kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-04-28 18:30:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: kevinveenbirkenbach:26abfd441ac333e35e01eda0254ad9bebc7147f2
Branches Tags
kevinveenbirkenbach:master
..
compare: kevinveenbirkenbach:2a33c6a6dcb96020cafcae695b01bebea3c6c099
Branches Tags
kevinveenbirkenbach:master

No commits in common. "26abfd441ac333e35e01eda0254ad9bebc7147f2" and "2a33c6a6dcb96020cafcae695b01bebea3c6c099" have entirely different histories.
26abfd441a ... 2a33c6a6dc

70 changed files with 319 additions and 1383 deletions
Show Stats Expand all files Collapse all files

0
docs/ARCHITECTURE.md
View File

0
docs/CHANGELOG.md
View File

1
docs/COMMON_APPLICATIONS.md
View File

@ -37,6 +37,7 @@ Caters to a range of devices and needs for hardware driver installation and conf
Enhances system security with roles focused on security measures, user configurations, and SSH settings. It's vital for protecting both server environments and end-user systems.
- **[System Security](./roles/system-security/)**: Enhances overall system security.
- **[User Administrator](./roles/user-administrator/)**: Setup for system administrator user.
- **[User Alarm](./roles/user-alarm/)**: Manages the alarm user.
- **[PC SSH](./roles/pc-ssh/)**: Configuration of SSH for secure remote access.
- **[SSHD](./roles/sshd/)**: Configures SSH daemon settings.
- **[System Maintenance Lock](./roles/system-maintenance-lock)**: Locks maintenance services to prevent dangerous inteactions between services

0
docs/CONTRIBUTING.md
View File

0
docs/FAQ.md
View File

0
docs/INSTALLATION.md
View File

0
docs/SECURITY.md
View File

0
docs/USAGE.md
View File

0
docs/VISION.md → docs/VISION_STATEMENT.md
View File

28
roles/backup-data-to-usb/README.md
View File

@ -1,25 +1,17 @@
# Automated USB Backup
# backup-data-to-usb
## Description
This Ansible role automates data backups to a swappable USB device. It triggers the backup process automatically when the USB is mounted, allowing for customizable source and destination paths and integrating with systemd for reliable execution.
## Overview
Optimized for Archlinux, this role ensures that backups are performed consistently with minimal manual intervention. It leverages efficient synchronization methods and provides a seamless integration with systemd to manage the backup service.
## Purpose
The primary purpose of this role is to simplify the backup process for systems that rely on removable USB devices. It is designed to reduce the risk of data loss by automating backups, ensuring that data is safely and consistently synchronized whenever the device is connected.
This Ansible role automates the process of performing backups to a swappable USB device.
## Features
- **Automatic Trigger:** Initiates the backup process immediately upon USB mount.
- **Customizable Paths:** Easily configure the source directory and backup destination.
- **Systemd Integration:** Manages the backup process via a dedicated systemd service.
- **Efficient Synchronization:** Utilizes rsync with incremental backup strategies for optimal performance.
- **Optimized for Archlinux:** Tailored for Archlinux systems using the rolling release model.
- Automatically starts the backup process when mounted to a specific destination.
- Supports customization of the backup source path and destination.
- Provides a systemd service to run the backup script.
## Author
This role was created and is maintained by Kevin Veen-Birkenbach.
## Credits
Developed and maintained by **Kevin Veen-Birkenbach**. Special thanks to [OpenAI ChatGPT](https://chat.openai.com/share/a75ca771-d8a4-4b75-9912-c515ba371ae4) for its assistance in developing this role.
This software was created with the assistance of [OpenAI ChatGPT](https://chat.openai.com/share/a75ca771-d8a4-4b75-9912-c515ba371ae4).

23
roles/backup-data-to-usb/meta/main.yml
View File

@ -1,27 +1,4 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Automated backups to a swappable USB device."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Archlinux
versions:
- rolling
galaxy_tags:
- backup
- usb
- systemd
- automation
- archlinux
repository: https://s.veen.world/cymais
issue_tracker_url: https://s.veen.world/cymaisissues
documentation: https://s.veen.world/cymais
dependencies:
- role: cleanup-backups-service
- role: system-maintenance-lock

20
roles/backup-directory-validator/README.md
View File

@ -1,20 +0,0 @@
# Backup Directory Validator
## Description
This Ansible role pulls the [directory-validator](https://github.com/kevinveenbirkenbach/directory-validator.git) repository to a predefined location. It is used by the backup-docker-to-local and cleanup-failed-docker-backups roles to verify whether backups have been successfully created.
## Overview
The role retrieves the latest version of the directory-validator from its Git repository and installs it into the designated folder (configured via the `backup_directory_validator_folder` variable). A fact is set to ensure that the repository is pulled only once per playbook run.
## Purpose
The primary purpose of this role is to validate backup directories. By fetching the directory-validator tool, it enables dependent roles to assess the integrity and success of backup operations.
## Features
- **Git Repository Pull:** Automatically pulls the latest version of the directory-validator from Git.
- **Idempotent Execution:** Ensures that the repository is fetched only once per playbook run.
- **Backup Verification:** Serves as a validation step for other backup-related roles.
- **Configurable Destination:** The target folder is customizable via the `backup_directory_validator_folder` variable.

26
roles/backup-directory-validator/meta/main.yml
View File

@ -1,26 +0,0 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Setup the directory validator to validate backup directories"
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Linux
versions:
- all
galaxy_tags:
- backup
- validator
- directory
- git
- automation
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies: []

26
roles/backup-docker-to-local/README.md
View File

@ -1,26 +0,0 @@
# Backup Docker to Local
## Description
This Ansible role automates the process of backing up Docker volumes to a local folder. It pulls the [backup-docker-to-local repository](https://github.com/kevinveenbirkenbach/backup-docker-to-local.git), installs required software, configures systemd services for both standard and "everything" backup modes, and seeds backup database entries as needed.
## Overview
Optimized for Archlinux, this role ensures that Docker volume backups are performed reliably with minimal manual intervention. It integrates with several dependent roles to verify backup success and manage related tasks, including:
- [backup-directory-validator](../backup-directory-validator/) Validates backup directories.
- [cleanup-failed-docker-backups](../cleanup-failed-docker-backups/) Cleans up unsuccessful backup attempts.
- [systemd-timer](../systemd-timer/) Schedules recurring backup tasks.
- [backups-provider](../backups-provider/) Manages backup sources.
- [system-maintenance-lock](../system-maintenance-lock/) Ensures coordinated maintenance operations.
## Purpose
Backup Docker Volumes to Local is a comprehensive solution that leverages rsync to create incremental backups of Docker volumes, providing seamless recovery for both file and database data. Ideal for ensuring the integrity and security of your container data, this role sets up the necessary environment to safeguard your Docker volumes.
## Features
- **Required Software Installation:** Installs necessary packages (e.g., lsof, python-pandas) via pacman.
- **Git Repository Pull:** Automatically pulls the latest version of the [backup-docker-to-local repository](https://github.com/kevinveenbirkenbach/backup-docker-to-local.git).
- **Systemd Service Configuration:** Deploys and reloads two systemd service templates to manage backup tasks.
- **Database Seeding:** Includes tasks to seed and manage a backup database (`databases.csv`) for tracking backup details.
- **Dependency Integration:** Works in conjunction with the dependent roles listed above to verify and manage backups.

24
roles/backup-docker-to-local/meta/main.yml
View File

@ -1,27 +1,3 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Automates the backup of Docker volumes to a local folder"
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Archlinux
versions:
- rolling
galaxy_tags:
- backup
- docker
- local
- systemd
- automation
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies:
- git
- backups-provider

25
roles/backup-remote-to-local/Administration.md
View File

@ -1,25 +0,0 @@
# Administration Tasks
## Debug Instructions
### Live Monitoring
To track what the service is doing, execute one of the following commands:
#### Using systemctl
```bash
watch -n2 "systemctl status backup-remote-to-local.cymais.service"
```
#### Using journalctl
```bash
journalctl -fu backup-remote-to-local.cymais.service
```
### Viewing History
```bash
sudo journalctl -u backup-remote-to-local.cymais.service
```

49
roles/backup-remote-to-local/README.md
View File

@ -1,31 +1,34 @@
# Backup Remote to Local
# role backup-remote-to-local
## Description
## goal
This script allows to pull backups from a remote server.
This role pulls backups from a remote server and stores them locally using rsync with retry logic. It is designed to retrieve remote backup data and integrate with your overall backup scheme.
## scheme
It is part of the following scheme:
![backup scheme](https://www.veen.world/wp-content/uploads/2020/12/server-backup-768x567.jpg) <br />
Further information you will find [in this blog post](https://www.veen.world/2020/12/26/how-i-backup-dedicated-root-servers/).
## Overview
## debug
Optimized for Archlinux, this role is a key component of a comprehensive backup system. It works in conjunction with other roles to ensure that backup data is collected, verified, and maintained. The role uses a Bash script to pull backups, manage remote connections, and handle incremental backup creation.
### live
To track what the service is doing execute one of the following commands:
## Purpose
#### systemctl
```bash
watch -n2 "systemctl status backup-remote-to-local.cymais.service"
```
Backup Remote to Local is a robust solution for retrieving backup data from remote servers. By leveraging rsync, it creates incremental backups that support both file and database recovery. This ensures the integrity and security of your backup data across distributed environments.
#### journalctl
```bash
journalctl -fu backup-remote-to-local.cymais.service
```
## Features
### history
```bash
sudo journalctl -u backup-remote-to-local
```
- **Remote Backup Retrieval:** Pulls backups from a remote server using secure SSH connections.
- **Incremental Backup with rsync:** Uses rsync with options for archive, backup, and hard linking to efficiently manage changes.
- **Retry Logic:** Implements a retry mechanism to handle transient network issues or remote errors.
- **Integration with Other Roles:** Works alongside roles like backup-directory-validator, cleanup-failed-docker-backups, systemd-timer, backups-provider, and system-maintenance-lock.
- **Administrative Debugging:** Detailed debug instructions and administrative tasks are provided in a separate file.
## Further Information
- **Backup Scheme:**
![backup scheme](https://www.veen.world/wp-content/uploads/2020/12/server-backup-768x567.jpg)
More details can be found in [this blog post](https://www.veen.world/2020/12/26/how-i-backup-dedicated-root-servers/).
## Administration & Debugging
For detailed debug instructions and administrative tasks, please refer to the [Administration Tasks](Administration.md) file.
## see
- https://superuser.com/questions/363444/how-do-i-get-the-output-and-exit-value-of-a-subshell-when-using-bash-e
- https://gist.github.com/otkrsk/b0ffd4018e8a79b9010c461af298471e
- https://serverfault.com/questions/304125/rsync-seems-incompatible-with-bashrc-causes-is-your-shell-clean

26
roles/backup-remote-to-local/meta/main.yml
View File

@ -1,29 +1,3 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Pulls backups from a remote server and stores them locally using rsync with retry logic. This role is part of a comprehensive backup scheme and works in conjunction with other roles to ensure reliable backup operations."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Archlinux
versions:
- rolling
galaxy_tags:
- backup
- remote
- local
- docker
- systemd
- automation
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies:
- git
- systemd-notifier

39
roles/backups-provider-user/README.md
View File

@ -1,29 +1,14 @@
# Backups Provider User
# role backups-provider-user
User for backups
## Description
## todo
- optimize authorized_keys.j2 for multiple pull clients
This role sets up a dedicated backup user (`backup`) for performing secure backup operations. It creates the user, configures a restricted SSH environment with a custom `authorized_keys` template and an SSH wrapper script, and grants necessary sudo rights for executing rsync. This configuration helps ensure controlled and secure access specifically for backup processes.
## Overview
The role is a critical component in a secure backup scheme. By isolating backup operations to a dedicated user, it minimizes the risk of unauthorized actions. The role configures the SSH environment so that only specific, allowed commands can be executed, and it sets up passwordless sudo rights for rsync, ensuring smooth and secure backup operations.
## Purpose
The purpose of this role is to enhance the security of your backup system by providing a dedicated user with strict command restrictions. This controlled environment limits the potential damage from a compromised backup account while still allowing efficient backup operations.
## Features
- **User Creation:** Creates a dedicated `backup` user with a home directory.
- **SSH Environment Setup:** Establishes a secure `.ssh` directory and deploys a restricted `authorized_keys` file via a Jinja2 template.
- **SSH Wrapper Script:** Implements a custom SSH wrapper that logs and filters incoming SSH commands, enforcing security policies.
- **Sudo Configuration:** Grants passwordless sudo rights for rsync, enabling secure and automated backup transfers.
- **Integration:** Supports seamless integration with your backup infrastructure by limiting the backup user's permissions to only the required commands.
## Further Information
For more details on how the role works and advanced configuration options, please see the related references below:
- [Ansible Playbooks Lookups](https://docs.ansible.com/ansible/latest/user_guide/playbooks_lookups.html#id3)
- [Restrict SSH to rsync](http://gergap.de/restrict-ssh-to-rsync.html)
- [SSH Command Restrictions via authorized_keys](https://www.thomas-krenn.com/de/wiki/Ausf%C3%BChrbare_SSH-Kommandos_per_authorized_keys_einschr%C3%A4nken)
- [Rsync and sudo integration](https://askubuntu.com/questions/719439/using-rsync-with-sudo-on-the-destination-machine)
# see
- https://docs.ansible.com/ansible/latest/user_guide/playbooks_lookups.html#id3
- https://stackoverflow.com/questions/34722761/ansible-read-remote-file
- http://gergap.de/restrict-ssh-to-rsync.html
- https://unix.stackexchange.com/questions/276198/allow-the-restricted-rsync-rrsync-script-for-arbitrary-directories-with-author
- https://askubuntu.com/questions/719439/using-rsync-with-sudo-on-the-destination-machine
- https://www.thomas-krenn.com/de/wiki/Ausf%C3%BChrbare_SSH-Kommandos_per_authorized_keys_einschr%C3%A4nken
- https://serverfault.com/questions/793669/what-is-the-rsync-option-logdtprze-ilsf-for/793676

24
roles/backups-provider-user/meta/main.yml
View File

@ -1,26 +1,2 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Sets up a dedicated backup user with restricted SSH commands for backup operations. This role configures a backup user with custom SSH key restrictions and sudo rights, ensuring secure and controlled access for backup processes."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Linux
versions:
- all
galaxy_tags:
- backup
- ssh
- user
- security
- automation
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies:
- sshd

22
roles/postfix/README.md
View File

@ -1,22 +0,0 @@
# Postfix
## Description
This role installs and configures [Postfix](https://en.wikipedia.org/wiki/Postfix_(software)) a mail transfer agent on the target system. It deploys a preconfigured aliases file (using a Jinja2 template) that defines mail redirections and standard aliases for local mail delivery.
## Overview
Optimized for secure and reliable mail delivery, this role:
- Installs Postfix via [pacman](https://wiki.archlinux.org/title/Pacman).
- Provides a default aliases file to route system mail appropriately.
- Configures essential Postfix parameters via a templated main configuration file (if needed).
## Purpose
The primary purpose of this role is to set up a robust mail transfer agent configuration for local mail delivery. It ensures that system-generated mail (such as error messages) is delivered to the correct administrative address.
## Features
- **Postfix Installation:** Ensures the [Postfix](https://en.wikipedia.org/wiki/Postfix_(software)) package is installed.
- **Aliases Configuration:** Deploys a default aliases file to direct system mail.
- **System Integration:** Works in conjunction with the administrator user role for secure mail routing.

24
roles/postfix/meta/main.yml
View File

@ -1,26 +1,2 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Installs and configures Postfix to provide a robust mail transfer agent setup with a preconfigured aliases file for local mail delivery."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Archlinux
versions:
- rolling
galaxy_tags:
- postfix
- mail
- aliases
- configuration
- security
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies:
- user-administrator

20
roles/python-pip/README.md
View File

@ -1,20 +0,0 @@
# Python-Pip
## Description
This role installs the [python-pip](https://en.wikipedia.org/wiki/Pip_(package_manager)) package on the target system. It ensures that the pip package manager is available for installing Python packages.
## Overview
Optimized for simplicity and idempotency, this role:
- Installs the python-pip package using [pacman](https://wiki.archlinux.org/title/Pacman).
- Sets a flag to ensure the installation tasks run only once.
## Purpose
The primary purpose of this role is to provide a reliable installation of the Python package manager, pip, ensuring that subsequent Python package installations can proceed without issues.
## Features
- **Pip Installation:** Installs python-pip if not already present.
- **Idempotency:** Ensures tasks are executed only once.

25
roles/python-pip/meta/main.yml
View File

@ -1,25 +0,0 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Installs the python-pip package to provide the Python package manager, ensuring that Python packages can be installed reliably on the target system."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Archlinux
versions:
- rolling
galaxy_tags:
- python
- pip
- package
- installation
- automation
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies: []

51
roles/restart-docker/README.md
View File

@ -1,30 +1,47 @@
# Docker Auto Restart
## Description
This role automates the restart process for Docker Compose instances within a specified directory. It deploys a Python script that checks for the presence of docker-compose.yml files and restarts the associated services—using a hard restart for certain directories if needed.
This role was implemented to address the classic issue: ["Have you tried turning it off and on again?"](https://www.youtube.com/watch?v=rksCTVFtjM4). The problem initially arose with the `fetchmail` container in [Mailu](../roles/docker/mailu), which fails if only some containers, and not the full docker-compose composition, are restarted.
## Overview
Optimized for containerized environments, this role:
- Sets up the necessary directories and scripts for restarting Docker Compose instances.
- Configures a systemd service (and optionally a timer) to execute the restart script.
- Handles both standard restarts and hard restarts for specific containers (e.g., for Mailu).
## Purpose
The primary purpose of this role is to ensure that all Docker Compose services are restarted consistently, resolving issues that may arise from partial restarts. This helps maintain overall service stability and minimizes downtime.
This role automates the restart process for all `docker-compose` instances within a specified directory. It ensures consistent restarts of services while avoiding issues caused by partial restarts.
## Features
- Automatically detects and restarts `docker-compose` instances in the given directory.
- Uses a Python script to perform service restarts with `docker-compose restart`.
- Integrates with `systemd` for scheduled or manual execution.
- Designed for idempotency and ease of integration.
- **Automated Detection:** Scans a specified parent directory for docker-compose.yml files.
- **Service Restart:** Executes a Python script to restart Docker services via docker-compose.
- **Conditional Hard Restart:** Applies a hard restart procedure for specific directories (e.g., Mailu).
- **Systemd Integration:** Configures a systemd service and optionally a timer for scheduled restarts.
## Requirements
- `docker-compose` must be installed on the target system.
- Python 3.x is required to execute the provided script.
- This role depends on the `system-maintenance-lock` role for handling system-wide locking during restarts.
## Installation
1. Clone or include this role in your Ansible project.
2. Define the required variables in your playbook or inventory:
```yaml
path_administrator_scripts: "/path/to/administrator/scripts/"
restart_docker_folder: "/path/to/restart/volumes/"
on_calendar_restart_dockers: "daily"
```
## Usage
Include this role in your playbook:
```yaml
- hosts: all
roles:
- docker-auto-restart
```
# Context
This role was implemented to address the classic issue: ["Have you tried turning it off and on again?"](https://www.youtube.com/watch?v=rksCTVFtjM4). The problem initially arose with the `fetchmail` container in [Mailu](../roles/docker/mailu), which fails if only some containers, and not the full docker-compose composition, are restarted.
The role will:
1. Set up the necessary directories and scripts.
2. Configure a `systemd` service to restart docker-compose instances.
3. Optionally schedule restarts via a systemd timer.
## Credits
## Acknowledgments
This role was developed with the assistance of [ChatGPT](https://openai.com/chatgpt), including insights and optimizations from this [conversation](https://chatgpt.com/share/674c6870-fcc4-800f-a19e-b20621b24317). Special thanks for providing guidance on error handling, Ansible best practices, and Python integration.
---
Feel free to contribute or provide feedback via the [repository issues page](https://github.com/kevinveenbirkenbach/cymais/issues).

27
roles/restart-docker/meta/main.yml
View File

@ -1,29 +1,2 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Automates the restart of Docker Compose instances by detecting docker-compose.yml files and executing a restart script, ensuring consistent service availability."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Archlinux
versions:
- rolling
- name: Ubuntu
versions:
- all
galaxy_tags:
- docker
- restart
- update
- systemd
- automation
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies:
- system-maintenance-lock

31
roles/sshd/README.md
View File

@ -1,26 +1,11 @@
# SSHD
# role sshd
## dependencies
This role depends on that a well configured user administrator exist.
For this reason this role depends on the role user-administrator.
A wrong configuration of this role can lead to an lockout of the system which just will be reversal via chroot.
## Description
This role configures the SSH daemon ([sshd](https://man7.org/linux/man-pages/man5/sshd_config.5.html)) on the target system by deploying a templated configuration file. It ensures that secure and proper SSH settings are applied, reducing the risk of misconfiguration and potential lockout.
## Overview
Optimized for secure remote access, this role:
- Generates an SSH daemon configuration file from a Jinja2 template.
- Sets appropriate ownership and permissions on the configuration file.
- Notifies systemd to restart the SSH daemon when changes are made.
## Purpose
The primary purpose of this role is to establish a secure SSH environment by deploying a well-configured sshd_config file. This helps prevent unauthorized access and potential system lockouts, while ensuring that the SSH service runs smoothly.
## Features
- **SSH Configuration Deployment:** Creates an sshd_config file with best-practice settings.
- **Systemd Integration:** Automatically restarts the SSH service upon configuration changes.
- **Security Enhancements:** Enforces secure defaults such as disabled root login and public key authentication.
## Further Information
## PAM
- https://www.google.com/search?client=firefox-b-d&q=sshd+why+to+deactivate+pam
# see
- https://man7.org/linux/man-pages/man5/sshd_config.5.html

23
roles/sshd/meta/main.yml
View File

@ -1,25 +1,2 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Configures a secure SSH daemon environment by deploying a templated sshd_config file and restarting the SSH service as needed."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Linux
versions:
- all
galaxy_tags:
- sshd
- ssh
- security
- configuration
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies:
- user-administrator

20
roles/sudo/README.md
View File

@ -1,20 +0,0 @@
# Sudo
## Description
This role installs the [sudo](https://en.wikipedia.org/wiki/Sudo) package and deploys a default sudoers file to ensure secure and consistent privilege escalation on the target system. It uses a preconfigured sudoers file that follows best practices and includes directives to read drop-in files from `/etc/sudoers.d`.
## Overview
Optimized for security and ease of administration, this role guarantees that sudo is installed and configured according to recommended practices. The provided sudoers file includes essential comments, host/user aliases, and defaults to help prevent misconfigurations.
## Purpose
The primary purpose of this role is to ensure that the target system has a reliable sudo configuration. By installing the [sudo](https://en.wikipedia.org/wiki/Sudo) package and deploying a standard sudoers file, the role facilitates proper administrative access and minimizes potential security risks.
## Features
- **Sudo Package Installation:** Installs the [sudo](https://en.wikipedia.org/wiki/Sudo) package if it is not already present.
- **Default Sudoers Configuration:** Deploys a default sudoers file with best-practice settings.
- **Drop-in Inclusion:** Ensures that configuration files from `/etc/sudoers.d` are included.
- **Security Focus:** Provides commented guidelines to avoid common sudo misconfigurations.

24
roles/sudo/meta/main.yml
View File

@ -1,24 +0,0 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Installs and configures the sudo package with a default sudoers file to ensure secure privilege escalation and system administration."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Linux
versions:
- all
galaxy_tags:
- sudo
- security
- administration
- configuration
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies: []

25
roles/system-aur-helper/README.md
View File

@ -1,24 +1 @@
# System AUR Helper
## Description
This role ensures that the AUR helper [yay](https://wiki.archlinux.org/title/Yay) is installed on the system. It installs yay via [pacman](https://wiki.archlinux.org/title/Pacman) and creates a dedicated `aur_builder` user to facilitate building AUR packages.
## Overview
The role performs the following tasks:
- Installs the AUR helper [yay](https://wiki.archlinux.org/title/Yay) using pacman.
- Creates an `aur_builder` user with a home directory and adds the user to the wheel group.
- Grants the `aur_builder` user passwordless [sudo](https://en.wikipedia.org/wiki/Sudo) rights for running pacman.
## Purpose
The primary purpose of this role is to streamline AUR package management on Arch Linux systems by ensuring that the required AUR helper is installed and properly configured.
## Features
- **Yay Installation:** Installs the AUR helper [yay](https://wiki.archlinux.org/title/Yay) on Arch Linux.
- **User Creation:** Creates a dedicated `aur_builder` user.
- **Sudo Configuration:** Grants passwordless sudo rights to `aur_builder` for pacman.
## More Information
- https://github.com/kewlfft/ansible-aur
https://github.com/kewlfft/ansible-aur

24
roles/system-aur-helper/meta/main.yml
View File

@ -1,24 +0,0 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Installs the AUR helper yay and configures an aur_builder user with appropriate sudo privileges to facilitate AUR package management on Arch Linux systems."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Archlinux
versions:
- rolling
galaxy_tags:
- aur
- yay
- archlinux
- package-management
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies: []

38
roles/system-btrfs-auto-balancer/README.md
View File

@ -1,24 +1,30 @@
# System Btrfs Auto Balancer
# System Btrfs Auto Balancer Role 📦
## Description
This Ansible role automates the management and balancing of Btrfs file systems. It ensures that the Btrfs file system is maintained efficiently without manual intervention.
This role automates the management and balancing of Btrfs file systems. It clones the latest version of the [auto-btrfs-balancer](https://github.com/kevinveenbirkenbach/auto-btrfs-balancer.git) repository and configures a systemd service and timer to run the balancing script automatically.
## Features ✨
## Overview
- **Automatic Cloning of Repository:** Fetches the latest `auto-btrfs-balancer` repository from GitHub.
- **Systemd Service Configuration:** Creates and configures a Systemd service to automatically run the balancing script.
- **Systemd Timer Integration:** Integrates a Systemd timer to run the balancing service at regular intervals.
- **Error Notification:** Notifies via Systemd in case of errors during the balancing process.
Optimized for automated file system management, this role:
- Clones the auto-btrfs-balancer repository.
- Configures a systemd service to run the balancing script.
- Integrates a systemd timer for regular execution.
- Notifies via systemd in case of errors during the balancing process.
## Prerequisites 📋
## Purpose
- **Ansible:** This role requires Ansible to run.
- **Systemd:** Target systems must support Systemd.
- **Git:** Git must be installed to clone the repository.
The primary purpose of this role is to maintain optimal performance of Btrfs file systems by automating balancing tasks, ensuring efficient storage allocation and performance.
## Features
## Author ✍️
- **Repository Cloning:** Automatically fetches the latest auto-btrfs-balancer repository.
- **Service Configuration:** Sets up a systemd service for running the balancing script.
- **Timer Integration:** Schedules the balancing process via a systemd timer.
- **Error Notification:** Notifies on failure using systemd-notifier.
This role was created by [Kevin Veen-Birkenbach](https://www.veen.world).
- **Email:** kevin@veen.world
- **Website:** [veen.world](https://www.veen.world)
## Contact ☎️
For questions or support, you can reach Kevin Veen-Birkenbach via [email](mailto:kevin@veen.world).
## Created with AI
This README.md was created with the assistance of ChatGPT. You can view the conversation [here](https://chatgpt.com/share/dcec1b4a-c7a8-4cf8-a87a-987eb0500857).

23
roles/system-btrfs-auto-balancer/meta/main.yml
View File

@ -1,26 +1,3 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Automates the balancing of Btrfs file systems by cloning the auto-btrfs-balancer repository and configuring a systemd service and timer for regular execution."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Archlinux
versions:
- rolling
galaxy_tags:
- btrfs
- balancing
- filesystem
- automation
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies:
- git
- systemd-notifier

25
roles/system-maintenance-lock/README.md
View File

@ -1,25 +1,10 @@
# System Maintenance Lock
## Description
This role provides a locking mechanism to ensure that critical services are not interrupted during maintenance activities such as updates, backups, or patch applications. It waits for specified services to stop and prevents conflicting operations.
# Role: System-Maintenance-Lock
## Overview
The `system-maintenance-lock` role is a critical part of maintaining the integrity and performance of a system. It ensures that specific services are not interrupted or conflicted with by other system processes. This role is particularly vital during system updates, backups, or other maintenance activities where conflicting processes could cause issues.
The role performs the following:
- Blocks execution until specified services have stopped.
- Implements retry logic with a configurable timeout.
- Ensures that maintenance tasks are executed only when the system is in a safe state.
## Usage
This role is used in scenarios where system stability and integrity are paramount, such as during system upgrades, backup processes, or when applying critical patches.
## Purpose
The primary purpose of this role is to safeguard system stability during maintenance by preventing conflicts with running services. It ensures that maintenance operations proceed only when the environment is ready.
## Features
- **Service Locking:** Blocks maintenance tasks until critical services are stopped.
- **Timeout and Retry Logic:** Configurable wait times and maximum attempts.
- **Conflict Avoidance:** Prevents interference between maintenance operations and running services.
## Credits
## Created with AI
Created with ChatGPT. Conversation is [here](https://chat.openai.com/share/a886b86b-8de6-4eca-9fba-e36c9f20d536) available.

24
roles/system-maintenance-lock/meta/main.yml
View File

@ -1,24 +0,0 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Ensures system integrity during maintenance activities by blocking execution until critical services have stopped, using a locking mechanism with timeout and retry logic."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Linux
versions:
- all
galaxy_tags:
- maintenance
- lock
- system
- administration
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies: []

21
roles/system-security/README.md
View File

@ -1,21 +0,0 @@
# System Security
## Description
This role configures security-related settings on the target system to ensure that essential security services are properly managed. It reinforces system security by integrating with related roles and enforcing best practices.
## Overview
The role focuses on:
- Configuring key security services such as [SSH](https://en.wikipedia.org/wiki/Secure_Shell).
- Integrating with other security roles to maintain a robust system security posture.
- Ensuring that security configurations are applied consistently across the system.
## Purpose
The primary purpose of this role is to enhance overall system security by managing and configuring essential security services and settings.
## Features
- **Security Configuration:** Applies recommended security settings for core services.
- **Integration:** Works alongside related roles such as [sshd](https://en.wikipedia.org/wiki/SSH_daemon) to provide comprehensive security management.

23
roles/system-security/meta/main.yml
View File

@ -1,24 +1,3 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Configures security-related settings on the target system and ensures essential security services are properly managed."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Linux
versions:
- all
galaxy_tags:
- security
- ssh
- system
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies:
- user-alarm
- sshd

30
roles/system-storage-optimizer/README.md
View File

@ -1,29 +1,23 @@
# System Storage Optimizer Role
## Description
This role optimizes storage allocation for Docker volumes by migrating volumes between SSD (rapid storage) and HDD (mass storage) based on container image types. It creates symbolic links to maintain consistent storage paths after migration.
## Overview
The role performs the following tasks:
- Migrates Docker volumes with database workloads to rapid storage (SSD) for improved performance.
- Moves non-database Docker volumes to mass storage (HDD) to optimize storage usage.
- Manages container stopping and restarting during the migration process.
- Creates symbolic links to preserve consistent file paths.
## Purpose
The primary purpose of this role is to enhance system performance by ensuring that Docker volumes are stored on the most appropriate storage medium, optimizing both speed and capacity.
The `system-storage-optimizer` role is designed for managing and optimizing storage allocation of Docker volumes. It automates the process of moving Docker volumes between SSD (rapid storage) and HDD (mass storage) based on the container image types, enhancing performance and efficiency.
## Features
- **Dynamic Volume Migration:** Moves Docker volumes based on container image types.
- **Symbolic Link Creation:** Maintains consistent access paths after migration.
- **Container Management:** Safely stops and starts containers during volume migration.
- **Performance Optimization:** Improves overall system performance by leveraging appropriate storage media.
- Dynamically moves Docker volumes based on container image types.
- Utilizes SSDs for database-related volumes for faster access.
- Moves non-database volumes to HDDs for efficient mass storage.
- Handles container stopping and starting during the optimization process.
- Creates symbolic links to maintain consistent paths.
## Credits
## Usage
To deploy this role, include it in your Ansible playbook and define the necessary paths for SSD and HDD storage.
## Additional Information
For detailed context and the development history of this role, refer to [this conversation](https://chat.openai.com/share/40fef8a6-5e9b-4b5e-8e68-7f2fd9abf5cc).

24
roles/system-storage-optimizer/meta/main.yml
View File

@ -1,24 +0,0 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Optimizes storage allocation for Docker volumes by migrating volumes between SSD and HDD based on container image types, and creates symbolic links to maintain consistent paths."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Linux
versions:
- all
galaxy_tags:
- storage
- docker
- optimization
- performance
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies: []

22
roles/system-swapfile/README.md
View File

@ -1,22 +0,0 @@
# System Swapfile Role
## Description
This role automates the creation of a swapfile on the target system by cloning a swapfile creation script from a Git repository and executing it with the specified swapfile size.
## Overview
The role performs the following tasks:
- Clones the swapfile creation script from the Git repository.
- Executes the script with the provided swapfile size to create a swapfile.
- Helps ensure that the system has adequate swap space for improved performance and stability.
## Purpose
The primary purpose of this role is to automate the process of swapfile creation, ensuring that the system has sufficient swap space to handle memory-intensive tasks and maintain overall performance.
## Features
- **Script Cloning:** Retrieves the latest swapfile creation script from a Git repository.
- **Swapfile Creation:** Executes the script to create a swapfile of a specified size.
- **Performance Enhancement:** Ensures adequate swap space for optimal system performance.

25
roles/system-swapfile/meta/main.yml
View File

@ -1,25 +1,2 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Automates the creation of a swapfile on the target system by cloning and executing a swapfile creation script, ensuring adequate swap space for improved system performance."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Linux
versions:
- all
galaxy_tags:
- swapfile
- system
- performance
- automation
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies:
- git
- pc-git

48
roles/systemd-notifier-email/README.md
View File

@ -1,24 +1,40 @@
# Automated Email Alerts for Service Failures
# systemd-notifier-email Ansible Role
Author: Kevin Veen-Birkenbach (kevin@veen.world)
## Description
This role installs and configures the necessary components for sending email notifications via systemd when a service fails. It sets up the `systemd-notifier-email` service and configures email parameters and templates using msmtp.
This Ansible role installs the necessary components for sending email notifications through systemd when any service fails. It configures the `systemd-notifier-email` service and handles the setup of email parameters and templates.
## Overview
Features include:
Optimized for secure and reliable service failure notifications, this role is an integral part of the overall `systemd-notifier` suite. It ensures that, upon failure of a critical service, an email alert is sent automatically to enable prompt troubleshooting.
- Installation and configuration of an email sending service.
- Customizable email templates for service failure notifications.
## Purpose
The primary purpose of this role is to provide a comprehensive solution for automated email notifications in a systemd environment. By integrating with msmtp and customizable templates, it delivers clear and timely alerts about service failures, thereby enhancing system reliability.
## Features
- **Service Installation & Configuration:** Installs msmtp and configures the email sending service.
- **Customizable Templates:** Supports tailoring email templates for service failure notifications.
- **Secure Notifications:** Integrates with systemd to trigger email alerts when services fail.
- **Suite Integration:** Part of the `systemd-notifier` suite, offering a unified approach to service failure notifications.
## Further Information
This role is part of the `systemd-notifier` suite, which provides a comprehensive solution for service failure notifications in a systemd environment.
This role was created as part of a conversation with OpenAI's ChatGPT and can be found [here](https://chat.openai.com/share/96e4ca12-0888-41c0-9cfc-29c0180f0dba).
## Requirements
This role has the following requirements:
- Access to an SMTP server for sending email notifications.
- Availability of the `msmtp` package on the target system.
## Role Variables
The following variables can be customized in the role's `vars/main.yml` file:
- `systemd_notifier_email_folder`: The path to the folder where email-related scripts and configurations will be stored.
## Usage
To use this role, include it as a dependency in your playbook or role that requires email notifications. Ensure that the `systemd-notifier-email` role is correctly referenced and configured.
## Contact Information
For any questions or feedback, please contact the author:
Author: Kevin Veen-Birkenbach
Email: kevin@veen.world

25
roles/systemd-notifier-email/meta/main.yml
View File

@ -1,25 +0,0 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Installs and configures components for sending email notifications through systemd using msmtp. This role is part of the systemd-notifier suite, providing automated alerts when services fail."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Archlinux
versions:
- rolling
galaxy_tags:
- email
- systemd
- notifications
- automation
- msmtp
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies: []

41
roles/systemd-notifier-telegram/README.md
View File

@ -1,24 +1,37 @@
# Automated Telegram Alerts for Service Failures
## Description
This role installs and configures the necessary components for sending notifications via systemd when a service fails. It sets up the `systemd-notifier-telegram` service and configures parameters and customizable templates for sending messages through [Telegram](https://telegram.org).
This Ansible role installs the necessary components for sending Telegram notifications through systemd when any service fails. It configures the `systemd-notifier-telegram` service and handles the setup of Telegram bot parameters and notification templates.
## Overview
Features include:
Optimized for real-time alerts, this role is a key component of the overall [`systemd-notifier` suite](../). It ensures that, upon failure of a critical service, a Telegram message is automatically sent to notify administrators and enable prompt troubleshooting.
- Installation and configuration of a Telegram notifier service.
- Customizable templates for Telegram messages sent on service failure.
## Purpose
This role is part of the `systemd-notifier` suite, which provides a comprehensive solution for service failure notifications in a systemd environment.
The primary purpose of this role is to provide a robust solution for automated Telegram notifications in a systemd environment. By integrating with Telegrams Bot API and using customizable message templates, it delivers clear and timely alerts about service failures, thereby enhancing system observability and reliability.
## Requirements
## Features
This role has the following requirements:
- **Service Installation & Configuration:** Installs and configures necessary components (including the `curl` package).
- **Customizable Templates:** Supports tailored Telegram message templates for service failure notifications.
- **Secure Notifications:** Leverages systemd to trigger alerts automatically when services fail.
- **Suite Integration:** Part of the [`systemd-notifier` suite](../) which includes related roles such as [systemd-notifier-email](../systemd-notifier-email/README.md) and others.
- Access to a Telegram bot token for sending messages.
- Availability of the `curl` package on the target system.
## Further Information
## Role Variables
This role was developed as part of a conversation with OpenAI's ChatGPT and can be found [here](https://chat.openai.com/share/96e4ca12-0888-41c0-9cfc-29c0180f0dba).
The following variables can be customized in the role's `vars/main.yml` file:
- `systemd_telegram_folder`: The path to the folder where Telegram-related scripts and configurations will be stored.
- `systemd_telegram_script`: The full path to the systemd-telegram.sh script.
This role was created as part of a conversation with OpenAI's ChatGPT and can be found [here](https://chat.openai.com/share/96e4ca12-0888-41c0-9cfc-29c0180f0dba).
## Usage
To use this role, include it as a dependency in your playbook or role that requires Telegram notifications. Ensure that the `systemd-notifier-telegram` role is correctly referenced and configured.
## Contact Information
For any questions or feedback, please contact the author:
Author: Kevin Veen-Birkenbach
Email: kevin@veen.world

25
roles/systemd-notifier-telegram/meta/main.yml
View File

@ -1,25 +0,0 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Installs and configures components for sending Telegram notifications through systemd. This role is part of the systemd-notifier suite, providing automated alerts when services fail."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Archlinux
versions:
- rolling
galaxy_tags:
- telegram
- systemd
- notifications
- automation
- curl
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies: []

33
roles/systemd-notifier/README.md
View File

@ -1,20 +1,33 @@
# Unified Service Failure Notifier
# systemd-notifier Ansible Role
Author: Kevin Veen-Birkenbach (kevin@veen.world)
## Description
This role installs a systemd service that sends notifications via both [systemd-notifier-telegram](../systemd-notifier-telegram/README.md) and [systemd-notifier-email](../systemd-notifier-email/README.md) when any service fails.
This Ansible role installs a systemd service that sends notifications via both `systemd-notifier-telegram` and `systemd-notifier-email` when any service fails.
## Overview
Features include:
Optimized for prompt and comprehensive failure alerts, this role configures a unified notification service. It leverages the capabilities of both Telegram and Email notifications to ensure that administrators are quickly informed about service issues, enabling rapid troubleshooting.
- Configuration of a systemd service for notification.
- Dependency management for the `systemd-notifier-telegram` and `systemd-notifier-email` roles.
## Purpose
This role was created as part of a conversation with OpenAI's ChatGPT and can be found [here](https://chat.openai.com/share/96e4ca12-0888-41c0-9cfc-29c0180f0dba).
The primary purpose of this role is to provide a centralized mechanism for service failure notifications. By integrating with both the Telegram and Email notifier roles, it delivers reliable alerts through multiple channels, enhancing overall system observability and responsiveness.
## Role Dependencies
This role has the following dependencies:
- `systemd-notifier-telegram`
- `systemd-notifier-email`
## Features
- **Unified Notification Service:** Installs a systemd service that triggers both Telegram and Email alerts.
- **Dependency Integration:** Works seamlessly with the [systemd-notifier-telegram](../systemd-notifier-telegram/README.md) and [systemd-notifier-email](../systemd-notifier-email/README.md) roles.
- **Automated Service Management:** Automatically restarts the notifier service upon configuration changes.
- **Centralized Alerting:** Provides a unified approach to monitor and notify about service failures.
- Installs a systemd service for sending notifications.
- Integrates with both Telegram and Email for notification delivery.
## Contact Information
For any questions or feedback, please contact the author:
Author: Kevin Veen-Birkenbach
Email: kevin@veen.world

23
roles/systemd-notifier/meta/main.yml
View File

@ -1,27 +1,4 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Installs a unified systemd notification service that sends alerts via both Telegram and Email when a service fails."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Archlinux
versions:
- rolling
galaxy_tags:
- systemd
- notifier
- telegram
- email
- notifications
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies:
- role: systemd-notifier-telegram
- role: systemd-notifier-email

23
roles/systemd-timer/README.md
View File

@ -1,23 +0,0 @@
# Systemd Timer
## Description
This role configures a systemd timer to periodically start a corresponding service. It uses a Jinja2 template to create a timer unit file that specifies the scheduling parameters (such as OnCalendar and RandomizedDelaySec) and then restarts the timer service accordingly.
## Overview
Optimized for automated task scheduling in a [systemd](https://en.wikipedia.org/wiki/Systemd) environment, this role:
- Generates a timer unit file for a given service (using the `service_name` variable).
- Reloads and restarts the timer using systemd to ensure that changes take effect.
- Supports dynamic configuration of scheduling parameters via variables like `on_calendar` and `randomized_delay_sec`.
## Purpose
The primary purpose of this role is to provide a reusable mechanism for scheduling recurring tasks on a system. By creating and managing a systemd timer unit, the role ensures that specified services are automatically started at defined intervals, enhancing system automation and reliability.
## Features
- **Dynamic Timer Configuration:** Uses a Jinja2 template to create a timer unit file based on provided variables.
- **Automated Service Management:** Automatically reloads the systemd daemon and restarts the timer when changes are detected.
- **Flexible Scheduling:** Supports configuration of parameters such as OnCalendar and RandomizedDelaySec for precise control over task timing.
- **Persistent Timers:** Optionally enables persistent timer behavior to ensure missed activations are handled.

25
roles/systemd-timer/meta/main.yml
View File

@ -1,25 +0,0 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Configures a systemd timer to periodically start a specified service. This role automates the creation, reloading, and restarting of systemd timer units for recurring tasks."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Linux
versions:
- all
galaxy_tags:
- systemd
- timer
- automation
- scheduling
- configuration
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies: []

25
roles/update-apt/README.md
View File

@ -1,22 +1,5 @@
# Update Debian-based Systems
# role update-apt
This role updates the packages
## Description
This role updates packages on Debian-based systems. It refreshes the apt cache and performs a distribution upgrade to ensure all packages are at their latest version.
## Overview
Designed for Debian and Ubuntu systems, this role:
- Updates the package cache using apt.
- Upgrades all packages to their latest available versions.
- Notes that full upgrades must be performed manually on nonrolling release systems.
## Purpose
The role is intended to keep Debian-based systems up-to-date by automating the package update process, ensuring that security patches and software improvements are applied promptly.
## Features
- **Apt Cache Refresh:** Updates the package index.
- **Distribution Upgrade:** Performs a dist-upgrade to update all installed packages.
- **Debian-Specific:** Tailored for Debian-based distributions.
# upgrade
Keep in mind that you have to do the upgrade manual because debian based distributions are no runing release

25
roles/update-apt/meta/main.yml
View File

@ -1,25 +0,0 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Updates packages on Debian-based systems by refreshing the apt cache and performing a distribution upgrade."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Debian
versions:
- all
galaxy_tags:
- apt
- update
- debian
- system
- maintenance
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies: []

26
roles/update-docker/README.md
View File

@ -1,27 +1,5 @@
# Update Docker
# Update-Docker Role
## Description
This Ansible role is used to update Docker Compose instances. It includes a Python script that checks for updates to Docker images and applies them if necessary.
This role updates Docker Compose instances by checking for changes in Docker image digests and applying updates if necessary. It utilizes a Python script to handle git pulls and Docker image pulls, and rebuilds containers when changes are detected.
## Overview
The role performs the following:
- Deploys a Python script to check for Docker image updates.
- Configures a systemd service to run the update script.
- Restarts the Docker update service upon configuration changes.
- Supports additional procedures for specific Docker applications (e.g., Discourse, Mastodon, Nextcloud).
## Purpose
The role is designed to ensure that Docker images remain current by automatically detecting changes and rebuilding containers as needed. This helps maintain a secure and efficient container environment.
## Features
- **Docker Image Monitoring:** Checks for changes in image digests.
- **Automated Updates:** Pulls new images and rebuilds containers when necessary.
- **Service Management:** Configures and restarts a systemd service to handle updates.
- **Application-Specific Procedures:** Includes hooks for updating specific Docker applications.
## Credits
It was created with the help of ChatGPT. The conversation is available [here](https://chat.openai.com/share/165418b8-25fa-433b-baca-caded941e22a)

28
roles/update-docker/meta/main.yml
View File

@ -1,30 +1,2 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Updates Docker Compose instances by detecting changes in Docker image digests and rebuilding containers when necessary. This role automates Docker image pulls and container rebuilds."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Archlinux
versions:
- rolling
- name: Ubuntu
versions:
- all
galaxy_tags:
- docker
- update
- compose
- images
- systemd
- maintenance
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies:
- system-maintenance-lock

19
roles/update-pacman/README.md
View File

@ -1,19 +0,0 @@
# Update-Pacman Role
## Description
This role updates the package cache and upgrades installed packages on Arch Linux systems using [pacman](https://wiki.archlinux.org/title/Pacman).
## Overview
Optimized for Arch Linux, this role uses pacman to refresh the package cache and upgrade all installed packages to their latest available versions. It automates system updates to ensure that the system remains secure and up-to-date with the latest software improvements and security patches.
## Purpose
The primary purpose of this role is to streamline system maintenance on Arch Linux systems. By automating the package update process, it helps maintain system stability and security without manual intervention.
## Features
- **Package Cache Refresh:** Automatically updates the pacman cache to retrieve the latest package lists.
- **Full System Upgrade:** Upgrades all installed packages to the latest versions.
- **Arch Linux Focused:** Specifically tailored for Arch Linux environments using pacman.

25
roles/update-pacman/meta/main.yml
View File

@ -1,25 +0,0 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Updates the package cache and upgrades all installed packages on Arch Linux systems using pacman."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Archlinux
versions:
- rolling
galaxy_tags:
- pacman
- update
- archlinux
- system
- maintenance
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies: []

39
roles/update-yay/README.md
View File

@ -1,22 +1,33 @@
# Update-Yay Role
# Ansible Role: update-yay
## Description
This Ansible role is designed for updating AUR packages on Arch Linux systems using `yay`. It automates the process of upgrading AUR packages, ensuring that your system stays up-to-date with the latest versions available in the Arch User Repository (AUR).
This role updates AUR packages on Arch Linux systems using [yay](https://wiki.archlinux.org/title/Yay). It automates the process of upgrading AUR packages, ensuring that your system stays current with the latest software available in the Arch User Repository.
## Requirements
## Overview
The role requires that `yay` (Yet Another Yaourt) - an AUR helper - is already installed on the system. If `yay` is not installed, the role `system-aur-helper` should handle its installation.
The role performs the following:
- Checks if the [yay](https://wiki.archlinux.org/title/Yay) AUR helper is installed.
- Upgrades AUR packages using the `kewlfft.aur.aur` module with yay.
- Works exclusively on Arch Linux systems.
## Role Dependencies
## Purpose
- `system-aur-helper`: This dependency is essential for ensuring that `yay` is available on the system. If `yay` is not installed, this role will manage its installation.
The primary purpose of this role is to ensure that AUR packages on Arch Linux are updated automatically. This helps maintain system stability and ensures that the latest features and fixes from the AUR are applied.
## Role Variables
## Features
There are no specific variables that need to be defined by the user for this role. The role utilizes the `kewlfft.aur.aur` module with predefined parameters to manage AUR packages.
- **AUR Package Upgrades:** Uses yay to upgrade AUR packages.
- **Conditional Execution:** Only runs if yay is installed on the system.
- **Arch Linux Focused:** Specifically designed for Arch Linux systems.
## Role Tasks
- **Upgrade AUR Packages**: The main task of this role is to upgrade the system using `yay`, focusing solely on AUR packages. This task does not require elevated privileges (become: false).
## Example Playbook
Here's an example of how to include the `update-yay` role in your playbook:
```yaml
- hosts: all
roles:
- role: update-yay
```
## Author Information
This role was created by Kevin Veen-Birkenbach.

25
roles/update-yay/meta/main.yml
View File

@ -1,27 +1,2 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Updates AUR packages on Arch Linux systems using yay. This role automates the upgrade process for AUR packages, ensuring that the system remains up-to-date with the latest versions available in the Arch User Repository."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Archlinux
versions:
- rolling
galaxy_tags:
- aur
- update
- archlinux
- yay
- system
- maintenance
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies:
- system-aur-helper

29
roles/update/meta/main.yml
View File

@ -1,29 +0,0 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Centralizes system update operations by conditionally invoking platform-specific update roles and Docker image updates."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Archlinux
versions:
- rolling
- name: Debian
versions:
- all
galaxy_tags:
- update
- system
- maintenance
- docker
- apt
- pacman
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies: []

28
roles/update/tasks/README.md
View File

@ -1,26 +1,2 @@
# Update System
## Description
This role serves as a central orchestrator for system updates. It conditionally executes various update roles based on the target system and available directories, ensuring that packages and Docker images are kept up-to-date.
## Overview
This role performs the following tasks:
- Checks if the Docker Compose instances directory exists.
- Executes system updates using platform-specific methods:
- Uses [pacman](https://wiki.archlinux.org/title/Pacman) for Arch Linux.
- Uses [apt](https://en.wikipedia.org/wiki/APT_(software)) for Debian-based systems.
- Invokes the Docker update role if Docker Compose instances are found.
- Checks for the presence of the [yay](https://wiki.archlinux.org/title/Yay) AUR helper and, if installed, triggers an update for AUR packages.
## Purpose
The primary purpose of this role is to streamline system maintenance by delegating updates to the appropriate update roles based on the systems platform and current configuration.
## Features
- **Conditional Execution:** Runs update roles based on the operating system and available directories.
- **Multi-Platform Support:** Supports both Arch Linux and Debian-based distributions.
- **Docker Image Updates:** Triggers Docker image updates when applicable.
- **AUR Package Updates:** Checks for the AUR helper and updates AUR packages if present.
# update
starts all of the different system update roles based on conditions

32
roles/user-administrator/README.md
View File

@ -1,25 +1,9 @@
# Administrator User
# Role Administrator
This role creates an standard administrator user.
This user needs to type in his password before executing sudo.
For security reasons it's recommended to use this user instead of the standard root user.
This user should not be used to login to other systems. It's just there to let administration tasks run.
For this reason no ssh-keys are generated.
## Description
This role creates a dedicated administrator user for local administrative tasks. The administrator account is configured to require a password when executing [sudo](https://en.wikipedia.org/wiki/Sudo), ensuring secure privilege escalation. For security reasons, it is recommended to use this dedicated administrator user instead of the default root account. The role also sets up SSH-related configuration by copying an authorized_keys file from inventory data.
## Overview
Optimized for secure system management, this role performs the following:
- Creates an administrator user with a home directory.
- Configures proper permissions for the administrators home directory and associated scripts.
- Sets up an SSH authorized_keys file from inventory data (if available), leveraging [SSH](https://en.wikipedia.org/wiki/Secure_Shell) best practices.
- Grants [sudo](https://en.wikipedia.org/wiki/Sudo) privileges to the administrator user with password authentication using a dedicated sudoers file.
## Purpose
The primary purpose of this role is to provide a secure and dedicated administrator account solely for running local administration tasks. This approach minimizes security risks associated with using the root account and enforces best practices in user privilege management.
## Features
- **User Creation:** Establishes an administrator user with a home directory and generated SSH keys.
- **Home Directory Configuration:** Sets secure permissions on the administrators home directory and script folder.
- **SSH Authorized Keys:** Copies a preconfigured authorized_keys file for additional security.
- **Sudo Privileges:** Deploys a dedicated sudoers configuration to grant the administrator user [sudo](https://en.wikipedia.org/wiki/Sudo) rights with password prompt.
- **Modular Integration:** Integrates with common routines and roles to further enhance system security.
## Author
This role was created by [Kevin Veen-Birkenbach](https://www.veen.world/)

26
roles/user-administrator/meta/main.yml
View File

@ -1,28 +1,2 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Creates a dedicated administrator user for local administrative tasks, ensuring secure privilege escalation and proper system management. This role configures the administrator account, sets up the home directory, SSH settings, and grants sudo privileges with password authentication."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Linux
versions:
- all
galaxy_tags:
- user
- administrator
- security
- sudo
- ssh
- configuration
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies:
- sudo
- user

9
roles/user-alarm/tasks/main.yml Normal file
View File

@ -0,0 +1,9 @@
# This role is deprecated and can be removed in the future
# The alarm user should be managed by
# @see the repository https://github.com/kevinveenbirkenbach/linux-image-manager
# @see the commit https://github.com/kevinveenbirkenbach/linux-image-manager/commit/bbb54a42377d316b5264330aae36018020f1b981
- name: remove the user alarm
user:
name: alarm
state: absent
remove: yes

33
roles/user-root/README.md
View File

@ -1,26 +1,21 @@
# Root User
## Description
This role manages the generation and handling of an SSH key for the [root user](https://en.wikipedia.org/wiki/Superuser) on a target system. It ensures that an SSH key is generated if one does not already exist and outputs the public key, enabling secure SSH access for the root user in automated environments.
## Overview
This Ansible role is designed to manage the generation and handling of an SSH key for the root user on a target system. It ensures that an SSH key is generated if it does not already exist and displays the public key. This role is particularly useful for setting up secure SSH access for root users in automated environments.
Optimized for secure system administration, this role performs the following tasks:
- Verifies the existence of a root SSH public key.
- Generates a new [RSA 4096-bit](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) SSH key pair for the root user if one is missing.
- Displays and outputs the generated public SSH key.
- Ensures that the key generation and display tasks run only once to maintain idempotency.
- Facilitates secure remote access using best practices for [SSH](https://en.wikipedia.org/wiki/Secure_Shell).
## Role Variables
- `run_once_user_root`: A variable to ensure that certain tasks are only run once. This is used for idempotency purposes.
## Purpose
## Tasks
1. **Check if the SSH key for root already exists**: Verifies the existence of an SSH public key for the root user.
2. **Generate a SSH key for root if it does not exist**: Generates a new SSH key pair (RSA 4096 bits) for the root user if it is not already present.
3. **Display the public SSH key**: Outputs the content of the generated public SSH key.
4. **Output the public SSH key**: Debug task to display the SSH public key in the Ansible output.
5. **Run the user_root tasks once**: Sets a fact to ensure that the tasks for generating and displaying the key are executed only once.
The primary purpose of this role is to enhance the security of the system by ensuring that a valid SSH key is available for the [root user](https://en.wikipedia.org/wiki/Superuser). By automating the generation and output of the public key, it reduces manual intervention and helps maintain a secure configuration for administrative access.
## Important Notes
- Running this role will affect the root user's SSH configuration on the target system. Ensure you understand the implications of modifying root SSH keys.
- Always test the role in a controlled environment before deploying to production.
## Features
- **SSH Key Verification:** Checks whether a root SSH public key exists.
- **SSH Key Generation:** Generates a new [RSA 4096-bit](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) SSH key pair for the root user if needed.
- **Public Key Output:** Displays and outputs the generated public SSH key.
- **Idempotency:** Ensures that key generation and output tasks execute only once.
- **Secure Remote Access:** Facilitates secure remote access by providing a verified public key for use with [SSH](https://en.wikipedia.org/wiki/Secure_Shell).
## Author
This role was created by [Kevin Veen-Birkenbach](https://www.veen.world/)

27
roles/user-root/meta/main.yml
View File

@ -1,27 +0,0 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Manages the generation and handling of an SSH key for the root user. This role ensures secure remote access by generating a new RSA 4096-bit key pair if one does not exist, and displays the public key for further use."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Linux
versions:
- all
galaxy_tags:
- ssh
- root
- administrator
- security
- user
- configuration
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies:
- user

25
roles/user/README.md
View File

@ -1,24 +1 @@
# User Role
## Description
This role executes tasks that are relevant for all users by configuring essential shell files. It deploys customized templates for [`.bashrc`](https://wiki.archlinux.org/title/Bash#Startup_files) and [`.bash_profile`](https://wiki.archlinux.org/title/Bash#Login_shells) for any specified user. This ensures a consistent and enhanced shell environment across the system.
## Overview
Optimized for modular configuration, this role uses Jinja2 templates to create:
- A customized [`.bashrc`](https://wiki.archlinux.org/title/Bash#Startup_files) that sets up a dynamic welcome message, system information, and useful aliases.
- A standardized [`.bash_profile`](https://wiki.archlinux.org/title/Bash#Login_shells) that sources the `.bashrc` to ensure consistent behavior upon login.
The role adapts its file paths based on the target user (e.g. the [root user](https://en.wikipedia.org/wiki/Superuser) or a standard user), ensuring proper ownership and permissions.
## Purpose
The primary purpose of this role is to establish a consistent and informative shell environment for all users. By standardizing shell configuration, it helps improve usability and system management through clear and structured output upon login.
## Features
- **Shell Configuration:** Deploys customized [`.bashrc`](https://wiki.archlinux.org/title/Bash#Startup_files) and [`.bash_profile`](https://wiki.archlinux.org/title/Bash#Login_shells) files.
- **Dynamic Content:** Displays system information, load averages, memory usage, disk usage, CPU details, and top processes upon login.
- **User-Specific Customization:** Adapts file locations and ownership based on the target user.
- **Enhanced Usability:** Sets color-coded prompts and aliases for a better command-line experience.
This role executes tasks which are relevant for all users

25
roles/user/meta/main.yml
View File

@ -1,25 +0,0 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Executes common tasks for user environment configuration."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Linux
versions:
- all
galaxy_tags:
- user
- bash
- ssh
- configuration
- administration
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies: []

32
roles/wireguard/Administration.md
View File

@ -1,32 +0,0 @@
# Administration
## Client
### Setup wireguard
```bash
pacman -S wireguard-tools
```
### Create Client Keys
```bash
wg_private_key="$(wg genkey)"
wg_public_key="$(echo "$wg_private_key" | wg pubkey)"
echo "PrivateKey: $wg_private_key"
echo "PublicKey: $wg_public_key"
echo "PresharedKey: $(wg genpsk)"
```
### Activate Configuration
```bash
cp /path/to/wg0.conf /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0.cymais.service --now
```
### Check status
```bash
systemctl status wg-quick@wg0.cymais.service
```
## Further Information
- https://golb.hplar.ch/2019/01/expose-server-vpn.html
- https://wiki.archlinux.org/index.php/WireGuard
- https://wireguard.how/server/raspbian/
- https://www.scaleuptech.com/de/blog/was-ist-und-wie-funktioniert-subnetting/

51
roles/wireguard/README.md
View File

@ -1,27 +1,34 @@
# Wireguard
# Role Native Wireguard
Manages wireguard on host.
## Description
## Client
### Setup wireguard
```bash
pacman -S wireguard-tools
```
This role manages [Wireguard](https://www.wireguard.com/) on the host. It installs the necessary Wireguard packages, configures sysctl settings for IPv4/IPv6 forwarding, and deploys the Wireguard configuration file to enable the VPN service using [wg-quick](https://www.wireguard.com/quickstart/).
### Create Client Keys
```bash
wg_private_key="$(wg genkey)"
wg_public_key="$(echo "$wg_private_key" | wg pubkey)"
echo "PrivateKey: $wg_private_key"
echo "PublicKey: $wg_public_key"
echo "PresharedKey: $(wg genpsk)"
```
## Overview
### Activate Configuration
```bash
cp /path/to/wg0.conf /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0.cymais.service --now
```
Optimized for both [Arch Linux](https://wiki.archlinux.org/index.php/WireGuard) and [Ubuntu/Debian](https://wireguard.com/install/), this role performs the following tasks:
- Installs Wireguard tools using the appropriate package manager.
- Copies a sysctl configuration file to enable IP forwarding and proper IPv6 settings.
- Deploys a host-specific Wireguard configuration file to `/etc/wireguard/wg0.cymais.conf`.
- Uses systemd handlers to restart the Wireguard service and reload sysctl settings.
### Check status
```bash
systemctl status wg-quick@wg0.cymais.service
```
## Purpose
The primary purpose of this role is to set up and manage a Wireguard VPN configuration on the host. By automating package installation and configuration file deployment, it ensures that the VPN service is enabled with optimal network settings for secure connectivity.
## Features
- **Multi-Platform Support:** Installs Wireguard tools using [pacman](https://wiki.archlinux.org/title/Pacman) on Arch Linux and [apt](https://en.wikipedia.org/wiki/APT_(software)) on Ubuntu/Debian.
- **Sysctl Configuration:** Deploys a sysctl configuration file to manage IPv4/IPv6 forwarding and related network parameters.
- **Wireguard Configuration:** Copies a host-specific Wireguard configuration file to `/etc/wireguard/wg0.cymais.conf`.
- **Service Management:** Provides handlers to restart the Wireguard service and reload sysctl settings.
## Administration
For detailed client setup instructions, please see the [Administration](./Administration.md) file.
## See
- https://golb.hplar.ch/2019/01/expose-server-vpn.html
- https://wiki.archlinux.org/index.php/WireGuard
- https://wireguard.how/server/raspbian/
- https://www.scaleuptech.com/de/blog/was-ist-und-wie-funktioniert-subnetting/

28
roles/wireguard/meta/main.yml
View File

@ -1,28 +0,0 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Manages Wireguard VPN configuration on the host. Installs necessary tools, deploys sysctl settings for IP forwarding, and copies the Wireguard configuration file to enable secure VPN connectivity."
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Archlinux
versions:
- rolling
- name: Ubuntu
versions:
- all
galaxy_tags:
- wireguard
- vpn
- networking
- systemd
- configuration
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies: []