Initial commit

.gitignore

@@ -0,0 +1,2 @@
+venv/
+**.vault_pass

.vscode/settings.json

@@ -0,0 +1,6 @@
+{
+    "files.associations": {
+        "ansible/**/*.yml": "ansible",
+        "ansible/roles/pi_updatelist/files/pihole-updatelists.conf": "ini"
+    },
+}

README.md

@@ -0,0 +1 @@
+Infra

ansible/ansible.cfg

@@ -0,0 +1,6 @@
+[defaults]
+#nocows = 1
+inventory = ./hosts
+vault_password_file = .vault_pass
+#interpreter_python = /usr/bin/python3
+#enable_task_debugger = True

ansible/group_vars/all.yml

@@ -0,0 +1,40 @@
+ansible_become_password: "{{ secret_sudo }}"
+
+ntp_timezone: "Europe/Oslo"
+
+users:
+  - username: roxedus
+    groupname: roxedus
+    home: yes
+    uid: "1000"
+    gid: "1000"
+    github: Roxedus
+    password: "{{ secret_rox_pass }}"
+
+package_list:
+  - name: bash-completion
+  - name: ca-certificates
+  - name: curl
+  - name: git
+  - name: gnupg2
+  - name: htop
+  - name: jq
+  - name: ncdu
+  - name: net-tools
+  - name: python3
+  - name: python3-apt
+  - name: python3-pip
+  - name: software-properties-common
+  - name: tmux
+  - name: wget
+
+dmasq_local_domain: "{{ secret_local_domain }}"
+
+security_ssh_password_authentication: "no"
+security_ssh_permit_root_login: "no"
+security_ssh_port: 22
+security_ssh_usedns: "no"
+security_autoupdate_enabled: true
+security_fail2ban_enabled: true
+security_sudoers_passwordless:
+  - "{{ users.0.username }}"

ansible/hosts

@@ -0,0 +1,2 @@
+[piholes]
+pihole set_hostname=pihole."{{ secret_local_domain }}"

ansible/requirements.txt

@@ -0,0 +1,3 @@
+ansible==2.10.0
+ansible-base==2.10.2
+jmespath

ansible/requirements.yml

@@ -0,0 +1,6 @@
+---
+roles:
+  - name: geerlingguy.docker
+  - name: geerlingguy.ntp
+  - name: geerlingguy.pip
+  - name: geerlingguy.security

ansible/roles/pi_dnsmasq/defaults/main.yml

@@ -0,0 +1 @@
+dmasq_local_domain: local

ansible/roles/pi_dnsmasq/tasks/main.yml

@@ -0,0 +1,27 @@
+- name: Set up dnsmasq hosts
+  register: dnsmasq_hosts
+  become: true
+  ansible.builtin.template:
+    src: hosts.custom.j2
+    group: root
+    owner: root
+    mode: 0644
+    dest: /etc/hosts.custom
+
+- name: Set up dnsmasq rules
+  register: dnsmasq
+  become: true
+  ansible.builtin.template:
+    src: 02-custom.conf.j2
+    group: root
+    owner: root
+    mode: 0644
+    dest: /etc/dnsmasq.d/02-custom.conf
+
+- name: Restart PiHole systems
+  when: dnsmasq.changed or dnsmasq_hosts.changed
+  become: true
+  ansible.builtin.command:
+    argv:
+      - pihole
+      - restartdns

ansible/roles/pi_dnsmasq/templates/02-custom.conf.j2

@@ -0,0 +1,8 @@
+{{ ansible_managed | comment}}
+addn-hosts=/etc/hosts.custom
+
+address=/.{{ secret_wan_domain }}/10.0.0.29
+
+#rev-server=10.0.2.1/26,10.0.2.1
+#server=/man.{{ dmasq_local_domain }}/10.0.2.1
+#server=/2.0.10.in-addr.arpa/10.0.2.1

ansible/roles/pi_dnsmasq/templates/hosts.custom.j2

@@ -0,0 +1,4 @@
+{{ ansible_managed | comment}}
+
+10.0.0.29 {{ secret_wan_domain }}
+10.0.0.30 {{ secret_unraid_uuid }}.unraid.net

ansible/roles/pi_updatelist/files/pihole-updatelists.conf

@@ -0,0 +1,74 @@
+; Pi-hole's Lists Updater by Jack'lul
+; https://github.com/jacklul/pihole-updatelists
+
+; Remote list URL containing list of adlists to import
+ADLISTS_URL="https://v.firebog.net/hosts/lists.php?type=tick"
+
+; Remote list URL containing exact domains to whitelist
+WHITELIST_URL="https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt"
+
+; Remote list URL containing regex rules for whitelisting
+REGEX_WHITELIST_URL=""
+
+; Remote list URL containing exact domains to blacklist
+BLACKLIST_URL=""
+
+; Remote list URL containing regex rules for blacklisting
+REGEX_BLACKLIST_URL="https://raw.githubusercontent.com/mmotti/pihole-regex/master/regex.list"
+
+; =============================================================
+; OPTIONAL PARAMETERS (and their default values)
+; To change them you have to uncomment them first (remove prefixing ';')
+
+; Comment string used to know which entries were created by the script
+; You can still add your own comments to individual entries as long
+; you keep this string intact
+;COMMENT="Managed by pihole-updatelists"
+
+; Assign additional group to all inserted entries
+; To assign only the specified group make the number negative
+; `0` is the default group, you can view ID of the group in Pi-hole's web interface
+; by hovering mouse cursor over group name field on the 'Group management' page
+;GROUP_ID=0
+
+; Prevent touching entries not created by this script by comparing comment field
+; When disabled any user-created entry will be disabled
+;REQUIRE_COMMENT=true
+
+; Update gravity after lists are updated? (runs `pihole updateGravity`)
+; When disabled invokes lists reload instead
+; Set to 'null' to do nothing
+;UPDATE_GRAVITY=true
+
+; Vacuum database at the end? (runs `VACUUM` SQLite command)
+; Will cause additional writes to disk
+;VACUUM_DATABASE=false
+
+; Show more information while the script is running
+;VERBOSE=false
+
+; Show debug messages
+;DEBUG=false
+
+; Maximum time in seconds one list download can take before giving up
+; You should increase this when downloads fail because of timeout
+;DOWNLOAD_TIMEOUT=60
+
+; Ignore download failures when using multiple lists
+; This will cause entries from the lists that failed to download to be disabled
+;IGNORE_DOWNLOAD_FAILURE=false
+
+; Location of gravity.db file in case you need to change it
+;GRAVITY_DB="/etc/pihole/gravity.db"
+
+; Process lockfile to prevent multiple instances of the script from running
+; You shouldn't change it - unless `/var/lock` is unavailable
+;LOCK_FILE="/var/lock/pihole-updatelists.lock"
+
+; Log console output to file
+; In most cases you don't have to set this as you can view the log in the system journal
+; Put `-` before path to overwrite file instead of appending to it
+;LOG_FILE=""
+
+; Branch to pull remote checksum and update from
+;GIT_BRANCH="master"

ansible/roles/pi_updatelist/tasks/main.yml

@@ -0,0 +1,16 @@
+- name: Install updatelist conf
+  register: updatelist
+  ansible.builtin.copy:
+    src: "pihole-updatelists.conf"
+    dest: "/etc/pihole-updatelists.conf"
+    mode: "0644"
+    owner: "root"
+    group: "root"
+  become: true
+
+- name: Activate changes
+  when: updatelist.changed
+  become: true
+  ansible.builtin.command:
+    argv:
+      - pihole-updatelists

ansible/run.yml

@@ -0,0 +1,165 @@
+- hosts: all
+  become: yes
+  tags: [never, init]
+  vars_files:
+    - "vars/vault.yml"
+
+  collections:
+    - ansible.builtin.apt
+    - ansible.builtin.git
+    - ansible.builtin.group
+    - ansible.builtin.hostname
+    - ansible.builtin.reboot
+    - ansible.builtin.user
+    - ansible.posix.authorized_key
+    - ansible.builtin.lineinfile
+    - ansible.builtin.git
+
+  pre_tasks:
+    - name: Ensure groups exists
+      register: group_exist
+      ansible.builtin.group:
+        name: "{{ item.groupname }}"
+        gid: "{{ item.gid | default(None) }}"
+        state: present
+      loop: "{{ users }}"
+
+    - name: Add users
+      ansible.builtin.user:
+        name: "{{ item.username }}"
+        uid: "{{ item.uid | default(None) }}"
+        group: "{{ item.groupname | default(item.username) }}"
+        shell: /bin/bash
+        move_home: "{{ item.home | default(None) }}"
+        password: "{{ item.password | default(None) }}"
+      loop: "{{ users }}"
+
+    - name: Add a ssh key
+      ansible.posix.authorized_key:
+        user: "{{ users.0.username }}"
+        key: "https://github.com/{{ users.0.github }}.keys"
+
+    - name: Change hostname
+      when: "set_hostname is defined"
+      register: new_hostname
+      ansible.builtin.hostname:
+        name: "{{ set_hostname }}"
+
+    - name: Change hostname in hosts
+      when: new_hostname.changed
+      ansible.builtin.lineinfile:
+        path: /etc/hosts
+        regexp: '^127\.0\.0\.1 localhost'
+        line: "127.0.0.1 localhost {{ set_hostname }}"
+        owner: root
+        group: root
+        mode: "0644"
+
+    - name: Reboot the server
+      ansible.builtin.reboot:
+        msg: "Reboot initiated by Ansible due to hostname change"
+        connect_timeout: 5
+        reboot_timeout: 300
+        pre_reboot_delay: 2
+        post_reboot_delay: 30
+        test_command: uptime
+      when: new_hostname.changed
+
+  roles:
+    - role: geerlingguy.ntp
+    - role: geerlingguy.security
+
+  tasks:
+    - name: Install packages
+      ansible.builtin.apt:
+        name: "{{ item.name | default(omit) }}"
+        state: latest
+        default_release: "{{ item.default_release | default(omit) }}"
+      with_items:
+        - "{{package_list}}"
+
+- hosts: piholes
+  vars_files:
+    - "vars/vault.yml"
+  pre_tasks:
+    - name: Checkout pihole
+      tags: [never, init, pihole]
+      ansible.builtin.git:
+        repo: "https://github.com/pi-hole/pi-hole.git"
+        clone: yes
+        dest: "/home/{{ users.0.username }}/pihole"
+        depth: 1
+
+    - name: Checkout pihole_updatelist
+      tags: [never, init, pihole]
+      ansible.builtin.git:
+        repo: "https://github.com/jacklul/pihole-updatelists.git"
+        clone: yes
+        dest: "/home/{{ users.0.username }}/pihole_updatelist"
+        depth: 1
+
+    - name: Get dependencies
+      become: yes
+      tags: [never, init, pihole]
+      ansible.builtin.apt:
+        name:
+          [
+            "dns-root-data",
+            "idn2",
+            "lighttpd",
+            "php-cgi",
+            "php-cli",
+            "php-curl",
+            "php-intl",
+            "php-sqlite3",
+            "php-xml",
+            "sqlite3",
+            "unzip",
+          ]
+        state: latest
+
+  roles:
+    - role: pi_updatelist
+      tags: [update]
+    - role: pi_dnsmasq
+
+- hosts: all
+  become: yes
+  tags: [update]
+  vars_files:
+    - "vars/vault.yml"
+
+  tasks:
+    # https://www.cyberciti.biz/faq/ansible-apt-update-all-packages-on-ubuntu-debian-linux/
+    - name: Update packages
+      ansible.builtin.apt:
+        update_cache: yes
+        force_apt_get: yes
+        cache_valid_time: 3600
+        upgrade: yes
+
+    - name: Remove ubuntu motd spam
+      ansible.builtin.file:
+        path: "/etc/update-motd.d/{{ item }}"
+        state: absent
+      loop:
+        - 10-help-text
+        - 50-landscape-sysinfo
+        - 50-motd-news
+        - 80-livepatch
+        - 95-hwe-eol
+      when: ansible_distribution == 'Ubuntu'
+
+    - name: Check if a reboot is needed for Debian and Ubuntu boxes
+      register: reboot_required_file
+      stat: path=/var/run/reboot-required get_md5=no
+
+    - name: Reboot the server
+      ansible.builtin.reboot:
+        msg: "Reboot initiated by Ansible due to kernel updates"
+        connect_timeout: 5
+        reboot_timeout: 300
+        pre_reboot_delay: 0
+        post_reboot_delay: 30
+        test_command: uptime
+      when: reboot_required_file.stat.exists

ansible/vars/vault.yml

@@ -0,0 +1,21 @@
+$ANSIBLE_VAULT;1.1;AES256
+63613666633537303031393636363930316663373334333131313233663033366634313934366665
+6166373661616530626361306338383262376661313161380a313536313462326165323636303163
+33663431326665353630366337356634663837306564616436303831616137626238613337616238
+6638323363376330650a643163613131346537613966356433666364653239633333643265626339
+32353339353966316636656139616262376135396237316162383230633438366434366566373737
+39366339333061393564353739373463336537303162353630303239303238643934646639383366
+61643537343834613063306131623265363933323835313034393761393637313662623163396364
+64656630343131613366343238643836396365616336663330366461396537373966316261383861
+38386138333561383831323530643235333636313338633462616163366134643634363131663530
+61303761306336373739346162303466303664336563303634326639343138303938363638373237
+61303733353237613234343165363233393762616661623233653430323538626135333833616337
+36333264616130633364303663653831343562643537623236653632656131353137613730393530
+62383733323534623064656233306638643236613766396635313436356665653663353137613964
+31346534613662336235316566636464306165323933636365636464633762303135616433383234
+37303633313932643439396435373438363039306136336334666436393166363934363436303365
+35613462656230653339383533303737313364386266366134633964633937383333316238323861
+34383237376432303164316431313565653666316130363931373365356634343966613737613162
+37373533613134353362623965316537373463303365323034336464313562613734316436346536
+33646335356330643034653862626531663063613230646432353761623365373332373738643931
+63316236343038393266

cloud-init/arm-ubuntu/user-data

@@ -0,0 +1,30 @@
+#cloud-config
+
+# This is the user-data configuration file for cloud-init. By default this sets
+# up an initial user called "ubuntu" with password "ubuntu", which must be
+# changed at first login. However, many additional actions can be initiated on
+# first boot from this file. The cloud-init documentation has more details:
+#
+# https://cloudinit.readthedocs.io/
+#
+# Some additional examples are provided in comments below the default
+# configuration.
+
+# https://cloudinit.readthedocs.io/en/latest/topics/examples.html#yaml-examples
+
+chpasswd:
+  expire: false
+  list:
+    - roxedus:roxedus
+
+# Enable password authentication with the SSH daemon
+ssh_pwauth: true
+
+system_info:
+  default_user:
+    name: roxedus
+    plain_text_passwd: roxedus
+    home: /home/roxedus
+    shell: /bin/bash
+    lock_passwd: True
+    groups: [adm, audio, cdrom, dialout, floppy, video, plugdev, dip, netdev]