ansible plays for docker, haproxy & varnish

ansible/plays/base_server_setup.yml

@@ -0,0 +1,24 @@
+---
+- name: Check if vault is reachable for dynamic config
+  hosts: all
+  connection: local
+  gather_facts: false
+  pre_tasks:
+  - name: Check for vault env variables
+    set_fact:
+      has_vault: "{{ lookup('env', 'VAULT_ADDR') and lookup('env', 'VAULT_TOKEN') and lookup('env', 'HAS_VAULT') != 'FALSE' }}"
+  roles:
+    - { role: roles/vault-config, when: has_vault }
+
+- name: Basic setup, brute force protection, firewall and log shipping
+  hosts: all
+  roles:
+    - role: roles/apt
+    - role: roles/base                  # - Basic server setup and configuration
+    # - role: roles/fail2ban              # - SSH Brute force protection
+    # - role: roles/prox-qemu-agent       # - If proxmox vm insatll qemu agent
+    - role: roles/firewall              # - Firewall, if firewall_enable is true
+    - role: roles/ssh                   # - Sets up the ssh role, with keys, ssh_config and sshd_config
+    - role: roles/oh-my-zsh
+    - role: roles/motd
+#    - role: roles/bacula

ansible/plays/bind9.yml

@@ -0,0 +1,16 @@
+---
+- name: Check if vault is reachable for dynamic config
+  hosts: all
+  connection: local
+  gather_facts: false
+  pre_tasks:
+  - name: Check for vault env variables
+    set_fact:
+      has_vault: "{{ lookup('env', 'VAULT_ADDR') and lookup('env', 'VAULT_TOKEN') and lookup('env', 'HAS_VAULT') != 'FALSE' }}"
+  roles:
+    - { role: roles/vault-config, when: has_vault }
+
+- name: Install all bind9 service and transfer zone files
+  hosts: all
+  roles:
+    - role: roles/bind9

ansible/plays/consul.yml

@@ -0,0 +1,5 @@
+---
+- name: Consul
+  hosts: all
+  roles:
+    - role: roles/consul

ansible/plays/cve-2024-3094.yml

@@ -0,0 +1,6 @@
+---
+- name: patch xz-utils
+  hosts: all
+  roles:
+    - roles/xz_utils_patch
+

ansible/plays/docker.yml

@@ -0,0 +1,5 @@
+---
+- name: Install docker on linux host
+  hosts: all
+  roles:
+    - role: roles/docker

ansible/plays/firewall.yml

@@ -0,0 +1,6 @@
+---
+- name: Install all ufw service and enable ports
+  hosts: all
+  roles:
+    - role: roles/firewall
+

ansible/plays/get_os.yml

@@ -0,0 +1,7 @@
+- hosts: all
+  tasks:
+  - debug:
+      msg:
+      - "ansible_distribution {{ hostvars[inventory_hostname].ansible_distribution }}"
+      - "major version {{ hostvars[inventory_hostname].ansible_distribution_major_version }}"
+      - "version {{ hostvars[inventory_hostname].ansible_distribution_version }}"

ansible/plays/gitea.yml

@@ -0,0 +1,5 @@
+---
+- name: Provision git server with gitea
+  hosts: all
+  roles:
+    - role: roles/gitea

ansible/plays/haproxy.yml

@@ -0,0 +1,7 @@
+---
+- name: Configure HAProxy edge + Certbot Cloudflare plugin
+  hosts: haproxy
+
+  roles:
+    # - role: roles/certbot
+    - role: roles/haproxy

ansible/plays/immich.yml

@@ -0,0 +1,7 @@
+---
+- name: Install and setup immich backup service
+  hosts: all
+  roles:
+    #    - role: roles/docker
+    - role: roles/immich
+

ansible/plays/ip_list.yml

@@ -0,0 +1,6 @@
+- hosts: all
+  tasks:
+    - name: Print IPv4 addresse and hostname for all hosts
+      debug:
+        msg: '{{ ansible_default_ipv4.address }} - {{ ansible_hostname }}'
+

ansible/plays/minecraft.yml

@@ -0,0 +1,7 @@
+---
+- name: Setup minecraft requirements w/ latest server jar
+  hosts: all
+  roles:
+    - role: roles/apt
+    - role: roles/minecraft
+

ansible/plays/motd.yml

@@ -0,0 +1,5 @@
+---
+- name: Generate motd figlet hostnames
+  hosts: all
+  roles:
+    - role: roles/motd

ansible/plays/openssl_upgrade_3.0.7.yml

@@ -0,0 +1,13 @@
+---
+- name: Get openssl version
+  hosts: all
+
+  tasks:
+    - name: Gather the package facts
+      ansible.builtin.package_facts:
+        manager: auto
+
+    - name: Install openssl version 3.0.6
+      ansible.builtin.package:
+        name: openssl=3.0.6
+        state: present      

ansible/plays/openssl_version.yml

@@ -0,0 +1,11 @@
+---
+- name: Get openssl version
+  hosts: all
+
+  tasks:
+    - name: Gather the package facts
+      ansible.builtin.package_facts:
+        manager: auto
+
+    - name: print openssl version
+      debug: var=ansible_facts.packages.openssl[0].version

ansible/plays/ping.yml

@@ -0,0 +1,5 @@
+- hosts: all
+
+  tasks:
+    - name: Ping all hosts
+      ping:

ansible/plays/prox-node.yml

@@ -0,0 +1,19 @@
+---
+- name: Check if vault is reachable for dynamic config
+  hosts: all
+  connection: local
+  gather_facts: false
+  pre_tasks:
+  - name: Check for vault env variables
+    set_fact:
+      has_vault: "{{ lookup('env', 'VAULT_ADDR') and lookup('env', 'VAULT_TOKEN') }}"
+      TELEGRAF_TOKEN: "{{ lookup('env', 'TELEGRAF_TOKEN') }}"
+  roles:
+    - { role: roles/vault-config, when: has_vault }
+
+- name: Basic setup for proxmox vm clients
+  hosts: proxmox_nodes
+  roles:
+    # - role: roles/prox-telegraf-metrics
+    - role: roles/prox-templates
+

ansible/plays/ssh_config.yml

@@ -0,0 +1,7 @@
+---
+- name: create ssh config
+  hosts: all
+  roles:
+    - role: roles/ssh
+      ssh_skip_sshd_config: true
+      ssh_skip_ssh_keys: true

ansible/plays/ssh_keys.yml

@@ -0,0 +1,10 @@
+---
+- name: Deploy ssh keys
+  hosts: all
+  roles:
+    - role: roles/ssh
+      ssh_skip_sshd_config: true
+      ssh_skip_ssh_config: true
+      ssh_keys_users:
+        - 'root'
+

ansible/plays/sshd_config.yml

@@ -0,0 +1,7 @@
+---
+- name: create ssh server config
+  hosts: all
+  roles:
+    - role: roles/ssh
+      ssh_skip_ssh_config: true
+      ssh_skip_ssh_keys: true

ansible/plays/syncthing.yml

@@ -0,0 +1,5 @@
+---
+- name: Install & configure syncthing
+  hosts: all
+  roles:
+    - role: roles/syncthing

ansible/plays/traefik.yml

@@ -0,0 +1,6 @@
+---
+- name: Install traefik binary & config
+  hosts: all
+  roles:
+    - role: roles/traefik
+

ansible/plays/upgrade.yml

@@ -0,0 +1,15 @@
+---
+- name: Upgrade all machines
+  hosts: all
+
+  tasks:
+    - name: update debian hosts
+      become: true
+      apt:
+        upgrade: yes
+        update_cache: yes
+        cache_valid_time: 86400
+      when:
+        - ansible_os_family == 'Debian'
+
+

ansible/plays/varnish.yml

@@ -0,0 +1,9 @@
+---
+- name: Install and configure systemd for varnish
+  hosts: varnish
+  roles:
+    - role: roles/firewall
+      enable_80_ufw_port: true
+      enable_443_ufw_port: true
+
+    - role: roles/varnish

ansible/plays/vault.yml

@@ -0,0 +1,7 @@
+---
+- name: Install all required packages, built and start service for vault
+  hosts: all
+  roles:
+    - role: roles/vault
+    - role: roles/firewall
+      enable_vault_ufw_port: true

ansible/plays/vim.yml

@@ -0,0 +1,6 @@
+---
+- name: Install vim
+  hosts: all
+  
+  roles:
+    - role: roles/vim

ansible/plays/vinlottis.yml

@@ -0,0 +1,5 @@
+---
+- name: Install all required packages, built and start service for vinlottis
+  hosts: all
+  roles:
+    - role: roles/vinlottis

ansible/plays/wireguard.yml

@@ -0,0 +1,6 @@
+- name: Setup wireguard
+  hosts: all
+  roles:
+    - role: roles/docker
+    - role: roles/firewall
+    - role: roles/wireguard

ansible/plays/xwiki.yml

@@ -0,0 +1,21 @@
+---
+- name: Check if vault is reachable for dynamic config
+  hosts: all
+  connection: local
+  gather_facts: false
+  pre_tasks:
+  - name: Check for vault env variables
+    set_fact:
+      has_vault: "{{ lookup('env', 'VAULT_ADDR') and lookup('env', 'VAULT_TOKEN') }}"
+      XWIKI_DB_USER: "{{ lookup('env', 'XWIKI_DB_USER') }}"
+      XWIKI_DB_PASSWORD: "{{ lookup('env', 'XWIKI_DB_PASSWORD') }}"
+      XWIKI_DB_ROOT_PASSWORD: "{{ lookup('env', 'XWIKI_DB_ROOT_PASSWORD') }}"
+  roles:
+    - { role: roles/vault-config, when: has_vault }
+
+- name: Setup xwiki working directory and move docker-compose file
+  hosts: all
+  roles:
+    - role: roles/docker
+    - role: roles/firewall
+    - role: roles/xwiki

ansible/plays/zsh.yml

@@ -0,0 +1,7 @@
+- name: Install oh-my-zsh
+  hosts: all
+  roles:
+    - role: roles/oh-my-zsh
+      oh_my_zsh:
+        theme: robbyrussell
+