created roles and playbooks for schreinerei och.

.gitignore

@@ -0,0 +1 @@
+.vault-pass

ansible.cfg

@@ -0,0 +1,6 @@
+[defaults]
+inventory = inventory
+vault_password_file = .vault-pass
+python_interpreter = /usr/bin/python3
+host_key_checking = False
+remote_port = 9922

common.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Run common rolls for all hosts in common
+  hosts: common
+  become: true
+  roles:
+    - role: common
+      tags: common

common_first.yml

@@ -0,0 +1,14 @@
+---
+
+- name: Run common rolls for all common hosts
+  hosts: common_first
+  become: true
+  roles:
+    - role: common
+      tags: common
+  vars:
+    ansible_user: "{{ host_vars_common_init_ssh_user }}"
+    ansible_ssh_pass: "{{ host_vars_common_init_ssh_pass }}"
+    ansible_become_password: "{{ host_vars_common_init_ssh_pass }}"
+    ansible_port: 9922
+    ansible_become_method: su

docker_npm.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Run Playbook for docker nginx-proxy-manager
+  hosts: npm
+  become: true
+  roles:
+    - role: docker
+      tags: docker
+    - role: docker_npm
+      tags: docker_npm

docker_unifi.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Deploy unifi network application
+  hosts: unifi
+  become: true
+  roles:
+    - role: docker
+      tags: docker
+    - role: docker_unifi_network_application
+      tags: docker_unifi_network_application

group_vars/all.yml

@@ -0,0 +1,24 @@
+---
+
+# vars for common roles 
+
+group_vars_ssh_users:
+  - lucas.rausch
+
+# docker vars
+docker_paths:
+  - /opt/docker/mounts
+  - /opt/docker/config
+# end docker
+
+# npm
+group_vars_npm_db_host: npm-db
+group_vars_npm_db_name: npm-db
+group_vars_npm_app_host: npm-app
+group_vars_npm_docker_paths:
+  - /opt/docker/config/npm
+# end npm
+
+# unifi vars
+unifi_docker_paths:
+  - /opt/docker/config/unifi

host_vars/vm-docker01.schreinerei-och.de.yml

@@ -0,0 +1,18 @@
+---
+
+host_vars_common_init_ssh_pass: Schr3in3rm3ister!
+host_vars_common_init_ssh_user: och
+proxy_type: npm
+
+# npm 
+host_vars_npm_db_root_password: Schr3in3rm3ister!
+host_vars_npm_db_user: och
+host_vars_npm_db_user_password: Schr3in3rm3ister!
+# end npm 
+
+# unifi vars
+unifi_mongo_host: unifi-db
+unifi_mongo_user: och
+unifi_mongo_user_pass: Schr3in3rm3ister! 
+unifi_mongo_db_name: unifi-db
+# end unifi vars

inventory/main.yml

@@ -0,0 +1,16 @@
+---
+
+all:
+  hosts:
+    vm-docker01.schreinerei-och.de:
+      ansible_host: 10.12.80.105
+  children:
+    common_first:
+      hosts:
+        vm-docker01.schreinerei-och.de:
+    npm:
+      hosts:
+        vm-docker01.schreinerei-och.de:
+    unifi:
+      hosts:
+        vm-docker01.schreinerei-och.de:

roles/common/files/sshd_config

@@ -0,0 +1,122 @@
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+Port 9922
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem       sftp    /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#       X11Forwarding no
+#       AllowTcpForwarding no
+#       PermitTTY no
+#       ForceCommand cvs server

roles/common/files/sudoers

@@ -0,0 +1,54 @@
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults        env_reset
+Defaults        mail_badpass
+Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
+Defaults        use_pty
+
+# This preserves proxy settings from user environments of root
+# equivalent users (group sudo)
+#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"
+
+# This allows running arbitrary commands, but so does ALL, and it means
+# different sudoers have their choice of editor respected.
+#Defaults:%sudo env_keep += "EDITOR"
+
+# Completely harmless preservation of a user preference.
+#Defaults:%sudo env_keep += "GREP_COLOR"
+
+# While you shouldn't normally run git as root, you need to with etckeeper
+#Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"
+
+# Per-user preferences; root won't have sensible values for them.
+#Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"
+
+# "sudo scp" or "sudo rsync" should be able to use your SSH agent.
+#Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"
+
+# Ditto for GPG agent
+#Defaults:%sudo env_keep += "GPG_AGENT_INFO"
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root    ALL=(ALL:ALL) ALL
+
+# Members of the admin group may gain root privileges
+%admin ALL=(ALL) ALL
+
+# Allow members of group sudo to execute any command
+%sudo   ALL=(ALL:ALL) NOPASSWD: ALL
+
+# See sudoers(5) for more information on "@include" directives:
+
+@includedir /etc/sudoers.d

roles/common/readme.md

@@ -0,0 +1,26 @@
+# Readme
+
+## general information 
+
+This role is created to give each host the exact same roleout of apps, services and users. 
+
+## on the first run
+
+on the first run you have to execute the playbook "common_first.yml" This *HAS TO BE DONE* so that all users and ssh-keys are deployed so you can administrate the server effectively.
+
+### set the following for the first run
+1. Create inventory group 'common_first' - also check that your hosts are reachable via network. If they are reachable via external, dont forget to set your ansible_port
+2. Enter the hostname of your server/client
+3. run the playbook
+4. remove the server/client from the inventory group
+5. reboot the server/client so the hostname is overwritten
+
+### (host)vars for first run 
+host_vars_init_ssh_user: 
+host_vars_init_ssh_pass: 
+ansible_port:
+> every linux pc has an initial user that is created on setup. Be sure to set those variables correctly
+
+## variables for common role
+### group vars
+group_vars_ssh_users:

roles/common/tasks/main.yml

@@ -0,0 +1,65 @@
+---
+
+- name: Common | Install common packages
+  ansible.builtin.apt:
+    update_cache: true
+    name:
+      - molly-guard
+      - dnsutils
+      - sudo
+      - nano
+      - tree
+      - screen
+      - python3
+      - curl
+      - gnupg
+      - ca-certificates
+      - cloud-utils
+      - rsync
+      - htop
+      - unzip
+
+- name: Common | Allow to sudo with ssh-key
+  ansible.builtin.copy:
+    src: sudoers
+    dest: /etc/sudoers
+    owner: root
+    group: root
+    mode: '0440'
+
+- name: Common | Change sshd port
+  ansible.builtin.copy:
+    src: sshd_config
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Common | Change hostname
+  ansible.builtin.template:
+    src: hostname.j2
+    dest: /etc/hostname
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Common | Restart sshd service
+  ansible.builtin.service:
+    name: sshd
+    state: restarted
+
+- name: Common | Deploy users
+  ansible.builtin.user:
+    name: "{{ item }}"
+    shell: /bin/bash
+    groups: sudo
+    append: true
+    create_home: true
+  with_items: "{{ group_vars_ssh_users }}"
+
+- name: Deploy SSHKeys for users
+  ansible.posix.authorized_key:
+    user: "{{ item }}"
+    state: present
+    key: "{{ lookup('file', 'ssh-keys/{{ item }}.pub') }}"
+  with_items: "{{ group_vars_ssh_users }}"

roles/common/templates/hostname.j2

@@ -0,0 +1 @@
+"{{ inventory_hostname }}"

roles/docker/tasks/main.yml

@@ -0,0 +1,38 @@
+---
+
+- name: Füge Docker GPG-Schlüssel hinzu
+  ansible.builtin.get_url:
+    url: "https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg"
+    dest: /etc/apt/keyrings/docker.asc
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: Füge Docker-Repository hinzu
+  ansible.builtin.template:
+    src: docker.sources.j2
+    dest: /etc/apt/sources.list.d/docker.sources
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: Docker | Install common packages
+  ansible.builtin.apt:
+    update_cache: true
+    state: present
+    package: "{{ item }}"
+  loop:
+    - docker-ce
+    - docker-ce-cli
+    - containerd.io
+    - docker-buildx-plugin
+    - docker-compose-plugin
+
+- name: Docker | Deploy docker folders
+  ansible.builtin.file:
+    state: directory
+    path: "{{ item }}"
+    owner: root
+    group: root
+    mode: '0755'
+  with_items: "{{ docker_paths }}"

roles/docker/templates/docker.sources.j2

@@ -0,0 +1,5 @@
+Types: deb
+URIs: https://download.docker.com/linux/{{ ansible_distribution | lower }}
+Suites: {{ ansible_distribution_release | lower }}
+Components: stable
+Signed-By: /etc/apt/keyrings/docker.asc

roles/docker_npm/readme.md

@@ -0,0 +1,35 @@
+# Readme
+
+## General
+
+this playbook is used to deploy docker and nginxproxymanager as docker containers on any hosts.
+
+## inventory
+
+setup a group in your inventory with the name: npm
+also if this container is deployed, some other roles will be trying to use the variable 'proxy_type', be sure to set it in your host vars to 'npm'
+
+## vars
+
+### group vars
+
+````
+group_vars_npm_db_host: 
+group_vars_npm_db_name: 
+group_vars_npm_app_host: 
+group_vars_npm_docker_paths:
+  - /opt/docker/config/npm
+````
+
+### host vars
+host_vars_npm_db_root_password: 
+host_vars_npm_db_user: 
+host_vars_npm_db_user_password: 
+
+## first start
+
+login to your npm after the deployment
+
+url: http://ip/hostname:8082
+user: admin@example.com
+pass: changeme

roles/docker_npm/tasks/main.yml

@@ -0,0 +1,28 @@
+---
+
+- name: NPM | create project folders
+  ansible.builtin.file:
+    state: directory
+    mode: '0755'
+    path: "{{ item }}"
+    owner: root
+    group: root
+  with_items: "{{ group_vars_npm_docker_paths }}"
+
+- name: NPM | create docker network "proxy"
+  community.docker.docker_network:
+    name: proxy
+    state: present
+
+- name: NPM | copy docker-compose file
+  ansible.builtin.template:
+    src: docker-compose.yml.j2
+    dest: /opt/docker/config/npm/docker-compose.yml
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: NPM | start docker container
+  community.docker.docker_compose_v2:
+    project_src: /opt/docker/config/npm
+    state: present

roles/docker_npm/templates/docker-compose.yml.j2

@@ -0,0 +1,56 @@
+---
+
+services:
+  {{ group_vars_npm_db_host }}:
+    image: 'jc21/mariadb-aria:latest'
+    restart: unless-stopped
+    networks:
+      - npm
+    container_name: {{ group_vars_npm_db_host }}
+    environment:
+      MYSQL_ROOT_PASSWORD: {{ host_vars_npm_db_root_password }}
+      MYSQL_DATABASE: {{ group_vars_npm_db_name }}
+      MYSQL_USER: {{ host_vars_npm_db_user}}
+      MYSQL_PASSWORD: {{ host_vars_npm_db_user_password }}
+      MARIADB_AUTO_UPGRADE: '1'
+    volumes:
+      - mysql:/var/lib/mysql
+
+  {{ group_vars_npm_app_host }}:
+    image: 'jc21/nginx-proxy-manager:latest'
+    restart: unless-stopped
+    container_name: {{ group_vars_npm_app_host }}
+    networks:
+      - npm
+      - proxy
+    ports:
+      - '80:80' # Public HTTP Port
+      - '443:443' # Public HTTPS Port
+      - '8082:81' # Admin Web Port
+    environment:
+      DB_MYSQL_HOST: {{ group_vars_npm_db_host }}
+      DB_MYSQL_PORT: 3306
+      DB_MYSQL_USER: {{ host_vars_npm_db_user }}
+      DB_MYSQL_PASSWORD: {{ host_vars_npm_db_user_password }}
+      DB_MYSQL_NAME: nginx
+      DISABLE_IPV6: 'true'
+    volumes:
+      - data:/data
+      - letsencrypt:/etc/letsencrypt
+      - custom:/etc/nginx/custom
+    depends_on:
+      - {{ group_vars_npm_db_host }}
+networks:
+  proxy:
+    external: true
+  npm:
+
+volumes:
+  data:
+    driver: local
+  letsencrypt:
+    driver: local
+  custom:
+    driver: local
+  mysql:
+    driver: local

roles/docker_unifi_network_application/readme.md

@@ -0,0 +1,21 @@
+# Readme
+
+## General
+
+This playbook will deploy the unifi network application as docker container on the hosts which are speicified in your inventory under the name ````unifi ````
+
+it also changes the way that the unifi network application will be reachable after the deployment. if you set the variable proxy_type in your vars, the default port 8443 will be changed to 18443
+
+## vars 
+
+### group vars 
+
+unifi_docker_paths:
+  - /opt/docker/config/unifi
+
+### host vars
+
+unifi_mongo_host:
+unifi_mongo_user: 
+unifi_mongo_user_pass: 
+unifi_mongo_db_name: 

roles/docker_unifi_network_application/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+
+- name: Unifi | create project paths
+  ansible.builtin.file:
+    state: directory
+    path: "{{ item }}"
+    owner: root
+    group: root
+    mode: '0755'
+  with_items: "{{ unifi_docker_paths }}"
+
+- name: Unifi | copy mongo-init.js
+  ansible.builtin.template:
+    src: mongo-init.js.j2
+    dest: /opt/docker/config/unifi/mongo-init.js
+    mode: '0644'
+
+- name: Unifi | copy unifi docker-compose.yml
+  ansible.builtin.template:
+    src: docker-compose.yml.j2
+    dest: /opt/docker/config/unifi/docker-compose.yml
+    mode: '0644'
+
+- name: Unifi | create docker proxy network if not available
+  community.docker.docker_network:
+    name: proxy
+
+- name: Unifi | start docker container
+  community.docker.docker_compose_v2:
+    project_src: /opt/docker/config/unifi/
+    state: present

roles/docker_unifi_network_application/templates/docker-compose.yml.j2

@@ -0,0 +1,63 @@
+---
+
+services:
+  unifi-db:
+    image: mongo:8.0-rc
+    container_name: {{ unifi_mongo_host }}
+    networks:
+      - unifi-network
+    volumes:
+      - db:/data/db
+      - ./mongo-init.js:/docker-entrypoint-initdb.d/mongo-init.js:ro
+    restart: unless-stopped
+
+  unifi-network-application:
+    image: lscr.io/linuxserver/unifi-network-application:latest
+    container_name: unifi-network-application
+    networks:
+      - unifi-network
+{% if proxy_type is defined %}
+      - proxy
+{% endif %}
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Etc/UTC
+      - MONGO_USER={{ unifi_mongo_user }}
+      - MONGO_PASS={{ unifi_mongo_user_pass }}
+      - MONGO_HOST={{ unifi_mongo_host }}
+      - MONGO_PORT=27017
+      - MONGO_DBNAME={{ unifi_mongo_db_name }}
+    volumes:
+      - config:/config
+{% if proxy_type is defined %}
+    expose:
+      - 8443
+{% endif %}
+    ports:
+{% if proxy_type %}
+      - 18443:8443
+{% else %}
+      - 8443:8443
+{% endif %}
+      - 3478:3478/udp
+      - 10001:10001/udp
+      - 8080:8080
+      - 1900:1900/udp #optional
+      - 8843:8843 #optional
+      - 8880:8880 #optional
+      - 6789:6789 #optional
+      - 5514:5514/udp #optional
+    restart: unless-stopped
+networks:
+  unifi-network:
+{% if proxy_type is defined %}
+  proxy:
+    external: true
+{% endif %}
+
+volumes:
+  config: 
+    driver: local
+  db:
+    driver: local

roles/docker_unifi_network_application/templates/mongo-init.js.j2

@@ -0,0 +1,2 @@
+db.getSiblingDB("{{ unifi_mongo_db_name }}").createUser({user: '{{ unifi_mongo_user }}', pwd: '{{ unifi_mongo_user_pass }}', roles: [{role: "dbOwner", db: "{{ unifi_mongo_db_name }}"}]});
+db.getSiblingDB("{{ unifi_mongo_db_name }}_stat").createUser({user: '{{ unifi_mongo_user }}', pwd: '{{ unifi_mongo_user_pass }}', roles: [{role: "dbOwner", db: "{{ unifi_mongo_db_name }}_stat"}]});

ssh-keys/lucas.rausch.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBKyajijGYPokp4DQwIKCO5Vj05SRzD7PznigrTKUHK9 lucas@rausch.tech