From 0439559ea3c9aa6ef79754ba626db483427b8151 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 00:43:30 +0200 Subject: [PATCH 01/27] catching up changes to nginx role --- roles/nginx/tasks/nginx.yml | 22 +++++++++++++++++++--- roles/nginx/templates/00-default.j2 | 5 +++++ 2 files changed, 24 insertions(+), 3 deletions(-) diff --git a/roles/nginx/tasks/nginx.yml b/roles/nginx/tasks/nginx.yml index f8357c5..23298c3 100644 --- a/roles/nginx/tasks/nginx.yml +++ b/roles/nginx/tasks/nginx.yml @@ -26,7 +26,7 @@ - uwsgi - uwsgi-plugin-python3 - apache2-utils - - wwwsudois + #- wwwsudois update_cache: true state: latest environment: @@ -34,10 +34,24 @@ when: not skip_apt|default(false) tags: - packages - - wwwsudois - - www.sudo.is + # - wwwsudois + # - www.sudo.is - apt.sudo.is +- name: copy nginx_default_cert + copy: + src: "private/nginx_default_cert" + dest: "/usr/local/etc/certs/" + owner: root + group: root + mode: 0755 + tags: + - nginx-cert + - nginx-default-vhost + - nginx-default-cert + notify: reload nginx + vars: + prediff_cmd: echo - name: make cache dir file: @@ -103,6 +117,8 @@ tags: - nginx-config - nginx-default-vhost + - nginx-default-cert + - nginx-cert - name: cleanup file: diff --git a/roles/nginx/templates/00-default.j2 b/roles/nginx/templates/00-default.j2 index 6289d39..9abf2ad 100644 --- a/roles/nginx/templates/00-default.j2 +++ b/roles/nginx/templates/00-default.j2 @@ -64,8 +64,13 @@ server { ssl_session_timeout 5m; + {% if inventory_hostname == ansible_control_host -%} ssl_certificate /usr/local/etc/certs/{{ inventory_hostname }}/fullchain.pem; ssl_certificate_key /usr/local/etc/certs/{{ inventory_hostname }}/privkey.pem; + {% else -%} + ssl_certificate /usr/local/etc/certs/nginx_default_cert/pubkey.pem; + ssl_certificate_key /usr/local/etc/certs/nginx_default_cert/privkey.pem; + {% endif %} add_header Referrer-Policy "no-referrer" always; add_header X-Content-Type-Options "nosniff" always; -- 2.40.1 From d9f4fe1272baf8edcf144d30b07910be08b0fa8c Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 00:44:48 +0200 Subject: [PATCH 02/27] catching up changes to www role --- roles/www/templates/01-sudo.is.conf.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/www/templates/01-sudo.is.conf.j2 b/roles/www/templates/01-sudo.is.conf.j2 index 818d985..baf3057 100644 --- a/roles/www/templates/01-sudo.is.conf.j2 +++ b/roles/www/templates/01-sudo.is.conf.j2 @@ -44,11 +44,13 @@ server { include /etc/nginx/well-known.conf; include /etc/nginx/sudo-known.conf; + location /{{ www_stream }} { + proxy_pass https://{{ owntone_url }}/{{ www_stream_owntone }}; + } location {{ coolcats }} { include /etc/nginx/require_auth.conf; autoindex on; } - location ~* ^.+\.json$ { add_header Content-Type application/json; } -- 2.40.1 From b9dd1149ea193bd2561d0a9c623104d279cba58b Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 00:51:12 +0200 Subject: [PATCH 03/27] catching up changes to certbot role --- roles/certbot/tasks/certbot.yml | 27 ++++++++------- .../certbot/templates/letsencrypt-hook.py.j2 | 24 ++++++++------ roles/certbot/templates/letsencrypt-new.py.j2 | 33 ++++++++++++++----- 3 files changed, 54 insertions(+), 30 deletions(-) diff --git a/roles/certbot/tasks/certbot.yml b/roles/certbot/tasks/certbot.yml index d762b7e..1d62e5c 100644 --- a/roles/certbot/tasks/certbot.yml +++ b/roles/certbot/tasks/certbot.yml @@ -47,18 +47,21 @@ - dns-provider-domains.json tags: - certbot-dns-config + - certbot-domains -- name: template renewal configs - template: - src: renewal.ini.j2 - dest: /etc/letsencrypt/renewal/{{ item.name }}.conf - owner: root - group: root - mode: 0644 - with_items: "{{ letsencrypt_sni }}" - loop_control: - label: "{{ item.name }}" - when: false +# - name: template renewal configs +# template: +# src: renewal.ini.j2 +# dest: /etc/letsencrypt/renewal/{{ item.name }}.conf +# owner: root +# group: root +# mode: 0644 +# with_items: "{{ letsencrypt_sni }}" +# loop_control: +# label: "{{ item.name }}" +# when: false +# tags: +# - certbot-domains # - name: temp force renew all certs # command: /usr/local/bin/certbot certonly --force-renewal -d {{ item.name }} @@ -79,6 +82,8 @@ - letsencrypt.sh - letsencrypt-hook.py - letsencrypt-new.py + tags: + - certbot-scripts - name: cron file template: diff --git a/roles/certbot/templates/letsencrypt-hook.py.j2 b/roles/certbot/templates/letsencrypt-hook.py.j2 index 6bf0679..04b0d73 100644 --- a/roles/certbot/templates/letsencrypt-hook.py.j2 +++ b/roles/certbot/templates/letsencrypt-hook.py.j2 @@ -15,23 +15,27 @@ def renewed_cert(name): dest_dir = os.path.join(cert_repo, name) os.makedirs(dest_dir, exist_ok=True) - for fname in filenames: - src = os.path.join(src_dir, fname) - dest = os.path.join(dest_dir, fname) - shutil.copy(src, dest) + try: + for fname in filenames: + src = os.path.join(src_dir, fname) + dest = os.path.join(dest_dir, fname) + shutil.copy(src, dest) - privkey = os.path.join(dest_dir, 'privkey.pem') - os.chmod(privkey, 0o640) - shutil.chown(privkey, group="adm") + privkey = os.path.join(dest_dir, 'privkey.pem') + os.chmod(privkey, 0o640) + shutil.chown(privkey, group="adm") + + print(f"renewed: {name}") + matrixmsg.send(f"cert: `{name}`") + except FileNotFoundError: + matrixmsg.send(f"no files found for `{name}` in `RENEWED_DOAINS`") - print(f"renewed: {name}") - matrixmsg.send(f"cert: `{name}`") def main(): try: for name in os.environ['RENEWED_DOMAINS'].split(" "): renewed_cert(name) - except IndexError: + except KeyError: print("error: no 'RENEWED_DOMAINS' env var present!") diff --git a/roles/certbot/templates/letsencrypt-new.py.j2 b/roles/certbot/templates/letsencrypt-new.py.j2 index 49ba269..fda613e 100644 --- a/roles/certbot/templates/letsencrypt-new.py.j2 +++ b/roles/certbot/templates/letsencrypt-new.py.j2 @@ -3,21 +3,32 @@ import subprocess import sys import json +import argparse + + +def parse_args(): + parser = argparse.ArgumentParser() + parser.add_argument("fqdn", help="domain to request a cert for") + parser.add_argument("--wildcard", action="store_true", help="wildcard cert") + parser.add_argument("--www", action="store_true", help="include www.") + return parser.parse_args() + def main(): - try: - fqdn = sys.argv[1] - except IndexError: - print(f"usage: {sys.argv[0]} ") - sys.exit(1) + args = parse_args() + return certbot_new(args.fqdn, wildcard=args.wildcard, www=args.www) - return certbot_new(fqdn) -def certbot_new(fqdn): + +def certbot_new(fqdn, wildcard, www): dns_file = "dns-provider-domains.json" with open(f'/usr/local/etc/letsencrypt/{dns_file}', 'r') as f: domains = json.load(f) + # add a --with-www or something instead of guessing like this + # and make 'domain' a list 'domains', and append/extend 'certbot_cmd' + # with a -d for each. + dotted = fqdn.split('.') domain = ".".join(dotted[1:]) @@ -31,9 +42,13 @@ def certbot_new(fqdn): certbot_cmd = [ "/usr/local/bin/certbot", "certonly", - "-d", fqdn, - dns_flag + dns_flag, + "-d", fqdn ] + if wildcard: + certbot_cmd.extend(["-d", f"*.{fqdn}"]) + if www: + certbot_cmd.extend(["-d", f"www.{fqdn}"]) print(" ".join(certbot_cmd)) -- 2.40.1 From eff47572911613f8f0c0a62d1b13981133133fb5 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 00:52:05 +0200 Subject: [PATCH 04/27] catching up changes to pihole role --- roles/pihole/tasks/pihole.yml | 2 ++ roles/pihole/templates/02-zone-forward.conf.j2 | 3 +++ 2 files changed, 5 insertions(+) create mode 100644 roles/pihole/templates/02-zone-forward.conf.j2 diff --git a/roles/pihole/tasks/pihole.yml b/roles/pihole/tasks/pihole.yml index 1607358..314e4af 100644 --- a/roles/pihole/tasks/pihole.yml +++ b/roles/pihole/tasks/pihole.yml @@ -115,6 +115,7 @@ - pihole-config with_items: - "99-edns.conf" + - "02-zone-forward.conf" notify: restart pihole - name: template unbound config @@ -126,6 +127,7 @@ mode: 0644 tags: - unbound + - a-records with_items: - unbound.conf - a-records.conf diff --git a/roles/pihole/templates/02-zone-forward.conf.j2 b/roles/pihole/templates/02-zone-forward.conf.j2 new file mode 100644 index 0000000..9852946 --- /dev/null +++ b/roles/pihole/templates/02-zone-forward.conf.j2 @@ -0,0 +1,3 @@ +{% for item in pihole_zone_forwards -%} +server=/{{ item.zone | trim }}/{{ item.resolver | trim }} +{% endfor %} -- 2.40.1 From 2fe82feefe84bc206069f497aac3b5919936f2a8 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 00:52:56 +0200 Subject: [PATCH 05/27] AllowedUsers for ssh forwarding --- roles/lb/tasks/main.yml | 15 +++++++++++++++ roles/lb/templates/10-lb.conf.j2 | 3 +++ 2 files changed, 18 insertions(+) create mode 100644 roles/lb/tasks/main.yml create mode 100644 roles/lb/templates/10-lb.conf.j2 diff --git a/roles/lb/tasks/main.yml b/roles/lb/tasks/main.yml new file mode 100644 index 0000000..c23a147 --- /dev/null +++ b/roles/lb/tasks/main.yml @@ -0,0 +1,15 @@ +--- + +# - name: sshd AllowedUsers config +# template: +# src: 10-lb.conf.j2 +# dest: /etc/ssh/sshd_config.d/10-lb.conf +# owner: root +# group: root +# mode: '0644' +# tags: +# - sshd +# - gitea +# notify: +# - reload ssh +# - restart ssh diff --git a/roles/lb/templates/10-lb.conf.j2 b/roles/lb/templates/10-lb.conf.j2 new file mode 100644 index 0000000..0cc0505 --- /dev/null +++ b/roles/lb/templates/10-lb.conf.j2 @@ -0,0 +1,3 @@ +# {{ ansible_managed }} + +AllowUsers {{ lb_sshd_allow_users.join(" ") }} \ No newline at end of file -- 2.40.1 From 5c7506bb3efb8c61b8029988f9b9929d10b97836 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 00:53:32 +0200 Subject: [PATCH 06/27] catching up changes to gitea role --- roles/gitea/tasks/gitea.yml | 6 +++--- roles/gitea/templates/01-gitea.j2 | 4 ++++ roles/gitea/templates/sitemap.xml.j2 | 5 +++++ 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/roles/gitea/tasks/gitea.yml b/roles/gitea/tasks/gitea.yml index 22bc744..86ebb7f 100644 --- a/roles/gitea/tasks/gitea.yml +++ b/roles/gitea/tasks/gitea.yml @@ -35,7 +35,7 @@ # from role/gitea/files/tmpl/ - name: data/gitea/templates - name: data/gitea/templates/custom - - name: data/gitea/templates/user/dashboard + #- name: data/gitea/templates/user/dashboard - name: data/gitea/conf - name: data/gitea/tmp @@ -92,8 +92,8 @@ - home.tmpl - custom/extra_links.tmpl - custom/extra_tabs.tmpl - - user/dashboard/feeds.tmpl - - user/dashboard/repolist.tmpl + #- user/dashboard/feeds.tmpl + #- user/dashboard/repolist.tmpl tags: - gitea-templates when: gitea_custom_tmpl_enabled diff --git a/roles/gitea/templates/01-gitea.j2 b/roles/gitea/templates/01-gitea.j2 index 2fb496e..e908f3c 100644 --- a/roles/gitea/templates/01-gitea.j2 +++ b/roles/gitea/templates/01-gitea.j2 @@ -67,6 +67,10 @@ server { # gitea itself can also serve this file alias {{ gitea_user.home }}/data/gitea/sitemap.xml; } + location /user/login { + return 302 /user/oauth2/{{ gitea_oidc_name }}; + } + location /user/forgot_password { return 302 https://{{ authelia_login_url }}/reset-password/step1; diff --git a/roles/gitea/templates/sitemap.xml.j2 b/roles/gitea/templates/sitemap.xml.j2 index 617293c..8f03e3b 100644 --- a/roles/gitea/templates/sitemap.xml.j2 +++ b/roles/gitea/templates/sitemap.xml.j2 @@ -1,6 +1,11 @@ + + https://www.{{ domain }}/ + 1.00 + + https://{{ gitea_url }}/ 1.00 -- 2.40.1 From 820a6da7bab4dbb75e20527ddf4165b930227013 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 00:54:19 +0200 Subject: [PATCH 07/27] catching up changes to jenkins role --- roles/jenkins/templates/01-apt.conf.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/jenkins/templates/01-apt.conf.j2 b/roles/jenkins/templates/01-apt.conf.j2 index ac534c6..ad90df3 100644 --- a/roles/jenkins/templates/01-apt.conf.j2 +++ b/roles/jenkins/templates/01-apt.conf.j2 @@ -8,10 +8,13 @@ server { # listen [::]:443 ssl; include listen-proxy-protocol.conf; + include /etc/nginx/authelia_internal.conf; + server_name {{ apt_url }}; root /var/www/{{ apt_url }}; location / { + include /etc/nginx/require_auth.conf; index index.html index.htm; autoindex on; autoindex_exact_size off; -- 2.40.1 From 6f07cc5cafeac853a4fcb4844da286f112ce90f9 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 00:54:41 +0200 Subject: [PATCH 08/27] half baked jellyfin-cache role, not in use --- roles/jellyfin-cache/meta/main.yml | 4 + roles/jellyfin-cache/tasks/jellyfin-cache.yml | 0 roles/jellyfin-cache/tasks/main.yml | 3 + roles/jellyfin-cache/templates/haproxy.cfg.j2 | 135 ++++++++++++++++++ 4 files changed, 142 insertions(+) create mode 100644 roles/jellyfin-cache/meta/main.yml create mode 100644 roles/jellyfin-cache/tasks/jellyfin-cache.yml create mode 100644 roles/jellyfin-cache/tasks/main.yml create mode 100644 roles/jellyfin-cache/templates/haproxy.cfg.j2 diff --git a/roles/jellyfin-cache/meta/main.yml b/roles/jellyfin-cache/meta/main.yml new file mode 100644 index 0000000..5f8caca --- /dev/null +++ b/roles/jellyfin-cache/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - haproxy diff --git a/roles/jellyfin-cache/tasks/jellyfin-cache.yml b/roles/jellyfin-cache/tasks/jellyfin-cache.yml new file mode 100644 index 0000000..e69de29 diff --git a/roles/jellyfin-cache/tasks/main.yml b/roles/jellyfin-cache/tasks/main.yml new file mode 100644 index 0000000..e64c702 --- /dev/null +++ b/roles/jellyfin-cache/tasks/main.yml @@ -0,0 +1,3 @@ +--- + - import_tasks: jellyfin-cache.yml + tags: jellyfin-cache diff --git a/roles/jellyfin-cache/templates/haproxy.cfg.j2 b/roles/jellyfin-cache/templates/haproxy.cfg.j2 new file mode 100644 index 0000000..d2c1650 --- /dev/null +++ b/roles/jellyfin-cache/templates/haproxy.cfg.j2 @@ -0,0 +1,135 @@ + +# also change haproxy role like this +# +# haproxy roel should set up haproxy, not configure it +# +# this role templates its copy of haproxy.cfg +# and then the lb role templates a different copy +# but both have haproxy as dependency +# +# haproxy does not support to include config files +# or split up the config in multiple parts. + +# https://www.haproxy.com/de/blog/haproxy-log-customization/ +global + chroot /var/lib/haproxy + maxconn 60000 + + # default: + {# #stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners + # #stats socket /run/haproxy/admin.sock user haproxy group haproxy mode 660 level admin + # #stats timeout 30s #} + + user haproxy + group haproxy + daemon + + {# # number of processes + # #nbproc 2 + # # number of threads + # #nbthread 4 + # + # # Default SSL material locations + # ca-base /etc/ssl/certs + # crt-base /etc/ssl/private + # + # # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate + # ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + # ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 + # ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets #} + +defaults + timeout connect 5000 + timeout client 50000 + timeout server 50000 + +{# defaults + # + # + # # mode http + # #option dontlognull + # #option log-health-checks + # errorfile 400 /etc/haproxy/errors/400.http + # errorfile 403 /etc/haproxy/errors/403.http + # errorfile 408 /etc/haproxy/errors/408.http + # errorfile 500 /etc/haproxy/errors/500.http + # errorfile 502 /etc/haproxy/errors/502.http + # errorfile 503 /etc/haproxy/errors/503.http + # errorfile 504 /etc/haproxy/errors/504.http + # #log-format '{"type":"haproxy","timestamp":%Ts,"http_status":%ST,"http_request":"%r","remote_addr":"%ci","bytes_read":%B,"upstream_addr":"%si","backend_name":"%b","retries":%rc,"bytes_uploaded":%U,"upstream_response_time":"%Tr","upstream_connect_time":"%Tc","session_duration":"%Tt","termination_state":"%ts"}' + # + # # http: + # # log-format '{"pid":%pid,"haproxy_frontend_type":"http","haproxy_process_concurrent_connections":%ac,"haproxy_frontend_concurrent_connections":%fc,"haproxy_backend_concurrent_connections":%bc,"haproxy_server_concurrent_connections":%sc,"haproxy_backend_queue":%bq,"haproxy_server_queue":%sq,"haproxy_client_request_send_time":%Tq,"haproxy_queue_wait_time":%Tw,"haproxy_server_wait_time":%Tc,"haproxy_server_response_send_time":%Tr,"response_time":%Td,"session_duration":%Tt,"request_termination_state":"%tsc","haproxy_server_connection_retries":%rc,"remote_addr":"%ci","remote_port":%cp,"frontend_addr":"%fi","frontend_port":%fp,"frontend_ssl_version":"%sslv","frontend_ssl_ciphers":"%sslc","request_method":"%HM","request_uri":"%[capture.req.uri,json(utf8s)]","request_http_version":"%HV","host":"%[capture.req.hdr(0)]","referer":"%[capture.req.hdr(1),json(utf8s)]","haproxy_frontend_name":"%f","haproxy_backend_name":"%b","haproxy_server_name":"%s","status":%ST,"response_size":%B,"request_size":%U}' #} + +listen health + bind :{{ haproxy_stats_port }} + # interface wg0 interface lo + mode http + + acl health_allowed src {{ wg_clients[ansible_control_host].ip }}/32 + acl health_allowed src 127.0.0.1/32 + http-request deny unless health_allowed + + stats enable + stats uri /stats + stats refresh 10s + stats admin unless FALSE {# unless LOCALHOST #} + + monitor-uri /health + option httpchk + option dontlognull + +frontend https-redirect + mode http + bind :80 + http-request redirect scheme https + + +frontend {{ lb_url }} + bind *:443 + mode tcp + log /dev/log local0 + option tcplog + + log-format '{"pid":%pid,"server_name":"%b", "haproxy_frontend_type":"tcp","haproxy_process_concurrent_connections":%ac,"haproxy_frontend_concurrent_connections":%fc,"haproxy_backend_concurrent_connections":%bc,"haproxy_server_concurrent_connections":%sc,"haproxy_backend_queue":%bq,"haproxy_server_queue":%sq,"haproxy_queue_wait_time":%Tw,"haproxy_server_wait_time":%Tc,"response_time":%Td,"session_duration":%Tt,"request_termination_state":"%tsc","haproxy_server_connection_retries":%rc,"remote_addr":"%ci","remote_port":%cp,"frontend_addr":"%fi","frontend_port":%fp,"frontend_ssl_version":"%sslv","frontend_ssl_ciphers":"%sslc","haproxy_frontend_name":"%f","haproxy_backend_name":"%b","haproxy_server_name":"%s","response_size":%B,"request_size":%U}' + + tcp-request inspect-delay 5s + tcp-request content accept if { req_ssl_hello_type 1 } + + {% for item in lb_tcp -%} + use_backend {{ item.fqdn }} if { req.ssl_sni -i {{ item.fqdn }} } + {% endfor %} + + {# balance leastconn #} + + +{# + # from backend (not used): + default-server check maxconn 20 + #} + +{% for item in lb_tcp -%} +{% if item.proxy_protocol|default(true) -%} +backend {{ item.fqdn }} + mode tcp + balance leastconn + {% if item.tcp_keepalive|default(false) -%} + option tcpka + {% endif -%} + {% for origin in item.origins -%} + server {{ origin.name }} {{ origin.name }}:{{ origin.port | default(40443) }} send-proxy-v2 check + {% endfor %} + +{% else -%} +backend {{ item.fqdn }} + mode tcp + option ssl-hello-chk + {% if item.tcp_keepalive|default(false) -%} + option tcpka + {% endif -%} + {% for origin in item.origins -%} + server {{ origin.name }} {{ origin.name }}:{{ origin.port | default(443) }} check + {% endfor %} + +{% endif %} +{% endfor %} -- 2.40.1 From 701c3c9ed68e6bd72e7ca5debad796cd752a9d5d Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 00:56:18 +0200 Subject: [PATCH 09/27] ignore playbook symlinks --- .gitignore | 30 +----------------------------- 1 file changed, 1 insertion(+), 29 deletions(-) diff --git a/.gitignore b/.gitignore index 9c22647..938c0de 100644 --- a/.gitignore +++ b/.gitignore @@ -67,32 +67,4 @@ group_vars/ host_vars/ playbooks/ -/hosts.yml -/common.yml -/homeservers.yml -/hosts-sensors.yml -/hosts.yml -/letsencrypt.yml -/lychener54.yml -/monitoring-server.yml -/nextcloud.yml -/sensors.yml -/site.yml -/vpnservers.yml -/site2.yml -/mathom.yml -/haproxy.yml -/auth.yml -/mainframe.yml -/nginx.yml -/common.yml -/turn.yml -/sensnet.yml -/backup.yml -/jenkins.yml -/kvm.yml -/paperless.yml -/vaultwarden.yml -/mirrors.yml -/lb.yml -/gitea-proxy.yml +/*.yml -- 2.40.1 From d9ac2064a17910d3dbe3fb9f7411a288e38b43e6 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 00:57:00 +0200 Subject: [PATCH 10/27] commiting half baked podgrab role, not in use, and nginx config is in hass role (for some reason, seemed like a good idea at the time) --- roles/podgrab/handlers/main.yml | 6 +++++ roles/podgrab/tasks/main.yml | 3 +++ roles/podgrab/tasks/podgrab.yml | 47 +++++++++++++++++++++++++++++++++ 3 files changed, 56 insertions(+) create mode 100644 roles/podgrab/handlers/main.yml create mode 100644 roles/podgrab/tasks/main.yml create mode 100644 roles/podgrab/tasks/podgrab.yml diff --git a/roles/podgrab/handlers/main.yml b/roles/podgrab/handlers/main.yml new file mode 100644 index 0000000..13ea23f --- /dev/null +++ b/roles/podgrab/handlers/main.yml @@ -0,0 +1,6 @@ +- name: restart podgrab container + docker_container: + name: podgrab + state: started + restart: true + when: podgrab_container is not defined or not podgrab_container.changed diff --git a/roles/podgrab/tasks/main.yml b/roles/podgrab/tasks/main.yml new file mode 100644 index 0000000..23367f7 --- /dev/null +++ b/roles/podgrab/tasks/main.yml @@ -0,0 +1,3 @@ +--- + - import_tasks: podgrab.yml + tags: podgrab diff --git a/roles/podgrab/tasks/podgrab.yml b/roles/podgrab/tasks/podgrab.yml new file mode 100644 index 0000000..e6fe2be --- /dev/null +++ b/roles/podgrab/tasks/podgrab.yml @@ -0,0 +1,47 @@ +--- + +- name: create dir structure + file: + path: "{{ systemuserlist.archives.home }}/podgrab/{{ item.name }}" + state: directory + mode: "{{ item.mode | default('0755') }}" + owner: "{{ systemuserlist.archives.username }}" + group: media + loop_control: + label: "{{ item.name }}" + with_items: + - name: data + - name: config + tags: + - podgrab-dirs + +- name: start podgrab container + docker_container: + name: podgrab + image: akhilrex/podgrab + user: "{{ systemuserlist.archives.uid }}:{{ grouplist.media.gid }}" + detach: true + pull: true + restart_policy: "no" + state: "{{ podgrab_container_state | default('started') }}" + container_default_behavior: compatibility + networks_cli_compatible: false + network_mode: bridgewithdns + networks: + - name: bridgewithdns + env: + BASE_URL: "https://{{ hass_url }}/podcasts" + CHECK_FREQUENCY: "240" + ports: + - "127.0.0.1:{{ podgrab_port }}:8080" + mounts: + - type: bind + source: "{{ systemuserlist.archives.home }}/podgrab/data" + target: /assets + - type: bind + source: "{{ systemuserlist.archives.home }}/podgrab/config" + target: /config + tags: + - podgrab-container + - docker-containers + register: podgrab_container -- 2.40.1 From 25f2600cd730491c6061a319290a0997f38fc8b2 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 00:57:31 +0200 Subject: [PATCH 11/27] catching up changes to authelia role --- roles/authelia/handlers/main.yml | 1 - roles/authelia/tasks/authelia.yml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/authelia/handlers/main.yml b/roles/authelia/handlers/main.yml index 068c398..abfa19b 100644 --- a/roles/authelia/handlers/main.yml +++ b/roles/authelia/handlers/main.yml @@ -8,7 +8,6 @@ - name: restart authelia container docker_container: name: authelia - image: authelia/authelia state: started restart: true diff --git a/roles/authelia/tasks/authelia.yml b/roles/authelia/tasks/authelia.yml index a804d35..e437098 100644 --- a/roles/authelia/tasks/authelia.yml +++ b/roles/authelia/tasks/authelia.yml @@ -105,7 +105,7 @@ - name: start container docker_container: name: authelia - image: authelia/authelia:latest + image: ghcr.io/authelia/authelia:master restart_policy: "unless-stopped" auto_remove: false detach: true -- 2.40.1 From 6e8ea69fe87ec03a8f2bb1aa02c642aac23bb4ad Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 00:57:56 +0200 Subject: [PATCH 12/27] catching up changes to common roles --- .../tasks/common-letsencrypt.yml | 50 ++++++++++--------- roles/common/tasks/common.yml | 37 +++++++++++++- roles/common/tasks/main.yml | 1 + .../common/templates/reboot_required-cron.j2 | 6 +-- 4 files changed, 64 insertions(+), 30 deletions(-) diff --git a/roles/common-letsencrypt/tasks/common-letsencrypt.yml b/roles/common-letsencrypt/tasks/common-letsencrypt.yml index e3c3c5e..03ffffb 100644 --- a/roles/common-letsencrypt/tasks/common-letsencrypt.yml +++ b/roles/common-letsencrypt/tasks/common-letsencrypt.yml @@ -1,29 +1,31 @@ --- -- name: ensure hostname letsencrypt cert exists - command: - cmd: /usr/local/bin/letsencrypt-new.py {{ inventory_hostname }} - creates: /usr/local/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem - delegate_to: localhost - tags: - - letsencrypt-certs - - letsencrypt-hostname-cert +# - name: ensure hostname letsencrypt cert exists +# command: +# cmd: /usr/local/bin/letsencrypt-new.py {{ inventory_hostname }} +# creates: /usr/local/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem +# delegate_to: localhost +# tags: +# - letsencrypt-certs +# - letsencrypt-hostname-cert + +# - name: install hostname cert +# copy: +# src: "/usr/local/etc/letsencrypt/live/{{ item }}" +# dest: "/usr/local/etc/certs/" +# owner: root +# group: root +# mode: 0755 +# tags: +# - letsencrypt +# - letsencrypt-certs +# #notify: reload nginx +# vars: +# prediff_cmd: echo +# with_items: +# - "{{ inventory_hostname }}" + -- name: install hostname cert - copy: - src: "/usr/local/etc/letsencrypt/live/{{ item }}" - dest: "/usr/local/etc/certs/" - owner: root - group: root - mode: 0755 - tags: - - letsencrypt - - letsencrypt-certs - #notify: reload nginx - vars: - prediff_cmd: echo - with_items: - - "{{ inventory_hostname }}" - name: install current letsencrypt wildcards where they should be installed copy: @@ -35,6 +37,7 @@ tags: - letsencrypt - letsencrypt-wildcard + - letsencrypt-certs #notify: reload nginx vars: prediff_cmd: echo @@ -57,3 +60,4 @@ tags: - letsencrypt - letsencrypt-wildcard + - letsencrypt-certs diff --git a/roles/common/tasks/common.yml b/roles/common/tasks/common.yml index 5a1cf6e..e22f12e 100644 --- a/roles/common/tasks/common.yml +++ b/roles/common/tasks/common.yml @@ -6,6 +6,26 @@ tags: - hostname +- name: ensure hostname in /etc/hosts + lineinfile: + dest: /etc/hosts + line: "{{ etc_hosts_ip }} {{ inventory_hostname }} {{ inventory_hostname.split('.')[0] }}" + state: present + when: etc_hosts_ip is defined + tags: + - etc-hosts + +- name: ensure no 127.0.0.0/8 entries for hostname in /etc/hosts (when required) + lineinfile: + dest: /etc/hosts + regexp: "^127.*{{ item }}.*" + state: absent + with_items: + - "{{ inventory_hostname }}" + - "{{ inventory_hostname.split('.')[0] }}" + when: etc_hosts_rm|default(false) + tags: etc-hosts + # - name: set image hostname # hostname: # name: "sensor-image" @@ -238,6 +258,7 @@ - dnsutils - file - git + - gnupg - haveged - htop - iotop @@ -292,13 +313,14 @@ - requests - psutil - humanize # added because of telegraf/vnstat.py - state: latest + state: present executable: pip3 tags: - pip - common-pip - common-pip-packages - packages + - pip-latest - name: remove pip packages that are only needed on mainframe pip: @@ -346,7 +368,7 @@ - update-motd - landscape-client - landscape-common - autoremove: false + autoremove: true state: absent purge: true tags: packages @@ -590,3 +612,14 @@ tags: - packages - apt.sudo.is + +- name: ensure /deadspace exists + file: + path: /deadspace + state: directory + owner: root + group: "{{ grouplist.media.gid }}" + mode: "0775" + tags: + - deadspace + - deadspace-dir diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index c307c38..6a3dcf6 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -3,3 +3,4 @@ - import_tasks: common.yml tags: - common + - common-base diff --git a/roles/common/templates/reboot_required-cron.j2 b/roles/common/templates/reboot_required-cron.j2 index 7910552..6a2e088 100644 --- a/roles/common/templates/reboot_required-cron.j2 +++ b/roles/common/templates/reboot_required-cron.j2 @@ -1,10 +1,6 @@ # distributed from ansible # m h dom mon dow -*/30 * * * * root /usr/local/bin/reboot_required.py - - -# @reboot /usr/local/bin/reboot_required.py - +0 8 * * * root /usr/local/bin/reboot_required.py # -- 2.40.1 From c15f2399245976a9ee1528dcf56037d79bcf44f9 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 00:58:34 +0200 Subject: [PATCH 13/27] remove commented out hostname certs --- .../tasks/common-letsencrypt.yml | 27 ------------------- 1 file changed, 27 deletions(-) diff --git a/roles/common-letsencrypt/tasks/common-letsencrypt.yml b/roles/common-letsencrypt/tasks/common-letsencrypt.yml index 03ffffb..47ccaa1 100644 --- a/roles/common-letsencrypt/tasks/common-letsencrypt.yml +++ b/roles/common-letsencrypt/tasks/common-letsencrypt.yml @@ -1,32 +1,5 @@ --- -# - name: ensure hostname letsencrypt cert exists -# command: -# cmd: /usr/local/bin/letsencrypt-new.py {{ inventory_hostname }} -# creates: /usr/local/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem -# delegate_to: localhost -# tags: -# - letsencrypt-certs -# - letsencrypt-hostname-cert - -# - name: install hostname cert -# copy: -# src: "/usr/local/etc/letsencrypt/live/{{ item }}" -# dest: "/usr/local/etc/certs/" -# owner: root -# group: root -# mode: 0755 -# tags: -# - letsencrypt -# - letsencrypt-certs -# #notify: reload nginx -# vars: -# prediff_cmd: echo -# with_items: -# - "{{ inventory_hostname }}" - - - - name: install current letsencrypt wildcards where they should be installed copy: src: "/usr/local/etc/letsencrypt/live/{{ item }}" -- 2.40.1 From 8b1b246702ae846a40916f3d095b76b1a13961b2 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 00:59:27 +0200 Subject: [PATCH 14/27] commite experimental proxmox role --- .../files/proxmox-release-bullseye.gpg | Bin 0 -> 1187 bytes roles/proxmox/handlers/main.yml | 4 + roles/proxmox/tasks/main.yml | 4 + roles/proxmox/tasks/proxmox.yml | 74 ++++++++++++++++++ 4 files changed, 82 insertions(+) create mode 100644 roles/proxmox/files/proxmox-release-bullseye.gpg create mode 100644 roles/proxmox/handlers/main.yml create mode 100644 roles/proxmox/tasks/main.yml create mode 100644 roles/proxmox/tasks/proxmox.yml diff --git a/roles/proxmox/files/proxmox-release-bullseye.gpg b/roles/proxmox/files/proxmox-release-bullseye.gpg new file mode 100644 index 0000000000000000000000000000000000000000..d577ed1cf505d240b06d3fb277806cdd54f2793b GIT binary patch literal 1187 zcmV;U1YG->0u2OTsOZ!I5CGi~;`@a>0hNDbZ5$umM4I@2%Q`U>7)$A9NjZ?rtRgSC z4K>T}(&%Rd8C+tF-EN|{xdr`+1o9UKoO;Dzpqzedx2$SVNMA4WuJK2yCeggeM)J^I zh7R2#_ec=VmYxo{Y#VXEg!lRyaadnvj-B^_AsZd5x!~6MhZGDi=R&aOAeY_yE32DZ z2ceS&;mmm5k5J?pT$3hE)N6YvRD@2CYR)4R2!-xBNZU1;@N5^Q9yL=*Q)+#}mQm&?b~C@4+vITUJM zhZ52i2Jo!bJ7S`zVuFPj(aFcaYAe_LiZN>nj^1slXvQ*dLv*#LfipVSD0o`i@eUnx zEUr+~5t<=@&#ng%hI6>*ue>CIm7xV->ASgunZ3EKN<}*>`8KL@(C`e(p@%wy0h&g* z*eM)d@^CgQq5kY(SP<5I(*Nv&rGjxxlZd{FG{T6g6#5B&a{B> zZ3>+R`GZp}_YD9M0RRECI#6zY-M3{Wgtssc_2J+a&LHT zZ+I~5`i+#yWumB-dc0u~fZ6%5YUqJUwC5bQZY0XIREsod*(D-7 zTqZoY)^YSTfkqGYm;?ya^Eha`qulU?`l zrR)^4Hrd-UmY3)2$Myqd`jx57TaB0#GxM0_xQ%LRg98D)*zGttVrdaOrhn+j^%qO> zLRV8D9yx_eUCikXXiv{;h{1)wBWGaG8NB;Kp%lKyTSrcXY9ULtnTrJuzsWW2Q!mnQ zA}jd0O_?}kiTWX{GyPOya@;m9F3Ai0VSU3=Tj4P|zJ}aWpxt9x#pXT%ZTuZ-BaWMy z_jHWALfV37MyU;S>7Q+N8qDJez5spLY<~JL1x6Mu0Xl3(NSKu>izL?luX@Zj+}As$ z0?_ZdlU5&2XO_23qGaUnLBkT*e;ExnJBZ3{oN!t1!dM+1^ee!!!38CrVvL zlvl_XP}zxN=brSY$%=Oj`1@;E7i)Xh+(?KWV_0V~goh^OsXtDSvBii~Mk{C*hm($n BG?)MY literal 0 HcmV?d00001 diff --git a/roles/proxmox/handlers/main.yml b/roles/proxmox/handlers/main.yml new file mode 100644 index 0000000..4b641f7 --- /dev/null +++ b/roles/proxmox/handlers/main.yml @@ -0,0 +1,4 @@ +--- + +- name: update grub + command: update-grub diff --git a/roles/proxmox/tasks/main.yml b/roles/proxmox/tasks/main.yml new file mode 100644 index 0000000..126e316 --- /dev/null +++ b/roles/proxmox/tasks/main.yml @@ -0,0 +1,4 @@ +--- + +- import_tasks: proxmox.yml + tags: proxmox diff --git a/roles/proxmox/tasks/proxmox.yml b/roles/proxmox/tasks/proxmox.yml new file mode 100644 index 0000000..bb4df0b --- /dev/null +++ b/roles/proxmox/tasks/proxmox.yml @@ -0,0 +1,74 @@ +--- + +- name: add apt repo + apt_repository: + repo: "deb [arch=amd64] http://download.proxmox.com/{{ ansible_lsb.id | lower }}/pve {{ ansible_lsb.codename | lower}} pve-no-subscription" + state: present + update_cache: false + filename: /etc/apt/sources.list.d/pve-install-repo + tags: + - packages + - proxmox-repo + +- name: copy gpg key for repo + copy: + src: proxmox-release-bullseye.gpg + dest: /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg + owner: root + group: root + mode: "0644" + tags: + - packages + +- name: apt-get update + apt: + update_cache: true + tags: + - packages + +# NOTE: not in ansible yet, docs say to do a "apt full-upgrade" now. + +- name: install proxmox kernel + apt: + name: pve-kernel-5.15 + state: present + tags: + - packages + +# NOTE: also not in ansible, reboot after this. + +- name: install poxmox ve + apt: + name: + - proxmox-ve + #- postfix + - open-iscsi + state: present + tags: + - packages + +- name: remove the enterprise repo that gets installed + file: + path: /etc/apt/sources.list.d/pve-enterprise.list + state: absent + tags: + - packages + register: enterprise_removed + +- name: update apt if enterprise repo removed + apt: + update_cache: true + tags: + - packages + when: enterprise_removed.changed + +- name: remove debian kernel and os-prober + apt: + name: + - linux-image-amd64 + - 'linux-image-5.10*' + - os-prober + state: absent + notify: update grub + tags: + - packages -- 2.40.1 From fc536db5a12ed7bbdc8d86c6d0eec9ddbc2a3f4c Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 01:02:28 +0200 Subject: [PATCH 15/27] catching up changes to telegraf role --- .../files/influxdb-archive-keyring.gpg | Bin 0 -> 1367 bytes roles/telegraf/tasks/telegraf.yml | 61 +++++++++++++++--- 2 files changed, 53 insertions(+), 8 deletions(-) create mode 100644 roles/telegraf/files/influxdb-archive-keyring.gpg diff --git a/roles/telegraf/files/influxdb-archive-keyring.gpg b/roles/telegraf/files/influxdb-archive-keyring.gpg new file mode 100644 index 0000000000000000000000000000000000000000..a8cdc9a9d6968a0bcc6c0039b5809ec22f403c35 GIT binary patch literal 1367 zcmZQzU{GLWWMJ}kib!Jsg5)a(<{%7WLjbEe6C;=v$H2gHl!1{!W^VA@373s}k6$}+ zdFPG)ee$(GHq-%CC_vN$Rq!w{Fo8rMrZ6(FKxN<*(1t(|XC@ObOY#X}bw&Y(mC{|4 z`eYnl{-|)6>Ukv8agSo|x2uK!1a5283ZB+a>Wb;96mMeGt>>J1Y5(_!JeQV*d{?Po zrT#wWzlDutVfdNw1;-~#&U`KZ)@jQw&h%50UgcQaZP(O&`=C^5?}`GMpJ7|KA6|8| z_n?7J+DcWeNdb|)4LpDJ*0~*;bxo-6gtXq%dAE!2&Y9)yQ=Q5sY%=fa{^^_UT{lyf z_{z3en6t^kG$CKUJG1_*E?@nzyUuwlH$R=YZ_5Oi74b~&CmKDP;srAKf=f3|uD(0d zVd9e6zj7wmIBimut4z9|Df^STWJcLb(FEc6Ua3dVX0K8zUGR6RrLX$sKZk-oFKYjO zWa^D&JGk}jkI&+cI#g80FX$21de&^JTFVp97iHhlCvhn&b{wn-2z}dqctcG#gKzl# z;$Xhgx7o9fmqZ-j_@S-3_#0!PcjLsP3s&sd(CX}$3~?*Ung08RIwM$(z|&?{(0^BlWW#TJQFbP@_##X_IZW5_wQbxa;!gs zFZQJKs{LDIX8q;Z!1lbbZokINnM^`$tKQZg-M4yw+3cHQcY=GjH9gwS{i8lm_@?TX z#q~KBy{?r3=G*o@OL!qDI)BTOr(3raKK(P_aca(Iw>R1s%O3gn78h@}J$f!x=p&D%MaI7|KAe@PyHIAaBuAcG(y1LFo@%1JLshom=#E#{tiX*s18E{P?H3IU19*@@|? z3c;D_d6{|X3f`%e3O2>11qJyDU?N+k%PgWjhmB$ zotcSEl!J+ricC%>~SS(z>q_%(kw5!b_|HWFi3!KaCKFxM&-`;DD{U(yrp1WDeO;Ye$aA@;Z zRv(qTBGU;OU*tH~Ehs;5Dm`|N%eG}PEWbHbuU-~e_{MoB<5y$eMcc0IF?L@hqqA%W z&*5|Wa+)lYZ+zm`3SZi_U-*yygtJT)t(^ClY}=E4fJ^N+o0?VJUq;8x7HhM%x$U^s z9J6z80P8oVl&b#k>x8YQ_(ruDOkC|E!*aAZU!vuAL7%dT|7_a|^)mHKGxg7frkL4< zq{?f34-}gI)Nn#T|8<@_aoi?llft^Ta9GZFx%o{0&UR(t^@hEdY&1_b+{6WhfB3;GgL68Ggyh#lK`)UCSb-i%)df9GU&?t3IGo{ BOr-z- literal 0 HcmV?d00001 diff --git a/roles/telegraf/tasks/telegraf.yml b/roles/telegraf/tasks/telegraf.yml index 1833769..62c165c 100644 --- a/roles/telegraf/tasks/telegraf.yml +++ b/roles/telegraf/tasks/telegraf.yml @@ -36,11 +36,12 @@ - name: install humanize pip: name: humanize - state: latest + state: present executable: pip3 tags: - pip - packages + - pip-latest - name: template vnstat script template: @@ -63,32 +64,45 @@ # with_items: "{{ systemuserlist.telegraf.groups }}" # when: 'item in etc_groups.stdout_lines' -- name: add apt key for influxdata to install telegraf - apt_key: - url: https://repos.influxdata.com/influxdb.key - state: present - tags: - - packages +# sudo gpg --no-default-keyring --keyring /usr/share/keyrings/influxdb-archive-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys D8FF8E1F7DF8B07E +# - name: add apt key for influxdata to install telegraf +# apt_key: +# url: https://repos.influxdata.com/influxdb.key +# state: present +# tags: +# - packages - name: set distro to debian if raspbian set_fact: distro: debian when: ansible_lsb.id == "Raspbian" + tags: + - influx-repo + - packages - name: otherwise use lsb id set_fact: distro: "{{ ansible_lsb.id }}" when: ansible_lsb.id != "Raspbian" + tags: + - influx-repo + - packages - name: set codename to bullseye if bookworm set_fact: codename: bullseye when: ansible_lsb.codename == "bookworm" + tags: + - influx-repo + - packages - name: set codename to focal if hirsute set_fact: codename: focal when: ansible_lsb.codename == "hirsute" + tags: + - influx-repo + - packages - name: otherwise use lsb codename set_fact: @@ -96,14 +110,45 @@ when: - ansible_lsb.codename != "bookworm" - ansible_lsb.codename != "hirsute" + tags: + - influx-repo + - packages + +- name: get influxdb key + get_url: + url: https://repos.influxdata.com/influxdb.key + dest: /etc/apt/trusted.gpg.d/influxdb.asc + tags: + - influx-repo + - packages + +- name: get dearmored influxdb key (the key downloaded in the other task doesnt work) + command: + cmd: gpg --no-default-keyring --keyring /usr/share/keyrings/influxdb-archive-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys D8FF8E1F7DF8B07E + creates: /usr/share/keyrings/influxdb-archive-keyring.gpg + tags: + - influx-repo + - packages + +- name: remove repo definition without signed-by + apt_repository: + repo: deb https://repos.influxdata.com/{{ distro | lower }} {{ codename }} stable + state: absent + update_cache: false + tags: + - packages + - influx-repo - name: add repo for influxdata to install telegraf apt_repository: - repo: deb https://repos.influxdata.com/{{ distro | lower }} {{ codename }} stable + repo: deb [signed-by=/usr/share/keyrings/influxdb-archive-keyring.gpg] https://repos.influxdata.com/{{ distro | lower }} {{ codename }} stable + #repo: deb [signed-by=/etc/apt/trusted.gpg.d/influxdb.asc] https://repos.influxdata.com/{{ distro | lower }} {{ codename }} stable state: present + update_cache: false when: not skip_apt|default(false) tags: - packages + - influx-repo - name: install telegraf apt: -- 2.40.1 From 66a6be764ed5b03d9a7dda46c06ac37f8544a114 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 01:03:18 +0200 Subject: [PATCH 16/27] catching up changes to fde-dropbear role --- roles/fde-dropbear/tasks/fde-dropbear.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/fde-dropbear/tasks/fde-dropbear.yml b/roles/fde-dropbear/tasks/fde-dropbear.yml index 5998179..56297ed 100644 --- a/roles/fde-dropbear/tasks/fde-dropbear.yml +++ b/roles/fde-dropbear/tasks/fde-dropbear.yml @@ -37,7 +37,7 @@ - name: authorized_keys for dropbear template: src: "private/sshkeys/{{ myusername }}.authorized_keys" - dest: /etc/dropbear/initramfs/authorized_keys + dest: "{{ dropbear_initramfs_dir|default('/etc/dropbear/initramfs') }}/authorized_keys" mode: 0700 force: true notify: update initramfs -- 2.40.1 From 1664ecc30a1e7c5683dada97ba8fbc1d29a8bbef Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 01:03:38 +0200 Subject: [PATCH 17/27] catching up changes to unifi role --- roles/unifi/tasks/unifi.yml | 38 ++++++++++++++----- roles/unifi/templates/02-unifi.conf.j2 | 51 ++++++++++++++------------ 2 files changed, 57 insertions(+), 32 deletions(-) diff --git a/roles/unifi/tasks/unifi.yml b/roles/unifi/tasks/unifi.yml index a734cc0..8e58820 100644 --- a/roles/unifi/tasks/unifi.yml +++ b/roles/unifi/tasks/unifi.yml @@ -30,12 +30,20 @@ - name: create dir structure file: - path: "{{ unifi_root }}" state: directory - mode: 0750 - owner: unifi - group: unifi - recurse: no + path: "{{ unifi_root }}/{{ item.name }}" + owner: "{{ systemuserlist.unifi.uid }}" + group: "{{ systemuserlist.unifi.gid }}" + mode: "{{ item.mode | default('0770') }}" + tags: + - unifi-dirs + loop_control: + label: "{{ item.name }}" + with_items: + - name: data + - name: log + - name: run + mode: "0775" # to adopt # ssh unifi-ap @@ -74,20 +82,32 @@ state: started init: true pull: true - #user: "{{ systemuserlist['unifi']['uid'] }}:{{ systemuserlist['unifi']['gid'] }}" + user: "{{ systemuserlist['unifi']['uid'] }}:{{ systemuserlist['unifi']['gid'] }}" env: TZ: "Europe/Berlin" RUNAS_UID0: "false" UNIFI_UID: "{{ systemuserlist['unifi']['uid'] }}" UNIFI_GID: "{{ systemuserlist['unifi']['gid'] }}" + UNIFI_HTTPS_PORT: "443" container_default_behavior: compatibility - volumes: - - "{{ unifi_root }}:/unifi" + network_mode: bridgewithdns + networks: + - name: bridgewithdns + ipv4_address: "{{ bridgewithdns.unifi }}" + mounts: + - type: bind + source: "{{ unifi_root }}/data" + target: "/unifi/data" + - type: bind + source: "{{ unifi_root }}/run" + target: "/unifi/run" + - type: bind + source: "{{ unifi_root }}/log" + target: "/unifi/log" ports: - "3478:3478/udp" # STUN - "6789:6789/tcp" # Speed test - "8080:8080/tcp" # Device/ controller comm. - - "127.0.0.1:8443:8443/tcp" # Controller GUI/API as seen in a web browser - "10001:10001/udp" # AP discovery tags: - unifi-container diff --git a/roles/unifi/templates/02-unifi.conf.j2 b/roles/unifi/templates/02-unifi.conf.j2 index 31e9347..a82a820 100644 --- a/roles/unifi/templates/02-unifi.conf.j2 +++ b/roles/unifi/templates/02-unifi.conf.j2 @@ -2,30 +2,40 @@ server { - listen 443 ssl; - listen [::]:443 ssl; # listen for ipv6 + listen 443 ssl; + server_name {{ unifi_url }} {{ unifi_url2 }}; - server_name {{ unifi_url }}; + ssl_session_timeout 5m; + ssl_certificate /usr/local/etc/certs/{{ domain }}/fullchain.pem; + ssl_certificate_key /usr/local/etc/certs/{{ domain }}/privkey.pem; - location /wss/ { - proxy_pass https://localhost:8443; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host $host; - } + include /etc/nginx/authelia_internal.conf; - location /inform { - proxy_pass http://localhost:8080; + location /wss/ { + #include /etc/nginx/require_auth.conf; + + proxy_pass https://{{ bridgewithdns.unifi }}:443; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $host; + } + + location /inform { + proxy_pass http://localhost:8080; - proxy_redirect off; proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $server_name; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + } - } + location / { + #include /etc/nginx/require_auth.conf; - - location / { - proxy_pass https://localhost:8443/; + proxy_pass https://{{ bridgewithdns.unifi }}:443; proxy_redirect off; proxy_set_header Host $host; @@ -34,16 +44,11 @@ server { proxy_set_header X-Forwarded-Host $server_name; proxy_set_header X-Forwarded-Proto $scheme; - } + } access_log /var/log/nginx/access_{{ unifi_url }}.log main; error_log /var/log/nginx/error_{{ unifi_url }}.log warn; - ssl_session_timeout 5m; - - ssl_certificate /usr/local/etc/certs/{{ domain }}/fullchain.pem; - ssl_certificate_key /usr/local/etc/certs/{{ domain }}/privkey.pem; - add_header Referrer-Policy "no-referrer" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Download-Options "noopen" always; -- 2.40.1 From 0c3050bae3e15ac083cadd73f28d5d740337d6a8 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 01:04:09 +0200 Subject: [PATCH 18/27] catching up changes to dotfiles role --- roles/dotfiles/defaults/main.yml | 14 ++++++++------ roles/dotfiles/tasks/dotfiles.yml | 16 +++++++++++++--- 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/roles/dotfiles/defaults/main.yml b/roles/dotfiles/defaults/main.yml index 1464e98..80326aa 100644 --- a/roles/dotfiles/defaults/main.yml +++ b/roles/dotfiles/defaults/main.yml @@ -1,12 +1,14 @@ dotfiles_path: "/srv/dotfiles" dotfiles_repo: "https://git.sudo.is/ben/dotfiles.git" dotfiles: - - { src: 'zsh/.zshrc', dest: '.zshrc', root: yes } - - { src: 'zsh/jreese2.zsh-theme', dest: '.zsh.d/', root: yes} - - { src: 'emacs/.emacs', dest: '.emacs', root: yes } - - { src: 'tmux/.tmux.simple.conf', dest: '.tmux.conf', root: yes} - - { src: 'tmux/.tmux.remote.conf', dest: '.tmux.remote.conf', root: yes} - - { src: 'ssh/config', dest: '.ssh/config', root: no } + - { src: 'zsh/.zshrc', dest: '.zshrc', root: false } + - { src: 'zsh/jreese2.zsh-theme', dest: '.zsh.d/', root: false } + - { src: '.emacs.d', dest: '.emacs.d', root: false } + - { src: 'tmux/.tmux.simple.conf', dest: '.tmux.conf', root: true} + - { src: 'tmux/.tmux.remote.conf', dest: '.tmux.remote.conf', root: true} + - { src: 'ssh/config', dest: '.ssh/config', root: false } +dotfiles_rm: + - .emacs github_hostkey: "|1|UkAzHpv3U4bZhaeBPmtZZi80Dos=|UEE2HqFXOa7wHG34fg6S2qC6n4g= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==" sudo_hostkey: "|1|JmGLvQJOAO/V8IIDJZgluT1CY84=|Isb+G3aPnbW0wdLidEphxiOppdM= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBqctfVYBZfEuZj2JWrMjzh3y5QZsdrh40yv29gHaE3Yx4mOkB2eCUVm898r9Qm1e/5bYey/NHp6ZSEy1y7ZA6jJ8lbzFXxbYPXDysw5rvIyGKbe/A0WeFF88ZgZejcxvMZQVNDY/oOKw2lr6LDiCEne7wkaVKHxnztyw47nq963aSATrysCc45TNG93bGbNEGGqp47MUdL/ZAy2+zQnDtSq2JrQD9mgIiBOOdWMnAA87QgcHH536Zq7X3/JX309cDJjUfkedBMcrwcCy9juQEaQdKb6RdKICcI3vXvPZs877mskjptYcacWEMnTBRdutaYcBCF9DlehaqOY2ERdcR" diff --git a/roles/dotfiles/tasks/dotfiles.yml b/roles/dotfiles/tasks/dotfiles.yml index 3190fb0..d99b407 100644 --- a/roles/dotfiles/tasks/dotfiles.yml +++ b/roles/dotfiles/tasks/dotfiles.yml @@ -3,7 +3,7 @@ lineinfile: path: /etc/ssh/ssh_known_hosts line: "{{ item.key }}" - create: yes + create: true loop_control: label: "{{ item.name }}" with_items: @@ -38,7 +38,7 @@ - name: put my dotfiles in place if dotfiles repo isnt human-managed copy: - remote_src: yes + remote_src: true src: "{{ dotfiles_path }}/dotfiles/{{ item.src }}" dest: "~/{{ item.dest }}" with_items: @@ -52,7 +52,7 @@ - name: put dotfiles for root in place copy: - remote_src: yes + remote_src: true src: "{{ dotfiles_path }}/dotfiles/{{ item.src }}" dest: "/root/{{ item.dest }}" owner: root @@ -75,3 +75,13 @@ - "{{ dotfiles }}" when: - not item.root|bool + +- name: rm outdate dotfile links + file: + path: "~/{{ item }}" + state: absent + loop_control: + label: "{{ item }}" + become_user: "{{ myusername }}" + with_items: + - "{{ dotfiles_rm }}" -- 2.40.1 From aac65298d027e167b6e92a8076c36e12b78e5051 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 01:04:44 +0200 Subject: [PATCH 19/27] catching up changes to docker role --- roles/docker/tasks/docker.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/docker/tasks/docker.yml b/roles/docker/tasks/docker.yml index d712924..d17b812 100644 --- a/roles/docker/tasks/docker.yml +++ b/roles/docker/tasks/docker.yml @@ -104,10 +104,13 @@ - docker - docker-compose executable: pip3 + state: present tags: - packages - pip - docker-compose + - docker-pip + - pip-latest - name: set up bridged network with dns docker_network: @@ -119,6 +122,7 @@ internal: no tags: - docker-network + - docker-network-bridgewithdns - name: install systemd config for container template: @@ -187,6 +191,8 @@ file: state: directory path: "{{ systemuserlist[ansible_user].home }}/.docker" + owner: "{{ systemuserlist[ansible_user].uid }}" + group: "{{ systemuserlist[ansible_user].gid }}" mode: 0700 tags: - docker-auth @@ -195,6 +201,8 @@ copy: dest: "{{ systemuserlist[ansible_user].home }}/.docker/config.json" mode: 0750 + owner: "{{ systemuserlist[ansible_user].uid }}" + group: "{{ systemuserlist[ansible_user].gid }}" content: "{{ docker_config | to_nice_json }}" tags: - docker-auth -- 2.40.1 From 39db05e7ca0b8d89728ca5011300d2260c4cee83 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 01:05:03 +0200 Subject: [PATCH 20/27] catching up changes to backup role --- roles/backup/files/restic-backups.py | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/roles/backup/files/restic-backups.py b/roles/backup/files/restic-backups.py index 679f18e..89b7b19 100755 --- a/roles/backup/files/restic-backups.py +++ b/roles/backup/files/restic-backups.py @@ -17,7 +17,7 @@ def parse_args(): parser.add_argument('--config', default='/usr/local/etc/restic.json') parser.add_argument('--log-level', default='INFO') parser.add_argument('--dry-run', action='store_true') - parser.add_argument('--no-excludes', action='store_true') + parser.add_argument('--non-interactive', action='store_true') parser.add_argument('--log-file', default='/var/log/backup/restic-backups.log') @@ -85,19 +85,19 @@ def list_sshfs_mounts(): return [a['target'] for a in mounts['filesystems']] -def run_restic(repo_url, restic_args, no_excludes, dry_run): +def run_restic(repo_url, restic_args, dry_run, non_interactive): restic_cmd = ["restic", "-r", repo_url] restic_cmd.extend(restic_args) - if "backup" in restic_args and not no_excludes: + if "backup" in restic_args: restic_cmd.extend([ "--exclude-file", "/usr/local/etc/backup-excludes.txt" ]) - for item in list_sshfs_mounts(): - restic_cmd.extend([ - "--exclude", item - ]) + for item in list_sshfs_mounts(): + restic_cmd.extend([ + "--exclude", item + ]) logger.debug(" ".join(restic_cmd)) if dry_run: @@ -128,7 +128,11 @@ def main(): repo_config = config[args.repo] prepare_env(args.repo, repo_config) return run_restic( - repo_config['url'], restic_args, args.no_excludes, args.dry_run) + repo_config['url'], + restic_args, + args.dry_run, + args.non_interactive + ) if __name__ == "__main__": -- 2.40.1 From cf4c665e905fb6b1e25a9cf73af6b94bd7a84536 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 01:05:25 +0200 Subject: [PATCH 21/27] catching up changes to mainframe role --- roles/mainframe/tasks/mainframe.yml | 2 ++ roles/mainframe/templates/01-static.conf.j2 | 17 +++++++++++------ 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/roles/mainframe/tasks/mainframe.yml b/roles/mainframe/tasks/mainframe.yml index 1bd37a0..35e13d3 100644 --- a/roles/mainframe/tasks/mainframe.yml +++ b/roles/mainframe/tasks/mainframe.yml @@ -217,6 +217,8 @@ - nginx - mainframe-nginx - static-sites + - static + - www notify: reload nginx - name: archives log dir and cache diff --git a/roles/mainframe/templates/01-static.conf.j2 b/roles/mainframe/templates/01-static.conf.j2 index 45860fb..05db7d3 100644 --- a/roles/mainframe/templates/01-static.conf.j2 +++ b/roles/mainframe/templates/01-static.conf.j2 @@ -34,11 +34,16 @@ server { ssl_session_timeout 5m; - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; + + # for /assets + #add_header X-Content-Type-Options "nosniff" always; + #add_header X-Permitted-Cross-Domain-Policies "none" always; + #add_header Referrer-Policy "no-referrer" always; + #add_header X-Download-Options "noopen" always; + #add_header X-Frame-Options "SAMEORIGIN" always; + #add_header X-XSS-Protection "1; mode=block" always; + + add_header "Access-Control-Allow-Origin" "*" always; + } -- 2.40.1 From c6eec8d596bdd2cf02ec921fe300262a0a1c9cb6 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 01:05:57 +0200 Subject: [PATCH 22/27] catching up changes to mariadb role --- roles/mariadb/templates/50-server.cnf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/mariadb/templates/50-server.cnf.j2 b/roles/mariadb/templates/50-server.cnf.j2 index fc9a85b..13b3408 100644 --- a/roles/mariadb/templates/50-server.cnf.j2 +++ b/roles/mariadb/templates/50-server.cnf.j2 @@ -150,7 +150,7 @@ innodb_io_capacity=4000 # you can put MariaDB-only options here [mariadb] -# This group is only read by MariaDB-10.3 servers. +# This group is only read by MariaDB-10.6 servers. # If you use the same .cnf file for MariaDB of different versions, # use this group for options that older servers don't understand -# [mariadb-10.3] +# [mariadb-10.6] -- 2.40.1 From df7d323bc060fa6db7fec84cd7c23b18d1b155e1 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 01:06:19 +0200 Subject: [PATCH 23/27] catching up changes to openldap role --- roles/openldap/defaults/main.yml | 3 ++ roles/openldap/tasks/openldap.yml | 47 +++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+) diff --git a/roles/openldap/defaults/main.yml b/roles/openldap/defaults/main.yml index 15ac975..7d7b67f 100644 --- a/roles/openldap/defaults/main.yml +++ b/roles/openldap/defaults/main.yml @@ -8,6 +8,9 @@ openldap_root: "{{ systemuserlist.openldap.home }}" ldap_human_users: "{{ userlist.values()|selectattr('ldap_enabled', 'true') }}" ldap_human_users_in_groups: "{{ ldap_human_users | selectattr('ldap_groups') }}" +ldap_system_users: "{{ systemuserlist.values()|selectattr('ldap_enabled', 'true') }}" +ldap_system_users_in_groups: "{{ ldap_system_users | selectattr('ldap_groups') }}" + ldap_only_users_enabled: "{{ ldap_only_users.values() | selectattr('ldap_enabled', 'true') }}" ldap_linux_usernames_disabled: "{{ userlist.values()|selectattr('ldap_enabled', 'false') | map(attribute='username') }}" diff --git a/roles/openldap/tasks/openldap.yml b/roles/openldap/tasks/openldap.yml index 6ec477e..7a5a096 100644 --- a/roles/openldap/tasks/openldap.yml +++ b/roles/openldap/tasks/openldap.yml @@ -187,11 +187,13 @@ bind_pw: "{{ openldap_admin_pass }}" tags: - ldap-users + - ldap-system-users with_items: - users - usergroups - groups - services + - systems - hosts # this module doesnt change existing users if they exist, so it is setting anything that a user @@ -242,6 +244,31 @@ - ldap-users - ldap-only-users +- name: add inventory system users + community.general.ldap_entry: + dn: "uid={{ item.username }},ou=systems,{{ openldap_dc }}" + objectClass: + - inetOrgPerson + - posixAccount + state: present + attributes: + sn: "{{ item.username }}" + cn: "{{ item.username }}" + mail: "{{ item.username }}@{{ openldap_domain }}" + displayName: "{{ item.username }}" + uidNumber: "{{ item.uid }}" + gidNumber: "{{ item.gid }}" + homeDirectory: "{{ item.home }}" + loginShell: "{{ item.shell | default('/dev/nologin')}}" + server_uri: ldap://{{ openldap_url }}/ + bind_dn: "{{ openldap_admin_user }}" + bind_pw: "{{ openldap_admin_pass }}" + loop_control: + label: "{{ item.username }}" + with_items: "{{ ldap_system_users }}" # see role/openldap/defaults/main.yml + tags: + - ldap-users + - ldap-system-users - name: add inventory user groups community.general.ldap_entry: @@ -299,6 +326,26 @@ tags: - ldap-users +- name: adding system users to groups + community.general.ldap_attrs: + dn: "cn={{ item[0] }},ou=groups,{{ openldap_dc }}" + attributes: + uniqueMember: "uid={{ item[1].username }},ou=systems,{{ openldap_dc }}" + state: "{%if item[0] in item[1].ldap_groups|default([])%}present{%else%}absent{%endif%}" + server_uri: ldap://{{ openldap_url }}/ + bind_dn: "{{ openldap_admin_user }}" + bind_pw: "{{ openldap_admin_pass }}" + loop_control: + label: "{{ item[1].username }}, group={{ item[0] }}, present={{ item[0] in item[1].ldap_groups|default([]) }}" + with_nested: + - "{{ openldap_groups }}" + - "{{ ldap_system_users }}" + # when: + # - item[1] in item[0].ldap_groups|default([]) + tags: + - ldap-users + - ldap-system-users + - name: adding inventory ldap_only_users to groups community.general.ldap_attrs: dn: "cn={{ item[0] }},ou=groups,{{ openldap_dc }}" -- 2.40.1 From 3fd4471dee5cf8bd1ba739fa48625ae711dd8f98 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 01:06:42 +0200 Subject: [PATCH 24/27] catching up changes to vaultwarden role --- roles/vaultwarden/tasks/vaultwarden.yml | 28 +++++++++---------- roles/vaultwarden/templates/01-vaultwarden.j2 | 11 ++------ 2 files changed, 17 insertions(+), 22 deletions(-) diff --git a/roles/vaultwarden/tasks/vaultwarden.yml b/roles/vaultwarden/tasks/vaultwarden.yml index 1f326d9..7cc036b 100644 --- a/roles/vaultwarden/tasks/vaultwarden.yml +++ b/roles/vaultwarden/tasks/vaultwarden.yml @@ -189,20 +189,20 @@ - vaultwarden-ldap - docker-containers -# - name: install certs -# copy: -# src: "/usr/local/etc/letsencrypt/live/{{ item }}" -# dest: "/usr/local/etc/certs/" -# owner: root -# group: root -# mode: 0755 -# tags: -# - letsencrypt-certs -# notify: reload nginx -# vars: -# prediff_cmd: echo -# with_items: -# - "{{ vaultwarden_url }}" +- name: install certs + copy: + src: "/usr/local/etc/letsencrypt/live/{{ item }}" + dest: "/usr/local/etc/certs/" + owner: root + group: root + mode: 0755 + tags: + - letsencrypt-certs + notify: reload nginx + vars: + prediff_cmd: echo + with_items: + - "{{ vaultwarden_url }}" - name: template nginx vhost for vaultwarden template: diff --git a/roles/vaultwarden/templates/01-vaultwarden.j2 b/roles/vaultwarden/templates/01-vaultwarden.j2 index f0d2680..2e7bbf1 100644 --- a/roles/vaultwarden/templates/01-vaultwarden.j2 +++ b/roles/vaultwarden/templates/01-vaultwarden.j2 @@ -9,6 +9,7 @@ upstream {{ item.container_name }}-ws { server {{ bridgewithdns[item.container_name] }}:3012; keepalive 2; } + server { listen 443 ssl http2; {% if inventory_hostname in wg_clients -%} @@ -21,12 +22,6 @@ server { include /etc/nginx/authelia_internal.conf; include /etc/nginx/sudo-known.conf; - - # Specify SSL Config when needed - #ssl_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem; - #ssl_certificate_key /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/privkey.pem; - #ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem; - client_max_body_size 128M; location / { @@ -85,8 +80,8 @@ server { error_log /var/log/nginx/error_{{ vaultwarden_url }}.log warn; ssl_session_timeout 5m; - ssl_certificate /usr/local/etc/certs/{{ domain }}/fullchain.pem; - ssl_certificate_key /usr/local/etc/certs/{{ domain }}/privkey.pem; + ssl_certificate /usr/local/etc/certs/{{ vaultwarden_url }}/fullchain.pem; + ssl_certificate_key /usr/local/etc/certs/{{ vaultwarden_url }}/privkey.pem; fastcgi_hide_header X-Powered-By; } -- 2.40.1 From cb71913507772f2ebde39fac0947ae0aa9862473 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 01:07:41 +0200 Subject: [PATCH 25/27] catching up changes to wireguard role --- roles/wireguard/templates/wg-post-up.sh.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/wireguard/templates/wg-post-up.sh.j2 b/roles/wireguard/templates/wg-post-up.sh.j2 index 345177b..b169283 100644 --- a/roles/wireguard/templates/wg-post-up.sh.j2 +++ b/roles/wireguard/templates/wg-post-up.sh.j2 @@ -7,6 +7,10 @@ iptables -t nat -D POSTROUTING -s {{ wireguard_cidr }} -o {{ ansible_default_ipv iptables -t nat -A POSTROUTING -s {{ wireguard_cidr }} -o {{ ansible_default_ipv4.interface }} -j MASQUERADE {% endif %} +{% if wg_clients[inventory_hostname].multicast_enabled|default(false) -%} +ip link set multicast on dev wg0 +{% endif -%} + {% if wg_post_up_dns_route|default(false) %} sleep 5 -- 2.40.1 From aafc9db06fe53ebfa9b1ec4bbde00a7fd2e5dc86 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 01:08:06 +0200 Subject: [PATCH 26/27] add experimental/half-baked samba role --- roles/samba/handlers/main.yml | 9 + roles/samba/tasks/main.yml | 3 + roles/samba/tasks/samba.yml | 49 +++++ roles/samba/templates/smb.conf.j2 | 270 +++++++++++++++++++++++++ roles/samba/templates/smb.default.conf | 242 ++++++++++++++++++++++ 5 files changed, 573 insertions(+) create mode 100644 roles/samba/handlers/main.yml create mode 100644 roles/samba/tasks/main.yml create mode 100644 roles/samba/tasks/samba.yml create mode 100644 roles/samba/templates/smb.conf.j2 create mode 100644 roles/samba/templates/smb.default.conf diff --git a/roles/samba/handlers/main.yml b/roles/samba/handlers/main.yml new file mode 100644 index 0000000..d9c979a --- /dev/null +++ b/roles/samba/handlers/main.yml @@ -0,0 +1,9 @@ +--- + +- name: restart samba + service: + name: "{{ item }}" + state: restarted + with_items: + - smbd + - nmbd diff --git a/roles/samba/tasks/main.yml b/roles/samba/tasks/main.yml new file mode 100644 index 0000000..28660fb --- /dev/null +++ b/roles/samba/tasks/main.yml @@ -0,0 +1,3 @@ +--- + - import_tasks: samba.yml + tags: samba diff --git a/roles/samba/tasks/samba.yml b/roles/samba/tasks/samba.yml new file mode 100644 index 0000000..8b5f80b --- /dev/null +++ b/roles/samba/tasks/samba.yml @@ -0,0 +1,49 @@ +--- + +- name: create dirs + file: + state: directory + path: /srv/samba/{{ item.path }} + owner: "{{ item.owner }}" + group: "{{ item.group }}" + mode: "{{ item.mode }}" + loop_control: + label: "{{ item.path }}" + with_items: + - path: "" + owner: root + group: root + mode: '0775' + - path: printers + owner: nobody + group: nogroup + mode: '0775' + - path: drivers + owner: nobody + group: nogroup + mode: '0775' + - path: drivers/hp1010 + owner: nobody + group: nogroup + mode: '0775' + +- name: install samba + apt: + state: latest + name: + - samba + - smbclient + tags: + - packages + +- name: template smb.conf file + template: + src: smb.conf.j2 + dest: /etc/samba/smb.conf + owner: root + group: root + mode: 0644 + #validate: /usr/bin/testparm -s %s + notify: restart samba + tags: + - smb.conf diff --git a/roles/samba/templates/smb.conf.j2 b/roles/samba/templates/smb.conf.j2 new file mode 100644 index 0000000..15722cf --- /dev/null +++ b/roles/samba/templates/smb.conf.j2 @@ -0,0 +1,270 @@ +# distributed from ansible +# +# NOTE: Whenever you modify this file you should run the command +# "testparm" to check that you have not made any basic syntactic +# errors. + +#======================= Global Settings ======================= + +[global] + + workgroup = WORKGROUP + #netbios name = {{ inventory_hostname.split('.')[0].upper() }} + #server string = %h server (Samba) + server string = {{ ansible_inventory_hostname.split('.')[0] }} + + interfaces = 127.0.0.0/8 {{ samba_interfaces | default([]) | join(" ") }} + bind interfaces only = yes + + log file = /var/log/samba/log.%m + max log size = 1000 + logging = file + panic action = /usr/share/samba/panic-action %d + + # Possible values are "standalone server", "member server", + # "classic primary domain controller", "classic backup domain + # controller", "active directory domain controller". + server role = standalone server + obey pam restrictions = yes + + unix password sync = yes + passwd program = /usr/bin/passwd %u + passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . + pam password change = yes + map to guest = bad user + + invalid users = root + + unix charset = UTF-8 + + # possible values: auto, user, domain, ads + security = user + + + + local master = yes + preferred master = yes + domain master = yes + + # printing = CUPS + # printcap name = sambacap + + # load printers = yes + # printcap = cups + + + + +####### Authentication ####### + +# Server role. Defines in which mode Samba will operate. +# +# Most people will want "standalone server" or "member server". +# Running as "active directory domain controller" will require first +# running "samba-tool domain provision" to wipe databases and create a +# new domain. + # server role = standalone server + + # + +# This boolean parameter controls whether Samba attempts to sync the Unix +# password with the SMB password when the encrypted SMB password in the +# passdb is changed. + unix password sync = no + +# For Unix password sync to work on a Debian GNU/Linux system, the following +# parameters must be set (thanks to Ian Kahan < for +# sending the correct chat script for the passwd program in Debian Sarge). + passwd program = /usr/bin/passwd %u + passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . + +# This boolean controls whether PAM will be used for password changes +# when requested by an SMB client instead of the program listed in +# 'passwd program'. The default is 'no'. + pam password change = no + + +########## Domains ########### + +# +# The following settings only takes effect if 'server role = classic +# primary domain controller', 'server role = classic backup domain controller' +# or 'domain logons' is set +# + +# It specifies the location of the user's +# profile directory from the client point of view) The following +# required a [profiles] share to be setup on the samba server (see +# below) +; logon path = \\%N\profiles\%U +# Another common choice is storing the profile in the user's home directory +# (this is Samba's default) +# logon path = \\%N\%U\profile + +# The following setting only takes effect if 'domain logons' is set +# It specifies the location of a user's home directory (from the client +# point of view) +; logon drive = H: +# logon home = \\%N\%U + +# The following setting only takes effect if 'domain logons' is set +# It specifies the script to run during logon. The script must be stored +# in the [netlogon] share +# NOTE: Must be store in 'DOS' file format convention +; logon script = logon.cmd + +# This allows Unix users to be created on the domain controller via the SAMR +# RPC pipe. The example command creates a user account with a disabled Unix +# password; please adapt to your needs +; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u + +# This allows machine accounts to be created on the domain controller via the +# SAMR RPC pipe. +# The following assumes a "machines" group exists on the system +; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u + +# This allows Unix groups to be created on the domain controller via the SAMR +# RPC pipe. +; add group script = /usr/sbin/addgroup --force-badname %g + +############ Misc ############ + +# Using the following line enables you to customise your configuration +# on a per machine basis. The %m gets replaced with the netbios name +# of the machine that is connecting +; include = /home/samba/etc/smb.conf.%m + +# Some defaults for winbind (make sure you're not using the ranges +# for something else.) +; idmap config * : backend = tdb +; idmap config * : range = 3000-7999 +; idmap config YOURDOMAINHERE : backend = tdb +; idmap config YOURDOMAINHERE : range = 100000-999999 +; template shell = /bin/bash + +# Setup usershare options to enable non-root users to share folders +# with the net usershare command. + +# Maximum number of usershare. 0 means that usershare is disabled. +# usershare max shares = 100 + +# Allow users who've been granted usershare privileges to create +# public shares, not just authenticated ones + usershare allow guests = no + +#======================= Share Definitions ======================= + +# Un-comment the following (and tweak the other settings below to suit) +# to enable the default home directory shares. This will share each +# user's home directory as \\server\username +;[homes] +; comment = Home Directories +; browseable = no + +# By default, the home directories are exported read-only. Change the +# next parameter to 'no' if you want to be able to write to them. +; read only = yes + +# File creation mask is set to 0700 for security reasons. If you want to +# create files with group=rw permissions, set next parameter to 0775. +; create mask = 0700 + +# Directory creation mask is set to 0700 for security reasons. If you want to +# create dirs. with group=rw permissions, set next parameter to 0775. +; directory mask = 0700 + +# By default, \\server\username shares can be connected to by anyone +# with access to the samba server. +# Un-comment the following parameter to make sure that only "username" +# can connect to \\server\username +# This might need tweaking when using external authentication schemes +; valid users = %S + +# Un-comment the following and create the netlogon directory for Domain Logons +# (you need to configure Samba to act as a domain controller too.) +;[netlogon] +; comment = Network Logon Service +; path = /home/samba/netlogon +; guest ok = yes +; read only = yes + +# Un-comment the following and create the profiles directory to store +# users profiles (see the "logon path" option above) +# (you need to configure Samba to act as a domain controller too.) +# The path below should be writable by all users so that their +# profile directory may be created the first time they log on +;[profiles] +; comment = Users profiles +; path = /home/samba/profiles +; guest ok = no +; browseable = no +; create mask = 0600 +; directory mask = 0700 +# [music] +# comment = music files +# path = /deadspace/music +# guest ok = yes +# browseable = yes +# read only = yes + +# [drivers] +# comment = printer files +# path = /srv/samba/drivers +# guest ok = yes +# browsable = yes +# read only = no +# writable = yes + +# [printers] +# comment = All Printers +# path = /var/spool/samba +# guest ok = yes +# printable = yes + + +# Windows clients look for this share name as a source of downloadable +# printer drivers +[print$] + comment = Printer Drivers + path = /srv/samba/printers + guest ok = yes + browseable = yes + read only = no + writable = yes + +# [sambaprint] +# comment = "raw printer for samba" +# path = /var/spool/samba +# guest ok = yes +# #guest only = yes +# writable = no +# printable = yes +# printer name = samba +# #force user = nobody + +# [shredder] +# comment = "in the study" +# path = /var/spool/samba +# guest ok = yes +# writable = no +# printable = yes +# printer name = hp-LaserJet-1010 + + #guest only = yes + #force user = nobody + +# [sambajet] +# path = /var/spool/samba +# guest ok = yes +# guest only = yes +# force user = nobody +# printable = yes +# browseable = yes + + +# Uncomment to allow remote administration of Windows print drivers. +# You may need to replace 'lpadmin' with the name of the group your +# admin users are members of. +# Please note that you also need to set appropriate Unix permissions +# to the drivers directory for these users to have write rights in it +; write list = root, @lpadmin diff --git a/roles/samba/templates/smb.default.conf b/roles/samba/templates/smb.default.conf new file mode 100644 index 0000000..8c38ffa --- /dev/null +++ b/roles/samba/templates/smb.default.conf @@ -0,0 +1,242 @@ +# +# Sample configuration file for the Samba suite for Debian GNU/Linux. +# +# +# This is the main Samba configuration file. You should read the +# smb.conf(5) manual page in order to understand the options listed +# here. Samba has a huge number of configurable options most of which +# are not shown in this example +# +# Some options that are often worth tuning have been included as +# commented-out examples in this file. +# - When such options are commented with ";", the proposed setting +# differs from the default Samba behaviour +# - When commented with "#", the proposed setting is the default +# behaviour of Samba but the option is considered important +# enough to be mentioned here +# +# NOTE: Whenever you modify this file you should run the command +# "testparm" to check that you have not made any basic syntactic +# errors. + +#======================= Global Settings ======================= + +[global] + +## Browsing/Identification ### + +# Change this to the workgroup/NT-domain name your Samba server will part of + workgroup = WORKGROUP + +# server string is the equivalent of the NT Description field + server string = %h server (Samba, Ubuntu) + +#### Networking #### + +# The specific set of interfaces / networks to bind to +# This can be either the interface name or an IP address/netmask; +# interface names are normally preferred +; interfaces = 127.0.0.0/8 eth0 + +# Only bind to the named interfaces and/or networks; you must use the +# 'interfaces' option above to use this. +# It is recommended that you enable this feature if your Samba machine is +# not protected by a firewall or is a firewall itself. However, this +# option cannot handle dynamic or non-broadcast interfaces correctly. +; bind interfaces only = yes + + + +#### Debugging/Accounting #### + +# This tells Samba to use a separate log file for each machine +# that connects + log file = /var/log/samba/log.%m + +# Cap the size of the individual log files (in KiB). + max log size = 1000 + +# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}. +# Append syslog@1 if you want important messages to be sent to syslog too. + logging = file + +# Do something sensible when Samba crashes: mail the admin a backtrace + panic action = /usr/share/samba/panic-action %d + + +####### Authentication ####### + +# Server role. Defines in which mode Samba will operate. Possible +# values are "standalone server", "member server", "classic primary +# domain controller", "classic backup domain controller", "active +# directory domain controller". +# +# Most people will want "standalone server" or "member server". +# Running as "active directory domain controller" will require first +# running "samba-tool domain provision" to wipe databases and create a +# new domain. + server role = standalone server + + obey pam restrictions = yes + +# This boolean parameter controls whether Samba attempts to sync the Unix +# password with the SMB password when the encrypted SMB password in the +# passdb is changed. + unix password sync = yes + +# For Unix password sync to work on a Debian GNU/Linux system, the following +# parameters must be set (thanks to Ian Kahan < for +# sending the correct chat script for the passwd program in Debian Sarge). + passwd program = /usr/bin/passwd %u + passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . + +# This boolean controls whether PAM will be used for password changes +# when requested by an SMB client instead of the program listed in +# 'passwd program'. The default is 'no'. + pam password change = yes + +# This option controls how unsuccessful authentication attempts are mapped +# to anonymous connections + map to guest = bad user + +########## Domains ########### + +# +# The following settings only takes effect if 'server role = classic +# primary domain controller', 'server role = classic backup domain controller' +# or 'domain logons' is set +# + +# It specifies the location of the user's +# profile directory from the client point of view) The following +# required a [profiles] share to be setup on the samba server (see +# below) +; logon path = \\%N\profiles\%U +# Another common choice is storing the profile in the user's home directory +# (this is Samba's default) +# logon path = \\%N\%U\profile + +# The following setting only takes effect if 'domain logons' is set +# It specifies the location of a user's home directory (from the client +# point of view) +; logon drive = H: +# logon home = \\%N\%U + +# The following setting only takes effect if 'domain logons' is set +# It specifies the script to run during logon. The script must be stored +# in the [netlogon] share +# NOTE: Must be store in 'DOS' file format convention +; logon script = logon.cmd + +# This allows Unix users to be created on the domain controller via the SAMR +# RPC pipe. The example command creates a user account with a disabled Unix +# password; please adapt to your needs +; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u + +# This allows machine accounts to be created on the domain controller via the +# SAMR RPC pipe. +# The following assumes a "machines" group exists on the system +; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u + +# This allows Unix groups to be created on the domain controller via the SAMR +# RPC pipe. +; add group script = /usr/sbin/addgroup --force-badname %g + +############ Misc ############ + +# Using the following line enables you to customise your configuration +# on a per machine basis. The %m gets replaced with the netbios name +# of the machine that is connecting +; include = /home/samba/etc/smb.conf.%m + +# Some defaults for winbind (make sure you're not using the ranges +# for something else.) +; idmap config * : backend = tdb +; idmap config * : range = 3000-7999 +; idmap config YOURDOMAINHERE : backend = tdb +; idmap config YOURDOMAINHERE : range = 100000-999999 +; template shell = /bin/bash + +# Setup usershare options to enable non-root users to share folders +# with the net usershare command. + +# Maximum number of usershare. 0 means that usershare is disabled. +# usershare max shares = 100 + +# Allow users who've been granted usershare privileges to create +# public shares, not just authenticated ones + usershare allow guests = yes + +#======================= Share Definitions ======================= + +# Un-comment the following (and tweak the other settings below to suit) +# to enable the default home directory shares. This will share each +# user's home directory as \\server\username +;[homes] +; comment = Home Directories +; browseable = no + +# By default, the home directories are exported read-only. Change the +# next parameter to 'no' if you want to be able to write to them. +; read only = yes + +# File creation mask is set to 0700 for security reasons. If you want to +# create files with group=rw permissions, set next parameter to 0775. +; create mask = 0700 + +# Directory creation mask is set to 0700 for security reasons. If you want to +# create dirs. with group=rw permissions, set next parameter to 0775. +; directory mask = 0700 + +# By default, \\server\username shares can be connected to by anyone +# with access to the samba server. +# Un-comment the following parameter to make sure that only "username" +# can connect to \\server\username +# This might need tweaking when using external authentication schemes +; valid users = %S + +# Un-comment the following and create the netlogon directory for Domain Logons +# (you need to configure Samba to act as a domain controller too.) +;[netlogon] +; comment = Network Logon Service +; path = /home/samba/netlogon +; guest ok = yes +; read only = yes + +# Un-comment the following and create the profiles directory to store +# users profiles (see the "logon path" option above) +# (you need to configure Samba to act as a domain controller too.) +# The path below should be writable by all users so that their +# profile directory may be created the first time they log on +;[profiles] +; comment = Users profiles +; path = /home/samba/profiles +; guest ok = no +; browseable = no +; create mask = 0600 +; directory mask = 0700 + +[printers] + comment = All Printers + browseable = no + path = /var/spool/samba + printable = yes + guest ok = no + read only = yes + create mask = 0700 + +# Windows clients look for this share name as a source of downloadable +# printer drivers +[print$] + comment = Printer Drivers + path = /var/lib/samba/printers + browseable = yes + read only = yes + guest ok = no +# Uncomment to allow remote administration of Windows print drivers. +# You may need to replace 'lpadmin' with the name of the group your +# admin users are members of. +# Please note that you also need to set appropriate Unix permissions +# to the drivers directory for these users to have write rights in it +; write list = root, @lpadmin + -- 2.40.1 From 235676377e5d7835cc36f198449219616af20cd2 Mon Sep 17 00:00:00 2001 From: Ben Kristinsson Date: Mon, 1 May 2023 01:09:10 +0200 Subject: [PATCH 27/27] samba default config --- roles/samba/{templates => files}/smb.default.conf | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename roles/samba/{templates => files}/smb.default.conf (100%) diff --git a/roles/samba/templates/smb.default.conf b/roles/samba/files/smb.default.conf similarity index 100% rename from roles/samba/templates/smb.default.conf rename to roles/samba/files/smb.default.conf -- 2.40.1