commit
c5b89633ce
8 changed files with 170 additions and 0 deletions
@ -0,0 +1 @@ |
|||
*.retry |
|||
@ -0,0 +1,6 @@ |
|||
[rpi] |
|||
raspberry-pi.itix.fr |
|||
|
|||
[rpi:vars] |
|||
pihole_webadmin_enabled=no |
|||
pihole_lighttpd_enabled=no |
|||
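Review bot: `pihole_webadmin_enabled=no` and `pihole_lighttpd_enabled=no` are plain strings in an INI inventory, so they only act as booleans because the setupVars template later applies `|bool`; a `when:` test on the bare variable elsewhere would see a non-empty string and treat it as true. Either document that dependency in the inventory, e.g. `# values are strings: consumers must apply |bool`, or move these overrides into a `group_vars/rpi.yml` where `false` is a real boolean.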
@ -0,0 +1,9 @@ |
|||
--- |
|||
|
|||
- name: Install and configure my Raspberry PI |
|||
hosts: rpi |
|||
become: yes |
|||
roles: |
|||
- base |
|||
- pihole |
|||
|
|||
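Review bot: `become: yes` uses a YAML 1.1 truthy word; writing `become: true` reads the same under every loader and is what yamllint's `truthy` rule expects. The same lowercase form should be used wherever the role defaults use `yes` so the repository has a single boolean spelling.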
@ -0,0 +1,4 @@ |
|||
--- |
|||
|
|||
- name: restart sshd |
|||
service: name=sshd state=reloaded |
|||
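Review bot: `service: name=sshd state=reloaded` uses the key=value argument form, which is harder to lint and breaks as soon as a value contains a space; the native block form `service:` / `name: sshd` / `state: reloaded` is the Ansible convention and is already used by the pihole role in this commit. The same applies to every `user:`, `file:`, `group:`, `dnf:`, `authorized_key:` and `lineinfile:` task in the base role's tasks file, where `comment={{ item.comment }}` in particular will be split on whitespace if a user's comment contains a space.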
@ -0,0 +1,73 @@ |
|||
--- |
|||
|
|||
- name: Create groups |
|||
group: name={{ item.name }} state=present |
|||
with_items: "{{ itix_groups }}" |
|||
tags: bootstrap |
|||
|
|||
- name: Create users |
|||
user: state=present name={{ item.login }} group={{ item.group }} groups={{ item.groups }} uid={{ item.uid }} comment={{ item.comment }} password={{ item.password }} |
|||
with_items: "{{ itix_users }}" |
|||
tags: bootstrap |
|||
|
|||
- name: Create the .ssh directory for users |
|||
file: state=directory owner={{ item.login }} group={{ item.group }} mode=0700 path=/home/{{ item.login }}/.ssh |
|||
with_items: "{{ itix_users }}" |
|||
tags: bootstrap |
|||
|
|||
- name: Set a strong root password (only usable from console) |
|||
user: name=root password={{ root_password }} |
|||
tags: bootstrap |
|||
|
|||
- name: Set SSH key for users |
|||
authorized_key: user={{ item.login }} key="{{ item.ssh_public_key }}" |
|||
with_items: "{{ itix_users }}" |
|||
when: "item.ssh_public_key is defined" |
|||
tags: bootstrap |
|||
|
|||
- name: Tell SSHD not to use DNS |
|||
lineinfile: dest=/etc/ssh/sshd_config regexp="^#* *UseDNS +" line="UseDNS no" |
|||
notify: restart sshd |
|||
tags: config |
|||
|
|||
- name: Tell SSHD to forbid root accesses |
|||
lineinfile: dest=/etc/ssh/sshd_config regexp="^#* *PermitRootLogin +" line="PermitRootLogin no" |
|||
notify: restart sshd |
|||
tags: config |
|||
|
|||
- name: Tell SSHD to forbid password accesses |
|||
lineinfile: dest=/etc/ssh/sshd_config regexp="^#* *PasswordAuthentication +" line="PasswordAuthentication no" |
|||
notify: restart sshd |
|||
tags: config |
|||
|
|||
- name: Install some software |
|||
dnf: name={{ item }} state=installed |
|||
with_items: |
|||
- vim-enhanced |
|||
- tmux |
|||
- unzip |
|||
- tcpdump |
|||
- telnet |
|||
- strace |
|||
- man-pages |
|||
- man |
|||
- iptraf |
|||
- wget |
|||
- openssh-clients |
|||
tags: rpm |
|||
|
|||
- name: Fix /etc/environment to include PATH |
|||
lineinfile: dest=/etc/environment regexp="^PATH=" line="PATH=/bin:/usr/bin:/sbin:/usr/sbin" |
|||
tags: config |
|||
|
|||
- name: Set the hostname |
|||
command: hostnamectl set-hostname {{ inventory_hostname_short }} --static |
|||
tags: |
|||
- config |
|||
- dns |
|||
|
|||
- name: Ensure consistent locale across systems (1/2) |
|||
lineinfile: dest=/etc/locale.conf regexp="^LANG=" line="LANG=en_US.utf8" |
|||
|
|||
- name: Ensure consistent locale across systems (2/2) |
|||
lineinfile: dest=/etc/locale.conf line="LC_CTYPE=en_US.utf8" |
|||
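Review bot: The two `user:` tasks that set passwords (`Create users` and `Set a strong root password`) have no `no_log`, so the `password=` argument is echoed in verbose and failed-task output; add `no_log: true` to both. The `user` module's `password` parameter expects an already-hashed value, so `item.password` and `root_password` need to be crypt hashes (or passed through `password_hash('sha512')`) and should live in vault-encrypted variables rather than plain vars. The three `lineinfile` edits of `/etc/ssh/sshd_config` notify a reload without checking that the resulting file still parses; adding `validate: '/usr/sbin/sshd -t -f %s'` to each keeps a bad edit from leaving sshd in a state the handler cannot reload, and `insertbefore: '^Match'` prevents a newly appended line from landing inside a trailing `Match` block. `hostnamectl set-hostname` under `command:` reports changed on every run; the `hostname` module or a `changed_when` would make the play idempotent.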
@ -0,0 +1,6 @@ |
|||
--- |
|||
pihole_version: v3.3.1 |
|||
pihole_installer_sha256sum: cafa86b43a496dad113eac4afe1ce89eed0ada3f9a555e2d8c1742d60d1d11f2 |
|||
pihole_query_logging_enabled: yes |
|||
pihole_webadmin_enabled: yes |
|||
pihole_lighttpd_enabled: yes |
|||
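Review bot: `pihole_query_logging_enabled: yes`, `pihole_webadmin_enabled: yes` and `pihole_lighttpd_enabled: yes` use YAML 1.1 truthy words; write them as `true` so the values are booleans under any loader and match the lowercase form the template already normalises through `|bool`. `pihole_version` and `pihole_installer_sha256sum` are a pair that must move together; a comment such as `# sha256 of basic-install.sh at pihole_version; update both on every bump` makes that explicit for the next upgrade.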
@ -0,0 +1,49 @@ |
|||
--- |
|||
|
|||
- name: Create a folder for the pi-hole installer |
|||
file: |
|||
path: /usr/local/src/pi-hole |
|||
state: directory |
|||
|
|||
- name: 'Fetch the pi-hole installer' |
|||
get_url: |
|||
dest: /usr/local/src/pi-hole/basic-install.sh |
|||
url: https://raw.githubusercontent.com/pi-hole/pi-hole/{{ pihole_version }}/automated%20install/basic-install.sh |
|||
validate_certs: yes |
|||
sha256sum: '{{ pihole_installer_sha256sum|default(omit) }}' |
|||
mode: 0755 |
|||
register: pihole_installer |
|||
|
|||
- name: 'Make sure /etc/pihole exists' |
|||
file: |
|||
state: directory |
|||
path: /etc/pihole |
|||
owner: root |
|||
group: root |
|||
mode: 0755 |
|||
|
|||
- name: 'Generate the pi-hole unattended installation script' |
|||
template: |
|||
src: setupVars.conf.j2 |
|||
dest: /etc/pihole/setupVars.conf |
|||
owner: root |
|||
group: root |
|||
mode: 0644 |
|||
register: pihole_config |
|||
|
|||
- name: Run the pi-hole installer |
|||
command: /usr/local/src/pi-hole/basic-install.sh --unattended |
|||
when: pihole_config.changed or pihole_installer.changed |
|||
|
|||
- name: Fix dnsmasq logfile ownership |
|||
file: |
|||
path: /var/log/pihole.log |
|||
setype: dnsmasq_var_log_t |
|||
seuser: system_u |
|||
register: log_file_permissions |
|||
|
|||
- name: Restart dnsmasq |
|||
service: |
|||
name: dnsmasq |
|||
state: restarted |
|||
when: log_file_permissions.changed |
|||
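Review bot: `sha256sum: '{{ pihole_installer_sha256sum|default(omit) }}'` in `Fetch the pi-hole installer` makes the checksum optional, yet the fetched script is then executed as root by `Run the pi-hole installer`; if the variable is ever unset the download is accepted unverified. Drop the `default(omit)` (the role defaults already define the value) or precede the task with an `assert` that the variable is defined, so a missing pin fails the play rather than silently skipping verification. If the targeted ansible release supports it, `checksum: 'sha256:{{ pihole_installer_sha256sum }}'` is the non-deprecated spelling of this argument. `Generate the pi-hole unattended installation script` renders `WEBPASSWORD` into `/etc/pihole/setupVars.conf` with `mode: 0644` and no `no_log`; add `no_log: true` so the hash is not printed in `--diff` output, and confirm whether pi-hole's own tooling actually needs the file world-readable before keeping that mode.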
@ -0,0 +1,22 @@ |
|||
PIHOLE_INTERFACE={{ ansible_default_ipv4.interface }} |
|||
{% if "address" in ansible_default_ipv4 %} |
|||
IPV4_ADDRESS={{ ansible_default_ipv4.address }}/{{ ansible_default_ipv4.netmask|ipaddr('prefix') }} |
|||
{% else %} |
|||
IPV4_ADDRESS= |
|||
{% endif %} |
|||
{% if "address" in ansible_default_ipv6 %} |
|||
IPV6_ADDRESS={{ ansible_default_ipv6.address }}/{{ ansible_default_ipv6.netmask|ipaddr('prefix') }} |
|||
{% else %} |
|||
IPV6_ADDRESS= |
|||
{% endif %} |
|||
{% for pihole_dns_ipaddress in ansible_dns.nameservers|default([]) %} |
|||
PIHOLE_DNS_{{loop.index}}={{ pihole_dns_ipaddress }} |
|||
{% endfor %} |
|||
QUERY_LOGGING={{ pihole_query_logging_enabled|bool|ternary('true', 'false') }} |
|||
INSTALL_WEB={{ pihole_webadmin_enabled|bool|ternary('true', 'false') }} |
|||
LIGHTTPD_ENABLED={{ pihole_lighttpd_enabled|bool|ternary('1', '0') }} |
|||
{% if pihole_webadmin_password is defined %} |
|||
WEBPASSWORD={{ pihole_webadmin_password|hash('sha256')|hash('sha256') }} |
|||
{% elif pihole_webadmin_password_hash is defined %} |
|||
WEBPASSWORD={{ pihole_webadmin_password_hash }} |
|||
{% endif %} |
|||
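Review bot: `WEBPASSWORD` is rendered as an unsalted double SHA-256 of `pihole_webadmin_password`, which is the form pi-hole reads but is also cheap to brute-force offline, so the source of the plaintext matters more than usual; keep `pihole_webadmin_password` in vault-encrypted vars, and prefer supplying `pihole_webadmin_password_hash` so the plaintext never has to exist in the inventory at all. The `PIHOLE_DNS_` loop copies the host's current resolvers from `ansible_dns.nameservers`; on a re-run after pi-hole is installed those resolvers may already point at the pi-hole itself (inferred, not visible here), which would render an upstream that loops back to the local resolver. A comment above the loop, `{# upstreams are the host's resolvers at render time; exclude loopback after install #}`, together with `|reject('match', '^127\.')` on the list, would make that assumption explicit and guard against it.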