Merge branch 'master' of git.9iron.club:salt/ansible

README.md

@@ -1,10 +1,10 @@
-# Salt's Ansible Scripts
+# Salt's Ansible Repo
 
-A collection of Ansible scripts to manage all of my machines.
+A collection of Ansible configuration to manage all of my machines.
 
 ## Quickstart
 
-To quickly get a machine up and running, add it to the inventory, role it out, and `./provision.yml` it. The playbook assures a sane running environment and then sets up ansible-pull on a timer that immediately triggers. Leave it be, come back 10 minutes later and polish it up as required.
+To quickly get a machine up and running, add it to the inventory and `./provision.yml` it. This ensures a basic, sane running environment from which you can do tuning. Ideally, though, you should have roles.
 
 ## Overview
 

inventory/group_vars/9iron.club.yml

@@ -84,7 +84,9 @@ gitea:
               62303264653836656162366362316461656363353539343632616462626231643632
 # Grafana
 grafana:
-  mysql_password: !vault |
+  db:
+    hostname: 172.31.47.215
+    pass: !vault |
               $ANSIBLE_VAULT;1.1;AES256
               65376335363732633132326630323161393861323833323631613630343262383137656138356262
               3730386139393739373738626535376636666135646463350a623331333032346434343465666234

roles/ansible/tasks/main.yml

@@ -32,6 +32,7 @@
       vars:
         packages:
           - ansible
+          - ansible-base
           - ansible-lint
     - name: Assure root .ssh directory
       file:

roles/base-backups/templates/9iron-backup.service

@@ -1,11 +1,14 @@
 # vim:ft=dosini:
 [Unit]
 Description=9iron backup service
+StartLimitIntervalSec=3600
+StartLimitBurst=5
 
 [Service]
-Type=oneshot
 MemoryMax=256M
 ExecStart=/opt/backups/backup.sh
+Restart=on-failure
+RestartSec=90
 
 [Install]
 WantedBy=multi-user.target

roles/common/handlers/main.yml

@@ -6,6 +6,3 @@
     name: cron
     state: restarted
   become: yes
-- name: regen initramfs
-  command: /usr/sbin/update-initramfs -c -k all
-  become: yes

roles/desktop-common/handlers/main.yml

@@ -9,3 +9,6 @@
     name: sshd.service
     state: restarted
   become: yes
+- name: regen initramfs
+  command: /usr/sbin/update-initramfs -c -k all
+  become: yes

roles/desktop-common/tasks/packages.yml

@@ -25,16 +25,14 @@
     apt_repository:
       repo: "{{ item }}"
     loop:
-      # Spotify
+      # Debs
-      - "deb http://repository.spotify.com stable non-free"
+      - "deb http://repository.spotify.com stable non-free" # Spotify
-      # Monodevelop
+      - "deb https://download.mono-project.com/repo/ubuntu vs-bionic main" # Monodevelop
-      - "deb https://download.mono-project.com/repo/ubuntu vs-bionic main"
+      - "deb https://packages.riot.im/debian/ default main" # Element
-      # Element
-      - "deb https://packages.riot.im/debian/ default main"
       # First-party PPAs
       - "ppa:phoerious/keepassxc" # KeepassXC
       # Third-party PPAs
-      - "ppa:system76-dev/stable"
+      - "ppa:system76-dev/stable" # Love my lemp9
       - "ppa:drewwalton19216801/dolphin-master-cosmic" # Because Dolphin doesn't update their shit
       - "ppa:kgilmer/speed-ricer" # Rice rice rice
       - "ppa:lutris-team/lutris" # Lutris is kickass
@@ -52,22 +50,22 @@
         - build-essential
         - cmake
         - debhelper
-        - devscripts
+        - devscripts # Tons of cool shit in here, mostly for packaging tho
         - dh-make
         - earlyoom
         - fastboot
         - ffmpeg
         - git
         - imagemagick
-        - libinput-tools
+        - libinput-tools # Allows for libinput debugging
         - lua-check # I am good ComputerCraft guy
-        - neofetch
+        - neofetch # I never use it but whatever I guess
         - network-manager-openconnect
         - network-manager-openvpn
         - network-manager-vpnc # For default route configuration
-        - npm
+        - npm # I'm sorry
         - openjdk-8-jre # For Minecraft
-        - pbuilder
+        - pbuilder # Deb creation tool that does it all in a container
         - pwgen
         - python3-appdirs
         - python3-eyed3
@@ -75,10 +73,10 @@
         - python3-pyqt5
         - python3-usb # fuselee-gelee
         - python3-venv
-        - qt5-default # For Multimc, should be installed on Kubuntu
+        - qt5-default # For Multimc, should be installed on Kubuntu by default regardless
         - traceroute
         - tree
-        - units
+        - units # How many bytes are in a mile?
         - vim
         - wamerican # Dictionaries because I have like two scripts that use them
         - wamerican-large
@@ -96,76 +94,77 @@
         # DE
         - bspwm
         - compton
-        - conky-all
+        - conky-all # Why this is in several packages is beyond me
         - dunst
-        - hsetroot
+        - hsetroot # Works around a bug with Compton and a gray root window
-        - i3lock
+        - i3lock # Don't actually use this anymore (wew ksmserver)
         - ibus
-        - ibus-mozc
+        - ibus-mozc # Jap
-        - kubuntu-desktop
+        - kubuntu-desktop # Sanity
         - mozc-utils-gui
         - nitrogen
         - papirus-icon-theme
         - pavucontrol-qt
         - polybar
         - qt5ct
-        - xbacklight
+        - xbacklight # This works on literally none of my machines but fuck it
         # Desktop applications
-        - barrier
+        - barrier # FOSS Synergy
-        - cantata
+        - cantata # MPD client
         - chromium-browser
         - chromium-chromedriver # Because Selenium
         - clonezilla
         - dolphin-emu-master
         - dolphin-plugins
         - element-desktop
-        - filelight
+        - filelight # Sweet disk usage util
         - filezilla
         - firefox
-        - g810-led
+        - g810-led # For Logitech peripherals
         - gimp
-        - inkscape
+        - inkscape # I use it for like two things
-        - joy2key
+        - joy2key # Neat little wrapper to bind joypad keys to keyboard keys
         - joystick
         - kcolorchooser
-        - kde-config-plymouth
+        - kde-config-plymouth # Realistically not required, but whatever
-        - kdenlive
+        - kdenlive # For the one video I edit a year
         - kdepim
         - keepassxc
-        - krita
+        - krita # I don't ever end up using this, maybe I'll pick it up for spritework
-        - libnotify-bin
+        - libnotify-bin # Used for several of my scripts
         - libretro-desmume
         - libretro-mgba
         - libretro-mupen64plus
         - libretro-snes9x
         - lutris
         - mesa-vulkan-drivers
-        - mono-complete
+        - mono-complete # Initial installation of this package may take an eternity
         - monodevelop
         - mpv
         - mupen64plus-qt
         - nextcloud-desktop
         - obs-studio
-        - plymouth-theme-spinner
+        - plymouth-theme-spinner # Gives us the good UEFI logo bootup
-        - pulseeffects
+        - pulseeffects # I need to be an echoey boi
         - q4wine
         - qbittorrent
-        - rdesktop
+        - rdesktop # CLI RDP client, works real nice
         - redshift
         - retroarch
         - rofi
-        - scrot
+        - scrot # For scripted screenshots
         - spotify-client
         - steam-installer
         - syncthing-gtk
         - telegram-desktop
-        - torbrowser-launcher
+        - torbrowser-launcher # Sometimes it's bugged but it's still nice to have
         - virt-manager
         - vulkan-tools
         - vulkan-utils
         - winetricks
         - xdotool
         - zim
+        # Other architectures, misc
         - "libgl1-mesa-dri:i386"
         - "mesa-vulkan-drivers:i386"
         # Games
@@ -174,7 +173,7 @@
     apt:
       name:
         - firmware-manager
-        - kamoso
+        - kamoso # Camera util
         - system76-acpi-dkms
         - system76-dkms
         - system76-firmware
@@ -184,7 +183,7 @@
   - name: Install Focal-exclusive desktop applications
     apt:
       name:
-        - piper
+        - piper # Peripheral LED management
     when: ansible_distribution_release == "focal"
   - name: Install packages without recommends
     apt:
@@ -200,6 +199,8 @@
       - "https://downloads.slack-edge.com/linux_releases/slack-desktop-4.8.0-amd64.deb"
       - "https://github.com/MultiMC/MultiMC5/releases/download/0.6.8/multimc_1.4-1.deb"
       - "https://zoom.us/client/latest/zoom_amd64.deb"
+    # We ignore errors here in case we have a more up-to-date package on the target machine and/or face a URL timeout
+    ignore_errors: yes
   - name: Install desktop applications through pip3
     pip:
       executable: "/usr/bin/pip3"
@@ -208,11 +209,7 @@
         - pmbootstrap
         - protontricks
         - youtube-dl
-  - name: Install desktop applications through Snap
+    # Just in case we have legacy apps floating around
-    snap:
-      name:
-        - sengi
-        - scrcpy # Remote Android viewing
   - name: Remove Snap applications
     snap:
       name:
@@ -220,6 +217,8 @@
         - pixelorama
         - riot-web
         - slack
+        - scrcpy
+        - sengi
         - spotify
       state: absent
   - name: Remove desktop applications through APT

roles/gitea/meta/main.yml

@@ -2,5 +2,4 @@
 allow_duplicates: no
 dependencies:
   - role: apache-php
-  - role: mysql
   - role: redis

roles/gitea/templates/gitea.service

@@ -2,7 +2,6 @@
 Description=Gitea (Git with a cup of tea)
 After=syslog.target
 After=network.target
-Requires=mariadb.service
 Requires=redis.service
 
 [Service]

roles/grafana/meta/main.yml

@@ -2,4 +2,3 @@
 allow_duplicates: no
 dependencies:
   - role: apache-php
-  - role: mysql

roles/grafana/tasks/main.yml

@@ -3,22 +3,24 @@
 ---
 - name: Install, configure, and start Grafana
   block:
-    - name: Create and configure DB
+    - name: Set up PostgreSQL
       block:
+        - name: Create DB user
+          postgresql_user:
+            name: grafana
+            password: "{{ grafana.db.pass }}"
+            login_host: "{{ grafana.db.hostname }}"
+            login_user: "{{ psql.ansible.user }}"
+            login_password: "{{ psql.ansible.pass }}"
         - name: Create DB
-          mysql_db:
+          postgresql_db:
             name: grafana
-            login_user: root
+            owner: grafana
-            login_password: "{{ mysql.root_password }}"
+            encoding: UNICODE
-            state: present
+            login_host: "{{ grafana.db.hostname }}"
-        - name: Create user
+            login_user: "{{ psql.ansible.user }}"
-          mysql_user:
+            login_password: "{{ psql.ansible.pass }}"
-            name: grafana
+      tags: [ postgresql ]
-            host: localhost
-            password: "{{ grafana.mysql_password }}"
-            priv: "grafana.*:ALL,GRANT"
-            login_user: root
-            login_password: "{{ mysql.root_password }}"
     - name: Configure Grafana
       block:
         - name: Create configuration directories

roles/grafana/templates/grafana.ini

@@ -73,12 +73,12 @@ http_port = 3001
 # as separate properties or as on string using the url properties.
 
 # Either "mysql", "postgres" or "sqlite3", it's your choice
-type = mysql
+type = postgres
-host = 127.0.0.1:3306
+host = {{ grafana.db.hostname }}:5432
 name = grafana
 user = grafana
 # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
-password = {{ grafana.mysql_password }}
+password = {{ grafana.db.pass }}
 
 # Use either URL or the previous fields to configure the database
 # Example: mysql://user:secret@host:port/database

roles/nextcloud/templates/backup.sh

@@ -44,8 +44,14 @@ fi
 # WE MAKE BACKUP NOW SERGEI
 if cd "{{ nextcloud_webroot }}"; then
 	date="$(date -Iseconds)"
+{% if aws.backup_bucket is defined %}
+	# We have an AWS bucket to back straight up to
+	log "Piping data backup straight to S3"
+	tar czh "/var/nextcloud" --exclude "/var/nextcloud/*/files_trashbin" | aws s3 cp - "s3://{{ aws.backup_bucket }}/{{ nextcloud.url }}/{{ nextcloud.url }}-$date-data.tar.gz" --storage-class STANDARD
+{% else %}
 	log "Creating data backup"
 	tar czhf "$OUTDIR/{{ nextcloud.url }}-$date-data.tar.gz" "/var/nextcloud" --exclude "/var/nextcloud/*/files_trashbin"
+{% endif %}
 	log "Creating webroot backup"
 	tar czf "$OUTDIR/{{ nextcloud.url }}-$date-webroot.tar.gz" "{{ nextcloud_webroot }}"
 else