Pyinfra script that deploys my AdGuardHome DNS server.


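"""Deploy an AdGuardHome DNS server with pyinfra (v1-style ``host.fact`` API).

Host data this deploy expects from the inventory:
  host.data.app_user -- system user/group that runs AdGuardHome
  host.data.app_dir  -- that user's home; the release is unpacked below it

The operations run top to bottom: admin user and hostname, base hardening
(apt, ufw, sshd port), a Let's Encrypt certificate, then AdGuardHome itself.
Every operation runs with sudo (SUDO = True).
"""
from pyinfra import host
from pyinfra.operations import apt, server, files, systemd

SUDO = True

# Values that used to be repeated as literals through the file. Keeping the SSH
# port in one place matters most: the sshd_config edit and the ufw rule below must
# agree or the next login is locked out.
FQDN = 'dns.benpro.fr'
CERTBOT_EMAIL = 'certbot@benpro.fr'
LE_LIVE_DIR = '/etc/letsencrypt/live/{}'.format(FQDN)
SSH_PORT = 28
ADGUARD_ARCHIVE = 'AdGuardHome_linux_amd64.tar.gz'
ADGUARD_URL = 'https://static.adguard.com/adguardhome/release/{}'.format(ADGUARD_ARCHIVE)
ADGUARD_SERVICE = 'AdGuardHome.service'

server.user(
    name='Add user benpro',
    user='benpro',
    groups=['sudo'],
    public_keys='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFs7yO0auvwFL8HTLMUq6lET6DMYLhqhd32rqFfZUsjL openpgp:0xA32E99AD',
    shell='/bin/bash',
    present=True,
)

server.hostname(
    name='Set the hostname',
    hostname=FQDN,
)

apt.update(
    name='Update apt repositories',
)

apt.upgrade(
    name='Upgrade apt packages',
)

apt.packages(
    name='Install ufw',
    packages=['ufw'],
    update=False,
)

# Move sshd off port 22. The regex is matched anywhere in the line, so a stock
# commented-out "#Port 22" is rewritten as well (confirm against the installed
# pyinfra version); once "Port 28" is present the operation is a no-op.
files.line(
    name='Set port 28 for SSH',
    path='/etc/ssh/sshd_config',
    line=r'Port .*',
    replace='Port {}'.format(SSH_PORT),
)

systemd.service(
    name='Reload sshd',
    service='ssh.service',
    reloaded=True,
)

# Firewall: rate-limited SSH on the new port, 80/443 for the AdGuard UI and for
# certbot's standalone challenge, 853 for DNS-over-TLS. Plain DNS on 53 is not
# opened here -- presumably only the encrypted transports are exposed; confirm.
# These shell commands re-run on every deploy; ufw skips rules that already exist.
server.shell(
    name='Add ufw rules',
    commands=[
        'ufw limit {}'.format(SSH_PORT),
        'ufw allow 80',
        'ufw allow 443',
        'ufw allow 853',
    ],
)

server.shell(
    name='Enable ufw',
    commands=['yes | ufw enable'],
)

apt.packages(
    name='Install certbot',
    packages=['certbot'],
    update=False,
)

# Issue the certificate only once; renewals are left to certbot's timer plus the
# pre/post hooks installed at the end of this file. --standalone needs port 80
# free, which holds here because AdGuardHome has not been started yet.
if not host.fact.directory(LE_LIVE_DIR):
    server.shell(
        name='Add certificate',
        commands=[
            'certbot certonly --non-interactive --email {} --agree-tos '
            '--standalone -d {}'.format(CERTBOT_EMAIL, FQDN),
        ],
    )

server.group(
    name='Add group adguard',
    group=host.data.app_user,
    system=True,
    present=True,
)

server.user(
    name='Add user adguard',
    user=host.data.app_user,
    group=host.data.app_user,
    home=host.data.app_dir,
    ensure_home=True,
    system=True,
    present=True,
)

# AdGuardHome runs unprivileged and cannot read /etc/letsencrypt, so the current
# cert and key are copied into its home; `cp -L` follows the live/ symlinks. The
# copy inherits the source mode masked by umask -- an explicit chmod would make
# sure privkey.pem is never group/world readable. This runs only at deploy time:
# after a renewal the copy goes stale unless files/start-adguard.sh (not shown
# here) refreshes it; worth confirming.
for pem in ('fullchain.pem', 'privkey.pem'):
    server.shell(
        name='Make certificate available for Adguard ({})'.format(pem),
        chdir=host.data.app_dir,
        commands=[
            'cp -L {}/{} .'.format(LE_LIVE_DIR, pem),
            'chown {}: {}'.format(host.data.app_user, pem),
        ],
    )

# Fetch the latest release tarball into the app directory (previously a hard-coded
# /home/adguard path, which silently assumed app_dir == /home/adguard).
# NOTE(review): the archive is not integrity-checked before it is unpacked and
# executed below; pinning a release URL and passing files.download's sha256sum=
# argument (check the installed pyinfra version) would catch a tampered or
# truncated download.
files.download(
    name='Download AdGuard',
    src=ADGUARD_URL,
    dest='{}/{}'.format(host.data.app_dir, ADGUARD_ARCHIVE),
    user=host.data.app_user,
    group=host.data.app_user,
    mode='640',
    cache_time=604800,  # seconds: re-download at most once a week
)

server.shell(
    name='Extract Adguard release file',
    chdir=host.data.app_dir,
    commands=[
        'tar zxf {}'.format(ADGUARD_ARCHIVE),
        'chown -R {}: AdGuardHome'.format(host.data.app_user),
    ],
)

# File capabilities let the unprivileged binary bind ports below 1024
# (NET_BIND_SERVICE) and open raw sockets (NET_RAW, typically needed for its
# DHCP server) instead of running the whole service as root.
server.shell(
    name='Setcap on Adguard binary',
    chdir=host.data.app_dir,
    commands=["setcap 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' AdGuardHome/AdGuardHome"],
)

# Register the unit through the binary the first time. The fact is a dict keyed by
# unit name; on a fresh host the unit is presumably not listed yet, and the former
# plain [] lookup would raise KeyError there instead of installing it, so use
# .get(). An existing-but-disabled unit is (re)installed as before.
if not host.fact.systemd_enabled.get(ADGUARD_SERVICE, False):
    server.shell(
        name='Install Adguard systemd service file',
        chdir=host.data.app_dir,
        commands=['AdGuardHome/AdGuardHome -s install'],
    )

# Replace the generated unit with the one kept in the repo.
files.put(
    name='Update systemd service file',
    src='files/AdGuardHome.service',
    dest='/etc/systemd/system/{}'.format(ADGUARD_SERVICE),
    mode='644',
)

# The config presumably carries the admin user's password hash, hence owner/group
# readable only (previously a hard-coded /home/adguard path).
files.put(
    name='Push AdGuardHome config',
    src='files/AdGuardHome.yaml',
    dest='{}/AdGuardHome/AdGuardHome.yaml'.format(host.data.app_dir),
    mode='640',
    user=host.data.app_user,
    group=host.data.app_user,
)

systemd.daemon_reload(
    name='Reload systemd',
    user_mode=False,
)

systemd.service(
    name='Restart and enable adguard service',
    service=ADGUARD_SERVICE,
    running=True,
    restarted=True,
    enabled=True,
)

# certbot renewal hooks -- judging by their names, they stop AdGuardHome so the
# standalone challenge can bind port 80 and start it again afterwards.
files.put(
    name='Set LE pre renewal-hook',
    src='files/stop-adguard.sh',
    dest='/etc/letsencrypt/renewal-hooks/pre/stop-adguard.sh',
    mode='755',
)

files.put(
    name='Set LE post renewal-hook',
    src='files/start-adguard.sh',
    dest='/etc/letsencrypt/renewal-hooks/post/start-adguard.sh',
    mode='755',
)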
  124. restarted=True,
  125. enabled=True,
  126. )
  127. files.put(
  128. name='Set LE pre renewal-hook',
  129. src='files/stop-adguard.sh',
  130. dest='/etc/letsencrypt/renewal-hooks/pre/stop-adguard.sh',
  131. mode='755',
  132. )
  133. files.put(
  134. name='Set LE post renewal-hook',
  135. src='files/start-adguard.sh',
  136. dest='/etc/letsencrypt/renewal-hooks/post/start-adguard.sh',
  137. mode='755',
  138. )