{"id":23823383,"url":"https://github.com/bryopsida/pi-monger","last_synced_at":"2025-12-31T14:27:39.421Z","repository":{"id":269298260,"uuid":"906973338","full_name":"bryopsida/pi-monger","owner":"bryopsida","description":"A collection of ansible-pull compatible playbooks for maintaining RPIs","archived":false,"fork":false,"pushed_at":"2025-07-14T21:33:31.000Z","size":341,"stargazers_count":0,"open_issues_count":3,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-15T02:19:09.943Z","etag":null,"topics":["ansible-pull","cis-benchmarks","cloud-init","raspberry-pi","scap","ubuntu"],"latest_commit_sha":null,"homepage":"","language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bryopsida.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-12-22T13:14:22.000Z","updated_at":"2025-07-14T21:33:20.000Z","dependencies_parsed_at":"2024-12-22T15:21:28.388Z","dependency_job_id":"093d2517-a140-468b-98b2-5c8e0b7ae2d2","html_url":"https://github.com/bryopsida/pi-monger","commit_stats":null,"previous_names":["bryopsida/pi-monger"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/bryopsida/pi-monger","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bryopsida%2Fpi-monger","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bryopsida%2Fpi-monger/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bryopsida%2Fpi-monger/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repos
itories/bryopsida%2Fpi-monger/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bryopsida","download_url":"https://codeload.github.com/bryopsida/pi-monger/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bryopsida%2Fpi-monger/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265845141,"owners_count":23837740,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible-pull","cis-benchmarks","cloud-init","raspberry-pi","scap","ubuntu"],"created_at":"2025-01-02T10:26:58.699Z","updated_at":"2025-12-31T14:27:39.395Z","avatar_url":"https://github.com/bryopsida.png","language":"Jinja","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PI Monger\n\n## What is this?\n\nA collection of ansible roles and playbooks with a focus on being used with ansible-pull to actively maintain Raspberry PIs.\nActively maintain means the plays are idempotent and intended to be run on a cron to prevent drift.\n\n## Pre-Requisites (tested)\n\n- RPI4\n- Ubuntu Server 22.04 or 24.04\n  - If Ubuntu 24.04 is used, oscap hardening is not yet supported\n- Ansible installed\n- Initial ansible-pull run with sudo\n- Network connectivity to github to pull this repo, or network connectivity to a clone of this repo\n\n## TODOs\n\n- [ ] Add test pipeline where pull runs on main, and then tries to run the pull on incoming branch, use multipass\n- [x] Add instructions for providing secrets/vaults to plays with cloud-init\n- [x] Add instructions to run initial ansible-pull\n- [x] Add 
instructions on how to add ansible-pull to sdcard cloud-init to run ansible-pull on first boot\n- [x] Implement update system role\n- [x] Implement auto pull role that sets up recurring ansible-pulls to the same play on a cron\n- [x] Implement nodejs role for installing and maintaining a node.js lts version\n- [x] Implement role that uses complianceascode security content and oscap to harden system\n- [x] Implement java role for installing and maintaining a java install\n- [x] Implement node-red role that installs node-red and takes patches on cron\n- [x] Implement monitoring role that reports system information to an external system\n- [ ] Implement falco role\n  - [x] Falco service install\n  - [ ] Can manage falco rules\n- [ ] Implement pi-hole role\n- [ ] Implement adguard home role\n- [ ] Investigate and implement FDE if possible\n- [ ] Implement Clevis role\n- [ ] Implement k3s role\n- [ ] Implement envoy role that installs reverse proxy\n  - [ ] Add ability to manage/define virtual hosts and SNI routing.\n- [x] Implement cloudflared role\n- [x] Implement firewalld role\n- [ ] Implement role to manage static hostnames /etc/hosts\n- [ ] Implement role to manage static ip addresses via netplan\n- [x] Disable cloud-init and shred user-data after first pull\n- [ ] Add watch subscription to trigger runs on change instead of cron/polled updates\n\n## Running initial ansible-pull\n\n```sh\nsudo ansible-pull -U https://github.com/bryopsida/pi-monger.git -i inventory/localhost.ini plays/\u003cpick your flavor\u003e.yaml\n```\n\nIf you are running from your own clone of this repo, replace the URL after `-U` with the URL of your clone.\n\n## Cloud-Init\n\n### Example cloud-init.yaml\n\n``` yaml\n#cloud-config\npackages:\n  - ansible\n\nruncmd:\n  - ansible-pull -U https://github.com/bryopsida/pi-monger.git -i inventory/localhost.ini plays/nodejs.yaml\n```\n\n### How to run cloud-init on first boot\n\nThis assumes you are using the Raspberry PI Imager tool and have selected Ubuntu Server 22.04 or 
24.04.\nAfter the sd card has been flashed, remount it.\nThere should be a `user-data` file at the root of the mounted volume; if there is not, create one.\n\nAnsible must be added to `packages`:\n\n``` yaml\n...\npackages:\n- avahi-daemon\n- ansible # add ansible\n...\n```\n\nAn ansible-pull instruction must be added to `runcmd`:\n\n``` yaml\n...\nruncmd:\n- localectl set-x11-keymap \"us\" pc105\n- setupcon -k --force || true\n- ansible-pull -U https://github.com/bryopsida/pi-monger.git -C main -i inventory/localhost.ini plays/nodejs.yaml\n...\n```\n\nSave the changes to `user-data` and unmount the card. You can now insert it into the PI and boot the system.\n\n### Using sensitive values\n\nIf you need to provide the play with sensitive values such as access keys, fetch them with a secure copy (scp) at first boot rather than committing them to the repo: the vault and inventory files live on a host you control and are pulled in before ansible-pull runs.\n\nFor example:\n\n``` yaml\n#cloud-config\npackages:\n  - ansible\n\nwrite_files:\n  - content: |\n      \u003cssh private key with read access to server holding vault\u003e\n    path: /root/.ssh/ansible\n    permissions: '0400'\n    owner: 'root:root'\n  - content: |\n      \u003cssh public key with read access to server holding vault\u003e\n    path: /root/.ssh/ansible.pub\n    permissions: '0444'\n    owner: 'root:root'\n\nruncmd:\n  - scp -o StrictHostKeyChecking=no -r -i /root/.ssh/ansible ansible@\u003cservername with ansible files\u003e:/home/ansible/ansible-files /root\n  - ansible-pull -U https://github.com/bryopsida/pi-monger.git -i /root/ansible-files/inventory/localhost.ini --vault-password-file /root/ansible-files/vault-password plays/nodejs.yaml\n```\n\nNote that `-o StrictHostKeyChecking=no` disables host key verification for the copy that fetches the inventory and vault password file, so a host that spoofs the server's address could substitute its own files. Where possible, write the server's host key to a known_hosts file with `write_files` and drop that option.\n\nIf you are using a private repo you will likely prefer to keep the inventory and vault files in source with the playbooks; the approach above can still be used to fetch the vault password file.\n\n### Complete example\n\n#### Assumptions\n\n1) You know how to set up an SSH server\n1) A cloud provider secret manager is not available\n1) The SSH username is `ansible`\n1) 
You are familiar with using Raspberry PI Imager\n1) You are familiar with mounting sdcards in your operating system\n1) You are familiar with Linux file permissions and have restricted your ansible files to the owner and group that need them\n1) You have some familiarity with [cloud-init](https://cloudinit.readthedocs.io/en/latest/#)\n\n#### Set up an SSH server\n\nSensitive values cannot be checked into source, so they are kept in an Ansible vault. The vault password, and the inventory that points at it, are stored outside the repo on an SSH server and fetched with scp at first boot.\nThe details of setting up an SSH server are out of scope for this repo; depending on your network setup you may be able to use your router/gateway.\n\n##### Recommended Configuration\n\n1) Use public key SSH authentication\n1) Create a dedicated, non-admin, limited-scope account to hold the ansible files\n\n#### SSH Server File Setup\n\n1) Log in to the SSH server that will hold the inventory files\n1) Create the `ansible-files` folder under the SSH user's home folder\n1) Create a `vault-password` file underneath the `ansible-files` folder; it must match the password used to vault any sensitive values\n1) Create an `inventory` folder underneath the `ansible-files` folder\n1) Create a `localhost.ini` file under the `ansible-files/inventory` folder with the contents shown below\n1) Ensure you have a copy of the SSH private key and public key for the SSH user\n\n``` ini\n[all]\nlocalhost ansible_connection=local\n\n[all:vars]\nauto_pull_inventory=/root/ansible-files/inventory/localhost.ini\nauto_pull_secure_copy_enabled=true\nauto_pull_secure_copy_host=\u003chostname of your ssh server with ansible-files\u003e\n```\n\nThe resulting folder structure should look like this:\n\n``` shell\ntree ansible-files\nansible-files\n├── inventory\n│   └── localhost.ini\n└── vault-password\n\n2 directories, 2 files\n```\n\n#### Flash an Ubuntu Server 22.04 Image\n\nUse [Raspberry PI 
Imager](https://www.raspberrypi.com/software/) to create an Ubuntu Server 22.04 image.\n\n#### Modify `user-data` to run ansible-pull\n\nAfter the image has been created using Raspberry PI Imager:\n\n1) Remount the sd card.\n1) Open the `user-data` file with your editor of choice.\n1) Update `user-data` to look like this, with your values substituted:\n\n``` yaml\n#cloud-config\nhostname: \u003cyour desired hostname\u003e\nmanage_etc_hosts: true\npackages:\n  - avahi-daemon\n  - ansible\napt:\n  conf: |\n    Acquire {\n      Check-Date \"false\";\n    };\n\nusers:\n  - name: \u003cyour desired username\u003e\n    groups: users,adm,dialout,audio,netdev,video,plugdev,cdrom,games,input,gpio,spi,i2c,render,sudo\n    shell: /bin/bash\n    lock_passwd: false\n    passwd: \u003cpasswd hash\u003e\n    ssh_authorized_keys:\n      - \u003cssh pub key\u003e\n    sudo: ALL=(ALL) NOPASSWD:ALL\n\nwrite_files:\n  - content: |\n      -----BEGIN OPENSSH PRIVATE KEY-----\n      \u003credacted\u003e\n      -----END OPENSSH PRIVATE KEY-----\n    path: /root/.ssh/ansible\n    permissions: '0400'\n    owner: 'root:root'\n  - content: |\n      ssh-ed25519 redacted username@host\n    path: /root/.ssh/ansible.pub\n    permissions: '0444'\n    owner: 'root:root'\n\ntimezone: \u003cyour timezone\u003e\nruncmd:\n  - localectl set-x11-keymap \"us\" pc105\n  - setupcon -k --force || true\n  - scp -o StrictHostKeyChecking=no -r -i /root/.ssh/ansible ansible@your.ansible.server.name:/home/ansible/ansible-files /root\n  - ansible-pull -U https://github.com/bryopsida/pi-monger.git -i /root/ansible-files/inventory/localhost.ini --vault-password-file /root/ansible-files/vault-password plays/nodejs.yaml\n```\n\nThis `user-data` file carries a private key and, through `sudo: ALL=(ALL) NOPASSWD:ALL`, gives the created user passwordless root. The key remains readable on the sd card until cloud-init is disabled and `user-data` is shredded after the first pull (see the TODO list above), so treat the card as sensitive until that has happened.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbryopsida%2Fpi-monger","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbryopsida%2Fpi-monger","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbryopsida%2Fpi-monger/lists"}
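The cloud-init examples in the README above run scp with `StrictHostKeyChecking=no`, grant the created user `NOPASSWD:ALL` sudo, and write an SSH private key to disk via `write_files`. The pre-flight lint below is an added example for this page, not part of pi-monger: it is meant to be run against the `user-data` file on the mounted sd card before first boot, flags those three settings, and carries a constructed "fixed" sample showing the same copy done with a pinned host key (`UserKnownHostsFile` plus `StrictHostKeyChecking=yes`) and a sudo rule that still prompts for a password. The hostname `vault.example`, the host key placeholder and both sample files are made up for the example.

```sh
#!/bin/sh
# Pre-flight lint for a cloud-init user-data file (added example, not pi-monger code).
# Run it against the user-data on the mounted sd card before booting the PI.
#
# Findings it reports:
#   ERROR  scp/ssh invoked with StrictHostKeyChecking=no  (host key verification off)
#   ERROR  a sudoers rule granting NOPASSWD:ALL
#   WARN   private key material written by write_files (only defensible if
#          user-data is shredded once the first pull has completed)

lint_user_data() {
  file=$1
  grep -nEi 'StrictHostKeyChecking[[:space:]=]+no' "$file" \
    | sed 's/^/ERROR host key verification disabled: /'
  grep -nE 'NOPASSWD:[[:space:]]*ALL' "$file" \
    | sed 's/^/ERROR passwordless sudo: /'
  grep -nE 'BEGIN [A-Z ]*PRIVATE KEY' "$file" \
    | sed 's/^/WARN private key embedded in user-data: /'
  return 0
}

# Number of findings of any severity, as a bare integer.
finding_count() {
  lint_user_data "$1" | grep -c . || true
}

# Number of ERROR findings only.
error_count() {
  lint_user_data "$1" | grep -c '^ERROR' || true
}

# Constructed sample mirroring the README's example (placeholders, not real values).
sample_weak() {
  cat <<'EOF'
#cloud-config
packages:
  - ansible
users:
  - name: pi
    sudo: ALL=(ALL) NOPASSWD:ALL
write_files:
  - content: |
      -----BEGIN OPENSSH PRIVATE KEY-----
      redacted
      -----END OPENSSH PRIVATE KEY-----
    path: /root/.ssh/ansible
    permissions: '0400'
runcmd:
  - scp -o StrictHostKeyChecking=no -r -i /root/.ssh/ansible ansible@vault.example:/home/ansible/ansible-files /root
  - ansible-pull -U https://github.com/bryopsida/pi-monger.git -i /root/ansible-files/inventory/localhost.ini --vault-password-file /root/ansible-files/vault-password plays/nodejs.yaml
EOF
}

# Constructed corrected sample: the server's host key is pinned in a known_hosts
# file written by cloud-init, scp verifies against it, and sudo still asks for a
# password. The deploy key stays (the design needs it), so one WARN remains.
sample_fixed() {
  cat <<'EOF'
#cloud-config
packages:
  - ansible
users:
  - name: pi
    sudo: ALL=(ALL) ALL
write_files:
  - content: |
      -----BEGIN OPENSSH PRIVATE KEY-----
      redacted
      -----END OPENSSH PRIVATE KEY-----
    path: /root/.ssh/ansible
    permissions: '0400'
  - content: |
      vault.example ssh-ed25519 AAAA-placeholder-host-key
    path: /root/.ssh/known_hosts
    permissions: '0600'
runcmd:
  - scp -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/root/.ssh/known_hosts -r -i /root/.ssh/ansible ansible@vault.example:/home/ansible/ansible-files /root
  - ansible-pull -U https://github.com/bryopsida/pi-monger.git -i /root/ansible-files/inventory/localhost.ini --vault-password-file /root/ansible-files/vault-password plays/nodejs.yaml
EOF
}

# Usage: sh lint-user-data.sh /path/to/mounted/sdcard/user-data
if [ -n "${1:-}" ]; then
  lint_user_data "$1"
fi
```

Run against the README's complete example, the lint reports two ERROR lines and one WARN; against the fixed sample only the WARN for the embedded deploy key remains, which is the residual risk the TODO item "shred user-data after first pull" addresses.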