Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/reefactor/org.backbone

Ansible playbooks to build your team's encrypted private cloud, messenger, VPN with blackjack and GitLab
https://github.com/reefactor/org.backbone

ansible ansible-playbook devops gitlab-ci immutable-infrastructure infrastructure-as-code openvpn-client openvpn-server ssh-key vagrant vpn

Last synced: about 1 month ago
JSON representation

Ansible playbooks to build your team's encrypted private cloud, messenger, VPN with blackjack and GitLab

Host: GitHub
URL: https://github.com/reefactor/org.backbone
Owner: reefactor
License: mit
Created: 2019-03-06T16:08:39.000Z (over 5 years ago)
Default Branch: master
Last Pushed: 2021-06-17T13:00:41.000Z (about 3 years ago)
Last Synced: 2024-01-14T03:32:49.468Z (6 months ago)
Topics: ansible, ansible-playbook, devops, gitlab-ci, immutable-infrastructure, infrastructure-as-code, openvpn-client, openvpn-server, ssh-key, vagrant, vpn
Language: Jinja
Homepage:
Size: 1010 KB
Stars: 2
Watchers: 2
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Lists

my-awesome-stars - org.backbone
awesome-stars - reefactor/org.backbone - Ansible playbooks to build your team's encrypted private cloud, messenger, VPN with blackjack and GitLab (vpn)

README

        # org.backbone

Collection of [ansible](https://www.ansible.com/) playbooks for most popular IT infastructure tools

ready for [deploy and maintainance](https://en.wikipedia.org/wiki/Infrastructure_as_code).

Bootstrap from zero to playground in 30 minutes with automated [vagrant tests](tests).

Build your own team IT infrastructure with ~blackjack~ encrypted private cloud, messenger, VPN and GitLab.

### Features

##### Collaboration

* Encrypted file storage, sharing, mobile app, messenger powered by [nextcloud](https://nextcloud.com/)

* [GitLab CE](tests/test_deploy_gitlab.sh) on docker based on [sameersbn's pack](https://github.com/sameersbn/docker-gitlab)

* Continuous integration with [gitlab-runner](roles/gitlab-runner/tasks/main.yml)

##### Infrastructure

* Software distribution server [storage and docker registry](roles/distribution_hub) based on [Nexus Repository Manager 3](https://github.com/sonatype/docker-nexus3)

behind [nginx for SSL termination](roles/nginx)

* Media [server](playbooks/openmediavault.yml) from [openmediavault.org](https://www.openmediavault.org)

* [Infrastructure monitoring & alerting](tests/test_deploy_monitoring.sh) with [Grafana + Prometheus](roles/monitoring_hub/files/dockprom)

based on [dockprom](https://github.com/stefanprodan/dockprom)

* [Infrastructure monitoring & alerting](tests/test_deploy_monitoring.sh) with [collectd](roles/collectd_beacon) and [Graphite + Grafana + Zabbix + nginx/certbot with SSL cert autorenewal](roles/monitoring_hub/files/monitoring_hub)

* BIND DNS server bundled with the Webmin UI based on [sameersbn's docker-bind](https://github.com/sameersbn/docker-bind)

###### Privacy

* [OpenVPN](tests/test_deploy_openvpn.sh) and [keys management](environments/test/group_vars/openvpn.yml) based on [Stouts.openvpn ansible role](https://github.com/Stouts/Stouts.openvpn/)

###### Security

* [SSH users ACL and management](tests/test_deploy_users.sh) with public ssh keys and common sudoer user

.. and more in the [roadmap](#roadmap)

### Prerequisites

* Python to run ansible playbooks

* Vagrant with Virtualbox is optional for automated testing sandbox

```bash

apt install python3-pip

pip3 install -r requirements.txt

ansible-galaxy install -r requirements.yml

curl -O https://releases.hashicorp.com/vagrant/2.2.9/vagrant_2.2.9_x86_64.deb

dpkg -i vagrant_2.2.9_x86_64.deb

apt install virtualbox

```

### HOW-TO

#### VPN

```bash

ansible-playbook playbooks/openvpn-server.yml

```

##### Add user key to VPN

See example test [test_deploy_openvpn.sh](tests/test_deploy_openvpn.sh)

1. Add `username` entry into list of **openvpn_clients_active** in [environments/test/group_vars/openvpn](environments/test/group_vars/openvpn.yml).

Client may reserve static VPN IP or dynamic otherwise.

2. Generate OpenVPN server keys for client:

```bash

ansible-playbook -i environments/test/inventory playbooks/openvpn-server.yml

```

VPN keys are now downloaded to local dir `./.vpnkeys/test`.

Encrypt zip with strong key and send username.7z and the password via separate channels.

```bash

ls -l ./.vpnkeys/test/

7za a -p${ATLEAST16SYMBOLS_PASSWORD} -mhe=on vpnkeys/username.7z vpnkeys/username.zip

```

3. Deploy client keys (add host to VPN network)

Add target host VM to **openvpn_clients_group**, tag it with `openvpn_client_name=username` variable and run playbook:

```bash

ansible-playbook -i environments/test/inventory playbooks/openvpn-client.yml

```

##### Revoke VPN key

1. Add client's name into `openvpn_clients_revoke` blacklist of [environments/test/inventory](environments/test/inventory)

2. Update OpenVPN server:

```bash

ansible-playbook -i environments/test/inventory playbooks/openvpn-server.yml --limit openvpn-server

```

##### Add ssh user

* put user's public ssh key into `roles/users/files` (or download via `roles/users/files/update_pub_keys.sh`)

* add pub key file to `Add users` list of `roles/users/tasks/main.yml`

* add to `authorized_key` lists of `roles/users/tasks/main.yml`

* update environment:

```bash

ansible-playbook playbooks/users.yml

```

##### Remove ssh user

* delete user's public ssh key file from `roles/users/files`

* add to blacklist `Delete users` of `roles/users/tasks/main.yml`

* remove from `authorized_key` list

* update environment:

```bash

ansible-playbook playbooks/users.yml

```

#### Monitoring

1. Deploy example in vagrant vbox with [tests/test_deploy_monitoring.sh](tests/test_deploy_monitoring.sh)

2. Open Grafana UI in [http://192.168.10.101:3000](http://192.168.10.101:3000/) with login *admin* and password *admin* configured in [docker-compose.yml](roles/monitoring_hub/files/dockprom/docker-compose.yml)

#### DNS

```bash

ansible-playbook -i environments/test/inventory playbooks/dns.yml -l dns

```

1. Deploy example in vagrant vbox with [test_deploy_dns.sh](tests/test_deploy_dns.sh)

2. Open Webmin UI in [https://192.168.10.101:10000](https://192.168.10.101:10000/) with *root* password *secretpassword* configured in [docker-compose.yml](roles/dns/files/docker-compose.yml)

### Roadmap

* Provisioning with Terraform in addition to Vagrant

* Errors tracking with [Sentry](https://sentry.io/) 

#### Tools

##### TCP tunnel with docker and socat

Use cases:

* Expose port from docker internal network via additional docker container with [sockat](https://wiki.ipfire.org/addons/socat) tunnel.

* tcp port forwarding from local to remote host

0.0.0.0:$HOSTPORT -> $TARGET_HOST:$TARGET_PORT (via socat on port 12345 in docker container named socat-tunnel)

* trivial command-line: [docat-tunnel/docker-run-socat.sh](./socat-tunnel/docker-run-socat.sh)

* convinient compose config: [socat-tunnel/docker-compose.yml](./socat-tunnel/docker-run-socat.sh)