Commit 764893b4 authored by Sven-Hendrik Haase's avatar Sven-Hendrik Haase
Browse files

Initial config check-in for vostok and orion

parents
[defaults]
inventory = hosts
remote_tmp = $HOME/.ansible/tmp
transport = smart
remote_port = 22
gathering = implicit
remote_user = root
nocows = 1
[ssh_connection]
pipelining = True
scp_if_ssh = True
ansible_python_interpreter: "/usr/bin/python2"
[orion]
88.198.91.70
[vostok]
5.9.158.171
---
# This script is for provisioning a server for first boot.
# Care: It is not idempotent by design.
- name: provision orion
hosts: orion
remote_user: root
vars:
- hostname: orion
ipv4_address: "88.198.91.70"
ipv6_address: "2a01:4f8:160:6087::1/128"
ipv4_gateway: "88.198.91.65"
ipv6_gateway: "fe80::1"
filesystem: btrfs
roles:
- install_arch
---
- name: setup orion
hosts: orion
remote_user: root
roles:
- common
- tools
- borg
---
- name: install borg
pacman: name=borg state=present
---
- name: update pacman cache
pacman: update_cache=yes
- name: install ntp
pacman: name=ntp state=present
- name: start and enable ntp
service: name=ntpd enabled=yes state=started
- name: install smart
pacman: name=smartmontools state=present
- name: start and enable smart
service: name=smartd enabled=yes state=started
- name: install mlocate
pacman: name=mlocate state=present
- name: activate regular updatedb for mlocate
service: name=updatedb.timer enabled=yes state=started
- name: generate locales
locale_gen: name={{ item }} state=present
with_items:
- en_US.UTF-8
- name: configure locales
template: src=locale.conf.j2 dest=/etc/locale.conf owner=root group=root mode=0644
LANG=en_US.UTF-8
LC_COLLATE=en_US.UTF-8
LC_TIME=en_US.UTF-8
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC3jDEPHSY0t7kUWqHIdzhFcjeDRK2dDxUAYXLyGKWMJixiBn9w0ZeXiyqrcJ/fH0b2Js85oOfl5EFVN4WKr0bEvSaw/pfLOYpbvdP/Xt272PH583rIlA12rTvbr3MMQMJO6yc/LD98zdCioW6XCbsqPvVYSlYiYdHLCxlS/DeKjxowu+b5FeiCOxHtsYBFGlln3WjeFEBhIjyS/DBvDG8bGhHLiCDzv568rJmAl8c3yY2rxC1nGboOBqQ4fC8xI/jljj8UhxBRAPFgthG127S14dDUlDEqCu7wRiog0C3ax5Ux6cksnS3wlh7FS3/dbMkoPP0YDrg+pgfYBkW0u46MdVjUVMeNIckpMvlvxSPvv49azFtkBcPhwOaKDYjRoeaHJobHIPPWm/FJU61G4voptf9IrjUWdG/QqhFKx3v3s+9mYArXLssh42BYSDxLEisiSvbDjrBeuyIU2QoehvzwTRT6kmmg6I68WIsSC08mF0no3CqrXkOXq46gXqJheQwzUAwVm5Mg94ntCI3eUl1sWsaiwWreY9zq6ZOfuhUFA0nanMozyouG0wtfKHv7T/jxxPAMHZgozY4Bf3XOA9Nz8CrQmbty0hAQOho5n9mGIcmMLukXGhNXzkkmNmyH+aTR2D6qlrsRiLTwIVxcwWjmk9Iq/iXMB0OSFjYsrEi8Rw== flo@Marin
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJJV4OQ6NSq0pXRZZB2jAOZnzW1eyt+7ctPZ6ZM31u2TOWgWCSfHYH6l0BxBtaL1HPlUxV+FZUheMbeXdgViI3WIO78zzuY/br9If6ZjYqdSwJFnYTNU+tLQhI5uVls0bmPvHkAn51JnVL56Vnil2mEylWRzKEg8RZvuaVEtQwvfR1mwQaR2ofSMuC6xE2hCcz93LWf+R+xjbQFtAdAQU288SB9SeABiG6FRgSUc1cGKFz8sBdsUpnlmCXqPD7fLJfPw1yF3M5HlN8ZHBhF1CZXNEKlQgXgtMz4eUc3JA10gVVAlm15PUOiEw0Tq9mOIT8ryaf7PyYxMpU4LzLoWHMxbiVD4CNq2ODGtHyLBX9lcHwwDTCwH1STht9992Bgd/5kpZ4df4gDBV89+w9758lX3eROZ7CQSEP2jSYNN2tr9KmYDiV5OY7KOGtkUZaDIMfQva6YMCQscKB8X/ypNkrQmwQwyOoXi1gbdF4zgmcDW68dzDPOiH+tzgLwJvUpkwMxvovzjMnMXUJjjXFqP8pgxM4OmTO9Ixhrt4TMsQXfmsVgUiGd+WecYguNF9UTBPum/KOOpa3wOr1vJnwrEZVJjhrhXNyNi2wnPUYB0CVEl6floR04pYYQs4K9MORgTxEiSYfbNpDMHgi5uuQAngJdQ9s7zc3bAS9Tp3de23b2w== svenstaro@smith
---
- name: read /etc/motd
command: cat /etc/motd
register: motd_contents
- name: check whether we're running in the Hetzner rescue system
fail: msg="Not running in Hetzner rescue system!"
when: "'Hetzner Rescue' not in motd_contents.stdout"
- name: partition and format the disks
command: mkfs.btrfs -f -L rootfs -d raid1 /dev/sda /dev/sdb
when: filesystem == "btrfs"
- name: create BIOS boot partitions
command: sgdisk -n 1:0:10M /dev/{{ item }}
when: filesystem == "ext4"
with_items:
- sda
- sdb
- name: create RAID partitions
command: sgdisk -n 2:0:0 /dev/{{ item }}
when: filesystem == "ext4"
with_items:
- sda
- sdb
- name: set BIOS boot partition types
command: sgdisk -t 1:ef02 /dev/{{ item }}
when: filesystem == "ext4"
with_items:
- sda
- sdb
- name: set RAID partition types
command: sgdisk -t 2:fd00
when: filesystem == "ext4"
with_items:
- sda
- sdb
- name: create MDADM array
command: mdadm --create --level=1 --raid-devices=2 --run /dev/md0 /dev/sda2 /dev/sdb2
- name: format the MDADM array
filesystem: dev=/dev/md0 fstype=ext4
when: filesystem == "ext4"
- name: mount the filesystem (btrfs)
mount: name=/mnt src='LABEL=rootfs' fstype=btrfs state=mounted
when: filesystem == "btrfs"
- name: mount the filesystem (ext4)
mount: name=/mnt src=/dev/md0 fstype=ext4 state=mounted
when: filesystem == "ext4"
- name: install arch base
command: pacstrap /mnt base
- name: initialize pacman keyring
command: arch-chroot /mnt pacman-key --init
- name: populate pacman keyring
command: arch-chroot /mnt pacman-key --poulate archlinux
- name: force re-install all packages with proper database in chroot
command: arch-chroot /mnt pacman --force base base-devel grub openssh sudo btrfs-progs python2
- name: generate mdadm.conf
shell: mdadm --detail --scan >> /mnt/etc/mdadm.conf
when: filesystem == "ext4"
- name: set the hostname
lineinfile: dest=/mnt/etc/hostname line="{{ hostname }}" create=yes
- name: add mdadm_udev to mkinitcpio.conf
lineinfile: dest=/mnt/etc/mkinitcpio.conf backrefs=yes regexp="^(.*)block filesystems(.*)$" line="\1block mdadm_udev filesystems\2"
when: filesystem == "ext4"
- name: run mkinitcpio
command: arch-chroot /mnt mkinitcpio -p linux
- name: generate fstab
shell: genfstab -p -L /mnt >> /etc/fstab
- name: configure network
template: src=10-static-ethernet.network.j2 dest=/mnt/etc/systemd/network/10-static-ethernet.network owner=root group=root mode=0644
- name: install grub
command: arch-chroot /mnt grub-install --recheck {{ item }}
with_items:
- sda
- sdb
- name: configure grub
command: arch-chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg
- name: configure zoneinfo
file: src=/usr/share/zoneinfo/UTC dest=/mnt/etc/localtime state=link force=yes
- name: configure locale.gen
lineinfile: dest=/mnt/etc/locale.gen line="en_US.UTF-8 UTF-8"
- name: run locale-gen inside chroot
command: arch-chroot /mnt locale-gen
- name: enable services inside chroot
command: arch-chroot /mnt systemctl enable sshd systemd-networkd systemd-resolved
- name: add authorized key for root
authorized_key: user=root key="{{ item }}" path=/mnt/root/.ssh/authorized_keys
with_file:
- sven.pub
- florian.pub
- name: configure sshd
template: src=sshd_config.j2 dest=/mnt/etc/ssh/sshd_config owner=root group=root mode=0644
- name: create symlink to resolv.conf
file: src=/run/systemd/resolve/resolv.conf dest=/mnt/etc/resolv.conf state=link force=yes
[Match]
Name=e*
[Network]
DNS=213.133.98.98
DNS=213.133.99.99
DNS=213.133.100.100
Address={{ ipv4_address }}
Address={{ ipv6_address }}
Gateway={{ ipv4_gateway }}
Gateway={{ ipv6_gateway }}
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
LogLevel VERBOSE
# Authentication:
#LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no # pam does that
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
- name: install sysadmin tools
pacman: name=lsof,psmisc,htop,nethogs,iftop,rsync,tmux,mtr,sshfs,dfc,tree,dstat,dmidecode,net-tools,ncdu state=present
- name: install misc utils
pacman: name=zsh,colordiff,multitail,httpie,the_silver_searcher,cloc,ipcalc,calc,wget,neovim,python2-neovim state=present
---
# This script is for provisioning a server for first boot.
# Care: It is not idempotent by design.
- name: provision vostok
hosts: vostok
remote_user: root
vars:
- hostname: vostok
ipv4_address: "5.9.158.171"
ipv6_address: "2a01:4f8:190:51aa::1/128"
ipv4_gateway: "5.9.158.161"
ipv6_gateway: "fe80::1"
filesystem: ext4
roles:
- install_arch
---
- name: setup vostok
hosts: vostok
remote_user: root
roles:
- common
- tools
- borg
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment