Compare commits
18 Commits
Author | SHA1 | Date |
---|---|---|
Michael Grote | abbd3a4027 | |
Michael Grote | fec3d05853 | |
Michael Grote | 2711b53443 | |
Michael Grote | 76e80bef32 | |
Michael Grote | 65e11720b4 | |
Michael Grote | 4816028a69 | |
Michael Grote | 27814973f9 | |
Michael Grote | 8b24cb052d | |
Michael Grote | 821621a542 | |
Michael Grote | 79a5973721 | |
Michael Grote | 1fed3f9fca | |
Michael Grote | e7e4a4919a | |
Michael Grote | 938cc8c287 | |
Michael Grote | 3330df558a | |
Michael Grote | 76fae15233 | |
Michael Grote | d67020db21 | |
Michael Grote | 1d21878b43 | |
Michael Grote | 6db5b9d2b8 |
|
@ -20,29 +20,6 @@ dotfiles_vim_vundle_repo_url: https://git.mgrote.net/mirrors/Vundle.vim.git
|
|||
### mgrote_netplan
|
||||
netplan_configure: true
|
||||
|
||||
### mgrote_restic
|
||||
restic_user: root
|
||||
restic_group: restic
|
||||
restic_conf_dir: /etc/restic
|
||||
restic_exclude: |
|
||||
._*
|
||||
desktop.ini
|
||||
.Trash-*
|
||||
**/**cache***/**
|
||||
**/**Cache***/**
|
||||
**/**AppData***/**
|
||||
# https://github.com/restic/restic/issues/1005
|
||||
# https://forum.restic.net/t/exclude-syntax-confusion/1531/12
|
||||
restic_mount_timeout: "10 min"
|
||||
restic_failure_delay: "30 s"
|
||||
restic_schedule: "0/6:00" # alle 6 Stunden
|
||||
restic_folders_to_backup: "/" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben; https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files
|
||||
restic_repository: "//fileserver3.mgrote.net/restic"
|
||||
restic_repository_password: "{{ lookup('keepass', 'restic_repository_password', 'password') }}"
|
||||
restic_mount_user: restic
|
||||
restic_mount_password: "{{ lookup('keepass', 'fileserver_smb_user_restic', 'password') }}"
|
||||
restic_fail_mail: "{{ my_mail }}"
|
||||
|
||||
### mgrote_user
|
||||
users:
|
||||
- username: mg
|
||||
|
|
|
@ -0,0 +1,67 @@
|
|||
---
|
||||
### oefenweb.ufw
|
||||
ufw_rules:
|
||||
- rule: allow
|
||||
to_port: 22
|
||||
protocol: tcp
|
||||
comment: 'ssh'
|
||||
from_ip: 192.168.2.0/24
|
||||
ufw_default_incoming_policy: deny
|
||||
ufw_default_outgoing_policy: allow
|
||||
|
||||
### apt_install_packages
|
||||
apt_packages_extra:
|
||||
- qemu
|
||||
- virt-manager
|
||||
- tmux
|
||||
- keychain
|
||||
- jq
|
||||
- vim
|
||||
- cifs-utils
|
||||
- nextcloud-desktop
|
||||
- keepassxc
|
||||
- openssh-server
|
||||
- sshpass
|
||||
- ansible
|
||||
- linux-oem-22.04c
|
||||
- vlc
|
||||
- rofi
|
||||
- wireguard
|
||||
- wine
|
||||
|
||||
### mgrote_user
|
||||
users:
|
||||
- username: mg
|
||||
password: "{{ lookup('keepass', 'mg_irantu_hash', 'password') }}"
|
||||
update_password: always
|
||||
groups: ssh, sudo
|
||||
state: present
|
||||
public_ssh_key: "{{ ssh_public_key_mg }}"
|
||||
allow_sudo: true
|
||||
allow_passwordless_sudo: true
|
||||
- username: ansible-user
|
||||
password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}"
|
||||
update_password: always
|
||||
groups: ssh, sudo
|
||||
state: present
|
||||
public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu
|
||||
allow_sudo: true
|
||||
allow_passwordless_sudo: true
|
||||
|
||||
### mgrote.wireguard
|
||||
wireguard_profiles:
|
||||
- name: wg0
|
||||
privatekey: "{{ lookup('keepass', 'wireguard_irantu_private_key', 'password') }}"
|
||||
address: 10.25.25.4/24
|
||||
dns: 192.168.2.37
|
||||
publickey: yUDu0ReEz6CjFW6Ecoh2oN/eAGRtVQP38Bu5hJnv1w0=
|
||||
allowedips: 192.168.2.0/24, 192.168.3.0/24
|
||||
endpoint: mgrote.net:13231
|
||||
- name: wg1
|
||||
privatekey: "{{ lookup('keepass', 'wireguard_irantu_private_key', 'password') }}"
|
||||
address: 10.25.25.4/24
|
||||
dns: 192.168.2.37
|
||||
publickey: yUDu0ReEz6CjFW6Ecoh2oN/eAGRtVQP38Bu5hJnv1w0=
|
||||
allowedips: 0.0.0.0/0
|
||||
endpoint: mgrote.net:13231
|
||||
...
|
|
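Review bot: The `ansible-user` entry hardcodes its `public_ssh_key` as a literal whose trailing comment reads `mg@irantu`, while the `mg` entry just above takes the same kind of value from `ssh_public_key_mg`; if it is the same key, `public_ssh_key: "{{ ssh_public_key_mg }}"` keeps one source of truth, and if it is deliberately a different key a short comment saying so would stop the next reader from unifying them. Both accounts get `allow_passwordless_sudo: true`; for the automation account that is expected, but nothing records why the interactive `mg` account needs it as well. The two WireGuard profiles share the same `address`, `privatekey` and `endpoint` and differ only in `allowedips`, so they look like mutually exclusive LAN-only and full-tunnel variants; if both interfaces were ever brought up together the address would be assigned twice, which a comment on `wg1` such as `# full-tunnel variant of wg0; do not enable both at once` would make explicit.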
@ -32,6 +32,10 @@ all:
|
|||
hosts:
|
||||
pve5.mgrote.net:
|
||||
pbs.mgrote.net:
|
||||
irantu.mgrote.net:
|
||||
laptop:
|
||||
hosts:
|
||||
irantu.mgrote.net:
|
||||
gitea:
|
||||
hosts:
|
||||
gitea.mgrote.net:
|
||||
|
@ -39,6 +43,7 @@ all:
|
|||
production:
|
||||
hosts:
|
||||
fileserver3.mgrote.net:
|
||||
irantu.mgrote.net:
|
||||
ansible2.mgrote.net:
|
||||
pve5.mgrote.net:
|
||||
gitea.mgrote.net:
|
||||
|
|
BIN
keepass_db.kdbx
BIN
keepass_db.kdbx
Binary file not shown.
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
- hosts: laptop
|
||||
roles:
|
||||
- { role: mgrote_wireguard, tags: "wireguard", become: true }
|
|
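Review bot: The play has no `name`, so the run output shows only `PLAY [laptop]`, and the single role is written as a flow mapping where block style would read more clearly and diff better. The `become: true` on the role entry also duplicates the per-task `become: true` inside the role's tasks shown later on this page; keeping the role-level one is the safer choice if the role later gains tasks without it, but the duplication is worth a comment. A block-style version of the play is below.
```yaml
- name: Configure WireGuard profiles on laptops
  hosts: laptop
  roles:
    - role: mgrote_wireguard
      tags: wireguard
      become: true
```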
@ -0,0 +1,8 @@
|
|||
---
|
||||
# Repositories
|
||||
repos:
|
||||
- "deb http://packages.linuxmint.com victoria main upstream import backport"
|
||||
- "deb http://de.archive.ubuntu.com/ubuntu jammy main restricted universe multiverse" # TODO
|
||||
- "deb http://de.archive.ubuntu.com/ubuntu jammy-updates main restricted universe multiverse"
|
||||
- "deb http://de.archive.ubuntu.com/ubuntu jammy-security main restricted universe multiverse"
|
||||
- "deb http://de.archive.ubuntu.com/ubuntu jammy-backports main restricted universe multiverse"
|
|
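Review bot: The `# TODO` on the `jammy main` line does not say what is still outstanding, so it will be ignored or mis-guessed; spell it out, e.g. `# TODO: <what is still missing for this entry>`. The `jammy-security` pocket is now taken from `de.archive.ubuntu.com`, whereas the file this replaces used `security.ubuntu.com`; country mirrors can lag behind the security archive, so Ubuntu's own guidance is to leave the `-security` line pointed at `security.ubuntu.com` even when the other pockets use a mirror. The hard-coded `jammy` in place of `{{ ansible_distribution_release }}` is presumably deliberate because on Linux Mint that fact reports the Mint codename rather than the Ubuntu base; a one-line comment above `repos:` recording that would keep someone from "fixing" it back to the variable.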
@ -1,9 +0,0 @@
|
|||
---
|
||||
# Repositories
|
||||
repos:
|
||||
- "deb http://packages.linuxmint.com vera main upstream import backport"
|
||||
- "deb http://archive.ubuntu.com/ubuntu {{ ansible_distribution_release }} main restricted universe multiverse"
|
||||
- "deb http://archive.ubuntu.com/ubuntu {{ ansible_distribution_release }}-updates main restricted universe multiverse"
|
||||
- "deb http://archive.ubuntu.com/ubuntu {{ ansible_distribution_release }}-backports main restricted universe multiverse"
|
||||
- "deb http://security.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-security main restricted universe multiverse"
|
||||
- "deb http://archive.canonical.com/ubuntu/ {{ ansible_distribution_release }} partner"
|
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
wireguard_conf_dir: /etc/wireguard
|
||||
#wireguard_profiles:
|
||||
# - name: wg0
|
||||
# privatekey:
|
||||
# address:
|
||||
# dns:
|
||||
# publickey:
|
||||
# allowedips:
|
||||
# endpoint:
|
||||
...
|
|
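Review bot: `#wireguard_profiles:` has no space after the `#`, which the usual yamllint `comments` rule flags, and the commented example lists the keys without saying which of them are required. The `wg.conf.j2` template added in this compare renders all seven keys unconditionally, so a profile missing any of them fails at template time; a comment above the example such as `# wireguard_profiles: list of profiles; every key below is required by wg.conf.j2` would record that. `wireguard_conf_dir: /etc/wireguard` could likewise carry a note that the role writes root-owned, mode 0600 profile files into it, which is what the tasks hunk shows.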
@ -0,0 +1,5 @@
|
|||
---
|
||||
- name: Ensure resolvconf is configured # noqa no-changed-when
|
||||
become: true
|
||||
ansible.builtin.command: ln -s /usr/bin/resolvectl /usr/local/bin/resolvconf
|
||||
...
|
|
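Review bot: `ln -s` run through `ansible.builtin.command` is not idempotent: the handler errors out whenever `/usr/local/bin/resolvconf` already exists (for example after a package reinstall triggers the notify again), and the `# noqa no-changed-when` only silences the lint warning about the result always being reported as changed. `ansible.builtin.file` with `state: link` creates or verifies the symlink, reports change correctly and needs no noqa, so the handler would read as below.
```yaml
- name: Ensure resolvconf is configured
  become: true
  ansible.builtin.file:
    src: /usr/bin/resolvectl
    dest: /usr/local/bin/resolvconf
    state: link
```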
@ -0,0 +1,22 @@
|
|||
---
|
||||
- name: Ensure package exists
|
||||
become: true
|
||||
ansible.builtin.package:
|
||||
name:
|
||||
- wireguard
|
||||
state: present
|
||||
notify:
|
||||
- Ensure resolvconf is configured
|
||||
|
||||
- name: Ensure profiles are templated
|
||||
become: true
|
||||
ansible.builtin.template:
|
||||
src: "wg.conf.j2"
|
||||
dest: "{{ wireguard_conf_dir }}/{{ item.name }}.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0600"
|
||||
when:
|
||||
- wireguard_profiles is defined
|
||||
loop: wireguard_profiles
|
||||
...
|
|
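Review bot: `loop: wireguard_profiles` passes the literal string rather than the variable's value, so Ansible rejects it as invalid loop data instead of iterating the profiles; it should be `loop: "{{ wireguard_profiles }}"`. The template task also has no `notify`, so a changed profile is written to disk but nothing brings the interface down and up again; presumably the operator does that by hand, which a comment on the task should say. Since the rendered file contains the private key, `no_log: true` on the template task would keep a failure message or a `--diff` run from printing it to the console or the log.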
@ -0,0 +1,10 @@
|
|||
[Interface]
|
||||
PrivateKey = {{ privatekey }}
|
||||
Address = {{ address }}
|
||||
DNS = {{ dns }}
|
||||
|
||||
[Peer]
|
||||
PublicKey = {{ publickey }}
|
||||
AllowedIPs = {{ allowedips }}
|
||||
Endpoint = {{ endpoint }}
|
||||
PersistentKeepalive = 25
|
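Review bot: The template references `privatekey`, `address`, `dns`, `publickey`, `allowedips` and `endpoint` as top-level variables, but the task that renders it iterates `wireguard_profiles` with the default loop variable, so these values are only reachable as `item.<key>`; as written each lookup is undefined and the template task fails on the first profile. Each line should read like `PrivateKey = {{ item.privatekey }}`, with the same `item.` prefix on the other six substitutions. `PersistentKeepalive = 25` is the only fixed value in the file; if it is ever meant to vary per profile, `{{ item.keepalive | default(25) }}` keeps today's behaviour while allowing an override.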