From 79c8123c6ff5b2ef045a9dba46f2c14ba3cb7f67 Mon Sep 17 00:00:00 2001
From: aleidk
Date: Thu, 28 Nov 2024 16:52:27 -0300
Subject: [PATCH] add basic ansible playbook for alpine setup
---
 .gitignore | 1 +
 .justfile | 18 +++++++
 files/alpine/motd.j2 | 15 ++++++
 files/alpine/repositories.j2 | 4 ++
 hosts/inventory.ini | 2 +
 playbooks/setup/alpine.yaml | 101 +++++++++++++++++++++++++++++++++++
 variables/secrets.yaml | 9 ++++
 7 files changed, 150 insertions(+)
 create mode 100644 .justfile
 create mode 100644 files/alpine/motd.j2
 create mode 100644 files/alpine/repositories.j2
 create mode 100644 hosts/inventory.ini
 create mode 100644 playbooks/setup/alpine.yaml
 create mode 100644 variables/secrets.yaml
diff --git a/.gitignore b/.gitignore
index b53173d..b5b9d47 100644
--- a/.gitignore
+++ b/.gitignore
@@ -204,3 +204,4 @@ cython_debug/
 # option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+.decrypt-pass.txt
diff --git a/.justfile b/.justfile
new file mode 100644
index 0000000..d640496
--- /dev/null
+++ b/.justfile
@@ -0,0 +1,18 @@
+export ANSIBLE_VAULT_PASSWORD_FILE := "./.decrypt-pass.txt"
+
+inventory := "./hosts/inventory.ini"
+
+play +ARGS:
+ ansible-playbook -i {{ inventory }} {{ ARGS }}
+
+ansible +ARGS:
+ ansible -i {{ inventory }} {{ ARGS }}
+
+list-host:
+ ansible-inventory -i {{ inventory }} --list
+
+encrypt +ARGS:
+ ansible-valut encrypt {{ ARGS }}
+
+decrypt +ARGS:
+ ansible-vault edit {{ ARGS }}
diff --git a/files/alpine/motd.j2 b/files/alpine/motd.j2
new file mode 100644
index 0000000..55f3344
--- /dev/null
+++ b/files/alpine/motd.j2
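Review bot: The `encrypt` recipe runs `ansible-valut encrypt {{ ARGS }}`, a misspelling of `ansible-vault`, so `just encrypt` fails with command-not-found while the neighbouring `decrypt` recipe works; change that line to `ansible-vault encrypt {{ ARGS }}`. The recipe named `decrypt` actually runs `ansible-vault edit`, which opens the file in `$EDITOR` and re-encrypts on save, so plaintext never lands on disk — that is the safer behaviour, and a comment such as `# edit re-encrypts on save; never use 'ansible-vault decrypt' here or cleartext secrets end up in the repo` would stop someone "fixing" the name mismatch the wrong way. `ANSIBLE_VAULT_PASSWORD_FILE` points at `./.decrypt-pass.txt`, which the .gitignore hunk excludes from commits, but nothing here checks its permissions; Ansible will happily read a world-readable vault password, so consider a one-line guard in the recipes (or a README note) that the file must be mode 600.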
@@ -0,0 +1,15 @@
+
+ This system is managed by Ansible.
+ _ _ _ _ _
+ / \ | |_ __ (_)_ __ ___ | | (_)_ __ _ ___ __
+ / _ \ | | '_ \| | '_ \ / _ \ | | | | '_ \| | | \ \/ /
+ / ___ \| | |_) | | | | | __/ | |___| | | | | |_| |> <
+ /_/ \_\_| .__/|_|_| |_|\___| |_____|_|_| |_|\__,_/_/\_\
+ |_|
+
+ OS : {{ ansible_distribution }} {{ ansible_distribution_version }}
+ Hostname : {{ ansible_hostname }}
+ IP address : {{ ansible_eth0.ipv4.address }}
+ System type : {{ ansible_system }}
+ Kernel : {{ ansible_kernel }}
+
diff --git a/files/alpine/repositories.j2 b/files/alpine/repositories.j2
new file mode 100644
index 0000000..5f44c79
--- /dev/null
+++ b/files/alpine/repositories.j2
@@ -0,0 +1,4 @@
+https://dl-cdn.alpinelinux.org/alpine/{{ alpine_version }}/main
+https://dl-cdn.alpinelinux.org/alpine/{{ alpine_version }}/community
+http://elmirror.cl/alpine/{{ alpine_version }}/main
+http://elmirror.cl/alpine/{{ alpine_version }}/community
diff --git a/hosts/inventory.ini b/hosts/inventory.ini
new file mode 100644
index 0000000..43b2f86
--- /dev/null
+++ b/hosts/inventory.ini
@@ -0,0 +1,2 @@
+[homelab]
+10.0.10.50
diff --git a/playbooks/setup/alpine.yaml b/playbooks/setup/alpine.yaml
new file mode 100644
index 0000000..d6f3d27
--- /dev/null
+++ b/playbooks/setup/alpine.yaml
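Review bot: The `IP address` line references `{{ ansible_eth0.ipv4.address }}`, which raises an undefined-variable error during templating on any host whose primary interface is not named `eth0` (Alpine VMs and containers frequently expose `ens3`, `enp0s3` or `veth*`), and since this is the first task of the play that aborts the whole run. `{{ ansible_default_ipv4.address | default('n/a') }}` reports the address of the default-route interface and degrades gracefully when no IPv4 fact exists. Note that this file is rendered into `/etc/motd`, which OpenSSH prints only after authentication, so the kernel and IP details here are not a pre-auth disclosure; a one-line comment at the top stating that (`{# shown post-login only; do not move into Banner #}`) would keep it that way.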
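Review bot: The two `elmirror.cl` entries are plain `http://` while the dl-cdn entries are `https://`; apk verifies package and index signatures against `/etc/apk/keys`, so a tampering mirror cannot inject unsigned packages, but an on-path observer still sees exactly which packages and versions the host pulls and can in principle serve an older signed index, so use `https://elmirror.cl/alpine/{{ alpine_version }}/main` (and `/community`) if the mirror supports TLS, or drop the mirror and keep the CDN alone. Separately, the playbook sets `alpine_version: latest-stable`, so this template plus the `apk upgrade -U -a` task can move the host to a new Alpine release on any run without anyone choosing to; pinning the commented-out `v3.19` keeps major upgrades deliberate — worth a comment here such as `{# alpine_version should be a pinned release, not latest-stable, in production #}`.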
@@ -0,0 +1,101 @@
+- name: Setup an alpine machine
+ hosts: homelab
+ user: root
+ vars:
+ # alpine_version: v3.19
+ alpine_version: latest-stable
+ robo:
+ authorized_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPiEGbVaaSJq/9hGaou3gd6m4Jzyj4AIgCL5wGTxVz1"
+ allowed_commands:
+ - "docker ps"
+ vars_files:
+ ../../variables/secrets.yaml
+ tasks:
+ - name: Change login message
+ template:
+ src: ../../files/alpine/motd.j2
+ dest: /etc/motd
+ owner: root
+ group: root
+ mode: 0644
+ backup: yes
+
+ - name: Update repositories
+ template:
+ src: ../../files/alpine/repositories.j2
+ dest: /etc/apk/repositories
+ owner: root
+ group: root
+ mode: 0644
+ backup: yes
+
+ - name: Update all packages
+ command: /sbin/apk upgrade -U -a
+
+ - name: Be sure python is installed
+ command: /sbin/apk add python3
+ args:
+ creates: /usr/bin/python3
+
+ - name: Disable password authentication for SSH
+ become: true
+ notify: Restart sshd
+ ansible.builtin.lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^#?PasswordAuthentication'
+ line: 'PasswordAuthentication no'
+ state: present
+
+ - name: Allow users of the weel group to use doas command
+ become: true
+ ansible.builtin.lineinfile:
+ path: /etc/doas.conf
+ regexp: '^#\s*permit persist :wheel'
+ line: 'permit persist :wheel'
+ state: present
+
+ - name: Create a user group named docker
+ ansible.builtin.group:
+ name: docker
+
+ - name: Setup users
+ ansible.builtin.user:
+ state: present
+ name: aleidk
+ password: "{{ users.aleidk.password | password_hash('sha512') }}"
+ groups:
+ - wheel
+ - docker
+
+ - name: Create a user for executing remote commands
+ ansible.builtin.user:
+ name: robo
+ system: true
+ create_home: true
+ groups: nogroup
+ state: present
+
+ - name: Add SSH public key for robo user
+ ansible.posix.authorized_key:
+ user: robo
+ state: present
+ key: "{{ robo.authorized_key }}"
+ key_options: "command=\"{{ robo.allowed_commands | join('; ') }}\""
+
+ - name: Install packages
+ ansible.builtin.package:
+ state: present
+ name:
+ - docker
+
+ - name: Start docker service
+ ansible.builtin.service:
+ name: docker
+ state: started
+ enabled: true
+
+ handlers:
+ - name: Restart sshd
+ ansible.builtin.service:
+ name: sshd
+ state: restarted
diff --git a/variables/secrets.yaml b/variables/secrets.yaml
new file mode 100644
index 0000000..bc78f77
--- /dev/null
+++ b/variables/secrets.yaml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+62343433336464323761613330643861353862393130383631306536366639323233663233623735
+3131393037626664333235623764353939613835313030330a346133636334323132623536663830
+65386432383562343738333137386564653963396537653435613566326463356131316437393537
+3239353134323261340a306234393263383331396430396666376337343161313232396566343933
+39356161346439663764663763346666653933316537306336383339626136326639343564613231
+34343730326166356433336266643532393037653363356334383630646335313162366237343234
+34353933383365636662343364303366633662316430646536323861356163383039346234663239
+62376366373864373336
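Review bot: The `robo` account is created with `groups: nogroup` and is never added to the `docker` group that the play creates a few tasks earlier, so the forced command `docker ps` installed via `key_options` will most likely fail with a permission error on the Docker socket the first time the key is used; either add `docker` to robo's `groups` (accepting that docker-group membership is effectively root) or point the forced command at a small doas-wrapped script that runs only the listed commands. The `join('; ')` also turns `allowed_commands` into one shell string that runs every entry on every login rather than an allowlist keyed on `SSH_ORIGINAL_COMMAND`, and the key carries no `restrict`, so port forwarding, agent forwarding and a pty are still granted — `key_options: "restrict,command=\"{{ robo.allowed_commands | join('; ') }}\""` closes that gap. Separately, `password_hash('sha512')` with no salt argument produces a fresh hash on every run, so the `Setup users` task reports changed each time and rewrites the shadow entry; pass a stored salt or add `update_password: on_create` to the user task. Finally, the `Disable password authentication for SSH` task leaves `PermitRootLogin` untouched while the play itself connects as `user: root`; a comment there recording that root stays reachable by key only (and `lineinfile` entries for `PermitRootLogin prohibit-password` and `PubkeyAuthentication yes`) would make the intended SSH posture explicit.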