diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg new file mode 100644 index 0000000..9a8bb94 --- /dev/null +++ b/ansible/ansible.cfg @@ -0,0 +1,2 @@ +[defaults] +inventory = hosts.yaml diff --git a/ansible/bootstrapuser.yaml b/ansible/bootstrapuser.yaml new file mode 100644 index 0000000..e5dd266 --- /dev/null +++ b/ansible/bootstrapuser.yaml 
@@ -0,0 +1,79 @@ +--- +- name: Prepare System + hosts: all + become: true + gather_facts: true + any_errors_fatal: true + pre_tasks: + - name: Pausing for 2 seconds... + ansible.builtin.pause: + seconds: 2 + tasks: + - name: Packages + block: + - name: Packages | Add fish key + ansible.builtin.get_url: + url: https://download.opensuse.org/repositories/shells:fish:release:3/Debian_12/Release.key + dest: /etc/apt/trusted.gpg.d/fish.asc + owner: root + group: root + mode: "0644" + - name: Packages | Add fish repository + ansible.builtin.apt_repository: + repo: deb [signed-by=/etc/apt/trusted.gpg.d/fish.asc] http://download.opensuse.org/repositories/shells:/fish:/release:/3/Debian_12/ / + filename: fish + update_cache: true + - name: Packages | Add non-free repository + ansible.builtin.apt_repository: + repo: deb http://deb.debian.org/debian/ stable main contrib non-free + filename: non-free + update_cache: true + - name: Packages | Install + ansible.builtin.apt: + name: i965-va-driver-shaders,apt-transport-https,ca-certificates,conntrack,curl,dirmngr,fish,gdisk, + gnupg,hdparm,htop,intel-gpu-tools,intel-media-va-driver-non-free,iperf3,iptables,iputils-ping,ipvsadm, + libseccomp2,lm-sensors,neofetch,net-tools,nfs-common,nvme-cli,open-iscsi,parted,psmisc,python3, + python3-apt,python3-openshift,python3-kubernetes,python3-yaml,smartmontools,socat,software-properties-common, + unzip,util-linux + install_recommends: false + - name: User Configuration + block: + - name: User Configuration | SSH keys + ansible.posix.authorized_key: + user: "{{ ansible_user }}" + key: "https://github.com/{{ github_username }}.keys" + - name: User Configuration | Silence login + ansible.builtin.file: + dest: "{{ '/home/' + ansible_user if ansible_user != 'root' else '/root' }}/.hushlogin" + state: touch + owner: "{{ ansible_user }}" + group: "{{ ansible_user }}" + mode: "0644" + modification_time: preserve + access_time: preserve + - name: User Configuration | Add user to sudoers + when: 
ansible_user != 'root' + ansible.builtin.copy: + content: "{{ ansible_user }} ALL=(ALL:ALL) NOPASSWD:ALL" + dest: "/etc/sudoers.d/{{ ansible_user }}" + owner: root + group: root + mode: "0440" + - name: User Configuration | Fish shell (1) + ansible.builtin.user: + name: "{{ ansible_user }}" + shell: /usr/bin/fish + - name: User Configuration | Fish shell (2) + ansible.builtin.file: + path: "{{ '/home/' + ansible_user if ansible_user != 'root' else '/root' }}/.config/fish/functions" + state: directory + owner: "{{ ansible_user }}" + group: "{{ ansible_user }}" + recurse: true + - name: User Configuration | Fish shell (3) + ansible.builtin.copy: + dest: "{{ '/home/' + ansible_user if ansible_user != 'root' else '/root' }}/.config/fish/functions/fish_greeting.fish" + owner: "{{ ansible_user }}" + group: "{{ ansible_user }}" + mode: "0755" + content: neofetch --config none diff --git a/ansible/dhcp.yaml b/ansible/dhcp.yaml new file mode 100644 index 0000000..cd4896d --- /dev/null +++ b/ansible/dhcp.yaml 
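Review bot: The sudoers drop-in written by 'User Configuration | Add user to sudoers' is not syntax-checked before it lands in /etc/sudoers.d, so a malformed file would break sudo for every account on the host; add `validate: /usr/sbin/visudo -cf %s` to that copy task. In the same hunk, 'Packages | Add non-free repository' tracks the `stable` suite while the fish repository is pinned to Debian_12, so when stable moves to the next release this line pulls a cross-release upgrade — pin it to `bookworm` to match. The fish Release.key is fetched by get_url without a `checksum:` even though the other playbooks in this commit pin their keys with sha512; adding one keeps a swapped key from being trusted silently.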
@@ -0,0 +1,53 @@ +--- +- hosts: all + become: true + + tasks: + # VM DHCP Config + - name: Install isc-dhcp-server + ansible.builtin.apt: + pkg: + - isc-dhcp-server + state: present + - name: Copy dhcpd.conf to /etc/dhcp/dhcpd.conf + ansible.builtin.copy: + src: ../config/dhcpd-hostnet.conf + dest: /etc/dhcp/dhcpd.conf + owner: root + group: root + mode: '0644' + - name: Copy isc-dhcp-server to /etc/default/isc-dhcp-server + ansible.builtin.copy: + src: ../config/dhcpd-interfaces.conf + dest: /etc/default/isc-dhcp-server + owner: root + group: root + mode: '0644' + - name: Copy net create script in ../scripts to /tmp + ansible.builtin.copy: + src: ../scripts/create_net_if.sh + dest: /tmp/create_net_if.sh + owner: root + group: root + mode: '0755' + - name: Check if vmbr1 exists + ansible.builtin.stat: + path: /sys/class/net/vmbr1 + register: vmbr1 + - name: Set the network interfaces + ansible.builtin.shell: /tmp/valinor-scripts/create_net_if.sh > /etc/network/interfaces + when: not vmbr1.stat.exists + - name: Restart service networking + ansible.builtin.service: + name: networking + state: restarted + - name: Delete script /tmp/ + ansible.builtin.file: + path: /tmp/create_net_if.sh + state: absent + force: true + - name: Enable isc-dhcp-server + ansible.builtin.service: + name: isc-dhcp-server + enabled: true + state: started diff --git a/ansible/extras-only.yaml b/ansible/extras-only.yaml new file mode 100644 index 0000000..c894c3e --- /dev/null +++ b/ansible/extras-only.yaml 
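Review bot: 'Set the network interfaces' runs `/tmp/valinor-scripts/create_net_if.sh`, but the preceding copy task places the script at `/tmp/create_net_if.sh` (and the cleanup task deletes that same path), so on a host without vmbr1 the shell task fails on a missing file; change it to `ansible.builtin.shell: /tmp/create_net_if.sh > /etc/network/interfaces`. Staging a root-executed script in the world-writable /tmp is also avoidable: `ansible.builtin.script` copies and runs it from a private temporary directory, though the redirect into /etc/network/interfaces would then need to move into the script or a follow-up copy task. 'Restart service networking' is unconditional, so every run of this playbook drops the host's network; guard it with the same `when: not vmbr1.stat.exists` or turn it into a handler notified by the shell task.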
@@ -0,0 +1,112 @@ +--- +- hosts: all + become: true + + tasks: + - name: Check if reboot is required + ansible.builtin.stat: + path: /var/run/reboot-required + register: reboot_required + - name: Reboot if required + ansible.builtin.reboot: + when: reboot_required.stat.exists + - name: Installing Crowdsec pre-reqs + ansible.builtin.apt: + pkg: + - gnupg + state: present + - name: Add crowdsec keyring + ansible.builtin.get_url: + url: https://packagecloud.io/crowdsec/crowdsec/gpgkey + dest: /etc/apt/trusted.gpg.d/crowdsec + checksum: sha512:5036042aff9d2700a39f64c3a6a70164a76162973e10dacb119aec98e9d60bd4a2f6d6ca4bc2c243a0751fd957baa51e0182fa0cd2f5798d7ec8a7893a1e219f + mode: '0644' + - name: Dearmor crowdsec gpg key + ansible.builtin.command: + cmd: gpg --dearmor /etc/apt/trusted.gpg.d/crowdsec + creates: /etc/apt/trusted.gpg.d/crowdsec.gpg + - name: Ensure keyring is removed + ansible.builtin.file: + path: /etc/apt/trusted.gpg.d/crowdsec + state: absent + - name: Add crowdsec repo + ansible.builtin.apt_repository: + repo: deb https://packagecloud.io/crowdsec/crowdsec/debian/ bookworm main + state: present + filename: crowdsec-install-repo + update_cache: true + - name: Add crowdsec source repo + ansible.builtin.apt_repository: + repo: deb-src https://packagecloud.io/crowdsec/crowdsec/debian/ bookworm main + state: present + filename: crowdsec-src-repo + update_cache: true + - name: Install firewalld and crowdsec packages + ansible.builtin.apt: + pkg: + - firewalld + - crowdsec + - crowdsec-firewall-bouncer-iptables + update_cache: true + - name: Add enp5s0 interface to public firewalld zone + ansible.posix.firewalld: + state: "enabled" + interface: "enp5s0" + zone: public + immediate: true + permanent: true + - name: Configure open ports with firewalld + ansible.posix.firewalld: + state: "{{ item.state }}" + port: "{{ item.port }}" + zone: public + immediate: true + permanent: true + with_items: + - { state: 'enabled', port: '22/tcp' } + - { state: 'enabled', port: 
'8006/tcp' } + - name: Enable firewalld masquerade + ansible.posix.firewalld: + state: "enabled" + masquerade: "true" + zone: public + immediate: true + permanent: true + - name: Enable masquerade rich rule for 192.168.20.0/24 network + ansible.posix.firewalld: + state: "enabled" + rich_rule: "rule family=ipv4 source address=192.168.20.0/24 masquerade" + permanent: true + immediate: true + - name: Enable ipv4 forwarding + ansible.posix.sysctl: + name: net.ipv4.ip_forward + value: 1 + state: present + reload: true + - name: Enable ipv6 forwarding + ansible.posix.sysctl: + name: net.ipv6.conf.all.forwarding + value: 1 + state: present + reload: true + - name: Add vfio modules to /etc/modules + ansible.builtin.lineinfile: + path: /etc/modules + line: "{{ item }}" + create: true + with_items: + - vfio + - vfio_iommu_type1 + - vfio_pci + - vfio_virqfd + - name: Add intel_iommu=on iommu=pt to kernel start parameters + ansible.builtin.lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX_DEFAULT=' + line: 'GRUB_CMDLINE_LINUX_DEFAULT="consoleblank=0 systemd.show_status=true intel_iommu=on iommu=pt"' + state: present + backup: true + ## TODO: Find a way to only execute this ONLY when the kernel is installed. + - name: Update grub + ansible.builtin.command: update-grub diff --git a/ansible/hosts.yaml b/ansible/hosts.yaml new file mode 100644 index 0000000..9395729 --- /dev/null +++ b/ansible/hosts.yaml @@ -0,0 +1,21 @@ +--- +valinor: + vars: + ansible_user: jahanson + github_username: jahanson + ansible_ssh_port: 22 + children: + workers: + hosts: + varda: + ansible_host: varda.hsn.dev + ceph_drives: + - /dev/disk/by-id/nvme-SAMSUNG_MZVL2512HCJQ-00B00_S675NU0TB36131 + # manwe: + # ansible_host: manwe.hsn.dev + # ceph_drives: + # - /dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_1TB_S6S1NS0TC01391F + # nienna: + # ansible_host: nienna.hsn.dev + # ceph_drives: + # - /dev/disk/by-id/nvme-SAMSUNG_MZVLB512HBJQ-00000_S4GENX0N424497 
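Review bot: The final 'Update grub' command runs on every play even though its only visible trigger in this hunk is the GRUB_CMDLINE_LINUX_DEFAULT lineinfile change; register that task (`register: grub_default`) and gate the command with `when: grub_default.changed`, or make update-grub a handler the lineinfile task notifies, which also resolves the TODO on the line above. Everything from 'Installing Crowdsec pre-reqs' onward is duplicated verbatim in ansible/proxmox8.yaml in the same commit, so the two copies will drift; factor the shared tasks into a tasks file pulled in with `ansible.builtin.import_tasks` from both playbooks. The firewalld tasks open 8006/tcp, the Proxmox web UI, in the public zone bound to enp5s0; if that interface faces an untrusted network, a rich rule limiting the source range would be the safer default.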
diff --git a/ansible/proxmox8.yaml b/ansible/proxmox8.yaml new file mode 100644 index 0000000..0bd0134 --- /dev/null +++ b/ansible/proxmox8.yaml 
@@ -0,0 +1,166 @@ +--- +- hosts: all + become: true + + tasks: + - name: Add proxmox gpg key + ansible.builtin.get_url: + url: https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg + dest: /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg + checksum: sha512:7da6fe34168adc6e479327ba517796d4702fa2f8b4f0a9833f5ea6e6b48f6507a6da403a274fe201595edc86a84463d50383d07f64bdde2e3658108db7d6dc87 + mode: '0644' + - name: Add proxmox repo + ansible.builtin.apt_repository: + repo: deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription + state: present + filename: pve-install-repo + update_cache: true + - name: Ensure that pve-enterprise apt repo is removed + ansible.builtin.apt_repository: + repo: deb https://enterprise.proxmox.com/debian/pve bookworm pve-enterprise + state: absent + filename: pve-enterprise + - name: Upgrade apt packages + ansible.builtin.apt: + upgrade: full + update_cache: true + - name: Install pve-kernel-6.2 + ansible.builtin.apt: + pkg: pve-kernel-6.2 + state: present + - name: Check if reboot is required + ansible.builtin.stat: + path: /var/run/reboot-required + register: reboot_required + - name: Reboot if required + ansible.builtin.reboot: + when: reboot_required.stat.exists + - name: Install proxmox-ve postfix and open-iscsi + ansible.builtin.apt: + pkg: + - proxmox-ve + - postfix + - open-iscsi + state: present + - name: Ensure the Debian Kernel is removed + ansible.builtin.apt: + pkg: + - linux-image-amd64 + - linux-image-6.1* + state: absent +## TODO: Find a way to only execute this ONLY when the kernel is installed. 
+ - name: Update grub + ansible.builtin.command: update-grub + - name: Remove os-prober + ansible.builtin.apt: + pkg: os-prober + state: absent + - name: Ensure that pve-enterprise apt repo is removed + ansible.builtin.apt_repository: + repo: deb https://enterprise.proxmox.com/debian/pve bookworm pve-enterprise + state: absent + filename: pve-enterprise + - name: Upgrade apt packages + ansible.builtin.apt: + upgrade: full + update_cache: true + - name: Installing Crowdsec pre-reqs + ansible.builtin.apt: + pkg: + - gnupg + state: present + - name: Add crowdsec keyring + ansible.builtin.get_url: + url: https://packagecloud.io/crowdsec/crowdsec/gpgkey + dest: /etc/apt/trusted.gpg.d/crowdsec + checksum: sha512:5036042aff9d2700a39f64c3a6a70164a76162973e10dacb119aec98e9d60bd4a2f6d6ca4bc2c243a0751fd957baa51e0182fa0cd2f5798d7ec8a7893a1e219f + mode: '0644' + - name: Dearmor crowdsec gpg key + ansible.builtin.command: + cmd: gpg --dearmor /etc/apt/trusted.gpg.d/crowdsec + creates: /etc/apt/trusted.gpg.d/crowdsec.gpg + - name: Ensure keyring is removed + ansible.builtin.file: + path: /etc/apt/trusted.gpg.d/crowdsec + state: absent + - name: Add crowdsec repo + ansible.builtin.apt_repository: + repo: deb https://packagecloud.io/crowdsec/crowdsec/debian/ bookworm main + state: present + filename: crowdsec-install-repo + update_cache: true + - name: Add crowdsec source repo + ansible.builtin.apt_repository: + repo: deb-src https://packagecloud.io/crowdsec/crowdsec/debian/ bookworm main + state: present + filename: crowdsec-src-repo + update_cache: true + - name: Install firewalld and crowdsec packages + ansible.builtin.apt: + pkg: + - firewalld + - crowdsec + - crowdsec-firewall-bouncer-iptables + update_cache: true + - name: Add enp5s0 interface to public firewalld zone + ansible.posix.firewalld: + state: "enabled" + interface: "enp5s0" + zone: public + immediate: true + permanent: true + - name: Configure open ports with firewalld + ansible.posix.firewalld: + state: "{{ 
item.state }}" + port: "{{ item.port }}" + zone: public + immediate: true + permanent: true + with_items: + - { state: 'enabled', port: '22/tcp' } + - { state: 'enabled', port: '8006/tcp' } + - name: Enable firewalld masquerade + ansible.posix.firewalld: + state: "enabled" + masquerade: "true" + zone: public + immediate: true + permanent: true + - name: Enable masquerade rich rule for 192.168.20.0/24 network + ansible.posix.firewalld: + state: "enabled" + rich_rule: "rule family=ipv4 source address=192.168.20.0/24 masquerade" + permanent: true + immediate: true + - name: Enable ipv4 forwarding + ansible.posix.sysctl: + name: net.ipv4.ip_forward + value: 1 + state: present + reload: true + - name: Enable ipv6 forwarding + ansible.posix.sysctl: + name: net.ipv6.conf.all.forwarding + value: 1 + state: present + reload: true + - name: Add vfio modules to /etc/modules + ansible.builtin.lineinfile: + path: /etc/modules + line: "{{ item }}" + create: true + with_items: + - vfio + - vfio_iommu_type1 + - vfio_pci + - vfio_virqfd + - name: Add intel_iommu=on iommu=pt to debian bookworm kernel start parameters + ansible.builtin.lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX_DEFAULT=' + line: 'GRUB_CMDLINE_LINUX_DEFAULT="consoleblank=0 systemd.show_status=true intel_iommu=on iommu=pt"' + state: present + backup: true + ## TODO: Find a way to only execute this ONLY when the kernel is installed. + - name: Update grub + ansible.builtin.command: update-grub
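Review bot: 'Reboot if required' is keyed only on /var/run/reboot-required, which the kernel packages on plain Debian do not necessarily create, so when the flag is absent the play proceeds to 'Ensure the Debian Kernel is removed' while still running that kernel; register the pve-kernel-6.2 install (`register: pve_kernel`) and reboot with `when: pve_kernel.changed or reboot_required.stat.exists`. 'Ensure that pve-enterprise apt repo is removed' and 'Upgrade apt packages' each appear twice in this hunk (before the kernel install and again after 'Remove os-prober'); the second pair is a copy of the first and can be dropped. The trailing 'Update grub' command has the same unconditional-run issue as in extras-only.yaml and should be gated on the registered lineinfile result in the same way.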