Compare commits


No commits in common. "ce14c82f0ea7b8e56983449a5c6f1c39a3a0b7c9" and "04c5bcc77c01a405cd3c385ee3bd35ca5dc7c2f4" have entirely different histories.

568 changed files with 15907 additions and 19677 deletions

.gitmodules vendored
View File

@ -1,9 +0,0 @@
[submodule "roles/minecraft"]
path = roles/minecraft
url = https://git.desu.ltd/salt/ansible-role-minecraft
[submodule "roles/terraria"]
path = roles/terraria
url = https://git.desu.ltd/salt/ansible-role-terraria
[submodule "roles/pleroma"]
path = roles/pleroma
url = https://git.desu.ltd/salt/ansible-role-pleroma
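Review bot: dropping the three submodule entries removes the pinned upstream commit for `roles/minecraft`, `roles/terraria` and `roles/pleroma`, yet the new playbooks in this same diff still apply `role: minecraft` and `role: pleroma` (playbooks/gameservers.yml and playbooks/appservers.yml), so those roles are presumably now vendored as plain directories. Record their source URL and commit in `roles/requirements.yml`, as the README says is done for the Galaxy roles; otherwise there is no way to see which upstream revision is deployed or to diff against it when a fix lands upstream.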

View File

@ -1,3 +1,3 @@
#!/usr/bin/env ansible-playbook
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
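Review bot: changing the shebang from `#!/usr/bin/env ansible-playbook` to `#!/usr/bin/ansible-playbook` only works where a distro package put the binary in /usr/bin; the `localhost-deploy.sh` added in this diff installs Ansible with `sudo pip3 install ansible`, which lands in /usr/local/bin, so on a machine bootstrapped that way the playbook is no longer directly executable. Keep the `env` form, or commit to always invoking playbooks through the deploy scripts.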

View File

@ -1,55 +1,29 @@
# Salt's Ansible Repository
# Salt's Ansible Repo
Useful for management across all of 9iron, thefuck, and desu.
A collection of Ansible configuration to manage all of my machines.
## TODO
## Quickstart
This branch is kinda-sorta a port of master, so it still needs to reach some form of feature parity with it. Namely:
To quickly get a machine up and running, add it to the inventory and `./provision.yml` it. This ensures a basic, sane running environment from which you can do tuning. Ideally, though, you should have roles.
* Matrix(? Do I still want to keep this around? Is there a better alternative? Will my friends even use it?)
## Overview
* Port over configs for Nextcloud on web1.9iron.club
The main playbook, `site.yml`, can be separated into more or less two parts:
## Initialization
* The home machine half, tied together via Zerotier
Clone the repo, `cd` in. Done.
* The 9iron half, with public IPs and resolvable names
## Deployment
See `inventory/hosts.yml` for details on what machines have what roles and what configuration. I try my best to make self-explaning configuration, so everything should mostly make sense on a first read. If you have any questions, hit me up.
Adding a new server will require the following be fulfilled:
## Style Guide
* The server is accessible from the Ansible host;
* Quote strings when required, quote entire strings if they contain Jinja markup, not just the marked up section (yes I know I violate this in several places)
* The server has a user named `ansible` which:
* Use `yes` and `no` for booleans
* Accepts the public key located in `contrib/desu.pub`; and
* Use short form for simple tasks (still working on fixing that up)
* Has passwordless sudo capabilities as root
## Your Shit is Trash
* The server is added to `inventory/hosts.yml` in an appropriate place;
* DNS records for the machine are set; and
* The server is running Ubuntu 20.04 or greater
From there, running the playbook `site.yml` should get the machine up to snuff. To automate the host-local steps, use the script file `contrib/bootstrap.sh`.
## Ad-Hoc Commands
The inventory is configured to allow for ad-hoc commands with very little fuss. For example:
```bash
ansible -m shell -a 'systemctl is-failed ansible-pull.service' all
```
These commands must be run from the root of the repo.
## Ansible Galaxy
Several of the roles in this repository are sourced from Ansible Galaxy. They're mirrored here for both easy compatibility with `ansible-pull` and in case the sources go down. Despite this, they're still managed in `roles/requirements.yml` for ease of management, source tracking, and updating. Any forks or deviations from these sources should be thoroughly documented.
Should you need to reinitialize them, the following command (run from the root of the repo) will initialize all Galaxy assets:
```
ansible-galaxy install -r roles/requirements.yml
```
I know. Please file an issue.
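Review bot: the Style Guide item "Use `yes` and `no` for booleans" is contradicted by the group_vars hunk in this same diff, where `disable_registration: "false"`, `enable_registration: "true"`, `openreg: "true"` and `master.enabled: "true"` are quoted strings; a quoted `"false"` is a non-empty string and therefore truthy in Jinja unless the consuming role runs it through `| bool`, which is exactly how a registration toggle ends up silently open. Either unquote them to real booleans or state in the guide that quoted strings are intentional for values that are templated verbatim into config files. Separately, the Quickstart tells the reader to `./provision.yml` a new host while the Overview and both deploy scripts use `site.yml`; say which one is the entry point.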

View File

@ -1,11 +1,15 @@
[defaults]
gathering = smart
interpreter_python = python3
inventory = inventory
roles_path = roles
private_key_file = ~/.ssh/desu
host_key_checking = false # I'm constantly spinning machines up and down; no time for this
#ask_become_pass = true
# Connection info
private_key_file = ~/.ssh/ansible
host_key_checking = false
# Secrets
ask_become_pass = true
#ask_vault_pass = true
# Warnings
command_warnings = true
#deprecation_warnings = false
system_warnings = true
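Review bot: `host_key_checking = false` survives the rewrite, now without the comment that used to justify it; it disables SSH host-key verification for every host in the inventory, including the public `9iron.club` machines, so an impostor host reached through a DNS or routing hijack would receive the become password and every vaulted secret rendered into task arguments. Since hosts are now declared in `inventory/hosts.yml` anyway, keep checking on and pre-populate `~/.ssh/known_hosts` for the long-lived hosts (or point `ansible_ssh_common_args` at a pinned `UserKnownHostsFile`), and disable it only for throwaway VMs through a group var. Minor: with `ask_become_pass = true` set here, the explicit `--ask-become-pass` in `localhost-deploy.sh` is redundant.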

View File

@ -1,52 +0,0 @@
#! /bin/sh
#
# bootstrap.sh
# Copyright (C) 2020 Vintage Salt <rehashedsalt@cock.li>
#
# Distributed under terms of the MIT license.
#
set -e
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root"
exit 1
fi
if ! [ -f "./desu.pub" ]; then
echo "The public key \"desu.pub\" must sit in PWD. cd to contrib"
exit 2
fi
echo "Adding ansible user..."
if ! useradd ansible > /dev/null 2>&1; then
err=$?
case $err in
0)
;;
9)
echo "Continuing..."
;;
*)
echo "Encountered error $err adding user ansible"
exit 3
;;
esac
fi
echo "Adding key..."
mkdir -p ~ansible/.ssh
cat ./desu.pub > ~ansible/.ssh/authorized_keys
echo "Fixing perms..."
chmod 0600 ~ansible/.ssh/authorized_keys
chown -R ansible. ~ansible/.ssh
cat > /etc/sudoers.d/50-ansible << EOF
ansible ALL=(ALL:ALL) NOPASSWD:ALL
EOF
echo "Done!"
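Review bot: removing `contrib/bootstrap.sh` (and `contrib/desu.pub` just below) takes away the only documented way to create the `ansible` account, install its key and grant it `NOPASSWD:ALL` sudo, but the inventory hunk in this diff still sets `ansible_user: ansible` for the `home` group, so a new home machine has no bootstrap path. Either document the manual steps in the README or move the user/key/sudoers setup into a role that the `ubuntu` user can run once. If the script is ever resurrected, do not carry over its latent bug: after `if ! useradd ansible ...; then`, `$?` is the negated status of the pipeline (always 0), so `err` never held the real `useradd` exit code and the `case` branches were dead.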

View File

@ -1 +0,0 @@
ssh-rsa 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 ansible

deploy.sh Executable file
View File

@ -0,0 +1,3 @@
#! /bin/sh
ansible-playbook --ask-vault-pass site.yml "$@"
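Review bot: `deploy.sh` never changes directory, but this repo's `ansible.cfg` is only picked up from the current working directory and resolves `inventory` and `roles_path` relative to it (the README makes the same point for ad-hoc commands), so running it as `./path/to/deploy.sh` from elsewhere will neither find `site.yml` nor load the config. Add `cd "$(dirname "$0")"` before the `ansible-playbook` call, and consider `set -e` as `localhost-deploy.sh` does.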

View File

@ -1,8 +0,0 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
- name: restart cron
service: name=cron state=restarted
become: yes
- name: regen initramfs
command: /usr/sbin/update-initramfs -c -k all
become: yes

View File

@ -1,158 +1,207 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
# For homebrew roles and such, mostly Ansible-related setup
ansible_pull_repo: "https://git.desu.ltd/salt/ansible"
ansible_pull_commit: master
common_ansible_pubkey: "ssh-rsa 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 ansible"
## BACKEND
# ACME
acme:
#directory: "https://acme-staging-v02.api.letsencrypt.org/directory" # Testing ACME endpoint
directory: "https://acme-v02.api.letsencrypt.org/directory"
version: 2
webroot: /var/www/acme
aws:
# S3 Backups
backup_bucket: "9iron-backups-general"
# SES
ses:
user: !vault |
$ANSIBLE_VAULT;1.1;AES256
33643766376336316266373239386466373639633765333332353031373132383061346564633036
3337396261333264363562363364336235633831353133380a613164666161313265396261616634
38353531306238613735623433663138643231663139363735373537393337636362636534656166
3063373930343039320a663063663535633932323739653461336164643035633036663362666161
38316564326537303236333266303432326164393435663665363963326363306237
pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
39306665653635383832623438656364616633643032663365643033316236333939363732363034
3566663361653862646636396339343963626561613839620a663731313337613734356261326437
31653763346663656165343632336366343562333836396232636431323635333965336137316237
3662393364636631310a643935313539353338333233356362623835363631383035666536343634
65663937643165613337373837633737653765303764303536386530616363343361326536633935
3565626161343562396663353538653136376138373334336435
# MySQL
mysql:
root_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
62316565376333396465333931356163343363663063636233653536373033396230626639613964
3037613839373833646234626236643430393364643131610a333539373533663434373935376130
65323365313465316635646465376665616132653832316362363535366563363863636530313666
3036393134386131310a643734363261633166636263343538313533393738323934303137343163
39636637643035616236663364663562366133613233313139623937313531343564
# PSQL
psql:
ansible:
user: ansible
pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
30383235373131383466383438653235666365386631356463633265623332643337633830663930
3639313565613138373165636264343030323961646539390a356134383764326631326635636139
63626263373063343036373266326235363839316662363031356264363365633161326264643766
3734386366633861640a643335636330323432626437646337353534653832383337396432636264
61356331646133653363353931306630373963316430626266346630646362666237
neighbor_block: "172.31.0.0/16"
# For backups
backup_s3_bucket: !vault |
$ANSIBLE_VAULT;1.1;AES256
61393939633736616361336162633564356434363963303737366236373332653265366132393439
3333643463306561616261636466303631373866353962310a356561633833633533353937323265
64656235616637366363323330346134656366663733393462346333613535633838333938653434
6133326433613239650a386333626339363263323134313830353963326265666336306130656534
6534
backup_s3_aws_access_key_id: !vault |
$ANSIBLE_VAULT;1.1;AES256
61353734383466366564333832643738313238666235336332303539383639626263633231396261
6165393062393266343661643466633163383164383032340a333833656566336331323565386162
35646665353539616538353339616531346564636466643639326366353165313861373761396537
3731653463643838330a383065313135343763636534656133343666363237356462326236643631
34366564373661396434663633346635663331393538363362376265653334623538
backup_s3_aws_secret_access_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
64316231613337333231383837333930336561633164393762343838646136393165626361346637
3364643830346533623137643530323438366665393632320a633032336664616261353734343661
36646565383532616133353530343331663731663965656662363830363063303361373861663762
3032613362626233350a613464333230363830383334363032303730646134306331383733363036
34346334306633306664323337643433356336366633396239306539613539633535386238346662
6232313138393062626631386135383234376361643362353966
## WEBAPPS
# Gitea
gitea:
db:
hostname: 172.31.47.215
pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
62353264353465316661353738666161313036373761666163663733656461316536636334386335
6161386630663739363439383237343065333239613134610a383036373735326536386464343164
31346337636665356630336234306534646362386663633734353166373761316139313734306630
3364306566323666310a323034303434613237643665643637633430353437316339356463646331
33353062343164396465326365653561626363343961326363633231303736316436643935646161
3933353234613430373930663832643934613233383635613433
app_name: "9iron Gitea"
disable_registration: "false"
url: "git.9iron.club"
root: "/var/gitea"
efs:
name: "9iron-gitea"
region: "us-east-2"
subnet_id: "subnet-852935ed"
security_group: "sg-4f4b692c"
admin:
user: "salt"
email: "rehashedsalt@cock.li"
pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
35613039646236306236363930353231303331633765303039373736626666666530323433356466
3062633166313332643039613561303431613735396339650a376664373137643439303465376365
35313266376539366134343562626164616666306338343538663361393964626565303331383234
3565646664333966650a323530356664366262653763363439613534303764366436376634373639
62303264653836656162366362316461656363353539343632616462626231643632
# Grafana
grafana:
db:
hostname: 172.31.47.215
pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
65376335363732633132326630323161393861323833323631613630343262383137656138356262
3730386139393739373738626535376636666135646463350a623331333032346434343465666234
38393539623437376133363063633238383031326431653737346564323837343265653431633962
6665346237666165330a643635653863356633623535383063366632336437313730626233346664
33303465616532313339393634386166363162393661393037323835323035386663
url: "monitor.9iron.club"
webroot: "/var/www/grafana"
config_repo: "https://git.9iron.club/salt/grafana"
# Matrix
matrix:
server_name: "9iron.club"
url: "matrix.9iron.club"
enable_registration: "true"
admin_contact: "mailto:rehashedsalt@cock.li"
db_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
64663061333130386634323631353435376330636334623334663365633361336563393634333061
6531393839336532376465356132646337663339333431340a383030373166653835386239643365
31356462653634323162343164633130366664323034373330613764663635326534303935303230
6233636463636134640a386436316462643434343739333232613264303635323261616634326562
63316265366238383038653034326661633163346462396663346563666134393232
# Nextcloud
nextcloud:
db:
hostname: 172.31.47.215
pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
37633035633563646266346264333636393931323664313166633133653461646333643731636661
3966666665396239346662613764353333393038663762340a313236396331623061376462356437
66373234633939393034353439393465663131303661393164303335336435653734613064663964
3332313764623133630a393731613236373837316437653265636663666261383135636662373566
61373135303632336237333836353764646639633735323566346366623766646266
efs:
name: "9iron-nextcloud"
region: "us-east-2"
subnet_id: "subnet-852935ed"
security_group: "sg-4f4b692c"
url: "nc.9iron.club"
# Pleroma
pleroma:
instance:
name: Cowfee
desc: owo
email: rehashedsalt@cock.li
notify_email: noreply@cowfee.moe
openreg: "true"
static_repo: "https://git.9iron.club/salt/pleroma"
db:
pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
34343838386134656236313462653531663839363030333630383332386535356431326436633137
3261323632653635383930333131333235373437653733300a363562666264616138623832666137
61333039646332343838346633363035343434303036643465353062353062303961383138643564
3338393765393733340a626436653666363236643938613466643530326665653764333933393437
37613033653864643965323162373366306233626235663461326266376662663634353066386139
37636162313364623933396232366239633338363539626637373163333130373665373038363566
65646633636638653335356536323334646632366164633532636634376632356166306139393766
38633934623639366263
secret:
key_base: !vault |
$ANSIBLE_VAULT;1.1;AES256
36333934336635613533333137636532363937613764353933636566663031316262333837323064
6534653062626461633462636335346132353564653038330a326330326235623530393337333063
37666666386637633839633737376465366439356461653363396665636137353264363762346461
3765616634653234630a623061393834373964653939626564363263383435666366356339663136
64613330656434653538363734393831353133316666326338366335383064356165333537383837
31633939353565303661626233623064653838636435376239376361663362636164653962383561
33366335623038653232613731333730363836653532363834663663343963303763323534343038
61666238346239636634
signing_salt: !vault |
$ANSIBLE_VAULT;1.1;AES256
31306137646362333433313630363538333234643339353530333038393061663132633161356231
3662386234633933633762363334333031306564353132380a633339323364633137396636616363
64393536353362386336323662316262333763326138616364333237353262323232636335353436
3563396435643363620a646337346561393863366361643536356363626334343264343861663131
3466
# snmpd
snmp:
location: "us-east-2"
contact: "Salt <rehashedsalt@cock.li>"
auth_user_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
36373662333533616331623933343364663532326261653636363732323138633836356633623934
6561333833343432353561366438313165383163366131630a653163666463356462633966666330
38323965303639356635613565633030373836643132336332373730303137376165616163646538
3162616233366236350a626130643230323264343938373134653034636232303130623134393531
61366330316330646137336161623166343835316432363433373333323232383166
priv_user_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
61316538316630333662633665646364356138613730633334653761626636633836363335383965
6332303265323236383130383366336662626331613866340a636139366135313134303538613833
61383662306163663634333538343733663836633834373462616265366365626533366334383031
6265643764656461320a313137326430386532653538346462323463386538303966303830343037
63333632656534333334383666666138353435383938623934663766623735656533
int_user_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
31616561323762653439346630653231646137626638383930346437323139666163316131333534
6463313537316230363735346236323033386562373032330a326261393039663539353738643465
36666136663930663463373731663534316232643637623732346331383737643233626235613439
3733366462613133620a386336303434303130313636356339633939623638366236346234376566
65386530663137393830636134653632623366333837616364396161666464613166
# For zerotier
zerotier_network_id: !vault |
$ANSIBLE_VAULT;1.1;AES256
35646131343239623265663562343333383362366633386462646465643163353866643633636135
6238643231313536323337343663313865323430323437630a353462393830376431376363373232
30656433343263653035333637336165323931363966376264353164326135336131646362623734
3339633961393864330a616437613534643231366634643362383438316233376334636264303361
65313231393433396538663463383731303661633663343066333264303330313133
# For geerlingguy.apache
apache_remove_default_vhost: yes
apache_ssl_cipher_suite: AES256+EECDH:AES256+EDH
apache_ssl_protocol: all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# For geerlingguy.php
##RESERVED
# For gitea
secret_gitea_9iron_db_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
62353264353465316661353738666161313036373761666163663733656461316536636334386335
6161386630663739363439383237343065333239613134610a383036373735326536386464343164
31346337636665356630336234306534646362386663633734353166373761316139313734306630
3364306566323666310a323034303434613237643665643637633430353437316339356463646331
33353062343164396465326365653561626363343961326363633231303736316436643935646161
3933353234613430373930663832643934613233383635613433
secret_gitea_db_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
35343032343364306363646232613831386530313430663664396432353431393039626230626137
6339653038633534313562333431613362313263623130300a383930626437636466623763663334
64646239633830656338336135313261396536303739373731633830633366313262313035626233
6463663332623635320a356565666638306661356365643930303664346232303165373333613235
62396535653338396232616531323738656636613065336337333336306437363539303766623866
3932386635393061643737326163643164643365303866643766
gitea_secret_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
34373339636233393231363531323338306330653139376661356336343133373836323065333665
3537613462316361646161653966643862633033646134370a643133393162313434383663643538
31343164666235316235393163376134636433386361353266613263363839366432356132383533
3434643430306234350a353037373530653865363931333237663133626537643730643634356162
33353632613637306336653734343332393661343539393034313437373636383732393062333530
3337633338323131373130376137393766363737393536386636
gitea_internal_token: !vault |
$ANSIBLE_VAULT;1.1;AES256
34323237383664663266653034656437643363316538663338383262663931356665383363656466
3861653830626538303761303638663835316239343033370a323164303164613265363535643432
31393732393361666331396533333339623665623562643962323632653537666339346266393632
6639663137613232640a383633343038626638626434636230346634373533616564316262333833
64376163636230303361326532316665366633373035336164393033653366653564633339386338
35326462333364353032343238363230343235303037306532333765376464326234633739396534
31333332613964313031346534306236383434346430396233646132393962383636383631643461
37366163373863653164626365383761623431613164653932363730633134633032336266616335
61626133316161616335323630333461663163613430353438633235336331343934386464373866
62633234313261363537663061373931303832653531356566633739636264666635653936313965
623964653936646334313864643030653763
# For Nextcloud
secret_nextcloud_9iron_db_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
37633035633563646266346264333636393931323664313166633133653461646333643731636661
3966666665396239346662613764353333393038663762340a313236396331623061376462356437
66373234633939393034353439393465663131303661393164303335336435653734613064663964
3332313764623133630a393731613236373837316437653265636663666261383135636662373566
61373135303632336237333836353764646639633735323566346366623766646266
secret_nextcloud_db_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
31626162623164373133356634323436373634616363663966313039313431643837326630346632
3066303432303064663838643533373933343166356437610a613134383566653035663462393538
37616538366337313265333333373432363031323336306436643839333337313735633463326133
6538383936643664370a663737333861303132313031373234396562653464653838343836663530
38396663633237383764613139346333636432613464356465663661653265323135363032633963
3335626335353431616365313232346431313439653132303833
secret_nextcloud_admin_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
66303362626535386438633666376264313563323034343938363034353435306463613364366636
3633343332643062633265643838346465623362323866610a666237636461376166373938626538
62326334356339326330623336363038323431363266306265386635343432383764623437386462
3534643731333331320a393462323264666135666134336536633639613065363339333131653433
37653732313664356330356139646336353735613336326563366361383737653538
# For OnlyOffice
secret_onlyoffice_9iron_db_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
31326366346266353162303566646632376434373966663533353737626539366662306163346562
3934666237323331303063636561613531613431303237360a323335333764356335326665626665
30396236656537626531616532353839303535336534303934316237343338336536323135653865
3036393663396633380a366461613536616264613237626164373631353137643963663830393833
34326639343831346333333461663634333434633136646163326634653439623138
# For Pleroma
secret_pleroma_9iron_db_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
34343838386134656236313462653531663839363030333630383332386535356431326436633137
3261323632653635383930333131333235373437653733300a363562666264616138623832666137
61333039646332343838346633363035343434303036643465353062353062303961383138643564
3338393765393733340a626436653666363236643938613466643530326665653764333933393437
37613033653864643965323162373366306233626235663461326266376662663634353066386139
37636162313364623933396232366239633338363539626637373163333130373665373038363566
65646633636638653335356536323334646632366164633532636634376632356166306139393766
38633934623639366263
secret_pleroma_key_base: !vault |
$ANSIBLE_VAULT;1.1;AES256
36333934336635613533333137636532363937613764353933636566663031316262333837323064
6534653062626461633462636335346132353564653038330a326330326235623530393337333063
37666666386637633839633737376465366439356461653363396665636137353264363762346461
3765616634653234630a623061393834373964653939626564363263383435666366356339663136
64613330656434653538363734393831353133316666326338366335383064356165333537383837
31633939353565303661626233623064653838636435376239376361663362636164653962383561
33366335623038653232613731333730363836653532363834663663343963303763323534343038
61666238346239636634
secret_pleroma_signing_salt: !vault |
$ANSIBLE_VAULT;1.1;AES256
31306137646362333433313630363538333234643339353530333038393061663132633161356231
3662386234633933633762363334333031306564353132380a633339323364633137396636616363
64393536353362386336323662316262333763326138616364333237353262323232636335353436
3563396435643363620a646337346561393863366361643536356363626334343264343861663131
3466
# For Matrix/Synapse
secret_matrix_9iron_db_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
64663061333130386634323631353435376330636334623334663365633361336563393634333061
6531393839336532376465356132646337663339333431340a383030373166653835386239643365
31356462653634323162343164633130366664323034373330613764663635326534303935303230
6233636463636134640a386436316462643434343739333232613264303635323261616634326562
63316265366238383038653034326661633163346462396663346563666134393232
## VIDYA
# tes3mp
tes3mp:
archive: "https://github.com/TES3MP/openmw-tes3mp/releases/download/0.7.0-alpha/tes3mp-server-GNU+Linux-x86_64-release-0.7.0-alpha-abc4090a0f-01d297f5c6.tar.gz"
name: "main"
dest: /opt/tes3mp
server:
name: "9iron TES3MP"
maxplayers: 8
password: dicks
port: 25565
master:
enabled: "true"
host: master.tes3mp.com
port: 25561
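Review bot: `tes3mp.server.password: dicks` is the one credential in this file left in clear text while every database password, API key and even the ZeroTier network id is vaulted; encrypt it with `ansible-vault encrypt_string` like the others so it does not sit in git history. Smaller point: if both the `aws.backup_bucket` key and the `backup_s3_bucket` / `backup_s3_aws_*` keys survive this diff, they describe the same S3 backup target under two naming schemes, and one of them should go before a role reads the stale one.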

View File

@ -1,33 +1,73 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
all:
vars:
ansible_user: ansible
ansible_pull_repo: "https://git.desu.ltd/salt/ansible"
ansible_user: ubuntu
gitea_api_token: !vault |
$ANSIBLE_VAULT;1.1;AES256
39646564383934343237626436363261643265663339616566353563613266396536373164646235
3630333032613536373532616363333464653138656164390a386565316164386263363935663264
62613737336539653835356634313636643732396330313863393861373664353966363437373338
6565336264613334650a613063393662643237333864316332613131386233396562333063646263
63636238356266363065656462626536346634646365363135643538316136346566306131626161
3166653266383332343332366530343532396435353134373939
ssl_protocol: "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
ssl_cipher_suite: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
user_username: salt
user_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
37666131343936663962386535343939373161343337383436613961303637376136633736353533
3366623536646563383563373265313134663464396231370a303033353661336436386561366139
30393536393634653566646636366436656435623534626266343632313336336336346131383361
3366343932383930350a383637646261373135376138633533306530306339316235353262356135
34626466363266616265653064333365663663306330666632343864373335626265323230633331
33623431633665353964623437636231623366383733626266353162633762373035376638663936
62383065653836366431316461663862393130653761643937376565366435646665313961663534
64303363653631653433343361616635373966326433663466636164613062343561333036613937
35616666633737356331653632323639373330396433366639326466373639313630
children:
# Personal home machines
home:
vars:
ansible_become: yes
ansible_user: ansible
ansible_pull_time: "*-*-* 03:00:00"
aws:
backup_bucket: 9iron-backups-home
zerotier_network_id: !vault |
$ANSIBLE_VAULT;1.1;AES256
35646131343239623265663562343333383362366633386462646465643163353866643633636135
6238643231313536323337343663313865323430323437630a353462393830376431376363373232
30656433343263653035333637336165323931363966376264353164326135336131646362623734
3339633961393864330a616437613534643231366634643362383438316233376334636264303361
65313231393433396538663463383731303661633663343066333264303330313133
hosts:
# dsk-cstm-0:
# ansible_host: 172.23.100.1
# lap-s76-lemp9-0:
# ansible_host: 172.23.100.3
# thefuck:
# vars:
# ansible_user: root
# hosts:
# game1.thefuck.how:
9iron:
children:
desktop:
dbservers:
vars:
hosts:
#vm-rice-0:
# ansible_host: 192.168.122.14
#dsk-cstm-0.desu.ltd:
lap-s76-lemp9-0.desu.ltd:
prod:
vars:
ansible_become: yes
children:
db:
hosts:
psql1.9iron.club:
psql1.desu.ltd:
web:
hosts:
web1.9iron.club:
web1.desu.ltd:
app:
#psql1.9iron.club:
webservers:
hosts:
#web1.9iron.club:
fedi1.9iron.club:
game:
hosts:
game1.thefuck.how:
gameservers:
vars:
steam_api_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
39616163316634306633623435636633623966306537636639316439343839393231376661666335
6136333866633861313566306433393637613364386234360a303832626338373230396665336430
33346530626633616161613635656433356434366437383363663165303862316163323263323230
3334373531646364620a386165626130386265343235363639346230323930626330343235373662
38313431663734343931333462316633643935353038313934663466303834636533616165353961
6438356265656532396363323532616437353831613261323037
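Review bot: the `ssl_cipher_suite` line at the `all` level still lists CBC-mode suites (`ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA384`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-RSA-AES128-SHA256`) after the AEAD ones; since `ssl_protocol` already disables everything below TLS 1.2, any TLS 1.2 client of note can negotiate the GCM or ChaCha20 suites, so the CBC entries only widen the surface for padding-oracle class weaknesses. Trim the list to the AEAD suites. Also, the vaulted `gitea_api_token` and `user_password` are set at `all`, so they are decrypted and rendered for game and home hosts that have no use for them; scope them to the group that actually needs them.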

localhost-deploy.sh Executable file
View File

@ -0,0 +1,25 @@
#! /bin/bash
#
# localhost-deploy.sh
# Deploys configs for local machine and only local machine
# Copyright (C) 2020 Vintage Salt <rehashedsalt@cock.li>
#
# Distributed under terms of the MIT license.
#
set -e
if ! command -v ansible > /dev/null 2>&1; then
printf "Installing Ansible and related packages\n"
if command -v apt > /dev/null 2>&1; then
printf "Installing via APT\n"
sudo apt-get install libffi-dev python3-pip python3-setuptools -y
elif command -v apk > /dev/null 2>&1; then
printf "Installing via APK\n"
sudo apk add gcc musl-dev py3-cryptography py3-pip py3-setuptools
else
printf "No supported package manager found\nPlease install Ansible manually"
exit 1
fi
sudo pip3 install ansible
fi
ansible-playbook site.yml -l "$HOSTNAME" -e "ansible_user=$USER ansible_connection=local ansible_host=localhost" --ask-become-pass --ask-vault-pass "$@"
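Review bot: `sudo pip3 install ansible` installs Ansible as root into the system site-packages, where it can collide with the distro's own Python packages and is never pinned; on the apt branch `apt-get update` is also not run before `apt-get install`, so the dependency install can fail on a fresh image. Prefer `pip3 install --user ansible` or a venv, or the distro package where one exists. Note too that pip puts the binary in /usr/local/bin, so the `#!/usr/bin/ansible-playbook` shebangs introduced elsewhere in this diff will not resolve on a machine bootstrapped by this script. Minor: the `printf "...Please install Ansible manually"` is missing a trailing `\n`, and `--ask-become-pass` is already implied by `ask_become_pass = true` in ansible.cfg.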

playbooks/appservers.yml Normal file
View File

@ -0,0 +1,29 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- hosts: fedi1.9iron.club
pre_tasks:
- name: Assure cowfee record
route53:
state: present
overwrite: yes
zone: cowfee.moe
type: A
record: "cowfee.moe."
ttl: 3600
value: [ "{{ ipify_public_ip }}" ]
wait: yes
become: yes
tags: [ common, dns ]
roles:
- role: base-backups
tags: [ backups ]
- role: matrix
vars:
matrix_db_hostname: 172.31.47.215
tags: [ fedi, matrix ]
- role: pleroma
vars:
pleroma_url: cowfee.moe
pleroma_db_hostname: 172.31.47.215
tags: [ web, pleroma ]
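Review bot: the `route53` pre-task runs on fedi1.9iron.club itself with `become: yes`, so the managed host needs boto and AWS credentials with Route53 write access, and a task that only calls an API gets them as root; add `delegate_to: localhost` and drop `become` so the credentials stay on the controller. `ipify_public_ip` is also referenced without a visible `ipify_facts` task ahead of it in `pre_tasks`, so the play relies on that fact having been gathered earlier (presumably in `site.yml`); gathering it here would make the playbook runnable on its own. The `172.31.47.215` database address is repeated for both roles and again throughout `group_vars`; a single `db_hostname` var would keep them from drifting apart.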

View File

@ -1,90 +0,0 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
# Database servers
---
- hosts: psql1.desu.ltd
roles:
- role: backup
vars:
backup_script: s3pgdump
tags: [ backup ]
- role: motd
vars:
motd_watch_services_extra:
- postgresql
tags: [ motd ]
- role: postgresql
vars:
postgresql_global_config_options:
- option: listen_addresses
value: 192.168.164.156
postgresql_hba_entries:
- { type: local, database: all, user: postgres, auth_method: peer }
- { type: local, database: all, user: all, auth_method: peer }
- { type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5 }
- { type: host, database: all, user: all, address: '::1/128', auth_method: md5 }
# Used for internal access from other nodes
- { type: host, database: all, user: all, address: '192.168.0.0/16', auth_method: md5 }
postgresql_users:
- name: gitea-desultd
password: "{{ secret_gitea_db_pass }}"
- name: nextcloud-desultd
password: "{{ secret_nextcloud_db_pass }}"
postgresql_databases:
- name: gitea-desultd
owner: gitea-desultd
- name: nextcloud-desultd
owner: nextcloud-desultd
tags: [ db, psql ]
- hosts: psql1.9iron.club
roles:
- role: backup
vars:
backup_script: s3pgdump
tags: [ backup ]
- role: motd
vars:
motd_watch_services_extra:
- postgresql
tags: [ motd ]
- role: postgresql
vars:
postgresql_hba_entries:
- { type: local, database: all, user: postgres, auth_method: peer }
- { type: local, database: all, user: all, auth_method: peer }
- { type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: md5 }
- { type: host, database: all, user: all, address: '::1/128', auth_method: md5 }
- { type: host, database: all, user: all, address: '172.31.0.0/16', auth_method: md5 }
postgresql_users:
- name: gitea
password: "{{ secret_gitea_9iron_db_pass }}"
- name: nextcloud
password: "{{ secret_nextcloud_9iron_db_pass }}"
- name: onlyoffice-9iron
password: "{{ secret_onlyoffice_9iron_db_pass }}"
- name: pleroma
password: "{{ secret_pleroma_9iron_db_pass }}"
- name: matrix
password: "{{ secret_matrix_9iron_db_pass }}"
postgresql_databases:
- name: gitea
lc_collate: C.UTF-8
lc_ctype: C.UTF-8
owner: gitea
- name: nextcloud
lc_collate: C.UTF-8
lc_ctype: C.UTF-8
owner: nextcloud
- name: onlyoffice-9iron
lc_collate: C.UTF-8
lc_ctype: C.UTF-8
owner: onlyoffice-9iron
- name: pleroma
lc_collate: C.UTF-8
lc_ctype: C.UTF-8
owner: pleroma
- name: matrix
lc_collate: C
lc_ctype: C
owner: matrix
tags: [ db, psql ]
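Review bot: this deletion removes the explicit `postgresql_hba_entries` (peer for local sockets, md5 for 127.0.0.1, ::1 and the `172.31.0.0/16` / `192.168.0.0/16` neighbour blocks), the per-application `postgresql_users` with their vaulted passwords, and the `C.UTF-8` collation settings, while the replacement `playbooks/dbservers.yml` in this diff applies `role: postgresql` with no vars at all. Confirm that the `postgresql` role now derives these from `psql.neighbor_block` and the `psql` / `gitea.db` / `nextcloud.db` structures in `group_vars`; otherwise the first run after this change leaves the role's default `pg_hba.conf`, which either locks the web hosts out or, depending on the role's defaults, trusts more than the old `md5` rules did.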

playbooks/dbservers.yml Normal file
View File

@ -0,0 +1,8 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
- hosts: psql1.9iron.club
roles:
- role: base-backups
tags: [ backups ]
- role: postgresql
tags: [ db, psql ]

View File

@ -1,41 +0,0 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
# Home desktops
- hosts: desktop
post_tasks:
- name: confirm liblzo2 dllmap
lineinfile:
path: /etc/mono/config
insertafter: "<configuration>"
line: '<dllmap dll="lzo2.dll" target="liblzo2.so.2" os="!windows"/>'
tags: [ desktop, mono ]
- name: give python3 cap_sys_ptrace
capabilities:
path: /usr/bin/python3.8
# Required for Randovania to access Dolphin memory
capability: cap_sys_ptrace=eip
tags: [ desktop, python, cap ]
roles:
- role: backup
vars:
backup_s3backup_tar_args_extra: h
backup_s3backup_list_extra:
- /home/salt/.backup/
tags: [ backup ]
- role: motd
tags: [ motd ]
- role: desktop
tags: [ desktop ]
- role: grub
tags: [ desktop, grub ]
- role: udev
vars:
udev_rules:
# Switch RCM stuff
- SUBSYSTEM=="usb", ATTR{idVendor}=="0955", MODE="0664", GROUP="plugdev"
tags: [ desktop, udev ]
- role: pulseaudio
tags: [ desktop, pulse, pulseaudio ]
- role: zerotier
tags: [ desktop, zerotier ]
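Review bot: the removed `capabilities` task granted `cap_sys_ptrace=eip` to `/usr/bin/python3.8` itself, which let any script run by the system interpreter attach to and read the memory of arbitrary processes, not just Dolphin, so dropping it is a welcome side effect of this deletion. If the Randovania use case returns, attach the capability to a dedicated wrapper binary rather than the shared interpreter.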

playbooks/dns.yml Normal file
View File

@ -0,0 +1,17 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
- hosts: 9iron
tasks:
- name: Add machine to DNS zone
route53:
state: present
overwrite: yes
zone: 9iron.club
type: A
record: "{{ inventory_hostname }}."
ttl: 3600
value: [ "{{ ipify_public_ip }}" ]
wait: yes
become: yes
tags: [ common, dns ]
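Review bot: `ipify_public_ip` is only defined after an `ipify_facts` task has run, and this play has no such task before the `route53` call, so on a fresh run the task fails with an undefined variable; add `- ipify_facts:` ahead of it. `become: yes` is also unnecessary for `route53` (it talks to the AWS API, not the local system) and means the AWS credentials are looked up in root's environment rather than the connecting user's, so drop it.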

@ -1,57 +0,0 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
# Game servers
---
- hosts: game1.thefuck.how
vars_files:
- vars/factorio-main.yml
- vars/minecraft-valhelsia.yml
roles:
- role: backup
vars:
backup_s3backup_list_extra:
- /opt/minecraft/dammit
- /opt/minecraft/valhelsia
- /opt/minecraft/vanilla
- /opt/factorio
backup_s3backup_exclude_list_extra:
- /opt/minecraft/dammit/backups
- /opt/minecraft/valhelsia/backups
- /opt/minecraft/vanilla/backups
tags: [ backup ]
- role: motd
vars:
motd_watch_services_extra:
- minecraft@dammit
- minecraft@valhelsia
- minecraft@vanilla
tags: [ motd ]
- role: minecraft
tags: [ game, minecraft, forge, valhelsia ]
- role: factorio
vars:
server_version: 1.0.0
download_checksum: sha256:81d9e1aa94435aeec4131c8869fa6e9331726bea1ea31db750b65ba42dbd1464
service_name: factorio-main
service_root: /opt/factorio/main
factorio_server_settings:
name: "Krabby Land"
description: "Where a kid can have fun"
max_players: 8
visibility:
public: false
lan: false
admins: [ "rehashed_salt" ]
tags: [ game, factorio ]
- hosts: game1.thefuck.how
vars_files:
- vars/minecraft-vanilla.yml
roles:
- role: minecraft
tags: [ game, minecraft, paper, vanilla ]
- hosts: game1.thefuck.how
vars_files:
- vars/minecraft-dammit.yml
roles:
- role: minecraft
tags: [ game, minecraft, forge, dammit ]
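Review bot: this deletion drops three things that the replacement gameservers.yml in this change does not carry over: the `dammit` and `vanilla` Minecraft plays, the Factorio server (with its checksum-pinned download), and the backup include/exclude lists for `/opt/minecraft/*` and `/opt/factorio`; if those servers are still running on game1.thefuck.how they are now unmanaged and no longer listed for backup, so either state in the commit message that they are retired or move their configuration across.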

50
playbooks/gameservers.yml Normal file
@ -0,0 +1,50 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- hosts: gameservers
roles:
- role: base-backups
tags: [ backups ]
- hosts: game1.thefuck.how
roles:
- role: base-backups
tags: [ backups ]
- role: gitweb
vars:
gitweb_repo: "https://git.9iron.club/salt/thefuck.how"
gitweb_url: "thefuck.how"
gitweb_webroot: "/var/www/thefuck.how"
tags: [ web, webroot ]
- role: minecraft
vars:
minecraft_name: valhelsia
minecraft_version: 1.16.3
minecraft_jre_xmx: 5G
minecraft_server_properties:
- opt: difficulty
value: hard
- opt: motd
value: "Let's get this out onto a tray. Nice, mmkay"
- opt: server-port
value: 25566
- opt: view-distance
value: 10
minecraft_forge_install: yes
minecraft_forge_version: 34.1.42
minecraft_forge_packurl: "https://media.forgecdn.net/files/3110/654/Valhelsia_SERVER-pre5-3.1.0.zip"
minecraft_forge_mods:
- "https://media.forgecdn.net/files/3091/862/ftb-gui-library-1603.1.1.25.jar"
- "https://media.forgecdn.net/files/3105/153/ftb-chunks-1603.2.0.43.jar"
- "https://media.forgecdn.net/files/3113/275/industrial-foregoing-1.16.4-3.2.2-daea863.jar"
minecraft_forge_mods_remove:
- industrial-foregoing-1.16.3-3.1.1-a834e76.jar
become: yes
tags: [ gameserver, minecraft, forge, valhelsia ]
# - role: minecraft-paper
# vars:
# paper_name: "thefuckhow"
# paper_mc_maxplayers: 16
# paper_mc_motd: "brett's new serber"
# paper_jre_xms: 1024m
# paper_jre_xmx: 2048m
# tags: [ gameserver, minecraft, paper ]
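Review bot: `base-backups` is applied twice to game1.thefuck.how, once through the `gameservers` play and again in the host-specific play directly below it, so drop the second occurrence. The modpack zip and the three mod jars are fetched from `media.forgecdn.net` with no checksum, whereas the deleted Factorio block pinned its download with `download_checksum`; if the `minecraft` role exposes a checksum option, use it here so a changed upstream file fails the run rather than being installed. The commented-out `minecraft-paper` block is dead configuration and is better removed or tracked in an issue than left in the playbook.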

52
playbooks/home.yml Normal file
@ -0,0 +1,52 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- hosts: home
roles:
- role: base-backups
tags: [ backups ]
- role: desktop-zerotier
tags: [ zerotier ]
- role: desktop-common
vars:
mopidy_spotify_username: !vault |
$ANSIBLE_VAULT;1.1;AES256
62383664346563343663636261386261383865393535646465386435663535653036636665393133
3732653236663632633863346463346164663938396137370a326535633966343430633464653437
36646134393764313338323235356634353433623731336231626238653064633332306533343966
3362303836363065610a383362313738346534313435393537343931383465623466336632323632
65656663316561333462303761613963383236363532383866313038633232373132
mopidy_spotify_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
33303165663833663839323230643036363962393164373638333334643663626235353936343861
3834633461343533353366373330323264393361323433330a623837613037346633633065613761
63303234323734623938373134333932343965336665323939306336323836613130343866343838
3633383138646233330a366634303739643237333331613436623737663463316133666230366165
36306233336134636532383232303035343533373262373431353966656561633336
mopidy_spotify_client_id: !vault |
$ANSIBLE_VAULT;1.1;AES256
32366664323864383162663963343438643930356531653064393135383364623162626533613433
6462633637396265373238383461623665393730396139320a626537353761323132386131616338
62323033666231326363616363343530333239303638626137613237393135613961613362313662
6233336234306466640a383834353935636138323837343765373966353365323634343439663435
39646138616533656361653765633161616238633335306363383030383832636330356162616264
3739646162313739646538306137623231313037386239343563
mopidy_spotify_client_secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
34666538353333303865623932653237313465653363356665333336343832356530666666343266
6637653137643431346562333465323862356465303766630a336531653033393133396238326134
32393033643261373764663963353130626331646266363430353536326135663239363539613530
6265366565363862610a366561373362656637623863336665336562323838643665323461653937
38306234316364306134396138376230626630633733306432626637616239373838646433343761
3436643661633766616564663937346232353666386531363438
tags: [ desktop ]
- role: pulseaudio
tags: [ pulse, pulseaudio ]
- role: desktop-sddm
vars:
sddm_theme_name: "breeze"
tags: [ sddm, desktop ]
- hosts: dsk-cstm-0
roles:
- role: rgb-kraken
tags: [ desktop, kraken, rgb ]
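Review bot: committing the Spotify credentials as `!vault` values is fine, but embedding four of them inline in the role's `vars:` makes the playbook hard to read and means `ansible-vault rekey` has to be run against the playbook itself; move them to `group_vars/home.yml` (or a `vars_files` entry) so the playbook only lists roles and the secrets live in one place.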

11
playbooks/phone.yml Normal file
@ -0,0 +1,11 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- hosts: phone
roles:
- role: base-backups
tags: [ backups ]
- role: desktop-zerotier
tags: [ zerotier ]
- role: phone-common
tags: [ phone, common ]

@ -1,30 +0,0 @@
# vim:ft=ansible:
apache_global_vhost_settings: |
DirectoryIndex index.php index.html
Protocols h2 http/1.1
<FilesMatch \.php$>
SetHandler "proxy:fcgi://127.0.0.1:9000"
</FilesMatch>
apache_vhosts:
- servername: nc.9iron.club
extra_parameters: |
Redirect permanent / https://nc.9iron.club/
- servername: git.9iron.club
extra_parameters: |
Redirect permanent / https://git.9iron.club/
apache_vhosts_ssl:
- servername: git.9iron.club
extra_parameters: |
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://127.0.0.1:3000/ nocanon retry=1
certificate_file: /etc/letsencrypt/live/nc.9iron.club/fullchain.pem
certificate_key_file: /etc/letsencrypt/live/nc.9iron.club/privkey.pem
certificate_chain_file: /etc/letsencrypt/live/nc.9iron.club/chain.pem
- servername: nc.9iron.club
extra_parameters: |
Header always set Strict-Transport-Security "max-age=31536000"
documentroot: /var/www/nextcloud
certificate_file: /etc/letsencrypt/live/nc.9iron.club/fullchain.pem
certificate_key_file: /etc/letsencrypt/live/nc.9iron.club/privkey.pem
certificate_chain_file: /etc/letsencrypt/live/nc.9iron.club/chain.pem

@ -1,10 +0,0 @@
# vim:ft=ansible:
certbot_admin_email: rehashedsalt@cock.li
certbot_create_if_missing: yes
certbot_create_method: standalone
certbot_create_standalone_stop_services:
- apache2
certbot_certs:
- domains:
- nc.9iron.club
- git.9iron.club

@ -1,19 +0,0 @@
# vim:ft=ansible:
# Look and feel
gitea_app_name: "9iron Gitea"
# Core config
gitea_db_type: postgres
gitea_db_host: 172.31.47.215:5432
gitea_db_name: gitea
gitea_db_user: gitea
gitea_db_password: "{{ secret_gitea_9iron_db_pass }}"
gitea_http_domain: git.9iron.club
gitea_oauth2_enabled: no
gitea_repository_root: /var/gitea
gitea_require_signin: no
gitea_root_url: https://git.9iron.club
gitea_shell: "/bin/bash"
gitea_ssh_domain: git.9iron.club
gitea_ssh_port: 22
gitea_start_ssh: no
gitea_user: git

@ -1,9 +0,0 @@
# vim:ft=ansible:
db_server_host: 172.31.47.215
db_server_name: onlyoffice-9iron
db_server_user: onlyoffice-9iron
db_server_pass: "{{ secret_onlyoffice_9iron_db_pass }}"
cluster_mode: no
enable_ssl: no

@ -1,20 +0,0 @@
# vim:ft=ansible:
apache_global_vhost_settings: |
DirectoryIndex index.php index.html
Protocols h2 http/1.1
apache_vhosts:
- servername: cowfee.moe
extra_parameters: |
Redirect permanent / https://cowfee.moe/
apache_vhosts_ssl:
- servername: cowfee.moe
extra_parameters: |
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://127.0.0.1:4000/ nocanon retry=1
ProxyPassReverse / https://127.0.0.1:4000/
RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on
certificate_file: /etc/letsencrypt/live/cowfee.moe/fullchain.pem
certificate_key_file: /etc/letsencrypt/live/cowfee.moe/privkey.pem
certificate_chain_file: /etc/letsencrypt/live/cowfee.moe/chain.pem

@ -1,10 +0,0 @@
# vim:ft=ansible:
certbot_admin_email: rehashedsalt@cock.li
certbot_create_if_missing: yes
certbot_create_method: standalone
certbot_create_standalone_stop_services:
- apache2
certbot_certs:
- domains:
- cowfee.moe
- matrix.9iron.club

@ -1,16 +0,0 @@
# vim:ft=ansible:
# Site config
pleroma_hostname: cowfee.moe
pleroma_open_registration: "true"
pleroma_instance_name: Cowfee
pleroma_instance_desc: owo
# Secret config
pleroma_secret_key_base: "{{ secret_pleroma_key_base }}"
pleroma_secret_signing_salt: "{{ secret_pleroma_signing_salt }}"
# DB config
pleroma_db_host: 172.31.47.215
pleroma_db_name: pleroma
pleroma_db_user: pleroma
pleroma_db_pass: "{{ secret_pleroma_9iron_db_pass }}"

@ -1,22 +0,0 @@
# vim:ft=ansible:
apache_remove_default_vhost: yes
apache_packages_state: latest
apache_mods_enabled:
- headers.load
- http2.load
- mpm_worker.load
- proxy.load
- proxy_fcgi.load
- proxy_http.load
- rewrite.load
- ssl.load
apache_mods_disabled:
- mpm_event.load
- mpm_prefork.load
- php7.4.load
apache_global_vhost_settings: |
DirectoryIndex index.php index.html
Protocols h2 http/1.1
<FilesMatch \.php$>
SetHandler "proxy:fcgi://127.0.0.1:9000"
</FilesMatch>

@ -1,75 +0,0 @@
# vim:ft=ansible:
apache_global_vhost_settings: |
DirectoryIndex index.php index.html
Protocols h2 http/1.1
<FilesMatch \.php$>
SetHandler "proxy:fcgi://127.0.0.1:9000"
</FilesMatch>
apache_vhosts:
# desu.ltd
- servername: desu.ltd
extra_parameters: |
Redirect permanent / https://desu.ltd/
- servername: git.desu.ltd
extra_parameters: |
Redirect permanent / https://git.desu.ltd/
- servername: nc.desu.ltd
extra_parameters: |
Redirect permanent / https://nc.desu.ltd/
# 9iron.club
- servername: 9iron.club
extra_parameters: |
Redirect permanent / https://www.9iron.club/
- servername: www.9iron.club
extra_parameters: |
Redirect permanent / https://www.9iron.club/
apache_vhosts_ssl:
# desu.ltd
- servername: desu.ltd
documentroot: /var/www/desu.ltd
certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
- servername: git.desu.ltd
extra_parameters: |
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://127.0.0.1:3000/ nocanon retry=1
certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
- servername: nc.desu.ltd
extra_parameters: |
Header always set Strict-Transport-Security "max-age=31536000"
documentroot: /var/www/nc.desu.ltd
certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
# 9iron.club
- servername: 9iron.club
extra_parameters: |
Redirect permanent / https://www.9iron.club/
certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
- servername: www.9iron.club
extra_parameters: |
<Directory /var/www/www.9iron.club/files>
Options Indexes FollowSymLinks
</Directory>
documentroot: /var/www/www.9iron.club
certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
# otwstudios.org
- servername: otwstudios.org
extra_parameters: |
Redirect permanent / https://www.otwstudios.org/
certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem
- servername: www.otwstudios.org
documentroot: /var/www/www.otwstudios.org
certificate_file: /etc/letsencrypt/live/desu.ltd/fullchain.pem
certificate_key_file: /etc/letsencrypt/live/desu.ltd/privkey.pem
certificate_chain_file: /etc/letsencrypt/live/desu.ltd/chain.pem

@ -1,15 +0,0 @@
# vim:ft=ansible:
certbot_admin_email: rehashedsalt@cock.li
certbot_create_if_missing: yes
certbot_create_method: standalone
certbot_create_standalone_stop_services:
- apache2
certbot_certs:
- domains:
- desu.ltd
- git.desu.ltd
- nc.desu.ltd
- web1.desu.ltd
- 9iron.club
- www.9iron.club
- otwstudios.org

@ -1,19 +0,0 @@
# vim:ft=ansible:
# Look and feel
gitea_app_name: "Git Desu"
# Core config
gitea_db_type: postgres
gitea_db_host: 192.168.164.156:5432
gitea_db_name: gitea-desultd
gitea_db_user: gitea-desultd
gitea_db_password: "{{ secret_gitea_db_pass }}"
gitea_http_domain: git.desu.ltd
gitea_oauth2_enabled: no
gitea_repository_root: /srv/desu.ltd/git
gitea_require_signin: no
gitea_root_url: https://git.desu.ltd
gitea_shell: "/bin/bash"
gitea_ssh_domain: git.desu.ltd
gitea_ssh_port: 22
gitea_start_ssh: no
gitea_user: git

@ -1,20 +0,0 @@
# vim:ft=ansible:
nextcloud_installation_dir: /var/www/nc.desu.ltd
nextcloud_data_dir: /srv/desu.ltd/nc
nextcloud_admin_user: admin
nextcloud_admin_pass: "{{ secret_nextcloud_admin_pass }}"
nextcloud_version: 19
nextcloud_urls:
- http://nc.desu.ltd:80
- https://nc.desu.ltd:443
nextcloud_config:
system:
trusted_domains:
"{{ nextcloud_urls | map('urlsplit', 'hostname') | list }}"
nextcloud_database:
backend: pgsql
name: nextcloud-desultd
user: nextcloud-desultd
pass: "{{ secret_nextcloud_db_pass }}"
host: 192.168.164.156
port: 5432

@ -1,13 +0,0 @@
# vim:ft=ansible:
server_version: 1.0.0
download_checksum: sha256:81d9e1aa94435aeec4131c8869fa6e9331726bea1ea31db750b65ba42dbd1464
service_name: factorio-main
service_root: /opt/factorio/main
factorio_server_settings:
name: "Krabby Land"
description: "Where a kid can have fun"
max_players: 8
visibility:
public: false
lan: false
admins: [ "rehashed_salt" ]

@ -1,34 +0,0 @@
# vim:ft=ansible:
minecraft_name: dammit
minecraft_version: 1.7.10
minecraft_jre_xmx: 4G
minecraft_restart_delay: 30
minecraft_server_properties:
- opt: allow-flight
value: "true"
- opt: difficulty
value: 3
- opt: motd
value: "I can't believe that I actually exist"
- opt: server-port
value: 25567
- opt: view-distance
value: 12
minecraft_forge_install: yes
minecraft_forge_version: 10.13.4.1614
minecraft_forge_versionstring: "{{ minecraft_version }}-{{ minecraft_forge_version }}-{{ minecraft_version }}"
minecraft_forge_jar_name: "forge-{{ minecraft_forge_versionstring }}-universal.jar"
minecraft_forge_packurl: "https://www.9iron.club/files/magic-1.7.10-2.zip"
minecraft_forge_mods:
- "https://media.forgecdn.net/files/2309/699/worldedit-forge-mc1.7.10-6.1.1-dist.jar"
minecraft_forge_mods_remove:
- DynamicSurroundings-1.7.10-1.0.6.2.jar
- favorites-1.2.jar
- FullscreenWindowed-1.7.10-1.3.0b.jar
- MouseTweaks-2.4.4-mc1.7.10.jar
- "Neat 1.0-1.jar"
- OptiFine_1.7.10_HD_U_E7.jar
- SoundFilters-0.8_for_1.7.X.jar
- Stellar+API-0.1.3.8.jar
- Stellar+Sky-0.1.5.7.jar
- World-Tooltips-1.7.10-1.2.3-79.jar

@ -1,23 +0,0 @@
# vim:ft=ansible:
minecraft_enabled: no
minecraft_name: valhelsia
minecraft_version: 1.16.3
minecraft_jre_xmx: 5G
minecraft_server_properties:
- opt: difficulty
value: hard
- opt: motd
value: "Let's get this out onto a tray. Nice, mmkay"
- opt: server-port
value: 25566
- opt: view-distance
value: 10
minecraft_forge_install: yes
minecraft_forge_version: 34.1.42
minecraft_forge_packurl: "https://media.forgecdn.net/files/3110/654/Valhelsia_SERVER-pre5-3.1.0.zip"
minecraft_forge_mods:
- "https://media.forgecdn.net/files/3091/862/ftb-gui-library-1603.1.1.25.jar"
- "https://media.forgecdn.net/files/3105/153/ftb-chunks-1603.2.0.43.jar"
- "https://media.forgecdn.net/files/3113/275/industrial-foregoing-1.16.4-3.2.2-daea863.jar"
minecraft_forge_mods_remove:
- industrial-foregoing-1.16.3-3.1.1-a834e76.jar

@ -1,18 +0,0 @@
# vim:ft=ansible:
minecraft_enabled: no
minecraft_name: vanilla
minecraft_version: 1.16.4
minecraft_jre_xmx: 1G
minecraft_jre_xms: 512M
minecraft_server_properties:
- opt: difficulty
value: normal
- opt: motd
value: "brett's new serber"
- opt: server-port
value: 25565
- opt: spawn-protection
value: 4
- opt: view-distance
value: 12
minecraft_paper_install: yes

@ -1,3 +0,0 @@
# vim:ft=ansible:
netdata_git_version_tag: v1.28.0
netdata_hostname: "{{ inventory_hostname }}"

@ -1,18 +0,0 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
# Defaults for a simple php-fpm setup
php_enable_php_fpm: yes
php_memory_limit: 512M
php_packages_extra:
- libapache2-mod-php
- php-zip # For Nextcloud
- php-intl
- php-imagick
- php-redis
- php-bcmath
- php-gmp
- php-pgsql # For general DB stuff
# Nextcloud recommended opcache settings
php_opcache_max_accelerated_files: 10000
php_opcache_memory_consumption: 128
php_opcache_revalidate_freq: 2

@ -1,185 +0,0 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
# Webservers
---
- hosts: web1.desu.ltd
tasks:
- name: configure nextcloud cronjob
cron: user=www-data name=nextcloud minute=*/5 job="php -f /var/www/nc.desu.ltd/cron.php"
tags: [ nextcloud, cron ]
vars_files:
- vars/apache.yml
- vars/php-fpm.yml
- vars/desultd-apache.yml
- vars/desultd-certbot.yml
- vars/desultd-gitea.yml
- vars/desultd-nextcloud.yml
roles:
- role: backup
vars:
backup_s3backup_list_extra:
- /var/lib/gitea
- /var/www/nc.desu.ltd
- /var/www/www.9iron.club/files
- /srv/desu.ltd
backup_s3backup_exclude_list_extra:
- /var/lib/gitea/log
tags: [ backup ]
- role: motd
vars:
motd_watch_services_extra:
- apache2
- gitea
- php7.4-fpm
tags: [ motd ]
- role: certbot
tags: [ web, certbot ]
- role: php
tags: [ web, php ]
- role: apache
tags: [ web, apache ]
- role: git
vars:
git_repos:
- repo: https://git.desu.ltd/salt/desultd
dest: /var/www/desu.ltd
- repo: https://git.desu.ltd/salt/9iron
dest: /var/www/www.9iron.club
- repo: https://git.desu.ltd/salt/gitea-custom
dest: /usr/local/bin/custom
tags: [ web, git ]
- role: nextcloud
tags: [ web, nextcloud ]
- role: gitea
tags: [ web, gitea ]
- hosts: web1.9iron.club
tasks:
- name: configure nextcloud cronjob
cron: user=www-data name=nextcloud minute=*/5 job="php -f /var/www/nextcloud/cron.php"
tags: [ nextcloud, cron ]
- name: register nextcloud efs
efs:
name: 9iron-gitea
region: us-east-2
targets:
- subnet_id: subnet-852935ed
security_groups: [ "sg-4f4b692c" ]
register: ncefs
tags: [ nextcloud, efs ]
- name: mount nextcloud efs
mount: path=/var/nextcloud src={{ ncefs.efs.filesystem_address }} fstype=nfs4 opts="nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport" state=mounted
tags: [ nextcloud, efs ]
- name: register gitea efs
efs:
name: 9iron-gitea
region: us-east-2
targets:
- subnet_id: subnet-852935ed
security_groups: [ "sg-4f4b692c" ]
register: gitefs
tags: [ gitea, efs ]
- name: mount gitea efs
mount: path=/var/gitea src={{ gitefs.efs.filesystem_address }} fstype=nfs4 opts="nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport" state=mounted
tags: [ gitea, efs ]
vars_files:
- vars/apache.yml
- vars/php-fpm.yml
- vars/9iron-apache.yml
- vars/9iron-certbot.yml
- vars/9iron-gitea.yml
roles:
- role: backup
vars:
backup_s3backup_list_extra:
- /var/gitea
- /var/lib/gitea
- /var/nextcloud
- /var/www/nextcloud
backup_s3backup_exclude_list_extra:
- /var/lib/gitea/log
tags: [ backup ]
- role: motd
vars:
motd_watch_services_extra:
- apache2
- gitea
- php7.4-fpm
tags: [ motd ]
- role: certbot
tags: [ web, certbot ]
- role: php
tags: [ web, php ]
- role: apache
tags: [ web, apache ]
- role: gitea
tags: [ web, gitea ]
- hosts: fedi1.9iron.club
vars_files:
- vars/apache.yml
- vars/9iron-pleroma.yml
- vars/9iron-pleroma-apache.yml
- vars/9iron-pleroma-certbot.yml
roles:
- role: backup
vars:
backup_s3backup_list_extra:
- /opt/pleroma
- /var/lib/pleroma
tags: [ backup ]
- role: motd
vars:
motd_watch_services_extra:
- apache2
- pleroma
tags: [ motd ]
- role: certbot
tags: [ web, certbot ]
- role: apache
tags: [ web, apache ]
- hosts: game1.thefuck.how
vars_files:
- vars/apache.yml
- vars/php-fpm.yml
roles:
- role: certbot
vars:
certbot_admin_email: rehashedsalt@cock.li
certbot_create_if_missing: yes
certbot_create_method: standalone
certbot_create_standalone_stop_services:
- apache2
certbot_certs:
- domains:
- thefuck.how
- game1.thefuck.how
tags: [ web, certbot ]
- role: php
tags: [ web, php ]
- role: apache
vars:
apache_vhosts:
- servername: thefuck.how
extra_parameters: |
Redirect permanent / https://thefuck.how/
- servername: game1.thefuck.how
extra_parameters: |
Redirect permanent / https://thefuck.how/
apache_vhosts_ssl:
- servername: thefuck.how
documentroot: /var/www/thefuck.how
certificate_file: /etc/letsencrypt/live/thefuck.how/fullchain.pem
certificate_key_file: /etc/letsencrypt/live/thefuck.how/privkey.pem
certificate_chain_file: /etc/letsencrypt/live/thefuck.how/chain.pem
- servername: game1.thefuck.how
extra_parameters: |
Redirect permanent / https://thefuck.how/
certificate_file: /etc/letsencrypt/live/thefuck.how/fullchain.pem
certificate_key_file: /etc/letsencrypt/live/thefuck.how/privkey.pem
certificate_chain_file: /etc/letsencrypt/live/thefuck.how/chain.pem
tags: [ web, apache ]
- role: git
vars:
git_repos:
- repo: https://git.desu.ltd/salt/thefuckhow
dest: /var/www/thefuck.how
tags: [ web, git ]
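Review bot: the deleted web1.9iron.club play had a copy-paste defect worth knowing about before its replacement is trusted: `register nextcloud efs` looked up `name: 9iron-gitea`, the same filesystem as `register gitea efs`, so `/var/nextcloud` was being mounted from the Gitea EFS. Nothing to fix in a deletion, but the new webservers.yml in this change has no EFS mount and no `nextcloud` cron task at all, so check that the `nextcloud` role now provides the data directory and the `*/5` cron job, and that the `Strict-Transport-Security` header the old nc vhost set is still emitted by whatever serves TLS now.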

39
playbooks/webservers.yml Normal file
@ -0,0 +1,39 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- hosts: web1.9iron.club
roles:
- role: base-backups
tags: [ backups ]
- role: gitea
tags: [ web, gitea ]
# - role: grafana
# tags: [ web, grafana ]
- role: nextcloud
tags: [ web, nextcloud ]
- role: redirect
vars:
redirect_from: "9iron.club"
redirect_to: "www.9iron.club"
redirect_webroot: "/var/www/redirect"
tags: [ web, redirect, 9i ]
- role: gitweb
vars:
gitweb_repo: "https://git.9iron.club/salt/www2"
gitweb_url: "www.9iron.club"
gitweb_webroot: "/var/www/www"
tags: [ web, webroot, 9i ]
- hosts: web1.9iron.club
roles:
- role: redirect
vars:
redirect_from: "otwstudios.org"
redirect_to: "www.otwstudios.org"
redirect_webroot: "/var/www/redirect"
tags: [ web, redirect, otw ]
- role: gitweb
vars:
gitweb_repo: "https://git.9iron.club/KidiroInfiniti/OTW_Site"
gitweb_url: "www.otwstudios.org"
gitweb_webroot: "/var/www/otwstudios.org"
tags: [ web, webroot, otw ]
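Review bot: the two plays both target web1.9iron.club and can be merged into one role list; as split, a `--limit`/tag run has to hit both to get a consistent host. More importantly, the `certbot`, `php` and `apache` roles from the deleted webservers.yml do not appear here, so unless `gitea`, `nextcloud`, `redirect` and `gitweb` each handle their own web server and certificates, the host ends up with no TLS termination; say in the commit message where that responsibility moved.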

9
provision.yml Executable file
@ -0,0 +1,9 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- hosts: all
roles:
- role: common
tags: [ common ]
- role: ansible-pull
tags: [ ansible, common ]

@ -1,13 +1,15 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- hosts: db,web,game
- hosts: dbservers,webservers,gameservers
serial: 1
tasks:
- name: check for reboot-required
stat: path=/var/run/reboot-required
- name: Check for reboot-required
stat:
path: "/var/run/reboot-required"
register: s
- name: reboot
reboot: reboot_timeout=300
- name: Reboot
reboot:
reboot_timeout: 300
when: s.stat.exists
become: yes

@ -1,3 +0,0 @@
# ansible-pull
This role configures and enables a period `ansible-pull` task through systemd, allowing for machines to ensure proper configuration periodically and of their own volition.
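Review bot: the role's README is deleted rather than updated, even though the same change reworks the role substantially (an `ansible` user, a vault password file at `~/ansiblevaultpass`, templated systemd units and a dependency on the `ansible` role); keep the README and describe those pieces, since this role is what every host relies on to reconfigure itself unattended.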

@ -1,5 +1,5 @@
# vim:ft=ansible:
ansible_pull_boot_delay: 15min
ansible_pull_commit: master
ansible_pull_boot_delay: "15min"
# Use `systemd-analyze calendar` for testing
ansible_pull_time: "*-*-* 01:00:00"
ansible_pull_playbook: site.yml
ansible_pull_playbook: "site.yml"
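Review bot: dropping `ansible_pull_commit` (together with the `-C` flag in the service unit) means every host now follows whatever the remote's default branch points at; keeping the variable, defaulting to `master`, costs nothing and preserves the ability to pin hosts to a branch or tag while a change is tested.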

@ -1,5 +1,10 @@
#!/usr/bin/env ansible-playbook
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: restart ansiblepull timer
systemd: daemon_reload=yes name=ansible-pull.timer enabled=yes state=started
systemd:
daemon_reload: yes
name: ansible-pull.timer
enabled: yes
state: restarted
become: yes

@ -0,0 +1,4 @@
---
allow_duplicates: no
dependencies:
- role: ansible

@ -1,16 +1,36 @@
#!/usr/bin/env ansible-playbook
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
- name: assure vault password file
copy: src=vaultpass dest="~/ansiblevaultpass" mode="0600"
---
- name: Set up ansible-pull
block:
- name: Copy Ansible password file
copy:
src: ansiblevaultpass
dest: ~/ansiblevaultpass
mode: "0600"
become: yes
become_user: ansible
- name: Configure systemd unit
block:
- name: Template out config
template: src=ansible-pull.cfg dest=~/ansible-pull.cfg
become: yes
become_user: ansible
- name: Template out services
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: "{{ item.mode }}"
loop:
- { src: "ansible-pull.service", dest: "/etc/systemd/system/ansible-pull.service", mode: "0644" }
- { src: "ansible-pull.timer", dest: "/etc/systemd/system/ansible-pull.timer", mode: "0644" }
notify: restart ansiblepull timer
- name: Enable timer
systemd:
daemon_reload: yes
name: ansible-pull.timer
enabled: yes
state: started
notify: restart ansiblepull timer
when: ansible_service_mgr == "systemd"
become: yes
become_user: ansible
- name: install ansible
pip: name=ansible,ansible-base,ansible-lint state=latest
when: ansible_os_family != "Gentoo"
- name: configure systemd service
template: src=ansible-pull.service dest=/etc/systemd/system/ansible-pull.service
- name: configure systemd timer
template: src=ansible-pull.timer dest=/etc/systemd/system/ansible-pull.timer
notify: restart ansiblepull timer
- name: enable timer
systemd: daemon_reload=yes name=ansible-pull.timer enabled=yes state=started
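Review bot: if the trailing `become: yes` / `become_user: ansible` applies to the enclosing block (the indentation is lost in this view), then `Template out services` and `Enable timer` inherit it, but writing to `/etc/systemd/system/` and running `daemon_reload` need root, not the `ansible` user; set `become_user` explicitly on those two tasks (or move them out of the block) and leave only `Copy Ansible password file` and `Template out config` running as `ansible`. With the `pip` install task removed here, the role now relies entirely on the new `ansible` role dependency to put `ansible-pull` at `/usr/local/bin`, which the unit file hard-codes.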

@ -0,0 +1,12 @@
[defaults]
gathering = smart
interpreter_python = python3
inventory = ansible-pull-repo/inventory
roles_path = ansible-pull-repo/roles
# Secrets
ask_become_pass = false
ask_vault_pass = false
# Warnings
command_warnings = true
#deprecation_warnings = false
system_warnings = true

@ -3,15 +3,12 @@
Description=Ansible pull service
StartLimitIntervalSec=3600
StartLimitBurst=5
After=network-online.target
Wants=network-online.target
[Service]
User=ansible
Group=ansible
Type=oneshot
Environment=ANSIBLE_CONFIG=~/ansible-pull-repo/ansible-pull.cfg
ExecStart=ansible-pull --accept-host-key -U "{{ ansible_pull_repo }}" -C "{{ ansible_pull_commit }}" -d "~/ansible-pull-repo" --vault-password-file "~/ansiblevaultpass" "{{ ansible_pull_playbook }}"
Environment=ANSIBLE_CONFIG=~/ansible-pull.cfg
ExecStart=/usr/local/bin/ansible-pull --accept-host-key -U "{{ ansible_pull_repo }}" -d "~/ansible-pull-repo" --vault-password-file "~/ansiblevaultpass" "{{ ansible_pull_playbook }}"
Restart=on-failure
RestartSec=90
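Review bot: systemd performs no tilde expansion in `Environment=` or `ExecStart=`, so `~/ansible-pull.cfg`, `~/ansible-pull-repo` and `~/ansiblevaultpass` reach ansible-pull literally and only work if it expands them itself; use the `%h` specifier (`%h/ansible-pull.cfg`, `-d %h/ansible-pull-repo`, `--vault-password-file %h/ansiblevaultpass`) so the paths are correct regardless. The hunk also shrinks from 15 to 12 lines, which suggests the `After=network-online.target` / `Wants=network-online.target` pair is being dropped; keep it, otherwise a boot-time pull can start before the network is up and burn through `StartLimitBurst=5`.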

@ -0,0 +1,135 @@
$ANSIBLE_VAULT;1.1;AES256
38346132336336656365323166303632633661383530626331613739303961386235346139366236
30636464336165353436303966633935323835353439363636386661383461363265323937653565
65383139613365613337623136626133393461663461613566623134396431613733663137373335
31666332393338666235653562356563643033353961386466386562346339653638626261306635
34353132353664373332323335646438646433386430313061643737623566613339653131623836
62633936626436626133303633366336373838336531336139616564623364626534383834313234
37666163623462656434316563363535646236666536396431626132323361343238303834366637
33623565313730386264336638306637623931323861333939376165323139376335326566333633
65316439613430383230323439613538396630306233356339613662333061643732346531656364
65623263336538346561356631386639363939643434343938373264373565613537336465363038
66363963626365633338663234643764316530353566376633313732336533333063613232333538
66396236313866343038656366633738666463356432613230636361316436666432373636363034
63353231346533303361363834333231633131613165366134353763363766613033656333626438
30333731383264323732313261336263326562316530663962313739383836326536363030333564
39333436396136623161373032643438633431303761333962623832333832366463626533653832
64323333306336616363613865393561656636633735616333333736633463396330353665626561
38316134626163376466643537336335313131353461316362383865363437643263636339383831
65383762663265636663396135386630326333393237356564616237393431633537633762616134
34353264346539663038663866386538306662316233353130663332643533623436393937366266
65303330633966613038393430303536363730643463663733653237343937336136353233303037
65613537656335356533666136366363323535636635323330623664626564656537356363633763
31313437363766663338313633663866663563393039363232656638363961336631303464306536
36396136346663323038386634343461336666636438323866356339623763656436643833393963
66396662366632653831393238396535623939306434396537643930393261336161396239383330
62336237396639663837623561383964346633353935366266373030633864393433623734613233
35653138303866656465363465313733616363633334663062363436376139633231626564376166
34643864333865633832616539333063396264376566666539633936646338623763353032353635
34633465613135376234303538636432346336383431343237323661393564306438333830393737
38356333363961643735356265613762396663323264336565623762356163626130623366623861
31626135613865613866666565663063656632653339333866396537343131636366393131346438
66626434656235376265386135333165366162346536623466303437313131336165346238383934
35353064663536373162613836383663396661633930616431653764353339613835393762396332
32363965653235646130323761316437376631383464306661623963306362343631666538653864
30613233336339373739363733346466313764383165643466316239613264393332626133363437
36666431613263393730393264326235353239633035653736626233343630623736646230653064
35393932396361623239326435356563623033316561373236613136333938363265376561386430
36393730353465376663343361306234346564623837363565373733373936623534353639623538
62316264613734326638636538653861663637623462306138636532653036343061396363363631
61316638653133636561363333363638396439643835363033336666346461356637336233386234
32336664376631336662613239353461633566633565623137643536343137373534663031626333
64613335656330666465366638373863306439636166346430363033313435626337373764313938
35306465656264643463653930303830333262616233333532616138383335626663636365626464
65613461633737646235343230346331313435386530383838613930633037356537623039333936
61353332386231623237613731363731383738383934613932613031633235663935386536323733
31393263353339633462326639306264356562393166366263626537313432366639376531386263
31643061303032303363653631323131656436663563363333646162643331376438343437663034
6332323532343937323062386135393566323732356533336162

View File

@ -0,0 +1,4 @@
---
allow_duplicates: no
dependencies:
- role: awscreds

View File

@ -0,0 +1,51 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Set up Ansible
block:
- name: Install Ansible-required packages via apt
apt:
name:
- python3-pip
- python3-boto
- python3-boto3
- python3-botocore
- python3-setuptools
become: true
when: ansible_os_family == "Debian"
- name: Install Ansible-required packages via apk
apk:
name:
- gcc
- musl-dev
- py3-boto
- py3-boto3
- py3-botocore
- py3-cryptography
- py3-pip
- py3-setuptools
when: ansible_distribution == "Alpine"
- name: Install Ansible-required packages via pip
pip:
name: "{{ packages }}"
state: latest
vars:
packages:
- ansible
- ansible-base
- ansible-lint
- name: Assure root .ssh directory
file:
path: ~/.ssh
state: directory
mode: "0600"
- name: Copy Ansible private key
copy:
src: ansiblekey
dest: ~/.ssh/ansible
mode: "0600"
- name: Clone Ansible repo
git:
dest: /etc/ansible
repo: "{{ ansible_pull_repo }}"
become: true
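Review bot: `mode: "0600"` on the `~/.ssh` directory (the "Assure root .ssh directory" task) drops the execute bit, so the owner cannot traverse the directory and `ssh` will not be able to read `~/.ssh/ansible`; a directory needs `"0700"` (the `0600` on the key file itself is correct). Because the whole block runs with `become: true`, `~` resolves to root's home, so `ansiblekey` becomes one shared private key distributed to every host as root; the source should be vault-encrypted and the key scoped to what pulling the repo requires. The pip task installs `ansible`, `ansible-base` and `ansible-lint` with `state: latest` and no version pins, so each run may pull a different release from PyPI; pin the versions so the controller build is reproducible.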

View File

@ -0,0 +1,30 @@
# The MariaDB configuration file
#
# The MariaDB/MySQL tools read configuration files in the following order:
# 1. "/etc/mysql/mariadb.cnf" (this file) to set global defaults,
# 2. "/etc/mysql/conf.d/*.cnf" to set global options.
# 3. "/etc/mysql/mariadb.conf.d/*.cnf" to set MariaDB-only options.
# 4. "~/.my.cnf" to set user-specific options.
#
# If the same option is defined multiple times, the last one will apply.
#
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
[mysqld]
max_allowed_packet=100M
skip-networking
innodb_file_format = Barracuda
innodb_large_prefix = 1
innodb_file_per_table = ON
#
# This group is read both both by the client and the server
# use it for options that affect everything
#
[client-server]
# Import all .cnf files from configuration directory
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/
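Review bot: `innodb_file_format = Barracuda` and `innodb_large_prefix = 1` in the `[mysqld]` section were deprecated in MariaDB 10.2 and removed in 10.3, where an unknown variable makes `mysqld` refuse to start; on a 10.3 or newer server (Debian Buster onwards) drop both lines, since Barracuda and large prefixes are the defaults there anyway. `skip-networking` is the right choice for a database only reached over the local socket. Minor: "read both both" in the `[client-server]` comment.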

File diff suppressed because it is too large

File diff suppressed because it is too large

View File

@ -0,0 +1,8 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: restart apache
service:
name: apache2
state: restarted
become: yes

View File

@ -0,0 +1,2 @@
---
allow_duplicates: no

View File

@ -0,0 +1,76 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Install, configure, and start Apache and PHP
block:
- name: Install Apache and PHP packages
apt:
name: "{{ packages }}"
vars:
packages:
- apache2
- libapache2-mod-php
- php
- php-gd
- php-json
- php-mysql
- php-curl
- php-mbstring
- php-intl
- php-xml
- php-zip
- php-cgi
- php-cli
- python3-passlib # For htpasswd support
- name: Find PHP config directory
find:
paths: /etc/php
patterns: '*'
file_type: directory
register: phpdirs
- name: Debug
debug:
var: phpdirs.files.0.path
- name: Copy configuration
copy:
src: "{{ item.src }}"
dest: "{{ phpdirs.files.0.path }}/{{ item.dest }}"
mode: "{{ item.mode }}"
loop:
- { src: "php-apache2.ini", dest: "apache2/php.ini", mode: "0644" }
- { src: "php-cgi.ini", dest: "cgi/php.ini", mode: "0644" }
- name: Create includes directory
file: path=/etc/apache2/includes state=directory
- name: Disable default website
file:
# This is a symlink so who cares
path: "/etc/apache2/sites-enabled/000-default.conf"
state: absent
- name: Configure modules
block:
- name: Disable modules
command:
argv:
- "/usr/sbin/a2dismod"
- "{{ item }}"
removes: "/etc/apache2/mods-enabled/{{ item }}.load"
loop:
- mpm_event
notify: restart apache
- name: Enable modules
command:
argv:
- "/usr/sbin/a2enmod"
- "{{ item }}"
creates: "/etc/apache2/mods-enabled/{{ item }}.load"
loop:
- headers
- mpm_prefork
# Fun fact: this works
- php*
- proxy
- proxy_http
- rewrite
- ssl
notify: restart apache
become: yes
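Review bot: `phpdirs.files.0.path` depends on the order in which `find` returns the `/etc/php/*` directories, which is not defined; on a host with two PHP versions installed the `php.ini` copies can land under the wrong version's `apache2/` and `cgi/` directories, and on a host with none the task errors on the missing index. Select the directory explicitly, or fail early unless `phpdirs.files | length == 1`, and drop the leftover `Debug` task. Separately, the role enables `ssl` and `headers` but, unlike the `geerlingguy.apache` role this commit removes (whose template rendered `SSLProtocol`, `SSLCipherSuite` and `SSLHonorCipherOrder` into every SSL vhost), it sets no TLS policy of its own, so whatever lands in `/etc/apache2/includes` has to carry one or Debian's stock `ssl.conf` defaults apply. Style: `file: path=/etc/apache2/includes state=directory` mixes the key=value form with the YAML-dict form used everywhere else in the file.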

View File

@ -1,3 +0,0 @@
*.retry
*/__pycache__
*.pyc

View File

@ -1,33 +0,0 @@
---
language: python
services: docker
env:
global:
- ROLE_NAME: apache
matrix:
- MOLECULE_DISTRO: ubi8
- MOLECULE_DISTRO: centos7
- MOLECULE_DISTRO: centos6
- MOLECULE_DISTRO: ubuntu1804
- MOLECULE_DISTRO: ubuntu1604
- MOLECULE_DISTRO: ubuntu1404
- MOLECULE_DISTRO: debian10
- MOLECULE_DISTRO: debian9
install:
# Install test dependencies.
- pip install molecule docker
before_script:
# Use actual Ansible Galaxy role name for the project directory.
- cd ../
- mv ansible-role-$ROLE_NAME geerlingguy.$ROLE_NAME
- cd geerlingguy.$ROLE_NAME
script:
# Run tests.
- molecule test
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

View File

@ -1,20 +0,0 @@
The MIT License (MIT)
Copyright (c) 2017 Jeff Geerling
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

View File

@ -1,156 +0,0 @@
# Ansible Role: Apache 2.x
[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-apache.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-apache)
An Ansible Role that installs Apache 2.x on RHEL/CentOS, Debian/Ubuntu, SLES and Solaris.
## Requirements
If you are using SSL/TLS, you will need to provide your own certificate and key files. You can generate a self-signed certificate with a command like `openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout example.key -out example.crt`.
If you are using Apache with PHP, I recommend using the `geerlingguy.php` role to install PHP, and you can either use mod_php (by adding the proper package, e.g. `libapache2-mod-php5` for Ubuntu, to `php_packages`), or by also using `geerlingguy.apache-php-fpm` to connect Apache to PHP via FPM. See that role's README for more info.
## Role Variables
Available variables are listed below, along with default values (see `defaults/main.yml`):
apache_enablerepo: ""
The repository to use when installing Apache (only used on RHEL/CentOS systems). If you'd like later versions of Apache than are available in the OS's core repositories, use a repository like EPEL (which can be installed with the `geerlingguy.repo-epel` role).
apache_listen_ip: "*"
apache_listen_port: 80
apache_listen_port_ssl: 443
The IP address and ports on which apache should be listening. Useful if you have another service (like a reverse proxy) listening on port 80 or 443 and need to change the defaults.
apache_create_vhosts: true
apache_vhosts_filename: "vhosts.conf"
apache_vhosts_template: "vhosts.conf.j2"
If set to true, a vhosts file, managed by this role's variables (see below), will be created and placed in the Apache configuration folder. If set to false, you can place your own vhosts file into Apache's configuration folder and skip the convenient (but more basic) one added by this role. You can also override the template used and set a path to your own template, if you need to further customize the layout of your VirtualHosts.
apache_remove_default_vhost: false
On Debian/Ubuntu, a default virtualhost is included in Apache's configuration. Set this to `true` to remove that default virtualhost configuration file.
apache_global_vhost_settings: |
DirectoryIndex index.php index.html
# Add other global settings on subsequent lines.
You can add or override global Apache configuration settings in the role-provided vhosts file (assuming `apache_create_vhosts` is true) using this variable. By default it only sets the DirectoryIndex configuration.
apache_vhosts:
# Additional optional properties: 'serveradmin, serveralias, extra_parameters'.
- servername: "local.dev"
documentroot: "/var/www/html"
Add a set of properties per virtualhost, including `servername` (required), `documentroot` (required), `allow_override` (optional: defaults to the value of `apache_allow_override`), `options` (optional: defaults to the value of `apache_options`), `serveradmin` (optional), `serveralias` (optional) and `extra_parameters` (optional: you can add whatever additional configuration lines you'd like in here).
Here's an example using `extra_parameters` to add a RewriteRule to redirect all requests to the `www.` site:
- servername: "www.local.dev"
serveralias: "local.dev"
documentroot: "/var/www/html"
extra_parameters: |
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
The `|` denotes a multiline scalar block in YAML, so newlines are preserved in the resulting configuration file output.
apache_vhosts_ssl: []
No SSL vhosts are configured by default, but you can add them using the same pattern as `apache_vhosts`, with a few additional directives, like the following example:
apache_vhosts_ssl:
- servername: "local.dev"
documentroot: "/var/www/html"
certificate_file: "/home/vagrant/example.crt"
certificate_key_file: "/home/vagrant/example.key"
certificate_chain_file: "/path/to/certificate_chain.crt"
extra_parameters: |
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Other SSL directives can be managed with other SSL-related role variables.
apache_ssl_protocol: "All -SSLv2 -SSLv3"
apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
The SSL protocols and cipher suites that are used/allowed when clients make secure connections to your server. These are secure/sane defaults, but for maximum security, performand, and/or compatibility, you may need to adjust these settings.
apache_allow_override: "All"
apache_options: "-Indexes +FollowSymLinks"
The default values for the `AllowOverride` and `Options` directives for the `documentroot` directory of each vhost. A vhost can overwrite these values by specifying `allow_override` or `options`.
apache_mods_enabled:
- rewrite.load
- ssl.load
apache_mods_disabled: []
(Debian/Ubuntu ONLY) Which Apache mods to enable or disable (these will be symlinked into the appropriate location). See the `mods-available` directory inside the apache configuration directory (`/etc/apache2/mods-available` by default) for all the available mods.
apache_packages:
- [platform-specific]
The list of packages to be installed. This defaults to a set of platform-specific packages for RedHat or Debian-based systems (see `vars/RedHat.yml` and `vars/Debian.yml` for the default values).
apache_state: started
Set initial Apache daemon state to be enforced when this role is run. This should generally remain `started`, but you can set it to `stopped` if you need to fix the Apache config during a playbook run or otherwise would not like Apache started at the time this role is run.
apache_packages_state: present
If you have enabled any additional repositories such as _ondrej/apache2_, [geerlingguy.repo-epel](https://github.com/geerlingguy/ansible-role-repo-epel), or [geerlingguy.repo-remi](https://github.com/geerlingguy/ansible-role-repo-remi), you may want an easy way to upgrade versions. You can set this to `latest` (combined with `apache_enablerepo` on RHEL) and can directly upgrade to a different Apache version from a different repo (instead of uninstalling and reinstalling Apache).
apache_ignore_missing_ssl_certificate: true
If you would like to only create SSL vhosts when the vhost certificate is present (e.g. when using Lets Encrypt), set `apache_ignore_missing_ssl_certificate` to `false`. When doing this, you might need to run your playbook more than once so all the vhosts are configured (if another part of the playbook generates the SSL certificates).
## .htaccess-based Basic Authorization
If you require Basic Auth support, you can add it either through a custom template, or by adding `extra_parameters` to a VirtualHost configuration, like so:
extra_parameters: |
<Directory "/var/www/password-protected-directory">
Require valid-user
AuthType Basic
AuthName "Please authenticate"
AuthUserFile /var/www/password-protected-directory/.htpasswd
</Directory>
To password protect everything within a VirtualHost directive, use the `Location` block instead of `Directory`:
<Location "/">
Require valid-user
....
</Location>
You would need to generate/upload your own `.htpasswd` file in your own playbook. There may be other roles that support this functionality in a more integrated way.
## Dependencies
None.
## Example Playbook
- hosts: webservers
vars_files:
- vars/main.yml
roles:
- { role: geerlingguy.apache }
*Inside `vars/main.yml`*:
apache_listen_port: 8080
apache_vhosts:
- {servername: "example.com", documentroot: "/var/www/vhosts/example_com"}
## License
MIT / BSD
## Author Information
This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).

View File

@ -1,58 +0,0 @@
---
apache_enablerepo: ""
apache_listen_ip: "*"
apache_listen_port: 80
apache_listen_port_ssl: 443
apache_create_vhosts: true
apache_vhosts_filename: "vhosts.conf"
apache_vhosts_template: "vhosts.conf.j2"
# On Debian/Ubuntu, a default virtualhost is included in Apache's configuration.
# Set this to `true` to remove that default.
apache_remove_default_vhost: false
apache_global_vhost_settings: |
DirectoryIndex index.php index.html
apache_vhosts:
# Additional properties:
# 'serveradmin, serveralias, allow_override, options, extra_parameters'.
- servername: "local.dev"
documentroot: "/var/www/html"
apache_allow_override: "All"
apache_options: "-Indexes +FollowSymLinks"
apache_vhosts_ssl: []
# Additional properties:
# 'serveradmin, serveralias, allow_override, options, extra_parameters'.
# - servername: "local.dev",
# documentroot: "/var/www/html",
# certificate_file: "/path/to/certificate.crt",
# certificate_key_file: "/path/to/certificate.key",
# # Optional.
# certificate_chain_file: "/path/to/certificate_chain.crt"
apache_ignore_missing_ssl_certificate: true
apache_ssl_protocol: "All -SSLv2 -SSLv3"
apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
# Only used on Debian/Ubuntu.
apache_mods_enabled:
- rewrite.load
- ssl.load
apache_mods_disabled: []
# Set initial apache state. Recommended values: `started` or `stopped`
apache_state: started
# Set apache state when configuration changes are made. Recommended values:
# `restarted` or `reloaded`
apache_restart_state: restarted
# Apache package state; use `present` to make sure it's installed, or `latest`
# if you want to upgrade or switch versions using a new repo.
apache_packages_state: present

View File

@ -1,5 +0,0 @@
---
- name: restart apache
service:
name: "{{ apache_service }}"
state: "{{ apache_restart_state }}"

View File

@ -1,2 +0,0 @@
install_date: Thu Oct 29 02:41:52 2020
version: 3.1.0

View File

@ -1,38 +0,0 @@
---
dependencies: []
galaxy_info:
author: geerlingguy
description: Apache 2.x for Linux.
company: "Midwestern Mac, LLC"
license: "license (BSD, MIT)"
min_ansible_version: 2.4
platforms:
- name: EL
versions:
- all
- name: Fedora
versions:
- all
- name: Amazon
versions:
- all
- name: Debian
versions:
- all
- name: Ubuntu
versions:
- trusty
- xenial
- bionic
- name: Solaris
versions:
- 11.3
galaxy_tags:
- web
- apache
- webserver
- html
- httpd
allow_duplicates: true

View File

@ -1,29 +0,0 @@
---
dependency:
name: galaxy
driver:
name: docker
lint:
name: yamllint
options:
config-file: molecule/default/yaml-lint.yml
platforms:
- name: instance
image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-""}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
provisioner:
name: ansible
lint:
name: ansible-lint
playbooks:
converge: ${MOLECULE_PLAYBOOK:-playbook.yml}
scenario:
name: default
verifier:
name: testinfra
lint:
name: flake8

View File

@ -1,21 +0,0 @@
---
- name: Converge
hosts: all
become: true
vars:
apache_listen_port_ssl: 443
apache_create_vhosts: true
apache_vhosts_filename: "vhosts.conf"
apache_vhosts:
- servername: "example.com"
documentroot: "/var/www/vhosts/example_com"
pre_tasks:
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=600
when: ansible_os_family == 'Debian'
changed_when: false
roles:
- role: geerlingguy.apache

View File

@ -1,6 +0,0 @@
---
extends: default
rules:
line-length:
max: 120
level: warning

View File

@ -1,54 +0,0 @@
---
- name: Configure Apache.
lineinfile:
dest: "{{ apache_server_root }}/ports.conf"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
with_items: "{{ apache_ports_configuration_items }}"
notify: restart apache
- name: Enable Apache mods.
file:
src: "{{ apache_server_root }}/mods-available/{{ item }}"
dest: "{{ apache_server_root }}/mods-enabled/{{ item }}"
state: link
with_items: "{{ apache_mods_enabled }}"
notify: restart apache
- name: Disable Apache mods.
file:
path: "{{ apache_server_root }}/mods-enabled/{{ item }}"
state: absent
with_items: "{{ apache_mods_disabled }}"
notify: restart apache
- name: Check whether certificates defined in vhosts exist.
stat: "path={{ item.certificate_file }}"
register: apache_ssl_certificates
with_items: "{{ apache_vhosts_ssl }}"
- name: Add apache vhosts configuration.
template:
src: "{{ apache_vhosts_template }}"
dest: "{{ apache_conf_path }}/sites-available/{{ apache_vhosts_filename }}"
owner: root
group: root
mode: 0644
notify: restart apache
when: apache_create_vhosts | bool
- name: Add vhost symlink in sites-enabled.
file:
src: "{{ apache_conf_path }}/sites-available/{{ apache_vhosts_filename }}"
dest: "{{ apache_conf_path }}/sites-enabled/{{ apache_vhosts_filename }}"
state: link
notify: restart apache
when: apache_create_vhosts | bool
- name: Remove default vhost in sites-enabled.
file:
path: "{{ apache_conf_path }}/sites-enabled/{{ apache_default_vhost_filename }}"
state: absent
notify: restart apache
when: apache_remove_default_vhost

View File

@ -1,36 +0,0 @@
---
- name: Configure Apache.
lineinfile:
dest: "{{ apache_server_root }}/conf/{{ apache_daemon }}.conf"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
with_items: "{{ apache_ports_configuration_items }}"
notify: restart apache
- name: Check whether certificates defined in vhosts exist.
stat: path={{ item.certificate_file }}
register: apache_ssl_certificates
with_items: "{{ apache_vhosts_ssl }}"
- name: Add apache vhosts configuration.
template:
src: "{{ apache_vhosts_template }}"
dest: "{{ apache_conf_path }}/{{ apache_vhosts_filename }}"
owner: root
group: root
mode: 0644
notify: restart apache
when: apache_create_vhosts | bool
- name: Check if localhost cert exists (RHEL 8 and later).
stat:
path: /etc/pki/tls/certs/localhost.crt
register: localhost_cert
when: ansible_distribution_major_version | int >= 8
- name: Ensure httpd certs are installed (RHEL 8 and later).
command: /usr/libexec/httpd-ssl-gencerts
when:
- ansible_distribution_major_version | int >= 8
- not localhost_cert.stat.exists

View File

@ -1,19 +0,0 @@
---
- name: Configure Apache.
lineinfile:
dest: "{{ apache_server_root }}/{{ apache_daemon }}.conf"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
with_items: "{{ apache_ports_configuration_items }}"
notify: restart apache
- name: Add apache vhosts configuration.
template:
src: "{{ apache_vhosts_template }}"
dest: "{{ apache_conf_path }}/{{ apache_vhosts_filename }}"
owner: root
group: root
mode: 0644
notify: restart apache
when: apache_create_vhosts | bool

View File

@ -1,24 +0,0 @@
---
- name: Configure Apache.
lineinfile:
dest: "{{ apache_server_root }}/listen.conf"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
with_items: "{{ apache_ports_configuration_items }}"
notify: restart apache
- name: Check whether certificates defined in vhosts exist.
stat: path={{ item.certificate_file }}
register: apache_ssl_certificates
with_items: "{{ apache_vhosts_ssl }}"
- name: Add apache vhosts configuration.
template:
src: "{{ apache_vhosts_template }}"
dest: "{{ apache_conf_path }}/{{ apache_vhosts_filename }}"
owner: root
group: root
mode: 0644
notify: restart apache
when: apache_create_vhosts | bool

View File

@ -1,47 +0,0 @@
---
# Include variables and define needed variables.
- name: Include OS-specific variables.
include_vars: "{{ ansible_os_family }}.yml"
- name: Include variables for Amazon Linux.
include_vars: "AmazonLinux.yml"
when:
- ansible_distribution == "Amazon"
- ansible_distribution_major_version == "NA"
- name: Define apache_packages.
set_fact:
apache_packages: "{{ __apache_packages | list }}"
when: apache_packages is not defined
# Setup/install tasks.
- include_tasks: "setup-{{ ansible_os_family }}.yml"
# Figure out what version of Apache is installed.
- name: Get installed version of Apache.
command: "{{ apache_daemon_path }}{{ apache_daemon }} -v"
changed_when: false
check_mode: false
register: _apache_version
- name: Create apache_version variable.
set_fact:
apache_version: "{{ _apache_version.stdout.split()[2].split('/')[1] }}"
- name: Include Apache 2.2 variables.
include_vars: apache-22.yml
when: "apache_version.split('.')[1] == '2'"
- name: Include Apache 2.4 variables.
include_vars: apache-24.yml
when: "apache_version.split('.')[1] == '4'"
# Configure Apache.
- name: Configure Apache.
include_tasks: "configure-{{ ansible_os_family }}.yml"
- name: Ensure Apache has selected state and enabled on boot.
service:
name: "{{ apache_service }}"
state: "{{ apache_state }}"
enabled: true

View File

@ -1,6 +0,0 @@
---
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=3600
- name: Ensure Apache is installed on Debian.
apt: "name={{ apache_packages }} state={{ apache_packages_state }}"

View File

@ -1,6 +0,0 @@
---
- name: Ensure Apache is installed on RHEL.
package:
name: "{{ apache_packages }}"
state: "{{ apache_packages_state }}"
enablerepo: "{{ apache_enablerepo | default(omit, true) }}"

View File

@ -1,5 +0,0 @@
---
- name: Ensure Apache is installed on Solaris.
pkg5:
name: "{{ apache_packages }}"
state: "{{ apache_packages_state }}"

View File

@ -1,5 +0,0 @@
---
- name: Ensure Apache is installed on Suse.
zypper:
name: "{{ apache_packages }}"
state: "{{ apache_packages_state }}"

View File

@ -1,82 +0,0 @@
{{ apache_global_vhost_settings }}
{# Set up VirtualHosts #}
{% for vhost in apache_vhosts %}
<VirtualHost {{ apache_listen_ip }}:{{ apache_listen_port }}>
ServerName {{ vhost.servername }}
{% if vhost.serveralias is defined %}
ServerAlias {{ vhost.serveralias }}
{% endif %}
{% if vhost.documentroot is defined %}
DocumentRoot "{{ vhost.documentroot }}"
{% endif %}
{% if vhost.serveradmin is defined %}
ServerAdmin {{ vhost.serveradmin }}
{% endif %}
{% if vhost.documentroot is defined %}
<Directory "{{ vhost.documentroot }}">
AllowOverride {{ vhost.allow_override | default(apache_allow_override) }}
Options {{ vhost.options | default(apache_options) }}
{% if apache_vhosts_version == "2.2" %}
Order allow,deny
Allow from all
{% else %}
Require all granted
{% endif %}
</Directory>
{% endif %}
{% if vhost.extra_parameters is defined %}
{{ vhost.extra_parameters }}
{% endif %}
</VirtualHost>
{% endfor %}
{# Set up SSL VirtualHosts #}
{% for vhost in apache_vhosts_ssl %}
{% if apache_ignore_missing_ssl_certificate or apache_ssl_certificates.results[loop.index0].stat.exists %}
<VirtualHost {{ apache_listen_ip }}:{{ apache_listen_port_ssl }}>
ServerName {{ vhost.servername }}
{% if vhost.serveralias is defined %}
ServerAlias {{ vhost.serveralias }}
{% endif %}
{% if vhost.documentroot is defined %}
DocumentRoot "{{ vhost.documentroot }}"
{% endif %}
SSLEngine on
SSLCipherSuite {{ apache_ssl_cipher_suite }}
SSLProtocol {{ apache_ssl_protocol }}
SSLHonorCipherOrder On
{% if apache_vhosts_version == "2.4" %}
SSLCompression off
{% endif %}
SSLCertificateFile {{ vhost.certificate_file }}
SSLCertificateKeyFile {{ vhost.certificate_key_file }}
{% if vhost.certificate_chain_file is defined %}
SSLCertificateChainFile {{ vhost.certificate_chain_file }}
{% endif %}
{% if vhost.serveradmin is defined %}
ServerAdmin {{ vhost.serveradmin }}
{% endif %}
{% if vhost.documentroot is defined %}
<Directory "{{ vhost.documentroot }}">
AllowOverride {{ vhost.allow_override | default(apache_allow_override) }}
Options {{ vhost.options | default(apache_options) }}
{% if apache_vhosts_version == "2.2" %}
Order allow,deny
Allow from all
{% else %}
Require all granted
{% endif %}
</Directory>
{% endif %}
{% if vhost.extra_parameters is defined %}
{{ vhost.extra_parameters }}
{% endif %}
</VirtualHost>
{% endif %}
{% endfor %}

View File

@ -1,18 +0,0 @@
---
apache_service: httpd
apache_daemon: httpd
apache_daemon_path: /usr/sbin/
apache_server_root: /etc/httpd
apache_conf_path: /etc/httpd/conf.d
apache_vhosts_version: "2.4"
__apache_packages:
- httpd24
- httpd24-devel
- mod24_ssl
- openssh
apache_ports_configuration_items:
- regexp: "^Listen "
line: "Listen {{ apache_listen_port }}"

View File

@ -1,14 +0,0 @@
---
apache_service: apache2
apache_daemon: apache2
apache_daemon_path: /usr/sbin/
apache_server_root: /etc/apache2
apache_conf_path: /etc/apache2
__apache_packages:
- apache2
- apache2-utils
apache_ports_configuration_items:
- regexp: "^Listen "
line: "Listen {{ apache_listen_port }}"

View File

@ -1,20 +0,0 @@
---
apache_service: httpd
apache_daemon: httpd
apache_daemon_path: /usr/sbin/
apache_server_root: /etc/httpd
apache_conf_path: /etc/httpd/conf.d
apache_vhosts_version: "2.2"
__apache_packages:
- httpd
- httpd-devel
- mod_ssl
- openssh
apache_ports_configuration_items:
- regexp: "^Listen "
line: "Listen {{ apache_listen_port }}"
- regexp: "^#?NameVirtualHost "
line: "NameVirtualHost {{ apache_listen_ip }}:{{ apache_listen_port }}"

View File

@ -1,19 +0,0 @@
---
apache_service: apache24
apache_daemon: httpd
apache_daemon_path: /usr/apache2/2.4/bin/
apache_server_root: /etc/apache2/2.4/
apache_conf_path: /etc/apache2/2.4/conf.d
apache_vhosts_version: "2.2"
__apache_packages:
- web/server/apache-24
- web/server/apache-24/module/apache-ssl
- web/server/apache-24/module/apache-security
apache_ports_configuration_items:
- regexp: "^Listen "
line: "Listen {{ apache_listen_port }}"
- regexp: "^#?NameVirtualHost "
line: "NameVirtualHost {{ apache_listen_ip }}:{{ apache_listen_port }}"

View File

@ -1,18 +0,0 @@
---
apache_service: apache2
apache_daemon: httpd2
apache_daemon_path: /usr/sbin/
apache_server_root: /etc/apache2
apache_conf_path: /etc/apache2/conf.d
apache_vhosts_version: "2.2"
__apache_packages:
- apache2
- openssh
apache_ports_configuration_items:
- regexp: "^Listen "
line: "Listen {{ apache_listen_port }}"
- regexp: "^#?NameVirtualHost "
line: "NameVirtualHost {{ apache_listen_ip }}:{{ apache_listen_port }}"

View File

@ -1,12 +0,0 @@
---
apache_vhosts_version: "2.2"
apache_default_vhost_filename: 000-default
apache_ports_configuration_items:
- {
regexp: "^Listen ",
line: "Listen {{ apache_listen_port }}"
}
- {
regexp: "^#?NameVirtualHost ",
line: "NameVirtualHost {{ apache_listen_ip }}:{{ apache_listen_port }}"
}

View File

@ -1,8 +0,0 @@
---
apache_vhosts_version: "2.4"
apache_default_vhost_filename: 000-default.conf
apache_ports_configuration_items:
- {
regexp: "^Listen ",
line: "Listen {{ apache_listen_port }}"
}

View File

@ -0,0 +1,11 @@
$ANSIBLE_VAULT;1.1;AES256
38616333383866663466353035306234356565643564383866633038636531616239393365636436
6538393064666337616565616636363331333062643235340a613061356630656333626664343038
39326661306439343666623339323430333662363864366364363664323833393039303938323035
3061396662656435660a366361363138386332633234633832613630643364316130643665343737
37303434633839323363376562303966363466323638616265303865343936396465616434666163
61666663373333643034363663323465326130393331636463666534343837646466653265343162
39343066323764646361323833303334643730633938633436343330626230303462666166356530
63623861383436636137623733633839333564363334323034313537616633666436333133396639
63666237366535386436343839653939373533656164333865613631386131343565363734333935
3861623666613138353061646564393465356532316631616231
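Review bot: the header `$ANSIBLE_VAULT;1.1;AES256` carries no vault-id label, so this file can only be decrypted with the single default vault password; if the repo is going to hold more than one class of secret (the backups role now pulls in an `awscreds` role that copies a credentials file), encrypting with `ansible-vault encrypt --encrypt-vault-id <label>` produces a 1.2 header that records which password it needs. Also confirm the vault password file itself is git-ignored and not committed alongside this blob.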

View File

@ -0,0 +1,2 @@
---
allow_duplicates: no

View File

@ -0,0 +1,15 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: Set up AWS credentials for root
block:
- name: Create .aws directory
file:
path: ~/.aws
state: directory
- name: Copy AWS credentials
copy:
src: awscredentials
dest: ~/.aws/credentials
mode: "0600"
become: true
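Review bot: the `Create .aws directory` task sets no `mode`, so `~/.aws` is created with the become user's umask (typically 0755) while the credentials file inside it is 0600; add `mode: "0700"` and explicit `owner: root` / `group: root` on both tasks so the directory does not advertise the file. Because `become: true` is on the block, `~` resolves to root's home; writing `/root/.aws` explicitly makes that intent visible and survives a later change to `become_user`. The `#!/usr/bin/ansible-playbook` shebang does not belong on a role tasks file, which is not a runnable playbook.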

View File

@ -1,28 +0,0 @@
# Which backup script to use. Configuration is somewhat unique to each script
backup_script: s3backup
# When to kick off backups using the systemd timer
backup_time: "*-*-* 02:00:00"
# What format should the datestamps in the filenames of any backups be in?
# Defaults to YYYY-MM-DD-hhmm
# So January 5th, 2021 at 3:41PM would be 2021-01-05-1541
backup_dateformat: "%Y-%m-%d-%H%M"
# S3 configuration for scripts that use it
# Which bucket to upload the backup to
backup_s3_bucket: replaceme
# Credentials for the bucket
backup_s3_aws_access_key_id: REPLACEME
backup_s3_aws_secret_access_key: REPLACEME
# List of files/directories to back up
# Note that tar is NOT instructed to recurse through symlinks
# If you want it to do that, end the path with a slash!
backup_s3backup_list: []
backup_s3backup_list_extra: []
# List of files/directories to --exclude
backup_s3backup_exclude_list: []
backup_s3backup_exclude_list_extra: []
# Arguments to pass to tar
# Note that passing f here is probably a bad idea
backup_s3backup_tar_args: cz
backup_s3backup_tar_args_extra: ""

View File

@ -1,6 +0,0 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- name: restart backup timer
systemd: name=backup.timer state=restarted daemon_reload=yes
become: yes

View File

@ -1,12 +0,0 @@
#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
---
- name: template out backup script
template: src={{ backup_script }}.sh dest=/opt/backup.sh mode=0700 owner=root group=root
- name: configure systemd service
template: src=backup.service dest=/etc/systemd/system/backup.service
- name: configure systemd timer
template: src=backup.timer dest=/etc/systemd/system/backup.timer
notify: restart backup timer
- name: enable timer
systemd: name=backup.timer state=started enabled=yes daemon_reload=yes

View File

@ -1,13 +0,0 @@
# vim:ft=systemd
[Unit]
Description=Nightly backup service
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
MemoryMax=256M
ExecStart=/opt/backup.sh
[Install]
WantedBy=multi-user.target

View File

@ -1,10 +0,0 @@
# vim:ft=systemd
[Unit]
Description=Nightly backup timer
[Timer]
Persistent=true
OnCalendar={{ backup_time }}
[Install]
WantedBy=timers.target

View File

@ -1,60 +0,0 @@
#! /bin/bash
#
# s3backup.sh
# General-purpose, Ansible-managed backup script to push directories to
# an S3 bucket
#
# NOTICE: THIS FILE CONTAINS SECRETS
# This file may contain the following secrets depending on configuration:
# * An AWS access key
# * An AWS session token
# These are NOT things you want arbitrary readers to access! Ansible will
# attempt to ensure this file has 0700 permissions, but that won't stop you
# from changing that yourself
# DO NOT ALLOW THIS FILE TO BE READ BY NON-ROOT USERS
# NOTICE: DO NOT MODIFY THIS FILE
# Any changes made will be clobbered by Ansible
# Please make any configuration changes in the main repo
set -e
# Directories to backup
# Ansible will determine the entries here
# We use a bash array because it affords us some level of sanitization, enough
# to let us back up items whose paths contain spaces
declare -a DIRS
{% for item in backup_s3backup_list + backup_s3backup_list_extra %}
DIRS+=("{{ item }}")
{% endfor %}
# End directories
# AWS S3 configuration
# NOTE: THIS IS SECRET INFORMATION
export AWS_ACCESS_KEY_ID="{{ backup_s3_aws_access_key_id }}"
export AWS_SECRET_ACCESS_KEY="{{ backup_s3_aws_secret_access_key }}"
# Tar up all items in the backup list, recursively, and pipe them straight
# up to S3
if [ -z "${DIRS[*]}" ]; then
echo "No directories configured to back up!"
exit 0
fi
echo "Commencing backup on the following items:"
for dir in "${DIRS[@]}"; do
echo "- $dir"
done
echo "Will ignore the following items:"
{% for item in backup_s3backup_exclude_list + backup_s3backup_exclude_list_extra %}
echo "- {{ item }}"
{% endfor %}
echo "Will upload resultant backup to {{ backup_s3_bucket }}"
nice -n 10 tar {{ backup_s3backup_tar_args }}{{ backup_s3backup_tar_args_extra }} \
{% for item in backup_s3backup_exclude_list + backup_s3backup_exclude_list_extra %}
--exclude "{{ item }}" \
{% endfor %}
"${DIRS[@]}" \
| aws s3 cp - \
"s3://{{ backup_s3_bucket }}/{{ inventory_hostname }}/$(date "+{{ backup_dateformat }}").tar.gz"

View File

@ -1,47 +0,0 @@
#! /bin/bash
#
# s3pgdump.sh
# General-purpose, Ansible-managed backup script to dump PostgreSQL DBs to
# an S3 bucket
#
# NOTICE: THIS FILE CONTAINS SECRETS
# This file may contain the following secrets depending on configuration:
# * An AWS access key
# * An AWS session token
# These are NOT things you want arbitrary readers to access! Ansible will
# attempt to ensure this file has 0700 permissions, but that won't stop you
# from changing that yourself
# DO NOT ALLOW THIS FILE TO BE READ BY NON-ROOT USERS
# NOTICE: DO NOT MODIFY THIS FILE
# Any changes made will be clobbered by Ansible
# Please make any configuration changes in the main repo
set -e
# AWS S3 configuration
# NOTE: THIS IS SECRET INFORMATION
export AWS_ACCESS_KEY_ID="{{ backup_s3_aws_access_key_id }}"
export AWS_SECRET_ACCESS_KEY="{{ backup_s3_aws_secret_access_key }}"
# Populate a list of databases
declare -a DATABASES
while read line; do
DATABASES+=("$line")
done < <(sudo -u postgres psql -t -A -c "SELECT datname FROM pg_database where datname not in ('template0', 'template1', 'postgres');" 2>/dev/null)
# pgdump all DBs, compress them, and pipe straight up to S3
echo "Commencing backup on the following databases:"
for dir in "${DATABASES[@]}"; do
echo "- $dir"
done
echo "Will upload resultant backups to {{ backup_s3_bucket }}"
for db in "${DATABASES[@]}"; do
echo "Backing up $db"
sudo -u postgres pg_dump "$db" \
| gzip -v9 \
| aws s3 cp - \
"s3://{{ backup_s3_bucket }}/{{ inventory_hostname }}/$db-$(date "+{{ backup_dateformat }}").pgsql.gz"
done

View File

@ -0,0 +1,5 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
backups_outdir: "/opt/backups/out"
backups_boot_delay: 1h
backups_time: "*-*-* 02:00:00"
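Review bot: the three new variables are undocumented, whereas the defaults file this replaces commented every key (`backup_time`, `backup_dateformat`, the S3 settings); add a comment per variable saying what `backups_outdir` holds and what `backups_boot_delay` feeds (presumably an `OnBootSec=` in a timer unit that is not among the shown hunks). The `#!/usr/bin/ansible-playbook` shebang does not belong on a `defaults/main.yml`, and the `---` document marker is missing before the first key.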

View File

@ -0,0 +1,10 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: restart backups timer
systemd:
daemon_reload: yes
name: 9iron-backup.timer
enabled: yes
state: restarted
become: yes

View File

@ -0,0 +1,6 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
allow_duplicates: no
dependencies:
- role: awscreds
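Review bot: declaring `awscreds` as a dependency means every host that gets the backups role also receives root's `~/.aws/credentials`, and the awscreds task copies one static `awscredentials` file, so all backup hosts end up sharing a single long-lived AWS key; prefer per-host credentials, or at least a key whose IAM policy is limited to writing under that host's own prefix in the bucket, so one compromised host cannot read or delete the others' backups. The removed defaults at least let `backup_s3_aws_access_key_id` vary per host through group and host vars.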

Some files were not shown because too many files have changed in this diff.