Merge branch 'master' of ssh://gitea.mewissen.site:22422/rene/ansible-pull

2022-11-19 13:04:44 +01:00
parent 9e61ed5e91 7deb01af83
commit 80f658e634
36 changed files with 320 additions and 51 deletions
--- a/group_vars/all
+++ b/group_vars/all
@@ -1,2 +1,4 @@
 snmpd_conf: /etc/snmp/snmpd.conf
 sudo: /usr/bin/sudo
 gitserver: gitea.mewissen.site
--- a/host_vars/coruscant.universe.local.yml
+++ b/host_vars/coruscant.universe.local.yml
@@ -13,7 +13,7 @@ microcode_intel_install: true
 # purpose selection
 database: true
 mysql: true
-postgresql: false
+postgres: false
 dhcpserver: true
 fileserver: true
 mailserver: true
--- a/host_vars/mail.universe.local.yml
+++ b/host_vars/mail.universe.local.yml
@@ -0,0 +1,8 @@
 postfix: true
 postgrey: true
 dovecot: true
 pigeonhole: true
 fetchmail: true
 mpop: true
 mynetworks: '192.168.1.0/24, 127.0.0.0/8, 192.168.122.0/24, 10.20.20.0/28, 172.16.0.0/12, 192.168.3.0/24'
--- a/host_vars/mailcow.yml
+++ b/host_vars/mailcow.yml
@@ -0,0 +1,17 @@
 ---
 branch: master
 #ansible_cron_minute: "40"
 #ssh_port: 22
 #ssh_users: "user1 user2"
 copy_ssh_priv_keys: false
 # platform-specific
 linode_instance: false
 microcode_amd_install: false
 microcode_intel_install: false
 proxmox_instance: false
 raspberry_pi: false
 # server
 unattended_upgrades: true
--- a/host_vars/mariadb01
+++ b/host_vars/mariadb01
@@ -0,0 +1,42 @@
 ---
 branch: master
 ansible_cron_minute: "*/5"
 ssh_port: 22
 ssh_users: "root rene"
 # platform-specific
 microcode_amd_install: false
 microcode_intel_install: true
 # purpose selection
 database: true
 mysql: true
 postgres: false
 redis: false
 dhcpserver: false
 fileserver: false
 mailserver: false
 nameserver: false
 printspooler: false
 proxyserver: false
 squid: false
 tinyproxy: false
 webserver: false
 apache: false
 nginx: false
 # application selection
 borgbackup: false
 broot: false
 docker: false
 pacaur: false
 paru: false
 ranger: false
 syncthing: false
 vifm: false
 yay: false
 # shell selection
 zsh: true
--- a/host_vars/mariadb02
+++ b/host_vars/mariadb02
@@ -0,0 +1 @@
 mariadb01
--- a/host_vars/mariadb03
+++ b/host_vars/mariadb03
@@ -0,0 +1 @@
 mariadb01
--- a/18
+++ b/18
@@ -11,6 +11,8 @@ Samba-AD-DC
 librenms
 grafana
 backup
 haproxy01
 haproxy02
 [server:children]
 cluster
@@ -18,6 +20,7 @@ database
 dhcpserver
 docker
 fileserver
 icinga
 jitsimeet
 mailserver
 mastodon
@@ -28,6 +31,9 @@ webserver
 [database]
 coruscant.universe.local
 mariadb01
 mariadb02
 mariadb03
 [development]
 endor.universe.local
@@ -44,18 +50,30 @@ docker02
 [fileserver]
 coruscant.universe.local
 samba-ad-dc
 [glustertest]
 glustertest01
 glustertest02
 glustertest03
 [icinga_master]
 icinga
 [icinga_satellite]
 [icinga:children]
 icinga_master
 icinga_satellite
 [jitsimeet]
 mewimeet.de jitsi_fqdn=mewimeet.de
 [mailserver]
 coruscant.universe.local
 mail.mewissen.site
 mailcow
 mail.universe.local
 [mastodon]
 mewitoot.de
--- a/local.yml
+++ b/local.yml
@@ -56,17 +56,17 @@
  roles:
    - webserver
-# - hosts: mailserver
+- hosts: mailserver
-#   tags: server,mailserver
+  tags: server,mailserver
-#   become: true
+  become: true
-#   roles:
+  roles:
-#     - mailserver
+    - mailserver
-# - hosts: database
+- hosts: database
-#   tags: server,database
+  tags: server,database
-#   become: true
+  become: true
-#   roles:
+  roles:
-#     - database
+    - database
 # - hosts: dhcpserver
 #   tags: server,dhcpserver
--- a/roles/base/files/users/known_hosts
+++ b/roles/base/files/users/known_hosts
@@ -3,6 +3,7 @@
 |1|+ebqSRFuT6ZpVb032ycgNFK9aYk=|GG8wNwMN/MonLjYeRqZNVzr4/l8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMj+ZCAgXVg4OhxpQHLDFanvm7/QP9qRA1zGIAy+1jK7/OTAu3pb6/C1wXufZMn4V1YEbzkeAh8RJeJXmprhdn4=
 |1|Nxpoqfn5XUKOUkUPrDsac1U2jx8=|bePErvLRXOGc2nM7s8bphY4QL3E= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMj+ZCAgXVg4OhxpQHLDFanvm7/QP9qRA1zGIAy+1jK7/OTAu3pb6/C1wXufZMn4V1YEbzkeAh8RJeJXmprhdn4=
 gitlab.social.my-wan.de,192.168.1.240 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDNCQnHHKtHukjysSlErXQOlBPP1oalb9+wWaS6O+k+RMtnx9iZE02fgVUHuwYI3S7P8UNP12tQxFlXuuFqCQ0w=
 gitea.mewissen.site,192.168.1.240 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDNCQnHHKtHukjysSlErXQOlBPP1oalb9+wWaS6O+k+RMtnx9iZE02fgVUHuwYI3S7P8UNP12tQxFlXuuFqCQ0w=
 diskstation,192.168.1.234 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBbDuuwpYg92O+O3ZVYyctZ5szXfE7GRUW4rDZjlEYTf2q8ieE2vezHo/sl2wZW1jCSevER2jYYbhvpoQVyiweI=
 192.168.1.250 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMUVrBrOlUQamGWS9qO9mOTbzSW3L1VGhrgpBp6pNf/ekAmWRrxJ0bdEKjHI+YlDt7nNjffjsVlLUwtPtQI0nTI=
 vuduo2,172.16.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCRLsnDtDLuNBN8X8rmCNdrrIYCWfK7DrI/bPQAbSroCuwdHRLztd5doWJyVy6XjuJ2cVaal5xR11hit5qz0TQHhhXJbkViivRSDUuFKVZQajGmUjxMdE0vChqIn3ObIhtkf5ESTvxnroETMUQXzPe30EzO8tGlbV6cGrv80rhp9l1eWUt1pOzYe6pNEPVZiavJYD/rNWd/1xTqx8TCC3yeaWKFINAvo+C5wshKv31r7k9KXlliLMdbvBwkalbk8CK+AwJQsAapklVfQ4u/H0xpXUYlQU4c4kmjq2PTM8i6pLBtCRtfY2GUEu4OvjcHUl/WK1uICVWDPr7O7HLbtvVR
@@ -18,6 +19,7 @@ tuxedo-book-xp1511,192.168.1.220 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHA
 [91.39.133.154]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAcQ5x6vbWfPZ3BjPqGl0AH+CebvI8kuPwPxXkmL47gnQEgd8oPcSbMBSIvjfzMGXREBRU81p+5g9JokETKP4Fo=
 raspberrypi,172.16.0.100 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFsPOLPHU1pAapm6ljdg178ZqnANuSkdAa7PE22DksNQ9VVrvxY5h054pyaviDb2XxsHwYbAL0fP+4I2Slq4wGc=
 [gitlab.social.my-wan.de]:22422 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMDiTJj4mw6nPZTk3W/Y7h6qHhYH/CCX90rR7wd7CbwFeddW6vgK9lqk64bqOdfD7Fgh1qvZXMSYEiDLYkx4iMw=
 [gitea.mewissen.site]:22422 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMDiTJj4mw6nPZTk3W/Y7h6qHhYH/CCX90rR7wd7CbwFeddW6vgK9lqk64bqOdfD7Fgh1qvZXMSYEiDLYkx4iMw=
 debian-test,192.168.1.216 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHFoAceudj8VLkAAkBUS0A9g2yJRyVaTSqeLWo09aXFEwxf1L73qIoLJZhg15kKBB6bu/EKjyDHvO8mczbr92a8=
 139.162.139.175 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7RsWnr4soqIp+XxKn7NEGBePzNrwn4+7Bi4Mv75wVmh2u97itRxRz13CTp7ru80rTQcdce8Cx0i2K9A/aTwOQOvE6it6Typ1RfdXyf7POC3i2yoZTyLdtPcYUDUvS4EHnv1LS2v7ccOlOYTBjz6vzPkMQDRp9TW8LeaUNiqH3+IRKyQZ0omjAVqzqxr812IfEVo/vrqH2tFF9oNV921dJH01vbBBN1XYevCk6c6eJt5F/fZvr+yN98oxf5AyzCkJXvH+y/rnUdEfw7EruDsLMy2GRm8idWz+fNR4tlxYFMAEI+lMt/RJ0o3whJfB1rc+wS1c/BMjOAk+l7vBpksqmOehEF22jc3rrpdLnFRYj+hkFZInwz5ZoWQyGSG/tTLpXDpIwQZrIH4RF2KPxBlC7VJ5ljBrv9P7wHaXbxsdYGnxfNNCPuEQfYOariVlTAVHfoQYRLXFyXHMgDybvyS/xH5bi92WnDsLB22GIs5O6ARAf3s7Vscj1fSkXYmdfrQk=
 139.162.139.175 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+/wgiRWZnX4IjJmBOYEhSRkJ1DHsbwKUVx6eNNuIZy
--- a/roles/base/files/users/sudoers_wheel
+++ b/roles/base/files/users/sudoers_wheel
@@ -0,0 +1 @@
 %wheel ALL=(ALL) ALL
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -11,7 +11,7 @@
  - include_tasks: system_setup/hosts.yml
  - import_tasks: system_setup/clock.yml
  - import_tasks: system_setup/locale.yml
-  - include_tasks: system-setup/wireguard.yml
+  - include_tasks: system_setup/wireguard.yml
    when:
      - wireguard is defined
      - wireguard == true
--- a/roles/base/tasks/software/packages_utilities.yml
+++ b/roles/base/tasks/software/packages_utilities.yml
@@ -13,16 +13,16 @@
      - neofetch
      - net-tools
      - "{{ nfs_client_package }}"
-      - python3-netaddr
+      - "{{ python_netaddr_package }}"
      - ranger
      - sudo
      - rsync
      - tmux
      - traceroute
      - vifm
      - "{{ vim_package }}"
-      - vim-python-jedi
+      - "{{ vim_python_jedi_package }}"
      - wget
      - unattended-upgrades
 - name: system setup | utilities | install cloud-init and gemu guest agent
  tags: packages,system,system setup
@@ -64,4 +64,5 @@
      - htop
      - exa
      - dnsutils
      - unattended-upgrades
  when: ansible_distribution == "Debian"
--- a/roles/base/tasks/system_setup/hosts.yml
+++ b/roles/base/tasks/system_setup/hosts.yml
@@ -6,7 +6,8 @@
    owner: 'root'
    group: 'root'
  loop:
-    - { ip: '192.168.1.240', fqdn: 'gitlab.social.my-wan.de coruscant.universe.local'}
+    - { ip: '192.168.1.240', fqdn: 'coruscant.universe.local'}
    - { ip: '192.168.1.238', fqdn: 'gitea.mewissen.site'}
  when:
    - set_hosts is defined
    - set_hosts == true
--- a/roles/base/tasks/system_setup/locale.yml
+++ b/roles/base/tasks/system_setup/locale.yml
@@ -4,6 +4,7 @@
    name:
      - locales-all
    state: latest
  when: ansible_distribution == 'Debian'
 - name: system setup | locale | add de_DE
  tags: locale,system,setup
--- a/roles/base/tasks/system_setup/openssh.yml
+++ b/roles/base/tasks/system_setup/openssh.yml
@@ -12,6 +12,19 @@
    enabled: yes
    state: started
 - name: system setup | openssh | create config dir
  file:
    path: "/etc/ssh/sshd_config.d"
    state: directory
 - name: system setup | openssh | include sshd config dir in configuration
  lineinfile:
    path: "/etc/ssh/sshd_config"
    line: "Include /etc/ssh/sshd_config.d/*.conf"
    state: present
    insertbefore: "^#?Port.*$"
  notify: restart_sshd
 - name: system setup | openssh | copy sshd custom config
  tags: openssh,ssh,system,settings
  copy:
--- a/roles/base/tasks/users/all.yml
+++ b/roles/base/tasks/users/all.yml
@@ -44,7 +44,7 @@
    path: "{{ getent_passwd[user][4] }}/.ssh/config"
    state: present
    block: |
-      Host gitlab.social.my-wan.de
+      Host gitea.mewissen.site
        IdentityFile ~/.ssh/gitlab_read_ed25519
        IdentitiesOnly Yes
    create: True
@@ -64,7 +64,7 @@
    force: yes
  with_items:
    - { repo: 'https://github.com/romkatv/powerlevel10k.git', dir: 'powerlevel10k' }
-    - { repo: 'ssh://git@gitlab.social.my-wan.de:22422/rene/dotfiles.git', dir: 'dotfiles' }
+    - { repo: 'ssh://git@gitea.mewissen.site:22422/rene/dotfiles.git', dir: 'dotfiles' }
  ignore_errors: yes
 - name: users | {{ user }} | link dotfiles
@@ -83,8 +83,27 @@
    - { src: 'tmux/tmux.conf', dest: '.tmux.conf' }
  ignore_errors: yes
 - name: users | {{ user }} | create bash_profile
  lineinfile:
    path: "{{ getent_passwd[user][4] }}/.bash_profile"
    state: present
    line: "[ -f ~/.bashrc ] && . ~/.bashrc"
    create: True
    mode: "0644"
    owner: "{{ user }}"
    group: "{{ user }}"
 - name: users | {{ user }} | call dotfile install script
  become: yes
  become_user: '{{ user }}'
  shell: "POWERLINE=n BASHIT=y ZSHCUSTOM=n {{ getent_passwd[user][4] }}/dotfiles/install.sh"
  ignore_errors: yes
 - name: users | all | add sudoers file
  copy:
    src: users/sudoers_wheel
    dest: /etc/sudoers.d/wheel
    owner: root
    group: root
    mode: 0440
  when: sudo_group == "wheel"
--- a/roles/base/tasks/users/rene.yml
+++ b/roles/base/tasks/users/rene.yml
@@ -4,7 +4,7 @@
  user:
    name: rene
    shell: "/usr/bin/zsh"
-    groups: "sudo"
+    groups: "{{ sudo_group }}"
    append: True
    password: "{{ rene_pass | password_hash('sha256') }}"
@@ -51,7 +51,7 @@
 #     dest: '/home/rene/{{ item.dir }}'
 #     key_file: '/home/rene/.ssh/gitlab_read_ed25519'
 #   with_items:
-#     - {repo: 'ssh://git@gitlab.social.my-wan.de:22422/rene/dotfiles.git', dir: 'dotfiles'}
+#     - {repo: 'ssh://git@gitea.mewissen.site:22422/rene/dotfiles.git', dir: 'dotfiles'}
 #     - {repo: 'https://github.com/romkatv/powerlevel10k.git', dir: 'powerlevel10k'}
 # - name: users | rene | link dotfiles
--- a/roles/base/tasks/users/root.yml
+++ b/roles/base/tasks/users/root.yml
@@ -64,7 +64,7 @@
 - name: users | root | clone root_bins
  git:
-    repo: 'ssh://git@gitlab.social.my-wan.de:22422/rene/root-bin.git'
+    repo: 'ssh://git@gitea.mewissen.site:22422/rene/root-bin.git'
    dest: "{{ root_home }}/bin"
    key_file: '/root/.ssh/gitlab_read_ed25519'
  ignore_errors: True
--- a/roles/base/templates/provision.sh.j2
+++ b/roles/base/templates/provision.sh.j2
@@ -5,7 +5,7 @@
 ANSIBLEUSER="ansible"
 BRANCH="{{ branch | default('master') }}"
 LOGFILE="/var/log/ansible.log"
-REPO="https://gitlab.social.my-wan.de/rene/ansible-pull.git"
+REPO="https://gitea.mewissen.site/rene/ansible-pull.git"
 VAULT_KEY="</path/to/ansible_vault_key>"
 PRECMD="sudo systemd-inhibit --who='ansible-pull' --why='provisioning'"
--- a/roles/base/vars/Archlinux.yml
+++ b/roles/base/vars/Archlinux.yml
@@ -13,8 +13,12 @@ python_pip_package: python-pip
 python_psutil_package: python-psutil
 python_pyflakes_package: python-pyflakes
 python_virtualenv_package: python-virtualenv
 python_netaddr_package: python-netaddr
 vim_python_jedi_package: vim-jedi
 rename_package: perl-rename
 ruby_rake_package: ruby-rake
 sftp_path: /usr/lib/ssh/sftp-server
 sudo_group: wheel
-vim_package: gvim
+vim_package: vim
 sudo_group: wheel
--- a/roles/base/vars/Debian.yml
+++ b/roles/base/vars/Debian.yml
@@ -13,9 +13,12 @@ python_pip_package: python3-pip
 python_psutil_package: python-psutil
 python_pyflakes_package: python3-pyflakes
 python_virtualenv_package: python3-virtualenv
 python_netaddr_package: python3-netaddr
 vim_python_jedi_package: vim-python-jedi
 rename_package: rename
 ruby_rake_package: rake
 sftp_path: /usr/lib/openssh/sftp-server
 sudo_group: sudo
 vim_package: vim
 sudo_group: sudo
--- a/roles/docker/tasks/install_docker.yml
+++ b/roles/docker/tasks/install_docker.yml
@@ -8,6 +8,7 @@
  - name: docker | install docker | execute convenience script
    shell:
      cmd: "/tmp/get-docker.sh"
      creates: /usr/bin/docker
  - name: docker | install docker | cleanup
    file:
--- a/roles/mailserver/tasks/configure_postfix.yml
+++ b/roles/mailserver/tasks/configure_postfix.yml
@@ -0,0 +1,75 @@
 - name: mailserver | postfix | configuration
  shell:
    cmd: "postconf {{item.key}}={{item.value}}"
  loop:
    - {key: "address_verify_map", value: "btree:/usr/lib/postfix/bin/verify"}                                                                             
    - {key: "alias_database", value: "hash:/etc/mail/aliases"}                                                                                            
    - {key: "alias_maps", value: "hash:/etc/mail/aliases"}                                                                                                
    - {key: "biff", value: "no"}                                                                                                                          
    - {key: "broken_sasl_auth_clients", value: "yes"}                                                                                                     
    - {key: "compatibility_level", value: "2"}                                                                                                            
    - {key: "debugger_command", value: "'PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5'"}
    - {key: "default_destination_concurrency_limit", value: "2"}                                                                                          
    - {key: "dovecot_destination_recipient_limit", value: "1"}                                                                                            
    - {key: "header_checks", value: "regexp:/etc/postfix/header_checks"}                                                                                  
    - {key: "inet_protocols", value: "'ipv4, ipv6'"}
    - {key: "mailbox_size_limit", value: "0"}                                                                                                             
    - {key: "mailbox_transport", value: "dovecot"}                                                                                                        
    - {key: "maillog_file", value: "/var/log/postfix.log"}                                                                                                
    - {key: "message_size_limit", value: "0"}                                                                                                             
    - {key: "milter_default_action", value: "accept"}                                                                                                     
    - {key: "mydestination", value: "'localhost, kashyyyk, coruscant'"}                                                                                     
    - {key: "myhostname", value: "kashyyyk.universe.local"}                                                                                               
    - {key: "mynetworks", value: "'{{ mynetworks }}'"}                           
    - {key: "mynetworks_style", value: "subnet"}                                                                                                          
    - {key: "readme_directory", value: "no"}                                                                                                              
    - {key: "recipient_canonical_maps", value: "hash:/etc/postfix/recipient-canonical"}                                                                   
    - {key: "recipient_delimiter", value: "+"}                                                                                                            
    - {key: "sender_canonical_maps", value: "hash:/etc/postfix/sender-canonical"}                                                                         
    - {key: "sender_dependent_relayhost_maps", value: "hash:/etc/postfix/sender_dependent_relayhost_map"}                                                 
    - {key: "smtp_sasl_auth_enable", value: "yes"}                                                                                                        
    - {key: "smtp_sasl_mechanism_filter", value: "'!gssapi, !external, static:all'"}                                                                        
    - {key: "smtp_sasl_password_maps", value: "hash:/etc/postfix/saslpass"}                                                                               
    - {key: "smtp_sasl_security_options", value: "noanonymous"}                                                                                           
    - {key: "smtp_sender_dependent_authentication", value: "yes"}                                                                                         
    - {key: "smtp_tls_CApath", value: "/etc/ssl/certs"}                                                                                                   
    - {key: "smtp_tls_loglevel", value: "1"}                                                                                                              
    - {key: "smtp_tls_policy_maps", value: "hash:/etc/postfix/smtp_tls_policy"} 
    - {key: "smtp_tls_security_level", value: "may"}
    - {key: "smtp_tls_session_cache_database", value: "btree:/var/lib/postfix/smtp_scache"}
    - {key: "smtpd_data_restrictions", value: "reject_unauth_pipelining"}
    - {key: "smtpd_etrn_restrictions", value: "'permit_mynetworks, reject'"}
    - {key: "smtpd_helo_required", value: "yes"}
    - {key: "smtpd_helo_restrictions", value: "'permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname'"}
    - {key: "smtpd_recipient_restrictions", value: "'permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/client_access, reject_non_fqdn_recipient, check_sender_access hash:/etc/postfix/sender_restrictions, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unverified_recipient, reject_unauth_destination,'"}
    - {key: "smtpd_relay_restrictions", value: "permit_sasl_authenticated"}
    - {key: "smtpd_sasl_auth_enable", value: "yes"}
    - {key: "smtpd_sasl_path", value: "/var/run/dovecot/auth-client"}
    - {key: "smtpd_sasl_security_options", value: "noanonymous,noplaintext"}
    - {key: "smtpd_sasl_tls_security_options", value: "noanonymous"}
    - {key: "smtpd_sasl_type", value: "dovecot"}
    - {key: "smtpd_sender_restrictions", value: "'hash:/etc/postfix/access, permit_mynetworks, reject_non_fqdn_sender, check_sender_access hash:/etc/postfix/sender_access'"}
    - {key: "smtpd_tls_auth_only", value: "yes"}
    - {key: "smtpd_tls_cert_file", value: "/etc/letsencrypt/live/tantooine.myfirewall.org/fullchain.pem"}
    - {key: "smtpd_tls_dh1024_param_file", value: "${config_directory}/dh2048.pem"}
    - {key: "smtpd_tls_dh512_param_file", value: "${config_directory}/dh512.pem"}
    - {key: "smtpd_tls_eecdh_grade", value: "strong"}
    - {key: "smtpd_tls_exclude_ciphers", value: "'aNULL,MD5,RC4,DES,IDEA,SEED,3DES'"}
    - {key: "smtpd_tls_key_file", value: "/etc/letsencrypt/live/tantooine.myfirewall.org/privkey.pem"}
    - {key: "smtpd_tls_loglevel", value: "1"}
    - {key: "smtpd_tls_mandatory_ciphers", value: "high"}
    - {key: "smtpd_tls_mandatory_exclude_ciphers", value: "'aNULL,MD5,RC4,IDEA,SEED,3DES'"}
    - {key: "smtpd_tls_security_level", value: "may"}
    - {key: "smtpd_tls_session_cache_database", value: "btree:${data_directory}/smtpd_scache"}
    - {key: "tls_high_cipherlist", value: "'EECDH+RSA+AES256+SHA384:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!IDEA'"}
    - {key: "tls_preempt_cipherlist", value: "yes"}
    - {key: "tls_ssl_options", value: "NO_COMPRESSION"}
    - {key: "transport_maps", value: "hash:/etc/postfix/transport"}
    - {key: "virtual_alias_maps", value: "hash:/etc/postfix/virtual"}
    - {key: "virtual_gid_maps", value: "static:vmail"}
    - {key: "virtual_mailbox_base", value: "/home/vmail"}
    - {key: "virtual_mailbox_domains", value: "'$myhostname, $mydomain, imap.$mydomain, tantooine.homelinux.net, gallery-mewi1503.myphotos.cc, tantooine.myfirewall.org, tatooine.noip.me, mastodon.spdns.org, hubzilla.social.my-wan.de, friendica.social.my-wan.de, peertube.social.my-wan.de, pixelfed.social.my-wan.de'"}
    - {key: "virtual_mailbox_maps", value: "hash:/etc/postfix/vmailbox"}
    - {key: "virtual_transport", value: "lmtp:unix:private/dovecot-lmtp"}
    - {key: "virtual_uid_maps", value: "static:vmail"}
--- a/roles/mailserver/tasks/install_dovecot.yml
+++ b/roles/mailserver/tasks/install_dovecot.yml
@@ -0,0 +1,6 @@
 - name: mailserver | dovecot | install packages
  package:
    name:
      - dovecot
      - pigeonhole
    state: present
--- a/roles/mailserver/tasks/install_fetchmail.yml
+++ b/roles/mailserver/tasks/install_fetchmail.yml
@@ -0,0 +1,4 @@
 - name: mailserver | fetchmail | install packages
  package:
    name: fetchmail
    state: present
--- a/roles/mailserver/tasks/install_postfix.yml
+++ b/roles/mailserver/tasks/install_postfix.yml
@@ -0,0 +1,9 @@
 - name: mailserver | postfix | install packages
  package:
    name: 
      - postfix
      - postfix-ldap
      - postfix-mysql
      - postfix-sqlite
      - postgrey
    state: present
--- a/roles/mailserver/tasks/main.yml
+++ b/roles/mailserver/tasks/main.yml
@@ -0,0 +1,22 @@
 # Load distro-specific variables
 - include_vars: "{{ ansible_distribution }}.yml"
  tags: always
 - block:
  - block:
    - include_tasks: install_postfix.yml
    - include_tasks: configure_postfix.yml
    when: postfix == true
  - block:
    - include_tasks: install_dovecot.yml
    - include_tasks: configure_dovecot.yml
    when: dovecot == true
  - block:
    - include_tasks: install_fetchmail.yml
    - include_tasks: configure_fetchmail.yml
    when: fetchmail == true
  rescue:
    - set_fact: task_failed=true
--- a/roles/mailserver/vars/Archlinux.yml
+++ b/roles/mailserver/vars/Archlinux.yml
--- a/roles/mastodon/tasks/system_setup/letsencrypt.yml
+++ b/roles/mastodon/tasks/system_setup/letsencrypt.yml
@@ -29,5 +29,5 @@
    name: "letsencrypt renew"
    minute: "15"
    hour: "0"
-    job: "certbot renew && service nginx reload"
+    job: "certbot renew"
--- a/roles/server/tasks/system_setup/sshd.yml
+++ b/roles/server/tasks/system_setup/sshd.yml
@@ -0,0 +1,10 @@
 - name: server | sshd | install
  package:
    name: "{{ openssh_server_package }}"
    state: latest
 - name: server | sshd | start
  service:
    name: sshd
    state: started
    enabled: True
--- a/roles/server/vars/Archlinux.yml
+++ b/roles/server/vars/Archlinux.yml
@@ -2,6 +2,7 @@ mta_package: msmtp-mta
 snmpd_package: net-snmp
 snmpd_user_file: "/var/net-snmp/snmpd.conf"
 wireguard_package: wireguard-tools
 openssh_server_package: openssh
 glusterfs_packages:
  - package: glusterfs
--- a/roles/server/vars/Debian.yml
+++ b/roles/server/vars/Debian.yml
@@ -2,6 +2,7 @@ mta_package: ssmtp
 snmpd_package: snmpd
 snmpd_user_file: "/var/lib/snmp/snmpd.conf"
 wireguard_package: wireguard
 openssh_server_package: openssh-server
 glusterfs_packages:
  - package: glusterfs-common
--- a/roles/webserver/tasks/install_php.yml
+++ b/roles/webserver/tasks/install_php.yml
@@ -0,0 +1,6 @@
 - name: webserver | apache | installing php
  package:
    name:
      - php
      - php-mysqli
    state: latest
--- a/roles/webserver/tasks/main.yml
+++ b/roles/webserver/tasks/main.yml
@@ -14,6 +14,7 @@
    when:
      - nginx is defined
      - nginx == true
  - import_tasks: install_php.yml
  - name: webserver | certbot | install certbot
    package:
      name: certbot
--- a/roles/webserver/vars/nextcloud.yml
+++ b/roles/webserver/vars/nextcloud.yml
@@ -1,26 +1,25 @@
 $ANSIBLE_VAULT;1.1;AES256
-37353535366162623439373564306434376564326462326139323131333664663937313634313665
+63353763353333663663346630323363623938333965663430333035326461363330306131653434
-6564393039653231663433646630646462306266666435310a303632646636356139656561323933
+3964343335373832383665396164646261356236643966360a393330386366646337326164373630
-63376565643266313563393135363033383234323031626465346335393762306139613261663664
+32656237343062323836643234396435313636623735663166663766636166393830313336343065
-3339393161666262340a373562646538336137323833303139343331356266373064353361646533
+3333643038333839360a306635306434373731336137646232306438656338643233616237623435
-34363566646433333534313866323839623466306132613734356263393763666638373364633931
+32396531366666623232313237643833613334333633646434656331363733373632316331393461
-66303035663035306131633639376236393966346566616334616536313134623933316338373133
+33643430376564326463353337616437613338303839613632653738333563373730323731623638
-33626232303838633132613732653331626531336366383166313833353062656331376637336161
+31656135623966336231353035613732343864303566386233663430666233636162323838656366
-32666439303238333365323538636636346134383337383433303863623965316430643730303230
+36393534313665303766326638373133323964386438656639383030363265393032353761646239
-62363737633763363035346531643332343935363432326630323735356131376636343830366434
+30336366363839326661313839666130356135353134396462646562653561383862623465313437
-35386661383833376663333031373764613739626165626132653632346430633166393436313731
+31303034396662353261663865626565663961393930643763393761346634386639633362313066
-39646538346438666134633539666436643961353639393761326132366239363231316631613663
+66663734613331616632653338666563333734656166333234326639646562623636653434396136
-63313733363435353965626465623935383062656635396534373538323931616135373865336632
+63386434373364633764663162396164643032633133373835383238613732356537323764366463
-33333931353637663838333039613063353562346134663037396138323733323261663036363634
+39643232656662353238376235643537643935366534646363616533633636303831333831353466
-63383966326138346539653932383632356465393962383265626336643538396466323934633634
+66376433353164663130636466303630376434333161353839353863666136386566363334306235
-64663865633063613433306332306234303635346634303937643935373035353337373637626262
+37383938633335663465656539646630613061666231626137393766326237613036303434663064
-66666535653965333161386665613034613835646438326161643766653232303430333636646633
+30616637393863353533303832663032613666353833633933613032303336353139623537363936
-38363335313136393533616366323533663939643230626238616632353130666537336661633432
+30366163666466326334373036393435643436343630366364353133396131336535653435356364
-39333430663563633866636436363937363634303462373065303363373231346236303931636230
+61613330316332383332323732353539396465326538306532353734383033663234623464313934
-64643464306663313231326665373264323030343831366532643438666463646236643939316631
+64386662346364663134613434613036363935636263616264386336663639346135316561623861
-34383335326438633364356338353334353061333565376631356263663465623866656635383030
+61643732393936306332363637373330633735633535356563373037326530343332396263613037
-34303932393666316562653435343166393436376135613466663366393033333938376230383139
+66643136613136643637316266383239643434376461326663666330653338366164656437316431
-35373434653866313233363037666431316630316166656638616634636339383834653265333034
+62393933303466663139653666323737663137656533613439666132663266363238396330663932
-64303138336166663732633134343164373135386135666164373462633530636231303139653863
+37363131343935383665336364323166316439396566313231613530333465613062306439626666
-30386239663861666565366361633565336333313065373130623063363235653963373564313434
+31346165336332313637
 3430