Update scripts

inventory/group_vars/debian.yml

@@ -1 +1,2 @@
 # Debian-specific variables go here
+ACME_EMAIL: noehbernasol0@gmail.com

inventory/hosts

@@ -1,9 +1,12 @@
 [debian]
-10.0.10.4
+# Hyper-V Test Nodes
-10.0.10.64
+172.22.90.75 ansible_ssh_common_args="-o StrictHostKeyChecking=no"
-10.0.10.141
+# Bare Metal Nodes
+# 10.0.10.4 ansible_ssh_common_args="-o StrictHostKeyChecking=no"
+# 10.0.10.141 ansible_ssh_common_args="-o StrictHostKeyChecking=no"
+# 10.0.10.64 ansible_ssh_common_args="-o StrictHostKeyChecking=no"
 
 [openwrt]
 10.0.10.1
-10.0.10.2
+# 10.0.10.2
-10.0.10.3
+# 10.0.10.3

roles/files/debian/setup/crontabs/root

@@ -0,0 +1,22 @@
+# VIM Default Editor
+@reboot export VISUAL=vim
+@reboot export EDITOR=vim
+
+# Fix tmux bug
+@reboot tmux
+
+# Network mount
+* * * * * mount.cifs "//255.255.255.0/SAMBA-MOUNT" "/mnt/backups/" -o credentials="/root/.samba/credentials"
+
+# Start services
+@reboot sleep 30 && tmux new-session -d -s "start_services" "bash /root/scripts/start_services.sh"
+
+# Backups
+0 */4 * * * tmux new-session -d -s "Borg Backups" bash /root/scripts/backup.sh
+
+# Docker Cleanup
+0 0 1 * *  docker system prune --all --volumes --force
+
+# ACME
+52 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
+0 */7 * * * tmux new-session -d -s "Acme SSL Updater" bash /root/scripts/acme_ssl.sh

roles/files/debian/setup/samba/credentials

@@ -0,0 +1,2 @@
+username=USERNAME
+password=PASSWORD

roles/files/debian/setup/scripts/.env.sample

@@ -0,0 +1,2 @@
+CF_Token=REPLACE_WITH_YOUR_TOKEN
+DuckDNS_Token=REPLACE_WITH_YOUR_TOKEN

roles/files/debian/setup/scripts/acme_scripts/cloudflare.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Read CF_Token and ACME_Email from .env
+source ".env"
+
+/root/.acme.sh/acme.sh --upgrade --auto-upgrade
+
+# Array of domains
+domains=("*.06222001.xyz" "06222001.xyz")
+legacy_domains=()
+all_domains=("${domains[@]}" "${legacy_domains[@]}")
+
+# Whether to force update or not
+force_update=false
+echo "===== Force update domains: " $force_update " ====="
+
+# Loop through the domains and execute the commands for each one
+for domain in "${all_domains[@]}"
+do
+
+    # Issue the certificate using acme.sh
+	echo "====== Registering domain:" $domain " ======"
+	if $force_update ; then
+		/root/.acme.sh/acme.sh --force --issue --dns dns_cf --keylength 4096 -d "$domain" --server letsencrypt
+	else
+		/root/.acme.sh/acme.sh --issue --dns dns_cf --keylength 4096 -d "$domain" --server letsencrypt
+	fi
+
+done
+
+echo "===== Reloading firewall ====="
+service nginx reload 
+echo "===== Done ====="

roles/files/debian/setup/scripts/acme_scripts/duckdns.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Read DuckDNS_Token and ACME_Email from .env
+source ".env"
+
+/root/.acme.sh/acme.sh --upgrade --auto-upgrade
+
+# Array of main domains
+domains=("*.keannu1.duckdns.org" "keannu1.duckdns.org")
+legacy_domains=()
+all_domains=("${domains[@]}" "${legacy_domains[@]}")
+
+# Whether to force update or not
+force_update=false
+echo "===== Force update domains: " $force_update " ====="
+
+# Loop through the domains and execute the commands for each one
+for domain in "${all_domains[@]}"
+do
+
+    # Issue the certificate using acme.sh
+	echo "====== Registering domain:" $domain " ======"
+	if $force_update ; then
+		/root/.acme.sh/acme.sh --insecure --force --issue --dns dns_duckdns -d "$domain"
+	else
+		/root/.acme.sh/acme.sh --insecure --issue --dns dns_duckdns -d "$domain"
+	fi
+
+done
+
+echo "===== Reloading firewall ====="
+service nginx reload 
+echo "===== Done ====="

roles/files/debian/setup/scripts/backup.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+
+current_date=$(date "+%B %-d %Y%l:%M %p")
+
+env BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes
+env BORG_RELOCATED_REPO_ACCESS_IS_OK=yes
+
+echo "Timestamp: $current_date"
+
+# Check if the required mount point exists
+if ! df -h | grep -q "^//255\.255\.255\.255/SAMBA-MOUNT.*\/mnt/backups$"; then
+    echo "Error: Required mount point //255.255.255.255/SAMBA-MOUNT not found or not mounted at /mnt/backups."
+    exit 1
+fi
+
+function backup() {
+	# $1 - Backup Name
+	# $2 - Directory
+	# $3 - Extras
+	
+	if [ "$1" == "" ] || [ "$2" == "" ]; then
+		echo "Missing arguments!"
+		exit
+	fi
+	
+	# Root backup directory
+	root_directory="/mnt/backups/"
+
+	echo "Starting backups for: $1"
+	
+	# Check if the backup directory exists
+	if [ ! -d "$root_directory/$1" ]; then
+		echo "Backup directory does not exist for $1. Initializing one"
+		borg init --encryption=none "$root_directory/$1"
+	else
+		echo "Backup directory already exists for $1"
+	fi
+	
+	borg create --stats --progress --compression lz4 "$root_directory/$1"::"$current_date" "$2" $3
+	echo "Cleaning old backups"
+	borg prune --stats "$root_directory/$1" -d 6
+	borg compact "$root_directory/$1"
+	echo "Backup for $1 finished"
+}
+
+## Docker Projects
+
+## Root Docker Projects Directory
+docker_projects="/mnt/nvme/files/docker projects/"
+
+# Sample Entry
+backup "sample" "$docker_projects/sample_project" '--exclude "*.tmp" 
+
+## Non-Docker Directories
+
+# Bash Scripts
+backup "bash-scripts" "/root/scripts"
+
+# ACME
+backup "acme" "/root/.acme.sh" '--exclude "*.tmp"'
+
+# Crontab
+backup "cron" "/var/spool/cron/crontabs"
+
+# Nginx
+backup "nginx" "/etc/nginx" '--exclude "*.tmp"'
+
+# Syncthing
+backup "syncthing" "/root/.config/syncthing" '--exclude "*.tmp"'
+
+# Samba
+backup "samba" "/etc/samba"
+
+# Samba Credentials
+backup "samba_credentials" "/root/.samba"

roles/files/debian/setup/scripts/renew_ssl.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+scripts_directory="/root/scripts/acme_scripts"
+
+# Execute all .sh files in the directory
+for script in "$scripts_directory"/*.sh; do
+   echo "--Executing $script--"
+   bash "$script"
+done

roles/files/debian/setup/scripts/start_services.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+## Docker Projects
+
+# Root Docker Projects Directory
+docker_projects="/mnt/nvme/files/docker projects"
+
+# Sample Entry
+cd "$docker_projects/sample_project" && docker-compose down && docker-compose up -d
+
+## Non-Docker Projects
+
+# Syncthing
+systemctl start syncthing@root.service
+
+

roles/tasks/debian/README.md

@@ -0,0 +1,46 @@
+## Usage
+
+### Setup
+
+1. Run `setup.yml` using a non-sudo user, providing regular and sudo credentials.
+
+```bash
+ansible-playbook roles/tasks/debian/setup.yml -u keannu125 -k --ask-become-pass
+```
+
+This will elevate to `root` user via `sudo` and set up root SSH access through the provided `id_rsa.pub` file in the control node's own `.ssh` directory.
+
+2. Set up the necessary template scripts provided at `/root/scripts`.
+
+3. Rename `.env.sample` to `.env.` (via `mv .env.sample .env`).
+
+4. Provide your ACME SSL access tokens in the `.env` for `renew_ssl.sh` to parse.
+
+5. Also provide your `ACME_EMAIL` in `debian.yml` under `group_vars` for the playbook to parse.
+
+6. Provide project directories to spin up on boot through `start_services.sh`.
+
+7. Provide the same project directories to back up via Borg in `backup.sh` including any file/folder exemptions.
+
+8. Update the Samba credentials file located at `/root/.samba/credentials`.
+
+```
+# credentials
+user=USERNAME
+password=PASSWORD
+```
+
+4. Update the CIFS/Samba mount for backups located in `crontab` (via `crontab -e`).
+
+```
+# crontab entry
+* * * * * mount.cifs "//255.255.255.0/SAMBA-MOUNT" "/mnt/backups" -o credentials="/root/.samba/credentials"
+```
+
+If you'd need to run the `setup.yml` playbook again for any reason. You can omit specifying user or sudo credentials and simply run.
+
+```bash
+ansible-playbook roles/tasks/debian/setup.yml
+```
+
+Any existing or additional scripts that have already been modified will not be overwritten (See `force: false` directives in [`setup.yml`](./setup.yml)).

roles/tasks/debian/restart_services.yml

@@ -1,8 +0,0 @@
----
-- hosts:
-    - debian
-  # Runs on root user already
-  become: false
-  tasks:
-    - name: Restart all services
-      command: bash /root/scripts/start_services.sh

roles/tasks/debian/setup.yml

@@ -1,8 +1,8 @@
 ---
 - hosts:
     - debian
-  # Runs on root user already
+  become: true
-  become: false
+  vars_files: "{{ playbook_dir | dirname | dirname | dirname }}/inventory/group_vars/debian.yml"
   tasks:
     - name: Add SSH key to authorized_hosts - Debian
       authorized_key:
@@ -10,11 +10,27 @@
         state: present
         key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
         path: /root/.ssh/authorized_keys
+    - name: Enable Root Login
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        regexp: "^PermitRootLogin"
+        line: "PermitRootLogin yes"
+        state: present
+      notify: Restart SSHD on Config Change
     - name: Update all packages
       apt:
         update_cache: true
         autoremove: true
         state: latest
+    - name: Install Docker
+      apt:
+        name:
+          - docker
+        update_cache: false
+        autoremove: true
+        state: latest
+      # Safety net if this script is ran twice
+      notify: Restart Docker Containers
     - name: Install packages - Debian
       apt:
         name:
@@ -23,7 +39,6 @@
           - htop
           - tmux
           - samba
-          - docker
           - docker-compose
           - neofetch
           - cifs-utils
@@ -32,9 +47,49 @@
           - syncthing
           - socat
           - fish
+          - iperf3
         # Cache is already updated from previous step
         update_cache: false
         autoremove: true
         state: latest
     - name: Install ACME
-      command: curl https://get.acme.sh | sh -s email=noehbernasol0@gmail.com
+      shell: curl https://get.acme.sh | sh -s email="{{ ACME_EMAIL }}"
+    - name: Enable Syncthing Service
+      command: systemctl enable syncthing@root.service
+    - name: Start Syncthing Service
+      command: systemctl start syncthing@root.service
+    - name: Allow Syncthing Remote Management
+      replace:
+        path: /root/.config/syncthing/config.xml
+        regexp: "<address>127.0.0.1:8384</address>"
+        replace: "<address>0.0.0.0:8384</address>"
+      notify: Restart Syncthing Service
+    - name: Copy Template Scripts
+      copy:
+        src: "{{ playbook_dir | dirname | dirname }}/files/debian/setup/scripts/"
+        dest: /root/scripts/
+        mode: "0644"
+        force: false
+    - name: Copy Crontab Template
+      copy:
+        src: "{{ playbook_dir | dirname | dirname }}/files/debian/setup/crontabs/"
+        dest: /var/spool/cron/crontabs/
+        mode: "0600"
+        force: false
+    - name: Copy Samba Credentials Template
+      copy:
+        src: "{{ playbook_dir | dirname | dirname }}/files/debian/setup/samba/"
+        dest: /root/.samba/
+        mode: "0644"
+        force: false
+
+  handlers:
+    # Restart Syncthing on Config Change
+    - name: Restart Syncthing Service
+      command: systemctl restart syncthing@root.service
+    # Restart SSHD on Config Change
+    - name: Restart SSHD on Config Change
+      command: systemctl restart sshd
+    # Restart Docker Containers on Docker Update
+    - name: Restart Docker Containers
+      command: tmux new-session -d -s "start_services" "bash /root/scripts/start_services.sh"

roles/tasks/debian/start_services.yml

@@ -0,0 +1,8 @@
+---
+- hosts:
+    - debian
+  # Runs on root user already
+  become: false
+  tasks:
+    - name: Start All Services
+      command: tmux new-session -d -s "start_services" "bash /root/scripts/start_services.sh"

roles/tasks/debian/update.yml

@@ -4,10 +4,23 @@
   # Runs on root user already
   become: false
   tasks:
+    - name: Update Docker
+      apt:
+        name:
+          - docker
+        update_cache: true
+        autoremove: true
+        state: latest
+      notify: Restart Docker Containers
     - name: Update all packages
       apt:
-        update_cache: true
+        update_cache: false
         autoremove: true
         state: latest
     - name: Update ACME
       command: /root/.acme.sh/acme.sh --upgrade --auto-upgrade
+
+  handlers:
+    # Restart Docker Containers on Docker Update
+    - name: Restart Docker Containers
+      command: tmux new-session -d -s "start_services" "bash /root/scripts/start_services.sh"