diff --git a/flock.yml b/flock.yml index 75290ac..8bc8b70 100644 --- a/flock.yml +++ b/flock.yml @@ -1,6 +1,58 @@ --- -- name: Provision Guest - ansible.builtin.import_playbook: ./plays/provision-guest.yml +- hosts: all + vars: + resolv_nameservers: + - 9.9.9.9 + - 149.112.112.112 + chezmoi_init_url: https://git.fern.garden/fern/dots + roles: + - debian + - lifeofguenter.resolvconf + - hifis.toolkit.unattended_upgrades + - hussainweb.chezmoi -- name: Install Software - ansible.builtin.import_playbook: ./plays/install-software.yml +- hosts: vm + roles: + - vm + +- hosts: docker + vars: + docker_users: + - fern + roles: + - geerlingguy.docker + +- hosts: nfs-server + vars: + nfs_exports: [ + "/export/film 10.0.1.0/24(rw,subtree_check,insecure,no_root_squash,anonuid=100,anongid=100)", + "/export/tv 10.0.1.0/24(rw,subtree_check,insecure,no_root_squash,anonuid=100,anongid=100)", + "/export/misc 10.0.1.0/24(rw,subtree_check,insecure,no_root_squash,anonuid=100,anongid=100)" + ] + roles: + - nfs-server + - geerlingguy.nfs + +- hosts: nfs-client + roles: + - nfs-client + +- hosts: jellyfin.local + roles: + - tomhesse.jellyfin + +- hosts: weebill.local + tasks: + - name: Install Webone dependencies + ansible.builtin.apt: + deb: https://packages.microsoft.com/config/debian/12/packages-microsoft-prod.deb + - name: Install Webone + ansible.builtin.apt: + update_cache: yes + deb: https://github.com/atauenis/webone/releases/download/v0.17.4/webone.0.17.4.linux-arm64.deb + +- hosts: all + tags: + - ssh + roles: + - sshd diff --git a/inventory/hosts.yml b/inventory/hosts.yml index 8a1b239..fec9e23 100644 --- a/inventory/hosts.yml +++ b/inventory/hosts.yml 
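Review bot: The `hosts: weebill.local` play installs .deb packages through ansible.builtin.apt but no longer carries the play-level `become: true` that the deleted plays/install-software.yml had, so it fails unless the remote user is already root; the docker, nfs-server and jellyfin plays presumably have the same problem, since the deleted plays/provision-guest.yml ran geerlingguy.docker, geerlingguy.nfs and tomhesse.jellyfin with `become: true` and nothing in this file replaces it. Add `become: true` under each of those plays, e.g. `- hosts: weebill.local` followed by `  become: true`. Write `update_cache: true` rather than the YAML 1.1 truthy `yes`, and the multi-line flow list under `nfs_exports` reads more naturally as a block sequence of quoted strings.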
@@ -1,29 +1,30 @@ --- -ungrouped: +egret: hosts: - technitium.local: - immich.local: monitoring.local: - administration.local: + +spoonbill: + hosts: fern-garden.local: ferngarden-net.local: - minecraft.local: - weebill.local: - -lxc: - hosts: - jellyfin.local: - technitium.local: + ff-syncserver.local: immich.local: - monitoring.local: - administration.local: + jellyfin.local: + mailcow.local: + minecraft.local: + nfs-share.local: + technitium.local: + +weebill: + hosts: + weebill.local: vm: hosts: - #media-share.local: fern-garden.local: ferngarden-net.local: minecraft.local: + nfs-share.local: docker: hosts: @@ -40,4 +41,4 @@ nfs-client: nfs-server: hosts: - #media-share: + nfs-share.local: diff --git a/plays/files/quitcd.fish b/plays/files/quitcd.fish deleted file mode 100644 index 5dc3c71..0000000 --- a/plays/files/quitcd.fish +++ /dev/null @@ -1,36 +0,0 @@ -# Rename this file to match the name of the function -# e.g. ~/.config/fish/functions/n.fish -# or, add the lines to the 'config.fish' file. - -function n --wraps nnn --description 'support nnn quit and change directory' - # Block nesting of nnn in subshells - if test -n "$NNNLVL" -a "$NNNLVL" -ge 1 - echo "nnn is already running" - return - end - - # The behaviour is set to cd on quit (nnn checks if NNN_TMPFILE is set) - # If NNN_TMPFILE is set to a custom path, it must be exported for nnn to - # see. To cd on quit only on ^G, remove the "-x" from both lines below, - # without changing the paths. - if test -n "$XDG_CONFIG_HOME" - set -x NNN_TMPFILE "$XDG_CONFIG_HOME/nnn/.lastd" - else - set -x NNN_TMPFILE "$HOME/.config/nnn/.lastd" - end - - # Unmask ^Q (, ^V etc.) (if required, see `stty -a`) to Quit nnn - # stty start undef - # stty stop undef - # stty lwrap undef - # stty lnext undef - - # The command function allows one to alias this function to `nnn` without - # making an infinitely recursive alias - command nnn $argv - - if test -e $NNN_TMPFILE - source $NNN_TMPFILE - rm -- $NNN_TMPFILE - end -end 
diff --git a/plays/install-software.yml b/plays/install-software.yml deleted file mode 100644 index a25d2fd..0000000 --- a/plays/install-software.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -- hosts: jellyfin.local - become: true - roles: - - tomhesse.jellyfin - -- hosts: all - become: true - vars: - neovim_prefix_dir: "/usr/local" - neovim_src_dir: "{{ neovim_prefix_dir }}/src/neovim" - neovim_binary_dir: "{{ neovim_prefix_dir }}/bin" - tasks: - - name: Build neovim - import_tasks: ./tasks/software/neovim.yml - -- hosts: weebill.local - become: true - tasks: - - name: Install Webone dependencies - ansible.builtin.apt: - deb: https://packages.microsoft.com/config/debian/12/packages-microsoft-prod.deb - - name: Install Webone - ansible.builtin.apt: - update_cache: yes - deb: https://github.com/atauenis/webone/releases/download/v0.17.4/webone.0.17.4.linux-arm64.deb diff --git a/plays/provision-guest.yml b/plays/provision-guest.yml deleted file mode 100644 index 3e737d9..0000000 --- a/plays/provision-guest.yml +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -- hosts: all - become: true - vars: - treesitter: false - chezmoi_init_url: ssh://git@10.0.1.116:222/fern/dots.git - resolv_nameservers: - - 10.0.1.1 - roles: - - lifeofguenter.resolvconf - - hifis.toolkit.unattended_upgrades - - hussainweb.chezmoi - - gikeymarcia.neovim - tasks: - - import_tasks: ./tasks/provisioning/debian.yml - -- hosts: vm - become: true - tasks: - - import_tasks: ./tasks/provisioning/vm.yml - -- hosts: lxc - become: true - tasks: - - import_tasks: ./tasks/provisioning/lxc.yml - -- hosts: docker - become: true - vars: - docker_users: - - fern - roles: - - geerlingguy.docker - -- hosts: nfs-server - become: true - tasks: - - import_tasks: ./tasks/provisioning/mount-hdds.yml - -- hosts: nfs-server - become: true - vars: - nfs_exports: [ - "/export/film 10.0.1.0/24(rw,subtree_check,insecure,no_root_squash,anonuid=100,anongid=100)", - "/export/tv 10.0.1.0/24(rw,subtree_check,insecure,no_root_squash,anonuid=100,anongid=100)", - "/export/misc 10.0.1.0/24(rw,subtree_check,insecure,no_root_squash,anonuid=100,anongid=100)" - ] - roles: - - geerlingguy.nfs - -- hosts: nfs-client - become: true - tasks: - - import_tasks: ./tasks/provisioning/nfs-client.yml - -- hosts: all - become: true - vars: - sshd_config_file: /etc/ssh/sshd_config - tasks: - - import_tasks: ./tasks/provisioning/post-install.yml - handlers: - - name: restart sshd - service: - name: sshd - state: restarted diff --git a/plays/tasks/provisioning/debian.yml b/plays/tasks/provisioning/debian.yml deleted file mode 100644 index a183070..0000000 --- a/plays/tasks/provisioning/debian.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -- name: Set a hostname - ansible.builtin.hostname: - name: '{{ inventory_hostname.split(".")[0] | lower }}' - use: debian - -- name: Set the timezone - community.general.timezone: - name: Australia/Perth - -- name: Add AARNet bookworm repository - apt_repository: - repo: deb https://mirror.aarnet.edu.au/debian bookworm main contrib - state: present - -- name: Add AARNet bookworm-updates repository - apt_repository: - repo: deb https://mirror.aarnet.edu.au/debian bookworm-updates main contrib - state: present - -- name: Add AARNet bookworm-security repository - apt_repository: - repo: deb https://mirror.aarnet.edu.au/debian-security bookworm-security main contrib - state: present - -- name: Install some standard packages - apt: - pkg: - - avahi-daemon - - curl - - fish - - git - - libnss-mdns - - nnn - - rsync - - sudo - - trash-cli - - tmux - -- name: Make sure avahi-daemon is running - systemd_service: - state: started - name: avahi-daemon - -- name: Add 'fern' user - user: - name: fern - shell: /usr/bin/fish diff --git a/plays/tasks/provisioning/lxc.yml b/plays/tasks/provisioning/lxc.yml deleted file mode 100644 index 75cdbc1..0000000 --- a/plays/tasks/provisioning/lxc.yml +++ /dev/null @@ -1,11 +0,0 @@ -- name: Add SSH Key - ansible.posix.authorized_key: - user: fern - state: present - key: "{{ lookup('file', '/home/fern/.ssh/id_ed25519.pub') }}" - -- name: Set sudo rules - community.general.sudoers: - name: sudo - commands: ALL - user: fern diff --git a/plays/tasks/provisioning/post-install.yml b/plays/tasks/provisioning/post-install.yml deleted file mode 100644 index 494983b..0000000 --- a/plays/tasks/provisioning/post-install.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: Disable root login - lineinfile: - path: "{{ sshd_config_file }}" - regexp: "^PermitRootLogin" - line: "PermitRootLogin no" - backup: yes - notify: restart sshd 
diff --git a/plays/tasks/provisioning/vm.yml b/plays/tasks/provisioning/vm.yml deleted file mode 100644 index e57ed3a..0000000 --- a/plays/tasks/provisioning/vm.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: Install package - apt: - pkg: - - qemu-guest-agent - -- name: Make sure service is running - systemd_service: - state: started - name: qemu-guest-agent diff --git a/plays/tasks/software/neovim.yml b/plays/tasks/software/neovim.yml deleted file mode 100644 index e2075dd..0000000 --- a/plays/tasks/software/neovim.yml +++ /dev/null @@ -1,33 +0,0 @@ -- name: Install dependencies - apt: - pkg: - - ninja-build - - gettext - - cmake - - unzip - - curl - -- name: Clone neovim repository - ansible.builtin.git: - repo: "https://github.com/neovim/neovim" - dest: "{{ neovim_src_dir }}" - version: stable - clone: yes - update: yes - force: yes - -- name: Check if recently built - ansible.builtin.find: - paths: "{{ neovim_binary_dir }}" - patterns: nvim - age: 1d - register: days - -- name: Build neovim - when: days.matched != '0' - community.general.make: - chdir: "{{ neovim_src_dir }}" - params: - CMAKE_BUILD_TYPE: Release - CMAKE_INSTALL_PREFIX: "{{ neovim_prefix_dir }}" - target: install diff --git a/inventory/requirements.yml b/requirements.yml similarity index 86% rename from inventory/requirements.yml rename to requirements.yml index 745cdf9..333cd9e 100644 --- a/inventory/requirements.yml +++ b/requirements.yml @@ -1,7 +1,6 @@ roles: - name: lifeofguenter.resolvconf - name: hussainweb.chezmoi - - name: gikeymarcia.neovim - name: geerlingguy.docker - name: tomhesse.jellyfin - name: geerlingguy.nfs diff --git a/roles/debian/handlers/main.yml b/roles/debian/handlers/main.yml new file mode 100644 index 0000000..573554a --- /dev/null +++ b/roles/debian/handlers/main.yml @@ -0,0 +1,4 @@ +- name: Restart avahi + service: + name: avahi-daemon + state: restarted diff --git a/roles/debian/tasks/main.yml b/roles/debian/tasks/main.yml new file mode 100644 index 0000000..bf47b11 
--- /dev/null +++ b/roles/debian/tasks/main.yml @@ -0,0 +1,39 @@ +- name: Set a hostname + become: true + ansible.builtin.hostname: + name: '{{ inventory_hostname.split(".")[0] | lower }}' + use: debian + +- name: Set the timezone + become: true + community.general.timezone: + name: Australia/Perth + +- name: Install some standard packages + become: true + apt: + update_cache: yes + pkg: + - avahi-daemon + - curl + - fish + - git + - libnss-mdns + - nnn + - rsync + - sudo + - tmux + - trash-cli + +- name: Add 'fern' user + become: true + user: + name: fern + shell: /usr/bin/fish + +- name: Set sudo rules + become: true + community.general.sudoers: + name: sudo + commands: ALL + user: fern diff --git a/plays/tasks/provisioning/nfs-client.yml b/roles/nfs-client/tasks/main.yml similarity index 89% rename from plays/tasks/provisioning/nfs-client.yml rename to roles/nfs-client/tasks/main.yml index 1799330..71549bb 100644 --- a/plays/tasks/provisioning/nfs-client.yml +++ b/roles/nfs-client/tasks/main.yml @@ -1,9 +1,11 @@ - name: Install nfs-common + become: true apt: pkg: - nfs-common - name: Mount /media/tv + become: true ansible.posix.mount: src: 10.0.1.101:/export/tv path: /media/tv @@ -12,6 +14,7 @@ fstype: nfs - name: Mount /media/film + become: true ansible.posix.mount: src: 10.0.1.101:/export/film path: /media/film @@ -20,6 +23,7 @@ fstype: nfs - name: Mount /media/misc + become: true ansible.posix.mount: src: 10.0.1.101:/export/misc path: /media/misc diff --git a/plays/tasks/provisioning/mount-hdds.yml b/roles/nfs-server/tasks/main.yml similarity index 91% rename from plays/tasks/provisioning/mount-hdds.yml rename to roles/nfs-server/tasks/main.yml index 2e5f7b0..f38ecd5 100644 --- a/plays/tasks/provisioning/mount-hdds.yml +++ b/roles/nfs-server/tasks/main.yml @@ -1,4 +1,5 @@ - name: Mount /export/tv + become: true ansible.posix.mount: src: UUID=fcee0188-8ca1-4fda-81b7-f5920c79ab48 path: /export/tv 
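Review bot: The `Make sure avahi-daemon is running` task from the deleted plays/tasks/provisioning/debian.yml was not carried into this role, and the new `Restart avahi` handler in roles/debian/handlers/main.yml is never notified, so a host where avahi-daemon is installed but stopped or disabled is left that way. A task that ensures the service is started and enabled closes that gap, as sketched below. Note also that `Set sudo rules` now runs on every host through the `hosts: all` play rather than only the old lxc group, and community.general.sudoers defaults to `nopassword: true`, so each host gets passwordless `ALL` for fern — add `nopassword: false` to the task if that is not intended. Finally, `update_cache: yes` should be `update_cache: true`.

```yaml
# … unchanged: Set a hostname, Set the timezone, Install some standard packages …

- name: Make sure avahi-daemon is running
  become: true
  systemd_service:
    name: avahi-daemon
    state: started
    enabled: true

# … unchanged: Add 'fern' user, Set sudo rules …
```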
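Review bot: The NFS server address `10.0.1.101` is hard-coded in each of the three mount tasks (the task list continues outside the hunks shown), so moving the server means editing every task. A role default such as `nfs_server: 10.0.1.101` with `src: "{{ nfs_server }}:/export/tv"` keeps it in one place, and since the three tasks differ only in the share name, a single task with `loop: [tv, film, misc]` would remove the duplication altogether.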
@@ -6,6 +7,7 @@ fstype: ext4 - name: Mount /export/film + become: true ansible.posix.mount: src: UUID=5d9dd538-79e4-4168-be91-e0b040155cb3 path: /export/film @@ -13,6 +15,7 @@ fstype: ext4 - name: Mount /export/misc + become: true ansible.posix.mount: src: UUID=5a43b7dc-3e28-459e-824a-ad45b5475361 path: /export/misc diff --git a/roles/sshd/handlers/main.yml b/roles/sshd/handlers/main.yml new file mode 100644 index 0000000..3fc23d6 --- /dev/null +++ b/roles/sshd/handlers/main.yml @@ -0,0 +1,4 @@ +- name: Restart SSHD + service: + name: sshd + state: restarted diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml new file mode 100644 index 0000000..1c2f60c --- /dev/null +++ b/roles/sshd/tasks/main.yml @@ -0,0 +1,26 @@ +- name: Add SSH Key - fern@muskduck + ansible.posix.authorized_key: + user: fern + state: present + key: "{{ lookup('file', '/home/fern/.ssh/id_ed25519.pub') }}" + +- name: Add SSH Key - YubiKey + ansible.posix.authorized_key: + user: fern + state: present + key: "{{ lookup('file', '/home/fern/.ssh/id_ed25519_sk.pub') }}" + +- name: Add SSH Key - fairywren + ansible.posix.authorized_key: + user: fern + state: present + key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8W3zggrj6ml/VZWem9l21SWK3yffgw5RkdgF6fG6jo u0_a336@localhostsk-ssh-ed25519@openssh.com" + +- name: Disable root login + become: true + lineinfile: + path: /etc/ssh/sshd_config + regexp: "^PermitRootLogin" + line: "PermitRootLogin no" + backup: yes + notify: restart sshd diff --git a/roles/vm/handlers/main.yml b/roles/vm/handlers/main.yml new file mode 100644 index 0000000..b0eeaa2 --- /dev/null +++ b/roles/vm/handlers/main.yml @@ -0,0 +1,4 @@ +- name: Restart qemu-guest-agent + service: + name: qemu-guest-agent + state: restarted diff --git a/roles/vm/tasks/main.yml b/roles/vm/tasks/main.yml new file mode 100644 index 0000000..4120963 --- /dev/null +++ b/roles/vm/tasks/main.yml 
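Review bot: `notify: restart sshd` on the `Disable root login` task will not find its handler — roles/sshd/handlers/main.yml now names it `Restart SSHD`, and Ansible matches handler names exactly, so the run errors the first time the task reports changed; rename one side, e.g. `notify: Restart SSHD`. Because this task rewrites sshd_config on every host, add `validate: /usr/sbin/sshd -t -f %s` to the lineinfile so a bad edit cannot leave sshd unable to restart, and write `backup: true` instead of the YAML 1.1 `yes`. If the targets are Debian 12 (the webone play pulls a debian/12 package feed), the stock sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it reads, so a drop-in there would silently take precedence over this line. The fairywren key's comment field `u0_a336@localhostsk-ssh-ed25519@openssh.com` looks like a paste that fused the comment with a following key type; authorized_keys ignores the comment, but it is worth confirming the intended key was pasted in full.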
@@ -0,0 +1,5 @@ +- name: Install qemu-guest-agent package + become: true + apt: + pkg: + - qemu-guest-agent
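Review bot: This role only installs the qemu-guest-agent package; the `Make sure service is running` task from the deleted plays/tasks/provisioning/vm.yml was not carried over, and the new `Restart qemu-guest-agent` handler in roles/vm/handlers/main.yml is never notified, so a VM where the package is already present but the service is stopped or disabled is left unchanged. Add a task that ensures the service is started and enabled, as below.

```yaml
# … unchanged: Install qemu-guest-agent package …

- name: Make sure qemu-guest-agent is running
  become: true
  systemd_service:
    name: qemu-guest-agent
    state: started
    enabled: true
```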