ctucx.git: ansible-configs

My personal ansible roles and playbooks [deprecated in favor of nixos]

commit 1d3c3d8b040015138ddaa65890bccd7f00aae7ea
parent 7132461cd0615ff344b613dcd1d8e9db985c41c7
Author: Leah (ctucx) <leah@ctu.cx>
Date: Tue, 2 Feb 2021 10:56:37 +0100

update playbooks and configs
5 files changed, 115 insertions(+), 42 deletions(-)
M
configuration/joguhrtbecher.yml
|
46
+++++++++++++++++++++++++++++++++++++++++++++-
M
configuration/taurus.yml
|
44
+++++++++++++++++++++-----------------------
M
configuration/wanderduene.yml
|
52
+++++++++++++++++++++++++++++++++++++---------------
M
inventory
|
13
++++++++++---
M
playbook-servers.yml
|
2
++
diff --git a/configuration/joguhrtbecher.yml b/configuration/joguhrtbecher.yml
@@ -15,6 +15,49 @@ system:
       password: "$6$foobar123$1qcCmnoveirSdWY9XdgH5hCXv32hj0n/AyJX46sSp1LyGCA8QT/xxifebRxr89uIH6vwhzFGgz4.H2sG0en0f0"
       sshKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829"
 
+networkd:
+  networkd_resolv_conf_content:
+    - nameserver 1.1.1.1
+    - nameserver 8.8.8.8
+  networkd_apply_action: "restart"
+  netdev:
+    - name: wg-pbb
+      priority: 30
+      content:
+        - NetDev:
+          - Name: wg-pbb
+          - Kind: wireguard
+        - WireGuard:
+          - PrivateKey: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/joguhrtbecher/wireguard.privkey returnall=true') }}"
+          - FirewallMark: 51820
+        - WireGuardPeer:
+          - PublicKey: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/desastro/wireguard.pubkey returnall=true') }}"
+          - AllowedIPs:  "0.0.0.0/0, ::/0"
+          - Endpoint: "195.39.247.172:51820"
+          - PersistentKeepalive: 10
+  network:
+    - name: enp2s0
+      priority: 20
+      content:
+        - Match:
+          - Name: enp0s25
+        - Network:
+          - DHCP: yes
+    - name: wg-pbb
+      priority: 30
+      content:
+        - Match:
+          - Name: wg-pbb
+        - Network:
+          - Address: 195.39.247.49/32
+          - Address: 2a0f:4ac0:acab:1234::49/128
+        - Route: 
+          - Destination: 0.0.0.0/0
+        - Route: 
+          - Destination: ::/0
+        - Link:
+          - MTUBytes: 1472
+
 services:
   prometheus_node_exporter:
     enable: true
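Review bot: The second `network` entry is named `enp2s0` (`- name: enp2s0`) but its `Match` section selects `Name: enp0s25`, so the generated unit applies to enp0s25 while the file name suggests a different interface; one of the two looks like a copy/paste leftover and should be made consistent, e.g. `- name: enp0s25`. `DHCP: yes` is read as the boolean `true` by Ansible's YAML loader, so the rendered `.network` file presumably contains `DHCP=True` (networkd's boolean parser accepts it, but the documented values are `yes`/`ipv4`/`ipv6`) — quote it as `- DHCP: "yes"` to keep the literal. Both `Route: ` keys carry trailing whitespace. The wg-pbb peer uses `AllowedIPs: "0.0.0.0/0, ::/0"` together with both default routes on wg-pbb and `FirewallMark: 51820`, which only avoids routing the endpoint traffic back into the tunnel if a policy rule exempting that fwmark exists; that rule is not in this hunk, so a comment such as `# full tunnel: relies on a fwmark policy rule outside this file — verify` would save the next reader the hunt.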

@@ -30,4 +73,4 @@ services:
         defaultServer: true
         locations:
           - path: /node-exporter
-            proxy: http://127.0.0.1:9100
+            proxy: http://127.0.0.1:9100+
\ No newline at end of file
diff --git a/configuration/taurus.yml b/configuration/taurus.yml
@@ -69,12 +69,6 @@ services:
         renew_tasks:
           - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/syncthing.taurus.ctu.cx
           - sudo rc-service nginx restart
-      restic.ctu.cx:
-        dns_names: 
-          - restic.ctu.cx
-        renew_tasks:
-          - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/restic.ctu.cx
-          - sudo rc-service nginx restart
       photos.ctu.cx:
         dns_names: 
           - photos.ctu.cx

@@ -123,29 +117,33 @@ services:
         cert: "/var/lib/acme-redirect/live/syncthing.taurus.ctu.cx/fullchain"
         privkey: "/var/lib/acme-redirect/live/syncthing.taurus.ctu.cx/privkey"
 
-  rest_server:
-    enable: true
-    port: 8060
-    user: leah
-    nginx:
-      enable: true
-      domain: "restic.ctu.cx"
-      password: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/taurus/rest-server.htpasswd returnall=true') }}"
-      sslOnly: true
-      ssl:
-        enable: true
-        cert: "/var/lib/acme-redirect/live/restic.ctu.cx/fullchain"
-        privkey: "/var/lib/acme-redirect/live/restic.ctu.cx/privkey"
+#  rest_server:
+#    enable: true
+#    port: 8060
+#    user: leah
+#    nginx:
+#      enable: true
+#      domain: "restic.ctu.cx"
+#      password: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/taurus/rest-server.htpasswd returnall=true') }}"
+#      sslOnly: true
+#      ssl:
+#        enable: true
+#        cert: "/var/lib/acme-redirect/live/restic.ctu.cx/fullchain"
+#        privkey: "/var/lib/acme-redirect/live/restic.ctu.cx/privkey"
 
   nfsserver:
     enable: true
     exports:
       - path: /srv/wanderduene/pleroma
-        address: 10.0.0.2
-        options: rw,sync
+        address: 10.0.0.10
+        options: rw,fsid=0,sync,no_subtree_check,no_auth_nlm,insecure,no_root_squash
       - path: /srv/wanderduene/synapse
-        address: 10.0.0.2
-        options: rw,sync
+        address: 10.0.0.10
+        options: rw,fsid=1,sync,no_subtree_check,no_auth_nlm,insecure,no_root_squash
+      - path: /srv/wanderduene/oeffisearch
+        address: 10.0.0.10
+        options: rw,fsid=2,sync,no_subtree_check,no_auth_nlm,insecure,no_root_squash
+
 files:
   /var/lib/websites/photos.ctu.cx:
     state: "directory"
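Review bot: The new export options `insecure,no_root_squash,no_auth_nlm` on all three exports widen what the client at 10.0.0.10 can do: root on that client is root on the exported trees, non-privileged source ports are accepted, and lock requests are not authenticated, leaving the single-address restriction as the only remaining control; a comment stating why each is needed would stop a later edit from loosening it further, e.g. `# no_root_squash: services on wanderduene must chown inside these trees; no_auth_nlm: client mounts with nolock — confirm`. `fsid=0` on the pleroma export also marks it as the NFSv4 pseudo-root, which would make the synapse and oeffisearch exports unreachable by absolute path over an NFSv4 mount — presumably the client negotiates v3 (its fstab uses `nolock`), but that is worth pinning or noting. The commented-out `rest_server` block is 13 lines of dead configuration that git history already preserves; if it is meant to return, `enable: false` keeps it live and lint-clean instead.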
diff --git a/configuration/wanderduene.yml b/configuration/wanderduene.yml
@@ -7,6 +7,7 @@ system:
   enableSSH: true
   enableSudo: true
   useNTP: true #todo: support archlinux
+  enableNFS: true #todo: support archlinux
   fstab:
     - device: UUID=fc06e9aa-37fc-45ab-ad89-4f04e8ed78ba
       path: /

@@ -21,7 +22,17 @@ system:
     - device: 10.0.0.1:/srv/wanderduene/pleroma
       path: /var/lib/pleroma
       fstype: nfs
-      options: defaults
+      options: defaults,nolock
+      checks: 0 0
+    - device: 10.0.0.1:/srv/wanderduene/synapse
+      path: /var/lib/synapse
+      fstype: nfs
+      options: defaults,nolock
+      checks: 0 0
+    - device: 10.0.0.1:/srv/wanderduene/oeffisearch
+      path: /var/lib/oeffisearch
+      fstype: nfs
+      options: defaults,nolock
       checks: 0 0
   nameservers:
     - 1.1.1.1
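Review bot: `nolock` on the three NFS mounts disables NLM file locking, so any of pleroma, synapse or oeffisearch that relies on POSIX locks within its data directory (SQLite files in particular) gets no cross-process locking on these paths; that is acceptable if each tree has exactly one writer, but it deserves a comment next to the option such as `# nolock: no NLM on this client; single writer per export — verify for oeffisearch`. No `vers=` option is given, so the protocol version is negotiated against a server export layout that sets `fsid=0` on only one export; adding `vers=3` to `options` (or documenting why negotiation is fine) removes that ambiguity. The enclosing `fstab` list starts outside the hunk.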

@@ -50,7 +61,7 @@ network:
         netmask: 64
     - name: eth1
       ipv4:
-        address: 10.0.0.2
+        address: 10.0.0.10
         netmask: 255.255.255.0
 
 services:

@@ -217,11 +228,6 @@ services:
               proxy_hide_header "access-control-allow-origin";
               add_header "access-control-allow-origin" "*";
             '
-          - path: "/nuc8rugged"
-            extraConfig: '
-              autoindex on;
-              autoindex_exact_size off;
-            '
           - path: "/drucken"
             extraConfig: '
               autoindex on;

@@ -242,7 +248,6 @@ services:
     enable: true
     initialKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829"
 
-
   cgit:
     enable: true
     configFile: config-files/cgit/cgitrc

@@ -289,7 +294,7 @@ services:
   radicale:
     enable: true
     configFile: config-files/radicale/config
-    users: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/wanderduene/radicale.users returnall=true')}}"
+    users: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/{{system.hostname}}/radicale.users returnall=true')}}"
     nginx:
       enable: true
       domain: "dav.ctu.cx"
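Review bot: The `{{system.hostname}}` inside the lookup's string literal is a nested Jinja tag within an already-open `{{ … }}` expression; Jinja treats it as ordinary characters of the string, so unless the `diskcache` lookup re-templates its arguments the passwordstore path it receives is literally `Server/{{system.hostname}}/radicale.users` and the lookup fails or returns nothing. Inside an expression the hostname has to be concatenated: `users: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/' ~ system.hostname ~ '/radicale.users returnall=true') }}"`. The same pattern appears in the `frps` token and in the `/etc/nginx/passwd/print` content in the later hunks of this file.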

@@ -393,9 +398,20 @@ services:
         cert: "/var/lib/acme-redirect/live/pleroma.ctu.cx/fullchain"
         privkey: "/var/lib/acme-redirect/live/pleroma.ctu.cx/privkey"
 
+  fritzboxExporter:
+    enable: true
+    nginx:
+      enable: true
+      domain: "fbexporter.ctu.cx"
+      sslOnly: true
+      ssl:
+        enable: true
+        cert: "/var/lib/acme-redirect/live/fbexporter.ctu.cx/fullchain"
+        privkey: "/var/lib/acme-redirect/live/fbexporter.ctu.cx/privkey"
+
   frps:
     enable: true
-    token: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/wanderduene/frps/token returnall=true')}}"
+    token: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/{{system.hostname}}/frps/token returnall=true')}}"
     port: 5050
     vhostDomain: "frp.ctu.cx"
     vhostPort: 8088
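Review bot: The new `fritzboxExporter` nginx vhost on `fbexporter.ctu.cx` gets TLS but no access control, whereas the comparable `rest_server` vhost in taurus.yml carries a `password:` key under `nginx:`; if the role honours the same key, adding one would keep the exporter's metrics (and what they reveal about the router) from being readable by anyone who finds the hostname — confirm whether the role supports it or whether the scrape path is meant to be internal only. The `frps` `token` line in this hunk repeats the nested `{{system.hostname}}` tag issue raised on the radicale hunk.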

@@ -417,7 +433,13 @@ services:
 
 files:
   /var/lib/websites/ctu.cx:
-    state: "directory"
-    mode:  "0755"
-    owner: "leah"
-    group: "nginx"-
\ No newline at end of file
+    state:   "directory"
+    mode:    "0755"
+    owner:   "leah"
+    group:   "nginx"
+  /etc/nginx/passwd/print:
+    state:   "file"
+    content: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/{{system.hostname}}/passwd/ctu.cx/drucken returnall=true')}}"
+    mode:    "0600"
+    owner:   "nginx"
+    group:   "nginx"+
\ No newline at end of file
diff --git a/inventory b/inventory
@@ -4,9 +4,16 @@ ansible_ssh_user=root
 [taurus]
 taurus.ctu.cx
 
-
 [wanderduene]
 wanderduene.ctu.cx
 
+[desastro]
+desastro.ctu.cx
+
 [lollo]
-10.0.0.1-
\ No newline at end of file
+lollo.ctu.cx
+
+[joguhrtbecher]
+c4y72xuu85nwkhkx.myfritz.net
+[joguhrtbecher:vars]
+ansible_ssh_port=2222+
\ No newline at end of file
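Review bot: `ansible_ssh_port` in the new `[joguhrtbecher:vars]` group is the pre-2.0 spelling; `ansible_port=2222` is the current name (the file's `ansible_ssh_user` at the top is the same generation, so renaming both is the consistent move). A blank line before `[joguhrtbecher:vars]` would match the spacing used between the other groups. Since the myfritz name resolves to a changing address, SSH host-key checking is keyed on that name and port and still protects the connection; nothing to change, but worth a comment so the check is not disabled the first time the address moves.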
diff --git a/playbook-servers.yml b/playbook-servers.yml
@@ -42,6 +42,8 @@
       tags: prometheus
     - role: grafana           # supports: alpine, arch(untested)
       tags: grafana
+    - role: fritzboxExporter  # supports: alpine
+      tags: fritzboxExporter
     - role: frp               # frps supports: alpine, arch(untested)
       tags: [ frp, frps ]
     - role: backup            # todo
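Review bot: The new role is named `fritzboxExporter` in camelCase while every other role in this list is lower-case (`prometheus`, `grafana`, `frp`, `backup`); since the role name must match its directory under `roles/`, renaming here means renaming the directory too, and the `tags:` value on the next line should follow the same spelling. The enclosing `roles:` list starts outside the hunk.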