0Ry5/netz39-infra-ansible
1
0
Fork 0
forked from Netz39_Admin/netz39-infra-ansible
Code Pull requests Activity
Ansible configuration for the Netz39 infrastructure
1269 commits 1 branch 0 tags 3.2 MiB
Jinja 93.7%
Shell 4.9%
Lua 1.4%
Find a file
Alexander Dahl 605eca4c38 🚚 roles: dehydrated_cron: Use namespaced name 
Removes the redundant words "ansible" and "role" from the role name
originating from the Git repo name, and uses the author's name as
namespace instead.  This makes it easier to recognize as external role.

Note: the host-wittgenstein recipe already used that new name, but we
did not set it up in requirements, yet.  (How did that ever work?)

Link: https://docs.ansible.com/ansible/latest/galaxy/user_guide.html#installing-multiple-roles-from-a-file
Fixes: f4db6fa395 ("Add Ansible setup for wittgenstein")
2024-12-28 12:16:21 +01:00
files Add sudo configuration for Asterisk I2C access 2024-11-04 10:13:40 +01:00
group_vars chore: remove inactive admin kwasir 2024-11-02 23:59:56 +01:00
host_vars chore(deps): update louislam/uptime-kuma docker tag to v1.23.16 2024-12-20 17:18:45 +00:00
roles feat: add role to manage dyndns entry on desec.io 2024-11-02 22:31:28 +01:00
templates Change forwarding for SpaceAPI according to the new service 2024-11-02 23:01:13 +01:00
.editorconfig Add EditorConfig configuration file 2022-01-08 13:25:36 +01:00
.gitignore git: add ansible vault pass to gitignore 2023-07-25 23:26:23 +02:00
.mailmap 📝 mailmap: Expand alias to real name 2022-12-31 10:43:16 +01:00
.yamllint 🚨 yamllint: Ignore line-length warnings 2022-11-18 08:58:19 +01:00
ansible.cfg feat: add nicer rendering to ansible config 2022-10-24 16:33:16 +00:00
configure-grafana.yml update requirements.yml to correctly install collection 2022-11-12 15:31:51 +01:00
group-all.yml 🚚 roles: timezone: Override with galaxy name 2024-12-28 12:00:40 +01:00
group-docker_host.yml 🐳 Add telegraf container for Docker metrics in influxdb 2023-01-10 06:26:14 +01:00
group-k3s.yml install nfs-common on all k3s nodes 2023-11-04 17:16:02 +01:00
group-proxmox.yml 🚚 Rename group playbooks to group-* 2022-11-04 22:35:41 +01:00
host-beaker.yml chore: remove inactive admin kwasir 2024-11-02 23:59:56 +01:00
host-hobbes.yml Setup a Kiosk on hobbes to show Grafana screenshots 2024-01-06 17:48:53 +01:00
host-holmium.yml 🧱: change git url to git.n39.eu 2023-09-01 19:06:28 +02:00
host-krypton.yml 🚚 roles: dehydrated_cron: Use namespaced name 2024-12-28 12:16:21 +01:00
host-oganesson.yml 🚚 Rename host playbooks to host-* 2022-11-04 22:34:37 +01:00
host-platon.yml Install sudo config for Asterisk I2C 2024-11-04 10:13:40 +01:00
host-plumbum.yml fix: add no_root_squash option to nfs exports 2024-01-13 12:22:25 +01:00
host-pottwal.yml 🚚 roles: dehydrated_cron: Use namespaced name 2024-12-28 12:16:21 +01:00
host-radon.yml 🚚 roles: dehydrated_cron: Use namespaced name 2024-12-28 12:16:21 +01:00
host-tau.yml 🚚 roles: dehydrated_cron: Use namespaced name 2024-12-28 12:16:21 +01:00
host-unicorn.yml chore(deps): update jacobalberty/unifi docker tag to v8.6.9 2024-11-11 20:03:23 +01:00
host-wittgenstein.yml 🚚 roles: dehydrated: Use namespaced role name 2024-12-28 12:07:20 +01:00
inventory.yml Add wittgenstein to inventory 2024-11-02 23:01:13 +01:00
main.yml Add wittgenstein to main playbook 2024-11-02 23:01:13 +01:00
README.md 🧱: change git url to git.n39.eu 2023-09-01 19:06:28 +02:00
renovate.json fix: add missing entry to renovate configuration 2024-01-15 10:25:14 +01:00
requirements.yml 🚚 roles: dehydrated_cron: Use namespaced name 2024-12-28 12:16:21 +01:00
setup-ssh.yml 🚨 Fix new-line-at-end-of-file warnings 2022-11-18 08:50:33 +01:00

README.md

Ansible configuration for the Netz39 infrastructure

This call lists all hosts defined in the inventory:

ansible all --list-hosts

Setup

ansible-galaxy install -r requirements.yml

Setup SSH Access to hosts

LOGUSER=<loguser>
SSH_KEY=<absolute/path/to/ssh/private/key>
ansible-playbook setup-ssh.yml --ask-vault-pass -e "setup_ssh_logname=$LOGUSER" -e "setup_ssh_key=$SSH_KEY"

Edit vault encrypted vars files

ansible-vault edit group_vars/all/vault

Call with

ansible-playbook --ask-vault-pass main.yml

You need to provide a user with sudo rights and the vault password.

Verify Changes

ansible-lint main.yml
ansible-playbook --ask-vault-pass main.yml --check --diff

HTTPS ingress configuration

HTTPS ingress is controlled by the server holmium and forwarded to the configured servers.

To set up a new HTTPS vhost, the following steps need to be taken:

  1. Select a domain (for internal services we use sub-domains of .n39.eu).
  2. Create an external CNAME from this domain to dyndns.n39.eu.
  3. Create an internal DNS entry in the Descartes DNS config. This is usually an alias on an existing server.
  4. Add the entry to the holmium playbook.
  5. Set up Dehydrated and vhost on the target host, e.g. using setup_http_site_proxy.

Do not forget to execute all playbooks with relevant changes.