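- name: Playbook to Provision / Re-configure Node
  hosts: all
  vars:
    # Each entry is consumed below as item.name / item.password.
    # Jinja expressions are quoted: a value that begins with "{{" is otherwise
    # parsed by YAML as a flow mapping before Ansible ever sees it.
    users:
      - name: arya
        password: "{{ arya_encrypted_pass }}"
      - name: devrand
        password: "{{ devrand_encrypted_pass }}"
      - name: midou
        password: "{{ midou_encrypted_pass }}"
      - name: ansiblerunner
        password: "{{ ansiblerunner_encrypted_pass }}"

  # Ordering note: Ansible applies a play's roles: section before its tasks:,
  # so the docker / tailscale / borgbackup roles at the bottom run before
  # any of the tasks listed here.
  tasks:
    - name: Enable backports
      ansible.builtin.apt_repository:
        repo: deb http://deb.debian.org/debian bookworm-backports main contrib
        state: present

    - name: Install Required Programs / APT
      ansible.builtin.apt:
        name:
          # Misc
          - sudo
          - chrony
          - tmux
          - nala
          - apt-file
          # Monitoring
          - htop
          - gdu
          - btop
          - iotop
          - vnstat
          - neofetch
          - prometheus-node-exporter
          - goaccess
          # Text Editing
          - vim
          - neovim
          - curl
          - wget
          # Backups
          - borgbackup
          - rsync
          # Basic Networking
          - net-tools
          - nmap
          # Python3
          - python3-pip
          - python3-passlib  # Ansible User Creation
          - python3-pyroute2  # for smart-ipv6-rotator
          - python3-requests  # for smart-ipv6-rotator
          # Speed Tests
          - iperf3
          - speedtest-cli
          # Security
          - ufw

    # One task instead of four identical service blocks (vnstat, chrony/NTP,
    # prometheus-node-exporter, ufw); same module and parameters per service.
    - name: Enable and start vnstat, chrony (NTP), node exporter and ufw services
      ansible.builtin.service:
        name: "{{ item }}"
        enabled: true
        state: started
      loop:
        - vnstat
        - chrony
        - prometheus-node-exporter
        - ufw

    # One task for all sysctl settings; values stay quoted strings as before.
    - name: Apply kernel and network sysctl settings
      ansible.posix.sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        state: present
        sysctl_set: true
      loop:
        # Disable dmesg logging to console
        - name: kernel.printk
          value: "3 4 1 3"
        # Allow binding to non-local IPs / IPv6
        - name: net.ipv6.ip_nonlocal_bind
          value: "1"
        # Allow IP forwarding / IPv4 and IPv6. This turns every host into a
        # router; NOTE(review): confirm the firewall's forward policy on the
        # hosts that get UFW covers this — nothing here restricts forwarded traffic.
        - name: net.ipv4.ip_forward
          value: "1"
        - name: net.ipv6.conf.all.forwarding
          value: "1"
        # Swappiness
        - name: vm.swappiness
          value: "60"

    # Expands to the eight template tasks this used to be: each of
    # bashrc / profile / bash_aliases / prompt rendered from templates/<name>.j2
    # into both /etc/skel/.<name> and /root/.<name>, mode preserved from the source.
    - name: Deploy shell dotfiles to /etc/skel and /root
      ansible.builtin.template:
        src: "templates/{{ item.0 }}.j2"
        dest: "{{ item.1 }}/.{{ item.0 }}"
        mode: preserve
      loop: "{{ ['bashrc', 'profile', 'bash_aliases', 'prompt'] | product(['/etc/skel', '/root']) }}"
      loop_control:
        label: "{{ item.1 }}/.{{ item.0 }}"

    - name: Add user
      ansible.builtin.user:
        name: "{{ item.name }}"
        group: users
        groups: users,sudo
        password: "{{ item.password }}"
        shell: /bin/bash
        update_password: on_create  # Add the same initial password for all users (can be overwritten by user)
      loop: "{{ users }}"
      # Each loop item carries a password hash; keep it out of play output and logs.
      no_log: true

    - name: "Add authorized keys"
      ansible.posix.authorized_key:
        user: "{{ item.name }}"
        # item is a dict (see vars.users), so the key file is looked up by item.name,
        # not by concatenating the whole item.
        key: "{{ lookup('file', 'files/' + item.name + '.pub') }}"
      loop: "{{ users }}"
      loop_control:
        label: "{{ item.name }}"

    # Every account in vars.users is placed in group sudo above, so this grants
    # all of them (including ansiblerunner) passwordless root.
    - name: "Allow admin users to sudo without a password"
      ansible.builtin.lineinfile:
        path: "/etc/sudoers"  # path: in version 2.3
        state: "present"
        regexp: "^%sudo"
        line: "%sudo ALL=(ALL) NOPASSWD: ALL"
        # A syntax error in sudoers disables sudo for everyone on the host;
        # visudo -c rejects the edit before it is written into place.
        validate: "/usr/sbin/visudo -cf %s"

    - name: Sshd configuration file update
      ansible.builtin.template:
        src: templates/sshd_config.j2
        dest: /etc/ssh/sshd_config
        backup: true
        owner: 0
        group: 0
        mode: "0644"
        # sshd -T parses the rendered file and fails the task on a bad config,
        # so the handler never restarts sshd into a broken state.
        validate: "/usr/sbin/sshd -T -f %s"
      notify:
        - Restart sshd

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh
        enabled: true
        state: restarted

  roles:
    # Docker programs its own iptables chains for published container ports;
    # those are not subject to the UFW rules applied in the next play, so a
    # published port is reachable regardless of the UFW default-deny policy.
    - role: geerlingguy.docker
      docker_install_compose_plugin: true
      docker_compose_package: docker-compose-plugin
      docker_compose_package_state: present
    - role: artis3n.tailscale
      # Future Sysadmin seeing this: if this fails; it is because the key is only valid for 365 days (from Jan 6 2024)
      tailscale_authkey: "{{ tailscale_authkey }}"
      tailscale_args: "--login-server https://hs.projectsegfau.lt --accept-dns=false"
    - role: borgbase.ansible_role_borgbackup
      borg_repository:
        - "ssh://zh3117@zh3117.rsync.net/data1/home/zh3117/backups/{{ rsyncnet_slug }}"
      borg_source_directories: "{{ bkp_source_directories }}"
      borg_exclude_patterns: "{{ bkp_exclude_patterns }}"
      borg_remote_path: /usr/local/bin/borg_1.2.4/borg1
      borgmatic_hooks:
        postgresql_databases: "{{ bkp_postgresql_databases }}"
        healthchecks:
          ping_url: "https://healthchecks.projectsegfau.lt/ping/{{ bkp_hc_uuid }}"
          states:
            - finish
      borg_retention_policy:
        keep_daily: 7
        keep_weekly: 4
        keep_monthly: 3
      # The passphrase is only as protected as that file's permissions; nothing
      # in this playbook manages them, so keep it root-owned and mode 0600 on the host.
      borg_encryption_passcommand: cat /etc/borgmatic/passphrase  # very secure I know; it has to be plain text anyway for automated backups, unless there is a better way (in which case please email me@aryak.me)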
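- name: UFW Firewall Configuration
  hosts: eu,us  # IN is behind router so no f/w is needed
  tasks:
    # Rules are written first and the firewall is enabled last, so the
    # default-deny policy never takes effect on a host before its allow
    # rules exist (ufw stores rules while still disabled).
    - name: Allow all in from tailscale
      community.general.ufw:
        rule: allow
        interface: tailscale0
        direction: in

    - name: Allow all in from wg (if its there)
      community.general.ufw:
        rule: allow
        interface: wg0
        direction: in

    # NOTE(review): the task name and the variable say "deny" but the rule is
    # "allow"; under the default-deny policy these entries open the listed
    # ports. Confirm which is intended before depending on this list.
    - name: Deny rules
      community.general.ufw:
        rule: allow
        port: "{{ item.port }}"
        proto: "{{ item.proto }}"
      loop: "{{ ufw_deny_rules }}"

    # NOTE(review): no rule in this play permits SSH on a public interface;
    # management access is assumed to come over tailscale0 / wg0 or through
    # an entry in ufw_deny_rules. Verify before running against a new host.
    - name: Enable UFW
      community.general.ufw:
        state: enabled
        policy: deny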