server_automation

This repo holds my server automations and setup.

connectivity.yml
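---
# Connectivity Services Playbook
# Comprehensive deployment for DNS, VPN, and proxy services
#
# Two plays run against the same host group:
#   1. host resolver configuration (stop systemd-resolved, point
#      /etc/resolv.conf at the local DNS stack, keep NetworkManager away)
#   2. service deployment through roles, followed by verification tasks

# PHASE 1: DNS Server Configuration (stop resolvd, set local DNS)
- name: Connectivity Server DNS Configuration
  hosts: connectivity_servers
  become: true
  gather_facts: true

  vars:
    # Feature switches for this play. Each task re-reads them with
    # `| default(true)` so inventory / extra-vars overrides still apply.
    # NOTE(review): connectivity_dns_server_enabled is not referenced by any
    # task in this play — presumably consumed by the connectivity role; verify.
    connectivity_dns_server_enabled: true
    connectivity_stop_resolvd: true
    connectivity_local_dns_setup: true

  pre_tasks:
    - name: Verify connectivity server requirements
      assert:
        that:
          - connectivity_docker_base_path is defined
          - ansible_default_ipv4.address is defined
          - connectivity_docker_owner is defined
          - connectivity_docker_group is defined
        fail_msg: "Connectivity server requirements not met. Check host variables."

    - name: Display connectivity DNS setup information
      debug:
        msg: |
          Configuring DNS server on: {{ inventory_hostname }}
          IP Address: {{ ansible_default_ipv4.address }}
          Docker Base: {{ connectivity_docker_base_path }}
          User: {{ connectivity_docker_owner }}:{{ connectivity_docker_group }}

          DNS Configuration Tasks:
          - Stop systemd-resolved service
          - Configure local DNS settings
          - Set up DNS server infrastructure
          - Prepare for Pi-hole + Unbound deployment

  tasks:
    # Stop and disable systemd-resolved so port 53 and /etc/resolv.conf are
    # free for the local DNS stack. Stop/disable first, then mask, so the two
    # operations do not contend on the same unit in one module call.
    - name: Stop systemd-resolved service
      systemd:
        name: systemd-resolved
        state: stopped
        enabled: false
      when: connectivity_stop_resolvd | default(true)
      tags: ['dns', 'setup', 'resolvd']

    - name: Mask systemd-resolved to prevent restart
      systemd:
        name: systemd-resolved
        masked: true
      when: connectivity_stop_resolvd | default(true)
      tags: ['dns', 'setup', 'resolvd']

    # Configure local DNS settings.
    # /etc/resolv.conf is made immutable at the end of this play, so on every
    # re-run the bit has to be cleared first or the copy below fails with
    # "Operation not permitted". `stat` reports the flag as the word
    # "immutable"; `file` expects chattr syntax ('-i' / '+i').
    - name: Check current resolv.conf attributes
      stat:
        path: /etc/resolv.conf
      register: resolv_conf_stat
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'resolv']

    - name: Clear immutable bit on resolv.conf before rewriting it
      file:
        path: /etc/resolv.conf
        attributes: '-i'
      when:
        - connectivity_local_dns_setup | default(true)
        - "'immutable' in ((resolv_conf_stat.stat | default({})).attributes | default([]))"
      tags: ['dns', 'setup', 'resolv']

    # NOTE(review): the public fallbacks (1.1.1.1, 8.8.8.8) mean that whenever
    # the local resolver is down or slow, glibc fails over to them and queries
    # silently bypass Pi-hole filtering. glibc also honours at most three
    # nameserver lines, so the fourth entry is never used. Keep the fallbacks
    # for bootstrap only and consider removing them once phase 2 is verified.
    - name: Create resolv.conf with local DNS
      copy:
        content: |
          # Local DNS server configuration
          nameserver 127.0.0.1
          nameserver {{ ansible_default_ipv4.address }}
          nameserver 1.1.1.1
          nameserver 8.8.8.8
          options edns0
          search home
        dest: /etc/resolv.conf
        owner: root
        group: root
        mode: '0644'
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'resolv']

    # chattr +i: nothing (NetworkManager, DHCP hooks, resolvconf) can rewrite
    # the file until the bit is cleared again at the top of this play.
    - name: Prevent resolv.conf from being overwritten
      file:
        path: /etc/resolv.conf
        attributes: '+i'
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'resolv']

    # NetworkManager only honours `dns=` inside the [main] section, so make
    # sure that header exists and insert the key right after it instead of
    # appending it at end-of-file where it may land in another section.
    # NOTE(review): this assumes NetworkManager is installed on the host;
    # `create: true` does not create /etc/NetworkManager itself.
    - name: Ensure NetworkManager.conf has a [main] section
      lineinfile:
        path: /etc/NetworkManager/NetworkManager.conf
        regexp: '^\[main\]'
        line: '[main]'
        insertbefore: BOF
        create: true
      register: nm_main_section
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'networkmanager']

    - name: Configure NetworkManager to use local DNS
      lineinfile:
        path: /etc/NetworkManager/NetworkManager.conf
        regexp: '^dns='
        line: 'dns=none'
        insertafter: '^\[main\]'
      register: nm_dns_setting
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'networkmanager']

    # Restart only when the configuration actually changed; an unconditional
    # restart drops active connections on every run of the playbook.
    - name: Restart NetworkManager to apply DNS changes
      systemd:
        name: NetworkManager
        state: restarted
      when:
        - connectivity_local_dns_setup | default(true)
        - nm_main_section is changed or nm_dns_setting is changed
      tags: ['dns', 'setup', 'networkmanager']

    - name: Verify DNS configuration
      command: cat /etc/resolv.conf
      register: resolv_conf_content
      changed_when: false
      tags: ['dns', 'verification']

    # `default` guards the case where only the 'info' tag is selected and the
    # verification task above never ran.
    - name: Display DNS configuration status
      debug:
        msg: |
          DNS Server Configuration Complete:
          - systemd-resolved: Stopped and masked
          - Local DNS: Configured to use 127.0.0.1 and {{ ansible_default_ipv4.address }}
          - Fallback DNS: 1.1.1.1, 8.8.8.8
          - resolv.conf protected from modification
          - NetworkManager configured for manual DNS

          Current resolv.conf:
          {{ resolv_conf_content.stdout | default('(not captured in this run)') }}
      tags: ['dns', 'info']
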
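# PHASE 2: Deploy connectivity services
- name: Connectivity Services Deployment
  hosts: connectivity_servers
  become: true
  gather_facts: true

  vars:
    # Override defaults for connectivity-specific deployment
    connectivity_enabled: true
    connectivity_wireguard_enabled: true
    connectivity_nginx_proxy_enabled: true
    connectivity_dns_stack_enabled: true

  pre_tasks:
    - name: Verify connectivity server requirements
      assert:
        that:
          - connectivity_docker_base_path is defined
          - ansible_default_ipv4.address is defined
          - connectivity_docker_owner is defined
          - connectivity_docker_group is defined
        fail_msg: "Connectivity server requirements not met. Check host variables."

    - name: Display connectivity deployment information
      debug:
        msg: |
          🚀 Deploying Connectivity Services to: {{ inventory_hostname }}

          📊 Server Information:
          - IP Address: {{ ansible_default_ipv4.address }}
          - Docker Base: {{ connectivity_docker_base_path }}
          - User: {{ connectivity_docker_owner }}:{{ connectivity_docker_group }}
          - DNS Server: Configured and ready

          🌐 Services to Deploy:
          {% if connectivity_wireguard_enabled | default(true) %}
          - WireGuard VPN (Port {{ connectivity_wireguard_port | default(51820) }} UDP)
          - WireGuard Web UI (Port {{ connectivity_wireguard_web_port | default(51821) }} TCP)
          {% endif %}
          {% if connectivity_nginx_proxy_enabled | default(true) %}
          - Nginx Proxy Manager:
            * Admin UI (Port {{ connectivity_nginx_proxy_admin_port | default(81) }})
            * HTTP Proxy (Port {{ connectivity_nginx_proxy_http_port | default(80) }})
            * HTTPS Proxy (Port {{ connectivity_nginx_proxy_https_port | default(443) }})
          {% endif %}
          {% if connectivity_dns_stack_enabled | default(true) %}
          - DNS Stack:
            * Pi-hole DNS (Port {{ connectivity_pihole_dns_port | default(53) }} UDP/TCP)
            * Pi-hole Web UI (Port {{ connectivity_pihole_web_port | default(8080) }})
            * Unbound Recursive DNS (Port {{ connectivity_unbound_port | default(5335) }})
          {% endif %}

          🛡️  Security Features:
          - Firewall rules configured for all services
          - Docker container isolation
          - Service-specific user permissions
          - Encrypted VPN connections
          - DNS-over-TLS with Unbound

          📁 Directory Structure:
          - Service configs: {{ connectivity_docker_base_path }}/[service-name]
          - Environment files: {{ connectivity_docker_base_path }}/[service-name]/.env
          - Backup configuration: {{ connectivity_docker_base_path }}/backups/

  roles:
    # Core prerequisites
    - role: user
      tags: ['core', 'user']

    - role: system
      tags: ['core', 'system']

    - role: geerlingguy.docker
      tags: ['core', 'docker']

    - role: docker-framework
      tags: ['core', 'docker', 'framework']

    - role: geerlingguy.security
      tags: ['core', 'security']

    # Connectivity-specific services
    - role: connectivity
      tags: ['connectivity', 'dns', 'vpn', 'proxy']

  post_tasks:
    - name: Verify core services are running
      systemd:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - docker
        - NetworkManager
      tags: ['verification', 'monitoring']

    # `dig` may be missing or the resolver may not be up yet. `failed_when:
    # false` records the result (including `rc`) for the summary below
    # without marking the task as failed.
    - name: Verify DNS server is responding
      command: dig @127.0.0.1 google.com +short
      register: local_dns_test
      changed_when: false
      failed_when: false
      tags: ['verification', 'dns']

    # The template lives in the connectivity role but is rendered from a play
    # task, so the path is given relative to the playbook directory instead of
    # shadowing the `role_path` magic variable.
    # NOTE(review): the rendered summary lists service endpoints and may carry
    # credentials — confirm against the template and tighten the mode (0640)
    # if it does.
    - name: Generate connectivity access summary
      template:
        src: "roles/connectivity/templates/connectivity-access-summary.txt.j2"
        dest: "{{ connectivity_docker_base_path }}/connectivity-access-info.txt"
        owner: "{{ connectivity_docker_owner }}"
        group: "{{ connectivity_docker_group }}"
        mode: '0644'
      tags: ['summary']

    # `retries`/`delay` only take effect together with `until` on ansible-core
    # releases that require an explicit `until`; without it the check ran
    # exactly once and the "wait" was a no-op.
    - name: Wait for all connectivity services to be healthy
      uri:
        url: "http://{{ ansible_default_ipv4.address }}:{{ item.port }}{{ item.path | default('') }}"
        method: GET
        status_code: [200, 302, 401]  # Some services redirect or require auth
      register: connectivity_health
      until: connectivity_health is succeeded
      retries: 15
      delay: 10
      ignore_errors: true
      loop:
        - { port: "{{ connectivity_wireguard_web_port | default(51821) }}", path: "/", service: "WireGuard Web UI" }
        - { port: "{{ connectivity_nginx_proxy_admin_port | default(81) }}", path: "/", service: "Nginx Proxy Manager" }
        - { port: "{{ connectivity_pihole_web_port | default(8080) }}", path: "/admin", service: "Pi-hole" }
      loop_control:
        label: "{{ item.service }} ({{ item.port }})"
      tags: ['verification', 'health-check']

    # Runs under 'always', so every registered variable it reads is defaulted:
    # with a tag subset the verification tasks above may not have run.
    # The Pi-hole password is deliberately not echoed — debug output ends up
    # in CI logs and terminal scrollback.
    - name: Display deployment completion summary
      debug:
        msg: |
          🚀 Connectivity Services Deployment Complete!

          Server: {{ inventory_hostname }} ({{ ansible_default_ipv4.address }})

          📊 Service Status:
          - DNS Server: {{ 'Responding' if (local_dns_test.rc | default(1)) == 0 else 'Not responding or not tested' }}
          - Docker: Active
          - NetworkManager: Active

          🌐 Access Information:
          {% if connectivity_wireguard_enabled | default(true) %}
          - WireGuard VPN: udp://{{ ansible_default_ipv4.address }}:{{ connectivity_wireguard_port | default(51820) }}
          - WireGuard Web UI: http://{{ ansible_default_ipv4.address }}:{{ connectivity_wireguard_web_port | default(51821) }}
          {% endif %}
          {% if connectivity_nginx_proxy_enabled | default(true) %}
          - Nginx Proxy Manager: http://{{ ansible_default_ipv4.address }}:{{ connectivity_nginx_proxy_admin_port | default(81) }}
          - HTTP Proxy: http://{{ ansible_default_ipv4.address }}:{{ connectivity_nginx_proxy_http_port | default(80) }}
          - HTTPS Proxy: https://{{ ansible_default_ipv4.address }}:{{ connectivity_nginx_proxy_https_port | default(443) }}
          {% endif %}
          {% if connectivity_dns_stack_enabled | default(true) %}
          - Pi-hole Admin: http://{{ ansible_default_ipv4.address }}:{{ connectivity_pihole_web_port | default(8080) }}/admin
          - Pi-hole Password: set via the vault variable connectivity_pihole_password (not shown)
          - DNS Server: {{ ansible_default_ipv4.address }}:{{ connectivity_pihole_dns_port | default(53) }}
          {% endif %}

          📂 File Locations:
          - Docker Configs: {{ connectivity_docker_base_path }}
          - Access Info: {{ connectivity_docker_base_path }}/connectivity-access-info.txt

          🛡️  Security Notes:
          - systemd-resolved disabled and masked
          - Local DNS server configured
          - Firewall rules configured for all services
          - All services running in Docker containers

          🔧 Management Commands:
          - Restart All: docker restart $(docker ps -q)
          - View Logs: docker compose logs -f (in service directories)

          💡 Important Notes:
          - Configure client devices to use {{ ansible_default_ipv4.address }} as DNS server
          - Set up WireGuard clients using the Web UI
          - Configure reverse proxy rules in Nginx Proxy Manager
          - Customize Pi-hole blocklists and local DNS entries
          - Monitor service logs for connectivity issues
      tags: ['always']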