refactor common role

roles/common/.yamllint

@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable
+  truthy: disable

roles/common/defaults/main.yml

@@ -3,9 +3,96 @@
 node_exporter_path: /
 node_exporter_port: 9100
 node_exporter_public_port: "9180"
+node_exporter_password: password
 
 nginx_config_dir: /etc/nginx/conf.d
 nginx_ssl_dir: /etc/nginx/ssl
+nginx_dhparam_size: 2048
 
-ssh_config_dir: ~/.ssh
-backup_targets: []
+users:
+  - name: ppbe
+  - name: coco
+    groups: []
+user_default_groups:
+  - sudo
+
+openssh_port: "22"
+
+backup_owner: backup
+backup_group: "{{ backup_owner }}"
+
+storage_box_enabled: no
+storage_box_host: storage.example.com
+storage_box_port: 23
+storage_box_path: /home/backup
+storage_box_mount:
+  path: "/mnt/backup"
+  owner: "{{ backup_owner }}"
+  group: "{{ backup_group }}"
+  options: [rw,default_permissions]
+storage_box_username: u123456-sub1
+storage_box_password: somesecret
+
+borg_encryption_mode: keyfile
+borg_passphrase: "{{ vault_borg_passphrase }}"
+borg_repository: |-
+  {%- if storage_box_enabled -%}
+  {{ storage_box_host }}:{{ storage_box_path }}/borg
+  {%- else -%}
+  {{ storage_box_mount.path }}/borg
+  {%- endif -%}
+
+borgmatic_config:
+  location:
+    source_directories:
+      - /
+    repositories:
+      - "{{ borg_repository }}"
+    exclude_patterns:
+      - /dev
+      - /home/*/.cache
+      - /home/*/.gvfs
+      - /lib*
+      - /media
+      - /mnt
+      - /proc
+      - /tmp
+      - /run
+      - /swap*
+      - /sys
+      - /usr/src/linux-headers*
+      - /var/backups
+      - /var/cache/apt/archives
+      - /var/lib
+      - /var/log
+      - /var/run
+      - /var/snap
+    exclude_caches: true
+  storage:
+    encryption_passphrase: "{{ borg_passphrase }}"
+    compression: zlib,7
+  retention:
+    keep_hourly: 24
+    keep_daily: 7
+    keep_weekly: 4
+    keep_monthly: 6
+
+borgmatic_cron_hour: "3"
+borgmatic_cron_minute: "0"
+borgmatic_check_cron_weekday: "0"
+borgmatic_check_cron_hour: "2"
+borgmatic_check_cron_minute: "0"
+
+smtp_accounts:
+  example:
+    host: mail.example.com
+    port: 587
+    from: no-reply@example.com
+    username: ahoy@example.com
+    password: secret
+smtp_default_account: example
+smtp_default_recipient: contact@example.com
+smtp_aliases_path: /etc/aliases
+
+postfix_sasl_secrets_path: /etc/postfix/sasl/passwd
+postfix_senders_map_path: /etc/postfix/senders

roles/common/defaults/vault.yml

@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+66613631383234346131623731643533326566373463623935666636383464663639353164323861
+3464306432333534393565333334623965393363333365380a613764323664316338306532386331
+63353363633566373365623732636163366631656563393961333261623030363834376537643732
+6264373861313764390a306462323932333935653866373362383566333934386136336466623163
+39373332383733326261343162626336663135336561366137366466396463323762393538383333
+31663337393538623730326464316461323034636330626630616538316431633234306262613132
+36633164623162346231656364346363646563396664356337323763663135303963383533353838
+35396634386135386139

roles/common/files/sftp/push_public_key.sh

@@ -0,0 +1,33 @@
+#!/bin/bash -e
+
+function usage {
+    echo "Usage: $0 <host> <public key file>"
+}
+
+host="$1"
+public_key_file="$2"
+
+if [[ $# -ne 2 ]]; then
+  >&2 usage
+  exit 1
+fi
+
+authorized_keys_file="/tmp/${host}-authorized_keys"
+
+sshpass -e sftp "${host}" <<-EOF
+  mkdir .ssh
+  chmod 0700 .ssh
+  get .ssh/authorized_keys "${authorized_keys_file}"
+EOF
+
+if grep -f "${public_key_file}" "${authorized_keys_file}" > /dev/null; then
+  exit 0
+fi
+
+echo "Adding public key '${public_key_file}' for ${host}"
+sshpass -e sftp "${host}" <<-EOF
+  !cat "${public_key_file}" >> "${authorized_keys_file}"
+  put "${authorized_keys_file}" .ssh/authorized_keys
+  chmod 0600 .ssh/authorized_keys
+EOF
+echo "Public key added!"

roles/common/handlers/main.yml

@@ -3,6 +3,26 @@
     name: ssh
     state: restarted
 
+- name: reload postfix
+  service:
+    name: postfix
+    state: reloaded
+
+- name: update aliases
+  command: newaliases
+
+- name: update postfix senders
+  command: postmap {{ postfix_senders_map_path }}
+
+- name: update postfix secrets
+  command: postmap {{ postfix_sasl_secrets_path }}
+
 - name: reload nginx
   include_tasks: ../handlers/nginx.yml
-  when: nginx_started is not changed
+  when: nginx_started is not changed
+
+- name: reload autofs
+  service:
+    name: autofs
+    state: restarted
+  when: autofs_started is not changed

roles/common/molecule/default/INSTALL.rst

@@ -0,0 +1,23 @@
+*********************************
+Vagrant driver installation guide
+*********************************
+
+Requirements
+============
+
+* Vagrant
+* Virtualbox, Parallels, VMware Fusion, VMware Workstation or VMware Desktop
+
+Install
+=======
+
+Please refer to the `Virtual environment`_ documentation for installation best
+practices. If not using a virtual environment, please consider passing the
+widely recommended `'--user' flag`_ when invoking ``pip``.
+
+.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
+.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
+
+.. code-block:: bash
+
+    $ pip install 'molecule_vagrant'

roles/common/molecule/default/converge.yml

@@ -0,0 +1,7 @@
+---
+- name: Converge
+  hosts: all
+  become: yes
+
+  roles:
+    - common

roles/common/molecule/default/files/ssh/ppbe/id_ed25519

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACDNtdE4Xhn4OP2J0MW6KSeNUNgA797j1Ylrb/PuDKAAMgAAAJBcNgy6XDYM
+ugAAAAtzc2gtZWQyNTUxOQAAACDNtdE4Xhn4OP2J0MW6KSeNUNgA797j1Ylrb/PuDKAAMg
+AAAEDw/p35s5mUgbWvTlKnCuTuHdr3AJuNyFkn8DGERqzI7s210TheGfg4/YnQxbopJ41Q
+2ADv3uPViWtv8+4MoAAyAAAADHBwYmVAdmFncmFudAE=
+-----END OPENSSH PRIVATE KEY-----

roles/common/molecule/default/files/ssh/ppbe/id_ed25519.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM210TheGfg4/YnQxbopJ41Q2ADv3uPViWtv8+4MoAAy ppbe@vagrant

roles/common/molecule/default/molecule.yml

@@ -0,0 +1,31 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: vagrant
+  provider:
+    name: virtualbox
+platforms:
+  - name: debian-buster
+    box: debian/buster64
+    memory: 1024
+    cpus: 2
+    interfaces: 
+      - network_name: forwarded_port
+        guest: 22
+        host: 22000
+  - name: ubuntu-focal
+    box: ubuntu/focal64
+    memory: 1024
+    cpus: 2
+    interfaces: 
+      - network_name: forwarded_port
+        guest: 22
+        host: 22010
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: /usr/bin/python3
+verifier:
+  name: ansible

roles/common/tasks/backup.yml

@@ -0,0 +1,40 @@
+# 1. Backup incrémental tous les jours vers la storage box:
+#   1. Dans /mnt/backups, accessible en ro pour l'user system "backup"
+#      -> un seul backup host = celui de la storage box en sftp (pourrait être autre chose à terme)
+#      -> via autofs + sshfs (permet de libérer la connexion en dehors de la phase de backups)
+#   2. Chiffrement avec clé symétrique. La clé n'est connue que par l'host.
+# 2. D'autres machines se connectent pour récupérer les backups (rsync):
+#   1. En sftp chrooté via l'user system "backup"
+#   2. Donner accès SSH pour ces machines à l'user system "backup"
+
+- name: Create SSH directory
+  file:
+    path: "{{ ssh_config_dir }}"
+    state: directory
+    mode: "700"
+
+- name: Create SSH config file
+  file:
+    path: "{{ ssh_config_dir }}/config"
+    state: touch
+    access_time: preserve
+    modification_time: preserve
+    mode: "600"
+
+- name: Create backup user
+  user:
+    name: "{{ backup_owner }}"
+    shell: /bin/bash
+    # See https://unix.stackexchange.com/questions/193066/how-to-unlock-account-for-public-key-ssh-authorization-but-not-for-password-aut/193131#193131
+    password: '*'
+    state: present
+    update_password: always
+
+- name: Include Storage Box backup tasks
+  import_tasks: backup_storage_box.yml
+  when: storage_box_enabled
+  tags: backup_storage_box
+
+- name: Include Borg backup tasks
+  import_tasks: backup_borg.yml
+  tags: backup_borg

roles/common/tasks/backup_borg.yml

@@ -0,0 +1,61 @@
+- name: Install Borg packages
+  package:
+    name: "{{ borg_package }}"
+    state: present
+  loop: "{{ borg_packages }}"
+  loop_control:
+    loop_var: borg_package
+
+- name: Initialize Borg repository
+  command: borg init --make-parent-dirs -e "{{ borg_encryption_mode }}" "{{ borg_repository }}"
+  environment:
+    BORG_PASSPHRASE: "{{ borg_passphrase }}"
+  changed_when: "'A repository already exists' not in _borg_backup_init.stderr"
+  failed_when: _borg_backup_init.rc >= 2 and 'A repository already exists' not in _borg_backup_init.stderr
+  register: _borg_backup_init
+
+- name: Create Borgmatic config directory
+  file:
+    path: /etc/borgmatic
+    state: directory
+    owner: root
+    group: root
+    mode: "755"
+
+- name: Copy Borgmatic config file
+  copy:
+    content: "{{ borgmatic_config | to_nice_yaml(indent=2) }}"
+    dest: /etc/borgmatic/config.yaml
+    owner: root
+    group: root
+    mode: "600"
+
+- name: Add cron job for regular Borgmatic create and prune
+  cron:
+    user: root
+    name: borgmatic-create
+    cron_file: borgmatic
+    hour: "{{ borgmatic_cron_hour }}"
+    minute: "{{ borgmatic_cron_minute }}"
+    state: present
+    job: borgmatic --create --prune
+
+- name: Add cron job for unfrequent Borgmatic check
+  cron:
+    user: root
+    name: borgmatic-check
+    cron_file: borgmatic
+    weekday: "{{ borgmatic_check_cron_weekday }}"
+    hour: "{{ borgmatic_check_cron_hour }}"
+    minute: "{{ borgmatic_check_cron_minute }}"
+    state: present
+    job: borgmatic --check
+
+- name: Set PATH for Borgmatic cron job.
+  cron:
+    user: root
+    name: PATH
+    cron_file: borgmatic
+    env: yes
+    state: present
+    value: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

roles/common/tasks/backup_storage_box.yml

@@ -0,0 +1,95 @@
+- name: Install Storage Box mount dependencies
+  apt:
+    name: "{{ storage_box_package }}"
+    state: present
+  loop: "{{ storage_box_packages }}"
+  loop_control:
+    loop_var: storage_box_package
+
+- name: Generate SSH key pair for storage box {{ storage_box_host }}
+  openssh_keypair:
+    path: "{{ ssh_config_dir }}/{{ storage_box_prefix }}"
+    type: ed25519
+
+- name: Update SSH config file for storage box {{ storage_box_host }}
+  blockinfile:
+    path: "{{ ssh_config_dir }}/config"
+    block: |
+      Host {{ storage_box_host }}
+        {% if storage_box_username is defined %}
+        User {{ storage_box_username }}
+        {% endif %}
+        Port {{ storage_box_port }}
+        IdentityFile {{ ssh_config_dir }}/{{ storage_box_prefix }}
+        PreferredAuthentications publickey,password
+    marker: "# {mark} ANSIBLE MANAGED BLOCK {{ storage_box_host }}"
+
+- name: Copy script to add OpenSSH public key through SFTP
+  copy:
+    src: sftp/push_public_key.sh
+    dest: /usr/local/bin/sftp_push_public_key
+    owner: root
+    group: root
+    mode: "755"
+
+- name: Scan public keys for storage box {{ storage_box_host }}:{{ storage_box_port }}
+  command: ssh-keyscan -p {{ storage_box_port }} {{ storage_box_host }}
+  changed_when: no
+  register: _ssh_known_host
+
+- name: Add backup host {{ storage_box_host }} in known hosts list
+  known_hosts:
+    name: |-
+      {%- if storage_box_port == 22 -%}
+      {{ storage_box_host }}
+      {%- else -%}
+        [{{ storage_box_host }}]:{{ storage_box_port }}
+      {%- endif -%}
+    key: "{{ _ssh_known_host.stdout }}"
+    state: present
+
+- name: Push SSH public key to storage box {{ storage_box_host }}
+  when: storage_box_password is defined
+  command: sftp_push_public_key "{{ storage_box_host }}" "{{ ssh_config_dir }}/{{ storage_box_prefix }}.pub"
+  environment:
+    SSHPASS: "{{ storage_box_password }}"
+  changed_when:
+    - _storage_box_authorized.stdout is defined
+    - "'Public key added!' in _storage_box_authorized.stdout"
+  register: _storage_box_authorized
+
+- name: Create backup endpoint {{ storage_box_path }} on {{ storage_box_host }}
+  shell: |
+    sftp {{ storage_box_host }} <<-EOF
+      mkdir "{{ storage_box_path }}"
+    EOF
+  changed_when: "'Couldn\\'t create directory' not in _backup_endpoint_created.stderr"
+  register: _backup_endpoint_created
+
+- name: Create AutoFS config file for storage box {{ storage_box_host }} (SSHFS)
+  lineinfile:
+    path: /etc/auto.backup.{{ storage_box_prefix }}
+    regex: "^{{ storage_box_mount.path }} "
+    line: |
+      {{ storage_box_mount.path }} -fstype=fuse,{{ storage_box_mount.options | join(',') }},uid={{ storage_box_mount.owner }},gid={{ storage_box_mount.group }} :sshfs\#{{ storage_box_host }}\:{{ storage_box_path }}
+    state: present
+    create: yes
+  notify: reload autofs
+
+- name: Add AutoFS config file into main AutoFS config
+  lineinfile:
+    path: /etc/auto.master
+    regexp: '^/- /etc/auto.backup'
+    line: /- /etc/auto.backup.{{ storage_box_prefix }} --timeout=90,--ghost
+    state: present
+  notify: reload autofs
+
+- name: Start AutoFS service
+  service:
+    name: autofs
+    state: started
+    enabled: yes
+  register: autofs_started
+
+- name: Trigger AutoFS handlers
+  meta: flush_handlers

roles/common/tasks/main.yml

@@ -6,11 +6,11 @@
   tags: openssh
 - import_tasks: ufw.yml
   tags: firewall
-- import_tasks: msmtp.yml
+- import_tasks: postfix.yml
   tags: smtp
 - import_tasks: nginx.yml
   tags: nginx
 - import_tasks: node_exporter.yml
   tags: node_exporter
-#- import_tasks: backup.yml
-# tags: backup
+- import_tasks: backup.yml
+  tags: backup

roles/common/tasks/msmtp.yml

@@ -1,18 +0,0 @@
----
-# Install and configure SMTP relay
-- name: Install msmtp
-  apt:
-    name:
-    - msmtp
-    - msmtp-mta
-    state: present
-
-- name: Copy msmtp configuration
-  template:
-    src: msmtp/msmtprc.j2
-    dest: /etc/msmtprc
-
-- name: Copy aliases
-  template:
-    src: msmtp/aliases.j2
-    dest: /etc/aliases

roles/common/tasks/nginx.yml

@@ -2,7 +2,7 @@
 # Install and configure Nginx
 - name: Install htpasswd dependencies
   apt:
-    name: python-passlib
+    name: python3-passlib
     state: present
 
 - name: Install SSL dependencies
@@ -32,7 +32,7 @@
   # This can take a long time... So we are doing it in async mode
   openssl_dhparam:
     path: "{{ nginx_ssl_dir }}/dhparam.pem"
-    size: 3072
+    size: "{{ nginx_dhparam_size }}"
     owner: root
     group: www-data
   async: 3600

roles/common/tasks/node_exporter.yml

@@ -5,7 +5,7 @@
     name: cloudalchemy.node-exporter
     public: yes
   vars:
-    node_exporter_web_listen_address: "0.0.0.0:{{ node_exporter_port }}"
+    node_exporter_web_listen_address: "localhost:{{ node_exporter_port }}"
 
 - name: Configure Nginx for node-exporter
   import_role:
@@ -28,3 +28,6 @@
   ufw:
     rule: allow
     port: "{{ node_exporter_public_port }}"
+
+- name: Trigger node-exporter handlers
+  meta: flush_handlers

roles/common/tasks/openssh.yml

@@ -11,9 +11,10 @@
     validate: '/usr/sbin/sshd -T -f %s'
   notify: restart openssh
 
-- name: Trigger Ansible handlers
+- name: Trigger OpenSSH handlers
   meta: flush_handlers
 
 - name: Change Ansible SSH port to {{ openssh_port }}
   set_fact:
     ansible_port: "{{ openssh_port }}"
+  when: openssh_port != "22"

roles/common/tasks/postfix.yml

@@ -0,0 +1,49 @@
+- name: Install postfix package
+  apt:
+    name: postfix
+    state: present
+
+- name: Copy postfix configuration file
+  template:
+    src: postfix/main.cf.j2
+    dest: /etc/postfix/main.cf
+    owner: root
+    group: root
+    mode: "644"
+  notify: reload postfix
+
+- name: Copy aliases file
+  template:
+    src: postfix/aliases.j2
+    dest: "{{ smtp_aliases_path }}"
+    owner: root
+    group: root
+    mode: "644"
+  notify: update aliases
+
+- name: Copy Postfix senders map
+  template:
+    src: postfix/senders.j2
+    dest: "{{ postfix_senders_map_path }}"
+    owner: root
+    group: root
+    mode: "644"
+  notify: update postfix senders
+
+- name: Copy Postfix SASL secrets
+  template:
+    src: postfix/sasl_secrets.j2
+    dest: "{{ postfix_sasl_secrets_path }}"
+    owner: root
+    group: root
+    mode: "600"
+  notify: update postfix secrets
+
+- name: Start postfix service
+  service:
+    name: postfix
+    state: started
+    enabled: yes
+
+- name: Trigger Postfix handlers
+  meta: flush_handlers

roles/common/tasks/user.yml

@@ -6,17 +6,21 @@
     shell: /bin/bash
     # See https://unix.stackexchange.com/questions/193066/how-to-unlock-account-for-public-key-ssh-authorization-but-not-for-password-aut/193131#193131
     password: '*'
-    groups: 
-    - sudo
-    append: yes
+    groups: "{{ user.groups | default(user_default_groups) }}"
+    append: no
     state: present
-    update_password: on_create
+    update_password: always
 
 - name: Add SSH public keys for user {{ user.name }}
   authorized_key:
     user: "{{ user.name }}"
     state: present
     # we can pass multiple SSH keys, but they must be separated by newlines
-    key: "{{ user.ssh_keys | join('\n') }}"
+    key: |
+      {% for key_file in lookup('fileglob', user_ssh_key_path, wantlist=true) %}
+      {{ lookup('file', key_file) }}
+      {% endfor %}
     # remove obsolete keys
-    exclusive: yes
+    exclusive: yes
+  vars:
+    user_ssh_key_path: ssh/{{ user.name }}/*.pub

roles/common/templates/msmtp/aliases.j2

@@ -1 +0,0 @@
-default: {{ smtp_default_contact }}

roles/common/templates/msmtp/msmtprc.j2

@@ -1,19 +0,0 @@
-defaults
-auth on
-tls on
-tls_trust_file /etc/ssl/certs/ca-certificates.crt
-logfile /var/log/msmtp.log
-
-{% for account in smtp_accounts %}
-account {{ account.name }}
-host {{ account.host }}
-port 587
-from {{ account.from }}
-user {{ account.user | default(account.from) }}
-password {{ account.password }}
-
-{% endfor %}
-
-account default : {{ smtp_default_account }}
- 
-aliases /etc/aliases

roles/common/templates/opensmtpd/smtpd-secret.j2

@@ -0,0 +1,3 @@
+{% for account in smtp_accounts %}
+{{ account.name }} {{ account.username | default(account.from) }}:{{ account.password }}
+{% endfor %}

roles/common/templates/opensmtpd/smtpd.conf.j2

@@ -0,0 +1,11 @@
+listen on localhost
+
+table aliases file:/etc/aliases
+table secrets file:/etc/smtpd-secret
+
+action "local" mbox alias <aliases>
+{% for account in smtp_accounts %}
+action "{{ account.name }}_relay" relay host "smtps://{{ account.name }}@{{ account.host }}" auth <secrets> mail-from "{{ account.from }}"
+{% endfor %}
+match for local action "local"
+match for any action "{{ smtp_default_account }}_relay"

roles/common/templates/postfix/aliases.j2

@@ -0,0 +1,2 @@
+root: {{ smtp_default_recipient }}
+postmaster: {{ smtp_default_recipient }}

roles/common/templates/postfix/main.cf.j2

@@ -0,0 +1,40 @@
+{{ ansible_managed | comment }}
+
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+biff = no
+recipient_delimiter = +
+readme_directory = no
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# rewrite sender address
+sender_canonical_maps = hash:{{ postfix_senders_map_path }}
+
+alias_maps = hash:{{ smtp_aliases_path }}
+alias_database = hash:{{ smtp_aliases_path }}
+
+myhostname = {{ ansible_hostname }}
+myorigin = $myhostname
+mydestination = $myhostname, localhost.localdomain, localhost
+mynetworks_style = host
+
+inet_interfaces = all
+inet_protocols = all
+
+relayhost = [{{ smtp_accounts[smtp_default_account].host }}]
+relay_domains =
+# enable SASL authentication
+smtp_sasl_auth_enable = yes
+# disallow methods that allow anonymous authentication.
+smtp_sasl_security_options = noanonymous
+# where to find sasl_passwd
+smtp_sasl_password_maps = hash:{{ postfix_sasl_secrets_path }}
+# Enable STARTTLS encryption
+smtp_use_tls = yes
+# where to find CA certificates
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

roles/common/templates/postfix/sasl_secrets.j2

@@ -0,0 +1,3 @@
+{% for account in smtp_accounts.values() %}
+[{{ account.host }}] {{ account.username }}:{{ account.password }}
+{% endfor %}

roles/common/templates/postfix/senders.j2

@@ -0,0 +1,3 @@
+{% if smtp_accounts[smtp_default_account].from is defined %}
+@{{ ansible_hostname }} {{ smtp_accounts[smtp_default_account].from }}
+{% endif %}

roles/common/vars/main.yml

@@ -1,2 +1,9 @@
----
-# vars file for common
+ssh_config_dir: "{{ ansible_env.HOME }}/.ssh"
+storage_box_prefix: storage-box
+storage_box_packages:
+  - sshpass
+  - sshfs
+  - autofs
+borg_packages:
+  - borgbackup
+  - borgmatic