ansible/README.md
# Ansible Infrastructure Management
This Ansible project provides comprehensive infrastructure automation for development environments, server management, and VM provisioning across multiple machines and platforms.
## 🏗️ Architecture
### Host Groups
- `dev`: Development machines (dev01, bottom, debianDesktopVM)
- `gitea`: Gitea server (Alpine Linux)
- `portainer`: Portainer container management (Alpine Linux)
- `homepage`: Homepage dashboard (Debian)
- `ansible`: Ansible control node
- `local`: Local machine management
### Roles
#### Core Infrastructure Roles
- **`maintenance`**: System updates, package cleanup, and automated reboots
- **`base`**: Core system packages, security tools, and system hardening
- **`ssh`**: SSH server hardening and firewall configuration
- **`user`**: User management and configuration
#### Development & Shell Roles
- **`development`**: Development tools (git, nodejs, build-essential, python3)
- **`shell`**: Shell configuration (zsh + oh-my-zsh + powerlevel10k)
- **`docker`**: Docker CE installation and user configuration
#### Application Roles
- **`applications`**: Desktop applications (Brave, LibreOffice, Redshift, Evince)
- **`snap`**: Snap daemon and snap applications (VSCode, Cursor)
#### Network & Monitoring Roles
- **`tailscale`**: VPN mesh networking across all machines
- **`monitoring`**: System monitoring tools and scripts
- **`backup`**: Automated backup solutions (✨ NEW)
#### Infrastructure Roles
- **`proxmox_vm`**: Proxmox VM creation and management (✨ NEW)
## 🚀 Usage
### Quick Start with Makefile (Recommended)
```bash
# Setup dependencies
make bootstrap
# Test everything
make test
# Dry run to see what would change
make check
# Apply to all development hosts
make apply
# Run on specific host
make dev HOST=dev01
# Run locally
make local
```
### New Infrastructure Features
#### Proxmox VM Creation (✨ NEW)
```bash
# Create new VMs on Proxmox
make create-vm
# Or manually:
ansible-playbook proxmox-create-vm.yml
```
#### Automated Backups (✨ NEW)
```bash
# Deploy backup system
make backup
# Includes:
# - Daily home directory backups (2:00 AM)
# - Daily system config backups (2:30 AM)
# - 7-day retention for home, 30-day for system
# - Automated cleanup and logging
```
#### System Monitoring (✨ NEW)
```bash
# Deploy monitoring tools
make monitoring
# Includes:
# - Advanced system monitoring (btop, iotop, nethogs)
# - Custom monitoring scripts
# - System information dashboards
# - Tailscale network status integration
```
#### Tailscale VPN Network
```bash
# Deploy Tailscale across all machines
make tailscale
# Check Tailscale status
make tailscale-status
# Deploy to development machines only
make tailscale-dev
```
### Prerequisites (Manual Setup)
```bash
# Install required collections
ansible-galaxy collection install -r collections/requirements.yml
```
### Vault Password Setup
Host variables and sensitive data are encrypted with Ansible Vault:
#### Option 1: Vault Password File (Recommended)
```bash
# Create the vault password file: read -s keeps the password out of shell history,
# umask 077 makes the file mode 600 from the moment it exists
umask 077
read -r -s -p "Vault password: " vault_pass && printf '%s\n' "$vault_pass" > ~/.ansible-vault-pass
unset vault_pass
chmod 600 ~/.ansible-vault-pass
```
This file holds the vault password in clear text and unlocks every encrypted `host_vars` file, so keep it outside the repository.
#### Option 2: Interactive Password Prompt
Use `--ask-vault-pass` with each command.
### Vault Configuration
Create vault files with encrypted secrets:
```bash
# Create/edit vault files
make create-vault
make edit-vault HOST=dev01
# Required vault variables:
# - vault_tailscale_auth_key: "tskey-auth-your-key"
# - vault_proxmox_host: "proxmox-server-ip"
# - vault_proxmox_user: "root@pam"
# - vault_proxmox_password: "proxmox-password"
# - vault_vm_cipassword: "vm-user-password"
# - vault_ssh_public_key: "ssh-ed25519 AAAA..."
```
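The variables above are normally laid out so that secrets live in one encrypted file per host while playbooks and roles reference plain names. The following is an added example of that pattern, not the repository's own files: the `vault_` prefix convention, the `tailscale` role excerpt, and the `ts_status` check are assumptions about how this project wires things, and every value is a constructed placeholder.

```yaml
# host_vars/dev01.yml -- keep encrypted: ansible-vault encrypt host_vars/dev01.yml
# Constructed placeholder values, not real credentials.
vault_tailscale_auth_key: "tskey-auth-REPLACE-ME"
vault_proxmox_host: "192.0.2.10"
vault_proxmox_user: "root@pam"
vault_proxmox_password: "REPLACE-ME"
vault_vm_cipassword: "REPLACE-ME"
vault_ssh_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAREPLACEME master@dev01"
---
# group_vars/all.yml -- plain names the roles consume; only the indirection lives here,
# so `grep -r tailscale_auth_key roles/` finds every use without decrypting anything.
tailscale_auth_key: "{{ vault_tailscale_auth_key }}"
tailscale_accept_routes: true
tailscale_accept_dns: true
tailscale_ssh: true
---
# roles/tailscale/tasks/main.yml (excerpt, assumed) -- the key crosses the wire once and is never logged.
- name: Read current tailscaled state
  ansible.builtin.command: tailscale status --json
  register: ts_status
  changed_when: false
  failed_when: false          # a missing binary or logged-out node is handled below, not fatal here

- name: Join the tailnet (only when the node is not already running)
  ansible.builtin.command:
    argv:
      - tailscale
      - up
      - "--auth-key={{ tailscale_auth_key }}"
      - "--accept-routes={{ tailscale_accept_routes | string | lower }}"
      - "--accept-dns={{ tailscale_accept_dns | string | lower }}"
      - "--ssh={{ tailscale_ssh | string | lower }}"
  when: ts_status.rc != 0 or (ts_status.stdout | from_json).BackendState != 'Running'
  no_log: true                # keeps the auth key out of task output, including -vvv and callback logs
```

`no_log` also hides the module's error message when `tailscale up` fails, so debug a broken join with a throwaway key and `no_log` temporarily off, then rotate the key. Prefer pre-authorized, tagged auth keys with a short expiry; the vault file is the only thing standing between the key and anyone who obtains the repository plus the password file. For Proxmox, an API token scoped to the VM-creation privileges is a smaller blast radius than the `root@pam` password, and `community.general.proxmox_kvm` accepts `api_token_id`/`api_token_secret` in place of `api_password`.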
### Selective Execution with Tags
#### Using Makefile (Recommended)
```bash
# Infrastructure roles
make security # Security-related roles only
make monitoring # Monitoring tools only
make backup # Backup system only
# Development tools
make docker # Docker installation only
make shell # Shell configuration only
make apps # Applications only
# Network services
make tailscale # VPN network setup
make tailscale-status # Check VPN status
# Maintenance (unified system)
make maintenance # All hosts
make maintenance GROUP=dev # Specific group
make maintenance HOST=dev01 # Specific host
make maintenance CHECK=true # Dry-run all hosts
make maintenance GROUP=dev SERIAL=1 # Serial execution
# Infrastructure management
make create-vm # Create new Proxmox VMs
make status # Check connectivity
make facts # Gather system facts
```
#### Manual Commands
```bash
# Security-related roles only
ansible-playbook dev-playbook.yml --tags security
# Development tools only
ansible-playbook dev-playbook.yml --tags development,docker
# Network services
ansible-playbook tailscale-playbook.yml
# Infrastructure provisioning
ansible-playbook proxmox-create-vm.yml
# Skip maintenance
ansible-playbook dev-playbook.yml --skip-tags maintenance
```
### Playbook Overview
- **`dev-playbook.yml`**: Complete development environment setup
- **`local-playbook.yml`**: Local machine configuration
- **`tailscale-playbook.yml`**: VPN network deployment
- **`proxmox-create-vm.yml`**: VM provisioning on Proxmox
- **`maintenance-playbook.yml`**: System maintenance operations
## 🔧 Configuration
### Global Variables (`group_vars/all.yml`)
- `timezone`: System timezone (default: UTC)
- `locale`: System locale (default: en_US.UTF-8)
- `ansible_debug_output`: Show debug information (default: false)
- `fail2ban_bantime`: Ban duration in seconds
- `fail2ban_findtime`: Time window for failures
- `fail2ban_maxretry`: Max failures before ban
### Tailscale Configuration
- `tailscale_auth_key`: Authentication key (stored in vault)
- `tailscale_accept_routes`: Accept subnet routes (default: true)
- `tailscale_accept_dns`: Accept DNS settings (default: true)
- `tailscale_ssh`: Enable SSH access through Tailscale (default: true)
### Backup Configuration (`roles/backup/defaults/main.yml`)
- `backup_enable_cron`: Enable automated backups (default: true)
- `backup_retention_days_home`: Home backup retention (default: 7)
- `backup_retention_days_system`: System backup retention (default: 30)
- `backup_users`: Users to backup (default: ['master', 'beast', 'ladmin', 'user'])
### SSH Configuration (`roles/ssh/defaults/main.yml`)
Comprehensive security hardening:
- `ssh_port`: SSH port (default: 22)
- `ssh_permit_root_login`: Root login setting (default: 'no')
- `ssh_password_authentication`: Password auth (default: 'no')
- `ssh_max_auth_tries`: Authentication attempts (default: 3)
- `ssh_allowed_users`: Restrict to specific users (default: [])
- `ssh_allowed_groups`: Restrict to specific groups (default: ['sudo', 'ssh'])
### Proxmox VM Configuration (`roles/proxmox_vm/defaults/main.yml`)
- `vm_memory`: RAM allocation (default: 8192MB)
- `vm_cores`: CPU cores (default: 2)
- `vm_disk_size`: Disk size (default: 20G)
- `vm_iso`: Ubuntu Server ISO (default: ubuntu-24.04-live-server-amd64.iso)
- `vm_ciuser`: Default user (default: master)
## 🛡️ Security Features
### Comprehensive SSH Hardening
- Modern cryptographic algorithms (ChaCha20-Poly1305, AES-256-GCM)
- Secure key exchange (Curve25519, DH Group 16)
- Disabled password authentication
- Connection rate limiting and timeouts
- User/group access restrictions
- Configuration validation and automatic backup
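The last bullet is the one that keeps a typo from locking you out: the new config is syntax-checked before it replaces the live file, and the previous file is kept. Below is an added example of how those bullets map onto Ansible, written for this page rather than taken from the repository's `ssh` role. It consumes the `ssh_*` defaults documented above; `ssh_service_name`, the MACs line, and the `UsePAM` handling for Alpine are assumptions, and a real role would more likely ship the config as a `template` with a `.j2` file than inline `content`.

```yaml
# roles/ssh/tasks/harden.yml -- added example, not the role's real task list
- name: Install hardened sshd_config (syntax-checked before it replaces the live file)
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0600"
    backup: true                          # previous config kept as sshd_config.<timestamp>~
    validate: /usr/sbin/sshd -t -f %s     # sshd rejects the candidate before it is installed
    content: |
      Port {{ ssh_port }}
      PermitRootLogin {{ ssh_permit_root_login }}
      PasswordAuthentication {{ ssh_password_authentication }}
      KbdInteractiveAuthentication no
      PubkeyAuthentication yes
      {% if ansible_facts['os_family'] != 'Alpine' %}UsePAM yes{% endif %}
      MaxAuthTries {{ ssh_max_auth_tries }}
      LoginGraceTime 30
      MaxStartups 10:30:60
      ClientAliveInterval 300
      ClientAliveCountMax 2
      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
      KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
      {% if ssh_allowed_users %}AllowUsers {{ ssh_allowed_users | join(' ') }}{% endif %}
      {% if ssh_allowed_groups %}AllowGroups {{ ssh_allowed_groups | join(' ') }}{% endif %}
      Subsystem sftp internal-sftp
  notify: restart sshd
---
# roles/ssh/handlers/main.yml
- name: restart sshd
  ansible.builtin.service:
    name: "{{ ssh_service_name | default('ssh') }}"   # 'ssh' on Debian/Ubuntu, 'sshd' on Alpine (assumed variable)
    state: restarted
```

Two checks worth doing on the first rollout. First, keep an existing session open while the handler restarts `sshd` and open a second one to confirm key login still works before closing the first. Second, run `sshd -T` on the host and read the effective values rather than the file: stock Ubuntu configs begin with `Include /etc/ssh/sshd_config.d/*.conf`, cloud images drop a `50-cloud-init.conf` there that sets `PasswordAuthentication yes`, and sshd keeps the first value it reads, so a drop-in ahead of the hardening silently wins. The example omits the `Include` so the hardened file is authoritative. If `ssh_port` is changed, the fail2ban `sshd` jail and the UFW rule must be updated to the same port or they watch the wrong one.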
### Fail2ban Integration
- SSH brute force protection
- Configurable ban times and retry limits
- Email notifications
### UFW Firewall
- Deny-by-default policy
- SSH access allowed
- Automatic enablement
### Tailscale VPN Security
- WireGuard-based mesh networking with access governed by tailnet ACLs
- Traffic is encrypted between peers; DERP relays only forward packets they cannot decrypt
- SSH access through the tunnel (`tailscale_ssh: true`); note that Tailscale SSH is terminated by `tailscaled` and authorized by tailnet identity and ACLs, so the `sshd` hardening above does not govern those sessions
- Subnet routing capabilities
## 📦 Installed Packages
### Base System
- **Core utilities**: `curl`, `wget`, `unzip`, `xclip`, `tree`
- **Network/Security**: `net-tools`, `ufw`, `fail2ban`, `mailutils`
- **Monitoring**: `iotop`, `nethogs`, `logwatch`, `btop` (via snap)
- **Modern CLI**: `jq`, `yq` (via snap), `ripgrep`, `fd-find`
### Development Tools
- `git`, `nodejs`, `npm`
- `build-essential`, `python3`, `python3-pip`
### Applications
- `brave-browser`, `libreoffice`, `evince`, `redshift`
- `code` (VSCode), `cursor` (via snap)
### Docker & Containers
- Docker CE with all components
- Docker Compose
- User added to docker group
### Backup Tools (✨ NEW)
- `rsync`, `borgbackup`, `rclone`, `restic`
- Automated backup scripts and cron jobs
### Monitoring Tools (✨ NEW)
- `htop`, `iotop`, `nethogs`, `btop`
- Custom system information scripts
- Network monitoring utilities
### VPN & Network
- `tailscale` - Mesh VPN networking
- Network utilities and monitoring
## 🔧 Modern CLI Tools
The base role installs modern replacements for traditional Unix tools:
### Available Commands
```bash
# Fast searching
rg "pattern" files/ # ripgrep - faster than grep
fd "filename" # fd-find - intuitive find replacement
# Data processing
jq '.key' file.json # JSON processor and formatter
yq '.key' file.yaml # YAML processor and formatter
# System monitoring
btop # Modern system monitor (better than htop)
tree directory/ # Directory structure visualization
# File operations
tree -L 2 # Limit tree depth
rg -i "case insensitive" # Case-insensitive search
fd -e yml # Find only YAML files
jq -r '.items[].name' # Raw JSON output
```
## 🔄 Maintenance & Operations
### Unified Maintenance System
```bash
# Basic usage
make maintenance # Run on all hosts
make maintenance GROUP=dev # Run on specific group
make maintenance HOST=dev01 # Run on specific host
# Advanced options
make maintenance CHECK=true # Dry-run (safe testing)
make maintenance GROUP=dev SERIAL=1 # One host at a time
make maintenance GROUP=local # Local machine (auto-sudo)
```
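The `SERIAL=1` and `CHECK=true` options matter most on the reboot step: patching every host in parallel and rebooting them all at once takes the whole tailnet down together. The play below is an added example of the pattern behind a maintenance run, not the repository's `maintenance-playbook.yml`; how the Makefile maps `GROUP`/`HOST`/`SERIAL` onto the `target` and `maintenance_serial` extra vars is assumed.

```yaml
# maintenance-playbook.yml -- added example of serial patching with a reboot only where one is needed
- name: Patch hosts and reboot only those that need it
  hosts: "{{ target | default('all') }}"
  become: true
  serial: "{{ maintenance_serial | default('100%') }}"   # SERIAL=1 -> one host at a time
  any_errors_fatal: true                                 # a failed host halts the rollout

  tasks:
    - name: Upgrade packages (Debian/Ubuntu)
      ansible.builtin.apt:
        update_cache: true
        upgrade: dist
        autoremove: true
      when: ansible_facts['pkg_mgr'] == 'apt'

    - name: Upgrade packages (Alpine)
      community.general.apk:
        update_cache: true
        upgrade: true
      when: ansible_facts['pkg_mgr'] == 'apk'

    - name: Check whether Debian/Ubuntu flagged a reboot
      ansible.builtin.stat:
        path: /var/run/reboot-required    # written by the kernel/libc packages; Alpine has no equivalent marker
      register: reboot_marker

    - name: Reboot and wait for the host to return (skipped in --check)
      ansible.builtin.reboot:
        reboot_timeout: 600
      when: reboot_marker.stat.exists and not ansible_check_mode
```

With `serial: 1` and `any_errors_fatal`, a host that fails to come back stops the play before the next one is touched, which is the behaviour you want when the hosts are also your Tailscale path to each other. Alpine hosts are upgraded but never rebooted by this play because there is no `reboot-required` marker; a kernel upgrade there needs an explicit reboot decision.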
### Backup Operations (✨ NEW)
```bash
# Deploy backup system
make backup
# Manual backup operations
sudo /opt/backups/scripts/backup-home.sh # Run home backup
sudo /opt/backups/scripts/backup-system.sh # Run system backup
# Check backup logs
tail -f /var/log/backups/home.log
tail -f /var/log/backups/system.log
```
### Monitoring Operations (✨ NEW)
```bash
# Deploy monitoring tools
make monitoring
# Use monitoring scripts
/usr/local/bin/monitoring/sysinfo # System information dashboard
/usr/local/bin/monitoring/netinfo # Network information
# System monitoring
btop # Interactive system monitor
```
### Tailscale Network Management
```bash
# Deploy VPN network
make tailscale
# Check status across all machines
make tailscale-status
# Manual Tailscale commands
tailscale status # Check connection status
tailscale ip # Show Tailscale IP
tailscale netcheck # Network connectivity check
```
### Infrastructure Provisioning (✨ NEW)
```bash
# Create new VMs on Proxmox
make create-vm
# Custom VM creation
ansible-playbook proxmox-create-vm.yml -e "vm_name=new-server vm_id=111"
```
## 🐛 Troubleshooting
### Common Issues
1. **SSH Connection Issues**
- Check `ansible.cfg` SSH settings
- Verify host keys and user permissions
- Test Tailscale connectivity: `tailscale ping hostname`
2. **Vault Access Issues**
- Verify vault password file: `~/.ansible-vault-pass`
- Test vault decryption: `ansible-vault view host_vars/hostname.yml`
3. **Tailscale Connection Issues**
- Check service status: `sudo systemctl status tailscaled`
- Verify auth key in vault
- Check firewall: `sudo ufw status`
4. **Proxmox VM Creation Issues**
- Verify Proxmox credentials in vault
- Check ISO availability: `pvesm list local --content iso`
- Ensure sufficient resources on Proxmox node
5. **Backup Issues**
- Check backup directories: `ls -la /opt/backups/`
- Review logs: `tail -f /var/log/backups/*.log`
- Verify cron jobs: `sudo crontab -l`
### Debug Commands
```bash
# Using Makefile
make status # Test connectivity to all hosts
make facts # Gather facts from all hosts
make debug # Run with debug output
make verbose # Run with verbose output
# Manual commands
ansible dev -m ping # Test connectivity
ansible dev -m setup # Check facts
ansible-playbook dev-playbook.yml --tags base # Run specific role
# Verify installations (use -b for privilege escalation rather than baking sudo into the
# command, and command instead of shell unless a pipe is needed)
ansible dev -m command -a "tailscale status"          # Check Tailscale
ansible dev -m command -a "docker --version"          # Check Docker
ansible dev -b -m command -a "sshd -t"                # Validate SSH config syntax
ansible dev -b -m shell -a "sshd -T | grep -Ei '^(passwordauthentication|permitrootlogin|ciphers|kexalgorithms)'"   # Effective values, drop-ins included
```
## 🛠️ Makefile Workflows
### Development Workflow
```bash
make bootstrap # Install collections
make test # Lint + syntax check
make check # Dry run
make apply # Deploy to all hosts
```
### Infrastructure Management
```bash
make create-vm # Provision new VMs
make tailscale # Deploy VPN network
make monitoring # Deploy monitoring
make backup # Deploy backup system
```
### Host-Specific Operations
```bash
make dev HOST=dev01 # Deploy to specific host
make edit-vault HOST=dev01 # Edit encrypted host variables
make tailscale-dev # Deploy Tailscale to dev hosts only
```
### Maintenance and Utilities
```bash
make clean # Clean up artifacts
make status # Check host connectivity
make install-tools # Install recommended CLI tools locally
```
Run `make help` for the complete list of available commands.
## 📝 File Structure
```
ansible/
├── ansible.cfg                 # Enhanced Ansible configuration
├── Makefile                    # Workflow automation with unified maintenance
├── hosts                       # Inventory file
├── dev-playbook.yml            # Main development playbook
├── local-playbook.yml          # Local machine setup
├── tailscale-playbook.yml      # VPN network deployment
├── proxmox-create-vm.yml       # VM provisioning playbook
├── maintenance-playbook.yml    # Dedicated maintenance playbook
├── collections/
│   └── requirements.yml        # Required Ansible collections
├── group_vars/
│   └── all.yml                 # Global variables and Tailscale config
├── host_vars/                  # Host-specific variables (encrypted)
└── roles/
    ├── maintenance/            # System maintenance
    ├── base/                   # Core system setup
    ├── development/            # Development tools
    ├── shell/                  # Shell configuration (zsh + oh-my-zsh)
    ├── docker/                 # Docker installation
    ├── ssh/                    # SSH hardening and configuration
    ├── user/                   # User management
    ├── applications/           # Desktop applications
    ├── snap/                   # Snap applications
    ├── tailscale/              # VPN mesh networking
    ├── monitoring/             # System monitoring tools
    ├── backup/                 # Automated backup solutions
    └── proxmox_vm/             # VM provisioning on Proxmox
```
## 🤝 Contributing
1. Test changes with `--check` first
2. Update documentation for new roles/tasks
3. Use proper handlers for service restarts
4. Follow existing naming conventions
5. Encrypt sensitive data with ansible-vault
6. Test across different OS distributions (Ubuntu, Debian, Alpine)