Initial commit

Author: blackandred

.env-dist

@@ -0,0 +1,5 @@
+INVENTORY_GIT_URL=
+
+# better do not change
+RKD_WHITELIST_GROUPS=:node
+RKD_ALIAS_GROUPS="->:node"

.gitignore

@@ -3,3 +3,11 @@
 *__pycache__*
 /.venv
 .venv-setup.log
+/inventory
+/.env
+/.temp/dynamic_vars/*
+
+
+
+
+!.gitkeep

.rkd/makefile.py

@@ -1,27 +1,48 @@
 version: org.riotkit.rkd/yaml/v1
 imports: []
 tasks:
-    :hello:
-        description: Hello world task
-        arguments:
-            "--name":
-                help: "Your name"
-                required: True
+    :node:setup:
+        description: Sets up the inventory
         steps: |
-            echo "Hello $ARG_NAME"
+            if [[ -d inventory ]]; then
+                cd inventory; git pull; cd ..
+            else
+                git clone $INVENTORY_GIT_URL inventory
+            fi
 
-    :hello:python:
-        description: Hello world task
-        arguments:
-            "--name":
-                help: "Your name"
-                required: True
+    :node:copy-host-defaults:
+        description: "Copy default values for hosts in the inventory (warning: it will override existing files)"
+        steps: cp -prv .templates/* ./
+
+    :node:list:playbooks:
+        description: List all available playbooks
         steps: |
             #!python
+            import os
+            for element in os.scandir('playbooks'):
+                print(element.name)
 
-            # those two lines are optional (for your eyes and for IDE - you can also import those classes there)
-            ctx: ExecutionContext
-            this: TaskInterface
-
-            print('Hello %s' % ctx.get_arg('--name'))
             return True
+
+    :node:clean:
+        description: Clean up temporary files
+        steps: "rm /tmp/.rkt-ansible.*.yaml"
+
+    :node:deploy:
+        description: Run a deployment
+        arguments:
+            "playbook":
+                help: "Playbook name, see :list:playbooks"
+            "--args":
+                help: "Additional Ansible commandline arguments"
+                required: False
+            "--role":
+                help: "Limit to a given role"
+                required: False
+        steps: |
+            if [[ $ARG_ROLE ]]; then
+                ARG_ARGS="$ARG_ARGS -t $ARG_ROLE"
+            fi
+
+            ansible-playbook ./playbooks/$ARG_PLAYBOOK -i inventory/hosts.cfg ${ARG_ARGS}
+

.rkd/makefile.yaml

@@ -0,0 +1,57 @@
+
+# https://github.com/zwiazeksyndykalistowpolski/server-multi-user
+default_role_users:
+    technical_entrypoint: "/project/make.sh"
+    enable_technical_entrypoint: false
+
+    # technical administrator used for automatic deployments
+    technical_account: "tech.admin"
+    technical_password: 'xyz'        # mkpasswd --method=SHA-512, also important - single quotes are important
+    technical_account_id: 1800
+    technical_group: "technical"
+    technical_group_id: 4055
+    users:
+        accounts: []
+
+
+# https://github.com/zwiazeksyndykalistowpolski/server-basic-security
+default_role_basic_security:
+    ssh_idle_time: "36000"
+    ssh_permit_root_login: no
+    ssh_input_port: "{{ ssh_target_port }}"
+    change_root_password: no
+    root_password: ""
+    configure_firewall: yes
+    firewall_interface: ens192  # important: adjust this to your needs, invalid value may cut off access to the machine
+    firewall_whitelist_local_network_addresses: true
+    firewall_allowed_outgoing_ports:
+        - "22"
+        - "{{ ssh_target_port }}"
+        - "80"
+        - "443"
+
+
+# https://github.com/zwiazeksyndykalistowpolski/server-basic-software
+default_role_basic_software:
+    docker: yes
+    docker_schedule_clean_up: yes
+    # Enforce docker to be updated (WARNING: will turn off and turn on docker)
+    enforce_docker_update: no
+
+
+# https://github.com/riotkit-org/server-tweak
+default_role_tune:
+    # Be careful with setting this to "no", even security upgrades are able to break docker daemon. Its better to manually upgrade system.
+    remove_unattended_upgrades: yes
+    remove_qemu_guest_agent: yes
+    tune_docker: yes
+    adjust_swappiness: yes
+    swappiness: 10
+
+
+# https://github.com/riotkit-org/server-logs
+default_role_logs:
+    configure_logrotate: no
+    configure_systemd: yes
+    systemd_max_logs_disk_space: 100M
+    systemd_max_file_sec: 1month

.templates/inventory/group_vars/all.yaml

@@ -1,3 +1,37 @@
-# riotkit-universal-node
+RiotKit Universal Node
+======================
 
-Ansible do unwersalnej konfiguracji serwerów, które mają docelowo uruchamiać środowisko dockerowe
+Turns a typical cheap virtual node into a dockerized applications environment. Natively integrates with RiotKit's Harbor 2+ for webservices deployment.
+
+First time setup
+----------------
+
+```bash
+cp .env-dist .env
+nano .env
+
+rkd :setup
+rkd :copy-host-defaults
+```
+
+Features
+--------
+
+- Structure and automation
+- User accounts management
+- Basic security (firewall ports, fail2ban, partial disk encryption)
+- Extensibility
+- Native integration with RiotKit Harbor
+- Logs rotation and logs privacy management
+- Inventory in separate GIT repository
+
+Cheap node specification
+------------------------
+
+This set of playbooks needs to run at least on this specification:
+
+- CPU: 1-4 cores
+- RAM: 1-4 GB
+- HDD: 20-40 GB SSD (including OS)
+- OS: Ubuntu 16.04+ or latest Debian Stable or Latest Armbian
+- Host type: Physical ARM or KVM

README.md

@@ -0,0 +1,70 @@
+#
+# Make sure we still know the port, even when we changed the port for security reasons on previous runs
+#
+- hosts: all
+  gather_facts: no
+  roles:
+      - role: blackandred.server_ssh_fallback_port
+        when: ssh_fallback_port is defined and ssh_fallback_port > 0
+        vars:
+            fallback_ssh_port: "{{ ssh_fallback_port }}"
+
+
+#
+# Run all roles one-by-one
+#
+- hosts: all
+  gather_facts: yes
+  force_handlers: yes
+  tasks:
+      # ==========
+      # Multi User
+      # ==========
+      - name: Users management role
+        when: role_users is defined
+        block:
+          - name: Include required vars
+            set_fact:
+            args: "{{ default_role_users | combine(role_users | default({}), recursive=True) }}"
+
+          - include_role: name=blackandred.server_multi_user
+            tags: users
+
+      # ==============
+      # Basic Software
+      # ==============
+      - name: Basic Software role
+        when: role_basic_software is defined
+        block:
+          - name: Include required vars
+            set_fact:
+            args: "{{ default_role_basic_software | combine(role_basic_software | default({}), recursive=True) }}"
+
+          - include_role: name=blackandred.server_basic_software
+            tags: basic_software
+
+      # ========
+      # Tweaking
+      # ========
+      - name: Tweaking role
+        when: role_tune is defined
+        block:
+          - name: Include required vars
+            set_fact:
+            args: "{{ default_role_tune | combine(role_tune | default({}), recursive=True) }}"
+
+          - include_role: name=blackandred.server_tune
+            tags: tune
+
+      # ====
+      # Logs
+      # ====
+      - name: Logs role
+        when: role_logs is defined
+        block:
+          - name: Include required vars
+            set_fact:
+            args: "{{ default_role_logs | combine(role_logs | default({}), recursive=True) }}"
+
+          - include_role: name=blackandred.server_logs
+            tags: logs

playbooks/encrypt-disks.yml

@@ -0,0 +1,62 @@
+#
+# UPDATE MACHINE PLAYBOOK
+# =======================
+#  Performs packages upgrade on target machine. Considers a fact that docker daemon could be corrupted after update
+#  and will attempt to restart it with all dependent services
+#
+
+
+#
+# Make sure we still know the port, even when we changed the port for security reasons on previous runs
+#
+- hosts: all
+  gather_facts: no
+  roles:
+      - role: blackandred.server_ssh_fallback_port
+        when: ssh_fallback_port is defined and ssh_fallback_port > 0
+        vars:
+            fallback_ssh_port: "{{ ssh_fallback_port }}"
+
+
+#
+# Run all roles one-by-one
+#
+- hosts: all
+  gather_facts: yes
+  force_handlers: yes
+  tasks:
+      - name: Detect docker version
+        become: yes
+        shell: "dpkg -s docker-ce | grep -i version | awk '{print $2}'"
+        register: docker_version_before
+
+      - name: Perform system upgrade
+        become: yes
+        apt:
+            update_cache: yes
+            upgrade: dist
+
+      - name: Detect docker version
+        become: yes
+        shell: "dpkg -s docker-ce | grep -i version | awk '{print $2}'"
+        register: docker_version_after
+
+      - name: Stop dependent services
+        become: yes
+        systemd:
+            name: "{{ item }}"
+            state: stopped
+        with_items: "{{ docker_dependent_services }}"
+
+      - name: Restart docker daemon
+        become: yes
+        systemd:
+            name: docker
+            state: restarted
+
+      - name: Bring dependent services back
+        become: yes
+        systemd:
+            name: "{{ item }}"
+            state: started
+        with_items: "{{ docker_dependent_services }}"