.gitignore

@@ -1,24 +0,0 @@
-# Ansible temporäre Dateien
-*.retry
-*.pyc
-*.log
-
-# SSH Keys (NIEMALS pushen!)
-id_rsa
-id_rsa.pub
-id_ed25519
-id_ed25519.pub
-*.pem
-*.key
-
-# Ansible Vault (falls du unverschlüsselte Secrets hast - verschlüsselte sind ok)
-# secrets.yml
-
-# Inventar (falls du echte IPs/Passwörter nicht pushen willst - bei Homelab meist ok, aber pass auf)
-# inventory/hosts.ini  <-- Entscheide selbst. Wenn Passwörter drin sind: NICHT pushen.
-# Besser: Passwörter nur in ansible-vault oder gar nicht im File.
-
-# Backup files
-*.bak
-*.swp
-

ansible/inventory/hosts.ini

@@ -0,0 +1,17 @@
+# GRUPPE: alle Debian LXC Container
+[lxc_debian]
+# +Format: Alias_Name ansible_host=IP-Adresse
+test1         ansible_host=192.168.178.49 enable_wireguard_routing=True
+
+# +Pi-Hole Beispiel, Host-Variable gewinnt vor Gruppen-Variable
+#pihole      ansible_host=192.168.178.11 enable_wireguard_routing=True
+
+# VARIABLEN fuer die Gruppe [lxc_debian]
+[lxc_debian:vars]
+# +Login immer als root
+ansible_user=root
+# +WireGuard Routen Konfig
+wg_gateway=192.168.178.12
+wg_subnet=10.0.0.0/24
+# +WireGuard Route default disable
+enable_wireguard_routing=False

ansible/roles/debian_base/handlers/main.yml

@@ -0,0 +1,11 @@
+---
+# Dieser Handler wird aufgerufen, wenn wir die Route in /etc/network/interfaces eingetragen haben.
+# # Er sorgt dafür, dass die Route SOFORT aktiv ist, ohne Reboot.
+
+- name: Set route live
+  command: ip route add {{ wg_subnet }} via {{ wg_gateway }} dev eth0
+  # ignore_errors: Falls die Route zufällig doch schon da ist (manuell gesetzt), stürzt Ansible nicht ab.
+  ignore_errors: true
+  # Wir führen das auch nur aus, wenn WireGuard Routing aktiv sein soll (Sicherheitshalber)
+  when: enable_wireguard_routing | default(false) | bool
+

ansible/roles/debian_base/tasks/main.yml

@@ -7,7 +7,6 @@
   apt:
     name: locales
     state: present
-    update_cache: yes
 
 - name: Generate locales (en_US and de_DE)
   locale_gen:
@@ -39,9 +38,7 @@
   ignore_errors: true
   changed_when: false
 
-## Wireguard Options
+- name: Ensure WireGuard static route in in /etc/network/interfaces
-
-- name: Ensure WireGuard route is PRESENT in /etc/network/interfaces
   lineinfile:
     path: /etc/network/interfaces
     regexp: '^up ip route add {{ wg_subnet }} via {{ wg_gateway }}'
@@ -49,13 +46,3 @@
     state: present
   when: enable_wireguard_routing | default(false) | bool
   notify: Set route live
-
-- name: Ensure WireGuard route is ABSENT  in /etc/network/interfaces
-  lineinfile:
-    path: /etc/network/interfaces
-    regexp: '^up ip route add {{ wg_subnet }} via {{ wg_gateway }}'
-    state: absent
-  when: not (enable_wireguard_routing | default(false) | bool)
-  notify: Remove route live
-
-

inventory/hosts.ini

@@ -1,39 +0,0 @@
-#########################################################################
-[lxc_debian]
-dns           ansible_host=192.168.178.11
-#wireguard    ansible_host=192.168.178.12
-#web1         ansible_host=192.168.178.13
-web-conectare ansible_host=192.168.178.14 enable_wireguard_routing=True
-vaultwarden   ansible_host=192.168.178.15 enable_wireguard_routing=True
-guacamole     ansible_host=192.168.178.16 enable_wireguard_routing=True
-#vm-kiosk1    ansible_host=192.168.178.17
-#vm-kiosk2    ansible_host=192.168.178.18
-#monitoring   ansible_host=192.168.178.19 enable_wireguard_routing=True
-gitea         ansible_host=192.168.178.20 enable_wireguard_routing=True
-ansible       ansible_host=192.168.178.21 enable_wireguard_routing=True
-#test2        ansible_host=192.168.178.48 enable_wireguard_routing=True
-#test1        ansible_host=192.168.178.49
-
-[lxc_debian:vars]
-ansible_user=root
-ansible_become=no
-# +WireGuard Routen Konfig
-wg_gateway=192.168.178.12
-wg_subnet=10.0.0.0/24
-# +WireGuard Route default disable
-enable_wireguard_routing=False
-
-
-#########################################################################
-[vps_servers]
-gwVPS         ansible_host=10.0.0.2 nginx_enabled=True
-prodVPS       ansible_host=10.0.0.3 postfix_enabled=True
-
-[vps_servers:vars]
-ansible_user=ansible
-ansible_become=yes
-ansible_port=2222
-enable_wireguard_routing=False
-
-[monitoring]
-monitorSrv    ansible_host=192.168.178.22 enable_wireguard_routing=True

playbooks/cleanup_checkmk.yml

@@ -1,7 +0,0 @@
----
-- name: Cleanup Checkmk artifacts
-  hosts: all  # Auf ALLEN Servern ausführen (Homelab + VPS)
-  become: yes
-  roles:
-    - cleanup_checkmk
-

playbooks/setup_monitoring.yml

@@ -1,29 +0,0 @@
----
-- name: Install Node Exporter
-  hosts: all
-  roles:
-    - node_exporter
-
-- name: Install Prometheus Server
-  hosts: monitoring
-  roles:
-    - prometheus
-
-- name: Setup Exporters on VPS
-  hosts: vps_servers
-  tasks:
-    - name: Install Postfix Exporter
-      include_role:
-        name: postfix_exporter
-      when: postfix_enabled | default(False)
-
-    - name: Install Nginx Exporter
-      include_role:
-        name: nginx_exporter
-      when: nginx_enabled | default(False)
-
-- name: Update Prometheus Config
-  hosts: monitoring
-  roles:
-    - prometheus
-

roles/checkmk_agent/handlers/main.yml

@@ -1,7 +0,0 @@
----
-- name: Restart xinetd
-  systemd:
-    name: xinetd
-    state: restarted
-    daemon_reload: yes
-    enabled: yes

roles/checkmk_agent/tasks/main.yml

@@ -1,54 +0,0 @@
----
-- name: Download Checkmk Agent from Monitoring Server
-  get_url:
-    url: "http://{{ checkmk_server_ip }}/cmk/check_mk/agents/check-mk-agent_2.4.0p3-1_all.deb"
-    dest: /tmp/check-mk-agent.deb
-    mode: '0644'
-
-- name: Install Checkmk Agent
-  apt:
-    deb: /tmp/check-mk-agent.deb
-    state: present
-
-- name: Install xinetd (Legacy Mode Wrapper)
-  apt:
-    name: xinetd
-    state: present
-
-- name: Disable Checkmk Systemd Daemon (LXC compatibility fix)
-  systemd:
-    name: cmk-agent-ctl-daemon
-    state: stopped
-    enabled: no
-  ignore_errors: true
-
-- name: Create xinetd config for Checkmk
-  copy:
-    dest: /etc/xinetd.d/check-mk-agent
-    content: |
-      service check-mk-agent
-      {
-        type = UNLISTED
-        port = 6556
-        socket_type = stream
-        protocol = tcp
-        wait = no
-        user = root
-        server = /usr/bin/check_mk_agent
-        log_on_success = 
-        disable = no
-      }
-    mode: '0644'
-  notify: Restart xinetd
-
-- name: Ensure Checkmk Socket is enabled and active
-  systemd:
-    name: check-mk-agent.socket
-    enabled: yes
-    state: started
-
-- name: Ensure xinetd is started and enabled
-  service:
-    name: xinetd
-    state: started
-    enabled: yes

roles/cleanup_checkmk/tasks/main.yml

@@ -1,55 +0,0 @@
----
-- name: Stop Checkmk Agent service (systemd)
-  systemd:
-    name: check-mk-agent.socket
-    state: stopped
-    enabled: no
-  ignore_errors: yes  # Falls er schon weg ist oder nie da war
-
-- name: Stop xinetd service
-  systemd:
-    name: xinetd
-    state: stopped
-    enabled: no
-  ignore_errors: yes
-
-- name: Purge check-mk-agent package
-  apt:
-    name: check-mk-agent
-    state: absent
-    purge: yes
-
-- name: Purge xinetd package
-  apt:
-    name: xinetd
-    state: absent
-    purge: yes
-
-- name: Remove Checkmk directories and configs
-  file:
-    path: "{{ item }}"
-    state: absent
-  loop:
-    - /etc/check_mk
-    - /var/lib/check_mk_agent
-    - /usr/lib/check_mk_agent
-    - /etc/xinetd.d/check_mk
-    - /etc/xinetd.d/check-mk-agent
-    - /usr/local/bin/fail2ban_spool.sh  # Unser manuelles Skript
-    - /usr/lib/check_mk_agent/local/fail2ban_check # Unser Local Check
-
-- name: Remove Fail2Ban spool cronjob
-  cron:
-    name: "Checkmk Fail2Ban Spool"
-    state: absent
-  # Hinweis: Das entfernt den Cronjob nur, wenn er einen Namen/Kommentar hätte. 
-  # Da wir ihn manuell als "Raw Zeile" eingefügt haben, findet Ansible ihn so oft nicht.
-  # Wir nutzen daher brute-force sed, um sicher zu gehen:
-
-- name: Remove raw cronjob line for fail2ban
-  lineinfile:
-    path: /var/spool/cron/crontabs/root
-    regexp: 'fail2ban_spool\.sh'
-    state: absent
-  ignore_errors: yes # Falls Datei nicht existiert
-

roles/debian_base/handlers/main.yml

@@ -1,21 +0,0 @@
----
-# Dieser Handler wird aufgerufen, wenn wir die Route in /etc/network/interfaces eingetragen haben.
-# # Er sorgt dafür, dass die Route SOFORT aktiv ist, ohne Reboot.
-
-- name: Set route live
-  command: ip route add {{ wg_subnet }} via {{ wg_gateway }} dev eth0
-  # wenn sie schon existiert Exit Code 2
-  register: route_add_result
-  failed_when: 
-    - route_add_result.rc != 0
-    - "'File exists' not in route_add_result.sterr"
-  changed_when: route_add_result.rc == 0
-
-- name: Remove route live
-  command: ip route del {{  wg_subnet }} via {{  wg_gateway }} dev eth0
-  # wenn schon weg, dann Exit Code 2
-  register: route_del_result
-  failed_when:
-    - route_del_result.rc != 0
-    - "'No such process' not in route_del_result.stderr"
-    - "'No such device' not in route_del_result.stderr"

roles/nginx_exporter/handlers/main.yml

@@ -1,6 +0,0 @@
----
-- name: Restart nginx_exporter
-  service:
-    name: prometheus-nginx-exporter
-    state: restarted
-

roles/nginx_exporter/tasks/main.yml

@@ -1,14 +0,0 @@
-- name: Install prometheus-nginx-exporter via apt
-  apt:
-    name: prometheus-nginx-exporter
-    state: present
-  notify: Restart nginx_exporter
-
-- name: Ensure nginx_exporter service is started
-  service:
-    name: prometheus-nginx-exporter
-    state: started
-    enabled: yes
-  # Hinweis: Standard-Arguments in /etc/default/prometheus-nginx-exporter müssen oft angepasst werden
-  # damit er auf http://127.0.0.1:8080/stub_status schaut.
-

roles/node_exporter/handlers/main.yml

@@ -1,6 +0,0 @@
----
-- name: Restart node_exporter
-  systemd:
-    name: node_exporter
-    state: restarted
-    daemon_reload: yes

roles/node_exporter/tasks/main.yml

@@ -1,55 +0,0 @@
----
-- name: Create node_exporter user
-  user:
-    name: node_exporter
-    shell: /bin/false
-    system: yes
-
-#- name: Download node_exporter
-#  get_url:
-#    url: "https://github.com/prometheus/node_exporter/releases/download/v1.7.0/node_exporter-1.7.0.linux-amd64.tar.gz"
-#    dest: "/tmp/node_exporter.tar.gz"
-
-- name: Download node_exporter (Robust Method)
-  block:
-    - name: Try downloading with get_url
-      get_url:
-        url: "https://github.com/prometheus/node_exporter/releases/download/v1.7.0/node_exporter-1.7.0.linux-amd64.tar.gz"
-        dest: "/tmp/node_exporter.tar.gz"
-  rescue:
-    - name: Install curl for fallback
-      apt:
-        name: curl
-        state: present
-
-    - name: Fallback downloading with curl
-      command: >
-        curl -L -o /tmp/node_exporter.tar.gz https://github.com/prometheus/node_exporter/releases/download/v1.7.0/node_exporter-1.7.0.linux-amd64.tar.gz
-      args:
-        creates: /tmp/node_exporter.tar.gz
-
-- name: Unarchive node_exporter
-  unarchive:
-    src: "/tmp/node_exporter.tar.gz"
-    dest: "/tmp"
-    remote_src: yes
-
-- name: Install node_exporter binary
-  copy:
-    src: "/tmp/node_exporter-1.7.0.linux-amd64/node_exporter"
-    dest: "/usr/local/bin/node_exporter"
-    mode: '0755'
-    remote_src: yes
-  notify: Restart node_exporter
-
-- name: Create systemd service file
-  template:
-    src: node_exporter.service.j2
-    dest: /etc/systemd/system/node_exporter.service
-  notify: Restart node_exporter
-
-- name: Enable and start node_exporter
-  systemd:
-    name: node_exporter
-    state: started
-    enabled: yes

roles/node_exporter/templates/node_exporter.service.j2

@@ -1,13 +0,0 @@
-[Unit]
-Description=Node Exporter
-Wants=network-online.target
-After=network-online.target
-
-[Service]
-User=node_exporter
-Group=node_exporter
-Type=simple
-ExecStart=/usr/local/bin/node_exporter
-
-[Install]
-WantedBy=multi-user.target

roles/postfix_exporter/handlers/main.yml

@@ -1,7 +0,0 @@
----
-- name: Restart postfix_exporter
-  systemd:
-    name: prometheus-postfix-exporter
-    state: restarted
-    daemon_reload: yes
-

roles/postfix_exporter/tasks/main.yml

@@ -1,16 +0,0 @@
----
-- name: Install prometheus-postfix-exporter
-  apt:
-    name: prometheus-postfix-exporter
-    state: present
-  notify: Restart postfix_exporter
-
-# Das Paket startet den Service oft automatisch als "prometheus-postfix-exporter"
-# Wir müssen sicherstellen, dass er läuft und enabled ist.
-
-- name: Ensure service is started and enabled
-  systemd:
-    name: prometheus-postfix-exporter
-    state: started
-    enabled: yes
-

roles/prometheus/handlers/main.yml

@@ -1,7 +0,0 @@
----
-- name: Restart prometheus
-  systemd:
-    name: prometheus
-    state: restarted
-    daemon_reload: yes
-

roles/prometheus/tasks/main.yml

@@ -1,67 +0,0 @@
----
-- name: Create prometheus user
-  user:
-    name: prometheus
-    shell: /bin/false
-    system: yes
-
-- name: Create directories
-  file:
-    path: "{{ item }}"
-    state: directory
-    owner: prometheus
-    group: prometheus
-    mode: '0755'
-  loop:
-    - /etc/prometheus
-    - /var/lib/prometheus
-
-- name: Download Prometheus
-  get_url:
-    url: "https://github.com/prometheus/prometheus/releases/download/v2.45.0/prometheus-2.45.0.linux-amd64.tar.gz"
-    dest: "/tmp/prometheus.tar.gz"
-
-- name: Unarchive Prometheus
-  unarchive:
-    src: "/tmp/prometheus.tar.gz"
-    dest: "/tmp"
-    remote_src: yes
-
-- name: Install binaries
-  copy:
-    src: "/tmp/prometheus-2.45.0.linux-amd64/{{ item }}"
-    dest: "/usr/local/bin/{{ item }}"
-    mode: '0755'
-    remote_src: yes
-  loop:
-    - prometheus
-    - promtool
-  notify: Restart prometheus
-
-- name: Copy console libraries
-  copy:
-    src: "/tmp/prometheus-2.45.0.linux-amd64/{{ item }}/"
-    dest: "/etc/prometheus/{{ item }}/"
-    remote_src: yes
-  loop:
-    - consoles
-    - console_libraries
-
-- name: Configure Prometheus (Auto-Discovery)
-  template:
-    src: prometheus.yml.j2
-    dest: /etc/prometheus/prometheus.yml
-  notify: Restart prometheus
-
-- name: Create systemd service
-  template:
-    src: prometheus.service.j2
-    dest: /etc/systemd/system/prometheus.service
-  notify: Restart prometheus
-
-- name: Start Prometheus
-  systemd:
-    name: prometheus
-    state: started
-    enabled: yes
-

roles/prometheus/templates/prometheus.service.j2

@@ -1,21 +0,0 @@
-[Unit]
-Description=Prometheus
-Wants=network-online.target
-After=network-online.target
-
-[Service]
-User=prometheus
-Group=prometheus
-Type=simple
-ExecStart=/usr/local/bin/prometheus \
-    --config.file /etc/prometheus/prometheus.yml \
-    --storage.tsdb.path /var/lib/prometheus/ \
-    --web.console.templates=/etc/prometheus/consoles \
-    --web.console.libraries=/etc/prometheus/console_libraries
-# Wichtig für LXC:
-NoNewPrivileges=yes
-PrivateTmp=false
-
-[Install]
-WantedBy=multi-user.target
-

roles/prometheus/templates/prometheus.yml

@@ -1,19 +0,0 @@
-global:
-  scrape_interval: 15s
-
-scrape_configs:
-  - job_name: 'prometheus'
-    static_configs:
-      - targets: ['localhost:9090']
-
-  - job_name: 'node_exporter'
-    static_configs:
-      - targets:
-# Hier loopen wir durch ALLE Hosts im Inventory
-{% for host in groups['all'] %}
-# Wir nehmen nur Hosts, die eine IP haben (manche Gruppen sind leer)
-{% if hostvars[host]['ansible_host'] is defined %}
-        - '{{ hostvars[host]["ansible_host"] }}:9100'
-{% endif %}
-{% endfor %}
-

roles/prometheus/templates/prometheus.yml.j2

@@ -1,38 +0,0 @@
-global:
-  scrape_interval: 15s
-  evaluation_interval: 15s
-
-scrape_configs:
-  - job_name: 'prometheus'
-    static_configs:
-      - targets:
-          - 'localhost:9090'
-
-  - job_name: 'node_exporter'
-    static_configs:
-      - targets:
-{% for host in groups['all'] %}
-          - '{{ hostvars[host].ansible_host }}:9100'
-{% endfor %}
-
-  - job_name: 'postfix_exporter'
-    static_configs:
-      - targets:
-{% for host in groups['vps_servers'] %}
-          # Hier filtern wir idealerweise, ob Postfix drauf ist.
-          # Einfachheitshalber nehmen wir erstmal an, prodVPS ist der Mailserver.
-          # Oder wir nutzen eine Variable im Inventory: postfix_enabled=true
-{% if hostvars[host]['postfix_enabled'] is defined and hostvars[host]['postfix_enabled'] %}
-          - '{{ hostvars[host].ansible_host }}:9154'
-{% endif %}
-{% endfor %}
-
-  - job_name: 'nginx_exporter'
-    static_configs:
-      - targets:
-{% for host in groups['vps_servers'] %}
-{% if hostvars[host]['nginx_enabled'] is defined and hostvars[host]['nginx_enabled'] %}
-          - '{{ hostvars[host].ansible_host }}:9113'
-{% endif %}
-{% endfor %}
-

roles/prometheus/templates/prometheus.yml.j2.old

@@ -1,28 +0,0 @@
-global:
-  scrape_interval: 15s
-
-scrape_configs:
-  - job_name: 'prometheus'
-    static_configs:
-      - targets: ['localhost:9090']
-
-  - job_name: 'node_exporter'
-    static_configs:
-      - targets:
-# Hier loopen wir durch ALLE Hosts im Inventory
-{% for host in groups['all'] %}
-# Wir nehmen nur Hosts, die eine IP haben (manche Gruppen sind leer)
-{% if hostvars[host]['ansible_host'] is defined %}
-        - '{{ hostvars[host]["ansible_host"] }}:9100'
-{% endif %}
-{% endfor %}
-
-  - job_name: 'postfix_exporter'
-    static_configs:
-      - targets:
-{% for host in groups['all'] %}
-{% if hostvars[host]['postfix_enabled'] is defined and hostvars[host]['postfix_enabled'] %}
-        - '{{ hostvars[host]["ansible_host"] }}:9154'
-{% endif %}
-{% endfor %}
-

wasIstWas.txt

@@ -0,0 +1,25 @@
+1) ansible/ansible.cfg
+    Grundsaetzliches Verhalten von Ansible
+    Regelwerk fuers Projekt
+
+2) ansible/inventory/hosts.ini
+    Ist das "Telefonbuch" - hier stehen alle Server drin die Ansible kennen soll
+    Man kann diese gruppieren
+
+
+
+
+
+
+
+
+
+Haben alle Ziel-Hosts deinen SSH-Key?
+Falls nicht: ssh-copy-id root@192.168.178.12 (für Pihole), .20 (Gitea) usw.
+
+Testlauf:
+
+bash
+cd ~/projects/infra-konstrukt/ansible
+ansible-playbook playbooks/site.yml --check
+(Das --check ist der Trockenlauf. Er zeigt dir, was er tun WÜRDE.)