parent
02e5f4a94a
commit
ddfe75225b
@ -0,0 +1,2 @@
|
||||
hosts.yml
|
||||
host_vars
|
@ -0,0 +1,26 @@
|
||||
# ansible
|
||||
|
||||
## Raspberry Pi
|
||||
|
||||
1. [Download Raspberian Stretch Lite](https://www.raspberrypi.org/downloads/raspbian/)
|
||||
1. Install Etcher: `brew cask install balenaetcher`
|
||||
1. [Flash the SD card](https://www.raspberrypi.org/documentation/installation/installing-images/README.md)
|
||||
|
||||
1. [Enable SSH](https://www.raspberrypi.org/documentation/remote-access/ssh/)
|
||||
|
||||
1. Run the Ansible playbooks
|
||||
1. Add the host to the `pi_bootstrap` group and set the `password` variable
|
||||
on the host
|
||||
1. Connect to the host via SSH (so Ansible can piggyback off the existing
|
||||
connection and not have to deal with password shenanigans)
|
||||
1. `ansible-playbook playbooks/pi/bootstrap.yml`
|
||||
1. `ansible-playbook {{ host }}/main.yml`
|
||||
|
||||
### etc
|
||||
|
||||
1. Use `raspi-config` to set up the WiFi
|
||||
- [Additional setup](https://www.raspberrypi.org/documentation/configuration/wireless/wireless-cli.md)
|
||||
- Add `scan_ssid=1` to `/etc/wpa_supplicant/wpa_supplicant.conf`
|
||||
- Restart WiFi: `wpa_cli -i wlan0 reconfigure`
|
||||
1. Use `raspi-config` to set the keyboard layout
|
||||
|
@ -0,0 +1,22 @@
|
||||
FROM armhf/alpine
|
||||
|
||||
# https://wiki.alpinelinux.org/wiki/Ddclient
|
||||
|
||||
RUN apk update && apk upgrade && \
|
||||
apk add \
|
||||
curl \
|
||||
make \
|
||||
perl \
|
||||
perl-io-socket-ssl
|
||||
RUN cpan install Test::Requires && cpan Data::Validate::IP
|
||||
|
||||
RUN cd tmp && \
|
||||
curl --location https://github.com/ddclient/ddclient/archive/v3.9.0.tar.gz > ddclient-3.9.0.tar.gz && \
|
||||
tar xvz < ddclient-3.9.0.tar.gz && \
|
||||
cp ddclient-3.9.0/ddclient /usr/sbin && \
|
||||
mkdir /etc/ddclient && \
|
||||
mkdir -p /var/cache/ddclient
|
||||
|
||||
VOLUME /etc/ddclient
|
||||
|
||||
ENTRYPOINT [ "ddclient", "-foreground" ]
|
@ -0,0 +1,16 @@
|
||||
# On Fire Within
|
||||
|
||||
## Setup
|
||||
|
||||
- [Installing Hass.io](https://www.home-assistant.io/hassio/installation/)
|
||||
|
||||
1. `ansible-playbook playbooks/pi/bootstrap.yml`
|
||||
1. `ansible-playbook on-fire-within/bootstrap.yml`
|
||||
1. `curl -fsSL get.docker.com | sh`
|
||||
- `sudo usermod -aG docker alpha`
|
||||
1. `curl -sL "https://raw.githubusercontent.com/home-assistant/hassio-installer/master/hassio_install.sh" | bash -s -- -m raspberrypi4`
|
||||
1. `ansible-playbook on-fire-within/main.yml`
|
||||
|
||||
## Notes
|
||||
|
||||
- `/usr/share/hassio`
|
@ -0,0 +1,29 @@
|
||||
# https://www.home-assistant.io/hassio/installation/
|
||||
|
||||
- hosts: on_fire_within
|
||||
become: yes
|
||||
tasks:
|
||||
# Forgot what I need this for...
|
||||
- name: install software-properties-common
|
||||
apt: name=software-properties-common
|
||||
|
||||
- name: install other dependencies for hass.io
|
||||
apt:
|
||||
name:
|
||||
- apparmor-utils
|
||||
- apt-transport-https
|
||||
- avahi-daemon
|
||||
- ca-certificates
|
||||
- curl
|
||||
- dbus
|
||||
- jq
|
||||
- network-manager
|
||||
- socat
|
||||
update_cache: yes
|
||||
- service:
|
||||
name: ModemManager
|
||||
enabled: false
|
||||
|
||||
# homekit
|
||||
- name: install dependenies for homekit
|
||||
apt: name=libavahi-compat-libdnssd-dev
|
@ -0,0 +1,166 @@
|
||||
- import_playbook: ../playbooks/pi/security.yml
|
||||
- import_playbook: hass-io.yml
|
||||
|
||||
- hosts: on_fire_within
|
||||
become: yes
|
||||
tasks:
|
||||
- name: install dependencies
|
||||
apt:
|
||||
name:
|
||||
- git
|
||||
- vim
|
||||
|
||||
# Needed for Docker stuff
|
||||
- docker-compose
|
||||
- python-pip
|
||||
- python-backports-shutil-get-terminal-size
|
||||
- python-backports.ssl-match-hostname
|
||||
|
||||
- name: install python docker packages
|
||||
pip:
|
||||
name:
|
||||
- docker
|
||||
- docker-compose
|
||||
state: latest
|
||||
|
||||
- name: create conf dirs
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
with_items:
|
||||
- /etc/ddclient
|
||||
- /etc/traefik
|
||||
|
||||
- name: configure ddclient
|
||||
copy:
|
||||
content: |
|
||||
daemon=300
|
||||
|
||||
use=web
|
||||
ssl=yes
|
||||
protocol=googledomains
|
||||
|
||||
{% for host in hosts %}
|
||||
login={{ host.login }}, password={{ host.password }} {{ host.host }}
|
||||
{% endfor %}
|
||||
dest: /etc/ddclient/ddclient.conf
|
||||
mode: 0600
|
||||
vars:
|
||||
hosts: "{{ ddclient.hosts }}"
|
||||
notify: restart ddclient
|
||||
|
||||
- name: traefik static configuration
|
||||
copy:
|
||||
content: |
|
||||
[providers]
|
||||
[providers.docker]
|
||||
exposedByDefault = false
|
||||
[providers.file]
|
||||
filename = "/etc/traefik/dynamic_conf.toml"
|
||||
watch = true
|
||||
|
||||
[entryPoints]
|
||||
[entryPoints.http]
|
||||
address = ":80"
|
||||
|
||||
[entryPoints.https]
|
||||
address = ":443"
|
||||
|
||||
[certificatesResolvers.le.acme]
|
||||
email = "{{ email }}"
|
||||
storage = "/etc/traefik/acme.json"
|
||||
[certificatesResolvers.le.acme.httpChallenge]
|
||||
entryPoint = "http"
|
||||
|
||||
[api]
|
||||
insecure = true
|
||||
dest: /etc/traefik/traefik.toml
|
||||
mode: 0600
|
||||
|
||||
- name: docker all the things!
|
||||
docker_compose:
|
||||
project_name: on-fire-within
|
||||
definition:
|
||||
version: '2'
|
||||
services:
|
||||
ddclient:
|
||||
image: kejadlen/ddclient:latest
|
||||
container_name: ddclient
|
||||
volumes:
|
||||
- /etc/ddclient:/etc/ddclient
|
||||
restart: always
|
||||
pihole:
|
||||
image: pihole/pihole:latest
|
||||
container_name: pihole
|
||||
ports:
|
||||
- 53:53/tcp
|
||||
- 53:53/udp
|
||||
environment:
|
||||
TZ: America/Los_Angeles
|
||||
VIRTUAL_HOST: "{{ pihole.host }}"
|
||||
WEBPASSWORD: "{{ pihole.password }}"
|
||||
volumes:
|
||||
- /etc/pihole:/etc/pihole
|
||||
- /etc/dnsmasq.d:/etc/dnsmasq.d
|
||||
dns:
|
||||
- 127.0.0.1
|
||||
- 1.1.1.1
|
||||
labels:
|
||||
- traefik.enable=true
|
||||
- traefik.http.routers.pihole.rule=Host(`{{ traefik.host_rules.pihole }}`)
|
||||
- traefik.http.routers.pihole.tls=true
|
||||
- traefik.http.routers.pihole.tls.certresolver=le
|
||||
- traefik.http.services.pihole.loadbalancer.server.port=80
|
||||
restart: always
|
||||
traefik:
|
||||
image: traefik:latest
|
||||
container_name: traefik
|
||||
ports:
|
||||
- 80:80
|
||||
- 8080:8080
|
||||
- 443:443
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
- /etc/traefik:/etc/traefik
|
||||
labels:
|
||||
- traefik.enable=true
|
||||
- traefik.http.middlewares.auth.basicauth.users=alpha:{{ traefik.password | password_hash("md5") | replace("$", "$$") }}
|
||||
- traefik.http.routers.traefik.rule=Host(`{{ traefik.host_rules.traefik }}`)
|
||||
- traefik.http.routers.traefik.tls=true
|
||||
- traefik.http.routers.traefik.tls.certresolver=le
|
||||
- traefik.http.routers.traefik.middlewares=auth
|
||||
- traefik.http.routers.traefik.service=api@internal
|
||||
restart: always
|
||||
|
||||
- name: get docker ip
|
||||
block:
|
||||
# - shell: ip -4 addr show docker0 | grep -Po 'inet \K[\d.]+' | head -n 1
|
||||
- shell: docker network inspect on-fire-within_default | jq --raw-output .[0].IPAM.Config[0].Gateway
|
||||
register: docker_ip_result
|
||||
- set_fact:
|
||||
docker_ip: "{{ docker_ip_result.stdout | trim }}"
|
||||
|
||||
- name: traefik dynamic configuration
|
||||
copy:
|
||||
content: |
|
||||
[http.routers]
|
||||
[http.routers.hassio]
|
||||
rule = "Host(`{{ traefik.host_rules.hassio }}`)"
|
||||
service = "hassio"
|
||||
[http.routers.hassio.tls]
|
||||
certResolver = "le"
|
||||
|
||||
[http.services]
|
||||
[http.services.hassio.loadBalancer]
|
||||
[[http.services.hassio.loadBalancer.servers]]
|
||||
url = "http://{{ docker_ip }}:8123/"
|
||||
dest: /etc/traefik/dynamic_conf.toml
|
||||
mode: 0600
|
||||
|
||||
handlers:
|
||||
- name: restart ddclient
|
||||
docker_container:
|
||||
name: ddclient
|
||||
restart: yes
|
||||
ignore_errors: yes
|
||||
|
@ -1,22 +0,0 @@
|
||||
- hosts: linux
|
||||
become: yes
|
||||
tasks:
|
||||
|
||||
- name: create user
|
||||
user:
|
||||
name: alpha
|
||||
password: "{{ password | password_hash('sha512') }}"
|
||||
shell: /bin/bash
|
||||
|
||||
- name: give user sudo access
|
||||
lineinfile:
|
||||
path: /etc/sudoers.d/alpha
|
||||
line: "alpha ALL=(ALL) NOPASSWD: ALL"
|
||||
create: yes
|
||||
validate: visudo -cf %s
|
||||
|
||||
- name: add ssh keys
|
||||
authorized_key:
|
||||
user: alpha
|
||||
key: https://github.com/kejadlen.keys
|
||||
|
@ -0,0 +1,44 @@
|
||||
- hosts: pi_bootstrap
|
||||
become: yes
|
||||
tasks:
|
||||
|
||||
- name: change hostname to {{ hostname }}
|
||||
hostname:
|
||||
name: "{{ hostname }}"
|
||||
notify: reboot
|
||||
|
||||
- name: update hostname in /etc/hosts
|
||||
replace:
|
||||
path: /etc/hosts
|
||||
regexp: '(\s+)raspberrypi(\s+.*)?$'
|
||||
replace: '\1{{ hostname }}\2'
|
||||
notify: reboot
|
||||
|
||||
- name: disable wifi
|
||||
lineinfile:
|
||||
path: /boot/config.txt
|
||||
insertafter: dtoverlay
|
||||
line: dtoverlay=pi3-disable-wifi
|
||||
notify: reboot
|
||||
|
||||
- name: create user
|
||||
user:
|
||||
name: alpha
|
||||
password: "{{ password | password_hash('sha512') }}"
|
||||
shell: /bin/bash
|
||||
|
||||
- name: give user sudo access
|
||||
lineinfile:
|
||||
path: /etc/sudoers.d/alpha
|
||||
line: "alpha ALL=(ALL) NOPASSWD: ALL"
|
||||
create: yes
|
||||
validate: visudo -cf %s
|
||||
|
||||
- name: add ssh keys
|
||||
authorized_key:
|
||||
user: alpha
|
||||
key: https://github.com/kejadlen.keys
|
||||
|
||||
handlers:
|
||||
- name: reboot
|
||||
reboot:
|
@ -0,0 +1,44 @@
|
||||
# https://www.raspberrypi.org/documentation/configuration/security.md
|
||||
|
||||
- hosts: pi
|
||||
become: yes
|
||||
tasks:
|
||||
- name: disable ssh password logins
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
regexp: '^(#\s*)?{{ item }} '
|
||||
line: "{{ item }} no"
|
||||
notify: reload ssh
|
||||
with_items:
|
||||
- ChallengeResponseAuthentication
|
||||
- PasswordAuthentication
|
||||
- UsePAM
|
||||
|
||||
- name: disable pi user
|
||||
user:
|
||||
name: pi
|
||||
password: !
|
||||
|
||||
- name: install fail2ban
|
||||
package:
|
||||
name: fail2ban
|
||||
state: present
|
||||
|
||||
- name: create jail.local
|
||||
copy:
|
||||
content: |
|
||||
[sshd]
|
||||
enabled = true
|
||||
dest: /etc/fail2ban/jail.local
|
||||
notify: reload fail2ban
|
||||
|
||||
handlers:
|
||||
- name: reload ssh
|
||||
service:
|
||||
name: ssh
|
||||
state: reloaded
|
||||
|
||||
- name: reload fail2ban
|
||||
service:
|
||||
name: fail2ban
|
||||
state: reloaded
|
Loading…
Reference in new issue