Thomas Kleinendorst 3a0e231bf3 Configure the SSH hardening role
This one is also disabled since it's not super useful to run more than
once. This role however doesn't report changes on reruns (as we've seen
for the os_hardening role).
2024-04-09 17:57:38 +02:00
.vscode Add and configure OS hardening role 2024-04-09 17:49:51 +02:00
cloudflare ddns Add test for existing DNS entry 2024-04-07 23:40:58 +02:00
inventory Add a simple playbook for testing 2024-04-09 17:03:04 +02:00
.gitignore Add DDNS script 2024-04-07 23:17:22 +02:00
LICENSE Initial commit 2024-04-07 12:37:40 +02:00
playbook.yml Configure the SSH hardening role 2024-04-09 17:57:38 +02:00
README.md Add and configure OS hardening role 2024-04-09 17:49:51 +02:00
requirements.yml Add and configure OS hardening role 2024-04-09 17:49:51 +02:00

Raspberry Pi IaC

Contains the Infrastructure as Code files which are used for provisioning my in-house Raspberry Pi.

Prerequisites

The files within this repository should be run on a computer with Ansible installed, which is only supported on macOS and Linux systems. On Windows it can be run within a WSL distro (see this guide on how to set this up; make sure the repository is checked out on the WSL distribution itself).

Ansible control node prerequisites

  1. Install Ansible (see instructions).

  2. Install Ansible Galaxy content:

    ansible-galaxy install -r requirements.yml
    

Environment prerequisites

The Raspberry Pi IaC code contained within this repository provisions the Raspberry Pi itself but doesn't provision all surrounding infrastructure, which is presumed to be managed by hand. The following relevant configuration is assumed:

  1. A prepared Raspberry Pi.
  2. Cloudflare should be set up for managing the domain records of kleinendorst.info.

Raspberry Pi preparation

The Raspberry Pi should be installed and running with SSH reachable from the network.

  1. Set up its MicroSD card using the Raspberry Pi Imager (download). For CHOOSE OS select the Raspberry Pi OS (other) > Raspberry Pi OS Lite (64-bit) option.
  2. When asked: Would you like to apply OS customisation settings? select EDIT SETTINGS. Select and fill in the following settings:
    1. Set username and password
    2. Set locale settings
    3. Enable SSH > Use password authentication (we'll harden it later to use public keys).
    4. Disable Eject media when finished (probably not really important but I heard it could prevent problems on Windows).
  3. Start the Raspberry Pi with an ethernet cable attached.
  4. Find the assigned IP of the Raspberry Pi in the router and configure DHCP to statically assign this address to the Raspberry Pi.
  5. Add the new Raspberry Pi to the hosts file using the internal IP.
  6. Test if the Raspberry Pi is correctly configured by opening an SSH session to it (using its IP address). If this works, the next step is to add SSH public keys for each computer that should provision or connect to the Raspberry Pi. It's important to perform this step before provisioning, because provisioning will disallow logging in over SSH with a password.
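
The lockout risk in step 6 can be checked before provisioning. The script below is an added example, not part of this repository: it assumes the OpenSSH `ssh` client on the control node, and the function names and the `SSH_BIN` override are hypothetical.

```shell
#!/usr/bin/env bash
# Pre-flight check: refuse to provision unless every target accepts a
# public-key login, since the SSH hardening role turns password logins off.

# Hypothetical override so the check can be exercised without a real host.
SSH_BIN="${SSH_BIN:-ssh}"

# Return 0 only if a login to $1 succeeds using public-key authentication.
# BatchMode stops ssh from prompting, so a password can never rescue the attempt.
key_login_ok() {
    "$SSH_BIN" -o BatchMode=yes \
        -o PreferredAuthentications=publickey \
        -o PasswordAuthentication=no \
        -o ConnectTimeout=5 \
        "$1" true >/dev/null 2>&1
}

# Check every target given as user@host. Returns the number of targets
# that failed, so 0 means it is safe to run the playbook.
preflight() {
    local failed=0 target
    for target in "$@"; do
        if key_login_ok "$target"; then
            echo "ok      $target"
        else
            echo "LOCKOUT $target: public-key login failed" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# When called with targets, provision only if all of them passed.
if [ "$#" -gt 0 ]; then
    preflight "$@" && ansible-playbook -i inventory playbook.yml
fi
```

Run it from each computer that should connect, passing the same user and IP address used for the SSH test in step 6; the playbook starts only when every listed target accepts a key login.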

Provisioning

Provision the Raspberry Pi by running:

    ansible-playbook -i inventory playbook.yml