This repo holds my server automation and setup.
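---
# Connectivity Services Playbook
# Comprehensive deployment for DNS, VPN, and proxy services
#
# Two plays, both targeting the `connectivity_servers` group:
#   Phase 1 replaces systemd-resolved with a static /etc/resolv.conf that
#   points at the local resolver (prepared for Pi-hole + Unbound).
#   Phase 2 deploys the container services and verifies them.

# PHASE 1: DNS Server Configuration (stop resolvd, set local DNS)
- name: Connectivity Server DNS Configuration
  hosts: connectivity_servers
  become: true
  gather_facts: true  # needed for ansible_default_ipv4

  vars:
    # Feature switches for this play. Play-level vars outrank inventory and
    # host_vars, so move them to group_vars if single hosts must opt out.
    connectivity_dns_server_enabled: true
    connectivity_stop_resolvd: true
    connectivity_local_dns_setup: true

  pre_tasks:
    - name: Verify connectivity server requirements
      assert:
        that:
          - connectivity_docker_base_path is defined
          - ansible_default_ipv4.address is defined
          - connectivity_docker_owner is defined
          - connectivity_docker_group is defined
        fail_msg: "Connectivity server requirements not met. Check host variables."

    - name: Display connectivity DNS setup information
      debug:
        msg: |
          Configuring DNS server on: {{ inventory_hostname }}
          IP Address: {{ ansible_default_ipv4.address }}
          Docker Base: {{ connectivity_docker_base_path }}
          User: {{ connectivity_docker_owner }}:{{ connectivity_docker_group }}

          DNS Configuration Tasks:
          - Stop systemd-resolved service
          - Configure local DNS settings
          - Set up DNS server infrastructure
          - Prepare for Pi-hole + Unbound deployment

  tasks:
    # Stop and disable systemd-resolved so port 53 is free for the DNS stack
    # and nothing rewrites /etc/resolv.conf behind our back.
    - name: Stop systemd-resolved service
      systemd:
        name: systemd-resolved
        state: stopped
        enabled: false
      when: connectivity_stop_resolvd | default(true)
      tags: ['dns', 'setup', 'resolvd']

    - name: Mask systemd-resolved to prevent restart
      systemd:
        name: systemd-resolved
        masked: true
      when: connectivity_stop_resolvd | default(true)
      tags: ['dns', 'setup', 'resolvd']

    # Configure local DNS settings
    - name: Check current state of /etc/resolv.conf
      stat:
        path: /etc/resolv.conf
      register: resolv_conf_stat
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'resolv']

    # On re-runs the file carries the immutable bit set further down, and
    # copy cannot replace an immutable file. Lift the flag first; skipped
    # when resolv.conf is still the systemd-resolved symlink, because chattr
    # does not operate on links.
    - name: Lift immutable flag from resolv.conf before rewriting it
      file:
        path: /etc/resolv.conf
        attributes: '-i'
      when:
        - connectivity_local_dns_setup | default(true)
        - resolv_conf_stat.stat.exists | default(false)
        - not (resolv_conf_stat.stat.islnk | default(false))
      tags: ['dns', 'setup', 'resolv']

    # Resolvers are tried in order, and glibc honours at most three
    # `nameserver` lines, so a fourth entry is never consulted. The public
    # fallbacks bypass the local (filtering) resolver whenever it is
    # unreachable; set connectivity_dns_fallback_servers: [] to force every
    # lookup through the local stack.
    - name: Create resolv.conf with local DNS
      copy:
        content: |
          # Local DNS server configuration
          nameserver 127.0.0.1
          nameserver {{ ansible_default_ipv4.address }}
          {% for fallback in connectivity_dns_fallback_servers | default(['1.1.1.1', '8.8.8.8']) %}
          nameserver {{ fallback }}
          {% endfor %}
          options edns0
          search home
        dest: /etc/resolv.conf
        owner: root
        group: root
        mode: '0644'
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'resolv']

    # The file module's `attributes` takes chattr flag letters; `+i` is the
    # immutable bit. (The previous value, the word "immutable", is not a
    # valid chattr flag string.)
    - name: Prevent resolv.conf from being overwritten
      file:
        path: /etc/resolv.conf
        attributes: '+i'
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'resolv']

    # NetworkManager only honours dns= inside the [main] section; lineinfile
    # knows nothing about INI sections, so make sure the header exists and
    # anchor the setting directly under it.
    - name: Ensure NetworkManager.conf has a [main] section
      lineinfile:
        path: /etc/NetworkManager/NetworkManager.conf
        regexp: '^\[main\]'
        line: '[main]'
        insertbefore: BOF
        create: true
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'networkmanager']

    - name: Configure NetworkManager to use local DNS
      lineinfile:
        path: /etc/NetworkManager/NetworkManager.conf
        regexp: '^dns='
        line: 'dns=none'
        insertafter: '^\[main\]'
        create: true
      when: connectivity_local_dns_setup | default(true)
      notify: Restart NetworkManager
      tags: ['dns', 'setup', 'networkmanager']

    # The restart runs through the handler only when the config actually
    # changed (the old unconditional restart was not idempotent); flush it
    # here so the verification below observes the final state.
    - name: Apply NetworkManager changes before verification
      meta: flush_handlers
      tags: ['dns', 'setup', 'networkmanager']

    - name: Verify DNS configuration
      command: cat /etc/resolv.conf
      register: resolv_conf_content
      changed_when: false
      tags: ['dns', 'verification']

    - name: Display DNS configuration status
      debug:
        msg: |
          DNS Server Configuration Complete:
          - systemd-resolved: Stopped and masked
          - Local DNS: Configured to use 127.0.0.1 and {{ ansible_default_ipv4.address }}
          - Fallback DNS: {{ connectivity_dns_fallback_servers | default(['1.1.1.1', '8.8.8.8']) | join(', ') }}
          - resolv.conf protected from modification
          - NetworkManager configured for manual DNS

          Current resolv.conf:
          {{ resolv_conf_content.stdout }}
      tags: ['dns', 'info']

  handlers:
    - name: Restart NetworkManager
      systemd:
        name: NetworkManager
        state: restarted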
118
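# PHASE 2: Deploy connectivity services
- name: Connectivity Services Deployment
  hosts: connectivity_servers
  become: true
  gather_facts: true  # needed for ansible_default_ipv4

  vars:
    # Override defaults for connectivity-specific deployment. Play-level vars
    # outrank inventory and host_vars; use group_vars for per-host opt-outs.
    connectivity_enabled: true
    connectivity_wireguard_enabled: true
    connectivity_nginx_proxy_enabled: true
    connectivity_dns_stack_enabled: true

  pre_tasks:
    - name: Verify connectivity server requirements
      assert:
        that:
          - connectivity_docker_base_path is defined
          - ansible_default_ipv4.address is defined
          - connectivity_docker_owner is defined
          - connectivity_docker_group is defined
        fail_msg: "Connectivity server requirements not met. Check host variables."

    - name: Display connectivity deployment information
      debug:
        msg: |
          Deploying Connectivity Services to: {{ inventory_hostname }}

          Server Information:
          - IP Address: {{ ansible_default_ipv4.address }}
          - Docker Base: {{ connectivity_docker_base_path }}
          - User: {{ connectivity_docker_owner }}:{{ connectivity_docker_group }}
          - DNS Server: Configured and ready

          Services to Deploy:
          {% if connectivity_wireguard_enabled | default(true) %}
          - WireGuard VPN (Port {{ connectivity_wireguard_port | default(51820) }} UDP)
          - WireGuard Web UI (Port {{ connectivity_wireguard_web_port | default(51821) }} TCP)
          {% endif %}
          {% if connectivity_nginx_proxy_enabled | default(true) %}
          - Nginx Proxy Manager:
            * Admin UI (Port {{ connectivity_nginx_proxy_admin_port | default(81) }})
            * HTTP Proxy (Port {{ connectivity_nginx_proxy_http_port | default(80) }})
            * HTTPS Proxy (Port {{ connectivity_nginx_proxy_https_port | default(443) }})
          {% endif %}
          {% if connectivity_dns_stack_enabled | default(true) %}
          - DNS Stack:
            * Pi-hole DNS (Port {{ connectivity_pihole_dns_port | default(53) }} UDP/TCP)
            * Pi-hole Web UI (Port {{ connectivity_pihole_web_port | default(8080) }})
            * Unbound Recursive DNS (Port {{ connectivity_unbound_port | default(5335) }})
          {% endif %}

          Security Features:
          - Firewall rules configured for all services
          - Docker container isolation
          - Service-specific user permissions
          - Encrypted VPN connections
          - DNS-over-TLS with Unbound

          Directory Structure:
          - Service configs: {{ connectivity_docker_base_path }}/[service-name]
          - Environment files: {{ connectivity_docker_base_path }}/[service-name]/.env
          - Backup configuration: {{ connectivity_docker_base_path }}/backups/

  roles:
    # Core prerequisites
    - role: user
      tags: ['core', 'user']

    - role: system
      tags: ['core', 'system']

    - role: geerlingguy.docker
      tags: ['core', 'docker']

    - role: docker-framework
      tags: ['core', 'docker', 'framework']

    - role: geerlingguy.security
      tags: ['core', 'security']

    # Connectivity-specific services
    - role: connectivity
      tags: ['connectivity', 'dns', 'vpn', 'proxy']

  post_tasks:
    - name: Verify core services are running
      systemd:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - docker
        - NetworkManager
      tags: ['verification', 'monitoring']

    # Requires `dig` on the target; if it is missing the command fails and
    # the summary below reports the resolver as not responding.
    - name: Verify DNS server is responding
      command: dig @127.0.0.1 google.com +short
      register: local_dns_test
      changed_when: false
      ignore_errors: true
      tags: ['verification', 'dns']

    - name: Generate connectivity access summary
      template:
        # Relative paths are resolved from the playbook directory. The path
        # used to be assembled from a task-level `role_path` override, which
        # shadows Ansible's magic variable of that name; the value is the same.
        src: roles/connectivity/templates/connectivity-access-summary.txt.j2
        dest: "{{ connectivity_docker_base_path }}/connectivity-access-info.txt"
        owner: "{{ connectivity_docker_owner }}"
        group: "{{ connectivity_docker_group }}"
        # NOTE(review): tighten to '0640' if the template renders credentials.
        mode: '0644'
      tags: ['summary']

    # `retries`/`delay` only take effect together with `until`; without it
    # each endpoint was probed exactly once.
    - name: Wait for all connectivity services to be healthy
      uri:
        url: "http://{{ ansible_default_ipv4.address }}:{{ item.port }}{{ item.path | default('') }}"
        method: GET
        status_code: [200, 302, 401]  # Some services redirect or require auth
      register: connectivity_health
      until: connectivity_health is success
      retries: 15
      delay: 10
      loop:
        - port: "{{ connectivity_wireguard_web_port | default(51821) }}"
          path: "/"
          service: "WireGuard Web UI"
        - port: "{{ connectivity_nginx_proxy_admin_port | default(81) }}"
          path: "/"
          service: "Nginx Proxy Manager"
        - port: "{{ connectivity_pihole_web_port | default(8080) }}"
          path: "/admin"
          service: "Pi-hole"
      loop_control:
        label: "{{ item.service }}"
      ignore_errors: true
      tags: ['verification', 'health-check']

    # debug output ends up in terminal scrollback, CI logs and callback
    # plugins, so the Pi-hole password itself is never echoed here; only
    # whether it has been supplied.
    - name: Display deployment completion summary
      debug:
        msg: |
          Connectivity Services Deployment Complete!

          Server: {{ inventory_hostname }} ({{ ansible_default_ipv4.address }})

          Service Status:
          - DNS Server: {{ 'Responding' if (local_dns_test.rc | default(1)) == 0 else 'Not responding' }}
          - Docker: Active
          - NetworkManager: Active

          Access Information:
          {% if connectivity_wireguard_enabled | default(true) %}
          - WireGuard VPN: udp://{{ ansible_default_ipv4.address }}:{{ connectivity_wireguard_port | default(51820) }}
          - WireGuard Web UI: http://{{ ansible_default_ipv4.address }}:{{ connectivity_wireguard_web_port | default(51821) }}
          {% endif %}
          {% if connectivity_nginx_proxy_enabled | default(true) %}
          - Nginx Proxy Manager: http://{{ ansible_default_ipv4.address }}:{{ connectivity_nginx_proxy_admin_port | default(81) }}
          - HTTP Proxy: http://{{ ansible_default_ipv4.address }}:{{ connectivity_nginx_proxy_http_port | default(80) }}
          - HTTPS Proxy: https://{{ ansible_default_ipv4.address }}:{{ connectivity_nginx_proxy_https_port | default(443) }}
          {% endif %}
          {% if connectivity_dns_stack_enabled | default(true) %}
          - Pi-hole Admin: http://{{ ansible_default_ipv4.address }}:{{ connectivity_pihole_web_port | default(8080) }}/admin
          - Pi-hole Password: {{ 'Set (see vault)' if connectivity_pihole_password is defined else 'Not set - define connectivity_pihole_password in vault' }}
          - DNS Server: {{ ansible_default_ipv4.address }}:{{ connectivity_pihole_dns_port | default(53) }}
          {% endif %}

          File Locations:
          - Docker Configs: {{ connectivity_docker_base_path }}
          - Access Info: {{ connectivity_docker_base_path }}/connectivity-access-info.txt

          Security Notes:
          - systemd-resolved disabled and masked
          - Local DNS server configured
          - Firewall rules configured for all services
          - All services running in Docker containers

          Management Commands:
          - Restart All: docker restart $(docker ps -q)
          - View Logs: docker compose logs -f (in service directories)

          Important Notes:
          - Configure client devices to use {{ ansible_default_ipv4.address }} as DNS server
          - Set up WireGuard clients using the Web UI
          - Configure reverse proxy rules in Nginx Proxy Manager
          - Customize Pi-hole blocklists and local DNS entries
          - Monitor service logs for connectivity issues
      tags: ['always']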