authorTrygve Laugstøl <trygvis@inamo.no>2018-11-26 22:33:54 +0100
committerTrygve Laugstøl <trygvis@inamo.no>2018-11-26 22:33:54 +0100
commitb7bccaf7ff75fd2234b9232f595cbc8e226b80e9 (patch)
tree3e2822166b9be455f7589e56ca28a685bbccd2d8 /ansible
parent6fe44ad6366232314d45502d387ccbc671e84d9f (diff)
downloadinfra-b7bccaf7ff75fd2234b9232f595cbc8e226b80e9.tar.gz
infra-b7bccaf7ff75fd2234b9232f595cbc8e226b80e9.tar.bz2
infra-b7bccaf7ff75fd2234b9232f595cbc8e226b80e9.tar.xz
infra-b7bccaf7ff75fd2234b9232f595cbc8e226b80e9.zip
o Importing bitraf-base, packages and postfix-satellite from Bitraf.
o Configuring nextcloud.
Diffstat (limited to 'ansible')
-rw-r--r--ansible/all.yml19
-rw-r--r--ansible/group_vars/all/host_database.yml26
-rw-r--r--ansible/group_vars/all/postfix.yml1
-rw-r--r--ansible/group_vars/all/users.yml3
-rw-r--r--ansible/group_vars/modern1/trygvis-base.yml5
-rw-r--r--ansible/host_vars/birgitte/lxc.yml8
-rw-r--r--ansible/host_vars/birgitte/users.yml5
-rw-r--r--ansible/host_vars/nextcloud/packages.yml4
-rw-r--r--ansible/host_vars/nextcloud/postfix.yml5
-rw-r--r--ansible/host_vars/nextcloud/users.yml5
-rw-r--r--ansible/inventory11
-rw-r--r--ansible/roles/lxc-host/defaults/main.yml1
-rw-r--r--ansible/roles/lxc-host/handlers/main.yml22
-rw-r--r--ansible/roles/lxc-host/tasks/main.yml72
-rw-r--r--ansible/roles/lxc-host/tasks/networkd.yml119
-rw-r--r--ansible/roles/lxc-host/tasks/per-host.yml143
-rw-r--r--ansible/roles/packages/defaults/main.yml2
-rw-r--r--ansible/roles/packages/handlers/main.yml5
-rw-r--r--ansible/roles/packages/tasks/main.yml37
-rw-r--r--ansible/roles/postfix-satellite/handlers/main.yml8
-rw-r--r--ansible/roles/postfix-satellite/tasks/main.yml4
-rw-r--r--ansible/roles/postfix-satellite/tasks/postfix-satellite.yml70
-rw-r--r--ansible/roles/trygvis-base/defaults/main.yml7
-rw-r--r--ansible/roles/trygvis-base/handlers/main.yml7
-rw-r--r--ansible/roles/trygvis-base/tasks/main.yml57
25 files changed, 600 insertions, 46 deletions
diff --git a/ansible/all.yml b/ansible/all.yml
index 0a493b6..3103f3b 100644
--- a/ansible/all.yml
+++ b/ansible/all.yml
@@ -1,11 +1,28 @@
- hosts:
+ - all
+ roles:
+ - lusers
+ - superusers
+ - packages
+ - trygvis-base
+
+- hosts:
- knot
roles:
- postfix
- hosts:
- - all
+ - all !knot
+ roles:
+ - postfix-satellite
+
+- hosts:
- desktops
- sbcs
roles:
- linode-dns-update
+
+- hosts:
+ - lxc-hosts
+ roles:
+ - lxc-host
diff --git a/ansible/group_vars/all/host_database.yml b/ansible/group_vars/all/host_database.yml
new file mode 100644
index 0000000..cbc1582
--- /dev/null
+++ b/ansible/group_vars/all/host_database.yml
@@ -0,0 +1,26 @@
+host_database:
+ birgitte:
+ interfaces:
+ wlx00e01d0808b2:
+ role: wan
+ ipv4:
+ address: 192.168.10.3
+ netmask: 24
+ gateway: 192.168.10.1
+ int0:
+ role: lan
+ ipv4:
+ address: 192.168.90.100
+ netmask: 24
+ ipv6:
+ address: cafe::1
+ netmask: 64
+ nextcloud:
+ interfaces:
+ eth0:
+ role: lan
+ hwaddr: 0e:18:a7:03:50:54
+ ipv4:
+ address: 192.168.90.101
+ netmask: 24
+ gateway: 192.168.90.100
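Review bot: The new `host_database` mapping carries no comment stating the schema that the lxc-host role depends on: `role` is matched against `lan`/`wan` by the json_query in roles/lxc-host/tasks/main.yml, `hwaddr` is rendered unconditionally for a container's lan interface in per-host.yml, and `ipv4`/`ipv4.gateway` are optional there. A header comment such as `# Consumed by roles/lxc-host: interfaces keyed by device name; role is wan or lan; a container's lan interface must carry hwaddr` would save the next reader a trip through the role. The same address for nextcloud is repeated by hand in ansible/inventory, so a note on which of the two is authoritative would also help.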
diff --git a/ansible/group_vars/all/postfix.yml b/ansible/group_vars/all/postfix.yml
new file mode 100644
index 0000000..56516f1
--- /dev/null
+++ b/ansible/group_vars/all/postfix.yml
@@ -0,0 +1 @@
+postfix__relayhost: "[trygvis.io]:587"
diff --git a/ansible/group_vars/all/users.yml b/ansible/group_vars/all/users.yml
index 23304ba..a2a59d3 100644
--- a/ansible/group_vars/all/users.yml
+++ b/ansible/group_vars/all/users.yml
@@ -3,4 +3,5 @@ users:
authorized_keys: |
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPX+sVfRvl0+KxsDlbIutyB/Es3exTwNfDVHwi9orwz3 trygvis@birgitte
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAzB6JB/hZ87M6ozsd7lgKxgOacEOZZRxa4ucs11lqq trygvis@conflatorio
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+I9Xa11yaOzGCBkJQEYExYL7gSWYwdOGgT2KBMnKur trygvis@arius
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMRccGxF1l7xIUavu5vDqypCe/aon3+bdFgEhPa7pPb trygvis@arius-v3
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/Xrsk69KhaXdHPcbBoCbqlQ2DXmx77OnkLAk22ui5m trygvis@malabaricus
diff --git a/ansible/group_vars/modern1/trygvis-base.yml b/ansible/group_vars/modern1/trygvis-base.yml
new file mode 100644
index 0000000..b530673
--- /dev/null
+++ b/ansible/group_vars/modern1/trygvis-base.yml
@@ -0,0 +1,5 @@
+trygvis_base__etc_localtime: yes
+trygvis_base__remove_root_authorized_keys: yes
+trygvis_base__fix_aliases: yes
+trygvis_base__fix_hosts: yes
+trygvis_base__syslog: yes
diff --git a/ansible/host_vars/birgitte/lxc.yml b/ansible/host_vars/birgitte/lxc.yml
new file mode 100644
index 0000000..9233b4b
--- /dev/null
+++ b/ansible/host_vars/birgitte/lxc.yml
@@ -0,0 +1,8 @@
+lxc_host_containers:
+ nextcloud:
+ state: started
+
+lxc_host__enable_network_cfg: yes
+lxc_host__hardware_if: wlx00e01d0808b2
+lxc_host__br_if: br0
+lxc_host__internal_if: int0
diff --git a/ansible/host_vars/birgitte/users.yml b/ansible/host_vars/birgitte/users.yml
new file mode 100644
index 0000000..d0d4852
--- /dev/null
+++ b/ansible/host_vars/birgitte/users.yml
@@ -0,0 +1,5 @@
+lusers:
+ - trygvis
+
+superusers:
+ - trygvis
diff --git a/ansible/host_vars/nextcloud/packages.yml b/ansible/host_vars/nextcloud/packages.yml
new file mode 100644
index 0000000..a37731d
--- /dev/null
+++ b/ansible/host_vars/nextcloud/packages.yml
@@ -0,0 +1,4 @@
+packages_packages:
+ - less
+ - git
+ - vim
diff --git a/ansible/host_vars/nextcloud/postfix.yml b/ansible/host_vars/nextcloud/postfix.yml
new file mode 100644
index 0000000..83974e9
--- /dev/null
+++ b/ansible/host_vars/nextcloud/postfix.yml
@@ -0,0 +1,5 @@
+postfix:
+ sasl_password:
+ - host: "[trygvis.io]:587"
+ username: nextcloud.trygvis.io
+ password: gWC8uPCT90
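Review bot: The last line of the hunk commits an SMTP SASL password in clear text to the repository; once pushed it stays in history, so the credential for `nextcloud.trygvis.io` should be rotated at the relay and the replacement stored with `ansible-vault` (encrypt this host_vars file, or use an inline `!vault` value for the `password` key) instead of plain YAML. The `no_log: yes` on the consuming task in postfix-satellite.yml hides the value from play output only, not from the file in git.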
diff --git a/ansible/host_vars/nextcloud/users.yml b/ansible/host_vars/nextcloud/users.yml
new file mode 100644
index 0000000..d0d4852
--- /dev/null
+++ b/ansible/host_vars/nextcloud/users.yml
@@ -0,0 +1,5 @@
+lusers:
+ - trygvis
+
+superusers:
+ - trygvis
diff --git a/ansible/inventory b/ansible/inventory
index 3ae9b34..4c99672 100644
--- a/ansible/inventory
+++ b/ansible/inventory
@@ -16,6 +16,8 @@ all:
ansible_host: malabaricus.trygvis.io
conflatorio:
ansible_host: conflatorio.trygvis.io
+ nextcloud:
+ ansible_host: 192.168.90.101
children:
desktops:
hosts:
@@ -27,6 +29,15 @@ all:
hosts:
homepi:
malabaricus:
+ modern1:
+ hosts:
+ nextcloud:
+ homepi:
+ malabaricus:
+ lxc-hosts:
+ hosts:
+ birgitte:
+# knot:
vm:
hosts:
mw:
diff --git a/ansible/roles/lxc-host/defaults/main.yml b/ansible/roles/lxc-host/defaults/main.yml
new file mode 100644
index 0000000..462ba8c
--- /dev/null
+++ b/ansible/roles/lxc-host/defaults/main.yml
@@ -0,0 +1 @@
+lxc_host__backing_store: dir
diff --git a/ansible/roles/lxc-host/handlers/main.yml b/ansible/roles/lxc-host/handlers/main.yml
new file mode 100644
index 0000000..7e7dc9c
--- /dev/null
+++ b/ansible/roles/lxc-host/handlers/main.yml
@@ -0,0 +1,22 @@
+- name: restart sysctl
+ become: yes
+ service:
+ name: systemd-sysctl.service
+ state: restarted
+
+- name: restart radvd
+ become: yes
+ service:
+ name: radvd.service
+ state: restarted
+
+- name: systemctl restart systemd-networkd
+ become: yes
+ service:
+ name: systemd-networkd
+ state: restarted
+
+- name: reload ufw
+ become: yes
+ ufw:
+ state: reloaded
diff --git a/ansible/roles/lxc-host/tasks/main.yml b/ansible/roles/lxc-host/tasks/main.yml
index ba511c9..ab86969 100644
--- a/ansible/roles/lxc-host/tasks/main.yml
+++ b/ansible/roles/lxc-host/tasks/main.yml
@@ -1,11 +1,71 @@
-- name: Remove default network setup packages
+- name: Install packages
+ tags:
+ - lxc-host
+ - lxc-host-packages
+ - radvd
+ become: yes
apt:
- name: "{{ item }}"
+ name: "{{ items }}"
install_recommends: no
- with_items:
- - python-lxc
+ vars:
+ items:
+ - lxc
+ - python-lxc
+ - radvd
+
+#- debug:
+# msg: "item={{ item }}, host={{ host }}, lan={{ lan }}"
+# tags:
+# - lxc-host
+# with_dict: "{{ lxc_host_containers }}"
+# vars:
+# i: "{{ item }}"
+# host: "{{ host_database[item.key] }}"
+# lan: "{{ host_database | json_query(item.key + '.interfaces | * | [?role==`lan`]') | first }}"
+
+- name: Configure radvd
+ become: yes
+ tags:
+ - lxc-host
+ - radvd
+ vars:
+ ipv6: "{{ host_database[ansible_hostname].interfaces[lxc_host__internal_if].ipv6 }}"
+ notify: restart radvd
+ copy:
+ dest: /etc/radvd.conf
+ content: |
+ interface {{ lxc_host__br_if }}
+ {
+ AdvSendAdvert on;
+ MinRtrAdvInterval 5;
+ MaxRtrAdvInterval 10;
+ MinDelayBetweenRAs 1;
+
+ AdvDefaultPreference medium;
+ AdvLinkMTU 1500;
+
+ prefix {{ ipv6.address }}/{{ ipv6.netmask }}
+ {
+ AdvOnLink on;
+ AdvAutonomous on;
+
+ AdvValidLifetime 14400;
+ AdvPreferredLifetime 3600;
+ AdvRouterAddr on;
+ };
+ };
+
+- name: Configure host networking
+ when: lxc_host__enable_network_cfg
+ tags:
+ - lxc-host
+ - lxc-host-network
+ include_tasks: networkd.yml
-- include_tasks: per-host.yml
+- tags: lxc-host
+ with_dict: "{{ lxc_host_containers }}"
vars:
i: "{{ item }}"
- with_dict: "{{ lxc_containers }}"
+ host: "{{ host_database[item.key] }}"
+ lan: "{{ host_database | json_query(item.key + '.interfaces | * | [?role==`lan`]') | first }}"
+ include_tasks: per-host.yml
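Review bot: The commented-out debug block between "Install packages" and "Configure radvd" repeats the live per-host loop at the end of the hunk almost verbatim and should be removed rather than kept as dead text. In that live loop, `| first` on the json_query result raises an unhelpful error for any container in `lxc_host_containers` whose host_database entry has no interface with `role: lan`; a short `assert` on the query length before the include, or `| default([])` plus a guard, would give a readable message. The same `host_database[item.key]` lookup fails in the same way for a container that has no host_database entry at all.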
diff --git a/ansible/roles/lxc-host/tasks/networkd.yml b/ansible/roles/lxc-host/tasks/networkd.yml
new file mode 100644
index 0000000..41ddb3f
--- /dev/null
+++ b/ansible/roles/lxc-host/tasks/networkd.yml
@@ -0,0 +1,119 @@
+- tags:
+ - lxc-host
+ - lxc-host-network
+ become: yes
+ vars:
+ hardware_if: "{{ host_database | json_query(ansible_hostname + '.interfaces.' + lxc_host__hardware_if) }}"
+ br_if: "{{ lxc_host__br_if }}"
+ internal_if: "{{ host_database | json_query(ansible_hostname + '.interfaces.' + lxc_host__internal_if) }}"
+ block:
+ - debug: var=hardware_if
+ - debug: var=br_if
+ - debug: var=internal_if
+
+ - name: Configure sysctl, enable ipv4 and ipv6 forwarding
+ become: yes
+ copy:
+ dest: /etc/sysctl.d/99-lxc-host.conf
+ content: |
+ net.ipv4.ip_forward=1
+ net.ipv6.conf.all.forwarding=1
+ notify: restart sysctl
+
+ - name: Enable UFW
+ become: yes
+ ufw:
+ state: enabled
+
+ - become: yes
+ ufw:
+ policy: allow
+ direction: outgoing
+
+ - become: yes
+ ufw:
+ policy: allow
+ direction: routed
+
+ - become: yes
+ ufw:
+ policy: deny
+ direction: incoming
+
+ - name: Enable NAT configuration through UFW
+ become: yes
+ notify: reload ufw
+ blockinfile:
+ path: /etc/ufw/before.rules
+ insertbefore: "# Don't delete these required lines, otherwise there will be errors"
+ block: |
+ # NAT table rules
+ *nat
+ :POSTROUTING ACCEPT [0:0]
+
+ # Forward traffic through eth0 - Change to match you out-interface
+ -A POSTROUTING -s {{ internal_if.ipv4.address }}/{{ internal_if.ipv4.netmask }} -o {{ lxc_host__hardware_if }} -j MASQUERADE
+
+ # don't delete the 'COMMIT' line or these nat table rules won't be processed
+ COMMIT
+
+ - name: enable systemd-networkd
+ service:
+ name: systemd-networkd
+ enabled: yes
+ state: started
+
+ - name: "/etc/systemd/network/50-0-lxc-host-{{ lxc_host__hardware_if }}.network"
+ notify: systemctl restart systemd-networkd
+ copy:
+ dest: "/etc/systemd/network/50-0-lxc-host-{{ lxc_host__hardware_if }}.network"
+ content: |
+ [Match]
+ Name={{ lxc_host__hardware_if }}
+
+ [Network]
+ Address={{ hardware_if.ipv4.address }}/{{ hardware_if.ipv4.netmask }}
+ Gateway={{ hardware_if.ipv4.gateway }}
+
+ - name: "/etc/systemd/network/50-1-lxc-host-{{ lxc_host__internal_if }}.netdev"
+ notify: systemctl restart systemd-networkd
+ copy:
+ dest: "/etc/systemd/network/50-1-lxc-host-{{ lxc_host__internal_if }}.netdev"
+ content: |
+ [NetDev]
+ Name={{ lxc_host__internal_if }}
+ Kind=dummy
+
+ - name: "/etc/systemd/network/50-2-lxc-host-{{ lxc_host__internal_if }}.network"
+ notify: systemctl restart systemd-networkd
+ copy:
+ dest: "/etc/systemd/network/50-2-lxc-host-{{ lxc_host__internal_if }}.network"
+ content: |
+ [Match]
+ Name={{ lxc_host__internal_if }}
+
+ [Network]
+ Bridge={{ br_if }}
+
+ - name: "/etc/systemd/network/50-3-lxc-host-{{ br_if }}.netdev"
+ notify: systemctl restart systemd-networkd
+ copy:
+ dest: "/etc/systemd/network/50-3-lxc-host-{{ br_if }}.netdev"
+ content: |
+ [NetDev]
+ Name={{ br_if }}
+ Kind=bridge
+
+ - name: "/etc/systemd/network/50-4-lxc-host-{{ br_if }}.network"
+ notify: systemctl restart systemd-networkd
+ copy:
+ dest: "/etc/systemd/network/50-4-lxc-host-{{ br_if }}.network"
+ content: |
+ [Match]
+ Name={{ br_if }}
+
+ [Network]
+ Address={{ internal_if.ipv4.address }}/{{ internal_if.ipv4.netmask }}
+ {% if internal_if.ipv6 is defined %}
+ Address={{ internal_if.ipv6.address }}/{{ internal_if.ipv6.netmask }}
+ {% endif %}
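Review bot: The three `ufw` policy tasks set `direction: routed` to `policy: allow` while the preceding sysctl task turns on IPv4 and IPv6 forwarding, so the default FORWARD policy accepts traffic in both directions — anything arriving on `{{ lxc_host__hardware_if }}` for the container network is forwarded, not just container egress. Keep the routed policy at `deny` and add one explicit egress rule next to the NAT block, i.e. the module's `route: yes` form of `ufw route allow in on {{ lxc_host__br_if }} out on {{ lxc_host__hardware_if }}`. The MASQUERADE rule in the `blockinfile` only rewrites the source of outbound packets from `internal_if.ipv4`; it does not filter inbound forwarding. The block also repeats `become: yes` on every task although it is already set on the enclosing block.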
diff --git a/ansible/roles/lxc-host/tasks/per-host.yml b/ansible/roles/lxc-host/tasks/per-host.yml
index d38267e..817497b 100644
--- a/ansible/roles/lxc-host/tasks/per-host.yml
+++ b/ansible/roles/lxc-host/tasks/per-host.yml
@@ -1,48 +1,115 @@
- debug:
msg: "LXC HOST: {{ i.key }}"
+ tags: lxc-host
-- name: lxc.network.type = veth
- register: type
- lineinfile:
- path: "/var/lib/lxc/{{ i.key }}/config"
- regexp: "lxc.network.type *="
- line: "lxc.network.type = veth"
-- name: lxc.network.link = br0
- register: link
- lineinfile:
- path: "/var/lib/lxc/{{ i.key }}/config"
- regexp: "lxc.network.link *="
- line: "lxc.network.link = br0"
-- name: Set IPv4 address {{ i.key }}
- register: ipv4
- lineinfile:
- path: "/var/lib/lxc/{{ i.key }}/config"
- regexp: "lxc.network.ipv4 *="
- line: "lxc.network.ipv4 = {{ i.value.ipv4.address }}/{{ i.value.ipv4.netmask }}"
-- name: Set IPv4 gateway
- register: ipv4_gateway
+- name: Create container
+ tags: lxc-host
+ become: yes
+ lxc_container:
+ name: "{{ i.key }}"
+ state: "{{ i.value.state }}"
+ template: debian
+ template_options: -r stretch --packages git,etckeeper,python,sudo
+ backing_store: "{{ lxc_host__backing_store }}"
+ zfs_root: "{{ lxc_host__zfs_root|default('') }}"
+ register: lxc
+
+- name: Connection info
+ tags: lxc-host
+ become: yes
+ when: lxc.changed
+ debug:
+ msg: "Container created! All keys for superusers are installed for
+ root user, so remember to add 'ansible_user=root' when running the
+ play for the host the first time."
+
+- name: Create /root/.ssh
+ tags: lxc-host
+ become: yes
+ when: lxc.changed
+ file:
+ path: "/var/lib/lxc/{{ i.key }}/rootfs/root/.ssh"
+ state: directory
+ mode: 0600
+ owner: root
+ group: root
+
+- name: Fill authorized_keys
+ tags: lxc-host
+ become: yes
+ when: lxc.changed
+ copy:
+ dest: "/var/lib/lxc/{{ i.key }}/rootfs/root/.ssh/authorized_keys"
+ content: |
+ {% for user in superusers %}
+ {% if users[user].authorized_keys is not none %}
+ {{ users[user].authorized_keys }}
+ {% endif %}
+ {% endfor %}
+
+- name: config-lxc-host
+ tags: lxc-host
+ become: yes
+ register: config_lxc_host
+ copy:
+ dest: "/var/lib/lxc/{{ i.key }}/config-lxc-host"
+ content: |
+ lxc.network.type = veth
+ lxc.network.link = br0
+ lxc.network.flags = up
+ lxc.network.hwaddr = {{ lan.hwaddr }}
+ {% if lan.ipv4 is defined %}
+ lxc.network.ipv4 = {{ lan.ipv4.address }}/{{ lan.ipv4.netmask }}
+ lxc.network.ipv4.gateway = {{ lan.ipv4.gateway }}
+ {% endif %}
+ # 0 = trace, 1 = debug, 2 = info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 = alert, and 8 = fatal.
+ lxc.loglevel = 1
+ lxc.logfile = /var/lib/lxc/{{ i.key }}/{{ i.key }}.log
+
+- name: "include file: config-lxc-host"
+ tags: lxc-host
+ become: yes
+ register: include_lxc_host
lineinfile:
path: "/var/lib/lxc/{{ i.key }}/config"
- regexp: "lxc.network.ipv4.gateway *="
- line: "lxc.network.ipv4.gateway = {{ i.value.ipv4.gateway }}"
- insertafter: "lxc.network.ipv4 *="
-- name: Set logfile
- register: logfile
+ regexp: "^lxc.include *=.*/config-lxc-host$"
+ line: "lxc.include = /var/lib/lxc/{{ i.key }}/config-lxc-host"
+
+- name: "include file: config.d"
+ tags: lxc-host
+ become: yes
+ register: include_config_d
lineinfile:
path: "/var/lib/lxc/{{ i.key }}/config"
- regexp: "lxc.logfile *="
- line: "lxc.logfile = /var/lib/lxc/{{ i.key }}/{{ i.key }}.log"
-
-#- name: state?
-# debug:
-# msg: "state={{ i.value.state }}"
-#- name: do restart?
-# debug:
-# msg: "DO RESTART: {{ i.key }}"
-# when: i.value.state == 'started'
-
-- name: restart lxc container {{ i.key }}
- when: i.value.state == 'started' and (type.changed or link.changed or ipv4.changed or logfile.changed)
+ regexp: "^lxc.include *=.*/conf.d/$"
+ line: "lxc.include = /var/lib/lxc/{{ i.key }}/conf.d/"
+
+- name: "mkdir conf.d"
+ tags: lxc-host
+ become: yes
+ file:
+ path: "/var/lib/lxc/{{ i.key }}/conf.d"
+ state: "directory"
+
+- name: "fill conf.d"
+ tags: lxc-host
+ become: yes
+ register: fill_config_d
+ with_fileglob: "lxc-host/{{ i.key }}/*"
+ loop_control:
+ loop_var: file
+ copy:
+ dest: "/var/lib/lxc/{{ i.key }}/conf.d"
+ src: "{{ file }}"
+
+- name: "restart lxc container {{ i.key }}"
+ tags: lxc-host
+ become: yes
+ when: i.value.state == 'started' and (
+ lxc.changed or
+ config_lxc_host.changed or
+ include_config_d.changed or
+ fill_config_d.changed)
lxc_container:
name: "{{ i.key }}"
state: restarted
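Review bot: `include_lxc_host` is registered by the "include file: config-lxc-host" task but never read, so a change to that `lxc.include` line does not trigger the restart at the end of the hunk, unlike `include_config_d.changed`; add `include_lxc_host.changed or` to the `when:` list. Separately, `mode: 0600` on the `/root/.ssh` directory omits the search bit — `0700` is the conventional mode for that directory and it only works here because root bypasses DAC; quoting it as `"0700"` also keeps YAML from reading it as an integer. Finally, "Fill authorized_keys" runs only when `lxc.changed`, so later key rotations such as the one in group_vars/all/users.yml in this same commit never reach an existing container's root account; either drop the `when` or document on the task that root keys are bootstrap-only.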
diff --git a/ansible/roles/packages/defaults/main.yml b/ansible/roles/packages/defaults/main.yml
new file mode 100644
index 0000000..82869b4
--- /dev/null
+++ b/ansible/roles/packages/defaults/main.yml
@@ -0,0 +1,2 @@
+packages__enable_backports: no
+packages_packages:
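Review bot: `packages_packages:` with no value parses as `null`, not as an empty list, so on every host that does not override it (the `packages` role is applied to `all` in all.yml, but only host_vars/nextcloud sets the list) the "install debian packages" task hands apt an empty name instead of skipping; what apt does with that depends on the Ansible version, but it is not the intended no-op. Write it as `packages_packages: []`. `no` on the first line could be `false` for yamllint's truthy rule.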
diff --git a/ansible/roles/packages/handlers/main.yml b/ansible/roles/packages/handlers/main.yml
new file mode 100644
index 0000000..0298ff9
--- /dev/null
+++ b/ansible/roles/packages/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: update apt cache
+ become: yes
+ apt:
+ update_cache: yes
diff --git a/ansible/roles/packages/tasks/main.yml b/ansible/roles/packages/tasks/main.yml
new file mode 100644
index 0000000..45f64c3
--- /dev/null
+++ b/ansible/roles/packages/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+- name: configure debian repositories
+ tags: packages
+ notify: update apt cache
+ become: yes
+ copy:
+ dest: /etc/apt/sources.list
+ content: |
+ deb http://ftp.no.debian.org/debian/ stretch main contrib non-free
+ deb-src http://ftp.no.debian.org/debian/ stretch main contrib non-free
+
+ deb http://security.debian.org/debian-security stretch/updates main contrib non-free
+ deb-src http://security.debian.org/debian-security stretch/updates main contrib non-free
+
+ deb http://ftp.no.debian.org/debian/ stretch-updates main contrib non-free
+ deb-src http://ftp.no.debian.org/debian/ stretch-updates main contrib non-free
+
+ {{ '' if packages__enable_backports else '#' }}deb http://ftp.no.debian.org/debian/ stretch-backports main contrib non-free
+ {{ '' if packages__enable_backports else '#' }}deb-src http://ftp.no.debian.org/debian/ stretch-backports main contrib non-free
+
+- name: Enable backports repository by default
+ when: packages__enable_backports
+ copy:
+ dest: /etc/apt/preferences.d/bitraf-packages
+ content: |
+ Package: *
+ Pin: release a=stretch-backports
+ Pin-Priority: 500
+
+- meta: flush_handlers
+
+- name: install debian packages
+ tags: packages
+ become: yes
+ apt:
+ name: "{{ packages_packages }}"
+ install_recommends: no
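Review bot: The "Enable backports repository by default" task writes `/etc/apt/preferences.d/bitraf-packages` without `become: yes`, while the two sibling tasks in the hunk escalate; on a host where `packages__enable_backports` is true it fails with a permission error unless the play already runs as root. Add `become: yes` next to its `when:`. The preferences file name `bitraf-packages` also looks like a leftover from the import named in the commit message and could follow the role name.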
diff --git a/ansible/roles/postfix-satellite/handlers/main.yml b/ansible/roles/postfix-satellite/handlers/main.yml
new file mode 100644
index 0000000..b6cdb87
--- /dev/null
+++ b/ansible/roles/postfix-satellite/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+- name: reload postfix
+ service: name=postfix state=reloaded
+ become: yes
+
+- name: postmap /etc/postfix/sasl_passwd
+ become: yes
+ shell: postmap /etc/postfix/sasl_passwd
diff --git a/ansible/roles/postfix-satellite/tasks/main.yml b/ansible/roles/postfix-satellite/tasks/main.yml
new file mode 100644
index 0000000..3aeb3cc
--- /dev/null
+++ b/ansible/roles/postfix-satellite/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- tags: postfix-satellite
+ become: true
+ include: postfix-satellite.yml
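Review bot: `include:` is the deprecated task-include form; the lxc-host role in this same commit uses `include_tasks:`, so for consistency and to avoid the deprecation warning change the last line to `include_tasks: postfix-satellite.yml`. `become: true` here and `become: yes` elsewhere in the commit are both fine, but one spelling (`true`) matches yamllint's truthy rule.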
diff --git a/ansible/roles/postfix-satellite/tasks/postfix-satellite.yml b/ansible/roles/postfix-satellite/tasks/postfix-satellite.yml
new file mode 100644
index 0000000..46f2fea
--- /dev/null
+++ b/ansible/roles/postfix-satellite/tasks/postfix-satellite.yml
@@ -0,0 +1,70 @@
+- name: Update apt cache
+ apt:
+ update_cache: yes
+ cache_valid_time: 3600
+- name: Install package
+ package:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - postfix
+ - libsasl2-modules
+ - swaks
+
+- name: "Configure postfix: main.cf"
+ tags: postfix-satellite-config
+ notify: reload postfix
+ lineinfile:
+ dest: /etc/postfix/main.cf
+ line: "{{ item.key }} = {{ item.value }}"
+ regexp: "^{{ item.key }} ="
+ with_items:
+ - key: "mydomain"
+ value: "bitraf.no"
+ - key: "myorigin"
+ value: "bitraf.no"
+ - key: "mydestination"
+ value: ""
+ - key: "smtp_sasl_auth_enable"
+ value: "yes"
+ - key: "smtp_sasl_password_maps"
+ value: "hash:/etc/postfix/sasl_passwd"
+ - key: "smtp_sasl_security_options"
+ value: "noanonymous"
+ - key: "smtp_sasl_tls_security_options"
+ value: "noanonymous"
+ - key: "smtp_tls_security_level"
+ value: "encrypt"
+ - key: "header_size_limit"
+ value: "4096000"
+ - key: "relayhost"
+ value: "{{ postfix__relayhost }}"
+
+- name: Create /etc/postfix/sasl_passwd
+ tags: postfix-satellite-config
+ copy:
+ dest: /etc/postfix/sasl_passwd
+ content: ""
+ force: no
+ mode: 0600
+
+- name: "Configure postfix: sasl_passwd"
+ tags: postfix-satellite-config
+ no_log: yes
+ lineinfile:
+ dest: /etc/postfix/sasl_passwd
+ line: "{{ item.host }} {{ item.username }}:{{ item.password }}"
+ regexp: "^{{ item.host|regex_escape() }}"
+ with_items: "{{ postfix.sasl_password }}"
+ notify: postmap /etc/postfix/sasl_passwd
+
+- name: Enable postfix service
+ service:
+ name: postfix
+ state: started
+ enabled: yes
+
+- name: Remove old /etc/postfix/sasl directory
+ file:
+ state: absent
+ path: "/etc/postfix/sasl"
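Review bot: `mydomain` and `myorigin` are hard-coded to `bitraf.no` in the main.cf loop, which looks like a leftover from the Bitraf import named in the commit message; mail from these satellites will carry a bitraf.no origin while the relay and SASL user are under trygvis.io. Source both from a variable defined next to `postfix__relayhost` in group_vars/all/postfix.yml, e.g. `value: "{{ postfix__mydomain }}"`. The `postmap` handler should also be declared as a `command:` rather than `shell:` since it needs no shell features, and the `.db` it produces next to the 0600 source file is worth a `mode` check in the same handler.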
diff --git a/ansible/roles/trygvis-base/defaults/main.yml b/ansible/roles/trygvis-base/defaults/main.yml
new file mode 100644
index 0000000..f469304
--- /dev/null
+++ b/ansible/roles/trygvis-base/defaults/main.yml
@@ -0,0 +1,7 @@
+bitraf_base__etc_localtime: yes
+bitraf_base__remove_root_authorized_keys: yes
+bitraf_base__fix_aliases: yes
+
+# These mostly applies to LXC hosts
+bitraf_base__fix_hosts: no
+bitraf_base__syslog: no
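Review bot: These defaults declare `bitraf_base__*` keys, but the tasks in roles/trygvis-base/tasks/main.yml evaluate `trygvis_base__etc_localtime`, `trygvis_base__remove_root_authorized_keys`, `trygvis_base__fix_aliases`, `trygvis_base__fix_hosts` and `trygvis_base__syslog`, so the defaults are never consulted and any host outside the `modern1` group (the only place group_vars/modern1/trygvis-base.yml sets them) fails with undefined-variable errors — and all.yml applies the role to `all`. Rename the five keys here to the `trygvis_base__` prefix. The `yes`/`no` values here and in the group_vars hunk could become `true`/`false` for yamllint's truthy rule.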
diff --git a/ansible/roles/trygvis-base/handlers/main.yml b/ansible/roles/trygvis-base/handlers/main.yml
new file mode 100644
index 0000000..c0b601c
--- /dev/null
+++ b/ansible/roles/trygvis-base/handlers/main.yml
@@ -0,0 +1,7 @@
+- name: reconfigure tzdata
+ become: yes
+ shell: dpkg-reconfigure -f noninteractive tzdata
+
+- name: postalias /etc/aliases
+ become: yes
+ shell: "[ -x /usr/sbin/postalias ] && /usr/sbin/postalias /etc/aliases"
diff --git a/ansible/roles/trygvis-base/tasks/main.yml b/ansible/roles/trygvis-base/tasks/main.yml
new file mode 100644
index 0000000..d753056
--- /dev/null
+++ b/ansible/roles/trygvis-base/tasks/main.yml
@@ -0,0 +1,57 @@
+- become: true
+ tags:
+ - trygvis-base
+ - trygvis-base-misc
+ block:
+ - name: /etc/localtime
+ when: trygvis_base__etc_localtime
+ file:
+ src: /usr/share/zoneinfo/Europe/Oslo
+ dest: /etc/localtime
+ state: link
+ force: yes
+ notify: reconfigure tzdata
+
+ - name: remove ~root/.ssh/authorized_keys
+ when: trygvis_base__remove_root_authorized_keys
+ file:
+ path: ~root/.ssh/authorized_keys
+ state: absent
+
+ - name: /etc/hosts
+ when: trygvis_base__fix_hosts
+ copy:
+ dest: /etc/hosts
+ content: |
+ 127.0.0.1 localhost
+ 127.0.1.1 {{ ansible_hostname }}.trygvis.io {{ ansible_hostname }}
+ ::1 localhost ip6-localhost ip6-loopback
+ ff02::1 ip6-allnodes
+ ff02::2 ip6-allrouters
+
+ - name: stat /etc/aliases
+ register: etc_aliases
+ stat:
+ path: /etc/aliases
+ - name: /etc/aliases
+ when: trygvis_base__fix_aliases and etc_aliases.stat.exists
+ notify: postalias /etc/aliases
+ lineinfile:
+ path: /etc/aliases
+ regexp: "^root:"
+ line: "root: root@trygvis.no"
+
+- become: true
+ tags:
+ - trygvis-base
+ - trygvis-base-syslog
+ when: trygvis_base__syslog
+ block:
+ - name:
+ vars:
+ items:
+ - rsyslog
+ apt:
+ name: "{{ items }}"
+ state: present
+ install_recommends: no
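Review bot: The apt task in the syslog block has an empty `name:` (it parses as null), so it shows up unnamed in play output; give it a name such as `- name: install rsyslog`. The "remove ~root/.ssh/authorized_keys" task is on by default for the nextcloud container via group_vars/modern1, and that container's root keys are the ones the lxc-host role installs for the first run; the role order in all.yml (lusers and superusers before trygvis-base) appears to be what keeps this safe, so a one-line comment on the task stating that dependency would help the next maintainer. Whether `notify: reconfigure tzdata` is still needed once `/etc/localtime` is a managed symlink is not clear from the hunk.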