il/ilnmors-homelab
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

1.0.0 Release IaaS

Browse Source
This commit is contained in:
Il Lee
2026-03-15 04:41:02 +09:00
commit a7365da431
292 changed files with 36059 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
ansible/roles/fw/handlers/main.yaml Normal file
View File

@@ -0,0 +1,63 @@
---
- name: Restart chrony
ansible.builtin.systemd:
name: "chrony.service"
state: "restarted"
enabled: true
daemon_reload: true
become: true
changed_when: false
listen: "notification_restart_chrony"
ignore_errors: true # noqa: ignore-errors
- name: Update suricata rules
ansible.builtin.command:
suricata-update --disable-conf /etc/suricata/disable.conf --enable-conf /etc/suricata/enable.conf --local /etc/suricata/rules/local.rules
become: true
changed_when: false
listen: "notification_update_suricata_rules"
ignore_errors: true # noqa: ignore-errors
- name: Restart suricata
ansible.builtin.systemd:
name: "suricata.service"
state: "restarted"
enabled: true
daemon_reload: true
become: true
changed_when: false
listen: "notification_restart_suricata"
ignore_errors: true # noqa: ignore-errors
- name: Restart bind9
ansible.builtin.systemd:
name: "named.service"
state: "restarted"
enabled: true
daemon_reload: true
become: true
changed_when: false
listen: "notification_restart_bind"
ignore_errors: true # noqa: ignore-errors
- name: Restart blocky
ansible.builtin.systemd:
name: "blocky.service"
state: "restarted"
enabled: "true"
daemon_reload: true
become: true
changed_when: false
listen: "notification_restart_blocky"
ignore_errors: true # noqa: ignore-errors
- name: Restart kea-dhcp4
ansible.builtin.systemd:
name: "kea-dhcp4-server.service"
state: "restarted"
enabled: true
daemon_reload: true
become: true
changed_when: false
listen: "notification_restart_kea4"
ignore_errors: true # noqa: ignore-errors

103
ansible/roles/fw/tasks/services/set_bind.yaml Normal file
View File

@@ -0,0 +1,103 @@
---
- name: Check bind9 installation
ansible.builtin.shell: |
command -v named
become: true # named is located in /usr/sbin, which means root permission is needed.
changed_when: false
failed_when: false
register: "is_bind_installed"
ignore_errors: true
- name: Set bind9 zone files
ansible.builtin.set_fact:
bind_zone_files:
- "db.ilnmors.internal"
- "db.ilnmors.com"
- "db.1.168.192.in-addr.arpa"
- "db.10.168.192.in-addr.arpa"
- "db.1.00df.ip6.arpa"
- "db.10.00df.ip6.arpa"
- name: Install bind9
ansible.builtin.apt:
name: "bind9"
state: "present"
become: true
when: is_bind_installed.rc != 0
- name: Deploy acem.key
ansible.builtin.copy:
content: "{{ hostvars['console']['bind']['acme_key'] }}"
dest: "/etc/bind/acme.key"
owner: "bind"
group: "bind"
mode: "0640"
become: true
notify: "notification_restart_bind"
no_log: true
- name: Deploy db files
ansible.builtin.copy:
src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/bind/lib/{{ item }}"
dest: "/var/lib/bind/{{ item }}"
owner: "bind"
group: "bind"
mode: "0640"
loop: "{{ bind_zone_files }}"
become: true
notify: "notification_restart_bind"
no_log: true
- name: Clean BIND journal files
ansible.builtin.file:
path: "/var/lib/bind/{{ item }}.jnl"
state: absent
loop: "{{ bind_zone_files }}"
become: true
notify: "notification_restart_bind"
no_log: true
- name: Deploy named.conf
ansible.builtin.template:
src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/bind/etc/named.conf.j2"
dest: "/etc/bind/named.conf"
owner: "root"
group: "bind"
mode: "0640"
validate: "/usr/bin/named-checkconf -z %s"
become: true
notify: "notification_restart_bind"
no_log: true
- name: Create named.service.d
ansible.builtin.file:
path: "/etc/systemd/system/named.service.d"
state: "directory"
owner: "root"
group: "root"
mode: "0755"
become: true
- name: Set named.service.d/override.conf
ansible.builtin.copy:
dest: "/etc/systemd/system/named.service.d/override.conf"
content: |
[Service]
Restart=always
RestartSec=60
owner: "root"
group: "root"
mode: "0644"
become: true
notify: "notification_restart_bind"
- name: Enable bind9 service
ansible.builtin.systemd:
name: "named.service"
state: "started"
enabled: true
become: true
# Verify working
# dig A fw.ilnmors.internal @fd00:10::3
# dig AAAA fw.ilnmors.internal @fd00:10::3

117
ansible/roles/fw/tasks/services/set_blocky.yaml Normal file
View File

@@ -0,0 +1,117 @@
---
- name: Gather system facts (hardware)
ansible.builtin.setup:
gather_subset:
- hardware
become: true
- name: Create blocky group
ansible.builtin.group:
name: "blocky"
gid: 953
state: "present"
become: true
- name: Create blocky user
ansible.builtin.user:
name: "blocky"
uid: 953
group: "blocky"
shell: "/usr/sbin/nologin"
password_lock: true
comment: "Blocky DNS User"
state: "present"
become: true
- name: Create blocky etc directory
ansible.builtin.file:
path: "{{ item }}"
owner: "blocky"
group: "blocky"
mode: "0750"
state: "directory"
loop:
- "/etc/blocky"
- "/etc/blocky/ssl"
become: true
- name: Deploy blocky binary file (x86_64)
ansible.builtin.unarchive:
src: "{{ hostvars['console']['node']['data_path'] }}/bin/blocky-{{ version['packages']['blocky'] }}-x86_64.tar.gz"
dest: "/usr/local/bin/"
owner: "root"
group: "root"
mode: "0755"
extra_opts:
- "--strip-components=0"
- "--wildcards"
- "blocky"
become: true
when: ansible_facts['architecture'] == "x86_64"
notify: "notification_restart_blocky"
- name: Deploy blocky binary file (aarch64)
ansible.builtin.unarchive:
src: "{{ hostvars['console']['node']['data_path'] }}/bin/blocky-{{ version['packages']['blocky'] }}-arm64.tar.gz"
dest: "/usr/local/bin/"
owner: "root"
group: "root"
mode: "0755"
extra_opts:
- "--strip-components=0"
- "--wildcards"
- "blocky"
become: true
when: ansible_facts['architecture'] == "aarch64"
notify: "notification_restart_blocky"
- name: Deploy blocky config
ansible.builtin.template:
src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/blocky/etc/config.yaml.j2"
dest: "/etc/blocky/config.yaml"
owner: "blocky"
group: "blocky"
mode: "0640"
become: true
notify: "notification_restart_blocky"
no_log: true
- name: Deploy blocky certificate and key
ansible.builtin.copy:
content: |
{{ item.value }}
dest: "/etc/blocky/ssl/{{ item.name }}"
owner: "blocky"
group: "blocky"
mode: "{{ item.mode }}"
loop:
- name: "blocky.crt"
value: |
{{ hostvars['console']['blocky']['crt'] | trim }}
{{ hostvars['console']['ca']['intermediate']['crt'] }}
mode: "0440"
- name: "blocky.key"
value: "{{ hostvars['console']['blocky']['key'] }}"
mode: "0400"
become: true
notify: "notification_restart_blocky"
no_log: true
- name: Deploy blocky service
ansible.builtin.copy:
src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/blocky/blocky.service"
dest: "/etc/systemd/system/blocky.service"
owner: "root"
group: "root"
mode: "0644"
validate: "/usr/bin/systemd-analyze verify %s"
become: true
notify: "notification_restart_blocky"
- name: Enable blocky service
ansible.builtin.systemd:
name: "blocky.service"
state: "started"
enabled: true
daemon_reload: true
become: true

55
ansible/roles/fw/tasks/services/set_chrony.yaml Normal file
View File

@@ -0,0 +1,55 @@
---
- name: Check chrnoy installation
ansible.builtin.shell: |
command -v chronyc
changed_when: false
failed_when: false
register: "is_chrony_installed"
ignore_errors: true
- name: Install chrony
ansible.builtin.apt:
name: "chrony"
state: "present"
become: true
when: is_chrony_installed.rc != 0
- name: Deploy local acl file
ansible.builtin.template:
src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/chrony/local-acl.conf.j2"
dest: "/etc/chrony/conf.d/local-acl.conf"
owner: "root"
group: "root"
mode: "0644"
become: true
notify: "notification_restart_chrony"
- name: Create chrony.service.d
ansible.builtin.file:
path: "/etc/systemd/system/chrony.service.d"
state: "directory"
owner: "root"
group: "root"
mode: "0755"
become: true
- name: Set chrony.service.d/override.conf
ansible.builtin.copy:
dest: "/etc/systemd/system/chrony.service.d/override.conf"
content: |
[Service]
Restart=always
RestartSec=60
owner: "root"
group: "root"
mode: "0644"
become: true
notify: "notification_restart_chrony"
- name: Enable chrony service
ansible.builtin.systemd:
name: "chrony.service"
state: "started"
enabled: true
daemon_reload: true
become: true

41
ansible/roles/fw/tasks/services/set_ddns.yaml Normal file
View File

@@ -0,0 +1,41 @@
---
- name: Create ddns secret env file
ansible.builtin.copy:
content: |
ZONE_ID={{ hostvars['console']['ddns']['zone_id'] }}
API_KEY={{ hostvars['console']['ddns']['api_key'] }}
dest: "/etc/secrets/{{ node['uid'] }}/ddns.env"
owner: "{{ ansible_user }}"
group: "svadmins"
mode: "0400"
become: true
no_log: true
- name: Deploy ddns script
ansible.builtin.copy:
src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/ddns/ddns.sh"
dest: "/usr/local/bin"
owner: "{{ ansible_user }}"
group: "svadmins"
mode: "0711"
become: true
- name: Deploy ddns service files
ansible.builtin.copy:
src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/ddns/{{ item }}"
dest: "{{ node['home_path'] }}/.config/systemd/user/{{ item }}"
owner: "{{ ansible_user }}"
group: "svadmins"
mode: "0600"
validate: "/usr/bin/systemd-analyze verify %s"
loop:
- "ddns.service"
- "ddns.timer"
- name: Register ddns timer
ansible.builtin.systemd:
name: "ddns.timer"
state: "started"
enabled: true
daemon_reload: true
scope: "user"

57
ansible/roles/fw/tasks/services/set_kea.yaml Normal file
View File

@@ -0,0 +1,57 @@
---
- name: Check Kea dhcp4 installation
ansible.builtin.shell: |
command -v kea-dhcp4
become: true # kea-dhcp4 is located in /usr/sbin, which means root permission is needed.
changed_when: false
failed_when: false
register: "is_kea4_installed"
ignore_errors: true
- name: Install kea dhcp 4
ansible.builtin.apt:
name:
- "kea-dhcp4-server"
state: "present"
become: true
when: is_kea4_installed.rc != 0
- name: Deploy kea dhcp4 conf
ansible.builtin.template:
src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/kea/kea-dhcp4.conf.j2"
dest: "/etc/kea/kea-dhcp4.conf"
owner: "_kea"
group: "_kea"
mode: "0600"
become: true
notify: "notification_restart_kea4"
- name: Create kea-dhcp-server.service.d
ansible.builtin.file:
path: "/etc/systemd/system/kea-dhcp4-server.service.d"
state: "directory"
owner: "root"
group: "root"
mode: "0755"
become: true
- name: Set kea-dhcp-server.service.d/override.conf
ansible.builtin.copy:
dest: "/etc/systemd/system/kea-dhcp4-server.service.d/override.conf"
content: |
[Service]
Restart=always
RestartSec=60
owner: "root"
group: "root"
mode: "0644"
become: true
notify:
- "notification_restart_kea4"
- name: Enable kea service
ansible.builtin.systemd:
name: "kea-dhcp4-server.service"
state: "started"
enabled: true
become: true

141
ansible/roles/fw/tasks/services/set_suricata.yaml Normal file
View File

@@ -0,0 +1,141 @@
---
- name: Check suricata installation
ansible.builtin.shell: |
command -v suricata
changed_when: false
failed_when: false
register: "is_suricata_installed"
ignore_errors: true
- name: Install suricata
ansible.builtin.apt:
name:
- "suricata"
- "suricata-update"
state: "present"
become: true
when: is_suricata_installed.rc != 0
- name: Deploy suricata-update service files
ansible.builtin.copy:
src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/suricata/{{ item }}"
dest: "/etc/systemd/system/{{ item }}"
owner: "root"
group: "root"
mode: "0644"
validate: "/usr/bin/systemd-analyze verify %s"
loop:
- "suricata-update.service"
- "suricata-update.timer"
become: true
- name: Deploy suricata custom configurations
ansible.builtin.copy:
src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/suricata/etc/{{ item }}"
dest: "/etc/suricata/{{ item }}"
owner: "root"
group: "root"
mode: "0644"
loop:
- "disable.conf"
- "enable.conf"
become: true
notify:
- "notification_update_suricata_rules"
- "notification_restart_suricata"
- name: Deploy suricata custom rules
ansible.builtin.copy:
src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/suricata/etc/local.rules"
dest: "/etc/suricata/rules/local.rules"
owner: "root"
group: "root"
mode: "0644"
become: true
notify:
- "notification_update_suricata_rules"
- "notification_restart_suricata"
- name: Check suricata rules
ansible.builtin.stat:
path: "/var/lib/suricata/rules/suricata.rules"
register: "is_suricata_rules_file"
- name: Update suricata rules
ansible.builtin.command:
suricata-update
become: true
when: not is_suricata_rules_file.stat.exists
changed_when: true
- name: Enable auto suricata rules update
ansible.builtin.systemd:
name: "suricata-update.timer"
state: "started"
enabled: true
daemon_reload: true
become: true
- name: Deploy suricata.yaml
ansible.builtin.template:
src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/suricata/etc/suricata.yaml.j2"
dest: "/etc/suricata/suricata.yaml"
owner: "root"
group: "root"
mode: "0644"
validate: "/usr/bin/suricata -T -c %s"
become: true
notify: "notification_restart_suricata"
- name: Create suricata.service.d
ansible.builtin.file:
path: "/etc/systemd/system/suricata.service.d"
state: "directory"
owner: "root"
group: "root"
mode: "0755"
become: true
- name: Set suricata.service.d/override.conf
ansible.builtin.copy:
dest: "/etc/systemd/system/suricata.service.d/override.conf"
content: |
[Service]
Restart=always
RestartSec=60
owner: "root"
group: "root"
mode: "0644"
become: true
notify:
- "notification_restart_suricata"
- name: Enable suricata service
ansible.builtin.systemd:
name: "suricata.service"
state: "started"
enabled: true
daemon_reload: true
become: true
- name: Set suricata logs logrotate
ansible.builtin.copy:
content: |
/var/log/suricata/*.log /var/log/suricata/*.json {
weekly
missingok
rotate 4
compress
delaycompress
notifempty
maxsize 500M
sharedscripts
postrotate
/usr/bin/systemctl reload suricata > /dev/null 2>/dev/null || true
endscript
}
dest: "/etc/logrotate.d/suricata"
owner: "root"
group: "root"
mode: "0644"
become: true