diff --git a/.gitignore b/.gitignore index 5c199eb..844eec8 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ # ---> Ansible *.retry - +.env \ No newline at end of file diff --git a/inventory/hosts.ini b/inventory/hosts.ini index 50cae5e..ee84b5b 100644 --- a/inventory/hosts.ini +++ b/inventory/hosts.ini @@ -1,5 +1,11 @@ -[almalinux] +[almalinux-root] vps-root [almalinux-user] vps + +[all:vars] +user_name="jan" +domain="janvoelkel-de" +op_password_path="SSH/MyVPS jan/password" +dnf_text_editor="nano" \ No newline at end of file diff --git a/playbooks/add_user.yml b/playbooks/add_user.yml index 866e0f8..0d83289 100644 --- a/playbooks/add_user.yml +++ b/playbooks/add_user.yml @@ -3,8 +3,8 @@ hosts: almalinux-user become: yes vars_prompt: - - name: "username" - prompt: "Please enter the username to be created" + - name: "user_name" + prompt: "Please enter the user_name to be created" private: no # Der Benutzername wird sichtbar eingegeben - name: "user_password" prompt: "Please enter the password for the new user" diff --git a/playbooks/setup_server.yml b/playbooks/setup_server.yml index 41f2d2a..60347e1 100644 --- a/playbooks/setup_server.yml +++ b/playbooks/setup_server.yml 
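Review bot: `user_name="jan"` in the new `[all:vars]` block carries the same name as the `vars_prompt` entry this commit introduces in playbooks/add_user.yml; a play-level prompt has higher precedence than an inventory variable, so whenever that play runs the inventory value is silently shadowed by whatever is typed at the prompt. Either drop the prompt there or give one of the two a distinct name. The surrounding quotes are stripped by the INI inventory parser, which is fine here, but `op_password_path` is later spliced into a shell command by the create_user_with_root role, so keep that value free of `"` and other shell metacharacters.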
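Review bot: The renamed prompt text `"Please enter the user_name to be created"` now shows a variable name to the operator; keep the wording user-facing, `prompt: "Please enter the username to be created"`, and rename only the `name:` field. The play still prompts for `user_password` (and, on the old side, `ssh_public_key`), yet the create_user_with_root role in this same commit reads the password from `op read` and copies a static authorized_keys file, so if this play uses that role those prompts are collected and never used. The play's `roles:` list lies outside the hunk, so this is inferred, not visible. `become: yes` and `private: no` should be `true`/`false` per yamllint truthy.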
@@ -1,18 +1,15 @@ ---- -- name: Server setup with roles - hosts: almalinux # Hier verwenden wir die Gruppe 'almalinux' aus der hosts.ini +# --- +# - name: Server setup with roles +# hosts: almalinux-root +# become: yes +# roles: +# - firewalld +# - dnf_tools +# - docker +# - create_user_with_root + +- name: Create directus with database + hosts: vps become: yes - vars_prompt: - - name: "username" - prompt: "Please enter the username to be created" - private: no # Der Benutzername wird sichtbar eingegeben - - name: "user_password" - prompt: "Please enter the password for the new user" - private: yes # Das Passwort wird versteckt eingegeben - - name: "ssh_public_key" - prompt: "Please enter the public key for ssh of your pc" - private: no roles: - # firewall - - create_user_with_root - # firewall \ No newline at end of file + - directus diff --git a/roles/create_user_with_root/files/authorized_keys b/roles/create_user_with_root/files/authorized_keys new file mode 100644 index 0000000..25348e4 --- /dev/null +++ b/roles/create_user_with_root/files/authorized_keys @@ -0,0 +1,2 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRnv0VogdTwQWhfYqKaIMzSll2JG4hvO9jryP8aJl4u MacBook Pro von Jan +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkNsib7eOmVt7EPp7R1QJ4iZRBu8MqsvGUaF9JdcbyU iPhone 16 Pro Max von Jan \ No newline at end of file diff --git a/roles/create_user_with_root/tasks/main.yml b/roles/create_user_with_root/tasks/main.yml index d7c3f45..a2b55f1 100644 --- a/roles/create_user_with_root/tasks/main.yml +++ b/roles/create_user_with_root/tasks/main.yml 
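Review bot: The old play is kept as a commented-out block instead of being deleted, and the comment also swallows the `---` document-start marker, so the file now opens with `# ---`. Git history already preserves the previous play; drop the block and restore `---` as the first line. The new play targets the single host `vps` rather than the `almalinux-user` group the other playbook uses, which may be intended but leaves the inventory grouping unused for this play. `become: yes` should be `become: true`.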
@@ -1,42 +1,58 @@ - name: Erstelle einen neuen User mit Sudo-Rechten user: - name: "{{ username }}" - password: "{{ user_password | password_hash('sha512') }}" # Das Passwort wird mit SHA-512 gehasht + name: "{{ user_name }}" + password: "{{ lookup('pipe', 'op read \"op://' + op_password_path + '\"') | password_hash('sha512') }}" state: present shell: /bin/bash - groups: wheel # Gibt Sudo-Rechte + groups: wheel append: yes - name: Erstelle den SSH-Ordner für den neuen User file: - path: "/home/{{ username }}/.ssh" + path: "/home/{{ user_name }}/.ssh" state: directory mode: '0700' - owner: "{{ username }}" - group: "{{ username }}" + owner: "{{ user_name }}" + group: "{{ user_name }}" - name: Setze die Berechtigungen für die authorized_keys-Datei file: - path: "/home/{{ username }}/.ssh/authorized_keys" + path: "/home/{{ user_name }}/.ssh/authorized_keys" state: touch mode: '0600' - owner: "{{ username }}" - group: "{{ username }}" + owner: "{{ user_name }}" + group: "{{ user_name }}" -- name: Add public key to enable user ssh - lineinfile: - path: "/home/{{ username }}/.ssh/authorized_keys" - line: '{{ ssh_public_key }}' - state: present +- name: Add public keys as authorized_keys + copy: + src: files/authorized_keys + dest: "/home/{{ user_name }}/.ssh/authorized_keys" -- name: Grant sudo privileges to the user +- name: Grant passwordless sudo privileges to the user lineinfile: path: /etc/sudoers - regexp: "^{{ username }} " - line: "{{ username }} ALL=(ALL) ALL" + regexp: "^{{ user_name }} " + line: "{{ user_name }} ALL=(ALL) NOPASSWD: ALL" validate: visudo -cf %s +- name: Ensure Docker group exists + ansible.builtin.group: + name: docker + state: present + +- name: Add user to Docker group + ansible.builtin.user: + name: "{{ user_name }}" + groups: docker + append: yes + +- name: Enable and start Docker service + ansible.builtin.service: + name: docker + state: started + enabled: yes + - name: Entferne den Root-SSH-Zugang lineinfile: path: /etc/ssh/sshd_config 
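Review bot: The sudoers line becomes `{{ user_name }} ALL=(ALL) NOPASSWD: ALL` and the same user is added to the `docker` group a few tasks later, so either of the two SSH keys in files/authorized_keys is now root-equivalent with no second step; if passwordless sudo is needed for automation, scope it to the specific commands and write it to `/etc/sudoers.d/{{ user_name }}` with `mode: '0440'` (keeping `validate: visudo -cf %s`) rather than editing /etc/sudoers in place. The new `password:` expression re-hashes with a fresh random salt on every run, so the user task reports changed each play; add `update_password: on_create` to the user task, or pass a stable salt to `password_hash`. The `copy` of authorized_keys sets no `owner`, `group` or `mode`, so the 0600 root-free ownership relies on the preceding touch task having run — state them explicitly on the copy. The `op read` command is built by string concatenation from `op_password_path`; the value is operator-controlled, but a `"` in it would break the quoting. The final task (Entferne den Root-SSH-Zugang) continues past the end of the hunk.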
diff --git a/roles/directus/files/.env.example b/roles/directus/files/.env.example new file mode 100644 index 0000000..e8788a3 --- /dev/null +++ b/roles/directus/files/.env.example @@ -0,0 +1,24 @@ + +# database +POSTGRES_USER="database_user" # This variable needs to be specified here. +POSTGRES_PASSWORD="database_password" +POSTGRES_DB="database_name" + +# directus +SECRET="" +DB_CLIENT="pg" +DB_HOST="database" +DB_PORT="5432" +DB_DATABASE="database_name" +DB_USER="database_user" +DB_PASSWORD="database_password" +ADMIN_EMAIL="directus_login_mail" +ADMIN_PASSWORD="directus_login_password" +CACHE_ENABLED="true" +CACHE_AUTO_PURGE="true" +CACHE_STORE="redis" +REDIS="redis://cache:6379" + +# pgadmin4 +# PGADMIN_DEFAULT_EMAIL="pgadmin4_login_mail" +# PGADMIN_DEFAULT_PASSWORD="pgadmin4_login_password" \ No newline at end of file diff --git a/roles/directus/files/docker-compose.yml b/roles/directus/files/docker-compose.yml new file mode 100644 index 0000000..48f27e6 --- /dev/null +++ b/roles/directus/files/docker-compose.yml 
@@ -0,0 +1,52 @@ + +services: + database: + env_file: .env + healthcheck: + test: ["CMD", "pg_isready", "--host=localhost", "--username=${POSTGRES_USER}", "--dbname=${POSTGRES_DB}"] + interval: 10s + timeout: 5s + retries: 5 + start_interval: 5s + start_period: 30s + image: postgis/postgis:13-master + # platform: linux/amd64 # Required when running on platform other than amd64, like Apple M1/M2: + volumes: + - db:/var/lib/postgresql/data + + # pgadmin4: + # container_name: pgadmin4 + # depends_on: + # - database + # env_file: .env + # image: docker.io/dpage/pgadmin4:8.14 + # ports: + # - 5050:80 + # restart: unless-stopped + + cache: + healthcheck: + test: ["CMD-SHELL", "[ $$(redis-cli ping) = 'PONG' ]"] + interval: 10s + timeout: 5s + retries: 5 + start_interval: 5s + start_period: 30s + image: redis:6 + + directus: + depends_on: + database: + condition: service_healthy + cache: + condition: service_healthy + env_file: .env + image: directus/directus:11.5.1 + ports: + - 8055:8055 + volumes: + - ./uploads:/directus/uploads + - ./extensions:/directus/extensions + +volumes: + db: diff --git a/roles/directus/tasks/main.yml b/roles/directus/tasks/main.yml new file mode 100644 index 0000000..cf73a63 --- /dev/null +++ b/roles/directus/tasks/main.yml 
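Review bot: None of the three services declares a `restart` policy, so after a host reboot or a dockerd restart (which the docker role in this commit performs) the stack stays down until compose is run again; add `restart: unless-stopped` to `database`, `cache` and `directus`, as the commented-out pgadmin block already does. `ports: - 8055:8055` publishes Directus on every interface; if a reverse proxy on the host fronts it, bind to loopback with `- "127.0.0.1:8055:8055"` (quoted, per yamllint). `postgis/postgis:13-master` is a floating tag while `directus/directus:11.5.1` is pinned — pin the database image too so a pull cannot silently change the Postgres build under the persistent `db` volume.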
@@ -0,0 +1,32 @@ +--- +- name: Ensure project base directory exists + file: + path: "/opt/{{ domain }}" + state: directory + owner: "{{ user_name }}" + group: "{{ user_name }}" + mode: '0755' + +- name: Ensure Directus project directory exists + file: + path: "/opt/{{ domain }}/directus" + state: directory + owner: "{{ user_name }}" + group: "{{ user_name }}" + mode: '0755' + +- name: Copy docker compose file (directus) + copy: + src: "files/docker-compose.yml" + dest: "/opt/{{ domain }}/directus" + +- name: Copy env file (directus) + copy: + src: "files/.env" + dest: "/opt/{{ domain }}/directus" + +- name: Start docker container with compose file + community.docker.docker_compose_v2: + project_src: "/opt/{{ domain }}/directus" + files: + - "docker-compose.yml" diff --git a/roles/dnf_tools/tasks/main.yml b/roles/dnf_tools/tasks/main.yml new file mode 100644 index 0000000..797b557 --- /dev/null +++ b/roles/dnf_tools/tasks/main.yml @@ -0,0 +1,5 @@ +--- +- name: Install DNF tools + dnf: + name: "{{ dnf_text_editor }}" + state: present \ No newline at end of file diff --git a/roles/docker/files/daemon.json b/roles/docker/files/daemon.json new file mode 100644 index 0000000..edb637f --- /dev/null +++ b/roles/docker/files/daemon.json @@ -0,0 +1,3 @@ +{ + "iptables": false +} \ No newline at end of file diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml new file mode 100644 index 0000000..a45aeb0 --- /dev/null +++ b/roles/docker/tasks/main.yml 
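Review bot: `Copy env file (directus)` writes `files/.env` — which per `.env.example` holds the database password, the Directus `SECRET` and the admin password — with no `mode`, `owner` or `group`, so it typically lands as 0644 inside a `0755` directory and is readable by every local account; add `owner: "{{ user_name }}"`, `group: "{{ user_name }}"` and `mode: '0600'` to that task. `files/.env` is also covered by the `.env` line this commit adds to .gitignore, so a fresh checkout has no such file and the task fails; say so next to the task, e.g. `# files/.env is untracked — create it from files/.env.example before running this role`. The compose task has no `state:`; `state: present` is the default, but stating it makes the intent explicit.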
@@ -0,0 +1,57 @@ +--- +- name: Remove old versions of Docker and conflicting packages + dnf: + name: + - docker + - docker-client + - docker-client-latest + - docker-common + - docker-latest + - docker-latest-logrotate + - docker-logrotate + - docker-engine + - podman + - runc + state: absent + +- name: Install DNF plugins + dnf: + name: dnf-plugins-core + state: present + +- name: Add Docker repository (RHEL official repo) + command: dnf config-manager --add-repo https://download.docker.com/linux/rhel/docker-ce.repo + args: + creates: /etc/yum.repos.d/docker-ce.repo + +- name: Update package cache + command: dnf makecache + +- name: Install Docker CE, CLI and other components + dnf: + name: + - docker-ce + - docker-ce-cli + - containerd.io + - docker-buildx-plugin + - docker-compose-plugin + state: present + +- name: Enable and start Docker service + systemd: + name: docker + state: started + enabled: yes + +- name: Disable iptables + copy: + src: files/daemon.json + dest: /etc/docker/daemon.json + +- name: Restart firewalld + command: firewall-cmd --reload + +- name: Restart Docker service + systemd: + name: docker + state: restarted diff --git a/roles/firewalld/tasks/main.yml b/roles/firewalld/tasks/main.yml new file mode 100644 index 0000000..a2d17a3 --- /dev/null +++ b/roles/firewalld/tasks/main.yml @@ -0,0 +1,18 @@ +--- +- name: Install + package: + name: firewalld + state: present + +- name: Start and activate + service: + name: firewalld + state: started + enabled: yes + +- name: Block all ports + firewalld: + zone: public + service: ssh + permanent: yes + state: enabled \ No newline at end of file diff --git a/roles/setup_server/defaults/main.yml b/roles/setup_server/defaults/main.yml deleted file mode 100644 index c2e6879..0000000 --- a/roles/setup_server/defaults/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -# roles/setup_server/defaults/main.yml - -username: jan 
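Review bot: `Restart Docker service` (`state: restarted`) runs unconditionally after the daemon.json copy, so dockerd is restarted on every play even when nothing changed; make the copy `notify` a `restart docker` handler instead, and the unconditional `dnf makecache` and `firewall-cmd --reload` commands should at least carry `changed_when: false`. Shipping `"iptables": false` in daemon.json means Docker no longer installs its own NAT/MASQUERADE and DNAT rules, so container egress and the `ports:` mappings in the directus compose file depend on the host firewall providing them — nothing in this diff does, so either document where that masquerading comes from or drop the setting. The task named `Restart firewalld` actually reloads it; rename it to `Reload firewalld`. `enabled: yes` should be `enabled: true`.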
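Review bot: `Block all ports` does not block anything: it only adds the `ssh` service to the public zone, and with `permanent: yes` alone only the on-disk configuration is touched, so the running firewall is unchanged until something later reloads it (in this commit, the docker role's `firewall-cmd --reload`). Add `immediate: true` so the rule applies at once, and if the intent really is ssh-only, disable the other services the default public zone typically ships with (e.g. `cockpit`, `dhcpv6-client`) via `state: disabled`; otherwise rename the task to what it does, e.g. `Allow ssh in the public zone`. `permanent: yes` and `enabled: yes` should be `true`.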
diff --git a/roles/setup_server/handlers/main.yml b/roles/setup_server/handlers/main.yml deleted file mode 100644 index d1fe11d..0000000 --- a/roles/setup_server/handlers/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# roles/setup_server/handlers/main.yml - -- name: restart sshd - service: - name: sshd - state: restarted diff --git a/roles/setup_server/tasks/main.yml b/roles/setup_server/tasks/main.yml deleted file mode 100644 index 2517f66..0000000 --- a/roles/setup_server/tasks/main.yml +++ /dev/null 
@@ -1,109 +0,0 @@ ---- -# roles/setup_server/tasks/main.yml - -- name: Erstelle einen neuen User mit Sudo-Rechten - user: - name: "{{ username }}" - password: "{{ user_password | password_hash('sha512') }}" # Das Passwort wird mit SHA-512 gehasht - state: present - shell: /bin/bash - groups: wheel # Gibt Sudo-Rechte - append: yes - -- name: Erstelle den SSH-Ordner für den neuen User - file: - path: "/home/{{ username }}/.ssh" - state: directory - mode: '0700' - owner: "{{ username }}" - group: "{{ username }}" - -- name: Setze die Berechtigungen für die authorized_keys-Datei - file: - path: "/home/{{ username }}/.ssh/authorized_keys" - state: touch - mode: '0600' - owner: "{{ username }}" - group: "{{ username }}" - -- name: Entferne den Root-SSH-Zugang - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^PermitRootLogin' - line: 'PermitRootLogin no' - state: present - notify: - - restart sshd - -- name: Installiere firewalld - package: - name: firewalld - state: present - -- name: Starte und aktiviere firewalld - service: - name: firewalld - state: started - enabled: yes - -- name: Sperre alle Ports in firewalld - firewalld: - zone: public - service: ssh - permanent: yes - state: enabled - -# roles/setup_server/tasks/main.yml - -- name: Entferne alte Docker-Versionen, falls vorhanden - dnf: - name: - - docker - - docker-client - - docker-client-latest - - docker-common - - docker-latest - - docker-latest-logrotate - - docker-logrotate - - docker-engine - - podman - - runc - state: absent - -- name: Installiere DNF-Plugins und Docker-Repository - dnf: - name: dnf-plugins-core - state: present - -- name: Installiere Docker CE, CLI und andere Docker-Komponenten - dnf: - name: - - docker-ce - - docker-ce-cli - - containerd.io - - docker-buildx-plugin - - docker-compose-plugin - state: present - -- name: Aktiviere und starte Docker - service: - name: docker - state: started - enabled: yes - -- name: Füge den neuen User zur Docker-Gruppe hinzu - user: - name: "{{ 
username }}" - groups: docker - append: yes - -- name: Starte den Docker-Dienst neu, um Änderungen zu übernehmen - systemd: - name: docker - state: restarted - -- name: Deaktiviere Docker-Zone in firewalld - firewalld: - zone: docker - state: disabled - permanent: yes \ No newline at end of file