-
-
Notifications
You must be signed in to change notification settings - Fork 0
/
playbook.yml
153 lines (153 loc) · 4.09 KB
/
playbook.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
- hosts: all
tasks:
- name: Ensure SSH Key is authorized
authorized_key:
user: pi
state: present
key: https://github.com/benbalter.keys
- name: update and upgrade apt packages
become: true
ansible.builtin.apt:
upgrade: dist
update_cache: true
- name: set timezone
community.general.timezone:
name: America/New_York
become: true
- name: install unattended upgrades
become: true
ansible.builtin.apt:
name: unattended-upgrades
state: present
- name: Setup unattended upgrades
ansible.builtin.debconf:
name: unattended-upgrades
question: unattended-upgrades/enable_auto_updates
vtype: boolean
value: "true"
- name: install ntp
become: true
ansible.builtin.apt:
name: ntp
state: present
- name: enable ntp
ansible.builtin.service:
name: ntp
state: started
enabled: true
- name: install ufw
become: true
ansible.builtin.apt:
name: ufw
state: present
- name: limit ssh
become: true
community.general.ufw:
rule: limit
port: ssh
proto: tcp
- name: Allow all access to port 22
become: true
community.general.ufw:
rule: allow
app: '{{ item }}'
loop:
- SSH
- name: enable ufw and default to deny
become: true
community.general.ufw:
state: enabled
default: deny
- name: install fail2ban
become: true
ansible.builtin.apt:
name: fail2ban
state: present
- name: Install dependencies
become: true
ansible.builtin.apt:
name: "{{ item }}"
state: present
update_cache: true
loop:
- python3-dev
- python3-pip
- git
- name: Ensure deploy key is present
community.crypto.openssh_keypair:
path: "~/.ssh/id_github"
type: ed25519
register: deploy_key
- name: Ensure deploy key is authorized
community.general.github_deploy_key:
key: "{{ deploy_key.public_key }}"
name: Raspberry Pi
state: present
read_only: false
owner: benbalter
repo: meeting-matrix
token: "{{ lookup('community.general.onepassword', 'Raspberry pi', field='GitHub Token') }}"
- name: Clone benbalter/meeting-matrix
ansible.builtin.git:
repo: git@github.com:benbalter/meeting-matrix.git
dest: /home/pi/meeting-matrix/
clone: true
update: true
key_file: ~/.ssh/id_github
accept_hostkey: true
- name: Install docker dependencies
become: true
ansible.builtin.apt:
name: "{{ item }}"
state: present
update_cache: true
loop:
- apt-transport-https
- ca-certificates
- curl
- gnupg
- lsb-release
- name: add Docker GPG key
become: true
ansible.builtin.apt_key:
url: https://download.docker.com/linux/debian/gpg
state: present
- name: add docker repository to apt
become: true
ansible.builtin.apt_repository:
repo: deb [arch=arm64] https://download.docker.com/linux/debian bullseye stable
state: present
- name: install docker
become: true
ansible.builtin.apt:
name: "{{ item }}"
state: present
loop:
- docker-ce
- docker-ce-cli
- containerd.io
- name: Add user to docker group
become: true
ansible.builtin.user:
name: pi
groups: docker
append: true
- name: Enable & Start Docker service
become: true
ansible.builtin.service:
name: docker
enabled: true
state: started
- name: Install docker compose
ansible.builtin.pip:
executable: pip3
name:
- docker
- docker-compose
- name: Init Docker container
community.docker.docker_compose:
project_src: /home/pi/meeting-matrix/
pull: true
build: true
remove_orphans: true
register: output