Exodia, obliterate

Salt 2020-10-16 22:17:38 -05:00
parent 63a1fa91f0
commit ad70b4aca0
220 changed files with 0 additions and 16451 deletions


@ -1,29 +0,0 @@
# Salt's Ansible Repo
A collection of Ansible configuration to manage all of my machines.
## Quickstart
To quickly get a machine up and running, add it to the inventory and `./provision.yml` it. This ensures a basic, sane running environment from which you can do tuning. Ideally, though, you should have roles.
## Overview
The main playbook, `site.yml`, can be separated into more or less two parts:
* The home machine half, tied together via Zerotier
* The 9iron half, with public IPs and resolvable names
See `inventory/hosts.yml` for details on what machines have what roles and what configuration. I try my best to make self-explaning configuration, so everything should mostly make sense on a first read. If you have any questions, hit me up.
## Style Guide
* Quote strings when required, quote entire strings if they contain Jinja markup, not just the marked up section (yes I know I violate this in several places)
* Use `yes` and `no` for booleans
* Use short form for simple tasks (still working on fixing that up)
## Your Shit is Trash
I know. Please file an issue.


@ -1,12 +0,0 @@
[defaults]
gathering = smart
interpreter_python = python3
inventory = inventory
roles_path = roles
# Secrets
ask_become_pass = false
ask_vault_pass = false
# Warnings
command_warnings = true
#deprecation_warnings = false
system_warnings = true


@ -1,19 +0,0 @@
[defaults]
gathering = smart
interpreter_python = python3
inventory = inventory
roles_path = roles
# Connection info
private_key_file = ~/.ssh/ansible
host_key_checking = false
# Secrets
ask_become_pass = true
ask_vault_pass = true
# Warnings
command_warnings = true
#deprecation_warnings = false
system_warnings = true
[ssh_connection]
pipelining = true
ssh_extra_args =-o ForwardAgent=yes -o StrictHostKeyChecking=no


@ -1,207 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
## BACKEND
# ACME
acme:
#directory: "https://acme-staging-v02.api.letsencrypt.org/directory" # Testing ACME endpoint
directory: "https://acme-v02.api.letsencrypt.org/directory"
version: 2
webroot: /var/www/acme
aws:
# S3 Backups
backup_bucket: "9iron-backups-general"
# SES
ses:
user: !vault |
$ANSIBLE_VAULT;1.1;AES256
33643766376336316266373239386466373639633765333332353031373132383061346564633036
3337396261333264363562363364336235633831353133380a613164666161313265396261616634
38353531306238613735623433663138643231663139363735373537393337636362636534656166
3063373930343039320a663063663535633932323739653461336164643035633036663362666161
38316564326537303236333266303432326164393435663665363963326363306237
pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
39306665653635383832623438656364616633643032663365643033316236333939363732363034
3566663361653862646636396339343963626561613839620a663731313337613734356261326437
31653763346663656165343632336366343562333836396232636431323635333965336137316237
3662393364636631310a643935313539353338333233356362623835363631383035666536343634
65663937643165613337373837633737653765303764303536386530616363343361326536633935
3565626161343562396663353538653136376138373334336435
# MySQL
mysql:
root_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
62316565376333396465333931356163343363663063636233653536373033396230626639613964
3037613839373833646234626236643430393364643131610a333539373533663434373935376130
65323365313465316635646465376665616132653832316362363535366563363863636530313666
3036393134386131310a643734363261633166636263343538313533393738323934303137343163
39636637643035616236663364663562366133613233313139623937313531343564
# PSQL
psql:
ansible:
user: ansible
pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
30383235373131383466383438653235666365386631356463633265623332643337633830663930
3639313565613138373165636264343030323961646539390a356134383764326631326635636139
63626263373063343036373266326235363839316662363031356264363365633161326264643766
3734386366633861640a643335636330323432626437646337353534653832383337396432636264
61356331646133653363353931306630373963316430626266346630646362666237
neighbor_block: "172.31.0.0/16"
## WEBAPPS
# Gitea
gitea:
db:
hostname: 172.31.47.215
pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
62353264353465316661353738666161313036373761666163663733656461316536636334386335
6161386630663739363439383237343065333239613134610a383036373735326536386464343164
31346337636665356630336234306534646362386663633734353166373761316139313734306630
3364306566323666310a323034303434613237643665643637633430353437316339356463646331
33353062343164396465326365653561626363343961326363633231303736316436643935646161
3933353234613430373930663832643934613233383635613433
app_name: "9iron Gitea"
disable_registration: "false"
url: "git.9iron.club"
root: "/var/gitea"
efs:
name: "9iron-gitea"
region: "us-east-2"
subnet_id: "subnet-852935ed"
security_group: "sg-4f4b692c"
admin:
user: "salt"
email: "rehashedsalt@cock.li"
pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
35613039646236306236363930353231303331633765303039373736626666666530323433356466
3062633166313332643039613561303431613735396339650a376664373137643439303465376365
35313266376539366134343562626164616666306338343538663361393964626565303331383234
3565646664333966650a323530356664366262653763363439613534303764366436376634373639
62303264653836656162366362316461656363353539343632616462626231643632
# Grafana
grafana:
db:
hostname: 172.31.47.215
pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
65376335363732633132326630323161393861323833323631613630343262383137656138356262
3730386139393739373738626535376636666135646463350a623331333032346434343465666234
38393539623437376133363063633238383031326431653737346564323837343265653431633962
6665346237666165330a643635653863356633623535383063366632336437313730626233346664
33303465616532313339393634386166363162393661393037323835323035386663
url: "monitor.9iron.club"
webroot: "/var/www/grafana"
config_repo: "https://git.9iron.club/salt/grafana"
# Matrix
matrix:
server_name: "9iron.club"
url: "matrix.9iron.club"
enable_registration: "true"
admin_contact: "mailto:rehashedsalt@cock.li"
db_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
64663061333130386634323631353435376330636334623334663365633361336563393634333061
6531393839336532376465356132646337663339333431340a383030373166653835386239643365
31356462653634323162343164633130366664323034373330613764663635326534303935303230
6233636463636134640a386436316462643434343739333232613264303635323261616634326562
63316265366238383038653034326661633163346462396663346563666134393232
# Nextcloud
nextcloud:
db:
hostname: 172.31.47.215
pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
37633035633563646266346264333636393931323664313166633133653461646333643731636661
3966666665396239346662613764353333393038663762340a313236396331623061376462356437
66373234633939393034353439393465663131303661393164303335336435653734613064663964
3332313764623133630a393731613236373837316437653265636663666261383135636662373566
61373135303632336237333836353764646639633735323566346366623766646266
efs:
name: "9iron-nextcloud"
region: "us-east-2"
subnet_id: "subnet-852935ed"
security_group: "sg-4f4b692c"
url: "nc.9iron.club"
# Pleroma
pleroma:
instance:
name: Cowfee
desc: owo
email: rehashedsalt@cock.li
notify_email: noreply@cowfee.moe
openreg: "true"
static_repo: "https://git.9iron.club/salt/pleroma"
db:
pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
34343838386134656236313462653531663839363030333630383332386535356431326436633137
3261323632653635383930333131333235373437653733300a363562666264616138623832666137
61333039646332343838346633363035343434303036643465353062353062303961383138643564
3338393765393733340a626436653666363236643938613466643530326665653764333933393437
37613033653864643965323162373366306233626235663461326266376662663634353066386139
37636162313364623933396232366239633338363539626637373163333130373665373038363566
65646633636638653335356536323334646632366164633532636634376632356166306139393766
38633934623639366263
secret:
key_base: !vault |
$ANSIBLE_VAULT;1.1;AES256
36333934336635613533333137636532363937613764353933636566663031316262333837323064
6534653062626461633462636335346132353564653038330a326330326235623530393337333063
37666666386637633839633737376465366439356461653363396665636137353264363762346461
3765616634653234630a623061393834373964653939626564363263383435666366356339663136
64613330656434653538363734393831353133316666326338366335383064356165333537383837
31633939353565303661626233623064653838636435376239376361663362636164653962383561
33366335623038653232613731333730363836653532363834663663343963303763323534343038
61666238346239636634
signing_salt: !vault |
$ANSIBLE_VAULT;1.1;AES256
31306137646362333433313630363538333234643339353530333038393061663132633161356231
3662386234633933633762363334333031306564353132380a633339323364633137396636616363
64393536353362386336323662316262333763326138616364333237353262323232636335353436
3563396435643363620a646337346561393863366361643536356363626334343264343861663131
3466
# snmpd
snmp:
location: "us-east-2"
contact: "Salt <rehashedsalt@cock.li>"
auth_user_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
36373662333533616331623933343364663532326261653636363732323138633836356633623934
6561333833343432353561366438313165383163366131630a653163666463356462633966666330
38323965303639356635613565633030373836643132336332373730303137376165616163646538
3162616233366236350a626130643230323264343938373134653034636232303130623134393531
61366330316330646137336161623166343835316432363433373333323232383166
priv_user_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
61316538316630333662633665646364356138613730633334653761626636633836363335383965
6332303265323236383130383366336662626331613866340a636139366135313134303538613833
61383662306163663634333538343733663836633834373462616265366365626533366334383031
6265643764656461320a313137326430386532653538346462323463386538303966303830343037
63333632656534333334383666666138353435383938623934663766623735656533
int_user_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
31616561323762653439346630653231646137626638383930346437323139666163316131333534
6463313537316230363735346236323033386562373032330a326261393039663539353738643465
36666136663930663463373731663534316232643637623732346331383737643233626235613439
3733366462613133620a386336303434303130313636356339633939623638366236346234376566
65386530663137393830636134653632623366333837616364396161666464613166
## VIDYA
# tes3mp
tes3mp:
archive: "https://github.com/TES3MP/openmw-tes3mp/releases/download/0.7.0-alpha/tes3mp-server-GNU+Linux-x86_64-release-0.7.0-alpha-abc4090a0f-01d297f5c6.tar.gz"
name: "main"
dest: /opt/tes3mp
server:
name: "9iron TES3MP"
maxplayers: 8
password: dicks
port: 25565
master:
enabled: "true"
host: master.tes3mp.com
port: 25561


@ -1,73 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
all:
vars:
ansible_pull_repo: "https://git.9iron.club/salt/ansible"
ansible_user: ubuntu
gitea_api_token: !vault |
$ANSIBLE_VAULT;1.1;AES256
39646564383934343237626436363261643265663339616566353563613266396536373164646235
3630333032613536373532616363333464653138656164390a386565316164386263363935663264
62613737336539653835356634313636643732396330313863393861373664353966363437373338
6565336264613334650a613063393662643237333864316332613131386233396562333063646263
63636238356266363065656462626536346634646365363135643538316136346566306131626161
3166653266383332343332366530343532396435353134373939
ssl_protocol: "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
ssl_cipher_suite: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
user_username: salt
user_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
37666131343936663962386535343939373161343337383436613961303637376136633736353533
3366623536646563383563373265313134663464396231370a303033353661336436386561366139
30393536393634653566646636366436656435623534626266343632313336336336346131383361
3366343932383930350a383637646261373135376138633533306530306339316235353262356135
34626466363266616265653064333365663663306330666632343864373335626265323230633331
33623431633665353964623437636231623366383733626266353162633762373035376638663936
62383065653836366431316461663862393130653761643937376565366435646665313961663534
64303363653631653433343361616635373966326433663466636164613062343561333036613937
35616666633737356331653632323639373330396433366639326466373639313630
children:
# Personal home machines
home:
vars:
ansible_user: ansible
ansible_pull_time: "*-*-* 03:00:00"
aws:
backup_bucket: 9iron-backups-home
zerotier_network_id: !vault |
$ANSIBLE_VAULT;1.1;AES256
35646131343239623265663562343333383362366633386462646465643163353866643633636135
6238643231313536323337343663313865323430323437630a353462393830376431376363373232
30656433343263653035333637336165323931363966376264353164326135336131646362623734
3339633961393864330a616437613534643231366634643362383438316233376334636264303361
65313231393433396538663463383731303661633663343066333264303330313133
hosts:
dsk-cstm-0:
ansible_host: 172.23.100.1
lap-s76-lemp9-0:
ansible_host: 172.23.100.3
thefuck:
vars:
ansible_user: root
hosts:
game1.thefuck.how:
9iron:
children:
dbservers:
vars:
hosts:
psql1.9iron.club:
webservers:
hosts:
web1.9iron.club:
fedi1.9iron.club:
gameservers:
vars:
steam_api_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
39616163316634306633623435636633623966306537636639316439343839393231376661666335
6136333866633861313566306433393637613364386234360a303832626338373230396665336430
33346530626633616161613635656433356434366437383363663165303862316163323263323230
3334373531646364620a386165626130386265343235363639346230323930626330343235373662
38313431663734343931333462316633643935353038313934663466303834636533616165353961
6438356265656532396363323532616437353831613261323037


@ -1,25 +0,0 @@
#! /bin/bash
#
# localhost-deploy.sh
# Deploys configs for local machine and only local machine
# Copyright (C) 2020 Vintage Salt <rehashedsalt@cock.li>
#
# Distributed under terms of the MIT license.
#
set -e
if ! command -v ansible > /dev/null 2>&1; then
printf "Installing Ansible and related packages\n"
if command -v apt > /dev/null 2>&1; then
printf "Installing via APT\n"
sudo apt-get install libffi-dev python3-pip python3-setuptools -y
elif command -v apk > /dev/null 2>&1; then
printf "Installing via APK\n"
sudo apk add gcc musl-dev py3-cryptography py3-pip py3-setuptools
else
printf "No supported package manager found\nPlease install Ansible manually"
exit 1
fi
sudo pip3 install ansible
fi
ansible-playbook site.yml -l "$HOSTNAME" -e "ansible_user=$USER ansible_connection=local ansible_host=localhost" --ask-become-pass --ask-vault-pass "$@"


@ -1,42 +0,0 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- hosts: fedi1.9iron.club
pre_tasks:
- name: Assure cowfee record
route53:
state: present
overwrite: yes
zone: cowfee.moe
type: A
record: "cowfee.moe."
ttl: 3600
value: [ "{{ ipify_public_ip }}" ]
wait: yes
become: yes
tags: [ common, dns ]
roles:
- role: base-backups
tags: [ backups ]
- role: matrix
vars:
matrix_db_hostname: 172.31.47.215
tags: [ fedi, matrix ]
- role: pleroma
vars:
pleroma_url: cowfee.moe
pleroma_db_hostname: 172.31.47.215
tags: [ web, pleroma ]
- role: adam
vars:
adam_name: lain
adam_auth_token: !vault |
$ANSIBLE_VAULT;1.1;AES256
33346238356561313736653431666439363835663134303339366536663964333138666530343166
6132353938663563316265346630613231616362643937380a616132386464653438343739613937
32626230326430396563316363613139306535663832336531636239633364383432373739646436
3338376362313539360a383763313439633331313531323232653866633065333933633061326465
64343165613961346362353162316530623132633164643461616633633335666232633833313561
33306532343963383331623663616161626533633261383238646164663362396261633736636362
373764613833343634346333613639626535
tags: [ discord, adam ]


@ -1,8 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
- hosts: psql1.9iron.club
roles:
- role: base-backups
tags: [ backups ]
- role: postgresql
tags: [ db, psql ]


@ -1,17 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
- hosts: 9iron
tasks:
- name: Add machine to DNS zone
route53:
state: present
overwrite: yes
zone: 9iron.club
type: A
record: "{{ inventory_hostname }}."
ttl: 3600
value: [ "{{ ipify_public_ip }}" ]
wait: yes
become: yes
tags: [ common, dns ]


@ -1,25 +0,0 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- hosts: gameservers
roles:
- role: base-backups
tags: [ backups ]
- hosts: game1.thefuck.how
roles:
- role: base-backups
tags: [ backups ]
- role: gitweb
vars:
gitweb_repo: "https://git.9iron.club/salt/thefuck.how"
gitweb_url: "thefuck.how"
gitweb_webroot: "/var/www/thefuck.how"
tags: [ web, webroot ]
- role: minecraft-paper
vars:
paper_name: "thefuckhow"
paper_mc_maxplayers: 16
paper_mc_motd: "Brett's new serber"
paper_jre_xms: 1024m
paper_jre_xmx: 2048m
tags: [ gameserver, minecraft, paper ]


@ -1,52 +0,0 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- hosts: home
roles:
- role: base-backups
tags: [ backups ]
- role: desktop-zerotier
tags: [ zerotier ]
- role: desktop-common
vars:
mopidy_spotify_username: !vault |
$ANSIBLE_VAULT;1.1;AES256
62383664346563343663636261386261383865393535646465386435663535653036636665393133
3732653236663632633863346463346164663938396137370a326535633966343430633464653437
36646134393764313338323235356634353433623731336231626238653064633332306533343966
3362303836363065610a383362313738346534313435393537343931383465623466336632323632
65656663316561333462303761613963383236363532383866313038633232373132
mopidy_spotify_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
33303165663833663839323230643036363962393164373638333334643663626235353936343861
3834633461343533353366373330323264393361323433330a623837613037346633633065613761
63303234323734623938373134333932343965336665323939306336323836613130343866343838
3633383138646233330a366634303739643237333331613436623737663463316133666230366165
36306233336134636532383232303035343533373262373431353966656561633336
mopidy_spotify_client_id: !vault |
$ANSIBLE_VAULT;1.1;AES256
32366664323864383162663963343438643930356531653064393135383364623162626533613433
6462633637396265373238383461623665393730396139320a626537353761323132386131616338
62323033666231326363616363343530333239303638626137613237393135613961613362313662
6233336234306466640a383834353935636138323837343765373966353365323634343439663435
39646138616533656361653765633161616238633335306363383030383832636330356162616264
3739646162313739646538306137623231313037386239343563
mopidy_spotify_client_secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
34666538353333303865623932653237313465653363356665333336343832356530666666343266
6637653137643431346562333465323862356465303766630a336531653033393133396238326134
32393033643261373764663963353130626331646266363430353536326135663239363539613530
6265366565363862610a366561373362656637623863336665336562323838643665323461653937
38306234316364306134396138376230626630633733306432626637616239373838646433343761
3436643661633766616564663937346232353666386531363438
tags: [ desktop ]
- role: pulseaudio
tags: [ pulse, pulseaudio ]
- role: desktop-sddm
vars:
sddm_theme_name: "breeze"
tags: [ sddm, desktop ]
- hosts: dsk-cstm-0
roles:
- role: rgb-kraken
tags: [ desktop, kraken, rgb ]


@ -1,11 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- hosts: phone
roles:
- role: base-backups
tags: [ backups ]
- role: desktop-zerotier
tags: [ zerotier ]
- role: phone-common
tags: [ phone, common ]


@ -1,47 +0,0 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- hosts: web1.9iron.club
roles:
- role: base-backups
tags: [ backups ]
- role: gitea
tags: [ web, gitea ]
- role: grafana
tags: [ web, grafana ]
- role: nextcloud
tags: [ web, nextcloud ]
- role: redirect
vars:
redirect_from: "9iron.club"
redirect_to: "www.9iron.club"
redirect_webroot: "/var/www/redirect"
tags: [ web, redirect, 9i ]
- role: gitweb
vars:
gitweb_repo: "https://git.9iron.club/salt/www2"
gitweb_url: "www.9iron.club"
gitweb_webroot: "/var/www/www"
tags: [ web, webroot, 9i ]
- hosts: web1.9iron.club
roles:
- role: redirect
vars:
redirect_from: "otwstudios.org"
redirect_to: "www.otwstudios.org"
redirect_webroot: "/var/www/redirect"
tags: [ web, redirect, otw ]
- role: gitweb
vars:
gitweb_repo: "https://git.9iron.club/KidiroInfiniti/OTW_Site"
gitweb_url: "www.otwstudios.org"
gitweb_webroot: "/var/www/otwstudios.org"
tags: [ web, webroot, otw ]
- hosts: web1.9iron.club
roles:
- role: gitweb
vars:
gitweb_repo: "https://git.9iron.club/salt/desultd"
gitweb_url: "desu.ltd"
gitweb_webroot: "/var/www/desultd"
tags: [ web, webroot, desu ]


@ -1,9 +0,0 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- hosts: all
roles:
- role: common
tags: [ common ]
- role: ansible-pull
tags: [ ansible, common ]


@ -1,15 +0,0 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- hosts: dbservers,webservers,gameservers
serial: 1
tasks:
- name: Check for reboot-required
stat:
path: "/var/run/reboot-required"
register: s
- name: Reboot
reboot:
reboot_timeout: 300
when: s.stat.exists
become: yes


@ -1,4 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
adam_name: adam
adam_repo: "https://git.9iron.club/salt/adam"


@ -1,60 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
- name: Set up Adam
block:
- name: Install required packages
apt:
name:
- libopus0
- nodejs
- npm
- name: Install packages without recommends
apt:
install_recommends: no
name:
- ffmpeg
- name: Create Adam user
user:
name: discord-adam
- name: Assure data directory
file:
path: "/var/adam"
state: directory
# Sticky, SetGID
mode: 3775
owner: root
group: discord-adam
- name: Set up bot root
block:
- name: Create specific data directory
file:
path: "/var/adam/{{ adam_name }}"
state: directory
mode: 0755
- name: Clone bot repo
git:
repo: "{{ adam_repo }}"
dest: "/var/adam/{{ adam_name }}"
- name: Initialize NPM modules
npm:
path: "/var/adam/{{ adam_name }}"
- name: Template out authentication token
template:
src: "auth.json"
dest: "/var/adam/{{ adam_name }}/auth.json"
mode: "0600"
become: yes
become_user: discord-adam
- name: Set up system configuration
block:
- name: Template out service
template:
src: "adam@.service"
dest: "/etc/systemd/system/adam@.service"
- name: Start and enable service
systemd:
daemon_reload: yes
name: "adam@{{ adam_name }}.service"
enabled: yes
state: started
become: yes


@ -1,29 +0,0 @@
#
# Licensed under the terms of the MIT license
# vim:ft=dosini:
#
[Unit]
Description=Adam Bot %i
After=network.target
[Service]
User=discord-adam
Group=discord-adam
WorkingDirectory=/var/adam/%i
PrivateUsers=true
ProtectSystem=full
ProtectHome=true
# Implies MountFlags=slave
ProtectKernelTunables=true
# Implies NoNewPrivileges=yes
ProtectKernelModules=true
# Implies MountAPIVFS=yes
ProtectControlGroups=true
ExecStart=/usr/bin/node index.js
Restart=always
[Install]
WantedBy=multi-user.target


@ -1,3 +0,0 @@
{
"token": "{{ adam_auth_token }}"
}


@ -1,5 +0,0 @@
# vim:ft=ansible:
ansible_pull_boot_delay: "15min"
# Use `systemd-analyze calendar` for testing
ansible_pull_time: "*-*-* 01:00:00"
ansible_pull_playbook: "site.yml"


@ -1,6 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
31383561303637303735386663306631333063623336643030643634333262336664363461613239
6230623439393465656161663432393732633662383833640a373433343236353835363130653937
31346233663237383666306536633962613534623735366531666561656335393964316230633161
3930636537313364380a376432363431346636363565383734613638316161643036623636656532
66333038393738663464343534633766643734393165626538633962376161376262


@ -1,10 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: restart ansiblepull timer
systemd:
daemon_reload: yes
name: ansible-pull.timer
enabled: yes
state: restarted
become: yes


@ -1,4 +0,0 @@
---
allow_duplicates: no
dependencies:
- role: ansible


@ -1,32 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Set up ansible-pull
block:
- name: Copy Ansible password file
copy:
src: ansiblevaultpass
dest: ~/ansiblevaultpass
mode: "0600"
become: yes
become_user: ansible
- name: Configure systemd unit
block:
- name: Template out services
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: "{{ item.mode }}"
loop:
- { src: "ansible-pull.service", dest: "/etc/systemd/system/ansible-pull.service", mode: "0644" }
- { src: "ansible-pull.timer", dest: "/etc/systemd/system/ansible-pull.timer", mode: "0644" }
notify: restart ansiblepull timer
- name: Enable timer
systemd:
daemon_reload: yes
name: ansible-pull.timer
enabled: yes
state: started
notify: restart ansiblepull timer
when: ansible_service_mgr == "systemd"
become: yes


@ -1,16 +0,0 @@
# vim:ft=dosini:
[Unit]
Description=Ansible pull service
StartLimitIntervalSec=3600
StartLimitBurst=5
[Service]
User=ansible
Group=ansible
Environment=ANSIBLE_CONFIG=~/ansible-pull-repo/ansible-pull.cfg
ExecStart=/usr/local/bin/ansible-pull --accept-host-key -U "{{ ansible_pull_repo }}" -d "~/ansible-pull-repo" --vault-password-file "~/ansiblevaultpass" "{{ ansible_pull_playbook }}"
Restart=on-failure
RestartSec=90
[Install]
WantedBy=multi-user.target


@ -1,11 +0,0 @@
# vim:ft=dosini:
[Unit]
Description=Ansible pull timer
[Timer]
Persistent=true
OnBootSec={{ ansible_pull_boot_delay }}
OnCalendar={{ ansible_pull_time }}
[Install]
WantedBy=timers.target


@ -1,135 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
38366663623636336331373931396632616133633538633562353430656338666162393164346436
3939356235343431326165373231313930386639333466330a613864636237373735306636383631
66363165343164616333636336393561313633613130656664323663356162636265373639336665
3564333732373634370a656231613835663436326633346263316630346461316566363462666132
39346632316563333633363061336534356336363534613837386332393166383565336635633763
30336139326361313763303739393265316535643238663736646361656639373461396433396665
63363237303933373265613336616335343038326561346362323636333333313235366361653463
39386137356632373032343762303538656130366430643030383234343663366666373162393063
32656366313631613235643061366639323930363766363137393737646666383839336264373831
64316164613332353430373933633939373933303461663832333663313561643462666234633461
31653039323430613731656538343831376632376634336436643461643063643138396131316134
66373035326333613035643833363836613437376265373135326362323062633936323435383630
39646433356161663831356265346261363137666634646331306130306232343638346264303631
32303737643632393937363738623865303735633535316162366464393163653834386432663261
64303339343335666532663434353234353066663632633730373530313637666532363863313963
31326662633639376462303466646536323965643739636438613132333738373430363534396361
37616566303633663362326436666636343762653531313435356163636133643430393139623938
38643839373365313966636466393039626139366665346664643930353630613236303761306331
34656137643764633132643830666638333938316530613236643232633830643337623432656134
66636138326230623336653938323934316339393531393163343637386236613334636362613265
30386638636662393431363134353165613965306364373061613634303132336336396265323565
34303231356664376464363533626263626130653565653032656264616236656161343039333461
32303736383365346138313864633966623963633635313161623565363664303562316338366161
61386133663265316464646637336239396339386561306632313235363136316430636635626432
36333432623564376134343965653138353331663632346262396432356637623738323333366633
35396630386536653232396439663135343934653835643962353039323664383432326463323735
38643235643633316338396364393730333235316139353535643534303863356365353630653239
30306437383336303530316232666161646363646436666335613763306534356432663933323663
63633838633139373336376633643363393730313531353766656139326634613366356666623236
38353562653065386662656632373332653162383165666131386132613962643635663864656433
63343837363831396166616162353935383935653732346139366637306436386532646330343332
39666431616662393036616134666436393366303365336162646539656138636166656633313533
39626162346263306235346662343432396635636238383032623066343165366166656537613535
63383232303831323064636662366264663666353337373065326561343661396632353532346564
63616333363962366364373038336261613833623561636437343564656630663032313562386436
62656163636638323764313239336435383930303735623035313136326130373432376139623736
65613430353265356233373866653236633832373231333434643238326430356666626461663435
65623964313837353665373739613230633932653837643532623463366535323565636562356436
61616236366564323765653165323132326238633365353365333366363864636265656437373537
62356134343366373335393833666531366462306336396337313966326230393435383562343364
34313037393461383930373538653962623964313862326532333739373933303137313662376639
31396634323032393131323735333634356133316333383936366366623936643539323539613763
34363839353163616338396430643263336163653735656361656362336130653236363437373130
36343063306366303037666530616631333834633531363036343461633138393736623334643630
35323262323938366561363835616231316364343837383539656638346135663164623334616466
64653161313233373563343537326336336465623432636538323037386539343439373137666137
62393135316363643161393330656130663737303534356630376334633239346663356561376337
64343532313565393330316538376263353839383565643734336637666630663061316163343139
39393638356133613266656230313836623435613636336436616337653030376430376263323939
66623038383035373365643436353834623038646634636465353735356135643264623534313731
34343538356331646432653133386335623336303066663635326262623837663033303461376362
31373361353664383361326530333361336562663033303963636135666235626263303538366234
63313461666463376361373639336637306132353066393233626333376534356264356335373538
31306363613435303062623466303339363931396163373834323738336636656337333938653766
64386233663366343434376432303731653937313639376661336462323662373134643332326661
37396664363030343362613133393130373730646534616431303730633466353637353264646132
36373861613864393366653065353662626434396163663137636135333238313363303266623732
61646166666136306133633761373833633332616634333131303534306434366165613933323666
61666562626135396434316130303839643331316532663336343731393431643739376565363330
33623036613930333338353262643766336134386662336462616562353536616330666330306264
30633162636562613562363661653531356134613632633562306338353236393336313132663961
34313466383464616639643630376465396164383536666365353139383562386130626562353436
31303633623137663238663065363434336663336634363437646363656462333430653464643939
66333036646631353138646264386630356563333932633933643337396363343562623766356533
38316639353234666336383737383532353963633762313437356262383830643137353262383964
30396636626465336331313264666637393030663765393338333061623030633134313438386631
36336238386563313037373237366432323937663539663162396166663033626663646461323362
64643137613939363164616533366436353631396232663832393231316263646466653966333238
66393965623863393433323366366130666364376164336638666331666461316135353338343139
39636566393437396333633462396464616131333134613131323964353434613736313736376461
37373130626331623362613538353735613963363035656433626134336564303966383462363661
34353064643732666264323536316231643833326664386333396536336665316339303562323763
35646561613439643066613765623563386331363437353637376434656638373962383865396464
65353834356631316438386139316631336262356139663062346131336432333834616231666538
32346565343263646461363336353365626532613465623833623036663839613864333961666437
32633662626462386366363736323739366434323632373066373435633961623038363061386261
36333139636135623131653234346163353366316562653439336233316236386431383163653866
38393939646363613132323663643931306135626165626264666262323764336562636166626533
30613762353431643635656566656533346330306463353839393035343766656465343132363862
38306239663262336338353033303764633935303562643936373732396466616564323532326439
36623538363638376232616535363263373664386332623237313834613165393439323936383562
63373966643531346337333935393862346437316264656563316539303037343933393639363434
66616161626165373661653963323835383437656464383931363236376165633834343039323035
62386637373738653639643232636631366532626332356538663166653839303663643332323130
63386465323838666437646361653633626635303733626238326237623637623563303465353531
66333935333335396634356539313434616538336135306631353961623764376665653365356335
30656266313637383534353736346633393432343466666639376330313837353763343438653366
38346132336336656365323166303632633661383530626331613739303961386235346139366236
30636464336165353436303966633935323835353439363636386661383461363265323937653565
65383139613365613337623136626133393461663461613566623134396431613733663137373335
31666332393338666235653562356563643033353961386466386562346339653638626261306635
34353132353664373332323335646438646433386430313061643737623566613339653131623836
62633936626436626133303633366336373838336531336139616564623364626534383834313234
37666163623462656434316563363535646236666536396431626132323361343238303834366637
33623565313730386264336638306637623931323861333939376165323139376335326566333633
65316439613430383230323439613538396630306233356339613662333061643732346531656364
65623263336538346561356631386639363939643434343938373264373565613537336465363038
66363963626365633338663234643764316530353566376633313732336533333063613232333538
66396236313866343038656366633738666463356432613230636361316436666432373636363034
63353231346533303361363834333231633131613165366134353763363766613033656333626438
30333731383264323732313261336263326562316530663962313739383836326536363030333564
39333436396136623161373032643438633431303761333962623832333832366463626533653832
64323333306336616363613865393561656636633735616333333736633463396330353665626561
38316134626163376466643537336335313131353461316362383865363437643263636339383831
65383762663265636663396135386630326333393237356564616237393431633537633762616134
34353264346539663038663866386538306662316233353130663332643533623436393937366266
65303330633966613038393430303536363730643463663733653237343937336136353233303037
65613537656335356533666136366363323535636635323330623664626564656537356363633763
31313437363766663338313633663866663563393039363232656638363961336631303464306536
36396136346663323038386634343461336666636438323866356339623763656436643833393963
66396662366632653831393238396535623939306434396537643930393261336161396239383330
62336237396639663837623561383964346633353935366266373030633864393433623734613233
35653138303866656465363465313733616363633334663062363436376139633231626564376166
34643864333865633832616539333063396264376566666539633936646338623763353032353635
34633465613135376234303538636432346336383431343237323661393564306438333830393737
38356333363961643735356265613762396663323264336565623762356163626130623366623861
31626135613865613866666565663063656632653339333866396537343131636366393131346438
66626434656235376265386135333165366162346536623466303437313131336165346238383934
35353064663536373162613836383663396661633930616431653764353339613835393762396332
32363965653235646130323761316437376631383464306661623963306362343631666538653864
30613233336339373739363733346466313764383165643466316239613264393332626133363437
36666431613263393730393264326235353239633035653736626233343630623736646230653064
35393932396361623239326435356563623033316561373236613136333938363265376561386430
36393730353465376663343361306234346564623837363565373733373936623534353639623538
62316264613734326638636538653861663637623462306138636532653036343061396363363631
61316638653133636561363333363638396439643835363033336666346461356637336233386234
32336664376631336662613239353461633566633565623137643536343137373534663031626333
64613335656330666465366638373863306439636166346430363033313435626337373764313938
35306465656264643463653930303830333262616233333532616138383335626663636365626464
65613461633737646235343230346331313435386530383838613930633037356537623039333936
61353332386231623237613731363731383738383934613932613031633235663935386536323733
31393263353339633462326639306264356562393166366263626537313432366639376531386263
31643061303032303363653631323131656436663563363333646162643331376438343437663034
6332323532343937323062386135393566323732356533336162


@ -1,4 +0,0 @@
---
allow_duplicates: no
dependencies:
- role: awscreds


@ -1,51 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Set up Ansible
block:
- name: Install Ansible-required packages via apt
apt:
name:
- python3-pip
- python3-boto
- python3-boto3
- python3-botocore
- python3-setuptools
become: true
when: ansible_os_family == "Debian"
- name: Install Ansible-required packages via apk
apk:
name:
- gcc
- musl-dev
- py3-boto
- py3-boto3
- py3-botocore
- py3-cryptography
- py3-pip
- py3-setuptools
when: ansible_distribution == "Alpine"
- name: Install Ansible-required packages via pip
pip:
name: "{{ packages }}"
state: latest
vars:
packages:
- ansible
- ansible-base
- ansible-lint
- name: Assure root .ssh directory
file:
path: ~/.ssh
state: directory
mode: "0600"
- name: Copy Ansible private key
copy:
src: ansiblekey
dest: ~/.ssh/ansible
mode: "0600"
- name: Clone Ansible repo
git:
dest: /etc/ansible
repo: "{{ ansible_pull_repo }}"
become: true


@ -1,30 +0,0 @@
# The MariaDB configuration file
#
# The MariaDB/MySQL tools read configuration files in the following order:
# 1. "/etc/mysql/mariadb.cnf" (this file) to set global defaults,
# 2. "/etc/mysql/conf.d/*.cnf" to set global options.
# 3. "/etc/mysql/mariadb.conf.d/*.cnf" to set MariaDB-only options.
# 4. "~/.my.cnf" to set user-specific options.
#
# If the same option is defined multiple times, the last one will apply.
#
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
[mysqld]
max_allowed_packet=100M
skip-networking
innodb_file_format = Barracuda
innodb_large_prefix = 1
innodb_file_per_table = ON
#
# This group is read both both by the client and the server
# use it for options that affect everything
#
[client-server]
# Import all .cnf files from configuration directory
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/




@ -1,8 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: restart apache
service:
name: apache2
state: restarted
become: yes


@ -1,2 +0,0 @@
---
allow_duplicates: no


@ -1,72 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Install, configure, and start Apache and PHP
block:
- name: Install Apache and PHP packages
apt:
name: "{{ packages }}"
vars:
packages:
- apache2
- libapache2-mod-php
- php
- php-gd
- php-json
- php-mysql
- php-curl
- php-mbstring
- php-intl
- php-xml
- php-zip
- php-cgi
- php-cli
- python3-passlib # For htpasswd support
- name: Find PHP config directory
find:
paths: /etc/php
patterns: '*'
file_type: directory
register: phpdirs
- name: Debug
debug:
var: phpdirs.files.0.path
- name: Copy configuration
copy:
src: "{{ item.src }}"
dest: "{{ phpdirs.files.0.path }}/{{ item.dest }}"
mode: "{{ item.mode }}"
loop:
- { src: "php-apache2.ini", dest: "apache2/php.ini", mode: "0644" }
- { src: "php-cgi.ini", dest: "cgi/php.ini", mode: "0644" }
- name: Disable default website
file:
# This is a symlink so who cares
path: "/etc/apache2/sites-enabled/000-default.conf"
state: absent
- name: Configure modules
block:
- name: Disable modules
command:
argv:
- "/usr/sbin/a2dismod"
- "{{ item }}"
removes: "/etc/apache2/mods-enabled/{{ item }}.load"
loop:
- mpm_event
notify: restart apache
- name: Enable modules
command:
argv:
- "/usr/sbin/a2enmod"
- "{{ item }}"
creates: "/etc/apache2/mods-enabled/{{ item }}.load"
loop:
- headers
- mpm_prefork
# Fun fact: this works
- php*
- rewrite
- ssl
notify: restart apache
become: yes


@ -1,11 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
38616333383866663466353035306234356565643564383866633038636531616239393365636436
6538393064666337616565616636363331333062643235340a613061356630656333626664343038
39326661306439343666623339323430333662363864366364363664323833393039303938323035
3061396662656435660a366361363138386332633234633832613630643364316130643665343737
37303434633839323363376562303966363466323638616265303865343936396465616434666163
61666663373333643034363663323465326130393331636463666534343837646466653265343162
39343066323764646361323833303334643730633938633436343330626230303462666166356530
63623861383436636137623733633839333564363334323034313537616633666436333133396639
63666237366535386436343839653939373533656164333865613631386131343565363734333935
3861623666613138353061646564393465356532316631616231


@ -1,2 +0,0 @@
---
allow_duplicates: no


@ -1,15 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Set up AWS credentials for root
block:
- name: Create .aws directory
file:
path: ~/.aws
state: directory
- name: Copy AWS credentials
copy:
src: awscredentials
dest: ~/.aws/credentials
mode: "0600"
become: true


@ -1,5 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
backups_outdir: "/opt/backups/out"
backups_boot_delay: 1h
backups_time: "*-*-* 02:00:00"


@ -1,10 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: restart backups timer
systemd:
daemon_reload: yes
name: 9iron-backup.timer
enabled: yes
state: restarted
become: yes


@ -1,6 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
allow_duplicates: no
dependencies:
- role: awscreds


@ -1,41 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Set up general backups
block:
- name: Create backups directories
file:
state: directory
mode: "0700"
path: "{{ item }}"
loop:
- "/opt/backups"
- "/opt/backups/modules"
- "{{ backups_outdir }}"
- name: Create /backups symlink
file:
state: link
path: "/backups"
src: "{{ backups_outdir }}"
- name: Template out backup script
template:
src: "backup.sh"
dest: "/opt/backups/backup.sh"
mode: "0700"
- name: Template out services
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: "{{ item.mode }}"
loop:
- { src: "9iron-backup.service", dest: "/etc/systemd/system/9iron-backup.service", mode: "0644" }
- { src: "9iron-backup.timer", dest: "/etc/systemd/system/9iron-backup.timer", mode: "0644" }
notify: restart backups timer
- name: Enable timer
systemd:
daemon_reload: yes
name: 9iron-backup.timer
enabled: yes
state: started
notify: restart backups timer
become: yes


@ -1,14 +0,0 @@
# vim:ft=dosini:
[Unit]
Description=9iron backup service
StartLimitIntervalSec=3600
StartLimitBurst=5
[Service]
MemoryMax=256M
ExecStart=/opt/backups/backup.sh
Restart=on-failure
RestartSec=90
[Install]
WantedBy=multi-user.target


@ -1,11 +0,0 @@
# vim:ft=dosini:
[Unit]
Description=9iron backup timer
[Timer]
Persistent=true
OnBootSec={{ backups_boot_delay }}
OnCalendar={{ backups_time }}
[Install]
WantedBy=timers.target


@ -1,65 +0,0 @@
#! /bin/bash
#
# backup.sh
# General-purpose backup script that accepts subtasks
# Copyright (C) 2020 Vintage Salt <rehashedsalt@cock.li>
#
# Distributed under terms of the MIT license.
#
set -e
export BACKUPSDIR="/backups"
export OUTDIR="$BACKUPSDIR/out"
export MODULESDIR="/opt/backups/modules"
export DATE="$(date -Iseconds)"
# Helper functions
log() {
[ -z "$1" ] && return 1
printf "$(date -Iseconds): $1\n"
}
# Sanity checks
if ! [ -d "$MODULESDIR" ]; then
log "Unable to find modules directory: $MODULESDIR"
exit 1
fi
# Source an RC, if we have it
if [ -r "$MODULESDIR/backuprc" ]; then
source "$MODULESDIR/backuprc"
fi
# More sanity checks
if ! [ -d "$BACKUPSDIR" ]; then
log "Unable to find backups directory: $BACKUPSDIR"
exit 2
fi
# Do the do
log "Beginning backups"
for file in "$MODULESDIR"/*; do
# Just keep going if we don't have any tasks to do
[ -f "$file" ] || continue
# Execute the module and alert if it fails
log "Executing module: $file"
(
# Define a log function for our module to use
log() {
[ -z "$1" ] && return 1
printf "$(date -Iseconds): $1\n"
}
source "$file"
) || {
log "Error executing module: $file"
}
done
# If we have a fancy schmancy bucket, use it
s3bucket="{{ aws.backup_bucket }}"
if command -v aws > /dev/null 2>&1 && aws s3 ls "s3://$s3bucket" > /dev/null 2>&1; then
log "Moving files to S3 bucket $s3bucket"
nice -n 10 aws s3 mv "$BACKUPSDIR" "s3://$s3bucket" \
--recursive \
--only-show-errors \
--exclude "*.log" \
--storage-class STANDARD
fi


@ -1,8 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: restart snmpd
systemd:
name: snmpd
state: restarted
become: yes


@ -1,21 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Install snmpd
block:
- name: Install snmpd
apt:
name:
- snmpd
- name: Template out config
template:
src: snmpd.conf
dest: /etc/snmp/snmpd.conf
mode: "0600"
notify: restart snmpd
- name: Enable snmpd
systemd:
name: snmpd
enabled: yes
state: started
become: yes


@ -1,165 +0,0 @@
# Listen for connections on all interfaces (both IPv4 *and* IPv6)
agentAddress udp:161,udp6:[::1]:161
# Create users
createUser authOnlyUser SHA {{ snmp.auth_user_pass }}
createUser authPrivUser SHA {{ snmp.priv_user_pass }}
createUser internalUser SHA {{ snmp.int_user_pass }}
###############################################################################
#
# ACCESS CONTROL
#
# system + hrSystem groups only
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
# Full access from the local host
#rocommunity public localhost
# Default access to basic system info
rocommunity public default -V systemonly
# rocommunity6 is for IPv6
rocommunity6 public default -V systemonly
# Full access from an example network
# Adjust this network address to match your local
# settings, change the community string,
# and check the 'agentAddress' setting above
#rocommunity secret 10.0.0.0/16
# Full read-only access for SNMPv3
rouser authOnlyUser
# Full write access for encrypted requests
# Remember to activate the 'createUser' lines above
#rwuser authPrivUser priv
# It's no longer typically necessary to use the full 'com2sec/group/access' configuration
# r[ow]user and r[ow]community, together with suitable views, should cover most requirements
###############################################################################
#
# SYSTEM INFORMATION
#
# Note that setting these values here, results in the corresponding MIB objects being 'read-only'
# See snmpd.conf(5) for more details
sysLocation {{ snmp.location }}
sysContact {{ snmp.contact }}
# Application + End-to-End layers
sysServices 72
#
# Process Monitoring
#
# At least one 'mountd' process
proc mountd
# No more than 4 'ntalkd' processes - 0 is OK
proc ntalkd 4
# At least one 'sendmail' process, but no more than 10
proc sendmail 10 1
# Walk the UCD-SNMP-MIB::prTable to see the resulting output
# Note that this table will be empty if there are no "proc" entries in the snmpd.conf file
#
# Disk Monitoring
#
# 10MBs required on root disk, 5% free on /var, 10% free on all other disks
disk / 10000
disk /var 5%
includeAllDisks 10%
# Walk the UCD-SNMP-MIB::dskTable to see the resulting output
# Note that this table will be empty if there are no "disk" entries in the snmpd.conf file
#
# System Load
#
# Unacceptable 1-, 5-, and 15-minute load averages
load 12 10 5
# Walk the UCD-SNMP-MIB::laTable to see the resulting output
# Note that this table *will* be populated, even without a "load" entry in the snmpd.conf file
###############################################################################
#
# ACTIVE MONITORING
#
# send SNMPv1 traps
trapsink localhost public
# send SNMPv2c traps
#trap2sink localhost public
# send SNMPv2c INFORMs
#informsink localhost public
# Note that you typically only want *one* of these three lines
# Uncommenting two (or all three) will result in multiple copies of each notification.
#
# Event MIB - automatically generate alerts
#
# Remember to activate the 'createUser' lines above
iquerySecName internalUser
rouser internalUser
# generate traps on UCD error conditions
defaultMonitors yes
# generate traps on linkUp/Down
linkUpDownNotifications yes
###############################################################################
#
# EXTENDING THE AGENT
#
#
# Arbitrary extension commands
#
extend test1 /bin/echo Hello, world!
extend-sh test2 echo Hello, world! ; echo Hi there ; exit 35
#extend-sh test3 /bin/sh /tmp/shtest
# Note that this last entry requires the script '/tmp/shtest' to be created first,
# containing the same three shell commands, before the line is uncommented
# Walk the NET-SNMP-EXTEND-MIB tables (nsExtendConfigTable, nsExtendOutput1Table
# and nsExtendOutput2Table) to see the resulting output
# Note that the "extend" directive supercedes the previous "exec" and "sh" directives
# However, walking the UCD-SNMP-MIB::extTable should still returns the same output,
# as well as the fuller results in the above tables.
#
# "Pass-through" MIB extension command
#
#pass .1.3.6.1.4.1.8072.2.255 /bin/sh PREFIX/local/passtest
#pass .1.3.6.1.4.1.8072.2.255 /usr/bin/perl PREFIX/local/passtest.pl
# Note that this requires one of the two 'passtest' scripts to be installed first,
# before the appropriate line is uncommented.
# These scripts can be found in the 'local' directory of the source distribution,
# and are not installed automatically.
# Walk the NET-SNMP-PASS-MIB::netSnmpPassExamples subtree to see the resulting output
#
# AgentX Sub-agents
#
# Run as an AgentX master agent
master agentx
# Listen for network connections (from localhost)
# rather than the default named socket /var/agentx/master
#agentXSocket tcp:localhost:705


@ -1,4 +0,0 @@
# vim:ft=ansible:
user_username: salt
user_shell: /bin/bash
user_password: "!"


@ -1,2 +0,0 @@
---
allow_duplicates: no


@ -1,88 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Assure user
user:
name: "{{ user_username }}"
shell: "{{ user_shell }}"
password: "{{ user_password }}"
become: yes
- name: Add user to sudo
user:
name: "{{ user_username }}"
groups: sudo
append: yes
become: yes
when: ansible_os_family == "Debian"
- name: Add user to wheel
user:
name: "{{ user_username }}"
groups: wheel
append: yes
become: yes
when: ansible_os_family != "Debian"
- name: Bootstrap user
block:
- name: Assure .ssh directory
file:
path: $HOME/.ssh
state: directory
mode: "0700"
- name: Generate keypair
openssh_keypair:
comment: "{{ user_username }}@{{ inventory_hostname_short }}"
path: $HOME/.ssh/id_ed25519
mode: "0600"
register: keypair
- name: Register keypair with Gitea
uri:
url: "https://git.9iron.club/api/v1/user/keys"
method: POST
headers:
accept: "application/json"
Authorization: "token {{ gitea_api_token }}"
body_format: json
body:
key: "{{ keypair.public_key }}"
read_only: yes
title: "{{ inventory_hostname }}-ed25519"
status_code: 201
when: keypair is changed
- name: Configure authorized hosts
authorized_key:
user: "{{ user_username }}"
manage_dir: yes
key: "{{ item.key }}"
state: "{{ item.state }}"
loop:
- { key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc03Q21k7rDuIbZ91dIMOSAM7EpT75YFzOoYL6CfHLZbRDsYTVgUSHYL9lfgGiW9CYL9Gp8QT9eLzIdfgn4e8OMMuoW1jayM9nj6iY3tmWlinuzs535j04Us/aY1Gka+f0qf/vJfRAwO0VN92xmLxW4pQMD/r5DKQ3yppvohnAAPeOhoFeLbEPiBgb1ktNxtQF9GdIOdDIEE+dV0UA07dJskTdJGG9Zbff7VEcQXknhaLdclye+BHlNkRv+MvFu4jPnBNttPiM4TSBgOD88U68M6MsYBJ+2e+7cTiO2DWy9bTtAnhWHD468fdS3S9h62l2lsrGBa5dRpc8RCpPXFo/ salt@dsk-cstm-0", state: present }
- { key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyOzdOFNONNhr++/2L3iSN04JsLwYHkapslDMEImI0x4chvdfdA9OkEOZHP5EoMUG6uWL3xZZdQ9Egp931oHDc4W5ylPQ1VtqQ2vcyffCfBTOEaUeEgw2tHBDngMqBgTajMSFvTbaC7JNSIdcGP1KTCCYZ3f8DPjVmG8FAKq1kDnCyI4sXHQswi/AbIBrOsWSW+qjrQdD/jU7T2LPQbU9FB+afinDizhGXUzkmbRkOD5z/YsyrWDfaKhGS4EwJpZbEwT7ocnCaQSa74xYLwUlBONhg3u2wq00mrh7vc2WbeGB7VoCsojPIj5r6KoCKzRBVog2HLQ4W7QqfSW/nXR21 salt@lap-th-e560-0", state: present }
- { key: "ssh-rsa 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 salt@lap-s76-lemp9-0", state: present }
- { key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgLG6Y+R58AaS8hxrAVtpYRon1JiXG65KoHLR1hr8GtQXAaJuTIzzvD3LJbZ3OxSctZCzfu85SZ+7ex6yHAD0RfPASAGZarHOWSFuTULtIYaz0lGopfmHrVT9yV2df0zhqz3E2FEJaMe1CXkDufJrD3IkPZSTd24NY83hJGWxSM9SbiCqAf+c3DSWWhCC75WXdIfPs6d5CF/pYY6T1kD9AJC4K6JhP3LtieFBGZfpd6EamZ/Y1wvlFbkjV+rLDvYE4BF4WNYcJP1CTEgtOTAbACMqSdQ6544JUVvKNE7J9haOzTK0gYcp05zvgHvgju9TuPizlYEjPgypxNZBPXQisat3KXLenGS4+4gLloFrkZ4f2IfJidLrBd99GAina2OMHsCfQrazhuzvIoXI/5ww+k28GgF264HA8ZNkhPgZf3tbDmSHIZPvshRRvYOfURwiwl9T9xwdoJet5qdPrXk6EmX6f5TUIUdB8eeXcLecQDfvwgbDePdxz02sEw4LymK0= salt@ph-pine-0", state: present }
- name: Check for dotfile initialization
stat: path=$HOME/.dotfiles
register: p
- name: Initialize dotfiles
block:
- name: Clone bootstrap script
git:
accept_hostkey: yes
repo: git@git.9iron.club:salt/bootstrap
dest: $HOME/bootstrap
depth: 1
force: yes
- name: Execute bootstrap script
shell: "cd && ~/bootstrap/bootstrap.sh > bootstrap.log 2>&1"
- name: Disable untracked files on dotfiles
git_config:
name: status.showUntrackedFiles
value: "no"
scope: local
repo: ~/.dotfiles
- name: Remove bootstrap script directory
file:
path: ~/bootstrap
state: absent
when: not p.stat.exists
become: yes
become_user: "{{ user_username }}"


@ -1,19 +0,0 @@
# Enable/disable the dynamic MOTD news service
# This is a useful way to provide dynamic, informative
# information pertinent to the users and administrators
# of the local system
ENABLED=0
# Configure the source of dynamic MOTD news
# White space separated list of 0 to many news services
# For security reasons, these must be https
# and have a valid certificate
# Canonical runs a service at motd.ubuntu.com, and you
# can easily run one too
URLS="https://motd.ubuntu.com"
# Specify the time in seconds, you're willing to wait for
# dynamic MOTD news
# Note that news messages are fetched in the background by
# a systemd timer, so this should never block boot or login
WAIT=5


@ -1,8 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: restart cron
service:
name: cron
state: restarted
become: yes


@ -1,2 +0,0 @@
---
allow_duplicates: no


@ -1,41 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
- name: Configure Ansible system user
block:
- name: Create Ansible system user
user:
name: ansible
password_lock: yes
system: yes
become: yes
- name: Enroll Ansible user in sudo
user:
name: ansible
groups: sudo
when: ansible_os_family == "Debian"
- name: Enroll Ansible user in wheel
user:
name: ansible
groups: wheel
when: ansible_os_family != "Debian"
- name: Ensure perms on Ansible user home
file:
path: "/home/ansible"
mode: "0700"
- name: Ensure ownership of Ansible user home
file:
path: "/home/ansible"
owner: ansible
group: ansible
recurse: yes
- name: Add Ansible key to user
authorized_key:
user: ansible
manage_dir: yes
key: "ssh-rsa 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 ansible"
- name: Add Ansible user sudoers rule
template:
src: 90-ansible
dest: "/etc/sudoers.d/90-ansible"
mode: "0440"
become: yes


@ -1,63 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Configure basic system settings
block:
- name: Install packages
include_tasks: packages.yml
- name: Copy system configs
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: "{{ item.mode }}"
loop:
- { src: "hosts", dest: "/etc/hosts", mode: "0644" }
- { src: "issue", dest: "/etc/issue", mode: "0644" }
- name: Set hostname
hostname:
name: "{{ inventory_hostname }}"
when: ansible_os_family == "Debian"
- name: Set hostname for PMOS
hostname:
name: "{{ inventory_hostname }}"
use: alpine
when: ansible_distribution == "Alpine"
- name: Set timezone
timezone:
name: "America/Chicago"
notify: restart cron
when: ansible_os_family == "Debian"
- name: Configure MOTD
block:
- name: Disable MOTD news
copy:
src: "motd-news"
dest: "/etc/default/motd-news"
tags: [ motd ]
- name: Disable default update-motd tasks
file:
path: "/etc/update-motd.d/{{ item }}"
state: absent
loop:
- "00-header"
- "10-help-text"
- "50-landscape-sysinfo"
- "50-motd-news"
- "80-esm"
- "80-livepatch"
- "90-updates-available"
- "91-release-upgrade"
- "92-unattended-upgrades"
- "95-hwe-eol"
- "97-overlayroot"
tags: [ motd ]
when: ansible_distribution == "Ubuntu"
- name: Add update-motd tasks
template:
src: 50-ansible-motd.sh
dest: /etc/update-motd.d/50-ansible
mode: "0755"
tags: [ motd ]
- name: Configure Ansible user
include_tasks: ansibleuser.yml
become: yes


@ -1,58 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Install packages via APT
block:
- name: Update and upgrade apt packages
apt:
upgrade: yes
update_cache: yes
# One day
cache_valid_time: 86400
- name: Install basic packages
apt:
name:
- acl
- apt-file
- aptitude
- awscli
- htop
- ncdu
- net-tools
- openssh-server
- pwgen
- python3-apt
- screen
- vim
- whois
- name: Install basic packages without recommends
apt:
install_recommends: no
name:
- smartmontools
- name: Remove packages
apt:
state: absent
name:
- unattended-upgrades
become: yes
when: ansible_os_family == "Debian"
- name: Install packages via APK
block:
- name: Update and upgrade packages
apk:
upgrade: yes
update_cache: yes
- name: Install basic packages
apk:
name:
- acl
- coreutils
- gcc
- git
- htop
- ncdu
- screen
- vim
become: yes
when: ansible_distribution == "Alpine"


@ -1,34 +0,0 @@
#! /bin/sh
#
# 50-ansible-motd.sh
# Copyright (C) 2020 Vintage Salt <rehashedsalt@cock.li>
#
# Distributed under terms of the MIT license.
#
# Service statuses
if command -v systemctl > /dev/null 2>&1; then
len=20
printf "Services:\n"
for unit in \
9iron-backup \
ansible-pull
do
systemctl status $unit > /dev/null 2>&1
case $? in
0)
printf " * %-${len}.${len}s\e[32mRunning\e[0m\n" $unit
;;
1|2)
printf " * %-${len}.${len}s\e[31mDead\e[0m\n" $unit
;;
3)
printf " * %-${len}.${len}s\e[34mExited\e[0m\n" $unit
;;
*)
printf " * %-${len}.${len}s\e[33mUnknown\e[0m\n" "$unit"
;;
esac
done
fi


@ -1,3 +0,0 @@
# Managed by Ansible
ansible ALL=(ALL) NOPASSWD:ALL


@ -1,11 +0,0 @@
127.0.0.1 localhost
127.0.0.1 {{ inventory_hostname }}
127.0.0.1 {{ inventory_hostname_short }}
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts


@ -1,2 +0,0 @@
{{ ansible_distribution }} {{ ansible_distribution_version }} \l


@ -1,14 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: reload udev
command: /usr/bin/udevadm trigger
become: yes
- name: restart sshd
systemd:
name: sshd.service
state: restarted
become: yes
- name: regen initramfs
command: /usr/sbin/update-initramfs -c -k all
become: yes


@ -1,2 +0,0 @@
---
allow_duplicates: no


@ -1,13 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Install DKMS modules
block:
- name: Install hid-nintendo
include_role:
name: dkms
vars:
dkms_repo: "https://github.com/nicman23/dkms-hid-nintendo"
dkms_name: "nintendo-1.0"
become: yes
tags: [ dkms ]


@ -1,74 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Configure desktop system
block:
- name: Create config directories
file:
path: "{{ item }}"
state: directory
recurse: yes
loop:
- "/etc/X11/xorg.conf.d"
- name: Nuke some configs
file:
path: "{{ item }}"
state: absent
loop:
# Works around a bug where this causes failed logins
- "/etc/X11/Xsession.d/70im-config_launch"
- name: Copy system configs
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: "{{ item.mode }}"
loop:
- { src: "sshd_config", dest: "/etc/ssh/sshd_config", mode: "0644" }
- { src: "nomouseaccel.conf", dest: "/etc/X11/xorg.conf.d/90-mouse-acceleration.conf", mode: "0644" }
- { src: "touchpad.conf", dest: "/etc/X11/xorg.conf.d/90-touchpad.conf", mode: "0644" }
- { src: "grubconfig", dest: "/etc/default/grub", mode: "0644" }
- name: Copy udev rules
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: "{{ item.mode }}"
loop:
- { src: "g810-led.rules", dest: "/etc/udev/rules.d/50-g810-led.rules", mode: "0644" }
- { src: "switch-rcm.rules", dest: "/etc/udev/rules.d/50-switch-rcm.rules", mode: "0644" }
notify: reload udev
tags: [ udev ]
- name: Configure custom kernel modules
include_tasks: dkms.yml
tags: [ dkms ]
- name: Configure SSH
include_tasks: sshd.yml
- name: Configure system packages
include_tasks: packages.yml
- name: Configure Mopidy
include_tasks: mopidy.yml
- name: Set up Plymouth bgrt
alternatives:
name: default.plymouth
path: /usr/share/plymouth/themes/bgrt/bgrt.plymouth
notify: regen initramfs
- name: Stop services
systemd:
name: "{{ item }}"
enabled: no
state: stopped
loop:
- mopidy.service
- motd-news.timer
- name: Start services
systemd:
name: "{{ item }}"
enabled: yes
state: started
loop:
- syncthing@salt.service
- name: Template out backup module
template:
src: "backup.sh"
dest: "/opt/backups/modules/desktop.sh"
mode: "0600"
become: yes


@ -1,46 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Configure system packages
block:
- name: Add mopidy repo key
apt_key:
url: "https://apt.mopidy.com/mopidy.gpg"
- name: Add repos
apt_repository:
repo: "{{ item }}"
loop:
# These repos work for Buster and >=19.10
- "deb https://apt.mopidy.com/ buster main contrib non-free"
- "deb-src https://apt.mopidy.com/ buster main contrib non-free"
- name: Update APT cache
apt:
update_cache: yes
cache_valid_time: 86400
- name: Install packages
apt:
name:
- mpc
- mopidy
- mopidy-mpd
- mopidy-spotify
- name: Template out config
block:
- name: Create config directory
file:
path: "~/.config/mopidy"
state: directory
mode: "0755"
- name: Template out config
template:
src: mopidy.conf
mode: "0600"
dest: "~/.config/mopidy/mopidy.conf"
become_user: "{{ user_username }}"
become: yes
- name: Remove MPD
apt:
name:
- mpd
state: absent
become: yes


@ -1,245 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Configure system packages
block:
- name: Enable i386 architecture
lineinfile:
dest: /var/lib/dpkg/arch
line: i386
create: yes
- name: Add repo keys from keyserver
apt_key:
keyserver: 'keyserver.ubuntu.com'
id: "{{ item }}"
loop:
- "3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF" # Monodevelop
- name: Add repo keys by URL
apt_key:
url: "{{ item }}"
loop:
- "https://packagecloud.io/slacktechnologies/slack/gpgkey" # Slack
- "https://syncthing.net/release-key.txt" # Syncthing
- "https://packages.riot.im/debian/riot-im-archive-keyring.gpg" # Element
- "https://download.spotify.com/debian/pubkey.gpg" # Spotify 1
- "https://download.spotify.com/debian/pubkey_0D811D58.gpg" # Spotify 2
- name: Add repos
apt_repository:
repo: "{{ item }}"
loop:
# Debs
- "deb https://packagecloud.io/slacktechnologies/slack/debian/ jessie main" # Slack
- "deb http://repository.spotify.com stable non-free" # Spotify
- "deb https://apt.syncthing.net/ syncthing stable" # Syncthing
- "deb https://download.mono-project.com/repo/ubuntu vs-bionic main" # Monodevelop
- "deb https://packages.riot.im/debian/ default main" # Element
# My PPA
#- "ppa:rehashedsalt/personal"
# First-party PPAs
- "ppa:phoerious/keepassxc" # KeepassXC
# Third-party PPAs
- "ppa:system76-dev/stable" # Love my lemp9
- "ppa:drewwalton19216801/dolphin-master-cosmic" # Because Dolphin doesn't update their shit
- "ppa:kgilmer/speed-ricer" # Rice rice rice
- "ppa:lutris-team/lutris" # Lutris is kickass
- name: Update and upgrade apt packages
apt:
upgrade: "yes"
update_cache: yes
# One day
cache_valid_time: 86400
- name: Install packages
apt:
name:
# Terminal packages
- adb
- bison
- build-essential
- cmake
- debhelper
- devscripts # Tons of cool shit in here, mostly for packaging tho
- dh-make
- earlyoom
- fastboot
- ffmpeg
- flex
- git
- glances # For temperature monitoring, mostly. It's pretty heavy
- imagemagick
- libinput-tools # Allows for libinput debugging
- lua-check # I am good ComputerCraft guy
- neofetch # I never use it but whatever I guess
- network-manager-openconnect
- network-manager-openvpn
- network-manager-vpnc # For default route configuration
- nmap # For those times when you wanna scan a guy
- npm # I'm sorry
- openjdk-8-jre # For Minecraft
- pbuilder # Deb creation tool that does it all in a container
- pwgen
- python3-appdirs
- python3-eyed3
- python3-pip
- python3-pyqt5
- python3-usb # fuselee-gelee
- python3-venv
- qt5-default # For Multimc, should be installed on Kubuntu by default regardless
- traceroute
- tree
- units # How many bytes are in a mile?
- vagrant
- vagrant-libvirt
- vim
- wamerican # Dictionaries because I have like two scripts that use them
- wamerican-large
- wamerican-huge
- wamerican-insane
- wine
- wine-binfmt
- xz-utils # For Ansible deb support
# Fonts
- fonts-fork-awesome
- fonts-inconsolata
- fonts-material-design-icons-iconfont
- fonts-noto
- fonts-roboto
# DE
- bspwm
- conky-all # Why this is in several packages is beyond me
- dunst
- hsetroot # Works around a bug with Compton and a gray root window
- i3lock # Don't actually use this anymore (wew ksmserver)
- ibus
- ibus-mozc # Jap
- kubuntu-desktop # Sanity
- mozc-utils-gui
- nitrogen
- papirus-icon-theme
- pavucontrol-qt
- picom
- polybar
- qt5ct
- xbacklight # This works on literally none of my machines but fuck it
# Desktop applications
- alsa-tools-gui # For reprobing my front jack, I guess??
- barrier # FOSS Synergy
- cantata # MPD client
- chromium-browser
- chromium-chromedriver # Because Selenium
- clonezilla
- dolphin-emu-master
- dolphin-plugins
- element-desktop
- filelight # Sweet disk usage util
- filezilla
- firefox
- g810-led # For Logitech peripherals
- gimp
- inkscape # I use it for like two things
- joy2key # Neat little wrapper to bind joypad keys to keyboard keys
- joystick
- kcolorchooser
- kde-config-plymouth # Realistically not required, but whatever
- kdenlive # For the one video I edit a year
- kdepim
- keepassxc
- krita # I don't ever end up using this, maybe I'll pick it up for spritework
- libnotify-bin # Used for several of my scripts
- libretro-desmume
- libretro-mgba
- libretro-mupen64plus
- libretro-snes9x
- lutris
- mesa-vulkan-drivers
- mono-complete # Initial installation of this package may take an eternity
- monodevelop
- mpv
- mupen64plus-qt
- nextcloud-desktop
- obs-studio
- plymouth-theme-spinner # Gives us the good UEFI logo bootup
- pulseeffects # I need to be an echoey boi
- q4wine
- qbittorrent
- rdesktop # CLI RDP client, works real nice
- redshift
- retroarch
- rofi
- scrot # For scripted screenshots
- slack-desktop
- spotify-client
- steam-installer
- syncthing-gtk
- telegram-desktop
- torbrowser-launcher # Sometimes it's bugged but it's still nice to have
- virt-manager
- vulkan-tools
- vulkan-utils
- winetricks
- xdotool
- xserver-xephyr
- zim
# Other architectures, misc
- "libgl1-mesa-dri:i386"
- "mesa-vulkan-drivers:i386"
# Games
- minetest
- name: Install System76-exclusive packages
apt:
name:
- firmware-manager
- kamoso # Camera util
- system76-acpi-dkms
- system76-dkms
- system76-firmware
- system76-io-dkms
- system76-power
when: ansible_system_vendor == "System76"
- name: Install Focal-exclusive desktop applications
apt:
name:
- piper # Peripheral LED management
when: ansible_distribution_release == "focal"
- name: Install packages without recommends
apt:
install_recommends: no
name:
- php # Dev stuff
- php-xml
- name: Install out-of-repo packages
apt:
deb: "{{ item }}"
loop:
- "https://dl.discordapp.net/apps/linux/0.0.12/discord-0.0.12.deb"
- "https://github.com/MultiMC/MultiMC5/releases/download/0.6.8/multimc_1.4-1.deb"
- "https://zoom.us/client/latest/zoom_amd64.deb"
# We ignore errors here in case we have a more up-to-date package on the target machine and/or face a URL timeout
ignore_errors: yes
- name: Install desktop applications through pip3
pip:
executable: "/usr/bin/pip3"
state: latest
name:
- pmbootstrap
- protontricks
- youtube-dl
# Just in case we have legacy apps floating around
- name: Remove Snap applications
snap:
name:
- discord
- pixelorama
- riot-web
- slack
- scrcpy
- sengi
- spotify
state: absent
- name: Remove desktop applications through APT
apt:
name:
- ktorrent
- mpd
- thunderbird
state: absent
become: yes


@ -1,19 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Configure desktop system
block:
- name: Copy system configs
template:
src: sshd_config
dest: "/etc/ssh/sshd_config"
mode: "0644"
notify: restart sshd
- name: Start services
systemd:
name: "{{ item }}"
enabled: yes
state: started
loop:
- sshd.service
become: yes


@ -1,8 +0,0 @@
# Configuration for {{ inventory_hostname }} local Apache
# vim:ft=apache:
# Website configuration
<VirtualHost *:80>
ServerName localhost
DocumentRoot "/var/www/localhost"
</VirtualHost>


@ -1,67 +0,0 @@
#! /bin/bash
#
# desktop.sh
# Backup script for desktops. Meant to be sourced by our main backup script
# Copyright (C) 2020 Vintage Salt <rehashedsalt@cock.li>
#
# Distributed under terms of the MIT license.
#
set -e
export OUTDIR="$BACKUPSDIR/{{ inventory_hostname_short }}"
retention=7 # 7-day retention period
# Sanity checks
if [ -z "$BACKUPSDIR" ]; then
log "BACKUPSDIR was undefined. Run the main backup script instead of this one."
return 1
fi
if ! [ -d "$OUTDIR" ]; then
if ! mkdir "$OUTDIR"; then
log "Unable to find or create output directory: $OUTDIR"
return 2
fi
fi
# Purge oldest backup if we need to
currentbackupcount="$(ls -1 "$OUTDIR" | wc -l)"
if (( currentbackupcount >= retention )); then
lastbackup="$(find "$OUTDIR" -name \*.tar.gz 2>/dev/null | sort | head -n 1)"
if [ -f "$lastbackup" ]; then
log "Removing old backup: $lastbackup"
rm "$lastbackup"
fi
fi
# WE MAKE BACKUP NOW SERGEI
s3bucket="{{ aws.backup_bucket }}"
for dir in /home/*; do
username="$(basename -- "$dir")"
forcefile="$dir/.backup/force"
[ -d "$dir/.backup" ] || continue
for file in "$dir/.backup/"*; do [ -e "$file" ] || continue; done
tar czhf "$OUTDIR/desktop-$username-{{ inventory_hostname_short }}-$(date -Iseconds).tar.gz" "$dir/.backup/"*
# if (( "$(date +%d)" == "1" )) || [ -f "$forcefile" ]; then
# log "Detected conditions for monthly dump"
# if command -v aws > /dev/null 2>&1 && aws s3 ls "s3://$s3bucket" > /dev/null 2>&1; then
# # Time for huge backups piped straight to S3
# tar cz \
# --exclude "$dir/.ansible" \
# --exclude "$dir/.backup" \
# --exclude "$dir/.cache" \
# --exclude "$dir/.steam" \
# --exclude "$dir/Downloads" \
# --exclude "$dir/Dropbox" \
# --exclude "$dir/Nextcloud" \
# --exclude "$dir/snap" \
# "$dir/."* \
# | aws s3 cp - "s3://$s3bucket/{{ inventory_hostname_short }}/desktop-$username-{{ inventory_hostname_short }}-$(date -Iseconds)-full.tar.gz" \
# --only-show-errors \
# --storage-class STANDARD_IA
# else
# log "Could not satisfy requirements for AWS CLI"
# fi
# [ -f "$forcefile" ] && rm "$forcefile"
# fi
done


@ -1,22 +0,0 @@
ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c336", MODE="666" RUN+="/usr/bin/g213-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c330", MODE="666" RUN+="/usr/bin/g410-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33a", MODE="666" RUN+="/usr/bin/g413-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33c", MODE="666" RUN+="/usr/bin/g513-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c333", MODE="666" RUN+="/usr/bin/g610-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c338", MODE="666" RUN+="/usr/bin/g610-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c331", MODE="666" RUN+="/usr/bin/g810-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c337", MODE="666" RUN+="/usr/bin/g810-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c32b", MODE="666" RUN+="/usr/bin/g910-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c335", MODE="666" RUN+="/usr/bin/g910-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c339", MODE="666" RUN+="/usr/bin/gpro-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c336", MODE="666" RUN+="/usr/bin/g213-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c330", MODE="666" RUN+="/usr/bin/g410-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33a", MODE="666" RUN+="/usr/bin/g413-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33c", MODE="666" RUN+="/usr/bin/g513-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c333", MODE="666" RUN+="/usr/bin/g610-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c338", MODE="666" RUN+="/usr/bin/g610-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c331", MODE="666" RUN+="/usr/bin/g810-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c337", MODE="666" RUN+="/usr/bin/g810-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c32b", MODE="666" RUN+="/usr/bin/g910-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c335", MODE="666" RUN+="/usr/bin/g910-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c339", MODE="666" RUN+="/usr/bin/gpro-led -p /etc/g810-led/profile"


@ -1,40 +0,0 @@
# vim:ft=bash:
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
# info -f grub -n 'Simple configuration'
GRUB_DEFAULT=0
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET="true"
GRUB_TIMEOUT=0
GRUB_TIMEOUT_STYLE=hidden
GRUB_RECORDFAIL_TIMEOUT=0
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX=""
# Work around probing for other OSs resetting timeout
GRUB_DISABLE_OS_PROBER="true"
# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE=640x480
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true
# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY="true"
# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"


@ -1,132 +0,0 @@
# For further information about options in this file see:
# http://docs.mopidy.com/
#
# The initial commented out values reflect the defaults as of:
# Mopidy 2.2.3
# Mopidy-File 2.2.3
# Mopidy-HTTP 2.2.3
# Mopidy-Local 2.2.3
# Mopidy-M3U 2.2.3
# Mopidy-MPD 2.2.3
# Mopidy-SoftwareMixer 2.2.3
# Mopidy-Stream 2.2.3
#
# Available options and defaults might have changed since then,
# run `mopidy config` to see the current effective config and
# `mopidy --version` to check the current version.
[core]
#cache_dir = $XDG_CACHE_DIR/mopidy
#config_dir = $XDG_CONFIG_DIR/mopidy
#data_dir = $XDG_DATA_DIR/mopidy
#max_tracklist_length = 10000
#restore_state = false
[logging]
#color = true
#console_format = %(levelname)-8s %(message)s
#debug_format = %(levelname)-8s %(asctime)s [%(process)d:%(threadName)s] %(name)s\n %(message)s
#debug_file = mopidy.log
#config_file =
[audio]
#mixer = software
mixer_volume = 60
#output = autoaudiosink
#buffer_time =
[proxy]
#scheme =
#hostname =
#port =
#username =
#password =
[mpd]
#enabled = true
#hostname = 127.0.0.1
#port = 6600
#password =
#max_connections = 20
#connection_timeout = 60
#zeroconf = Mopidy MPD server on $hostname
#command_blacklist =
# listall
# listallinfo
#default_playlist_scheme = m3u
[http]
enabled = false
#hostname = 127.0.0.1
#port = 6680
#static_dir =
#zeroconf = Mopidy HTTP server on $hostname
#allowed_origins =
#csrf_protection = true
[stream]
#enabled = true
#protocols =
# http
# https
# mms
# rtmp
# rtmps
# rtsp
#metadata_blacklist =
#timeout = 5000
[m3u]
#enabled = true
#base_dir = $XDG_MUSIC_DIR
#default_encoding = latin-1
#default_extension = .m3u8
#playlists_dir =
[softwaremixer]
#enabled = true
[file]
#enabled = true
#media_dirs =
# $XDG_MUSIC_DIR|Music
# ~/|Home
#excluded_file_extensions =
# .directory
# .html
# .jpeg
# .jpg
# .log
# .nfo
# .pdf
# .png
# .txt
# .zip
#show_dotfiles = false
#follow_symlinks = false
#metadata_timeout = 1000
[local]
#enabled = true
#library = json
#media_dir = $XDG_MUSIC_DIR
#scan_timeout = 1000
#scan_flush_threshold = 100
#scan_follow_symlinks = false
#excluded_file_extensions =
# .directory
# .html
# .jpeg
# .jpg
# .log
# .nfo
# .pdf
# .png
# .txt
# .zip
[spotify]
username = {{ mopidy_spotify_username }}
password = {{ mopidy_spotify_password }}
client_id = {{ mopidy_spotify_client_id }}
client_secret = {{ mopidy_spotify_client_secret }}


@ -1,9 +0,0 @@
# This file managed via Ansible
# vim:ft=xf86conf
Section "InputClass"
Identifier "mouse"
MatchIsPointer "yes"
# Options
Option "AccelProfile" "flat"
Option "AccelSpeed" "-1"
EndSection


@ -1,112 +0,0 @@
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server


@ -1 +0,0 @@
SUBSYSTEM=="usb", ATTR{idVendor}=="0955", MODE="0664", GROUP="plugdev"


@ -1,12 +0,0 @@
# This file managed via Ansible
# vim:ft=xf86conf
Section "InputClass"
Identifier "touchpad"
MatchIsTouchpad "yes"
Driver "libinput"
# Options
Option "DisableWhileTyping" "yes"
Option "Tapping" "yes"
Option "TappingButtonMap" "lrm" # 1/2/3-finger taps
Option "TappingDrag" "yes"
EndSection


@ -1,2 +0,0 @@
---
allow_duplicates: no


@ -1,43 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Install and configure SDDM
block:
- name: Install SDDM
apt:
name:
- sddm
- name: Create config directory
file:
path: /etc/sddm.conf.d
state: directory
- name: Template out config
template:
src: main.conf
dest: /etc/sddm.conf.d/50-ansible.conf
mode: "0644"
- name: Install theme
block:
- name: Remove KDE config
file:
path: /etc/sddm.conf.d/kde_settings.conf
state: absent
- name: Download theme
get_url:
url: "{{ sddm_theme }}"
dest: "/usr/share/sddm/themes/ansible.zip"
register: t
- name: Unpack theme
unarchive:
src: "/usr/share/sddm/themes/ansible.zip"
dest: "/usr/share/sddm/themes"
remote_src: yes
when: t is changed
when: sddm_theme is defined
- name: Template out theme config
template:
src: theme.conf
dest: /etc/sddm.conf.d/51-ansible-theme.conf
mode: "0644"
when: sddm_theme_name is defined
become: yes


@ -1,11 +0,0 @@
# This configuration file managed by Ansible
# Make your adjustments in a separate file after this one in the load order
# vim:ft=dosini
[General]
Numlock=on
[Users]
MinimumUid=1000
MaximumUid=60000
HideUsers=ansible


@ -1,6 +0,0 @@
# This configuration file managed by Ansible
# Make your adjustments in a separate file after this one in the load order
# vim:ft=dosini
[Theme]
Current={{ sddm_theme_name }}


@ -1,9 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: restart zerotier
systemd:
daemon_reload: yes
name: zerotier-one.service
state: restarted
become: yes


@ -1,2 +0,0 @@
---
allow_duplicates: no


@ -1,35 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Configure system packages
block:
- name: Add zerotier repo key
apt_key:
url: "https://raw.githubusercontent.com/zerotier/ZeroTierOne/master/doc/contact%40zerotier.com.gpg"
- name: Add repos
apt_repository:
repo: "{{ item }}"
loop:
# These repos work for Buster and >=19.10
- "deb http://download.zerotier.com/debian/buster buster main"
- name: Update APT cache
apt:
update_cache: yes
cache_valid_time: 86400
- name: Install packages
apt:
name:
- zerotier-one
- name: Template out unit
template:
src: zerotier-one.service
dest: /etc/systemd/system/zerotier-one.service
notify: restart zerotier
- name: Join network
command:
argv:
- "zerotier-cli"
- "join"
- "{{ zerotier_network_id }}"
changed_when: no
become: yes


@ -1,14 +0,0 @@
[Unit]
Description=ZeroTier One
After=network.target
Wants=network-online.target
[Service]
ExecStart=/usr/sbin/zerotier-one
Restart=always
KillMode=process
# Issue 738
TimeoutStopSec=10
[Install]
WantedBy=multi-user.target


@ -1,9 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: dkms autoinstall
command:
argv:
- /usr/sbin/dkms
- autoinstall
become: yes


@ -1,15 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Install DKMS module
block:
- name: Install packages
apt:
name:
- dkms
- name: Clone repository
git:
repo: "{{ dkms_repo }}"
dest: "/usr/src/{{ dkms_name }}"
notify: dkms autoinstall
become: yes


@ -1,3 +0,0 @@
# vim:ft=ansible:
dokuwiki_tgz: "https://download.dokuwiki.org/src/dokuwiki/dokuwiki-stable.tgz"
dokuwiki_webroot: "/var/www/dokuwiki"


@ -1,4 +0,0 @@
---
allow_duplicates: no
dependencies:
- role: apache-php


@ -1,64 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Install, configure, and start Dokuwiki
block:
- name: Set up Apache
block:
- name: Create webroot
file:
path: "{{ dokuwiki_webroot }}"
mode: "0755"
recurse: yes
state: directory
- name: Check for existing installation
stat:
path: "{{ dokuwiki_webroot }}/index.php"
register: stat_webroot_index
- name: Install Dokuwiki
block:
- name: Download Dokuwiki
get_url:
dest: /var/www/dokuwiki.tgz
url: "{{ dokuwiki_tgz }}"
- name: Extract Dokuwiki
unarchive:
src: /var/www/dokuwiki.tgz
remote_src: yes
dest: "{{ dokuwiki_webroot }}"
extra_opts: [--strip-components=1]
notify: restart apache
- name: Chown webroot
file:
path: "{{ dokuwiki_webroot }}"
state: directory
recurse: yes
owner: www-data
group: www-data
- name: Cleanup
file:
path: /var/www/dokuwiki.tgz
state: absent
when: not stat_webroot_index.stat.exists
- name: Copy over virtual host configs
template:
src: apache2-vhost-ssl.conf
dest: "/etc/apache2/sites-available/{{ dokuwiki_url }}.conf"
notify: restart apache
- name: Enable config
command:
cmd: "a2ensite {{ dokuwiki_url }}.conf"
creates: "/etc/apache2/sites-enabled/{{ dokuwiki_url }}.conf"
notify: restart apache
- name: Generate certificate
include_role:
name: https
vars:
website_url: "{{ dokuwiki_url }}"
website_webroot: "{{ dokuwiki_webroot }}"
- name: Template out backup module
template:
src: "backup.sh"
dest: "/opt/backups/modules/{{ dokuwiki_url }}.sh"
mode: "0600"
become: yes


@ -1,35 +0,0 @@
# Configuration for {{ dokuwiki_url }}
# vim:ft=apache:
# Accept connections from non-SNI clients
SSLStrictSNIVHostCheck off
# Website configuration
<VirtualHost *:80>
ServerName {{ dokuwiki_url }}
Redirect permanent / https://{{ dokuwiki_url }}
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/cert/crt/{{ dokuwiki_url }}.crt
SSLCertificateKeyFile /etc/pki/cert/private/{{ dokuwiki_url }}.key
SSLCertificateChainFile /etc/pki/cert/crt/{{ dokuwiki_url}}-fullchain.crt
SSLProtocol {{ ssl_protocol }}
SSLCipherSuite {{ ssl_cipher_suite }}
<FilesMatch "\.(cgi|shtml|phtml|php)$">\
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
ServerName {{ dokuwiki_url }}
DocumentRoot {{ dokuwiki_webroot }}
<Directory "{{ dokuwiki_webroot }}">
Require all granted
AllowOverride All
Options MultiViews FollowSymlinks
</Directory>
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
</VirtualHost>


@ -1,38 +0,0 @@
#! /bin/bash
#
# gitea.sh
# Backup script for Gitea. Meant to be sourced by our main backup script
# Copyright (C) 2020 Vintage Salt <rehashedsalt@cock.li>
#
# Distributed under terms of the MIT license.
#
set -e
export OUTDIR="$BACKUPSDIR/{{ dokuwiki_url }}"
retention=7 # 7-day retention period
# Sanity checks
if [ -z "$BACKUPSDIR" ]; then
log "BACKUPSDIR was undefined. Run the main backup script instead of this one."
return 1
fi
if ! [ -d "$OUTDIR" ]; then
if ! mkdir "$OUTDIR"; then
log "Unable to find or create output directory: $OUTDIR"
return 2
fi
fi
# Purge oldest backup if we need to
currentbackupcount="$(ls -1 "$OUTDIR" | wc -l)"
if (( currentbackupcount >= retention )); then
lastbackup="$(find "$OUTDIR" -name \*.tar.gz 2>/dev/null | sort | head -n 1)"
if [ -f "$lastbackup" ]; then
log "Removing old backup: $lastbackup"
rm "$lastbackup"
fi
fi
# WE MAKE BACKUP NOW SERGEI
tar czf "$OUTDIR/{{ dokuwiki_url }}-$(date -Iseconds).tar.gz" "{{ dokuwiki_webroot }}"


@ -1,7 +0,0 @@
# vim:ft=ansible:
gitea.root: "/home/git/gitea-repositories"
gitea.app_name: "Ansible Gitea"
gitea_push_create_user: "true"
gitea_push_create_org: "false"
gitea.disable_registration: "true"
gitea_webroot: "/var/www/gitea"


@ -1,11 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: restart gitea
systemd:
daemon_reload: yes
name: gitea.service
state: restarted
become: yes
- name: gitea add default user
include_tasks: tasks/add_default_user.yml


@ -1,5 +0,0 @@
---
allow_duplicates: no
dependencies:
- role: apache-php
- role: redis


@ -1,32 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- block:
- name: Create user
command:
argv:
- /usr/local/bin/gitea
- admin
- create-user
- --username
- "{{ gitea.admin.user }}"
- --password
- "{{ gitea.admin.pass }}"
- --email
- "{{ gitea.admin.email }}"
- --config
- /etc/gitea/app.ini
- name: Promote user to admin
command:
argv:
- /usr/bin/mysql
- gitea
- -u
- gitea
- -p
- "{{ gitea.mysql_password }}"
- -e
- 'UPDATE user SET is_admin = 1 WHERE name = "{{ gitea.admin.user }}";'
become: yes
become_user: git


@ -1,160 +0,0 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Set up Gitea
block:
- name: Set up PostgreSQL
block:
- name: Create DB user
postgresql_user:
name: gitea
password: "{{ gitea.db.pass }}"
login_host: "{{ gitea.db.hostname }}"
login_user: "{{ psql.ansible.user }}"
login_password: "{{ psql.ansible.pass }}"
- name: Create DB
postgresql_db:
name: gitea
owner: gitea
encoding: UNICODE
login_host: "{{ gitea.db.hostname }}"
login_user: "{{ psql.ansible.user }}"
login_password: "{{ psql.ansible.pass }}"
tags: [ postgresql ]
- name: Set up Apache
block:
- name: Enable modules
command:
cmd: a2enmod "{{ item }}"
creates: "/etc/apache2/mods-enabled/{{ item }}.load"
loop:
- proxy
- proxy_http
notify: restart apache
- name: Template out vhost
template:
src: "apache2-vhost-ssl.conf"
dest: "/etc/apache2/sites-available/{{ gitea.url }}.conf"
notify: restart apache
- name: Create webroot
file:
state: directory
path: "{{ gitea_webroot }}"
- name: Enable site
command:
cmd: "a2ensite {{ gitea.url }}.conf"
creates: "/etc/apache2/sites-enabled/{{ gitea.url }}.conf"
notify: restart apache
- name: Generate certificate
include_role:
name: https
vars:
website_url: "{{ gitea.url }}"
- name: Install git
apt:
name: git
- name: Install Gitea
get_url:
url: "https://dl.gitea.io/gitea/1.12/gitea-1.12-linux-amd64"
dest: "/usr/local/bin/gitea"
mode: "0755"
notify: restart gitea
- name: Create Gitea user
user:
name: git
password: "!"
home: "/home/git"
shell: "/bin/bash"
- name: Create directory structure
file:
state: directory
owner: git
group: git
mode: "0750"
path: "/var/lib/{{ item }}"
loop:
- "gitea"
- "gitea/custom"
- "gitea/data"
- "gitea/log"
- name: Create config directory
file:
state: directory
recurse: yes
mode: "0750"
owner: "root"
group: "git"
path: "/etc/gitea"
- name: Create repositories directory
file:
state: directory
mode: "0700"
owner: git
group: git
path: "{{ gitea.root }}"
- name: Set up EFS mount
block:
- name: Install required packages
apt:
name:
- nfs-client
- name: Create EFS
efs:
name: "{{ gitea.efs.name }}"
encrypt: yes
region: "{{ gitea.efs.region }}"
targets:
- subnet_id: "{{ gitea.efs.subnet_id }}"
security_groups: [ "{{ gitea.efs.security_group }}" ]
register: efs
- name: Mount EFS
mount:
path: "{{ gitea.root }}"
src: "{{ efs.efs.filesystem_address }}"
fstype: nfs4
opts: "nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport"
state: mounted
when: gitea.efs.name is defined
tags: [ giteaefs ]
- name: Check for config
stat: path="/etc/gitea/app.ini"
register: p
- name: Deploy config
block:
- name: Generate INTERNAL_TOKEN
command: /usr/local/bin/gitea generate secret INTERNAL_TOKEN
register: gitea_internal_token
- name: Generate SECRET_KEY
command: /usr/local/bin/gitea generate secret SECRET_KEY
register: gitea_secret_key
- name: Generate JWT_SECRET
command: /usr/local/bin/gitea generate secret JWT_SECRET
register: gitea_jwt_secret
- name: Generate LFS_JWT_SECRET
command: /usr/local/bin/gitea generate secret LFS_JWT_SECRET
register: gitea_lfs_jwt_secret
- name: Template out app.ini
template:
src: "app.ini"
dest: "/etc/gitea/app.ini"
mode: "0640"
owner: "root"
group: "git"
when: not p.stat.exists
- name: Template out service
template:
src: "gitea.service"
dest: "/etc/systemd/system/gitea.service"
notify: restart gitea
- name: Start and enable service
systemd:
daemon_reload: yes
name: "gitea.service"
enabled: yes
state: "started"
- name: Template out backup module
template:
src: "backup.sh"
dest: "/opt/backups/modules/{{ gitea.url }}.sh"
mode: "0600"
become: yes


@ -1,37 +0,0 @@
# Configuration for {{ gitea.url }}
# vim:ft=apache:
# Accept connections from non-SNI clients
SSLStrictSNIVHostCheck off
# Need this for SSL proxying, apparently
SSLProxyEngine on
# Website configuration
<VirtualHost *:80>
ServerName {{ gitea.url }}
Redirect permanent / https://{{ gitea.url }}
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/cert/crt/{{ gitea.url }}.crt
SSLCertificateKeyFile /etc/pki/cert/private/{{ gitea.url }}.key
SSLCertificateChainFile /etc/pki/cert/crt/{{ gitea.url }}-fullchain.crt
SSLProtocol {{ ssl_protocol }}
SSLCipherSuite {{ ssl_cipher_suite }}
ServerName {{ gitea.url }}
DocumentRoot {{ gitea_webroot }}
<Directory "{{ gitea_webroot }}">
Require all granted
AllowOverride All
Options MultiViews FollowSymlinks
</Directory>
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://127.0.0.1:3000/ nocanon retry=1
ProxyPassReverse / https://127.0.0.1:3000/
RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on
# Used for embedding in Nextcloud
Header unset X-Frame-Options
</VirtualHost>


@ -1,74 +0,0 @@
APP_NAME = {{ gitea.app_name }}
RUN_USER = git
RUN_MODE = prod
[database]
DB_TYPE = postgres
HOST = {{ gitea.db.hostname }}:5432
NAME = gitea
USER = gitea
PASSWD = {{ gitea.db.pass }}
SSL_MODE = disable
CHARSET = utf8
PATH = /var/lib/gitea/data/gitea.db
[log]
MODE = file
LEVEL = info
ROOT_PATH = /var/lib/gitea/log
[mailer]
ENABLED = false
[oauth2]
JWT_SECRET = {{ gitea_jwt_secret.stdout }}
[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = false
[picture]
DISABLE_GRAVATAR = true
ENABLE_FEDERATED_AVATAR = false
[repository]
ENABLE_PUSH_CREATE_USER = {{ gitea_push_create_user }}
ENABLE_PUSH_CREATE_ORG = {{ gitea_push_create_org }}
ROOT = {{ gitea.root }}
[security]
INTERNAL_TOKEN = {{ gitea_internal_token.stdout }}
INSTALL_LOCK = true
PASSWORD_COMPLEXITY = off
SECRET_KEY = {{ gitea_secret_key.stdout }}
[server]
SSH_DOMAIN = {{ gitea.url }}
DOMAIN = {{ gitea.url }}
HTTP_PORT = 3000
ROOT_URL = https://{{ gitea.url }}/
DISABLE_SSH = false
SSH_PORT = 22
LFS_START_SERVER = true
LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret.stdout }}
OFFLINE_MODE = true
[service]
REGISTER_EMAIL_CONFIRM = true
ENABLE_NOTIFY_MAIL = true
DISABLE_REGISTRATION = {{ gitea.disable_registration }}
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
REQUIRE_SIGNIN_VIEW = false
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = bad.company
[session]
PROVIDER = file
[ui]
DEFAULT_THEME = arc-green


@ -1,47 +0,0 @@
#! /bin/bash
#
# gitea.sh
# Backup script for Gitea. Meant to be sourced by our main backup script
# Copyright (C) 2020 Vintage Salt <rehashedsalt@cock.li>
#
# Distributed under terms of the MIT license.
#
set -e
export OUTDIR="$BACKUPSDIR/{{ gitea.url }}"
retention=7 # 7-day retention period
# Sanity checks
if [ -z "$BACKUPSDIR" ]; then
log "BACKUPSDIR was undefined. Run the main backup script instead of this one."
return 1
fi
if ! [ -d "$OUTDIR" ]; then
if ! mkdir "$OUTDIR"; then
log "Unable to find or create output directory: $OUTDIR"
return 2
fi
fi
# Enforce permissions on our output directory since the git user will need them
chown root.git "$OUTDIR"
chmod 770 "$OUTDIR"
# Purge oldest backup if we need to
currentbackupcount="$(ls -1 "$OUTDIR" | wc -l)"
if (( currentbackupcount >= retention )); then
lastbackup="$(find "$OUTDIR" -name \*.zip 2>/dev/null | sort | head -n 1)"
if [ -f "$lastbackup" ]; then
log "Removing old backup: $lastbackup"
rm "$lastbackup"
fi
fi
# WE MAKE BACKUP NOW SERGEI
if cd "$OUTDIR"; then
log "Initiating gitea dump"
su git -c "gitea dump -c /etc/gitea/app.ini"
else
log "Could not change directory: $OUTDIR"
return 3
fi
