commit 56299c3d6b2306f1cdcf1e28d6ab860856522112
parent 739f5a0c9afeb6bc7e051eedd583b53fb7542da4
Author: Leah (ctucx) <leah@ctu.cx>
Date: Mon, 5 Apr 2021 16:21:54 +0200
parent 739f5a0c9afeb6bc7e051eedd583b53fb7542da4
Author: Leah (ctucx) <leah@ctu.cx>
Date: Mon, 5 Apr 2021 16:21:54 +0200
add new host: osterei
4 files changed, 184 insertions(+), 0 deletions(-)
A
|
120
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/config-files/nftables/osterei.nft b/config-files/nftables/osterei.nft
@@ -0,0 +1,42 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet firewall {
+ chain inbound {
+ # By default, drop all traffic unless it meets a filter
+ # criteria specified by the rules that follow below.
+ type filter hook input priority 0; policy drop;
+
+ # Allow traffic from established and related packets.
+ ct state established,related accept
+
+ # Drop invalid packets.
+ ct state invalid drop
+
+ # Allow loopback traffic.
+ iifname lo accept
+
+ # Allow vlan traffic.
+ iifname eth1 accept
+
+ # Allow all ICMP and IGMP traffic, but enforce a rate limit
+ # to help prevent some types of flood attacks.
+ ip protocol icmp limit rate 5/second accept
+ ip6 nexthdr ipv6-icmp limit rate 5/second accept
+ ip protocol igmp limit rate 5/second accept
+ }
+
+ chain forward {
+ # Drop everything (assumes this device is not a router)
+ type filter hook forward priority 0; policy drop;
+ }
+
+ chain outbound {
+ # Allow all outbound traffic
+ type filter hook output priority 0; policy accept;
+ }
+
+}
+
+include "/etc/nftables.d/*.nft"
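Review bot: The inbound chain never accepts TCP traffic arriving on eth0, yet configuration/osterei.yml in this same commit enables openssh on port 22 and an SSL-only nginx vhost, and the inventory addresses the host by its eth0 address 185.232.70.80, so unless a file under /etc/nftables.d/ (pulled in by the trailing include) opens 22/80/443, applying this ruleset locks Ansible and web clients out and leaves the host reachable only via eth1. If that is intended, a comment saying so next to `iifname eth1 accept` would spare the next reader the cross-check; otherwise a rule such as `tcp dport { 22, 80, 443 } accept` belongs before the ICMP rules. Separately, `ip6 nexthdr ipv6-icmp` only matches when ICMPv6 directly follows the IPv6 header, so packets carrying extension headers fall through to the drop policy; `meta l4proto ipv6-icmp` is the robust match. Rate-limiting all ICMPv6 to 5/second also throttles neighbour discovery, which can break IPv6 connectivity under load, so accepting the NDP types (`icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept`) ahead of the limited rule is the usual safeguard.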
diff --git a/configuration/osterei.yml b/configuration/osterei.yml 
@@ -0,0 +1,120 @@
+system:
+ hostname: osterei
+ domain: ctu.cx
+ timezone: Europe/Berlin
+ alpineVersion: v3.13
+ enableOwnRepos: true
+ enableSudo: true
+ useNTP: true
+ enableNFSMount: true
+ extraPackages:
+ - iftop
+ - iotop
+ - htop
+ - rsync
+ - mtr
+ - bind-tools
+ - tar
+ - unzip
+ - wget
+ - curl
+ - nginx
+ fstab:
+ - device: UUID=d70afec5-1c07-4b4e-8ee8-93947ab737a8
+ path: /
+ fstype: ext4
+ options: rw,relatime
+ checks: 0 1
+ - device: UUID=cadc498e-0cf9-4617-a817-3383b7233185
+ path: /boot
+ fstype: ext4
+ options: rw,relatime
+ checks: 0 2
+ nameservers:
+ - 1.1.1.1
+ - 8.8.8.8
+ users:
+ - name: root
+ allowedSshKeys:
+ - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829
+ - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDb2eZ2ymt+Zsf0eTlmjW2jPdS013lbde1+EGkgu6bz9lVTR8aawshF2HcoaWp5a5dJr3SKyihDM8hbWSYB3qyTHihNGyCArqSvAtZRw301ailRVHGqiwUITTfcg1533TtmWvlJZgOIFM1VvSAfdueDRRRzbygmn749fS9nhUTDzLtjqX5LvhpqhzsD+eOqPrV6Ne8E1e42JxQb5AJPY1gj9mk6eAarvtEHQYEe+/hp9ERjtCdN5DfuOJnqfaKS0ytPj/NbQskbX/TMgeUVio11iC2NbXsnAtzMmtbLX4mxlDQrR6aZmU/rHQ4aeJqI/Tj2rrF46icri7s0tnnit1OjT5PSxXgifcOtn06qoxYZMT1x+Dyrt40vNkGmxmxCnirm8B+6MKXgd/Ys+7tnOm1ht8TmLm96x6KdOiF3Zq/tMxhPAzp8JriTKSo7k7U9XxStFghTbhhBNc7OX89ZbpalLEnvbQiz87gZxhcx8cLvzIjslOHmZOSWC5Pgr4wwuj3Akq63i4ya6/BzM6v4UoBuDAB6fz3NHKL4R5X20la7Pvt7OBysQkGClWfj6ipMR1bFE2mfYtlMioXNgTjC+NCpEl1+81MH7dv2565Hk8CLV8FMxv6GujbAZGjjcM47lpWM1cBQvpBMUA/lLkyiCPK0YxNWAB7Co+jYDl6CR0Ubew== cardno:000606445161
+ - name: leah
+ groups: "wheel"
+ password: "{{ lookup('diskcache', 'passwordstore', 'Server/leah.password')}}"
+ allowedSshKeys:
+ - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829
+ - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDb2eZ2ymt+Zsf0eTlmjW2jPdS013lbde1+EGkgu6bz9lVTR8aawshF2HcoaWp5a5dJr3SKyihDM8hbWSYB3qyTHihNGyCArqSvAtZRw301ailRVHGqiwUITTfcg1533TtmWvlJZgOIFM1VvSAfdueDRRRzbygmn749fS9nhUTDzLtjqX5LvhpqhzsD+eOqPrV6Ne8E1e42JxQb5AJPY1gj9mk6eAarvtEHQYEe+/hp9ERjtCdN5DfuOJnqfaKS0ytPj/NbQskbX/TMgeUVio11iC2NbXsnAtzMmtbLX4mxlDQrR6aZmU/rHQ4aeJqI/Tj2rrF46icri7s0tnnit1OjT5PSxXgifcOtn06qoxYZMT1x+Dyrt40vNkGmxmxCnirm8B+6MKXgd/Ys+7tnOm1ht8TmLm96x6KdOiF3Zq/tMxhPAzp8JriTKSo7k7U9XxStFghTbhhBNc7OX89ZbpalLEnvbQiz87gZxhcx8cLvzIjslOHmZOSWC5Pgr4wwuj3Akq63i4ya6/BzM6v4UoBuDAB6fz3NHKL4R5X20la7Pvt7OBysQkGClWfj6ipMR1bFE2mfYtlMioXNgTjC+NCpEl1+81MH7dv2565Hk8CLV8FMxv6GujbAZGjjcM47lpWM1cBQvpBMUA/lLkyiCPK0YxNWAB7Co+jYDl6CR0Ubew== cardno:000606445161
+
+network:
+ nftables:
+ enable: true
+ configFile: config-files/nftables/osterei.nft
+ interfaces:
+ - name: lo
+ loopback: true
+ - name: eth0
+ ipv4:
+ address: 185.232.70.80
+ gateway: 185.232.68.1
+ netmask: 255.255.255.0
+ ipv6:
+ address: 2a03:4000:4e:af1::1
+ gateway: fe80::1
+ netmask: 64
+ - name: eth1
+ ipv4:
+ address: 10.0.0.15
+ netmask: 255.255.255.0
+
+files:
+ /var/lib/websites:
+ state: "directory"
+ mode: "0755"
+ owner: "leah"
+ group: "nginx"
+ /var/lib/websites/ctu.cx:
+ state: "directory"
+ mode: "0755"
+ owner: "leah"
+ group: "nginx"
+
+services:
+ openssh:
+ enable: true
+ port: 22
+ permitRootLogin: true
+ passwordAuthentication: false
+
+ prometheus_node_exporter:
+ enable: true
+
+ postgresql:
+ enable: true
+
+ vnstat:
+ enable: true
+
+ acme_redirect:
+ enable: true
+ email: lets-encrypt@ctu.cx
+ certs:
+ osterei.ctu.cx:
+ renewTasks:
+ - sudo rc-service nginx restart
+
+ nginx:
+ enable: true
+ enableXSLTFilter: true
+ user: nginx
+ group: nginx
+ sslOnly: true
+ vhosts:
+ osterey.ctu.cx:
+ defaultServer: true
+ ssl:
+ enable: true
+ cert: "/var/lib/acme-redirect/live/osterei.ctu.cx/fullchain"
+ privkey: "/var/lib/acme-redirect/live/osterei.ctu.cx/privkey"
+ locations:
+ - path: /node-exporter
+ proxy: http://127.0.0.1:9100/metrics
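Review bot: The nginx vhost is keyed `osterey.ctu.cx` while the hostname, the acme_redirect cert entry and the cert/privkey paths all say `osterei.ctu.cx`, which looks like a typo; with `defaultServer: true` the site still answers, but the served certificate will not match the configured server name, so the key should read `osterei.ctu.cx:`. The `/node-exporter` location proxies 127.0.0.1:9100/metrics through the public vhost with no access restriction, which publishes host metrics to anyone who can reach port 443; limiting that location to the scraping host's address or putting authentication in front of it keeps the exporter internal as its loopback bind intends. `permitRootLogin: true` is mitigated by `passwordAuthentication: false`, but the root and leah `allowedSshKeys` lists are identical copies of the same two keys, and a YAML anchor on the first list reused by the second would keep them from drifting apart when a key is rotated. This hunk is the whole new file.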
diff --git a/inventory b/inventory
@@ -30,3 +30,6 @@ joguhrtbecher.ctu.cx luna.f2k1.de [luna:vars] ansible_ssh_port=24
+
+[osterei]
+185.232.70.80+ \ No newline at end of file
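Review bot: Both this hunk and the playbook.yml hunk end with `\ No newline at end of file`, so the next host appended to either file will produce a noisier diff than necessary; add the trailing newline after `185.232.70.80` and after `tags: nginx`. The new group also lists the host by its bare eth0 address where the neighbouring entries use hostnames, which is worth a short comment if it is deliberate (for example because the name does not resolve yet), since the same address is the one the new nftables ruleset leaves closed for SSH.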
diff --git a/playbook.yml b/playbook.yml
@@ -207,3 +207,20 @@ tags: mumble - role: ctucx-gallery tags: ctucx-gallery
+
+- hosts: osterei
+ name: Install osterei
+ vars_files: configuration/osterei.yml
+ roles:
+ - role: common
+ tags: common
+ - role: openssh
+ tags: [ openssh, common ]
+ - role: files
+ tags: files
+ - role: bind
+ tags: bind
+ - role: vnstat
+ tags: vnstat
+ - role: nginx
+ tags: nginx+ \ No newline at end of file
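Review bot: The roles list does not match the services configuration/osterei.yml switches on: `prometheus_node_exporter`, `postgresql` and `acme_redirect` all have `enable: true` there but no role here, while `bind` gets a role with no corresponding section in the vars file. Unless `common` covers them (the role is not visible from this hunk), nginx will be brought up pointing at `/var/lib/acme-redirect/live/osterei.ctu.cx/fullchain` before anything has issued that certificate and will fail to start. Adding the role that deploys acme_redirect ahead of nginx, plus the ones for node_exporter and postgresql, or trimming the vars file to what this play actually applies, would make the two files agree. The play list begins before this hunk.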