atomaka/home-ansible
1
0
Fork 0
Code Releases Activity

Initial commit

Browse source
This commit is contained in:
Andrew Tomaka 2022-12-21 22:56:39 -05:00
commit d6bd3862eb
Signed by: atomaka
GPG key ID: 61209BF70A5B18BE
19 changed files with 357 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored Normal file
View file

@ -0,0 +1 @@
config/master.key

0
config/.gitinclude Normal file
View file

13
hosts Normal file
View file

@ -0,0 +1,13 @@
---
dns:
hosts:
dns_1:
ansible_host: 192.168.1.3
sync_target: 192.168.1.4
dns_2:
ansible_host: 192.168.1.4
sync_target: 192.168.1.3
nginx:
hosts:
nginx_1:
ansible_host: 192.168.1.12

1
roles/administrators/files/atomaka.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETR1+I4hzK79yoQUvSbBZ3scdXaZvB/9ZOHtJ/rMqig me@atomaka.com

23
roles/administrators/tasks/main.yml Normal file
View file

@ -0,0 +1,23 @@
---
- name: Allow passwordless sudo
lineinfile:
path: /etc/sudoers
regexp: '^%sudo'
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
validate: 'visudo -cf %s'
state: present
- name: Add administrators
user:
name: "{{ item }}"
groups: sudo
shell: /bin/bash
state: present
with_items: "{{ users }}"
- name: Add SSH keys
authorized_key:
user: "{{ item }}"
key: "{{ lookup('file', 'files/{{ item }}.pub') }}"
state: present
with_items: "{{ users }}"

3
roles/administrators/vars/main.yml Normal file
View file

@ -0,0 +1,3 @@
---
users:
- atomaka

20
roles/apt/tasks/main.yml Normal file
View file

@ -0,0 +1,20 @@
---
- name: Install unattended-upgrades
apt:
name: unattended-upgrades
state: present
- name: Install repository tools
apt:
name:
- debian-keyring
- debian-archive-keyring
- apt-transport-https
- ca-certificates
- gnupg
state: present
- name: Ensure unattended-upgrades is runing
service:
name: unattended-upgrades
enabled: true

3
roles/firewall/handlers/main.yml Normal file
View file

@ -0,0 +1,3 @@
- name: Persist iptables
shell:
cmd: iptables-save > /etc/iptables/rules.v4

82
roles/firewall/tasks/main.yml Normal file
View file

@ -0,0 +1,82 @@
---
- name: Install iptables packages
apt:
name: iptables-persistent
state: present
- name: Allow all loopback traffic
iptables:
chain: INPUT
in_interface: lo
jump: ACCEPT
notify: Persist iptables
- name: Allow port ping traffic
iptables:
chain: INPUT
jump: ACCEPT
protocol: icmp
notify: Persist iptables
- name: Allow related and established connections
iptables:
chain: INPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
notify: Persist iptables
- name: Allow SSH
iptables:
chain: INPUT
destination_port: 22
jump: ACCEPT
protocol: tcp
notify: Persist iptables
- name: Allow web
iptables:
chain: INPUT
protocol: tcp
destination_port: 80
jump: ACCEPT
notify: Persist iptables
- name: Allow dns
iptables:
chain: INPUT
protocol: tcp
destination_port: 53
jump: ACCEPT
notify: Persist iptables
- name: Allow dns (udp)
iptables:
chain: INPUT
protocol: udp
destination_port: 53
jump: ACCEPT
notify: Persist iptables
- name: Allow related and established connections
ansible.builtin.iptables:
chain: INPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
- name: Set the policy for the INPUT chain to DROP
iptables:
chain: INPUT
policy: DROP
notify: Persist iptables
- name: Set the policy for the FORWARD chain to DROP
iptables:
chain: FORWARD
policy: DROP
notify: Persist iptables
- name: Set the policy for the OUTPUT chain to ACCEPT
iptables:
chain: OUTPUT
policy: ACCEPT
notify: Persist iptables

17
roles/instance/tasks/main.yml Normal file
View file

@ -0,0 +1,17 @@
---
- name: Set hostname
hostname:
name: '{{ inventory_hostname | replace("_", "-") }}'
- name: Add hostname to /etc/hosts
lineinfile:
dest: /etc/hosts
regexp: '^127\.0\.0\.1[ \t]+localhost'
line: '127.0.0.1 localhost {{ inventory_hostname | replace("_", "-") }}'
state: present
- name: Install ansible pre-requisites
apt:
name:
- acl
state: present

25
roles/pihole/files/id_ed25519 Normal file
View file

@ -0,0 +1,25 @@
$ANSIBLE_VAULT;1.1;AES256
65383462643264626136333163366264353039393537313264303835393537396664633539616534
6664613531623666386661653330386538366466313133390a393562363835326136393664353334
62383932373036303233306138366464323463303238316434383264306632653533623665343066
3037326266326465300a653435646538613636336236343231376635646439663963346130656164
31383238613230356661626230353933346563333939383238336164336362323939666561306433
34353430633131663531333030636137396537643735666533633630393166363739663538363161
35373234623763346661656562346339366531663432666132356132323161323934323262653538
34626130383535396631646439303431363432383265636365633831626162656432333839326137
34386235643132366532316234396635366438623235636630663033396638336337666431653138
38343734663666343334616436363335353764366564376565313834326364646231303662643463
61643932366438366339383032306366376537326665393331333463656262373134656234393264
65626161656163396531313739323732313132623934336337386534366163313933613535323864
30303532396236613836316133363862663764333231326261366235353264356535326334353265
35313534616361316636383161363630393362333362623966373264393138646335316531633136
32333832643836646165643865636566663331333033303839653938653837353063366566623364
65636661623833376236613566623839633734333866393032613861646666333732386166633865
30616237663439383131653836303738653538353162333731343938643765333532373237353336
35363436643833643030663638333663633337326461663866386532396364313330656130653665
31333564363362613330363461383637666366333832326437666435336331643332376339623732
37363139666339313962633961363262343130323531313432623737663737643830316639623864
38393737313838343666376538616334363037353165323039626235646139346361343432316539
62303932306635303731646234633936373562656136623030656231616563623336393466616335
38306162393433306631383432346532376134323034616663373066303932376438656238336361
62336537383461343636

1
roles/pihole/files/id_ed25519.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQu1fLqmEcru0rAk8hTJ59WA3sLO7KDFIc4RgxCI0UP pihole

6
roles/pihole/handlers/main.yml Normal file
View file

@ -0,0 +1,6 @@
- name: Restart dnsmasq
service:
name: dnsmasq
enabled: true
state: restarted
when: ansible_facts.services['dnsmasq.service'] is defined

78
roles/pihole/tasks/main.yml Normal file
View file

@ -0,0 +1,78 @@
---
- name: Create pihole user
user:
name: pihole
groups: sudo
shell: /bin/bash
state: present
- name: Ensure .ssh directory exists.
file:
dest: /home/pihole/.ssh
mode: 0700
owner: pihole
state: directory
- name: Install ssh key
copy:
src: files/id_ed25519
dest: /home/pihole/.ssh/id_ed25519
mode: 0600
owner: pihole
- name: Set the authorized keys
authorized_key:
user: pihole
state: present
key: "{{ lookup('file', 'id_ed25519.pub') }}"
- name: Create pihole directory
file:
path: /etc/pihole
state: directory
- name: Configure pihole
template:
src: templates/setupVars.j2
dest: /etc/pihole/setupVars.conf
notify: Restart dnsmasq
- name: Download pihole installer
become: yes
become_user: pihole
get_url:
url: https://install.pi-hole.net
dest: /tmp/basic-install.sh
mode: 0755
- name: Install pihole
become: yes
become_user: pihole
command:
cmd: /tmp/basic-install.sh --unattended
creates: /usr/local/bin/pihole
- name: Create gravity directory
file:
path: /etc/gravity-sync
state: directory
- name: Configure gravity
template:
src: templates/gravity-sync.conf.j2
dest: /etc/gravity-sync/gravity-sync.conf
- name: Download gravity installer
become: yes
become_user: pihole
get_url:
url: https://raw.githubusercontent.com/vmstan/gs-install/main/gs-install.sh
dest: /tmp/gravity-install.sh
mode: 0755
- name: Install gravity
become: yes
become_user: pihole
command:
cmd: /tmp/gravity-install.sh --unattended
creates: /usr/local/bin/gravity-sync

4
roles/pihole/templates/gravity-sync.conf.j2 Normal file
View file

@ -0,0 +1,4 @@
REMOTE_HOST={{ sync_target }}
REMOTE_USER=pihole
GS_SSH_PKIF=/home/pihole/.ssh/id_ed25519

16
roles/pihole/templates/setupVars.j2 Normal file
View file

@ -0,0 +1,16 @@
IPV4_ADDRESS={{ ansible_host }}/24
PIHOLE_INTERFACE=eth0
QUERY_LOGGING=true
INSTALL_WEB_SERVER=true
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=true
CACHE_SIZE=10000
DNS_FQDN_REQUIRED=true
DNS_BOGUS_PRIV=true
DNSMASQ_LISTENING=local
WEBPASSWORD=998ed4d621742d0c2d85ed84173db569afa194d4597686cae947324aa58ab4bb
BLOCKING_ENABLED=true
DNSSEC=false
REV_SERVER=false
PIHOLE_DNS_1=8.8.8.8
PIHOLE_DNS_2=8.8.4.4

9
roles/ssh/handlers/main.yml Normal file
View file

@ -0,0 +1,9 @@
- name: Restart ssh
service:
name: sshd
state: restarted
- name: Restart fail2ban
service:
name: fail2ban
state: restarted

36
roles/ssh/tasks/main.yml Normal file
View file

@ -0,0 +1,36 @@
---
- name: Block root and password authentication
lineinfile:
path: /etc/ssh/sshd_config
regexp: '{{ item.regexp }}'
line: '{{ item.line }}'
validate: 'sshd -T -f %s'
state: present
with_items:
- regexp: '^PasswordAuthentication'
line: 'PasswordAuthentication no'
- regexp: '^PermitRootLogin'
line: 'PermitRootLogin no'
notify: Restart ssh
- name: Install fail2ban
apt:
name: fail2ban
state: present
- name: Configure fail2ban
blockinfile:
path: /etc/fail2ban/jail.local
create: yes
mode: 0644
block: |
[sshd]
enabled = true
filter = sshd
notify: Restart fail2ban
- name: Start fail2ban on boot
service:
name: fail2ban
enabled: true
state: started

19
site.yml Normal file
View file

@ -0,0 +1,19 @@
---
- hosts: all
become: yes
pre_tasks:
- name: Update apt-get repo and cache
apt:
update_cache: yes
cache_valid_time: 3600
roles:
- role: instance
- role: apt
- role: firewall
- role: administrators
- role: ssh
- hosts: dns
become: yes
roles:
- role: pihole
tags: pihole