Ansible

Catalogue of Ansible playbooks and helper scripts for server management.

atmen: slave, servant

Configuration options

SSH Ports

The SSH port can be configured in 2 steps:

  1. Change the ansible_ssh_port variable in inventory/group_vars/all.yml
  2. Change the sshd_port variable in inventory/vars/unprovisioned.yaml

Node configuration process

Provisioning

  • Add atmen user for provisioning
  • Configure SSH key for atmen user
  • Add maintainer user
  • Configure SSH key for maintainer user
  • Disable root login (passwd --lock root)
  • Disable SSH login for creator user
  • Disable SSH password login
  • Change SSH port

SSH Setup

  • Install fail2ban

Miscellaneous

  • Disable unattended-upgrade if installed
  • Disable IPv6
  • Setup hostname
  • Install open-iscsi, nfs-common, nfs-utils

OMV configuration

  • Install OMV through OMV-extras
  • (lab) Add Vagrant user to SSH group
  • Add atmen user to sudoers
  • Install openmediavault-zfs, openmediavault-s3, openmediavault-filebrowser

OMV manual configuration

NFS configuration

  • Create FS
  • Enable NFS
  • Set subtree_check,insecure,no_root_squash,anonuid=1000,anongid=100 in the NFS share extra options

Vault

Sensitive data is stored under two files in the vault directory:

  • user_provisioning.yml contains the vault password
  • vault.yml contains the sensitive data

user_provisioning.yml

Configure users for provisioning and manual maintenance

vault_atmen_password: <atmen_password>
vault_maintainer_user: <your_user>
vault_maintainer_password: <maintainer_password>

vault.yml

Configure k3s secrets

ansible_become_password: <atmen_password>
token: <k3s_token>

To avoid pasting your vault password every time, you can create a .vault_pass file in the root directory containing the vault password.
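
A check for the vault layout described above, written as an added example that is not part of this repository: it confirms both vault files are actually encrypted and that .vault_pass is owner-only and kept out of git. The function name, output labels and the use of a .gitignore in the root directory are assumptions.

```shell
#!/bin/sh
# Added example, not part of the repository. Layout assumed from the README:
#   <repo>/vault/user_provisioning.yml, <repo>/vault/vault.yml, <repo>/.vault_pass

# Prints one line per problem; returns 0 when clean, 1 otherwise.
check_vault_hygiene() {
    repo=$1
    rc=0

    # Files encrypted with ansible-vault start with a "$ANSIBLE_VAULT;" header.
    for f in vault/user_provisioning.yml vault/vault.yml; do
        if [ ! -f "$repo/$f" ]; then
            echo "MISSING: $f"
            rc=1
        elif ! head -n 1 "$repo/$f" | grep -q '^\$ANSIBLE_VAULT;'; then
            echo "PLAINTEXT: $f is not encrypted (ansible-vault encrypt $f)"
            rc=1
        fi
    done

    # The optional password file must be owner-only and kept out of git.
    if [ -f "$repo/.vault_pass" ]; then
        # Characters 5-10 of the ls mode string are the group/other bits.
        go_bits=$(ls -ld "$repo/.vault_pass" | cut -c5-10)
        if [ "$go_bits" != "------" ]; then
            echo "PERMS: .vault_pass is group/world accessible (chmod 600 .vault_pass)"
            rc=1
        fi
        # Simple literal match; negation or nested .gitignore rules are not evaluated.
        if ! grep -qxE '/?\.vault_pass' "$repo/.gitignore" 2>/dev/null; then
            echo "UNIGNORED: .vault_pass is not listed in .gitignore"
            rc=1
        fi
    fi
    return "$rc"
}

# Usage: check_vault_hygiene /path/to/Ansible
```

Calling the function from a git pre-commit hook stops a plaintext vault file or the password file from being committed.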