Latest commit: Felix Stupp, 057baa9c22, 4 years ago

| Path | Last change |
|---|---|
| .vscode | 4 years ago |
| filter_plugins | 4 years ago |
| group_vars | 4 years ago |
| host_vars | 4 years ago |
| library | 4 years ago |
| misc/blocklists | 4 years ago |
| playbooks | 4 years ago |
| public_keys | 4 years ago |
| roles | 4 years ago |
| .gitignore | 5 years ago |
| LICENSE | 4 years ago |
| README.md | 4 years ago |
| ansible.cfg | 5 years ago |
| credentials.tar.gpg | 4 years ago |
| hosts.py | 5 years ago |
| hosts.yml | 4 years ago |
| makefile | 4 years ago |
| site.yml | 4 years ago |
# Playbook for BananaNetwork

This playbook defines the configuration for all servers / devices controlled by the BananaNetwork.
All systems are expected to run Debian GNU/Linux or a similar distribution.

## Roles
The following roles have been defined to make a server configuration easy:

- `account` installs a user account preconfigured with tmux, vim and zsh.
- `acme` defines roles for the automatic handling of certificates with certbot:
  - `application` installs the main application.
  - `certificate` issues a given certificate.
- `bootstrap` defines a way to connect to a server which has not been configured yet, changes the user password and hardens SSH access.
- `common` defines the installation of common packages and common configuration such as the firewall.
- `dns` defines roles for handling DNS authorities and slaves, uses bind9:
  - `application` installs the main application (from the official bind9 repository).
  - `entries` configures given DNS entries on an authoritative DNS server (the authoritative server must be configured by this repository).
  - `master` configures a DNS authority with DNSSEC support for a domain.
  - `server_entries` configures default A/AAAA/SSHFP and additional records for the current host and a given domain (uses dns/entries).
  - `slave` configures an automatically cloning slave for a domain.
- `fail2ban` defines roles for configuring fail2ban for different systems:
  - `application` installs the main application.
  - `rule` configures a filter + jail for a given server / use case.
- `git_auto_update` adds an auto-update mechanism for a git repository based on signed release tags.
- `hostname` configures the hostname for a given host.
- `misc` contains some required but small roles:
  - `backup_files` configures automatic backups for a given directory.
  - `deb_unstable` enables Debian unstable at low priority.
  - `docker` installs Docker (from the official Docker repository).
  - `handlers` contains some handlers used by other roles.
  - `ip_discover` configures a server to automatically discover its IP addresses via a supported service.
  - `overlay_mount` configures an overlay mount with systemd.
  - `system_user` creates a system user.
- `mysql` defines roles for handling MySQL databases and users, uses MariaDB:
  - `application` installs the main application with automatic backups.
  - `backup_database` configures automatic backups for a given MySQL database.
  - `database` configures a database for an external application with its own user (uses mysql/backup_database).
- `nfs` defines roles to set up NFS file shares:
  - `export` configures an NFS share.
  - `server` configures the main NFS server without default shares.
- `nginx` defines roles to set up virtual servers; certificates will be requested by default:
  - `application` installs and configures the main requirements.
  - `default_server` configures the default server for the host's FQDN with status info (only accessible from localhost).
  - `forward` sets up a forward from one domain to another.
  - `php` sets up a PHP web page with files at the given directory.
  - `php-fpm` installs php-fpm and its requirements.
  - `php-pool` sets up a php-fpm pool running under its own user account.
  - `proxy` sets up a reverse proxy to a local port / proxy.
  - `server` sets up an nginx server with custom directives.
  - `static` sets up a static web root.
  - `upstream` sets up an upstream accessible to nginx virtual servers.
- `node` defines roles for setting up Node.js applications:
  - `application` installs Node.js (from the official Node.js repository).
- `server` defines roles using different kinds of server applications; applications will be configured using separate system users:
  - `firefox-sync` sets up a Firefox Sync server for bookmarks, history, etc.
  - `gitea` sets up a git repository server using Gitea as the web frontend (fail2ban).
  - `minecraft` sets up a Minecraft server at the given version (AppArmor, no web UI).
  - `nextcloud` sets up cloud storage using Nextcloud.
  - `node` sets up a Node.js server from a repository with a database, expecting that it can be configured using environment variables.
  - `spotme` sets up a SpotMe server.
  - `static` sets up a static virtual server with files from a repository.
  - `tt-rss` sets up a Tiny Tiny RSS feed reader server.
- `wireguard` defines roles to handle a WireGuard configuration across different servers:
  - `application` installs and configures the main application.
  - `backbone` configures a system to allow all other WireGuard systems to connect to it.
  - `client` configures a system to connect to WireGuard backbones.
  - `handlers` contains special handlers affecting all WireGuard backbones and clients.
  - `special_client` creates a configuration for a device not configurable by Ansible and stores it locally.
All roles, but especially the server subroles, are built to include everything required. For example, some server subroles include support for configuring AppArmor or fail2ban. Also, nearly all server subroles will install and configure nginx and set the required DNS entries. There are some exceptions, however, which are stated above, for example the dns/entries role.
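The `bootstrap` role above is described as connecting to a not-yet-configured host, changing the user password and hardening SSH access. The play below is an added illustration of what such a role typically has to do; it is not code from the BananaNetwork repository, its variable names (`bootstrap_user`, `bootstrap_password`, `bootstrap_pubkey`) are assumptions, and it uses `ansible.posix.authorized_key` from the ansible.posix collection.

```yaml
# Added example, not part of the BananaNetwork playbook. Assumed variable
# names: bootstrap_user, bootstrap_password, bootstrap_pubkey.
- name: Bootstrap a freshly installed host and harden SSH access
  hosts: unconfigured
  become: true
  vars:
    bootstrap_user: admin
    # The plain-text password is supplied at run time (vault, --extra-vars or
    # the environment), never committed; it is hashed before it reaches the host.
    bootstrap_password: "{{ lookup('env', 'BOOTSTRAP_PASSWORD') }}"
    bootstrap_pubkey: "{{ lookup('file', 'public_keys/admin.pub') }}"
  tasks:
    - name: Ensure sudo is available before the account is added to the sudo group
      ansible.builtin.apt:
        name: sudo
        state: present
        update_cache: true

    - name: Ensure the admin account exists with a salted SHA-512 password hash
      ansible.builtin.user:
        name: "{{ bootstrap_user }}"
        password: "{{ bootstrap_password | password_hash('sha512') }}"
        shell: /bin/bash
        groups: sudo
        append: true
        update_password: on_create   # a fresh salt each run must not count as a change

    - name: Install the administrator's public key and remove any other key
      ansible.posix.authorized_key:
        user: "{{ bootstrap_user }}"
        key: "{{ bootstrap_pubkey }}"
        exclusive: true

    - name: Harden sshd; each edit is syntax-checked before the file is replaced
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s
      loop:
        - { key: PermitRootLogin, value: "no" }
        - { key: PasswordAuthentication, value: "no" }
        - { key: ChallengeResponseAuthentication, value: "no" }
        - { key: PubkeyAuthentication, value: "yes" }
        - { key: X11Forwarding, value: "no" }
      notify: restart ssh

  handlers:
    # Runs at the end of the play, i.e. only after the key has been installed,
    # so the session used for the next run is not locked out.
    - name: restart ssh
      ansible.builtin.service:
        name: ssh
        state: restarted
```

Two caveats a practitioner should keep in mind: `validate` only protects against a syntactically broken `sshd_config`, not against a logically wrong one, so test a second SSH login with the key before closing the session that ran the play; and on releases where `sshd_config` starts with `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in such as a cloud-init fragment that sets `PasswordAuthentication yes` wins over the edited main file, because sshd keeps the first value it reads.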
Some roles require variables to be configured; look into the role's `defaults/main.yml` file.
All configurable variables are documented there with their default values.
Mandatory variables are commented out or otherwise stated to be mandatory.
All roles use official resources by default, but some of them let you configure those, e.g. server/tt-rss.
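The `git_auto_update` role listed above updates a repository based on signed release tags. The play below, added here as an illustration and not code from the BananaNetwork repository, shows one way to implement that with the stock git and gpg tools: fetch tags, pick the highest version tag, verify its signature and pin it to the expected key fingerprint, and only then check it out. The repository URL, paths, service name, fingerprint and all variable names are placeholders assumed for this example.

```yaml
# Added example, not part of the BananaNetwork playbook. All variables
# (app_repo_url, app_repo_dest, app_signing_key, app_key_fingerprint,
# app_service) are assumed names with placeholder values.
- name: Update a deployment to the newest GPG-signed release tag
  hosts: app_servers
  become: true
  vars:
    app_repo_url: https://example.invalid/org/app.git
    app_repo_dest: /opt/app
    app_signing_key: public_keys/app-release.asc          # armoured key on the controller
    app_key_fingerprint: "0123456789ABCDEF0123456789ABCDEF01234567"
    app_service: app
  tasks:
    - name: Ensure git and gpg are installed
      ansible.builtin.apt:
        name: [git, gpg]
        state: present

    - name: Copy the release signing key to the host
      ansible.builtin.copy:
        src: "{{ app_signing_key }}"
        dest: /etc/git-release-keys/app.asc
        mode: "0644"

    - name: Import the key into root's keyring (gpg reports 'imported:' only for new keys)
      ansible.builtin.command:
        cmd: gpg --batch --import /etc/git-release-keys/app.asc
      register: key_import
      changed_when: "'imported:' in key_import.stderr"

    - name: Clone on first run only; later runs never touch the checkout here
      ansible.builtin.git:
        repo: "{{ app_repo_url }}"
        dest: "{{ app_repo_dest }}"
        update: false

    - name: Fetch tags; git refuses to clobber an existing tag, so a moved tag fails the play
      ansible.builtin.command:
        cmd: git fetch --prune --tags origin
        chdir: "{{ app_repo_dest }}"
      changed_when: false

    - name: Determine the newest release tag, its commit and the deployed commit
      ansible.builtin.shell:
        cmd: |
          set -o pipefail
          tag=$(git tag --list 'v[0-9]*' --sort=-version:refname | head -n 1)
          [ -n "$tag" ] || { echo 'no release tag found' >&2; exit 1; }
          printf '%s %s %s\n' "$tag" "$(git rev-list -n 1 "$tag")" "$(git rev-parse HEAD)"
        chdir: "{{ app_repo_dest }}"
        executable: /bin/bash
      register: release
      changed_when: false

    - name: Record the result as facts
      ansible.builtin.set_fact:
        release_tag: "{{ release.stdout.split()[0] }}"
        release_commit: "{{ release.stdout.split()[1] }}"
        deployed_commit: "{{ release.stdout.split()[2] }}"

    # git verify-tag exits 0 for a good signature from *any* key in the keyring,
    # so the raw gpg status is checked for a VALIDSIG line carrying the expected
    # fingerprint. Lightweight (unsigned) tags fail here as well.
    - name: Verify the tag signature and pin it to the expected key
      ansible.builtin.shell:
        cmd: |
          set -o pipefail
          git verify-tag --raw {{ release_tag | quote }} 2>&1 \
            | grep -q '^\[GNUPG:\] VALIDSIG {{ app_key_fingerprint }} '
        chdir: "{{ app_repo_dest }}"
        executable: /bin/bash
      changed_when: false
      when: release_commit != deployed_commit

    - name: Check out the verified release (reached only if verification passed)
      ansible.builtin.command:
        cmd: git checkout --quiet {{ release_tag | quote }}
        chdir: "{{ app_repo_dest }}"
      when: release_commit != deployed_commit
      notify: restart app

  handlers:
    - name: restart app
      ansible.builtin.systemd:
        name: "{{ app_service }}"
        state: restarted
```

The first field of the `VALIDSIG` status line is the fingerprint of the key that made the signature; if releases are signed with a subkey, pin that subkey's fingerprint (the primary key's fingerprint is the last field of the same line). Because a failed task aborts the play, the checkout step cannot run on an unsigned, badly signed or foreign-key tag.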
## Usage

You may apply the whole playbook to your server configuration without changes, but I would not recommend that. Some roles' defaults are specifically defined to work well in the environment of my servers. Please use my playbook and roles to build one yourself suited for your environment.

## License

This repository is licensed under MIT. This configuration comes with no warranty.