Compare commits


No commits in common. "main" and "linting" have entirely different histories.

130 changed files with 740 additions and 1605 deletions


@ -1,17 +0,0 @@
---
extends: relaxed
rules:
# 80 chars should be enough, but don't fail if a line is longer
line-length:
max: 200
level: warning
empty-lines:
max: 2
max-start: 1
max-end: 1
colons:
max-spaces-after: -1
commas:
max-spaces-after: -1


@ -1,3 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ0ryG8LT5ryjc3tZggVP0cxjXoKOPzUIwmB9Yez+u3nDHc3RdLR0V/BdcVPCJl9vOQwsFaTE34ZEZ3A6qkcSaz2Npxqq0eFtcEAKTy9w41C6jE586jkwkednSK9ObFFZnlSA3ielYeB5bRuELHyvazHWSUGn+/nzuujAYpEABRGAlt0IV2eMugsb1aEs5v8/Hw3REGz6IeNBwlVOzDznGK4N0b1es270k2fpkD0XMRnga7x2eduD74gRYJHo41sKz6kqHFfXjvrH6Efrn5sNtTF7pIkPfeiX4ukDQYG6Ynxgkdbi1pMg5zGjjjRZ0iExKqNi+jtZhVewqFvj66vLX arjan@koopen.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ0ryG8LT5ryjc3tZggVP0cxjXoKOPzUIwmB9Yez+u3nDHc3RdLR0V/BdcVPCJl9vOQwsFaTE34ZEZ3A6qkcSaz2Npxqq0eFtcEAKTy9w41C6jE586jkwkednSK9ObFFZnlSA3ielYeB5bRuELHyvazHWSUGn+/nzuujAYpEABRGAlt0IV2eMugsb1aEs5v8/Hw3REGz6IeNBwlVOzDznGK4N0b1es270k2fpkD0XMRnga7x2eduD74gRYJHo41sKz6kqHFfXjvrH6Efrn5sNtTF7pIkPfeiX4ukDQYG6Ynxgkdbi1pMg5zGjjjRZ0iExKqNi+jtZhVewqFvj66vLX arjan@koopen.net
ssh-rsa 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 arjan@koopen.net SL


@ -1,4 +1,2 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUIAkaRsvb6cD1XIGF80JpMH1mYE9XhCgptOkt9AfloZQlO7Ds5XeCwJk5/TsoidTcb/0yFUov8SMwaIVtrFfkNUqqeAsfm3luJ4JwOXeCwrXD6W7c5Wqg/FGNH0eZr0kEnxpNS10L72+oNBQgnlSNjqWS29lEmXApKQ3IKy6aP9cMwEh25fsH/2G7mHsZX2UMPK0tZPC6MPxY5P9PWLIulUpsX96c6OcAvGYIvsCnecsVsTdhK36w4Z/t7XoLFz5X6k3eXT7gG4SMGuBixjroTUhumWzgJJ6T1Nn/eESe7Im8krlzO/0hG/F8uBy3s04TAJuXFmygvtC4YLyq91U5 Sig-I/O Beheer key ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUIAkaRsvb6cD1XIGF80JpMH1mYE9XhCgptOkt9AfloZQlO7Ds5XeCwJk5/TsoidTcb/0yFUov8SMwaIVtrFfkNUqqeAsfm3luJ4JwOXeCwrXD6W7c5Wqg/FGNH0eZr0kEnxpNS10L72+oNBQgnlSNjqWS29lEmXApKQ3IKy6aP9cMwEh25fsH/2G7mHsZX2UMPK0tZPC6MPxY5P9PWLIulUpsX96c6OcAvGYIvsCnecsVsTdhK36w4Z/t7XoLFz5X6k3eXT7gG4SMGuBixjroTUhumWzgJJ6T1Nn/eESe7Im8krlzO/0hG/F8uBy3s04TAJuXFmygvtC4YLyq91U5
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyKprIcR81+RFSBxU3iyW4vd0ctr0q1Pqifzxbro+0C mark@x240-ed25519 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyKprIcR81+RFSBxU3iyW4vd0ctr0q1Pqifzxbro+0C
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGc3py/K9wUSF86SIMv2AWtVAxEb1ZEy7BEz7VrGeZp/ sigio@t14


@ -1,8 +1,8 @@
--- ---
- hosts: bank - hosts: bank
roles: roles:
- { role: "common", tags: [ "common" ] } - common
- { role: "nft", tags: [ "nft" ] } - bank
- { role: "nginx", tags: [ "nginx" ] } vars:
- { role: "acme", tags: [ "acme" ] } bank_revbank_git: https://github.com/bitlair/revbank.git
- { role: "bank", tags: [ "bank" ] }


@ -4,6 +4,6 @@
vars: vars:
raspi_rotate_display: "2" raspi_rotate_display: "2"
roles: roles:
- { role: "raspi", tags: [ "raspi" ] } - raspi
- { role: "common", tags: [ "common" ] } - common
- { role: "bank-terminal", tags: [ "bank-terminal" ] } - bank-terminal


@ -1,67 +1,58 @@
--- ---
- hosts: all - hosts: all
gather_facts: true gather_facts: true
roles: roles:
- { role: "common", tags: ["common"] } - { role: "common", tags: [ "common" ] }
- { role: "nft", tags: ["nft"] }
- hosts: bank - hosts: bank
roles: roles:
- { role: "bank", tags: ["bank"] } - { role: "bank", tags: [ "bank" ] }
- hosts: homeassistant
roles:
- { role: "acme", tags: ["acme"] }
- { role: "nginx", tags: ["nginx"] }
- hosts: raspi - hosts: raspi
roles: roles:
- { role: "raspi", tags: ["raspi"] } - { role: "raspi", tags: [ "raspi" ] }
- { role: "bank-terminal", tags: ["bank-terminal"] } - { role: "bank-terminal", tags: [ "bank-terminal" ] }
- hosts: fotos - hosts: fotos
roles: roles:
- { role: "photos", tags: ["photos"] } - { role: "photos", tags: [ "photos" ] }
- hosts: git-ci - hosts: git-ci
roles: roles:
- { role: "git-ci", tags: ["git-ci"] } - { role: "git-ci", tags: [ "git-ci" ] }
- hosts: git - hosts: git
roles: roles:
- { role: "acme", tags: ["acme"] } - { role: "acme", tags: [ "acme" ] }
- { role: "nginx", tags: ["nginx"] } - { role: "git-server", tags: [ "git-server" ] }
- { role: "git-server", tags: ["git-server"] }
- hosts: monitoring - hosts: monitoring
roles: roles:
- { role: "acme", tags: ["acme"] } - { role: "acme", tags: [ "acme" ] }
- { role: "nginx", tags: ["nginx"] } - { role: "monitoring", tags: [ "monitoring" ] }
- { role: "monitoring", tags: ["monitoring"] }
- hosts: mqtt - hosts: mqtt
roles: roles:
- { role: "mqtt", tags: ["mqtt"] } - { role: "mqtt-internal", tags: [ "mqtt-internal" ] }
- hosts: music - hosts: music
roles: roles:
- { role: "acme", tags: ["acme"] } - { role: "acme", tags: [ "acme" ] }
- { role: "go", tags: ["go"] } - { role: "go", tags: [ "go" ] }
- { role: "music", tags: ["music"] } - { role: "music", tags: [ "music" ] }
- hosts: pad - hosts: pad
roles: roles:
- { role: "acme", tags: ["acme"] } - { role: "acme", tags: [ "acme" ] }
- { role: "nginx", tags: ["nginx"] } - { role: "etherpad", tags: [ "etherpad" ] }
- { role: "etherpad", tags: ["etherpad"] }
- hosts: services - hosts: services
roles: roles:
- { role: "services", tags: ["services"] } - { role: "services", tags: [ "services" ] }
- hosts: wiki - hosts: wiki
roles: roles:
- { role: "acme", tags: ["acme"] } - { role: "acme", tags: [ "acme" ] }
- { role: "nginx", tags: ["nginx"] } - { role: "www", tags: [ "www" ] }
- { role: "www", tags: ["www"] }


@ -3,5 +3,4 @@
- hosts: debian - hosts: debian
gather_facts: true gather_facts: true
roles: roles:
- { role: "common", tags: [ "common" ] } - common
- { role: "nft", tags: [ "nft" ] }


@ -2,5 +2,5 @@
- hosts: fotos - hosts: fotos
roles: roles:
- { role: "common", tags: [ "common" ] } - common
- { role: "photos", tags: [ "photos" ] } - photos


@ -2,5 +2,5 @@
- hosts: git-ci - hosts: git-ci
roles: roles:
- { role: "common", tags: [ "common" ] } - common
- { role: "git-ci", tags: [ "git-ci" ] } - git-ci


@ -2,7 +2,6 @@
- hosts: git - hosts: git
roles: roles:
- { role: "common", tags: [ "common" ] } - common
- { role: "acme", tags: [ "acme" ] } - acme
- { role: "nginx", tags: [ "nginx" ] } - git-server
- { role: "git-server", tags: [ "git-server" ] }


@ -3,26 +3,25 @@
ansible_user: root ansible_user: root
ansible_python_interpreter: auto_silent ansible_python_interpreter: auto_silent
notify_email: bestuur@bitlair.nl notify_email: bestuur@bitlair.nl
acme_bootstrap_certs: no
trusted_ranges: trusted_ranges:
- { v: ipv4, cidr: "127.0.0.1/8", comment: "localhost" } # localhost
- { v: ipv4, cidr: "10.0.0.0/8", comment: "rfc1918" } - { v: ipv4, cidr: 127.0.0.1/8 }
- { v: ipv4, cidr: "172.16.0.0/12", comment: "rfc1918" } - { v: ipv6, cidr: "::1" }
- { v: ipv4, cidr: "192.168.0.0/16", comment: "rfc1918" } # rf1928
- { v: ipv4, cidr: "45.88.49.140", comment: "vihamij" } - { v: ipv4, cidr: 10.0.0.0/8 }
- { v: ipv4, cidr: "204.2.64.0/20", comment: "eventinfra / bitlair" } - { v: ipv4, cidr: 172.16.0.0/12 }
- { v: ipv4, cidr: "100.64.0.0/10", comment: "bitlair" } - { v: ipv4, cidr: 192.168.0.0/16 }
- { v: ipv4, cidr: "185.205.52.194/32", comment: "bitlair A2B" } # kan weg ?? # v6 local
- { v: ipv4, cidr: "31.187.251.213/32", comment: "foobar thuis" } - { v: ipv6, cidr: "fe80::/10" }
- { v: ipv4, cidr: "185.205.53.40/32", comment: "ak / koopen.net" } # vihamij
# - { v: ipv6, cidr: "::/0", comment: "ipv6 localhost" } - { v: ipv4, cidr: 45.88.49.140 }
# - { v: ipv6, cidr: "fe80::/10", comment: "ipv6 link-local" } # eventinfra
# - { v: ipv6, cidr: "2a02:166b:92::/48", comment: "bitlair" } # /48's kunnen niet in de ipset - { v: ipv4, cidr: 204.2.64.0/20 }
- { v: ipv6, cidr: "2001:678:814:68::/64", comment: "bitlair wifi" }
- { v: ipv6, cidr: "2a05:2d01:0:4042::/64", comment: "bitlair servers" } - { v: ipv4, cidr: 100.64.0.0/10 }
- { v: ipv6, cidr: "2a05:2d01:1337::/48", comment: "bitlair space v6-range" } - { v: ipv4, cidr: 185.205.52.194/32 }
- { v: ipv6, cidr: "2a0e:5700:4:2::/64", comment: "foobar ipv6" } - { v: ipv6, cidr: "2a02:166b:92::/48" }
trusted_ports:
- ssh
root_access: root_access:
- ak - ak
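Review bot: Every entry in trusted_ranges becomes an unconditional INPUT ACCEPT on all ports in the common role's "Allow local connections" task, so this list is in effect the full-access ACL for every host, and the new side drops the per-entry comments that said who owns each range (the old side even flagged 185.205.52.194/32 as possibly removable). The RFC1918 blocks, 100.64.0.0/10, the /20 and the /48 are broad for a list that bypasses every port restriction; keep a `comment:` per entry so each range has an owner, e.g. `- { v: ipv4, cidr: 185.205.52.194/32, comment: "bitlair A2B" }`, and confirm the upstream actually drops RFC1918/CGNAT sources on the public interface, because nothing in this role does.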


@ -1,17 +0,0 @@
---
deposit_hostname: deposit.bitlair.nl
acme_domains:
- "{{ deposit_hostname }}"
nginx_sites:
- server_name: "{{ deposit_hostname }}"
config:
- |-
location / {
proxy_pass http://localhost:8000/;
include proxy_params;
}
group_nft_input:
- "tcp dport { http, https } accept # Allow web-traffic from world"


@ -1,15 +1,6 @@
root_access: root_access:
- ak - ak
- foobar - foobar
- linor - linor
- polyfloyd - polyfloyd
- wilco - wilco
trusted_ports:
- ssh
- microsoft-ds
group_nft_input:
- "ip saddr 204.2.64.19 tcp dport { 4567 } accept # Allow traffic from wiki"


@ -1,5 +1 @@
---
forgejo_url: https://git.bitlair.nl forgejo_url: https://git.bitlair.nl
nft: false # Docker wil nog niet zo met nft


@ -1,18 +1,5 @@
---
acme_domains: acme_domains:
- "{{ git_server_domain }}" - "{{ git_server_domain }}"
git_server_domain: git.bitlair.nl git_server_domain: git.bitlair.nl
git_server_title: Gitlair git_server_title: Gitlair
git_server_bootstrap_cert: no git_server_bootstrap_cert: no
group_nft_input:
- "tcp dport { ssh, http, https } accept # Allow ssh(git) + web-traffic from world"
nginx_client_max_body_size: 4G
nginx_sites:
- server_name: "git.bitlair.nl"
localproxy: "9001"
snippets:
- "forgejo-nginx.j2"


@ -1,12 +0,0 @@
acme_san_domains:
- [ homeassistant.bitlair.nl ]
group_nft_input:
- "tcp dport { http, https } accept # Allow web-traffic from world"
- "tcp dport { 1883 } accept # mqtt from world"
nginx_sites:
- server_name: "homeassistant.bitlair.nl"
localproxy: "8123"
snippets:
- "homeassistant-nginx.j2"


@ -1,2 +0,0 @@
---


@ -1,2 +0,0 @@
---


@ -1,10 +1,7 @@
monitoring_domain: dashboard.bitlair.nl monitoring_domain: dashboard.bitlair.nl
monitoring_bootstrap_cert: no monitoring_bootstrap_cert: no
acme_san_domains: acme_san_domains:
- ["{{ monitoring_domain }}"] - ["{{ monitoring_domain }}", monitoring.bitlair.nl]
group_nft_input:
- "tcp dport { http, https } accept # Allow web-traffic from world"
prometheus_scrape_configs: prometheus_scrape_configs:
- job_name: "node" - job_name: "node"
@ -20,7 +17,6 @@ prometheus_scrape_configs:
- "lights.bitlair.nl:9100" - "lights.bitlair.nl:9100"
- "music.bitlair.nl:9100" - "music.bitlair.nl:9100"
- "service.bitlair.nl:9100" - "service.bitlair.nl:9100"
- "user.bitlair.nl:9100"
- job_name: "mqtt" - job_name: "mqtt"
static_configs: static_configs:
- targets: [ "localhost:9883" ] - targets: [ "localhost:9883" ]
@ -34,7 +30,6 @@ prometheus_scrape_configs:
- https://bitlair.nl - https://bitlair.nl
- https://git.bitlair.nl - https://git.bitlair.nl
- https://pad.bitlair.nl - https://pad.bitlair.nl
- https://user.bitlair.nl
# Legacy # Legacy
- https://wiki.bitlair.nl - https://wiki.bitlair.nl
- https://portal.bitlair.nl - https://portal.bitlair.nl
@ -45,9 +40,3 @@ prometheus_scrape_configs:
target_label: instance target_label: instance
- target_label: __address__ - target_label: __address__
replacement: "{{ blackbox_exporter_web_listen_address }}" replacement: "{{ blackbox_exporter_web_listen_address }}"
nginx_sites:
- server_name: "dashboard.bitlair.nl"
localproxy: "9000"
snippets:
- "prometheus-nginx.j2"


@ -1,8 +0,0 @@
---
nft_group_rules:
- { version: "ip6", from: [ '2001:470:7f95::/48' ], port: "1883" }
trusted_ports:
- ssh
- 1883


@ -1,8 +1,3 @@
---
# Fixme, nog niet kunnen testen, was down
nft: false
root_access: root_access:
- ak - ak
- bob - bob
@ -10,8 +5,6 @@ root_access:
- foobar - foobar
- polyfloyd - polyfloyd
nginx_client_max_body_size: 512M
music_domain: music.bitlair.nl music_domain: music.bitlair.nl
acme_san_domains: acme_san_domains:
- [ music.bitlair.nl ] - [ music.bitlair.nl ]


@ -1,28 +1 @@
---
acme_domains:
- pad.bitlair.nl
etherpad_domain: pad.bitlair.nl etherpad_domain: pad.bitlair.nl
nginx_sites:
- server_name: "pad.bitlair.nl"
# localproxy: "9001"
pre_config:
- "# WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html"
- "map $http_upgrade $connection_upgrade {"
- " default upgrade;"
- " '' close;"
- "}"
config:
- "location / {"
- " proxy_pass http://localhost:9001/;"
- " include proxy_params;"
- ""
- " # WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html"
- " proxy_set_header Upgrade $http_upgrade;"
- " proxy_set_header Connection $connection_upgrade;"
- "}"
group_nft_input:
- "tcp dport { http, https } accept # Allow web-traffic from world"


@ -1,4 +0,0 @@
---
# Nog niet kunnen testen / geen toegang
nft: false


@ -1,15 +0,0 @@
---
group_nft_input: []
# test
nft_group_rules:
- { from: [ '204.2.64.29' ], port: "3306", comment: "Mysql vanaf eventinfra, verzoek AK" }
- { from: [ '100.64.0.14' ], port: "4000", proto: "udp", comment: "siahsd"}
- { from: [ '204.2.64.86' ], port: "31337", proto: "tcp", comment: "irc-say vanaf home assistant" }
power_mqtt_targets:
- net: space
ip: 100.64.0.21
- net: unicorndept
ip: 100.64.0.187


@ -1,6 +0,0 @@
---
manage_sshd_config: false
group_nft_input:
- "tcp dport { ssh } accept # Allow SSH from world"


@ -1,24 +0,0 @@
acme_san_domains:
- [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ]
- [ bitair.nl ]
- [ ravespace.nl ]
group_nft_input:
- "tcp dport { http, https } accept # Allow web-traffic from world"
- "tcp dport { 1883 } accept # mqtt from world"
nginx_sites:
- server_name: "bitlair.nl"
server_alias: "wiki.bitlair.nl www.bitlair.nl cyber.bitlair.nl"
snippets:
- "mqtt2web-nginx.j2"
- "spaceapi-nginx.j2"
- "www-nginx.j2"
- server_name: "bitair.nl"
server_alias: "www.bitair.nl"
snippets:
- "bitair-nginx.j2"
- server_name: "ravespace.nl"
server_alias: "www.ravespace.nl"
snippets:
- "ravespace-nginx.j2"

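--- /dev/null
+++ b/group_vars/www.yaml
@@ -0,0 +1,5 @@
+acme_bootstrap_certs: yes
+acme_san_domains:
+- [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ]
+- [ bitair.nl ]
+- [ ravespace.nl ]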
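Review bot: With the common role's INPUT policy DROP and only ssh, ICMP and trusted_ranges accepted, nothing in this compare opens tcp/80 and tcp/443 for the www host, and the deleted wiki group_vars carried the `http, https` accept rule that this file does not; unless the www role adds that rule, the http-01 challenge served from /.well-known/acme-challenge is unreachable and `acme_bootstrap_certs: yes` fails on the first run. Confirm where that rule now lives, and write the flag as `acme_bootstrap_certs: true` so yamllint's truthy rule (the branch is named linting) passes.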


@ -1,5 +1,4 @@
# Bitlair inventory # Inventory
[raspi] [raspi]
bank-pi.bitlair.nl bank-pi.bitlair.nl
@ -40,15 +39,6 @@ service.bitlair.nl
[wiki] [wiki]
wiki.bitlair.nl wiki.bitlair.nl
[shell]
shell.bitlair.nl
[homeassistant]
homeassistant.bitlair.nl
[chat]
chat.bitlair.nl
[debian:children] [debian:children]
bank bank
fotos fotos
@ -61,6 +51,4 @@ monitoring
music music
services services
wiki wiki
shell
homeassistant
chat


@ -1,5 +0,0 @@
#!/bin/bash
j2lint `find ./ -type f -name '*.j2'`
ansible-lint bitlair.yaml


@ -2,7 +2,6 @@
- hosts: monitoring - hosts: monitoring
roles: roles:
- { role: "common", tags: [ "common" ] } - common
- { role: "acme", tags: [ "acme" ] } - acme
- { role: "nginx", tags: [ "nginx" ] } - monitoring
- { role: "monitoring", tags: [ "monitoring" ] }

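--- /dev/null
+++ b/mqtt-internal.yaml
+---
+- hosts: mqtt_internal
+roles:
+- common
+- mqtt-internal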
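Review bot: The play targets the host pattern `mqtt_internal`, but the inventory hunks in this compare show no such group (the deleted mqtt.yaml targeted `mqtt`, and the visible inventory lists raspi, wiki and debian:children); if the group does not exist Ansible only warns "Could not match supplied host pattern" and the play is a silent no-op, so the mqtt host keeps running whatever was configured before. Add the `[mqtt_internal]` group to the inventory in this same change, or keep `- hosts: mqtt` if the group was not renamed.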


@ -1,6 +0,0 @@
---
- hosts: mqtt
roles:
- { role: "common", tags: [ "common" ] }
- { role: "mqtt", tags: [ "mqtt", "mqtt" ] }


@ -2,8 +2,7 @@
- hosts: music - hosts: music
roles: roles:
- { role: "common", tags: [ "common" ] } - common
- { role: "acme", tags: [ "acme" ] } - acme
- { role: "go", tags: [ "go" ] } - go
# - { role: "nginx", tags: [ "nginx" ] } - music
- { role: "music", tags: [ "music" ] }


@ -5,8 +5,6 @@
acme_san_domains: acme_san_domains:
- [ pad.bitlair.nl ] - [ pad.bitlair.nl ]
roles: roles:
- { role: "common", tags: [ "common" ] } - common
- { role: "nft", tags: [ "nft" ] } - acme
- { role: "acme", tags: [ "acme" ] } - etherpad
- { role: "nginx", tags: [ "nginx" ] }
- { role: "etherpad", tags: [ "etherpad" ] }


@ -1,9 +1,7 @@
---
- name: update_contact_info - name: update_contact_info
ansible.builtin.command: ansible.builtin.command:
cmd: dehydrated --account cmd: dehydrated --account
- name: run dehydrated - name: query_certificates
ansible.builtin.command: ansible.builtin.command:
cmd: dehydrated --cron cmd: dehydrated --cron


@ -1,46 +1,82 @@
--- ---
- ansible.builtin.import_tasks:
file: remove_conflicting.yaml
tags: [ never, acme_remove_conflicting ]
- name: Install Dehydrated - name: Install Dehydrated
ansible.builtin.apt: tags: [ acme, acme_install ]
state: present block:
pkg: - name: Install dependencies
- dehydrated ansible.builtin.apt:
tags: name: ssl-cert
- acme state: present
- name: Create Nginx snippet snippets dir - name: Install Dehydrated
ansible.builtin.file: ansible.builtin.apt:
state: "directory" name: dehydrated
path: "/etc/nginx/snippets" state: present
owner: "root"
group: "root"
mode: "0755"
- name: Template dehydrated configfiles - name: Install config file
ansible.builtin.template: ansible.builtin.template:
src: "{{ item.src }}" src: config.sh
dest: "{{ item.dest }}" dest: /etc/dehydrated/conf.d/ansible.sh
owner: "{{ item.owner | default('root') }}" owner: root
group: "{{ item.group | default('root') }}" group: root
mode: "{{ item.mode | default('0640') }}" mode: 0755
notify: "{{ item.notify | default([]) }}" notify: update_contact_info
with_items:
- { src: "config.sh", dest: "/etc/dehydrated/conf.d/ansible.sh", mode: '0755' }
- { src: "deploy.sh", dest: "/etc/dehydrated/conf.d/deploy.sh", mode: '0755' }
- { src: "cron", dest: "/etc/cron.d/dehydrated" }
- { src: "nginx-snippet.conf", dest: "/etc/nginx/snippets/acme.conf" }
- { src: "domains.txt", dest: "/etc/dehydrated/domains.txt", notify: "run dehydrated" }
- name: Register account - name: Install deploy hook
ansible.builtin.command: ansible.builtin.template:
args: src: deploy.sh
cmd: dehydrated --register --accept-terms dest: /etc/dehydrated/conf.d/deploy.sh
creates: /var/lib/dehydrated/accounts owner: root
group: root
mode: 0755
- name: Symlink SAN domains - name: Install cronjob
ansible.builtin.include_tasks: ansible.builtin.template:
file: san_domains_loop.yaml src: cron
loop: "{{ acme_san_domains | default([]) }}" dest: /etc/cron.d/dehydrated
loop_control: owner: root
loop_var: domains group: root
mode: 0644
- name: Create Nginx snippet snippets dir
ansible.builtin.file:
state: directory
path: /etc/nginx/snippets
owner: root
group: root
mode: 0755
- name: Install Nginx snippet
ansible.builtin.template:
src: nginx-snippet.conf
dest: /etc/nginx/snippets/acme.conf
owner: root
group: root
mode: 0644
- name: Register account
ansible.builtin.command:
cmd: dehydrated --register --accept-terms
args:
creates: /var/lib/dehydrated/accounts
- tags: [ acme, acme_certs ]
block:
- name: Configure certificates
ansible.builtin.template:
src: domains.txt
dest: /etc/dehydrated/domains.txt
owner: root
group: root
mode: 0644
notify: query_certificates
- name: Symlink SAN domains
ansible.builtin.include_tasks:
file: san_domains_loop.yaml
loop: "{{ acme_san_domains|default([]) }}"
loop_control:
loop_var: domains


@ -1,4 +1,9 @@
--- ---
- name: Remove certbot from apt
ansible.builtin.apt:
name: [ letsencrypt, certbot ]
state: absent
autoremove: yes
- name: Remove variable directories - name: Remove variable directories
ansible.builtin.file: ansible.builtin.file:
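Review bot: `state: absent` removes the certbot and letsencrypt packages but leaves their conffiles behind, including the renew entry Debian's certbot package installs under /etc/cron.d (if present), so that job keeps firing and failing after the binary is gone; use `purge: true` so the cron entry and /etc/letsencrypt defaults go with the package, and write the flag as `autoremove: true`. The "Remove variable directories" task that follows starts in the hunk but its body is outside SOURCE, so whether /etc/letsencrypt is cleaned up separately cannot be checked here.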


@ -1,5 +1,4 @@
--- ---
- ansible.builtin.stat: - ansible.builtin.stat:
path: "/var/lib/dehydrated/certs/{{ domains[0] }}" path: "/var/lib/dehydrated/certs/{{ domains[0] }}"
register: cert_stat register: cert_stat


@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
# {{ ansible_managed }} # Managed by Ansible
CONTACT_EMAIL={{ notify_email }} CONTACT_EMAIL={{ notify_email }}


@ -1,4 +1,4 @@
# {{ ansible_managed }} # Managed by Ansible
SHELL=/bin/sh SHELL=/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin


@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
# {{ ansible_managed }} # Managed by Ansible
systemctl reload nginx.service systemctl reload nginx.service


@ -1,4 +1,4 @@
# {{ ansible_managed }} # Managed by Ansible
{% for domain in acme_domains|default([]) %} {% for domain in acme_domains|default([]) %}
{{ domain }} {{ domain }}


@ -1,4 +1,4 @@
# {{ ansible_managed }} # Managed by Ansible
location /.well-known/acme-challenge { location /.well-known/acme-challenge {
allow all; allow all;


@ -1,3 +1,3 @@
bank_user: bank bank_user: bank
bank_revbank_git: https://git.bitlair.nl/bitlair/revbank.git bank_revbank_git: https://github.com/revspace/revbank.git
bank_local_tty: no bank_local_tty: no


@ -1,9 +1,3 @@
--- ---
- ansible.builtin.import_tasks: - ansible.builtin.import_tasks:
file: ../../common/handlers/main.yaml file: ../../common/handlers/main.yaml
- name: Restart revbank-deposit
ansible.builtin.systemd:
name: revbank-deposit
state: restarted
daemon_reload: true


@ -0,0 +1,12 @@
---
- name: Install dependencies
ansible.builtin.apt:
name: [ links, python3-pyquery ]
state: present
- name: Clone revbank-inflatinator source
ansible.builtin.git:
repo: https://github.com/bitlair/revbank-inflatinator.git
version: main
dest: /opt/revbank-inflatinator
accept_hostkey: yes
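Review bot: `version: main` clones whatever the branch head is at run time, and with the git module's default `update: yes` every later run fast-forwards /opt/revbank-inflatinator to the current main, so code that runs on the bank host is pulled unreviewed from GitHub on each play; pin it to a tag or commit and bump it deliberately, e.g. `version: "<tag or commit sha>"` (quoted, since an all-digit sha would otherwise be read as an integer). `accept_hostkey: yes` has no effect on an https remote and can be dropped. The play runs as `ansible_user: root`, so the checkout is root-owned; if the tool runs as the bank user, an explicit owner would make that visible.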


@ -11,7 +11,6 @@
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
insertafter: EOF insertafter: EOF
validate: "/usr/sbin/sshd -t -f %s"
block: |- block: |-
Match User bank Match User bank
PasswordAuthentication yes PasswordAuthentication yes
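Review bot: The blockinfile edit of /etc/ssh/sshd_config no longer carries `validate: "/usr/sbin/sshd -t -f %s"`, so a malformed block is written to disk and only discovered when sshd is reloaded, at which point the one port the common role opens on an iptables DROP host is the one that just broke; re-add the validate line next to `insertafter: EOF`. The `Match User bank` block also turns password authentication back on for that account, which deserves a comment saying why and, if the terminal only connects from the local network, a narrower `Match User bank Address <range>`. The task starts outside the hunk.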


@ -7,6 +7,6 @@
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: revbank.yaml file: revbank.yaml
- tags: [ bank, bank_revbank_deposit ] - tags: [ bank, bank_inflatinator ]
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: revbank-deposit.yaml file: inflatinator.yaml


@ -1,47 +0,0 @@
---
- name: Clone source
ansible.builtin.git:
repo: https://git.bitlair.nl/bitlair/revbank-deposit.git
version: main
dest: /usr/local/lib/revbank-deposit
accept_hostkey: yes
notify: Restart revbank-deposit
- name: Install apt dependencies
ansible.builtin.apt:
name:
- python3-pip
- python3-virtualenv
- name: Install pip dependencies
ansible.builtin.pip:
chdir: /usr/local/lib/revbank-deposit
virtualenv: .venv
requirements: requirements.txt
- name: Configure revbank-deposit
ansible.builtin.template:
src: revbank-deposit.conf
dest: /etc/revbank-deposit.conf
owner: root
group: root
mode: 0600
notify: Restart revbank-deposit
- name: Install revbank-deposit service
ansible.builtin.template:
src: revbank-deposit.service
dest: /etc/systemd/system/revbank-deposit.service
owner: root
group: root
mode: 0644
notify: Restart revbank-deposit
- name: Start revbank-deposit
ansible.builtin.systemd:
daemon_reload: true
name: revbank-deposit
state: started
enabled: true
- meta: flush_handlers


@ -1,4 +1,4 @@
SHELL=/bin/bash SHELL=/bin/bash
#m h dom mon dow user command #m h dom mon dow user command
0 * * * * {{ bank_user }} (cd /home/{{ bank_user }}/data.git && git pull -r && git push && git gc --auto && cp revbank.products ../revbank.products) 0 * * * * {{ bank_user }} (cd /home/{{ bank_user }}/data.git && git push --mirror && git gc --auto)
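Review bot: `git push --mirror` force-updates every ref on the remote and deletes any remote ref that does not exist locally, so this hourly job silently discards anything pushed to the remote by other means; if the remote is a write-only backup of data.git that is fine but should be stated in a comment on the line above, otherwise `git push --all && git push --tags` keeps the remote's other refs intact. Failures only surface through cron mail, and which remote and credential the bank user pushes with is not visible in this compare.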


@ -1,4 +0,0 @@
# {{ ansible_managed }}
PUBLIC_URL=https://{{ deposit_hostname }}
MOLLIE_API_KEY={{ lookup('passwordstore', 'mollie subkey=apikey') }}


@ -1,18 +0,0 @@
# {{ ansible_managed }}
[Unit]
Description=Revbank Deposit
After=network.target
[Service]
Type=simple
Restart=on-failure
RestartSec=10s
ExecStart=/usr/local/lib/revbank-deposit/.venv/bin/fastapi run main.py --host 127.0.0.1
WorkingDirectory=/usr/local/lib/revbank-deposit
EnvironmentFile=/etc/revbank-deposit.conf
DynamicUser=true
[Install]
WantedBy=multi-user.target


@ -17,5 +17,3 @@ node_exporter: true
debian_packages_unwanted: debian_packages_unwanted:
- netcat-traditional - netcat-traditional
- letsencrypt
- certbot


@ -1,29 +1,31 @@
--- ---
- name: Update grub - name: update grub
ansible.builtin.command: ansible.builtin.command:
cmd: update-grub cmd: update-grub
- name: Apt update - name: reboot
ansible.builtin.reboot:
- name: apt update
ansible.builtin.apt: ansible.builtin.apt:
update_cache: true update_cache: true
- name: Daemon reload - name: daemon reload
ansible.builtin.systemd: ansible.builtin.systemd:
daemon_reload: true daemon_reload: true
- name: Reload sshd - name: reload sshd
ansible.builtin.systemd: ansible.builtin.systemd:
name: ssh name: ssh
state: reloaded state: reloaded
- name: Reload nginx - name: reload nginx
ansible.builtin.systemd: ansible.builtin.systemd:
name: nginx name: nginx
state: reloaded state: reloaded
- name: Persist iptables - name: persist iptables
ansible.builtin.shell: "{{ item.c }}-save > /etc/iptables/rules.{{ item.ip }}" ansible.builtin.shell: "{{ item.c }}-save > /etc/iptables/rules.{{ item.ip }}"
with_items: with_items:
- { c: iptables, ip: v4 } - { c: iptables, ip: v4 }
- { c: ip6tables, ip: v6 } - { c: ip6tables, ip: v6 }
when: not nft | bool
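Review bot: Notified handlers run in the order they are defined in this file, so `reboot` (second) fires before `persist iptables` (last); on a run where a grub or network change and the new iptables rules are both pending at the same flush, the host reboots with the live rules unsaved and iptables-persistent restores whatever /etc/iptables/rules.* held before, which on a first run may be no DROP policy at all until the next play. Move `persist iptables` above `reboot` in this list, and consider gating the reboot handler, e.g. `when: reboot_allowed | default(false)`, so a template drift cannot restart a production host unattended. Whether both handlers can actually be pending together depends on task order in the role, which is only partly visible here.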


@ -21,6 +21,9 @@
ansible.builtin.apt: ansible.builtin.apt:
upgrade: full upgrade: full
- name: Reboot
ansible.builtin.reboot:
- name: autoremove - name: autoremove
ansible.builtin.apt: ansible.builtin.apt:
autoremove: yes autoremove: yes
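Review bot: The new `Reboot` task after `upgrade: full` has no condition visible in the hunk, so every run of this task file restarts the host whether or not anything was upgraded; register the upgrade result and gate it, e.g. `register: upgrade` on the apt task and `when: upgrade.changed` on the reboot, or stat /var/run/reboot-required and reboot only when it exists. The task list starts and ends outside the hunk, so a tag or `when:` on an enclosing block could already limit this — worth confirming before merging.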


@ -15,12 +15,9 @@
group: "{{ item.group | default('root') }}" group: "{{ item.group | default('root') }}"
with_items: with_items:
- { src: "apt.conf.j2", dest: "/etc/apt/apt.conf" } - { src: "apt.conf.j2", dest: "/etc/apt/apt.conf" }
- { src: "apt-defaultrelease.j2", dest: "/etc/apt/apt.conf.d/09defaultrelease" }
- { src: "apt-preferences-stable.j2", dest: "/etc/apt/preferences.d/stableonly" }
- { src: "sources.list.j2", dest: "/etc/apt/sources.list" } - { src: "sources.list.j2", dest: "/etc/apt/sources.list" }
- { src: "apt-auto-upgrades.j2", dest: "/etc/apt/apt.conf.d/20auto-upgrades" } - { src: "apt-auto-upgrades.j2", dest: "/etc/apt/apt.conf.d/20auto-upgrades" }
- { src: "apt-unattended-upgrades.j2", dest: "/etc/apt/apt.conf.d/50unattended-upgrades" } - { src: "apt-unattended-upgrades.j2", dest: "/etc/apt/apt.conf.d/50unattended-upgrades" }
register: aptconfig
when: when:
- ansible_os_family == "Debian" - ansible_os_family == "Debian"
tags: tags:
@ -59,8 +56,6 @@
- name: Install standard packages - name: Install standard packages
ansible.builtin.apt: ansible.builtin.apt:
cache_valid_time: 3600
update_cache: "{{ aptconfig.changed | bool | default(false) }}"
pkg: pkg:
- curl - curl
- fzf - fzf
@ -68,6 +63,8 @@
- etckeeper - etckeeper
- git - git
- htop - htop
- iptables
- iptables-persistent
- jq - jq
- net-tools - net-tools
- netcat-openbsd - netcat-openbsd
@ -78,7 +75,6 @@
- vim - vim
- unattended-upgrades - unattended-upgrades
- apt-listchanges - apt-listchanges
- sudo-ldap
- name: Configure FZF for Bash - name: Configure FZF for Bash
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
@ -99,7 +95,7 @@
path: /etc/default/grub path: /etc/default/grub
regexp: '^GRUB_TIMEOUT=' regexp: '^GRUB_TIMEOUT='
line: "GRUB_TIMEOUT=1 # Managed by Ansible" line: "GRUB_TIMEOUT=1 # Managed by Ansible"
notify: Update grub notify: update grub
- name: Configure cron email - name: Configure cron email
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
@ -112,7 +108,6 @@
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"
line: "{{ item.line }}" line: "{{ item.line }}"
validate: "/usr/sbin/sshd -t -f %s"
with_items: with_items:
- regexp: '^#?Port' - regexp: '^#?Port'
line: 'Port {{ ssh_port }}' line: 'Port {{ ssh_port }}'
@ -120,6 +115,58 @@
line: 'PasswordAuthentication no' line: 'PasswordAuthentication no'
- regexp: '^#?DebianBanner' - regexp: '^#?DebianBanner'
line: 'DebianBanner no' line: 'DebianBanner no'
when: manage_sshd_config | default(true) notify: reload sshd
notify: Reload sshd
- name: Allow SSH
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ ssh_port }}"
ctstate: NEW
jump: ACCEPT
ip_version: "{{ item }}"
with_items:
- ipv4
- ipv6
notify: persist iptables
- name: Allow ICMP
ansible.builtin.iptables:
chain: INPUT
protocol: "{{ item.proto }}"
jump: ACCEPT
ip_version: "{{ item.ip }}"
with_items:
- { ip: ipv4, proto: icmp }
- { ip: ipv6, proto: ipv6-icmp }
notify: persist iptables
- name: Allow related and established connections
ansible.builtin.iptables:
chain: INPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
ip_version: "{{ item }}"
with_items:
- ipv4
- ipv6
notify: persist iptables
- name: Allow local connections
ansible.builtin.iptables:
chain: INPUT
source: "{{ item.cidr }}"
jump: ACCEPT
ip_version: "{{ item.v }}"
with_items: "{{ trusted_ranges }}"
notify: persist iptables
- name: Deny inbound connections
ansible.builtin.iptables:
chain: INPUT
policy: DROP
ip_version: "{{ item }}"
with_items:
- ipv4
- ipv6
notify: persist iptables
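Review bot: The lineinfile edits of /etc/ssh/sshd_config (Port, PasswordAuthentication, DebianBanner) lost `validate: "/usr/sbin/sshd -t -f %s"`; since `Port {{ ssh_port }}` is templated and the new "Allow SSH" rule only opens that same port on a policy-DROP host, a bad render or an undefined ssh_port leaves the host unreachable after `reload sshd`, so re-add the validate line. The "Allow local connections" loop is append-only: an entry dropped from trusted_ranges is never removed and `persist iptables` saves the stale ACCEPT, so either run a matching `state: absent` pass for removed ranges or flush the chain before rebuilding it. Adding `comment: "{{ item.comment | default(omit) }}"` to that rule would also make the saved ruleset say which range is which.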


@ -13,6 +13,7 @@
with_items: with_items:
- { k: net.ipv4.ip_forward, v: "1" } - { k: net.ipv4.ip_forward, v: "1" }
- { k: net.ipv6.conf.all.forwarding, v: "1" } - { k: net.ipv6.conf.all.forwarding, v: "1" }
notify: reboot
when: network_br when: network_br
- name: Make network interfaces really predictable - name: Make network interfaces really predictable
@ -21,7 +22,8 @@
regexp: ^GRUB_CMDLINE_LINUX regexp: ^GRUB_CMDLINE_LINUX
line: 'GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0" # Managed by Ansible' line: 'GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0" # Managed by Ansible'
notify: notify:
- Update grub - update grub
- reboot
when: network_br or network_dhcp or network_static when: network_br or network_dhcp or network_static
- name: Configure network interfaces - name: Configure network interfaces
@ -31,6 +33,7 @@
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: reboot
when: network_br or network_dhcp or network_static when: network_br or network_dhcp or network_static
- ansible.builtin.meta: flush_handlers - ansible.builtin.meta: flush_handlers
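Review bot: `notify: reboot` on the forwarding sysctl items and on the interfaces template means any drift in those files reboots the host at the `flush_handlers` that closes this hunk, in the middle of the play; sysctl values are applied live by the sysctl module (the task head is outside the hunk, so confirm which module it is) and do not need a reboot, and the interfaces change is usually handled by a networking restart handler with the usual care for the ssh session. Reserve the reboot notification for the grub line, which is the only change here that needs a new kernel command line.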


@ -10,8 +10,9 @@
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/default/grub path: /etc/default/grub
regexp: ^GRUB_CMDLINE_LINUX_DEFAULT regexp: ^GRUB_CMDLINE_LINUX_DEFAULT
line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet net.ifnames=0 console=ttyS0,115200n1 console=tty0"' line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet console=ttyS0,115200n1 console=tty0"'
notify: notify:
- Update grub - update grub
- reboot
tags: tags:
- questagent - questagent


@ -1 +0,0 @@
APT::Default-Release "{{ ansible_distribution_release }}";


@ -1,19 +0,0 @@
# Prefer packages from our release
# Prevent auto-installation from testing/unstable/sid/whatever
Package: *
Pin: release n={{ ansible_distribution_release }}
Pin-Priority: 900
Package: *
Pin: release n=sid
Pin-Priority: -10
Package: *
Pin: release n=testing
Pin-Priority: -10
Package: *
Pin: release n=unstable
Pin-Priority: -10


@ -2,5 +2,5 @@
{% for name in root_access %} {% for name in root_access %}
# {{ name }} # {{ name }}
{{ lookup('file', 'authorized_keys/' + name + '.keys') }} {{ lookup('file', 'authorized_keys/'+name+'.keys') }}
{% endfor %} {% endfor %}


@ -1,9 +1,9 @@
# {{ ansible_managed }} # {{ ansible_managed }}
{% if debian_source_repos | default(false) %} {% if debian_source_repos|default(false) %}
{% set SRC = "" %} {% set SRC = "" %}
{% else %} {% else %}
{% set SRC = "# " %} {% set SRC = "# " %}
{% endif %} {% endif %}
{% set components = "main contrib non-free-firmware" %} {% set components = "main contrib non-free-firmware" %}
@ -20,8 +20,5 @@ deb {{ debian_repourl }} {{ ansible_distribution_release }}-backports {{ compone
# #
# Security patches # Security patches
deb {{ debian_securityurl }} {{ ansible_distribution_release }}-security {{ components }} deb {{ debian_securityurl }} {{ ansible_distribution_release }}-security {{ components }}
{{ SRC }}deb-src {{ debian_securityurl }} {{ ansible_distribution_release }}-security {{ components }} {{ SRC }}deb-src {{ debian_securityurl }} {{ ansible_distribution_release }}-security main contrib non- free
# Testing/Unstable repos
deb {{ debian_repourl }} testing {{ components }}
deb {{ debian_repourl }} sid {{ components }}
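Review bot: The new deb-src line for the security suite ends in `main contrib non- free` instead of `{{ components }}`: the stray space splits `non-free` into two components that do not exist, so apt update fails on every host with `debian_source_repos` set, and even without the space `non-free` differs from the `non-free-firmware` component the deb line above it uses. Unless this is a rendering artifact of the compare view, change it to `{{ SRC }}deb-src {{ debian_securityurl }} {{ ansible_distribution_release }}-security {{ components }}` so both lines stay in lockstep.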


@ -2,7 +2,7 @@
- ansible.builtin.import_tasks: - ansible.builtin.import_tasks:
file: ../../common/handlers/main.yaml file: ../../common/handlers/main.yaml
- name: Restart etherpad - name: restart etherpad
ansible.builtin.systemd: ansible.builtin.systemd:
name: etherpad name: etherpad
state: restarted state: restarted


@ -1,126 +1,140 @@
--- ---
- tags: etherpad
block:
- ansible.builtin.import_tasks:
file: ../../../snippets/common-nginx.yaml
- name: Install dependencies - name: Install dependencies
ansible.builtin.apt: ansible.builtin.apt:
state: present name: [ gpg, postgresql, python3-psycopg2, apt-transport-https ]
pkg:
- gpg
- postgresql
- python3-psycopg2
- apt-transport-https
- name: Import nodesource signing key - name: Import nodesource signing key
ansible.builtin.shell: ansible.builtin.shell:
cmd: curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor cmd: curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor
-o /usr/share/keyrings/nodesource.gpg -o /usr/share/keyrings/nodesource.gpg
args: args:
creates: /usr/share/keyrings/nodesource.gpg creates: /usr/share/keyrings/nodesource.gpg
notify: Apt update notify: apt update
- name: Install nodesource source list - name: Install nodesource source list
ansible.builtin.template: ansible.builtin.template:
src: nodesource.list src: nodesource.list
dest: /etc/apt/sources.list.d/nodesource.list dest: /etc/apt/sources.list.d/nodesource.list
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: Apt update notify: apt update
- name: Install nodejs apt preference - name: Install nodejs apt preference
ansible.builtin.template: ansible.builtin.template:
src: nodejs-apt-pref src: nodejs-apt-pref
dest: /etc/apt/preferences.d/nodejs dest: /etc/apt/preferences.d/nodejs
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: Apt update notify: apt update
- ansible.builtin.meta: flush_handlers - ansible.builtin.meta: flush_handlers
- name: Install nodejs - name: Install nodejs
ansible.builtin.apt: ansible.builtin.apt:
name: nodejs name: nodejs
- name: Add database user - name: Add database user
become: true become: true
become_method: su become_method: su
become_user: postgres become_user: postgres
no_log: yes no_log: yes
community.postgresql.postgresql_user: community.postgresql.postgresql_user:
name: etherpad name: etherpad
password: "{{ etherpad_db_password }}" password: "{{ etherpad_db_password }}"
- name: Add database - name: Add database
become: true become: true
become_method: su become_method: su
become_user: postgres become_user: postgres
community.postgresql.postgresql_db: community.postgresql.postgresql_db:
name: "{{ etherpad_db_name }}" name: "{{ etherpad_db_name }}"
owner: "{{ etherpad_db_user }}" owner: "{{ etherpad_db_user }}"
- name: Add etherpad user - name: Add etherpad user
ansible.builtin.user: ansible.builtin.user:
name: etherpad name: etherpad
home: /var/lib/etherpad home: /var/lib/etherpad
- name: Create log file - name: Create log file
ansible.builtin.file: ansible.builtin.file:
path: /var/log/etherpad.log path: /var/log/etherpad.log
state: touch state: touch
owner: etherpad owner: etherpad
group: etherpad group: etherpad
mode: 0644 mode: 0644
- name: Create source directory - name: Create source directory
ansible.builtin.file: ansible.builtin.file:
path: /opt/etherpad path: /opt/etherpad
state: directory state: directory
owner: etherpad owner: etherpad
group: etherpad group: etherpad
mode: 0755 mode: 0755
- name: Clone etherpad source - name: Clone etherpad source
become: yes become: yes
become_method: su become_method: su
become_user: etherpad become_user: etherpad
ansible.builtin.git: ansible.builtin.git:
repo: https://github.com/ether/etherpad-lite.git repo: https://github.com/ether/etherpad-lite.git
version: master version: master
dest: /opt/etherpad dest: /opt/etherpad
accept_hostkey: yes accept_hostkey: yes
notify: Restart etherpad notify: restart etherpad
- name: Install etherpad config - name: Install etherpad config
ansible.builtin.template: ansible.builtin.template:
src: settings.json src: settings.json
dest: /opt/etherpad/settings.json dest: /opt/etherpad/settings.json
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: Restart etherpad notify: restart etherpad
- name: Install etherpad service - name: Install etherpad service
ansible.builtin.template: ansible.builtin.template:
src: etherpad.service src: etherpad.service
dest: /etc/systemd/system/etherpad.service dest: /etc/systemd/system/etherpad.service
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: Restart etherpad notify: restart etherpad
- name: Start etherpad - name: Start etherpad
ansible.builtin.systemd: ansible.builtin.systemd:
daemon_reload: true daemon_reload: true
name: etherpad name: etherpad
state: started state: started
enabled: true enabled: yes
- name: Install nginx config - name: Install nginx config
ansible.builtin.template: ansible.builtin.template:
src: nginx-site.conf src: nginx-site.conf
dest: /etc/nginx/sites-enabled/etherpad dest: /etc/nginx/sites-enabled/etherpad
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: Reload nginx notify: reload nginx
- name: Allow HTTP and HTTPS
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ item.port }}"
ctstate: NEW
jump: ACCEPT
ip_version: "{{ item.ip }}"
action: insert
with_items:
- { ip: ipv4, port: 80 }
- { ip: ipv4, port: 443 }
- { ip: ipv6, port: 80 }
- { ip: ipv6, port: 443 }
notify: persist iptables
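Review bot: The `Import nodesource signing key` task pipes `curl` straight into `gpg --dearmor` and installs the result under `/usr/share/keyrings` without checking what was fetched, and `creates:` means the task never runs again, so a wrong or rotated key is neither detected nor refreshed. Fetching the key with `ansible.builtin.get_url` and a pinned `checksum:` (or comparing its fingerprint against a value kept in vars) before dearmoring would make the trust anchor explicit; likewise `version: master` on the etherpad clone deploys and restarts whatever the branch points at on each run, so a tag or commit would pin what is installed. On style, `mode: 0644`/`0755` are unquoted octals and `no_log: yes`, `become: yes`, `accept_hostkey: yes`, `enabled: yes` are non-canonical booleans; `mode: "0644"` and `true`/`false` are what yamllint and ansible-lint expect, and the same pattern recurs in the forgejo-runner, forgejo, monitoring, mqtt-internal, music and trollibox hunks below.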


@ -1,5 +1,3 @@
---
collections: collections:
- name: community.postgresql - name: community.postgresql
version: 2.3.2 version: 2.3.2


@ -1,2 +1,2 @@
runner_wd: /var/lib/forgejo-runner runner_wd: /var/lib/forgejo-runner
runner_version: 6.3.0 runner_version: 3.4.1


@ -1,50 +1,50 @@
--- ---
- tags: forgejo_runner
block:
- name: Install dependencies
ansible.builtin.apt:
name: docker.io
- name: Install dependencies - name: Download forgejo-runner
ansible.builtin.apt: ansible.builtin.get_url:
name: docker.io url: "https://code.forgejo.org/forgejo/runner/releases/download/v{{ runner_version }}/forgejo-runner-{{ runner_version }}-linux-amd64"
dest: /usr/local/bin/forgejo-runner
mode: 0755
notify: restart forgejo-runner
- name: Download forgejo-runner - name: Create runner dir
ansible.builtin.get_url: ansible.builtin.file:
url: "https://code.forgejo.org/forgejo/runner/releases/download/v{{ runner_version }}/forgejo-runner-{{ runner_version }}-linux-amd64" state: directory
dest: /usr/local/bin/forgejo-runner path: "{{ runner_wd }}"
mode: 0755 owner: root
notify: restart forgejo-runner group: root
mode: 0755
- name: Create runner dir - name: Register runner
ansible.builtin.file: ansible.builtin.command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ lookup('passwordstore', 'git/ci subkey=runner_token') }}"
state: directory args:
path: "{{ runner_wd }}" chdir: "{{ runner_wd }}"
owner: root creates: "{{ runner_wd }}/.runner"
group: root
mode: 0755
- name: Register runner - name: Install service file
ansible.builtin.command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ lookup('passwordstore', 'git/ci subkey=runner_token') }}" ansible.builtin.template:
args: src: forgejo-runner.service
chdir: "{{ runner_wd }}" dest: /etc/systemd/system/forgejo-runner.service
creates: "{{ runner_wd }}/.runner" owner: root
group: root
mode: 0644
notify: restart forgejo-runner
- name: Install service file - name: Enable service
ansible.builtin.template: ansible.builtin.systemd:
src: forgejo-runner.service name: forgejo-runner
dest: /etc/systemd/system/forgejo-runner.service enabled: yes
owner: root daemon_reload: true
group: root
mode: 0644
notify: restart forgejo-runner
- name: Enable service - name: Start service
ansible.builtin.systemd: ansible.builtin.systemd:
name: forgejo-runner name: forgejo-runner
enabled: true state: started
daemon_reload: true daemon_reload: true
- name: Start service - ansible.builtin.meta: flush_handlers
ansible.builtin.systemd:
name: forgejo-runner
state: started
daemon_reload: true
- name: Flush handlers
ansible.builtin.meta: flush_handlers
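Review bot: The `Register runner` task interpolates `lookup('passwordstore', 'git/ci subkey=runner_token')` into the command line with no `no_log`, so the registration token ends up in Ansible's task output and any log collector behind it (and is visible in the remote process list while the command runs); adding `no_log: true` to that task keeps it out of the play output. The `Download forgejo-runner` task fetches a release binary with `get_url` and installs it `0755` without a `checksum:`, so integrity rests solely on the TLS connection to code.forgejo.org; the same applies to the Go tarball pulled by `unarchive` with `remote_src` in the go hunk below. `enabled: yes` on `Enable service` should be `enabled: true`.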


@ -1,4 +1,6 @@
--- ---
- ansible.builtin.import_tasks:
file: ../../../snippets/common-nginx.yaml
- name: Install dependencies - name: Install dependencies
ansible.builtin.apt: ansible.builtin.apt:
@ -14,14 +16,14 @@
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: Reload nginx notify: reload nginx
- name: Enable nginx site - name: Enable nginx site
ansible.builtin.file: ansible.builtin.file:
src: /etc/nginx/sites-available/forgejo src: /etc/nginx/sites-available/forgejo
dest: /etc/nginx/sites-enabled/forgejo dest: /etc/nginx/sites-enabled/forgejo
state: link state: link
notify: Reload nginx notify: reload nginx
- name: Create user - name: Create user
ansible.builtin.user: ansible.builtin.user:
@ -38,6 +40,7 @@
group: "{{ git_server_user }}" group: "{{ git_server_user }}"
mode: 0755 mode: 0755
# TODO: Install initial config # TODO: Install initial config
- name: Install service file - name: Install service file
@ -47,7 +50,7 @@
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: Reload forgejo notify: reload forgejo
- name: Install update script - name: Install update script
ansible.builtin.template: ansible.builtin.template:
@ -61,12 +64,12 @@
ansible.builtin.command: "{{ git_server_working_dir }}/update.sh" ansible.builtin.command: "{{ git_server_working_dir }}/update.sh"
args: args:
creates: "{{ git_server_working_dir }}/forgejo" creates: "{{ git_server_working_dir }}/forgejo"
notify: Reload forgejo notify: reload forgejo
- name: Enable service - name: Enable service
ansible.builtin.systemd: ansible.builtin.systemd:
name: forgejo name: forgejo
enabled: true enabled: yes
daemon_reload: true daemon_reload: true
- name: Start service - name: Start service
@ -80,6 +83,23 @@
src: cronjob src: cronjob
dest: /etc/cron.d/forgejo dest: /etc/cron.d/forgejo
- name: Debug - name: Allow Git SSH, HTTP and HTTPS
ansible.builtin.debug: ansible.builtin.iptables:
msg: "If Forgejo has not been setup yet, please do so manually." chain: INPUT
protocol: tcp
destination_port: "{{ item.port }}"
ctstate: NEW
jump: ACCEPT
ip_version: "{{ item.ip }}"
action: insert
with_items:
- { ip: ipv4, port: 80 }
- { ip: ipv4, port: 22 }
- { ip: ipv4, port: 443 }
- { ip: ipv6, port: 80 }
- { ip: ipv6, port: 22 }
- { ip: ipv6, port: 443 }
notify: persist iptables
- ansible.builtin.debug:
msg: If Forgejo has not been setup yet, please do so manually.
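Review bot: The new `Allow Git SSH, HTTP and HTTPS` task inserts an unconditional ACCEPT for tcp/22 from any source on both IPv4 and IPv6; unless Forgejo's built-in SSH server is what listens on 22, this also exposes the system sshd, so the intent deserves a comment on the task such as `# tcp/22: git-over-ssh; intentionally reachable from anywhere` or a source restriction if that is not intended. `action: insert` without `rule_num` places each rule at position 1 of INPUT, which is fine as long as nothing relies on ordering relative to an existing default-deny rule — worth a one-line comment too. The enclosing task list starts outside this hunk.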


@ -19,11 +19,11 @@
register: go_latest_version_shell register: go_latest_version_shell
- name: Format Go latest version variable - name: Format Go latest version variable
ansible.builtin.set_fact: set_fact:
go_latest_version: "{{ go_latest_version_shell.stdout }}" go_latest_version: "{{ go_latest_version_shell.stdout }}"
- name: Detect installed Go version - name: Detect installed Go version
ansible.builtin.shell: "go version | grep --color=never -Po '\\d\\.\\d+(\\.\\d+)?' || echo none" shell: "go version | grep --color=never -Po '\\d\\.\\d+(\\.\\d+)?' || echo none"
register: go_installed_version_shell register: go_installed_version_shell
changed_when: false changed_when: false
@ -31,20 +31,19 @@
set_fact: set_fact:
go_installed_version: "{{ go_installed_version_shell.stdout }}" go_installed_version: "{{ go_installed_version_shell.stdout }}"
- name: Debug - debug:
ansible.builtin.debug:
msg: msg:
- "Latest Go version: {{ go_latest_version}}" - "Latest Go version: {{ go_latest_version}}"
- "Installed Go version: {{ go_installed_version }}" - "Installed Go version: {{ go_installed_version }}"
- name: Remove installed go - name: Remove installed go
ansible.builtin.file: file:
state: absent state: absent
path: /usr/local/go path: /usr/local/go
when: go_installed_version != go_latest_version when: go_installed_version != go_latest_version
- name: Install Go - name: Install Go
ansible.builtin.unarchive: unarchive:
src: https://go.dev/dl/go{{ go_latest_version }}.linux-{{ go_arch }}.tar.gz src: https://go.dev/dl/go{{ go_latest_version }}.linux-{{ go_arch }}.tar.gz
dest: /usr/local dest: /usr/local
remote_src: yes remote_src: yes
@ -53,7 +52,7 @@
when: go_installed_version != go_latest_version when: go_installed_version != go_latest_version
- name: Configure Go environment - name: Configure Go environment
ansible.builtin.template: template:
src: go.profile src: go.profile
dest: /etc/profile.d/go.sh dest: /etc/profile.d/go.sh
owner: root owner: root
@ -61,7 +60,7 @@
mode: 0644 mode: 0644
- name: Link go binary - name: Link go binary
ansible.builtin.file: file:
state: link state: link
src: /usr/local/go/bin/go src: /usr/local/go/bin/go
dest: /usr/local/bin/go dest: /usr/local/bin/go
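Review bot: The new side drops the `ansible.builtin.` prefix on `set_fact`, `shell`, `debug`, `file`, `unarchive` and `template` while the rest of this tree (and `ansible.builtin.apt` in the neighbouring hunks) uses fully qualified collection names; mixing the two is exactly what ansible-lint's fqcn rule flags and makes the file read as if two conventions are in force. Restoring the qualified form — `ansible.builtin.set_fact:`, `ansible.builtin.shell:`, `ansible.builtin.file:` and so on — keeps it consistent. The `- debug:` task also lost its `name:`, which makes the play output harder to follow. The task list continues outside these hunks.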


@ -1,26 +1,45 @@
--- ---
- name: monitoring
tags: monitoring
block:
- ansible.builtin.import_tasks:
file: ../../../snippets/common-nginx.yaml
- name: Install nginx site - name: Install nginx site
ansible.builtin.template: ansible.builtin.template:
src: nginx-site.conf src: nginx-site.conf
dest: /etc/nginx/sites-available/monitoring dest: /etc/nginx/sites-available/monitoring
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: Reload nginx notify: reload nginx
- name: Enable nginx site - name: Enable nginx site
ansible.builtin.file: ansible.builtin.file:
src: /etc/nginx/sites-available/monitoring src: /etc/nginx/sites-available/monitoring
dest: /etc/nginx/sites-enabled/monitoring dest: /etc/nginx/sites-enabled/monitoring
state: link state: link
notify: Reload nginx notify: reload nginx
- name: Start nginx - name: Start nginx
ansible.builtin.systemd: ansible.builtin.systemd:
name: nginx name: nginx
state: started state: started
enabled: true enabled: yes
- name: Allow HTTP/HTTPS
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ item.port }}"
ctstate: NEW
jump: ACCEPT
ip_version: "{{ item.ip }}"
action: insert
with_items:
- { ip: ipv6, port: 80 }
- { ip: ipv6, port: 443 }
notify: persist iptables
- name: mqtt_exporter - name: mqtt_exporter
tags: mqtt_exporter tags: mqtt_exporter
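Review bot: The new `Allow HTTP/HTTPS` task only opens tcp/80 and tcp/443 for `ip_version: ipv6`, whereas the equivalent tasks in the etherpad and forgejo hunks open both `ipv4` and `ipv6`; if the monitoring host is IPv6-only that is fine but should be stated in a comment (`# host is IPv6-only; no v4 rules needed`), otherwise the two `ipv4` entries are missing from `with_items`. `enabled: yes` on `Start nginx` should be `enabled: true`. The `mqtt_exporter` item that follows continues outside this hunk.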


@ -10,7 +10,6 @@
- name: Install apt dependencies - name: Install apt dependencies
ansible.builtin.apt: ansible.builtin.apt:
name: name:
- jq
- python3-paho-mqtt - python3-paho-mqtt
- python3-prometheus-client - python3-prometheus-client
- python3-yaml - python3-yaml
@ -24,7 +23,7 @@
group: root group: root
mode: 0644 mode: 0644
notify: notify:
- Daemon reload - daemon reload
- restart mqtt_exporter - restart mqtt_exporter
- name: Install config file - name: Install config file
@ -35,7 +34,7 @@
group: root group: root
mode: 0644 mode: 0644
notify: notify:
- Daemon reload - daemon reload
- restart mqtt_exporter - restart mqtt_exporter
- ansible.builtin.meta: flush_handlers - ansible.builtin.meta: flush_handlers


@ -69,9 +69,6 @@ level = info
[grafana_com] [grafana_com]
url = https://grafana.com url = https://grafana.com
[auth]
oauth_allow_insecure_email_lookup=true
[auth.anonymous] [auth.anonymous]
enabled = true enabled = true
org_name = Bitlair org_name = Bitlair


@ -15,8 +15,7 @@ export:
- subscribe: bitlair/# - subscribe: bitlair/#
- subscribe: bitlair/climate/+location/# - subscribe: bitlair/climate/+location/#
- subscribe: bitlair/climate/+location/dust_mass/+size - subscribe: bitlair/climate/+location/dust_mass/+size
- subscribe: bitlair/power/+net/+group/now_w - subscribe: bitlair/power/+net/+group/#
- subscribe: bitlair/power/+net/total_kwh
- subscribe: bitlair/wifi/+ssid/# - subscribe: bitlair/wifi/+ssid/#
- subscribe: bitlair/state - subscribe: bitlair/state
@ -36,10 +35,10 @@ export:
labels: labels:
product: payload product: payload
- subscribe: bitlair/collectd/bitlair4-sw-24p/snmp/if_octets-traffic.24 - subscribe: bitlair/collectd/bitlair-5406/snmp/if_octets-traffic.D15
metric_name: bitlair_internet_rx metric_name: bitlair_internet_rx
value_regex: "^.+:(.+):" value_regex: "^.+:(.+):"
- subscribe: bitlair/collectd/bitlair4-sw-24p/snmp/if_octets-traffic.24 - subscribe: bitlair/collectd/bitlair-5406/snmp/if_octets-traffic.D15
metric_name: bitlair_internet_tx metric_name: bitlair_internet_tx
value_regex: "^.+:.+:([\\d\\.]+)" value_regex: "^.+:.+:([\\d\\.]+)"
@ -57,29 +56,3 @@ export:
- subscribe: bitlair/power/shelly/+num/status/switch:0 - subscribe: bitlair/power/shelly/+num/status/switch:0
metric_name: bitlair_power_shelly metric_name: bitlair_power_shelly
value_json: .apower value_json: .apower
- subscribe: bambulab/device/+serial/report
metric_name: bambulab_nozzle_temperature
value_json: .print.nozzle_temper
- subscribe: bambulab/device/+serial/report
metric_name: bambulab_nozzle_target_temperature
value_json: .print.nozzle_target_temper
- subscribe: bambulab/device/+serial/report
metric_name: bambulab_bed_temperature
value_json: .print.bed_temper
- subscribe: bambulab/device/+serial/report
metric_name: bambulab_bed_target_temperature
value_json: .print.bed_target_temper
- subscribe: bambulab/device/+serial/report
metric_name: bambulab_chamber_temperature
value_json: .print.chamber_temper
- subscribe: bambulab/device/+serial/report
metric_name: bambulab_ams_humidity
value_json: .print.ams.ams[0].humidity
- subscribe: bambulab/device/+serial/report
metric_name: bambulab_print_progress
value_json: .print.mc_percent
- subscribe: bambulab/device/+serial/report
metric_name: bambulab_print_status
metric_type: info
value_json: .print.gcode_state


@ -0,0 +1,27 @@
---
- name: mqtt-internal
tags: mqtt_internal
block:
- name: Install dependencies
ansible.builtin.apt:
name:
- mosquitto
- avahi-daemon
- name: Configure Mosquitto
ansible.builtin.template:
src: "{{ item }}"
dest: "/etc/mosquitto/conf.d/{{ item }}"
owner: root
group: root
mode: 0644
notify: restart mosquitto
with_items:
- internal.conf
- public-bridge.conf
- name: Start mosquitto
ansible.builtin.systemd:
name: mosquitto
state: started
enabled: yes


@ -1,4 +1,4 @@
# {{ ansible_managed }} # Managed by Ansible
listener 1883 :: listener 1883 ::
listener 1883 0.0.0.0 listener 1883 0.0.0.0


@ -1,9 +1,8 @@
# {{ ansible_managed }} # Managed by Ansible
connection public-bridge connection public-bridge
address {{ mqtt_public_host }} address {{ mqtt_public_host }}
topic bambulab/# out
topic bitlair/alarm out topic bitlair/alarm out
topic bitlair/climate/# out topic bitlair/climate/# out
topic bitlair/collectd/bitlair-5406/snmp/# out topic bitlair/collectd/bitlair-5406/snmp/# out


@ -1 +0,0 @@
mqtt_bambulab_cafile: /etc/mosquitto/ca_certificates/bambulab.pem


@ -1,32 +0,0 @@
---
- name: Install dependencies
ansible.builtin.apt:
name:
- mosquitto
- avahi-daemon
- name: Install bambulab cafile
# openssl s_client -showcerts -connect <ip>:8883 </dev/null | sed -n -e '/-.BEGIN/,/-.END/ p'
ansible.builtin.copy:
dest: "{{ mqtt_bambulab_cafile }}"
content: "{{ lookup('passwordstore', 'bambulab subkey=cafile') }}"
- name: Configure Mosquitto
ansible.builtin.template:
src: "{{ item }}"
dest: "/etc/mosquitto/conf.d/{{ item }}"
owner: root
group: root
mode: 0644
notify: restart mosquitto
with_items:
- bambulab.conf
- internal.conf
- public-bridge.conf
- name: Start mosquitto
ansible.builtin.systemd:
name: mosquitto
state: started
enabled: true


@ -1,10 +0,0 @@
# {{ ansible_managed }}
connection bambulab
address {{ lookup('passwordstore', 'bambulab subkey=host') }}:8883
bridge_cafile {{ mqtt_bambulab_cafile }}
bridge_insecure true
remote_username bblp
remote_password {{ lookup('passwordstore', 'bambulab subkey=key') }}
topic # in 2 bambulab/ ""


@ -2,37 +2,37 @@
- ansible.builtin.import_tasks: - ansible.builtin.import_tasks:
file: ../../common/handlers/main.yaml file: ../../common/handlers/main.yaml
- name: Restart trollibox - name: restart trollibox
ansible.builtin.systemd: ansible.builtin.systemd:
name: trollibox name: trollibox
state: restarted state: restarted
daemon_reload: true daemon_reload: true
- name: Rebuild librespot - name: rebuild librespot
ansible.builtin.command: ansible.builtin.command:
cmd: /root/.cargo/bin/cargo build --release --features jackaudio-backend cmd: /root/.cargo/bin/cargo build --release --features jackaudio-backend
args: args:
chdir: /opt/librespot chdir: /opt/librespot
- name: Restart librespot - name: restart librespot
ansible.builtin.systemd: ansible.builtin.systemd:
name: librespot name: librespot
state: restarted state: restarted
daemon_reload: true daemon_reload: true
- name: Restart soundboard - name: restart soundboard
ansible.builtin.systemd: ansible.builtin.systemd:
name: soundboard name: soundboard
state: restarted state: restarted
daemon_reload: true daemon_reload: true
- name: Restart mpd-volume-to-mqtt - name: restart mpd-volume-to-mqtt
ansible.builtin.systemd: ansible.builtin.systemd:
name: mpd-volume-to-mqtt name: mpd-volume-to-mqtt
state: restarted state: restarted
daemon_reload: true daemon_reload: true
- name: Restart skipbutton - name: restart skipbutton
ansible.builtin.systemd: ansible.builtin.systemd:
name: skipbutton name: skipbutton
state: restarted state: restarted


@ -11,8 +11,8 @@
dest: /opt/librespot dest: /opt/librespot
accept_hostkey: yes accept_hostkey: yes
notify: notify:
- Rebuild librespot - rebuild librespot
- Restart librespot - restart librespot
- name: Install service file - name: Install service file
ansible.builtin.template: ansible.builtin.template:
@ -21,7 +21,7 @@
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: Restart librespot notify: restart librespot
- name: Enable Librespot - name: Enable Librespot
ansible.builtin.systemd: ansible.builtin.systemd:


@ -1,34 +1,30 @@
--- ---
- tags: music_mpd
- name: Import mpd
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: mpd.yaml file: mpd.yaml
tags:
- music_mpd
- name: Import trollibox - tags: music_trollibox
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: trollibox.yaml file: trollibox.yaml
tags:
- music_trollibox
- name: Librespot - tags: music_librespot
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: librespot.yaml file: librespot.yaml
tags:
- music_librespot
- name: Soundboard - tags: music_soundboard
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: soundboard.yaml file: soundboard.yaml
tags:
- music_soundboard
- name: Install nginx config - tags: music
ansible.builtin.template: block:
src: nginx-site.conf - ansible.builtin.import_tasks:
dest: /etc/nginx/sites-enabled/trollibox file: ../../../snippets/common-nginx.yaml
owner: root
group: root - name: Install nginx config
mode: 0644 ansible.builtin.template:
notify: Reload nginx src: nginx-site.conf
dest: /etc/nginx/sites-enabled/trollibox
owner: root
group: root
mode: 0644
notify: reload nginx


@ -1,5 +1,4 @@
--- ---
- name: Install MPD - name: Install MPD
ansible.builtin.apt: ansible.builtin.apt:
name: name:
@ -16,7 +15,7 @@
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: Restart mpd-volume-to-mqtt notify: restart mpd-volume-to-mqtt
- name: Install mpd-volume-to-mqtt service - name: Install mpd-volume-to-mqtt service
ansible.builtin.template: ansible.builtin.template:
@ -25,7 +24,7 @@
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: Restart mpd-volume-to-mqtt notify: restart mpd-volume-to-mqtt
- name: Enable mpd-volume-to-mqtt - name: Enable mpd-volume-to-mqtt
ansible.builtin.systemd: ansible.builtin.systemd:
@ -40,7 +39,7 @@
version: master version: master
dest: /opt/skipbutton dest: /opt/skipbutton
accept_hostkey: yes accept_hostkey: yes
notify: Restart skipbutton notify: restart skipbutton
- name: Install skipbutton service - name: Install skipbutton service
ansible.builtin.template: ansible.builtin.template:
@ -49,7 +48,7 @@
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: Restart skipbutton notify: restart skipbutton
- name: Enable skipbutton - name: Enable skipbutton
ansible.builtin.systemd: ansible.builtin.systemd:


@ -10,7 +10,7 @@
version: main version: main
dest: /opt/soundboard dest: /opt/soundboard
accept_hostkey: yes accept_hostkey: yes
notify: Restart soundboard notify: restart soundboard
- name: Create virtualenv - name: Create virtualenv
ansible.builtin.command: ansible.builtin.command:
@ -31,7 +31,7 @@
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: Restart soundboard notify: restart soundboard
- name: Install soundboard service file - name: Install soundboard service file
ansible.builtin.template: ansible.builtin.template:
@ -40,7 +40,7 @@
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
notify: Restart soundboard notify: restart soundboard
- name: Enable soundboard - name: Enable soundboard
ansible.builtin.systemd: ansible.builtin.systemd:


@ -5,8 +5,8 @@
dest: /etc/trollibox.yaml dest: /etc/trollibox.yaml
owner: root owner: root
group: root group: root
mode: "0644" mode: 0644
notify: Restart trollibox notify: restart trollibox
- name: Get latest Trollibox version from Github API - name: Get latest Trollibox version from Github API
ansible.builtin.get_url: ansible.builtin.get_url:
@ -25,8 +25,8 @@
remote_src: yes remote_src: yes
dest: /usr/local/bin dest: /usr/local/bin
include: [ trollibox ] include: [ trollibox ]
mode: "0755" mode: 0755
notify: Restart trollibox notify: restart trollibox
- name: Install service file - name: Install service file
ansible.builtin.template: ansible.builtin.template:
@ -34,8 +34,8 @@
dest: /etc/systemd/system/trollibox.service dest: /etc/systemd/system/trollibox.service
owner: root owner: root
group: root group: root
mode: "0644" mode: 0644
notify: Restart trollibox notify: restart trollibox
- name: Enable Trollibox - name: Enable Trollibox
ansible.builtin.systemd: ansible.builtin.systemd:


@ -1,33 +0,0 @@
---
nft: true # Overrule om geen nftables uit te rollen
nft_main_config: "/etc/nftables.conf"
# Default policies per chain ( drop / reject / accept )
nft_policy_input: "drop"
nft_policy_forward: "accept"
nft_policy_output: "accept"
# Same for nat traffic
nft_policy_prerouting: "accept"
nft_policy_postrouting: "accept"
# Host/Port allows
nft_group_rules: []
# And per host/group additions to rules:
group_nft_input: []
group_nft_forward: []
group_nft_output: []
host_nft_input: []
host_nft_forward: []
host_nft_output: []
group_nft_postrouting: []
host_nft_postrouting: []
group_nft_prerouting: []
host_nft_prerouting: []
nft_defines: []
nft_defines_group: []


@ -1,13 +0,0 @@
---
- name: Reload nftables
ansible.builtin.systemd:
name: "nftables"
state: reloaded
enabled: true
tags:
- nft
- nftservice
when:
- nft|bool


@ -1,47 +0,0 @@
---
- name: Install nftables related packages
ansible.builtin.apt:
state: present
pkg:
- nftables
- net-tools
- ipset
- name: Template nftables.conf
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "root"
group: "root"
mode: "0700"
validate: "{{ item.validate | default() }}"
with_items:
- { src: "nftables.conf.j2", dest: "{{ nft_main_config }}",
backup: "yes", validate: "/usr/sbin/nft -c -f %s" }
tags:
- nft
- nftconfig
when:
- nft | bool
notify:
- Reload nftables
- name: Cleanup netfilter packages
ansible.builtin.apt:
state: absent
pkg:
- netfilter-persistent
when:
- nft | bool
- name: Cleanup iptables stuff
ansible.builtin.file:
state: absent
path: "{{ item }}"
with_items:
- "/etc/iptables/rules/v4"
- "/etc/iptables/rules/v6"
- "/etc/iptables"
when:
- nft | bool


@ -1,182 +0,0 @@
#!/usr/sbin/nft -f
# {{ ansible_managed }}
flush ruleset
table inet filter {
# Named sets
set trusted4 {
type ipv4_addr
flags interval
elements = {
{% for ip in trusted_ranges %}
{% if ip.v == 'ipv4' %}
{{ ip.cidr }}, # {{ ip.comment | default('') }}
{% endif %}
{% endfor %}
}
}
set trusted6 {
type ipv6_addr
flags interval
elements = {
{% for ip in trusted_ranges %}
{% if ip.v == 'ipv6' %}
{{ ip.cidr }}, # {{ ip.comment | default('') }}
{% endif %}
{% endfor %}
}
}
# Firewall chains
chain input {
type filter hook input priority 0;
policy {{ nft_policy_input }};
# Established connections
ct state established,related accept
ct state invalid counter drop comment "drop invalid packets"
# Limit icmp echo/reply
ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets log prefix "high icmp-echo rate: " drop
# icmp6 from trusted ranges
ip6 nexthdr icmpv6 icmpv6 type echo-request accept
# icmpv6 from the rest of the world
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets log prefix "high icmp6-echo rate: " drop
# Loopback traffic
iifname lo accept
# icmp
ip protocol icmp icmp type {
destination-unreachable,
echo-reply,
echo-request,
source-quench,
time-exceeded
} accept
# icmp6
ip6 nexthdr icmpv6 icmpv6 type {
destination-unreachable,
echo-reply,
echo-request,
nd-neighbor-solicit,
nd-router-advert,
nd-neighbor-advert,
packet-too-big,
parameter-problem,
time-exceeded
} accept
# Open ssh only for trusted machines
ip saddr @trusted4 tcp dport { {{ trusted_ports | join(', ') }} } accept
ip6 saddr @trusted6 tcp dport { {{ trusted_ports | join(', ') }} } accept
# Rules based on group-vars
{% for custom in nft_group_rules %}
{% if custom.comment is defined %}
# {{ custom.comment | default('') }}
{% endif %}
{{ custom.version | default('ip') }} saddr { {{ custom.from | join(', ') }} } {{ custom.proto | default('tcp') }} dport { {{ custom.port }} } {{ custom.policy | default('accept') }}
{% endfor %}
{% for rule in group_nft_input %}
# Group input rules
{{ rule }}
{% endfor %}
{% for rule in host_nft_input %}
# Host input rules
{{ rule }}
{% endfor %}
}
chain forward {
type filter hook forward priority 0;
policy {{ nft_policy_forward }};
ct state established,related accept
{% for rule in group_nft_forward %}
# Group forward rules
{{ rule }}
{% endfor %}
{% for rule in host_nft_forward %}
# Host forward rules
{{ rule }}
{% endfor %}
counter comment "count dropped incoming packets"
}
chain output {
type filter hook output priority 0;
policy {{ nft_policy_output }};
# Established connections
ct state established,related accept
ct state invalid counter drop comment "drop invalid packets"
# icmp
ip protocol icmp icmp type {
destination-unreachable,
echo-reply,
echo-request,
source-quench,
time-exceeded
} accept
# icmp6
ip6 nexthdr icmpv6 icmpv6 type {
destination-unreachable,
echo-reply,
echo-request,
nd-neighbor-solicit,
nd-router-advert,
nd-neighbor-advert,
packet-too-big,
parameter-problem,
time-exceeded
} accept
{% for rule in group_nft_output %}
# Group output rules
{{ rule }}
{% endfor %}
{% for rule in host_nft_output %}
# Host output rules
{{ rule }}
{% endfor %}
counter comment "count dropped outgoing packets"
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority 100
policy {{ nft_policy_prerouting }};
{% for rule in group_nft_prerouting %}
# Group prerouting rules
{{ rule }}
{% endfor %}
{% for rule in host_nft_prerouting %}
# Host prerouting rules
{{ rule }}
{% endfor %}
}
chain postrouting {
type nat hook postrouting priority 100
policy {{ nft_policy_postrouting }};
{% for rule in group_nft_postrouting %}
# Group postrouting rules
{{ rule }}
{% endfor %}
{% for rule in host_nft_postrouting %}
# Host postrouting rules
{{ rule }}
{% endfor %}
}
}


@ -1,15 +0,0 @@
---
nginx_package: "nginx-light"
nginx_user: "www-data"
nginx_modules_dir: "/etc/nginx/modules-enabled"
nginx_tls_version: "TLSv1.2 TLSv1.3"
nginx_tls_cipherlist: "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:!SHA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
nginx_tls_curve: "prime256v1:secp384r1"
nginx_tls_cache_size: "10m"
nginx_tls_session_timeout: "1h"
nginx_ssl_stapling: "on"
nginx_ssl_stapling_verify: "on"
nginx_wk_acme: "/var/lib/dehydrated/acme-challenges"
nginx_client_max_body_size: "32m"


@ -1,11 +0,0 @@
---
- name: Reload nginx
ansible.builtin.systemd:
name: nginx
state: reloaded
enabled: true
listen: "Reload app-services"
when:
- nginx_sites is defined


@ -1,87 +0,0 @@
---
- name: Install nginx base package
ansible.builtin.apt:
name: "{{ nginx_package }}"
state: present
when:
- nginx_sites is defined
- name: Install bootstrap cert
ansible.builtin.apt:
name: "ssl-cert"
state: present
when:
- nginx_bootstrap_certs is defined and nginx_bootstrap_certs
- name: Create sites-available / sites-enabled directories
ansible.builtin.file:
state: directory
path: "{{ item.path }}"
owner: "{{ item.owner | default('root') }}"
group: "{{ item.group | default('root') }}"
mode: "{{ item.mode | default('0755') }}"
with_items:
- { path: "/etc/nginx/sites-available" }
- { path: "/etc/nginx/sites-enabled" }
notify: Reload nginx
when:
- nginx_sites is defined
- name: Template default nginx config files
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ item.owner | default('root') }}"
group: "{{ item.group | default('root') }}"
mode: "{{ item.mode | default('0644') }}"
force: "{{ item.force | default('yes') }}"
backup: true
loop_control:
label: "{{ item.dest }}"
with_items:
- { src: "etc-nginx.conf.j2", dest: "/etc/nginx/nginx.conf", notify: "Reload nginx" }
- { src: "tls_params.j2", dest: "/etc/nginx/tls_params", notify: "Reload nginx" }
- { src: "default.j2", dest: "/etc/nginx/sites-available/default", notify: "Reload nginx" }
# - { src: "dhparam.pem.j2", dest: "{{ nginx_dhparams_file }}", notify: "Reload nginx" }
# - { src: "check_nginx.j2", dest: "{{ nagios_plugin_location }}/check_nginx", mode: '755' }
# - { src: "nrpe-check_nginx.j2", dest: "/etc/nagios/nrpe.d/10-nginx.cfg", notify: "Restart nrpe" }
notify: "{{ item.notify | default(omit) }}"
when:
- nginx_sites is defined
- name: Template site-specific configs
ansible.builtin.template:
src: "site.conf.j2"
dest: "/etc/nginx/sites-available/{{ site.server_name }}.conf"
owner: "{{ site.owner | default('root') }}"
group: "{{ site.group | default('root') }}"
mode: "{{ site.mode | default('0644') }}"
force: "{{ site.force | default('yes') }}"
backup: true
loop: "{{ nginx_sites }}"
loop_control:
loop_var: site
label: "{{ site.server_name }}"
notify: Reload nginx
when:
- nginx_sites is defined
tags:
- nginxextra
- nginx_site
- name: Enable nginx sites
ansible.builtin.file:
src: "/etc/nginx/sites-available/{{ site.server_name }}.conf"
path: "/etc/nginx/sites-enabled/{{ site.server_name }}.conf"
state: "{% if site.disabled | default(false) %}absent{% else %}link{% endif %}"
mode: "0644"
loop: "{{ nginx_sites }}"
loop_control:
loop_var: site
label: "{{ site.server_name }}"
notify: Reload nginx
when:
- nginx_sites is defined
ignore_errors: "{{ ansible_check_mode }}"


@ -1,37 +0,0 @@
# {{ ansible_managed }}
server {
listen 80 default_server;
listen [::]:80;
server_name {{ inventory_hostname }};
# Accept ACME-Challenges over http
location ^~ /.well-known/acme-challenge/ {
alias {{ nginx_wk_acme }}/;
}
# Block .ht files
location ~ /\.ht {
deny all;
}
# Redirect everything to https by default
location / {
return 301 https://$host$request_uri;
}
location /server_status {
# Enable Nginx stats
stub_status on;
# Only allow access from localhost
allow 127.0.0.1;
# Other request should be denied
deny all;
}
}
{% for line in nginx_default_extra | default([]) %}
{{ line }}
{% endfor %}


@ -1,39 +0,0 @@
# {{ ansible_managed }}
user {{ nginx_user }};
worker_processes auto;
pid /run/nginx.pid;
worker_rlimit_nofile 16384;
include {{ nginx_modules_dir }}/*.conf;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Default nginx log format with $request time added
log_format bitlair '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $request_time';
access_log /var/log/nginx/access.log bitlair;
gzip on;
gzip_disable "msie6";
{% for line in nginx_http_extra | default([]) %}
{{ line }}
{% endfor %}
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}


@ -1,47 +0,0 @@
# {{ ansible_managed }}
{% for line in site.pre_config | default([]) %}
{{ line }}
{% endfor %}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ site.server_name | default(inventory_hostname) }}{% if site.server_alias is defined %} {{ site.server_alias }}{% endif %};
include /etc/nginx/tls_params;
{% if nginx_bootstrap_certs | default(false) %}
include "snippets/snakeoil.conf";
{% else %}
ssl_certificate /var/lib/dehydrated/certs/{{ site.server_name }}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/{{ site.server_name }}/privkey.pem;
{% endif %}
index {{ nginx_index | default('index.php index.html index.htm') }};
client_max_body_size {{ nginx_client_max_body_size }};
location ~ /\.ht {
deny all;
}
access_log /var/log/nginx/{{ site.server_name }}.access.log bitlair;
error_log /var/log/nginx/{{ site.server_name }}.error.log;
{% if site.localproxy is defined %}
location / {
proxy_pass http://localhost:{{ site.localproxy }}/;
include proxy_params;
}
{% endif %}
# Include snippets
{% for file in site.snippets | default([]) %}
{% include "snippets/" ~ file %}
{% endfor %}
# Per site configuration
{% for line in site.config | default([]) %}
{{ line }}
{% endfor %}
}


@ -1 +0,0 @@
../../../snippets/


@ -1,22 +0,0 @@
# {{ ansible_managed }}
ssl_session_timeout {{ nginx_tls_session_timeout }};
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:{{ nginx_tls_cache_size }};
ssl_protocols {{ nginx_tls_version }};
ssl_ciphers {{ nginx_tls_cipherlist }};
ssl_ecdh_curve {{ nginx_tls_curve }};
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "sameorigin";
add_header X-Content-Type-Options "nosniff";
add_header X-Robots-Tag noindex;
# OCSP stapling
ssl_stapling {{ nginx_ssl_stapling }};
ssl_stapling_verify {{ nginx_ssl_stapling_verify }};


@ -33,5 +33,5 @@
ansible.builtin.systemd: ansible.builtin.systemd:
name: bambulab-fetch name: bambulab-fetch
state: started state: started
enabled: true enabled: yes
daemon_reload: true daemon_reload: true
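Review bot: The `enabled:` line in this hunk differs between the two columns only in boolean spelling, and `enabled: yes` is the form to avoid: `yes` is a YAML 1.1 truthy scalar that Ansible's PyYAML-based loader accepts, but yamllint's `truthy` rule flags it and a YAML 1.2 parser reads it as the string `"yes"`, so the canonical spelling is `enabled: true`, matching `daemon_reload: true` on the next line. The rendered compare does not show which column is the new side; if `yes` is the historical value then this compare already makes that change and nothing further is needed. The enclosing task (the `ansible.builtin.systemd` entry for `bambulab-fetch`) starts above line 33, outside the hunk.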


@ -33,5 +33,5 @@
ansible.builtin.systemd: ansible.builtin.systemd:
name: photo-gallery name: photo-gallery
state: started state: started
enabled: true enabled: yes
daemon_reload: true daemon_reload: true
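Review bot: Same point as the sibling service task: one side of this hunk has `enabled: yes`, which is only a boolean under YAML 1.1 semantics and is rejected by yamllint's `truthy` rule, while the other has the canonical `enabled: true` that agrees with `daemon_reload: true` directly below it. Whichever side is current should read `enabled: true`; the page gives no old/new gutter, so if `true` is already the new value this is resolved. The `- name:` line of the enclosing `photo-gallery` task lies outside the hunk.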
