Browse Source

refactor common role

master
HgO 2 years ago
parent
commit
2b8f69fc41
  1. BIN
      .vault.secret
  2. 1
      ansible.cfg
  3. 45
      inventories/group_vars/all.yml
  4. 31
      inventories/group_vars/all/main.yml
  5. 11
      inventories/group_vars/all/vault.yml
  6. 20
      inventories/host_vars/mastodon.pirateparty.be/main.yml
  7. 18
      inventories/host_vars/mastodon.pirateparty.be/vault.yml
  8. 14
      inventories/host_vars/pirateparty.be/vault.yml
  9. 8
      inventories/host_vars/status.pirateparty.be.yml
  10. 18
      inventories/host_vars/status.pirateparty.be/vault.yml
  11. 14
      inventories/host_vars/talk.parley.be/vault.yml
  12. 18
      inventories/host_vars/wiki.pirateparty.be/main.yml
  13. 14
      inventories/host_vars/wiki.pirateparty.be/vault.yml
  14. 5
      inventories/hosts.ini
  15. 1
      playbooks/files/ssh/hgo/terry.pub
  16. 1
      playbooks/files/ssh/tierce/q.pub
  17. 33
      roles/common/.yamllint
  18. 91
      roles/common/defaults/main.yml
  19. 9
      roles/common/defaults/vault.yml
  20. 33
      roles/common/files/sftp/push_public_key.sh
  21. 22
      roles/common/handlers/main.yml
  22. 23
      roles/common/molecule/default/INSTALL.rst
  23. 7
      roles/common/molecule/default/converge.yml
  24. 7
      roles/common/molecule/default/files/ssh/ppbe/id_ed25519
  25. 1
      roles/common/molecule/default/files/ssh/ppbe/id_ed25519.pub
  26. 31
      roles/common/molecule/default/molecule.yml
  27. 40
      roles/common/tasks/backup.yml
  28. 61
      roles/common/tasks/backup_borg.yml
  29. 95
      roles/common/tasks/backup_storage_box.yml
  30. 6
      roles/common/tasks/main.yml
  31. 18
      roles/common/tasks/msmtp.yml
  32. 4
      roles/common/tasks/nginx.yml
  33. 5
      roles/common/tasks/node_exporter.yml
  34. 3
      roles/common/tasks/openssh.yml
  35. 49
      roles/common/tasks/postfix.yml
  36. 16
      roles/common/tasks/user.yml
  37. 1
      roles/common/templates/msmtp/aliases.j2
  38. 19
      roles/common/templates/msmtp/msmtprc.j2
  39. 3
      roles/common/templates/opensmtpd/smtpd-secret.j2
  40. 11
      roles/common/templates/opensmtpd/smtpd.conf.j2
  41. 2
      roles/common/templates/postfix/aliases.j2
  42. 40
      roles/common/templates/postfix/main.cf.j2
  43. 3
      roles/common/templates/postfix/sasl_secrets.j2
  44. 3
      roles/common/templates/postfix/senders.j2
  45. 11
      roles/common/vars/main.yml

BIN
.vault.secret

1
ansible.cfg

@ -4,6 +4,7 @@ vault_password_file=scripts/gopass-client.py
host_key_checking = False
inventory = inventories/hosts.ini
roles_path = ~/.ansible/roles:./roles:/usr/share/ansible/roles:/etc/ansible/roles
interpreter_python = /usr/bin/python3
[gopass]
key_path=ansible

45
inventories/group_vars/all.yml

@ -1,45 +0,0 @@
openssh_port: "12322"
smtp_accounts:
- name: ahoy
host: mail.infomaniak.ch
port: 587
from: ahoy@pirateparty.be
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
62633164383764376333643063363263356461613164663066623836613931306437633033633134
3632326164663564653962613437376265333234313032360a313935303230393938356632356231
34613661383736313232613131313262616261323464653936393634653464323631333839353030
3230396536663635650a633537633633623365346563323334616338333436633537623831313165
38343766346437626332313230346537663735313937643765353465356236633134
smtp_default_account: ahoy
smtp_default_contact: it@pirateparty.be
node_exporter_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
35333237666635633862336433303264613133376230346461333332636231643563636466356630
3235623237303366626562393065353436663632306438370a333132653432636632643134326130
66396666626631373637373065613137393232383361346438633763396266636264663364663238
3363666332633562360a323532666664333266333761343136306133336138623137316234653939
37643239613631383165656138633134663736393238343939336135303732333838336538373531
3635396265643061356339333035393836313936316633623662
backup_targets:
- host: storage.pirateparty.be
ssh:
port: 23
username: "{{ storage_box_username }}"
key_file: storage-box
- host: batato.be
ssh:
key_file: batato
users:
- name: hgo
ssh_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOK8Y3OEq1j3rR8EOLpVPYZeA5qC0PTsctza9c2qhbU hadrien@terry
- name: tierce
ssh_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC75IeAMEg6RwvbO6oLEQOpYSASGx9A3JD15gtA7D3NJFz+pZ7hBjBSjTxZrHDQLg1OFs0XRGS5DATRMnj6jSRAc25C71DewbNY9fWOH1/dAuo45zBllO3/pol17uYVqUbaPVjnqQFfikLCf7HjBbjt7JEVffJ3nkalE2q0TqjGK0JrltrL9dePE/R3ZNzVSDXvkgMsu18Wov9if6ftsKYgNTW+oOc9xoN1GSHYEnzv68+YNt3zKGTiwhU87cLyHJBu9o/wFDNOLdQcOtKa3IUPZvOgDlLrAm8a4Z9/A9DCJS/8kFmyNOazF1rupPAojn7k9mIBvVPxc5zqg+qrKbxR tierce@q
acme_email: it@pirateparty.be

31
inventories/group_vars/all/main.yml

@ -0,0 +1,31 @@
openssh_port: "12322"
nginx_dhparam_size: 3072
smtp_accounts:
ahoy:
host: mail.infomaniak.ch
port: 587
from: ahoy@pirateparty.be
username: ahoy@pirateparty.be
password: "{{ vault_smtp_account_ahoy_password }}"
smtp_default_account: ahoy
smtp_default_recipient: it@pirateparty.be
node_exporter_password: "{{ vault_node_exporter_password }}"
storage_box_enabled: yes
storage_box_host: storage.pirateparty.be
storage_box_username: "{{ vault_storage_box_username }}"
storage_box_password: "{{ vault_storage_box_password }}"
borg_passphrase: "{{ vault_borg_passphrase }}"
# Add SSH keys in playbooks/files/ssh/<username>/
users:
- name: hgo
- name: tierce
- name: backup
groups: []
acme_email: it@pirateparty.be

11
inventories/group_vars/all/vault.yml

@ -0,0 +1,11 @@
$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357
65393535396562366132383030663065656633343839326661386330626365343036326165616263
3130623331623634386333373134333864616662323633650a373033613761333332393937643339
31313763366437343933656366633762666234363133353265336164623063333239393865336363
3437303962393962620a343364653936396562306635323163326433306237623264393734383562
37636466666363363736373934306137343738383062623831623533336439633061363965633138
39383966626565666265303137663335663061373563306363323030323239326133333661653230
36646131303238346563373763353765613664623936343564633534626263346161653161666631
62343561373233653336623063323561393438316566643365623337623637653966663131336235
34353361626266616331333435313732313339623735643730633933633439333962653862316134
3163306462313137633166366461333462303034316631373165

20
inventories/host_vars/mastodon.pirateparty.be/main.yml

@ -0,0 +1,20 @@
mastodon_home: /home/mastodon
borgmatic_config:
location:
source_directories:
- "{{ mastodon_home }}"
- /etc
repositories:
- "{{ borg_repository }}"
exclude_patterns:
- "{{ mastodon_home }}/elasticsearch"
- "{{ mastodon_home }}/redis"
storage:
encryption_passphrase: "{{ borg_passphrase }}"
compression: zlib,7
retention:
keep_hourly: 24
keep_daily: 7
keep_weekly: 4
keep_monthly: 6

18
inventories/host_vars/mastodon.pirateparty.be/vault.yml

@ -0,0 +1,18 @@
$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357
63373233646532393433373238336163666262343364316631326561366630636136313631393038
6563313039663237326263383539383736323936343137390a376435313339376630666632633337
64613334626262616464663234313361353731623836316430643266303335386332623137353066
6631636265633336360a366563656463343964316630333762646163653334336663643230353336
66646566363537316631316633306334646630343164303630383638613033653037386564373566
62646435393038396331343337353132396234366163333763326638373933363437643430376334
31303735626564346438383535336465656166633137303439316235323938303236396637336461
63343435623239396433623632653838386666653335346434333865346438643266616366623932
34373065386263633737363863303138636539613536646166643066636166343935313333636564
66613663623565633534656635356431623538306438353963303833373263303735313062343062
36316132636564643564383634333562663136353663336661353433396132353832323063396130
39633535643134663532656266613939353137643765396235633465656436613432303266313765
61333165383030653733333533366232343535396634626237386266613037613838653034326162
64366265313132656536333163616436396232623036386435353565396665343836323838656436
30326363656639366239386637653234303635353630633461393039353462333338303563316132
33353636343865666132343730336438363261383131343662316538633635653434623561633364
6664

14
inventories/host_vars/pirateparty.be/vault.yml

@ -0,0 +1,14 @@
$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357
65623932623736623961633664613731383837313338336165366333343763646235316163653836
6130643962393231643262353065653130326566613363630a346138396532663733383133666635
30373362393636363833333530333762666164306436393263336164366637313132356464333931
3861643330306337300a643330613364663861623564356535343035393966383161383739626234
65313335316636646664396433393736386133343765643038663334666462333366353639363061
65303230303132366366343734336462653764613836396531613235393837326532626330636134
63643935323163356462343730633939303537656539336461666139323066366136343262326534
62316332313137626463643964646630663631313464663365313066623934393665306665303031
39613166626639663639623365343364396161656662333134303432656338393333323232366232
63633937343165633638326234386231336637326237336636343830363661376236353939366634
35653962393865616262366433663562333430643465613861643631323035626636343065336636
62613464613462346436353636323035316665313866616535363833393033623339343136653063
3363

8
inventories/host_vars/status.pirateparty.be.yml

@ -1,8 +0,0 @@
storage_box_username: u212275-sub5
storage_box_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
36313662333062323531613966386365373339663566303133653562663838316632613830613264
6564333736343830623061313534313630313534316231390a666662633861383563333562356561
64616534313266323833383331313334333761323965383634666635663430366461353437616465
6337363536643738310a656530663837386537336434633037376463336165613239323265366234
64663863333763356430616635323061396663373264343666323831646664646430

18
inventories/host_vars/status.pirateparty.be/vault.yml

@ -0,0 +1,18 @@
$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357
64623562393233633764386333323337393862313165626238356166376661353837666332393437
6637336439346134383738656537643263306161363931630a303734333431343634646438663466
36303062376431643537313537343865653136336137363639373635333132323665353735386237
6231666464343734340a643163623832303130333864316534663664313835633964386531646666
64333431366464626633373630353631383233633233613066386137636631646663646535633037
65336635383432616466366338613838656336396462636261623131333033653832623331353036
30653163333566366439366362613933663262643361386332356366363731336163653335396636
36616563353965376537326563363332653336653030303762656530346135383336363337383666
32653563306235383135623733363666313539633032643566653935373762363935306230386566
33656231613634373832316661366630616434343266333562373563383838313236643931363234
37383733353235616261326333386534303362623737353566383536353439353133633735356336
61633934323233393738363635656662396464383033623237623166663733666336313533373937
66303433316461323338333034656238373035356162613662666132636530613966366465363036
65323132653831373531346362366236636665323534663036303366376463613065313861383936
65666463656631636361346130366462326166316533323839303563646133376661313631393333
30303663323436376461323331643939376235313232353164653764306530663265326134333739
3238

14
inventories/host_vars/talk.parley.be/vault.yml

@ -0,0 +1,14 @@
$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357
39656566313337306263346133666139643435626566363036303031636336303866346437326662
3431363531363065386666363464653937386162646330610a353161633236643238663032333134
64303731653235323830626638323739626133313634316263343534373337393963643334363861
6433346664336666330a666234373434646635646633323837616561323033363464353931363338
38386238326135653039396161666639383131323430623466626165353634313730623662646139
62653937323363653864313630633165323361663438383631303064383164613232656636333562
65353131633931346161303830393630663264646636633837613031323132666132376139376265
39373362633765633266373261333137396436343832653061323365393336303938613438643830
63396338613463623839396433366538383033316165636564363838313737613761613961343535
33643835366461363439613364303534616437316361383835633261326332636431656664393031
35356232636339383031643838316437303637393938333361636562626633303839656232323231
39633935636234303633386231356333356633386230373962333237656361333933373730616161
3261

18
inventories/host_vars/wiki.pirateparty.be/main.yml

@ -0,0 +1,18 @@
borgmatic_config:
location:
source_directories:
- /var/www/mediawiki
- /etc
repositories:
- "{{ borg_repository }}"
storage:
encryption_passphrase: "{{ borg_passphrase }}"
compression: zlib,7
retention:
keep_hourly: 24
keep_daily: 7
keep_weekly: 4
keep_monthly: 6
hooks:
mysql_databases:
- name: mediawiki_prod

14
inventories/host_vars/wiki.pirateparty.be/vault.yml

@ -0,0 +1,14 @@
$ANSIBLE_VAULT;1.2;AES256;62a40f49-7deb-45e3-8c17-639277033357
65316362353466333562363830633862643035363561616137616633353032363832323039383966
3430383934363433643639633732393361323736356562330a616437303366313861636539343236
35623961613737653461653261663137316539653861333736616261313638633539356663313933
3563653063633662300a366132666238623463306662633563336561626335656431393133393835
36366436633162353765386561333865316236363832346465613162393139356362343438353535
39653933656535366365356162333634366231316363633538383165383937623761363066653834
35643638363534383561306332663536396538346638353632353839346637383130383863663030
35393161393163313330626530383662333165363930626563303435393362636439613263653766
39613832613366653339326262333433316138613566333131623334336165373765663237383334
61383839373839373631393831336563633464346636393331633066353839313761393664646438
61323331316238373538663462316533653433386132373664623433376639313364656162666638
30313966656433663766343932633032623463323134306265643264303732383031623763646130
3435

5
inventories/hosts.ini

@ -8,4 +8,7 @@ talk.parley.be
status.pirateparty.be
[mumble]
talk.parley.be
talk.parley.be
[mastodon]
mastodon.pirateparty.be

1
playbooks/files/ssh/hgo/terry.pub

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOK8Y3OEq1j3rR8EOLpVPYZeA5qC0PTsctza9c2qhbU hadrien@terry

1
playbooks/files/ssh/tierce/q.pub

@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC75IeAMEg6RwvbO6oLEQOpYSASGx9A3JD15gtA7D3NJFz+pZ7hBjBSjTxZrHDQLg1OFs0XRGS5DATRMnj6jSRAc25C71DewbNY9fWOH1/dAuo45zBllO3/pol17uYVqUbaPVjnqQFfikLCf7HjBbjt7JEVffJ3nkalE2q0TqjGK0JrltrL9dePE/R3ZNzVSDXvkgMsu18Wov9if6ftsKYgNTW+oOc9xoN1GSHYEnzv68+YNt3zKGTiwhU87cLyHJBu9o/wFDNOLdQcOtKa3IUPZvOgDlLrAm8a4Z9/A9DCJS/8kFmyNOazF1rupPAojn7k9mIBvVPxc5zqg+qrKbxR tierce@q

33
roles/common/.yamllint

@ -0,0 +1,33 @@
---
# Based on ansible-lint config
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
colons:
max-spaces-after: -1
level: error
commas:
max-spaces-after: -1
level: error
comments: disable
comments-indentation: disable
document-start: disable
empty-lines:
max: 3
level: error
hyphens:
level: error
indentation: disable
key-duplicates: enable
line-length: disable
new-line-at-end-of-file: disable
new-lines:
type: unix
trailing-spaces: disable
truthy: disable

91
roles/common/defaults/main.yml

@ -3,9 +3,96 @@
node_exporter_path: /
node_exporter_port: 9100
node_exporter_public_port: "9180"
node_exporter_password: password
nginx_config_dir: /etc/nginx/conf.d
nginx_ssl_dir: /etc/nginx/ssl
nginx_dhparam_size: 2048
ssh_config_dir: ~/.ssh
backup_targets: []
users:
- name: ppbe
- name: coco
groups: []
user_default_groups:
- sudo
openssh_port: "22"
backup_owner: backup
backup_group: "{{ backup_owner }}"
storage_box_enabled: no
storage_box_host: storage.example.com
storage_box_port: 23
storage_box_path: /home/backup
storage_box_mount:
path: "/mnt/backup"
owner: "{{ backup_owner }}"
group: "{{ backup_group }}"
options: [rw,default_permissions]
storage_box_username: u123456-sub1
storage_box_password: somesecret
borg_encryption_mode: keyfile
borg_passphrase: "{{ vault_borg_passphrase }}"
borg_repository: |-
{%- if storage_box_enabled -%}
{{ storage_box_host }}:{{ storage_box_path }}/borg
{%- else -%}
{{ storage_box_mount.path }}/borg
{%- endif -%}
borgmatic_config:
location:
source_directories:
- /
repositories:
- "{{ borg_repository }}"
exclude_patterns:
- /dev
- /home/*/.cache
- /home/*/.gvfs
- /lib*
- /media
- /mnt
- /proc
- /tmp
- /run
- /swap*
- /sys
- /usr/src/linux-headers*
- /var/backups
- /var/cache/apt/archives
- /var/lib
- /var/log
- /var/run
- /var/snap
exclude_caches: true
storage:
encryption_passphrase: "{{ borg_passphrase }}"
compression: zlib,7
retention:
keep_hourly: 24
keep_daily: 7
keep_weekly: 4
keep_monthly: 6
borgmatic_cron_hour: "3"
borgmatic_cron_minute: "0"
borgmatic_check_cron_weekday: "0"
borgmatic_check_cron_hour: "2"
borgmatic_check_cron_minute: "0"
smtp_accounts:
example:
host: mail.example.com
port: 587
from: no-reply@example.com
username: ahoy@example.com
password: secret
smtp_default_account: example
smtp_default_recipient: contact@example.com
smtp_aliases_path: /etc/aliases
postfix_sasl_secrets_path: /etc/postfix/sasl/passwd
postfix_senders_map_path: /etc/postfix/senders

9
roles/common/defaults/vault.yml

@ -0,0 +1,9 @@
$ANSIBLE_VAULT;1.1;AES256
66613631383234346131623731643533326566373463623935666636383464663639353164323861
3464306432333534393565333334623965393363333365380a613764323664316338306532386331
63353363633566373365623732636163366631656563393961333261623030363834376537643732
6264373861313764390a306462323932333935653866373362383566333934386136336466623163
39373332383733326261343162626336663135336561366137366466396463323762393538383333
31663337393538623730326464316461323034636330626630616538316431633234306262613132
36633164623162346231656364346363646563396664356337323763663135303963383533353838
35396634386135386139

33
roles/common/files/sftp/push_public_key.sh

@ -0,0 +1,33 @@
#!/bin/bash -e
function usage {
echo "Usage: $0 <host> <public key file>"
}
host="$1"
public_key_file="$2"
if [[ $# -ne 2 ]]; then
>&2 usage
exit 1
fi
authorized_keys_file="/tmp/${host}-authorized_keys"
sshpass -e sftp "${host}" <<-EOF
mkdir .ssh
chmod 0700 .ssh
get .ssh/authorized_keys "${authorized_keys_file}"
EOF
if grep -f "${public_key_file}" "${authorized_keys_file}" > /dev/null; then
exit 0
fi
echo "Adding public key '${public_key_file}' for ${host}"
sshpass -e sftp "${host}" <<-EOF
!cat "${public_key_file}" >> "${authorized_keys_file}"
put "${authorized_keys_file}" .ssh/authorized_keys
chmod 0600 .ssh/authorized_keys
EOF
echo "Public key added!"

22
roles/common/handlers/main.yml

@ -3,6 +3,26 @@
name: ssh
state: restarted
- name: reload postfix
service:
name: postfix
state: reloaded
- name: update aliases
command: newaliases
- name: update postfix senders
command: postmap {{ postfix_senders_map_path }}
- name: update postfix secrets
command: postmap {{ postfix_sasl_secrets_path }}
- name: reload nginx
include_tasks: ../handlers/nginx.yml
when: nginx_started is not changed
when: nginx_started is not changed
- name: reload autofs
service:
name: autofs
state: restarted
when: autofs_started is not changed

23
roles/common/molecule/default/INSTALL.rst

@ -0,0 +1,23 @@
*********************************
Vagrant driver installation guide
*********************************
Requirements
============
* Vagrant
* Virtualbox, Parallels, VMware Fusion, VMware Workstation or VMware Desktop
Install
=======
Please refer to the `Virtual environment`_ documentation for installation best
practices. If not using a virtual environment, please consider passing the
widely recommended `'--user' flag`_ when invoking ``pip``.
.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
.. code-block:: bash
$ pip install 'molecule_vagrant'

7
roles/common/molecule/default/converge.yml

@ -0,0 +1,7 @@
---
- name: Converge
hosts: all
become: yes
roles:
- common

7
roles/common/molecule/default/files/ssh/ppbe/id_ed25519

@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACDNtdE4Xhn4OP2J0MW6KSeNUNgA797j1Ylrb/PuDKAAMgAAAJBcNgy6XDYM
ugAAAAtzc2gtZWQyNTUxOQAAACDNtdE4Xhn4OP2J0MW6KSeNUNgA797j1Ylrb/PuDKAAMg
AAAEDw/p35s5mUgbWvTlKnCuTuHdr3AJuNyFkn8DGERqzI7s210TheGfg4/YnQxbopJ41Q
2ADv3uPViWtv8+4MoAAyAAAADHBwYmVAdmFncmFudAE=
-----END OPENSSH PRIVATE KEY-----

1
roles/common/molecule/default/files/ssh/ppbe/id_ed25519.pub

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM210TheGfg4/YnQxbopJ41Q2ADv3uPViWtv8+4MoAAy ppbe@vagrant

31
roles/common/molecule/default/molecule.yml

@ -0,0 +1,31 @@
---
dependency:
name: galaxy
driver:
name: vagrant
provider:
name: virtualbox
platforms:
- name: debian-buster
box: debian/buster64
memory: 1024
cpus: 2
interfaces:
- network_name: forwarded_port
guest: 22
host: 22000
- name: ubuntu-focal
box: ubuntu/focal64
memory: 1024
cpus: 2
interfaces:
- network_name: forwarded_port
guest: 22
host: 22010
provisioner:
name: ansible
config_options:
defaults:
interpreter_python: /usr/bin/python3
verifier:
name: ansible

40
roles/common/tasks/backup.yml

@ -0,0 +1,40 @@
# 1. Backup incrémental tous les jours vers la storage box:
# 1. Dans /mnt/backups, accessible en ro pour l'user system "backup"
# -> un seul backup host = celui de la storage box en sftp (pourrait être autre chose à terme)
# -> via autofs + sshfs (permet de libérer la connexion en dehors de la phase de backups)
# 2. Chiffrement avec clé symétrique. La clé n'est connue que par l'host.
# 2. D'autres machines se connectent pour récupérer les backups (rsync):
# 1. En sftp chrooté via l'user system "backup"
# 2. Donner accès SSH pour ces machines à l'user system "backup"
- name: Create SSH directory
file:
path: "{{ ssh_config_dir }}"
state: directory
mode: "700"
- name: Create SSH config file
file:
path: "{{ ssh_config_dir }}/config"
state: touch
access_time: preserve
modification_time: preserve
mode: "600"
- name: Create backup user
user:
name: "{{ backup_owner }}"
shell: /bin/bash
# See https://unix.stackexchange.com/questions/193066/how-to-unlock-account-for-public-key-ssh-authorization-but-not-for-password-aut/193131#193131
password: '*'
state: present
update_password: always
- name: Include Storage Box backup tasks
import_tasks: backup_storage_box.yml
when: storage_box_enabled
tags: backup_storage_box
- name: Include Borg backup tasks
import_tasks: backup_borg.yml
tags: backup_borg

61
roles/common/tasks/backup_borg.yml

@ -0,0 +1,61 @@
- name: Install Borg packages
package:
name: "{{ borg_package }}"
state: present
loop: "{{ borg_packages }}"
loop_control:
loop_var: borg_package
- name: Initialize Borg repository
command: borg init --make-parent-dirs -e "{{ borg_encryption_mode }}" "{{ borg_repository }}"
environment:
BORG_PASSPHRASE: "{{ borg_passphrase }}"
changed_when: "'A repository already exists' not in _borg_backup_init.stderr"
failed_when: _borg_backup_init.rc >= 2 and 'A repository already exists' not in _borg_backup_init.stderr
register: _borg_backup_init
- name: Create Borgmatic config directory
file:
path: /etc/borgmatic
state: directory
owner: root
group: root
mode: "755"
- name: Copy Borgmatic config file
copy:
content: "{{ borgmatic_config | to_nice_yaml(indent=2) }}"
dest: /etc/borgmatic/config.yaml
owner: root
group: root
mode: "600"
- name: Add cron job for regular Borgmatic create and prune
cron:
user: root
name: borgmatic-create
cron_file: borgmatic
hour: "{{ borgmatic_cron_hour }}"
minute: "{{ borgmatic_cron_minute }}"
state: present
job: borgmatic --create --prune
- name: Add cron job for unfrequent Borgmatic check
cron:
user: root
name: borgmatic-check
cron_file: borgmatic
weekday: "{{ borgmatic_check_cron_weekday }}"
hour: "{{ borgmatic_check_cron_hour }}"
minute: "{{ borgmatic_check_cron_minute }}"
state: present
job: borgmatic --check
- name: Set PATH for Borgmatic cron job.
cron:
user: root
name: PATH
cron_file: borgmatic
env: yes
state: present
value: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

95
roles/common/tasks/backup_storage_box.yml

@ -0,0 +1,95 @@
- name: Install Storage Box mount dependencies
apt:
name: "{{ storage_box_package }}"
state: present
loop: "{{ storage_box_packages }}"
loop_control:
loop_var: storage_box_package
- name: Generate SSH key pair for storage box {{ storage_box_host }}
openssh_keypair:
path: "{{ ssh_config_dir }}/{{ storage_box_prefix }}"
type: ed25519
- name: Update SSH config file for storage box {{ storage_box_host }}
blockinfile:
path: "{{ ssh_config_dir }}/config"
block: |
Host {{ storage_box_host }}
{% if storage_box_username is defined %}
User {{ storage_box_username }}
{% endif %}
Port {{ storage_box_port }}
IdentityFile {{ ssh_config_dir }}/{{ storage_box_prefix }}
PreferredAuthentications publickey,password
marker: "# {mark} ANSIBLE MANAGED BLOCK {{ storage_box_host }}"
- name: Copy script to add OpenSSH public key through SFTP
copy:
src: sftp/push_public_key.sh
dest: /usr/local/bin/sftp_push_public_key
owner: root
group: root
mode: "755"
- name: Scan public keys for storage box {{ storage_box_host }}:{{ storage_box_port }}
command: ssh-keyscan -p {{ storage_box_port }} {{ storage_box_host }}
changed_when: no
register: _ssh_known_host
- name: Add backup host {{ storage_box_host }} in known hosts list
known_hosts:
name: |-
{%- if storage_box_port == 22 -%}
{{ storage_box_host }}
{%- else -%}
[{{ storage_box_host }}]:{{ storage_box_port }}
{%- endif -%}
key: "{{ _ssh_known_host.stdout }}"
state: present
- name: Push SSH public key to storage box {{ storage_box_host }}
when: storage_box_password is defined
command: sftp_push_public_key "{{ storage_box_host }}" "{{ ssh_config_dir }}/{{ storage_box_prefix }}.pub"
environment:
SSHPASS: "{{ storage_box_password }}"
changed_when:
- _storage_box_authorized.stdout is defined
- "'Public key added!' in _storage_box_authorized.stdout"
register: _storage_box_authorized
- name: Create backup endpoint {{ storage_box_path }} on {{ storage_box_host }}
shell: |
sftp {{ storage_box_host }} <<-EOF
mkdir "{{ storage_box_path }}"
EOF
changed_when: "'Couldn\\'t create directory' not in _backup_endpoint_created.stderr"
register: _backup_endpoint_created
- name: Create AutoFS config file for storage box {{ storage_box_host }} (SSHFS)
lineinfile:
path: /etc/auto.backup.{{ storage_box_prefix }}
regex: "^{{ storage_box_mount.path }} "
line: |
{{ storage_box_mount.path }} -fstype=fuse,{{ storage_box_mount.options | join(',') }},uid={{ storage_box_mount.owner }},gid={{ storage_box_mount.group }} :sshfs\#{{ storage_box_host }}\:{{ storage_box_path }}
state: present
create: yes
notify: reload autofs
- name: Add AutoFS config file into main AutoFS config
lineinfile:
path: /etc/auto.master
regexp: '^/- /etc/auto.backup'
line: /- /etc/auto.backup.{{ storage_box_prefix }} --timeout=90,--ghost
state: present
notify: reload autofs
- name: Start AutoFS service
service:
name: autofs
state: started
enabled: yes
register: autofs_started
- name: Trigger AutoFS handlers
meta: flush_handlers

6
roles/common/tasks/main.yml

@ -6,11 +6,11 @@
tags: openssh
- import_tasks: ufw.yml
tags: firewall
- import_tasks: msmtp.yml
- import_tasks: postfix.yml
tags: smtp
- import_tasks: nginx.yml
tags: nginx
- import_tasks: node_exporter.yml
tags: node_exporter
#- import_tasks: backup.yml
# tags: backup
- import_tasks: backup.yml
tags: backup

18
roles/common/tasks/msmtp.yml

@ -1,18 +0,0 @@
---
# Install and configure SMTP relay
- name: Install msmtp
apt:
name:
- msmtp
- msmtp-mta
state: present
- name: Copy msmtp configuration
template:
src: msmtp/msmtprc.j2
dest: /etc/msmtprc
- name: Copy aliases
template:
src: msmtp/aliases.j2
dest: /etc/aliases

4
roles/common/tasks/nginx.yml

@ -2,7 +2,7 @@
# Install and configure Nginx
- name: Install htpasswd dependencies
apt:
name: python-passlib
name: python3-passlib
state: present
- name: Install SSL dependencies
@ -32,7 +32,7 @@
# This can take a long time... So we are doing it in async mode
openssl_dhparam:
path: "{{ nginx_ssl_dir }}/dhparam.pem"
size: 3072
size: "{{ nginx_dhparam_size }}"
owner: root
group: www-data
async: 3600

5
roles/common/tasks/node_exporter.yml

@ -5,7 +5,7 @@
name: cloudalchemy.node-exporter
public: yes
vars:
node_exporter_web_listen_address: "0.0.0.0:{{ node_exporter_port }}"
node_exporter_web_listen_address: "localhost:{{ node_exporter_port }}"
- name: Configure Nginx for node-exporter
import_role:
@ -28,3 +28,6 @@
ufw:
rule: allow
port: "{{ node_exporter_public_port }}"
- name: Trigger node-exporter handlers
meta: flush_handlers

3
roles/common/tasks/openssh.yml

@ -11,9 +11,10 @@
validate: '/usr/sbin/sshd -T -f %s'
notify: restart openssh
- name: Trigger Ansible handlers
- name: Trigger OpenSSH handlers
meta: flush_handlers
- name: Change Ansible SSH port to {{ openssh_port }}
set_fact:
ansible_port: "{{ openssh_port }}"
when: openssh_port != "22"

49
roles/common/tasks/postfix.yml

@ -0,0 +1,49 @@
- name: Install postfix package
apt:
name: postfix
state: present
- name: Copy postfix configuration file
template:
src: postfix/main.cf.j2
dest: /etc/postfix/main.cf
owner: root
group: root
mode: "644"
notify: reload postfix
- name: Copy aliases file
template:
src: postfix/aliases.j2
dest: "{{ smtp_aliases_path }}"
owner: root
group: root
mode: "644"
notify: update aliases
- name: Copy Postfix senders map
template:
src: postfix/senders.j2
dest: "{{ postfix_senders_map_path }}"
owner: root
group: root
mode: "644"
notify: update postfix senders
- name: Copy Postfix SASL secrets
template:
src: postfix/sasl_secrets.j2
dest: "{{ postfix_sasl_secrets_path }}"
owner: root
group: root
mode: "600"
notify: update postfix secrets
- name: Start postfix service
service:
name: postfix
state: started
enabled: yes
- name: Trigger Postfix handlers
meta: flush_handlers

16
roles/common/tasks/user.yml

@ -6,17 +6,21 @@
shell: /bin/bash
# See https://unix.stackexchange.com/questions/193066/how-to-unlock-account-for-public-key-ssh-authorization-but-not-for-password-aut/193131#193131
password: '*'
groups:
- sudo
append: yes
groups: "{{ user.groups | default(user_default_groups) }}"
append: no
state: present
update_password: on_create
update_password: always
- name: Add SSH public keys for user {{ user.name }}
authorized_key:
user: "{{ user.name }}"
state: present
# we can pass multiple SSH keys, but they must be separated by newlines
key: "{{ user.ssh_keys | join('\n') }}"
key: |
{% for key_file in lookup('fileglob', user_ssh_key_path, wantlist=true) %}
{{ lookup('file', key_file) }}
{% endfor %}
# remove obsolete keys
exclusive: yes
exclusive: yes
vars:
user_ssh_key_path: ssh/{{ user.name }}/*.pub

1
roles/common/templates/msmtp/aliases.j2

@ -1 +0,0 @@
default: {{ smtp_default_contact }}

19
roles/common/templates/msmtp/msmtprc.j2

@ -1,19 +0,0 @@
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile /var/log/msmtp.log
{% for account in smtp_accounts %}
account {{ account.name }}
host {{ account.host }}
port 587
from {{ account.from }}
user {{ account.user | default(account.from) }}
password {{ account.password }}
{% endfor %}
account default : {{ smtp_default_account }}
aliases /etc/aliases

3
roles/common/templates/opensmtpd/smtpd-secret.j2

@ -0,0 +1,3 @@
{% for account in smtp_accounts %}
{{ account.name }} {{ account.username | default(account.from) }}:{{ account.password }}
{% endfor %}

11
roles/common/templates/opensmtpd/smtpd.conf.j2

@ -0,0 +1,11 @@
listen on localhost
table aliases file:/etc/aliases
table secrets file:/etc/smtpd-secret
action "local" mbox alias <aliases>
{% for account in smtp_accounts %}
action "{{ account.name }}_relay" relay host "smtps://{{ account.name }}@{{ account.host }}" auth <secrets> mail-from "{{ account.from }}"
{% endfor %}
match for local action "local"
match for any action "{{ smtp_default_account }}_relay"

2
roles/common/templates/postfix/aliases.j2

@ -0,0 +1,2 @@
root: {{ smtp_default_recipient }}
postmaster: {{ smtp_default_recipient }}

40
roles/common/templates/postfix/main.cf.j2

@ -0,0 +1,40 @@
{{ ansible_managed | comment }}
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
biff = no
recipient_delimiter = +
readme_directory = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# rewrite sender address
sender_canonical_maps = hash:{{ postfix_senders_map_path }}
alias_maps = hash:{{ smtp_aliases_path }}
alias_database = hash:{{ smtp_aliases_path }}
myhostname = {{ ansible_hostname }}
myorigin = $myhostname
mydestination = $myhostname, localhost.localdomain, localhost
mynetworks_style = host
inet_interfaces = all
inet_protocols = all
relayhost = [{{ smtp_accounts[smtp_default_account].host }}]
relay_domains =
# enable SASL authentication
smtp_sasl_auth_enable = yes
# disallow methods that allow anonymous authentication.
smtp_sasl_security_options = noanonymous
# where to find sasl_passwd
smtp_sasl_password_maps = hash:{{ postfix_sasl_secrets_path }}
# Enable STARTTLS encryption
smtp_use_tls = yes
# where to find CA certificates
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

3
roles/common/templates/postfix/sasl_secrets.j2

@ -0,0 +1,3 @@
{% for account in smtp_accounts.values() %}
[{{ account.host }}] {{ account.username }}:{{ account.password }}
{% endfor %}

3
roles/common/templates/postfix/senders.j2

@ -0,0 +1,3 @@
{% if smtp_accounts[smtp_default_account].from is defined %}
@{{ ansible_hostname }} {{ smtp_accounts[smtp_default_account].from }}
{% endif %}

11
roles/common/vars/main.yml

@ -1,2 +1,9 @@
---
# vars file for common
ssh_config_dir: "{{ ansible_env.HOME }}/.ssh"
storage_box_prefix: storage-box
storage_box_packages:
- sshpass
- sshfs
- autofs
borg_packages:
- borgbackup
- borgmatic
Loading…
Cancel
Save