Compare commits
18 Commits
Author | SHA1 | Date |
---|---|---|
Michael Grote | abbd3a4027 | |
Michael Grote | fec3d05853 | |
Michael Grote | 2711b53443 | |
Michael Grote | 76e80bef32 | |
Michael Grote | 65e11720b4 | |
Michael Grote | 4816028a69 | |
Michael Grote | 27814973f9 | |
Michael Grote | 8b24cb052d | |
Michael Grote | 821621a542 | |
Michael Grote | 79a5973721 | |
Michael Grote | 1fed3f9fca | |
Michael Grote | e7e4a4919a | |
Michael Grote | 938cc8c287 | |
Michael Grote | 3330df558a | |
Michael Grote | 76fae15233 | |
Michael Grote | d67020db21 | |
Michael Grote | 1d21878b43 | |
Michael Grote | 6db5b9d2b8 |
|
@ -20,29 +20,6 @@ dotfiles_vim_vundle_repo_url: https://git.mgrote.net/mirrors/Vundle.vim.git
|
||||||
### mgrote_netplan
|
### mgrote_netplan
|
||||||
netplan_configure: true
|
netplan_configure: true
|
||||||
|
|
||||||
### mgrote_restic
|
|
||||||
restic_user: root
|
|
||||||
restic_group: restic
|
|
||||||
restic_conf_dir: /etc/restic
|
|
||||||
restic_exclude: |
|
|
||||||
._*
|
|
||||||
desktop.ini
|
|
||||||
.Trash-*
|
|
||||||
**/**cache***/**
|
|
||||||
**/**Cache***/**
|
|
||||||
**/**AppData***/**
|
|
||||||
# https://github.com/restic/restic/issues/1005
|
|
||||||
# https://forum.restic.net/t/exclude-syntax-confusion/1531/12
|
|
||||||
restic_mount_timeout: "10 min"
|
|
||||||
restic_failure_delay: "30 s"
|
|
||||||
restic_schedule: "0/6:00" # alle 6 Stunden
|
|
||||||
restic_folders_to_backup: "/" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben; https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files
|
|
||||||
restic_repository: "//fileserver3.mgrote.net/restic"
|
|
||||||
restic_repository_password: "{{ lookup('keepass', 'restic_repository_password', 'password') }}"
|
|
||||||
restic_mount_user: restic
|
|
||||||
restic_mount_password: "{{ lookup('keepass', 'fileserver_smb_user_restic', 'password') }}"
|
|
||||||
restic_fail_mail: "{{ my_mail }}"
|
|
||||||
|
|
||||||
### mgrote_user
|
### mgrote_user
|
||||||
users:
|
users:
|
||||||
- username: mg
|
- username: mg
|
||||||
|
|
|
@ -0,0 +1,67 @@
|
||||||
|
---
|
||||||
|
### oefenweb.ufw
|
||||||
|
ufw_rules:
|
||||||
|
- rule: allow
|
||||||
|
to_port: 22
|
||||||
|
protocol: tcp
|
||||||
|
comment: 'ssh'
|
||||||
|
from_ip: 192.168.2.0/24
|
||||||
|
ufw_default_incoming_policy: deny
|
||||||
|
ufw_default_outgoing_policy: allow
|
||||||
|
|
||||||
|
### apt_install_packages
|
||||||
|
apt_packages_extra:
|
||||||
|
- qemu
|
||||||
|
- virt-manager
|
||||||
|
- tmux
|
||||||
|
- keychain
|
||||||
|
- jq
|
||||||
|
- vim
|
||||||
|
- cifs-utils
|
||||||
|
- nextcloud-desktop
|
||||||
|
- keepassxc
|
||||||
|
- openssh-server
|
||||||
|
- sshpass
|
||||||
|
- ansible
|
||||||
|
- linux-oem-22.04c
|
||||||
|
- vlc
|
||||||
|
- rofi
|
||||||
|
- wireguard
|
||||||
|
- wine
|
||||||
|
|
||||||
|
### mgrote_user
|
||||||
|
users:
|
||||||
|
- username: mg
|
||||||
|
password: "{{ lookup('keepass', 'mg_irantu_hash', 'password') }}"
|
||||||
|
update_password: always
|
||||||
|
groups: ssh, sudo
|
||||||
|
state: present
|
||||||
|
public_ssh_key: "{{ ssh_public_key_mg }}"
|
||||||
|
allow_sudo: true
|
||||||
|
allow_passwordless_sudo: true
|
||||||
|
- username: ansible-user
|
||||||
|
password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}"
|
||||||
|
update_password: always
|
||||||
|
groups: ssh, sudo
|
||||||
|
state: present
|
||||||
|
public_ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJcBwOjanQV6sFWaTetqpl20SVe3aRzGjKbsp7hKkDCE mg@irantu
|
||||||
|
allow_sudo: true
|
||||||
|
allow_passwordless_sudo: true
|
||||||
|
|
||||||
|
### mgrote.wireguard
|
||||||
|
wireguard_profiles:
|
||||||
|
- name: wg0
|
||||||
|
privatekey: "{{ lookup('keepass', 'wireguard_irantu_private_key', 'password') }}"
|
||||||
|
address: 10.25.25.4/24
|
||||||
|
dns: 192.168.2.37
|
||||||
|
publickey: yUDu0ReEz6CjFW6Ecoh2oN/eAGRtVQP38Bu5hJnv1w0=
|
||||||
|
allowedips: 192.168.2.0/24, 192.168.3.0/24
|
||||||
|
endpoint: mgrote.net:13231
|
||||||
|
- name: wg1
|
||||||
|
privatekey: "{{ lookup('keepass', 'wireguard_irantu_private_key', 'password') }}"
|
||||||
|
address: 10.25.25.4/24
|
||||||
|
dns: 192.168.2.37
|
||||||
|
publickey: yUDu0ReEz6CjFW6Ecoh2oN/eAGRtVQP38Bu5hJnv1w0=
|
||||||
|
allowedips: 0.0.0.0/0
|
||||||
|
endpoint: mgrote.net:13231
|
||||||
|
...
|
|
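Review bot: Both entries under `users` set `allow_passwordless_sudo: true`, so any SSH login as `mg` or `ansible-user` is root-equivalent on this host, and the only network restriction visible here is the ufw rule with `from_ip: 192.168.2.0/24`. If this is the vars file for the laptop (the keepass entry names suggest so, but the file path is not shown), that source range also matches any foreign network that uses the same addressing, so the rule is weaker than it would be on a fixed server. Consider keeping passwordless sudo only for the automation account, e.g. `allow_passwordless_sudo: false` under `username: mg`, and confirm that sshd password authentication is disabled elsewhere. Separately, `wg0` and `wg1` share the same `address` and `privatekey`, so presumably only one may be up at a time; a short comment saying so would help.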
@ -32,6 +32,10 @@ all:
|
||||||
hosts:
|
hosts:
|
||||||
pve5.mgrote.net:
|
pve5.mgrote.net:
|
||||||
pbs.mgrote.net:
|
pbs.mgrote.net:
|
||||||
|
irantu.mgrote.net:
|
||||||
|
laptop:
|
||||||
|
hosts:
|
||||||
|
irantu.mgrote.net:
|
||||||
gitea:
|
gitea:
|
||||||
hosts:
|
hosts:
|
||||||
gitea.mgrote.net:
|
gitea.mgrote.net:
|
||||||
|
@ -39,6 +43,7 @@ all:
|
||||||
production:
|
production:
|
||||||
hosts:
|
hosts:
|
||||||
fileserver3.mgrote.net:
|
fileserver3.mgrote.net:
|
||||||
|
irantu.mgrote.net:
|
||||||
ansible2.mgrote.net:
|
ansible2.mgrote.net:
|
||||||
pve5.mgrote.net:
|
pve5.mgrote.net:
|
||||||
gitea.mgrote.net:
|
gitea.mgrote.net:
|
||||||
|
|
BIN
keepass_db.kdbx
BIN
keepass_db.kdbx
Binary file not shown.
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
- hosts: laptop
|
||||||
|
roles:
|
||||||
|
- { role: mgrote_wireguard, tags: "wireguard", become: true }
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
# Repositories
|
||||||
|
repos:
|
||||||
|
- "deb http://packages.linuxmint.com victoria main upstream import backport"
|
||||||
|
- "deb http://de.archive.ubuntu.com/ubuntu jammy main restricted universe multiverse" # TODO
|
||||||
|
- "deb http://de.archive.ubuntu.com/ubuntu jammy-updates main restricted universe multiverse"
|
||||||
|
- "deb http://de.archive.ubuntu.com/ubuntu jammy-security main restricted universe multiverse"
|
||||||
|
- "deb http://de.archive.ubuntu.com/ubuntu jammy-backports main restricted universe multiverse"
|
|
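Review bot: The `jammy-security` entry now points at the `de.archive.ubuntu.com` mirror, whereas the file this appears to replace took `-security` from `security.ubuntu.com`; regional mirrors sync on a delay, so security updates can arrive later. I would keep `- "deb http://security.ubuntu.com/ubuntu jammy-security main restricted universe multiverse"`. The trailing `# TODO` on the `jammy` line does not say what is outstanding; spell it out or drop it. All five sources are plain `http://`; apt's signature check still protects package integrity, but `https://` is worth considering where the mirror supports it.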
@ -1,9 +0,0 @@
|
||||||
---
|
|
||||||
# Repositories
|
|
||||||
repos:
|
|
||||||
- "deb http://packages.linuxmint.com vera main upstream import backport"
|
|
||||||
- "deb http://archive.ubuntu.com/ubuntu {{ ansible_distribution_release }} main restricted universe multiverse"
|
|
||||||
- "deb http://archive.ubuntu.com/ubuntu {{ ansible_distribution_release }}-updates main restricted universe multiverse"
|
|
||||||
- "deb http://archive.ubuntu.com/ubuntu {{ ansible_distribution_release }}-backports main restricted universe multiverse"
|
|
||||||
- "deb http://security.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-security main restricted universe multiverse"
|
|
||||||
- "deb http://archive.canonical.com/ubuntu/ {{ ansible_distribution_release }} partner"
|
|
|
@ -0,0 +1,11 @@
|
||||||
|
---
|
||||||
|
wireguard_conf_dir: /etc/wireguard
|
||||||
|
#wireguard_profiles:
|
||||||
|
# - name: wg0
|
||||||
|
# privatekey:
|
||||||
|
# address:
|
||||||
|
# dns:
|
||||||
|
# publickey:
|
||||||
|
# allowedips:
|
||||||
|
# endpoint:
|
||||||
|
...
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
- name: Ensure resolvconf is configured # noqa no-changed-when
|
||||||
|
become: true
|
||||||
|
ansible.builtin.command: ln -s /usr/bin/resolvectl /usr/local/bin/resolvconf
|
||||||
|
...
|
|
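Review bot: The handler runs `ln -s` through `ansible.builtin.command`, which fails with "File exists" whenever `/usr/local/bin/resolvconf` is already present, and the `# noqa no-changed-when` suppresses the lint rule that points at this. `ansible.builtin.file` with `state: link` does the same job idempotently and reports changed only when it creates or repoints the link. A comment on why the symlink is needed would also help (presumably wg-quick calls `resolvconf` when a profile sets `DNS`).

```yaml
- name: Ensure resolvconf is configured
  become: true
  ansible.builtin.file:
    src: /usr/bin/resolvectl
    dest: /usr/local/bin/resolvconf
    state: link
```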
@ -0,0 +1,22 @@
|
||||||
|
---
|
||||||
|
- name: Ensure package exists
|
||||||
|
become: true
|
||||||
|
ansible.builtin.package:
|
||||||
|
name:
|
||||||
|
- wireguard
|
||||||
|
state: present
|
||||||
|
notify:
|
||||||
|
- Ensure resolvconf is configured
|
||||||
|
|
||||||
|
- name: Ensure profiles are templated
|
||||||
|
become: true
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "wg.conf.j2"
|
||||||
|
dest: "{{ wireguard_conf_dir }}/{{ item.name }}.conf"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0600"
|
||||||
|
when:
|
||||||
|
- wireguard_profiles is defined
|
||||||
|
loop: wireguard_profiles
|
||||||
|
...
|
|
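Review bot: `loop: wireguard_profiles` passes the literal string rather than the variable, because `loop` is not implicitly templated; Ansible should reject it as not being a list, so no profile is written. Use `loop: "{{ wireguard_profiles | default([]) }}"`, which also makes the `when: wireguard_profiles is defined` guard unnecessary. Ansible prints each loop item in the task output, and the items here carry `privatekey`, so add `loop_control` with `label: "{{ item.name }}"` (or `no_log: true`) to keep key material out of logs; the `mode: "0600"` with root ownership on the rendered file is already right. Nothing in this file brings an interface up or restarts it after a config change; if that is meant to be manual, say so in a comment.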
@ -0,0 +1,10 @@
|
||||||
|
[Interface]
|
||||||
|
PrivateKey = {{ privatekey }}
|
||||||
|
Address = {{ address }}
|
||||||
|
DNS = {{ dns }}
|
||||||
|
|
||||||
|
[Peer]
|
||||||
|
PublicKey = {{ publickey }}
|
||||||
|
AllowedIPs = {{ allowedips }}
|
||||||
|
Endpoint = {{ endpoint }}
|
||||||
|
PersistentKeepalive = 25
|
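Review bot: The template references `{{ privatekey }}`, `{{ address }}` and the other fields as top-level variables, but the task that renders it loops over `wireguard_profiles`, so the values live on `item`. As written the render should fail on an undefined variable, or silently pick up an unrelated variable of the same name. Each reference needs the prefix, e.g. `PrivateKey = {{ item.privatekey }}`, and likewise for `address`, `dns`, `publickey`, `allowedips` and `endpoint`. `DNS` is rendered unconditionally although a profile may not want it; wrapping that line in `{% if item.dns is defined %}` … `{% endif %}` would make it optional.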