65 lines
1.8 KiB
Markdown
65 lines
1.8 KiB
Markdown
# Ansible
|
|
|
|
Catalogue of Ansible playbooks and helper scripts for server management
|
|
atmen: slave, servant
|
|
|
|
## Configuration options
|
|
### SSH Ports
|
|
The ssh port can be configured in 2 steps:
|
|
1. Change the `ansible_ssh_port` variable in `inventory/group_vars/all.yml`
|
|
2. Change the `sshd_port` variable in `inventory/vars/unprovisioned.yaml`
|
|
|
|
## Node configuration process
|
|
### Provisioning
|
|
- Add atmen user for provisioning
|
|
- Configure SSH key for atmen user
|
|
- Add maintainer user
|
|
- Configure SSH key for maintainer user
|
|
- Disable root login (passwd --lock root)
|
|
- Disable SSH login for creator user
|
|
- Disable SSH password login
|
|
- Change SSH port
|
|
|
|
### SSH Setup
|
|
- Install fail2ban
|
|
|
|
### Miscellaneous
|
|
- Disable unattended-upgrade is installed
|
|
- Disable IPv6
|
|
- Setup hostname
|
|
- Install open-iscsi, nfs-common, nfs-utils
|
|
|
|
### OMV configuration
|
|
- Install OMV through OMV-extras
|
|
- (lab) Add Vagrant user to SSH group
|
|
- Add atmen user to sudoers
|
|
- Install openmediavault-zfs, openmediavault-s3, openmediavault-filebrowser
|
|
|
|
# OMV manual configuration
|
|
## NFS configuration
|
|
- Create FS
|
|
- Enable NFS
|
|
- `subtree_check,insecure,no_root_squash,anonuid=1000,anongid=100` in NFS share extra options
|
|
|
|
# Vault
|
|
Sensitive data is stored under two files in the `vault` directory:
|
|
- `user_provisioning.yml` contains the vault password
|
|
- `vault.yml` contains the sensitive data
|
|
|
|
## user_provisioning.yml
|
|
Configure users for provisioning and manual maintenance
|
|
```yaml
|
|
vault_atmen_password: <atmen_password>
|
|
vault_maintainer_user: <your_user>
|
|
vault_maintainer_password: <maintainer_password>
|
|
```
|
|
|
|
## vault.yml
|
|
Configure k3s secrets
|
|
```yaml
|
|
ansible_become_password: <atmen_password>
|
|
token: <k3s_token>
|
|
```
|
|
|
|
To avoid pasting your vault password everytime, you can create a `.vault_pass` file in the root directory with the vault password.
|