finish madone ansible config

ansible/README.md

@@ -1,13 +1,19 @@
 Assumes:
 
-- OS (Debian) has been installed and IPs have been configured in hosts.cfg
+- ALl:
+  - OS (Debian) has been installed and IPs have been configured in hosts.cfg
+  - Host is already trusted via ssh and can be ssh'd into using keys
+  - Passwordless sudo is enabled for the user ansible uses
 
-- Host is already trusted via ssh and can be ssh'd into using keys
+- Wireguard hosts:
+  - Secure boot is disabled (wireguard is an unsigned module)
+  - Wireguard is configured on 10.200.0.0/24; See https://wiki.debian.org/Wireguard
 
-- Passwordless sudo is enabled for the user ansible uses
+- ZFS server:
+  - ZFS is configured with a volume at /bigdata for sharing
 
-- Secure boot is disabled (wireguard is an unsigned module)
+- Media server:
+  - Create /media-vtluug folder
 
-- Wireguard is configured on 10.200.0.0/24; See https://wiki.debian.org/Wireguard
+- Remote:
-
+  - joe/pew users have been created
-- ZFS is configured with a volume at /bigdata for sharing

ansible/files/weechat.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Weechat IRC Client (in tmux)
+After=network.target
+
+[Service]
+User=pew
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/tmux new-session -d -s irc /usr/bin/weechat
+ExecStop=/usr/bin/tmux kill-session -t irc
+
+[Install]
+WantedBy=multi-user.target

ansible/handlers.yml

@@ -1,9 +1,4 @@
 ---
-- name: Restart systemd-logind service
-  service:
-    name: systemd-logind
-    state: restarted
-
 - name: Restart chrony service
   service:
     name: chrony
@@ -14,5 +9,15 @@
     name: sshd
     state: restarted
 
+- name: Restart systemd-logind service
+  service:
+    name: systemd-logind
+    state: restarted
+
+- name: Enable weechat service
+  service:
+    name: weechat
+    enabled: yes
+
 - name: Re-export exportfs
   command: exportfs -arv

ansible/hosts.cfg

@@ -6,3 +6,6 @@ bigdummy    interface=enp2s0
 
 [compute]
 fogcutter   interface=eno1
+
+[remote]
+joe@madone.seaturtle.pw interface=enp1s0

ansible/main.yml

@@ -18,12 +18,27 @@
           - iperf3
           - mosh
           - nmap
+          - oidentd
+          - speedtest-cli
           - tmux
           - unattended-upgrades
           - vim
         force_apt_get: yes
         update_cache: yes
 
+    - name: Disable MOTDs
+      command: chmod -x /etc/update-motd.d/10-uname
+      args:
+        warn: false
+
+    - name: Set MOTD
+      copy:
+        src: files/motd
+        dest: /etc/motd
+        owner: root
+        group: root
+        mode: '0644'
+
     # TODO Change defaults
     - name: Configure unattended-upgrades
       copy:
@@ -135,12 +150,11 @@
 - hosts: compute
   become: yes
   tasks:
-    - name: Install Docker + compute packages
+    - name: Install Docker + compute dependencies
       apt:
         name:
           - apt-transport-https
           - ca-certificates
-          - curl
           - gnupg2
           - software-properties-common
           - sshfs
@@ -155,12 +169,6 @@
         opts: soft,nodev,nosuid
         state: mounted
 
-    - name: Create /media-vtluug directory
-      file:
-        path: /media-vtluug
-        state: directory
-        mode: '0755'
-
     # Might require running manually mounting
     - name: Mount vtluug /media via sshfs
       mount:
@@ -193,4 +201,4 @@
         groups: docker
         append: yes
     
-    # Clone docker-manifests repo to start services
+    # Clone docker repo to start services

ansible/remote.yml

@@ -0,0 +1,126 @@
+# All hosts are debian 10
+---
+# remote
+- hosts: remote
+  become: yes
+  handlers:
+    - import_tasks: handlers.yml
+  tasks:
+    # Core
+    - name: Install common packages
+      apt:
+        name:
+          - apt-listchanges
+          - apt-transport-https
+          - ca-certificates
+          - chrony
+          - curl
+          - git
+          - gnupg2
+          - htop
+          - iperf3
+          - mosh
+          - nmap
+          - oidentd
+          - software-properties-common
+          - speedtest-cli
+          - tmux
+          - unattended-upgrades
+          - vim
+          - weechat
+          - zsh
+        force_apt_get: yes
+        update_cache: yes
+
+    - name: Disable MOTDs
+      command: chmod -x /etc/update-motd.d/10-uname
+      args:
+        warn: false
+
+    - name: Set MOTD
+      copy:
+        src: files/motd
+        dest: /etc/motd
+        owner: root
+        group: root
+        mode: '0644'
+
+    # TODO Change defaults
+    - name: Configure unattended-upgrades
+      copy:
+        src: files/50unattended-upgrades
+        dest: /etc/apt/apt.conf.d/50unattended-upgrades
+        owner: root
+        group: root
+        mode: '0644'
+
+    - name: Enable unattended-upgrades
+      copy:
+        src: files/20auto-upgrades
+        dest: /etc/apt/apt.conf.d/20auto-upgrades
+        owner: root
+        group: root
+        mode: '0644'
+
+    - name: Disable power and reset buttons
+      copy:
+        src: files/logind.conf
+        dest: /etc/systemd/logind.conf
+        owner: root
+        group: root
+        mode: '0644'
+      notify: Restart systemd-logind service
+
+    # Core networking
+    - name: Configure sshd_config to listen on 2222/22 and disable password auth
+      copy:
+        src: files/sshd_config
+        dest: /etc/ssh/sshd_config
+        owner: root
+        group: root
+        mode: '0644'
+      notify: Restart sshd service
+
+    ## Changes will take effect during next reboot
+    ## (determined by unattended-upgrades)
+    - name: Configure sysctl with IPv6 privacy extensions
+      template:
+        src: templates/local.conf.j2
+        dest: /etc/sysctl.d/local.conf
+        owner: root
+        group: root
+        mode: '0644'
+
+    - name: Add Docker GPG key
+      apt_key:
+        url: https://download.docker.com/linux/debian/gpg
+
+    - name: Add Docker APT repository
+      apt_repository:
+        repo: deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable
+
+    - name: Install Docker CE
+      apt:
+        name:
+          - docker-ce
+          - docker-ce-cli
+          - containerd.io
+        force_apt_get: yes
+        update_cache: yes
+
+    - name: Add joe to docker group
+      user:
+        name: joe
+        groups: docker
+        append: yes
+
+    - name: Install weechat systemd service
+      copy:
+        src: files/weechat.service
+        dest: /etc/systemd/system/weechat.service
+        owner: root
+        group: root
+        mode: '0644'
+      notify: Enable weechat service
+    
+    # Clone docker repo to start services