anyway for automated backups, unless there is a better way (in which case please email me@aryak.me)
- name: UFW Firewall Configuration
  hosts: eu,us # IN is behind router so no f/w is needed
  tasks:
    - name: Enable UFW
      community.general.ufw:
        state: enabled
        policy: deny
    - name: Allow all in from tailscale
      community.general.ufw:
        rule: allow
        interface: tailscale0
        direction: in
    - name: Allow all in from wg (if its there)
      community.general.ufw:
        rule: allow
        interface: wg0
        direction: in
    - name: Deny rules
      community.general.ufw:
        rule: allow
        port: {{item.port}}
        proto: {{item.proto}}
      with_items:
        - "{{ ufw_deny_rules }}"
Enable UFW; add more pkgs; diff encrypted pass per user; add backports by def; add more sysctls; install docker; auto-configure borg, tailscale 2024-01-06 22:32:19 +05:30			`- name: Playbook to Provision / Re-configure Node`
init 2023-05-13 06:44:40 +05:30			`hosts: all`
Enable UFW; add more pkgs; diff encrypted pass per user; add backports by def; add more sysctls; install docker; auto-configure borg, tailscale 2024-01-06 22:32:19 +05:30			`vars:`
			`users:`
			`- name: arya`
			`password: {{arya_encrypted_pass}}`
			`- name: devrand`
			`password: {{devrand_encrypted_pass}}`
			`- name: midou`
			`password: {{midou_encrypted_pass}}`
			`- name: ansiblerunner`
			`password: {{ansiblerunner_encrypted_pass}}`
init 2023-05-13 06:44:40 +05:30			`tasks:`
Enable UFW; add more pkgs; diff encrypted pass per user; add backports by def; add more sysctls; install docker; auto-configure borg, tailscale 2024-01-06 22:32:19 +05:30			`- name: Enable backports`
			`ansible.builtin.apt_repository:`
			`repo: deb http://deb.debian.org/debian bookworm-backports main contrib`
			`state: present`
			`- name: Install Required Programs / APT`
ansible-lint 2023-07-07 22:40:54 +05:30			`ansible.builtin.apt:`
			`name:`
Enable UFW; add more pkgs; diff encrypted pass per user; add backports by def; add more sysctls; install docker; auto-configure borg, tailscale 2024-01-06 22:32:19 +05:30			`# Misc`
			`- sudo`
			`- chrony`
			`- tmux`
			`- nala`
			`- apt-file`
			`# Monitoring`
add a few packages 2023-08-12 11:01:24 +05:30			`- htop`
Enable UFW; add more pkgs; diff encrypted pass per user; add backports by def; add more sysctls; install docker; auto-configure borg, tailscale 2024-01-06 22:32:19 +05:30			`- gdu`
			`- btop`
			`- iotop`
			`- vnstat`
			`- neofetch`
			`- prometheus-node-exporter`
			`- goaccess`
			`# Text Editing`
ansible-lint 2023-07-07 22:40:54 +05:30			`- vim`
Enable UFW; add more pkgs; diff encrypted pass per user; add backports by def; add more sysctls; install docker; auto-configure borg, tailscale 2024-01-06 22:32:19 +05:30			`- neovim`
ansible-lint 2023-07-07 22:40:54 +05:30			`- curl`
			`- wget`
Enable UFW; add more pkgs; diff encrypted pass per user; add backports by def; add more sysctls; install docker; auto-configure borg, tailscale 2024-01-06 22:32:19 +05:30			`# Backups`
			`- borgbackup`
			`- rsync`
			`# Basic Networking`
ansible-lint 2023-07-07 22:40:54 +05:30			`- net-tools`
			`- nmap`
Enable UFW; add more pkgs; diff encrypted pass per user; add backports by def; add more sysctls; install docker; auto-configure borg, tailscale 2024-01-06 22:32:19 +05:30			`# Python3`
ansible-lint 2023-07-07 22:40:54 +05:30			`- python3-pip`
Enable UFW; add more pkgs; diff encrypted pass per user; add backports by def; add more sysctls; install docker; auto-configure borg, tailscale 2024-01-06 22:32:19 +05:30			`- python3-passlib # Ansible User Creation`
			`- python3-pyroute2 # for smart-ipv6-rotator`
			`- python3-requests # for smart-ipv6-rotator`
			`# Speed Tests`
add a few packages 2023-08-12 11:01:24 +05:30			`- iperf3`
Enable UFW; add more pkgs; diff encrypted pass per user; add backports by def; add more sysctls; install docker; auto-configure borg, tailscale 2024-01-06 22:32:19 +05:30			`- speedtest-cli`
			`# Security`
			`- ufw`
ansible-lint 2023-07-07 22:40:54 +05:30			`- name: Enable VNStat service`
			`ansible.builtin.service:`
			`name: vnstat`
			`enabled: true`
			`state: started`
			`- name: Enable Chrony (NTP) service`
			`ansible.builtin.service:`
			`name: chrony`
			`enabled: true`
			`state: started`
add prometheus node exporter to ansible 2023-08-22 18:01:27 +05:30			`- name: Enable Prometheus Node Exporter service`
			`ansible.builtin.service:`
			`name: prometheus-node-exporter`
			`enabled: true`
			`state: started`
Enable UFW; add more pkgs; diff encrypted pass per user; add backports by def; add more sysctls; install docker; auto-configure borg, tailscale 2024-01-06 22:32:19 +05:30			`- name: Enable UFW service`
			`ansible.builtin.service:`
			`name: ufw`
			`enabled: true`
			`state: started`

ansible-lint 2023-07-07 22:40:54 +05:30			`- name: Disable dmesg logging to console`
			`ansible.posix.sysctl:`
sysctks 2023-06-10 23:28:18 +05:30			`name: kernel.printk`
Add GDU check 2023-07-21 17:49:35 +05:30			`value: "3 4 1 3"`
sysctks 2023-06-10 23:28:18 +05:30			`state: present`
ansible-lint 2023-07-07 22:40:54 +05:30			`sysctl_set: true`
Enable UFW; add more pkgs; diff encrypted pass per user; add backports by def; add more sysctls; install docker; auto-configure borg, tailscale 2024-01-06 22:32:19 +05:30			`- name: Allow binding to non-local IPs / IPv6`
			`ansible.posix.sysctl:`
			`name: net.ipv6.ip_nonlocal_bind`
			`value: "1"`
			`state: present`
			`sysctl_set: true`
			`- name: Allow IP forwarding / IPv4`
			`ansible.posix.sysctl:`
			`name: net.ipv4.ip_forward`
			`value: "1"`
			`state: present`
			`sysctl_set: true`
			`- name: Allow IP forwarding / IPv6`
			`ansible.posix.sysctl:`
			`name: net.ipv6.conf.all.forwarding`
			`value: "1"`
			`state: present`
			`sysctl_set: true`
			`- name: Swappiness`
			`ansible.posix.sysctl:`
			`name: vm.swappiness`
			`value: "60"`
			`state: present`
			`sysctl_set: true`

ansible-lint 2023-07-07 22:40:54 +05:30			`- name: Bashrc skel`
			`ansible.builtin.template:`
init 2023-05-13 06:44:40 +05:30			`src: templates/bashrc.j2`
			`dest: /etc/skel/.bashrc`
ansible-lint 2023-07-07 22:40:54 +05:30			`mode: preserve`
			`- name: Profile skel`
			`ansible.builtin.template:`
init 2023-05-13 06:44:40 +05:30			`src: templates/profile.j2`
			`dest: /etc/skel/.profile`
ansible-lint 2023-07-07 22:40:54 +05:30			`mode: preserve`
			`- name: Bash_aliases skel`
			`ansible.builtin.template:`
init 2023-05-13 06:44:40 +05:30			`src: templates/bash_aliases.j2`
			`dest: /etc/skel/.bash_aliases`
ansible-lint 2023-07-07 22:40:54 +05:30			`mode: preserve`
			`- name: Prompt skel`
			`ansible.builtin.template:`
init 2023-05-13 06:44:40 +05:30			`src: templates/prompt.j2`
			`dest: /etc/skel/.prompt`
ansible-lint 2023-07-07 22:40:54 +05:30			`mode: preserve`
			`- name: Bashrc root`
			`ansible.builtin.template:`
init 2023-05-13 06:44:40 +05:30			`src: templates/bashrc.j2`
			`dest: /root/.bashrc`
ansible-lint 2023-07-07 22:40:54 +05:30			`mode: preserve`
			`- name: Profile root`
			`ansible.builtin.template:`
init 2023-05-13 06:44:40 +05:30			`src: templates/profile.j2`
			`dest: /root/.profile`
ansible-lint 2023-07-07 22:40:54 +05:30			`mode: preserve`
			`- name: Bash_aliases root`
			`ansible.builtin.template:`
init 2023-05-13 06:44:40 +05:30			`src: templates/bash_aliases.j2`
			`dest: /root/.bash_aliases`
ansible-lint 2023-07-07 22:40:54 +05:30			`mode: preserve`
			`- name: Prompt root`
			`ansible.builtin.template:`
init 2023-05-13 06:44:40 +05:30			`src: templates/prompt.j2`
			`dest: /root/.prompt`
ansible-lint 2023-07-07 22:40:54 +05:30			`mode: preserve`
Enable UFW; add more pkgs; diff encrypted pass per user; add backports by def; add more sysctls; install docker; auto-configure borg, tailscale 2024-01-06 22:32:19 +05:30
init 2023-05-13 06:44:40 +05:30			`- name: Add user`
ansible-lint 2023-07-07 22:40:54 +05:30			`ansible.builtin.user:`
Enable UFW; add more pkgs; diff encrypted pass per user; add backports by def; add more sysctls; install docker; auto-configure borg, tailscale 2024-01-06 22:32:19 +05:30			`name: "{{ item.name }}"`
init 2023-05-13 06:44:40 +05:30			`group: users`
			`groups: users,sudo`
Enable UFW; add more pkgs; diff encrypted pass per user; add backports by def; add more sysctls; install docker; auto-configure borg, tailscale 2024-01-06 22:32:19 +05:30			`password: "{{ item.password }}"`
init 2023-05-13 06:44:40 +05:30			`shell: /bin/bash`
			`update_password: on_create # Add the same initial password for all users (can be overwritten by user)`
ansible-lint 2023-07-07 22:40:54 +05:30			`with_items:`
init 2023-05-13 06:44:40 +05:30			`- "{{ users }}"`
			`- name: "Add authorized keys"`
ansible-lint 2023-07-07 22:40:54 +05:30			`ansible.posix.authorized_key:`
Enable UFW; add more pkgs; diff encrypted pass per user; add backports by def; add more sysctls; install docker; auto-configure borg, tailscale 2024-01-06 22:32:19 +05:30			`user: "{{ item.name }}"`
ansible-lint 2023-07-07 22:40:54 +05:30			`key: "{{ lookup('file', 'files/' + item + '.pub') }}"`
init 2023-05-13 06:44:40 +05:30			`with_items:`
			`- "{{ users }}"`
Enable UFW; add more pkgs; diff encrypted pass per user; add backports by def; add more sysctls; install docker; auto-configure borg, tailscale 2024-01-06 22:32:19 +05:30
init 2023-05-13 06:44:40 +05:30			`- name: "Allow admin users to sudo without a password"`
ansible-lint 2023-07-07 22:40:54 +05:30			`ansible.builtin.lineinfile:`
init 2023-05-13 06:44:40 +05:30			`dest: "/etc/sudoers" # path: in version 2.3`
			`state: "present"`
			`regexp: "^%sudo"`
			`line: "%sudo ALL=(ALL) NOPASSWD: ALL"`
Enable UFW; add more pkgs; diff encrypted pass per user; add backports by def; add more sysctls; install docker; auto-configure borg, tailscale 2024-01-06 22:32:19 +05:30
ansible-lint 2023-07-07 22:40:54 +05:30			`- name: Sshd configuration file update`
			`ansible.builtin.template:`
init 2023-05-13 06:44:40 +05:30			`src: templates/sshd_config.j2`
			`dest: /etc/ssh/sshd_config`
ansible-lint 2023-07-07 22:40:54 +05:30			`backup: true`
init 2023-05-13 06:44:40 +05:30			`owner: 0`
			`group: 0`
ansible-lint 2023-07-07 22:40:54 +05:30			`mode: "0644"`
Add GDU check 2023-07-21 17:49:35 +05:30			`validate: "/usr/sbin/sshd -T -f %s"`
init 2023-05-13 06:44:40 +05:30			`notify:`
add simplelogin and fix sshd configurator in all 2023-08-12 18:38:30 +05:30			`- Restart sshd`
init 2023-05-13 06:44:40 +05:30			`handlers:`
ansible-lint 2023-07-07 22:40:54 +05:30			`- name: Restart sshd`
			`ansible.builtin.service:`
add simplelogin and fix sshd configurator in all 2023-08-12 18:38:30 +05:30			`name: ssh`
ansible-lint 2023-07-07 22:40:54 +05:30			`enabled: true`
			`state: restarted`
Enable UFW; add more pkgs; diff encrypted pass per user; add backports by def; add more sysctls; install docker; auto-configure borg, tailscale 2024-01-06 22:32:19 +05:30			`roles:`
			`- role: geerlingguy.docker`
			`docker_install_compose_plugin: true`
			`docker_compose_package: docker-compose-plugin`
			`docker_compose_package_state: present`
			`- role: artis3n.tailscale`
			`# Future Sysadmin seeing this: if this fails; it is because the key is only valid for 365 days (from Jan 6 2024)`
			`tailscale_authkey: "{{tailscale_authkey}}"`
			`tailscale_args: "--login-server https://hs.projectsegfau.lt --accept-dns=false"`
			`- role: borgbase.ansible_role_borgbackup`
			`borg_repository:`
			`- ssh://zh3117@zh3117.rsync.net/data1/home/zh3117/backups/{{rsyncnet_slug}}`
			`borg_source_directories: {{bkp_source_directories}}`
			`borg_exclude_patterns: {{bkp_exclude_patterns}}`
			`borg_remote_path: /usr/local/bin/borg_1.2.4/borg1`
			`borgmatic_hooks:`
			`postgresql_databases: {{bkp_postgresql_databases}}`
			`healthchecks:`
			`ping_url: https://healthchecks.projectsegfau.lt/ping/{{bkp_hc_uuid}}`
			`states:`
			`- finish`
			`borg_retention_policy:`
			`keep_daily: 7`
			`keep_weekly: 4`
			`keep_monthly: 3`
			`borg_encryption_passcommand: cat /etc/borgmatic/passphrase # very secure I know; it has to be plain text anyway for automated backups, unless there is a better way (in which case please email me@aryak.me)`
			`- name: UFW Firewall Configuration`
			`hosts: eu,us # IN is behind router so no f/w is needed`
			`tasks:`
			`- name: Enable UFW`
			`community.general.ufw:`
			`state: enabled`
			`policy: deny`
			`- name: Allow all in from tailscale`
			`community.general.ufw:`
			`rule: allow`
			`interface: tailscale0`
			`direction: in`
			`- name: Allow all in from wg (if its there)`
			`community.general.ufw:`
			`rule: allow`
			`interface: wg0`
			`direction: in`
			`- name: Deny rules`
			`community.general.ufw:`
			`rule: allow`
			`port: {{item.port}}`
			`proto: {{item.proto}}`
			`with_items:`
			`- "{{ ufw_deny_rules }}"`