Ansible Playbook for Servers of BananaNetwork
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Felix Stupp 2efb214edd
misc/ssh_tg_notify: Ignore messages from trusted VPN subnet
2 years ago
.vscode Implement virtual env for pip and ansible collections 3 years ago
filter_plugins filter_plugins/systemd_escape: Fix missing import sys for testing purposes 4 years ago
group_vars misc/ssh_tg_notify: Ignore messages from trusted VPN subnet 2 years ago
host_vars Renamed host_var files to add .yml ending 3 years ago
library Added module tsig_interpreter 4 years ago
misc Move credentials.tar.gpg into misc directory 3 years ago
playbooks Added playbooks/facts folder with gitignore 3 years ago
public_keys dns/server_entries: Use relative domain suffix instead of absolute 4 years ago
roles misc/ssh_tg_notify: Ignore messages from trusted VPN subnet 2 years ago
.gitignore Implement virtual env for pip and ansible collections 3 years ago
.gitmodules Integrated mitogen boost for ansible 4 years ago
LICENSE Added LICENSE 4 years ago Added role misc/overlay_mount 4 years ago
ansible.cfg Implement virtual env for pip and ansible collections 3 years ago
enter Implement virtual env for pip and ansible collections 3 years ago Added support for "&" operator in groups pattern 4 years ago
hosts.yml Updated hosts.yml to support new inventory syntax 4 years ago
makefile Implement virtual env for pip and ansible collections 3 years ago
pip-requirements.txt Implement virtual env for pip and ansible collections 3 years ago
site.yml Added tags to included roles 3 years ago

Playbook for BananaNetwork

This playbook defines the configuration for all servers / devices controlled by the BananaNetwork.

All systems are expected to run a Debian GNU/Linux or a similiar distribution.


Following roles have been defined for making a server configuration easy:

  • account installs an user account preconfigured with tmux, vim and zsh.
  • acme defines roles for handling the automatic handling of certificates with certbot
    • application installs main application
    • certificate issues a given certificate
  • bootstrap defines a way to connect to a server which has not been configured yet, changes user password and hardening SSH access
  • common defines the installation of common packages and common configurations like firewall
  • dns defines roles for handling dns authorities and slaves, uses bind9
    • application installs main application (installs from bind9 official repository)
    • entries configures given dns entries on authoritive dns server (authoritive must be configured by this repository)
    • master configures a dns authority with support of DNSSEC for a domain
    • server_entries configures default A/AAAA/SSHFP and additional records for current host and given domain (uses dns/entries)
    • slave configures an automatic cloning slave for a domain
  • fail2ban defines roles for configuring fail2ban for different systems
    • application installs main application
    • rule configures a filter + jail for a given server / use case
  • git_auto_update adds an auto update mechanism for a git repository based on signed release tags
  • hostname configures the hostname for a given host
  • misc contains some required but small roles
    • backup_files configures auto backup for a given directory
    • deb_unstable enables Debian unstable on low priority
    • docker installs Docker (from official Docker repository)
    • handlers contains some handlers used by other roles
    • ip_discover configures a server to automatically discover its ip addresses to a supported service
    • overlay_mount configures an overlay mount with systemd
    • system_user creates a system user
  • mysql defines roles for handling mysql databases and users, uses MariaDB
    • application installs the main application with automatic backup
    • backup_database configures auto backup for a given mysql database
    • database configures a database for an external application with its own user (uses mysql/backup_database)
  • nfs defines roles to set up NFS file shares
    • export configures a NFS share
    • server configures main NFS server without default shares
  • nginx defines roles to set up virtual servers, certificates will be requested by default
    • application installs and configures the main requirements
    • default_server configures default server for hostname fqdn with status info (only accessable from localhost)
    • forward sets up a forwarding from one domain to another
    • php sets up a PHP webpage with files at the given directory
    • php-fpm installs php-fpm and requirements
    • php-pool sets up a php-fpm pool running its own user account
    • proxy sets up a reverse proxy to a local port / proxy
    • server sets up a nginx server with custom directives
    • static sets up a static web root
    • upstream sets up an upstream accessible to nginx virtual servers
  • node defines roles for setting up node applications
    • application installs node (installs from node official repository)
  • server defines roles using different kind of server applications, applications will be configured using separated system users
    • firefox-sync sets up a Firefox sync server for bookmarks, history, etc.
    • gitea sets up a git repository using Gitea as web overlay (fail2ban)
    • minecraft sets up a Minecraft server at the given version (AppArmor, no Web UI)
    • nextcloud sets up a cloud storage using NextCloud
    • node sets up a Node.js server from a repository with a database expecting it can be configured using environment variables
    • spotme sets up a SpotMe server
    • static sets up a static virtual server with files from a repository
    • tt-rss sets up a Tiny Tiny RSS Feed Reader server
  • wireguard defines roles to handle a WireGuard configuration across different servers
    • application installs and configures the main application
    • backbone configures a system to allow all other WireGuard systems to connect to this server
    • client configures a system to connect to WireGuard backbones
    • handlers contains special handlers effecting all WireGuard backbones and clients
    • special_client creates a configuration for a device not configurable by Ansible and stores it locally

All roles, but especially the server subroles, are built to include everything required. For example, some server subroles include support for configuring AppArmor or fail2ban. Also nearly all server subroles will install and configure nginx and set the required dns entries. The are some exceptions however, which are stated here, for example the dns/entries role.

Some roles require variables to be configured, look into the roles defaults/main.yml file. All configurable variables are documenteted there with their default values. Mandatory variables are commented or otherwise stated mandatory.

All roles will use official resources by default, but some of them let you configure those, e.g. server/tt-rss.


You may can apply the whole playbook to your server configuration without changes, but I would not recommended that. Some role's defaults are specially defined to work good in the environments of my server. Please use my playbook and roles to build one yourself suited for your environment.


This repository is licensed under MIT. This configuration comes with no warranty.