Introduction

Overview

Solti-Ensemble is an Ansible collection providing shared infrastructure services and utilities for the SOLTI ecosystem. Unlike solti-monitoring (which focuses on observability), solti-ensemble provides foundational services that applications consume.

Purpose:

  • Shared infrastructure services (databases, storage, networking)
  • Security hardening utilities
  • Development environment setup
  • Service lifecycle management

What Solti-Ensemble Provides

Infrastructure Services

MariaDB - Database server with security-focused setup

  • Automated installation and configuration
  • Security hardening (removes anonymous users, test database)
  • Backup functionality
  • Support for Debian 12 and Rocky Linux 9

NFS Client - Network file system integration

  • Multiple NFS share management
  • Cross-platform compatibility (Debian, Rocky, Ubuntu)
  • Optimized mount options for performance

WireGuard - Modern VPN connectivity

  • Secure key generation and management
  • Client configuration for Rocky Linux 9 and Debian 12
  • Automatic backups of configurations

Security Tools

SSHD Hardening - SSH daemon security

  • Restricts cryptographic algorithms to secure options
  • Disables dangerous features
  • Generates secure key pairs
  • Filters weak Diffie-Hellman moduli
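
What filtering weak Diffie-Hellman moduli involves, shown as an added example that is not the sshd_harden role's own code. The 3071 threshold (3072-bit primes), the function names and the sample lines are assumptions made for illustration; the page does not state which cutoff the role uses.

```shell
#!/bin/sh
# Added example (not the role's code): keep only DH group-exchange moduli at
# or above a minimum size. Field 5 of a moduli line is the prime size in bits
# minus one, so a 3072-bit prime is recorded as 3071.

# Constructed sample; the modulus values are shortened placeholders.
sample_moduli() {
    cat <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20240101000000 2 6 100 2047 2 C0FFEE01
20240101000001 2 6 100 3071 2 C0FFEE02
20240101000002 2 6 100 4095 5 C0FFEE03
20240101000003 2 6 100 1535 2
EOF
}

# filter_moduli MIN_SIZE INFILE OUTFILE
# Prints "kept=N dropped=M". Returns 1 and writes nothing if no entry
# survives, so a moduli file is never replaced by an empty one.
filter_moduli() {
    min_size=$1 infile=$2 outfile=$3
    tmp="${outfile}.tmp.$$"
    summary=$(awk -v min="$min_size" -v out="$tmp" '
        /^[[:space:]]*#/ || NF == 0     { next }             # comment or blank
        NF != 7 || $5 !~ /^[0-9]+$/     { dropped++; next }  # malformed entry
        $5 + 0 >= min + 0               { print > out; kept++; next }
                                        { dropped++ }        # prime too small
        END { printf "kept=%d dropped=%d\n", kept, dropped }
    ' "$infile")
    echo "$summary"
    case $summary in
        kept=0\ *) rm -f "$tmp"; return 1 ;;
    esac
    mv "$tmp" "$outfile"
}

# Demo on the constructed sample, with 3071 as the assumed threshold.
demo_dir=$(mktemp -d)
sample_moduli > "$demo_dir/moduli"
filter_moduli 3071 "$demo_dir/moduli" "$demo_dir/moduli.safe"
rm -rf "$demo_dir"
```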

Claude SecTest - AI-powered security auditing

  • Multi-script security auditing framework
  • Git-based change tracking
  • Claude AI analysis integration
  • ISPConfig3 server auditing

Fail2ban Config - Intrusion prevention

  • Automated fail2ban configuration
  • Custom jail configurations
  • Log monitoring setup

Development Tools

Gitea - Self-hosted Git service

  • Lightweight alternative to GitLab/GitHub
  • SSL support
  • Multiple database backends (SQLite, MySQL, PostgreSQL)
  • User management

VS Code - Development environment

  • Visual Studio Code installation
  • Microsoft official repository
  • Automatic updates

Podman - Container runtime

  • Daemonless container engine
  • Rootless container support
  • Docker alternative
  • Podman Compose functionality

Application Services

Ghost - Headless CMS platform

  • Blog and content management
  • Node.js-based deployment
  • Database integration

ISPConfig Utilities

  • Backup management
  • Certificate convergence
  • Configuration management

Architecture Pattern

Solti-Ensemble follows the shared services pattern:

Applications (ISPConfig, Gitea, Ghost)
Ensemble Services (MariaDB, WireGuard, NFS)
Base Infrastructure (Podman, SSH Hardening)

Key Principles:

  • Services are independently deployable
  • Each role manages complete lifecycle (install, configure, remove)
  • Security by default
  • Cross-platform support (Debian, Rocky, Ubuntu)
  • Integration with SOLTI ecosystem

Deployment Philosophy

State Management:

  • All roles support state: present (install) and state: absent (remove)
  • Optional data cleanup with remove_data: true
  • Idempotent operations (safe to re-run)

Security First:

  • Secure defaults enabled
  • Optional hardening features
  • Credential management via Ansible Vault
  • Minimal attack surface

Testing:

  • Molecule-based testing framework
  • Multi-platform validation (Podman, Proxmox, GitHub Actions)
  • Integration test focus

Integration with SOLTI Ecosystem

Consumed by:

  • solti-monitoring (uses WireGuard, NFS)
  • Custom applications (use MariaDB, Gitea)
  • Development workflows (use Podman, VS Code)

Provides to:

  • Database services for applications
  • VPN connectivity for distributed monitoring
  • Storage backends for data persistence
  • Security hardening for all hosts

Current Status

Mature Roles:

  • MariaDB - Production-ready
  • WireGuard - Production-ready
  • SSHD Hardening - Production-ready
  • NFS Client - Production-ready

Active Development:

  • Gitea - Stabilizing
  • Ghost - Early stage
  • ISPConfig utilities - Specialized use cases

Security Tools:

  • Claude SecTest - Mature, actively maintained
  • Fail2ban Config - Production-ready

Getting Started

Installation

ansible-galaxy collection install jackaltx.solti_ensemble

Basic Usage

- hosts: servers
  roles:
    - jackaltx.solti_ensemble.sshd_harden
    - jackaltx.solti_ensemble.mariadb
    - jackaltx.solti_ensemble.wireguard

With Variables

- hosts: database_servers
  vars:
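    # Root password is referenced from a vaulted variable, not written inline
    mariadb_mysql_root_password: "{{ vault_mariadb_root }}"
    mariadb_security: true
    # 0.0.0.0 listens on every interface; limit who can reach the port
    # with a firewall, or bind to a specific address instead
    mariadb_bind_address: "0.0.0.0"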
  roles:
    - jackaltx.solti_ensemble.mariadb

Documentation Structure

This book is organized into chapters:

  1. Getting Started - Installation and quick start
  2. Infrastructure Services - Database, storage, networking
  3. Security Tools - Hardening and auditing
  4. Development Tools - IDE, containers, Git hosting
  5. Application Services - Ghost, ISPConfig utilities
  6. Testing Framework - Molecule, verification, CI/CD
  7. Reference Deployments - Real-world examples

Reference Deployment

Production Example (ispconfig3-server.example.com):

  • WireGuard client for secure monitoring
  • MariaDB for ISPConfig database
  • SSHD hardening applied
  • NFS client for shared storage
  • Fail2ban for intrusion prevention

Characteristics:

  • Linode VPS (public cloud)
  • Debian-based
  • Multiple ensemble services deployed
  • Integration with solti-monitoring

Next Steps

For New Users:

  • Start with "Getting Started" chapter
  • Review specific role documentation
  • Check example playbooks

For Integration:

  • See "Integration Patterns" for connecting services
  • Review "Security Best Practices"
  • Check "Testing Framework" for validation

References

  • GitHub Repository: http://github.com/jackaltx/solti_ensemble_collection
  • Documentation: http://docs.jackaltx.com
  • Issues: http://github.com/jackaltx/solti_ensemble_collection/issue/tracker
  • Part of SOLTI Ecosystem: See solti-monitoring, solti-containers, solti-conductor