From 334c97397495ec8e91cdd7e33f1e4846969eeae8 Mon Sep 17 00:00:00 2001 
From: kreativmonkey Date: Mon, 28 May 2018 23:04:26 +0200 Subject: [PATCH] initial commit --- .gitignore | 13 + LICENSE | 8 + README.md | 42 ++ ansible.cfg | 446 ++++++++++++++++++ group_vars/all/archusers.yml | 35 ++ group_vars/all/borg.yml | 6 + group_vars/all/lxc-container.yml | 27 ++ group_vars/all/pet.yml | 7 + group_vars/all/root_pubkeys.yml | 10 + group_vars/all/sudo.yml | 5 + group_vars/hetzner.yml | 1 + host_vars/pegasus | 24 + hosts | 10 + playbooks/all-hosts-basic.yml | 13 + playbooks/install-arch.yml | 8 + plugins/modules/aur | 1 + pubkeys/adlerweb.pub | 1 + pubkeys/ansgar.pub | 2 + pubkeys/kreativmonkey.pub | 4 + pubkeys/niyawe.pub | 1 + roles/archusers/tasks/main.yml | 33 ++ roles/bashit/handlers/main.yml | 5 + roles/bashit/tasks/main.yml | 45 ++ roles/borg-client/defaults/main.yml | 2 + roles/borg-client/files/borg-backup.service | 6 + roles/borg-client/files/borg-backup.timer | 9 + roles/borg-client/tasks/main.yml | 64 +++ roles/borg-client/templates/backup-my.cnf.j2 | 3 + .../borg-client/templates/backup-mysql.sh.j2 | 8 + .../templates/backup-postgres.sh.j2 | 18 + roles/borg-client/templates/borg-backup.sh.j2 | 52 ++ .../borg-client/templates/borg-restore.cfg.j2 | 12 + roles/borg-client/templates/borg.j2 | 3 + roles/common/defaults/main.yml | 2 + roles/common/files/dircolors | 213 +++++++++ roles/common/files/zshrc | 259 ++++++++++ roles/common/handlers/main.yml | 7 + roles/common/tasks/main.yml | 98 ++++ roles/common/templates/journald.conf.j2 | 42 ++ roles/common/templates/locale.conf.j2 | 3 + roles/common/templates/mirrorlist.j2 | 25 + roles/common/templates/system.conf.j2 | 65 +++ roles/crond/tasks/main.yml | 11 + roles/dnsmasq/tasks/main.yml | 4 + roles/etckeeper/tasks/main.yaml | 7 + roles/firewalld/tasks/main.yml | 7 + roles/install_arch/files/resolv.conf | 6 + roles/install_arch/files/sshd_config | 11 + roles/install_arch/files/vconsole.conf | 1 + roles/install_arch/tasks/main.yml | 206 ++++++++ .../templates/10-static-ethernet.network.j2 | 
13 + .../templates/80-net-setup-link.rules.j2 | 1 + .../install_arch/templates/99-hetzner.conf.j2 | 1 + roles/install_arch/templates/eth0.j2 | 1 + roles/install_arch/templates/mirrorlist.j2 | 1 + roles/install_arch/templates/sshd_config.j2 | 1 + roles/lxc/files/50-lxc.conf | 1 + roles/lxc/files/lxc-auto-delayed.service | 15 + roles/lxc/files/lxc-create-alpine.sh | 102 ++++ roles/lxc/files/lxc-create.sh | 68 +++ roles/lxc/files/lxcbtrfsconverter.sh | 19 + roles/lxc/tasks/mail.yaml | 43 ++ roles/lxc_container/README.yml | 41 ++ roles/lxc_container/tasks/main.yml | 17 + roles/netctl/tasks/main.yml | 39 ++ .../templates/80-net-setup-link.rules.j2 | 2 + roles/netctl/templates/99-hetzner.conf.j2 | 28 ++ roles/netctl/templates/br0.j2 | 7 + roles/netctl/templates/eth0.j2 | 10 + roles/pet/task/main.yaml | 13 + roles/pet/templates/config.toml.j2 | 12 + roles/root_ssh/tasks/main.yml | 4 + roles/root_ssh/templates/authorized_keys.j2 | 7 + roles/sshd/handlers/main.yml | 2 + roles/sshd/tasks/main.yml | 33 ++ roles/sshd/templates/motd.j2 | 28 ++ roles/sshd/templates/sshd_config.j2 | 121 +++++ roles/sudo/tasks/main.yml | 18 + roles/tools/tasks/main.yml | 66 +++ 79 files changed, 2605 insertions(+) create mode 100644 .gitignore create mode 100644 LICENSE create mode 100644 README.md create mode 100644 ansible.cfg create mode 100644 group_vars/all/archusers.yml create mode 100644 group_vars/all/borg.yml create mode 100644 group_vars/all/lxc-container.yml create mode 100644 group_vars/all/pet.yml create mode 100644 group_vars/all/root_pubkeys.yml create mode 100644 group_vars/all/sudo.yml create mode 100644 group_vars/hetzner.yml create mode 100644 host_vars/pegasus create mode 100644 hosts create mode 100644 playbooks/all-hosts-basic.yml create mode 100644 playbooks/install-arch.yml create mode 160000 plugins/modules/aur create mode 100644 pubkeys/adlerweb.pub create mode 100644 pubkeys/ansgar.pub create mode 100644 pubkeys/kreativmonkey.pub create mode 100644 pubkeys/niyawe.pub 
create mode 100644 roles/archusers/tasks/main.yml create mode 100644 roles/bashit/handlers/main.yml create mode 100644 roles/bashit/tasks/main.yml create mode 100644 roles/borg-client/defaults/main.yml create mode 100644 roles/borg-client/files/borg-backup.service create mode 100644 roles/borg-client/files/borg-backup.timer create mode 100644 roles/borg-client/tasks/main.yml create mode 100644 roles/borg-client/templates/backup-my.cnf.j2 create mode 100644 roles/borg-client/templates/backup-mysql.sh.j2 create mode 100644 roles/borg-client/templates/backup-postgres.sh.j2 create mode 100644 roles/borg-client/templates/borg-backup.sh.j2 create mode 100644 roles/borg-client/templates/borg-restore.cfg.j2 create mode 100644 roles/borg-client/templates/borg.j2 create mode 100644 roles/common/defaults/main.yml create mode 100644 roles/common/files/dircolors create mode 100644 roles/common/files/zshrc create mode 100644 roles/common/handlers/main.yml create mode 100644 roles/common/tasks/main.yml create mode 100644 roles/common/templates/journald.conf.j2 create mode 100644 roles/common/templates/locale.conf.j2 create mode 100644 roles/common/templates/mirrorlist.j2 create mode 100644 roles/common/templates/system.conf.j2 create mode 100644 roles/crond/tasks/main.yml create mode 100644 roles/dnsmasq/tasks/main.yml create mode 100644 roles/etckeeper/tasks/main.yaml create mode 100644 roles/firewalld/tasks/main.yml create mode 100644 roles/install_arch/files/resolv.conf create mode 100644 roles/install_arch/files/sshd_config create mode 100644 roles/install_arch/files/vconsole.conf create mode 100644 roles/install_arch/tasks/main.yml create mode 100644 roles/install_arch/templates/10-static-ethernet.network.j2 create mode 120000 roles/install_arch/templates/80-net-setup-link.rules.j2 create mode 120000 roles/install_arch/templates/99-hetzner.conf.j2 create mode 120000 roles/install_arch/templates/eth0.j2 create mode 120000 roles/install_arch/templates/mirrorlist.j2 create mode 
120000 roles/install_arch/templates/sshd_config.j2 create mode 100644 roles/lxc/files/50-lxc.conf create mode 100644 roles/lxc/files/lxc-auto-delayed.service create mode 100755 roles/lxc/files/lxc-create-alpine.sh create mode 100755 roles/lxc/files/lxc-create.sh create mode 100755 roles/lxc/files/lxcbtrfsconverter.sh create mode 100644 roles/lxc/tasks/mail.yaml create mode 100644 roles/lxc_container/README.yml create mode 100644 roles/lxc_container/tasks/main.yml create mode 100644 roles/netctl/tasks/main.yml create mode 100644 roles/netctl/templates/80-net-setup-link.rules.j2 create mode 100644 roles/netctl/templates/99-hetzner.conf.j2 create mode 100644 roles/netctl/templates/br0.j2 create mode 100644 roles/netctl/templates/eth0.j2 create mode 100644 roles/pet/task/main.yaml create mode 100644 roles/pet/templates/config.toml.j2 create mode 100644 roles/root_ssh/tasks/main.yml create mode 100644 roles/root_ssh/templates/authorized_keys.j2 create mode 100644 roles/sshd/handlers/main.yml create mode 100644 roles/sshd/tasks/main.yml create mode 100644 roles/sshd/templates/motd.j2 create mode 100644 roles/sshd/templates/sshd_config.j2 create mode 100644 roles/sudo/tasks/main.yml create mode 100644 roles/tools/tasks/main.yml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..9a86ad7 --- /dev/null +++ b/.gitignore @@ -0,0 +1,13 @@ + +# Created by https://www.gitignore.io/api/ansible + +### Ansible ### +*.retry + + +*.pyc +*.retry +/borg-keys/ +vault-secret.txt + +# End of https://www.gitignore.io/api/ansible diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..472ac23 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,8 @@ +MIT License +Copyright (c) + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/README.md b/README.md new file mode 100644 index 0000000..8978c53 --- /dev/null +++ b/README.md 
@@ -0,0 +1,42 @@
+# ansible-playbooks
+
+Sammlung der verwendeten [Ansible](ansible.com) Playbooks
+
+## Playbooks
+
+### install-arch.yml
+Mit diesem Playbook kann bei Hetzner im Robot eine frische Arch Linux installation aufgesetzt werden. Der Server wird hierzu in den Rescue-Modus versetzt, aus Sicherheitsgründen wird dies derzeit nicht automatisiert durchgeführt. Danach werden die Festplatten formatiert und zu einem RAID1 Verbund vereint. Anschließend wird das aktuelle Arch Linux Image geladen und installiert. Nach der Netwerkkonfiguration und der Aktivierung von SSH wird der Server neu gestartet und der aktuelle SSH-Key aus der knownhosts datei gelöscht.
+
+Start des Playbooks: ``ansible-playbook playbooks/install-arch.yml -l $host``
+
+Für das Playbook werden folgende Variablen benötigt:
+
+| Variable | Wert | Bedeutung |
+| ------------ | --------------- | --------------------------------------------- |
+| hostname | | Der Name des hosts der aufgesetzt werden soll |
+| ipv4_address | | Die IPv4 addresse des hosts |
+| ipv4_netmask | "/32" | Die verwendete Maske für das Netzwerk |
+| ipv6_address | | siehe ipv4 |
+| ipv6_netmask | "/128" | siehe ipv4 |
+| ipv4_gateway | | die Adresse des Gateways |
+| ipv6_gateway | | |
+| filesystem | btrfs oder ext4 | Wahl des filesystems für den host |
+
+Die Variablen werden unter host_vars in der datei abgelegt.
+
+## All-hosts-basic
+Dieses Playbook richtet eine frische Installation ein indem es nützliche Tools installiert, User anlegt, das Netwerk einrichtet und somit eine Basis für ein System herstellt.
+
+``ansible-playbook playbooks/all-hosts-basic.yml -l $host``
+
+Informationen zu den Installierten tools finden sie in der Datei ``roles/tools/tasks/main.yml``.
+Die Nutzer werden in ``group_vars/all/archusers.yml`` definiert und ihre Publickeys unter ``publickeys/.pub`` abgelegt.
+
+##
+
+
+## ToDo
+
+- borg-server einrichtung (auf Synology)
+- Monitoring
+- LXC-Container Installation und Verwaltung
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..8689568
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,446 @@ +# config file for ansible -- https://ansible.com/ +# =============================================== + +# nearly all parameters can be overridden in ansible-playbook +# or with command line flags. ansible will read ANSIBLE_CONFIG, +# ansible.cfg in the current working directory, .ansible.cfg in +# the home directory or /etc/ansible/ansible.cfg, whichever it +# finds first + +[defaults] + +# some basic default values... + +inventory = hosts +#library = /usr/share/my_modules/ +#module_utils = /usr/share/my_module_utils/ +remote_tmp = ~/.ansible/tmp +#local_tmp = ~/.ansible/tmp +#forks = 5 +#poll_interval = 15 +#sudo_user = root +#ask_sudo_pass = True +#ask_pass = True +#transport = smart +#remote_port = 22 +#module_lang = C +#module_set_locale = False +roles_path = roles + +# plays will gather facts by default, which contain information about +# the remote system. +# +# smart - gather by default, but don't regather if already gathered +# implicit - gather by default, turn off with gather_facts: False +# explicit - do not gather by default, must say gather_facts: True +#gathering = implicit + +# This only affects the gathering done by a play's gather_facts directive, +# by default gathering retrieves all facts subsets +# all - gather all subsets +# network - gather min and network facts +# hardware - gather hardware facts (longest facts to retrieve) +# virtual - gather min and virtual facts +# facter - import facts from facter +# ohai - import facts from ohai +# You can combine them using comma (ex: network,virtual) +# You can negate them using ! (ex: !hardware,!facter,!ohai) +# A minimal set of facts is always gathered. +#gather_subset = all + +# some hardware related facts are collected +# with a maximum timeout of 10 seconds. This +# option lets you increase or decrease that +# timeout to something more suitable for the +# environment. 
+# gather_timeout = 10 + +# additional paths to search for roles in, colon separated +#roles_path = /etc/ansible/roles + +# uncomment this to disable SSH key host checking +#host_key_checking = False + +# change the default callback +#stdout_callback = skippy +# enable additional callbacks +#callback_whitelist = timer, mail + +# Determine whether includes in tasks and handlers are "static" by +# default. As of 2.0, includes are dynamic by default. Setting these +# values to True will make includes behave more like they did in the +# 1.x versions. +#task_includes_static = True +#handler_includes_static = True + +# Controls if a missing handler for a notification event is an error or a warning +#error_on_missing_handler = True + +# change this for alternative sudo implementations +#sudo_exe = sudo + +# What flags to pass to sudo +# WARNING: leaving out the defaults might create unexpected behaviours +#sudo_flags = -H -S -n + +# SSH timeout +#timeout = 10 + +# default user to use for playbooks if user is not specified +# (/usr/bin/ansible will use current user as default) +#remote_user = root + +# logging is off by default unless this path is defined +# if so defined, consider logrotate +#log_path = /var/log/ansible.log + +# default module name for /usr/bin/ansible +#module_name = command + +# use this shell for commands executed under sudo +# you may need to change this to bin/bash in rare instances +# if sudo is constrained +#executable = /bin/sh + +# if inventory variables overlap, does the higher precedence one win +# or are hash values merged together? The default is 'replace' but +# this can also be set to 'merge'. +#hash_behaviour = replace + +# by default, variables from roles will be visible in the global variable +# scope. 
To prevent this, the following option can be enabled, and only +# tasks and handlers within the role will see the variables there +#private_role_vars = yes + +# list any Jinja2 extensions to enable here: +#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n + +# if set, always use this private key file for authentication, same as +# if passing --private-key to ansible or ansible-playbook +#private_key_file = /path/to/file + +# If set, configures the path to the Vault password file as an alternative to +# specifying --vault-password-file on the command line. +#vault_password_file = /path/to/vault_password_file + +# format of string {{ ansible_managed }} available within Jinja2 +# templates indicates to users editing templates files will be replaced. +# replacing {file}, {host} and {uid} and strftime codes with proper values. +#ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host} +# {file}, {host}, {uid}, and the timestamp can all interfere with idempotence +# in some situations so the default is a static string: +#ansible_managed = Ansible managed + +# by default, ansible-playbook will display "Skipping [host]" if it determines a task +# should not be run on a host. Set this to "False" if you don't want to see these "Skipping" +# messages. NOTE: the task header will still be shown regardless of whether or not the +# task is skipped. +#display_skipped_hosts = True + +# by default, if a task in a playbook does not include a name: field then +# ansible-playbook will construct a header that includes the task's action but +# not the task's args. This is a security feature because ansible cannot know +# if the *module* considers an argument to be no_log at the time that the +# header is printed. 
If your environment doesn't have a problem securing +# stdout from ansible-playbook (or you have manually specified no_log in your +# playbook on all of the tasks where you have secret information) then you can +# safely set this to True to get more informative messages. +#display_args_to_stdout = False + +# by default (as of 1.3), Ansible will raise errors when attempting to dereference +# Jinja2 variables that are not set in templates or action lines. Uncomment this line +# to revert the behavior to pre-1.3. +#error_on_undefined_vars = False + +# by default (as of 1.6), Ansible may display warnings based on the configuration of the +# system running ansible itself. This may include warnings about 3rd party packages or +# other conditions that should be resolved if possible. +# to disable these warnings, set the following value to False: +#system_warnings = True + +# by default (as of 1.4), Ansible may display deprecation warnings for language +# features that should no longer be used and will be removed in future versions. +# to disable these warnings, set the following value to False: +#deprecation_warnings = True + +# (as of 1.8), Ansible can optionally warn when usage of the shell and +# command module appear to be simplified by using a default Ansible module +# instead. These warnings can be silenced by adjusting the following +# setting or adding warn=yes or warn=no to the end of the command line +# parameter string. This will for example suggest using the git module +# instead of shelling out to the git command. 
+# command_warnings = False + + +# set plugin path directories here, separate with colons +#action_plugins = /usr/share/ansible/plugins/action +#cache_plugins = /usr/share/ansible/plugins/cache +#callback_plugins = /usr/share/ansible/plugins/callback +#connection_plugins = /usr/share/ansible/plugins/connection +#lookup_plugins = /usr/share/ansible/plugins/lookup +#inventory_plugins = /usr/share/ansible/plugins/inventory +#vars_plugins = /usr/share/ansible/plugins/vars +#filter_plugins = /usr/share/ansible/plugins/filter +#test_plugins = /usr/share/ansible/plugins/test +#terminal_plugins = /usr/share/ansible/plugins/terminal +#strategy_plugins = /usr/share/ansible/plugins/strategy + + +# by default, ansible will use the 'linear' strategy but you may want to try +# another one +#strategy = free + +# by default callbacks are not loaded for /bin/ansible, enable this if you +# want, for example, a notification or logging callback to also apply to +# /bin/ansible runs +#bin_ansible_callbacks = False + + +# don't like cows? that's unfortunate. +# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1 +#nocows = 1 + +# set which cowsay stencil you'd like to use by default. When set to 'random', +# a random stencil will be selected for each task. The selection will be filtered +# against the `cow_whitelist` option below. +#cow_selection = default +#cow_selection = random + +# when using the 'random' option for cowsay, stencils will be restricted to this list. +# it should be formatted as a comma-separated list with no spaces between names. +# NOTE: line continuations here are for formatting purposes only, as the INI parser +# in python does not support them. +#cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes,\ +# hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus,\ +# stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www + +# don't like colors either? 
+# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1 +#nocolor = 1 + +# if set to a persistent type (not 'memory', for example 'redis') fact values +# from previous runs in Ansible will be stored. This may be useful when +# wanting to use, for example, IP information from one group of servers +# without having to talk to them in the same playbook run to get their +# current IP information. +#fact_caching = memory + + +# retry files +# When a playbook fails by default a .retry file will be created in ~/ +# You can disable this feature by setting retry_files_enabled to False +# and you can change the location of the files by setting retry_files_save_path + +#retry_files_enabled = False +#retry_files_save_path = ~/.ansible-retry + +# squash actions +# Ansible can optimise actions that call modules with list parameters +# when looping. Instead of calling the module once per with_ item, the +# module is called once with all items at once. Currently this only works +# under limited circumstances, and only with parameters named 'name'. +#squash_actions = apk,apt,dnf,homebrew,pacman,pkgng,yum,zypper + +# prevents logging of task data, off by default +#no_log = False + +# prevents logging of tasks, but only on the targets, data is still logged on the master/controller +#no_target_syslog = False + +# controls whether Ansible will raise an error or warning if a task has no +# choice but to create world readable temporary files to execute a module on +# the remote machine. This option is False by default for security. Users may +# turn this on to have behaviour more like Ansible prior to 2.1.x. See +# https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user +# for more secure ways to fix this than enabling this option. +#allow_world_readable_tmpfiles = False + +# controls the compression level of variables sent to +# worker processes. At the default of 0, no compression +# is used. This value must be an integer from 0 to 9. 
+#var_compression_level = 9 + +# controls what compression method is used for new-style ansible modules when +# they are sent to the remote system. The compression types depend on having +# support compiled into both the controller's python and the client's python. +# The names should match with the python Zipfile compression types: +# * ZIP_STORED (no compression. available everywhere) +# * ZIP_DEFLATED (uses zlib, the default) +# These values may be set per host via the ansible_module_compression inventory +# variable +#module_compression = 'ZIP_DEFLATED' + +# This controls the cutoff point (in bytes) on --diff for files +# set to 0 for unlimited (RAM may suffer!). +#max_diff_size = 1048576 + +# This controls how ansible handles multiple --tags and --skip-tags arguments +# on the CLI. If this is True then multiple arguments are merged together. If +# it is False, then the last specified argument is used and the others are ignored. +#merge_multiple_cli_flags = False + +# Controls showing custom stats at the end, off by default +#show_custom_stats = True + +# Controls which files to ignore when using a directory as inventory with +# possibly multiple sources (both static and dynamic) +#inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo + +# This family of modules use an alternative execution path optimized for network appliances +# only update this setting if you know how this works, otherwise it can break module execution +#network_group_modules=['eos', 'nxos', 'ios', 'iosxr', 'junos', 'vyos'] + +# When enabled, this option allows lookups (via variables like {{lookup('foo')}} or when used as +# a loop with `with_foo`) to return data that is not marked "unsafe". This means the data may contain +# jinja2 templating language which will be run through the templating engine. 
+# ENABLING THIS COULD BE A SECURITY RISK +#allow_unsafe_lookups = False + +[privilege_escalation] +#become=True +#become_method=sudo +#become_user=root +#become_ask_pass=False + +[paramiko_connection] + +# uncomment this line to cause the paramiko connection plugin to not record new host +# keys encountered. Increases performance on new host additions. Setting works independently of the +# host key checking setting above. +#record_host_keys=False + +# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this +# line to disable this behaviour. +#pty=False + +# paramiko will default to looking for SSH keys initially when trying to +# authenticate to remote devices. This is a problem for some network devices +# that close the connection after a key failure. Uncomment this line to +# disable the Paramiko look for keys function +#look_for_keys = False + +# When using persistent connections with Paramiko, the connection runs in a +# background process. If the host doesn't already have a valid SSH key, by +# default Ansible will prompt to add the host key. This will cause connections +# running in background processes to fail. Uncomment this line to have +# Paramiko automatically add host keys. +#host_key_auto_add = True + +[ssh_connection] + +# ssh arguments to use +# Leaving off ControlPersist will result in poor performance, so use +# paramiko on older platforms rather than removing it, -C controls compression use +#ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s + +# The base directory for the ControlPath sockets. +# This is the "%(directory)s" in the control_path option +# +# Example: +# control_path_dir = /tmp/.ansible/cp +#control_path_dir = ~/.ansible/cp + +# The path to use for the ControlPath sockets. This defaults to a hashed string of the hostname, +# port and username (empty string in the config). 
The hash mitigates a common problem users +# found with long hostames and the conventional %(directory)s/ansible-ssh-%%h-%%p-%%r format. +# In those cases, a "too long for Unix domain socket" ssh error would occur. +# +# Example: +# control_path = %(directory)s/%%h-%%r +#control_path = + +# Enabling pipelining reduces the number of SSH operations required to +# execute a module on the remote server. This can result in a significant +# performance improvement when enabled, however when using "sudo:" you must +# first disable 'requiretty' in /etc/sudoers +# +# By default, this option is disabled to preserve compatibility with +# sudoers configurations that have requiretty (the default on many distros). +# +#pipelining = False + +# Control the mechanism for transferring files (old) +# * smart = try sftp and then try scp [default] +# * True = use scp only +# * False = use sftp only +#scp_if_ssh = smart + +# Control the mechanism for transferring files (new) +# If set, this will override the scp_if_ssh option +# * sftp = use sftp to transfer files +# * scp = use scp to transfer files +# * piped = use 'dd' over SSH to transfer files +# * smart = try sftp, scp, and piped, in that order [default] +#transfer_method = smart + +# if False, sftp will not use batch mode to transfer files. This may cause some +# types of file transfer failures impossible to catch however, and should +# only be disabled if your sftp version has problems with batch mode +#sftp_batch_mode = False + +[persistent_connection] + +# Configures the persistent connection timeout value in seconds. This value is +# how long the persistent connection will remain idle before it is destroyed. +# If the connection doesn't receive a request before the timeout value +# expires, the connection is shutdown. The default value is 30 seconds. +connect_timeout = 30 + +# Configures the persistent connection retries. 
This value configures the +# number of attempts the ansible-connection will make when trying to connect +# to the local domain socket. The default value is 30. +connect_retries = 30 + +# Configures the amount of time in seconds to wait between connection attempts +# to the local unix domain socket. This value works in conjunction with the +# connect_retries value to define how long to try to connect to the local +# domain socket when setting up a persistent connection. The default value is +# 1 second. +connect_interval = 1 + +[accelerate] +#accelerate_port = 5099 +#accelerate_timeout = 30 +#accelerate_connect_timeout = 5.0 + +# The daemon timeout is measured in minutes. This time is measured +# from the last activity to the accelerate daemon. +#accelerate_daemon_timeout = 30 + +# If set to yes, accelerate_multi_key will allow multiple +# private keys to be uploaded to it, though each user must +# have access to the system via SSH to add a new key. The default +# is "no". +#accelerate_multi_key = yes + +[selinux] +# file systems that require special treatment when dealing with security context +# the default behaviour that copies the existing context or uses the user default +# needs to be changed to use the file system dependent context. +#special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p + +# Set this to yes to allow libvirt_lxc connections to work without SELinux. +#libvirt_lxc_noseclabel = yes + +[colors] +#highlight = white +#verbose = blue +#warn = bright purple +#error = red +#debug = dark gray +#deprecate = purple +#skip = cyan +#unreachable = red +#ok = green +#changed = yellow +#diff_add = green +#diff_remove = red +#diff_lines = cyan + + +[diff] +# Always print diff when running ( same as always running with -D/--diff ) +# always = no + +# Set how many context lines to show in diff +# context = 3 diff --git a/group_vars/all/archusers.yml b/group_vars/all/archusers.yml new file mode 100644 index 0000000..d779bc8 --- /dev/null 
+++ b/group_vars/all/archusers.yml @@ -0,0 +1,35 @@ +--- + +arch_groups: + - dev + - tu + - archboxes-sudo + - freifunk + +arch_users: + aur_builder: + name: "aur_builder" + ssh_key: kreativmonkey.pub + kreativmnokey: + name: "Sebastian Preisner" + ssh_key: kreativmonkey.pub + groups: + - dev + ataflinsky: + name: "Ansgar Taflinsky" + ssh_key: ansgar.pub + groups: + - tu + - freifunk + adlerweb: + name: "Florian Knodt" + ssh_key: adlerweb.pub + groups: + - tu + - freifunk + niyawe: + name: "Niklas Yann Wettengel" + ssh_key: niyawe.pub + groups: + - dev + - freifunk diff --git a/group_vars/all/borg.yml b/group_vars/all/borg.yml new file mode 100644 index 0000000..e360ab8 --- /dev/null +++ b/group_vars/all/borg.yml @@ -0,0 +1,6 @@ +$ANSIBLE_VAULT;1.1;AES256 +36643833306339303332306161653634303135333138323633303632663238353964623439373133 +3533313534613533393131646464656535383539366634650a313962376139616637643537616632 +66653266393465343265636266363766636134313734616664353532316465393363663561343234 +6132386334376366630a663063366531633965633462363731633435653366386532383232323239 +66356134363937376134663864646165656265396135313232333136376561626630 diff --git a/group_vars/all/lxc-container.yml b/group_vars/all/lxc-container.yml new file mode 100644 index 0000000..718ac5a --- /dev/null +++ b/group_vars/all/lxc-container.yml @@ -0,0 +1,27 @@ +--- + +container: + webserver: + network: + ipv4: 10.0.1.100 + ipv6: 2a01:4f8:191:248f::10 + autostart: false + + nginx.revproxy: + network: + ipv4: 10.0.1.10 + ipv6: 2a01:4f8:191:248f::10 + ports: + - "80" + autostart: true + + nextcloud: + urls: + - www.oc4.de + network: + ipv4: 10.0.1.41 + ipv6: 2a01:4f8:191:248f::41 + autostart: true + clone: webserver + groups: + - delayedstart diff --git a/group_vars/all/pet.yml b/group_vars/all/pet.yml new file mode 100644 index 0000000..5fad05a --- /dev/null +++ b/group_vars/all/pet.yml 
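Review bot: The `arch_users` entry `kreativmnokey:` is misspelled; `group_vars/all/sudo.yml` in this same commit lists `kreativmonkey` in `sudo_users`, so if the archusers role derives the account name from the dictionary key (the role's tasks are outside this chunk) the sudo grant will either target a non-existent account or a second one will be created. Rename the key to `kreativmonkey:`. Separately, `aur_builder` receives `ssh_key: kreativmonkey.pub`; a package-build service account normally needs no interactive SSH login, so consider dropping the key from that entry or restricting it with `command=`/`restrict` options if it must stay.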
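Review bot: `webserver` and `nginx.revproxy` are both given `ipv6: 2a01:4f8:191:248f::10`, so the two containers collide on IPv6 whenever both are running; `webserver` is `autostart: false` today, but `nextcloud` is `clone: webserver` and may inherit the same address unless the role rewrites network settings on clone. Give `webserver` its own address, e.g. `ipv6: 2a01:4f8:191:248f::100` to mirror its `.100` IPv4 host part, and state in a comment that cloned containers must not carry over network configuration. The `2a01:4f8:191:248f::/64` prefix here also differs from the `2a01:4f8:191:2309::/64` in `host_vars/pegasus`; that may simply be another host's prefix, but it is worth confirming.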
@@ -0,0 +1,7 @@ +$ANSIBLE_VAULT;1.1;AES256 +34646431336463346165343261336361323461633439656362376537356431623434383435373738 +3635613563383066646262303635636230313532666262340a313063646136613931303237623562 +35323630616134376365613534333330336236373137663837326264373338656466666135313938 +3561626665636535360a333435613664643232623066393765643937643731346562663937366437 +34613137383066386362633631623438356633363266633030356531666536646331353264383235 +3461316138663930376539623931353564646466343338346136 diff --git a/group_vars/all/root_pubkeys.yml b/group_vars/all/root_pubkeys.yml new file mode 100644 index 0000000..132f658 --- /dev/null +++ b/group_vars/all/root_pubkeys.yml @@ -0,0 +1,10 @@ +--- + +root_ssh_keys: + - kreativmonkey.pub + - ansgar.pub + - niyawe.pub + - adlerweb.pub + +root_gpgkeys: + - 7792AF9901C0BC4B2B691A16A34BF64C69048539 # kreativmonkey diff --git a/group_vars/all/sudo.yml b/group_vars/all/sudo.yml new file mode 100644 index 0000000..ecf889a --- /dev/null +++ b/group_vars/all/sudo.yml @@ -0,0 +1,5 @@ +--- + +sudo_users: + - kreativmonkey + - aur_builder diff --git a/group_vars/hetzner.yml b/group_vars/hetzner.yml new file mode 100644 index 0000000..715dffa --- /dev/null +++ b/group_vars/hetzner.yml @@ -0,0 +1 @@ +configure_network: true diff --git a/host_vars/pegasus b/host_vars/pegasus new file mode 100644 index 0000000..3c1dcbe --- /dev/null +++ b/host_vars/pegasus 
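Review bot: `root_ssh_keys` grants direct root SSH to all four people whose keys live in `pubkeys/`, while the same commit creates per-user accounts and a `sudo_users` list; with everyone able to log in as root directly, the per-user accounts provide no accountability and a stolen key from any of the four is an immediate root shell. Only the key(s) the Ansible controller authenticates with (the playbooks use `remote_user: root`) need to be in root's `authorized_keys`; the others can log in as themselves and escalate via sudo. Consider reducing the list to the automation key(s) and adding a comment such as `# keys that may log in directly as root; everyone else uses their own account + sudo`.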
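Review bot: `aur_builder` is listed in `sudo_users` next to a human administrator; if the sudo role (outside this chunk) grants the generic sudo rule to every name in this list, the AUR build account becomes root-equivalent, which defeats the point of building untrusted AUR packages under a dedicated unprivileged user — a malicious PKGBUILD would run with a path to root. The usual pattern is a separate sudoers.d rule limited to the package manager, e.g. `aur_builder ALL=(ALL) NOPASSWD: /usr/bin/pacman`, rather than membership in the general list. Keep `sudo_users` for interactive administrators only.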
@@ -0,0 +1,24 @@
+---
+
+hostname: "pegasus"
+
+ipv4_address: "144.76.32.10"
+ipv4_netmask: "/32"
+ipv6_address: "2a01:4f8:191:2309::2"
+ipv6_netmask: "/128"
+ipv4_gateway: "144.76.32.1"
+ipv6_gateway: "fe80::1"
+mac_address: "50:46:5d:9f:f5:d8"
+lxc_ipv4_address: 10.0.1.1
+lxc_ipv4_netmask: "/24"
+lxc_ipv6_address: "2a01:4f8:191:2309::2"
+lxc_ipv6_netmask: "/64"
+filesystem: btrfs
+
+# FIXME: this should probably be configured another way. maybe the
+# mysql/postgres roles should deploy the credentials themselves
+#postgres_backup_dir: "/var/lib/postgres/backup"
+#mysql_backup_dir: "/root/backup-mysql"
+#mysql_backup_defaults: "/root/.backup-my.cnf"
+
+#kanboard_version: "v1.2.4"
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..1bb5da6
--- /dev/null
+++ b/hosts
@@ -0,0 +1,10 @@
+[hetzner]
+predator
+pegasus
+
+[borg-clients]
+predator
+pegasus
+
+[others]
+ffmyk ansible_port=2227 ansible_host=144.76.33.144
diff --git a/playbooks/all-hosts-basic.yml b/playbooks/all-hosts-basic.yml
new file mode 100644
index 0000000..9fbddef
--- /dev/null
+++ b/playbooks/all-hosts-basic.yml
@@ -0,0 +1,13 @@
+- name: basic setup for all hosts
+ hosts: all
+ remote_user: root
+ roles:
+ - { role: common, tags: ['common'] }
+ - { role: tools, tags: ['tools'] }
+ # reconfiguring sshd may break the AUR on luna (unchecked)
+ - { role: sshd, tags: ['sshd'] }
+ - { role: root_ssh, tags: ['root_ssh'] }
+ - { role: borg-client, tags: ["borg"], when: "'borg-clients' in group_names" }
+ - { role: netctl, tags: ['netctl'] }
+ - { role: bashit, tags: ['bashit'] }
+ - { role: archusers, tags: ['archusers'] }
diff --git a/playbooks/install-arch.yml b/playbooks/install-arch.yml
new file mode 100644
index 0000000..d638e3f
--- /dev/null
+++ b/playbooks/install-arch.yml
@@ -0,0 +1,8 @@
+# This script is for provisioning a server for first boot.
+# Care: It is not idempotent by design.
+
+- name: install_arch
+ hosts: all
+ remote_user: root
+ roles:
+ - install_arch
diff --git a/plugins/modules/aur b/plugins/modules/aur new file mode 160000 index 0000000..38d3785 --- /dev/null +++ b/plugins/modules/aur @@ -0,0 +1 @@ +Subproject commit 38d3785501466f0a9882d6e7748f51f45e798fb5 diff --git a/pubkeys/adlerweb.pub b/pubkeys/adlerweb.pub new file mode 100644 index 0000000..2f58a88 --- /dev/null +++ b/pubkeys/adlerweb.pub @@ -0,0 +1 @@ +#command="tmux -S /tmp/shareds attach -t shared" ssh-rsa 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 adlerweb@OP-Server diff --git a/pubkeys/ansgar.pub b/pubkeys/ansgar.pub new file mode 100644 index 0000000..2a7c36e --- /dev/null +++ b/pubkeys/ansgar.pub @@ -0,0 +1,2 @@ +#command="tmux -S /tmp/shareds attach -t shared" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnUB+62q/uDfc+PALzkEbwhNxkkCVT1Au2qTb0LMGaqhKo337X2P1ElpSKva9fvvIS2q8u+xu7hchOPaIUMQk2qqR/wEbySQxKHwjuy55inepJSu5R1Wc6AMEcVo6edQJbo589etSx7XIAcUwB0OuMLQNSDyaBGd7LHHvmaAJPDFsAThHGDqj3bjxSC5mdNzjMaLe5XhLhscINV0vuFTdTMW4PYH/80Yw3xWVJkbYsYM+Zjx8ae/Int9flvJ/yjCtkfWYm33MZQuyENJp2jMZt4wD+VSaeVirCEW0KnhrlISjj8R+pHGFI+IDAM3mhHw5yWAfpP+SGsidspCjFpgzf ataflinski@fgm +#ssh-rsa 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 ansgar@manning diff --git a/pubkeys/kreativmonkey.pub b/pubkeys/kreativmonkey.pub new file mode 100644 index 0000000..9b037e1 --- /dev/null +++ b/pubkeys/kreativmonkey.pub 
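Review bot: In pubkeys/adlerweb.pub the whole line starts with `#`, so not only the `command="tmux …"` forced command but the key itself is commented out: sshd ignores the line, and roles/archusers/tasks/main.yml installs the file's contents with `exclusive: yes`, so the user may end up with no authorized key at all (how the authorized_key module treats a `#` line is worth checking rather than assuming). If the intent is to drop the forced command, the line should begin at `ssh-rsa …`; if the intent is to keep it, remove only the leading `#`. The same applies to the first line of pubkeys/ansgar.pub and to pubkeys/niyawe.pub.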
@@ -0,0 +1,4 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2bbsrZLJ2271iSb04qpoUDlbrH19aTXUlzFaQSp1KO0BjCxdNvY1x6ZjkIPUC0YeaVGePu0cBJFWYZKpPRiz5hbWeFgaVvhbAlhxAMSlgdjLiN2alc92mBX40NhrpgSV/hGB5KAqqBQr9y01g9I5GRl9jdXgzUA9hhbqxls6tvXxGN2SJC3TFbUj+2PPpn8Cw2ZJiKsKZIoQfs9ZQuv2xDi7E6voqBALlYWd217ZgBezklrpm48dDisGI/WdZyllgk0XyxXwRSSD8QINTPjWmKXk5ZNH65J0KyDlnrZsgQuQbsN3jGgJsPfR6tydVITd1IXtSwawUYZ+JU8wwp6CR sebastian@gartenzwerk +ssh-rsa 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 kreativmonkey@DataCore +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9EwjHmm57L7WGeD6KU49D7NyNJLI7N5KR1GxUN+yPSnShD5BsfKyrfHS2U7SP6rN4RVhCh4D8OqpaZySuASD2ImWxD23A5SHy2AlaSedMb+a9Gi6ODeSZbvZIjutu9YMk7PtssfZxNi25gsbzWrERQM2mNpJtDjNx5jxA+EYbjOu8hhqV8+n7a9YRbahnhGQbp1H6DmiPIqELXCJAKr3iUb/ZZHlV9BF7eGMK9jYa24dHFtxAtojjbl8DhZzVJ+bHf6afXlDA4+qYjHnb/OMW23oSvHBtSPsfPaC53ML6BKymON56Os3lPTuCT5tvUN4qmMZksRWjGhiMLbd4noF sebastian@smartphone +ssh-rsa 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 sebastian@Bulido diff --git a/pubkeys/niyawe.pub b/pubkeys/niyawe.pub new file mode 100644 index 0000000..03e19fd --- /dev/null +++ b/pubkeys/niyawe.pub @@ -0,0 +1 @@ +#command="tmux -S /tmp/shareds attach -t shared" ssh-rsa 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 niyawe@niyawe.de diff --git a/roles/archusers/tasks/main.yml b/roles/archusers/tasks/main.yml new file mode 100644 index 0000000..8447757 --- /dev/null +++ b/roles/archusers/tasks/main.yml 
@@ -0,0 +1,33 @@
+---
+
+- name: create Arch Linux-specific groups
+ group: name="{{ item }}" state=present system=no
+ with_items: "{{ arch_groups }}"
+
+- name: create Arch Linux-specific users
+ user:
+ name: "{{ item.key }}"
+ group: users
+ groups: "{{ item.value.groups | join(',') }}"
+ comment: "{{ item.value.name}}"
+ state: present
+ with_dict: "{{ arch_users }}"
+
+- name: configure ssh keys
+ authorized_key:
+ user: "{{ item.key }}"
+ key: "{{ lookup('file', '../pubkeys/' + item.value.ssh_key) }}"
+ manage_dir: yes
+ state: present
+ exclusive: yes
+ when: item.value.ssh_key is defined
+ with_dict: "{{ arch_users }}"
+
+- name: get list of remote users
+ find: paths="/home" file_type="directory"
+ register: all_users
+
+- name: disable ssh keys of disabled users
+ file: path="/home/{{ item }}/.ssh/authorized_keys" state=absent
+ when: item not in "{{ arch_users }}"
+ with_items: "{{ all_users.files | map(attribute='path') | map('basename') | list }}"
diff --git a/roles/bashit/handlers/main.yml b/roles/bashit/handlers/main.yml
new file mode 100644
index 0000000..1aef1fa
--- /dev/null
+++ b/roles/bashit/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: Install Bash-it
+ shell: ~/.bash_it/install.sh --silent
+
+- name: reload source
+ command: source /root/.bashrc
diff --git a/roles/bashit/tasks/main.yml b/roles/bashit/tasks/main.yml
new file mode 100644
index 0000000..1eeaccd
--- /dev/null
+++ b/roles/bashit/tasks/main.yml
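Review bot: `groups: "{{ item.value.groups | join(',') }}"` in the "create Arch Linux-specific users" task raises an undefined-attribute error for `aur_builder`, which has no `groups` entry in group_vars/all/archusers.yml, so the play stops before the remaining users are created; `groups: "{{ item.value.groups | default([]) | join(',') }}"` handles it. In the last task, `when: item not in "{{ arch_users }}"` wraps the condition in Jinja delimiters, which Ansible warns about and which compares against the rendered string rather than the dict; `when: item not in arch_users` is the intended test. Removing authorized_keys for every /home entry absent from arch_users is a good fail-closed default and deserves a one-line comment saying that it is deliberate.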
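Review bot: `command: source /root/.bashrc` in the "reload source" handler cannot work: `source` is a shell builtin, the command module does not go through a shell, and even under `shell:` the effect would be confined to that child process. The handler can be dropped, with a comment in the tasks file noting that the new configuration takes effect at the next login.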
@@ -0,0 +1,45 @@
+---
+
+- name: Check Bash-It Installation
+ stat:
+ path: ~/.bash_it
+ register: install
+
+- name: Clone Bash-it
+ git:
+ repo: https://github.com/Bash-it/bash-it.git
+ dest: ~/.bash_it
+ depth: 1
+ update: no
+ notify:
+ - Install Bash-it
+ - reload source
+ when: not install.stat.exists
+
+- name: Update Bash-it
+ shell: bash-it update
+ when: install.stat.exists
+
+- name: setup-bashit-theme
+ lineinfile:
+ path: .bashrc
+ regexp: "(export BASH_IT_THEME=)[('a-z')]+"
+ line: "export BASH_IT_THEME='candy'"
+
+- name: enable bashit plugins
+ shell: bashit enable plugins {{ .items }}
+ with_items:
+ - history
+ - git
+ - alias-completion
+ - autojump
+ - base
+ - tmux
+
+- name: enable bashit aliases
+ shell: bashit enable aliases {{ .items }}
+ with_items:
+ - general
+ - git
+ - gitsvn
+ - tmux
diff --git a/roles/borg-client/defaults/main.yml b/roles/borg-client/defaults/main.yml
new file mode 100644
index 0000000..bbdd3bb
--- /dev/null
+++ b/roles/borg-client/defaults/main.yml
@@ -0,0 +1,2 @@
+backup_host: "kreativmonkey@core.oc4.de"
+backup_dir: "/backup/{{inventory_hostname}}"
diff --git a/roles/borg-client/files/borg-backup.service b/roles/borg-client/files/borg-backup.service
new file mode 100644
index 0000000..3947918
--- /dev/null
+++ b/roles/borg-client/files/borg-backup.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Borg backup
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/borg-backup.sh
diff --git a/roles/borg-client/files/borg-backup.timer b/roles/borg-client/files/borg-backup.timer
new file mode 100644
index 0000000..ac210a6
--- /dev/null
+++ b/roles/borg-client/files/borg-backup.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Borg backup
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/borg-client/tasks/main.yml b/roles/borg-client/tasks/main.yml
new file mode 100644
index 0000000..5c4f8f7
--- /dev/null
+++ b/roles/borg-client/tasks/main.yml
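Review bot: `shell: bashit enable plugins {{ .items }}` (and the aliases task below it) uses `{{ .items }}`, which is not valid Jinja — the loop variable is `{{ item }}` — and the executable is `bash-it`, as the "Update Bash-it" task itself spells it, so both tasks fail on every run. The git task clones the default branch with `depth: 1` and no `version:`, and the notified handler then runs the cloned install.sh as root; pinning `version:` to a tag or commit makes the code that runs as root reproducible (`update: no` only prevents drift after the first clone). `lineinfile: path: .bashrc` is a relative path resolved against the remote working directory; `/root/.bashrc`, which the handler also names, is the intended target.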
@@ -0,0 +1,64 @@
+- name: install borg and tools
+ pacman: name=borg,perl-app-borgrestore state=present
+
+- name: install borg-restore config
+ template: src=borg-restore.cfg.j2 dest=/etc/borg-restore.cfg owner=root group=root mode=0644
+
+- name: check if borg repository already exists
+ command: borg list {{ backup_host }}:{{ backup_dir }}
+ register: borg_list
+ ignore_errors: True
+
+- name: init borg repository
+ command: borg init -e keyfile {{ backup_host }}:{{ backup_dir }}
+ when: borg_list | failed
+ environment:
+ BORG_PASSPHRASE: ""
+ ignore_errors: True # This can sometimes fail if a backup is in progress :/
+
+- name: install scripts
+ template: src={{item}}.j2 dest=/usr/local/bin/{{item}} owner=root group=root mode=0755
+ with_items:
+ - borg-backup.sh
+ - borg
+
+- name: install postgres backup script
+ template: src=backup-postgres.sh.j2 dest=/usr/local/bin/backup-postgres.sh owner=root group=root mode=0755
+ when: postgres_backup_dir is defined
+
+- name: check whether postgres user exists
+ command: getent passwd postgres
+ register: check_postgres_user
+ ignore_errors: True
+
+- name: make postgres backup directory
+ file: path=/var/lib/postgres/backup owner=postgres group=postgres state=directory
+ when: check_postgres_user|succeeded and postgres_backup_dir is defined
+
+- name: install mysql backup script
+ template: src=backup-mysql.sh.j2 dest=/usr/local/bin/backup-mysql.sh owner=root group=root mode=0755
+ when: mysql_backup_dir is defined
+
+- name: install mysql backup config
+ template: src=backup-my.cnf.j2 dest={{mysql_backup_defaults}}
+ when: mysql_backup_defaults is defined
+
+- name: create mysql backup directory
+ file: path={{mysql_backup_dir}} state=directory owner=root group=root
+ when: mysql_backup_dir is defined
+
+- name: install xtrabackup for mysql backup
+ pacman: name=xtrabackup state=installed
+ when: mysql_backup_dir is defined
+
+- name: install systemd timers for backup
+ copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
+ with_items:
+ - borg-backup.timer
+ - borg-backup.service
+
+- name: activate systemd timers for backup
+ service: name=borg-backup.timer enabled=yes state=started
+
+- name: enable systemd ressource accounting
+ command: systemctl set-property borg-backup CPUAccounting=yes MemoryAccounting=yes
diff --git a/roles/borg-client/templates/backup-my.cnf.j2 b/roles/borg-client/templates/backup-my.cnf.j2
new file mode 100644
index 0000000..7b10b2c
--- /dev/null
+++ b/roles/borg-client/templates/backup-my.cnf.j2
@@ -0,0 +1,3 @@
+[client]
+user = root
+password = "{{mariadb_users.root}}"
diff --git a/roles/borg-client/templates/backup-mysql.sh.j2 b/roles/borg-client/templates/backup-mysql.sh.j2
new file mode 100644
index 0000000..f56e646
--- /dev/null
+++ b/roles/borg-client/templates/backup-mysql.sh.j2
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+mysql_opts="--defaults-file={{mysql_backup_defaults}}"
+backupdir="{{mysql_backup_dir}}"
+
+[[ ! -d "$backupdir" ]] && mkdir -p "$backupdir"
+rm -rf "$backupdir"/*
+xtrabackup $mysql_opts --backup --target-dir="$backupdir"
diff --git a/roles/borg-client/templates/backup-postgres.sh.j2 b/roles/borg-client/templates/backup-postgres.sh.j2
new file mode 100644
index 0000000..ccb34fa
--- /dev/null
+++ b/roles/borg-client/templates/backup-postgres.sh.j2
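Review bot: The "install mysql backup config" task templates backup-my.cnf.j2, which carries the MariaDB root password in clear text, without `owner`, `group` or `mode`, so the file gets whatever the remote umask yields; add `owner=root group=root mode=0600`, as every other template task in this file sets explicit ownership and mode. The "init borg repository" task creates the repository with `-e keyfile` and `BORG_PASSPHRASE: ""`, so the repository key is protected only by the filesystem permissions of the keyfile on the client and is never exported; without a `borg key export` kept off-host the backups are unrecoverable if this host is lost, and a non-empty passphrase stored in the vault (group_vars/all/borg.yml already is one) is the usual choice. `when: borg_list | failed` uses the filter form that newer Ansible releases reject; `when: borg_list is failed` is the test form.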
@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Script to backup all postgres databases individually
+#
+# Requires local login with `postgres` user and either trusted or peer auth.
+#
+
+DBLIST=($(sudo -u postgres psql -d postgres -qt -c 'SELECT datname from pg_database'))
+for db in "${DBLIST[@]}"; do
+ if [[ $db =~ template[01] ]]; then
+ continue;
+ fi
+ echo "Dumping $db to {{ postgres_backup_dir }}";
+ sudo -u postgres pg_dump --serializable-deferrable -Fc "$db" > "{{ postgres_backup_dir }}/$db.dump"
+done
+
+echo "Dumping globals to {{ postgres_backup_dir }}"
+sudo -u postgres pg_dumpall --globals-only > "{{ postgres_backup_dir }}/globals.sql.dump"
diff --git a/roles/borg-client/templates/borg-backup.sh.j2 b/roles/borg-client/templates/borg-backup.sh.j2
new file mode 100644
index 0000000..5863d65
--- /dev/null
+++ b/roles/borg-client/templates/borg-backup.sh.j2
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+set -e
+
+src="/"
+snapshotdir="/backup-snap"
+
+##
+# usage : is_btrfs( $path )
+# return : whether $path is on a btrfs
+# source: makechrootpkg from devtools
+##
+is_btrfs() {
+ [[ -e "$1" && "$(stat -f -c %T "$1")" == btrfs ]]
+}
+
+delete_snapshot() {
+ btrfs subvolume delete --commit-after "$snapshotdir"
+}
+
+if is_btrfs "$src"; then
+ if [[ -d "$snapshotdir" ]]; then
+ delete_snapshot
+ fi
+ btrfs subvolume snapshot -r "$src" "$snapshotdir"
+ src="$snapshotdir"
+fi
+
+systemctl is-active postgresql && /usr/local/bin/backup-postgres.sh || true
+if systemctl is-active mysqld || systemctl is-active mariadb; then
+ /usr/local/bin/backup-mysql.sh || true
+fi
+
+borg create \
+ --verbose \
+ --stats \
+ --list \
+ -compression lz4 \
+ -e '/home/*/.cache/' \
+ -e /var/tmp \
+ -e /proc \
+ -e /sys \
+ -e /dev \
+ -e /run \
+ -e /tmp \
+ -e /var/cache \
+ {{ backup_host }}:{{ backup_dir }}::$(date "+%Y%m%d-%H%M%S") "$src"
+borg prune -v {{ backup_host }}:{{ backup_dir }} --keep-daily=7 --keep-weekly=4 --keep-monthly=6
+
+if [[ -d "$snapshotdir" ]]; then
+ delete_snapshot
+fi
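Review bot: backup-postgres.sh.j2 has no `set -e`/`set -o pipefail`, so a pg_dump that fails part-way leaves a truncated `$db.dump` in place and the script still exits 0, which borg-backup.sh then also masks with `|| true`; the backup run reports success with an unusable dump. `set -eo pipefail` at the top, or at least `|| exit 1` on the two dump lines, surfaces the failure. `DBLIST=($(...))` also word-splits the psql output on whitespace, so a database name containing a space is dumped as several wrong names; `while read -r db` over the psql output avoids that.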
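Review bot: The `-e '/home/*/.cache/'` and `-e /var/cache` patterns in borg-backup.sh.j2 are absolute paths, but on a btrfs host `src` is switched to `/backup-snap` before `borg create` runs, so neither pattern matches the snapshot's paths and the caches are backed up anyway (the pseudo-filesystem excludes are unaffected, since those are separate mounts and not part of the snapshot). Either prefix the patterns with `$src` or run borg from inside `$src` with relative patterns such as `-e 'home/*/.cache/'`. `-compression lz4` has a single dash; borg's option is `--compression lz4` (`-C lz4`), and the single-dash form is presumably parsed as a different short option. With `set -e`, a failing `borg prune` after a successful create also skips the final `delete_snapshot`; a `trap` would make the cleanup unconditional.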
diff --git a/roles/borg-client/templates/borg-restore.cfg.j2 b/roles/borg-client/templates/borg-restore.cfg.j2
new file mode 100644
index 0000000..e7d956d
--- /dev/null
+++ b/roles/borg-client/templates/borg-restore.cfg.j2
@@ -0,0 +1,12 @@
+# We set the repo in the /usr/local/bin/borg wrapper which is enough
+$borg_repo = "";
+
+{% if filesystem == "btrfs" %}
+@backup_prefixes = (
+ {regex => "^/", replacement => "backup-snap/"},
+);
+{% endif %}
+
+1;
+
+# vim: set ft=perl:
diff --git a/roles/borg-client/templates/borg.j2 b/roles/borg-client/templates/borg.j2
new file mode 100644
index 0000000..a59bddd
--- /dev/null
+++ b/roles/borg-client/templates/borg.j2
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+BORG_REPO="{{ backup_host }}:{{ backup_dir }}" exec /usr/bin/borg "$@"
diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
new file mode 100644
index 0000000..0bda1e3
--- /dev/null
+++ b/roles/common/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+configure_network: false
diff --git a/roles/common/files/dircolors b/roles/common/files/dircolors
new file mode 100644
index 0000000..a350fb7
--- /dev/null
+++ b/roles/common/files/dircolors
@@ -0,0 +1,213 @@ +# Configuration file for dircolors, a utility to help you set the +# LS_COLORS environment variable used by GNU ls with the --color option. +# Copyright (C) 1996, 1999-2010 Free Software Foundation, Inc. +# Copying and distribution of this file, with or without modification, +# are permitted provided the copyright notice and this notice are preserved. +# The keywords COLOR, OPTIONS, and EIGHTBIT (honored by the +# slackware version of dircolors) are recognized but ignored. +# Below, there should be one TERM entry for each termtype that is colorizable +TERM Eterm +TERM ansi +TERM color-xterm +TERM con132x25 +TERM con132x30 +TERM con132x43 +TERM con132x60 +TERM con80x25 +TERM con80x28 +TERM con80x30 +TERM con80x43 +TERM con80x50 +TERM con80x60 +TERM cons25 +TERM console +TERM cygwin +TERM dtterm +TERM eterm-color +TERM gnome +TERM gnome-256color +TERM jfbterm +TERM konsole +TERM kterm +TERM linux +TERM linux-c +TERM mach-color +TERM mlterm +TERM putty +TERM rxvt +TERM rxvt-256color +TERM rxvt-cygwin +TERM rxvt-cygwin-native +TERM rxvt-unicode +TERM rxvt-unicode256 +TERM screen +TERM screen-256color +TERM screen-256color-bce +TERM screen-bce +TERM screen-w +TERM screen.linux +TERM vt100 +TERM xterm +TERM xterm-16color +TERM xterm-256color +TERM xterm-88color +TERM xterm-color +TERM xterm-debian +TERM xterm-termite +# Below are the color init strings for the basic file types. A color init +# string consists of one or more of the following numeric codes: +# Attribute codes: +# 00=none 01=bold 04=underscore 05=blink 07=reverse 08=concealed +# Text color codes: +# 30=black 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 37=white +# Background color codes: +# 40=black 41=red 42=green 43=yellow 44=blue 45=magenta 46=cyan 47=white +#NORMAL 00 # no color code at all +#FILE 00 # regular file: use no color at all +RESET 0 # reset to "normal" color +DIR 01;34 # directory +LINK 01;36 # symbolic link. 
(If you set this to 'target' instead of a + # numerical value, the color is as for the file pointed to.) +MULTIHARDLINK 00 # regular file with more than one link +FIFO 40;33 # pipe +SOCK 01;35 # socket +DOOR 01;35 # door +BLK 40;33;01 # block device driver +CHR 40;33;01 # character device driver +ORPHAN 40;31;01 # symlink to nonexistent file, or non-stat'able file +SETUID 37;41 # file that is setuid (u+s) +SETGID 30;43 # file that is setgid (g+s) +CAPABILITY 30;41 # file with capability +STICKY_OTHER_WRITABLE 30;42 # dir that is sticky and other-writable (+t,o+w) +OTHER_WRITABLE 34;42 # dir that is other-writable (o+w) and not sticky +STICKY 37;44 # dir with the sticky bit set (+t) and not other-writable +# This is for files with execute permission: +EXEC 01;32 +# List any file extensions like '.gz' or '.tar' that you would like ls +# to colorize below. Put the extension, a space, and the color init string. +# (and any comments you want to add after a '#') +# If you use DOS-style suffixes, you may want to uncomment the following: +#.cmd 01;32 # executables (bright green) +#.exe 01;32 +#.com 01;32 +#.btm 01;32 +#.bat 01;32 +# Or if you want to colorize scripts even if they do not have the +# executable bit actually set. 
+#.sh 01;32 +#.csh 01;32 + # archives or compressed (bright red) +.tar 01;31 +.tgz 01;31 +.arj 01;31 +.taz 01;31 +.lzh 01;31 +.lzma 01;31 +.tlz 01;31 +.txz 01;31 +.zip 01;31 +.z 01;31 +.Z 01;31 +.dz 01;31 +.gz 01;31 +.lz 01;31 +.xz 01;31 +.bz2 01;31 +.bz 01;31 +.tbz 01;31 +.tbz2 01;31 +.tz 01;31 +.deb 01;31 +.rpm 01;31 +.jar 01;31 +.rar 01;31 +.ace 01;31 +.zoo 01;31 +.cpio 01;31 +.7z 01;31 +.rz 01;31 +# image formats +.jpg 01;35 +.jpeg 01;35 +.gif 01;35 +.bmp 01;35 +.pbm 01;35 +.pgm 01;35 +.ppm 01;35 +.tga 01;35 +.xbm 01;35 +.xpm 01;35 +.tif 01;35 +.tiff 01;35 +.png 01;35 +.svg 01;35 +.svgz 01;35 +.mng 01;35 +.pcx 01;35 +.mov 01;35 +.mpg 01;35 +.mpeg 01;35 +.m2v 01;35 +.mkv 01;35 +.ogm 01;35 +.mp4 01;35 +.m4v 01;35 +.mp4v 01;35 +.vob 01;35 +.qt 01;35 +.nuv 01;35 +.wmv 01;35 +.asf 01;35 +.rm 01;35 +.rmvb 01;35 +.flc 01;35 +.avi 01;35 +.fli 01;35 +.flv 01;35 +.gl 01;35 +.dl 01;35 +.xcf 01;35 +.xwd 01;35 +.yuv 01;35 +.cgm 01;35 +.emf 01;35 +# http://wiki.xiph.org/index.php/MIME_Types_and_File_Extensions +.axv 01;35 +.anx 01;35 +.ogv 01;35 +.ogx 01;35 +# audio formats +.aac 00;36 +.au 00;36 +.flac 00;36 +.mid 00;36 +.midi 00;36 +.mka 00;36 +.mp3 00;36 +.mpc 00;36 +.ogg 00;36 +.ra 00;36 +.wav 00;36 +# http://wiki.xiph.org/index.php/MIME_Types_and_File_Extensions +.axa 00;36 +.oga 00;36 +.spx 00;36 +.xspf 00;36 + +# programming +.o 00;35 +.c 01;33 +.cc 03;33 +.cpp 03;33 +.h 00;33 +.a 01;35 + +# documents +.pdf 01;33 +.doc 01;33 +.odt 01;33 +.ods 01;33 +.xls 01;33 +.pptx 01;33 +.ppt 01;33 +.odp 01;33 diff --git a/roles/common/files/zshrc b/roles/common/files/zshrc new file mode 100644 index 0000000..058a542 --- /dev/null +++ b/roles/common/files/zshrc 
@@ -0,0 +1,259 @@ +# Don't show input while loading +stty -echo + +# some better colors for ls +eval "`dircolors ~/.dircolors`" + +# Keybindings {{{ +bindkey -e +bindkey '\e[1~' beginning-of-line +bindkey '\e[4~' end-of-line +bindkey '\e[3~' delete-char +bindkey '\e[2~' overwrite-mode +bindkey "^[[7~" beginning-of-line # Pos1 +bindkey "^[[8~" end-of-line # End +bindkey "^[[A" history-beginning-search-backward +bindkey "^[[B" history-beginning-search-forward + +# add edit command line feature ("alt-e") +autoload edit-command-line +zle -N edit-command-line +bindkey '\ee' edit-command-line + +# }}} +# Variables {{{ +export EDITOR=vim +export VISUAL=$EDITOR +export PAGER=less + +export LESSCHARSET="UTF-8" +export LESSOPEN='|/usr/bin/lesspipe.sh %s 2>&-' +export LESS='-i -n -w -M -R -P%t?f%f \ +:stdin .?pb%pb\%:?lbLine %lb:?bbByte %bb:-...' + +# Less Colors for Man Pages +export LESS_TERMCAP_mb=$'\E[01;31m' # begin blinking +export LESS_TERMCAP_md=$'\E[01;38;5;74m' # begin bold +export LESS_TERMCAP_me=$'\E[0m' # end mode +export LESS_TERMCAP_se=$'\E[0m' # end standout-mode +export LESS_TERMCAP_so=$'\E[38;5;11m' # begin standout-mode - info box +export LESS_TERMCAP_ue=$'\E[0m' # end underline +export LESS_TERMCAP_us=$'\E[04;38;5;146m' # begin underline +# }}} +# Prompt {{{ +if [[ $UID != 0 ]]; then + local username_color="%F{blue}" +else + local username_color="%F{red}" +fi +local host_color="%F{green}" +local path_color="%F{blue}" +PROMPT="${username_color}$USERNAME%f@${host_color}%B%M%b%f ${path_color}%B%~%b%f > " +#} + +## Spelling prompt +SPROMPT='zsh: correct '%R' to '%r' ? ([Y]es/[N]o/[E]dit/[A]bort) ' + +# }}} +# History {{{ +HISTFILE=~/.zsh/histfile +HISTSIZE=1000 +SAVEHIST=50000 +# }}} +# Other ZSH options {{{ +autoload -U colors +colors + +autoload -U zmv + +# .. 
-> cd ../ +setopt autocd + +# cd /etc/**/foo/blub searches ;) +setopt extendedglob + +# push cds to directory stack +setopt auto_pushd + +# don't push something twice +setopt pushd_ignore_dups + +# don't kill jobs when exiting shell +setopt no_hup +# and don't warn +setopt no_check_jobs + +# show us when some command didn't exit with 0 +setopt print_exit_value + +# makepkg -g > PKGBUILD +# zsh: file exists: PKGBUILD +# +# work saved ;) +setopt no_clobber + +setopt inc_append_history +setopt no_bg_nice +setopt share_history +#setopt bang_hist +setopt extended_history +#setopt hist_reduce_blanks +setopt hist_ignore_space +setopt hist_find_no_dups +setopt hist_ignore_dups +setopt nohistverify +setopt prompt_subst +#setopt hist_fcntl_lock +setopt always_to_end + +unsetopt auto_remove_slash + +# show the output of time if commands takes longer than n secs (only user+system) +REPORTTIME=5 + +# allow comments in interactive shells +setopt interactivecomments + +# ignore lines starting with a space +setopt hist_ignore_space + +# disable XON/XOFF flow control (^s/^q) +stty -ixon + +# }}} +# Aliases {{{ +# better ask before we lose data +alias rm='rm -Iv' +alias cp='cp -iv' +alias mv='mv -iv' + +# I don't like bytes +alias dum='du -kh --max-depth=2' +alias dus='du -skh' +alias du='du -kh' +alias df="df -Th" + +# function to make ls look nice is below +alias ls='ls -rhbtF --color=auto' +alias ll='ls -rhbtF --color=auto -l' +alias la='ls -rhbtF --color=auto -a' +alias lla='ls -rhbtF --color=auto -la' +alias lld='ls -rhbtF --color=auto -ld' + +alias grep='grep --color' + +alias mkdir='nocorrect mkdir' +alias wget='nocorrect noglob wget' + +alias p='pacman' +alias sd='systemctl --no-pager' + +alias is="iostat -Nyxm 2" + +alias nocomment='egrep -v "^\s*(#|$)"' +alias wgetc="wget --content-disposition" +# }}} +# Completion stuff {{{ +autoload -Uz compinit +compinit + +unsetopt correct_all + +zstyle :compinstall filename '$HOME/.zshrc' + +# performance tweaks +zstyle 
':completion:*' use-cache on +zstyle ':completion:*' cache-path $HOME/.zsh/cache +zstyle ':completion:*' use-perl on + +# completion colours +zstyle ':completion:*' list-colors ${(s.:.)LS_COLORS} + +zstyle ':completion:*' completer _complete _match _approximate +zstyle ':completion:*:match:*' original only + +# ignore completion for commands we don't have +zstyle ':completion:*:functions' ignored-patterns '_*' + +# get rid of .class and .o files for vim +zstyle ':completion:*:vim:*' ignored-patterns '*.(class|o)' + +# show menu when tabbing +zstyle ':completion:*' menu yes select + +# better completion for kill +zstyle ':completion:*:*:kill:*' command 'ps --forest -u$USER -o pid,%cpu,tty,cputime,cmd' + +# Provide more processes in completion of programs like killall: +zstyle ':completion:*:processes-names' command 'ps c -u ${USER} -o command | uniq' +compdef pkill=killall + +# bugged with zsh 4.3.10 for whatever reason +zstyle ':completion:*' file-sort time +#zstyle ':completion:*' file-sort name + +# Ignore same file on rm +zstyle ':completion:*:(rm|kill|diff):*' ignore-line yes +zstyle ':completion:*:rm:*' file-patterns '*:all-files' + +# e.g. 
ls foo//bar -> ls foo/bar +zstyle ':completion:*' squeeze-slashes true + +# if in foo/bar don't show bar when cd ../ +zstyle ':completion:*:cd:*' ignore-parents parent pwd + +# Prevent lost+found directory from being completed +zstyle ':completion:*:cd:*' ignored-patterns '(*/)#lost+found' + +# ignore case when completing +zstyle ':completion:*' matcher-list 'm:{a-zA-Z}={A-Za-z}' 'r:|[._-]=* r:|=*' 'l:|=* r:|=*' + +# make some stuff look better +# from: http://ft.bewatermyfriend.org/comp/zsh/zshrc.d/compsys.html +zstyle ':completion:*:descriptions' format "- %{${fg[yellow]}%}%d%{${reset_color}%} -" +zstyle ':completion:*:messages' format "- %{${fg[cyan]}%}%d%{${reset_color}%} -" +zstyle ':completion:*:corrections' format "- %{${fg[yellow]}%}%d%{${reset_color}%} - (%{${fg[cyan]}%}errors %e%{${reset_color}%})" +zstyle ':completion:*:default' \ + select-prompt \ + "%{${fg[yellow]}%}Match %{${fg_bold[cyan]}%}%m%{${fg_no_bold[yellow]}%} Line %{${fg_bold[cyan]}%}%l%{${fg_no_bold[red]}%} %p%{${reset_color}%}" +zstyle ':completion:*:default' \ + list-prompt \ + "%{${fg[yellow]}%}Line %{${fg_bold[cyan]}%}%l%{${fg_no_bold[yellow]}%} Continue?%{${reset_color}%}" +zstyle ':completion:*:warnings' \ + format \ + "- %{${fg_no_bold[red]}%}no match%{${reset_color}%} - %{${fg_no_bold[yellow]}%}%d%{${reset_color}%}" +zstyle ':completion:*' group-name '' + +# manual pages are sorted into sections +# from: http://ft.bewatermyfriend.org/comp/zsh/zshrc.d/compsys.html +zstyle ':completion:*:manuals' separate-sections true +zstyle ':completion:*:manuals.(^1*)' insert-sections true + +### highlight the original input. 
+ zstyle ':completion:*:original' \ + list-colors "=*=$color[red];$color[bold]" + +### highlight words like 'esac' or 'end' + zstyle ':completion:*:reserved-words' \ + list-colors "=*=$color[red]" + +### colorize hostname completion + zstyle ':completion:*:*:*:*:hosts' \ + list-colors "=*=$color[cyan];$color[bg-black]" + +### colorize username completion + zstyle ':completion:*:*:*:*:users' \ + list-colors "=*=$color[red];$color[bg-black]" + +### colorize processlist for 'kill' + zstyle ':completion:*:*:kill:*:processes' \ + list-colors "=(#b) #([0-9]#) #([^ ]#)*=$color[none]=$color[yellow]=$color[green]" +# }}} + +umask 077 +stty -ctlecho + +# Show again +stty echo + +# vim: set ft=zsh: diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml new file mode 100644 index 0000000..b7dd785 --- /dev/null +++ b/roles/common/handlers/main.yml @@ -0,0 +1,7 @@ +--- + +- name: restarted journald + service: name=systemd-journald state=restarted + +- name: systemd daemon-reload + command: systemctl daemon-reload diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml new file mode 100644 index 0000000..7734809 --- /dev/null +++ b/roles/common/tasks/main.yml 
@@ -0,0 +1,98 @@
+---
+
+- name: configure pacman mirror
+ template: src=mirrorlist.j2 dest=/etc/pacman.d/mirrorlist owner=root group=root mode=0644
+
+- name: remove ntp
+ pacman: name=ntp state=absent
+
+- name: start and enable systemd-timesyncd
+ service: name=systemd-timesyncd enabled=yes state=started
+
+- name: install smart
+ pacman: name=smartmontools state=present
+
+- name: start and enable smart
+ service: name=smartd enabled=yes state=started
+
+- name: install mlocate
+ pacman: name=mlocate state=present
+
+- name: activate regular updatedb for mlocate
+ service: name=updatedb.timer enabled=yes state=started
+
+- name: generate locales
+ locale_gen: name={{ item }} state=present
+ with_items:
+ - en_US.UTF-8
+ - de_DE.UTF-8
+
+- name: configure locales
+ template: src=locale.conf.j2 dest=/etc/locale.conf owner=root group=root mode=0644
+
+- name: generate ssh key for root
+ command: ssh-keygen -b 4096 -N "" -f /root/.ssh/id_rsa creates="/root/.ssh/id_rsa"
+
+- name: configure default qdisc
+ sysctl:
+ name: net.core.default_qdisc
+ value: "{{default_qdisc}}"
+ sysctl_file: /etc/sysctl.d/net.conf
+ when: default_qdisc is defined
+
+- name: apply default qdisc to interfaces
+ command: tc qdisc replace dev {{item}} root {{default_qdisc}}
+ with_items: "{{ansible_interfaces | difference('lo')}}"
+ when: default_qdisc is defined
+
+- name: configure tcp congestion control algorithm
+ sysctl:
+ name: net.ipv4.tcp_congestion_control
+ value: "{{tcp_congestion_control}}"
+ sysctl_set: yes
+ sysctl_file: /etc/sysctl.d/net.conf
+ when: tcp_congestion_control is defined
+
+- name: configure tcp receive window limits
+ sysctl:
+ name: net.ipv4.tcp_rmem
+ value: "{{tcp_rmem}}"
+ sysctl_set: yes
+ sysctl_file: /etc/sysctl.d/net.conf
+ when: tcp_rmem is defined
+
+- name: configure tcp send window limits
+ sysctl:
+ name: net.ipv4.tcp_wmem
+ value: "{{tcp_wmem}}"
+ sysctl_set: yes
+ sysctl_file: /etc/sysctl.d/net.conf
+ when: tcp_wmem is defined
+
+- name: configure journald
+ template: src={{item}}.j2 dest=/etc/systemd/{{item}} owner=root group=root mode=644
+ with_items:
+ - journald.conf
+ notify:
+ - restarted journald
+
+- name: install system.conf
+ template: src=system.conf.j2 dest=/etc/systemd/system.conf owner=root group=root mode=0644
+ notify:
+ - systemd daemon-reload
+
+- name: create zsh directory
+ file: path=/root/.zsh state=directory owner=root group=root mode=0700
+
+- name: install root shell config
+ copy: src={{item}} dest=/root/.{{item}} owner=root group=root mode=0644
+ with_items:
+ - zshrc
+ - dircolors
+
+#- name: add kernel packages to IgnorePkg
+# lineinfile:
+# dest: /etc/pacman.conf
+# insertafter: '^#IgnorePkg'
+# regexp: '^IgnorePkg'
+# line: 'IgnorePkg = linux linux-headers linux-hardened linux-hardened-headers linux-lts linux-lts-headers'
diff --git a/roles/common/templates/journald.conf.j2 b/roles/common/templates/journald.conf.j2
new file mode 100644
index 0000000..7204769
--- /dev/null
+++ b/roles/common/templates/journald.conf.j2
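Review bot: `mode=644` in the "configure journald" task omits the leading zero that every other task in this file uses (`mode=0644`); Ansible documents that an unquoted mode without the leading zero can be read as decimal 644, i.e. octal 1204, so the resulting permissions depend on how the value is parsed. `mode=0644` removes the ambiguity and matches the rest of the file. The "configure default qdisc" task is also the only sysctl task without `sysctl_set: yes`; if that is deliberate because the following `tc qdisc replace` applies the value, a comment saying so would spare the next reader the question.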
@@ -0,0 +1,42 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. +# +# Entries in this file show the compile time defaults. +# You can change settings by editing this file. +# Defaults can be restored by simply deleting this file. +# +# See journald.conf(5) for details. + +[Journal] +#Storage=auto +#Compress=yes +#Seal=yes +#SplitMode=uid +#SyncIntervalSec=5m +#RateLimitIntervalSec=30s +RateLimitBurst=100000 +#SystemMaxUse= +#SystemKeepFree= +#SystemMaxFileSize= +SystemMaxFiles=10000 +#RuntimeMaxUse= +#RuntimeKeepFree= +#RuntimeMaxFileSize= +#RuntimeMaxFiles=100 +#MaxRetentionSec= +#MaxFileSec=1month +#ForwardToSyslog=no +#ForwardToKMsg=no +#ForwardToConsole=no +ForwardToWall=no +#TTYPath=/dev/console +#MaxLevelStore=debug +#MaxLevelSyslog=debug +#MaxLevelKMsg=notice +#MaxLevelConsole=info +#MaxLevelWall=emerg +#LineMax=48K diff --git a/roles/common/templates/locale.conf.j2 b/roles/common/templates/locale.conf.j2 new file mode 100644 index 0000000..82044dc --- /dev/null +++ b/roles/common/templates/locale.conf.j2 @@ -0,0 +1,3 @@ +LANG=de_DE.UTF-8 +LC_COLLATE=C +LANGUAGE=de_DE diff --git a/roles/common/templates/mirrorlist.j2 b/roles/common/templates/mirrorlist.j2 new file mode 100644 index 0000000..9916206 --- /dev/null +++ b/roles/common/templates/mirrorlist.j2 
@@ -0,0 +1,25 @@ +## Generated on 2016-07-03 +## +## Germany +Server = http://mirror.hetzner.de/archlinux/$repo/os/$arch +Server = http://mirror.f4st.host/archlinux/$repo/os/$arch +Server = https://mirror.f4st.host/archlinux/$repo/os/$arch +Server = http://mirror.de.leaseweb.net/archlinux/$repo/os/$arch +Server = http://ftp.hosteurope.de/mirror/ftp.archlinux.org/$repo/os/$arch +Server = http://ftp.fau.de/archlinux/$repo/os/$arch +Server = http://mirror.selfnet.de/archlinux/$repo/os/$arch +Server = http://mirror.netcologne.de/archlinux/$repo/os/$arch +Server = http://ftp.halifax.rwth-aachen.de/archlinux/$repo/os/$arch +Server = http://mirrors.n-ix.net/archlinux/$repo/os/$arch +Server = http://ftp.uni-kl.de/pub/linux/archlinux/$repo/os/$arch +Server = http://mirror.23media.de/archlinux/$repo/os/$arch +Server = https://ftp.fau.de/archlinux/$repo/os/$arch +Server = http://ftp-stud.hs-esslingen.de/pub/Mirrors/archlinux/$repo/os/$arch +Server = http://ftp.spline.inf.fu-berlin.de/mirrors/archlinux/$repo/os/$arch +Server = http://ftp.uni-hannover.de/archlinux/$repo/os/$arch +Server = http://linux.rz.rub.de/archlinux/$repo/os/$arch +Server = http://ftp5.gwdg.de/pub/linux/archlinux/$repo/os/$arch +Server = https://mirror.netcologne.de/archlinux/$repo/os/$arch +Server = http://ftp.uni-bayreuth.de/linux/archlinux/$repo/os/$arch +Server = http://mirror.euserv.net/linux/archlinux/$repo/os/$arch +Server = http://ftp.tu-chemnitz.de/pub/linux/archlinux/$repo/os/$arch diff --git a/roles/common/templates/system.conf.j2 b/roles/common/templates/system.conf.j2 new file mode 100644 index 0000000..0e40646 --- /dev/null +++ b/roles/common/templates/system.conf.j2 
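Review bot: Most entries in mirrorlist.j2 are plain `http://`, while three of the same hosts (mirror.f4st.host, ftp.fau.de, mirror.netcologne.de) are also listed as `https://` further down; pacman verifies package signatures, but the sync databases themselves can be served stale or replayed by an on-path party when fetched over http, so listing the https entries first (or only those) costs nothing here. The `## Generated on 2016-07-03` header is also two years older than this commit and worth refreshing when the list is next reviewed.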
@@ -0,0 +1,65 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. +# +# Entries in this file show the compile time defaults. +# You can change settings by editing this file. +# Defaults can be restored by simply deleting this file. +# +# See systemd-system.conf(5) for details. + +[Manager] +#LogLevel=info +#LogTarget=journal-or-kmsg +#LogColor=yes +#LogLocation=no +#DumpCore=yes +#ShowStatus=yes +#CrashChangeVT=no +#CrashShell=no +#CrashReboot=no +#CtrlAltDelBurstAction=reboot-force +#CPUAffinity=1 2 +#JoinControllers=cpu,cpuacct net_cls,net_prio +#RuntimeWatchdogSec=0 +#ShutdownWatchdogSec=10min +#CapabilityBoundingSet= +#SystemCallArchitectures= +#TimerSlackNSec= +#DefaultTimerAccuracySec=1min +#DefaultStandardOutput=journal +#DefaultStandardError=inherit +#DefaultTimeoutStartSec=90s +#DefaultTimeoutStopSec=90s +#DefaultRestartSec=100ms +#DefaultStartLimitIntervalSec=10s +#DefaultStartLimitBurst=5 +#DefaultEnvironment= +DefaultCPUAccounting=no +DefaultIOAccounting=no +DefaultIPAccounting=no +DefaultBlockIOAccounting=no +DefaultMemoryAccounting=no +DefaultTasksAccounting=yes +#DefaultTasksMax=15% +#DefaultLimitCPU= +#DefaultLimitFSIZE= +#DefaultLimitDATA= +#DefaultLimitSTACK= +#DefaultLimitCORE= +#DefaultLimitRSS= +#DefaultLimitNOFILE= +#DefaultLimitAS= +#DefaultLimitNPROC= +#DefaultLimitMEMLOCK= +#DefaultLimitLOCKS= +#DefaultLimitSIGPENDING= +#DefaultLimitMSGQUEUE= +#DefaultLimitNICE= +#DefaultLimitRTPRIO= +#DefaultLimitRTTIME= +#IPAddressAllow= +#IPAddressDeny= diff --git a/roles/crond/tasks/main.yml b/roles/crond/tasks/main.yml new file mode 100644 index 0000000..aca9870 --- /dev/null +++ b/roles/crond/tasks/main.yml 
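Review bot: `DefaultCPUAccounting=no` through `DefaultMemoryAccounting=no` pin the manager-wide accounting defaults off, while the crond and sshd roles in this same commit turn CPU and memory accounting back on per unit with `systemctl set-property`. Setting `DefaultCPUAccounting=yes` and `DefaultMemoryAccounting=yes` here and dropping the per-unit commands would be simpler to audit; if the global defaults are meant to stay off, add a comment above these lines saying why, since the hunk does not show which of them differ from the compiled defaults.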
@@ -0,0 +1,11 @@
+---
+
+- name: install cronie
+ pacman: name=cronie state=present
+
+- name: activate cronie.service
+ service: name=cronie enabled=yes state=started
+
+- name: enable systemd ressource accounting
+ command: systemctl set-property cronie CPUAccounting=yes MemoryAccounting=yes
+
diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml
new file mode 100644
index 0000000..37b3a87
--- /dev/null
+++ b/roles/dnsmasq/tasks/main.yml
@@ -0,0 +1,4 @@
+- name: Install dnsmasq
+ pacman: name=dnsmasq status=present
+
+- name:
diff --git a/roles/etckeeper/tasks/main.yaml b/roles/etckeeper/tasks/main.yaml
new file mode 100644
index 0000000..b1959a6
--- /dev/null
+++ b/roles/etckeeper/tasks/main.yaml
@@ -0,0 +1,7 @@
+- name: "Install etckeeper and dependencies"
+ packman: "name={{ item }} state=present"
+ with_items:
+ - git
+ - etckeeper
+
+- name: "Setup etckeeper"
diff --git a/roles/firewalld/tasks/main.yml b/roles/firewalld/tasks/main.yml
new file mode 100644
index 0000000..8dcfea8
--- /dev/null
+++ b/roles/firewalld/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: install firewalld
+ pacman: name=firewalld state=present
+
+- name: start and enable firewalld
+ service: name=firewalld enabled={{configure_firewall}} state={{configure_firewall | ternary("started", "stopped") }}
diff --git a/roles/install_arch/files/resolv.conf b/roles/install_arch/files/resolv.conf
new file mode 100644
index 0000000..aebd887
--- /dev/null
+++ b/roles/install_arch/files/resolv.conf
@@ -0,0 +1,6 @@
+nameserver 213.133.98.98
+nameserver 213.133.100.100
+nameserver 213.133.99.99
+nameserver 2a01:4f8:0:a0a1::add:1010
+nameserver 2a01:4f8:0:a102::add:9999
+nameserver 2a01:4f8:0:a111::add:9898
diff --git a/roles/install_arch/files/sshd_config b/roles/install_arch/files/sshd_config
new file mode 100644
index 0000000..b007873
--- /dev/null
+++ b/roles/install_arch/files/sshd_config
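Review bot: `command: systemctl set-property cronie CPUAccounting=yes MemoryAccounting=yes` reports changed on every run, because `command` gives Ansible no idempotence signal; add `changed_when: false`, or express the same setting as a drop-in written with `copy` or `template` so the play can tell whether anything changed. The same pattern appears in roles/sshd/tasks/main.yml further down (`systemctl set-property sshd ...`).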
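Review bot: `pacman: name=dnsmasq status=present` passes `status=`, which is not a parameter of the pacman module (`state=` is), and the hunk ends with a bare `- name:` item that has no module, so the role aborts before installing anything. roles/etckeeper/tasks/main.yaml in the next hunk has the same dangling `- name: "Setup etckeeper"` stub and additionally spells the module `packman:`. Either finish these tasks or remove the stubs, since a task without a module fails every play that includes the role.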
@@ -0,0 +1,11 @@
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+AuthorizedKeysFile .ssh/authorized_keys
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+UsePAM no
+PrintMotd no
+Subsystem sftp /usr/lib/ssh/sftp-server
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
diff --git a/roles/install_arch/files/vconsole.conf b/roles/install_arch/files/vconsole.conf
new file mode 100644
index 0000000..c1e444e
--- /dev/null
+++ b/roles/install_arch/files/vconsole.conf
@@ -0,0 +1 @@
+KEYMAP=de-latin1
diff --git a/roles/install_arch/tasks/main.yml b/roles/install_arch/tasks/main.yml
new file mode 100644
index 0000000..6f9b696
--- /dev/null
+++ b/roles/install_arch/tasks/main.yml
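Review bot: The `MACs` line still lists `hmac-ripemd160-etm@openssh.com` and `hmac-ripemd160`; OpenSSH 7.6 removed the ripemd160 MACs, and sshd refuses to start when a configured MAC name is unknown, which on a freshly installed host means no remote access at all. Drop the two ripemd160 entries; the sha2 and umac entries remain. As far as the tasks in this commit show, install_arch renders `sshd_config.j2` into /mnt/etc/ssh rather than copying this file, so this copy may be dead; if it is kept, add a header comment naming the role that consumes it, and note that it diverges from roles/sshd/templates/sshd_config.j2 (`UsePAM no` here versus `UsePAM yes` there).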
@@ -0,0 +1,206 @@ +--- + +- name: read /etc/motd + command: cat /etc/motd + register: motd_contents + +- name: check whether we're running in the Hetzner rescue system + fail: msg="Not running in Hetzner rescue system!" + when: "'Hetzner Rescue' not in motd_contents.stdout" + +- name: partition and format the disks + command: mkfs.btrfs -f -L rootfs -d raid1 /dev/sda /dev/sdb + when: filesystem == "btrfs" + +- name: create BIOS boot partitions + command: sgdisk -n 1:0:10M /dev/{{ item }} + when: filesystem == "ext4" + with_items: + - sda + - sdb + +- name: create RAID partitions + command: sgdisk -n 2:0:0 /dev/{{ item }} + when: filesystem == "ext4" + with_items: + - sda + - sdb + +- name: set BIOS boot partition types + command: sgdisk -t 1:ef02 /dev/{{ item }} + when: filesystem == "ext4" + with_items: + - sda + - sdb + +- name: set RAID partition types + command: sgdisk -t 2:fd00 + when: filesystem == "ext4" + with_items: + - sda + - sdb + +- name: create MDADM array + command: mdadm --create --level=1 --raid-devices=2 --run /dev/md0 /dev/sda2 /dev/sdb2 + when: filesystem == "ext4" + +- name: format the MDADM array + filesystem: dev=/dev/md0 fstype=ext4 + when: filesystem == "ext4" + +- name: mount the filesystem (btrfs) + mount: name=/mnt src='LABEL=rootfs' fstype=btrfs state=mounted + when: filesystem == "btrfs" + +- name: mount the filesystem (ext4) + mount: name=/mnt src=/dev/md0 fstype=ext4 state=mounted + when: filesystem == "ext4" + +- name: touch LOCK file on mountpoint + file: path=/mnt/LOCK state=touch + +- name: download bootstrap image + unarchive: + src: https://mirrors.kernel.org/archlinux/iso/latest/archlinux-bootstrap-2018.05.01-x86_64.tar.gz + dest: /tmp/ + copy: no + creates: /tmp/root.x86_64 + +- name: copy resolv.conf to bootstrap chroot + copy: remote_src=True src=/etc/resolv.conf dest=/tmp/root.x86_64/etc/resolv.conf + +- name: mount /proc to bootstrap chroot + command: mount --rbind /proc /tmp/root.x86_64/proc 
creates=/tmp/root.x86_64/proc/uptime + +- name: mount /sys to bootstrap chroot + command: mount --rbind /sys /tmp/root.x86_64/sys creates=/tmp/root.x86_64/sys/dev + +- name: mount /dev to bootstrap chroot + command: mount --rbind /dev /tmp/root.x86_64/dev creates=/tmp/root.x86_64/dev/zero + +- name: mount /mnt to bootstrap chroot + command: mount --rbind /mnt /tmp/root.x86_64/mnt creates=/tmp/root.x86_64/mnt/LOCK + +- name: configure pacman mirror + template: src=mirrorlist.j2 dest=/tmp/root.x86_64/etc/pacman.d/mirrorlist owner=root group=root mode=0644 + +- name: initialize pacman keyring inside bootstrap chroot + command: chroot /tmp/root.x86_64 pacman-key --init + +- name: populate pacman keyring inside bootstrap chroot + command: chroot /tmp/root.x86_64 pacman-key --populate archlinux + +- name: install arch base from bootstrap chroot + command: chroot /tmp/root.x86_64 pacstrap /mnt base base-devel btrfs-progs grub openssh python2 creates=/tmp/root.x86_64/mnt/bin + +- name: mount /proc to new chroot + command: mount --rbind /proc /mnt/proc creates=/mnt/proc/uptime + +- name: mount /sys to new chroot + command: mount --rbind /sys /mnt/sys creates=/mnt/sys/dev + +- name: mount /dev to new chroot + command: mount --rbind /dev /mnt/dev creates=/mnt/dev/zero + +- name: generate mdadm.conf + shell: mdadm --detail --scan >> /mnt/etc/mdadm.conf + when: filesystem == "ext4" + +- name: setup locale.gen + lineinfile: + path: /mnt/etc/locale.gen + line: "de_DE.UTF-8 UTF-8 \nen_US.UTF-8 UTF-8" + +- name: run locale-gen inside chroot + command: chroot /mnt locale-gen + +- name: run systemd-firstboot + command: chroot /mnt systemd-firstboot --locale=de_DE.UTF-8 --timezone=UTC --hostname={{ hostname }} + +- name: add mdadm_udev to mkinitcpio.conf + lineinfile: + dest: /mnt/etc/mkinitcpio.conf + backrefs: yes + regexp: '^(.*)block filesystems(.*)$' + line: '\1block mdadm_udev filesystems\2' + when: filesystem == "ext4" + +- name: run mkinitcpio + command: chroot /mnt mkinitcpio 
-p linux + +- name: configure network + template: src={{ item.src }} dest={{ item.dest }} owner=root group=root mode=0644 + with_items: + - { src: 'eth0.j2' , dest: '/mnt/etc/netctl/eth0' } + - { src: '99-hetzner.conf.j2' , dest: '/mnt/etc/sysctl.d/99-hetzner.conf' } + - { src: '80-net-setup-link.rules.j2', dest: '/mnt/etc/udev/rules.d/80-net-setup-link.rules' } + +- name: disable systemd-networkd + command: chroot /mnt systemctl disable systemd-networkd.service + +- name: enable netctl + command: chroot /mnt netctl enable eth0 + +- name: install grub + command: chroot /mnt grub-install --recheck {{ item }} + with_items: + - /dev/sda + - /dev/sdb + +- name: configure grub + command: chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg + +- name: configure nss + lineinfile: + dest: /mnt/etc/nsswitch.conf + regexp: '^hosts:' + line: 'hosts: files mymachines resolve myhostname' + +- name: enable services inside chroot + command: chroot /mnt systemctl enable sshd systemd-networkd systemd-resolved + +- set_fact: pubkey_list="{{ lookup('file', '../pubkeys/' + item) }}" + register: pubkeys + with_items: "{{ root_ssh_keys }}" + +- set_fact: pubkey_string={{ pubkeys.results | map(attribute='ansible_facts.pubkey_list') | join('\n') }} + +- name: add authorized key for root + authorized_key: user=root key="{{ pubkey_string }}" path=/tmp/root.x86_64/mnt/root/.ssh/authorized_keys exclusive=yes + +- name: configure sshd + template: src=sshd_config.j2 dest=/mnt/etc/ssh/sshd_config owner=root group=root mode=0644 + +- name: create symlink to resolv.conf + file: src=/run/systemd/resolve/resolv.conf dest=/mnt/etc/resolv.conf state=link force=yes + +- name: remove LOCK file on mountpoint + file: path=/mnt/LOCK state=absent + +- name: reboot into new system + shell: sleep 5 && reboot & + args: + executable: /bin/bash + async: 10 + poll: 0 + +- name: waiting for server to go down + local_action: + module: wait_for + host: "{{ inventory_hostname }}" + port: 22 + delay: 1 + timeout: 60 + 
state: stopped + +- name: remove server from local known_hosts file + local_action: shell ssh-keygen -R {{ inventory_hostname }} + ignore_errors: true + +- name: waiting for server to come back + local_action: + module: wait_for + host: "{{ inventory_hostname }}" + port: 22 + delay: 1 + timeout: 60 diff --git a/roles/install_arch/templates/10-static-ethernet.network.j2 b/roles/install_arch/templates/10-static-ethernet.network.j2 new file mode 100644 index 0000000..c61415f --- /dev/null +++ b/roles/install_arch/templates/10-static-ethernet.network.j2 @@ -0,0 +1,13 @@ +[Match] +Name=e* + +[Network] +Gateway={{ ipv4_gateway }} +Gateway={{ ipv6_gateway }} + +[Address] +Address={{ ipv4_address }}{{ ipv4_netmask }} +Peer={{ ipv4_gateway }}{{ ipv4_netmask }} + +[Address] +Address={{ ipv6_address }}{{ ipv6_netmask }} diff --git a/roles/install_arch/templates/80-net-setup-link.rules.j2 b/roles/install_arch/templates/80-net-setup-link.rules.j2 new file mode 120000 index 0000000..8b4e50c --- /dev/null +++ b/roles/install_arch/templates/80-net-setup-link.rules.j2 @@ -0,0 +1 @@ +../../netctl/templates/80-net-setup-link.rules.j2 \ No newline at end of file diff --git a/roles/install_arch/templates/99-hetzner.conf.j2 b/roles/install_arch/templates/99-hetzner.conf.j2 new file mode 120000 index 0000000..2007e35 --- /dev/null +++ b/roles/install_arch/templates/99-hetzner.conf.j2 @@ -0,0 +1 @@ +../../netctl/templates/99-hetzner.conf.j2 \ No newline at end of file diff --git a/roles/install_arch/templates/eth0.j2 b/roles/install_arch/templates/eth0.j2 new file mode 120000 index 0000000..b717879 --- /dev/null +++ b/roles/install_arch/templates/eth0.j2 @@ -0,0 +1 @@ +../../netctl/templates/eth0.j2 \ No newline at end of file diff --git a/roles/install_arch/templates/mirrorlist.j2 b/roles/install_arch/templates/mirrorlist.j2 new file mode 120000 index 0000000..5a4b74d --- /dev/null +++ b/roles/install_arch/templates/mirrorlist.j2 
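Review bot: The bootstrap tarball is fetched by `unarchive` from `https://mirrors.kernel.org/archlinux/iso/latest/archlinux-bootstrap-2018.05.01-x86_64.tar.gz` and unpacked into /tmp with no checksum or signature check, although Arch publishes a detached `.sig` and hashes for each release, and everything that follows (`pacman-key --populate`, `pacstrap`) runs inside that image, so it is the root of trust for the installed system; download it with `get_url` and its `checksum:` option, or verify the `.sig` with gpg before the `unarchive` step. Separately, `command: sgdisk -t 2:fd00` in the "set RAID partition types" task is missing the `/dev/{{ item }}` argument that the sibling sgdisk tasks pass, so the partition type is never set. The "enable services inside chroot" task enables `systemd-networkd` a few tasks after "disable systemd-networkd" disabled it, and the netctl role in this commit disables it again. The `authorized_key` task writes to `/tmp/root.x86_64/mnt/root/.ssh/authorized_keys`, which only works because /mnt is rbind-mounted into the bootstrap chroot; `/mnt/root/.ssh/authorized_keys` would match the surrounding tasks.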
@@ -0,0 +1 @@ +../../common/templates/mirrorlist.j2 \ No newline at end of file diff --git a/roles/install_arch/templates/sshd_config.j2 b/roles/install_arch/templates/sshd_config.j2 new file mode 120000 index 0000000..97f19c6 --- /dev/null +++ b/roles/install_arch/templates/sshd_config.j2 @@ -0,0 +1 @@ +../../sshd/templates/sshd_config.j2 \ No newline at end of file diff --git a/roles/lxc/files/50-lxc.conf b/roles/lxc/files/50-lxc.conf new file mode 100644 index 0000000..510a5e4 --- /dev/null +++ b/roles/lxc/files/50-lxc.conf @@ -0,0 +1 @@ +fs.inotify.max_user_instances=1024 \ No newline at end of file diff --git a/roles/lxc/files/lxc-auto-delayed.service b/roles/lxc/files/lxc-auto-delayed.service new file mode 100644 index 0000000..71fb68d --- /dev/null +++ b/roles/lxc/files/lxc-auto-delayed.service @@ -0,0 +1,15 @@ +[Unit] +Description=Autostart LXC Container +After=network.target +After=lxc-auto.service + +[Service] +Type=forking +ExecStart=/usr/bin/lxc-autostart -g delayedstart +ExecStop=/usr/bin/lxc-autostart -s -g delayedstart +Delegate=true +TimeoutStartSec=0 +TimeoutStopSec=5m + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/roles/lxc/files/lxc-create-alpine.sh b/roles/lxc/files/lxc-create-alpine.sh new file mode 100755 index 0000000..790ab1a --- /dev/null +++ b/roles/lxc/files/lxc-create-alpine.sh 
@@ -0,0 +1,102 @@
+#!/bin/bash
+#Inputs
+name=${1}
+number=${2}
+distro="alpine"
+#if [ ${#} < 3 ]; then
+# cat << EOF
+#
+#Usage: lxc-create-avc []
+#
+#EOF
+#fi
+
+packages="htop,ssmtp,vim"
+if [ ${4} ]; then
+ packages="${packages},${3}"
+fi
+enable=""
+if [ ${4} ]; then
+ nable="-e ${4}"
+fi
+
+#Variables
+hwaddr="52:54:00:00:${number}:01"
+ipv6="2a01:4f8:151:13cd::${number}/64"
+
+# Create lxc Container
+#lxc-create -B btrfs -t ${distro} -n ${name} -- --release latest-stable # -P ${packages} ${enable}
+lxc-create -t download -n ${name}
+cat > /var/lib/lxc/${name}/config << EOF
+
+# Template used to create this container: /usr/share/lxc/templates/lxc-archlinux
+# Parameters passed to the template:
+# For additional config options, please look at lxc.container.conf(5)
+lxc.rootfs = /var/lib/lxc/${name}/rootfs
+lxc.utsname = ${name}
+lxc.arch = x86_64
+lxc.include = /usr/share/lxc/config/${distro}.common.conf
+
+# Network configuration
+lxc.network.type = veth
+lxc.network.link = br0
+lxc.network.flags = up
+lxc.network.hwaddr = ${hwaddr}
+lxc.network.name = eth0
+lxc.network.veth.pair = veth.${number}.0
+lxc.network.ipv6 = ${ipv6}
+lxc.network.ipv6.gateway = fe80::1
+
+lxc.network.type = veth
+lxc.network.link = br1
+lxc.network.flags = up
+lxc.network.hwaddr = 52:54:00:00:${number}:02
+lxc.network.name = eth1
+lxc.network.veth.pair = veth.${number}.1
+lxc.network.ipv4 = 10.0.1.${number}/24
+lxc.network.ipv4.gateway = 10.0.1.1
+
+lxc.start.auto=1
+
+lxc.cgroup.memory.limit_in_bytes = 1536M
+lxc.cgroup.memory.memsw.limit_in_bytes = 2G
+
+#lxc.mount.entry=/pathk path/in/container none bind,ro 0 0
+
+EOF
+
+# Inner etwork settings
+cat > /var/lib/lxc/${name}/rootfs/etc/network/interfaces << EOF
+
+auto eth0
+iface eth0 inet6 manual
+
+auto eth1
+iface eth1 inet manual
+
+EOF
+
+cat > /var/lib/lxc/${name}/rootfs/etc/resolv.conf << EOF
+nameserver 2a01:4f8:0:a0a1::add:1010
+nameserver 2a01:4f8:0:a102::add:9999
+nameserver 2001:470:20::2
+nameserver 213.73.91.35
+nameserver 213.133.98.98
+nameserver 5.9.49.12
+
+EOF
+
+# SSMPT Settings
+#cat > /var/lib/lxc/${name}/rootfs/etc/ssmtp/ssmtp.conf << EOF
+#root=test@mein.com
+#mailhub=smtp.mein.com:587
+#rewriteDomain=mein.com
+#hostname=${name}
+#FromLineOverride=YES
+#UseTLS=YES
+#UseSTARTTLS=Yes
+#AuthUser=test@mein.com
+#AutPass=
+#FromLineOverride=yes
+#
+#EOF
diff --git a/roles/lxc/files/lxc-create.sh b/roles/lxc/files/lxc-create.sh
new file mode 100755
index 0000000..a3f2fbb
--- /dev/null
+++ b/roles/lxc/files/lxc-create.sh
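Review bot: `name=${1}` and `number=${2}` are used unquoted and unvalidated in `lxc-create -n ${name}`, in `cat > /var/lib/lxc/${name}/config` and in the two heredocs under `/var/lib/lxc/${name}/rootfs/`, so a name containing `/` or `..` redirects those writes outside /var/lib/lxc and a missing argument becomes `/var/lib/lxc//config`. `number` is spliced into a MAC octet, an IPv6 group and the last IPv4 octet, so only a two-digit value satisfies all three; check it once at the top with `[[ ${number} =~ ^[0-9]{2}$ ]] || { echo "number must be two digits" >&2; exit 1; }` and reject bad names with `case "${name}" in ''|*/*|*..*) echo "invalid name" >&2; exit 1;; esac`. The packages branch tests `${4}` where `${3}` is meant, and the line below it assigns `nable=` instead of `enable=`, so neither optional argument has any effect; roles/lxc/files/lxc-create.sh in the next hunk shares the unquoted-argument problem.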
@@ -0,0 +1,68 @@
+#!/bin/bash
+#Inputs
+name=${1}
+number=${2}
+packages="bash-completion,htop,net-tools,ssmtp"
+if [ ${3} ]; then
+ packages="${packages},${3}"
+fi
+enable=""
+if [ ${4} ]; then
+ enable="-e ${4}"
+fi
+#Variables
+hwaddr = "52:54:00:00:${number}:01"
+ipv6 = "2a01:4f8:151:13cd::${number}/64"
+
+# Create lxc Container
+lxc-create -t archlinux -n ${name} -B overlayfs -- -P ${packages} ${enable}
+cat > /var/lib/lxc/${name}/config << EOF
+
+# Template used to create this container: /usr/share/lxc/templates/lxc-archlinux
+# Parameters passed to the template:
+# For additional config options, please look at lxc.container.conf(5)
+lxc.rootfs = /var/lib/lxc/${name}/rootfs
+lxc.utsname = ${name}
+lxc.arch = x86_64
+lxc.include = /usr/share/lxc/config/archlinux.common.conf
+
+# Network configuration
+lxc.network.type = veth
+lxc.network.link = br0
+lxc.network.flags = up
+lxc.network.hwaddr = ${hwaddr}
+lxc.network.name = eth0
+lxc.network.veth.pair = veth.${number}.0
+lxc.network.ipv6= ${ipv6}
+lxc.network.ipv6.gateway=fe80::1
+
+lxc.network.type = veth
+lxc.network.link = br1
+lxc.network.flags = up
+lxc.network.hwaddr = 52:54:00:00:${number}:02
+lxc.network.name = eth1
+lxc.network.veth.pair = veth.${number}.1
+lxc.network.ipv4=10.0.1.${number}/24
+lxc.network.ipv4.gateway=10.0.1.1
+
+lxc.start.auto=1
+
+lxc.cgroup.memory.limit_in_bytes = 2G
+lxc.cgroup.memory.memsw.limit_in_bytes = 4G
+
+#lxc.mount.entry=/pathk path/in/container none bind,ro 0 0
+EOF
+
+# SSMPT Settings
+cat > /var/lib/lxc/${name}/rootfs/etc/ssmtp/ssmtp.conf << EOF
+root=test@mein.com
+mailhub=smtp.mein.com:587
+rewriteDomain=mein.com
+hostname=${name}
+FromLineOverride=YES
+UseTLS=YES
+UseSTARTTLS=Yes
+AuthUser=test@mein.com
+AutPass=
+FromLineOverride=yes
+EOF
diff --git a/roles/lxc/files/lxcbtrfsconverter.sh b/roles/lxc/files/lxcbtrfsconverter.sh
new file mode 100755
index 0000000..7b6cd44
--- /dev/null
+++ b/roles/lxc/files/lxcbtrfsconverter.sh
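Review bot: `hwaddr = "52:54:00:00:${number}:01"` and `ipv6 = "2a01:4f8:151:13cd::${number}/64"` have spaces around `=`, so bash runs commands named `hwaddr` and `ipv6` (command not found) and both variables stay empty, leaving `lxc.network.hwaddr =` and `lxc.network.ipv6=` blank in the generated config; write `hwaddr="52:54:00:00:${number}:01"` and `ipv6="2a01:4f8:151:13cd::${number}/64"`. The ssmtp heredoc bakes mail relay credentials (`AuthUser=test@mein.com`, `AutPass=`) into every container from a script this commit also copies to /root with mode 0644; `AutPass` is not an ssmtp keyword (`AuthPass` is), and the relay account belongs in a variable or vault rather than in the script. The alpine variant keeps this block commented out, so the two scripts also disagree on whether it is wanted.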
@@ -0,0 +1,19 @@
+#!/bin/sh
+#
+# LXC to btrfs subvolume converter
+# Convert the LXC rootfs into a btrfs subvolume to
+# backup with btrfs snapshots.
+#
+for rootfs in /var/lib/lxc/*/rootfs; do
+ {
+ mv "${rootfs}" "${rootfs}.saved"
+ btrfs subvolume create "${rootfs}"
+ mv "${rootfs}.saved"/* "${rootfs}"
+ rmdir "${rootfs}.saved"
+ echo "${rootfs} to subvolume\n"
+ }
+done
+#for rootfs in /var/lib/lxc/*/rootfs;
+#do
+# echo "${rootfs}"
+#done
diff --git a/roles/lxc/tasks/mail.yaml b/roles/lxc/tasks/mail.yaml
new file mode 100644
index 0000000..c88d680
--- /dev/null
+++ b/roles/lxc/tasks/mail.yaml
@@ -0,0 +1,43 @@
+- name: Installing LXC and dependensies
+ pacman: name={{ item }} state=present
+ with_items:
+ - lxc
+ - python
+ - dnsmasq
+
+- name: Create LXC config and autostart files
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: root
+ group: root
+ mode: 0644
+ with_items:
+ - { src: '../files/50-lxc.conf', dest: '/etc/sysctl.d/50-lxc.conf' }
+ - { src: '../files/lxc-auto-delayed.service', dest: '/etc/systemd/system/lxc-auto-delayed.service' }
+
+- name: Setup LXC-Network
+
+- name: Activate autostart for LXC-Container
+ systemd:
+ name: "{{ item }}"
+ enable: yes
+ deamon_reload: yes
+ with_items:
+ - lxc-auto.service
+ - lxc-auto-delayed.service
+
+- name: Installing python-lxc for Ansible lxc support
+ pip:
+ name: lxc-python2
+
+- name: Create some Bashscripts for simpliefy lxc usage
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: root
+ group: root
+ mode: 0644
+ with_items:
+ - { src: '../files/lxc-create.sh', dest: '/root/lxc-create.sh' }
+ - { src: '../files/lxcbtrfsconverter.sh', dest: '/root/lxc-btrfsconverter.sh' }
diff --git a/roles/lxc_container/README.yml b/roles/lxc_container/README.yml
new file mode 100644
index 0000000..6209a30
--- /dev/null
+++ b/roles/lxc_container/README.yml
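Review bot: The loop body runs `mv`, `btrfs subvolume create`, `mv "${rootfs}.saved"/*` and `rmdir` without checking any exit status and without `set -e`, so a failed `btrfs subvolume create` (a non-btrfs /var/lib/lxc, or a container that is running) leaves that rootfs renamed to `.saved` and the loop carries on to the next container. `"${rootfs}.saved"/*` also skips dot-entries at the top level of the rootfs. Add `set -eu` after the shebang and guard the create with `btrfs subvolume create "${rootfs}" || { mv "${rootfs}.saved" "${rootfs}"; exit 1; }`; with `#!/bin/sh`, `echo "...\n"` is shell-dependent, so `printf '%s to subvolume\n' "${rootfs}"` is the portable form.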
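Review bot: The file is roles/lxc/tasks/mail.yaml, which Ansible does not load as a role entry point (that is tasks/main.yml), so none of these tasks run when the role is included. The `systemd:` task uses `enable:` and `deamon_reload:`, which are not module parameters (`enabled:` and `daemon_reload:` are), and `- name: Setup LXC-Network` is a task with no module, which would abort the play once the file is renamed. The last task copies lxc-create.sh and lxcbtrfsconverter.sh to /root with `mode: 0644`, so they are not executable on the host; `mode: 0700` matches their purpose as root-only helpers. This role also installs `dnsmasq`, duplicating the separate dnsmasq role in this commit.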
@@ -0,0 +1,41 @@ +--- +- hosts: webserver + tasks: + + # Create the Container for the new Webserver + - name: Create Webserver for {{ domain }} + lxc_container: + name: webserver + state: sopped + backing_store: overlayfs + clone_name: {{ domain }} + clone_snapshot: true + container_config: + - "lxc.mount.entry =/var/lib/nginx.revproxy/rootfs/etc/letsencrypt/archive/{{ domain }} etc/letsencrypt/archive/{{ domain }} none bind 0 0" + - "lxc.mount.entry =/var/lib/nginx.revproxy/rootfs/etc/letsencrypt/live/{ domain } etc/letsencrypt/live/{{ domain }} none bind 0 0" + + - name: Set default Nginx + template: + src: template/80nginx.j2 + dest: /var/lib/lxc/nginx.revproxy/delta0/etc/nginx/site-available/{{ domain }}.conf + + - name: Setup Letsencrypt for {{ domain }} + lxc_container: + name: rev.proxy + state: started + container_command: | + ln -s /etc/nginx/site-available/{{ domain }}.conf /etc/nginx/site-enabled/{{ domain }}.conf + systemctl reload nginx + certbot certonly -d {{ domain }} -d www.{{ domain }} + + - name: Setup secure Nginx with LetsEncrypt + template: + src: template/443nginx.j2 + dest: /var/lib/lxc/nginx.revproxy/delta0/etc/nginx/site-available/{{ domain }}.conf + + - name: Restart Reverse.Proxy + lxc_container: + name: rev.proxy + state: started + container_command: | + systemctl reload nginx diff --git a/roles/lxc_container/tasks/main.yml b/roles/lxc_container/tasks/main.yml new file mode 100644 index 0000000..d2c372c --- /dev/null +++ b/roles/lxc_container/tasks/main.yml @@ -0,0 +1,17 @@ +- name: Create main LXC_Container + lxc_container: + name: {{ item.domain }} + state: started + template: archlinux + with_dict: "{{ containername }}" + when: item.clone not defined + +- name: Create LXC_Container Clone + lxc_container: + name: webserver + state: sopped + backing_store: overlayfs + clone_name: {{ domain }} + clone_snapshot: true + container_config: + when: item.clone is "webserver" 
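Review bot: `name: {{ item.domain }}` and `clone_name: {{ domain }}` are unquoted Jinja expressions, which YAML reads as flow mappings, so the file fails to parse; quote them, e.g. `name: "{{ item.domain }}"`. `when: item.clone not defined` and `when: item.clone is "webserver"` are not valid Jinja tests either (`item.clone is not defined`, `item.clone == "webserver"`), `state: sopped` is a typo for `stopped`, and the second task's `container_config:` is empty. roles/lxc_container/README.yml in the previous hunk repeats the `sopped` typo, the unquoted `{{ domain }}`, and has a single-brace `{ domain }` in its second mount entry.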
diff --git a/roles/netctl/tasks/main.yml b/roles/netctl/tasks/main.yml new file mode 100644 index 0000000..3c1a0ec --- /dev/null +++ b/roles/netctl/tasks/main.yml @@ -0,0 +1,39 @@ +- name: Disable Systemctl-Network + service: + name: systemd-networkd.service + enabled: no + state: stopped + +- name: Hetzner network config + template: src=99-hetzner.conf.j2 dest=/etc/sysctl.d/99-hetzner.conf owner=root group=root mode=0644 + +- name: Setup udev rules for eth0 + template: src=80-net-setup-link.rules.j2 dest=/etc/udev/rules.d/80-net-setup-link.rules + +- name: Setup eth0 Network + template: src=eth0.j2 dest=/etc/netctl/eth0 owner=root group=root mode=0644 + +- name: start eth0 profile + command: netctl start eth0 + +- name: enable eth0 profile + command: netctl enable eth0 + register: "enable_result" + changed_when: + - enable_result is success + - "('already' not in enable_result.stderr and 'ln' in enable_result.stdout)" + +- name: Setup lxc br0 Network + template: src=br0.j2 dest=/etc/netctl/br0 owner=root group=root mode=0644 + when: lxc_ipv4_address is defined + +- name: start br0 network + command: netctl start br0 + +- name: enable br0 profile + command: netctl enable br0 + register: "enable_result" + changed_when: + - enable_result is success + - "('already' not in enable_result.stderr and 'ln' in enable_result.stdout)" + when: lxc_ipv4_address is defined diff --git a/roles/netctl/templates/80-net-setup-link.rules.j2 b/roles/netctl/templates/80-net-setup-link.rules.j2 new file mode 100644 index 0000000..76ce3b8 --- /dev/null +++ b/roles/netctl/templates/80-net-setup-link.rules.j2 @@ -0,0 +1,2 @@ +# device: eth0 +SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="{{ ansible_default_ipv4.macaddress }}", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0" diff --git a/roles/netctl/templates/99-hetzner.conf.j2 b/roles/netctl/templates/99-hetzner.conf.j2 new file mode 100644 index 0000000..a80ad99 --- /dev/null 
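Review bot: `command: netctl start br0` has no `when: lxc_ipv4_address is defined`, while the template task before it and the enable task after it are both guarded, so on a host without a bridge address the role tries to start a profile that was never written and fails. `netctl start eth0` and `netctl start br0` also report changed on every run; a `changed_when:` on their output, in the style the two enable tasks already use, would make the role idempotent. This role stops and disables systemd-networkd.service while install_arch's "enable services inside chroot" task enables it, so the two roles disagree about which network manager owns the host; a comment at the top of this file stating that netctl is authoritative would settle it.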
+++ b/roles/netctl/templates/99-hetzner.conf.j2
@@ -0,0 +1,28 @@
+### Hetzner Online GmbH installimage
+# sysctl config
+net.ipv4.ip_forward=1
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.icmp_echo_ignore_broadcasts=1
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.br0.send_redirects=0
+net.ipv4.conf.default.send_redirects=0
+net.ipv4.conf.br0.forwarding=1
+# ipv6 settings (no autoconfiguration)
+net.ipv6.conf.default.autoconf=0
+net.ipv6.conf.default.accept_dad=0
+net.ipv6.conf.default.accept_ra=0
+net.ipv6.conf.default.accept_ra_defrtr=0
+net.ipv6.conf.default.accept_ra_rtr_pref=0
+net.ipv6.conf.default.accept_ra_pinfo=0
+net.ipv6.conf.default.accept_source_route=0
+net.ipv6.conf.default.accept_redirects=0
+net.ipv6.conf.default.forwarding=1
+net.ipv6.conf.all.autoconf=0
+net.ipv6.conf.all.accept_dad=0
+net.ipv6.conf.all.accept_ra=0
+net.ipv6.conf.all.accept_ra_defrtr=0
+net.ipv6.conf.all.accept_ra_rtr_pref=0
+net.ipv6.conf.all.accept_ra_pinfo=0
+net.ipv6.conf.all.accept_source_route=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.all.forwarding=1
diff --git a/roles/netctl/templates/br0.j2 b/roles/netctl/templates/br0.j2
new file mode 100644
index 0000000..ec00105
--- /dev/null
+++ b/roles/netctl/templates/br0.j2
@@ -0,0 +1,7 @@
+Interface=br0
+Connection=bridge
+BindsToInterface=()
+IP=static
+Address=('{{ lxc_ipv4_address }}{{ lxc_ipv4_netmask }}')
+IP6=static
+Address6=('{{ lxc_ipv6_address }}{{ lxc_ipv6_netmask }}')
diff --git a/roles/netctl/templates/eth0.j2 b/roles/netctl/templates/eth0.j2
new file mode 100644
index 0000000..368110e
--- /dev/null
+++ b/roles/netctl/templates/eth0.j2
@@ -0,0 +1,10 @@
+Interface=eth0
+Connection=ethernet
+IP=static
+Address=('{{ ipv4_address }}{{ ipv4_netmask }}')
+Routes=('{{ ipv4_gateway }}{{ ipv4_netmask }}')
+Gateway='{{ ipv4_gateway }}'
+
+IP6=static
+Address6=('{{ ipv6_address }}{{ ipv6_netmask }}')
+Gateway6='{{ ipv6_gateway }}'
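Review bot: `net.ipv4.ip_forward=1` and `net.ipv6.conf.*.forwarding=1` make the host a router for the container bridge, but the IPv4 block lacks the hardening the IPv6 block has: there is no `net.ipv4.conf.all.accept_redirects=0`, `net.ipv4.conf.default.accept_redirects=0` or `net.ipv4.conf.all.accept_source_route=0`, so a forwarding host still honours ICMP redirects and source-routed packets on v4. Add those three lines next to the existing `send_redirects=0` entries. The header says the block comes from the Hetzner installimage; a comment marking which lines were added for the LXC bridge (the `br0` entries) would help the next reader tell vendor defaults from local policy.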
diff --git a/roles/pet/task/main.yaml b/roles/pet/task/main.yaml new file mode 100644 index 0000000..2ce57a7 --- /dev/null +++ b/roles/pet/task/main.yaml @@ -0,0 +1,13 @@ +- name: install Pet + aur: + name: pet-git + use: makepkg + upgrade: yes + become: yes + become_user: aur_builder + +- name: Configure Pet + template: src=config.toml.j2 dest=/root/.config/pet/config.toml owner=root group=root mode=0644 + +- name: Sync Pet + command: pet sync diff --git a/roles/pet/templates/config.toml.j2 b/roles/pet/templates/config.toml.j2 new file mode 100644 index 0000000..3de98eb --- /dev/null +++ b/roles/pet/templates/config.toml.j2 @@ -0,0 +1,12 @@ +[General] + snippetfile = "/root/.config/pet/snippet.toml" + editor = "vim" + column = 40 + selectcmd = "peco" + +[Gist] + file_name = "pet-snippet.toml" + access_token = {{ gist_access_token }} + gist_id = {{ gist_id }} + public = false + auto_sync = true diff --git a/roles/root_ssh/tasks/main.yml b/roles/root_ssh/tasks/main.yml new file mode 100644 index 0000000..411652e --- /dev/null +++ b/roles/root_ssh/tasks/main.yml @@ -0,0 +1,4 @@ +--- + +- name: add authorized keys for root + template: src=authorized_keys.j2 dest=/root/.ssh/authorized_keys mode=0600 owner=root group=root diff --git a/roles/root_ssh/templates/authorized_keys.j2 b/roles/root_ssh/templates/authorized_keys.j2 new file mode 100644 index 0000000..bc7a2ff --- /dev/null +++ b/roles/root_ssh/templates/authorized_keys.j2 @@ -0,0 +1,7 @@ +#jinja2: lstrip_blocks: True +{% for user in root_ssh_keys | sort -%} + {{ lookup('file', '../pubkeys/' + user) }} +{% endfor %} +{% if 'dragon-backup' in group_names %} +ssh-rsa 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 root@dragon backup key +{% endif %} diff --git a/roles/sshd/handlers/main.yml b/roles/sshd/handlers/main.yml new file mode 100644 index 0000000..d63f84c --- /dev/null +++ b/roles/sshd/handlers/main.yml @@ -0,0 +1,2 @@ +- name: restart sshd + service: name=sshd state=restarted 
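Review bot: The role directory is roles/pet/task/, but Ansible loads roles/pet/tasks/main.yml, so this role is silently empty when included. Its "Configure Pet" task renders roles/pet/templates/config.toml.j2, which contains a Gist API token (`access_token = {{ gist_access_token }}`), with `mode=0644`; a file holding a token should be written with `mode=0600`. In the template, `access_token` and `gist_id` are emitted unquoted, which is only valid TOML if the variables themselves carry quotes, so `access_token = "{{ gist_access_token }}"` and `gist_id = "{{ gist_id }}"` are the safer form.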
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
new file mode 100644
index 0000000..9541acf
--- /dev/null
+++ b/roles/sshd/tasks/main.yml
@@ -0,0 +1,33 @@
+- name: install openssh
+ pacman: name=openssh state=present
+
+- name: configure sshd
+ template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644
+ notify:
+ - restart sshd
+
+- name: set file permissions
+ file: path=/etc/ssh mode=0600
+
+- name: install motd
+ template: src=motd.j2 dest=/etc/motd owner=root group=root mode=0644
+
+- name: start and enable sshd
+ service: name=sshd enabled=yes state=started
+
+- name: enable systemd ressource accounting
+ command: systemctl set-property sshd CPUAccounting=yes MemoryAccounting=yes
+
+#- name: open firewall holes
+# firewalld: service=ssh permanent=true state=enabled
+# when: configure_firewall
+
+#- name: add IP-Tables rule
+# iptables:
+# chain: INPUT
+# protocol: tcp
+# destination_port: 22
+# ctstate: NEW
+# syn: match
+# jump: ACCEPT
+# comment: Accept new SSH connections.
diff --git a/roles/sshd/templates/motd.j2 b/roles/sshd/templates/motd.j2
new file mode 100644
index 0000000..a358066
--- /dev/null
+++ b/roles/sshd/templates/motd.j2
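Review bot: `file: path=/etc/ssh mode=0600` applies 0600 to the /etc/ssh directory itself, which removes the search bit, so unprivileged users can no longer read `/etc/ssh/ssh_config` or `/etc/ssh/ssh_known_hosts` and the ssh client breaks for them; the directory should stay 0755 and the private host keys should be the 0600 targets, e.g. `file: path=/etc/ssh/ssh_host_ed25519_key mode=0600` per key, or a `with_fileglob` over `/etc/ssh/ssh_host_*_key`. The `systemctl set-property sshd ...` command is non-idempotent, as in the crond role. With the firewall tasks left commented out, nothing in this role opens port 22 when `configure_firewall` starts firewalld elsewhere; whether ssh is admitted then depends on firewalld's default zone, which is worth a comment here.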
@@ -0,0 +1,28 @@ +Welcome to {{inventory_hostname}}. + +{% if 'borg-clients' in group_names %} +Data on this system is regularly backed up automatically. +{% else %} +This system IS NOT backed up. Please ensure you DO NOT keep valuable data here! +{% endif %} + +{% if 'buildservers' in group_names %} +Usage Info + - Use the devtools helpers to build packages. + - Don't forget to set your PACKAGER in ~/.makepkg.conf. + - Chroots are kept in /var/lib/archbuild (~chroots). + - SRCDEST is set to /var/lib/archbuilddest/srcdest (~srcdest). + - Take a look at mkpkg -hh if you want to build nightlies. + + Package diff tools: + diffrepo : Lightweight alternative to checkpkg. Only diffs filenames. + pkgdiffrepo : Heavyweight alternative to checkpkg. Uses pkgdiff. + +September 25, 2016 + Pkgbuild.com was moved to a new server (again)! This one uses spinning rust + so we have plenty of space. Chroots are on a tmpfs to keep things fast. + +October 11, 2016 + Added gitpkg, an experimental script written to maintain GNOME git packages. + May also fit other packages. +{% endif %} diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2 new file mode 100644 index 0000000..be03114 --- /dev/null +++ b/roles/sshd/templates/sshd_config.j2 
@@ -0,0 +1,121 @@
+# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+LogLevel VERBOSE
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no # pam does that
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+# unlink forwarded sockets; for gpg agent forwarding
+StreamLocalBindUnlink yes
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+ # X11Forwarding no
+ # AllowTcpForwarding no
+ # PermitTTY no
+ # ForceCommand cvs server
diff --git a/roles/sudo/tasks/main.yml b/roles/sudo/tasks/main.yml
new file mode 100644
index 0000000..9bbefb1
--- /dev/null
+++ b/roles/sudo/tasks/main.yml
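Review bot: `PermitRootLogin` is left commented at the shipped default, so whether root may log in at all, and with which methods, is decided by the OpenSSH build rather than by this file; a hardening template should state the intent explicitly, e.g. `PermitRootLogin prohibit-password` if key-based root logins are expected, or `PermitRootLogin no` otherwise. `AllowTcpForwarding` and `X11Forwarding` are left at their defaults for the same reason and are worth pinning the same way. The template contains no Jinja expressions, so a first line of `# {{ ansible_managed }}` would tell an admin editing the file by hand that Ansible overwrites it on the next run. `LogLevel VERBOSE`, `PasswordAuthentication no` and `ChallengeResponseAuthentication no` together with `UsePAM yes` match the comment block above them and are the right combination.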
@@ -0,0 +1,18 @@
+---
+
+- name: install sudo
+ pacman: name=sudo state=present
+
+- name: add sudo users to wheel
+ user: name="{{ item }}" append=yes groups=wheel
+ with_items: "{{ sudo_users }}"
+ tags: ['archusers']
+
+- name: allow wheel group to use sudo
+ lineinfile:
+ dest: /etc/sudoers
+ state: present
+ regexp: '^%wheel ALL=\(ALL\) ALL'
+ insertafter: '^# %wheel ALL=\(ALL\) ALL'
+ line: '%wheel ALL=(ALL) ALL'
+ validate: 'visudo -cf %s'
diff --git a/roles/tools/tasks/main.yml b/roles/tools/tasks/main.yml
new file mode 100644
index 0000000..ff4db94
--- /dev/null
+++ b/roles/tools/tasks/main.yml
@@ -0,0 +1,66 @@
+- name: Update and Upgrade System
+ pacman:
+ update_cache: yes
+ upgrade: yes
+ tags:
+ - install
+ - setup
+ - update
+
+- name: install sysadmin tools
+ pacman: name={{ item }} state=present
+ with_items:
+ - lsof
+ - psmisc
+ - htop
+ - nethogs
+ - iftop
+ - rsync
+ - tmux
+ - mtr
+ - sshfs
+ - dfc
+ - tree
+ - dstat
+ - dmidecode
+ - net-tools
+ - ncdu
+ - nmap
+ - sysstat
+ - iptraf-ng
+ - vnstat
+ - tcpdump
+ - sudo
+ - mosh
+ - nmon
+
+- name: install misc utils
+ pacman: name={{ item }} state=present
+ with_items:
+ - git
+ - wget
+ - curl
+ - arch-install-scripts
+ - debootstrap
+ - zsh
+ - colordiff
+ - multitail
+ - cloc
+ - ipcalc
+ - calc
+ - neovim
+ - python2
+ - neovim
+ - vim
+ - bash-completion
+ - pv
+ - rxvt-unicode-terminfo
+ - termite-terminfo
+ - p7zip
+ - unzip
+ - setconf
+ - kexec-tools
+ - ca-certificates
+
+- name: start vnstatd
+ service: name=vnstat state=started enabled=true
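Review bot: The `add sudo users to wheel` task uses the `user` module with its default state, which creates any account named in `sudo_users` that does not yet exist, so a misspelled or stale entry silently becomes a brand-new wheel member rather than an error; if only existing users are meant to be promoted, check for them first (a `getent passwd` lookup with `failed_when`) or iterate over names that also appear in the archusers list. The `validate: 'visudo -cf %s'` on the sudoers edit is the right safeguard. Note that the regexp `^%wheel ALL=\(ALL\) ALL` matches only that exact line, so a pre-existing `%wheel ALL=(ALL) NOPASSWD: ALL` on a non-fresh host would be left in place alongside the new one; a comment on the task saying it assumes the stock Arch sudoers would make that explicit.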
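Review bot: `upgrade: yes` in the first task performs a full system upgrade every time the role runs, including plays where nothing else changed, so a routine run can pull a kernel or library update onto a production host without anyone intending it; gate it behind an opt-in variable (`when: system_upgrade | default(false)`) or move it to a dedicated play that is only run under the `update` tag. `neovim` is listed twice in the misc utils task. The per-item `pacman: name={{ item }}` loops run one pacman transaction per package; passing the whole list as `name` (the module accepts a list) installs them in a single transaction, which is faster and easier to read, though that is a style choice.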