server_automation

This repo is intended for my server automation and setup.

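---
# ============================================================================
# Entrance IoT Gateway Playbook
# ============================================================================
#
# Deploys Zigbee (Sonoff) and Matter over Thread (Home Assistant ZBT-1) gateway
# for entrance area IoT devices including smart locks, sensors, and energy monitoring
#
# PREREQUISITES:
# - Fresh Debian 11 or 12 installation
# - SSH access with sudo privileges for ansible_user
# - Internet connectivity for package downloads
# - Static IP address recommended
# - Sonoff Zigbee dongle and ZBT-1 Thread adapter connected via USB
#
# VARIABLES:
# - ha_edge_user, ha_edge_groups, ha_edge_timezone, enable_z2m, enable_otbr,
#   enable_dsmr and the z2m_* / otbr_* / dsmr_* / mqtt_* / security_* settings
#   are not defined in this file; they are expected from inventory, group_vars
#   or the roles' defaults.
#
# ============================================================================

- name: "Entrance IoT Gateway Complete Setup"
  hosts: entrance_servers
  become: true
  gather_facts: true

  pre_tasks:
    # Fail before any role runs if the host cannot support the stack.
    - name: Verify entrance server requirements
      assert:
        that:
          - ansible_distribution in ["Debian", "Ubuntu"]
          - >-
            (ansible_distribution == "Debian" and ansible_distribution_major_version | int >= 11)
            or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int >= 20)
          - ansible_memtotal_mb >= 512  # Minimum 512MB RAM
          - ansible_processor_vcpus >= 1  # Minimum 1 CPU core
        fail_msg: |
          Entrance gateway system requirements not met:
          - Requires Debian 11+ or Ubuntu 20.04+
          - Minimum 512MB RAM (found {{ ansible_memtotal_mb }}MB)
          - Minimum 1 CPU core (found {{ ansible_processor_vcpus }})
        success_msg: "Entrance gateway system requirements validated successfully"
      tags: always

    # Defensive: hosts: already selects this group, but the check keeps the
    # play from running against other hosts if it is ever imported with a
    # different host pattern.
    - name: Verify server is in entrance_servers group
      fail:
        msg: "This server must be in the [entrance_servers] inventory group. Check your inventory/hosts file."
      when: "'entrance_servers' not in group_names"
      tags: always

    - name: Display entrance deployment information
      debug:
        msg: |
          ============================================================================
          Entrance IoT Gateway Installation Starting
          ============================================================================
          Target Host: {{ inventory_hostname }}
          Target IP: {{ ansible_default_ipv4.address }}
          OS: {{ ansible_distribution }} {{ ansible_distribution_version }}
          Architecture: {{ ansible_architecture }}
          User: {{ ha_edge_user }}
          Services to Deploy:
          - Zigbee2MQTT (Sonoff ZBDongle-E): {{ 'Enabled' if enable_z2m else 'Disabled' }}
          - OpenThread Border Router (ZBT-1): {{ 'Enabled' if enable_otbr else 'Disabled' }}
          - DSMR Reader (Energy Monitoring): {{ 'Enabled' if enable_dsmr else 'Disabled' }}
          ============================================================================
      tags: always

  # ============================================================================
  # ROLE EXECUTION ORDER (CRITICAL FOR PROPER INSTALLATION)
  # ============================================================================

  roles:
    # 1. SYSTEM SETUP - Basic system configuration and packages
    - role: system
      tags: [system, setup]

    # 2. DOCKER INSTALLATION - Install Docker using geerlingguy.docker
    - role: geerlingguy.docker
      tags: [docker, setup]

    # 3. USER MANAGEMENT - Create entrance gateway user with proper groups
    - role: user
      tags: [user, setup]

    # 4. DOCKER FRAMEWORK - Setup Docker directory structure
    - role: docker-framework
      tags: [docker, framework]

    # 5. SECURITY HARDENING - Apply security settings
    - role: geerlingguy.security
      tags: [security, hardening]

    # 6. ENTRANCE GATEWAY - Complete IoT gateway installation
    - role: entrance
      tags: [entrance, gateway, iot]

  # ============================================================================
  # POST-INSTALLATION TASKS
  # ============================================================================

  post_tasks:
    # state/enabled make this a convergence step as well as a check: a stopped
    # or disabled unit is started/enabled rather than only reported.
    - name: Verify core services are running
      systemd:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - docker
        - NetworkManager
      tags: [verification]

    # The command module does not run a shell, so "a && b" on one line would
    # hand the literal "&&" to udevadm; reload and trigger are separate tasks.
    - name: Reload UDEV rules
      command: udevadm control --reload-rules
      changed_when: false
      tags: [verification, udev]

    - name: Trigger UDEV events for connected devices
      command: udevadm trigger
      changed_when: false
      tags: [verification, udev]

    - name: Check for active USB devices
      command: lsusb
      register: usb_devices
      changed_when: false
      tags: [verification, hardware]

    # Registered so the completion summary below can report the version.
    - name: Record Docker version
      command: docker --version
      register: docker_version
      changed_when: false
      tags: [verification, docker]

    # !unsafe stops Ansible from templating the Go-template placeholders
    # ({{.Names}} / {{.Status}}), which Jinja2 would reject as a syntax error.
    - name: Verify Docker containers are running
      command: !unsafe 'docker ps --format "table {{.Names}}\t{{.Status}}"'
      register: docker_status
      changed_when: false
      tags: [verification, docker]

    - name: Display deployment completion summary
      debug:
        msg: |
          ============================================================================
          Entrance IoT Gateway Installation Complete!
          ============================================================================

          🏠 Entrance Gateway Access:
             Host: {{ inventory_hostname }}
             IP Address: {{ ansible_default_ipv4.address }}
             SSH Access: ssh {{ ha_edge_user }}@{{ ansible_default_ipv4.address }}

          🌐 Services Deployed:
          {% if enable_z2m %}
          - Zigbee2MQTT: Running on {{ ansible_default_ipv4.address }}:8080
            * Zigbee Coordinator: {{ z2m_serial_symlink }}
            * PAN ID: {{ z2m_pan_id }}
            * Channel: {{ z2m_channel }}
            * Adapter: {{ z2m_adapter }}
          {% endif %}
          {% if enable_otbr %}
          - OpenThread Border Router: Running
            * Thread Radio: {{ otbr_rcp_symlink }}
            * Border Routing: {{ 'Enabled' if otbr_enable_border_routing else 'Disabled' }}
            * Backbone Router: {{ 'Enabled' if otbr_enable_backbone_router else 'Disabled' }}
            * NAT64: {{ 'Enabled' if otbr_nat64 else 'Disabled' }}
          {% endif %}
          {% if enable_dsmr %}
          - DSMR Reader: Running on {{ ansible_default_ipv4.address }}:{{ dsmr_web_port }}
            * P1 Meter: {{ dsmr_serial_symlink }}
            * MQTT Prefix: {{ dsmr_mqtt_prefix }}
          {% endif %}

          🔧 System Information:
             OS: {{ ansible_distribution }} {{ ansible_distribution_version }}
             Architecture: {{ ansible_architecture }}
             User: {{ ha_edge_user }}
             Docker Version: {{ docker_version.stdout | default('Unknown') }}
             Timezone: {{ ha_edge_timezone }}

          📊 Hardware Status:
             USB Devices Detected:
             {{ usb_devices.stdout | default('None detected') | indent(14) }}

             Docker Containers:
             {{ docker_status.stdout | default('None running') | indent(14) }}

          📚 Next Steps:
             1. Configure MQTT credentials in vault for Zigbee2MQTT and DSMR Reader
             2. Pair Zigbee devices via Zigbee2MQTT web interface
             3. Configure Thread network settings if needed
             4. Set up energy monitoring in Home Assistant
             5. Configure firewall rules for service access

          💡 Useful Commands:
             - Check container status: docker ps
             - View Zigbee2MQTT logs: docker logs -f zigbee2mqtt
             - View OTBR logs: docker logs -f otbr
             - View DSMR logs: docker logs -f dsmr-reader
             - Check UDEV rules: udevadm info /dev/ttyZigbee
             - Monitor MQTT: mosquitto_sub -h {{ mqtt_host }} -t "#" -v

          ⚠️  Important Notes:
             - Ensure Zigbee and Thread adapters are properly connected
             - Configure MQTT broker credentials before starting services
             - Set proper PAN ID and channel for Zigbee network
             - Thread network may require additional configuration
             - Monitor logs for device pairing and connectivity issues

          ============================================================================
      tags: always

    # The details file lists SSH port, MQTT/DB hosts and the Zigbee PAN ID, so
    # it is written readable by the gateway user only (mode 0600).
    - name: Save installation details to file
      copy:
        content: |
          Entrance IoT Gateway Installation Details
          ========================================

          Installation Date: {{ ansible_date_time.iso8601 }}
          Host: {{ inventory_hostname }}
          IP Address: {{ ansible_default_ipv4.address }}
          OS: {{ ansible_distribution }} {{ ansible_distribution_version }}
          Architecture: {{ ansible_architecture }}

          User Configuration:
          - Username: {{ ha_edge_user }}
          - Groups: {{ ha_edge_groups | join(', ') }}
          - Sudo Access: Passwordless

          Service Configuration:
          {% if enable_z2m %}
          - Zigbee2MQTT:
            * Data Directory: {{ z2m_data_dir }}
            * Serial Device: {{ z2m_serial_symlink }}
            * PAN ID: {{ z2m_pan_id }}
            * Channel: {{ z2m_channel }}
            * Adapter: {{ z2m_adapter }}
            * MQTT Host: {{ mqtt_host }}:{{ mqtt_port }}
          {% endif %}
          {% if enable_otbr %}
          - OpenThread Border Router:
            * RCP Device: {{ otbr_rcp_symlink }}
            * Border Routing: {{ otbr_enable_border_routing }}
            * Backbone Router: {{ otbr_enable_backbone_router }}
            * NAT64: {{ otbr_nat64 }}
          {% endif %}
          {% if enable_dsmr %}
          - DSMR Reader:
            * Serial Device: {{ dsmr_serial_symlink }}
            * Web Port: {{ dsmr_web_port }}
            * MQTT Prefix: {{ dsmr_mqtt_prefix }}
            * Database Host: {{ dsmr_pg_host }}
          {% endif %}

          UDEV Rules:
          {% for rule in udev_rules %}
          - {{ rule.name }}: Vendor {{ rule.id_vendor }}, Product {{ rule.id_product }}
          {% endfor %}

          Docker Configuration:
          - Compose Root: {{ compose_root }}
          - Users with Access: {{ docker_users | join(', ') }}

          Security:
          - SSH Port: {{ security_ssh_port }}
          - Root Login: Disabled
          - Password Authentication: Disabled
          - Fail2ban: {{ security_fail2ban_enabled | default('Enabled') }}
          - Auto Updates: {{ security_autoupdate_enabled }}

          Useful Commands:
          - Check service status: docker ps
          - View service logs: docker logs -f [container-name]
          - Check USB devices: lsusb
          - Verify UDEV rules: udevadm info [device-path]
          - Monitor MQTT: mosquitto_sub -h {{ mqtt_host }} -t "#" -v

        dest: "/home/{{ ha_edge_user }}/entrance-gateway-installation-details.txt"
        owner: "{{ ha_edge_user }}"
        group: "{{ ha_edge_user }}"
        mode: "0600"
      tags: [entrance, documentation]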