From 3ae4b05e1779d6db8f824f33f2891c6272b6fc87 Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Sun, 14 Jul 2024 14:54:58 +0200 Subject: [PATCH 01/62] mqtt: Bridge the bambulab printer --- mqtt-internal.yaml | 2 +- roles/mqtt-internal/defaults/main.yaml | 1 + roles/mqtt-internal/tasks/main.yaml | 7 +++++++ roles/mqtt-internal/templates/bambulab.conf | 10 ++++++++++ roles/mqtt-internal/templates/internal.conf | 2 +- roles/mqtt-internal/templates/public-bridge.conf | 2 +- 6 files changed, 21 insertions(+), 3 deletions(-) create mode 100644 roles/mqtt-internal/defaults/main.yaml create mode 100644 roles/mqtt-internal/templates/bambulab.conf diff --git a/mqtt-internal.yaml b/mqtt-internal.yaml index 1e941f8..bdf76a8 100644 --- a/mqtt-internal.yaml +++ b/mqtt-internal.yaml @@ -1,6 +1,6 @@ --- -- hosts: mqtt_internal +- hosts: mqtt roles: - common - mqtt-internal diff --git a/roles/mqtt-internal/defaults/main.yaml b/roles/mqtt-internal/defaults/main.yaml new file mode 100644 index 0000000..8cf4403 --- /dev/null +++ b/roles/mqtt-internal/defaults/main.yaml @@ -0,0 +1 @@ +mqtt_bambulab_cafile: /etc/mosquitto/ca_certificates/bambulab.pem diff --git a/roles/mqtt-internal/tasks/main.yaml b/roles/mqtt-internal/tasks/main.yaml index e468d01..371671c 100644 --- a/roles/mqtt-internal/tasks/main.yaml +++ b/roles/mqtt-internal/tasks/main.yaml @@ -8,6 +8,12 @@ - mosquitto - avahi-daemon + - name: Install bambulab cafile + # openssl s_client -showcerts -connect :8883 Date: Sun, 14 Jul 2024 14:56:29 +0200 Subject: [PATCH 02/62] photos: Update bambulab password path --- roles/photos/templates/bambulab-fetch.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/photos/templates/bambulab-fetch.sh b/roles/photos/templates/bambulab-fetch.sh index 1508ed3..d97bae1 100644 --- a/roles/photos/templates/bambulab-fetch.sh +++ b/roles/photos/templates/bambulab-fetch.sh 
@@ -4,8 +4,8 @@ set -eu -host={{ lookup('passwordstore', 'fotos/bambulab subkey=host') }} -pass={{ lookup('passwordstore', 'fotos/bambulab subkey=key') }} +host={{ lookup('passwordstore', 'bambulab subkey=host') }} +pass={{ lookup('passwordstore', 'bambulab subkey=key') }} dir={{ photos_path }} files=$(curl -ksl "ftps://bblp:$pass@$host:990/timelapse/" | grep ^video_) From 789282c82bd0eb1c986da9633eb490f8f27a2db9 Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Sun, 14 Jul 2024 20:02:12 +0200 Subject: [PATCH 03/62] Add validation on sshd-config changes --- roles/common/tasks/main.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml index b0b39cf..10ce3a1 100644 --- a/roles/common/tasks/main.yaml +++ b/roles/common/tasks/main.yaml @@ -108,6 +108,7 @@ path: /etc/ssh/sshd_config regexp: "{{ item.regexp }}" line: "{{ item.line }}" + validate: "/usr/sbin/sshd -t -f %s" with_items: - regexp: '^#?Port' line: 'Port {{ ssh_port }}' From b29062a436dc6fae9c4040120d0bda72abfcd387 Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Sun, 14 Jul 2024 20:04:23 +0200 Subject: [PATCH 04/62] Move certbot/letsencrypt to debian_packages_unwanded --- roles/acme/tasks/remove_conflicting.yaml | 5 ----- roles/common/defaults/main.yaml | 2 ++ 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/roles/acme/tasks/remove_conflicting.yaml b/roles/acme/tasks/remove_conflicting.yaml index 9c88555..dcbb573 100644 --- a/roles/acme/tasks/remove_conflicting.yaml +++ b/roles/acme/tasks/remove_conflicting.yaml @@ -1,9 +1,4 @@ --- -- name: Remove certbot from apt - ansible.builtin.apt: - name: [ letsencrypt, certbot ] - state: absent - autoremove: yes - name: Remove variable directories ansible.builtin.file: diff --git a/roles/common/defaults/main.yaml b/roles/common/defaults/main.yaml index 5512d86..82c6bcf 100644 --- a/roles/common/defaults/main.yaml 
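Review bot: The `curl -ksl "ftps://bblp:$pass@$host:990/timelapse/"` line that the renamed lookups feed still runs with `-k`, so the password from the passwordstore is handed to whatever answers on `$host:990` with no certificate check. Patch 01 of this series installs a CA file for the same printer (`mqtt_bambulab_cafile`); if that certificate is reachable from the photos role, `--cacert` with it would replace `-k`, otherwise a copy of the printer's certificate in this role would do. Putting the credential in the URL also shows it in the process list for the length of the transfer; `curl -sl --config - "ftps://$host:990/timelapse/"` with `user = "bblp:$pass"` on stdin keeps it out of argv. The script continues outside the hunk.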
+++ b/roles/common/defaults/main.yaml @@ -17,3 +17,5 @@ node_exporter: true debian_packages_unwanted: - netcat-traditional + - letsencrypt + - certbot From ce1babbeda57d1c01ba99e3fd40e4d62a62abe3d Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Sun, 14 Jul 2024 20:20:56 +0200 Subject: [PATCH 05/62] Rework acme role --- roles/acme/handlers/main.yaml | 4 +- roles/acme/tasks/main.yaml | 112 ++++++++---------------- roles/acme/tasks/san_domains_loop.yaml | 1 + roles/acme/templates/config.sh | 2 +- roles/acme/templates/cron | 2 +- roles/acme/templates/deploy.sh | 2 +- roles/acme/templates/domains.txt | 2 +- roles/acme/templates/nginx-snippet.conf | 2 +- 8 files changed, 47 insertions(+), 80 deletions(-) diff --git a/roles/acme/handlers/main.yaml b/roles/acme/handlers/main.yaml index 508fc1a..7ff2509 100644 --- a/roles/acme/handlers/main.yaml +++ b/roles/acme/handlers/main.yaml @@ -1,7 +1,9 @@ +--- + - name: update_contact_info ansible.builtin.command: cmd: dehydrated --account -- name: query_certificates +- name: run dehydrated ansible.builtin.command: cmd: dehydrated --cron diff --git a/roles/acme/tasks/main.yaml b/roles/acme/tasks/main.yaml index 653f49c..229f566 100644 --- a/roles/acme/tasks/main.yaml +++ b/roles/acme/tasks/main.yaml 
@@ -1,82 +1,46 @@ --- -- ansible.builtin.import_tasks: - file: remove_conflicting.yaml - tags: [ never, acme_remove_conflicting ] - name: Install Dehydrated - tags: [ acme, acme_install ] - block: - - name: Install dependencies - ansible.builtin.apt: - name: ssl-cert - state: present + ansible.builtin.apt: + state: present + pkg: + - dehydrated + tags: + - acme - - name: Install Dehydrated - ansible.builtin.apt: - name: dehydrated - state: present +- name: Create Nginx snippet snippets dir + ansible.builtin.file: + state: "directory" + path: "/etc/nginx/snippets" + owner: "root" + group: "root" + mode: "0755" - - name: Install config file - ansible.builtin.template: - src: config.sh - dest: /etc/dehydrated/conf.d/ansible.sh - owner: root - group: root - mode: 0755 - notify: update_contact_info +- name: Template dehydrated configfiles + ansible.builtin.template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: "{{ item.owner | default('root') }}" + group: "{{ item.group | default('root') }}" + mode: "{{ item.mode | default('0640') }}" + notify: "{{ item.notify | default([]) }}" + with_items: + - { src: "config.sh", dest: "/etc/dehydrated/conf.d/ansible.sh", mode: '0755' } + - { src: "deploy.sh", dest: "/etc/dehydrated/conf.d/deploy.sh", mode: '0755' } + - { src: "cron", dest: "/etc/cron.d/dehydrated" } + - { src: "nginx-snippet.conf", dest: "/etc/nginx/snippets/acme.conf" } + - { src: "domains.txt", dest: "/etc/dehydrated/domains.txt", notify: "run dehydrated" } - - name: Install deploy hook - ansible.builtin.template: - src: deploy.sh - dest: /etc/dehydrated/conf.d/deploy.sh - owner: root - group: root - mode: 0755 +- name: Register account + ansible.builtin.command: + args: + cmd: dehydrated --register --accept-terms + creates: /var/lib/dehydrated/accounts - - name: Install cronjob - ansible.builtin.template: - src: cron - dest: /etc/cron.d/dehydrated - owner: root - group: root - mode: 0644 +- name: Symlink SAN domains + ansible.builtin.include_tasks: + 
file: san_domains_loop.yaml + loop: "{{ acme_san_domains|default([]) }}" + loop_control: + loop_var: domains - - name: Create Nginx snippet snippets dir - ansible.builtin.file: - state: directory - path: /etc/nginx/snippets - owner: root - group: root - mode: 0755 - - - name: Install Nginx snippet - ansible.builtin.template: - src: nginx-snippet.conf - dest: /etc/nginx/snippets/acme.conf - owner: root - group: root - mode: 0644 - - - name: Register account - ansible.builtin.command: - cmd: dehydrated --register --accept-terms - args: - creates: /var/lib/dehydrated/accounts - -- tags: [ acme, acme_certs ] - block: - - name: Configure certificates - ansible.builtin.template: - src: domains.txt - dest: /etc/dehydrated/domains.txt - owner: root - group: root - mode: 0644 - notify: query_certificates - - - name: Symlink SAN domains - ansible.builtin.include_tasks: - file: san_domains_loop.yaml - loop: "{{ acme_san_domains|default([]) }}" - loop_control: - loop_var: domains diff --git a/roles/acme/tasks/san_domains_loop.yaml b/roles/acme/tasks/san_domains_loop.yaml index b878042..99d57b5 100644 --- a/roles/acme/tasks/san_domains_loop.yaml +++ b/roles/acme/tasks/san_domains_loop.yaml @@ -1,4 +1,5 @@ --- + - ansible.builtin.stat: path: "/var/lib/dehydrated/certs/{{ domains[0] }}" register: cert_stat diff --git a/roles/acme/templates/config.sh b/roles/acme/templates/config.sh index f51455d..2dae219 100644 --- a/roles/acme/templates/config.sh +++ b/roles/acme/templates/config.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Managed by Ansible +# {{ ansible_managed }} CONTACT_EMAIL={{ notify_email }} diff --git a/roles/acme/templates/cron b/roles/acme/templates/cron index ecf8b99..c7d7c91 100644 --- a/roles/acme/templates/cron +++ b/roles/acme/templates/cron @@ -1,4 +1,4 @@ -# Managed by Ansible +# {{ ansible_managed }} SHELL=/bin/sh PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin 
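Review bot: Only the package task keeps `tags: - acme`; the old layout tagged every block `[ acme, acme_install ]` or `[ acme, acme_certs ]`, so a run that selects `--tags acme` without going through a playbook-level role tag now installs dehydrated and nothing else, and `--tags acme_certs` no longer matches any task. Wrapping the tasks in a `block:` with `tags: [ acme ]`, and restoring `acme_certs` on the domains.txt item and the `Symlink SAN domains` include, keeps the previous entry points working. The mode default `'0640'` also quietly replaces the `0644` the old tasks gave `/etc/cron.d/dehydrated` and the nginx snippet; both readers run as root so it works, but a short comment on the default would make clear it is intentional.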
diff --git a/roles/acme/templates/deploy.sh b/roles/acme/templates/deploy.sh index 3d962b6..cbcb1b1 100644 --- a/roles/acme/templates/deploy.sh +++ b/roles/acme/templates/deploy.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Managed by Ansible +# {{ ansible_managed }} systemctl reload nginx.service diff --git a/roles/acme/templates/domains.txt b/roles/acme/templates/domains.txt index 632b12b..eba6ded 100644 --- a/roles/acme/templates/domains.txt +++ b/roles/acme/templates/domains.txt @@ -1,4 +1,4 @@ -# Managed by Ansible +# {{ ansible_managed }} {% for domain in acme_domains|default([]) %} {{ domain }} diff --git a/roles/acme/templates/nginx-snippet.conf b/roles/acme/templates/nginx-snippet.conf index c57ac6a..7425bc2 100644 --- a/roles/acme/templates/nginx-snippet.conf +++ b/roles/acme/templates/nginx-snippet.conf @@ -1,4 +1,4 @@ -# Managed by Ansible +# {{ ansible_managed }} location /.well-known/acme-challenge { allow all; From ea3b17ef2d9be9217868cc0b364162008214118d Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Sun, 14 Jul 2024 20:21:56 +0200 Subject: [PATCH 06/62] Add validate to ssh config change --- roles/bank/tasks/login.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/bank/tasks/login.yaml b/roles/bank/tasks/login.yaml index cd0f9ba..7ed568e 100644 --- a/roles/bank/tasks/login.yaml +++ b/roles/bank/tasks/login.yaml @@ -11,6 +11,7 @@ ansible.builtin.blockinfile: path: /etc/ssh/sshd_config insertafter: EOF + validate: "/usr/sbin/sshd -t -f %s" block: |- Match User bank PasswordAuthentication yes From 8df1cba71c4984f42a4657c31558090b6a92e2a7 Mon Sep 17 00:00:00 2001 
From: Mark Janssen -- Sig-I/O Automatisering Date: Sun, 14 Jul 2024 21:43:53 +0200 Subject: [PATCH 07/62] WIP: generiek nginx role --- authorized_keys/foobar.keys | 4 +- group_vars/all.yaml | 21 ++++--- group_vars/monitoring.yaml | 6 ++ monitoring.yaml | 7 ++- roles/acme/tasks/main.yaml | 2 +- roles/common/tasks/main.yaml | 3 + roles/nginx/defaults/main.yaml | 16 +++++ roles/nginx/handlers/main.yaml | 11 ++++ roles/nginx/tasks/main.yaml | 80 +++++++++++++++++++++++++ roles/nginx/templates/default.j2 | 37 ++++++++++++ roles/nginx/templates/etc-nginx.conf.j2 | 35 +++++++++++ roles/nginx/templates/site.conf.j2 | 36 +++++++++++ roles/nginx/templates/tls_params.j2 | 22 +++++++ snippets/prometheus-nginx.j2 | 13 ++++ 14 files changed, 278 insertions(+), 15 deletions(-) create mode 100644 roles/nginx/defaults/main.yaml create mode 100644 roles/nginx/handlers/main.yaml create mode 100644 roles/nginx/tasks/main.yaml create mode 100644 roles/nginx/templates/default.j2 create mode 100644 roles/nginx/templates/etc-nginx.conf.j2 create mode 100644 roles/nginx/templates/site.conf.j2 create mode 100644 roles/nginx/templates/tls_params.j2 create mode 100644 snippets/prometheus-nginx.j2 diff --git a/authorized_keys/foobar.keys b/authorized_keys/foobar.keys index 6493dc3..f7fac20 100644 --- a/authorized_keys/foobar.keys +++ b/authorized_keys/foobar.keys 
@@ -1,2 +1,2 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUIAkaRsvb6cD1XIGF80JpMH1mYE9XhCgptOkt9AfloZQlO7Ds5XeCwJk5/TsoidTcb/0yFUov8SMwaIVtrFfkNUqqeAsfm3luJ4JwOXeCwrXD6W7c5Wqg/FGNH0eZr0kEnxpNS10L72+oNBQgnlSNjqWS29lEmXApKQ3IKy6aP9cMwEh25fsH/2G7mHsZX2UMPK0tZPC6MPxY5P9PWLIulUpsX96c6OcAvGYIvsCnecsVsTdhK36w4Z/t7XoLFz5X6k3eXT7gG4SMGuBixjroTUhumWzgJJ6T1Nn/eESe7Im8krlzO/0hG/F8uBy3s04TAJuXFmygvtC4YLyq91U5 -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyKprIcR81+RFSBxU3iyW4vd0ctr0q1Pqifzxbro+0C +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUIAkaRsvb6cD1XIGF80JpMH1mYE9XhCgptOkt9AfloZQlO7Ds5XeCwJk5/TsoidTcb/0yFUov8SMwaIVtrFfkNUqqeAsfm3luJ4JwOXeCwrXD6W7c5Wqg/FGNH0eZr0kEnxpNS10L72+oNBQgnlSNjqWS29lEmXApKQ3IKy6aP9cMwEh25fsH/2G7mHsZX2UMPK0tZPC6MPxY5P9PWLIulUpsX96c6OcAvGYIvsCnecsVsTdhK36w4Z/t7XoLFz5X6k3eXT7gG4SMGuBixjroTUhumWzgJJ6T1Nn/eESe7Im8krlzO/0hG/F8uBy3s04TAJuXFmygvtC4YLyq91U5 Sig-I/O Beheer key +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyKprIcR81+RFSBxU3iyW4vd0ctr0q1Pqifzxbro+0C mark@x240-ed25519 diff --git a/group_vars/all.yaml b/group_vars/all.yaml index bdafa45..fd209d8 100644 --- a/group_vars/all.yaml +++ b/group_vars/all.yaml 
@@ -6,22 +6,25 @@ notify_email: bestuur@bitlair.nl acme_bootstrap_certs: no trusted_ranges: # localhost - - { v: ipv4, cidr: 127.0.0.1/8 } + - { v: ipv4, cidr: "127.0.0.1/8" } - { v: ipv6, cidr: "::1" } # rf1928 - - { v: ipv4, cidr: 10.0.0.0/8 } - - { v: ipv4, cidr: 172.16.0.0/12 } - - { v: ipv4, cidr: 192.168.0.0/16 } + - { v: ipv4, cidr: "10.0.0.0/8" } + - { v: ipv4, cidr: "172.16.0.0/12" } + - { v: ipv4, cidr: "192.168.0.0/16" } # v6 local - { v: ipv6, cidr: "fe80::/10" } # vihamij - - { v: ipv4, cidr: 45.88.49.140 } + - { v: ipv4, cidr: "45.88.49.140" } # eventinfra - - { v: ipv4, cidr: 204.2.64.0/20 } - - - { v: ipv4, cidr: 100.64.0.0/10 } - - { v: ipv4, cidr: 185.205.52.194/32 } + - { v: ipv4, cidr: "204.2.64.0/20" } + # bitlair + - { v: ipv4, cidr: "100.64.0.0/10" } + - { v: ipv4, cidr: "185.205.52.194/32" } - { v: ipv6, cidr: "2a02:166b:92::/48" } + # foobar + - { v: ipv4, cidr: "31.187.251.213/32" } + - { v: ipv6, cidr: "2a0e:5700:4:2::/64" } root_access: - ak diff --git a/group_vars/monitoring.yaml b/group_vars/monitoring.yaml index b692290..51d9b97 100644 --- a/group_vars/monitoring.yaml +++ b/group_vars/monitoring.yaml @@ -40,3 +40,9 @@ prometheus_scrape_configs: target_label: instance - target_label: __address__ replacement: "{{ blackbox_exporter_web_listen_address }}" + +nginx_sites: + - server_name: "dashboard.bitlair.nl" + localproxy: "9000" + snippets: + - "prometheus-nginx.j2" diff --git a/monitoring.yaml b/monitoring.yaml index 9ad8623..9e05df0 100644 --- a/monitoring.yaml +++ b/monitoring.yaml @@ -2,6 +2,7 @@ - hosts: monitoring roles: - - common - - acme - - monitoring + - { role: "common", tags: [ "common" ] } + - { role: "acme", tags: [ "acme" ] } + - { role: "nginx", tags: [ "nginx" ] } + - { role: "monitoring", tags: [ "monitoring" ] } diff --git a/roles/acme/tasks/main.yaml b/roles/acme/tasks/main.yaml index 229f566..0be3133 100644 --- a/roles/acme/tasks/main.yaml +++ b/roles/acme/tasks/main.yaml 
@@ -23,7 +23,7 @@ owner: "{{ item.owner | default('root') }}" group: "{{ item.group | default('root') }}" mode: "{{ item.mode | default('0640') }}" - notify: "{{ item.notify | default([]) }}" + notify: "{{ item.notify | default([]) }}" with_items: - { src: "config.sh", dest: "/etc/dehydrated/conf.d/ansible.sh", mode: '0755' } - { src: "deploy.sh", dest: "/etc/dehydrated/conf.d/deploy.sh", mode: '0755' } diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml index 10ce3a1..d20da44 100644 --- a/roles/common/tasks/main.yaml +++ b/roles/common/tasks/main.yaml @@ -18,6 +18,7 @@ - { src: "sources.list.j2", dest: "/etc/apt/sources.list" } - { src: "apt-auto-upgrades.j2", dest: "/etc/apt/apt.conf.d/20auto-upgrades" } - { src: "apt-unattended-upgrades.j2", dest: "/etc/apt/apt.conf.d/50unattended-upgrades" } + register: aptconfig when: - ansible_os_family == "Debian" tags: @@ -56,6 +57,8 @@ - name: Install standard packages ansible.builtin.apt: + cache_valid_time: 3600 + update_cache: "{{ aptconfig.changed | bool | default(false) }}" pkg: - curl - fzf diff --git a/roles/nginx/defaults/main.yaml b/roles/nginx/defaults/main.yaml new file mode 100644 index 0000000..b9e4710 --- /dev/null +++ b/roles/nginx/defaults/main.yaml @@ -0,0 +1,16 @@ +--- + +nginx_package: "nginx-light" +nginx_user: "www-data" +nginx_modules_dir: "/etc/nginx/modules-enabled" + + +nginx_tls_version: "TLSv1.2 TLSv1.3" +nginx_tls_cipherlist: "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:!SHA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS" +nginx_tls_curve: "prime256v1:secp384r1" +nginx_tls_cache_size: "10m" +nginx_tls_session_timeout: "1h" +nginx_ssl_stapling: "on" +nginx_ssl_stapling_verify: "on" +nginx_wk_acme: "/var/lib/dehydrated/acme-challenges" + diff --git a/roles/nginx/handlers/main.yaml b/roles/nginx/handlers/main.yaml new file mode 100644 index 0000000..e9738d0 --- /dev/null +++ b/roles/nginx/handlers/main.yaml 
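Review bot: `cache_valid_time: 3600` in the second roles/common hunk gates the refresh that `update_cache` asks for: as I read the apt module, once a cache_valid_time is set it only runs `apt-get update` when the lists are older than that window, so the sources.list the first hunk's task just rewrote can be ignored for up to an hour on the very run that changed it. Tying the window to the registered result keeps both behaviours, e.g. `cache_valid_time: "{{ 0 if (aptconfig.changed | default(false)) else 3600 }}"` together with `update_cache: true`. Independently, `default(false)` is applied after `bool` in the current line; the usual ordering is `(aptconfig.changed | default(false)) | bool` so that an undefined `aptconfig` is caught by the default rather than reaching the filter. The task that registers `aptconfig` starts outside its hunk.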
@@ -0,0 +1,11 @@ +--- + +- name: Reload nginx + ansible.builtin.systemd: + name: nginx + state: reloaded + enabled: true + listen: "Reload app-services" + when: + - nginx_sites is defined + diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml new file mode 100644 index 0000000..78f6f9b --- /dev/null +++ b/roles/nginx/tasks/main.yaml 
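Review bot: This handler is the only place the role touches the nginx service, and `state: reloaded` assumes the unit is already running; on a host where the package has just been installed but the unit is not active (the Debian package normally starts it, but not if the port is taken or the start failed), the reload errors and the play stops in the handler. A plain task in tasks/main.yaml after the package install, `ansible.builtin.systemd: name: nginx, state: started, enabled: true`, would make this a pure reload and the `enabled: true` here could go. I would also run `nginx -t` ahead of the reload, as a separate handler listening on the same name, so a broken templated site fails with the parser's message instead of a generic reload failure.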
@@ -0,0 +1,80 @@ +--- + +- name: Install nginx base package + ansible.builtin.apt: + name: "{{ nginx_package }}" + state: present + when: + - nginx_sites is defined + +- name: Create sites-available / sites-enabled directories + ansible.builtin.file: + state: directory + path: "{{ item.path }}" + owner: "{{ item.owner | default('root') }}" + group: "{{ item.group | default('root') }}" + mode: "{{ item.mode | default('0755') }}" + with_items: + - { path: "/etc/nginx/sites-available" } + - { path: "/etc/nginx/sites-enabled" } + notify: Reload nginx + when: + - nginx_sites is defined + +- name: Template default nginx config files + ansible.builtin.template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: "{{ item.owner | default('root') }}" + group: "{{ item.group | default('root') }}" + mode: "{{ item.mode | default('0644') }}" + force: "{{ item.force | default('yes') }}" + backup: true + loop_control: + label: "{{ item.dest }}" + with_items: + - { src: "etc-nginx.conf.j2", dest: "/etc/nginx/nginx.conf", notify: "Reload nginx" } + - { src: "tls_params.j2", dest: "/etc/nginx/tls_params", notify: "Reload nginx" } + - { src: "default.j2", dest: "/etc/nginx/sites-available/default", notify: "Reload nginx" } +# - { src: "dhparam.pem.j2", dest: "{{ nginx_dhparams_file }}", notify: "Reload nginx" } +# - { src: "check_nginx.j2", dest: "{{ nagios_plugin_location }}/check_nginx", mode: '755' } +# - { src: "nrpe-check_nginx.j2", dest: "/etc/nagios/nrpe.d/10-nginx.cfg", notify: "Restart nrpe" } + notify: "{{ item.notify | default(omit) }}" + when: + - nginx_sites is defined + +- name: Template site-specific configs + ansible.builtin.template: + src: "site.conf.j2" + dest: "/etc/nginx/sites-available/{{ site.server_name }}.conf" + owner: "{{ site.owner | default('root') }}" + group: "{{ site.group | default('root') }}" + mode: "{{ site.mode | default('0644') }}" + force: "{{ site.force | default('yes') }}" + backup: true + loop: "{{ nginx_sites }}" + loop_control: + 
loop_var: site + label: "{{ site.server_name }}" + notify: Reload nginx + when: + - nginx_sites is defined + tags: + - nginxextra + - nginx_site + +- name: Enable nginx sites + ansible.builtin.file: + src: "/etc/nginx/sites-available/{{ site.server_name }}.conf" + path: "/etc/nginx/sites-enabled/{{ site.server_name }}.conf" + state: "{% if site.disabled | default(false) %}absent{% else %}link{% endif %}" + mode: "0644" + loop: "{{ nginx_sites }}" + loop_control: + loop_var: site + label: "{{ site.server_name }}" + notify: Reload nginx + when: + - nginx_sites is defined + ignore_errors: "{{ ansible_check_mode }}" + diff --git a/roles/nginx/templates/default.j2 b/roles/nginx/templates/default.j2 new file mode 100644 index 0000000..b417134 --- /dev/null +++ b/roles/nginx/templates/default.j2 @@ -0,0 +1,37 @@ +# {{ ansible_managed }} + +server { + listen 80 default_server; + listen [::]:80 + + server_name {{ inventory_hostname }}; + + # Accept ACME-Challenges over http + location ^~ /.well-known/acme-challenge/ { + alias {{ nginx_wk_acme }}/; + } + + # Block .ht files + location ~ /\.ht { + deny all; + } + + # Redirect everything to https by default + location / { + return 301 https://$host$request_uri; + } + + location /server_status { + # Enable Nginx stats + stub_status on; + # Only allow access from localhost + allow 127.0.0.1; + # Other request should be denied + deny all; + } +} + +{% for line in nginx_default_extra | default([]) %} +{{ line }} +{% endfor %} + diff --git a/roles/nginx/templates/etc-nginx.conf.j2 b/roles/nginx/templates/etc-nginx.conf.j2 new file mode 100644 index 0000000..b4d4d7a --- /dev/null +++ b/roles/nginx/templates/etc-nginx.conf.j2 
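Review bot: `default.j2` is rendered to `/etc/nginx/sites-available/default` by "Template default nginx config files", but nothing in the role links it into `sites-enabled`; "Enable nginx sites" only handles `nginx_sites` entries. The package's own `sites-enabled/default` symlink makes this work on a fresh install, yet the `common-nginx.yaml` snippet that the monitoring role still imports at this point in the series (dropped in patch 10) deletes exactly that symlink, so on such hosts the port-80 server with the ACME challenge alias and the https redirect is never loaded. An explicit link task (below) keeps the role self-contained. Separately, `force: "{{ item.force | default('yes') }}"` and the `site.force` twin pass a string where the template module expects a boolean; `default(true)` reads cleaner.
```yaml
# … unchanged: "Template default nginx config files" task …
- name: Enable default nginx site
  ansible.builtin.file:
    src: "/etc/nginx/sites-available/default"
    path: "/etc/nginx/sites-enabled/default"
    state: link
  notify: Reload nginx
  when:
    - nginx_sites is defined
# … unchanged: "Template site-specific configs" task …
```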
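Review bot: `listen [::]:80` on the fifth line of the template has no terminating `;`, so nginx takes the following `server_name {{ inventory_hostname }};` as extra parameters of the `listen` directive and rejects the configuration; it should read `listen [::]:80;`. Because this file is the default server on every host the role touches, the reload handler fails on first deploy until it is fixed. While there, `listen [::]:80 default_server;` makes the IPv6 listener the fallback as well, matching the IPv4 line above it.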
@@ -0,0 +1,35 @@ +# {{ ansible_managed }} + +user {{ nginx_user }}; +worker_processes auto; +pid /run/nginx.pid; +worker_rlimit_nofile 16384; +include {{ nginx_modules_dir }}/*.conf; + +http { + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + server_tokens off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + # Default nginx log format with $request time added + log_format bitlair '$remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" $request_time'; + access_log /var/log/nginx/access.log bitlair; + + gzip on; + gzip_disable "msie6"; + +{% for line in nginx_http_extra | default([]) %} + {{ line }} +{% endfor %} + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} diff --git a/roles/nginx/templates/site.conf.j2 b/roles/nginx/templates/site.conf.j2 new file mode 100644 index 0000000..09e4e0c --- /dev/null +++ b/roles/nginx/templates/site.conf.j2 
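Review bot: The rendered nginx.conf has no `events { }` block, and nginx treats its absence as fatal at start and in `nginx -t` (`no "events" section in configuration`), so every reload triggered by this role fails until one is added. Patch 08 in this series adds `events { worker_connections 768; }`, which is the expected fix and is worth squashing into this commit. `worker_rlimit_nofile 16384` is set here without a matching `worker_connections`; keeping the two next to each other when the block is added makes the relationship visible.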
@@ -0,0 +1,36 @@ +# {{ ansible_managed }} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ site.server_name|default(inventory_hostname) }}{% if site.server_alias is defined %} {{ site.server_alias }}{% endif %}; + + include /etc/nginx/tls_params; + ssl_certificate /var/lib/dehydrated/certs/{{ site.server_name }}/fullchain.pem; + ssl_certificate_key /var/lib/dehydrated/certs/{{ site.server_name }}/fullkey.pem; + + location ~ /\.ht { + deny all; + } + + access_log /var/log/nginx/{{ site.server_name }}.access.log bitlair; + error_log /var/log/nginx/{{ site.server_name }}.error.log; + +{% if site.localproxy is defined %} + location / { + proxy_pass http://localhost:{{ site.localproxy }}/; + include proxy_params; + } +{% endif %} + + # Include snippets +{% for file in site.snippets | default([]) %} +{% include "../../../snippets/" . file %} +{% endif %} + + # Per site configuration +{% for line in site.config | default([]) %} + {{ line }} +{% endfor %} +} diff --git a/roles/nginx/templates/tls_params.j2 b/roles/nginx/templates/tls_params.j2 new file mode 100644 index 0000000..7abe3b6 --- /dev/null +++ b/roles/nginx/templates/tls_params.j2 @@ -0,0 +1,22 @@ +# {{ ansible_managed }} + +ssl_session_timeout {{ nginx_tls_session_timeout }}; +ssl_session_tickets off; + +ssl_prefer_server_ciphers on; +ssl_session_cache shared:SSL:{{ nginx_tls_cache_size }}; + +ssl_protocols {{ nginx_tls_version }}; +ssl_ciphers {{ nginx_tls_cipherlist }}; +ssl_ecdh_curve {{ nginx_tls_curve }}; + +# HSTS (ngx_http_headers_module is required) (63072000 seconds) +add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; +add_header X-Frame-Options "sameorigin"; +add_header X-Content-Type-Options "nosniff"; +add_header X-Robots-Tag noindex; + +# OCSP stapling +ssl_stapling {{ nginx_ssl_stapling }}; +ssl_stapling_verify {{ nginx_ssl_stapling_verify }}; + 
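Review bot: The `default(inventory_hostname)` on the `server_name` directive is unreachable: the same template dereferences `site.server_name` without a default in the `ssl_certificate`, `ssl_certificate_key` and log paths, and the tasks file names the destination from it, so a site without `server_name` fails before this fallback matters. Either drop the default or apply the same fallback everywhere, e.g. `{% set name = site.server_name | default(inventory_hostname) %}` at the top and `{{ name }}` throughout. The snippet loop (`.` instead of `~` for concatenation, `{% endif %}` closing a `{% for %}`) and `fullkey.pem` instead of dehydrated's `privkey.pem` are corrected in patch 08 and are best squashed here.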
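Review bot: The four `add_header` lines (HSTS, X-Frame-Options, X-Content-Type-Options, X-Robots-Tag) are inherited by a `location` only when that location sets no `add_header` of its own, so any site snippet that adds one header drops all four for that path; a comment above them such as `# add_header is not merged: a location that sets any header loses all of these` would keep that from going unnoticed. `X-Robots-Tag noindex` reaches every site that includes this file, including the public web sites configured later in the series, which presumably are not meant to be deindexed — a per-site override or a comment on the intent is needed. `ssl_stapling_verify` also depends on a `resolver` directive for the OCSP responder lookup and on the issuer chain being trusted (`ssl_trusted_certificate`); as I read nginx, without them it logs a warning and serves no staple, so a comment stating that dependency belongs next to the two stapling lines.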
diff --git a/snippets/prometheus-nginx.j2 b/snippets/prometheus-nginx.j2 new file mode 100644 index 0000000..a38e527 --- /dev/null +++ b/snippets/prometheus-nginx.j2 @@ -0,0 +1,13 @@ +# dashboard nginx config snippet + +location /prometheus/ { + proxy_pass http://localhost:9090/prometheus/; + include proxy_params; + +{% for host in bitlair_ip_whitelist %} + allow {{ host }}; +{% endif %} + allow "127.0.0.0/8" + allow "::1"; + deny all; +} From c783601fa94363b10cd2046be1cb954e9081abb1 Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Sun, 14 Jul 2024 21:58:41 +0200 Subject: [PATCH 08/62] Working config for dashboard / prometheus / grafana --- roles/nginx/templates/etc-nginx.conf.j2 | 4 ++++ roles/nginx/templates/site.conf.j2 | 6 +++--- roles/nginx/templates/snippets | 1 + snippets/prometheus-nginx.j2 | 8 ++++---- 4 files changed, 12 insertions(+), 7 deletions(-) create mode 120000 roles/nginx/templates/snippets diff --git a/roles/nginx/templates/etc-nginx.conf.j2 b/roles/nginx/templates/etc-nginx.conf.j2 index b4d4d7a..3ef2e52 100644 --- a/roles/nginx/templates/etc-nginx.conf.j2 +++ b/roles/nginx/templates/etc-nginx.conf.j2 @@ -6,6 +6,10 @@ pid /run/nginx.pid; worker_rlimit_nofile 16384; include {{ nginx_modules_dir }}/*.conf; +events { + worker_connections 768; +} + http { sendfile on; tcp_nopush on; diff --git a/roles/nginx/templates/site.conf.j2 b/roles/nginx/templates/site.conf.j2 index 09e4e0c..f0fec0c 100644 --- a/roles/nginx/templates/site.conf.j2 +++ b/roles/nginx/templates/site.conf.j2 @@ -8,7 +8,7 @@ server { include /etc/nginx/tls_params; ssl_certificate /var/lib/dehydrated/certs/{{ site.server_name }}/fullchain.pem; - ssl_certificate_key /var/lib/dehydrated/certs/{{ site.server_name }}/fullkey.pem; + ssl_certificate_key /var/lib/dehydrated/certs/{{ site.server_name }}/privkey.pem; location ~ /\.ht { deny all; 
@@ -26,8 +26,8 @@ server { # Include snippets {% for file in site.snippets | default([]) %} -{% include "../../../snippets/" . file %} -{% endif %} +{% include "snippets/" ~ file %} +{% endfor %} # Per site configuration {% for line in site.config | default([]) %} diff --git a/roles/nginx/templates/snippets b/roles/nginx/templates/snippets new file mode 120000 index 0000000..ce62fd7 --- /dev/null +++ b/roles/nginx/templates/snippets @@ -0,0 +1 @@ +../../../snippets/ \ No newline at end of file diff --git a/snippets/prometheus-nginx.j2 b/snippets/prometheus-nginx.j2 index a38e527..ca8ed55 100644 --- a/snippets/prometheus-nginx.j2 +++ b/snippets/prometheus-nginx.j2 @@ -4,10 +4,10 @@ location /prometheus/ { proxy_pass http://localhost:9090/prometheus/; include proxy_params; -{% for host in bitlair_ip_whitelist %} - allow {{ host }}; -{% endif %} - allow "127.0.0.0/8" +{% for host in trusted_ranges | default([]) %} + allow {{ host.cidr }}; +{% endfor %} + allow "127.0.0.0/8"; allow "::1"; deny all; } From 0ab35571b92ecc21e4698031b6ad0f5d3144a389 Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Mon, 15 Jul 2024 00:32:50 +0200 Subject: [PATCH 09/62] monitoring: Add MQTT exporter config for the Bambu printer --- roles/monitoring/tasks/mqtt_exporter.yaml | 1 + .../templates/mqtt_exporter_config.yaml | 26 +++++++++++++++++++ .../templates/public-bridge.conf | 1 + 3 files changed, 28 insertions(+) diff --git a/roles/monitoring/tasks/mqtt_exporter.yaml b/roles/monitoring/tasks/mqtt_exporter.yaml index 4fda9d9..b41fc42 100644 --- a/roles/monitoring/tasks/mqtt_exporter.yaml +++ b/roles/monitoring/tasks/mqtt_exporter.yaml @@ -10,6 +10,7 @@ - name: Install apt dependencies ansible.builtin.apt: name: + - jq - python3-paho-mqtt - python3-prometheus-client - python3-yaml diff --git a/roles/monitoring/templates/mqtt_exporter_config.yaml b/roles/monitoring/templates/mqtt_exporter_config.yaml index 62a9690..39d147a 100644 --- a/roles/monitoring/templates/mqtt_exporter_config.yaml 
+++ b/roles/monitoring/templates/mqtt_exporter_config.yaml @@ -56,3 +56,29 @@ export: - subscribe: bitlair/power/shelly/+num/status/switch:0 metric_name: bitlair_power_shelly value_json: .apower + + - subscribe: bambulab/device/+serial/report + metric_name: bambulab_nozzle_temperature + value_json: .print.nozzle_temper + - subscribe: bambulab/device/+serial/report + metric_name: bambulab_nozzle_target_temperature + value_json: .print.nozzle_target_temper + - subscribe: bambulab/device/+serial/report + metric_name: bambulab_bed_temperature + value_json: .print.bed_temper + - subscribe: bambulab/device/+serial/report + metric_name: bambulab_bed_target_temperature + value_json: .print.bed_target_temper + - subscribe: bambulab/device/+serial/report + metric_name: bambulab_chamber_temperature + value_json: .print.chamber_temper + - subscribe: bambulab/device/+serial/report + metric_name: bambulab_ams_humidity + value_json: .print.ams.ams[0].humidity + - subscribe: bambulab/device/+serial/report + metric_name: bambulab_print_progress + value_json: .print.mc_percent + - subscribe: bambulab/device/+serial/report + metric_name: bambulab_print_status + metric_type: info + value_json: .print.gcode_state diff --git a/roles/mqtt-internal/templates/public-bridge.conf b/roles/mqtt-internal/templates/public-bridge.conf index b1725cb..6040c03 100644 --- a/roles/mqtt-internal/templates/public-bridge.conf +++ b/roles/mqtt-internal/templates/public-bridge.conf @@ -3,6 +3,7 @@ connection public-bridge address {{ mqtt_public_host }} +topic bambulab/# out topic bitlair/alarm out topic bitlair/climate/# out topic bitlair/collectd/bitlair-5406/snmp/# out From 792f2749b68e17654e1fe5734183b84d10f9839e Mon Sep 17 00:00:00 2001 
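Review bot: `topic bambulab/# out` forwards the entire printer tree to the public broker, including the full `report` payloads and the device serial that forms the topic path (`bambulab/device/<serial>/report`, per the exporter config in the same commit). If only telemetry is wanted on the public side, the narrower `topic bambulab/device/+/report out` keeps any other subtrees local; whether the report payload itself carries more than sensor readings I cannot tell from here, and that is worth checking before it is published. The bridge is out-only, so no inbound control path is opened by this line.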
From: Mark Janssen -- Sig-I/O Automatisering Date: Thu, 18 Jul 2024 20:55:48 +0200 Subject: [PATCH 10/62] Cleanup --- bank.yaml | 6 +-- bar.yaml | 6 +-- bitlair.yaml | 2 + group_vars/wiki.yaml | 21 ++++++++ group_vars/www.yaml | 5 -- mqtt-internal.yaml | 4 +- music.yaml | 9 ++-- pad.yaml | 7 +-- roles/etherpad/tasks/main.yaml | 3 -- roles/git-server/tasks/main.yaml | 2 - roles/monitoring/tasks/main.yaml | 3 -- roles/music/tasks/main.yaml | 2 - roles/www/tasks/mediawiki.yaml | 3 -- snippets/bitair-nginx.j2 | 2 + snippets/common-nginx.yaml | 18 ------- snippets/mqtt2web-nginx.j2 | 11 ++++ snippets/ravespace-nginx.j2 | 2 + snippets/spaceapi-nginx.j2 | 8 +++ snippets/www-nginx.j2 | 89 ++++++++++++++++++++++++++++++++ wiki.yaml | 8 +++ www.yaml | 7 --- 21 files changed, 160 insertions(+), 58 deletions(-) create mode 100644 group_vars/wiki.yaml delete mode 100644 group_vars/www.yaml create mode 100644 snippets/bitair-nginx.j2 delete mode 100644 snippets/common-nginx.yaml create mode 100644 snippets/mqtt2web-nginx.j2 create mode 100644 snippets/ravespace-nginx.j2 create mode 100644 snippets/spaceapi-nginx.j2 create mode 100644 snippets/www-nginx.j2 create mode 100644 wiki.yaml delete mode 100644 www.yaml diff --git a/bank.yaml b/bank.yaml index 43c92b7..837d27b 100644 --- a/bank.yaml +++ b/bank.yaml @@ -1,8 +1,8 @@ --- - hosts: bank - roles: - - common - - bank vars: bank_revbank_git: https://github.com/bitlair/revbank.git + roles: + - { role: "common", tags: [ "common" ] } + - { role: "bank", tags: [ "bank" ] } diff --git a/bar.yaml b/bar.yaml index 5752cc3..919a4d8 100644 --- a/bar.yaml +++ b/bar.yaml @@ -4,6 +4,6 @@ vars: raspi_rotate_display: "2" roles: - - raspi - - common - - bank-terminal + - { role: "raspi", tags: [ "raspi" ] } + - { role: "common", tags: [ "common" ] } + - { role: "bank-terminal", tags: [ "bank-terminal" ] } diff --git a/bitlair.yaml b/bitlair.yaml index ec019e7..71e06f0 100644 --- a/bitlair.yaml +++ b/bitlair.yaml 
@@ -31,6 +31,7 @@ - hosts: monitoring roles: - { role: "acme", tags: [ "acme" ] } + - { role: "nginx", tags: [ "nginx" ] } - { role: "monitoring", tags: [ "monitoring" ] } - hosts: mqtt @@ -55,4 +56,5 @@ - hosts: wiki roles: - { role: "acme", tags: [ "acme" ] } + - { role: "nginx", tags: [ "nginx" ] } - { role: "www", tags: [ "www" ] } diff --git a/group_vars/wiki.yaml b/group_vars/wiki.yaml new file mode 100644 index 0000000..e9a1937 --- /dev/null +++ b/group_vars/wiki.yaml @@ -0,0 +1,21 @@ +acme_bootstrap_certs: yes +acme_san_domains: + - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ] + - [ bitair.nl ] + - [ ravespace.nl ] + +nginx_sites: + - server_name: "bitlair.nl" + server_alias: "wiki.bitlair.nl www.bitlair.nl cyber.bitlair.nl" + snippets: + - "mqtt2web-nginx.j2" + - "spaceapi-nginx.j2" + - "www-nginx.j2" + - server_name: "bitair.nl" + server_alias: "www.bitair.nl" + snippets: + - "bitair-nginx.j2" + - server_name: "ravespace.nl" + server_alias: "www.ravespace.nl" + snippets: + - "ravespace-nginx.j2" diff --git a/group_vars/www.yaml b/group_vars/www.yaml deleted file mode 100644 index e1db9d5..0000000 --- a/group_vars/www.yaml +++ /dev/null @@ -1,5 +0,0 @@ -acme_bootstrap_certs: yes -acme_san_domains: - - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ] - - [ bitair.nl ] - - [ ravespace.nl ] diff --git a/mqtt-internal.yaml b/mqtt-internal.yaml index bdf76a8..4e106e0 100644 --- a/mqtt-internal.yaml +++ b/mqtt-internal.yaml @@ -2,5 +2,5 @@ - hosts: mqtt roles: - - common - - mqtt-internal + - { role: "common", tags: [ "common" ] } + - { role: "mqtt-internal", tags: [ "mqtt", "mqtt-internal" ] } diff --git a/music.yaml b/music.yaml index d12226c..e4ea70b 100644 --- a/music.yaml +++ b/music.yaml 
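Review bot: The `server_alias` values in group_vars/wiki.yaml name hosts that are not in `acme_san_domains`: `cyber.bitlair.nl` is missing from the `bitlair.nl` SAN list, and `www.bitair.nl` and `www.ravespace.nl` have no SAN entry at all, while `site.conf.j2` serves every alias with the certificate of `site.server_name` only — those names will answer with a mismatched certificate. Either extend the lists (`- [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl, cyber.bitlair.nl ]`, `- [ bitair.nl, www.bitair.nl ]`, `- [ ravespace.nl, www.ravespace.nl ]`) or drop the names from the alias. `acme_bootstrap_certs: yes` is a YAML 1.1 truthy; `true` is the unambiguous spelling.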
@@ -2,7 +2,8 @@ - hosts: music roles: - - common - - acme - - go - - music + - { role: "common", tags: [ "common" ] } + - { role: "acme", tags: [ "acme" ] } + - { role: "go", tags: [ "go" ] } +# - { role: "nginx", tags: [ "nginx" ] } + - { role: "music", tags: [ "music" ] } diff --git a/pad.yaml b/pad.yaml index 90d227e..d9dc92f 100644 --- a/pad.yaml +++ b/pad.yaml @@ -5,6 +5,7 @@ acme_san_domains: - [ pad.bitlair.nl ] roles: - - common - - acme - - etherpad + - { role: "common", tags: [ "common" ] } + - { role: "acme", tags: [ "acme" ] } +# - { role: "nginx", tags: [ "nginx" ] } + - { role: "etherpad", tags: [ "etherpad" ] } diff --git a/roles/etherpad/tasks/main.yaml b/roles/etherpad/tasks/main.yaml index 2afe1f6..851cc02 100644 --- a/roles/etherpad/tasks/main.yaml +++ b/roles/etherpad/tasks/main.yaml @@ -1,9 +1,6 @@ --- - tags: etherpad block: - - ansible.builtin.import_tasks: - file: ../../../snippets/common-nginx.yaml - - name: Install dependencies ansible.builtin.apt: name: [ gpg, postgresql, python3-psycopg2, apt-transport-https ] diff --git a/roles/git-server/tasks/main.yaml b/roles/git-server/tasks/main.yaml index 4a5bb3c..c5fb328 100644 --- a/roles/git-server/tasks/main.yaml +++ b/roles/git-server/tasks/main.yaml @@ -1,6 +1,4 @@ --- -- ansible.builtin.import_tasks: - file: ../../../snippets/common-nginx.yaml - name: Install dependencies ansible.builtin.apt: diff --git a/roles/monitoring/tasks/main.yaml b/roles/monitoring/tasks/main.yaml index a13313c..398bb5f 100644 --- a/roles/monitoring/tasks/main.yaml +++ b/roles/monitoring/tasks/main.yaml @@ -2,9 +2,6 @@ - name: monitoring tags: monitoring block: - - ansible.builtin.import_tasks: - file: ../../../snippets/common-nginx.yaml - - name: Install nginx site ansible.builtin.template: src: nginx-site.conf diff --git a/roles/music/tasks/main.yaml b/roles/music/tasks/main.yaml index e91f146..cad6eb9 100644 --- a/roles/music/tasks/main.yaml +++ b/roles/music/tasks/main.yaml 
@@ -17,8 +17,6 @@ - tags: music block: - - ansible.builtin.import_tasks: - file: ../../../snippets/common-nginx.yaml - name: Install nginx config ansible.builtin.template: diff --git a/roles/www/tasks/mediawiki.yaml b/roles/www/tasks/mediawiki.yaml index 52dfccf..3835eeb 100644 --- a/roles/www/tasks/mediawiki.yaml +++ b/roles/www/tasks/mediawiki.yaml @@ -4,9 +4,6 @@ name: php-fpm state: present -- ansible.builtin.import_tasks: - file: ../../../snippets/common-nginx.yaml - - name: Install security.txt ansible.builtin.template: src: security.txt diff --git a/snippets/bitair-nginx.j2 b/snippets/bitair-nginx.j2 new file mode 100644 index 0000000..bfb75d6 --- /dev/null +++ b/snippets/bitair-nginx.j2 @@ -0,0 +1,2 @@ +root /opt/bitair.nl/; +index index.html; diff --git a/snippets/common-nginx.yaml b/snippets/common-nginx.yaml deleted file mode 100644 index 98aa02b..0000000 --- a/snippets/common-nginx.yaml +++ /dev/null @@ -1,18 +0,0 @@ ---- -- name: Install nginx - apt: - name: nginx - state: present - -- name: Disable nginx server_tokens - lineinfile: - path: /etc/nginx/nginx.conf - line: "\tserver_tokens off;" - regexp: "server_tokens" - notify: reload nginx - -- name: Clear default nginx site - file: - state: absent - path: /etc/nginx/sites-enabled/default - notify: reload nginx diff --git a/snippets/mqtt2web-nginx.j2 b/snippets/mqtt2web-nginx.j2 new file mode 100644 index 0000000..f719780 --- /dev/null +++ b/snippets/mqtt2web-nginx.j2 @@ -0,0 +1,11 @@ +# mqtt2web nginx config snippet + +location /mqtt/ { + proxy_pass http://localhost:8080/mqtt; + include proxy_params; + proxy_buffering off; + proxy_cache off; + proxy_http_version 1.1; + proxy_set_header Connection ''; + chunked_transfer_encoding off; +} diff --git a/snippets/ravespace-nginx.j2 b/snippets/ravespace-nginx.j2 new file mode 100644 index 0000000..492f366 --- /dev/null +++ b/snippets/ravespace-nginx.j2 @@ -0,0 +1,2 @@ +root /opt/ravespace.nl/; +index index.html; 
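Review bot: In the new `snippets/mqtt2web-nginx.j2`, `location /mqtt/ { proxy_pass http://localhost:8080/mqtt; }` has a location prefix ending in a slash while the proxy_pass URI does not, so nginx rewrites a request for `/mqtt/foo` to `/mqttfoo` upstream; unless mqtt2web really expects that, it should be `proxy_pass http://localhost:8080/mqtt/;`. The `proxy_buffering off` and `proxy_set_header Connection ''` settings suggest a long-lived event stream, which will also be cut by nginx's default 60s `proxy_read_timeout` unless that is raised here or in `proxy_params`.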
diff --git a/snippets/spaceapi-nginx.j2 b/snippets/spaceapi-nginx.j2
new file mode 100644
index 0000000..ba6829a
--- /dev/null
+++ b/snippets/spaceapi-nginx.j2
@@ -0,0 +1,8 @@
+# spaceapi nginx config snippet
+
+location = /statejson {
+ proxy_pass http://localhost:8888;
+ include proxy_params;
+ add_header 'Access-Control-Allow-Origin' '*';
+}
+
diff --git a/snippets/www-nginx.j2 b/snippets/www-nginx.j2
new file mode 100644
index 0000000..1ff42a9
--- /dev/null
+++ b/snippets/www-nginx.j2
@@ -0,0 +1,89 @@
+root /opt/mediawiki-1.41.1/;
+
+# Photo gallery
+location = /fotos {
+ return 302 $scheme://bitlair.nl/fotos/;
+}
+
+location ~* ^/fotos/(.*)$ {
+ proxy_pass http://204.2.68.2:4567/$1$is_args$args;
+}
+
+location ~ ^/state/(.+)$ {
+ alias /opt/spaceapi/assets/$1;
+}
+
+location = /events.ics {
+ alias /var/lib/bitlair-calendar/events.ics;
+}
+
+location ~ ^/(cache|maintenance|vendor|extensions)/ {
+ deny all;
+}
+
+# Legacy space API stuff.
+location ~ ^/(putconfig|putjson|putstate|state|statejson)\.php$ {
+ root "/opt/legacy/";
+ fastcgi_pass unix:/run/php/php-fpm.sock;
+ include fastcgi.conf;
+}
+
+location ~ ^/(bitlair.svg|bitlair_closed.png|bitlair_open.png|state|statejson)$ {
+ root "/opt/legacy/";
+}
+
+location ~ ^/wp-content {
+ root "/opt/legacy/";
+}
+
+location = /statejson.php {
+ rewrite ^.+$ /statejson;
+}
+
+# Mediawiki
+location / {
+ try_files $uri $uri/ @rewrite;
+}
+
+location ~ \.php$ {
+ try_files $uri @rewrite;
+ fastcgi_pass unix:/run/php/php-fpm.sock;
+ fastcgi_index index.php;
+ include fastcgi.conf;
+}
+
+location @rewrite {
+# rewrite ^/(.*)$ /index.php;
+ rewrite ^/(.*)$ /index.php?title=$1$args;
+}
+
+location ~ \.(png|css|ico|pdf|flv|jpe?g|gif|js|css)$ {
+ try_files $uri @rewrite;
+ expires 1M;
+}
+
+location = /_.gif {
+ expires max;
+ empty_gif;
+}
+
+#location /dumps {
+# root /opt/bitlair-wiki/local;
+# autoindex on;
+#}
+
+# Legacy: redirect old prefix.
+location /Pages/ {
+ rewrite ^/Pages/(.*) https://$server_name/$1$args redirect;
+}
+
+# Matrix realm delegation
+location = /.well-known/matrix/server {
+ add_header "Content-Type" "application/json";
+ add_header "Access-Control-Allow-Origin" "*";
+ alias /opt/matrix-delegation.json;
+}
+
+location = /.well-known/security.txt {
+ alias /opt/security.txt;
+}
diff --git a/wiki.yaml b/wiki.yaml
new file mode 100644
index 0000000..0a7dc96
--- /dev/null
+++ b/wiki.yaml
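Review bot: `location ~* ^/fotos/(.*)$ { proxy_pass http://204.2.68.2:4567/$1$is_args$args; }` forwards a regex capture, and nginx matches regex locations against the normalized, percent-decoded `$uri`, so the decoded remainder is sent to the gallery as-is and any percent-encoded characters in a gallery path arrive changed. If the gallery's paths can contain such characters, passing the undecoded `$request_uri` through instead of the capture avoids the surprise; if they never do, a comment saying so would save the next reader the check. Two smaller points: the static-asset regex lists `css` twice in `\.(png|css|ico|pdf|flv|jpe?g|gif|js|css)$`, and `root /opt/mediawiki-1.41.1/;` bakes the MediaWiki version into a shared snippet, where a variable would survive the next upgrade without editing nginx config.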
@@ -0,0 +1,8 @@ +--- + +- hosts: wiki + roles: + - { role: "common", tags: [ "common" ] } + - { role: "acme", tags: [ "acme" ] } + - { role: "nginx", tags: [ "nginx" ] } + - { role: "www", tags: [ "www" ] } diff --git a/www.yaml b/www.yaml deleted file mode 100644 index 6a66f2d..0000000 --- a/www.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- hosts: wiki - roles: - - common - - acme - - www From 980ec6c4f63653d707c2cb4977552b1506c9544b Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Thu, 18 Jul 2024 21:06:43 +0200 Subject: [PATCH 11/62] pad to nginx role --- group_vars/pad.yaml | 6 ++++++ pad.yaml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/group_vars/pad.yaml b/group_vars/pad.yaml index b498398..1711b7d 100644 --- a/group_vars/pad.yaml +++ b/group_vars/pad.yaml @@ -1 +1,7 @@ +--- + etherpad_domain: pad.bitlair.nl + +nginx_sites: + - server_name: "pad.bitlair.nl" + localproxy: "9001" diff --git a/pad.yaml b/pad.yaml index d9dc92f..74638bf 100644 --- a/pad.yaml +++ b/pad.yaml @@ -7,5 +7,5 @@ roles: - { role: "common", tags: [ "common" ] } - { role: "acme", tags: [ "acme" ] } -# - { role: "nginx", tags: [ "nginx" ] } + - { role: "nginx", tags: [ "nginx" ] } - { role: "etherpad", tags: [ "etherpad" ] } From d0c1e4519650d17b8778923fc3f744e411c9c929 Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Thu, 18 Jul 2024 21:30:05 +0200 Subject: [PATCH 12/62] pad --- bitlair.yaml | 1 + roles/etherpad/tasks/main.yaml | 244 +++++++++++++++++---------------- 2 files changed, 125 insertions(+), 120 deletions(-) diff --git a/bitlair.yaml b/bitlair.yaml index 71e06f0..be65660 100644 --- a/bitlair.yaml +++ b/bitlair.yaml @@ -47,6 +47,7 @@ - hosts: pad roles: - { role: "acme", tags: [ "acme" ] } + - { role: "nginx", tags: [ "nginx" ] } - { role: "etherpad", tags: [ "etherpad" ] } - hosts: services diff --git a/roles/etherpad/tasks/main.yaml b/roles/etherpad/tasks/main.yaml index 851cc02..cebeca2 100644 
--- a/roles/etherpad/tasks/main.yaml
+++ b/roles/etherpad/tasks/main.yaml
@@ -1,137 +1,141 @@ --- -- tags: etherpad - block: - - name: Install dependencies - ansible.builtin.apt: - name: [ gpg, postgresql, python3-psycopg2, apt-transport-https ] - - name: Import nodesource signing key - ansible.builtin.shell: - cmd: curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor - -o /usr/share/keyrings/nodesource.gpg - args: - creates: /usr/share/keyrings/nodesource.gpg - notify: apt update +- name: Install dependencies + ansible.builtin.apt: + state: present + pkg: + - gpg + - postgresql + - python3-psycopg2 + - apt-transport-https - - name: Install nodesource source list - ansible.builtin.template: - src: nodesource.list - dest: /etc/apt/sources.list.d/nodesource.list - owner: root - group: root - mode: 0644 - notify: apt update +- name: Import nodesource signing key + ansible.builtin.shell: + cmd: curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor + -o /usr/share/keyrings/nodesource.gpg + args: + creates: /usr/share/keyrings/nodesource.gpg + notify: apt update - - name: Install nodejs apt preference - ansible.builtin.template: - src: nodejs-apt-pref - dest: /etc/apt/preferences.d/nodejs - owner: root - group: root - mode: 0644 - notify: apt update +- name: Install nodesource source list + ansible.builtin.template: + src: nodesource.list + dest: /etc/apt/sources.list.d/nodesource.list + owner: root + group: root + mode: 0644 + notify: apt update - - ansible.builtin.meta: flush_handlers +- name: Install nodejs apt preference + ansible.builtin.template: + src: nodejs-apt-pref + dest: /etc/apt/preferences.d/nodejs + owner: root + group: root + mode: 0644 + notify: apt update - - name: Install nodejs - ansible.builtin.apt: - name: nodejs +- ansible.builtin.meta: flush_handlers - - name: Add database user - become: true - become_method: su - become_user: postgres - no_log: yes - community.postgresql.postgresql_user: - name: etherpad - password: "{{ etherpad_db_password }}" +- name: 
Install nodejs + ansible.builtin.apt: + name: nodejs - - name: Add database - become: true - become_method: su - become_user: postgres - community.postgresql.postgresql_db: - name: "{{ etherpad_db_name }}" - owner: "{{ etherpad_db_user }}" +- name: Add database user + become: true + become_method: su + become_user: postgres + no_log: yes + community.postgresql.postgresql_user: + name: etherpad + password: "{{ etherpad_db_password }}" - - name: Add etherpad user - ansible.builtin.user: - name: etherpad - home: /var/lib/etherpad +- name: Add database + become: true + become_method: su + become_user: postgres + community.postgresql.postgresql_db: + name: "{{ etherpad_db_name }}" + owner: "{{ etherpad_db_user }}" - - name: Create log file - ansible.builtin.file: - path: /var/log/etherpad.log - state: touch - owner: etherpad - group: etherpad - mode: 0644 +- name: Add etherpad user + ansible.builtin.user: + name: etherpad + home: /var/lib/etherpad - - name: Create source directory - ansible.builtin.file: - path: /opt/etherpad - state: directory - owner: etherpad - group: etherpad - mode: 0755 +- name: Create log file + ansible.builtin.file: + path: /var/log/etherpad.log + state: touch + owner: etherpad + group: etherpad + mode: 0644 - - name: Clone etherpad source - become: yes - become_method: su - become_user: etherpad - ansible.builtin.git: - repo: https://github.com/ether/etherpad-lite.git - version: master - dest: /opt/etherpad - accept_hostkey: yes - notify: restart etherpad +- name: Create source directory + ansible.builtin.file: + path: /opt/etherpad + state: directory + owner: etherpad + group: etherpad + mode: 0755 - - name: Install etherpad config - ansible.builtin.template: - src: settings.json - dest: /opt/etherpad/settings.json - owner: root - group: root - mode: 0644 - notify: restart etherpad +- name: Clone etherpad source + become: yes + become_method: su + become_user: etherpad + ansible.builtin.git: + repo: https://github.com/ether/etherpad-lite.git + 
version: master + dest: /opt/etherpad + accept_hostkey: yes + notify: restart etherpad - - name: Install etherpad service - ansible.builtin.template: - src: etherpad.service - dest: /etc/systemd/system/etherpad.service - owner: root - group: root - mode: 0644 - notify: restart etherpad +- name: Install etherpad config + ansible.builtin.template: + src: settings.json + dest: /opt/etherpad/settings.json + owner: root + group: root + mode: 0644 + notify: restart etherpad - - name: Start etherpad - ansible.builtin.systemd: - daemon_reload: true - name: etherpad - state: started - enabled: yes +- name: Install etherpad service + ansible.builtin.template: + src: etherpad.service + dest: /etc/systemd/system/etherpad.service + owner: root + group: root + mode: 0644 + notify: restart etherpad - - name: Install nginx config - ansible.builtin.template: - src: nginx-site.conf - dest: /etc/nginx/sites-enabled/etherpad - owner: root - group: root - mode: 0644 - notify: reload nginx +- name: Start etherpad + ansible.builtin.systemd: + daemon_reload: true + name: etherpad + state: started + enabled: yes - - name: Allow HTTP and HTTPS - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: "{{ item.port }}" - ctstate: NEW - jump: ACCEPT - ip_version: "{{ item.ip }}" - action: insert - with_items: - - { ip: ipv4, port: 80 } - - { ip: ipv4, port: 443 } - - { ip: ipv6, port: 80 } - - { ip: ipv6, port: 443 } - notify: persist iptables +- name: Install nginx config + ansible.builtin.template: + src: nginx-site.conf + dest: /etc/nginx/sites-enabled/etherpad + owner: root + group: root + mode: 0644 + notify: reload nginx + +- name: Allow HTTP and HTTPS + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: "{{ item.port }}" + ctstate: NEW + jump: ACCEPT + ip_version: "{{ item.ip }}" + action: insert + with_items: + - { ip: ipv4, port: 80 } + - { ip: ipv4, port: 443 } + - { ip: ipv6, port: 80 } + - { ip: ipv6, port: 443 } + notify: persist 
iptables From ecf68bd0cf48e31b2ef409e0d747d621c9343fa8 Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Thu, 18 Jul 2024 22:00:48 +0200 Subject: [PATCH 13/62] nginx role for git + music --- bitlair.yaml | 1 + git.yaml | 7 ++-- group_vars/git.yaml | 10 +++++ group_vars/music.yaml | 2 + roles/mqtt-internal/tasks/main.yaml | 58 ++++++++++++++--------------- roles/nginx/defaults/main.yaml | 1 + roles/nginx/templates/site.conf.j2 | 2 + snippets/forgejo-nginx.j2 | 3 ++ 8 files changed, 51 insertions(+), 33 deletions(-) create mode 100644 snippets/forgejo-nginx.j2 diff --git a/bitlair.yaml b/bitlair.yaml index be65660..1eed26c 100644 --- a/bitlair.yaml +++ b/bitlair.yaml @@ -26,6 +26,7 @@ - hosts: git roles: - { role: "acme", tags: [ "acme" ] } + - { role: "nginx", tags: [ "nginx" ] } - { role: "git-server", tags: [ "git-server" ] } - hosts: monitoring diff --git a/git.yaml b/git.yaml index 2161a4c..0ae1811 100644 --- a/git.yaml +++ b/git.yaml @@ -2,6 +2,7 @@ - hosts: git roles: - - common - - acme - - git-server + - { role: "common", tags: [ "common" ] } + - { role: "acme", tags: [ "acme" ] } + - { role: "nginx", tags: [ "nginx" ] } + - { role: "git-server", tags: [ "git-server" ] } diff --git a/group_vars/git.yaml b/group_vars/git.yaml index ed549a9..dd039b3 100644 --- a/group_vars/git.yaml +++ b/group_vars/git.yaml @@ -1,5 +1,15 @@ +--- + acme_domains: - "{{ git_server_domain }}" git_server_domain: git.bitlair.nl git_server_title: Gitlair git_server_bootstrap_cert: no + +nginx_client_max_body_size: 4G + +nginx_sites: + - server_name: "git.bitlair.nl" + localproxy: "9001" + snippets: + - "forgejo-nginx.j2" diff --git a/group_vars/music.yaml b/group_vars/music.yaml index ee9235b..8acdf4e 100644 --- a/group_vars/music.yaml +++ b/group_vars/music.yaml @@ -5,6 +5,8 @@ root_access: - foobar - polyfloyd +nginx_client_max_body_size: 512M + music_domain: music.bitlair.nl acme_san_domains: - [ music.bitlair.nl ] 
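Review bot: The restructured `Import nodesource signing key` task still trusts whatever `curl ... | gpg --dearmor` receives from the URL at run time, and `Clone etherpad source` still tracks `version: master`, so what ends up installed depends on the state of two remote endpoints on the day the play runs; pinning `version` to a release tag or commit and shipping the nodesource key from the role's `files/` (or checking its fingerprint after download) would make both reproducible. `Add database user` creates the literal user `etherpad` while `Add database` sets `owner: "{{ etherpad_db_user }}"`; if that variable is ever not `etherpad` the second task fails, so use `name: "{{ etherpad_db_user }}"` in both. `Install nginx config` still writes `/etc/nginx/sites-enabled/etherpad`, while this series' `group_vars/pad.yaml` now declares `pad.bitlair.nl` under `nginx_sites` for the nginx role; if both render a server block for the same name, nginx will warn about a conflicting server name and only one of them will answer.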
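Review bot: In `group_vars/git.yaml`, `localproxy: "9001"` for git.bitlair.nl is the same port the pad host uses for etherpad in the previous commit, while Forgejo's default HTTP port is 3000. Unless the git server was deliberately configured to listen on 9001 (the existing `roles/git-server` configuration is not visible here), this reads as a copy-paste and the nginx role would proxy to a closed port; a comment naming where the port is configured would settle it either way.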
diff --git a/roles/mqtt-internal/tasks/main.yaml b/roles/mqtt-internal/tasks/main.yaml index 371671c..89f9064 100644 --- a/roles/mqtt-internal/tasks/main.yaml +++ b/roles/mqtt-internal/tasks/main.yaml @@ -1,34 +1,32 @@ --- -- name: mqtt-internal - tags: mqtt_internal - block: - - name: Install dependencies - ansible.builtin.apt: - name: - - mosquitto - - avahi-daemon - - name: Install bambulab cafile - # openssl s_client -showcerts -connect :8883 :8883 Date: Thu, 18 Jul 2024 22:02:33 +0200 Subject: [PATCH 14/62] Role-tags for other playbooks --- common.yaml | 2 +- fotos.yaml | 4 ++-- git-ci.yaml | 4 ++-- services.yaml | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/common.yaml b/common.yaml index 3e0cb27..0cbfe1b 100644 --- a/common.yaml +++ b/common.yaml @@ -3,4 +3,4 @@ - hosts: debian gather_facts: true roles: - - common + - { role: "common", tags: [ "common" ] } diff --git a/fotos.yaml b/fotos.yaml index f0edd7b..7357e31 100644 --- a/fotos.yaml +++ b/fotos.yaml @@ -2,5 +2,5 @@ - hosts: fotos roles: - - common - - photos + - { role: "common", tags: [ "common" ] } + - { role: "photos", tags: [ "photos" ] } diff --git a/git-ci.yaml b/git-ci.yaml index fa9f7b7..711dac4 100644 --- a/git-ci.yaml +++ b/git-ci.yaml @@ -2,5 +2,5 @@ - hosts: git-ci roles: - - common - - git-ci + - { role: "common", tags: [ "common" ] } + - { role: "git-ci", tags: [ "git-ci" ] } diff --git a/services.yaml b/services.yaml index 2a1bd65..e66fc11 100644 --- a/services.yaml +++ b/services.yaml @@ -2,5 +2,5 @@ - hosts: services roles: - - common - - services + - { role: "common", tags: [ "common" ] } + - { role: "services", tags: [ "services" ] } From e7e2458ba0fa643836d5c921c8ec4ef99d02b40d Mon Sep 17 00:00:00 2001 
From: Mark Janssen -- Sig-I/O Automatisering Date: Thu, 18 Jul 2024 22:17:59 +0200 Subject: [PATCH 15/62] Rename mqtt-internal to mqtt --- bitlair.yaml | 2 +- mqtt-internal.yaml => mqtt.yaml | 2 +- roles/{mqtt-internal => mqtt}/defaults/main.yaml | 0 roles/{mqtt-internal => mqtt}/handlers/main.yaml | 0 roles/{mqtt-internal => mqtt}/tasks/main.yaml | 0 roles/{mqtt-internal => mqtt}/templates/bambulab.conf | 0 roles/{mqtt-internal => mqtt}/templates/internal.conf | 0 roles/{mqtt-internal => mqtt}/templates/public-bridge.conf | 0 8 files changed, 2 insertions(+), 2 deletions(-) rename mqtt-internal.yaml => mqtt.yaml (52%) rename roles/{mqtt-internal => mqtt}/defaults/main.yaml (100%) rename roles/{mqtt-internal => mqtt}/handlers/main.yaml (100%) rename roles/{mqtt-internal => mqtt}/tasks/main.yaml (100%) rename roles/{mqtt-internal => mqtt}/templates/bambulab.conf (100%) rename roles/{mqtt-internal => mqtt}/templates/internal.conf (100%) rename roles/{mqtt-internal => mqtt}/templates/public-bridge.conf (100%) diff --git a/bitlair.yaml b/bitlair.yaml index 1eed26c..b267d4c 100644 --- a/bitlair.yaml +++ b/bitlair.yaml @@ -37,7 +37,7 @@ - hosts: mqtt roles: - - { role: "mqtt-internal", tags: [ "mqtt-internal" ] } + - { role: "mqtt", tags: [ "mqtt" ] } - hosts: music roles: diff --git a/mqtt-internal.yaml b/mqtt.yaml similarity index 52% rename from mqtt-internal.yaml rename to mqtt.yaml index 4e106e0..7b691f3 100644 --- a/mqtt-internal.yaml +++ b/mqtt.yaml @@ -3,4 +3,4 @@ - hosts: mqtt roles: - { role: "common", tags: [ "common" ] } - - { role: "mqtt-internal", tags: [ "mqtt", "mqtt-internal" ] } + - { role: "mqtt", tags: [ "mqtt", "mqtt" ] } diff --git a/roles/mqtt-internal/defaults/main.yaml b/roles/mqtt/defaults/main.yaml similarity index 100% rename from roles/mqtt-internal/defaults/main.yaml rename to roles/mqtt/defaults/main.yaml 
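Review bot: The renamed role entry in `mqtt.yaml` carries `tags: [ "mqtt", "mqtt" ]`, a duplicate left over from replacing `mqtt-internal` with `mqtt`. It is harmless at run time but reads as a leftover; `tags: [ "mqtt" ]` is what the `bitlair.yaml` hunk in the same commit uses, so the two playbooks should match.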
diff --git a/roles/mqtt-internal/handlers/main.yaml b/roles/mqtt/handlers/main.yaml similarity index 100% rename from roles/mqtt-internal/handlers/main.yaml rename to roles/mqtt/handlers/main.yaml diff --git a/roles/mqtt-internal/tasks/main.yaml b/roles/mqtt/tasks/main.yaml similarity index 100% rename from roles/mqtt-internal/tasks/main.yaml rename to roles/mqtt/tasks/main.yaml diff --git a/roles/mqtt-internal/templates/bambulab.conf b/roles/mqtt/templates/bambulab.conf similarity index 100% rename from roles/mqtt-internal/templates/bambulab.conf rename to roles/mqtt/templates/bambulab.conf diff --git a/roles/mqtt-internal/templates/internal.conf b/roles/mqtt/templates/internal.conf similarity index 100% rename from roles/mqtt-internal/templates/internal.conf rename to roles/mqtt/templates/internal.conf diff --git a/roles/mqtt-internal/templates/public-bridge.conf b/roles/mqtt/templates/public-bridge.conf similarity index 100% rename from roles/mqtt-internal/templates/public-bridge.conf rename to roles/mqtt/templates/public-bridge.conf From a74dba45573044b37f4061646deb64734727712a Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Fri, 19 Jul 2024 09:50:57 +0200 Subject: [PATCH 16/62] Add index --- snippets/www-nginx.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/snippets/www-nginx.j2 b/snippets/www-nginx.j2 index 1ff42a9..6b43e35 100644 --- a/snippets/www-nginx.j2 +++ b/snippets/www-nginx.j2 @@ -1,4 +1,5 @@ root /opt/mediawiki-1.41.1/; +index index.php index.html index.htm; # Photo gallery location = /fotos { From 848917a72c4323f9d4e10c13d64b7fb909d537f3 Mon Sep 17 00:00:00 2001 
From: Mark Janssen Date: Wed, 24 Jul 2024 21:32:13 +0200 Subject: [PATCH 17/62] nft role + disable iptables when nft enabled --- bitlair.yaml | 2 + group_vars/all.yaml | 35 +++--- group_vars/git.yaml | 5 + group_vars/pad.yaml | 5 + pad.yaml | 1 + roles/common/handlers/main.yaml | 1 + roles/common/tasks/main.yaml | 7 +- roles/etherpad/tasks/main.yaml | 1 + roles/git-server/tasks/main.yaml | 1 + roles/monitoring/tasks/main.yaml | 69 +++++----- roles/nft/defaults/main.yaml | 33 +++++ roles/nft/handlers/main.yaml | 13 ++ roles/nft/tasks/main.yaml | 47 +++++++ roles/nft/templates/nftables.conf.j2 | 182 +++++++++++++++++++++++++++ roles/services/tasks/siahsd.yaml | 1 + roles/www/tasks/mediawiki.yaml | 1 + roles/www/tasks/mqtt.yaml | 1 + 17 files changed, 348 insertions(+), 57 deletions(-) create mode 100644 roles/nft/defaults/main.yaml create mode 100644 roles/nft/handlers/main.yaml create mode 100644 roles/nft/tasks/main.yaml create mode 100644 roles/nft/templates/nftables.conf.j2 diff --git a/bitlair.yaml b/bitlair.yaml index b267d4c..9f249d8 100644 --- a/bitlair.yaml +++ b/bitlair.yaml @@ -5,6 +5,7 @@ gather_facts: true roles: - { role: "common", tags: [ "common" ] } + - { role: "nft", tags: [ "nft" ] } - hosts: bank roles: @@ -47,6 +48,7 @@ - hosts: pad roles: + - { role: "nft", tags: [ "nft" ] } - { role: "acme", tags: [ "acme" ] } - { role: "nginx", tags: [ "nginx" ] } - { role: "etherpad", tags: [ "etherpad" ] } diff --git a/group_vars/all.yaml b/group_vars/all.yaml index fd209d8..b9f854d 100644 --- a/group_vars/all.yaml +++ b/group_vars/all.yaml 
@@ -5,26 +5,21 @@ ansible_python_interpreter: auto_silent notify_email: bestuur@bitlair.nl acme_bootstrap_certs: no trusted_ranges: - # localhost - - { v: ipv4, cidr: "127.0.0.1/8" } - - { v: ipv6, cidr: "::1" } - # rf1928 - - { v: ipv4, cidr: "10.0.0.0/8" } - - { v: ipv4, cidr: "172.16.0.0/12" } - - { v: ipv4, cidr: "192.168.0.0/16" } - # v6 local - - { v: ipv6, cidr: "fe80::/10" } - # vihamij - - { v: ipv4, cidr: "45.88.49.140" } - # eventinfra - - { v: ipv4, cidr: "204.2.64.0/20" } - # bitlair - - { v: ipv4, cidr: "100.64.0.0/10" } - - { v: ipv4, cidr: "185.205.52.194/32" } - - { v: ipv6, cidr: "2a02:166b:92::/48" } - # foobar - - { v: ipv4, cidr: "31.187.251.213/32" } - - { v: ipv6, cidr: "2a0e:5700:4:2::/64" } + - { v: ipv4, cidr: "127.0.0.1/8", comment: "localhost" } + - { v: ipv4, cidr: "10.0.0.0/8", comment: "rfc1918" } + - { v: ipv4, cidr: "172.16.0.0/12", comment: "rfc1918" } + - { v: ipv4, cidr: "192.168.0.0/16", comment: "rfc1918" } + - { v: ipv4, cidr: "45.88.49.140", comment: "vihamij" } + - { v: ipv4, cidr: "204.2.64.0/20", comment: "eventinfra" } + - { v: ipv4, cidr: "100.64.0.0/10", comment: "bitlair" } + - { v: ipv4, cidr: "185.205.52.194/32", comment: "bitlair" } + - { v: ipv4, cidr: "31.187.251.213/32", comment: "foobar" } +# - { v: ipv6, cidr: "::/0", comment: "ipv6 localhost" } +# - { v: ipv6, cidr: "fe80::/10", comment: "ipv6 link-local" } +# - { v: ipv6, cidr: "2a02:166b:92::/48", comment: "bitlair" } # /48's kunnen niet in de ipset + - { v: ipv6, cidr: "2001:678:814:68::/64", comment: "bitlair wifi" } + - { v: ipv6, cidr: "2a05:2d01:0:4042::/64", comment: "bitlair servers" } + - { v: ipv6, cidr: "2a0e:5700:4:2::/64", comment: "foobar" } root_access: - ak diff --git a/group_vars/git.yaml b/group_vars/git.yaml index dd039b3..8705b22 100644 --- a/group_vars/git.yaml +++ b/group_vars/git.yaml 
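Review bot: The reworked `trusted_ranges` comments out `::1`, `fe80::/10` and the `2a02:166b:92::/48` range with the remark that /48s cannot go into the ipset, but the nft template added in this commit builds `@trusted6` from the same list, and nft sets declared with `flags interval` accept any prefix length, so the limitation appears to be specific to the iptables/ipset path. Since the nft template accepts SSH only from `@trusted4`/`@trusted6`, hosts that switch to nft will stop accepting SSH from that /48 until it is re-added. The iptables `Allow local connections` task in this commit still iterates `trusted_ranges` too, so hosts that stay on iptables also lose the explicit `::1` allow; if loopback is not covered by another rule there, keep the `- { v: ipv6, cidr: "::1", comment: "localhost" }` entry.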
@@ -6,6 +6,11 @@ git_server_domain: git.bitlair.nl git_server_title: Gitlair git_server_bootstrap_cert: no +nft: true +group_nft_input: + - "# Allow web-traffic from world" + - "tcp dport { http, https } accept" + nginx_client_max_body_size: 4G nginx_sites: diff --git a/group_vars/pad.yaml b/group_vars/pad.yaml index 1711b7d..e0a3ff1 100644 --- a/group_vars/pad.yaml +++ b/group_vars/pad.yaml @@ -5,3 +5,8 @@ etherpad_domain: pad.bitlair.nl nginx_sites: - server_name: "pad.bitlair.nl" localproxy: "9001" + +nft: true +group_nft_input: + - "# Allow web-traffic from world" + - "tcp dport { http, https } accept" diff --git a/pad.yaml b/pad.yaml index 74638bf..380e790 100644 --- a/pad.yaml +++ b/pad.yaml @@ -6,6 +6,7 @@ - [ pad.bitlair.nl ] roles: - { role: "common", tags: [ "common" ] } + - { role: "nft", tags: [ "nft" ] } - { role: "acme", tags: [ "acme" ] } - { role: "nginx", tags: [ "nginx" ] } - { role: "etherpad", tags: [ "etherpad" ] } diff --git a/roles/common/handlers/main.yaml b/roles/common/handlers/main.yaml index b71cef9..15ce290 100644 --- a/roles/common/handlers/main.yaml +++ b/roles/common/handlers/main.yaml @@ -29,3 +29,4 @@ with_items: - { c: iptables, ip: v4 } - { c: ip6tables, ip: v6 } + when: not nft | bool diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml index d20da44..41512a3 100644 --- a/roles/common/tasks/main.yaml +++ b/roles/common/tasks/main.yaml @@ -66,8 +66,6 @@ - etckeeper - git - htop - - iptables - - iptables-persistent - jq - net-tools - netcat-openbsd @@ -133,6 +131,7 @@ - ipv4 - ipv6 notify: persist iptables + when: not nft | bool - name: Allow ICMP ansible.builtin.iptables: @@ -144,6 +143,7 @@ - { ip: ipv4, proto: icmp } - { ip: ipv6, proto: ipv6-icmp } notify: persist iptables + when: not nft | bool - name: Allow related and established connections ansible.builtin.iptables: @@ -155,6 +155,7 @@ - ipv4 - ipv6 notify: persist iptables + when: not nft | bool - name: Allow local connections ansible.builtin.iptables: 
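Review bot: The first `roles/common/tasks/main.yaml` hunk drops `iptables` and `iptables-persistent` from the common package list for every host, but the `ansible.builtin.iptables` tasks later in the file and the `persist iptables` handler still run whenever `nft` is false, which is the default set in `roles/nft/defaults/main.yaml`; on a freshly provisioned host without `nft: true` those tasks will fail for want of the iptables binary. Keeping the two packages in a separate apt task guarded by `when: not nft | bool` until every host has switched would close that gap. The same guard added in the later hunks of this file and in the etherpad, git-server and monitoring roles reads as `not (nft | bool)`, which is the intended meaning.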
@@ -164,6 +165,7 @@ ip_version: "{{ item.v }}" with_items: "{{ trusted_ranges }}" notify: persist iptables + when: not nft | bool - name: Deny inbound connections ansible.builtin.iptables: @@ -174,3 +176,4 @@ - ipv4 - ipv6 notify: persist iptables + when: not nft | bool diff --git a/roles/etherpad/tasks/main.yaml b/roles/etherpad/tasks/main.yaml index cebeca2..2adf731 100644 --- a/roles/etherpad/tasks/main.yaml +++ b/roles/etherpad/tasks/main.yaml @@ -139,3 +139,4 @@ - { ip: ipv6, port: 80 } - { ip: ipv6, port: 443 } notify: persist iptables + when: not nft | bool diff --git a/roles/git-server/tasks/main.yaml b/roles/git-server/tasks/main.yaml index c5fb328..112033e 100644 --- a/roles/git-server/tasks/main.yaml +++ b/roles/git-server/tasks/main.yaml @@ -98,6 +98,7 @@ - { ip: ipv6, port: 22 } - { ip: ipv6, port: 443 } notify: persist iptables + when: not nft | bool - ansible.builtin.debug: msg: If Forgejo has not been setup yet, please do so manually. diff --git a/roles/monitoring/tasks/main.yaml b/roles/monitoring/tasks/main.yaml index 398bb5f..f43992a 100644 --- a/roles/monitoring/tasks/main.yaml +++ b/roles/monitoring/tasks/main.yaml 
@@ -1,42 +1,41 @@ --- -- name: monitoring - tags: monitoring - block: - - name: Install nginx site - ansible.builtin.template: - src: nginx-site.conf - dest: /etc/nginx/sites-available/monitoring - owner: root - group: root - mode: 0644 - notify: reload nginx - - name: Enable nginx site - ansible.builtin.file: - src: /etc/nginx/sites-available/monitoring - dest: /etc/nginx/sites-enabled/monitoring - state: link - notify: reload nginx +- name: Install nginx site + ansible.builtin.template: + src: nginx-site.conf + dest: /etc/nginx/sites-available/monitoring + owner: root + group: root + mode: 0644 + notify: reload nginx - - name: Start nginx - ansible.builtin.systemd: - name: nginx - state: started - enabled: yes +- name: Enable nginx site + ansible.builtin.file: + src: /etc/nginx/sites-available/monitoring + dest: /etc/nginx/sites-enabled/monitoring + state: link + notify: reload nginx - - name: Allow HTTP/HTTPS - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: "{{ item.port }}" - ctstate: NEW - jump: ACCEPT - ip_version: "{{ item.ip }}" - action: insert - with_items: - - { ip: ipv6, port: 80 } - - { ip: ipv6, port: 443 } - notify: persist iptables +- name: Start nginx + ansible.builtin.systemd: + name: nginx + state: started + enabled: yes + +- name: Allow HTTP/HTTPS + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: "{{ item.port }}" + ctstate: NEW + jump: ACCEPT + ip_version: "{{ item.ip }}" + action: insert + with_items: + - { ip: ipv6, port: 80 } + - { ip: ipv6, port: 443 } + notify: persist iptables + when: not nft | bool - name: mqtt_exporter tags: mqtt_exporter diff --git a/roles/nft/defaults/main.yaml b/roles/nft/defaults/main.yaml new file mode 100644 index 0000000..6538cf0 --- /dev/null +++ b/roles/nft/defaults/main.yaml 
@@ -0,0 +1,33 @@ +--- + +nft: false # totdat alles om is +nft_main_config: "/etc/nftables.conf" + +# Default policies per chain ( drop / reject / accept ) +nft_policy_input: "drop" +nft_policy_forward: "accept" +nft_policy_output: "accept" +# Same for nat traffic +nft_policy_prerouting: "accept" +nft_policy_postrouting: "accept" + +# Host/Port allows +nft_group_rules: [] + +# And per host/group additions to rules: +group_nft_input: [] +group_nft_forward: [] +group_nft_output: [] + +host_nft_input: [] +host_nft_forward: [] +host_nft_output: [] + +group_nft_postrouting: [] +host_nft_postrouting: [] +group_nft_prerouting: [] +host_nft_prerouting: [] + +nft_defines: [] +nft_defines_group: [] + diff --git a/roles/nft/handlers/main.yaml b/roles/nft/handlers/main.yaml new file mode 100644 index 0000000..dc77ef3 --- /dev/null +++ b/roles/nft/handlers/main.yaml @@ -0,0 +1,13 @@ +--- + +- name: Reload nftables + ansible.builtin.systemd: + name: "nftables" + state: reloaded + enabled: true + tags: + - nft + - nftservice + when: + - nft|bool + diff --git a/roles/nft/tasks/main.yaml b/roles/nft/tasks/main.yaml new file mode 100644 index 0000000..e74dc58 --- /dev/null +++ b/roles/nft/tasks/main.yaml 
@@ -0,0 +1,47 @@ +--- + +- name: Install nftables related packages + ansible.builtin.apt: + state: present + pkg: + - nftables + - net-tools + - ipset + +- name: Template nftables.conf + ansible.builtin.template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: "root" + group: "root" + mode: "0700" + validate: "{{ item.validate | default() }}" + with_items: + - { src: "nftables.conf.j2", dest: "{{ nft_main_config }}", + backup: "yes", validate: "/usr/sbin/nft -c -f %s" } + tags: + - nft + - nftconfig + when: + - nft | bool + notify: + - Reload nftables + +- name: Cleanup netfilter packages + ansible.builtin.apt: + state: absent + pkg: + - netfilter-persistent + when: + - nft | bool + +- name: Cleanup iptables stuff + ansible.builtin.file: + state: absent + path: "{{ item }}" + with_items: + - "/etc/iptables/rules/v4" + - "/etc/iptables/rules/v6" + - "/etc/iptables" + when: + - nft | bool diff --git a/roles/nft/templates/nftables.conf.j2 b/roles/nft/templates/nftables.conf.j2 new file mode 100644 index 0000000..dce3e2a --- /dev/null +++ b/roles/nft/templates/nftables.conf.j2 
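Review bot: In `Template nftables.conf` the `backup: "yes"` key inside the `with_items` entry is never read — the task passes `src`, `dest` and `validate` from `item` but has no `backup: "{{ item.backup }}"` — so the previous ruleset is not preserved on change; either wire it through or drop the key. A `with_items` loop over a single hard-coded entry adds indirection for no gain here; the task could name `nftables.conf.j2`, `{{ nft_main_config }}` and `/usr/sbin/nft -c -f %s` directly. `mode: "0700"` sets an execute bit on a configuration file; if that is deliberate because the template starts with `#!/usr/sbin/nft -f`, a comment saying so would help, otherwise `"0600"` gives root the same exclusive access.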
@@ -0,0 +1,182 @@ +#!/usr/sbin/nft -f +# {{ ansible_managed }} + +flush ruleset + +table inet filter { + +# Named sets +set trusted4 { + type ipv4_addr + flags interval + elements = { +{% for ip in trusted_ranges %} +{% if ip.v == 'ipv4' %} + {{ ip.cidr }}, # {{ ip.comment | default('') }} +{% endif %} +{% endfor %} + } +} + +set trusted6 { + type ipv6_addr + flags interval + elements = { +{% for ip in trusted_ranges %} +{% if ip.v == 'ipv6' %} + {{ ip.cidr }}, # {{ ip.comment | default('') }} +{% endif %} +{% endfor %} + } +} + + +# Firewall chains + chain input { + type filter hook input priority 0; + policy {{ nft_policy_input }}; + + # Established connections + ct state established,related accept + ct state invalid counter drop comment "drop invalid packets" + + # Limit icmp echo/reply + ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets log prefix "high icmp-echo rate: " drop + # icmp6 from trusted ranges + ip6 nexthdr icmpv6 icmpv6 type echo-request accept + # icmpv6 from the rest of the world + ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets log prefix "high icmp6-echo rate: " drop + + # Loopback traffic + iifname lo accept + + # icmp + ip protocol icmp icmp type { + destination-unreachable, + echo-reply, + echo-request, + source-quench, + time-exceeded + } accept + + # icmp6 + ip6 nexthdr icmpv6 icmpv6 type { + destination-unreachable, + echo-reply, + echo-request, + nd-neighbor-solicit, + nd-router-advert, + nd-neighbor-advert, + packet-too-big, + parameter-problem, + time-exceeded + } accept + + # Open ssh only for trusted machines + ip saddr @trusted4 tcp dport { ssh } accept + ip6 saddr @trusted6 tcp dport { ssh } accept + + # Rules based on group-vars +{% for custom in nft_group_rules %} +{% if custom.comment is defined %} + # {{ custom.comment|default('') }} +{% endif %} + ip saddr { {{ custom.from | join(', ') }} } {{ custom.proto | default('tcp') }} dport { {{ custom.port }} } {{ 
custom.policy | default('accept') }} + +{% endfor %} + +{% for rule in group_nft_input %} + # Group input rules + {{ rule }} +{% endfor %} +{% for rule in host_nft_input %} + # Host input rules + {{ rule }} +{% endfor %} + } + chain forward { + type filter hook forward priority 0; + policy {{ nft_policy_forward }}; + + ct state established,related accept + +{% for rule in group_nft_forward %} + # Group forward rules + {{ rule }} +{% endfor %} +{% for rule in host_nft_forward %} + # Host forward rules + {{ rule }} +{% endfor %} + + counter comment "count dropped incoming packets" + } + chain output { + type filter hook output priority 0; + policy {{ nft_policy_output }}; + + # Established connections + ct state established,related accept + ct state invalid counter drop comment "drop invalid packets" + + # icmp + ip protocol icmp icmp type { + destination-unreachable, + echo-reply, + echo-request, + source-quench, + time-exceeded + } accept + + # icmp6 + ip6 nexthdr icmpv6 icmpv6 type { + destination-unreachable, + echo-reply, + echo-request, + nd-neighbor-solicit, + nd-router-advert, + nd-neighbor-advert, + packet-too-big, + parameter-problem, + time-exceeded + } accept + +{% for rule in group_nft_output %} + # Group output rules + {{ rule }} +{% endfor %} +{% for rule in host_nft_output %} + # Host output rules + {{ rule }} +{% endfor %} + counter comment "count dropped outgoing packets" + } +} + +table ip nat { + chain prerouting { + type nat hook prerouting priority 100 + policy {{ nft_policy_prerouting }}; +{% for rule in group_nft_prerouting %} + # Group prerouting rules + {{ rule }} +{% endfor %} +{% for rule in host_nft_prerouting %} + # Host prerouting rules + {{ rule }} +{% endfor %} + } + chain postrouting { + type nat hook postrouting priority 100 + policy {{ nft_policy_postrouting }}; + +{% for rule in group_nft_postrouting %} + # Group postrouting rules + {{ rule }} +{% endfor %} +{% for rule in host_nft_postrouting %} + # Host postrouting rules + {{ 
rule }} +{% endfor %} + } +} diff --git a/roles/services/tasks/siahsd.yaml b/roles/services/tasks/siahsd.yaml index 2d924c8..ba88c8c 100644 --- a/roles/services/tasks/siahsd.yaml +++ b/roles/services/tasks/siahsd.yaml @@ -46,3 +46,4 @@ action: insert with_items: [ ipv4, ipv6 ] notify: persist iptables + when: not nft | bool diff --git a/roles/www/tasks/mediawiki.yaml b/roles/www/tasks/mediawiki.yaml index 3835eeb..5113131 100644 --- a/roles/www/tasks/mediawiki.yaml +++ b/roles/www/tasks/mediawiki.yaml @@ -27,3 +27,4 @@ - { ip: ipv6, port: 80 } - { ip: ipv6, port: 443 } notify: persist iptables + when: not nft | bool diff --git a/roles/www/tasks/mqtt.yaml b/roles/www/tasks/mqtt.yaml index 88fa7f9..94dc0bf 100644 --- a/roles/www/tasks/mqtt.yaml +++ b/roles/www/tasks/mqtt.yaml @@ -19,6 +19,7 @@ - { ip: ipv4, port: 1883 } - { ip: ipv6, port: 1883 } notify: persist iptables + when: not nft | bool - name: Install mqtt-simple ansible.builtin.command: From ff6649ab713fd799b72dc4ebc0eac3b24887dce9 Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Wed, 24 Jul 2024 21:32:29 +0200 Subject: [PATCH 18/62] linter script --- lint.sh | 5 +++++ 1 file changed, 5 insertions(+) create mode 100755 lint.sh diff --git a/lint.sh b/lint.sh new file mode 100755 index 0000000..bc0183d --- /dev/null +++ b/lint.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +j2lint `find ./ -type f -name '*.j2'` +ansible-lint bitlair.yaml + From aa242b0327cd54fb9edcfa21987a726ef3020c77 Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Wed, 24 Jul 2024 22:00:44 +0200 Subject: [PATCH 19/62] more firewall configs --- group_vars/bank.yaml | 3 +++ group_vars/fotos.yaml | 3 +++ group_vars/git-ci.yaml | 4 ++++ group_vars/lights.yaml | 3 +++ group_vars/mqtt.yaml | 6 ++++++ roles/nft/templates/nftables.conf.j2 | 2 +- 6 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 group_vars/bank.yaml create mode 100644 group_vars/lights.yaml create mode 100644 group_vars/mqtt.yaml 
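Review bot: In the input chain, `ip6 nexthdr icmpv6 icmpv6 type echo-request accept` accepts IPv6 echo-requests from every source, so the rate-limiting `drop` rule right after it is never reached and the comment `# icmp6 from trusted ranges` does not describe what the rule does; restricting it to the set, `ip6 saddr @trusted6 icmpv6 type echo-request accept`, makes the limit apply to the rest of the world as the IPv4 pair does. In the forward chain, `counter comment "count dropped incoming packets"` sits at the end of a chain whose policy defaults to `accept`, so it counts packets that are about to be accepted; rename the comment (e.g. `"packets reaching forward policy"`) or tie it to the actual policy. The `log prefix "high icmp-echo rate: "` statements log every over-limit packet with no limit of their own, so a sustained ping flood is also a log flood; a separate `limit rate` on the log rule is the usual mitigation.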
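Review bot: The backtick command substitution feeding `j2lint` splits the file list on whitespace and glob-expands it, and because the script has no `set -e` a failing j2lint is masked by the exit status of `ansible-lint` that runs after it. `find ./ -type f -name '*.j2' -exec j2lint {} +` handles arbitrary paths, and `set -euo pipefail` at the top makes the lint run fail on the first error.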
diff --git a/group_vars/bank.yaml b/group_vars/bank.yaml new file mode 100644 index 0000000..29bf37c --- /dev/null +++ b/group_vars/bank.yaml @@ -0,0 +1,3 @@ +--- + +nft: true diff --git a/group_vars/fotos.yaml b/group_vars/fotos.yaml index 5a9ca68..c69812c 100644 --- a/group_vars/fotos.yaml +++ b/group_vars/fotos.yaml @@ -1,6 +1,9 @@ + root_access: - ak - foobar - linor - polyfloyd - wilco + +nft: true diff --git a/group_vars/git-ci.yaml b/group_vars/git-ci.yaml index 18ed638..1e5fdac 100644 --- a/group_vars/git-ci.yaml +++ b/group_vars/git-ci.yaml @@ -1 +1,5 @@ +--- + forgejo_url: https://git.bitlair.nl + +nft: false diff --git a/group_vars/lights.yaml b/group_vars/lights.yaml new file mode 100644 index 0000000..29bf37c --- /dev/null +++ b/group_vars/lights.yaml @@ -0,0 +1,3 @@ +--- + +nft: true diff --git a/group_vars/mqtt.yaml b/group_vars/mqtt.yaml new file mode 100644 index 0000000..dd9db4a --- /dev/null +++ b/group_vars/mqtt.yaml @@ -0,0 +1,6 @@ +--- + +nft: true + +nft_group_rules: + - { version: "ip6", from: [ '2001:470:7f95::/48' ], port: "1883" } diff --git a/roles/nft/templates/nftables.conf.j2 b/roles/nft/templates/nftables.conf.j2 index dce3e2a..23481bb 100644 --- a/roles/nft/templates/nftables.conf.j2 +++ b/roles/nft/templates/nftables.conf.j2 @@ -81,7 +81,7 @@ set trusted6 { {% if custom.comment is defined %} # {{ custom.comment|default('') }} {% endif %} - ip saddr { {{ custom.from | join(', ') }} } {{ custom.proto | default('tcp') }} dport { {{ custom.port }} } {{ custom.policy | default('accept') }} + {{ custom.version|default('ip') }} saddr { {{ custom.from | join(', ') }} } {{ custom.proto | default('tcp') }} dport { {{ custom.port }} } {{ custom.policy | default('accept') }} {% endfor %} From 31d38e8f06c8d45e71e398268452610e56373fc9 Mon Sep 17 00:00:00 2001 
From: Mark Janssen Date: Wed, 24 Jul 2024 22:10:28 +0200 Subject: [PATCH 20/62] more nft --- group_vars/monitoring.yaml | 5 +++++ group_vars/services.yaml | 5 +++++ group_vars/wiki.yaml | 8 ++++++++ 3 files changed, 18 insertions(+) create mode 100644 group_vars/services.yaml diff --git a/group_vars/monitoring.yaml b/group_vars/monitoring.yaml index 51d9b97..f788245 100644 --- a/group_vars/monitoring.yaml +++ b/group_vars/monitoring.yaml @@ -3,6 +3,11 @@ monitoring_bootstrap_cert: no acme_san_domains: - ["{{ monitoring_domain }}", monitoring.bitlair.nl] +nft: true +group_nft_input: + - "# Allow web-traffic from world" + - "tcp dport { http, https } accept" + prometheus_scrape_configs: - job_name: "node" static_configs: diff --git a/group_vars/services.yaml b/group_vars/services.yaml new file mode 100644 index 0000000..2fdfaaf --- /dev/null +++ b/group_vars/services.yaml @@ -0,0 +1,5 @@ +--- + +nft: true +group_nft_input: [] +# - "udp dport 4000 accept # FIXME, werkt op dit moment toch niet hoor ik van AK diff --git a/group_vars/wiki.yaml b/group_vars/wiki.yaml index e9a1937..6c517e7 100644 --- a/group_vars/wiki.yaml +++ b/group_vars/wiki.yaml @@ -4,6 +4,14 @@ acme_san_domains: - [ bitair.nl ] - [ ravespace.nl ] +nft: true + +group_nft_input: + - "# Allow web-traffic from world" + - "tcp dport { http, https } accept" + - "# mqtt from world" + - "tcp dport { 1883 } accept" + nginx_sites: - server_name: "bitlair.nl" server_alias: "wiki.bitlair.nl www.bitlair.nl cyber.bitlair.nl" From ba3c923b7788f40e7b0dbbe86b6d673c0a04fb42 Mon Sep 17 00:00:00 2001 
From: Mark Janssen Date: Wed, 24 Jul 2024 22:14:35 +0200 Subject: [PATCH 21/62] Nft is now default --- bitlair.yaml | 1 - common.yaml | 1 + group_vars/bank.yaml | 1 - group_vars/fotos.yaml | 2 -- group_vars/git-ci.yaml | 2 +- group_vars/git.yaml | 1 - group_vars/kvm.yaml | 4 ++++ group_vars/lights.yaml | 1 - group_vars/monitoring.yaml | 1 - group_vars/mqtt.yaml | 2 -- group_vars/music.yaml | 5 +++++ group_vars/pad.yaml | 1 - group_vars/raspi.yaml | 4 ++++ group_vars/services.yaml | 1 - group_vars/wiki.yaml | 2 -- roles/nft/defaults/main.yaml | 2 +- 16 files changed, 16 insertions(+), 15 deletions(-) create mode 100644 group_vars/kvm.yaml create mode 100644 group_vars/raspi.yaml diff --git a/bitlair.yaml b/bitlair.yaml index 9f249d8..a2923fc 100644 --- a/bitlair.yaml +++ b/bitlair.yaml @@ -48,7 +48,6 @@ - hosts: pad roles: - - { role: "nft", tags: [ "nft" ] } - { role: "acme", tags: [ "acme" ] } - { role: "nginx", tags: [ "nginx" ] } - { role: "etherpad", tags: [ "etherpad" ] } diff --git a/common.yaml b/common.yaml index 0cbfe1b..dacc2ae 100644 --- a/common.yaml +++ b/common.yaml @@ -4,3 +4,4 @@ gather_facts: true roles: - { role: "common", tags: [ "common" ] } + - { role: "nft", tags: [ "nft" ] } diff --git a/group_vars/bank.yaml b/group_vars/bank.yaml index 29bf37c..cd21505 100644 --- a/group_vars/bank.yaml +++ b/group_vars/bank.yaml @@ -1,3 +1,2 @@ --- -nft: true diff --git a/group_vars/fotos.yaml b/group_vars/fotos.yaml index c69812c..9ab05d7 100644 --- a/group_vars/fotos.yaml +++ b/group_vars/fotos.yaml @@ -5,5 +5,3 @@ root_access: - linor - polyfloyd - wilco - -nft: true diff --git a/group_vars/git-ci.yaml b/group_vars/git-ci.yaml index 1e5fdac..e0bdaab 100644 --- a/group_vars/git-ci.yaml +++ b/group_vars/git-ci.yaml @@ -2,4 +2,4 @@ forgejo_url: https://git.bitlair.nl -nft: false +nft: false # Docker wil nog niet zo met nft diff --git a/group_vars/git.yaml b/group_vars/git.yaml index 8705b22..2aaa490 100644 --- a/group_vars/git.yaml +++ b/group_vars/git.yaml 
@@ -6,7 +6,6 @@ git_server_domain: git.bitlair.nl git_server_title: Gitlair git_server_bootstrap_cert: no -nft: true group_nft_input: - "# Allow web-traffic from world" - "tcp dport { http, https } accept" diff --git a/group_vars/kvm.yaml b/group_vars/kvm.yaml new file mode 100644 index 0000000..9eed925 --- /dev/null +++ b/group_vars/kvm.yaml @@ -0,0 +1,4 @@ +--- + +# FIXME: nog niet kunnen testen, en mogelijk non-default config nodig ;) +nft: false diff --git a/group_vars/lights.yaml b/group_vars/lights.yaml index 29bf37c..cd21505 100644 --- a/group_vars/lights.yaml +++ b/group_vars/lights.yaml @@ -1,3 +1,2 @@ --- -nft: true diff --git a/group_vars/monitoring.yaml b/group_vars/monitoring.yaml index f788245..248d854 100644 --- a/group_vars/monitoring.yaml +++ b/group_vars/monitoring.yaml @@ -3,7 +3,6 @@ monitoring_bootstrap_cert: no acme_san_domains: - ["{{ monitoring_domain }}", monitoring.bitlair.nl] -nft: true group_nft_input: - "# Allow web-traffic from world" - "tcp dport { http, https } accept" diff --git a/group_vars/mqtt.yaml b/group_vars/mqtt.yaml index dd9db4a..3b2167b 100644 --- a/group_vars/mqtt.yaml +++ b/group_vars/mqtt.yaml @@ -1,6 +1,4 @@ --- -nft: true - nft_group_rules: - { version: "ip6", from: [ '2001:470:7f95::/48' ], port: "1883" } diff --git a/group_vars/music.yaml b/group_vars/music.yaml index 8acdf4e..8f0cc7c 100644 --- a/group_vars/music.yaml +++ b/group_vars/music.yaml @@ -1,3 +1,8 @@ +--- + +# Fixme, nog niet kunnen testen, was down +nft: false + root_access: - ak - bob diff --git a/group_vars/pad.yaml b/group_vars/pad.yaml index e0a3ff1..fd642a9 100644 --- a/group_vars/pad.yaml +++ b/group_vars/pad.yaml @@ -6,7 +6,6 @@ nginx_sites: - server_name: "pad.bitlair.nl" localproxy: "9001" -nft: true group_nft_input: - "# Allow web-traffic from world" - "tcp dport { http, https } accept" diff --git a/group_vars/raspi.yaml b/group_vars/raspi.yaml new file mode 100644 index 0000000..4b0461c --- /dev/null +++ b/group_vars/raspi.yaml 
@@ -0,0 +1,4 @@ +--- + +# Nog niet kunnen testen / geen toegang +nft: false diff --git a/group_vars/services.yaml b/group_vars/services.yaml index 2fdfaaf..e76affe 100644 --- a/group_vars/services.yaml +++ b/group_vars/services.yaml @@ -1,5 +1,4 @@ --- -nft: true group_nft_input: [] # - "udp dport 4000 accept # FIXME, werkt op dit moment toch niet hoor ik van AK diff --git a/group_vars/wiki.yaml b/group_vars/wiki.yaml index 6c517e7..1f2bd2c 100644 --- a/group_vars/wiki.yaml +++ b/group_vars/wiki.yaml @@ -4,8 +4,6 @@ acme_san_domains: - [ bitair.nl ] - [ ravespace.nl ] -nft: true - group_nft_input: - "# Allow web-traffic from world" - "tcp dport { http, https } accept" diff --git a/roles/nft/defaults/main.yaml b/roles/nft/defaults/main.yaml index 6538cf0..2d9c778 100644 --- a/roles/nft/defaults/main.yaml +++ b/roles/nft/defaults/main.yaml @@ -1,6 +1,6 @@ --- -nft: false # totdat alles om is +nft: true # Overrule om geen nftables uit te rollen nft_main_config: "/etc/nftables.conf" # Default policies per chain ( drop / reject / accept ) From 43406c49fc8c3e8b3e94b57ef3fab7c273cecb47 Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Wed, 24 Jul 2024 22:39:05 +0200 Subject: [PATCH 22/62] Add shell / enable nft on kvm --- group_vars/all.yaml | 8 ++++---- group_vars/kvm.yaml | 2 -- inventory | 5 ++++- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/group_vars/all.yaml b/group_vars/all.yaml index b9f854d..928e710 100644 --- a/group_vars/all.yaml +++ b/group_vars/all.yaml 
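Review bot: Changing the default to `nft: true` means every host without an explicit override now gets a ruleset whose input policy is `drop` and whose ssh access is limited to `@trusted4`/`@trusted6`; the template task's `nft -c` validation checks syntax only, so a host whose Ansible source address is not in `trusted_ranges` locks itself out on the first run. A comment on this line recording that prerequisite, e.g. `# Set to false to skip nftables; the Ansible source address must be in trusted_ranges before enabling`, would make the opt-out note actionable. The per-group `nft: true` removals in this commit are consistent with the new default.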
@@ -10,16 +10,16 @@ trusted_ranges: - { v: ipv4, cidr: "172.16.0.0/12", comment: "rfc1918" } - { v: ipv4, cidr: "192.168.0.0/16", comment: "rfc1918" } - { v: ipv4, cidr: "45.88.49.140", comment: "vihamij" } - - { v: ipv4, cidr: "204.2.64.0/20", comment: "eventinfra" } + - { v: ipv4, cidr: "204.2.64.0/20", comment: "eventinfra / bitlair" } - { v: ipv4, cidr: "100.64.0.0/10", comment: "bitlair" } - - { v: ipv4, cidr: "185.205.52.194/32", comment: "bitlair" } - - { v: ipv4, cidr: "31.187.251.213/32", comment: "foobar" } + - { v: ipv4, cidr: "185.205.52.194/32", comment: "bitlair A2B" } # kan weg ?? + - { v: ipv4, cidr: "31.187.251.213/32", comment: "foobar thuis" } # - { v: ipv6, cidr: "::/0", comment: "ipv6 localhost" } # - { v: ipv6, cidr: "fe80::/10", comment: "ipv6 link-local" } # - { v: ipv6, cidr: "2a02:166b:92::/48", comment: "bitlair" } # /48's kunnen niet in de ipset - { v: ipv6, cidr: "2001:678:814:68::/64", comment: "bitlair wifi" } - { v: ipv6, cidr: "2a05:2d01:0:4042::/64", comment: "bitlair servers" } - - { v: ipv6, cidr: "2a0e:5700:4:2::/64", comment: "foobar" } + - { v: ipv6, cidr: "2a0e:5700:4:2::/64", comment: "foobar ipv6" } root_access: - ak diff --git a/group_vars/kvm.yaml b/group_vars/kvm.yaml index 9eed925..cd21505 100644 --- a/group_vars/kvm.yaml +++ b/group_vars/kvm.yaml @@ -1,4 +1,2 @@ --- -# FIXME: nog niet kunnen testen, en mogelijk non-default config nodig ;) -nft: false diff --git a/inventory b/inventory index 7e430e1..5a50449 100644 --- a/inventory +++ b/inventory @@ -39,6 +39,9 @@ service.bitlair.nl [wiki] wiki.bitlair.nl +[shell] +shell.bitlair.nl + [debian:children] bank fotos @@ -51,4 +54,4 @@ monitoring music services wiki - +shell From cce26a439577ac6701a36e04bdaa04750ac62874 Mon Sep 17 00:00:00 2001 
From: Mark Janssen Date: Thu, 25 Jul 2024 00:22:18 +0200 Subject: [PATCH 23/62] Begin with shell-config --- authorized_keys/ak.keys | 2 ++ authorized_keys/foobar.keys | 2 ++ group_vars/shell.yaml | 3 +++ roles/common/tasks/main.yaml | 1 + 4 files changed, 8 insertions(+) create mode 100644 group_vars/shell.yaml diff --git a/authorized_keys/ak.keys b/authorized_keys/ak.keys index 75593c5..a257da2 100644 --- a/authorized_keys/ak.keys +++ b/authorized_keys/ak.keys @@ -1 +1,3 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ0ryG8LT5ryjc3tZggVP0cxjXoKOPzUIwmB9Yez+u3nDHc3RdLR0V/BdcVPCJl9vOQwsFaTE34ZEZ3A6qkcSaz2Npxqq0eFtcEAKTy9w41C6jE586jkwkednSK9ObFFZnlSA3ielYeB5bRuELHyvazHWSUGn+/nzuujAYpEABRGAlt0IV2eMugsb1aEs5v8/Hw3REGz6IeNBwlVOzDznGK4N0b1es270k2fpkD0XMRnga7x2eduD74gRYJHo41sKz6kqHFfXjvrH6Efrn5sNtTF7pIkPfeiX4ukDQYG6Ynxgkdbi1pMg5zGjjjRZ0iExKqNi+jtZhVewqFvj66vLX arjan@koopen.net +ssh-rsa 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 arjan@koopen.net SL + diff --git a/authorized_keys/foobar.keys b/authorized_keys/foobar.keys index f7fac20..057bbbf 100644 --- a/authorized_keys/foobar.keys +++ b/authorized_keys/foobar.keys @@ -1,2 +1,4 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUIAkaRsvb6cD1XIGF80JpMH1mYE9XhCgptOkt9AfloZQlO7Ds5XeCwJk5/TsoidTcb/0yFUov8SMwaIVtrFfkNUqqeAsfm3luJ4JwOXeCwrXD6W7c5Wqg/FGNH0eZr0kEnxpNS10L72+oNBQgnlSNjqWS29lEmXApKQ3IKy6aP9cMwEh25fsH/2G7mHsZX2UMPK0tZPC6MPxY5P9PWLIulUpsX96c6OcAvGYIvsCnecsVsTdhK36w4Z/t7XoLFz5X6k3eXT7gG4SMGuBixjroTUhumWzgJJ6T1Nn/eESe7Im8krlzO/0hG/F8uBy3s04TAJuXFmygvtC4YLyq91U5 Sig-I/O Beheer key ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyKprIcR81+RFSBxU3iyW4vd0ctr0q1Pqifzxbro+0C mark@x240-ed25519 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGc3py/K9wUSF86SIMv2AWtVAxEb1ZEy7BEz7VrGeZp/ sigio@t14 + diff --git a/group_vars/shell.yaml b/group_vars/shell.yaml new file mode 100644 index 0000000..238e2cc --- /dev/null +++ b/group_vars/shell.yaml @@ -0,0 +1,3 @@ +--- + +manage_sshd_config: false 
diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml index 41512a3..a02e163 100644 --- a/roles/common/tasks/main.yaml +++ b/roles/common/tasks/main.yaml @@ -117,6 +117,7 @@ line: 'PasswordAuthentication no' - regexp: '^#?DebianBanner' line: 'DebianBanner no' + when: manage_sshd_config | default(true) notify: reload sshd - name: Allow SSH From 631e09ff747cb072e9fbb7361f1ddf525a16ab6d Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Thu, 25 Jul 2024 10:42:25 +0200 Subject: [PATCH 24/62] Fix mqtt + fotos firewall rules --- group_vars/all.yaml | 1 + group_vars/fotos.yaml | 5 +++++ group_vars/mqtt.yaml | 4 ++++ 3 files changed, 10 insertions(+) diff --git a/group_vars/all.yaml b/group_vars/all.yaml index 928e710..18728b5 100644 --- a/group_vars/all.yaml +++ b/group_vars/all.yaml @@ -14,6 +14,7 @@ trusted_ranges: - { v: ipv4, cidr: "100.64.0.0/10", comment: "bitlair" } - { v: ipv4, cidr: "185.205.52.194/32", comment: "bitlair A2B" } # kan weg ?? - { v: ipv4, cidr: "31.187.251.213/32", comment: "foobar thuis" } + - { v: ipv4, cidr: "185.205.53.40/32", comment: "ak / koopen.net" } # - { v: ipv6, cidr: "::/0", comment: "ipv6 localhost" } # - { v: ipv6, cidr: "fe80::/10", comment: "ipv6 link-local" } # - { v: ipv6, cidr: "2a02:166b:92::/48", comment: "bitlair" } # /48's kunnen niet in de ipset diff --git a/group_vars/fotos.yaml b/group_vars/fotos.yaml index 9ab05d7..ce3dc05 100644 --- a/group_vars/fotos.yaml +++ b/group_vars/fotos.yaml @@ -5,3 +5,8 @@ root_access: - linor - polyfloyd - wilco + +group_nft_input: + - "# Allow traffic from wiki" + - "ip saddr 204.2.64.19 tcp dport { 4567 } accept" + diff --git a/group_vars/mqtt.yaml b/group_vars/mqtt.yaml index 3b2167b..5b4604d 100644 --- a/group_vars/mqtt.yaml +++ b/group_vars/mqtt.yaml @@ -2,3 +2,7 @@ nft_group_rules: - { version: "ip6", from: [ '2001:470:7f95::/48' ], port: "1883" } + +group_nft_input: + - ip saddr @trusted4 tcp dport { 1883 } accept + - ip6 saddr @trusted6 tcp dport { 1883 } accept 
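Review bot: `when: manage_sshd_config | default(true)` introduces the switch inline instead of declaring it in the role's defaults, so there is no single place documenting what opting out drops; declare `manage_sshd_config: true` in roles/common/defaults/main.yaml with a comment and use `when: manage_sshd_config | bool` here. That matters for the shell host, which sets it to `false` in the same patch: `PasswordAuthentication no` and `DebianBanner no` from this task are then no longer enforced there, on the one host with interactive users, so group_vars/shell.yaml should say how that host's sshd_config is managed instead. The enclosing task starts before this hunk.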
From 35a63d7aaa7797c3ab87d8fcb6dfcf1376a0fcbf Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Thu, 25 Jul 2024 10:53:44 +0200 Subject: [PATCH 25/62] Make trusted_ports list --- group_vars/all.yaml | 2 ++ group_vars/fotos.yaml | 4 ++++ group_vars/mqtt.yaml | 6 +++--- roles/nft/templates/nftables.conf.j2 | 4 ++-- 4 files changed, 11 insertions(+), 5 deletions(-) diff --git a/group_vars/all.yaml b/group_vars/all.yaml index 18728b5..18707fc 100644 --- a/group_vars/all.yaml +++ b/group_vars/all.yaml @@ -21,6 +21,8 @@ trusted_ranges: - { v: ipv6, cidr: "2001:678:814:68::/64", comment: "bitlair wifi" } - { v: ipv6, cidr: "2a05:2d01:0:4042::/64", comment: "bitlair servers" } - { v: ipv6, cidr: "2a0e:5700:4:2::/64", comment: "foobar ipv6" } +trusted_ports: + - ssh root_access: - ak diff --git a/group_vars/fotos.yaml b/group_vars/fotos.yaml index ce3dc05..ca34caa 100644 --- a/group_vars/fotos.yaml +++ b/group_vars/fotos.yaml @@ -6,6 +6,10 @@ root_access: - polyfloyd - wilco +trusted_ports: + - ssh + - microsoft-ds + group_nft_input: - "# Allow traffic from wiki" - "ip saddr 204.2.64.19 tcp dport { 4567 } accept" diff --git a/group_vars/mqtt.yaml b/group_vars/mqtt.yaml index 5b4604d..af51b73 100644 --- a/group_vars/mqtt.yaml +++ b/group_vars/mqtt.yaml @@ -3,6 +3,6 @@ nft_group_rules: - { version: "ip6", from: [ '2001:470:7f95::/48' ], port: "1883" } -group_nft_input: - - ip saddr @trusted4 tcp dport { 1883 } accept - - ip6 saddr @trusted6 tcp dport { 1883 } accept +trusted_ports: + - ssh + - 1883 diff --git a/roles/nft/templates/nftables.conf.j2 b/roles/nft/templates/nftables.conf.j2 index 23481bb..ce52b65 100644 --- a/roles/nft/templates/nftables.conf.j2 +++ b/roles/nft/templates/nftables.conf.j2 
@@ -73,8 +73,8 @@ set trusted6 { } accept # Open ssh only for trusted machines - ip saddr @trusted4 tcp dport { ssh } accept - ip6 saddr @trusted6 tcp dport { ssh } accept + ip saddr @trusted4 tcp dport { {{ trusted_ports|join(', ') }} } accept + ip6 saddr @trusted6 tcp dport { {{ trusted_ports|join(', ') }} } accept # Rules based on group-vars {% for custom in nft_group_rules %} From d6812bf4770f9676b8df02ae5edfdb560ddf6066 Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Thu, 25 Jul 2024 15:20:07 +0200 Subject: [PATCH 26/62] Test ssh keysigning --- inventory | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory b/inventory index 5a50449..08ff7d1 100644 --- a/inventory +++ b/inventory @@ -1,4 +1,4 @@ -# Inventory +# Bitlair inventory [raspi] bank-pi.bitlair.nl From 77941971b1c5b2a9cd643775c16f52bcff2d3f4a Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Thu, 25 Jul 2024 15:23:07 +0200 Subject: [PATCH 27/62] Try again --- inventory | 1 + 1 file changed, 1 insertion(+) diff --git a/inventory b/inventory index 08ff7d1..e66fa9a 100644 --- a/inventory +++ b/inventory @@ -1,5 +1,6 @@ # Bitlair inventory + [raspi] bank-pi.bitlair.nl From e1bf3e1765b5255eff7413b5d392c6370dc9c7e2 Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Sat, 27 Jul 2024 17:09:25 +0200 Subject: [PATCH 28/62] Allow ssh for git.bitlair --- group_vars/git.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/git.yaml b/group_vars/git.yaml index 2aaa490..03f8559 100644 --- a/group_vars/git.yaml +++ b/group_vars/git.yaml @@ -7,8 +7,8 @@ git_server_title: Gitlair git_server_bootstrap_cert: no group_nft_input: - - "# Allow web-traffic from world" - - "tcp dport { http, https } accept" + - "# Allow ssh(git) + web-traffic from world" + - "tcp dport { ssh, http, https } accept" nginx_client_max_body_size: 4G From abc64144a8b94ad8efa95b139140aefb8458e18e Mon Sep 17 00:00:00 2001 
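Review bot: The comment `# Open ssh only for trusted machines` above the changed lines is now stale, since the rules open whatever `trusted_ports` lists; `# Open trusted_ports only for trusted machines` matches the new code. Because a group-level `trusted_ports` replaces the `all.yaml` list rather than extending it, every override must restate `ssh` (fotos and mqtt do in this patch) or the host loses remote access, and an empty list renders `tcp dport { }`, which `nft -c` rejects; a comment on `trusted_ports` in the group_vars/all.yaml hunk stating both would prevent a surprise later.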
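Review bot: `tcp dport { ssh, http, https } accept` exposes the system ssh port of the git host to the world, where the input chain previously limited ssh to `@trusted4`/`@trusted6`; if the goal is git-over-ssh for Forgejo users, a comment saying so (and noting that `PasswordAuthentication no` from the common role is what keeps that acceptable) would document the intent. A rate limit on new connections to that port is the usual complement to opening it this widely.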
From: Mark Janssen Date: Wed, 31 Jul 2024 20:33:54 +0200 Subject: [PATCH 29/62] Linter + Dashboard fixes --- bitlair.yaml | 49 ++++++----- group_vars/monitoring.yaml | 4 +- roles/acme/tasks/main.yaml | 2 +- roles/common/handlers/main.yaml | 15 ++-- roles/common/tasks/debian-upgrade.yaml | 3 - roles/common/tasks/main.yaml | 62 +------------- roles/common/tasks/network.yaml | 5 +- roles/common/tasks/vm.yaml | 3 +- roles/common/templates/authorized_keys.j2 | 2 +- roles/common/templates/sources.list.j2 | 6 +- roles/etherpad/tasks/main.yaml | 32 ++----- roles/etherpad/tasks/requirements.yml | 2 + roles/git-ci/tasks/main.yaml | 84 +++++++++---------- roles/git-server/tasks/main.yaml | 35 ++------ roles/go/tasks/main.yaml | 15 ++-- roles/monitoring/tasks/main.yaml | 21 +---- roles/monitoring/templates/grafana.ini | 3 + roles/mqtt/tasks/main.yaml | 2 +- roles/music/handlers/main.yaml | 12 +-- roles/music/tasks/librespot.yaml | 6 +- roles/music/tasks/main.yaml | 36 ++++---- roles/music/tasks/mpd.yaml | 9 +- roles/music/tasks/soundboard.yaml | 6 +- roles/music/tasks/trollibox.yaml | 12 +-- roles/nft/templates/nftables.conf.j2 | 8 +- roles/nginx/defaults/main.yaml | 2 - roles/nginx/templates/site.conf.j2 | 4 +- roles/photos/tasks/bambulab-fetch.yaml | 2 +- roles/photos/tasks/photo-gallery.yaml | 2 +- roles/photos/tasks/photos2mqtt.yaml | 2 +- roles/raspi/tasks/main.yaml | 4 +- roles/services/tasks/discord_bot.yaml | 5 +- roles/services/tasks/ircbot.yaml | 6 +- roles/services/tasks/main.yaml | 47 ++++++++--- roles/services/tasks/mastodon_spacestate.yaml | 8 +- roles/services/tasks/power_mqtt.yaml | 6 +- roles/services/tasks/siahsd.yaml | 22 ++--- roles/services/tasks/spacestated.yaml | 6 +- roles/services/tasks/wifi_mqtt.yaml | 14 ++-- roles/www/handlers/main.yaml | 7 +- roles/www/tasks/main.yaml | 17 +++- roles/www/tasks/mediawiki.yaml | 17 +--- roles/www/tasks/mqtt.yaml | 31 ++----- roles/www/tasks/spaceapi.yaml | 8 +- 44 files changed, 265 insertions(+), 379 deletions(-) 
diff --git a/bitlair.yaml b/bitlair.yaml index a2923fc..9a7b765 100644 --- a/bitlair.yaml +++ b/bitlair.yaml 
@@ -1,63 +1,62 @@ - --- - hosts: all gather_facts: true roles: - - { role: "common", tags: [ "common" ] } - - { role: "nft", tags: [ "nft" ] } + - { role: "common", tags: ["common"] } + - { role: "nft", tags: ["nft"] } - hosts: bank roles: - - { role: "bank", tags: [ "bank" ] } + - { role: "bank", tags: ["bank"] } - hosts: raspi roles: - - { role: "raspi", tags: [ "raspi" ] } - - { role: "bank-terminal", tags: [ "bank-terminal" ] } + - { role: "raspi", tags: ["raspi"] } + - { role: "bank-terminal", tags: ["bank-terminal"] } - hosts: fotos roles: - - { role: "photos", tags: [ "photos" ] } + - { role: "photos", tags: ["photos"] } - hosts: git-ci roles: - - { role: "git-ci", tags: [ "git-ci" ] } + - { role: "git-ci", tags: ["git-ci"] } - hosts: git roles: - - { role: "acme", tags: [ "acme" ] } - - { role: "nginx", tags: [ "nginx" ] } - - { role: "git-server", tags: [ "git-server" ] } + - { role: "acme", tags: ["acme"] } + - { role: "nginx", tags: ["nginx"] } + - { role: "git-server", tags: ["git-server"] } - hosts: monitoring roles: - - { role: "acme", tags: [ "acme" ] } - - { role: "nginx", tags: [ "nginx" ] } - - { role: "monitoring", tags: [ "monitoring" ] } + - { role: "acme", tags: ["acme"] } + - { role: "nginx", tags: ["nginx"] } + - { role: "monitoring", tags: ["monitoring"] } - hosts: mqtt roles: - - { role: "mqtt", tags: [ "mqtt" ] } + - { role: "mqtt", tags: ["mqtt"] } - hosts: music roles: - - { role: "acme", tags: [ "acme" ] } - - { role: "go", tags: [ "go" ] } - - { role: "music", tags: [ "music" ] } + - { role: "acme", tags: ["acme"] } + - { role: "go", tags: ["go"] } + - { role: "music", tags: ["music"] } - hosts: pad roles: - - { role: "acme", tags: [ "acme" ] } - - { role: "nginx", tags: [ "nginx" ] } - - { role: "etherpad", tags: [ "etherpad" ] } + - { role: "acme", tags: ["acme"] } + - { role: "nginx", tags: ["nginx"] } + - { role: "etherpad", tags: ["etherpad"] } - hosts: services roles: - - { role: "services", tags: [ "services" ] } + - { role: 
"services", tags: ["services"] } - hosts: wiki roles: - - { role: "acme", tags: [ "acme" ] } - - { role: "nginx", tags: [ "nginx" ] } - - { role: "www", tags: [ "www" ] } + - { role: "acme", tags: ["acme"] } + - { role: "nginx", tags: ["nginx"] } + - { role: "www", tags: ["www"] } diff --git a/group_vars/monitoring.yaml b/group_vars/monitoring.yaml index 248d854..260e159 100644 --- a/group_vars/monitoring.yaml +++ b/group_vars/monitoring.yaml @@ -1,7 +1,7 @@ monitoring_domain: dashboard.bitlair.nl monitoring_bootstrap_cert: no acme_san_domains: - - ["{{ monitoring_domain }}", monitoring.bitlair.nl] + - ["{{ monitoring_domain }}"] group_nft_input: - "# Allow web-traffic from world" @@ -21,6 +21,7 @@ prometheus_scrape_configs: - "lights.bitlair.nl:9100" - "music.bitlair.nl:9100" - "service.bitlair.nl:9100" + - "user.bitlair.nl:9100" - job_name: "mqtt" static_configs: - targets: [ "localhost:9883" ] @@ -34,6 +35,7 @@ prometheus_scrape_configs: - https://bitlair.nl - https://git.bitlair.nl - https://pad.bitlair.nl + - https://user.bitlair.nl # Legacy - https://wiki.bitlair.nl - https://portal.bitlair.nl diff --git a/roles/acme/tasks/main.yaml b/roles/acme/tasks/main.yaml index 0be3133..01bf029 100644 --- a/roles/acme/tasks/main.yaml +++ b/roles/acme/tasks/main.yaml @@ -40,7 +40,7 @@ - name: Symlink SAN domains ansible.builtin.include_tasks: file: san_domains_loop.yaml - loop: "{{ acme_san_domains|default([]) }}" + loop: "{{ acme_san_domains | default([]) }}" loop_control: loop_var: domains diff --git a/roles/common/handlers/main.yaml b/roles/common/handlers/main.yaml index 15ce290..3f6d5b8 100644 --- a/roles/common/handlers/main.yaml +++ b/roles/common/handlers/main.yaml 
@@ -1,30 +1,27 @@ --- -- name: update grub +- name: Update grub ansible.builtin.command: cmd: update-grub -- name: reboot - ansible.builtin.reboot: - -- name: apt update +- name: Apt update ansible.builtin.apt: update_cache: true -- name: daemon reload +- name: Daemon reload ansible.builtin.systemd: daemon_reload: true -- name: reload sshd +- name: Reload sshd ansible.builtin.systemd: name: ssh state: reloaded -- name: reload nginx +- name: Reload nginx ansible.builtin.systemd: name: nginx state: reloaded -- name: persist iptables +- name: Persist iptables ansible.builtin.shell: "{{ item.c }}-save > /etc/iptables/rules.{{ item.ip }}" with_items: - { c: iptables, ip: v4 } diff --git a/roles/common/tasks/debian-upgrade.yaml b/roles/common/tasks/debian-upgrade.yaml index 3ff5041..f986713 100644 --- a/roles/common/tasks/debian-upgrade.yaml +++ b/roles/common/tasks/debian-upgrade.yaml @@ -21,9 +21,6 @@ ansible.builtin.apt: upgrade: full -- name: Reboot - ansible.builtin.reboot: - - name: autoremove ansible.builtin.apt: autoremove: yes diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml index a02e163..fc597aa 100644 --- a/roles/common/tasks/main.yaml +++ b/roles/common/tasks/main.yaml @@ -96,7 +96,7 @@ path: /etc/default/grub regexp: '^GRUB_TIMEOUT=' line: "GRUB_TIMEOUT=1 # Managed by Ansible" - notify: update grub + notify: Update grub - name: Configure cron email ansible.builtin.lineinfile: 
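Review bot: Deleting the `reboot` handler is a behaviour change hidden in a lint commit: the network.yaml and vm.yaml hunks later in this patch drop their `notify: reboot`, so GRUB cmdline and interface changes now wait for a manual reboot, and debian-upgrade.yaml loses its post-`full-upgrade` reboot as well. If that is intended (ansible-lint only objects to the lowercase names, not to the reboot), say so in the commit message or leave a comment at `Update grub`, e.g. `# Reboot after grub/network changes is intentionally left to the operator`.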
@@ -118,63 +118,5 @@ - regexp: '^#?DebianBanner' line: 'DebianBanner no' when: manage_sshd_config | default(true) - notify: reload sshd + notify: Reload sshd -- name: Allow SSH - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: "{{ ssh_port }}" - ctstate: NEW - jump: ACCEPT - ip_version: "{{ item }}" - with_items: - - ipv4 - - ipv6 - notify: persist iptables - when: not nft | bool - -- name: Allow ICMP - ansible.builtin.iptables: - chain: INPUT - protocol: "{{ item.proto }}" - jump: ACCEPT - ip_version: "{{ item.ip }}" - with_items: - - { ip: ipv4, proto: icmp } - - { ip: ipv6, proto: ipv6-icmp } - notify: persist iptables - when: not nft | bool - -- name: Allow related and established connections - ansible.builtin.iptables: - chain: INPUT - ctstate: ESTABLISHED,RELATED - jump: ACCEPT - ip_version: "{{ item }}" - with_items: - - ipv4 - - ipv6 - notify: persist iptables - when: not nft | bool - -- name: Allow local connections - ansible.builtin.iptables: - chain: INPUT - source: "{{ item.cidr }}" - jump: ACCEPT - ip_version: "{{ item.v }}" - with_items: "{{ trusted_ranges }}" - notify: persist iptables - when: not nft | bool - -- name: Deny inbound connections - ansible.builtin.iptables: - chain: INPUT - policy: DROP - ip_version: "{{ item }}" - with_items: - - ipv4 - - ipv6 - notify: persist iptables - when: not nft | bool diff --git a/roles/common/tasks/network.yaml b/roles/common/tasks/network.yaml index 9d5e471..7e2a75b 100644 --- a/roles/common/tasks/network.yaml +++ b/roles/common/tasks/network.yaml @@ -13,7 +13,6 @@ with_items: - { k: net.ipv4.ip_forward, v: "1" } - { k: net.ipv6.conf.all.forwarding, v: "1" } - notify: reboot when: network_br - name: Make network interfaces really predictable 
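Review bot: Removing the five iptables tasks leaves hosts that still set `nft: false` (git-ci, music and raspi after patch 21) with no inbound policy managed by this role — those tasks were gated on `when: not nft | bool` exactly for them — while the `Persist iptables` handler and the `persist iptables` notifies in other roles stay behind. The etherpad hunk that drops `Allow HTTP and HTTPS` has the same effect for the pad host if it ever opts out. Either keep the tasks until the last opt-out is migrated, or state in the commit message that `nft: false` now means 'firewall not managed by this role'.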
@@ -22,8 +21,7 @@ regexp: ^GRUB_CMDLINE_LINUX line: 'GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0" # Managed by Ansible' notify: - - update grub - - reboot + - Update grub when: network_br or network_dhcp or network_static - name: Configure network interfaces @@ -33,7 +31,6 @@ owner: root group: root mode: 0644 - notify: reboot when: network_br or network_dhcp or network_static - ansible.builtin.meta: flush_handlers diff --git a/roles/common/tasks/vm.yaml b/roles/common/tasks/vm.yaml index 505c03f..e1921ec 100644 --- a/roles/common/tasks/vm.yaml +++ b/roles/common/tasks/vm.yaml @@ -12,7 +12,6 @@ regexp: ^GRUB_CMDLINE_LINUX_DEFAULT line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet console=ttyS0,115200n1 console=tty0"' notify: - - update grub - - reboot + - Update grub tags: - questagent diff --git a/roles/common/templates/authorized_keys.j2 b/roles/common/templates/authorized_keys.j2 index 182dc36..9df7ff6 100644 --- a/roles/common/templates/authorized_keys.j2 +++ b/roles/common/templates/authorized_keys.j2 @@ -2,5 +2,5 @@ {% for name in root_access %} # {{ name }} -{{ lookup('file', 'authorized_keys/'+name+'.keys') }} +{{ lookup('file', 'authorized_keys/' + name + '.keys') }} {% endfor %} diff --git a/roles/common/templates/sources.list.j2 b/roles/common/templates/sources.list.j2 index 9aac632..3945e1d 100644 --- a/roles/common/templates/sources.list.j2 +++ b/roles/common/templates/sources.list.j2 @@ -1,9 +1,9 @@ # {{ ansible_managed }} -{% if debian_source_repos|default(false) %} -{% set SRC = "" %} +{% if debian_source_repos | default(false) %} +{% set SRC = "" %} {% else %} -{% set SRC = "# " %} +{% set SRC = "# " %} {% endif %} {% set components = "main contrib non-free-firmware" %} diff --git a/roles/etherpad/tasks/main.yaml b/roles/etherpad/tasks/main.yaml index 2adf731..0f4beb5 100644 --- a/roles/etherpad/tasks/main.yaml +++ b/roles/etherpad/tasks/main.yaml 
@@ -15,7 +15,7 @@ -o /usr/share/keyrings/nodesource.gpg args: creates: /usr/share/keyrings/nodesource.gpg - notify: apt update + notify: Apt update - name: Install nodesource source list ansible.builtin.template: @@ -24,7 +24,7 @@ owner: root group: root mode: 0644 - notify: apt update + notify: Apt update - name: Install nodejs apt preference ansible.builtin.template: @@ -33,7 +33,7 @@ owner: root group: root mode: 0644 - notify: apt update + notify: Apt update - ansible.builtin.meta: flush_handlers @@ -88,7 +88,7 @@ version: master dest: /opt/etherpad accept_hostkey: yes - notify: restart etherpad + notify: Restart etherpad - name: Install etherpad config ansible.builtin.template: @@ -97,7 +97,7 @@ owner: root group: root mode: 0644 - notify: restart etherpad + notify: Restart etherpad - name: Install etherpad service ansible.builtin.template: @@ -106,14 +106,14 @@ owner: root group: root mode: 0644 - notify: restart etherpad + notify: Restart etherpad - name: Start etherpad ansible.builtin.systemd: daemon_reload: true name: etherpad state: started - enabled: yes + enabled: true - name: Install nginx config ansible.builtin.template: @@ -122,21 +122,5 @@ owner: root group: root mode: 0644 - notify: reload nginx + notify: Reload nginx -- name: Allow HTTP and HTTPS - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: "{{ item.port }}" - ctstate: NEW - jump: ACCEPT - ip_version: "{{ item.ip }}" - action: insert - with_items: - - { ip: ipv4, port: 80 } - - { ip: ipv4, port: 443 } - - { ip: ipv6, port: 80 } - - { ip: ipv6, port: 443 } - notify: persist iptables - when: not nft | bool diff --git a/roles/etherpad/tasks/requirements.yml b/roles/etherpad/tasks/requirements.yml index 060cde3..0b8dbb8 100644 --- a/roles/etherpad/tasks/requirements.yml +++ b/roles/etherpad/tasks/requirements.yml @@ -1,3 +1,5 @@ +--- + collections: - name: community.postgresql version: 2.3.2 
diff --git a/roles/git-ci/tasks/main.yaml b/roles/git-ci/tasks/main.yaml
index a01a11a..d677a61 100644
--- a/roles/git-ci/tasks/main.yaml
+++ b/roles/git-ci/tasks/main.yaml
@@ -1,50 +1,50 @@ --- -- tags: forgejo_runner - block: - - name: Install dependencies - ansible.builtin.apt: - name: docker.io - - name: Download forgejo-runner - ansible.builtin.get_url: - url: "https://code.forgejo.org/forgejo/runner/releases/download/v{{ runner_version }}/forgejo-runner-{{ runner_version }}-linux-amd64" - dest: /usr/local/bin/forgejo-runner - mode: 0755 - notify: restart forgejo-runner +- name: Install dependencies + ansible.builtin.apt: + name: docker.io - - name: Create runner dir - ansible.builtin.file: - state: directory - path: "{{ runner_wd }}" - owner: root - group: root - mode: 0755 +- name: Download forgejo-runner + ansible.builtin.get_url: + url: "https://code.forgejo.org/forgejo/runner/releases/download/v{{ runner_version }}/forgejo-runner-{{ runner_version }}-linux-amd64" + dest: /usr/local/bin/forgejo-runner + mode: 0755 + notify: restart forgejo-runner - - name: Register runner - ansible.builtin.command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ lookup('passwordstore', 'git/ci subkey=runner_token') }}" - args: - chdir: "{{ runner_wd }}" - creates: "{{ runner_wd }}/.runner" +- name: Create runner dir + ansible.builtin.file: + state: directory + path: "{{ runner_wd }}" + owner: root + group: root + mode: 0755 - - name: Install service file - ansible.builtin.template: - src: forgejo-runner.service - dest: /etc/systemd/system/forgejo-runner.service - owner: root - group: root - mode: 0644 - notify: restart forgejo-runner +- name: Register runner + ansible.builtin.command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ lookup('passwordstore', 'git/ci subkey=runner_token') }}" + args: + chdir: "{{ runner_wd }}" + creates: "{{ runner_wd }}/.runner" - - name: Enable service - ansible.builtin.systemd: - name: forgejo-runner - enabled: yes - daemon_reload: true +- name: Install service file + ansible.builtin.template: + src: forgejo-runner.service + dest: 
/etc/systemd/system/forgejo-runner.service + owner: root + group: root + mode: 0644 + notify: restart forgejo-runner - - name: Start service - ansible.builtin.systemd: - name: forgejo-runner - state: started - daemon_reload: true +- name: Enable service + ansible.builtin.systemd: + name: forgejo-runner + enabled: true + daemon_reload: true - - ansible.builtin.meta: flush_handlers +- name: Start service + ansible.builtin.systemd: + name: forgejo-runner + state: started + daemon_reload: true + +- name: Flush handlers + ansible.builtin.meta: flush_handlers diff --git a/roles/git-server/tasks/main.yaml b/roles/git-server/tasks/main.yaml index 112033e..5104ef5 100644 --- a/roles/git-server/tasks/main.yaml +++ b/roles/git-server/tasks/main.yaml @@ -14,14 +14,14 @@ owner: root group: root mode: 0644 - notify: reload nginx + notify: Reload nginx - name: Enable nginx site ansible.builtin.file: src: /etc/nginx/sites-available/forgejo dest: /etc/nginx/sites-enabled/forgejo state: link - notify: reload nginx + notify: Reload nginx - name: Create user ansible.builtin.user: @@ -38,7 +38,6 @@ group: "{{ git_server_user }}" mode: 0755 - # TODO: Install initial config - name: Install service file @@ -48,7 +47,7 @@ owner: root group: root mode: 0644 - notify: reload forgejo + notify: Reload forgejo - name: Install update script ansible.builtin.template: @@ -62,12 +61,12 @@ ansible.builtin.command: "{{ git_server_working_dir }}/update.sh" args: creates: "{{ git_server_working_dir }}/forgejo" - notify: reload forgejo + notify: Reload forgejo - name: Enable service ansible.builtin.systemd: name: forgejo - enabled: yes + enabled: true daemon_reload: true - name: Start service 
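Review bot: The `tags: forgejo_runner` that wrapped the old block is gone from every task on the new side, so `--tags forgejo_runner` no longer selects this role's tasks; the music, services and www files in this same patch kept their tags by moving them onto each task, and a per-task `tags: [forgejo_runner]` here would do the same. `Register runner` passes the passwordstore token on the command line, so it is echoed in the play output whenever the task changes or fails; `no_log: true` on that task keeps it out of the log (it remains in the process arguments on the host, as before). `notify: restart forgejo-runner` stays lowercase while the rest of the series switches handlers to `Restart …`; the git-ci handlers file is not in this view, so confirm it still defines the lowercase name or rename both sides together.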
@@ -81,24 +80,6 @@ src: cronjob dest: /etc/cron.d/forgejo -- name: Allow Git SSH, HTTP and HTTPS - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: "{{ item.port }}" - ctstate: NEW - jump: ACCEPT - ip_version: "{{ item.ip }}" - action: insert - with_items: - - { ip: ipv4, port: 80 } - - { ip: ipv4, port: 22 } - - { ip: ipv4, port: 443 } - - { ip: ipv6, port: 80 } - - { ip: ipv6, port: 22 } - - { ip: ipv6, port: 443 } - notify: persist iptables - when: not nft | bool - -- ansible.builtin.debug: - msg: If Forgejo has not been setup yet, please do so manually. +- name: Debug + ansible.builtin.debug: + msg: "If Forgejo has not been setup yet, please do so manually." diff --git a/roles/go/tasks/main.yaml b/roles/go/tasks/main.yaml index b787d21..ab16901 100644 --- a/roles/go/tasks/main.yaml +++ b/roles/go/tasks/main.yaml @@ -19,11 +19,11 @@ register: go_latest_version_shell - name: Format Go latest version variable - set_fact: + ansible.builtin.set_fact: go_latest_version: "{{ go_latest_version_shell.stdout }}" - name: Detect installed Go version - shell: "go version | grep --color=never -Po '\\d\\.\\d+(\\.\\d+)?' || echo none" + ansible.builtin.shell: "go version | grep --color=never -Po '\\d\\.\\d+(\\.\\d+)?' || echo none" register: go_installed_version_shell changed_when: false @@ -31,19 +31,20 @@ set_fact: go_installed_version: "{{ go_installed_version_shell.stdout }}" - - debug: + - name: Debug + ansible.builtin.debug: msg: - "Latest Go version: {{ go_latest_version}}" - "Installed Go version: {{ go_installed_version }}" - name: Remove installed go - file: + ansible.builtin.file: state: absent path: /usr/local/go when: go_installed_version != go_latest_version - name: Install Go - unarchive: + ansible.builtin.unarchive: src: https://go.dev/dl/go{{ go_latest_version }}.linux-{{ go_arch }}.tar.gz dest: /usr/local remote_src: yes 
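Review bot: The context line `set_fact:` at the top of the second go hunk keeps the short module name while the sibling `Format Go latest version variable` task in the first hunk is changed to `ansible.builtin.set_fact`, so the file still mixes both forms after the FQCN pass; `ansible.builtin.set_fact:` on that line finishes it. Likewise `remote_src: yes` at the end of the hunk stays a YAML 1.1 truthy where the rest of the patch rewrites `yes` to `true`. The task owning that `set_fact` starts above the hunk, so its `- name:` line is not visible here.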
@@ -52,7 +53,7 @@ when: go_installed_version != go_latest_version - name: Configure Go environment - template: + ansible.builtin.template: src: go.profile dest: /etc/profile.d/go.sh owner: root @@ -60,7 +61,7 @@ mode: 0644 - name: Link go binary - file: + ansible.builtin.file: state: link src: /usr/local/go/bin/go dest: /usr/local/bin/go diff --git a/roles/monitoring/tasks/main.yaml b/roles/monitoring/tasks/main.yaml index f43992a..2017d5b 100644 --- a/roles/monitoring/tasks/main.yaml +++ b/roles/monitoring/tasks/main.yaml @@ -7,35 +7,20 @@ owner: root group: root mode: 0644 - notify: reload nginx + notify: Reload nginx - name: Enable nginx site ansible.builtin.file: src: /etc/nginx/sites-available/monitoring dest: /etc/nginx/sites-enabled/monitoring state: link - notify: reload nginx + notify: Reload nginx - name: Start nginx ansible.builtin.systemd: name: nginx state: started - enabled: yes - -- name: Allow HTTP/HTTPS - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: "{{ item.port }}" - ctstate: NEW - jump: ACCEPT - ip_version: "{{ item.ip }}" - action: insert - with_items: - - { ip: ipv6, port: 80 } - - { ip: ipv6, port: 443 } - notify: persist iptables - when: not nft | bool + enabled: true - name: mqtt_exporter tags: mqtt_exporter diff --git a/roles/monitoring/templates/grafana.ini b/roles/monitoring/templates/grafana.ini index be8c995..a954c62 100644 --- a/roles/monitoring/templates/grafana.ini +++ b/roles/monitoring/templates/grafana.ini @@ -69,6 +69,9 @@ level = info [grafana_com] url = https://grafana.com +[auth] +oauth_allow_insecure_email_lookup=true + [auth.anonymous] enabled = true org_name = Bitlair diff --git a/roles/mqtt/tasks/main.yaml b/roles/mqtt/tasks/main.yaml index 89f9064..498f49c 100644 --- a/roles/mqtt/tasks/main.yaml +++ b/roles/mqtt/tasks/main.yaml @@ -29,4 +29,4 @@ ansible.builtin.systemd: name: mosquitto state: started - enabled: yes + enabled: true 
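Review bot: `oauth_allow_insecure_email_lookup=true` in the new `[auth]` section makes Grafana match an OAuth login to an existing user by e-mail address rather than by the provider's stable user id, which is only safe when the identity provider guarantees that addresses are verified and cannot be reassigned; the option's own name says as much, and nothing in the hunk records why it is needed. Add an ini comment above it naming the provider and the reason, e.g. `# <IdP> exposes no stable id; addresses there are verified`, so the next reader can judge whether the condition still holds. The surrounding keys in this file are written `key = value` (`level = info`, `enabled = true`); `oauth_allow_insecure_email_lookup = true` would match that style.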
diff --git a/roles/music/handlers/main.yaml b/roles/music/handlers/main.yaml index 5ef0e4f..2d77dbb 100644 --- a/roles/music/handlers/main.yaml +++ b/roles/music/handlers/main.yaml @@ -2,37 +2,37 @@ - ansible.builtin.import_tasks: file: ../../common/handlers/main.yaml -- name: restart trollibox +- name: Restart trollibox ansible.builtin.systemd: name: trollibox state: restarted daemon_reload: true -- name: rebuild librespot +- name: Rebuild librespot ansible.builtin.command: cmd: /root/.cargo/bin/cargo build --release --features jackaudio-backend args: chdir: /opt/librespot -- name: restart librespot +- name: Restart librespot ansible.builtin.systemd: name: librespot state: restarted daemon_reload: true -- name: restart soundboard +- name: Restart soundboard ansible.builtin.systemd: name: soundboard state: restarted daemon_reload: true -- name: restart mpd-volume-to-mqtt +- name: Restart mpd-volume-to-mqtt ansible.builtin.systemd: name: mpd-volume-to-mqtt state: restarted daemon_reload: true -- name: restart skipbutton +- name: Restart skipbutton ansible.builtin.systemd: name: skipbutton state: restarted diff --git a/roles/music/tasks/librespot.yaml b/roles/music/tasks/librespot.yaml index 9bf3154..2a8d19b 100644 --- a/roles/music/tasks/librespot.yaml +++ b/roles/music/tasks/librespot.yaml @@ -11,8 +11,8 @@ dest: /opt/librespot accept_hostkey: yes notify: - - rebuild librespot - - restart librespot + - Rebuild librespot + - Restart librespot - name: Install service file ansible.builtin.template: @@ -21,7 +21,7 @@ owner: root group: root mode: 0644 - notify: restart librespot + notify: Restart librespot - name: Enable Librespot ansible.builtin.systemd: diff --git a/roles/music/tasks/main.yaml b/roles/music/tasks/main.yaml index cad6eb9..e8a751c 100644 --- a/roles/music/tasks/main.yaml +++ b/roles/music/tasks/main.yaml 
@@ -1,28 +1,34 @@ --- -- tags: music_mpd + +- name: Import mpd ansible.builtin.import_tasks: file: mpd.yaml + tags: + - music_mpd -- tags: music_trollibox +- name: Import trollibox ansible.builtin.import_tasks: file: trollibox.yaml + tags: + - music_trollibox -- tags: music_librespot +- name: Librespot ansible.builtin.import_tasks: file: librespot.yaml + tags: + - music_librespot -- tags: music_soundboard +- name: Soundboard ansible.builtin.import_tasks: file: soundboard.yaml + tags: + - music_soundboard -- tags: music - block: - - - name: Install nginx config - ansible.builtin.template: - src: nginx-site.conf - dest: /etc/nginx/sites-enabled/trollibox - owner: root - group: root - mode: 0644 - notify: reload nginx +- name: Install nginx config + ansible.builtin.template: + src: nginx-site.conf + dest: /etc/nginx/sites-enabled/trollibox + owner: root + group: root + mode: 0644 + notify: Reload nginx diff --git a/roles/music/tasks/mpd.yaml b/roles/music/tasks/mpd.yaml index d372d12..eb88133 100644 --- a/roles/music/tasks/mpd.yaml +++ b/roles/music/tasks/mpd.yaml @@ -1,4 +1,5 @@ --- + - name: Install MPD ansible.builtin.apt: name: @@ -15,7 +16,7 @@ owner: root group: root mode: 0644 - notify: restart mpd-volume-to-mqtt + notify: Restart mpd-volume-to-mqtt - name: Install mpd-volume-to-mqtt service ansible.builtin.template: @@ -24,7 +25,7 @@ owner: root group: root mode: 0644 - notify: restart mpd-volume-to-mqtt + notify: Restart mpd-volume-to-mqtt - name: Enable mpd-volume-to-mqtt ansible.builtin.systemd: @@ -39,7 +40,7 @@ version: master dest: /opt/skipbutton accept_hostkey: yes - notify: restart skipbutton + notify: Restart skipbutton - name: Install skipbutton service ansible.builtin.template: @@ -48,7 +49,7 @@ owner: root group: root mode: 0644 - notify: restart skipbutton + notify: Restart skipbutton - name: Enable skipbutton ansible.builtin.systemd: diff --git a/roles/music/tasks/soundboard.yaml b/roles/music/tasks/soundboard.yaml index 6068976..a0ea558 100644 
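Review bot: The new task names are uneven: `Import mpd` and `Import trollibox` carry the verb while `Librespot` and `Soundboard` drop it; `Import librespot` and `Import soundboard` keep the four imports in one form. The `Install nginx config` task also loses the `music` tag it inherited from the old `tags: music` block, so `--tags music` no longer reaches it while the four imports keep their per-file tags; a `tags: [music]` on that task restores the old selection. The mpd.yaml hunks on this line only rename handler notifies and add a blank line after the document start.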
--- a/roles/music/tasks/soundboard.yaml +++ b/roles/music/tasks/soundboard.yaml @@ -10,7 +10,7 @@ version: main dest: /opt/soundboard accept_hostkey: yes - notify: restart soundboard + notify: Restart soundboard - name: Create virtualenv ansible.builtin.command: @@ -31,7 +31,7 @@ owner: root group: root mode: 0644 - notify: restart soundboard + notify: Restart soundboard - name: Install soundboard service file ansible.builtin.template: @@ -40,7 +40,7 @@ owner: root group: root mode: 0644 - notify: restart soundboard + notify: Restart soundboard - name: Enable soundboard ansible.builtin.systemd: diff --git a/roles/music/tasks/trollibox.yaml b/roles/music/tasks/trollibox.yaml index 29c544a..0b20b4a 100644 --- a/roles/music/tasks/trollibox.yaml +++ b/roles/music/tasks/trollibox.yaml @@ -5,8 +5,8 @@ dest: /etc/trollibox.yaml owner: root group: root - mode: 0644 - notify: restart trollibox + mode: "0644" + notify: Restart trollibox - name: Get latest Trollibox version from Github API ansible.builtin.get_url: @@ -25,8 +25,8 @@ remote_src: yes dest: /usr/local/bin include: [ trollibox ] - mode: 0755 - notify: restart trollibox + mode: "0755" + notify: Restart trollibox - name: Install service file ansible.builtin.template: @@ -34,8 +34,8 @@ dest: /etc/systemd/system/trollibox.service owner: root group: root - mode: 0644 - notify: restart trollibox + mode: "0644" + notify: Restart trollibox - name: Enable Trollibox ansible.builtin.systemd: diff --git a/roles/nft/templates/nftables.conf.j2 b/roles/nft/templates/nftables.conf.j2 index ce52b65..583639b 100644 --- a/roles/nft/templates/nftables.conf.j2 +++ b/roles/nft/templates/nftables.conf.j2 
@@ -73,15 +73,15 @@ set trusted6 { } accept # Open ssh only for trusted machines - ip saddr @trusted4 tcp dport { {{ trusted_ports|join(', ') }} } accept - ip6 saddr @trusted6 tcp dport { {{ trusted_ports|join(', ') }} } accept + ip saddr @trusted4 tcp dport { {{ trusted_ports | join(', ') }} } accept + ip6 saddr @trusted6 tcp dport { {{ trusted_ports | join(', ') }} } accept # Rules based on group-vars {% for custom in nft_group_rules %} {% if custom.comment is defined %} - # {{ custom.comment|default('') }} + # {{ custom.comment | default('') }} {% endif %} - {{ custom.version|default('ip') }} saddr { {{ custom.from | join(', ') }} } {{ custom.proto | default('tcp') }} dport { {{ custom.port }} } {{ custom.policy | default('accept') }} + {{ custom.version | default('ip') }} saddr { {{ custom.from | join(', ') }} } {{ custom.proto | default('tcp') }} dport { {{ custom.port }} } {{ custom.policy | default('accept') }} {% endfor %} diff --git a/roles/nginx/defaults/main.yaml b/roles/nginx/defaults/main.yaml index b6fd46e..55f38e5 100644 --- a/roles/nginx/defaults/main.yaml +++ b/roles/nginx/defaults/main.yaml @@ -4,7 +4,6 @@ nginx_package: "nginx-light" nginx_user: "www-data" nginx_modules_dir: "/etc/nginx/modules-enabled" - nginx_tls_version: "TLSv1.2 TLSv1.3" nginx_tls_cipherlist: "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:!SHA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS" nginx_tls_curve: "prime256v1:secp384r1" @@ -14,4 +13,3 @@ nginx_ssl_stapling: "on" nginx_ssl_stapling_verify: "on" nginx_wk_acme: "/var/lib/dehydrated/acme-challenges" nginx_client_max_body_size: "32m" - diff --git a/roles/nginx/templates/site.conf.j2 b/roles/nginx/templates/site.conf.j2 index 6a4dfb7..d48f46f 100644 --- a/roles/nginx/templates/site.conf.j2 +++ b/roles/nginx/templates/site.conf.j2 
@@ -4,7 +4,7 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name {{ site.server_name|default(inventory_hostname) }}{% if site.server_alias is defined %} {{ site.server_alias }}{% endif %}; + server_name {{ site.server_name | default(inventory_hostname) }}{% if site.server_alias is defined %} {{ site.server_alias }}{% endif %}; include /etc/nginx/tls_params; ssl_certificate /var/lib/dehydrated/certs/{{ site.server_name }}/fullchain.pem; @@ -28,7 +28,7 @@ server { # Include snippets {% for file in site.snippets | default([]) %} -{% include "snippets/" ~ file %} +{% include "snippets/" ~ file %} {% endfor %} # Per site configuration diff --git a/roles/photos/tasks/bambulab-fetch.yaml b/roles/photos/tasks/bambulab-fetch.yaml index ef2d351..b050af9 100644 --- a/roles/photos/tasks/bambulab-fetch.yaml +++ b/roles/photos/tasks/bambulab-fetch.yaml @@ -33,5 +33,5 @@ ansible.builtin.systemd: name: bambulab-fetch state: started - enabled: yes + enabled: true daemon_reload: true diff --git a/roles/photos/tasks/photo-gallery.yaml b/roles/photos/tasks/photo-gallery.yaml index 6551040..5a6cfff 100644 --- a/roles/photos/tasks/photo-gallery.yaml +++ b/roles/photos/tasks/photo-gallery.yaml @@ -33,5 +33,5 @@ ansible.builtin.systemd: name: photo-gallery state: started - enabled: yes + enabled: true daemon_reload: true diff --git a/roles/photos/tasks/photos2mqtt.yaml b/roles/photos/tasks/photos2mqtt.yaml index 9f14cff..755a4ec 100644 --- a/roles/photos/tasks/photos2mqtt.yaml +++ b/roles/photos/tasks/photos2mqtt.yaml @@ -31,5 +31,5 @@ ansible.builtin.systemd: name: photos2mqtt state: started - enabled: yes + enabled: true daemon_reload: true diff --git a/roles/raspi/tasks/main.yaml b/roles/raspi/tasks/main.yaml index a787e5c..1420e09 100644 --- a/roles/raspi/tasks/main.yaml +++ b/roles/raspi/tasks/main.yaml @@ -15,7 +15,7 @@ - name: Enable sshd ansible.builtin.systemd: name: sshd - enabled: yes + enabled: true state: started - name: Rotate display 
@@ -24,7 +24,6 @@ line: "display_rotate={{ raspi_rotate_display }} # Managed by Ansible" regexp: "^#?display_rotate" when: raspi_rotate_display is defined - notify: reboot - name: Disable swap block: @@ -45,4 +44,3 @@ path: /etc/dhcpcd.conf line: "slaac hwaddr # Managed by Ansible" regexp: "^#?slaac" - notify: reboot diff --git a/roles/services/tasks/discord_bot.yaml b/roles/services/tasks/discord_bot.yaml index 16c20d6..186b8f8 100644 --- a/roles/services/tasks/discord_bot.yaml +++ b/roles/services/tasks/discord_bot.yaml @@ -1,4 +1,5 @@ --- + - name: Install dependencies ansible.builtin.apt: name: @@ -32,12 +33,12 @@ dest: /etc/systemd/system/discord-bot.service owner: root group: root - mode: 0644 + mode: "0644" notify: restart discord-bot - name: Start discord-bot ansible.builtin.systemd: name: discord-bot state: started - enabled: yes + enabled: true daemon_reload: true diff --git a/roles/services/tasks/ircbot.yaml b/roles/services/tasks/ircbot.yaml index 6d9462a..e1e4649 100644 --- a/roles/services/tasks/ircbot.yaml +++ b/roles/services/tasks/ircbot.yaml @@ -29,7 +29,7 @@ ansible.builtin.systemd: name: irc-bot state: started - enabled: yes + enabled: true daemon_reload: true - name: Create helpers dir @@ -63,7 +63,7 @@ ansible.builtin.systemd: name: irc-photos state: started - enabled: yes + enabled: true daemon_reload: true - name: Install doorduino notification @@ -92,5 +92,5 @@ ansible.builtin.systemd: name: irc-doorduino state: started - enabled: yes + enabled: true daemon_reload: true diff --git a/roles/services/tasks/main.yaml b/roles/services/tasks/main.yaml index 5f17300..e082c5f 100644 --- a/roles/services/tasks/main.yaml +++ b/roles/services/tasks/main.yaml 
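Review bot: `notify: restart discord-bot` in the discord_bot.yaml hunk stays lowercase while the sibling services tasks on the following lines (mastodon_spacestate, power_mqtt, siahsd, spacestated, wifi_mqtt) are switched to `Restart …`; if roles/services/handlers/main.yaml was capitalised in this patch the way the music and www handlers were (it is not in this view), this notify no longer resolves and Ansible aborts the play with an unknown-handler error. Either rename it to `notify: Restart discord-bot` alongside the others or confirm the handler kept the lowercase name. The `mode: "0644"` quoting in the same hunk is the right fix for the YAML 1.1 octal trap.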
@@ -1,22 +1,43 @@ --- -- tags: services_ircbot + +- name: Import ircbot ansible.builtin.import_tasks: file: ircbot.yaml + tags: + - services_ircbot -- tags: services_discord_bot - ansible.builtin.import_tasks: discord_bot.yaml +- name: Import services_discord_bot + ansible.builtin.import_tasks: + file: discord_bot.yaml + tags: + - services_discord_bot -- tags: services_siahsd - import_tasks: siahsd.yaml +- name: Import siahsd + ansible.builtin.import_tasks: + file: siahsd.yaml + tags: + - services_siahsd -- tags: services_spacestated - import_tasks: spacestated.yaml +- name: Import spacestated + ansible.builtin.import_tasks: + file: spacestated.yaml + tags: + - services_spacestated -- tags: services_mastodon_spacestate - import_tasks: mastodon_spacestate.yaml +- name: Import mastodon_spacestate.yaml + ansible.builtin.import_tasks: + file: mastodon_spacestate.yaml + tags: + - services_mastodon_spacestate -- tags: services_wifi_mqtt - import_tasks: wifi_mqtt.yaml +- name: import wifi_mqtt + ansible.builtin.import_tasks: + file: wifi_mqtt.yaml + tags: + - services_wifi_mqtt -- tags: services_power_mqtt - import_tasks: power_mqtt.yaml +- name: Import power_mqt + ansible.builtin.import_tasks: + file: power_mqtt.yaml + tags: + - services_power_mqtt diff --git a/roles/services/tasks/mastodon_spacestate.yaml b/roles/services/tasks/mastodon_spacestate.yaml index 47886de..97786f9 100644 --- a/roles/services/tasks/mastodon_spacestate.yaml +++ b/roles/services/tasks/mastodon_spacestate.yaml @@ -11,7 +11,7 @@ version: main dest: /var/lib/mastodon-spacestate accept_hostkey: yes - notify: restart mastodon-spacestate + notify: Restart mastodon-spacestate - name: Install config ansible.builtin.template: @@ -20,7 +20,7 @@ owner: root group: root mode: 0655 - notify: restart mastodon-spacestate + notify: Restart mastodon-spacestate - name: Install service file ansible.builtin.template: 
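Review bot: The new task names do not follow one pattern: `Import services_discord_bot` repeats the tag rather than the file, `Import mastodon_spacestate.yaml` includes the extension, `import wifi_mqtt` is lowercase, and `Import power_mqt` drops the final `t`. A uniform `Import <file stem>` — `Import discord_bot`, `Import mastodon_spacestate`, `Import wifi_mqtt`, `Import power_mqtt` — matches the first entry in this file and the www and music task files in the same patch. The `mode: 0655` context line in the mastodon_spacestate hunk on this line is pre-existing but is an odd permission for a config file and is still unquoted where the rest of the series quotes modes.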
@@ -29,11 +29,11 @@ owner: root group: root mode: 0644 - notify: restart mastodon-spacestate + notify: Restart mastodon-spacestate - name: Start mastodon-spacestate ansible.builtin.systemd: name: mastodon-spacestate state: started - enabled: yes + enabled: true daemon_reload: true diff --git a/roles/services/tasks/power_mqtt.yaml b/roles/services/tasks/power_mqtt.yaml index 3cc3e0f..406a274 100644 --- a/roles/services/tasks/power_mqtt.yaml +++ b/roles/services/tasks/power_mqtt.yaml @@ -10,7 +10,7 @@ owner: root group: root mode: 0755 - notify: restart power-mqtt + notify: Restart power-mqtt - name: Remove old service ansible.builtin.file: @@ -27,13 +27,13 @@ vars: description: "SMD630 to MQTT Probe" exec: "/var/lib/power-mqtt.py %i" - notify: restart power-mqtt@ + notify: Restart power-mqtt@ - name: Enable power-mqtt ansible.builtin.systemd: name: "power-mqtt@{{ item.net }}/{{ item.ip }}" state: started - enabled: yes + enabled: true daemon_reload: true with_items: - net: space diff --git a/roles/services/tasks/siahsd.yaml b/roles/services/tasks/siahsd.yaml index ba88c8c..c7c3b0b 100644 --- a/roles/services/tasks/siahsd.yaml +++ b/roles/services/tasks/siahsd.yaml @@ -7,6 +7,7 @@ state: directory owner: siahsd group: nogroup + mode: "0750" with_items: - /var/log/siahsd - /var/lib/siahsd @@ -17,8 +18,8 @@ dest: /etc/siahsd.conf owner: root group: root - mode: 0644 - notify: restart siahsd + mode: "0644" + notify: Restart siahsd - name: Install service file ansible.builtin.template: 
@@ -26,24 +27,13 @@ dest: /etc/systemd/system/siahsd.service owner: root group: root - mode: 0644 - notify: restart siahsd + mode: "0644" + notify: Restart siahsd - name: Start siahsd ansible.builtin.systemd: name: siahsd state: started - enabled: yes + enabled: true daemon_reload: true -- name: Allow siahsd traffic - ansible.builtin.iptables: - chain: INPUT - protocol: udp - destination_port: "4000" - jump: ACCEPT - ip_version: "{{ item }}" - action: insert - with_items: [ ipv4, ipv6 ] - notify: persist iptables - when: not nft | bool diff --git a/roles/services/tasks/spacestated.yaml b/roles/services/tasks/spacestated.yaml index 7c00bfd..54382f8 100644 --- a/roles/services/tasks/spacestated.yaml +++ b/roles/services/tasks/spacestated.yaml @@ -24,7 +24,7 @@ version: main dest: /var/lib/spacestated/spacestated accept_hostkey: yes - notify: restart spacestated + notify: Restart spacestated - name: Install service file ansible.builtin.template: @@ -33,11 +33,11 @@ owner: root group: root mode: 0644 - notify: restart spacestated + notify: Restart spacestated - name: Start spacestated ansible.builtin.systemd: name: spacestated state: started - enabled: yes + enabled: true daemon_reload: true diff --git a/roles/services/tasks/wifi_mqtt.yaml b/roles/services/tasks/wifi_mqtt.yaml index 4c76f05..688aeea 100644 --- a/roles/services/tasks/wifi_mqtt.yaml +++ b/roles/services/tasks/wifi_mqtt.yaml 
@@ -7,25 +7,25 @@ - make - name: Clone source - git: + ansible.builtin.git: repo: https://github.com/bitlair/wifi-mqtt.git version: main dest: /var/lib/wifi-mqtt accept_hostkey: yes - notify: restart wifi-mqtt + notify: Restart wifi-mqtt - name: Install service file - template: + ansible.builtin.template: src: wifi-mqtt.service dest: /etc/systemd/system/wifi-mqtt.service owner: root group: root - mode: 0644 - notify: restart wifi-mqtt + mode: "0644" + notify: Restart wifi-mqtt - name: Start wifi-mqtt - systemd: + ansible.builtin.systemd: name: wifi-mqtt state: started - enabled: yes + enabled: true daemon_reload: true diff --git a/roles/www/handlers/main.yaml b/roles/www/handlers/main.yaml index d5296b9..dcafe97 100644 --- a/roles/www/handlers/main.yaml +++ b/roles/www/handlers/main.yaml @@ -1,14 +1,15 @@ --- -- ansible.builtin.import_tasks: +- name: Import handlers + ansible.builtin.import_tasks: file: ../../common/handlers/main.yaml -- name: restart spaceapi +- name: Restart spaceapi ansible.builtin.systemd: name: spaceapi state: restarted daemon_reload: true -- name: restart mqtt2web +- name: Restart mqtt2web ansible.builtin.systemd: name: mqtt2web state: restarted diff --git a/roles/www/tasks/main.yaml b/roles/www/tasks/main.yaml index 114218a..382706a 100644 --- a/roles/www/tasks/main.yaml +++ b/roles/www/tasks/main.yaml @@ -1,16 +1,25 @@ --- -- tags: www_calendar + +- name: Import calendar ansible.builtin.import_tasks: file: calendar.yaml + tags: + - www_calendar -- tags: www_mediawiki +- name: Import mediawiki ansible.builtin.import_tasks: file: mediawiki.yaml + tags: + - www_mediawiki -- tags: www_mqtt +- name: Import mqtt ansible.builtin.import_tasks: file: mqtt.yaml + tags: + - www_mqtt -- tags: www_spaceapi +- name: Import spaceapi ansible.builtin.import_tasks: file: spaceapi.yaml + tags: + - www_spaceapi diff --git a/roles/www/tasks/mediawiki.yaml b/roles/www/tasks/mediawiki.yaml index 5113131..2eb69f4 100644 --- a/roles/www/tasks/mediawiki.yaml 
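Review bot: The `Clone source` task still tracks `version: main` of https://github.com/bitlair/wifi-mqtt.git, so every playbook run fetches whatever is at the tip of that branch and, through `notify: Restart wifi-mqtt`, runs it as the service. Anyone who can push to that branch (or a compromised GitHub account) gets code execution on this host at the next run with no review step in between; pin to an immutable ref, e.g. `version: "<commit sha or tag>"`, and bump it deliberately. `accept_hostkey: yes` is a no-op for an https remote and can be dropped, and the neighbouring tasks in this commit write `true` rather than `yes`.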
+++ b/roles/www/tasks/mediawiki.yaml @@ -1,4 +1,5 @@ --- + - name: Install dependencies ansible.builtin.apt: name: php-fpm @@ -12,19 +13,3 @@ group: root mode: 0644 -- name: Allow HTTP/HTTPS - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: "{{ item.port }}" - ctstate: NEW - jump: ACCEPT - ip_version: "{{ item.ip }}" - action: insert - with_items: - - { ip: ipv4, port: 80 } - - { ip: ipv4, port: 443 } - - { ip: ipv6, port: 80 } - - { ip: ipv6, port: 443 } - notify: persist iptables - when: not nft | bool diff --git a/roles/www/tasks/mqtt.yaml b/roles/www/tasks/mqtt.yaml index 94dc0bf..f96fadd 100644 --- a/roles/www/tasks/mqtt.yaml +++ b/roles/www/tasks/mqtt.yaml @@ -1,4 +1,5 @@ --- + - name: Install dependencies ansible.builtin.apt: name: @@ -6,32 +7,17 @@ - liblinux-epoll-perl - mosquitto -- name: Allow MQTT - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: "{{ item.port }}" - ctstate: NEW - jump: ACCEPT - ip_version: "{{ item.ip }}" - action: insert - with_items: - - { ip: ipv4, port: 1883 } - - { ip: ipv6, port: 1883 } - notify: persist iptables - when: not nft | bool - - name: Install mqtt-simple - ansible.builtin.command: - cmd: cpan Net::MQTT::Simple + community.general.cpanm: + name: Net::MQTT::Simple - name: Clone mqtt2web source ansible.builtin.git: repo: https://github.com/bitlair/mqtt2web.git version: master dest: /opt/mqtt2web - accept_hostkey: yes - notify: restart mqtt2web + accept_hostkey: true + notify: Restart mqtt2web - name: Install mqtt2web service file ansible.builtin.template: @@ -41,10 +27,11 @@ group: root mode: 0644 notify: - - daemon reload - - restart mqtt2web + - Daemon reload + - Restart mqtt2web -- ansible.builtin.meta: flush_handlers +- name: Flush handlers + ansible.builtin.meta: flush_handlers - name: Enable mqtt2web ansible.builtin.systemd: diff --git a/roles/www/tasks/spaceapi.yaml b/roles/www/tasks/spaceapi.yaml index a819839..7c8a494 100644 
--- a/roles/www/tasks/spaceapi.yaml +++ b/roles/www/tasks/spaceapi.yaml @@ -4,8 +4,8 @@ repo: https://github.com/bitlair/spaceapi.git version: main dest: /opt/spaceapi - accept_hostkey: yes - notify: restart spaceapi + accept_hostkey: true + notify: Restart spaceapi - name: Install spaceapi service file ansible.builtin.template: @@ -13,8 +13,8 @@ dest: /etc/systemd/system/spaceapi.service owner: root group: root - mode: 0644 - notify: restart spaceapi + mode: "0644" + notify: Restart spaceapi - name: Enable spaceapi ansible.builtin.systemd: From 67087c4f489154b82748269a19107b4f86082ddd Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Wed, 31 Jul 2024 21:18:50 +0200 Subject: [PATCH 30/62] Ignore errors on git task --- roles/common/tasks/main.yaml | 1 + roles/etherpad/handlers/main.yaml | 2 +- roles/services/handlers/main.yaml | 18 +++++++++--------- roles/services/tasks/discord_bot.yaml | 5 +++-- roles/services/tasks/ircbot.yaml | 13 +++++++------ roles/services/tasks/mastodon_spacestate.yaml | 1 + roles/services/tasks/spacestated.yaml | 1 + roles/services/tasks/wifi_mqtt.yaml | 1 + 8 files changed, 24 insertions(+), 18 deletions(-) diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml index fc597aa..865de63 100644 --- a/roles/common/tasks/main.yaml +++ b/roles/common/tasks/main.yaml @@ -76,6 +76,7 @@ - vim - unattended-upgrades - apt-listchanges + - sudo-ldap - name: Configure FZF for Bash ansible.builtin.lineinfile: diff --git a/roles/etherpad/handlers/main.yaml b/roles/etherpad/handlers/main.yaml index 82924a6..7aea6eb 100644 --- a/roles/etherpad/handlers/main.yaml +++ b/roles/etherpad/handlers/main.yaml @@ -2,7 +2,7 @@ - ansible.builtin.import_tasks: file: ../../common/handlers/main.yaml -- name: restart etherpad +- name: Restart etherpad ansible.builtin.systemd: name: etherpad state: restarted diff --git a/roles/services/handlers/main.yaml b/roles/services/handlers/main.yaml index 125fc4d..fb69a73 100644 
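Review bot: Adding `sudo-ldap` to the base package list changes where sudo policy comes from on every host, a privilege-relevant change that is unrelated to the commit subject ("Ignore errors on git task") and easy to miss in review. No `/etc/sudo-ldap.conf` template (LDAP URI, `sudoers_base`, `ssl start_tls`, `tls_cacert`, `tls_reqcert hard`) is added with it, so as far as this diff shows the hosts will use whatever default config the package ships; if that LDAP connection is not TLS-authenticated, anyone on the path can inject sudoers entries. Split this into its own commit with the config template, and annotate the package line, e.g. `- sudo-ldap  # sudoers from LDAP; see sudo-ldap.conf.j2`.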
--- a/roles/services/handlers/main.yaml +++ b/roles/services/handlers/main.yaml @@ -2,55 +2,55 @@ - ansible.builtin.import_tasks: file: ../../common/handlers/main.yaml -- name: restart irc-bot +- name: Restart irc-bot ansible.builtin.systemd: name: irc-bot state: restarted daemon_reload: true -- name: restart irc-photos +- name: Restart irc-photos ansible.builtin.systemd: name: irc-photos state: restarted daemon_reload: true -- name: restart irc-doorduino +- name: Restart irc-doorduino ansible.builtin.systemd: name: irc-doorduino state: restarted daemon_reload: true -- name: restart discord-bot +- name: Restart discord-bot ansible.builtin.systemd: name: discord-bot state: restarted daemon_reload: true -- name: restart siahsd +- name: Restart siahsd ansible.builtin.systemd: name: siahsd state: restarted daemon_reload: true -- name: restart spacestated +- name: Restart spacestated ansible.builtin.systemd: name: spacestated state: restarted daemon_reload: true -- name: restart mastodon-spacestate +- name: Restart mastodon-spacestate ansible.builtin.systemd: name: mastodon-spacestate state: restarted daemon_reload: true -- name: restart wifi-mqtt +- name: Restart wifi-mqtt ansible.builtin.systemd: name: wifi-mqtt state: restarted daemon_reload: true -- name: restart power-mqtt +- name: Restart power-mqtt ansible.builtin.systemd: name: power-mqtt state: restarted diff --git a/roles/services/tasks/discord_bot.yaml b/roles/services/tasks/discord_bot.yaml index 186b8f8..1889db4 100644 --- a/roles/services/tasks/discord_bot.yaml +++ b/roles/services/tasks/discord_bot.yaml @@ -25,7 +25,8 @@ version: main dest: /var/lib/discord-bot accept_hostkey: yes - notify: restart discord-bot + notify: Restart discord-bot + ignore_errors: true - name: Install service file ansible.builtin.template: @@ -34,7 +35,7 @@ owner: root group: root mode: "0644" - notify: restart discord-bot + notify: Restart discord-bot - name: Start discord-bot ansible.builtin.systemd: 
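Review bot: `ignore_errors: true` on the `Clone source` git task swallows every failure (network, auth, a rejected object, a corrupted checkout), and the tasks that follow then install the unit file and start discord-bot from whatever is in /var/lib/discord-bot — possibly stale code or an empty directory — while the play still reports success. The same line is added to the ircbot, mastodon_spacestate, spacestated and wifi_mqtt clone tasks in this commit. If the intent is to tolerate a locally modified checkout, `update: false` leaves an existing clone alone without hiding real errors; otherwise `register` the result and use a narrow `failed_when` on the specific message you expect, so genuine failures still fail the run.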
diff --git a/roles/services/tasks/ircbot.yaml b/roles/services/tasks/ircbot.yaml index e1e4649..e635302 100644 --- a/roles/services/tasks/ircbot.yaml +++ b/roles/services/tasks/ircbot.yaml @@ -5,7 +5,8 @@ version: master dest: /var/lib/irc-bot accept_hostkey: yes - notify: restart irc-bot + ignore_errors: true + notify: Restart irc-bot - name: Link irc-say ansible.builtin.file: @@ -23,7 +24,7 @@ vars: description: Bitlair IRC bot exec: /bin/bash /var/lib/irc-bot/irc-bot - notify: restart irc-bot + notify: Restart irc-bot - name: Start irc-bot ansible.builtin.systemd: @@ -44,7 +45,7 @@ owner: root group: root mode: 0755 - notify: restart irc-photos + notify: Restart irc-photos - name: Install photos notification service ansible.builtin.template: @@ -57,7 +58,7 @@ description: Bitlair IRC photos notification requires: irc-bot.service exec: /bin/bash /var/lib/irc-helpers/photos.sh - notify: restart irc-photos + notify: Restart irc-photos - name: Start irc-photos ansible.builtin.systemd: @@ -73,7 +74,7 @@ owner: root group: root mode: 0755 - notify: restart irc-doorduino + notify: Restart irc-doorduino - name: Install doorduino notification service ansible.builtin.template: @@ -86,7 +87,7 @@ description: Bitlair IRC doorduino notification requires: irc-bot.service exec: /bin/bash /var/lib/irc-helpers/doorduino.sh - notify: restart irc-doorduino + notify: Restart irc-doorduino - name: Start irc-doorduino ansible.builtin.systemd: diff --git a/roles/services/tasks/mastodon_spacestate.yaml b/roles/services/tasks/mastodon_spacestate.yaml index 97786f9..53f979e 100644 --- a/roles/services/tasks/mastodon_spacestate.yaml +++ b/roles/services/tasks/mastodon_spacestate.yaml @@ -12,6 +12,7 @@ dest: /var/lib/mastodon-spacestate accept_hostkey: yes notify: Restart mastodon-spacestate + ignore_errors: true - name: Install config ansible.builtin.template: diff --git a/roles/services/tasks/spacestated.yaml b/roles/services/tasks/spacestated.yaml index 54382f8..3cff5bb 100644 
--- a/roles/services/tasks/spacestated.yaml +++ b/roles/services/tasks/spacestated.yaml @@ -25,6 +25,7 @@ dest: /var/lib/spacestated/spacestated accept_hostkey: yes notify: Restart spacestated + ignore_errors: true - name: Install service file ansible.builtin.template: diff --git a/roles/services/tasks/wifi_mqtt.yaml b/roles/services/tasks/wifi_mqtt.yaml index 688aeea..8bb8353 100644 --- a/roles/services/tasks/wifi_mqtt.yaml +++ b/roles/services/tasks/wifi_mqtt.yaml @@ -13,6 +13,7 @@ dest: /var/lib/wifi-mqtt accept_hostkey: yes notify: Restart wifi-mqtt + ignore_errors: true - name: Install service file ansible.builtin.template: From f407329ecc659cbf1beecf5d62965d4c6ce40aa0 Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Wed, 31 Jul 2024 22:23:28 +0200 Subject: [PATCH 31/62] Add unstable sources.list --- .yamllint.yaml | 17 +++++++++++++++++ roles/common/tasks/main.yaml | 2 ++ roles/common/templates/apt-defaultrelease.j2 | 1 + .../templates/apt-preferences-stable.j2 | 19 +++++++++++++++++++ roles/common/templates/sources.list.j2 | 5 ++++- roles/nginx/templates/site.conf.j2 | 1 + roles/photos/tasks/photos2mqtt.yaml | 4 ++-- roles/services/tasks/power_mqtt.yaml | 3 ++- roles/services/tasks/spacestated.yaml | 4 ++-- roles/www/tasks/mqtt.yaml | 2 +- 10 files changed, 51 insertions(+), 7 deletions(-) create mode 100644 .yamllint.yaml create mode 100644 roles/common/templates/apt-defaultrelease.j2 create mode 100644 roles/common/templates/apt-preferences-stable.j2 diff --git a/.yamllint.yaml b/.yamllint.yaml new file mode 100644 index 0000000..d932357 --- /dev/null +++ b/.yamllint.yaml @@ -0,0 +1,17 @@ +--- + +extends: relaxed + +rules: + # 80 chars should be enough, but don't fail if a line is longer + line-length: + max: 200 + level: warning + empty-lines: + max: 2 + max-start: 1 + max-end: 1 + colons: + max-spaces-after: -1 + commas: + max-spaces-after: -1 diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml index 865de63..29f7744 100644 
--- a/roles/common/tasks/main.yaml +++ b/roles/common/tasks/main.yaml @@ -15,6 +15,8 @@ group: "{{ item.group | default('root') }}" with_items: - { src: "apt.conf.j2", dest: "/etc/apt/apt.conf" } + - { src: "apt-defaultrelease.j2", dest: "/etc/apt/apt.conf.d/09defaultrelease" } + - { src: "apt-preferences-stable.j2", dest: "/etc/apt/preferences.d/stableonly" } - { src: "sources.list.j2", dest: "/etc/apt/sources.list" } - { src: "apt-auto-upgrades.j2", dest: "/etc/apt/apt.conf.d/20auto-upgrades" } - { src: "apt-unattended-upgrades.j2", dest: "/etc/apt/apt.conf.d/50unattended-upgrades" } diff --git a/roles/common/templates/apt-defaultrelease.j2 b/roles/common/templates/apt-defaultrelease.j2 new file mode 100644 index 0000000..1bab7c5 --- /dev/null +++ b/roles/common/templates/apt-defaultrelease.j2 @@ -0,0 +1 @@ +APT::Default-Release "{{ ansible_distribution_release }}"; diff --git a/roles/common/templates/apt-preferences-stable.j2 b/roles/common/templates/apt-preferences-stable.j2 new file mode 100644 index 0000000..8fc3cd0 --- /dev/null +++ b/roles/common/templates/apt-preferences-stable.j2 @@ -0,0 +1,19 @@ +# Prefer packages from our release +# Prevent auto-installation from testing/unstable/sid/whatever + +Package: * +Pin: release n={{ ansible_distribution_release }} +Pin-Priority: 900 + +Package: * +Pin: release n=sid +Pin-Priority: -10 + +Package: * +Pin: release n=testing +Pin-Priority: -10 + +Package: * +Pin: release n=unstable +Pin-Priority: -10 + diff --git a/roles/common/templates/sources.list.j2 b/roles/common/templates/sources.list.j2 index 3945e1d..2722b8f 100644 --- a/roles/common/templates/sources.list.j2 +++ b/roles/common/templates/sources.list.j2 
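Review bot: In apt preferences `n=` matches the Release file's Codename, not the suite name, so `Pin: release n=testing` and `Pin: release n=unstable` match nothing — testing's Codename is its release name (trixie at the time of writing) and unstable's is `sid`. Only the `n=sid` stanza is effective; the other two should read `Pin: release a=testing` and `Pin: release a=unstable` (or use `a=` throughout and drop the duplicate). Without that, testing keeps apt's default priority of 500, which is below the 990 that `APT::Default-Release` gives stable for packages present in both, but a dependency that only exists in testing can still be pulled in automatically once the sources.list change in this commit lands.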
@@ -20,5 +20,8 @@ deb {{ debian_repourl }} {{ ansible_distribution_release }}-backports {{ compone # # Security patches deb {{ debian_securityurl }} {{ ansible_distribution_release }}-security {{ components }} -{{ SRC }}deb-src {{ debian_securityurl }} {{ ansible_distribution_release }}-security main contrib non- free +{{ SRC }}deb-src {{ debian_securityurl }} {{ ansible_distribution_release }}-security {{ components }} +# Testing/Unstable repos +deb {{ debian_repourl }} testing {{ components }} +deb {{ debian_repourl }} sid {{ components }} diff --git a/roles/nginx/templates/site.conf.j2 b/roles/nginx/templates/site.conf.j2 index d48f46f..786f7da 100644 --- a/roles/nginx/templates/site.conf.j2 +++ b/roles/nginx/templates/site.conf.j2 @@ -10,6 +10,7 @@ server { ssl_certificate /var/lib/dehydrated/certs/{{ site.server_name }}/fullchain.pem; ssl_certificate_key /var/lib/dehydrated/certs/{{ site.server_name }}/privkey.pem; + index {{ nginx_index | default('index.php index.html index.htm') }}; client_max_body_size {{ nginx_client_max_body_size }}; location ~ /\.ht { diff --git a/roles/photos/tasks/photos2mqtt.yaml b/roles/photos/tasks/photos2mqtt.yaml index 755a4ec..9e6e7b6 100644 --- a/roles/photos/tasks/photos2mqtt.yaml +++ b/roles/photos/tasks/photos2mqtt.yaml @@ -6,8 +6,8 @@ - liblinux-inotify2-perl - name: Install mqtt-simple - ansible.builtin.command: - cmd: cpan Net::MQTT::Simple + community.general.cpanm: + name: Net::MQTT::Simple - name: Install photos2mqtt ansible.builtin.template: diff --git a/roles/services/tasks/power_mqtt.yaml b/roles/services/tasks/power_mqtt.yaml index 406a274..1042844 100644 --- a/roles/services/tasks/power_mqtt.yaml +++ b/roles/services/tasks/power_mqtt.yaml @@ -27,7 +27,7 @@ vars: description: "SMD630 to MQTT Probe" exec: "/var/lib/power-mqtt.py %i" - notify: Restart power-mqtt@ + notify: Restart power-mqtt - name: Enable power-mqtt ansible.builtin.systemd: 
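Review bot: These two lines add the full `testing` and `sid` suites to sources.list on every host managed by the common role, which materially widens what `apt` can install on production stable machines; the preferences file in the same commit is the only thing holding that back, and its `n=testing`/`n=unstable` stanzas do not match those suites. Please also confirm that the `50unattended-upgrades` template's `Origins-Pattern` is restricted to `${distro_codename}` and its `-security`/`-updates` suites (not visible here), since a pattern matching `o=Debian` alone would now pull testing/sid uploads onto stable hosts. A comment on the new lines stating why they exist, e.g. `# ONLY for explicitly pinned packages; see preferences.d/stableonly`, would help the next reader.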
@@ -40,3 +40,4 @@ ip: 0.0.0.0 - net: unicorndept ip: 0.0.0.0 + ignore_errors: true # FIXME diff --git a/roles/services/tasks/spacestated.yaml b/roles/services/tasks/spacestated.yaml index 3cff5bb..dc92977 100644 --- a/roles/services/tasks/spacestated.yaml +++ b/roles/services/tasks/spacestated.yaml @@ -8,8 +8,8 @@ - make - name: Install mqtt-simple - ansible.builtin.command: - cmd: cpan Net::MQTT::Simple + community.general.cpanm: + name: Net::MQTT::Simple - name: Add user ansible.builtin.user: diff --git a/roles/www/tasks/mqtt.yaml b/roles/www/tasks/mqtt.yaml index f96fadd..44edb96 100644 --- a/roles/www/tasks/mqtt.yaml +++ b/roles/www/tasks/mqtt.yaml @@ -9,7 +9,7 @@ - name: Install mqtt-simple community.general.cpanm: - name: Net::MQTT::Simple + name: "Net::MQTT::Simple" - name: Clone mqtt2web source ansible.builtin.git: From f879be8c8422c5a08f23037d419eac6750e50804 Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Wed, 31 Jul 2024 22:25:14 +0200 Subject: [PATCH 32/62] Mqtt --- roles/photos/tasks/photos2mqtt.yaml | 4 ++-- roles/services/tasks/spacestated.yaml | 4 ++-- roles/www/tasks/mqtt.yaml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/photos/tasks/photos2mqtt.yaml b/roles/photos/tasks/photos2mqtt.yaml index 9e6e7b6..b21f81f 100644 --- a/roles/photos/tasks/photos2mqtt.yaml +++ b/roles/photos/tasks/photos2mqtt.yaml @@ -6,8 +6,8 @@ - liblinux-inotify2-perl - name: Install mqtt-simple - community.general.cpanm: - name: Net::MQTT::Simple + ansible.builtin.apt: + name: libnet-mqtt-simple-perl/testing - name: Install photos2mqtt ansible.builtin.template: diff --git a/roles/services/tasks/spacestated.yaml b/roles/services/tasks/spacestated.yaml index dc92977..7e5bda1 100644 --- a/roles/services/tasks/spacestated.yaml +++ b/roles/services/tasks/spacestated.yaml 
@@ -8,8 +8,8 @@ - make - name: Install mqtt-simple - community.general.cpanm: - name: Net::MQTT::Simple + ansible.builtin.apt: + name: libnet-mqtt-simple-perl/testing - name: Add user ansible.builtin.user: diff --git a/roles/www/tasks/mqtt.yaml b/roles/www/tasks/mqtt.yaml index 44edb96..d5d2d29 100644 --- a/roles/www/tasks/mqtt.yaml +++ b/roles/www/tasks/mqtt.yaml @@ -8,8 +8,8 @@ - mosquitto - name: Install mqtt-simple - community.general.cpanm: - name: "Net::MQTT::Simple" + ansible.builtin.apt: + name: libnet-mqtt-simple-perl/testing - name: Clone mqtt2web source ansible.builtin.git: From b699807642644939ebe837ac34bbeeffcb5c88ed Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Wed, 31 Jul 2024 22:33:26 +0200 Subject: [PATCH 33/62] mqtt install --- roles/photos/tasks/photos2mqtt.yaml | 3 ++- roles/services/tasks/spacestated.yaml | 3 ++- roles/www/tasks/mqtt.yaml | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/roles/photos/tasks/photos2mqtt.yaml b/roles/photos/tasks/photos2mqtt.yaml index b21f81f..d9f2e05 100644 --- a/roles/photos/tasks/photos2mqtt.yaml +++ b/roles/photos/tasks/photos2mqtt.yaml @@ -7,7 +7,8 @@ - name: Install mqtt-simple ansible.builtin.apt: - name: libnet-mqtt-simple-perl/testing + pkg: libnet-mqtt-simple-perl + default_release: testing - name: Install photos2mqtt ansible.builtin.template: diff --git a/roles/services/tasks/spacestated.yaml b/roles/services/tasks/spacestated.yaml index 7e5bda1..92a0ace 100644 --- a/roles/services/tasks/spacestated.yaml +++ b/roles/services/tasks/spacestated.yaml @@ -9,7 +9,8 @@ - name: Install mqtt-simple ansible.builtin.apt: - name: libnet-mqtt-simple-perl/testing + pkg: libnet-mqtt-simple-perl + default_release: testing - name: Add user ansible.builtin.user: diff --git a/roles/www/tasks/mqtt.yaml b/roles/www/tasks/mqtt.yaml index d5d2d29..63d1dee 100644 --- a/roles/www/tasks/mqtt.yaml +++ b/roles/www/tasks/mqtt.yaml 
@@ -9,7 +9,8 @@ - name: Install mqtt-simple ansible.builtin.apt: - name: libnet-mqtt-simple-perl/testing + pkg: libnet-mqtt-simple-perl + default_release: testing - name: Clone mqtt2web source ansible.builtin.git: From d866b5044882b18fb001630bb2126397afcc033e Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Wed, 14 Aug 2024 20:28:25 +0200 Subject: [PATCH 34/62] Syntax --- roles/nginx/templates/default.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/templates/default.j2 b/roles/nginx/templates/default.j2 index b417134..ad388c9 100644 --- a/roles/nginx/templates/default.j2 +++ b/roles/nginx/templates/default.j2 @@ -2,7 +2,7 @@ server { listen 80 default_server; - listen [::]:80 + listen [::]:80; server_name {{ inventory_hostname }}; From 3ac81cbbebd1589d29a9b626d614f34343b9d938 Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Thu, 15 Aug 2024 18:24:04 +0200 Subject: [PATCH 35/62] Set up new power meters in Space 4 --- group_vars/services.yaml | 6 ++++++ roles/services/handlers/main.yaml | 3 ++- roles/services/tasks/power_mqtt.yaml | 9 ++------- roles/services/templates/power-mqtt.py | 4 ++-- 4 files changed, 12 insertions(+), 10 deletions(-) diff --git a/group_vars/services.yaml b/group_vars/services.yaml index e76affe..3870e5c 100644 --- a/group_vars/services.yaml +++ b/group_vars/services.yaml @@ -2,3 +2,9 @@ group_nft_input: [] # - "udp dport 4000 accept # FIXME, werkt op dit moment toch niet hoor ik van AK + +power_mqtt_targets: + - net: space + ip: 204.2.69.50 + - net: unicorndept + ip: 204.2.68.219 diff --git a/roles/services/handlers/main.yaml b/roles/services/handlers/main.yaml index fb69a73..ed04c9f 100644 --- a/roles/services/handlers/main.yaml +++ b/roles/services/handlers/main.yaml @@ -52,6 +52,7 @@ - name: Restart power-mqtt ansible.builtin.systemd: - name: power-mqtt + name: "power-mqtt@{{ item.net }}:{{ item.ip }}" state: restarted daemon_reload: true + with_items: "{{ power_mqtt_targets }}" 
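Review bot: `default_release: testing` is `apt-get -t testing`, which raises the priority of the whole testing suite for this transaction, so any dependency of libnet-mqtt-simple-perl whose stable version does not satisfy the testing package's requirements is upgraded from testing as well; the `name: libnet-mqtt-simple-perl/testing` form from the previous patch limited the target release to that single package. If the `/testing` suffix was dropped because the apt module rejected it, a per-package pin is the safer equivalent: add a `Package: libnet-mqtt-simple-perl` / `Pin: release a=testing` / `Pin-Priority: 990` stanza to the preferences file and install it with a plain `ansible.builtin.apt` task. The same change is made in three roles; a comment explaining why the module is taken from testing (presumably it is not packaged in the current stable) belongs on at least one of them.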
diff --git a/roles/services/tasks/power_mqtt.yaml b/roles/services/tasks/power_mqtt.yaml index 1042844..5c18589 100644 --- a/roles/services/tasks/power_mqtt.yaml +++ b/roles/services/tasks/power_mqtt.yaml @@ -31,13 +31,8 @@ - name: Enable power-mqtt ansible.builtin.systemd: - name: "power-mqtt@{{ item.net }}/{{ item.ip }}" + name: "power-mqtt@{{ item.net }}:{{ item.ip }}" state: started enabled: true daemon_reload: true - with_items: - - net: space - ip: 0.0.0.0 - - net: unicorndept - ip: 0.0.0.0 - ignore_errors: true # FIXME + with_items: "{{ power_mqtt_targets }}" diff --git a/roles/services/templates/power-mqtt.py b/roles/services/templates/power-mqtt.py index db28aac..becccc7 100644 --- a/roles/services/templates/power-mqtt.py +++ b/roles/services/templates/power-mqtt.py @@ -5,12 +5,12 @@ import paho.mqtt.client as mqtt import paho.mqtt.subscribe as subscribe from time import sleep -import os +import sys import requests mqtt_host = '{{ mqtt_internal_host }}' -(net, sdm630_host) = os.argv[1].split('/') +(net, sdm630_host) = sys.argv[1].split(':') client = mqtt.Client() From c0f17ffb40b8e3f8e46dd2ea0210af994e56f423 Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Mon, 26 Aug 2024 10:50:28 +0200 Subject: [PATCH 36/62] Firewall change voor AK --- group_vars/services.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/group_vars/services.yaml b/group_vars/services.yaml index 3870e5c..b978598 100644 --- a/group_vars/services.yaml +++ b/group_vars/services.yaml @@ -3,6 +3,9 @@ group_nft_input: [] # - "udp dport 4000 accept # FIXME, werkt op dit moment toch niet hoor ik van AK +nft_group_rules: + - { from: [ '204.2.64.29' ], port: "3306", comment: "Mysql vanaf eventinfra, verzoek AK" } + power_mqtt_targets: - net: space ip: 204.2.69.50 From c6edd95b5d3c0fe53166eb54fbcb127cfeeecd59 Mon Sep 17 00:00:00 2001 
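Review bot: `(net, sdm630_host) = sys.argv[1].split(':')` raises `ValueError` on any argument with more than one colon, and the host part is later interpolated unvalidated into `http://{sdm630_host}/api/v1/data`, so a typo in `power_mqtt_targets` crashes the unit before it can log anything useful. `net, sdm630_host = sys.argv[1].split(':', 1)` keeps only the first colon as the separator, and a one-line guard such as `if not net or not sdm630_host: sys.exit(f'usage: {sys.argv[0]} NET:HOST')` gives a readable failure. The instance name these values come from is built in roles/services/tasks/power_mqtt.yaml in the same commit; the rest of the script is outside the hunk.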
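Review bot: The new `nft_group_rules` entry opens TCP/3306 to 204.2.64.29, and MySQL over a plain TCP socket is cleartext unless TLS is required server-side. Before relying on the firewall alone, make sure the account used from that host is bound to it (`'user'@'204.2.64.29'`), has only the grants it needs, and that `require_secure_transport=ON` (or `REQUIRE SSL` on the account) is set — none of that is visible in this change. Expanding the comment to say what service on eventinfra needs the database would make this rule easier to re-evaluate later.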
From: ak47 Date: Wed, 11 Sep 2024 21:35:23 +0200 Subject: [PATCH 37/62] add siahsd --- group_vars/services.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/services.yaml b/group_vars/services.yaml index b978598..873163d 100644 --- a/group_vars/services.yaml +++ b/group_vars/services.yaml @@ -1,7 +1,7 @@ --- group_nft_input: [] -# - "udp dport 4000 accept # FIXME, werkt op dit moment toch niet hoor ik van AK + - { from: ['100.64.0.14' ], port: "4000", comment: "siahsd"} nft_group_rules: - { from: [ '204.2.64.29' ], port: "3306", comment: "Mysql vanaf eventinfra, verzoek AK" } From 6b1791cc8989f891f1ac06300939e60926ebacfe Mon Sep 17 00:00:00 2001 From: ak47 Date: Wed, 11 Sep 2024 21:35:33 +0200 Subject: [PATCH 38/62] Update group_vars/services.yaml --- group_vars/services.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/services.yaml b/group_vars/services.yaml index 873163d..c9e792c 100644 --- a/group_vars/services.yaml +++ b/group_vars/services.yaml @@ -1,7 +1,7 @@ --- group_nft_input: [] - - { from: ['100.64.0.14' ], port: "4000", comment: "siahsd"} + - { from: [ '100.64.0.14' ], port: "4000", comment: "siahsd"} nft_group_rules: - { from: [ '204.2.64.29' ], port: "3306", comment: "Mysql vanaf eventinfra, verzoek AK" } From e3c97c58e9c7b4f82058da620f675ce276c470df Mon Sep 17 00:00:00 2001 From: ak47 Date: Wed, 11 Sep 2024 21:36:15 +0200 Subject: [PATCH 39/62] Update group_vars/services.yaml --- group_vars/services.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/group_vars/services.yaml b/group_vars/services.yaml index c9e792c..0c50a4d 100644 --- a/group_vars/services.yaml +++ b/group_vars/services.yaml 
@@ -1,10 +1,11 @@ --- group_nft_input: [] - - { from: [ '100.64.0.14' ], port: "4000", comment: "siahsd"} + # test nft_group_rules: - { from: [ '204.2.64.29' ], port: "3306", comment: "Mysql vanaf eventinfra, verzoek AK" } + - { from: [ '100.64.0.14' ], port: "4000", comment: "siahsd"} power_mqtt_targets: - net: space From 92a051ad78fb308e10b03ab502bc595f5ec57489 Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Wed, 11 Sep 2024 21:39:37 +0200 Subject: [PATCH 40/62] UDP 4000 voor siahsd --- group_vars/services.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/services.yaml b/group_vars/services.yaml index 0c50a4d..56e575f 100644 --- a/group_vars/services.yaml +++ b/group_vars/services.yaml @@ -5,7 +5,7 @@ group_nft_input: [] nft_group_rules: - { from: [ '204.2.64.29' ], port: "3306", comment: "Mysql vanaf eventinfra, verzoek AK" } - - { from: [ '100.64.0.14' ], port: "4000", comment: "siahsd"} + - { from: [ '100.64.0.14' ], port: "4000", proto: "udp", comment: "siahsd"} power_mqtt_targets: - net: space From 51662e1dc310c438ff12d1f27e8d0758da557c27 Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Wed, 18 Sep 2024 23:57:02 +0200 Subject: [PATCH 41/62] homeassistant vm --- group_vars/homeassistant.yaml | 12 ++++++++++++ inventory | 4 ++++ roles/common/tasks/vm.yaml | 2 +- 3 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 group_vars/homeassistant.yaml diff --git a/group_vars/homeassistant.yaml b/group_vars/homeassistant.yaml new file mode 100644 index 0000000..9f5146b --- /dev/null +++ b/group_vars/homeassistant.yaml @@ -0,0 +1,12 @@ +acme_bootstrap_certs: yes +acme_san_domains: + - [ homeassistant.bitlair.nl ] + +group_nft_input: + - "# Allow web-traffic from world" + - "tcp dport { http, https } accept" + - "# mqtt from world" + - "tcp dport { 1883 } accept" + +nginx_sites: + - server_name: "homeassistant.bitlair.nl" diff --git a/inventory b/inventory index e66fa9a..8d835ac 100644 --- a/inventory +++ b/inventory 
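Review bot: `tcp dport { 1883 } accept` with the comment `# mqtt from world` exposes plaintext MQTT to the whole internet; if the broker on this host allows anonymous connections, anyone can publish to the topics Home Assistant acts on and read whatever is published, and if it uses passwords they cross the internet in cleartext. Restrict the source to the space's trusted ranges (the common role keeps them in `trusted_ranges`; the nft set name is not visible here) or move to 8883 with TLS plus `allow_anonymous false` and an ACL file, keeping 1883 internal only. Also `acme_bootstrap_certs: yes` should be `true`, as the rest of this series is converting truthy values.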
@@ -43,6 +43,9 @@ wiki.bitlair.nl [shell] shell.bitlair.nl +[homeassistant] +homeassistant.bitlair.nl + [debian:children] bank fotos @@ -56,3 +59,4 @@ music services wiki shell +homeassistant diff --git a/roles/common/tasks/vm.yaml b/roles/common/tasks/vm.yaml index e1921ec..f70850c 100644 --- a/roles/common/tasks/vm.yaml +++ b/roles/common/tasks/vm.yaml @@ -10,7 +10,7 @@ ansible.builtin.lineinfile: path: /etc/default/grub regexp: ^GRUB_CMDLINE_LINUX_DEFAULT - line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet console=ttyS0,115200n1 console=tty0"' + line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet net.ifnames=0 console=ttyS0,115200n1 console=tty0"' notify: - Update grub tags: From 1adae2f702a4848bac67e5608a9bda835eafcd5e Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Wed, 25 Sep 2024 14:26:34 +0200 Subject: [PATCH 42/62] pad config --- group_vars/pad.yaml | 15 +++++++++++++++ roles/nginx/templates/site.conf.j2 | 4 ++++ 2 files changed, 19 insertions(+) diff --git a/group_vars/pad.yaml b/group_vars/pad.yaml index fd642a9..3d2f69c 100644 --- a/group_vars/pad.yaml +++ b/group_vars/pad.yaml @@ -1,10 +1,25 @@ --- +acme_domains: + - pad.bitlair.nl + etherpad_domain: pad.bitlair.nl nginx_sites: - server_name: "pad.bitlair.nl" localproxy: "9001" + pre_config: + - "# WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html" + - "map $http_upgrade $connection_upgrade {" + - " default upgrade;" + - " '' close;" + - "}" + config: + - "location / {" + - " # WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html" + - " proxy_set_header Upgrade $http_upgrade;" + - " proxy_set_header Connection $connection_upgrade;" + - "}" group_nft_input: - "# Allow web-traffic from world" diff --git a/roles/nginx/templates/site.conf.j2 b/roles/nginx/templates/site.conf.j2 index 786f7da..181e604 100644 --- a/roles/nginx/templates/site.conf.j2 +++ b/roles/nginx/templates/site.conf.j2 
@@ -1,5 +1,9 @@ # {{ ansible_managed }} +{% for line in site.pre_config | default([]) %} +{{ line }} +{% endfor %} + server { listen 443 ssl http2; listen [::]:443 ssl http2; From fc443544d308cbafaef82b366c01287de2c04058 Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Wed, 25 Sep 2024 14:32:35 +0200 Subject: [PATCH 43/62] pad, last fix --- group_vars/pad.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/group_vars/pad.yaml b/group_vars/pad.yaml index 3d2f69c..a629003 100644 --- a/group_vars/pad.yaml +++ b/group_vars/pad.yaml @@ -7,7 +7,7 @@ etherpad_domain: pad.bitlair.nl nginx_sites: - server_name: "pad.bitlair.nl" - localproxy: "9001" +# localproxy: "9001" pre_config: - "# WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html" - "map $http_upgrade $connection_upgrade {" @@ -16,6 +16,9 @@ nginx_sites: - "}" config: - "location / {" + - " proxy_pass http://localhost:9001/;" + - " include proxy_params;" + - "" - " # WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html" - " proxy_set_header Upgrade $http_upgrade;" - " proxy_set_header Connection $connection_upgrade;" From 381a0e2c2e6d250c96753c21690f8c123470d3df Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Wed, 25 Sep 2024 14:32:55 +0200 Subject: [PATCH 44/62] homeassistant --- bitlair.yaml | 5 +++++ group_vars/homeassistant.yaml | 3 +++ snippets/homeassistant-nginx.j2 | 14 ++++++++++++++ 3 files changed, 22 insertions(+) create mode 100644 snippets/homeassistant-nginx.j2 diff --git a/bitlair.yaml b/bitlair.yaml index 9a7b765..48db717 100644 --- a/bitlair.yaml +++ b/bitlair.yaml @@ -10,6 +10,11 @@ roles: - { role: "bank", tags: ["bank"] } +- hosts: homeassistant + roles: + - { role: "acme", tags: ["acme"] } + - { role: "nginx", tags: ["nginx"] } + - hosts: raspi roles: - { role: "raspi", tags: ["raspi"] } diff --git a/group_vars/homeassistant.yaml b/group_vars/homeassistant.yaml index 9f5146b..d43165b 100644 --- a/group_vars/homeassistant.yaml 
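Review bot: The `location /` block sets `Upgrade`/`Connection` for WebSocket proxying but never sets `proxy_http_version 1.1;`, and Debian's `proxy_params` does not either, so nginx talks HTTP/1.0 to Etherpad and the upgrade handshake the comment links to will fail (the referenced nginx page includes that directive). Add `- "  proxy_http_version 1.1;"` next to the `proxy_pass` line. Prefer `127.0.0.1:9001` over `localhost:9001` as well, so nginx does not also try `::1` when the backend binds IPv4 only; which address Etherpad listens on is not visible here.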
+++ b/group_vars/homeassistant.yaml @@ -10,3 +10,6 @@ group_nft_input: nginx_sites: - server_name: "homeassistant.bitlair.nl" + localproxy: "8123" + snippets: + - "homeassistant-nginx.j2" diff --git a/snippets/homeassistant-nginx.j2 b/snippets/homeassistant-nginx.j2 new file mode 100644 index 0000000..d46617e --- /dev/null +++ b/snippets/homeassistant-nginx.j2 @@ -0,0 +1,14 @@ + location /api/ { + proxy_pass http://127.0.0.1:8123; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $host; + } + + location / { + proxy_pass http://127.0.0.1:8123; + proxy_http_version 1.1; + proxy_set_header Host $host; + } + From fa31ab859007624478c1b0d56f6e8ec885b07dc4 Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Sun, 29 Sep 2024 20:38:42 +0200 Subject: [PATCH 45/62] services: Fix power total_kwh --- roles/monitoring/templates/mqtt_exporter_config.yaml | 3 ++- roles/services/templates/power-mqtt.py | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/monitoring/templates/mqtt_exporter_config.yaml b/roles/monitoring/templates/mqtt_exporter_config.yaml index 39d147a..e1f1cbb 100644 --- a/roles/monitoring/templates/mqtt_exporter_config.yaml +++ b/roles/monitoring/templates/mqtt_exporter_config.yaml @@ -15,7 +15,8 @@ export: - subscribe: bitlair/# - subscribe: bitlair/climate/+location/# - subscribe: bitlair/climate/+location/dust_mass/+size - - subscribe: bitlair/power/+net/+group/# + - subscribe: bitlair/power/+net/+group/now_w + - subscribe: bitlair/power/+net/total_kwh - subscribe: bitlair/wifi/+ssid/# - subscribe: bitlair/state diff --git a/roles/services/templates/power-mqtt.py b/roles/services/templates/power-mqtt.py index becccc7..2fcd038 100644 --- a/roles/services/templates/power-mqtt.py +++ b/roles/services/templates/power-mqtt.py 
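Review bot: The snippet forwards only `Host`, so Home Assistant sees every client as 127.0.0.1; its login-attempt throttling and `ip_ban_enabled` then either do nothing or ban the proxy itself, and `trusted_proxies`/`use_x_forwarded_for` in its http config have nothing to work with. `Connection "Upgrade"` is also hard-coded for every `/api/` request instead of only when the client asked for a WebSocket; the `map $http_upgrade $connection_upgrade` used for pad.bitlair.nl earlier in this series (via `pre_config`) handles that and would need to be added to this site's `pre_config` too. Both `location /` here and `localproxy: "8123"` in group_vars may each render a `location /` for the same server — check the rendered config for a duplicate-location error. The `location /` block should get the same two `X-Forwarded-*` lines as the rewrite below.
```nginx
    location /api/ {
        proxy_pass http://127.0.0.1:8123;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    # … unchanged: location / (add the same X-Forwarded-For / X-Forwarded-Proto lines) …
```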
@@ -21,7 +21,7 @@ while True: sleep(10) try: data = requests.get(f'http://{sdm630_host}/api/v1/data').json() - client.publish('bitlair/power/total_kwh', data['total_power_import_kwh']) + client.publish(f'bitlair/power/{net}/total_kwh', data['total_power_import_kwh']) client.publish(f'bitlair/power/{net}/All/now_w', data['active_power_w']) client.publish(f'bitlair/power/{net}/L1/now_w', data['active_power_l1_w']) client.publish(f'bitlair/power/{net}/L2/now_w', data['active_power_l2_w']) From b51372bfb22da8de6ed052e099e760214d7e00d4 Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Mon, 2 Dec 2024 21:53:39 +0100 Subject: [PATCH 46/62] Firewall rules --- group_vars/all.yaml | 1 + group_vars/shell.yaml | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/group_vars/all.yaml b/group_vars/all.yaml index 18707fc..dd6b832 100644 --- a/group_vars/all.yaml +++ b/group_vars/all.yaml @@ -20,6 +20,7 @@ trusted_ranges: # - { v: ipv6, cidr: "2a02:166b:92::/48", comment: "bitlair" } # /48's kunnen niet in de ipset - { v: ipv6, cidr: "2001:678:814:68::/64", comment: "bitlair wifi" } - { v: ipv6, cidr: "2a05:2d01:0:4042::/64", comment: "bitlair servers" } + - { v: ipv6, cidr: "2a05:2d01:1337::/48", comment: "eventinfra v6-range" } - { v: ipv6, cidr: "2a0e:5700:4:2::/64", comment: "foobar ipv6" } trusted_ports: - ssh diff --git a/group_vars/shell.yaml b/group_vars/shell.yaml index 238e2cc..4c28989 100644 --- a/group_vars/shell.yaml +++ b/group_vars/shell.yaml @@ -1,3 +1,7 @@ --- manage_sshd_config: false + +group_nft_input: + - "# Allow SSH from world" + - "tcp dport { ssh } accept" From 69547fc540b38a01843f92ea33969c57f414561f Mon Sep 17 00:00:00 2001 
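Review bot: The new `2a05:2d01:1337::/48` entry contradicts the comment at the top of the hunk (`# /48's kunnen niet in de ipset`), which is the stated reason the `2a02:166b:92::/48` entry above it is commented out; either that comment is stale or this entry will not load into the set. If a /48 does work now, drop the comment so the next editor is not misled; otherwise list the /64s actually in use. Anything in trusted_ranges reaches every port in trusted_ports, so a whole /48 is a broad grant and it is worth confirming the prefix is entirely under the space's control.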
From: Mark Janssen Date: Mon, 2 Dec 2024 21:57:47 +0100 Subject: [PATCH 47/62] Firewall comments --- group_vars/all.yaml | 2 +- group_vars/fotos.yaml | 3 +-- group_vars/git.yaml | 3 +-- group_vars/homeassistant.yaml | 6 ++---- group_vars/monitoring.yaml | 3 +-- group_vars/pad.yaml | 3 +-- group_vars/shell.yaml | 3 +-- group_vars/wiki.yaml | 6 ++---- 8 files changed, 10 insertions(+), 19 deletions(-) diff --git a/group_vars/all.yaml b/group_vars/all.yaml index dd6b832..f439200 100644 --- a/group_vars/all.yaml +++ b/group_vars/all.yaml @@ -20,7 +20,7 @@ trusted_ranges: # - { v: ipv6, cidr: "2a02:166b:92::/48", comment: "bitlair" } # /48's kunnen niet in de ipset - { v: ipv6, cidr: "2001:678:814:68::/64", comment: "bitlair wifi" } - { v: ipv6, cidr: "2a05:2d01:0:4042::/64", comment: "bitlair servers" } - - { v: ipv6, cidr: "2a05:2d01:1337::/48", comment: "eventinfra v6-range" } + - { v: ipv6, cidr: "2a05:2d01:1337::/48", comment: "bitlair space v6-range" } - { v: ipv6, cidr: "2a0e:5700:4:2::/64", comment: "foobar ipv6" } trusted_ports: - ssh diff --git a/group_vars/fotos.yaml b/group_vars/fotos.yaml index ca34caa..94751d2 100644 --- a/group_vars/fotos.yaml +++ b/group_vars/fotos.yaml @@ -11,6 +11,5 @@ trusted_ports: - microsoft-ds group_nft_input: - - "# Allow traffic from wiki" - - "ip saddr 204.2.64.19 tcp dport { 4567 } accept" + - "ip saddr 204.2.64.19 tcp dport { 4567 } accept # Allow traffic from wiki" diff --git a/group_vars/git.yaml b/group_vars/git.yaml index 03f8559..b938f18 100644 --- a/group_vars/git.yaml +++ b/group_vars/git.yaml @@ -7,8 +7,7 @@ git_server_title: Gitlair git_server_bootstrap_cert: no group_nft_input: - - "# Allow ssh(git) + web-traffic from world" - - "tcp dport { ssh, http, https } accept" + - "tcp dport { ssh, http, https } accept # Allow ssh(git) + web-traffic from world" nginx_client_max_body_size: 4G diff --git a/group_vars/homeassistant.yaml b/group_vars/homeassistant.yaml index d43165b..4c826c5 100644 
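Review bot: Moving the comments into the rule strings (`... accept # Allow traffic from wiki`) discards them at nft parse time, so `nft list ruleset` on the host no longer shows why a port is open; nftables has a rule attribute that survives loading, `tcp dport { 4567 } accept comment "Allow traffic from wiki"`. The same applies to the git.yaml, homeassistant.yaml, monitoring.yaml, pad.yaml, shell.yaml and wiki.yaml hunks in this patch. Whether a trailing `#` is even safe depends on how the nft role renders group_nft_input; if it hands each entry to an `nft add rule` command instead of writing a ruleset file the `#` would need quoting, which this diff does not show.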
--- a/group_vars/homeassistant.yaml +++ b/group_vars/homeassistant.yaml @@ -3,10 +3,8 @@ acme_san_domains: - [ homeassistant.bitlair.nl ] group_nft_input: - - "# Allow web-traffic from world" - - "tcp dport { http, https } accept" - - "# mqtt from world" - - "tcp dport { 1883 } accept" + - "tcp dport { http, https } accept # Allow web-traffic from world" + - "tcp dport { 1883 } accept # mqtt from world" nginx_sites: - server_name: "homeassistant.bitlair.nl" diff --git a/group_vars/monitoring.yaml b/group_vars/monitoring.yaml index 260e159..61c5cae 100644 --- a/group_vars/monitoring.yaml +++ b/group_vars/monitoring.yaml @@ -4,8 +4,7 @@ acme_san_domains: - ["{{ monitoring_domain }}"] group_nft_input: - - "# Allow web-traffic from world" - - "tcp dport { http, https } accept" + - "tcp dport { http, https } accept # Allow web-traffic from world" prometheus_scrape_configs: - job_name: "node" diff --git a/group_vars/pad.yaml b/group_vars/pad.yaml index a629003..6f4babc 100644 --- a/group_vars/pad.yaml +++ b/group_vars/pad.yaml @@ -25,5 +25,4 @@ nginx_sites: - "}" group_nft_input: - - "# Allow web-traffic from world" - - "tcp dport { http, https } accept" + - "tcp dport { http, https } accept # Allow web-traffic from world" diff --git a/group_vars/shell.yaml b/group_vars/shell.yaml index 4c28989..3d7c4b8 100644 --- a/group_vars/shell.yaml +++ b/group_vars/shell.yaml @@ -3,5 +3,4 @@ manage_sshd_config: false group_nft_input: - - "# Allow SSH from world" - - "tcp dport { ssh } accept" + - "tcp dport { ssh } accept # Allow SSH from world" diff --git a/group_vars/wiki.yaml b/group_vars/wiki.yaml index 1f2bd2c..7bc009b 100644 --- a/group_vars/wiki.yaml +++ b/group_vars/wiki.yaml 
@@ -5,10 +5,8 @@ acme_san_domains: - [ ravespace.nl ] group_nft_input: - - "# Allow web-traffic from world" - - "tcp dport { http, https } accept" - - "# mqtt from world" - - "tcp dport { 1883 } accept" + - "tcp dport { http, https } accept # Allow web-traffic from world" + - "tcp dport { 1883 } accept # mqtt from world" nginx_sites: - server_name: "bitlair.nl" From 73a8fc9f05f99a2bbb053609cc555ea3f3753ce4 Mon Sep 17 00:00:00 2001 From: ak47 Date: Mon, 2 Dec 2024 22:14:03 +0100 Subject: [PATCH 48/62] Update snippets/www-nginx.j2 change blockchain IP --- snippets/www-nginx.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/snippets/www-nginx.j2 b/snippets/www-nginx.j2 index 6b43e35..a831121 100644 --- a/snippets/www-nginx.j2 +++ b/snippets/www-nginx.j2 @@ -7,7 +7,7 @@ location = /fotos { } location ~* ^/fotos/(.*)$ { - proxy_pass http://204.2.68.2:4567/$1$is_args$args; + proxy_pass http://204.2.64.24:4567/$1$is_args$args; } location ~ ^/state/(.+)$ { From ea65af20debb2feb5f0bae7aa3d1e09c3d42522e Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Sun, 8 Dec 2024 19:05:38 +0100 Subject: [PATCH 49/62] services: Update power-meter addresses --- group_vars/services.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/services.yaml b/group_vars/services.yaml index 56e575f..03142a0 100644 --- a/group_vars/services.yaml +++ b/group_vars/services.yaml @@ -9,6 +9,6 @@ nft_group_rules: power_mqtt_targets: - net: space - ip: 204.2.69.50 + ip: 100.64.0.21 - net: unicorndept - ip: 204.2.68.219 + ip: 100.64.0.187 From 55905adfa4990cc6a20850359d01913f96b228d3 Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Thu, 12 Dec 2024 22:15:15 +0100 Subject: [PATCH 50/62] monitoring: Update internet traffic topics --- roles/monitoring/templates/mqtt_exporter_config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/roles/monitoring/templates/mqtt_exporter_config.yaml b/roles/monitoring/templates/mqtt_exporter_config.yaml index e1f1cbb..9767cdf 100644 --- a/roles/monitoring/templates/mqtt_exporter_config.yaml +++ b/roles/monitoring/templates/mqtt_exporter_config.yaml @@ -36,10 +36,10 @@ export: labels: product: payload - - subscribe: bitlair/collectd/bitlair-5406/snmp/if_octets-traffic.D15 + - subscribe: bitlair/collectd/bitlair4-sw-24p/snmp/if_octets-traffic.24 metric_name: bitlair_internet_rx value_regex: "^.+:(.+):" - - subscribe: bitlair/collectd/bitlair-5406/snmp/if_octets-traffic.D15 + - subscribe: bitlair/collectd/bitlair4-sw-24p/snmp/if_octets-traffic.24 metric_name: bitlair_internet_tx value_regex: "^.+:.+:([\\d\\.]+)" From e3683744fc64eca7d4c96a2280876cfb501196e1 Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Sun, 22 Dec 2024 18:14:16 +0100 Subject: [PATCH 51/62] bank: Update inflatinator dependencies --- roles/bank/tasks/inflatinator.service | 9 +++++++++ roles/bank/tasks/inflatinator.yaml | 23 ++++++++++++++++++++++- roles/monitoring/tasks/mqtt_exporter.yaml | 4 ++-- 3 files changed, 33 insertions(+), 3 deletions(-) create mode 100644 roles/bank/tasks/inflatinator.service diff --git a/roles/bank/tasks/inflatinator.service b/roles/bank/tasks/inflatinator.service new file mode 100644 index 0000000..c4a2397 --- /dev/null +++ b/roles/bank/tasks/inflatinator.service @@ -0,0 +1,9 @@ +[Unit] +Description=Update product prices in Revbank + +[Service] +Type=oneshot +ExecStart=/opt/revbank-inflatinator/.venv/bin/python /opt/revbank-inflatinator/inflatinator/ /home/bank/revbank.products +EnvironmentFile=/etc/revbank-inflatinator/env.conf +User=bank +Group=bank diff --git a/roles/bank/tasks/inflatinator.yaml b/roles/bank/tasks/inflatinator.yaml index dc687a3..02452ad 100644 --- a/roles/bank/tasks/inflatinator.yaml +++ b/roles/bank/tasks/inflatinator.yaml 
@@ -1,7 +1,7 @@ --- - name: Install dependencies ansible.builtin.apt: - name: [ links, python3-pyquery ] + name: virtualenv state: present - name: Clone revbank-inflatinator source @@ -10,3 +10,24 @@ version: main dest: /opt/revbank-inflatinator accept_hostkey: yes + +- name: Create virtualenv + ansible.builtin.command: + cmd: virtualenv /opt/revbank-inflatinator/.venv + args: + creates: /opt/revbank-inflatinator/.venv + +- name: Install Python dependencies + ansible.builtin.shell: + cmd: . .venv/bin/activate && pip install -r requirements.txt + args: + chdir: /opt/revbank-inflatinator + +- name: Install service + ansible.builtin.template: + src: inflatinator.service + dest: /etc/systemd/system/revbank-inflatinator.service + owner: root + group: root + mode: 0644 + notify: Daemon reload diff --git a/roles/monitoring/tasks/mqtt_exporter.yaml b/roles/monitoring/tasks/mqtt_exporter.yaml index b41fc42..0ae5d07 100644 --- a/roles/monitoring/tasks/mqtt_exporter.yaml +++ b/roles/monitoring/tasks/mqtt_exporter.yaml @@ -24,7 +24,7 @@ group: root mode: 0644 notify: - - daemon reload + - Daemon reload - restart mqtt_exporter - name: Install config file @@ -35,7 +35,7 @@ group: root mode: 0644 notify: - - daemon reload + - Daemon reload - restart mqtt_exporter - ansible.builtin.meta: flush_handlers From ef6d87e3b107fdd40e834772a4f238db107648fc Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Sun, 23 Mar 2025 12:32:25 +0100 Subject: [PATCH 52/62] bank: Update git remotes --- roles/bank/defaults/main.yaml | 2 +- roles/bank/tasks/inflatinator.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/bank/defaults/main.yaml b/roles/bank/defaults/main.yaml index 136726e..b0fea92 100644 --- a/roles/bank/defaults/main.yaml +++ b/roles/bank/defaults/main.yaml @@ -1,3 +1,3 @@ bank_user: bank -bank_revbank_git: https://github.com/revspace/revbank.git +bank_revbank_git: https://git.bitlair.nl/bitlair/revbank.git bank_local_tty: no 
diff --git a/roles/bank/tasks/inflatinator.yaml b/roles/bank/tasks/inflatinator.yaml index 02452ad..9ae9427 100644 --- a/roles/bank/tasks/inflatinator.yaml +++ b/roles/bank/tasks/inflatinator.yaml @@ -6,7 +6,7 @@ - name: Clone revbank-inflatinator source ansible.builtin.git: - repo: https://github.com/bitlair/revbank-inflatinator.git + repo: https://git.bitlair.nl/bitlair/revbank-inflatinator.git version: main dest: /opt/revbank-inflatinator accept_hostkey: yes From ec051bf541bbbde94f5f6764daae38b9924f66b5 Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Sun, 23 Mar 2025 13:23:12 +0100 Subject: [PATCH 53/62] git-ci: Update forgejo-runner --- roles/git-ci/defaults/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/git-ci/defaults/main.yaml b/roles/git-ci/defaults/main.yaml index 82807d7..2e805ee 100644 --- a/roles/git-ci/defaults/main.yaml +++ b/roles/git-ci/defaults/main.yaml @@ -1,2 +1,2 @@ runner_wd: /var/lib/forgejo-runner -runner_version: 3.4.1 +runner_version: 6.3.0 From f0fd0ee6f2463f4e9a298289353279e22d40670f Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Sun, 23 Mar 2025 17:34:59 +0100 Subject: [PATCH 54/62] bank: git pull -r before pushing --- roles/bank/templates/git.cron | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/bank/templates/git.cron b/roles/bank/templates/git.cron index 2290e43..fa09df8 100644 --- a/roles/bank/templates/git.cron +++ b/roles/bank/templates/git.cron @@ -1,4 +1,4 @@ SHELL=/bin/bash #m h dom mon dow user command - 0 * * * * {{ bank_user }} (cd /home/{{ bank_user }}/data.git && git push --mirror && git gc --auto) + 0 * * * * {{ bank_user }} (cd /home/{{ bank_user }}/data.git && git pull -r && git push && git gc --auto) From 8b2ab2f2eb46645bdfd676a2aad7afc4b1d0933e Mon Sep 17 00:00:00 2001 
From: polyfloyd Date: Sun, 23 Mar 2025 17:45:27 +0100 Subject: [PATCH 55/62] bank: Remove inflatinator Replaced by a Forgejo Action --- roles/bank/tasks/inflatinator.service | 9 -------- roles/bank/tasks/inflatinator.yaml | 33 --------------------------- roles/bank/tasks/main.yaml | 4 ---- 3 files changed, 46 deletions(-) delete mode 100644 roles/bank/tasks/inflatinator.service delete mode 100644 roles/bank/tasks/inflatinator.yaml diff --git a/roles/bank/tasks/inflatinator.service b/roles/bank/tasks/inflatinator.service deleted file mode 100644 index c4a2397..0000000 --- a/roles/bank/tasks/inflatinator.service +++ /dev/null @@ -1,9 +0,0 @@ -[Unit] -Description=Update product prices in Revbank - -[Service] -Type=oneshot -ExecStart=/opt/revbank-inflatinator/.venv/bin/python /opt/revbank-inflatinator/inflatinator/ /home/bank/revbank.products -EnvironmentFile=/etc/revbank-inflatinator/env.conf -User=bank -Group=bank diff --git a/roles/bank/tasks/inflatinator.yaml b/roles/bank/tasks/inflatinator.yaml deleted file mode 100644 index 9ae9427..0000000 --- a/roles/bank/tasks/inflatinator.yaml +++ /dev/null @@ -1,33 +0,0 @@ ---- -- name: Install dependencies - ansible.builtin.apt: - name: virtualenv - state: present - -- name: Clone revbank-inflatinator source - ansible.builtin.git: - repo: https://git.bitlair.nl/bitlair/revbank-inflatinator.git - version: main - dest: /opt/revbank-inflatinator - accept_hostkey: yes - -- name: Create virtualenv - ansible.builtin.command: - cmd: virtualenv /opt/revbank-inflatinator/.venv - args: - creates: /opt/revbank-inflatinator/.venv - -- name: Install Python dependencies - ansible.builtin.shell: - cmd: . .venv/bin/activate && pip install -r requirements.txt - args: - chdir: /opt/revbank-inflatinator - -- name: Install service - ansible.builtin.template: - src: inflatinator.service - dest: /etc/systemd/system/revbank-inflatinator.service - owner: root - group: root - mode: 0644 - notify: Daemon reload 
diff --git a/roles/bank/tasks/main.yaml b/roles/bank/tasks/main.yaml index 7ad90f6..022642e 100644 --- a/roles/bank/tasks/main.yaml +++ b/roles/bank/tasks/main.yaml @@ -6,7 +6,3 @@ - tags: [ bank, bank_revbank ] ansible.builtin.import_tasks: file: revbank.yaml - -- tags: [ bank, bank_inflatinator ] - ansible.builtin.import_tasks: - file: inflatinator.yaml From b680bf6902e2ada4d583c18fa2cf67a2ac690953 Mon Sep 17 00:00:00 2001 From: BlackDragon Date: Wed, 26 Mar 2025 18:27:16 +0100 Subject: [PATCH 56/62] irc-say vanuit home assistant toe laten staan --- group_vars/services.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/group_vars/services.yaml b/group_vars/services.yaml index 03142a0..7ab4b9c 100644 --- a/group_vars/services.yaml +++ b/group_vars/services.yaml @@ -6,6 +6,7 @@ group_nft_input: [] nft_group_rules: - { from: [ '204.2.64.29' ], port: "3306", comment: "Mysql vanaf eventinfra, verzoek AK" } - { from: [ '100.64.0.14' ], port: "4000", proto: "udp", comment: "siahsd"} + - { from: [ '204.2.64.86' ], port: "31337", proto: "tcp", comment: "irc-say vanaf home assistant" } power_mqtt_targets: - net: space From 75795f02380a413adce6776310b99e54385f8d42 Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Sat, 12 Apr 2025 19:18:38 +0200 Subject: [PATCH 57/62] nginx: Re-introduce bootstrap_certs --- group_vars/all.yaml | 1 - group_vars/homeassistant.yaml | 1 - group_vars/wiki.yaml | 1 - roles/nginx/tasks/main.yaml | 7 +++++++ roles/nginx/templates/site.conf.j2 | 4 ++++ 5 files changed, 11 insertions(+), 3 deletions(-) diff --git a/group_vars/all.yaml b/group_vars/all.yaml index f439200..3deb227 100644 --- a/group_vars/all.yaml +++ b/group_vars/all.yaml @@ -3,7 +3,6 @@ ansible_user: root ansible_python_interpreter: auto_silent notify_email: bestuur@bitlair.nl -acme_bootstrap_certs: no trusted_ranges: - { v: ipv4, cidr: "127.0.0.1/8", comment: "localhost" } - { v: ipv4, cidr: "10.0.0.0/8", comment: "rfc1918" } 
diff --git a/group_vars/homeassistant.yaml b/group_vars/homeassistant.yaml index 4c826c5..53b604a 100644 --- a/group_vars/homeassistant.yaml +++ b/group_vars/homeassistant.yaml @@ -1,4 +1,3 @@ -acme_bootstrap_certs: yes acme_san_domains: - [ homeassistant.bitlair.nl ] diff --git a/group_vars/wiki.yaml b/group_vars/wiki.yaml index 7bc009b..19dda0b 100644 --- a/group_vars/wiki.yaml +++ b/group_vars/wiki.yaml @@ -1,4 +1,3 @@ -acme_bootstrap_certs: yes acme_san_domains: - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ] - [ bitair.nl ] diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml index 78f6f9b..6afb741 100644 --- a/roles/nginx/tasks/main.yaml +++ b/roles/nginx/tasks/main.yaml @@ -7,6 +7,13 @@ when: - nginx_sites is defined +- name: Install bootstrap cert + ansible.builtin.apt: + name: "ssl-cert" + state: present + when: + - nginx_bootstrap_certs is defined and nginx_bootstrap_certs + - name: Create sites-available / sites-enabled directories ansible.builtin.file: state: directory diff --git a/roles/nginx/templates/site.conf.j2 b/roles/nginx/templates/site.conf.j2 index 181e604..1fb5a1d 100644 --- a/roles/nginx/templates/site.conf.j2 +++ b/roles/nginx/templates/site.conf.j2 @@ -11,8 +11,12 @@ server { server_name {{ site.server_name | default(inventory_hostname) }}{% if site.server_alias is defined %} {{ site.server_alias }}{% endif %}; include /etc/nginx/tls_params; + {% if nginx_bootstrap_certs | default(false) %} + include "snippets/snakeoil.conf"; + {% else %} ssl_certificate /var/lib/dehydrated/certs/{{ site.server_name }}/fullchain.pem; ssl_certificate_key /var/lib/dehydrated/certs/{{ site.server_name }}/privkey.pem; + {% endif %} index {{ nginx_index | default('index.php index.html index.htm') }}; client_max_body_size {{ nginx_client_max_body_size }}; From f5a61a557de8839119f0bd382b602107087ea14e Mon Sep 17 00:00:00 2001 
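Review bot: Nothing in this patch sets `nginx_bootstrap_certs`: the group_vars hunks remove `acme_bootstrap_certs` from all.yaml, homeassistant.yaml and wiki.yaml without adding the renamed variable, so the ssl-cert install task and the `include "snippets/snakeoil.conf";` branch are only reachable through an extra-var. Add `nginx_bootstrap_certs: false` to group_vars/all.yaml and `true` in the groups that need a first-boot certificate, and use one guard form in both places (`nginx_bootstrap_certs | default(false)` in the task's when as well as in the template). The snakeoil branch serves a self-signed certificate for every site on the host until it is switched back, so it should not stay enabled once dehydrated has produced real certificates.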
From: polyfloyd Date: Sat, 12 Apr 2025 22:52:51 +0200 Subject: [PATCH 58/62] bank: Set up revbank-deposit --- bank.yaml | 6 +-- group_vars/bank.yaml | 15 +++++++ roles/bank/handlers/main.yaml | 6 +++ roles/bank/tasks/main.yaml | 4 ++ roles/bank/tasks/revbank-deposit.yaml | 47 ++++++++++++++++++++ roles/bank/templates/revbank-deposit.conf | 4 ++ roles/bank/templates/revbank-deposit.service | 18 ++++++++ 7 files changed, 97 insertions(+), 3 deletions(-) create mode 100644 roles/bank/tasks/revbank-deposit.yaml create mode 100644 roles/bank/templates/revbank-deposit.conf create mode 100644 roles/bank/templates/revbank-deposit.service diff --git a/bank.yaml b/bank.yaml index 837d27b..c820bc3 100644 --- a/bank.yaml +++ b/bank.yaml @@ -1,8 +1,8 @@ --- - - hosts: bank - vars: - bank_revbank_git: https://github.com/bitlair/revbank.git roles: - { role: "common", tags: [ "common" ] } + - { role: "nft", tags: [ "nft" ] } + - { role: "nginx", tags: [ "nginx" ] } + - { role: "acme", tags: [ "acme" ] } - { role: "bank", tags: [ "bank" ] } diff --git a/group_vars/bank.yaml b/group_vars/bank.yaml index cd21505..1684cfa 100644 --- a/group_vars/bank.yaml +++ b/group_vars/bank.yaml @@ -1,2 +1,17 @@ --- +deposit_hostname: deposit.bitlair.nl +acme_domains: + - "{{ deposit_hostname }}" + +nginx_sites: + - server_name: "{{ deposit_hostname }}" + config: + - |- + location / { + proxy_pass http://localhost:8000/; + include proxy_params; + } + +group_nft_input: + - "tcp dport { http, https } accept # Allow web-traffic from world" diff --git a/roles/bank/handlers/main.yaml b/roles/bank/handlers/main.yaml index e7a11ce..a06cd29 100644 --- a/roles/bank/handlers/main.yaml +++ b/roles/bank/handlers/main.yaml @@ -1,3 +1,9 @@ --- - ansible.builtin.import_tasks: file: ../../common/handlers/main.yaml + +- name: Restart revbank-deposit + ansible.builtin.systemd: + name: revbank-deposit + state: restarted + daemon_reload: true 
diff --git a/roles/bank/tasks/main.yaml b/roles/bank/tasks/main.yaml index 022642e..fd9f58f 100644 --- a/roles/bank/tasks/main.yaml +++ b/roles/bank/tasks/main.yaml @@ -6,3 +6,7 @@ - tags: [ bank, bank_revbank ] ansible.builtin.import_tasks: file: revbank.yaml + +- tags: [ bank, bank_revbank_deposit ] + ansible.builtin.import_tasks: + file: revbank-deposit.yaml diff --git a/roles/bank/tasks/revbank-deposit.yaml b/roles/bank/tasks/revbank-deposit.yaml new file mode 100644 index 0000000..1190a53 --- /dev/null +++ b/roles/bank/tasks/revbank-deposit.yaml @@ -0,0 +1,47 @@ +--- +- name: Clone source + ansible.builtin.git: + repo: https://git.bitlair.nl/bitlair/revbank-deposit.git + version: main + dest: /usr/local/lib/revbank-deposit + accept_hostkey: yes + notify: Restart revbank-deposit + +- name: Install apt dependencies + ansible.builtin.apt: + name: + - python3-pip + - python3-virtualenv + +- name: Install pip dependencies + ansible.builtin.pip: + chdir: /usr/local/lib/revbank-deposit + virtualenv: .venv + requirements: requirements.txt + +- name: Configure revbank-deposit + ansible.builtin.template: + src: revbank-deposit.conf + dest: /etc/revbank-deposit.conf + owner: root + group: root + mode: 0600 + notify: Restart revbank-deposit + +- name: Install revbank-deposit service + ansible.builtin.template: + src: revbank-deposit.service + dest: /etc/systemd/system/revbank-deposit.service + owner: root + group: root + mode: 0644 + notify: Restart revbank-deposit + +- name: Start revbank-deposit + ansible.builtin.systemd: + daemon_reload: true + name: revbank-deposit + state: started + enabled: true + +- meta: flush_handlers diff --git a/roles/bank/templates/revbank-deposit.conf b/roles/bank/templates/revbank-deposit.conf new file mode 100644 index 0000000..7e02359 --- /dev/null +++ b/roles/bank/templates/revbank-deposit.conf 
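Review bot: The `Configure revbank-deposit` task renders a file that the next hunk shows holds `MOLLIE_API_KEY` from a passwordstore lookup, but the task has no `no_log: true`, so a `--diff` or `-v` run prints the key to the terminal and to any log capture; add `no_log: true` (and `diff: false`) to that task. `mode: 0600` and `mode: 0644` are unquoted implicit-octal literals, which Ansible accepts but the `octal-values` yamllint rule added later in this series rejects; write `mode: "0600"`. The clone tracks `version: main` and the pip task installs whatever requirements.txt that branch carries on every run, so pinning a tag or commit would make deploys reproducible and reviewable.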
@@ -0,0 +1,4 @@ +# {{ ansible_managed }} + +PUBLIC_URL=https://{{ deposit_hostname }} +MOLLIE_API_KEY={{ lookup('passwordstore', 'mollie subkey=apikey') }} diff --git a/roles/bank/templates/revbank-deposit.service b/roles/bank/templates/revbank-deposit.service new file mode 100644 index 0000000..83a93f5 --- /dev/null +++ b/roles/bank/templates/revbank-deposit.service @@ -0,0 +1,18 @@ +# {{ ansible_managed }} + +[Unit] +Description=Revbank Deposit +After=network.target + +[Service] +Type=simple +Restart=on-failure +RestartSec=10s +ExecStart=/usr/local/lib/revbank-deposit/.venv/bin/fastapi run main.py --host 127.0.0.1 +WorkingDirectory=/usr/local/lib/revbank-deposit +EnvironmentFile=/etc/revbank-deposit.conf +DynamicUser=true + +[Install] +WantedBy=multi-user.target + From 9181a83cdba2000983333d20b70cadeca77b891a Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Mon, 14 Apr 2025 22:47:13 +0200 Subject: [PATCH 59/62] bank: Copy revbank.products because I can not be bothered to fix this properly now --- roles/bank/templates/git.cron | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/bank/templates/git.cron b/roles/bank/templates/git.cron index fa09df8..b703657 100644 --- a/roles/bank/templates/git.cron +++ b/roles/bank/templates/git.cron @@ -1,4 +1,4 @@ SHELL=/bin/bash #m h dom mon dow user command - 0 * * * * {{ bank_user }} (cd /home/{{ bank_user }}/data.git && git pull -r && git push && git gc --auto) + 0 * * * * {{ bank_user }} (cd /home/{{ bank_user }}/data.git && git pull -r && git push && git gc --auto && cp revbank.products ../revbank.products) From 607a401cef6a0c48d9d981bb82b7aedc5f770d1e Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Wed, 16 Apr 2025 21:34:24 +0200 Subject: [PATCH 60/62] Add chat --- inventory | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/inventory b/inventory index 8d835ac..c380b07 100644 --- a/inventory +++ b/inventory 
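Review bot: `cp revbank.products ../revbank.products` is chained with `&&` after the pull/push/gc, so the copy is skipped whenever `git pull -r` fails, and a rebase conflict likely leaves data.git mid-rebase so that every later hourly run fails the same way and the products file goes silently stale. Decide whether the copy should depend on a successful push; if not, separate it, `(cd /home/{{ bank_user }}/data.git && git pull -r && git push && git gc --auto); cp /home/{{ bank_user }}/data.git/revbank.products /home/{{ bank_user }}/revbank.products`. Either way a failed rebase needs handling (`git rebase --abort` on failure) or the job will not recover on its own.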
@@ -46,6 +46,9 @@ shell.bitlair.nl [homeassistant] homeassistant.bitlair.nl +[chat] +chat.bitlair.nl + [debian:children] bank fotos @@ -60,3 +63,4 @@ services wiki shell homeassistant +chat From 6cff97e2bb594a700fca200349464c3978696990 Mon Sep 17 00:00:00 2001 From: polyfloyd Date: Sat, 19 Apr 2025 15:39:02 +0200 Subject: [PATCH 61/62] Add CI for ansible-lint --- .config/ansible-lint.yml | 8 ++++++++ .forgejo/workflows/test.yaml | 19 +++++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 .config/ansible-lint.yml create mode 100644 .forgejo/workflows/test.yaml diff --git a/.config/ansible-lint.yml b/.config/ansible-lint.yml new file mode 100644 index 0000000..658acbd --- /dev/null +++ b/.config/ansible-lint.yml @@ -0,0 +1,8 @@ +--- +skip_list: + - fqcn[action-core] + - name[casing] + - name[missing] + +exclude_paths: + - .forgejo diff --git a/.forgejo/workflows/test.yaml b/.forgejo/workflows/test.yaml new file mode 100644 index 0000000..52f8c18 --- /dev/null +++ b/.forgejo/workflows/test.yaml @@ -0,0 +1,19 @@ +name: Test + +on: + push: + branches: + - main + +jobs: + + build: + runs-on: docker + container: + image: alpine:latest + + steps: + - run: apk add nodejs ansible ansible-lint + - uses: actions/checkout@v4 + + - run: ansible-lint From d0cd352b4ab03e697d92d350a00bfcc1749a1e6f Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Sat, 19 Apr 2025 16:24:47 +0200 Subject: [PATCH 62/62] Linting --- .ansible-lint | 14 ++++++++++++++ .gitignore | 3 +++ .yamllint.yaml | 5 +++++ bitlair.yaml | 39 ++++++++++++++++++++++++++------------- lint.sh | 1 + 5 files changed, 49 insertions(+), 13 deletions(-) create mode 100644 .ansible-lint create mode 100644 .gitignore diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 0000000..c6123e8 --- /dev/null +++ b/.ansible-lint 
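Review bot: `uses: actions/checkout@v4` and `image: alpine:latest` are mutable references, so what the lint job runs can change without a commit in this repository; pin the action to a full commit SHA (`actions/checkout@<commit-sha>  # v4`, placeholder) and the image to a version tag so CI is reproducible and a moved upstream tag cannot alter the job. `apk add nodejs ansible ansible-lint` likewise installs whatever the mirror currently serves, which is tolerable for a lint job but worth knowing. The `on:` key is read as boolean true by YAML 1.1 loaders; Forgejo handles it, but the yamllint run added in the next patch will flag it under its `truthy` rule unless `.yamllint.yaml` relaxes that rule, which this diff does not show.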
@@ -0,0 +1,14 @@ +#warn_list: # or 'skip_list' to silence them completely +skip_list: + - experimental + - var-naming[no-role-prefix] + - name +warn_list: + - '204' # Lines should be no longer than 160 chars + - no-handler + - ignore-errors + - fqcn-builtins + - fqcn + - partial-become[task] + - template-instead-of-copy +offline: true diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..781c027 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +.password-store +.gitignore +.envrc diff --git a/.yamllint.yaml b/.yamllint.yaml index d932357..2d3284c 100644 --- a/.yamllint.yaml +++ b/.yamllint.yaml @@ -15,3 +15,8 @@ rules: max-spaces-after: -1 commas: max-spaces-after: -1 + comments: + min-spaces-from-content: 1 + octal-values: + forbid-implicit-octal: true + forbid-explicit-octal: true diff --git a/bitlair.yaml b/bitlair.yaml index 48db717..d09757f 100644 --- a/bitlair.yaml +++ b/bitlair.yaml 
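Review bot: This adds a second ansible-lint configuration beside `.config/ansible-lint.yml` from the previous patch, and the two disagree (`skip_list: - name` here versus `name[casing]`/`name[missing]` there, `offline: true` and the `warn_list` only here, `exclude_paths: - .forgejo` only there); ansible-lint reads a single config file, so one set of settings silently applies and the other is ignored. Merge them into one file and delete the other. The commented-out first line (`#warn_list: # or 'skip_list' to silence them completely`) reads as template residue and can go.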
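Review bot: `.gitignore` lists itself, which has no effect because the file is tracked by this very commit; drop that line. Ignoring `.password-store` and `.envrc` is right since both can hold credentials, but it is worth checking with `git ls-files` that neither was committed before this ignore existed.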
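Review bot: `forbid-implicit-octal: true` and `forbid-explicit-octal: true` together reject every numeric file mode, yet the task files in this series write `mode: 0644` and `mode: 0600` (roles/bank/tasks/revbank-deposit.yaml and roles/monitoring/tasks/mqtt_exporter.yaml among them), so the `yamllint -c .yamllint.yaml .` invocation that lint.sh now runs will fail until those are quoted as `mode: "0644"`. Quoting is the right fix, as it is the one form that means the same on YAML 1.1 and 1.2 loaders. `min-spaces-from-content: 1` relaxes inline-comment spacing; that is a style choice, but two spaces is what yamllint and most formatters default to.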
@@ -1,66 +1,79 @@ --- -- hosts: all +- name: common + hosts: all gather_facts: true roles: - { role: "common", tags: ["common"] } - { role: "nft", tags: ["nft"] } -- hosts: bank +- name: bank + hosts: bank roles: - { role: "bank", tags: ["bank"] } -- hosts: homeassistant +- name: homeassistant + hosts: homeassistant roles: - { role: "acme", tags: ["acme"] } - { role: "nginx", tags: ["nginx"] } -- hosts: raspi +- name: raspi + hosts: raspi roles: - { role: "raspi", tags: ["raspi"] } - { role: "bank-terminal", tags: ["bank-terminal"] } -- hosts: fotos +- name: fotos + hosts: fotos roles: - { role: "photos", tags: ["photos"] } -- hosts: git-ci +- name: CI + hosts: git-ci roles: - { role: "git-ci", tags: ["git-ci"] } -- hosts: git +- name: git + hosts: git roles: - { role: "acme", tags: ["acme"] } - { role: "nginx", tags: ["nginx"] } - { role: "git-server", tags: ["git-server"] } -- hosts: monitoring +- name: monitoring + hosts: monitoring roles: - { role: "acme", tags: ["acme"] } - { role: "nginx", tags: ["nginx"] } - { role: "monitoring", tags: ["monitoring"] } -- hosts: mqtt +- name: mqtt + hosts: mqtt roles: - { role: "mqtt", tags: ["mqtt"] } -- hosts: music +- name: music + hosts: music roles: - { role: "acme", tags: ["acme"] } - { role: "go", tags: ["go"] } - { role: "music", tags: ["music"] } -- hosts: pad +- name: pad + hosts: pad roles: - { role: "acme", tags: ["acme"] } - { role: "nginx", tags: ["nginx"] } - { role: "etherpad", tags: ["etherpad"] } -- hosts: services +- name: services + hosts: services roles: - { role: "services", tags: ["services"] } -- hosts: wiki +- name: wiki + hosts: wiki roles: - { role: "acme", tags: ["acme"] } - { role: "nginx", tags: ["nginx"] } diff --git a/lint.sh b/lint.sh index bc0183d..296c955 100755 --- a/lint.sh +++ b/lint.sh @@ -1,5 +1,6 @@ #!/bin/bash j2lint `find ./ -type f -name '*.j2'` +yamllint -c .yamllint.yaml . ansible-lint bitlair.yaml