An Ansible repository for the configuration of systems and resources managed by n3tuk.
| Playbook | task Command | Description |
|---|---|---|
| n/a | `develop` | A task-specific command which will run linting and validation of the code and configuration within this repository. |
| n/a | `ping` | A task-specific command which will attempt to ping all hosts configured in the inventory using the standard become process. |
| `bootstrap.yaml` | `play:bootstrap` | A play which will bootstrap any host listed under the `bootstrap` group, and is normally used for both physical nodes as well as virtual machines. |
| `baseline.yaml` | `play:baseline` | A play which will configure physical and virtual machines to baselined settings. |
| `users.yaml` | `play:users` | A play which will create or update all the users and groups on a system. |
| `update.yaml` | `update` | A play which will update all Arch Linux repositories using pacman (but not upgrade the packages). |
| `upgrade.yaml` | `upgrade` | A play which will update and upgrade all Arch Linux packages using pacman. |
| `authentik.yaml` | `play:authentik` | A play which will deploy and configure the Authentik identity provider alongside PostgreSQL, cloudflared, and Tailscale. |
| `ca.yaml` | `play:ca` | A play which will deploy and configure the step-ca Certificate Authority alongside PostgreSQL and Tailscale. |
| `dns.yaml` | `play:dns` | A play which will deploy and configure the bind DNS service. |
All Ansible plays run via `task` can be configured with limit overrides by
appending `limit=` after the task name:

```shell
$ task play:bootstrap limit=proxmox-01.services.n3t.uk
task: [bootstrap] ansible-playbook \
  --syntax-check plays/bootstrap.yaml
...
```
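As an added illustration of how such a `limit=` override can be wired into a task (this is not the repository's own Taskfile; it assumes the go-task `Taskfile.yaml` format and the `plays/bootstrap.yaml` playbook named above), the task below checks the playbook's syntax first and then restricts the run to the hosts matching `limit`, falling back to `all` so the play's own group selection is not narrowed:

```yaml
# Illustrative Taskfile.yaml fragment (assumption: not the repository's own file)
version: '3'

tasks:
  play:bootstrap:
    desc: Bootstrap hosts in the bootstrap group; narrow the targets with limit=<pattern>
    cmds:
      # Fail fast on syntax errors before any host is contacted
      - ansible-playbook --syntax-check plays/bootstrap.yaml
      # The limit variable is supplied on the command line
      # (task play:bootstrap limit=proxmox-01.services.n3t.uk); when it is
      # absent, "all" leaves the play's hosts: selection unchanged
      - ansible-playbook --limit '{{.limit | default "all"}}' plays/bootstrap.yaml
```

A limit pattern is only a filter over the inventory, so a host that is not already in the play's target group is never added by it.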
| Role | Description |
|---|---|
| `filesystems` | A role to configure physical partitions and filesystems, as well as physical volumes, volume groups, and logical volumes under LVM, with support for encrypted physical filesystems with cryptsetup. |
| `bootstrap` | A role to bootstrap an Arch Linux installation under a configured mount point, usually set up with `filesystems` above. |
| `networking` | A role to configure the networking on Proxmox hosts, setting up the Thunderbolt mesh network between all the hosts in a cluster, as well as necessary settings for Proxmox itself. |
| `issue` | A role to configure `/etc/issue` on the system to describe the host and display an access warning message. |
| `ca` | A role to install the n3t.uk Root Certificate Authority certificate into the trusted store on each system, allowing tools and utilities to trust certificates issued under it. |
| `kernels` | A role to install selected Linux kernels and configure them for booting on this system. |
| `systemd` | A role to update the local configuration for systemd on this system, including systemd itself, systemd-oomd, and systemd-timesyncd for NTP support. |
| `systemd_networkd` | A role to enable systemd-networkd and install the required configuration for the local ethernet port, as well as any VLANs and bridges required for virtual machine access to the network. |
| `systemd_resolved` | A role to enable systemd-resolved for local DNS resolution, including setting up the stub resolver, and configuring the DNS settings for this system. |
| `firewalld` | A role to enable firewalld for local firewall management, including setting up default zones and rules for this system. |
| `bird` | A role to enable bird for local dynamic routing management using iBGP. |
| `starship` | A role to install and configure starship as a command-line prompt management utility, and allow it to clearly define the use and purpose of the system in both fish and bash. |
| `fish` | A role to install and configure fish with some basic settings and to run starship for users. |
| `bash` | A role to install and configure bash with some basic settings and to run starship for users. |
| `sudo` | A role to install and configure sudo on this system with standardised defaults and limited access based on groups. |
| `ssh` | A role to install and configure the ssh service on this system to enable secure defaults and remote access for configured and supported users. |
| `pacman` | A role to install and configure the pacman utility on this system with additional Arch Linux repositories and custom settings. |
| `users` | A role to install and configure the users and groups on the system, including the root user. |
| `haproxy` | A role to configure HAProxy on a system with standard settings, but not to configure any virtual hosts which it may serve. |
| `caddy` | A role to configure Caddy Load Balancer along with the initial virtual host for Proxmox with Cloudflare ACME certificate issuance. |
| `nginx` | A role to configure nginx on a system with standard settings, but not to configure any virtual hosts which it may serve. |
| `cache` | A role to configure a caching proxy virtual host in nginx which will proxy and cache Arch Linux repositories and packages. |
| `logrotate` | A role to configure logrotate with sensible defaults to support the rotation and compression of historical log files. |
| `netdata` | A role to configure Netdata either as a parent node for centralised storage and processing, or as a child to collect data and stream it to a parent node. |
| `vault` | A role to install and configure HashiCorp Vault along with associated proxies, certificates, and firewall rules. |
| `tailscale` | A role to install and configure Tailscale on a system to allow it to connect to the n3t.uk Tailscale network for secure remote access. |
| `ufw` | A role to install and configure UFW (Uncomplicated Firewall) on a virtual machine to manage the firewall rules and enhance security. |
| `authentik` | A role to install and configure Authentik on a virtual machine to manage authentication and authorization for applications. |
| `postgresql` | A role to install and configure PostgreSQL on a virtual machine to manage relational databases. |
| `valkey` | A role to install and configure Valkey on a virtual machine to manage in-memory data structures. |
| `stepca` | A role to install and configure step-ca on a virtual machine to provide Certificate Authority services. |
| `bind` | A role to install and configure bind on a virtual machine to provide DNS services based on view configurations. |