diff --git a/inventory/group_vars/9iron.club.yml b/inventory/group_vars/9iron.club.yml
index acdb0f4..e396640 100644
--- a/inventory/group_vars/9iron.club.yml
+++ b/inventory/group_vars/9iron.club.yml
@@ -33,6 +33,16 @@ mysql_root_password: !vault |
 65323365313465316635646465376665616132653832316362363535366563363863636530313666
 3036393134386131310a643734363261633166636263343538313533393738323934303137343163
 39636637643035616236663364663562366133613233313139623937313531343564
+# PSQL
+psql_ansible_user: ansible
+psql_ansible_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 30383235373131383466383438653235666365386631356463633265623332643337633830663930
+ 3639313565613138373165636264343030323961646539390a356134383764326631326635636139
+ 63626263373063343036373266326235363839316662363031356264363365633161326264643766
+ 3734386366633861640a643335636330323432626437646337353534653832383337396432636264
+ 61356331646133653363353931306630373963316430626266346630646362666237
+psql_neighbor_address: "172.31.0.0/16"
 ## WEBAPPS
 # Dokuwiki
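Review bot: `psql_neighbor_address: "172.31.0.0/16"` is rendered into the new pg_hba.conf (last file in this diff) as `host all all {{ psql_neighbor_address }} md5`, so every host in that /16 may attempt password authentication against every database as every role, including `psql_ansible_user`, which roles/postgresql/tasks/main.yml creates with `role_attr_flags: SUPERUSER`. The only client this commit introduces is fedi1 reaching psql1, so the value could be narrowed to that host with a /32, or turned into a list so the template emits one record per allowed client. Quoting the CIDR as a string is correct and should stay. If the /16 is deliberately the whole subnet, a comment next to the variable saying so, e.g. `# whole VPC subnet; every host in it can reach the superuser role over TCP`, would tell the next reader that the breadth is intended.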
@@ -92,6 +102,40 @@ nextcloud_mysql_password: !vault |
 3332313764623133630a393731613236373837316437653265636663666261383135636662373566
 61373135303632336237333836353764646639633735323566346366623766646266
 nextcloud_url: "nc.9iron.club"
+# Pleroma
+pleroma_instance_desc: owo
+pleroma_instance_email: rehashedsalt@cock.li
+pleroma_instance_name: Cowfee
+pleroma_instance_notify_email: noreply@cowfee.moe
+pleroma_openreg: "true"
+pleroma_static_repo: "https://git.9iron.club/salt/pleroma"
+pleroma_db_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 34343838386134656236313462653531663839363030333630383332386535356431326436633137
+ 3261323632653635383930333131333235373437653733300a363562666264616138623832666137
+ 61333039646332343838346633363035343434303036643465353062353062303961383138643564
+ 3338393765393733340a626436653666363236643938613466643530326665653764333933393437
+ 37613033653864643965323162373366306233626235663461326266376662663634353066386139
+ 37636162313364623933396232366239633338363539626637373163333130373665373038363566
+ 65646633636638653335356536323334646632366164633532636634376632356166306139393766
+ 38633934623639366263
+pleroma_secret_key_base: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 36333934336635613533333137636532363937613764353933636566663031316262333837323064
+ 6534653062626461633462636335346132353564653038330a326330326235623530393337333063
+ 37666666386637633839633737376465366439356461653363396665636137353264363762346461
+ 3765616634653234630a623061393834373964653939626564363263383435666366356339663136
+ 64613330656434653538363734393831353133316666326338366335383064356165333537383837
+ 31633939353565303661626233623064653838636435376239376361663362636164653962383561
+ 33366335623038653232613731333730363836653532363834663663343963303763323534343038
+ 61666238346239636634
+pleroma_signing_salt: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 31306137646362333433313630363538333234643339353530333038393061663132633161356231
+ 3662386234633933633762363334333031306564353132380a633339323364633137396636616363
+ 64393536353362386336323662316262333763326138616364333237353262323232636335353436
+ 3563396435643363620a646337346561393863366361643536356363626334343264343861663131
+ 3466
 # snmpd
 snmp_location: "us-east-2"
 snmp_contact: "Salt "
diff --git a/inventory/hosts.yml b/inventory/hosts.yml
index 6a243df..4ba1a5f 100644
--- a/inventory/hosts.yml
+++ b/inventory/hosts.yml
@@ -41,6 +41,8 @@ all:
 zone: 9iron.club
 children:
 dbservers:
+ vars:
+ backups_frequency: 12h
 hosts:
 psql1.9iron.club:
 webservers:
@@ -60,12 +62,3 @@ all:
 6438356265656532396363323532616437353831613261323037
 hosts:
 game1.9iron.club:
- cowfee.moe:
- vars:
- zone: cowfee.moe
- children:
- webservers-cofe:
- hosts:
- web1.cowfee.moe:
- vars:
- backups_frequency: 2h
diff --git a/playbooks/webservers.yml b/playbooks/webservers.yml
index 8a077af..0e314e0 100644
--- a/playbooks/webservers.yml
+++ b/playbooks/webservers.yml
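Review bot: `pleroma_openreg: "true"` is a quoted string rather than a YAML boolean, and nothing in this diff shows how the pleroma role consumes it. If it is interpolated verbatim into config.exs that is the right choice, since an unquoted `true` would reach the template as a Python bool and render as `True`, which Elixir would not accept; if it is ever used in a `when:` condition, `"false"` would also be truthy because it is a non-empty string. A comment such as `# quoted on purpose: interpolated verbatim into config.exs` next to the key would record which of the two is intended.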
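Review bot: `backups_frequency: 12h` on dbservers appears to be the only backup cadence left for the Pleroma database: the roles/pleroma/templates/backup.sh hunk in this diff removes the pg_dump from the web host's backup, and the deleted cowfee.moe group below carried a 2h frequency for web1.cowfee.moe. Whether the postgresql role's backup module (its template task is referenced in roles/postgresql/tasks/main.yml but not shown) dumps that database is not visible here, so the recovery point for Pleroma either moves from 2h to 12h or disappears. A comment on the variable stating the trade-off, e.g. `# only DB backup for pleroma: its role no longer runs pg_dump`, would make it explicit.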
@@ -2,11 +2,42 @@
 # vim:ft=ansible:
 ---
 - hosts: fedi1.9iron.club
+ pre_tasks:
+ - name: Assure cowfee record
+ route53:
+ state: present
+ overwrite: yes
+ zone: cowfee.moe
+ type: A
+ record: "cowfee.moe."
+ ttl: 300
+ value: [ "{{ ipify_public_ip }}" ]
+ wait: yes
+ become: yes
+ tags: [ common, dns ]
 roles:
 - role: backups
 tags: [ backups ]
 - role: matrix
 tags: [ fedi, matrix ]
+ - role: pleroma
+ vars:
+ pleroma_url: cowfee.moe
+ pleroma_db_hostname: "{{ hostvars['psql1.9iron.club']['ansible_default_ipv4']['address'] }}"
+ tags: [ web, pleroma ]
+ - role: adam
+ vars:
+ adam_name: lain
+ adam_auth_token: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 33346238356561313736653431666439363835663134303339366536663964333138666530343166
+ 6132353938663563316265346630613231616362643937380a616132386464653438343739613937
+ 32626230326430396563316363613139306535663832336531636239633364383432373739646436
+ 3338376362313539360a383763313439633331313531323232653866633065333933633061326465
+ 64343165613961346362353162316530623132633164643461616633633335666232633833313561
+ 33306532343963383331623663616161626533633261383238646164663362396261633736636362
+ 373764613833343634346333613639626535
+ tags: [ discord, adam ]
 - hosts: web1.9iron.club
 roles:
 - role: backups
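Review bot: `pleroma_db_hostname: "{{ hostvars['psql1.9iron.club']['ansible_default_ipv4']['address'] }}"` depends on psql1's facts being present in this run; if no earlier play has gathered facts for psql1 (or fact caching is off), the lookup fails with an undefined-variable error, and it also resolves to whichever interface carries psql1's default route, so if that is a public interface the Pleroma database traffic leaves the private network. Setting `pleroma_db_hostname` explicitly in group_vars next to `psql_neighbor_address`, or at least reading it through `| default(...)` with a `fail` task that explains the precondition, would make the dependency visible. Separately, the route53 task spells `overwrite: yes` and `wait: yes`; `true` is the canonical boolean spelling and survives YAML 1.2 parsers unchanged. The play continues past the end of this hunk.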
@@ -37,20 +68,3 @@
 roles:
 - role: backups
 tags: [ backups ]
- - role: pleroma
- vars:
- pleroma_url: cowfee.moe
- tags: [ web, pleroma ]
- - role: adam
- vars:
- adam_name: lain
- adam_auth_token: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 33346238356561313736653431666439363835663134303339366536663964333138666530343166
- 6132353938663563316265346630613231616362643937380a616132386464653438343739613937
- 32626230326430396563316363613139306535663832336531636239633364383432373739646436
- 3338376362313539360a383763313439633331313531323232653866633065333933633061326465
- 64343165613961346362353162316530623132633164643461616633633335666232633833313561
- 33306532343963383331623663616161626533633261383238646164663362396261633736636362
- 373764613833343634346333613639626535
- tags: [ discord, adam ]
diff --git a/roles/pleroma/meta/main.yml b/roles/pleroma/meta/main.yml
index 93df141..7e415bc 100644
--- a/roles/pleroma/meta/main.yml
+++ b/roles/pleroma/meta/main.yml
@@ -2,4 +2,3 @@
 allow_duplicates: no
 dependencies:
 - role: apache-php
- - role: postgresql
diff --git a/roles/pleroma/tasks/main.yml b/roles/pleroma/tasks/main.yml
index 00868da..fa04bfc 100644
--- a/roles/pleroma/tasks/main.yml
+++ b/roles/pleroma/tasks/main.yml
@@ -28,14 +28,23 @@
 postgresql_user:
 name: pleroma
 password: "{{ pleroma_db_password }}"
+ login_host: "{{ pleroma_db_hostname }}"
+ login_user: "{{ psql_ansible_user }}"
+ login_password: "{{ psql_ansible_password }}"
 - name: Create DB
 postgresql_db:
 name: pleroma
 owner: pleroma
+ login_host: "{{ pleroma_db_hostname }}"
+ login_user: "{{ psql_ansible_user }}"
+ login_password: "{{ psql_ansible_password }}"
 - name: Create extensions
 postgresql_ext:
 db: pleroma
 name: "{{ item }}"
+ login_host: "{{ pleroma_db_hostname }}"
+ login_user: "{{ psql_ansible_user }}"
+ login_password: "{{ psql_ansible_password }}"
 loop:
 - citext
 - pg_trgm
diff --git a/roles/pleroma/templates/backup.sh b/roles/pleroma/templates/backup.sh
index 2da62ac..6659e86 100644
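Review bot: The `login_host`/`login_user`/`login_password` triples added to the postgresql_user, postgresql_db and postgresql_ext tasks open plain TCP sessions to the database host and none of them requests TLS; the new pg_hba.conf matches these on `host` rather than `hostssl`, so the md5 exchange protects the superuser password but nothing else in the session. Adding `ssl_mode: require` to each task, or wrapping the three in a `block` whose `module_defaults` carries all four keys for the postgresql_* modules so the triplication disappears, addresses both points in this file. The same gap exists in the config.exs hunk, where the Pleroma.Repo entry can carry `ssl: true`, and in the pg_hba hunk's neighbor record, which could be `hostssl`; I am raising it once here. Whether psql1's postgresql.conf enables `ssl` is not visible in this diff, so confirm that before requiring it on the client side. The task list begins before this hunk.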
--- a/roles/pleroma/templates/backup.sh
+++ b/roles/pleroma/templates/backup.sh
@@ -43,12 +43,6 @@ if (( currentbackupcount >= retention * 2 )); then
 fi
 # WE MAKE BACKUP NOW SERGEI
 date="$(date -Iseconds)"
-log "Stopping Pleroma"
-systemctl stop pleroma
-log "Creating DB backup"
-sudo -Hu postgres pg_dump -d pleroma --format=custom | gzip > "$OUTDIR/{{ pleroma_url }}-$date-db.pgdump.gz"
-log "Enabling Pleroma"
-systemctl start pleroma
 log "Creating uploads backup"
 tar czhf "$OUTDIR/{{ pleroma_url }}-$date-uploads.tar.gz" "/var/lib/pleroma/uploads"
 # Note that we don't tar up static, here
diff --git a/roles/pleroma/templates/config.exs b/roles/pleroma/templates/config.exs
index e6ace03..6ebc839 100644
--- a/roles/pleroma/templates/config.exs
+++ b/roles/pleroma/templates/config.exs
@@ -30,7 +30,7 @@ config :pleroma, Pleroma.Repo,
 username: "pleroma",
 password: "{{ pleroma_db_password }}",
 database: "pleroma",
- hostname: "localhost",
+ hostname: "{{ pleroma_db_hostname }}",
 pool_size: 10
 config :pleroma, :database, rum_enabled: false
diff --git a/roles/postgresql/tasks/main.yml b/roles/postgresql/tasks/main.yml
index 4aabf10..d7840a0 100644
--- a/roles/postgresql/tasks/main.yml
+++ b/roles/postgresql/tasks/main.yml
@@ -12,8 +12,11 @@
 - python3-psycopg2
 - name: Template out configs
 template:
- src: postgresql.conf
- dest: /etc/postgresql/10/main/postgresql.conf
+ src: "{{ item }}"
+ dest: "/etc/postgresql/10/main/{{ item }}"
+ loop:
+ - postgresql.conf
+ - pg_hba.conf
 notify: restart psql
 - name: Start PostgreSQL
 systemd:
@@ -27,6 +30,10 @@
 name: "{{ psql_ansible_user }}"
 password: "{{ psql_ansible_password }}"
 role_attr_flags: SUPERUSER
+ - name: Create maintenance DB
+ postgresql_db:
+ name: "{{ psql_ansible_user }}"
+ owner: "{{ psql_ansible_user }}"
 become: yes
 become_user: postgres
 - name: Template out backup module
diff --git a/roles/postgresql/templates/pg_hba.conf b/roles/postgresql/templates/pg_hba.conf
new file mode 100644
index 0000000..c3f6268
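Review bot: The `Create maintenance DB` task carries no comment saying why a database named after the automation role has to exist; the reason appears to be that the postgresql_user task in roles/pleroma/tasks/main.yml connects with `login_user` but names no database, and libpq then defaults the database name to the user name, so that connection fails until this DB is present. A comment such as `# libpq defaults the database to the role name; roles/pleroma connects as this user without naming one` would keep the next maintainer from pruning it as unused. In the template loop above, `pg_hba.conf` is now managed, but the remote `host` records it adds only take effect if the postgresql.conf template sets `listen_addresses` beyond localhost; that template is not part of this diff, so worth checking rather than assuming. The block that supplies `become_user: postgres` starts before this hunk.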
--- /dev/null
+++ b/roles/postgresql/templates/pg_hba.conf
@@ -0,0 +1,101 @@
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the PostgreSQL
+# documentation for a complete description of this file. A short
+# synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access. Records take one of these forms:
+#
+# local DATABASE USER METHOD [OPTIONS]
+# host DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
+#
+# (The uppercase items must be replaced by actual values.)
+#
+# The first field is the connection type: "local" is a Unix-domain
+# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
+# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
+# plain TCP/IP socket.
+#
+# DATABASE can be "all", "sameuser", "samerole", "replication", a
+# database name, or a comma-separated list thereof. The "all"
+# keyword does not match "replication". Access to replication
+# must be enabled in a separate record (see example below).
+#
+# USER can be "all", a user name, a group name prefixed with "+", or a
+# comma-separated list thereof. In both the DATABASE and USER fields
+# you can also write a file name prefixed with "@" to include names
+# from a separate file.
+#
+# ADDRESS specifies the set of hosts the record matches. It can be a
+# host name, or it is made up of an IP address and a CIDR mask that is
+# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
+# specifies the number of significant bits in the mask. A host name
+# that starts with a dot (.) matches a suffix of the actual host name.
+# Alternatively, you can write an IP address and netmask in separate
+# columns to specify the set of hosts. Instead of a CIDR-address, you
+# can write "samehost" to match any of the server's own IP addresses,
+# or "samenet" to match any address in any subnet that the server is
+# directly connected to.
+#
+# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
+# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
+# Note that "password" sends passwords in clear text; "md5" or
+# "scram-sha-256" are preferred since they send encrypted passwords.
+#
+# OPTIONS are a set of options for the authentication in the format
+# NAME=VALUE. The available options depend on the different
+# authentication methods -- refer to the "Client Authentication"
+# section in the documentation for a list of which options are
+# available for which authentication methods.
+#
+# Database and user names containing spaces, commas, quotes and other
+# special characters must be quoted. Quoting one of the keywords
+# "all", "sameuser", "samerole" or "replication" makes the name lose
+# its special character, and just match a database or username with
+# that name.
+#
+# This file is read on server startup and when the server receives a
+# SIGHUP signal. If you edit the file on a running system, you have to
+# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
+# or execute "SELECT pg_reload_conf()".
+#
+# Put your actual configuration here
+# ----------------------------------
+#
+# If you want to allow non-local connections, you need to add more
+# "host" records. In that case you will also need to make PostgreSQL
+# listen on a non-local interface via the listen_addresses
+# configuration parameter, or via the -i or -h command line switches.
+
+
+
+
+# DO NOT DISABLE!
+# If you change this first entry you will need to make sure that the
+# database superuser can access the database using some other method.
+# Noninteractive access to all databases is required during automatic
+# maintenance (custom daily cronjobs, replication, and similar tasks).
+#
+# Database administrative login by Unix domain socket
+local all postgres peer
+
+# TYPE DATABASE USER ADDRESS METHOD
+
+# "local" is for Unix domain socket connections only
+local all all peer
+# IPv4 local connections:
+host all all 127.0.0.1/32 md5
+# IPv4 neighbor connections:
+host all all {{ psql_neighbor_address }} md5
+# IPv6 local connections:
+host all all ::1/128 md5
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+local replication all peer
+host replication all 127.0.0.1/32 md5
+host replication all ::1/128 md5
diff --git a/site.yml b/site.yml
index cc07d67..8e0cb9c 100755
--- a/site.yml
+++ b/site.yml
@@ -27,7 +27,7 @@
 64303363653631653433343361616635373966326433663466636164613062343561333036613937
 35616666633737356331653632323639373330396433366639326466373639313630
 tags: [ common, user ]
-- hosts: 9iron.club,cowfee.moe
+- hosts: 9iron.club
 roles:
 - role: snmpd
 tags: [ common, snmpd ]
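Review bot: The neighbor record `host all all {{ psql_neighbor_address }} md5` and the loopback records authenticate with `md5`, which the file's own METHOD comment lists alongside `scram-sha-256` as the hashed options; the `/etc/postgresql/10/main/` paths elsewhere in this diff suggest PostgreSQL 10, which supports `scram-sha-256`, and since this commit is what creates the ansible and pleroma roles through the postgresql_* modules, their stored hashes will be whatever `password_encryption` is at that moment, so switching is cheapest now rather than after passwords exist as md5 hashes. The change needs `password_encryption = scram-sha-256` in postgresql.conf (not in this diff) before the roles are created, otherwise existing md5 hashes stop authenticating once the records say `scram-sha-256`. The two neighbor lines are the only deviation from the stock Debian file; a comment marking them as the site-specific section, e.g. `# site-specific: cross-host access for the ansible and pleroma roles`, would make future diffs against upstream easier to read.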