Remove LXC stuff; Add new setup.yml and inventory.yml

This commit is contained in:
Jeffrey Serio 2024-06-18 23:28:08 -05:00
parent 486608c005
commit c9f6a41d60
15 changed files with 179 additions and 644 deletions


@ -1,85 +0,0 @@
# ansible-homelab
I use(d) these roles to automate the setup of my LXC homelab. They are highly tailored to my use-case and would require substantial review and editing for anyone else to use them.
## Example
``` bash
lxc init images:debian/12/cloud debian-archive --storage lxd-pool
```
Configure the instance for cloud-init:
``` bash
lxc config set debian-archive cloud-init.user-data - <<- EOF
#cloud-config
users:
- name: debian
ssh_authorized_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIOmibToJQ8JZpSFLH3482oxvpD56QAfu4ndoofbew5t jas@si.local
sudo: 'ALL=(ALL) NOPASSWD: ALL'
shell: /bin/bash
lock_passwd: true
apt:
sources_list: |
deb http://deb.debian.org/debian $RELEASE main
deb http://deb.debian.org/debian $RELEASE-updates main
deb http://deb.debian.org/debian-security/ $RELEASE-security main
deb http://deb.debian.org/debian $RELEASE-backports
package_update: true
package_upgrade: true
packages:
- curl
- debian-keyring
- debsig-verify
- git
- nodejs
- npm
- notmuch
- offlineimap3
- pass
- python3-dev
- python3-pip
- ripgrep
- ssh
- wget
- xauth
- youtube-dl
rsyslog:
configs:
- content: "*.* @10.0.0.41:514"
filename: 99-forward.conf
remotes:
moonshadow: 10.0.0.41
timezone: America/Chicago
EOF
```
Start the instance, then check the cloud-init status:
``` bash
lxc start debian-archive
lxc exec debian-archive -- cloud-init status --wait
```
SSH into the new instance to accept the host key:
``` bash
ssh debian@10.227.115.42
```
Once that's done, you should be able to SSH directly to the debian user, and Ansible will be ready to run.
Add the instance's IP address to hosts.ini:
``` yaml
[homelab]
10.227.115.42
```
Run the setup.yml playbook for all roles, or choose specific roles with --tags:
``` bash
ansible-playbook -i hosts.ini setup.yml -u debian -b
ansible-playbook -i hosts.ini setup.yml --tags debian-archive -u debian -b
```


@ -1,40 +0,0 @@
#cloud-config
users:
- name: debian
ssh_authorized_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIOmibToJQ8JZpSFLH3482oxvpD56QAfu4ndoofbew5t jas@si.local
sudo: 'ALL=(ALL) NOPASSWD: ALL'
shell: /bin/bash
lock_passwd: true
apt:
sources_list: |
deb http://deb.debian.org/debian $RELEASE main
deb http://deb.debian.org/debian $RELEASE-updates main
deb http://deb.debian.org/debian-security/ $RELEASE-security main
deb http://deb.debian.org/debian $RELEASE-backports
package_update: true
package_upgrade: true
packages:
- curl
- debian-keyring
- debsig-verify
- git
- nodejs
- npm
- notmuch
- offlineimap3
- pass
- python3-dev
- python3-pip
- ripgrep
- ssh
- wget
- xauth
- youtube-dl
rsyslog:
configs:
- content: "*.* @10.0.0.27:514"
filename: 99-forward.conf
remotes:
logs: 10.0.0.27
timezone: America/Chicago


@ -1,41 +0,0 @@
#cloud-config
apt:
sources_list: |
deb http://deb.debian.org/debian $RELEASE main
deb http://deb.debian.org/debian $RELEASE-updates main
deb http://deb.debian.org/debian-security/ $RELEASE-security main
deb http://deb.debian.org/debian $RELEASE-backports main
package_update: true
package_upgrade: true
packages:
- acl
- apt-transport-https
- apt-utils
- build-essential
- certbot
- curl
- debian-keyring
- debian-archive-keyring
- git
- golang
- man-db
- manpages
- ssh
- python3-dev
- python3-pip
- rsync
- wget
users:
- name: debian
ssh_authorized_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIOmibToJQ8JZpSFLH3482oxvpD56QAfu4ndoofbew5t jas@si.local
sudo: 'ALL=(ALL) NOPASSWD: ALL'
shell: /bin/bash
lock_passwd: true
rsyslog:
configs:
- content: "*.* @10.0.0.27:514"
filename: 99-forward.conf
remotes:
logs: 10.0.0.27
timezone: America/Chicago


@ -1,54 +0,0 @@
#cloud-config
yum_repos:
tailscale-stable:
name: Tailscale stable
baseurl: https://pkgs.tailscale.com/stable/fedora/x86_64
enabled: true
type: rpm
repo_gpgcheck: true
gpgcheck: false
gpgkey: https://pkgs.tailscale.com/stable/fedora/repo.gpg
caddy:
name: Copr repo for caddy owned by @caddy
baseurl: https://download.copr.fedorainfracloud.org/results/@caddy/caddy/fedora-38-x86_64/
type: rpm-md
skip_if_unavailable: true
gpgcheck: true
gpgkey: https://download.copr.fedorainfracloud.org/results/@caddy/caddy/pubkey.gpg
repo_gpgcheck: 0
enabled: true
enabled_metadata: 1
package_update: true
package_upgrade: true
packages:
- '@c-development'
- '@development-tools'
- curl
- dnf-automatic
- git
- golang
- python3-devel
- python3-pip
- rsync
- openssh
- wget
- caddy
- vim
- tailscale
users:
- name: fedora
ssh_authorized_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIOmibToJQ8JZpSFLH3482oxvpD56QAfu4ndoofbew5t jas@nexus.local
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMPnZBvorp/NDi5MNmrBqeSTnY3sNiZVNPF91dORH94Y jas@evergloam
sudo: 'ALL=(ALL) NOPASSWD: ALL'
shell: /bin/bash
lock_passwd: true
rsyslog:
configs:
- content: "*.* @10.0.0.27:514"
filename: 99-forward.conf
remotes:
logs: 10.0.0.27
timezone: America/Chicago
runcmd:
- printf "fastestmirror=True\ndeltarpm=True\nmax_parallel_downloads=10\n" | tee -a /etc/dnf/dnf.conf


@ -1,63 +0,0 @@
#cloud-config
yum_repos:
tailscale-stable:
name: Tailscale stable
baseurl: https://pkgs.tailscale.com/stable/fedora/x86_64
enabled: true
type: rpm
repo_gpgcheck: true
gpgcheck: false
gpgkey: https://pkgs.tailscale.com/stable/fedora/repo.gpg
charm:
name: Charm
baseurl: https://repo.charm.sh/yum/
enabled: true
gpgcheck: true
gpgkey: https://repo.charm.sh/yum/gpg.key
caddy:
name: Copr repo for caddy owned by @caddy
baseurl: https://download.copr.fedorainfracloud.org/results/@caddy/caddy/fedora-38-x86_64/
type: rpm-md
skip_if_unavailable: true
gpgcheck: true
gpgkey: https://download.copr.fedorainfracloud.org/results/@caddy/caddy/pubkey.gpg
repo_gpgcheck: 0
enabled: true
enabled_metadata: 1
package_update: true
package_upgrade: true
packages:
- '@c-development'
- '@development-tools'
- certbot
- curl
- dnf-automatic
- git
- golang
- python3-devel
- python3-pip
- rsync
- openssh
- wget
- caddy
- soft-serve
- vim
- tailscale
users:
- name: fedora
ssh_authorized_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIOmibToJQ8JZpSFLH3482oxvpD56QAfu4ndoofbew5t jas@nexus.local
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIItZX/e12RMbdTov8HYLTLTiY0U08X8z73LXdlRMNkTZ jas@moonshadow
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMPnZBvorp/NDi5MNmrBqeSTnY3sNiZVNPF91dORH94Y jas@evergloam
sudo: 'ALL=(ALL) NOPASSWD: ALL'
shell: /bin/bash
lock_passwd: true
rsyslog:
configs:
- content: "*.* @10.0.0.27:514"
filename: 99-forward.conf
remotes:
logs: 10.0.0.27
timezone: America/Chicago
runcmd:
- printf "fastestmirror=True\ndeltarpm=True\nmax_parallel_downloads=10\n" | tee -a /etc/dnf/dnf.conf


@ -1,5 +0,0 @@
[homelab]
debian-archive
debian-serv
fedora-transmission
ubuntu-mastodon

15
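--- a/inventory.yml
+++ b/inventory.yml
@@ -0,0 +1,15 @@
+---
+homelab:
+  hosts:
+    pi0:
+      ansible_user: dietpi
+      ansible_host: 10.0.0.10
+      ansible_python_interpreter: /usr/bin/python3
+    pi1:
+      ansible_user: dietpi
+      ansible_host: 10.0.0.11
+      ansible_python_interpreter: /usr/bin/python3
+    pi2:
+      ansible_user: dietpi
+      ansible_host: 10.0.0.12
+      ansible_python_interpreter: /usr/bin/python3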
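Review bot: `ansible_user: dietpi` and `ansible_python_interpreter: /usr/bin/python3` are repeated verbatim under pi0, pi1 and pi2; since all three entries carry identical values, hoisting them into a group-level `vars:` block leaves only the per-host `ansible_host` in each entry and turns a later change of login user or interpreter into a one-line edit. The dotted addresses are plain strings to the YAML parser, so they need no quoting. Hosts that later diverge can still override either variable in their own entry, because host vars take precedence over group vars.
```yaml
homelab:
  vars:
    ansible_user: dietpi
    ansible_python_interpreter: /usr/bin/python3
  hosts:
    pi0:
      ansible_host: 10.0.0.10
    pi1:
      ansible_host: 10.0.0.11
    pi2:
      ansible_host: 10.0.0.12
```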


@ -1,25 +0,0 @@
[general]
accounts = protonmail
metadata = /home/debian/.offlineimap-metadata
[Account protonmail]
localrepository = protonmail-local
remoterepository = protonmail-remote
autorefresh = 1
postsynchook = notmuch new
[Repository protonmail-local]
type = Maildir
localfolders = /home/debian/mail
sync_deletes = no
[Repository protonmail-remote]
type = IMAP
remoteuser = hyperreal64@pm.me
remotepass =
remotehost = 127.0.0.1
remoteport = 1143
ssl = no
starttls = no
expunge = yes
readonly = True


@ -1,37 +0,0 @@
#!/usr/bin/env bash
#
# This script must be run as the same user running offlineimap, which is
# preferably a non-privileged user.
#
# This script should be daemonized (forked to bg) or used as the value of
# the ExecStart= directive in a systemd service file.
set -exo pipefail
# If "init" is supplied as arg $1, initialize the bridge.
if [[ "$1" == "init" ]]; then
# Initialize pass
gpg --generate-key --batch <<EOF
%no-protection
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: 2048
Name-Real: pass-key
Expire-Date: 0
%commit
%echo done
EOF
pass init pass-key
# Kill other instance of protonmail-bridge as only one can be running at a
# time.
pkill protonmail-bridge || true
# Login
protonmail-bridge --cli "$@"
else
# Start protonmail-bridge in a fake tty, so it does not quit because of EOF.
rm -f /tmp/faketty
mkfifo /tmp/faketty
cat /tmp/faketty | protonmail-bridge --cli "$@"
fi


@ -1,161 +0,0 @@
---
# tasks file for debian-mail
- name: Install vimrc
ansible.builtin.import_role:
name: vimrc
vars:
user: "debian"
- name: Fetch bridge_pubkey.gpg
ansible.builtin.get_url:
url: https://proton.me/download/bridge/bridge_pubkey.gpg
dest: /tmp/bridge_pubkey.gpg
- name: Sign bridge_pubkey.gpg
ansible.builtin.shell:
cmd: rm -f debsig.gpg && gpg --dearmor --output debsig.gpg bridge_pubkey.gpg
chdir: /tmp
- name: Create keyring directory
ansible.builtin.file:
path: /usr/share/debsig/keyrings/E2C75D68E6234B07
state: directory
recurse: true
- name: Move debsig.gpg to keyring directory
ansible.builtin.copy:
src: /tmp/debsig.gpg
dest: /usr/share/debsig/keyrings/E2C75D68E6234B07
remote_src: true
- name: Create policy directory
ansible.builtin.file:
path: /etc/debsig/policies/E2C75D68E6234B07
state: directory
recurse: true
- name: Fetch and install the policy file
ansible.builtin.get_url:
url: https://proton.me/download/bridge/bridge.pol
dest: /etc/debsig/policies/E2C75D68E6234B07//bridge.pol
- name: Fetch protonmail-bridge DEB package
ansible.builtin.get_url:
url: https://proton.me/download/bridge/protonmail-bridge_3.2.0-1_amd64.deb
dest: /tmp/protonmail-bridge_3.2.0-1_amd64.deb
- name: Verify the signature on the protonmail-bridge package file
ansible.builtin.shell:
cmd: debsig-verify protonmail-bridge_3.2.0-1_amd64.deb
chdir: /tmp
register: debsig_output
failed_when: '"Verified package" not in debsig_output.stdout or debsig_output.rc != 0'
- name: Install protonmail-bridge_3.2.0-1_amd64.deb
ansible.builtin.apt:
deb: /tmp/protonmail-bridge_3.2.0-1_amd64.deb
- name: Copy systemd unit files for offlineimap
ansible.builtin.copy:
src: /usr/share/doc/offlineimap3/examples/systemd/offlineimap-oneshot.service
dest: /etc/systemd/system/offlineimap-oneshot.service
remote_src: true
- name: Change running user and group to debian for offlineimap-oneshot.service
ansible.builtin.blockinfile:
path: /etc/systemd/system/offlineimap-oneshot.service
insertafter: "Type=oneshot"
block: |
User=debian
Group=debian
- name: Create offlineimap-oneshot.timer
ansible.builtin.blockinfile:
path: /etc/systemd/system/offlineimap-oneshot.timer
create: true
block: |
[Unit]
Description=Offlineimap Query Timer
[Timer]
OnCalendar=daily
[Install]
WantedBy=default.target
- name: Create pm-bridge-tty.service
ansible.builtin.blockinfile:
path: /etc/systemd/system/pm-bridge-tty.service
create: true
block: |
[Unit]
Description=faketty service for protonmail-bridge
[Service]
Type=simple
User=debian
Group=debian
ExecStart=/usr/local/bin/pm-bridge-tty
[Install]
WantedBy=multi-user.target
- name: Copy offlineimaprc for debian
ansible.builtin.copy:
src: files/offlineimaprc
dest: /home/debian/.offlineimaprc
owner: debian
group: debian
- name: Copy protonmail-bridge faketty script
ansible.builtin.copy:
src: files/pm-bridge-tty
dest: /usr/local/bin/pm-bridge-tty
owner: root
group: root
mode: u=rwx,g=rx,o=rx
- name: Enable offlineimap systemd timer
ansible.builtin.systemd:
name: offlineimap-oneshot.timer
enabled: true
- name: Create archivebox.service
ansible.builtin.blockinfile:
path: /etc/systemd/system/archivebox.service
create: true
block: |
[Unit]
Description=Archivebox server
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=simple
User=debian
Group=debian
ExecStart=/usr/local/bin/archivebox server 0.0.0.0:8000
WorkingDirectory=/home/debian/data
[Install]
WantedBy=multi-user.target
- name: Install Archivebox
ansible.builtin.shell:
cmd: sudo pip install archivebox --break-system-packages
- name: Message to Ansible user
ansible.builtin.debug:
msg:
- "Run 'pm-bridge-tty init' to initialize the bridge."
- "Login to Proton Mail with your user credentials."
- "Wait for the sync to finish."
- "Copy SMTP password and add it to /home/debian/.offlineimaprc"
- "Run 'notmuch setup'"
- "sudo systemctl enable --now pm-bridge-tty.service"
- "sudo systemctl start offlineimap-oneshot.service"
- "sudo systemctl enable offlineimap-oneshot.timer"
- "mkdir /home/debian/data"
- "cd /home/debian/data"
- "archivebox init"


@ -1,7 +0,0 @@
---
# defaults file for debian-serv
caddy_pubkey_url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
caddy_sources_url: https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt
tailscale_pubkey_url: https://pkgs.tailscale.com/stable/debian/bookworm.noarmor.gpg
tailscale_sources_url: https://pkgs.tailscale.com/stable/debian/bookworm.tailscale-keyring.list


@ -1,80 +0,0 @@
---
# tasks file for debian-serv
- name: Install vimrc
ansible.builtin.import_role:
name: vimrc
vars:
user: "debian"
- name: Fetch Caddy pubkey
ansible.builtin.get_url:
url: "{{ caddy_pubkey_url }}"
dest: /tmp/gpg.key
- name: Sign Caddy pubkey
ansible.builtin.shell:
cmd: gpg --dearmor -o caddy-stable-archive-keyring.gpg gpg.key && rm -f gpg.key
chdir: /tmp
- name: Copy signed key to /usr/share/keyrings/caddy-stable-archive-keyring.gpg
ansible.builtin.copy:
src: /tmp/caddy-stable-archive-keyring.gpg
dest: /usr/share/keyrings/caddy-stable-archive-keyring.gpg
remote_src: true
- name: Fetch Caddy sources.list
ansible.builtin.get_url:
url: "{{ caddy_sources_url }}"
dest: /etc/apt/sources.list.d/caddy-stable.list
- name: Fetch Tailscale pubkey
ansible.builtin.get_url:
url: "{{ tailscale_pubkey_url }}"
dest: /usr/share/keyrings/tailscale-archive-keyring.gpg
- name: Fetch Tailscale sources.list
ansible.builtin.get_url:
url: "{{ tailscale_sources_url }}"
dest: /etc/apt/sources.list.d/tailscale.list
- name: Install Caddy and Tailscale
ansible.builtin.apt:
pkg:
- caddy
- tailscale
update_cache: true
- name: Fetch molly-brown repo
ansible.builtin.git:
repo: https://tildegit.org/solderpunk/molly-brown.git
dest: /tmp/molly-brown
- name: Build molly-brown binary with Go
ansible.builtin.shell:
cmd: go build
chdir: /tmp/molly-brown
- name: Copy molly-brown binary to /usr/local/bin
ansible.builtin.copy:
src: /tmp/molly-brown/molly-brown
dest: /usr/local/bin/molly-brown
remote_src: true
- name: Copy molly-brown.service for systemd
ansible.builtin.copy:
src: /tmp/molly-brown/contrib/init/molly-brown.service.example
dest: /etc/systemd/system/molly-brown.service
remote_src: true
- name: Set User directive in molly-brown.service
ansible.builtin.lineinfile:
path: /etc/systemd/system/molly-brown.service
search_string: "User=molly"
line: "User={{ ansible_user }}"
- name: Set Group directive in molly-brown.service
ansible.builtin.lineinfile:
path: /etc/systemd/system/molly-brown.service
insertafter: '^User'
line: "Group={{ ansible_user }}"


@ -1,17 +0,0 @@
---
# tasks file for update
- name: Update packages on all Debian/Ubuntu systems
ansible.builtin.apt:
upgrade: dist
update_cache: true
cache_valid_time: 3600
when:
- ansible_facts["os_family"] == "Debian"
- name: Update packages on Fedora systems
ansible.builtin.dnf:
name: "*"
state: latest
when:
- ansible_facts["distribution"] == "Fedora"


@ -1,23 +0,0 @@
---
# tasks file for vimrc
- name: Clone vimrc gist
ansible.builtin.git:
repo: https://gist.github.com/90c3b2fcc9d70cf06e9f3660e0d15a48.git
dest: /tmp/vimrc
- name: Copy vimrc to /root/.vimrc
ansible.builtin.copy:
src: /tmp/vimrc/.vimrc
dest: /root/.vimrc
remote_src: true
owner: root
group: root
- name: Copy vimrc to /home/{{ user }}/.vimrc
ansible.builtin.copy:
src: /tmp/vimrc/.vimrc
dest: "/home/{{ user }}/.vimrc"
remote_src: true
owner: "{{ user }}"
group: "{{ user }}"

170
setup.yml

@ -1,7 +1,165 @@
- name: Setup homelab LXC containers
---
- name: Setup homelab basics for DietPi systems
hosts: homelab
roles:
# Tag each role so that we can select individual roles to run with ansible-playbook --tags
- {role: update, tags: ['update']}
- {role: debian-archive, tags: ['debian-archive']}
- {role: debian-serv, tags: ['debian-serv']}
become: true
tasks:
- name: Update apt cache
ansible.builtin.apt:
cache_valid_time: 1200
- name: Update cache and all packages
register: updatesys
ansible.builtin.apt:
upgrade: dist
update_cache: true
- name: Display the last line of the previous task to check the stats
ansible.builtin.debug:
msg: "{{updatesys.stdout_lines|last}}"
- name: Install basic packages
ansible.builtin.apt:
update_cache: true
name:
- apt-file
- apt-listchanges
- apt-utils
- atop
- autoconf
- automake
- build-essential
- byobu
- clamav
- clamav-daemon
- clamav-freshclam
- cmake
- curl
- firewalld
- git
- glances
- htop
- httpie
- ifplugd
- iotop
- less
- libpam-systemd
- lynis
- man-db
- manpages
- nfs-common
- nmon
- pipx
- python3-dev
- python3-pip
- rkhunter
- rsync
- unattended-upgrades
- vim
- wget
- zsh
state: present
- name: Unmask systemd-logind
ansible.builtin.systemd_service:
name: systemd-logind
enabled: true
masked: no
- name: Configure ifplugd for eth0 interface
ansible.builtin.lineinfile:
path: /etc/default/ifplugd
search_string: "INTERFACES="
line: 'INTERFACES="eth0"'
owner: root
group: root
mode: "0644"
- name: Ensure ifplugd service is enabled
ansible.builtin.systemd_service:
name: ifplugd
enabled: true
- name: Ensure systemd-networkd is enabled
ansible.builtin.systemd_service:
name: systemd-networkd
enabled: true
- name: Ensure clamav-daemon is enabled
ansible.builtin.systemd_service:
name: clamav-daemon
enabled: true
- name: Ensure clamav-freshclam is enabled
ansible.builtin.systemd_service:
name: clamav-freshclam
enabled: true
- name: Ensure man-db.timer is enabled
ansible.builtin.systemd_service:
name: man-db.timer
enabled: true
- name: Configure systemd-networkd for eth0 interface
ansible.builtin.blockinfile:
path: /etc/systemd/network/eth0.network
create: true
block: |
[Match]
Name=eth0
[Network]
DHCP=yes
owner: root
group: root
mode: "0644"
- name: Configure unattended-upgrades mail user
ansible.builtin.lineinfile:
path: /etc/apt/apt.conf.d/50unattended-upgrades
search_string: "//Unattended-Upgrade::Mail"
line: 'Unattended-Upgrade::Mail "dietpi";'
owner: root
group: root
mode: "0644"
- name: Configure unattended-upgrades automatic reboot
ansible.builtin.lineinfile:
path: /etc/apt/apt.conf.d/50unattended-upgrades
search_string: "//Unattended-Upgrade::Automatic-Reboot"
line: 'Unattended-Upgrade::Automatic-Reboot "true";'
owner: root
group: root
mode: "0644"
- name: Disable apt downloading translations
ansible.builtin.lineinfile:
path: /etc/apt/apt.conf.d/99translations
create: true
line: 'Acquire::Languages "none";'
owner: root
group: root
mode: "0644"
- name: Set the shell to zsh for dietpi user
ansible.builtin.user:
name: dietpi
shell: /usr/bin/zsh
- name: Check if reboot is required
ansible.builtin.stat:
path: /var/run/reboot-required
register: reboot_required
- name: Set is_reboot_required fact
ansible.builtin.set_fact:
is_reboot_required: "{{ True if reboot_required.stat.exists else False }}"
- name: Reboot is needed
ansible.builtin.reboot:
reboot_timeout: 120
when: is_reboot_required | bool
- name: Post-reboot confirmation
ansible.builtin.debug:
msg: "{{ ansible_host }} is now back up and running"
when: is_reboot_required | bool
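Review bot: `search_string: "//Unattended-Upgrade::Mail"` in the "Configure unattended-upgrades mail user" task is a substring match and lineinfile replaces the last matching line, so if the stock 50unattended-upgrades also carries a `//Unattended-Upgrade::MailReport` line (as the Debian default does, to my knowledge), the first run replaces that line instead of the `Mail` one, and the still-commented `//Unattended-Upgrade::Mail` line matches again on the next run and yields a second `Unattended-Upgrade::Mail "dietpi";` directive. The "Configure unattended-upgrades automatic reboot" task has the same shape, where `Automatic-Reboot-WithUsers` and `Automatic-Reboot-Time` lines would be matched first. Anchoring on a regexp that stops at the space after the directive name and also matches the already-uncommented form keeps both tasks idempotent: `regexp: '^(//)?Unattended-Upgrade::Mail '` and `regexp: '^(//)?Unattended-Upgrade::Automatic-Reboot '`. As a point of style, `masked: no` on the systemd-logind task reads more clearly as `masked: false`, and the `is_reboot_required` fact could be dropped in favour of `when: reboot_required.stat.exists` on the two tasks that use it.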