From 592992f031310e0cdcefdf044dc0a290ce344d80 Mon Sep 17 00:00:00 2001
From: Chewing_Bever
Date: Sun, 24 Dec 2023 20:52:13 +0100
Subject: [PATCH] jelly, caddy, other stuff

---
 first_run.yml | 13 ++++++-----
 group_vars/all/vars.yml | 13 ----------
 group_vars/nas/vars.yml | 2 ++
 group_vars/nas/vault.yml | 7 ++++++
 hosts.ini | 3 ++-
 nas.yml | 36 +++++++++++++++++++++++++++++
 roles/base/tasks/main.yml | 9 +++++++-
 roles/caddy/files/Caddyfile | 16 +++++++++++++
 roles/caddy/handlers/main.yml | 5 ++++
 roles/caddy/tasks/main.yml | 17 ++++++++++++++
 roles/common/tasks/main.yml | 12 ++++++++++
 roles/install-python/tasks/main.yml | 6 -----
 roles/jellyfin/tasks/main.yml | 12 +++++++++-
 roles/net-security/tasks/main.yml | 14 ----------
 roles/raid/tasks/main.yml | 20 ++++++++++++++++
 roles/samba/handlers/main.yml | 5 ++++
 roles/samba/tasks/main.yml | 5 ++--
 17 files changed, 150 insertions(+), 45 deletions(-)
 create mode 100644 group_vars/nas/vars.yml
 create mode 100644 group_vars/nas/vault.yml
 create mode 100644 nas.yml
 create mode 100644 roles/caddy/files/Caddyfile
 create mode 100644 roles/caddy/handlers/main.yml
 delete mode 100644 roles/install-python/tasks/main.yml
 delete mode 100644 roles/net-security/tasks/main.yml
 create mode 100644 roles/raid/tasks/main.yml

diff --git a/first_run.yml b/first_run.yml
index 7f22173..45cc231 100644
--- a/first_run.yml
+++ b/first_run.yml
@@ -1,11 +1,12 @@
 ---
-- name: Install Python
- hosts: all
- gather_facts: no
- roles:
- - install-python
-
 - name: Configure base system.
 hosts: all
+ gather_facts: no
+ # Debian installs don't have Python by default
+ pre_tasks:
+ - name: Update package database
+ raw: apt update
+ - name: Install Python
+ raw: apt install -y python3
 roles:
 - base
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index b08ee1c..5579c57 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
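Review bot: Both `raw` pre_tasks in first_run.yml report `changed` on every run, because `raw` carries no idempotence check of its own, so the play can never converge; add `changed_when: false` to `raw: apt update`, and for `raw: apt install -y python3` register the output and derive `changed_when` from it. The play also has no `become`, unlike every play in nas.yml, so the apt commands only work when the inventory user is already root — presumably the intent, but the comment above `pre_tasks` should say so. The hunk covers the whole play, so nothing continues outside it.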
@@ -15,16 +15,3 @@ ansible_become_pass: !vault |
 36343435646561643662373138613237626461373330346566356132636366623731643838383633
 3765666163656264340a663138623535626161376666323862373131383637356231323737313564
 6430
-
-lambroek_password: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 33373365393262643630646336323731376232646138613061363933366265393863636536303430
- 3738363338653035623039383463643761343261336366620a353532613132343439333563663664
- 61643135323936323362326365663366333864363735363438636361643734333930616566356563
- 3038373639646338380a393061376135353564373062353139366461383939333161333936613430
- 33383233336531663261373631363733323839353235613131363966643838373033373437613764
- 37306137366666663938616465393464653961643732636236636438396165623165653363623135
- 36386632303939646632393362373838663337663063326338623534326561656561633131376138
- 64376237373133333761313635346266306638383038663333366139303437323562303733373764
- 63316564393763643834643232663462333633373639633938663035633063356530
-
diff --git a/group_vars/nas/vars.yml b/group_vars/nas/vars.yml
new file mode 100644
index 0000000..4afc031
--- /dev/null
+++ b/group_vars/nas/vars.yml
@@ -0,0 +1,2 @@
+raid_uuid: '4d184875-19eb-4923-9b79-bf669c1f7978'
+lambroek_password: "{{ vault_lambroek_password }}"
diff --git a/group_vars/nas/vault.yml b/group_vars/nas/vault.yml
new file mode 100644
index 0000000..547b0e2
--- /dev/null
+++ b/group_vars/nas/vault.yml
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+63336531383736643438396339366463383265373633373666623566616538316666323136626537
+3462346135616462383838613531343537313165653962370a343965613330636566393363633733
+35313039626430346264373361306464343532316532353232666166656531346237613033383662
+3563663536616362620a626563666631336537373961636232386430366139396262666466626633
+30653138633830636130663139373462663266643332303234303564353162333031383331396562
+6136386164613435633835336462663834376130383362666561
diff --git a/hosts.ini b/hosts.ini
index e91633a..cd752ae 100644
--- a/hosts.ini
+++ b/hosts.ini
@@ -1 +1,2 @@
-192.168.0.3
+[nas]
+192.168.0.3 static_ip=192.168.0.3
diff --git a/nas.yml b/nas.yml
new file mode 100644
index 0000000..d7c40d3
--- /dev/null
+++ b/nas.yml
@@ -0,0 +1,36 @@
+---
+- name: Perform common tasks
+ hosts: nas
+ become: yes
+ roles:
+ - base
+ - common
+ tags: base
+
+- name: Configure BTRFS RAID
+ hosts: nas
+ become: yes
+ roles:
+ - raid
+ tags: raid
+
+- name: Set up Samba
+ hosts: nas
+ become: yes
+ roles:
+ - samba
+ tags: samba
+
+- name: Set up Jellyfin
+ hosts: nas
+ become: yes
+ roles:
+ - jellyfin
+ tags: jellyfin
+
+- name: Set up Caddy
+ hosts: nas
+ become: yes
+ roles:
+ - caddy
+ tags: caddy
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index dafa3f6..8ec3e10 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -4,10 +4,17 @@
 name: sudo
 state: present
 
+- name: Create data group.
+ group:
+ name: data
+ gid: 1002
+
 - name: Create debian user.
 user:
 name: debian
- groups: sudo
+ groups:
+ - sudo
+ - data
 append: true
 create_home: yes
 shell: /bin/bash
diff --git a/roles/caddy/files/Caddyfile b/roles/caddy/files/Caddyfile
new file mode 100644
index 0000000..fdb27ea
--- /dev/null
+++ b/roles/caddy/files/Caddyfile
@@ -0,0 +1,16 @@
+# The Caddyfile is an easy way to configure your Caddy web server.
+#
+# Unless the file starts with a global options block, the first
+# uncommented line is always the address of your site.
+#
+# To use your own domain name (with automatic HTTPS), first make
+# sure your domain's A/AAAA DNS records are properly pointed to
+# this machine's public IP, then replace ":80" below with your
+# domain name.
+
+media.roosens.me {
+ reverse_proxy localhost:8096
+}
+
+# Refer to the Caddy docs for more information:
+# https://caddyserver.com/docs/caddyfile
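Review bot: `become: yes` in all five plays of nas.yml uses the YAML 1.1 truthy spelling that yamllint's `truthy` rule rejects; write `become: true`. The same spelling recurs in this commit as `gather_facts: no` in first_run.yml, `create_home: yes` in roles/base/tasks/main.yml and `create_home: no` in roles/jellyfin/tasks/main.yml, while the new caddy and common tasks already use `enabled: true`, so the repo mixes both forms. Pick lowercase `true`/`false` everywhere so the booleans parse the same under every YAML version and linter.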
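Review bot: The `Create data group.` task in roles/base/tasks/main.yml is what the jellyfin and samba roles rely on when they put their users in `groups: - data`, but nas.yml runs those roles in separate plays with their own tags, so `ansible-playbook nas.yml --tags jellyfin` (or `--tags samba`) on a fresh host fails on the missing group. Declare `base` as a dependency in those roles' `meta/main.yml`, or give the group task a tag that the other plays also carry. The fixed `gid: 1002` is also not explained; add a comment saying why that number is required (e.g. it must match ownership on the data filesystem), or drop it and let the system allocate the gid.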
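Review bot: The nine-line header of roles/caddy/files/Caddyfile is the stock Caddy boilerplate and no longer describes the file: it tells the reader to replace `:80` below, but the site block already uses `media.roosens.me`. Replace it with one line that states what the block does, e.g. `# Public entry point for Jellyfin: Caddy obtains the certificate (automatic HTTPS) and proxies to the local Jellyfin port.`, keeping the docs link at the bottom if wanted. Since this commit also deletes the net-security role together with its `install UFW` TODO, Caddy is presumably not the only path to Jellyfin if the Jellyfin listener binds all interfaces; a comment here or in the caddy role should record whether direct access to 8096 is accepted or still to be blocked.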
diff --git a/roles/caddy/handlers/main.yml b/roles/caddy/handlers/main.yml
new file mode 100644
index 0000000..ddf490e
--- /dev/null
+++ b/roles/caddy/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload-caddy
+ service:
+ name: caddy
+ state: reloaded
diff --git a/roles/caddy/tasks/main.yml b/roles/caddy/tasks/main.yml
index 4f5faa3..f3eb347 100644
--- a/roles/caddy/tasks/main.yml
+++ b/roles/caddy/tasks/main.yml
@@ -1,3 +1,4 @@
+---
 - name: Add Caddy GPG key
 apt_key:
 url: "https://dl.cloudsmith.io/public/caddy/stable/gpg.key"
@@ -16,3 +17,19 @@
 apt:
 name: caddy
 state: present
+
+- name: Copy over Caddyfile
+ copy:
+ src: Caddyfile
+ dest: '/etc/caddy/Caddyfile'
+ owner: root
+ group: root
+ mode: '644'
+ notify: reload-caddy
+
+- name: Ensure Caddy service is running & enabled
+ service:
+ name: caddy
+ state: started
+ enabled: true
+
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index ebc1050..efe7bbf 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -10,6 +10,12 @@
 - vim
 - tmux
 - htop
+
+ # Spam prevention
+ - fail2ban
+
+ # Disk monitoring
+ - smartmontools
 state: present
 
 - name: Install Vim config
@@ -24,3 +30,9 @@
 dest: "/home/debian/.vimrc"
 - user: root
 dest: "/root/.vimrc"
+
+- name: Enable fail2ban
+ service:
+ name: fail2ban
+ state: started
+ enabled: true
diff --git a/roles/install-python/tasks/main.yml b/roles/install-python/tasks/main.yml
deleted file mode 100644
index 484575f..0000000
--- a/roles/install-python/tasks/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: Update package database
- raw: apt update
-
-- name: Install Python
- raw: apt install -y python3
diff --git a/roles/jellyfin/tasks/main.yml b/roles/jellyfin/tasks/main.yml
index bea451e..48b969b 100644
--- a/roles/jellyfin/tasks/main.yml
+++ b/roles/jellyfin/tasks/main.yml
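Review bot: `mode: '644'` on the `Copy over Caddyfile` task in roles/caddy/tasks/main.yml differs from the `mode: '0755'` form the new raid role uses; Ansible accepts both, but `mode: '0644'` makes every mode in the repo read as octal at a glance. The second hunk also ends with an added empty line (the trailing `+`), which yamllint reports as `empty-lines`. Consider `validate: caddy validate --config %s --adapter caddyfile` on the copy task so a broken Caddyfile is rejected before the `reload-caddy` handler reloads the live service.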
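Review bot: `Enable fail2ban` in roles/common/tasks/main.yml starts the service with whatever jail configuration the Debian package ships, and the deleted roles/net-security carried the TODOs `add proper fail2ban config` and `install UFW` that this move drops without a replacement. Add a `jail.local` (copy or template task with a restart handler) so the active jails are declared in the repo rather than inherited from the distro default, and carry the firewall TODO into this role, e.g. `# TODO: host firewall (UFW/nftables); Jellyfin 8096 and Samba should only be reachable as intended`. `smartmontools` is installed in the first hunk but nothing configures or enables `smartd`; if disk monitoring is the goal a task for that belongs next to the fail2ban one.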
@@ -5,7 +5,7 @@
 
 - name: Add Jellyfin repository
 apt_repository:
- repo: "deb https://repo.jellyfin.org/debian bullseye main"
+ repo: "deb https://repo.jellyfin.org/debian bookworm main"
 filename: 'jellyfin'
 state: present
 
@@ -14,6 +14,16 @@
 name: jellyfin
 state: present
 
+- name: Create Jellyfin user
+ user:
+ name: jellyfin
+ groups:
+ - data
+ append: true
+ create_home: no
+ shell: /bin/nologin
+ update_password: on_create
+
 - name: Copy over service file
 copy:
 src: jellyfin.service.conf
diff --git a/roles/net-security/tasks/main.yml b/roles/net-security/tasks/main.yml
deleted file mode 100644
index 83332f2..0000000
--- a/roles/net-security/tasks/main.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-- name: Install fail2ban.
- apt:
- name: fail2ban
- state: present
-
-# TODO add proper fail2ban config
-
-- name: Ensure fail2ban is started & enabled.
- service:
- name: fail2ban
- state: started
- enabled: true
-
-# TODO install UFW
diff --git a/roles/raid/tasks/main.yml b/roles/raid/tasks/main.yml
new file mode 100644
index 0000000..b0e10bf
--- /dev/null
+++ b/roles/raid/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: Install BTRFS tools
+ apt:
+ name: btrfs-progs
+ state: present
+
+- name: Create mountpoint
+ file:
+ path: /mnt/data1
+ state: directory
+ mode: '0755'
+ owner: debian
+ group: debian
+
+- name: Mount RAID
+ mount:
+ path: /mnt/data1
+ src: "UUID={{ raid_uuid }}"
+ fstype: btrfs
+ state: mounted
diff --git a/roles/samba/handlers/main.yml b/roles/samba/handlers/main.yml
index e0b8a12..48e1e38 100644
--- a/roles/samba/handlers/main.yml
+++ b/roles/samba/handlers/main.yml
@@ -3,3 +3,8 @@
 service:
 name: smbd
 state: restarted
+
+- name: smbpasswd-lambroek
+ shell:
+ cmd: "smbpasswd -sa lambroek"
+ stdin: "{{ lambroek_password }}\n{{ lambroek_password }}"
diff --git a/roles/samba/tasks/main.yml b/roles/samba/tasks/main.yml
index b46817e..60ea3c3 100644
--- a/roles/samba/tasks/main.yml
+++ b/roles/samba/tasks/main.yml
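Review bot: `shell: /bin/nologin` in the new `Create Jellyfin user` task is most likely a path that does not exist on Debian, where the binary is `/usr/sbin/nologin`; the samba role in this same commit uses `/sbin/nologin`, so at least make the two consistent and use a path present on the target (`shell: /usr/sbin/nologin`). `update_password: on_create` has no effect without a `password` key and can be dropped. The jellyfin package presumably creates the `jellyfin` system user itself, in which case this task only appends the `data` group; a comment saying so (`# The package creates the user; this only adds it to the data group for media access`) would stop the next reader wondering whether the shell change is intended.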
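Review bot: `Mount RAID` in roles/raid/tasks/main.yml writes the fstab entry with default options, so if a member of the BTRFS array is absent at boot the mount fails and systemd drops the host into emergency mode; for a NAS that is managed over the network, `opts: defaults,nofail` together with a comment about mounting with `degraded` by hand is usually the wanted trade-off — confirm against how this array is expected to fail. `Create mountpoint` also chowns `/mnt/data1` to `debian:debian` on every run, which after the first mount applies to the root of the mounted filesystem rather than to the empty directory; if that is intended, say so in a comment, otherwise move `owner`/`group` to a task that runs after the mount.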
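Review bot: The new `smbpasswd-lambroek` handler in roles/samba/handlers/main.yml feeds the plaintext password through `stdin` without `no_log: true`, so the value is printed in `-v` output, in the handler's result and by any logging callback plugin. Add `no_log: true` to the handler, and use `command:` instead of `shell:` since the command has no shell syntax and the interpolated password never needs to pass through a shell. Because it is a handler it runs only when the notifying `user` task reports a change, so the Samba and Unix passwords stay in sync only as long as that task is idempotent.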
@@ -16,10 +16,9 @@
 create_home: false
 groups:
 - data
- password: "{{ lambroek_password }}"
+ password: "{{ lambroek_password | password_hash('sha512') }}"
 shell: /sbin/nologin
-
-# TODO run "smbpasswd -a lambroek"
+ notify: smbpasswd-lambroek
 
 - name: Copy over smb config file
 copy:
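Review bot: `password_hash('sha512')` without a salt generates a fresh salt on every run, so the hash never equals the one stored in `/etc/shadow`, the `user` task reports `changed` on every play and the `smbpasswd-lambroek` handler re-sets the Samba password each time. Pass a stable salt, e.g. `password: "{{ lambroek_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"`, which is the idiom the Ansible FAQ gives for idempotent user passwords. The `user` task itself starts above the hunk, so its `name`/module lines are not visible here.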