Add Ansible config

2022-04-07 22:13:36 +02:00 · 2022-04-07 22:13:36 +02:00 · 7c15e5fa97
commit 7c15e5fa97
parent 812f7a4888
22 changed files with 1943 additions and 177 deletions
--- a/ansible/host_vars/tipi.yml
+++ b/ansible/host_vars/tipi.yml
@ -1,6 +1,15 @@
 packages:
  - jq
  - mkcert
+  - ufw
+  - iptables
+  - coreutils
+  - git
+  - base-devel
+  - docker
+  - avahi
+
+username: nicolas

 ### ZSH Settings
 zsh_theme: "powerlevel10k/powerlevel10k"
--- a/ansible/setup.yml
+++ b/ansible/setup.yml
@ -3,11 +3,13 @@
  become: yes

  tasks:
-    - import_tasks: tasks/essential.yml
-    - import_tasks: tasks/zsh.yml
-    - import_tasks: tasks/nginx.yml
-    - import_tasks: tasks/pi-hole.yml
-    - import_tasks: tasks/pi-vpn.yml
-    - import_tasks: tasks/nextcloud.yml
+    - import_tasks: ./tasks/arch/essential.yml
+    - import_tasks: ./tasks/zsh.yml
+    - import_tasks: ./tasks/network/avahi.yml
+    # - import_tasks: tasks/zsh.yml
+    # - import_tasks: tasks/nginx.yml
+    # - import_tasks: tasks/pi-hole.yml
+    # - import_tasks: tasks/pi-vpn.yml
+    # - import_tasks: tasks/nextcloud.yml
    # - name: Reboot machine
-    #   reboot:
+    #   reboot:
--- a/ansible/tasks/common/docker.yml
+++ b/ansible/tasks/common/docker.yml
@ -0,0 +1,41 @@
+- name: Install docker
+  package:
+    name: docker
+    state: latest
+  when: not docker_status.stat.exists
+
+- name: Install essential packages
+  package:
+    name:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+    state: latest
+  when: ansible_os_family == "Debian"
+
+- name: Check if docker-compose is installed
+  stat:
+    path: /usr/local/bin/docker-compose
+  register: docker_compose_status
+
+- name: Install docker-compose
+  shell: 'curl -L "https://github.com/docker/compose/releases/download/v2.3.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose'
+  when: not docker_compose_status.stat.exists
+
+- name: Make docker-compose executable
+  shell: chmod +x /usr/local/bin/docker-compose
+
+- name: Create group docker
+  group:
+    name: docker
+
+- name: Put user in docker group
+  user:
+    name: "{{ username }}"
+    group: docker
+
+- name: Start docker service
+  service:
+    enabled: yes
+    name: docker
+    state: started
--- a/ansible/tasks/common/essential.yml
+++ b/ansible/tasks/common/essential.yml
@ -0,0 +1,70 @@
+- name: Update packages
+  become: yes
+  pacman:
+    update_cache: yes
+    upgrade: yes
+
+- name: Add user to root group
+  user:
+    name: "{{ username }}"
+    group: root
+
+- name: Install essential packages
+  package:
+    name: "{{ packages }}"
+    state: latest
+
+- name: Disable SSH password auth
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: "^#PasswordAuthentication yes"
+    line: "PasswordAuthentication no"
+  register: sshd_config
+
+- name: Enable passwordless sudo for user
+  lineinfile:
+    dest: /etc/sudoers
+    regexp: "^%wheel"
+    line: "{{ username }} ALL=(ALL) NOPASSWD: ALL"
+    validate: "/usr/sbin/visudo -cf %s"
+
+- name: Restart SSH daemon
+  service:
+    name: sshd
+    state: restarted
+  when: sshd_config.changed
+
+- name: Allow SSH in UFW
+  community.general.ufw:
+    rule: allow
+    port: 22
+    from: 192.168.2.0/24
+    proto: tcp
+
+- name: Allow port 80 in UFW
+  community.general.ufw:
+    rule: allow
+    port: 80
+    proto: tcp
+
+- name: Allow port 443 in UFW
+  community.general.ufw:
+    rule: allow
+    port: 443
+    proto: tcp
+
+- name: Allow ports for apps
+  community.general.ufw:
+    rule: allow
+    port: 8080:8180
+    proto: tcp
+
+- name: Enable ufw daemon
+  service:
+    name: ufw
+    state: started
+    enabled: yes
+
+- name: Enable UFW
+  community.general.ufw:
+    state: enabled
--- a/ansible/tasks/common/zsh.yml
+++ b/ansible/tasks/common/zsh.yml
@ -0,0 +1,77 @@
+# Base config
+- name: Install zsh package
+  package:
+    name:
+      - zsh
+      - git
+    state: latest
+
+- name: Check if .zshrc exists
+  stat:
+    path: "/home/{{ username }}/.zshrc"
+  register: stat_rc_result
+
+- name: Check if .oh-my-zsh exists
+  stat:
+    path: "/home/{{ username }}/.oh-my-zsh"
+  register: stat_ohmyzsh_result
+
+# Oh-my-zsh installation
+- name: Get oh-my-zsh install script
+  get_url:
+    url: https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh
+    dest: /tmp/install.sh
+    mode: "0555"
+  when: not stat_ohmyzsh_result.stat.exists
+
+- name: Run installation script
+  become_user: "{{ username }}"
+  shell:
+    cmd: yes | /tmp/install.sh
+    creates: /home/{{ username }}/.oh-my-zsh"
+  when: not stat_ohmyzsh_result.stat.exists
+
+- name: Creating new /home/{{ username }}/.zshrc
+  copy:
+    src: /home/{{ username }}/.oh-my-zsh/templates/zshrc.zsh-template
+    dest: /home/{{ username }}/.zshrc
+    remote_src: yes
+  when: not stat_rc_result.stat.exists
+
+# Powerlevel10k configuration
+- name: Clone powerlevel10k theme
+  git:
+    repo: https://github.com/romkatv/powerlevel10k.git
+    dest: "/home/{{ username }}/.oh-my-zsh/custom/themes/powerlevel10k"
+
+- name: Enable powerlevel10k
+  lineinfile:
+    dest: /home/{{ username }}/.zshrc
+    regexp: "^ZSH_THEME="
+    line: "ZSH_THEME={{ zsh_theme }}"
+
+- name: Check if .p10k.zsh exists
+  stat:
+    path: "/home/{{ username }}/.p10k.zsh"
+  register: stat_p10k_result
+
+- name: Copy template to .p10k.zsh
+  copy:
+    src: "{{ playbook_dir }}/templates/zsh/p10k-template.zsh"
+    dest: /home/{{ username }}/.p10k.zsh
+  when: not stat_p10k_result.stat.exists
+
+- name: Store .zshrc in variable
+  shell: "cat /home/{{ username }}/.zshrc"
+  register: zshrc_result
+
+- name: Add line to .zshrc
+  shell: 'echo "[[ ! -f ~/.p10k.zsh ]] || source ~/.p10k.zsh" >> /home/{{ username }}/.zshrc'
+  when: zshrc_result.stdout.find('source ~/.p10k.zsh') == -1
+
+# Final teardown
+- name: Change default shell to zsh
+  become: yes
+  user:
+    name: "{{ username }}"
+    shell: /bin/zsh
--- a/ansible/tasks/essential.yml
+++ b/ansible/tasks/essential.yml
@ -1,115 +0,0 @@
- name: Create new user for system
-  user:
-    name: tipi
-    comment: Tipi user
-    uid: 1040
-    group: admin
-
- name: Update packages
-  become: tipi
-  apt:
-    update_cache: yes
-    upgrade: yes
-
- name: Install essential packages
-  package:
-    name: "{{ packages }}"
-    state: latest
-
- name: Check if docker is installed
-  stat:
-    path: /usr/bin/docker
-  register: docker_status
-
- name: Check if docker pgp key is installed
-  stat:
-    path: /usr/share/keyrings/docker-archive-keyring.gpg
-  register: docker_pgp_key_status
-
- name: Download docker
-  shell: "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg"
-  when: not docker_pgp_key_status.stat.exists
-
- name: Setup stable docker repository
-  shell: 'echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null'
-  when: not docker_status.stat.exists
-
- name: Update packages
-  apt:
-    update_cache: yes
-    upgrade: yes
-
- name: Install essential packages
-  package:
-    name:
-      - docker-ce
-      - docker-ce-cli
-      - containerd.io
-    state: latest
-
- name: Check if docker-compose is installed
-  stat:
-    path: /usr/local/bin/docker-compose
-  register: docker_compose_status
-
- name: Install docker-compose
-  shell: 'curl -L "https://github.com/docker/compose/releases/download/v2.3.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose'
-  when: not docker_compose_status.stat.exists
-
- name: Disable iptables for increased security with docker
-  lineinfile:
-    path: /etc/default/docker
-    regexp: "^DOCKER_OPTS="
-    line: 'DOCKER_OPTS="--iptables=false"'
-
- name: Add group docker
-  group:
-    name: docker
-
- name: Add user to group docker
-  user:
-    name: tipi
-    group: docker
-
- name: Disable SSH password auth
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    regexp: "^#PasswordAuthentication yes"
-    line: "PasswordAuthentication no"
-  register: sshd_config
-
- name: Enable passwordless sudo for tipi user
-  lineinfile:
-    dest: /etc/sudoers
-    regexp: "^%wheel"
-    line: "tipi ALL=(ALL) NOPASSWD: ALL"
-    validate: "/usr/sbin/visudo -cf %s"
-
- name: Restart SSH daemon
-  service:
-    name: sshd
-    state: restarted
-  when: sshd_config.changed
-
- name: Allow SSH in UFW
-  community.general.ufw:
-    rule: allow
-    port: 22
-    from: 192.168.2.0/24
-    proto: tcp
-
- name: Allow port 80 in UFW
-  community.general.ufw:
-    rule: allow
-    port: 80
-    proto: tcp
-
- name: Allow port 443 in UFW
-  community.general.ufw:
-    rule: allow
-    port: 443
-    proto: tcp
-
- name: Enable UFW
-  community.general.ufw:
-    state: enabled
--- a/ansible/tasks/network/avahi.yml
+++ b/ansible/tasks/network/avahi.yml
@ -0,0 +1,44 @@
+# Network
+- name: Install avahi
+  package:
+    name: avahi
+    state: latest
+  when: ansible_os_family == "Arch"
+
+- name: Install avahi
+  package:
+    name: avahi-daemon
+    state: latest
+  when: ansible_os_family == "Debian"
+
+- name: Disable and stop sytemd-resolved
+  service:
+    name: systemd-resolved
+    state: stopped
+    enabled: no
+
+- name: Replace line in /etc/nsswitch.conf
+  lineinfile:
+    path: /etc/nsswitch.conf
+    regexp: '^hosts:.*'
+    line: 'hosts: mymachines mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns'
+
+- name: Allow port 5353
+  ufw:
+    action: allow
+    port: 5353
+    proto: udp
+
+- name: Copy avahi template to /etc/avahi/services/tipi.service
+  copy:
+    src: "{{ playbook_dir }}/templates/avahi/tipi.service"
+    dest: /etc/avahi/services/tipi.service
+    group: avahi
+    user: avahi
+
+- name: Start and enable avahi-daemon
+  service:
+    name: avahi-daemon
+    state: started
+    enabled: yes
+###
--- a/ansible/templates/avahi/tipi.service
+++ b/ansible/templates/avahi/tipi.service
@ -0,0 +1,18 @@
+<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
+<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
+
+<service-group>
+  <name replace-wildcards="yes">%h</name>
+  <service>
+    <type>_http._tcp</type>
+    <port>80</port>
+  </service>
+</service-group>
+
+<service-group>
+  <name replace-wildcards="yes">%h</name>
+  <service>
+    <type>_http._tcp</type>
+    <port>443</port>
+  </service>
+</service-group>
--- a/ansible/templates/zsh/p10k-template.zsh
+++ b/ansible/templates/zsh/p10k-template.zsh
--- a/apps/anonaddy/docker-compose.yml
+++ b/apps/anonaddy/docker-compose.yml
@ -50,7 +50,7 @@ services:
      - tipi_main_network
    labels:
        traefik.enable: true
-        traefik.http.routers.anonaddy.rule: Host(`anonaddy.tipi.local`)
+        traefik.http.routers.anonaddy.rule: Host(`anonaddy.tipi.home`)
        traefik.http.routers.anonaddy.tls: true
        traefik.http.routers.anonaddy.entrypoints: websecure
        traefik.http.routers.anonaddy.service: anonaddy
--- a/apps/freshrss/docker-compose.yml
+++ b/apps/freshrss/docker-compose.yml
@ -3,7 +3,7 @@ version: "3.7"
 services:
  freshrss:
    container_name: freshrss
-    image: freshrss/freshrss:1.19.2
+    image: freshrss/freshrss:arm
    restart: unless-stopped
    ports:
      - "${APP_FRESHRSS_PORT}:80"
@ -17,7 +17,7 @@ services:
      - tipi_main_network
    labels:
        traefik.enable: true
-        traefik.http.routers.freshrss.rule: Host(`freshrss.tipi.local`)
+        traefik.http.routers.freshrss.rule: Host(`freshrss.tipi.home`)
        traefik.http.routers.freshrss.service: freshrss
        traefik.http.routers.freshrss.tls: true
        traefik.http.routers.freshrss.entrypoints: websecure
--- a/apps/nextcloud/docker-compose.yml
+++ b/apps/nextcloud/docker-compose.yml
@ -3,7 +3,7 @@ version: "3.7"
 services:
  db-nextcloud:
    container_name: db-nextcloud
-    user: '1000:1000'
+    # user: '1000:1000'
    image: mariadb:10.5.12
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    restart: on-failure
@ -19,7 +19,7 @@ services:

  redis-nextcloud:
    container_name: redis-nextcloud
-    user: '1000:1000'
+    # user: '1000:1000'
    image: redis:6.2.2-buster
    restart: on-failure
    volumes:
@ -27,7 +27,6 @@ services:
    networks:
      - tipi_main_network

-
  cron:
    image: nextcloud:22.0.0-apache
    restart: on-failure
@ -57,25 +56,18 @@ services:
      - MYSQL_USER=nextcloud
      - NEXTCLOUD_ADMIN_USER=tipi
      - NEXTCLOUD_ADMIN_PASSWORD=password
+      - NEXTCLOUD_TRUSTED_DOMAINS=tipi.local
    depends_on:
      - db-nextcloud
      - redis-nextcloud
    networks:
      - tipi_main_network
-    labels:
-        traefik.enable: true
-        traefik.http.routers.nextcloud.rule: Host(`nextcloud.tipi.local`)
-        traefik.http.routers.nextcloud.service: nextcloud
-        traefik.http.routers.nextcloud.tls: true
-        traefik.http.routers.nextcloud.entrypoints: websecure
-        traefik.http.services.nextcloud.loadbalancer.server.port: 80
-
    # labels:
    #     traefik.enable: true
-    #     traefik.http.routers.nextcloud.rule: PathPrefix(`/nextcloud`)
-
-    #     traefik.http.routers.nextcloud.entrypoints: http
+    #     traefik.http.routers.nextcloud.rule: Host(`nextcloud.tipi.home`)
    #     traefik.http.routers.nextcloud.service: nextcloud
+    #     traefik.http.routers.nextcloud.tls: true
+    #     traefik.http.routers.nextcloud.entrypoints: websecure
    #     traefik.http.services.nextcloud.loadbalancer.server.port: 80
      

--- a/apps/simple-torrent/docker-compose.yml
+++ b/apps/simple-torrent/docker-compose.yml
@ -4,7 +4,6 @@ services:
  server:
    container_name: simple-torrent
    image: boypt/cloud-torrent:1.3.9
-    user: "1000:1000"
    restart: on-failure
    ports:
      - "${APP_SIMPLETORRENT_PORT}:${APP_SIMPLETORRENT_PORT}"
@ -17,10 +16,10 @@ services:
      - ${APP_DATA_DIR}/data/config:/config
    networks:
        - tipi_main_network
-    labels:
-        traefik.enable: true
-        traefik.http.routers.simple-torrent.rule: Host(`simple-torrent.tipi.local`)
-        traefik.http.routers.simple-torrent.service: simple-torrent
-        traefik.http.routers.simple-torrent.tls: true
-        traefik.http.routers.simple-torrent.entrypoints: websecure
-        traefik.http.services.simple-torrent.loadbalancer.server.port: ${APP_SIMPLETORRENT_PORT}
+    # labels:
+    #     traefik.enable: true
+    #     traefik.http.routers.simple-torrent.rule: Host(`simple-torrent.tipi.home`)
+    #     traefik.http.routers.simple-torrent.service: simple-torrent
+    #     traefik.http.routers.simple-torrent.tls: true
+    #     traefik.http.routers.simple-torrent.entrypoints: websecure
+    #     traefik.http.services.simple-torrent.loadbalancer.server.port: ${APP_SIMPLETORRENT_PORT}
--- a/apps/wg-easy/docker-compose.yml
+++ b/apps/wg-easy/docker-compose.yml
@ -20,10 +20,10 @@ services:
        - net.ipv4.ip_forward=1
      networks:
        - tipi_main_network
-      labels:
-        traefik.enable: true
-        traefik.http.routers.wireguard.rule: Host(`wireguard.tipi.local`)
-        traefik.http.routers.wireguard.service: wireguard
-        traefik.http.routers.wireguard.tls: true
-        traefik.http.routers.wireguard.entrypoints: websecure
-        traefik.http.services.wireguard.loadbalancer.server.port: 51821
+      # labels:
+      #   traefik.enable: true
+      #   traefik.http.routers.wireguard.rule: Host(`wireguard.tipi.home`)
+      #   traefik.http.routers.wireguard.service: wireguard
+      #   traefik.http.routers.wireguard.tls: true
+      #   traefik.http.routers.wireguard.entrypoints: websecure
+      #   traefik.http.services.wireguard.loadbalancer.server.port: 51821
--- a/clean.sh
+++ b/clean.sh
@ -0,0 +1,4 @@
+# Script to clean up the setup
+./scripts/stop.sh
+
+sudo rm -rf app-data/**
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -36,6 +36,7 @@ services:
      - ${PWD}/traefik:/root/.config
    networks:
      - tipi_main_network
+
  dashboard:
    build:
      context: ./dashboard
@ -51,8 +52,8 @@ services:
    labels:
        traefik.enable: true
        traefik.http.routers.dashboard.rule: Host(`tipi.local`)
-        traefik.http.routers.dashboard.tls: true
-        traefik.http.routers.dashboard.entrypoints: websecure
+        # traefik.http.routers.dashboard.tls: true
+        traefik.http.routers.dashboard.entrypoints: webinsecure
        traefik.http.routers.dashboard.service: dashboard
        traefik.http.services.dashboard.loadbalancer.server.port: 3000

--- a/scripts/app.sh
+++ b/scripts/app.sh
@ -102,7 +102,7 @@ compose() {
 if [[ "$command" = "install" ]]; then
  compose "${app}" pull
  
-  # # Copy env file sample to .env
+  # # # Copy env file sample to .env
  # if [[ -f "${app_dir}/.env-sample" ]]; then
  #   # Append to .env
  #   echo "Copying .env-sample to .env for ${app} if not already done"
--- a/scripts/configure.sh
+++ b/scripts/configure.sh
@ -4,6 +4,11 @@ ROOT_FOLDER="$(readlink -f $(dirname "${BASH_SOURCE[0]}")/..)"
 NGINX_PORT="80"
 # Apps
 APP_PI_HOLE_PORT="8081"
+APP_WG_EASY_PORT="8082"
+APP_NEXTCLOUD_PORT="8082"
+APP_ANONADDY_PORT="8083"
+APP_SIMPLETORRENT_PORT="8084"
+APP_FRESHRSS_PORT="8085"

 echo
 echo "======================================"
@ -34,17 +39,21 @@ if ! command -v ansible-playbook > /dev/null; then
  sudo apt-get install -y ansible
 fi

-ansible-playbook ansible/setup.yml -K
+ansible-playbook ansible/setup.yml -i ansible/hosts

 echo "Generating config files..."
 for template in "${ENV_FILE}"; do
  sed -i "s/<nginx-port>/${NGINX_PORT}/g" "${template}"
  # Apps
  sed -i "s/<app-pi-hole-port>/${APP_PI_HOLE_PORT}/g" "${template}"
-  sed -i "s/<domain>/${DOMAIN}/g" "${template}"
+  sed -i "s/<app-wgeasy-port>/${APP_WG_EASY_PORT}/g" "${template}"
+  sed -i "s/<app-nextcloud-port>/${APP_NEXTCLOUD_PORT}/g" "${template}"
+  sed -i "s/<app-anonaddy-port>/${APP_ANONADDY_PORT}/g" "${template}"
+  sed -i "s/<app-simpletorrent-port>/${APP_SIMPLETORRENT_PORT}/g" "${template}"
+  sed -i "s/<app-freshrss-port>/${APP_FRESHRSS_PORT}/g" "${template}"
 done

-mv -f "$ENV_FILE" "./.env"
+mv -f "$ENV_FILE" "$ROOT_FOLDER/.env"

 echo "Configuring permissions..."
 echo
--- a/state/apps.json
+++ b/state/apps.json
@ -1,6 +1,6 @@
 {
-  "installed": "freshrss",
+  "installed": "nextcloud",
  "environment": {
    "anonaddy": {}
  }
-}
+}
--- a/templates/.env-sample
+++ b/templates/.env-sample
@ -1,13 +1,15 @@
 # Only edit this file if you know what you are doing!
 # It will be overwritten on update.

-#Umbrel
-NETWORK_IP=<network-ip>
-GATEWAY_IP=<gateway-ip>
-NGINX_IP=<nginx-ip>
-NGINX_PORT=<nginx-port>
-DASHBOARD_IP=<dashboard-ip>
+TZ=Europe/Paris
+PUID=1000
+PGID=1000

 # Apps
 APP_PI_HOLE_PORT=<app-pi-hole-port>
-APP_PI_HOLE_IP=<app-pi-hole-ip>
+APP_WGEASY_PORT=<app-wgeasy-port>
+APP_NEXTCLOUD_PORT=<app-nextcloud-port>
+APP_ANONADDY_PORT=<app-anonaddy-port>
+APP_SIMPLETORRENT_PORT=<app-simpletorrent-port>
+APP_FRESHRSS_PORT=<app-freshrss-port>
+
--- a/traefik/letsencrypt/mkcert/.gitkeep
+++ b/traefik/letsencrypt/mkcert/.gitkeep
--- a/traefik/traefik.yml
+++ b/traefik/traefik.yml
@ -9,18 +9,20 @@ providers:
    watch: true
    exposedByDefault: false

-  file:
-    filename: /root/.config/dynamic.yml
-    watch: true
+  # TODO: Add TLS support
+  # file:
+  #   filename: /root/.config/dynamic.yml
+  #   watch: true

 entryPoints:
  webinsecure:
    address: ":80"
-    http:
-      redirections:
-        entryPoint:
-          to: websecure
-          scheme: https
+    # TODO: Redirect when TLS is working
+    # http:
+    #   redirections:
+    #     entryPoint:
+    #       to: websecure
+    #       scheme: https
  websecure:
    address: ":443"