o Adding rosin and numquam.

o Adding unattended-upgrades.

12 files changed, 331 insertions, 3 deletions

diff --git a/ansible/group_vars/all/unattended-upgrades.yml b/ansible/group_vars/all/unattended-upgrades.yml
new file mode 100644
index 0000000..b3ca37a
--- /dev/null
+++ b/ansible/group_vars/all/unattended-upgrades.yml
@@ -0,0 +1,2 @@
+unattended_upgrades:
+  mail: root@inamo.no
diff --git a/ansible/host_vars/numquam/rosin_secret.yml b/ansible/host_vars/numquam/rosin_secret.yml
new file mode 100644
index 0000000..fe2cc41
--- /dev/null
+++ b/ansible/host_vars/numquam/rosin_secret.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+33393536373264646466653564653130343331366262646331333331343030346131363636386137
+3335323235633466366262656263383863396631353930370a653630376237633336656162356261
+61306633643233343133343135366233663237313365386163383039323830316430336463313739
+3466303364343931300a386232326561396534396464326339303061663236346532366639643037
+37376461306333313466656337636238303734386133353835633533393862373337323232393832
+37636531333136356636623461626231643130353634373764633736383835663939386536346137
+31363565616636323864333536616262363134613432643736616265306166306366656231356330
+36386162363036333035
diff --git a/ansible/numquam.yml b/ansible/numquam.yml
index 36ec607..c75987f 100644
--- a/ansible/numquam.yml
+++ b/ansible/numquam.yml
@@ -1,8 +1,28 @@
 ---
 - hosts:
     - numquam
-  vars_files:
-    - secrets.yml
   roles:
-    - superusers
     - timezone
+    - superusers
+  tasks:
+    - name: timezone
+      import_role: name=timezone
+      tags: timezone
+    - name: superusers
+      import_role: name=superusers
+      tags: superusers
+    - name: unattended-upgrades
+      import_role: name=unattended-upgrades
+      tags: unattended-upgrades
+    - name: postgresql-server
+      import_role: name=postgresql-server
+      tags: postgresql-server
+      become: yes
+    - name: java8
+      import_role: name=java8
+      tags: java8
+      become: yes
+    - name: rosin
+      import_role: name=rosin
+      tags: rosin
+      become: yes
diff --git a/ansible/roles/rosin/handlers/main.yml b/ansible/roles/rosin/handlers/main.yml
new file mode 100644
index 0000000..5248ca9
--- /dev/null
+++ b/ansible/roles/rosin/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+- name: reload nginx
+  become: yes
+  service:
+    name: nginx
+    state: reloaded
+
+- name: apt update
+  become: yes
+  apt:
+    update_cache: yes
diff --git a/ansible/roles/rosin/tasks/main.yml b/ansible/roles/rosin/tasks/main.yml
new file mode 100644
index 0000000..7a9805b
--- /dev/null
+++ b/ansible/roles/rosin/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: rosin account
+  user:
+    name: rosin
+    shell: "/bin/bash"
+    createhome: no
+    home: /home/rosin
+    system: yes
+- name: nginx
+  tags: nginx
+  import_tasks: nginx.yml
+- name: rosin-db
+  tags: rosin-db
+  import_tasks: rosin-db.yml
+    
diff --git a/ansible/roles/rosin/tasks/nginx.yml b/ansible/roles/rosin/tasks/nginx.yml
new file mode 100644
index 0000000..8ef9145
--- /dev/null
+++ b/ansible/roles/rosin/tasks/nginx.yml
@@ -0,0 +1,31 @@
+---
+- name: Packages for nginx
+  apt:
+    name: "{{ item }}"
+    install_recommends: no
+  with_items:
+    - nginx
+    - certbot
+    - python3-certbot-nginx
+
+- name: no default nginx site
+  notify: reload nginx
+  file:
+    path: /etc/nginx/sites-enabled/default
+    state: absent
+
+- name: nginx config
+  notify: reload nginx
+  template:
+    dest: "/etc/nginx/sites-enabled/rosin.trygvis.io"
+    src: etc/nginx/sites-enabled/rosin.j2
+
+- name: docroot dir
+  file:
+    path: "/var/www/rosin"
+    state: directory
+
+#- name: docroot dir
+#  copy:
+#    dest: "/var/www/rosin/index.html"
+#    src: "docroot/index.html"
diff --git a/ansible/roles/rosin/tasks/rosin-db.yml b/ansible/roles/rosin/tasks/rosin-db.yml
new file mode 100644
index 0000000..be2eac1
--- /dev/null
+++ b/ansible/roles/rosin/tasks/rosin-db.yml
@@ -0,0 +1,36 @@
+---
+- name: packages
+  apt:
+    name: "{{ item }}"
+    install_recommends: no
+  with_items:
+    - python-psycopg2
+    - python3-psycopg2
+- become: yes
+  become_user: postgres
+  vars:
+    ansible_ssh_pipelining: true
+  block:
+    - name: create-user rosin-prod
+      tags: update-password
+      postgresql_user:
+        name: rosin-prod
+        password: "{{ rosin_secret.db_password_rosin_prod }}"
+        encrypted: yes
+    - name: createdb rosin-prod
+      postgresql_db:
+        name: "rosin-prod"
+        encoding: "utf-8"
+        owner: "rosin-prod"
+    - name: enable uuid extension
+      postgresql_ext:
+        name: uuid-ossp
+        db: rosin-prod
+    - name: grant permissions
+      postgresql_privs:
+        database: rosin-prod
+        state: present
+        privs: USAGE
+        type: schema
+        objs: public
+        roles: rosin-prod
diff --git a/ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j2 b/ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j2
new file mode 100644
index 0000000..a67899c
--- /dev/null
+++ b/ansible/roles/rosin/templates/etc/nginx/sites-enabled/rosin.j2
@@ -0,0 +1,52 @@
+# Managed by Ansible
+
+server {
+    server_name numquam.trygvis.io;
+
+#    listen 443 default_server ssl;
+#    include /etc/letsencrypt/options-ssl-nginx.conf;
+#    ssl_certificate /etc/letsencrypt/live/numquam.trygvis.io/fullchain.pem; # managed by Certbot
+#    ssl_certificate_key /etc/letsencrypt/live/numquam.trygvis.io/privkey.pem; # managed by Certbot
+#    ssl_trusted_certificate /etc/letsencrypt/live/numquam.trygvis.io/fullchain.pem;
+
+    listen 80 default_server;
+
+    location / {
+        # Pløens gate 4
+        allow 77.40.158.96/27;
+        allow 2001:840:4b0b::/48;
+
+        # Cloudflare
+        allow 2400:cb00::/32;
+        allow 2405:8100::/32;
+        allow 2405:b500::/32;
+        allow 2606:4700::/32;
+        allow 2803:f800::/32;
+        allow 2c0f:f248::/32;
+        allow 2a06:98c0::/29;
+        allow 103.21.244.0/22;
+        allow 103.22.200.0/22;
+        allow 103.31.4.0/22;
+        allow 104.16.0.0/12;
+        allow 108.162.192.0/18;
+        allow 131.0.72.0/22;
+        allow 141.101.64.0/18;
+        allow 162.158.0.0/15;
+        allow 172.64.0.0/13;
+        allow 173.245.48.0/20;
+        allow 188.114.96.0/20;
+        allow 190.93.240.0/20;
+        allow 197.234.240.0/22;
+        allow 198.41.128.0/17;
+
+        deny all;
+        try_files $uri @proxy;
+    }
+
+    location @proxy {
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_pass http://127.0.0.1:{{ rosin.http_port }};
+    }
+}
diff --git a/ansible/roles/rosin/vars/main.yml b/ansible/roles/rosin/vars/main.yml
new file mode 100644
index 0000000..be784dc
--- /dev/null
+++ b/ansible/roles/rosin/vars/main.yml
@@ -0,0 +1,3 @@
+rosin:
+  http_port: 7410
+wat: awesome
diff --git a/ansible/roles/timezone/tasks/main.yml b/ansible/roles/timezone/tasks/main.yml
index 1279897..3b81702 100644
--- a/ansible/roles/timezone/tasks/main.yml
+++ b/ansible/roles/timezone/tasks/main.yml
@@ -5,4 +5,5 @@
     src: /usr/share/zoneinfo/Europe/Oslo
     dest: /etc/localtime
     state: link
+    force: yes
   notify: reconfigure tzdata
diff --git a/ansible/roles/unattended-upgrades/README.md b/ansible/roles/unattended-upgrades/README.md
new file mode 100644
index 0000000..eee9ff7
--- /dev/null
+++ b/ansible/roles/unattended-upgrades/README.md
@@ -0,0 +1,109 @@
+# Original /etc/apt/apt.conf.d/50unattended-upgrades
+
+	// Unattended-Upgrade::Origins-Pattern controls which packages are
+	// upgraded.
+	//
+	// Lines below have the format format is "keyword=value,...".  A
+	// package will be upgraded only if the values in its metadata match
+	// all the supplied keywords in a line.  (In other words, omitted
+	// keywords are wild cards.) The keywords originate from the Release
+	// file, but several aliases are accepted.  The accepted keywords are:
+	//   a,archive,suite (eg, "stable")
+	//   c,component     (eg, "main", "contrib", "non-free")
+	//   l,label         (eg, "Debian", "Debian-Security")
+	//   o,origin        (eg, "Debian", "Unofficial Multimedia Packages")
+	//   n,codename      (eg, "jessie", "jessie-updates")
+	//     site          (eg, "http.debian.net")
+	// The available values on the system are printed by the command
+	// "apt-cache policy", and can be debugged by running
+	// "unattended-upgrades -d" and looking at the log file.
+	//
+	// Within lines unattended-upgrades allows 2 macros whose values are
+	// derived from /etc/debian_version:
+	//   ${distro_id}            Installed origin.
+	//   ${distro_codename}      Installed codename (eg, "jessie")
+	Unattended-Upgrade::Origins-Pattern {
+			// Codename based matching:
+			// This will follow the migration of a release through different
+			// archives (e.g. from testing to stable and later oldstable).
+	//      "o=Debian,n=jessie";
+	//      "o=Debian,n=jessie-updates";
+	//      "o=Debian,n=jessie-proposed-updates";
+	//      "o=Debian,n=jessie,l=Debian-Security";
+
+			// Archive or Suite based matching:
+			// Note that this will silently match a different release after
+			// migration to the specified archive (e.g. testing becomes the
+			// new stable).
+	//      "o=Debian,a=stable";
+	//      "o=Debian,a=stable-updates";
+	//      "o=Debian,a=proposed-updates";
+			"origin=Debian,codename=${distro_codename},label=Debian-Security";
+	};
+
+	// List of packages to not update (regexp are supported)
+	Unattended-Upgrade::Package-Blacklist {
+	//	"vim";
+	//	"libc6";
+	//	"libc6-dev";
+	//	"libc6-i686";
+	};
+
+	// This option allows you to control if on a unclean dpkg exit
+	// unattended-upgrades will automatically run 
+	//   dpkg --force-confold --configure -a
+	// The default is true, to ensure updates keep getting installed
+	//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
+
+	// Split the upgrade into the smallest possible chunks so that
+	// they can be interrupted with SIGUSR1. This makes the upgrade
+	// a bit slower but it has the benefit that shutdown while a upgrade
+	// is running is possible (with a small delay)
+	//Unattended-Upgrade::MinimalSteps "true";
+
+	// Install all unattended-upgrades when the machine is shuting down
+	// instead of doing it in the background while the machine is running
+	// This will (obviously) make shutdown slower
+	//Unattended-Upgrade::InstallOnShutdown "true";
+
+	// Send email to this address for problems or packages upgrades
+	// If empty or unset then no email is sent, make sure that you
+	// have a working mail setup on your system. A package that provides
+	// 'mailx' must be installed. E.g. "user@example.com"
+	//Unattended-Upgrade::Mail "root";
+
+	// Set this value to "true" to get emails only on errors. Default
+	// is to always send a mail if Unattended-Upgrade::Mail is set
+	//Unattended-Upgrade::MailOnlyOnError "true";
+
+	// Do automatic removal of new unused dependencies after the upgrade
+	// (equivalent to apt-get autoremove)
+	//Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+	// Automatically reboot *WITHOUT CONFIRMATION* if
+	//  the file /var/run/reboot-required is found after the upgrade 
+	//Unattended-Upgrade::Automatic-Reboot "false";
+
+	// Automatically reboot even if there are users currently logged in.
+	//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
+
+	// If automatic reboot is enabled and needed, reboot at the specific
+	// time instead of immediately
+	//  Default: "now"
+	//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+
+	// Use apt bandwidth limit feature, this example limits the download
+	// speed to 70kb/sec
+	//Acquire::http::Dl-Limit "70";
+
+	// Enable logging to syslog. Default is False
+	// Unattended-Upgrade::SyslogEnable "false";
+
+	// Specify syslog facility. Default is daemon
+	// Unattended-Upgrade::SyslogFacility "daemon";
+
+# Original /etc/apt/apt.conf.d/20auto-upgrades
+
+	APT::Periodic::Update-Package-Lists "1";
+	APT::Periodic::Unattended-Upgrade "1";
+
diff --git a/ansible/roles/unattended-upgrades/tasks/main.yml b/ansible/roles/unattended-upgrades/tasks/main.yml
new file mode 100644
index 0000000..0bc02a1
--- /dev/null
+++ b/ansible/roles/unattended-upgrades/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+- name: Packages for unattended upgrades
+  become: true
+  apt:
+    name: "{{ item }}"
+    install_recommends: no
+  with_items:
+    - unattended-upgrades
+    - apt-listchanges
+
+- name: Configure /etc/apt/apt.conf.d/50unattended-upgrades
+  become: true
+  copy:
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+    content: |
+      Unattended-Upgrade::Origins-Pattern {
+          "origin=Debian,codename=${distro_codename},label=Debian";
+          "origin=Debian,codename=${distro_codename}-updates,label=Debian";
+          "origin=Debian,codename=${distro_codename},label=Debian-Security";
+          "origin=apt.postgresql.org,codename=${distro_codename}-pgdg,label=PostgreSQL for Debian/Ubuntu repository";
+      }
+      Unattended-Upgrade::MinimalSteps "False";
+      Unattended-Upgrade::Mail "{{ unattended_upgrades.mail }}";
+      Unattended-Upgrade::MailOnlyOnError "false";
+
+- name: Configure /etc/apt/apt.conf.d/20auto-upgrades
+  become: true
+  copy:
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+    content: |
+      APT::Periodic::Update-Package-Lists "1";
+      APT::Periodic::Unattended-Upgrade "1";
+
+- name: Configure /etc/apt/listchanges.conf
+  become: true
+  lineinfile:
+    dest: /etc/apt/listchanges.conf
+    line: "email_address={{ unattended_upgrades.mail }}"
+    regexp: "^email_address="