diff --git a/README.md b/README.md
index 22091cd..01af570 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,7 @@
 ## installation steps
+- Install required packages:
+ - sshpass
 - Copy `inventory.example.yml` to `inventory.yml`, modifying fields as adequate.
 - Look at `group_vars/all/vars.yml`, and set needed settings in `host_vars//vars.yml`.
 - Look at the following roles, and for each of them override their `defaults/vars.yml` in host or group vars:
@@ -24,3 +26,12 @@ ansible-vault encrypt roles/filesystems/files/host1.secret
 # repeat the above for every host with encrypted external storage
 ```
+
+- Start avahi-daemon (install `avahi` if not installed):
+ ```
+ systemctl start avahi-daemon
+ ```
+- Run the playbook:
+ ```
+ ansible-playbook run.yml --ask-vault-pass
+ ```
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 61a405c..5de4bd6 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -30,3 +30,8 @@ domain: null
 # clone dotfiles and stuff
 enable_dotfiles: yes
+
+escalation_method: doas
+
+# set up static IP
+enable_connection: yes
diff --git a/inventory.example.yml b/inventory.example.yml
index 129c395..661ffb5 100644
--- a/inventory.example.yml
+++ b/inventory.example.yml
@@ -2,6 +2,7 @@
 # fallback_host is only used during setup before the static IP (local_ip) is configured.
+# Set fallback_host using `nmap 192.168.0.0/24 -p 22` to find the dynamic IP of your Pi
 # local_ip is used after first setup.
 # Make sure to make entries in your .ssh/config for each hostname
@@ -17,13 +18,13 @@ all:
 hosts:
 your_bastion_host:
- fallback_host: alarm1.local
+ fallback_host: 192.168.0.123
 local_ip: 192.168.0.3
 ansible_port: 2500
 ansible_connection: ssh
 ansible_ssh_private_key_file: ~/.ssh/keys/your_bastion_host
 your_fleet_host:
- fallback_host: alarm2.local
+ fallback_host: 192.168.0.124
 local_ip: 192.168.0.86
 ansible_port: 2500
 ansible_connection: ssh
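Review bot: `enable_connection: yes` uses the YAML 1.1 boolean spelling; Ansible accepts it, but `true`/`false` is the canonical form and ansible-lint's truthy rule flags `yes`, so `enable_connection: true` is preferable (the pre-existing `enable_dotfiles: yes` has the same issue). The comment `# set up static IP` does not say which role reads the flag, and `escalation_method: doas` has no comment at all; if it feeds `become_method`, a one-line comment saying so would keep that mapping discoverable. The file continues outside the hunk, so the consumer may be documented elsewhere.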
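Review bot: The example `fallback_host` values are replaced by fixed addresses (`192.168.0.123`, `192.168.0.124`) while the README hunk in this same commit adds a step to start `avahi-daemon`, which is what resolved the previous `alarmN.local` names; if nothing else in the repository depends on mDNS the two changes contradict each other, and if something does, the comment should say that a `.local` name is still acceptable here. The added comment tells the user to look up the Pi's DHCP address on the LAN; a sentence next to it noting that `fallback_host` is only used until `local_ip` is configured and that the SSH host key should be checked on that first connection would round out the guidance. The `all:` mapping these hosts belong to starts before the hunk.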
diff --git a/roles/filesystems/tasks/main.yml b/roles/filesystems/tasks/main.yml
index d542ae3..48b0941 100644
--- a/roles/filesystems/tasks/main.yml
+++ b/roles/filesystems/tasks/main.yml
@@ -1,6 +1,6 @@
 - name: Deploy keyfile
 copy:
- src: "{{ inventory_hostname }}".secret
+ src: "{{ inventory_hostname }}.secret"
 dest: /k5e
 mode: 0600
diff --git a/roles/firewall/defaults/main.yml b/roles/firewall/defaults/main.yml
index 8880cc3..f2938ff 100644
--- a/roles/firewall/defaults/main.yml
+++ b/roles/firewall/defaults/main.yml
@@ -7,4 +7,4 @@ local_subnet: 192.168.0.0/24
 sshd_port: 2500
-bastion_ip: "{{ host_vars[groups['bastion'][0]]['local_ip'] }}"
+bastion_ip: "{{ hostvars[groups['bastion'][0]]['local_ip'] }}"
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
index 6595509..aa056ee 100644
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -10,12 +10,12 @@
 - name: Set default sources (bastion server)
 set_fact:
 default_firewall_src: any
- when: "bastion" in group_names
+ when: '"bastion" in group_names'
 - name: Set default sources (fleet server)
 set_fact:
 default_firewall_src: "{{ bastion_ip }}"
- when: "fleet" in group_names
+ when: '"fleet" in group_names'
 - name: Allow service ports
 community.general.ufw:
@@ -24,7 +24,7 @@
 proto: "{{ item.proto | default('tcp') }}"
 state: "{{ 'enabled' if item.name in group_names else 'disabled' }}"
 src: "{{ item.src | default(default_firewall_src) }}"
- with_item:
+ with_items:
 # matrix ports
 - name: "synapse"
 port: 8448
diff --git a/roles/haproxy/templates/haproxy.j2 b/roles/haproxy/templates/haproxy.j2
index 8924a65..eb77d7c 100644
--- a/roles/haproxy/templates/haproxy.j2
+++ b/roles/haproxy/templates/haproxy.j2
@@ -16,7 +16,7 @@ listen gitea_ssh
 tcp-check expect rstring SSH-2.0-OpenSSH.*
 {% for host in groups["gitea"] %}
- server {{ host }} {{ host_vars[host]["local_ip"] }}:2499
+ server {{ host }} {{ hostvars[host]["local_ip"] }}:2499
 {% endfor %}
 {% endif %}
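Review bot: `mode: 0600` on the context line below the corrected `src` is a plain octal scalar; YAML 1.1 loaders read it as the integer 384, which Ansible converts back, but ansible-lint's risky-octal rule recommends the quoted form `mode: "0600"` so the value is unambiguous to every tool that reads the file. The task also sets no `owner`/`group`, so the keyfile at `/k5e` ends up owned by whichever account the play runs as — fine if that is root, otherwise worth pinning explicitly. The task body may continue past the hunk.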
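Review bot: `groups['bastion'][0]` selects only the first bastion host, so the fleet default source derived from `bastion_ip` (the `default_firewall_src` fact in roles/firewall/tasks/main.yml) admits one bastion even when the group lists several, and the expression raises an undefined-variable error if the `bastion` group is empty or that host has no `local_ip`. If a single bastion is the intended topology, a comment stating the assumption, e.g. `# assumes exactly one host in the bastion group`, makes it explicit for the next reader.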
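Review bot: `default_firewall_src` is set only by the two `set_fact` tasks, for hosts in `bastion` or `fleet`; a host in neither group reaches `src: "{{ item.src | default(default_firewall_src) }}"` in the second hunk with the fact undefined, and `default()` does not help there because its own argument is the undefined name, so the play most likely fails on that host. Declaring a restrictive fallback in the role defaults, e.g. `default_firewall_src: "{{ local_subnet }}"` beside `local_subnet`, gives such hosts a defined and conservative source instead. In the second hunk `with_items:` is the corrected loop keyword; `loop:` is the form Ansible now recommends for new code, though either works here.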
diff --git a/roles/networking/hosts/templates/hosts.j2 b/roles/networking/hosts/templates/hosts.j2
index bb266cd..aa44469 100644
--- a/roles/networking/hosts/templates/hosts.j2
+++ b/roles/networking/hosts/templates/hosts.j2
@@ -5,5 +5,5 @@
 # Modifications will be lost!
 {% for host in groups["all"] %}
-{{ host_vars[host]["local_ip"] }} {{ host }}
+{{ hostvars[host]["local_ip"] }} {{ host }}
 {% endfor %}
diff --git a/run.yml b/run.yml
index 259158d..180df8e 100644
--- a/run.yml
+++ b/run.yml
@@ -22,10 +22,6 @@
 tags:
 - system
- - role: dotfiles
- tags:
- - dotfiles
-
 - role: filesystems
 tags:
 - filesystems
@@ -45,7 +41,7 @@
 tags:
 - firewall
- - role: ddclient
+ - role: networking/ddclient
 tags:
 - ddclient
 when: enable_ddclient
@@ -53,7 +49,7 @@
 - role: networking/nameserver
 tags:
 - nameserver
- when: "nameserver" in group_names
+ when: '"nameserver" in group_names'
 - role: networking/hosts
 tags:
@@ -62,17 +58,17 @@
 - role: mail
 tags:
 - mail
- when: "mailserver" in group_names
+ when: '"mailserver" in group_names'
 - role: caddy
 tags:
 - caddy
- when: "caddy" in group_names
+ when: '"caddy" in group_names'
 - role: haproxy
 tags:
 - haproxy
- when: "haproxy" in group_names
+ when: '"haproxy" in group_names'
 - role: dotfiles
 tags:
@@ -85,9 +81,13 @@
 - role: website
 tags:
 - website
- when: "website" in group_names
+ when: '"website" in group_names'
 - role: containers
 tags:
 - containers
- when: "fleet" in group_names
+ when: '"fleet" in group_names'
+
+ - role: dotfiles
+ tags:
+ - dotfiles
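Review bot: The `- role: dotfiles` entry appended in the last hunk duplicates the one still present as context at the end of the `@@ -62,17 +58,17 @@` hunk (`- role: dotfiles` / `tags:`), so the role appears to run twice per play unless that remaining entry carries a `when` outside the hunk; the first hunk removes only the copy that followed `system`. If the intent is to run dotfiles once and last, the middle entry should go as well. The play header these roles belong to starts before the first hunk.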