This repo holds my server automation and setup code.
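---
# Connectivity Services Playbook
# Comprehensive deployment for DNS, VPN, and proxy services

# PHASE 1: DNS Server Configuration (stop resolvd, set local DNS)
#
# Ordering caveat: this play points the host at 127.0.0.1 for DNS before
# Pi-hole is deployed in PHASE 2. Until Pi-hole is listening, the host's own
# lookups (including the Docker image pulls in PHASE 2) only succeed by falling
# through to the public resolvers in resolv.conf after the local entries time out.
- name: Connectivity Server DNS Configuration
  hosts: connectivity_servers
  become: true
  gather_facts: true

  vars:
    # Enable DNS server configuration
    connectivity_dns_server_enabled: true
    connectivity_stop_resolvd: true
    connectivity_local_dns_setup: true

  pre_tasks:
    - name: Verify connectivity server requirements
      assert:
        that:
          - connectivity_docker_base_path is defined
          - ansible_default_ipv4.address is defined
          - connectivity_docker_owner is defined
          - connectivity_docker_group is defined
        fail_msg: "Connectivity server requirements not met. Check host variables."

    - name: Display connectivity DNS setup information
      debug:
        msg: |
          Configuring DNS server on: {{ inventory_hostname }}
          IP Address: {{ ansible_default_ipv4.address }}
          Docker Base: {{ connectivity_docker_base_path }}
          User: {{ connectivity_docker_owner }}:{{ connectivity_docker_group }}

          DNS Configuration Tasks:
          - Stop systemd-resolved service
          - Configure local DNS settings
          - Set up DNS server infrastructure
          - Prepare for Pi-hole + Unbound deployment

  tasks:
    # Stop and disable systemd-resolved
    - name: Stop systemd-resolved service
      systemd:
        name: systemd-resolved
        state: stopped
        enabled: false
      when: connectivity_stop_resolvd | default(true)
      tags: ['dns', 'setup', 'resolvd']

    - name: Mask systemd-resolved to prevent restart
      systemd:
        name: systemd-resolved
        masked: true
      when: connectivity_stop_resolvd | default(true)
      tags: ['dns', 'setup', 'resolvd']

    # Configure local DNS settings.
    # Look at what is currently at /etc/resolv.conf without following links:
    # under systemd-resolved it is usually a symlink into /run/systemd/resolve/,
    # and on a re-run of this play it is the immutable file written below.
    - name: Inspect existing /etc/resolv.conf
      stat:
        path: /etc/resolv.conf
        follow: false
      register: resolv_conf_stat
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'resolv']

    # Remove the systemd-resolved symlink so the copy below writes a real file
    # instead of following the link into tmpfs.
    - name: Remove resolv.conf symlink left by systemd-resolved
      file:
        path: /etc/resolv.conf
        state: absent
      when:
        - connectivity_local_dns_setup | default(true)
        - resolv_conf_stat.stat.islnk | default(false)
      tags: ['dns', 'setup', 'resolv']

    # The immutable attribute set further down blocks writes by root too, so
    # without this step a second run of the play fails at the copy task.
    - name: Clear immutable attribute on existing resolv.conf before rewriting
      file:
        path: /etc/resolv.conf
        attributes: '-i'
      when:
        - connectivity_local_dns_setup | default(true)
        - resolv_conf_stat.stat.isreg | default(false)
      tags: ['dns', 'setup', 'resolv']

    # glibc honours only the first three nameserver entries (MAXNS=3), so the
    # fourth entry below is never consulted. The public fallbacks also mean this
    # host's own lookups bypass Pi-hole filtering whenever the local entries
    # fail to answer.
    - name: Create resolv.conf with local DNS
      copy:
        content: |
          # Local DNS server configuration
          nameserver 127.0.0.1
          nameserver {{ ansible_default_ipv4.address }}
          nameserver 1.1.1.1
          nameserver 8.8.8.8
          options edns0
          search home
        dest: /etc/resolv.conf
        owner: root
        group: root
        mode: '0644'
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'resolv']

    # 'attributes' takes chattr flag letters, not words: chattr rejects the
    # string "immutable"; the immutable flag is "i".
    - name: Prevent resolv.conf from being overwritten
      file:
        path: /etc/resolv.conf
        attributes: 'i'
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'resolv']

    # dns=none is only honoured inside the [main] section. Writing a bare
    # "dns=none" line into a freshly created NetworkManager.conf leaves it
    # outside any section, so use a conf.d drop-in, which works regardless of
    # what NetworkManager.conf already contains. dns=none also stops
    # NetworkManager from touching resolv.conf (it implies rc-manager=unmanaged).
    # Assumes NetworkManager is installed; the restart below fails otherwise.
    - name: Configure NetworkManager to use local DNS
      copy:
        content: |
          [main]
          dns=none
        dest: /etc/NetworkManager/conf.d/90-connectivity-local-dns.conf
        owner: root
        group: root
        mode: '0644'
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'networkmanager']

    - name: Restart NetworkManager to apply DNS changes
      systemd:
        name: NetworkManager
        state: restarted
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'networkmanager']

    - name: Verify DNS configuration
      command: cat /etc/resolv.conf
      register: resolv_conf_content
      changed_when: false
      tags: ['dns', 'verification']

    # Guard the reference: in a tag-limited run (e.g. --tags info) the
    # verification task above is skipped and resolv_conf_content is undefined.
    - name: Display DNS configuration status
      debug:
        msg: |
          DNS Server Configuration Complete:
          - systemd-resolved: Stopped and masked
          - Local DNS: Configured to use 127.0.0.1 and {{ ansible_default_ipv4.address }}
          - Fallback DNS: 1.1.1.1, 8.8.8.8
          - resolv.conf protected from modification
          - NetworkManager configured for manual DNS

          Current resolv.conf:
          {{ resolv_conf_content.stdout | default('(verification task skipped)') }}
      tags: ['dns', 'info']
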
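# PHASE 2: Deploy connectivity services
- name: Connectivity Services Deployment
  hosts: connectivity_servers
  become: true
  gather_facts: true

  vars:
    # Override defaults for connectivity-specific deployment
    connectivity_enabled: true
    connectivity_wireguard_enabled: true
    connectivity_nginx_proxy_enabled: true
    connectivity_dns_stack_enabled: true

  pre_tasks:
    - name: Verify connectivity server requirements
      assert:
        that:
          - connectivity_docker_base_path is defined
          - ansible_default_ipv4.address is defined
          - connectivity_docker_owner is defined
          - connectivity_docker_group is defined
        fail_msg: "Connectivity server requirements not met. Check host variables."

    # The "Security Features" list below is informational only: nothing in this
    # play itself configures firewall rules or DNS-over-TLS. Whether those hold
    # depends on what the connectivity and geerlingguy.security roles do.
    - name: Display connectivity deployment information
      debug:
        msg: |
          Deploying Connectivity Services to: {{ inventory_hostname }}

          Server Information:
          - IP Address: {{ ansible_default_ipv4.address }}
          - Docker Base: {{ connectivity_docker_base_path }}
          - User: {{ connectivity_docker_owner }}:{{ connectivity_docker_group }}
          - DNS Server: Configured and ready

          Services to Deploy:
          {% if connectivity_wireguard_enabled | default(true) %}
          - WireGuard VPN (Port {{ connectivity_wireguard_port | default(51820) }} UDP)
          - WireGuard Web UI (Port {{ connectivity_wireguard_web_port | default(51821) }} TCP)
          {% endif %}
          {% if connectivity_nginx_proxy_enabled | default(true) %}
          - Nginx Proxy Manager:
            * Admin UI (Port {{ connectivity_nginx_proxy_admin_port | default(81) }})
            * HTTP Proxy (Port {{ connectivity_nginx_proxy_http_port | default(80) }})
            * HTTPS Proxy (Port {{ connectivity_nginx_proxy_https_port | default(443) }})
          {% endif %}
          {% if connectivity_dns_stack_enabled | default(true) %}
          - DNS Stack:
            * Pi-hole DNS (Port {{ connectivity_pihole_dns_port | default(53) }} UDP/TCP)
            * Pi-hole Web UI (Port {{ connectivity_pihole_web_port | default(8080) }})
            * Unbound Recursive DNS (Port {{ connectivity_unbound_port | default(5335) }})
          {% endif %}

          Security Features:
          - Firewall rules configured for all services
          - Docker container isolation
          - Service-specific user permissions
          - Encrypted VPN connections
          - DNS-over-TLS with Unbound

          Directory Structure:
          - Service configs: {{ connectivity_docker_base_path }}/[service-name]
          - Environment files: {{ connectivity_docker_base_path }}/[service-name]/.env
          - Backup configuration: {{ connectivity_docker_base_path }}/backups/

  roles:
    # Core prerequisites
    - role: user
      tags: ['core', 'user']

    - role: system
      tags: ['core', 'system']

    - role: geerlingguy.docker
      tags: ['core', 'docker']

    - role: docker-framework
      tags: ['core', 'docker', 'framework']

    - role: geerlingguy.security
      tags: ['core', 'security']

    # Connectivity-specific services
    - role: connectivity
      tags: ['connectivity', 'dns', 'vpn', 'proxy']

    # Generic monitoring for connectivity server
    - role: monitoring
      tags: ['monitoring', 'netdata', 'connectivity']
      vars:
        monitoring_enabled: true
        netdata_client_enabled: true
        # Generic monitoring - no specialized hardware

  post_tasks:
    - name: Verify core services are running
      systemd:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - docker
        - NetworkManager
      tags: ['verification', 'monitoring']

    # Requires dig (dnsutils / bind-utils) on the target. A missing binary or a
    # failed lookup shows up as "Not responding" in the summary instead of
    # failing the play.
    - name: Verify DNS server is responding
      command: dig @127.0.0.1 google.com +short
      register: local_dns_test
      changed_when: false
      ignore_errors: true
      tags: ['verification', 'dns']

    # role_path is a reserved Ansible magic variable and cannot be reliably
    # overridden through task vars (Ansible warns about the reserved name).
    # Build the path from playbook_dir instead; like the original relative
    # path, this assumes the roles directory sits next to this playbook.
    - name: Generate connectivity access summary
      template:
        src: "{{ playbook_dir }}/roles/connectivity/templates/connectivity-access-summary.txt.j2"
        dest: "{{ connectivity_docker_base_path }}/connectivity-access-info.txt"
        owner: "{{ connectivity_docker_owner }}"
        group: "{{ connectivity_docker_group }}"
        # Not world-readable: this file describes how to reach the admin UIs.
        # If the template renders credentials, tighten further to '0600'.
        mode: '0640'
      tags: ['summary']

    # Without an explicit "until", older ansible-core releases force retries to
    # 1, so the 15x10s wait never happened. Register the result and retry until
    # the request succeeds; the failure after the last attempt is still ignored.
    - name: Wait for all connectivity services to be healthy
      uri:
        url: "http://{{ ansible_default_ipv4.address }}:{{ item.port }}{{ item.path | default('') }}"
        method: GET
        status_code: [200, 302, 401]  # Some services redirect or require auth
      loop:
        - port: "{{ connectivity_wireguard_web_port | default(51821) }}"
          path: "/"
          service: "WireGuard Web UI"
        - port: "{{ connectivity_nginx_proxy_admin_port | default(81) }}"
          path: "/"
          service: "Nginx Proxy Manager"
        - port: "{{ connectivity_pihole_web_port | default(8080) }}"
          path: "/admin"
          service: "Pi-hole"
      register: connectivity_health
      until: connectivity_health is succeeded
      retries: 15
      delay: 10
      ignore_errors: true
      tags: ['verification', 'health-check']

    # Never render secrets into debug output: it ends up in stdout, log_path,
    # CI job output and callback plugins. The Pi-hole password is therefore
    # referenced by variable name only. local_dns_test is guarded because this
    # task runs on every tag-limited run (tags: always) while the dig task
    # above may have been skipped.
    - name: Display deployment completion summary
      debug:
        msg: |
          Connectivity Services Deployment Complete!

          Server: {{ inventory_hostname }} ({{ ansible_default_ipv4.address }})

          Service Status:
          - DNS Server: {{ 'Responding' if (local_dns_test.rc | default(1)) == 0 else 'Not responding' }}
          - Docker: Active
          - NetworkManager: Active

          Access Information:
          {% if connectivity_wireguard_enabled | default(true) %}
          - WireGuard VPN: udp://{{ ansible_default_ipv4.address }}:{{ connectivity_wireguard_port | default(51820) }}
          - WireGuard Web UI: http://{{ ansible_default_ipv4.address }}:{{ connectivity_wireguard_web_port | default(51821) }}
          {% endif %}
          {% if connectivity_nginx_proxy_enabled | default(true) %}
          - Nginx Proxy Manager: http://{{ ansible_default_ipv4.address }}:{{ connectivity_nginx_proxy_admin_port | default(81) }}
          - HTTP Proxy: http://{{ ansible_default_ipv4.address }}:{{ connectivity_nginx_proxy_http_port | default(80) }}
          - HTTPS Proxy: https://{{ ansible_default_ipv4.address }}:{{ connectivity_nginx_proxy_https_port | default(443) }}
          {% endif %}
          {% if connectivity_dns_stack_enabled | default(true) %}
          - Pi-hole Admin: http://{{ ansible_default_ipv4.address }}:{{ connectivity_pihole_web_port | default(8080) }}/admin
          - Pi-hole Password: set via connectivity_pihole_password (vaulted; not printed)
          - DNS Server: {{ ansible_default_ipv4.address }}:{{ connectivity_pihole_dns_port | default(53) }}
          {% endif %}

          File Locations:
          - Docker Configs: {{ connectivity_docker_base_path }}
          - Access Info: {{ connectivity_docker_base_path }}/connectivity-access-info.txt

          Security Notes:
          - systemd-resolved disabled and masked
          - Local DNS server configured
          - Firewall rules configured for all services
          - All services running in Docker containers

          Management Commands:
          - Restart All: docker restart $(docker ps -q)
          - View Logs: docker compose logs -f (in service directories)

          Important Notes:
          - Configure client devices to use {{ ansible_default_ipv4.address }} as DNS server
          - Set up WireGuard clients using the Web UI
          - Configure reverse proxy rules in Nginx Proxy Manager
          - Customize Pi-hole blocklists and local DNS entries
          - Monitor service logs for connectivity issues
      tags: ['always']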