forked from HolgerHees/smartserver
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathserver.yml
executable file
·165 lines (109 loc) · 12.6 KB
/
server.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
---
- hosts: all
become: yes
become_user: root
vars:
ansible_python_interpreter: /usr/bin/python3
pre_tasks:
# ************ INIT CONFIG ***********
- { import_role: { name: _shared, tasks_from: init }, tags: [ 'always' ] } # detect environment and load configs
# ************************************
- name: loaded values from config files
debug:
msg:
- "mode: {{inventory_hostname}}"
- "server: {{server_ip}}"
- "gateway: {{server_gateway}}{{ ' (' + default_gateway + ')' if server_gateway != default_gateway else ''}}"
- "network: {{server_network}}/24"
- "macvlan: {{macvlan_range if macvlan_range | length > 0 else 'None'}}"
- "arpha: {{server_arpa}}"
- "os-name: {{ansible_distribution}} {{ansible_distribution_version}} ({{ansible_distribution_release}})"
- "net: {{main_network_interface}}"
- "vault: {{'encrypted' if has_encrypted_vault else 'plain'}}"
tags: always
- name: dynamic values from init role
debug:
msg:
- "production: {{ 'active' if is_production else 'inactive' }}"
- "flags: is_suse: {{is_suse}}, is_fedora: {{is_fedora}}, is_ubuntu: {{is_ubuntu}}"
tags: always
# needed by all roles which needs to register their own fluentd handler
# search for "import_tasks: roles/fluentd/tasks/add_config.yml" to see which ones
- { import_role: { name: fluentd, tasks_from: create_shared_folder, handlers_from: empty }, tags: [ 'fluentd' ] } # creates /etc/fluent/_.ansible.d
# is creating and fetching wwwrun uid and gid to make them available globaly for all roles
- { import_role: { name: apache, tasks_from: ensure_www_user_exists, handlers_from: empty }, tags: [ 'always' ] }
# needed by all roles which needs to register their own vhost
# search for "import_tasks: roles/apache/tasks/add_vhost.yml" to see which ones
- { import_role: { name: apache, tasks_from: create_shared_folder, handlers_from: empty }, tags: [ 'apache' ] } # creates {{global_etc}}apache2/(_.ansible.conf.d & _.ansible.vhost.d)
# needed by all roles which needs to register menu entries in the web ui like
# search for "import_tasks: roles/apache_webui/tasks/add_webui.yml" to see which ones
- { import_role: { name: apache_webui, tasks_from: create_shared_folder, handlers_from: empty }, tags: [ 'apache_webui' ] } # creates {{htdocs_path}}main/components
- { import_role: { name: nextcloud, tasks_from: create_shared_folder, handlers_from: empty }, tags: [ 'nextcloud', 'php' ] }
- { import_role: { name: openhab_toolbox, tasks_from: create_shared_folder, handlers_from: empty }, tags: [ 'openhab_toolbox', 'php', 'apache' ] }
- { import_role: { name: systemd_watcher, tasks_from: create_shared_folder, handlers_from: empty }, tags: [ 'systemd_watcher' ] }
- { import_role: { name: update_daemon, tasks_from: create_shared_folder, handlers_from: empty }, tags: [ 'update_daemon' ] }
tasks:
- { import_role: { name: base }, tags: [ 'base' ] } # basic setup like global folders and some often used basic packages
- { import_role: { name: alpine }, tags: [ 'alpine' ] } # registers update notifier for alpine based container images
- { import_role: { name: network }, tags: [ 'network', 'macvlan' ] } # basic network tweaks like enabled ipv6
- { import_role: { name: firewall }, tags: [ 'firewall', 'macvlan' ] } # firewall configuration
# ************ FLUSH HANDLER ***********
- { meta: flush_handlers } # activate network configs (network & firewall). Otherwise docker related iptables rules are sometime lost and prevents to continue
# **************************************
- { import_role: { name: cron }, tags: [ 'cron' ] } # basic cron configuration + common cron jobs
- { import_role: { name: systemd_watcher }, tags: [ 'systemd_watcher' ] } # checking for failed service starts
- { import_role: { name: mdadm }, tags: [ 'mdadm' ] } # raid monitor + weekly check cron job
- { import_role: { name: smartd }, tags: [ 'smartd' ] } # disk monitoring
- { import_role: { name: sensors }, tags: [ 'sensors' ] } # sensors monitoring
- { import_role: { name: container }, tags: [ 'container' ] } # installs and initializes the container infrastructure (docker & podman)
- { import_role: { name: ssh }, tags: [ 'ssh' ] } # settup allowed ssh user
- { import_role: { name: dns }, tags: [ 'dns', 'alpine' ] } # dns server [docker,user:root]
- { import_role: { name: pihole }, tags: [ 'pihole' ], when: "pihole_ip != 'None'" } # adblock server [docker,user:root]
- { import_role: { name: wireguard_mobile }, tags: [ 'wireguard', 'wireguard_mobile', 'macvlan', 'alpine' ] } # vpn configuration (mobile access) [docker,user:root]
- { import_role: { name: postfix }, tags: [ 'postfix', 'alpine' ] } # mail server to forward root mails [docker,user:root]
- { import_role: { name: samba }, tags: [ 'samba', 'alpine' ] } # smb file server [docker,user:root]
- { import_role: { name: ftp }, tags: [ 'ftp', 'alpine' ], when: "vault_ftp_username != 'None'" } # ftp file server for camera picture upload and cleanup [docker,user:ftp]
- { import_role: { name: mysql }, tags: [ 'mysql' ] } # mysql db => needed by nextcloud and openhab [docker,user:999]
- { import_role: { name: influxdb }, tags: [ 'influxdb' ] } # influxdb => needed by openhab [docker,user:root]
- { import_role: { name: telegraf }, tags: [ 'telegraf' ] } # telegraf => needed by netdata [docker,user:root]
- { import_role: { name: prometheus }, tags: [ 'prometheus' ] } # prometheus => needed by openhab [docker,user:root]
- { import_role: { name: alertmanager }, tags: [ 'alertmanager' ] } # alertmanager => needed by loki alerts [docker,user:root]
- { import_role: { name: loki }, tags: [ 'loki' ] } # grafana logstore [docker,user:10001|10001]
- { import_role: { name: redis }, tags: [ 'redis' ] } # redis db => needed by nextcloud [docker,user:999]
- { import_role: { name: mosquitto }, tags: [ 'mosquitto' ] } # mqtt message broker [docker,user:1883]
- { import_role: { name: shared_libs }, tags: [ 'shared_libs' ] } # php & python libs
- { import_role: { name: php }, tags: [ 'php' ] } # php cli [docker,user:wwwrun|apache]
- { import_role: { name: apache }, tags: [ 'apache' ] } # apache web server & php runtime [docker,user:wwwrun|apache]
- { import_role: { name: fluentd }, tags: [ 'fluentd' ] } # log collector !!! MUST BE LAST ONE !!!
# => previous roles are triggering fluentd handler
# ************ FLUSH HANDLER ***********
- { meta: flush_handlers } # Previous roles are independent from upcoming roles, But lot of upcoming roles are depending from previous roles
# **************************************
- { import_role: { name: user }, tags: [ 'user' ] } # default users and permissions (linux, samba, web ...)
- { import_role: { name: netdata }, tags: [ 'netdata' ] } # server monitoring
- { import_role: { name: grafana }, tags: [ 'grafana' ] } # graphical dashboards [docker,user:root]
- { import_role: { name: mysql_phpmyadmin }, tags: [ 'mysql_phpmyadmin' ] } # phpMyAdmin
- { import_role: { name: mysql_adminer }, tags: [ 'mysql_adminer' ] } # Adminer
- { import_role: { name: apache_webui }, tags: [ 'apache_webui' ] } # responsive web ui
- { import_role: { name: nextcloud }, tags: [ 'nextcloud' ] } # private cloud
- { import_role: { name: onlyoffice }, tags: [ 'onlyoffice' ] } # office editor [docker,user:106|108]
- { import_role: { name: minidlna }, tags: [ 'minidlna', 'alpine' ], when: "dlna_ip != 'None' and ( dlna_volumes | length ) > 0" } # dlna media server [docker,user:wwwrun|apache]
- { import_role: { name: openhab }, tags: [ 'openhab' ] } # openhab iot server [docker,user:openhab|openhab]
- { import_role: { name: openhab_toolbox }, tags: [ 'openhab_toolbox' ] } # admin scripts and tools
- { import_role: { name: device_ping }, tags: [ 'device_ping' ] } # ping mobile device service
- { import_role: { name: cron_backup_rsync }, tags: [ 'cron_backup_rsync' ] } # rsync copy of {{data_path}} to {{backup_path}}dataDisk/
- { import_role: { name: deployment }, tags: [ 'deployment' ] } # ansible deployment project + backup collector
- { import_role: { name: update_daemon }, tags: [ 'update_daemon' ], when: "update_daemon_software_check_enabled or update_daemon_system_check_enabled" } # update check & handler
# ************ CUSTOM ROLES ************
- { include_tasks: "{{config_path}}roles.yml", tags: [ 'always' ] } # Details can be found inside the demo configuration 'config/demo/roles.yml'
# **************************************
post_tasks:
- { import_role: { name: apache, tasks_from: letsencrypt, handlers_from: empty }, tags: [ 'apache_letsencrypt' ], when: "ssl_certificate == 'letsencrypt'" } # activate letsencrypt certificate
#- { import_role: { name: dns, tasks_from: enable, handlers_from: empty }, tags: [ 'dns' ] } # activate local named
- { import_role: { name: pihole, tasks_from: whitelist, handlers_from: empty }, tags: [ 'pihole' ] } # add whitelist entries
- { import_role: { name: nextcloud, tasks_from: enable_apps, handlers_from: empty }, tags: [ 'nextcloud', 'nextcloud_apps' ] } # ENABLE NEXTCLOUD APPS needs a running system (php, database, redis ...)
- { import_role: { name: influxdb, tasks_from: create_users, handlers_from: empty }, tags: [ 'influxdb', 'influxdb_users' ] } # create influxdb users
- { import_role: { name: openhab, tasks_from: create_users, handlers_from: empty }, tags: [ 'openhab', 'openhab_users' ] } # create openhab users
- { import_role: { name: systemd_watcher, tasks_from: check_services, handlers_from: empty }, tags: [ 'validate' ] } # last check if all registered services are running
- { import_role: { name: update_daemon, tasks_from: collect_deployment_tags, handlers_from: empty }, tags: [ 'all', 'collect_deployment_tags', 'confirm' ], when: "update_daemon_system_check_enabled" } # get ansible tags, used in update daemon webui
- { import_role: { name: update_daemon, tasks_from: confirm_deployment, handlers_from: empty }, tags: [ 'all', 'confirm_deployment', 'confirm' ], when: "update_daemon_system_check_enabled" } # set confirm date