📦 bryopsida / pi-monger

A collection of ansible-pull compatible playbooks for maintaining RPIs

★ 0 stars ⑂ 0 forks 👁 0 watching

ansible-pullcis-benchmarkscloud-initraspberry-piscapubuntu

📥 Clone https://github.com/bryopsida/pi-monger.git

HTTPS git clone https://github.com/bryopsida/pi-monger.git

SSH git clone git@github.com:bryopsida/pi-monger.git

CLI gh repo clone bryopsida/pi-monger

ZIP Desktop VS Code

renovate[bot] chore(deps): update k3s digest to 3407337 (#289) 265b30c 22 hours ago 📝 History

📂 main View all commits →

📁 .github

📁 inventory

📁 plays

📁 roles

📄 .gitignore

📄 .gitmodules

📄 ansible.cfg

📄 k3s

📄 kubespray

📄 Makefile

📄 README.md

📄 renovate.json

📄 requirements.yml

📄 wazuh

📄 README.md

PI Monger

What is this?

A collection of ansible roles and playbooks with a focus on being used with ansible-pull to actively maintain Raspberry PIs. Actively maintain means the plays are idempotent and intended to be run on a cron to prevent drift.

Pre-Requisites (tested)

RPI4
Ubuntu Server 22.04 or 24.04

If Ubuntu 24.04 is used, oscap hardening is not yet supported
Ansible installed
Initial ansible-pull run with sudo
Network connectivity to github to pull this repo, or network connectivity to a clone of this repo

TODOs

Add test pipeline where pull runs on main, and then tries to run the pull on incoming branch, use multipass
Add instructions for providing secrets/vaults to plays with cloud-init
Add instructions to run initial ansible-pull
Add instructions on how to add ansible-pull to sdcard cloud-init to run ansible-pull on first boot
Implement update system role
Implement auto pull role that sets up recurring ansible-pulls to the same play on a cron
Implement nodejs role for installing and maintaining a node.js lts version
Implement role that uses complianceascode security content and oscap to harden system
Implement java role for installing and maintaining a java install
Implement node-red role that installs node-red and takes patches on cron
Implement monitoring role that reports system information to an external syste
Implement falco role

Falco service install

Can manage falco rules
Implement pi-hole role
Implement adguard home role
Investigate and implement FDE if possible
Implement Clevis role
Implement k3s role
Implement envoy role that installs reverse proxy

Add ability to manage/define virtual hosts and SNI routing.
Implement cloudflared role
Implement firewalld role
Implement role to manage static hostnames /etc/hosts
Implement role to manage static ip addresses via netplan
Disable cloud-init and shred user-data after first pull
Add watch subscription to trigger runs on change instead of cron/polled updates

Running initial ansible-pull

sudo ansible-pull -U https://github.com/bryopsida/pi-monger.git -i inventory/localhost.ini plays/<pick your falvor>.yaml

If you are cloning your own repo and running it locally, replace the url after -U.

Cloud-Init

Example cloud-init.yaml

``yaml #cloud-config packages: - ansible runcmd: - ansible-pull -U https://github.com/bryopsida/pi-monger.git -i inventory/localhost.ini plays/nodejs.yaml %%CODEBLOCK1%% yaml ... packages: - avahi-daemon - ansible # add ansible ... %%CODEBLOCK2%% yaml ... runcmd: - localectl set-x11-keymap "us" pc105 - setupcon -k --force || true - ansible-pull -U https://github.com/bryopsida/pi-monger.git -C main -i inventory/localhost.ini plays/nodejs.yaml ... %%CODEBLOCK3%% yaml #cloud-config packages: - ansible write_files: - content: | <ssh private key with read access to server holding vault> path: /root/.ssh/ansible permissions: '0400' owner: 'root:root' - content: | <ssh public key with read access to server holding vault> path: /root/.ssh/ansible.pub permissions: '0444' owner: 'root:root' runcmd: - scp -o StrictHostKeyChecking=no -r -i /root/.ssh/ansible ansible@<servername with ansible files>:/home/ansible/ansible-files /root - ansible-pull -U https://github.com/bryopsida/pi-monger.git -i /root/ansible-files/inventory/localhost.ini --vault-password-file /root/ansible-files/vault-password plays/nodejs.yaml %%CODEBLOCK4%% ini [all] localhost ansible_connection=local [all:vars] auto_pull_inventory=/root/ansible-files/inventory/localhost.ini auto_pull_secure_copy_enabled=true auto_pull_secure_copy_host=<hostname of your ssh server with ansible-files> %%CODEBLOCK5%% shell tree ansible-files ansible-files ├── inventory │ └── localhost.ini └── vault-password 2 directories, 2 files %%CODEBLOCK6%% yaml #cloud-config hostname: <your desired hostname> manage_etc_hosts: true packages: - avahi-daemon - ansible apt: conf: | Acquire { Check-Date "false"; }; users: - name: <your desired username> groups: users,adm,dialout,audio,netdev,video,plugdev,cdrom,games,input,gpio,spi,i2c,render,sudo shell: /bin/bash lock_passwd: false passwd: <passwd hash> ssh_authorized_keys: - <ssh pub key> sudo: ALL=(ALL) NOPASSWD:ALL write_files: - content: | -----BEGIN OPENSSH PRIVATE KEY----- <redacted> -----END OPENSSH PRIVATE KEY----- path: /root/.ssh/ansible permissions: '0400' owner: 'root:root' - content: | ssh-ed25519 redacted username@host path: /root/.ssh/ansible.pub permissions: '0444' owner: 'root:root' timezone: <your timezone> runcmd: - localectl set-x11-keymap "us" pc105 - setupcon -k --force || true - scp -o StrictHostKeyChecking=no -r -i /root/.ssh/ansible ansible@your.ansible.server.name:/home/ansible/ansible-files /root - ansible-pull -U https://github.com/bryopsida/pi-monger.git -i /root/ansible-files/inventory/localhost.ini --vault-password-file /root/ansible-files/vault-password plays/nodejs.yaml``