diff --git a/group_vars/all b/group_vars/all index 44bcfe4..8a1896b 100644 --- a/group_vars/all +++ b/group_vars/all @@ -1,2 +1,4 @@ snmpd_conf: /etc/snmp/snmpd.conf -sudo: /usr/bin/sudo \ No newline at end of file +sudo: /usr/bin/sudo + +gitserver: gitea.mewissen.site \ No newline at end of file diff --git a/host_vars/coruscant.universe.local.yml b/host_vars/coruscant.universe.local.yml index 0891e02..53f06db 100644 --- a/host_vars/coruscant.universe.local.yml +++ b/host_vars/coruscant.universe.local.yml @@ -13,7 +13,7 @@ microcode_intel_install: true # purpose selection database: true mysql: true -postgresql: false +postgres: false dhcpserver: true fileserver: true mailserver: true diff --git a/host_vars/mail.universe.local.yml b/host_vars/mail.universe.local.yml new file mode 100644 index 0000000..6ba3a0f --- /dev/null +++ b/host_vars/mail.universe.local.yml @@ -0,0 +1,8 @@ +postfix: true +postgrey: true +dovecot: true +pigeonhole: true +fetchmail: true +mpop: true + +mynetworks: '192.168.1.0/24, 127.0.0.0/8, 192.168.122.0/24, 10.20.20.0/28, 172.16.0.0/12, 192.168.3.0/24' \ No newline at end of file diff --git a/host_vars/mailcow.yml b/host_vars/mailcow.yml new file mode 100644 index 0000000..566860f --- /dev/null +++ b/host_vars/mailcow.yml @@ -0,0 +1,17 @@ +--- +branch: master + +#ansible_cron_minute: "40" +#ssh_port: 22 +#ssh_users: "user1 user2" +copy_ssh_priv_keys: false + +# platform-specific +linode_instance: false +microcode_amd_install: false +microcode_intel_install: false +proxmox_instance: false +raspberry_pi: false + +# server +unattended_upgrades: true diff --git a/host_vars/mariadb01 b/host_vars/mariadb01 new file mode 100644 index 0000000..9d8109d --- /dev/null +++ b/host_vars/mariadb01 
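Review bot: `mynetworks` in host_vars/mail.universe.local.yml covers the entire 172.16.0.0/12 block (roughly a million addresses) next to five other subnets, and configure_postfix.yml in this commit places `permit_mynetworks` early in smtpd_helo/sender/recipient_restrictions, so any host in those ranges can submit and relay mail with no authentication and no HELO or sender checks. Unless the whole /12 is really in use, narrow it to the subnets that actually carry clients — the known_hosts entries in this commit only show 172.16.0.x hosts, which suggests `172.16.0.0/24`. The value is also interpolated into a `postconf` shell command as `'{{ mynetworks }}'`, so it must stay free of quote characters. The file is committed without a trailing newline.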
@@ -0,0 +1,42 @@ +--- +branch: master + +ansible_cron_minute: "*/5" + +ssh_port: 22 +ssh_users: "root rene" + +# platform-specific +microcode_amd_install: false +microcode_intel_install: true + +# purpose selection +database: true +mysql: true +postgres: false +redis: false +dhcpserver: false +fileserver: false +mailserver: false +nameserver: false +printspooler: false +proxyserver: false +squid: false +tinyproxy: false +webserver: false +apache: false +nginx: false + +# application selection +borgbackup: false +broot: false +docker: false +pacaur: false +paru: false +ranger: false +syncthing: false +vifm: false +yay: false + +# shell selection +zsh: true \ No newline at end of file diff --git a/host_vars/mariadb02 b/host_vars/mariadb02 new file mode 120000 index 0000000..de15b25 --- /dev/null +++ b/host_vars/mariadb02 @@ -0,0 +1 @@ +mariadb01 \ No newline at end of file diff --git a/host_vars/mariadb03 b/host_vars/mariadb03 new file mode 120000 index 0000000..de15b25 --- /dev/null +++ b/host_vars/mariadb03 @@ -0,0 +1 @@ +mariadb01 \ No newline at end of file diff --git a/hosts b/hosts index d48057d..31b6ce8 100644 --- a/hosts +++ b/hosts @@ -11,6 +11,8 @@ Samba-AD-DC librenms grafana backup +haproxy01 +haproxy02 [server:children] cluster @@ -18,6 +20,7 @@ database dhcpserver docker fileserver +icinga jitsimeet mailserver mastodon @@ -28,6 +31,9 @@ webserver [database] coruscant.universe.local +mariadb01 +mariadb02 +mariadb03 [development] endor.universe.local @@ -44,18 +50,30 @@ docker02 [fileserver] coruscant.universe.local +samba-ad-dc [glustertest] glustertest01 glustertest02 glustertest03 +[icinga_master] +icinga + +[icinga_satellite] + +[icinga:children] +icinga_master +icinga_satellite + [jitsimeet] mewimeet.de jitsi_fqdn=mewimeet.de [mailserver] coruscant.universe.local mail.mewissen.site +mailcow +mail.universe.local [mastodon] mewitoot.de diff --git a/local.yml b/local.yml index 83ab497..811735f 100644 --- a/local.yml +++ b/local.yml 
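Review bot: `ssh_users: "root rene"` in host_vars/mariadb01 — shared by mariadb02 and mariadb03 through the symlinks added here — keeps root in the SSH user allow-list, so direct root logins are permitted on all three database hosts even though `rene` is already placed in `{{ sudo_group }}` by users/rene.yml. Suggest `ssh_users: "rene"`; if root must stay reachable for an automation key, limit it to key auth with `PermitRootLogin prohibit-password` in the sshd configuration. How `ssh_users` is consumed is outside this diff, so confirm it maps to an AllowUsers line before relying on that.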
@@ -56,17 +56,17 @@ roles: - webserver -# - hosts: mailserver -# tags: server,mailserver -# become: true -# roles: -# - mailserver +- hosts: mailserver + tags: server,mailserver + become: true + roles: + - mailserver -# - hosts: database -# tags: server,database -# become: true -# roles: -# - database +- hosts: database + tags: server,database + become: true + roles: + - database # - hosts: dhcpserver # tags: server,dhcpserver diff --git a/roles/base/files/users/known_hosts b/roles/base/files/users/known_hosts index fabf5aa..f55f7b7 100644 --- a/roles/base/files/users/known_hosts +++ b/roles/base/files/users/known_hosts 
@@ -3,6 +3,7 @@ |1|+ebqSRFuT6ZpVb032ycgNFK9aYk=|GG8wNwMN/MonLjYeRqZNVzr4/l8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMj+ZCAgXVg4OhxpQHLDFanvm7/QP9qRA1zGIAy+1jK7/OTAu3pb6/C1wXufZMn4V1YEbzkeAh8RJeJXmprhdn4= |1|Nxpoqfn5XUKOUkUPrDsac1U2jx8=|bePErvLRXOGc2nM7s8bphY4QL3E= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMj+ZCAgXVg4OhxpQHLDFanvm7/QP9qRA1zGIAy+1jK7/OTAu3pb6/C1wXufZMn4V1YEbzkeAh8RJeJXmprhdn4= gitlab.social.my-wan.de,192.168.1.240 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDNCQnHHKtHukjysSlErXQOlBPP1oalb9+wWaS6O+k+RMtnx9iZE02fgVUHuwYI3S7P8UNP12tQxFlXuuFqCQ0w= +gitea.mewissen.site,192.168.1.240 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDNCQnHHKtHukjysSlErXQOlBPP1oalb9+wWaS6O+k+RMtnx9iZE02fgVUHuwYI3S7P8UNP12tQxFlXuuFqCQ0w= diskstation,192.168.1.234 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBbDuuwpYg92O+O3ZVYyctZ5szXfE7GRUW4rDZjlEYTf2q8ieE2vezHo/sl2wZW1jCSevER2jYYbhvpoQVyiweI= 192.168.1.250 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMUVrBrOlUQamGWS9qO9mOTbzSW3L1VGhrgpBp6pNf/ekAmWRrxJ0bdEKjHI+YlDt7nNjffjsVlLUwtPtQI0nTI= vuduo2,172.16.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCRLsnDtDLuNBN8X8rmCNdrrIYCWfK7DrI/bPQAbSroCuwdHRLztd5doWJyVy6XjuJ2cVaal5xR11hit5qz0TQHhhXJbkViivRSDUuFKVZQajGmUjxMdE0vChqIn3ObIhtkf5ESTvxnroETMUQXzPe30EzO8tGlbV6cGrv80rhp9l1eWUt1pOzYe6pNEPVZiavJYD/rNWd/1xTqx8TCC3yeaWKFINAvo+C5wshKv31r7k9KXlliLMdbvBwkalbk8CK+AwJQsAapklVfQ4u/H0xpXUYlQU4c4kmjq2PTM8i6pLBtCRtfY2GUEu4OvjcHUl/WK1uICVWDPr7O7HLbtvVR 
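Review bot: The added `gitea.mewissen.site,192.168.1.240` entry carries byte-for-byte the same ECDSA key as the `gitlab.social.my-wan.de,192.168.1.240` line above it, so it pins the Gitea name to the old GitLab host key instead of one collected from the Gitea server. If Gitea is a separate machine (hosts.yml in this commit maps the name to 192.168.1.238), every clone with strict host-key checking will fail with a key mismatch; if it is the same machine, the `,192.168.1.240` address part disagrees with /etc/hosts. Replace the copied line with the output of `ssh-keyscan -t ecdsa,ed25519 gitea.mewissen.site`, and consider recording the ed25519 key as the 139.162.139.175 entry already does, since the file otherwise trusts ECDSA only.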
@@ -18,6 +19,7 @@ tuxedo-book-xp1511,192.168.1.220 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHA [91.39.133.154]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAcQ5x6vbWfPZ3BjPqGl0AH+CebvI8kuPwPxXkmL47gnQEgd8oPcSbMBSIvjfzMGXREBRU81p+5g9JokETKP4Fo= raspberrypi,172.16.0.100 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFsPOLPHU1pAapm6ljdg178ZqnANuSkdAa7PE22DksNQ9VVrvxY5h054pyaviDb2XxsHwYbAL0fP+4I2Slq4wGc= [gitlab.social.my-wan.de]:22422 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMDiTJj4mw6nPZTk3W/Y7h6qHhYH/CCX90rR7wd7CbwFeddW6vgK9lqk64bqOdfD7Fgh1qvZXMSYEiDLYkx4iMw= +[gitea.mewissen.site]:22422 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMDiTJj4mw6nPZTk3W/Y7h6qHhYH/CCX90rR7wd7CbwFeddW6vgK9lqk64bqOdfD7Fgh1qvZXMSYEiDLYkx4iMw= debian-test,192.168.1.216 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHFoAceudj8VLkAAkBUS0A9g2yJRyVaTSqeLWo09aXFEwxf1L73qIoLJZhg15kKBB6bu/EKjyDHvO8mczbr92a8= 139.162.139.175 ssh-rsa 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 139.162.139.175 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+/wgiRWZnX4IjJmBOYEhSRkJ1DHsbwKUVx6eNNuIZy diff --git a/roles/base/files/users/sudoers_wheel b/roles/base/files/users/sudoers_wheel new file mode 100644 index 0000000..188cf57 --- /dev/null +++ b/roles/base/files/users/sudoers_wheel @@ -0,0 +1 @@ +%wheel ALL=(ALL) ALL \ No newline at end of file diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 51d37c9..9f88602 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -11,7 +11,7 @@ - include_tasks: system_setup/hosts.yml - import_tasks: system_setup/clock.yml - import_tasks: system_setup/locale.yml - - include_tasks: system-setup/wireguard.yml + - include_tasks: system_setup/wireguard.yml when: - wireguard is defined - wireguard == true 
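Review bot: The `[gitea.mewissen.site]:22422` entry is byte-identical to the `[gitlab.social.my-wan.de]:22422` key above it, so it pins the new name to the old host's key rather than to one obtained from Gitea; if the Gitea host generated its own keys, the `git clone` tasks in users/all.yml and users/root.yml will fail host-key verification on every managed host. Replace it with the output of `ssh-keyscan -p 22422 -t ecdsa,ed25519 gitea.mewissen.site`, and remove the old GitLab entries once the migration is complete so a retired host's key does not linger as trusted.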
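Review bot: `sudoers_wheel` is committed without a trailing newline (`\ No newline at end of file`); some sudo versions report a syntax error for a sudoers fragment whose last line is unterminated, and a rejected file under /etc/sudoers.d disables sudo for every account on the host. Add the newline before this ships through ansible-pull. `%wheel ALL=(ALL) ALL` only allows switching the run-as user; `%wheel ALL=(ALL:ALL) ALL` is the conventional form if `sudo -g` should also work, otherwise the current rule is fine.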
diff --git a/roles/base/tasks/software/packages_utilities.yml b/roles/base/tasks/software/packages_utilities.yml index 1b25903..acca0df 100644 --- a/roles/base/tasks/software/packages_utilities.yml +++ b/roles/base/tasks/software/packages_utilities.yml @@ -13,16 +13,16 @@ - neofetch - net-tools - "{{ nfs_client_package }}" - - python3-netaddr + - "{{ python_netaddr_package }}" - ranger + - sudo - rsync - tmux - traceroute - vifm - "{{ vim_package }}" - - vim-python-jedi + - "{{ vim_python_jedi_package }}" - wget - - unattended-upgrades - name: system setup | utilities | install cloud-init and gemu guest agent tags: packages,system,system setup @@ -64,4 +64,5 @@ - htop - exa - dnsutils + - unattended-upgrades when: ansible_distribution == "Debian" \ No newline at end of file diff --git a/roles/base/tasks/system_setup/hosts.yml b/roles/base/tasks/system_setup/hosts.yml index 0b808f6..eaca382 100644 --- a/roles/base/tasks/system_setup/hosts.yml +++ b/roles/base/tasks/system_setup/hosts.yml @@ -6,7 +6,8 @@ owner: 'root' group: 'root' loop: - - { ip: '192.168.1.240', fqdn: 'gitlab.social.my-wan.de coruscant.universe.local'} + - { ip: '192.168.1.240', fqdn: 'coruscant.universe.local'} + - { ip: '192.168.1.238', fqdn: 'gitea.mewissen.site'} when: - set_hosts is defined - set_hosts == true \ No newline at end of file diff --git a/roles/base/tasks/system_setup/locale.yml b/roles/base/tasks/system_setup/locale.yml index 81d3c67..570eb18 100644 --- a/roles/base/tasks/system_setup/locale.yml +++ b/roles/base/tasks/system_setup/locale.yml @@ -4,6 +4,7 @@ name: - locales-all state: latest + when: ansible_distribution == 'Debian' - name: system setup | locale | add de_DE tags: locale,system,setup diff --git a/roles/base/tasks/system_setup/openssh.yml b/roles/base/tasks/system_setup/openssh.yml index 5241d8a..e4d0e38 100644 --- a/roles/base/tasks/system_setup/openssh.yml +++ b/roles/base/tasks/system_setup/openssh.yml 
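Review bot: The new /etc/hosts pin maps `gitea.mewissen.site` to 192.168.1.238, while the known_hosts file in this same commit records `gitea.mewissen.site,192.168.1.240` with coruscant's old GitLab key; one of the two is stale, and because `set_hosts` makes every managed host resolve the name locally, DNS will not correct it. If Gitea is a separate box at .238 the known_hosts address and key must change; if it still runs on coruscant at .240, this entry should instead be `{ ip: '192.168.1.240', fqdn: 'coruscant.universe.local gitea.mewissen.site'}`. A comment on the loop such as `# IPs here must match files/users/known_hosts` would make the coupling visible to the next editor.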
@@ -12,6 +12,19 @@ enabled: yes state: started +- name: system setup | openssh | create config dir + file: + path: "/etc/ssh/sshd_config.d" + state: directory + +- name: system setup | openssh | include sshd config dir in configuration + lineinfile: + path: "/etc/ssh/sshd_config" + line: "Include /etc/ssh/sshd_config.d/*.conf" + state: present + insertbefore: "^#?Port.*$" + notify: restart_sshd + - name: system setup | openssh | copy sshd custom config tags: openssh,ssh,system,settings copy: diff --git a/roles/base/tasks/users/all.yml b/roles/base/tasks/users/all.yml index f705366..bd98d38 100644 --- a/roles/base/tasks/users/all.yml +++ b/roles/base/tasks/users/all.yml @@ -44,7 +44,7 @@ path: "{{ getent_passwd[user][4] }}/.ssh/config" state: present block: | - Host gitlab.social.my-wan.de + Host gitea.mewissen.site IdentityFile ~/.ssh/gitlab_read_ed25519 IdentitiesOnly Yes create: True @@ -64,7 +64,7 @@ force: yes with_items: - { repo: 'https://github.com/romkatv/powerlevel10k.git', dir: 'powerlevel10k' } - - { repo: 'ssh://git@gitlab.social.my-wan.de:22422/rene/dotfiles.git', dir: 'dotfiles' } + - { repo: 'ssh://git@gitea.mewissen.site:22422/rene/dotfiles.git', dir: 'dotfiles' } ignore_errors: yes - name: users | {{ user }} | link dotfiles 
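Review bot: The `lineinfile` adding `Include /etc/ssh/sshd_config.d/*.conf` falls back to appending at end of file when no `^#?Port` line exists, and a directive appended after a `Match` block becomes part of that block, so the include would then apply only conditionally (or be rejected by an older sshd). Anchor it with `insertbefore: BOF` and add `validate: '/usr/sbin/sshd -t -f %s'` so a bad edit cannot leave sshd unable to restart on the next pull; `Include` needs OpenSSH 8.2+, and Debian's stock sshd_config already carries this exact line, so the task is a no-op there. The `file` task that creates /etc/ssh/sshd_config.d should set `owner: root`, `group: root`, `mode: '0755'` explicitly rather than inheriting the umask, since anything writable in that directory becomes sshd configuration. The copy task that follows starts in this hunk but its body is outside it.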
@@ -83,8 +83,27 @@ - { src: 'tmux/tmux.conf', dest: '.tmux.conf' } ignore_errors: yes +- name: users | {{ user }} | create bash_profile + lineinfile: + path: "{{ getent_passwd[user][4] }}/.bash_profile" + state: present + line: "[ -f ~/.bashrc ] && . ~/.bashrc" + create: True + mode: "0644" + owner: "{{ user }}" + group: "{{ user }}" + - name: users | {{ user }} | call dotfile install script become: yes become_user: '{{ user }}' shell: "POWERLINE=n BASHIT=y ZSHCUSTOM=n {{ getent_passwd[user][4] }}/dotfiles/install.sh" - ignore_errors: yes \ No newline at end of file + ignore_errors: yes + +- name: users | all | add sudoers file + copy: + src: users/sudoers_wheel + dest: /etc/sudoers.d/wheel + owner: root + group: root + mode: 0440 + when: sudo_group == "wheel" \ No newline at end of file diff --git a/roles/base/tasks/users/rene.yml b/roles/base/tasks/users/rene.yml index 200629e..1734e94 100644 --- a/roles/base/tasks/users/rene.yml +++ b/roles/base/tasks/users/rene.yml @@ -4,7 +4,7 @@ user: name: rene shell: "/usr/bin/zsh" - groups: "sudo" + groups: "{{ sudo_group }}" append: True password: "{{ rene_pass | password_hash('sha256') }}" @@ -51,7 +51,7 @@ # dest: '/home/rene/{{ item.dir }}' # key_file: '/home/rene/.ssh/gitlab_read_ed25519' # with_items: -# - {repo: 'ssh://git@gitlab.social.my-wan.de:22422/rene/dotfiles.git', dir: 'dotfiles'} +# - {repo: 'ssh://git@gitea.mewissen.site:22422/rene/dotfiles.git', dir: 'dotfiles'} # - {repo: 'https://github.com/romkatv/powerlevel10k.git', dir: 'powerlevel10k'} # - name: users | rene | link dotfiles diff --git a/roles/base/tasks/users/root.yml b/roles/base/tasks/users/root.yml index acebb3c..eba7330 100644 --- a/roles/base/tasks/users/root.yml +++ b/roles/base/tasks/users/root.yml 
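Review bot: The `add sudoers file` task copies `users/sudoers_wheel` into /etc/sudoers.d without `validate`; a syntax error in that fragment (the source file has no trailing newline) breaks sudo for every account on the host, and the ansible-pull cron then has no privileged path left to repair it. Add `validate: '/usr/sbin/visudo -cf %s'` to the copy. The `when: sudo_group == "wheel"` guard means Debian hosts (sudo_group `sudo`) never get a file here, which looks intentional since Debian's /etc/sudoers already grants `%sudo`; a comment such as `# Debian grants %sudo in /etc/sudoers; only the wheel-based distros need an explicit rule` would save the next reader the lookup.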
@@ -64,7 +64,7 @@ - name: users | root | clone root_bins git: - repo: 'ssh://git@gitlab.social.my-wan.de:22422/rene/root-bin.git' + repo: 'ssh://git@gitea.mewissen.site:22422/rene/root-bin.git' dest: "{{ root_home }}/bin" key_file: '/root/.ssh/gitlab_read_ed25519' ignore_errors: True diff --git a/roles/base/templates/provision.sh.j2 b/roles/base/templates/provision.sh.j2 index b804fdc..6bfaa25 100644 --- a/roles/base/templates/provision.sh.j2 +++ b/roles/base/templates/provision.sh.j2 @@ -5,7 +5,7 @@ ANSIBLEUSER="ansible" BRANCH="{{ branch | default('master') }}" LOGFILE="/var/log/ansible.log" -REPO="https://gitlab.social.my-wan.de/rene/ansible-pull.git" +REPO="https://gitea.mewissen.site/rene/ansible-pull.git" VAULT_KEY="" PRECMD="sudo systemd-inhibit --who='ansible-pull' --why='provisioning'" diff --git a/roles/base/vars/Archlinux.yml b/roles/base/vars/Archlinux.yml index 5576989..978689f 100644 --- a/roles/base/vars/Archlinux.yml +++ b/roles/base/vars/Archlinux.yml @@ -13,8 +13,12 @@ python_pip_package: python-pip python_psutil_package: python-psutil python_pyflakes_package: python-pyflakes python_virtualenv_package: python-virtualenv +python_netaddr_package: python-netaddr +vim_python_jedi_package: vim-jedi rename_package: perl-rename ruby_rake_package: ruby-rake sftp_path: /usr/lib/ssh/sftp-server sudo_group: wheel -vim_package: gvim +vim_package: vim + +sudo_group: wheel \ No newline at end of file diff --git a/roles/base/vars/Debian.yml b/roles/base/vars/Debian.yml index 38c7297..38685e5 100644 --- a/roles/base/vars/Debian.yml +++ b/roles/base/vars/Debian.yml 
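Review bot: The appended `sudo_group: wheel` duplicates the `sudo_group: wheel` key still present a few lines above (visible as context in this hunk), so roles/base/vars/Archlinux.yml now defines the same key twice; Ansible's loader warns on duplicate mapping keys and takes the last value, and yamllint or any strict parser rejects the file. Drop the appended line, keep the original, and restore the trailing newline. `vim_package: gvim` → `vim` is a behaviour change for Arch hosts (no X/clipboard build) and deserves a mention in the commit message if it was deliberate.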
@@ -13,9 +13,12 @@ python_pip_package: python3-pip python_psutil_package: python-psutil python_pyflakes_package: python3-pyflakes python_virtualenv_package: python3-virtualenv +python_netaddr_package: python3-netaddr +vim_python_jedi_package: vim-python-jedi rename_package: rename ruby_rake_package: rake sftp_path: /usr/lib/openssh/sftp-server sudo_group: sudo vim_package: vim +sudo_group: sudo \ No newline at end of file diff --git a/roles/docker/tasks/install_docker.yml b/roles/docker/tasks/install_docker.yml index c60f20b..ce2a809 100644 --- a/roles/docker/tasks/install_docker.yml +++ b/roles/docker/tasks/install_docker.yml @@ -8,6 +8,7 @@ - name: docker | install docker | execute convenience script shell: cmd: "/tmp/get-docker.sh" + creates: /usr/bin/docker - name: docker | install docker | cleanup file: diff --git a/roles/mailserver/tasks/configure_postfix.yml b/roles/mailserver/tasks/configure_postfix.yml new file mode 100644 index 0000000..04d3e82 --- /dev/null +++ b/roles/mailserver/tasks/configure_postfix.yml 
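Review bot: The appended `sudo_group: sudo` duplicates the `sudo_group: sudo` key two lines above in roles/base/vars/Debian.yml; remove the added copy and keep a trailing newline. Duplicate mapping keys are only a warning in Ansible (last one wins) but a hard error for yamllint and strict YAML parsers, so the file will trip any linting added later.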
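Review bot: `creates: /usr/bin/docker` makes the convenience-script step idempotent, but the script is still executed from /tmp, presumably as root since it installs packages; /tmp is world-writable, so any local user can race the download task and swap /tmp/get-docker.sh between the fetch and this `shell` step. Stage it under a root-only path (e.g. `/root/get-docker.sh`, or a `tempfile` result with mode 0700) and, since the content comes from get.docker.com, consider pinning it with `checksum:` on the download task. The download and cleanup tasks are outside this hunk, so the path handling there should be checked together with this change.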
@@ -0,0 +1,75 @@ +- name: mailserver | postfix | configuration + shell: + cmd: "postconf {{item.key}}={{item.value}}" + loop: + - {key: "address_verify_map", value: "btree:/usr/lib/postfix/bin/verify"} + - {key: "alias_database", value: "hash:/etc/mail/aliases"} + - {key: "alias_maps", value: "hash:/etc/mail/aliases"} + - {key: "biff", value: "no"} + - {key: "broken_sasl_auth_clients", value: "yes"} + - {key: "compatibility_level", value: "2"} + - {key: "debugger_command", value: "'PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5'"} + - {key: "default_destination_concurrency_limit", value: "2"} + - {key: "dovecot_destination_recipient_limit", value: "1"} + - {key: "header_checks", value: "regexp:/etc/postfix/header_checks"} + - {key: "inet_protocols", value: "'ipv4, ipv6'"} + - {key: "mailbox_size_limit", value: "0"} + - {key: "mailbox_transport", value: "dovecot"} + - {key: "maillog_file", value: "/var/log/postfix.log"} + - {key: "message_size_limit", value: "0"} + - {key: "milter_default_action", value: "accept"} + - {key: "mydestination", value: "'localhost, kashyyyk, coruscant'"} + - {key: "myhostname", value: "kashyyyk.universe.local"} + - {key: "mynetworks", value: "'{{ mynetworks }}'"} + - {key: "mynetworks_style", value: "subnet"} + - {key: "readme_directory", value: "no"} + - {key: "recipient_canonical_maps", value: "hash:/etc/postfix/recipient-canonical"} + - {key: "recipient_delimiter", value: "+"} + - {key: "sender_canonical_maps", value: "hash:/etc/postfix/sender-canonical"} + - {key: "sender_dependent_relayhost_maps", value: "hash:/etc/postfix/sender_dependent_relayhost_map"} + - {key: "smtp_sasl_auth_enable", value: "yes"} + - {key: "smtp_sasl_mechanism_filter", value: "'!gssapi, !external, static:all'"} + - {key: "smtp_sasl_password_maps", value: "hash:/etc/postfix/saslpass"} + - {key: "smtp_sasl_security_options", value: "noanonymous"} + - {key: "smtp_sender_dependent_authentication", value: 
"yes"} + - {key: "smtp_tls_CApath", value: "/etc/ssl/certs"} + - {key: "smtp_tls_loglevel", value: "1"} + - {key: "smtp_tls_policy_maps", value: "hash:/etc/postfix/smtp_tls_policy"} + - {key: "smtp_tls_security_level", value: "may"} + - {key: "smtp_tls_session_cache_database", value: "btree:/var/lib/postfix/smtp_scache"} + - {key: "smtpd_data_restrictions", value: "reject_unauth_pipelining"} + - {key: "smtpd_etrn_restrictions", value: "'permit_mynetworks, reject'"} + - {key: "smtpd_helo_required", value: "yes"} + - {key: "smtpd_helo_restrictions", value: "'permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname'"} + - {key: "smtpd_recipient_restrictions", value: "'permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/client_access, reject_non_fqdn_recipient, check_sender_access hash:/etc/postfix/sender_restrictions, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unverified_recipient, reject_unauth_destination,'"} + - {key: "smtpd_relay_restrictions", value: "permit_sasl_authenticated"} + - {key: "smtpd_sasl_auth_enable", value: "yes"} + - {key: "smtpd_sasl_path", value: "/var/run/dovecot/auth-client"} + - {key: "smtpd_sasl_security_options", value: "noanonymous,noplaintext"} + - {key: "smtpd_sasl_tls_security_options", value: "noanonymous"} + - {key: "smtpd_sasl_type", value: "dovecot"} + - {key: "smtpd_sender_restrictions", value: "'hash:/etc/postfix/access, permit_mynetworks, reject_non_fqdn_sender, check_sender_access hash:/etc/postfix/sender_access'"} + - {key: "smtpd_tls_auth_only", value: "yes"} + - {key: "smtpd_tls_cert_file", value: "/etc/letsencrypt/live/tantooine.myfirewall.org/fullchain.pem"} + - {key: "smtpd_tls_dh1024_param_file", value: "${config_directory}/dh2048.pem"} + - {key: "smtpd_tls_dh512_param_file", value: "${config_directory}/dh512.pem"} + - {key: "smtpd_tls_eecdh_grade", value: "strong"} + - {key: "smtpd_tls_exclude_ciphers", value: 
"'aNULL,MD5,RC4,DES,IDEA,SEED,3DES'"} + - {key: "smtpd_tls_key_file", value: "/etc/letsencrypt/live/tantooine.myfirewall.org/privkey.pem"} + - {key: "smtpd_tls_loglevel", value: "1"} + - {key: "smtpd_tls_mandatory_ciphers", value: "high"} + - {key: "smtpd_tls_mandatory_exclude_ciphers", value: "'aNULL,MD5,RC4,IDEA,SEED,3DES'"} + - {key: "smtpd_tls_security_level", value: "may"} + - {key: "smtpd_tls_session_cache_database", value: "btree:${data_directory}/smtpd_scache"} + - {key: "tls_high_cipherlist", value: "'EECDH+RSA+AES256+SHA384:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!IDEA'"} + - {key: "tls_preempt_cipherlist", value: "yes"} + - {key: "tls_ssl_options", value: "NO_COMPRESSION"} + - {key: "transport_maps", value: "hash:/etc/postfix/transport"} + - {key: "virtual_alias_maps", value: "hash:/etc/postfix/virtual"} + - {key: "virtual_gid_maps", value: "static:vmail"} + - {key: "virtual_mailbox_base", value: "/home/vmail"} + - {key: "virtual_mailbox_domains", value: "'$myhostname, $mydomain, imap.$mydomain, tantooine.homelinux.net, gallery-mewi1503.myphotos.cc, tantooine.myfirewall.org, tatooine.noip.me, mastodon.spdns.org, hubzilla.social.my-wan.de, friendica.social.my-wan.de, peertube.social.my-wan.de, pixelfed.social.my-wan.de'"} + - {key: "virtual_mailbox_maps", value: "hash:/etc/postfix/vmailbox"} + - {key: "virtual_transport", value: "lmtp:unix:private/dovecot-lmtp"} + - {key: "virtual_uid_maps", value: "static:vmail"} + \ No newline at end of file diff --git a/roles/mailserver/tasks/install_dovecot.yml b/roles/mailserver/tasks/install_dovecot.yml new file mode 100644 index 0000000..c66a99f --- /dev/null +++ b/roles/mailserver/tasks/install_dovecot.yml @@ -0,0 +1,6 @@ +- name: mailserver | dovecot | install packages + package: + name: + - dovecot + - pigeonhole + state: present \ No newline at end of file 
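Review bot: `smtpd_relay_restrictions` is reduced to `permit_sasl_authenticated` with no `reject_unauth_destination` terminator, so relay protection rests entirely on the `reject_unauth_destination` at the tail of `smtpd_recipient_restrictions`, which sits behind `check_client_access` and `check_sender_access` lookups — an `OK` for any client or (trivially spoofed) envelope sender in those maps ends evaluation early and makes the host an open relay for that sender. Restore the terminator, `smtpd_relay_restrictions: 'permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'`, and keep the access-map lookups after `reject_unauth_destination` in the recipient list (or have those maps return only DUNNO/REJECT). `message_size_limit: 0` removes the size cap altogether, which combined with the broad `mynetworks` is a cheap queue/disk exhaustion vector; a bound such as `52428800` is usual. The `shell: postconf {{item.key}}={{item.value}}` loop interpolates host vars into a shell line, reports changed on every run, and never reloads Postfix — `command:` with `argv:` plus a `notify: reload postfix` handler fixes all three. The hard-coded `myhostname: kashyyyk.universe.local` and the tantooine.myfirewall.org certificate paths are applied verbatim to every host the role runs on, so they should become host vars.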
diff --git a/roles/mailserver/tasks/install_fetchmail.yml b/roles/mailserver/tasks/install_fetchmail.yml new file mode 100644 index 0000000..55c4e6f --- /dev/null +++ b/roles/mailserver/tasks/install_fetchmail.yml @@ -0,0 +1,4 @@ +- name: mailserver | fetchmail | install packages + package: + name: fetchmail + state: present \ No newline at end of file diff --git a/roles/mailserver/tasks/install_postfix.yml b/roles/mailserver/tasks/install_postfix.yml new file mode 100644 index 0000000..a2d9988 --- /dev/null +++ b/roles/mailserver/tasks/install_postfix.yml @@ -0,0 +1,9 @@ +- name: mailserver | postfix | install packages + package: + name: + - postfix + - postfix-ldap + - postfix-mysql + - postfix-sqlite + - postgrey + state: present \ No newline at end of file diff --git a/roles/mailserver/tasks/main.yml b/roles/mailserver/tasks/main.yml new file mode 100644 index 0000000..73d85eb --- /dev/null +++ b/roles/mailserver/tasks/main.yml @@ -0,0 +1,22 @@ +# Load distro-specific variables +- include_vars: "{{ ansible_distribution }}.yml" + tags: always + +- block: + - block: + - include_tasks: install_postfix.yml + - include_tasks: configure_postfix.yml + when: postfix == true + + - block: + - include_tasks: install_dovecot.yml + - include_tasks: configure_dovecot.yml + when: dovecot == true + + - block: + - include_tasks: install_fetchmail.yml + - include_tasks: configure_fetchmail.yml + when: fetchmail == true + + rescue: + - set_fact: task_failed=true \ No newline at end of file diff --git a/roles/mailserver/vars/Archlinux.yml b/roles/mailserver/vars/Archlinux.yml new file mode 100644 index 0000000..e69de29 diff --git a/roles/mastodon/tasks/system_setup/letsencrypt.yml b/roles/mastodon/tasks/system_setup/letsencrypt.yml index c98536f..933124f 100644 --- a/roles/mastodon/tasks/system_setup/letsencrypt.yml +++ b/roles/mastodon/tasks/system_setup/letsencrypt.yml 
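Review bot: The `when: postfix == true` / `dovecot == true` / `fetchmail == true` guards raise an undefined-variable error on any [mailserver] host that does not define them, and the inventory in this commit adds `mailcow` and keeps `mail.mewissen.site` and `coruscant.universe.local` in that group with no such vars in their visible host_vars; because the whole thing sits in a block with `rescue: set_fact task_failed=true`, the failure is swallowed and the play reports success. Use `when: postfix | default(false) | bool` (likewise for the other two), and either drop the rescue or end it with a `fail:`/`debug:` so a broken postconf or missing include is visible in the log. `configure_dovecot.yml` and `configure_fetchmail.yml` are included here but are not part of this diff; if they do not exist yet, the include fails and is hidden the same way.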
@@ -29,5 +29,5 @@ name: "letsencrypt renew" minute: "15" hour: "0" - job: "certbot renew && service nginx reload" + job: "certbot renew" diff --git a/roles/server/tasks/system_setup/sshd.yml b/roles/server/tasks/system_setup/sshd.yml new file mode 100644 index 0000000..6d702cf --- /dev/null +++ b/roles/server/tasks/system_setup/sshd.yml @@ -0,0 +1,10 @@ +- name: server | sshd | install + package: + name: "{{ openssh_server_package }}" + state: latest + +- name: server | sshd | start + service: + name: sshd + state: started + enabled: True \ No newline at end of file diff --git a/roles/server/vars/Archlinux.yml b/roles/server/vars/Archlinux.yml index 9b6ba48..b43f913 100644 --- a/roles/server/vars/Archlinux.yml +++ b/roles/server/vars/Archlinux.yml @@ -2,6 +2,7 @@ mta_package: msmtp-mta snmpd_package: net-snmp snmpd_user_file: "/var/net-snmp/snmpd.conf" wireguard_package: wireguard-tools +openssh_server_package: openssh glusterfs_packages: - package: glusterfs \ No newline at end of file diff --git a/roles/server/vars/Debian.yml b/roles/server/vars/Debian.yml index 07ea0a6..3b6cb19 100644 --- a/roles/server/vars/Debian.yml +++ b/roles/server/vars/Debian.yml @@ -2,6 +2,7 @@ mta_package: ssmtp snmpd_package: snmpd snmpd_user_file: "/var/lib/snmp/snmpd.conf" wireguard_package: wireguard +openssh_server_package: openssh-server glusterfs_packages: - package: glusterfs-common diff --git a/roles/webserver/tasks/install_php.yml b/roles/webserver/tasks/install_php.yml new file mode 100644 index 0000000..d7fe13c --- /dev/null +++ b/roles/webserver/tasks/install_php.yml @@ -0,0 +1,6 @@ +- name: webserver | apache | installing php + package: + name: + - php + - php-mysqli + state: latest diff --git a/roles/webserver/tasks/main.yml b/roles/webserver/tasks/main.yml index 73c33a5..239d87e 100644 --- a/roles/webserver/tasks/main.yml +++ b/roles/webserver/tasks/main.yml 
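Review bot: Dropping `&& service nginx reload` from the renewal cron means a renewed certificate is written under /etc/letsencrypt but nginx keeps serving the old one from memory until something else restarts it; unless a deploy hook exists under /etc/letsencrypt/renewal-hooks/deploy (not visible in this diff), the site will eventually present an expired certificate. Keep a reload tied to renewal with `job: "certbot renew --deploy-hook 'systemctl reload nginx'"`, which only reloads when a certificate actually changed and so avoids the unconditional reload the old line did.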
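Review bot: In the new sshd.yml, `name: sshd` for the service relies on Debian's `ssh.service` being reachable through its `sshd.service` alias, which only exists once the unit is enabled; the package normally enables it on install, so this likely works, but templating the unit name per distro next to `openssh_server_package` (e.g. `openssh_service: ssh` on Debian) removes the dependency. `state: latest` also upgrades openssh-server on every pull run, and with a five-minute cron that means an sshd restart at arbitrary times; `state: present` plus unattended-upgrades (already enabled in this commit for Debian) is the more controlled path.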
@@ -14,6 +14,7 @@ when: - nginx is defined - nginx == true + - import_tasks: install_php.yml - name: webserver | certbot | install certbot package: name: certbot diff --git a/roles/webserver/vars/nextcloud.yml b/roles/webserver/vars/nextcloud.yml index 922e1a5..40dd664 100644 --- a/roles/webserver/vars/nextcloud.yml +++ b/roles/webserver/vars/nextcloud.yml @@ -1,26 +1,25 @@ $ANSIBLE_VAULT;1.1;AES256 -37353535366162623439373564306434376564326462326139323131333664663937313634313665 -6564393039653231663433646630646462306266666435310a303632646636356139656561323933 -63376565643266313563393135363033383234323031626465346335393762306139613261663664 -3339393161666262340a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a393330386366646337326164373630 +32656237343062323836643234396435313636623735663166663766636166393830313336343065 +3333643038333839360a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
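Review bot: `import_tasks: install_php.yml` is added unconditionally, so PHP (with `state: latest`) lands on every [webserver] host regardless of the `apache`/`nginx` purpose flags that gate the surrounding tasks; hosts that only serve static content or a reverse proxy gain an interpreter and its attack surface for nothing. Gate it the same way, e.g. `when: php | default(false) | bool`, with a matching host var. `php-mysqli` also does not look like a real package name on either supported distro — Debian ships `php-mysql` and Arch builds mysqli into `php` — so the task will probably fail on first run; confirm against the package repositories.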