

No commits in common. "main" and "ansible_init" have entirely different histories.

51 changed files with 359 additions and 830 deletions


@ -54,8 +54,7 @@ fact_caching_timeout=86400
# (pathspec) Colon-separated paths in which Ansible will search for collections content. Collections must be in nested *subdirectories*, not directly in these directories. For example, if ``COLLECTIONS_PATHS`` includes ``'{{ ANSIBLE_HOME ~ "/collections" }}'``, and you want to add ``my.collection`` to that directory, it must be saved as ``'{{ ANSIBLE_HOME} ~ "/collections/ansible_collections/my/collection" }}'``.
collections_path=/Users/fabioisti/.ansible/collections:/usr/share/ansible/collections
;collections_path=/Users/fabioisti/.ansible/collections:/usr/share/ansible/collections
# (boolean) A boolean to enable or disable scanning the sys.path for installed collections.
;collections_scan_sys_path=True
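Review bot: Whichever of the two `collections_path` lines (the active one, L13, or the `;`-commented one, L14) is the new side, its value hard-codes one developer's home directory, `/Users/fabioisti/.ansible/collections`, so anyone else — and any CI runner — loading this ansible.cfg searches a path that does not exist on their machine. The config comment just above shows the default is built from `ANSIBLE_HOME` (by default `~/.ansible`), so `collections_path=~/.ansible/collections:/usr/share/ansible/collections` (the `pathspec` type expands `~`) keeps both locations without pinning a username. The same machine-specific prefix appears in the removed opnsense playbook (L358, L361, L364); that is history here, but worth keeping out of the new tree.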


@ -1,8 +0,0 @@
---
automotive:
children:
web:
hosts:
automotive.sse.cloud.isti.cnr.it:
ansible_host: 146.48.29.251
#automotive2.sse.cloud.isti.cnr.it:


@ -1,3 +1,3 @@
ansible_user: ansible
#ansible_password: "{{ ansible_crypted_password }}"
ansible_password: "{{ ansible_crypted_password }}"
ansible_python_interpreter: /usr/bin/python3
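Review bot: `ansible_password` is set from `ansible_crypted_password`, the same variable that bootstrap feeds through `password_hash('sha512')` (L271), so the value is the plaintext password and "crypted" can only mean that the vars file holding it is vault-encrypted, not the value itself; a comment such as `# plaintext; kept in a vault-encrypted vars file, also used as the ansible user's login password` would stop a later reader from treating it as an already-hashed value. Which of the two `ansible_password` lines (L34, L35) is the new side is not recoverable from this rendering. If the active one is, note that bootstrap also installs `authorized_keys` for this user (L305), so key-based SSH via `ansible_ssh_private_key_file` could replace password login and keep the secret out of the inventory entirely.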


@ -1,14 +1,7 @@
$ANSIBLE_VAULT;1.1;AES256
31646131636537653763323564346131333639656663326334316561633266333335623331383034
3163376161306433323865646334373931393638363663360a666562373631373365623932613031
37343563333730303535393636373533643734656462313631626130326134363031353263356133
3266333534323539650a613262613434636162633536353963366161623438663437636138393036
35666136623034333265313664663266353666396334663135333234313835663735306631363137
61633638313530373562633135333939333863303339343532656236353431343237303663373430
37623339643232666335343437393966303231386235626439306438313439363939663564333539
38346665356638373265346633303031356333303862626139346432633237663330333930646630
34663236326462386634326435373134666663613633323932383338616662333438623565366536
63633439616137383438636637623135623339303736353364313462303062383331373164353632
31653337653938306164653235656662343266316238326230393733303031366532643166646263
33653934396131626330656432643164616136323831353835656538363131313934346234336561
3363
37333066623836633836613066346434626134336537663236396639346235386362336637376534
3833636230313835326663306236333837343337393530390a636464393562346662613838343738
39356439343862633937313539323661303866316164343830363431626435396636386366376263
6536393735363663650a383461666230633838303436643837636562343366313235393264666462
38643366653861666364363538333230656539663134646566666664626463343433613166393337
3432333863646664336262353262333635323436326430376465


@ -1,39 +0,0 @@
---
#Common Docker
docker_network_name: wp_net
docker_base_volume_path: /usr/data/wp
# MYSQL Docker
mysql_docker_tag: 9.7.0
docker_mysql_hostname: web_db
db_name: automotive_test_db
db_user: automotive_test_db_u
db_password: "{{ automotive_mysql_user_password }}"
db_root_password: "{{ automotive_mysql_root_password }}"
#NGINX Docker
nginx_docker_tag: 1.31.1
nginx_server_name: automotive.sse.cloud.isti.cnr.it
ssl: true
#WORDPRESS Docker
wordpress_docker_tag: 7.0.0-php8.2-apache
docker_wordpress_hostname: automotive_test
#CERTBOT for letsencrypt
certbot_create_method: webroot
certbot_create_if_missing: true
certbot_admin_email: fabio.sinibaldi@isti.cnr.it
certbot_webroot: "{{ docker_base_volume_path }}/wordpress"
certbot_certs:
- name: "automotive"
domains:
- "{{ nginx_server_name }}"
#Certbot verbose level
certbot_create_extra_args: "-v"
certbot_testmode: false


@ -1,117 +0,0 @@
bind_allow_query:
- "any"
bind_listen:
ipv4:
- port: 53
addresses:
- "127.0.0.1"
- "146.48.108.51"
- port: 5353
addresses:
- "127.0.1.1"
bind_zones:
- name: 'sifi.isti.cnr.it'
# default: primary [primary, secondary, forward]
# type: primary
# create_forward_zones: true
# Skip creation of reverse zones
# create_reverse_zones: false
# fpr type: secondary
primaries:
- 146.48.108.51
networks:
- '146.48.108'
#ipv6_networks:
# - '2001:db9::/48'
name_servers:
- ns1.sifi.isti.cnr.it.
# hostmaster_email: admin
#
#allow_updates:
# - "10.0.1.2"
# - 'key "external-dns"'
#allow_transfers:
# - 'key "external-dns"'
hosts:
- name: ns1
ip: 146.48.108.51
- name: bigbrain
ip: 146.48.108.14
- name: wireguarder
ip: 146.48.108.13
#ipv6: '2001:db9::1'
#mail_servers:
# - name: mail001
# preference: 10
bind_logging:
enable: true
channels:
- channel: general
file: "data/general.log"
versions: 3
size: 10M
print_time: true # true | false
print_category: true
print_severity: true
severity: dynamic # critical | error | warning | notice | info | debug [level] | dynamic
- channel: query
file: "data/query.log"
versions: 5
size: 10M
print_time: "" # true | false
severity: info #
- channel: dnssec
file: "data/dnssec.log"
versions: 5
size: 10M
print_time: "" # true | false
severity: info #
- channel: notify
file: "data/notify.log"
versions: 5
size: 10M
print_time: "" # true | false
severity: info #
- channel: transfers
file: "data/transfers.log"
versions: 5
size: 10M
print_time: "" # true | false
severity: info #
- channel: slog
syslog: security # kern | user | mail | daemon | auth | syslog | lpr |
# news | uucp | cron | authpriv | ftp |
# local0 | local1 | local2 | local3 |
# local4 | local5 | local6 | local7
# file: "data/transfers.log"
#versions: 5
#size: 10M
print_time: "" # true | false
severity: info #
categories:
"xfer-out":
- transfers
- slog
"xfer-in":
- transfers
- slog
notify:
- notify
"lame-servers":
- general
config:
- general
default:
- general
security:
- general
- slog
dnssec:
- dnssec
queries:
- query


@ -1,79 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -1,12 +0,0 @@
---
wg_interface: wg0
wg_port: 51820
#wg_server_public_interface: eth0
wg_server_address: 192.168.99.1/32
#wg_server_private_key: "{{ wg_server_private_key }}"
wg_peers:
- name: fabio_test
publicKey: "dzODOKndtafZSf2GqvClFdxrpwyNJnZ/AsZkNl+ovEE="
allowedIP: "192.168.99.4/32"


@ -1,23 +0,0 @@
---
# SIFI
sifi:
children:
opn:
hosts:
sifi_opnsense.sifi.isti.cnr.it:
# ns1.sifi.isti.cnr.it:
# ansible_host: 146.48.108.51 #[WAN public ip]
# ansible_host: 10.20.30.111
wireguard_server:
hosts:
wireguarder.sifi.isti.cnr.it:
# ansible_host: 146.48.108.13
nameserver:
hosts:
ns1.sifi.isti.cnr.it:
ansible_host: 146.48.108.51
# dns1.internal.sifi.isti.cnr.it:
# ansible_host: 10.11.12.11
workers:
hosts:
worker1.internal.sifi.isti.cnr.it:


@ -1,6 +1,6 @@
- hosts: all
become: yes
#debugger: on_failed
debugger: on_failed
tasks:
- name: Add the ansible group
group:
@ -18,9 +18,9 @@
password: "{{ ansible_crypted_password | password_hash('sha512') }}"
shell: /bin/bash
# Uncomment to prevent password reset
update_password: on_create
# update_password: on_create
system: yes
home: /home/ansible
home: /srv/ansible
state: present
- name: Set ansible user as sudoer
@ -31,30 +31,9 @@
group: root
mode: 0440
- name: Init cache directory
ansible.builtin.file:
path: /var/cache/ansible
owner: ansible
group: ansible
state: directory
mode: u=rwx,g=rw,o=r
- name: Init etc directory
ansible.builtin.file:
path: /etc/ansible
owner: ansible
group: ansible
state: directory
mode: u=rwx,g=rw,o=r
# Inserts public keys of allowed externals users to log in as ansible
# e.g. fabio
- name: Create the .ssh directory
file: path=/home/ansible/.ssh owner=ansible group=ansible mode=0700 state=directory
file: path=/srv/ansible/.ssh owner=ansible group=ansible mode=0700 state=directory
- name: Add the mandatory ssh keys to the ansible user
template: src=templates/ansible_auth_keys.j2 dest=/home/ansible/.ssh/authorized_keys owner=ansible group=ansible mode=0644
template: src=library/templates/ansible_auth_keys.j2 dest=/srv/ansible/.ssh/authorized_keys owner=ansible group=ansible mode=0600
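Review bot: If the commented `# update_password: on_create` (L275) is the new side, the `user` task falls back to the module default `update_password: always`, and because `password_hash('sha512')` (L271) is called without a fixed salt it yields a different hash on every run, so the ansible user's password is rewritten and the task reports changed each time — keep `update_password: on_create` active, or pass a fixed `salt`, unless a reset on every run is intended. The `debugger: on_failed` pair (L265/L266) carries the same old/new ambiguity; if it is left enabled, a failing task drops into the interactive debugger and an unattended run hangs there. The rest is style: `file: path=/srv/ansible/.ssh ...` and the `template:` line below it use free-form `key=value` arguments while the rest of the play uses native YAML module args, `become: yes` and `system: yes` should be `true`, and the context line `mode: 0440` (L283) relies on YAML 1.1 octal parsing and is better quoted as `mode: "0440"`. The tightening to `mode=0600` on `authorized_keys` (L305) is the right change and needs nothing further.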


@ -1,19 +0,0 @@
---
- name: Configure Nameserver
hosts: nameserver
collections:
- bodsch.dns
tasks:
- name: Import role Bind
ansible.builtin.import_role:
name: bind
- name: Start a service
become: True
ansible.builtin.systemd:
name: named
state: restarted


@ -1,17 +0,0 @@
---
- name: Install Nextcloud AIO Docker
hosts: all
become: true
vars:
pip_install_packages:
- name: docker
docker_version: "=5:28.2.2-1~ubuntu.24.04~noble"
docker_users:
- fabio
- ansible
roles:
- geerlingguy.pip
- geerlingguy.docker
# - nextcloud_aio


@ -1,28 +0,0 @@
---
# Usese oxlorg.opnsense
# Check documentation @ https://ansible-opnsense.oxl.app/usage/2_basic.html#prerequisites
- name: Configure OPNSense
hosts: opn
connection: local #executes on controller
gather_facts: false
collections:
- oxlorg.opnsense
module_defaults:
oxlorg.opnsense.alias:
api_credential_file: '/Users/fabioisti/Keys/ns1.sifi.isti.cnr.it_fabio_apikey.txt'
firewall: "{{ ansible_host}}"
ssl_verify: true
ssl_ca_file: '/Users/fabioisti/git/SSE-LAB/ansible/inventories/group_vars/sifi/SIFI_CA.pem'
tasks:
- name : Check libs
script: /Users/fabioisti/test_httpx.py
args:
executable: python3
- name: Test
oxlorg.opnsense.alias:
name: 'ANSIBLE_TEST1'
content: ['1.1.1.1']


@ -1,23 +0,0 @@
---
## Register output of whoami
- name: Who am I
ansible.builtin.command: whoami
register: _my_whoiam_var
## Displays variable as to stdout
- name: Debug
ansible.builtin.debug:
var: _my_whoiam_var.stdout
## Check if can write on tmp
- name: Check write operation
ansible.builtin.copy:
content: "Hello world"
dest: /tmp/{{ _my_whoiam_var.stdout}}.hello-world.txt
## Cleans up
- name: Clean up
ansible.builtin.file:
path: /tmp/{{ _my_whoiam_var.stdout}}.hello-world.txt
state: absent


@ -1,3 +1,2 @@
---
- import_tasks: basic_checks.yaml
- import_tasks: connectivity.yml


@ -1,18 +0,0 @@
---
- name: Pull certbot image
docker_image:
name: "certbot/certbot:{{ certbot_docker_tag }}"
source: pull
- name: Create container with certbot image
docker_container:
name: certbot
image: certbot/certbot
networks:
- name: "{{ docker_network_name }}"
hostname: certbot
volumes:
- "{{ docker_base_volume_path }}/certbot/logs:/var/log/letsencrypt"
- "{{ docker_base_volume_path }}/nginx/ssl:/etc/letsencrypt/live/{{ nginx_server_name}}"
restart: true


@ -1,2 +0,0 @@
dependencies:
- role: docker


@ -1,2 +0,0 @@
---
- import_tasks: nextcloud_docker_aio.yaml


@ -1,18 +1,6 @@
---
# NB inherit docker
- name: Create volumes
debug:
msg:
- "TODO!!!"
## TODO
- name: Download compose file
become: true
become_user: docker
ansible.builtin.git:
repo: "https://gitea-s2i2s.isti.cnr.it/sinibaldi/SSE-Lab"
dest: SSE-Lab
- name: create and start docker compose services
become: true
become_user: docker
community.docker.docker_compose_v2:
project_src: ~/SSE-Lab/dockerized/nextcloud-aio/compose.yaml
- name: launch Nextcloud aio docker image


@ -0,0 +1,3 @@
.idea/
*.iml
.vagrant/


@ -0,0 +1,38 @@
---
sudo: required
language: python
python: "2.7"
env:
- SITE=test.yml
before_install:
- sudo apt-get update -qq
- sudo apt-get install -y curl
install:
# Install Ansible.
- pip install ansible
# Add ansible.cfg to pick up roles path.
#- "{ echo '[defaults]'; echo 'roles_path = ../'; } >> ansible.cfg"
script:
# Check the role/playbook's syntax.
- "ansible-playbook -i tests/inventory tests/$SITE --syntax-check"
# Run the role/playbook with ansible-playbook.
- "ansible-playbook -i tests/inventory tests/$SITE --connection=local --sudo"
# Run the role/playbook again, checking to make sure it's idempotent.
- >
ansible-playbook -i tests/inventory tests/$SITE --connection=local --sudo
| grep -q 'changed=2.*failed=0'
&& (echo 'Idempotence test: pass' && exit 0)
|| (echo 'Idempotence test: fail' && exit 1)
# TODO - get the test working.
# Request a file via FTP, to make sure pure-ftpd is running and responds.
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/


@ -0,0 +1,106 @@
# Ansible Role: Pure-FTPd
[![Build Status](https://travis-ci.org/robgmills/ansible-pure-ftpd.svg?branch=master)](https://travis-ci.org/robgmills/ansible-pure-ftpd)
Installs Pure-FTPd on Debian/Ubuntu Linux.
This role installs and configures the latest version of Pure-FTPd from the Pure-FTPd via apt (on Debian-based systems). You will likely need to do extra setup work after this role has installed Pure-FTPd.
## Requirements
None.
## Role Variables
Available variables are listed below, along with default values (see `defaults/main.yml`):
pure_ftpd_root: "/var/ftp"
A directory path at which to scope the FTP server access.
pure_ftpd_user: "ftp"
The system-level user that the FTP daemon performs operations under. This user is setup without login permissions (can't ssh into system) but owns all of the files uploaded via the FTP server.
pure_ftpd_group: "ftp-sys-group"
The system-level group that the FTP daemon performs operations under. This is the group assigned to all files uploaded via the FTP server.
pure_ftpd_vusers:
- name: "ftp"
password: "FTPisSoC00l?"
dir: "/var/ftp" # optional
A list of user definitions virtual FTP users. If left empty, defaults to a single user with the username `ftp` and password `ftp`. `name` and `password` are required fields. `dir` is optional and defaults to the value of `ftp_root`.
Since the array of `virtual_users` needs to contain secret credentials, it is recommended to create an [Ansible Vault][vault]-encrypted variable file to include that contains your users and overrides the role default vars.
pure_ftpd_tls: true
Turns on/off support for FTP TLS encryption. It is strongly recommended that this remain `true`.
pure_ftpd_allow_insecure: false
When TLS encryption is enabled, the default is to not allow non-encrypted, insecure connections. Setting this value to `true` will allow both secure and insecure connections. Requires that `enable_tls` be `true`.
pure_ftpd_pem: ""
The contents of the PEM certificate to use for FTP TLS encryption. It is recommended to create an [Ansible Vault][vault]-encrypted variable file to include that contains your PEM certificate.
If no `pure_ftpd_pem` is provided, a PEM certificate is generated using `openssl`.
pure_ftpd_openssl_config: {}
The `openssl_config` vars object controls the generation of an openssl PEM certificate + key combination.
The sub-properties of the `openssl_config` object are as follows:
days: "365"
The number of days for which the certificate is valid.
size: "2048"
The size of the certificate key. The larger, the more secure.
country: ""
state: ""
locality: ""
org: ""
unit: ""
common: ""
email: ""
The values of the certificate subject information.
## Dependencies
None.
## Example Playbook
- hosts: server
roles:
- role: robgmills.pure-ftpd
## Try It!
From the root of the project:
vagrant up
...then...
ansible-playbook -i inventory -b -u vagrant -k playbook.yml
...then use your favorite FTPS client to connect to `ftps://ftp:FTPisSoC00l?@192.168.50.2`
## License
MIT / BSD
## Author Information
This role was created in 2016 by [Rob Mills](https://robgmills.com/).
[vault]: http://docs.ansible.com/ansible/playbooks_vault.html


@ -0,0 +1,4 @@
Vagrant.configure(2) do |config|
config.vm.box = "debian/jessie64"
config.vm.network "private_network", ip: "192.168.50.2"
end


@ -0,0 +1,2 @@
[defaults]
roles_path = ../


@ -0,0 +1,23 @@
---
# Used only for Debian/Ubuntu installation, as the -t option for apt.
pureftpd_default_release: ""
pure_ftpd_user: "ftp"
pure_ftpd_group: "ftp"
pure_ftpd_root: "/var/ftp"
pure_ftpd_vusers:
- name: ftp
dir: "{{ pure_ftpd_root }}"
password: "FTPisSoC00l?"
pure_ftpd_tls: true
pure_ftpd_allow_insecure: false
pure_ftpd_openssl_config:
days: "365"
size: "2048"
country: ""
state: ""
locality: ""
org: ""
unit: ""
common: ""
email: ""
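Review bot: `pure_ftpd_vusers` ships a concrete default password, `FTPisSoC00l?` (L586), which is also printed in the README (L553) and is applied to a real FTP account on any host where the variable is not overridden. The `install_date`/`version` section (L608-L609) looks like `ansible-galaxy` install metadata, so this appears to be a vendored third-party role; if so, the default credential becomes part of this repository's configuration surface, and the role's own README (L519) already recommends supplying `pure_ftpd_vusers` from an Ansible-Vault-encrypted vars file. Consider changing the default to `pure_ftpd_vusers: []` so that a missing override creates no account rather than one with a published password, and note that the README's claim that an empty list falls back to user `ftp` / password `ftp` (L518) does not match these defaults.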


@ -0,0 +1 @@
192.168.50.2


@ -0,0 +1,2 @@
install_date: Thu Sep 25 13:49:03 2025
version: 1.0.1


@ -0,0 +1,18 @@
---
galaxy_info:
author: Rob Mills
description: Installs and configures a Pure-FTPd server
company: RGM
license: MIT
min_ansible_version: 2.0
platforms:
- name: Debian
versions:
- all
galaxy_tags:
- ftp
- server
- ftps
- tls
- openssl
dependencies: []


@ -0,0 +1,5 @@
---
- hosts: 192.168.50.2
become: true
roles:
- ansible-pure-ftpd


@ -0,0 +1,38 @@
---
# Variable setup.
- name: Include OS-specific variables.
include_vars: "{{ ansible_os_family }}.yml"
# Setup/install tasks.
- include_tasks: setup-Debian.yml
when: ansible_os_family == 'Debian'
# Pure-FTPd setup
- name: Create the FTP system group '{{ pure_ftpd_group }}'
group: name={{ pure_ftpd_group }} state=present
- name: Create the FTP system user '{{ pure_ftpd_user }}'
user: name={{ pure_ftpd_user }} group={{ pure_ftpd_group }} home=/dev/null shell=/sbin/nologin state=present
- name: Create FTP server root directory '{{ pure_ftpd_root }}'
file: dest={{ pure_ftpd_root }} mode=0755 state=directory owner={{ pure_ftpd_user }} group={{ pure_ftpd_group }}
# Create and/or install SSL certificate
- include_tasks: tls.yml
when: pure_ftpd_tls
# Create the virtual FTP users and set their passwords
- include_tasks: virtual-user.yml
with_items: "{{ pure_ftpd_vusers }}"
- name: Link virtual FTP user database to the correct location
file: src={{ __ftp_user_db }} dest={{ __ftp_user_db_sym }} state=link
register: r_linkdb
- name: Restart pure-ftpd
service: name=pure-ftpd state=restarted
when: r_linkdb.changed
# - Ensure that FTP service is running
- name: Ensure pure-ftpd is started and enabled to start at boot.
service: name=pure-ftpd state=started enabled=yes


@ -0,0 +1,15 @@
---
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=86400
- name: Ensure requisite apt packages are installed.
apt: name={{ item }} state=present default_release={{ pureftpd_default_release }}
with_items:
- pure-ftpd
- python-pip
- openssl
- name: Install pexpect
pip:
name: "pexpect"
state: present


@ -0,0 +1,41 @@
---
# assumes that `enable_tls: true`
- name: Define TLS support level.
no_log: true
set_fact:
tls_level: 2
when: not pure_ftpd_allow_insecure
- name: Define TLS support level.
no_log: true
set_fact:
tls_level: 1
when: pure_ftpd_allow_insecure
- name: Set TLS config level ({{ tls_level | default(2) }})
copy: content={{ tls_level | default(2) }} dest={{ __ftp_conf_root }}/TLS owner=root group=root
- name: Install configured TLS PEM for pure-ftpd
no_log: true
copy: content="{{ pure_ftpd_pem }}" dest=/etc/ssl/private/pure-ftpd.pem owner=root group=root
when: pure_ftpd_pem is defined
- name: Check if pure-pw centificate file exists
stat: path=/etc/ssl/private/pure-ftpd.pem
register: r_ftppem
- name: Generate TLS PEM for pure-ftpd
expect:
command: openssl req -x509 -nodes -days {{ pure_ftpd_openssl_config.days }} -newkey rsa:{{ pure_ftpd_openssl_config.size }} -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
responses:
(?i)country name: "{{ pure_ftpd_openssl_config.country }}"
(?i)state or province name: "{{ pure_ftpd_openssl_config.state }}"
(?i)locality name: "{{ pure_ftpd_openssl_config.locality }}"
(?i)organization name: "{{ pure_ftpd_openssl_config.org }}"
(?i)organizational unit name: "{{ pure_ftpd_openssl_config.unit }}"
(?i)common name: "{{ pure_ftpd_openssl_config.common }}"
(?i)email address: "{{ pure_ftpd_openssl_config.email }}"
when: pure_ftpd_pem is not defined and not r_ftppem.stat.exists
- name: Restrict permissions on PEM
file: state=file path=/etc/ssl/private/pure-ftpd.pem mode=0600 owner=root group=root


@ -0,0 +1,34 @@
---
- name: Create directory {{ item.dir | default( pure_ftpd_root ) }} for virtual FTP user {{ item.name }}
file: dest={{ item.dir | default( pure_ftpd_root ) }} mode=0755 state=directory owner={{ pure_ftpd_user }} group={{ pure_ftpd_group}}
- name: Check if pure-pw passwords file exists
stat: path={{ __ftp_passwd }}
register: r_passwd
- name: Check if virtual FTP user {{ item.name }} exists
command: pure-pw show {{ item.name }}
register: r_userexists
when: r_passwd.stat.exists
changed_when: "r_userexists.rc != 0"
ignore_errors: true
- name: Create virtual FTP user {{ item.name }}
expect:
command: pure-pw useradd {{ item.name }} -u {{ pure_ftpd_user }} -g {{ pure_ftpd_group }} -d {{ item.dir | default( pure_ftpd_root ) }} -m
responses:
(?i)password: "{{ item.password }}"
(?i)enter it again: "{{ item.password }}"
when: (r_userexists|failed) or (not r_passwd.stat.exists)
- name: Update virtual FTP user {{ item.name }}
command: pure-pw usermod {{ item.name }} -u {{ pure_ftpd_user }} -g {{ pure_ftpd_group }} -d {{ item.dir | default( pure_ftpd_root ) }} -m
when: r_userexists|success
- name: Update virtual FTP user {{ item.name }} password
expect:
command: pure-pw passwd {{ item.name }}
responses:
(?i)password: "{{ item.password }}"
(?i)enter it again: "{{ item.password }}"
when: r_userexists|success
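Review bot: `when: (r_userexists|failed)` (L752) and `when: r_userexists|success` (L755, L762) use Jinja tests in filter syntax, which Ansible removed in 2.9, so on a current control node these tasks error out before running; write them as `r_userexists is failed` and `r_userexists is succeeded`. Neither `expect` task that answers the password prompts (L746-L751, L756-L761) sets `no_log: true`, and main.yml includes this file with `with_items: "{{ pure_ftpd_vusers }}"` (L664), so `item.password` is echoed in task output and `-v` logs through both the loop item and the `responses` mapping; add `no_log: true` to both `expect` tasks and to the `include_tasks` loop. If this file is part of a vendored Galaxy role (the `install_date`/`version` metadata at L608-L609 suggests so), these fixes belong upstream or in a documented local patch.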


@ -0,0 +1 @@
localhost


@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- role: ansible-pure-ftpd


@ -0,0 +1,6 @@
---
__ftp_root: "/etc/pure-ftpd"
__ftp_passwd: "{{ __ftp_root }}/pureftpd.passwd"
__ftp_conf_root: "{{ __ftp_root }}/conf"
__ftp_user_db: "{{ __ftp_conf_root }}/PureDB"
__ftp_user_db_sym: "{{ __ftp_root }}/auth/60puredb"


@ -1,5 +0,0 @@
---
- name: Restart WireGuard
ansible.builtin.systemd:
name: "wg-quick@{{ wg_interface }}"
state: restarted


@ -1,31 +0,0 @@
# wireguard_server.yml - Configure WireGuard VPN server
---
- name: Get Private Key [privatekey => var_privatekey]
shell: cat privatekey
register: wg_server_private_key
args:
chdir: /etc/wireguard
- name: Deploy WireGuard server configuration
ansible.builtin.template:
src: templates/wireguard_server.jinja
dest: "/etc/wireguard/{{ wg_interface }}.conf"
owner: root
group: root
mode: '0600'
notify: Restart WireGuard
- name: Enable and start WireGuard
ansible.builtin.systemd:
name: "wg-quick@{{ wg_interface }}"
state: started
enabled: true
- name: Open WireGuard port in firewall
community.general.ufw:
rule: allow
port: "{{ wg_port }}"
proto: udp
comment: "WireGuard VPN"
ignore_errors: true


@ -1,49 +0,0 @@
# generate_keys.yml - Generate WireGuard key pairs
---
- name: Create WireGuard directory
ansible.builtin.file:
path: /etc/wireguard
state: directory
mode: '0700'
- name: Check if private key already exists
ansible.builtin.stat:
path: /etc/wireguard/privatekey
register: privkey_file
- name: Generate private key
ansible.builtin.command: wg genkey
register: wg_private_key
when: not privkey_file.stat.exists
changed_when: true
- name: Save private key
ansible.builtin.copy:
content: "{{ wg_private_key.stdout }}"
dest: /etc/wireguard/privatekey
owner: root
group: root
mode: '0600'
when: not privkey_file.stat.exists
- name: Read private key
ansible.builtin.slurp:
src: /etc/wireguard/privatekey
register: private_key_content
- name: Generate public key from private key
ansible.builtin.shell: echo "{{ private_key_content.content | b64decode | trim }}" | wg pubkey
register: wg_public_key
changed_when: false
- name: Save public key
ansible.builtin.copy:
content: "{{ wg_public_key.stdout }}"
dest: /etc/wireguard/publickey
owner: root
group: root
mode: '0644'
- name: Display public key for reference
ansible.builtin.debug:
msg: "Public key for {{ inventory_hostname }}: {{ wg_public_key.stdout }}"


@ -1,25 +0,0 @@
# install_wireguard.yml - Install WireGuard on Linux hosts
---
- name: Install WireGuard on Debian/Ubuntu
ansible.builtin.apt:
name:
- wireguard
- wireguard-tools
state: present
update_cache: true
when: ansible_os_family == "Debian"
- name: Install WireGuard on RHEL/CentOS 8+
ansible.builtin.yum:
name:
- wireguard-tools
state: present
when: ansible_os_family == "RedHat"
- name: Enable IP forwarding
ansible.posix.sysctl:
name: net.ipv4.ip_forward
value: '1'
sysctl_set: true
state: present
reload: true


@ -1,4 +0,0 @@
---
- include_tasks: install_wireguard.yaml
- include_tasks: generate_keys.yaml
- include_tasks: configure_server.yaml


@ -1,62 +0,0 @@
---
- name: Install Wireguard Server
apt:
pkg:
- wireguard
state: latest
update_cache: true
- name: Create directory for wg keys
ansible.builtin.file:
path: /etc/wireguard/keys
state: directory
mode: '0755'
- name: Creating server privatekey and publickey
shell: wg genkey | tee privatekey | wg pubkey > publickey
args:
chdir: /etc/wireguard/keys
- name: Get Private Key [privatekey => var_privatekey]
shell: cat privatekey
register: var_privatekey
args:
chdir: /etc/wireguard/keys
#- name: Add WireGuard interface
# command: ip link add dev wg0 type wireguard
- name: Updating configuration
template:
src: wireguard_server.jinja
dest: /etc/wireguard/wg0.conf
#- name: Activating link
# command: ip link set up dev wg0
- name: Starting wg service
systemd:
state: started
name: wg-quick@wg0
enabled: yes
- name: Getting public key
shell: cat publickey
register: var_publickey
args:
chdir: /etc/wireguard/keys
- name: Check server public IP
shell: curl https://ipinfo.io/ip
register: var_server_ip
- name: Printing public key
debug:
msg: "Server {{ ansible_hostname }} reachable @{{var_server_ip}}. Public key is {{ var_publickey }}"


@ -1,27 +0,0 @@
# templates/wireguard-server.conf.j2 - WireGuard server configuration
# Managed by Ansible - do not edit manually
[Interface]
Address = {{ wg_server_address }}
ListenPort = {{ wg_port }}
PrivateKey = {{ wg_server_private_key.stdout }}
# IP forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1
# IP masquerading
PreUp = iptables -t mangle -A PREROUTING -i {{wg_interface}} -j MARK --set-mark 0x30
PreUp = iptables -t nat -A POSTROUTING ! -o {{wg_interface}} -m mark --mark 0x30 -j MASQUERADE
PostDown = iptables -t mangle -D PREROUTING -i {{wg_interface}} -j MARK --set-mark 0x30
PostDown = iptables -t nat -D POSTROUTING ! -o {{wg_interface}} -m mark --mark 0x30 -j MASQUERADE
{% for peer in wg_peers %}
# {{ peer.name }}
[Peer]
PublicKey = {{ peer.publicKey }}
AllowedIPs = {{ peer.allowedIP }}
{% if peer.persistent_keepalive is defined %}
PersistentKeepalive = {{ peer.persistent_keepalive }}
{% endif %}
{% endfor %}


@ -1,29 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name {{ nginx_server_name }};
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name {{ nginx_server_name }};
root /var/www/html;
index index.php;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privatekey.pem;
{# ssl_trusted_certificate /etc/nginx/ssl/intermediatecertificate.pem; #}
location / {
proxy_pass http://{{ docker_wordpress_hostname }}:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}


@ -1,16 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name {{ nginx_server_name }};
root /var/www/html;
index index.php;
location / {
proxy_pass http://{{ docker_wordpress_hostname }}:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}


@ -1,6 +0,0 @@
---
- name: Configure VPN Server
hosts: wireguard_server
become: true
roles:
- wireguard_server


@ -1,62 +0,0 @@
---
- name: Install and configure Wordpress
hosts: web
become : True
collections:
- chrissayon.wordpress_docker
roles:
- geerlingguy.docker
- chrissayon.wordpress_docker.network
- chrissayon.wordpress_docker.mysql
- chrissayon.wordpress_docker.wordpress
tasks:
# Need to stop using port 80 for certbot webroot validation
- name: Gathering NGINX container state
docker_container_info:
name: nginx
register: nginx_info
- name: Stop NGINX if present
docker_container:
name: nginx
state: stopped
when:
- nginx_info.exists
# Manage certbot
- name: Install / configure certbot
include_role:
name: geerlingguy.certbot
# Copy certificates
# configured volume for ssl is
# "/usr/data/wp/nginx/ssl:/etc/nginx/ssl/:ro"
- name: Copy fullchain files to nginx volume
ansible.builtin.copy:
src: "/etc/letsencrypt/live/{{ item.name }}/fullchain.pem"
#TODO nginx configuration is not multi domain
dest: "{{ docker_base_volume_path }}/nginx/ssl/fullchain.pem"
remote_src: true
mode: '0644'
loop: "{{ certbot_certs }}"
- name: Copy privkey files to nginx volume
ansible.builtin.copy:
src: "/etc/letsencrypt/live/{{ item.name }}/privkey.pem"
#TODO nginx configuration is not multi domain
dest: "{{ docker_base_volume_path }}/nginx/ssl/privatekey.pem"
remote_src: true
mode: '0644'
loop: "{{ certbot_certs }}"
# Restart NGINX
- name: (Re)start NGINX
include_role:
name: chrissayon.wordpress_docker.nginx


@ -8,9 +8,6 @@ Playbooks run Roles against node groups.
Roles define set of Tasks.
### Install both roles and collections
`ansible-galaxy install -r requirements.yml`
## Playbooks
@ -19,8 +16,7 @@ Launch playbooks from present folder in order to use [default config file](ansib
**Site** playbook launches them all.
**Bootstrap** is to be run first on new installations.
**NameServer** configures a BIND DNS
**OPNSense** configure a OPNSense edge node
### Site
This playbook recalls all the following playbooks in the stated order.
@ -33,32 +29,13 @@ Basic checks connectivity for **all**
##### NextCloud
Installs Nextcloud AIO using SSE Lab / dockerized / nextcloud-aio
Calls role nextcloud_aio, dependent on docker role.
- Downloads SSE-Lab Repo
- Runs compose up (using ansible plugins)
E.g. `ansible-playbook -i inventories/ -l nextrup_copy_test playbooks/nextcloud.yaml`
### Bootstrap ###
Creates sudoer user ansible, necessitates of sudoer user.
Use `ansible-playbook -i inventories playbooks/bootstrap.yml -l [TARGET_HOST] -e 'ansible_user=[REMOTE_USER]' -K`
### NameServer ###
Configures a BIND DNS. Uses collection bodsch.dns.
NB DNS configuration comes from variable file.
### OPNSense ###
Configures a OPNSense edge node features :
- BIND DNS
- FIREWALL
- Wireguard VPN
NB runs locally so python intepreter needs to be specified
E.g. `ansible-playbook -i inventories/sifi.yaml playbooks/opnsense.yaml --extra-vars="ansible_python_interpreter=$(which python)"
`
## Inventories
### Main Lab
@ -73,10 +50,6 @@ Management of production services, beware!
Hosts are commented by default
### Sifi
Macchine per il gruppo di lavoro Sistemi Fiscali
### Prox1_lab
Prox mox laboratory


@ -1,41 +0,0 @@
# requirements.yml
---
roles:
# - name: bodsch.dns.bind
# version:
# - name: nginx
# src: git@github.com:myorg/ansible-role-nginx.git
# scm: git
# version: v2.0.0
# Required by wordpress_docker
- name: geerlingguy.docker
- name: geerlingguy.certbot
collections:
- name: bodsch.dns
source: https://github.com/bodsch/ansible-collection-dns.git
type: git
version: 1.4.1
- name: dsglaser.cis_security
version: 1.5.4
- name: chrissayon.wordpress_docker
version: 1.0.2
# dockerless wordpress
# - name: iamgini.wordpress
# version: 1.0.0
# - name: community.postgresql
# version: "3.2.0"
# - name: ansible.posix
# version: "1.5.4"
# - name: myorg.infrastructure
# source: https://hub.internal.com/api/galaxy/
# version: "1.0.0"