refactor common role

ansible.cfg

@@ -4,6 +4,7 @@ vault_password_file=scripts/gopass-client.py
 host_key_checking = False
 inventory = inventories/hosts.ini
 roles_path = ~/.ansible/roles:./roles:/usr/share/ansible/roles:/etc/ansible/roles
+interpreter_python = /usr/bin/python3
 
 [gopass]
 key_path=ansible

inventories/group_vars/all.yml

@@ -1,45 +0,0 @@
-openssh_port: "12322"
-
-smtp_accounts:
-- name: ahoy
-  host: mail.infomaniak.ch
-  port: 587
-  from: ahoy@pirateparty.be
-  password: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          62633164383764376333643063363263356461613164663066623836613931306437633033633134
-          3632326164663564653962613437376265333234313032360a313935303230393938356632356231
-          34613661383736313232613131313262616261323464653936393634653464323631333839353030
-          3230396536663635650a633537633633623365346563323334616338333436633537623831313165
-          38343766346437626332313230346537663735313937643765353465356236633134
-smtp_default_account: ahoy
-smtp_default_contact: it@pirateparty.be
-
-node_exporter_password: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          35333237666635633862336433303264613133376230346461333332636231643563636466356630
-          3235623237303366626562393065353436663632306438370a333132653432636632643134326130
-          66396666626631373637373065613137393232383361346438633763396266636264663364663238
-          3363666332633562360a323532666664333266333761343136306133336138623137316234653939
-          37643239613631383165656138633134663736393238343939336135303732333838336538373531
-          3635396265643061356339333035393836313936316633623662
-
-backup_targets:
-  - host: storage.pirateparty.be
-    ssh:
-      port: 23
-      username: "{{ storage_box_username }}"
-      key_file: storage-box
-  - host: batato.be
-    ssh:
-      key_file: batato
-    
-users:
-- name: hgo
-  ssh_keys:
-  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOK8Y3OEq1j3rR8EOLpVPYZeA5qC0PTsctza9c2qhbU hadrien@terry
-- name: tierce
-  ssh_keys:
-  - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC75IeAMEg6RwvbO6oLEQOpYSASGx9A3JD15gtA7D3NJFz+pZ7hBjBSjTxZrHDQLg1OFs0XRGS5DATRMnj6jSRAc25C71DewbNY9fWOH1/dAuo45zBllO3/pol17uYVqUbaPVjnqQFfikLCf7HjBbjt7JEVffJ3nkalE2q0TqjGK0JrltrL9dePE/R3ZNzVSDXvkgMsu18Wov9if6ftsKYgNTW+oOc9xoN1GSHYEnzv68+YNt3zKGTiwhU87cLyHJBu9o/wFDNOLdQcOtKa3IUPZvOgDlLrAm8a4Z9/A9DCJS/8kFmyNOazF1rupPAojn7k9mIBvVPxc5zqg+qrKbxR tierce@q
-
-acme_email: it@pirateparty.be

inventories/group_vars/all/main.yml

@@ -0,0 +1,31 @@
+openssh_port: "12322"
+
+nginx_dhparam_size: 3072
+
+smtp_accounts:
+  ahoy:
+    host: mail.infomaniak.ch
+    port: 587
+    from: ahoy@pirateparty.be
+    username: ahoy@pirateparty.be
+    password: "{{ vault_smtp_account_ahoy_password }}"
+smtp_default_account: ahoy
+smtp_default_recipient: it@pirateparty.be
+
+node_exporter_password: "{{ vault_node_exporter_password }}"
+
+storage_box_enabled: yes
+storage_box_host: storage.pirateparty.be
+storage_box_username: "{{ vault_storage_box_username }}"
+storage_box_password: "{{ vault_storage_box_password }}"
+
+borg_passphrase: "{{ vault_borg_passphrase }}"
+
+# Add SSH keys in playbooks/files/ssh/<username>/
+users:
+- name: hgo
+- name: tierce
+- name: backup
+  groups: []
+
+acme_email: it@pirateparty.be

inventories/group_vars/all/vault.yml

@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357
+65393535396562366132383030663065656633343839326661386330626365343036326165616263
+3130623331623634386333373134333864616662323633650a373033613761333332393937643339
+31313763366437343933656366633762666234363133353265336164623063333239393865336363
+3437303962393962620a343364653936396562306635323163326433306237623264393734383562
+37636466666363363736373934306137343738383062623831623533336439633061363965633138
+39383966626565666265303137663335663061373563306363323030323239326133333661653230
+36646131303238346563373763353765613664623936343564633534626263346161653161666631
+62343561373233653336623063323561393438316566643365623337623637653966663131336235
+34353361626266616331333435313732313339623735643730633933633439333962653862316134
+3163306462313137633166366461333462303034316631373165

inventories/host_vars/mastodon.pirateparty.be/main.yml

@@ -0,0 +1,20 @@
+mastodon_home: /home/mastodon
+
+borgmatic_config:
+  location:
+    source_directories:
+      - "{{ mastodon_home }}"
+      - /etc
+    repositories:
+      - "{{ borg_repository }}"
+    exclude_patterns:
+      - "{{ mastodon_home }}/elasticsearch"
+      - "{{ mastodon_home }}/redis"
+  storage:
+    encryption_passphrase: "{{ borg_passphrase }}"
+    compression: zlib,7
+  retention:
+    keep_hourly: 24
+    keep_daily: 7
+    keep_weekly: 4
+    keep_monthly: 6

inventories/host_vars/mastodon.pirateparty.be/vault.yml

@@ -0,0 +1,18 @@
+$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357
+63373233646532393433373238336163666262343364316631326561366630636136313631393038
+6563313039663237326263383539383736323936343137390a376435313339376630666632633337
+64613334626262616464663234313361353731623836316430643266303335386332623137353066
+6631636265633336360a366563656463343964316630333762646163653334336663643230353336
+66646566363537316631316633306334646630343164303630383638613033653037386564373566
+62646435393038396331343337353132396234366163333763326638373933363437643430376334
+31303735626564346438383535336465656166633137303439316235323938303236396637336461
+63343435623239396433623632653838386666653335346434333865346438643266616366623932
+34373065386263633737363863303138636539613536646166643066636166343935313333636564
+66613663623565633534656635356431623538306438353963303833373263303735313062343062
+36316132636564643564383634333562663136353663336661353433396132353832323063396130
+39633535643134663532656266613939353137643765396235633465656436613432303266313765
+61333165383030653733333533366232343535396634626237386266613037613838653034326162
+64366265313132656536333163616436396232623036386435353565396665343836323838656436
+30326363656639366239386637653234303635353630633461393039353462333338303563316132
+33353636343865666132343730336438363261383131343662316538633635653434623561633364
+6664

inventories/host_vars/pirateparty.be/vault.yml

@@ -0,0 +1,14 @@
+$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357
+65623932623736623961633664613731383837313338336165366333343763646235316163653836
+6130643962393231643262353065653130326566613363630a346138396532663733383133666635
+30373362393636363833333530333762666164306436393263336164366637313132356464333931
+3861643330306337300a643330613364663861623564356535343035393966383161383739626234
+65313335316636646664396433393736386133343765643038663334666462333366353639363061
+65303230303132366366343734336462653764613836396531613235393837326532626330636134
+63643935323163356462343730633939303537656539336461666139323066366136343262326534
+62316332313137626463643964646630663631313464663365313066623934393665306665303031
+39613166626639663639623365343364396161656662333134303432656338393333323232366232
+63633937343165633638326234386231336637326237336636343830363661376236353939366634
+35653962393865616262366433663562333430643465613861643631323035626636343065336636
+62613464613462346436353636323035316665313866616535363833393033623339343136653063
+3363

inventories/host_vars/status.pirateparty.be.yml

@@ -1,8 +0,0 @@
-storage_box_username: u212275-sub5
-storage_box_password: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          36313662333062323531613966386365373339663566303133653562663838316632613830613264
-          6564333736343830623061313534313630313534316231390a666662633861383563333562356561
-          64616534313266323833383331313334333761323965383634666635663430366461353437616465
-          6337363536643738310a656530663837386537336434633037376463336165613239323265366234
-          64663863333763356430616635323061396663373264343666323831646664646430

inventories/host_vars/status.pirateparty.be/vault.yml

@@ -0,0 +1,18 @@
+$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357
+64623562393233633764386333323337393862313165626238356166376661353837666332393437
+6637336439346134383738656537643263306161363931630a303734333431343634646438663466
+36303062376431643537313537343865653136336137363639373635333132323665353735386237
+6231666464343734340a643163623832303130333864316534663664313835633964386531646666
+64333431366464626633373630353631383233633233613066386137636631646663646535633037
+65336635383432616466366338613838656336396462636261623131333033653832623331353036
+30653163333566366439366362613933663262643361386332356366363731336163653335396636
+36616563353965376537326563363332653336653030303762656530346135383336363337383666
+32653563306235383135623733363666313539633032643566653935373762363935306230386566
+33656231613634373832316661366630616434343266333562373563383838313236643931363234
+37383733353235616261326333386534303362623737353566383536353439353133633735356336
+61633934323233393738363635656662396464383033623237623166663733666336313533373937
+66303433316461323338333034656238373035356162613662666132636530613966366465363036
+65323132653831373531346362366236636665323534663036303366376463613065313861383936
+65666463656631636361346130366462326166316533323839303563646133376661313631393333
+30303663323436376461323331643939376235313232353164653764306530663265326134333739
+3238

inventories/host_vars/talk.parley.be/vault.yml

@@ -0,0 +1,14 @@
+$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357
+39656566313337306263346133666139643435626566363036303031636336303866346437326662
+3431363531363065386666363464653937386162646330610a353161633236643238663032333134
+64303731653235323830626638323739626133313634316263343534373337393963643334363861
+6433346664336666330a666234373434646635646633323837616561323033363464353931363338
+38386238326135653039396161666639383131323430623466626165353634313730623662646139
+62653937323363653864313630633165323361663438383631303064383164613232656636333562
+65353131633931346161303830393630663264646636633837613031323132666132376139376265
+39373362633765633266373261333137396436343832653061323365393336303938613438643830
+63396338613463623839396433366538383033316165636564363838313737613761613961343535
+33643835366461363439613364303534616437316361383835633261326332636431656664393031
+35356232636339383031643838316437303637393938333361636562626633303839656232323231
+39633935636234303633386231356333356633386230373962333237656361333933373730616161
+3261

inventories/host_vars/wiki.pirateparty.be/main.yml

@@ -0,0 +1,18 @@
+borgmatic_config:
+  location:
+    source_directories:
+      - /var/www/mediawiki
+      - /etc
+    repositories:
+      - "{{ borg_repository }}"
+  storage:
+    encryption_passphrase: "{{ borg_passphrase }}"
+    compression: zlib,7
+  retention:
+    keep_hourly: 24
+    keep_daily: 7
+    keep_weekly: 4
+    keep_monthly: 6
+  hooks:
+    mysql_databases:
+      - name: mediawiki_prod

inventories/host_vars/wiki.pirateparty.be/vault.yml

@@ -0,0 +1,14 @@
+$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357
+65316362353466333562363830633862643035363561616137616633353032363832323039383966
+3430383934363433643639633732393361323736356562330a616437303366313861636539343236
+35623961613737653461653261663137316539653861333736616261313638633539356663313933
+3563653063633662300a366132666238623463306662633563336561626335656431393133393835
+36366436633162353765386561333865316236363832346465613162393139356362343438353535
+39653933656535366365356162333634366231316363633538383165383937623761363066653834
+35643638363534383561306332663536396538346638353632353839346637383130383863663030
+35393161393163313330626530383662333165363930626563303435393362636439613263653766
+39613832613366653339326262333433316138613566333131623334336165373765663237383334
+61383839373839373631393831336563633464346636393331633066353839313761393664646438
+61323331316238373538663462316533653433386132373664623433376639313364656162666638
+30313966656433663766343932633032623463323134306265643264303732383031623763646130
+3435

inventories/hosts.ini

@@ -8,4 +8,7 @@ talk.parley.be
 status.pirateparty.be
 
 [mumble]
-talk.parley.be
+talk.parley.be
+
+[mastodon]
+mastodon.pirateparty.be

playbooks/files/ssh/hgo/terry.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOK8Y3OEq1j3rR8EOLpVPYZeA5qC0PTsctza9c2qhbU hadrien@terry

playbooks/files/ssh/tierce/q.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC75IeAMEg6RwvbO6oLEQOpYSASGx9A3JD15gtA7D3NJFz+pZ7hBjBSjTxZrHDQLg1OFs0XRGS5DATRMnj6jSRAc25C71DewbNY9fWOH1/dAuo45zBllO3/pol17uYVqUbaPVjnqQFfikLCf7HjBbjt7JEVffJ3nkalE2q0TqjGK0JrltrL9dePE/R3ZNzVSDXvkgMsu18Wov9if6ftsKYgNTW+oOc9xoN1GSHYEnzv68+YNt3zKGTiwhU87cLyHJBu9o/wFDNOLdQcOtKa3IUPZvOgDlLrAm8a4Z9/A9DCJS/8kFmyNOazF1rupPAojn7k9mIBvVPxc5zqg+qrKbxR tierce@q

roles/common/.yamllint

@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable
+  truthy: disable

roles/common/defaults/main.yml

@@ -3,9 +3,96 @@
 node_exporter_path: /
 node_exporter_port: 9100
 node_exporter_public_port: "9180"
+node_exporter_password: password
 
 nginx_config_dir: /etc/nginx/conf.d
 nginx_ssl_dir: /etc/nginx/ssl
+nginx_dhparam_size: 2048
 
-ssh_config_dir: ~/.ssh
-backup_targets: []
+users:
+  - name: ppbe
+  - name: coco
+    groups: []
+user_default_groups:
+  - sudo
+
+openssh_port: "22"
+
+backup_owner: backup
+backup_group: "{{ backup_owner }}"
+
+storage_box_enabled: no
+storage_box_host: storage.example.com
+storage_box_port: 23
+storage_box_path: /home/backup
+storage_box_mount:
+  path: "/mnt/backup"
+  owner: "{{ backup_owner }}"
+  group: "{{ backup_group }}"
+  options: [rw,default_permissions]
+storage_box_username: u123456-sub1
+storage_box_password: somesecret
+
+borg_encryption_mode: keyfile
+borg_passphrase: "{{ vault_borg_passphrase }}"
+borg_repository: |-
+  {%- if storage_box_enabled -%}
+  {{ storage_box_host }}:{{ storage_box_path }}/borg
+  {%- else -%}
+  {{ storage_box_mount.path }}/borg
+  {%- endif -%}
+
+borgmatic_config:
+  location:
+    source_directories:
+      - /
+    repositories:
+      - "{{ borg_repository }}"
+    exclude_patterns:
+      - /dev
+      - /home/*/.cache
+      - /home/*/.gvfs
+      - /lib*
+      - /media
+      - /mnt
+      - /proc
+      - /tmp
+      - /run
+      - /swap*
+      - /sys
+      - /usr/src/linux-headers*
+      - /var/backups
+      - /var/cache/apt/archives
+      - /var/lib
+      - /var/log
+      - /var/run
+      - /var/snap
+    exclude_caches: true
+  storage:
+    encryption_passphrase: "{{ borg_passphrase }}"
+    compression: zlib,7
+  retention:
+    keep_hourly: 24
+    keep_daily: 7
+    keep_weekly: 4
+    keep_monthly: 6
+
+borgmatic_cron_hour: "3"
+borgmatic_cron_minute: "0"
+borgmatic_check_cron_weekday: "0"
+borgmatic_check_cron_hour: "2"
+borgmatic_check_cron_minute: "0"
+
+smtp_accounts:
+  example:
+    host: mail.example.com
+    port: 587
+    from: no-reply@example.com
+    username: ahoy@example.com
+    password: secret
+smtp_default_account: example
+smtp_default_recipient: contact@example.com
+smtp_aliases_path: /etc/aliases
+
+postfix_sasl_secrets_path: /etc/postfix/sasl/passwd
+postfix_senders_map_path: /etc/postfix/senders

roles/common/defaults/vault.yml

@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+66613631383234346131623731643533326566373463623935666636383464663639353164323861
+3464306432333534393565333334623965393363333365380a613764323664316338306532386331
+63353363633566373365623732636163366631656563393961333261623030363834376537643732
+6264373861313764390a306462323932333935653866373362383566333934386136336466623163
+39373332383733326261343162626336663135336561366137366466396463323762393538383333
+31663337393538623730326464316461323034636330626630616538316431633234306262613132
+36633164623162346231656364346363646563396664356337323763663135303963383533353838
+35396634386135386139

roles/common/files/sftp/push_public_key.sh

@@ -0,0 +1,33 @@
+#!/bin/bash -e
+
+function usage {
+    echo "Usage: $0 <host> <public key file>"
+}
+
+host="$1"
+public_key_file="$2"
+
+if [[ $# -ne 2 ]]; then
+  >&2 usage
+  exit 1
+fi
+
+authorized_keys_file="/tmp/${host}-authorized_keys"
+
+sshpass -e sftp "${host}" <<-EOF
+  mkdir .ssh
+  chmod 0700 .ssh
+  get .ssh/authorized_keys "${authorized_keys_file}"
+EOF
+
+if grep -f "${public_key_file}" "${authorized_keys_file}" > /dev/null; then
+  exit 0
+fi
+
+echo "Adding public key '${public_key_file}' for ${host}"
+sshpass -e sftp "${host}" <<-EOF
+  !cat "${public_key_file}" >> "${authorized_keys_file}"
+  put "${authorized_keys_file}" .ssh/authorized_keys
+  chmod 0600 .ssh/authorized_keys
+EOF
+echo "Public key added!"

roles/common/handlers/main.yml

@@ -3,6 +3,26 @@
     name: ssh
     state: restarted
 
+- name: reload postfix
+  service:
+    name: postfix
+    state: reloaded
+
+- name: update aliases
+  command: newaliases
+
+- name: update postfix senders
+  command: postmap {{ postfix_senders_map_path }}
+
+- name: update postfix secrets
+  command: postmap {{ postfix_sasl_secrets_path }}
+
 - name: reload nginx
   include_tasks: ../handlers/nginx.yml
-  when: nginx_started is not changed
+  when: nginx_started is not changed
+
+- name: reload autofs
+  service:
+    name: autofs
+    state: restarted
+  when: autofs_started is not changed

roles/common/molecule/default/INSTALL.rst

@@ -0,0 +1,23 @@
+*********************************
+Vagrant driver installation guide
+*********************************
+
+Requirements
+============
+
+* Vagrant
+* Virtualbox, Parallels, VMware Fusion, VMware Workstation or VMware Desktop
+
+Install
+=======
+
+Please refer to the `Virtual environment`_ documentation for installation best
+practices. If not using a virtual environment, please consider passing the
+widely recommended `'--user' flag`_ when invoking ``pip``.
+
+.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
+.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
+
+.. code-block:: bash
+
+    $ pip install 'molecule_vagrant'

roles/common/molecule/default/converge.yml

@@ -0,0 +1,7 @@
+---
+- name: Converge
+  hosts: all
+  become: yes
+
+  roles:
+    - common

roles/common/molecule/default/files/ssh/ppbe/id_ed25519

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACDNtdE4Xhn4OP2J0MW6KSeNUNgA797j1Ylrb/PuDKAAMgAAAJBcNgy6XDYM
+ugAAAAtzc2gtZWQyNTUxOQAAACDNtdE4Xhn4OP2J0MW6KSeNUNgA797j1Ylrb/PuDKAAMg
+AAAEDw/p35s5mUgbWvTlKnCuTuHdr3AJuNyFkn8DGERqzI7s210TheGfg4/YnQxbopJ41Q
+2ADv3uPViWtv8+4MoAAyAAAADHBwYmVAdmFncmFudAE=
+-----END OPENSSH PRIVATE KEY-----

roles/common/molecule/default/files/ssh/ppbe/id_ed25519.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM210TheGfg4/YnQxbopJ41Q2ADv3uPViWtv8+4MoAAy ppbe@vagrant

roles/common/molecule/default/molecule.yml

@@ -0,0 +1,31 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: vagrant
+  provider:
+    name: virtualbox
+platforms:
+  - name: debian-buster
+    box: debian/buster64
+    memory: 1024
+    cpus: 2
+    interfaces: 
+      - network_name: forwarded_port
+        guest: 22
+        host: 22000
+  - name: ubuntu-focal
+    box: ubuntu/focal64
+    memory: 1024
+    cpus: 2
+    interfaces: 
+      - network_name: forwarded_port
+        guest: 22
+        host: 22010
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: /usr/bin/python3
+verifier:
+  name: ansible

roles/common/tasks/backup.yml

@@ -0,0 +1,40 @@
+# 1. Backup incrémental tous les jours vers la storage box:
+#   1. Dans /mnt/backups, accessible en ro pour l'user system "backup"
+#      -> un seul backup host = celui de la storage box en sftp (pourrait être autre chose à terme)
+#      -> via autofs + sshfs (permet de libérer la connexion en dehors de la phase de backups)
+#   2. Chiffrement avec clé symétrique. La clé n'est connue que par l'host.
+# 2. D'autres machines se connectent pour récupérer les backups (rsync):
+#   1. En sftp chrooté via l'user system "backup"
+#   2. Donner accès SSH pour ces machines à l'user system "backup"
+
+- name: Create SSH directory
+  file:
+    path: "{{ ssh_config_dir }}"
+    state: directory
+    mode: "700"
+
+- name: Create SSH config file
+  file:
+    path: "{{ ssh_config_dir }}/config"
+    state: touch
+    access_time: preserve
+    modification_time: preserve
+    mode: "600"
+
+- name: Create backup user
+  user:
+    name: "{{ backup_owner }}"
+    shell: /bin/bash
+    # See https://unix.stackexchange.com/questions/193066/how-to-unlock-account-for-public-key-ssh-authorization-but-not-for-password-aut/193131#193131
+    password: '*'
+    state: present
+    update_password: always
+
+- name: Include Storage Box backup tasks
+  import_tasks: backup_storage_box.yml
+  when: storage_box_enabled
+  tags: backup_storage_box
+
+- name: Include Borg backup tasks
+  import_tasks: backup_borg.yml
+  tags: backup_borg

roles/common/tasks/backup_borg.yml

@@ -0,0 +1,61 @@
+- name: Install Borg packages
+  package:
+    name: "{{ borg_package }}"
+    state: present
+  loop: "{{ borg_packages }}"
+  loop_control:
+    loop_var: borg_package
+
+- name: Initialize Borg repository
+  command: borg init --make-parent-dirs -e "{{ borg_encryption_mode }}" "{{ borg_repository }}"
+  environment:
+    BORG_PASSPHRASE: "{{ borg_passphrase }}"
+  changed_when: "'A repository already exists' not in _borg_backup_init.stderr"
+  failed_when: _borg_backup_init.rc >= 2 and 'A repository already exists' not in _borg_backup_init.stderr
+  register: _borg_backup_init
+
+- name: Create Borgmatic config directory
+  file:
+    path: /etc/borgmatic
+    state: directory
+    owner: root
+    group: root
+    mode: "755"
+
+- name: Copy Borgmatic config file
+  copy:
+    content: "{{ borgmatic_config | to_nice_yaml(indent=2) }}"
+    dest: /etc/borgmatic/config.yaml
+    owner: root
+    group: root
+    mode: "600"
+
+- name: Add cron job for regular Borgmatic create and prune
+  cron:
+    user: root
+    name: borgmatic-create
+    cron_file: borgmatic
+    hour: "{{ borgmatic_cron_hour }}"
+    minute: "{{ borgmatic_cron_minute }}"
+    state: present
+    job: borgmatic --create --prune
+
+- name: Add cron job for unfrequent Borgmatic check
+  cron:
+    user: root
+    name: borgmatic-check
+    cron_file: borgmatic
+    weekday: "{{ borgmatic_check_cron_weekday }}"
+    hour: "{{ borgmatic_check_cron_hour }}"
+    minute: "{{ borgmatic_check_cron_minute }}"
+    state: present
+    job: borgmatic --check
+
+- name: Set PATH for Borgmatic cron job.
+  cron:
+    user: root
+    name: PATH
+    cron_file: borgmatic
+    env: yes
+    state: present
+    value: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

roles/common/tasks/backup_storage_box.yml

@@ -0,0 +1,95 @@
+- name: Install Storage Box mount dependencies
+  apt:
+    name: "{{ storage_box_package }}"
+    state: present
+  loop: "{{ storage_box_packages }}"
+  loop_control:
+    loop_var: storage_box_package
+
+- name: Generate SSH key pair for storage box {{ storage_box_host }}
+  openssh_keypair:
+    path: "{{ ssh_config_dir }}/{{ storage_box_prefix }}"
+    type: ed25519
+
+- name: Update SSH config file for storage box {{ storage_box_host }}
+  blockinfile:
+    path: "{{ ssh_config_dir }}/config"
+    block: |
+      Host {{ storage_box_host }}
+        {% if storage_box_username is defined %}
+        User {{ storage_box_username }}
+        {% endif %}
+        Port {{ storage_box_port }}
+        IdentityFile {{ ssh_config_dir }}/{{ storage_box_prefix }}
+        PreferredAuthentications publickey,password
+    marker: "# {mark} ANSIBLE MANAGED BLOCK {{ storage_box_host }}"
+
+- name: Copy script to add OpenSSH public key through SFTP
+  copy:
+    src: sftp/push_public_key.sh
+    dest: /usr/local/bin/sftp_push_public_key
+    owner: root
+    group: root
+    mode: "755"
+
+- name: Scan public keys for storage box {{ storage_box_host }}:{{ storage_box_port }}
+  command: ssh-keyscan -p {{ storage_box_port }} {{ storage_box_host }}
+  changed_when: no
+  register: _ssh_known_host
+
+- name: Add backup host {{ storage_box_host }} in known hosts list
+  known_hosts:
+    name: |-
+      {%- if storage_box_port == 22 -%}
+      {{ storage_box_host }}
+      {%- else -%}
+        [{{ storage_box_host }}]:{{ storage_box_port }}
+      {%- endif -%}
+    key: "{{ _ssh_known_host.stdout }}"
+    state: present
+
+- name: Push SSH public key to storage box {{ storage_box_host }}
+  when: storage_box_password is defined
+  command: sftp_push_public_key "{{ storage_box_host }}" "{{ ssh_config_dir }}/{{ storage_box_prefix }}.pub"
+  environment:
+    SSHPASS: "{{ storage_box_password }}"
+  changed_when:
+    - _storage_box_authorized.stdout is defined
+    - "'Public key added!' in _storage_box_authorized.stdout"
+  register: _storage_box_authorized
+
+- name: Create backup endpoint {{ storage_box_path }} on {{ storage_box_host }}
+  shell: |
+    sftp {{ storage_box_host }} <<-EOF
+      mkdir "{{ storage_box_path }}"
+    EOF
+  changed_when: "'Couldn\\'t create directory' not in _backup_endpoint_created.stderr"
+  register: _backup_endpoint_created
+
+- name: Create AutoFS config file for storage box {{ storage_box_host }} (SSHFS)
+  lineinfile:
+    path: /etc/auto.backup.{{ storage_box_prefix }}
+    regex: "^{{ storage_box_mount.path }} "
+    line: |
+      {{ storage_box_mount.path }} -fstype=fuse,{{ storage_box_mount.options | join(',') }},uid={{ storage_box_mount.owner }},gid={{ storage_box_mount.group }} :sshfs\#{{ storage_box_host }}\:{{ storage_box_path }}
+    state: present
+    create: yes
+  notify: reload autofs
+
+- name: Add AutoFS config file into main AutoFS config
+  lineinfile:
+    path: /etc/auto.master
+    regexp: '^/- /etc/auto.backup'
+    line: /- /etc/auto.backup.{{ storage_box_prefix }} --timeout=90,--ghost
+    state: present
+  notify: reload autofs
+
+- name: Start AutoFS service
+  service:
+    name: autofs
+    state: started
+    enabled: yes
+  register: autofs_started
+
+- name: Trigger AutoFS handlers
+  meta: flush_handlers

roles/common/tasks/main.yml

@@ -6,11 +6,11 @@
   tags: openssh
 - import_tasks: ufw.yml
   tags: firewall
-- import_tasks: msmtp.yml
+- import_tasks: postfix.yml
   tags: smtp
 - import_tasks: nginx.yml
   tags: nginx
 - import_tasks: node_exporter.yml
   tags: node_exporter
-#- import_tasks: backup.yml
-# tags: backup
+- import_tasks: backup.yml
+  tags: backup

roles/common/tasks/msmtp.yml

@@ -1,18 +0,0 @@
----
-# Install and configure SMTP relay
-- name: Install msmtp
-  apt:
-    name:
-    - msmtp
-    - msmtp-mta
-    state: present
-
-- name: Copy msmtp configuration
-  template:
-    src: msmtp/msmtprc.j2
-    dest: /etc/msmtprc
-
-- name: Copy aliases
-  template:
-    src: msmtp/aliases.j2
-    dest: /etc/aliases

roles/common/tasks/nginx.yml

@@ -2,7 +2,7 @@
 # Install and configure Nginx
 - name: Install htpasswd dependencies
   apt:
-    name: python-passlib
+    name: python3-passlib
     state: present
 
 - name: Install SSL dependencies
@@ -32,7 +32,7 @@
   # This can take a long time... So we are doing it in async mode
   openssl_dhparam:
     path: "{{ nginx_ssl_dir }}/dhparam.pem"
-    size: 3072
+    size: "{{ nginx_dhparam_size }}"
     owner: root
     group: www-data
   async: 3600

roles/common/tasks/node_exporter.yml

@@ -5,7 +5,7 @@
     name: cloudalchemy.node-exporter
     public: yes
   vars:
-    node_exporter_web_listen_address: "0.0.0.0:{{ node_exporter_port }}"
+    node_exporter_web_listen_address: "localhost:{{ node_exporter_port }}"
 
 - name: Configure Nginx for node-exporter
   import_role:
@@ -28,3 +28,6 @@
   ufw:
     rule: allow
     port: "{{ node_exporter_public_port }}"
+
+- name: Trigger node-exporter handlers
+  meta: flush_handlers

roles/common/tasks/openssh.yml

@@ -11,9 +11,10 @@
     validate: '/usr/sbin/sshd -T -f %s'
   notify: restart openssh
 
-- name: Trigger Ansible handlers
+- name: Trigger OpenSSH handlers
   meta: flush_handlers
 
 - name: Change Ansible SSH port to {{ openssh_port }}
   set_fact:
     ansible_port: "{{ openssh_port }}"
+  when: openssh_port != "22"

roles/common/tasks/postfix.yml

@@ -0,0 +1,49 @@
+- name: Install postfix package
+  apt:
+    name: postfix
+    state: present
+
+- name: Copy postfix configuration file
+  template:
+    src: postfix/main.cf.j2
+    dest: /etc/postfix/main.cf
+    owner: root
+    group: root
+    mode: "644"
+  notify: reload postfix
+
+- name: Copy aliases file
+  template:
+    src: postfix/aliases.j2
+    dest: "{{ smtp_aliases_path }}"
+    owner: root
+    group: root
+    mode: "644"
+  notify: update aliases
+
+- name: Copy Postfix senders map
+  template:
+    src: postfix/senders.j2
+    dest: "{{ postfix_senders_map_path }}"
+    owner: root
+    group: root
+    mode: "644"
+  notify: update postfix senders
+
+- name: Copy Postfix SASL secrets
+  template:
+    src: postfix/sasl_secrets.j2
+    dest: "{{ postfix_sasl_secrets_path }}"
+    owner: root
+    group: root
+    mode: "600"
+  notify: update postfix secrets
+
+- name: Start postfix service
+  service:
+    name: postfix
+    state: started
+    enabled: yes
+
+- name: Trigger Postfix handlers
+  meta: flush_handlers

roles/common/tasks/user.yml

@@ -6,17 +6,21 @@
     shell: /bin/bash
     # See https://unix.stackexchange.com/questions/193066/how-to-unlock-account-for-public-key-ssh-authorization-but-not-for-password-aut/193131#193131
     password: '*'
-    groups: 
-    - sudo
-    append: yes
+    groups: "{{ user.groups | default(user_default_groups) }}"
+    append: no
     state: present
-    update_password: on_create
+    update_password: always
 
 - name: Add SSH public keys for user {{ user.name }}
   authorized_key:
     user: "{{ user.name }}"
     state: present
     # we can pass multiple SSH keys, but they must be separated by newlines
-    key: "{{ user.ssh_keys | join('\n') }}"
+    key: |
+      {% for key_file in lookup('fileglob', user_ssh_key_path, wantlist=true) %}
+      {{ lookup('file', key_file) }}
+      {% endfor %}
     # remove obsolete keys
-    exclusive: yes
+    exclusive: yes
+  vars:
+    user_ssh_key_path: ssh/{{ user.name }}/*.pub

roles/common/templates/msmtp/aliases.j2

@@ -1 +0,0 @@
-default: {{ smtp_default_contact }}

roles/common/templates/msmtp/msmtprc.j2

@@ -1,19 +0,0 @@
-defaults
-auth on
-tls on
-tls_trust_file /etc/ssl/certs/ca-certificates.crt
-logfile /var/log/msmtp.log
-
-{% for account in smtp_accounts %}
-account {{ account.name }}
-host {{ account.host }}
-port 587
-from {{ account.from }}
-user {{ account.user | default(account.from) }}
-password {{ account.password }}
-
-{% endfor %}
-
-account default : {{ smtp_default_account }}
- 
-aliases /etc/aliases

roles/common/templates/opensmtpd/smtpd-secret.j2

@@ -0,0 +1,3 @@
+{% for account in smtp_accounts %}
+{{ account.name }} {{ account.username | default(account.from) }}:{{ account.password }}
+{% endfor %}

roles/common/templates/opensmtpd/smtpd.conf.j2

@@ -0,0 +1,11 @@
+listen on localhost
+
+table aliases file:/etc/aliases
+table secrets file:/etc/smtpd-secret
+
+action "local" mbox alias <aliases>
+{% for account in smtp_accounts %}
+action "{{ account.name }}_relay" relay host "smtps://{{ account.name }}@{{ account.host }}" auth <secrets> mail-from "{{ account.from }}"
+{% endfor %}
+match for local action "local"
+match for any action "{{ smtp_default_account }}_relay"

roles/common/templates/postfix/aliases.j2

@@ -0,0 +1,2 @@
+root: {{ smtp_default_recipient }}
+postmaster: {{ smtp_default_recipient }}

roles/common/templates/postfix/main.cf.j2

@@ -0,0 +1,40 @@
+{{ ansible_managed | comment }}
+
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+biff = no
+recipient_delimiter = +
+readme_directory = no
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# rewrite sender address
+sender_canonical_maps = hash:{{ postfix_senders_map_path }}
+
+alias_maps = hash:{{ smtp_aliases_path }}
+alias_database = hash:{{ smtp_aliases_path }}
+
+myhostname = {{ ansible_hostname }}
+myorigin = $myhostname
+mydestination = $myhostname, localhost.localdomain, localhost
+mynetworks_style = host
+
+inet_interfaces = all
+inet_protocols = all
+
+relayhost = [{{ smtp_accounts[smtp_default_account].host }}]
+relay_domains =
+# enable SASL authentication
+smtp_sasl_auth_enable = yes
+# disallow methods that allow anonymous authentication.
+smtp_sasl_security_options = noanonymous
+# where to find sasl_passwd
+smtp_sasl_password_maps = hash:{{ postfix_sasl_secrets_path }}
+# Enable STARTTLS encryption
+smtp_use_tls = yes
+# where to find CA certificates
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

roles/common/templates/postfix/sasl_secrets.j2

@@ -0,0 +1,3 @@
+{% for account in smtp_accounts.values() %}
+[{{ account.host }}] {{ account.username }}:{{ account.password }}
+{% endfor %}

roles/common/templates/postfix/senders.j2

@@ -0,0 +1,3 @@
+{% if smtp_accounts[smtp_default_account].from is defined %}
+@{{ ansible_hostname }} {{ smtp_accounts[smtp_default_account].from }}
+{% endif %}

roles/common/vars/main.yml

@@ -1,2 +1,9 @@
----
-# vars file for common
+ssh_config_dir: "{{ ansible_env.HOME }}/.ssh"
+storage_box_prefix: storage-box
+storage_box_packages:
+  - sshpass
+  - sshfs
+  - autofs
+borg_packages:
+  - borgbackup
+  - borgmatic