chore: add ansible host file

ansible/inventory/production/group_vars/web.yml

@@ -0,0 +1,5 @@
+users:
+  - username: 'artentica'
+    # groups: "admin,www-data"
+  - username: 'doctor'
+    # groups: "admin,www-data"

ansible/inventory/production/host_vars/mainServer.yml

@@ -0,0 +1,8 @@
+---
+ansible_host: 91.121.85.107
+ansible_port: 137
+data_center: RBX1
+rack: 07A01
+id: 172791
+reverse: ns352698.ip-91-121-85.eu
+...

ansible/inventory/production/hosts

@@ -0,0 +1,4 @@
+# file: production
+
+[web]
+mainServer

ansible/roles/packages/tasks/main.yml

@@ -0,0 +1,17 @@
+---
+# - debug:
+#     msg: "{{ hostvars[inventory_hostname] }}"
+
+- name: Dependencies installation
+  pacman:
+    name:
+      - git
+      - vim
+      - htop
+      - zsh
+      - sudo
+
+    update_cache: yes
+    # upgrade: yes
+    state: latest
+...

ansible/roles/ssh/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+# Default path of the ssh config file
+sshd_config_path: "/etc/ssh/sshd_config"
+...

ansible/roles/ssh/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart sshd
+  service:
+    name: sshd
+    state: restarted

ansible/roles/ssh/tasks/main.yml

@@ -0,0 +1,76 @@
+---
+# ansible_port can change throughout this role, keep a copy around
+- name: Set configured port fact
+  set_fact:
+    configured_port: "{{ ansible_port }}"
+
+- name: "Check port {{ ansible_port }}"
+  wait_for:
+    port: "{{ ansible_port }}"
+    state: "started"
+    host: "{{ ansible_host }}"
+    connect_timeout: "5"
+    timeout: "5"
+  delegate_to: "localhost"
+  ignore_errors: "yes"
+  register: ssh_port
+
+- debug:
+    msg: "{{ ansible_host }}"
+
+- name: "Check port 22"
+  wait_for:
+    port: "22"
+    state: "started"
+    host: "{{ ansible_host }}"
+    connect_timeout: "5"
+    timeout: "5"
+  delegate_to: "localhost"
+  ignore_errors: "yes"
+  register: ssh_port_default
+  when:
+    - ssh_port is defined
+    - ssh_port.state is undefined
+
+- name: Set SSH port to 22
+  set_fact:
+    ansible_port: 22
+  when: ssh_port_default.state is defined
+
+# - name: Security | Disallow password authentication
+#   lineinfile:
+#     dest: /etc/ssh/sshd_config
+#     regexp: "^[#]*PasswordAuthentication"
+#     line: "PasswordAuthentication no"
+#     state: present
+#   notify: restart ssh
+#   tags: ["ssh"]
+
+- name: Change sshd config
+  lineinfile:
+    dest: "{{ sshd_config_path }}"
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+  with_items:
+    - { regexp: '^Port', line: 'Port "{{configured_port}}"' }
+    - { regexp: '^[#]*PasswordAuthentication=', line: 'PasswordAuthentication no' }
+    - { regexp: '^PermitRootLogin', line: 'PermitRootLogin no' }
+  notify: "restart sshd"
+
+# We notified "Restart sshd" if we modified the sshd config.
+# By calling flush_handlers, we make sure the handler is run *right now*
+- name: Ensure SSH is reloaded if need be
+  meta: flush_handlers
+
+
+- name: "Set SSH port to {{ configured_port }}"
+  set_fact:
+    ansible_port: "{{ configured_port }}"
+  when: ssh_port_default.state is defined
+
+# Gather facts should be set to false when running this role since it will
+# fail if the Ansible SSH port is not set correctly.
+# We run setup to gather facts here once the SSH port is set up.
+- name: Run deferred setup to gather facts
+  setup:
+...

ansible/roles/swarm/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+packages:
+  - docker
+  - docker-compose
+  - python-pip
+
+docker_group: docker
+...

ansible/roles/swarm/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart docker
+  service:
+    name: docker
+    state: restarted
+...

ansible/roles/swarm/tasks/main.yml

@@ -0,0 +1,29 @@
+---
+
+- name: install Docker and dependencies
+  pacman:
+    name: "{{ packages }}"
+    state: latest
+    update_cache: yes
+  with_items: "{{ packages }}"
+
+- name: "Ensure group {{ docker_group }} exists"
+  group:
+    name: "{{ docker_group }}"
+
+- name: Add  user to docker group
+  user:
+    name: "{{ item.username }}"
+    group: "{{ docker_group }}"
+  with_items: "{{ users }}"
+
+- name: Ensure Docker is running
+  service:
+    name: docker
+    state: started
+    enabled: yes
+
+- name: Init a new swarm with default parameters
+  docker_swarm:
+    state: present
+...

ansible/roles/users/files/artentica.key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKSuo82KyqCWnmAPNTWbZq+vFaIH2YFJkLNvkANV65mc

ansible/roles/users/files/doctor.key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKSuo82KyqCWnmAPNTWbZq+vFaIH2YFJkLNvkANV65mc

ansible/roles/users/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+- name: "Create user: {{item.username}}"
+  user:
+    name: "{{ item.username }}"
+    groups: "admin"
+  with_items: "{{ users }}"
+
+- name: "Add authorized keys"
+  authorized_key:
+    user: "{{ item.username }}"
+    key: "{{ lookup('file', 'files/'+ item.username + '.key.pub') }}"
+  with_items: "{{ users }}"
+
+- name: "Allow admin users to sudo without a password"
+  lineinfile:
+    dest: "/etc/sudoers" # path: in version 2.3
+    state: "present"
+    regexp: "^%admin"
+    line: "%admin ALL=(ALL) NOPASSWD: ALL"
+...

ansible/site.yml

@@ -0,0 +1,34 @@
+---
+- name: Server ssh only
+  hosts: web
+  remote_user: root
+  gather_facts: no
+  roles:
+    - role: ssh
+      tags:
+        - ssh
+
+- name: Server installation
+  hosts: web
+  remote_user: root
+  roles:
+    - role: packages
+      tags:
+        - packages
+
+- name: User configuration
+  hosts: web
+  remote_user: root
+  roles:
+    - role: users
+      tags:
+        - users
+
+- name: Swarm installation & configuration
+  hosts: web
+  remote_user: root
+  roles:
+    - role: swarm
+      tags:
+        - swarm
+...

postInstall.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+wget https://pkgbuild.com/~eschwartz/repo/x86_64-extracted/pacman-static
+chmod +x pacman-static
+./pacman-static --noconfirm -Syyu python
+rm ./pacman-static
+reboot -f

swarm/example.yml

@@ -0,0 +1,75 @@
+version: "3.8"
+
+
+networks:
+  traefik:
+    name: "dmz"
+    driver: overlay
+    attachable: true
+
+services:
+
+  traefik:
+    image: "traefik:v2.2"
+    command:
+      - "--global.sendanonymoususage=false" # désactivation de l'envoi de donnée
+      - "--global.checknewversion=false" # puisque dockerisé, on désactive le check de mise à jour
+      - "--accesslog=true" # Pour avoir les logs d'accès
+      - "--api=true" # Pour activer l'api
+      # Swarm
+      #traefik.http.services.myservice.loadbalancer.server.port=8080
+      - "--providers.docker.swarmMode=true"
+      - "--providers.docker.watch=true"
+      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
+      - "--api.insecure=true" # Activer pour exposer l'api sur 8080
+      - "--api.dashboard=true" # Pour activer le dashboard
+      - "--log.level=DEBUG"
+      #- "--providers.file.directory=/etc/traefik/conf.d/" # Permets de charger les configurations dans le répertoire (tout les yaml et toml)
+      #- "--providers.file.watch=true" # Permets de surveiller le répertoire précédent pour charger dynamiquement les configurations
+      - "--entrypoints.http.address=:80" # Création de l'entrypoint nommé web sur le port 80
+      - "--entrypoints.https.address=:443" # Création de l'entrypoint nommé websecure sur le port 443
+      #- "--entrypoints.web.http.redirections.entrypoint.scheme=https" # Pour créer une redirection vers https
+      #- "--entrypoints.web.http.redirections.entrypoint.to=websecure" # Pour rediriger vers l'entrypoint websecure (port 443)
+      - "--certificatesresolvers.letsencrypt-rsa2048.acme.email=server@vincentriouallon.ovh"
+      - "--certificatesresolvers.letsencrypt-rsa2048.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+      - "--certificatesresolvers.letsencrypt-rsa2048.acme.storage=/acme.json"
+      - "--certificatesresolvers.letsencrypt-rsa2048.acme.keytype=RSA2048"
+      - "--certificatesresolvers.letsencrypt-rsa2048.acme.httpchallenge.entrypoint=web"
+      - "--certificatesresolvers.letsencrypt-rsa2048.acme.tlschallenge=true"
+    networks:
+      - traefik
+    ports:
+      - "8080:8080"
+      - "443:443"
+      - "80:80"
+    deploy:
+      labels:
+        - "traefik.http.services.traefik.loadbalancer.server.port=8080"
+        - "traefik.docker.lbswarm=true"
+        - "traefik.enable=true"
+        - "traefik.docker.network=dmz"
+        - "traefik.http.routers.traefik.entrypoints=https"
+        - "traefik.http.middlewares.http-redirect.redirectscheme.scheme=https"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+
+  whoami:
+    image: "containous/whoami"
+    networks:
+      - traefik
+    deploy:
+      labels:
+        - "traefik.enable=true"
+        - "traefik.docker.network=dmz"
+        - "traefik.docker.lbswarm=true"
+        - "traefik.http.routers.reverse_proxy_plex_insecure.rule=Host(`whoami.vincentriouallon.ovh`)"
+        - "traefik.http.routers.reverse_proxy_plex_insecure.middlewares=http-redirect@docker"
+        - "traefik.http.routers.reverse_proxy_plex.entrypoints=https"
+        - "traefik.http.routers.reverse_proxy_plex.tls=true"
+        - "traefik.http.routers.reverse_proxy_plex.tls.certresolver=letsencrypt-rsa2048"
+        - "traefik.http.routers.reverse_proxy_plex.rule=Host(`whoami.vincentriouallon.ovh`)"
+        - "traefik.http.services.reverse_proxy_plex.loadbalancer.passhostheader=true"
+        - "traefik.http.services.reverse_proxy_plex.loadbalancer.server.port=80"
+        - "traefik.http.services.reverse_proxy_plex.loadbalancer.server.scheme=http"
+
+