Make Raspberry Pi up and running in a few command
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
roles [*] Easier email override for fail2ban Dec 17, 2017
.gitignore [*] Tracking playbook after all Mar 25, 2017

ansible-rpi 0.8.0


Make Raspberry Pi up and running in a few command.

Tested on a Rpi 3 B+ and a Rpi 1 B.


common role

Setup the Rpi with with updates and better security

  • Locale setup
  • System upgrade (including kernel)
  • Adding some useful packages (curl, vim, tmux, git…)
  • UFW firewall rules allowing user-specified ports and protocols
  • Logwatch for system status emails (via SSMTP)
  • SSH with key-only authentification
  • Custom sudo user for rpi (thus disabling pi as Rpi sudoer)
  • oh-my-zsh install and vim as default editor
  • Dynamic network folder and local drive setup (Works with SAMBA and include basic credentials management)
  • Fail2Ban configuration to send mail via SSMTP, handle a custom SSH port and some user-defined services
  • Optional hostname update and Zeroconf
  • Optional custom SSH banner
  • Optional Wifi config
  • Optional Mosh support
  • Optional unsudo of the pi user
  • Optionally add a list of user to the sudoers with NOPASSWD

download_server role

Turn the Rpi in a download server for ddl and torrents

  • Aria2 daemon
  • RPC interface for remote monitoring with optional SSL encryption
  • Shared downloads directory (may be replaced by a previously configured network folder)

media_center role

Turn your Raspberry into a decent customizable media center

  • Kodi basic installation with separate user
  • Dynamic sources creation (may be linked to previously configured network folders)
  • Buffer handling optimized for a Raspberry
  • Optional kodi user with kodi-standalone and a minimal Openbox setup
  • Optional Tvheadend install with basic config

rpi_docker role

Setup and enable control of a distant Raspberry Pi Docker host via Ansible

  • HypriotOS oriented setup
  • Docker containers and deamon are behind the firewall by default (see Docker Support for more infos)
  • Ansible tools are setup (allowing you to use docker_container, docker_image Ansible modules…)

unbound role

Transform your Raspberry Pi into a DNS Server

  • Unbound setup & configuration
  • Add DNS entries
  • Generation of DNS entries from ansible inventory (A entries and reverse)
  • Forward to another DNS
  • IPv4 only for reverse

Note: Source code is in a separate role.

audio_center role

Turns your Raspberry into a Spotify player

This role requires a PREMIUM Spotify account

  • Setup an headless Spotify Connect client (librespot)
  • Update audio config


With examples

# First
cp /etc/ansible/hosts

# Then
cp playbook.yml
cp /etc/ansible/host_vars/my-host.yml


First update the hosts file to target your Rpis.

I recommend using an up-to-date Raspbian Lite image.

Make sure that the Rpi is SSHable (latest raspbian lite images come with SSH disabled by default, creating a file with name "ssh" in boot partition is required to enable it.).

Then the first time run:

ansible-playbook playbook.yml -u pi --ask-pass

You can also store user name in inventory file and user's pass in your Ansible vault.

Dev with Vagrant

First run:

ansible-playbook playbook.yml -i

Next runs:

# Editing the hosts file may be required to update the SSH port
# A vagrant reload may also be needed
# Checks access with
ansible all -m ping -u neo

# Execute updated playbook
ansible-playbook playbook.yml -u neo --ask-become-pass

You can also store user name in inventory file and user's pass in your Ansible vault.

User password generation

password_hash is a useful Jinja filter but uses 656000 rounds for SHA512 hashing.

The default is 5000 in glibc [1], and it adds an important computing cost on a Rpi.

This may cause axtra slowness on user authentification (ie. sudo password prompt)

Please use the following command to generate a user password hash [2]:

python -c "from passlib.hash import sha512_crypt; import getpass; print sha512_crypt.encrypt(getpass.getpass(), rounds=5000)"

1 2

Docker Support

In order to ease Docker handling on Rpi, I recommend the HypriotOS image.

Current state

The rpi_docker role is tested with it, but may work with other setups.

Modify the following vars in order to adapt to your device:

rd_limit_nofile: 1048576
rd_limit_nproc: 1048576
rd_limit_core: infinity


The common role will secure the HypriotOS Rpi in a way that by default:

  • docker-machine create will fail (default user must have a NOPASSD sudo, see )
  • Docker daemon tcp port (2376) will be unreachable (however you can enable it manually in allowed_ports var) but is started by default
  • Docker unix socket is accessible

You may want to look to this for a manual docker-machine setup.

Docker-machine and Raspbian Docker support may come in a future release.


  • storage_driver is overlay
  • The tlsverify flag is enabled, and tlscacert, tlscert, tlskey
  • LimitNOFILE and LimitNPROC are set, but LimitCORE is not
  • iptables addition by Docker are deactivated


  • [] Sudoers file rewrite
  • [] Segmentation into roles
  • [] Contribution guidelines
  • [] …