

No commits in common. "main" and "linting" have entirely different histories.

126 changed files with 739 additions and 1498 deletions


@ -1,17 +0,0 @@
---
extends: relaxed
rules:
# 80 chars should be enough, but don't fail if a line is longer
line-length:
max: 200
level: warning
empty-lines:
max: 2
max-start: 1
max-end: 1
colons:
max-spaces-after: -1
commas:
max-spaces-after: -1


@ -1,3 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ0ryG8LT5ryjc3tZggVP0cxjXoKOPzUIwmB9Yez+u3nDHc3RdLR0V/BdcVPCJl9vOQwsFaTE34ZEZ3A6qkcSaz2Npxqq0eFtcEAKTy9w41C6jE586jkwkednSK9ObFFZnlSA3ielYeB5bRuELHyvazHWSUGn+/nzuujAYpEABRGAlt0IV2eMugsb1aEs5v8/Hw3REGz6IeNBwlVOzDznGK4N0b1es270k2fpkD0XMRnga7x2eduD74gRYJHo41sKz6kqHFfXjvrH6Efrn5sNtTF7pIkPfeiX4ukDQYG6Ynxgkdbi1pMg5zGjjjRZ0iExKqNi+jtZhVewqFvj66vLX arjan@koopen.net
ssh-rsa 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 arjan@koopen.net SL


@ -1,4 +1,2 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUIAkaRsvb6cD1XIGF80JpMH1mYE9XhCgptOkt9AfloZQlO7Ds5XeCwJk5/TsoidTcb/0yFUov8SMwaIVtrFfkNUqqeAsfm3luJ4JwOXeCwrXD6W7c5Wqg/FGNH0eZr0kEnxpNS10L72+oNBQgnlSNjqWS29lEmXApKQ3IKy6aP9cMwEh25fsH/2G7mHsZX2UMPK0tZPC6MPxY5P9PWLIulUpsX96c6OcAvGYIvsCnecsVsTdhK36w4Z/t7XoLFz5X6k3eXT7gG4SMGuBixjroTUhumWzgJJ6T1Nn/eESe7Im8krlzO/0hG/F8uBy3s04TAJuXFmygvtC4YLyq91U5 Sig-I/O Beheer key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyKprIcR81+RFSBxU3iyW4vd0ctr0q1Pqifzxbro+0C mark@x240-ed25519
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGc3py/K9wUSF86SIMv2AWtVAxEb1ZEy7BEz7VrGeZp/ sigio@t14
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUIAkaRsvb6cD1XIGF80JpMH1mYE9XhCgptOkt9AfloZQlO7Ds5XeCwJk5/TsoidTcb/0yFUov8SMwaIVtrFfkNUqqeAsfm3luJ4JwOXeCwrXD6W7c5Wqg/FGNH0eZr0kEnxpNS10L72+oNBQgnlSNjqWS29lEmXApKQ3IKy6aP9cMwEh25fsH/2G7mHsZX2UMPK0tZPC6MPxY5P9PWLIulUpsX96c6OcAvGYIvsCnecsVsTdhK36w4Z/t7XoLFz5X6k3eXT7gG4SMGuBixjroTUhumWzgJJ6T1Nn/eESe7Im8krlzO/0hG/F8uBy3s04TAJuXFmygvtC4YLyq91U5
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyKprIcR81+RFSBxU3iyW4vd0ctr0q1Pqifzxbro+0C


@ -1,8 +1,8 @@
---
- hosts: bank
roles:
- common
- bank
vars:
bank_revbank_git: https://github.com/bitlair/revbank.git
roles:
- { role: "common", tags: [ "common" ] }
- { role: "bank", tags: [ "bank" ] }


@ -4,6 +4,6 @@
vars:
raspi_rotate_display: "2"
roles:
- { role: "raspi", tags: [ "raspi" ] }
- { role: "common", tags: [ "common" ] }
- { role: "bank-terminal", tags: [ "bank-terminal" ] }
- raspi
- common
- bank-terminal


@ -1,67 +1,58 @@
---
- hosts: all
gather_facts: true
roles:
- { role: "common", tags: ["common"] }
- { role: "nft", tags: ["nft"] }
- { role: "common", tags: [ "common" ] }
- hosts: bank
roles:
- { role: "bank", tags: ["bank"] }
- hosts: homeassistant
roles:
- { role: "acme", tags: ["acme"] }
- { role: "nginx", tags: ["nginx"] }
- { role: "bank", tags: [ "bank" ] }
- hosts: raspi
roles:
- { role: "raspi", tags: ["raspi"] }
- { role: "bank-terminal", tags: ["bank-terminal"] }
- { role: "raspi", tags: [ "raspi" ] }
- { role: "bank-terminal", tags: [ "bank-terminal" ] }
- hosts: fotos
roles:
- { role: "photos", tags: ["photos"] }
- { role: "photos", tags: [ "photos" ] }
- hosts: git-ci
roles:
- { role: "git-ci", tags: ["git-ci"] }
- { role: "git-ci", tags: [ "git-ci" ] }
- hosts: git
roles:
- { role: "acme", tags: ["acme"] }
- { role: "nginx", tags: ["nginx"] }
- { role: "git-server", tags: ["git-server"] }
- { role: "acme", tags: [ "acme" ] }
- { role: "git-server", tags: [ "git-server" ] }
- hosts: monitoring
roles:
- { role: "acme", tags: ["acme"] }
- { role: "nginx", tags: ["nginx"] }
- { role: "monitoring", tags: ["monitoring"] }
- { role: "acme", tags: [ "acme" ] }
- { role: "monitoring", tags: [ "monitoring" ] }
- hosts: mqtt
roles:
- { role: "mqtt", tags: ["mqtt"] }
- { role: "mqtt-internal", tags: [ "mqtt-internal" ] }
- hosts: music
roles:
- { role: "acme", tags: ["acme"] }
- { role: "go", tags: ["go"] }
- { role: "music", tags: ["music"] }
- { role: "acme", tags: [ "acme" ] }
- { role: "go", tags: [ "go" ] }
- { role: "music", tags: [ "music" ] }
- hosts: pad
roles:
- { role: "acme", tags: ["acme"] }
- { role: "nginx", tags: ["nginx"] }
- { role: "etherpad", tags: ["etherpad"] }
- { role: "acme", tags: [ "acme" ] }
- { role: "etherpad", tags: [ "etherpad" ] }
- hosts: services
roles:
- { role: "services", tags: ["services"] }
- { role: "services", tags: [ "services" ] }
- hosts: wiki
roles:
- { role: "acme", tags: ["acme"] }
- { role: "nginx", tags: ["nginx"] }
- { role: "www", tags: ["www"] }
- { role: "acme", tags: [ "acme" ] }
- { role: "www", tags: [ "www" ] }


@ -3,5 +3,4 @@
- hosts: debian
gather_facts: true
roles:
- { role: "common", tags: [ "common" ] }
- { role: "nft", tags: [ "nft" ] }
- common


@ -2,5 +2,5 @@
- hosts: fotos
roles:
- { role: "common", tags: [ "common" ] }
- { role: "photos", tags: [ "photos" ] }
- common
- photos


@ -2,5 +2,5 @@
- hosts: git-ci
roles:
- { role: "common", tags: [ "common" ] }
- { role: "git-ci", tags: [ "git-ci" ] }
- common
- git-ci


@ -2,7 +2,6 @@
- hosts: git
roles:
- { role: "common", tags: [ "common" ] }
- { role: "acme", tags: [ "acme" ] }
- { role: "nginx", tags: [ "nginx" ] }
- { role: "git-server", tags: [ "git-server" ] }
- common
- acme
- git-server


@ -5,25 +5,23 @@ ansible_python_interpreter: auto_silent
notify_email: bestuur@bitlair.nl
acme_bootstrap_certs: no
trusted_ranges:
- { v: ipv4, cidr: "127.0.0.1/8", comment: "localhost" }
- { v: ipv4, cidr: "10.0.0.0/8", comment: "rfc1918" }
- { v: ipv4, cidr: "172.16.0.0/12", comment: "rfc1918" }
- { v: ipv4, cidr: "192.168.0.0/16", comment: "rfc1918" }
- { v: ipv4, cidr: "45.88.49.140", comment: "vihamij" }
- { v: ipv4, cidr: "204.2.64.0/20", comment: "eventinfra / bitlair" }
- { v: ipv4, cidr: "100.64.0.0/10", comment: "bitlair" }
- { v: ipv4, cidr: "185.205.52.194/32", comment: "bitlair A2B" } # kan weg ??
- { v: ipv4, cidr: "31.187.251.213/32", comment: "foobar thuis" }
- { v: ipv4, cidr: "185.205.53.40/32", comment: "ak / koopen.net" }
# - { v: ipv6, cidr: "::/0", comment: "ipv6 localhost" }
# - { v: ipv6, cidr: "fe80::/10", comment: "ipv6 link-local" }
# - { v: ipv6, cidr: "2a02:166b:92::/48", comment: "bitlair" } # /48's kunnen niet in de ipset
- { v: ipv6, cidr: "2001:678:814:68::/64", comment: "bitlair wifi" }
- { v: ipv6, cidr: "2a05:2d01:0:4042::/64", comment: "bitlair servers" }
- { v: ipv6, cidr: "2a05:2d01:1337::/48", comment: "bitlair space v6-range" }
- { v: ipv6, cidr: "2a0e:5700:4:2::/64", comment: "foobar ipv6" }
trusted_ports:
- ssh
# localhost
- { v: ipv4, cidr: 127.0.0.1/8 }
- { v: ipv6, cidr: "::1" }
# rf1928
- { v: ipv4, cidr: 10.0.0.0/8 }
- { v: ipv4, cidr: 172.16.0.0/12 }
- { v: ipv4, cidr: 192.168.0.0/16 }
# v6 local
- { v: ipv6, cidr: "fe80::/10" }
# vihamij
- { v: ipv4, cidr: 45.88.49.140 }
# eventinfra
- { v: ipv4, cidr: 204.2.64.0/20 }
- { v: ipv4, cidr: 100.64.0.0/10 }
- { v: ipv4, cidr: 185.205.52.194/32 }
- { v: ipv6, cidr: "2a02:166b:92::/48" }
root_access:
- ak
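Review bot: The comment introducing the private-range entries reads `# rf1928`; it should be `# rfc1918` so the reference is findable and matches the term the old side used. The compact list also loses the per-entry provenance the old side carried (which party `185.205.52.194/32` or `45.88.49.140` belongs to), and an allowlist that is trusted for every port by the common role's firewall tasks needs that so it can be pruned safely later; a short trailing comment per non-RFC entry, e.g. `- { v: ipv4, cidr: 185.205.52.194/32 }  # <owner>`, would do. Which entries sit on the new side cannot be read off this rendering with certainty, so treat the line references as approximate.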


@ -1,2 +0,0 @@
---


@ -1,15 +1,6 @@
root_access:
- ak
- foobar
- linor
- polyfloyd
- wilco
trusted_ports:
- ssh
- microsoft-ds
group_nft_input:
- "ip saddr 204.2.64.19 tcp dport { 4567 } accept # Allow traffic from wiki"


@ -1,5 +1 @@
---
forgejo_url: https://git.bitlair.nl
nft: false # Docker wil nog niet zo met nft


@ -1,18 +1,5 @@
---
acme_domains:
- "{{ git_server_domain }}"
git_server_domain: git.bitlair.nl
git_server_title: Gitlair
git_server_bootstrap_cert: no
group_nft_input:
- "tcp dport { ssh, http, https } accept # Allow ssh(git) + web-traffic from world"
nginx_client_max_body_size: 4G
nginx_sites:
- server_name: "git.bitlair.nl"
localproxy: "9001"
snippets:
- "forgejo-nginx.j2"


@ -1,13 +0,0 @@
acme_bootstrap_certs: yes
acme_san_domains:
- [ homeassistant.bitlair.nl ]
group_nft_input:
- "tcp dport { http, https } accept # Allow web-traffic from world"
- "tcp dport { 1883 } accept # mqtt from world"
nginx_sites:
- server_name: "homeassistant.bitlair.nl"
localproxy: "8123"
snippets:
- "homeassistant-nginx.j2"


@ -1,2 +0,0 @@
---


@ -1,2 +0,0 @@
---


@ -1,10 +1,7 @@
monitoring_domain: dashboard.bitlair.nl
monitoring_bootstrap_cert: no
acme_san_domains:
- ["{{ monitoring_domain }}"]
group_nft_input:
- "tcp dport { http, https } accept # Allow web-traffic from world"
- ["{{ monitoring_domain }}", monitoring.bitlair.nl]
prometheus_scrape_configs:
- job_name: "node"
@ -20,7 +17,6 @@ prometheus_scrape_configs:
- "lights.bitlair.nl:9100"
- "music.bitlair.nl:9100"
- "service.bitlair.nl:9100"
- "user.bitlair.nl:9100"
- job_name: "mqtt"
static_configs:
- targets: [ "localhost:9883" ]
@ -34,7 +30,6 @@ prometheus_scrape_configs:
- https://bitlair.nl
- https://git.bitlair.nl
- https://pad.bitlair.nl
- https://user.bitlair.nl
# Legacy
- https://wiki.bitlair.nl
- https://portal.bitlair.nl
@ -45,9 +40,3 @@ prometheus_scrape_configs:
target_label: instance
- target_label: __address__
replacement: "{{ blackbox_exporter_web_listen_address }}"
nginx_sites:
- server_name: "dashboard.bitlair.nl"
localproxy: "9000"
snippets:
- "prometheus-nginx.j2"


@ -1,8 +0,0 @@
---
nft_group_rules:
- { version: "ip6", from: [ '2001:470:7f95::/48' ], port: "1883" }
trusted_ports:
- ssh
- 1883


@ -1,8 +1,3 @@
---
# Fixme, nog niet kunnen testen, was down
nft: false
root_access:
- ak
- bob
@ -10,8 +5,6 @@ root_access:
- foobar
- polyfloyd
nginx_client_max_body_size: 512M
music_domain: music.bitlair.nl
acme_san_domains:
- [ music.bitlair.nl ]


@ -1,28 +1 @@
---
acme_domains:
- pad.bitlair.nl
etherpad_domain: pad.bitlair.nl
nginx_sites:
- server_name: "pad.bitlair.nl"
# localproxy: "9001"
pre_config:
- "# WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html"
- "map $http_upgrade $connection_upgrade {"
- " default upgrade;"
- " '' close;"
- "}"
config:
- "location / {"
- " proxy_pass http://localhost:9001/;"
- " include proxy_params;"
- ""
- " # WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html"
- " proxy_set_header Upgrade $http_upgrade;"
- " proxy_set_header Connection $connection_upgrade;"
- "}"
group_nft_input:
- "tcp dport { http, https } accept # Allow web-traffic from world"


@ -1,4 +0,0 @@
---
# Nog niet kunnen testen / geen toegang
nft: false


@ -1,15 +0,0 @@
---
group_nft_input: []
# test
nft_group_rules:
- { from: [ '204.2.64.29' ], port: "3306", comment: "Mysql vanaf eventinfra, verzoek AK" }
- { from: [ '100.64.0.14' ], port: "4000", proto: "udp", comment: "siahsd"}
- { from: [ '204.2.64.86' ], port: "31337", proto: "tcp", comment: "irc-say vanaf home assistant" }
power_mqtt_targets:
- net: space
ip: 100.64.0.21
- net: unicorndept
ip: 100.64.0.187


@ -1,6 +0,0 @@
---
manage_sshd_config: false
group_nft_input:
- "tcp dport { ssh } accept # Allow SSH from world"


@ -1,25 +0,0 @@
acme_bootstrap_certs: yes
acme_san_domains:
- [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ]
- [ bitair.nl ]
- [ ravespace.nl ]
group_nft_input:
- "tcp dport { http, https } accept # Allow web-traffic from world"
- "tcp dport { 1883 } accept # mqtt from world"
nginx_sites:
- server_name: "bitlair.nl"
server_alias: "wiki.bitlair.nl www.bitlair.nl cyber.bitlair.nl"
snippets:
- "mqtt2web-nginx.j2"
- "spaceapi-nginx.j2"
- "www-nginx.j2"
- server_name: "bitair.nl"
server_alias: "www.bitair.nl"
snippets:
- "bitair-nginx.j2"
- server_name: "ravespace.nl"
server_alias: "www.ravespace.nl"
snippets:
- "ravespace-nginx.j2"

5
group_vars/www.yaml Normal file

@ -0,0 +1,5 @@
acme_bootstrap_certs: yes
acme_san_domains:
- [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ]
- [ bitair.nl ]
- [ ravespace.nl ]


@ -1,5 +1,4 @@
# Bitlair inventory
# Inventory
[raspi]
bank-pi.bitlair.nl
@ -40,12 +39,6 @@ service.bitlair.nl
[wiki]
wiki.bitlair.nl
[shell]
shell.bitlair.nl
[homeassistant]
homeassistant.bitlair.nl
[debian:children]
bank
fotos
@ -58,5 +51,4 @@ monitoring
music
services
wiki
shell
homeassistant


@ -1,5 +0,0 @@
#!/bin/bash
j2lint `find ./ -type f -name '*.j2'`
ansible-lint bitlair.yaml


@ -2,7 +2,6 @@
- hosts: monitoring
roles:
- { role: "common", tags: [ "common" ] }
- { role: "acme", tags: [ "acme" ] }
- { role: "nginx", tags: [ "nginx" ] }
- { role: "monitoring", tags: [ "monitoring" ] }
- common
- acme
- monitoring

6
mqtt-internal.yaml Normal file

@ -0,0 +1,6 @@
---
- hosts: mqtt_internal
roles:
- common
- mqtt-internal


@ -1,6 +0,0 @@
---
- hosts: mqtt
roles:
- { role: "common", tags: [ "common" ] }
- { role: "mqtt", tags: [ "mqtt", "mqtt" ] }


@ -2,8 +2,7 @@
- hosts: music
roles:
- { role: "common", tags: [ "common" ] }
- { role: "acme", tags: [ "acme" ] }
- { role: "go", tags: [ "go" ] }
# - { role: "nginx", tags: [ "nginx" ] }
- { role: "music", tags: [ "music" ] }
- common
- acme
- go
- music


@ -5,8 +5,6 @@
acme_san_domains:
- [ pad.bitlair.nl ]
roles:
- { role: "common", tags: [ "common" ] }
- { role: "nft", tags: [ "nft" ] }
- { role: "acme", tags: [ "acme" ] }
- { role: "nginx", tags: [ "nginx" ] }
- { role: "etherpad", tags: [ "etherpad" ] }
- common
- acme
- etherpad


@ -1,9 +1,7 @@
---
- name: update_contact_info
ansible.builtin.command:
cmd: dehydrated --account
- name: run dehydrated
- name: query_certificates
ansible.builtin.command:
cmd: dehydrated --cron


@ -1,46 +1,82 @@
---
- ansible.builtin.import_tasks:
file: remove_conflicting.yaml
tags: [ never, acme_remove_conflicting ]
- name: Install Dehydrated
ansible.builtin.apt:
state: present
pkg:
- dehydrated
tags:
- acme
tags: [ acme, acme_install ]
block:
- name: Install dependencies
ansible.builtin.apt:
name: ssl-cert
state: present
- name: Create Nginx snippet snippets dir
ansible.builtin.file:
state: "directory"
path: "/etc/nginx/snippets"
owner: "root"
group: "root"
mode: "0755"
- name: Install Dehydrated
ansible.builtin.apt:
name: dehydrated
state: present
- name: Template dehydrated configfiles
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ item.owner | default('root') }}"
group: "{{ item.group | default('root') }}"
mode: "{{ item.mode | default('0640') }}"
notify: "{{ item.notify | default([]) }}"
with_items:
- { src: "config.sh", dest: "/etc/dehydrated/conf.d/ansible.sh", mode: '0755' }
- { src: "deploy.sh", dest: "/etc/dehydrated/conf.d/deploy.sh", mode: '0755' }
- { src: "cron", dest: "/etc/cron.d/dehydrated" }
- { src: "nginx-snippet.conf", dest: "/etc/nginx/snippets/acme.conf" }
- { src: "domains.txt", dest: "/etc/dehydrated/domains.txt", notify: "run dehydrated" }
- name: Install config file
ansible.builtin.template:
src: config.sh
dest: /etc/dehydrated/conf.d/ansible.sh
owner: root
group: root
mode: 0755
notify: update_contact_info
- name: Register account
ansible.builtin.command:
args:
cmd: dehydrated --register --accept-terms
creates: /var/lib/dehydrated/accounts
- name: Install deploy hook
ansible.builtin.template:
src: deploy.sh
dest: /etc/dehydrated/conf.d/deploy.sh
owner: root
group: root
mode: 0755
- name: Symlink SAN domains
ansible.builtin.include_tasks:
file: san_domains_loop.yaml
loop: "{{ acme_san_domains | default([]) }}"
loop_control:
loop_var: domains
- name: Install cronjob
ansible.builtin.template:
src: cron
dest: /etc/cron.d/dehydrated
owner: root
group: root
mode: 0644
- name: Create Nginx snippet snippets dir
ansible.builtin.file:
state: directory
path: /etc/nginx/snippets
owner: root
group: root
mode: 0755
- name: Install Nginx snippet
ansible.builtin.template:
src: nginx-snippet.conf
dest: /etc/nginx/snippets/acme.conf
owner: root
group: root
mode: 0644
- name: Register account
ansible.builtin.command:
cmd: dehydrated --register --accept-terms
args:
creates: /var/lib/dehydrated/accounts
- tags: [ acme, acme_certs ]
block:
- name: Configure certificates
ansible.builtin.template:
src: domains.txt
dest: /etc/dehydrated/domains.txt
owner: root
group: root
mode: 0644
notify: query_certificates
- name: Symlink SAN domains
ansible.builtin.include_tasks:
file: san_domains_loop.yaml
loop: "{{ acme_san_domains|default([]) }}"
loop_control:
loop_var: domains
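Review bot: `Symlink SAN domains` is an `ansible.builtin.include_tasks` inside a tagged block, and tags on a dynamic include only govern the include task itself, not the tasks inside `san_domains_loop.yaml`; a run limited with `--tags acme` or `--tags acme_certs` would perform the include and then skip every untagged task it pulled in. Add `apply:` with `tags: [ acme, acme_certs ]` under the include's arguments, or switch to `ansible.builtin.import_tasks`, which inherits the block's tags statically. Separately, the `mode: 0755` and `mode: 0644` values throughout this block are unquoted octal literals; a YAML 1.1 parser turns them into integers, Ansible's own guidance is to quote file modes, and yamllint's `octal-values` rule will flag them, so `mode: "0755"` is the safer spelling and matches how the removed side wrote them.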


@ -1,4 +1,9 @@
---
- name: Remove certbot from apt
ansible.builtin.apt:
name: [ letsencrypt, certbot ]
state: absent
autoremove: yes
- name: Remove variable directories
ansible.builtin.file:


@ -1,5 +1,4 @@
---
- ansible.builtin.stat:
path: "/var/lib/dehydrated/certs/{{ domains[0] }}"
register: cert_stat


@ -1,5 +1,5 @@
#!/bin/bash
# {{ ansible_managed }}
# Managed by Ansible
CONTACT_EMAIL={{ notify_email }}


@ -1,4 +1,4 @@
# {{ ansible_managed }}
# Managed by Ansible
SHELL=/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin


@ -1,5 +1,5 @@
#!/bin/bash
# {{ ansible_managed }}
# Managed by Ansible
systemctl reload nginx.service


@ -1,4 +1,4 @@
# {{ ansible_managed }}
# Managed by Ansible
{% for domain in acme_domains|default([]) %}
{{ domain }}


@ -1,4 +1,4 @@
# {{ ansible_managed }}
# Managed by Ansible
location /.well-known/acme-challenge {
allow all;


@ -1,3 +1,3 @@
bank_user: bank
bank_revbank_git: https://git.bitlair.nl/bitlair/revbank.git
bank_revbank_git: https://github.com/revspace/revbank.git
bank_local_tty: no


@ -0,0 +1,12 @@
---
- name: Install dependencies
ansible.builtin.apt:
name: [ links, python3-pyquery ]
state: present
- name: Clone revbank-inflatinator source
ansible.builtin.git:
repo: https://github.com/bitlair/revbank-inflatinator.git
version: main
dest: /opt/revbank-inflatinator
accept_hostkey: yes
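Review bot: `Clone revbank-inflatinator source` tracks `version: main`, so every run of the bank role pulls whatever currently sits on that branch into `/opt/revbank-inflatinator` and executes it on the payment host; pin `version:` to a release tag or a full commit hash (e.g. `version: "<pinned-commit-sha>"`, placeholder) and bump it deliberately, the way `runner_version` is pinned elsewhere in this compare. `accept_hostkey: yes` has no effect on an https clone and can be dropped; if it stays, write it as `true`. The task carries no `notify`, so an updated checkout is not reinstalled or restarted by anything visible in this hunk — confirm that is intended.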


@ -11,7 +11,6 @@
ansible.builtin.blockinfile:
path: /etc/ssh/sshd_config
insertafter: EOF
validate: "/usr/sbin/sshd -t -f %s"
block: |-
Match User bank
PasswordAuthentication yes
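Review bot: The `ansible.builtin.blockinfile` edit of `/etc/ssh/sshd_config` has no `validate:` on the new side — the `validate: "/usr/sbin/sshd -t -f %s"` line appears only as removed — so a malformed block is written straight into the live config and the following sshd reload can lock every admin out of the host. Keep `validate: "/usr/sbin/sshd -t -f %s"` on this task; the same applies to the `lineinfile` loop over `sshd_config` in the common role's main task file in this compare, where the validate line is dropped in the same way. The enclosing task starts before this hunk.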


@ -6,3 +6,7 @@
- tags: [ bank, bank_revbank ]
ansible.builtin.import_tasks:
file: revbank.yaml
- tags: [ bank, bank_inflatinator ]
ansible.builtin.import_tasks:
file: inflatinator.yaml


@ -1,4 +1,4 @@
SHELL=/bin/bash
#m h dom mon dow user command
0 * * * * {{ bank_user }} (cd /home/{{ bank_user }}/data.git && git pull -r && git push && git gc --auto)
0 * * * * {{ bank_user }} (cd /home/{{ bank_user }}/data.git && git push --mirror && git gc --auto)


@ -17,5 +17,3 @@ node_exporter: true
debian_packages_unwanted:
- netcat-traditional
- letsencrypt
- certbot


@ -1,29 +1,31 @@
---
- name: Update grub
- name: update grub
ansible.builtin.command:
cmd: update-grub
- name: Apt update
- name: reboot
ansible.builtin.reboot:
- name: apt update
ansible.builtin.apt:
update_cache: true
- name: Daemon reload
- name: daemon reload
ansible.builtin.systemd:
daemon_reload: true
- name: Reload sshd
- name: reload sshd
ansible.builtin.systemd:
name: ssh
state: reloaded
- name: Reload nginx
- name: reload nginx
ansible.builtin.systemd:
name: nginx
state: reloaded
- name: Persist iptables
- name: persist iptables
ansible.builtin.shell: "{{ item.c }}-save > /etc/iptables/rules.{{ item.ip }}"
with_items:
- { c: iptables, ip: v4 }
- { c: ip6tables, ip: v6 }
when: not nft | bool
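Review bot: `persist iptables` is gated on `when: not nft | bool`, but the group_vars entries that set `nft: false` (git-ci, music, services) appear only on the removed side of this compare and the `nft` role is no longer listed in the playbooks, so unless a role default still defines `nft` the handler aborts with an undefined-variable error on the first host that notifies it. Use `when: not (nft | default(false) | bool)`, or drop the condition now that this handler is the only persistence path visible here. Note also that `iptables-save > /etc/iptables/rules.v4` snapshots the live ruleset at play end, so rules added by hand on the host become persistent too; a comment such as `# Snapshots the live ruleset, including any rules added manually on the host` above the task would make that explicit.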


@ -21,6 +21,9 @@
ansible.builtin.apt:
upgrade: full
- name: Reboot
ansible.builtin.reboot:
- name: autoremove
ansible.builtin.apt:
autoremove: yes


@ -15,12 +15,9 @@
group: "{{ item.group | default('root') }}"
with_items:
- { src: "apt.conf.j2", dest: "/etc/apt/apt.conf" }
- { src: "apt-defaultrelease.j2", dest: "/etc/apt/apt.conf.d/09defaultrelease" }
- { src: "apt-preferences-stable.j2", dest: "/etc/apt/preferences.d/stableonly" }
- { src: "sources.list.j2", dest: "/etc/apt/sources.list" }
- { src: "apt-auto-upgrades.j2", dest: "/etc/apt/apt.conf.d/20auto-upgrades" }
- { src: "apt-unattended-upgrades.j2", dest: "/etc/apt/apt.conf.d/50unattended-upgrades" }
register: aptconfig
when:
- ansible_os_family == "Debian"
tags:
@ -59,8 +56,6 @@
- name: Install standard packages
ansible.builtin.apt:
cache_valid_time: 3600
update_cache: "{{ aptconfig.changed | bool | default(false) }}"
pkg:
- curl
- fzf
@ -68,6 +63,8 @@
- etckeeper
- git
- htop
- iptables
- iptables-persistent
- jq
- net-tools
- netcat-openbsd
@ -78,7 +75,6 @@
- vim
- unattended-upgrades
- apt-listchanges
- sudo-ldap
- name: Configure FZF for Bash
ansible.builtin.lineinfile:
@ -99,7 +95,7 @@
path: /etc/default/grub
regexp: '^GRUB_TIMEOUT='
line: "GRUB_TIMEOUT=1 # Managed by Ansible"
notify: Update grub
notify: update grub
- name: Configure cron email
ansible.builtin.lineinfile:
@ -112,7 +108,6 @@
path: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
validate: "/usr/sbin/sshd -t -f %s"
with_items:
- regexp: '^#?Port'
line: 'Port {{ ssh_port }}'
@ -120,6 +115,58 @@
line: 'PasswordAuthentication no'
- regexp: '^#?DebianBanner'
line: 'DebianBanner no'
when: manage_sshd_config | default(true)
notify: Reload sshd
notify: reload sshd
- name: Allow SSH
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ ssh_port }}"
ctstate: NEW
jump: ACCEPT
ip_version: "{{ item }}"
with_items:
- ipv4
- ipv6
notify: persist iptables
- name: Allow ICMP
ansible.builtin.iptables:
chain: INPUT
protocol: "{{ item.proto }}"
jump: ACCEPT
ip_version: "{{ item.ip }}"
with_items:
- { ip: ipv4, proto: icmp }
- { ip: ipv6, proto: ipv6-icmp }
notify: persist iptables
- name: Allow related and established connections
ansible.builtin.iptables:
chain: INPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
ip_version: "{{ item }}"
with_items:
- ipv4
- ipv6
notify: persist iptables
- name: Allow local connections
ansible.builtin.iptables:
chain: INPUT
source: "{{ item.cidr }}"
jump: ACCEPT
ip_version: "{{ item.v }}"
with_items: "{{ trusted_ranges }}"
notify: persist iptables
- name: Deny inbound connections
ansible.builtin.iptables:
chain: INPUT
policy: DROP
ip_version: "{{ item }}"
with_items:
- ipv4
- ipv6
notify: persist iptables
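Review bot: `Install standard packages` no longer refreshes the apt index after `sources.list` and the apt.conf files have just been templated: the `register: aptconfig`, `cache_valid_time: 3600` and `update_cache:` lines exist only on the removed side, so on a host whose sources changed during the same run the install works from a stale or empty index and can fail or resolve against the previous release. Add `update_cache: true` and `cache_valid_time: 3600` back to that `ansible.builtin.apt` task, unless an `apt update` handler is flushed between the two tasks somewhere outside this hunk. On the firewall tasks at the end, `Deny inbound connections` sets the INPUT policy to DROP from the common role, which runs first on every host, so each service role must add its own ACCEPT rules (etherpad and git-server do in this compare, the other service roles are not visible); a comment above that task, e.g. `# Default-deny inbound; each service role must add its own ACCEPT rules`, would spare the next maintainer a lockout.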


@ -13,6 +13,7 @@
with_items:
- { k: net.ipv4.ip_forward, v: "1" }
- { k: net.ipv6.conf.all.forwarding, v: "1" }
notify: reboot
when: network_br
- name: Make network interfaces really predictable
@ -21,7 +22,8 @@
regexp: ^GRUB_CMDLINE_LINUX
line: 'GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0" # Managed by Ansible'
notify:
- Update grub
- update grub
- reboot
when: network_br or network_dhcp or network_static
- name: Configure network interfaces
@ -31,6 +33,7 @@
owner: root
group: root
mode: 0644
notify: reboot
when: network_br or network_dhcp or network_static
- ansible.builtin.meta: flush_handlers


@ -10,8 +10,9 @@
ansible.builtin.lineinfile:
path: /etc/default/grub
regexp: ^GRUB_CMDLINE_LINUX_DEFAULT
line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet net.ifnames=0 console=ttyS0,115200n1 console=tty0"'
line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet console=ttyS0,115200n1 console=tty0"'
notify:
- Update grub
- update grub
- reboot
tags:
- questagent


@ -1 +0,0 @@
APT::Default-Release "{{ ansible_distribution_release }}";


@ -1,19 +0,0 @@
# Prefer packages from our release
# Prevent auto-installation from testing/unstable/sid/whatever
Package: *
Pin: release n={{ ansible_distribution_release }}
Pin-Priority: 900
Package: *
Pin: release n=sid
Pin-Priority: -10
Package: *
Pin: release n=testing
Pin-Priority: -10
Package: *
Pin: release n=unstable
Pin-Priority: -10


@ -2,5 +2,5 @@
{% for name in root_access %}
# {{ name }}
{{ lookup('file', 'authorized_keys/' + name + '.keys') }}
{{ lookup('file', 'authorized_keys/'+name+'.keys') }}
{% endfor %}


@ -1,9 +1,9 @@
# {{ ansible_managed }}
{% if debian_source_repos | default(false) %}
{% set SRC = "" %}
{% if debian_source_repos|default(false) %}
{% set SRC = "" %}
{% else %}
{% set SRC = "# " %}
{% set SRC = "# " %}
{% endif %}
{% set components = "main contrib non-free-firmware" %}
@ -20,8 +20,5 @@ deb {{ debian_repourl }} {{ ansible_distribution_release }}-backports {{ compone
#
# Security patches
deb {{ debian_securityurl }} {{ ansible_distribution_release }}-security {{ components }}
{{ SRC }}deb-src {{ debian_securityurl }} {{ ansible_distribution_release }}-security {{ components }}
{{ SRC }}deb-src {{ debian_securityurl }} {{ ansible_distribution_release }}-security main contrib non- free
# Testing/Unstable repos
deb {{ debian_repourl }} testing {{ components }}
deb {{ debian_repourl }} sid {{ components }}
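Review bot: The `deb-src` line for the security suite that ends in `main contrib non- free` is broken — the space inside `non- free` splits it into the components `non-` and `free`, neither of which exists, so as soon as `debian_source_repos` is true and `SRC` expands to the empty string, `apt update` fails on this source. It should read `{{ SRC }}deb-src {{ debian_securityurl }} {{ ansible_distribution_release }}-security {{ components }}`, mirroring the `deb` line above it, which also keeps the `non-free-firmware` component from the `components` variable in sync. Which of the two `deb-src` lines is the new one cannot be read off this rendering with certainty; the point applies to whichever survives.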


@ -2,7 +2,7 @@
- ansible.builtin.import_tasks:
file: ../../common/handlers/main.yaml
- name: Restart etherpad
- name: restart etherpad
ansible.builtin.systemd:
name: etherpad
state: restarted


@ -1,126 +1,140 @@
---
- tags: etherpad
block:
- ansible.builtin.import_tasks:
file: ../../../snippets/common-nginx.yaml
- name: Install dependencies
ansible.builtin.apt:
state: present
pkg:
- gpg
- postgresql
- python3-psycopg2
- apt-transport-https
- name: Install dependencies
ansible.builtin.apt:
name: [ gpg, postgresql, python3-psycopg2, apt-transport-https ]
- name: Import nodesource signing key
ansible.builtin.shell:
cmd: curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor
-o /usr/share/keyrings/nodesource.gpg
args:
creates: /usr/share/keyrings/nodesource.gpg
notify: Apt update
- name: Import nodesource signing key
ansible.builtin.shell:
cmd: curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor
-o /usr/share/keyrings/nodesource.gpg
args:
creates: /usr/share/keyrings/nodesource.gpg
notify: apt update
- name: Install nodesource source list
ansible.builtin.template:
src: nodesource.list
dest: /etc/apt/sources.list.d/nodesource.list
owner: root
group: root
mode: 0644
notify: Apt update
- name: Install nodesource source list
ansible.builtin.template:
src: nodesource.list
dest: /etc/apt/sources.list.d/nodesource.list
owner: root
group: root
mode: 0644
notify: apt update
- name: Install nodejs apt preference
ansible.builtin.template:
src: nodejs-apt-pref
dest: /etc/apt/preferences.d/nodejs
owner: root
group: root
mode: 0644
notify: Apt update
- name: Install nodejs apt preference
ansible.builtin.template:
src: nodejs-apt-pref
dest: /etc/apt/preferences.d/nodejs
owner: root
group: root
mode: 0644
notify: apt update
- ansible.builtin.meta: flush_handlers
- ansible.builtin.meta: flush_handlers
- name: Install nodejs
ansible.builtin.apt:
name: nodejs
- name: Install nodejs
ansible.builtin.apt:
name: nodejs
- name: Add database user
become: true
become_method: su
become_user: postgres
no_log: yes
community.postgresql.postgresql_user:
name: etherpad
password: "{{ etherpad_db_password }}"
- name: Add database user
become: true
become_method: su
become_user: postgres
no_log: yes
community.postgresql.postgresql_user:
name: etherpad
password: "{{ etherpad_db_password }}"
- name: Add database
become: true
become_method: su
become_user: postgres
community.postgresql.postgresql_db:
name: "{{ etherpad_db_name }}"
owner: "{{ etherpad_db_user }}"
- name: Add database
become: true
become_method: su
become_user: postgres
community.postgresql.postgresql_db:
name: "{{ etherpad_db_name }}"
owner: "{{ etherpad_db_user }}"
- name: Add etherpad user
ansible.builtin.user:
name: etherpad
home: /var/lib/etherpad
- name: Add etherpad user
ansible.builtin.user:
name: etherpad
home: /var/lib/etherpad
- name: Create log file
ansible.builtin.file:
path: /var/log/etherpad.log
state: touch
owner: etherpad
group: etherpad
mode: 0644
- name: Create log file
ansible.builtin.file:
path: /var/log/etherpad.log
state: touch
owner: etherpad
group: etherpad
mode: 0644
- name: Create source directory
ansible.builtin.file:
path: /opt/etherpad
state: directory
owner: etherpad
group: etherpad
mode: 0755
- name: Create source directory
ansible.builtin.file:
path: /opt/etherpad
state: directory
owner: etherpad
group: etherpad
mode: 0755
- name: Clone etherpad source
become: yes
become_method: su
become_user: etherpad
ansible.builtin.git:
repo: https://github.com/ether/etherpad-lite.git
version: master
dest: /opt/etherpad
accept_hostkey: yes
notify: Restart etherpad
- name: Clone etherpad source
become: yes
become_method: su
become_user: etherpad
ansible.builtin.git:
repo: https://github.com/ether/etherpad-lite.git
version: master
dest: /opt/etherpad
accept_hostkey: yes
notify: restart etherpad
- name: Install etherpad config
ansible.builtin.template:
src: settings.json
dest: /opt/etherpad/settings.json
owner: root
group: root
mode: 0644
notify: Restart etherpad
- name: Install etherpad config
ansible.builtin.template:
src: settings.json
dest: /opt/etherpad/settings.json
owner: root
group: root
mode: 0644
notify: restart etherpad
- name: Install etherpad service
ansible.builtin.template:
src: etherpad.service
dest: /etc/systemd/system/etherpad.service
owner: root
group: root
mode: 0644
notify: Restart etherpad
- name: Install etherpad service
ansible.builtin.template:
src: etherpad.service
dest: /etc/systemd/system/etherpad.service
owner: root
group: root
mode: 0644
notify: restart etherpad
- name: Start etherpad
ansible.builtin.systemd:
daemon_reload: true
name: etherpad
state: started
enabled: true
- name: Start etherpad
ansible.builtin.systemd:
daemon_reload: true
name: etherpad
state: started
enabled: yes
- name: Install nginx config
ansible.builtin.template:
src: nginx-site.conf
dest: /etc/nginx/sites-enabled/etherpad
owner: root
group: root
mode: 0644
notify: Reload nginx
- name: Install nginx config
ansible.builtin.template:
src: nginx-site.conf
dest: /etc/nginx/sites-enabled/etherpad
owner: root
group: root
mode: 0644
notify: reload nginx
- name: Allow HTTP and HTTPS
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ item.port }}"
ctstate: NEW
jump: ACCEPT
ip_version: "{{ item.ip }}"
action: insert
with_items:
- { ip: ipv4, port: 80 }
- { ip: ipv4, port: 443 }
- { ip: ipv6, port: 80 }
- { ip: ipv6, port: 443 }
notify: persist iptables
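Review bot: `Install etherpad config` writes `/opt/etherpad/settings.json` as root with `mode: 0644`; if that template carries `etherpad_db_password` — the same value `Add database user` hides with `no_log` — it is readable by every local account on the host, so use `group: etherpad` and `mode: "0640"` there. `Add database user` creates the PostgreSQL role by the literal name `etherpad` while `Add database` sets `owner: "{{ etherpad_db_user }}"`; if that variable is ever set to anything else the database owner does not exist, so use `name: "{{ etherpad_db_user }}"` in both tasks. `Import nodesource signing key` pipes a downloaded key straight into the keyring with no fingerprint comparison, and `Clone etherpad source` tracks `master` and restarts the service on every upstream change; pin `version:` to a tag or commit and record the expected key fingerprint so the import can be checked against it.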


@ -1,5 +1,3 @@
---
collections:
- name: community.postgresql
version: 2.3.2


@ -1,2 +1,2 @@
runner_wd: /var/lib/forgejo-runner
runner_version: 6.3.0
runner_version: 3.4.1


@ -1,50 +1,50 @@
---
- tags: forgejo_runner
block:
- name: Install dependencies
ansible.builtin.apt:
name: docker.io
- name: Install dependencies
ansible.builtin.apt:
name: docker.io
- name: Download forgejo-runner
ansible.builtin.get_url:
url: "https://code.forgejo.org/forgejo/runner/releases/download/v{{ runner_version }}/forgejo-runner-{{ runner_version }}-linux-amd64"
dest: /usr/local/bin/forgejo-runner
mode: 0755
notify: restart forgejo-runner
- name: Download forgejo-runner
ansible.builtin.get_url:
url: "https://code.forgejo.org/forgejo/runner/releases/download/v{{ runner_version }}/forgejo-runner-{{ runner_version }}-linux-amd64"
dest: /usr/local/bin/forgejo-runner
mode: 0755
notify: restart forgejo-runner
- name: Create runner dir
ansible.builtin.file:
state: directory
path: "{{ runner_wd }}"
owner: root
group: root
mode: 0755
- name: Create runner dir
ansible.builtin.file:
state: directory
path: "{{ runner_wd }}"
owner: root
group: root
mode: 0755
- name: Register runner
ansible.builtin.command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ lookup('passwordstore', 'git/ci subkey=runner_token') }}"
args:
chdir: "{{ runner_wd }}"
creates: "{{ runner_wd }}/.runner"
- name: Register runner
ansible.builtin.command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ lookup('passwordstore', 'git/ci subkey=runner_token') }}"
args:
chdir: "{{ runner_wd }}"
creates: "{{ runner_wd }}/.runner"
- name: Install service file
ansible.builtin.template:
src: forgejo-runner.service
dest: /etc/systemd/system/forgejo-runner.service
owner: root
group: root
mode: 0644
notify: restart forgejo-runner
- name: Install service file
ansible.builtin.template:
src: forgejo-runner.service
dest: /etc/systemd/system/forgejo-runner.service
owner: root
group: root
mode: 0644
notify: restart forgejo-runner
- name: Enable service
ansible.builtin.systemd:
name: forgejo-runner
enabled: yes
daemon_reload: true
- name: Enable service
ansible.builtin.systemd:
name: forgejo-runner
enabled: true
daemon_reload: true
- name: Start service
ansible.builtin.systemd:
name: forgejo-runner
state: started
daemon_reload: true
- name: Start service
ansible.builtin.systemd:
name: forgejo-runner
state: started
daemon_reload: true
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- ansible.builtin.meta: flush_handlers
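Review bot: `Register runner` interpolates the runner token from the password store into the command line, so it appears in the task result, in verbose logs and briefly in the process list of the host; add `no_log: true` to that task at minimum. `Download forgejo-runner` installs a binary into `/usr/local/bin` that is then started as a root service with no `checksum:`, so a truncated or tampered download is executed; add `checksum: "sha256:<expected-digest-for-runner_version>"` (placeholder) next to the pinned version and update both together. `enabled: yes` in `Enable service` should be `true`, matching `daemon_reload: true` on the next line.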


@ -1,4 +1,6 @@
---
- ansible.builtin.import_tasks:
file: ../../../snippets/common-nginx.yaml
- name: Install dependencies
ansible.builtin.apt:
@ -14,14 +16,14 @@
owner: root
group: root
mode: 0644
notify: Reload nginx
notify: reload nginx
- name: Enable nginx site
ansible.builtin.file:
src: /etc/nginx/sites-available/forgejo
dest: /etc/nginx/sites-enabled/forgejo
state: link
notify: Reload nginx
notify: reload nginx
- name: Create user
ansible.builtin.user:
@ -38,6 +40,7 @@
group: "{{ git_server_user }}"
mode: 0755
# TODO: Install initial config
- name: Install service file
@ -47,7 +50,7 @@
owner: root
group: root
mode: 0644
notify: Reload forgejo
notify: reload forgejo
- name: Install update script
ansible.builtin.template:
@ -61,12 +64,12 @@
ansible.builtin.command: "{{ git_server_working_dir }}/update.sh"
args:
creates: "{{ git_server_working_dir }}/forgejo"
notify: Reload forgejo
notify: reload forgejo
- name: Enable service
ansible.builtin.systemd:
name: forgejo
enabled: true
enabled: yes
daemon_reload: true
- name: Start service
@ -80,6 +83,23 @@
src: cronjob
dest: /etc/cron.d/forgejo
- name: Debug
ansible.builtin.debug:
msg: "If Forgejo has not been setup yet, please do so manually."
- name: Allow Git SSH, HTTP and HTTPS
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ item.port }}"
ctstate: NEW
jump: ACCEPT
ip_version: "{{ item.ip }}"
action: insert
with_items:
- { ip: ipv4, port: 80 }
- { ip: ipv4, port: 22 }
- { ip: ipv4, port: 443 }
- { ip: ipv6, port: 80 }
- { ip: ipv6, port: 22 }
- { ip: ipv6, port: 443 }
notify: persist iptables
- ansible.builtin.debug:
msg: If Forgejo has not been setup yet, please do so manually.
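Review bot: The new `Allow Git SSH, HTTP and HTTPS` iptables task accepts TCP 22 from any source on both address families (`- { ip: ipv4, port: 22 }` / `- { ip: ipv6, port: 22 }`), and with `action: insert` and no `rule_num` each rule lands at the top of INPUT, ahead of anything already there. If Git SSH is served by the host's administrative sshd rather than a dedicated port or service, this exposes admin SSH as well; if that is intended, a comment on the task saying so would spare the next reader the check. The `Enable service` hunk also switches the forgejo unit to `enabled: yes` while `daemon_reload: true` sits right next to it; `true` keeps the file self-consistent and avoids the YAML 1.1 truthy ambiguity (the same `yes` appears in the monitoring, mosquitto, bambulab-fetch, photo-gallery, photos2mqtt and sshd hunks). The trailing `- ansible.builtin.debug:` task is now unnamed, which ansible-lint flags and which makes play output harder to follow.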


@ -19,11 +19,11 @@
register: go_latest_version_shell
- name: Format Go latest version variable
ansible.builtin.set_fact:
set_fact:
go_latest_version: "{{ go_latest_version_shell.stdout }}"
- name: Detect installed Go version
ansible.builtin.shell: "go version | grep --color=never -Po '\\d\\.\\d+(\\.\\d+)?' || echo none"
shell: "go version | grep --color=never -Po '\\d\\.\\d+(\\.\\d+)?' || echo none"
register: go_installed_version_shell
changed_when: false
@ -31,20 +31,19 @@
set_fact:
go_installed_version: "{{ go_installed_version_shell.stdout }}"
- name: Debug
ansible.builtin.debug:
- debug:
msg:
- "Latest Go version: {{ go_latest_version}}"
- "Installed Go version: {{ go_installed_version }}"
- name: Remove installed go
ansible.builtin.file:
file:
state: absent
path: /usr/local/go
when: go_installed_version != go_latest_version
- name: Install Go
ansible.builtin.unarchive:
unarchive:
src: https://go.dev/dl/go{{ go_latest_version }}.linux-{{ go_arch }}.tar.gz
dest: /usr/local
remote_src: yes
@ -53,7 +52,7 @@
when: go_installed_version != go_latest_version
- name: Configure Go environment
ansible.builtin.template:
template:
src: go.profile
dest: /etc/profile.d/go.sh
owner: root
@ -61,7 +60,7 @@
mode: 0644
- name: Link go binary
ansible.builtin.file:
file:
state: link
src: /usr/local/go/bin/go
dest: /usr/local/bin/go
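Review bot: These hunks replace `ansible.builtin.set_fact`, `ansible.builtin.shell`, `ansible.builtin.debug`, `ansible.builtin.file`, `ansible.builtin.unarchive` and `ansible.builtin.template` with bare short names, which resolve through the collection search path instead of unambiguously; ansible-lint's fqcn rule flags this and every other task file in this compare keeps the `ansible.builtin.` prefix, so I would keep it here too. Separately, the `Install Go` task in the same hunk extracts `https://go.dev/dl/go{{ go_latest_version }}.linux-{{ go_arch }}.tar.gz` with `remote_src: yes` and no integrity check, and `go_latest_version` is itself the output of an earlier shell lookup; this is context rather than new in the change, but if verification is wanted the usual pattern is to fetch the tarball with `ansible.builtin.get_url` and its `checksum` parameter first and unarchive the local copy.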


@ -1,26 +1,45 @@
---
- name: monitoring
tags: monitoring
block:
- ansible.builtin.import_tasks:
file: ../../../snippets/common-nginx.yaml
- name: Install nginx site
ansible.builtin.template:
src: nginx-site.conf
dest: /etc/nginx/sites-available/monitoring
owner: root
group: root
mode: 0644
notify: Reload nginx
- name: Install nginx site
ansible.builtin.template:
src: nginx-site.conf
dest: /etc/nginx/sites-available/monitoring
owner: root
group: root
mode: 0644
notify: reload nginx
- name: Enable nginx site
ansible.builtin.file:
src: /etc/nginx/sites-available/monitoring
dest: /etc/nginx/sites-enabled/monitoring
state: link
notify: Reload nginx
- name: Enable nginx site
ansible.builtin.file:
src: /etc/nginx/sites-available/monitoring
dest: /etc/nginx/sites-enabled/monitoring
state: link
notify: reload nginx
- name: Start nginx
ansible.builtin.systemd:
name: nginx
state: started
enabled: true
- name: Start nginx
ansible.builtin.systemd:
name: nginx
state: started
enabled: yes
- name: Allow HTTP/HTTPS
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ item.port }}"
ctstate: NEW
jump: ACCEPT
ip_version: "{{ item.ip }}"
action: insert
with_items:
- { ip: ipv6, port: 80 }
- { ip: ipv6, port: 443 }
notify: persist iptables
- name: mqtt_exporter
tags: mqtt_exporter
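Review bot: The new `Allow HTTP/HTTPS` iptables task lists only `ipv6` items (`- { ip: ipv6, port: 80 }`, `- { ip: ipv6, port: 443 }`), while the equivalent task in the forgejo hunk opens both families; if the monitoring host also answers on IPv4 this leaves 80/443 closed there, and if IPv6-only is deliberate a one-line comment on the task would save the next reader the comparison. As in the forgejo hunk, `action: insert` without `rule_num` places each rule at the top of INPUT, ahead of any existing drop or rate-limit rules, which is worth stating in the task name or a comment. The `Start nginx` task in the same block also moves to `enabled: yes`; `true` is the canonical form and matches `state: started` beside it.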


@ -10,7 +10,6 @@
- name: Install apt dependencies
ansible.builtin.apt:
name:
- jq
- python3-paho-mqtt
- python3-prometheus-client
- python3-yaml
@ -24,7 +23,7 @@
group: root
mode: 0644
notify:
- Daemon reload
- daemon reload
- restart mqtt_exporter
- name: Install config file
@ -35,7 +34,7 @@
group: root
mode: 0644
notify:
- Daemon reload
- daemon reload
- restart mqtt_exporter
- ansible.builtin.meta: flush_handlers
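Review bot: The first hunk drops `jq` from the exporter's apt dependencies; the exporter config elsewhere in this compare uses `value_json: .apower`-style filters that look like jq expressions, so confirm the exporter evaluates them in-process rather than shelling out to `jq` before removing the package. The other two hunks rename the notified handler from `Daemon reload` to `daemon reload`; handler names must match exactly across every task file, and any file not in this compare that still notifies `Daemon reload` will fail at run time with an unknown-handler error, so a grep for the old name before merging is cheap insurance.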


@ -69,9 +69,6 @@ level = info
[grafana_com]
url = https://grafana.com
[auth]
oauth_allow_insecure_email_lookup=true
[auth.anonymous]
enabled = true
org_name = Bitlair


@ -15,8 +15,7 @@ export:
- subscribe: bitlair/#
- subscribe: bitlair/climate/+location/#
- subscribe: bitlair/climate/+location/dust_mass/+size
- subscribe: bitlair/power/+net/+group/now_w
- subscribe: bitlair/power/+net/total_kwh
- subscribe: bitlair/power/+net/+group/#
- subscribe: bitlair/wifi/+ssid/#
- subscribe: bitlair/state
@ -36,10 +35,10 @@ export:
labels:
product: payload
- subscribe: bitlair/collectd/bitlair4-sw-24p/snmp/if_octets-traffic.24
- subscribe: bitlair/collectd/bitlair-5406/snmp/if_octets-traffic.D15
metric_name: bitlair_internet_rx
value_regex: "^.+:(.+):"
- subscribe: bitlair/collectd/bitlair4-sw-24p/snmp/if_octets-traffic.24
- subscribe: bitlair/collectd/bitlair-5406/snmp/if_octets-traffic.D15
metric_name: bitlair_internet_tx
value_regex: "^.+:.+:([\\d\\.]+)"
@ -57,29 +56,3 @@ export:
- subscribe: bitlair/power/shelly/+num/status/switch:0
metric_name: bitlair_power_shelly
value_json: .apower
- subscribe: bambulab/device/+serial/report
metric_name: bambulab_nozzle_temperature
value_json: .print.nozzle_temper
- subscribe: bambulab/device/+serial/report
metric_name: bambulab_nozzle_target_temperature
value_json: .print.nozzle_target_temper
- subscribe: bambulab/device/+serial/report
metric_name: bambulab_bed_temperature
value_json: .print.bed_temper
- subscribe: bambulab/device/+serial/report
metric_name: bambulab_bed_target_temperature
value_json: .print.bed_target_temper
- subscribe: bambulab/device/+serial/report
metric_name: bambulab_chamber_temperature
value_json: .print.chamber_temper
- subscribe: bambulab/device/+serial/report
metric_name: bambulab_ams_humidity
value_json: .print.ams.ams[0].humidity
- subscribe: bambulab/device/+serial/report
metric_name: bambulab_print_progress
value_json: .print.mc_percent
- subscribe: bambulab/device/+serial/report
metric_name: bambulab_print_status
metric_type: info
value_json: .print.gcode_state
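Review bot: The first hunk replaces the two explicit power topics with `- subscribe: bitlair/power/+net/+group/#`, which also matches every deeper sub-topic under each group; any non-numeric payloads published there will now reach the same metric, so confirm that matches what the exporter expects (the metric definition that follows this subscribe line is outside the hunk). The second hunk points both `bitlair_internet_rx` and `bitlair_internet_tx` at `bitlair/collectd/bitlair-5406/snmp/if_octets-traffic.D15`, which ties the internet-traffic metrics to one switch port; a comment naming that port's role would help whoever next re-cables it.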


@ -0,0 +1,27 @@
---
- name: mqtt-internal
tags: mqtt_internal
block:
- name: Install dependencies
ansible.builtin.apt:
name:
- mosquitto
- avahi-daemon
- name: Configure Mosquitto
ansible.builtin.template:
src: "{{ item }}"
dest: "/etc/mosquitto/conf.d/{{ item }}"
owner: root
group: root
mode: 0644
notify: restart mosquitto
with_items:
- internal.conf
- public-bridge.conf
- name: Start mosquitto
ansible.builtin.systemd:
name: mosquitto
state: started
enabled: yes


@ -1,4 +1,4 @@
# {{ ansible_managed }}
# Managed by Ansible
listener 1883 ::
listener 1883 0.0.0.0
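Review bot: The listener moves from `listener 1883 ::` to `listener 1883 0.0.0.0`, which on Linux drops IPv6 clients (binding `::` normally serves both families), so this is a reachability regression unless IPv4-only is intended; a comment such as `# IPv4 only on purpose` would document the choice. Authentication for this listener (`allow_anonymous`, `password_file`) is not in this hunk, and since the socket now faces every IPv4 interface it is worth confirming it is set in another conf.d fragment. Replacing `# {{ ansible_managed }}` with the literal `# Managed by Ansible` also loses the provenance string the variable expands to; the template convention elsewhere in this compare keeps `{{ ansible_managed }}`.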


@ -1,9 +1,8 @@
# {{ ansible_managed }}
# Managed by Ansible
connection public-bridge
address {{ mqtt_public_host }}
topic bambulab/# out
topic bitlair/alarm out
topic bitlair/climate/# out
topic bitlair/collectd/bitlair-5406/snmp/# out
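Review bot: The bridge to `address {{ mqtt_public_host }}` in this hunk carries no `bridge_cafile` or TLS port, so if the public broker is reached across the internet the bridged `bitlair/alarm` and `bitlair/climate/#` traffic leaves in cleartext; this is context rather than new in the change, but with the bambulab bridge (which did set `bridge_cafile`) being removed it is the only bridge left and deserves a look. As in internal.conf, `# {{ ansible_managed }}` becoming the literal `# Managed by Ansible` drops the provenance the variable provides; keeping `{{ ansible_managed }}` is the convention in the other templates here.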


@ -1 +0,0 @@
mqtt_bambulab_cafile: /etc/mosquitto/ca_certificates/bambulab.pem


@ -1,32 +0,0 @@
---
- name: Install dependencies
ansible.builtin.apt:
name:
- mosquitto
- avahi-daemon
- name: Install bambulab cafile
# openssl s_client -showcerts -connect <ip>:8883 </dev/null | sed -n -e '/-.BEGIN/,/-.END/ p'
ansible.builtin.copy:
dest: "{{ mqtt_bambulab_cafile }}"
content: "{{ lookup('passwordstore', 'bambulab subkey=cafile') }}"
- name: Configure Mosquitto
ansible.builtin.template:
src: "{{ item }}"
dest: "/etc/mosquitto/conf.d/{{ item }}"
owner: root
group: root
mode: 0644
notify: restart mosquitto
with_items:
- bambulab.conf
- internal.conf
- public-bridge.conf
- name: Start mosquitto
ansible.builtin.systemd:
name: mosquitto
state: started
enabled: true


@ -1,10 +0,0 @@
# {{ ansible_managed }}
connection bambulab
address {{ lookup('passwordstore', 'bambulab subkey=host') }}:8883
bridge_cafile {{ mqtt_bambulab_cafile }}
bridge_insecure true
remote_username bblp
remote_password {{ lookup('passwordstore', 'bambulab subkey=key') }}
topic # in 2 bambulab/ ""


@ -2,37 +2,37 @@
- ansible.builtin.import_tasks:
file: ../../common/handlers/main.yaml
- name: Restart trollibox
- name: restart trollibox
ansible.builtin.systemd:
name: trollibox
state: restarted
daemon_reload: true
- name: Rebuild librespot
- name: rebuild librespot
ansible.builtin.command:
cmd: /root/.cargo/bin/cargo build --release --features jackaudio-backend
args:
chdir: /opt/librespot
- name: Restart librespot
- name: restart librespot
ansible.builtin.systemd:
name: librespot
state: restarted
daemon_reload: true
- name: Restart soundboard
- name: restart soundboard
ansible.builtin.systemd:
name: soundboard
state: restarted
daemon_reload: true
- name: Restart mpd-volume-to-mqtt
- name: restart mpd-volume-to-mqtt
ansible.builtin.systemd:
name: mpd-volume-to-mqtt
state: restarted
daemon_reload: true
- name: Restart skipbutton
- name: restart skipbutton
ansible.builtin.systemd:
name: skipbutton
state: restarted


@ -11,8 +11,8 @@
dest: /opt/librespot
accept_hostkey: yes
notify:
- Rebuild librespot
- Restart librespot
- rebuild librespot
- restart librespot
- name: Install service file
ansible.builtin.template:
@ -21,7 +21,7 @@
owner: root
group: root
mode: 0644
notify: Restart librespot
notify: restart librespot
- name: Enable Librespot
ansible.builtin.systemd:


@ -1,34 +1,30 @@
---
- name: Import mpd
- tags: music_mpd
ansible.builtin.import_tasks:
file: mpd.yaml
tags:
- music_mpd
- name: Import trollibox
- tags: music_trollibox
ansible.builtin.import_tasks:
file: trollibox.yaml
tags:
- music_trollibox
- name: Librespot
- tags: music_librespot
ansible.builtin.import_tasks:
file: librespot.yaml
tags:
- music_librespot
- name: Soundboard
- tags: music_soundboard
ansible.builtin.import_tasks:
file: soundboard.yaml
tags:
- music_soundboard
- name: Install nginx config
ansible.builtin.template:
src: nginx-site.conf
dest: /etc/nginx/sites-enabled/trollibox
owner: root
group: root
mode: 0644
notify: Reload nginx
- tags: music
block:
- ansible.builtin.import_tasks:
file: ../../../snippets/common-nginx.yaml
- name: Install nginx config
ansible.builtin.template:
src: nginx-site.conf
dest: /etc/nginx/sites-enabled/trollibox
owner: root
group: root
mode: 0644
notify: reload nginx
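Review bot: The new `Install nginx config` task templates straight into `dest: /etc/nginx/sites-enabled/trollibox`, whereas the forgejo and monitoring roles in this compare template into `sites-available` and symlink into `sites-enabled`; following the same pattern keeps site enable/disable manageable in one way across roles. The import tasks and the final block are now unnamed (`- tags: music_mpd`, `- tags: music` with no `name:`), which ansible-lint flags and which makes play output harder to read; a `name:` line on each costs little.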


@ -1,5 +1,4 @@
---
- name: Install MPD
ansible.builtin.apt:
name:
@ -16,7 +15,7 @@
owner: root
group: root
mode: 0644
notify: Restart mpd-volume-to-mqtt
notify: restart mpd-volume-to-mqtt
- name: Install mpd-volume-to-mqtt service
ansible.builtin.template:
@ -25,7 +24,7 @@
owner: root
group: root
mode: 0644
notify: Restart mpd-volume-to-mqtt
notify: restart mpd-volume-to-mqtt
- name: Enable mpd-volume-to-mqtt
ansible.builtin.systemd:
@ -40,7 +39,7 @@
version: master
dest: /opt/skipbutton
accept_hostkey: yes
notify: Restart skipbutton
notify: restart skipbutton
- name: Install skipbutton service
ansible.builtin.template:
@ -49,7 +48,7 @@
owner: root
group: root
mode: 0644
notify: Restart skipbutton
notify: restart skipbutton
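Review bot: The first hunk drops the `---` document-start marker from the top of the file while the other task files in this compare keep it; yamllint's document-start rule expects it and it makes the file unambiguous when concatenated, so I would keep `---` as the first line. The remaining hunks only lowercase the notified handler names.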
- name: Enable skipbutton
ansible.builtin.systemd:


@ -10,7 +10,7 @@
version: main
dest: /opt/soundboard
accept_hostkey: yes
notify: Restart soundboard
notify: restart soundboard
- name: Create virtualenv
ansible.builtin.command:
@ -31,7 +31,7 @@
owner: root
group: root
mode: 0644
notify: Restart soundboard
notify: restart soundboard
- name: Install soundboard service file
ansible.builtin.template:
@ -40,7 +40,7 @@
owner: root
group: root
mode: 0644
notify: Restart soundboard
notify: restart soundboard
- name: Enable soundboard
ansible.builtin.systemd:


@ -5,8 +5,8 @@
dest: /etc/trollibox.yaml
owner: root
group: root
mode: "0644"
notify: Restart trollibox
mode: 0644
notify: restart trollibox
- name: Get latest Trollibox version from Github API
ansible.builtin.get_url:
@ -25,8 +25,8 @@
remote_src: yes
dest: /usr/local/bin
include: [ trollibox ]
mode: "0755"
notify: Restart trollibox
mode: 0755
notify: restart trollibox
- name: Install service file
ansible.builtin.template:
@ -34,8 +34,8 @@
dest: /etc/systemd/system/trollibox.service
owner: root
group: root
mode: "0644"
notify: Restart trollibox
mode: 0644
notify: restart trollibox
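Review bot: The three hunks turn `mode: "0644"` / `mode: "0755"` into the unquoted `mode: 0644` / `mode: 0755`; a leading-zero literal is only an octal integer under YAML 1.1 rules and ansible-lint's risky-octal rule flags it, so the quoted form is the safer one and matches Ansible's own recommendation to quote file modes. The same unquoted modes appear in the forgejo-runner, forgejo, monitoring and mosquitto hunks of this compare, so the fix is best applied in one pass.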
- name: Enable Trollibox
ansible.builtin.systemd:


@ -1,33 +0,0 @@
---
nft: true # Overrule om geen nftables uit te rollen
nft_main_config: "/etc/nftables.conf"
# Default policies per chain ( drop / reject / accept )
nft_policy_input: "drop"
nft_policy_forward: "accept"
nft_policy_output: "accept"
# Same for nat traffic
nft_policy_prerouting: "accept"
nft_policy_postrouting: "accept"
# Host/Port allows
nft_group_rules: []
# And per host/group additions to rules:
group_nft_input: []
group_nft_forward: []
group_nft_output: []
host_nft_input: []
host_nft_forward: []
host_nft_output: []
group_nft_postrouting: []
host_nft_postrouting: []
group_nft_prerouting: []
host_nft_prerouting: []
nft_defines: []
nft_defines_group: []


@ -1,13 +0,0 @@
---
- name: Reload nftables
ansible.builtin.systemd:
name: "nftables"
state: reloaded
enabled: true
tags:
- nft
- nftservice
when:
- nft|bool


@ -1,47 +0,0 @@
---
- name: Install nftables related packages
ansible.builtin.apt:
state: present
pkg:
- nftables
- net-tools
- ipset
- name: Template nftables.conf
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "root"
group: "root"
mode: "0700"
validate: "{{ item.validate | default() }}"
with_items:
- { src: "nftables.conf.j2", dest: "{{ nft_main_config }}",
backup: "yes", validate: "/usr/sbin/nft -c -f %s" }
tags:
- nft
- nftconfig
when:
- nft | bool
notify:
- Reload nftables
- name: Cleanup netfilter packages
ansible.builtin.apt:
state: absent
pkg:
- netfilter-persistent
when:
- nft | bool
- name: Cleanup iptables stuff
ansible.builtin.file:
state: absent
path: "{{ item }}"
with_items:
- "/etc/iptables/rules/v4"
- "/etc/iptables/rules/v6"
- "/etc/iptables"
when:
- nft | bool


@ -1,182 +0,0 @@
#!/usr/sbin/nft -f
# {{ ansible_managed }}
flush ruleset
table inet filter {
# Named sets
set trusted4 {
type ipv4_addr
flags interval
elements = {
{% for ip in trusted_ranges %}
{% if ip.v == 'ipv4' %}
{{ ip.cidr }}, # {{ ip.comment | default('') }}
{% endif %}
{% endfor %}
}
}
set trusted6 {
type ipv6_addr
flags interval
elements = {
{% for ip in trusted_ranges %}
{% if ip.v == 'ipv6' %}
{{ ip.cidr }}, # {{ ip.comment | default('') }}
{% endif %}
{% endfor %}
}
}
# Firewall chains
chain input {
type filter hook input priority 0;
policy {{ nft_policy_input }};
# Established connections
ct state established,related accept
ct state invalid counter drop comment "drop invalid packets"
# Limit icmp echo/reply
ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets log prefix "high icmp-echo rate: " drop
# icmp6 from trusted ranges
ip6 nexthdr icmpv6 icmpv6 type echo-request accept
# icmpv6 from the rest of the world
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets log prefix "high icmp6-echo rate: " drop
# Loopback traffic
iifname lo accept
# icmp
ip protocol icmp icmp type {
destination-unreachable,
echo-reply,
echo-request,
source-quench,
time-exceeded
} accept
# icmp6
ip6 nexthdr icmpv6 icmpv6 type {
destination-unreachable,
echo-reply,
echo-request,
nd-neighbor-solicit,
nd-router-advert,
nd-neighbor-advert,
packet-too-big,
parameter-problem,
time-exceeded
} accept
# Open ssh only for trusted machines
ip saddr @trusted4 tcp dport { {{ trusted_ports | join(', ') }} } accept
ip6 saddr @trusted6 tcp dport { {{ trusted_ports | join(', ') }} } accept
# Rules based on group-vars
{% for custom in nft_group_rules %}
{% if custom.comment is defined %}
# {{ custom.comment | default('') }}
{% endif %}
{{ custom.version | default('ip') }} saddr { {{ custom.from | join(', ') }} } {{ custom.proto | default('tcp') }} dport { {{ custom.port }} } {{ custom.policy | default('accept') }}
{% endfor %}
{% for rule in group_nft_input %}
# Group input rules
{{ rule }}
{% endfor %}
{% for rule in host_nft_input %}
# Host input rules
{{ rule }}
{% endfor %}
}
chain forward {
type filter hook forward priority 0;
policy {{ nft_policy_forward }};
ct state established,related accept
{% for rule in group_nft_forward %}
# Group forward rules
{{ rule }}
{% endfor %}
{% for rule in host_nft_forward %}
# Host forward rules
{{ rule }}
{% endfor %}
counter comment "count dropped incoming packets"
}
chain output {
type filter hook output priority 0;
policy {{ nft_policy_output }};
# Established connections
ct state established,related accept
ct state invalid counter drop comment "drop invalid packets"
# icmp
ip protocol icmp icmp type {
destination-unreachable,
echo-reply,
echo-request,
source-quench,
time-exceeded
} accept
# icmp6
ip6 nexthdr icmpv6 icmpv6 type {
destination-unreachable,
echo-reply,
echo-request,
nd-neighbor-solicit,
nd-router-advert,
nd-neighbor-advert,
packet-too-big,
parameter-problem,
time-exceeded
} accept
{% for rule in group_nft_output %}
# Group output rules
{{ rule }}
{% endfor %}
{% for rule in host_nft_output %}
# Host output rules
{{ rule }}
{% endfor %}
counter comment "count dropped outgoing packets"
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority 100
policy {{ nft_policy_prerouting }};
{% for rule in group_nft_prerouting %}
# Group prerouting rules
{{ rule }}
{% endfor %}
{% for rule in host_nft_prerouting %}
# Host prerouting rules
{{ rule }}
{% endfor %}
}
chain postrouting {
type nat hook postrouting priority 100
policy {{ nft_policy_postrouting }};
{% for rule in group_nft_postrouting %}
# Group postrouting rules
{{ rule }}
{% endfor %}
{% for rule in host_nft_postrouting %}
# Host postrouting rules
{{ rule }}
{% endfor %}
}
}


@ -1,15 +0,0 @@
---
nginx_package: "nginx-light"
nginx_user: "www-data"
nginx_modules_dir: "/etc/nginx/modules-enabled"
nginx_tls_version: "TLSv1.2 TLSv1.3"
nginx_tls_cipherlist: "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:!SHA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
nginx_tls_curve: "prime256v1:secp384r1"
nginx_tls_cache_size: "10m"
nginx_tls_session_timeout: "1h"
nginx_ssl_stapling: "on"
nginx_ssl_stapling_verify: "on"
nginx_wk_acme: "/var/lib/dehydrated/acme-challenges"
nginx_client_max_body_size: "32m"


@ -1,11 +0,0 @@
---
- name: Reload nginx
ansible.builtin.systemd:
name: nginx
state: reloaded
enabled: true
listen: "Reload app-services"
when:
- nginx_sites is defined


@ -1,80 +0,0 @@
---
- name: Install nginx base package
ansible.builtin.apt:
name: "{{ nginx_package }}"
state: present
when:
- nginx_sites is defined
- name: Create sites-available / sites-enabled directories
ansible.builtin.file:
state: directory
path: "{{ item.path }}"
owner: "{{ item.owner | default('root') }}"
group: "{{ item.group | default('root') }}"
mode: "{{ item.mode | default('0755') }}"
with_items:
- { path: "/etc/nginx/sites-available" }
- { path: "/etc/nginx/sites-enabled" }
notify: Reload nginx
when:
- nginx_sites is defined
- name: Template default nginx config files
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ item.owner | default('root') }}"
group: "{{ item.group | default('root') }}"
mode: "{{ item.mode | default('0644') }}"
force: "{{ item.force | default('yes') }}"
backup: true
loop_control:
label: "{{ item.dest }}"
with_items:
- { src: "etc-nginx.conf.j2", dest: "/etc/nginx/nginx.conf", notify: "Reload nginx" }
- { src: "tls_params.j2", dest: "/etc/nginx/tls_params", notify: "Reload nginx" }
- { src: "default.j2", dest: "/etc/nginx/sites-available/default", notify: "Reload nginx" }
# - { src: "dhparam.pem.j2", dest: "{{ nginx_dhparams_file }}", notify: "Reload nginx" }
# - { src: "check_nginx.j2", dest: "{{ nagios_plugin_location }}/check_nginx", mode: '755' }
# - { src: "nrpe-check_nginx.j2", dest: "/etc/nagios/nrpe.d/10-nginx.cfg", notify: "Restart nrpe" }
notify: "{{ item.notify | default(omit) }}"
when:
- nginx_sites is defined
- name: Template site-specific configs
ansible.builtin.template:
src: "site.conf.j2"
dest: "/etc/nginx/sites-available/{{ site.server_name }}.conf"
owner: "{{ site.owner | default('root') }}"
group: "{{ site.group | default('root') }}"
mode: "{{ site.mode | default('0644') }}"
force: "{{ site.force | default('yes') }}"
backup: true
loop: "{{ nginx_sites }}"
loop_control:
loop_var: site
label: "{{ site.server_name }}"
notify: Reload nginx
when:
- nginx_sites is defined
tags:
- nginxextra
- nginx_site
- name: Enable nginx sites
ansible.builtin.file:
src: "/etc/nginx/sites-available/{{ site.server_name }}.conf"
path: "/etc/nginx/sites-enabled/{{ site.server_name }}.conf"
state: "{% if site.disabled | default(false) %}absent{% else %}link{% endif %}"
mode: "0644"
loop: "{{ nginx_sites }}"
loop_control:
loop_var: site
label: "{{ site.server_name }}"
notify: Reload nginx
when:
- nginx_sites is defined
ignore_errors: "{{ ansible_check_mode }}"


@ -1,37 +0,0 @@
# {{ ansible_managed }}
server {
listen 80 default_server;
listen [::]:80;
server_name {{ inventory_hostname }};
# Accept ACME-Challenges over http
location ^~ /.well-known/acme-challenge/ {
alias {{ nginx_wk_acme }}/;
}
# Block .ht files
location ~ /\.ht {
deny all;
}
# Redirect everything to https by default
location / {
return 301 https://$host$request_uri;
}
location /server_status {
# Enable Nginx stats
stub_status on;
# Only allow access from localhost
allow 127.0.0.1;
# Other request should be denied
deny all;
}
}
{% for line in nginx_default_extra | default([]) %}
{{ line }}
{% endfor %}


@ -1,39 +0,0 @@
# {{ ansible_managed }}
user {{ nginx_user }};
worker_processes auto;
pid /run/nginx.pid;
worker_rlimit_nofile 16384;
include {{ nginx_modules_dir }}/*.conf;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Default nginx log format with $request time added
log_format bitlair '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $request_time';
access_log /var/log/nginx/access.log bitlair;
gzip on;
gzip_disable "msie6";
{% for line in nginx_http_extra | default([]) %}
{{ line }}
{% endfor %}
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}


@ -1,43 +0,0 @@
# {{ ansible_managed }}
{% for line in site.pre_config | default([]) %}
{{ line }}
{% endfor %}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ site.server_name | default(inventory_hostname) }}{% if site.server_alias is defined %} {{ site.server_alias }}{% endif %};
include /etc/nginx/tls_params;
ssl_certificate /var/lib/dehydrated/certs/{{ site.server_name }}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/{{ site.server_name }}/privkey.pem;
index {{ nginx_index | default('index.php index.html index.htm') }};
client_max_body_size {{ nginx_client_max_body_size }};
location ~ /\.ht {
deny all;
}
access_log /var/log/nginx/{{ site.server_name }}.access.log bitlair;
error_log /var/log/nginx/{{ site.server_name }}.error.log;
{% if site.localproxy is defined %}
location / {
proxy_pass http://localhost:{{ site.localproxy }}/;
include proxy_params;
}
{% endif %}
# Include snippets
{% for file in site.snippets | default([]) %}
{% include "snippets/" ~ file %}
{% endfor %}
# Per site configuration
{% for line in site.config | default([]) %}
{{ line }}
{% endfor %}
}


@ -1 +0,0 @@
../../../snippets/


@ -1,22 +0,0 @@
# {{ ansible_managed }}
ssl_session_timeout {{ nginx_tls_session_timeout }};
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:{{ nginx_tls_cache_size }};
ssl_protocols {{ nginx_tls_version }};
ssl_ciphers {{ nginx_tls_cipherlist }};
ssl_ecdh_curve {{ nginx_tls_curve }};
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "sameorigin";
add_header X-Content-Type-Options "nosniff";
add_header X-Robots-Tag noindex;
# OCSP stapling
ssl_stapling {{ nginx_ssl_stapling }};
ssl_stapling_verify {{ nginx_ssl_stapling_verify }};


@ -33,5 +33,5 @@
ansible.builtin.systemd:
name: bambulab-fetch
state: started
enabled: true
enabled: yes
daemon_reload: true


@ -33,5 +33,5 @@
ansible.builtin.systemd:
name: photo-gallery
state: started
enabled: true
enabled: yes
daemon_reload: true


@ -6,9 +6,8 @@
- liblinux-inotify2-perl
- name: Install mqtt-simple
ansible.builtin.apt:
pkg: libnet-mqtt-simple-perl
default_release: testing
ansible.builtin.command:
cmd: cpan Net::MQTT::Simple
- name: Install photos2mqtt
ansible.builtin.template:
@ -32,5 +31,5 @@
ansible.builtin.systemd:
name: photos2mqtt
state: started
enabled: true
enabled: yes
daemon_reload: true
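Review bot: The `Install mqtt-simple` task now runs `cmd: cpan Net::MQTT::Simple` through `ansible.builtin.command` with no `creates:` guard, so it executes and reports changed on every run, and it fetches the module from CPAN at deploy time instead of the signed distro package (`libnet-mqtt-simple-perl`) it replaces. If the package from `testing` is not acceptable, at least add a `creates:` pointing at the installed module file, or a `perl -MNet::MQTT::Simple -e1` pre-check with `changed_when`, and consider pinning the module version so two hosts do not end up with different code. A comment on the task explaining why the apt package was dropped would also help the next reader.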


@ -4,8 +4,8 @@
set -eu
host={{ lookup('passwordstore', 'bambulab subkey=host') }}
pass={{ lookup('passwordstore', 'bambulab subkey=key') }}
host={{ lookup('passwordstore', 'fotos/bambulab subkey=host') }}
pass={{ lookup('passwordstore', 'fotos/bambulab subkey=key') }}
dir={{ photos_path }}
files=$(curl -ksl "ftps://bblp:$pass@$host:990/timelapse/" | grep ^video_)
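Review bot: The hunk stores the printer password in `pass=...` and then places it on the `curl -ksl "ftps://bblp:$pass@$host:990/timelapse/"` command line, so the credential is visible in the process list for the length of the transfer, and `-k` disables certificate verification on the very connection that carries it; only the passwordstore key paths are new here, but both lines are in the hunk. Passing the credential through `--netrc-file` (a root-only 0600 file written by the same template) and pinning the printer's certificate with `--cacert` instead of `-k` would close both without changing the script's flow. The rest of the script is outside the hunk.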


@ -15,7 +15,7 @@
- name: Enable sshd
ansible.builtin.systemd:
name: sshd
enabled: true
enabled: yes
state: started
- name: Rotate display
@ -24,6 +24,7 @@
line: "display_rotate={{ raspi_rotate_display }} # Managed by Ansible"
regexp: "^#?display_rotate"
when: raspi_rotate_display is defined
notify: reboot
- name: Disable swap
block:
@ -44,3 +45,4 @@
path: /etc/dhcpcd.conf
line: "slaac hwaddr # Managed by Ansible"
regexp: "^#?slaac"
notify: reboot
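Review bot: Both lineinfile hunks add `notify: reboot`, so a changed `display_rotate` or `slaac` line now reboots the host at the end of the play; that is a large side effect for a config edit, so each task deserves a comment stating it, and the `reboot` handler (not in this hunk) should be checked for a timeout suited to a Pi so the play does not hang. The `Enable sshd` task also moves to `enabled: yes`; `true` is the unambiguous form and matches `state: started` beside it.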


@ -2,57 +2,56 @@
- ansible.builtin.import_tasks:
file: ../../common/handlers/main.yaml
- name: Restart irc-bot
- name: restart irc-bot
ansible.builtin.systemd:
name: irc-bot
state: restarted
daemon_reload: true
- name: Restart irc-photos
- name: restart irc-photos
ansible.builtin.systemd:
name: irc-photos
state: restarted
daemon_reload: true
- name: Restart irc-doorduino
- name: restart irc-doorduino
ansible.builtin.systemd:
name: irc-doorduino
state: restarted
daemon_reload: true
- name: Restart discord-bot
- name: restart discord-bot
ansible.builtin.systemd:
name: discord-bot
state: restarted
daemon_reload: true
- name: Restart siahsd
- name: restart siahsd
ansible.builtin.systemd:
name: siahsd
state: restarted
daemon_reload: true
- name: Restart spacestated
- name: restart spacestated
ansible.builtin.systemd:
name: spacestated
state: restarted
daemon_reload: true
- name: Restart mastodon-spacestate
- name: restart mastodon-spacestate
ansible.builtin.systemd:
name: mastodon-spacestate
state: restarted
daemon_reload: true
- name: Restart wifi-mqtt
- name: restart wifi-mqtt
ansible.builtin.systemd:
name: wifi-mqtt
state: restarted
daemon_reload: true
- name: Restart power-mqtt
- name: restart power-mqtt
ansible.builtin.systemd:
name: "power-mqtt@{{ item.net }}:{{ item.ip }}"
name: power-mqtt
state: restarted
daemon_reload: true
with_items: "{{ power_mqtt_targets }}"
