commit fb003815987e7343459fab7c061a8ff6bb616b38
Author: Roxedus
Date: Wed Oct 28 22:15:23 2020 +0100
Initial commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..fb026b8
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+venv/
+**.vault_pass
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..4cf87fa
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,6 @@
+{
+ "files.associations": {
+ "ansible/**/*.yml": "ansible",
+ "ansible/roles/pi_updatelist/files/pihole-updatelists.conf": "ini"
+ },
+}
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..8ca3c27
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+Infra
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
new file mode 100644
index 0000000..bb1c1a0
--- /dev/null
+++ b/ansible/ansible.cfg
@@ -0,0 +1,6 @@
+[defaults]
+#nocows = 1
+inventory = ./hosts
+vault_password_file = .vault_pass
+#interpreter_python = /usr/bin/python3
+#enable_task_debugger = True
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
new file mode 100644
index 0000000..e25ffba
--- /dev/null
+++ b/ansible/group_vars/all.yml
@@ -0,0 +1,40 @@
+ansible_become_password: "{{ secret_sudo }}"
+
+ntp_timezone: "Europe/Oslo"
+
+users:
+ - username: roxedus
+ groupname: roxedus
+ home: yes
+ uid: "1000"
+ gid: "1000"
+ github: Roxedus
+ password: "{{ secret_rox_pass }}"
+
+package_list:
+ - name: bash-completion
+ - name: ca-certificates
+ - name: curl
+ - name: git
+ - name: gnupg2
+ - name: htop
+ - name: jq
+ - name: ncdu
+ - name: net-tools
+ - name: python3
+ - name: python3-apt
+ - name: python3-pip
+ - name: software-properties-common
+ - name: tmux
+ - name: wget
+
+dmasq_local_domain: "{{ secret_local_domain }}"
+
+security_ssh_password_authentication: "no"
+security_ssh_permit_root_login: "no"
+security_ssh_port: 22
+security_ssh_usedns: "no"
+security_autoupdate_enabled: true
+security_fail2ban_enabled: true
+security_sudoers_passwordless:
+ - "{{ users.0.username }}"
diff --git a/ansible/hosts b/ansible/hosts
new file mode 100644
index 0000000..4949047
--- /dev/null
+++ b/ansible/hosts
@@ -0,0 +1,2 @@
+[piholes]
+pihole set_hostname=pihole."{{ secret_local_domain }}"
diff --git a/ansible/requirements.txt b/ansible/requirements.txt
new file mode 100644
index 0000000..c9f5354
--- /dev/null
+++ b/ansible/requirements.txt
@@ -0,0 +1,3 @@
+ansible==2.10.0
+ansible-base==2.10.2
+jmespath
\ No newline at end of file
diff --git a/ansible/requirements.yml b/ansible/requirements.yml
new file mode 100644
index 0000000..340a47a
--- /dev/null
+++ b/ansible/requirements.yml
@@ -0,0 +1,6 @@
+---
+roles:
+ - name: geerlingguy.docker
+ - name: geerlingguy.ntp
+ - name: geerlingguy.pip
+ - name: geerlingguy.security
diff --git a/ansible/roles/pi_dnsmasq/defaults/main.yml b/ansible/roles/pi_dnsmasq/defaults/main.yml
new file mode 100644
index 0000000..df4cafe
--- /dev/null
+++ b/ansible/roles/pi_dnsmasq/defaults/main.yml
@@ -0,0 +1 @@
+dmasq_local_domain: local
diff --git a/ansible/roles/pi_dnsmasq/tasks/main.yml b/ansible/roles/pi_dnsmasq/tasks/main.yml
new file mode 100644
index 0000000..012b973
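Review bot: `security_sudoers_passwordless` grants NOPASSWD sudo to `users.0`, while `ansible_become_password` is set a few lines above for the same account, so once geerlingguy.security has written its sudoers entry the become password no longer gates privilege escalation on these hosts. If Ansible is the only consumer of passwordless sudo, the become password already covers that and the entry can be dropped; if it is kept for interactive use, a comment stating the reason, e.g. `# NOPASSWD for users.0: <reason>`, would help the next reader. `home: yes` on the user entry also appears to feed `move_home` in run.yml, where it has no effect unless a `home` path is given as well.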
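Review bot: `set_hostname=pihole."{{ secret_local_domain }}"` presumably keeps the double quotes as part of the value: the INI inventory parser only strips quoting that parses as a Python literal, and `pihole."…"` does not, so the hostname module and the `/etc/hosts` line in run.yml would receive a name containing literal `"` characters. Wrap the whole value instead, `pihole set_hostname="pihole.{{ secret_local_domain }}"`. The variable it references comes from the vault file that only the plays in run.yml load via `vars_files`, which is worth a comment next to the inventory line so the dependency is visible.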
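Review bot: None of the four Galaxy roles carries a `version:`, so `ansible-galaxy install -r requirements.yml` fetches whatever the role repository's default branch holds at install time, and two hosts provisioned weeks apart can run different role code — including geerlingguy.security, which rewrites sshd_config and sudoers. Pin each entry to a released tag, e.g. `- name: geerlingguy.security` followed by `version: "<pinned tag>"`, and bump the pins deliberately.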
--- /dev/null
+++ b/ansible/roles/pi_dnsmasq/tasks/main.yml
@@ -0,0 +1,27 @@
+- name: Set up dnsmasq hosts
+ register: dnsmasq_hosts
+ become: true
+ ansible.builtin.template:
+ src: hosts.custom.j2
+ group: root
+ owner: root
+ mode: 0644
+ dest: /etc/hosts.custom
+
+- name: Set up dnsmasq rules
+ register: dnsmasq
+ become: true
+ ansible.builtin.template:
+ src: 02-custom.conf.j2
+ group: root
+ owner: root
+ mode: 0644
+ dest: /etc/dnsmasq.d/02-custom.conf
+
+- name: Restart PiHole systems
+ when: dnsmasq.changed or dnsmasq_hosts.changed
+ become: true
+ ansible.builtin.command:
+ argv:
+ - pihole
+ - restartdns
diff --git a/ansible/roles/pi_dnsmasq/templates/02-custom.conf.j2 b/ansible/roles/pi_dnsmasq/templates/02-custom.conf.j2
new file mode 100644
index 0000000..5f6a6e2
--- /dev/null
+++ b/ansible/roles/pi_dnsmasq/templates/02-custom.conf.j2
@@ -0,0 +1,8 @@
+{{ ansible_managed | comment}}
+addn-hosts=/etc/hosts.custom
+
+address=/.{{ secret_wan_domain }}/10.0.0.29
+
+#rev-server=10.0.2.1/26,10.0.2.1
+#server=/man.{{ dmasq_local_domain }}/10.0.2.1
+#server=/2.0.10.in-addr.arpa/10.0.2.1
diff --git a/ansible/roles/pi_dnsmasq/templates/hosts.custom.j2 b/ansible/roles/pi_dnsmasq/templates/hosts.custom.j2
new file mode 100644
index 0000000..39ac709
--- /dev/null
+++ b/ansible/roles/pi_dnsmasq/templates/hosts.custom.j2
@@ -0,0 +1,4 @@
+{{ ansible_managed | comment}}
+
+10.0.0.29 {{ secret_wan_domain }}
+10.0.0.30 {{ secret_unraid_uuid }}.unraid.net
diff --git a/ansible/roles/pi_updatelist/files/pihole-updatelists.conf b/ansible/roles/pi_updatelist/files/pihole-updatelists.conf
new file mode 100644
index 0000000..417d5ec
--- /dev/null
+++ b/ansible/roles/pi_updatelist/files/pihole-updatelists.conf
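Review bot: `mode: 0644` (in both template tasks of this hunk) is an unquoted octal literal, which a YAML 1.1 loader reads as the integer 420; Ansible accepts it only because 420 happens to equal 0o644, and a value such as `600` written the same way would silently become a wrong decimal mode. The sibling role `pi_updatelist/tasks/main.yml` already writes `mode: "0644"`, so quote it here too for consistency. `Restart PiHole systems` is a `command` task without `changed_when`, which is acceptable since it only runs when one of the registered template tasks reported a change.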
@@ -0,0 +1,74 @@
+; Pi-hole's Lists Updater by Jack'lul
+; https://github.com/jacklul/pihole-updatelists
+
+; Remote list URL containing list of adlists to import
+ADLISTS_URL="https://v.firebog.net/hosts/lists.php?type=tick"
+
+; Remote list URL containing exact domains to whitelist
+WHITELIST_URL="https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt"
+
+; Remote list URL containing regex rules for whitelisting
+REGEX_WHITELIST_URL=""
+
+; Remote list URL containing exact domains to blacklist
+BLACKLIST_URL=""
+
+; Remote list URL containing regex rules for blacklisting
+REGEX_BLACKLIST_URL="https://raw.githubusercontent.com/mmotti/pihole-regex/master/regex.list"
+
+; =============================================================
+; OPTIONAL PARAMETERS (and their default values)
+; To change them you have to uncomment them first (remove prefixing ';')
+
+; Comment string used to know which entries were created by the script
+; You can still add your own comments to individual entries as long
+; you keep this string intact
+;COMMENT="Managed by pihole-updatelists"
+
+; Assign additional group to all inserted entries
+; To assign only the specified group make the number negative
+; `0` is the default group, you can view ID of the group in Pi-hole's web interface
+; by hovering mouse cursor over group name field on the 'Group management' page
+;GROUP_ID=0
+
+; Prevent touching entries not created by this script by comparing comment field
+; When disabled any user-created entry will be disabled
+;REQUIRE_COMMENT=true
+
+; Update gravity after lists are updated? (runs `pihole updateGravity`)
+; When disabled invokes lists reload instead
+; Set to 'null' to do nothing
+;UPDATE_GRAVITY=true
+
+; Vacuum database at the end? (runs `VACUUM` SQLite command)
+; Will cause additional writes to disk
+;VACUUM_DATABASE=false
+
+; Show more information while the script is running
+;VERBOSE=false
+
+; Show debug messages
+;DEBUG=false
+
+; Maximum time in seconds one list download can take before giving up
+; You should increase this when downloads fail because of timeout
+;DOWNLOAD_TIMEOUT=60
+
+; Ignore download failures when using multiple lists
+; This will cause entries from the lists that failed to download to be disabled
+;IGNORE_DOWNLOAD_FAILURE=false
+
+; Location of gravity.db file in case you need to change it
+;GRAVITY_DB="/etc/pihole/gravity.db"
+
+; Process lockfile to prevent multiple instances of the script from running
+; You shouldn't change it - unless `/var/lock` is unavailable
+;LOCK_FILE="/var/lock/pihole-updatelists.lock"
+
+; Log console output to file
+; In most cases you don't have to set this as you can view the log in the system journal
+; Put `-` before path to overwrite file instead of appending to it
+;LOG_FILE=""
+
+; Branch to pull remote checksum and update from
+;GIT_BRANCH="master"
diff --git a/ansible/roles/pi_updatelist/tasks/main.yml b/ansible/roles/pi_updatelist/tasks/main.yml
new file mode 100644
index 0000000..9ec449a
--- /dev/null
+++ b/ansible/roles/pi_updatelist/tasks/main.yml
@@ -0,0 +1,16 @@
+- name: Install updatelist conf
+ register: updatelist
+ ansible.builtin.copy:
+ src: "pihole-updatelists.conf"
+ dest: "/etc/pihole-updatelists.conf"
+ mode: "0644"
+ owner: "root"
+ group: "root"
+ become: true
+
+- name: Activate changes
+ when: updatelist.changed
+ become: true
+ ansible.builtin.command:
+ argv:
+ - pihole-updatelists
diff --git a/ansible/run.yml b/ansible/run.yml
new file mode 100644
index 0000000..cdc17c1
--- /dev/null
+++ b/ansible/run.yml
@@ -0,0 +1,165 @@
+- hosts: all
+ become: yes
+ tags: [never, init]
+ vars_files:
+ - "vars/vault.yml"
+
+ collections:
+ - ansible.builtin.apt
+ - ansible.builtin.git
+ - ansible.builtin.group
+ - ansible.builtin.hostname
+ - ansible.builtin.reboot
+ - ansible.builtin.user
+ - ansible.posix.authorized_key
+ - ansible.builtin.lineinfile
+ - ansible.builtin.git
+
+ pre_tasks:
+ - name: Ensure groups exists
+ register: group_exist
+ ansible.builtin.group:
+ name: "{{ item.groupname }}"
+ gid: "{{ item.gid | default(None) }}"
+ state: present
+ loop: "{{ users }}"
+
+ - name: Add users
+ ansible.builtin.user:
+ name: "{{ item.username }}"
+ uid: "{{ item.uid | default(None) }}"
+ group: "{{ item.groupname | default(item.username) }}"
+ shell: /bin/bash
+ move_home: "{{ item.home | default(None) }}"
+ password: "{{ item.password | default(None) }}"
+ loop: "{{ users }}"
+
+ - name: Add a ssh key
+ ansible.posix.authorized_key:
+ user: "{{ users.0.username }}"
+ key: "https://github.com/{{ users.0.github }}.keys"
+
+ - name: Change hostname
+ when: "set_hostname is defined"
+ register: new_hostname
+ ansible.builtin.hostname:
+ name: "{{ set_hostname }}"
+
+ - name: Change hostname in hosts
+ when: new_hostname.changed
+ ansible.builtin.lineinfile:
+ path: /etc/hosts
+ regexp: '^127\.0\.0\.1 localhost'
+ line: "127.0.0.1 localhost {{ set_hostname }}"
+ owner: root
+ group: root
+ mode: "0644"
+
+ - name: Reboot the server
+ ansible.builtin.reboot:
+ msg: "Reboot initiated by Ansible due to hostname change"
+ connect_timeout: 5
+ reboot_timeout: 300
+ pre_reboot_delay: 2
+ post_reboot_delay: 30
+ test_command: uptime
+ when: new_hostname.changed
+
+ roles:
+ - role: geerlingguy.ntp
+ - role: geerlingguy.security
+
+ tasks:
+ - name: Install packages
+ ansible.builtin.apt:
+ name: "{{ item.name | default(omit) }}"
+ state: latest
+ default_release: "{{ item.default_release | default(omit) }}"
+ with_items:
+ - "{{package_list}}"
+
+- hosts: piholes
+ vars_files:
+ - "vars/vault.yml"
+ pre_tasks:
+ - name: Checkout pihole
+ tags: [never, init, pihole]
+ ansible.builtin.git:
+ repo: "https://github.com/pi-hole/pi-hole.git"
+ clone: yes
+ dest: "/home/{{ users.0.username }}/pihole"
+ depth: 1
+
+ - name: Checkout pihole_updatelist
+ tags: [never, init, pihole]
+ ansible.builtin.git:
+ repo: "https://github.com/jacklul/pihole-updatelists.git"
+ clone: yes
+ dest: "/home/{{ users.0.username }}/pihole_updatelist"
+ depth: 1
+
+ - name: Get dependencies
+ become: yes
+ tags: [never, init, pihole]
+ ansible.builtin.apt:
+ name:
+ [
+ "dns-root-data",
+ "idn2",
+ "lighttpd",
+ "php-cgi",
+ "php-cli",
+ "php-curl",
+ "php-intl",
+ "php-sqlite3",
+ "php-xml",
+ "sqlite3",
+ "unzip",
+ ]
+ state: latest
+
+ roles:
+ - role: pi_updatelist
+ tags: [update]
+ - role: pi_dnsmasq
+
+- hosts: all
+ become: yes
+ tags: [update]
+ vars_files:
+ - "vars/vault.yml"
+
+ tasks:
+ # https://www.cyberciti.biz/faq/ansible-apt-update-all-packages-on-ubuntu-debian-linux/
+ - name: Update packages
+ ansible.builtin.apt:
+ update_cache: yes
+ force_apt_get: yes
+ cache_valid_time: 3600
+ upgrade: yes
+
+ - name: Remove ubuntu motd spam
+ ansible.builtin.file:
+ path: "/etc/update-motd.d/{{ item }}"
+ state: absent
+ loop:
+ - 10-help-text
+ - 50-landscape-sysinfo
+ - 50-motd-news
+ - 80-livepatch
+ - 95-hwe-eol
+ when: ansible_distribution == 'Ubuntu'
+
+ - name: Check if a reboot is needed for Debian and Ubuntu boxes
+ register: reboot_required_file
+ stat: path=/var/run/reboot-required get_md5=no
+
+ - name: Reboot the server
+ ansible.builtin.reboot:
+ msg: "Reboot initiated by Ansible due to kernel updates"
+ connect_timeout: 5
+ reboot_timeout: 300
+ pre_reboot_delay: 0
+ post_reboot_delay: 30
+ test_command: uptime
+ when: reboot_required_file.stat.exists
diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml
new file mode 100644
index 0000000..4af8d23
--- /dev/null
+++ b/ansible/vars/vault.yml
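Review bot: The `collections:` list in the first play names individual modules (`ansible.builtin.apt`, `ansible.builtin.group`, …) rather than collections, and lists `ansible.builtin.git` twice; the keyword takes collection names for short-name resolution, and since every module in the file is already called by its FQCN the block can be removed or reduced to `- ansible.posix`. The group and user tasks use `default(None)`, which under the default (non-native) templating presumably renders as the string `None` rather than skipping the argument, while `Install packages` in the same play already uses `default(omit)`; `gid: "{{ item.gid | default(omit) }}"` is the form to use there and for `uid`, `move_home` and `password`. `Add a ssh key` re-fetches `https://github.com/{{ users.0.github }}.keys` on every run, so the set of keys that can log in as a passwordless-sudo user is whatever that GitHub account publishes at the time; a comment recording that trust dependency next to the task would make it reviewable. The `stat: path=/var/run/reboot-required get_md5=no` line in the last play is the only task left in key=value shorthand; `ansible.builtin.stat:` with `path: /var/run/reboot-required` matches the rest of the file.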
@@ -0,0 +1,21 @@
+$ANSIBLE_VAULT;1.1;AES256
+63613666633537303031393636363930316663373334333131313233663033366634313934366665
+6166373661616530626361306338383262376661313161380a313536313462326165323636303163
+33663431326665353630366337356634663837306564616436303831616137626238613337616238
+6638323363376330650a643163613131346537613966356433666364653239633333643265626339
+32353339353966316636656139616262376135396237316162383230633438366434366566373737
+39366339333061393564353739373463336537303162353630303239303238643934646639383366
+61643537343834613063306131623265363933323835313034393761393637313662623163396364
+64656630343131613366343238643836396365616336663330366461396537373966316261383861
+38386138333561383831323530643235333636313338633462616163366134643634363131663530
+61303761306336373739346162303466303664336563303634326639343138303938363638373237
+61303733353237613234343165363233393762616661623233653430323538626135333833616337
+36333264616130633364303663653831343562643537623236653632656131353137613730393530
+62383733323534623064656233306638643236613766396635313436356665653663353137613964
+31346534613662336235316566636464306165323933636365636464633762303135616433383234
+37303633313932643439396435373438363039306136336334666436393166363934363436303365
+35613462656230653339383533303737313364386266366134633964633937383333316238323861
+34383237376432303164316431313565653666316130363931373365356634343966613737613162
+37373533613134353362623965316537373463303365323034336464313562613734316436346536
+33646335356330643034653862626531663063613230646432353761623365373332373738643931
+63316236343038393266
diff --git a/cloud-init/arm-ubuntu/ssh b/cloud-init/arm-ubuntu/ssh
new file mode 100644
index 0000000..e69de29
diff --git a/cloud-init/arm-ubuntu/user-data b/cloud-init/arm-ubuntu/user-data
new file mode 100644
index 0000000..fe3ca3a
--- /dev/null
+++ b/cloud-init/arm-ubuntu/user-data
@@ -0,0 +1,30 @@
+#cloud-config
+
+# This is the user-data configuration file for cloud-init. By default this sets
+# up an initial user called "ubuntu" with password "ubuntu", which must be
+# changed at first login. However, many additional actions can be initiated on
+# first boot from this file. The cloud-init documentation has more details:
+#
+# https://cloudinit.readthedocs.io/
+#
+# Some additional examples are provided in comments below the default
+# configuration.
+
+# https://cloudinit.readthedocs.io/en/latest/topics/examples.html#yaml-examples
+
+chpasswd:
+ expire: false
+ list:
+ - roxedus:roxedus
+
+# Enable password authentication with the SSH daemon
+ssh_pwauth: true
+
+system_info:
+ default_user:
+ name: roxedus
+ plain_text_passwd: roxedus
+ home: /home/roxedus
+ shell: /bin/bash
+ lock_passwd: True
+ groups: [adm, audio, cdrom, dialout, floppy, video, plugdev, dip, netdev]
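Review bot: `chpasswd` sets the default user's password equal to its username with `expire: false`, `plain_text_passwd: roxedus` repeats that value, and `ssh_pwauth: true` makes the credential reachable over SSH until the Ansible `init` play later turns password authentication off — while the header comment still describes the stock behaviour of forcing a change at first login, which this file disables. At minimum set `expire: true` so the first login forces a new password, and consider keeping `ssh_pwauth` at `false` and seeding an authorized key instead, since the committed value is readable by anyone with the repository. `lock_passwd: True` should be the lowercase `lock_passwd: true`, and it also contradicts assigning a usable password to the same user, so one of the two settings looks unintended.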