parent
67b8c5f230
commit
2b8f69fc41
Binary file not shown.
@ -1,45 +0,0 @@ |
||||
openssh_port: "12322" |
||||
|
||||
smtp_accounts: |
||||
- name: ahoy |
||||
host: mail.infomaniak.ch |
||||
port: 587 |
||||
from: ahoy@pirateparty.be |
||||
password: !vault | |
||||
$ANSIBLE_VAULT;1.1;AES256 |
||||
62633164383764376333643063363263356461613164663066623836613931306437633033633134 |
||||
3632326164663564653962613437376265333234313032360a313935303230393938356632356231 |
||||
34613661383736313232613131313262616261323464653936393634653464323631333839353030 |
||||
3230396536663635650a633537633633623365346563323334616338333436633537623831313165 |
||||
38343766346437626332313230346537663735313937643765353465356236633134 |
||||
smtp_default_account: ahoy |
||||
smtp_default_contact: it@pirateparty.be |
||||
|
||||
node_exporter_password: !vault | |
||||
$ANSIBLE_VAULT;1.1;AES256 |
||||
35333237666635633862336433303264613133376230346461333332636231643563636466356630 |
||||
3235623237303366626562393065353436663632306438370a333132653432636632643134326130 |
||||
66396666626631373637373065613137393232383361346438633763396266636264663364663238 |
||||
3363666332633562360a323532666664333266333761343136306133336138623137316234653939 |
||||
37643239613631383165656138633134663736393238343939336135303732333838336538373531 |
||||
3635396265643061356339333035393836313936316633623662 |
||||
|
||||
backup_targets: |
||||
- host: storage.pirateparty.be |
||||
ssh: |
||||
port: 23 |
||||
username: "{{ storage_box_username }}" |
||||
key_file: storage-box |
||||
- host: batato.be |
||||
ssh: |
||||
key_file: batato |
||||
|
||||
users: |
||||
- name: hgo |
||||
ssh_keys: |
||||
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOK8Y3OEq1j3rR8EOLpVPYZeA5qC0PTsctza9c2qhbU hadrien@terry |
||||
- name: tierce |
||||
ssh_keys: |
||||
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC75IeAMEg6RwvbO6oLEQOpYSASGx9A3JD15gtA7D3NJFz+pZ7hBjBSjTxZrHDQLg1OFs0XRGS5DATRMnj6jSRAc25C71DewbNY9fWOH1/dAuo45zBllO3/pol17uYVqUbaPVjnqQFfikLCf7HjBbjt7JEVffJ3nkalE2q0TqjGK0JrltrL9dePE/R3ZNzVSDXvkgMsu18Wov9if6ftsKYgNTW+oOc9xoN1GSHYEnzv68+YNt3zKGTiwhU87cLyHJBu9o/wFDNOLdQcOtKa3IUPZvOgDlLrAm8a4Z9/A9DCJS/8kFmyNOazF1rupPAojn7k9mIBvVPxc5zqg+qrKbxR tierce@q |
||||
|
||||
acme_email: it@pirateparty.be |
@ -0,0 +1,31 @@ |
||||
openssh_port: "12322" |
||||
|
||||
nginx_dhparam_size: 3072 |
||||
|
||||
smtp_accounts: |
||||
ahoy: |
||||
host: mail.infomaniak.ch |
||||
port: 587 |
||||
from: ahoy@pirateparty.be |
||||
username: ahoy@pirateparty.be |
||||
password: "{{ vault_smtp_account_ahoy_password }}" |
||||
smtp_default_account: ahoy |
||||
smtp_default_recipient: it@pirateparty.be |
||||
|
||||
node_exporter_password: "{{ vault_node_exporter_password }}" |
||||
|
||||
storage_box_enabled: yes |
||||
storage_box_host: storage.pirateparty.be |
||||
storage_box_username: "{{ vault_storage_box_username }}" |
||||
storage_box_password: "{{ vault_storage_box_password }}" |
||||
|
||||
borg_passphrase: "{{ vault_borg_passphrase }}" |
||||
|
||||
# Add SSH keys in playbooks/files/ssh/<username>/ |
||||
users: |
||||
- name: hgo |
||||
- name: tierce |
||||
- name: backup |
||||
groups: [] |
||||
|
||||
acme_email: it@pirateparty.be |
@ -0,0 +1,11 @@ |
||||
$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357 |
||||
65393535396562366132383030663065656633343839326661386330626365343036326165616263 |
||||
3130623331623634386333373134333864616662323633650a373033613761333332393937643339 |
||||
31313763366437343933656366633762666234363133353265336164623063333239393865336363 |
||||
3437303962393962620a343364653936396562306635323163326433306237623264393734383562 |
||||
37636466666363363736373934306137343738383062623831623533336439633061363965633138 |
||||
39383966626565666265303137663335663061373563306363323030323239326133333661653230 |
||||
36646131303238346563373763353765613664623936343564633534626263346161653161666631 |
||||
62343561373233653336623063323561393438316566643365623337623637653966663131336235 |
||||
34353361626266616331333435313732313339623735643730633933633439333962653862316134 |
||||
3163306462313137633166366461333462303034316631373165 |
@ -0,0 +1,20 @@ |
||||
mastodon_home: /home/mastodon |
||||
|
||||
borgmatic_config: |
||||
location: |
||||
source_directories: |
||||
- "{{ mastodon_home }}" |
||||
- /etc |
||||
repositories: |
||||
- "{{ borg_repository }}" |
||||
exclude_patterns: |
||||
- "{{ mastodon_home }}/elasticsearch" |
||||
- "{{ mastodon_home }}/redis" |
||||
storage: |
||||
encryption_passphrase: "{{ borg_passphrase }}" |
||||
compression: zlib,7 |
||||
retention: |
||||
keep_hourly: 24 |
||||
keep_daily: 7 |
||||
keep_weekly: 4 |
||||
keep_monthly: 6 |
@ -0,0 +1,18 @@ |
||||
$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357 |
||||
63373233646532393433373238336163666262343364316631326561366630636136313631393038 |
||||
6563313039663237326263383539383736323936343137390a376435313339376630666632633337 |
||||
64613334626262616464663234313361353731623836316430643266303335386332623137353066 |
||||
6631636265633336360a366563656463343964316630333762646163653334336663643230353336 |
||||
66646566363537316631316633306334646630343164303630383638613033653037386564373566 |
||||
62646435393038396331343337353132396234366163333763326638373933363437643430376334 |
||||
31303735626564346438383535336465656166633137303439316235323938303236396637336461 |
||||
63343435623239396433623632653838386666653335346434333865346438643266616366623932 |
||||
34373065386263633737363863303138636539613536646166643066636166343935313333636564 |
||||
66613663623565633534656635356431623538306438353963303833373263303735313062343062 |
||||
36316132636564643564383634333562663136353663336661353433396132353832323063396130 |
||||
39633535643134663532656266613939353137643765396235633465656436613432303266313765 |
||||
61333165383030653733333533366232343535396634626237386266613037613838653034326162 |
||||
64366265313132656536333163616436396232623036386435353565396665343836323838656436 |
||||
30326363656639366239386637653234303635353630633461393039353462333338303563316132 |
||||
33353636343865666132343730336438363261383131343662316538633635653434623561633364 |
||||
6664 |
@ -0,0 +1,14 @@ |
||||
$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357 |
||||
65623932623736623961633664613731383837313338336165366333343763646235316163653836 |
||||
6130643962393231643262353065653130326566613363630a346138396532663733383133666635 |
||||
30373362393636363833333530333762666164306436393263336164366637313132356464333931 |
||||
3861643330306337300a643330613364663861623564356535343035393966383161383739626234 |
||||
65313335316636646664396433393736386133343765643038663334666462333366353639363061 |
||||
65303230303132366366343734336462653764613836396531613235393837326532626330636134 |
||||
63643935323163356462343730633939303537656539336461666139323066366136343262326534 |
||||
62316332313137626463643964646630663631313464663365313066623934393665306665303031 |
||||
39613166626639663639623365343364396161656662333134303432656338393333323232366232 |
||||
63633937343165633638326234386231336637326237336636343830363661376236353939366634 |
||||
35653962393865616262366433663562333430643465613861643631323035626636343065336636 |
||||
62613464613462346436353636323035316665313866616535363833393033623339343136653063 |
||||
3363 |
@ -1,8 +0,0 @@ |
||||
storage_box_username: u212275-sub5 |
||||
storage_box_password: !vault | |
||||
$ANSIBLE_VAULT;1.1;AES256 |
||||
36313662333062323531613966386365373339663566303133653562663838316632613830613264 |
||||
6564333736343830623061313534313630313534316231390a666662633861383563333562356561 |
||||
64616534313266323833383331313334333761323965383634666635663430366461353437616465 |
||||
6337363536643738310a656530663837386537336434633037376463336165613239323265366234 |
||||
64663863333763356430616635323061396663373264343666323831646664646430 |
@ -0,0 +1,18 @@ |
||||
$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357 |
||||
64623562393233633764386333323337393862313165626238356166376661353837666332393437 |
||||
6637336439346134383738656537643263306161363931630a303734333431343634646438663466 |
||||
36303062376431643537313537343865653136336137363639373635333132323665353735386237 |
||||
6231666464343734340a643163623832303130333864316534663664313835633964386531646666 |
||||
64333431366464626633373630353631383233633233613066386137636631646663646535633037 |
||||
65336635383432616466366338613838656336396462636261623131333033653832623331353036 |
||||
30653163333566366439366362613933663262643361386332356366363731336163653335396636 |
||||
36616563353965376537326563363332653336653030303762656530346135383336363337383666 |
||||
32653563306235383135623733363666313539633032643566653935373762363935306230386566 |
||||
33656231613634373832316661366630616434343266333562373563383838313236643931363234 |
||||
37383733353235616261326333386534303362623737353566383536353439353133633735356336 |
||||
61633934323233393738363635656662396464383033623237623166663733666336313533373937 |
||||
66303433316461323338333034656238373035356162613662666132636530613966366465363036 |
||||
65323132653831373531346362366236636665323534663036303366376463613065313861383936 |
||||
65666463656631636361346130366462326166316533323839303563646133376661313631393333 |
||||
30303663323436376461323331643939376235313232353164653764306530663265326134333739 |
||||
3238 |
@ -0,0 +1,14 @@ |
||||
$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357 |
||||
39656566313337306263346133666139643435626566363036303031636336303866346437326662 |
||||
3431363531363065386666363464653937386162646330610a353161633236643238663032333134 |
||||
64303731653235323830626638323739626133313634316263343534373337393963643334363861 |
||||
6433346664336666330a666234373434646635646633323837616561323033363464353931363338 |
||||
38386238326135653039396161666639383131323430623466626165353634313730623662646139 |
||||
62653937323363653864313630633165323361663438383631303064383164613232656636333562 |
||||
65353131633931346161303830393630663264646636633837613031323132666132376139376265 |
||||
39373362633765633266373261333137396436343832653061323365393336303938613438643830 |
||||
63396338613463623839396433366538383033316165636564363838313737613761613961343535 |
||||
33643835366461363439613364303534616437316361383835633261326332636431656664393031 |
||||
35356232636339383031643838316437303637393938333361636562626633303839656232323231 |
||||
39633935636234303633386231356333356633386230373962333237656361333933373730616161 |
||||
3261 |
@ -0,0 +1,18 @@ |
||||
borgmatic_config: |
||||
location: |
||||
source_directories: |
||||
- /var/www/mediawiki |
||||
- /etc |
||||
repositories: |
||||
- "{{ borg_repository }}" |
||||
storage: |
||||
encryption_passphrase: "{{ borg_passphrase }}" |
||||
compression: zlib,7 |
||||
retention: |
||||
keep_hourly: 24 |
||||
keep_daily: 7 |
||||
keep_weekly: 4 |
||||
keep_monthly: 6 |
||||
hooks: |
||||
mysql_databases: |
||||
- name: mediawiki_prod |
@ -0,0 +1,14 @@ |
||||
$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357 |
||||
65316362353466333562363830633862643035363561616137616633353032363832323039383966 |
||||
3430383934363433643639633732393361323736356562330a616437303366313861636539343236 |
||||
35623961613737653461653261663137316539653861333736616261313638633539356663313933 |
||||
3563653063633662300a366132666238623463306662633563336561626335656431393133393835 |
||||
36366436633162353765386561333865316236363832346465613162393139356362343438353535 |
||||
39653933656535366365356162333634366231316363633538383165383937623761363066653834 |
||||
35643638363534383561306332663536396538346638353632353839346637383130383863663030 |
||||
35393161393163313330626530383662333165363930626563303435393362636439613263653766 |
||||
39613832613366653339326262333433316138613566333131623334336165373765663237383334 |
||||
61383839373839373631393831336563633464346636393331633066353839313761393664646438 |
||||
61323331316238373538663462316533653433386132373664623433376639313364656162666638 |
||||
30313966656433663766343932633032623463323134306265643264303732383031623763646130 |
||||
3435 |
@ -0,0 +1 @@ |
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOK8Y3OEq1j3rR8EOLpVPYZeA5qC0PTsctza9c2qhbU hadrien@terry |
@ -0,0 +1 @@ |
||||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC75IeAMEg6RwvbO6oLEQOpYSASGx9A3JD15gtA7D3NJFz+pZ7hBjBSjTxZrHDQLg1OFs0XRGS5DATRMnj6jSRAc25C71DewbNY9fWOH1/dAuo45zBllO3/pol17uYVqUbaPVjnqQFfikLCf7HjBbjt7JEVffJ3nkalE2q0TqjGK0JrltrL9dePE/R3ZNzVSDXvkgMsu18Wov9if6ftsKYgNTW+oOc9xoN1GSHYEnzv68+YNt3zKGTiwhU87cLyHJBu9o/wFDNOLdQcOtKa3IUPZvOgDlLrAm8a4Z9/A9DCJS/8kFmyNOazF1rupPAojn7k9mIBvVPxc5zqg+qrKbxR tierce@q |
@ -0,0 +1,33 @@ |
||||
--- |
||||
# Based on ansible-lint config |
||||
extends: default |
||||
|
||||
rules: |
||||
braces: |
||||
max-spaces-inside: 1 |
||||
level: error |
||||
brackets: |
||||
max-spaces-inside: 1 |
||||
level: error |
||||
colons: |
||||
max-spaces-after: -1 |
||||
level: error |
||||
commas: |
||||
max-spaces-after: -1 |
||||
level: error |
||||
comments: disable |
||||
comments-indentation: disable |
||||
document-start: disable |
||||
empty-lines: |
||||
max: 3 |
||||
level: error |
||||
hyphens: |
||||
level: error |
||||
indentation: disable |
||||
key-duplicates: enable |
||||
line-length: disable |
||||
new-line-at-end-of-file: disable |
||||
new-lines: |
||||
type: unix |
||||
trailing-spaces: disable |
||||
truthy: disable |
@ -0,0 +1,9 @@ |
||||
$ANSIBLE_VAULT;1.1;AES256 |
||||
66613631383234346131623731643533326566373463623935666636383464663639353164323861 |
||||
3464306432333534393565333334623965393363333365380a613764323664316338306532386331 |
||||
63353363633566373365623732636163366631656563393961333261623030363834376537643732 |
||||
6264373861313764390a306462323932333935653866373362383566333934386136336466623163 |
||||
39373332383733326261343162626336663135336561366137366466396463323762393538383333 |
||||
31663337393538623730326464316461323034636330626630616538316431633234306262613132 |
||||
36633164623162346231656364346363646563396664356337323763663135303963383533353838 |
||||
35396634386135386139 |
@ -0,0 +1,33 @@ |
||||
#!/bin/bash -e |
||||
|
||||
function usage { |
||||
echo "Usage: $0 <host> <public key file>" |
||||
} |
||||
|
||||
host="$1" |
||||
public_key_file="$2" |
||||
|
||||
if [[ $# -ne 2 ]]; then |
||||
>&2 usage |
||||
exit 1 |
||||
fi |
||||
|
||||
authorized_keys_file="/tmp/${host}-authorized_keys" |
||||
|
||||
sshpass -e sftp "${host}" <<-EOF |
||||
mkdir .ssh |
||||
chmod 0700 .ssh |
||||
get .ssh/authorized_keys "${authorized_keys_file}" |
||||
EOF |
||||
|
||||
if grep -f "${public_key_file}" "${authorized_keys_file}" > /dev/null; then |
||||
exit 0 |
||||
fi |
||||
|
||||
echo "Adding public key '${public_key_file}' for ${host}" |
||||
sshpass -e sftp "${host}" <<-EOF |
||||
!cat "${public_key_file}" >> "${authorized_keys_file}" |
||||
put "${authorized_keys_file}" .ssh/authorized_keys |
||||
chmod 0600 .ssh/authorized_keys |
||||
EOF |
||||
echo "Public key added!" |
@ -0,0 +1,23 @@ |
||||
********************************* |
||||
Vagrant driver installation guide |
||||
********************************* |
||||
|
||||
Requirements |
||||
============ |
||||
|
||||
* Vagrant |
||||
* Virtualbox, Parallels, VMware Fusion, VMware Workstation or VMware Desktop |
||||
|
||||
Install |
||||
======= |
||||
|
||||
Please refer to the `Virtual environment`_ documentation for installation best |
||||
practices. If not using a virtual environment, please consider passing the |
||||
widely recommended `'--user' flag`_ when invoking ``pip``. |
||||
|
||||
.. _Virtual environment: https://virtualenv.pypa.io/en/latest/ |
||||
.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site |
||||
|
||||
.. code-block:: bash |
||||
|
||||
$ pip install 'molecule_vagrant' |
@ -0,0 +1,7 @@ |
||||
--- |
||||
- name: Converge |
||||
hosts: all |
||||
become: yes |
||||
|
||||
roles: |
||||
- common |
@ -0,0 +1,7 @@ |
||||
-----BEGIN OPENSSH PRIVATE KEY----- |
||||
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW |
||||
QyNTUxOQAAACDNtdE4Xhn4OP2J0MW6KSeNUNgA797j1Ylrb/PuDKAAMgAAAJBcNgy6XDYM |
||||
ugAAAAtzc2gtZWQyNTUxOQAAACDNtdE4Xhn4OP2J0MW6KSeNUNgA797j1Ylrb/PuDKAAMg |
||||
AAAEDw/p35s5mUgbWvTlKnCuTuHdr3AJuNyFkn8DGERqzI7s210TheGfg4/YnQxbopJ41Q |
||||
2ADv3uPViWtv8+4MoAAyAAAADHBwYmVAdmFncmFudAE= |
||||
-----END OPENSSH PRIVATE KEY----- |
@ -0,0 +1 @@ |
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM210TheGfg4/YnQxbopJ41Q2ADv3uPViWtv8+4MoAAy ppbe@vagrant |
@ -0,0 +1,31 @@ |
||||
--- |
||||
dependency: |
||||
name: galaxy |
||||
driver: |
||||
name: vagrant |
||||
provider: |
||||
name: virtualbox |
||||
platforms: |
||||
- name: debian-buster |
||||
box: debian/buster64 |
||||
memory: 1024 |
||||
cpus: 2 |
||||
interfaces: |
||||
- network_name: forwarded_port |
||||
guest: 22 |
||||
host: 22000 |
||||
- name: ubuntu-focal |
||||
box: ubuntu/focal64 |
||||
memory: 1024 |
||||
cpus: 2 |
||||
interfaces: |
||||
- network_name: forwarded_port |
||||
guest: 22 |
||||
host: 22010 |
||||
provisioner: |
||||
name: ansible |
||||
config_options: |
||||
defaults: |
||||
interpreter_python: /usr/bin/python3 |
||||
verifier: |
||||
name: ansible |
@ -0,0 +1,40 @@ |
||||
# 1. Backup incrémental tous les jours vers la storage box: |
||||
# 1. Dans /mnt/backups, accessible en ro pour l'user system "backup" |
||||
# -> un seul backup host = celui de la storage box en sftp (pourrait être autre chose à terme) |
||||
# -> via autofs + sshfs (permet de libérer la connexion en dehors de la phase de backups) |
||||
# 2. Chiffrement avec clé symétrique. La clé n'est connue que par l'host. |
||||
# 2. D'autres machines se connectent pour récupérer les backups (rsync): |
||||
# 1. En sftp chrooté via l'user system "backup" |
||||
# 2. Donner accès SSH pour ces machines à l'user system "backup" |
||||
|
||||
- name: Create SSH directory |
||||
file: |
||||
path: "{{ ssh_config_dir }}" |
||||
state: directory |
||||
mode: "700" |
||||
|
||||
- name: Create SSH config file |
||||
file: |
||||
path: "{{ ssh_config_dir }}/config" |
||||
state: touch |
||||
access_time: preserve |
||||
modification_time: preserve |
||||
mode: "600" |
||||
|
||||
- name: Create backup user |
||||
user: |
||||
name: "{{ backup_owner }}" |
||||
shell: /bin/bash |
||||
# See https://unix.stackexchange.com/questions/193066/how-to-unlock-account-for-public-key-ssh-authorization-but-not-for-password-aut/193131#193131 |
||||
password: '*' |
||||
state: present |
||||
update_password: always |
||||
|
||||
- name: Include Storage Box backup tasks |
||||
import_tasks: backup_storage_box.yml |
||||
when: storage_box_enabled |
||||
tags: backup_storage_box |
||||
|
||||
- name: Include Borg backup tasks |
||||
import_tasks: backup_borg.yml |
||||
tags: backup_borg |
@ -0,0 +1,61 @@ |
||||
- name: Install Borg packages |
||||
package: |
||||
name: "{{ borg_package }}" |
||||
state: present |
||||
loop: "{{ borg_packages }}" |
||||
loop_control: |
||||
loop_var: borg_package |
||||
|
||||
- name: Initialize Borg repository |
||||
command: borg init --make-parent-dirs -e "{{ borg_encryption_mode }}" "{{ borg_repository }}" |
||||
environment: |
||||
BORG_PASSPHRASE: "{{ borg_passphrase }}" |
||||
changed_when: "'A repository already exists' not in _borg_backup_init.stderr" |
||||
failed_when: _borg_backup_init.rc >= 2 and 'A repository already exists' not in _borg_backup_init.stderr |
||||
register: _borg_backup_init |
||||
|
||||
- name: Create Borgmatic config directory |
||||
file: |
||||
path: /etc/borgmatic |
||||
state: directory |
||||
owner: root |
||||
group: root |
||||
mode: "755" |
||||
|
||||
- name: Copy Borgmatic config file |
||||
copy: |
||||
content: "{{ borgmatic_config | to_nice_yaml(indent=2) }}" |
||||
dest: /etc/borgmatic/config.yaml |
||||
owner: root |
||||
group: root |
||||
mode: "600" |
||||
|
||||
- name: Add cron job for regular Borgmatic create and prune |
||||
cron: |
||||
user: root |
||||
name: borgmatic-create |
||||
cron_file: borgmatic |
||||
hour: "{{ borgmatic_cron_hour }}" |
||||
minute: "{{ borgmatic_cron_minute }}" |
||||
state: present |
||||
job: borgmatic --create --prune |
||||
|
||||
- name: Add cron job for unfrequent Borgmatic check |
||||
cron: |
||||
user: root |
||||
name: borgmatic-check |
||||
cron_file: borgmatic |
||||
weekday: "{{ borgmatic_check_cron_weekday }}" |
||||
hour: "{{ borgmatic_check_cron_hour }}" |
||||
minute: "{{ borgmatic_check_cron_minute }}" |
||||
state: present |
||||
job: borgmatic --check |
||||
|
||||
- name: Set PATH for Borgmatic cron job. |
||||
cron: |
||||
user: root |
||||
name: PATH |
||||
cron_file: borgmatic |
||||
env: yes |
||||
state: present |
||||
value: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin |
@ -0,0 +1,95 @@ |
||||
- name: Install Storage Box mount dependencies |
||||
apt: |
||||
name: "{{ storage_box_package }}" |
||||
state: present |
||||
loop: "{{ storage_box_packages }}" |
||||
loop_control: |
||||
loop_var: storage_box_package |
||||
|
||||
- name: Generate SSH key pair for storage box {{ storage_box_host }} |
||||
openssh_keypair: |
||||
path: "{{ ssh_config_dir }}/{{ storage_box_prefix }}" |
||||
type: ed25519 |
||||
|
||||
- name: Update SSH config file for storage box {{ storage_box_host }} |
||||
blockinfile: |
||||
path: "{{ ssh_config_dir }}/config" |
||||
block: | |
||||
Host {{ storage_box_host }} |
||||
{% if storage_box_username is defined %} |
||||
User {{ storage_box_username }} |
||||
{% endif %} |
||||
Port {{ storage_box_port }} |
||||
IdentityFile {{ ssh_config_dir }}/{{ storage_box_prefix }} |
||||
PreferredAuthentications publickey,password |
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK {{ storage_box_host }}" |
||||
|
||||
- name: Copy script to add OpenSSH public key through SFTP |
||||
copy: |
||||
src: sftp/push_public_key.sh |
||||
dest: /usr/local/bin/sftp_push_public_key |
||||
owner: root |
||||
group: root |
||||
mode: "755" |
||||
|
||||
- name: Scan public keys for storage box {{ storage_box_host }}:{{ storage_box_port }} |
||||
command: ssh-keyscan -p {{ storage_box_port }} {{ storage_box_host }} |
||||
changed_when: no |
||||
register: _ssh_known_host |
||||
|
||||
- name: Add backup host {{ storage_box_host }} in known hosts list |
||||
known_hosts: |
||||
name: |- |
||||
{%- if storage_box_port == 22 -%} |
||||
{{ storage_box_host }} |
||||
{%- else -%} |
||||
[{{ storage_box_host }}]:{{ storage_box_port }} |
||||
{%- endif -%} |
||||
key: "{{ _ssh_known_host.stdout }}" |
||||
state: present |
||||
|
||||
- name: Push SSH public key to storage box {{ storage_box_host }} |
||||
when: storage_box_password is defined |
||||
command: sftp_push_public_key "{{ storage_box_host }}" "{{ ssh_config_dir }}/{{ storage_box_prefix }}.pub" |
||||
environment: |
||||
SSHPASS: "{{ storage_box_password }}" |
||||
changed_when: |
||||
- _storage_box_authorized.stdout is defined |
||||
- "'Public key added!' in _storage_box_authorized.stdout" |
||||
register: _storage_box_authorized |
||||
|
||||
- name: Create backup endpoint {{ storage_box_path }} on {{ storage_box_host }} |
||||
shell: | |
||||
sftp {{ storage_box_host }} <<-EOF |
||||
mkdir "{{ storage_box_path }}" |
||||
EOF |
||||
changed_when: "'Couldn\\'t create directory' not in _backup_endpoint_created.stderr" |
||||
register: _backup_endpoint_created |
||||
|
||||
- name: Create AutoFS config file for storage box {{ storage_box_host }} (SSHFS) |
||||
lineinfile: |
||||
path: /etc/auto.backup.{{ storage_box_prefix }} |
||||
regex: "^{{ storage_box_mount.path }} " |
||||
line: | |
||||
{{ storage_box_mount.path }} -fstype=fuse,{{ storage_box_mount.options | join(',') }},uid={{ storage_box_mount.owner }},gid={{ storage_box_mount.group }} :sshfs\#{{ storage_box_host }}\:{{ storage_box_path }} |
||||
state: present |
||||
create: yes |
||||
notify: reload autofs |
||||
|
||||
- name: Add AutoFS config file into main AutoFS config |
||||
lineinfile: |
||||
path: /etc/auto.master |
||||
regexp: '^/- /etc/auto.backup' |
||||
line: /- /etc/auto.backup.{{ storage_box_prefix }} --timeout=90,--ghost |
||||
state: present |
||||
notify: reload autofs |
||||
|
||||
- name: Start AutoFS service |
||||
service: |
||||
name: autofs |
||||
state: started |
||||
enabled: yes |
||||
register: autofs_started |
||||
|
||||
- name: Trigger AutoFS handlers |
||||
meta: flush_handlers |
@ -1,18 +0,0 @@ |
||||
--- |
||||
# Install and configure SMTP relay |
||||
- name: Install msmtp |
||||
apt: |
||||
name: |
||||
- msmtp |
||||
- msmtp-mta |
||||
state: present |
||||
|
||||
- name: Copy msmtp configuration |
||||
template: |
||||
src: msmtp/msmtprc.j2 |
||||
dest: /etc/msmtprc |
||||
|
||||
- name: Copy aliases |
||||
template: |
||||
src: msmtp/aliases.j2 |
||||
dest: /etc/aliases |
@ -0,0 +1,49 @@ |
||||
- name: Install postfix package |
||||
apt: |
||||
name: postfix |
||||
state: present |
||||
|
||||
- name: Copy postfix configuration file |
||||
template: |
||||
src: postfix/main.cf.j2 |
||||
dest: /etc/postfix/main.cf |
||||
owner: root |
||||
group: root |
||||
mode: "644" |
||||
notify: reload postfix |
||||
|
||||
- name: Copy aliases file |
||||
template: |
||||
src: postfix/aliases.j2 |
||||
dest: "{{ smtp_aliases_path }}" |
||||
owner: root |
||||
group: root |
||||
mode: "644" |
||||
notify: update aliases |
||||
|
||||
- name: Copy Postfix senders map |
||||
template: |
||||
src: postfix/senders.j2 |
||||
dest: "{{ postfix_senders_map_path }}" |
||||
owner: root |
||||
group: root |
||||
mode: "644" |
||||
notify: update postfix senders |
||||
|
||||
- name: Copy Postfix SASL secrets |
||||
template: |
||||
src: postfix/sasl_secrets.j2 |
||||
dest: "{{ postfix_sasl_secrets_path }}" |
||||
owner: root |
||||
group: root |
||||
mode: "600" |
||||
notify: update postfix secrets |
||||
|
||||
- name: Start postfix service |
||||
service: |
||||
name: postfix |
||||
state: started |
||||
enabled: yes |
||||
|
||||
- name: Trigger Postfix handlers |
||||
meta: flush_handlers |
@ -1 +0,0 @@ |
||||
default: {{ smtp_default_contact }} |
@ -1,19 +0,0 @@ |
||||
defaults |
||||
auth on |
||||
tls on |
||||
tls_trust_file /etc/ssl/certs/ca-certificates.crt |
||||
logfile /var/log/msmtp.log |
||||
|
||||
{% for account in smtp_accounts %} |
||||
account {{ account.name }} |
||||
host {{ account.host }} |
||||
port 587 |
||||
from {{ account.from }} |
||||
user {{ account.user | default(account.from) }} |
||||
password {{ account.password }} |
||||
|
||||
{% endfor %} |
||||
|
||||
account default : {{ smtp_default_account }} |
||||
|
||||
aliases /etc/aliases |
@ -0,0 +1,3 @@ |
||||
{% for account in smtp_accounts %} |
||||
{{ account.name }} {{ account.username | default(account.from) }}:{{ account.password }} |
||||
{% endfor %} |
@ -0,0 +1,11 @@ |
||||
listen on localhost |
||||
|
||||
table aliases file:/etc/aliases |
||||
table secrets file:/etc/smtpd-secret |
||||
|
||||
action "local" mbox alias <aliases> |
||||
{% for account in smtp_accounts %} |
||||
action "{{ account.name }}_relay" relay host "smtps://{{ account.name }}@{{ account.host }}" auth <secrets> mail-from "{{ account.from }}" |
||||
{% endfor %} |
||||
match for local action "local" |
||||
match for any action "{{ smtp_default_account }}_relay" |
@ -0,0 +1,2 @@ |
||||
root: {{ smtp_default_recipient }} |
||||
postmaster: {{ smtp_default_recipient }} |
@ -0,0 +1,40 @@ |
||||
{{ ansible_managed | comment }} |
||||
|
||||
# See /usr/share/postfix/main.cf.dist for a commented, more complete version |
||||
|
||||
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on |
||||
# fresh installs. |
||||
compatibility_level = 2 |
||||
|
||||
biff = no |
||||
recipient_delimiter = + |
||||
readme_directory = no |
||||
# appending .domain is the MUA's job. |
||||
append_dot_mydomain = no |
||||
|
||||
# rewrite sender address |
||||
sender_canonical_maps = hash:{{ postfix_senders_map_path }} |
||||
|
||||
alias_maps = hash:{{ smtp_aliases_path }} |
||||
alias_database = hash:{{ smtp_aliases_path }} |
||||
|
||||
myhostname = {{ ansible_hostname }} |
||||
myorigin = $myhostname |
||||
mydestination = $myhostname, localhost.localdomain, localhost |
||||
mynetworks_style = host |
||||
|
||||
inet_interfaces = all |
||||
inet_protocols = all |
||||
|
||||
relayhost = [{{ smtp_accounts[smtp_default_account].host }}] |
||||
relay_domains = |
||||
# enable SASL authentication |
||||
smtp_sasl_auth_enable = yes |
||||
# disallow methods that allow anonymous authentication. |
||||
smtp_sasl_security_options = noanonymous |
||||
# where to find sasl_passwd |
||||
smtp_sasl_password_maps = hash:{{ postfix_sasl_secrets_path }} |
||||
# Enable STARTTLS encryption |
||||
smtp_use_tls = yes |
||||
# where to find CA certificates |
||||
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt |
@ -0,0 +1,3 @@ |
||||
{% for account in smtp_accounts.values() %} |
||||
[{{ account.host }}] {{ account.username }}:{{ account.password }} |
||||
{% endfor %} |
@ -0,0 +1,3 @@ |
||||
{% if smtp_accounts[smtp_default_account].from is defined %} |
||||
@{{ ansible_hostname }} {{ smtp_accounts[smtp_default_account].from }} |
||||
{% endif %} |
@ -1,2 +1,9 @@ |
||||
--- |
||||
# vars file for common |
||||
ssh_config_dir: "{{ ansible_env.HOME }}/.ssh" |
||||
storage_box_prefix: storage-box |
||||
storage_box_packages: |
||||
- sshpass |
||||
- sshfs |
||||
- autofs |
||||
borg_packages: |
||||
- borgbackup |
||||
- borgmatic |
Loading…
Reference in new issue