From b7bccaf7ff75fd2234b9232f595cbc8e226b80e9 Mon Sep 17 00:00:00 2001 
From: Trygve Laugstøl Date: Mon, 26 Nov 2018 22:33:54 +0100 Subject: o Importing bitraf-base, packages and postfix-satellite from Bitraf. o Configuring nextcloud. --- ansible/all.yml | 19 ++- ansible/group_vars/all/host_database.yml | 26 ++++ ansible/group_vars/all/postfix.yml | 1 + ansible/group_vars/all/users.yml | 3 +- ansible/group_vars/modern1/trygvis-base.yml | 5 + ansible/host_vars/birgitte/lxc.yml | 8 ++ ansible/host_vars/birgitte/users.yml | 5 + ansible/host_vars/nextcloud/packages.yml | 4 + ansible/host_vars/nextcloud/postfix.yml | 5 + ansible/host_vars/nextcloud/users.yml | 5 + ansible/inventory | 11 ++ ansible/roles/lxc-host/defaults/main.yml | 1 + ansible/roles/lxc-host/handlers/main.yml | 22 ++++ ansible/roles/lxc-host/tasks/main.yml | 72 ++++++++++- ansible/roles/lxc-host/tasks/networkd.yml | 119 +++++++++++++++++ ansible/roles/lxc-host/tasks/per-host.yml | 143 +++++++++++++++------ ansible/roles/packages/defaults/main.yml | 2 + ansible/roles/packages/handlers/main.yml | 5 + ansible/roles/packages/tasks/main.yml | 37 ++++++ ansible/roles/postfix-satellite/handlers/main.yml | 8 ++ ansible/roles/postfix-satellite/tasks/main.yml | 4 + .../postfix-satellite/tasks/postfix-satellite.yml | 70 ++++++++++ ansible/roles/trygvis-base/defaults/main.yml | 7 + ansible/roles/trygvis-base/handlers/main.yml | 7 + ansible/roles/trygvis-base/tasks/main.yml | 57 ++++++++ 25 files changed, 600 insertions(+), 46 deletions(-) create mode 100644 ansible/group_vars/all/host_database.yml create mode 100644 ansible/group_vars/all/postfix.yml create mode 100644 ansible/group_vars/modern1/trygvis-base.yml create mode 100644 ansible/host_vars/birgitte/lxc.yml create mode 100644 ansible/host_vars/birgitte/users.yml create mode 100644 ansible/host_vars/nextcloud/packages.yml create mode 100644 ansible/host_vars/nextcloud/postfix.yml create mode 100644 ansible/host_vars/nextcloud/users.yml create mode 100644 ansible/roles/lxc-host/defaults/main.yml create mode 100644 
ansible/roles/lxc-host/handlers/main.yml create mode 100644 ansible/roles/lxc-host/tasks/networkd.yml create mode 100644 ansible/roles/packages/defaults/main.yml create mode 100644 ansible/roles/packages/handlers/main.yml create mode 100644 ansible/roles/packages/tasks/main.yml create mode 100644 ansible/roles/postfix-satellite/handlers/main.yml create mode 100644 ansible/roles/postfix-satellite/tasks/main.yml create mode 100644 ansible/roles/postfix-satellite/tasks/postfix-satellite.yml create mode 100644 ansible/roles/trygvis-base/defaults/main.yml create mode 100644 ansible/roles/trygvis-base/handlers/main.yml create mode 100644 ansible/roles/trygvis-base/tasks/main.yml diff --git a/ansible/all.yml b/ansible/all.yml index 0a493b6..3103f3b 100644 --- a/ansible/all.yml +++ b/ansible/all.yml @@ -1,11 +1,28 @@ +- hosts: + - all + roles: + - lusers + - superusers + - packages + - trygvis-base + - hosts: - knot roles: - postfix - hosts: - - all + - all !knot + roles: + - postfix-satellite + +- hosts: - desktops - sbcs roles: - linode-dns-update + +- hosts: + - lxc-hosts + roles: + - lxc-host diff --git a/ansible/group_vars/all/host_database.yml b/ansible/group_vars/all/host_database.yml new file mode 100644 index 0000000..cbc1582 --- /dev/null +++ b/ansible/group_vars/all/host_database.yml @@ -0,0 +1,26 @@ +host_database: + birgitte: + interfaces: + wlx00e01d0808b2: + role: wan + ipv4: + address: 192.168.10.3 + netmask: 24 + gateway: 192.168.10.1 + int0: + role: lan + ipv4: + address: 192.168.90.100 + netmask: 24 + ipv6: + address: cafe::1 + netmask: 64 + nextcloud: + interfaces: + eth0: + role: lan + hwaddr: 0e:18:a7:03:50:54 + ipv4: + address: 192.168.90.101 + netmask: 24 + gateway: 192.168.90.100 diff --git a/ansible/group_vars/all/postfix.yml b/ansible/group_vars/all/postfix.yml new file mode 100644 index 0000000..56516f1 --- /dev/null +++ b/ansible/group_vars/all/postfix.yml @@ -0,0 +1 @@ +postfix__relayhost: "[trygvis.io]:587" 
diff --git a/ansible/group_vars/all/users.yml b/ansible/group_vars/all/users.yml index 23304ba..a2a59d3 100644 --- a/ansible/group_vars/all/users.yml +++ b/ansible/group_vars/all/users.yml @@ -3,4 +3,5 @@ users: authorized_keys: | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPX+sVfRvl0+KxsDlbIutyB/Es3exTwNfDVHwi9orwz3 trygvis@birgitte ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAzB6JB/hZ87M6ozsd7lgKxgOacEOZZRxa4ucs11lqq trygvis@conflatorio - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+I9Xa11yaOzGCBkJQEYExYL7gSWYwdOGgT2KBMnKur trygvis@arius + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMRccGxF1l7xIUavu5vDqypCe/aon3+bdFgEhPa7pPb trygvis@arius-v3 + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/Xrsk69KhaXdHPcbBoCbqlQ2DXmx77OnkLAk22ui5m trygvis@malabaricus diff --git a/ansible/group_vars/modern1/trygvis-base.yml b/ansible/group_vars/modern1/trygvis-base.yml new file mode 100644 index 0000000..b530673 --- /dev/null +++ b/ansible/group_vars/modern1/trygvis-base.yml @@ -0,0 +1,5 @@ +trygvis_base__etc_localtime: yes +trygvis_base__remove_root_authorized_keys: yes +trygvis_base__fix_aliases: yes +trygvis_base__fix_hosts: yes +trygvis_base__syslog: yes diff --git a/ansible/host_vars/birgitte/lxc.yml b/ansible/host_vars/birgitte/lxc.yml new file mode 100644 index 0000000..9233b4b --- /dev/null +++ b/ansible/host_vars/birgitte/lxc.yml @@ -0,0 +1,8 @@ +lxc_host_containers: + nextcloud: + state: started + +lxc_host__enable_network_cfg: yes +lxc_host__hardware_if: wlx00e01d0808b2 +lxc_host__br_if: br0 +lxc_host__internal_if: int0 diff --git a/ansible/host_vars/birgitte/users.yml b/ansible/host_vars/birgitte/users.yml new file mode 100644 index 0000000..d0d4852 --- /dev/null +++ b/ansible/host_vars/birgitte/users.yml @@ -0,0 +1,5 @@ +lusers: + - trygvis + +superusers: + - trygvis diff --git a/ansible/host_vars/nextcloud/packages.yml b/ansible/host_vars/nextcloud/packages.yml new file mode 100644 index 0000000..a37731d --- /dev/null +++ b/ansible/host_vars/nextcloud/packages.yml 
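Review bot: The flag values in group_vars/modern1/trygvis-base.yml and host_vars/birgitte/lxc.yml are written as `yes`, which Ansible's YAML 1.1 loader does turn into booleans, but `true`/`false` is the canonical spelling and the one yamllint's truthy rule accepts; `trygvis_base__etc_localtime: true` and `lxc_host__enable_network_cfg: true` read the same on every parser. The new roles mix `become: yes` and `become: true` between files (postfix-satellite and trygvis-base tasks/main.yml use `true`), so whichever spelling is chosen should be applied consistently.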
@@ -0,0 +1,4 @@ +packages_packages: + - less + - git + - vim diff --git a/ansible/host_vars/nextcloud/postfix.yml b/ansible/host_vars/nextcloud/postfix.yml new file mode 100644 index 0000000..83974e9 --- /dev/null +++ b/ansible/host_vars/nextcloud/postfix.yml @@ -0,0 +1,5 @@ +postfix: + sasl_password: + - host: "[trygvis.io]:587" + username: nextcloud.trygvis.io + password: gWC8uPCT90 diff --git a/ansible/host_vars/nextcloud/users.yml b/ansible/host_vars/nextcloud/users.yml new file mode 100644 index 0000000..d0d4852 --- /dev/null +++ b/ansible/host_vars/nextcloud/users.yml @@ -0,0 +1,5 @@ +lusers: + - trygvis + +superusers: + - trygvis diff --git a/ansible/inventory b/ansible/inventory index 3ae9b34..4c99672 100644 --- a/ansible/inventory +++ b/ansible/inventory @@ -16,6 +16,8 @@ all: ansible_host: malabaricus.trygvis.io conflatorio: ansible_host: conflatorio.trygvis.io + nextcloud: + ansible_host: 192.168.90.101 children: desktops: hosts: @@ -27,6 +29,15 @@ all: hosts: homepi: malabaricus: + modern1: + hosts: + nextcloud: + homepi: + malabaricus: + lxc-hosts: + hosts: + birgitte: +# knot: vm: hosts: mw: diff --git a/ansible/roles/lxc-host/defaults/main.yml b/ansible/roles/lxc-host/defaults/main.yml new file mode 100644 index 0000000..462ba8c --- /dev/null +++ b/ansible/roles/lxc-host/defaults/main.yml @@ -0,0 +1 @@ +lxc_host__backing_store: dir diff --git a/ansible/roles/lxc-host/handlers/main.yml b/ansible/roles/lxc-host/handlers/main.yml new file mode 100644 index 0000000..7e7dc9c --- /dev/null +++ b/ansible/roles/lxc-host/handlers/main.yml @@ -0,0 +1,22 @@ +- name: restart sysctl + become: yes + service: + name: systemd-sysctl.service + state: restarted + +- name: restart radvd + become: yes + service: + name: radvd.service + state: restarted + +- name: systemctl restart systemd-networkd + become: yes + service: + name: systemd-networkd + state: restarted + +- name: reload ufw + become: yes + ufw: + state: reloaded 
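Review bot: host_vars/nextcloud/postfix.yml commits the SMTP relay credential in clear text under `postfix.sasl_password[0].password`, which the postfix-satellite role then writes into /etc/postfix/sasl_passwd. The file should be encrypted with ansible-vault (the whole file, or that one value as a `!vault` tagged string) before it lands in the repository, and since the value is now part of git history the account on the relay should be issued a new password regardless. The `no_log: yes` on the lineinfile task that consumes it is correct and should stay.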
diff --git a/ansible/roles/lxc-host/tasks/main.yml b/ansible/roles/lxc-host/tasks/main.yml index ba511c9..ab86969 100644 --- a/ansible/roles/lxc-host/tasks/main.yml +++ b/ansible/roles/lxc-host/tasks/main.yml @@ -1,11 +1,71 @@ -- name: Remove default network setup packages +- name: Install packages + tags: + - lxc-host + - lxc-host-packages + - radvd + become: yes apt: - name: "{{ item }}" + name: "{{ items }}" install_recommends: no - with_items: - - python-lxc + vars: + items: + - lxc + - python-lxc + - radvd + +#- debug: +# msg: "item={{ item }}, host={{ host }}, lan={{ lan }}" +# tags: +# - lxc-host +# with_dict: "{{ lxc_host_containers }}" +# vars: +# i: "{{ item }}" +# host: "{{ host_database[item.key] }}" +# lan: "{{ host_database | json_query(item.key + '.interfaces | * | [?role==`lan`]') | first }}" + +- name: Configure radvd + become: yes + tags: + - lxc-host + - radvd + vars: + ipv6: "{{ host_database[ansible_hostname].interfaces[lxc_host__internal_if].ipv6 }}" + notify: restart radvd + copy: + dest: /etc/radvd.conf + content: | + interface {{ lxc_host__br_if }} + { + AdvSendAdvert on; + MinRtrAdvInterval 5; + MaxRtrAdvInterval 10; + MinDelayBetweenRAs 1; + + AdvDefaultPreference medium; + AdvLinkMTU 1500; + + prefix {{ ipv6.address }}/{{ ipv6.netmask }} + { + AdvOnLink on; + AdvAutonomous on; + + AdvValidLifetime 14400; + AdvPreferredLifetime 3600; + AdvRouterAddr on; + }; + }; + +- name: Configure host networking + when: lxc_host__enable_network_cfg + tags: + - lxc-host + - lxc-host-network + include_tasks: networkd.yml -- include_tasks: per-host.yml +- tags: lxc-host + with_dict: "{{ lxc_host_containers }}" vars: i: "{{ item }}" - with_dict: "{{ lxc_containers }}" + host: "{{ host_database[item.key] }}" + lan: "{{ host_database | json_query(item.key + '.interfaces | * | [?role==`lan`]') | first }}" + include_tasks: per-host.yml 
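Review bot: `Configure radvd` dereferences `host_database[ansible_hostname].interfaces[lxc_host__internal_if].ipv6` unconditionally, while networkd.yml guards the same lookup with `{% if internal_if.ipv6 is defined %}`; on an LXC host whose internal interface has no `ipv6` entry this task fails with an undefined-attribute error before networking is configured. Either add `when: host_database[ansible_hostname].interfaces[lxc_host__internal_if].ipv6 is defined` to the task or state in a comment that `host_database` must carry an IPv6 prefix for the internal interface of every lxc-host. Both lookups key on the `ansible_hostname` fact rather than `inventory_hostname`, which presumably only works while the machine's hostname equals its inventory name — worth a comment either way. The commented-out debug task between the two can go; the live `include_tasks: per-host.yml` at the bottom carries the same vars.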
diff --git a/ansible/roles/lxc-host/tasks/networkd.yml b/ansible/roles/lxc-host/tasks/networkd.yml
new file mode 100644
index 0000000..41ddb3f
--- /dev/null
+++ b/ansible/roles/lxc-host/tasks/networkd.yml
@@ -0,0 +1,119 @@ +- tags: + - lxc-host + - lxc-host-network + become: yes + vars: + hardware_if: "{{ host_database | json_query(ansible_hostname + '.interfaces.' + lxc_host__hardware_if) }}" + br_if: "{{ lxc_host__br_if }}" + internal_if: "{{ host_database | json_query(ansible_hostname + '.interfaces.' + lxc_host__internal_if) }}" + block: + - debug: var=hardware_if + - debug: var=br_if + - debug: var=internal_if + + - name: Configure sysctl, enable ipv4 and ipv6 forwarding + become: yes + copy: + dest: /etc/sysctl.d/99-lxc-host.conf + content: | + net.ipv4.ip_forward=1 + net.ipv6.conf.all.forwarding=1 + notify: restart sysctl + + - name: Enable UFW + become: yes + ufw: + state: enabled + + - become: yes + ufw: + policy: allow + direction: outgoing + + - become: yes + ufw: + policy: allow + direction: routed + + - become: yes + ufw: + policy: deny + direction: incoming + + - name: Enable NAT configuration through UFW + become: yes + notify: reload ufw + blockinfile: + path: /etc/ufw/before.rules + insertbefore: "# Don't delete these required lines, otherwise there will be errors" + block: | + # NAT table rules + *nat + :POSTROUTING ACCEPT [0:0] + + # Forward traffic through eth0 - Change to match you out-interface + -A POSTROUTING -s {{ internal_if.ipv4.address }}/{{ internal_if.ipv4.netmask }} -o {{ lxc_host__hardware_if }} -j MASQUERADE + + # don't delete the 'COMMIT' line or these nat table rules won't be processed + COMMIT + + - name: enable systemd-networkd + service: + name: systemd-networkd + enabled: yes + state: started + + - name: "/etc/systemd/network/50-0-lxc-host-{{ lxc_host__hardware_if }}.network" + notify: systemctl restart systemd-networkd + copy: + dest: "/etc/systemd/network/50-0-lxc-host-{{ lxc_host__hardware_if }}.network" + content: | + [Match] + Name={{ lxc_host__hardware_if }} + + [Network] + Address={{ hardware_if.ipv4.address }}/{{ hardware_if.ipv4.netmask }} + Gateway={{ hardware_if.ipv4.gateway }} + + - name: 
"/etc/systemd/network/50-1-lxc-host-{{ lxc_host__internal_if }}.netdev" + notify: systemctl restart systemd-networkd + copy: + dest: "/etc/systemd/network/50-1-lxc-host-{{ lxc_host__internal_if }}.netdev" + content: | + [NetDev] + Name={{ lxc_host__internal_if }} + Kind=dummy + + - name: "/etc/systemd/network/50-2-lxc-host-{{ lxc_host__internal_if }}.network" + notify: systemctl restart systemd-networkd + copy: + dest: "/etc/systemd/network/50-2-lxc-host-{{ lxc_host__internal_if }}.network" + content: | + [Match] + Name={{ lxc_host__internal_if }} + + [Network] + Bridge={{ br_if }} + + - name: "/etc/systemd/network/50-3-lxc-host-{{ br_if }}.netdev" + notify: systemctl restart systemd-networkd + copy: + dest: "/etc/systemd/network/50-3-lxc-host-{{ br_if }}.netdev" + content: | + [NetDev] + Name={{ br_if }} + Kind=bridge + + - name: "/etc/systemd/network/50-4-lxc-host-{{ br_if }}.network" + notify: systemctl restart systemd-networkd + copy: + dest: "/etc/systemd/network/50-4-lxc-host-{{ br_if }}.network" + content: | + [Match] + Name={{ br_if }} + + [Network] + Address={{ internal_if.ipv4.address }}/{{ internal_if.ipv4.netmask }} + {% if internal_if.ipv6 is defined %} + Address={{ internal_if.ipv6.address }}/{{ internal_if.ipv6.netmask }} + {% endif %} diff --git a/ansible/roles/lxc-host/tasks/per-host.yml b/ansible/roles/lxc-host/tasks/per-host.yml index d38267e..817497b 100644 --- a/ansible/roles/lxc-host/tasks/per-host.yml +++ b/ansible/roles/lxc-host/tasks/per-host.yml 
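Review bot: The ufw default policies set forwarding to `policy: allow` with `direction: routed`, so together with the `net.ipv4.ip_forward=1` / `net.ipv6.conf.all.forwarding=1` sysctl task every packet the host routes between `{{ lxc_host__hardware_if }}` and `{{ br_if }}` is accepted in both directions, including whatever the upstream network can route toward the container LAN and the IPv6 prefix radvd advertises, which is forwarded without NAT. A tighter default is `policy: deny` for `direction: routed` plus an explicit route rule for the container side, for example `ufw: rule: allow, route: yes, interface: "{{ br_if }}", direction: in`, keeping the MASQUERADE block in before.rules as it is. The comment `# Forward traffic through eth0 - Change to match you out-interface` inside the NAT block is left over from the source it was copied from; the rule already uses `{{ lxc_host__hardware_if }}`, so the comment should say that instead. The three `debug: var=...` tasks print the host database entries on every run and could carry `verbosity: 1`; the per-task `become: yes` lines are redundant under a block that already sets it.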
@@ -1,48 +1,115 @@ - debug: msg: "LXC HOST: {{ i.key }}" + tags: lxc-host -- name: lxc.network.type = veth - register: type - lineinfile: - path: "/var/lib/lxc/{{ i.key }}/config" - regexp: "lxc.network.type *=" - line: "lxc.network.type = veth" -- name: lxc.network.link = br0 - register: link - lineinfile: - path: "/var/lib/lxc/{{ i.key }}/config" - regexp: "lxc.network.link *=" - line: "lxc.network.link = br0" -- name: Set IPv4 address {{ i.key }} - register: ipv4 - lineinfile: - path: "/var/lib/lxc/{{ i.key }}/config" - regexp: "lxc.network.ipv4 *=" - line: "lxc.network.ipv4 = {{ i.value.ipv4.address }}/{{ i.value.ipv4.netmask }}" -- name: Set IPv4 gateway - register: ipv4_gateway +- name: Create container + tags: lxc-host + become: yes + lxc_container: + name: "{{ i.key }}" + state: "{{ i.value.state }}" + template: debian + template_options: -r stretch --packages git,etckeeper,python,sudo + backing_store: "{{ lxc_host__backing_store }}" + zfs_root: "{{ lxc_host__zfs_root|default('') }}" + register: lxc + +- name: Connection info + tags: lxc-host + become: yes + when: lxc.changed + debug: + msg: "Container created! All keys for superusers are installed for + root user, so remember to add 'ansible_user=root' when running the + play for the host the first time." 
+ +- name: Create /root/.ssh + tags: lxc-host + become: yes + when: lxc.changed + file: + path: "/var/lib/lxc/{{ i.key }}/rootfs/root/.ssh" + state: directory + mode: 0600 + owner: root + group: root + +- name: Fill authorized_keys + tags: lxc-host + become: yes + when: lxc.changed + copy: + dest: "/var/lib/lxc/{{ i.key }}/rootfs/root/.ssh/authorized_keys" + content: | + {% for user in superusers %} + {% if users[user].authorized_keys is not none %} + {{ users[user].authorized_keys }} + {% endif %} + {% endfor %} + +- name: config-lxc-host + tags: lxc-host + become: yes + register: config_lxc_host + copy: + dest: "/var/lib/lxc/{{ i.key }}/config-lxc-host" + content: | + lxc.network.type = veth + lxc.network.link = br0 + lxc.network.flags = up + lxc.network.hwaddr = {{ lan.hwaddr }} + {% if lan.ipv4 is defined %} + lxc.network.ipv4 = {{ lan.ipv4.address }}/{{ lan.ipv4.netmask }} + lxc.network.ipv4.gateway = {{ lan.ipv4.gateway }} + {% endif %} + # 0 = trace, 1 = debug, 2 = info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 = alert, and 8 = fatal. + lxc.loglevel = 1 + lxc.logfile = /var/lib/lxc/{{ i.key }}/{{ i.key }}.log + +- name: "include file: config-lxc-host" + tags: lxc-host + become: yes + register: include_lxc_host lineinfile: path: "/var/lib/lxc/{{ i.key }}/config" - regexp: "lxc.network.ipv4.gateway *=" - line: "lxc.network.ipv4.gateway = {{ i.value.ipv4.gateway }}" - insertafter: "lxc.network.ipv4 *=" -- name: Set logfile - register: logfile + regexp: "^lxc.include *=.*/config-lxc-host$" + line: "lxc.include = /var/lib/lxc/{{ i.key }}/config-lxc-host" + +- name: "include file: config.d" + tags: lxc-host + become: yes + register: include_config_d lineinfile: path: "/var/lib/lxc/{{ i.key }}/config" - regexp: "lxc.logfile *=" - line: "lxc.logfile = /var/lib/lxc/{{ i.key }}/{{ i.key }}.log" - -#- name: state? -# debug: -# msg: "state={{ i.value.state }}" -#- name: do restart? 
-# debug: -# msg: "DO RESTART: {{ i.key }}" -# when: i.value.state == 'started' - -- name: restart lxc container {{ i.key }} - when: i.value.state == 'started' and (type.changed or link.changed or ipv4.changed or logfile.changed) + regexp: "^lxc.include *=.*/conf.d/$" + line: "lxc.include = /var/lib/lxc/{{ i.key }}/conf.d/" + +- name: "mkdir conf.d" + tags: lxc-host + become: yes + file: + path: "/var/lib/lxc/{{ i.key }}/conf.d" + state: "directory" + +- name: "fill conf.d" + tags: lxc-host + become: yes + register: fill_config_d + with_fileglob: "lxc-host/{{ i.key }}/*" + loop_control: + loop_var: file + copy: + dest: "/var/lib/lxc/{{ i.key }}/conf.d" + src: "{{ file }}" + +- name: "restart lxc container {{ i.key }}" + tags: lxc-host + become: yes + when: i.value.state == 'started' and ( + lxc.changed or + config_lxc_host.changed or + include_config_d.changed or + fill_config_d.changed) lxc_container: name: "{{ i.key }}" state: restarted diff --git a/ansible/roles/packages/defaults/main.yml b/ansible/roles/packages/defaults/main.yml new file mode 100644 index 0000000..82869b4 --- /dev/null +++ b/ansible/roles/packages/defaults/main.yml @@ -0,0 +1,2 @@ +packages__enable_backports: no +packages_packages: diff --git a/ansible/roles/packages/handlers/main.yml b/ansible/roles/packages/handlers/main.yml new file mode 100644 index 0000000..0298ff9 --- /dev/null +++ b/ansible/roles/packages/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: update apt cache + become: yes + apt: + update_cache: yes diff --git a/ansible/roles/packages/tasks/main.yml b/ansible/roles/packages/tasks/main.yml new file mode 100644 index 0000000..45f64c3 --- /dev/null +++ b/ansible/roles/packages/tasks/main.yml 
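Review bot: `Create /root/.ssh` creates a directory with `mode: 0600`, which lacks the execute bit a directory needs to be traversed; `mode: 0700` is the correct value there. The `Fill authorized_keys` copy that follows sets no mode at all, so the bootstrap key file takes whatever the remote umask yields — add `mode: 0600` to it. `config-lxc-host` hardcodes `lxc.network.link = br0` while the role already has `lxc_host__br_if` for the bridge name (used by networkd.yml); `lxc.network.link = {{ lxc_host__br_if }}` keeps the two in step.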
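Review bot: `packages/defaults/main.yml` declares `packages_packages:` with no value, which is `null`, and `packages/tasks/main.yml` in the next file section passes that straight to `apt: name:`; on any host that does not override the variable (only nextcloud does in this commit, while all.yml applies the role to `all`) the apt module is invoked with no package, which is likely rejected as a missing required argument. Default to an empty list, `packages_packages: []`, and guard the install task with `when: packages_packages | length > 0`.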
@@ -0,0 +1,37 @@ +--- +- name: configure debian repositories + tags: packages + notify: update apt cache + become: yes + copy: + dest: /etc/apt/sources.list + content: | + deb http://ftp.no.debian.org/debian/ stretch main contrib non-free + deb-src http://ftp.no.debian.org/debian/ stretch main contrib non-free + + deb http://security.debian.org/debian-security stretch/updates main contrib non-free + deb-src http://security.debian.org/debian-security stretch/updates main contrib non-free + + deb http://ftp.no.debian.org/debian/ stretch-updates main contrib non-free + deb-src http://ftp.no.debian.org/debian/ stretch-updates main contrib non-free + + {{ '' if packages__enable_backports else '#' }}deb http://ftp.no.debian.org/debian/ stretch-backports main contrib non-free + {{ '' if packages__enable_backports else '#' }}deb-src http://ftp.no.debian.org/debian/ stretch-backports main contrib non-free + +- name: Enable backports repository by default + when: packages__enable_backports + copy: + dest: /etc/apt/preferences.d/bitraf-packages + content: | + Package: * + Pin: release a=stretch-backports + Pin-Priority: 500 + +- meta: flush_handlers + +- name: install debian packages + tags: packages + become: yes + apt: + name: "{{ packages_packages }}" + install_recommends: no diff --git a/ansible/roles/postfix-satellite/handlers/main.yml b/ansible/roles/postfix-satellite/handlers/main.yml new file mode 100644 index 0000000..b6cdb87 --- /dev/null +++ b/ansible/roles/postfix-satellite/handlers/main.yml @@ -0,0 +1,8 @@ +--- +- name: reload postfix + service: name=postfix state=reloaded + become: yes + +- name: postmap /etc/postfix/sasl_passwd + become: yes + shell: postmap /etc/postfix/sasl_passwd diff --git a/ansible/roles/postfix-satellite/tasks/main.yml b/ansible/roles/postfix-satellite/tasks/main.yml new file mode 100644 index 0000000..3aeb3cc --- /dev/null +++ b/ansible/roles/postfix-satellite/tasks/main.yml 
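Review bot: `Enable backports repository by default` writes /etc/apt/preferences.d/bitraf-packages without `become: yes`, unlike the neighbouring tasks in this file, and the play in all.yml that applies the role does not set `become` either, so the task fails with a permission error the first time `packages__enable_backports` is true; add `become: yes` to it. The file name `bitraf-packages` is carried over from the original repository and could be renamed to match this role's other identifiers. `notify: update apt cache` followed by `meta: flush_handlers` correctly refreshes the cache before the install, but a one-line comment above the `meta` task saying why it sits there would help the next reader.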
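Review bot: The `postmap /etc/postfix/sasl_passwd` handler uses `shell:` for a command with no shell syntax; `command: postmap /etc/postfix/sasl_passwd` avoids the extra shell. The task that creates /etc/postfix/sasl_passwd sets `mode: 0600`, and this handler produces sasl_passwd.db next to it; whether the .db inherits that mode depends on postmap, not on anything in this role, so it is worth checking once on a host since the file carries the relay credential. The `reload postfix` handler uses the `service: name=postfix state=reloaded` key=value form while the rest of the new roles use block YAML.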
@@ -0,0 +1,4 @@ +--- +- tags: postfix-satellite + become: true + include: postfix-satellite.yml diff --git a/ansible/roles/postfix-satellite/tasks/postfix-satellite.yml b/ansible/roles/postfix-satellite/tasks/postfix-satellite.yml new file mode 100644 index 0000000..46f2fea --- /dev/null +++ b/ansible/roles/postfix-satellite/tasks/postfix-satellite.yml 
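Review bot: `include: postfix-satellite.yml` uses the generic `include`, which Ansible has deprecated in favour of `include_tasks` / `import_tasks`, and the lxc-host role in the same commit already uses `include_tasks`. `import_tasks: postfix-satellite.yml` is the direct replacement here: it is static, so the `tags: postfix-satellite` and `become: true` on this entry keep applying to the imported tasks as they do with the old `include`. With the dynamic `include_tasks` the tags would, as far as I recall, only apply to the include itself unless `apply:` is used, so the static form is the safer swap.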
@@ -0,0 +1,70 @@ +- name: Update apt cache + apt: + update_cache: yes + cache_valid_time: 3600 +- name: Install package + package: + name: "{{ item }}" + state: present + with_items: + - postfix + - libsasl2-modules + - swaks + +- name: "Configure postfix: main.cf" + tags: postfix-satellite-config + notify: reload postfix + lineinfile: + dest: /etc/postfix/main.cf + line: "{{ item.key }} = {{ item.value }}" + regexp: "^{{ item.key }} =" + with_items: + - key: "mydomain" + value: "bitraf.no" + - key: "myorigin" + value: "bitraf.no" + - key: "mydestination" + value: "" + - key: "smtp_sasl_auth_enable" + value: "yes" + - key: "smtp_sasl_password_maps" + value: "hash:/etc/postfix/sasl_passwd" + - key: "smtp_sasl_security_options" + value: "noanonymous" + - key: "smtp_sasl_tls_security_options" + value: "noanonymous" + - key: "smtp_tls_security_level" + value: "encrypt" + - key: "header_size_limit" + value: "4096000" + - key: "relayhost" + value: "{{ postfix__relayhost }}" + +- name: Create /etc/postfix/sasl_passwd + tags: postfix-satellite-config + copy: + dest: /etc/postfix/sasl_passwd + content: "" + force: no + mode: 0600 + +- name: "Configure postfix: sasl_passwd" + tags: postfix-satellite-config + no_log: yes + lineinfile: + dest: /etc/postfix/sasl_passwd + line: "{{ item.host }} {{ item.username }}:{{ item.password }}" + regexp: "^{{ item.host|regex_escape() }}" + with_items: "{{ postfix.sasl_password }}" + notify: postmap /etc/postfix/sasl_passwd + +- name: Enable postfix service + service: + name: postfix + state: started + enabled: yes + +- name: Remove old /etc/postfix/sasl directory + file: + state: absent + path: "/etc/postfix/sasl" diff --git a/ansible/roles/trygvis-base/defaults/main.yml b/ansible/roles/trygvis-base/defaults/main.yml new file mode 100644 index 0000000..f469304 --- /dev/null +++ b/ansible/roles/trygvis-base/defaults/main.yml 
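Review bot: `mydomain` and `myorigin` are hardcoded to `bitraf.no` in the main.cf item list, the value from the repository this role was imported from, while the rest of this commit is trygvis.io (the relayhost in group_vars is `[trygvis.io]:587`, the SASL username is `nextcloud.trygvis.io`, and trygvis-base writes `{{ ansible_hostname }}.trygvis.io` into /etc/hosts), so mail from the satellites would carry the wrong origin domain. Make the two values variables in the same style as the relay, e.g. `value: "{{ postfix__mydomain }}"`, with the default defined next to `postfix__relayhost` in group_vars/all/postfix.yml. The rest of the task is sound: `smtp_tls_security_level = encrypt` and `noanonymous` on both SASL options are the right settings for a relay-only satellite, and the sasl_passwd task is correctly marked `no_log`.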
@@ -0,0 +1,7 @@ +bitraf_base__etc_localtime: yes +bitraf_base__remove_root_authorized_keys: yes +bitraf_base__fix_aliases: yes + +# These mostly applies to LXC hosts +bitraf_base__fix_hosts: no +bitraf_base__syslog: no diff --git a/ansible/roles/trygvis-base/handlers/main.yml b/ansible/roles/trygvis-base/handlers/main.yml new file mode 100644 index 0000000..c0b601c --- /dev/null +++ b/ansible/roles/trygvis-base/handlers/main.yml @@ -0,0 +1,7 @@ +- name: reconfigure tzdata + become: yes + shell: dpkg-reconfigure -f noninteractive tzdata + +- name: postalias /etc/aliases + become: yes + shell: "[ -x /usr/sbin/postalias ] && /usr/sbin/postalias /etc/aliases" diff --git a/ansible/roles/trygvis-base/tasks/main.yml b/ansible/roles/trygvis-base/tasks/main.yml new file mode 100644 index 0000000..d753056 --- /dev/null +++ b/ansible/roles/trygvis-base/tasks/main.yml 
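Review bot: trygvis-base/defaults/main.yml defines `bitraf_base__etc_localtime`, `bitraf_base__remove_root_authorized_keys`, `bitraf_base__fix_aliases`, `bitraf_base__fix_hosts` and `bitraf_base__syslog`, but every `when:` in trygvis-base/tasks/main.yml reads the `trygvis_base__*` names, so these defaults are never consulted. The only place the `trygvis_base__*` variables are set is group_vars/modern1/trygvis-base.yml, while all.yml applies the role to `all`; on a host outside `modern1` (birgitte, for example, which is only in `lxc-hosts`) the first task fails with an undefined variable. Renaming the five keys in this file to `trygvis_base__…` fixes both; the comment `# These mostly applies to LXC hosts` can stay on the `fix_hosts`/`syslog` pair.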
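Review bot: The `postalias /etc/aliases` handler runs `[ -x /usr/sbin/postalias ] && /usr/sbin/postalias /etc/aliases`, whose exit status is 1 when postalias is absent, so on a host without postfix the handler is reported as failed although nothing is wrong. `shell: "if [ -x /usr/sbin/postalias ]; then /usr/sbin/postalias /etc/aliases; fi"` exits 0 in that case and still surfaces a real postalias error. The `reconfigure tzdata` handler uses no shell features, so `command:` would do there.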
@@ -0,0 +1,57 @@ +- become: true + tags: + - trygvis-base + - trygvis-base-misc + block: + - name: /etc/localtime + when: trygvis_base__etc_localtime + file: + src: /usr/share/zoneinfo/Europe/Oslo + dest: /etc/localtime + state: link + force: yes + notify: reconfigure tzdata + + - name: remove ~root/.ssh/authorized_keys + when: trygvis_base__remove_root_authorized_keys + file: + path: ~root/.ssh/authorized_keys + state: absent + + - name: /etc/hosts + when: trygvis_base__fix_hosts + copy: + dest: /etc/hosts + content: | + 127.0.0.1 localhost + 127.0.1.1 {{ ansible_hostname }}.trygvis.io {{ ansible_hostname }} + ::1 localhost ip6-localhost ip6-loopback + ff02::1 ip6-allnodes + ff02::2 ip6-allrouters + + - name: stat /etc/aliases + register: etc_aliases + stat: + path: /etc/aliases + - name: /etc/aliases + when: trygvis_base__fix_aliases and etc_aliases.stat.exists + notify: postalias /etc/aliases + lineinfile: + path: /etc/aliases + regexp: "^root:" + line: "root: root@trygvis.no" + +- become: true + tags: + - trygvis-base + - trygvis-base-syslog + when: trygvis_base__syslog + block: + - name: + vars: + items: + - rsyslog + apt: + name: "{{ items }}" + state: present + install_recommends: no -- cgit v1.2.3
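Review bot: The apt task in the second block has an empty `- name:`; give it a name such as `install rsyslog`. `remove ~root/.ssh/authorized_keys` is the counterpart of lxc-host/per-host.yml, which drops the superusers' keys into the container's root account for the first run, and since all.yml runs `lusers`/`superusers` ahead of this role the real accounts exist by the time the bootstrap keys go; that dependency is invisible here, so add a comment above the task, e.g. `# Bootstrap keys installed by lxc-host/per-host.yml; dropped once lusers/superusers have created the real accounts`. The `/etc/hosts` task hardcodes the `.trygvis.io` suffix and the `/etc/localtime` task hardcodes Europe/Oslo; both could become role defaults alongside the existing flags.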