Merge pull request 'Linter + Dashboard fixes' (#3) from more-linter into main

Reviewed-on: bitlair/ansible#3
Mark Janssen 2024-07-31 21:19:08 +02:00
commit 9ac932a92e
46 changed files with 289 additions and 397 deletions


@ -1,63 +1,62 @@
---
- hosts: all
gather_facts: true
roles:
- { role: "common", tags: [ "common" ] }
- { role: "nft", tags: [ "nft" ] }
- { role: "common", tags: ["common"] }
- { role: "nft", tags: ["nft"] }
- hosts: bank
roles:
- { role: "bank", tags: [ "bank" ] }
- { role: "bank", tags: ["bank"] }
- hosts: raspi
roles:
- { role: "raspi", tags: [ "raspi" ] }
- { role: "bank-terminal", tags: [ "bank-terminal" ] }
- { role: "raspi", tags: ["raspi"] }
- { role: "bank-terminal", tags: ["bank-terminal"] }
- hosts: fotos
roles:
- { role: "photos", tags: [ "photos" ] }
- { role: "photos", tags: ["photos"] }
- hosts: git-ci
roles:
- { role: "git-ci", tags: [ "git-ci" ] }
- { role: "git-ci", tags: ["git-ci"] }
- hosts: git
roles:
- { role: "acme", tags: [ "acme" ] }
- { role: "nginx", tags: [ "nginx" ] }
- { role: "git-server", tags: [ "git-server" ] }
- { role: "acme", tags: ["acme"] }
- { role: "nginx", tags: ["nginx"] }
- { role: "git-server", tags: ["git-server"] }
- hosts: monitoring
roles:
- { role: "acme", tags: [ "acme" ] }
- { role: "nginx", tags: [ "nginx" ] }
- { role: "monitoring", tags: [ "monitoring" ] }
- { role: "acme", tags: ["acme"] }
- { role: "nginx", tags: ["nginx"] }
- { role: "monitoring", tags: ["monitoring"] }
- hosts: mqtt
roles:
- { role: "mqtt", tags: [ "mqtt" ] }
- { role: "mqtt", tags: ["mqtt"] }
- hosts: music
roles:
- { role: "acme", tags: [ "acme" ] }
- { role: "go", tags: [ "go" ] }
- { role: "music", tags: [ "music" ] }
- { role: "acme", tags: ["acme"] }
- { role: "go", tags: ["go"] }
- { role: "music", tags: ["music"] }
- hosts: pad
roles:
- { role: "acme", tags: [ "acme" ] }
- { role: "nginx", tags: [ "nginx" ] }
- { role: "etherpad", tags: [ "etherpad" ] }
- { role: "acme", tags: ["acme"] }
- { role: "nginx", tags: ["nginx"] }
- { role: "etherpad", tags: ["etherpad"] }
- hosts: services
roles:
- { role: "services", tags: [ "services" ] }
- { role: "services", tags: ["services"] }
- hosts: wiki
roles:
- { role: "acme", tags: [ "acme" ] }
- { role: "nginx", tags: [ "nginx" ] }
- { role: "www", tags: [ "www" ] }
- { role: "acme", tags: ["acme"] }
- { role: "nginx", tags: ["nginx"] }
- { role: "www", tags: ["www"] }


@ -1,7 +1,7 @@
monitoring_domain: dashboard.bitlair.nl
monitoring_bootstrap_cert: no
acme_san_domains:
- ["{{ monitoring_domain }}", monitoring.bitlair.nl]
- ["{{ monitoring_domain }}"]
group_nft_input:
- "# Allow web-traffic from world"
@ -21,6 +21,7 @@ prometheus_scrape_configs:
- "lights.bitlair.nl:9100"
- "music.bitlair.nl:9100"
- "service.bitlair.nl:9100"
- "user.bitlair.nl:9100"
- job_name: "mqtt"
static_configs:
- targets: [ "localhost:9883" ]
@ -34,6 +35,7 @@ prometheus_scrape_configs:
- https://bitlair.nl
- https://git.bitlair.nl
- https://pad.bitlair.nl
- https://user.bitlair.nl
# Legacy
- https://wiki.bitlair.nl
- https://portal.bitlair.nl
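Review bot: Removing `monitoring.bitlair.nl` from `acme_san_domains` means the next dehydrated run issues a certificate that no longer covers that name, so any client or link still using it gets a TLS name mismatch; the blackbox list further down still probes hostnames marked `# Legacy`, which suggests old names are still in circulation. Confirm the nginx server_name/server_alias for this host and external references no longer use it, or keep it in the list until they are migrated. Separately, `monitoring_bootstrap_cert: no` on the second context line is a YAML 1.1 truthy that yamllint flags while the rest of this PR converts `yes` to `true`; `monitoring_bootstrap_cert: false` keeps the file consistent with that pass.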


@ -40,7 +40,7 @@
- name: Symlink SAN domains
ansible.builtin.include_tasks:
file: san_domains_loop.yaml
loop: "{{ acme_san_domains|default([]) }}"
loop: "{{ acme_san_domains | default([]) }}"
loop_control:
loop_var: domains


@ -1,30 +1,27 @@
---
- name: update grub
- name: Update grub
ansible.builtin.command:
cmd: update-grub
- name: reboot
ansible.builtin.reboot:
- name: apt update
- name: Apt update
ansible.builtin.apt:
update_cache: true
- name: daemon reload
- name: Daemon reload
ansible.builtin.systemd:
daemon_reload: true
- name: reload sshd
- name: Reload sshd
ansible.builtin.systemd:
name: ssh
state: reloaded
- name: reload nginx
- name: Reload nginx
ansible.builtin.systemd:
name: nginx
state: reloaded
- name: persist iptables
- name: Persist iptables
ansible.builtin.shell: "{{ item.c }}-save > /etc/iptables/rules.{{ item.ip }}"
with_items:
- { c: iptables, ip: v4 }
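Review bot: The `reboot` handler has no counterpart on the new side of this hunk, so every `notify: reboot` this PR removes (the sysctl forwarding, GRUB_CMDLINE and network-interfaces tasks in common, the GRUB_CMDLINE_LINUX_DEFAULT task tagged questagent, and the raspi display_rotate and slaac tasks) now takes effect only at the next manual reboot; if that is intended, a comment on those tasks such as `# No automatic reboot: change applies after the next manual reboot` would spare the next operator a surprise. `Persist iptables` is kept even though this PR deletes every iptables task that notified it (common, etherpad, git-server, monitoring, siahsd, mediawiki, mqtt); unless a role outside this diff still notifies it, it is dead code and should go with them. The `with_items` list of the last handler continues past the end of the hunk.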


@ -21,9 +21,6 @@
ansible.builtin.apt:
upgrade: full
- name: Reboot
ansible.builtin.reboot:
- name: autoremove
ansible.builtin.apt:
autoremove: yes
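Review bot: `autoremove: yes` on the last line is left as a YAML 1.1 truthy while the rest of this PR converts the same spelling to `true`; `autoremove: true` closes the gap. The hunk also shrinks by three lines with the `Reboot` task pair having no visible counterpart, so if that task is what was removed, kernel and libc updates pulled in by `upgrade: full` stay pending until someone reboots by hand; the rendered page lost the markers, so verify against the raw diff and, if confirmed, say so in a comment on the upgrade task.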


@ -76,6 +76,7 @@
- vim
- unattended-upgrades
- apt-listchanges
- sudo-ldap
- name: Configure FZF for Bash
ansible.builtin.lineinfile:
@ -96,7 +97,7 @@
path: /etc/default/grub
regexp: '^GRUB_TIMEOUT='
line: "GRUB_TIMEOUT=1 # Managed by Ansible"
notify: update grub
notify: Update grub
- name: Configure cron email
ansible.builtin.lineinfile:
@ -118,63 +119,5 @@
- regexp: '^#?DebianBanner'
line: 'DebianBanner no'
when: manage_sshd_config | default(true)
notify: reload sshd
notify: Reload sshd
- name: Allow SSH
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ ssh_port }}"
ctstate: NEW
jump: ACCEPT
ip_version: "{{ item }}"
with_items:
- ipv4
- ipv6
notify: persist iptables
when: not nft | bool
- name: Allow ICMP
ansible.builtin.iptables:
chain: INPUT
protocol: "{{ item.proto }}"
jump: ACCEPT
ip_version: "{{ item.ip }}"
with_items:
- { ip: ipv4, proto: icmp }
- { ip: ipv6, proto: ipv6-icmp }
notify: persist iptables
when: not nft | bool
- name: Allow related and established connections
ansible.builtin.iptables:
chain: INPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
ip_version: "{{ item }}"
with_items:
- ipv4
- ipv6
notify: persist iptables
when: not nft | bool
- name: Allow local connections
ansible.builtin.iptables:
chain: INPUT
source: "{{ item.cidr }}"
jump: ACCEPT
ip_version: "{{ item.v }}"
with_items: "{{ trusted_ranges }}"
notify: persist iptables
when: not nft | bool
- name: Deny inbound connections
ansible.builtin.iptables:
chain: INPUT
policy: DROP
ip_version: "{{ item }}"
with_items:
- ipv4
- ipv6
notify: persist iptables
when: not nft | bool
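Review bot: Deleting the iptables tasks at the end of this hunk removes the only host firewall this role applied when `nft` is false — the INPUT `policy: DROP` together with the SSH, ICMP, established and trusted-range allows — so a host with `nft: false` now ends up with an open INPUT chain instead of the previous fallback. site.yaml applies the `nft` role to every host, which suggests the fallback is considered dead; if so, the `nft` variable and any remaining `when: not nft | bool` guards should be retired in the same change so nobody is left with a half-migrated state. The same deletion happens in etherpad, git-server, monitoring, siahsd, mediawiki and mqtt; check that each of those ports has a matching `group_nft_input` entry (the monitoring group_vars show the pattern). Adding `sudo-ldap` to the package list replaces stock `sudo` with a build that also reads sudoers rules from LDAP, which changes who can escalate on every host; nothing in the hunks shown configures `/etc/sudo-ldap.conf` or the directory it trusts, so either that lives elsewhere or the package should arrive together with its config and a comment stating where the sudoers rules now come from.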


@ -13,7 +13,6 @@
with_items:
- { k: net.ipv4.ip_forward, v: "1" }
- { k: net.ipv6.conf.all.forwarding, v: "1" }
notify: reboot
when: network_br
- name: Make network interfaces really predictable
@ -22,8 +21,7 @@
regexp: ^GRUB_CMDLINE_LINUX
line: 'GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0" # Managed by Ansible'
notify:
- update grub
- reboot
- Update grub
when: network_br or network_dhcp or network_static
- name: Configure network interfaces
@ -33,7 +31,6 @@
owner: root
group: root
mode: 0644
notify: reboot
when: network_br or network_dhcp or network_static
- ansible.builtin.meta: flush_handlers
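Review bot: `mode: 0644` on the Configure network interfaces task is still a bare octal, while this PR quotes the same value as `"0644"` in trollibox, siahsd, discord-bot, wifi-mqtt and spaceapi; a YAML 1.1 loader reads `0644` as the integer 420 and ansible-lint's risky-octal rule flags it, so this file should use the quoted form `mode: "0644"` too. The same unquoted modes remain in etherpad, git-ci, git-server, go, mastodon-spacestate, power-mqtt and mediawiki, so the quoting pass is only partially applied across the repository.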


@ -12,7 +12,6 @@
regexp: ^GRUB_CMDLINE_LINUX_DEFAULT
line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet console=ttyS0,115200n1 console=tty0"'
notify:
- update grub
- reboot
- Update grub
tags:
- questagent


@ -2,5 +2,5 @@
{% for name in root_access %}
# {{ name }}
{{ lookup('file', 'authorized_keys/'+name+'.keys') }}
{{ lookup('file', 'authorized_keys/' + name + '.keys') }}
{% endfor %}


@ -1,9 +1,9 @@
# {{ ansible_managed }}
{% if debian_source_repos|default(false) %}
{% set SRC = "" %}
{% if debian_source_repos | default(false) %}
{% set SRC = "" %}
{% else %}
{% set SRC = "# " %}
{% set SRC = "# " %}
{% endif %}
{% set components = "main contrib non-free-firmware" %}


@ -2,7 +2,7 @@
- ansible.builtin.import_tasks:
file: ../../common/handlers/main.yaml
- name: restart etherpad
- name: Restart etherpad
ansible.builtin.systemd:
name: etherpad
state: restarted


@ -15,7 +15,7 @@
-o /usr/share/keyrings/nodesource.gpg
args:
creates: /usr/share/keyrings/nodesource.gpg
notify: apt update
notify: Apt update
- name: Install nodesource source list
ansible.builtin.template:
@ -24,7 +24,7 @@
owner: root
group: root
mode: 0644
notify: apt update
notify: Apt update
- name: Install nodejs apt preference
ansible.builtin.template:
@ -33,7 +33,7 @@
owner: root
group: root
mode: 0644
notify: apt update
notify: Apt update
- ansible.builtin.meta: flush_handlers
@ -88,7 +88,7 @@
version: master
dest: /opt/etherpad
accept_hostkey: yes
notify: restart etherpad
notify: Restart etherpad
- name: Install etherpad config
ansible.builtin.template:
@ -97,7 +97,7 @@
owner: root
group: root
mode: 0644
notify: restart etherpad
notify: Restart etherpad
- name: Install etherpad service
ansible.builtin.template:
@ -106,14 +106,14 @@
owner: root
group: root
mode: 0644
notify: restart etherpad
notify: Restart etherpad
- name: Start etherpad
ansible.builtin.systemd:
daemon_reload: true
name: etherpad
state: started
enabled: yes
enabled: true
- name: Install nginx config
ansible.builtin.template:
@ -122,21 +122,5 @@
owner: root
group: root
mode: 0644
notify: reload nginx
notify: Reload nginx
- name: Allow HTTP and HTTPS
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ item.port }}"
ctstate: NEW
jump: ACCEPT
ip_version: "{{ item.ip }}"
action: insert
with_items:
- { ip: ipv4, port: 80 }
- { ip: ipv4, port: 443 }
- { ip: ipv6, port: 80 }
- { ip: ipv6, port: 443 }
notify: persist iptables
when: not nft | bool
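Review bot: `accept_hostkey: yes` on the etherpad git clone is left as a YAML 1.1 truthy although this PR converts the same key to `true` in www/mqtt.yaml and spaceapi.yaml; the same `yes` remains in librespot, mpd (skipbutton), soundboard, discord-bot, irc-bot, mastodon-spacestate, spacestated and wifi-mqtt, so the truthy pass is incomplete for this key. Beyond style, `accept_hostkey` makes the first clone trust whatever host key the remote presents, so a comment such as `# accept_hostkey is trust-on-first-use; pre-seed known_hosts if the remote's key is known` would make that trust decision visible. The clone also tracks `version: master`, a moving branch rather than a tag or commit, which is what the `Restart etherpad` handler then deploys without review.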


@ -1,3 +1,5 @@
---
collections:
- name: community.postgresql
version: 2.3.2


@ -1,50 +1,50 @@
---
- tags: forgejo_runner
block:
- name: Install dependencies
ansible.builtin.apt:
name: docker.io
- name: Download forgejo-runner
ansible.builtin.get_url:
url: "https://code.forgejo.org/forgejo/runner/releases/download/v{{ runner_version }}/forgejo-runner-{{ runner_version }}-linux-amd64"
dest: /usr/local/bin/forgejo-runner
mode: 0755
notify: restart forgejo-runner
- name: Install dependencies
ansible.builtin.apt:
name: docker.io
- name: Create runner dir
ansible.builtin.file:
state: directory
path: "{{ runner_wd }}"
owner: root
group: root
mode: 0755
- name: Download forgejo-runner
ansible.builtin.get_url:
url: "https://code.forgejo.org/forgejo/runner/releases/download/v{{ runner_version }}/forgejo-runner-{{ runner_version }}-linux-amd64"
dest: /usr/local/bin/forgejo-runner
mode: 0755
notify: restart forgejo-runner
- name: Register runner
ansible.builtin.command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ lookup('passwordstore', 'git/ci subkey=runner_token') }}"
args:
chdir: "{{ runner_wd }}"
creates: "{{ runner_wd }}/.runner"
- name: Create runner dir
ansible.builtin.file:
state: directory
path: "{{ runner_wd }}"
owner: root
group: root
mode: 0755
- name: Install service file
ansible.builtin.template:
src: forgejo-runner.service
dest: /etc/systemd/system/forgejo-runner.service
owner: root
group: root
mode: 0644
notify: restart forgejo-runner
- name: Register runner
ansible.builtin.command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ lookup('passwordstore', 'git/ci subkey=runner_token') }}"
args:
chdir: "{{ runner_wd }}"
creates: "{{ runner_wd }}/.runner"
- name: Enable service
ansible.builtin.systemd:
name: forgejo-runner
enabled: yes
daemon_reload: true
- name: Install service file
ansible.builtin.template:
src: forgejo-runner.service
dest: /etc/systemd/system/forgejo-runner.service
owner: root
group: root
mode: 0644
notify: restart forgejo-runner
- name: Start service
ansible.builtin.systemd:
name: forgejo-runner
state: started
daemon_reload: true
- name: Enable service
ansible.builtin.systemd:
name: forgejo-runner
enabled: true
daemon_reload: true
- ansible.builtin.meta: flush_handlers
- name: Start service
ansible.builtin.systemd:
name: forgejo-runner
state: started
daemon_reload: true
- name: Flush handlers
ansible.builtin.meta: flush_handlers
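Review bot: The Register runner command still passes the runner token on the command line via `lookup('passwordstore', ...)`; Ansible records the full `cmd` in the task result on failure and at higher verbosity, so the task should carry `no_log: true`, and the token is also visible in the host's process list while the command runs. The `notify: restart forgejo-runner` lines stay lowercase while every other role in this PR renames handlers to `Restart …`; if this role's handlers file was capitalised as well, these notifies fail at runtime with a missing-handler error, so check them against it. The get_url download of the runner binary has no `checksum:`, so a tampered or truncated download is installed as 0755 without detection; if the release provides a digest, pinning it per `runner_version` closes that gap.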


@ -14,14 +14,14 @@
owner: root
group: root
mode: 0644
notify: reload nginx
notify: Reload nginx
- name: Enable nginx site
ansible.builtin.file:
src: /etc/nginx/sites-available/forgejo
dest: /etc/nginx/sites-enabled/forgejo
state: link
notify: reload nginx
notify: Reload nginx
- name: Create user
ansible.builtin.user:
@ -38,7 +38,6 @@
group: "{{ git_server_user }}"
mode: 0755
# TODO: Install initial config
- name: Install service file
@ -48,7 +47,7 @@
owner: root
group: root
mode: 0644
notify: reload forgejo
notify: Reload forgejo
- name: Install update script
ansible.builtin.template:
@ -62,12 +61,12 @@
ansible.builtin.command: "{{ git_server_working_dir }}/update.sh"
args:
creates: "{{ git_server_working_dir }}/forgejo"
notify: reload forgejo
notify: Reload forgejo
- name: Enable service
ansible.builtin.systemd:
name: forgejo
enabled: yes
enabled: true
daemon_reload: true
- name: Start service
@ -81,24 +80,6 @@
src: cronjob
dest: /etc/cron.d/forgejo
- name: Allow Git SSH, HTTP and HTTPS
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ item.port }}"
ctstate: NEW
jump: ACCEPT
ip_version: "{{ item.ip }}"
action: insert
with_items:
- { ip: ipv4, port: 80 }
- { ip: ipv4, port: 22 }
- { ip: ipv4, port: 443 }
- { ip: ipv6, port: 80 }
- { ip: ipv6, port: 22 }
- { ip: ipv6, port: 443 }
notify: persist iptables
when: not nft | bool
- ansible.builtin.debug:
msg: If Forgejo has not been setup yet, please do so manually.
- name: Debug
ansible.builtin.debug:
msg: "If Forgejo has not been setup yet, please do so manually."
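Review bot: The new task name `Debug` at the end of the hunk says nothing about what the message is for; `- name: Remind operator that Forgejo needs manual initial setup` satisfies the name rule and documents the task. The `# TODO: Install initial config` comment above the service-file task is dropped without the config being installed, which is presumably what the debug message is still compensating for; either keep the TODO or point the message to where the manual steps are written down. `mode: 0755` on the working-directory task is another unquoted octal this lint pass leaves behind.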


@ -19,11 +19,11 @@
register: go_latest_version_shell
- name: Format Go latest version variable
set_fact:
ansible.builtin.set_fact:
go_latest_version: "{{ go_latest_version_shell.stdout }}"
- name: Detect installed Go version
shell: "go version | grep --color=never -Po '\\d\\.\\d+(\\.\\d+)?' || echo none"
ansible.builtin.shell: "go version | grep --color=never -Po '\\d\\.\\d+(\\.\\d+)?' || echo none"
register: go_installed_version_shell
changed_when: false
@ -31,19 +31,20 @@
set_fact:
go_installed_version: "{{ go_installed_version_shell.stdout }}"
- debug:
- name: Debug
ansible.builtin.debug:
msg:
- "Latest Go version: {{ go_latest_version}}"
- "Installed Go version: {{ go_installed_version }}"
- name: Remove installed go
file:
ansible.builtin.file:
state: absent
path: /usr/local/go
when: go_installed_version != go_latest_version
- name: Install Go
unarchive:
ansible.builtin.unarchive:
src: https://go.dev/dl/go{{ go_latest_version }}.linux-{{ go_arch }}.tar.gz
dest: /usr/local
remote_src: yes
@ -52,7 +53,7 @@
when: go_installed_version != go_latest_version
- name: Configure Go environment
template:
ansible.builtin.template:
src: go.profile
dest: /etc/profile.d/go.sh
owner: root
@ -60,7 +61,7 @@
mode: 0644
- name: Link go binary
file:
ansible.builtin.file:
state: link
src: /usr/local/go/bin/go
dest: /usr/local/bin/go
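Review bot: `set_fact:` in the Format installed Go version task (top of the second hunk) is still the short module name while the two tasks just above it are moved to `ansible.builtin.set_fact` / `ansible.builtin.shell` in this same PR, so the FQCN pass misses one task in this file; `remote_src: yes` in the unarchive task is likewise left as a truthy. The debug message `"Latest Go version: {{ go_latest_version}}"` is missing the space before the closing braces; it renders, but `{{ go_latest_version }}` matches the line below it. Nothing here pins the toolchain that is unpacked into /usr/local: the tarball URL is built from a version taken from a registered command result earlier in the file and no digest is verified, which deserves either a checksum check or a comment naming it as accepted risk.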


@ -7,35 +7,20 @@
owner: root
group: root
mode: 0644
notify: reload nginx
notify: Reload nginx
- name: Enable nginx site
ansible.builtin.file:
src: /etc/nginx/sites-available/monitoring
dest: /etc/nginx/sites-enabled/monitoring
state: link
notify: reload nginx
notify: Reload nginx
- name: Start nginx
ansible.builtin.systemd:
name: nginx
state: started
enabled: yes
- name: Allow HTTP/HTTPS
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ item.port }}"
ctstate: NEW
jump: ACCEPT
ip_version: "{{ item.ip }}"
action: insert
with_items:
- { ip: ipv6, port: 80 }
- { ip: ipv6, port: 443 }
notify: persist iptables
when: not nft | bool
enabled: true
- name: mqtt_exporter
tags: mqtt_exporter


@ -69,6 +69,9 @@ level = info
[grafana_com]
url = https://grafana.com
[auth]
oauth_allow_insecure_email_lookup=true
[auth.anonymous]
enabled = true
org_name = Bitlair
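Review bot: `oauth_allow_insecure_email_lookup=true` in the new `[auth]` block lets Grafana match an incoming OAuth login to an existing user by e-mail address; Grafana ships this off because when the identity provider does not verify e-mail addresses, anyone who can set their own e-mail to an admin's address logs in as that admin. Before leaving it on, confirm that the provider in use enforces verified e-mail, and record the reason next to the setting, e.g. `; needed so <provider> logins map onto the pre-existing local accounts; <provider> verifies e-mail addresses`. The `[auth.anonymous]` section below keeps anonymous access enabled as well, so this host's login surface is worth a second look as a whole. Which provider is configured is not visible in this hunk and is presumably elsewhere in grafana.ini.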


@ -29,4 +29,4 @@
ansible.builtin.systemd:
name: mosquitto
state: started
enabled: yes
enabled: true


@ -2,37 +2,37 @@
- ansible.builtin.import_tasks:
file: ../../common/handlers/main.yaml
- name: restart trollibox
- name: Restart trollibox
ansible.builtin.systemd:
name: trollibox
state: restarted
daemon_reload: true
- name: rebuild librespot
- name: Rebuild librespot
ansible.builtin.command:
cmd: /root/.cargo/bin/cargo build --release --features jackaudio-backend
args:
chdir: /opt/librespot
- name: restart librespot
- name: Restart librespot
ansible.builtin.systemd:
name: librespot
state: restarted
daemon_reload: true
- name: restart soundboard
- name: Restart soundboard
ansible.builtin.systemd:
name: soundboard
state: restarted
daemon_reload: true
- name: restart mpd-volume-to-mqtt
- name: Restart mpd-volume-to-mqtt
ansible.builtin.systemd:
name: mpd-volume-to-mqtt
state: restarted
daemon_reload: true
- name: restart skipbutton
- name: Restart skipbutton
ansible.builtin.systemd:
name: skipbutton
state: restarted


@ -11,8 +11,8 @@
dest: /opt/librespot
accept_hostkey: yes
notify:
- rebuild librespot
- restart librespot
- Rebuild librespot
- Restart librespot
- name: Install service file
ansible.builtin.template:
@ -21,7 +21,7 @@
owner: root
group: root
mode: 0644
notify: restart librespot
notify: Restart librespot
- name: Enable Librespot
ansible.builtin.systemd:


@ -1,28 +1,34 @@
---
- tags: music_mpd
- name: Import mpd
ansible.builtin.import_tasks:
file: mpd.yaml
tags:
- music_mpd
- tags: music_trollibox
- name: Import trollibox
ansible.builtin.import_tasks:
file: trollibox.yaml
tags:
- music_trollibox
- tags: music_librespot
- name: Librespot
ansible.builtin.import_tasks:
file: librespot.yaml
tags:
- music_librespot
- tags: music_soundboard
- name: Soundboard
ansible.builtin.import_tasks:
file: soundboard.yaml
tags:
- music_soundboard
- tags: music
block:
- name: Install nginx config
ansible.builtin.template:
src: nginx-site.conf
dest: /etc/nginx/sites-enabled/trollibox
owner: root
group: root
mode: 0644
notify: reload nginx
- name: Install nginx config
ansible.builtin.template:
src: nginx-site.conf
dest: /etc/nginx/sites-enabled/trollibox
owner: root
group: root
mode: 0644
notify: Reload nginx
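Review bot: The `tags: music` block wrapper around the nginx-config task appears to be dropped in this rewrite — the old `- tags: music` / `block:` pair has no counterpart on the new side and the new task carries no `tags` key — so a run with `--tags music` would no longer install the trollibox nginx site while the four imports keep their tags. The rendered page lost the +/- markers, so verify against the raw diff; if the tag was meant to stay, add `tags: [music]` to the task. The import task names also alternate between `Import mpd` / `Import trollibox` and bare `Librespot` / `Soundboard`; one form throughout reads better.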


@ -1,4 +1,5 @@
---
- name: Install MPD
ansible.builtin.apt:
name:
@ -15,7 +16,7 @@
owner: root
group: root
mode: 0644
notify: restart mpd-volume-to-mqtt
notify: Restart mpd-volume-to-mqtt
- name: Install mpd-volume-to-mqtt service
ansible.builtin.template:
@ -24,7 +25,7 @@
owner: root
group: root
mode: 0644
notify: restart mpd-volume-to-mqtt
notify: Restart mpd-volume-to-mqtt
- name: Enable mpd-volume-to-mqtt
ansible.builtin.systemd:
@ -39,7 +40,7 @@
version: master
dest: /opt/skipbutton
accept_hostkey: yes
notify: restart skipbutton
notify: Restart skipbutton
- name: Install skipbutton service
ansible.builtin.template:
@ -48,7 +49,7 @@
owner: root
group: root
mode: 0644
notify: restart skipbutton
notify: Restart skipbutton
- name: Enable skipbutton
ansible.builtin.systemd:


@ -10,7 +10,7 @@
version: main
dest: /opt/soundboard
accept_hostkey: yes
notify: restart soundboard
notify: Restart soundboard
- name: Create virtualenv
ansible.builtin.command:
@ -31,7 +31,7 @@
owner: root
group: root
mode: 0644
notify: restart soundboard
notify: Restart soundboard
- name: Install soundboard service file
ansible.builtin.template:
@ -40,7 +40,7 @@
owner: root
group: root
mode: 0644
notify: restart soundboard
notify: Restart soundboard
- name: Enable soundboard
ansible.builtin.systemd:


@ -5,8 +5,8 @@
dest: /etc/trollibox.yaml
owner: root
group: root
mode: 0644
notify: restart trollibox
mode: "0644"
notify: Restart trollibox
- name: Get latest Trollibox version from Github API
ansible.builtin.get_url:
@ -25,8 +25,8 @@
remote_src: yes
dest: /usr/local/bin
include: [ trollibox ]
mode: 0755
notify: restart trollibox
mode: "0755"
notify: Restart trollibox
- name: Install service file
ansible.builtin.template:
@ -34,8 +34,8 @@
dest: /etc/systemd/system/trollibox.service
owner: root
group: root
mode: 0644
notify: restart trollibox
mode: "0644"
notify: Restart trollibox
- name: Enable Trollibox
ansible.builtin.systemd:


@ -73,15 +73,15 @@ set trusted6 {
} accept
# Open ssh only for trusted machines
ip saddr @trusted4 tcp dport { {{ trusted_ports|join(', ') }} } accept
ip6 saddr @trusted6 tcp dport { {{ trusted_ports|join(', ') }} } accept
ip saddr @trusted4 tcp dport { {{ trusted_ports | join(', ') }} } accept
ip6 saddr @trusted6 tcp dport { {{ trusted_ports | join(', ') }} } accept
# Rules based on group-vars
{% for custom in nft_group_rules %}
{% if custom.comment is defined %}
# {{ custom.comment|default('') }}
# {{ custom.comment | default('') }}
{% endif %}
{{ custom.version|default('ip') }} saddr { {{ custom.from | join(', ') }} } {{ custom.proto | default('tcp') }} dport { {{ custom.port }} } {{ custom.policy | default('accept') }}
{{ custom.version | default('ip') }} saddr { {{ custom.from | join(', ') }} } {{ custom.proto | default('tcp') }} dport { {{ custom.port }} } {{ custom.policy | default('accept') }}
{% endfor %}


@ -4,7 +4,6 @@ nginx_package: "nginx-light"
nginx_user: "www-data"
nginx_modules_dir: "/etc/nginx/modules-enabled"
nginx_tls_version: "TLSv1.2 TLSv1.3"
nginx_tls_cipherlist: "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:!SHA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
nginx_tls_curve: "prime256v1:secp384r1"
@ -14,4 +13,3 @@ nginx_ssl_stapling: "on"
nginx_ssl_stapling_verify: "on"
nginx_wk_acme: "/var/lib/dehydrated/acme-challenges"
nginx_client_max_body_size: "32m"
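Review bot: The hunk headers (-4,7 +4,6 and -14,4 +13,3) say one line leaves each hunk, and on the rendered page `nginx_tls_version: "TLSv1.2 TLSv1.3"` is the only visible candidate in the first; if that variable is indeed removed, confirm no template still renders `{{ nginx_tls_version }}` (the `tls_params` include, for instance) and that the protocol floor is still set somewhere, since dropping an explicit `ssl_protocols` falls back to nginx's compiled default. If the removed lines are only trailing blank lines or whitespace, ignore this. The raw diff would settle it; the rendered page lost the markers.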


@ -4,7 +4,7 @@ server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ site.server_name|default(inventory_hostname) }}{% if site.server_alias is defined %} {{ site.server_alias }}{% endif %};
server_name {{ site.server_name | default(inventory_hostname) }}{% if site.server_alias is defined %} {{ site.server_alias }}{% endif %};
include /etc/nginx/tls_params;
ssl_certificate /var/lib/dehydrated/certs/{{ site.server_name }}/fullchain.pem;
@ -28,7 +28,7 @@ server {
# Include snippets
{% for file in site.snippets | default([]) %}
{% include "snippets/" ~ file %}
{% include "snippets/" ~ file %}
{% endfor %}
# Per site configuration


@ -33,5 +33,5 @@
ansible.builtin.systemd:
name: bambulab-fetch
state: started
enabled: yes
enabled: true
daemon_reload: true


@ -33,5 +33,5 @@
ansible.builtin.systemd:
name: photo-gallery
state: started
enabled: yes
enabled: true
daemon_reload: true


@ -31,5 +31,5 @@
ansible.builtin.systemd:
name: photos2mqtt
state: started
enabled: yes
enabled: true
daemon_reload: true


@ -15,7 +15,7 @@
- name: Enable sshd
ansible.builtin.systemd:
name: sshd
enabled: yes
enabled: true
state: started
- name: Rotate display
@ -24,7 +24,6 @@
line: "display_rotate={{ raspi_rotate_display }} # Managed by Ansible"
regexp: "^#?display_rotate"
when: raspi_rotate_display is defined
notify: reboot
- name: Disable swap
block:
@ -45,4 +44,3 @@
path: /etc/dhcpcd.conf
line: "slaac hwaddr # Managed by Ansible"
regexp: "^#?slaac"
notify: reboot


@ -2,55 +2,55 @@
- ansible.builtin.import_tasks:
file: ../../common/handlers/main.yaml
- name: restart irc-bot
- name: Restart irc-bot
ansible.builtin.systemd:
name: irc-bot
state: restarted
daemon_reload: true
- name: restart irc-photos
- name: Restart irc-photos
ansible.builtin.systemd:
name: irc-photos
state: restarted
daemon_reload: true
- name: restart irc-doorduino
- name: Restart irc-doorduino
ansible.builtin.systemd:
name: irc-doorduino
state: restarted
daemon_reload: true
- name: restart discord-bot
- name: Restart discord-bot
ansible.builtin.systemd:
name: discord-bot
state: restarted
daemon_reload: true
- name: restart siahsd
- name: Restart siahsd
ansible.builtin.systemd:
name: siahsd
state: restarted
daemon_reload: true
- name: restart spacestated
- name: Restart spacestated
ansible.builtin.systemd:
name: spacestated
state: restarted
daemon_reload: true
- name: restart mastodon-spacestate
- name: Restart mastodon-spacestate
ansible.builtin.systemd:
name: mastodon-spacestate
state: restarted
daemon_reload: true
- name: restart wifi-mqtt
- name: Restart wifi-mqtt
ansible.builtin.systemd:
name: wifi-mqtt
state: restarted
daemon_reload: true
- name: restart power-mqtt
- name: Restart power-mqtt
ansible.builtin.systemd:
name: power-mqtt
state: restarted


@ -1,4 +1,5 @@
---
- name: Install dependencies
ansible.builtin.apt:
name:
@ -24,7 +25,8 @@
version: main
dest: /var/lib/discord-bot
accept_hostkey: yes
notify: restart discord-bot
notify: Restart discord-bot
ignore_errors: true
- name: Install service file
ansible.builtin.template:
@ -32,12 +34,12 @@
dest: /etc/systemd/system/discord-bot.service
owner: root
group: root
mode: 0644
notify: restart discord-bot
mode: "0644"
notify: Restart discord-bot
- name: Start discord-bot
ansible.builtin.systemd:
name: discord-bot
state: started
enabled: yes
enabled: true
daemon_reload: true
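Review bot: `ignore_errors: true` added after the Clone source notify means a failed clone — remote unreachable, host key rejected, or a fetch error — no longer stops the play, and the Install service file and Start tasks below run against whatever is on disk; the same line is added to the irc-bot, mastodon-spacestate, spacestated and wifi-mqtt clone tasks. If the intent is to tolerate one specific condition (local modifications on a rerun, an upstream that is down), narrow it instead, e.g. `register: clone` plus `failed_when: clone.failed and '<tolerated error text>' not in clone.msg`, so a genuine failure still surfaces. Otherwise a comment stating which error is being tolerated lets a reader judge whether it is still needed.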


@ -5,7 +5,8 @@
version: master
dest: /var/lib/irc-bot
accept_hostkey: yes
notify: restart irc-bot
ignore_errors: true
notify: Restart irc-bot
- name: Link irc-say
ansible.builtin.file:
@ -23,13 +24,13 @@
vars:
description: Bitlair IRC bot
exec: /bin/bash /var/lib/irc-bot/irc-bot
notify: restart irc-bot
notify: Restart irc-bot
- name: Start irc-bot
ansible.builtin.systemd:
name: irc-bot
state: started
enabled: yes
enabled: true
daemon_reload: true
- name: Create helpers dir
@ -44,7 +45,7 @@
owner: root
group: root
mode: 0755
notify: restart irc-photos
notify: Restart irc-photos
- name: Install photos notification service
ansible.builtin.template:
@ -57,13 +58,13 @@
description: Bitlair IRC photos notification
requires: irc-bot.service
exec: /bin/bash /var/lib/irc-helpers/photos.sh
notify: restart irc-photos
notify: Restart irc-photos
- name: Start irc-photos
ansible.builtin.systemd:
name: irc-photos
state: started
enabled: yes
enabled: true
daemon_reload: true
- name: Install doorduino notification
@ -73,7 +74,7 @@
owner: root
group: root
mode: 0755
notify: restart irc-doorduino
notify: Restart irc-doorduino
- name: Install doorduino notification service
ansible.builtin.template:
@ -86,11 +87,11 @@
description: Bitlair IRC doorduino notification
requires: irc-bot.service
exec: /bin/bash /var/lib/irc-helpers/doorduino.sh
notify: restart irc-doorduino
notify: Restart irc-doorduino
- name: Start irc-doorduino
ansible.builtin.systemd:
name: irc-doorduino
state: started
enabled: yes
enabled: true
daemon_reload: true


@ -1,22 +1,43 @@
---
- tags: services_ircbot
- name: Import ircbot
ansible.builtin.import_tasks:
file: ircbot.yaml
tags:
- services_ircbot
- tags: services_discord_bot
ansible.builtin.import_tasks: discord_bot.yaml
- name: Import services_discord_bot
ansible.builtin.import_tasks:
file: discord_bot.yaml
tags:
- services_discord_bot
- tags: services_siahsd
import_tasks: siahsd.yaml
- name: Import siahsd
ansible.builtin.import_tasks:
file: siahsd.yaml
tags:
- services_siahsd
- tags: services_spacestated
import_tasks: spacestated.yaml
- name: Import spacestated
ansible.builtin.import_tasks:
file: spacestated.yaml
tags:
- services_spacestated
- tags: services_mastodon_spacestate
import_tasks: mastodon_spacestate.yaml
- name: Import mastodon_spacestate.yaml
ansible.builtin.import_tasks:
file: mastodon_spacestate.yaml
tags:
- services_mastodon_spacestate
- tags: services_wifi_mqtt
import_tasks: wifi_mqtt.yaml
- name: import wifi_mqtt
ansible.builtin.import_tasks:
file: wifi_mqtt.yaml
tags:
- services_wifi_mqtt
- tags: services_power_mqtt
import_tasks: power_mqtt.yaml
- name: Import power_mqt
ansible.builtin.import_tasks:
file: power_mqtt.yaml
tags:
- services_power_mqtt
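Review bot: The new task names in this file are inconsistent and one is a typo: `Import power_mqt` should be `Import power_mqtt`, `import wifi_mqtt` is the only lowercase one, `Import mastodon_spacestate.yaml` is the only one carrying the extension, and `Import services_discord_bot` uses the tag rather than the file name. Since the name rule is what motivated this PR, use the `Import <file stem>` form of the first three entries throughout: `Import discord_bot`, `Import mastodon_spacestate`, `Import wifi_mqtt`, `Import power_mqtt`.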


@ -11,7 +11,8 @@
version: main
dest: /var/lib/mastodon-spacestate
accept_hostkey: yes
notify: restart mastodon-spacestate
notify: Restart mastodon-spacestate
ignore_errors: true
- name: Install config
ansible.builtin.template:
@ -20,7 +21,7 @@
owner: root
group: root
mode: 0655
notify: restart mastodon-spacestate
notify: Restart mastodon-spacestate
- name: Install service file
ansible.builtin.template:
@ -29,11 +30,11 @@
owner: root
group: root
mode: 0644
notify: restart mastodon-spacestate
notify: Restart mastodon-spacestate
- name: Start mastodon-spacestate
ansible.builtin.systemd:
name: mastodon-spacestate
state: started
enabled: yes
enabled: true
daemon_reload: true
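Review bot: `mode: 0655` on the Install config task (context line in the second hunk) looks like a typo — it grants execute to group and others but not the owner, a combination with no sensible meaning for a config file — and this lint pass leaves it untouched. If the config holds credentials (an API token would be typical for a bot that posts to Mastodon), it should be `mode: "0600"` with an owner matching the service user; if it is non-sensitive, `mode: "0644"`. Either way the quoted form matches the `"0644"` this PR introduces elsewhere.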


@ -10,7 +10,7 @@
owner: root
group: root
mode: 0755
notify: restart power-mqtt
notify: Restart power-mqtt
- name: Remove old service
ansible.builtin.file:
@ -27,13 +27,13 @@
vars:
description: "SMD630 to MQTT Probe"
exec: "/var/lib/power-mqtt.py %i"
notify: restart power-mqtt@
notify: Restart power-mqtt@
- name: Enable power-mqtt
ansible.builtin.systemd:
name: "power-mqtt@{{ item.net }}/{{ item.ip }}"
state: started
enabled: yes
enabled: true
daemon_reload: true
with_items:
- net: space


@ -7,6 +7,7 @@
state: directory
owner: siahsd
group: nogroup
mode: "0750"
with_items:
- /var/log/siahsd
- /var/lib/siahsd
@ -17,8 +18,8 @@
dest: /etc/siahsd.conf
owner: root
group: root
mode: 0644
notify: restart siahsd
mode: "0644"
notify: Restart siahsd
- name: Install service file
ansible.builtin.template:
@ -26,24 +27,13 @@
dest: /etc/systemd/system/siahsd.service
owner: root
group: root
mode: 0644
notify: restart siahsd
mode: "0644"
notify: Restart siahsd
- name: Start siahsd
ansible.builtin.systemd:
name: siahsd
state: started
enabled: yes
enabled: true
daemon_reload: true
- name: Allow siahsd traffic
ansible.builtin.iptables:
chain: INPUT
protocol: udp
destination_port: "4000"
jump: ACCEPT
ip_version: "{{ item }}"
action: insert
with_items: [ ipv4, ipv6 ]
notify: persist iptables
when: not nft | bool


@ -24,7 +24,8 @@
version: main
dest: /var/lib/spacestated/spacestated
accept_hostkey: yes
notify: restart spacestated
notify: Restart spacestated
ignore_errors: true
- name: Install service file
ansible.builtin.template:
@ -33,11 +34,11 @@
owner: root
group: root
mode: 0644
notify: restart spacestated
notify: Restart spacestated
- name: Start spacestated
ansible.builtin.systemd:
name: spacestated
state: started
enabled: yes
enabled: true
daemon_reload: true


@ -7,25 +7,26 @@
- make
- name: Clone source
git:
ansible.builtin.git:
repo: https://github.com/bitlair/wifi-mqtt.git
version: main
dest: /var/lib/wifi-mqtt
accept_hostkey: yes
notify: restart wifi-mqtt
notify: Restart wifi-mqtt
ignore_errors: true
- name: Install service file
template:
ansible.builtin.template:
src: wifi-mqtt.service
dest: /etc/systemd/system/wifi-mqtt.service
owner: root
group: root
mode: 0644
notify: restart wifi-mqtt
mode: "0644"
notify: Restart wifi-mqtt
- name: Start wifi-mqtt
systemd:
ansible.builtin.systemd:
name: wifi-mqtt
state: started
enabled: yes
enabled: true
daemon_reload: true


@ -1,14 +1,15 @@
---
- ansible.builtin.import_tasks:
- name: Import handlers
ansible.builtin.import_tasks:
file: ../../common/handlers/main.yaml
- name: restart spaceapi
- name: Restart spaceapi
ansible.builtin.systemd:
name: spaceapi
state: restarted
daemon_reload: true
- name: restart mqtt2web
- name: Restart mqtt2web
ansible.builtin.systemd:
name: mqtt2web
state: restarted


@ -1,16 +1,25 @@
---
- tags: www_calendar
- name: Import calendar
ansible.builtin.import_tasks:
file: calendar.yaml
tags:
- www_calendar
- tags: www_mediawiki
- name: Import mediawiki
ansible.builtin.import_tasks:
file: mediawiki.yaml
tags:
- www_mediawiki
- tags: www_mqtt
- name: Import mqtt
ansible.builtin.import_tasks:
file: mqtt.yaml
tags:
- www_mqtt
- tags: www_spaceapi
- name: Import spaceapi
ansible.builtin.import_tasks:
file: spaceapi.yaml
tags:
- www_spaceapi


@ -1,4 +1,5 @@
---
- name: Install dependencies
ansible.builtin.apt:
name: php-fpm
@ -12,19 +13,3 @@
group: root
mode: 0644
- name: Allow HTTP/HTTPS
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ item.port }}"
ctstate: NEW
jump: ACCEPT
ip_version: "{{ item.ip }}"
action: insert
with_items:
- { ip: ipv4, port: 80 }
- { ip: ipv4, port: 443 }
- { ip: ipv6, port: 80 }
- { ip: ipv6, port: 443 }
notify: persist iptables
when: not nft | bool


@ -1,4 +1,5 @@
---
- name: Install dependencies
ansible.builtin.apt:
name:
@ -6,32 +7,17 @@
- liblinux-epoll-perl
- mosquitto
- name: Allow MQTT
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ item.port }}"
ctstate: NEW
jump: ACCEPT
ip_version: "{{ item.ip }}"
action: insert
with_items:
- { ip: ipv4, port: 1883 }
- { ip: ipv6, port: 1883 }
notify: persist iptables
when: not nft | bool
- name: Install mqtt-simple
ansible.builtin.command:
cmd: cpan Net::MQTT::Simple
community.general.cpanm:
name: Net::MQTT::Simple
- name: Clone mqtt2web source
ansible.builtin.git:
repo: https://github.com/bitlair/mqtt2web.git
version: master
dest: /opt/mqtt2web
accept_hostkey: yes
notify: restart mqtt2web
accept_hostkey: true
notify: Restart mqtt2web
- name: Install mqtt2web service file
ansible.builtin.template:
@ -41,10 +27,11 @@
group: root
mode: 0644
notify:
- daemon reload
- restart mqtt2web
- Daemon reload
- Restart mqtt2web
- ansible.builtin.meta: flush_handlers
- name: Flush handlers
ansible.builtin.meta: flush_handlers
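Review bot: The switch to `community.general.cpanm` introduces a dependency on the community.general collection, but the requirements file touched in this PR lists only `community.postgresql`; if that file is what `ansible-galaxy collection install` consumes, this task fails with an unresolved module on a fresh controller, so add `- name: community.general` with a version there. The cpanm install still pulls Net::MQTT::Simple unpinned from CPAN at play time, as the old `cpan` command did; pinning a version or vendoring the module is the next step if reproducible installs matter for this host.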
- name: Enable mqtt2web
ansible.builtin.systemd:


@ -4,8 +4,8 @@
repo: https://github.com/bitlair/spaceapi.git
version: main
dest: /opt/spaceapi
accept_hostkey: yes
notify: restart spaceapi
accept_hostkey: true
notify: Restart spaceapi
- name: Install spaceapi service file
ansible.builtin.template:
@ -13,8 +13,8 @@
dest: /etc/systemd/system/spaceapi.service
owner: root
group: root
mode: 0644
notify: restart spaceapi
mode: "0644"
notify: Restart spaceapi
- name: Enable spaceapi
ansible.builtin.systemd: