Merge branch 'release/0.4.0'

Author: davidderus

.gitignore

@@ -1,5 +1,2 @@
 .vagrant
-playbook.retry
-
-hosts
-variables.yml
+/*.yml

README.md

@@ -1,4 +1,4 @@
-# ansible-rpi 0.3.1
+# ansible-rpi 0.4.0
 
 ## Purpose
 
@@ -24,6 +24,7 @@ Tested on a Rpi 3 B+ and a Rpi 1 B.
   - Optionnal custom SSH banner
   - Optionnal Wifi config
   - Optionnal Mosh support
+  - Optionnal unsudo of the pi user
 - `download_server`: Turn the Rpi in a download server for ddl and torrents
   - Aria2 daemon
   - RPC interface for remote monitoring with optionnal SSL encryption
@@ -33,21 +34,26 @@ Tested on a Rpi 3 B+ and a Rpi 1 B.
   - Dynamic sources creation (*may be linked to previously configured network folders*)
   - Buffer handling optimized for a Raspberry
   - Optionnal `kodi` user with `kodi-standalone` and a minimal Openbox setup
+- `rpi_docker`: Setup and enable control of a distant Raspberry Pi Docker host via Ansible
+  - [HypriotOS](https://blog.hypriot.com/) oriented setup
+  - Docker containers and deamon are behind the firewall by default (*see Docker Support for more infos*)
+  - Ansible tools are setup (*allowing you to use docker_container, docker_image Ansible modules…*)
 
 ### Incoming
 
-- `swarm_node`: Setup a Rpi as a Docker Machine and join a Docker Swarm
+- Segmentation into roles
 
 ## Setup
 
 ### With examples
 
 ```
 # First
-cp hosts.inc hosts
+cp hosts.inc /etc/ansible/hosts
 
 # Then
-cp variables.yml.inc host_vars/my-host.yml
+cp playbook.yml.inc playbook.yml
+cp variables.yml.inc /etc/ansible/host_vars/my-host.yml
 ```
 
 ### Usage
@@ -66,6 +72,9 @@ Then the first time run:
 ansible-playbook playbook.yml -u pi --ask-pass
 ```
 
+**You can also store user name in inventory file and user's pass in your Ansible
+vault.**
+
 ### Dev with Vagrant
 
 First run:
@@ -86,6 +95,9 @@ ansible all -m ping -u neo
 ansible-playbook playbook.yml -u neo --ask-become-pass
 ```
 
+**You can also store user name in inventory file and user's pass in your Ansible
+vault.**
+
 ## User password generation
 
 `password_hash` is a useful Jinja filter but uses 656000 rounds for SHA512 hashing.
@@ -102,3 +114,41 @@ python -c "from passlib.hash import sha512_crypt; import getpass; print sha512_c
 
 [1](https://github.com/ansible/ansible/issues/15326)
 [2](https://docs.ansible.com/ansible/faq.html#how-do-i-generate-crypted-passwords-for-the-user-module)
+
+## Docker Support
+
+In order to ease Docker handling on Rpi, I recommend the
+[HypriotOS image](http://blog.hypriot.com/downloads/).
+
+### Current state
+
+The `rpi_docker` role is tested with it, but may work with other setups.
+
+Modify the following vars in order to adapt to your device:
+
+```yml
+rd_limit_nofile: 1048576
+rd_limit_nproc: 1048576
+rd_limit_core: infinity
+```
+
+### Security
+
+The `common` role will secure the HypriotOS Rpi in a way that by default:
+
+- `docker-machine create` will **fail**
+  (_default user must have a NOPASSD sudo, see [](https://docs.docker.com/machine/drivers/generic/#/sudo-privileges)_)
+- Docker daemon tcp port (_2376_) will be unreachable (_however you can enable it manually in allowed_ports var_) but is started by default
+- Docker unix socket is accessible
+
+You may want to look to [this](https://github.com/DieterReuter/arm-docker-fixes/tree/master/001-fix-docker-machine-1.8.0-create-for-arm)
+for a manual `docker-machine` setup.
+
+Docker-machine and Raspbian Docker support may come in a future release.
+
+### Defaults
+
+- `storage_driver` is `overlay`
+- The `tlsverify` flag is enabled, and `tlscacert`, `tlscert`, `tlskey`
+- `LimitNOFILE` and `LimitNPROC` are set, but `LimitCORE` is not
+- iptables addition by Docker are deactivated

ansible.cfg

@@ -0,0 +1,10 @@
+[Service]
+ExecStart=/usr/bin/docker daemon -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --storage-driver overlay --tlsverify --tlscacert /etc/docker/ca.pem --tlscert /etc/docker/server.pem --tlskey /etc/docker/server-key.pem --label provider=generic 
+MountFlags=slave
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+Environment=
+
+[Install]
+WantedBy=multi-user.target

docker.service

@@ -0,0 +1,3 @@
+---
+
+ds_shared_group: "{{ server_shared_group }}"

group_vars/all

@@ -0,0 +1,4 @@
+---
+
+mc_shared_group: "{{ server_shared_group }}"
+mc_user_name: "{{ server_user_name }}"

group_vars/download-servers

@@ -0,0 +1,4 @@
+---
+
+# Needed for HypriotOS
+with_custom_hostname: False

group_vars/media-centers

@@ -0,0 +1,8 @@
+---
+
+# We're updating server variables for rpis
+
+server_host_name: "rpi-{{ server_user_name }}"
+server_shared_group: "rpi-{{ server_user_name }}-shared"
+
+server_user_groups: "{{ server_shared_group }},pi,adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi,tty"

group_vars/rpi-dockers

@@ -1,2 +1,2 @@
-[download_servers]
+[download-servers]
 vagrant    ansible_host=127.0.0.1    ansible_user=vagrant   ansible_port=2222    ansible_ssh_private_key_file=./.vagrant/machines/default/virtualbox/private_key

group_vars/rpis

@@ -1,2 +1,8 @@
-[download_servers]
+[servers:children]
+rpis
+
+[rpis]
+127.0.0.1
+
+[download-servers]
 127.0.0.1

host_vars/.gitignore

@@ -1,25 +1,33 @@
 ---
 
-- name: Configure and securise any Rpi
+- name: Configure and securise any Debian server
 
-  hosts: all
+  hosts: servers
   roles:
     - common
 
   become: yes
 
 - name: Setup and manage a download server
 
-  hosts: download_servers
+  hosts: download-servers
   roles:
     - download_server
 
   become: yes
 
 - name: Setup a media center
 
-  hosts: media_centers
+  hosts: media-centers
   roles:
     - media_center
 
   become: yes
+
+- name: Setup a Docker host
+
+  hosts: rpi-dockers
+  roles:
+    - rpi_docker
+
+  become: yes

hosts.dev

@@ -1,11 +1,15 @@
 ---
 
+# Locales
+server_locales:
+  - en_US.UTF-8
+
 # Packages
 required_packages:
   - ufw
   - fail2ban # Using defaults
   - unattended-upgrades # Using defaults
-  - logwatch
+  - logwatch # Using defaults
   - rsync
   - htop
   - curl
@@ -24,6 +28,7 @@ with_custom_hostname: False
 
 automount_local_devices: []
 automount_network_folders: []
+automount_group: "{{ server_shared_group|default('root') }}"
 
 ssmtp_mailhub: smtp.gmail.com:587
 ssmtp_auth_user: "{{ ssmtp_email }}"

hosts.inc

@@ -7,27 +7,27 @@
     - cifs-utils
 
 - name: Create local devices folders
-  file: dest=/mnt/{{ item.name }} state=directory mode=0770
-  with_items: "{{ automount_network_folders }}"
+  file: dest=/mnt/{{ item.name }} state=directory mode=0770 group={{ automount_group }}
+  with_items: "{{ automount_local_devices }}"
 
 - name: Mount local devices by label
   mount:
     name: "/mnt/{{ item.name }}"
-    src: "LABEL={{ item.label }}"
+    src: "UUID={{ item.uuid }}"
     fstype: "{{ item.type }}"
-    opts: "gid={{ rpi_shared_group }}"
+    opts: "auto,nofail,noatime,rw"
     state: mounted
   with_items: "{{ automount_local_devices }}"
 
-- name: Create remote folders
-  file: dest=/media/{{ item.name }} state=directory mode=0770
+- name: "Create remote folders for group {{ automount_group }}"
+  file: dest=/media/{{ item.name }} state=directory mode=0770 group={{ automount_group }}
   with_items: "{{ automount_network_folders }}"
 
 - name: Mount remote folders
   mount:
     name: "/media/{{ item.name }}"
     src: "{{ item.network_folder }}"
     fstype: "{{ item.type|default('cifs') }}"
-    opts: "domain={{ item.domain }},username={{ item.user }},password={{ item.password }},iocharset=utf8,file_mode=0770,dir_mode=0770,noperm,_netdev"
+    opts: "domain={{ item.domain }},username={{ item.user }},password={{ item.password }},file_mode=0770,dir_mode=0770,noperm,iocharset=utf8,_netdev"
     state: mounted
   with_items: "{{ automount_network_folders }}"

playbook.yml renamed to playbook.yml.inc

@@ -7,7 +7,7 @@
   apt: upgrade=yes
   register: upgrade_distribution
 
-- name: Rebooting Rpi
+- name: Rebooting server
   shell: sleep 2 && shutdown -r now "Ansible updates triggered"
   async: 1
   poll: 0
@@ -20,8 +20,8 @@
   when: upgrade_distribution|changed
 
 - name: Setup locale
-  lineinfile: dest=/etc/locale.gen regexp="^#{{item}}" line="{{item}}"
-  with_items: "{{ rpi_locale }}"
+  locale_gen: name={{item}} state=present
+  with_items: "{{ server_locales }}"
   register: update_locale
 
 - name: Generate locales
@@ -32,19 +32,10 @@
   apt: name={{ item }} state=latest
   with_items: "{{ required_packages }}"
 
-- name: Add new group for shared items (downloads and other roles)
-  group: state=present name={{ rpi_shared_group }}
-
-- name: Create new Rpi owner
-  user: name={{ rpi_user_name }}
-        groups={{ rpi_shared_group }},pi,adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi,tty
-        password={{ rpi_user_password_hash }}
+- name: Create new server owner
+  user: name={{ server_user_name }}
+        groups={{ server_user_groups }}
+        password={{ server_user_password_hash }}
         shell=/bin/bash
         append=yes
         state=present
-
-- name: Remove pi user from sudoers
-  lineinfile: dest=/etc/sudoers regexp="^pi ALL" state=absent backup=yes
-
-- name: Limit pi's groups
-  user: name=pi state=present groups=pi

roles/common/defaults/main.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Updating hostname (1/2)
-  hostname: name={{ rpi_host_name }}
+  hostname: name={{ server_host_name }}
   register: hostname_change
 
 # A second definitive update is needed on certain Rpis
@@ -14,7 +14,7 @@
 - name: Update /etc/hosts
   lineinfile: dest=/etc/hosts
               regexp="^127\.0\.1\.1"
-              line="127.0.1.1{{'\t'}}{{ rpi_host_name }}"
+              line="127.0.1.1{{'\t'}}{{ server_host_name }}"
               backup=yes
               state=present
 
@@ -32,7 +32,7 @@
   setup:
   when: hostname_change|changed
 
-- name: Rebooting Rpi
+- name: Rebooting server
   shell: sleep 2 && shutdown -r now "Ansible updates triggered"
   async: 1
   poll: 0

roles/common/tasks/automount.yml

@@ -20,7 +20,15 @@
   when: with_vim
 - include: mosh.yml
   when: with_mosh
+- include: shared_group.yml
+  when: server_shared_group is defined
 - include: automount.yml
   when: with_automount
 - include: zsh.yml
   when: with_zsh
+
+# Super optionnal (may break current process if you're using the user)
+
+- include: user_unsudo.yml server_unsudo_user={{ item }}
+  with_items: "{{ server_unsudoed_users|default([]) }}"
+  when: server_unsudoed_users is defined

roles/common/tasks/base.yml

@@ -0,0 +1,4 @@
+---
+
+- name: Add new group for shared items between roles
+  group: state=present name={{ server_shared_group }}

roles/common/tasks/hostname.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Add authorized_keys for the user
-  authorized_key: user={{ rpi_user_name }} key="{{ lookup('file', item) }}"
+  authorized_key: user={{ server_user_name }} key="{{ lookup('file', item) }}"
   with_items:
     - "{{ ssh_public_keys }}"
 

roles/common/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Install SSMTP
-  apt: name=ssmtp state=installed update_cache=yes
+  apt: name=ssmtp state=installed
 
 - name: Set up ssmtp.conf
   template: src=ssmtp/ssmtp.conf.j2 dest=/etc/ssmtp/ssmtp.conf

roles/common/tasks/shared_group.yml

@@ -0,0 +1,7 @@
+---
+
+- name: "Remove {{ server_unsudo_user }} user from sudoers"
+  lineinfile: dest=/etc/sudoers regexp="^{{ server_unsudo_user }} ALL" state=absent backup=yes
+
+- name: "Limit {{ server_unsudo_user }}'s groups"
+  user: name={{ server_unsudo_user }} state=present groups={{ server_unsudo_user }}