Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
301 lines (276 sloc) 10.6 KB
# Configures the Raspberry Pi that handles my home automation
#
# It assumes my user has already been created by rpi_provisioning.yml
- hosts: raspberrypi
remote_user: "{{ admin_user }}"
become: yes
vars:
admin_user: chesterbr
admin_email: cd@pobox.com
external_hostname: chesterbr.duckdns.org
backup_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
32333432316339373564633937666663323762323834356135396163343361653732346637386365
3266636330393331636436393936633035383539616535390a306163346136353464636366373938
34626237613062626636653366346363653662393439613839363661376235363162643939346332
3265386661626665360a666662336663363265383066623439323061623737336439366335393032
37323364626232333262663065666430386436336161633565353963663263336537323863623361
34333136323362343562623338396537363531343530366236323666356536386363316638323038
66326134636339393761336337633731636631613030386438303230323965653333383239356339
63643530626335636561633238316630373665393438633861356563306434613462663665346666
61313535626434633164356430383135386533613231346566373536323934623364326166396364
37623030636230393637666636383839633461356235656462616132666264333663656435326334
376631333062666237336238303630623033
duckdns_token: !vault |
$ANSIBLE_VAULT;1.1;AES256
30626238633131363461363936396234316334306531623366393931663433313065396330343437
3635386336633039663232393165336334316665663533640a366564663366313662636532376530
35363032326132636432386434333831363733346363626436396361396261306265393030666238
6261613764323161320a623239396135663163306438613839326638626236336161323932373335
31653637393635376165653064336565306262303332303432376638633365626431663637636566
3464623366386333636231663736383932623865336663656531
handlers:
- name: restart ssh
service: name=ssh state=restarted
- name: restart unattended-upgrades
service: name=unattended-upgrades state=restarted
- name: restart lirc
service: name=lircd state=restarted
- name: reboot
reboot:
tasks:
- name: Add my user to all groups that pi normally belongs to
user:
name: "{{ admin_user }}"
groups: pi,adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi
append: yes
- name: Update packages info (if older than a couple days)
apt: update_cache=yes cache_valid_time=7200
- name: Install general utilities
apt: name={{ packages }} state=present
vars:
packages:
- git # Required for Ansible git (and for life, IMHO).
- python-setuptools # Required for Ansible pip ¯\_(ツ)_/¯
- python3-gpiozero # Provides pinout (and I ❤️ pinout).
- libudev-dev # Not 100% sure, but Home Assistant +
- libopenzwave1.5-dev # ZWave seems to require these two.
- name: Install fail2ban.
block:
- apt: name=fail2ban state=present
- service: name=fail2ban state=started enabled=yes
- name: Update SSH configuration to be more secure (no password/root logins).
lineinfile:
dest: "/etc/ssh/sshd_config"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
with_items:
- regexp: "^PasswordAuthentication"
line: "PasswordAuthentication no"
- regexp: "^PermitRootLogin"
line: "PermitRootLogin no"
notify: restart ssh
# Uncomment if you don't want the local pi user
# - name: Drop the pi user (we don't need it and can't even use it remotely at this point)
# user: name={{ admin_user }} state=absent remove=yes
- name: Install unattended upgrades package and dependencies.
apt: name={{ packages }} state=present
vars:
packages:
- unattended-upgrades
- apt-listchanges
- bsd-mailx
- name: Updated unattended-upgrades config to reboot if needed,
auto-fix, reboot time, email, etc
lineinfile:
dest: "/etc/apt/apt.conf.d/50unattended-upgrades"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
with_items:
- regexp: "(\/\/)? ?Unattended-Upgrade::AutoFixInterruptedDpkg \""
line: Unattended-Upgrade::AutoFixInterruptedDpkg "true";
- regexp: "(\/\/)? ?Unattended-Upgrade::MinimalSteps \""
line: Unattended-Upgrade::MinimalSteps "true";
- regexp: "(\/\/)? ?Unattended-Upgrade::Automatic-Reboot \""
line: Unattended-Upgrade::Automatic-Reboot "true";
- regexp: "(\/\/)? ?Unattended-Upgrade::Automatic-Reboot-Time \""
line: Unattended-Upgrade::Automatic-Reboot-Time "02:00";
- regexp: "(\/\/)? ?Unattended-Upgrade::Mail \""
line: Unattended-Upgrade::Mail "{{ admin_email }}";
- regexp: "(\/\/)? ?Unattended-Upgrade::MailOnlyOnError \""
line: Unattended-Upgrade::MailOnlyOnError "false";
- regexp: "(\/\/)? ?Unattended-Upgrade::Remove-Unused-Dependencies \""
line: Unattended-Upgrade::Remove-Unused-Dependencies "true";
notify: restart unattended-upgrades
- name: (Re)configure firewall (ufw)
tags:
- firewall
block:
- apt: name=ufw state=present
- ufw: rule=allow port={{ item }}
with_items:
- 22 # ssh
- 80 # http (mostly to generate/renew certs)
- 443 # https (mostly to generate/renew certs)
- 8123 # Home Assistant
- ufw: state=enabled policy=reject direction=incoming
- name: Install certbot (so we can have letsencrypt ssl certificates)
apt: name=certbot state=present
- name: Create script that generates/renews/copies certificates as needed
template:
src: templates/update_and_copy_certificates.sh.j2
dest: /root/update_and_copy_certificates.sh
owner: root
mode: 0700
- name: Configure dynamic DNS provider (DuckDNS)
block:
- template:
src: templates/duck.sh.j2
dest: /root/duck.sh
mode: 0700
- cron:
name: Refresh DuckDNS address
minute: "*/5"
job: /root/duck.sh
- name: Run the script once (so we have certificates to play with)
command: bash -lc "/root/update_and_copy_certificates.sh"
args:
creates: /home/{{ admin_user }}/privkey.pem
- name: Schedule certbot to rebuild the certs when needed \
(and copy/fix perms so HomeAssistant can use them)
cron:
name: Update ssl certificates
minute: 0
hour: 4
job: /root/update_and_copy_certificates.sh
- name: Install packages required for Bluetooth
apt: name={{ packages }} state=present
vars:
packages:
- bluetooth
- bluez
- bluez-firmware
- libbluetooth-dev
- name: Check if we have already built 433Utils
stat:
path: /usr/bin/codesend
register: codesend
- name: Build and install RF (433Mhz) control software (433Utils), \
then enable my user to run it
when: codesend.stat.exists == false
block:
- apt: name=wiringpi state=present
- git:
repo: git://github.com/ninjablocks/433Utils.git
dest: /root/433Utils
recursive: yes
- command: make
args:
chdir: /root/433Utils/RPi_utils
- copy:
src: /root/433Utils/RPi_utils/{{ item }}
dest: /usr/bin/{{ item }}
mode: 0755
remote_src: yes
with_items:
- codesend
- RFSniffer
- name: Install and configure LIRC (infrared), using GPIO22 for output and GPIO23 for input
block:
- apt: name=lirc state=present
- lineinfile:
dest: /boot/config.txt
regexp: "^#? ?dtoverlay="
line: "dtoverlay=lirc-rpi,gpio_in_pin=23,gpio_out_pin=22"
state: present
notify: reboot
- blockinfile:
dest: /etc/modules
block: |
lirc_dev
lirc_rpi gpio_in_pin=23 gpio_out_pin=22
notify: reboot
- template:
src: templates/lirc_hardware_conf.j2
dest: /etc/lirc/hardware.conf
notify: restart lirc
- template:
src: templates/lirc_options.conf.j2
dest: /etc/lirc/lirc_options.conf
notify: restart lirc
- template:
src: templates/Sharp_LCDTV-845-039-40B0.lircd.conf.j2
dest: /etc/lirc/lircd.conf.d/Sharp_LCDTV-845-039-40B0.lircd.conf
notify: restart lirc
- template:
src: templates/tv_source.lua.j2
dest: /home/{{ admin_user }}/tv_source.lua
mode: 0700
owner: "{{ admin_user }}"
- name: Configure Home Assistant backups
block:
- apt: name={{ packages }} state=present
vars:
packages:
- samba-common
- smbclient
- samba-common-bin
- cifs-utils
- copy:
content: "{{ backup_password }}"
dest: /home/{{ admin_user }}/.backup-password
become: no
- template:
src: templates/ha-backup.sh.j2
dest: /home/{{ admin_user }}/ha-backup.sh
mode: 0700
become: no
- cron:
name: Backup homeassistant configs
minute: 0
hour: 3
user: "{{ admin_user }}"
job: /home/{{ admin_user }}/ha-backup.sh
- name: Check if Home Assistant (config) is present...
stat:
path: /home/{{ admin_user }}/.homeassistant
register: homeassistant_config
- name: ...if not, restore config from backup and install Home Assistant \
(on a virtualenv, on my user, with configs from backup)
when: homeassistant_config.stat.exists == false
block:
- command: bash -lc "./ha-backup.sh restore"
args:
chdir: /home/{{ admin_user }}
creates: /home/{{ admin_user }}/.homeassistant
become: no
- apt: name={{ packages }} state=present
vars:
packages:
- python3-pip
- python3-venv
- build-essential
- libssl-dev
- libffi-dev
- python3-dev
- pip:
name: virtualenv
executable: pip3
- pip:
name:
- wheel
- homeassistant
virtualenv: /home/{{ admin_user }}/homeassistant
become: no
- template:
src: templates/homeassistant.service.j2
dest: /lib/systemd/system/homeassistant.service
mode: 0644
- systemd:
daemon_reload: yes
name: homeassistant.service
enabled: true
state: stopped
notify: reboot
You can’t perform that action at this time.