diff --git a/ansible/inventory/host_vars/kodi00.balsillie.house/certbot.yaml b/ansible/inventory/host_vars/kodi00.balsillie.house/certbot.yaml
new file mode 100644
index 0000000..9c282a3
--- /dev/null
+++ b/ansible/inventory/host_vars/kodi00.balsillie.house/certbot.yaml
@@ -0,0 +1,11 @@
+certbot_rfc2136_server: '10.208.240.1'
+certbot_rfc2136_key_name: 'rndc-house'
+certbot_rfc2136_key_algorithm: 'hmac-sha256'
+
+certbot_webserver_type: 'nginx' # 'nginx' or 'apache'
+certbot_dns_plugin: 'rfc2136'
+certbot_email: "certbot.kodi00@balsillie.email"
+certbot_acme_server: "https://acme-v02.api.letsencrypt.org/directory"
+
+certbot_domains:
+ - kodi.balsillie.house
\ No newline at end of file
diff --git a/ansible/inventory/host_vars/kodi00.balsillie.house/nginx.yaml b/ansible/inventory/host_vars/kodi00.balsillie.house/nginx.yaml
new file mode 100644
index 0000000..f70e2c7
--- /dev/null
+++ b/ansible/inventory/host_vars/kodi00.balsillie.house/nginx.yaml
@@ -0,0 +1,13 @@
+nginx_sites:
+ - name: tv.balsillie.house
+ upstream: 127.0.0.1:8080
+ - name: movies.balsillie.house
+ upstream: 127.0.0.1:8081
+ - name: index.balsillie.house
+ upstream: 127.0.0.1:8082
+ - name: torrent.balsillie.house
+ upstream: 127.0.0.1:9090
+ - name: jellyfin.balsillie.house
+ upstream: 127.0.0.1:8096
+ - name: kodi.balsillie.house
+ upstream: 127.0.0.1:8082
\ No newline at end of file
diff --git a/ansible/inventory/host_vars/kodi00.balsillie.house/sshd.yaml b/ansible/inventory/host_vars/kodi00.balsillie.house/sshd.yaml
new file mode 100644
index 0000000..1e30b88
--- /dev/null
+++ b/ansible/inventory/host_vars/kodi00.balsillie.house/sshd.yaml
@@ -0,0 +1,4 @@
+sshd:
+ auth:
+ password: 'no'
+ pubkey: 'yes'
\ No newline at end of file
diff --git a/ansible/inventory/host_vars/kodi00.balsillie.house/ufw.yaml b/ansible/inventory/host_vars/kodi00.balsillie.house/ufw.yaml
new file mode 100644
index 0000000..9acd1b6
--- /dev/null
+++ b/ansible/inventory/host_vars/kodi00.balsillie.house/ufw.yaml
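Review bot: `certbot_rfc2136_key_secret`, which the new `rfc2136.conf.j2` renders into `/etc/letsencrypt/rfc2136.conf`, is not defined in this host_vars file, so the template task fails on an undefined variable unless the secret is supplied elsewhere (an encrypted vars file, presumably). A one-line comment pointing to where it lives would make that dependency visible, e.g. `# certbot_rfc2136_key_secret is set in the vaulted host_vars, not here`. The `# 'nginx' or 'apache'` comment on `certbot_webserver_type` overstates what the role supports: the role only installs `certbot-nginx` and hard-codes `--nginx`, so the comment should say nginx is the only value implemented. Each of the new host_vars files in this commit also lacks a trailing newline.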
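Review bot: `nginx_sites` is not consumed by anything in this commit — the new `roles/nginx/tasks/main.yaml` only installs the package — so these six vhost definitions have no effect until a server-block template reads them; if such a template exists outside the diff the role should reference it, otherwise this is dead configuration. Only `kodi.balsillie.house` appears in `certbot_domains`, so the other five names listed here would be served without a certificate once the vhosts are rendered; either add them to `certbot_domains` or note why they are excluded. `index.balsillie.house` and `kodi.balsillie.house` both point at `127.0.0.1:8082`, which may be intended but deserves a comment.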
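Review bot: `password: 'no'` and `pubkey: 'yes'` are quoted, which is correct if the `sshd_config.j2` template (outside this diff) writes them verbatim as sshd's `yes`/`no` keywords, but nothing says so and a later cleanup could turn them into YAML booleans that render as `True`/`False` and make sshd reject its config. Add a comment above the block, e.g. `# quoted on purpose: rendered verbatim into sshd_config, which wants literal yes/no`.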
@@ -0,0 +1,21 @@
+ufw_enabled: true
+
+ufw_rules:
+ - name: "SSH from Local Subnet"
+ port: "22"
+ protocol: "tcp"
+ action: "allow"
+ source: "10.192.210.0/24"
+ destination: "10.192.210.169"
+ - name: "HTTP from Local Subnet"
+ port: "80"
+ protocol: "tcp"
+ action: "allow"
+ source: "10.192.210.0/24"
+ destination: "10.192.210.169"
+ - name: "HTTPS from Local Subnet"
+ port: "443"
+ protocol: "tcp"
+ action: "allow"
+ source: "10.192.210.0/24"
+ destination: "10.192.210.169"
\ No newline at end of file
diff --git a/ansible/playbooks/infra/kodi.yaml b/ansible/playbooks/infra/kodi.yaml
index 4eb5f19..ad24596 100644
--- a/ansible/playbooks/infra/kodi.yaml
+++ b/ansible/playbooks/infra/kodi.yaml
@@ -4,4 +4,7 @@
 gather_facts: true
 become: true
 roles:
- - name: kodi
+ - role: sshd
+ - role: ufw
+ - role: nginx
+ - role: certbot
diff --git a/ansible/roles/certbot/tasks/main.yaml b/ansible/roles/certbot/tasks/main.yaml
index 507832f..4504d94 100644
--- a/ansible/roles/certbot/tasks/main.yaml
+++ b/ansible/roles/certbot/tasks/main.yaml
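Review bot: `destination: "10.192.210.169"` is repeated in all three rules and pins them to one interface address; if the host is re-addressed the rules stop matching and, with the role's `default: deny` for incoming traffic, SSH is cut off. Hold the address in one variable, e.g. `ufw_host_address: "10.192.210.169"` and `destination: "{{ ufw_host_address }}"`, or drop `destination` so the rules apply to any local address. The three rules differ only in name and port, so a comment stating the intent (only the local /24 may reach this host) would also help a reader.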
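Review bot: The `kodi` role is dropped from the play's role list, which is unrelated to adding the sshd/ufw/nginx/certbot roles; if the host still needs it, keep `- role: kodi` at the end of the list, and if removing it is intended the commit description should say so. The order sshd → ufw → nginx → certbot matters: ufw applies default-deny for incoming traffic before certbot runs, so the certbot role depends on outbound traffic staying allowed, which the ufw role does not restrict. The play header is outside the hunk.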
@@ -3,8 +3,50 @@
 community.general.pacman:
 name:
 - certbot
- - certbot-dns-rfc2136
+ - certbot-dns-{{ certbot_dns_plugin }}
 state: present
 update_cache: true
-- name: Add certbot config
+- name: Install certbot webserver plugin (Archlinux)
+ when:
+ - ansible_facts['os_family'] == "Archlinux"
+ - certbot_webserver_type == 'nginx'
+ community.general.pacman:
+ name:
+ - certbot-nginx
+ state: present
+ update_cache: true
+
+- name: Template out the dns config file
+ when: certbot_dns_plugin == 'rfc2136'
+ ansible.builtin.template:
+ src: "{{ certbot_dns_plugin }}.conf.j2"
+ dest: "/etc/letsencrypt/{{ certbot_dns_plugin }}.conf"
+ owner: root
+ group: root
+ mode: '0600'
+
+- name: Register certbot account
+ ansible.builtin.command:
+ argv:
+ - "certbot register"
+ - "--agree-tos"
+ - "--email {{ certbot_email }}"
+ - "--no-eff-email"
+ creates: /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/{{ certbot_email }}
+
+- name: Request and install certificates
+ ansible.builtin.command:
+ argv:
+ - "certbot --nginx run -n"
+ - "--dns-{{ certbot_dns_plugin }}"
+ - "--dns-{{ certbot_dns_plugin }}-credentials /etc/letsencrypt/{{ certbot_dns_plugin }}.conf"
+ - "-d {{ item }}"
+ creates: /etc/letsencrypt/live/{{ item }}/fullchain.pem
+ loop: "{{ certbot_domains }}"
+
+- name: Enable certbot renewal
+ ansible.builtin.service:
+ name: certbot-renew.timer
+ state: started
+ enabled: true
diff --git a/ansible/roles/certbot/templates/rfc2136.conf.j2 b/ansible/roles/certbot/templates/rfc2136.conf.j2
new file mode 100644
index 0000000..86fe7da
--- /dev/null
+++ b/ansible/roles/certbot/templates/rfc2136.conf.j2
@@ -0,0 +1,4 @@
+dns_rfc2136_server = {{ certbot_rfc2136_server }}
+dns_rfc2136_name = {{ certbot_rfc2136_key_name }}
+dns_rfc2136_secret = {{ certbot_rfc2136_key_secret }}
+dns_rfc2136_algorithm = {{ certbot_rfc2136_key_algorithm }}
\ No newline at end of file
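Review bot: The `argv` lists in `Register certbot account` and `Request and install certificates` put several words into one element (`"certbot register"`, `"--email {{ certbot_email }}"`, `"certbot --nginx run -n"`, `"-d {{ item }}"`); `argv` hands each element to exec as a single argument, so the first task tries to run a binary literally named `certbot register` and fails, and the second passes options certbot cannot parse as one token. Every word needs its own element, as in the rewrite below. The `creates` guard for registration hard-codes `acme-v02.api.letsencrypt.org` while `certbot_acme_server` is defined in host_vars but never passed, and its last path element is the e-mail although, as far as I recall, certbot names that directory by account id, so the guard likely never matches and registration is retried on every run — pass `--server {{ certbot_acme_server }}` and verify the real path after a first run. `--nginx` is likewise hard-coded although `certbot_webserver_type` exists; `--authenticator dns-{{ certbot_dns_plugin }} --installer {{ certbot_webserver_type }}` expresses the intended split. Since the rendered credentials file holds the TSIG secret, `no_log: true` on the `Template out the dns config file` task keeps it out of `--diff` output.
```yaml
# … unchanged: package install and credentials template tasks …

- name: Register certbot account
  ansible.builtin.command:
    argv:
      - "certbot"
      - "register"
      - "--agree-tos"
      - "--email"
      - "{{ certbot_email }}"
      - "--no-eff-email"
      - "--server"
      - "{{ certbot_acme_server }}"
    # TODO(review): confirm the account directory certbot actually creates
    creates: "/etc/letsencrypt/accounts/{{ certbot_acme_server | urlsplit('hostname') }}/directory/{{ certbot_email }}"

- name: Request and install certificates
  ansible.builtin.command:
    argv:
      - "certbot"
      - "run"
      - "-n"
      - "--authenticator"
      - "dns-{{ certbot_dns_plugin }}"
      - "--installer"
      - "{{ certbot_webserver_type }}"
      - "--dns-{{ certbot_dns_plugin }}-credentials"
      - "/etc/letsencrypt/{{ certbot_dns_plugin }}.conf"
      - "--server"
      - "{{ certbot_acme_server }}"
      - "-d"
      - "{{ item }}"
    creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
  loop: "{{ certbot_domains }}"

# … unchanged: Enable certbot renewal …
```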
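Review bot: The template renders the TSIG secret in clear text with no header, so an operator who finds `/etc/letsencrypt/rfc2136.conf` has no hint that it is generated by Ansible or that it must stay mode 0600. A first line such as `# {{ ansible_managed }} -- TSIG credentials for certbot-dns-rfc2136; keep this file 0600` documents both. The file also lacks a trailing newline.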
diff --git a/ansible/roles/nginx/tasks/main.yaml b/ansible/roles/nginx/tasks/main.yaml
new file mode 100644
index 0000000..1581428
--- /dev/null
+++ b/ansible/roles/nginx/tasks/main.yaml
@@ -0,0 +1,7 @@
+- name: Install nginx package (Archlinux)
+ when: ansible_facts['os_family'] == "Archlinux"
+ community.general.pacman:
+ name:
+ - nginx
+ state: present
+ update_cache: true
diff --git a/ansible/roles/sshd_setup/defaults/main.yaml b/ansible/roles/sshd/defaults/main.yaml
similarity index 100%
rename from ansible/roles/sshd_setup/defaults/main.yaml
rename to ansible/roles/sshd/defaults/main.yaml
diff --git a/ansible/roles/sshd_setup/handlers/main.yaml b/ansible/roles/sshd/handlers/main.yaml
similarity index 100%
rename from ansible/roles/sshd_setup/handlers/main.yaml
rename to ansible/roles/sshd/handlers/main.yaml
diff --git a/ansible/roles/sshd/tasks/main.yaml b/ansible/roles/sshd/tasks/main.yaml
new file mode 100644
index 0000000..d198a21
--- /dev/null
+++ b/ansible/roles/sshd/tasks/main.yaml
@@ -0,0 +1,14 @@
+---
+
+- name: Template out sshd_config
+ ansible.builtin.template:
+ src: sshd_config.j2
+ dest: /etc/ssh/sshd_config
+ owner: root
+ group: root
+ mode: '0644'
+ notify:
+ - Restart sshd
+
+- name: Flush handlers for immediate shhd restart
+ ansible.builtin.meta: flush_handlers
diff --git a/ansible/roles/sshd_setup/tasks/main.yaml b/ansible/roles/sshd/tasks/setup_key.yaml
similarity index 78%
rename from ansible/roles/sshd_setup/tasks/main.yaml
rename to ansible/roles/sshd/tasks/setup_key.yaml
index 21ad2ac..a8d1b04 100644
--- a/ansible/roles/sshd_setup/tasks/main.yaml
+++ b/ansible/roles/sshd/tasks/setup_key.yaml
@@ -1,13 +1,5 @@
 ---
-# - name: Debug ansible facts
-# ansible.builtin.debug:
-# msg: "{{ ansible_facts }}"
-
-# - name: Debug host vars
-# ansible.builtin.debug:
-# msg: "{{ hostvars[inventory_hostname]['ansible_fqdn'] }}"
-
 - name: Ensure ssh config dir exists
 delegate_to: localhost
 become: false
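Review bot: The role installs nginx but neither enables nor starts the service, and nothing renders the `nginx_sites` vhosts that the host_vars define; the certbot role that runs next uses the nginx installer, which needs a running nginx with a server block for each `-d` name, so on a fresh host it has nothing to install into. At minimum add a service task after the install task; rendering `nginx_sites` into server blocks is a larger piece that should either land in this role or be called out as follow-up.
```yaml
# … unchanged: Install nginx package (Archlinux) …

- name: Enable and start nginx
  ansible.builtin.service:
    name: nginx
    state: started
    enabled: true
```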
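Review bot: The `Template out sshd_config` task writes `/etc/ssh/sshd_config` and then forces an immediate restart through `flush_handlers` with no syntax check in between, so a template error takes sshd down on a remote host with no fallback. Add `validate: 'sshd -t -f %s'` to the template task so a broken render is rejected before the handler fires. `setup_key.yaml` is split out of the old `tasks/main.yaml`, but nothing in this diff includes it (no `include_tasks`/`import_tasks` in the new `main.yaml`), so the key and client-config steps no longer run unless they are referenced elsewhere. The task name also carries a typo: `shhd`.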
@@ -39,19 +31,6 @@
 user: "{{ ansible_user }}"
 state: present
-- name: Template out sshd_config
- ansible.builtin.template:
- src: sshd_config.j2
- dest: /etc/ssh/sshd_config
- owner: root
- group: root
- mode: '0644'
- notify:
- - Restart sshd
-
-- name: Flush handlers for immediate shhd restart
- ansible.builtin.meta: flush_handlers
-
 - name: Add local ssh client config
 delegate_to: localhost
 become: false
diff --git a/ansible/roles/sshd_setup/templates/sshd_config.j2 b/ansible/roles/sshd/templates/sshd_config.j2
similarity index 100%
rename from ansible/roles/sshd_setup/templates/sshd_config.j2
rename to ansible/roles/sshd/templates/sshd_config.j2
diff --git a/ansible/roles/ufw/tasks/main.yaml b/ansible/roles/ufw/tasks/main.yaml
new file mode 100644
index 0000000..2854f5a
--- /dev/null
+++ b/ansible/roles/ufw/tasks/main.yaml
@@ -0,0 +1,33 @@
+- name: Install ufw package (Archlinux)
+ when: ansible_facts['os_family'] == "Archlinux"
+ community.general.pacman:
+ name:
+ - ufw
+ state: present
+ update_cache: true
+
+- name: Add ufw rules
+ community.general.ufw:
+ comment: "{{ item.name }}"
+ direction: 'in'
+ from_ip: "{{ item.source }}"
+ proto: "{{ item.protocol }}"
+ rule: "{{ item.action }}"
+ to_ip: "{{ item.destination }}"
+ to_port: "{{ item.port }}"
+ loop: "{{ ufw_rules }}"
+
+- name: Enable ufw
+ when: ufw_enabled
+ community.general.ufw:
+ default: "deny"
+ direction: "incoming"
+ logging: "low"
+ state: enabled
+
+- name: Enable the ufw service
+ when: ufw_enabled
+ ansible.builtin.service:
+ name: ufw
+ state: restarted
+ enabled: true
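Review bot: `state: restarted` in `Enable the ufw service` restarts ufw on every play run even when nothing changed, so the task is never idempotent and each run briefly reloads the rule set; `state: started` with `enabled: true` is the idempotent form, and the preceding `state: enabled` task already applies rule changes. The role ships no `defaults/main.yaml`, so `ufw_enabled` and `ufw_rules` are undefined on any host that does not set them and the `Add ufw rules` loop fails before the `when: ufw_enabled` guards are reached; either add defaults (`ufw_enabled: false`, `ufw_rules: []`) or write the guards as `when: ufw_enabled | default(false)`. Finally, `default: deny` for incoming traffic is applied in the same run that adds the rules, so a host whose `ufw_rules` omits SSH locks the controller out; an `ansible.builtin.assert` that at least one rule opens the SSH port, placed before `Enable ufw`, would catch that.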