# Ansible

Catalogue of Ansible playbooks and helper scripts for server management

atmen: slave, servant

## Configuration options

### SSH Ports

The SSH port can be configured in 2 steps:

1. Change the `ansible_ssh_port` variable in `inventory/group_vars/all.yml`
2. Change the `sshd_port` variable in `inventory/vars/unprovisioned.yaml`

## Node configuration process

### Provisioning

- Add atmen user for provisioning
- Configure SSH key for atmen user
- Add maintainer user
- Configure SSH key for maintainer user
- Disable root login (`passwd --lock root`)
- Disable SSH login for creator user
- Disable SSH password login
- Change SSH port

### SSH Setup

- Install fail2ban

### Miscellaneous

- Disable unattended-upgrade is installed
- Disable IPv6
- Setup hostname
- Install open-iscsi, nfs-common, nfs-utils

### OMV configuration

- Install OMV through OMV-extras
- (lab) Add Vagrant user to SSH group
- Add atmen user to sudoers
- Install openmediavault-zfs, openmediavault-s3, openmediavault-filebrowser

# OMV manual configuration

## NFS configuration

- Create FS
- Enable NFS
- `subtree_check,insecure,no_root_squash,anonuid=1000,anongid=100` in NFS share extra options

# Vault

Sensitive data is stored in two files in the `vault` directory:

- `user_provisioning.yml` contains the vault password
- `vault.yml` contains the sensitive data

## user_provisioning.yml

Configure users for provisioning and manual maintenance

```yaml
vault_atmen_password:
vault_maintainer_user:
vault_maintainer_password:
```

## vault.yml

Configure k3s secrets

```yaml
ansible_become_password:
token:
```

To avoid pasting your vault password every time, you can create a `.vault_pass` file in the root directory with the vault password.
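A `.vault_pass` file puts the vault password on disk in plaintext, so it is worth checking how it and the vault files are stored before committing. The following is an added example, not part of this repository: it assumes the two files under `vault/` are encrypted with `ansible-vault` and that the repository is tracked in git; the function names `audit_vault` and `demo` are hypothetical, and the sample contents are constructed placeholders.

```python
import os
import stat
import tempfile
from pathlib import Path

VAULT_HEADER = b"$ANSIBLE_VAULT;"  # first bytes of every ansible-vault encrypted file
VAULT_FILES = ("vault/user_provisioning.yml", "vault/vault.yml")  # paths from this README


def audit_vault(repo_root):
    """Return findings about how vault secrets are stored in repo_root."""
    root, findings = Path(repo_root), []
    for rel in VAULT_FILES:
        path = root / rel
        # A vault file without the header is plaintext YAML (assumes ansible-vault is used).
        if path.is_file() and path.read_bytes()[:len(VAULT_HEADER)] != VAULT_HEADER:
            findings.append(f"{rel}: not ansible-vault encrypted")
    pass_file = root / ".vault_pass"
    if not pass_file.is_file():
        return findings
    mode = stat.S_IMODE(pass_file.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group or other permission bit
        findings.append(f".vault_pass: mode {mode:04o} is group/world accessible")
    gitignore = root / ".gitignore"
    lines = gitignore.read_text().splitlines() if gitignore.is_file() else []
    # Literal match only; glob patterns in .gitignore are not evaluated here.
    if ".vault_pass" not in {line.strip().lstrip("/") for line in lines}:
        findings.append(".vault_pass: not listed in .gitignore")
    return findings


def demo(encrypted, pass_mode, ignore):
    """Build a constructed sample repository in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vault").mkdir()
        body = "$ANSIBLE_VAULT;1.1;AES256\n0000\n" if encrypted else "token: placeholder\n"
        for rel in VAULT_FILES:
            (root / rel).write_text(body)
        (root / ".vault_pass").write_text("placeholder-password\n")
        os.chmod(root / ".vault_pass", pass_mode)
        if ignore:
            (root / ".gitignore").write_text(".vault_pass\n")
        return audit_vault(root)


if __name__ == "__main__":
    for finding in demo(encrypted=False, pass_mode=0o644, ignore=False):
        print(finding)
```

Run `audit_vault(".")` from the repository root, for example in a pre-commit hook, and treat a non-empty result as a failure.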