ansible/README.md

# Playbook for BananaNetwork

This playbook defines the configuration for all servers / devices controlled by the BananaNetwork.

All systems are expected to run a Debian GNU/Linux or a similiar distribution.

## Roles

Following roles have been defined for making a server configuration easy:

- **account** installs an user account preconfigured with tmux, vim and zsh.
- **acme** defines roles for handling the automatic handling of certificates with *certbot*
  - **application** installs main application
  - **certificate** issues a given certificate
- **bootstrap** defines a way to connect to a server which has not been configured yet, changes user password and hardening SSH access
- **common** defines the installation of common packages and common configurations like firewall
- **dns** defines roles for handling dns authorities and slaves, uses *bind9*
  - **application** installs main application (installs from bind9 official repository)
  - **entries** configures given dns entries on authoritive dns server (authoritive must be configured by this repository)
  - **master** configures a dns authority with support of DNSSEC for a domain
  - **server_entries** configures default A/AAAA/SSHFP and additional records for current host and given domain (uses **dns/entries**)
  - **slave** configures an automatic cloning slave for a domain
- **fail2ban** defines roles for configuring fail2ban for different systems
  - **application** installs main application
  - **rule** configures a filter + jail for a given server / use case
- **git_auto_update** adds an auto update mechanism for a git repository based on signed release tags
- **hostname** configures the hostname for a given host
- **misc** contains some required but small roles
  - **backup_files** configures auto backup for a given directory
  - **deb_unstable** enables Debian unstable on low priority
  - **docker** installs *Docker* (from official Docker repository)
  - **handlers** contains some handlers used by other roles
  - **ip_discover** configures a server to automatically discover its ip addresses to a supported service
  - **overlay_mount** configures an overlay mount with systemd
  - **system_user** creates a system user
- **mysql** defines roles for handling mysql databases and users, uses *MariaDB*
  - **application** installs the main application with automatic backup
  - **backup_database** configures auto backup for a given mysql database
  - **database** configures a database for an external application with its own user (uses **mysql/backup_database**)
- **nfs** defines roles to set up NFS file shares
  - **export** configures a NFS share
  - **server** configures main NFS server without default shares
- **nginx** defines roles to set up virtual servers, certificates will be requested by default
  - **application** installs and configures the main requirements
  - **default_server** configures default server for hostname fqdn with status info (only accessable from localhost)
  - **forward** sets up a forwarding from one domain to another
  - **php** sets up a PHP webpage with files at the given directory
  - **php-fpm** installs php-fpm and requirements
  - **php-pool** sets up a php-fpm pool running its own user account
  - **proxy** sets up a reverse proxy to a local port / proxy
  - **server** sets up a nginx server with custom directives
  - **static** sets up a static web root
  - **upstream** sets up an upstream accessible to nginx virtual servers
- **node** defines roles for setting up node applications
  - **application** installs node (installs from node official repository)
- **server** defines roles using different kind of server applications, applications will be configured using separated system users
  - **firefox-sync** sets up a Firefox sync server for bookmarks, history, etc.
  - **gitea** sets up a git repository using *Gitea* as web overlay (fail2ban)
  - **minecraft** sets up a Minecraft server at the given version (AppArmor, no Web UI)
  - **nextcloud** sets up a cloud storage using *NextCloud*
  - **node** sets up a *Node.js* server from a repository with a database expecting it can be configured using environment variables
  - **spotme** sets up a SpotMe server
  - **static** sets up a static virtual server with files from a repository
  - **tt-rss** sets up a Tiny Tiny RSS Feed Reader server
- **wireguard** defines roles to handle a *WireGuard* configuration across different servers
  - **application** installs and configures the main application
  - **backbone** configures a system to allow all other *WireGuard* systems to connect to this server
  - **client** configures a system to connect to *WireGuard* backbones
  - **handlers** contains special handlers effecting all *WireGuard* backbones and clients
  - **special_client** creates a configuration for a device not configurable by Ansible and stores it locally

All roles, but especially the server subroles, are built to include everything required.
For example, some server subroles include support for configuring AppArmor or fail2ban.
Also nearly all server subroles will install and configure nginx and set the required dns entries.
The are some exceptions however, which are stated here, for example the **dns/entries** role.

Some roles require variables to be configured,
look into the roles `defaults/main.yml` file.
All configurable variables are documenteted there with their default values.
Mandatory variables are commented or otherwise stated mandatory.

All roles will use official resources by default, but some of them let you configure those, e.g. **server/tt-rss**.

## Usage

You *may* can apply the whole playbook to your server configuration without changes,
but I would not recommended that.
Some role's defaults are specially defined to work good in the environments of my server.
Please use my playbook and roles to build one yourself suited for your environment.

## License

This repository is licensed under MIT.
This configuration comes with no warranty.