# All hosts are debian 10 --- # Common - hosts: compute,nfs,router become: yes handlers: - import_tasks: handlers.yml tasks: # Core - name: Install common packages apt: name: - apt-listchanges - chrony - curl - git - htop - iperf3 - mosh - nmap - tmux - unattended-upgrades - vim force_apt_get: yes update_cache: yes # TODO Change defaults - name: Configure unattended-upgrades copy: src: files/50unattended-upgrades dest: /etc/apt/apt.conf.d/50unattended-upgrades owner: root group: root mode: '0644' - name: Enable unattended-upgrades copy: src: files/20auto-upgrades dest: /etc/apt/apt.conf.d/20auto-upgrades owner: root group: root mode: '0644' - name: Disable power and reset buttons copy: src: files/logind.conf dest: /etc/systemd/logind.conf owner: root group: root mode: '0644' notify: Restart systemd-logind service - name: Set chrony ntp servers copy: src: files/chrony.conf dest: /etc/chrony/chrony.conf owner: root group: root mode: '0644' notify: Restart chrony service # Core networking - name: Configure sshd_config to listen on 2222/22 and disable password auth copy: src: files/sshd_config dest: /etc/ssh/sshd_config owner: root group: root mode: '0644' notify: Restart sshd service ## Changes will take effect during next reboot ## (determined by unattended-upgrades) - name: Configure sysctl with IPv6 privacy extensions template: src: templates/local.conf.j2 dest: /etc/sysctl.d/local.conf owner: root group: root mode: '0644' ### Router ##- hosts: router ## become: yes ## tasks: ## - name: Install frrouting and related router packages ## - name: Configure bgp, etc??? # Media networking (Wireguard VPN, NFS) - hosts: compute,nfs become: yes handlers: - import_tasks: handlers.yml tasks: - name: Add unstable repository shell: | echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable args: creates: /etc/apt/sources.list.d/unstable.list - name: Install media networking packages apt: name: - nfs-common - wireguard force_apt_get: yes update_cache: yes # Manually do wireguard config https://wiki.debian.org/Wireguard # NFS core config # ASSUMES /bigdata IS CONFIGURED (make sure dir is 755) - hosts: nfs become: yes handlers: - import_tasks: handlers.yml tasks: - name: Install NFS server package apt: name: nfs-kernel-server force_apt_get: yes update_cache: yes - name: Export /bigdata copy: src: files/exports dest: /etc/exports owner: root group: root mode: '0644' notify: Re-export exportfs # Compute core config - hosts: compute become: yes tasks: - name: Install Docker + compute packages apt: name: - apt-transport-https - ca-certificates - curl - gnupg2 - software-properties-common - sshfs force_apt_get: yes update_cache: yes - name: Mount bigdummy /bigdata via NFS mount: src: 10.200.0.202:/bigdata path: /bigdata fstype: nfs opts: soft,nodev,nosuid state: mounted - name: Create /media-vtluug directory file: path: /media-vtluug state: directory mode: '0755' # Might require running manually mounting - name: Mount vtluug /media via sshfs mount: src: pew-media@dirtycow.vtluug.org:/nfs/cistern/share/media path: /media-vtluug fstype: fuse.sshfs opts: allow_other,ro,_netdev,IdentityFile=/home/paul/.ssh/id_rsa state: mounted - name: Add Docker GPG key apt_key: url: https://download.docker.com/linux/debian/gpg - name: Add Docker APT repository apt_repository: repo: deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable - name: Install Docker CE apt: name: - docker-ce - docker-ce-cli - containerd.io force_apt_get: yes update_cache: yes - name: Add paul to docker group user: name: paul groups: docker append: yes # Clone docker-manifests repo to start services