author | Trygve Laugstøl <trygvis@inamo.no> | 2019-01-02 10:57:04 +0100 |
committer | Trygve Laugstøl <trygvis@inamo.no> | 2019-01-02 10:57:04 +0100 |
commit | 62ff27b05167118c4fa9b5b6b39300041acf80da (patch) | |
tree | 8c5e75a4cf3d43535857ae15d9ad6e3b2893dffe /ansible | |
parent | 1f3564a99e21af5bd4ac4d11fa3ec7c3885e5208 (diff) | |
wireguard: Adding conflatorio.
dovecot: adding password management
postfix-satellite: removing apt update
ufw: handling missing variables. Allow ssh by default.
all.yml: taking passwords for postfix-satellite from dovecot.
Diffstat (limited to 'ansible')
-rw-r--r-- | ansible/all.yml | 16 | ||||
-rw-r--r-- | ansible/files/conflatorio/etc/wireguard/public.key | 1 | ||||
-rw-r--r-- | ansible/group_vars/all/dovedot-secret.yml | 43 | ||||
-rw-r--r-- | ansible/group_vars/all/postfix-secret.yml | 6 | ||||
-rw-r--r-- | ansible/group_vars/wireguard_net1.yml | 2 | ||||
-rw-r--r-- | ansible/host_vars/malabaricus/postfix.yml | 11 | ||||
-rw-r--r-- | ansible/roles/dovecot/tasks/main.yml | 20 | ||||
-rw-r--r-- | ansible/roles/postfix-satellite/tasks/postfix-satellite.yml | 15 | ||||
-rw-r--r-- | ansible/roles/ufw/tasks/main.yml | 26 |
9 files changed, 104 insertions, 36 deletions
diff --git a/ansible/all.yml b/ansible/all.yml
index 86b0688..99f0d6f 100644
--- a/ansible/all.yml
+++ b/ansible/all.yml
@@ -11,11 +11,27 @@
       - knot
   roles:
     - postfix
+    - dovecot
 
 - hosts:
     - all !knot
   roles:
     - postfix-satellite
+  vars:
+    username: "{{ ansible_hostname }}.trygvis.io"
+    postfix:
+      sasl_password:
+        - host: "[trygvis.io]:587"
+          username: "{{ username }}"
+          password: "{{ dovecot__passwords[username] }}"
+
+  tasks:
+    - tags: postfix-satellite
+      become: yes
+      lineinfile:
+        dest: /etc/postfix/sasl_passwd
+        state: absent
+        regex: "^\\[knot.trygvis.io\\]"
 
 - hosts:
     - linode-dns-update
diff --git a/ansible/files/conflatorio/etc/wireguard/public.key b/ansible/files/conflatorio/etc/wireguard/public.key
new file mode 100644
index 0000000..dc49595
--- /dev/null
+++ b/ansible/files/conflatorio/etc/wireguard/public.key
@@ -0,0 +1 @@
+Rdq2LKzVxDBuXhimgLA1ZW9qFKCypHhBSaBx+24w3gA=
diff --git a/ansible/group_vars/all/dovedot-secret.yml b/ansible/group_vars/all/dovedot-secret.yml
new file mode 100644
index 0000000..173bef0
--- /dev/null
+++ b/ansible/group_vars/all/dovedot-secret.yml
@@ -0,0 +1,43 @@
+$ANSIBLE_VAULT;1.1;AES256
+63353563353533356137306637316439636363303934346565346566373936623835656363623636
+3038366463373336356163616637346235633063626637350a393134653533373034326635643339
+37663334363134393939323064663364313437383531353431653364616564353339663138653832
+6264323030356539380a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
diff --git a/ansible/group_vars/all/postfix-secret.yml b/ansible/group_vars/all/postfix-secret.yml
new file mode 100644
index 0000000..0924a65
--- /dev/null
+++ b/ansible/group_vars/all/postfix-secret.yml
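Review bot: The play-level `username` added under `vars:` is a very generic name that every role applied to `all !knot` now sees, and it is easy to confuse with the `username:` key of the `sasl_password` item that reads it; a role-prefixed name such as `postfix_sasl_username` avoids accidental collisions with role variables. The cleanup task's `regex: "^\\[knot.trygvis.io\\]"` leaves the dots unescaped, so `regex: "^\\[knot\\.trygvis\\.io\\]"` matches only the intended entry, and `dest:` is the legacy alias of `path:` for lineinfile. `dovecot__passwords[username]` raises an undefined-variable error for a host with no entry, which looks like an intentional fail-loud default and deserves a one-line comment above `vars:` saying so. Whether the postfix-satellite role writes `/etc/postfix/sasl_passwd` with `no_log` and a restrictive mode is outside this hunk.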
@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.1;AES256
+66656639623865393533323337343131323763383364303365383461313364626363353034653861
+6264653564373334303230356137363438613535616164660a363135656563653066316364623266
+64613430396638633662386530343338396235386336306637646533353833626461323335363164
+6235643635313530330a396337623865353765323634633661396237383964646239626238383739
+3433
diff --git a/ansible/group_vars/wireguard_net1.yml b/ansible/group_vars/wireguard_net1.yml
index 716778e..0dc958e 100644
--- a/ansible/group_vars/wireguard_net1.yml
+++ b/ansible/group_vars/wireguard_net1.yml
@@ -16,7 +16,7 @@ wireguard__clients:
     ipv4: 192.168.80.2
     ipv6: fdf3:aad9:a885:0b3a::2
   conflatorio:
-    state: absent
+    state: present
     ipv4: 192.168.80.3
     ipv6: fdf3:aad9:a885:0b3a::3
   fuckaduck:
diff --git a/ansible/host_vars/malabaricus/postfix.yml b/ansible/host_vars/malabaricus/postfix.yml
deleted file mode 100644
index a78e062..0000000
--- a/ansible/host_vars/malabaricus/postfix.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-62376638333038663363323337633031383533623661393361623265353762646633396234343038
-3465373234366261363965623166353662303366303463360a393937393333373631366263663234
-36303863613734393238343837383230393730646331303037316438353932666434383332653130
-6566346565376561630a623662653730633239376136326137653764393734656339626466363131
-37376130306364663961376637656366636139666365343132353331633138636339323938383664
-65326537323232366635613965653135393538623363346137636265643337633839316237666131
-32316339353736616439306531376466383935313032333238373637373031303465623038376238
-65356263666263636134646164626136326635623736646635326161663833613534316139636534
-65326663356139343330396635396134666362333531303635613735353534306562373333623165
-3938616134376462336131323934373538336132313036633063
diff --git a/ansible/roles/dovecot/tasks/main.yml b/ansible/roles/dovecot/tasks/main.yml
new file mode 100644
index 0000000..1ee3b8d
--- /dev/null
+++ b/ansible/roles/dovecot/tasks/main.yml
@@ -0,0 +1,20 @@
+- tags:
+    - dovecot
+    - packages
+  become: yes
+  apt:
+    name: python-passlib
+    install_recommends: no
+
+- tags:
+    - dovecot
+    - update-passwords
+  become: yes
+  with_dict: "{{ dovecot__passwords }}"
+  no_log: yes
+  htpasswd:
+    path: /etc/dovecot/users
+    name: "{{ item.key }}"
+    password: "{{ item.value }}"
+    crypt_scheme: sha512_crypt
+    state: "{{ 'absent' if not item.value or item.value.strip() == '' else 'present' }}"
diff --git a/ansible/roles/postfix-satellite/tasks/postfix-satellite.yml b/ansible/roles/postfix-satellite/tasks/postfix-satellite.yml
index 5f8f02a..a92250a 100644
--- a/ansible/roles/postfix-satellite/tasks/postfix-satellite.yml
+++ b/ansible/roles/postfix-satellite/tasks/postfix-satellite.yml
@@ -1,15 +1,12 @@
-- name: Update apt cache
-  apt:
-    update_cache: yes
-    cache_valid_time: 3600
 - name: Install package
   package:
-    name: "{{ item }}"
+    name: "{{ items }}"
     state: present
-  with_items:
-    - postfix
-    - libsasl2-modules
-    - swaks
+  vars:
+    items:
+      - postfix
+      - libsasl2-modules
+      - swaks
 
 - name: "Configure postfix: main.cf"
   tags: postfix-satellite-config
diff --git a/ansible/roles/ufw/tasks/main.yml b/ansible/roles/ufw/tasks/main.yml
index 0579f0a..b6a963b 100644
--- a/ansible/roles/ufw/tasks/main.yml
+++ b/ansible/roles/ufw/tasks/main.yml
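Review bot: The `htpasswd` task creates `/etc/dovecot/users` with whatever mode the default umask gives (commonly 0644), so the sha512_crypt hashes may end up readable by every local account; the module accepts the common file attributes, so add `mode: "0600"` plus an `owner:`/`group:` matching the account dovecot's auth process reads the file as (confirm against the dovecot configuration, which is not part of this commit). Neither task has a `name:`, so play output only shows the tags; `name: Install passlib for the htpasswd module` and `name: Sync dovecot users from dovecot__passwords` would document them. `become: yes`, `install_recommends: no` and `no_log: yes` are YAML 1.1 truthy spellings where `true`/`false` is the portable form. Keeping `no_log` on the loop is the right call, since `item.value` is a clear-text password.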
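Review bot: With the `Update apt cache` task gone and nothing in this hunk refreshing the cache, the `package` install of postfix, libsasl2-modules and swaks can fail on a freshly provisioned host whose apt lists are empty or stale; if the cache is refreshed elsewhere in the play, a comment above the task naming that dependency (e.g. `# apt cache is refreshed by <ROLE-OR-PLAY>`) would make it explicit. The task-scoped var `items` is easily mistaken for the `item` loop variable the old version used; `packages:` with `name: "{{ packages }}"` would read more clearly. The rest of this file continues outside the hunk.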
@@ -2,17 +2,21 @@
     - ufw
   become: yes
   block:
-    - when:
-      notify: ufw reload
+    - notify: ufw reload
+      vars:
+        state: "{{ 'present' if ufw__nat_address is defined else 'absent' }}"
+        nat:
+          address: "{{ ufw__nat_address if ufw__nat_address is defined else '' }}"
+          prefix: "{{ ufw__nat_prefix if ufw__nat_prefix is defined else '' }}"
       blockinfile:
         path: /etc/ufw/before.rules
         insertbefore: "^# Don't delete these required lines"
         marker: "# NAT config: {mark}"
-        state: "{{ 'present' if ufw__nat_address is defined else 'absent' }}"
+        state: "{{ state }}"
         content: |
           *nat
           :POSTROUTING ACCEPT [0:0]
-          -A POSTROUTING -s {{ ufw__nat_address }}/{{ ufw__nat_prefix }} -o eth0 -j MASQUERADE
+          -A POSTROUTING -s {{ nat.address }}/{{ nat.prefix }} -o eth0 -j MASQUERADE
           COMMIT
 
     - notify: ufw reload
@@ -33,14 +37,6 @@
   - ufw:
       state: enabled
 
-# - ufw:
-#     default: allow
-#     direction: out
-
-# - ufw:
-#     policy: deny
-#     direction: out
-
-# - ufw:
-#     policy: allow
-#     direction: routed
+  - ufw:
+      name: OpenSSH
+      rule: allow
|
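Review bot: Defaulting `nat.prefix` to `''` when `ufw__nat_prefix` is undefined changes a loud failure into a quiet one: `state` keys off `ufw__nat_address` alone, so a host with the address set but no prefix now gets `-A POSTROUTING -s <address>/ -o eth0 -j MASQUERADE` written into before.rules and the breakage only surfaces when `ufw reload` rejects it, where the old template raised an undefined-variable error at render time. Either derive `state` from both variables or keep `prefix: "{{ ufw__nat_prefix }}"` undefaulted so the template still fails fast. The `is defined ... else ''` expressions are also what the `default` filter does — `address: "{{ ufw__nat_address | default('') }}"` is the usual idiom — and the task var `state` shadows any play- or inventory-level `state` inside this task, so a role-prefixed name such as `ufw__nat_state` is safer. The enclosing `block:` starts outside the hunk.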
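Review bot: The new `OpenSSH` allow task runs after `ufw: state: enabled`, so on a first run the firewall goes live with ufw's default deny-incoming policy before SSH is permitted; the current session typically survives as an established connection, but any failure between the two tasks leaves the host unreachable for new connections — move the allow task above `state: enabled`. `rule: allow` from any source is also the broadest option the module offers; `rule: limit` turns on ufw's built-in connection-rate limiting for the profile, and a `from_ip:` driven by a `ufw__*` variable (when a management range exists) would narrow it further, matching how the rest of this role is parameterised. The `block:` this task belongs to starts outside the hunk.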