I've done some cleaning up and refactored the Ansible playbooks to use roles as suggested by Ansible's best practices. I'm not super happy with how the system is configured. Right now global configuration is in the inventory file under the [all:vars] group. This is a good spot to configure the entire system in one file but feels a little unwieldy. I'll be looking more into other options here to see if there's a simpler and more flexible way to configure the system.
I've also added quite a few roles to form the base of the server, including:
- MQTT server: installs mosquitto server and configures it to use SSL secured MQTT communication.
- MQTT client: installs mosquitto client tools, Paho MQTT python client library, and the SSL certs for communication with the server. This role can be installed on both the Ubuntu-based server and Debian-based devices like the Raspberry Pi or Beaglebone Black.
- Security: installs and configures the fail2ban brute force attack protection package. The Ubuntu server is also pretty well locked down by only allowing SSH login with keys (i.e. no password auth allowed), and denying root the ability to log in. I want to look more into other useful security software / configs, but am pretty happy with security for now.
- Web server: installs nginx web server. There's not much configured right now, but I plan to put some basic web apps on to help manage the server & communicate with devices.
- SMTP email relay: installs the postfix mail transport and configures it to relay mail to an SMTP server like Gmail. This is handy for allowing the server to send emails, like fail2ban warnings or perhaps notifications of MQTT events. Surprisingly this was by far the most complex package to automate with Ansible, mostly because installing postfix requires answering some question prompts which are difficult to do with automation.
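As an added example (not the author's playbooks), here is how the SSH hardening from the Security role and the postfix prompt problem from the SMTP relay role could be expressed as Ansible tasks. The file paths, the `restart sshd` handler name and the `smtp_relayhost` inventory variable are assumptions; the postfix debconf question names are the ones the Debian package asks at install time.

```yaml
# roles/security/tasks/main.yml (assumed path): key-only SSH, no root login, fail2ban
- name: Install fail2ban and the OpenSSH server
  ansible.builtin.apt:
    name: [fail2ban, openssh-server]
    state: present
    update_cache: yes

- name: Harden sshd_config (settings matching the post; validated before writing)
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?{{ item.opt }}\\s"
    line: "{{ item.opt }} {{ item.val }}"
    validate: "/usr/sbin/sshd -t -f %s"
  loop:
    - { opt: PasswordAuthentication, val: "no" }
    - { opt: PermitRootLogin, val: "no" }
    - { opt: PubkeyAuthentication, val: "yes" }
  notify: restart sshd

# roles/security/handlers/main.yml (assumed path)
- name: restart sshd
  ansible.builtin.service:
    name: ssh
    state: restarted

# roles/smtp_relay/tasks/main.yml (assumed path): answer the postfix prompts up front
- name: Preseed postfix debconf answers so the install runs non-interactively
  ansible.builtin.debconf:
    name: postfix
    question: "{{ item.q }}"
    value: "{{ item.v }}"
    vtype: "{{ item.t }}"
  loop:
    - { q: postfix/main_mailer_type, v: "Satellite system", t: select }
    - { q: postfix/mailname, v: "{{ ansible_fqdn }}", t: string }
    # smtp_relayhost is an assumed [all:vars] entry, e.g. "[smtp.gmail.com]:587"
    - { q: postfix/relayhost, v: "{{ smtp_relayhost }}", t: string }

- name: Install postfix (prompts are already answered by the preseed above)
  ansible.builtin.apt:
    name: postfix
    state: present
  environment:
    DEBIAN_FRONTEND: noninteractive
```

The `validate` argument makes sshd check the edited file before it replaces the live one, so a typo in a setting cannot lock you out of key-only SSH.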
One more major package I want to install is a Python WSGI app server that can host web applications written in Python. I plan to make a few simple web apps for reading and writing MQTT messages and would prefer to write them in Python with the Flask web app framework. I've looked into some options here and it looks like it comes down to either uWSGI or Gunicorn. From my testing uWSGI is kind of painful to set up, so I might go for Gunicorn.