Add chat

Replaced by a Forgejo Action

.yamllint.yaml

@@ -0,0 +1,17 @@
+---
+
+extends: relaxed
+
+rules:
+  # 80 chars should be enough, but don't fail if a line is longer
+  line-length:
+    max: 200
+    level: warning
+  empty-lines:
+    max: 2
+    max-start: 1
+    max-end: 1
+  colons:
+    max-spaces-after: -1
+  commas:
+    max-spaces-after: -1

authorized_keys/ak.keys

@@ -1 +1,3 @@
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ0ryG8LT5ryjc3tZggVP0cxjXoKOPzUIwmB9Yez+u3nDHc3RdLR0V/BdcVPCJl9vOQwsFaTE34ZEZ3A6qkcSaz2Npxqq0eFtcEAKTy9w41C6jE586jkwkednSK9ObFFZnlSA3ielYeB5bRuELHyvazHWSUGn+/nzuujAYpEABRGAlt0IV2eMugsb1aEs5v8/Hw3REGz6IeNBwlVOzDznGK4N0b1es270k2fpkD0XMRnga7x2eduD74gRYJHo41sKz6kqHFfXjvrH6Efrn5sNtTF7pIkPfeiX4ukDQYG6Ynxgkdbi1pMg5zGjjjRZ0iExKqNi+jtZhVewqFvj66vLX arjan@koopen.net
+ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAhA2rt1rIpqWG5BzwTFCCRCEZViWNk3GGIVyIpKg0A0+btJxPu66AKcudP88nsdzp8rPVES1qLBpIt6QsHnoioF+MjUjrkodc0gNescE+7frlf0+wCwN7/OQjSTDURa0THwQQGuGJm4cWaMf7w/sfkU89KmuRPvxZGNn4ahSRkRVyKP09B3xI14CDpRSP4Xg9bCz7QYxLixXfk0zBMOgbrSzsNs2eO4YUUsHFX1x0nX6CK7fauO0l8UC1nYeFGNofbmpn0mnqSj0u1i+ikjiCv+8ruXuI0ufLjfcIQjsYmkrMEfwuf0nyOAha5U2z4U05J2Je4do0cYVoC4/kCoAod3nrX7fVur0RVdD7XEAzvtxZh87dOhM3TrYYVFs37jeDtt4ZO9XYRSrV2l/TgPdWoST/h69/10QhdS8lYQXTJWY8AgQs+MtIHj6z1lCsVbRZN/JKYulhXpGuHmNt/gBlMscFVDezmdGwuqPB8XdYHBVcDqgpynbvlaBXMX+hHIjPKC6ExLxmUtJYGetTKyEPWeIVjp6D1zs/aMVVEOxvKfjtGDLyByzUEnHt0YL2v+tAp1+oqmWr0i5RWgnWOtTuzzEkFaa99Y6SMbskWx4p/3Of5VTrgFcADMG7TFHAwQ4vnv6Ca5P0pBTFjWCR1tX4v7qNgx9lqax7bbWlNjxLODM= arjan@koopen.net SL
+

authorized_keys/foobar.keys

@@ -1,2 +1,4 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUIAkaRsvb6cD1XIGF80JpMH1mYE9XhCgptOkt9AfloZQlO7Ds5XeCwJk5/TsoidTcb/0yFUov8SMwaIVtrFfkNUqqeAsfm3luJ4JwOXeCwrXD6W7c5Wqg/FGNH0eZr0kEnxpNS10L72+oNBQgnlSNjqWS29lEmXApKQ3IKy6aP9cMwEh25fsH/2G7mHsZX2UMPK0tZPC6MPxY5P9PWLIulUpsX96c6OcAvGYIvsCnecsVsTdhK36w4Z/t7XoLFz5X6k3eXT7gG4SMGuBixjroTUhumWzgJJ6T1Nn/eESe7Im8krlzO/0hG/F8uBy3s04TAJuXFmygvtC4YLyq91U5
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUIAkaRsvb6cD1XIGF80JpMH1mYE9XhCgptOkt9AfloZQlO7Ds5XeCwJk5/TsoidTcb/0yFUov8SMwaIVtrFfkNUqqeAsfm3luJ4JwOXeCwrXD6W7c5Wqg/FGNH0eZr0kEnxpNS10L72+oNBQgnlSNjqWS29lEmXApKQ3IKy6aP9cMwEh25fsH/2G7mHsZX2UMPK0tZPC6MPxY5P9PWLIulUpsX96c6OcAvGYIvsCnecsVsTdhK36w4Z/t7XoLFz5X6k3eXT7gG4SMGuBixjroTUhumWzgJJ6T1Nn/eESe7Im8krlzO/0hG/F8uBy3s04TAJuXFmygvtC4YLyq91U5 Sig-I/O Beheer key
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyKprIcR81+RFSBxU3iyW4vd0ctr0q1Pqifzxbro+0C
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyKprIcR81+RFSBxU3iyW4vd0ctr0q1Pqifzxbro+0C mark@x240-ed25519
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGc3py/K9wUSF86SIMv2AWtVAxEb1ZEy7BEz7VrGeZp/ sigio@t14
+

bank.yaml

@@ -1,8 +1,8 @@
 ---
-
 - hosts: bank
   roles:
-    - common
+    - { role: "common", tags: [ "common" ] }
-    - bank
+    - { role: "nft", tags: [ "nft" ] }
-  vars:
+    - { role: "nginx", tags: [ "nginx" ] }
-    bank_revbank_git: https://github.com/bitlair/revbank.git
+    - { role: "acme", tags: [ "acme" ] }
+    - { role: "bank", tags: [ "bank" ] }

bar.yaml

@@ -4,6 +4,6 @@
   vars:
     raspi_rotate_display: "2"
   roles:
-    - raspi
+    - { role: "raspi", tags: [ "raspi" ] }
-    - common
+    - { role: "common", tags: [ "common" ] }
-    - bank-terminal
+    - { role: "bank-terminal", tags: [ "bank-terminal" ] }

bitlair.yaml

@@ -1,58 +1,67 @@
-
 ---
 
 - hosts: all
   gather_facts: true
   roles:
-    - { role: "common", tags: [ "common" ] }
+    - { role: "common", tags: ["common"] }
+    - { role: "nft", tags: ["nft"] }
 
 - hosts: bank
   roles:
-    - { role: "bank", tags: [ "bank" ] }
+    - { role: "bank", tags: ["bank"] }
+
+- hosts: homeassistant
+  roles:
+    - { role: "acme", tags: ["acme"] }
+    - { role: "nginx", tags: ["nginx"] }
 
 - hosts: raspi
   roles:
-    - { role: "raspi", tags: [ "raspi" ] }
+    - { role: "raspi", tags: ["raspi"] }
-    - { role: "bank-terminal", tags: [ "bank-terminal" ] }
+    - { role: "bank-terminal", tags: ["bank-terminal"] }
 
 - hosts: fotos
   roles:
-    - { role: "photos", tags: [ "photos" ] }
+    - { role: "photos", tags: ["photos"] }
 
 - hosts: git-ci
   roles:
-    - { role: "git-ci", tags: [ "git-ci" ] }
+    - { role: "git-ci", tags: ["git-ci"] }
 
 - hosts: git
   roles:
-    - { role: "acme", tags: [ "acme" ] }
+    - { role: "acme", tags: ["acme"] }
-    - { role: "git-server", tags: [ "git-server" ] }
+    - { role: "nginx", tags: ["nginx"] }
+    - { role: "git-server", tags: ["git-server"] }
 
 - hosts: monitoring
   roles:
-    - { role: "acme", tags: [ "acme" ] }
+    - { role: "acme", tags: ["acme"] }
-    - { role: "monitoring", tags: [ "monitoring" ] }
+    - { role: "nginx", tags: ["nginx"] }
+    - { role: "monitoring", tags: ["monitoring"] }
 
 - hosts: mqtt
   roles:
-    - { role: "mqtt-internal", tags: [ "mqtt-internal" ] }
+    - { role: "mqtt", tags: ["mqtt"] }
 
 - hosts: music
   roles:
-    - { role: "acme", tags: [ "acme" ] }
+    - { role: "acme", tags: ["acme"] }
-    - { role: "go", tags: [ "go" ] }
+    - { role: "go", tags: ["go"] }
-    - { role: "music", tags: [ "music" ] }
+    - { role: "music", tags: ["music"] }
 
 - hosts: pad
   roles:
-    - { role: "acme", tags: [ "acme" ] }
+    - { role: "acme", tags: ["acme"] }
-    - { role: "etherpad", tags: [ "etherpad" ] }
+    - { role: "nginx", tags: ["nginx"] }
+    - { role: "etherpad", tags: ["etherpad"] }
 
 - hosts: services
   roles:
-    - { role: "services", tags: [ "services" ] }
+    - { role: "services", tags: ["services"] }
 
 - hosts: wiki
   roles:
-    - { role: "acme", tags: [ "acme" ] }
+    - { role: "acme", tags: ["acme"] }
-    - { role: "www", tags: [ "www" ] }
+    - { role: "nginx", tags: ["nginx"] }
+    - { role: "www", tags: ["www"] }

common.yaml

@@ -3,4 +3,5 @@
 - hosts: debian
   gather_facts: true
   roles:
-    - common
+    - { role: "common", tags: [ "common" ] }
+    - { role: "nft", tags: [ "nft" ] }

fotos.yaml

@@ -2,5 +2,5 @@
 
 - hosts: fotos
   roles:
-    - common
+    - { role: "common", tags: [ "common" ] }
-    - photos
+    - { role: "photos", tags: [ "photos" ] }

git-ci.yaml

@@ -2,5 +2,5 @@
 
 - hosts: git-ci
   roles:
-    - common
+    - { role: "common", tags: [ "common" ] }
-    - git-ci
+    - { role: "git-ci", tags: [ "git-ci" ] }

git.yaml

@@ -2,6 +2,7 @@
 
 - hosts: git
   roles:
-    - common
+    - { role: "common", tags: [ "common" ] }
-    - acme
+    - { role: "acme", tags: [ "acme" ] }
-    - git-server
+    - { role: "nginx", tags: [ "nginx" ] }
+    - { role: "git-server", tags: [ "git-server" ] }

group_vars/all.yaml

@@ -3,25 +3,26 @@
 ansible_user: root
 ansible_python_interpreter: auto_silent
 notify_email: bestuur@bitlair.nl
-acme_bootstrap_certs: no
 trusted_ranges:
-    # localhost
+  - { v: ipv4, cidr: "127.0.0.1/8", comment: "localhost" }
-  - { v: ipv4, cidr: 127.0.0.1/8 }
+  - { v: ipv4, cidr: "10.0.0.0/8", comment: "rfc1918" }
-  - { v: ipv6, cidr: "::1" }
+  - { v: ipv4, cidr: "172.16.0.0/12", comment: "rfc1918" }
-    # rf1928
+  - { v: ipv4, cidr: "192.168.0.0/16", comment: "rfc1918" }
-  - { v: ipv4, cidr: 10.0.0.0/8 }
+  - { v: ipv4, cidr: "45.88.49.140", comment: "vihamij" }
-  - { v: ipv4, cidr: 172.16.0.0/12 }
+  - { v: ipv4, cidr: "204.2.64.0/20", comment: "eventinfra / bitlair" }
-  - { v: ipv4, cidr: 192.168.0.0/16 }
+  - { v: ipv4, cidr: "100.64.0.0/10", comment: "bitlair" }
-    # v6 local
+  - { v: ipv4, cidr: "185.205.52.194/32", comment: "bitlair A2B" } # kan weg ??
-  - { v: ipv6, cidr: "fe80::/10" }
+  - { v: ipv4, cidr: "31.187.251.213/32", comment: "foobar thuis" }
-    # vihamij
+  - { v: ipv4, cidr: "185.205.53.40/32", comment: "ak / koopen.net" }
-  - { v: ipv4, cidr: 45.88.49.140 }
+#  - { v: ipv6, cidr: "::/0", comment: "ipv6 localhost" }
-    # eventinfra
+#  - { v: ipv6, cidr: "fe80::/10", comment: "ipv6 link-local" }
-  - { v: ipv4, cidr: 204.2.64.0/20 }
+#  - { v: ipv6, cidr: "2a02:166b:92::/48", comment: "bitlair" } # /48's kunnen niet in de ipset
-
+  - { v: ipv6, cidr: "2001:678:814:68::/64", comment: "bitlair wifi" }
-  - { v: ipv4, cidr: 100.64.0.0/10 }
+  - { v: ipv6, cidr: "2a05:2d01:0:4042::/64", comment: "bitlair servers" }
-  - { v: ipv4, cidr: 185.205.52.194/32 }
+  - { v: ipv6, cidr: "2a05:2d01:1337::/48", comment: "bitlair space v6-range" }
-  - { v: ipv6, cidr: "2a02:166b:92::/48" }
+  - { v: ipv6, cidr: "2a0e:5700:4:2::/64", comment: "foobar ipv6" }
+trusted_ports:
+  - ssh
 
 root_access:
   - ak

group_vars/bank.yaml

@@ -0,0 +1,17 @@
+---
+deposit_hostname: deposit.bitlair.nl
+
+acme_domains:
+ - "{{ deposit_hostname }}"
+
+nginx_sites:
+  - server_name: "{{ deposit_hostname }}"
+    config:
+      - |-
+        location / {
+          proxy_pass http://localhost:8000/;
+          include proxy_params;
+        }
+
+group_nft_input:
+  - "tcp dport { http, https } accept # Allow web-traffic from world"

group_vars/fotos.yaml

@@ -1,6 +1,15 @@
+
 root_access:
   - ak
   - foobar
   - linor
   - polyfloyd
   - wilco
+
+trusted_ports:
+  - ssh
+  - microsoft-ds
+
+group_nft_input:
+  - "ip saddr 204.2.64.19 tcp dport { 4567 } accept # Allow traffic from wiki"
+

group_vars/git-ci.yaml

@@ -1 +1,5 @@
+---
+
 forgejo_url: https://git.bitlair.nl
+
+nft: false # Docker wil nog niet zo met nft

group_vars/git.yaml

@@ -1,5 +1,18 @@
+---
+
 acme_domains:
   - "{{ git_server_domain }}"
 git_server_domain: git.bitlair.nl
 git_server_title: Gitlair
 git_server_bootstrap_cert: no
+
+group_nft_input:
+  - "tcp dport { ssh, http, https } accept # Allow ssh(git) + web-traffic from world"
+
+nginx_client_max_body_size: 4G
+
+nginx_sites:
+  - server_name: "git.bitlair.nl"
+    localproxy: "9001"
+    snippets: 
+      - "forgejo-nginx.j2"

group_vars/homeassistant.yaml

@@ -0,0 +1,12 @@
+acme_san_domains:
+  - [ homeassistant.bitlair.nl ]
+
+group_nft_input:
+  - "tcp dport { http, https } accept # Allow web-traffic from world"
+  - "tcp dport { 1883 } accept # mqtt from world"
+
+nginx_sites:
+  - server_name: "homeassistant.bitlair.nl"
+    localproxy: "8123"
+    snippets: 
+      - "homeassistant-nginx.j2"

group_vars/kvm.yaml

@@ -0,0 +1,2 @@
+---
+

group_vars/lights.yaml

@@ -0,0 +1,2 @@
+---
+

group_vars/monitoring.yaml

@@ -1,7 +1,10 @@
 monitoring_domain: dashboard.bitlair.nl
 monitoring_bootstrap_cert: no
 acme_san_domains:
-  - ["{{ monitoring_domain }}", monitoring.bitlair.nl]
+  - ["{{ monitoring_domain }}"]
+
+group_nft_input:
+  - "tcp dport { http, https } accept # Allow web-traffic from world"
 
 prometheus_scrape_configs:
   - job_name: "node"
@@ -17,6 +20,7 @@ prometheus_scrape_configs:
         - "lights.bitlair.nl:9100"
         - "music.bitlair.nl:9100"
         - "service.bitlair.nl:9100"
+        - "user.bitlair.nl:9100"
   - job_name: "mqtt"
     static_configs:
       - targets: [ "localhost:9883" ]
@@ -30,6 +34,7 @@ prometheus_scrape_configs:
         - https://bitlair.nl
         - https://git.bitlair.nl
         - https://pad.bitlair.nl
+        - https://user.bitlair.nl
           # Legacy
         - https://wiki.bitlair.nl
         - https://portal.bitlair.nl
@@ -40,3 +45,9 @@ prometheus_scrape_configs:
         target_label: instance
       - target_label: __address__
         replacement: "{{ blackbox_exporter_web_listen_address }}"
+
+nginx_sites:
+  - server_name: "dashboard.bitlair.nl"
+    localproxy: "9000"
+    snippets:
+      - "prometheus-nginx.j2"

group_vars/mqtt.yaml

@@ -0,0 +1,8 @@
+---
+
+nft_group_rules:
+  - { version: "ip6", from: [ '2001:470:7f95::/48' ], port: "1883" }
+
+trusted_ports:
+  - ssh
+  - 1883

group_vars/music.yaml

@@ -1,3 +1,8 @@
+---
+
+# Fixme, nog niet kunnen testen, was down
+nft: false
+
 root_access:
   - ak
   - bob
@@ -5,6 +10,8 @@ root_access:
   - foobar
   - polyfloyd
 
+nginx_client_max_body_size: 512M
+
 music_domain: music.bitlair.nl
 acme_san_domains:
   - [ music.bitlair.nl ]

group_vars/pad.yaml

@@ -1 +1,28 @@
+---
+
+acme_domains:
+ - pad.bitlair.nl
+
 etherpad_domain: pad.bitlair.nl
+
+nginx_sites:
+  - server_name: "pad.bitlair.nl"
+#    localproxy: "9001"
+    pre_config:
+      - "# WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html"
+      - "map $http_upgrade $connection_upgrade {"
+      - "   default upgrade;"
+      - "   ''      close;"
+      - "}"
+    config:
+      - "location / {"
+      - "  proxy_pass http://localhost:9001/;"
+      - "  include proxy_params;"
+      - ""
+      - "  # WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html"
+      - "  proxy_set_header  Upgrade $http_upgrade;"
+      - "  proxy_set_header  Connection $connection_upgrade;"
+      - "}"
+
+group_nft_input:
+  - "tcp dport { http, https } accept # Allow web-traffic from world"

group_vars/raspi.yaml

@@ -0,0 +1,4 @@
+---
+
+# Nog niet kunnen testen / geen toegang
+nft: false

group_vars/services.yaml

@@ -0,0 +1,15 @@
+---
+
+group_nft_input: []
+  # test
+
+nft_group_rules:
+  - { from: [ '204.2.64.29' ], port: "3306", comment: "Mysql vanaf eventinfra, verzoek AK" }
+  - { from: [ '100.64.0.14' ], port: "4000", proto: "udp", comment: "siahsd"}
+  - { from: [ '204.2.64.86' ], port: "31337", proto: "tcp", comment: "irc-say vanaf home assistant" }
+
+power_mqtt_targets:
+  - net: space
+    ip: 100.64.0.21
+  - net: unicorndept
+    ip: 100.64.0.187

group_vars/shell.yaml

@@ -0,0 +1,6 @@
+---
+
+manage_sshd_config: false
+
+group_nft_input:
+  - "tcp dport { ssh } accept # Allow SSH from world"

group_vars/wiki.yaml

@@ -0,0 +1,24 @@
+acme_san_domains:
+  - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ]
+  - [ bitair.nl ]
+  - [ ravespace.nl ]
+
+group_nft_input:
+  - "tcp dport { http, https } accept # Allow web-traffic from world"
+  - "tcp dport { 1883 } accept # mqtt from world"
+
+nginx_sites:
+  - server_name: "bitlair.nl"
+    server_alias: "wiki.bitlair.nl www.bitlair.nl cyber.bitlair.nl"
+    snippets:
+      - "mqtt2web-nginx.j2"
+      - "spaceapi-nginx.j2"
+      - "www-nginx.j2"
+  - server_name: "bitair.nl"
+    server_alias: "www.bitair.nl"
+    snippets:
+      - "bitair-nginx.j2"
+  - server_name: "ravespace.nl"
+    server_alias: "www.ravespace.nl"
+    snippets:
+      - "ravespace-nginx.j2"

group_vars/www.yaml

@@ -1,5 +0,0 @@
-acme_bootstrap_certs: yes
-acme_san_domains:
-  - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ]
-  - [ bitair.nl ]
-  - [ ravespace.nl ]

inventory

@@ -1,4 +1,5 @@
-# Inventory
+# Bitlair inventory
+
 
 [raspi]
 bank-pi.bitlair.nl
@@ -39,6 +40,15 @@ service.bitlair.nl
 [wiki]
 wiki.bitlair.nl
 
+[shell]
+shell.bitlair.nl
+
+[homeassistant]
+homeassistant.bitlair.nl
+
+[chat]
+chat.bitlair.nl
+
 [debian:children]
 bank
 fotos
@@ -51,4 +61,6 @@ monitoring
 music
 services
 wiki
-
+shell
+homeassistant
+chat

lint.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+j2lint `find ./ -type f -name '*.j2'`
+ansible-lint bitlair.yaml
+

monitoring.yaml

@@ -2,6 +2,7 @@
 
 - hosts: monitoring
   roles:
-    - common
+    - { role: "common", tags: [ "common" ] }
-    - acme
+    - { role: "acme", tags: [ "acme" ] }
-    - monitoring
+    - { role: "nginx", tags: [ "nginx" ] }
+    - { role: "monitoring", tags: [ "monitoring" ] }

mqtt-internal.yaml

@@ -1,6 +0,0 @@
----
-
-- hosts: mqtt_internal
-  roles:
-    - common
-    - mqtt-internal

mqtt.yaml

@@ -0,0 +1,6 @@
+---
+
+- hosts: mqtt
+  roles:
+    - { role: "common", tags: [ "common" ] }
+    - { role: "mqtt", tags: [ "mqtt", "mqtt" ] }

music.yaml

@@ -2,7 +2,8 @@
 
 - hosts: music
   roles:
-    - common
+    - { role: "common", tags: [ "common" ] }
-    - acme
+    - { role: "acme", tags: [ "acme" ] }
-    - go
+    - { role: "go", tags: [ "go" ] }
-    - music
+#    - { role: "nginx", tags: [ "nginx" ] }
+    - { role: "music", tags: [ "music" ] }

pad.yaml

@@ -5,6 +5,8 @@
     acme_san_domains:
       - [ pad.bitlair.nl ]
   roles:
-    - common
+    - { role: "common", tags: [ "common" ] }
-    - acme
+    - { role: "nft", tags: [ "nft" ] }
-    - etherpad
+    - { role: "acme", tags: [ "acme" ] }
+    - { role: "nginx", tags: [ "nginx" ] }
+    - { role: "etherpad", tags: [ "etherpad" ] }

roles/acme/handlers/main.yaml

@@ -1,7 +1,9 @@
+---
+
 - name: update_contact_info
   ansible.builtin.command:
     cmd: dehydrated --account
 
-- name: query_certificates
+- name: run dehydrated
   ansible.builtin.command:
     cmd: dehydrated --cron

roles/acme/tasks/main.yaml

@@ -1,82 +1,46 @@
 ---
-- ansible.builtin.import_tasks:
-    file: remove_conflicting.yaml
-  tags: [ never, acme_remove_conflicting ]
 
 - name: Install Dehydrated
-  tags: [ acme, acme_install ]
+  ansible.builtin.apt:
-  block:
+    state: present
-    - name: Install dependencies
+    pkg:
-      ansible.builtin.apt:
+      - dehydrated
-        name: ssl-cert
+  tags:
-        state: present
+    - acme
 
-    - name: Install Dehydrated
+- name: Create Nginx snippet snippets dir
-      ansible.builtin.apt:
+  ansible.builtin.file:
-        name: dehydrated
+    state: "directory"
-        state: present
+    path: "/etc/nginx/snippets"
+    owner: "root"
+    group: "root"
+    mode: "0755"
 
-    - name: Install config file
+- name: Template dehydrated configfiles
-      ansible.builtin.template:
+  ansible.builtin.template:
-        src: config.sh
+    src: "{{ item.src }}"
-        dest: /etc/dehydrated/conf.d/ansible.sh
+    dest: "{{ item.dest }}"
-        owner: root
+    owner: "{{ item.owner | default('root') }}"
-        group: root
+    group: "{{ item.group | default('root') }}"
-        mode: 0755
+    mode: "{{ item.mode | default('0640') }}"
-      notify: update_contact_info
+  notify: "{{ item.notify | default([]) }}"
+  with_items:
+    - { src: "config.sh",          dest: "/etc/dehydrated/conf.d/ansible.sh", mode: '0755' }
+    - { src: "deploy.sh",          dest: "/etc/dehydrated/conf.d/deploy.sh",  mode: '0755' }
+    - { src: "cron",               dest: "/etc/cron.d/dehydrated" }
+    - { src: "nginx-snippet.conf", dest: "/etc/nginx/snippets/acme.conf" }
+    - { src: "domains.txt",        dest: "/etc/dehydrated/domains.txt", notify: "run dehydrated" }
 
-    - name: Install deploy hook
+- name: Register account
-      ansible.builtin.template:
+  ansible.builtin.command:
-        src: deploy.sh
+  args:
-        dest: /etc/dehydrated/conf.d/deploy.sh
+    cmd: dehydrated --register --accept-terms
-        owner: root
+    creates: /var/lib/dehydrated/accounts
-        group: root
-        mode: 0755
 
-    - name: Install cronjob
+- name: Symlink SAN domains
-      ansible.builtin.template:
+  ansible.builtin.include_tasks:
-        src: cron
+    file: san_domains_loop.yaml
-        dest: /etc/cron.d/dehydrated
+  loop: "{{ acme_san_domains | default([]) }}"
-        owner: root
+  loop_control:
-        group: root
+    loop_var: domains
-        mode: 0644
 
-    - name: Create Nginx snippet snippets dir
-      ansible.builtin.file:
-        state: directory
-        path: /etc/nginx/snippets
-        owner: root
-        group: root
-        mode: 0755
-
-    - name: Install Nginx snippet
-      ansible.builtin.template:
-        src: nginx-snippet.conf
-        dest: /etc/nginx/snippets/acme.conf
-        owner: root
-        group: root
-        mode: 0644
-
-    - name: Register account
-      ansible.builtin.command:
-        cmd: dehydrated --register --accept-terms
-      args:
-        creates: /var/lib/dehydrated/accounts
-
-- tags: [ acme, acme_certs ]
-  block:
-    - name: Configure certificates
-      ansible.builtin.template:
-        src: domains.txt
-        dest: /etc/dehydrated/domains.txt
-        owner: root
-        group: root
-        mode: 0644
-      notify: query_certificates
-
-    - name: Symlink SAN domains
-      ansible.builtin.include_tasks:
-        file: san_domains_loop.yaml
-      loop: "{{ acme_san_domains|default([]) }}"
-      loop_control:
-        loop_var: domains

roles/acme/tasks/remove_conflicting.yaml

@@ -1,9 +1,4 @@
 ---
-- name: Remove certbot from apt
-  ansible.builtin.apt:
-    name: [ letsencrypt, certbot ]
-    state: absent
-    autoremove: yes
 
 - name: Remove variable directories
   ansible.builtin.file:

roles/acme/tasks/san_domains_loop.yaml

@@ -1,4 +1,5 @@
 ---
+
 - ansible.builtin.stat:
     path: "/var/lib/dehydrated/certs/{{ domains[0] }}"
   register: cert_stat

roles/acme/templates/config.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
 
-# Managed by Ansible
+# {{ ansible_managed }}
 
 CONTACT_EMAIL={{ notify_email }}

roles/acme/templates/cron

@@ -1,4 +1,4 @@
-# Managed by Ansible
+# {{ ansible_managed }}
 
 SHELL=/bin/sh
 PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

roles/acme/templates/deploy.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
 
-# Managed by Ansible
+# {{ ansible_managed }}
 
 systemctl reload nginx.service

roles/acme/templates/domains.txt

@@ -1,4 +1,4 @@
-# Managed by Ansible
+# {{ ansible_managed }}
 
 {% for domain in acme_domains|default([]) %}
 {{ domain }}

roles/acme/templates/nginx-snippet.conf

@@ -1,4 +1,4 @@
-# Managed by Ansible
+# {{ ansible_managed }}
 
 location /.well-known/acme-challenge {
 	allow all;

roles/bank/defaults/main.yaml

@@ -1,3 +1,3 @@
 bank_user: bank
-bank_revbank_git: https://github.com/revspace/revbank.git
+bank_revbank_git: https://git.bitlair.nl/bitlair/revbank.git
 bank_local_tty: no

roles/bank/handlers/main.yaml

@@ -1,3 +1,9 @@
 ---
 - ansible.builtin.import_tasks:
     file: ../../common/handlers/main.yaml
+
+- name: Restart revbank-deposit
+  ansible.builtin.systemd:
+    name: revbank-deposit
+    state: restarted
+    daemon_reload: true

roles/bank/tasks/inflatinator.yaml

@@ -1,12 +0,0 @@
----
-- name: Install dependencies
-  ansible.builtin.apt:
-    name: [ links, python3-pyquery ]
-    state: present
-
-- name: Clone revbank-inflatinator source
-  ansible.builtin.git:
-    repo: https://github.com/bitlair/revbank-inflatinator.git
-    version: main
-    dest: /opt/revbank-inflatinator
-    accept_hostkey: yes

roles/bank/tasks/login.yaml

@@ -11,6 +11,7 @@
   ansible.builtin.blockinfile:
     path: /etc/ssh/sshd_config
     insertafter: EOF
+    validate: "/usr/sbin/sshd -t -f %s"
     block: |-
       Match User bank
           PasswordAuthentication yes

roles/bank/tasks/main.yaml

@@ -7,6 +7,6 @@
   ansible.builtin.import_tasks:
     file: revbank.yaml
 
-- tags: [ bank, bank_inflatinator ]
+- tags: [ bank, bank_revbank_deposit ]
   ansible.builtin.import_tasks:
-    file: inflatinator.yaml
+    file: revbank-deposit.yaml

roles/bank/tasks/revbank-deposit.yaml

@@ -0,0 +1,47 @@
+---
+- name: Clone source
+  ansible.builtin.git:
+    repo: https://git.bitlair.nl/bitlair/revbank-deposit.git
+    version: main
+    dest: /usr/local/lib/revbank-deposit
+    accept_hostkey: yes
+  notify: Restart revbank-deposit
+
+- name: Install apt dependencies
+  ansible.builtin.apt:
+    name:
+      - python3-pip
+      - python3-virtualenv
+
+- name: Install pip dependencies
+  ansible.builtin.pip:
+    chdir: /usr/local/lib/revbank-deposit
+    virtualenv: .venv
+    requirements: requirements.txt
+
+- name: Configure revbank-deposit
+  ansible.builtin.template:
+    src: revbank-deposit.conf
+    dest: /etc/revbank-deposit.conf
+    owner: root
+    group: root
+    mode: 0600
+  notify: Restart revbank-deposit
+
+- name: Install revbank-deposit service
+  ansible.builtin.template:
+    src: revbank-deposit.service
+    dest: /etc/systemd/system/revbank-deposit.service
+    owner: root
+    group: root
+    mode: 0644
+  notify: Restart revbank-deposit
+
+- name: Start revbank-deposit
+  ansible.builtin.systemd:
+    daemon_reload: true
+    name: revbank-deposit
+    state: started
+    enabled: true
+
+- meta: flush_handlers

roles/bank/templates/git.cron

@@ -1,4 +1,4 @@
 SHELL=/bin/bash
 
 #m   h  dom mon dow user             command
- 0   *  *   *   *   {{ bank_user }} (cd /home/{{ bank_user }}/data.git && git push --mirror && git gc --auto)
+ 0   *  *   *   *   {{ bank_user }} (cd /home/{{ bank_user }}/data.git && git pull -r && git push && git gc --auto && cp revbank.products ../revbank.products)

roles/bank/templates/revbank-deposit.conf

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+PUBLIC_URL=https://{{ deposit_hostname }}
+MOLLIE_API_KEY={{ lookup('passwordstore', 'mollie subkey=apikey') }}

roles/bank/templates/revbank-deposit.service

@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Revbank Deposit
+After=network.target
+
+[Service]
+Type=simple
+Restart=on-failure
+RestartSec=10s
+ExecStart=/usr/local/lib/revbank-deposit/.venv/bin/fastapi run main.py --host 127.0.0.1
+WorkingDirectory=/usr/local/lib/revbank-deposit
+EnvironmentFile=/etc/revbank-deposit.conf
+DynamicUser=true
+
+[Install]
+WantedBy=multi-user.target
+

roles/common/defaults/main.yaml

@@ -17,3 +17,5 @@ node_exporter: true
 
 debian_packages_unwanted:
   - netcat-traditional
+  - letsencrypt
+  - certbot

roles/common/handlers/main.yaml

@@ -1,31 +1,29 @@
 ---
-- name: update grub
+- name: Update grub
   ansible.builtin.command:
     cmd: update-grub
 
-- name: reboot
+- name: Apt update
-  ansible.builtin.reboot:
-
-- name: apt update
   ansible.builtin.apt:
     update_cache: true
 
-- name: daemon reload
+- name: Daemon reload
   ansible.builtin.systemd:
     daemon_reload: true
 
-- name: reload sshd
+- name: Reload sshd
   ansible.builtin.systemd:
     name: ssh
     state: reloaded
 
-- name: reload nginx
+- name: Reload nginx
   ansible.builtin.systemd:
     name: nginx
     state: reloaded
 
-- name: persist iptables
+- name: Persist iptables
   ansible.builtin.shell: "{{ item.c }}-save > /etc/iptables/rules.{{ item.ip }}"
   with_items:
     - { c: iptables, ip: v4 }
     - { c: ip6tables, ip: v6 }
+  when: not nft | bool

roles/common/tasks/debian-upgrade.yaml

@@ -21,9 +21,6 @@
   ansible.builtin.apt:
     upgrade: full
 
-- name: Reboot
-  ansible.builtin.reboot:
-
 - name: autoremove
   ansible.builtin.apt:
     autoremove: yes

roles/common/tasks/main.yaml

@@ -15,9 +15,12 @@
     group: "{{ item.group | default('root') }}"
   with_items:
     - { src: "apt.conf.j2", dest: "/etc/apt/apt.conf" }
+    - { src: "apt-defaultrelease.j2", dest: "/etc/apt/apt.conf.d/09defaultrelease" }
+    - { src: "apt-preferences-stable.j2", dest: "/etc/apt/preferences.d/stableonly" }
     - { src: "sources.list.j2", dest: "/etc/apt/sources.list" }
     - { src: "apt-auto-upgrades.j2", dest: "/etc/apt/apt.conf.d/20auto-upgrades" }
     - { src: "apt-unattended-upgrades.j2", dest: "/etc/apt/apt.conf.d/50unattended-upgrades" }
+  register: aptconfig
   when:
     - ansible_os_family == "Debian"
   tags:
@@ -56,6 +59,8 @@
 
 - name: Install standard packages
   ansible.builtin.apt:
+    cache_valid_time: 3600
+    update_cache: "{{ aptconfig.changed | bool | default(false) }}"
     pkg:
       - curl
       - fzf
@@ -63,8 +68,6 @@
       - etckeeper
       - git
       - htop
-      - iptables
-      - iptables-persistent
       - jq
       - net-tools
       - netcat-openbsd
@@ -75,6 +78,7 @@
       - vim
       - unattended-upgrades
       - apt-listchanges
+      - sudo-ldap
 
 - name: Configure FZF for Bash
   ansible.builtin.lineinfile:
@@ -95,7 +99,7 @@
     path: /etc/default/grub
     regexp: '^GRUB_TIMEOUT='
     line: "GRUB_TIMEOUT=1 # Managed by Ansible"
-  notify: update grub
+  notify: Update grub
 
 - name: Configure cron email
   ansible.builtin.lineinfile:
@@ -108,6 +112,7 @@
     path: /etc/ssh/sshd_config
     regexp: "{{ item.regexp }}"
     line: "{{ item.line }}"
+    validate: "/usr/sbin/sshd -t -f %s"
   with_items:
     - regexp: '^#?Port'
       line: 'Port {{ ssh_port }}'
@@ -115,58 +120,6 @@
       line: 'PasswordAuthentication no'
     - regexp: '^#?DebianBanner'
       line: 'DebianBanner no'
-  notify: reload sshd
+  when: manage_sshd_config | default(true)
+  notify: Reload sshd
 
-- name: Allow SSH
-  ansible.builtin.iptables:
-    chain: INPUT
-    protocol: tcp
-    destination_port: "{{ ssh_port }}"
-    ctstate: NEW
-    jump: ACCEPT
-    ip_version: "{{ item }}"
-  with_items:
-    - ipv4
-    - ipv6
-  notify: persist iptables
-
-- name: Allow ICMP
-  ansible.builtin.iptables:
-    chain: INPUT
-    protocol: "{{ item.proto }}"
-    jump: ACCEPT
-    ip_version: "{{ item.ip }}"
-  with_items:
-    - { ip: ipv4, proto: icmp }
-    - { ip: ipv6, proto: ipv6-icmp }
-  notify: persist iptables
-
-- name: Allow related and established connections
-  ansible.builtin.iptables:
-    chain: INPUT
-    ctstate: ESTABLISHED,RELATED
-    jump: ACCEPT
-    ip_version: "{{ item }}"
-  with_items:
-    - ipv4
-    - ipv6
-  notify: persist iptables
-
-- name: Allow local connections
-  ansible.builtin.iptables:
-    chain: INPUT
-    source: "{{ item.cidr }}"
-    jump: ACCEPT
-    ip_version: "{{ item.v }}"
-  with_items: "{{ trusted_ranges }}"
-  notify: persist iptables
-
-- name: Deny inbound connections
-  ansible.builtin.iptables:
-    chain: INPUT
-    policy: DROP
-    ip_version: "{{ item }}"
-  with_items:
-    - ipv4
-    - ipv6
-  notify: persist iptables

roles/common/tasks/network.yaml

@@ -13,7 +13,6 @@
   with_items:
     - { k: net.ipv4.ip_forward, v: "1" }
     - { k: net.ipv6.conf.all.forwarding, v: "1" }
-  notify: reboot
   when: network_br
 
 - name: Make network interfaces really predictable
@@ -22,8 +21,7 @@
     regexp: ^GRUB_CMDLINE_LINUX
     line: 'GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0" # Managed by Ansible'
   notify:
-    - update grub
+    - Update grub
-    - reboot
   when: network_br or network_dhcp or network_static
 
 - name: Configure network interfaces
@@ -33,7 +31,6 @@
     owner: root
     group: root
     mode: 0644
-  notify: reboot
   when: network_br or network_dhcp or network_static
 
 - ansible.builtin.meta: flush_handlers

roles/common/tasks/vm.yaml

@@ -10,9 +10,8 @@
   ansible.builtin.lineinfile:
     path: /etc/default/grub
     regexp: ^GRUB_CMDLINE_LINUX_DEFAULT
-    line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet console=ttyS0,115200n1 console=tty0"'
+    line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet net.ifnames=0 console=ttyS0,115200n1 console=tty0"'
   notify:
-    - update grub
+    - Update grub
-    - reboot
   tags:
     - questagent

roles/common/templates/apt-defaultrelease.j2

@@ -0,0 +1 @@
+APT::Default-Release "{{ ansible_distribution_release }}";

roles/common/templates/apt-preferences-stable.j2

@@ -0,0 +1,19 @@
+# Prefer packages from our release
+# Prevent auto-installation from testing/unstable/sid/whatever
+
+Package: *
+Pin: release n={{ ansible_distribution_release }}
+Pin-Priority: 900
+
+Package: *
+Pin: release n=sid
+Pin-Priority: -10
+
+Package: *
+Pin: release n=testing
+Pin-Priority: -10
+
+Package: *
+Pin: release n=unstable
+Pin-Priority: -10
+

roles/common/templates/authorized_keys.j2

@@ -2,5 +2,5 @@
 
 {% for name in root_access %}
 # {{ name }}
-{{ lookup('file', 'authorized_keys/'+name+'.keys') }}
+{{ lookup('file', 'authorized_keys/' + name + '.keys') }}
 {% endfor %}

roles/common/templates/sources.list.j2

@@ -1,9 +1,9 @@
 # {{ ansible_managed }}
 
-{% if debian_source_repos|default(false) %}
+{% if debian_source_repos | default(false) %}
-{% set SRC = "" %}
+{%   set SRC = "" %}
 {% else %}
-{% set SRC = "# " %}
+{%   set SRC = "# " %}
 {% endif %}
 {% set components = "main contrib non-free-firmware" %}
 
@@ -20,5 +20,8 @@ deb {{ debian_repourl }} {{ ansible_distribution_release }}-backports {{ compone
 #
 # Security patches
 deb {{ debian_securityurl }} {{ ansible_distribution_release }}-security {{ components }}
-{{ SRC }}deb-src {{ debian_securityurl }} {{ ansible_distribution_release }}-security main contrib non-  free
+{{ SRC }}deb-src {{ debian_securityurl }} {{ ansible_distribution_release }}-security {{ components }}
 
+# Testing/Unstable repos
+deb {{ debian_repourl }} testing {{ components }}
+deb {{ debian_repourl }} sid {{ components }}

roles/etherpad/handlers/main.yaml

@@ -2,7 +2,7 @@
 - ansible.builtin.import_tasks:
     file: ../../common/handlers/main.yaml
 
-- name: restart etherpad
+- name: Restart etherpad
   ansible.builtin.systemd:
     name: etherpad
     state: restarted

roles/etherpad/tasks/main.yaml

@@ -1,140 +1,126 @@
 ---
-- tags: etherpad
-  block:
-    - ansible.builtin.import_tasks:
-        file: ../../../snippets/common-nginx.yaml
 
-    - name: Install dependencies
+- name: Install dependencies
-      ansible.builtin.apt:
+  ansible.builtin.apt:
-        name: [ gpg, postgresql, python3-psycopg2, apt-transport-https ]
+    state: present
+    pkg: 
+      - gpg
+      - postgresql
+      - python3-psycopg2
+      - apt-transport-https
 
-    - name: Import nodesource signing key
+- name: Import nodesource signing key
-      ansible.builtin.shell:
+  ansible.builtin.shell:
-        cmd: curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor
+    cmd: curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor
-          -o /usr/share/keyrings/nodesource.gpg
+      -o /usr/share/keyrings/nodesource.gpg
-      args:
+  args:
-        creates: /usr/share/keyrings/nodesource.gpg
+    creates: /usr/share/keyrings/nodesource.gpg
-      notify: apt update
+  notify: Apt update
 
-    - name: Install nodesource source list
+- name: Install nodesource source list
-      ansible.builtin.template:
+  ansible.builtin.template:
-        src: nodesource.list
+    src: nodesource.list
-        dest: /etc/apt/sources.list.d/nodesource.list
+    dest: /etc/apt/sources.list.d/nodesource.list
-        owner: root
+    owner: root
-        group: root
+    group: root
-        mode: 0644
+    mode: 0644
-      notify: apt update
+  notify: Apt update
 
-    - name: Install nodejs apt preference
+- name: Install nodejs apt preference
-      ansible.builtin.template:
+  ansible.builtin.template:
-        src: nodejs-apt-pref
+    src: nodejs-apt-pref
-        dest: /etc/apt/preferences.d/nodejs
+    dest: /etc/apt/preferences.d/nodejs
-        owner: root
+    owner: root
-        group: root
+    group: root
-        mode: 0644
+    mode: 0644
-      notify: apt update
+  notify: Apt update
 
-    - ansible.builtin.meta: flush_handlers
+- ansible.builtin.meta: flush_handlers
 
-    - name: Install nodejs
+- name: Install nodejs
-      ansible.builtin.apt:
+  ansible.builtin.apt:
-        name: nodejs
+    name: nodejs
 
-    - name: Add database user
+- name: Add database user
-      become: true
+  become: true
-      become_method: su
+  become_method: su
-      become_user: postgres
+  become_user: postgres
-      no_log: yes
+  no_log: yes
-      community.postgresql.postgresql_user:
+  community.postgresql.postgresql_user:
-        name: etherpad
+    name: etherpad
-        password: "{{ etherpad_db_password }}"
+    password: "{{ etherpad_db_password }}"
 
-    - name: Add database
+- name: Add database
-      become: true
+  become: true
-      become_method: su
+  become_method: su
-      become_user: postgres
+  become_user: postgres
-      community.postgresql.postgresql_db:
+  community.postgresql.postgresql_db:
-        name: "{{ etherpad_db_name }}"
+    name: "{{ etherpad_db_name }}"
-        owner: "{{ etherpad_db_user }}"
+    owner: "{{ etherpad_db_user }}"
 
-    - name: Add etherpad user
+- name: Add etherpad user
-      ansible.builtin.user:
+  ansible.builtin.user:
-        name: etherpad
+    name: etherpad
-        home: /var/lib/etherpad
+    home: /var/lib/etherpad
 
-    - name: Create log file
+- name: Create log file
-      ansible.builtin.file:
+  ansible.builtin.file:
-        path: /var/log/etherpad.log
+    path: /var/log/etherpad.log
-        state: touch
+    state: touch
-        owner: etherpad
+    owner: etherpad
-        group: etherpad
+    group: etherpad
-        mode: 0644
+    mode: 0644
 
-    - name: Create source directory
+- name: Create source directory
-      ansible.builtin.file:
+  ansible.builtin.file:
-        path: /opt/etherpad
+    path: /opt/etherpad
-        state: directory
+    state: directory
-        owner: etherpad
+    owner: etherpad
-        group: etherpad
+    group: etherpad
-        mode: 0755
+    mode: 0755
 
-    - name: Clone etherpad source
+- name: Clone etherpad source
-      become: yes
+  become: yes
-      become_method: su
+  become_method: su
-      become_user: etherpad
+  become_user: etherpad
-      ansible.builtin.git:
+  ansible.builtin.git:
-        repo: https://github.com/ether/etherpad-lite.git
+    repo: https://github.com/ether/etherpad-lite.git
-        version: master
+    version: master
-        dest: /opt/etherpad
+    dest: /opt/etherpad
-        accept_hostkey: yes
+    accept_hostkey: yes
-      notify: restart etherpad
+  notify: Restart etherpad
 
-    - name: Install etherpad config
+- name: Install etherpad config
-      ansible.builtin.template:
+  ansible.builtin.template:
-        src: settings.json
+    src: settings.json
-        dest: /opt/etherpad/settings.json
+    dest: /opt/etherpad/settings.json
-        owner: root
+    owner: root
-        group: root
+    group: root
-        mode: 0644
+    mode: 0644
-      notify: restart etherpad
+  notify: Restart etherpad
 
-    - name: Install etherpad service
+- name: Install etherpad service
-      ansible.builtin.template:
+  ansible.builtin.template:
-        src: etherpad.service
+    src: etherpad.service
-        dest: /etc/systemd/system/etherpad.service
+    dest: /etc/systemd/system/etherpad.service
-        owner: root
+    owner: root
-        group: root
+    group: root
-        mode: 0644
+    mode: 0644
-      notify: restart etherpad
+  notify: Restart etherpad
 
-    - name: Start etherpad
+- name: Start etherpad
-      ansible.builtin.systemd:
+  ansible.builtin.systemd:
-        daemon_reload: true
+    daemon_reload: true
-        name: etherpad
+    name: etherpad
-        state: started
+    state: started
-        enabled: yes
+    enabled: true
 
-    - name: Install nginx config
+- name: Install nginx config
-      ansible.builtin.template:
+  ansible.builtin.template:
-        src: nginx-site.conf
+    src: nginx-site.conf
-        dest: /etc/nginx/sites-enabled/etherpad
+    dest: /etc/nginx/sites-enabled/etherpad
-        owner: root
+    owner: root
-        group: root
+    group: root
-        mode: 0644
+    mode: 0644
-      notify: reload nginx
+  notify: Reload nginx
 
-    - name: Allow HTTP and HTTPS
-      ansible.builtin.iptables:
-        chain: INPUT
-        protocol: tcp
-        destination_port: "{{ item.port }}"
-        ctstate: NEW
-        jump: ACCEPT
-        ip_version: "{{ item.ip }}"
-        action: insert
-      with_items:
-        - { ip: ipv4, port: 80 }
-        - { ip: ipv4, port: 443 }
-        - { ip: ipv6, port: 80 }
-        - { ip: ipv6, port: 443 }
-      notify: persist iptables

roles/etherpad/tasks/requirements.yml

@@ -1,3 +1,5 @@
+---
+
 collections:
   - name: community.postgresql
     version: 2.3.2

roles/git-ci/defaults/main.yaml

@@ -1,2 +1,2 @@
 runner_wd: /var/lib/forgejo-runner
-runner_version: 3.4.1
+runner_version: 6.3.0

roles/git-ci/tasks/main.yaml

@@ -1,50 +1,50 @@
 ---
-- tags: forgejo_runner
-  block:
-    - name: Install dependencies
-      ansible.builtin.apt:
-        name: docker.io
 
-    - name: Download forgejo-runner
+- name: Install dependencies
-      ansible.builtin.get_url:
+  ansible.builtin.apt:
-        url: "https://code.forgejo.org/forgejo/runner/releases/download/v{{ runner_version }}/forgejo-runner-{{ runner_version }}-linux-amd64"
+    name: docker.io
-        dest: /usr/local/bin/forgejo-runner
-        mode: 0755
-      notify: restart forgejo-runner
 
-    - name: Create runner dir
+- name: Download forgejo-runner
-      ansible.builtin.file:
+  ansible.builtin.get_url:
-        state: directory
+    url: "https://code.forgejo.org/forgejo/runner/releases/download/v{{ runner_version }}/forgejo-runner-{{ runner_version }}-linux-amd64"
-        path: "{{ runner_wd }}"
+    dest: /usr/local/bin/forgejo-runner
-        owner: root
+    mode: 0755
-        group: root
+  notify: restart forgejo-runner
-        mode: 0755
 
-    - name: Register runner
+- name: Create runner dir
-      ansible.builtin.command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ lookup('passwordstore', 'git/ci subkey=runner_token') }}"
+  ansible.builtin.file:
-      args:
+    state: directory
-        chdir: "{{ runner_wd }}"
+    path: "{{ runner_wd }}"
-        creates: "{{ runner_wd }}/.runner"
+    owner: root
+    group: root
+    mode: 0755
 
-    - name: Install service file
+- name: Register runner
-      ansible.builtin.template:
+  ansible.builtin.command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ lookup('passwordstore', 'git/ci subkey=runner_token') }}"
-        src: forgejo-runner.service
+  args:
-        dest: /etc/systemd/system/forgejo-runner.service
+    chdir: "{{ runner_wd }}"
-        owner: root
+    creates: "{{ runner_wd }}/.runner"
-        group: root
-        mode: 0644
-      notify: restart forgejo-runner
 
-    - name: Enable service
+- name: Install service file
-      ansible.builtin.systemd:
+  ansible.builtin.template:
-        name: forgejo-runner
+    src: forgejo-runner.service
-        enabled: yes
+    dest: /etc/systemd/system/forgejo-runner.service
-        daemon_reload: true
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart forgejo-runner
 
-    - name: Start service
+- name: Enable service
-      ansible.builtin.systemd:
+  ansible.builtin.systemd:
-        name: forgejo-runner
+    name: forgejo-runner
-        state: started
+    enabled: true
-        daemon_reload: true
+    daemon_reload: true
 
-    - ansible.builtin.meta: flush_handlers
+- name: Start service
+  ansible.builtin.systemd:
+    name: forgejo-runner
+    state: started
+    daemon_reload: true
+
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers

roles/git-server/tasks/main.yaml

@@ -1,6 +1,4 @@
 ---
-- ansible.builtin.import_tasks:
-    file: ../../../snippets/common-nginx.yaml
 
 - name: Install dependencies
   ansible.builtin.apt:
@@ -16,14 +14,14 @@
     owner: root
     group: root
     mode: 0644
-  notify: reload nginx
+  notify: Reload nginx
 
 - name: Enable nginx site
   ansible.builtin.file:
     src: /etc/nginx/sites-available/forgejo
     dest: /etc/nginx/sites-enabled/forgejo
     state: link
-  notify: reload nginx
+  notify: Reload nginx
 
 - name: Create user
   ansible.builtin.user:
@@ -40,7 +38,6 @@
     group: "{{ git_server_user }}"
     mode: 0755
 
-
 # TODO: Install initial config
 
 - name: Install service file
@@ -50,7 +47,7 @@
     owner: root
     group: root
     mode: 0644
-  notify: reload forgejo
+  notify: Reload forgejo
 
 - name: Install update script
   ansible.builtin.template:
@@ -64,12 +61,12 @@
   ansible.builtin.command: "{{ git_server_working_dir }}/update.sh"
   args:
     creates: "{{ git_server_working_dir }}/forgejo"
-  notify: reload forgejo
+  notify: Reload forgejo
 
 - name: Enable service
   ansible.builtin.systemd:
     name: forgejo
-    enabled: yes
+    enabled: true
     daemon_reload: true
 
 - name: Start service
@@ -83,23 +80,6 @@
     src: cronjob
     dest: /etc/cron.d/forgejo
 
-- name: Allow Git SSH, HTTP and HTTPS
+- name: Debug
-  ansible.builtin.iptables:
+  ansible.builtin.debug:
-    chain: INPUT
+    msg: "If Forgejo has not been setup yet, please do so manually."
-    protocol: tcp
-    destination_port: "{{ item.port }}"
-    ctstate: NEW
-    jump: ACCEPT
-    ip_version: "{{ item.ip }}"
-    action: insert
-  with_items:
-    - { ip: ipv4, port: 80 }
-    - { ip: ipv4, port: 22 }
-    - { ip: ipv4, port: 443 }
-    - { ip: ipv6, port: 80 }
-    - { ip: ipv6, port: 22 }
-    - { ip: ipv6, port: 443 }
-  notify: persist iptables
-
-- ansible.builtin.debug:
-    msg: If Forgejo has not been setup yet, please do so manually.

roles/go/tasks/main.yaml

@@ -19,11 +19,11 @@
       register: go_latest_version_shell
 
     - name: Format Go latest version variable
-      set_fact:
+      ansible.builtin.set_fact:
         go_latest_version: "{{ go_latest_version_shell.stdout }}"
 
     - name: Detect installed Go version
-      shell: "go version | grep --color=never -Po '\\d\\.\\d+(\\.\\d+)?' || echo none"
+      ansible.builtin.shell: "go version | grep --color=never -Po '\\d\\.\\d+(\\.\\d+)?' || echo none"
       register: go_installed_version_shell
       changed_when: false
 
@@ -31,19 +31,20 @@
       set_fact:
         go_installed_version: "{{ go_installed_version_shell.stdout }}"
 
-    - debug:
+    - name: Debug
+      ansible.builtin.debug:
         msg:
           - "Latest Go version: {{ go_latest_version}}"
           - "Installed Go version: {{ go_installed_version }}"
 
     - name: Remove installed go
-      file:
+      ansible.builtin.file:
         state: absent
         path: /usr/local/go
       when: go_installed_version != go_latest_version
 
     - name: Install Go
-      unarchive:
+      ansible.builtin.unarchive:
         src: https://go.dev/dl/go{{ go_latest_version }}.linux-{{ go_arch }}.tar.gz
         dest: /usr/local
         remote_src: yes
@@ -52,7 +53,7 @@
       when: go_installed_version != go_latest_version
 
     - name: Configure Go environment
-      template:
+      ansible.builtin.template:
         src: go.profile
         dest: /etc/profile.d/go.sh
         owner: root
@@ -60,7 +61,7 @@
         mode: 0644
 
     - name: Link go binary
-      file:
+      ansible.builtin.file:
         state: link
         src: /usr/local/go/bin/go
         dest: /usr/local/bin/go

roles/monitoring/tasks/main.yaml

@@ -1,45 +1,26 @@
 ---
-- name: monitoring
-  tags: monitoring
-  block:
-    - ansible.builtin.import_tasks:
-        file: ../../../snippets/common-nginx.yaml
 
-    - name: Install nginx site
+- name: Install nginx site
-      ansible.builtin.template:
+  ansible.builtin.template:
-        src: nginx-site.conf
+    src: nginx-site.conf
-        dest: /etc/nginx/sites-available/monitoring
+    dest: /etc/nginx/sites-available/monitoring
-        owner: root
+    owner: root
-        group: root
+    group: root
-        mode: 0644
+    mode: 0644
-      notify: reload nginx
+  notify: Reload nginx
 
-    - name: Enable nginx site
+- name: Enable nginx site
-      ansible.builtin.file:
+  ansible.builtin.file:
-        src: /etc/nginx/sites-available/monitoring
+    src: /etc/nginx/sites-available/monitoring
-        dest: /etc/nginx/sites-enabled/monitoring
+    dest: /etc/nginx/sites-enabled/monitoring
-        state: link
+    state: link
-      notify: reload nginx
+  notify: Reload nginx
 
-    - name: Start nginx
+- name: Start nginx
-      ansible.builtin.systemd:
+  ansible.builtin.systemd:
-        name: nginx
+    name: nginx
-        state: started
+    state: started
-        enabled: yes
+    enabled: true
-
-    - name: Allow HTTP/HTTPS
-      ansible.builtin.iptables:
-        chain: INPUT
-        protocol: tcp
-        destination_port: "{{ item.port }}"
-        ctstate: NEW
-        jump: ACCEPT
-        ip_version: "{{ item.ip }}"
-        action: insert
-      with_items:
-        - { ip: ipv6, port: 80 }
-        - { ip: ipv6, port: 443 }
-      notify: persist iptables
 
 - name: mqtt_exporter
   tags: mqtt_exporter

roles/monitoring/tasks/mqtt_exporter.yaml

@@ -10,6 +10,7 @@
 - name: Install apt dependencies
   ansible.builtin.apt:
     name:
+      - jq
       - python3-paho-mqtt
       - python3-prometheus-client
       - python3-yaml
@@ -23,7 +24,7 @@
     group: root
     mode: 0644
   notify:
-    - daemon reload
+    - Daemon reload
     - restart mqtt_exporter
 
 - name: Install config file
@@ -34,7 +35,7 @@
     group: root
     mode: 0644
   notify:
-    - daemon reload
+    - Daemon reload
     - restart mqtt_exporter
 
 - ansible.builtin.meta: flush_handlers

roles/monitoring/templates/grafana.ini

@@ -69,6 +69,9 @@ level = info
 [grafana_com]
 url = https://grafana.com
 
+[auth]
+oauth_allow_insecure_email_lookup=true
+
 [auth.anonymous]
 enabled = true
 org_name = Bitlair

roles/monitoring/templates/mqtt_exporter_config.yaml

@@ -15,7 +15,8 @@ export:
   - subscribe: bitlair/#
   - subscribe: bitlair/climate/+location/#
   - subscribe: bitlair/climate/+location/dust_mass/+size
-  - subscribe: bitlair/power/+net/+group/#
+  - subscribe: bitlair/power/+net/+group/now_w
+  - subscribe: bitlair/power/+net/total_kwh
   - subscribe: bitlair/wifi/+ssid/#
 
   - subscribe: bitlair/state
@@ -35,10 +36,10 @@ export:
     labels:
       product: payload
 
-  - subscribe: bitlair/collectd/bitlair-5406/snmp/if_octets-traffic.D15
+  - subscribe: bitlair/collectd/bitlair4-sw-24p/snmp/if_octets-traffic.24
     metric_name: bitlair_internet_rx
     value_regex: "^.+:(.+):"
-  - subscribe: bitlair/collectd/bitlair-5406/snmp/if_octets-traffic.D15
+  - subscribe: bitlair/collectd/bitlair4-sw-24p/snmp/if_octets-traffic.24
     metric_name: bitlair_internet_tx
     value_regex: "^.+:.+:([\\d\\.]+)"
 
@@ -56,3 +57,29 @@ export:
   - subscribe: bitlair/power/shelly/+num/status/switch:0
     metric_name: bitlair_power_shelly
     value_json: .apower
+
+  - subscribe: bambulab/device/+serial/report
+    metric_name: bambulab_nozzle_temperature
+    value_json: .print.nozzle_temper
+  - subscribe: bambulab/device/+serial/report
+    metric_name: bambulab_nozzle_target_temperature
+    value_json: .print.nozzle_target_temper
+  - subscribe: bambulab/device/+serial/report
+    metric_name: bambulab_bed_temperature
+    value_json: .print.bed_temper
+  - subscribe: bambulab/device/+serial/report
+    metric_name: bambulab_bed_target_temperature
+    value_json: .print.bed_target_temper
+  - subscribe: bambulab/device/+serial/report
+    metric_name: bambulab_chamber_temperature
+    value_json: .print.chamber_temper
+  - subscribe: bambulab/device/+serial/report
+    metric_name: bambulab_ams_humidity
+    value_json: .print.ams.ams[0].humidity
+  - subscribe: bambulab/device/+serial/report
+    metric_name: bambulab_print_progress
+    value_json: .print.mc_percent
+  - subscribe: bambulab/device/+serial/report
+    metric_name: bambulab_print_status
+    metric_type: info
+    value_json: .print.gcode_state

roles/mqtt-internal/tasks/main.yaml

@@ -1,27 +0,0 @@
----
-- name: mqtt-internal
-  tags: mqtt_internal
-  block:
-    - name: Install dependencies
-      ansible.builtin.apt:
-        name:
-          - mosquitto
-          - avahi-daemon
-
-    - name: Configure Mosquitto
-      ansible.builtin.template:
-        src: "{{ item }}"
-        dest: "/etc/mosquitto/conf.d/{{ item }}"
-        owner: root
-        group: root
-        mode: 0644
-      notify: restart mosquitto
-      with_items:
-        - internal.conf
-        - public-bridge.conf
-
-    - name: Start mosquitto
-      ansible.builtin.systemd:
-        name: mosquitto
-        state: started
-        enabled: yes

roles/mqtt/defaults/main.yaml

@@ -0,0 +1 @@
+mqtt_bambulab_cafile: /etc/mosquitto/ca_certificates/bambulab.pem

roles/mqtt/tasks/main.yaml

@@ -0,0 +1,32 @@
+---
+
+- name: Install dependencies
+  ansible.builtin.apt:
+    name:
+      - mosquitto
+      - avahi-daemon
+
+- name: Install bambulab cafile
+  # openssl s_client -showcerts -connect <ip>:8883 </dev/null | sed -n -e '/-.BEGIN/,/-.END/ p'
+  ansible.builtin.copy:
+    dest: "{{ mqtt_bambulab_cafile }}"
+    content: "{{ lookup('passwordstore', 'bambulab subkey=cafile') }}"
+
+- name: Configure Mosquitto
+  ansible.builtin.template:
+    src: "{{ item }}"
+    dest: "/etc/mosquitto/conf.d/{{ item }}"
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart mosquitto
+  with_items:
+    - bambulab.conf
+    - internal.conf
+    - public-bridge.conf
+
+- name: Start mosquitto
+  ansible.builtin.systemd:
+    name: mosquitto
+    state: started
+    enabled: true

roles/mqtt/templates/bambulab.conf

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+connection bambulab
+address {{ lookup('passwordstore', 'bambulab subkey=host') }}:8883
+bridge_cafile {{ mqtt_bambulab_cafile }}
+bridge_insecure true
+remote_username bblp
+remote_password {{ lookup('passwordstore', 'bambulab subkey=key') }}
+
+topic # in 2 bambulab/ ""

roles/mqtt/templates/internal.conf

@@ -1,4 +1,4 @@
-# Managed by Ansible
+# {{ ansible_managed }}
 
 listener 1883 ::
 listener 1883 0.0.0.0

roles/mqtt/templates/public-bridge.conf

@@ -1,8 +1,9 @@
-# Managed by Ansible
+# {{ ansible_managed }}
 
 connection public-bridge
 address {{ mqtt_public_host }}
 
+topic bambulab/# out
 topic bitlair/alarm out
 topic bitlair/climate/# out
 topic bitlair/collectd/bitlair-5406/snmp/# out

roles/music/handlers/main.yaml

@@ -2,37 +2,37 @@
 - ansible.builtin.import_tasks:
     file: ../../common/handlers/main.yaml
 
-- name: restart trollibox
+- name: Restart trollibox
   ansible.builtin.systemd:
     name: trollibox
     state: restarted
     daemon_reload: true
 
-- name: rebuild librespot
+- name: Rebuild librespot
   ansible.builtin.command:
     cmd: /root/.cargo/bin/cargo build --release --features jackaudio-backend
   args:
     chdir: /opt/librespot
 
-- name: restart librespot
+- name: Restart librespot
   ansible.builtin.systemd:
     name: librespot
     state: restarted
     daemon_reload: true
 
-- name: restart soundboard
+- name: Restart soundboard
   ansible.builtin.systemd:
     name: soundboard
     state: restarted
     daemon_reload: true
 
-- name: restart mpd-volume-to-mqtt
+- name: Restart mpd-volume-to-mqtt
   ansible.builtin.systemd:
     name: mpd-volume-to-mqtt
     state: restarted
     daemon_reload: true
 
-- name: restart skipbutton
+- name: Restart skipbutton
   ansible.builtin.systemd:
     name: skipbutton
     state: restarted

roles/music/tasks/librespot.yaml

@@ -11,8 +11,8 @@
     dest: /opt/librespot
     accept_hostkey: yes
   notify:
-    - rebuild librespot
+    - Rebuild librespot
-    - restart librespot
+    - Restart librespot
 
 - name: Install service file
   ansible.builtin.template:
@@ -21,7 +21,7 @@
     owner: root
     group: root
     mode: 0644
-  notify: restart librespot
+  notify: Restart librespot
 
 - name: Enable Librespot
   ansible.builtin.systemd:

roles/music/tasks/main.yaml

@@ -1,30 +1,34 @@
 ---
-- tags: music_mpd
+
+- name: Import mpd
   ansible.builtin.import_tasks:
     file: mpd.yaml
+  tags:
+    - music_mpd
 
-- tags: music_trollibox
+- name: Import trollibox
   ansible.builtin.import_tasks:
     file: trollibox.yaml
+  tags:
+    - music_trollibox
 
-- tags: music_librespot
+- name: Librespot
   ansible.builtin.import_tasks:
     file: librespot.yaml
+  tags:
+    - music_librespot
 
-- tags: music_soundboard
+- name: Soundboard
   ansible.builtin.import_tasks:
     file: soundboard.yaml
+  tags:
+    - music_soundboard
 
-- tags: music
+- name: Install nginx config
-  block:
+  ansible.builtin.template:
-    - ansible.builtin.import_tasks:
+    src: nginx-site.conf
-        file: ../../../snippets/common-nginx.yaml
+    dest: /etc/nginx/sites-enabled/trollibox
-
+    owner: root
-    - name: Install nginx config
+    group: root
-      ansible.builtin.template:
+    mode: 0644
-        src: nginx-site.conf
+  notify: Reload nginx
-        dest: /etc/nginx/sites-enabled/trollibox
-        owner: root
-        group: root
-        mode: 0644
-      notify: reload nginx

roles/music/tasks/mpd.yaml

@@ -1,4 +1,5 @@
 ---
+
 - name: Install MPD
   ansible.builtin.apt:
     name:
@@ -15,7 +16,7 @@
     owner: root
     group: root
     mode: 0644
-  notify: restart mpd-volume-to-mqtt
+  notify: Restart mpd-volume-to-mqtt
 
 - name: Install mpd-volume-to-mqtt service
   ansible.builtin.template:
@@ -24,7 +25,7 @@
     owner: root
     group: root
     mode: 0644
-  notify: restart mpd-volume-to-mqtt
+  notify: Restart mpd-volume-to-mqtt
 
 - name: Enable mpd-volume-to-mqtt
   ansible.builtin.systemd:
@@ -39,7 +40,7 @@
     version: master
     dest: /opt/skipbutton
     accept_hostkey: yes
-  notify: restart skipbutton
+  notify: Restart skipbutton
 
 - name: Install skipbutton service
   ansible.builtin.template:
@@ -48,7 +49,7 @@
     owner: root
     group: root
     mode: 0644
-  notify: restart skipbutton
+  notify: Restart skipbutton
 
 - name: Enable skipbutton
   ansible.builtin.systemd:

roles/music/tasks/soundboard.yaml

@@ -10,7 +10,7 @@
     version: main
     dest: /opt/soundboard
     accept_hostkey: yes
-  notify: restart soundboard
+  notify: Restart soundboard
 
 - name: Create virtualenv
   ansible.builtin.command:
@@ -31,7 +31,7 @@
     owner: root
     group: root
     mode: 0644
-  notify: restart soundboard
+  notify: Restart soundboard
 
 - name: Install soundboard service file
   ansible.builtin.template:
@@ -40,7 +40,7 @@
     owner: root
     group: root
     mode: 0644
-  notify: restart soundboard
+  notify: Restart soundboard
 
 - name: Enable soundboard
   ansible.builtin.systemd:

roles/music/tasks/trollibox.yaml

@@ -5,8 +5,8 @@
     dest: /etc/trollibox.yaml
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
-  notify: restart trollibox
+  notify: Restart trollibox
 
 - name: Get latest Trollibox version from Github API
   ansible.builtin.get_url:
@@ -25,8 +25,8 @@
     remote_src: yes
     dest: /usr/local/bin
     include: [ trollibox ]
-    mode: 0755
+    mode: "0755"
-  notify: restart trollibox
+  notify: Restart trollibox
 
 - name: Install service file
   ansible.builtin.template:
@@ -34,8 +34,8 @@
     dest: /etc/systemd/system/trollibox.service
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
-  notify: restart trollibox
+  notify: Restart trollibox
 
 - name: Enable Trollibox
   ansible.builtin.systemd:

roles/nft/defaults/main.yaml

@@ -0,0 +1,33 @@
+---
+
+nft: true   # Overrule om geen nftables uit te rollen
+nft_main_config:            "/etc/nftables.conf"
+
+# Default policies per chain ( drop / reject / accept )
+nft_policy_input:           "drop"
+nft_policy_forward:         "accept"
+nft_policy_output:          "accept"
+# Same for nat traffic
+nft_policy_prerouting:  "accept"
+nft_policy_postrouting: "accept"
+
+# Host/Port allows
+nft_group_rules: []
+
+# And per host/group additions to rules:
+group_nft_input: []
+group_nft_forward: []
+group_nft_output: []
+
+host_nft_input: []
+host_nft_forward: []
+host_nft_output: []
+
+group_nft_postrouting: []
+host_nft_postrouting: []
+group_nft_prerouting: []
+host_nft_prerouting: []
+
+nft_defines: []
+nft_defines_group: []
+

roles/nft/handlers/main.yaml

@@ -0,0 +1,13 @@
+---
+
+- name: Reload nftables
+  ansible.builtin.systemd:
+    name: "nftables"
+    state: reloaded
+    enabled: true
+  tags:
+    - nft
+    - nftservice
+  when:
+    - nft|bool
+

roles/nft/tasks/main.yaml

@@ -0,0 +1,47 @@
+---
+
+- name: Install nftables related packages
+  ansible.builtin.apt:
+    state: present
+    pkg:
+      - nftables
+      - net-tools
+      - ipset
+
+- name: Template nftables.conf
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "root"
+    group: "root"
+    mode: "0700"
+    validate: "{{ item.validate | default() }}"
+  with_items:
+    - { src: "nftables.conf.j2", dest: "{{ nft_main_config }}",
+        backup: "yes", validate: "/usr/sbin/nft -c -f %s" }
+  tags:
+    - nft
+    - nftconfig
+  when:
+    - nft | bool
+  notify:
+    - Reload nftables
+
+- name: Cleanup netfilter packages
+  ansible.builtin.apt:
+    state: absent
+    pkg:
+      - netfilter-persistent
+  when:
+    - nft | bool
+
+- name: Cleanup iptables stuff
+  ansible.builtin.file:
+    state: absent
+    path: "{{ item }}"
+  with_items:
+    - "/etc/iptables/rules/v4"
+    - "/etc/iptables/rules/v6"
+    - "/etc/iptables"
+  when:
+    - nft | bool

roles/nft/templates/nftables.conf.j2

@@ -0,0 +1,182 @@
+#!/usr/sbin/nft -f
+# {{ ansible_managed }}
+
+flush ruleset
+
+table inet filter {
+
+# Named sets
+set trusted4 {
+    type ipv4_addr
+    flags interval
+    elements = {
+{% for ip in trusted_ranges %}
+{%     if ip.v == 'ipv4' %}
+        {{ ip.cidr }}, # {{ ip.comment | default('') }}
+{%     endif %}
+{% endfor %}
+    }
+}
+
+set trusted6 {
+    type ipv6_addr
+    flags interval
+    elements = {
+{% for ip in trusted_ranges %}
+{%     if ip.v == 'ipv6' %}
+        {{ ip.cidr }}, # {{ ip.comment | default('') }}
+{%     endif %}
+{% endfor %}
+    }
+}
+
+
+# Firewall chains
+    chain input {
+        type filter hook input priority 0;
+        policy {{ nft_policy_input }};
+
+        # Established connections
+        ct state established,related accept
+        ct state invalid counter drop comment "drop invalid packets"
+
+        # Limit icmp echo/reply
+        ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets log prefix "high icmp-echo rate: " drop
+        # icmp6 from trusted ranges
+        ip6 nexthdr icmpv6 icmpv6 type echo-request accept
+        # icmpv6 from the rest of the world
+        ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets log prefix "high icmp6-echo rate: " drop
+
+        # Loopback traffic
+        iifname lo accept
+
+        # icmp
+        ip protocol icmp icmp type {
+            destination-unreachable,
+            echo-reply,
+            echo-request,
+            source-quench,
+            time-exceeded
+        } accept
+
+        # icmp6
+        ip6 nexthdr icmpv6 icmpv6 type {
+            destination-unreachable,
+            echo-reply,
+            echo-request,
+            nd-neighbor-solicit,
+            nd-router-advert,
+            nd-neighbor-advert,
+            packet-too-big,
+            parameter-problem,
+            time-exceeded
+        } accept
+
+        # Open ssh only for trusted machines
+        ip saddr @trusted4 tcp dport { {{ trusted_ports | join(', ') }} } accept
+        ip6 saddr @trusted6 tcp dport { {{ trusted_ports | join(', ') }} } accept
+
+        # Rules based on group-vars
+{% for custom in nft_group_rules %}
+{%     if custom.comment is defined %}
+        # {{ custom.comment | default('') }}
+{%     endif %}
+        {{ custom.version | default('ip') }} saddr { {{ custom.from | join(', ') }} } {{ custom.proto | default('tcp') }} dport { {{ custom.port }} } {{ custom.policy | default('accept') }}
+
+{% endfor %}
+
+{% for rule in group_nft_input %}
+        # Group input rules
+        {{ rule }}
+{% endfor %}
+{% for rule in host_nft_input %}
+        # Host input rules
+        {{ rule }}
+{% endfor %}
+    }
+    chain forward {
+        type filter hook forward priority 0;
+        policy {{ nft_policy_forward }};
+
+        ct state established,related accept
+
+{% for rule in group_nft_forward %}
+        # Group forward rules
+        {{ rule }}
+{% endfor %}
+{% for rule in host_nft_forward %}
+        # Host forward rules
+        {{ rule }}
+{% endfor %}
+
+        counter comment "count dropped incoming packets"
+    }
+    chain output {
+        type filter hook output priority 0;
+        policy {{ nft_policy_output }};
+
+        # Established connections
+        ct state established,related accept
+        ct state invalid counter drop comment "drop invalid packets"
+
+        # icmp
+        ip protocol icmp icmp type {
+            destination-unreachable,
+            echo-reply,
+            echo-request,
+            source-quench,
+            time-exceeded
+        } accept
+
+        # icmp6
+        ip6 nexthdr icmpv6 icmpv6 type {
+            destination-unreachable,
+            echo-reply,
+            echo-request,
+            nd-neighbor-solicit,
+            nd-router-advert,
+            nd-neighbor-advert,
+            packet-too-big,
+            parameter-problem,
+            time-exceeded
+        } accept
+
+{% for rule in group_nft_output %}
+        # Group output rules
+        {{ rule }}
+{% endfor %}
+{% for rule in host_nft_output %}
+        # Host output rules
+        {{ rule }}
+{% endfor %}
+        counter comment "count dropped outgoing packets"
+    }
+}
+
+table ip nat {
+    chain prerouting {
+        type nat hook prerouting priority 100
+        policy {{ nft_policy_prerouting }};
+{% for rule in group_nft_prerouting %}
+        # Group prerouting rules
+        {{ rule }}
+{% endfor %}
+{% for rule in host_nft_prerouting %}
+        # Host prerouting rules
+        {{ rule }}
+{% endfor %}
+    }
+    chain postrouting {
+        type nat hook postrouting priority 100
+        policy {{ nft_policy_postrouting }};
+
+{% for rule in group_nft_postrouting %}
+        # Group postrouting rules
+        {{ rule }}
+{% endfor %}
+{% for rule in host_nft_postrouting %}
+        # Host postrouting rules
+        {{ rule }}
+{% endfor %}
+    }
+}

roles/nginx/defaults/main.yaml

@@ -0,0 +1,15 @@
+---
+
+nginx_package:              "nginx-light"
+nginx_user:                 "www-data"
+nginx_modules_dir:          "/etc/nginx/modules-enabled"
+
+nginx_tls_version:          "TLSv1.2 TLSv1.3"
+nginx_tls_cipherlist:       "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:!SHA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
+nginx_tls_curve:            "prime256v1:secp384r1"
+nginx_tls_cache_size:       "10m"
+nginx_tls_session_timeout:  "1h"
+nginx_ssl_stapling:         "on"
+nginx_ssl_stapling_verify:  "on"
+nginx_wk_acme:              "/var/lib/dehydrated/acme-challenges"
+nginx_client_max_body_size: "32m"

roles/nginx/handlers/main.yaml

@@ -0,0 +1,11 @@
+---
+
+- name: Reload nginx
+  ansible.builtin.systemd:
+    name: nginx
+    state: reloaded
+    enabled: true
+  listen: "Reload app-services"
+  when:
+    - nginx_sites is defined
+

roles/nginx/tasks/main.yaml

@@ -0,0 +1,87 @@
+---
+
+- name: Install nginx base package
+  ansible.builtin.apt:
+    name: "{{ nginx_package }}"
+    state: present
+  when:
+    - nginx_sites is defined
+
+- name: Install bootstrap cert
+  ansible.builtin.apt:
+    name: "ssl-cert"
+    state: present
+  when:
+    - nginx_bootstrap_certs is defined and nginx_bootstrap_certs
+
+- name: Create sites-available / sites-enabled directories
+  ansible.builtin.file:
+    state: directory
+    path: "{{ item.path }}"
+    owner: "{{ item.owner | default('root') }}"
+    group: "{{ item.group | default('root') }}"
+    mode: "{{ item.mode | default('0755') }}"
+  with_items:
+    - { path: "/etc/nginx/sites-available" }
+    - { path: "/etc/nginx/sites-enabled" }
+  notify: Reload nginx
+  when:
+    - nginx_sites is defined
+
+- name: Template default nginx config files
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "{{ item.owner | default('root') }}"
+    group: "{{ item.group | default('root') }}"
+    mode: "{{ item.mode | default('0644') }}"
+    force: "{{ item.force | default('yes') }}"
+    backup: true
+  loop_control:
+    label: "{{ item.dest }}"
+  with_items:
+    - { src: "etc-nginx.conf.j2",   dest: "/etc/nginx/nginx.conf", notify: "Reload nginx" }
+    - { src: "tls_params.j2",       dest: "/etc/nginx/tls_params", notify: "Reload nginx" }
+    - { src: "default.j2",          dest: "/etc/nginx/sites-available/default", notify: "Reload nginx" }
+#    - { src: "dhparam.pem.j2", dest: "{{ nginx_dhparams_file }}", notify: "Reload nginx" }
+#    - { src: "check_nginx.j2", dest: "{{ nagios_plugin_location }}/check_nginx", mode: '755' }
+#    - { src: "nrpe-check_nginx.j2", dest: "/etc/nagios/nrpe.d/10-nginx.cfg", notify: "Restart nrpe" }
+  notify: "{{ item.notify | default(omit) }}"
+  when:
+    - nginx_sites is defined
+
+- name: Template site-specific configs
+  ansible.builtin.template:
+    src: "site.conf.j2"
+    dest: "/etc/nginx/sites-available/{{ site.server_name }}.conf"
+    owner: "{{ site.owner | default('root') }}"
+    group: "{{ site.group | default('root') }}"
+    mode:  "{{ site.mode  | default('0644') }}"
+    force: "{{ site.force | default('yes') }}"
+    backup: true
+  loop: "{{ nginx_sites }}"
+  loop_control:
+    loop_var: site
+    label: "{{ site.server_name }}"
+  notify: Reload nginx
+  when:
+    - nginx_sites is defined
+  tags:
+    - nginxextra
+    - nginx_site
+
+- name: Enable nginx sites
+  ansible.builtin.file:
+    src: "/etc/nginx/sites-available/{{ site.server_name }}.conf"
+    path: "/etc/nginx/sites-enabled/{{ site.server_name }}.conf"
+    state: "{% if site.disabled | default(false) %}absent{% else %}link{% endif %}"
+    mode: "0644"
+  loop: "{{ nginx_sites }}"
+  loop_control:
+    loop_var: site
+    label: "{{ site.server_name }}"
+  notify: Reload nginx
+  when:
+    - nginx_sites is defined
+  ignore_errors: "{{ ansible_check_mode }}"
+

roles/nginx/templates/default.j2

@@ -0,0 +1,37 @@
+# {{ ansible_managed }}
+
+server {
+    listen 80 default_server;
+    listen [::]:80;
+
+    server_name {{ inventory_hostname }};
+
+    # Accept ACME-Challenges over http
+    location ^~ /.well-known/acme-challenge/ {
+        alias {{ nginx_wk_acme }}/;
+    }
+
+    # Block .ht files
+    location ~ /\.ht {
+        deny all;
+    }
+
+    # Redirect everything to https by default
+    location / {
+        return 301 https://$host$request_uri;
+    }
+
+    location /server_status {
+        # Enable Nginx stats
+        stub_status on;
+        # Only allow access from localhost
+        allow 127.0.0.1;
+        # Other request should be denied
+        deny all;
+    }
+}
+
+{% for line in nginx_default_extra | default([]) %}
+{{ line }}
+{% endfor %}
+

roles/nginx/templates/etc-nginx.conf.j2

@@ -0,0 +1,39 @@
+# {{ ansible_managed }}
+
+user                {{ nginx_user }};
+worker_processes    auto;
+pid                 /run/nginx.pid;
+worker_rlimit_nofile 16384;
+include             {{ nginx_modules_dir }}/*.conf;
+
+events {
+       worker_connections 768;
+}
+
+http {
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    server_tokens off;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    # Default nginx log format with $request time added
+    log_format bitlair '$remote_addr - $remote_user [$time_local] '
+                    '"$request" $status $body_bytes_sent '
+                    '"$http_referer" "$http_user_agent" $request_time';
+    access_log /var/log/nginx/access.log bitlair;
+
+    gzip on;
+    gzip_disable "msie6";
+
+{% for line in nginx_http_extra | default([]) %}
+    {{ line }}
+{% endfor %}
+
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+}

roles/nginx/templates/site.conf.j2

@@ -0,0 +1,47 @@
+# {{ ansible_managed }}
+
+{% for line in site.pre_config | default([]) %}
+{{ line }}
+{% endfor %}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name {{ site.server_name | default(inventory_hostname) }}{% if site.server_alias is defined %} {{ site.server_alias }}{% endif %};
+
+    include /etc/nginx/tls_params;
+    {% if nginx_bootstrap_certs | default(false) %}
+    include "snippets/snakeoil.conf";
+    {% else %}
+    ssl_certificate        /var/lib/dehydrated/certs/{{ site.server_name }}/fullchain.pem;
+    ssl_certificate_key    /var/lib/dehydrated/certs/{{ site.server_name }}/privkey.pem;
+    {% endif %}
+
+    index {{ nginx_index | default('index.php index.html index.htm') }};
+    client_max_body_size {{ nginx_client_max_body_size }};
+
+    location ~ /\.ht {
+        deny all;
+    }
+
+    access_log  /var/log/nginx/{{ site.server_name }}.access.log bitlair;
+    error_log   /var/log/nginx/{{ site.server_name }}.error.log;
+
+{% if site.localproxy is defined %}
+    location / {
+        proxy_pass http://localhost:{{ site.localproxy }}/;
+        include proxy_params;
+    }
+{% endif %}
+
+    # Include snippets
+{% for file in site.snippets | default([]) %}
+{%   include "snippets/" ~ file %}
+{% endfor %}
+
+    # Per site configuration
+{% for line in site.config | default([]) %}
+    {{ line }}
+{% endfor %}
+}

roles/nginx/templates/snippets

@@ -0,0 +1 @@
+../../../snippets/

roles/nginx/templates/tls_params.j2

@@ -0,0 +1,22 @@
+# {{ ansible_managed }}
+
+ssl_session_timeout         {{ nginx_tls_session_timeout }};
+ssl_session_tickets         off;
+
+ssl_prefer_server_ciphers   on;
+ssl_session_cache           shared:SSL:{{ nginx_tls_cache_size }};
+
+ssl_protocols               {{ nginx_tls_version }};
+ssl_ciphers                 {{ nginx_tls_cipherlist }};
+ssl_ecdh_curve              {{ nginx_tls_curve }};
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+add_header                  Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+add_header                  X-Frame-Options "sameorigin";
+add_header                  X-Content-Type-Options "nosniff";
+add_header                  X-Robots-Tag noindex;
+
+# OCSP stapling
+ssl_stapling                {{ nginx_ssl_stapling }};
+ssl_stapling_verify         {{ nginx_ssl_stapling_verify }};
+

roles/photos/tasks/bambulab-fetch.yaml

@@ -33,5 +33,5 @@
   ansible.builtin.systemd:
     name: bambulab-fetch
     state: started
-    enabled: yes
+    enabled: true
     daemon_reload: true

roles/photos/tasks/photo-gallery.yaml

@@ -33,5 +33,5 @@
   ansible.builtin.systemd:
     name: photo-gallery
     state: started
-    enabled: yes
+    enabled: true
     daemon_reload: true