diff --git a/bitlair.yaml b/bitlair.yaml index 9a7b765..a2923fc 100644 --- a/bitlair.yaml +++ b/bitlair.yaml 
@@ -1,62 +1,63 @@ + --- - hosts: all gather_facts: true roles: - - { role: "common", tags: ["common"] } - - { role: "nft", tags: ["nft"] } + - { role: "common", tags: [ "common" ] } + - { role: "nft", tags: [ "nft" ] } - hosts: bank roles: - - { role: "bank", tags: ["bank"] } + - { role: "bank", tags: [ "bank" ] } - hosts: raspi roles: - - { role: "raspi", tags: ["raspi"] } - - { role: "bank-terminal", tags: ["bank-terminal"] } + - { role: "raspi", tags: [ "raspi" ] } + - { role: "bank-terminal", tags: [ "bank-terminal" ] } - hosts: fotos roles: - - { role: "photos", tags: ["photos"] } + - { role: "photos", tags: [ "photos" ] } - hosts: git-ci roles: - - { role: "git-ci", tags: ["git-ci"] } + - { role: "git-ci", tags: [ "git-ci" ] } - hosts: git roles: - - { role: "acme", tags: ["acme"] } - - { role: "nginx", tags: ["nginx"] } - - { role: "git-server", tags: ["git-server"] } + - { role: "acme", tags: [ "acme" ] } + - { role: "nginx", tags: [ "nginx" ] } + - { role: "git-server", tags: [ "git-server" ] } - hosts: monitoring roles: - - { role: "acme", tags: ["acme"] } - - { role: "nginx", tags: ["nginx"] } - - { role: "monitoring", tags: ["monitoring"] } + - { role: "acme", tags: [ "acme" ] } + - { role: "nginx", tags: [ "nginx" ] } + - { role: "monitoring", tags: [ "monitoring" ] } - hosts: mqtt roles: - - { role: "mqtt", tags: ["mqtt"] } + - { role: "mqtt", tags: [ "mqtt" ] } - hosts: music roles: - - { role: "acme", tags: ["acme"] } - - { role: "go", tags: ["go"] } - - { role: "music", tags: ["music"] } + - { role: "acme", tags: [ "acme" ] } + - { role: "go", tags: [ "go" ] } + - { role: "music", tags: [ "music" ] } - hosts: pad roles: - - { role: "acme", tags: ["acme"] } - - { role: "nginx", tags: ["nginx"] } - - { role: "etherpad", tags: ["etherpad"] } + - { role: "acme", tags: [ "acme" ] } + - { role: "nginx", tags: [ "nginx" ] } + - { role: "etherpad", tags: [ "etherpad" ] } - hosts: services roles: - - { role: "services", tags: ["services"] } + - { role: 
"services", tags: [ "services" ] } - hosts: wiki roles: - - { role: "acme", tags: ["acme"] } - - { role: "nginx", tags: ["nginx"] } - - { role: "www", tags: ["www"] } + - { role: "acme", tags: [ "acme" ] } + - { role: "nginx", tags: [ "nginx" ] } + - { role: "www", tags: [ "www" ] } diff --git a/group_vars/monitoring.yaml b/group_vars/monitoring.yaml index 260e159..248d854 100644 --- a/group_vars/monitoring.yaml +++ b/group_vars/monitoring.yaml @@ -1,7 +1,7 @@ monitoring_domain: dashboard.bitlair.nl monitoring_bootstrap_cert: no acme_san_domains: - - ["{{ monitoring_domain }}"] + - ["{{ monitoring_domain }}", monitoring.bitlair.nl] group_nft_input: - "# Allow web-traffic from world" @@ -21,7 +21,6 @@ prometheus_scrape_configs: - "lights.bitlair.nl:9100" - "music.bitlair.nl:9100" - "service.bitlair.nl:9100" - - "user.bitlair.nl:9100" - job_name: "mqtt" static_configs: - targets: [ "localhost:9883" ] @@ -35,7 +34,6 @@ prometheus_scrape_configs: - https://bitlair.nl - https://git.bitlair.nl - https://pad.bitlair.nl - - https://user.bitlair.nl # Legacy - https://wiki.bitlair.nl - https://portal.bitlair.nl diff --git a/roles/acme/tasks/main.yaml b/roles/acme/tasks/main.yaml index 01bf029..0be3133 100644 --- a/roles/acme/tasks/main.yaml +++ b/roles/acme/tasks/main.yaml @@ -40,7 +40,7 @@ - name: Symlink SAN domains ansible.builtin.include_tasks: file: san_domains_loop.yaml - loop: "{{ acme_san_domains | default([]) }}" + loop: "{{ acme_san_domains|default([]) }}" loop_control: loop_var: domains diff --git a/roles/common/handlers/main.yaml b/roles/common/handlers/main.yaml index 3f6d5b8..15ce290 100644 --- a/roles/common/handlers/main.yaml +++ b/roles/common/handlers/main.yaml 
@@ -1,27 +1,30 @@ --- -- name: Update grub +- name: update grub ansible.builtin.command: cmd: update-grub -- name: Apt update +- name: reboot + ansible.builtin.reboot: + +- name: apt update ansible.builtin.apt: update_cache: true -- name: Daemon reload +- name: daemon reload ansible.builtin.systemd: daemon_reload: true -- name: Reload sshd +- name: reload sshd ansible.builtin.systemd: name: ssh state: reloaded -- name: Reload nginx +- name: reload nginx ansible.builtin.systemd: name: nginx state: reloaded -- name: Persist iptables +- name: persist iptables ansible.builtin.shell: "{{ item.c }}-save > /etc/iptables/rules.{{ item.ip }}" with_items: - { c: iptables, ip: v4 } diff --git a/roles/common/tasks/debian-upgrade.yaml b/roles/common/tasks/debian-upgrade.yaml index f986713..3ff5041 100644 --- a/roles/common/tasks/debian-upgrade.yaml +++ b/roles/common/tasks/debian-upgrade.yaml @@ -21,6 +21,9 @@ ansible.builtin.apt: upgrade: full +- name: Reboot + ansible.builtin.reboot: + - name: autoremove ansible.builtin.apt: autoremove: yes diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml index 865de63..a02e163 100644 --- a/roles/common/tasks/main.yaml +++ b/roles/common/tasks/main.yaml @@ -76,7 +76,6 @@ - vim - unattended-upgrades - apt-listchanges - - sudo-ldap - name: Configure FZF for Bash ansible.builtin.lineinfile: @@ -97,7 +96,7 @@ path: /etc/default/grub regexp: '^GRUB_TIMEOUT=' line: "GRUB_TIMEOUT=1 # Managed by Ansible" - notify: Update grub + notify: update grub - name: Configure cron email ansible.builtin.lineinfile: 
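Review bot: The new `reboot` handler runs `ansible.builtin.reboot:` with no options and no guard, so any notifying task that reports changed reboots the host as soon as handlers flush; in network.yaml that flush is explicit (`- ansible.builtin.meta: flush_handlers` follows the interface template), and vm.yaml and raspi/tasks/main.yaml now notify it too, so a first run or any later edit of those files reboots mid-play. Consider gating it, e.g. `when: auto_reboot | default(false)` on the handler (constructed name), or at least set `reboot_timeout` and put a comment above it such as `# Notified by network/grub/raspi tasks; reboots the host at the next handler flush`. The sysctl task in network.yaml also notifies it, although if that task is `ansible.builtin.sysctl` the value is applied live; if the reboot there exists only for the bridge setup, a comment saying so would help the next reader.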
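Review bot: The added `Reboot` task is unconditional, so every run of debian-upgrade.yaml reboots the host even when the preceding `upgrade: full` changed nothing. Register the apt result and gate the reboot on it: `register: debian_upgrade` on the apt task (whose header starts above this hunk) and `when: debian_upgrade is changed` on the new reboot task. A `reboot_timeout` is also worth setting here, since a host coming back from a full upgrade can exceed the default wait.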
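Review bot: Dropping `sudo-ldap` from the install list does not remove it from hosts that already have it, and the visible part of the list does not ensure plain `sudo` either, so provisioned hosts keep the LDAP-backed sudoers lookup while fresh hosts may end up without sudo at all (the package list starts above this hunk, so `sudo` may already be there). If the intent is to retire LDAP sudoers, add `sudo` to this list and a separate `ansible.builtin.apt` task with `name: sudo-ldap` and `state: absent`, and confirm that `/etc/sudoers` or `sudoers.d` grants what LDAP used to.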
@@ -119,5 +118,63 @@ - regexp: '^#?DebianBanner' line: 'DebianBanner no' when: manage_sshd_config | default(true) - notify: Reload sshd + notify: reload sshd +- name: Allow SSH + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: "{{ ssh_port }}" + ctstate: NEW + jump: ACCEPT + ip_version: "{{ item }}" + with_items: + - ipv4 + - ipv6 + notify: persist iptables + when: not nft | bool + +- name: Allow ICMP + ansible.builtin.iptables: + chain: INPUT + protocol: "{{ item.proto }}" + jump: ACCEPT + ip_version: "{{ item.ip }}" + with_items: + - { ip: ipv4, proto: icmp } + - { ip: ipv6, proto: ipv6-icmp } + notify: persist iptables + when: not nft | bool + +- name: Allow related and established connections + ansible.builtin.iptables: + chain: INPUT + ctstate: ESTABLISHED,RELATED + jump: ACCEPT + ip_version: "{{ item }}" + with_items: + - ipv4 + - ipv6 + notify: persist iptables + when: not nft | bool + +- name: Allow local connections + ansible.builtin.iptables: + chain: INPUT + source: "{{ item.cidr }}" + jump: ACCEPT + ip_version: "{{ item.v }}" + with_items: "{{ trusted_ranges }}" + notify: persist iptables + when: not nft | bool + +- name: Deny inbound connections + ansible.builtin.iptables: + chain: INPUT + policy: DROP + ip_version: "{{ item }}" + with_items: + - ipv4 + - ipv6 + notify: persist iptables + when: not nft | bool diff --git a/roles/common/tasks/network.yaml b/roles/common/tasks/network.yaml index 7e2a75b..9d5e471 100644 --- a/roles/common/tasks/network.yaml +++ b/roles/common/tasks/network.yaml @@ -13,6 +13,7 @@ with_items: - { k: net.ipv4.ip_forward, v: "1" } - { k: net.ipv6.conf.all.forwarding, v: "1" } + notify: reboot when: network_br - name: Make network interfaces really predictable 
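Review bot: The new rule set ends with `policy: DROP` on INPUT but never accepts loopback traffic, so on a host with nft disabled any new connection to 127.0.0.1 or ::1 (for example the `localhost:9883` scrape target in group_vars/monitoring.yaml, or an nginx upstream on localhost) is dropped unless `trusted_ranges` happens to include 127.0.0.0/8 and ::1. Add an `in_interface: lo` accept task anywhere before `Deny inbound connections`, as below. The `when: not nft | bool` guard also means these rules are never removed once a host switches to nft; presumably the nftables ruleset replaces them at boot, but a one-line comment on the first task stating that would save the next reader from checking.
```yaml
- name: Allow loopback
  ansible.builtin.iptables:
    chain: INPUT
    in_interface: lo
    jump: ACCEPT
    ip_version: "{{ item }}"
  with_items:
    - ipv4
    - ipv6
  notify: persist iptables
  when: not nft | bool

# … unchanged: Allow SSH, Allow ICMP, Allow related and established, Allow local connections, Deny inbound connections …
```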
@@ -21,7 +22,8 @@ regexp: ^GRUB_CMDLINE_LINUX line: 'GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0" # Managed by Ansible' notify: - - Update grub + - update grub + - reboot when: network_br or network_dhcp or network_static - name: Configure network interfaces @@ -31,6 +33,7 @@ owner: root group: root mode: 0644 + notify: reboot when: network_br or network_dhcp or network_static - ansible.builtin.meta: flush_handlers diff --git a/roles/common/tasks/vm.yaml b/roles/common/tasks/vm.yaml index e1921ec..505c03f 100644 --- a/roles/common/tasks/vm.yaml +++ b/roles/common/tasks/vm.yaml @@ -12,6 +12,7 @@ regexp: ^GRUB_CMDLINE_LINUX_DEFAULT line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet console=ttyS0,115200n1 console=tty0"' notify: - - Update grub + - update grub + - reboot tags: - questagent diff --git a/roles/common/templates/authorized_keys.j2 b/roles/common/templates/authorized_keys.j2 index 9df7ff6..182dc36 100644 --- a/roles/common/templates/authorized_keys.j2 +++ b/roles/common/templates/authorized_keys.j2 @@ -2,5 +2,5 @@ {% for name in root_access %} # {{ name }} -{{ lookup('file', 'authorized_keys/' + name + '.keys') }} +{{ lookup('file', 'authorized_keys/'+name+'.keys') }} {% endfor %} diff --git a/roles/common/templates/sources.list.j2 b/roles/common/templates/sources.list.j2 index 3945e1d..9aac632 100644 --- a/roles/common/templates/sources.list.j2 +++ b/roles/common/templates/sources.list.j2 @@ -1,9 +1,9 @@ # {{ ansible_managed }} -{% if debian_source_repos | default(false) %} -{% set SRC = "" %} +{% if debian_source_repos|default(false) %} +{% set SRC = "" %} {% else %} -{% set SRC = "# " %} +{% set SRC = "# " %} {% endif %} {% set components = "main contrib non-free-firmware" %} diff --git a/roles/etherpad/handlers/main.yaml b/roles/etherpad/handlers/main.yaml index 7aea6eb..82924a6 100644 --- a/roles/etherpad/handlers/main.yaml +++ b/roles/etherpad/handlers/main.yaml 
@@ -2,7 +2,7 @@ - ansible.builtin.import_tasks: file: ../../common/handlers/main.yaml -- name: Restart etherpad +- name: restart etherpad ansible.builtin.systemd: name: etherpad state: restarted diff --git a/roles/etherpad/tasks/main.yaml b/roles/etherpad/tasks/main.yaml index 0f4beb5..2adf731 100644 --- a/roles/etherpad/tasks/main.yaml +++ b/roles/etherpad/tasks/main.yaml @@ -15,7 +15,7 @@ -o /usr/share/keyrings/nodesource.gpg args: creates: /usr/share/keyrings/nodesource.gpg - notify: Apt update + notify: apt update - name: Install nodesource source list ansible.builtin.template: @@ -24,7 +24,7 @@ owner: root group: root mode: 0644 - notify: Apt update + notify: apt update - name: Install nodejs apt preference ansible.builtin.template: @@ -33,7 +33,7 @@ owner: root group: root mode: 0644 - notify: Apt update + notify: apt update - ansible.builtin.meta: flush_handlers @@ -88,7 +88,7 @@ version: master dest: /opt/etherpad accept_hostkey: yes - notify: Restart etherpad + notify: restart etherpad - name: Install etherpad config ansible.builtin.template: @@ -97,7 +97,7 @@ owner: root group: root mode: 0644 - notify: Restart etherpad + notify: restart etherpad - name: Install etherpad service ansible.builtin.template: @@ -106,14 +106,14 @@ owner: root group: root mode: 0644 - notify: Restart etherpad + notify: restart etherpad - name: Start etherpad ansible.builtin.systemd: daemon_reload: true name: etherpad state: started - enabled: true + enabled: yes - name: Install nginx config ansible.builtin.template: 
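Review bot: `enabled: true` is changed to `enabled: yes` in the `Start etherpad` task, which is a step backwards: `yes` is a YAML 1.1 boolean that yamllint's `truthy` rule and ansible-lint's `yaml[truthy]` rule both flag, and the Ansible docs themselves write `true`/`false`. The same reversal is made in git-ci, git-server, monitoring, mqtt, the three photos task files, raspi and the services task files; keep `enabled: true` throughout. The other hunks in this file are handler-name renames and need nothing.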
@@ -122,5 +122,21 @@ owner: root group: root mode: 0644 - notify: Reload nginx + notify: reload nginx +- name: Allow HTTP and HTTPS + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: "{{ item.port }}" + ctstate: NEW + jump: ACCEPT + ip_version: "{{ item.ip }}" + action: insert + with_items: + - { ip: ipv4, port: 80 } + - { ip: ipv4, port: 443 } + - { ip: ipv6, port: 80 } + - { ip: ipv6, port: 443 } + notify: persist iptables + when: not nft | bool diff --git a/roles/etherpad/tasks/requirements.yml b/roles/etherpad/tasks/requirements.yml index 0b8dbb8..060cde3 100644 --- a/roles/etherpad/tasks/requirements.yml +++ b/roles/etherpad/tasks/requirements.yml @@ -1,5 +1,3 @@ ---- - collections: - name: community.postgresql version: 2.3.2 diff --git a/roles/git-ci/tasks/main.yaml b/roles/git-ci/tasks/main.yaml index d677a61..a01a11a 100644 --- a/roles/git-ci/tasks/main.yaml +++ b/roles/git-ci/tasks/main.yaml 
@@ -1,50 +1,50 @@ --- +- tags: forgejo_runner + block: + - name: Install dependencies + ansible.builtin.apt: + name: docker.io -- name: Install dependencies - ansible.builtin.apt: - name: docker.io + - name: Download forgejo-runner + ansible.builtin.get_url: + url: "https://code.forgejo.org/forgejo/runner/releases/download/v{{ runner_version }}/forgejo-runner-{{ runner_version }}-linux-amd64" + dest: /usr/local/bin/forgejo-runner + mode: 0755 + notify: restart forgejo-runner -- name: Download forgejo-runner - ansible.builtin.get_url: - url: "https://code.forgejo.org/forgejo/runner/releases/download/v{{ runner_version }}/forgejo-runner-{{ runner_version }}-linux-amd64" - dest: /usr/local/bin/forgejo-runner - mode: 0755 - notify: restart forgejo-runner + - name: Create runner dir + ansible.builtin.file: + state: directory + path: "{{ runner_wd }}" + owner: root + group: root + mode: 0755 -- name: Create runner dir - ansible.builtin.file: - state: directory - path: "{{ runner_wd }}" - owner: root - group: root - mode: 0755 + - name: Register runner + ansible.builtin.command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ lookup('passwordstore', 'git/ci subkey=runner_token') }}" + args: + chdir: "{{ runner_wd }}" + creates: "{{ runner_wd }}/.runner" -- name: Register runner - ansible.builtin.command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ lookup('passwordstore', 'git/ci subkey=runner_token') }}" - args: - chdir: "{{ runner_wd }}" - creates: "{{ runner_wd }}/.runner" + - name: Install service file + ansible.builtin.template: + src: forgejo-runner.service + dest: /etc/systemd/system/forgejo-runner.service + owner: root + group: root + mode: 0644 + notify: restart forgejo-runner -- name: Install service file - ansible.builtin.template: - src: forgejo-runner.service - dest: /etc/systemd/system/forgejo-runner.service - owner: root - group: root - mode: 0644 - notify: restart forgejo-runner + - 
name: Enable service + ansible.builtin.systemd: + name: forgejo-runner + enabled: yes + daemon_reload: true -- name: Enable service - ansible.builtin.systemd: - name: forgejo-runner - enabled: true - daemon_reload: true + - name: Start service + ansible.builtin.systemd: + name: forgejo-runner + state: started + daemon_reload: true -- name: Start service - ansible.builtin.systemd: - name: forgejo-runner - state: started - daemon_reload: true - -- name: Flush handlers - ansible.builtin.meta: flush_handlers + - ansible.builtin.meta: flush_handlers diff --git a/roles/git-server/tasks/main.yaml b/roles/git-server/tasks/main.yaml index 5104ef5..112033e 100644 --- a/roles/git-server/tasks/main.yaml +++ b/roles/git-server/tasks/main.yaml @@ -14,14 +14,14 @@ owner: root group: root mode: 0644 - notify: Reload nginx + notify: reload nginx - name: Enable nginx site ansible.builtin.file: src: /etc/nginx/sites-available/forgejo dest: /etc/nginx/sites-enabled/forgejo state: link - notify: Reload nginx + notify: reload nginx - name: Create user ansible.builtin.user: @@ -38,6 +38,7 @@ group: "{{ git_server_user }}" mode: 0755 + # TODO: Install initial config - name: Install service file @@ -47,7 +48,7 @@ owner: root group: root mode: 0644 - notify: Reload forgejo + notify: reload forgejo - name: Install update script ansible.builtin.template: @@ -61,12 +62,12 @@ ansible.builtin.command: "{{ git_server_working_dir }}/update.sh" args: creates: "{{ git_server_working_dir }}/forgejo" - notify: Reload forgejo + notify: reload forgejo - name: Enable service ansible.builtin.systemd: name: forgejo - enabled: true + enabled: yes daemon_reload: true - name: Start service 
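Review bot: The `Register runner` task passes the runner token on the command line via `lookup('passwordstore', ...)`, and because the task has no `no_log: true` the full command, token included, is printed in verbose output and in the failure message if registration fails. Add `no_log: true` to that task; the `creates:` guard means it normally runs once, so the first-run output is exactly where the token would be captured. Moving the tasks under `block:` changes indentation only, so the rest of the hunk looks fine.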
@@ -80,6 +81,24 @@ src: cronjob dest: /etc/cron.d/forgejo -- name: Debug - ansible.builtin.debug: - msg: "If Forgejo has not been setup yet, please do so manually." +- name: Allow Git SSH, HTTP and HTTPS + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: "{{ item.port }}" + ctstate: NEW + jump: ACCEPT + ip_version: "{{ item.ip }}" + action: insert + with_items: + - { ip: ipv4, port: 80 } + - { ip: ipv4, port: 22 } + - { ip: ipv4, port: 443 } + - { ip: ipv6, port: 80 } + - { ip: ipv6, port: 22 } + - { ip: ipv6, port: 443 } + notify: persist iptables + when: not nft | bool + +- ansible.builtin.debug: + msg: If Forgejo has not been setup yet, please do so manually. diff --git a/roles/go/tasks/main.yaml b/roles/go/tasks/main.yaml index ab16901..b787d21 100644 --- a/roles/go/tasks/main.yaml +++ b/roles/go/tasks/main.yaml @@ -19,11 +19,11 @@ register: go_latest_version_shell - name: Format Go latest version variable - ansible.builtin.set_fact: + set_fact: go_latest_version: "{{ go_latest_version_shell.stdout }}" - name: Detect installed Go version - ansible.builtin.shell: "go version | grep --color=never -Po '\\d\\.\\d+(\\.\\d+)?' || echo none" + shell: "go version | grep --color=never -Po '\\d\\.\\d+(\\.\\d+)?' || echo none" register: go_installed_version_shell changed_when: false @@ -31,20 +31,19 @@ set_fact: go_installed_version: "{{ go_installed_version_shell.stdout }}" - - name: Debug - ansible.builtin.debug: + - debug: msg: - "Latest Go version: {{ go_latest_version}}" - "Installed Go version: {{ go_installed_version }}" - name: Remove installed go - ansible.builtin.file: + file: state: absent path: /usr/local/go when: go_installed_version != go_latest_version - name: Install Go - ansible.builtin.unarchive: + unarchive: src: https://go.dev/dl/go{{ go_latest_version }}.linux-{{ go_arch }}.tar.gz dest: /usr/local remote_src: yes 
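Review bot: These hunks drop the `ansible.builtin.` prefix from `set_fact`, `shell`, `debug`, `file`, `unarchive` and `template`, so the file now mixes FQCN and short names (context lines in the same file still use `ansible.builtin.`). ansible-lint's `fqcn` rule flags the short forms, and the FQCN is what protects against a collection shadowing a builtin module name; the same mix is introduced in roles/services/tasks/main.yaml, where `ansible.builtin.import_tasks:` and bare `import_tasks:` now sit side by side. Keep the `ansible.builtin.` prefix in both files.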
@@ -53,7 +52,7 @@ when: go_installed_version != go_latest_version - name: Configure Go environment - ansible.builtin.template: + template: src: go.profile dest: /etc/profile.d/go.sh owner: root @@ -61,7 +60,7 @@ mode: 0644 - name: Link go binary - ansible.builtin.file: + file: state: link src: /usr/local/go/bin/go dest: /usr/local/bin/go diff --git a/roles/monitoring/tasks/main.yaml b/roles/monitoring/tasks/main.yaml index 2017d5b..f43992a 100644 --- a/roles/monitoring/tasks/main.yaml +++ b/roles/monitoring/tasks/main.yaml @@ -7,20 +7,35 @@ owner: root group: root mode: 0644 - notify: Reload nginx + notify: reload nginx - name: Enable nginx site ansible.builtin.file: src: /etc/nginx/sites-available/monitoring dest: /etc/nginx/sites-enabled/monitoring state: link - notify: Reload nginx + notify: reload nginx - name: Start nginx ansible.builtin.systemd: name: nginx state: started - enabled: true + enabled: yes + +- name: Allow HTTP/HTTPS + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: "{{ item.port }}" + ctstate: NEW + jump: ACCEPT + ip_version: "{{ item.ip }}" + action: insert + with_items: + - { ip: ipv6, port: 80 } + - { ip: ipv6, port: 443 } + notify: persist iptables + when: not nft | bool - name: mqtt_exporter tags: mqtt_exporter diff --git a/roles/monitoring/templates/grafana.ini b/roles/monitoring/templates/grafana.ini index a954c62..be8c995 100644 --- a/roles/monitoring/templates/grafana.ini +++ b/roles/monitoring/templates/grafana.ini @@ -69,9 +69,6 @@ level = info [grafana_com] url = https://grafana.com -[auth] -oauth_allow_insecure_email_lookup=true - [auth.anonymous] enabled = true org_name = Bitlair diff --git a/roles/mqtt/tasks/main.yaml b/roles/mqtt/tasks/main.yaml index 498f49c..89f9064 100644 --- a/roles/mqtt/tasks/main.yaml +++ b/roles/mqtt/tasks/main.yaml @@ -29,4 +29,4 @@ ansible.builtin.systemd: name: mosquitto state: started - enabled: true + enabled: yes 
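Review bot: The monitoring `Allow HTTP/HTTPS` task lists only `ipv6` entries, whereas the equivalent tasks added in etherpad and git-server open 80 and 443 for both `ipv4` and `ipv6`; with the INPUT policy set to DROP by the common role, IPv4 clients will not reach the dashboard on a non-nft host. If that is unintended, add `- { ip: ipv4, port: 80 }` and `- { ip: ipv4, port: 443 }` to `with_items`; if the host is meant to be IPv6-only, a comment on the task saying so would stop the next reader from "fixing" it.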
diff --git a/roles/music/handlers/main.yaml b/roles/music/handlers/main.yaml index 2d77dbb..5ef0e4f 100644 --- a/roles/music/handlers/main.yaml +++ b/roles/music/handlers/main.yaml @@ -2,37 +2,37 @@ - ansible.builtin.import_tasks: file: ../../common/handlers/main.yaml -- name: Restart trollibox +- name: restart trollibox ansible.builtin.systemd: name: trollibox state: restarted daemon_reload: true -- name: Rebuild librespot +- name: rebuild librespot ansible.builtin.command: cmd: /root/.cargo/bin/cargo build --release --features jackaudio-backend args: chdir: /opt/librespot -- name: Restart librespot +- name: restart librespot ansible.builtin.systemd: name: librespot state: restarted daemon_reload: true -- name: Restart soundboard +- name: restart soundboard ansible.builtin.systemd: name: soundboard state: restarted daemon_reload: true -- name: Restart mpd-volume-to-mqtt +- name: restart mpd-volume-to-mqtt ansible.builtin.systemd: name: mpd-volume-to-mqtt state: restarted daemon_reload: true -- name: Restart skipbutton +- name: restart skipbutton ansible.builtin.systemd: name: skipbutton state: restarted diff --git a/roles/music/tasks/librespot.yaml b/roles/music/tasks/librespot.yaml index 2a8d19b..9bf3154 100644 --- a/roles/music/tasks/librespot.yaml +++ b/roles/music/tasks/librespot.yaml @@ -11,8 +11,8 @@ dest: /opt/librespot accept_hostkey: yes notify: - - Rebuild librespot - - Restart librespot + - rebuild librespot + - restart librespot - name: Install service file ansible.builtin.template: @@ -21,7 +21,7 @@ owner: root group: root mode: 0644 - notify: Restart librespot + notify: restart librespot - name: Enable Librespot ansible.builtin.systemd: diff --git a/roles/music/tasks/main.yaml b/roles/music/tasks/main.yaml index e8a751c..cad6eb9 100644 --- a/roles/music/tasks/main.yaml +++ b/roles/music/tasks/main.yaml 
@@ -1,34 +1,28 @@ --- - -- name: Import mpd +- tags: music_mpd ansible.builtin.import_tasks: file: mpd.yaml - tags: - - music_mpd -- name: Import trollibox +- tags: music_trollibox ansible.builtin.import_tasks: file: trollibox.yaml - tags: - - music_trollibox -- name: Librespot +- tags: music_librespot ansible.builtin.import_tasks: file: librespot.yaml - tags: - - music_librespot -- name: Soundboard +- tags: music_soundboard ansible.builtin.import_tasks: file: soundboard.yaml - tags: - - music_soundboard -- name: Install nginx config - ansible.builtin.template: - src: nginx-site.conf - dest: /etc/nginx/sites-enabled/trollibox - owner: root - group: root - mode: 0644 - notify: Reload nginx +- tags: music + block: + + - name: Install nginx config + ansible.builtin.template: + src: nginx-site.conf + dest: /etc/nginx/sites-enabled/trollibox + owner: root + group: root + mode: 0644 + notify: reload nginx diff --git a/roles/music/tasks/mpd.yaml b/roles/music/tasks/mpd.yaml index eb88133..d372d12 100644 --- a/roles/music/tasks/mpd.yaml +++ b/roles/music/tasks/mpd.yaml @@ -1,5 +1,4 @@ --- - - name: Install MPD ansible.builtin.apt: name: @@ -16,7 +15,7 @@ owner: root group: root mode: 0644 - notify: Restart mpd-volume-to-mqtt + notify: restart mpd-volume-to-mqtt - name: Install mpd-volume-to-mqtt service ansible.builtin.template: @@ -25,7 +24,7 @@ owner: root group: root mode: 0644 - notify: Restart mpd-volume-to-mqtt + notify: restart mpd-volume-to-mqtt - name: Enable mpd-volume-to-mqtt ansible.builtin.systemd: @@ -40,7 +39,7 @@ version: master dest: /opt/skipbutton accept_hostkey: yes - notify: Restart skipbutton + notify: restart skipbutton - name: Install skipbutton service ansible.builtin.template: @@ -49,7 +48,7 @@ owner: root group: root mode: 0644 - notify: Restart skipbutton + notify: restart skipbutton - name: Enable skipbutton ansible.builtin.systemd: diff --git a/roles/music/tasks/soundboard.yaml b/roles/music/tasks/soundboard.yaml index a0ea558..6068976 100644 
--- a/roles/music/tasks/soundboard.yaml +++ b/roles/music/tasks/soundboard.yaml @@ -10,7 +10,7 @@ version: main dest: /opt/soundboard accept_hostkey: yes - notify: Restart soundboard + notify: restart soundboard - name: Create virtualenv ansible.builtin.command: @@ -31,7 +31,7 @@ owner: root group: root mode: 0644 - notify: Restart soundboard + notify: restart soundboard - name: Install soundboard service file ansible.builtin.template: @@ -40,7 +40,7 @@ owner: root group: root mode: 0644 - notify: Restart soundboard + notify: restart soundboard - name: Enable soundboard ansible.builtin.systemd: diff --git a/roles/music/tasks/trollibox.yaml b/roles/music/tasks/trollibox.yaml index 0b20b4a..29c544a 100644 --- a/roles/music/tasks/trollibox.yaml +++ b/roles/music/tasks/trollibox.yaml @@ -5,8 +5,8 @@ dest: /etc/trollibox.yaml owner: root group: root - mode: "0644" - notify: Restart trollibox + mode: 0644 + notify: restart trollibox - name: Get latest Trollibox version from Github API ansible.builtin.get_url: @@ -25,8 +25,8 @@ remote_src: yes dest: /usr/local/bin include: [ trollibox ] - mode: "0755" - notify: Restart trollibox + mode: 0755 + notify: restart trollibox - name: Install service file ansible.builtin.template: @@ -34,8 +34,8 @@ dest: /etc/systemd/system/trollibox.service owner: root group: root - mode: "0644" - notify: Restart trollibox + mode: 0644 + notify: restart trollibox - name: Enable Trollibox ansible.builtin.systemd: diff --git a/roles/nft/templates/nftables.conf.j2 b/roles/nft/templates/nftables.conf.j2 index 583639b..ce52b65 100644 --- a/roles/nft/templates/nftables.conf.j2 +++ b/roles/nft/templates/nftables.conf.j2 
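Review bot: `mode: "0644"` and `mode: "0755"` are turned back into bare `0644`/`0755` in this file and in roles/services/tasks/discord_bot.yaml. With the leading zero Ansible's YAML loader still reads these as octal, so the result is the same today, but ansible-lint's `risky-octal` rule and the module docs recommend quoting file modes precisely because a dropped leading zero silently becomes a decimal; the quoted form was the safer convention and is worth keeping.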
@@ -73,15 +73,15 @@ set trusted6 { } accept # Open ssh only for trusted machines - ip saddr @trusted4 tcp dport { {{ trusted_ports | join(', ') }} } accept - ip6 saddr @trusted6 tcp dport { {{ trusted_ports | join(', ') }} } accept + ip saddr @trusted4 tcp dport { {{ trusted_ports|join(', ') }} } accept + ip6 saddr @trusted6 tcp dport { {{ trusted_ports|join(', ') }} } accept # Rules based on group-vars {% for custom in nft_group_rules %} {% if custom.comment is defined %} - # {{ custom.comment | default('') }} + # {{ custom.comment|default('') }} {% endif %} - {{ custom.version | default('ip') }} saddr { {{ custom.from | join(', ') }} } {{ custom.proto | default('tcp') }} dport { {{ custom.port }} } {{ custom.policy | default('accept') }} + {{ custom.version|default('ip') }} saddr { {{ custom.from | join(', ') }} } {{ custom.proto | default('tcp') }} dport { {{ custom.port }} } {{ custom.policy | default('accept') }} {% endfor %} diff --git a/roles/nginx/defaults/main.yaml b/roles/nginx/defaults/main.yaml index 55f38e5..b6fd46e 100644 --- a/roles/nginx/defaults/main.yaml +++ b/roles/nginx/defaults/main.yaml @@ -4,6 +4,7 @@ nginx_package: "nginx-light" nginx_user: "www-data" nginx_modules_dir: "/etc/nginx/modules-enabled" + nginx_tls_version: "TLSv1.2 TLSv1.3" nginx_tls_cipherlist: "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:!SHA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS" nginx_tls_curve: "prime256v1:secp384r1" @@ -13,3 +14,4 @@ nginx_ssl_stapling: "on" nginx_ssl_stapling_verify: "on" nginx_wk_acme: "/var/lib/dehydrated/acme-challenges" nginx_client_max_body_size: "32m" + diff --git a/roles/nginx/templates/site.conf.j2 b/roles/nginx/templates/site.conf.j2 index d48f46f..6a4dfb7 100644 --- a/roles/nginx/templates/site.conf.j2 +++ b/roles/nginx/templates/site.conf.j2 
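Review bot: `nginx_tls_version: "TLSv1.2 TLSv1.3"` is added to the defaults but nothing in this diff reads it; if the `tls_params` include is meant to emit `ssl_protocols {{ nginx_tls_version }};`, that template change is missing or lives outside this commit. The second hunk also adds a trailing blank line at end of file, which yamllint reports; drop the added empty line.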
@@ -4,7 +4,7 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name {{ site.server_name | default(inventory_hostname) }}{% if site.server_alias is defined %} {{ site.server_alias }}{% endif %}; + server_name {{ site.server_name|default(inventory_hostname) }}{% if site.server_alias is defined %} {{ site.server_alias }}{% endif %}; include /etc/nginx/tls_params; ssl_certificate /var/lib/dehydrated/certs/{{ site.server_name }}/fullchain.pem; @@ -28,7 +28,7 @@ server { # Include snippets {% for file in site.snippets | default([]) %} -{% include "snippets/" ~ file %} +{% include "snippets/" ~ file %} {% endfor %} # Per site configuration diff --git a/roles/photos/tasks/bambulab-fetch.yaml b/roles/photos/tasks/bambulab-fetch.yaml index b050af9..ef2d351 100644 --- a/roles/photos/tasks/bambulab-fetch.yaml +++ b/roles/photos/tasks/bambulab-fetch.yaml @@ -33,5 +33,5 @@ ansible.builtin.systemd: name: bambulab-fetch state: started - enabled: true + enabled: yes daemon_reload: true diff --git a/roles/photos/tasks/photo-gallery.yaml b/roles/photos/tasks/photo-gallery.yaml index 5a6cfff..6551040 100644 --- a/roles/photos/tasks/photo-gallery.yaml +++ b/roles/photos/tasks/photo-gallery.yaml @@ -33,5 +33,5 @@ ansible.builtin.systemd: name: photo-gallery state: started - enabled: true + enabled: yes daemon_reload: true diff --git a/roles/photos/tasks/photos2mqtt.yaml b/roles/photos/tasks/photos2mqtt.yaml index 755a4ec..9f14cff 100644 --- a/roles/photos/tasks/photos2mqtt.yaml +++ b/roles/photos/tasks/photos2mqtt.yaml @@ -31,5 +31,5 @@ ansible.builtin.systemd: name: photos2mqtt state: started - enabled: true + enabled: yes daemon_reload: true diff --git a/roles/raspi/tasks/main.yaml b/roles/raspi/tasks/main.yaml index 1420e09..a787e5c 100644 --- a/roles/raspi/tasks/main.yaml +++ b/roles/raspi/tasks/main.yaml @@ -15,7 +15,7 @@ - name: Enable sshd ansible.builtin.systemd: name: sshd - enabled: true + enabled: yes state: started - name: Rotate display 
@@ -24,6 +24,7 @@ line: "display_rotate={{ raspi_rotate_display }} # Managed by Ansible" regexp: "^#?display_rotate" when: raspi_rotate_display is defined + notify: reboot - name: Disable swap block: @@ -44,3 +45,4 @@ path: /etc/dhcpcd.conf line: "slaac hwaddr # Managed by Ansible" regexp: "^#?slaac" + notify: reboot diff --git a/roles/services/handlers/main.yaml b/roles/services/handlers/main.yaml index fb69a73..125fc4d 100644 --- a/roles/services/handlers/main.yaml +++ b/roles/services/handlers/main.yaml @@ -2,55 +2,55 @@ - ansible.builtin.import_tasks: file: ../../common/handlers/main.yaml -- name: Restart irc-bot +- name: restart irc-bot ansible.builtin.systemd: name: irc-bot state: restarted daemon_reload: true -- name: Restart irc-photos +- name: restart irc-photos ansible.builtin.systemd: name: irc-photos state: restarted daemon_reload: true -- name: Restart irc-doorduino +- name: restart irc-doorduino ansible.builtin.systemd: name: irc-doorduino state: restarted daemon_reload: true -- name: Restart discord-bot +- name: restart discord-bot ansible.builtin.systemd: name: discord-bot state: restarted daemon_reload: true -- name: Restart siahsd +- name: restart siahsd ansible.builtin.systemd: name: siahsd state: restarted daemon_reload: true -- name: Restart spacestated +- name: restart spacestated ansible.builtin.systemd: name: spacestated state: restarted daemon_reload: true -- name: Restart mastodon-spacestate +- name: restart mastodon-spacestate ansible.builtin.systemd: name: mastodon-spacestate state: restarted daemon_reload: true -- name: Restart wifi-mqtt +- name: restart wifi-mqtt ansible.builtin.systemd: name: wifi-mqtt state: restarted daemon_reload: true -- name: Restart power-mqtt +- name: restart power-mqtt ansible.builtin.systemd: name: power-mqtt state: restarted diff --git a/roles/services/tasks/discord_bot.yaml b/roles/services/tasks/discord_bot.yaml index 1889db4..16c20d6 100644 --- a/roles/services/tasks/discord_bot.yaml 
+++ b/roles/services/tasks/discord_bot.yaml @@ -1,5 +1,4 @@ --- - - name: Install dependencies ansible.builtin.apt: name: @@ -25,8 +24,7 @@ version: main dest: /var/lib/discord-bot accept_hostkey: yes - notify: Restart discord-bot - ignore_errors: true + notify: restart discord-bot - name: Install service file ansible.builtin.template: @@ -34,12 +32,12 @@ dest: /etc/systemd/system/discord-bot.service owner: root group: root - mode: "0644" - notify: Restart discord-bot + mode: 0644 + notify: restart discord-bot - name: Start discord-bot ansible.builtin.systemd: name: discord-bot state: started - enabled: true + enabled: yes daemon_reload: true diff --git a/roles/services/tasks/ircbot.yaml b/roles/services/tasks/ircbot.yaml index e635302..6d9462a 100644 --- a/roles/services/tasks/ircbot.yaml +++ b/roles/services/tasks/ircbot.yaml @@ -5,8 +5,7 @@ version: master dest: /var/lib/irc-bot accept_hostkey: yes - ignore_errors: true - notify: Restart irc-bot + notify: restart irc-bot - name: Link irc-say ansible.builtin.file: @@ -24,13 +23,13 @@ vars: description: Bitlair IRC bot exec: /bin/bash /var/lib/irc-bot/irc-bot - notify: Restart irc-bot + notify: restart irc-bot - name: Start irc-bot ansible.builtin.systemd: name: irc-bot state: started - enabled: true + enabled: yes daemon_reload: true - name: Create helpers dir @@ -45,7 +44,7 @@ owner: root group: root mode: 0755 - notify: Restart irc-photos + notify: restart irc-photos - name: Install photos notification service ansible.builtin.template: @@ -58,13 +57,13 @@ description: Bitlair IRC photos notification requires: irc-bot.service exec: /bin/bash /var/lib/irc-helpers/photos.sh - notify: Restart irc-photos + notify: restart irc-photos - name: Start irc-photos ansible.builtin.systemd: name: irc-photos state: started - enabled: true + enabled: yes daemon_reload: true - name: Install doorduino notification 
@@ -74,7 +73,7 @@ owner: root group: root mode: 0755 - notify: Restart irc-doorduino + notify: restart irc-doorduino - name: Install doorduino notification service ansible.builtin.template:
@@ -87,11 +86,11 @@ description: Bitlair IRC doorduino notification requires: irc-bot.service exec: /bin/bash /var/lib/irc-helpers/doorduino.sh - notify: Restart irc-doorduino + notify: restart irc-doorduino - name: Start irc-doorduino ansible.builtin.systemd: name: irc-doorduino state: started - enabled: true + enabled: yes daemon_reload: true
diff --git a/roles/services/tasks/main.yaml b/roles/services/tasks/main.yaml
index e082c5f..5f17300 100644
--- a/roles/services/tasks/main.yaml
+++ b/roles/services/tasks/main.yaml
@@ -1,43 +1,22 @@ --- - -- name: Import ircbot +- tags: services_ircbot ansible.builtin.import_tasks: file: ircbot.yaml - tags: - - services_ircbot -- name: Import services_discord_bot - ansible.builtin.import_tasks: - file: discord_bot.yaml - tags: - - services_discord_bot +- tags: services_discord_bot + ansible.builtin.import_tasks: discord_bot.yaml -- name: Import siahsd - ansible.builtin.import_tasks: - file: siahsd.yaml - tags: - - services_siahsd +- tags: services_siahsd + import_tasks: siahsd.yaml -- name: Import spacestated - ansible.builtin.import_tasks: - file: spacestated.yaml - tags: - - services_spacestated +- tags: services_spacestated + import_tasks: spacestated.yaml -- name: Import mastodon_spacestate.yaml - ansible.builtin.import_tasks: - file: mastodon_spacestate.yaml - tags: - - services_mastodon_spacestate +- tags: services_mastodon_spacestate + import_tasks: mastodon_spacestate.yaml -- name: import wifi_mqtt - ansible.builtin.import_tasks: - file: wifi_mqtt.yaml - tags: - - services_wifi_mqtt +- tags: services_wifi_mqtt + import_tasks: wifi_mqtt.yaml -- name: Import power_mqt - ansible.builtin.import_tasks: - file: power_mqtt.yaml - tags: - - services_power_mqtt +- tags: services_power_mqtt + import_tasks: power_mqtt.yaml
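Review bot: The rewritten `roles/services/tasks/main.yaml` now uses three different spellings for the same thing — `ansible.builtin.import_tasks:` with a `file:` key, `ansible.builtin.import_tasks: discord_bot.yaml`, and the short `import_tasks: siahsd.yaml` — and drops every task `name`, so `--list-tasks` and play output only show file paths. Short module names resolve through collection search and trip ansible-lint's fqcn and name[missing] rules; pick the one form used elsewhere in the role and name each import, e.g. `- name: Import siahsd` / `  ansible.builtin.import_tasks: siahsd.yaml` / `  tags: services_siahsd`.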
diff --git a/roles/services/tasks/mastodon_spacestate.yaml b/roles/services/tasks/mastodon_spacestate.yaml
index 53f979e..47886de 100644
--- a/roles/services/tasks/mastodon_spacestate.yaml
+++ b/roles/services/tasks/mastodon_spacestate.yaml
@@ -11,8 +11,7 @@ version: main dest: /var/lib/mastodon-spacestate accept_hostkey: yes - notify: Restart mastodon-spacestate - ignore_errors: true + notify: restart mastodon-spacestate - name: Install config ansible.builtin.template:
@@ -21,7 +20,7 @@ owner: root group: root mode: 0655 - notify: Restart mastodon-spacestate + notify: restart mastodon-spacestate - name: Install service file ansible.builtin.template:
@@ -30,11 +29,11 @@ owner: root group: root mode: 0644 - notify: Restart mastodon-spacestate + notify: restart mastodon-spacestate - name: Start mastodon-spacestate ansible.builtin.systemd: name: mastodon-spacestate state: started - enabled: true + enabled: yes daemon_reload: true
diff --git a/roles/services/tasks/power_mqtt.yaml b/roles/services/tasks/power_mqtt.yaml
index 406a274..3cc3e0f 100644
--- a/roles/services/tasks/power_mqtt.yaml
+++ b/roles/services/tasks/power_mqtt.yaml
@@ -10,7 +10,7 @@ owner: root group: root mode: 0755 - notify: Restart power-mqtt + notify: restart power-mqtt - name: Remove old service ansible.builtin.file:
@@ -27,13 +27,13 @@ vars: description: "SMD630 to MQTT Probe" exec: "/var/lib/power-mqtt.py %i" - notify: Restart power-mqtt@ + notify: restart power-mqtt@ - name: Enable power-mqtt ansible.builtin.systemd: name: "power-mqtt@{{ item.net }}/{{ item.ip }}" state: started - enabled: true + enabled: yes daemon_reload: true with_items: - net: space
diff --git a/roles/services/tasks/siahsd.yaml b/roles/services/tasks/siahsd.yaml
index c7c3b0b..ba88c8c 100644
--- a/roles/services/tasks/siahsd.yaml
+++ b/roles/services/tasks/siahsd.yaml
@@ -7,7 +7,6 @@ state: directory owner: siahsd group: nogroup - mode: "0750" with_items: - /var/log/siahsd - /var/lib/siahsd
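Review bot: The siahsd hunk drops `mode: "0750"` from the directory task and puts nothing in its place, so `/var/log/siahsd` and `/var/lib/siahsd` are created with whatever the umask gives (normally 0755) or, if they already exist, keep whatever mode they currently have; either way other local accounts can now traverse and list the daemon's state and log directories. That permission was the only thing keeping those directories private to the `siahsd` user and `nogroup`, and nothing on the new side of this diff tightens it elsewhere. Restore `mode: "0750"` under `group: nogroup`. The task's `name` and module line sit above the hunk.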
@@ -18,8 +17,8 @@ dest: /etc/siahsd.conf owner: root group: root - mode: "0644" - notify: Restart siahsd + mode: 0644 + notify: restart siahsd - name: Install service file ansible.builtin.template:
@@ -27,13 +26,24 @@ dest: /etc/systemd/system/siahsd.service owner: root group: root - mode: "0644" - notify: Restart siahsd + mode: 0644 + notify: restart siahsd - name: Start siahsd ansible.builtin.systemd: name: siahsd state: started - enabled: true + enabled: yes daemon_reload: true +- name: Allow siahsd traffic + ansible.builtin.iptables: + chain: INPUT + protocol: udp + destination_port: "4000" + jump: ACCEPT + ip_version: "{{ item }}" + action: insert + with_items: [ ipv4, ipv6 ] + notify: persist iptables + when: not nft | bool
diff --git a/roles/services/tasks/spacestated.yaml b/roles/services/tasks/spacestated.yaml
index 3cff5bb..7c00bfd 100644
--- a/roles/services/tasks/spacestated.yaml
+++ b/roles/services/tasks/spacestated.yaml
@@ -24,8 +24,7 @@ version: main dest: /var/lib/spacestated/spacestated accept_hostkey: yes - notify: Restart spacestated - ignore_errors: true + notify: restart spacestated - name: Install service file ansible.builtin.template:
@@ -34,11 +33,11 @@ owner: root group: root mode: 0644 - notify: Restart spacestated + notify: restart spacestated - name: Start spacestated ansible.builtin.systemd: name: spacestated state: started - enabled: true + enabled: yes daemon_reload: true
diff --git a/roles/services/tasks/wifi_mqtt.yaml b/roles/services/tasks/wifi_mqtt.yaml
index 8bb8353..4c76f05 100644
--- a/roles/services/tasks/wifi_mqtt.yaml
+++ b/roles/services/tasks/wifi_mqtt.yaml
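Review bot: The new `Allow siahsd traffic` task accepts UDP/4000 from any source on both IPv4 and IPv6, and `action: insert` places that ACCEPT at the head of INPUT, ahead of whatever filtering or rate limiting already sits in the chain. If siahsd only needs to hear from a known sender (an alarm panel or the local network), add a `source:` restriction per address family, or at least use `action: append` so the opening is subject to the rules before it. The rule is also gated on `when: not nft | bool`, so hosts that have moved to the nft role get no opening from this change at all; confirm that role carries the equivalent, otherwise the daemon is unreachable there.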
@@ -7,26 +7,25 @@ - make - name: Clone source - ansible.builtin.git: + git: repo: https://github.com/bitlair/wifi-mqtt.git version: main dest: /var/lib/wifi-mqtt accept_hostkey: yes - notify: Restart wifi-mqtt - ignore_errors: true + notify: restart wifi-mqtt - name: Install service file - ansible.builtin.template: + template: src: wifi-mqtt.service dest: /etc/systemd/system/wifi-mqtt.service owner: root group: root - mode: "0644" - notify: Restart wifi-mqtt + mode: 0644 + notify: restart wifi-mqtt - name: Start wifi-mqtt - ansible.builtin.systemd: + systemd: name: wifi-mqtt state: started - enabled: true + enabled: yes daemon_reload: true
diff --git a/roles/www/handlers/main.yaml b/roles/www/handlers/main.yaml
index dcafe97..d5296b9 100644
--- a/roles/www/handlers/main.yaml
+++ b/roles/www/handlers/main.yaml
@@ -1,15 +1,14 @@ --- -- name: Import handlers - ansible.builtin.import_tasks: +- ansible.builtin.import_tasks: file: ../../common/handlers/main.yaml -- name: Restart spaceapi +- name: restart spaceapi ansible.builtin.systemd: name: spaceapi state: restarted daemon_reload: true -- name: Restart mqtt2web +- name: restart mqtt2web ansible.builtin.systemd: name: mqtt2web state: restarted
diff --git a/roles/www/tasks/main.yaml b/roles/www/tasks/main.yaml
index 382706a..114218a 100644
--- a/roles/www/tasks/main.yaml
+++ b/roles/www/tasks/main.yaml
@@ -1,25 +1,16 @@ --- - -- name: Import calendar +- tags: www_calendar ansible.builtin.import_tasks: file: calendar.yaml - tags: - - www_calendar -- name: Import mediawiki +- tags: www_mediawiki ansible.builtin.import_tasks: file: mediawiki.yaml - tags: - - www_mediawiki -- name: Import mqtt +- tags: www_mqtt ansible.builtin.import_tasks: file: mqtt.yaml - tags: - - www_mqtt -- name: Import spaceapi +- tags: www_spaceapi ansible.builtin.import_tasks: file: spaceapi.yaml - tags: - - www_spaceapi
diff --git a/roles/www/tasks/mediawiki.yaml b/roles/www/tasks/mediawiki.yaml
index 2eb69f4..5113131 100644
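Review bot: The wifi_mqtt hunk replaces `ansible.builtin.git`, `ansible.builtin.template` and `ansible.builtin.systemd` with the bare `git:`, `template:` and `systemd:` while every other task file in this diff keeps the fully-qualified names; short names are resolved through collection search at run time and are rejected by ansible-lint's fqcn rule. Restore `ansible.builtin.git:`, `ansible.builtin.template:` and `ansible.builtin.systemd:` here. Separately, `accept_hostkey: yes` has no effect on the `https://github.com/bitlair/wifi-mqtt.git` URL shown in this hunk, so it can simply be dropped rather than reworded.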
--- a/roles/www/tasks/mediawiki.yaml
+++ b/roles/www/tasks/mediawiki.yaml
@@ -1,5 +1,4 @@ --- - - name: Install dependencies ansible.builtin.apt: name: php-fpm
@@ -13,3 +12,19 @@ group: root mode: 0644 +- name: Allow HTTP/HTTPS + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: "{{ item.port }}" + ctstate: NEW + jump: ACCEPT + ip_version: "{{ item.ip }}" + action: insert + with_items: + - { ip: ipv4, port: 80 } + - { ip: ipv4, port: 443 } + - { ip: ipv6, port: 80 } + - { ip: ipv6, port: 443 } + notify: persist iptables + when: not nft | bool
diff --git a/roles/www/tasks/mqtt.yaml b/roles/www/tasks/mqtt.yaml
index f96fadd..94dc0bf 100644
--- a/roles/www/tasks/mqtt.yaml
+++ b/roles/www/tasks/mqtt.yaml
@@ -1,5 +1,4 @@ --- - - name: Install dependencies ansible.builtin.apt: name:
@@ -7,17 +6,32 @@ - liblinux-epoll-perl - mosquitto +- name: Allow MQTT + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: "{{ item.port }}" + ctstate: NEW + jump: ACCEPT + ip_version: "{{ item.ip }}" + action: insert + with_items: + - { ip: ipv4, port: 1883 } + - { ip: ipv6, port: 1883 } + notify: persist iptables + when: not nft | bool + - name: Install mqtt-simple - community.general.cpanm: - name: Net::MQTT::Simple + ansible.builtin.command: + cmd: cpan Net::MQTT::Simple - name: Clone mqtt2web source ansible.builtin.git: repo: https://github.com/bitlair/mqtt2web.git version: master dest: /opt/mqtt2web - accept_hostkey: true - notify: Restart mqtt2web + accept_hostkey: yes + notify: restart mqtt2web - name: Install mqtt2web service file ansible.builtin.template:
@@ -27,11 +41,10 @@ group: root mode: 0644 notify: - - Daemon reload - - Restart mqtt2web + - daemon reload + - restart mqtt2web -- name: Flush handlers - ansible.builtin.meta: flush_handlers +- ansible.builtin.meta: flush_handlers - name: Enable mqtt2web ansible.builtin.systemd:
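Review bot: In the mqtt.yaml hunk `ansible.builtin.command: cmd: cpan Net::MQTT::Simple` replaces the `community.general.cpanm` module with a shell-out that runs on every play, reports changed every time, and downloads and builds whatever the current version on the configured CPAN mirror is, with no pin and no checksum, which is a run-time supply-chain dependency the module at least kept explicit and idempotent. If the collection cannot be used, prefer the distribution package where one exists (Debian ships `libnet-mqtt-simple-perl`) via the apt task already in this file, or at minimum add `args: creates: <installed Net/MQTT/Simple.pm path>` so the command is skipped once the module is present. The same hunk also opens TCP/1883 from any source on both address families; 1883 is plaintext MQTT, so confirm the mosquitto listener requires authentication or add a `source:` restriction to the networks that need the broker.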
diff --git a/roles/www/tasks/spaceapi.yaml b/roles/www/tasks/spaceapi.yaml
index 7c8a494..a819839 100644
--- a/roles/www/tasks/spaceapi.yaml
+++ b/roles/www/tasks/spaceapi.yaml
@@ -4,8 +4,8 @@ repo: https://github.com/bitlair/spaceapi.git version: main dest: /opt/spaceapi - accept_hostkey: true - notify: Restart spaceapi + accept_hostkey: yes + notify: restart spaceapi - name: Install spaceapi service file ansible.builtin.template:
@@ -13,8 +13,8 @@ dest: /etc/systemd/system/spaceapi.service owner: root group: root - mode: "0644" - notify: Restart spaceapi + mode: 0644 + notify: restart spaceapi - name: Enable spaceapi ansible.builtin.systemd: