# All hosts run Debian 10 or 11
|
2019-08-25 14:17:20 -04:00
|
|
|
---
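# Common
# Baseline applied to every host group: packages, MOTD, unattended
# upgrades, time sync, sshd, the local mail relay, sysctl, smartd and tor.
- hosts: daily,compute,nfs,proxy,irc
  become: true
  handlers:
    - import_tasks: handlers.yml
  tasks:
    # Core
    - name: Set hostname
      hostname:
        name: "{{ hostname }}"

    - name: Install common packages
      apt:
        name:
          - apt-listchanges
          - chrony
          - curl
          - dma
          - git
          - htop
          - iperf3
          - mosh
          - netcat-openbsd
          - nfs-common
          - nmap
          - oidentd
          - rsync
          - smartmontools
          - snapd
          - speedtest-cli
          - tmux
          - tor
          - unattended-upgrades
          - vim
        force_apt_get: true
        update_cache: true

    # 0644 drops the execute bit, so the motd framework skips this script
    - name: Disable MOTDs
      file:
        path: /etc/update-motd.d/10-uname
        mode: '0644'

    - name: Set MOTD
      copy:
        src: files/motd
        dest: /etc/motd
        owner: root
        group: root
        mode: '0644'

    # No automatic reboots
    - name: Configure unattended-upgrades
      copy:
        src: files/50unattended-upgrades
        dest: /etc/apt/apt.conf.d/50unattended-upgrades
        owner: root
        group: root
        mode: '0644'

    - name: Enable auto-upgrades
      copy:
        src: files/20auto-upgrades
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        owner: root
        group: root
        mode: '0644'

    - name: Disable power and reset buttons
      copy:
        src: files/logind.conf
        dest: /etc/systemd/logind.conf
        owner: root
        group: root
        mode: '0644'
      notify: Restart systemd-logind service

    - name: Set chrony ntp servers
      template:
        src: templates/chrony.conf.j2
        dest: /etc/chrony/chrony.conf
        owner: root
        group: root
        mode: '0644'
      notify: Restart chrony service

    # Core networking
    # The new sshd_config is syntax-checked before it replaces the live
    # file; otherwise a typo plus the restart handler locks everyone out.
    - name: Configure sshd_config to listen on 22/37121 and disable password auth
      copy:
        src: files/sshd_config
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: '0644'
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart sshd service

    # root:mail 0640 keeps the relay settings unreadable to ordinary users
    - name: Configure dma
      copy:
        src: files/dma.conf
        dest: /etc/dma/dma.conf
        owner: root
        group: mail
        mode: '0640'

    # Presumably the SMTP credential lives here, hence the same 0640/mail
    # restriction; only rendered on hosts that define dma_auth.
    - name: Configure dma auth
      template:
        src: templates/auth.conf.j2
        dest: /etc/dma/auth.conf
        owner: root
        group: mail
        mode: '0640'
      when: dma_auth is defined

    # Changes take effect at next reboot; does not affect static IPs
    - name: Configure sysctl with IPv6 privacy extensions
      template:
        src: templates/local.conf.j2
        dest: /etc/sysctl.d/local.conf
        owner: root
        group: root
        mode: '0644'

    - name: Configure smartd
      copy:
        src: files/smartd.conf
        dest: /etc/smartd.conf
        owner: root
        group: root
        mode: '0644'
      notify: Restart and enable smartd

    - name: Install tor config
      copy:
        src: files/torrc
        dest: /etc/tor/torrc
        owner: root
        group: root
        mode: '0644'
      notify: Restart and enable tor

    - debug:
        msg: Manually get tor hostname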
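# Common dynamic settings
# Dynamic DNS updater; both tasks are gated on gandi_api_key so hosts
# without a key are left untouched.
- hosts: compute,daily,proxy
  become: true
  handlers:
    - import_tasks: handlers.yml
  tasks:
    # NOTE(review): if gandi-ddns.sh.j2 embeds gandi_api_key, 0755 leaves
    # that secret readable by every local user; 0700 would still work since
    # the cron entry below runs it as root — confirm against the template.
    - name: Copy Dynamic DNS script
      template:
        src: templates/gandi-ddns.sh.j2
        dest: /usr/local/bin/gandi-ddns.sh
        owner: root
        group: root
        mode: '0755'
      when: gandi_api_key is defined

    - name: Add Dynamic DNS cronjob
      cron:
        name: 'Update dynamic dns'
        job: /usr/local/bin/gandi-ddns.sh
        special_time: daily
        user: root
      when: gandi_api_key is defined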
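# Custom repo config
- hosts: compute
  become: true
  handlers:
    - import_tasks: handlers.yml
  tasks:
    - name: Install compute packages
      apt:
        name:
          - podman
          - sshfs
        force_apt_get: true
        update_cache: true

    # sshfs, not NFS: this logs in as root on 10.42.0.202 with paul's key.
    # A dedicated unprivileged account on the remote side would limit what
    # a leaked key could do there.
    - name: Mount bigdummy /bigdata via sshfs
      mount:
        src: root@10.42.0.202:/bigdata
        path: /bigdata
        fstype: fuse.sshfs
        opts: reconnect,allow_other,_netdev,IdentityFile=/home/paul/.ssh/id_rsa_fast
        state: mounted

    # Read-only; same key as above
    - name: Mount vtluug /media via sshfs
      mount:
        src: pew-media@dirtycow.vtluug.org:/nfs/cistern/share/media
        path: /media-vtluug
        fstype: fuse.sshfs
        opts: reconnect,allow_other,ro,_netdev,IdentityFile=/home/paul/.ssh/id_rsa_fast
        state: mounted

    # /home/paul/.ssh/id_rsa_fast must exist
    - name: Install sshtunnel systemd service
      copy:
        src: files/fogcutter/sshtunnel.service
        dest: /etc/systemd/system/sshtunnel.service
        owner: root
        group: root
        mode: '0644'
      notify: Load, start, and enable sshtunnel service

    - debug:
        msg: Start podman services manually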
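# NFS core config
# ASSUMES /bigdata IS CONFIGURED (make sure dir is 755)
- hosts: nfs
  become: true
  handlers:
    - import_tasks: handlers.yml
  tasks:
    - name: Install NFS server, ZFS tooling, and beets
      apt:
        name:
          - beets
          - nfs-kernel-server
          - zfs-auto-snapshot
          - zfs-zed
        force_apt_get: true
        update_cache: true

    - name: Configure zfs-zed
      copy:
        src: files/zed.rc
        dest: /etc/zfs/zed.d/zed.rc
        owner: root
        group: root
        mode: '0644'
      notify: Restart zfs-zed

    # Weekly `zpool status` report by mail; this entry does not run a scrub
    - name: Install weekly zfs pool status mail cron job
      cron:
        name: 'Weekly zfs pool status check'
        special_time: weekly
        job: '/usr/sbin/zpool status | mail -s "ZFS STATUS" paulsw.pw+alerts@gmail.com'
        user: root

    # NOTE(review): a .deb fetched straight from GitHub is installed without
    # any signature check (apt only verifies repository metadata, not a
    # bare .deb). Fetching it with get_url and a `checksum:` pin first would
    # close that gap; the version is at least pinned.
    - name: Install rclone
      apt:
        deb: https://github.com/rclone/rclone/releases/download/v1.49.2/rclone-v1.49.2-linux-amd64.deb
        force_apt_get: true

    - debug:
        msg: Manually configure rclone remote drive

    - name: Export /bigdata
      copy:
        src: files/exports
        dest: /etc/exports
        owner: root
        group: root
        mode: '0644'
      notify: Re-export exportfs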
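# Proxy config
- hosts: proxy
  become: true
  # Without this import the "Restart haproxy" notify below has no handler
  # to reach; every other play in this file imports the shared handlers.
  handlers:
    - import_tasks: handlers.yml
  tasks:
    # Changes will take effect during next reboot
    - name: Configure sysctl to reject RA acceptance
      template:
        src: templates/disablera.conf.j2
        dest: /etc/sysctl.d/disablera.conf
        owner: root
        group: root
        mode: '0644'

    # NOTE(review): apt_key puts this key in the globally trusted keyring,
    # so it can sign any repo, not just HAProxy's. A dedicated `keyring`
    # plus a [signed-by=...] option on the repo line scopes it, and the
    # module's `id` option pins the expected fingerprint.
    - name: Add HAProxy GPG key
      apt_key:
        url: https://haproxy.debian.net/bernat.debian.org.gpg

    # NOTE(review): hard-wired to buster although the file header allows
    # Debian 11 hosts — confirm the release name tracks the host. apt still
    # verifies the Release signature over plain http, so integrity holds.
    - name: Add HAProxy APT repository
      apt_repository:
        repo: deb http://haproxy.debian.net buster-backports-2.2 main

    - name: Install HAProxy
      apt:
        name: haproxy
        state: present
        force_apt_get: true
        update_cache: true

    # Per-host config from files/<inventory_hostname>/haproxy.cfg. The copy
    # module's `validate` option (haproxy -c -f %s) would reject a broken
    # file before the restart handler fires.
    - name: Install HAProxy proxy config
      copy:
        src: files/{{ inventory_hostname }}/haproxy.cfg
        dest: /etc/haproxy/haproxy.cfg
        owner: root
        group: root
        mode: '0644'
      notify: Restart haproxy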
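# IRC config
- hosts: irc
  become: true
  handlers:
    - import_tasks: handlers.yml
  tasks:
    # NOTE(review): this key lands in the globally trusted keyring; a
    # dedicated `keyring` plus [signed-by=...] on the repo line would scope
    # it to Docker's repository only.
    - name: Add Docker GPG key
      apt_key:
        url: https://download.docker.com/linux/debian/gpg

    - name: Add Docker APT repository
      apt_repository:
        repo: deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable

    - name: Install Docker CE
      apt:
        name:
          - docker-ce
          - docker-ce-cli
          - containerd.io
        force_apt_get: true
        update_cache: true

    # Membership of the docker group is effectively root on this host: the
    # daemon runs as root and mounts whatever a group member asks for.
    - name: Add joe to docker group
      user:
        name: joe
        groups: docker
        append: true

    - name: Install weechat systemd service
      copy:
        src: files/weechat.service
        dest: /etc/systemd/system/weechat.service
        owner: root
        group: root
        mode: '0644'
      notify: Enable weechat service

    - debug:
        msg: Clone docker repo to start services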