ltrace Infrastructure

Private infrastructure managed with Ansible.

Prerequisites

Control machine

  • Ansible installed
  • SSH key loaded in ssh-agent:
    ssh-add ~/.ssh/ansible_key
    

Managed machines

Each host must be prepared manually before Ansible can manage it:

  1. Create the ansible user with passwordless sudo:
    useradd -m -s /bin/bash ansible
    echo "ansible ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/ansible
    chmod 440 /etc/sudoers.d/ansible
    visudo -cf /etc/sudoers.d/ansible   # syntax check before the file is trusted by sudo
    
  2. Copy the ansible public key to the user's authorized_keys:
    mkdir -p /home/ansible/.ssh
    echo "<contents of files/ansible_key.pub>" >> /home/ansible/.ssh/authorized_keys
    chmod 700 /home/ansible/.ssh
    chmod 600 /home/ansible/.ssh/authorized_keys
    chown -R ansible:ansible /home/ansible/.ssh
    
  3. Install required packages:
    apt-get install -y sudo python3 python3-apt
    

Services

VPN

Adding a host to VPN

On the client machine, install WireGuard:

apt-get install -y wireguard

Generate a key pair:

# umask 077 keeps the private key readable by root only
umask 077
wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key

On the client machine, create /etc/wireguard/wg0.conf:

[Interface]
Address = 10.0.0.2/32
PrivateKey = <your private key>

[Peer]
PublicKey = <server public key>
Endpoint = vpn.ltrace.de:51820
AllowedIPs = 10.0.0.0/24

Then add a WireGuard peer to inventory/host_vars/b/wireguard.yml:

wireguard_peers:
    - name: laptop
      public_key: "<public.key>"
      allowed_ips: 10.0.0.2/32

Run scripts/wireguard.sh to update the VPN config.
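As an added example (not code from the ltrace repository), a POSIX shell check for the peer entry before it is written to inventory/host_vars/b/wireguard.yml: the public key must be the 44-character base64 form of a 32-byte key, allowed_ips must be a single /32 host inside 10.0.0.0/24, and neither the name nor the address may collide with an existing peer. The sample file and both keys are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not part of the ltrace repository: sanity-check a new peer
# before it is written to inventory/host_vars/b/wireguard.yml.
# The sample file and both keys below are constructed placeholders, not real keys.
DEMO_KEY_LAPTOP="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ="
DEMO_KEY_PHONE="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopQ="

# make_sample FILE: write the host_vars file as the README shows it (one peer, laptop).
make_sample() {
    printf 'wireguard_peers:\n    - name: laptop\n      public_key: "%s"\n      allowed_ips: 10.0.0.2/32\n' \
        "$DEMO_KEY_LAPTOP" > "$1"
}

# validate_peer NAME PUBKEY ALLOWED_IPS FILE: 0 if the peer may be added, 1 with a reason on stderr.
validate_peer() {
    name=$1 key=$2 ips=$3 file=$4
    # A WireGuard key is 32 bytes, so its base64 form is 44 chars ending in '='.
    # This checks alphabet and length only, not that the value decodes.
    printf '%s\n' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$' \
        || { echo "rejected: public key is not 44-char base64 of 32 bytes" >&2; return 1; }
    # Peers get exactly one host address, 10.0.0.1 .. 10.0.0.254, inside the VPN /24.
    printf '%s\n' "$ips" | grep -Eq '^10\.0\.0\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-4])/32$' \
        || { echo "rejected: allowed_ips must be a single /32 in 10.0.0.0/24" >&2; return 1; }
    # Two peers with the same AllowedIPs would claim the same route; names must be unique too.
    grep -Eq "^[[:space:]]*- name: $name\$" "$file" \
        && { echo "rejected: peer name '$name' already exists" >&2; return 1; }
    grep -Eq "^[[:space:]]*allowed_ips: $ips\$" "$file" \
        && { echo "rejected: address $ips already assigned" >&2; return 1; }
    return 0
}

# add_peer NAME PUBKEY ALLOWED_IPS FILE: validate, then append in the file's existing 4-space style.
add_peer() {
    validate_peer "$@" || return 1
    printf '    - name: %s\n      public_key: "%s"\n      allowed_ips: %s\n' "$1" "$2" "$3" >> "$4"
}

# Demo run on a temporary copy of the sample file.
demo_file=$(mktemp)
make_sample "$demo_file"
add_peer phone  "$DEMO_KEY_PHONE" 10.0.0.3/32 "$demo_file" && echo "added phone"
add_peer laptop "$DEMO_KEY_PHONE" 10.0.0.9/32 "$demo_file" || echo "duplicate name refused"
add_peer tablet "$DEMO_KEY_PHONE" 10.0.0.2/32 "$demo_file" || echo "duplicate address refused"
cat "$demo_file"
rm -f "$demo_file"
```

Run the check against the real host_vars file before running scripts/wireguard.sh; the functions only append, so a rejected peer leaves the file untouched.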

Mail

Managing mail users

Mail accounts are stored in an Ansible Vault file at inventory/host_vars/<host>/vault.yml. Each account requires a pre-hashed password in SHA512-CRYPT format.

Adding a user

  1. Generate a password hash:

    doveadm pw -s SHA512-CRYPT -u user@example.com
    
  2. Edit the vault file for the target host:

    ansible-vault edit inventory/host_vars/b/vault.yml
    

    Add the account under vault_mail_accounts:

    vault_mail_accounts:
      - address: user@ltrace.de
        password_hash: "{SHA512-CRYPT}$6$..."
    
  3. Apply the playbook to deploy the updated accounts file:

    ansible-playbook playbooks/site.yml -l b
    

If vault.yml does not exist yet, create it with:

ansible-vault create inventory/host_vars/b/vault.yml

The vault password is read from .vault_pass (gitignored). See ansible.cfg for the configured vault password file path.

Managing mail aliases

Mail aliases are configured in inventory/host_vars/<host>/mail.yml under mail_aliases. Each entry maps a source address to one or more destination addresses.

mail_aliases:
  - from: alias@example.com
    to: [ user@example.com ]
  - from: team@example.com
    to: [ alice@example.com, bob@example.com ]

After editing, apply the playbook:

ansible-playbook playbooks/site.yml -l b

Usage

# Dry run
ansible-playbook playbooks/site.yml --check

# Apply to all hosts
ansible-playbook playbooks/site.yml

# Apply to a single host
ansible-playbook playbooks/site.yml -l b