# Ansible
Catalogue of Ansible playbooks and helper scripts for server management
`atmen` (the name of the provisioning user): slave, servant
## Configuration options
### SSH Ports
The SSH port is configured in two steps:
1. Change the `ansible_ssh_port` variable in `inventory/group_vars/all.yml`
2. Change the `sshd_port` variable in `inventory/vars/unprovisioned.yaml`
## Node configuration process
### Provisioning
- Add atmen user for provisioning
- Configure SSH key for atmen user
- Add maintainer user
- Configure SSH key for maintainer user
- Disable root login (`passwd --lock root`)
- Disable SSH login for creator user
- Disable SSH password login
- Change SSH port
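As an added example (not this repository's own playbook), a play that carries out the provisioning steps above. It assumes an `unprovisioned` inventory group, the `ansible.posix` collection, a `creator_user` variable naming the initial account, and public key files under `keys/`; those names are assumptions, while `sshd_port`, `vault_atmen_password`, `vault_maintainer_user` and `vault_maintainer_password` are the variables this README documents.

```yaml
# Added example, not this repository's own playbook: implements the
# provisioning steps above. Assumed: the `unprovisioned` group, the
# ansible.posix collection, a creator_user variable and keys/*.pub files.
- name: Provision a new node
  hosts: unprovisioned
  become: true
  vars:
    atmen_pubkey: "{{ lookup('file', 'keys/atmen.pub') }}"            # assumed path
    maintainer_pubkey: "{{ lookup('file', 'keys/maintainer.pub') }}"  # assumed path
  tasks:
    - name: Add atmen user for provisioning
      ansible.builtin.user:
        name: atmen
        shell: /bin/bash
        password: "{{ vault_atmen_password | password_hash('sha512') }}"
        update_password: on_create   # keeps the task idempotent on re-runs
    - name: Configure SSH key for atmen user
      ansible.posix.authorized_key:
        user: atmen
        key: "{{ atmen_pubkey }}"
    - name: Add maintainer user
      ansible.builtin.user:
        name: "{{ vault_maintainer_user }}"
        shell: /bin/bash
        password: "{{ vault_maintainer_password | password_hash('sha512') }}"
        update_password: on_create
    - name: Configure SSH key for maintainer user
      ansible.posix.authorized_key:
        user: "{{ vault_maintainer_user }}"
        key: "{{ maintainer_pubkey }}"
    - name: Disable root login (equivalent of passwd --lock root)
      ansible.builtin.user:
        name: root
        password_lock: true
    - name: Harden sshd (deny creator user, no password login, new port)
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        validate: /usr/sbin/sshd -t -f %s   # refuse to write a config sshd rejects
      loop:
        - { regexp: '^#?PermitRootLogin ', line: 'PermitRootLogin no' }
        - { regexp: '^#?PasswordAuthentication ', line: 'PasswordAuthentication no' }
        - { regexp: '^#?Port ', line: 'Port {{ sshd_port }}' }
        - { regexp: '^#?DenyUsers ', line: 'DenyUsers {{ creator_user }}' }
      notify: Restart sshd
  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh   # Debian/OMV service name; sshd on RHEL-family hosts
        state: restarted
```

Run it once against the `unprovisioned` inventory; after the port change, later runs must use the `ansible_ssh_port` value from `inventory/group_vars/all.yml`.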
### SSH Setup
- Install fail2ban
### Miscellaneous
- Disable unattended-upgrades if it is installed
- Disable IPv6
- Setup hostname
- Install open-iscsi, nfs-common, nfs-utils
### OMV configuration
- Install OMV through OMV-extras
- (lab) Add Vagrant user to SSH group
- Add atmen user to sudoers
- Install openmediavault-zfs, openmediavault-s3, openmediavault-filebrowser
# OMV manual configuration
## NFS configuration
- Create FS
- Enable NFS
- Set `subtree_check,insecure,no_root_squash,anonuid=1000,anongid=100` as the NFS share's extra options
# Vault
Sensitive data is stored under two files in the `vault` directory:
- `user_provisioning.yml` contains the vault password
- `vault.yml` contains the sensitive data
## user_provisioning.yml
Configures the users used for provisioning and manual maintenance:
```yaml
vault_atmen_password: <atmen_password>
vault_maintainer_user: <your_user>
vault_maintainer_password: <maintainer_password>
```
## vault.yml
Configures the become password and the k3s secrets:
```yaml
ansible_become_password: <atmen_password>
token: <k3s_token>
```
To avoid pasting your vault password every time, you can create a `.vault_pass` file in the root directory containing the vault password.