This commit is contained in:
Kris Lamoureux 2023-05-04 01:20:22 -04:00
parent dfd93dd5f8
commit 410763ed5d
13 changed files with 48 additions and 22 deletions


@ -32,12 +32,14 @@
ansible.builtin.template:
src: fail2ban-ssh.conf.j2
dest: /etc/fail2ban/jail.d/sshd.conf
mode: 0640
notify: restart_fail2ban
- name: Install Fail2ban IP allow list
ansible.builtin.template:
src: fail2ban-allowlist.conf.j2
dest: /etc/fail2ban/jail.d/allowlist.conf
mode: 0640
when: fail2ban_ignoreip is defined
notify: restart_fail2ban
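Review bot: The allow list at /etc/fail2ban/jail.d/allowlist.conf is only written while `fail2ban_ignoreip` is defined, so removing that variable from a host later leaves the previous ignoreip entries in place and those addresses stay exempt from banning. If the variable is meant to fully control the file, add a companion `ansible.builtin.file` task with `state: absent` on the same path, guarded by `when: fail2ban_ignoreip is not defined` and also notifying `restart_fail2ban`. Quoting the modes as `"0640"` keeps them strings under YAML 1.2 parsers, though Ansible accepts the leading-zero form. The sshd.conf task begins above this hunk.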


@ -11,9 +11,10 @@
ansible.builtin.template:
src: msmtprc.j2
dest: /root/.msmtprc
mode: 0700
mode: 0600
- name: Install /etc/aliases
ansible.builtin.copy:
dest: /etc/aliases
content: "root: {{ mail.rootalias }}"
mode: 0644
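Review bot: `/root/.msmtprc` is tightened to 0600 while the same commit moves the other root-only credential file, `/root/.cloudflare.ini`, to 0400; msmtp only reads its configuration, so `mode: 0400` would be consistent, and as far as I recall msmtp's own check (refusing a config with a password that is group- or world-readable) is satisfied either way. Neither task pins ownership, so add `owner: root` and `group: root` to make root-only access explicit rather than relying on the connecting account. The `/etc/aliases` content also has no trailing newline; `content: "root: {{ mail.rootalias }}\n"` avoids an unterminated last line. The msmtprc task begins above this hunk.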


@ -1,24 +1,31 @@
- ansible.builtin.import_tasks: ansible.yml
- name: Import Ansible tasks
ansible.builtin.import_tasks: ansible.yml
tags: ansible
- ansible.builtin.import_tasks: system.yml
- name: Import System tasks
ansible.builtin.import_tasks: system.yml
tags: system
- ansible.builtin.import_tasks: firewall.yml
- name: Import Firewall tasks
ansible.builtin.import_tasks: firewall.yml
tags: firewall
- ansible.builtin.import_tasks: network.yml
- name: Import Network tasks
ansible.builtin.import_tasks: network.yml
tags: network
when: manage_network
- ansible.builtin.import_tasks: mail.yml
- name: Import Mail tasks
ansible.builtin.import_tasks: mail.yml
tags: mail
when: mail is defined
- ansible.builtin.import_tasks: ddclient.yml
- name: Import ddclient tasks
ansible.builtin.import_tasks: ddclient.yml
tags: ddclient
when: ddclient is defined
- ansible.builtin.import_tasks: wireguard.yml
- name: Import WireGuard tasks
ansible.builtin.import_tasks: wireguard.yml
tags: wireguard
when: wireguard is defined


@ -10,5 +10,6 @@
ansible.builtin.template:
src: "interface.j2"
dest: "/etc/network/interfaces.d/{{ item.name }}"
mode: 0400
loop: "{{ interfaces }}"
notify: reboot_host
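Review bot: The destination `/etc/network/interfaces.d/{{ item.name }}` is built directly from each loop item, so an interface name containing a slash or `..` would write (and chmod 0400) a file outside interfaces.d; the names come from the `interfaces` variable, presumably inventory-controlled, but a guard is cheap: `dest: "/etc/network/interfaces.d/{{ item.name | basename }}"`, or an `ansible.builtin.assert` that `item.name is match('^[A-Za-z0-9_.-]+$')` before the loop. Every change also notifies `reboot_host`, which is a heavy reaction to a config edit; an `ifreload`/`ifup` handler may be enough if the host's ifupdown supports it. This task begins above the hunk.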


@ -8,6 +8,7 @@
ansible.builtin.template:
src: authorized_keys.j2
dest: /root/.ssh/authorized_keys
mode: 0400
when: authorized_keys is defined
- name: Manage filesystem mounts
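Review bot: Because the template only runs `when: authorized_keys is defined`, dropping the variable for a host leaves the existing `/root/.ssh/authorized_keys` untouched, so a key you meant to revoke keeps granting root login; consider defaulting `authorized_keys` to an empty list in the role defaults and rendering unconditionally, or adding a `state: absent` counterpart. sshd's StrictModes additionally requires `/root/.ssh` itself to be root-owned and not group/world-writable; the task that creates that directory is above this hunk, so check it sets `mode: 0700`. The 0400 here is fine, since sshd reads the file as root.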


@ -5,7 +5,9 @@
update_cache: true
- name: Generate WireGuard keys
ansible.builtin.shell: wg genkey | tee privatekey | wg pubkey > publickey
ansible.builtin.shell: |
set -o pipefail
wg genkey | tee privatekey | wg pubkey > publickey
args:
chdir: /etc/wireguard/
creates: /etc/wireguard/privatekey
@ -19,8 +21,8 @@
ansible.builtin.template:
src: wireguard.j2
dest: /etc/wireguard/wg0.conf
notify:
- restart_wireguard
mode: 0400
notify: restart_wireguard
- name: Start WireGuard interface
ansible.builtin.service:
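Review bot: `set -o pipefail` runs under the module's default `/bin/sh`, which on Debian-family hosts is dash; dash gained `pipefail` only recently, so on most installed releases the task fails with `set: Illegal option -o pipefail` before any key is generated. Add `executable: /bin/bash` under `args:` next to `chdir`. The private key is also written by `tee` with whatever umask the Ansible session has, so put `umask 077` on the line before the pipeline so `/etc/wireguard/privatekey` is never created world-readable even if `/etc/wireguard` itself is not 0700. Quoting the mode on wg0.conf as `"0400"` keeps it a string under YAML 1.2 parsers, though Ansible accepts the leading-zero integer.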


@ -0,0 +1,4 @@
- name: Reload systemd manager configuration
ansible.builtin.systemd:
daemon_reload: true
listen: reload_compose_systemd


@ -8,18 +8,15 @@
ansible.builtin.file:
path: "{{ docker_compose_root }}"
state: directory
mode: 0500
- name: Install docker-compose systemd service
ansible.builtin.template:
src: docker-compose.service.j2
dest: "/etc/systemd/system/{{ docker_compose_service }}@.service"
mode: 0400
register: compose_systemd
- name: Reload systemd manager configuration
ansible.builtin.systemd:
daemon_reload: true
when: compose_systemd.changed
- name: Add users to docker group
ansible.builtin.user:
name: "{{ item }}"
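Review bot: Moving the daemon-reload into a handler changes when it runs: the old task reloaded immediately `when: compose_systemd.changed`, whereas `reload_compose_systemd` now fires at the end of the play, after any later task that enables or starts a `{{ docker_compose_service }}@...` instance (the Jellyfin and Traefik roles both start services), so a changed unit file can be started under its stale definition. If those roles run in the same play, add `- ansible.builtin.meta: flush_handlers` right after the template task, or keep the immediate reload. I also don't see a `notify: reload_compose_systemd` on the template task in this rendering; if it is really absent the handler never runs at all. The "Add users to docker group" task continues below the hunk.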


@ -2,4 +2,4 @@ jellyfin_name: jellyfin
jellyfin_volume: "{{ jellyfin_name }}"
jellyfin_router: "{{ jellyfin_name }}"
jellyfin_rooturl: "https://{{ jellyfin_domain }}"
jellyfin_root: "{{ docker_compose_root }}/{{ jellyfin_name }}"
jellyfin_root: "{{ docker_compose_root }}/{{ jellyfin_name }}"


@ -2,18 +2,19 @@
ansible.builtin.file:
path: "{{ jellyfin_root }}"
state: directory
mode: 0500
- name: Create jellyfin user
ansible.builtin.user:
name: jellyfin
state: present
- name: jellyfin user uid
- name: Get user jellyfin uid
ansible.builtin.getent:
database: passwd
key: jellyfin
- name: jellyfin user gid
- name: Get user jellyfin gid
ansible.builtin.getent:
database: group
key: jellyfin
@ -22,12 +23,14 @@
ansible.builtin.template:
src: docker-compose.yml.j2
dest: "{{ jellyfin_root }}/docker-compose.yml"
mode: 0400
notify: restart_jellyfin
- name: Install Jellyfin's docker-compose variables
ansible.builtin.template:
src: compose-env.j2
dest: "{{ jellyfin_root }}/.env"
mode: 0400
notify: restart_jellyfin
- name: Start and enable Jellyfin service
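Review bot: The 0500 directory and the 0400 compose file and `.env` are applied without `owner`/`group`, so the lock-down depends on which account Ansible connects as; add `owner: root` and `group: root` to these tasks, since the systemd unit that runs docker compose executes as root anyway. Separately, the jellyfin account appears to exist only to supply a uid/gid to the container (the two getent lookups), so `system: true`, `shell: /usr/sbin/nologin` and `create_home: false` on the user task would avoid creating a login-capable account with a home directory; that task is context here, so only if nothing else relies on it. The "Start and enable Jellyfin service" task continues below the hunk.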


@ -36,12 +36,13 @@
src: "/etc/nginx/sites-available/{{ item.item.domain }}.conf"
dest: "/etc/nginx/sites-enabled/{{ item.item.domain }}.conf"
state: link
mode: 0400
loop: "{{ nginx_sites.results }}"
when: item.changed
notify: reload_nginx
- name: Generate self-signed certificate
ansible.builtin.shell: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
ansible.builtin.command: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
-subj "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
-keyout /etc/ssl/private/nginx-selfsigned.key \
-out /etc/ssl/certs/nginx-selfsigned.crt'
@ -60,13 +61,14 @@
ansible.builtin.template:
src: cloudflare.ini.j2
dest: /root/.cloudflare.ini
mode: '0600'
mode: 0400
when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
- name: Create nginx post renewal hook directory
ansible.builtin.file:
path: /etc/letsencrypt/renewal-hooks/post
state: directory
mode: 0500
when: proxy.production is defined and proxy.production
- name: Install nginx post renewal hook
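Review bot: The backslash continuations in the `openssl req` command are not shell continuations: the value is a single-quoted YAML scalar, so each `\` survives line folding and reaches the module as `\ -subj`, `\ -keyout`, `\ -out`, which `command`'s shlex split turns into arguments with a leading space (` -subj` and so on) that openssl rejects as extra arguments; the old `shell` form was split the same way by `/bin/sh`, so this is pre-existing, but the switch to `command` is the moment to fix it. Use a folded block scalar with no backslashes, as below. Setting `mode: 0400` on the `state: link` task actually chmods the link target in sites-available (`follow` defaults to true), which works but is clearer on the template task that writes that file. The certificate task continues below the hunk (its `args:`/`creates:` are not visible here).
```yaml
- name: Generate self-signed certificate
  ansible.builtin.command: >-
    openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes
    -subj "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com"
    -keyout /etc/ssl/private/nginx-selfsigned.key
    -out /etc/ssl/certs/nginx-selfsigned.crt
  # … unchanged: args/creates …
```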


@ -2,6 +2,7 @@
ansible.builtin.file:
path: "{{ traefik_root }}/config/dynamic"
state: touch
mode: 0500
listen: reload_traefik
- name: Restart Traefik


@ -1,6 +1,7 @@
- name: Create Traefik directories
ansible.builtin.file:
path: "{{ traefik_root }}/config/dynamic"
mode: 0500
state: directory
- name: Install dynamic security configuration
@ -9,13 +10,14 @@
dest: "{{ traefik_root }}/config/dynamic/security.yml"
owner: root
group: root
mode: 0600
mode: 0400
notify: reload_traefik
- name: Install dynamic non-docker configuration
ansible.builtin.template:
src: "external.yml.j2"
dest: "{{ traefik_root }}/config/dynamic/{{ item.name }}.yml"
mode: 0400
loop: "{{ traefik_external }}"
when: traefik_external is defined
@ -23,18 +25,21 @@
ansible.builtin.template:
src: docker-compose.yml.j2
dest: "{{ traefik_root }}/docker-compose.yml"
mode: 0400
notify: restart_traefik
- name: Install Traefik's docker-compose variables
ansible.builtin.template:
src: compose-env.j2
dest: "{{ traefik_root }}/.env"
mode: 0400
notify: restart_traefik
- name: Install static Traefik configuration
ansible.builtin.template:
src: traefik.yml.j2
dest: "{{ traefik_root }}/config/traefik.yml"
mode: 0400
notify: restart_traefik
- name: Start and enable Traefik service
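Review bot: The dynamic configuration files are now root-owned 0400 (and the directory 0500), which is only readable from inside the container if Traefik runs as uid 0 there; if the compose file sets a `user:` or the image drops privileges, the file provider will silently see no routers or middlewares, so this deserves an explicit check or `owner`/`group` matching the container uid. Minor style point: in the directory task `mode: 0500` now sits before `state: directory` while every other task in the commit puts `state` first; swapping the two lines keeps the key order uniform. Quoting the modes as `"0400"` also keeps them strings under YAML 1.2 tooling. The "Start and enable Traefik service" task continues below the hunk.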