Merge branch 'master' of ssh://gitea.mewissen.site:22422/rene/ansible-pull

group_vars/all

@@ -1,2 +1,4 @@
 snmpd_conf: /etc/snmp/snmpd.conf
 sudo: /usr/bin/sudo
+
+gitserver: gitea.mewissen.site

host_vars/coruscant.universe.local.yml

@@ -13,7 +13,7 @@ microcode_intel_install: true
 # purpose selection
 database: true
 mysql: true
-postgresql: false
+postgres: false
 dhcpserver: true
 fileserver: true
 mailserver: true

host_vars/mail.universe.local.yml

@@ -0,0 +1,8 @@
+postfix: true
+postgrey: true
+dovecot: true
+pigeonhole: true
+fetchmail: true
+mpop: true
+
+mynetworks: '192.168.1.0/24, 127.0.0.0/8, 192.168.122.0/24, 10.20.20.0/28, 172.16.0.0/12, 192.168.3.0/24'

host_vars/mailcow.yml

@@ -0,0 +1,17 @@
+---
+branch: master
+
+#ansible_cron_minute: "40"
+#ssh_port: 22
+#ssh_users: "user1 user2"
+copy_ssh_priv_keys: false
+
+# platform-specific
+linode_instance: false
+microcode_amd_install: false
+microcode_intel_install: false
+proxmox_instance: false
+raspberry_pi: false
+
+# server
+unattended_upgrades: true

host_vars/mariadb01

@@ -0,0 +1,42 @@
+---
+branch: master
+
+ansible_cron_minute: "*/5"
+
+ssh_port: 22
+ssh_users: "root rene"
+
+# platform-specific
+microcode_amd_install: false
+microcode_intel_install: true
+
+# purpose selection
+database: true
+mysql: true
+postgres: false
+redis: false
+dhcpserver: false
+fileserver: false
+mailserver: false
+nameserver: false
+printspooler: false
+proxyserver: false
+squid: false
+tinyproxy: false
+webserver: false
+apache: false
+nginx: false
+
+# application selection
+borgbackup: false
+broot: false
+docker: false
+pacaur: false
+paru: false
+ranger: false
+syncthing: false
+vifm: false
+yay: false
+
+# shell selection
+zsh: true

host_vars/mariadb02

@@ -0,0 +1 @@
+mariadb01

host_vars/mariadb03

@@ -0,0 +1 @@
+mariadb01

hosts

@@ -11,6 +11,8 @@ Samba-AD-DC
 librenms
 grafana
 backup
+haproxy01
+haproxy02
 
 [server:children]
 cluster
@@ -18,6 +20,7 @@ database
 dhcpserver
 docker
 fileserver
+icinga
 jitsimeet
 mailserver
 mastodon
@@ -28,6 +31,9 @@ webserver
 
 [database]
 coruscant.universe.local
+mariadb01
+mariadb02
+mariadb03
 
 [development]
 endor.universe.local
@@ -44,18 +50,30 @@ docker02
 
 [fileserver]
 coruscant.universe.local
+samba-ad-dc
 
 [glustertest]
 glustertest01
 glustertest02
 glustertest03
 
+[icinga_master]
+icinga
+
+[icinga_satellite]
+
+[icinga:children]
+icinga_master
+icinga_satellite
+
 [jitsimeet]
 mewimeet.de jitsi_fqdn=mewimeet.de
 
 [mailserver]
 coruscant.universe.local
 mail.mewissen.site
+mailcow
+mail.universe.local
 
 [mastodon]
 mewitoot.de

local.yml

@@ -56,17 +56,17 @@
   roles:
     - webserver
 
-# - hosts: mailserver
-#   tags: server,mailserver
-#   become: true
-#   roles:
-#     - mailserver
+- hosts: mailserver
+  tags: server,mailserver
+  become: true
+  roles:
+    - mailserver
 
-# - hosts: database
-#   tags: server,database
-#   become: true
-#   roles:
-#     - database
+- hosts: database
+  tags: server,database
+  become: true
+  roles:
+    - database
 
 # - hosts: dhcpserver
 #   tags: server,dhcpserver

roles/base/files/users/known_hosts

@@ -3,6 +3,7 @@
 |1|+ebqSRFuT6ZpVb032ycgNFK9aYk=|GG8wNwMN/MonLjYeRqZNVzr4/l8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMj+ZCAgXVg4OhxpQHLDFanvm7/QP9qRA1zGIAy+1jK7/OTAu3pb6/C1wXufZMn4V1YEbzkeAh8RJeJXmprhdn4=
 |1|Nxpoqfn5XUKOUkUPrDsac1U2jx8=|bePErvLRXOGc2nM7s8bphY4QL3E= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMj+ZCAgXVg4OhxpQHLDFanvm7/QP9qRA1zGIAy+1jK7/OTAu3pb6/C1wXufZMn4V1YEbzkeAh8RJeJXmprhdn4=
 gitlab.social.my-wan.de,192.168.1.240 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDNCQnHHKtHukjysSlErXQOlBPP1oalb9+wWaS6O+k+RMtnx9iZE02fgVUHuwYI3S7P8UNP12tQxFlXuuFqCQ0w=
+gitea.mewissen.site,192.168.1.240 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDNCQnHHKtHukjysSlErXQOlBPP1oalb9+wWaS6O+k+RMtnx9iZE02fgVUHuwYI3S7P8UNP12tQxFlXuuFqCQ0w=
 diskstation,192.168.1.234 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBbDuuwpYg92O+O3ZVYyctZ5szXfE7GRUW4rDZjlEYTf2q8ieE2vezHo/sl2wZW1jCSevER2jYYbhvpoQVyiweI=
 192.168.1.250 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMUVrBrOlUQamGWS9qO9mOTbzSW3L1VGhrgpBp6pNf/ekAmWRrxJ0bdEKjHI+YlDt7nNjffjsVlLUwtPtQI0nTI=
 vuduo2,172.16.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCRLsnDtDLuNBN8X8rmCNdrrIYCWfK7DrI/bPQAbSroCuwdHRLztd5doWJyVy6XjuJ2cVaal5xR11hit5qz0TQHhhXJbkViivRSDUuFKVZQajGmUjxMdE0vChqIn3ObIhtkf5ESTvxnroETMUQXzPe30EzO8tGlbV6cGrv80rhp9l1eWUt1pOzYe6pNEPVZiavJYD/rNWd/1xTqx8TCC3yeaWKFINAvo+C5wshKv31r7k9KXlliLMdbvBwkalbk8CK+AwJQsAapklVfQ4u/H0xpXUYlQU4c4kmjq2PTM8i6pLBtCRtfY2GUEu4OvjcHUl/WK1uICVWDPr7O7HLbtvVR
@@ -18,6 +19,7 @@ tuxedo-book-xp1511,192.168.1.220 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHA
 [91.39.133.154]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAcQ5x6vbWfPZ3BjPqGl0AH+CebvI8kuPwPxXkmL47gnQEgd8oPcSbMBSIvjfzMGXREBRU81p+5g9JokETKP4Fo=
 raspberrypi,172.16.0.100 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFsPOLPHU1pAapm6ljdg178ZqnANuSkdAa7PE22DksNQ9VVrvxY5h054pyaviDb2XxsHwYbAL0fP+4I2Slq4wGc=
 [gitlab.social.my-wan.de]:22422 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMDiTJj4mw6nPZTk3W/Y7h6qHhYH/CCX90rR7wd7CbwFeddW6vgK9lqk64bqOdfD7Fgh1qvZXMSYEiDLYkx4iMw=
+[gitea.mewissen.site]:22422 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMDiTJj4mw6nPZTk3W/Y7h6qHhYH/CCX90rR7wd7CbwFeddW6vgK9lqk64bqOdfD7Fgh1qvZXMSYEiDLYkx4iMw=
 debian-test,192.168.1.216 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHFoAceudj8VLkAAkBUS0A9g2yJRyVaTSqeLWo09aXFEwxf1L73qIoLJZhg15kKBB6bu/EKjyDHvO8mczbr92a8=
 139.162.139.175 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7RsWnr4soqIp+XxKn7NEGBePzNrwn4+7Bi4Mv75wVmh2u97itRxRz13CTp7ru80rTQcdce8Cx0i2K9A/aTwOQOvE6it6Typ1RfdXyf7POC3i2yoZTyLdtPcYUDUvS4EHnv1LS2v7ccOlOYTBjz6vzPkMQDRp9TW8LeaUNiqH3+IRKyQZ0omjAVqzqxr812IfEVo/vrqH2tFF9oNV921dJH01vbBBN1XYevCk6c6eJt5F/fZvr+yN98oxf5AyzCkJXvH+y/rnUdEfw7EruDsLMy2GRm8idWz+fNR4tlxYFMAEI+lMt/RJ0o3whJfB1rc+wS1c/BMjOAk+l7vBpksqmOehEF22jc3rrpdLnFRYj+hkFZInwz5ZoWQyGSG/tTLpXDpIwQZrIH4RF2KPxBlC7VJ5ljBrv9P7wHaXbxsdYGnxfNNCPuEQfYOariVlTAVHfoQYRLXFyXHMgDybvyS/xH5bi92WnDsLB22GIs5O6ARAf3s7Vscj1fSkXYmdfrQk=
 139.162.139.175 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+/wgiRWZnX4IjJmBOYEhSRkJ1DHsbwKUVx6eNNuIZy

roles/base/files/users/sudoers_wheel

@@ -0,0 +1 @@
+%wheel ALL=(ALL) ALL

roles/base/tasks/main.yml

@@ -11,7 +11,7 @@
   - include_tasks: system_setup/hosts.yml
   - import_tasks: system_setup/clock.yml
   - import_tasks: system_setup/locale.yml
-  - include_tasks: system-setup/wireguard.yml
+  - include_tasks: system_setup/wireguard.yml
     when:
       - wireguard is defined
       - wireguard == true

roles/base/tasks/software/packages_utilities.yml

@@ -13,16 +13,16 @@
       - neofetch
       - net-tools
       - "{{ nfs_client_package }}"
-      - python3-netaddr
+      - "{{ python_netaddr_package }}"
       - ranger
+      - sudo
       - rsync
       - tmux
       - traceroute
       - vifm
       - "{{ vim_package }}"
-      - vim-python-jedi
+      - "{{ vim_python_jedi_package }}"
       - wget
-      - unattended-upgrades
 
 - name: system setup | utilities | install cloud-init and gemu guest agent
   tags: packages,system,system setup
@@ -64,4 +64,5 @@
       - htop
       - exa
       - dnsutils
+      - unattended-upgrades
   when: ansible_distribution == "Debian"

roles/base/tasks/system_setup/hosts.yml

@@ -6,7 +6,8 @@
     owner: 'root'
     group: 'root'
   loop:
-    - { ip: '192.168.1.240', fqdn: 'gitlab.social.my-wan.de coruscant.universe.local'}
+    - { ip: '192.168.1.240', fqdn: 'coruscant.universe.local'}
+    - { ip: '192.168.1.238', fqdn: 'gitea.mewissen.site'}
   when:
     - set_hosts is defined
     - set_hosts == true

roles/base/tasks/system_setup/locale.yml

@@ -4,6 +4,7 @@
     name:
       - locales-all
     state: latest
+  when: ansible_distribution == 'Debian'
 
 - name: system setup | locale | add de_DE
   tags: locale,system,setup

roles/base/tasks/system_setup/openssh.yml

@@ -12,6 +12,19 @@
     enabled: yes
     state: started
 
+- name: system setup | openssh | create config dir
+  file:
+    path: "/etc/ssh/sshd_config.d"
+    state: directory
+
+- name: system setup | openssh | include sshd config dir in configuration
+  lineinfile:
+    path: "/etc/ssh/sshd_config"
+    line: "Include /etc/ssh/sshd_config.d/*.conf"
+    state: present
+    insertbefore: "^#?Port.*$"
+  notify: restart_sshd
+
 - name: system setup | openssh | copy sshd custom config
   tags: openssh,ssh,system,settings
   copy:

roles/base/tasks/users/all.yml

@@ -44,7 +44,7 @@
     path: "{{ getent_passwd[user][4] }}/.ssh/config"
     state: present
     block: |
-      Host gitlab.social.my-wan.de
+      Host gitea.mewissen.site
         IdentityFile ~/.ssh/gitlab_read_ed25519
         IdentitiesOnly Yes
     create: True
@@ -64,7 +64,7 @@
     force: yes
   with_items:
     - { repo: 'https://github.com/romkatv/powerlevel10k.git', dir: 'powerlevel10k' }
-    - { repo: 'ssh://git@gitlab.social.my-wan.de:22422/rene/dotfiles.git', dir: 'dotfiles' }
+    - { repo: 'ssh://git@gitea.mewissen.site:22422/rene/dotfiles.git', dir: 'dotfiles' }
   ignore_errors: yes
 
 - name: users | {{ user }} | link dotfiles
@@ -83,8 +83,27 @@
     - { src: 'tmux/tmux.conf', dest: '.tmux.conf' }
   ignore_errors: yes
 
+- name: users | {{ user }} | create bash_profile
+  lineinfile:
+    path: "{{ getent_passwd[user][4] }}/.bash_profile"
+    state: present
+    line: "[ -f ~/.bashrc ] && . ~/.bashrc"
+    create: True
+    mode: "0644"
+    owner: "{{ user }}"
+    group: "{{ user }}"
+
 - name: users | {{ user }} | call dotfile install script
   become: yes
   become_user: '{{ user }}'
   shell: "POWERLINE=n BASHIT=y ZSHCUSTOM=n {{ getent_passwd[user][4] }}/dotfiles/install.sh"
   ignore_errors: yes
+
+- name: users | all | add sudoers file
+  copy:
+    src: users/sudoers_wheel
+    dest: /etc/sudoers.d/wheel
+    owner: root
+    group: root
+    mode: 0440
+  when: sudo_group == "wheel"

roles/base/tasks/users/rene.yml

@@ -4,7 +4,7 @@
   user:
     name: rene
     shell: "/usr/bin/zsh"
-    groups: "sudo"
+    groups: "{{ sudo_group }}"
     append: True
     password: "{{ rene_pass | password_hash('sha256') }}"
 
@@ -51,7 +51,7 @@
 #     dest: '/home/rene/{{ item.dir }}'
 #     key_file: '/home/rene/.ssh/gitlab_read_ed25519'
 #   with_items:
-#     - {repo: 'ssh://git@gitlab.social.my-wan.de:22422/rene/dotfiles.git', dir: 'dotfiles'}
+#     - {repo: 'ssh://git@gitea.mewissen.site:22422/rene/dotfiles.git', dir: 'dotfiles'}
 #     - {repo: 'https://github.com/romkatv/powerlevel10k.git', dir: 'powerlevel10k'}
 
 # - name: users | rene | link dotfiles

roles/base/tasks/users/root.yml

@@ -64,7 +64,7 @@
 
 - name: users | root | clone root_bins
   git:
-    repo: 'ssh://git@gitlab.social.my-wan.de:22422/rene/root-bin.git'
+    repo: 'ssh://git@gitea.mewissen.site:22422/rene/root-bin.git'
     dest: "{{ root_home }}/bin"
     key_file: '/root/.ssh/gitlab_read_ed25519'
   ignore_errors: True

roles/base/templates/provision.sh.j2

@@ -5,7 +5,7 @@
 ANSIBLEUSER="ansible"
 BRANCH="{{ branch | default('master') }}"
 LOGFILE="/var/log/ansible.log"
-REPO="https://gitlab.social.my-wan.de/rene/ansible-pull.git"
+REPO="https://gitea.mewissen.site/rene/ansible-pull.git"
 VAULT_KEY="</path/to/ansible_vault_key>"
 PRECMD="sudo systemd-inhibit --who='ansible-pull' --why='provisioning'"
 

roles/base/vars/Archlinux.yml

@@ -13,8 +13,12 @@ python_pip_package: python-pip
 python_psutil_package: python-psutil
 python_pyflakes_package: python-pyflakes
 python_virtualenv_package: python-virtualenv
+python_netaddr_package: python-netaddr
+vim_python_jedi_package: vim-jedi
 rename_package: perl-rename
 ruby_rake_package: ruby-rake
 sftp_path: /usr/lib/ssh/sftp-server
 sudo_group: wheel
-vim_package: gvim
+vim_package: vim
+
+sudo_group: wheel

roles/base/vars/Debian.yml

@@ -13,9 +13,12 @@ python_pip_package: python3-pip
 python_psutil_package: python-psutil
 python_pyflakes_package: python3-pyflakes
 python_virtualenv_package: python3-virtualenv
+python_netaddr_package: python3-netaddr
+vim_python_jedi_package: vim-python-jedi
 rename_package: rename
 ruby_rake_package: rake
 sftp_path: /usr/lib/openssh/sftp-server
 sudo_group: sudo
 vim_package: vim
 
+sudo_group: sudo

roles/docker/tasks/install_docker.yml

@@ -8,6 +8,7 @@
   - name: docker | install docker | execute convenience script
     shell:
       cmd: "/tmp/get-docker.sh"
+      creates: /usr/bin/docker
 
   - name: docker | install docker | cleanup
     file:

roles/mailserver/tasks/configure_postfix.yml

@@ -0,0 +1,75 @@
+- name: mailserver | postfix | configuration
+  shell:
+    cmd: "postconf {{item.key}}={{item.value}}"
+  loop:
+    - {key: "address_verify_map", value: "btree:/usr/lib/postfix/bin/verify"}                                                                             
+    - {key: "alias_database", value: "hash:/etc/mail/aliases"}                                                                                            
+    - {key: "alias_maps", value: "hash:/etc/mail/aliases"}                                                                                                
+    - {key: "biff", value: "no"}                                                                                                                          
+    - {key: "broken_sasl_auth_clients", value: "yes"}                                                                                                     
+    - {key: "compatibility_level", value: "2"}                                                                                                            
+    - {key: "debugger_command", value: "'PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5'"}
+    - {key: "default_destination_concurrency_limit", value: "2"}                                                                                          
+    - {key: "dovecot_destination_recipient_limit", value: "1"}                                                                                            
+    - {key: "header_checks", value: "regexp:/etc/postfix/header_checks"}                                                                                  
+    - {key: "inet_protocols", value: "'ipv4, ipv6'"}
+    - {key: "mailbox_size_limit", value: "0"}                                                                                                             
+    - {key: "mailbox_transport", value: "dovecot"}                                                                                                        
+    - {key: "maillog_file", value: "/var/log/postfix.log"}                                                                                                
+    - {key: "message_size_limit", value: "0"}                                                                                                             
+    - {key: "milter_default_action", value: "accept"}                                                                                                     
+    - {key: "mydestination", value: "'localhost, kashyyyk, coruscant'"}                                                                                     
+    - {key: "myhostname", value: "kashyyyk.universe.local"}                                                                                               
+    - {key: "mynetworks", value: "'{{ mynetworks }}'"}                           
+    - {key: "mynetworks_style", value: "subnet"}                                                                                                          
+    - {key: "readme_directory", value: "no"}                                                                                                              
+    - {key: "recipient_canonical_maps", value: "hash:/etc/postfix/recipient-canonical"}                                                                   
+    - {key: "recipient_delimiter", value: "+"}                                                                                                            
+    - {key: "sender_canonical_maps", value: "hash:/etc/postfix/sender-canonical"}                                                                         
+    - {key: "sender_dependent_relayhost_maps", value: "hash:/etc/postfix/sender_dependent_relayhost_map"}                                                 
+    - {key: "smtp_sasl_auth_enable", value: "yes"}                                                                                                        
+    - {key: "smtp_sasl_mechanism_filter", value: "'!gssapi, !external, static:all'"}                                                                        
+    - {key: "smtp_sasl_password_maps", value: "hash:/etc/postfix/saslpass"}                                                                               
+    - {key: "smtp_sasl_security_options", value: "noanonymous"}                                                                                           
+    - {key: "smtp_sender_dependent_authentication", value: "yes"}                                                                                         
+    - {key: "smtp_tls_CApath", value: "/etc/ssl/certs"}                                                                                                   
+    - {key: "smtp_tls_loglevel", value: "1"}                                                                                                              
+    - {key: "smtp_tls_policy_maps", value: "hash:/etc/postfix/smtp_tls_policy"} 
+    - {key: "smtp_tls_security_level", value: "may"}
+    - {key: "smtp_tls_session_cache_database", value: "btree:/var/lib/postfix/smtp_scache"}
+    - {key: "smtpd_data_restrictions", value: "reject_unauth_pipelining"}
+    - {key: "smtpd_etrn_restrictions", value: "'permit_mynetworks, reject'"}
+    - {key: "smtpd_helo_required", value: "yes"}
+    - {key: "smtpd_helo_restrictions", value: "'permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname'"}
+    - {key: "smtpd_recipient_restrictions", value: "'permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/client_access, reject_non_fqdn_recipient, check_sender_access hash:/etc/postfix/sender_restrictions, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unverified_recipient, reject_unauth_destination,'"}
+    - {key: "smtpd_relay_restrictions", value: "permit_sasl_authenticated"}
+    - {key: "smtpd_sasl_auth_enable", value: "yes"}
+    - {key: "smtpd_sasl_path", value: "/var/run/dovecot/auth-client"}
+    - {key: "smtpd_sasl_security_options", value: "noanonymous,noplaintext"}
+    - {key: "smtpd_sasl_tls_security_options", value: "noanonymous"}
+    - {key: "smtpd_sasl_type", value: "dovecot"}
+    - {key: "smtpd_sender_restrictions", value: "'hash:/etc/postfix/access, permit_mynetworks, reject_non_fqdn_sender, check_sender_access hash:/etc/postfix/sender_access'"}
+    - {key: "smtpd_tls_auth_only", value: "yes"}
+    - {key: "smtpd_tls_cert_file", value: "/etc/letsencrypt/live/tantooine.myfirewall.org/fullchain.pem"}
+    - {key: "smtpd_tls_dh1024_param_file", value: "${config_directory}/dh2048.pem"}
+    - {key: "smtpd_tls_dh512_param_file", value: "${config_directory}/dh512.pem"}
+    - {key: "smtpd_tls_eecdh_grade", value: "strong"}
+    - {key: "smtpd_tls_exclude_ciphers", value: "'aNULL,MD5,RC4,DES,IDEA,SEED,3DES'"}
+    - {key: "smtpd_tls_key_file", value: "/etc/letsencrypt/live/tantooine.myfirewall.org/privkey.pem"}
+    - {key: "smtpd_tls_loglevel", value: "1"}
+    - {key: "smtpd_tls_mandatory_ciphers", value: "high"}
+    - {key: "smtpd_tls_mandatory_exclude_ciphers", value: "'aNULL,MD5,RC4,IDEA,SEED,3DES'"}
+    - {key: "smtpd_tls_security_level", value: "may"}
+    - {key: "smtpd_tls_session_cache_database", value: "btree:${data_directory}/smtpd_scache"}
+    - {key: "tls_high_cipherlist", value: "'EECDH+RSA+AES256+SHA384:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!IDEA'"}
+    - {key: "tls_preempt_cipherlist", value: "yes"}
+    - {key: "tls_ssl_options", value: "NO_COMPRESSION"}
+    - {key: "transport_maps", value: "hash:/etc/postfix/transport"}
+    - {key: "virtual_alias_maps", value: "hash:/etc/postfix/virtual"}
+    - {key: "virtual_gid_maps", value: "static:vmail"}
+    - {key: "virtual_mailbox_base", value: "/home/vmail"}
+    - {key: "virtual_mailbox_domains", value: "'$myhostname, $mydomain, imap.$mydomain, tantooine.homelinux.net, gallery-mewi1503.myphotos.cc, tantooine.myfirewall.org, tatooine.noip.me, mastodon.spdns.org, hubzilla.social.my-wan.de, friendica.social.my-wan.de, peertube.social.my-wan.de, pixelfed.social.my-wan.de'"}
+    - {key: "virtual_mailbox_maps", value: "hash:/etc/postfix/vmailbox"}
+    - {key: "virtual_transport", value: "lmtp:unix:private/dovecot-lmtp"}
+    - {key: "virtual_uid_maps", value: "static:vmail"}
+    

roles/mailserver/tasks/install_dovecot.yml

@@ -0,0 +1,6 @@
+- name: mailserver | dovecot | install packages
+  package:
+    name:
+      - dovecot
+      - pigeonhole
+    state: present

roles/mailserver/tasks/install_fetchmail.yml

@@ -0,0 +1,4 @@
+- name: mailserver | fetchmail | install packages
+  package:
+    name: fetchmail
+    state: present

roles/mailserver/tasks/install_postfix.yml

@@ -0,0 +1,9 @@
+- name: mailserver | postfix | install packages
+  package:
+    name: 
+      - postfix
+      - postfix-ldap
+      - postfix-mysql
+      - postfix-sqlite
+      - postgrey
+    state: present

roles/mailserver/tasks/main.yml

@@ -0,0 +1,22 @@
+# Load distro-specific variables
+- include_vars: "{{ ansible_distribution }}.yml"
+  tags: always
+
+- block:
+  - block:
+    - include_tasks: install_postfix.yml
+    - include_tasks: configure_postfix.yml
+    when: postfix == true
+
+  - block:
+    - include_tasks: install_dovecot.yml
+    - include_tasks: configure_dovecot.yml
+    when: dovecot == true
+
+  - block:
+    - include_tasks: install_fetchmail.yml
+    - include_tasks: configure_fetchmail.yml
+    when: fetchmail == true
+
+  rescue:
+    - set_fact: task_failed=true

roles/mastodon/tasks/system_setup/letsencrypt.yml

@@ -29,5 +29,5 @@
     name: "letsencrypt renew"
     minute: "15"
     hour: "0"
-    job: "certbot renew && service nginx reload"
+    job: "certbot renew"
 

roles/server/tasks/system_setup/sshd.yml

@@ -0,0 +1,10 @@
+- name: server | sshd | install
+  package:
+    name: "{{ openssh_server_package }}"
+    state: latest
+
+- name: server | sshd | start
+  service:
+    name: sshd
+    state: started
+    enabled: True

roles/server/vars/Archlinux.yml

@@ -2,6 +2,7 @@ mta_package: msmtp-mta
 snmpd_package: net-snmp
 snmpd_user_file: "/var/net-snmp/snmpd.conf"
 wireguard_package: wireguard-tools
+openssh_server_package: openssh
 
 glusterfs_packages:
   - package: glusterfs

roles/server/vars/Debian.yml

@@ -2,6 +2,7 @@ mta_package: ssmtp
 snmpd_package: snmpd
 snmpd_user_file: "/var/lib/snmp/snmpd.conf"
 wireguard_package: wireguard
+openssh_server_package: openssh-server
 
 glusterfs_packages:
   - package: glusterfs-common

roles/webserver/tasks/install_php.yml

@@ -0,0 +1,6 @@
+- name: webserver | apache | installing php
+  package:
+    name:
+      - php
+      - php-mysqli
+    state: latest

roles/webserver/tasks/main.yml

@@ -14,6 +14,7 @@
     when:
       - nginx is defined
       - nginx == true
+  - import_tasks: install_php.yml
   - name: webserver | certbot | install certbot
     package:
       name: certbot

roles/webserver/vars/nextcloud.yml

@@ -1,26 +1,25 @@
 $ANSIBLE_VAULT;1.1;AES256
-37353535366162623439373564306434376564326462326139323131333664663937313634313665
-6564393039653231663433646630646462306266666435310a303632646636356139656561323933
-63376565643266313563393135363033383234323031626465346335393762306139613261663664
-3339393161666262340a373562646538336137323833303139343331356266373064353361646533
-34363566646433333534313866323839623466306132613734356263393763666638373364633931
-66303035663035306131633639376236393966346566616334616536313134623933316338373133
-33626232303838633132613732653331626531336366383166313833353062656331376637336161
-32666439303238333365323538636636346134383337383433303863623965316430643730303230
-62363737633763363035346531643332343935363432326630323735356131376636343830366434
-35386661383833376663333031373764613739626165626132653632346430633166393436313731
-39646538346438666134633539666436643961353639393761326132366239363231316631613663
-63313733363435353965626465623935383062656635396534373538323931616135373865336632
-33333931353637663838333039613063353562346134663037396138323733323261663036363634
-63383966326138346539653932383632356465393962383265626336643538396466323934633634
-64663865633063613433306332306234303635346634303937643935373035353337373637626262
-66666535653965333161386665613034613835646438326161643766653232303430333636646633
-38363335313136393533616366323533663939643230626238616632353130666537336661633432
-39333430663563633866636436363937363634303462373065303363373231346236303931636230
-64643464306663313231326665373264323030343831366532643438666463646236643939316631
-34383335326438633364356338353334353061333565376631356263663465623866656635383030
-34303932393666316562653435343166393436376135613466663366393033333938376230383139
-35373434653866313233363037666431316630316166656638616634636339383834653265333034
-64303138336166663732633134343164373135386135666164373462633530636231303139653863
-30386239663861666565366361633565336333313065373130623063363235653963373564313434
-3430
+63353763353333663663346630323363623938333965663430333035326461363330306131653434
+3964343335373832383665396164646261356236643966360a393330386366646337326164373630
+32656237343062323836643234396435313636623735663166663766636166393830313336343065
+3333643038333839360a306635306434373731336137646232306438656338643233616237623435
+32396531366666623232313237643833613334333633646434656331363733373632316331393461
+33643430376564326463353337616437613338303839613632653738333563373730323731623638
+31656135623966336231353035613732343864303566386233663430666233636162323838656366
+36393534313665303766326638373133323964386438656639383030363265393032353761646239
+30336366363839326661313839666130356135353134396462646562653561383862623465313437
+31303034396662353261663865626565663961393930643763393761346634386639633362313066
+66663734613331616632653338666563333734656166333234326639646562623636653434396136
+63386434373364633764663162396164643032633133373835383238613732356537323764366463
+39643232656662353238376235643537643935366534646363616533633636303831333831353466
+66376433353164663130636466303630376434333161353839353863666136386566363334306235
+37383938633335663465656539646630613061666231626137393766326237613036303434663064
+30616637393863353533303832663032613666353833633933613032303336353139623537363936
+30366163666466326334373036393435643436343630366364353133396131336535653435356364
+61613330316332383332323732353539396465326538306532353734383033663234623464313934
+64386662346364663134613434613036363935636263616264386336663639346135316561623861
+61643732393936306332363637373330633735633535356563373037326530343332396263613037
+66643136613136643637316266383239643434376461326663666330653338366164656437316431
+62393933303466663139653666323737663137656533613439666132663266363238396330663932
+37363131343935383665336364323166316439396566313231613530333465613062306439626666
+31346165336332313637