Reorganise file structure into roles

.gitignore

@@ -1,5 +1,3 @@
-files/synapse/signing.key
+*.secret
-files/k5e
 host_vars
 hosts
-

group_vars/all/vars.yml

@@ -1,7 +1,13 @@
-# Package lists
+# Do not edit this directly.
+#
+# Use
+#  group_vars/inventory_name/vars.yml
+#  host_vars/your_hostname/vars.yml
+# for plaintext variables.
+#
+# For secrets, use the same paths with vault.yml instead of vars.yml.
 
-# Utilities
+### Misc settings
-util_pack:
 
 # Email address for Let's Encrypt and DNS
 email: dogeystamp@disroot.org
@@ -11,8 +17,6 @@ escalation_method: doas
 
 sshd_port: 2500
 
-domain: d.nerdpol.ovh
-
 # Username for unpriviledged user
 username: dogeystamp
 
@@ -33,9 +37,24 @@ webroot: /srv/http
 # Data root
 dataroot: /var/www/data
 
+# Extra packages
+util_pack:
+  - neovim
+  - neofetch
+  - fish
+  - htop
+  - tmux
+  - git
+  - cronie
+  - progress
+  - rsync
+  - man-db
 
 
-# Network settings (nameserver, address, etc.)
+
+### Network settings (nameserver, address, etc.)
+
+domain: d.nerdpol.ovh
 
 # Forward DNS queries to
 dns_forward: 1.1.1.1
@@ -51,13 +70,12 @@ local_ip: 192.168.0.3
 # Connection interface for static IP
 interface: eth0
 
-
+# Email to send renewal notices to
-
-# ACME variables
-
 acme_email: "{{ email }}"
 
-# Mediawiki farm variables
+
+
+### Mediawiki farm variables
 
 # Internal names for the wikis, used for filenames and URLs
 wiki_names:
@@ -66,31 +84,65 @@ wiki_names:
 
 
 
-# Placeholders for secret vault
+### Placeholders for secret vault (change these in host_vars/your_hostname/vault.yml)
-
-
-ddclient_pass: secret
-
 
+ddclient_pass: "secret"
 
 # Gitea secrets
 lfs_jwt_secret: "secret"
 jwt_secret: "secret"
 
-
-
 # Mediawiki secrets
-
 wgUpgradeKey: "secret"
-
 # This should have the same amount of elements as wiki_names.
 wgSecretKey:
   - "wiki_secret"
   - "rw_secret"
 
-
-
 # Matrix Synapse secrets
 registration_shared_secret: "secret"
 macaroon_secret_key: "secret"
 form_secret: "secret"
+
+
+
+### Role switches
+
+# Dotfile deployment
+enable_dotfiles: yes
+
+# LUKS crypto and filesystem mounts
+enable_filesystems: yes
+
+# Firewall (UFW)
+enable_firewall: yes
+
+# Use NetworkManager to configure a proper static IP address in LAN
+enable_connection: yes
+
+# Dynamic DNS client
+enable_ddclient: yes
+
+# Nameserver (if you can't do NAT hairpinning)
+enable_nameserver: yes
+
+# SSL ACME (Let's Encrypt)
+enable_ssl: yes
+
+# Git server
+enable_gitea: yes
+
+# Matrix server
+enable_synapse: yes
+
+# MediaWiki
+enable_wiki: yes
+
+# Personal website
+enable_website: yes
+
+# SFTP read-only user
+enable_sftpr: yes
+
+# Mailserver (local only)
+enable_mail: yes

roles/dotfiles/tasks/main.yml

@@ -0,0 +1,38 @@
+- name: Fetch dotfiles
+  git:
+    repo: "{{ dots_repo }}"
+    dest: "/srv/dots/"
+  register: dotfiles
+
+- name: Create list of users to configure
+  set_fact:
+    users:
+      - "{{ ansible_user }}"
+      - "{{ username }}"
+
+- name: Remove existing dotfiles
+  file:
+    path: "/home/{{ item }}/.bashrc"
+    state: absent
+  with_items: "{{ users }}"
+  when: dotfiles.changed
+
+- name: Copy dotfiles
+  copy:
+    remote_src: yes
+    src: /srv/dots/
+    dest: "/home/{{ item }}/dots/"
+    owner: "{{ item }}"
+    group: "{{ item }}"
+  with_items: "{{ users }}"
+  when: dotfiles.changed
+
+- name: Deploy dotfiles on login
+  template:
+    src: templates/bash_profile.j2
+    dest: "/home/{{ item }}/.bash_profile"
+    owner: "{{ item }}"
+    group: "{{ item }}"
+    force: yes
+  with_items: "{{ users }}"
+  when: dotfiles.changed

roles/filesystems/tasks/main.yml

@@ -0,0 +1,26 @@
+- name: Deploy keyfile
+  copy:
+    src: k5e.secret
+    dest: /k5e
+    mode: 0600
+
+- name: Setup crypttab
+  community.general.crypttab:
+    backing_device: "{{ secondary_disk }}"
+    name: disk
+    state: present
+    password: /k5e
+
+- name: Decrypt secondary disk
+  luks_device:
+    device: "{{ secondary_disk }}"
+    keyfile: /k5e
+    name: disk
+    state: opened
+
+- name: Setup fstab
+  mount:
+    path: /mnt/disk
+    src: /dev/mapper/disk
+    state: mounted
+    fstype: ext4

roles/firewall/tasks/main.yml

@@ -1,9 +1,9 @@
-- name: Install firewall packages
+- name: Install packages
   community.general.pacman:
     name:
       - ufw
 
-- name: Deny all ports
+- name: Deny all ports by default
   community.general.ufw:
     policy: deny
 
@@ -29,7 +29,6 @@
     state: enabled
     src: "{{ local_subnet }}"
 
-
 - name: Enable firewall service
   service:
     name: ufw

roles/networking/connection/tasks/main.yml

@@ -1,4 +1,4 @@
-- name: Install NetworkManager
+- name: Install packages
   community.general.pacman:
     name:
       - networkmanager
@@ -26,3 +26,10 @@
     ifname: "{{ interface }}"
     type: ethernet
   when: networkmanager_config.changed
+
+- name: Cronjob to remove externally managed eth0 connection
+  cron:
+    name: "Ensure eth0 is not externally managed"
+    minute: "*/10"
+    job: "/usr/bin/nmcli connection down eth0 > /dev/null 2>&1; /usr/bin/nmcli connection down wired > /dev/null 2>&1; /usr/bin/nmcli connection up wired > /dev/null"
+    state: present

roles/networking/ddclient/tasks/main.yml

@@ -0,0 +1,14 @@
+- name: Install packages
+  community.general.pacman:
+    name: ddclient
+    state: present
+
+- name: Configure dynamic DNS
+  template:
+    src: ddclient.conf.j2
+    dest: /etc/ddclient/ddclient.conf
+
+- name: Enable dynamic DNS service
+  service:
+    name: ddclient
+    enabled: yes

roles/networking/nameserver/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Restart nameserver
+  service:
+    name: named
+    state: restarted

roles/networking/nameserver/tasks/main.yml

@@ -0,0 +1,22 @@
+- name: Install nameserver packages
+  community.general.pacman:
+    name: bind
+    state: present
+
+- name: Configure nameserver
+  template:
+    src: named.conf.j2
+    dest: /etc/named.conf
+  notify: Restart nameserver
+
+- name: Add nameserver zone
+  template:
+    src: local_zone.j2
+    dest: "/var/named/{{ domain }}"
+  notify: Restart nameserver
+
+- name: Enable nameserver
+  service:
+    name: named
+    enabled: yes
+    state: started

roles/networking/ssl/tasks/main.yml

@@ -1,12 +1,7 @@
-- name: Install webserver and miscellaneous networking packages
+- name: Ensure nginx is installed
   community.general.pacman:
-    name:
+    name: nginx
-      - bind
+    state: present
-      - ddclient
-      - firewalld
-      - nginx
-      - certbot
-      - certbot-nginx
 
 - name: Create directories for ACME
   file:
@@ -42,7 +37,7 @@
   register: result
   when: cert_file.stat.exists
 
-- name: Determine whether certificate should be regenerated
+- name: Determine whethe certificate should be regenerated
   set_fact:
     cert_regen: yes
   when: not cert_file.stat.exists or result.expired | bool
@@ -53,7 +48,7 @@
     dest: /etc/nginx/nginx.conf
   when: cert_regen is defined
 
-- name: Enable nginx service
+- name: Restart nginx service
   service:
     name: nginx
     state: restarted

roles/services/gitea/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Restart gitea
+  service:
+    name: gitea
+    state: restarted

roles/services/gitea/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: webserver

roles/services/gitea/tasks/main.yml

@@ -3,16 +3,11 @@
     name: gitea
     state: present
 
-- name: Ensure gitea is stopped
-  service:
-    name: gitea
-    state: stopped
-
 - name: Configure gitea
   template:
     src: templates/gitea_app.ini.j2
     dest: /etc/gitea/app.ini
-  register: gitea_conf
+  notify: Restart gitea
 
 - name: Change systemd unit file to allow access to dataroot
   lineinfile:
@@ -21,17 +16,21 @@
     regexp: "^ReadWritePaths.*"
     line: "ReadWritePaths={{ dataroot }}/gitea/"
     state: present
-  register: gitea_conf
+  notify: Restart gitea
+
+- name: Ensure gitea is stopped
+  service:
+    name: gitea
+    state: stopped
 
 - name: Change homedir of gitea
   user:
     name: gitea
     home: "{{ dataroot }}/gitea/"
-  register: gitea_conf
+  notify: Restart gitea
 
 - name: Enable gitea
   service:
     name: gitea
-    state: restarted
+    state: started
     enabled: yes
-  when: gitea_conf.changed

roles/services/synapse/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: webserver

roles/services/synapse/tasks/main.yml

@@ -5,17 +5,17 @@
 
 - name: Copy signing key
   copy:
-    src: synapse/signing.key
+    src: signing.key.secret
     dest: /etc/synapse/signing.key
 
 - name: Deploy matrix homeserver configuration
   template:
-    src: synapse/homeserver.yaml.j2
+    src: homeserver.yaml.j2
     dest: /etc/synapse/homeserver.yaml
 
 - name: Deploy matrix logging configuration
   template:
-    src: synapse/log.config.j2
+    src: log.config.j2
     dest: /etc/synapse/log.config
 
 - name: Change systemd unit file to allow access to dataroot

roles/services/webserver/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Restart webserver
+  service:
+    name: nginx
+    state: restarted

roles/services/webserver/tasks/main.yml

@@ -0,0 +1,16 @@
+- name: Install webserver packages
+  community.general.pacman:
+    name: nginx
+    state: present
+
+- name: Configure nginx
+  template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/nginx.conf
+  notify: Restart webserver
+
+- name: Enable nginx service
+  service:
+    name: nginx
+    state: started
+    enabled: yes

roles/services/website/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: webserver

roles/services/website/tasks/main.yml

@@ -1,4 +1,4 @@
 - name: Fetch site source
   git:
-    dest: /srv/http/site
+    dest: "{{ webroot }}/site"
     repo: "{{ site_repo }}"

roles/services/wiki/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: webserver

roles/services/wiki/tasks/main.yml

@@ -18,12 +18,12 @@
 
 - name: Deploy wiki-farm main configuration file
   template:
-    src: mediawiki/LocalSettings.php.j2
+    src: LocalSettings.php.j2
     dest: "{{ webroot }}/{{ wiki_names[0] }}/LocalSettings.php"
 
 - name: Deploy configuration files for individual wikis
   template:
-    src: "mediawiki/LocalSettings_{{ item.1 }}.php.j2"
+    src: "LocalSettings_{{ item.1 }}.php.j2"
     dest: "{{ webroot }}/{{ wiki_names[0] }}/LocalSettings_{{ item.1 }}.php"
   with_indexed_items: "{{ wiki_names }}"
 
@@ -32,7 +32,7 @@
     src: "{{ item }}"
     dest: "{{ webroot }}/{{ wiki_names[0] }}/resources/assets/"
   with_fileglob:
-    - mediawiki/logos/*.png
+    - logos/*.png
 
 - name: Enable iconv extension
   lineinfile:

roles/system/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Restart sshd
+  service:
+    name: sshd
+    state: restarted

roles/system/tasks/essential.yml

@@ -0,0 +1,39 @@
+- name: Change hostname
+  hostname:
+    name: "{{ inventory_hostname }}"
+
+- name: Set MOTD
+  template:
+    src: motd.j2
+    dest: /etc/motd
+
+- name: Update packages
+  community.general.pacman:
+    update_cache: yes
+    upgrade: yes
+
+- name: Install utility packages
+  community.general.pacman:
+    name: "{{ util_pack }}"
+    state: present
+
+- name: Disable root login
+  user:
+    name: root
+    password: "*"
+
+- name: Create unpriviledged user
+  user:
+    name: "{{ username }}"
+
+- name: Deploy SSH key to unpriviledged user
+  ansible.posix.authorized_key:
+    user: "{{ username }}"
+    state: present
+    key: "{{ lookup('file', '~/.ssh/keys/{{ ansible_hostname }}.pub')}}"
+
+- name: Enable cron daemon
+  service:
+    name: cronie
+    state: started
+    enabled: yes

roles/system/tasks/main.yml

@@ -0,0 +1,2 @@
+- include_tasks: essential.yml
+- include_tasks: sshd.yml

roles/system/tasks/sshd.yml

@@ -0,0 +1,13 @@
+- name: Disable SSH password auth
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: "^#PasswordAuthentication yes"
+    line: "PasswordAuthentication no"
+  notify: Restart sshd
+
+- name: Change SSH port
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: "^#Port 22"
+    line: "Port {{ sshd_port }}"
+  notify: Restart sshd

run.yml

@@ -1,23 +1,42 @@
 ---
-- hosts: all
+- hosts: sv
   become: yes
 
-  tasks:
+  roles:
-    - include_tasks: "tasks/{{ task }}.yml"
+    - role: system
-      with_items:
+
-        - essential
+    - role: dotfiles
-        - sys_config
+      when: enable_dotfiles
-        - connection
+
-        - firewall
+    - role: filesystems
-        - sftp
+      when: enable_filesystems
-        - mail
+
-        - ssl
+    - role: networking/connection
-        - webserver
+      when: enable_connection
-        - gitea
+
-        - wiki
+    - role: networking/ddclient
-        - matrix
+      when: enable_ddclient
-        - site
+
-        - cronjobs
+    - role: networking/nameserver
-        - user_config
+      when: enable_nameserver
-      loop_control:
+
-        loop_var: task
+    - role: networking/ssl
+      when: enable_ssl
+
+    - role: services/gitea
+      when: enable_gitea
+
+    - role: services/wiki
+      when: enable_wiki
+
+    - role: services/synapse
+      when: enable_synapse
+
+    - role: services/website
+      when: enable_website
+
+    - role: services/sftp
+      when: enable_sftpr
+
+    - role: services/mail
+      when: enable_mail

tasks/cronjobs.yml

@@ -1,12 +0,0 @@
-- name: Cronjob to remove externally managed eth0 connection
-  cron:
-    name: "Ensure eth0 is not externally managed"
-    minute: "*/10"
-    job: "/usr/bin/nmcli connection down eth0 > /dev/null 2>&1; /usr/bin/nmcli connection down wired > /dev/null 2>&1; /usr/bin/nmcli connection up wired > /dev/null"
-    state: present
-
-- name: Enable cron daemon
-  service:
-    name: cronie
-    state: started
-    enabled: yes

tasks/essential.yml

@@ -1,86 +0,0 @@
-- name: Change hostname
-  hostname:
-    name: "{{ inventory_hostname }}"
-
-- name: Update packages
-  community.general.pacman:
-    update_cache: yes
-    upgrade: yes
-
-- name: Install utility packages
-  community.general.pacman:
-    name:
-      - neovim
-      - neofetch
-      - fish
-      - htop
-      - tmux
-      - git
-      - cronie
-      - progress
-      - rsync
-      - man-db
-
-    state: present
-
-- name: Disable SSH password auth
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    regexp: "^#PasswordAuthentication yes"
-    line: "PasswordAuthentication no"
-  register: sshd_config
-
-- name: Change SSH port
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    regexp: "^#Port 22"
-    line: "Port {{ sshd_port }}"
-  register: sshd_config
-
-- name: Restart SSHD
-  service:
-    name: sshd
-    state: restarted
-  when: sshd_config.changed
-
-- name: Disable root login
-  user:
-    name: root
-    password: "*"
-
-- name: Create unpriviledged user
-  user:
-    name: "{{ username }}"
-
-- name: Deploy SSH key to unpriviledged user
-  ansible.posix.authorized_key:
-    user: "{{ username }}"
-    state: present
-    key: "{{ lookup('file', '~/.ssh/keys/{{ ansible_hostname }}.pub')}}"
-
-- name: Deploy keyfile
-  copy:
-    src: k5e
-    dest: /k5e
-    mode: 0600
-
-- name: Setup crypttab
-  community.general.crypttab:
-    backing_device: "{{ secondary_disk }}"
-    name: disk
-    state: present
-    password: /k5e
-
-- name: Decrypt secondary disk
-  luks_device:
-    device: "{{ secondary_disk }}"
-    keyfile: /k5e
-    name: disk
-    state: opened
-
-- name: Setup fstab
-  mount:
-    path: /mnt/disk
-    src: /dev/mapper/disk
-    state: mounted
-    fstype: ext4

tasks/sys_config.yml

@@ -1,4 +0,0 @@
-- name: Set MOTD
-  template:
-    src: motd.j2
-    dest: /etc/motd

tasks/webserver.yml

@@ -1,52 +0,0 @@
-- name: Install webserver and miscellaneous networking packages
-  community.general.pacman:
-    name:
-      - bind
-      - ddclient
-      - nginx
-      - certbot
-      - certbot-nginx
-
-    state: present
-
-- name: Configure dynamic DNS
-  template:
-    src: ddclient.conf.j2
-    dest: /etc/ddclient/ddclient.conf
-
-- name: Enable dynamic DNS service
-  service:
-    name: ddclient
-    enabled: yes
-
-- name: Configure nameserver
-  template:
-    src: named/named.conf.j2
-    dest: /etc/named.conf
-  register: named_conf
-
-- name: Add nameserver zone
-  template:
-    src: named/local_zone.j2
-    dest: "/var/named/{{ domain }}"
-  register: named_conf
-
-- name: Enable nameserver service
-  service:
-    name: named
-    state: started
-    enabled: yes
-  when: named_conf.changed
-
-- name: Configure nginx
-  template:
-    src: nginx.conf.j2
-    dest: /etc/nginx/nginx.conf
-  register: nginx_conf
-
-- name: Enable nginx service
-  service:
-    name: nginx
-    state: restarted
-    enabled: yes
-  when: nginx_conf.changed