# All hosts are debian 10 or 11 --- # Common - hosts: cloudlab,daily,homelab,irc become: yes handlers: - import_tasks: handlers.yml tasks: # Core - name: Set hostname hostname: name: "{{ hostname }}" - name: Install common packages apt: name: - apt-listchanges - beets - chrony - curl - dma - git - htop - iperf3 - mosh - mutt - netcat-openbsd - nfs-common - nmap - oidentd - rsync - smartmontools - snapd - speedtest-cli - tmux - tor - unattended-upgrades - vim force_apt_get: yes update_cache: yes - name: Install rclone apt: deb: https://downloads.rclone.org/rclone-current-linux-amd64.deb force_apt_get: yes - name: Disable MOTDs file: path: /etc/update-motd.d/10-uname mode: '0644' - name: Set MOTD copy: src: files/motd dest: /etc/motd owner: root group: root mode: '0644' # No automatic reboots - name: Configure unattended-upgrades copy: src: files/50unattended-upgrades dest: /etc/apt/apt.conf.d/50unattended-upgrades owner: root group: root mode: '0644' - name: Enable auto-upgrades copy: src: files/20auto-upgrades dest: /etc/apt/apt.conf.d/20auto-upgrades owner: root group: root mode: '0644' - name: Disable power and reset buttons copy: src: files/logind.conf dest: /etc/systemd/logind.conf owner: root group: root mode: '0644' notify: Restart systemd-logind service - name: Set chrony ntp servers template: src: templates/chrony.conf.j2 dest: /etc/chrony/chrony.conf owner: root group: root mode: '0644' notify: Restart chrony service # Core networking - name: Configure sshd_config to listen on 22/37121 and disable password auth copy: src: files/sshd_config dest: /etc/ssh/sshd_config owner: root group: root mode: '0644' notify: Restart sshd service - name: Configure dma copy: src: files/dma.conf dest: /etc/dma/dma.conf owner: root group: mail mode: '0640' - name: Configure dma auth template: src: templates/auth.conf.j2 dest: /etc/dma/auth.conf owner: root group: mail mode: '0640' when: dma_auth is defined and dma_auth != '' ## Changes will take effect during next reboot, does not effect static IPs - name: Configure sysctl with IPv6 privacy extensions template: src: templates/local.conf.j2 dest: /etc/sysctl.d/local.conf owner: root group: root mode: '0644' - name: Configure smartd copy: src: files/smartd.conf dest: /etc/smartd.conf owner: root group: root mode: '0644' notify: Restart and enable smartd - name: Install tor config copy: src: files/torrc dest: /etc/tor/torrc owner: root group: root mode: '0644' notify: Restart and enable tor - debug: msg: Manually get tor hostname # Common dynamic settings - hosts: cloudlab,daily,homelab become: yes handlers: - import_tasks: handlers.yml tasks: - name: Copy Dynamic DNS script template: src: templates/gandi-ddns.sh.j2 dest: /usr/local/bin/gandi-ddns.sh owner: root group: root mode: '0755' when: gandi_api_key is defined and gandi_api_key != '' - name: Add Dynamic DNS cronjob cron: name: "Update dynamic dns" job: /usr/local/bin/gandi-ddns.sh special_time: daily user: root when: gandi_api_key is defined # Docker - hosts: homelab,irc become: yes tasks: - name: Add Docker GPG key apt_key: url: https://download.docker.com/linux/debian/gpg - name: Add Docker APT repository apt_repository: repo: deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable - name: Install Docker CE apt: name: - docker-ce - docker-ce-cli - containerd.io force_apt_get: yes update_cache: yes - name: Add admin to docker group user: name: "{{ admin }}" groups: docker append: yes # Proxy config - hosts: cloudlab become: yes handlers: - import_tasks: handlers.yml tasks: ## Changes will take effect during next reboot - name: Configure sysctl to reject RA acceptance template: src: templates/disablera.conf.j2 dest: /etc/sysctl.d/disablera.conf owner: root group: root mode: '0644' - name: Add HAProxy GPG key apt_key: url: https://haproxy.debian.net/bernat.debian.org.gpg - name: Add HAProxy APT repository apt_repository: repo: deb http://haproxy.debian.net buster-backports-2.2 main - name: Install HAProxy apt: name: haproxy state: present force_apt_get: yes update_cache: yes - name: Install HAProxy proxy config copy: src: "files/{{ inventory_hostname.split('@')[1] }}/haproxy.cfg" dest: /etc/haproxy/haproxy.cfg owner: root group: root mode: '0644' notify: Restart haproxy - name: Sync data cronjob - Friday cron: name: 'Sync data' minute: '0' hour: '0' day: '*' month: '*' weekday: '5' user: pew job: "/home/pew/scripts-private/{{ inventory_hostname.split('@')[1] }}/sync.sh" # Compute config - hosts: homelab become: yes handlers: - import_tasks: handlers.yml tasks: - name: Install samba, zfs stuff apt: name: - samba - zfs-auto-snapshot - zfs-zed force_apt_get: yes update_cache: yes - name: Configure zfs-zed copy: src: files/zed.rc dest: /etc/zfs/zed.d/zed.rc owner: root group: root mode: '0644' notify: Restart zfs-zed - name: Install weekly bigdata scrub cron job cron: name: 'Weekly zfs pool status check' special_time: weekly job: '/usr/sbin/zpool status | mail -s "ZFS STATUS" paulsw.pw+alerts@gmail.com' user: root - name: Mount vtluug /media via sshfs mount: src: pew-media@dirtycow.vtluug.org:/nfs/cistern/share/media path: /media-vtluug fstype: fuse.sshfs opts: reconnect,allow_other,ro,_netdev,IdentityFile=/home/paul/.ssh/id_rsa_fast state: mounted # /home/paul/.ssh/id_rsa_fast must exist - name: Install sshtunnel systemd service copy: src: "files/{{ inventory_hostname }}/sshtunnel.service" dest: /etc/systemd/system/sshtunnel.service owner: root group: root mode: '0644' notify: Load, start, and enable sshtunnel service - name: Install rclone apt: deb: https://downloads.rclone.org/rclone-current-linux-amd64.deb force_apt_get: yes - debug: msg: Manually configure rclone remote drive - name: Backup data cronjob - Monday cron: name: 'Backup data' minute: '0' hour: '0' day: '*' month: '*' weekday: '1' user: paul job: "/home/paul/scripts-private/{{ inventory_hostname }}/backup.sh" - name: Configure samba copy: src: files/smb.conf dest: /etc/samba/smb.conf owner: root group: root mode: '0644' notify: Restart smbd - debug: msg: Manually set samba password # IRC config - hosts: irc become: yes handlers: - import_tasks: handlers.yml tasks: - name: Install weechat systemd service copy: src: files/weechat.service dest: /etc/systemd/system/weechat.service owner: root group: root mode: '0644' notify: Enable weechat service