This repo is for my server automation and setup.
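---
# Connectivity Services Playbook
# Comprehensive deployment for DNS, VPN, and proxy services

# PHASE 1: DNS Server Configuration (stop resolvd, set local DNS)
#
# Takes the host resolver over from systemd-resolved so that the Pi-hole +
# Unbound stack deployed in phase 2 becomes the system resolver. Every task is
# gated on the two play vars below (plus their `default(true)` fallbacks), so a
# host that manages its own resolver can opt out through host/group vars.
- name: Connectivity Server DNS Configuration
  hosts: connectivity_servers
  become: true
  gather_facts: true

  vars:
    # Enable DNS server configuration
    connectivity_dns_server_enabled: true
    connectivity_stop_resolvd: true
    connectivity_local_dns_setup: true
    # Public resolvers written after the two local entries. They keep the host
    # resolving while Pi-hole is not up yet (phase 2 pulls container images),
    # but any query that falls through to them bypasses Pi-hole filtering and
    # leaves the network in clear text. Override with an empty list to disable.
    # glibc honours at most three `nameserver` lines, so with the two local
    # entries only the first fallback is ever consulted.
    connectivity_dns_fallback_servers:
      - 1.1.1.1
      - 8.8.8.8

  pre_tasks:
    - name: Verify connectivity server requirements
      ansible.builtin.assert:
        that:
          - connectivity_docker_base_path is defined
          - ansible_default_ipv4.address is defined
          - connectivity_docker_owner is defined
          - connectivity_docker_group is defined
        fail_msg: "Connectivity server requirements not met. Check host variables."

    - name: Display connectivity DNS setup information
      ansible.builtin.debug:
        msg: |
          Configuring DNS server on: {{ inventory_hostname }}
          IP Address: {{ ansible_default_ipv4.address }}
          Docker Base: {{ connectivity_docker_base_path }}
          User: {{ connectivity_docker_owner }}:{{ connectivity_docker_group }}

          DNS Configuration Tasks:
          - Stop systemd-resolved service
          - Configure local DNS settings
          - Set up DNS server infrastructure
          - Prepare for Pi-hole + Unbound deployment

  tasks:
    # Stop and disable systemd-resolved. Its stub listener would otherwise keep
    # /etc/resolv.conf pointing at itself and hold port 53 on the host.
    - name: Stop systemd-resolved service
      ansible.builtin.systemd:
        name: systemd-resolved
        state: stopped
        enabled: false
      when: connectivity_stop_resolvd | default(true)
      tags: ['dns', 'setup', 'resolvd']

    - name: Mask systemd-resolved to prevent restart
      ansible.builtin.systemd:
        name: systemd-resolved
        masked: true
      when: connectivity_stop_resolvd | default(true)
      tags: ['dns', 'setup', 'resolvd']

    # Configure local DNS settings. /etc/resolv.conf is made immutable at the
    # end of this section, so a re-run has to lift the flag first; otherwise
    # the copy below fails with EPERM as soon as the rendered content changes.
    - name: Check current state of /etc/resolv.conf
      ansible.builtin.stat:
        path: /etc/resolv.conf
      register: resolv_conf_stat
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'resolv']

    - name: Clear immutable flag from resolv.conf before rewriting it
      ansible.builtin.file:
        path: /etc/resolv.conf
        attributes: '-i'
      when:
        - connectivity_local_dns_setup | default(true)
        - resolv_conf_stat.stat.exists | default(false)
        # A symlink (the systemd-resolved default) lives on tmpfs, where chattr
        # is not supported; the copy below replaces it with a regular file.
        - not (resolv_conf_stat.stat.islnk | default(false))
        - "'immutable' in (resolv_conf_stat.stat.attributes | default([]))"
      tags: ['dns', 'setup', 'resolv']

    - name: Create resolv.conf with local DNS
      ansible.builtin.copy:
        content: |
          # Local DNS server configuration
          nameserver 127.0.0.1
          nameserver {{ ansible_default_ipv4.address }}
          {% for fallback in connectivity_dns_fallback_servers | default(['1.1.1.1', '8.8.8.8']) %}
          nameserver {{ fallback }}
          {% endfor %}
          options edns0
          search home
        dest: /etc/resolv.conf
        # Do not write through the systemd-resolved symlink; replace it.
        follow: false
        owner: root
        group: root
        mode: '0644'
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'resolv']

    - name: Prevent resolv.conf from being overwritten
      ansible.builtin.file:
        path: /etc/resolv.conf
        # The file module takes chattr-style flags; "immutable" is not a valid
        # value and made this task error out.
        attributes: '+i'
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'resolv']

    # NetworkManager is assumed to be installed (the unit is restarted below
    # and checked again in phase 2) — confirm for hosts using networkd/netplan.
    - name: Ensure NetworkManager [main] section exists
      ansible.builtin.lineinfile:
        path: /etc/NetworkManager/NetworkManager.conf
        regexp: '^\[main\]'
        line: '[main]'
        insertbefore: BOF
        create: true
        mode: '0644'
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'networkmanager']

    - name: Configure NetworkManager to use local DNS
      ansible.builtin.lineinfile:
        path: /etc/NetworkManager/NetworkManager.conf
        regexp: '^dns='
        line: 'dns=none'
        # Keep the key under [main]; a line appended at EOF could land in
        # another section and be silently ignored.
        insertafter: '^\[main\]'
        create: true
      register: networkmanager_dns_conf
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'networkmanager']

    # Only bounce the service when its configuration actually changed, so an
    # idempotent re-run does not drop the host's network connections.
    - name: Restart NetworkManager to apply DNS changes
      ansible.builtin.systemd:
        name: NetworkManager
        state: restarted
      when:
        - connectivity_local_dns_setup | default(true)
        - networkmanager_dns_conf is changed
      tags: ['dns', 'setup', 'networkmanager']

    - name: Verify DNS configuration
      ansible.builtin.slurp:
        src: /etc/resolv.conf
      register: resolv_conf_content
      tags: ['dns', 'verification']

    - name: Display DNS configuration status
      ansible.builtin.debug:
        msg: |
          DNS Server Configuration Complete:
          - systemd-resolved: Stopped and masked
          - Local DNS: Configured to use 127.0.0.1 and {{ ansible_default_ipv4.address }}
          - Fallback DNS: {{ connectivity_dns_fallback_servers | default(['1.1.1.1', '8.8.8.8']) | join(', ') }}
          - resolv.conf protected from modification
          - NetworkManager configured for manual DNS

          Current resolv.conf:
          {{ resolv_conf_content.content | default('') | b64decode }}
      tags: ['dns', 'info']
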
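# PHASE 2: Deploy connectivity services
#
# Runs the shared base roles and then the `connectivity` role, verifies the
# resulting services and prints an access summary. Facts are required for
# `ansible_default_ipv4`, which every URL below is built from.
- name: Connectivity Services Deployment
  hosts: connectivity_servers
  become: true
  gather_facts: true

  vars:
    # Override defaults for connectivity-specific deployment
    connectivity_enabled: true
    connectivity_wireguard_enabled: true
    connectivity_nginx_proxy_enabled: true
    connectivity_dns_stack_enabled: true

  pre_tasks:
    - name: Verify connectivity server requirements
      ansible.builtin.assert:
        that:
          - connectivity_docker_base_path is defined
          - ansible_default_ipv4.address is defined
          - connectivity_docker_owner is defined
          - connectivity_docker_group is defined
        fail_msg: "Connectivity server requirements not met. Check host variables."

    - name: Display connectivity deployment information
      ansible.builtin.debug:
        msg: |
          Deploying Connectivity Services to: {{ inventory_hostname }}

          Server Information:
          - IP Address: {{ ansible_default_ipv4.address }}
          - Docker Base: {{ connectivity_docker_base_path }}
          - User: {{ connectivity_docker_owner }}:{{ connectivity_docker_group }}
          - DNS Server: Configured and ready

          Services to Deploy:
          {% if connectivity_wireguard_enabled | default(true) %}
          - WireGuard VPN (Port {{ connectivity_wireguard_port | default(51820) }} UDP)
          - WireGuard Web UI (Port {{ connectivity_wireguard_web_port | default(51821) }} TCP)
          {% endif %}
          {% if connectivity_nginx_proxy_enabled | default(true) %}
          - Nginx Proxy Manager:
            * Admin UI (Port {{ connectivity_nginx_proxy_admin_port | default(81) }})
            * HTTP Proxy (Port {{ connectivity_nginx_proxy_http_port | default(80) }})
            * HTTPS Proxy (Port {{ connectivity_nginx_proxy_https_port | default(443) }})
          {% endif %}
          {% if connectivity_dns_stack_enabled | default(true) %}
          - DNS Stack:
            * Pi-hole DNS (Port {{ connectivity_pihole_dns_port | default(53) }} UDP/TCP)
            * Pi-hole Web UI (Port {{ connectivity_pihole_web_port | default(8080) }})
            * Unbound Recursive DNS (Port {{ connectivity_unbound_port | default(5335) }})
          {% endif %}

          Security Features:
          - Firewall rules configured for all services
          - Docker container isolation
          - Service-specific user permissions
          - Encrypted VPN connections
          - DNS-over-TLS with Unbound

          Directory Structure:
          - Service configs: {{ connectivity_docker_base_path }}/[service-name]
          - Environment files: {{ connectivity_docker_base_path }}/[service-name]/.env
          - Management scripts: {{ connectivity_docker_base_path }}/scripts/
          - Backup configuration: {{ connectivity_docker_base_path }}/backups/

          Management Tools:
          - Health Check: {{ connectivity_docker_base_path }}/scripts/connectivity-health-check.sh
          - Status: {{ connectivity_docker_base_path }}/scripts/connectivity-status.sh
          - Logs: {{ connectivity_docker_base_path }}/scripts/connectivity-logs.sh
          - Restart: {{ connectivity_docker_base_path }}/scripts/connectivity-restart.sh

  roles:
    # Core prerequisites
    - role: user
      tags: ['core', 'user']

    - role: system
      tags: ['core', 'system']

    - role: geerlingguy.docker
      tags: ['core', 'docker']

    - role: docker-framework
      tags: ['core', 'docker', 'framework']

    - role: geerlingguy.security
      tags: ['core', 'security']

    # Connectivity-specific services
    - role: connectivity
      tags: ['connectivity', 'dns', 'vpn', 'proxy']

  post_tasks:
    - name: Verify core services are running
      ansible.builtin.systemd:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - docker
        - NetworkManager
      tags: ['verification', 'monitoring']

    # Best-effort probe; `rc` is consulted in the summary below. Requires `dig`
    # on the host — presumably provided by the system role, confirm.
    - name: Verify DNS server is responding
      ansible.builtin.command: dig @127.0.0.1 google.com +short
      register: local_dns_test
      changed_when: false
      failed_when: false
      tags: ['verification', 'dns']

    - name: Generate connectivity access summary
      ansible.builtin.template:
        src: "{{ connectivity_role_dir }}/templates/connectivity-access-summary.txt.j2"
        dest: "{{ connectivity_docker_base_path }}/connectivity-access-info.txt"
        owner: "{{ connectivity_docker_owner }}"
        group: "{{ connectivity_docker_group }}"
        # Not world-readable: the summary is assumed to carry credentials such
        # as the Pi-hole admin password — confirm against the template.
        mode: '0640'
      vars:
        # Plain task var; the previous name shadowed Ansible's magic `role_path`.
        connectivity_role_dir: "roles/connectivity"
      tags: ['summary']

    # These are `.j2` templates, so they must be rendered — `copy` shipped the
    # raw files with their Jinja placeholders intact.
    - name: Install connectivity management scripts system-wide
      ansible.builtin.template:
        src: "{{ connectivity_role_dir }}/templates/{{ item }}"
        dest: "/usr/local/bin/{{ item | regex_replace('\\.j2$', '') }}"
        owner: root
        group: root
        mode: '0755'
      loop:
        - connectivity-status.sh.j2
        - connectivity-logs.sh.j2
        - connectivity-restart.sh.j2
        - dns-test.sh.j2
      vars:
        connectivity_role_dir: "roles/connectivity"
      tags: ['management', 'scripts']

    # `retries`/`delay` are only honoured together with `until`; without it
    # the task made a single probe per service and never waited.
    - name: Wait for all connectivity services to be healthy
      ansible.builtin.uri:
        url: "http://{{ ansible_default_ipv4.address }}:{{ item.port }}{{ item.path | default('') }}"
        method: GET
        status_code: [200, 302, 401]  # Some services redirect or require auth
      loop:
        - port: "{{ connectivity_wireguard_web_port | default(51821) }}"
          path: "/"
          service: "WireGuard Web UI"
          enabled: "{{ connectivity_wireguard_enabled | default(true) }}"
        - port: "{{ connectivity_nginx_proxy_admin_port | default(81) }}"
          path: "/"
          service: "Nginx Proxy Manager"
          enabled: "{{ connectivity_nginx_proxy_enabled | default(true) }}"
        - port: "{{ connectivity_pihole_web_port | default(8080) }}"
          path: "/admin"
          service: "Pi-hole"
          enabled: "{{ connectivity_dns_stack_enabled | default(true) }}"
      loop_control:
        label: "{{ item.service }}"
      when: item.enabled | bool
      register: connectivity_health
      until: connectivity_health.status in [200, 302, 401]
      retries: 15
      delay: 10
      ignore_errors: true
      tags: ['verification', 'health-check']

    # The admin password is deliberately not echoed here: play output ends up
    # in CI logs and callback stores. It is written to the access-info file.
    - name: Display deployment completion summary
      ansible.builtin.debug:
        msg: |
          Connectivity Services Deployment Complete!

          Server: {{ inventory_hostname }} ({{ ansible_default_ipv4.address }})

          Service Status:
          - DNS Server: {{ 'Responding' if (local_dns_test.rc | default(1)) == 0 else 'Not responding' }}
          - Docker: Active
          - NetworkManager: Active

          Access Information:
          {% if connectivity_wireguard_enabled | default(true) %}
          - WireGuard VPN: udp://{{ ansible_default_ipv4.address }}:{{ connectivity_wireguard_port | default(51820) }}
          - WireGuard Web UI: http://{{ ansible_default_ipv4.address }}:{{ connectivity_wireguard_web_port | default(51821) }}
          {% endif %}
          {% if connectivity_nginx_proxy_enabled | default(true) %}
          - Nginx Proxy Manager: http://{{ ansible_default_ipv4.address }}:{{ connectivity_nginx_proxy_admin_port | default(81) }}
          - HTTP Proxy: http://{{ ansible_default_ipv4.address }}:{{ connectivity_nginx_proxy_http_port | default(80) }}
          - HTTPS Proxy: https://{{ ansible_default_ipv4.address }}:{{ connectivity_nginx_proxy_https_port | default(443) }}
          {% endif %}
          {% if connectivity_dns_stack_enabled | default(true) %}
          - Pi-hole Admin: http://{{ ansible_default_ipv4.address }}:{{ connectivity_pihole_web_port | default(8080) }}/admin
          - Pi-hole Password: stored in vault, see {{ connectivity_docker_base_path }}/connectivity-access-info.txt
          - DNS Server: {{ ansible_default_ipv4.address }}:{{ connectivity_pihole_dns_port | default(53) }}
          {% endif %}

          File Locations:
          - Docker Configs: {{ connectivity_docker_base_path }}
          - Access Info: {{ connectivity_docker_base_path }}/connectivity-access-info.txt
          - Health Check: {{ connectivity_docker_base_path }}/scripts/connectivity-health-check.sh
          - DNS Test: /usr/local/bin/dns-test.sh

          Security Notes:
          - systemd-resolved disabled and masked
          - Local DNS server configured
          - Firewall rules configured for all services
          - All services running in Docker containers

          Management Commands:
          - Health Check: {{ connectivity_docker_base_path }}/scripts/connectivity-health-check.sh
          - DNS Test: dns-test.sh
          - Restart All: docker restart $(docker ps -q)
          - View Logs: docker compose logs -f (in service directories)

          Important Notes:
          - Configure client devices to use {{ ansible_default_ipv4.address }} as DNS server
          - Set up WireGuard clients using the Web UI
          - Configure reverse proxy rules in Nginx Proxy Manager
          - Customize Pi-hole blocklists and local DNS entries
          - Monitor service logs for connectivity issues
      tags: ['always']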