Merge branch 'master' of ssh://dev.ccchb.de:2222/ccchb/ansible

This commit is contained in:
Crest 2024-10-01 13:17:46 +02:00
commit 7c9d689845
26 changed files with 171 additions and 146 deletions


@ -1,19 +1,18 @@
---
- hosts:
- name: Install py-netaddr
hosts:
- localhost
become: yes
become: true
tasks:
- name: Install py-netaddr package
package:
ansible.builtin.package:
name: net/py-netaddr
state: present
- hosts:
- name: Deploy bhyve to virtual machine hosts
hosts:
- emma
become: yes
become: true
tags: bhyve
roles:
- bhyve


@ -1,5 +1,6 @@
---
- hosts: debian
become: yes
- name: Prepare debian hosts
hosts: debian
become: true
roles:
- debian


@ -1,9 +1,8 @@
---
- hosts:
- name: Deploy DNS servers
hosts:
- mail
become: yes
become: true
roles:
- nsd
- unbound


@ -1,6 +1,7 @@
---
- hosts: gitea
become: yes
- name: Deploy Forgejo
hosts: gitea
become: true
roles:
- gitea
- gitea-ccchb


@ -1,8 +1,7 @@
---
- hosts:
- name: Deploy haproxy
hosts:
- emma
become: yes
become: true
roles:
- haproxy


@ -229,3 +229,19 @@ bhyve_guests:
volsize: 128g
volblocksize: 64k
primarycache: metadata
- name: verein
index: 10
enabled: true
ram: 2G
cpus: 2
image: debian-12.6.0-amd64-netinst.iso
password: foobar
order:
- DISKS
disks:
- name: disk
properties:
volsize: 128g
volblocksize: 64k
primarycache: metadata
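Review bot: The new `verein` guest entry stores `password: foobar` in clear text in a vars file that is committed to the repository. Even if this is only the installer bootstrap password, it should be supplied from an Ansible Vault-encrypted variable rather than plain YAML, e.g. `password: "{{ vault_bhyve_verein_password }}"` (placeholder name) with the real value in a vaulted file. The `image:` line references the installer ISO without any checksum, so the media is not verified before the guest boots from it; if the bhyve role supports a checksum field, adding one is worth considering. The enclosing `bhyve_guests` list starts before this hunk.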


@ -1,7 +1,8 @@
---
- hosts:
- name: Deploy XMPP server
hosts:
- jabber
become: yes
become: true
tags: [jabber]
roles:
- certbot


@ -1,22 +1,24 @@
---
- hosts:
- name: Install passlib
hosts:
- localhost
become: yes
become: true
tasks:
- name: Install passlib
package:
ansible.builtin.package:
name: py39-passlib
state: present
- hosts:
- name: Deploy mail servers
hosts:
- mail
become: yes
become: true
roles:
- dovecot
- rspamd
- postfix
- mlmmj
- role: dovecot
tags: [dovecot]
- role: rspamd
tags: [rspamd]
- role: postfix
tags: [postfix]
- role: mlmmj
tags: [mlmmj]


@ -1,5 +1,6 @@
---
- hosts: nextcloud
become: yes
- name: Deploy NextCloud
hosts: nextcloud
become: true
roles:
- nextcloud


@ -1,8 +1,7 @@
---
- hosts:
- name: Deploy local NTP server
hosts:
- mail
become: yes
become: true
roles:
- openntpd


@ -1,8 +1,7 @@
---
- hosts:
- name: Deploy restic
hosts:
- mail
become: yes
become: true
roles:
- restic


@ -1,39 +1,4 @@
---
- name: Install defaults
package:
name:
- zsh
- name: Download .zshrc from grml
get_url:
url: https://raw.githubusercontent.com/grml/grml-etc-core/v0.12.5/etc/zsh/zshrc
dest: /etc/zsh/zshrc
checksum: sha256:ad88c76951693c2f9c38773ed2602a9fd5c74431615c4a23aaff679b295919ce
validate_certs: false
- name: Update SSH configuration
notify: reload sshd
replace:
dest: /etc/ssh/sshd_config
regexp: '^([\#\s]*)?{{ item.key }}\s+([\w_-]+)'
replace: "{{item.key}} {{item.value}}"
with_items:
- key: PermitRootLogin
value: without-password
- key: PasswordAuthentication
value: 'no'
- key: ChallengeResponseAuthentication
value: 'no'
- key: PrintLastLog
value: 'yes'
- key: UseDNS
value: 'no'
- name: Change shell of user root
user:
name: root
shell: /usr/bin/zsh
- name: Enable sshd
systemd:
name: sshd
@ -44,32 +9,7 @@
notify: restart network
when: ipv4 is defined or ipv6 is defined
template:
src: systemd.network
dest: /etc/systemd/network/main.network
src: interfaces.j2
dest: /etc/network/interfaces
owner: root
mode: 644
- name: enable systemd-networkd
notify: restart network
systemd:
name: systemd-networkd
state: started
enabled: yes
- name: disable networking
systemd:
name: networking
enabled: no
- name: start systemd-resolved
systemd:
name: systemd-resolved
state: started
enabled: yes
- name: symling /etc/resolve
file:
src: /run/systemd/resolve/stub-resolv.conf
dest: /etc/resolv.conf
state: link
force: yes
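Review bot: `mode: 644` on the `/etc/network/interfaces` template task in the second hunk (a context line kept in the rewritten task) is an unquoted YAML integer, so Ansible receives decimal 644 rather than octal 0644 and sets the wrong permission bits; write it as `mode: '0644'`, which is the form the other files in this commit already use. The same task sets `owner: root` but no `group:`, so the file's group is left to whatever exists on the host. Separately, the sshd hardening tasks removed in the first hunk (PermitRootLogin, PasswordAuthentication, ChallengeResponseAuthentication) have no replacement visible in this section; if they moved to another role, saying so in the commit message would make the review easier.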


@ -0,0 +1,16 @@
# The primary network interface
allow-hotplug enp0s3
{% if ipv4 is defined %}
iface enp0s3 inet static
address {{ipv4}}/31
gateway {{ipv4route}}
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers {{ipv4route}}
dns-search emma.ccchb.de
{% endif %}
{% if ipv6 is defined %}
iface enp0s3 inet6 static
address {{ipv6}}/127
gateway {{ipv6route}}
{% endif %}
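Review bot: The interface name `enp0s3` and the `/31` and `/127` prefix lengths are hard-coded in every stanza of this new template, so it only renders a usable configuration for hosts that happen to have that NIC name and point-to-point addressing. A variable with a default keeps current behaviour while letting other hosts override it, e.g. `allow-hotplug {{ ifname | default('enp0s3') }}` and `iface {{ ifname | default('enp0s3') }} inet static` (placeholder variable name). `ipv4route` and `ipv6route` are used inside blocks guarded only by `ipv4 is defined` / `ipv6 is defined`, so a host that sets the address but not the route fails at template time; that may be intentional, but a one-line comment at the top of the template stating which variables are required would make it explicit.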



@ -0,0 +1,3 @@
{
"log-driver": "journald"
}


@ -0,0 +1,5 @@
---
- name: Restart docker
ansible.builtin.service:
name: docker
state: restarted


@ -0,0 +1,33 @@
---
- name: Install Docker's GPG key in apt's keyring
ansible.builtin.apt_key:
url: https://download.docker.com/linux/debian/gpg
state: present
tags: docker install
- name: Setup Docker's apt repository
ansible.builtin.apt_repository:
repo: deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable
state: present
filename: docker
tags: docker install
- name: Install Docker
ansible.builtin.package:
name:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-compose-plugin
state: present
tags: docker install
notify:
- Restart docker
- name: Configure Docker daemon
ansible.builtin.file:
src: daemon.json
dest: /etc/docker/daemon.json
owner: root
group: root
mode: '0644'
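Review bot: The `Configure Docker daemon` task uses `ansible.builtin.file` with `src:`/`dest:`, which does not copy any content — `file` only honours `src` for `state: link`/`hard`, and with the default state the task fails unless `/etc/docker/daemon.json` already exists — so the `daemon.json` added in this commit is never deployed; `ansible.builtin.copy` is the module that does this, and the task should notify `Restart docker` so the new log driver takes effect. `tags: docker install` on the three install tasks is a single tag containing a space, not two tags; write `tags: [docker, install]`. `ansible.builtin.apt_key` relies on the deprecated apt-key keyring; on current Debian the key belongs under `/etc/apt/keyrings` and is referenced with `signed-by=` in the repo line — left out of the fence because it also needs a task creating that directory.
```yaml
# … unchanged: key, repository and package tasks (each with `tags: [docker, install]`) …
- name: Configure Docker daemon
  ansible.builtin.copy:
    src: daemon.json
    dest: /etc/docker/daemon.json
    owner: root
    group: root
    mode: '0644'
  notify:
    - Restart docker
```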


@ -1,20 +1,20 @@
---
- name: Reload s6-rc
service:
ansible.builtin.service:
name: s6-rc
state: reloaded
- name: Restart Postfix
command: s6-svc -wU -T 5000 -ru {{ s6_scan_dir }}/postfix
ansible.builtin.command: s6-svc -wU -T 5000 -ru {{ s6_scan_dir }}/postfix
- name: Restart Postfix log
command: s6-svc -wU -T 5000 -ru {{ s6_scan_dir }}/postfix-log
ansible.builtin.command: s6-svc -wU -T 5000 -ru {{ s6_scan_dir }}/postfix-log
- name: Reload Postfix
command: s6-svc -h {{ s6_scan_dir }}/postfix
ansible.builtin.command: s6-svc -h {{ s6_scan_dir }}/postfix
- name: Rebuild Postfix maps
command: 'postmap {{ item.type }}:{{ item.name }}'
ansible.builtin.command: 'postmap {{ item.type }}:{{ item.name }}'
args:
chdir: /usr/local/etc/postfix
when: item.type in postfix_rebuild_types


@ -1,27 +1,27 @@
---
- name: Install Postfix
package:
ansible.builtin.package:
name: postfix
state: present
notify:
- Restart Postfix
- name: Create /usr/local/etc/mail
file:
ansible.builtin.file:
path: /usr/local/etc/mail
state: directory
owner: root
group: wheel
mode: 0755
mode: '0755'
- name: Install Postfix mailer.conf
copy:
ansible.builtin.copy:
dest: /usr/local/etc/mail/mailer.conf
src: /usr/local/share/postfix/mailer.conf.postfix
remote_src: yes
remote_src: true
owner: root
group: wheel
mode: 0644
mode: '0644'
- name: Disable sendmail
sysrc:
@ -29,22 +29,22 @@
value: NONE
- name: Make sure sendmail is stopped
service:
ansible.builtin.service:
name: sendmail
state: stopped
- name: Disable sendmail periodic tasks
lineinfile:
ansible.builtin.lineinfile:
path: /etc/periodic.conf
owner: root
group: wheel
mode: 0444
mode: '0444'
regexp: '^{{ item }}='
line: '{{ item }}="NO"'
with_items: '{{ sendmail_periodic }}'
- name: Add /var/log/postfix to fstab
mount:
ansible.posix.mount:
path: /var/log/postfix
src: tmpfs
fstype: tmpfs
@ -52,19 +52,19 @@
state: mounted
- name: Create Postfix service directories
file:
ansible.builtin.file:
path: '{{ s6_etc_dir }}/service/{{ item }}'
state: directory
owner: root
group: wheel
mode: 0755
mode: '0755'
with_items: '{{ postfix_service_dirs }}'
- name: Generate Postfix service scripts
template:
ansible.builtin.template:
dest: '{{ s6_etc_dir }}/service/{{ item }}'
src: '{{ item }}.j2'
mode: 0555
mode: '0555'
owner: root
group: wheel
with_items: '{{ postfix_service_scripts }}'
@ -73,24 +73,24 @@
- Restart Postfix
- name: Generate Postfix service configuration
copy:
ansible.builtin.copy:
dest: '{{ s6_etc_dir }}/service/{{ item.name }}'
content: '{{ item.content }}'
mode: 0444
mode: '0444'
owner: root
group: wheel
loop_control:
label: '{{ item.name }} = {{ item.content }}'
label: '{{ item.name }} = {{ item.content }}'
notify:
- Reload s6-rc
- Restart Postfix
with_items: '{{ postfix_service_config }}'
- name: Generate Postfix maps
template:
ansible.builtin.template:
dest: '/usr/local/etc/postfix/{{ item.name }}'
src: '{{ item.name }}.j2'
mode: 0444
mode: '0444'
owner: root
group: wheel
with_items: '{{ postfix_maps }}'
@ -108,7 +108,7 @@
- Reload Postfix
- name: Configure Postfix services
lineinfile:
ansible.builtin.lineinfile:
path: /usr/local/etc/postfix/master.cf
regexp: '^{{ item.name }} +{{ item.type }}'
value: '{{ item.value }}'
@ -126,15 +126,15 @@
- Restart Postfix
- name: Flush handlers
meta: flush_handlers
ansible.builtin.meta: flush_handlers
- name: Start Postfix
command: fdmove -c 2 1 s6-rc -l {{ s6_live_dir }} -u -v 2 change postfix
ansible.builtin.command: fdmove -c 2 1 s6-rc -l {{ s6_live_dir }} -u -v 2 change postfix
register: change
changed_when: change.stdout | length > 0
- name: Enable Postfix
lineinfile:
ansible.builtin.lineinfile:
path: '{{ s6_etc_dir }}/service/enabled/contents'
regexp: "^postfix$"
line: "postfix"
@ -142,4 +142,4 @@
- Reload s6-rc
- name: Flush handlers (again)
meta: flush_handlers
ansible.builtin.meta: flush_handlers


@ -63,6 +63,7 @@ postfix_virtual_aliases:
- hostmaster@ccchb.de crest@ccchb.de
- thoddi@ccchb.de mail@thoddi.de
- docloc@ccchb.de docloc@posteo.net
- fritz@ccchb.de fritz@grimpen.net
- root@lists.ccchb.de crest@ccchb.de
- crest@lists.ccchb.de crest@ccchb.de
@ -354,6 +355,14 @@ postfix_config:
value: 'aNULL'
state: present
- name: smtpd_tls_mandatory_protocols
value: 'TLSv1.2 TLSv1.3'
state: present
- name: smtpd_tls_protocols
value: 'TLSv1.2 TLSv1.3'
state: present
- name: smtpd_tls_received_header
value: 'yes'
state: present
@ -371,7 +380,8 @@ postfix_config:
state: present
- name: tls_high_cipherlist
value: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
value: |-
'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
state: present
- name: tls_ssl_options
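Review bot: The new `tls_high_cipherlist` value is a `|-` block scalar, so the single quotes on the following line are part of the value: Postfix is handed `tls_high_cipherlist = 'ECDHE-ECDSA-…'` with literal apostrophes, which is not a valid OpenSSL cipher string (the replaced value was a quoted plain scalar, where YAML stripped the quotes). Keep `value: |-` and make the next line `ECDHE-ECDSA-AES128-GCM-SHA256:…:DHE-RSA-AES256-GCM-SHA384` without quotes, or use `>-` and break the list across several lines to stay within the line-length limit. The `smtpd_tls_protocols` / `smtpd_tls_mandatory_protocols` additions are positive protocol lists; on Postfix 3.6 and later the documented form `>=TLSv1.2` is the preferred spelling, so the list form should be checked against the deployed Postfix version. The enclosing `postfix_config` list starts before this hunk.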

7
s6.yml

@ -1,8 +1,7 @@
---
- hosts:
- name: Deploy s6 on FreeBSD
hosts:
- emma
become: yes
become: true
roles:
- s6-rc


@ -1,6 +1,7 @@
---
- hosts: debian frab
become: yes
- name: Perform user management
hosts: debian frab
become: true
tags: [user_mgmt]
roles:
- user_mgmt


@ -1,7 +1,8 @@
---
- hosts:
- name: Deploy MediaWiki
hosts:
- wiki
become: yes
become: true
roles:
- mediawiki
- certbot