parent
02e5f4a94a
commit
ddfe75225b
@ -0,0 +1,2 @@
|
|||||||
|
hosts.yml
|
||||||
|
host_vars
|
@ -0,0 +1,26 @@
|
|||||||
|
# ansible
|
||||||
|
|
||||||
|
## Raspberry Pi
|
||||||
|
|
||||||
|
1. [Download Raspberian Stretch Lite](https://www.raspberrypi.org/downloads/raspbian/)
|
||||||
|
1. Install Etcher: `brew cask install balenaetcher`
|
||||||
|
1. [Flash the SD card](https://www.raspberrypi.org/documentation/installation/installing-images/README.md)
|
||||||
|
|
||||||
|
1. [Enable SSH](https://www.raspberrypi.org/documentation/remote-access/ssh/)
|
||||||
|
|
||||||
|
1. Run the Ansible playbooks
|
||||||
|
1. Add the host to the `pi_bootstrap` group and set the `password` variable
|
||||||
|
on the host
|
||||||
|
1. Connect to the host via SSH (so Ansible can piggyback off the existing
|
||||||
|
connection and not have to deal with password shenanigans)
|
||||||
|
1. `ansible-playbook playbooks/pi/bootstrap.yml`
|
||||||
|
1. `ansible-playbook {{ host }}/main.yml`
|
||||||
|
|
||||||
|
### etc
|
||||||
|
|
||||||
|
1. Use `raspi-config` to set up the WiFi
|
||||||
|
- [Additional setup](https://www.raspberrypi.org/documentation/configuration/wireless/wireless-cli.md)
|
||||||
|
- Add `scan_ssid=1` to `/etc/wpa_supplicant/wpa_supplicant.conf`
|
||||||
|
- Restart WiFi: `wpa_cli -i wlan0 reconfigure`
|
||||||
|
1. Use `raspi-config` to set the keyboard layout
|
||||||
|
|
@ -0,0 +1,22 @@
|
|||||||
|
FROM armhf/alpine
|
||||||
|
|
||||||
|
# https://wiki.alpinelinux.org/wiki/Ddclient
|
||||||
|
|
||||||
|
RUN apk update && apk upgrade && \
|
||||||
|
apk add \
|
||||||
|
curl \
|
||||||
|
make \
|
||||||
|
perl \
|
||||||
|
perl-io-socket-ssl
|
||||||
|
RUN cpan install Test::Requires && cpan Data::Validate::IP
|
||||||
|
|
||||||
|
RUN cd tmp && \
|
||||||
|
curl --location https://github.com/ddclient/ddclient/archive/v3.9.0.tar.gz > ddclient-3.9.0.tar.gz && \
|
||||||
|
tar xvz < ddclient-3.9.0.tar.gz && \
|
||||||
|
cp ddclient-3.9.0/ddclient /usr/sbin && \
|
||||||
|
mkdir /etc/ddclient && \
|
||||||
|
mkdir -p /var/cache/ddclient
|
||||||
|
|
||||||
|
VOLUME /etc/ddclient
|
||||||
|
|
||||||
|
ENTRYPOINT [ "ddclient", "-foreground" ]
|
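Review bot: The ddclient tarball fetched in the third `RUN` (`curl --location https://github.com/ddclient/ddclient/archive/v3.9.0.tar.gz`) is copied straight into `/usr/sbin` with no integrity check, and `curl` runs without `--fail`, so a redirect to an error page would be saved as the archive and only surface later when `tar` fails. Pin the expected digest and verify it before extracting: `curl --fail --location https://github.com/ddclient/ddclient/archive/v3.9.0.tar.gz > ddclient-3.9.0.tar.gz && \` followed by `echo "<EXPECTED_SHA256>  ddclient-3.9.0.tar.gz" | sha256sum -c - && \`. The two `cpan` installs in the second `RUN` have the same gap, with neither pinned versions nor checksums. `FROM armhf/alpine` carries no tag, so the base image (and the `apk upgrade` layered on it) is whatever the registry serves at build time; a tag or digest makes the image reproducible.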
@ -0,0 +1,16 @@
|
|||||||
|
# On Fire Within
|
||||||
|
|
||||||
|
## Setup
|
||||||
|
|
||||||
|
- [Installing Hass.io](https://www.home-assistant.io/hassio/installation/)
|
||||||
|
|
||||||
|
1. `ansible-playbook playbooks/pi/bootstrap.yml`
|
||||||
|
1. `ansible-playbook on-fire-within/bootstrap.yml`
|
||||||
|
1. `curl -fsSL get.docker.com | sh`
|
||||||
|
- `sudo usermod -aG docker alpha`
|
||||||
|
1. `curl -sL "https://raw.githubusercontent.com/home-assistant/hassio-installer/master/hassio_install.sh" | bash -s -- -m raspberrypi4`
|
||||||
|
1. `ansible-playbook on-fire-within/main.yml`
|
||||||
|
|
||||||
|
## Notes
|
||||||
|
|
||||||
|
- `/usr/share/hassio`
|
@ -0,0 +1,29 @@
|
|||||||
|
# https://www.home-assistant.io/hassio/installation/
|
||||||
|
|
||||||
|
- hosts: on_fire_within
|
||||||
|
become: yes
|
||||||
|
tasks:
|
||||||
|
# Forgot what I need this for...
|
||||||
|
- name: install software-properties-common
|
||||||
|
apt: name=software-properties-common
|
||||||
|
|
||||||
|
- name: install other dependencies for hass.io
|
||||||
|
apt:
|
||||||
|
name:
|
||||||
|
- apparmor-utils
|
||||||
|
- apt-transport-https
|
||||||
|
- avahi-daemon
|
||||||
|
- ca-certificates
|
||||||
|
- curl
|
||||||
|
- dbus
|
||||||
|
- jq
|
||||||
|
- network-manager
|
||||||
|
- socat
|
||||||
|
update_cache: yes
|
||||||
|
- service:
|
||||||
|
name: ModemManager
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
# homekit
|
||||||
|
- name: install dependenies for homekit
|
||||||
|
apt: name=libavahi-compat-libdnssd-dev
|
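Review bot: The `service` task that disables `ModemManager` has no `name`, and `apt: name=software-properties-common` and `apt: name=libavahi-compat-libdnssd-dev` use the `key=value` argument string while the task between them uses block-form module args; the file reads more consistently as `apt:` / `name: software-properties-common` with a `name:` on every task. `become: yes` and `update_cache: yes` are YAML 1.1 truthy spellings; `true` is the portable form. The comment `# Forgot what I need this for...` on the first task is worth resolving, since a bootstrap playbook that installs a package for an unknown reason is hard to audit later; the task name `install dependenies for homekit` also has a typo.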
@ -0,0 +1,166 @@
|
|||||||
|
- import_playbook: ../playbooks/pi/security.yml
|
||||||
|
- import_playbook: hass-io.yml
|
||||||
|
|
||||||
|
- hosts: on_fire_within
|
||||||
|
become: yes
|
||||||
|
tasks:
|
||||||
|
- name: install dependencies
|
||||||
|
apt:
|
||||||
|
name:
|
||||||
|
- git
|
||||||
|
- vim
|
||||||
|
|
||||||
|
# Needed for Docker stuff
|
||||||
|
- docker-compose
|
||||||
|
- python-pip
|
||||||
|
- python-backports-shutil-get-terminal-size
|
||||||
|
- python-backports.ssl-match-hostname
|
||||||
|
|
||||||
|
- name: install python docker packages
|
||||||
|
pip:
|
||||||
|
name:
|
||||||
|
- docker
|
||||||
|
- docker-compose
|
||||||
|
state: latest
|
||||||
|
|
||||||
|
- name: create conf dirs
|
||||||
|
file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
state: directory
|
||||||
|
with_items:
|
||||||
|
- /etc/ddclient
|
||||||
|
- /etc/traefik
|
||||||
|
|
||||||
|
- name: configure ddclient
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
daemon=300
|
||||||
|
|
||||||
|
use=web
|
||||||
|
ssl=yes
|
||||||
|
protocol=googledomains
|
||||||
|
|
||||||
|
{% for host in hosts %}
|
||||||
|
login={{ host.login }}, password={{ host.password }} {{ host.host }}
|
||||||
|
{% endfor %}
|
||||||
|
dest: /etc/ddclient/ddclient.conf
|
||||||
|
mode: 0600
|
||||||
|
vars:
|
||||||
|
hosts: "{{ ddclient.hosts }}"
|
||||||
|
notify: restart ddclient
|
||||||
|
|
||||||
|
- name: traefik static configuration
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
[providers]
|
||||||
|
[providers.docker]
|
||||||
|
exposedByDefault = false
|
||||||
|
[providers.file]
|
||||||
|
filename = "/etc/traefik/dynamic_conf.toml"
|
||||||
|
watch = true
|
||||||
|
|
||||||
|
[entryPoints]
|
||||||
|
[entryPoints.http]
|
||||||
|
address = ":80"
|
||||||
|
|
||||||
|
[entryPoints.https]
|
||||||
|
address = ":443"
|
||||||
|
|
||||||
|
[certificatesResolvers.le.acme]
|
||||||
|
email = "{{ email }}"
|
||||||
|
storage = "/etc/traefik/acme.json"
|
||||||
|
[certificatesResolvers.le.acme.httpChallenge]
|
||||||
|
entryPoint = "http"
|
||||||
|
|
||||||
|
[api]
|
||||||
|
insecure = true
|
||||||
|
dest: /etc/traefik/traefik.toml
|
||||||
|
mode: 0600
|
||||||
|
|
||||||
|
- name: docker all the things!
|
||||||
|
docker_compose:
|
||||||
|
project_name: on-fire-within
|
||||||
|
definition:
|
||||||
|
version: '2'
|
||||||
|
services:
|
||||||
|
ddclient:
|
||||||
|
image: kejadlen/ddclient:latest
|
||||||
|
container_name: ddclient
|
||||||
|
volumes:
|
||||||
|
- /etc/ddclient:/etc/ddclient
|
||||||
|
restart: always
|
||||||
|
pihole:
|
||||||
|
image: pihole/pihole:latest
|
||||||
|
container_name: pihole
|
||||||
|
ports:
|
||||||
|
- 53:53/tcp
|
||||||
|
- 53:53/udp
|
||||||
|
environment:
|
||||||
|
TZ: America/Los_Angeles
|
||||||
|
VIRTUAL_HOST: "{{ pihole.host }}"
|
||||||
|
WEBPASSWORD: "{{ pihole.password }}"
|
||||||
|
volumes:
|
||||||
|
- /etc/pihole:/etc/pihole
|
||||||
|
- /etc/dnsmasq.d:/etc/dnsmasq.d
|
||||||
|
dns:
|
||||||
|
- 127.0.0.1
|
||||||
|
- 1.1.1.1
|
||||||
|
labels:
|
||||||
|
- traefik.enable=true
|
||||||
|
- traefik.http.routers.pihole.rule=Host(`{{ traefik.host_rules.pihole }}`)
|
||||||
|
- traefik.http.routers.pihole.tls=true
|
||||||
|
- traefik.http.routers.pihole.tls.certresolver=le
|
||||||
|
- traefik.http.services.pihole.loadbalancer.server.port=80
|
||||||
|
restart: always
|
||||||
|
traefik:
|
||||||
|
image: traefik:latest
|
||||||
|
container_name: traefik
|
||||||
|
ports:
|
||||||
|
- 80:80
|
||||||
|
- 8080:8080
|
||||||
|
- 443:443
|
||||||
|
volumes:
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
|
- /etc/traefik:/etc/traefik
|
||||||
|
labels:
|
||||||
|
- traefik.enable=true
|
||||||
|
- traefik.http.middlewares.auth.basicauth.users=alpha:{{ traefik.password | password_hash("md5") | replace("$", "$$") }}
|
||||||
|
- traefik.http.routers.traefik.rule=Host(`{{ traefik.host_rules.traefik }}`)
|
||||||
|
- traefik.http.routers.traefik.tls=true
|
||||||
|
- traefik.http.routers.traefik.tls.certresolver=le
|
||||||
|
- traefik.http.routers.traefik.middlewares=auth
|
||||||
|
- traefik.http.routers.traefik.service=api@internal
|
||||||
|
restart: always
|
||||||
|
|
||||||
|
- name: get docker ip
|
||||||
|
block:
|
||||||
|
# - shell: ip -4 addr show docker0 | grep -Po 'inet \K[\d.]+' | head -n 1
|
||||||
|
- shell: docker network inspect on-fire-within_default | jq --raw-output .[0].IPAM.Config[0].Gateway
|
||||||
|
register: docker_ip_result
|
||||||
|
- set_fact:
|
||||||
|
docker_ip: "{{ docker_ip_result.stdout | trim }}"
|
||||||
|
|
||||||
|
- name: traefik dynamic configuration
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
[http.routers]
|
||||||
|
[http.routers.hassio]
|
||||||
|
rule = "Host(`{{ traefik.host_rules.hassio }}`)"
|
||||||
|
service = "hassio"
|
||||||
|
[http.routers.hassio.tls]
|
||||||
|
certResolver = "le"
|
||||||
|
|
||||||
|
[http.services]
|
||||||
|
[http.services.hassio.loadBalancer]
|
||||||
|
[[http.services.hassio.loadBalancer.servers]]
|
||||||
|
url = "http://{{ docker_ip }}:8123/"
|
||||||
|
dest: /etc/traefik/dynamic_conf.toml
|
||||||
|
mode: 0600
|
||||||
|
|
||||||
|
handlers:
|
||||||
|
- name: restart ddclient
|
||||||
|
docker_container:
|
||||||
|
name: ddclient
|
||||||
|
restart: yes
|
||||||
|
ignore_errors: yes
|
||||||
|
|
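Review bot: The Traefik static configuration enables the unauthenticated API (`insecure = true` under `[api]`) while the compose definition publishes `- 8080:8080`, so the dashboard and API are reachable on the host's port 8080 with no credentials, bypassing the `auth` basicauth middleware that the `traefik` router applies to `api@internal` on 443. Since that router already fronts the API, drop both lines: remove `insecure = true` (or set `insecure = false`) from `traefik.toml` and remove `- 8080:8080` from the `traefik` service's `ports`. The basicauth entry is produced with `password_hash("md5")`; Traefik also accepts bcrypt hashes in `basicauth.users`, which is the stronger choice if the control node has passlib available for `password_hash("bcrypt")`. The three `mode: 0600` values are unquoted octal and are parsed as integers by YAML; Ansible documents the leading-zero form as accepted, but quoting them (`mode: "0600"`) removes the dependence on that behaviour.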
@ -1,22 +0,0 @@
|
|||||||
- hosts: linux
|
|
||||||
become: yes
|
|
||||||
tasks:
|
|
||||||
|
|
||||||
- name: create user
|
|
||||||
user:
|
|
||||||
name: alpha
|
|
||||||
password: "{{ password | password_hash('sha512') }}"
|
|
||||||
shell: /bin/bash
|
|
||||||
|
|
||||||
- name: give user sudo access
|
|
||||||
lineinfile:
|
|
||||||
path: /etc/sudoers.d/alpha
|
|
||||||
line: "alpha ALL=(ALL) NOPASSWD: ALL"
|
|
||||||
create: yes
|
|
||||||
validate: visudo -cf %s
|
|
||||||
|
|
||||||
- name: add ssh keys
|
|
||||||
authorized_key:
|
|
||||||
user: alpha
|
|
||||||
key: https://github.com/kejadlen.keys
|
|
||||||
|
|
@ -0,0 +1,44 @@
|
|||||||
|
- hosts: pi_bootstrap
|
||||||
|
become: yes
|
||||||
|
tasks:
|
||||||
|
|
||||||
|
- name: change hostname to {{ hostname }}
|
||||||
|
hostname:
|
||||||
|
name: "{{ hostname }}"
|
||||||
|
notify: reboot
|
||||||
|
|
||||||
|
- name: update hostname in /etc/hosts
|
||||||
|
replace:
|
||||||
|
path: /etc/hosts
|
||||||
|
regexp: '(\s+)raspberrypi(\s+.*)?$'
|
||||||
|
replace: '\1{{ hostname }}\2'
|
||||||
|
notify: reboot
|
||||||
|
|
||||||
|
- name: disable wifi
|
||||||
|
lineinfile:
|
||||||
|
path: /boot/config.txt
|
||||||
|
insertafter: dtoverlay
|
||||||
|
line: dtoverlay=pi3-disable-wifi
|
||||||
|
notify: reboot
|
||||||
|
|
||||||
|
- name: create user
|
||||||
|
user:
|
||||||
|
name: alpha
|
||||||
|
password: "{{ password | password_hash('sha512') }}"
|
||||||
|
shell: /bin/bash
|
||||||
|
|
||||||
|
- name: give user sudo access
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/sudoers.d/alpha
|
||||||
|
line: "alpha ALL=(ALL) NOPASSWD: ALL"
|
||||||
|
create: yes
|
||||||
|
validate: visudo -cf %s
|
||||||
|
|
||||||
|
- name: add ssh keys
|
||||||
|
authorized_key:
|
||||||
|
user: alpha
|
||||||
|
key: https://github.com/kejadlen.keys
|
||||||
|
|
||||||
|
handlers:
|
||||||
|
- name: reboot
|
||||||
|
reboot:
|
@ -0,0 +1,44 @@
|
|||||||
|
# https://www.raspberrypi.org/documentation/configuration/security.md
|
||||||
|
|
||||||
|
- hosts: pi
|
||||||
|
become: yes
|
||||||
|
tasks:
|
||||||
|
- name: disable ssh password logins
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/ssh/sshd_config
|
||||||
|
regexp: '^(#\s*)?{{ item }} '
|
||||||
|
line: "{{ item }} no"
|
||||||
|
notify: reload ssh
|
||||||
|
with_items:
|
||||||
|
- ChallengeResponseAuthentication
|
||||||
|
- PasswordAuthentication
|
||||||
|
- UsePAM
|
||||||
|
|
||||||
|
- name: disable pi user
|
||||||
|
user:
|
||||||
|
name: pi
|
||||||
|
password: !
|
||||||
|
|
||||||
|
- name: install fail2ban
|
||||||
|
package:
|
||||||
|
name: fail2ban
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: create jail.local
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
[sshd]
|
||||||
|
enabled = true
|
||||||
|
dest: /etc/fail2ban/jail.local
|
||||||
|
notify: reload fail2ban
|
||||||
|
|
||||||
|
handlers:
|
||||||
|
- name: reload ssh
|
||||||
|
service:
|
||||||
|
name: ssh
|
||||||
|
state: reloaded
|
||||||
|
|
||||||
|
- name: reload fail2ban
|
||||||
|
service:
|
||||||
|
name: fail2ban
|
||||||
|
state: reloaded
|
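Review bot: In the `disable pi user` task, `password: !` is unquoted, and a bare `!` is the YAML non-specific tag indicator rather than a string, so the value most likely reaches the `user` module as an empty string instead of the literal `!`; an empty password field does not lock the account and can permit login with no password wherever empty passwords are allowed. Quote it as `password: '!'`, which is the form the Ansible `user` module documents for a disabled account, and consider `shell: /usr/sbin/nologin` alongside it. The `sshd_config` task's regexp `'^(#\s*)?{{ item }} '` only matches a keyword followed by a space, so an existing tab- or `=`-separated entry would be left in place and a second line appended; `'^(#\s*)?{{ item }}\s'` is slightly more robust. `become: yes` is the YAML 1.1 truthy spelling; `true` is the portable form.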