Compare commits
197 Commits
04c5bcc77c
...
ce14c82f0e
Author | SHA1 | Date | |
---|---|---|---|
ce14c82f0e | |||
d22ee2e0f0 | |||
62db0e9ce8 | |||
6ead681d5c | |||
23fac2d48e | |||
1eae9d247b | |||
46eb6a73d7 | |||
7851fb89aa | |||
92baa6cf62 | |||
7d4f7b5753 | |||
5ed0257e9c | |||
c347bdf493 | |||
2f6d016532 | |||
d54de87611 | |||
acec77ca5b | |||
7e8e9563fd | |||
0ea78b63c8 | |||
d34844351b | |||
39f3b1f852 | |||
14ea44130a | |||
cb0ab9c59d | |||
0faa6e6816 | |||
c23d989748 | |||
85adaf51c8 | |||
43ca19b493 | |||
b2fc3ff377 | |||
e469f406b0 | |||
bf9d9fbad0 | |||
9e66c3a03e | |||
f1ccf47b27 | |||
e1ed70b055 | |||
2febec023f | |||
dbc9f7d6ae | |||
e59f9ce63e | |||
d71bfdbe6f | |||
cf51bbd83c | |||
49b156c5dc | |||
ca920a1f83 | |||
4e6c96fabd | |||
abcfaea0a5 | |||
c3743ee5a5 | |||
dc52392ebb | |||
db9859c40d | |||
7ad0888c1c | |||
682bd4f4bd | |||
b60d199ce9 | |||
37a5cd7d52 | |||
ec4081e972 | |||
1f30710d4d | |||
707fb153b6 | |||
fb8dda7bb2 | |||
3e418b8a23 | |||
4184839ad8 | |||
3867c95b13 | |||
2ae954f2e8 | |||
a17b579ffa | |||
8e470bdd62 | |||
9c75583854 | |||
9224394b85 | |||
ca5dd0b190 | |||
3dfc6fbc71 | |||
c503167c3b | |||
0097a08ea8 | |||
6c5b012f05 | |||
d28034408e | |||
d8640bae9b | |||
198722b71e | |||
2d7d1e0db6 | |||
e649bbbae2 | |||
2810f5262a | |||
a01ce39e0a | |||
41600e2204 | |||
f1280f1e5e | |||
0fcbc3be6d | |||
7689c42e51 | |||
78db2b0cc1 | |||
31c4e91f7f | |||
ed4fe73467 | |||
33a203cc94 | |||
1710d1108b | |||
9bec0ffb58 | |||
a5b83e1a59 | |||
1933ba21c0 | |||
eb97eb4a7a | |||
978ffc21ac | |||
6d3caf8a46 | |||
bac2a2ee56 | |||
d730598946 | |||
2c52a0171c | |||
cf2ce15ca0 | |||
7726fffb08 | |||
b5d4646724 | |||
caf9a54358 | |||
026cddb787 | |||
87f997c418 | |||
2f886dd2ba | |||
b8f46fc807 | |||
bf37b4d66d | |||
3b17b4e39c | |||
5cfbca0534 | |||
6d9d3a4784 | |||
74cd565cad | |||
d353eefa2c | |||
58a9827b28 | |||
00fb2bb32e | |||
4cbc53a687 | |||
b93f95ba99 | |||
d95416e831 | |||
36c61436ed | |||
42ccb2bcc6 | |||
1e356d6436 | |||
42dac8cecd | |||
46c3e3f2df | |||
fc7a6529a7 | |||
ba868fa76c | |||
516a42972d | |||
262767149a | |||
0f49adf860 | |||
5b635e5b68 | |||
105753d17a | |||
123683b0d9 | |||
8a16230550 | |||
7abe303c98 | |||
011772060e | |||
9f672b4eb0 | |||
ccaadd0a3d | |||
3c3bb9f9b4 | |||
0c1b3deeee | |||
3259ebd573 | |||
8cca1900d7 | |||
238d0a2b18 | |||
9a1b7d69a6 | |||
77df2896d6 | |||
3c445d0f90 | |||
6016996574 | |||
74f2b82a1e | |||
8699cae9f1 | |||
ebb5dfc6d6 | |||
6f47952df8 | |||
89076f2f1c | |||
72181dddd1 | |||
89cca37d10 | |||
b27714c850 | |||
9177c84213 | |||
2b822eb1a6 | |||
7824679f2e | |||
775bbeff5f | |||
d0d4437cdd | |||
dff10b6aaa | |||
1b731d0825 | |||
21c1b1254e | |||
07a28018b0 | |||
e3d89690c1 | |||
deca70a065 | |||
e0eeb4fa5b | |||
a47e09bd1d | |||
3f93c4c2d6 | |||
9ee8068785 | |||
cd063c93bd | |||
99adf1356f | |||
4ad6032708 | |||
1a40402c11 | |||
63c982defb | |||
8c7ef95aa6 | |||
ddc5c881de | |||
f893458e51 | |||
b55b061573 | |||
9e5782e4e0 | |||
dc541c12de | |||
7ab0a230eb | |||
a660f8bb06 | |||
6e5d07547d | |||
1a761523db | |||
4f96ddf379 | |||
5b2591339b | |||
ff07224bb6 | |||
11d0cad9fb | |||
c0a5a866c4 | |||
348dd94260 | |||
70c609c94a | |||
e9e1936b50 | |||
912bdad794 | |||
76c99e5e6e | |||
92f81f8010 | |||
e169fb873b | |||
538164a83d | |||
12064603ca | |||
655d8c15b5 | |||
a7f32f7c48 | |||
300c4ddb94 | |||
161d2f7be4 | |||
8bbbb7c969 | |||
668fe20fac | |||
d11deec1d8 | |||
8b7ad3b450 | |||
9cc70a00e6 | |||
ad70b4aca0 |
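--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,9 @@
+[submodule "roles/minecraft"]
+path = roles/minecraft
+url = https://git.desu.ltd/salt/ansible-role-minecraft
+[submodule "roles/terraria"]
+path = roles/terraria
+url = https://git.desu.ltd/salt/ansible-role-terraria
+[submodule "roles/pleroma"]
+path = roles/pleroma
+url = https://git.desu.ltd/salt/ansible-role-pleroma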
@ -1,3 +1,3 @@
|
|||||||
#!/usr/bin/ansible-playbook
|
#!/usr/bin/env ansible-playbook
|
||||||
# vim:ft=ansible:
|
# vim:ft=ansible:
|
||||||
|
|
||||||
|
56
README.md
56
README.md
@ -1,29 +1,55 @@
|
|||||||
# Salt's Ansible Repo
|
# Salt's Ansible Repository
|
||||||
|
|
||||||
A collection of Ansible configuration to manage all of my machines.
|
Useful for management across all of 9iron, thefuck, and desu.
|
||||||
|
|
||||||
## Quickstart
|
## TODO
|
||||||
|
|
||||||
To quickly get a machine up and running, add it to the inventory and `./provision.yml` it. This ensures a basic, sane running environment from which you can do tuning. Ideally, though, you should have roles.
|
This branch is kinda-sorta a port of master, so it still needs to reach some form of feature parity with it. Namely:
|
||||||
|
|
||||||
## Overview
|
* Matrix(? Do I still want to keep this around? Is there a better alternative? Will my friends even use it?)
|
||||||
|
|
||||||
The main playbook, `site.yml`, can be separated into more or less two parts:
|
* Port over configs for Nextcloud on web1.9iron.club
|
||||||
|
|
||||||
* The home machine half, tied together via Zerotier
|
## Initialization
|
||||||
|
|
||||||
* The 9iron half, with public IPs and resolvable names
|
Clone the repo, `cd` in. Done.
|
||||||
|
|
||||||
See `inventory/hosts.yml` for details on what machines have what roles and what configuration. I try my best to make self-explaning configuration, so everything should mostly make sense on a first read. If you have any questions, hit me up.
|
## Deployment
|
||||||
|
|
||||||
## Style Guide
|
Adding a new server will require the following be fulfilled:
|
||||||
|
|
||||||
* Quote strings when required, quote entire strings if they contain Jinja markup, not just the marked up section (yes I know I violate this in several places)
|
* The server is accessible from the Ansible host;
|
||||||
|
|
||||||
* Use `yes` and `no` for booleans
|
* The server has a user named `ansible` which:
|
||||||
|
|
||||||
* Use short form for simple tasks (still working on fixing that up)
|
* Accepts the public key located in `contrib/desu.pub`; and
|
||||||
|
|
||||||
## Your Shit is Trash
|
* Has passwordless sudo capabilities as root
|
||||||
|
|
||||||
I know. Please file an issue.
|
* The server is added to `inventory/hosts.yml` in an appropriate place;
|
||||||
|
|
||||||
|
* DNS records for the machine are set; and
|
||||||
|
|
||||||
|
* The server is running Ubuntu 20.04 or greater
|
||||||
|
|
||||||
|
From there, running the playbook `site.yml` should get the machine up to snuff. To automate the host-local steps, use the script file `contrib/bootstrap.sh`.
|
||||||
|
|
||||||
|
## Ad-Hoc Commands
|
||||||
|
|
||||||
|
The inventory is configured to allow for ad-hoc commands with very little fuss. For example:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ansible -m shell -a 'systemctl is-failed ansible-pull.service' all
|
||||||
|
```
|
||||||
|
|
||||||
|
These commands must be run from the root of the repo.
|
||||||
|
|
||||||
|
## Ansible Galaxy
|
||||||
|
|
||||||
|
Several of the roles in this repository are sourced from Ansible Galaxy. They're mirrored here for both easy compatibility with `ansible-pull` and in case the sources go down. Despite this, they're still managed in `roles/requirements.yml` for ease of management, source tracking, and updating. Any forks or deviations from these sources should be thoroughly documented.
|
||||||
|
|
||||||
|
Should you need to reinitialize them, the following command (run from the root of the repo) will initialize all Galaxy assets:
|
||||||
|
|
||||||
|
```
|
||||||
|
ansible-galaxy install -r roles/requirements.yml
|
||||||
|
```
|
||||||
|
10
ansible.cfg
10
ansible.cfg
@ -1,15 +1,11 @@
|
|||||||
[defaults]
|
[defaults]
|
||||||
gathering = smart
|
|
||||||
interpreter_python = python3
|
interpreter_python = python3
|
||||||
inventory = inventory
|
inventory = inventory
|
||||||
roles_path = roles
|
roles_path = roles
|
||||||
# Connection info
|
private_key_file = ~/.ssh/desu
|
||||||
private_key_file = ~/.ssh/ansible
|
host_key_checking = false # I'm constantly spinning machines up and down; no time for this
|
||||||
host_key_checking = false
|
#ask_become_pass = true
|
||||||
# Secrets
|
|
||||||
ask_become_pass = true
|
|
||||||
#ask_vault_pass = true
|
#ask_vault_pass = true
|
||||||
# Warnings
|
|
||||||
command_warnings = true
|
command_warnings = true
|
||||||
#deprecation_warnings = false
|
#deprecation_warnings = false
|
||||||
system_warnings = true
|
system_warnings = true
|
||||||
|
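Review bot: `host_key_checking = false` survives on the new side of ansible.cfg (now with an inline comment), which turns off SSH host-key verification for every host the inventory reaches, not only the short-lived machines the comment describes, so a re-addressed or spoofed host is accepted without any error. A narrower alternative is to keep verification on and override it only for the throwaway runs, e.g. `host_key_checking = true` here and `ANSIBLE_HOST_KEY_CHECKING=false` on the command line when a fresh machine is being brought up, or to seed known_hosts with `ssh-keyscan` as part of provisioning. Separately, if Ansible's INI parser does not strip the inline `#` comment on that line, the value read back is the whole string rather than a boolean; putting the remark on its own `#` line above the setting avoids the question entirely.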
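--- a/contrib/bootstrap.sh
+++ b/contrib/bootstrap.sh
@@ -0,0 +1,52 @@
+#! /bin/sh
+#
+# bootstrap.sh
+# Copyright (C) 2020 Vintage Salt <rehashedsalt@cock.li>
+#
+# Distributed under terms of the MIT license.
+#
+
+set -e
+
+if [ "$(id -u)" != "0" ]; then
+echo "This script must be run as root"
+exit 1
+fi
+
+if ! [ -f "./desu.pub" ]; then
+echo "The public key \"desu.pub\" must sit in PWD. cd to contrib"
+exit 2
+fi
+
+echo "Adding ansible user..."
+
+if ! useradd ansible > /dev/null 2>&1; then
+err=$?
+case $err in
+0)
+;;
+9)
+echo "Continuing..."
+;;
+*)
+echo "Encountered error $err adding user ansible"
+exit 3
+;;
+esac
+fi
+
+echo "Adding key..."
+
+mkdir -p ~ansible/.ssh
+cat ./desu.pub > ~ansible/.ssh/authorized_keys
+
+echo "Fixing perms..."
+
+chmod 0600 ~ansible/.ssh/authorized_keys
+chown -R ansible. ~ansible/.ssh
+cat > /etc/sudoers.d/50-ansible << EOF
+ansible ALL=(ALL:ALL) NOPASSWD:ALL
+EOF
+
+echo "Done!"
+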
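Review bot: `err=$?` on the line after `if ! useradd ansible > /dev/null 2>&1; then` always stores 0, because `$?` there is the status of the negated pipeline rather than of useradd, so `case $err in` always takes the `0)` arm, the `9)` "Continuing..." arm and the `exit 3` arm are unreachable, and a useradd that really failed is silently ignored before the key and the sudoers drop-in are installed. Capture the status directly and drop the surrounding `if`/`fi`: `err=0`, `useradd ansible > /dev/null 2>&1 || err=$?`, then `case $err in` as before; this also keeps `set -e` from aborting on the expected exit 9. The drop-in is written with `cat > /etc/sudoers.d/50-ansible` and never validated; writing it to a temp file, checking it with `visudo -cf`, and installing it with mode 0440 keeps a malformed file from breaking sudo for the whole host. The same public key is also embedded inline as `common_ansible_pubkey` elsewhere in this diff, so a key rotation has to touch both copies.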
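--- a/contrib/desu.pub
+++ b/contrib/desu.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDfXVgMHeD2wtCAIVoDYQ+R19vKfhmR2FgUTkHhAzE2156fB/+IMB+6Qc4X3aFRIcUp+Ls8Vm8JQ3d0jvbcGQkgbAjRExQa71XGBmhxJCxzlCLBoQzBmTSnryL09LExoMynzVgrso8TQP92vZBGJFI/lLGAaop2l9pu+3cgM3sRaK+A11lcRCrS25C3hqPQhKC44zjzOt7sIoaG6RqG3CQ8jhE35bthQdBySOZVDgDKfjDyPuDzVxiKjsuNm4Ojzm0QW5gq6GkLOg2B8OSQ1TGQgBHQu4b8zsKBOUOdbZb0JLM8NdpH1cMntC0QBofy3DzqR/CFaSaBzUx+dnkBH0/pjBOrhHzzqZGOJayfC1igYki67HqzFV5IjhAVa+c4S9L/zbFk0+YZYdgMoKNlMU2LgzrSEastuXHD7NUy3fMP4BZbqg37SjQzFRXoUp5+ctVs9tCoy/qvvjT3UVGcn312eJrRRfWrYagU2nWKGyqbTOpsuOJ5OLlhopy6eP9+yRM= ansible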
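--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,8 @@
+#!/usr/bin/env ansible-playbook
+# vim:ft=ansible:
+- name: restart cron
+service: name=cron state=restarted
+become: yes
+- name: regen initramfs
+command: /usr/sbin/update-initramfs -c -k all
+become: yes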
@ -1,61 +1,54 @@
|
|||||||
#!/usr/bin/ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
# vim:ft=ansible:
|
||||||
|
|
||||||
## BACKEND
|
# For homebrew roles and such, mostly Ansible-related setup
|
||||||
# ACME
|
ansible_pull_repo: "https://git.desu.ltd/salt/ansible"
|
||||||
acme:
|
ansible_pull_commit: master
|
||||||
#directory: "https://acme-staging-v02.api.letsencrypt.org/directory" # Testing ACME endpoint
|
common_ansible_pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDfXVgMHeD2wtCAIVoDYQ+R19vKfhmR2FgUTkHhAzE2156fB/+IMB+6Qc4X3aFRIcUp+Ls8Vm8JQ3d0jvbcGQkgbAjRExQa71XGBmhxJCxzlCLBoQzBmTSnryL09LExoMynzVgrso8TQP92vZBGJFI/lLGAaop2l9pu+3cgM3sRaK+A11lcRCrS25C3hqPQhKC44zjzOt7sIoaG6RqG3CQ8jhE35bthQdBySOZVDgDKfjDyPuDzVxiKjsuNm4Ojzm0QW5gq6GkLOg2B8OSQ1TGQgBHQu4b8zsKBOUOdbZb0JLM8NdpH1cMntC0QBofy3DzqR/CFaSaBzUx+dnkBH0/pjBOrhHzzqZGOJayfC1igYki67HqzFV5IjhAVa+c4S9L/zbFk0+YZYdgMoKNlMU2LgzrSEastuXHD7NUy3fMP4BZbqg37SjQzFRXoUp5+ctVs9tCoy/qvvjT3UVGcn312eJrRRfWrYagU2nWKGyqbTOpsuOJ5OLlhopy6eP9+yRM= ansible"
|
||||||
directory: "https://acme-v02.api.letsencrypt.org/directory"
|
|
||||||
version: 2
|
|
||||||
webroot: /var/www/acme
|
|
||||||
aws:
|
|
||||||
# S3 Backups
|
|
||||||
backup_bucket: "9iron-backups-general"
|
|
||||||
# SES
|
|
||||||
ses:
|
|
||||||
user: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
33643766376336316266373239386466373639633765333332353031373132383061346564633036
|
|
||||||
3337396261333264363562363364336235633831353133380a613164666161313265396261616634
|
|
||||||
38353531306238613735623433663138643231663139363735373537393337636362636534656166
|
|
||||||
3063373930343039320a663063663535633932323739653461336164643035633036663362666161
|
|
||||||
38316564326537303236333266303432326164393435663665363963326363306237
|
|
||||||
pass: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
39306665653635383832623438656364616633643032663365643033316236333939363732363034
|
|
||||||
3566663361653862646636396339343963626561613839620a663731313337613734356261326437
|
|
||||||
31653763346663656165343632336366343562333836396232636431323635333965336137316237
|
|
||||||
3662393364636631310a643935313539353338333233356362623835363631383035666536343634
|
|
||||||
65663937643165613337373837633737653765303764303536386530616363343361326536633935
|
|
||||||
3565626161343562396663353538653136376138373334336435
|
|
||||||
# MySQL
|
|
||||||
mysql:
|
|
||||||
root_password: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
62316565376333396465333931356163343363663063636233653536373033396230626639613964
|
|
||||||
3037613839373833646234626236643430393364643131610a333539373533663434373935376130
|
|
||||||
65323365313465316635646465376665616132653832316362363535366563363863636530313666
|
|
||||||
3036393134386131310a643734363261633166636263343538313533393738323934303137343163
|
|
||||||
39636637643035616236663364663562366133613233313139623937313531343564
|
|
||||||
# PSQL
|
|
||||||
psql:
|
|
||||||
ansible:
|
|
||||||
user: ansible
|
|
||||||
pass: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
30383235373131383466383438653235666365386631356463633265623332643337633830663930
|
|
||||||
3639313565613138373165636264343030323961646539390a356134383764326631326635636139
|
|
||||||
63626263373063343036373266326235363839316662363031356264363365633161326264643766
|
|
||||||
3734386366633861640a643335636330323432626437646337353534653832383337396432636264
|
|
||||||
61356331646133653363353931306630373963316430626266346630646362666237
|
|
||||||
neighbor_block: "172.31.0.0/16"
|
|
||||||
|
|
||||||
## WEBAPPS
|
# For backups
|
||||||
# Gitea
|
backup_s3_bucket: !vault |
|
||||||
gitea:
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
db:
|
61393939633736616361336162633564356434363963303737366236373332653265366132393439
|
||||||
hostname: 172.31.47.215
|
3333643463306561616261636466303631373866353962310a356561633833633533353937323265
|
||||||
pass: !vault |
|
64656235616637366363323330346134656366663733393462346333613535633838333938653434
|
||||||
|
6133326433613239650a386333626339363263323134313830353963326265666336306130656534
|
||||||
|
6534
|
||||||
|
backup_s3_aws_access_key_id: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
61353734383466366564333832643738313238666235336332303539383639626263633231396261
|
||||||
|
6165393062393266343661643466633163383164383032340a333833656566336331323565386162
|
||||||
|
35646665353539616538353339616531346564636466643639326366353165313861373761396537
|
||||||
|
3731653463643838330a383065313135343763636534656133343666363237356462326236643631
|
||||||
|
34366564373661396434663633346635663331393538363362376265653334623538
|
||||||
|
backup_s3_aws_secret_access_key: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
64316231613337333231383837333930336561633164393762343838646136393165626361346637
|
||||||
|
3364643830346533623137643530323438366665393632320a633032336664616261353734343661
|
||||||
|
36646565383532616133353530343331663731663965656662363830363063303361373861663762
|
||||||
|
3032613362626233350a613464333230363830383334363032303730646134306331383733363036
|
||||||
|
34346334306633306664323337643433356336366633396239306539613539633535386238346662
|
||||||
|
6232313138393062626631386135383234376361643362353966
|
||||||
|
|
||||||
|
|
||||||
|
# For zerotier
|
||||||
|
zerotier_network_id: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
35646131343239623265663562343333383362366633386462646465643163353866643633636135
|
||||||
|
6238643231313536323337343663313865323430323437630a353462393830376431376363373232
|
||||||
|
30656433343263653035333637336165323931363966376264353164326135336131646362623734
|
||||||
|
3339633961393864330a616437613534643231366634643362383438316233376334636264303361
|
||||||
|
65313231393433396538663463383731303661633663343066333264303330313133
|
||||||
|
|
||||||
|
# For geerlingguy.apache
|
||||||
|
apache_remove_default_vhost: yes
|
||||||
|
apache_ssl_cipher_suite: AES256+EECDH:AES256+EDH
|
||||||
|
apache_ssl_protocol: all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
|
||||||
|
|
||||||
|
# For geerlingguy.php
|
||||||
|
##RESERVED
|
||||||
|
|
||||||
|
# For gitea
|
||||||
|
secret_gitea_9iron_db_pass: !vault |
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
62353264353465316661353738666161313036373761666163663733656461316536636334386335
|
62353264353465316661353738666161313036373761666163663733656461316536636334386335
|
||||||
6161386630663739363439383237343065333239613134610a383036373735326536386464343164
|
6161386630663739363439383237343065333239613134610a383036373735326536386464343164
|
||||||
@ -63,80 +56,71 @@ gitea:
|
|||||||
3364306566323666310a323034303434613237643665643637633430353437316339356463646331
|
3364306566323666310a323034303434613237643665643637633430353437316339356463646331
|
||||||
33353062343164396465326365653561626363343961326363633231303736316436643935646161
|
33353062343164396465326365653561626363343961326363633231303736316436643935646161
|
||||||
3933353234613430373930663832643934613233383635613433
|
3933353234613430373930663832643934613233383635613433
|
||||||
app_name: "9iron Gitea"
|
secret_gitea_db_pass: !vault |
|
||||||
disable_registration: "false"
|
|
||||||
url: "git.9iron.club"
|
|
||||||
root: "/var/gitea"
|
|
||||||
efs:
|
|
||||||
name: "9iron-gitea"
|
|
||||||
region: "us-east-2"
|
|
||||||
subnet_id: "subnet-852935ed"
|
|
||||||
security_group: "sg-4f4b692c"
|
|
||||||
admin:
|
|
||||||
user: "salt"
|
|
||||||
email: "rehashedsalt@cock.li"
|
|
||||||
pass: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
35613039646236306236363930353231303331633765303039373736626666666530323433356466
|
35343032343364306363646232613831386530313430663664396432353431393039626230626137
|
||||||
3062633166313332643039613561303431613735396339650a376664373137643439303465376365
|
6339653038633534313562333431613362313263623130300a383930626437636466623763663334
|
||||||
35313266376539366134343562626164616666306338343538663361393964626565303331383234
|
64646239633830656338336135313261396536303739373731633830633366313262313035626233
|
||||||
3565646664333966650a323530356664366262653763363439613534303764366436376634373639
|
6463663332623635320a356565666638306661356365643930303664346232303165373333613235
|
||||||
62303264653836656162366362316461656363353539343632616462626231643632
|
62396535653338396232616531323738656636613065336337333336306437363539303766623866
|
||||||
# Grafana
|
3932386635393061643737326163643164643365303866643766
|
||||||
grafana:
|
gitea_secret_key: !vault |
|
||||||
db:
|
|
||||||
hostname: 172.31.47.215
|
|
||||||
pass: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
65376335363732633132326630323161393861323833323631613630343262383137656138356262
|
34373339636233393231363531323338306330653139376661356336343133373836323065333665
|
||||||
3730386139393739373738626535376636666135646463350a623331333032346434343465666234
|
3537613462316361646161653966643862633033646134370a643133393162313434383663643538
|
||||||
38393539623437376133363063633238383031326431653737346564323837343265653431633962
|
31343164666235316235393163376134636433386361353266613263363839366432356132383533
|
||||||
6665346237666165330a643635653863356633623535383063366632336437313730626233346664
|
3434643430306234350a353037373530653865363931333237663133626537643730643634356162
|
||||||
33303465616532313339393634386166363162393661393037323835323035386663
|
33353632613637306336653734343332393661343539393034313437373636383732393062333530
|
||||||
url: "monitor.9iron.club"
|
3337633338323131373130376137393766363737393536386636
|
||||||
webroot: "/var/www/grafana"
|
gitea_internal_token: !vault |
|
||||||
config_repo: "https://git.9iron.club/salt/grafana"
|
|
||||||
# Matrix
|
|
||||||
matrix:
|
|
||||||
server_name: "9iron.club"
|
|
||||||
url: "matrix.9iron.club"
|
|
||||||
enable_registration: "true"
|
|
||||||
admin_contact: "mailto:rehashedsalt@cock.li"
|
|
||||||
db_password: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
64663061333130386634323631353435376330636334623334663365633361336563393634333061
|
34323237383664663266653034656437643363316538663338383262663931356665383363656466
|
||||||
6531393839336532376465356132646337663339333431340a383030373166653835386239643365
|
3861653830626538303761303638663835316239343033370a323164303164613265363535643432
|
||||||
31356462653634323162343164633130366664323034373330613764663635326534303935303230
|
31393732393361666331396533333339623665623562643962323632653537666339346266393632
|
||||||
6233636463636134640a386436316462643434343739333232613264303635323261616634326562
|
6639663137613232640a383633343038626638626434636230346634373533616564316262333833
|
||||||
63316265366238383038653034326661633163346462396663346563666134393232
|
64376163636230303361326532316665366633373035336164393033653366653564633339386338
|
||||||
# Nextcloud
|
35326462333364353032343238363230343235303037306532333765376464326234633739396534
|
||||||
nextcloud:
|
31333332613964313031346534306236383434346430396233646132393962383636383631643461
|
||||||
db:
|
37366163373863653164626365383761623431613164653932363730633134633032336266616335
|
||||||
hostname: 172.31.47.215
|
61626133316161616335323630333461663163613430353438633235336331343934386464373866
|
||||||
pass: !vault |
|
62633234313261363537663061373931303832653531356566633739636264666635653936313965
|
||||||
|
623964653936646334313864643030653763
|
||||||
|
|
||||||
|
# For Nextcloud
|
||||||
|
secret_nextcloud_9iron_db_pass: !vault |
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
37633035633563646266346264333636393931323664313166633133653461646333643731636661
|
37633035633563646266346264333636393931323664313166633133653461646333643731636661
|
||||||
3966666665396239346662613764353333393038663762340a313236396331623061376462356437
|
3966666665396239346662613764353333393038663762340a313236396331623061376462356437
|
||||||
66373234633939393034353439393465663131303661393164303335336435653734613064663964
|
66373234633939393034353439393465663131303661393164303335336435653734613064663964
|
||||||
3332313764623133630a393731613236373837316437653265636663666261383135636662373566
|
3332313764623133630a393731613236373837316437653265636663666261383135636662373566
|
||||||
61373135303632336237333836353764646639633735323566346366623766646266
|
61373135303632336237333836353764646639633735323566346366623766646266
|
||||||
efs:
|
secret_nextcloud_db_pass: !vault |
|
||||||
name: "9iron-nextcloud"
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
region: "us-east-2"
|
31626162623164373133356634323436373634616363663966313039313431643837326630346632
|
||||||
subnet_id: "subnet-852935ed"
|
3066303432303064663838643533373933343166356437610a613134383566653035663462393538
|
||||||
security_group: "sg-4f4b692c"
|
37616538366337313265333333373432363031323336306436643839333337313735633463326133
|
||||||
url: "nc.9iron.club"
|
6538383936643664370a663737333861303132313031373234396562653464653838343836663530
|
||||||
# Pleroma
|
38396663633237383764613139346333636432613464356465663661653265323135363032633963
|
||||||
pleroma:
|
3335626335353431616365313232346431313439653132303833
|
||||||
instance:
|
secret_nextcloud_admin_pass: !vault |
|
||||||
name: Cowfee
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
desc: owo
|
66303362626535386438633666376264313563323034343938363034353435306463613364366636
|
||||||
email: rehashedsalt@cock.li
|
3633343332643062633265643838346465623362323866610a666237636461376166373938626538
|
||||||
notify_email: noreply@cowfee.moe
|
62326334356339326330623336363038323431363266306265386635343432383764623437386462
|
||||||
openreg: "true"
|
3534643731333331320a393462323264666135666134336536633639613065363339333131653433
|
||||||
static_repo: "https://git.9iron.club/salt/pleroma"
|
37653732313664356330356139646336353735613336326563366361383737653538
|
||||||
db:
|
|
||||||
pass: !vault |
|
# For OnlyOffice
|
||||||
|
secret_onlyoffice_9iron_db_pass: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
31326366346266353162303566646632376434373966663533353737626539366662306163346562
|
||||||
|
3934666237323331303063636561613531613431303237360a323335333764356335326665626665
|
||||||
|
30396236656537626531616532353839303535336534303934316237343338336536323135653865
|
||||||
|
3036393663396633380a366461613536616264613237626164373631353137643963663830393833
|
||||||
|
34326639343831346333333461663634333434633136646163326634653439623138
|
||||||
|
|
||||||
|
# For Pleroma
|
||||||
|
secret_pleroma_9iron_db_pass: !vault |
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
34343838386134656236313462653531663839363030333630383332386535356431326436633137
|
34343838386134656236313462653531663839363030333630383332386535356431326436633137
|
||||||
3261323632653635383930333131333235373437653733300a363562666264616138623832666137
|
3261323632653635383930333131333235373437653733300a363562666264616138623832666137
|
||||||
@ -146,8 +130,7 @@ pleroma:
|
|||||||
37636162313364623933396232366239633338363539626637373163333130373665373038363566
|
37636162313364623933396232366239633338363539626637373163333130373665373038363566
|
||||||
65646633636638653335356536323334646632366164633532636634376632356166306139393766
|
65646633636638653335356536323334646632366164633532636634376632356166306139393766
|
||||||
38633934623639366263
|
38633934623639366263
|
||||||
secret:
|
secret_pleroma_key_base: !vault |
|
||||||
key_base: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
36333934336635613533333137636532363937613764353933636566663031316262333837323064
|
36333934336635613533333137636532363937613764353933636566663031316262333837323064
|
||||||
6534653062626461633462636335346132353564653038330a326330326235623530393337333063
|
6534653062626461633462636335346132353564653038330a326330326235623530393337333063
|
||||||
@ -157,51 +140,19 @@ pleroma:
|
|||||||
31633939353565303661626233623064653838636435376239376361663362636164653962383561
|
31633939353565303661626233623064653838636435376239376361663362636164653962383561
|
||||||
33366335623038653232613731333730363836653532363834663663343963303763323534343038
|
33366335623038653232613731333730363836653532363834663663343963303763323534343038
|
||||||
61666238346239636634
|
61666238346239636634
|
||||||
signing_salt: !vault |
|
secret_pleroma_signing_salt: !vault |
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
31306137646362333433313630363538333234643339353530333038393061663132633161356231
|
31306137646362333433313630363538333234643339353530333038393061663132633161356231
|
||||||
3662386234633933633762363334333031306564353132380a633339323364633137396636616363
|
3662386234633933633762363334333031306564353132380a633339323364633137396636616363
|
||||||
64393536353362386336323662316262333763326138616364333237353262323232636335353436
|
64393536353362386336323662316262333763326138616364333237353262323232636335353436
|
||||||
3563396435643363620a646337346561393863366361643536356363626334343264343861663131
|
3563396435643363620a646337346561393863366361643536356363626334343264343861663131
|
||||||
3466
|
3466
|
||||||
# snmpd
|
|
||||||
snmp:
|
|
||||||
location: "us-east-2"
|
|
||||||
contact: "Salt <rehashedsalt@cock.li>"
|
|
||||||
auth_user_pass: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
36373662333533616331623933343364663532326261653636363732323138633836356633623934
|
|
||||||
6561333833343432353561366438313165383163366131630a653163666463356462633966666330
|
|
||||||
38323965303639356635613565633030373836643132336332373730303137376165616163646538
|
|
||||||
3162616233366236350a626130643230323264343938373134653034636232303130623134393531
|
|
||||||
61366330316330646137336161623166343835316432363433373333323232383166
|
|
||||||
priv_user_pass: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
61316538316630333662633665646364356138613730633334653761626636633836363335383965
|
|
||||||
6332303265323236383130383366336662626331613866340a636139366135313134303538613833
|
|
||||||
61383662306163663634333538343733663836633834373462616265366365626533366334383031
|
|
||||||
6265643764656461320a313137326430386532653538346462323463386538303966303830343037
|
|
||||||
63333632656534333334383666666138353435383938623934663766623735656533
|
|
||||||
int_user_pass: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
31616561323762653439346630653231646137626638383930346437323139666163316131333534
|
|
||||||
6463313537316230363735346236323033386562373032330a326261393039663539353738643465
|
|
||||||
36666136663930663463373731663534316232643637623732346331383737643233626235613439
|
|
||||||
3733366462613133620a386336303434303130313636356339633939623638366236346234376566
|
|
||||||
65386530663137393830636134653632623366333837616364396161666464613166
|
|
||||||
|
|
||||||
## VIDYA
|
# For Matrix/Synapse
|
||||||
# tes3mp
|
secret_matrix_9iron_db_pass: !vault |
|
||||||
tes3mp:
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
archive: "https://github.com/TES3MP/openmw-tes3mp/releases/download/0.7.0-alpha/tes3mp-server-GNU+Linux-x86_64-release-0.7.0-alpha-abc4090a0f-01d297f5c6.tar.gz"
|
64663061333130386634323631353435376330636334623334663365633361336563393634333061
|
||||||
name: "main"
|
6531393839336532376465356132646337663339333431340a383030373166653835386239643365
|
||||||
dest: /opt/tes3mp
|
31356462653634323162343164633130366664323034373330613764663635326534303935303230
|
||||||
server:
|
6233636463636134640a386436316462643434343739333232613264303635323261616634326562
|
||||||
name: "9iron TES3MP"
|
63316265366238383038653034326661633163346462396663346563666134393232
|
||||||
maxplayers: 8
|
|
||||||
password: dicks
|
|
||||||
port: 25565
|
|
||||||
master:
|
|
||||||
enabled: "true"
|
|
||||||
host: master.tes3mp.com
|
|
||||||
port: 25561
|
|
||||||
|
@ -1,73 +1,33 @@
|
|||||||
#!/usr/bin/ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
# vim:ft=ansible:
|
||||||
all:
|
all:
|
||||||
vars:
|
vars:
|
||||||
ansible_pull_repo: "https://git.desu.ltd/salt/ansible"
|
ansible_user: ansible
|
||||||
ansible_user: ubuntu
|
|
||||||
gitea_api_token: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
39646564383934343237626436363261643265663339616566353563613266396536373164646235
|
|
||||||
3630333032613536373532616363333464653138656164390a386565316164386263363935663264
|
|
||||||
62613737336539653835356634313636643732396330313863393861373664353966363437373338
|
|
||||||
6565336264613334650a613063393662643237333864316332613131386233396562333063646263
|
|
||||||
63636238356266363065656462626536346634646365363135643538316136346566306131626161
|
|
||||||
3166653266383332343332366530343532396435353134373939
|
|
||||||
ssl_protocol: "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
|
|
||||||
ssl_cipher_suite: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
|
|
||||||
user_username: salt
|
|
||||||
user_password: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
37666131343936663962386535343939373161343337383436613961303637376136633736353533
|
|
||||||
3366623536646563383563373265313134663464396231370a303033353661336436386561366139
|
|
||||||
30393536393634653566646636366436656435623534626266343632313336336336346131383361
|
|
||||||
3366343932383930350a383637646261373135376138633533306530306339316235353262356135
|
|
||||||
34626466363266616265653064333365663663306330666632343864373335626265323230633331
|
|
||||||
33623431633665353964623437636231623366383733626266353162633762373035376638663936
|
|
||||||
62383065653836366431316461663862393130653761643937376565366435646665313961663534
|
|
||||||
64303363653631653433343361616635373966326433663466636164613062343561333036613937
|
|
||||||
35616666633737356331653632323639373330396433366639326466373639313630
|
|
||||||
children:
|
children:
|
||||||
# Personal home machines
|
|
||||||
home:
|
home:
|
||||||
vars:
|
vars:
|
||||||
ansible_user: ansible
|
ansible_become: yes
|
||||||
ansible_pull_time: "*-*-* 03:00:00"
|
|
||||||
aws:
|
|
||||||
backup_bucket: 9iron-backups-home
|
|
||||||
zerotier_network_id: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
35646131343239623265663562343333383362366633386462646465643163353866643633636135
|
|
||||||
6238643231313536323337343663313865323430323437630a353462393830376431376363373232
|
|
||||||
30656433343263653035333637336165323931363966376264353164326135336131646362623734
|
|
||||||
3339633961393864330a616437613534643231366634643362383438316233376334636264303361
|
|
||||||
65313231393433396538663463383731303661633663343066333264303330313133
|
|
||||||
hosts:
|
|
||||||
# dsk-cstm-0:
|
|
||||||
# ansible_host: 172.23.100.1
|
|
||||||
# lap-s76-lemp9-0:
|
|
||||||
# ansible_host: 172.23.100.3
|
|
||||||
# thefuck:
|
|
||||||
# vars:
|
|
||||||
# ansible_user: root
|
|
||||||
# hosts:
|
|
||||||
# game1.thefuck.how:
|
|
||||||
9iron:
|
|
||||||
children:
|
children:
|
||||||
dbservers:
|
desktop:
|
||||||
|
hosts:
|
||||||
|
#vm-rice-0:
|
||||||
|
# ansible_host: 192.168.122.14
|
||||||
|
#dsk-cstm-0.desu.ltd:
|
||||||
|
lap-s76-lemp9-0.desu.ltd:
|
||||||
|
prod:
|
||||||
vars:
|
vars:
|
||||||
|
ansible_become: yes
|
||||||
|
children:
|
||||||
|
db:
|
||||||
hosts:
|
hosts:
|
||||||
#psql1.9iron.club:
|
psql1.9iron.club:
|
||||||
webservers:
|
psql1.desu.ltd:
|
||||||
|
web:
|
||||||
|
hosts:
|
||||||
|
web1.9iron.club:
|
||||||
|
web1.desu.ltd:
|
||||||
|
app:
|
||||||
hosts:
|
hosts:
|
||||||
#web1.9iron.club:
|
|
||||||
fedi1.9iron.club:
|
fedi1.9iron.club:
|
||||||
gameservers:
|
game:
|
||||||
vars:
|
hosts:
|
||||||
steam_api_key: !vault |
|
game1.thefuck.how:
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
39616163316634306633623435636633623966306537636639316439343839393231376661666335
|
|
||||||
6136333866633861313566306433393637613364386234360a303832626338373230396665336430
|
|
||||||
33346530626633616161613635656433356434366437383363663165303862316163323263323230
|
|
||||||
3334373531646364620a386165626130386265343235363639346230323930626330343235373662
|
|
||||||
38313431663734343931333462316633643935353038313934663466303834636533616165353961
|
|
||||||
6438356265656532396363323532616437353831613261323037
|
|
||||||
|
@ -1,25 +0,0 @@
|
|||||||
#! /bin/bash
|
|
||||||
#
|
|
||||||
# localhost-deploy.sh
|
|
||||||
# Deploys configs for local machine and only local machine
|
|
||||||
# Copyright (C) 2020 Vintage Salt <rehashedsalt@cock.li>
|
|
||||||
#
|
|
||||||
# Distributed under terms of the MIT license.
|
|
||||||
#
|
|
||||||
set -e
|
|
||||||
if ! command -v ansible > /dev/null 2>&1; then
|
|
||||||
printf "Installing Ansible and related packages\n"
|
|
||||||
if command -v apt > /dev/null 2>&1; then
|
|
||||||
printf "Installing via APT\n"
|
|
||||||
sudo apt-get install libffi-dev python3-pip python3-setuptools -y
|
|
||||||
elif command -v apk > /dev/null 2>&1; then
|
|
||||||
printf "Installing via APK\n"
|
|
||||||
sudo apk add gcc musl-dev py3-cryptography py3-pip py3-setuptools
|
|
||||||
else
|
|
||||||
printf "No supported package manager found\nPlease install Ansible manually"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
sudo pip3 install ansible
|
|
||||||
fi
|
|
||||||
ansible-playbook site.yml -l "$HOSTNAME" -e "ansible_user=$USER ansible_connection=local ansible_host=localhost" --ask-become-pass --ask-vault-pass "$@"
|
|
||||||
|
|
@ -1,29 +0,0 @@
|
|||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
- hosts: fedi1.9iron.club
|
|
||||||
pre_tasks:
|
|
||||||
- name: Assure cowfee record
|
|
||||||
route53:
|
|
||||||
state: present
|
|
||||||
overwrite: yes
|
|
||||||
zone: cowfee.moe
|
|
||||||
type: A
|
|
||||||
record: "cowfee.moe."
|
|
||||||
ttl: 3600
|
|
||||||
value: [ "{{ ipify_public_ip }}" ]
|
|
||||||
wait: yes
|
|
||||||
become: yes
|
|
||||||
tags: [ common, dns ]
|
|
||||||
roles:
|
|
||||||
- role: base-backups
|
|
||||||
tags: [ backups ]
|
|
||||||
- role: matrix
|
|
||||||
vars:
|
|
||||||
matrix_db_hostname: 172.31.47.215
|
|
||||||
tags: [ fedi, matrix ]
|
|
||||||
- role: pleroma
|
|
||||||
vars:
|
|
||||||
pleroma_url: cowfee.moe
|
|
||||||
pleroma_db_hostname: 172.31.47.215
|
|
||||||
tags: [ web, pleroma ]
|
|
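--- a/playbooks/db.yml
+++ b/playbooks/db.yml
@@ -0,0 +1,90 @@
+#!/usr/bin/env ansible-playbook
+# vim:ft=ansible:
+# Database servers
+---
+- hosts: psql1.desu.ltd
+roles:
+- role: backup
+vars:
+backup_script: s3pgdump
+tags: [ backup ]
+- role: motd
+vars:
+motd_watch_services_extra:
+- postgresql
+tags: [ motd ]
+- role: postgresql
+vars:
+postgresql_global_config_options:
+- option: listen_addresses
+value: 192.168.164.156
+postgresql_hba_entries:
+- { type: local, database: all, user: postgres, auth_method: peer }
+- { type: local, database: all, user: all, auth_method: peer }
+- { type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5 }
+- { type: host, database: all, user: all, address: '::1/128', auth_method: md5 }
+# Used for internal access from other nodes
+- { type: host, database: all, user: all, address: '192.168.0.0/16', auth_method: md5 }
+postgresql_users:
+- name: gitea-desultd
+password: "{{ secret_gitea_db_pass }}"
+- name: nextcloud-desultd
+password: "{{ secret_nextcloud_db_pass }}"
+postgresql_databases:
+- name: gitea-desultd
+owner: gitea-desultd
+- name: nextcloud-desultd
+owner: nextcloud-desultd
+tags: [ db, psql ]
+- hosts: psql1.9iron.club
+roles:
+- role: backup
+vars:
+backup_script: s3pgdump
+tags: [ backup ]
+- role: motd
+vars:
+motd_watch_services_extra:
+- postgresql
+tags: [ motd ]
+- role: postgresql
+vars:
+postgresql_hba_entries:
+- { type: local, database: all, user: postgres, auth_method: peer }
+- { type: local, database: all, user: all, auth_method: peer }
+- { type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5 }
+- { type: host, database: all, user: all, address: '::1/128', auth_method: md5 }
+- { type: host, database: all, user: all, address: '172.31.0.0/16', auth_method: md5 }
+postgresql_users:
+- name: gitea
+password: "{{ secret_gitea_9iron_db_pass }}"
+- name: nextcloud
+password: "{{ secret_nextcloud_9iron_db_pass }}"
+- name: onlyoffice-9iron
+password: "{{ secret_onlyoffice_9iron_db_pass }}"
+- name: pleroma
+password: "{{ secret_pleroma_9iron_db_pass }}"
+- name: matrix
+password: "{{ secret_matrix_9iron_db_pass }}"
+postgresql_databases:
+- name: gitea
+lc_collate: C.UTF-8
+lc_ctype: C.UTF-8
+owner: gitea
+- name: nextcloud
+lc_collate: C.UTF-8
+lc_ctype: C.UTF-8
+owner: nextcloud
+- name: onlyoffice-9iron
+lc_collate: C.UTF-8
+lc_ctype: C.UTF-8
+owner: onlyoffice-9iron
+- name: pleroma
+lc_collate: C.UTF-8
+lc_ctype: C.UTF-8
+owner: pleroma
+- name: matrix
+lc_collate: C
+lc_ctype: C
+owner: matrix
+tags: [ db, psql ]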
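Review bot: Both `postgresql_hba_entries` lists grant every database to every role from an entire /16 (`address: '192.168.0.0/16'` in the psql1.desu.ltd play, `'172.31.0.0/16'` in the psql1.9iron.club play) with `auth_method: md5`, so any host on those networks may attempt password authentication against any role, and the stored md5 hash is itself a usable credential if it ever leaks. Each consumer under `postgresql_users` has a fixed name, so the entries can be scoped per pair, e.g. `- { type: host, database: gitea-desultd, user: gitea-desultd, address: '192.168.0.0/16', auth_method: scram-sha-256 }`, with `scram-sha-256` replacing `md5` once `password_encryption` is set to match (roles already hashed with md5 need their passwords re-set). The 9iron play also sets no `listen_addresses` option, so whether it accepts the 172.31.0.0/16 connections at all depends on the role default; making it explicit as the desu.ltd play does would remove the ambiguity.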
@ -1,8 +0,0 @@
|
|||||||
#!/usr/bin/ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
- hosts: psql1.9iron.club
|
|
||||||
roles:
|
|
||||||
- role: base-backups
|
|
||||||
tags: [ backups ]
|
|
||||||
- role: postgresql
|
|
||||||
tags: [ db, psql ]
|
|
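--- a/playbooks/desktop.yml
+++ b/playbooks/desktop.yml
@@ -0,0 +1,41 @@
+#!/usr/bin/env ansible-playbook
+# vim:ft=ansible:
+---
+# Home desktops
+- hosts: desktop
+post_tasks:
+- name: confirm liblzo2 dllmap
+lineinfile:
+path: /etc/mono/config
+insertafter: "<configuration>"
+line: '<dllmap dll="lzo2.dll" target="liblzo2.so.2" os="!windows"/>'
+tags: [ desktop, mono ]
+- name: give python3 cap_sys_ptrace
+capabilities:
+path: /usr/bin/python3.8
+# Required for Randovania to access Dolphin memory
+capability: cap_sys_ptrace=eip
+tags: [ desktop, python, cap ]
+roles:
+- role: backup
+vars:
+backup_s3backup_tar_args_extra: h
+backup_s3backup_list_extra:
+- /home/salt/.backup/
+tags: [ backup ]
+- role: motd
+tags: [ motd ]
+- role: desktop
+tags: [ desktop ]
+- role: grub
+tags: [ desktop, grub ]
+- role: udev
+vars:
+udev_rules:
+# Switch RCM stuff
+- SUBSYSTEM=="usb", ATTR{idVendor}=="0955", MODE="0664", GROUP="plugdev"
+tags: [ desktop, udev ]
+- role: pulseaudio
+tags: [ desktop, pulse, pulseaudio ]
+- role: zerotier
+tags: [ desktop, zerotier ]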
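Review bot: The `capabilities` task grants `cap_sys_ptrace=eip` to the shared system interpreter `/usr/bin/python3.8`, which hands that capability to every script any local user runs with it, not only Randovania; cap_sys_ptrace allows reading and modifying the memory of other users' processes, so on a multi-user desktop this removes a local privilege boundary. A narrower fix is to point the task at a dedicated copy of the interpreter (or the venv binary) used only by Randovania, and the hard-coded minor version also silently stops matching after a Python upgrade. The task comment should say both, e.g. `# cap_sys_ptrace on the shared interpreter applies to every python3.8 process, not only Randovania; path is version-pinned`.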
@ -1,17 +0,0 @@
|
|||||||
#!/usr/bin/ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
|
|
||||||
- hosts: 9iron
|
|
||||||
tasks:
|
|
||||||
- name: Add machine to DNS zone
|
|
||||||
route53:
|
|
||||||
state: present
|
|
||||||
overwrite: yes
|
|
||||||
zone: 9iron.club
|
|
||||||
type: A
|
|
||||||
record: "{{ inventory_hostname }}."
|
|
||||||
ttl: 3600
|
|
||||||
value: [ "{{ ipify_public_ip }}" ]
|
|
||||||
wait: yes
|
|
||||||
become: yes
|
|
||||||
tags: [ common, dns ]
|
|
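--- a/playbooks/game.yml
+++ b/playbooks/game.yml
@@ -0,0 +1,57 @@
+#!/usr/bin/env ansible-playbook
+# vim:ft=ansible:
+# Game servers
+---
+- hosts: game1.thefuck.how
+vars_files:
+- vars/factorio-main.yml
+- vars/minecraft-valhelsia.yml
+roles:
+- role: backup
+vars:
+backup_s3backup_list_extra:
+- /opt/minecraft/dammit
+- /opt/minecraft/valhelsia
+- /opt/minecraft/vanilla
+- /opt/factorio
+backup_s3backup_exclude_list_extra:
+- /opt/minecraft/dammit/backups
+- /opt/minecraft/valhelsia/backups
+- /opt/minecraft/vanilla/backups
+tags: [ backup ]
+- role: motd
+vars:
+motd_watch_services_extra:
+- minecraft@dammit
+- minecraft@valhelsia
+- minecraft@vanilla
+tags: [ motd ]
+- role: minecraft
+tags: [ game, minecraft, forge, valhelsia ]
+- role: factorio
+vars:
+server_version: 1.0.0
+download_checksum: sha256:81d9e1aa94435aeec4131c8869fa6e9331726bea1ea31db750b65ba42dbd1464
+service_name: factorio-main
+service_root: /opt/factorio/main
+factorio_server_settings:
+name: "Krabby Land"
+description: "Where a kid can have fun"
+max_players: 8
+visibility:
+public: false
+lan: false
+admins: [ "rehashed_salt" ]
+tags: [ game, factorio ]
+- hosts: game1.thefuck.how
+vars_files:
+- vars/minecraft-vanilla.yml
+roles:
+- role: minecraft
+tags: [ game, minecraft, paper, vanilla ]
+- hosts: game1.thefuck.how
+vars_files:
+- vars/minecraft-dammit.yml
+roles:
+- role: minecraft
+tags: [ game, minecraft, forge, dammit ]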
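Review bot: The `factorio` role entry in the first play carries an inline `vars:` block (`server_version`, `download_checksum`, `service_name`, `service_root`, `factorio_server_settings`) that duplicates `vars/factorio-main.yml` line for line, and because role parameters take precedence over play `vars_files`, the file is currently dead; the two copies will drift at the next version bump, and `download_checksum` is exactly the value that must not drift. Keep one source — drop the inline block and rely on the `vars_files` entry, as the three `minecraft` plays already do. The `minecraft` role in the first play is configured only through `vars/minecraft-valhelsia.yml`, which is not part of this change, so its settings cannot be reviewed here.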
@ -1,50 +0,0 @@
|
|||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
- hosts: gameservers
|
|
||||||
roles:
|
|
||||||
- role: base-backups
|
|
||||||
tags: [ backups ]
|
|
||||||
- hosts: game1.thefuck.how
|
|
||||||
roles:
|
|
||||||
- role: base-backups
|
|
||||||
tags: [ backups ]
|
|
||||||
- role: gitweb
|
|
||||||
vars:
|
|
||||||
gitweb_repo: "https://git.9iron.club/salt/thefuck.how"
|
|
||||||
gitweb_url: "thefuck.how"
|
|
||||||
gitweb_webroot: "/var/www/thefuck.how"
|
|
||||||
tags: [ web, webroot ]
|
|
||||||
- role: minecraft
|
|
||||||
vars:
|
|
||||||
minecraft_name: valhelsia
|
|
||||||
minecraft_version: 1.16.3
|
|
||||||
minecraft_jre_xmx: 5G
|
|
||||||
minecraft_server_properties:
|
|
||||||
- opt: difficulty
|
|
||||||
value: hard
|
|
||||||
- opt: motd
|
|
||||||
value: "Let's get this out onto a tray. Nice, mmkay"
|
|
||||||
- opt: server-port
|
|
||||||
value: 25566
|
|
||||||
- opt: view-distance
|
|
||||||
value: 10
|
|
||||||
minecraft_forge_install: yes
|
|
||||||
minecraft_forge_version: 34.1.42
|
|
||||||
minecraft_forge_packurl: "https://media.forgecdn.net/files/3110/654/Valhelsia_SERVER-pre5-3.1.0.zip"
|
|
||||||
minecraft_forge_mods:
|
|
||||||
- "https://media.forgecdn.net/files/3091/862/ftb-gui-library-1603.1.1.25.jar"
|
|
||||||
- "https://media.forgecdn.net/files/3105/153/ftb-chunks-1603.2.0.43.jar"
|
|
||||||
- "https://media.forgecdn.net/files/3113/275/industrial-foregoing-1.16.4-3.2.2-daea863.jar"
|
|
||||||
minecraft_forge_mods_remove:
|
|
||||||
- industrial-foregoing-1.16.3-3.1.1-a834e76.jar
|
|
||||||
become: yes
|
|
||||||
tags: [ gameserver, minecraft, forge, valhelsia ]
|
|
||||||
# - role: minecraft-paper
|
|
||||||
# vars:
|
|
||||||
# paper_name: "thefuckhow"
|
|
||||||
# paper_mc_maxplayers: 16
|
|
||||||
# paper_mc_motd: "brett's new serber"
|
|
||||||
# paper_jre_xms: 1024m
|
|
||||||
# paper_jre_xmx: 2048m
|
|
||||||
# tags: [ gameserver, minecraft, paper ]
|
|
@ -1,52 +0,0 @@
|
|||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
- hosts: home
|
|
||||||
roles:
|
|
||||||
- role: base-backups
|
|
||||||
tags: [ backups ]
|
|
||||||
- role: desktop-zerotier
|
|
||||||
tags: [ zerotier ]
|
|
||||||
- role: desktop-common
|
|
||||||
vars:
|
|
||||||
mopidy_spotify_username: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
62383664346563343663636261386261383865393535646465386435663535653036636665393133
|
|
||||||
3732653236663632633863346463346164663938396137370a326535633966343430633464653437
|
|
||||||
36646134393764313338323235356634353433623731336231626238653064633332306533343966
|
|
||||||
3362303836363065610a383362313738346534313435393537343931383465623466336632323632
|
|
||||||
65656663316561333462303761613963383236363532383866313038633232373132
|
|
||||||
mopidy_spotify_password: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
33303165663833663839323230643036363962393164373638333334643663626235353936343861
|
|
||||||
3834633461343533353366373330323264393361323433330a623837613037346633633065613761
|
|
||||||
63303234323734623938373134333932343965336665323939306336323836613130343866343838
|
|
||||||
3633383138646233330a366634303739643237333331613436623737663463316133666230366165
|
|
||||||
36306233336134636532383232303035343533373262373431353966656561633336
|
|
||||||
mopidy_spotify_client_id: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
32366664323864383162663963343438643930356531653064393135383364623162626533613433
|
|
||||||
6462633637396265373238383461623665393730396139320a626537353761323132386131616338
|
|
||||||
62323033666231326363616363343530333239303638626137613237393135613961613362313662
|
|
||||||
6233336234306466640a383834353935636138323837343765373966353365323634343439663435
|
|
||||||
39646138616533656361653765633161616238633335306363383030383832636330356162616264
|
|
||||||
3739646162313739646538306137623231313037386239343563
|
|
||||||
mopidy_spotify_client_secret: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
34666538353333303865623932653237313465653363356665333336343832356530666666343266
|
|
||||||
6637653137643431346562333465323862356465303766630a336531653033393133396238326134
|
|
||||||
32393033643261373764663963353130626331646266363430353536326135663239363539613530
|
|
||||||
6265366565363862610a366561373362656637623863336665336562323838643665323461653937
|
|
||||||
38306234316364306134396138376230626630633733306432626637616239373838646433343761
|
|
||||||
3436643661633766616564663937346232353666386531363438
|
|
||||||
tags: [ desktop ]
|
|
||||||
- role: pulseaudio
|
|
||||||
tags: [ pulse, pulseaudio ]
|
|
||||||
- role: desktop-sddm
|
|
||||||
vars:
|
|
||||||
sddm_theme_name: "breeze"
|
|
||||||
tags: [ sddm, desktop ]
|
|
||||||
- hosts: dsk-cstm-0
|
|
||||||
roles:
|
|
||||||
- role: rgb-kraken
|
|
||||||
tags: [ desktop, kraken, rgb ]
|
|
@ -1,11 +0,0 @@
|
|||||||
#!/usr/bin/ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
- hosts: phone
|
|
||||||
roles:
|
|
||||||
- role: base-backups
|
|
||||||
tags: [ backups ]
|
|
||||||
- role: desktop-zerotier
|
|
||||||
tags: [ zerotier ]
|
|
||||||
- role: phone-common
|
|
||||||
tags: [ phone, common ]
|
|
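--- a/playbooks/vars/9iron-apache.yml
+++ b/playbooks/vars/9iron-apache.yml
@@ -0,0 +1,30 @@
+# vim:ft=ansible:
+apache_global_vhost_settings: |
+DirectoryIndex index.php index.html
+Protocols h2 http/1.1
+<FilesMatch \.php$>
+SetHandler "proxy:fcgi://127.0.0.1:9000"
+</FilesMatch>
+apache_vhosts:
+- servername: nc.9iron.club
+extra_parameters: |
+Redirect permanent / https://nc.9iron.club/
+- servername: git.9iron.club
+extra_parameters: |
+Redirect permanent / https://git.9iron.club/
+apache_vhosts_ssl:
+- servername: git.9iron.club
+extra_parameters: |
+ProxyPreserveHost On
+ProxyRequests Off
+ProxyPass / http://127.0.0.1:3000/ nocanon retry=1
+certificate_file: /etc/letsencrypt/live/nc.9iron.club/fullchain.pem
+certificate_key_file: /etc/letsencrypt/live/nc.9iron.club/privkey.pem
+certificate_chain_file: /etc/letsencrypt/live/nc.9iron.club/chain.pem
+- servername: nc.9iron.club
+extra_parameters: |
+Header always set Strict-Transport-Security "max-age=31536000"
+documentroot: /var/www/nextcloud
+certificate_file: /etc/letsencrypt/live/nc.9iron.club/fullchain.pem
+certificate_key_file: /etc/letsencrypt/live/nc.9iron.club/privkey.pem
+certificate_chain_file: /etc/letsencrypt/live/nc.9iron.club/chain.pem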
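Review bot: The `git.9iron.club` SSL vhost sets no `Strict-Transport-Security` header while the `nc.9iron.club` vhost next to it does, so the plain-HTTP redirect is the only thing keeping returning clients on TLS for the Gitea host; add `Header always set Strict-Transport-Security "max-age=31536000"` to its `extra_parameters` alongside the proxy directives. The same vhost has `ProxyPass` without a `ProxyPassReverse`, so any redirect Gitea emits with its internal `http://127.0.0.1:3000/` origin is passed through untouched — presumably `gitea_root_url` in `9iron-gitea.yml` makes Gitea emit the public origin, but a comment saying so would save the next reader the question. The certificate paths use the `nc.9iron.club` lineage for both names, which is consistent with the single multi-domain cert in `9iron-certbot.yml`.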
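--- a/playbooks/vars/9iron-certbot.yml
+++ b/playbooks/vars/9iron-certbot.yml
@@ -0,0 +1,10 @@
+# vim:ft=ansible:
+certbot_admin_email: rehashedsalt@cock.li
+certbot_create_if_missing: yes
+certbot_create_method: standalone
+certbot_create_standalone_stop_services:
+- apache2
+certbot_certs:
+- domains:
+- nc.9iron.club
+- git.9iron.club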
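Review bot: This file, `9iron-pleroma-certbot.yml` and `desultd-certbot.yml` repeat the same settings (`certbot_admin_email`, `certbot_create_if_missing`, `certbot_create_method`, `certbot_create_standalone_stop_services`) and differ only in `certbot_certs`, so a change to the issuance method has to be made in three places; a shared certbot vars file with the per-site files holding only the domain list would remove that. `certbot_create_method: standalone` together with stopping `apache2` also means every issuance takes the sites down briefly, and nothing in these files configures renewal, so that behaviour rests on the role default — worth a comment stating which it is. If the role version in use supports a webroot method, that avoids the outage since Apache is already serving these names.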
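--- a/playbooks/vars/9iron-gitea.yml
+++ b/playbooks/vars/9iron-gitea.yml
@@ -0,0 +1,19 @@
+# vim:ft=ansible:
+# Look and feel
+gitea_app_name: "9iron Gitea"
+# Core config
+gitea_db_type: postgres
+gitea_db_host: 172.31.47.215:5432
+gitea_db_name: gitea
+gitea_db_user: gitea
+gitea_db_password: "{{ secret_gitea_9iron_db_pass }}"
+gitea_http_domain: git.9iron.club
+gitea_oauth2_enabled: no
+gitea_repository_root: /var/gitea
+gitea_require_signin: no
+gitea_root_url: https://git.9iron.club
+gitea_shell: "/bin/bash"
+gitea_ssh_domain: git.9iron.club
+gitea_ssh_port: 22
+gitea_start_ssh: no
+gitea_user: git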
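Review bot: This file and `desultd-gitea.yml` differ only in `gitea_app_name`, `gitea_db_host`, the database name/user/password, `gitea_http_domain`, `gitea_repository_root`, `gitea_root_url` and `gitea_ssh_domain`; the remaining settings (`gitea_db_type`, `gitea_oauth2_enabled`, `gitea_require_signin`, `gitea_shell`, `gitea_ssh_port`, `gitea_start_ssh`, `gitea_user`) are copied verbatim and belong in one shared vars file. Both set `gitea_start_ssh: no` with `gitea_ssh_port: 22` and `gitea_user: git`, so git-over-SSH is served by the host sshd as the `git` account; a comment such as `# SSH is served by the host sshd, not Gitea's built-in server` makes that dependency visible. `gitea_db_host` is a bare host:port with no TLS setting in view, so the database credential crosses the 172.31.0.0/16 link in the clear unless the role applies an SSL mode elsewhere — worth confirming against the role.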
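--- a/playbooks/vars/9iron-onlyoffice.yml
+++ b/playbooks/vars/9iron-onlyoffice.yml
@@ -0,0 +1,9 @@
+# vim:ft=ansible:
+db_server_host: 172.31.47.215
+db_server_name: onlyoffice-9iron
+db_server_user: onlyoffice-9iron
+db_server_pass: "{{ secret_onlyoffice_9iron_db_pass }}"
+
+cluster_mode: no
+
+enable_ssl: no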
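Review bot: Every variable in this file (`db_server_host`, `db_server_name`, `db_server_user`, `db_server_pass`, `cluster_mode`, `enable_ssl`) is unprefixed, unlike the `gitea_*`, `pleroma_*` and `nextcloud_*` files beside it, so loading it through `vars_files` puts generic names such as `enable_ssl` into play scope where any other role in the same play can pick them up. If the consuming role fixes these names, a leading comment naming it (`# Consumed by the onlyoffice role; variable names are dictated by that role`) makes the collision risk visible; otherwise prefix them. `enable_ssl: no` is presumably because TLS terminates at the Apache proxy — stating that in a comment keeps it from reading as an unencrypted public endpoint.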
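--- a/playbooks/vars/9iron-pleroma-apache.yml
+++ b/playbooks/vars/9iron-pleroma-apache.yml
@@ -0,0 +1,20 @@
+# vim:ft=ansible:
+apache_global_vhost_settings: |
+DirectoryIndex index.php index.html
+Protocols h2 http/1.1
+apache_vhosts:
+- servername: cowfee.moe
+extra_parameters: |
+Redirect permanent / https://cowfee.moe/
+apache_vhosts_ssl:
+- servername: cowfee.moe
+extra_parameters: |
+ProxyPreserveHost On
+ProxyRequests Off
+ProxyPass / http://127.0.0.1:4000/ nocanon retry=1
+ProxyPassReverse / https://127.0.0.1:4000/
+RequestHeader set X_FORWARDED_PROTO 'https'
+RequestHeader set X-Forwarded-Ssl on
+certificate_file: /etc/letsencrypt/live/cowfee.moe/fullchain.pem
+certificate_key_file: /etc/letsencrypt/live/cowfee.moe/privkey.pem
+certificate_chain_file: /etc/letsencrypt/live/cowfee.moe/chain.pem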
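Review bot: `ProxyPassReverse / https://127.0.0.1:4000/` does not match the backend URL in `ProxyPass / http://127.0.0.1:4000/`; ProxyPassReverse only rewrites `Location` and `Content-Location` headers that begin with the URL it is given, and the backend is reached over `http://`, so a redirect from Pleroma would arrive at the client with the internal origin. Change it to `ProxyPassReverse / http://127.0.0.1:4000/`. Two smaller points: the header is set as `X_FORWARDED_PROTO` with underscores whereas the conventional name is `X-Forwarded-Proto` — confirm Pleroma reads the underscored form — and the `cowfee.moe` SSL vhost lacks the `Strict-Transport-Security` header that the `nc.*` vhosts in the sibling files set.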
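--- a/playbooks/vars/9iron-pleroma-certbot.yml
+++ b/playbooks/vars/9iron-pleroma-certbot.yml
@@ -0,0 +1,10 @@
+# vim:ft=ansible:
+certbot_admin_email: rehashedsalt@cock.li
+certbot_create_if_missing: yes
+certbot_create_method: standalone
+certbot_create_standalone_stop_services:
+- apache2
+certbot_certs:
+- domains:
+- cowfee.moe
+- matrix.9iron.club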
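--- a/playbooks/vars/9iron-pleroma.yml
+++ b/playbooks/vars/9iron-pleroma.yml
@@ -0,0 +1,16 @@
+# vim:ft=ansible:
+# Site config
+pleroma_hostname: cowfee.moe
+pleroma_open_registration: "true"
+pleroma_instance_name: Cowfee
+pleroma_instance_desc: owo
+
+# Secret config
+pleroma_secret_key_base: "{{ secret_pleroma_key_base }}"
+pleroma_secret_signing_salt: "{{ secret_pleroma_signing_salt }}"
+
+# DB config
+pleroma_db_host: 172.31.47.215
+pleroma_db_name: pleroma
+pleroma_db_user: pleroma
+pleroma_db_pass: "{{ secret_pleroma_9iron_db_pass }}"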
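Review bot: `pleroma_open_registration: "true"` is a quoted YAML string while the other booleans in this change (`gitea_oauth2_enabled: no`, `certbot_create_if_missing: yes`) are bare; whether the pleroma role templates a string or a boolean into the Elixir config is not visible here, so either use a bare `true` or add a comment stating that the role expects the string form. Open registration on a public instance is also a policy decision with abuse exposure (automated sign-ups) and deserves a one-line comment such as `# registration intentionally open; moderation handled in-app` so it is not read as an oversight. Secrets are correctly indirected through `secret_*` vault variables rather than inlined.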
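--- a/playbooks/vars/apache.yml
+++ b/playbooks/vars/apache.yml
@@ -0,0 +1,22 @@
+# vim:ft=ansible:
+apache_remove_default_vhost: yes
+apache_packages_state: latest
+apache_mods_enabled:
+- headers.load
+- http2.load
+- mpm_worker.load
+- proxy.load
+- proxy_fcgi.load
+- proxy_http.load
+- rewrite.load
+- ssl.load
+apache_mods_disabled:
+- mpm_event.load
+- mpm_prefork.load
+- php7.4.load
+apache_global_vhost_settings: |
+DirectoryIndex index.php index.html
+Protocols h2 http/1.1
+<FilesMatch \.php$>
+SetHandler "proxy:fcgi://127.0.0.1:9000"
+</FilesMatch>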
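Review bot: `apache_global_vhost_settings` is defined here and again in `9iron-apache.yml`, `desultd-apache.yml` and `9iron-pleroma-apache.yml` (the last without the `<FilesMatch \.php$>` block), so the effective value depends on the order in which a play lists its `vars_files`; a play that loads this file after the pleroma file would re-enable the PHP FastCGI handler on a host with nothing listening on `127.0.0.1:9000`. Keep the PHP handler only in the files for hosts that run php-fpm and leave this file with the module lists, or document the required load order in a comment. `apache_packages_state: latest` also lets every run upgrade Apache unplanned; `present` with deliberate upgrades is the more reproducible choice.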
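--- a/playbooks/vars/desultd-apache.yml
+++ b/playbooks/vars/desultd-apache.yml
@@ -0,0 +1,75 @@
+# vim:ft=ansible:
+apache_global_vhost_settings: |
+DirectoryIndex index.php index.html
+Protocols h2 http/1.1
+<FilesMatch \.php$>
+SetHandler "proxy:fcgi://127.0.0.1:9000"
+</FilesMatch>
+apache_vhosts:
+# desu.ltd
+- servername: desu.ltd
+extra_parameters: |
+Redirect permanent / https://desu.ltd/
+- servername: git.desu.ltd
+extra_parameters: |
+Redirect permanent / https://git.desu.ltd/
+- servername: nc.desu.ltd
+extra_parameters: |
+Redirect permanent / https://nc.desu.ltd/
+# 9iron.club
+- servername: 9iron.club
+extra_parameters: |
+Redirect permanent / https://www.9iron.club/
+- servername: www.9iron.club
+extra_parameters: |
+Redirect permanent / https://www.9iron.club/
+apache_vhosts_ssl:
+# desu.ltd
+- servername: desu.ltd
+documentroot: /var/www/desu.ltd
+certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
+certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
+certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
+- servername: git.desu.ltd
+extra_parameters: |
+ProxyPreserveHost On
+ProxyRequests Off
+ProxyPass / http://127.0.0.1:3000/ nocanon retry=1
+certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
+certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
+certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
+- servername: nc.desu.ltd
+extra_parameters: |
+Header always set Strict-Transport-Security "max-age=31536000"
+documentroot: /var/www/nc.desu.ltd
+certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
+certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
+certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
+# 9iron.club
+- servername: 9iron.club
+extra_parameters: |
+Redirect permanent / https://www.9iron.club/
+certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
+certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
+certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
+- servername: www.9iron.club
+extra_parameters: |
+<Directory /var/www/www.9iron.club/files>
+Options Indexes FollowSymLinks
+</Directory>
+documentroot: /var/www/www.9iron.club
+certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
+certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
+certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
+# otwstudios.org
+- servername: otwstudios.org
+extra_parameters: |
+Redirect permanent / https://www.otwstudios.org/
+certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
+certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
+certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
+- servername: www.otwstudios.org
+documentroot: /var/www/www.otwstudios.org
+certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
+certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
+certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem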
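Review bot: The `www.9iron.club` vhost sets `Options Indexes FollowSymLinks` on `/var/www/www.9iron.club/files`; `FollowSymLinks` makes Apache serve whatever a symlink in that directory points at, so if anything other than the deployment owner can write there it is a path out of the document root. `SymLinksIfOwnerMatch` gives the same behaviour for links the owner created, and `Indexes` should carry a comment confirming the listing is meant to be public, e.g. `# public file drop: directory listing is intentional`. The `Strict-Transport-Security` header is set only on `nc.desu.ltd`; the `desu.ltd`, `git.desu.ltd`, `www.9iron.club` and `www.otwstudios.org` SSL vhosts would normally carry the same line.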
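--- a/playbooks/vars/desultd-certbot.yml
+++ b/playbooks/vars/desultd-certbot.yml
@@ -0,0 +1,15 @@
+# vim:ft=ansible:
+certbot_admin_email: rehashedsalt@cock.li
+certbot_create_if_missing: yes
+certbot_create_method: standalone
+certbot_create_standalone_stop_services:
+- apache2
+certbot_certs:
+- domains:
+- desu.ltd
+- git.desu.ltd
+- nc.desu.ltd
+- web1.desu.ltd
+- 9iron.club
+- www.9iron.club
+- otwstudios.org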
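--- a/playbooks/vars/desultd-gitea.yml
+++ b/playbooks/vars/desultd-gitea.yml
@@ -0,0 +1,19 @@
+# vim:ft=ansible:
+# Look and feel
+gitea_app_name: "Git Desu"
+# Core config
+gitea_db_type: postgres
+gitea_db_host: 192.168.164.156:5432
+gitea_db_name: gitea-desultd
+gitea_db_user: gitea-desultd
+gitea_db_password: "{{ secret_gitea_db_pass }}"
+gitea_http_domain: git.desu.ltd
+gitea_oauth2_enabled: no
+gitea_repository_root: /srv/desu.ltd/git
+gitea_require_signin: no
+gitea_root_url: https://git.desu.ltd
+gitea_shell: "/bin/bash"
+gitea_ssh_domain: git.desu.ltd
+gitea_ssh_port: 22
+gitea_start_ssh: no
+gitea_user: git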
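--- a/playbooks/vars/desultd-nextcloud.yml
+++ b/playbooks/vars/desultd-nextcloud.yml
@@ -0,0 +1,20 @@
+# vim:ft=ansible:
+nextcloud_installation_dir: /var/www/nc.desu.ltd
+nextcloud_data_dir: /srv/desu.ltd/nc
+nextcloud_admin_user: admin
+nextcloud_admin_pass: "{{ secret_nextcloud_admin_pass }}"
+nextcloud_version: 19
+nextcloud_urls:
+- http://nc.desu.ltd:80
+- https://nc.desu.ltd:443
+nextcloud_config:
+system:
+trusted_domains:
+"{{ nextcloud_urls | map('urlsplit', 'hostname') | list }}"
+nextcloud_database:
+backend: pgsql
+name: nextcloud-desultd
+user: nextcloud-desultd
+pass: "{{ secret_nextcloud_db_pass }}"
+host: 192.168.164.156
+port: 5432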
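--- a/playbooks/vars/factorio-main.yml
+++ b/playbooks/vars/factorio-main.yml
@@ -0,0 +1,13 @@
+# vim:ft=ansible:
+server_version: 1.0.0
+download_checksum: sha256:81d9e1aa94435aeec4131c8869fa6e9331726bea1ea31db750b65ba42dbd1464
+service_name: factorio-main
+service_root: /opt/factorio/main
+factorio_server_settings:
+name: "Krabby Land"
+description: "Where a kid can have fun"
+max_players: 8
+visibility:
+public: false
+lan: false
+admins: [ "rehashed_salt" ]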
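--- a/playbooks/vars/minecraft-dammit.yml
+++ b/playbooks/vars/minecraft-dammit.yml
@@ -0,0 +1,34 @@
+# vim:ft=ansible:
+minecraft_name: dammit
+minecraft_version: 1.7.10
+minecraft_jre_xmx: 4G
+minecraft_restart_delay: 30
+minecraft_server_properties:
+- opt: allow-flight
+value: "true"
+- opt: difficulty
+value: 3
+- opt: motd
+value: "I can't believe that I actually exist"
+- opt: server-port
+value: 25567
+- opt: view-distance
+value: 12
+minecraft_forge_install: yes
+minecraft_forge_version: 10.13.4.1614
+minecraft_forge_versionstring: "{{ minecraft_version }}-{{ minecraft_forge_version }}-{{ minecraft_version }}"
+minecraft_forge_jar_name: "forge-{{ minecraft_forge_versionstring }}-universal.jar"
+minecraft_forge_packurl: "https://www.9iron.club/files/magic-1.7.10-2.zip"
+minecraft_forge_mods:
+- "https://media.forgecdn.net/files/2309/699/worldedit-forge-mc1.7.10-6.1.1-dist.jar"
+minecraft_forge_mods_remove:
+- DynamicSurroundings-1.7.10-1.0.6.2.jar
+- favorites-1.2.jar
+- FullscreenWindowed-1.7.10-1.3.0b.jar
+- MouseTweaks-2.4.4-mc1.7.10.jar
+- "Neat 1.0-1.jar"
+- OptiFine_1.7.10_HD_U_E7.jar
+- SoundFilters-0.8_for_1.7.X.jar
+- Stellar+API-0.1.3.8.jar
+- Stellar+Sky-0.1.5.7.jar
+- World-Tooltips-1.7.10-1.2.3-79.jar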
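Review bot: `minecraft_forge_packurl` and each entry in `minecraft_forge_mods` are fetched from remote URLs with no checksum beside them, unlike `download_checksum` in factorio-main.yml in this same commit, so a replaced or tampered archive at any of those URLs would be installed unnoticed on the next run. If the minecraft role accepts a checksum alongside the URL, add one per download; otherwise record the expected digest next to each URL so it can be checked by hand, e.g. `# sha256: <fill in from a verified download>`. The same applies to the pack and mod URLs in minecraft-valhelsia.yml.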
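--- a/playbooks/vars/minecraft-valhelsia.yml
+++ b/playbooks/vars/minecraft-valhelsia.yml
@@ -0,0 +1,23 @@
+# vim:ft=ansible:
+minecraft_enabled: no
+minecraft_name: valhelsia
+minecraft_version: 1.16.3
+minecraft_jre_xmx: 5G
+minecraft_server_properties:
+- opt: difficulty
+value: hard
+- opt: motd
+value: "Let's get this out onto a tray. Nice, mmkay"
+- opt: server-port
+value: 25566
+- opt: view-distance
+value: 10
+minecraft_forge_install: yes
+minecraft_forge_version: 34.1.42
+minecraft_forge_packurl: "https://media.forgecdn.net/files/3110/654/Valhelsia_SERVER-pre5-3.1.0.zip"
+minecraft_forge_mods:
+- "https://media.forgecdn.net/files/3091/862/ftb-gui-library-1603.1.1.25.jar"
+- "https://media.forgecdn.net/files/3105/153/ftb-chunks-1603.2.0.43.jar"
+- "https://media.forgecdn.net/files/3113/275/industrial-foregoing-1.16.4-3.2.2-daea863.jar"
+minecraft_forge_mods_remove:
+- industrial-foregoing-1.16.3-3.1.1-a834e76.jar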
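--- a/playbooks/vars/minecraft-vanilla.yml
+++ b/playbooks/vars/minecraft-vanilla.yml
@@ -0,0 +1,18 @@
+# vim:ft=ansible:
+minecraft_enabled: no
+minecraft_name: vanilla
+minecraft_version: 1.16.4
+minecraft_jre_xmx: 1G
+minecraft_jre_xms: 512M
+minecraft_server_properties:
+- opt: difficulty
+value: normal
+- opt: motd
+value: "brett's new serber"
+- opt: server-port
+value: 25565
+- opt: spawn-protection
+value: 4
+- opt: view-distance
+value: 12
+minecraft_paper_install: yes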
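--- a/playbooks/vars/netdata.yml
+++ b/playbooks/vars/netdata.yml
@@ -0,0 +1,3 @@
+# vim:ft=ansible:
+netdata_git_version_tag: v1.28.0
+netdata_hostname: "{{ inventory_hostname }}"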
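--- a/playbooks/vars/php-fpm.yml
+++ b/playbooks/vars/php-fpm.yml
@@ -0,0 +1,18 @@
+#!/usr/bin/env ansible-playbook
+# vim:ft=ansible:
+# Defaults for a simple php-fpm setup
+php_enable_php_fpm: yes
+php_memory_limit: 512M
+php_packages_extra:
+- libapache2-mod-php
+- php-zip # For Nextcloud
+- php-intl
+- php-imagick
+- php-redis
+- php-bcmath
+- php-gmp
+- php-pgsql # For general DB stuff
+# Nextcloud recommended opcache settings
+php_opcache_max_accelerated_files: 10000
+php_opcache_memory_consumption: 128
+php_opcache_revalidate_freq: 2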
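Review bot: `#!/usr/bin/env ansible-playbook` at the top of this vars file is misleading: the file is loaded through `vars_files` in playbooks/web.yml, not executed, and every other vars file added in this commit starts with just `# vim:ft=ansible:`; drop the shebang line for consistency. The `# For Nextcloud` and `# For general DB stuff` comments are useful, so the untagged packages (`php-intl`, `php-imagick`, `php-redis`, `php-bcmath`, `php-gmp`) could carry the same kind of note, e.g. a `# Nextcloud recommended modules` line above that group.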
185
playbooks/web.yml
Executable file
185
playbooks/web.yml
Executable file
@ -0,0 +1,185 @@
|
|||||||
|
#!/usr/bin/env ansible-playbook
|
||||||
|
# vim:ft=ansible:
|
||||||
|
# Webservers
|
||||||
|
---
|
||||||
|
- hosts: web1.desu.ltd
|
||||||
|
tasks:
|
||||||
|
- name: configure nextcloud cronjob
|
||||||
|
cron: user=www-data name=nextcloud minute=*/5 job="php -f /var/www/nc.desu.ltd/cron.php"
|
||||||
|
tags: [ nextcloud, cron ]
|
||||||
|
vars_files:
|
||||||
|
- vars/apache.yml
|
||||||
|
- vars/php-fpm.yml
|
||||||
|
- vars/desultd-apache.yml
|
||||||
|
- vars/desultd-certbot.yml
|
||||||
|
- vars/desultd-gitea.yml
|
||||||
|
- vars/desultd-nextcloud.yml
|
||||||
|
roles:
|
||||||
|
- role: backup
|
||||||
|
vars:
|
||||||
|
backup_s3backup_list_extra:
|
||||||
|
- /var/lib/gitea
|
||||||
|
- /var/www/nc.desu.ltd
|
||||||
|
- /var/www/www.9iron.club/files
|
||||||
|
- /srv/desu.ltd
|
||||||
|
backup_s3backup_exclude_list_extra:
|
||||||
|
- /var/lib/gitea/log
|
||||||
|
tags: [ backup ]
|
||||||
|
- role: motd
|
||||||
|
vars:
|
||||||
|
motd_watch_services_extra:
|
||||||
|
- apache2
|
||||||
|
- gitea
|
||||||
|
- php7.4-fpm
|
||||||
|
tags: [ motd ]
|
||||||
|
- role: certbot
|
||||||
|
tags: [ web, certbot ]
|
||||||
|
- role: php
|
||||||
|
tags: [ web, php ]
|
||||||
|
- role: apache
|
||||||
|
tags: [ web, apache ]
|
||||||
|
- role: git
|
||||||
|
vars:
|
||||||
|
git_repos:
|
||||||
|
- repo: https://git.desu.ltd/salt/desultd
|
||||||
|
dest: /var/www/desu.ltd
|
||||||
|
- repo: https://git.desu.ltd/salt/9iron
|
||||||
|
dest: /var/www/www.9iron.club
|
||||||
|
- repo: https://git.desu.ltd/salt/gitea-custom
|
||||||
|
dest: /usr/local/bin/custom
|
||||||
|
tags: [ web, git ]
|
||||||
|
- role: nextcloud
|
||||||
|
tags: [ web, nextcloud ]
|
||||||
|
- role: gitea
|
||||||
|
tags: [ web, gitea ]
|
||||||
|
- hosts: web1.9iron.club
|
||||||
|
tasks:
|
||||||
|
- name: configure nextcloud cronjob
|
||||||
|
cron: user=www-data name=nextcloud minute=*/5 job="php -f /var/www/nextcloud/cron.php"
|
||||||
|
tags: [ nextcloud, cron ]
|
||||||
|
- name: register nextcloud efs
|
||||||
|
efs:
|
||||||
|
name: 9iron-gitea
|
||||||
|
region: us-east-2
|
||||||
|
targets:
|
||||||
|
- subnet_id: subnet-852935ed
|
||||||
|
security_groups: [ "sg-4f4b692c" ]
|
||||||
|
register: ncefs
|
||||||
|
tags: [ nextcloud, efs ]
|
||||||
|
- name: mount nextcloud efs
|
||||||
|
mount: path=/var/nextcloud src={{ ncefs.efs.filesystem_address }} fstype=nfs4 opts="nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport" state=mounted
|
||||||
|
tags: [ nextcloud, efs ]
|
||||||
|
- name: register gitea efs
|
||||||
|
efs:
|
||||||
|
name: 9iron-gitea
|
||||||
|
region: us-east-2
|
||||||
|
targets:
|
||||||
|
- subnet_id: subnet-852935ed
|
||||||
|
security_groups: [ "sg-4f4b692c" ]
|
||||||
|
register: gitefs
|
||||||
|
tags: [ gitea, efs ]
|
||||||
|
- name: mount gitea efs
|
||||||
|
mount: path=/var/gitea src={{ gitefs.efs.filesystem_address }} fstype=nfs4 opts="nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport" state=mounted
|
||||||
|
tags: [ gitea, efs ]
|
||||||
|
vars_files:
|
||||||
|
- vars/apache.yml
|
||||||
|
- vars/php-fpm.yml
|
||||||
|
- vars/9iron-apache.yml
|
||||||
|
- vars/9iron-certbot.yml
|
||||||
|
- vars/9iron-gitea.yml
|
||||||
|
roles:
|
||||||
|
- role: backup
|
||||||
|
vars:
|
||||||
|
backup_s3backup_list_extra:
|
||||||
|
- /var/gitea
|
||||||
|
- /var/lib/gitea
|
||||||
|
- /var/nextcloud
|
||||||
|
- /var/www/nextcloud
|
||||||
|
backup_s3backup_exclude_list_extra:
|
||||||
|
- /var/lib/gitea/log
|
||||||
|
tags: [ backup ]
|
||||||
|
- role: motd
|
||||||
|
vars:
|
||||||
|
motd_watch_services_extra:
|
||||||
|
- apache2
|
||||||
|
- gitea
|
||||||
|
- php7.4-fpm
|
||||||
|
tags: [ motd ]
|
||||||
|
- role: certbot
|
||||||
|
tags: [ web, certbot ]
|
||||||
|
- role: php
|
||||||
|
tags: [ web, php ]
|
||||||
|
- role: apache
|
||||||
|
tags: [ web, apache ]
|
||||||
|
- role: gitea
|
||||||
|
tags: [ web, gitea ]
|
||||||
|
- hosts: fedi1.9iron.club
|
||||||
|
vars_files:
|
||||||
|
- vars/apache.yml
|
||||||
|
- vars/9iron-pleroma.yml
|
||||||
|
- vars/9iron-pleroma-apache.yml
|
||||||
|
- vars/9iron-pleroma-certbot.yml
|
||||||
|
roles:
|
||||||
|
- role: backup
|
||||||
|
vars:
|
||||||
|
backup_s3backup_list_extra:
|
||||||
|
- /opt/pleroma
|
||||||
|
- /var/lib/pleroma
|
||||||
|
tags: [ backup ]
|
||||||
|
- role: motd
|
||||||
|
vars:
|
||||||
|
motd_watch_services_extra:
|
||||||
|
- apache2
|
||||||
|
- pleroma
|
||||||
|
tags: [ motd ]
|
||||||
|
- role: certbot
|
||||||
|
tags: [ web, certbot ]
|
||||||
|
- role: apache
|
||||||
|
tags: [ web, apache ]
|
||||||
|
- hosts: game1.thefuck.how
|
||||||
|
vars_files:
|
||||||
|
- vars/apache.yml
|
||||||
|
- vars/php-fpm.yml
|
||||||
|
roles:
|
||||||
|
- role: certbot
|
||||||
|
vars:
|
||||||
|
certbot_admin_email: rehashedsalt@cock.li
|
||||||
|
certbot_create_if_missing: yes
|
||||||
|
certbot_create_method: standalone
|
||||||
|
certbot_create_standalone_stop_services:
|
||||||
|
- apache2
|
||||||
|
certbot_certs:
|
||||||
|
- domains:
|
||||||
|
- thefuck.how
|
||||||
|
- game1.thefuck.how
|
||||||
|
tags: [ web, certbot ]
|
||||||
|
- role: php
|
||||||
|
tags: [ web, php ]
|
||||||
|
- role: apache
|
||||||
|
vars:
|
||||||
|
apache_vhosts:
|
||||||
|
- servername: thefuck.how
|
||||||
|
extra_parameters: |
|
||||||
|
Redirect permanent / https://thefuck.how/
|
||||||
|
- servername: game1.thefuck.how
|
||||||
|
extra_parameters: |
|
||||||
|
Redirect permanent / https://thefuck.how/
|
||||||
|
apache_vhosts_ssl:
|
||||||
|
- servername: thefuck.how
|
||||||
|
documentroot: /var/www/thefuck.how
|
||||||
|
certificate_file: /etc/letsencrypt/live/thefuck.how/fullchain.pem
|
||||||
|
certificate_key_file: /etc/letsencrypt/live/thefuck.how/privkey.pem
|
||||||
|
certificate_chain_file: /etc/letsencrypt/live/thefuck.how/chain.pem
|
||||||
|
- servername: game1.thefuck.how
|
||||||
|
extra_parameters: |
|
||||||
|
Redirect permanent / https://thefuck.how/
|
||||||
|
certificate_file: /etc/letsencrypt/live/thefuck.how/fullchain.pem
|
||||||
|
certificate_key_file: /etc/letsencrypt/live/thefuck.how/privkey.pem
|
||||||
|
certificate_chain_file: /etc/letsencrypt/live/thefuck.how/chain.pem
|
||||||
|
tags: [ web, apache ]
|
||||||
|
- role: git
|
||||||
|
vars:
|
||||||
|
git_repos:
|
||||||
|
- repo: https://git.desu.ltd/salt/thefuckhow
|
||||||
|
dest: /var/www/thefuck.how
|
||||||
|
tags: [ web, git ]
|
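Review bot: The `register nextcloud efs` task in the web1.9iron.club play uses `name: 9iron-gitea`, the same filesystem name the `register gitea efs` task a few lines below it uses, so `/var/nextcloud` and `/var/gitea` are mounted from the same EFS unless that sharing is intended; a nextcloud-specific name, e.g. `name: 9iron-nextcloud` (placeholder — use whatever the filesystem is actually called), looks like the intent. If the efs module's default state creates a filesystem that does not yet exist, a mistyped `name` here silently provisions a new one rather than failing, which is worth a comment on the task. Both efs tasks also hardcode `subnet-852935ed` and `sg-4f4b692c`; lifting those into the 9iron vars files alongside `region` would keep the account-specific identifiers in one place.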
@ -1,39 +0,0 @@
|
|||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
- hosts: web1.9iron.club
|
|
||||||
roles:
|
|
||||||
- role: base-backups
|
|
||||||
tags: [ backups ]
|
|
||||||
- role: gitea
|
|
||||||
tags: [ web, gitea ]
|
|
||||||
# - role: grafana
|
|
||||||
# tags: [ web, grafana ]
|
|
||||||
- role: nextcloud
|
|
||||||
tags: [ web, nextcloud ]
|
|
||||||
- role: redirect
|
|
||||||
vars:
|
|
||||||
redirect_from: "9iron.club"
|
|
||||||
redirect_to: "www.9iron.club"
|
|
||||||
redirect_webroot: "/var/www/redirect"
|
|
||||||
tags: [ web, redirect, 9i ]
|
|
||||||
- role: gitweb
|
|
||||||
vars:
|
|
||||||
gitweb_repo: "https://git.9iron.club/salt/www2"
|
|
||||||
gitweb_url: "www.9iron.club"
|
|
||||||
gitweb_webroot: "/var/www/www"
|
|
||||||
tags: [ web, webroot, 9i ]
|
|
||||||
- hosts: web1.9iron.club
|
|
||||||
roles:
|
|
||||||
- role: redirect
|
|
||||||
vars:
|
|
||||||
redirect_from: "otwstudios.org"
|
|
||||||
redirect_to: "www.otwstudios.org"
|
|
||||||
redirect_webroot: "/var/www/redirect"
|
|
||||||
tags: [ web, redirect, otw ]
|
|
||||||
- role: gitweb
|
|
||||||
vars:
|
|
||||||
gitweb_repo: "https://git.9iron.club/KidiroInfiniti/OTW_Site"
|
|
||||||
gitweb_url: "www.otwstudios.org"
|
|
||||||
gitweb_webroot: "/var/www/otwstudios.org"
|
|
||||||
tags: [ web, webroot, otw ]
|
|
@ -1,9 +0,0 @@
|
|||||||
#!/usr/bin/env ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
- hosts: all
|
|
||||||
roles:
|
|
||||||
- role: common
|
|
||||||
tags: [ common ]
|
|
||||||
- role: ansible-pull
|
|
||||||
tags: [ ansible, common ]
|
|
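--- a/reboot.yml
+++ b/reboot.yml
@@ -1,15 +1,13 @@
 #!/usr/bin/env ansible-playbook
 # vim:ft=ansible:
 ---
-- hosts: dbservers,webservers,gameservers
+- hosts: db,web,game
 serial: 1
 tasks:
-- name: Check for reboot-required
-stat:
-path: "/var/run/reboot-required"
+- name: check for reboot-required
+stat: path=/var/run/reboot-required
 register: s
-- name: Reboot
-reboot:
-reboot_timeout: 300
+- name: reboot
+reboot: reboot_timeout=300
 when: s.stat.exists
 become: yes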
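Review bot: `register: s` is kept unchanged while the surrounding tasks were rewritten; a descriptive name reads better at the point of use, i.e. `register: reboot_required` and `when: reboot_required.stat.exists`. The host pattern change to `db,web,game` assumes the inventory groups were renamed to match, which cannot be confirmed from this hunk.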
3
roles/ansible-pull/README.md
Normal file
3
roles/ansible-pull/README.md
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
# ansible-pull
|
||||||
|
|
||||||
|
This role configures and enables a period `ansible-pull` task through systemd, allowing for machines to ensure proper configuration periodically and of their own volition.
|
@ -1,5 +1,5 @@
|
|||||||
# vim:ft=ansible:
|
# vim:ft=ansible:
|
||||||
ansible_pull_boot_delay: "15min"
|
ansible_pull_boot_delay: 15min
|
||||||
# Use `systemd-analyze calendar` for testing
|
ansible_pull_commit: master
|
||||||
ansible_pull_time: "*-*-* 01:00:00"
|
ansible_pull_time: "*-*-* 01:00:00"
|
||||||
ansible_pull_playbook: "site.yml"
|
ansible_pull_playbook: site.yml
|
||||||
|
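Review bot: The comment `# Use \`systemd-analyze calendar\` for testing` that documented the format of `ansible_pull_time` was dropped when `ansible_pull_commit: master` was added in its place; the new key does not replace it, so put the comment back directly above `ansible_pull_time`. `ansible_pull_commit: master` is also a moving branch head rather than a tag, which is a reasonable default but deserves a one-line comment so readers know hosts follow the branch as it changes. This hunk carries no visible file header, so the defaults file it belongs to is inferred from its keys.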
@ -1,10 +1,5 @@
|
|||||||
#!/usr/bin/ansible-playbook
|
#!/usr/bin/env ansible-playbook
|
||||||
# vim:ft=ansible:
|
# vim:ft=ansible:
|
||||||
---
|
|
||||||
- name: restart ansiblepull timer
|
- name: restart ansiblepull timer
|
||||||
systemd:
|
systemd: daemon_reload=yes name=ansible-pull.timer enabled=yes state=started
|
||||||
daemon_reload: yes
|
|
||||||
name: ansible-pull.timer
|
|
||||||
enabled: yes
|
|
||||||
state: restarted
|
|
||||||
become: yes
|
become: yes
|
||||||
|
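Review bot: The handler is still named `restart ansiblepull timer`, but the collapsed line now sets `state=started` where the old form had `state: restarted`; a timer that is already active may keep its existing schedule under `started`, so a changed timer template that notifies this handler would not be picked up. Use `systemd: daemon_reload=yes name=ansible-pull.timer enabled=yes state=restarted`, or rename the handler to match what it does. As written it is also identical to the `enable timer` task in the same role's tasks file, which makes the notification redundant.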
@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
allow_duplicates: no
|
|
||||||
dependencies:
|
|
||||||
- role: ansible
|
|
@ -1,36 +1,16 @@
|
|||||||
#!/usr/bin/ansible-playbook
|
#!/usr/bin/env ansible-playbook
|
||||||
# vim:ft=ansible:
|
# vim:ft=ansible:
|
||||||
---
|
- name: assure vault password file
|
||||||
- name: Set up ansible-pull
|
copy: src=vaultpass dest="~/ansiblevaultpass" mode="0600"
|
||||||
block:
|
|
||||||
- name: Copy Ansible password file
|
|
||||||
copy:
|
|
||||||
src: ansiblevaultpass
|
|
||||||
dest: ~/ansiblevaultpass
|
|
||||||
mode: "0600"
|
|
||||||
become: yes
|
become: yes
|
||||||
become_user: ansible
|
become_user: ansible
|
||||||
- name: Configure systemd unit
|
- name: install ansible
|
||||||
block:
|
pip: name=ansible,ansible-base,ansible-lint state=latest
|
||||||
- name: Template out config
|
when: ansible_os_family != "Gentoo"
|
||||||
template: src=ansible-pull.cfg dest=~/ansible-pull.cfg
|
- name: configure systemd service
|
||||||
become: yes
|
template: src=ansible-pull.service dest=/etc/systemd/system/ansible-pull.service
|
||||||
become_user: ansible
|
- name: configure systemd timer
|
||||||
- name: Template out services
|
template: src=ansible-pull.timer dest=/etc/systemd/system/ansible-pull.timer
|
||||||
template:
|
|
||||||
src: "{{ item.src }}"
|
|
||||||
dest: "{{ item.dest }}"
|
|
||||||
mode: "{{ item.mode }}"
|
|
||||||
loop:
|
|
||||||
- { src: "ansible-pull.service", dest: "/etc/systemd/system/ansible-pull.service", mode: "0644" }
|
|
||||||
- { src: "ansible-pull.timer", dest: "/etc/systemd/system/ansible-pull.timer", mode: "0644" }
|
|
||||||
notify: restart ansiblepull timer
|
notify: restart ansiblepull timer
|
||||||
- name: Enable timer
|
- name: enable timer
|
||||||
systemd:
|
systemd: daemon_reload=yes name=ansible-pull.timer enabled=yes state=started
|
||||||
daemon_reload: yes
|
|
||||||
name: ansible-pull.timer
|
|
||||||
enabled: yes
|
|
||||||
state: started
|
|
||||||
notify: restart ansiblepull timer
|
|
||||||
when: ansible_service_mgr == "systemd"
|
|
||||||
become: yes
|
|
||||||
|
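Review bot: `pip: name=ansible,ansible-base,ansible-lint state=latest` in the `install ansible` task installs whatever the newest PyPI release is on every pull, so an unattended ansible-pull run can upgrade its own engine (and, if pip runs with elevated privileges, the system site-packages) with no pinned version or hash; pin them, e.g. `name=ansible==<pinned version>,ansible-lint==<pinned version>`, or point pip at a requirements file in the repo so an upgrade is a reviewed change. The `copy: src=vaultpass dest="~/ansiblevaultpass" mode="0600"` task puts the vault password itself under the role's files directory; that file cannot be protected by the same vault password it unlocks, so confirm it is supplied from outside the repository rather than committed in plaintext. The new systemd tasks also no longer carry the `become: yes` and `when: ansible_service_mgr == "systemd"` guards the old block had; if the role is not always invoked with privilege escalation, the templates into /etc/systemd/system will fail, and on hosts without systemd the enable step has nothing to act on.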
@ -1,12 +0,0 @@
|
|||||||
[defaults]
|
|
||||||
gathering = smart
|
|
||||||
interpreter_python = python3
|
|
||||||
inventory = ansible-pull-repo/inventory
|
|
||||||
roles_path = ansible-pull-repo/roles
|
|
||||||
# Secrets
|
|
||||||
ask_become_pass = false
|
|
||||||
ask_vault_pass = false
|
|
||||||
# Warnings
|
|
||||||
command_warnings = true
|
|
||||||
#deprecation_warnings = false
|
|
||||||
system_warnings = true
|
|
@ -3,12 +3,15 @@
|
|||||||
Description=Ansible pull service
|
Description=Ansible pull service
|
||||||
StartLimitIntervalSec=3600
|
StartLimitIntervalSec=3600
|
||||||
StartLimitBurst=5
|
StartLimitBurst=5
|
||||||
|
After=network-online.target
|
||||||
|
Wants=network-online.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
User=ansible
|
User=ansible
|
||||||
Group=ansible
|
Group=ansible
|
||||||
Environment=ANSIBLE_CONFIG=~/ansible-pull.cfg
|
Type=oneshot
|
||||||
ExecStart=/usr/local/bin/ansible-pull --accept-host-key -U "{{ ansible_pull_repo }}" -d "~/ansible-pull-repo" --vault-password-file "~/ansiblevaultpass" "{{ ansible_pull_playbook }}"
|
Environment=ANSIBLE_CONFIG=~/ansible-pull-repo/ansible-pull.cfg
|
||||||
|
ExecStart=ansible-pull --accept-host-key -U "{{ ansible_pull_repo }}" -C "{{ ansible_pull_commit }}" -d "~/ansible-pull-repo" --vault-password-file "~/ansiblevaultpass" "{{ ansible_pull_playbook }}"
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
RestartSec=90
|
RestartSec=90
|
||||||
|
|
||||||
|
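Review bot: The rewritten `ExecStart=ansible-pull --accept-host-key ...` keeps `--accept-host-key`, so an unattended configuration pull trusts whatever SSH host key the git server presents on first contact; for a timer-driven unit a pre-provisioned known_hosts entry for the repository host is the safer choice, though this only matters if `ansible_pull_repo` is an ssh URL, which is not visible here. `Environment=ANSIBLE_CONFIG=~/ansible-pull-repo/ansible-pull.cfg`, `-d "~/ansible-pull-repo"` and `--vault-password-file "~/ansiblevaultpass"` all rely on `~` being expanded, and systemd does not expand tildes in unit files; unless ansible-pull expands each of these itself, the explicit form is the home specifier, e.g. `Environment=ANSIBLE_CONFIG=%h/ansible-pull-repo/ansible-pull.cfg`. The bare `ExecStart=ansible-pull` with no absolute path also depends on a systemd version that resolves the command via PATH, whereas the removed line used `/usr/local/bin/ansible-pull`.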
@ -1,135 +0,0 @@
|
|||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
38366663623636336331373931396632616133633538633562353430656338666162393164346436
|
|
||||||
3939356235343431326165373231313930386639333466330a613864636237373735306636383631
|
|
||||||
66363165343164616333636336393561313633613130656664323663356162636265373639336665
|
|
||||||
3564333732373634370a656231613835663436326633346263316630346461316566363462666132
|
|
||||||
39346632316563333633363061336534356336363534613837386332393166383565336635633763
|
|
||||||
30336139326361313763303739393265316535643238663736646361656639373461396433396665
|
|
||||||
63363237303933373265613336616335343038326561346362323636333333313235366361653463
|
|
||||||
39386137356632373032343762303538656130366430643030383234343663366666373162393063
|
|
||||||
32656366313631613235643061366639323930363766363137393737646666383839336264373831
|
|
||||||
64316164613332353430373933633939373933303461663832333663313561643462666234633461
|
|
||||||
31653039323430613731656538343831376632376634336436643461643063643138396131316134
|
|
||||||
66373035326333613035643833363836613437376265373135326362323062633936323435383630
|
|
||||||
39646433356161663831356265346261363137666634646331306130306232343638346264303631
|
|
||||||
32303737643632393937363738623865303735633535316162366464393163653834386432663261
|
|
||||||
64303339343335666532663434353234353066663632633730373530313637666532363863313963
|
|
||||||
31326662633639376462303466646536323965643739636438613132333738373430363534396361
|
|
||||||
37616566303633663362326436666636343762653531313435356163636133643430393139623938
|
|
||||||
38643839373365313966636466393039626139366665346664643930353630613236303761306331
|
|
||||||
34656137643764633132643830666638333938316530613236643232633830643337623432656134
|
|
||||||
66636138326230623336653938323934316339393531393163343637386236613334636362613265
|
|
||||||
30386638636662393431363134353165613965306364373061613634303132336336396265323565
|
|
||||||
34303231356664376464363533626263626130653565653032656264616236656161343039333461
|
|
||||||
32303736383365346138313864633966623963633635313161623565363664303562316338366161
|
|
||||||
61386133663265316464646637336239396339386561306632313235363136316430636635626432
|
|
||||||
36333432623564376134343965653138353331663632346262396432356637623738323333366633
|
|
||||||
35396630386536653232396439663135343934653835643962353039323664383432326463323735
|
|
||||||
38643235643633316338396364393730333235316139353535643534303863356365353630653239
|
|
||||||
30306437383336303530316232666161646363646436666335613763306534356432663933323663
|
|
||||||
63633838633139373336376633643363393730313531353766656139326634613366356666623236
|
|
||||||
38353562653065386662656632373332653162383165666131386132613962643635663864656433
|
|
||||||
63343837363831396166616162353935383935653732346139366637306436386532646330343332
|
|
||||||
39666431616662393036616134666436393366303365336162646539656138636166656633313533
|
|
||||||
39626162346263306235346662343432396635636238383032623066343165366166656537613535
|
|
||||||
63383232303831323064636662366264663666353337373065326561343661396632353532346564
|
|
||||||
63616333363962366364373038336261613833623561636437343564656630663032313562386436
|
|
||||||
62656163636638323764313239336435383930303735623035313136326130373432376139623736
|
|
||||||
65613430353265356233373866653236633832373231333434643238326430356666626461663435
|
|
||||||
65623964313837353665373739613230633932653837643532623463366535323565636562356436
|
|
||||||
61616236366564323765653165323132326238633365353365333366363864636265656437373537
|
|
||||||
62356134343366373335393833666531366462306336396337313966326230393435383562343364
|
|
||||||
34313037393461383930373538653962623964313862326532333739373933303137313662376639
|
|
||||||
31396634323032393131323735333634356133316333383936366366623936643539323539613763
|
|
||||||
34363839353163616338396430643263336163653735656361656362336130653236363437373130
|
|
||||||
36343063306366303037666530616631333834633531363036343461633138393736623334643630
|
|
||||||
35323262323938366561363835616231316364343837383539656638346135663164623334616466
|
|
||||||
64653161313233373563343537326336336465623432636538323037386539343439373137666137
|
|
||||||
62393135316363643161393330656130663737303534356630376334633239346663356561376337
|
|
||||||
64343532313565393330316538376263353839383565643734336637666630663061316163343139
|
|
||||||
39393638356133613266656230313836623435613636336436616337653030376430376263323939
|
|
||||||
66623038383035373365643436353834623038646634636465353735356135643264623534313731
|
|
||||||
34343538356331646432653133386335623336303066663635326262623837663033303461376362
|
|
||||||
31373361353664383361326530333361336562663033303963636135666235626263303538366234
|
|
||||||
63313461666463376361373639336637306132353066393233626333376534356264356335373538
|
|
||||||
31306363613435303062623466303339363931396163373834323738336636656337333938653766
|
|
||||||
64386233663366343434376432303731653937313639376661336462323662373134643332326661
|
|
||||||
37396664363030343362613133393130373730646534616431303730633466353637353264646132
|
|
||||||
36373861613864393366653065353662626434396163663137636135333238313363303266623732
|
|
||||||
61646166666136306133633761373833633332616634333131303534306434366165613933323666
|
|
||||||
61666562626135396434316130303839643331316532663336343731393431643739376565363330
|
|
||||||
33623036613930333338353262643766336134386662336462616562353536616330666330306264
|
|
||||||
30633162636562613562363661653531356134613632633562306338353236393336313132663961
|
|
||||||
34313466383464616639643630376465396164383536666365353139383562386130626562353436
|
|
||||||
31303633623137663238663065363434336663336634363437646363656462333430653464643939
|
|
||||||
66333036646631353138646264386630356563333932633933643337396363343562623766356533
|
|
||||||
38316639353234666336383737383532353963633762313437356262383830643137353262383964
|
|
||||||
30396636626465336331313264666637393030663765393338333061623030633134313438386631
|
|
||||||
36336238386563313037373237366432323937663539663162396166663033626663646461323362
|
|
||||||
64643137613939363164616533366436353631396232663832393231316263646466653966333238
|
|
||||||
66393965623863393433323366366130666364376164336638666331666461316135353338343139
|
|
||||||
39636566393437396333633462396464616131333134613131323964353434613736313736376461
|
|
||||||
37373130626331623362613538353735613963363035656433626134336564303966383462363661
|
|
||||||
34353064643732666264323536316231643833326664386333396536336665316339303562323763
|
|
||||||
35646561613439643066613765623563386331363437353637376434656638373962383865396464
|
|
||||||
65353834356631316438386139316631336262356139663062346131336432333834616231666538
|
|
||||||
32346565343263646461363336353365626532613465623833623036663839613864333961666437
|
|
||||||
32633662626462386366363736323739366434323632373066373435633961623038363061386261
|
|
||||||
36333139636135623131653234346163353366316562653439336233316236386431383163653866
|
|
||||||
38393939646363613132323663643931306135626165626264666262323764336562636166626533
|
|
||||||
30613762353431643635656566656533346330306463353839393035343766656465343132363862
|
|
||||||
38306239663262336338353033303764633935303562643936373732396466616564323532326439
|
|
||||||
36623538363638376232616535363263373664386332623237313834613165393439323936383562
|
|
||||||
63373966643531346337333935393862346437316264656563316539303037343933393639363434
|
|
||||||
66616161626165373661653963323835383437656464383931363236376165633834343039323035
|
|
||||||
62386637373738653639643232636631366532626332356538663166653839303663643332323130
|
|
||||||
63386465323838666437646361653633626635303733626238326237623637623563303465353531
|
|
||||||
66333935333335396634356539313434616538336135306631353961623764376665653365356335
|
|
||||||
30656266313637383534353736346633393432343466666639376330313837353763343438653366
|
|
||||||
38346132336336656365323166303632633661383530626331613739303961386235346139366236
|
|
||||||
30636464336165353436303966633935323835353439363636386661383461363265323937653565
|
|
||||||
65383139613365613337623136626133393461663461613566623134396431613733663137373335
|
|
||||||
31666332393338666235653562356563643033353961386466386562346339653638626261306635
|
|
||||||
34353132353664373332323335646438646433386430313061643737623566613339653131623836
|
|
||||||
62633936626436626133303633366336373838336531336139616564623364626534383834313234
|
|
||||||
37666163623462656434316563363535646236666536396431626132323361343238303834366637
|
|
||||||
33623565313730386264336638306637623931323861333939376165323139376335326566333633
|
|
||||||
65316439613430383230323439613538396630306233356339613662333061643732346531656364
|
|
||||||
65623263336538346561356631386639363939643434343938373264373565613537336465363038
|
|
||||||
66363963626365633338663234643764316530353566376633313732336533333063613232333538
|
|
||||||
66396236313866343038656366633738666463356432613230636361316436666432373636363034
|
|
||||||
63353231346533303361363834333231633131613165366134353763363766613033656333626438
|
|
||||||
30333731383264323732313261336263326562316530663962313739383836326536363030333564
|
|
||||||
39333436396136623161373032643438633431303761333962623832333832366463626533653832
|
|
||||||
64323333306336616363613865393561656636633735616333333736633463396330353665626561
|
|
||||||
38316134626163376466643537336335313131353461316362383865363437643263636339383831
|
|
||||||
65383762663265636663396135386630326333393237356564616237393431633537633762616134
|
|
||||||
34353264346539663038663866386538306662316233353130663332643533623436393937366266
|
|
||||||
65303330633966613038393430303536363730643463663733653237343937336136353233303037
|
|
||||||
65613537656335356533666136366363323535636635323330623664626564656537356363633763
|
|
||||||
31313437363766663338313633663866663563393039363232656638363961336631303464306536
|
|
||||||
36396136346663323038386634343461336666636438323866356339623763656436643833393963
|
|
||||||
66396662366632653831393238396535623939306434396537643930393261336161396239383330
|
|
||||||
62336237396639663837623561383964346633353935366266373030633864393433623734613233
|
|
||||||
35653138303866656465363465313733616363633334663062363436376139633231626564376166
|
|
||||||
34643864333865633832616539333063396264376566666539633936646338623763353032353635
|
|
||||||
34633465613135376234303538636432346336383431343237323661393564306438333830393737
|
|
||||||
38356333363961643735356265613762396663323264336565623762356163626130623366623861
|
|
||||||
31626135613865613866666565663063656632653339333866396537343131636366393131346438
|
|
||||||
66626434656235376265386135333165366162346536623466303437313131336165346238383934
|
|
||||||
35353064663536373162613836383663396661633930616431653764353339613835393762396332
|
|
||||||
32363965653235646130323761316437376631383464306661623963306362343631666538653864
|
|
||||||
30613233336339373739363733346466313764383165643466316239613264393332626133363437
|
|
||||||
36666431613263393730393264326235353239633035653736626233343630623736646230653064
|
|
||||||
35393932396361623239326435356563623033316561373236613136333938363265376561386430
|
|
||||||
36393730353465376663343361306234346564623837363565373733373936623534353639623538
|
|
||||||
62316264613734326638636538653861663637623462306138636532653036343061396363363631
|
|
||||||
61316638653133636561363333363638396439643835363033336666346461356637336233386234
|
|
||||||
32336664376631336662613239353461633566633565623137643536343137373534663031626333
|
|
||||||
64613335656330666465366638373863306439636166346430363033313435626337373764313938
|
|
||||||
35306465656264643463653930303830333262616233333532616138383335626663636365626464
|
|
||||||
65613461633737646235343230346331313435386530383838613930633037356537623039333936
|
|
||||||
61353332386231623237613731363731383738383934613932613031633235663935386536323733
|
|
||||||
31393263353339633462326639306264356562393166366263626537313432366639376531386263
|
|
||||||
31643061303032303363653631323131656436663563363333646162643331376438343437663034
|
|
||||||
6332323532343937323062386135393566323732356533336162
|
|
@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
allow_duplicates: no
|
|
||||||
dependencies:
|
|
||||||
- role: awscreds
|
|
@ -1,51 +0,0 @@
|
|||||||
#!/usr/bin/ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
- name: Set up Ansible
|
|
||||||
block:
|
|
||||||
- name: Install Ansible-required packages via apt
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- python3-pip
|
|
||||||
- python3-boto
|
|
||||||
- python3-boto3
|
|
||||||
- python3-botocore
|
|
||||||
- python3-setuptools
|
|
||||||
become: true
|
|
||||||
when: ansible_os_family == "Debian"
|
|
||||||
- name: Install Ansible-required packages via apk
|
|
||||||
apk:
|
|
||||||
name:
|
|
||||||
- gcc
|
|
||||||
- musl-dev
|
|
||||||
- py3-boto
|
|
||||||
- py3-boto3
|
|
||||||
- py3-botocore
|
|
||||||
- py3-cryptography
|
|
||||||
- py3-pip
|
|
||||||
- py3-setuptools
|
|
||||||
when: ansible_distribution == "Alpine"
|
|
||||||
- name: Install Ansible-required packages via pip
|
|
||||||
pip:
|
|
||||||
name: "{{ packages }}"
|
|
||||||
state: latest
|
|
||||||
vars:
|
|
||||||
packages:
|
|
||||||
- ansible
|
|
||||||
- ansible-base
|
|
||||||
- ansible-lint
|
|
||||||
- name: Assure root .ssh directory
|
|
||||||
file:
|
|
||||||
path: ~/.ssh
|
|
||||||
state: directory
|
|
||||||
mode: "0600"
|
|
||||||
- name: Copy Ansible private key
|
|
||||||
copy:
|
|
||||||
src: ansiblekey
|
|
||||||
dest: ~/.ssh/ansible
|
|
||||||
mode: "0600"
|
|
||||||
- name: Clone Ansible repo
|
|
||||||
git:
|
|
||||||
dest: /etc/ansible
|
|
||||||
repo: "{{ ansible_pull_repo }}"
|
|
||||||
become: true
|
|
@ -1,30 +0,0 @@
|
|||||||
# The MariaDB configuration file
|
|
||||||
#
|
|
||||||
# The MariaDB/MySQL tools read configuration files in the following order:
|
|
||||||
# 1. "/etc/mysql/mariadb.cnf" (this file) to set global defaults,
|
|
||||||
# 2. "/etc/mysql/conf.d/*.cnf" to set global options.
|
|
||||||
# 3. "/etc/mysql/mariadb.conf.d/*.cnf" to set MariaDB-only options.
|
|
||||||
# 4. "~/.my.cnf" to set user-specific options.
|
|
||||||
#
|
|
||||||
# If the same option is defined multiple times, the last one will apply.
|
|
||||||
#
|
|
||||||
# One can use all long options that the program supports.
|
|
||||||
# Run program with --help to get a list of available options and with
|
|
||||||
# --print-defaults to see which it would actually understand and use.
|
|
||||||
|
|
||||||
[mysqld]
|
|
||||||
max_allowed_packet=100M
|
|
||||||
skip-networking
|
|
||||||
innodb_file_format = Barracuda
|
|
||||||
innodb_large_prefix = 1
|
|
||||||
innodb_file_per_table = ON
|
|
||||||
|
|
||||||
#
|
|
||||||
# This group is read both both by the client and the server
|
|
||||||
# use it for options that affect everything
|
|
||||||
#
|
|
||||||
[client-server]
|
|
||||||
|
|
||||||
# Import all .cnf files from configuration directory
|
|
||||||
!includedir /etc/mysql/conf.d/
|
|
||||||
!includedir /etc/mysql/mariadb.conf.d/
|
|
@ -1,8 +0,0 @@
|
|||||||
#!/usr/bin/ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
- name: restart apache
|
|
||||||
service:
|
|
||||||
name: apache2
|
|
||||||
state: restarted
|
|
||||||
become: yes
|
|
@ -1,2 +0,0 @@
|
|||||||
---
|
|
||||||
allow_duplicates: no
|
|
@ -1,76 +0,0 @@
|
|||||||
#!/usr/bin/ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
- name: Install, configure, and start Apache and PHP
|
|
||||||
block:
|
|
||||||
- name: Install Apache and PHP packages
|
|
||||||
apt:
|
|
||||||
name: "{{ packages }}"
|
|
||||||
vars:
|
|
||||||
packages:
|
|
||||||
- apache2
|
|
||||||
- libapache2-mod-php
|
|
||||||
- php
|
|
||||||
- php-gd
|
|
||||||
- php-json
|
|
||||||
- php-mysql
|
|
||||||
- php-curl
|
|
||||||
- php-mbstring
|
|
||||||
- php-intl
|
|
||||||
- php-xml
|
|
||||||
- php-zip
|
|
||||||
- php-cgi
|
|
||||||
- php-cli
|
|
||||||
- python3-passlib # For htpasswd support
|
|
||||||
- name: Find PHP config directory
|
|
||||||
find:
|
|
||||||
paths: /etc/php
|
|
||||||
patterns: '*'
|
|
||||||
file_type: directory
|
|
||||||
register: phpdirs
|
|
||||||
- name: Debug
|
|
||||||
debug:
|
|
||||||
var: phpdirs.files.0.path
|
|
||||||
- name: Copy configuration
|
|
||||||
copy:
|
|
||||||
src: "{{ item.src }}"
|
|
||||||
dest: "{{ phpdirs.files.0.path }}/{{ item.dest }}"
|
|
||||||
mode: "{{ item.mode }}"
|
|
||||||
loop:
|
|
||||||
- { src: "php-apache2.ini", dest: "apache2/php.ini", mode: "0644" }
|
|
||||||
- { src: "php-cgi.ini", dest: "cgi/php.ini", mode: "0644" }
|
|
||||||
- name: Create includes directory
|
|
||||||
file: path=/etc/apache2/includes state=directory
|
|
||||||
- name: Disable default website
|
|
||||||
file:
|
|
||||||
# This is a symlink so who cares
|
|
||||||
path: "/etc/apache2/sites-enabled/000-default.conf"
|
|
||||||
state: absent
|
|
||||||
- name: Configure modules
|
|
||||||
block:
|
|
||||||
- name: Disable modules
|
|
||||||
command:
|
|
||||||
argv:
|
|
||||||
- "/usr/sbin/a2dismod"
|
|
||||||
- "{{ item }}"
|
|
||||||
removes: "/etc/apache2/mods-enabled/{{ item }}.load"
|
|
||||||
loop:
|
|
||||||
- mpm_event
|
|
||||||
notify: restart apache
|
|
||||||
- name: Enable modules
|
|
||||||
command:
|
|
||||||
argv:
|
|
||||||
- "/usr/sbin/a2enmod"
|
|
||||||
- "{{ item }}"
|
|
||||||
creates: "/etc/apache2/mods-enabled/{{ item }}.load"
|
|
||||||
loop:
|
|
||||||
- headers
|
|
||||||
- mpm_prefork
|
|
||||||
# Fun fact: this works
|
|
||||||
- php*
|
|
||||||
- proxy
|
|
||||||
- proxy_http
|
|
||||||
- rewrite
|
|
||||||
- ssl
|
|
||||||
notify: restart apache
|
|
||||||
become: yes
|
|
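--- a/roles/apache/.gitignore
+++ b/roles/apache/.gitignore
@@ -0,0 +1,3 @@
+*.retry
+*/__pycache__
+*.pyc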
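--- a/roles/apache/.travis.yml
+++ b/roles/apache/.travis.yml
@@ -0,0 +1,33 @@
+---
+language: python
+services: docker
+
+env:
+global:
+- ROLE_NAME: apache
+matrix:
+- MOLECULE_DISTRO: ubi8
+- MOLECULE_DISTRO: centos7
+- MOLECULE_DISTRO: centos6
+- MOLECULE_DISTRO: ubuntu1804
+- MOLECULE_DISTRO: ubuntu1604
+- MOLECULE_DISTRO: ubuntu1404
+- MOLECULE_DISTRO: debian10
+- MOLECULE_DISTRO: debian9
+
+install:
+# Install test dependencies.
+- pip install molecule docker
+
+before_script:
+# Use actual Ansible Galaxy role name for the project directory.
+- cd ../
+- mv ansible-role-$ROLE_NAME geerlingguy.$ROLE_NAME
+- cd geerlingguy.$ROLE_NAME
+
+script:
+# Run tests.
+- molecule test
+
+notifications:
+webhooks: https://galaxy.ansible.com/api/v1/notifications/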
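--- a/roles/apache/LICENSE
+++ b/roles/apache/LICENSE
@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Jeff Geerling
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.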
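--- a/roles/apache/README.md
+++ b/roles/apache/README.md
@@ -0,0 +1,156 @@
+# Ansible Role: Apache 2.x
+
+[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-apache.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-apache)
+
+An Ansible Role that installs Apache 2.x on RHEL/CentOS, Debian/Ubuntu, SLES and Solaris.
+
+## Requirements
+
+If you are using SSL/TLS, you will need to provide your own certificate and key files. You can generate a self-signed certificate with a command like `openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout example.key -out example.crt`.
+
+If you are using Apache with PHP, I recommend using the `geerlingguy.php` role to install PHP, and you can either use mod_php (by adding the proper package, e.g. `libapache2-mod-php5` for Ubuntu, to `php_packages`), or by also using `geerlingguy.apache-php-fpm` to connect Apache to PHP via FPM. See that role's README for more info.
+
+## Role Variables
+
+Available variables are listed below, along with default values (see `defaults/main.yml`):
+
+apache_enablerepo: ""
+
+The repository to use when installing Apache (only used on RHEL/CentOS systems). If you'd like later versions of Apache than are available in the OS's core repositories, use a repository like EPEL (which can be installed with the `geerlingguy.repo-epel` role).
+
+apache_listen_ip: "*"
+apache_listen_port: 80
+apache_listen_port_ssl: 443
+
+The IP address and ports on which apache should be listening. Useful if you have another service (like a reverse proxy) listening on port 80 or 443 and need to change the defaults.
+
+apache_create_vhosts: true
+apache_vhosts_filename: "vhosts.conf"
+apache_vhosts_template: "vhosts.conf.j2"
+
+If set to true, a vhosts file, managed by this role's variables (see below), will be created and placed in the Apache configuration folder. If set to false, you can place your own vhosts file into Apache's configuration folder and skip the convenient (but more basic) one added by this role. You can also override the template used and set a path to your own template, if you need to further customize the layout of your VirtualHosts.
+
+apache_remove_default_vhost: false
+
+On Debian/Ubuntu, a default virtualhost is included in Apache's configuration. Set this to `true` to remove that default virtualhost configuration file.
+
+apache_global_vhost_settings: |
+DirectoryIndex index.php index.html
+# Add other global settings on subsequent lines.
+
+You can add or override global Apache configuration settings in the role-provided vhosts file (assuming `apache_create_vhosts` is true) using this variable. By default it only sets the DirectoryIndex configuration.
+
+apache_vhosts:
+# Additional optional properties: 'serveradmin, serveralias, extra_parameters'.
+- servername: "local.dev"
+documentroot: "/var/www/html"
+
+Add a set of properties per virtualhost, including `servername` (required), `documentroot` (required), `allow_override` (optional: defaults to the value of `apache_allow_override`), `options` (optional: defaults to the value of `apache_options`), `serveradmin` (optional), `serveralias` (optional) and `extra_parameters` (optional: you can add whatever additional configuration lines you'd like in here).
+
+Here's an example using `extra_parameters` to add a RewriteRule to redirect all requests to the `www.` site:
+
+- servername: "www.local.dev"
+serveralias: "local.dev"
+documentroot: "/var/www/html"
+extra_parameters: |
+RewriteCond %{HTTP_HOST} !^www\. [NC]
+RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
+
+The `|` denotes a multiline scalar block in YAML, so newlines are preserved in the resulting configuration file output.
+
+apache_vhosts_ssl: []
+
+No SSL vhosts are configured by default, but you can add them using the same pattern as `apache_vhosts`, with a few additional directives, like the following example:
+
+apache_vhosts_ssl:
+- servername: "local.dev"
+documentroot: "/var/www/html"
+certificate_file: "/home/vagrant/example.crt"
+certificate_key_file: "/home/vagrant/example.key"
+certificate_chain_file: "/path/to/certificate_chain.crt"
+extra_parameters: |
+RewriteCond %{HTTP_HOST} !^www\. [NC]
+RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
+
+Other SSL directives can be managed with other SSL-related role variables.
+
+apache_ssl_protocol: "All -SSLv2 -SSLv3"
+apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
+
+The SSL protocols and cipher suites that are used/allowed when clients make secure connections to your server. These are secure/sane defaults, but for maximum security, performand, and/or compatibility, you may need to adjust these settings.
+
+apache_allow_override: "All"
+apache_options: "-Indexes +FollowSymLinks"
+
+The default values for the `AllowOverride` and `Options` directives for the `documentroot` directory of each vhost. A vhost can overwrite these values by specifying `allow_override` or `options`.
+
+apache_mods_enabled:
+- rewrite.load
+- ssl.load
+apache_mods_disabled: []
+
+(Debian/Ubuntu ONLY) Which Apache mods to enable or disable (these will be symlinked into the appropriate location). See the `mods-available` directory inside the apache configuration directory (`/etc/apache2/mods-available` by default) for all the available mods.
+
+apache_packages:
+- [platform-specific]
+
+The list of packages to be installed. This defaults to a set of platform-specific packages for RedHat or Debian-based systems (see `vars/RedHat.yml` and `vars/Debian.yml` for the default values).
+
+apache_state: started
+
+Set initial Apache daemon state to be enforced when this role is run. This should generally remain `started`, but you can set it to `stopped` if you need to fix the Apache config during a playbook run or otherwise would not like Apache started at the time this role is run.
+
+apache_packages_state: present
+
+If you have enabled any additional repositories such as _ondrej/apache2_, [geerlingguy.repo-epel](https://github.com/geerlingguy/ansible-role-repo-epel), or [geerlingguy.repo-remi](https://github.com/geerlingguy/ansible-role-repo-remi), you may want an easy way to upgrade versions. You can set this to `latest` (combined with `apache_enablerepo` on RHEL) and can directly upgrade to a different Apache version from a different repo (instead of uninstalling and reinstalling Apache).
+
+apache_ignore_missing_ssl_certificate: true
+
+If you would like to only create SSL vhosts when the vhost certificate is present (e.g. when using Let’s Encrypt), set `apache_ignore_missing_ssl_certificate` to `false`. When doing this, you might need to run your playbook more than once so all the vhosts are configured (if another part of the playbook generates the SSL certificates).
+
+## .htaccess-based Basic Authorization
+
+If you require Basic Auth support, you can add it either through a custom template, or by adding `extra_parameters` to a VirtualHost configuration, like so:
+
+extra_parameters: |
+<Directory "/var/www/password-protected-directory">
+Require valid-user
+AuthType Basic
+AuthName "Please authenticate"
+AuthUserFile /var/www/password-protected-directory/.htpasswd
+</Directory>
+
+To password protect everything within a VirtualHost directive, use the `Location` block instead of `Directory`:
+
+<Location "/">
+Require valid-user
+....
+</Location>
+
+You would need to generate/upload your own `.htpasswd` file in your own playbook. There may be other roles that support this functionality in a more integrated way.
+
+## Dependencies
+
+None.
+
+## Example Playbook
+
+- hosts: webservers
+vars_files:
+- vars/main.yml
+roles:
+- { role: geerlingguy.apache }
+
+*Inside `vars/main.yml`*:
+
+apache_listen_port: 8080
+apache_vhosts:
+- {servername: "example.com", documentroot: "/var/www/vhosts/example_com"}
+
+## License
+
+MIT / BSD
+
+## Author Information
+
+This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).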
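--- a/roles/apache/defaults/main.yml
+++ b/roles/apache/defaults/main.yml
@@ -0,0 +1,58 @@
+---
+apache_enablerepo: ""
+
+apache_listen_ip: "*"
+apache_listen_port: 80
+apache_listen_port_ssl: 443
+
+apache_create_vhosts: true
+apache_vhosts_filename: "vhosts.conf"
+apache_vhosts_template: "vhosts.conf.j2"
+
+# On Debian/Ubuntu, a default virtualhost is included in Apache's configuration.
+# Set this to `true` to remove that default.
+apache_remove_default_vhost: false
+
+apache_global_vhost_settings: |
+DirectoryIndex index.php index.html
+
+apache_vhosts:
+# Additional properties:
+# 'serveradmin, serveralias, allow_override, options, extra_parameters'.
+- servername: "local.dev"
+documentroot: "/var/www/html"
+
+apache_allow_override: "All"
+apache_options: "-Indexes +FollowSymLinks"
+
+apache_vhosts_ssl: []
+# Additional properties:
+# 'serveradmin, serveralias, allow_override, options, extra_parameters'.
+# - servername: "local.dev",
+# documentroot: "/var/www/html",
+# certificate_file: "/path/to/certificate.crt",
+# certificate_key_file: "/path/to/certificate.key",
+# # Optional.
+# certificate_chain_file: "/path/to/certificate_chain.crt"
+
+apache_ignore_missing_ssl_certificate: true
+
+apache_ssl_protocol: "All -SSLv2 -SSLv3"
+apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
+
+# Only used on Debian/Ubuntu.
+apache_mods_enabled:
+- rewrite.load
+- ssl.load
+apache_mods_disabled: []
+
+# Set initial apache state. Recommended values: `started` or `stopped`
+apache_state: started
+
+# Set apache state when configuration changes are made. Recommended values:
+# `restarted` or `reloaded`
+apache_restart_state: restarted
+
+# Apache package state; use `present` to make sure it's installed, or `latest`
+# if you want to upgrade or switch versions using a new repo.
+apache_packages_state: present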
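Review bot: The default `apache_ssl_protocol: "All -SSLv2 -SSLv3"` still admits TLS 1.0 and TLS 1.1, so every SSL vhost rendered by this role negotiates deprecated protocol versions unless the consuming playbook overrides it. This directory appears to be a vendored copy of the geerlingguy.apache role (the `.galaxy_install_info` added in the same commit records `version: 3.1.0`), so the override belongs in the playbook's vars rather than in this file, e.g. `apache_ssl_protocol: "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"`. The same applies to `apache_ignore_missing_ssl_certificate: true`, which lets a vhost be written with a `certificate_file` that does not exist on the host; setting it to `false` in the playbook makes a missing certificate surface at deploy time instead of at Apache start.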
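--- a/roles/apache/handlers/main.yml
+++ b/roles/apache/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart apache
+service:
+name: "{{ apache_service }}"
+state: "{{ apache_restart_state }}"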
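--- a/roles/apache/meta/.galaxy_install_info
+++ b/roles/apache/meta/.galaxy_install_info
@@ -0,0 +1,2 @@
+install_date: Thu Oct 29 02:41:52 2020
+version: 3.1.0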
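--- a/roles/apache/meta/main.yml
+++ b/roles/apache/meta/main.yml
@@ -0,0 +1,38 @@
+---
+dependencies: []
+
+galaxy_info:
+author: geerlingguy
+description: Apache 2.x for Linux.
+company: "Midwestern Mac, LLC"
+license: "license (BSD, MIT)"
+min_ansible_version: 2.4
+platforms:
+- name: EL
+versions:
+- all
+- name: Fedora
+versions:
+- all
+- name: Amazon
+versions:
+- all
+- name: Debian
+versions:
+- all
+- name: Ubuntu
+versions:
+- trusty
+- xenial
+- bionic
+- name: Solaris
+versions:
+- 11.3
+galaxy_tags:
+- web
+- apache
+- webserver
+- html
+- httpd
+
+allow_duplicates: true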
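--- a/roles/apache/molecule/default/molecule.yml
+++ b/roles/apache/molecule/default/molecule.yml
@@ -0,0 +1,29 @@
+---
+dependency:
+name: galaxy
+driver:
+name: docker
+lint:
+name: yamllint
+options:
+config-file: molecule/default/yaml-lint.yml
+platforms:
+- name: instance
+image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+command: ${MOLECULE_DOCKER_COMMAND:-""}
+volumes:
+- /sys/fs/cgroup:/sys/fs/cgroup:ro
+privileged: true
+pre_build_image: true
+provisioner:
+name: ansible
+lint:
+name: ansible-lint
+playbooks:
+converge: ${MOLECULE_PLAYBOOK:-playbook.yml}
+scenario:
+name: default
+verifier:
+name: testinfra
+lint:
+name: flake8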
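--- a/roles/apache/molecule/default/playbook.yml
+++ b/roles/apache/molecule/default/playbook.yml
@@ -0,0 +1,21 @@
+---
+- name: Converge
+hosts: all
+become: true
+
+vars:
+apache_listen_port_ssl: 443
+apache_create_vhosts: true
+apache_vhosts_filename: "vhosts.conf"
+apache_vhosts:
+- servername: "example.com"
+documentroot: "/var/www/vhosts/example_com"
+
+pre_tasks:
+- name: Update apt cache.
+apt: update_cache=yes cache_valid_time=600
+when: ansible_os_family == 'Debian'
+changed_when: false
+
+roles:
+- role: geerlingguy.apache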
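--- a/roles/apache/molecule/default/yaml-lint.yml
+++ b/roles/apache/molecule/default/yaml-lint.yml
@@ -0,0 +1,6 @@
+---
+extends: default
+rules:
+line-length:
+max: 120
+level: warning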
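--- a/roles/apache/tasks/configure-Debian.yml
+++ b/roles/apache/tasks/configure-Debian.yml
@@ -0,0 +1,54 @@
+---
+- name: Configure Apache.
+lineinfile:
+dest: "{{ apache_server_root }}/ports.conf"
+regexp: "{{ item.regexp }}"
+line: "{{ item.line }}"
+state: present
+with_items: "{{ apache_ports_configuration_items }}"
+notify: restart apache
+
+- name: Enable Apache mods.
+file:
+src: "{{ apache_server_root }}/mods-available/{{ item }}"
+dest: "{{ apache_server_root }}/mods-enabled/{{ item }}"
+state: link
+with_items: "{{ apache_mods_enabled }}"
+notify: restart apache
+
+- name: Disable Apache mods.
+file:
+path: "{{ apache_server_root }}/mods-enabled/{{ item }}"
+state: absent
+with_items: "{{ apache_mods_disabled }}"
+notify: restart apache
+
+- name: Check whether certificates defined in vhosts exist.
+stat: "path={{ item.certificate_file }}"
+register: apache_ssl_certificates
+with_items: "{{ apache_vhosts_ssl }}"
+
+- name: Add apache vhosts configuration.
+template:
+src: "{{ apache_vhosts_template }}"
+dest: "{{ apache_conf_path }}/sites-available/{{ apache_vhosts_filename }}"
+owner: root
+group: root
+mode: 0644
+notify: restart apache
+when: apache_create_vhosts | bool
+
+- name: Add vhost symlink in sites-enabled.
+file:
+src: "{{ apache_conf_path }}/sites-available/{{ apache_vhosts_filename }}"
+dest: "{{ apache_conf_path }}/sites-enabled/{{ apache_vhosts_filename }}"
+state: link
+notify: restart apache
+when: apache_create_vhosts | bool
+
+- name: Remove default vhost in sites-enabled.
+file:
+path: "{{ apache_conf_path }}/sites-enabled/{{ apache_default_vhost_filename }}"
+state: absent
+notify: restart apache
+when: apache_remove_default_vhost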
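--- a/roles/apache/tasks/configure-RedHat.yml
+++ b/roles/apache/tasks/configure-RedHat.yml
@@ -0,0 +1,36 @@
+---
+- name: Configure Apache.
+lineinfile:
+dest: "{{ apache_server_root }}/conf/{{ apache_daemon }}.conf"
+regexp: "{{ item.regexp }}"
+line: "{{ item.line }}"
+state: present
+with_items: "{{ apache_ports_configuration_items }}"
+notify: restart apache
+
+- name: Check whether certificates defined in vhosts exist.
+stat: path={{ item.certificate_file }}
+register: apache_ssl_certificates
+with_items: "{{ apache_vhosts_ssl }}"
+
+- name: Add apache vhosts configuration.
+template:
+src: "{{ apache_vhosts_template }}"
+dest: "{{ apache_conf_path }}/{{ apache_vhosts_filename }}"
+owner: root
+group: root
+mode: 0644
+notify: restart apache
+when: apache_create_vhosts | bool
+
+- name: Check if localhost cert exists (RHEL 8 and later).
+stat:
+path: /etc/pki/tls/certs/localhost.crt
+register: localhost_cert
+when: ansible_distribution_major_version | int >= 8
+
+- name: Ensure httpd certs are installed (RHEL 8 and later).
+command: /usr/libexec/httpd-ssl-gencerts
+when:
+- ansible_distribution_major_version | int >= 8
+- not localhost_cert.stat.exists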
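--- a/roles/apache/tasks/configure-Solaris.yml
+++ b/roles/apache/tasks/configure-Solaris.yml
@@ -0,0 +1,19 @@
+---
+- name: Configure Apache.
+lineinfile:
+dest: "{{ apache_server_root }}/{{ apache_daemon }}.conf"
+regexp: "{{ item.regexp }}"
+line: "{{ item.line }}"
+state: present
+with_items: "{{ apache_ports_configuration_items }}"
+notify: restart apache
+
+- name: Add apache vhosts configuration.
+template:
+src: "{{ apache_vhosts_template }}"
+dest: "{{ apache_conf_path }}/{{ apache_vhosts_filename }}"
+owner: root
+group: root
+mode: 0644
+notify: restart apache
+when: apache_create_vhosts | bool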
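--- a/roles/apache/tasks/configure-Suse.yml
+++ b/roles/apache/tasks/configure-Suse.yml
@@ -0,0 +1,24 @@
+---
+- name: Configure Apache.
+lineinfile:
+dest: "{{ apache_server_root }}/listen.conf"
+regexp: "{{ item.regexp }}"
+line: "{{ item.line }}"
+state: present
+with_items: "{{ apache_ports_configuration_items }}"
+notify: restart apache
+
+- name: Check whether certificates defined in vhosts exist.
+stat: path={{ item.certificate_file }}
+register: apache_ssl_certificates
+with_items: "{{ apache_vhosts_ssl }}"
+
+- name: Add apache vhosts configuration.
+template:
+src: "{{ apache_vhosts_template }}"
+dest: "{{ apache_conf_path }}/{{ apache_vhosts_filename }}"
+owner: root
+group: root
+mode: 0644
+notify: restart apache
+when: apache_create_vhosts | bool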
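--- a/roles/apache/tasks/main.yml
+++ b/roles/apache/tasks/main.yml
@@ -0,0 +1,47 @@
+---
+# Include variables and define needed variables.
+- name: Include OS-specific variables.
+include_vars: "{{ ansible_os_family }}.yml"
+
+- name: Include variables for Amazon Linux.
+include_vars: "AmazonLinux.yml"
+when:
+- ansible_distribution == "Amazon"
+- ansible_distribution_major_version == "NA"
+
+- name: Define apache_packages.
+set_fact:
+apache_packages: "{{ __apache_packages | list }}"
+when: apache_packages is not defined
+
+# Setup/install tasks.
+- include_tasks: "setup-{{ ansible_os_family }}.yml"
+
+# Figure out what version of Apache is installed.
+- name: Get installed version of Apache.
+command: "{{ apache_daemon_path }}{{ apache_daemon }} -v"
+changed_when: false
+check_mode: false
+register: _apache_version
+
+- name: Create apache_version variable.
+set_fact:
+apache_version: "{{ _apache_version.stdout.split()[2].split('/')[1] }}"
+
+- name: Include Apache 2.2 variables.
+include_vars: apache-22.yml
+when: "apache_version.split('.')[1] == '2'"
+
+- name: Include Apache 2.4 variables.
+include_vars: apache-24.yml
+when: "apache_version.split('.')[1] == '4'"
+
+# Configure Apache.
+- name: Configure Apache.
+include_tasks: "configure-{{ ansible_os_family }}.yml"
+
+- name: Ensure Apache has selected state and enabled on boot.
+service:
+name: "{{ apache_service }}"
+state: "{{ apache_state }}"
+enabled: true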
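--- a/roles/apache/tasks/setup-Debian.yml
+++ b/roles/apache/tasks/setup-Debian.yml
@@ -0,0 +1,6 @@
+---
+- name: Update apt cache.
+apt: update_cache=yes cache_valid_time=3600
+
+- name: Ensure Apache is installed on Debian.
+apt: "name={{ apache_packages }} state={{ apache_packages_state }}"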
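--- a/roles/apache/tasks/setup-RedHat.yml
+++ b/roles/apache/tasks/setup-RedHat.yml
@@ -0,0 +1,6 @@
+---
+- name: Ensure Apache is installed on RHEL.
+package:
+name: "{{ apache_packages }}"
+state: "{{ apache_packages_state }}"
+enablerepo: "{{ apache_enablerepo | default(omit, true) }}"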
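--- a/roles/apache/tasks/setup-Solaris.yml
+++ b/roles/apache/tasks/setup-Solaris.yml
@@ -0,0 +1,5 @@
+---
+- name: Ensure Apache is installed on Solaris.
+pkg5:
+name: "{{ apache_packages }}"
+state: "{{ apache_packages_state }}"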
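--- a/roles/apache/tasks/setup-Suse.yml
+++ b/roles/apache/tasks/setup-Suse.yml
@@ -0,0 +1,5 @@
+---
+- name: Ensure Apache is installed on Suse.
+zypper:
+name: "{{ apache_packages }}"
+state: "{{ apache_packages_state }}"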
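--- a/roles/apache/templates/vhosts.conf.j2
+++ b/roles/apache/templates/vhosts.conf.j2
@@ -0,0 +1,82 @@
+{{ apache_global_vhost_settings }}
+
+{# Set up VirtualHosts #}
+{% for vhost in apache_vhosts %}
+<VirtualHost {{ apache_listen_ip }}:{{ apache_listen_port }}>
+  ServerName {{ vhost.servername }}
+{% if vhost.serveralias is defined %}
+  ServerAlias {{ vhost.serveralias }}
+{% endif %}
+{% if vhost.documentroot is defined %}
+  DocumentRoot "{{ vhost.documentroot }}"
+{% endif %}
+
+{% if vhost.serveradmin is defined %}
+  ServerAdmin {{ vhost.serveradmin }}
+{% endif %}
+{% if vhost.documentroot is defined %}
+  <Directory "{{ vhost.documentroot }}">
+    AllowOverride {{ vhost.allow_override | default(apache_allow_override) }}
+    Options {{ vhost.options | default(apache_options) }}
+{% if apache_vhosts_version == "2.2" %}
+    Order allow,deny
+    Allow from all
+{% else %}
+    Require all granted
+{% endif %}
+  </Directory>
+{% endif %}
+{% if vhost.extra_parameters is defined %}
+{{ vhost.extra_parameters }}
+{% endif %}
+</VirtualHost>
+
+{% endfor %}
+
+{# Set up SSL VirtualHosts #}
+{% for vhost in apache_vhosts_ssl %}
+{% if apache_ignore_missing_ssl_certificate or apache_ssl_certificates.results[loop.index0].stat.exists %}
+<VirtualHost {{ apache_listen_ip }}:{{ apache_listen_port_ssl }}>
+  ServerName {{ vhost.servername }}
+{% if vhost.serveralias is defined %}
+  ServerAlias {{ vhost.serveralias }}
+{% endif %}
+{% if vhost.documentroot is defined %}
+  DocumentRoot "{{ vhost.documentroot }}"
+{% endif %}
+
+  SSLEngine on
+  SSLCipherSuite {{ apache_ssl_cipher_suite }}
+  SSLProtocol {{ apache_ssl_protocol }}
+  SSLHonorCipherOrder On
+{% if apache_vhosts_version == "2.4" %}
+  SSLCompression off
+{% endif %}
+  SSLCertificateFile {{ vhost.certificate_file }}
+  SSLCertificateKeyFile {{ vhost.certificate_key_file }}
+{% if vhost.certificate_chain_file is defined %}
+  SSLCertificateChainFile {{ vhost.certificate_chain_file }}
+{% endif %}
+
+{% if vhost.serveradmin is defined %}
+  ServerAdmin {{ vhost.serveradmin }}
+{% endif %}
+{% if vhost.documentroot is defined %}
+  <Directory "{{ vhost.documentroot }}">
+    AllowOverride {{ vhost.allow_override | default(apache_allow_override) }}
+    Options {{ vhost.options | default(apache_options) }}
+{% if apache_vhosts_version == "2.2" %}
+    Order allow,deny
+    Allow from all
+{% else %}
+    Require all granted
+{% endif %}
+  </Directory>
+{% endif %}
+{% if vhost.extra_parameters is defined %}
+{{ vhost.extra_parameters }}
+{% endif %}
+</VirtualHost>
+
+{% endif %}
+{% endfor %}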
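Review bot: The SSL loop's guard `apache_ssl_certificates.results[loop.index0].stat.exists` pairs each vhost with a stat result purely by position, so it is only correct if the task that registers `apache_ssl_certificates` iterates `apache_vhosts_ssl` in the same order with no filtering; that task lives outside this file, so a comment on that line such as `{# results[] is indexed in apache_vhosts_ssl order; keep the stat task's loop unfiltered #}` would stop the next editor from breaking the pairing. It is also worth a one-line comment above each `{{ vhost.extra_parameters }}` stating that the value is inserted verbatim into the Apache configuration and therefore must be trusted inventory data, never something derived from request or user input.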
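--- a/roles/apache/vars/AmazonLinux.yml
+++ b/roles/apache/vars/AmazonLinux.yml
@@ -0,0 +1,18 @@
+---
+apache_service: httpd
+apache_daemon: httpd
+apache_daemon_path: /usr/sbin/
+apache_server_root: /etc/httpd
+apache_conf_path: /etc/httpd/conf.d
+
+apache_vhosts_version: "2.4"
+
+__apache_packages:
+  - httpd24
+  - httpd24-devel
+  - mod24_ssl
+  - openssh
+
+apache_ports_configuration_items:
+  - regexp: "^Listen "
+    line: "Listen {{ apache_listen_port }}"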
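--- a/roles/apache/vars/Debian.yml
+++ b/roles/apache/vars/Debian.yml
@@ -0,0 +1,14 @@
+---
+apache_service: apache2
+apache_daemon: apache2
+apache_daemon_path: /usr/sbin/
+apache_server_root: /etc/apache2
+apache_conf_path: /etc/apache2
+
+__apache_packages:
+  - apache2
+  - apache2-utils
+
+apache_ports_configuration_items:
+  - regexp: "^Listen "
+    line: "Listen {{ apache_listen_port }}"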
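--- a/roles/apache/vars/RedHat.yml
+++ b/roles/apache/vars/RedHat.yml
@@ -0,0 +1,20 @@
+---
+apache_service: httpd
+apache_daemon: httpd
+apache_daemon_path: /usr/sbin/
+apache_server_root: /etc/httpd
+apache_conf_path: /etc/httpd/conf.d
+
+apache_vhosts_version: "2.2"
+
+__apache_packages:
+  - httpd
+  - httpd-devel
+  - mod_ssl
+  - openssh
+
+apache_ports_configuration_items:
+  - regexp: "^Listen "
+    line: "Listen {{ apache_listen_port }}"
+  - regexp: "^#?NameVirtualHost "
+    line: "NameVirtualHost {{ apache_listen_ip }}:{{ apache_listen_port }}"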
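--- a/roles/apache/vars/Solaris.yml
+++ b/roles/apache/vars/Solaris.yml
@@ -0,0 +1,19 @@
+---
+apache_service: apache24
+apache_daemon: httpd
+apache_daemon_path: /usr/apache2/2.4/bin/
+apache_server_root: /etc/apache2/2.4/
+apache_conf_path: /etc/apache2/2.4/conf.d
+
+apache_vhosts_version: "2.2"
+
+__apache_packages:
+  - web/server/apache-24
+  - web/server/apache-24/module/apache-ssl
+  - web/server/apache-24/module/apache-security
+
+apache_ports_configuration_items:
+  - regexp: "^Listen "
+    line: "Listen {{ apache_listen_port }}"
+  - regexp: "^#?NameVirtualHost "
+    line: "NameVirtualHost {{ apache_listen_ip }}:{{ apache_listen_port }}"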
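--- a/roles/apache/vars/Suse.yml
+++ b/roles/apache/vars/Suse.yml
@@ -0,0 +1,18 @@
+---
+apache_service: apache2
+apache_daemon: httpd2
+apache_daemon_path: /usr/sbin/
+apache_server_root: /etc/apache2
+apache_conf_path: /etc/apache2/conf.d
+
+apache_vhosts_version: "2.2"
+
+__apache_packages:
+  - apache2
+  - openssh
+
+apache_ports_configuration_items:
+  - regexp: "^Listen "
+    line: "Listen {{ apache_listen_port }}"
+  - regexp: "^#?NameVirtualHost "
+    line: "NameVirtualHost {{ apache_listen_ip }}:{{ apache_listen_port }}"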
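--- a/roles/apache/vars/apache-22.yml
+++ b/roles/apache/vars/apache-22.yml
@@ -0,0 +1,12 @@
+---
+apache_vhosts_version: "2.2"
+apache_default_vhost_filename: 000-default
+apache_ports_configuration_items:
+  - {
+    regexp: "^Listen ",
+    line: "Listen {{ apache_listen_port }}"
+  }
+  - {
+    regexp: "^#?NameVirtualHost ",
+    line: "NameVirtualHost {{ apache_listen_ip }}:{{ apache_listen_port }}"
+  }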
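--- a/roles/apache/vars/apache-24.yml
+++ b/roles/apache/vars/apache-24.yml
@@ -0,0 +1,8 @@
+---
+apache_vhosts_version: "2.4"
+apache_default_vhost_filename: 000-default.conf
+apache_ports_configuration_items:
+  - {
+    regexp: "^Listen ",
+    line: "Listen {{ apache_listen_port }}"
+  }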
@ -1,11 +0,0 @@
|
|||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
38616333383866663466353035306234356565643564383866633038636531616239393365636436
|
|
||||||
6538393064666337616565616636363331333062643235340a613061356630656333626664343038
|
|
||||||
39326661306439343666623339323430333662363864366364363664323833393039303938323035
|
|
||||||
3061396662656435660a366361363138386332633234633832613630643364316130643665343737
|
|
||||||
37303434633839323363376562303966363466323638616265303865343936396465616434666163
|
|
||||||
61666663373333643034363663323465326130393331636463666534343837646466653265343162
|
|
||||||
39343066323764646361323833303334643730633938633436343330626230303462666166356530
|
|
||||||
63623861383436636137623733633839333564363334323034313537616633666436333133396639
|
|
||||||
63666237366535386436343839653939373533656164333865613631386131343565363734333935
|
|
||||||
3861623666613138353061646564393465356532316631616231
|
|
@ -1,2 +0,0 @@
|
|||||||
---
|
|
||||||
allow_duplicates: no
|
|
@ -1,15 +0,0 @@
|
|||||||
#!/usr/bin/ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
- name: Set up AWS credentials for root
|
|
||||||
block:
|
|
||||||
- name: Create .aws directory
|
|
||||||
file:
|
|
||||||
path: ~/.aws
|
|
||||||
state: directory
|
|
||||||
- name: Copy AWS credentials
|
|
||||||
copy:
|
|
||||||
src: awscredentials
|
|
||||||
dest: ~/.aws/credentials
|
|
||||||
mode: "0600"
|
|
||||||
become: true
|
|
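--- a/roles/backup/defaults/main.yml
+++ b/roles/backup/defaults/main.yml
@@ -0,0 +1,28 @@
+# Which backup script to use. Configuration is somewhat unique to each script
+backup_script: s3backup
+# When to kick off backups using the systemd timer
+backup_time: "*-*-* 02:00:00"
+# What format should the datestamps in the filenames of any backups be in?
+# Defaults to YYYY-MM-DD-hhmm
+# So January 5th, 2021 at 3:41PM would be 2021-01-05-1541
+backup_dateformat: "%Y-%m-%d-%H%M"
+
+# S3 configuration for scripts that use it
+# Which bucket to upload the backup to
+backup_s3_bucket: replaceme
+# Credentials for the bucket
+backup_s3_aws_access_key_id: REPLACEME
+backup_s3_aws_secret_access_key: REPLACEME
+
+# List of files/directories to back up
+# Note that tar is NOT instructed to recurse through symlinks
+# If you want it to do that, end the path with a slash!
+backup_s3backup_list: []
+backup_s3backup_list_extra: []
+# List of files/directories to --exclude
+backup_s3backup_exclude_list: []
+backup_s3backup_exclude_list_extra: []
+# Arguments to pass to tar
+# Note that passing f here is probably a bad idea
+backup_s3backup_tar_args: cz
+backup_s3backup_tar_args_extra: ""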
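Review bot: `backup_s3_aws_access_key_id` and `backup_s3_aws_secret_access_key` default to the literal string `REPLACEME` and nothing in the role checks that they were overridden, so a host whose group_vars are missing or mis-scoped is still provisioned with a nightly job that fails only at upload time, with the placeholders rendered into /opt/backup.sh. A short `assert` at the top of roles/backup/tasks/main.yml (`that: backup_s3_aws_access_key_id != 'REPLACEME' and backup_s3_aws_secret_access_key != 'REPLACEME'`, plus the same for `backup_s3_bucket != 'replaceme'`) would fail the play instead. The comment above the two keys should also say they are expected to come from an encrypted vars file, since the script they are rendered into stores them in clear text on the host.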
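--- a/roles/backup/handlers/main.yml
+++ b/roles/backup/handlers/main.yml
@@ -0,0 +1,6 @@
+#!/usr/bin/env ansible-playbook
+# vim:ft=ansible:
+---
+- name: restart backup timer
+  systemd: name=backup.timer state=restarted daemon_reload=yes
+  become: yes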
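--- a/roles/backup/tasks/main.yml
+++ b/roles/backup/tasks/main.yml
@@ -0,0 +1,12 @@
+#!/usr/bin/env ansible-playbook
+# vim:ft=ansible:
+---
+- name: template out backup script
+  template: src={{ backup_script }}.sh dest=/opt/backup.sh mode=0700 owner=root group=root
+- name: configure systemd service
+  template: src=backup.service dest=/etc/systemd/system/backup.service
+- name: configure systemd timer
+  template: src=backup.timer dest=/etc/systemd/system/backup.timer
+  notify: restart backup timer
+- name: enable timer
+  systemd: name=backup.timer state=started enabled=yes daemon_reload=yes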
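Review bot: None of the four tasks carries `become`, yet they write root-owned files to /opt/backup.sh and /etc/systemd/system and manage a system unit, while the handler in roles/backup/handlers/main.yml does set `become: yes`; unless the play itself escalates, the role fails at the first `template` task on any host where the connecting user is not root. Either add `become: true` to each task or document at the top of the file that the role expects to be invoked under a play-level `become`. The `configure systemd service` task writes a unit file without notifying a daemon-reload and only works because the later `enable timer` task passes `daemon_reload=yes`; a comment like `# daemon-reload is done by the 'enable timer' task below` would make that ordering dependency explicit.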
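--- a/roles/backup/templates/backup.service
+++ b/roles/backup/templates/backup.service
@@ -0,0 +1,13 @@
+# vim:ft=systemd
+[Unit]
+Description=Nightly backup service
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+MemoryMax=256M
+ExecStart=/opt/backup.sh
+
+[Install]
+WantedBy=multi-user.target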
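Review bot: The `[Install]` section with `WantedBy=multi-user.target` on a timer-driven oneshot unit means that anyone who runs `systemctl enable backup.service` gets a full backup at every boot on top of the scheduled run; the role only enables backup.timer (roles/backup/tasks/main.yml), so this is latent today, but dropping the section, or a comment `# Not meant to be enabled directly; backup.timer starts this unit`, would make the intent explicit. Since ExecStart runs /opt/backup.sh as root with AWS credentials exported into its environment, a comment explaining why no sandboxing directives are applied (the script needs to read arbitrary backup paths and reach the network) would also help a future hardening pass.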
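--- a/roles/backup/templates/backup.timer
+++ b/roles/backup/templates/backup.timer
@@ -0,0 +1,10 @@
+# vim:ft=systemd
+[Unit]
+Description=Nightly backup timer
+
+[Timer]
+Persistent=true
+OnCalendar={{ backup_time }}
+
+[Install]
+WantedBy=timers.target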
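--- a/roles/backup/templates/s3backup.sh
+++ b/roles/backup/templates/s3backup.sh
@@ -0,0 +1,60 @@
+#! /bin/bash
+#
+# s3backup.sh
+# General-purpose, Ansible-managed backup script to push directories to
+# an S3 bucket
+#
+# NOTICE: THIS FILE CONTAINS SECRETS
+# This file may contain the following secrets depending on configuration:
+# * An AWS access key
+# * An AWS session token
+# These are NOT things you want arbitrary readers to access! Ansible will
+# attempt to ensure this file has 0700 permissions, but that won't stop you
+# from changing that yourself
+# DO NOT ALLOW THIS FILE TO BE READ BY NON-ROOT USERS
+
+# NOTICE: DO NOT MODIFY THIS FILE
+# Any changes made will be clobbered by Ansible
+# Please make any configuration changes in the main repo
+
+set -e
+
+# Directories to backup
+# Ansible will determine the entries here
+
+# We use a bash array because it affords us some level of sanitization, enough
+# to let us back up items whose paths contain spaces
+declare -a DIRS
+{% for item in backup_s3backup_list + backup_s3backup_list_extra %}
+DIRS+=("{{ item }}")
+{% endfor %}
+# End directories
+
+# AWS S3 configuration
+# NOTE: THIS IS SECRET INFORMATION
+export AWS_ACCESS_KEY_ID="{{ backup_s3_aws_access_key_id }}"
+export AWS_SECRET_ACCESS_KEY="{{ backup_s3_aws_secret_access_key }}"
+
+# Tar up all items in the backup list, recursively, and pipe them straight
+# up to S3
+if [ -z "${DIRS[*]}" ]; then
+    echo "No directories configured to back up!"
+    exit 0
+fi
+echo "Commencing backup on the following items:"
+for dir in "${DIRS[@]}"; do
+    echo "- $dir"
+done
+echo "Will ignore the following items:"
+{% for item in backup_s3backup_exclude_list + backup_s3backup_exclude_list_extra %}
+echo "- {{ item }}"
+{% endfor %}
+echo "Will upload resultant backup to {{ backup_s3_bucket }}"
+nice -n 10 tar {{ backup_s3backup_tar_args }}{{ backup_s3backup_tar_args_extra }} \
+{% for item in backup_s3backup_exclude_list + backup_s3backup_exclude_list_extra %}
+    --exclude "{{ item }}" \
+{% endfor %}
+    "${DIRS[@]}" \
+    | aws s3 cp - \
+    "s3://{{ backup_s3_bucket }}/{{ inventory_hostname }}/$(date "+{{ backup_dateformat }}").tar.gz"
+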
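Review bot: `set -e` alone does not cover the `tar … | aws s3 cp -` pipeline at the end of the script, whose status is that of `aws`, so a tar error (unreadable path, read failure mid-archive) still leaves a "successful" but truncated archive in the bucket and the oneshot unit reports success; change the top of the script to `set -eo pipefail` so the unit fails and the next timer run is a visible retry. The header comment lists "An AWS session token" among the secrets this file may contain, but only `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are exported, so either drop that bullet or add `export AWS_SESSION_TOKEN=…` if temporary credentials are intended. The same two points apply to roles/backup/templates/s3pgdump.sh. The `--exclude "{{ item }}"` and `DIRS+=("{{ item }}")` lines also deserve a comment that the values are rendered unescaped inside double quotes, so they must come from trusted inventory and must not contain `"`, `$` or backslashes.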
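--- a/roles/backup/templates/s3pgdump.sh
+++ b/roles/backup/templates/s3pgdump.sh
@@ -0,0 +1,47 @@
+#! /bin/bash
+#
+# s3pgdump.sh
+# General-purpose, Ansible-managed backup script to dump PostgreSQL DBs to
+# an S3 bucket
+#
+
+# NOTICE: THIS FILE CONTAINS SECRETS
+# This file may contain the following secrets depending on configuration:
+# * An AWS access key
+# * An AWS session token
+# These are NOT things you want arbitrary readers to access! Ansible will
+# attempt to ensure this file has 0700 permissions, but that won't stop you
+# from changing that yourself
+# DO NOT ALLOW THIS FILE TO BE READ BY NON-ROOT USERS
+
+# NOTICE: DO NOT MODIFY THIS FILE
+# Any changes made will be clobbered by Ansible
+# Please make any configuration changes in the main repo
+
+set -e
+
+# AWS S3 configuration
+# NOTE: THIS IS SECRET INFORMATION
+export AWS_ACCESS_KEY_ID="{{ backup_s3_aws_access_key_id }}"
+export AWS_SECRET_ACCESS_KEY="{{ backup_s3_aws_secret_access_key }}"
+
+# Populate a list of databases
+declare -a DATABASES
+while read line; do
+    DATABASES+=("$line")
+done < <(sudo -u postgres psql -t -A -c "SELECT datname FROM pg_database where datname not in ('template0', 'template1', 'postgres');" 2>/dev/null)
+
+# pgdump all DBs, compress them, and pipe straight up to S3
+echo "Commencing backup on the following databases:"
+for dir in "${DATABASES[@]}"; do
+    echo "- $dir"
+done
+echo "Will upload resultant backups to {{ backup_s3_bucket }}"
+for db in "${DATABASES[@]}"; do
+    echo "Backing up $db"
+    sudo -u postgres pg_dump "$db" \
+        | gzip -v9 \
+        | aws s3 cp - \
+        "s3://{{ backup_s3_bucket }}/{{ inventory_hostname }}/$db-$(date "+{{ backup_dateformat }}").pgsql.gz"
+done
+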
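Review bot: The `while read line` loop that fills DATABASES discards psql's stderr and reads without `-r`, and a failure of the process substitution is not caught by `set -e`, so a psql error (service down, auth failure) produces an empty list and the script exits 0 having backed up nothing, with the diagnostic thrown away; s3backup.sh at least prints a message for an empty list, but here a silent empty run should be a failure. The fix below drops the `2>/dev/null`, uses `IFS= read -r`, and aborts non-zero when no databases were found so the systemd unit reports the problem. The loop that prints the list also reuses the name `dir` from s3backup.sh for what is a database name; `db` as in the second loop reads better. The `pipefail` and session-token comment points raised on s3backup.sh apply here too.
```shell
set -eo pipefail

# … unchanged: AWS credential exports …

# Populate a list of databases; psql errors must stay visible, and an
# empty list is treated as a failure rather than a successful no-op.
declare -a DATABASES
while IFS= read -r line; do
    DATABASES+=("$line")
done < <(sudo -u postgres psql -t -A -c "SELECT datname FROM pg_database where datname not in ('template0', 'template1', 'postgres');")
if [ "${#DATABASES[@]}" -eq 0 ]; then
    echo "No databases found to back up; refusing to report success" >&2
    exit 1
fi

# … unchanged: listing and per-database dump loop …
```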
@ -1,5 +0,0 @@
|
|||||||
#!/usr/bin/ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
backups_outdir: "/opt/backups/out"
|
|
||||||
backups_boot_delay: 1h
|
|
||||||
backups_time: "*-*-* 02:00:00"
|
|
@ -1,10 +0,0 @@
|
|||||||
#!/usr/bin/ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
- name: restart backups timer
|
|
||||||
systemd:
|
|
||||||
daemon_reload: yes
|
|
||||||
name: 9iron-backup.timer
|
|
||||||
enabled: yes
|
|
||||||
state: restarted
|
|
||||||
become: yes
|
|
@ -1,6 +0,0 @@
|
|||||||
#!/usr/bin/ansible-playbook
|
|
||||||
# vim:ft=ansible:
|
|
||||||
---
|
|
||||||
allow_duplicates: no
|
|
||||||
dependencies:
|
|
||||||
- role: awscreds
|
|