initial bootstrapping workflow

README.md

@@ -1,10 +1,20 @@
 # Raspberry Pi NAS
 
-This repository contains all configuration I use to set up a Raspberry Pi 4B as
-a NAS and media storage server. This repository will most likely evolve a lot.
+Ansible configuration repository for my Raspberry Pi's.
 
-The Pi is used to host the following:
+## Initial setup for new systems
 
-* Samba network share for access to family pictures
-* [Photoview](https://photoview.github.io/) instance for accessing image over the internet
-* [Jellyfin](https://jellyfin.org/) for accessing media library as well
+1. Flash [Debian Raspberry Pi](https://raspi.debian.net/) on the SD card.
+2. Configure `/boot/firmware/sysconf.txt`
+    1. Set `hostname` to the desired name
+    2. Set `root_authorized_key` to the contents of the current computer's
+      public SSH key
+3. Put SD card in Pi and boot
+4. Connect Pi to wired internet
+5. Determine IP address given to the new Pi
+6. Add this IP address to the `initial-hosts.ini` file, along with the
+   `static_ip` host var set to the desired static IP address
+8. Comment out `ansible_ssh_user` in `group_vars/all/vars.yml`, as this
+   overwrites the one set in the hosts file
+9. Run `ansible-playbook -i initial-hosts.ini first_run.yml`. This command will
+   hang at the `restart networking` step; at this point you can Ctrl-C.

first_run.yml

@@ -0,0 +1,11 @@
+---
+- name: Install Python
+  hosts: all
+  gather_facts: no
+  roles:
+    - install-python
+
+- name: Configure base system.
+  hosts: all
+  roles:
+    - base

group_vars/all/vars.yml

@@ -1,14 +1,13 @@
 ---
-ansible_ssh_user: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          63363333613666383765643633393735396439386662346364643730373138333931303833393339
-          6430306434646562396134373433343439316133303931640a343536383539666132633636303031
-          65643735333839613636613963303433623933366532623037323963646462366464623739393461
-          3233613932616531360a326235346464333566633466633864343261663831336166313230306635
-          3265
-
+ansible_ssh_user: debian
 ansible_ssh_port: 22
 
+# Values for static IP configuration
+broadcast_ip: 192.168.0.255
+router_ip: 192.168.0.1
+
+debian_pass: "{{ vault_debian_pass }}"
+
 ansible_become_pass: !vault |
           $ANSIBLE_VAULT;1.1;AES256
           38306565386265383731653936353766396630626163316335643261613561363030653561346239
@@ -28,3 +27,4 @@ lambroek_password: !vault |
           36386632303939646632393362373838663337663063326338623534326561656561633131376138
           64376237373133333761313635346266306638383038663333366139303437323562303733373764
           63316564393763643834643232663462333633373639633938663035633063356530
+

group_vars/all/vault.yml

@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.1;AES256
+37303338366435366664333235623930303461666537326463613536303263353233303631653061
+3365613139333035616434376464386436653863366338650a366363336438313364646432626335
+32396334643064326531393930666263643163636163316430616434363139316665323262616538
+3665633530616432350a326439636231383765666365386433313432373432373938656638373636
+34323166343965616330366265353462626132356565316637313430343462363163

initial-hosts.ini

@@ -0,0 +1,5 @@
+192.168.0.216 static_ip=192.168.0.3
+
+[all:vars]
+# These are expected to be the same
+ansible_ssh_user=root

roles/base/files/authorized_keys

@@ -0,0 +1,5 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCkDjXuZn+blanbJAhte8KttrpeCPeT5CGcZ5mlAZv724wTa4qebpwCnf4SK4aFuDQEuCusnia3+X7YWAyCDReNURznAWCtq+b8LGxyIm2hTBbLA1m8sj0xidR/djlUtOwDp9VpSNamUWyiPWJ+WNsPd9xLJ6BK3qRsoFiMN87sO12L7DHHDaMze628Oc+IxFd+VZnH0dPVgitis31f+lXCr8w5qSiEepDJ8Nde8M+Ev1RrPQbR5Q5C+wYxlbY0oPNlGqSrs5i1jJl0BVMI4DlibxatTfuteU5IwcDMQObJr3xJGKNTPswSdzpfJFrLfUBZvsDs94BXEHR2CtxZ4aLQPeLfosWe4zuGvX22p7TzSPx1LkuqIF85Tw1PvK3f7u3l9sozHORAoEA8sFHG+DolqldgjuUgCGpfF/QOY1jkGpbEhq57kKFH+VlFI2XePGQ6299R9RN/Y4S88v14ChLwoLSNWgxK+CgYgB4lbquAIKTKsRla3gkEeziz+qoHPQkD5RcajrWOfSKU4alORpgQerSFZ9zMoz9N2rfTVEzCsVUj0Jiwtd5O7pCX9PWBhz1Nl1ItrRPuFiTSKB05dqsQ1CDZAZMDPJNqotd6QRS5+cKzFLgvU6k/gk08/qV00VM+BxlXkh8PwAhaxNPjMxjzqHx0+xC38FtacuhJiOV91Q== roosensjef@gmail.com
+
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCgHqW7mLuaW8XEFJrg031ES7v7y6Uk5QUp++axTd0wzvt5qfqTox9Hg1Xk5C9hdEfYzS5NCU+uoiInR0aHZ3Cl+yxqi3VqDfO20j6Irrt2SOBB86Gsyu9Brj62xtS0rY/e9rmyULJGUtJEz3UmFvn8fE5hUpGjDg7NByFs8f054pzifWw8F/wOvF5rKo9GqkWeXEUZ456FmowXCQLl5SypQliOsHJDs89NiTVvOxiKQXULBhj8o4c0MyCeFfPWqOutSSAetmbnegEjOTy7f/0IiqB+5713KOh1Bm1/u+3J2IVbRgeG1iTJdDVeIxBGmA1wMLvrBtBRIS0MaKa1Xabo3QTgYPHNGrf2w+GMnuoQ6/tdD6omPWGTHXqtHKEeIW1JrlDyhOo86oCl+l2aveMwhFFGW4nQmW7sfrowyLHdU3BpGl4m7pGa+5sTsHiOGEqEN/a7xikztXkuKacQ8E/y1C8gDXgaX8zFl6VOwR5EfMEMX390tz+R+ErDU81h47tSkwbY3KhunSKwPT8jSMldBttnCIexd+QuQgOlSwXkYVPPmXtPUkfp+4VzWSWeGKAa9k3HtVMIvKdVk9eXDVNnVdaAL+EkHyXOyFVVGa9gJ3ZOWhHMNi2/kHAwWMI9CwRxj7AVk30KGBhPN0wdS9Dt8/0Aa33hWuY2p9DxtNaiNw== roosensjef@gmail.com
+
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkcCTP0IE/ANIXJJIMWEg4f5riS8uv3KuypkzQC47XN roosensjef@gmail.com

roles/base/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart networking
+  service:
+    name: networking
+    state: restarted

roles/base/tasks/main.yml

@@ -1,25 +1,37 @@
-- name: Install packages
+---
+- name: Install sudo.
   apt:
-    name:
-      # Needed for handling GPG keys for repositories
-      - debian-keyring
-      - debian-archive-keyring
-      - apt-transport-https
-
-      # Easy to edit files
-      - vim
-      - tmux
+    name: sudo
     state: present
 
-- name: Install Vim config
-  get_url:
-    url: 'https://r8r.be/vim'
-    dest: '{{ item.dest }}'
-    owner: "{{ item.user }}"
-    group: "{{ item.user }}"
-    mode: '644'
-  with_items:
-    - user: debian
-      dest: "/home/debian/.vimrc"
-    - user: root
-      dest: "/root/.vimrc"
+- name: Create debian user.
+  user:
+    name: debian
+    groups: sudo
+    append: true
+    create_home: yes
+    shell: /bin/bash
+    password: "{{ vault_debian_pass | password_hash('sha512') }}"
+    update_password: on_create
+
+- name: Create SSH directory.
+  file:
+    path: /home/debian/.ssh/
+    state: directory
+    owner: debian
+    group: debian
+    mode: '700'
+
+- name: Add authorized SSH keys.
+  copy:
+    src: authorized_keys
+    dest: /home/debian/.ssh/authorized_keys
+    owner: debian
+    group: debian
+    mode: '600'
+
+- name: Install networking config file.
+  template:
+    src: interfaces.j2
+    dest: /etc/network/interfaces.d/eth0
+  notify: restart networking

roles/base/templates/interfaces.j2

@@ -0,0 +1,7 @@
+auto eth0
+iface eth0 inet static
+	address {{ static_ip }}
+	broadcast {{ broadcast_ip }}
+	netmask 255.255.255.0
+	gateway {{ router_ip }}
+	dns-nameservers {{ router_ip }} 8.8.8.8

roles/common/tasks/main.yml

@@ -0,0 +1,26 @@
+- name: Install packages
+  apt:
+    name:
+      # Needed for handling GPG keys for repositories
+      - debian-keyring
+      - debian-archive-keyring
+      - apt-transport-https
+
+      # Easy to edit files
+      - vim
+      - tmux
+      - htop
+    state: present
+
+- name: Install Vim config
+  get_url:
+    url: 'https://r8r.be/vim'
+    dest: '{{ item.dest }}'
+    owner: "{{ item.user }}"
+    group: "{{ item.user }}"
+    mode: '644'
+  with_items:
+    - user: debian
+      dest: "/home/debian/.vimrc"
+    - user: root
+      dest: "/root/.vimrc"

roles/install-python/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Update package database
+  raw: apt update
+
+- name: Install Python
+  raw: apt install -y python3