bitwarden

playbooks/00_clone_git_repo.yml

@@ -0,0 +1,4 @@
+- hosts: datacenter
+  name: Clone git
+  become: true
+  tasks:

roles/autofs-client/tasks/main.yml

@@ -0,0 +1,42 @@
+- block:
+  - name: include vault
+    ansible.builtin.include_vars:
+      file: jaydee.yml
+  - name: Install autofs
+    ansible.builtin.apt:
+      name: 
+        - autofs
+        - cifs-utils
+      state: present
+
+  - name: Creating a file with content
+    copy:
+      dest: "/etc/auto.auth"
+      content: |
+        username={{ samba_user }}
+        password={{ samba_password }}
+        
+  - name: Creating a file with content
+    copy:
+      dest: "/etc/auto.nas"
+      content: |
+        nas-data   -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw    ://nas.home.lan/Data
+        nas-docker-data   -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw    ://nas.home.lan/docker_data
+        nas-photo   -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw    ://nas.home.lan/Photo
+        nas-public   -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw    ://nas.home.lan/Public
+        nas-install   -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw    ://nas.home.lan/install
+        nas-media   -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw    ://nas.home.lan/Media
+        nas-downloads   -fstype=cifs,credentials=/etc/auto.auth,dir_mode=0755,file_mode=0755,uid=jd,rw    ://nas.home.lan/downloads
+
+  - name: Reconfigure zabbix agent Server
+    ansible.builtin.lineinfile:
+      path: /etc/auto.master
+      regexp: "^/media/nas.*"
+      insertafter: '^/media/nas'
+      line: "/media/nas   /etc/auto.nas --timeout 360 --ghost"
+
+  - name: Restart docker service
+    ansible.builtin.service:
+      name: autofs
+      state: restarted
+  become: true

roles/docker/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart_docker
+  ansible.builtin.service:
+    name: docker.service
+    state: restarted

roles/docker/tasks/main.yml

@@ -0,0 +1,57 @@
+- block:
+  - name: Install docker
+    ansible.builtin.apt:
+      name: 
+        - ca-certificates
+        - curl 
+        - telnet
+        - net-tools
+        - python3-pip
+        - python3-dev
+      state: present
+      update_cache: true
+  - name: Get keys for raspotify
+    ansible.builtin.shell:
+      install -m 0755 -d /etc/apt/keyrings
+
+  - name: Get keys for raspotify
+    ansible.builtin.shell:
+      curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
+
+  - name: Get keys for raspotify
+    ansible.builtin.shell:
+      chmod a+r /etc/apt/keyrings/docker.asc
+
+  - name: Get keys for raspotify
+    ansible.builtin.shell: echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+
+  - name: Install docker
+    ansible.builtin.apt:
+      name: 
+        - docker-ce
+        - docker-ce-cli
+        - containerd.io
+        - docker-buildx-plugin
+        - docker-compose-plugin
+      update_cache: true
+
+  - name: Create a directory docker.service.d
+    ansible.builtin.file:
+      path: /etc/systemd/system/docker.service.d/
+      state: directory
+      mode: '0755'
+
+  - name: Creating a file with content
+    copy:
+      dest: "/etc/systemd/system/docker.service.d/override.conf"
+      content: |
+        [Service]
+        ExecStart=
+        ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375
+    notify: restart_docker
+
+  - name: Just force systemd to reread configs
+    ansible.builtin.systemd:
+      daemon_reload: true
+
+  become: true

roles/ldap-client/tasks/main.yml

@@ -0,0 +1,149 @@
+- block:
+  - name: Install ldap packages
+    ansible.builtin.apt:
+      name: 
+        - libpam-ldapd
+        - ldap-utils
+        - libnss-ldapd
+  # - name: Reconfigure ldap base
+  #   ansible.builtin.lineinfile:
+  #     path: /etc/ldap.conf
+  #     regexp: "^base "
+  #     line: "base dc=sectorq,dc=eu"
+
+  # - name: Reconfigure ldap uri
+  #   ansible.builtin.lineinfile:
+  #     path: /etc/ldap.conf
+  #     regexp: "^uri ldap.*"
+  #     line: "uri ldaps://ldap-server.loc/"
+  # - name: Reconfigure ldap version
+  #   ansible.builtin.lineinfile:
+  #     path: /etc/ldap.conf
+  #     regexp: "^ldap_version.*"
+  #     line: "ldap_version 3"
+
+  # - name: Reconfigure ldap rootbinddn
+  #   ansible.builtin.lineinfile:
+  #     path: /etc/ldap.conf
+  #     regexp: "^rootbinddn.*"
+  #     line: "rootbinddn cn=admin,dc=sectorq,dc=eu"
+  - name: Reconfigure common-session
+    ansible.builtin.lineinfile:
+      path: /etc/pam.d/common-session
+      regexp: "^session optional pam_mkhomedir.so.*"
+      line: "session optional pam_mkhomedir.so skel=/etc/skel umask=077"
+  - name: Reconfigure common-session
+    ansible.builtin.lineinfile:
+      path: /etc/pam.d/common-session
+      regexp: "^session.*pam_ldap.so.*"
+      line: "session [success=ok default=ignore]     pam_ldap.so minimum_uid=1000"      
+  - name: Reconfigure common-password
+    ansible.builtin.lineinfile:
+      path: /etc/pam.d/common-password
+      regexp: "^password.*success=1 user_unknown=ignore default=die.*"
+      line: "password        [success=1 default=ignore]     pam_ldap.so minimum_uid=1000 try_first_pass"
+  - name: Reconfigure nsswitch passwd
+    ansible.builtin.lineinfile:
+      path: /etc/nsswitch.conf
+      regexp: "^passwd:.*"
+      line: "passwd:         compat systemd ldap"
+  - name: Reconfigure nsswitch group
+    ansible.builtin.lineinfile:
+      path: /etc/nsswitch.conf
+      regexp: "^group:.*"
+      line: "group:          compat systemd ldap"
+  - name: Reconfigure nsswitch shadow
+    ansible.builtin.lineinfile:
+      path: /etc/nsswitch.conf
+      regexp: "^shadow:.*"
+      line: "shadow:         compat ldap"
+
+  - name: Reconfigure nslcd uri
+    ansible.builtin.lineinfile:
+      path: /etc/nslcd.conf
+      regexp: "^uri ldap.*"
+      line: "uri ldap://192.168.77.101:2389/"
+
+
+  - name: Reconfigure ldap base
+    ansible.builtin.lineinfile:
+      path: /etc/nslcd.conf
+      regexp: "^base "
+      line: "base dc=sectorq,dc=eu"
+
+
+  - name: Reconfigure nslcd binddn
+    ansible.builtin.lineinfile:
+      path: /etc/nslcd.conf
+      regexp: "^binddn"
+      line: "binddn cn=jaydee,dc=users,dc=sectorq,dc=eu"
+      
+  - name: Reconfigure nslcd bindpw
+    ansible.builtin.lineinfile:
+      path: /etc/nslcd.conf
+      regexp: "^bindpw"
+      line: "bindpw {{ ldap_admin_password }}"
+  # - name: Reconfigure ldap base
+  #   ansible.builtin.lineinfile:
+  #     path: /etc/nslcd.conf
+  #     regexp: "^#ssl"
+  #     line: "ssl start_tls"
+  - name: Reconfigure nslcd tls_reqcert
+    ansible.builtin.lineinfile:
+      path: /etc/nslcd.conf
+      regexp: "^tls_reqcert"
+      line: "tls_reqcert allow"
+  - name: Restart nslcd service
+    ansible.builtin.service:
+      name: nslcd.service
+      state: restarted
+
+  - name: Creating a file with content
+    copy:
+      dest: "/usr/local/bin/fetchSSHKeysFromLDAP"
+      content: |
+        #!/usr/bin/bash
+        ldapsearch  -x '(&(objectClass=ldapPublicKey)(cn='"$1"'))' 'sshPublicKey' |     sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'  
+      mode: '0755'
+  - name: Reconfigure sshd
+    ansible.builtin.lineinfile:
+      path: /etc/ssh/sshd_config
+      regexp: "^#AuthorizedKeysCommand *"
+      line: "AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP"
+
+  - name: Reconfigure sshd
+    ansible.builtin.lineinfile:
+      path: /etc/ssh/sshd_config
+      regexp: "^#AuthorizedKeysCommandUser *"
+      line: "AuthorizedKeysCommandUser root"
+  - name: Create a directory LDAP if it does not exist
+    ansible.builtin.file:
+      path: /etc/ldap/
+      state: directory
+      mode: '0755'
+  - name: Creating a file with content
+    copy:
+      dest: "/etc/ldap/ldap.conf"
+      content: |
+        #
+        # LDAP Defaults
+        #
+
+        # See ldap.conf(5) for details
+        # This file should be world readable but not world writable.
+
+        BASE    dc=sectorq,dc=eu
+        URI     ldap://192.168.77.101:2389
+
+        #SIZELIMIT      12
+        #TIMELIMIT      15
+        #DEREF          never
+
+        # TLS certificates (needed for GnuTLS)
+        TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
+  
+  - name: Restart sshd service
+    ansible.builtin.service:
+      name: sshd.service
+      state: restarted
+  become: true

roles/matter-server/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart_matter_server
+  ansible.builtin.shell: docker restart matter-server
+
+  become: true

roles/matter-server/tasks/main.yml

@@ -0,0 +1,10 @@
+- block:
+  - name: Reconfigure config
+    ansible.builtin.lineinfile:
+      path: /etc/sysctl.conf
+      regexp: "^Unet.ipv4.igmp_max_memberships.*"
+      line: "net.ipv4.igmp_max_memberships = 75"
+  - name: Restart agent
+    ansible.builtin.shell: echo 76 > /proc/sys/net/ipv4/igmp_max_memberships
+    notify: restart_matter_server
+  become: true

roles/mqtt-srv/tasks/main.yml

@@ -0,0 +1,116 @@
+- block:
+  - name: include vault
+    ansible.builtin.include_vars:
+      file: ../jaydee.yml
+  - name: Delete content & directory
+    ansible.builtin.file:
+      state: absent
+      path: "{{ dest_folder }}"
+  - name: GIT pull
+    tags:
+      - git_pull
+    git:
+      repo: "https://{{ git_user | urlencode }}:{{ git_password_mqtt | urlencode }}@gitlab.sectorq.eu/jaydee/mqtt_srv.git"
+      dest: "{{ dest_folder }}"
+      update: yes
+      clone: yes
+      version: main
+  - debug:
+      msg: "{{ inventory_hostname }}"
+
+  - name: Upload service config
+    ansible.builtin.copy:
+      src: "{{ dest_folder }}/mqtt_srv.service"
+      dest: /etc/systemd/system/mqtt_srv.service
+      remote_src: true
+    when: inventory_hostname != 'nas.home.lan' 
+
+  - name: Upload service script
+    ansible.builtin.copy:
+      src: "{{ dest_folder }}/mqtt_srv.py"
+      dest: /usr/bin/mqtt_srv.py
+      mode: '755'
+      owner: root
+      remote_src: true
+    when: inventory_hostname != 'nas.home.lan'
+    
+  - name: Upload service script config
+    ansible.builtin.copy:
+      src: "{{ dest_folder }}/mqtt_srv.cfg"
+      dest: /etc/mqtt_srv/mqtt_srv.cfg
+      mode: '755'
+      owner: root
+      remote_src: true
+    when: inventory_hostname != 'nas.home.lan'
+
+    
+  # - name: Upload service script1
+  #   ansible.builtin.copy:
+  #     src: scripts/mqtt_srv.sh
+  #     dest: /jffs/scripts/mqtt_srv/
+  #     mode: '755'
+  #     owner: admin
+  #   when: inventory_hostname in groups['router']
+  #   become: false
+
+
+  # - name: Upload service script
+  #   ansible.builtin.copy:
+  #     src: scripts/mqtt_srv.py
+  #     dest: /jffs/scripts/mqtt_srv/
+  #     mode: '755'
+  #     owner: admin
+  #   when: inventory_hostname in groups['router']
+  #   become: false
+
+  - name: Upload service script1
+    ansible.builtin.copy:
+      src: "{{ dest_folder }}/mqtt_srv.sh"
+      dest: /etc/init.d/
+      mode: '755'
+      owner: admin
+      remote_src: true
+    when: inventory_hostname == 'nas.home.lan'
+
+  - debug:
+      msg: "{{ dest_folder }}"
+  - name: Upload service script2
+    ansible.builtin.copy:
+      src: "{{ dest_folder }}/mqtt_srv.py"
+      dest: /usr/bin/mqtt_srv.py
+      mode: '755'
+      owner: admin
+      remote_src: true
+    when: inventory_hostname == 'nas.home.lan'
+
+  - name: Install bottle python package
+    ansible.builtin.shell: pip  install {{ item }}  --break-system-packages
+    loop:
+      - paho-mqtt
+      - getmac
+      - ping3
+      - psutil
+      - autorandr
+    when: inventory_hostname != 'nas.home.lan'
+
+  - name: Just force systemd to reread configs (2.4 and above)
+    ansible.builtin.systemd:
+      daemon_reload: true
+    when: inventory_hostname != 'nas.home.lan'
+
+
+
+  - name: Restart mqtt_srv service
+    ansible.builtin.service:
+      name: mqtt_srv.service
+      state: restarted
+      enabled: true
+    when: inventory_hostname != 'nas.home.lan'
+
+  - name: Restart mqtt service
+    ansible.builtin.shell: "(/etc/init.d/mqtt_srv.sh restart >/dev/null 2>&1 &)"
+    async: 10
+    poll: 0
+    when: inventory_hostname == 'nas.home.lan'
+
+  become: "{{ 'no' if inventory_hostname == 'nas.home.lan' else 'yes' }}"

roles/mqtt-srv/vars/main.yml

@@ -0,0 +1 @@
+dest_folder: "/tmp/ans_repo"

roles/timeshift/tasks/main.yml

@@ -0,0 +1,9 @@
+- name: Install timeshift packages
+  ansible.builtin.apt:
+    name: 
+      - timeshift
+    update_cache: yes
+  become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}"
+  ignore_errors: true
+  when: inventory_hostname != 'nas.home.lan'
+

roles/zabbix-agent/tasks/main.yml

@@ -0,0 +1,154 @@
+- block:
+  - name: Get config for not nas
+    ansible.builtin.set_fact:
+      zabbix_agent_cfg: "/etc/zabbix/zabbix_agent2.conf"
+    when: inventory_hostname != 'nas.home.lan'
+    
+  - name: Get config for nas
+    ansible.builtin.set_fact:
+      zabbix_agent_cfg: "/opt/ZabbixAgent/etc/zabbix_agentd.conf"
+    when: inventory_hostname  == 'nas.home.lan'
+
+  - name: Print all available facts
+    ansible.builtin.debug:
+      msg: "{{ false if inventory_hostname == 'nas.home.lan' else true }}"
+
+  - name: Print all available facts
+    ansible.builtin.debug:
+      var: ansible_facts.architecture
+  - name: Print all available facts
+    ansible.builtin.debug:
+      var: ansible_distribution
+  - name: Print all available facts
+    ansible.builtin.debug:
+      var: ansible_distribution_major_version
+  # - name: Upload zabbix package
+  #   ansible.builtin.copy:
+  #     src: packages/zabbix-release_6.4-1+ubuntu22.04_all.deb
+  #     dest: /tmp/
+  - name: Install a .deb package from the internet11
+    ansible.builtin.apt:
+      deb: https://repo.zabbix.com/zabbix/6.4/ubuntu-arm64/pool/main/z/zabbix-release/zabbix-release_6.4-1+ubuntu22.04_all.deb
+    when:
+      - ansible_facts.architecture != "armv7l" and  ( ansible_distribution == "Ubuntu" or ansible_distribution == "Linux Mint" )
+
+  - name: Install a .deb package from the internet2
+    ansible.builtin.apt:
+      #deb: https://repo.zabbix.com/zabbix/6.4/raspbian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian11_all.deb
+      deb: https://repo.zabbix.com/zabbix/7.0/raspbian/pool/main/z/zabbix-release/zabbix-release_7.0-1+debian11_all.deb
+    retries: 5
+    delay: 5
+    when:
+      - ansible_facts.architecture == "armv7l" or ansible_facts.architecture == "aarch64"
+
+    ignore_errors: true
+
+  - name: Install a .deb package from the internet3
+    ansible.builtin.apt:
+      deb: https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian11_all.deb
+      
+    when:
+      - ansible_facts.architecture != "armv7l"  and ansible_distribution == "Debian"  and ansible_distribution_major_version  == "11"
+    
+  - name: Install a .deb package from the internet4
+    ansible.builtin.apt:
+      #deb: https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian12_all.deb
+      deb: https://repo.zabbix.com/zabbix/7.0/debian/pool/main/z/zabbix-release/zabbix-release_7.0-1+debian12_all.deb
+    when:
+      - ansible_facts.architecture != "armv7l" and  ansible_facts.architecture != "aarch64" and ansible_distribution == "Debian"  and ansible_distribution_major_version  == "12"
+    ignore_errors: true
+
+  # - name: Install a .deb package localy
+  #   ansible.builtin.apt:
+  #     deb: /tmp/zabbix-release_6.4-1+ubuntu22.04_all.deb
+  - name: Install zabbix packages
+    ansible.builtin.apt:
+      name: 
+        - zabbix-agent2
+        - zabbix-agent2-plugin-mongodb
+        - zabbix-agent2-plugin-postgresql
+        # - zabbix-agent2-plugin-mysql
+      update_cache: yes
+    ignore_errors: true
+    when: inventory_hostname != 'nas.home.lan'
+
+  - name: Reconfigure zabbix agent Server
+    ansible.builtin.lineinfile:
+      path: "{{ zabbix_agent_cfg }}"
+      regexp: "^Server=.*"
+      insertafter: '^# Server='
+      line: "Server=192.168.77.0/24,192.168.80.0/28"
+    become: "{{ false if inventory_hostname == 'nas.home.lan' else true }}"
+
+  - name: Reconfigure zabbix agent ServerActive
+    ansible.builtin.lineinfile:
+      path: "{{ zabbix_agent_cfg }}"
+      regexp: "^ServerActive=.*"
+      line: "ServerActive={{ ZABBIX_SERVER }}"
+
+  - name: Reconfigure zabbix agent ListenPort
+    ansible.builtin.lineinfile:
+      path: "{{ zabbix_agent_cfg }}"
+      regexp: "^ListenPort=.*"
+      line: "ListenPort=10050"
+  # - name: Reconfigure zabbix agent ListenIP
+  #   ansible.builtin.lineinfile:
+  #     path: /"{{ zabbix_agent_cfg }}"
+  #     regexp: "^ListenIP=.*"
+  #     line: "ListenIP=0.0.0.0"
+
+  - name: Reconfigure zabbix-agent2 hostname
+    ansible.builtin.lineinfile:
+      path: "{{ zabbix_agent_cfg }}"
+      regexp: "^Hostname=.*"
+      line: "Hostname={{ inventory_hostname }}"
+
+  - name: Reconfigure zabbix-agent2 config
+    ansible.builtin.lineinfile:
+      path: "{{ zabbix_agent_cfg }}"
+      insertafter: '^# UserParameter='
+      regexp: "^UserParameter=system.certs.*"
+      line: "UserParameter=system.certs,python3 /share/ZFS530_DATA/.qpkg/ZabbixAgent/cert_check2.py"
+    when: inventory_hostname == 'nas.home.lan' or inventory_hostname == 'm-server.home.lan' 
+
+  - name: Reconfigure zabbix-agent2 config
+    ansible.builtin.lineinfile:
+      path: "{{ zabbix_agent_cfg }}"
+      insertafter: '^# UserParameter='
+      line: "UserParameter=rpi.hw.temp,/usr/bin/vcgencmd measure_temp"
+    when: inventory_hostname == 'rpi5.home.lan'
+
+  - name: Reconfigure zabbix-agent2 hostname
+    ansible.builtin.lineinfile:
+      path: "{{ zabbix_agent_cfg }}"
+      regexp: "^HostMetadata=.*"
+      insertafter: '^# HostMetadata='
+      line: "HostMetadata=linux;jaydee"
+  - name: Reconfigure zabbix-agent2 hostname
+    ansible.builtin.lineinfile:
+      path: "{{ zabbix_agent_cfg }}"
+      regexp: "^HostMetadata=.*"
+      insertafter: '^# HostMetadata='
+      line: "HostMetadata=server;jaydee"
+    when: inventory_hostname == 'nas.home.lan' or inventory_hostname == 'm-server.home.lan' 
+
+  - name: Add the user 'to group video
+    ansible.builtin.user:
+      name: zabbix
+      groups: video
+      append: yes
+    when: inventory_hostname != 'nas.home.lan'
+
+  - name: Restart zabbix-agent2 service
+    ansible.builtin.service:
+      name: zabbix-agent2.service
+      state: restarted
+      enabled: true
+    when: inventory_hostname != 'nas.home.lan'
+
+  - name: Restart agent
+    ansible.builtin.shell: /etc/init.d/ZabbixAgent.sh restart
+    when: inventory_hostname == 'nas.home.lan'
+
+
+  become: true

roles/zabbix-agent/vars/main.yml

@@ -0,0 +1 @@
+ZABBIX_SERVER: "zabbix.home.lan"