|
|
|
# Playbook for BananaNetwork

This playbook defines the configuration for all servers / devices controlled by the BananaNetwork.

All systems are expected to run Debian GNU/Linux or a similar distribution.
|
|
|
|
|
|
|
|
## Roles

The following roles have been defined to make a server configuration easy:

- **account** installs a user account preconfigured with tmux, vim and zsh.
- **acme** defines roles for the automatic handling of certificates with *certbot*
  - **application** installs the main application
  - **certificate** issues a given certificate
- **bootstrap** defines a way to connect to a server which has not been configured yet, changes the user password and hardens SSH access
- **common** defines the installation of common packages and common configuration such as the firewall
- **dns** defines roles for handling DNS authorities and slaves, uses *bind9*
  - **application** installs the main application (from the official bind9 repository)
  - **entries** configures given DNS entries on an authoritative DNS server (the authoritative server must be configured by this repository)
  - **master** configures a DNS authority with DNSSEC support for a domain
  - **server_entries** configures default A/AAAA/SSHFP and additional records for the current host and a given domain (uses **dns/entries**)
  - **slave** configures an automatically replicating slave for a domain
- **fail2ban** defines roles for configuring fail2ban for different systems
  - **application** installs the main application
  - **rule** configures a filter + jail for a given server / use case
- **git_auto_update** adds an auto-update mechanism for a git repository based on signed release tags
- **hostname** configures the hostname for a given host
- **misc** contains some required but small roles
  - **backup_files** configures automatic backups of a given directory
  - **deb_unstable** enables Debian unstable with low priority
  - **docker** installs *Docker* (from the official Docker repository)
  - **handlers** contains some handlers used by other roles
  - **ip_discover** configures a server to automatically report its IP addresses to a supported service
  - **overlay_mount** configures an overlay mount with systemd
  - **system_user** creates a system user
- **mysql** defines roles for handling MySQL databases and users, uses *MariaDB*
  - **application** installs the main application with automatic backup
  - **backup_database** configures automatic backups of a given MySQL database
  - **database** configures a database for an external application with its own user (uses **mysql/backup_database**)
- **nfs** defines roles to set up NFS file shares
  - **export** configures an NFS share
  - **server** configures the main NFS server without default shares
- **nginx** defines roles to set up virtual servers; certificates are requested by default
  - **application** installs and configures the main requirements
  - **default_server** configures the default server for the host's FQDN with status info (only accessible from localhost)
  - **forward** sets up a forward from one domain to another
  - **php** sets up a PHP web page with files from the given directory
  - **php-fpm** installs php-fpm and its requirements
  - **php-pool** sets up a php-fpm pool running under its own user account
  - **proxy** sets up a reverse proxy to a local port / proxy
  - **server** sets up an nginx server with custom directives
  - **static** sets up a static web root
  - **upstream** sets up an upstream accessible to nginx virtual servers
- **node** defines roles for setting up Node applications
  - **application** installs Node (from the official Node repository)
- **server** defines roles for different kinds of server applications; each application is configured under its own system user
  - **firefox-sync** sets up a Firefox Sync server for bookmarks, history, etc.
  - **gitea** sets up a git repository using *Gitea* as web frontend (fail2ban)
  - **minecraft** sets up a Minecraft server at the given version (AppArmor, no web UI)
  - **nextcloud** sets up a cloud storage using *Nextcloud*
  - **node** sets up a *Node.js* server from a repository with a database, expecting that it can be configured using environment variables
  - **spotme** sets up a SpotMe server
  - **static** sets up a static virtual server with files from a repository
  - **tt-rss** sets up a Tiny Tiny RSS feed reader server
- **wireguard** defines roles to handle a *WireGuard* configuration across different servers
  - **application** installs and configures the main application
  - **backbone** configures a system to allow all other *WireGuard* systems to connect to this server
  - **client** configures a system to connect to *WireGuard* backbones
  - **handlers** contains special handlers affecting all *WireGuard* backbones and clients
  - **special_client** creates a configuration for a device not configurable by Ansible and stores it locally
|
|
|
|
|
|
|
|
All roles, but especially the server subroles, are built to include everything required. For example, some server subroles include support for configuring AppArmor or fail2ban. Also, nearly all server subroles will install and configure nginx and set the required DNS entries. There are some exceptions however, which are stated here, for example the **dns/entries** role.
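As an added example (not code from this playbook), the following Python shows what is behind the SSHFP records that **dns/server_entries** publishes: it derives the records from an OpenSSH public-key line the same way `ssh-keygen -r` does, and it shows the check a client with `VerifyHostKeyDNS yes` performs against the published records. The key line is constructed from dummy bytes, and the owner name `host.example.net.` is an assumption. Note that SSHFP records only add security when the zone is DNSSEC-signed, which is what **dns/master** provides; an unsigned answer can be spoofed like any other DNS record.

```python
"""SSHFP records for OpenSSH host keys (RFC 4255, RFC 6594, RFC 7479).

Added example, not code from the BananaNetwork playbook: it shows the
records the dns/server_entries role has to publish for a host and the
client-side check a verifying SSH client performs against them. The
sample key is constructed from dummy bytes, not a real host key.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers, keyed by the OpenSSH key-type string
ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (legacy), 2 = SHA-256
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def key_blob(pubkey_line):
    """Decode "<type> <base64> [comment]" and return (type, raw blob).

    Rejects unknown key types and lines whose base64 blob does not start
    with the same type string, so a mislabelled key cannot be published.
    """
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype = parts[0]
    if keytype not in ALGORITHMS:
        raise ValueError(f"unsupported key type {keytype!r}")
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("type field does not match blob contents")
    return keytype, blob


def sshfp_records(pubkey_line, owner="@"):
    """Return the SSHFP RRs for one public key, one per fingerprint type.

    The fingerprint is the hash of the raw key blob, the same value
    `ssh-keygen -r` prints, so the output can be pasted into a zone file.
    """
    keytype, blob = key_blob(pubkey_line)
    alg = ALGORITHMS[keytype]
    return [
        f"{owner} IN SSHFP {alg} {fptype} {digest(blob).hexdigest().upper()}"
        for fptype, digest in sorted(FP_TYPES.items())
    ]


def parse_sshfp(record):
    """Extract (algorithm, fptype, fingerprint) from a zone-file style RR."""
    fields = record.split()
    i = fields.index("SSHFP")
    return int(fields[i + 1]), int(fields[i + 2]), fields[i + 3].upper()


def host_key_matches(pubkey_line, published_records):
    """Client-side check: does the offered host key match the DNS records?

    Only a SHA-256 (fptype 2) match is accepted; SHA-1 records are still
    published for old clients but are not trusted as the sole evidence.
    """
    offered = {parse_sshfp(r) for r in sshfp_records(pubkey_line)}
    published = {parse_sshfp(r) for r in published_records}
    return any(fptype == 2 for (_, fptype, _) in offered & published)


def constructed_ed25519_line():
    """A syntactically valid ssh-ed25519 key line built from dummy bytes.

    Constructed for this example (not a real key) so it runs offline.
    """
    raw = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " example@host"


if __name__ == "__main__":
    line = constructed_ed25519_line()
    for rr in sshfp_records(line, "host.example.net."):
        print(rr)
```

Run it against a real host key by passing the contents of `/etc/ssh/ssh_host_ed25519_key.pub` to `sshfp_records`; the output should be identical to `ssh-keygen -r host.example.net. -f /etc/ssh/ssh_host_ed25519_key.pub` (apart from letter case of the hex digits), which is a cheap check to run after the role has written the zone.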
|
|
|
|
|
|
|
|
Some roles require variables to be configured; look into the role's `defaults/main.yml` file. All configurable variables are documented there with their default values. Mandatory variables are commented out or otherwise stated to be mandatory.

All roles use official resources by default, but some of them let you configure those, e.g. **server/tt-rss**.
|
|
|
|
|
|
|
|
## Usage

You *may* be able to apply the whole playbook to your servers without changes, but I would not recommend that. Some roles' defaults are specifically chosen to work well in the environment of my own servers. Please use my playbook and roles as a basis to build one suited for your environment.
|
|
|
|
|
|
|
|
## License

This repository is licensed under MIT.

This configuration comes with no warranty.
|