Update playbooks

This commit is contained in:
Keannu Bernasol 2024-10-29 01:36:24 +08:00
parent 46250f9a99
commit 2150c17f24
14 changed files with 315 additions and 9 deletions

View file

@ -1 +1,2 @@
# Debian-specific variables go here # Debian-specific variables go here
ACME_EMAIL: noehbernasol0@gmail.com

View file

@ -1,7 +1,11 @@
[debian] [debian]
10.0.10.4 # Hyper-V Test Nodes
10.0.10.64 172.22.88.4 ansible_ssh_common_args="-o StrictHostKeyChecking=no"
10.0.10.141 172.22.85.231 ansible_ssh_common_args="-o StrictHostKeyChecking=no"
# Bare Metal Nodes
10.0.10.4 ansible_ssh_common_args="-o StrictHostKeyChecking=no"
10.0.10.141 ansible_ssh_common_args="-o StrictHostKeyChecking=no"
10.0.10.64 ansible_ssh_common_args="-o StrictHostKeyChecking=no"
[openwrt] [openwrt]
10.0.10.1 10.0.10.1

View file

@ -0,0 +1,22 @@
# VIM Default Editor
@reboot export VISUAL=vim
@reboot export EDITOR=vim
# Fix tmux bug
@reboot tmux
# Network mount
* * * * * mount.cifs "//255.255.255.0/SAMBA-MOUNT" "/mnt/backups/" -o credentials="/root/.samba/credentials"
# Start services
@reboot sleep 30 && tmux new-session -d -s "start_services" "bash /root/scripts/start_services.sh"
# Backups
0 */4 * * * tmux new-session -d -s "Borg Backups" bash /root/scripts/backup.sh
# Docker Cleanup
0 0 1 * * docker system prune --all --volumes --force
# ACME
52 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
0 */7 * * * tmux new-session -d -s "Acme SSL Updater" bash /root/scripts/acme_ssl.sh

View file

@ -0,0 +1,2 @@
username=USERNAME
password=PASSWORD

View file

@ -0,0 +1,2 @@
CF_Token=REPLACE_WITH_YOUR_TOKEN
DuckDNS_Token=REPLACE_WITH_YOUR_TOKEN

View file

@ -0,0 +1,34 @@
#!/bin/bash
# Read CF_Token and ACME_Email from .env
source ".env"
/root/.acme.sh/acme.sh --upgrade --auto-upgrade
/root/.acme.sh/acme.sh --register-account -m noehbernasol0@gmail.com
# Array of domains
domains=("*.06222001.xyz" "06222001.xyz")
legacy_domains=()
all_domains=("${domains[@]}" "${legacy_domains[@]}")
# Whether to force update or not
force_update=false
echo "===== Force update domains: " $force_update " ====="
# Loop through the domains and execute the commands for each one
for domain in "${all_domains[@]}"
do
# Issue the certificate using acme.sh
echo "====== Registering domain:" $domain " ======"
if $force_update ; then
/root/.acme.sh/acme.sh --force --issue --dns dns_cf --keylength 4096 -d "$domain" --server letsencrypt
else
/root/.acme.sh/acme.sh --issue --dns dns_cf --keylength 4096 -d "$domain" --server letsencrypt
fi
done
echo "===== Reloading firewall ====="
service nginx reload
echo "===== Done ====="

View file

@ -0,0 +1,34 @@
#!/bin/bash
# Read DuckDNS_Token and ACME_Email from .env
source ".env"
/root/.acme.sh/acme.sh --upgrade --auto-upgrade
/root/.acme.sh/acme.sh --register-account -m noehbernasol0@gmail.com
# Array of main domains
domains=("*.keannu1.duckdns.org" "keannu1.duckdns.org")
legacy_domains=()
all_domains=("${domains[@]}" "${legacy_domains[@]}")
# Whether to force update or not
force_update=false
echo "===== Force update domains: " $force_update " ====="
# Loop through the domains and execute the commands for each one
for domain in "${all_domains[@]}"
do
# Issue the certificate using acme.sh
echo "====== Registering domain:" $domain " ======"
if $force_update ; then
/root/.acme.sh/acme.sh --insecure --force --issue --dns dns_duckdns -d "$domain"
else
/root/.acme.sh/acme.sh --insecure --issue --dns dns_duckdns -d "$domain"
fi
done
echo "===== Reloading firewall ====="
service nginx reload
echo "===== Done ====="

View file

@ -0,0 +1,75 @@
#!/bin/bash
current_date=$(date "+%B %-d %Y%l:%M %p")
env BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes
env BORG_RELOCATED_REPO_ACCESS_IS_OK=yes
echo "Timestamp: $current_date"
# Check if the required mount point exists
if ! df -h | grep -q "^//255\.255\.255\.255/SAMBA-MOUNT.*\/mnt/backups$"; then
echo "Error: Required mount point //255.255.255.255/SAMBA-MOUNT not found or not mounted at /mnt/backups."
exit 1
fi
function backup() {
# $1 - Backup Name
# $2 - Directory
# $3 - Extras
if [ "$1" == "" ] || [ "$2" == "" ]; then
echo "Missing arguments!"
exit
fi
# Root backup directory
root_directory="/mnt/backups/"
echo "Starting backups for: $1"
# Check if the backup directory exists
if [ ! -d "$root_directory/$1" ]; then
echo "Backup directory does not exist for $1. Initializing one"
borg init --encryption=none "$root_directory/$1"
else
echo "Backup directory already exists for $1"
fi
borg create --stats --progress --compression lz4 "$root_directory/$1"::"$current_date" "$2" $3
echo "Cleaning old backups"
borg prune --stats "$root_directory/$1" -d 6
borg compact "$root_directory/$1"
echo "Backup for $1 finished"
}
## Docker Projects
## Root Docker Projects Directory
docker_projects="/mnt/nvme/files/docker projects/"
# Sample Entry
backup "sample" "$docker_projects/sample_project"
## Non-Docker Directories
# Bash Scripts
backup "bash-scripts" "/root/scripts"
# ACME
backup "acme" "/root/.acme.sh" '--exclude "*.tmp"'
# Crontab
backup "cron" "/var/spool/cron/crontabs"
# Nginx
backup "nginx" "/etc/nginx" '--exclude "*.tmp"'
# Syncthing
backup "syncthing" "/root/.config/syncthing" '--exclude "*.tmp"'
# Samba
backup "samba" "/etc/samba"
# Samba Credentials
backup "samba_credentials" "/root/.samba"

View file

@ -0,0 +1,9 @@
#!/bin/bash
scripts_directory="/root/scripts/acme_scripts"
# Execute all .sh files in the directory
for script in "$scripts_directory"/*.sh; do
echo "--Executing $script--"
bash "$script"
done

View file

@ -0,0 +1,16 @@
#!/bin/bash
## Docker Projects
# Root Docker Projects Directory
docker_projects="/mnt/nvme/files/docker projects"
# Sample Entry
cd "$docker_projects/sample_project" && docker-compose down && docker-compose up -d
## Non-Docker Projects
# Syncthing
systemctl start syncthing@root.service

View file

@ -0,0 +1,41 @@
## Usage
### Setup
1. Run `setup.yml` using a non-sudo user, providing regular and sudo credentials.
```bash
ansible-playbook roles/tasks/debian/setup.yml -u keannu125 -k --ask-become-pass
```
This will elevate to `root` user via `sudo` and set up root SSH access through the provided `id_rsa.pub` file in the control node's own `.ssh` directory
2. Set up the necessary template scripts provided at `/root/scripts`
- Rename `.env.sample` to `.env.` (via `mv .env.sample .env`)
- Provide your ACME SSL access tokens in the `.env` for `renew_ssl.sh` to parse
- Provide project directories to spin up on boot through `start_services.sh`
- Provide the same project directories to back up via Borg in `backup.sh`
3. Update the Samba credentials file located at `/root/.samba`
```
# credentials
user=USERNAME
password=PASSWORD
```
4. Update the CIFS/Samba mount for backups located in `crontab` (via `crontab -e`)
```
# crontab entry
* * * * * mount.cifs "//255.255.255.0/SAMBA-MOUNT" "/mnt/backups" -o credentials="/root/.samba/credentials"
```
If you'd need to run the `setup.yml` playbook again for any reason. You can omit specifying user or sudo credentials and simply run
```bash
ansible-playbook roles/tasks/debian/setup.yml
```
Any existing or additional scripts that have already been modified will not be overwritten (See `force: false` directives in [`setup.yml`](./setup.yml))

View file

@ -1,8 +1,8 @@
--- ---
- hosts: - hosts:
- debian - debian
# Runs on root user already become: true
become: false vars_files: "{{ playbook_dir | dirname | dirname | dirname }}/inventory/group_vars/debian.yml"
tasks: tasks:
- name: Add SSH key to authorized_hosts - Debian - name: Add SSH key to authorized_hosts - Debian
authorized_key: authorized_key:
@ -10,11 +10,27 @@
state: present state: present
key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}" key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
path: /root/.ssh/authorized_keys path: /root/.ssh/authorized_keys
- name: Enable Root Login
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "^PermitRootLogin"
line: "PermitRootLogin yes"
state: present
notify: Restart SSHD on Config Change
- name: Update all packages - name: Update all packages
apt: apt:
update_cache: true update_cache: true
autoremove: true autoremove: true
state: latest state: latest
- name: Install Docker
apt:
name:
- docker
update_cache: false
autoremove: true
state: latest
# Safety net if this script is ran twice
notify: Restart Docker Containers
- name: Install packages - Debian - name: Install packages - Debian
apt: apt:
name: name:
@ -23,7 +39,6 @@
- htop - htop
- tmux - tmux
- samba - samba
- docker
- docker-compose - docker-compose
- neofetch - neofetch
- cifs-utils - cifs-utils
@ -32,9 +47,47 @@
- syncthing - syncthing
- socat - socat
- fish - fish
- iperf3
# Cache is already updated from previous step # Cache is already updated from previous step
update_cache: false update_cache: false
autoremove: true autoremove: true
state: latest state: latest
- name: Install ACME - name: Install ACME
command: curl https://get.acme.sh | sh -s email=noehbernasol0@gmail.com shell: curl https://get.acme.sh | sh -s email="{{ ACME_EMAIL }}"
- name: Enable Syncthing Service
command: systemctl enable syncthing@root.service
- name: Allow Syncthing Remote Management
replace:
path: /root/.config/syncthing/config.xml
regexp: "<address>127.0.0.1:8384</address>"
replace: "<address>0.0.0.0:8384</address>"
notify: Restart Syncthing Service
- name: Copy Template Scripts
copy:
src: "{{ playbook_dir | dirname | dirname }}/files/debian/setup/scripts/"
dest: /root/scripts/
mode: "0644"
force: false
- name: Copy Crontab Template
copy:
src: "{{ playbook_dir | dirname | dirname }}/files/debian/setup/crontabs/"
dest: /var/spool/cron/crontabs/
mode: "0600"
force: false
- name: Copy Samba Credentials Template
copy:
src: "{{ playbook_dir | dirname | dirname }}/files/debian/setup/samba/"
dest: /root/.samba/
mode: "0644"
force: false
handlers:
# Restart Syncthing on Config Change
- name: Restart Syncthing Service
command: systemctl restart syncthing@root.service
# Restart SSHD on Config Change
- name: Restart SSHD on Config Change
command: systemctl restart sshd
# Restart Docker Containers on Docker Update
- name: Restart Docker Containers
command: bash /root/scripts/start_services.sh

View file

@ -4,5 +4,5 @@
# Runs on root user already # Runs on root user already
become: false become: false
tasks: tasks:
- name: Restart all services - name: Start all services
command: bash /root/scripts/start_services.sh command: bash /root/scripts/start_services.sh

View file

@ -4,10 +4,23 @@
# Runs on root user already # Runs on root user already
become: false become: false
tasks: tasks:
- name: Update Docker
apt:
name:
- docker
update_cache: true
autoremove: true
state: latest
notify: Restart Docker Containers
- name: Update all packages - name: Update all packages
apt: apt:
update_cache: true update_cache: false
autoremove: true autoremove: true
state: latest state: latest
- name: Update ACME - name: Update ACME
command: /root/.acme.sh/acme.sh --upgrade --auto-upgrade command: /root/.acme.sh/acme.sh --upgrade --auto-upgrade
handlers:
# Restart Docker Containers on Docker Update
- name: Restart Docker Containers
command: bash /root/scripts/start_services.sh