initial commit

master
kreativmonkey 6 years ago
commit 334c973974

.gitignore vendored

@ -0,0 +1,13 @@
# Created by https://www.gitignore.io/api/ansible
### Ansible ###
*.retry
*.pyc
*.retry
/borg-keys/
vault-secret.txt
# End of https://www.gitignore.io/api/ansible
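Review bot: `*.retry` is listed twice (third and fifth lines of the hunk); drop the duplicate. Ignoring `vault-secret.txt` implies a plaintext vault password will sit in the working tree, which is fine, but it only pays off if `ansible.cfg` points `vault_password_file` at it; right now that setting is left commented out, so each run of the vaulted `group_vars` still needs `--vault-password-file` on the command line. `/borg-keys/` is the right thing to keep out of git, but note that nothing in the borg-client role actually exports keys into it yet.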

@ -0,0 +1,8 @@
MIT License
Copyright (c) <year> <copyright holders>
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
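Review bot: the `<year>` and `<copyright holders>` placeholders on the second line were never filled in, so the license names nobody as the grantor. Put the real year and author there (the commit author, presumably) before relying on the file.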

@ -0,0 +1,42 @@
# ansible-playbooks
Sammlung der verwendeten [Ansible](ansible.com) Playbooks
## Playbooks
### install-arch.yml
Mit diesem Playbook kann bei Hetzner im Robot eine frische Arch Linux installation aufgesetzt werden. Der Server wird hierzu in den Rescue-Modus versetzt, aus Sicherheitsgründen wird dies derzeit nicht automatisiert durchgeführt. Danach werden die Festplatten formatiert und zu einem RAID1 Verbund vereint. Anschließend wird das aktuelle Arch Linux Image geladen und installiert. Nach der Netwerkkonfiguration und der Aktivierung von SSH wird der Server neu gestartet und der aktuelle SSH-Key aus der knownhosts datei gelöscht.
Start des Playbooks: ``ansible-playbook playbooks/install-arch.yml -l $host``
Für das Playbook werden folgende Variablen benötigt:
| Variable | Wert | Bedeutung |
| ------------ | --------------- | --------------------------------------------- |
| hostname | | Der Name des hosts der aufgesetzt werden soll |
| ipv4_address | | Die IPv4 addresse des hosts |
| ipv4_netmask | "/32" | Die verwendete Maske für das Netzwerk |
| ipv6_address | | siehe ipv4 |
| ipv6_netmask | "/128" | siehe ipv4 |
| ipv4_gateway | | die Adresse des Gateways |
| ipv6_gateway | | |
| filesystem | btrfs oder ext4 | Wahl des filesystems für den host |
Die Variablen werden unter host_vars in der datei <hostname> abgelegt.
## All-hosts-basic
Dieses Playbook richtet eine frische Installation ein indem es nützliche Tools installiert, User anlegt, das Netwerk einrichtet und somit eine Basis für ein System herstellt.
``ansible-playbook playbooks/all-hosts-basic.yml -l $host``
Informationen zu den Installierten tools finden sie in der Datei ``roles/tools/tasks/main.yml``.
Die Nutzer werden in ``group_vars/all/archusers.yml`` definiert und ihre Publickeys unter ``publickeys/<username>.pub`` abgelegt.
##
## ToDo
- borg-server einrichtung (auf Synology)
- Monitoring
- LXC-Container Installation und Verwaltung
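Review bot: the `[Ansible](ansible.com)` link has no scheme and will render as a relative link; use `https://www.ansible.com/`. The bare `##` just above `## ToDo` is an empty heading and should go, and `## All-hosts-basic` sits one level above `### install-arch.yml` although both are playbooks under `## Playbooks`. The `ipv6_gateway` row of the variable table has no meaning column. The key location stated here (`publickeys/<username>.pub`) disagrees with the `../pubkeys/` path the archusers role looks up; one of the two is wrong. Last, the install procedure deletes the old host key from known_hosts after the reinstall, which means the next connection will accept whatever host key answers; it is worth stating that the new fingerprint should be read from the rescue console before the reboot and compared on first contact.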

@ -0,0 +1,446 @@
# config file for ansible -- https://ansible.com/
# ===============================================
# nearly all parameters can be overridden in ansible-playbook
# or with command line flags. ansible will read ANSIBLE_CONFIG,
# ansible.cfg in the current working directory, .ansible.cfg in
# the home directory or /etc/ansible/ansible.cfg, whichever it
# finds first
[defaults]
# some basic default values...
inventory = hosts
#library = /usr/share/my_modules/
#module_utils = /usr/share/my_module_utils/
remote_tmp = ~/.ansible/tmp
#local_tmp = ~/.ansible/tmp
#forks = 5
#poll_interval = 15
#sudo_user = root
#ask_sudo_pass = True
#ask_pass = True
#transport = smart
#remote_port = 22
#module_lang = C
#module_set_locale = False
roles_path = roles
# plays will gather facts by default, which contain information about
# the remote system.
#
# smart - gather by default, but don't regather if already gathered
# implicit - gather by default, turn off with gather_facts: False
# explicit - do not gather by default, must say gather_facts: True
#gathering = implicit
# This only affects the gathering done by a play's gather_facts directive,
# by default gathering retrieves all facts subsets
# all - gather all subsets
# network - gather min and network facts
# hardware - gather hardware facts (longest facts to retrieve)
# virtual - gather min and virtual facts
# facter - import facts from facter
# ohai - import facts from ohai
# You can combine them using comma (ex: network,virtual)
# You can negate them using ! (ex: !hardware,!facter,!ohai)
# A minimal set of facts is always gathered.
#gather_subset = all
# some hardware related facts are collected
# with a maximum timeout of 10 seconds. This
# option lets you increase or decrease that
# timeout to something more suitable for the
# environment.
# gather_timeout = 10
# additional paths to search for roles in, colon separated
#roles_path = /etc/ansible/roles
# uncomment this to disable SSH key host checking
#host_key_checking = False
# change the default callback
#stdout_callback = skippy
# enable additional callbacks
#callback_whitelist = timer, mail
# Determine whether includes in tasks and handlers are "static" by
# default. As of 2.0, includes are dynamic by default. Setting these
# values to True will make includes behave more like they did in the
# 1.x versions.
#task_includes_static = True
#handler_includes_static = True
# Controls if a missing handler for a notification event is an error or a warning
#error_on_missing_handler = True
# change this for alternative sudo implementations
#sudo_exe = sudo
# What flags to pass to sudo
# WARNING: leaving out the defaults might create unexpected behaviours
#sudo_flags = -H -S -n
# SSH timeout
#timeout = 10
# default user to use for playbooks if user is not specified
# (/usr/bin/ansible will use current user as default)
#remote_user = root
# logging is off by default unless this path is defined
# if so defined, consider logrotate
#log_path = /var/log/ansible.log
# default module name for /usr/bin/ansible
#module_name = command
# use this shell for commands executed under sudo
# you may need to change this to bin/bash in rare instances
# if sudo is constrained
#executable = /bin/sh
# if inventory variables overlap, does the higher precedence one win
# or are hash values merged together? The default is 'replace' but
# this can also be set to 'merge'.
#hash_behaviour = replace
# by default, variables from roles will be visible in the global variable
# scope. To prevent this, the following option can be enabled, and only
# tasks and handlers within the role will see the variables there
#private_role_vars = yes
# list any Jinja2 extensions to enable here:
#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n
# if set, always use this private key file for authentication, same as
# if passing --private-key to ansible or ansible-playbook
#private_key_file = /path/to/file
# If set, configures the path to the Vault password file as an alternative to
# specifying --vault-password-file on the command line.
#vault_password_file = /path/to/vault_password_file
# format of string {{ ansible_managed }} available within Jinja2
# templates indicates to users editing templates files will be replaced.
# replacing {file}, {host} and {uid} and strftime codes with proper values.
#ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
# {file}, {host}, {uid}, and the timestamp can all interfere with idempotence
# in some situations so the default is a static string:
#ansible_managed = Ansible managed
# by default, ansible-playbook will display "Skipping [host]" if it determines a task
# should not be run on a host. Set this to "False" if you don't want to see these "Skipping"
# messages. NOTE: the task header will still be shown regardless of whether or not the
# task is skipped.
#display_skipped_hosts = True
# by default, if a task in a playbook does not include a name: field then
# ansible-playbook will construct a header that includes the task's action but
# not the task's args. This is a security feature because ansible cannot know
# if the *module* considers an argument to be no_log at the time that the
# header is printed. If your environment doesn't have a problem securing
# stdout from ansible-playbook (or you have manually specified no_log in your
# playbook on all of the tasks where you have secret information) then you can
# safely set this to True to get more informative messages.
#display_args_to_stdout = False
# by default (as of 1.3), Ansible will raise errors when attempting to dereference
# Jinja2 variables that are not set in templates or action lines. Uncomment this line
# to revert the behavior to pre-1.3.
#error_on_undefined_vars = False
# by default (as of 1.6), Ansible may display warnings based on the configuration of the
# system running ansible itself. This may include warnings about 3rd party packages or
# other conditions that should be resolved if possible.
# to disable these warnings, set the following value to False:
#system_warnings = True
# by default (as of 1.4), Ansible may display deprecation warnings for language
# features that should no longer be used and will be removed in future versions.
# to disable these warnings, set the following value to False:
#deprecation_warnings = True
# (as of 1.8), Ansible can optionally warn when usage of the shell and
# command module appear to be simplified by using a default Ansible module
# instead. These warnings can be silenced by adjusting the following
# setting or adding warn=yes or warn=no to the end of the command line
# parameter string. This will for example suggest using the git module
# instead of shelling out to the git command.
# command_warnings = False
# set plugin path directories here, separate with colons
#action_plugins = /usr/share/ansible/plugins/action
#cache_plugins = /usr/share/ansible/plugins/cache
#callback_plugins = /usr/share/ansible/plugins/callback
#connection_plugins = /usr/share/ansible/plugins/connection
#lookup_plugins = /usr/share/ansible/plugins/lookup
#inventory_plugins = /usr/share/ansible/plugins/inventory
#vars_plugins = /usr/share/ansible/plugins/vars
#filter_plugins = /usr/share/ansible/plugins/filter
#test_plugins = /usr/share/ansible/plugins/test
#terminal_plugins = /usr/share/ansible/plugins/terminal
#strategy_plugins = /usr/share/ansible/plugins/strategy
# by default, ansible will use the 'linear' strategy but you may want to try
# another one
#strategy = free
# by default callbacks are not loaded for /bin/ansible, enable this if you
# want, for example, a notification or logging callback to also apply to
# /bin/ansible runs
#bin_ansible_callbacks = False
# don't like cows? that's unfortunate.
# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1
#nocows = 1
# set which cowsay stencil you'd like to use by default. When set to 'random',
# a random stencil will be selected for each task. The selection will be filtered
# against the `cow_whitelist` option below.
#cow_selection = default
#cow_selection = random
# when using the 'random' option for cowsay, stencils will be restricted to this list.
# it should be formatted as a comma-separated list with no spaces between names.
# NOTE: line continuations here are for formatting purposes only, as the INI parser
# in python does not support them.
#cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes,\
# hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus,\
# stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www
# don't like colors either?
# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1
#nocolor = 1
# if set to a persistent type (not 'memory', for example 'redis') fact values
# from previous runs in Ansible will be stored. This may be useful when
# wanting to use, for example, IP information from one group of servers
# without having to talk to them in the same playbook run to get their
# current IP information.
#fact_caching = memory
# retry files
# When a playbook fails by default a .retry file will be created in ~/
# You can disable this feature by setting retry_files_enabled to False
# and you can change the location of the files by setting retry_files_save_path
#retry_files_enabled = False
#retry_files_save_path = ~/.ansible-retry
# squash actions
# Ansible can optimise actions that call modules with list parameters
# when looping. Instead of calling the module once per with_ item, the
# module is called once with all items at once. Currently this only works
# under limited circumstances, and only with parameters named 'name'.
#squash_actions = apk,apt,dnf,homebrew,pacman,pkgng,yum,zypper
# prevents logging of task data, off by default
#no_log = False
# prevents logging of tasks, but only on the targets, data is still logged on the master/controller
#no_target_syslog = False
# controls whether Ansible will raise an error or warning if a task has no
# choice but to create world readable temporary files to execute a module on
# the remote machine. This option is False by default for security. Users may
# turn this on to have behaviour more like Ansible prior to 2.1.x. See
# https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user
# for more secure ways to fix this than enabling this option.
#allow_world_readable_tmpfiles = False
# controls the compression level of variables sent to
# worker processes. At the default of 0, no compression
# is used. This value must be an integer from 0 to 9.
#var_compression_level = 9
# controls what compression method is used for new-style ansible modules when
# they are sent to the remote system. The compression types depend on having
# support compiled into both the controller's python and the client's python.
# The names should match with the python Zipfile compression types:
# * ZIP_STORED (no compression. available everywhere)
# * ZIP_DEFLATED (uses zlib, the default)
# These values may be set per host via the ansible_module_compression inventory
# variable
#module_compression = 'ZIP_DEFLATED'
# This controls the cutoff point (in bytes) on --diff for files
# set to 0 for unlimited (RAM may suffer!).
#max_diff_size = 1048576
# This controls how ansible handles multiple --tags and --skip-tags arguments
# on the CLI. If this is True then multiple arguments are merged together. If
# it is False, then the last specified argument is used and the others are ignored.
#merge_multiple_cli_flags = False
# Controls showing custom stats at the end, off by default
#show_custom_stats = True
# Controls which files to ignore when using a directory as inventory with
# possibly multiple sources (both static and dynamic)
#inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo
# This family of modules use an alternative execution path optimized for network appliances
# only update this setting if you know how this works, otherwise it can break module execution
#network_group_modules=['eos', 'nxos', 'ios', 'iosxr', 'junos', 'vyos']
# When enabled, this option allows lookups (via variables like {{lookup('foo')}} or when used as
# a loop with `with_foo`) to return data that is not marked "unsafe". This means the data may contain
# jinja2 templating language which will be run through the templating engine.
# ENABLING THIS COULD BE A SECURITY RISK
#allow_unsafe_lookups = False
[privilege_escalation]
#become=True
#become_method=sudo
#become_user=root
#become_ask_pass=False
[paramiko_connection]
# uncomment this line to cause the paramiko connection plugin to not record new host
# keys encountered. Increases performance on new host additions. Setting works independently of the
# host key checking setting above.
#record_host_keys=False
# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this
# line to disable this behaviour.
#pty=False
# paramiko will default to looking for SSH keys initially when trying to
# authenticate to remote devices. This is a problem for some network devices
# that close the connection after a key failure. Uncomment this line to
# disable the Paramiko look for keys function
#look_for_keys = False
# When using persistent connections with Paramiko, the connection runs in a
# background process. If the host doesn't already have a valid SSH key, by
# default Ansible will prompt to add the host key. This will cause connections
# running in background processes to fail. Uncomment this line to have
# Paramiko automatically add host keys.
#host_key_auto_add = True
[ssh_connection]
# ssh arguments to use
# Leaving off ControlPersist will result in poor performance, so use
# paramiko on older platforms rather than removing it, -C controls compression use
#ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
# The base directory for the ControlPath sockets.
# This is the "%(directory)s" in the control_path option
#
# Example:
# control_path_dir = /tmp/.ansible/cp
#control_path_dir = ~/.ansible/cp
# The path to use for the ControlPath sockets. This defaults to a hashed string of the hostname,
# port and username (empty string in the config). The hash mitigates a common problem users
# found with long hostames and the conventional %(directory)s/ansible-ssh-%%h-%%p-%%r format.
# In those cases, a "too long for Unix domain socket" ssh error would occur.
#
# Example:
# control_path = %(directory)s/%%h-%%r
#control_path =
# Enabling pipelining reduces the number of SSH operations required to
# execute a module on the remote server. This can result in a significant
# performance improvement when enabled, however when using "sudo:" you must
# first disable 'requiretty' in /etc/sudoers
#
# By default, this option is disabled to preserve compatibility with
# sudoers configurations that have requiretty (the default on many distros).
#
#pipelining = False
# Control the mechanism for transferring files (old)
# * smart = try sftp and then try scp [default]
# * True = use scp only
# * False = use sftp only
#scp_if_ssh = smart
# Control the mechanism for transferring files (new)
# If set, this will override the scp_if_ssh option
# * sftp = use sftp to transfer files
# * scp = use scp to transfer files
# * piped = use 'dd' over SSH to transfer files
# * smart = try sftp, scp, and piped, in that order [default]
#transfer_method = smart
# if False, sftp will not use batch mode to transfer files. This may cause some
# types of file transfer failures impossible to catch however, and should
# only be disabled if your sftp version has problems with batch mode
#sftp_batch_mode = False
[persistent_connection]
# Configures the persistent connection timeout value in seconds. This value is
# how long the persistent connection will remain idle before it is destroyed.
# If the connection doesn't receive a request before the timeout value
# expires, the connection is shutdown. The default value is 30 seconds.
connect_timeout = 30
# Configures the persistent connection retries. This value configures the
# number of attempts the ansible-connection will make when trying to connect
# to the local domain socket. The default value is 30.
connect_retries = 30
# Configures the amount of time in seconds to wait between connection attempts
# to the local unix domain socket. This value works in conjunction with the
# connect_retries value to define how long to try to connect to the local
# domain socket when setting up a persistent connection. The default value is
# 1 second.
connect_interval = 1
[accelerate]
#accelerate_port = 5099
#accelerate_timeout = 30
#accelerate_connect_timeout = 5.0
# The daemon timeout is measured in minutes. This time is measured
# from the last activity to the accelerate daemon.
#accelerate_daemon_timeout = 30
# If set to yes, accelerate_multi_key will allow multiple
# private keys to be uploaded to it, though each user must
# have access to the system via SSH to add a new key. The default
# is "no".
#accelerate_multi_key = yes
[selinux]
# file systems that require special treatment when dealing with security context
# the default behaviour that copies the existing context or uses the user default
# needs to be changed to use the file system dependent context.
#special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p
# Set this to yes to allow libvirt_lxc connections to work without SELinux.
#libvirt_lxc_noseclabel = yes
[colors]
#highlight = white
#verbose = blue
#warn = bright purple
#error = red
#debug = dark gray
#deprecate = purple
#skip = cyan
#unreachable = red
#ok = green
#changed = yellow
#diff_add = green
#diff_remove = red
#diff_lines = cyan
[diff]
# Always print diff when running ( same as always running with -D/--diff )
# always = no
# Set how many context lines to show in diff
# context = 3
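Review bot: this is the stock example `ansible.cfg` with three lines changed (`inventory = hosts`, `remote_tmp = ~/.ansible/tmp`, `roles_path = roles`) and the three `[persistent_connection]` values uncommented at their defaults; committing only the overrides would make it obvious what is actually configured and would not reintroduce commented-out `[accelerate]` settings that no longer apply. Two defaults worth confirming as deliberate: `host_key_checking` stays enabled (good, since `install-arch` replaces host keys), and `vault_password_file` stays unset even though `.gitignore` reserves `vault-secret.txt`; setting `vault_password_file = vault-secret.txt` here would make the two consistent. `retry_files_enabled` is also left on, which is the only reason `*.retry` needs ignoring; turning it off is simpler.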

@ -0,0 +1,35 @@
---
arch_groups:
- dev
- tu
- archboxes-sudo
- freifunk
arch_users:
aur_builder:
name: "aur_builder"
ssh_key: kreativmonkey.pub
kreativmnokey:
name: "Sebastian Preisner"
ssh_key: kreativmonkey.pub
groups:
- dev
ataflinsky:
name: "Ansgar Taflinsky"
ssh_key: ansgar.pub
groups:
- tu
- freifunk
adlerweb:
name: "Florian Knodt"
ssh_key: adlerweb.pub
groups:
- tu
- freifunk
niyawe:
name: "Niklas Yann Wettengel"
ssh_key: niyawe.pub
groups:
- dev
- freifunk
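Review bot: the dictionary key `kreativmnokey` is misspelled. The archusers role creates the account from the key, so the system user will be `kreativmnokey` while `sudo_users` lists `kreativmonkey`; the sudo grant will not apply to the account that actually exists. `aur_builder` has no `groups` list, and the role's `groups: "{{ item.value.groups | join(',') }}"` will fail on an undefined attribute for it; add `groups: []` here or `default([])` in the role. `aur_builder` also reuses `kreativmonkey.pub`, so the full personal key set (including the smartphone key in that file) logs straight into the build account; a dedicated key for the build user keeps the two roles separable.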

@ -0,0 +1,6 @@
$ANSIBLE_VAULT;1.1;AES256
36643833306339303332306161653634303135333138323633303632663238353964623439373133
3533313534613533393131646464656535383539366634650a313962376139616637643537616632
66653266393465343265636266363766636134313734616664353532316465393363663561343234
6132386334376366630a663063366531633965633462363731633435653366386532383232323239
66356134363937376134663864646165656265396135313232333136376561626630

@ -0,0 +1,27 @@
---
container:
webserver:
network:
ipv4: 10.0.1.100
ipv6: 2a01:4f8:191:248f::10
autostart: false
nginx.revproxy:
network:
ipv4: 10.0.1.10
ipv6: 2a01:4f8:191:248f::10
ports:
- "80"
autostart: true
nextcloud:
urls:
- www.oc4.de
network:
ipv4: 10.0.1.41
ipv6: 2a01:4f8:191:248f::41
autostart: true
clone: webserver
groups:
- delayedstart
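Review bot: `webserver` and `nginx.revproxy` are both given `ipv6: 2a01:4f8:191:248f::10` (fifth and tenth lines of the hunk), an address collision once both containers are up; `webserver` has IPv4 `10.0.1.100`, so its IPv6 was probably meant to be `::100`. These addresses are also in `2a01:4f8:191:248f::/64`, while `lxc_ipv6_address` in the `pegasus` host_vars is in `2a01:4f8:191:2309::/64`; the containers will not share the host bridge's prefix unless one side is corrected. `ports: - "80"` on the reverse proxy with no `443` entry is worth a comment on whether TLS terminates elsewhere.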

@ -0,0 +1,7 @@
$ANSIBLE_VAULT;1.1;AES256
34646431336463346165343261336361323461633439656362376537356431623434383435373738
3635613563383066646262303635636230313532666262340a313063646136613931303237623562
35323630616134376365613534333330336236373137663837326264373338656466666135313938
3561626665636535360a333435613664643232623066393765643937643731346562663937366437
34613137383066386362633631623438356633363266633030356531666536646331353264383235
3461316138663930376539623931353564646466343338346136

@ -0,0 +1,10 @@
---
root_ssh_keys:
- kreativmonkey.pub
- ansgar.pub
- niyawe.pub
- adlerweb.pub
root_gpgkeys:
- 7792AF9901C0BC4B2B691A16A34BF64C69048539 # kreativmonkey
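Review bot: `root_ssh_keys` installs every key from four files for root, but three of those files as committed (`adlerweb.pub`, `ansgar.pub`, `niyawe.pub`) consist only of lines starting with `#`, so no usable key is present for those people and root is reachable only with the keys in `kreativmonkey.pub`. That file in turn holds four keys, one labelled `sebastian@smartphone`; a phone key with root on every host deserves a second thought, and a smaller, purpose-specific key set for root would limit the blast radius of any one lost device.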

@ -0,0 +1,5 @@
---
sudo_users:
- kreativmonkey
- aur_builder
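Review bot: `kreativmonkey` is listed here, but `arch_users` defines the account under the misspelled key `kreativmnokey`, so the user that actually gets created will not be in the sudo list. Giving `aur_builder` full sudo also defeats the point of a dedicated unprivileged build user; the usual pattern for AUR builds is a sudoers rule limited to `pacman` for that account, not membership in the general sudo group.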

@ -0,0 +1 @@
configure_network: true

@ -0,0 +1,24 @@
---
hostname: "pegasus"
ipv4_address: "144.76.32.10"
ipv4_netmask: "/32"
ipv6_address: "2a01:4f8:191:2309::2"
ipv6_netmask: "/128"
ipv4_gateway: "144.76.32.1"
ipv6_gateway: "fe80::1"
mac_address: "50:46:5d:9f:f5:d8"
lxc_ipv4_address: 10.0.1.1
lxc_ipv4_netmask: "/24"
lxc_ipv6_address: "2a01:4f8:191:2309::2"
lxc_ipv6_netmask: "/64"
filesystem: btrfs
# FIXME: this should probably be configured another way. maybe the
# mysql/postgres roles should deploy the credentials themselves
#postgres_backup_dir: "/var/lib/postgres/backup"
#mysql_backup_dir: "/root/backup-mysql"
#mysql_backup_defaults: "/root/.backup-my.cnf"
#kanboard_version: "v1.2.4"
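Review bot: `lxc_ipv6_address` is `2a01:4f8:191:2309::2`, identical to `ipv6_address` (fifth and twelfth lines of the hunk), so the LXC bridge would reuse the host's own public IPv6 under a /64 mask; the bridge needs its own address in the subnet, and the container addresses in `group_vars` are in `2a01:4f8:191:248f::/64`, a different prefix altogether. The commented `postgres_backup_dir` / `mysql_backup_dir` / `mysql_backup_defaults` lines deserve a decision rather than a FIXME: the borg-client role keys its dump tasks on these variables being defined, so leaving them commented silently disables database dumps on this host while the rest of the backup still reports success.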

hosts

@ -0,0 +1,10 @@
[hetzner]
predator
pegasus
[borg-clients]
predator
pegasus
[others]
ffmyk ansible_port=2227 ansible_host=144.76.33.144
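Review bot: `[borg-clients]` repeats `[hetzner]` exactly; `[borg-clients:children]` with `hetzner` underneath would keep the two from drifting apart. `ffmyk` is only in `[others]` and so gets no borg backup, but it is still in `all` and therefore receives the sshd, netctl and root_ssh roles from `all-hosts-basic.yml`; if that is intended, a comment here would save the next reader a surprise.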

@ -0,0 +1,13 @@
- name: basic setup for all hosts
hosts: all
remote_user: root
roles:
- { role: common, tags: ['common'] }
- { role: tools, tags: ['tools'] }
# reconfiguring sshd may break the AUR on luna (unchecked)
- { role: sshd, tags: ['sshd'] }
- { role: root_ssh, tags: ['root_ssh'] }
- { role: borg-client, tags: ["borg"], when: "'borg-clients' in group_names" }
- { role: netctl, tags: ['netctl'] }
- { role: bashit, tags: ['bashit'] }
- { role: archusers, tags: ['archusers'] }
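Review bot: role order puts `sshd` before `root_ssh` and `archusers`. If the sshd role tightens authentication and a later role then fails, or a key file turns out to be empty (three of the committed `.pub` files are), the host is left without a working login; run `root_ssh` and `archusers` first and `sshd` last, so keys are in place before sshd is reconfigured. The comment about `luna` refers to a host that is not in the inventory, so it cannot be verified against this commit. Everything runs as `remote_user: root`, which is acceptable for bootstrap, but note the play targets `all`, including `ffmyk` under `[others]`.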

@ -0,0 +1,8 @@
# This script is for provisioning a server for first boot.
# Care: It is not idempotent by design.
- name: install_arch
hosts: all
remote_user: root
roles:
- install_arch
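Review bot: `hosts: all` on a play that is by its own comment destructive and non-idempotent (it formats disks and builds a RAID) relies entirely on the operator remembering `-l $host`, as the README says. Use a pattern that cannot match everything by accident, for example `hosts: "{{ target }}"` supplied with `-e target=pegasus`, or add a `vars_prompt` that asks for the host name and fails on mismatch, so that an omitted limit aborts instead of reinstalling every server in `[hetzner]`. `remote_user: root` is correct for the Hetzner rescue system.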

@ -0,0 +1 @@
Subproject commit 38d3785501466f0a9882d6e7748f51f45e798fb5

@ -0,0 +1 @@
#command="tmux -S /tmp/shareds attach -t shared" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCv2OexkRcyzBspaRlOtqt9/C3dZpDO/kbv/BOjQ/tepgYpVMD9PMiR/d4mral5q8BYV5ldLcn3CYHGNAOvWICQDidFGGz/WuzmHeMV1tHz35ZVqXFfKYApDNVCkVOC78hx/UtAFX4pmJn28/ZplmnayCnhK97mQGG5AsVrRNMDzu118ax+dGD+HeCSqBgEgx+9QkHojMbL3UydryIN82nQ328laDbgOFgT0MWURqERH3REZ0wGvLaYZEipVM2U+GrZ38/JrPnNex3bh7nbAHdPDZvuJY2p2pHS3JXy7aKsZ7McNVBVgLa8PlBq2aTlPd7QMf/InX12mJ2KwFpDHF94FEv8cAn0grbBTmDxvEd8rPxysmr4uShC60MJCYWWIFyn+ulnXdVaRYfTD6X/LBO8tk8qbHYJaganP8fwHnfvbFtoRDkbTNOtl9VT+s3l6C59H5Tlrd3+I5FNbXRzMmOPz23doVnXFjkUeYpDZhzJN9t4vkY1LknVKg5XO716KyDruqz8oCNxrVgmnBCF7mi5xgbrAPQG9MwtEUja4sid9qTcwD7/VDAhKD1U5A7hO2HU6rEhkg6UOgJXG8cMy40dYBDia4rJxQi/YkkWku3B9s7/APD8gunkpvSF1W9WPsWy/duIqzB3ZzUBJh/JZ+Hawi5c/Jz6BVJg81gPC5Q== adlerweb@OP-Server
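Review bot: the whole line begins with `#`, so as written it is a comment and carries no active key; whether `authorized_key` writes it through or rejects it, nothing usable lands in `authorized_keys`. If the intent was to drop the forced `tmux` command, delete only the `command="..."` option and keep `ssh-rsa ...`; if the forced command is wanted, remove the leading `#`. A `command=` option by itself does not block port or agent forwarding; pair it with `no-port-forwarding,no-agent-forwarding,no-X11-forwarding` (not `no-pty`, since tmux needs a terminal).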

@ -0,0 +1,2 @@
#command="tmux -S /tmp/shareds attach -t shared" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnUB+62q/uDfc+PALzkEbwhNxkkCVT1Au2qTb0LMGaqhKo337X2P1ElpSKva9fvvIS2q8u+xu7hchOPaIUMQk2qqR/wEbySQxKHwjuy55inepJSu5R1Wc6AMEcVo6edQJbo589etSx7XIAcUwB0OuMLQNSDyaBGd7LHHvmaAJPDFsAThHGDqj3bjxSC5mdNzjMaLe5XhLhscINV0vuFTdTMW4PYH/80Yw3xWVJkbYsYM+Zjx8ae/Int9flvJ/yjCtkfWYm33MZQuyENJp2jMZt4wD+VSaeVirCEW0KnhrlISjj8R+pHGFI+IDAM3mhHw5yWAfpP+SGsidspCjFpgzf ataflinski@fgm
#ssh-rsa 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 ansgar@manning
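Review bot: both lines are commented out, so this file contributes no key at all; `ataflinsky` and root (via `root_ssh_keys`) end up with nothing usable from it. The first line has the same `#command=` prefix problem as `adlerweb.pub`; the second line's key material is elided on this page, so it cannot be checked. The user is called `ataflinsky` in `arch_users` while the key comment reads `ataflinski@fgm`; harmless to sshd, but confusing if the comment is ever used to identify keys.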

@ -0,0 +1,4 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2bbsrZLJ2271iSb04qpoUDlbrH19aTXUlzFaQSp1KO0BjCxdNvY1x6ZjkIPUC0YeaVGePu0cBJFWYZKpPRiz5hbWeFgaVvhbAlhxAMSlgdjLiN2alc92mBX40NhrpgSV/hGB5KAqqBQr9y01g9I5GRl9jdXgzUA9hhbqxls6tvXxGN2SJC3TFbUj+2PPpn8Cw2ZJiKsKZIoQfs9ZQuv2xDi7E6voqBALlYWd217ZgBezklrpm48dDisGI/WdZyllgk0XyxXwRSSD8QINTPjWmKXk5ZNH65J0KyDlnrZsgQuQbsN3jGgJsPfR6tydVITd1IXtSwawUYZ+JU8wwp6CR sebastian@gartenzwerk
ssh-rsa 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 kreativmonkey@DataCore
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9EwjHmm57L7WGeD6KU49D7NyNJLI7N5KR1GxUN+yPSnShD5BsfKyrfHS2U7SP6rN4RVhCh4D8OqpaZySuASD2ImWxD23A5SHy2AlaSedMb+a9Gi6ODeSZbvZIjutu9YMk7PtssfZxNi25gsbzWrERQM2mNpJtDjNx5jxA+EYbjOu8hhqV8+n7a9YRbahnhGQbp1H6DmiPIqELXCJAKr3iUb/ZZHlV9BF7eGMK9jYa24dHFtxAtojjbl8DhZzVJ+bHf6afXlDA4+qYjHnb/OMW23oSvHBtSPsfPaC53ML6BKymON56Os3lPTuCT5tvUN4qmMZksRWjGhiMLbd4noF sebastian@smartphone
ssh-rsa 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 sebastian@Bulido
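Review bot: four keys in one file, and the file is consumed three times (user `kreativmonkey`, `aur_builder`, and root via `root_ssh_keys`), so every one of these devices, including `sebastian@smartphone`, gets root and the build account on every host. Split this into per-purpose files, or at least keep the phone key out of the root set. The two keys whose material is visible are 2048-bit RSA (the `AAABAQ` length prefix); still acceptable, but new keys should be ed25519, and the two elided lines cannot be assessed here.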

@ -0,0 +1 @@
#command="tmux -S /tmp/shareds attach -t shared" ssh-rsa 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 niyawe@niyawe.de
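Review bot: same problem as `adlerweb.pub`: the line is commented out, so `niyawe` and root get no key from this file.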

@ -0,0 +1,33 @@
---
- name: create Arch Linux-specific groups
group: name="{{ item }}" state=present system=no
with_items: "{{ arch_groups }}"
- name: create Arch Linux-specific users
user:
name: "{{ item.key }}"
group: users
groups: "{{ item.value.groups | join(',') }}"
comment: "{{ item.value.name}}"
state: present
with_dict: "{{ arch_users }}"
- name: configure ssh keys
authorized_key:
user: "{{ item.key }}"
key: "{{ lookup('file', '../pubkeys/' + item.value.ssh_key) }}"
manage_dir: yes
state: present
exclusive: yes
when: item.value.ssh_key is defined
with_dict: "{{ arch_users }}"
- name: get list of remote users
find: paths="/home" file_type="directory"
register: all_users
- name: disable ssh keys of disabled users
file: path="/home/{{ item }}/.ssh/authorized_keys" state=absent
when: item not in "{{ arch_users }}"
with_items: "{{ all_users.files | map(attribute='path') | map('basename') | list }}"
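Review bot: `groups: "{{ item.value.groups | join(',') }}"` raises an undefined-variable error for `aur_builder`, which has no `groups` entry in `arch_users`; use `{{ item.value.groups | default([]) | join(',') }}`. In the last task, `when: item not in "{{ arch_users }}"` wraps the variable in quotes and braces, which stringifies the dictionary and turns the test into a substring match (Ansible also warns about templating inside `when`); write `when: item not in arch_users`. That task only removes `authorized_keys` for home directories absent from `arch_users`; it neither locks the account nor expires it, so a removed user with a password or any other login path stays valid, and it will also strip keys from any `/home` user managed outside this role. Minor: the lookup path `../pubkeys/` disagrees with the README's `publickeys/`, and `comment: "{{ item.value.name}}"` lacks a space before `}}` (harmless).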

@ -0,0 +1,5 @@
- name: Install Bash-it
shell: ~/.bash_it/install.sh --silent
- name: reload source
command: source /root/.bashrc
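Review bot: `command: source /root/.bashrc` cannot work: `source` is a shell builtin, not an executable, so the `command` module fails with a not-found error, and even under `shell` it would only affect the throwaway subprocess. Drop the `reload source` handler and its `notify`; `.bashrc` is read at the next login anyway. The install handler runs `~/.bash_it/install.sh` as root straight from the clone; see the note on the tasks file about pinning what gets executed.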

@ -0,0 +1,45 @@
---
- name: Check Bash-It Installation
stat:
path: ~/.bash_it
register: install
- name: Clone Bash-it
git:
repo: https://github.com/Bash-it/bash-it.git
dest: ~/.bash_it
depth: 1
update: no
notify:
- Install Bash-it
- reload source
when: not install.stat.exists
- name: Update Bash-it
shell: bash-it update
when: install.stat.exists
- name: setup-bashit-theme
lineinfile:
path: .bashrc
regexp: "(export BASH_IT_THEME=)[('a-z')]+"
line: "export BASH_IT_THEME='candy'"
- name: enable bashit plugins
shell: bashit enable plugins {{ .items }}
with_items:
- history
- git
- alias-completion
- autojump
- base
- tmux
- name: enable bashit aliases
shell: bashit enable aliases {{ .items }}
with_items:
- general
- git
- gitsvn
- tmux
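Review bot: `{{ .items }}` is not valid Jinja (the loop variable is `item`), and the executable is spelled `bash-it`, not `bashit`, so both `enable` tasks fail as written. `bash-it` is a shell function defined when `~/.bash_it/bash_it.sh` is sourced, not a binary, so the `shell` module (which uses `/bin/sh`) will not find it even after the spelling is fixed; the same applies to `Update Bash-it`. Run these through a login bash, e.g. `bash -lc 'bash-it ...'`, or source `bash_it.sh` explicitly in the shell line. `lineinfile: path: .bashrc` is a relative path that depends on the remote working directory; use `/root/.bashrc`. The `git` clone pins nothing (`depth: 1`, no `version:`) and the handler then executes `install.sh` from it as root, which is unpinned remote code execution on every new host; set `version:` to a tag or commit so what runs is reviewable. The theme regexp `[('a-z')]+` is a character class that includes quotes and parentheses; `'[a-z]+'` is presumably what was meant.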

@ -0,0 +1,2 @@
backup_host: "kreativmonkey@core.oc4.de"
backup_dir: "/backup/{{inventory_hostname}}"
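Review bot: `backup_host: "kreativmonkey@core.oc4.de"` makes every client push as the same personal account, so a compromised client holds a key that can read and delete every other host's repository under `/backup/`. Use a per-client account, or at least a per-client key with a forced command in the backup host's `authorized_keys`, such as `command="borg serve --restrict-to-path /backup/<host> --append-only",restrict`, so a client can only append to its own repository. The `{{inventory_hostname}}` in `backup_dir` already gives the per-host path this needs.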

@ -0,0 +1,6 @@
[Unit]
Description=Borg backup
[Service]
Type=oneshot
ExecStart=/usr/local/bin/borg-backup.sh

@ -0,0 +1,9 @@
[Unit]
Description=Borg backup
[Timer]
OnCalendar=daily
Persistent=true
[Install]
WantedBy=timers.target

@ -0,0 +1,64 @@
- name: install borg and tools
pacman: name=borg,perl-app-borgrestore state=present
- name: install borg-restore config
template: src=borg-restore.cfg.j2 dest=/etc/borg-restore.cfg owner=root group=root mode=0644
- name: check if borg repository already exists
command: borg list {{ backup_host }}:{{ backup_dir }}
register: borg_list
ignore_errors: True
- name: init borg repository
command: borg init -e keyfile {{ backup_host }}:{{ backup_dir }}
when: borg_list | failed
environment:
BORG_PASSPHRASE: ""
ignore_errors: True # This can sometimes fail if a backup is in progress :/
- name: install scripts
template: src={{item}}.j2 dest=/usr/local/bin/{{item}} owner=root group=root mode=0755
with_items:
- borg-backup.sh
- borg
- name: install postgres backup script
template: src=backup-postgres.sh.j2 dest=/usr/local/bin/backup-postgres.sh owner=root group=root mode=0755
when: postgres_backup_dir is defined
- name: check whether postgres user exists
command: getent passwd postgres
register: check_postgres_user
ignore_errors: True
- name: make postgres backup directory
file: path=/var/lib/postgres/backup owner=postgres group=postgres state=directory
when: check_postgres_user|succeeded and postgres_backup_dir is defined
- name: install mysql backup script
template: src=backup-mysql.sh.j2 dest=/usr/local/bin/backup-mysql.sh owner=root group=root mode=0755
when: mysql_backup_dir is defined
- name: install mysql backup config
template: src=backup-my.cnf.j2 dest={{mysql_backup_defaults}}
when: mysql_backup_defaults is defined
- name: create mysql backup directory
file: path={{mysql_backup_dir}} state=directory owner=root group=root
when: mysql_backup_dir is defined
- name: install xtrabackup for mysql backup
pacman: name=xtrabackup state=installed
when: mysql_backup_dir is defined
- name: install systemd timers for backup
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
with_items:
- borg-backup.timer
- borg-backup.service
- name: activate systemd timers for backup
service: name=borg-backup.timer enabled=yes state=started
- name: enable systemd ressource accounting
command: systemctl set-property borg-backup CPUAccounting=yes MemoryAccounting=yes
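Review bot: `borg init -e keyfile` with `BORG_PASSPHRASE: ""` leaves a key file on the client with no passphrase. That is defensible for unattended backups, but nothing here exports the key anywhere, so losing the client means losing the ability to read its archives; add a `borg key export` step (the `/borg-keys/` entry in `.gitignore` suggests that was the plan) and `fetch` the result to the controller. `ignore_errors: True` on the init task hides real failures (wrong host, rejected key), after which every `borg create` fails instead; narrow it with `failed_when` on the lock message the comment mentions. `when: borg_list | failed` and `check_postgres_user|succeeded` use the deprecated filter form; write `borg_list is failed` and `check_postgres_user is succeeded`. The `borg list` probe should carry `changed_when: false`. The postgres directory task hardcodes `/var/lib/postgres/backup` while the script uses `{{ postgres_backup_dir }}`. `systemctl set-property borg-backup CPUAccounting=yes MemoryAccounting=yes` reports changed on every run and is not captured by the unit file; put `CPUAccounting=yes` and `MemoryAccounting=yes` under `[Service]` in `borg-backup.service` instead.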

@ -0,0 +1,3 @@
[client]
user = root
password = "{{mariadb_users.root}}"
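Review bot: this file holds the MariaDB root password in clear text, and the task that writes it (`template: src=backup-my.cnf.j2 dest={{mysql_backup_defaults}}`) sets no `owner`, `group` or `mode`, so the file takes the remote umask, typically 0644. Add `owner=root group=root mode=0600` to that task. On `pegasus` the variable is currently commented out, so the file is not deployed there at all.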

@ -0,0 +1,8 @@
#!/bin/bash
mysql_opts="--defaults-file={{mysql_backup_defaults}}"
backupdir="{{mysql_backup_dir}}"
[[ ! -d "$backupdir" ]] && mkdir -p "$backupdir"
rm -rf "$backupdir"/*
xtrabackup $mysql_opts --backup --target-dir="$backupdir"
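Review bot: `rm -rf "$backupdir"/*` runs before the new backup is taken, so a failed `xtrabackup` leaves no local copy; and if `mysql_backup_dir` ever renders empty the line becomes `rm -rf /*`. Add `set -euo pipefail`, refuse to run unless `[[ -n "$backupdir" && "$backupdir" != "/" ]]`, and back up into a temporary sibling directory that is moved into place only on success. The directory itself is created by the role without a `mode` and will contain a full copy of the databases; give it `mode=0700`.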

@ -0,0 +1,18 @@
#!/bin/bash
#
# Script to backup all postgres databases individually
#
# Requires local login with `postgres` user and either trusted or peer auth.
#
DBLIST=($(sudo -u postgres psql -d postgres -qt -c 'SELECT datname from pg_database'))
for db in "${DBLIST[@]}"; do
if [[ $db =~ template[01] ]]; then
continue;
fi
echo "Dumping $db to {{ postgres_backup_dir }}";
sudo -u postgres pg_dump --serializable-deferrable -Fc "$db" > "{{ postgres_backup_dir }}/$db.dump"
done
echo "Dumping globals to {{ postgres_backup_dir }}"
sudo -u postgres pg_dumpall --globals-only > "{{ postgres_backup_dir }}/globals.sql.dump"
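Review bot: the `template[01]` test in `if [[ $db =~ template[01] ]]` is unanchored, so any database whose name merely contains `template0` or `template1` is silently skipped; anchor it as `^template[01]$`. The word-split array `DBLIST=($(...))` also breaks on database names containing spaces, and with no `set -e` a failing `pg_dump` still leaves a truncated `$db.dump` that borg will archive as if it were complete; check the exit status and write each dump to a temp file before moving it into place.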

@ -0,0 +1,52 @@
#!/usr/bin/env bash
set -e
src="/"
snapshotdir="/backup-snap"
##
# usage : is_btrfs( $path )
# return : whether $path is on a btrfs
# source: makechrootpkg from devtools
##
is_btrfs() {
[[ -e "$1" && "$(stat -f -c %T "$1")" == btrfs ]]
}
delete_snapshot() {
btrfs subvolume delete --commit-after "$snapshotdir"
}
if is_btrfs "$src"; then
if [[ -d "$snapshotdir" ]]; then
delete_snapshot
fi
btrfs subvolume snapshot -r "$src" "$snapshotdir"
src="$snapshotdir"
fi
systemctl is-active postgresql && /usr/local/bin/backup-postgres.sh || true
if systemctl is-active mysqld || systemctl is-active mariadb; then
/usr/local/bin/backup-mysql.sh || true
fi
borg create \
--verbose \
--stats \
--list \
-compression lz4 \
-e '/home/*/.cache/' \
-e /var/tmp \
-e /proc \
-e /sys \
-e /dev \
-e /run \
-e /tmp \
-e /var/cache \
{{ backup_host }}:{{ backup_dir }}::$(date "+%Y%m%d-%H%M%S") "$src"
borg prune -v {{ backup_host }}:{{ backup_dir }} --keep-daily=7 --keep-weekly=4 --keep-monthly=6
if [[ -d "$snapshotdir" ]]; then
delete_snapshot
fi
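Review bot: `-compression lz4` (single dash) is not a valid borg option; borg parses it as `-c ompression` (the checkpoint-interval short flag) and aborts, so this script cannot produce an archive as written. It should be `--compression lz4`. Two ordering problems once that is fixed: the btrfs snapshot is taken before the postgres/mysql dump scripts run, so the archive contains the previous run's dumps rather than the fresh ones (move the two dump calls above the snapshot block), and with `set -e` any failure in `borg create` or `borg prune` skips the trailing `delete_snapshot`, leaving the read-only snapshot behind; use `trap delete_snapshot EXIT` instead. Also note that once `src` becomes `/backup-snap`, the absolute excludes (`/home/*/.cache/`, `/var/cache`, ...) no longer match the archived paths, which are rooted at `backup-snap/` (the borg-restore prefix config in this commit acknowledges exactly that), so the cache directories end up in the archive; prefix the exclude patterns with `$src`.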

@ -0,0 +1,12 @@
# We set the repo in the /usr/local/bin/borg wrapper which is enough
$borg_repo = "";
{% if filesystem == "btrfs" %}
@backup_prefixes = (
{regex => "^/", replacement => "backup-snap/"},
);
{% endif %}
1;
# vim: set ft=perl:
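Review bot: the `backup-snap/` prefix mapping is switched on by the Ansible variable `filesystem == "btrfs"`, while borg-backup.sh decides at run time with `is_btrfs "/"`; if the two ever disagree (a host reinstalled with ext4 but the variable left unchanged, or vice versa), restores via borg-restore will look up paths under the wrong prefix. Derive both from the same source, for example by having the role set the variable from `ansible_mounts`.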

@ -0,0 +1,3 @@
#!/bin/bash
BORG_REPO="{{ backup_host }}:{{ backup_dir }}" exec /usr/bin/borg "$@"

@ -0,0 +1,2 @@
---
configure_network: false

@ -0,0 +1,213 @@
# Configuration file for dircolors, a utility to help you set the
# LS_COLORS environment variable used by GNU ls with the --color option.
# Copyright (C) 1996, 1999-2010 Free Software Foundation, Inc.
# Copying and distribution of this file, with or without modification,
# are permitted provided the copyright notice and this notice are preserved.
# The keywords COLOR, OPTIONS, and EIGHTBIT (honored by the
# slackware version of dircolors) are recognized but ignored.
# Below, there should be one TERM entry for each termtype that is colorizable
TERM Eterm
TERM ansi
TERM color-xterm
TERM con132x25
TERM con132x30
TERM con132x43
TERM con132x60
TERM con80x25
TERM con80x28
TERM con80x30
TERM con80x43
TERM con80x50
TERM con80x60
TERM cons25
TERM console
TERM cygwin
TERM dtterm
TERM eterm-color
TERM gnome
TERM gnome-256color
TERM jfbterm
TERM konsole
TERM kterm
TERM linux
TERM linux-c
TERM mach-color
TERM mlterm
TERM putty
TERM rxvt
TERM rxvt-256color
TERM rxvt-cygwin
TERM rxvt-cygwin-native
TERM rxvt-unicode
TERM rxvt-unicode256
TERM screen
TERM screen-256color
TERM screen-256color-bce
TERM screen-bce
TERM screen-w
TERM screen.linux
TERM vt100
TERM xterm
TERM xterm-16color
TERM xterm-256color
TERM xterm-88color
TERM xterm-color
TERM xterm-debian
TERM xterm-termite
# Below are the color init strings for the basic file types. A color init
# string consists of one or more of the following numeric codes:
# Attribute codes:
# 00=none 01=bold 04=underscore 05=blink 07=reverse 08=concealed
# Text color codes:
# 30=black 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 37=white
# Background color codes:
# 40=black 41=red 42=green 43=yellow 44=blue 45=magenta 46=cyan 47=white
#NORMAL 00 # no color code at all
#FILE 00 # regular file: use no color at all
RESET 0 # reset to "normal" color
DIR 01;34 # directory
LINK 01;36 # symbolic link. (If you set this to 'target' instead of a
# numerical value, the color is as for the file pointed to.)
MULTIHARDLINK 00 # regular file with more than one link
FIFO 40;33 # pipe
SOCK 01;35 # socket
DOOR 01;35 # door
BLK 40;33;01 # block device driver
CHR 40;33;01 # character device driver
ORPHAN 40;31;01 # symlink to nonexistent file, or non-stat'able file
SETUID 37;41 # file that is setuid (u+s)
SETGID 30;43 # file that is setgid (g+s)
CAPABILITY 30;41 # file with capability
STICKY_OTHER_WRITABLE 30;42 # dir that is sticky and other-writable (+t,o+w)
OTHER_WRITABLE 34;42 # dir that is other-writable (o+w) and not sticky
STICKY 37;44 # dir with the sticky bit set (+t) and not other-writable
# This is for files with execute permission:
EXEC 01;32
# List any file extensions like '.gz' or '.tar' that you would like ls
# to colorize below. Put the extension, a space, and the color init string.
# (and any comments you want to add after a '#')
# If you use DOS-style suffixes, you may want to uncomment the following:
#.cmd 01;32 # executables (bright green)
#.exe 01;32
#.com 01;32
#.btm 01;32
#.bat 01;32
# Or if you want to colorize scripts even if they do not have the
# executable bit actually set.
#.sh 01;32
#.csh 01;32
# archives or compressed (bright red)
.tar 01;31
.tgz 01;31
.arj 01;31
.taz 01;31
.lzh 01;31
.lzma 01;31
.tlz 01;31
.txz 01;31
.zip 01;31
.z 01;31
.Z 01;31
.dz 01;31
.gz 01;31
.lz 01;31
.xz 01;31
.bz2 01;31
.bz 01;31
.tbz 01;31
.tbz2 01;31
.tz 01;31
.deb 01;31
.rpm 01;31
.jar 01;31
.rar 01;31
.ace 01;31
.zoo 01;31
.cpio 01;31
.7z 01;31
.rz 01;31
# image formats
.jpg 01;35
.jpeg 01;35
.gif 01;35
.bmp 01;35
.pbm 01;35
.pgm 01;35
.ppm 01;35
.tga 01;35
.xbm 01;35
.xpm 01;35
.tif 01;35
.tiff 01;35
.png 01;35
.svg 01;35
.svgz 01;35
.mng 01;35
.pcx 01;35
.mov 01;35
.mpg 01;35
.mpeg 01;35
.m2v 01;35
.mkv 01;35
.ogm 01;35
.mp4 01;35
.m4v 01;35
.mp4v 01;35
.vob 01;35
.qt 01;35
.nuv 01;35
.wmv 01;35
.asf 01;35
.rm 01;35
.rmvb 01;35
.flc 01;35
.avi 01;35
.fli 01;35
.flv 01;35
.gl 01;35
.dl 01;35
.xcf 01;35
.xwd 01;35
.yuv 01;35
.cgm 01;35
.emf 01;35
# http://wiki.xiph.org/index.php/MIME_Types_and_File_Extensions
.axv 01;35
.anx 01;35
.ogv 01;35
.ogx 01;35
# audio formats
.aac 00;36
.au 00;36
.flac 00;36
.mid 00;36
.midi 00;36
.mka 00;36
.mp3 00;36
.mpc 00;36
.ogg 00;36
.ra 00;36
.wav 00;36
# http://wiki.xiph.org/index.php/MIME_Types_and_File_Extensions
.axa 00;36
.oga 00;36
.spx 00;36
.xspf 00;36
# programming
.o 00;35
.c 01;33
.cc 03;33
.cpp 03;33
.h 00;33
.a 01;35
# documents
.pdf 01;33
.doc 01;33
.odt 01;33
.ods 01;33
.xls 01;33
.pptx 01;33
.ppt 01;33
.odp 01;33

@ -0,0 +1,259 @@
# Don't show input while loading
stty -echo
# some better colors for ls
eval "`dircolors ~/.dircolors`"
# Keybindings {{{
bindkey -e
bindkey '\e[1~' beginning-of-line
bindkey '\e[4~' end-of-line
bindkey '\e[3~' delete-char
bindkey '\e[2~' overwrite-mode
bindkey "^[[7~" beginning-of-line # Pos1
bindkey "^[[8~" end-of-line # End
bindkey "^[[A" history-beginning-search-backward
bindkey "^[[B" history-beginning-search-forward
# add edit command line feature ("alt-e")
autoload edit-command-line
zle -N edit-command-line
bindkey '\ee' edit-command-line
# }}}
# Variables {{{
export EDITOR=vim
export VISUAL=$EDITOR
export PAGER=less
export LESSCHARSET="UTF-8"
export LESSOPEN='|/usr/bin/lesspipe.sh %s 2>&-'
export LESS='-i -n -w -M -R -P%t?f%f \
:stdin .?pb%pb\%:?lbLine %lb:?bbByte %bb:-...'
# Less Colors for Man Pages
export LESS_TERMCAP_mb=$'\E[01;31m' # begin blinking
export LESS_TERMCAP_md=$'\E[01;38;5;74m' # begin bold
export LESS_TERMCAP_me=$'\E[0m' # end mode
export LESS_TERMCAP_se=$'\E[0m' # end standout-mode
export LESS_TERMCAP_so=$'\E[38;5;11m' # begin standout-mode - info box
export LESS_TERMCAP_ue=$'\E[0m' # end underline
export LESS_TERMCAP_us=$'\E[04;38;5;146m' # begin underline
# }}}
# Prompt {{{
if [[ $UID != 0 ]]; then
local username_color="%F{blue}"
else
local username_color="%F{red}"
fi
local host_color="%F{green}"
local path_color="%F{blue}"
PROMPT="${username_color}$USERNAME%f@${host_color}%B%M%b%f ${path_color}%B%~%b%f > "
#}
## Spelling prompt
SPROMPT='zsh: correct '%R' to '%r' ? ([Y]es/[N]o/[E]dit/[A]bort) '
# }}}
# History {{{
HISTFILE=~/.zsh/histfile
HISTSIZE=1000
SAVEHIST=50000
# }}}
# Other ZSH options {{{
autoload -U colors
colors
autoload -U zmv
# .. -> cd ../
setopt autocd
# cd /etc/**/foo/blub searches ;)
setopt extendedglob
# push cds to directory stack
setopt auto_pushd
# don't push something twice
setopt pushd_ignore_dups
# don't kill jobs when exiting shell
setopt no_hup
# and don't warn
setopt no_check_jobs
# show us when some command didn't exit with 0
setopt print_exit_value
# makepkg -g > PKGBUILD
# zsh: file exists: PKGBUILD
#
# work saved ;)
setopt no_clobber
setopt inc_append_history
setopt no_bg_nice
setopt share_history
#setopt bang_hist
setopt extended_history
#setopt hist_reduce_blanks
setopt hist_ignore_space
setopt hist_find_no_dups
setopt hist_ignore_dups
setopt nohistverify
setopt prompt_subst
#setopt hist_fcntl_lock
setopt always_to_end
unsetopt auto_remove_slash
# show the output of time if commands takes longer than n secs (only user+system)
REPORTTIME=5
# allow comments in interactive shells
setopt interactivecomments
# ignore lines starting with a space
setopt hist_ignore_space
# disable XON/XOFF flow control (^s/^q)
stty -ixon
# }}}
# Aliases {{{
# better ask before we lose data
alias rm='rm -Iv'
alias cp='cp -iv'
alias mv='mv -iv'
# I don't like bytes
alias dum='du -kh --max-depth=2'
alias dus='du -skh'
alias du='du -kh'
alias df="df -Th"
# function to make ls look nice is below
alias ls='ls -rhbtF --color=auto'
alias ll='ls -rhbtF --color=auto -l'
alias la='ls -rhbtF --color=auto -a'
alias lla='ls -rhbtF --color=auto -la'
alias lld='ls -rhbtF --color=auto -ld'
alias grep='grep --color'
alias mkdir='nocorrect mkdir'
alias wget='nocorrect noglob wget'
alias p='pacman'
alias sd='systemctl --no-pager'
alias is="iostat -Nyxm 2"
alias nocomment='egrep -v "^\s*(#|$)"'
alias wgetc="wget --content-disposition"
# }}}
# Completion stuff {{{
autoload -Uz compinit
compinit
unsetopt correct_all
zstyle :compinstall filename '$HOME/.zshrc'
# performance tweaks
zstyle ':completion:*' use-cache on
zstyle ':completion:*' cache-path $HOME/.zsh/cache
zstyle ':completion:*' use-perl on
# completion colours
zstyle ':completion:*' list-colors ${(s.:.)LS_COLORS}
zstyle ':completion:*' completer _complete _match _approximate
zstyle ':completion:*:match:*' original only
# ignore completion for commands we don't have
zstyle ':completion:*:functions' ignored-patterns '_*'
# get rid of .class and .o files for vim
zstyle ':completion:*:vim:*' ignored-patterns '*.(class|o)'
# show menu when tabbing
zstyle ':completion:*' menu yes select
# better completion for kill
zstyle ':completion:*:*:kill:*' command 'ps --forest -u$USER -o pid,%cpu,tty,cputime,cmd'
# Provide more processes in completion of programs like killall:
zstyle ':completion:*:processes-names' command 'ps c -u ${USER} -o command | uniq'
compdef pkill=killall
# bugged with zsh 4.3.10 for whatever reason
zstyle ':completion:*' file-sort time
#zstyle ':completion:*' file-sort name
# Ignore same file on rm
zstyle ':completion:*:(rm|kill|diff):*' ignore-line yes
zstyle ':completion:*:rm:*' file-patterns '*:all-files'
# e.g. ls foo//bar -> ls foo/bar
zstyle ':completion:*' squeeze-slashes true
# if in foo/bar don't show bar when cd ../<TAB>
zstyle ':completion:*:cd:*' ignore-parents parent pwd
# Prevent lost+found directory from being completed
zstyle ':completion:*:cd:*' ignored-patterns '(*/)#lost+found'
# ignore case when completing
zstyle ':completion:*' matcher-list 'm:{a-zA-Z}={A-Za-z}' 'r:|[._-]=* r:|=*' 'l:|=* r:|=*'
# make some stuff look better
# from: http://ft.bewatermyfriend.org/comp/zsh/zshrc.d/compsys.html
zstyle ':completion:*:descriptions' format "- %{${fg[yellow]}%}%d%{${reset_color}%} -"
zstyle ':completion:*:messages' format "- %{${fg[cyan]}%}%d%{${reset_color}%} -"
zstyle ':completion:*:corrections' format "- %{${fg[yellow]}%}%d%{${reset_color}%} - (%{${fg[cyan]}%}errors %e%{${reset_color}%})"
zstyle ':completion:*:default' \
select-prompt \
"%{${fg[yellow]}%}Match %{${fg_bold[cyan]}%}%m%{${fg_no_bold[yellow]}%} Line %{${fg_bold[cyan]}%}%l%{${fg_no_bold[red]}%} %p%{${reset_color}%}"
zstyle ':completion:*:default' \
list-prompt \
"%{${fg[yellow]}%}Line %{${fg_bold[cyan]}%}%l%{${fg_no_bold[yellow]}%} Continue?%{${reset_color}%}"
zstyle ':completion:*:warnings' \
format \
"- %{${fg_no_bold[red]}%}no match%{${reset_color}%} - %{${fg_no_bold[yellow]}%}%d%{${reset_color}%}"
zstyle ':completion:*' group-name ''
# manual pages are sorted into sections
# from: http://ft.bewatermyfriend.org/comp/zsh/zshrc.d/compsys.html
zstyle ':completion:*:manuals' separate-sections true
zstyle ':completion:*:manuals.(^1*)' insert-sections true
### highlight the original input.
zstyle ':completion:*:original' \
list-colors "=*=$color[red];$color[bold]"
### highlight words like 'esac' or 'end'
zstyle ':completion:*:reserved-words' \
list-colors "=*=$color[red]"
### colorize hostname completion
zstyle ':completion:*:*:*:*:hosts' \
list-colors "=*=$color[cyan];$color[bg-black]"
### colorize username completion
zstyle ':completion:*:*:*:*:users' \
list-colors "=*=$color[red];$color[bg-black]"
### colorize processlist for 'kill'
zstyle ':completion:*:*:kill:*:processes' \
list-colors "=(#b) #([0-9]#) #([^ ]#)*=$color[none]=$color[yellow]=$color[green]"
# }}}
umask 077
stty -ctlecho
# Show again
stty echo
# vim: set ft=zsh:
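Review bot: `setopt hist_ignore_space` is set twice (in the options block and again under "ignore lines starting with a space"), and the stray `#}` after the PROMPT line is a leftover; both are harmless but worth tidying. `umask 077` near the end is a good default for a root shell, but it only applies to interactive sessions that source this file; the backup scripts started by the systemd timer do not inherit it, which is why the backup-directory tasks in the borg role need an explicit mode.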

@ -0,0 +1,7 @@
---
- name: restarted journald
service: name=systemd-journald state=restarted
- name: systemd daemon-reload
command: systemctl daemon-reload

@ -0,0 +1,98 @@
---
- name: configure pacman mirror
template: src=mirrorlist.j2 dest=/etc/pacman.d/mirrorlist owner=root group=root mode=0644
- name: remove ntp
pacman: name=ntp state=absent
- name: start and enable systemd-timesyncd
service: name=systemd-timesyncd enabled=yes state=started
- name: install smart
pacman: name=smartmontools state=present
- name: start and enable smart
service: name=smartd enabled=yes state=started
- name: install mlocate
pacman: name=mlocate state=present
- name: activate regular updatedb for mlocate
service: name=updatedb.timer enabled=yes state=started
- name: generate locales
locale_gen: name={{ item }} state=present
with_items:
- en_US.UTF-8
- de_DE.UTF-8
- name: configure locales
template: src=locale.conf.j2 dest=/etc/locale.conf owner=root group=root mode=0644
- name: generate ssh key for root
command: ssh-keygen -b 4096 -N "" -f /root/.ssh/id_rsa creates="/root/.ssh/id_rsa"
- name: configure default qdisc
sysctl:
name: net.core.default_qdisc
value: "{{default_qdisc}}"
sysctl_file: /etc/sysctl.d/net.conf
when: default_qdisc is defined
- name: apply default qdisc to interfaces
command: tc qdisc replace dev {{item}} root {{default_qdisc}}
with_items: "{{ansible_interfaces | difference('lo')}}"
when: default_qdisc is defined
- name: configure tcp congestion control algorithm
sysctl:
name: net.ipv4.tcp_congestion_control
value: "{{tcp_congestion_control}}"
sysctl_set: yes
sysctl_file: /etc/sysctl.d/net.conf
when: tcp_congestion_control is defined
- name: configure tcp receive window limits
sysctl:
name: net.ipv4.tcp_rmem
value: "{{tcp_rmem}}"
sysctl_set: yes
sysctl_file: /etc/sysctl.d/net.conf
when: tcp_rmem is defined
- name: configure tcp send window limits
sysctl:
name: net.ipv4.tcp_wmem
value: "{{tcp_wmem}}"
sysctl_set: yes
sysctl_file: /etc/sysctl.d/net.conf
when: tcp_wmem is defined
- name: configure journald
template: src={{item}}.j2 dest=/etc/systemd/{{item}} owner=root group=root mode=644
with_items:
- journald.conf
notify:
- restarted journald
- name: install system.conf
template: src=system.conf.j2 dest=/etc/systemd/system.conf owner=root group=root mode=0644
notify:
- systemd daemon-reload
- name: create zsh directory
file: path=/root/.zsh state=directory owner=root group=root mode=0700
- name: install root shell config
copy: src={{item}} dest=/root/.{{item}} owner=root group=root mode=0644
with_items:
- zshrc
- dircolors
#- name: add kernel packages to IgnorePkg
# lineinfile:
# dest: /etc/pacman.conf
# insertafter: '^#IgnorePkg'
# regexp: '^IgnorePkg'
# line: 'IgnorePkg = linux linux-headers linux-hardened linux-hardened-headers linux-lts linux-lts-headers'
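Review bot: `mode=644` in the `configure journald` task lacks the leading zero; Ansible treats an unquoted `644` as a decimal integer, which yields mode 1204 (`--w----r-T`) rather than 0644 and leaves journald.conf unreadable. Use `mode=0644` as the other tasks do. Two more: `ansible_interfaces | difference('lo')` passes a string, which the filter iterates as the characters `l` and `o`, so `lo` is never removed and `tc` also runs on loopback (`difference(['lo'])`); and `generate ssh key for root` creates a passphrase-less root key on every host although only hosts that initiate SSH connections need one, so guard it with a variable. The `apply default qdisc` command is not idempotent and reports changed on every run; add `changed_when: false` or compare against `tc qdisc show`.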

@ -0,0 +1,42 @@
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See journald.conf(5) for details.
[Journal]
#Storage=auto
#Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitIntervalSec=30s
RateLimitBurst=100000
#SystemMaxUse=
#SystemKeepFree=
#SystemMaxFileSize=
SystemMaxFiles=10000
#RuntimeMaxUse=
#RuntimeKeepFree=
#RuntimeMaxFileSize=
#RuntimeMaxFiles=100
#MaxRetentionSec=
#MaxFileSec=1month
#ForwardToSyslog=no
#ForwardToKMsg=no
#ForwardToConsole=no
ForwardToWall=no
#TTYPath=/dev/console
#MaxLevelStore=debug
#MaxLevelSyslog=debug
#MaxLevelKMsg=notice
#MaxLevelConsole=info
#MaxLevelWall=emerg
#LineMax=48K
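Review bot: `RateLimitBurst=100000` with the default 30 s interval all but disables journald's per-service rate limit, and `SystemMaxFiles=10000` is set without an explicit `SystemMaxUse=`, so retention falls back to the default cap (10% of the filesystem, at most 4 GiB). A log-flooding service can then cycle through the retained journal quickly and evict the older entries an incident investigation would need. Keep the burst limit modest, or set `SystemMaxUse=` and `MaxRetentionSec=` deliberately; `ForwardToSyslog`/remote shipping would preserve a copy off-host.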

@ -0,0 +1,3 @@
LANG=de_DE.UTF-8
LC_COLLATE=C
LANGUAGE=de_DE

@ -0,0 +1,25 @@
## Generated on 2016-07-03
##
## Germany
Server = http://mirror.hetzner.de/archlinux/$repo/os/$arch
Server = http://mirror.f4st.host/archlinux/$repo/os/$arch
Server = https://mirror.f4st.host/archlinux/$repo/os/$arch
Server = http://mirror.de.leaseweb.net/archlinux/$repo/os/$arch
Server = http://ftp.hosteurope.de/mirror/ftp.archlinux.org/$repo/os/$arch
Server = http://ftp.fau.de/archlinux/$repo/os/$arch
Server = http://mirror.selfnet.de/archlinux/$repo/os/$arch
Server = http://mirror.netcologne.de/archlinux/$repo/os/$arch
Server = http://ftp.halifax.rwth-aachen.de/archlinux/$repo/os/$arch
Server = http://mirrors.n-ix.net/archlinux/$repo/os/$arch
Server = http://ftp.uni-kl.de/pub/linux/archlinux/$repo/os/$arch
Server = http://mirror.23media.de/archlinux/$repo/os/$arch
Server = https://ftp.fau.de/archlinux/$repo/os/$arch
Server = http://ftp-stud.hs-esslingen.de/pub/Mirrors/archlinux/$repo/os/$arch
Server = http://ftp.spline.inf.fu-berlin.de/mirrors/archlinux/$repo/os/$arch
Server = http://ftp.uni-hannover.de/archlinux/$repo/os/$arch
Server = http://linux.rz.rub.de/archlinux/$repo/os/$arch
Server = http://ftp5.gwdg.de/pub/linux/archlinux/$repo/os/$arch
Server = https://mirror.netcologne.de/archlinux/$repo/os/$arch
Server = http://ftp.uni-bayreuth.de/linux/archlinux/$repo/os/$arch
Server = http://mirror.euserv.net/linux/archlinux/$repo/os/$arch
Server = http://ftp.tu-chemnitz.de/pub/linux/archlinux/$repo/os/$arch
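Review bot: most entries use plain http and the list is a static 2016 snapshot. Package contents are protected by pacman's signature checks, but repository databases are not signed by default, so an on-path attacker on http can serve a stale database and hold a host back from security updates; prefer the https variants (several of these mirrors offer them and two are already listed) and regenerate the list with reflector or the Arch mirrorlist generator rather than shipping a two-year-old copy.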

@ -0,0 +1,65 @@
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See systemd-system.conf(5) for details.
[Manager]
#LogLevel=info
#LogTarget=journal-or-kmsg
#LogColor=yes
#LogLocation=no
#DumpCore=yes
#ShowStatus=yes
#CrashChangeVT=no
#CrashShell=no
#CrashReboot=no
#CtrlAltDelBurstAction=reboot-force
#CPUAffinity=1 2
#JoinControllers=cpu,cpuacct net_cls,net_prio
#RuntimeWatchdogSec=0
#ShutdownWatchdogSec=10min
#CapabilityBoundingSet=
#SystemCallArchitectures=
#TimerSlackNSec=
#DefaultTimerAccuracySec=1min
#DefaultStandardOutput=journal
#DefaultStandardError=inherit
#DefaultTimeoutStartSec=90s
#DefaultTimeoutStopSec=90s
#DefaultRestartSec=100ms
#DefaultStartLimitIntervalSec=10s
#DefaultStartLimitBurst=5
#DefaultEnvironment=
DefaultCPUAccounting=no
DefaultIOAccounting=no
DefaultIPAccounting=no
DefaultBlockIOAccounting=no
DefaultMemoryAccounting=no
DefaultTasksAccounting=yes
#DefaultTasksMax=15%
#DefaultLimitCPU=
#DefaultLimitFSIZE=
#DefaultLimitDATA=
#DefaultLimitSTACK=
#DefaultLimitCORE=
#DefaultLimitRSS=
#DefaultLimitNOFILE=
#DefaultLimitAS=
#DefaultLimitNPROC=
#DefaultLimitMEMLOCK=
#DefaultLimitLOCKS=
#DefaultLimitSIGPENDING=
#DefaultLimitMSGQUEUE=
#DefaultLimitNICE=
#DefaultLimitRTPRIO=
#DefaultLimitRTTIME=
#IPAddressAllow=
#IPAddressDeny=

@ -0,0 +1,11 @@
---
- name: install cronie
pacman: name=cronie state=present
- name: activate cronie.service
service: name=cronie enabled=yes state=started
- name: enable systemd ressource accounting
command: systemctl set-property cronie CPUAccounting=yes MemoryAccounting=yes

@ -0,0 +1,4 @@
- name: Install dnsmasq
pacman: name=dnsmasq status=present
- name:
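Review bot: `status=present` is not a parameter of the pacman module (it is `state=present`), and the trailing `- name:` has no module, so this task file fails to parse and any play that includes the role aborts. Fix both or leave the role out of the playbooks until it is finished.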

@ -0,0 +1,7 @@
- name: "Install etckeeper and dependencies"
packman: "name={{ item }} state=present"
with_items:
- git
- etckeeper
- name: "Setup etckeeper"
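Review bot: `packman:` is a typo for `pacman:`, so the install task fails with an unknown-module error, and `Setup etckeeper` has no module at all. A finished version should run `etckeeper init` (with `creates=/etc/.git`) and make sure /etc/.git stays root-only, since it holds copies of /etc/shadow and any secrets kept under /etc.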

@ -0,0 +1,7 @@
---
- name: install firewalld
pacman: name=firewalld state=present
- name: start and enable firewalld
service: name=firewalld enabled={{configure_firewall}} state={{configure_firewall | ternary("started", "stopped") }}

@ -0,0 +1,6 @@
nameserver 213.133.98.98
nameserver 213.133.100.100
nameserver 213.133.99.99
nameserver 2a01:4f8:0:a0a1::add:1010
nameserver 2a01:4f8:0:a102::add:9999
nameserver 2a01:4f8:0:a111::add:9898

@ -0,0 +1,11 @@
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PrintMotd no
Subsystem sftp /usr/lib/ssh/sftp-server
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
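Review bot: `hmac-ripemd160-etm@openssh.com` and `hmac-ripemd160` in the MACs line were removed in OpenSSH 7.6; sshd refuses to start when the list contains an unknown algorithm ("Bad SSH2 mac spec"), so on a current Arch this config locks you out right after the reboot at the end of install-arch. Drop both. `UsePAM no` also means no PAM session is opened for SSH logins, so pam_systemd/logind sessions, faillock and similar controls do not apply; on Arch the usual combination is `UsePAM yes` with `PasswordAuthentication no` and `ChallengeResponseAuthentication no` (now `KbdInteractiveAuthentication`). Add `PermitRootLogin prohibit-password` explicitly rather than relying on the default.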

@ -0,0 +1,206 @@
---
- name: read /etc/motd
command: cat /etc/motd
register: motd_contents
- name: check whether we're running in the Hetzner rescue system
fail: msg="Not running in Hetzner rescue system!"
when: "'Hetzner Rescue' not in motd_contents.stdout"
- name: partition and format the disks
command: mkfs.btrfs -f -L rootfs -d raid1 /dev/sda /dev/sdb
when: filesystem == "btrfs"
- name: create BIOS boot partitions
command: sgdisk -n 1:0:10M /dev/{{ item }}
when: filesystem == "ext4"
with_items:
- sda
- sdb
- name: create RAID partitions
command: sgdisk -n 2:0:0 /dev/{{ item }}
when: filesystem == "ext4"
with_items:
- sda
- sdb
- name: set BIOS boot partition types
command: sgdisk -t 1:ef02 /dev/{{ item }}
when: filesystem == "ext4"
with_items:
- sda
- sdb
- name: set RAID partition types
command: sgdisk -t 2:fd00
when: filesystem == "ext4"
with_items:
- sda
- sdb
- name: create MDADM array
command: mdadm --create --level=1 --raid-devices=2 --run /dev/md0 /dev/sda2 /dev/sdb2
when: filesystem == "ext4"
- name: format the MDADM array
filesystem: dev=/dev/md0 fstype=ext4
when: filesystem == "ext4"
- name: mount the filesystem (btrfs)
mount: name=/mnt src='LABEL=rootfs' fstype=btrfs state=mounted
when: filesystem == "btrfs"
- name: mount the filesystem (ext4)
mount: name=/mnt src=/dev/md0 fstype=ext4 state=mounted
when: filesystem == "ext4"
- name: touch LOCK file on mountpoint
file: path=/mnt/LOCK state=touch
- name: download bootstrap image
unarchive:
src: https://mirrors.kernel.org/archlinux/iso/latest/archlinux-bootstrap-2018.05.01-x86_64.tar.gz
dest: /tmp/
copy: no
creates: /tmp/root.x86_64
- name: copy resolv.conf to bootstrap chroot
copy: remote_src=True src=/etc/resolv.conf dest=/tmp/root.x86_64/etc/resolv.conf
- name: mount /proc to bootstrap chroot
command: mount --rbind /proc /tmp/root.x86_64/proc creates=/tmp/root.x86_64/proc/uptime
- name: mount /sys to bootstrap chroot
command: mount --rbind /sys /tmp/root.x86_64/sys creates=/tmp/root.x86_64/sys/dev
- name: mount /dev to bootstrap chroot
command: mount --rbind /dev /tmp/root.x86_64/dev creates=/tmp/root.x86_64/dev/zero
- name: mount /mnt to bootstrap chroot
command: mount --rbind /mnt /tmp/root.x86_64/mnt creates=/tmp/root.x86_64/mnt/LOCK
- name: configure pacman mirror
template: src=mirrorlist.j2 dest=/tmp/root.x86_64/etc/pacman.d/mirrorlist owner=root group=root mode=0644
- name: initialize pacman keyring inside bootstrap chroot
command: chroot /tmp/root.x86_64 pacman-key --init
- name: populate pacman keyring inside bootstrap chroot
command: chroot /tmp/root.x86_64 pacman-key --populate archlinux
- name: install arch base from bootstrap chroot
command: chroot /tmp/root.x86_64 pacstrap /mnt base base-devel btrfs-progs grub openssh python2 creates=/tmp/root.x86_64/mnt/bin
- name: mount /proc to new chroot
command: mount --rbind /proc /mnt/proc creates=/mnt/proc/uptime
- name: mount /sys to new chroot
command: mount --rbind /sys /mnt/sys creates=/mnt/sys/dev
- name: mount /dev to new chroot
command: mount --rbind /dev /mnt/dev creates=/mnt/dev/zero
- name: generate mdadm.conf
shell: mdadm --detail --scan >> /mnt/etc/mdadm.conf
when: filesystem == "ext4"
- name: setup locale.gen
lineinfile:
path: /mnt/etc/locale.gen
line: "de_DE.UTF-8 UTF-8 \nen_US.UTF-8 UTF-8"
- name: run locale-gen inside chroot
command: chroot /mnt locale-gen
- name: run systemd-firstboot
command: chroot /mnt systemd-firstboot --locale=de_DE.UTF-8 --timezone=UTC --hostname={{ hostname }}
- name: add mdadm_udev to mkinitcpio.conf
lineinfile:
dest: /mnt/etc/mkinitcpio.conf
backrefs: yes
regexp: '^(.*)block filesystems(.*)$'
line: '\1block mdadm_udev filesystems\2'
when: filesystem == "ext4"
- name: run mkinitcpio
command: chroot /mnt mkinitcpio -p linux
- name: configure network
template: src={{ item.src }} dest={{ item.dest }} owner=root group=root mode=0644
with_items:
- { src: 'eth0.j2' , dest: '/mnt/etc/netctl/eth0' }
- { src: '99-hetzner.conf.j2' , dest: '/mnt/etc/sysctl.d/99-hetzner.conf' }
- { src: '80-net-setup-link.rules.j2', dest: '/mnt/etc/udev/rules.d/80-net-setup-link.rules' }
- name: disable systemd-networkd
command: chroot /mnt systemctl disable systemd-networkd.service
- name: enable netctl
command: chroot /mnt netctl enable eth0
- name: install grub
command: chroot /mnt grub-install --recheck {{ item }}
with_items:
- /dev/sda
- /dev/sdb
- name: configure grub
command: chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg
- name: configure nss
lineinfile:
dest: /mnt/etc/nsswitch.conf
regexp: '^hosts:'
line: 'hosts: files mymachines resolve myhostname'
- name: enable services inside chroot
command: chroot /mnt systemctl enable sshd systemd-networkd systemd-resolved
- set_fact: pubkey_list="{{ lookup('file', '../pubkeys/' + item) }}"
register: pubkeys
with_items: "{{ root_ssh_keys }}"
- set_fact: pubkey_string={{ pubkeys.results | map(attribute='ansible_facts.pubkey_list') | join('\n') }}
- name: add authorized key for root
authorized_key: user=root key="{{ pubkey_string }}" path=/tmp/root.x86_64/mnt/root/.ssh/authorized_keys exclusive=yes
- name: configure sshd
template: src=sshd_config.j2 dest=/mnt/etc/ssh/sshd_config owner=root group=root mode=0644
- name: create symlink to resolv.conf
file: src=/run/systemd/resolve/resolv.conf dest=/mnt/etc/resolv.conf state=link force=yes
- name: remove LOCK file on mountpoint
file: path=/mnt/LOCK state=absent
- name: reboot into new system
shell: sleep 5 && reboot &
args:
executable: /bin/bash
async: 10
poll: 0
- name: waiting for server to go down
local_action:
module: wait_for
host: "{{ inventory_hostname }}"
port: 22
delay: 1
timeout: 60
state: stopped
- name: remove server from local known_hosts file
local_action: shell ssh-keygen -R {{ inventory_hostname }}
ignore_errors: true
- name: waiting for server to come back
local_action:
module: wait_for
host: "{{ inventory_hostname }}"
port: 22
delay: 1
timeout: 60
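Review bot: `sgdisk -t 2:fd00` in `set RAID partition types` is missing the device argument (`/dev/{{ item }}`), so the ext4 path never sets the RAID type and sgdisk exits with a usage error. Beyond that: the bootstrap tarball is a hard-coded 2018.05.01 file fetched from the `latest/` directory, which stops resolving as soon as the next image is published, and it is unpacked with no checksum or GPG check; download the matching `.sig` and verify it against the Arch release key before `unarchive`, because everything installed afterwards (pacman-key, mirror config, pacstrap) trusts that rootfs. `disable systemd-networkd` is later undone by `enable services inside chroot`, which enables `systemd-networkd` again next to `netctl enable eth0`, so two network managers compete for eth0 on first boot; pick one. The `lineinfile` for locale.gen embeds `\n` in a single `line`, which the module treats as one line and re-adds on every run; use two items. Finally, `ssh-keygen -R` followed by reconnecting accepts whatever host key answers after the reboot; capture the new host key fingerprint from the rescue console (or pre-generate host keys and deploy them with the sshd template) so the first reconnect can be verified.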

@ -0,0 +1,13 @@
[Match]
Name=e*
[Network]
Gateway={{ ipv4_gateway }}
Gateway={{ ipv6_gateway }}
[Address]
Address={{ ipv4_address }}{{ ipv4_netmask }}
Peer={{ ipv4_gateway }}{{ ipv4_netmask }}
[Address]
Address={{ ipv6_address }}{{ ipv6_netmask }}
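Review bot: this file is in systemd-networkd `.network` syntax ([Match]/[Network]/[Address]), yet the install role writes it to `/mnt/etc/netctl/eth0` and runs `netctl enable eth0`; netctl profiles use `Interface=`/`Connection=`/`Address=()` keys, so netctl rejects it and the host comes up without networking. Either install it as `/etc/systemd/network/eth0.network` and drop netctl (the role already enables systemd-networkd and resolved), or rewrite it as a netctl profile. `Address={{ ipv4_address }}{{ ipv4_netmask }}` also only works if `ipv4_netmask` already starts with `/`; document that or template `/{{ ipv4_prefix }}`.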

@ -0,0 +1 @@
../../netctl/templates/80-net-setup-link.rules.j2

@ -0,0 +1 @@
../../netctl/templates/99-hetzner.conf.j2

@ -0,0 +1 @@
../../netctl/templates/eth0.j2

@ -0,0 +1 @@
../../common/templates/mirrorlist.j2

@ -0,0 +1 @@
../../sshd/templates/sshd_config.j2

@ -0,0 +1 @@
fs.inotify.max_user_instances=1024

@ -0,0 +1,15 @@
[Unit]
Description=Autostart LXC Container
After=network.target
After=lxc-auto.service
[Service]
Type=forking
ExecStart=/usr/bin/lxc-autostart -g delayedstart
ExecStop=/usr/bin/lxc-autostart -s -g delayedstart
Delegate=true
TimeoutStartSec=0
TimeoutStopSec=5m
[Install]
WantedBy=multi-user.target

@ -0,0 +1,102 @@
#!/bin/bash
#Inputs
name=${1}
number=${2}
distro="alpine"
#if [ ${#} < 3 ]; then
# cat << EOF
#
#Usage: lxc-create-avc <container-name> <container number> [<packages>]
#
#EOF
#fi
packages="htop,ssmtp,vim"
if [ ${4} ]; then
packages="${packages},${3}"
fi
enable=""
if [ ${4} ]; then
nable="-e ${4}"
fi
#Variables
hwaddr="52:54:00:00:${number}:01"
ipv6="2a01:4f8:151:13cd::${number}/64"
# Create lxc Container
#lxc-create -B btrfs -t ${distro} -n ${name} -- --release latest-stable # -P ${packages} ${enable}
lxc-create -t download -n ${name}
cat > /var/lib/lxc/${name}/config << EOF
# Template used to create this container: /usr/share/lxc/templates/lxc-archlinux
# Parameters passed to the template:
# For additional config options, please look at lxc.container.conf(5)
lxc.rootfs = /var/lib/lxc/${name}/rootfs
lxc.utsname = ${name}
lxc.arch = x86_64
lxc.include = /usr/share/lxc/config/${distro}.common.conf
# Network configuration
lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
lxc.network.hwaddr = ${hwaddr}
lxc.network.name = eth0
lxc.network.veth.pair = veth.${number}.0
lxc.network.ipv6 = ${ipv6}
lxc.network.ipv6.gateway = fe80::1
lxc.network.type = veth
lxc.network.link = br1
lxc.network.flags = up
lxc.network.hwaddr = 52:54:00:00:${number}:02
lxc.network.name = eth1
lxc.network.veth.pair = veth.${number}.1
lxc.network.ipv4 = 10.0.1.${number}/24
lxc.network.ipv4.gateway = 10.0.1.1
lxc.start.auto=1
lxc.cgroup.memory.limit_in_bytes = 1536M
lxc.cgroup.memory.memsw.limit_in_bytes = 2G
#lxc.mount.entry=/pathk path/in/container none bind,ro 0 0
EOF
# Inner etwork settings
cat > /var/lib/lxc/${name}/rootfs/etc/network/interfaces << EOF
auto eth0
iface eth0 inet6 manual
auto eth1
iface eth1 inet manual
EOF
cat > /var/lib/lxc/${name}/rootfs/etc/resolv.conf << EOF
nameserver 2a01:4f8:0:a0a1::add:1010
nameserver 2a01:4f8:0:a102::add:9999
nameserver 2001:470:20::2
nameserver 213.73.91.35
nameserver 213.133.98.98
nameserver 5.9.49.12
EOF
# SSMPT Settings
#cat > /var/lib/lxc/${name}/rootfs/etc/ssmtp/ssmtp.conf << EOF
#root=test@mein.com
#mailhub=smtp.mein.com:587
#rewriteDomain=mein.com
#hostname=${name}
#FromLineOverride=YES
#UseTLS=YES
#UseSTARTTLS=Yes
#AuthUser=test@mein.com
#AutPass=
#FromLineOverride=yes
#
#EOF
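Review bot: `if [ ${4} ]` in the packages block tests the wrong positional parameter (should be `${3}`), and `nable="-e ${4}"` assigns to a misspelled variable so `enable` stays empty; neither matters yet because `lxc-create -t download -n ${name}` passes no `-- -d alpine -r <release> -a amd64`, which makes the download template prompt interactively and ignores `packages` and `enable`. Quote the tests (`[ -n "${3}" ]`) to avoid word splitting. The generated config uses the LXC 2.x keys `lxc.network.*`, `lxc.rootfs` and `lxc.utsname`, which LXC 3.0 removed in favour of `lxc.net.0.*`, `lxc.rootfs.path` and `lxc.uts.name`, so a current Arch host refuses to start the container. The MAC and IPv6 suffix also assume `${number}` is a valid two-digit hex value; validate the input before writing it into the config.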

@ -0,0 +1,68 @@
#!/bin/bash
#Inputs
name=${1}
number=${2}
packages="bash-completion,htop,net-tools,ssmtp"
if [ ${3} ]; then
packages="${packages},${3}"
fi
enable=""
if [ ${4} ]; then
enable="-e ${4}"
fi
#Variables
hwaddr = "52:54:00:00:${number}:01"
ipv6 = "2a01:4f8:151:13cd::${number}/64"
# Create lxc Container
lxc-create -t archlinux -n ${name} -B overlayfs -- -P ${packages} ${enable}
cat > /var/lib/lxc/${name}/config << EOF
# Template used to create this container: /usr/share/lxc/templates/lxc-archlinux
# Parameters passed to the template:
# For additional config options, please look at lxc.container.conf(5)
lxc.rootfs = /var/lib/lxc/${name}/rootfs
lxc.utsname = ${name}
lxc.arch = x86_64
lxc.include = /usr/share/lxc/config/archlinux.common.conf
# Network configuration
lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
lxc.network.hwaddr = ${hwaddr}
lxc.network.name = eth0
lxc.network.veth.pair = veth.${number}.0
lxc.network.ipv6= ${ipv6}
lxc.network.ipv6.gateway=fe80::1
lxc.network.type = veth
lxc.network.link = br1
lxc.network.flags = up
lxc.network.hwaddr = 52:54:00:00:${number}:02
lxc.network.name = eth1
lxc.network.veth.pair = veth.${number}.1
lxc.network.ipv4=10.0.1.${number}/24
lxc.network.ipv4.gateway=10.0.1.1
lxc.start.auto=1
lxc.cgroup.memory.limit_in_bytes = 2G
lxc.cgroup.memory.memsw.limit_in_bytes = 4G
#lxc.mount.entry=/pathk path/in/container none bind,ro 0 0
EOF
# SSMPT Settings
cat > /var/lib/lxc/${name}/rootfs/etc/ssmtp/ssmtp.conf << EOF
root=test@mein.com
mailhub=smtp.mein.com:587
rewriteDomain=mein.com
hostname=${name}
FromLineOverride=YES
UseTLS=YES
UseSTARTTLS=Yes
AuthUser=test@mein.com
AutPass=
FromLineOverride=yes
EOF
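Review bot: the two assignments `hwaddr = "52:54:00:00:${number}:01"` and `ipv6 = "2a01:4f8:151:13cd::${number}/64"` have spaces around `=`, so bash runs `hwaddr` and `ipv6` as commands (which do not exist) and both variables stay empty; the generated config then contains `lxc.network.hwaddr = ` and `lxc.network.ipv6= ` with no value, so the container gets a random MAC and no IPv6 address. Write them as `hwaddr="52:54:00:00:${number}:01"` and `ipv6="2a01:4f8:151:13cd::${number}/64"`. The argument tests `if [ ${3} ]` and `if [ ${4} ]` should be `if [ -n "${3}" ]` so empty or multi-word arguments do not break the test, and the script should abort if `${1}` or `${2}` is missing and use `set -e`, otherwise a failed `lxc-create` is followed by writing config under `/var/lib/lxc//`. `${number}` is also used as a MAC octet, so a single-digit value produces an invalid address such as `52:54:00:00:5:01`; zero-pad it. The ssmtp.conf heredoc repeats the `AutPass=` typo (should be `AuthPass`) and the duplicate `FromLineOverride`, ships placeholder credentials `test@mein.com`, and is created with the default umask although it will contain a mail password; create it with mode 0640 and pass the credentials in from outside the script rather than editing them here.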

@ -0,0 +1,19 @@
#!/bin/sh
#
# LXC to btrfs subvolume converter
# Convert the LXC rootfs into a btrfs subvolume to
# backup with btrfs snapshots.
#
for rootfs in /var/lib/lxc/*/rootfs; do
{
mv "${rootfs}" "${rootfs}.saved"
btrfs subvolume create "${rootfs}"
mv "${rootfs}.saved"/* "${rootfs}"
rmdir "${rootfs}.saved"
echo "${rootfs} to subvolume\n"
}
done
#for rootfs in /var/lib/lxc/*/rootfs;
#do
# echo "${rootfs}"
#done
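Review bot: the loop converts every rootfs under `/var/lib/lxc` whether or not that container is running; moving the rootfs of a running container out from under it breaks it, so the script should skip (or refuse to continue on) any container whose `lxc-info -s -n <name>` is not STOPPED. There is no error handling: without `set -e`, a failing `btrfs subvolume create` (for example when `/var/lib/lxc` is not on btrfs) is followed by a `mv` into a directory that does not exist and an `rmdir` of a non-empty directory, and the loop just moves on. `mv "${rootfs}.saved"/* "${rootfs}"` does not match dot-files at the top level of the rootfs, which then also makes the `rmdir` fail; use `find "${rootfs}.saved" -mindepth 1 -maxdepth 1 -exec mv -t "${rootfs}" {} +` instead of the glob. `echo "${rootfs} to subvolume\n"` under `#!/bin/sh` prints a literal `\n` on shells whose echo does not interpret escapes; drop the `\n`. The braces around the loop body do nothing and can go.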

@ -0,0 +1,43 @@
- name: Installing LXC and dependensies
pacman: name={{ item }} state=present
with_items:
- lxc
- python
- dnsmasq
- name: Create LXC config and autostart files
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: root
mode: 0644
with_items:
- { src: '../files/50-lxc.conf', dest: '/etc/sysctl.d/50-lxc.conf' }
- { src: '../files/lxc-auto-delayed.service', dest: '/etc/systemd/system/lxc-auto-delayed.service' }
- name: Setup LXC-Network
- name: Activate autostart for LXC-Container
systemd:
name: "{{ item }}"
enable: yes
deamon_reload: yes
with_items:
- lxc-auto.service
- lxc-auto-delayed.service
- name: Installing python-lxc for Ansible lxc support
pip:
name: lxc-python2
- name: Create some Bashscripts for simpliefy lxc usage
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: root
mode: 0644
with_items:
- { src: '../files/lxc-create.sh', dest: '/root/lxc-create.sh' }
- { src: '../files/lxcbtrfsconverter.sh', dest: '/root/lxc-btrfsconverter.sh' }
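Review bot: the task `- name: Setup LXC-Network` has no module, so Ansible rejects the task file ("no action detected in task"); give it an action or remove it. In the autostart task the `systemd` module parameters are `enabled` and `daemon_reload`, not `enable` and `deamon_reload`, so the play fails on unsupported parameters. The `pip` task installs `lxc-python2`, a Python 2 binding, while the package task installs `python` (Python 3 on Arch); either set `executable: pip2` and install `python2-pip`, or install the Python 3 binding. The helper scripts are copied with mode 0644, so they have to be invoked as `bash /root/lxc-create.sh`; 0700 would match their home in `/root`. Spelling: "dependensies" and "simpliefy". The `pacman: name={{ item }}` loop can pass the whole list to `name:` in one call.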

@ -0,0 +1,41 @@
---
- hosts: webserver
tasks:
# Create the Container for the new Webserver
- name: Create Webserver for {{ domain }}
lxc_container:
name: webserver
state: sopped
backing_store: overlayfs
clone_name: {{ domain }}
clone_snapshot: true
container_config:
- "lxc.mount.entry =/var/lib/nginx.revproxy/rootfs/etc/letsencrypt/archive/{{ domain }} etc/letsencrypt/archive/{{ domain }} none bind 0 0"
- "lxc.mount.entry =/var/lib/nginx.revproxy/rootfs/etc/letsencrypt/live/{ domain } etc/letsencrypt/live/{{ domain }} none bind 0 0"
- name: Set default Nginx
template:
src: template/80nginx.j2
dest: /var/lib/lxc/nginx.revproxy/delta0/etc/nginx/site-available/{{ domain }}.conf
- name: Setup Letsencrypt for {{ domain }}
lxc_container:
name: rev.proxy
state: started
container_command: |
ln -s /etc/nginx/site-available/{{ domain }}.conf /etc/nginx/site-enabled/{{ domain }}.conf
systemctl reload nginx
certbot certonly -d {{ domain }} -d www.{{ domain }}
- name: Setup secure Nginx with LetsEncrypt
template:
src: template/443nginx.j2
dest: /var/lib/lxc/nginx.revproxy/delta0/etc/nginx/site-available/{{ domain }}.conf
- name: Restart Reverse.Proxy
lxc_container:
name: rev.proxy
state: started
container_command: |
systemctl reload nginx
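Review bot: `state: sopped` is a typo for `stopped` and is rejected as an invalid choice, and `clone_name: {{ domain }}` is an unquoted Jinja expression at the start of a YAML value, which YAML reads as a flow mapping and fails on; it must be `clone_name: "{{ domain }}"`. The second mount entry uses single braces `{ domain }` in the source path, so it is never templated and points at a literal `live/{ domain }` directory. Both bind mounts expose the reverse proxy's Let's Encrypt `archive` and `live` directories, private keys included, read-write to the web container; if the web container needs them at all, mount them `bind,ro`. The proxy container is called `nginx.revproxy` in the two template `dest` paths and `rev.proxy` in the `lxc_container` tasks; one of those is wrong. The `certbot certonly -d ...` call in `container_command` names no authenticator (`--webroot` or `--nginx`) and no `--non-interactive --agree-tos -m <mail>`, so it prompts and hangs inside the container command. `site-available`/`site-enabled` are consistent with each other but differ from the usual `sites-available`/`sites-enabled` layout; check which directory the nginx config in the proxy container actually includes.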

@ -0,0 +1,17 @@
- name: Create main LXC_Container
lxc_container:
name: {{ item.domain }}
state: started
template: archlinux
with_dict: "{{ containername }}"
when: item.clone not defined
- name: Create LXC_Container Clone
lxc_container:
name: webserver
state: sopped
backing_store: overlayfs
clone_name: {{ domain }}
clone_snapshot: true
container_config:
when: item.clone is "webserver"
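Review bot: the `when` expressions are not valid Jinja: `item.clone not defined` must be `item.clone is not defined`, and `item.clone is "webserver"` must be `item.clone == "webserver"`. `name: {{ item.domain }}` and `clone_name: {{ domain }}` need quoting (`"{{ item.domain }}"`). With `with_dict`, `item` only has `key` and `value`, so `item.domain` and `item.clone` have to be `item.value.domain` / `item.value.clone`. The second task has no loop at all, so `item` is undefined there; it repeats the `sopped` typo for `stopped`, and `container_config:` is left empty and should either be dropped or carry the mount entries the clone is meant to get.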

@ -0,0 +1,39 @@
- name: Disable Systemctl-Network
service:
name: systemd-networkd.service
enabled: no
state: stopped
- name: Hetzner network config
template: src=99-hetzner.conf.j2 dest=/etc/sysctl.d/99-hetzner.conf owner=root group=root mode=0644
- name: Setup udev rules for eth0
template: src=80-net-setup-link.rules.j2 dest=/etc/udev/rules.d/80-net-setup-link.rules
- name: Setup eth0 Network
template: src=eth0.j2 dest=/etc/netctl/eth0 owner=root group=root mode=0644
- name: start eth0 profile
command: netctl start eth0
- name: enable eth0 profile
command: netctl enable eth0
register: "enable_result"
changed_when:
- enable_result is success
- "('already' not in enable_result.stderr and 'ln' in enable_result.stdout)"
- name: Setup lxc br0 Network
template: src=br0.j2 dest=/etc/netctl/br0 owner=root group=root mode=0644
when: lxc_ipv4_address is defined
- name: start br0 network
command: netctl start br0
- name: enable br0 profile
command: netctl enable br0
register: "enable_result"
changed_when:
- enable_result is success
- "('already' not in enable_result.stderr and 'ln' in enable_result.stdout)"
when: lxc_ipv4_address is defined
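Review bot: ordering: systemd-networkd is stopped and disabled in the first task, but the replacement netctl eth0 profile is only templated and started several tasks later; if networkd is what currently configures eth0 on the managed host, the SSH session Ansible is using is gone before `netctl start eth0` runs. Render and enable the profile first, then switch services. `start br0 network` lacks the `when: lxc_ipv4_address is defined` guard that the br0 template task and the enable task both have, so on hosts without that variable the play fails starting a profile that was never written. The `command: netctl start ...` tasks report changed on every run; give them `changed_when`/`failed_when` handling (treating "already" in stderr as success, as the enable tasks do). The `'ln' in enable_result.stdout` test is brittle because it depends on netctl's output wording.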

@ -0,0 +1,2 @@
# device: eth0
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="{{ ansible_default_ipv4.macaddress }}", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

@ -0,0 +1,28 @@
### Hetzner Online GmbH installimage
# sysctl config
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.br0.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.br0.forwarding=1
# ipv6 settings (no autoconfiguration)
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.default.accept_dad=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.default.accept_ra_defrtr=0
net.ipv6.conf.default.accept_ra_rtr_pref=0
net.ipv6.conf.default.accept_ra_pinfo=0
net.ipv6.conf.default.accept_source_route=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.all.accept_dad=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.all.accept_ra_defrtr=0
net.ipv6.conf.all.accept_ra_rtr_pref=0
net.ipv6.conf.all.accept_ra_pinfo=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.all.forwarding=1
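Review bot: the interface-specific keys `net.ipv4.conf.br0.send_redirects=0` and `net.ipv4.conf.br0.forwarding=1` only apply if br0 exists when systemd-sysctl loads this file at boot, which is before netctl creates the bridge; they log "No such file or directory", and the `all`/`default` entries already cover br0 once it comes up, so drop the br0-specific lines. Also note that `net.ipv4.ip_forward=1` and `net.ipv6.conf.all.forwarding=1` make the host a router for the containers while the only firewall tasks in this commit (in the ssh role) are commented out; a FORWARD policy for br0 should land together with this file.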

@ -0,0 +1,7 @@
Interface=br0
Connection=bridge
BindsToInterface=()
IP=static
Address=('{{ lxc_ipv4_address }}{{ lxc_ipv4_netmask }}')
IP6=static
Address6=('{{ lxc_ipv6_address }}{{ lxc_ipv6_netmask }}')
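Review bot: this template is only rendered `when: lxc_ipv4_address is defined` (see the LXC network tasks), but it references `lxc_ipv6_address` and `lxc_ipv6_netmask` unconditionally, so a host that defines the IPv4 variables without the IPv6 ones fails at templating. Either wrap the `IP6=`/`Address6=` lines in `{% if lxc_ipv6_address is defined %}` or make the task condition require both. The values are concatenated as `{{ lxc_ipv4_address }}{{ lxc_ipv4_netmask }}`, so `lxc_ipv4_netmask` has to include the leading slash (`/24`); a variable called "netmask" invites `255.255.255.0`, so either document that or template `{{ lxc_ipv4_address }}/{{ lxc_ipv4_prefix }}`.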

@ -0,0 +1,10 @@
Interface=eth0
Connection=ethernet
IP=static
Address=('{{ ipv4_address }}{{ ipv4_netmask }}')
Routes=('{{ ipv4_gateway }}{{ ipv4_netmask }}')
Gateway='{{ ipv4_gateway }}'
IP6=static
Address6=('{{ ipv6_address }}{{ ipv6_netmask }}')
Gateway6='{{ ipv6_gateway }}'
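Review bot: `Routes=('{{ ipv4_gateway }}{{ ipv4_netmask }}')` gives the gateway route the same prefix length as the address. On a Hetzner host where the address is configured as /32 and the gateway sits outside that prefix, the route needed is a host route (`gateway/32`); this template only produces that when `ipv4_netmask` is `/32`, so hard-code `/32` here or use a separate variable. As in br0.j2, the IPv6 lines are unconditional; hosts without `ipv6_address` defined cannot render this file.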

@ -0,0 +1,13 @@
- name: install Pet
aur:
name: pet-git
use: makepkg
upgrade: yes
become: yes
become_user: aur_builder
- name: Configure Pet
template: src=config.toml.j2 dest=/root/.config/pet/config.toml owner=root group=root mode=0644
- name: Sync Pet
command: pet sync
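Review bot: `aur:` is not a built-in Ansible module, so this role depends on a third-party module in the library path; document that dependency and the `aur_builder` user it runs as (no task here creates that user). `command: pet sync` is not idempotent and reports changed on every run; add `changed_when: false` or a check. The rendered config carries a Gist access token (see config.toml.j2), so mode 0600 is the better choice than 0644 even under /root.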

@ -0,0 +1,12 @@
[General]
snippetfile = "/root/.config/pet/snippet.toml"
editor = "vim"
column = 40
selectcmd = "peco"
[Gist]
file_name = "pet-snippet.toml"
access_token = {{ gist_access_token }}
gist_id = {{ gist_id }}
public = false
auto_sync = true
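Review bot: TOML string values must be quoted: `access_token = {{ gist_access_token }}` and `gist_id = {{ gist_id }}` render as bare words, which is not valid TOML and pet will refuse to parse. Write `access_token = "{{ gist_access_token }}"` and `gist_id = "{{ gist_id }}"`. The token is a credential for the account's Gists and should come from an Ansible Vault-encrypted variable rather than plain group or host vars.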

@ -0,0 +1,4 @@
---
- name: add authorized keys for root
template: src=authorized_keys.j2 dest=/root/.ssh/authorized_keys mode=0600 owner=root group=root
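Review bot: the template writes `/root/.ssh/authorized_keys`, but nothing ensures `/root/.ssh` exists with mode 0700; the template module does not create parent directories, so add a `file: path=/root/.ssh state=directory mode=0700 owner=root group=root` task before it.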

@ -0,0 +1,7 @@
#jinja2: lstrip_blocks: True
{% for user in root_ssh_keys | sort -%}
{{ lookup('file', '../pubkeys/' + user) }}
{% endfor %}
{% if 'dragon-backup' in group_names %}
ssh-rsa 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 root@dragon backup key
{% endif %}
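Review bot: the dragon backup key is pasted into the template instead of living in `../pubkeys/` like the others, and it gets an unrestricted root login on every host in `dragon-backup`. A key used only for automated backups should carry options that limit what it can do, e.g. `restrict,command="<backup command>"` (and `from="<backup host>"`), so a compromise of the backup host does not hand out a root shell everywhere. Also note that an empty `root_ssh_keys` renders an empty file and locks root out of any host that relies on key login; a guard such as `{% if root_ssh_keys | length == 0 %}{{ undefined_variable }}{% endif %}` or an `assert` task before the template would catch that.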

@ -0,0 +1,2 @@
- name: restart sshd
service: name=sshd state=restarted

@ -0,0 +1,33 @@
- name: install openssh
pacman: name=openssh state=present
- name: configure sshd
template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644
notify:
- restart sshd
- name: set file permissions
file: path=/etc/ssh mode=0600
- name: install motd
template: src=motd.j2 dest=/etc/motd owner=root group=root mode=0644
- name: start and enable sshd
service: name=sshd enabled=yes state=started
- name: enable systemd ressource accounting
command: systemctl set-property sshd CPUAccounting=yes MemoryAccounting=yes
#- name: open firewall holes
# firewalld: service=ssh permanent=true state=enabled
# when: configure_firewall
#- name: add IP-Tables rule
# iptables:
# chain: INPUT
# protocol: tcp
# destination_port: 22
# ctstate: NEW
# syn: match
# jump: ACCEPT
# comment: Accept new SSH connections.
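Review bot: `file: path=/etc/ssh mode=0600` changes the mode of the /etc/ssh directory itself, not of the key files; a directory without the execute bit cannot be traversed by unprivileged users, who then lose access to `/etc/ssh/ssh_config`, `ssh_known_hosts` and the public host keys. Keep the directory at 0755 and tighten the private keys (`/etc/ssh/ssh_host_*_key`) to 0600 instead. The `configure sshd` template has no `validate`; add `validate: 'sshd -t -f %s'` so a broken sshd_config is rejected before the `restart sshd` handler locks you out. `systemctl set-property sshd ...` runs unconditionally on every play and reports changed; add `changed_when: false`, or ship the settings as a drop-in `/etc/systemd/system/sshd.service.d/accounting.conf` containing `[Service]`, `CPUAccounting=yes`, `MemoryAccounting=yes`, which is idempotent. The firewall tasks are commented out, so nothing in this commit restricts port 22.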

@ -0,0 +1,28 @@
Welcome to {{inventory_hostname}}.
{% if 'borg-clients' in group_names %}
Data on this system is regularly backed up automatically.
{% else %}
This system IS NOT backed up. Please ensure you DO NOT keep valuable data here!
{% endif %}
{% if 'buildservers' in group_names %}
Usage Info
- Use the devtools helpers to build packages.
- Don't forget to set your PACKAGER in ~/.makepkg.conf.
- Chroots are kept in /var/lib/archbuild (~chroots).
- SRCDEST is set to /var/lib/archbuilddest/srcdest (~srcdest).
- Take a look at mkpkg -hh if you want to build nightlies.
Package diff tools:
diffrepo : Lightweight alternative to checkpkg. Only diffs filenames.
pkgdiffrepo : Heavyweight alternative to checkpkg. Uses pkgdiff.
September 25, 2016
Pkgbuild.com was moved to a new server (again)! This one uses spinning rust
so we have plenty of space. Chroots are on a tmpfs to keep things fast.
October 11, 2016
Added gitpkg, an experimental script written to maintain GNOME git packages.
May also fit other packages.
{% endif %}

@ -0,0 +1,121 @@
# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
LogLevel VERBOSE
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no # pam does that
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# unlink forwarded sockets; for gpg agent forwarding
StreamLocalBindUnlink yes
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
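Review bot: this template replaces the distro default wholesale yet relies on commented defaults for the settings that matter most on a root-only, key-only host: `PermitRootLogin` (default `prohibit-password`), `X11Forwarding`, `AllowTcpForwarding`, `AllowAgentForwarding`, `MaxAuthTries` and `LoginGraceTime` are all left commented. State them explicitly (`PermitRootLogin prohibit-password`, `X11Forwarding no`, and `AllowTcpForwarding no` unless port forwarding is needed) so a change of upstream default cannot silently widen access. `#HostKey /etc/ssh/ssh_host_dsa_key` is stale, since DSA host keys are disabled by default in this OpenSSH generation; drop it. `PasswordAuthentication no`, `ChallengeResponseAuthentication no`, `LogLevel VERBOSE` and the single `AuthorizedKeysFile` are the right choices.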

@ -0,0 +1,18 @@
---
- name: install sudo
pacman: name=sudo state=present
- name: add sudo users to wheel
user: name="{{ item }}" append=yes groups=wheel
with_items: "{{ sudo_users }}"
tags: ['archusers']
- name: allow wheel group to use sudo
lineinfile:
dest: /etc/sudoers
state: present
regexp: '^%wheel ALL=\(ALL\) ALL'
insertafter: '^# %wheel ALL=\(ALL\) ALL'
line: '%wheel ALL=(ALL) ALL'
validate: 'visudo -cf %s'

@ -0,0 +1,66 @@
- name: Update and Upgrade System
pacman:
update_cache: yes
upgrade: yes
tags:
- install
- setup
- update
- name: install sysadmin tools
pacman: name={{ item }} state=present
with_items:
- lsof
- psmisc
- htop
- nethogs
- iftop
- rsync
- tmux
- mtr
- sshfs
- dfc
- tree
- dstat
- dmidecode
- net-tools
- ncdu
- nmap
- sysstat
- iptraf-ng
- vnstat
- tcpdump
- sudo
- mosh
- nmon
- name: install misc utils
pacman: name={{ item }} state=present
with_items:
- git
- wget
- curl
- arch-install-scripts
- debootstrap
- zsh
- colordiff
- multitail
- cloc
- ipcalc
- calc
- neovim
- python2
- neovim
- vim
- bash-completion
- pv
- rxvt-unicode-terminfo
- termite-terminfo
- p7zip
- unzip
- setconf
- kexec-tools
- ca-certificates
- name: start vnstatd
service: name=vnstat state=started enabled=true
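Review bot: `neovim` is listed twice in the misc utils list. `upgrade: yes` together with `update_cache: yes` performs a full system upgrade on every run, including runs tagged `install` or `setup`; on Arch that can pull kernel and library updates in the middle of provisioning, so leave only the `update` tag on that task or guard it with a variable. Both package tasks loop `pacman` once per package via `with_items`; the module accepts a list for `name`, which is one transaction instead of roughly twenty-five and reports changed correctly.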