xlevus · xlevus · Oct 21, 2024 · Oct 21, 2024
diff --git a/src/ansible/inventory.yaml b/src/ansible/inventory.yaml
@@ -2,7 +2,31 @@ webservers:
   hosts:
     srv501663.hstgr.cloud:
       ansible_user: root
+      hostnames:
+        - leaderboard.coneheads.org
+        - srv501663.hstgr.cloud
 
-mosquitto:
-  children:
-    webservers:
+  vars:
+    mosquitto_users:
+      gymkhana: !vault |
+        $ANSIBLE_VAULT;1.1;AES256
+        64343437653430373430303264633266303333656437636330346538333039363332313639356266
+        6165393664646332303062343464653238616634353733340a363832633936383639396234303366
+        63636362393437653834383564396136386337366362383066633864396131323564346436346365
+        3130313466383865390a656231626331633835616530663234353739613731343935363062393164
+        37623366643835333531393434666432623365666536393164363363646533386666
+
+
+pi_bridge:
+  hosts:
+    gk.home.xlevus.net:
+      hotspot_net: 10.91.0.0/24
+      hotspot_interface: wlan0
+      hotspot_ssid: gk
+      hotspot_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          62313235316338376133356230396331373732633035623231613533363064306335356362363065
+          3131353766393562376635343162343132343835313766390a386465363262616533663937666436
+          62393666363535383939313132393963306662383264613633613064636432346162626465306330
+          6334383538303134340a386661363638323734633533326634633333333733363565663836616436
+          3963
diff --git a/src/ansible/playbook.pi_bridge.yaml b/src/ansible/playbook.pi_bridge.yaml
@@ -0,0 +1,7 @@
+---
+- name: Pi Bridge
+  become: true
+  hosts: 
+   - pi_bridge
+  roles:
+   - pi_bridge
diff --git a/src/ansible/playbook.yaml b/src/ansible/playbook.yaml
@@ -1,128 +1,8 @@
 ---
-- name: Docker
+- name: Web
   hosts: 
    - webservers
-   - mosquitto
-  roles: 
-   # - geerlingguy.docker
-
-- name: Webserver-Setup
-  hosts:
-    - webservers
-  tasks:
-    - name: Caddy Dir
-      ansible.builtin.file:
-        path: "{{ item }}"
-        state: directory
-        mode: 0700
-      with_items: 
-        - /etc/caddy
-        - /etc/gk
-        - /var/gk/web
-        - /var/gk/web/media
-        - /var/gk/web/static
-
-    - name: Secrets
-      ansible.builtin.copy:
-        src: "{{ item.src }}"
-        dest: "{{ item.dst }}"
-        mode: 0600
-        decrypt: true
-      with_items:
-        - {src: web.SECRET_KEY, dst: /etc/gk/web.SECRET_KEY}
-
-    - name: Caddyfile
-      ansible.builtin.template:
-        src: Caddyfile.j2
-        dest: /etc/caddy/Caddyfile
-
-    - name: Network
-      community.docker.docker_network:
-        name: web
-
-    - name: Run Caddy
-      community.docker.docker_container:
-        name: caddy
-        image: caddy:latest
-        state: started
-        restart: true
-        restart_policy: always
-        pull: always
-        networks: 
-          - name: web
-        ports:
-          - "80:80"
-          - "443:443"
-          - "443:443/udp"
-        volumes:
-          - "/etc/caddy:/etc/caddy"
-          - "/var/gk/web/media:/var/gk/web/media"
-          - "/var/gk/web/static:/var/gk/web/static"
-
-    - name: Run App
-      community.docker.docker_container:
-        name: web
-        image: ghcr.io/xlevus/gymkhana/web:latest
-        state: started
-        pull: always
-        restart: true
-        volumes:
-          - "/etc/gk/web.SECRET_KEY:/etc/SECRET_KEY"
-          - "/var/gk/web:/data"
-        networks: 
-          - name: web
-        env:
-          DEBUG: "False"
-          ALLOWED_HOSTS: "srv501663.hstgr.cloud,leaderboard.coneheads.org"
-          CSRF_TRUSTED_ORIGINS: "https://srv501663.hstgr.cloud,https://leaderboard.coneheads.org"
-          DATABASE_URL: "sqlite:///data/db.sqlite"
-          SECRET_KEY_FILE: "/etc/SECRET_KEY"
-          STATIC_ROOT: "/data/static"
-          MEDIA_ROOT: "/data/media"
-          MEDIA_URL: "/media/"
-
-- name: Mosquitto
-  hosts:
-  - mosquitto
-  tasks:
-    - name: Mosquitto Directory
-      ansible.builtin.file:
-        path: "{{ item }}"
-        state: directory
-        mode: 0700
-      with_items: 
-        - /etc/mosquitto
-
-    - name: Mosquitto Config
-      ansible.builtin.copy: 
-        src: mosquitto/mosquitto.conf
-        dest: /etc/mosquitto/mosquitto.conf
-
-    - name: Mosquitto Passwords
-      community.docker.docker_container:
-        name: mqtt-passwd
-        image: eclipse-mosquitto:latest
-        detach: false
-        command: "mosquitto_passwd -b /mosquitto/config/passwd {{ item.key }} {{ item.value }}"
-        volumes:
-          - "/etc/mosquitto/passwd:/mosquitto/config/passwd"
-      no_log: true
-      loop: "{{ mosquitto_users|dict2items }}"
-      vars:
-        mosquitto_users:
-          gymkhana: !vault |
-            $ANSIBLE_VAULT;1.1;AES256
-            64343437653430373430303264633266303333656437636330346538333039363332313639356266
-            6165393664646332303062343464653238616634353733340a363832633936383639396234303366
-            63636362393437653834383564396136386337366362383066633864396131323564346436346365
-            3130313466383865390a656231626331633835616530663234353739613731343935363062393164
-            37623366643835333531393434666432623365666536393164363363646533386666
-
-    - name: Run Mosquitto
-      community.docker.docker_container:
-        name: mqtt
-        image: eclipse-mosquitto:latest
-        volumes:
-          - "/etc/mosquitto/mosquitto.conf:/mosquitto/config/mosquitto.config"
-          - "/etc/mosquitto/passwd:/mosquitto/config/passwd"
-
+  roles:
+  # - geerlingguy.docker
+   - web
+   - mosquitto_master
diff --git a/src/ansible/files/mosquitto/mosquitto.conf → ...les/mosquitto_master/files/mosquitto.conf b/src/ansible/files/mosquitto/mosquitto.conf → ...les/mosquitto_master/files/mosquitto.conf
@@ -1,3 +1,3 @@
 listener 1883 0.0.0.0
 allow_anonymous false
-password_file /mosquitto/config/passwd
+password_file /mosquitto/config/passwd
diff --git a/src/ansible/files/mosquitto/passwd → ...sible/roles/mosquitto_master/files/passwd b/src/ansible/files/mosquitto/passwd → ...sible/roles/mosquitto_master/files/passwd
diff --git a/src/ansible/roles/mosquitto_master/tasks/main.yaml b/src/ansible/roles/mosquitto_master/tasks/main.yaml
@@ -0,0 +1,35 @@
+---
+- name: Mosquitto Directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0700
+  with_items: 
+    - /etc/mosquitto
+
+- name: Mosquitto Config
+  ansible.builtin.copy: 
+    src: "{{ item }}"
+    dest: "/etc/mosquitto/{{ item }}"
+  with_items:
+    - mosquitto.conf
+    - passwd
+
+- name: Mosquitto Passwords
+  community.docker.docker_container:
+    name: mqtt-passwd
+    image: eclipse-mosquitto:latest
+    detach: false
+    command: "mosquitto_passwd -b /mosquitto/config/passwd {{ item.key }} {{ item.value }}"
+    volumes:
+      - "/etc/mosquitto/passwd:/mosquitto/config/passwd"
+  no_log: true
+  loop: "{{ mosquitto_users|dict2items }}"
+
+- name: Run Mosquitto
+  community.docker.docker_container:
+    name: mqtt
+    image: eclipse-mosquitto:latest
+    volumes:
+      - "/etc/mosquitto/mosquitto.conf:/mosquitto/config/mosquitto.config"
+      - "/etc/mosquitto/passwd:/mosquitto/config/passwd"
diff --git a/src/ansible/roles/pi_bridge/tasks/main.yaml b/src/ansible/roles/pi_bridge/tasks/main.yaml
@@ -0,0 +1,3 @@
+---
+- include_tasks: network.yaml
+- include_tasks: mosquitto.yaml
diff --git a/src/ansible/roles/pi_bridge/tasks/mosquitto.yaml b/src/ansible/roles/pi_bridge/tasks/mosquitto.yaml
@@ -0,0 +1,15 @@
+---
+- name: Install Mosquitto
+  ansible.builtin.apt:
+    name: mosquitto
+
+- name: Mosquitto Configuration
+  ansible.builtin.template:
+    src: mosquitto/bridge.conf.j2
+    dest: /etc/mosquitto/conf.d/bridge.conf
+
+- name: Start Mosquitto
+  ansible.builtin.systemd_service:
+    name: mosquitto
+    state: started
+    enabled: true
diff --git a/src/ansible/roles/pi_bridge/tasks/network.yaml b/src/ansible/roles/pi_bridge/tasks/network.yaml
@@ -0,0 +1,57 @@
+---
+
+- name: Install networking packages
+  ansible.builtin.apt:
+    state: present
+    pkg: 
+     - ufw
+     - udhcpd
+
+- name: uDHCPd configuration
+  ansible.builtin.template:
+    src: dhcpd/udhcpd.conf.j2
+    dest: /etc/udhcpd.conf
+
+- name: Start uDHCPd
+  ansible.builtin.systemd_service:
+    name: udhcpd
+    state: started
+    enabled: true
+
+- name: Enable Wifi Hotspot
+  community.general.nmcli:
+    type: wifi
+    conn_name: "{{ hotspot_ssid }}_ap"
+    ifname: "{{ hotspot_interface }}"
+    ssid: "{{ hotspot_ssid }}"
+    ip4: "{{ hotspot_net | ansible.utils.ipaddr('net') | ansible.utils.ipaddr('1') }}"
+    wifi:
+      mode: ap
+    wifi_sec:
+      key-mgmt: wpa-psk
+      psk: "{{ hotspot_password }}"
+    autoconnect: true
+    state: present
+
+- name: Firewall allow out
+  community.general.ufw:
+    direction: outgoing
+    policy: allow
+
+- name: Firewall deny in
+  community.general.ufw:
+    direction: incoming
+    policy: deny
+
+- name: Firewall allow services
+  community.general.ufw:
+    rule: allow
+    port: "{{ item }}"
+  loop:
+    - ssh
+    - bootps
+    - bootpc
+
+- name: Firewall enable
+  community.general.ufw:
+    state: enabled
diff --git a/src/ansible/roles/pi_bridge/templates/dhcpd/udhcpd.conf.j2 b/src/ansible/roles/pi_bridge/templates/dhcpd/udhcpd.conf.j2
@@ -0,0 +1,3 @@
+interface {{ hotspot_interface }}
+start     {{ hotspot_net | ansible.utils.nthhost('10') }}
+end       {{ hotspot_net | ansible.utils.nthhost('-1') }}
diff --git a/src/ansible/roles/pi_bridge/templates/mosquitto/bridge.conf.j2 b/src/ansible/roles/pi_bridge/templates/mosquitto/bridge.conf.j2
@@ -0,0 +1,2 @@
+listener 1883 {{ hotspot_net | ansible.utils.ipaddr('net') | ansible.utils.ipaddr('1') }}
+allow_anonymous true
diff --git a/src/ansible/files/web.SECRET_KEY → src/ansible/roles/web/files/web.SECRET_KEY b/src/ansible/files/web.SECRET_KEY → src/ansible/roles/web/files/web.SECRET_KEY
diff --git a/src/ansible/roles/web/tasks/main.yaml b/src/ansible/roles/web/tasks/main.yaml
@@ -0,0 +1,71 @@
+---
+- name: Caddy Dir
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0700
+  with_items: 
+    - /etc/caddy
+    - /etc/gk
+    - /var/gk/web
+    - /var/gk/web/media
+    - /var/gk/web/static
+
+- name: Secrets
+  ansible.builtin.copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dst }}"
+    mode: 0600
+    decrypt: true
+  with_items:
+    - {src: web.SECRET_KEY, dst: /etc/gk/web.SECRET_KEY}
+
+- name: Caddyfile
+  ansible.builtin.template:
+    src: Caddyfile.j2
+    dest: /etc/caddy/Caddyfile
+
+- name: Network
+  community.docker.docker_network:
+    name: web
+
+- name: Run Caddy
+  community.docker.docker_container:
+    name: caddy
+    image: caddy:latest
+    state: started
+    restart: true
+    restart_policy: always
+    pull: always
+    networks: 
+      - name: web
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"
+    volumes:
+      - "/etc/caddy:/etc/caddy"
+      - "/var/gk/web/media:/var/gk/web/media"
+      - "/var/gk/web/static:/var/gk/web/static"
+
+- name: Run App
+  community.docker.docker_container:
+    name: web
+    image: ghcr.io/xlevus/gymkhana/web:latest
+    state: started
+    pull: always
+    restart: true
+    volumes:
+      - "/etc/gk/web.SECRET_KEY:/etc/SECRET_KEY"
+      - "/var/gk/web:/data"
+    networks: 
+      - name: web
+    env:
+      DEBUG: "False"
+      ALLOWED_HOSTS: "{{ hostnames|join(',') }}"
+      CSRF_TRUSTED_ORIGINS: "{{ hostnames | map('ansible.builtin.regex_replace', '^', 'https://') | join(',') }}"
+      DATABASE_URL: "sqlite:///data/db.sqlite"
+      SECRET_KEY_FILE: "/etc/SECRET_KEY"
+      STATIC_ROOT: "/data/static"
+      MEDIA_ROOT: "/data/media"
+      MEDIA_URL: "/media/"
diff --git a/src/ansible/templates/Caddyfile.j2 → src/ansible/roles/web/templates/Caddyfile.j2 b/src/ansible/templates/Caddyfile.j2 → src/ansible/roles/web/templates/Caddyfile.j2
@@ -1,4 +1,4 @@
-srv501663.hstgr.cloud, leaderboard.coneheads.org {
+{{ hostnames|join(", ") }} {
     log {
         output stdout
     }
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		listener 1883 {{ hotspot_net \| ansible.utils.ipaddr('net') \| ansible.utils.ipaddr('1') }}
		allow_anonymous true