This repo is intended for my server automation and setup.
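---
# Connectivity Services Playbook
# Comprehensive deployment for DNS, VPN, and proxy services

# PHASE 1: DNS Server Configuration (stop resolvd, set local DNS)
#
# Runs before the service roles so the host resolver already points at the
# address Pi-hole will listen on. Until Phase 2 has deployed the DNS stack,
# nothing answers on 127.0.0.1 and lookups fall through to the fallback
# resolvers written into resolv.conf below.
- name: Connectivity Server DNS Configuration
  hosts: connectivity_servers
  become: true
  gather_facts: true

  vars:
    # Play-level vars take precedence over inventory/host_vars; override them
    # with -e if a host should keep its own resolver setup.
    connectivity_dns_server_enabled: true
    connectivity_stop_resolvd: true
    connectivity_local_dns_setup: true

  pre_tasks:
    - name: Verify connectivity server requirements
      ansible.builtin.assert:
        that:
          - connectivity_docker_base_path is defined
          - ansible_default_ipv4.address is defined
          - connectivity_docker_owner is defined
          - connectivity_docker_group is defined
        fail_msg: "Connectivity server requirements not met. Check host variables."

    - name: Display connectivity DNS setup information
      ansible.builtin.debug:
        msg: |
          Configuring DNS server on: {{ inventory_hostname }}
          IP Address: {{ ansible_default_ipv4.address }}
          Docker Base: {{ connectivity_docker_base_path }}
          User: {{ connectivity_docker_owner }}:{{ connectivity_docker_group }}

          DNS Configuration Tasks:
          - Stop systemd-resolved service
          - Configure local DNS settings
          - Set up DNS server infrastructure
          - Prepare for Pi-hole + Unbound deployment

  tasks:
    # Stop and disable systemd-resolved so it no longer owns port 53 / resolv.conf
    - name: Stop systemd-resolved service
      ansible.builtin.systemd:
        name: systemd-resolved
        state: stopped
        enabled: false
      when: connectivity_stop_resolvd | default(true)
      tags: ['dns', 'setup', 'resolvd']

    - name: Mask systemd-resolved to prevent restart
      ansible.builtin.systemd:
        name: systemd-resolved
        masked: true
      when: connectivity_stop_resolvd | default(true)
      tags: ['dns', 'setup', 'resolvd']

    # Configure local DNS settings
    - name: Inspect the current /etc/resolv.conf
      ansible.builtin.stat:
        path: /etc/resolv.conf
      register: resolv_conf_stat
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'resolv']

    # systemd-resolved normally installs /etc/resolv.conf as a symlink into
    # /run/systemd/resolve. A symlink cannot carry the immutable attribute set
    # later in this play, so replace it with a regular file.
    - name: Remove resolv.conf symlink left by systemd-resolved
      ansible.builtin.file:
        path: /etc/resolv.conf
        state: absent
      when:
        - connectivity_local_dns_setup | default(true)
        - resolv_conf_stat.stat.islnk | default(false)
      tags: ['dns', 'setup', 'resolv']

    # The immutable attribute set at the end of this play would otherwise make
    # the copy below fail on every re-run of the playbook.
    - name: Clear the immutable attribute from a previous run
      ansible.builtin.file:
        path: /etc/resolv.conf
        attributes: -i
      when:
        - connectivity_local_dns_setup | default(true)
        - "'immutable' in (resolv_conf_stat.stat.attributes | default([]))"
      tags: ['dns', 'setup', 'resolv']

    # Resolver order: the local Pi-hole first (loopback, then the host address
    # for processes that cannot use loopback), then public fallbacks. The
    # fallbacks keep the host working while Pi-hole is not yet (or no longer)
    # answering, at the cost of those queries bypassing Pi-hole filtering;
    # set connectivity_dns_fallback_servers to [] to disable them.
    - name: Create resolv.conf with local DNS
      ansible.builtin.copy:
        content: |
          # Local DNS server configuration
          nameserver 127.0.0.1
          nameserver {{ ansible_default_ipv4.address }}
          {% for fallback in connectivity_dns_fallback_servers | default(['1.1.1.1', '8.8.8.8']) %}
          nameserver {{ fallback }}
          {% endfor %}
          options edns0
          search home
        dest: /etc/resolv.conf
        owner: root
        group: root
        mode: '0644'
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'resolv']

    # chattr +i: stops NetworkManager, dhclient and similar from rewriting the
    # file. The file module expects chattr flags ("+i"), not the word "immutable".
    - name: Prevent resolv.conf from being overwritten
      ansible.builtin.file:
        path: /etc/resolv.conf
        attributes: +i
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'resolv']

    # dns=none is only honoured inside the [main] section; make sure the
    # section exists even when the config file has to be created from scratch.
    - name: Ensure NetworkManager.conf has a [main] section
      ansible.builtin.lineinfile:
        path: /etc/NetworkManager/NetworkManager.conf
        regexp: '^\[main\]'
        line: '[main]'
        insertbefore: BOF
        create: true
        mode: '0644'
      when: connectivity_local_dns_setup | default(true)
      tags: ['dns', 'setup', 'networkmanager']

    - name: Configure NetworkManager to use local DNS
      ansible.builtin.lineinfile:
        path: /etc/NetworkManager/NetworkManager.conf
        regexp: '^dns='
        line: 'dns=none'
        insertafter: '^\[main\]'
        create: true
      when: connectivity_local_dns_setup | default(true)
      notify: Restart NetworkManager
      tags: ['dns', 'setup', 'networkmanager']

    # Handlers normally run at the end of the play; apply the restart now so
    # the verification below reflects the final state.
    - name: Apply pending NetworkManager restart before verification
      ansible.builtin.meta: flush_handlers

    - name: Verify DNS configuration
      ansible.builtin.slurp:
        src: /etc/resolv.conf
      register: resolv_conf_content
      tags: ['dns', 'verification']

    - name: Display DNS configuration status
      ansible.builtin.debug:
        msg: |
          DNS Server Configuration Complete:
          - systemd-resolved: {{ 'Stopped and masked' if connectivity_stop_resolvd | default(true) else 'Left unchanged' }}
          - Local DNS: Configured to use 127.0.0.1 and {{ ansible_default_ipv4.address }}
          - Fallback DNS: {{ connectivity_dns_fallback_servers | default(['1.1.1.1', '8.8.8.8']) | join(', ') }}
          - resolv.conf protected from modification
          - NetworkManager configured for manual DNS

          Current resolv.conf:
          {{ resolv_conf_content.content | b64decode }}
      tags: ['dns', 'info']

  handlers:
    # Only runs when one of the NetworkManager.conf tasks reported a change.
    - name: Restart NetworkManager
      ansible.builtin.systemd:
        name: NetworkManager
        state: restarted
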
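# PHASE 2: Deploy connectivity services
- name: Connectivity Services Deployment
  hosts: connectivity_servers
  become: true
  gather_facts: true

  vars:
    # Override defaults for connectivity-specific deployment
    connectivity_enabled: true
    connectivity_wireguard_enabled: true
    connectivity_nginx_proxy_enabled: true
    connectivity_dns_stack_enabled: true

  pre_tasks:
    - name: Verify connectivity server requirements
      ansible.builtin.assert:
        that:
          - connectivity_docker_base_path is defined
          - ansible_default_ipv4.address is defined
          - connectivity_docker_owner is defined
          - connectivity_docker_group is defined
        fail_msg: "Connectivity server requirements not met. Check host variables."

    - name: Display connectivity deployment information
      ansible.builtin.debug:
        msg: |
          Deploying Connectivity Services to: {{ inventory_hostname }}

          Server Information:
          - IP Address: {{ ansible_default_ipv4.address }}
          - Docker Base: {{ connectivity_docker_base_path }}
          - User: {{ connectivity_docker_owner }}:{{ connectivity_docker_group }}
          - DNS Server: Configured and ready

          Services to Deploy:
          {% if connectivity_wireguard_enabled | default(true) %}
          - WireGuard VPN (Port {{ connectivity_wireguard_port | default(51820) }} UDP)
          - WireGuard Web UI (Port {{ connectivity_wireguard_web_port | default(51821) }} TCP)
          {% endif %}
          {% if connectivity_nginx_proxy_enabled | default(true) %}
          - Nginx Proxy Manager:
            * Admin UI (Port {{ connectivity_nginx_proxy_admin_port | default(81) }})
            * HTTP Proxy (Port {{ connectivity_nginx_proxy_http_port | default(80) }})
            * HTTPS Proxy (Port {{ connectivity_nginx_proxy_https_port | default(443) }})
          {% endif %}
          {% if connectivity_dns_stack_enabled | default(true) %}
          - DNS Stack:
            * Pi-hole DNS (Port {{ connectivity_pihole_dns_port | default(53) }} UDP/TCP)
            * Pi-hole Web UI (Port {{ connectivity_pihole_web_port | default(8080) }})
            * Unbound Recursive DNS (Port {{ connectivity_unbound_port | default(5335) }})
          {% endif %}

          Security Features:
          - Firewall rules configured for all services
          - Docker container isolation
          - Service-specific user permissions
          - Encrypted VPN connections
          - DNS-over-TLS with Unbound

          Directory Structure:
          - Service configs: {{ connectivity_docker_base_path }}/[service-name]
          - Environment files: {{ connectivity_docker_base_path }}/[service-name]/.env
          - Backup configuration: {{ connectivity_docker_base_path }}/backups/

  roles:
    # Core prerequisites
    - role: user
      tags: ['core', 'user']

    - role: system
      tags: ['core', 'system']

    - role: geerlingguy.docker
      tags: ['core', 'docker']

    - role: docker-framework
      tags: ['core', 'docker', 'framework']

    - role: geerlingguy.security
      tags: ['core', 'security']

    # Connectivity-specific services
    - role: connectivity
      tags: ['connectivity', 'dns', 'vpn', 'proxy']

    # Monitoring for connectivity server
    - role: monitoring
      tags: ['monitoring', 'glances']

  post_tasks:
    - name: Verify core services are running
      ansible.builtin.systemd:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - docker
        - NetworkManager
      tags: ['verification', 'monitoring']

    # A probe, not a gate: the result only feeds the summary below, so a
    # missing dig binary or an unanswered query must not abort the play.
    - name: Verify DNS server is responding
      ansible.builtin.command: "dig @127.0.0.1 {{ connectivity_dns_test_name | default('google.com') }} +short"
      register: local_dns_test
      changed_when: false
      failed_when: false
      tags: ['verification', 'dns']

    # role_path is an Ansible magic variable; redefining it in task vars is
    # unreliable, so locate the template relative to this playbook instead.
    # NOTE(review): assumes roles/ sits next to this playbook — confirm.
    - name: Generate connectivity access summary
      ansible.builtin.template:
        src: "{{ playbook_dir }}/roles/connectivity/templates/connectivity-access-summary.txt.j2"
        dest: "{{ connectivity_docker_base_path }}/connectivity-access-info.txt"
        owner: "{{ connectivity_docker_owner }}"
        group: "{{ connectivity_docker_group }}"
        # NOTE(review): if the template renders credentials, tighten to '0640'
        mode: '0644'
      tags: ['summary']

    # retries only takes effect together with until (older releases force
    # retries to 1 without it); retry each check until the request succeeds.
    - name: Wait for all connectivity services to be healthy
      ansible.builtin.uri:
        url: "http://{{ ansible_default_ipv4.address }}:{{ item.port }}{{ item.path | default('') }}"
        method: GET
        status_code: [200, 302, 401]  # Some services redirect or require auth
      register: connectivity_health
      until: connectivity_health is succeeded
      retries: 15
      delay: 10
      ignore_errors: true
      loop:
        - port: "{{ connectivity_wireguard_web_port | default(51821) }}"
          path: /
          service: WireGuard Web UI
          enabled: "{{ connectivity_wireguard_enabled | default(true) }}"
        - port: "{{ connectivity_nginx_proxy_admin_port | default(81) }}"
          path: /
          service: Nginx Proxy Manager
          enabled: "{{ connectivity_nginx_proxy_enabled | default(true) }}"
        - port: "{{ connectivity_pihole_web_port | default(8080) }}"
          path: /admin
          service: Pi-hole
          enabled: "{{ connectivity_dns_stack_enabled | default(true) }}"
      loop_control:
        label: "{{ item.service }}"
      # Skip checks for services this run did not deploy
      when: item.enabled | bool
      tags: ['verification', 'health-check']

    # The Pi-hole admin password is deliberately not echoed here: debug output
    # ends up in console logs, CI output and callback plugins.
    - name: Display deployment completion summary
      ansible.builtin.debug:
        msg: |
          Connectivity Services Deployment Complete!

          Server: {{ inventory_hostname }} ({{ ansible_default_ipv4.address }})

          Service Status:
          - DNS Server: {{ 'Responding' if local_dns_test.rc | default(1) == 0 else 'Not responding' }}
          - Docker: Active
          - NetworkManager: Active

          Access Information:
          {% if connectivity_wireguard_enabled | default(true) %}
          - WireGuard VPN: udp://{{ ansible_default_ipv4.address }}:{{ connectivity_wireguard_port | default(51820) }}
          - WireGuard Web UI: http://{{ ansible_default_ipv4.address }}:{{ connectivity_wireguard_web_port | default(51821) }}
          {% endif %}
          {% if connectivity_nginx_proxy_enabled | default(true) %}
          - Nginx Proxy Manager: http://{{ ansible_default_ipv4.address }}:{{ connectivity_nginx_proxy_admin_port | default(81) }}
          - HTTP Proxy: http://{{ ansible_default_ipv4.address }}:{{ connectivity_nginx_proxy_http_port | default(80) }}
          - HTTPS Proxy: https://{{ ansible_default_ipv4.address }}:{{ connectivity_nginx_proxy_https_port | default(443) }}
          {% endif %}
          {% if connectivity_dns_stack_enabled | default(true) %}
          - Pi-hole Admin: http://{{ ansible_default_ipv4.address }}:{{ connectivity_pihole_web_port | default(8080) }}/admin
          - Pi-hole Password: {{ 'set via connectivity_pihole_password (not printed)' if connectivity_pihole_password is defined else 'Set in vault' }}
          - DNS Server: {{ ansible_default_ipv4.address }}:{{ connectivity_pihole_dns_port | default(53) }}
          {% endif %}

          File Locations:
          - Docker Configs: {{ connectivity_docker_base_path }}
          - Access Info: {{ connectivity_docker_base_path }}/connectivity-access-info.txt

          Security Notes:
          - systemd-resolved disabled and masked
          - Local DNS server configured
          - Firewall rules configured for all services
          - All services running in Docker containers

          Management Commands:
          - Restart All: docker restart $(docker ps -q)
          - View Logs: docker compose logs -f (in service directories)

          Important Notes:
          - Configure client devices to use {{ ansible_default_ipv4.address }} as DNS server
          - Set up WireGuard clients using the Web UI
          - Configure reverse proxy rules in Nginx Proxy Manager
          - Customize Pi-hole blocklists and local DNS entries
          - Monitor service logs for connectivity issues
      tags: ['always']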