Compare commits
No commits in common. "ce14c82f0ea7b8e56983449a5c6f1c39a3a0b7c9" and "04c5bcc77c01a405cd3c385ee3bd35ca5dc7c2f4" have entirely different histories.
ce14c82f0e
...
04c5bcc77c
9
.gitmodules
vendored
9
.gitmodules
vendored
@ -1,9 +0,0 @@
|
||||
[submodule "roles/minecraft"]
|
||||
path = roles/minecraft
|
||||
url = https://git.desu.ltd/salt/ansible-role-minecraft
|
||||
[submodule "roles/terraria"]
|
||||
path = roles/terraria
|
||||
url = https://git.desu.ltd/salt/ansible-role-terraria
|
||||
[submodule "roles/pleroma"]
|
||||
path = roles/pleroma
|
||||
url = https://git.desu.ltd/salt/ansible-role-pleroma
|
@ -1,3 +1,3 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
#!/usr/bin/ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
|
||||
|
56
README.md
56
README.md
@ -1,55 +1,29 @@
|
||||
# Salt's Ansible Repository
|
||||
# Salt's Ansible Repo
|
||||
|
||||
Useful for management across all of 9iron, thefuck, and desu.
|
||||
A collection of Ansible configuration to manage all of my machines.
|
||||
|
||||
## TODO
|
||||
## Quickstart
|
||||
|
||||
This branch is kinda-sorta a port of master, so it still needs to reach some form of feature parity with it. Namely:
|
||||
To quickly get a machine up and running, add it to the inventory and `./provision.yml` it. This ensures a basic, sane running environment from which you can do tuning. Ideally, though, you should have roles.
|
||||
|
||||
* Matrix(? Do I still want to keep this around? Is there a better alternative? Will my friends even use it?)
|
||||
## Overview
|
||||
|
||||
* Port over configs for Nextcloud on web1.9iron.club
|
||||
The main playbook, `site.yml`, can be separated into more or less two parts:
|
||||
|
||||
## Initialization
|
||||
* The home machine half, tied together via Zerotier
|
||||
|
||||
Clone the repo, `cd` in. Done.
|
||||
* The 9iron half, with public IPs and resolvable names
|
||||
|
||||
## Deployment
|
||||
See `inventory/hosts.yml` for details on what machines have what roles and what configuration. I try my best to make self-explaning configuration, so everything should mostly make sense on a first read. If you have any questions, hit me up.
|
||||
|
||||
Adding a new server will require the following be fulfilled:
|
||||
## Style Guide
|
||||
|
||||
* The server is accessible from the Ansible host;
|
||||
* Quote strings when required, quote entire strings if they contain Jinja markup, not just the marked up section (yes I know I violate this in several places)
|
||||
|
||||
* The server has a user named `ansible` which:
|
||||
* Use `yes` and `no` for booleans
|
||||
|
||||
* Accepts the public key located in `contrib/desu.pub`; and
|
||||
* Use short form for simple tasks (still working on fixing that up)
|
||||
|
||||
* Has passwordless sudo capabilities as root
|
||||
## Your Shit is Trash
|
||||
|
||||
* The server is added to `inventory/hosts.yml` in an appropriate place;
|
||||
|
||||
* DNS records for the machine are set; and
|
||||
|
||||
* The server is running Ubuntu 20.04 or greater
|
||||
|
||||
From there, running the playbook `site.yml` should get the machine up to snuff. To automate the host-local steps, use the script file `contrib/bootstrap.sh`.
|
||||
|
||||
## Ad-Hoc Commands
|
||||
|
||||
The inventory is configured to allow for ad-hoc commands with very little fuss. For example:
|
||||
|
||||
```bash
|
||||
ansible -m shell -a 'systemctl is-failed ansible-pull.service' all
|
||||
```
|
||||
|
||||
These commands must be run from the root of the repo.
|
||||
|
||||
## Ansible Galaxy
|
||||
|
||||
Several of the roles in this repository are sourced from Ansible Galaxy. They're mirrored here for both easy compatibility with `ansible-pull` and in case the sources go down. Despite this, they're still managed in `roles/requirements.yml` for ease of management, source tracking, and updating. Any forks or deviations from these sources should be thoroughly documented.
|
||||
|
||||
Should you need to reinitialize them, the following command (run from the root of the repo) will initialize all Galaxy assets:
|
||||
|
||||
```
|
||||
ansible-galaxy install -r roles/requirements.yml
|
||||
```
|
||||
I know. Please file an issue.
|
||||
|
10
ansible.cfg
10
ansible.cfg
@ -1,11 +1,15 @@
|
||||
[defaults]
|
||||
gathering = smart
|
||||
interpreter_python = python3
|
||||
inventory = inventory
|
||||
roles_path = roles
|
||||
private_key_file = ~/.ssh/desu
|
||||
host_key_checking = false # I'm constantly spinning machines up and down; no time for this
|
||||
#ask_become_pass = true
|
||||
# Connection info
|
||||
private_key_file = ~/.ssh/ansible
|
||||
host_key_checking = false
|
||||
# Secrets
|
||||
ask_become_pass = true
|
||||
#ask_vault_pass = true
|
||||
# Warnings
|
||||
command_warnings = true
|
||||
#deprecation_warnings = false
|
||||
system_warnings = true
|
||||
|
@ -1,52 +0,0 @@
|
||||
#! /bin/sh
|
||||
#
|
||||
# bootstrap.sh
|
||||
# Copyright (C) 2020 Vintage Salt <rehashedsalt@cock.li>
|
||||
#
|
||||
# Distributed under terms of the MIT license.
|
||||
#
|
||||
|
||||
set -e
|
||||
|
||||
if [ "$(id -u)" != "0" ]; then
|
||||
echo "This script must be run as root"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! [ -f "./desu.pub" ]; then
|
||||
echo "The public key \"desu.pub\" must sit in PWD. cd to contrib"
|
||||
exit 2
|
||||
fi
|
||||
|
||||
echo "Adding ansible user..."
|
||||
|
||||
if ! useradd ansible > /dev/null 2>&1; then
|
||||
err=$?
|
||||
case $err in
|
||||
0)
|
||||
;;
|
||||
9)
|
||||
echo "Continuing..."
|
||||
;;
|
||||
*)
|
||||
echo "Encountered error $err adding user ansible"
|
||||
exit 3
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
echo "Adding key..."
|
||||
|
||||
mkdir -p ~ansible/.ssh
|
||||
cat ./desu.pub > ~ansible/.ssh/authorized_keys
|
||||
|
||||
echo "Fixing perms..."
|
||||
|
||||
chmod 0600 ~ansible/.ssh/authorized_keys
|
||||
chown -R ansible. ~ansible/.ssh
|
||||
cat > /etc/sudoers.d/50-ansible << EOF
|
||||
ansible ALL=(ALL:ALL) NOPASSWD:ALL
|
||||
EOF
|
||||
|
||||
echo "Done!"
|
||||
|
@ -1 +0,0 @@
|
||||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDfXVgMHeD2wtCAIVoDYQ+R19vKfhmR2FgUTkHhAzE2156fB/+IMB+6Qc4X3aFRIcUp+Ls8Vm8JQ3d0jvbcGQkgbAjRExQa71XGBmhxJCxzlCLBoQzBmTSnryL09LExoMynzVgrso8TQP92vZBGJFI/lLGAaop2l9pu+3cgM3sRaK+A11lcRCrS25C3hqPQhKC44zjzOt7sIoaG6RqG3CQ8jhE35bthQdBySOZVDgDKfjDyPuDzVxiKjsuNm4Ojzm0QW5gq6GkLOg2B8OSQ1TGQgBHQu4b8zsKBOUOdbZb0JLM8NdpH1cMntC0QBofy3DzqR/CFaSaBzUx+dnkBH0/pjBOrhHzzqZGOJayfC1igYki67HqzFV5IjhAVa+c4S9L/zbFk0+YZYdgMoKNlMU2LgzrSEastuXHD7NUy3fMP4BZbqg37SjQzFRXoUp5+ctVs9tCoy/qvvjT3UVGcn312eJrRRfWrYagU2nWKGyqbTOpsuOJ5OLlhopy6eP9+yRM= ansible
|
3
deploy.sh
Executable file
3
deploy.sh
Executable file
@ -0,0 +1,3 @@
|
||||
#! /bin/sh
|
||||
ansible-playbook --ask-vault-pass site.yml "$@"
|
||||
|
@ -1,8 +0,0 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
- name: restart cron
|
||||
service: name=cron state=restarted
|
||||
become: yes
|
||||
- name: regen initramfs
|
||||
command: /usr/sbin/update-initramfs -c -k all
|
||||
become: yes
|
@ -1,158 +1,207 @@
|
||||
#!/usr/bin/ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
|
||||
# For homebrew roles and such, mostly Ansible-related setup
|
||||
ansible_pull_repo: "https://git.desu.ltd/salt/ansible"
|
||||
ansible_pull_commit: master
|
||||
common_ansible_pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDfXVgMHeD2wtCAIVoDYQ+R19vKfhmR2FgUTkHhAzE2156fB/+IMB+6Qc4X3aFRIcUp+Ls8Vm8JQ3d0jvbcGQkgbAjRExQa71XGBmhxJCxzlCLBoQzBmTSnryL09LExoMynzVgrso8TQP92vZBGJFI/lLGAaop2l9pu+3cgM3sRaK+A11lcRCrS25C3hqPQhKC44zjzOt7sIoaG6RqG3CQ8jhE35bthQdBySOZVDgDKfjDyPuDzVxiKjsuNm4Ojzm0QW5gq6GkLOg2B8OSQ1TGQgBHQu4b8zsKBOUOdbZb0JLM8NdpH1cMntC0QBofy3DzqR/CFaSaBzUx+dnkBH0/pjBOrhHzzqZGOJayfC1igYki67HqzFV5IjhAVa+c4S9L/zbFk0+YZYdgMoKNlMU2LgzrSEastuXHD7NUy3fMP4BZbqg37SjQzFRXoUp5+ctVs9tCoy/qvvjT3UVGcn312eJrRRfWrYagU2nWKGyqbTOpsuOJ5OLlhopy6eP9+yRM= ansible"
|
||||
## BACKEND
|
||||
# ACME
|
||||
acme:
|
||||
#directory: "https://acme-staging-v02.api.letsencrypt.org/directory" # Testing ACME endpoint
|
||||
directory: "https://acme-v02.api.letsencrypt.org/directory"
|
||||
version: 2
|
||||
webroot: /var/www/acme
|
||||
aws:
|
||||
# S3 Backups
|
||||
backup_bucket: "9iron-backups-general"
|
||||
# SES
|
||||
ses:
|
||||
user: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
33643766376336316266373239386466373639633765333332353031373132383061346564633036
|
||||
3337396261333264363562363364336235633831353133380a613164666161313265396261616634
|
||||
38353531306238613735623433663138643231663139363735373537393337636362636534656166
|
||||
3063373930343039320a663063663535633932323739653461336164643035633036663362666161
|
||||
38316564326537303236333266303432326164393435663665363963326363306237
|
||||
pass: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
39306665653635383832623438656364616633643032663365643033316236333939363732363034
|
||||
3566663361653862646636396339343963626561613839620a663731313337613734356261326437
|
||||
31653763346663656165343632336366343562333836396232636431323635333965336137316237
|
||||
3662393364636631310a643935313539353338333233356362623835363631383035666536343634
|
||||
65663937643165613337373837633737653765303764303536386530616363343361326536633935
|
||||
3565626161343562396663353538653136376138373334336435
|
||||
# MySQL
|
||||
mysql:
|
||||
root_password: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
62316565376333396465333931356163343363663063636233653536373033396230626639613964
|
||||
3037613839373833646234626236643430393364643131610a333539373533663434373935376130
|
||||
65323365313465316635646465376665616132653832316362363535366563363863636530313666
|
||||
3036393134386131310a643734363261633166636263343538313533393738323934303137343163
|
||||
39636637643035616236663364663562366133613233313139623937313531343564
|
||||
# PSQL
|
||||
psql:
|
||||
ansible:
|
||||
user: ansible
|
||||
pass: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
30383235373131383466383438653235666365386631356463633265623332643337633830663930
|
||||
3639313565613138373165636264343030323961646539390a356134383764326631326635636139
|
||||
63626263373063343036373266326235363839316662363031356264363365633161326264643766
|
||||
3734386366633861640a643335636330323432626437646337353534653832383337396432636264
|
||||
61356331646133653363353931306630373963316430626266346630646362666237
|
||||
neighbor_block: "172.31.0.0/16"
|
||||
|
||||
# For backups
|
||||
backup_s3_bucket: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
61393939633736616361336162633564356434363963303737366236373332653265366132393439
|
||||
3333643463306561616261636466303631373866353962310a356561633833633533353937323265
|
||||
64656235616637366363323330346134656366663733393462346333613535633838333938653434
|
||||
6133326433613239650a386333626339363263323134313830353963326265666336306130656534
|
||||
6534
|
||||
backup_s3_aws_access_key_id: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
61353734383466366564333832643738313238666235336332303539383639626263633231396261
|
||||
6165393062393266343661643466633163383164383032340a333833656566336331323565386162
|
||||
35646665353539616538353339616531346564636466643639326366353165313861373761396537
|
||||
3731653463643838330a383065313135343763636534656133343666363237356462326236643631
|
||||
34366564373661396434663633346635663331393538363362376265653334623538
|
||||
backup_s3_aws_secret_access_key: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
64316231613337333231383837333930336561633164393762343838646136393165626361346637
|
||||
3364643830346533623137643530323438366665393632320a633032336664616261353734343661
|
||||
36646565383532616133353530343331663731663965656662363830363063303361373861663762
|
||||
3032613362626233350a613464333230363830383334363032303730646134306331383733363036
|
||||
34346334306633306664323337643433356336366633396239306539613539633535386238346662
|
||||
6232313138393062626631386135383234376361643362353966
|
||||
## WEBAPPS
|
||||
# Gitea
|
||||
gitea:
|
||||
db:
|
||||
hostname: 172.31.47.215
|
||||
pass: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
62353264353465316661353738666161313036373761666163663733656461316536636334386335
|
||||
6161386630663739363439383237343065333239613134610a383036373735326536386464343164
|
||||
31346337636665356630336234306534646362386663633734353166373761316139313734306630
|
||||
3364306566323666310a323034303434613237643665643637633430353437316339356463646331
|
||||
33353062343164396465326365653561626363343961326363633231303736316436643935646161
|
||||
3933353234613430373930663832643934613233383635613433
|
||||
app_name: "9iron Gitea"
|
||||
disable_registration: "false"
|
||||
url: "git.9iron.club"
|
||||
root: "/var/gitea"
|
||||
efs:
|
||||
name: "9iron-gitea"
|
||||
region: "us-east-2"
|
||||
subnet_id: "subnet-852935ed"
|
||||
security_group: "sg-4f4b692c"
|
||||
admin:
|
||||
user: "salt"
|
||||
email: "rehashedsalt@cock.li"
|
||||
pass: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
35613039646236306236363930353231303331633765303039373736626666666530323433356466
|
||||
3062633166313332643039613561303431613735396339650a376664373137643439303465376365
|
||||
35313266376539366134343562626164616666306338343538663361393964626565303331383234
|
||||
3565646664333966650a323530356664366262653763363439613534303764366436376634373639
|
||||
62303264653836656162366362316461656363353539343632616462626231643632
|
||||
# Grafana
|
||||
grafana:
|
||||
db:
|
||||
hostname: 172.31.47.215
|
||||
pass: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
65376335363732633132326630323161393861323833323631613630343262383137656138356262
|
||||
3730386139393739373738626535376636666135646463350a623331333032346434343465666234
|
||||
38393539623437376133363063633238383031326431653737346564323837343265653431633962
|
||||
6665346237666165330a643635653863356633623535383063366632336437313730626233346664
|
||||
33303465616532313339393634386166363162393661393037323835323035386663
|
||||
url: "monitor.9iron.club"
|
||||
webroot: "/var/www/grafana"
|
||||
config_repo: "https://git.9iron.club/salt/grafana"
|
||||
# Matrix
|
||||
matrix:
|
||||
server_name: "9iron.club"
|
||||
url: "matrix.9iron.club"
|
||||
enable_registration: "true"
|
||||
admin_contact: "mailto:rehashedsalt@cock.li"
|
||||
db_password: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
64663061333130386634323631353435376330636334623334663365633361336563393634333061
|
||||
6531393839336532376465356132646337663339333431340a383030373166653835386239643365
|
||||
31356462653634323162343164633130366664323034373330613764663635326534303935303230
|
||||
6233636463636134640a386436316462643434343739333232613264303635323261616634326562
|
||||
63316265366238383038653034326661633163346462396663346563666134393232
|
||||
# Nextcloud
|
||||
nextcloud:
|
||||
db:
|
||||
hostname: 172.31.47.215
|
||||
pass: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
37633035633563646266346264333636393931323664313166633133653461646333643731636661
|
||||
3966666665396239346662613764353333393038663762340a313236396331623061376462356437
|
||||
66373234633939393034353439393465663131303661393164303335336435653734613064663964
|
||||
3332313764623133630a393731613236373837316437653265636663666261383135636662373566
|
||||
61373135303632336237333836353764646639633735323566346366623766646266
|
||||
efs:
|
||||
name: "9iron-nextcloud"
|
||||
region: "us-east-2"
|
||||
subnet_id: "subnet-852935ed"
|
||||
security_group: "sg-4f4b692c"
|
||||
url: "nc.9iron.club"
|
||||
# Pleroma
|
||||
pleroma:
|
||||
instance:
|
||||
name: Cowfee
|
||||
desc: owo
|
||||
email: rehashedsalt@cock.li
|
||||
notify_email: noreply@cowfee.moe
|
||||
openreg: "true"
|
||||
static_repo: "https://git.9iron.club/salt/pleroma"
|
||||
db:
|
||||
pass: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
34343838386134656236313462653531663839363030333630383332386535356431326436633137
|
||||
3261323632653635383930333131333235373437653733300a363562666264616138623832666137
|
||||
61333039646332343838346633363035343434303036643465353062353062303961383138643564
|
||||
3338393765393733340a626436653666363236643938613466643530326665653764333933393437
|
||||
37613033653864643965323162373366306233626235663461326266376662663634353066386139
|
||||
37636162313364623933396232366239633338363539626637373163333130373665373038363566
|
||||
65646633636638653335356536323334646632366164633532636634376632356166306139393766
|
||||
38633934623639366263
|
||||
secret:
|
||||
key_base: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
36333934336635613533333137636532363937613764353933636566663031316262333837323064
|
||||
6534653062626461633462636335346132353564653038330a326330326235623530393337333063
|
||||
37666666386637633839633737376465366439356461653363396665636137353264363762346461
|
||||
3765616634653234630a623061393834373964653939626564363263383435666366356339663136
|
||||
64613330656434653538363734393831353133316666326338366335383064356165333537383837
|
||||
31633939353565303661626233623064653838636435376239376361663362636164653962383561
|
||||
33366335623038653232613731333730363836653532363834663663343963303763323534343038
|
||||
61666238346239636634
|
||||
signing_salt: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
31306137646362333433313630363538333234643339353530333038393061663132633161356231
|
||||
3662386234633933633762363334333031306564353132380a633339323364633137396636616363
|
||||
64393536353362386336323662316262333763326138616364333237353262323232636335353436
|
||||
3563396435643363620a646337346561393863366361643536356363626334343264343861663131
|
||||
3466
|
||||
# snmpd
|
||||
snmp:
|
||||
location: "us-east-2"
|
||||
contact: "Salt <rehashedsalt@cock.li>"
|
||||
auth_user_pass: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
36373662333533616331623933343364663532326261653636363732323138633836356633623934
|
||||
6561333833343432353561366438313165383163366131630a653163666463356462633966666330
|
||||
38323965303639356635613565633030373836643132336332373730303137376165616163646538
|
||||
3162616233366236350a626130643230323264343938373134653034636232303130623134393531
|
||||
61366330316330646137336161623166343835316432363433373333323232383166
|
||||
priv_user_pass: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
61316538316630333662633665646364356138613730633334653761626636633836363335383965
|
||||
6332303265323236383130383366336662626331613866340a636139366135313134303538613833
|
||||
61383662306163663634333538343733663836633834373462616265366365626533366334383031
|
||||
6265643764656461320a313137326430386532653538346462323463386538303966303830343037
|
||||
63333632656534333334383666666138353435383938623934663766623735656533
|
||||
int_user_pass: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
31616561323762653439346630653231646137626638383930346437323139666163316131333534
|
||||
6463313537316230363735346236323033386562373032330a326261393039663539353738643465
|
||||
36666136663930663463373731663534316232643637623732346331383737643233626235613439
|
||||
3733366462613133620a386336303434303130313636356339633939623638366236346234376566
|
||||
65386530663137393830636134653632623366333837616364396161666464613166
|
||||
|
||||
|
||||
# For zerotier
|
||||
zerotier_network_id: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
35646131343239623265663562343333383362366633386462646465643163353866643633636135
|
||||
6238643231313536323337343663313865323430323437630a353462393830376431376363373232
|
||||
30656433343263653035333637336165323931363966376264353164326135336131646362623734
|
||||
3339633961393864330a616437613534643231366634643362383438316233376334636264303361
|
||||
65313231393433396538663463383731303661633663343066333264303330313133
|
||||
|
||||
# For geerlingguy.apache
|
||||
apache_remove_default_vhost: yes
|
||||
apache_ssl_cipher_suite: AES256+EECDH:AES256+EDH
|
||||
apache_ssl_protocol: all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
|
||||
|
||||
# For geerlingguy.php
|
||||
##RESERVED
|
||||
|
||||
# For gitea
|
||||
secret_gitea_9iron_db_pass: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
62353264353465316661353738666161313036373761666163663733656461316536636334386335
|
||||
6161386630663739363439383237343065333239613134610a383036373735326536386464343164
|
||||
31346337636665356630336234306534646362386663633734353166373761316139313734306630
|
||||
3364306566323666310a323034303434613237643665643637633430353437316339356463646331
|
||||
33353062343164396465326365653561626363343961326363633231303736316436643935646161
|
||||
3933353234613430373930663832643934613233383635613433
|
||||
secret_gitea_db_pass: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
35343032343364306363646232613831386530313430663664396432353431393039626230626137
|
||||
6339653038633534313562333431613362313263623130300a383930626437636466623763663334
|
||||
64646239633830656338336135313261396536303739373731633830633366313262313035626233
|
||||
6463663332623635320a356565666638306661356365643930303664346232303165373333613235
|
||||
62396535653338396232616531323738656636613065336337333336306437363539303766623866
|
||||
3932386635393061643737326163643164643365303866643766
|
||||
gitea_secret_key: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
34373339636233393231363531323338306330653139376661356336343133373836323065333665
|
||||
3537613462316361646161653966643862633033646134370a643133393162313434383663643538
|
||||
31343164666235316235393163376134636433386361353266613263363839366432356132383533
|
||||
3434643430306234350a353037373530653865363931333237663133626537643730643634356162
|
||||
33353632613637306336653734343332393661343539393034313437373636383732393062333530
|
||||
3337633338323131373130376137393766363737393536386636
|
||||
gitea_internal_token: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
34323237383664663266653034656437643363316538663338383262663931356665383363656466
|
||||
3861653830626538303761303638663835316239343033370a323164303164613265363535643432
|
||||
31393732393361666331396533333339623665623562643962323632653537666339346266393632
|
||||
6639663137613232640a383633343038626638626434636230346634373533616564316262333833
|
||||
64376163636230303361326532316665366633373035336164393033653366653564633339386338
|
||||
35326462333364353032343238363230343235303037306532333765376464326234633739396534
|
||||
31333332613964313031346534306236383434346430396233646132393962383636383631643461
|
||||
37366163373863653164626365383761623431613164653932363730633134633032336266616335
|
||||
61626133316161616335323630333461663163613430353438633235336331343934386464373866
|
||||
62633234313261363537663061373931303832653531356566633739636264666635653936313965
|
||||
623964653936646334313864643030653763
|
||||
|
||||
# For Nextcloud
|
||||
secret_nextcloud_9iron_db_pass: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
37633035633563646266346264333636393931323664313166633133653461646333643731636661
|
||||
3966666665396239346662613764353333393038663762340a313236396331623061376462356437
|
||||
66373234633939393034353439393465663131303661393164303335336435653734613064663964
|
||||
3332313764623133630a393731613236373837316437653265636663666261383135636662373566
|
||||
61373135303632336237333836353764646639633735323566346366623766646266
|
||||
secret_nextcloud_db_pass: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
31626162623164373133356634323436373634616363663966313039313431643837326630346632
|
||||
3066303432303064663838643533373933343166356437610a613134383566653035663462393538
|
||||
37616538366337313265333333373432363031323336306436643839333337313735633463326133
|
||||
6538383936643664370a663737333861303132313031373234396562653464653838343836663530
|
||||
38396663633237383764613139346333636432613464356465663661653265323135363032633963
|
||||
3335626335353431616365313232346431313439653132303833
|
||||
secret_nextcloud_admin_pass: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
66303362626535386438633666376264313563323034343938363034353435306463613364366636
|
||||
3633343332643062633265643838346465623362323866610a666237636461376166373938626538
|
||||
62326334356339326330623336363038323431363266306265386635343432383764623437386462
|
||||
3534643731333331320a393462323264666135666134336536633639613065363339333131653433
|
||||
37653732313664356330356139646336353735613336326563366361383737653538
|
||||
|
||||
# For OnlyOffice
|
||||
secret_onlyoffice_9iron_db_pass: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
31326366346266353162303566646632376434373966663533353737626539366662306163346562
|
||||
3934666237323331303063636561613531613431303237360a323335333764356335326665626665
|
||||
30396236656537626531616532353839303535336534303934316237343338336536323135653865
|
||||
3036393663396633380a366461613536616264613237626164373631353137643963663830393833
|
||||
34326639343831346333333461663634333434633136646163326634653439623138
|
||||
|
||||
# For Pleroma
|
||||
secret_pleroma_9iron_db_pass: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
34343838386134656236313462653531663839363030333630383332386535356431326436633137
|
||||
3261323632653635383930333131333235373437653733300a363562666264616138623832666137
|
||||
61333039646332343838346633363035343434303036643465353062353062303961383138643564
|
||||
3338393765393733340a626436653666363236643938613466643530326665653764333933393437
|
||||
37613033653864643965323162373366306233626235663461326266376662663634353066386139
|
||||
37636162313364623933396232366239633338363539626637373163333130373665373038363566
|
||||
65646633636638653335356536323334646632366164633532636634376632356166306139393766
|
||||
38633934623639366263
|
||||
secret_pleroma_key_base: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
36333934336635613533333137636532363937613764353933636566663031316262333837323064
|
||||
6534653062626461633462636335346132353564653038330a326330326235623530393337333063
|
||||
37666666386637633839633737376465366439356461653363396665636137353264363762346461
|
||||
3765616634653234630a623061393834373964653939626564363263383435666366356339663136
|
||||
64613330656434653538363734393831353133316666326338366335383064356165333537383837
|
||||
31633939353565303661626233623064653838636435376239376361663362636164653962383561
|
||||
33366335623038653232613731333730363836653532363834663663343963303763323534343038
|
||||
61666238346239636634
|
||||
secret_pleroma_signing_salt: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
31306137646362333433313630363538333234643339353530333038393061663132633161356231
|
||||
3662386234633933633762363334333031306564353132380a633339323364633137396636616363
|
||||
64393536353362386336323662316262333763326138616364333237353262323232636335353436
|
||||
3563396435643363620a646337346561393863366361643536356363626334343264343861663131
|
||||
3466
|
||||
|
||||
# For Matrix/Synapse
|
||||
secret_matrix_9iron_db_pass: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
64663061333130386634323631353435376330636334623334663365633361336563393634333061
|
||||
6531393839336532376465356132646337663339333431340a383030373166653835386239643365
|
||||
31356462653634323162343164633130366664323034373330613764663635326534303935303230
|
||||
6233636463636134640a386436316462643434343739333232613264303635323261616634326562
|
||||
63316265366238383038653034326661633163346462396663346563666134393232
|
||||
## VIDYA
|
||||
# tes3mp
|
||||
tes3mp:
|
||||
archive: "https://github.com/TES3MP/openmw-tes3mp/releases/download/0.7.0-alpha/tes3mp-server-GNU+Linux-x86_64-release-0.7.0-alpha-abc4090a0f-01d297f5c6.tar.gz"
|
||||
name: "main"
|
||||
dest: /opt/tes3mp
|
||||
server:
|
||||
name: "9iron TES3MP"
|
||||
maxplayers: 8
|
||||
password: dicks
|
||||
port: 25565
|
||||
master:
|
||||
enabled: "true"
|
||||
host: master.tes3mp.com
|
||||
port: 25561
|
||||
|
@ -1,33 +1,73 @@
|
||||
#!/usr/bin/ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
all:
|
||||
vars:
|
||||
ansible_user: ansible
|
||||
ansible_pull_repo: "https://git.desu.ltd/salt/ansible"
|
||||
ansible_user: ubuntu
|
||||
gitea_api_token: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
39646564383934343237626436363261643265663339616566353563613266396536373164646235
|
||||
3630333032613536373532616363333464653138656164390a386565316164386263363935663264
|
||||
62613737336539653835356634313636643732396330313863393861373664353966363437373338
|
||||
6565336264613334650a613063393662643237333864316332613131386233396562333063646263
|
||||
63636238356266363065656462626536346634646365363135643538316136346566306131626161
|
||||
3166653266383332343332366530343532396435353134373939
|
||||
ssl_protocol: "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
|
||||
ssl_cipher_suite: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
|
||||
user_username: salt
|
||||
user_password: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
37666131343936663962386535343939373161343337383436613961303637376136633736353533
|
||||
3366623536646563383563373265313134663464396231370a303033353661336436386561366139
|
||||
30393536393634653566646636366436656435623534626266343632313336336336346131383361
|
||||
3366343932383930350a383637646261373135376138633533306530306339316235353262356135
|
||||
34626466363266616265653064333365663663306330666632343864373335626265323230633331
|
||||
33623431633665353964623437636231623366383733626266353162633762373035376638663936
|
||||
62383065653836366431316461663862393130653761643937376565366435646665313961663534
|
||||
64303363653631653433343361616635373966326433663466636164613062343561333036613937
|
||||
35616666633737356331653632323639373330396433366639326466373639313630
|
||||
children:
|
||||
# Personal home machines
|
||||
home:
|
||||
vars:
|
||||
ansible_become: yes
|
||||
ansible_user: ansible
|
||||
ansible_pull_time: "*-*-* 03:00:00"
|
||||
aws:
|
||||
backup_bucket: 9iron-backups-home
|
||||
zerotier_network_id: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
35646131343239623265663562343333383362366633386462646465643163353866643633636135
|
||||
6238643231313536323337343663313865323430323437630a353462393830376431376363373232
|
||||
30656433343263653035333637336165323931363966376264353164326135336131646362623734
|
||||
3339633961393864330a616437613534643231366634643362383438316233376334636264303361
|
||||
65313231393433396538663463383731303661633663343066333264303330313133
|
||||
hosts:
|
||||
# dsk-cstm-0:
|
||||
# ansible_host: 172.23.100.1
|
||||
# lap-s76-lemp9-0:
|
||||
# ansible_host: 172.23.100.3
|
||||
# thefuck:
|
||||
# vars:
|
||||
# ansible_user: root
|
||||
# hosts:
|
||||
# game1.thefuck.how:
|
||||
9iron:
|
||||
children:
|
||||
desktop:
|
||||
dbservers:
|
||||
vars:
|
||||
hosts:
|
||||
#vm-rice-0:
|
||||
# ansible_host: 192.168.122.14
|
||||
#dsk-cstm-0.desu.ltd:
|
||||
lap-s76-lemp9-0.desu.ltd:
|
||||
prod:
|
||||
vars:
|
||||
ansible_become: yes
|
||||
children:
|
||||
db:
|
||||
hosts:
|
||||
psql1.9iron.club:
|
||||
psql1.desu.ltd:
|
||||
web:
|
||||
hosts:
|
||||
web1.9iron.club:
|
||||
web1.desu.ltd:
|
||||
app:
|
||||
#psql1.9iron.club:
|
||||
webservers:
|
||||
hosts:
|
||||
#web1.9iron.club:
|
||||
fedi1.9iron.club:
|
||||
game:
|
||||
hosts:
|
||||
game1.thefuck.how:
|
||||
gameservers:
|
||||
vars:
|
||||
steam_api_key: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
39616163316634306633623435636633623966306537636639316439343839393231376661666335
|
||||
6136333866633861313566306433393637613364386234360a303832626338373230396665336430
|
||||
33346530626633616161613635656433356434366437383363663165303862316163323263323230
|
||||
3334373531646364620a386165626130386265343235363639346230323930626330343235373662
|
||||
38313431663734343931333462316633643935353038313934663466303834636533616165353961
|
||||
6438356265656532396363323532616437353831613261323037
|
||||
|
25
localhost-deploy.sh
Executable file
25
localhost-deploy.sh
Executable file
@ -0,0 +1,25 @@
|
||||
#! /bin/bash
|
||||
#
|
||||
# localhost-deploy.sh
|
||||
# Deploys configs for local machine and only local machine
|
||||
# Copyright (C) 2020 Vintage Salt <rehashedsalt@cock.li>
|
||||
#
|
||||
# Distributed under terms of the MIT license.
|
||||
#
|
||||
set -e
|
||||
if ! command -v ansible > /dev/null 2>&1; then
|
||||
printf "Installing Ansible and related packages\n"
|
||||
if command -v apt > /dev/null 2>&1; then
|
||||
printf "Installing via APT\n"
|
||||
sudo apt-get install libffi-dev python3-pip python3-setuptools -y
|
||||
elif command -v apk > /dev/null 2>&1; then
|
||||
printf "Installing via APK\n"
|
||||
sudo apk add gcc musl-dev py3-cryptography py3-pip py3-setuptools
|
||||
else
|
||||
printf "No supported package manager found\nPlease install Ansible manually"
|
||||
exit 1
|
||||
fi
|
||||
sudo pip3 install ansible
|
||||
fi
|
||||
ansible-playbook site.yml -l "$HOSTNAME" -e "ansible_user=$USER ansible_connection=local ansible_host=localhost" --ask-become-pass --ask-vault-pass "$@"
|
||||
|
29
playbooks/appservers.yml
Normal file
29
playbooks/appservers.yml
Normal file
@ -0,0 +1,29 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- hosts: fedi1.9iron.club
|
||||
pre_tasks:
|
||||
- name: Assure cowfee record
|
||||
route53:
|
||||
state: present
|
||||
overwrite: yes
|
||||
zone: cowfee.moe
|
||||
type: A
|
||||
record: "cowfee.moe."
|
||||
ttl: 3600
|
||||
value: [ "{{ ipify_public_ip }}" ]
|
||||
wait: yes
|
||||
become: yes
|
||||
tags: [ common, dns ]
|
||||
roles:
|
||||
- role: base-backups
|
||||
tags: [ backups ]
|
||||
- role: matrix
|
||||
vars:
|
||||
matrix_db_hostname: 172.31.47.215
|
||||
tags: [ fedi, matrix ]
|
||||
- role: pleroma
|
||||
vars:
|
||||
pleroma_url: cowfee.moe
|
||||
pleroma_db_hostname: 172.31.47.215
|
||||
tags: [ web, pleroma ]
|
@ -1,90 +0,0 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
# Database servers
|
||||
---
|
||||
- hosts: psql1.desu.ltd
|
||||
roles:
|
||||
- role: backup
|
||||
vars:
|
||||
backup_script: s3pgdump
|
||||
tags: [ backup ]
|
||||
- role: motd
|
||||
vars:
|
||||
motd_watch_services_extra:
|
||||
- postgresql
|
||||
tags: [ motd ]
|
||||
- role: postgresql
|
||||
vars:
|
||||
postgresql_global_config_options:
|
||||
- option: listen_addresses
|
||||
value: 192.168.164.156
|
||||
postgresql_hba_entries:
|
||||
- { type: local, database: all, user: postgres, auth_method: peer }
|
||||
- { type: local, database: all, user: all, auth_method: peer }
|
||||
- { type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5 }
|
||||
- { type: host, database: all, user: all, address: '::1/128', auth_method: md5 }
|
||||
# Used for internal access from other nodes
|
||||
- { type: host, database: all, user: all, address: '192.168.0.0/16', auth_method: md5 }
|
||||
postgresql_users:
|
||||
- name: gitea-desultd
|
||||
password: "{{ secret_gitea_db_pass }}"
|
||||
- name: nextcloud-desultd
|
||||
password: "{{ secret_nextcloud_db_pass }}"
|
||||
postgresql_databases:
|
||||
- name: gitea-desultd
|
||||
owner: gitea-desultd
|
||||
- name: nextcloud-desultd
|
||||
owner: nextcloud-desultd
|
||||
tags: [ db, psql ]
|
||||
- hosts: psql1.9iron.club
|
||||
roles:
|
||||
- role: backup
|
||||
vars:
|
||||
backup_script: s3pgdump
|
||||
tags: [ backup ]
|
||||
- role: motd
|
||||
vars:
|
||||
motd_watch_services_extra:
|
||||
- postgresql
|
||||
tags: [ motd ]
|
||||
- role: postgresql
|
||||
vars:
|
||||
postgresql_hba_entries:
|
||||
- { type: local, database: all, user: postgres, auth_method: peer }
|
||||
- { type: local, database: all, user: all, auth_method: peer }
|
||||
- { type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5 }
|
||||
- { type: host, database: all, user: all, address: '::1/128', auth_method: md5 }
|
||||
- { type: host, database: all, user: all, address: '172.31.0.0/16', auth_method: md5 }
|
||||
postgresql_users:
|
||||
- name: gitea
|
||||
password: "{{ secret_gitea_9iron_db_pass }}"
|
||||
- name: nextcloud
|
||||
password: "{{ secret_nextcloud_9iron_db_pass }}"
|
||||
- name: onlyoffice-9iron
|
||||
password: "{{ secret_onlyoffice_9iron_db_pass }}"
|
||||
- name: pleroma
|
||||
password: "{{ secret_pleroma_9iron_db_pass }}"
|
||||
- name: matrix
|
||||
password: "{{ secret_matrix_9iron_db_pass }}"
|
||||
postgresql_databases:
|
||||
- name: gitea
|
||||
lc_collate: C.UTF-8
|
||||
lc_ctype: C.UTF-8
|
||||
owner: gitea
|
||||
- name: nextcloud
|
||||
lc_collate: C.UTF-8
|
||||
lc_ctype: C.UTF-8
|
||||
owner: nextcloud
|
||||
- name: onlyoffice-9iron
|
||||
lc_collate: C.UTF-8
|
||||
lc_ctype: C.UTF-8
|
||||
owner: onlyoffice-9iron
|
||||
- name: pleroma
|
||||
lc_collate: C.UTF-8
|
||||
lc_ctype: C.UTF-8
|
||||
owner: pleroma
|
||||
- name: matrix
|
||||
lc_collate: C
|
||||
lc_ctype: C
|
||||
owner: matrix
|
||||
tags: [ db, psql ]
|
8
playbooks/dbservers.yml
Normal file
8
playbooks/dbservers.yml
Normal file
@ -0,0 +1,8 @@
|
||||
#!/usr/bin/ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
- hosts: psql1.9iron.club
|
||||
roles:
|
||||
- role: base-backups
|
||||
tags: [ backups ]
|
||||
- role: postgresql
|
||||
tags: [ db, psql ]
|
@ -1,41 +0,0 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
# Home desktops
|
||||
- hosts: desktop
|
||||
post_tasks:
|
||||
- name: confirm liblzo2 dllmap
|
||||
lineinfile:
|
||||
path: /etc/mono/config
|
||||
insertafter: "<configuration>"
|
||||
line: '<dllmap dll="lzo2.dll" target="liblzo2.so.2" os="!windows"/>'
|
||||
tags: [ desktop, mono ]
|
||||
- name: give python3 cap_sys_ptrace
|
||||
capabilities:
|
||||
path: /usr/bin/python3.8
|
||||
# Required for Randovania to access Dolphin memory
|
||||
capability: cap_sys_ptrace=eip
|
||||
tags: [ desktop, python, cap ]
|
||||
roles:
|
||||
- role: backup
|
||||
vars:
|
||||
backup_s3backup_tar_args_extra: h
|
||||
backup_s3backup_list_extra:
|
||||
- /home/salt/.backup/
|
||||
tags: [ backup ]
|
||||
- role: motd
|
||||
tags: [ motd ]
|
||||
- role: desktop
|
||||
tags: [ desktop ]
|
||||
- role: grub
|
||||
tags: [ desktop, grub ]
|
||||
- role: udev
|
||||
vars:
|
||||
udev_rules:
|
||||
# Switch RCM stuff
|
||||
- SUBSYSTEM=="usb", ATTR{idVendor}=="0955", MODE="0664", GROUP="plugdev"
|
||||
tags: [ desktop, udev ]
|
||||
- role: pulseaudio
|
||||
tags: [ desktop, pulse, pulseaudio ]
|
||||
- role: zerotier
|
||||
tags: [ desktop, zerotier ]
|
17
playbooks/dns.yml
Normal file
17
playbooks/dns.yml
Normal file
@ -0,0 +1,17 @@
|
||||
#!/usr/bin/ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
|
||||
- hosts: 9iron
|
||||
tasks:
|
||||
- name: Add machine to DNS zone
|
||||
route53:
|
||||
state: present
|
||||
overwrite: yes
|
||||
zone: 9iron.club
|
||||
type: A
|
||||
record: "{{ inventory_hostname }}."
|
||||
ttl: 3600
|
||||
value: [ "{{ ipify_public_ip }}" ]
|
||||
wait: yes
|
||||
become: yes
|
||||
tags: [ common, dns ]
|
@ -1,57 +0,0 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
# Game servers
|
||||
---
|
||||
- hosts: game1.thefuck.how
|
||||
vars_files:
|
||||
- vars/factorio-main.yml
|
||||
- vars/minecraft-valhelsia.yml
|
||||
roles:
|
||||
- role: backup
|
||||
vars:
|
||||
backup_s3backup_list_extra:
|
||||
- /opt/minecraft/dammit
|
||||
- /opt/minecraft/valhelsia
|
||||
- /opt/minecraft/vanilla
|
||||
- /opt/factorio
|
||||
backup_s3backup_exclude_list_extra:
|
||||
- /opt/minecraft/dammit/backups
|
||||
- /opt/minecraft/valhelsia/backups
|
||||
- /opt/minecraft/vanilla/backups
|
||||
tags: [ backup ]
|
||||
- role: motd
|
||||
vars:
|
||||
motd_watch_services_extra:
|
||||
- minecraft@dammit
|
||||
- minecraft@valhelsia
|
||||
- minecraft@vanilla
|
||||
tags: [ motd ]
|
||||
- role: minecraft
|
||||
tags: [ game, minecraft, forge, valhelsia ]
|
||||
- role: factorio
|
||||
vars:
|
||||
server_version: 1.0.0
|
||||
download_checksum: sha256:81d9e1aa94435aeec4131c8869fa6e9331726bea1ea31db750b65ba42dbd1464
|
||||
service_name: factorio-main
|
||||
service_root: /opt/factorio/main
|
||||
factorio_server_settings:
|
||||
name: "Krabby Land"
|
||||
description: "Where a kid can have fun"
|
||||
max_players: 8
|
||||
visibility:
|
||||
public: false
|
||||
lan: false
|
||||
admins: [ "rehashed_salt" ]
|
||||
tags: [ game, factorio ]
|
||||
- hosts: game1.thefuck.how
|
||||
vars_files:
|
||||
- vars/minecraft-vanilla.yml
|
||||
roles:
|
||||
- role: minecraft
|
||||
tags: [ game, minecraft, paper, vanilla ]
|
||||
- hosts: game1.thefuck.how
|
||||
vars_files:
|
||||
- vars/minecraft-dammit.yml
|
||||
roles:
|
||||
- role: minecraft
|
||||
tags: [ game, minecraft, forge, dammit ]
|
50
playbooks/gameservers.yml
Normal file
50
playbooks/gameservers.yml
Normal file
@ -0,0 +1,50 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- hosts: gameservers
|
||||
roles:
|
||||
- role: base-backups
|
||||
tags: [ backups ]
|
||||
- hosts: game1.thefuck.how
|
||||
roles:
|
||||
- role: base-backups
|
||||
tags: [ backups ]
|
||||
- role: gitweb
|
||||
vars:
|
||||
gitweb_repo: "https://git.9iron.club/salt/thefuck.how"
|
||||
gitweb_url: "thefuck.how"
|
||||
gitweb_webroot: "/var/www/thefuck.how"
|
||||
tags: [ web, webroot ]
|
||||
- role: minecraft
|
||||
vars:
|
||||
minecraft_name: valhelsia
|
||||
minecraft_version: 1.16.3
|
||||
minecraft_jre_xmx: 5G
|
||||
minecraft_server_properties:
|
||||
- opt: difficulty
|
||||
value: hard
|
||||
- opt: motd
|
||||
value: "Let's get this out onto a tray. Nice, mmkay"
|
||||
- opt: server-port
|
||||
value: 25566
|
||||
- opt: view-distance
|
||||
value: 10
|
||||
minecraft_forge_install: yes
|
||||
minecraft_forge_version: 34.1.42
|
||||
minecraft_forge_packurl: "https://media.forgecdn.net/files/3110/654/Valhelsia_SERVER-pre5-3.1.0.zip"
|
||||
minecraft_forge_mods:
|
||||
- "https://media.forgecdn.net/files/3091/862/ftb-gui-library-1603.1.1.25.jar"
|
||||
- "https://media.forgecdn.net/files/3105/153/ftb-chunks-1603.2.0.43.jar"
|
||||
- "https://media.forgecdn.net/files/3113/275/industrial-foregoing-1.16.4-3.2.2-daea863.jar"
|
||||
minecraft_forge_mods_remove:
|
||||
- industrial-foregoing-1.16.3-3.1.1-a834e76.jar
|
||||
become: yes
|
||||
tags: [ gameserver, minecraft, forge, valhelsia ]
|
||||
# - role: minecraft-paper
|
||||
# vars:
|
||||
# paper_name: "thefuckhow"
|
||||
# paper_mc_maxplayers: 16
|
||||
# paper_mc_motd: "brett's new serber"
|
||||
# paper_jre_xms: 1024m
|
||||
# paper_jre_xmx: 2048m
|
||||
# tags: [ gameserver, minecraft, paper ]
|
52
playbooks/home.yml
Normal file
52
playbooks/home.yml
Normal file
@ -0,0 +1,52 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- hosts: home
|
||||
roles:
|
||||
- role: base-backups
|
||||
tags: [ backups ]
|
||||
- role: desktop-zerotier
|
||||
tags: [ zerotier ]
|
||||
- role: desktop-common
|
||||
vars:
|
||||
mopidy_spotify_username: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
62383664346563343663636261386261383865393535646465386435663535653036636665393133
|
||||
3732653236663632633863346463346164663938396137370a326535633966343430633464653437
|
||||
36646134393764313338323235356634353433623731336231626238653064633332306533343966
|
||||
3362303836363065610a383362313738346534313435393537343931383465623466336632323632
|
||||
65656663316561333462303761613963383236363532383866313038633232373132
|
||||
mopidy_spotify_password: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
33303165663833663839323230643036363962393164373638333334643663626235353936343861
|
||||
3834633461343533353366373330323264393361323433330a623837613037346633633065613761
|
||||
63303234323734623938373134333932343965336665323939306336323836613130343866343838
|
||||
3633383138646233330a366634303739643237333331613436623737663463316133666230366165
|
||||
36306233336134636532383232303035343533373262373431353966656561633336
|
||||
mopidy_spotify_client_id: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
32366664323864383162663963343438643930356531653064393135383364623162626533613433
|
||||
6462633637396265373238383461623665393730396139320a626537353761323132386131616338
|
||||
62323033666231326363616363343530333239303638626137613237393135613961613362313662
|
||||
6233336234306466640a383834353935636138323837343765373966353365323634343439663435
|
||||
39646138616533656361653765633161616238633335306363383030383832636330356162616264
|
||||
3739646162313739646538306137623231313037386239343563
|
||||
mopidy_spotify_client_secret: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
34666538353333303865623932653237313465653363356665333336343832356530666666343266
|
||||
6637653137643431346562333465323862356465303766630a336531653033393133396238326134
|
||||
32393033643261373764663963353130626331646266363430353536326135663239363539613530
|
||||
6265366565363862610a366561373362656637623863336665336562323838643665323461653937
|
||||
38306234316364306134396138376230626630633733306432626637616239373838646433343761
|
||||
3436643661633766616564663937346232353666386531363438
|
||||
tags: [ desktop ]
|
||||
- role: pulseaudio
|
||||
tags: [ pulse, pulseaudio ]
|
||||
- role: desktop-sddm
|
||||
vars:
|
||||
sddm_theme_name: "breeze"
|
||||
tags: [ sddm, desktop ]
|
||||
- hosts: dsk-cstm-0
|
||||
roles:
|
||||
- role: rgb-kraken
|
||||
tags: [ desktop, kraken, rgb ]
|
11
playbooks/phone.yml
Normal file
11
playbooks/phone.yml
Normal file
@ -0,0 +1,11 @@
|
||||
#!/usr/bin/ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- hosts: phone
|
||||
roles:
|
||||
- role: base-backups
|
||||
tags: [ backups ]
|
||||
- role: desktop-zerotier
|
||||
tags: [ zerotier ]
|
||||
- role: phone-common
|
||||
tags: [ phone, common ]
|
@ -1,30 +0,0 @@
|
||||
# vim:ft=ansible:
|
||||
apache_global_vhost_settings: |
|
||||
DirectoryIndex index.php index.html
|
||||
Protocols h2 http/1.1
|
||||
<FilesMatch \.php$>
|
||||
SetHandler "proxy:fcgi://127.0.0.1:9000"
|
||||
</FilesMatch>
|
||||
apache_vhosts:
|
||||
- servername: nc.9iron.club
|
||||
extra_parameters: |
|
||||
Redirect permanent / https://nc.9iron.club/
|
||||
- servername: git.9iron.club
|
||||
extra_parameters: |
|
||||
Redirect permanent / https://git.9iron.club/
|
||||
apache_vhosts_ssl:
|
||||
- servername: git.9iron.club
|
||||
extra_parameters: |
|
||||
ProxyPreserveHost On
|
||||
ProxyRequests Off
|
||||
ProxyPass / http://127.0.0.1:3000/ nocanon retry=1
|
||||
certificate_file: /etc/letsencrypt/live/nc.9iron.club/fullchain.pem
|
||||
certificate_key_file: /etc/letsencrypt/live/nc.9iron.club/privkey.pem
|
||||
certificate_chain_file: /etc/letsencrypt/live/nc.9iron.club/chain.pem
|
||||
- servername: nc.9iron.club
|
||||
extra_parameters: |
|
||||
Header always set Strict-Transport-Security "max-age=31536000"
|
||||
documentroot: /var/www/nextcloud
|
||||
certificate_file: /etc/letsencrypt/live/nc.9iron.club/fullchain.pem
|
||||
certificate_key_file: /etc/letsencrypt/live/nc.9iron.club/privkey.pem
|
||||
certificate_chain_file: /etc/letsencrypt/live/nc.9iron.club/chain.pem
|
@ -1,10 +0,0 @@
|
||||
# vim:ft=ansible:
|
||||
certbot_admin_email: rehashedsalt@cock.li
|
||||
certbot_create_if_missing: yes
|
||||
certbot_create_method: standalone
|
||||
certbot_create_standalone_stop_services:
|
||||
- apache2
|
||||
certbot_certs:
|
||||
- domains:
|
||||
- nc.9iron.club
|
||||
- git.9iron.club
|
@ -1,19 +0,0 @@
|
||||
# vim:ft=ansible:
|
||||
# Look and feel
|
||||
gitea_app_name: "9iron Gitea"
|
||||
# Core config
|
||||
gitea_db_type: postgres
|
||||
gitea_db_host: 172.31.47.215:5432
|
||||
gitea_db_name: gitea
|
||||
gitea_db_user: gitea
|
||||
gitea_db_password: "{{ secret_gitea_9iron_db_pass }}"
|
||||
gitea_http_domain: git.9iron.club
|
||||
gitea_oauth2_enabled: no
|
||||
gitea_repository_root: /var/gitea
|
||||
gitea_require_signin: no
|
||||
gitea_root_url: https://git.9iron.club
|
||||
gitea_shell: "/bin/bash"
|
||||
gitea_ssh_domain: git.9iron.club
|
||||
gitea_ssh_port: 22
|
||||
gitea_start_ssh: no
|
||||
gitea_user: git
|
@ -1,9 +0,0 @@
|
||||
# vim:ft=ansible:
|
||||
db_server_host: 172.31.47.215
|
||||
db_server_name: onlyoffice-9iron
|
||||
db_server_user: onlyoffice-9iron
|
||||
db_server_pass: "{{ secret_onlyoffice_9iron_db_pass }}"
|
||||
|
||||
cluster_mode: no
|
||||
|
||||
enable_ssl: no
|
@ -1,20 +0,0 @@
|
||||
# vim:ft=ansible:
|
||||
apache_global_vhost_settings: |
|
||||
DirectoryIndex index.php index.html
|
||||
Protocols h2 http/1.1
|
||||
apache_vhosts:
|
||||
- servername: cowfee.moe
|
||||
extra_parameters: |
|
||||
Redirect permanent / https://cowfee.moe/
|
||||
apache_vhosts_ssl:
|
||||
- servername: cowfee.moe
|
||||
extra_parameters: |
|
||||
ProxyPreserveHost On
|
||||
ProxyRequests Off
|
||||
ProxyPass / http://127.0.0.1:4000/ nocanon retry=1
|
||||
ProxyPassReverse / https://127.0.0.1:4000/
|
||||
RequestHeader set X_FORWARDED_PROTO 'https'
|
||||
RequestHeader set X-Forwarded-Ssl on
|
||||
certificate_file: /etc/letsencrypt/live/cowfee.moe/fullchain.pem
|
||||
certificate_key_file: /etc/letsencrypt/live/cowfee.moe/privkey.pem
|
||||
certificate_chain_file: /etc/letsencrypt/live/cowfee.moe/chain.pem
|
@ -1,10 +0,0 @@
|
||||
# vim:ft=ansible:
|
||||
certbot_admin_email: rehashedsalt@cock.li
|
||||
certbot_create_if_missing: yes
|
||||
certbot_create_method: standalone
|
||||
certbot_create_standalone_stop_services:
|
||||
- apache2
|
||||
certbot_certs:
|
||||
- domains:
|
||||
- cowfee.moe
|
||||
- matrix.9iron.club
|
@ -1,16 +0,0 @@
|
||||
# vim:ft=ansible:
|
||||
# Site config
|
||||
pleroma_hostname: cowfee.moe
|
||||
pleroma_open_registration: "true"
|
||||
pleroma_instance_name: Cowfee
|
||||
pleroma_instance_desc: owo
|
||||
|
||||
# Secret config
|
||||
pleroma_secret_key_base: "{{ secret_pleroma_key_base }}"
|
||||
pleroma_secret_signing_salt: "{{ secret_pleroma_signing_salt }}"
|
||||
|
||||
# DB config
|
||||
pleroma_db_host: 172.31.47.215
|
||||
pleroma_db_name: pleroma
|
||||
pleroma_db_user: pleroma
|
||||
pleroma_db_pass: "{{ secret_pleroma_9iron_db_pass }}"
|
@ -1,22 +0,0 @@
|
||||
# vim:ft=ansible:
|
||||
apache_remove_default_vhost: yes
|
||||
apache_packages_state: latest
|
||||
apache_mods_enabled:
|
||||
- headers.load
|
||||
- http2.load
|
||||
- mpm_worker.load
|
||||
- proxy.load
|
||||
- proxy_fcgi.load
|
||||
- proxy_http.load
|
||||
- rewrite.load
|
||||
- ssl.load
|
||||
apache_mods_disabled:
|
||||
- mpm_event.load
|
||||
- mpm_prefork.load
|
||||
- php7.4.load
|
||||
apache_global_vhost_settings: |
|
||||
DirectoryIndex index.php index.html
|
||||
Protocols h2 http/1.1
|
||||
<FilesMatch \.php$>
|
||||
SetHandler "proxy:fcgi://127.0.0.1:9000"
|
||||
</FilesMatch>
|
@ -1,75 +0,0 @@
|
||||
# vim:ft=ansible:
|
||||
apache_global_vhost_settings: |
|
||||
DirectoryIndex index.php index.html
|
||||
Protocols h2 http/1.1
|
||||
<FilesMatch \.php$>
|
||||
SetHandler "proxy:fcgi://127.0.0.1:9000"
|
||||
</FilesMatch>
|
||||
apache_vhosts:
|
||||
# desu.ltd
|
||||
- servername: desu.ltd
|
||||
extra_parameters: |
|
||||
Redirect permanent / https://desu.ltd/
|
||||
- servername: git.desu.ltd
|
||||
extra_parameters: |
|
||||
Redirect permanent / https://git.desu.ltd/
|
||||
- servername: nc.desu.ltd
|
||||
extra_parameters: |
|
||||
Redirect permanent / https://nc.desu.ltd/
|
||||
# 9iron.club
|
||||
- servername: 9iron.club
|
||||
extra_parameters: |
|
||||
Redirect permanent / https://www.9iron.club/
|
||||
- servername: www.9iron.club
|
||||
extra_parameters: |
|
||||
Redirect permanent / https://www.9iron.club/
|
||||
apache_vhosts_ssl:
|
||||
# desu.ltd
|
||||
- servername: desu.ltd
|
||||
documentroot: /var/www/desu.ltd
|
||||
certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
|
||||
certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
|
||||
certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
|
||||
- servername: git.desu.ltd
|
||||
extra_parameters: |
|
||||
ProxyPreserveHost On
|
||||
ProxyRequests Off
|
||||
ProxyPass / http://127.0.0.1:3000/ nocanon retry=1
|
||||
certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
|
||||
certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
|
||||
certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
|
||||
- servername: nc.desu.ltd
|
||||
extra_parameters: |
|
||||
Header always set Strict-Transport-Security "max-age=31536000"
|
||||
documentroot: /var/www/nc.desu.ltd
|
||||
certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
|
||||
certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
|
||||
certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
|
||||
# 9iron.club
|
||||
- servername: 9iron.club
|
||||
extra_parameters: |
|
||||
Redirect permanent / https://www.9iron.club/
|
||||
certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
|
||||
certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
|
||||
certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
|
||||
- servername: www.9iron.club
|
||||
extra_parameters: |
|
||||
<Directory /var/www/www.9iron.club/files>
|
||||
Options Indexes FollowSymLinks
|
||||
</Directory>
|
||||
documentroot: /var/www/www.9iron.club
|
||||
certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
|
||||
certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
|
||||
certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
|
||||
# otwstudios.org
|
||||
- servername: otwstudios.org
|
||||
extra_parameters: |
|
||||
Redirect permanent / https://www.otwstudios.org/
|
||||
certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
|
||||
certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
|
||||
certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
|
||||
- servername: www.otwstudios.org
|
||||
documentroot: /var/www/www.otwstudios.org
|
||||
certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
|
||||
certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
|
||||
certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
|
@ -1,15 +0,0 @@
|
||||
# vim:ft=ansible:
|
||||
certbot_admin_email: rehashedsalt@cock.li
|
||||
certbot_create_if_missing: yes
|
||||
certbot_create_method: standalone
|
||||
certbot_create_standalone_stop_services:
|
||||
- apache2
|
||||
certbot_certs:
|
||||
- domains:
|
||||
- desu.ltd
|
||||
- git.desu.ltd
|
||||
- nc.desu.ltd
|
||||
- web1.desu.ltd
|
||||
- 9iron.club
|
||||
- www.9iron.club
|
||||
- otwstudios.org
|
@ -1,19 +0,0 @@
|
||||
# vim:ft=ansible:
|
||||
# Look and feel
|
||||
gitea_app_name: "Git Desu"
|
||||
# Core config
|
||||
gitea_db_type: postgres
|
||||
gitea_db_host: 192.168.164.156:5432
|
||||
gitea_db_name: gitea-desultd
|
||||
gitea_db_user: gitea-desultd
|
||||
gitea_db_password: "{{ secret_gitea_db_pass }}"
|
||||
gitea_http_domain: git.desu.ltd
|
||||
gitea_oauth2_enabled: no
|
||||
gitea_repository_root: /srv/desu.ltd/git
|
||||
gitea_require_signin: no
|
||||
gitea_root_url: https://git.desu.ltd
|
||||
gitea_shell: "/bin/bash"
|
||||
gitea_ssh_domain: git.desu.ltd
|
||||
gitea_ssh_port: 22
|
||||
gitea_start_ssh: no
|
||||
gitea_user: git
|
@ -1,20 +0,0 @@
|
||||
# vim:ft=ansible:
|
||||
nextcloud_installation_dir: /var/www/nc.desu.ltd
|
||||
nextcloud_data_dir: /srv/desu.ltd/nc
|
||||
nextcloud_admin_user: admin
|
||||
nextcloud_admin_pass: "{{ secret_nextcloud_admin_pass }}"
|
||||
nextcloud_version: 19
|
||||
nextcloud_urls:
|
||||
- http://nc.desu.ltd:80
|
||||
- https://nc.desu.ltd:443
|
||||
nextcloud_config:
|
||||
system:
|
||||
trusted_domains:
|
||||
"{{ nextcloud_urls | map('urlsplit', 'hostname') | list }}"
|
||||
nextcloud_database:
|
||||
backend: pgsql
|
||||
name: nextcloud-desultd
|
||||
user: nextcloud-desultd
|
||||
pass: "{{ secret_nextcloud_db_pass }}"
|
||||
host: 192.168.164.156
|
||||
port: 5432
|
@ -1,13 +0,0 @@
|
||||
# vim:ft=ansible:
|
||||
server_version: 1.0.0
|
||||
download_checksum: sha256:81d9e1aa94435aeec4131c8869fa6e9331726bea1ea31db750b65ba42dbd1464
|
||||
service_name: factorio-main
|
||||
service_root: /opt/factorio/main
|
||||
factorio_server_settings:
|
||||
name: "Krabby Land"
|
||||
description: "Where a kid can have fun"
|
||||
max_players: 8
|
||||
visibility:
|
||||
public: false
|
||||
lan: false
|
||||
admins: [ "rehashed_salt" ]
|
@ -1,34 +0,0 @@
|
||||
# vim:ft=ansible:
|
||||
minecraft_name: dammit
|
||||
minecraft_version: 1.7.10
|
||||
minecraft_jre_xmx: 4G
|
||||
minecraft_restart_delay: 30
|
||||
minecraft_server_properties:
|
||||
- opt: allow-flight
|
||||
value: "true"
|
||||
- opt: difficulty
|
||||
value: 3
|
||||
- opt: motd
|
||||
value: "I can't believe that I actually exist"
|
||||
- opt: server-port
|
||||
value: 25567
|
||||
- opt: view-distance
|
||||
value: 12
|
||||
minecraft_forge_install: yes
|
||||
minecraft_forge_version: 10.13.4.1614
|
||||
minecraft_forge_versionstring: "{{ minecraft_version }}-{{ minecraft_forge_version }}-{{ minecraft_version }}"
|
||||
minecraft_forge_jar_name: "forge-{{ minecraft_forge_versionstring }}-universal.jar"
|
||||
minecraft_forge_packurl: "https://www.9iron.club/files/magic-1.7.10-2.zip"
|
||||
minecraft_forge_mods:
|
||||
- "https://media.forgecdn.net/files/2309/699/worldedit-forge-mc1.7.10-6.1.1-dist.jar"
|
||||
minecraft_forge_mods_remove:
|
||||
- DynamicSurroundings-1.7.10-1.0.6.2.jar
|
||||
- favorites-1.2.jar
|
||||
- FullscreenWindowed-1.7.10-1.3.0b.jar
|
||||
- MouseTweaks-2.4.4-mc1.7.10.jar
|
||||
- "Neat 1.0-1.jar"
|
||||
- OptiFine_1.7.10_HD_U_E7.jar
|
||||
- SoundFilters-0.8_for_1.7.X.jar
|
||||
- Stellar+API-0.1.3.8.jar
|
||||
- Stellar+Sky-0.1.5.7.jar
|
||||
- World-Tooltips-1.7.10-1.2.3-79.jar
|
@ -1,23 +0,0 @@
|
||||
# vim:ft=ansible:
|
||||
minecraft_enabled: no
|
||||
minecraft_name: valhelsia
|
||||
minecraft_version: 1.16.3
|
||||
minecraft_jre_xmx: 5G
|
||||
minecraft_server_properties:
|
||||
- opt: difficulty
|
||||
value: hard
|
||||
- opt: motd
|
||||
value: "Let's get this out onto a tray. Nice, mmkay"
|
||||
- opt: server-port
|
||||
value: 25566
|
||||
- opt: view-distance
|
||||
value: 10
|
||||
minecraft_forge_install: yes
|
||||
minecraft_forge_version: 34.1.42
|
||||
minecraft_forge_packurl: "https://media.forgecdn.net/files/3110/654/Valhelsia_SERVER-pre5-3.1.0.zip"
|
||||
minecraft_forge_mods:
|
||||
- "https://media.forgecdn.net/files/3091/862/ftb-gui-library-1603.1.1.25.jar"
|
||||
- "https://media.forgecdn.net/files/3105/153/ftb-chunks-1603.2.0.43.jar"
|
||||
- "https://media.forgecdn.net/files/3113/275/industrial-foregoing-1.16.4-3.2.2-daea863.jar"
|
||||
minecraft_forge_mods_remove:
|
||||
- industrial-foregoing-1.16.3-3.1.1-a834e76.jar
|
@ -1,18 +0,0 @@
|
||||
# vim:ft=ansible:
|
||||
minecraft_enabled: no
|
||||
minecraft_name: vanilla
|
||||
minecraft_version: 1.16.4
|
||||
minecraft_jre_xmx: 1G
|
||||
minecraft_jre_xms: 512M
|
||||
minecraft_server_properties:
|
||||
- opt: difficulty
|
||||
value: normal
|
||||
- opt: motd
|
||||
value: "brett's new serber"
|
||||
- opt: server-port
|
||||
value: 25565
|
||||
- opt: spawn-protection
|
||||
value: 4
|
||||
- opt: view-distance
|
||||
value: 12
|
||||
minecraft_paper_install: yes
|
@ -1,3 +0,0 @@
|
||||
# vim:ft=ansible:
|
||||
netdata_git_version_tag: v1.28.0
|
||||
netdata_hostname: "{{ inventory_hostname }}"
|
@ -1,18 +0,0 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
# Defaults for a simple php-fpm setup
|
||||
php_enable_php_fpm: yes
|
||||
php_memory_limit: 512M
|
||||
php_packages_extra:
|
||||
- libapache2-mod-php
|
||||
- php-zip # For Nextcloud
|
||||
- php-intl
|
||||
- php-imagick
|
||||
- php-redis
|
||||
- php-bcmath
|
||||
- php-gmp
|
||||
- php-pgsql # For general DB stuff
|
||||
# Nextcloud recommended opcache settings
|
||||
php_opcache_max_accelerated_files: 10000
|
||||
php_opcache_memory_consumption: 128
|
||||
php_opcache_revalidate_freq: 2
|
@ -1,185 +0,0 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
# Webservers
|
||||
---
|
||||
- hosts: web1.desu.ltd
|
||||
tasks:
|
||||
- name: configure nextcloud cronjob
|
||||
cron: user=www-data name=nextcloud minute=*/5 job="php -f /var/www/nc.desu.ltd/cron.php"
|
||||
tags: [ nextcloud, cron ]
|
||||
vars_files:
|
||||
- vars/apache.yml
|
||||
- vars/php-fpm.yml
|
||||
- vars/desultd-apache.yml
|
||||
- vars/desultd-certbot.yml
|
||||
- vars/desultd-gitea.yml
|
||||
- vars/desultd-nextcloud.yml
|
||||
roles:
|
||||
- role: backup
|
||||
vars:
|
||||
backup_s3backup_list_extra:
|
||||
- /var/lib/gitea
|
||||
- /var/www/nc.desu.ltd
|
||||
- /var/www/www.9iron.club/files
|
||||
- /srv/desu.ltd
|
||||
backup_s3backup_exclude_list_extra:
|
||||
- /var/lib/gitea/log
|
||||
tags: [ backup ]
|
||||
- role: motd
|
||||
vars:
|
||||
motd_watch_services_extra:
|
||||
- apache2
|
||||
- gitea
|
||||
- php7.4-fpm
|
||||
tags: [ motd ]
|
||||
- role: certbot
|
||||
tags: [ web, certbot ]
|
||||
- role: php
|
||||
tags: [ web, php ]
|
||||
- role: apache
|
||||
tags: [ web, apache ]
|
||||
- role: git
|
||||
vars:
|
||||
git_repos:
|
||||
- repo: https://git.desu.ltd/salt/desultd
|
||||
dest: /var/www/desu.ltd
|
||||
- repo: https://git.desu.ltd/salt/9iron
|
||||
dest: /var/www/www.9iron.club
|
||||
- repo: https://git.desu.ltd/salt/gitea-custom
|
||||
dest: /usr/local/bin/custom
|
||||
tags: [ web, git ]
|
||||
- role: nextcloud
|
||||
tags: [ web, nextcloud ]
|
||||
- role: gitea
|
||||
tags: [ web, gitea ]
|
||||
- hosts: web1.9iron.club
|
||||
tasks:
|
||||
- name: configure nextcloud cronjob
|
||||
cron: user=www-data name=nextcloud minute=*/5 job="php -f /var/www/nextcloud/cron.php"
|
||||
tags: [ nextcloud, cron ]
|
||||
- name: register nextcloud efs
|
||||
efs:
|
||||
name: 9iron-gitea
|
||||
region: us-east-2
|
||||
targets:
|
||||
- subnet_id: subnet-852935ed
|
||||
security_groups: [ "sg-4f4b692c" ]
|
||||
register: ncefs
|
||||
tags: [ nextcloud, efs ]
|
||||
- name: mount nextcloud efs
|
||||
mount: path=/var/nextcloud src={{ ncefs.efs.filesystem_address }} fstype=nfs4 opts="nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport" state=mounted
|
||||
tags: [ nextcloud, efs ]
|
||||
- name: register gitea efs
|
||||
efs:
|
||||
name: 9iron-gitea
|
||||
region: us-east-2
|
||||
targets:
|
||||
- subnet_id: subnet-852935ed
|
||||
security_groups: [ "sg-4f4b692c" ]
|
||||
register: gitefs
|
||||
tags: [ gitea, efs ]
|
||||
- name: mount gitea efs
|
||||
mount: path=/var/gitea src={{ gitefs.efs.filesystem_address }} fstype=nfs4 opts="nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport" state=mounted
|
||||
tags: [ gitea, efs ]
|
||||
vars_files:
|
||||
- vars/apache.yml
|
||||
- vars/php-fpm.yml
|
||||
- vars/9iron-apache.yml
|
||||
- vars/9iron-certbot.yml
|
||||
- vars/9iron-gitea.yml
|
||||
roles:
|
||||
- role: backup
|
||||
vars:
|
||||
backup_s3backup_list_extra:
|
||||
- /var/gitea
|
||||
- /var/lib/gitea
|
||||
- /var/nextcloud
|
||||
- /var/www/nextcloud
|
||||
backup_s3backup_exclude_list_extra:
|
||||
- /var/lib/gitea/log
|
||||
tags: [ backup ]
|
||||
- role: motd
|
||||
vars:
|
||||
motd_watch_services_extra:
|
||||
- apache2
|
||||
- gitea
|
||||
- php7.4-fpm
|
||||
tags: [ motd ]
|
||||
- role: certbot
|
||||
tags: [ web, certbot ]
|
||||
- role: php
|
||||
tags: [ web, php ]
|
||||
- role: apache
|
||||
tags: [ web, apache ]
|
||||
- role: gitea
|
||||
tags: [ web, gitea ]
|
||||
- hosts: fedi1.9iron.club
|
||||
vars_files:
|
||||
- vars/apache.yml
|
||||
- vars/9iron-pleroma.yml
|
||||
- vars/9iron-pleroma-apache.yml
|
||||
- vars/9iron-pleroma-certbot.yml
|
||||
roles:
|
||||
- role: backup
|
||||
vars:
|
||||
backup_s3backup_list_extra:
|
||||
- /opt/pleroma
|
||||
- /var/lib/pleroma
|
||||
tags: [ backup ]
|
||||
- role: motd
|
||||
vars:
|
||||
motd_watch_services_extra:
|
||||
- apache2
|
||||
- pleroma
|
||||
tags: [ motd ]
|
||||
- role: certbot
|
||||
tags: [ web, certbot ]
|
||||
- role: apache
|
||||
tags: [ web, apache ]
|
||||
- hosts: game1.thefuck.how
|
||||
vars_files:
|
||||
- vars/apache.yml
|
||||
- vars/php-fpm.yml
|
||||
roles:
|
||||
- role: certbot
|
||||
vars:
|
||||
certbot_admin_email: rehashedsalt@cock.li
|
||||
certbot_create_if_missing: yes
|
||||
certbot_create_method: standalone
|
||||
certbot_create_standalone_stop_services:
|
||||
- apache2
|
||||
certbot_certs:
|
||||
- domains:
|
||||
- thefuck.how
|
||||
- game1.thefuck.how
|
||||
tags: [ web, certbot ]
|
||||
- role: php
|
||||
tags: [ web, php ]
|
||||
- role: apache
|
||||
vars:
|
||||
apache_vhosts:
|
||||
- servername: thefuck.how
|
||||
extra_parameters: |
|
||||
Redirect permanent / https://thefuck.how/
|
||||
- servername: game1.thefuck.how
|
||||
extra_parameters: |
|
||||
Redirect permanent / https://thefuck.how/
|
||||
apache_vhosts_ssl:
|
||||
- servername: thefuck.how
|
||||
documentroot: /var/www/thefuck.how
|
||||
certificate_file: /etc/letsencrypt/live/thefuck.how/fullchain.pem
|
||||
certificate_key_file: /etc/letsencrypt/live/thefuck.how/privkey.pem
|
||||
certificate_chain_file: /etc/letsencrypt/live/thefuck.how/chain.pem
|
||||
- servername: game1.thefuck.how
|
||||
extra_parameters: |
|
||||
Redirect permanent / https://thefuck.how/
|
||||
certificate_file: /etc/letsencrypt/live/thefuck.how/fullchain.pem
|
||||
certificate_key_file: /etc/letsencrypt/live/thefuck.how/privkey.pem
|
||||
certificate_chain_file: /etc/letsencrypt/live/thefuck.how/chain.pem
|
||||
tags: [ web, apache ]
|
||||
- role: git
|
||||
vars:
|
||||
git_repos:
|
||||
- repo: https://git.desu.ltd/salt/thefuckhow
|
||||
dest: /var/www/thefuck.how
|
||||
tags: [ web, git ]
|
39
playbooks/webservers.yml
Normal file
39
playbooks/webservers.yml
Normal file
@ -0,0 +1,39 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- hosts: web1.9iron.club
|
||||
roles:
|
||||
- role: base-backups
|
||||
tags: [ backups ]
|
||||
- role: gitea
|
||||
tags: [ web, gitea ]
|
||||
# - role: grafana
|
||||
# tags: [ web, grafana ]
|
||||
- role: nextcloud
|
||||
tags: [ web, nextcloud ]
|
||||
- role: redirect
|
||||
vars:
|
||||
redirect_from: "9iron.club"
|
||||
redirect_to: "www.9iron.club"
|
||||
redirect_webroot: "/var/www/redirect"
|
||||
tags: [ web, redirect, 9i ]
|
||||
- role: gitweb
|
||||
vars:
|
||||
gitweb_repo: "https://git.9iron.club/salt/www2"
|
||||
gitweb_url: "www.9iron.club"
|
||||
gitweb_webroot: "/var/www/www"
|
||||
tags: [ web, webroot, 9i ]
|
||||
- hosts: web1.9iron.club
|
||||
roles:
|
||||
- role: redirect
|
||||
vars:
|
||||
redirect_from: "otwstudios.org"
|
||||
redirect_to: "www.otwstudios.org"
|
||||
redirect_webroot: "/var/www/redirect"
|
||||
tags: [ web, redirect, otw ]
|
||||
- role: gitweb
|
||||
vars:
|
||||
gitweb_repo: "https://git.9iron.club/KidiroInfiniti/OTW_Site"
|
||||
gitweb_url: "www.otwstudios.org"
|
||||
gitweb_webroot: "/var/www/otwstudios.org"
|
||||
tags: [ web, webroot, otw ]
|
9
provision.yml
Executable file
9
provision.yml
Executable file
@ -0,0 +1,9 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- hosts: all
|
||||
roles:
|
||||
- role: common
|
||||
tags: [ common ]
|
||||
- role: ansible-pull
|
||||
tags: [ ansible, common ]
|
12
reboot.yml
12
reboot.yml
@ -1,13 +1,15 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- hosts: db,web,game
|
||||
- hosts: dbservers,webservers,gameservers
|
||||
serial: 1
|
||||
tasks:
|
||||
- name: check for reboot-required
|
||||
stat: path=/var/run/reboot-required
|
||||
- name: Check for reboot-required
|
||||
stat:
|
||||
path: "/var/run/reboot-required"
|
||||
register: s
|
||||
- name: reboot
|
||||
reboot: reboot_timeout=300
|
||||
- name: Reboot
|
||||
reboot:
|
||||
reboot_timeout: 300
|
||||
when: s.stat.exists
|
||||
become: yes
|
||||
|
@ -1,3 +0,0 @@
|
||||
# ansible-pull
|
||||
|
||||
This role configures and enables a period `ansible-pull` task through systemd, allowing for machines to ensure proper configuration periodically and of their own volition.
|
@ -1,5 +1,5 @@
|
||||
# vim:ft=ansible:
|
||||
ansible_pull_boot_delay: 15min
|
||||
ansible_pull_commit: master
|
||||
ansible_pull_boot_delay: "15min"
|
||||
# Use `systemd-analyze calendar` for testing
|
||||
ansible_pull_time: "*-*-* 01:00:00"
|
||||
ansible_pull_playbook: site.yml
|
||||
ansible_pull_playbook: "site.yml"
|
||||
|
@ -1,5 +1,10 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
#!/usr/bin/ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- name: restart ansiblepull timer
|
||||
systemd: daemon_reload=yes name=ansible-pull.timer enabled=yes state=started
|
||||
systemd:
|
||||
daemon_reload: yes
|
||||
name: ansible-pull.timer
|
||||
enabled: yes
|
||||
state: restarted
|
||||
become: yes
|
||||
|
4
roles/ansible-pull/meta/main.yml
Normal file
4
roles/ansible-pull/meta/main.yml
Normal file
@ -0,0 +1,4 @@
|
||||
---
|
||||
allow_duplicates: no
|
||||
dependencies:
|
||||
- role: ansible
|
@ -1,16 +1,36 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
#!/usr/bin/ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
- name: assure vault password file
|
||||
copy: src=vaultpass dest="~/ansiblevaultpass" mode="0600"
|
||||
---
|
||||
- name: Set up ansible-pull
|
||||
block:
|
||||
- name: Copy Ansible password file
|
||||
copy:
|
||||
src: ansiblevaultpass
|
||||
dest: ~/ansiblevaultpass
|
||||
mode: "0600"
|
||||
become: yes
|
||||
become_user: ansible
|
||||
- name: Configure systemd unit
|
||||
block:
|
||||
- name: Template out config
|
||||
template: src=ansible-pull.cfg dest=~/ansible-pull.cfg
|
||||
become: yes
|
||||
become_user: ansible
|
||||
- name: Template out services
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
mode: "{{ item.mode }}"
|
||||
loop:
|
||||
- { src: "ansible-pull.service", dest: "/etc/systemd/system/ansible-pull.service", mode: "0644" }
|
||||
- { src: "ansible-pull.timer", dest: "/etc/systemd/system/ansible-pull.timer", mode: "0644" }
|
||||
notify: restart ansiblepull timer
|
||||
- name: Enable timer
|
||||
systemd:
|
||||
daemon_reload: yes
|
||||
name: ansible-pull.timer
|
||||
enabled: yes
|
||||
state: started
|
||||
notify: restart ansiblepull timer
|
||||
when: ansible_service_mgr == "systemd"
|
||||
become: yes
|
||||
become_user: ansible
|
||||
- name: install ansible
|
||||
pip: name=ansible,ansible-base,ansible-lint state=latest
|
||||
when: ansible_os_family != "Gentoo"
|
||||
- name: configure systemd service
|
||||
template: src=ansible-pull.service dest=/etc/systemd/system/ansible-pull.service
|
||||
- name: configure systemd timer
|
||||
template: src=ansible-pull.timer dest=/etc/systemd/system/ansible-pull.timer
|
||||
notify: restart ansiblepull timer
|
||||
- name: enable timer
|
||||
systemd: daemon_reload=yes name=ansible-pull.timer enabled=yes state=started
|
||||
|
12
roles/ansible-pull/templates/ansible-pull.cfg
Normal file
12
roles/ansible-pull/templates/ansible-pull.cfg
Normal file
@ -0,0 +1,12 @@
|
||||
[defaults]
|
||||
gathering = smart
|
||||
interpreter_python = python3
|
||||
inventory = ansible-pull-repo/inventory
|
||||
roles_path = ansible-pull-repo/roles
|
||||
# Secrets
|
||||
ask_become_pass = false
|
||||
ask_vault_pass = false
|
||||
# Warnings
|
||||
command_warnings = true
|
||||
#deprecation_warnings = false
|
||||
system_warnings = true
|
@ -3,15 +3,12 @@
|
||||
Description=Ansible pull service
|
||||
StartLimitIntervalSec=3600
|
||||
StartLimitBurst=5
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
User=ansible
|
||||
Group=ansible
|
||||
Type=oneshot
|
||||
Environment=ANSIBLE_CONFIG=~/ansible-pull-repo/ansible-pull.cfg
|
||||
ExecStart=ansible-pull --accept-host-key -U "{{ ansible_pull_repo }}" -C "{{ ansible_pull_commit }}" -d "~/ansible-pull-repo" --vault-password-file "~/ansiblevaultpass" "{{ ansible_pull_playbook }}"
|
||||
Environment=ANSIBLE_CONFIG=~/ansible-pull.cfg
|
||||
ExecStart=/usr/local/bin/ansible-pull --accept-host-key -U "{{ ansible_pull_repo }}" -d "~/ansible-pull-repo" --vault-password-file "~/ansiblevaultpass" "{{ ansible_pull_playbook }}"
|
||||
Restart=on-failure
|
||||
RestartSec=90
|
||||
|
||||
|
135
roles/ansible/files/ansiblekey
Normal file
135
roles/ansible/files/ansiblekey
Normal file
@ -0,0 +1,135 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
38366663623636336331373931396632616133633538633562353430656338666162393164346436
|
||||
3939356235343431326165373231313930386639333466330a613864636237373735306636383631
|
||||
66363165343164616333636336393561313633613130656664323663356162636265373639336665
|
||||
3564333732373634370a656231613835663436326633346263316630346461316566363462666132
|
||||
39346632316563333633363061336534356336363534613837386332393166383565336635633763
|
||||
30336139326361313763303739393265316535643238663736646361656639373461396433396665
|
||||
63363237303933373265613336616335343038326561346362323636333333313235366361653463
|
||||
39386137356632373032343762303538656130366430643030383234343663366666373162393063
|
||||
32656366313631613235643061366639323930363766363137393737646666383839336264373831
|
||||
64316164613332353430373933633939373933303461663832333663313561643462666234633461
|
||||
31653039323430613731656538343831376632376634336436643461643063643138396131316134
|
||||
66373035326333613035643833363836613437376265373135326362323062633936323435383630
|
||||
39646433356161663831356265346261363137666634646331306130306232343638346264303631
|
||||
32303737643632393937363738623865303735633535316162366464393163653834386432663261
|
||||
64303339343335666532663434353234353066663632633730373530313637666532363863313963
|
||||
31326662633639376462303466646536323965643739636438613132333738373430363534396361
|
||||
37616566303633663362326436666636343762653531313435356163636133643430393139623938
|
||||
38643839373365313966636466393039626139366665346664643930353630613236303761306331
|
||||
34656137643764633132643830666638333938316530613236643232633830643337623432656134
|
||||
66636138326230623336653938323934316339393531393163343637386236613334636362613265
|
||||
30386638636662393431363134353165613965306364373061613634303132336336396265323565
|
||||
34303231356664376464363533626263626130653565653032656264616236656161343039333461
|
||||
32303736383365346138313864633966623963633635313161623565363664303562316338366161
|
||||
61386133663265316464646637336239396339386561306632313235363136316430636635626432
|
||||
36333432623564376134343965653138353331663632346262396432356637623738323333366633
|
||||
35396630386536653232396439663135343934653835643962353039323664383432326463323735
|
||||
38643235643633316338396364393730333235316139353535643534303863356365353630653239
|
||||
30306437383336303530316232666161646363646436666335613763306534356432663933323663
|
||||
63633838633139373336376633643363393730313531353766656139326634613366356666623236
|
||||
38353562653065386662656632373332653162383165666131386132613962643635663864656433
|
||||
63343837363831396166616162353935383935653732346139366637306436386532646330343332
|
||||
39666431616662393036616134666436393366303365336162646539656138636166656633313533
|
||||
39626162346263306235346662343432396635636238383032623066343165366166656537613535
|
||||
63383232303831323064636662366264663666353337373065326561343661396632353532346564
|
||||
63616333363962366364373038336261613833623561636437343564656630663032313562386436
|
||||
62656163636638323764313239336435383930303735623035313136326130373432376139623736
|
||||
65613430353265356233373866653236633832373231333434643238326430356666626461663435
|
||||
65623964313837353665373739613230633932653837643532623463366535323565636562356436
|
||||
61616236366564323765653165323132326238633365353365333366363864636265656437373537
|
||||
62356134343366373335393833666531366462306336396337313966326230393435383562343364
|
||||
34313037393461383930373538653962623964313862326532333739373933303137313662376639
|
||||
31396634323032393131323735333634356133316333383936366366623936643539323539613763
|
||||
34363839353163616338396430643263336163653735656361656362336130653236363437373130
|
||||
36343063306366303037666530616631333834633531363036343461633138393736623334643630
|
||||
35323262323938366561363835616231316364343837383539656638346135663164623334616466
|
||||
64653161313233373563343537326336336465623432636538323037386539343439373137666137
|
||||
62393135316363643161393330656130663737303534356630376334633239346663356561376337
|
||||
64343532313565393330316538376263353839383565643734336637666630663061316163343139
|
||||
39393638356133613266656230313836623435613636336436616337653030376430376263323939
|
||||
66623038383035373365643436353834623038646634636465353735356135643264623534313731
|
||||
34343538356331646432653133386335623336303066663635326262623837663033303461376362
|
||||
31373361353664383361326530333361336562663033303963636135666235626263303538366234
|
||||
63313461666463376361373639336637306132353066393233626333376534356264356335373538
|
||||
31306363613435303062623466303339363931396163373834323738336636656337333938653766
|
||||
64386233663366343434376432303731653937313639376661336462323662373134643332326661
|
||||
37396664363030343362613133393130373730646534616431303730633466353637353264646132
|
||||
36373861613864393366653065353662626434396163663137636135333238313363303266623732
|
||||
61646166666136306133633761373833633332616634333131303534306434366165613933323666
|
||||
61666562626135396434316130303839643331316532663336343731393431643739376565363330
|
||||
33623036613930333338353262643766336134386662336462616562353536616330666330306264
|
||||
30633162636562613562363661653531356134613632633562306338353236393336313132663961
|
||||
34313466383464616639643630376465396164383536666365353139383562386130626562353436
|
||||
31303633623137663238663065363434336663336634363437646363656462333430653464643939
|
||||
66333036646631353138646264386630356563333932633933643337396363343562623766356533
|
||||
38316639353234666336383737383532353963633762313437356262383830643137353262383964
|
||||
30396636626465336331313264666637393030663765393338333061623030633134313438386631
|
||||
36336238386563313037373237366432323937663539663162396166663033626663646461323362
|
||||
64643137613939363164616533366436353631396232663832393231316263646466653966333238
|
||||
66393965623863393433323366366130666364376164336638666331666461316135353338343139
|
||||
39636566393437396333633462396464616131333134613131323964353434613736313736376461
|
||||
37373130626331623362613538353735613963363035656433626134336564303966383462363661
|
||||
34353064643732666264323536316231643833326664386333396536336665316339303562323763
|
||||
35646561613439643066613765623563386331363437353637376434656638373962383865396464
|
||||
65353834356631316438386139316631336262356139663062346131336432333834616231666538
|
||||
32346565343263646461363336353365626532613465623833623036663839613864333961666437
|
||||
32633662626462386366363736323739366434323632373066373435633961623038363061386261
|
||||
36333139636135623131653234346163353366316562653439336233316236386431383163653866
|
||||
38393939646363613132323663643931306135626165626264666262323764336562636166626533
|
||||
30613762353431643635656566656533346330306463353839393035343766656465343132363862
|
||||
38306239663262336338353033303764633935303562643936373732396466616564323532326439
|
||||
36623538363638376232616535363263373664386332623237313834613165393439323936383562
|
||||
63373966643531346337333935393862346437316264656563316539303037343933393639363434
|
||||
66616161626165373661653963323835383437656464383931363236376165633834343039323035
|
||||
62386637373738653639643232636631366532626332356538663166653839303663643332323130
|
||||
63386465323838666437646361653633626635303733626238326237623637623563303465353531
|
||||
66333935333335396634356539313434616538336135306631353961623764376665653365356335
|
||||
30656266313637383534353736346633393432343466666639376330313837353763343438653366
|
||||
38346132336336656365323166303632633661383530626331613739303961386235346139366236
|
||||
30636464336165353436303966633935323835353439363636386661383461363265323937653565
|
||||
65383139613365613337623136626133393461663461613566623134396431613733663137373335
|
||||
31666332393338666235653562356563643033353961386466386562346339653638626261306635
|
||||
34353132353664373332323335646438646433386430313061643737623566613339653131623836
|
||||
62633936626436626133303633366336373838336531336139616564623364626534383834313234
|
||||
37666163623462656434316563363535646236666536396431626132323361343238303834366637
|
||||
33623565313730386264336638306637623931323861333939376165323139376335326566333633
|
||||
65316439613430383230323439613538396630306233356339613662333061643732346531656364
|
||||
65623263336538346561356631386639363939643434343938373264373565613537336465363038
|
||||
66363963626365633338663234643764316530353566376633313732336533333063613232333538
|
||||
66396236313866343038656366633738666463356432613230636361316436666432373636363034
|
||||
63353231346533303361363834333231633131613165366134353763363766613033656333626438
|
||||
30333731383264323732313261336263326562316530663962313739383836326536363030333564
|
||||
39333436396136623161373032643438633431303761333962623832333832366463626533653832
|
||||
64323333306336616363613865393561656636633735616333333736633463396330353665626561
|
||||
38316134626163376466643537336335313131353461316362383865363437643263636339383831
|
||||
65383762663265636663396135386630326333393237356564616237393431633537633762616134
|
||||
34353264346539663038663866386538306662316233353130663332643533623436393937366266
|
||||
65303330633966613038393430303536363730643463663733653237343937336136353233303037
|
||||
65613537656335356533666136366363323535636635323330623664626564656537356363633763
|
||||
31313437363766663338313633663866663563393039363232656638363961336631303464306536
|
||||
36396136346663323038386634343461336666636438323866356339623763656436643833393963
|
||||
66396662366632653831393238396535623939306434396537643930393261336161396239383330
|
||||
62336237396639663837623561383964346633353935366266373030633864393433623734613233
|
||||
35653138303866656465363465313733616363633334663062363436376139633231626564376166
|
||||
34643864333865633832616539333063396264376566666539633936646338623763353032353635
|
||||
34633465613135376234303538636432346336383431343237323661393564306438333830393737
|
||||
38356333363961643735356265613762396663323264336565623762356163626130623366623861
|
||||
31626135613865613866666565663063656632653339333866396537343131636366393131346438
|
||||
66626434656235376265386135333165366162346536623466303437313131336165346238383934
|
||||
35353064663536373162613836383663396661633930616431653764353339613835393762396332
|
||||
32363965653235646130323761316437376631383464306661623963306362343631666538653864
|
||||
30613233336339373739363733346466313764383165643466316239613264393332626133363437
|
||||
36666431613263393730393264326235353239633035653736626233343630623736646230653064
|
||||
35393932396361623239326435356563623033316561373236613136333938363265376561386430
|
||||
36393730353465376663343361306234346564623837363565373733373936623534353639623538
|
||||
62316264613734326638636538653861663637623462306138636532653036343061396363363631
|
||||
61316638653133636561363333363638396439643835363033336666346461356637336233386234
|
||||
32336664376631336662613239353461633566633565623137643536343137373534663031626333
|
||||
64613335656330666465366638373863306439636166346430363033313435626337373764313938
|
||||
35306465656264643463653930303830333262616233333532616138383335626663636365626464
|
||||
65613461633737646235343230346331313435386530383838613930633037356537623039333936
|
||||
61353332386231623237613731363731383738383934613932613031633235663935386536323733
|
||||
31393263353339633462326639306264356562393166366263626537313432366639376531386263
|
||||
31643061303032303363653631323131656436663563363333646162643331376438343437663034
|
||||
6332323532343937323062386135393566323732356533336162
|
4
roles/ansible/meta/main.yml
Normal file
4
roles/ansible/meta/main.yml
Normal file
@ -0,0 +1,4 @@
|
||||
---
|
||||
allow_duplicates: no
|
||||
dependencies:
|
||||
- role: awscreds
|
51
roles/ansible/tasks/main.yml
Normal file
51
roles/ansible/tasks/main.yml
Normal file
@ -0,0 +1,51 @@
|
||||
#!/usr/bin/ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- name: Set up Ansible
|
||||
block:
|
||||
- name: Install Ansible-required packages via apt
|
||||
apt:
|
||||
name:
|
||||
- python3-pip
|
||||
- python3-boto
|
||||
- python3-boto3
|
||||
- python3-botocore
|
||||
- python3-setuptools
|
||||
become: true
|
||||
when: ansible_os_family == "Debian"
|
||||
- name: Install Ansible-required packages via apk
|
||||
apk:
|
||||
name:
|
||||
- gcc
|
||||
- musl-dev
|
||||
- py3-boto
|
||||
- py3-boto3
|
||||
- py3-botocore
|
||||
- py3-cryptography
|
||||
- py3-pip
|
||||
- py3-setuptools
|
||||
when: ansible_distribution == "Alpine"
|
||||
- name: Install Ansible-required packages via pip
|
||||
pip:
|
||||
name: "{{ packages }}"
|
||||
state: latest
|
||||
vars:
|
||||
packages:
|
||||
- ansible
|
||||
- ansible-base
|
||||
- ansible-lint
|
||||
- name: Assure root .ssh directory
|
||||
file:
|
||||
path: ~/.ssh
|
||||
state: directory
|
||||
mode: "0600"
|
||||
- name: Copy Ansible private key
|
||||
copy:
|
||||
src: ansiblekey
|
||||
dest: ~/.ssh/ansible
|
||||
mode: "0600"
|
||||
- name: Clone Ansible repo
|
||||
git:
|
||||
dest: /etc/ansible
|
||||
repo: "{{ ansible_pull_repo }}"
|
||||
become: true
|
30
roles/apache-php/files/my.cnf
Normal file
30
roles/apache-php/files/my.cnf
Normal file
@ -0,0 +1,30 @@
|
||||
# The MariaDB configuration file
|
||||
#
|
||||
# The MariaDB/MySQL tools read configuration files in the following order:
|
||||
# 1. "/etc/mysql/mariadb.cnf" (this file) to set global defaults,
|
||||
# 2. "/etc/mysql/conf.d/*.cnf" to set global options.
|
||||
# 3. "/etc/mysql/mariadb.conf.d/*.cnf" to set MariaDB-only options.
|
||||
# 4. "~/.my.cnf" to set user-specific options.
|
||||
#
|
||||
# If the same option is defined multiple times, the last one will apply.
|
||||
#
|
||||
# One can use all long options that the program supports.
|
||||
# Run program with --help to get a list of available options and with
|
||||
# --print-defaults to see which it would actually understand and use.
|
||||
|
||||
[mysqld]
|
||||
max_allowed_packet=100M
|
||||
skip-networking
|
||||
innodb_file_format = Barracuda
|
||||
innodb_large_prefix = 1
|
||||
innodb_file_per_table = ON
|
||||
|
||||
#
|
||||
# This group is read both both by the client and the server
|
||||
# use it for options that affect everything
|
||||
#
|
||||
[client-server]
|
||||
|
||||
# Import all .cnf files from configuration directory
|
||||
!includedir /etc/mysql/conf.d/
|
||||
!includedir /etc/mysql/mariadb.conf.d/
|
1933
roles/apache-php/files/php-apache2.ini
Normal file
1933
roles/apache-php/files/php-apache2.ini
Normal file
File diff suppressed because it is too large
Load Diff
1933
roles/apache-php/files/php-cgi.ini
Normal file
1933
roles/apache-php/files/php-cgi.ini
Normal file
File diff suppressed because it is too large
Load Diff
8
roles/apache-php/handlers/main.yml
Normal file
8
roles/apache-php/handlers/main.yml
Normal file
@ -0,0 +1,8 @@
|
||||
#!/usr/bin/ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- name: restart apache
|
||||
service:
|
||||
name: apache2
|
||||
state: restarted
|
||||
become: yes
|
2
roles/apache-php/meta/main.yml
Normal file
2
roles/apache-php/meta/main.yml
Normal file
@ -0,0 +1,2 @@
|
||||
---
|
||||
allow_duplicates: no
|
76
roles/apache-php/tasks/main.yml
Normal file
76
roles/apache-php/tasks/main.yml
Normal file
@ -0,0 +1,76 @@
|
||||
#!/usr/bin/ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- name: Install, configure, and start Apache and PHP
|
||||
block:
|
||||
- name: Install Apache and PHP packages
|
||||
apt:
|
||||
name: "{{ packages }}"
|
||||
vars:
|
||||
packages:
|
||||
- apache2
|
||||
- libapache2-mod-php
|
||||
- php
|
||||
- php-gd
|
||||
- php-json
|
||||
- php-mysql
|
||||
- php-curl
|
||||
- php-mbstring
|
||||
- php-intl
|
||||
- php-xml
|
||||
- php-zip
|
||||
- php-cgi
|
||||
- php-cli
|
||||
- python3-passlib # For htpasswd support
|
||||
- name: Find PHP config directory
|
||||
find:
|
||||
paths: /etc/php
|
||||
patterns: '*'
|
||||
file_type: directory
|
||||
register: phpdirs
|
||||
- name: Debug
|
||||
debug:
|
||||
var: phpdirs.files.0.path
|
||||
- name: Copy configuration
|
||||
copy:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ phpdirs.files.0.path }}/{{ item.dest }}"
|
||||
mode: "{{ item.mode }}"
|
||||
loop:
|
||||
- { src: "php-apache2.ini", dest: "apache2/php.ini", mode: "0644" }
|
||||
- { src: "php-cgi.ini", dest: "cgi/php.ini", mode: "0644" }
|
||||
- name: Create includes directory
|
||||
file: path=/etc/apache2/includes state=directory
|
||||
- name: Disable default website
|
||||
file:
|
||||
# This is a symlink so who cares
|
||||
path: "/etc/apache2/sites-enabled/000-default.conf"
|
||||
state: absent
|
||||
- name: Configure modules
|
||||
block:
|
||||
- name: Disable modules
|
||||
command:
|
||||
argv:
|
||||
- "/usr/sbin/a2dismod"
|
||||
- "{{ item }}"
|
||||
removes: "/etc/apache2/mods-enabled/{{ item }}.load"
|
||||
loop:
|
||||
- mpm_event
|
||||
notify: restart apache
|
||||
- name: Enable modules
|
||||
command:
|
||||
argv:
|
||||
- "/usr/sbin/a2enmod"
|
||||
- "{{ item }}"
|
||||
creates: "/etc/apache2/mods-enabled/{{ item }}.load"
|
||||
loop:
|
||||
- headers
|
||||
- mpm_prefork
|
||||
# Fun fact: this works
|
||||
- php*
|
||||
- proxy
|
||||
- proxy_http
|
||||
- rewrite
|
||||
- ssl
|
||||
notify: restart apache
|
||||
become: yes
|
3
roles/apache/.gitignore
vendored
3
roles/apache/.gitignore
vendored
@ -1,3 +0,0 @@
|
||||
*.retry
|
||||
*/__pycache__
|
||||
*.pyc
|
@ -1,33 +0,0 @@
|
||||
---
|
||||
language: python
|
||||
services: docker
|
||||
|
||||
env:
|
||||
global:
|
||||
- ROLE_NAME: apache
|
||||
matrix:
|
||||
- MOLECULE_DISTRO: ubi8
|
||||
- MOLECULE_DISTRO: centos7
|
||||
- MOLECULE_DISTRO: centos6
|
||||
- MOLECULE_DISTRO: ubuntu1804
|
||||
- MOLECULE_DISTRO: ubuntu1604
|
||||
- MOLECULE_DISTRO: ubuntu1404
|
||||
- MOLECULE_DISTRO: debian10
|
||||
- MOLECULE_DISTRO: debian9
|
||||
|
||||
install:
|
||||
# Install test dependencies.
|
||||
- pip install molecule docker
|
||||
|
||||
before_script:
|
||||
# Use actual Ansible Galaxy role name for the project directory.
|
||||
- cd ../
|
||||
- mv ansible-role-$ROLE_NAME geerlingguy.$ROLE_NAME
|
||||
- cd geerlingguy.$ROLE_NAME
|
||||
|
||||
script:
|
||||
# Run tests.
|
||||
- molecule test
|
||||
|
||||
notifications:
|
||||
webhooks: https://galaxy.ansible.com/api/v1/notifications/
|
@ -1,20 +0,0 @@
|
||||
The MIT License (MIT)
|
||||
|
||||
Copyright (c) 2017 Jeff Geerling
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy of
|
||||
this software and associated documentation files (the "Software"), to deal in
|
||||
the Software without restriction, including without limitation the rights to
|
||||
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
||||
the Software, and to permit persons to whom the Software is furnished to do so,
|
||||
subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
||||
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
||||
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
||||
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
||||
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
@ -1,156 +0,0 @@
|
||||
# Ansible Role: Apache 2.x
|
||||
|
||||
[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-apache.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-apache)
|
||||
|
||||
An Ansible Role that installs Apache 2.x on RHEL/CentOS, Debian/Ubuntu, SLES and Solaris.
|
||||
|
||||
## Requirements
|
||||
|
||||
If you are using SSL/TLS, you will need to provide your own certificate and key files. You can generate a self-signed certificate with a command like `openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout example.key -out example.crt`.
|
||||
|
||||
If you are using Apache with PHP, I recommend using the `geerlingguy.php` role to install PHP, and you can either use mod_php (by adding the proper package, e.g. `libapache2-mod-php5` for Ubuntu, to `php_packages`), or by also using `geerlingguy.apache-php-fpm` to connect Apache to PHP via FPM. See that role's README for more info.
|
||||
|
||||
## Role Variables
|
||||
|
||||
Available variables are listed below, along with default values (see `defaults/main.yml`):
|
||||
|
||||
apache_enablerepo: ""
|
||||
|
||||
The repository to use when installing Apache (only used on RHEL/CentOS systems). If you'd like later versions of Apache than are available in the OS's core repositories, use a repository like EPEL (which can be installed with the `geerlingguy.repo-epel` role).
|
||||
|
||||
apache_listen_ip: "*"
|
||||
apache_listen_port: 80
|
||||
apache_listen_port_ssl: 443
|
||||
|
||||
The IP address and ports on which apache should be listening. Useful if you have another service (like a reverse proxy) listening on port 80 or 443 and need to change the defaults.
|
||||
|
||||
apache_create_vhosts: true
|
||||
apache_vhosts_filename: "vhosts.conf"
|
||||
apache_vhosts_template: "vhosts.conf.j2"
|
||||
|
||||
If set to true, a vhosts file, managed by this role's variables (see below), will be created and placed in the Apache configuration folder. If set to false, you can place your own vhosts file into Apache's configuration folder and skip the convenient (but more basic) one added by this role. You can also override the template used and set a path to your own template, if you need to further customize the layout of your VirtualHosts.
|
||||
|
||||
apache_remove_default_vhost: false
|
||||
|
||||
On Debian/Ubuntu, a default virtualhost is included in Apache's configuration. Set this to `true` to remove that default virtualhost configuration file.
|
||||
|
||||
apache_global_vhost_settings: |
|
||||
DirectoryIndex index.php index.html
|
||||
# Add other global settings on subsequent lines.
|
||||
|
||||
You can add or override global Apache configuration settings in the role-provided vhosts file (assuming `apache_create_vhosts` is true) using this variable. By default it only sets the DirectoryIndex configuration.
|
||||
|
||||
apache_vhosts:
|
||||
# Additional optional properties: 'serveradmin, serveralias, extra_parameters'.
|
||||
- servername: "local.dev"
|
||||
documentroot: "/var/www/html"
|
||||
|
||||
Add a set of properties per virtualhost, including `servername` (required), `documentroot` (required), `allow_override` (optional: defaults to the value of `apache_allow_override`), `options` (optional: defaults to the value of `apache_options`), `serveradmin` (optional), `serveralias` (optional) and `extra_parameters` (optional: you can add whatever additional configuration lines you'd like in here).
|
||||
|
||||
Here's an example using `extra_parameters` to add a RewriteRule to redirect all requests to the `www.` site:
|
||||
|
||||
- servername: "www.local.dev"
|
||||
serveralias: "local.dev"
|
||||
documentroot: "/var/www/html"
|
||||
extra_parameters: |
|
||||
RewriteCond %{HTTP_HOST} !^www\. [NC]
|
||||
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
|
||||
|
||||
The `|` denotes a multiline scalar block in YAML, so newlines are preserved in the resulting configuration file output.
|
||||
|
||||
apache_vhosts_ssl: []
|
||||
|
||||
No SSL vhosts are configured by default, but you can add them using the same pattern as `apache_vhosts`, with a few additional directives, like the following example:
|
||||
|
||||
apache_vhosts_ssl:
|
||||
- servername: "local.dev"
|
||||
documentroot: "/var/www/html"
|
||||
certificate_file: "/home/vagrant/example.crt"
|
||||
certificate_key_file: "/home/vagrant/example.key"
|
||||
certificate_chain_file: "/path/to/certificate_chain.crt"
|
||||
extra_parameters: |
|
||||
RewriteCond %{HTTP_HOST} !^www\. [NC]
|
||||
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
|
||||
|
||||
Other SSL directives can be managed with other SSL-related role variables.
|
||||
|
||||
apache_ssl_protocol: "All -SSLv2 -SSLv3"
|
||||
apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
|
||||
|
||||
The SSL protocols and cipher suites that are used/allowed when clients make secure connections to your server. These are secure/sane defaults, but for maximum security, performand, and/or compatibility, you may need to adjust these settings.
|
||||
|
||||
apache_allow_override: "All"
|
||||
apache_options: "-Indexes +FollowSymLinks"
|
||||
|
||||
The default values for the `AllowOverride` and `Options` directives for the `documentroot` directory of each vhost. A vhost can overwrite these values by specifying `allow_override` or `options`.
|
||||
|
||||
apache_mods_enabled:
|
||||
- rewrite.load
|
||||
- ssl.load
|
||||
apache_mods_disabled: []
|
||||
|
||||
(Debian/Ubuntu ONLY) Which Apache mods to enable or disable (these will be symlinked into the appropriate location). See the `mods-available` directory inside the apache configuration directory (`/etc/apache2/mods-available` by default) for all the available mods.
|
||||
|
||||
apache_packages:
|
||||
- [platform-specific]
|
||||
|
||||
The list of packages to be installed. This defaults to a set of platform-specific packages for RedHat or Debian-based systems (see `vars/RedHat.yml` and `vars/Debian.yml` for the default values).
|
||||
|
||||
apache_state: started
|
||||
|
||||
Set initial Apache daemon state to be enforced when this role is run. This should generally remain `started`, but you can set it to `stopped` if you need to fix the Apache config during a playbook run or otherwise would not like Apache started at the time this role is run.
|
||||
|
||||
apache_packages_state: present
|
||||
|
||||
If you have enabled any additional repositories such as _ondrej/apache2_, [geerlingguy.repo-epel](https://github.com/geerlingguy/ansible-role-repo-epel), or [geerlingguy.repo-remi](https://github.com/geerlingguy/ansible-role-repo-remi), you may want an easy way to upgrade versions. You can set this to `latest` (combined with `apache_enablerepo` on RHEL) and can directly upgrade to a different Apache version from a different repo (instead of uninstalling and reinstalling Apache).
|
||||
|
||||
apache_ignore_missing_ssl_certificate: true
|
||||
|
||||
If you would like to only create SSL vhosts when the vhost certificate is present (e.g. when using Let’s Encrypt), set `apache_ignore_missing_ssl_certificate` to `false`. When doing this, you might need to run your playbook more than once so all the vhosts are configured (if another part of the playbook generates the SSL certificates).
|
||||
|
||||
## .htaccess-based Basic Authorization
|
||||
|
||||
If you require Basic Auth support, you can add it either through a custom template, or by adding `extra_parameters` to a VirtualHost configuration, like so:
|
||||
|
||||
extra_parameters: |
|
||||
<Directory "/var/www/password-protected-directory">
|
||||
Require valid-user
|
||||
AuthType Basic
|
||||
AuthName "Please authenticate"
|
||||
AuthUserFile /var/www/password-protected-directory/.htpasswd
|
||||
</Directory>
|
||||
|
||||
To password protect everything within a VirtualHost directive, use the `Location` block instead of `Directory`:
|
||||
|
||||
<Location "/">
|
||||
Require valid-user
|
||||
....
|
||||
</Location>
|
||||
|
||||
You would need to generate/upload your own `.htpasswd` file in your own playbook. There may be other roles that support this functionality in a more integrated way.
|
||||
|
||||
## Dependencies
|
||||
|
||||
None.
|
||||
|
||||
## Example Playbook
|
||||
|
||||
- hosts: webservers
|
||||
vars_files:
|
||||
- vars/main.yml
|
||||
roles:
|
||||
- { role: geerlingguy.apache }
|
||||
|
||||
*Inside `vars/main.yml`*:
|
||||
|
||||
apache_listen_port: 8080
|
||||
apache_vhosts:
|
||||
- {servername: "example.com", documentroot: "/var/www/vhosts/example_com"}
|
||||
|
||||
## License
|
||||
|
||||
MIT / BSD
|
||||
|
||||
## Author Information
|
||||
|
||||
This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).
|
@ -1,58 +0,0 @@
|
||||
---
|
||||
apache_enablerepo: ""
|
||||
|
||||
apache_listen_ip: "*"
|
||||
apache_listen_port: 80
|
||||
apache_listen_port_ssl: 443
|
||||
|
||||
apache_create_vhosts: true
|
||||
apache_vhosts_filename: "vhosts.conf"
|
||||
apache_vhosts_template: "vhosts.conf.j2"
|
||||
|
||||
# On Debian/Ubuntu, a default virtualhost is included in Apache's configuration.
|
||||
# Set this to `true` to remove that default.
|
||||
apache_remove_default_vhost: false
|
||||
|
||||
apache_global_vhost_settings: |
|
||||
DirectoryIndex index.php index.html
|
||||
|
||||
apache_vhosts:
|
||||
# Additional properties:
|
||||
# 'serveradmin, serveralias, allow_override, options, extra_parameters'.
|
||||
- servername: "local.dev"
|
||||
documentroot: "/var/www/html"
|
||||
|
||||
apache_allow_override: "All"
|
||||
apache_options: "-Indexes +FollowSymLinks"
|
||||
|
||||
apache_vhosts_ssl: []
|
||||
# Additional properties:
|
||||
# 'serveradmin, serveralias, allow_override, options, extra_parameters'.
|
||||
# - servername: "local.dev",
|
||||
# documentroot: "/var/www/html",
|
||||
# certificate_file: "/path/to/certificate.crt",
|
||||
# certificate_key_file: "/path/to/certificate.key",
|
||||
# # Optional.
|
||||
# certificate_chain_file: "/path/to/certificate_chain.crt"
|
||||
|
||||
apache_ignore_missing_ssl_certificate: true
|
||||
|
||||
apache_ssl_protocol: "All -SSLv2 -SSLv3"
|
||||
apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
|
||||
|
||||
# Only used on Debian/Ubuntu.
|
||||
apache_mods_enabled:
|
||||
- rewrite.load
|
||||
- ssl.load
|
||||
apache_mods_disabled: []
|
||||
|
||||
# Set initial apache state. Recommended values: `started` or `stopped`
|
||||
apache_state: started
|
||||
|
||||
# Set apache state when configuration changes are made. Recommended values:
|
||||
# `restarted` or `reloaded`
|
||||
apache_restart_state: restarted
|
||||
|
||||
# Apache package state; use `present` to make sure it's installed, or `latest`
|
||||
# if you want to upgrade or switch versions using a new repo.
|
||||
apache_packages_state: present
|
@ -1,5 +0,0 @@
|
||||
---
|
||||
- name: restart apache
|
||||
service:
|
||||
name: "{{ apache_service }}"
|
||||
state: "{{ apache_restart_state }}"
|
@ -1,2 +0,0 @@
|
||||
install_date: Thu Oct 29 02:41:52 2020
|
||||
version: 3.1.0
|
@ -1,38 +0,0 @@
|
||||
---
|
||||
dependencies: []
|
||||
|
||||
galaxy_info:
|
||||
author: geerlingguy
|
||||
description: Apache 2.x for Linux.
|
||||
company: "Midwestern Mac, LLC"
|
||||
license: "license (BSD, MIT)"
|
||||
min_ansible_version: 2.4
|
||||
platforms:
|
||||
- name: EL
|
||||
versions:
|
||||
- all
|
||||
- name: Fedora
|
||||
versions:
|
||||
- all
|
||||
- name: Amazon
|
||||
versions:
|
||||
- all
|
||||
- name: Debian
|
||||
versions:
|
||||
- all
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- trusty
|
||||
- xenial
|
||||
- bionic
|
||||
- name: Solaris
|
||||
versions:
|
||||
- 11.3
|
||||
galaxy_tags:
|
||||
- web
|
||||
- apache
|
||||
- webserver
|
||||
- html
|
||||
- httpd
|
||||
|
||||
allow_duplicates: true
|
@ -1,29 +0,0 @@
|
||||
---
|
||||
dependency:
|
||||
name: galaxy
|
||||
driver:
|
||||
name: docker
|
||||
lint:
|
||||
name: yamllint
|
||||
options:
|
||||
config-file: molecule/default/yaml-lint.yml
|
||||
platforms:
|
||||
- name: instance
|
||||
image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
|
||||
command: ${MOLECULE_DOCKER_COMMAND:-""}
|
||||
volumes:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup:ro
|
||||
privileged: true
|
||||
pre_build_image: true
|
||||
provisioner:
|
||||
name: ansible
|
||||
lint:
|
||||
name: ansible-lint
|
||||
playbooks:
|
||||
converge: ${MOLECULE_PLAYBOOK:-playbook.yml}
|
||||
scenario:
|
||||
name: default
|
||||
verifier:
|
||||
name: testinfra
|
||||
lint:
|
||||
name: flake8
|
@ -1,21 +0,0 @@
|
||||
---
|
||||
- name: Converge
|
||||
hosts: all
|
||||
become: true
|
||||
|
||||
vars:
|
||||
apache_listen_port_ssl: 443
|
||||
apache_create_vhosts: true
|
||||
apache_vhosts_filename: "vhosts.conf"
|
||||
apache_vhosts:
|
||||
- servername: "example.com"
|
||||
documentroot: "/var/www/vhosts/example_com"
|
||||
|
||||
pre_tasks:
|
||||
- name: Update apt cache.
|
||||
apt: update_cache=yes cache_valid_time=600
|
||||
when: ansible_os_family == 'Debian'
|
||||
changed_when: false
|
||||
|
||||
roles:
|
||||
- role: geerlingguy.apache
|
@ -1,6 +0,0 @@
|
||||
---
|
||||
extends: default
|
||||
rules:
|
||||
line-length:
|
||||
max: 120
|
||||
level: warning
|
@ -1,54 +0,0 @@
|
||||
---
|
||||
- name: Configure Apache.
|
||||
lineinfile:
|
||||
dest: "{{ apache_server_root }}/ports.conf"
|
||||
regexp: "{{ item.regexp }}"
|
||||
line: "{{ item.line }}"
|
||||
state: present
|
||||
with_items: "{{ apache_ports_configuration_items }}"
|
||||
notify: restart apache
|
||||
|
||||
- name: Enable Apache mods.
|
||||
file:
|
||||
src: "{{ apache_server_root }}/mods-available/{{ item }}"
|
||||
dest: "{{ apache_server_root }}/mods-enabled/{{ item }}"
|
||||
state: link
|
||||
with_items: "{{ apache_mods_enabled }}"
|
||||
notify: restart apache
|
||||
|
||||
- name: Disable Apache mods.
|
||||
file:
|
||||
path: "{{ apache_server_root }}/mods-enabled/{{ item }}"
|
||||
state: absent
|
||||
with_items: "{{ apache_mods_disabled }}"
|
||||
notify: restart apache
|
||||
|
||||
- name: Check whether certificates defined in vhosts exist.
|
||||
stat: "path={{ item.certificate_file }}"
|
||||
register: apache_ssl_certificates
|
||||
with_items: "{{ apache_vhosts_ssl }}"
|
||||
|
||||
- name: Add apache vhosts configuration.
|
||||
template:
|
||||
src: "{{ apache_vhosts_template }}"
|
||||
dest: "{{ apache_conf_path }}/sites-available/{{ apache_vhosts_filename }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify: restart apache
|
||||
when: apache_create_vhosts | bool
|
||||
|
||||
- name: Add vhost symlink in sites-enabled.
|
||||
file:
|
||||
src: "{{ apache_conf_path }}/sites-available/{{ apache_vhosts_filename }}"
|
||||
dest: "{{ apache_conf_path }}/sites-enabled/{{ apache_vhosts_filename }}"
|
||||
state: link
|
||||
notify: restart apache
|
||||
when: apache_create_vhosts | bool
|
||||
|
||||
- name: Remove default vhost in sites-enabled.
|
||||
file:
|
||||
path: "{{ apache_conf_path }}/sites-enabled/{{ apache_default_vhost_filename }}"
|
||||
state: absent
|
||||
notify: restart apache
|
||||
when: apache_remove_default_vhost
|
@ -1,36 +0,0 @@
|
||||
---
|
||||
- name: Configure Apache.
|
||||
lineinfile:
|
||||
dest: "{{ apache_server_root }}/conf/{{ apache_daemon }}.conf"
|
||||
regexp: "{{ item.regexp }}"
|
||||
line: "{{ item.line }}"
|
||||
state: present
|
||||
with_items: "{{ apache_ports_configuration_items }}"
|
||||
notify: restart apache
|
||||
|
||||
- name: Check whether certificates defined in vhosts exist.
|
||||
stat: path={{ item.certificate_file }}
|
||||
register: apache_ssl_certificates
|
||||
with_items: "{{ apache_vhosts_ssl }}"
|
||||
|
||||
- name: Add apache vhosts configuration.
|
||||
template:
|
||||
src: "{{ apache_vhosts_template }}"
|
||||
dest: "{{ apache_conf_path }}/{{ apache_vhosts_filename }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify: restart apache
|
||||
when: apache_create_vhosts | bool
|
||||
|
||||
- name: Check if localhost cert exists (RHEL 8 and later).
|
||||
stat:
|
||||
path: /etc/pki/tls/certs/localhost.crt
|
||||
register: localhost_cert
|
||||
when: ansible_distribution_major_version | int >= 8
|
||||
|
||||
- name: Ensure httpd certs are installed (RHEL 8 and later).
|
||||
command: /usr/libexec/httpd-ssl-gencerts
|
||||
when:
|
||||
- ansible_distribution_major_version | int >= 8
|
||||
- not localhost_cert.stat.exists
|
@ -1,19 +0,0 @@
|
||||
---
|
||||
- name: Configure Apache.
|
||||
lineinfile:
|
||||
dest: "{{ apache_server_root }}/{{ apache_daemon }}.conf"
|
||||
regexp: "{{ item.regexp }}"
|
||||
line: "{{ item.line }}"
|
||||
state: present
|
||||
with_items: "{{ apache_ports_configuration_items }}"
|
||||
notify: restart apache
|
||||
|
||||
- name: Add apache vhosts configuration.
|
||||
template:
|
||||
src: "{{ apache_vhosts_template }}"
|
||||
dest: "{{ apache_conf_path }}/{{ apache_vhosts_filename }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify: restart apache
|
||||
when: apache_create_vhosts | bool
|
@ -1,24 +0,0 @@
|
||||
---
|
||||
- name: Configure Apache.
|
||||
lineinfile:
|
||||
dest: "{{ apache_server_root }}/listen.conf"
|
||||
regexp: "{{ item.regexp }}"
|
||||
line: "{{ item.line }}"
|
||||
state: present
|
||||
with_items: "{{ apache_ports_configuration_items }}"
|
||||
notify: restart apache
|
||||
|
||||
- name: Check whether certificates defined in vhosts exist.
|
||||
stat: path={{ item.certificate_file }}
|
||||
register: apache_ssl_certificates
|
||||
with_items: "{{ apache_vhosts_ssl }}"
|
||||
|
||||
- name: Add apache vhosts configuration.
|
||||
template:
|
||||
src: "{{ apache_vhosts_template }}"
|
||||
dest: "{{ apache_conf_path }}/{{ apache_vhosts_filename }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify: restart apache
|
||||
when: apache_create_vhosts | bool
|
@ -1,47 +0,0 @@
|
||||
---
|
||||
# Include variables and define needed variables.
|
||||
- name: Include OS-specific variables.
|
||||
include_vars: "{{ ansible_os_family }}.yml"
|
||||
|
||||
- name: Include variables for Amazon Linux.
|
||||
include_vars: "AmazonLinux.yml"
|
||||
when:
|
||||
- ansible_distribution == "Amazon"
|
||||
- ansible_distribution_major_version == "NA"
|
||||
|
||||
- name: Define apache_packages.
|
||||
set_fact:
|
||||
apache_packages: "{{ __apache_packages | list }}"
|
||||
when: apache_packages is not defined
|
||||
|
||||
# Setup/install tasks.
|
||||
- include_tasks: "setup-{{ ansible_os_family }}.yml"
|
||||
|
||||
# Figure out what version of Apache is installed.
|
||||
- name: Get installed version of Apache.
|
||||
command: "{{ apache_daemon_path }}{{ apache_daemon }} -v"
|
||||
changed_when: false
|
||||
check_mode: false
|
||||
register: _apache_version
|
||||
|
||||
- name: Create apache_version variable.
|
||||
set_fact:
|
||||
apache_version: "{{ _apache_version.stdout.split()[2].split('/')[1] }}"
|
||||
|
||||
- name: Include Apache 2.2 variables.
|
||||
include_vars: apache-22.yml
|
||||
when: "apache_version.split('.')[1] == '2'"
|
||||
|
||||
- name: Include Apache 2.4 variables.
|
||||
include_vars: apache-24.yml
|
||||
when: "apache_version.split('.')[1] == '4'"
|
||||
|
||||
# Configure Apache.
|
||||
- name: Configure Apache.
|
||||
include_tasks: "configure-{{ ansible_os_family }}.yml"
|
||||
|
||||
- name: Ensure Apache has selected state and enabled on boot.
|
||||
service:
|
||||
name: "{{ apache_service }}"
|
||||
state: "{{ apache_state }}"
|
||||
enabled: true
|
@ -1,6 +0,0 @@
|
||||
---
|
||||
- name: Update apt cache.
|
||||
apt: update_cache=yes cache_valid_time=3600
|
||||
|
||||
- name: Ensure Apache is installed on Debian.
|
||||
apt: "name={{ apache_packages }} state={{ apache_packages_state }}"
|
@ -1,6 +0,0 @@
|
||||
---
|
||||
- name: Ensure Apache is installed on RHEL.
|
||||
package:
|
||||
name: "{{ apache_packages }}"
|
||||
state: "{{ apache_packages_state }}"
|
||||
enablerepo: "{{ apache_enablerepo | default(omit, true) }}"
|
@ -1,5 +0,0 @@
|
||||
---
|
||||
- name: Ensure Apache is installed on Solaris.
|
||||
pkg5:
|
||||
name: "{{ apache_packages }}"
|
||||
state: "{{ apache_packages_state }}"
|
@ -1,5 +0,0 @@
|
||||
---
|
||||
- name: Ensure Apache is installed on Suse.
|
||||
zypper:
|
||||
name: "{{ apache_packages }}"
|
||||
state: "{{ apache_packages_state }}"
|
@ -1,82 +0,0 @@
|
||||
{{ apache_global_vhost_settings }}
|
||||
|
||||
{# Set up VirtualHosts #}
|
||||
{% for vhost in apache_vhosts %}
|
||||
<VirtualHost {{ apache_listen_ip }}:{{ apache_listen_port }}>
|
||||
ServerName {{ vhost.servername }}
|
||||
{% if vhost.serveralias is defined %}
|
||||
ServerAlias {{ vhost.serveralias }}
|
||||
{% endif %}
|
||||
{% if vhost.documentroot is defined %}
|
||||
DocumentRoot "{{ vhost.documentroot }}"
|
||||
{% endif %}
|
||||
|
||||
{% if vhost.serveradmin is defined %}
|
||||
ServerAdmin {{ vhost.serveradmin }}
|
||||
{% endif %}
|
||||
{% if vhost.documentroot is defined %}
|
||||
<Directory "{{ vhost.documentroot }}">
|
||||
AllowOverride {{ vhost.allow_override | default(apache_allow_override) }}
|
||||
Options {{ vhost.options | default(apache_options) }}
|
||||
{% if apache_vhosts_version == "2.2" %}
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
{% else %}
|
||||
Require all granted
|
||||
{% endif %}
|
||||
</Directory>
|
||||
{% endif %}
|
||||
{% if vhost.extra_parameters is defined %}
|
||||
{{ vhost.extra_parameters }}
|
||||
{% endif %}
|
||||
</VirtualHost>
|
||||
|
||||
{% endfor %}
|
||||
|
||||
{# Set up SSL VirtualHosts #}
|
||||
{% for vhost in apache_vhosts_ssl %}
|
||||
{% if apache_ignore_missing_ssl_certificate or apache_ssl_certificates.results[loop.index0].stat.exists %}
|
||||
<VirtualHost {{ apache_listen_ip }}:{{ apache_listen_port_ssl }}>
|
||||
ServerName {{ vhost.servername }}
|
||||
{% if vhost.serveralias is defined %}
|
||||
ServerAlias {{ vhost.serveralias }}
|
||||
{% endif %}
|
||||
{% if vhost.documentroot is defined %}
|
||||
DocumentRoot "{{ vhost.documentroot }}"
|
||||
{% endif %}
|
||||
|
||||
SSLEngine on
|
||||
SSLCipherSuite {{ apache_ssl_cipher_suite }}
|
||||
SSLProtocol {{ apache_ssl_protocol }}
|
||||
SSLHonorCipherOrder On
|
||||
{% if apache_vhosts_version == "2.4" %}
|
||||
SSLCompression off
|
||||
{% endif %}
|
||||
SSLCertificateFile {{ vhost.certificate_file }}
|
||||
SSLCertificateKeyFile {{ vhost.certificate_key_file }}
|
||||
{% if vhost.certificate_chain_file is defined %}
|
||||
SSLCertificateChainFile {{ vhost.certificate_chain_file }}
|
||||
{% endif %}
|
||||
|
||||
{% if vhost.serveradmin is defined %}
|
||||
ServerAdmin {{ vhost.serveradmin }}
|
||||
{% endif %}
|
||||
{% if vhost.documentroot is defined %}
|
||||
<Directory "{{ vhost.documentroot }}">
|
||||
AllowOverride {{ vhost.allow_override | default(apache_allow_override) }}
|
||||
Options {{ vhost.options | default(apache_options) }}
|
||||
{% if apache_vhosts_version == "2.2" %}
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
{% else %}
|
||||
Require all granted
|
||||
{% endif %}
|
||||
</Directory>
|
||||
{% endif %}
|
||||
{% if vhost.extra_parameters is defined %}
|
||||
{{ vhost.extra_parameters }}
|
||||
{% endif %}
|
||||
</VirtualHost>
|
||||
|
||||
{% endif %}
|
||||
{% endfor %}
|
@ -1,18 +0,0 @@
|
||||
---
|
||||
apache_service: httpd
|
||||
apache_daemon: httpd
|
||||
apache_daemon_path: /usr/sbin/
|
||||
apache_server_root: /etc/httpd
|
||||
apache_conf_path: /etc/httpd/conf.d
|
||||
|
||||
apache_vhosts_version: "2.4"
|
||||
|
||||
__apache_packages:
|
||||
- httpd24
|
||||
- httpd24-devel
|
||||
- mod24_ssl
|
||||
- openssh
|
||||
|
||||
apache_ports_configuration_items:
|
||||
- regexp: "^Listen "
|
||||
line: "Listen {{ apache_listen_port }}"
|
@ -1,14 +0,0 @@
|
||||
---
|
||||
apache_service: apache2
|
||||
apache_daemon: apache2
|
||||
apache_daemon_path: /usr/sbin/
|
||||
apache_server_root: /etc/apache2
|
||||
apache_conf_path: /etc/apache2
|
||||
|
||||
__apache_packages:
|
||||
- apache2
|
||||
- apache2-utils
|
||||
|
||||
apache_ports_configuration_items:
|
||||
- regexp: "^Listen "
|
||||
line: "Listen {{ apache_listen_port }}"
|
@ -1,20 +0,0 @@
|
||||
---
|
||||
apache_service: httpd
|
||||
apache_daemon: httpd
|
||||
apache_daemon_path: /usr/sbin/
|
||||
apache_server_root: /etc/httpd
|
||||
apache_conf_path: /etc/httpd/conf.d
|
||||
|
||||
apache_vhosts_version: "2.2"
|
||||
|
||||
__apache_packages:
|
||||
- httpd
|
||||
- httpd-devel
|
||||
- mod_ssl
|
||||
- openssh
|
||||
|
||||
apache_ports_configuration_items:
|
||||
- regexp: "^Listen "
|
||||
line: "Listen {{ apache_listen_port }}"
|
||||
- regexp: "^#?NameVirtualHost "
|
||||
line: "NameVirtualHost {{ apache_listen_ip }}:{{ apache_listen_port }}"
|
@ -1,19 +0,0 @@
|
||||
---
|
||||
apache_service: apache24
|
||||
apache_daemon: httpd
|
||||
apache_daemon_path: /usr/apache2/2.4/bin/
|
||||
apache_server_root: /etc/apache2/2.4/
|
||||
apache_conf_path: /etc/apache2/2.4/conf.d
|
||||
|
||||
apache_vhosts_version: "2.2"
|
||||
|
||||
__apache_packages:
|
||||
- web/server/apache-24
|
||||
- web/server/apache-24/module/apache-ssl
|
||||
- web/server/apache-24/module/apache-security
|
||||
|
||||
apache_ports_configuration_items:
|
||||
- regexp: "^Listen "
|
||||
line: "Listen {{ apache_listen_port }}"
|
||||
- regexp: "^#?NameVirtualHost "
|
||||
line: "NameVirtualHost {{ apache_listen_ip }}:{{ apache_listen_port }}"
|
@ -1,18 +0,0 @@
|
||||
---
|
||||
apache_service: apache2
|
||||
apache_daemon: httpd2
|
||||
apache_daemon_path: /usr/sbin/
|
||||
apache_server_root: /etc/apache2
|
||||
apache_conf_path: /etc/apache2/conf.d
|
||||
|
||||
apache_vhosts_version: "2.2"
|
||||
|
||||
__apache_packages:
|
||||
- apache2
|
||||
- openssh
|
||||
|
||||
apache_ports_configuration_items:
|
||||
- regexp: "^Listen "
|
||||
line: "Listen {{ apache_listen_port }}"
|
||||
- regexp: "^#?NameVirtualHost "
|
||||
line: "NameVirtualHost {{ apache_listen_ip }}:{{ apache_listen_port }}"
|
@ -1,12 +0,0 @@
|
||||
---
|
||||
apache_vhosts_version: "2.2"
|
||||
apache_default_vhost_filename: 000-default
|
||||
apache_ports_configuration_items:
|
||||
- {
|
||||
regexp: "^Listen ",
|
||||
line: "Listen {{ apache_listen_port }}"
|
||||
}
|
||||
- {
|
||||
regexp: "^#?NameVirtualHost ",
|
||||
line: "NameVirtualHost {{ apache_listen_ip }}:{{ apache_listen_port }}"
|
||||
}
|
@ -1,8 +0,0 @@
|
||||
---
|
||||
apache_vhosts_version: "2.4"
|
||||
apache_default_vhost_filename: 000-default.conf
|
||||
apache_ports_configuration_items:
|
||||
- {
|
||||
regexp: "^Listen ",
|
||||
line: "Listen {{ apache_listen_port }}"
|
||||
}
|
11
roles/awscreds/files/awscredentials
Normal file
11
roles/awscreds/files/awscredentials
Normal file
@ -0,0 +1,11 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
38616333383866663466353035306234356565643564383866633038636531616239393365636436
|
||||
6538393064666337616565616636363331333062643235340a613061356630656333626664343038
|
||||
39326661306439343666623339323430333662363864366364363664323833393039303938323035
|
||||
3061396662656435660a366361363138386332633234633832613630643364316130643665343737
|
||||
37303434633839323363376562303966363466323638616265303865343936396465616434666163
|
||||
61666663373333643034363663323465326130393331636463666534343837646466653265343162
|
||||
39343066323764646361323833303334643730633938633436343330626230303462666166356530
|
||||
63623861383436636137623733633839333564363334323034313537616633666436333133396639
|
||||
63666237366535386436343839653939373533656164333865613631386131343565363734333935
|
||||
3861623666613138353061646564393465356532316631616231
|
2
roles/awscreds/meta/main.yml
Normal file
2
roles/awscreds/meta/main.yml
Normal file
@ -0,0 +1,2 @@
|
||||
---
|
||||
allow_duplicates: no
|
15
roles/awscreds/tasks/main.yml
Normal file
15
roles/awscreds/tasks/main.yml
Normal file
@ -0,0 +1,15 @@
|
||||
#!/usr/bin/ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- name: Set up AWS credentials for root
|
||||
block:
|
||||
- name: Create .aws directory
|
||||
file:
|
||||
path: ~/.aws
|
||||
state: directory
|
||||
- name: Copy AWS credentials
|
||||
copy:
|
||||
src: awscredentials
|
||||
dest: ~/.aws/credentials
|
||||
mode: "0600"
|
||||
become: true
|
@ -1,28 +0,0 @@
|
||||
# Which backup script to use. Configuration is somewhat unique to each script
|
||||
backup_script: s3backup
|
||||
# When to kick off backups using the systemd timer
|
||||
backup_time: "*-*-* 02:00:00"
|
||||
# What format should the datestamps in the filenames of any backups be in?
|
||||
# Defaults to YYYY-MM-DD-hhmm
|
||||
# So January 5th, 2021 at 3:41PM would be 2021-01-05-1541
|
||||
backup_dateformat: "%Y-%m-%d-%H%M"
|
||||
|
||||
# S3 configuration for scripts that use it
|
||||
# Which bucket to upload the backup to
|
||||
backup_s3_bucket: replaceme
|
||||
# Credentials for the bucket
|
||||
backup_s3_aws_access_key_id: REPLACEME
|
||||
backup_s3_aws_secret_access_key: REPLACEME
|
||||
|
||||
# List of files/directories to back up
|
||||
# Note that tar is NOT instructed to recurse through symlinks
|
||||
# If you want it to do that, end the path with a slash!
|
||||
backup_s3backup_list: []
|
||||
backup_s3backup_list_extra: []
|
||||
# List of files/directories to --exclude
|
||||
backup_s3backup_exclude_list: []
|
||||
backup_s3backup_exclude_list_extra: []
|
||||
# Arguments to pass to tar
|
||||
# Note that passing f here is probably a bad idea
|
||||
backup_s3backup_tar_args: cz
|
||||
backup_s3backup_tar_args_extra: ""
|
@ -1,6 +0,0 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- name: restart backup timer
|
||||
systemd: name=backup.timer state=restarted daemon_reload=yes
|
||||
become: yes
|
@ -1,12 +0,0 @@
|
||||
#!/usr/bin/env ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- name: template out backup script
|
||||
template: src={{ backup_script }}.sh dest=/opt/backup.sh mode=0700 owner=root group=root
|
||||
- name: configure systemd service
|
||||
template: src=backup.service dest=/etc/systemd/system/backup.service
|
||||
- name: configure systemd timer
|
||||
template: src=backup.timer dest=/etc/systemd/system/backup.timer
|
||||
notify: restart backup timer
|
||||
- name: enable timer
|
||||
systemd: name=backup.timer state=started enabled=yes daemon_reload=yes
|
@ -1,13 +0,0 @@
|
||||
# vim:ft=systemd
|
||||
[Unit]
|
||||
Description=Nightly backup service
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
MemoryMax=256M
|
||||
ExecStart=/opt/backup.sh
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -1,10 +0,0 @@
|
||||
# vim:ft=systemd
|
||||
[Unit]
|
||||
Description=Nightly backup timer
|
||||
|
||||
[Timer]
|
||||
Persistent=true
|
||||
OnCalendar={{ backup_time }}
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
@ -1,60 +0,0 @@
|
||||
#! /bin/bash
|
||||
#
|
||||
# s3backup.sh
|
||||
# General-purpose, Ansible-managed backup script to push directories to
|
||||
# an S3 bucket
|
||||
#
|
||||
# NOTICE: THIS FILE CONTAINS SECRETS
|
||||
# This file may contain the following secrets depending on configuration:
|
||||
# * An AWS access key
|
||||
# * An AWS session token
|
||||
# These are NOT things you want arbitrary readers to access! Ansible will
|
||||
# attempt to ensure this file has 0700 permissions, but that won't stop you
|
||||
# from changing that yourself
|
||||
# DO NOT ALLOW THIS FILE TO BE READ BY NON-ROOT USERS
|
||||
|
||||
# NOTICE: DO NOT MODIFY THIS FILE
|
||||
# Any changes made will be clobbered by Ansible
|
||||
# Please make any configuration changes in the main repo
|
||||
|
||||
set -e
|
||||
|
||||
# Directories to backup
|
||||
# Ansible will determine the entries here
|
||||
|
||||
# We use a bash array because it affords us some level of sanitization, enough
|
||||
# to let us back up items whose paths contain spaces
|
||||
declare -a DIRS
|
||||
{% for item in backup_s3backup_list + backup_s3backup_list_extra %}
|
||||
DIRS+=("{{ item }}")
|
||||
{% endfor %}
|
||||
# End directories
|
||||
|
||||
# AWS S3 configuration
|
||||
# NOTE: THIS IS SECRET INFORMATION
|
||||
export AWS_ACCESS_KEY_ID="{{ backup_s3_aws_access_key_id }}"
|
||||
export AWS_SECRET_ACCESS_KEY="{{ backup_s3_aws_secret_access_key }}"
|
||||
|
||||
# Tar up all items in the backup list, recursively, and pipe them straight
|
||||
# up to S3
|
||||
if [ -z "${DIRS[*]}" ]; then
|
||||
echo "No directories configured to back up!"
|
||||
exit 0
|
||||
fi
|
||||
echo "Commencing backup on the following items:"
|
||||
for dir in "${DIRS[@]}"; do
|
||||
echo "- $dir"
|
||||
done
|
||||
echo "Will ignore the following items:"
|
||||
{% for item in backup_s3backup_exclude_list + backup_s3backup_exclude_list_extra %}
|
||||
echo "- {{ item }}"
|
||||
{% endfor %}
|
||||
echo "Will upload resultant backup to {{ backup_s3_bucket }}"
|
||||
nice -n 10 tar {{ backup_s3backup_tar_args }}{{ backup_s3backup_tar_args_extra }} \
|
||||
{% for item in backup_s3backup_exclude_list + backup_s3backup_exclude_list_extra %}
|
||||
--exclude "{{ item }}" \
|
||||
{% endfor %}
|
||||
"${DIRS[@]}" \
|
||||
| aws s3 cp - \
|
||||
"s3://{{ backup_s3_bucket }}/{{ inventory_hostname }}/$(date "+{{ backup_dateformat }}").tar.gz"
|
||||
|
@ -1,47 +0,0 @@
|
||||
#! /bin/bash
|
||||
#
|
||||
# s3pgdump.sh
|
||||
# General-purpose, Ansible-managed backup script to dump PostgreSQL DBs to
|
||||
# an S3 bucket
|
||||
#
|
||||
|
||||
# NOTICE: THIS FILE CONTAINS SECRETS
|
||||
# This file may contain the following secrets depending on configuration:
|
||||
# * An AWS access key
|
||||
# * An AWS session token
|
||||
# These are NOT things you want arbitrary readers to access! Ansible will
|
||||
# attempt to ensure this file has 0700 permissions, but that won't stop you
|
||||
# from changing that yourself
|
||||
# DO NOT ALLOW THIS FILE TO BE READ BY NON-ROOT USERS
|
||||
|
||||
# NOTICE: DO NOT MODIFY THIS FILE
|
||||
# Any changes made will be clobbered by Ansible
|
||||
# Please make any configuration changes in the main repo
|
||||
|
||||
set -e
|
||||
|
||||
# AWS S3 configuration
|
||||
# NOTE: THIS IS SECRET INFORMATION
|
||||
export AWS_ACCESS_KEY_ID="{{ backup_s3_aws_access_key_id }}"
|
||||
export AWS_SECRET_ACCESS_KEY="{{ backup_s3_aws_secret_access_key }}"
|
||||
|
||||
# Populate a list of databases
|
||||
declare -a DATABASES
|
||||
while read line; do
|
||||
DATABASES+=("$line")
|
||||
done < <(sudo -u postgres psql -t -A -c "SELECT datname FROM pg_database where datname not in ('template0', 'template1', 'postgres');" 2>/dev/null)
|
||||
|
||||
# pgdump all DBs, compress them, and pipe straight up to S3
|
||||
echo "Commencing backup on the following databases:"
|
||||
for dir in "${DATABASES[@]}"; do
|
||||
echo "- $dir"
|
||||
done
|
||||
echo "Will upload resultant backups to {{ backup_s3_bucket }}"
|
||||
for db in "${DATABASES[@]}"; do
|
||||
echo "Backing up $db"
|
||||
sudo -u postgres pg_dump "$db" \
|
||||
| gzip -v9 \
|
||||
| aws s3 cp - \
|
||||
"s3://{{ backup_s3_bucket }}/{{ inventory_hostname }}/$db-$(date "+{{ backup_dateformat }}").pgsql.gz"
|
||||
done
|
||||
|
5
roles/base-backups/defaults/main.yml
Normal file
5
roles/base-backups/defaults/main.yml
Normal file
@ -0,0 +1,5 @@
|
||||
#!/usr/bin/ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
backups_outdir: "/opt/backups/out"
|
||||
backups_boot_delay: 1h
|
||||
backups_time: "*-*-* 02:00:00"
|
10
roles/base-backups/handlers/main.yml
Normal file
10
roles/base-backups/handlers/main.yml
Normal file
@ -0,0 +1,10 @@
|
||||
#!/usr/bin/ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- name: restart backups timer
|
||||
systemd:
|
||||
daemon_reload: yes
|
||||
name: 9iron-backup.timer
|
||||
enabled: yes
|
||||
state: restarted
|
||||
become: yes
|
6
roles/base-backups/meta/main.yml
Normal file
6
roles/base-backups/meta/main.yml
Normal file
@ -0,0 +1,6 @@
|
||||
#!/usr/bin/ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
allow_duplicates: no
|
||||
dependencies:
|
||||
- role: awscreds
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user