Homelab/Ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Homelab:main
Branches Tags
Homelab:main Homelab:test
..
compare: Homelab:5691924266eda02e4948b3f4b0d305ff4c619a7f
Branches Tags
Homelab:main Homelab:test

5 Commits
main ... 5691924266

Author SHA1 Message Date
Maksym Buz
5691924266 Merge branch 'main' into test 2025-08-26 20:06:24 +02:00
Maksym Buz
efe7308200 ADD: gitignore 2025-08-26 20:00:25 +02:00
Maksym Buz
78b85c892e ADD: Bash script to run apt upgrade playbook 2025-08-26 16:39:56 +00:00
Maksym Buz
950568ef3b FEATURE: Added new automate host for test purposes 2025-08-26 18:19:52 +02:00
Maksym Buz
d8dbfbd328 FEATURE: Added new yml for testing. It should clon the repo after LXC will be prepared 2025-08-26 18:02:55 +02:00
2 changed files with 24 additions and 43 deletions
Expand all files Collapse all files

9
inventory/hosts.ini
View File

@@ -19,11 +19,13 @@ truenas ansible_host=10.0.0.200
[lxc] [lxc]
gitea ansible_host=10.0.0.108 gitea ansible_host=10.0.0.108
zabbix-proxy ansible_host=10.0.0.110 zabbix-proxy ansible_host=10.0.0.110
pi-hole ansible_host=10.0.0.104
ansible ansible_host=10.0.0.111 ansible ansible_host=10.0.0.111
automate ansible_host=10.0.0.112 automate ansible_host=10.0.0.112
#localhost ansible_connection=local # for testing playbooks on the control node #localhost ansible_connection=local # for testing playbooks on the control node
[pbs] [pbs]
proxmox-backup ansible_host=10.0.0.201 proxmox-backup ansible_host=10.0.0.201
@@ -31,7 +33,4 @@ proxmox-backup ansible_host=10.0.0.201
[ubuntu:children] [ubuntu:children]
docker docker
ubuntu_servers ubuntu_servers
lxc lxc
[new]
pi-hole ansible_host=10.0.0.104 ansible_user=root

58
playbooks/lxc_setup_ubuntu.yml
View File

@@ -1,41 +1,43 @@
--- ---
- name: 1. Secure and Configure a New LXC Container - name: Secure and Configure a New LXC Container
hosts: 'new' # Target hosts in the [new] group hosts: 'lxc' # Hosts or group defined in your inventory
remote_user: root # Connect as root, as defined in the inventory for this group remote_user: root
gather_facts: no
vars:
target_user: mbuz
my_public_keys:
- "{{ lookup('file', '/home/mbuz/.ssh/id_ed25519.pub') }}"
tasks: tasks:
- name: Create user '{{ target_user }}' - name: 1. Create user '{{ target_user }}'
ansible.builtin.user: ansible.builtin.user:
name: '{{ target_user }}' name: '{{ target_user }}'
shell: /bin/bash shell: /bin/bash
groups: sudo groups: sudo # Add to sudo (for Debian/Ubuntu)
state: present state: present
- name: Allow '{{ target_user }}' to use sudo without a password - name: 1.1. Allow '{{ target_user }}' to use sudo without a password
ansible.builtin.copy: ansible.builtin.copy:
dest: /etc/sudoers.d/90-{{ target_user }}-nopasswd dest: /etc/sudoers.d/90-{{ target_user }}-nopasswd
content: '{{ target_user }} ALL=(ALL) NOPASSWD: ALL' content: '{{ target_user }} ALL=(ALL) NOPASSWD: ALL'
mode: '0440' mode: '0440'
validate: /usr/sbin/visudo -cf %s validate: /usr/sbin/visudo -cf %s
- name: Set up authorized_keys for '{{ target_user }}' - name: 2. Set up authorized_keys for '{{ target_user }}'
ansible.posix.authorized_key: ansible.posix.authorized_key:
user: '{{ target_user }}' user: '{{ target_user }}'
key: "{{ item }}" key: "{{ item }}"
state: present state: present
path: /home/{{ target_user }}/.ssh/authorized_keys path: /home/{{ target_user }}/.ssh/authorized_keys
loop: "{{ my_public_keys }}" loop: "{{ my_public_keys }}"
# ansible.posix.authorized_key will create an .ssh directory with the correct permissions.
- name: Lock password for '{{ target_user }}' - name: 3. Lock password for '{{ target_user }}'
ansible.builtin.user: ansible.builtin.user:
name: '{{ target_user }}' name: '{{ target_user }}'
password_lock: yes password_lock: yes
- name: Disallow root login over SSH - name: 4.0. Install software-properties-common
ansible.builtin.apt:
name: software-properties-common
state: present
update_cache: yes
- name: 4.1. Disallow root login over SSH
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: '^#?PermitRootLogin' regexp: '^#?PermitRootLogin'
@@ -43,7 +45,7 @@
validate: /usr/sbin/sshd -t -f %s validate: /usr/sbin/sshd -t -f %s
notify: restart sshd notify: restart sshd
- name: Disallow password authentication - name: 4.2. Disallow password authentication
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: '^#?PasswordAuthentication' regexp: '^#?PasswordAuthentication'
@@ -52,30 +54,10 @@
notify: restart sshd notify: restart sshd
handlers: handlers:
- name: Restart sshd server # This block will only run if at least one task sends a notification.
# This prevents unnecessary service restarts.
- name: 5. Restart sshd server
listen: "restart sshd" listen: "restart sshd"
ansible.builtin.service: ansible.builtin.service:
name: sshd name: sshd
state: restarted state: restarted
# --- Move host from NEW to LXC group ---
- name: 2. Graduate Host from [new] to [lxc] in Inventory
hosts: localhost
connection: local
gather_facts: no
tasks:
- name: Remove host from the [new] group
ansible.builtin.lineinfile:
path: /opt/ansible/inventory/hosts.ini
regexp: "^{{ item }}\\s" # Match the start of the line with the hostname
state: absent
loop: "{{ groups['new'] }}" # Loop over all hosts in the 'new' group
- name: Add host to the [lxc] group
ansible.builtin.blockinfile:
path: /opt/ansible/inventory/hosts.ini
block: |
{{ item }} ansible_host={{ hostvars[item]['ansible_host'] }}
insertafter: "[lxc]"
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR LXC"
loop: "{{ groups['new'] }}" # Loop over all hosts in the 'new' group