{"id":26830855,"url":"https://github.com/oltdaniel/ansible-my-servers","last_synced_at":"2025-03-30T14:17:59.211Z","repository":{"id":277744963,"uuid":"871989562","full_name":"oltdaniel/ansible-my-servers","owner":"oltdaniel","description":"these are the playbooks I use for my servers for setup","archived":false,"fork":false,"pushed_at":"2025-03-28T21:29:15.000Z","size":32,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-28T22:30:13.412Z","etag":null,"topics":["ansible","automation"],"latest_commit_sha":null,"homepage":"","language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/oltdaniel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-13T13:59:49.000Z","updated_at":"2025-03-28T21:29:19.000Z","dependencies_parsed_at":"2025-02-15T20:37:54.200Z","dependency_job_id":null,"html_url":"https://github.com/oltdaniel/ansible-my-servers","commit_stats":null,"previous_names":["oltdaniel/ansible-my-servers"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oltdaniel%2Fansible-my-servers","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oltdaniel%2Fansible-my-servers/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oltdaniel%2Fansible-my-servers/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oltdaniel%2Fansible-my-servers/manifests","owner_url":"https://repos.ecosyste.ms/
api/v1/hosts/GitHub/owners/oltdaniel","download_url":"https://codeload.github.com/oltdaniel/ansible-my-servers/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246326761,"owners_count":20759439,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","automation"],"created_at":"2025-03-30T14:17:58.761Z","updated_at":"2025-03-30T14:17:59.188Z","avatar_url":"https://github.com/oltdaniel.png","language":"Jinja","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ansible-my-servers\n\nThese are the ansible playbooks I use to kind of replicate the setup across multiple servers I use for my stuff. This is mainly used for playing a bit around with ansible and do some more complex stuff.\n\n\u003e [!IMPORTANT]  \n\u003e These playbooks are currently only tested on Debian 12. Only some functions work across multiple distros.\n\nThank you [@geerlingguy](https://github.com/geerlingguy) for providing the base roles I use here for my servers.\n\n## Usage\n\n```bash\n# Clone the repo\ngit clone https://github.com/oltdaniel/ansible-servers\ncd ansible-servers\n# Install the requirements\nansible-galaxy install -r requirements.yml\n# Copy the config files\ncp example.hosts.ini hosts.ini\ncp example.config.yml config.yml\n#\n# !! 
Edit the hosts.ini and config.yml to your needs !!\n#\n# First execution (we assume you configured your ssh key via the hosting provider already)\n# NOTE: Change the remote user in case it isn't root.\nansible-playbook playbooks/genisis.yml -u root\n# Deploy the software\nansible-playbook playbooks/software.yml\n# Upgrade the server and allow a reboot if required\nansible-playbook playbooks/upgrade.yml --extra-vars \"upgrade_allow_reboot=true\"\n```\n\n## Playbooks\n\n### `genisis.yml`\n\n\u003e [!IMPORTANT]  \n\u003e This playbook is intended for a single execution as the `root` user. Root sign-in via SSH is disabled by default by `geerlingguy.security`, so later runs must use the created user.\n\nThis is the main playbook, responsible for the initial setup of a server. By default it uses the remote user `root`, as it is only meant to be executed once. After the first successful run, append `-u YOUR_GENISIS_USER` to the command.\n\n### `software.yml`\n\nThis is the playbook that installs the generic software running on the servers. Before installing the software it upgrades everything and applies the network configuration.\n\nIt currently deploys the following software:\n- PostgreSQL\n- Netdata\n- WireGuard\n- Caddy\n\n### `upgrade.yml`\n\nThis is the playbook I use for upgrades. To allow a reboot when one is required, add `--extra-vars \"upgrade_allow_reboot=true\"` to the command.\n\n## Roles\n\n### `genisis`\n\n```yml\ngenisis_user: \"{{ lookup('env','USER') }}\" # required\ngenisis_user_ssh_pubkey: ~/.ssh/id_ed25519.pub # default: ~/.ssh/id_ed25519.pub\n```\nThis role creates a user for yourself so that you can interact with the system without using the root account. The variable `genisis_user` is required and has no default value. 
With `genisis_user_ssh_pubkey` you can point to an SSH public key that will be configured as an authorized key for the created user.\n\n```yml\ngenisis_user_passwordless_sudoer: true # default: true\ngenisis_group_sudo_passwordless_sudoers: true # default: true\n```\nBoth options default to `true`, granting passwordless sudo to the created user and to the `sudo` group respectively.\n\n### `upgrade`\n\n```yml\n# Whether to allow a reboot after the upgrade if required.\nupgrade_allow_reboot: no\n```\nThis variable controls whether a reboot is allowed after an upgrade when one is necessary.\n\n### `networking`\n\nThis role installs the `ufw` package, creates an allow rule for OpenSSH and enables the firewall. Additionally, custom rules are applied.\n\n```yml\n# UFW rules to apply\nnetworking_ufw_rules: [] # default\n#   - { rule: \"allow\", port: 19999, proto: \"any\", from_ip: \"{{ wireguard_network }}\" } # allow Netdata portal access from the WireGuard network only\n#   - { rule: \"allow\", port: 80, proto: \"tcp\" } # allow HTTP\n#   - { rule: \"allow\", port: 443, proto: \"tcp\" } # allow HTTPS\n#   - { rule: \"allow\", port: 443, proto: \"udp\" } # allow HTTP/3 (QUIC)\n```\nWith this variable custom rules can be applied. Currently only the properties shown above (`rule`, `port`, `proto`, `from_ip`) are supported.\n\n### `security`\n\nSee [geerlingguy/ansible-role-security](https://github.com/geerlingguy/ansible-role-security) for the base of the role and its options.\n\n### `postgresql`\n\nSee [geerlingguy/ansible-role-postgresql](https://github.com/geerlingguy/ansible-role-postgresql) for the base of the role and its options.\n\n### `netdata`\n\n\u003e These aren't all variables that can be used, see [the role defaults](./roles/netdata/defaults/main.yml) for more options.\n\n```yml\n# Role can be undefined, 'primary' or 'secondary'\nnetdata_role: primary\n```\nIf undefined, netdata keeps its default configuration. If primary, the installation is configured to operate in primary mode. 
If secondary, the web interface (among other things) is disabled and the node connects to the configured primary nodes (at least one primary node is required).\n\nWe suggest setting this variable per host. An example can be seen in `example.hosts.ini`, or you can choose another way of defining host-specific values.\n\n```yml\n# Used as the API key in stream.conf\nnetdata_api_key: \"00000000-0000-0000-0000-000000000000\" # optional, required for parent config (generate with uuidgen)\n```\nOptional, unless you configure the system as a primary node. You can generate a value with the command `uuidgen`. Treat it as a secret (for example, keep it in Ansible Vault): it is what secondary nodes present to the primary to be allowed to stream metrics.\n\n```yml\n# Change options in the health_alarm_notify.conf\nnetdata_health_alarm_notify:\n  - option: SEND_NTFY\n    value: \"YES\"\n  - option: DEFAULT_RECIPIENT_NTFY\n    value: \"https://ntfy.sh/REPLACEME\"\n```\nThis variable allows you to change different options in `health_alarm_notify.conf`, which is used for sending notifications. This example shows a minimal ntfy.sh configuration.\n\n```yml\n# Configure the postgres collector\nnetdata_go_d_postgres:\n  - name: local\n    dsn: 'host=/var/run/postgresql dbname=postgres user=netdata'\n```\nThis option allows you to configure the PostgreSQL collector in `go.d/postgres.conf`.\n\n```yml\n# Configure the necessary UFW rules for netdata.\nnetdata_enable_ufw_rules: true\n```\nThis option defines whether to apply the required UFW rules. In this setup it is recommended, as we deploy UFW and this option automatically applies the rules needed for primary and secondary netdata communication. 
This does not expose the netdata interface to the public.\n\n### `wireguard`\n\n\u003e These aren't all variables that can be used, see [the role defaults](./roles/wireguard/defaults/main.yml) for more options.\n\nThe main use case is to connect all the servers in the inventory into a single VPN, giving you a private network across cloud providers.\n\n```yml\n# WireGuard settings\nwireguard_network: 10.0.0.0/24 # default\nwireguard_address: 10.0.0.1 # default\n```\nBy default, WireGuard is configured with the network settings above. Override `wireguard_address` for each host individually (see `example.hosts.ini`); every host needs its own unique address inside `wireguard_network`.\n\n```yml\n# Custom WireGuard profiles\nwireguard_export_custom_profiles: true # default: false\nwireguard_custom_profiles_directory: wireguard # default\nwireguard_custom_profiles: # default: []\n  - name: desktop                 # NOTE: this will also be the filename\n    address: 10.0.0.100\n    private_key: REDACTED         # optional\n    public_key: thisisntavalidkey\n```\nWhen `wireguard_export_custom_profiles` is set to true, the playbook generates a config profile and saves it into the directory configured in `wireguard_custom_profiles_directory`. 
The custom profile option `private_key` is optional and should be left empty unless you store it in Ansible Vault; when it is omitted, the placeholder value `REDACTED` is written into the generated profile and must be replaced with the real private key before importing it into the client.\n\n```yml\n# Default WireGuard interface name\nwireguard_interface: wg0\n\n# Set to true to disable the server (listening) function\nwireguard_disable_server: false\n\n# Default port that the WireGuard server will listen on\nwireguard_listen_port: 51820\n```\nThese are some more advanced options which allow you to change the interface name, disable listening (and thereby the server function) and change the port used by WireGuard.\n\n\u003e After this role has been executed and you connect to the VPN via your custom profile, you can use the `wireguard_address` of each host as its `ansible_host` address and configure everything else to communicate only through the WireGuard tunnel.\n\n### `caddy`\n\n\u003e These aren't all variables that can be used, see [the role defaults](./roles/caddy/defaults/main.yml) for more options.\n\n```yml\n# Automatically deploy HTTP/HTTPS UFW rules (TCP and UDP)\ncaddy_enable_ufw_rules: true\n```\n\nThis automatically deploys UFW rules to allow HTTP and HTTPS traffic over both TCP and UDP.\n\n#### Example Playbook\n\nThis is an example playbook that can be used to deploy a custom website. 
\n\n```yml\n# playbooks/deploy-website.yml\n---\n- name: Deploy caddy website\n  hosts: servers\n  gather_facts: true\n  remote_user: \"{{ genisis_user }}\"\n\n  vars_files:\n    - ../config.yml\n\n  roles:\n    - name: caddy\n      become: true\n\n  tasks:\n    - name: Create website folder\n      ansible.builtin.file:\n        path: /srv/http/www\n        state: directory\n        recurse: yes\n        owner: caddy\n        group: caddy\n      become: true\n\n    - name: Upload website content.\n      ansible.builtin.copy:\n        src: ../www/\n        dest: /srv/http/www\n        owner: caddy\n        group: caddy\n      become: true\n\n    - name: Deploy caddy config.\n      ansible.builtin.copy:\n        content:  |\n          :80\n\n          root * /srv/http/www\n          file_server\n        dest: /etc/caddy/Caddyfile\n        owner: caddy\n        group: caddy\n      notify: reload caddy\n      become: true\n```\n\n## Tested on\n\n- Debian 12\n\n## License\n\n[MIT License](./LICENSE)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foltdaniel%2Fansible-my-servers","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foltdaniel%2Fansible-my-servers","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foltdaniel%2Fansible-my-servers/lists"}