Felix Stupp 255de97175 | 4 years ago | |
---|---|---|
.vscode | 5 years ago | |
filter_plugins | 4 years ago | |
group_vars | 4 years ago | |
host_vars | 5 years ago | |
misc/blocklists | 5 years ago | |
playbooks | 4 years ago | |
public_keys | 5 years ago | |
roles | 4 years ago | |
.gitignore | 4 years ago | |
README.md | 4 years ago | |
ansible.cfg | 5 years ago | |
credentials.tar.gpg | 5 years ago | |
hosts.py | 5 years ago | |
hosts.yml | 5 years ago | |
makefile | 5 years ago | |
site.yml | 5 years ago |
README.md
Playbook for BananaNetwork
This playbook defines the configuration for all servers / devices controlled by the BananaNetwork.
All systems are expected to run Debian GNU/Linux or a similar distribution.
Roles
The following roles have been defined to make server configuration easy:
- account installs a user account preconfigured with tmux, vim and zsh.
- acme defines roles for the automatic handling of certificates with certbot
  - application installs main application
  - certificate issues a given certificate
- bootstrap defines a way to connect to a server which has not been configured yet, changes the user password and hardens SSH access
- common defines the installation of common packages and common configurations like firewall
- dns defines roles for handling DNS authorities and slaves, uses bind9
  - application installs main application (installs from bind9 official repository)
  - entries configures given DNS entries on the authoritative DNS server (the authoritative server must be configured by this repository)
  - master configures a DNS authority with support of DNSSEC for a domain
  - server_entries configures default A/AAAA/SSHFP and additional records for current host and given domain (uses dns/entries)
  - slave configures an automatic cloning slave for a domain
- fail2ban defines roles for configuring fail2ban for different systems
  - application installs main application
  - rule configures a filter + jail for a given server / use case
- git_auto_update adds an auto update mechanism for a git repository based on signed release tags
- hostname configures the hostname for a given host
- misc contains some required but small roles
  - backup_files configures auto backup for a given directory
  - deb_unstable enables Debian unstable on low priority
  - docker installs Docker (from official Docker repository)
  - handlers contains some handlers used by other roles
  - ip_discover configures a server to automatically discover its IP addresses to a supported service
  - system_user creates a system user
- mysql defines roles for handling mysql databases and users, uses MariaDB
  - application installs the main application with automatic backup
  - backup_database configures auto backup for a given mysql database
  - database configures a database for an external application with its own user (uses mysql/backup_database)
- nginx defines roles to set up virtual servers, certificates will be requested by default
  - application installs and configures the main requirements
  - default_server configures default server for hostname fqdn with status info (only accessible from localhost)
  - forward sets up a forwarding from one domain to another
  - php sets up a PHP webpage with files at the given directory
  - php-fpm installs php-fpm and requirements
  - php-pool sets up a php-fpm pool running under its own user account
  - proxy sets up a reverse proxy to a local port / proxy
  - server sets up a nginx server with custom directives
  - static sets up a static web root
  - upstream sets up an upstream accessible to nginx virtual servers
- node defines roles for setting up node applications
  - application installs node (installs from node official repository)
- server defines roles using different kinds of server applications, applications will be configured using separate system users
  - firefox-sync sets up a Firefox sync server for bookmarks, history, etc.
  - gitea sets up a git repository using Gitea as web overlay (fail2ban)
  - minecraft sets up a Minecraft server at the given version (AppArmor, no Web UI)
  - nextcloud sets up a cloud storage using NextCloud
  - node sets up a Node.js server from a repository with a database expecting it can be configured using environment variables
  - spotme sets up a SpotMe server
  - static sets up a static virtual server with files from a repository
  - tt-rss sets up a Tiny Tiny RSS Feed Reader server
- wireguard defines roles to handle a WireGuard configuration across different servers
  - application installs and configures the main application
  - backbone configures a system to allow all other WireGuard systems to connect to this server
  - client configures a system to connect to WireGuard backbones
  - handlers contains special handlers affecting all WireGuard backbones and clients
  - special_client creates a configuration for a device not configurable by Ansible and stores it locally