
Ansible playbooks to build your team's encrypted private cloud, messenger, VPN with blackjack and GitLab


reefactor/org.backbone


org.backbone

Collection of Ansible playbooks for the most popular IT infrastructure tools, ready to deploy and maintain.

Bootstrap from zero to a playground in 30 minutes with automated Vagrant tests.

Build your own team IT infrastructure, with blackjack: encrypted private cloud, messenger, VPN and GitLab.

Features

Collaboration
Infrastructure
Privacy
Security

.. and more in the roadmap

Prerequisites

  • Python, to run the Ansible playbooks
  • Vagrant with VirtualBox (optional, for the automated testing sandbox)

apt install python3-pip
pip3 install -r requirements.txt
ansible-galaxy install -r requirements.yml
curl -O https://releases.hashicorp.com/vagrant/2.2.9/vagrant_2.2.9_x86_64.deb
dpkg -i vagrant_2.2.9_x86_64.deb
apt install virtualbox

The Vagrant package is fetched and installed without any integrity check. Before running dpkg -i, compare the download against the SHA256SUMS file (and its signature) that HashiCorp publishes in the same release directory, so that a tampered download does not get installed as root.

HOW-TO

VPN

Deploy the OpenVPN server:

ansible-playbook playbooks/openvpn-server.yml

Add user key to VPN

See the example test test_deploy_openvpn.sh.

  1. Add a username entry to the openvpn_clients_active list in environments/test/group_vars/openvpn. A client may reserve a static VPN IP; otherwise it gets a dynamic one.

  2. Generate the client's keys on the OpenVPN server:

ansible-playbook -i environments/test/inventory playbooks/openvpn-server.yml

The VPN keys are now downloaded to the local directory ./.vpnkeys/test. This bundle contains the client's private key, so delete the local copy once it has been handed over.

Encrypt the zip with a strong password and send username.7z and the password via separate channels. -mhe=on also encrypts the archive headers, so the file names inside are not readable without the password. Note that a password given on the command line, as below, ends up in the shell history and is visible in the process list while 7za runs; passing -p with no value makes 7za prompt for it instead.

ls -l ./.vpnkeys/test/
7za a -p${ATLEAST16SYMBOLS_PASSWORD} -mhe=on vpnkeys/username.7z vpnkeys/username.zip

  3. Deploy the client keys (add the host to the VPN network)

Add the target host VM to openvpn_clients_group, set the variable openvpn_client_name=username on it, and run the playbook:

ansible-playbook -i environments/test/inventory playbooks/openvpn-client.yml
Revoke VPN key

  1. Add the client's name to the openvpn_clients_revoke blacklist in environments/test/inventory
  2. Update the OpenVPN server:

ansible-playbook -i environments/test/inventory playbooks/openvpn-server.yml --limit openvpn-server

Revocation is enforced through the server's CRL at the next TLS handshake, so a client that is connected at that moment keeps its session until it reconnects or renegotiates; restart the server if the session has to end immediately.
Add ssh user

  • put the user's public SSH key into roles/users/files (or download it via roles/users/files/update_pub_keys.sh)
  • add the pub key file to the "Add users" list in roles/users/tasks/main.yml
  • add it to the authorized_key lists in roles/users/tasks/main.yml
  • update the environment:

ansible-playbook playbooks/users.yml

Remove ssh user

  • delete the user's public SSH key file from roles/users/files
  • add the user to the "Delete users" blacklist in roles/users/tasks/main.yml
  • remove the key from the authorized_key list
  • update the environment:

ansible-playbook playbooks/users.yml

Offboarding a person means removing both their SSH key here and their VPN certificate (see Revoke VPN key): removing the SSH key alone still leaves them on the VPN network.
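A pre-flight check that is worth running over the key files before they are added to roles/users/files and the authorized_key lists. This is an added example, not code from the org.backbone repository: it parses the OpenSSH public-key line format, computes the SHA256 fingerprint that ssh-keygen -lf prints, enforces a key policy that is an assumption of this example (ed25519 or ECDSA keys, or RSA of at least 3072 bits; ssh-dss rejected), and flags duplicate keys so the same key is not granted twice under two names. The sample keys at the bottom are synthetic, built from the wire format, not real users' keys.

```python
"""Check SSH public keys before they go into roles/users/files (added example)."""
import base64
import hashlib
import struct

# Assumed policy for this example; adjust to the team's standard.
ALLOWED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
                 "ecdsa-sha2-nistp521", "ssh-rsa"}
MIN_RSA_BITS = 3072


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_public_key(line):
    """Return (key_type, blob, comment, rsa_bits) for one '<type> <base64> [comment]' line."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    wire_type, offset = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type field does not match blob")
    rsa_bits = None
    if key_type == "ssh-rsa":
        _e, offset = _read_string(blob, offset)   # public exponent (mpint)
        n, _ = _read_string(blob, offset)         # modulus (mpint, may carry a leading 0x00)
        rsa_bits = int.from_bytes(n, "big").bit_length()
    return key_type, blob, comment, rsa_bits


def fingerprint(blob):
    """SHA256 fingerprint as ssh-keygen -lf prints it: base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_keys(lines):
    """Classify each key line as ('ok'|'reject', comment, fingerprint, reason)."""
    results, seen = [], {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            key_type, blob, comment, rsa_bits = parse_public_key(line)
        except (ValueError, UnicodeDecodeError) as exc:
            results.append(("reject", line.strip()[:40], None, f"unparseable: {exc}"))
            continue
        fp = fingerprint(blob)
        if key_type not in ALLOWED_TYPES:
            results.append(("reject", comment, fp, f"key type {key_type} not allowed"))
        elif rsa_bits is not None and rsa_bits < MIN_RSA_BITS:
            results.append(("reject", comment, fp, f"RSA {rsa_bits} bits < {MIN_RSA_BITS}"))
        elif fp in seen:
            results.append(("reject", comment, fp, f"duplicate of {seen[fp]}"))
        else:
            seen[fp] = comment
            results.append(("ok", comment, fp,
                            key_type + (f" {rsa_bits} bits" if rsa_bits else "")))
    return results


# --- constructed sample keys: synthetic wire-format blobs, not real keys ---
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:      # mpint is two's complement: keep it positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _key_line(key_type, body, comment):
    blob = _ssh_string(key_type.encode()) + body
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


SAMPLE_KEYS = [
    _key_line("ssh-ed25519", _ssh_string(bytes(range(32))), "alice@example"),
    _key_line("ssh-rsa", _mpint(65537) + _mpint((1 << 2047) | 1), "bob-old-laptop"),
    _key_line("ssh-rsa", _mpint(65537) + _mpint((1 << 4095) | 1), "bob"),
    _key_line("ssh-ed25519", _ssh_string(bytes(range(32))), "alice-copy"),
    _key_line("ssh-dss", _mpint(0x1234), "legacy"),   # body truncated; only the type is checked
    "not a key at all",
]

if __name__ == "__main__":
    for status, comment, fp, reason in check_keys(SAMPLE_KEYS):
        print(f"{status:6} {comment:16} {fp or '-':51} {reason}")
```

Run it over the real files with `check_keys(open(path).read().splitlines())`; anything marked reject should not reach roles/users/files, and a duplicate fingerprint usually means one person's key was copied under a second username.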

Monitoring

  1. Deploy the example in a Vagrant VirtualBox VM with tests/test_deploy_monitoring.sh

  2. Open the Grafana UI at http://192.168.10.101:3000 with login admin and password admin, as configured in docker-compose.yml. This is a sandbox default: change it in docker-compose.yml before deploying anywhere reachable from outside the Vagrant network.

DNS

Deploy to the dns host:

ansible-playbook -i environments/test/inventory playbooks/dns.yml -l dns

  1. Deploy the example in a Vagrant VirtualBox VM with test_deploy_dns.sh

  2. Open the Webmin UI at https://192.168.10.101:10000 with the root password secretpassword, as configured in docker-compose.yml. As with Grafana, this is a sandbox default: change it before deploying anywhere reachable from outside the Vagrant network.

Roadmap

  • Provisioning with Terraform in addition to Vagrant
  • Error tracking with Sentry

Tools

TCP tunnel with docker and socat

Use cases:

  • Expose a port from the Docker internal network via an additional Docker container running a socat tunnel.
  • TCP port forwarding from the local host to a remote host

0.0.0.0:$HOSTPORT -> $TARGET_HOST:$TARGET_PORT (via socat listening on port 12345 inside the Docker container named socat-tunnel)

Binding to 0.0.0.0 publishes the forwarded port on every interface of the host, and socat adds no authentication of its own; bind to 127.0.0.1 instead when the tunnel is only meant for local use, or restrict access with firewall rules.