| collections/ansible_collections/nullified/infrastructure | ||
| images | ||
| inventory | ||
| playbooks | ||
| scripts | ||
| .editorconfig | ||
| .gitattributes | ||
| .gitignore | ||
| ansible_galaxy-requirements.yml | ||
| README.md | ||
| requirements.txt | ||
| Taskfile.yml | ||
Abstract
Presentation
This project aims to help me deploy and manage my homelab and a few other machines / services that I use, only for a personal purpose. It is also an opportunity for me to learn and improve my knowledge of Ansible,the IaC side of operations and systems administration.
What does it mean? The implications are that I will not be using external roles and collections unless they cover a part of my workflow that I do not wish to implement or have low value for me. The result of this premise is that this repository will probably not cover your use case and you should definitely not use this project as-is unless you thoroughly reviewed it, especially the system hardening and security tweaks that are implemented.
Roles
- common: all configurations and tools that are deployed everywhere, e.g. basic utilities, common QoL tweaks, shell customization.
- development: everything I use for development purposes, e.g. development tooling, assets and documentation creation, compilers and toolchains.
- gaming: gaming on linux, e.g. Steam and Heroic Games Launcher.
- security: security-related softwares and tweaks, e.g. applying custom system limits, installing an antivirus.
- server: common tooling for servers, e.g. monitoring, altering, firewall rules.
- workstation: tooling and configuration for an X11 graphical workstation.
Usage
Prerequisites
Required dependencies
- Python3.9+,
- PIP,
- Virtualenv
Dependencies installed using the Installation instructions
- Task,
- Debian packages:
- curl
- libcurl4-openssl-dev,
- libssl-dev,
- libcairo2,
- libcairo2-dev,
- libffi-dev,
- python3-dev,
- python3-virtualenv
Optional, dev-related dependencies
- Docker
Installation
# Debian amd64
sudo apt install -y \
curl \
libcurl4-openssl-dev \
libssl-dev \
libcairo2 \
libcairo2-dev \
libffi-dev \
python3-virtualenv \
python3-dev;
TASK_VERSION=$(curl -fsSL -XGET https://api.github.com/repos/go-task/task/releases/latest | grep tag_name | tr -d ' ",' | cut -d ':' -f 2)
curl -fsSLO https://github.com/go-task/task/releases/download/"${TASK_VERSION}"/task_linux_amd64.deb;
sudo dpkg -i task_linux_amd64.deb;
rm task_linux_amd64.deb;
Setup
# Generate default ansible configuration
./scripts/generate_ansible_config.sh > "${HOME}"/.ansible.cfg
# Setup Python virtualenv
task venv:setup
# Prepare and edit your inventory as needed
cp inventory/inventory.yml.dist inventory/inventory.yml
# Prepare and edit the global vault as needed
cp inventory/vault.yml.dist inventory/vault.yml
Using Tasks
Tasks
All tasks are available in Taskfile.yml and are executed at the root of the project.
molecule
Execute a molecule command, e.g. task molecule -- converge to create and populate a test container.
venv
Execute a command using the Python wrapper that activates the virtualenv, e.g. task venv --
docker
build: build all docker images available in /images, e.g. task docker:build
module:<module_name>
Directly execute a Python module located in collections/ansible_collections/nullified/infrastructure/plugins/modules with its default configuration
(typically the path to a test YAML file). Used only for debugging purpose.
Example call: task module:github_artifact.
test:collections
Executes molecule tests on each collections declared in collections/ansible_collections. Requires the collection to have a working molecule configuration.
Useful to ensure playbooks behave as expected using a Docker container.
test:modules
Run Ansible's sanity tests on each collections declared in collections/ansible_collections.
nosey
Run noseyparker, a tool that aims to find potential data leak such as passwords and security token.
Examples
# encrypt vault
task venv -- ansible-vault encrypt configuration/host_vars/vault.yml
# decrypt vault if needed
task venv -- ansible-vault decrypt configuration/host_vars/vault.yml
# run ansible command with vault-encrypted data for one specific host
task venv -- ansible-playbook --ask-vault-password -l my_host playbooks/test.yml
# run a specific role, e.g. security, for a host
task venv -- ansible --ask-vault-password -m import_role --args 'name=nullified.infrastructure.security' my_host
Generic collection / roles commands
mkdir -p collections/ansible_collections
cd collections/ansible_collections
task venv -- ansible-galaxy collection init nullified.infrastructure
cd nullified/infrastructure/roles
task venv -- ansible-galaxy collection init tooling
Advanced Configuration
Global variables
Global variables are defined in inventory/group_vars/all/vars.yml and are used in multiple roles and playbooks.
dns.type: what type of DNS configuration should be performed; also works as a selector for type related parameters;dns.default: default type of DNS configuration to setup; will use the correspondingdns.<type>dictionary retrieve corresponding data;dns.udp: IP addresses for basic DNS configuration;dns.dot: IP addresses for DNS-over-TLS configuration;dns.doh: IP addresses and HTTPS addresses for DNS-over-HTTPS configuration;
Notes
dir layout
- collections: ansible root dir for all collections to reside in;
- images: docker images, mostly used for ansible-test / molecule;
- inventory: all inventory related files are stored here;
- playbooks: top level playbooks, describe the way the infrastructure is laid out;
- scripts: various scripts and helpers;