From a357acfd540d506737f40703511f7528904c2176 Mon Sep 17 00:00:00 2001
From: Rene Mewissen
Date: Fri, 28 Oct 2022 09:49:15 +0200
Subject: [PATCH 1/5] added docker01 host keys

---
 roles/base/files/users/known_hosts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/roles/base/files/users/known_hosts b/roles/base/files/users/known_hosts
index f55f7b7..e719c7e 100644
--- a/roles/base/files/users/known_hosts
+++ b/roles/base/files/users/known_hosts
@@ -46,3 +46,5 @@ localhost ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEUg4UIbuIC0o9o/w50CjLUUsNzRtx/BmR
 172.16.0.223 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3Xoeu7qRbWJjaFSM18RuXfCkZdaCfEBSVpY0gQdPgghO/ofejF8EqwlfZ5gz4HfQQjJ3cLZ+l0hP08sARZDfeYRhLfn8YP+ZjmtWaOHewdyYnR9wcGgtsiV3cmJwItfG524NAhi1PbYE5MzdGGamOeDlhvBmNM/s215EJNheIkGl7SLXkSqEqnPQkX4OSHEI9PsWw/dEsyvMEkl5IMBOukoiHypDvLJr/wMyRRJEC9E794KJt4H/kJwxLUzk7IT6KIBsUf3we7fM6fwLdzfjGFS5t3nMDGiuph/x5xPzR4WipJ8dIDkClu+orSA/7tbOfV8zambchTQKaNmLKSHLj
 172.16.0.223 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIFH5vIt3f7GLHbHFYNluoxswNXeJ4+0wmWyJR41IHjvww+M5zZfbOavxBHAfXV3Zyi85W89qSklvjy0wYDctH8=
 192.168.1.222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK3qDNg4d//HlwVMPhQXFBAGNflx3J7JFxEUcav7/qRs
+docker01 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2ePwlU2sJtRqTK6s1GFmzAHbxrTsVw3Gdo8UGqmMJ9
+docker01 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAOkprfhz7eo55wTXSjM3nAjxSCnF7zQZ+IEViE4orduxve6WSB9pERj79kP2Mgt1Z4jk6HP9U9n+l4CkuLN6Bg=
\ No newline at end of file

From c83d0d6939fedd97161a6d9d1c4d21f90d0f4fb1 Mon Sep 17 00:00:00 2001
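Review bot: Both new entries key docker01 under its bare short name only, so a client that reaches the host by FQDN or IP gets no match and non-interactive strict host-key checking still fails; known_hosts accepts a comma-separated alias list per line, e.g. `docker01,<docker01-fqdn>,<docker01-ip> ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2ePwlU2sJtRqTK6s1GFmzAHbxrTsVw3Gdo8UGqmMJ9`. The `rsync … docker01:` pull added in [PATCH 2/5] uses the short name, so that path works as long as name resolution on the mail host agrees. The file also still ends without a newline (`\ No newline at end of file`), which this hunk inherits and the next append will have to fix again.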
From: Rene Mewissen
Date: Fri, 28 Oct 2022 09:49:41 +0200
Subject: [PATCH 2/5] make use of nginx proxy manager certificates

---
 host_vars/mail.universe.local.yml | 3 ++-
 roles/mailserver/tasks/configure_postfix.yml | 4 ++--
 roles/mailserver/tasks/copy_certificates.yml | 3 +++
 roles/mailserver/tasks/main.yml | 2 ++
 4 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 roles/mailserver/tasks/copy_certificates.yml

diff --git a/host_vars/mail.universe.local.yml b/host_vars/mail.universe.local.yml
index 6ba3a0f..df908db 100644
--- a/host_vars/mail.universe.local.yml
+++ b/host_vars/mail.universe.local.yml
@@ -5,4 +5,5 @@ pigeonhole: true
 fetchmail: true
 mpop: true
-mynetworks: '192.168.1.0/24, 127.0.0.0/8, 192.168.122.0/24, 10.20.20.0/28, 172.16.0.0/12, 192.168.3.0/24'
\ No newline at end of file
+mynetworks: '192.168.1.0/24, 127.0.0.0/8, 192.168.122.0/24, 10.20.20.0/28, 172.16.0.0/12, 192.168.3.0/24'
+nginx_proxy_manager_cert_id: npm-1
\ No newline at end of file
diff --git a/roles/mailserver/tasks/configure_postfix.yml b/roles/mailserver/tasks/configure_postfix.yml
index 04d3e82..9ee9c18 100644
--- a/roles/mailserver/tasks/configure_postfix.yml
+++ b/roles/mailserver/tasks/configure_postfix.yml
@@ -50,12 +50,12 @@
 - {key: "smtpd_sasl_type", value: "dovecot"}
 - {key: "smtpd_sender_restrictions", value: "'hash:/etc/postfix/access, permit_mynetworks, reject_non_fqdn_sender, check_sender_access hash:/etc/postfix/sender_access'"}
 - {key: "smtpd_tls_auth_only", value: "yes"}
- - {key: "smtpd_tls_cert_file", value: "/etc/letsencrypt/live/tantooine.myfirewall.org/fullchain.pem"}
+ - {key: "smtpd_tls_cert_file", value: "/etc/letsencrypt/live/{{ nginx_proxy_manager_cert_id }}/fullchain.pem"}
 - {key: "smtpd_tls_dh1024_param_file", value: "${config_directory}/dh2048.pem"}
 - {key: "smtpd_tls_dh512_param_file", value: "${config_directory}/dh512.pem"}
 - {key: "smtpd_tls_eecdh_grade", value: "strong"}
 - {key: "smtpd_tls_exclude_ciphers", value: "'aNULL,MD5,RC4,DES,IDEA,SEED,3DES'"}
- - {key: "smtpd_tls_key_file", value: "/etc/letsencrypt/live/tantooine.myfirewall.org/privkey.pem"}
+ - {key: "smtpd_tls_key_file", value: "/etc/letsencrypt/live/{{ nginx_proxy_manager_cert_id }}/privkey.pem"}
 - {key: "smtpd_tls_loglevel", value: "1"}
 - {key: "smtpd_tls_mandatory_ciphers", value: "high"}
 - {key: "smtpd_tls_mandatory_exclude_ciphers", value: "'aNULL,MD5,RC4,IDEA,SEED,3DES'"}
diff --git a/roles/mailserver/tasks/copy_certificates.yml b/roles/mailserver/tasks/copy_certificates.yml
new file mode 100644
index 0000000..5675592
--- /dev/null
+++ b/roles/mailserver/tasks/copy_certificates.yml
@@ -0,0 +1,3 @@
+- name: mailserver | certificates | scp from docker01
+ shell:
+ cmd: "rsync -rlptD docker01:/opt/docker/npm/letsencrypt /etc/"
\ No newline at end of file
diff --git a/roles/mailserver/tasks/main.yml b/roles/mailserver/tasks/main.yml
index 73d85eb..67e40a9 100644
--- a/roles/mailserver/tasks/main.yml
+++ b/roles/mailserver/tasks/main.yml
@@ -3,6 +3,8 @@
 tags: always
 - block:
+ - include_tasks: copy_certificates.yml
+ - block:
 - include_tasks: install_postfix.yml
 - include_tasks: configure_postfix.yml

From 81aea710f11210f209b45360264b2720f70b9b49 Mon Sep 17 00:00:00 2001
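Review bot: The two rewritten `value` strings now require `nginx_proxy_manager_cert_id`, which this series defines only in `host_vars/mail.universe.local.yml`, so any other host running the role fails at this task with an undefined-variable error rather than at role entry. Give the variable a role default, or fail early with `assert: { that: nginx_proxy_manager_cert_id is defined }`, and since it becomes a path component, quote it in host_vars — `nginx_proxy_manager_cert_id: "npm-1"` — so an id that later looks numeric is not retyped by the YAML loader. The task that owns this list starts before the hunk, so whether it already guards the variable isn't visible here.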
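Review bot: The new `copy_certificates.yml` task is not idempotent and copies more than it needs: run through `shell` with no `changed_when`, it reports changed on every play, and pulling all of `/opt/docker/npm/letsencrypt` into `/etc` lands every certificate and private key NPM manages on the mail host, not only `npm-1`. Nothing is notified either, so a renewed certificate is copied but postfix keeps serving the old one until something else restarts it. `rsync` needs no shell features, so `command` is the right module; `--itemize-changes` prints one line per changed item and nothing when the tree is already in sync, which gives `changed_when` a reliable signal; narrowing the source with rsync include/exclude filters to the `live` and `archive` entries for the configured id would limit what is copied. The handler name below is a placeholder because the role's handlers aren't in this patch, and the task also depends on the docker01 host key from [PATCH 1/5] being present, otherwise a non-interactive run fails on host-key verification.
```yaml
- name: mailserver | certificates | scp from docker01
  command:
    cmd: "rsync -rlptD --itemize-changes docker01:/opt/docker/npm/letsencrypt /etc/"
  register: npm_cert_sync
  changed_when: npm_cert_sync.stdout | length > 0
  notify: <postfix-reload-handler>  # placeholder: use the handler name this role defines
```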
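Review bot: The added `- block:` in `main.yml` appears to sit at the same list level as the `include_tasks` entries that follow it — indentation is lost in this rendering, so this is inferred from the fact that those lines are unchanged context rather than re-indented additions — which leaves the new block with no body, and Ansible will most likely refuse to load a `block` whose value is null. Either drop the inner `- block:` line, or re-indent the `install_postfix.yml`/`configure_postfix.yml` entries so they become its body and give the block a reason to exist (a `when:` or `become:`). The outer `- block:` starts before this hunk and continues past it, so any condition it carries isn't visible here.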
From: Rene Mewissen
Date: Fri, 28 Oct 2022 19:03:36 +0200
Subject: [PATCH 3/5] start dovecot config

---
 roles/mailserver/tasks/configure_dovecot.yml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 roles/mailserver/tasks/configure_dovecot.yml

diff --git a/roles/mailserver/tasks/configure_dovecot.yml b/roles/mailserver/tasks/configure_dovecot.yml
new file mode 100644
index 0000000..03db115
--- /dev/null
+++ b/roles/mailserver/tasks/configure_dovecot.yml
@@ -0,0 +1,5 @@
+- name: mailserver | configure dovecot | create config dir
+ file:
+ path: "/etc/dovecot/conf.d"
+ state: directory
+ recurse: True
\ No newline at end of file

From 7079278fffa3d3463ebc5fde3e4e1e530f75bb9e Mon Sep 17 00:00:00 2001
From: Rene Mewissen
Date: Mon, 21 Nov 2022 13:51:58 +0100
Subject: [PATCH 4/5] prapare backup server

---
 .vscode/settings.json | 4 ++++
 roles/backup/files/config/backup_remote.conf | 3 +++
 roles/backup/files/config/jitsi_excludes.txt | 1 +
 roles/backup/files/config/jitsi_includes.txt | 6 ++++++
 roles/backup/files/config/mail_excludes.txt | 1 +
 roles/backup/files/config/mail_includes.txt | 5 +++++
 roles/backup/files/config/mewitoot_excludes.txt | 1 +
 roles/backup/files/config/mewitoot_includes.txt | 7 +++++++
 roles/base/files/private_keys/backup_ed25519 | 7 +++++++
 9 files changed, 35 insertions(+)
 create mode 100644 .vscode/settings.json
 create mode 100644 roles/backup/files/config/backup_remote.conf
 create mode 100644 roles/backup/files/config/jitsi_excludes.txt
 create mode 100644 roles/backup/files/config/jitsi_includes.txt
 create mode 100644 roles/backup/files/config/mail_excludes.txt
 create mode 100644 roles/backup/files/config/mail_includes.txt
 create mode 100644 roles/backup/files/config/mewitoot_excludes.txt
 create mode 100644 roles/backup/files/config/mewitoot_includes.txt
 create mode 100644 roles/base/files/private_keys/backup_ed25519

diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..9f0fcd6
--- /dev/null
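Review bot: `recurse: True` on the new `file` task does nothing useful and trips ansible-lint's `yaml[truthy]` rule: `state: directory` already creates missing parents, and `recurse` only re-applies `owner`/`group`/`mode` to existing contents, none of which the task sets. Either drop the key, or if the intent is to normalise the packaged config tree, give it something to apply and spell the boolean canonically: `mode: "0755"` with `recurse: true`. The file also ends without a trailing newline, which is worth fixing before more tasks are appended to it.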
+++ b/.vscode/settings.json
@@ -0,0 +1,4 @@
+{
+ "editor.fontFamily": "'JetBrains Mono', 'NotoMono NF', 'DejaVuSansMono NF', 'MesloLGS NF', 'Droid Sans Mono', 'monospace', monospace, 'Droid Sans Fallback'",
+ "editor.fontSize": 17
+}
\ No newline at end of file
diff --git a/roles/backup/files/config/backup_remote.conf b/roles/backup/files/config/backup_remote.conf
new file mode 100644
index 0000000..efa4cea
--- /dev/null
+++ b/roles/backup/files/config/backup_remote.conf
@@ -0,0 +1,3 @@
+mail;/opt/backup/config/mail_includes.txt;/opt/backup/config/mail_excludes.txt
+jitsi;/opt/backup/config/jitsi_includes.txt;/opt/backup/config/jitsi_excludes.txt
+mewitoot;/opt/backup/config/mewitoot_includes.txt;/opt/backup/config/mewitoot_excludes.txt
diff --git a/roles/backup/files/config/jitsi_excludes.txt b/roles/backup/files/config/jitsi_excludes.txt
new file mode 100644
index 0000000..751553b
--- /dev/null
+++ b/roles/backup/files/config/jitsi_excludes.txt
@@ -0,0 +1 @@
+*.bak
diff --git a/roles/backup/files/config/jitsi_includes.txt b/roles/backup/files/config/jitsi_includes.txt
new file mode 100644
index 0000000..72cf29d
--- /dev/null
+++ b/roles/backup/files/config/jitsi_includes.txt
@@ -0,0 +1,6 @@
+/etc
+/home
+/root
+/usr/share/jitsi-meet
+/var/spool/cron
+/var/www
diff --git a/roles/backup/files/config/mail_excludes.txt b/roles/backup/files/config/mail_excludes.txt
new file mode 100644
index 0000000..25be2eb
--- /dev/null
+++ b/roles/backup/files/config/mail_excludes.txt
@@ -0,0 +1 @@
+dotfiles
diff --git a/roles/backup/files/config/mail_includes.txt b/roles/backup/files/config/mail_includes.txt
new file mode 100644
index 0000000..1bfc9f9
--- /dev/null
+++ b/roles/backup/files/config/mail_includes.txt
@@ -0,0 +1,5 @@
+/etc
+/home
+/opt/backup
+/opt/mailcow-dockerized
+/var/lib/docker/volumes
diff --git a/roles/backup/files/config/mewitoot_excludes.txt b/roles/backup/files/config/mewitoot_excludes.txt
new file mode 100644
index 0000000..751553b
--- /dev/null
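Review bot: `.vscode/settings.json` holds personal editor preferences (a font stack and font size) and does not belong in an infrastructure repository; every collaborator's VS Code will silently adopt it. Drop it from the series and add `.vscode/` to `.gitignore` so it doesn't come back.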
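Review bot: The mail include list (`/etc`, `/opt/mailcow-dockerized`, `/var/lib/docker/volumes`) sweeps `/etc/shadow`, the `/etc/letsencrypt` private keys that [PATCH 2/5] rsyncs onto this host, and the mailcow volumes into the backup, so the backup destination and transport have to be treated as holding secrets — encrypted at rest and readable only by the backup user; nothing in this patch shows that, though it may live in the script that consumes `backup_remote.conf`, which isn't included. The companion `mail_excludes.txt` holds the single pattern `dotfiles`, which in rsync- or tar-style exclude syntax matches only a path component literally named dotfiles, not `.*`; if the intent was to skip hidden files the pattern should be `.*`. Which tool parses these lists isn't visible here, so verify the pattern syntax against it before relying on the exclude.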
+++ b/roles/backup/files/config/mewitoot_excludes.txt
@@ -0,0 +1 @@
+*.bak
diff --git a/roles/backup/files/config/mewitoot_includes.txt b/roles/backup/files/config/mewitoot_includes.txt
new file mode 100644
index 0000000..2571ad0
--- /dev/null
+++ b/roles/backup/files/config/mewitoot_includes.txt
@@ -0,0 +1,7 @@
+/etc
+/home
+/root
+/var/backups/postgresql
+/var/cache/bind
+/var/lib/bind
+/var/spool/cron
diff --git a/roles/base/files/private_keys/backup_ed25519 b/roles/base/files/private_keys/backup_ed25519
new file mode 100644
index 0000000..f04053f
--- /dev/null
+++ b/roles/base/files/private_keys/backup_ed25519
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACC11KG9c+/tJQLzFpNKaYg5wO69qGnLma+b+Xr+zHgLGQAAAKBVvgLPVb4C
+zwAAAAtzc2gtZWQyNTUxOQAAACC11KG9c+/tJQLzFpNKaYg5wO69qGnLma+b+Xr+zHgLGQ
+AAAEDXqxgmtwQkJQM18+vIoUlDdzKdTlavht+6lQtvG9/ap7XUob1z7+0lAvMWk0ppiDnA
+7r2oacuZr5v5ev7MeAsZAAAAHXJvb3RAY29ydXNjYW50LnVuaXZlcnNlLmxvY2Fs
+-----END OPENSSH PRIVATE KEY-----
\ No newline at end of file

From 04cee14fd8d40f056857bec305c6089dfb69c7ec Mon Sep 17 00:00:00 2001
From: Rene Mewissen
Date: Mon, 21 Nov 2022 13:53:03 +0100
Subject: [PATCH 5/5] encrypted sensible file

---
 roles/base/files/public_keys/backup_ed25519.pub | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/roles/base/files/public_keys/backup_ed25519.pub b/roles/base/files/public_keys/backup_ed25519.pub
index bab4c91..565bbc3 100644
--- a/roles/base/files/public_keys/backup_ed25519.pub
+++ b/roles/base/files/public_keys/backup_ed25519.pub
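Review bot: `roles/base/files/private_keys/backup_ed25519` commits an unencrypted OpenSSH private key, and the follow-up [PATCH 5/5] then vault-encrypts `backup_ed25519.pub` — the non-secret half — while this private key stays in plaintext. Because the key is already in git history, encrypting or deleting it in a later commit does not take it back: the pair needs to be regenerated, the new private key kept out of the tree (an ansible-vault-encrypted file, or `lookup('file', ...)` against a path outside the repository), and the public key can remain plain so `authorized_key` tasks don't need the vault password for a public value. The public key removed in the patch-5 hunk carries the comment `root@coruscant.universe.local`, so this was evidently generated as root on that host; wherever the old key is authorized it should be removed now, and the replacement restricted on the targets with `restrict`/`command=` options in `authorized_keys` so a backup key can only run the backup.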
@@ -1 +1,10 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILXUob1z7+0lAvMWk0ppiDnA7r2oacuZr5v5ev7MeAsZ root@coruscant.universe.local
+$ANSIBLE_VAULT;1.1;AES256
+39376634373232333037646564313065326466623661356638343239333039663836363231316162
+3166333131373636666166623863323162643732303931620a643130383065633662343461366437
+32616232356536613435336363356435373437363935333637643764396630656561373235303065
+3732396536616537660a656138666562643739653263316431656533656461653438376262353565
+37656262383766656665383730626532626331316435383131653939373537326236353538376665
+38323765383039343537653236626631616265623332373133333232386338643832303664653730
+62666165383037636264646532386438646538313436333137383833333530373461316664613737
+37333530356139386131393339643838633834636462323364646533636165616433393932383533
+65666439656561646334646633326538363332626233663034636632646531663366