Skip to content

Latest commit



151 lines (112 loc) · 6.4 KB

File metadata and controls

151 lines (112 loc) · 6.4 KB


An Ansible playbook that sets up multiple Debian servers with Proxmox and some hardening. It includes dynamic inventory for environments in the UniFi ecosystem, but you can also use non-dynamic inventory


  • Ansible control node with ansible-core available (for some nice chicken-egg there is the role "ansible_control" included)
  • All controlled nodes assume a standard Debian installation that was configured using preseed.cfg from ./debian-preseed
  • Most notably, you will need a public-private keypair for user "ansible" and store this in the...
  • ...private git repository containing sensitive information (ssh-keys) named 'home' as a peer of 'home-infra'
  • This repository should have ansible-vault, inventory and ssh-keys subdirectories

Sensitive info

  • Configure your vault password by setting it in .vault_pass
  • Point to this file in your ansible.cfg, by setting "vault_password_file = .vault_pass" in the [defaults]-section
  • To keep it out of this repository, I have configured ansible.cfg to point to a separate repository, also in your home folder. Create the .vault_pass there (i.e.: ../home)
  • Run all commands from the directory where ansible.cfg is residing, or else it will not pick up the location of .vault_pass
  • Set your sensitive info by running: ansible-vault encrypt_string 'some_sensitive_value' --name 'variable_containing_sensitive_stuff'
  • In case of a password - the "some_sensitive_value" should already be hashed with mkpasswd -m sha-512


ansible-vault encrypt_string 'SuperSecretPassword' --name 'root_pass'

The resulting string will be able to be used in your .yaml

  • This playbook expects to run as user 'ansible' that has a key-pair. The public key is provided in the preseed-stage
  • Expect to type the private key's passphrase a lot, unless you use ssh-agent (automated in first-run):
  • ssh-agent bash
  • ssh-add full-path-to-private-key


Either specify a regular inventory file (such as the included /inventory/hosts). Include the ansible_host in the entry, so that a typical entry may look as follows:

pve01 ansible_host=

The repository also includes a dynamic inventory, which currently is based on a UniFi environment. It will query the Unifi-controller for a list of currently active clients. It compares this list against a known list of mac-addresses, that you wish to configure with Ansible. These mac-addresses are in the /inventory/hosts_by_mac.json file, you will need to specify an entry as follows:

    "group": "jumpservers",
    "name": "pi04",
    "mac": "b8:27:eb:d6:0c:d2"
    "otherkeysareignored": "woopwoop",

The markup speaks for itself, I hope. There are two types of special entries, the first details a group of groups, allowing nesting:

    "group": "groupofgroups",
    "children": [

The second details an entry for which you already have the IP-address (because it is maybe outside Unifi scope). It has all the default groups, but MANDATORILY also a "hostname" entry and a "ansible_host" entry with the IP. Later I will try and fix the doubling of hostname and name, but for now, this is what it is...

    "group": "util",
    "hostname": "adpi0",
    "name": "adpi0",
    "mac": "e4:5f:01:82:c0:16",
    "ansible_host": ""

Services included

  • [Proxmox]
  • [log2ram]
  • [Samba Active Directory Domain Controller]
  • Needs expanding - just doing this for the linter


  • Sets force-colors in .bashrc (for the interactive_user)
  • Edits journald to reduce journal sizes. Also vacuums to 10M
  • Sets IPv6 to not autoconfigure
  • Sets hostname and changes /etc/hosts to reflect
  • Removes the has_journal flag from the root filesystem. Also sets noatime,nodiratime
  • Adds passwordless sudo for members of the sudo group
  • Installs powertop and sets powertop --auto-tune to run at startup


  • Installs log2ram - moves /var/log to a memory-based disk



  • Overwrites the MBR on the /dev/sda. This will prompt a PXE-based boot next restart.
  • Set "-e pve_reset=true" on the command-line

Role samba-ad-dc

To use preseed

  • Dedicate a server to the "util_server" role, which will take of all this stuff
  • Change your DHCP service to provide the correct details in PXE boot stage.
  • If you wish to follow along manually:
  • Publish ./debian-preseed/preseed.cfg on a webserver
  • Boot a target node with a Debian Install boot volume (i.e. a USB key)
  • Choose "HELP" on the installer menu
  • At the boot: prompt, type: auto url=http://webserver/preseed.cfg" there, replacing webserver with the address to your webserver that is hosting the preseed-file
  • The preseed file will take care of the installer questions and leave you with a waal70 approved base image


  • See ./debian-preseed/
  • See the details in the util_server role

To run the playbook: try this

./ (to load the ssh-agent with the appropriate keys) ansible-playbook site.yml (to kick off the full monty script)

Choose --limit inventory_name to limit the execution to certain hosts. Choose the numbered yaml-files to only select a portion of the roles.


  • FIX: Ansible master now requires an earlier ssh connection, in order to save fingerprint - should be not necessary
  • TODO: Networking is left on DHCP - change to static config
  • TODO: server_hardening role is not used now
  • FIX: setting ^has_journal is hit and miss - does not seem to work all the time - fix this!
  • Change repository adding by using the new 822 ansible task
  • TODO: install default dockers on jumpserver
  • TODO: get the linter to work
  • TODO: make linter run automatically
  • TODO: only on PR? Yes, only on PR! Kickoff of process will be automatic