aboutsummaryrefslogtreecommitdiff
path: root/ansible
diff options
context:
space:
mode:
authorTrygve Laugstøl <trygvis@inamo.no>2019-01-02 10:57:04 +0100
committerTrygve Laugstøl <trygvis@inamo.no>2019-01-02 10:57:04 +0100
commit62ff27b05167118c4fa9b5b6b39300041acf80da (patch)
tree8c5e75a4cf3d43535857ae15d9ad6e3b2893dffe /ansible
parent1f3564a99e21af5bd4ac4d11fa3ec7c3885e5208 (diff)
downloadinfra-62ff27b05167118c4fa9b5b6b39300041acf80da.tar.gz
infra-62ff27b05167118c4fa9b5b6b39300041acf80da.tar.bz2
infra-62ff27b05167118c4fa9b5b6b39300041acf80da.tar.xz
infra-62ff27b05167118c4fa9b5b6b39300041acf80da.zip
wireguard: Adding conflatorio.
dovecot: adding password management postfix-satellite: removing apt update ufw: handling missing variables. Allow ssh by default. all.yml: taking passwords for postfix-satellite from dovecot.
Diffstat (limited to 'ansible')
-rw-r--r--ansible/all.yml16
-rw-r--r--ansible/files/conflatorio/etc/wireguard/public.key1
-rw-r--r--ansible/group_vars/all/dovedot-secret.yml43
-rw-r--r--ansible/group_vars/all/postfix-secret.yml6
-rw-r--r--ansible/group_vars/wireguard_net1.yml2
-rw-r--r--ansible/host_vars/malabaricus/postfix.yml11
-rw-r--r--ansible/roles/dovecot/tasks/main.yml20
-rw-r--r--ansible/roles/postfix-satellite/tasks/postfix-satellite.yml15
-rw-r--r--ansible/roles/ufw/tasks/main.yml26
9 files changed, 104 insertions, 36 deletions
diff --git a/ansible/all.yml b/ansible/all.yml
index 86b0688..99f0d6f 100644
--- a/ansible/all.yml
+++ b/ansible/all.yml
@@ -11,11 +11,27 @@
- knot
roles:
- postfix
+ - dovecot
- hosts:
- all !knot
roles:
- postfix-satellite
+ vars:
+ username: "{{ ansible_hostname }}.trygvis.io"
+ postfix:
+ sasl_password:
+ - host: "[trygvis.io]:587"
+ username: "{{ username }}"
+ password: "{{ dovecot__passwords[username] }}"
+
+ tasks:
+ - tags: postfix-satellite
+ become: yes
+ lineinfile:
+ dest: /etc/postfix/sasl_passwd
+ state: absent
+ regex: "^\\[knot.trygvis.io\\]"
- hosts:
- linode-dns-update
diff --git a/ansible/files/conflatorio/etc/wireguard/public.key b/ansible/files/conflatorio/etc/wireguard/public.key
new file mode 100644
index 0000000..dc49595
--- /dev/null
+++ b/ansible/files/conflatorio/etc/wireguard/public.key
@@ -0,0 +1 @@
+Rdq2LKzVxDBuXhimgLA1ZW9qFKCypHhBSaBx+24w3gA=
diff --git a/ansible/group_vars/all/dovedot-secret.yml b/ansible/group_vars/all/dovedot-secret.yml
new file mode 100644
index 0000000..173bef0
--- /dev/null
+++ b/ansible/group_vars/all/dovedot-secret.yml
@@ -0,0 +1,43 @@
+$ANSIBLE_VAULT;1.1;AES256
+63353563353533356137306637316439636363303934346565346566373936623835656363623636
+3038366463373336356163616637346235633063626637350a393134653533373034326635643339
+37663334363134393939323064663364313437383531353431653364616564353339663138653832
+6264323030356539380a353466663139633339363166626436333336316561323930373234376361
+63313135336535386538373961353736356334313630316639363935613539633135643137383763
+31623631636539663736356261313139373832323833663936316238376566623538643737656463
+66353435653264666638613531313536616238643861616165613566306630643339303365333663
+33313432393862383333313030656137343334313636643235313330343138306365393664386561
+64333034316632366533343366303731653830633339633635636632653338633264313265643334
+63646534343036646135353264336366663062316636613532643537313963323930343663646337
+64626434356565643737393431373339616433356339316665303863623566363336363834373365
+39663061643235303335663838636435613230383438653439306437623663393932663231393530
+33666364363235616635616666333935306261623930616361373963313962356638396531316437
+62376332373861666636333466306361666137386439633265316433636431306663633361653764
+61326634643737383366373339386131376366326564633564636331353365363738303330656532
+30366330383636323333663432653363626262306637363037353233336365646432616634323132
+35613634333163616563646130653464393632353035623130336166343565303930303432646331
+32373235396531306336663333303938613963613261386566613933323535313761363066313432
+34366439333266366139626465366266363531623662386463653834396262663333303739363532
+37376137326562326334323163666533376439323336663937346262323662353664356137333665
+39643335393766643766393334373631643735626464613737376261663338626164643535663838
+37663836633064636466383665333939653335666635363964626531356462333939376264396263
+31623033616639333236623230343761343738326539336431646432316638333030666639366633
+38353661363532653762373565613830663466656330636433383337646366303134303934623963
+35373038303336396337376633343162356136346661336538663534363135323366323966393364
+63316163346332393765333932386531323138333564626562643737633066666433663235656233
+36653965613435313364626531663964323565626536306436356562386462613534626462646466
+30643861633537303839613333333434633633343833613565643636343930666337313139613730
+35366337383931316633613631353864336237326233626531646536633034333939653332653933
+36343231626634633963316530336132623933643438333266343963636438393434333536353832
+66396234303937383334306135346136643463363964383339323265376630326163343463333238
+63666634303030323433336338663565663630666636363337323839393434646265363631373665
+35653237326130323036666635616438343734383035393962333536323637626135386266656339
+32326162356338303431643736383566356266636662393065323334383362306466313431663433
+36366562303638663231363764363834346432353661623033346431333236623339306334633131
+62343361383636326139383634363366386131336337613366336363343430373466353465613662
+39663062386337626162346662376164303637326632643061336636643839363730653638366231
+35363163326235623438336432306235356630366435663530356438383039363563313339613839
+38633236333062343032616561636339626361663132626163376538386566636363303736326264
+31306333316661316363373065626435363066396438633936356438656164313362306262636638
+36376665386566346432306538376337386638613264653936306365633039646663383235306135
+3338313061353364303632663766303531626561653666393434
diff --git a/ansible/group_vars/all/postfix-secret.yml b/ansible/group_vars/all/postfix-secret.yml
new file mode 100644
index 0000000..0924a65
--- /dev/null
+++ b/ansible/group_vars/all/postfix-secret.yml
@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.1;AES256
+66656639623865393533323337343131323763383364303365383461313364626363353034653861
+6264653564373334303230356137363438613535616164660a363135656563653066316364623266
+64613430396638633662386530343338396235386336306637646533353833626461323335363164
+6235643635313530330a396337623865353765323634633661396237383964646239626238383739
+3433
diff --git a/ansible/group_vars/wireguard_net1.yml b/ansible/group_vars/wireguard_net1.yml
index 716778e..0dc958e 100644
--- a/ansible/group_vars/wireguard_net1.yml
+++ b/ansible/group_vars/wireguard_net1.yml
@@ -16,7 +16,7 @@ wireguard__clients:
ipv4: 192.168.80.2
ipv6: fdf3:aad9:a885:0b3a::2
conflatorio:
- state: absent
+ state: present
ipv4: 192.168.80.3
ipv6: fdf3:aad9:a885:0b3a::3
fuckaduck:
diff --git a/ansible/host_vars/malabaricus/postfix.yml b/ansible/host_vars/malabaricus/postfix.yml
deleted file mode 100644
index a78e062..0000000
--- a/ansible/host_vars/malabaricus/postfix.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-62376638333038663363323337633031383533623661393361623265353762646633396234343038
-3465373234366261363965623166353662303366303463360a393937393333373631366263663234
-36303863613734393238343837383230393730646331303037316438353932666434383332653130
-6566346565376561630a623662653730633239376136326137653764393734656339626466363131
-37376130306364663961376637656366636139666365343132353331633138636339323938383664
-65326537323232366635613965653135393538623363346137636265643337633839316237666131
-32316339353736616439306531376466383935313032333238373637373031303465623038376238
-65356263666263636134646164626136326635623736646635326161663833613534316139636534
-65326663356139343330396635396134666362333531303635613735353534306562373333623165
-3938616134376462336131323934373538336132313036633063
diff --git a/ansible/roles/dovecot/tasks/main.yml b/ansible/roles/dovecot/tasks/main.yml
new file mode 100644
index 0000000..1ee3b8d
--- /dev/null
+++ b/ansible/roles/dovecot/tasks/main.yml
@@ -0,0 +1,20 @@
+- tags:
+ - dovecot
+ - packages
+ become: yes
+ apt:
+ name: python-passlib
+ install_recommends: no
+
+- tags:
+ - dovecot
+ - update-passwords
+ become: yes
+ with_dict: "{{ dovecot__passwords }}"
+ no_log: yes
+ htpasswd:
+ path: /etc/dovecot/users
+ name: "{{ item.key }}"
+ password: "{{ item.value }}"
+ crypt_scheme: sha512_crypt
+ state: "{{ 'absent' if not item.value or item.value.strip() == '' else 'present' }}"
diff --git a/ansible/roles/postfix-satellite/tasks/postfix-satellite.yml b/ansible/roles/postfix-satellite/tasks/postfix-satellite.yml
index 5f8f02a..a92250a 100644
--- a/ansible/roles/postfix-satellite/tasks/postfix-satellite.yml
+++ b/ansible/roles/postfix-satellite/tasks/postfix-satellite.yml
@@ -1,15 +1,12 @@
-- name: Update apt cache
- apt:
- update_cache: yes
- cache_valid_time: 3600
- name: Install package
package:
- name: "{{ item }}"
+ name: "{{ items }}"
state: present
- with_items:
- - postfix
- - libsasl2-modules
- - swaks
+ vars:
+ items:
+ - postfix
+ - libsasl2-modules
+ - swaks
- name: "Configure postfix: main.cf"
tags: postfix-satellite-config
diff --git a/ansible/roles/ufw/tasks/main.yml b/ansible/roles/ufw/tasks/main.yml
index 0579f0a..b6a963b 100644
--- a/ansible/roles/ufw/tasks/main.yml
+++ b/ansible/roles/ufw/tasks/main.yml
@@ -2,17 +2,21 @@
- ufw
become: yes
block:
- - when:
- notify: ufw reload
+ - notify: ufw reload
+ vars:
+ state: "{{ 'present' if ufw__nat_address is defined else 'absent' }}"
+ nat:
+ address: "{{ ufw__nat_address if ufw__nat_address is defined else '' }}"
+ prefix: "{{ ufw__nat_prefix if ufw__nat_prefix is defined else '' }}"
blockinfile:
path: /etc/ufw/before.rules
insertbefore: "^# Don't delete these required lines"
marker: "# NAT config: {mark}"
- state: "{{ 'present' if ufw__nat_address is defined else 'absent' }}"
+ state: "{{ state }}"
content: |
*nat
:POSTROUTING ACCEPT [0:0]
- -A POSTROUTING -s {{ ufw__nat_address }}/{{ ufw__nat_prefix }} -o eth0 -j MASQUERADE
+ -A POSTROUTING -s {{ nat.address }}/{{ nat.prefix }} -o eth0 -j MASQUERADE
COMMIT
- notify: ufw reload
@@ -33,14 +37,6 @@
- ufw:
state: enabled
-# - ufw:
-# default: allow
-# direction: out
-
-# - ufw:
-# policy: deny
-# direction: out
-
-# - ufw:
-# policy: allow
-# direction: routed
+ - ufw:
+ name: OpenSSH
+ rule: allow