diff --git a/inventory/group_vars/9iron.club.yml b/inventory/group_vars/9iron.club.yml index 26d19a0..77b9476 100644 --- a/inventory/group_vars/9iron.club.yml +++ b/inventory/group_vars/9iron.club.yml 
@@ -3,50 +3,54 @@ ## BACKEND # ACME -acme_directory: "https://acme-v02.api.letsencrypt.org/directory" -#acme_directory: "https://acme-staging-v02.api.letsencrypt.org/directory" # Testing ACME endpoint -acme_version: 2 -acme_webroot: "/var/www/acme" -# AWS Backups -aws_backup_bucket: "9iron-backups-general" -# AWS SES -aws_ses_user: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 33643766376336316266373239386466373639633765333332353031373132383061346564633036 - 3337396261333264363562363364336235633831353133380a613164666161313265396261616634 - 38353531306238613735623433663138643231663139363735373537393337636362636534656166 - 3063373930343039320a663063663535633932323739653461336164643035633036663362666161 - 38316564326537303236333266303432326164393435663665363963326363306237 -aws_ses_pass: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 39306665653635383832623438656364616633643032663365643033316236333939363732363034 - 3566663361653862646636396339343963626561613839620a663731313337613734356261326437 - 31653763346663656165343632336366343562333836396232636431323635333965336137316237 - 3662393364636631310a643935313539353338333233356362623835363631383035666536343634 - 65663937643165613337373837633737653765303764303536386530616363343361326536633935 - 3565626161343562396663353538653136376138373334336435 +acme: + #directory: "https://acme-staging-v02.api.letsencrypt.org/directory" # Testing ACME endpoint + directory: "https://acme-v02.api.letsencrypt.org/directory" + version: 2 + webroot: /var/www/acme +aws: + # S3 Backups + backup_bucket: "9iron-backups-general" + # SES + ses: + user: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 33643766376336316266373239386466373639633765333332353031373132383061346564633036 + 3337396261333264363562363364336235633831353133380a613164666161313265396261616634 + 38353531306238613735623433663138643231663139363735373537393337636362636534656166 + 3063373930343039320a663063663535633932323739653461336164643035633036663362666161 + 
38316564326537303236333266303432326164393435663665363963326363306237 + pass: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 39306665653635383832623438656364616633643032663365643033316236333939363732363034 + 3566663361653862646636396339343963626561613839620a663731313337613734356261326437 + 31653763346663656165343632336366343562333836396232636431323635333965336137316237 + 3662393364636631310a643935313539353338333233356362623835363631383035666536343634 + 65663937643165613337373837633737653765303764303536386530616363343361326536633935 + 3565626161343562396663353538653136376138373334336435 # MySQL -mysql_root_password: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 62316565376333396465333931356163343363663063636233653536373033396230626639613964 - 3037613839373833646234626236643430393364643131610a333539373533663434373935376130 - 65323365313465316635646465376665616132653832316362363535366563363863636530313666 - 3036393134386131310a643734363261633166636263343538313533393738323934303137343163 - 39636637643035616236663364663562366133613233313139623937313531343564 +mysql: + root_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 62316565376333396465333931356163343363663063636233653536373033396230626639613964 + 3037613839373833646234626236643430393364643131610a333539373533663434373935376130 + 65323365313465316635646465376665616132653832316362363535366563363863636530313666 + 3036393134386131310a643734363261633166636263343538313533393738323934303137343163 + 39636637643035616236663364663562366133613233313139623937313531343564 # PSQL -psql_ansible_user: ansible -psql_ansible_password: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 30383235373131383466383438653235666365386631356463633265623332643337633830663930 - 3639313565613138373165636264343030323961646539390a356134383764326631326635636139 - 63626263373063343036373266326235363839316662363031356264363365633161326264643766 - 3734386366633861640a643335636330323432626437646337353534653832383337396432636264 - 
61356331646133653363353931306630373963316430626266346630646362666237 -psql_neighbor_address: "172.31.0.0/16" +psql: + ansible: + user: ansible + pass: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 30383235373131383466383438653235666365386631356463633265623332643337633830663930 + 3639313565613138373165636264343030323961646539390a356134383764326631326635636139 + 63626263373063343036373266326235363839316662363031356264363365633161326264643766 + 3734386366633861640a643335636330323432626437646337353534653832383337396432636264 + 61356331646133653363353931306630373963316430626266346630646362666237 + neighbor_block: "172.31.0.0/16" ## WEBAPPS -# Dokuwiki -dokuwiki_url: "wiki.9iron.club" # Gitea gitea_mysql_password: !vault | $ANSIBLE_VAULT;1.1;AES256 diff --git a/roles/backups/templates/backup.sh b/roles/backups/templates/backup.sh index 347ebc3..3839f65 100644 --- a/roles/backups/templates/backup.sh +++ b/roles/backups/templates/backup.sh @@ -53,7 +53,7 @@ for file in "$MODULESDIR"/*; do } done # If we have a fancy schmancy bucket, use it -s3bucket="{{ aws_backup_bucket }}" +s3bucket="{{ aws.backup_bucket }}" if command -v aws > /dev/null 2>&1 && aws s3 ls "s3://$s3bucket" > /dev/null 2>&1; then log "Moving files to S3 bucket $s3bucket" nice -n 10 aws s3 mv "$BACKUPSDIR" "s3://$s3bucket" \ diff --git a/roles/desktop/templates/backup.sh b/roles/desktop/templates/backup.sh index 51b91dc..f367966 100644 --- a/roles/desktop/templates/backup.sh +++ b/roles/desktop/templates/backup.sh @@ -34,7 +34,7 @@ if (( currentbackupcount >= retention )); then fi fi # WE MAKE BACKUP NOW SERGEI -s3bucket="{{ aws_backup_bucket }}" +s3bucket="{{ aws.backup_bucket }}" for dir in /home/*; do username="$(basename -- "$dir")" forcefile="$dir/.backup/force" diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml index 4a7d178..ab10022 100644 --- a/roles/gitea/tasks/main.yml +++ b/roles/gitea/tasks/main.yml 
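Review bot: `dokuwiki_url: "wiki.9iron.club"` is deleted from the WEBAPPS section with no replacement, and no change to a dokuwiki role appears anywhere in this diff; if `roles/dokuwiki` still templates `{{ dokuwiki_url }}`, the next run against this group fails with an undefined-variable error, so either keep the key or confirm the role was dropped. A second caveat on the new nested layout: Ansible's default `hash_behaviour=replace` replaces a top-level dict wholesale rather than merging it, so a host_vars or play-level entry that sets only `aws: {backup_bucket: ...}` silently discards `aws.ses.user` and `aws.ses.pass` for that host — the SES templates then fail as undefined, and the cause is easy to miss. I would add a comment above `aws:` (and the `psql:`/`mysql:` dicts holding vaulted credentials) such as `# NOTE: nested dicts are replaced, not merged, when overridden — override the whole block or none of it`. The hunk's trailing context (`gitea_mysql_password: !vault |`) shows the remaining per-app secrets are still flat variables, so the file now mixes both conventions; worth noting in the commit message if that is intentional.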
@@ -9,7 +9,7 @@ mysql_db: name: gitea login_user: root - login_password: "{{ mysql_root_password }}" + login_password: "{{ mysql.root_password }}" state: present notify: gitea add default user - name: Create user @@ -19,7 +19,7 @@ password: "{{ gitea_mysql_password }}" priv: "gitea.*:ALL,GRANT" login_user: root - login_password: "{{ mysql_root_password }}" + login_password: "{{ mysql.root_password }}" - name: Set up Apache block: - name: Enable modules diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml index ddfac5c..e69bab1 100644 --- a/roles/grafana/tasks/main.yml +++ b/roles/grafana/tasks/main.yml @@ -9,7 +9,7 @@ mysql_db: name: grafana login_user: root - login_password: "{{ mysql_root_password }}" + login_password: "{{ mysql.root_password }}" state: present - name: Create user mysql_user: @@ -18,7 +18,7 @@ password: "{{ grafana_mysql_password }}" priv: "grafana.*:ALL,GRANT" login_user: root - login_password: "{{ mysql_root_password }}" + login_password: "{{ mysql.root_password }}" - name: Set up Apache block: - name: Enable modules diff --git a/roles/matrix/tasks/main.yml b/roles/matrix/tasks/main.yml index 5d28eec..c497316 100644 --- a/roles/matrix/tasks/main.yml +++ b/roles/matrix/tasks/main.yml @@ -27,8 +27,8 @@ name: matrix password: "{{ matrix_db_password }}" login_host: "{{ matrix_db_hostname }}" - login_user: "{{ psql_ansible_user }}" - login_password: "{{ psql_ansible_password }}" + login_user: "{{ psql.ansible.user }}" + login_password: "{{ psql.ansible.pass }}" - name: Create DB postgresql_db: name: matrix @@ -36,8 +36,8 @@ lc_collate: C lc_ctype: C login_host: "{{ matrix_db_hostname }}" - login_user: "{{ psql_ansible_user }}" - login_password: "{{ psql_ansible_password }}" + login_user: "{{ psql.ansible.user }}" + login_password: "{{ psql.ansible.pass }}" when: matrix_db_hostname is defined - name: Set up Apache block: 
diff --git a/roles/matrix/templates/homeserver.yaml b/roles/matrix/templates/homeserver.yaml index cbc7d94..4c48d19 100644 --- a/roles/matrix/templates/homeserver.yaml +++ b/roles/matrix/templates/homeserver.yaml @@ -121,8 +121,8 @@ trusted_key_servers: email: smtp_host: email-smtp.us-east-1.amazonaws.com smtp_port: 587 - smtp_user: "{{ aws_ses_user }}" - smtp_pass: "{{ aws_ses_pass }}" + smtp_user: "{{ aws.ses.user }}" + smtp_pass: "{{ aws.ses.pass }}" require_transport_security: true notif_from: "%(app)s " app_name: "9iron Matrix" diff --git a/roles/matrix/templates/homeserver.yaml.orig b/roles/matrix/templates/homeserver.yaml.orig index bbaf89a..a8df787 100644 --- a/roles/matrix/templates/homeserver.yaml.orig +++ b/roles/matrix/templates/homeserver.yaml.orig @@ -1707,8 +1707,8 @@ password_config: email: smtp_host: email-smtp.us-east-1.amazonaws.com smtp_port: 587 - smtp_user: "{{ aws_ses_user }}" - smtp_pass: "{{ aws_ses_pass }}" + smtp_user: "{{ aws.ses.user }}" + smtp_pass: "{{ aws.ses.pass }}" require_transport_security: true # notif_from defines the "From" address to use when sending emails. diff --git a/roles/minecraft/templates/recover.sh b/roles/minecraft/templates/recover.sh index 93d287e..5728191 100644 --- a/roles/minecraft/templates/recover.sh +++ b/roles/minecraft/templates/recover.sh @@ -14,7 +14,7 @@ export MINECRAFT_DIR="/var/minecraft/{{ mcname }}" cd "$MINECRAFT_DIR" || exit 50 # Make sure we have a backup -if ! aws s3 ls "s3://{{ aws_backup_bucket }}/{{ mcname }}/" > /dev/null 2>&1; then +if ! aws s3 ls "s3://{{ aws.backup_bucket }}/{{ mcname }}/" > /dev/null 2>&1; then echo "No backups available" exit 0 fi 
@@ -30,9 +30,9 @@ if [ -d "world" ]; then fi # Get our latest good backup -backup="$(aws s3 ls "s3://{{ aws_backup_bucket }}/{{ mcname }}/" | tail -n 1 | awk '{print $4}')" +backup="$(aws s3 ls "s3://{{ aws.backup_bucket }}/{{ mcname }}/" | tail -n 1 | awk '{print $4}')" echo "Restoring backup: $backup" -aws s3 cp "s3://{{ aws_backup_bucket }}/{{ mcname }}/$backup" world.tgz +aws s3 cp "s3://{{ aws.backup_bucket }}/{{ mcname }}/$backup" world.tgz # Decompress it tar xzf world.tgz # Find the world diff --git a/roles/mysql/tasks/main.yml b/roles/mysql/tasks/main.yml index 86e8ae5..2f836d0 100644 --- a/roles/mysql/tasks/main.yml +++ b/roles/mysql/tasks/main.yml @@ -17,9 +17,9 @@ mysql_user: name: root host: localhost - password: "{{ mysql_root_password }}" + password: "{{ mysql.root_password }}" login_user: root - login_password: "{{ mysql_root_password }}" + login_password: "{{ mysql.root_password }}" check_implicit_admin: yes priv: "*.*:ALL,GRANT" become: yes diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml index 8206a81..d912b81 100644 --- a/roles/nextcloud/tasks/main.yml +++ b/roles/nextcloud/tasks/main.yml @@ -15,7 +15,7 @@ mysql_db: name: nextcloud login_user: root - login_password: "{{ mysql_root_password }}" + login_password: "{{ mysql.root_password }}" state: present - name: Create Nextcloud user mysql_user: @@ -24,7 +24,7 @@ password: "{{ nextcloud_mysql_password }}" priv: "nextcloud.*:ALL,GRANT" login_user: root - login_password: "{{ mysql_root_password }}" + login_password: "{{ mysql.root_password }}" - name: Set up Apache block: - name: Create webroot diff --git a/roles/pleroma/tasks/main.yml b/roles/pleroma/tasks/main.yml index da798a0..bd20687 100644 --- a/roles/pleroma/tasks/main.yml +++ b/roles/pleroma/tasks/main.yml 
@@ -30,22 +30,22 @@ name: pleroma password: "{{ pleroma_db_password }}" login_host: "{{ pleroma_db_hostname }}" - login_user: "{{ psql_ansible_user }}" - login_password: "{{ psql_ansible_password }}" + login_user: "{{ psql.ansible.user }}" + login_password: "{{ psql.ansible.pass }}" - name: Create DB postgresql_db: name: pleroma owner: pleroma login_host: "{{ pleroma_db_hostname }}" - login_user: "{{ psql_ansible_user }}" - login_password: "{{ psql_ansible_password }}" + login_user: "{{ psql.ansible.user }}" + login_password: "{{ psql.ansible.pass }}" - name: Create extensions postgresql_ext: db: pleroma name: "{{ item }}" login_host: "{{ pleroma_db_hostname }}" - login_user: "{{ psql_ansible_user }}" - login_password: "{{ psql_ansible_password }}" + login_user: "{{ psql.ansible.user }}" + login_password: "{{ psql.ansible.pass }}" loop: - citext - pg_trgm diff --git a/roles/pleroma/templates/config.exs b/roles/pleroma/templates/config.exs index 6ebc839..e836ed8 100644 --- a/roles/pleroma/templates/config.exs +++ b/roles/pleroma/templates/config.exs @@ -39,8 +39,8 @@ config :pleroma, Pleroma.Emails.Mailer, enabled: true, adapter: Swoosh.Adapters.SMTP, relay: "email-smtp.us-east-1.amazonaws.com", - username: "{{ aws_ses_user }}", - password: "{{ aws_ses_pass }}", + username: "{{ aws.ses.user }}", + password: "{{ aws.ses.pass }}", ssl: true, auth: :always diff --git a/roles/pleroma/templates/recover.sh b/roles/pleroma/templates/recover.sh index f1261f7..40c42ef 100644 --- a/roles/pleroma/templates/recover.sh +++ b/roles/pleroma/templates/recover.sh @@ -14,7 +14,7 @@ export PLEROMA_DIR="/opt/pleroma" cd "$PLEROMA_DIR" || exit 50 # Make sure we have a backup -if ! aws s3 ls "s3://{{ aws_backup_bucket }}/{{ pleroma_url }}/" > /dev/null 2>&1; then +if ! aws s3 ls "s3://{{ aws.backup_bucket }}/{{ pleroma_url }}/" > /dev/null 2>&1; then echo "No backups available" exit 0 fi 
@@ -30,13 +30,13 @@ if [ -d /var/lib/pleroma/uploads ]; then fi # Get our latest good uploads backup -backup_up="$(aws s3 ls "s3://{{ aws_backup_bucket }}/{{ pleroma_url }}/" | grep uploads | tail -n 1 | awk '{print $4}')" +backup_up="$(aws s3 ls "s3://{{ aws.backup_bucket }}/{{ pleroma_url }}/" | grep uploads | tail -n 1 | awk '{print $4}')" # And our latest good DB backup -backup_db="$(aws s3 ls "s3://{{ aws_backup_bucket }}/{{ pleroma_url }}/" | grep pgdump | tail -n 1 | awk '{print $4}')" +backup_db="$(aws s3 ls "s3://{{ aws.backup_bucket }}/{{ pleroma_url }}/" | grep pgdump | tail -n 1 | awk '{print $4}')" echo "Restoring backup: $backup_up $backup_db" # Get our backups -aws s3 cp "s3://{{ aws_backup_bucket }}/{{ pleroma_url }}/$backup_up" uploads.tgz -aws s3 cp "s3://{{ aws_backup_bucket }}/{{ pleroma_url }}/$backup_db" db.pgdump.gz +aws s3 cp "s3://{{ aws.backup_bucket }}/{{ pleroma_url }}/$backup_up" uploads.tgz +aws s3 cp "s3://{{ aws.backup_bucket }}/{{ pleroma_url }}/$backup_db" db.pgdump.gz # Decompress tar xzf uploads.tgz gunzip db.pgdump.gz diff --git a/roles/postfix-ses/templates/sasl_passwd b/roles/postfix-ses/templates/sasl_passwd index 7dd36dd..f5a8b23 100644 --- a/roles/postfix-ses/templates/sasl_passwd +++ b/roles/postfix-ses/templates/sasl_passwd @@ -1 +1 @@ -[email-smtp.us-east-1.amazonaws.com]:587 {{ aws_ses_user }}:{{ aws_ses_pass }} +[email-smtp.us-east-1.amazonaws.com]:587 {{ aws.ses.user }}:{{ aws.ses.pass }} diff --git a/roles/postgresql/tasks/main.yml b/roles/postgresql/tasks/main.yml index d7840a0..b633ebd 100644 --- a/roles/postgresql/tasks/main.yml +++ b/roles/postgresql/tasks/main.yml 
@@ -27,13 +27,13 @@ block: - name: Create DB user postgresql_user: - name: "{{ psql_ansible_user }}" - password: "{{ psql_ansible_password }}" + name: "{{ psql.ansible.user }}" + password: "{{ psql.ansible.pass }}" role_attr_flags: SUPERUSER - name: Create maintenance DB postgresql_db: - name: "{{ psql_ansible_user }}" - owner: "{{ psql_ansible_user }}" + name: "{{ psql.ansible.user }}" + owner: "{{ psql.ansible.user }}" become: yes become_user: postgres - name: Template out backup module diff --git a/roles/postgresql/templates/pg_hba.conf b/roles/postgresql/templates/pg_hba.conf index c3f6268..1ba12f4 100644 --- a/roles/postgresql/templates/pg_hba.conf +++ b/roles/postgresql/templates/pg_hba.conf @@ -91,7 +91,7 @@ local all all peer # IPv4 local connections: host all all 127.0.0.1/32 md5 # IPv4 neighbor connections: -host all all {{ psql_neighbor_address }} md5 +host all all {{ psql.neighbor_block }} md5 # IPv6 local connections: host all all ::1/128 md5 # Allow replication connections from localhost, by a user with the