commit 2c5dd829cc81ed297c1b57dddc1b57f437c2f214
parent de51c8aa3377b80f870de32f46dab6f305d6b9ad
Author: Leah (ctucx) <leah@ctu.cx>
Date: Sun, 21 Feb 2021 16:29:09 +0100
update configurations and playbook
5 files changed, 98 insertions(+), 70 deletions(-)
diff --git a/configuration/joguhrtbecher.yml b/configuration/joguhrtbecher.yml @@ -3,7 +3,6 @@ system: domain: ctu.cx timezone: Europe/Berlin enableOwnRepos: true - enableSSH: true enableSudo: true useNTP: true nameservers: @@ -13,7 +12,8 @@ system: - name: leah groups: "wheel" password: "$6$foobar123$1qcCmnoveirSdWY9XdgH5hCXv32hj0n/AyJX46sSp1LyGCA8QT/xxifebRxr89uIH6vwhzFGgz4.H2sG0en0f0" - sshKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829" + allowedSshKeys: + - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829 network: nftables: @@ -82,6 +82,12 @@ networkd: - Priority: 2000 services: + openssh: + enable: true + port: 22 + permitRootLogin: true + passwordAuthentication: false + prometheus_node_exporter: enable: true
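Review bot: The new `services.openssh` block in the third hunk enables root login (`permitRootLogin: true`) although nothing in this configuration gives root an SSH key — the only keys are the `allowedSshKeys` of `leah`, who is in `wheel` with `enableSudo: true`. With `passwordAuthentication: false` the setting presumably renders as key-only root login, but it still exposes the root account over SSH for no visible use; unless the playbook itself relies on it, change it to `permitRootLogin: false`. The same block is added verbatim to lollo, taurus and wanderduene in this commit, so the same change applies there.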
diff --git a/configuration/lollo.yml b/configuration/lollo.yml @@ -3,7 +3,6 @@ system: domain: ctu.cx timezone: Europe/Berlin enableOwnRepos: true - enableSSH: true enableSudo: true useNTP: true #todo: support archlinux nameservers: @@ -13,7 +12,9 @@ system: - name: leah groups: "wheel" password: "$6$foobar123$1qcCmnoveirSdWY9XdgH5hCXv32hj0n/AyJX46sSp1LyGCA8QT/xxifebRxr89uIH6vwhzFGgz4.H2sG0en0f0" - sshKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e isa@Isabelles-MacBook-Pro.local" + allowedSshKeys: + - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829 + - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e isa@Isabelles-MacBook-Pro.local network: ipForwarding: true 
@@ -122,11 +123,15 @@ networkd: - DHCP: yes files: - /etc/nginx/passwd/influx: - state: "file" - content: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/passwd/home.ctu.cx/influx returnall=true')}}" - mode: "0600" - owner: "nginx" + /var/lib/websites: + state: "directory" + mode: "0755" + owner: "leah" + group: "nginx" + /var/lib/websites/dnsmasq.home.ctu.cx: + state: "directory" + mode: "0755" + owner: "leah" group: "nginx" /etc/udev/rules.d/99-modbus-serial.rules: state: "file" @@ -159,6 +164,12 @@ files: group: "nginx" services: + openssh: + enable: true + port: 22 + permitRootLogin: true + passwordAuthentication: false + prometheus_node_exporter: enable: true @@ -224,34 +235,6 @@ services: fastcgi_index index.php; include fastcgi_params; " - influx.home.ctu.cx: - root: /var/lib/websites/home.home.ctu.cx - ssl: - enable: true - cert: "/var/lib/acme-redirect/live/influx.home.ctu.cx/fullchain" - privkey: "/var/lib/acme-redirect/live/influx.home.ctu.cx/privkey" - locations: - - path: / - extraConfig: " - auth_basic 'Needs Autherization'; - auth_basic_user_file /etc/nginx/passwd/influx; - - proxy_pass http://127.0.0.1:8086/; - proxy_redirect default; - proxy_http_version 1.1; - proxy_set_header Connection ''; - proxy_set_header Authorization ''; - - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_max_temp_file_size 0; - proxy_connect_timeout 240; - proxy_send_timeout 240; - proxy_read_timeout 240; - expires -1; - add_header Cache-Control private; - " hostapd: enable: false @@ -332,6 +315,7 @@ services: # isa p2max - id:00:04:97:db:54:73:1e:20:bb:fe:bf:35:dd:14:70:59:c2:d5, isa-p2max, [2a0f:4ac0:acab::40] - ac:67:5d:12:2f:5a, isa-p2max, 195.39.246.40 + syncthing: enable: true user: leah 
@@ -359,6 +343,16 @@ services: influxdb: enable: true + nginx: + enable: true + domain: "influx.home.ctu.cx" + enableBasicAuth: true + basicAuthFileContent: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/passwd/home.ctu.cx/influx returnall=true')}}" + sslOnly: true + ssl: + enable: true + cert: "/var/lib/acme-redirect/live/influx.home.ctu.cx/fullchain" + privkey: "/var/lib/acme-redirect/live/influx.home.ctu.cx/privkey" databases: - powermeters - sensors @@ -374,7 +368,7 @@ services: smartied: enable: true - configFile: config-files/smartied/config.json + configFile: config-files/smartied.json nginx: enable: true domain: "home.ctu.cx"
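Review bot: The `nginx` block added under `influxdb` replaces the `influx.home.ctu.cx` vhost removed on the previous line, but the old vhost explicitly cleared the header with `proxy_set_header Authorization '';` before proxying, while the new block only sets `enableBasicAuth: true`. Whether the influxdb role's nginx template does the same is not visible here; if it does not, the basic-auth credentials are forwarded to InfluxDB, which evaluates `Authorization` itself and may reject requests that previously worked. Confirm against the role template, and once verified add a comment on the `enableBasicAuth` line such as `# role template must strip Authorization before proxying; InfluxDB authenticates separately`.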
diff --git a/configuration/taurus.yml b/configuration/taurus.yml @@ -4,9 +4,7 @@ system: timezone: Europe/Berlin alpineVersion: v3.13 enableOwnRepos: true - enableSSH: true enableSudo: true - enableNFTables: true useNTP: true nameservers: - 1.1.1.1 @@ -15,7 +13,8 @@ system: - name: leah groups: "wheel" password: "$6$foobar123$1qcCmnoveirSdWY9XdgH5hCXv32hj0n/AyJX46sSp1LyGCA8QT/xxifebRxr89uIH6vwhzFGgz4.H2sG0en0f0" - sshKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829" + allowedSshKeys: + - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829 network: nftables: @@ -38,7 +37,25 @@ network: address: 10.0.0.1 netmask: 255.255.255.0 +files: + /var/lib/websites: + state: "directory" + mode: "0755" + owner: "leah" + group: "nginx" + /var/lib/websites/photos.ctu.cx: + state: "directory" + mode: "0755" + owner: "leah" + group: "nginx" + services: + openssh: + enable: true + port: 22 + permitRootLogin: true + passwordAuthentication: false + prometheus_node_exporter: enable: true @@ -143,10 +160,3 @@ services: - path: /srv/wanderduene/oeffisearch address: 10.0.0.10 options: rw,fsid=2,sync,no_subtree_check,no_auth_nlm,insecure,no_root_squash - -files: - /var/lib/websites/photos.ctu.cx: - state: "directory" - mode: "0755" - owner: "leah" - group: "nginx"
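Review bot: The first hunk drops `enableNFTables: true` together with `enableSSH: true`, yet the `network: nftables:` section is still present as context in the second hunk, and no other host in this commit loses an equivalent key. If the common role still gates the nftables rules on that flag, taurus ends up with its ruleset defined but not applied; if the flag has been retired, that deserves a mention in the commit message rather than being folded into the SSH refactor. Confirm which it is, and if the flag is still honoured restore `enableNFTables: true`.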
diff --git a/configuration/wanderduene.yml b/configuration/wanderduene.yml @@ -4,7 +4,6 @@ system: timezone: Europe/Berlin alpineVersion: v3.13 enableOwnRepos: true - enableSSH: true enableSudo: true useNTP: true #todo: support archlinux enableNFS: true #todo: support archlinux @@ -41,7 +40,8 @@ system: - name: leah groups: "wheel" password: "$6$foobar123$1qcCmnoveirSdWY9XdgH5hCXv32hj0n/AyJX46sSp1LyGCA8QT/xxifebRxr89uIH6vwhzFGgz4.H2sG0en0f0" - sshKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829" + allowedSshKeys: + - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829 network: nftables: @@ -64,7 +64,31 @@ network: address: 10.0.0.10 netmask: 255.255.255.0 +files: + /var/lib/websites: + state: "directory" + mode: "0755" + owner: "leah" + group: "nginx" + /var/lib/websites/ctu.cx: + state: "directory" + mode: "0755" + owner: "leah" + group: "nginx" + /etc/nginx/passwd/print: + state: "file" + content: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/passwd/ctu.cx/drucken returnall=true')}}" + mode: "0600" + owner: "nginx" + group: "nginx" + services: + openssh: + enable: true + port: 22 + permitRootLogin: true + passwordAuthentication: false + prometheus_node_exporter: enable: true 
@@ -292,7 +316,7 @@ services: radicale: enable: true - configFile: config-files/radicale/config + configFile: config-files/radicale.conf users: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/radicale.users returnall=true')}}" nginx: enable: true @@ -399,7 +423,7 @@ services: disable_existing_loggers: false webClient: enable: true - configFile: config-files/schildichat-web/config.json + configFile: config-files/schildichat-web.json nginx: enable: true domain: "matrix.ctu.cx" @@ -488,7 +512,7 @@ services: pleroma: enable: true - configFile: config-files/pleroma/config.exs + configFile: config-files/pleroma.exs secretsContent: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/pleroma.secrets returnall=true')}}" nginx: enable: true @@ -530,16 +554,3 @@ services: - toaster - isa - isa-mac - -files: - /var/lib/websites/ctu.cx: - state: "directory" - mode: "0755" - owner: "leah" - group: "nginx" - /etc/nginx/passwd/print: - state: "file" - content: "{{ lookup('diskcache', 'passwordstore', 'Server/{{system.hostname}}/passwd/ctu.cx/drucken returnall=true')}}" - mode: "0600" - owner: "nginx" - group: "nginx"- \ No newline at end of file
diff --git a/playbook.yml b/playbook.yml @@ -14,6 +14,8 @@ roles: - role: common # supports: alpine, arch tags: common + - role: openssh + tags: [ openssh, common ] - role: files # supports: alpine, arch tags: files - role: bind # supports: alpine, arch(untested) @@ -56,6 +58,8 @@ roles: - role: common # supports: alpine, arch tags: common + - role: openssh + tags: [ openssh, common ] - role: files # supports: alpine, arch tags: files - role: bind # supports: alpine, arch(untested) @@ -81,6 +85,8 @@ roles: - role: common # supports: alpine, arch tags: common + - role: openssh + tags: [ openssh, common ] - role: systemd-networkd tags: systemd-networkd - role: files # supports: alpine, arch @@ -98,6 +104,8 @@ roles: - role: common tags: common + - role: openssh + tags: [ openssh, common ] - role: files tags: files - role: systemd-timers @@ -120,8 +128,8 @@ - frpc - frps - role: influxdb - tags: influxdb + tags: [ influxdb, smarthome ] - role: mbusd - tags: mbusd - - role: smarthome + tags: [ mbusd, smarthome ] + - role: smartied tags: [ smartied, smarthome ]
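Review bot: The last hunk renames the role reference from `smarthome` to `smartied`, but the diffstat (`5 files changed`) lists no role directory in this commit, so `roles/smartied` must already exist outside it or the play fails at role resolution. The four new `- role: openssh` entries also lack the `# supports: …` annotation their neighbouring roles carry; add it (e.g. `- role: openssh  # supports: <platforms>`) once the supported platforms are confirmed. Because the role is tagged `common`, any run limited to `--tags common` will now also apply the openssh role on every host, which is worth stating in the commit description.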