From 3ba2c49a8c955e70af6499177e745bada376a3e2 Mon Sep 17 00:00:00 2001 
From: DogeyStamp Date: Tue, 1 Mar 2022 17:43:44 -0500 Subject: [PATCH] Reorganise file structure into roles --- .gitignore | 4 +- group_vars/all/vars.yml | 96 ++++++++++++++---- roles/dotfiles/tasks/main.yml | 38 +++++++ roles/filesystems/tasks/main.yml | 26 +++++ .../firewall/tasks/main.yml | 5 +- .../networking/connection/tasks/main.yml | 9 +- roles/networking/ddclient/tasks/main.yml | 14 +++ .../ddclient/templates}/ddclient.conf.j2 | 0 roles/networking/nameserver/handlers/main.yml | 4 + roles/networking/nameserver/tasks/main.yml | 22 ++++ .../nameserver/templates}/local_zone.j2 | 0 .../nameserver/templates}/named.conf.j2 | 0 .../networking/ssl/tasks/main.yml | 15 +-- .../ssl/templates}/nginx_bare.conf.j2 | 0 roles/services/gitea/handlers/main.yml | 4 + roles/services/gitea/meta/main.yml | 2 + .../services/gitea/tasks/main.yml | 19 ++-- .../gitea/templates}/gitea_app.ini.j2 | 0 .../services/mail/tasks/main.yml | 0 .../services/sftp/tasks/main.yml | 0 roles/services/synapse/meta/main.yml | 2 + .../services/synapse/tasks/main.yml | 6 +- .../synapse/templates}/homeserver.yaml.j2 | 0 .../services/synapse/templates}/log.config.j2 | 0 roles/services/webserver/handlers/main.yml | 4 + roles/services/webserver/tasks/main.yml | 16 +++ .../webserver/templates}/nginx.conf.j2 | 0 roles/services/website/meta/main.yml | 2 + .../services/website/tasks/main.yml | 2 +- .../services/wiki/files}/logos/bepp.png | Bin .../services/wiki/files}/logos/rw.png | Bin roles/services/wiki/meta/main.yml | 2 + .../services/wiki/tasks/main.yml | 6 +- .../wiki/templates}/LocalSettings.php.j2 | 0 .../wiki/templates}/LocalSettings_rw.php.j2 | 0 .../wiki/templates}/LocalSettings_wiki.php.j2 | 0 roles/system/handlers/main.yml | 4 + roles/system/tasks/essential.yml | 39 +++++++ roles/system/tasks/main.yml | 2 + roles/system/tasks/sshd.yml | 13 +++ .../system/templates/bash_profile.j2 | 0 {templates => roles/system/templates}/motd.j2 | 0 run.yml | 59 +++++++---- tasks/cronjobs.yml | 12 --- 
tasks/essential.yml | 86 ---------------- tasks/sys_config.yml | 4 - tasks/webserver.yml | 52 ---------- 47 files changed, 339 insertions(+), 230 deletions(-) create mode 100644 roles/dotfiles/tasks/main.yml create mode 100644 roles/filesystems/tasks/main.yml rename tasks/firewall.yml => roles/firewall/tasks/main.yml (90%) rename tasks/connection.yml => roles/networking/connection/tasks/main.yml (62%) create mode 100644 roles/networking/ddclient/tasks/main.yml rename {templates => roles/networking/ddclient/templates}/ddclient.conf.j2 (100%) create mode 100644 roles/networking/nameserver/handlers/main.yml create mode 100644 roles/networking/nameserver/tasks/main.yml rename {templates/named => roles/networking/nameserver/templates}/local_zone.j2 (100%) rename {templates/named => roles/networking/nameserver/templates}/named.conf.j2 (100%) rename tasks/ssl.yml => roles/networking/ssl/tasks/main.yml (93%) rename {templates => roles/networking/ssl/templates}/nginx_bare.conf.j2 (100%) create mode 100644 roles/services/gitea/handlers/main.yml create mode 100644 roles/services/gitea/meta/main.yml rename tasks/gitea.yml => roles/services/gitea/tasks/main.yml (85%) rename {templates => roles/services/gitea/templates}/gitea_app.ini.j2 (100%) rename tasks/mail.yml => roles/services/mail/tasks/main.yml (100%) rename tasks/sftp.yml => roles/services/sftp/tasks/main.yml (100%) create mode 100644 roles/services/synapse/meta/main.yml rename tasks/matrix.yml => roles/services/synapse/tasks/main.yml (88%) rename {templates/synapse => roles/services/synapse/templates}/homeserver.yaml.j2 (100%) rename {templates/synapse => roles/services/synapse/templates}/log.config.j2 (100%) create mode 100644 roles/services/webserver/handlers/main.yml create mode 100644 roles/services/webserver/tasks/main.yml rename {templates => roles/services/webserver/templates}/nginx.conf.j2 (100%) create mode 100644 roles/services/website/meta/main.yml rename tasks/site.yml => 
roles/services/website/tasks/main.yml (66%) rename {files/mediawiki => roles/services/wiki/files}/logos/bepp.png (100%) rename {files/mediawiki => roles/services/wiki/files}/logos/rw.png (100%) create mode 100644 roles/services/wiki/meta/main.yml rename tasks/wiki.yml => roles/services/wiki/tasks/main.yml (93%) rename {templates/mediawiki => roles/services/wiki/templates}/LocalSettings.php.j2 (100%) rename {templates/mediawiki => roles/services/wiki/templates}/LocalSettings_rw.php.j2 (100%) rename {templates/mediawiki => roles/services/wiki/templates}/LocalSettings_wiki.php.j2 (100%) create mode 100644 roles/system/handlers/main.yml create mode 100644 roles/system/tasks/essential.yml create mode 100644 roles/system/tasks/main.yml create mode 100644 roles/system/tasks/sshd.yml rename templates/.bash_profile.j2 => roles/system/templates/bash_profile.j2 (100%) rename {templates => roles/system/templates}/motd.j2 (100%) delete mode 100644 tasks/cronjobs.yml delete mode 100644 tasks/essential.yml delete mode 100644 tasks/sys_config.yml delete mode 100644 tasks/webserver.yml diff --git a/.gitignore b/.gitignore index d988622..49525d8 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,3 @@ -files/synapse/signing.key -files/k5e +*.secret host_vars hosts - diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 1b5d48e..2940dfc 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -1,7 +1,13 @@ -# Package lists +# Do not edit this directly. +# +# Use +# group_vars/inventory_name/vars.yml +# host_vars/your_hostname/vars.yml +# for plaintext variables. +# +# For secrets, use the same paths with vault.yml instead of vars.yml. -# Utilities -util_pack: +### Misc settings # Email address for Let's Encrypt and DNS email: dogeystamp@disroot.org @@ -11,8 +17,6 @@ escalation_method: doas sshd_port: 2500 -domain: d.nerdpol.ovh - # Username for unpriviledged user username: dogeystamp 
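Review bot: Replacing the explicit `files/synapse/signing.key` and `files/k5e` entries in .gitignore with `*.secret` means those two paths are no longer ignored; if either old file is still present in a working tree it becomes eligible for `git add -A` on the next commit. Keep the old entries alongside the pattern until the renamed `.secret` files are confirmed everywhere, since the pattern only protects secrets whose authors remember the suffix. Files encrypted with ansible-vault would not need ignoring at all and could be committed with the rest of the repository.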
@@ -33,9 +37,24 @@ webroot: /srv/http # Data root dataroot: /var/www/data +# Extra packages +util_pack: + - neovim + - neofetch + - fish + - htop + - tmux + - git + - cronie + - progress + - rsync + - man-db -# Network settings (nameserver, address, etc.) + +### Network settings (nameserver, address, etc.) + +domain: d.nerdpol.ovh # Forward DNS queries to dns_forward: 1.1.1.1 @@ -51,13 +70,12 @@ local_ip: 192.168.0.3 # Connection interface for static IP interface: eth0 - - -# ACME variables - +# Email to send renewal notices to acme_email: "{{ email }}" -# Mediawiki farm variables + + +### Mediawiki farm variables # Internal names for the wikis, used for filenames and URLs wiki_names: @@ -66,31 +84,65 @@ wiki_names: -# Placeholders for secret vault - - -ddclient_pass: secret - +### Placeholders for secret vault (change these in host_vars/your_hostname/vault.yml) +ddclient_pass: "secret" # Gitea secrets lfs_jwt_secret: "secret" jwt_secret: "secret" - - # Mediawiki secrets - wgUpgradeKey: "secret" - # This should have the same amount of elements as wiki_names. wgSecretKey: - "wiki_secret" - "rw_secret" - - # Matrix Synapse secrets registration_shared_secret: "secret" macaroon_secret_key: "secret" form_secret: "secret" + + + +### Role switches + +# Dotfile deployment +enable_dotfiles: yes + +# LUKS crypto and filesystem mounts +enable_filesystems: yes + +# Firewall (UFW) +enable_firewall: yes + +# Use NetworkManager to configure a proper static IP address in LAN +enable_connection: yes + +# Dynamic DNS client +enable_ddclient: yes + +# Nameserver (if you can't do NAT hairpinning) +enable_nameserver: yes + +# SSL ACME (Let's Encrypt) +enable_ssl: yes + +# Git server +enable_gitea: yes + +# Matrix server +enable_synapse: yes + +# MediaWiki +enable_wiki: yes + +# Personal website +enable_website: yes + +# SFTP read-only user +enable_sftpr: yes + +# Mailserver (local only) +enable_mail: yes 
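Review bot: The placeholder secrets kept in group_vars/all/vars.yml (`ddclient_pass: "secret"`, `jwt_secret`, `wgUpgradeKey`, `registration_shared_secret`, …) mean that a host whose vault.yml is missing or misnamed deploys with a publicly known value instead of failing; Ansible aborts on an undefined variable, so leaving these out entirely, or adding an `assert` at the start of the system role that each value differs from `"secret"`, turns that silent weakness into a loud error. The new role switches use `yes`; `enable_dotfiles: true` is what yamllint's truthy rule and YAML 1.2 parsers expect, and Ansible treats both identically. The comment header now points to `group_vars/inventory_name/vars.yml` while the vault remark below says `host_vars/your_hostname/vault.yml`; stating both locations in one place would avoid a reader putting secrets in the wrong tree.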
diff --git a/roles/dotfiles/tasks/main.yml b/roles/dotfiles/tasks/main.yml
new file mode 100644
index 0000000..74209d2
--- /dev/null
+++ b/roles/dotfiles/tasks/main.yml
@@ -0,0 +1,38 @@
+- name: Fetch dotfiles
+ git:
+ repo: "{{ dots_repo }}"
+ dest: "/srv/dots/"
+ register: dotfiles
+
+- name: Create list of users to configure
+ set_fact:
+ users:
+ - "{{ ansible_user }}"
+ - "{{ username }}"
+
+- name: Remove existing dotfiles
+ file:
+ path: "/home/{{ item }}/.bashrc"
+ state: absent
+ with_items: "{{ users }}"
+ when: dotfiles.changed
+
+- name: Copy dotfiles
+ copy:
+ remote_src: yes
+ src: /srv/dots/
+ dest: "/home/{{ item }}/dots/"
+ owner: "{{ item }}"
+ group: "{{ item }}"
+ with_items: "{{ users }}"
+ when: dotfiles.changed
+
+- name: Deploy dotfiles on login
+ template:
+ src: templates/bash_profile.j2
+ dest: "/home/{{ item }}/.bash_profile"
+ owner: "{{ item }}"
+ group: "{{ item }}"
+ force: yes
+ with_items: "{{ users }}"
+ when: dotfiles.changed
diff --git a/roles/filesystems/tasks/main.yml b/roles/filesystems/tasks/main.yml
new file mode 100644
index 0000000..60736b1
--- /dev/null
+++ b/roles/filesystems/tasks/main.yml
@@ -0,0 +1,26 @@
+- name: Deploy keyfile
+ copy:
+ src: k5e.secret
+ dest: /k5e
+ mode: 0600
+
+- name: Setup crypttab
+ community.general.crypttab:
+ backing_device: "{{ secondary_disk }}"
+ name: disk
+ state: present
+ password: /k5e
+
+- name: Decrypt secondary disk
+ luks_device:
+ device: "{{ secondary_disk }}"
+ keyfile: /k5e
+ name: disk
+ state: opened
+
+- name: Setup fstab
+ mount:
+ path: /mnt/disk
+ src: /dev/mapper/disk
+ state: mounted
+ fstype: ext4
diff --git a/tasks/firewall.yml b/roles/firewall/tasks/main.yml
similarity index 90%
rename from tasks/firewall.yml
rename to roles/firewall/tasks/main.yml
index b330cac..2fe2f3c 100644
--- a/tasks/firewall.yml
+++ b/roles/firewall/tasks/main.yml
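Review bot: `Fetch dotfiles` in roles/dotfiles/tasks/main.yml clones `{{ dots_repo }}` at whatever its remote default branch currently points to, with no `version:`, and the later tasks copy that checkout into every listed user's home and install a `.bash_profile` that runs it on each login, all as root. Pin the checkout, `version: "<pinned-commit-or-tag>"` (placeholder), so that a push to the remote or a compromised hosting account cannot put unreviewed shell into every login; the `when: dotfiles.changed` guards then also become meaningful rather than firing on each upstream push. The `users` fact also assumes `ansible_user` is set in inventory; when the connection user comes from ansible.cfg or the environment instead, that variable is undefined and the `set_fact` task fails, so a `default(omit)`-style fallback or a documented requirement would help.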
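Review bot: `Deploy keyfile` in roles/filesystems/tasks/main.yml uses an unquoted `mode: 0600`; the leading zero makes PyYAML parse it as an octal integer, which Ansible accepts, but a `mode: 600` slip would be taken as decimal 600 and become 01130. Quote it as `mode: "0600"` so the value is always passed as a string. The keyfile at /k5e and the `crypttab` `password: /k5e` entry both live on the unencrypted root filesystem, so the LUKS protection on `secondary_disk` is only as strong as access to the root filesystem; that is inherent to unattended unlock, and a one-line comment at the top of the role saying so would stop it being mistaken for protection against someone holding the whole machine.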
@@ -1,9 +1,9 @@ -- name: Install firewall packages +- name: Install packages community.general.pacman: name: - ufw -- name: Deny all ports +- name: Deny all ports by default community.general.ufw: policy: deny @@ -29,7 +29,6 @@ state: enabled src: "{{ local_subnet }}" - - name: Enable firewall service service: name: ufw diff --git a/tasks/connection.yml b/roles/networking/connection/tasks/main.yml similarity index 62% rename from tasks/connection.yml rename to roles/networking/connection/tasks/main.yml index 2ddc211..74ff3ff 100644 --- a/tasks/connection.yml +++ b/roles/networking/connection/tasks/main.yml @@ -1,4 +1,4 @@ -- name: Install NetworkManager +- name: Install packages community.general.pacman: name: - networkmanager @@ -26,3 +26,10 @@ ifname: "{{ interface }}" type: ethernet when: networkmanager_config.changed + +- name: Cronjob to remove externally managed eth0 connection + cron: + name: "Ensure eth0 is not externally managed" + minute: "*/10" + job: "/usr/bin/nmcli connection down eth0 > /dev/null 2>&1; /usr/bin/nmcli connection down wired > /dev/null 2>&1; /usr/bin/nmcli connection up wired > /dev/null" + state: present diff --git a/roles/networking/ddclient/tasks/main.yml b/roles/networking/ddclient/tasks/main.yml new file mode 100644 index 0000000..f34a4ea --- /dev/null +++ b/roles/networking/ddclient/tasks/main.yml @@ -0,0 +1,14 @@ +- name: Install packages + community.general.pacman: + name: ddclient + state: present + +- name: Configure dynamic DNS + template: + src: ddclient.conf.j2 + dest: /etc/ddclient/ddclient.conf + +- name: Enable dynamic DNS service + service: + name: ddclient + enabled: yes diff --git a/templates/ddclient.conf.j2 b/roles/networking/ddclient/templates/ddclient.conf.j2 similarity index 100% rename from templates/ddclient.conf.j2 rename to roles/networking/ddclient/templates/ddclient.conf.j2 
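Review bot: The cron job moved to the end of roles/networking/connection/tasks/main.yml hard-codes `eth0` in both its name and its command, while the task just above it configures `ifname: "{{ interface }}"`; on a host whose `interface` is not eth0 the job cycles the wrong device every ten minutes. Use the variable in both places, `name: "Ensure {{ interface }} is not externally managed"` and `job: "/usr/bin/nmcli connection down {{ interface }} > /dev/null 2>&1; /usr/bin/nmcli connection down wired > /dev/null 2>&1; /usr/bin/nmcli connection up wired > /dev/null"`. The `Enable cron daemon` task that used to sit beside it in tasks/cronjobs.yml now lives in roles/system, which run.yml applies unconditionally, so the daemon is still started before this role runs.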
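Review bot: `Configure dynamic DNS` in roles/networking/ddclient/tasks/main.yml renders ddclient.conf, which carries `ddclient_pass` from group_vars, without `mode` or `owner`, so the credential is written with the default umask and is usually world-readable. Add `mode: "0600"` to the template task. `Enable dynamic DNS service` only sets `enabled: yes`; adding `state: started`, plus a `notify` on the template task with a matching handler, would make a changed configuration take effect the way the nameserver role in the next hunk does.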
diff --git a/roles/networking/nameserver/handlers/main.yml b/roles/networking/nameserver/handlers/main.yml new file mode 100644 index 0000000..634e4ab --- /dev/null +++ b/roles/networking/nameserver/handlers/main.yml @@ -0,0 +1,4 @@ +- name: Restart nameserver + service: + name: named + state: restarted diff --git a/roles/networking/nameserver/tasks/main.yml b/roles/networking/nameserver/tasks/main.yml new file mode 100644 index 0000000..dcad5ee --- /dev/null +++ b/roles/networking/nameserver/tasks/main.yml @@ -0,0 +1,22 @@ +- name: Install nameserver packages + community.general.pacman: + name: bind + state: present + +- name: Configure nameserver + template: + src: named.conf.j2 + dest: /etc/named.conf + notify: Restart nameserver + +- name: Add nameserver zone + template: + src: local_zone.j2 + dest: "/var/named/{{ domain }}" + notify: Restart nameserver + +- name: Enable nameserver + service: + name: named + enabled: yes + state: started diff --git a/templates/named/local_zone.j2 b/roles/networking/nameserver/templates/local_zone.j2 similarity index 100% rename from templates/named/local_zone.j2 rename to roles/networking/nameserver/templates/local_zone.j2 diff --git a/templates/named/named.conf.j2 b/roles/networking/nameserver/templates/named.conf.j2 similarity index 100% rename from templates/named/named.conf.j2 rename to roles/networking/nameserver/templates/named.conf.j2 diff --git a/tasks/ssl.yml b/roles/networking/ssl/tasks/main.yml similarity index 93% rename from tasks/ssl.yml rename to roles/networking/ssl/tasks/main.yml index 38b2041..614af4b 100644 --- a/tasks/ssl.yml +++ b/roles/networking/ssl/tasks/main.yml @@ -1,12 +1,7 @@ -- name: Install webserver and miscellaneous networking packages +- name: Ensure nginx is installed community.general.pacman: - name: - - bind - - ddclient - - firewalld - - nginx - - certbot - - certbot-nginx + name: nginx + state: present - name: Create directories for ACME file: 
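Review bot: The package task in roles/networking/ssl/tasks/main.yml now installs only nginx, but the removed list also carried `certbot` and `certbot-nginx`, and no other hunk in this patch re-adds them (the new webserver role installs nginx alone, and the deleted tasks/webserver.yml was the other place they were listed). If the rest of this role, which continues outside the hunk, still invokes certbot, the first run on a clean host fails at that step; either keep `name: [nginx, certbot, certbot-nginx]` here or install them in a dedicated task. The dropped `bind` and `ddclient` entries are covered by the new nameserver and ddclient roles, and `firewalld` appears to have been unused next to the ufw-based firewall role.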
@@ -42,7 +37,7 @@ register: result when: cert_file.stat.exists -- name: Determine whether certificate should be regenerated +- name: Determine whethe certificate should be regenerated set_fact: cert_regen: yes when: not cert_file.stat.exists or result.expired | bool @@ -53,7 +48,7 @@ dest: /etc/nginx/nginx.conf when: cert_regen is defined -- name: Enable nginx service +- name: Restart nginx service service: name: nginx state: restarted diff --git a/templates/nginx_bare.conf.j2 b/roles/networking/ssl/templates/nginx_bare.conf.j2 similarity index 100% rename from templates/nginx_bare.conf.j2 rename to roles/networking/ssl/templates/nginx_bare.conf.j2 diff --git a/roles/services/gitea/handlers/main.yml b/roles/services/gitea/handlers/main.yml new file mode 100644 index 0000000..a9565b9 --- /dev/null +++ b/roles/services/gitea/handlers/main.yml @@ -0,0 +1,4 @@ +- name: Restart gitea + service: + name: gitea + state: restarted diff --git a/roles/services/gitea/meta/main.yml b/roles/services/gitea/meta/main.yml new file mode 100644 index 0000000..96c394a --- /dev/null +++ b/roles/services/gitea/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: + - role: webserver diff --git a/tasks/gitea.yml b/roles/services/gitea/tasks/main.yml similarity index 85% rename from tasks/gitea.yml rename to roles/services/gitea/tasks/main.yml index 949b1f9..a7646d3 100644 --- a/tasks/gitea.yml +++ b/roles/services/gitea/tasks/main.yml @@ -3,16 +3,11 @@ name: gitea state: present -- name: Ensure gitea is stopped - service: - name: gitea - state: stopped - - name: Configure gitea template: src: templates/gitea_app.ini.j2 dest: /etc/gitea/app.ini - register: gitea_conf + notify: Restart gitea - name: Change systemd unit file to allow access to dataroot lineinfile: 
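Review bot: The task name in the second ssl hunk changes from "Determine whether certificate should be regenerated" to "Determine whethe certificate should be regenerated", which looks like an accidental keystroke rather than an intended rename; restore `- name: Determine whether certificate should be regenerated`. The rename in the following hunk to "Restart nginx service" correctly describes the `state: restarted` the task has always performed.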
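Review bot: `Configure gitea` in roles/services/gitea/tasks/main.yml renders app.ini, which carries `jwt_secret` and `lfs_jwt_secret` from group_vars, with no `owner`, `group` or `mode`, so under `become: yes` the file is created root-owned with the default umask and is usually world-readable. Add `owner: gitea`, `group: gitea` and `mode: "0640"` to the template task so only the service can read its token-signing secrets. Switching from `register: gitea_conf` to `notify: Restart gitea` also fixes the old pattern in which three tasks overwrote the same register and only the last result gated the restart. `src: templates/gitea_app.ini.j2` still resolves inside the role, but every other role in this patch uses the bare filename; `src: gitea_app.ini.j2` would match them.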
@@ -21,17 +16,21 @@ regexp: "^ReadWritePaths.*" line: "ReadWritePaths={{ dataroot }}/gitea/" state: present - register: gitea_conf + notify: Restart gitea + +- name: Ensure gitea is stopped + service: + name: gitea + state: stopped - name: Change homedir of gitea user: name: gitea home: "{{ dataroot }}/gitea/" - register: gitea_conf + notify: Restart gitea - name: Enable gitea service: name: gitea - state: restarted + state: started enabled: yes - when: gitea_conf.changed diff --git a/templates/gitea_app.ini.j2 b/roles/services/gitea/templates/gitea_app.ini.j2 similarity index 100% rename from templates/gitea_app.ini.j2 rename to roles/services/gitea/templates/gitea_app.ini.j2 diff --git a/tasks/mail.yml b/roles/services/mail/tasks/main.yml similarity index 100% rename from tasks/mail.yml rename to roles/services/mail/tasks/main.yml diff --git a/tasks/sftp.yml b/roles/services/sftp/tasks/main.yml similarity index 100% rename from tasks/sftp.yml rename to roles/services/sftp/tasks/main.yml diff --git a/roles/services/synapse/meta/main.yml b/roles/services/synapse/meta/main.yml new file mode 100644 index 0000000..96c394a --- /dev/null +++ b/roles/services/synapse/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: + - role: webserver diff --git a/tasks/matrix.yml b/roles/services/synapse/tasks/main.yml similarity index 88% rename from tasks/matrix.yml rename to roles/services/synapse/tasks/main.yml index 8363ea3..511d310 100644 --- a/tasks/matrix.yml +++ b/roles/services/synapse/tasks/main.yml @@ -5,17 +5,17 @@ - name: Copy signing key copy: - src: synapse/signing.key + src: signing.key.secret dest: /etc/synapse/signing.key - name: Deploy matrix homeserver configuration template: - src: synapse/homeserver.yaml.j2 + src: homeserver.yaml.j2 dest: /etc/synapse/homeserver.yaml - name: Deploy matrix logging configuration template: - src: synapse/log.config.j2 + src: log.config.j2 dest: /etc/synapse/log.config - name: Change systemd unit file to allow access to dataroot 
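Review bot: `Ensure gitea is stopped` now runs unconditionally on every play, followed by `Enable gitea` with `state: started`, so each run bounces the service even when nothing changed, and the `Restart gitea` handler restarts it again at the end of the play when any of the three notifying tasks reported a change. Since all configuration tasks already notify the handler, the explicit stop/start pair is redundant; dropping the stop task and keeping `state: started` with `enabled: yes` leaves restarts to the handler. If the stop is there so the `user:` homedir change can succeed, say so in a comment and gate it, rather than taking the service down on every run.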
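Review bot: `Copy signing key` in roles/services/synapse/tasks/main.yml writes /etc/synapse/signing.key with no `owner`, `group` or `mode`, so the homeserver's federation signing key lands root-owned with the default umask and is usually world-readable. Add `mode: "0600"` plus `owner`/`group` set to the account the synapse unit runs as (not visible in this hunk) to the copy task. The source `signing.key.secret` is kept out of git only by the new `*.secret` ignore pattern; an ansible-vault-encrypted file under files/ is decrypted transparently by `copy` and could be committed safely instead.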
diff --git a/templates/synapse/homeserver.yaml.j2 b/roles/services/synapse/templates/homeserver.yaml.j2 similarity index 100% rename from templates/synapse/homeserver.yaml.j2 rename to roles/services/synapse/templates/homeserver.yaml.j2 diff --git a/templates/synapse/log.config.j2 b/roles/services/synapse/templates/log.config.j2 similarity index 100% rename from templates/synapse/log.config.j2 rename to roles/services/synapse/templates/log.config.j2 diff --git a/roles/services/webserver/handlers/main.yml b/roles/services/webserver/handlers/main.yml new file mode 100644 index 0000000..175f83a --- /dev/null +++ b/roles/services/webserver/handlers/main.yml @@ -0,0 +1,4 @@ +- name: Restart webserver + service: + name: nginx + state: restarted diff --git a/roles/services/webserver/tasks/main.yml b/roles/services/webserver/tasks/main.yml new file mode 100644 index 0000000..73c3780 --- /dev/null +++ b/roles/services/webserver/tasks/main.yml @@ -0,0 +1,16 @@ +- name: Install webserver packages + community.general.pacman: + name: nginx + state: present + +- name: Configure nginx + template: + src: nginx.conf.j2 + dest: /etc/nginx/nginx.conf + notify: Restart webserver + +- name: Enable nginx service + service: + name: nginx + state: started + enabled: yes diff --git a/templates/nginx.conf.j2 b/roles/services/webserver/templates/nginx.conf.j2 similarity index 100% rename from templates/nginx.conf.j2 rename to roles/services/webserver/templates/nginx.conf.j2 diff --git a/roles/services/website/meta/main.yml b/roles/services/website/meta/main.yml new file mode 100644 index 0000000..96c394a --- /dev/null +++ b/roles/services/website/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: + - role: webserver diff --git a/tasks/site.yml b/roles/services/website/tasks/main.yml similarity index 66% rename from tasks/site.yml rename to roles/services/website/tasks/main.yml index 90cd258..fcf2d7c 100644 --- a/tasks/site.yml +++ b/roles/services/website/tasks/main.yml 
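Review bot: `Configure nginx` in roles/services/webserver/tasks/main.yml writes /etc/nginx/nginx.conf, and the ssl role earlier in this patch writes the same path from nginx_bare.conf.j2 (`dest: /etc/nginx/nginx.conf` under `when: cert_regen is defined`) and restarts nginx, so two roles now own one file. That only works because run.yml lists networking/ssl before the services roles whose meta dependencies pull in webserver, so the full configuration is rendered last; document the ordering, e.g. `# Overwrites the bare config networking/ssl installs for ACME; must run after that role`, or have the ssl role hand off by rendering nginx.conf.j2 itself once a certificate exists. Handler naming is inconsistent across the patch (`Restart webserver` here restarts nginx, while the ssl role restarts nginx inline); picking one mechanism avoids a double restart in the same play.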
@@ -1,4 +1,4 @@ - name: Fetch site source git: - dest: /srv/http/site + dest: "{{ webroot }}/site" repo: "{{ site_repo }}" diff --git a/files/mediawiki/logos/bepp.png b/roles/services/wiki/files/logos/bepp.png similarity index 100% rename from files/mediawiki/logos/bepp.png rename to roles/services/wiki/files/logos/bepp.png diff --git a/files/mediawiki/logos/rw.png b/roles/services/wiki/files/logos/rw.png similarity index 100% rename from files/mediawiki/logos/rw.png rename to roles/services/wiki/files/logos/rw.png diff --git a/roles/services/wiki/meta/main.yml b/roles/services/wiki/meta/main.yml new file mode 100644 index 0000000..96c394a --- /dev/null +++ b/roles/services/wiki/meta/main.yml @@ -0,0 +1,2 @@ +dependencies: + - role: webserver diff --git a/tasks/wiki.yml b/roles/services/wiki/tasks/main.yml similarity index 93% rename from tasks/wiki.yml rename to roles/services/wiki/tasks/main.yml index b3f7ce0..d10e1da 100644 --- a/tasks/wiki.yml +++ b/roles/services/wiki/tasks/main.yml @@ -18,12 +18,12 @@ - name: Deploy wiki-farm main configuration file template: - src: mediawiki/LocalSettings.php.j2 + src: LocalSettings.php.j2 dest: "{{ webroot }}/{{ wiki_names[0] }}/LocalSettings.php" - name: Deploy configuration files for individual wikis template: - src: "mediawiki/LocalSettings_{{ item.1 }}.php.j2" + src: "LocalSettings_{{ item.1 }}.php.j2" dest: "{{ webroot }}/{{ wiki_names[0] }}/LocalSettings_{{ item.1 }}.php" with_indexed_items: "{{ wiki_names }}" @@ -32,7 +32,7 @@ src: "{{ item }}" dest: "{{ webroot }}/{{ wiki_names[0] }}/resources/assets/" with_fileglob: - - mediawiki/logos/*.png + - logos/*.png - name: Enable iconv extension lineinfile: diff --git a/templates/mediawiki/LocalSettings.php.j2 b/roles/services/wiki/templates/LocalSettings.php.j2 similarity index 100% rename from templates/mediawiki/LocalSettings.php.j2 rename to roles/services/wiki/templates/LocalSettings.php.j2 
diff --git a/templates/mediawiki/LocalSettings_rw.php.j2 b/roles/services/wiki/templates/LocalSettings_rw.php.j2 similarity index 100% rename from templates/mediawiki/LocalSettings_rw.php.j2 rename to roles/services/wiki/templates/LocalSettings_rw.php.j2 diff --git a/templates/mediawiki/LocalSettings_wiki.php.j2 b/roles/services/wiki/templates/LocalSettings_wiki.php.j2 similarity index 100% rename from templates/mediawiki/LocalSettings_wiki.php.j2 rename to roles/services/wiki/templates/LocalSettings_wiki.php.j2 diff --git a/roles/system/handlers/main.yml b/roles/system/handlers/main.yml new file mode 100644 index 0000000..784cf59 --- /dev/null +++ b/roles/system/handlers/main.yml @@ -0,0 +1,4 @@ +- name: Restart sshd + service: + name: sshd + state: restarted diff --git a/roles/system/tasks/essential.yml b/roles/system/tasks/essential.yml new file mode 100644 index 0000000..764fd63 --- /dev/null +++ b/roles/system/tasks/essential.yml @@ -0,0 +1,39 @@ +- name: Change hostname + hostname: + name: "{{ inventory_hostname }}" + +- name: Set MOTD + template: + src: motd.j2 + dest: /etc/motd + +- name: Update packages + community.general.pacman: + update_cache: yes + upgrade: yes + +- name: Install utility packages + community.general.pacman: + name: "{{ util_pack }}" + state: present + +- name: Disable root login + user: + name: root + password: "*" + +- name: Create unpriviledged user + user: + name: "{{ username }}" + +- name: Deploy SSH key to unpriviledged user + ansible.posix.authorized_key: + user: "{{ username }}" + state: present + key: "{{ lookup('file', '~/.ssh/keys/{{ ansible_hostname }}.pub')}}" + +- name: Enable cron daemon + service: + name: cronie + state: started + enabled: yes diff --git a/roles/system/tasks/main.yml b/roles/system/tasks/main.yml new file mode 100644 index 0000000..f00961a --- /dev/null +++ b/roles/system/tasks/main.yml @@ -0,0 +1,2 @@ +- include_tasks: essential.yml +- include_tasks: sshd.yml 
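Review bot: `Deploy SSH key to unpriviledged user` in roles/system/tasks/essential.yml looks the public key up by `ansible_hostname`, the name gathered from the target before `Change hostname` renames it to `inventory_hostname`; on a freshly imaged host the two differ, so the lookup fails or selects another host's key. Using `key: "{{ lookup('file', '~/.ssh/keys/' ~ inventory_hostname ~ '.pub') }}"` keys on the name the play has just set and drops the nested `{{ }}` inside the lookup string, which Ansible tolerates but discourages. `Update packages` runs `upgrade: yes` on every play, so any run of the playbook performs a full system upgrade; if that is intended it deserves a comment, otherwise gate it on a variable. "unpriviledged" in two task names is a pre-existing spelling slip carried over from tasks/essential.yml.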
diff --git a/roles/system/tasks/sshd.yml b/roles/system/tasks/sshd.yml
new file mode 100644
index 0000000..ae7824b
--- /dev/null
+++ b/roles/system/tasks/sshd.yml
@@ -0,0 +1,13 @@
+- name: Disable SSH password auth
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^#PasswordAuthentication yes"
+ line: "PasswordAuthentication no"
+ notify: Restart sshd
+
+- name: Change SSH port
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^#Port 22"
+ line: "Port {{ sshd_port }}"
+ notify: Restart sshd
diff --git a/templates/.bash_profile.j2 b/roles/system/templates/bash_profile.j2
similarity index 100%
rename from templates/.bash_profile.j2
rename to roles/system/templates/bash_profile.j2
diff --git a/templates/motd.j2 b/roles/system/templates/motd.j2
similarity index 100%
rename from templates/motd.j2
rename to roles/system/templates/motd.j2
diff --git a/run.yml b/run.yml
index 859e95d..f74330c 100644
--- a/run.yml
+++ b/run.yml
@@ -1,23 +1,42 @@
 ---
-- hosts: all
+- hosts: sv
 become: yes
- tasks:
- - include_tasks: "tasks/{{ task }}.yml"
- with_items:
- - essential
- - sys_config
- - connection
- - firewall
- - sftp
- - mail
- - ssl
- - webserver
- - gitea
- - wiki
- - matrix
- - site
- - cronjobs
- - user_config
- loop_control:
- loop_var: task
+ roles:
+ - role: system
+
+ - role: dotfiles
+ when: enable_dotfiles
+
+ - role: filesystems
+ when: enable_filesystems
+
+ - role: networking/connection
+ when: enable_connection
+
+ - role: networking/ddclient
+ when: enable_ddclient
+
+ - role: networking/nameserver
+ when: enable_nameserver
+
+ - role: networking/ssl
+ when: enable_ssl
+
+ - role: services/gitea
+ when: enable_gitea
+
+ - role: services/wiki
+ when: enable_wiki
+
+ - role: services/synapse
+ when: enable_synapse
+
+ - role: services/website
+ when: enable_website
+
+ - role: services/sftp
+ when: enable_sftpr
+
+ - role: services/mail
+ when: enable_mail
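Review bot: Both lineinfile tasks in roles/system/tasks/sshd.yml match only the commented-out defaults (`^#PasswordAuthentication yes`, `^#Port 22`); on a host where the directive is already uncommented (cloud images commonly ship `PasswordAuthentication yes`) the regexp misses, lineinfile appends a second directive at the end of sshd_config, and sshd honours the first occurrence, so password authentication stays enabled and the port stays 22 while the play reports success. Match the directive regardless of comment state, `regexp: "^#?PasswordAuthentication "` and `regexp: "^#?Port "`, and add `validate: "/usr/sbin/sshd -t -f %s"` to both tasks so a malformed edit is rejected before the `Restart sshd` handler can lock the operator out. Since `sshd_port` is 2500 in group_vars, the firewall role (outside this view) must permit that port before the handler fires; a comment here recording that dependency would help the next reader.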
diff --git a/tasks/cronjobs.yml b/tasks/cronjobs.yml deleted file mode 100644 index 43e1fef..0000000 --- a/tasks/cronjobs.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: Cronjob to remove externally managed eth0 connection - cron: - name: "Ensure eth0 is not externally managed" - minute: "*/10" - job: "/usr/bin/nmcli connection down eth0 > /dev/null 2>&1; /usr/bin/nmcli connection down wired > /dev/null 2>&1; /usr/bin/nmcli connection up wired > /dev/null" - state: present - -- name: Enable cron daemon - service: - name: cronie - state: started - enabled: yes diff --git a/tasks/essential.yml b/tasks/essential.yml deleted file mode 100644 index d5c3186..0000000 --- a/tasks/essential.yml +++ /dev/null 
@@ -1,86 +0,0 @@ -- name: Change hostname - hostname: - name: "{{ inventory_hostname }}" - -- name: Update packages - community.general.pacman: - update_cache: yes - upgrade: yes - -- name: Install utility packages - community.general.pacman: - name: - - neovim - - neofetch - - fish - - htop - - tmux - - git - - cronie - - progress - - rsync - - man-db - - state: present - -- name: Disable SSH password auth - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "^#PasswordAuthentication yes" - line: "PasswordAuthentication no" - register: sshd_config - -- name: Change SSH port - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "^#Port 22" - line: "Port {{ sshd_port }}" - register: sshd_config - -- name: Restart SSHD - service: - name: sshd - state: restarted - when: sshd_config.changed - -- name: Disable root login - user: - name: root - password: "*" - -- name: Create unpriviledged user - user: - name: "{{ username }}" - -- name: Deploy SSH key to unpriviledged user - ansible.posix.authorized_key: - user: "{{ username }}" - state: present - key: "{{ lookup('file', '~/.ssh/keys/{{ ansible_hostname }}.pub')}}" - -- name: Deploy keyfile - copy: - src: k5e - dest: /k5e - mode: 0600 - -- name: Setup crypttab - community.general.crypttab: - backing_device: "{{ secondary_disk }}" - name: disk - state: present - password: /k5e - -- name: Decrypt secondary disk - luks_device: - device: "{{ secondary_disk }}" - keyfile: /k5e - name: disk - state: opened - -- name: Setup fstab - mount: - path: /mnt/disk - src: /dev/mapper/disk - state: mounted - fstype: ext4 diff --git a/tasks/sys_config.yml b/tasks/sys_config.yml deleted file mode 100644 index aa63363..0000000 --- a/tasks/sys_config.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: Set MOTD - template: - src: motd.j2 - dest: /etc/motd diff --git a/tasks/webserver.yml b/tasks/webserver.yml deleted file mode 100644 index a226253..0000000 --- a/tasks/webserver.yml +++ /dev/null 
@@ -1,52 +0,0 @@ -- name: Install webserver and miscellaneous networking packages - community.general.pacman: - name: - - bind - - ddclient - - nginx - - certbot - - certbot-nginx - - state: present - -- name: Configure dynamic DNS - template: - src: ddclient.conf.j2 - dest: /etc/ddclient/ddclient.conf - -- name: Enable dynamic DNS service - service: - name: ddclient - enabled: yes - -- name: Configure nameserver - template: - src: named/named.conf.j2 - dest: /etc/named.conf - register: named_conf - -- name: Add nameserver zone - template: - src: named/local_zone.j2 - dest: "/var/named/{{ domain }}" - register: named_conf - -- name: Enable nameserver service - service: - name: named - state: started - enabled: yes - when: named_conf.changed - -- name: Configure nginx - template: - src: nginx.conf.j2 - dest: /etc/nginx/nginx.conf - register: nginx_conf - -- name: Enable nginx service - service: - name: nginx - state: restarted - enabled: yes - when: nginx_conf.changed