commit 5aee592cbe3700411bb5faf3ba36da6970b6faff
parent 8baef6c8f9a54821ed8633357ba3c4dc6e02aefa
Author: Leah (ctucx) <leah@ctu.cx>
Date: Tue, 2 Feb 2021 12:23:41 +0100
combined playbooks
4 files changed, 423 insertions(+), 433 deletions(-)
A
|
307
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
D
|
342
-------------------------------------------------------------------------------
D
|
91
-------------------------------------------------------------------------------
diff --git a/configuration/lollo.yml b/configuration/lollo.yml 
@@ -0,0 +1,307 @@ +system: + hostname: lollo + domain: ctu.cx + timezone: Europe/Berlin + enableOwnRepos: true + enableSSH: true + enableSudo: true + useNTP: true #todo: support archlinux + nameservers: + - 1.1.1.1 + - 8.8.8.8 + users: + - name: leah + groups: "wheel" + password: "$6$foobar123$1qcCmnoveirSdWY9XdgH5hCXv32hj0n/AyJX46sSp1LyGCA8QT/xxifebRxr89uIH6vwhzFGgz4.H2sG0en0f0" + sshKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e isa@Isabelles-MacBook-Pro.local" + +network: + ipForwarding: true + ferm: + enable: true + configFile: config-files/ferm/lollo.conf + +networkd: + networkd_resolv_conf_content: + - nameserver 1.1.1.1 + - nameserver 8.8.8.8 + networkd_apply_action: "restart" + netdev: + - name: enp2s0.5 + priority: 20 + content: + - NetDev: + - Name: enp2s0.5 + - Kind: vlan + - VLAN: + - Id: 5 + - name: wg-pbb + priority: 30 + content: + - NetDev: + - Name: wg-pbb + - Kind: wireguard + - WireGuard: + - PrivateKey: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/lollo/wireguard.privkey returnall=true') }}" + - FirewallMark: 51820 + - WireGuardPeer: + - PublicKey: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/desastro/wireguard.pubkey returnall=true') }}" + - AllowedIPs: "0.0.0.0/0, ::/0" + - Endpoint: "195.39.247.172:51820" + - PersistentKeepalive: 10 + - name: brlan + priority: 40 + content: + - NetDev: + - Name: brlan + - Kind: bridge + network: + - name: enp2s0 + priority: 20 + content: + - Match: + - Name: enp2s0 + - Network: + - DHCP: yes + - VLAN: enp2s0.5 + - name: enp2s0.5 + 
priority: 20 + content: + - Match: + - Name: enp2s0.5 + - Network: + - Bridge: brlan + - name: wg-pbb + priority: 30 + content: + - Match: + - Name: wg-pbb + - Link: + - MTUBytes: 1472 + - Route: + - Destination: 0.0.0.0/0 + - Table: 1234 + - Route: + - Destination: ::/0 + - Table: 1234 + - name: brlan + priority: 40 + content: + - Match: + - Name: brlan + - Driver: bridge + - Network: + - DHCP: no + - Address: 195.39.246.33/28 + - Address: 10.0.0.1/24 + - Address: 2a0f:4ac0:acab::1/62 + - RoutingPolicyRule: + - From: 195.39.246.32/28 + - Table: 254 + - Priority: 1900 + - SuppressPrefixLength: 0 + - RoutingPolicyRule: + - From: 2a0f:4ac0:acab::/62 + - Table: 254 + - Priority: 1900 + - SuppressPrefixLength: 0 + - RoutingPolicyRule: + - From: 195.39.246.32/28 + - Table: 1234 + - Priority: 2000 + - RoutingPolicyRule: + - 
From: 2a0f:4ac0:acab::/62 + - Table: 1234 + - Priority: 2000 + - name: usb-tetherring + priority: 91 + content: + - Match: + - Name: enp*s*u* + - Network: + - DHCP: yes + +services: + prometheus_node_exporter: + enable: true + + acme_redirect: + enable: true + email: lets-encrypt@ctu.cx + acme_url: https://api.buypass.com/acme/directory + certs: + lollo.ctu.cx: + dns_names: + - lollo.ctu.cx + renew_tasks: + - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/lollo.ctu.cx + syncthing.lollo.ctu.cx: + dns_names: + - syncthing.lollo.ctu.cx + renew_tasks: + - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/syncthing.lollo.ctu.cx + home.ctu.cx: + dns_names: + - home.ctu.cx + - legacy.home.ctu.cx + renew_tasks: + - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/home.ctu.cx + home.flauschekatze.space: + dns_names: + - home.flauschekatze.space + - legacy.home.flauschekatze.space + renew_tasks: + - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/home.flauschekatze.space + + nginx: + enable: true + sslOnly: true + vhosts: + lollo.ctu.cx: + defaultserver: true + ssl: + enable: true + cert: "/var/lib/acme-redirect/live/lollo.ctu.cx/fullchain" + privkey: "/var/lib/acme-redirect/live/lollo.ctu.cx/privkey" + locations: + - path: /node-exporter + proxy: http://127.0.0.1:9100/metrics + home.ctu.cx legacy.home.ctu.cx: + root: /var/lib/websites/home.ctu.cx + extraConfig: " + index index.html index.php; + try_files $uri $uri/ /index.php?$query_string; + " + ssl: + enable: true + cert: "/var/lib/acme-redirect/live/home.ctu.cx/fullchain" + privkey: "/var/lib/acme-redirect/live/home.ctu.cx/privkey" + locations: + - path: ~ \.php$ + extraConfig: " + fastcgi_pass unix:/run/php-fpm/php-fpm.sock; + fastcgi_index index.php; + include fastcgi_params; + " + home.flauschekatze.space legacy.home.flauschekatze.space: + root: /var/lib/websites/home.ctu.cx + extraConfig: " + index index.html index.php; + try_files $uri $uri/ 
/index.php?$query_string; + " + ssl: + enable: true + cert: "/var/lib/acme-redirect/live/home.flauschekatze.space/fullchain" + privkey: "/var/lib/acme-redirect/live/home.flauschekatze.space/privkey" + locations: + - path: ~ \.php$ + extraConfig: " + fastcgi_pass unix:/run/php-fpm/php-fpm.sock; + fastcgi_index index.php; + include fastcgi_params; + " + + hostapd: + enable: false + interface: wlp3s0 + bridge: brlan + channel: 1 + ssid: legacy.home.ctu.cx + passphrase: "{{ lookup('diskcache', 'community.general.passwordstore', 'WiFi/legacy.home.ctu.cx returnall=true')}}" + + dnsmasq: + enable: true + local_service: true + no_resolv: true + domain_needed: true + bogus_priv: true + expand_hosts: false + read_ethers: false + enable_ra: true + quiet_ra: true + domain: home.ctu.cx + auth_ttl: 600 + auth_server: home.ctu.cx, wg-pbb + auth_zones: + - home.ctu.cx, 10.0.0.1/24, 195.39.246.32/28, 2a0f:4ac0:acab::1/64 + - home.flauschekatze.space, 10.0.0.1/24, 195.39.246.32/28, 2a0f:4ac0:acab::1/64 + local_addresses: + - /fritz.box/192.168.178.1 + - /intel-nuc/192.168.178.21 + - /lollo/192.168.178.20 + - /repo-vm/192.168.178.24 + - /mastodon-backup/192.168.178.25 + - /foo-nuc/192.168.178.23 + addresses: + - home.ctu.cx, 195.39.246.33, 2a0f:4ac0:acab::1 + - home.flauschekatze.space, 195.39.246.33, 2a0f:4ac0:acab::1 + - legacy.home.ctu.cx, 195.39.246.33, 2a0f:4ac0:acab::1 + - legacy.home.flauschekatze.space, 195.39.246.33, 2a0f:4ac0:acab::1 + dns_servers: + - 1.1.1.1 + - 1.0.0.1 + - 8.8.8.8 + - 8.8.4.4 + dhcp: + authoritative: true + rapid_commit: true + sequential_ip: true + options: + - option6:information-refresh-time, 6h + - option6:dns-server, [2a0f:4ac0:acab::1] + - private, option:router, 10.0.0.1 + - private, option:dns-server, 10.0.0.1 + - public, option:router, 195.39.246.33 + - public, option:dns-server, 195.39.246.33 + ranges: + - private, 10.0.0.100, 10.0.0.200, 255.255.255.0, 48h + - public, 195.39.246.34, static, 255.255.255.240, 195.39.246.47, 48h + - 
2a0f:4ac0:acab::100, 2a0f:4ac0:acab::01ff, ra-names,slaac, 64, 48h + hosts: + # accesspoint + - f4:06:8d:df:1f:e3, accesspoint, 10.0.0.2 + # tradfri gateway + - 58:d5:0a:ba:23:29, tradfri, 10.0.0.10 + # ctucx macbook + - id:00:01:00:01:27:51:55:30:80:e6:50:21:e0:6a, toaster, [2a0f:4ac0:acab::34] + - 80:e6:50:21:e0:6a, toaster, 195.39.246.34 + # ctucx thinkcentre + - id:00:01:00:01:27:60:18:8c:e8:6a:64:f4:49:e7, stasicontainer, [2a0f:4ac0:acab::39] + - e8:6a:64:f4:49:e7, stasicontainer, 195.39.246.39 + # ctucx thinkpad t470 (mac: wlan, eth) + - id:00:04:37:8e:fd:cc:26:b8:11:b2:a8:5c:b8:77:0b:6e:a2:e6, coladose, [2a0f:4ac0:acab::35] + - 7c:2a:31:fb:e6:b8, 8c:16:45:da:61:8e, coladose, 195.39.246.35 + # isa macbook + - id:00:01:00:01:23:53:5d:7e:6c:40:08:af:2e:9c, isabelles-mbp, [2a0f:4ac0:acab::38] + - 6c:40:08:af:2e:9c, isabelles-mbp, 195.39.246.38 + # isa thinkpad x230 + - id:00:04:e8:51:c5:1d:f6:53:58:4a:9b:c0:28:59:a4:c7:76:32, isa-x230, [2a0f:4ac0:acab::36] + - 64:80:99:75:c5:5c, isa-x230, 195.39.246.36 + # isa p2max + - id:00:04:97:db:54:73:1e:20:bb:fe:bf:35:dd:14:70:59:c2:d5, isa-p2max, [2a0f:4ac0:acab::40] + - ac:67:5d:12:2f:5a, isa-p2max, 195.39.246.40 + syncthing: + enable: true + user: leah + nginx: + enable: true + domain: "syncthing.lollo.ctu.cx" + sslOnly: true + ssl: + enable: true + cert: "/var/lib/acme-redirect/live/syncthing.lollo.ctu.cx/fullchain" + privkey: "/var/lib/acme-redirect/live/syncthing.lollo.ctu.cx/privkey" + + frpc: + enable: true + serverAddress: wanderduene.ctu.cx + serverPort: 5050 + token: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/wanderduene/frps/token returnall=true')}}" + dashboard: false + tunnels: + - name: lollo-ssh + type: tcp + local_ip: 127.0.0.1 + local_port: 22 + remote_port: 2202 +
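Review bot: `users[0].password` is a committed sha512-crypt hash (`$6$foobar123$…`) while every other credential in this file — the WireGuard private key, the hostapd passphrase, the frpc token — is fetched at run time through `lookup('diskcache', 'community.general.passwordstore', …)`; a hash in version control is exposed to offline guessing against its salt, so it should use the same lookup, e.g. `password: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/lollo/users/leah.hash returnall=true') }}"` (pass path illustrative). The `DHCP: yes` / `DHCP: no` values in the `networkd.network` entries are unquoted, so Ansible's YAML 1.1 loader turns them into booleans before the networkd role templates the `.network` unit; whether the rendered file then says `yes`/`no` or `True`/`False` depends on the role's template, so write `DHCP: "yes"` / `DHCP: "no"` to make the emitted text explicit. `useNTP: true #todo: support archlinux` needs two spaces before the inline `#` to satisfy yamllint. The content is moved verbatim from playbook-router.yml, so none of this is new behaviour, but a fresh file is the natural place to fix it.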
diff --git a/playbook-router.yml b/playbook-router.yml 
@@ -1,342 +0,0 @@ ---- -- hosts: lollo - remote_user: root - gather_facts: false - tasks: - - name: "[Alpine] Install Python" - raw: test -e /usr/bin/python || (test -e /sbin/apk && apk update && apk add python3; true) - - name: "[Archlinux] Install Python" - raw: test -e /usr/bin/python || (test -e /usr/bin/pacman && pacman -Sy --noconfirm python; true) - - -- hosts: lollo - name: Install lollo - roles: - - role: common - tags: common - - role: kawaidesu.ansible_networkd - tags: systemd-networkd - - role: acme-redirect - tags: acme-redirect - - role: nginx - tags: nginx - - role: hostapd - tags: hostapd - - role: dnsmasq - tags: dnsmasq - - role: syncthing - tags: syncthing - - role: frp - tags: - - frp - - frpc - - frps - - vars: - system: - hostname: lollo - domain: ctu.cx - timezone: Europe/Berlin - enableOwnRepos: true - enableSSH: true - enableSudo: true - useNTP: true #todo: support archlinux - nameservers: - - 1.1.1.1 - - 8.8.8.8 - users: - - name: leah - groups: "wheel" - password: "$6$foobar123$1qcCmnoveirSdWY9XdgH5hCXv32hj0n/AyJX46sSp1LyGCA8QT/xxifebRxr89uIH6vwhzFGgz4.H2sG0en0f0" - sshKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e isa@Isabelles-MacBook-Pro.local" - - network: - ipForwarding: true - ferm: - enable: true - configFile: config-files/ferm/lollo.conf - - networkd: - networkd_resolv_conf_content: - - nameserver 1.1.1.1 - - nameserver 8.8.8.8 - networkd_apply_action: "restart" - netdev: - - name: enp2s0.5 - priority: 20 - content: - - NetDev: - - Name: enp2s0.5 - - Kind: vlan - - VLAN: - - Id: 5 - - name: wg-pbb 
- priority: 30 - content: - - NetDev: - - Name: wg-pbb - - Kind: wireguard - - WireGuard: - - PrivateKey: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/lollo/wireguard.privkey returnall=true') }}" - - FirewallMark: 51820 - - WireGuardPeer: - - PublicKey: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/desastro/wireguard.pubkey returnall=true') }}" - - AllowedIPs: "0.0.0.0/0, ::/0" - - Endpoint: "195.39.247.172:51820" - - PersistentKeepalive: 10 - - name: brlan - priority: 40 - content: - - NetDev: - - Name: brlan - - Kind: bridge - network: - - name: enp2s0 - priority: 20 - content: - - Match: - - Name: enp2s0 - - Network: - - DHCP: yes - - VLAN: enp2s0.5 - - name: enp2s0.5 - priority: 20 - content: - - Match: - - Name: enp2s0.5 - - Network: - - Bridge: brlan - - name: wg-pbb - priority: 30 - content: - - Match: - - Name: wg-pbb - - Link: - - MTUBytes: 1472 - - Route: - - Destination: 0.0.0.0/0 - - Table: 1234 - - Route: - - Destination: ::/0 - - Table: 1234 - - name: brlan - priority: 40 - content: - - Match: - - Name: brlan - - Driver: bridge - - Network: - - DHCP: no - - Address: 195.39.246.33/28 - - Address: 10.0.0.1/24 - - Address: 2a0f:4ac0:acab::1/62 - - RoutingPolicyRule: - - From: 195.39.246.32/28 - - Table: 254 - - Priority: 1900 - - SuppressPrefixLength: 0 - - RoutingPolicyRule: - - From: 2a0f:4ac0:acab::/62 - - Table: 254 - - Priority: 1900 - - SuppressPrefixLength: 0 - - RoutingPolicyRule: - - From: 195.39.246.32/28 - - Table: 1234 - - Priority: 2000 - - RoutingPolicyRule: - - 
From: 2a0f:4ac0:acab::/62 - - Table: 1234 - - Priority: 2000 - - name: usb-tetherring - priority: 91 - content: - - Match: - - Name: enp*s*u* - - Network: - - DHCP: yes - - services: - prometheus_node_exporter: - enable: true - - acme_redirect: - enable: true - email: lets-encrypt@ctu.cx - acme_url: https://api.buypass.com/acme/directory - certs: - lollo.ctu.cx: - dns_names: - - lollo.ctu.cx - renew_tasks: - - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/lollo.ctu.cx - syncthing.lollo.ctu.cx: - dns_names: - - syncthing.lollo.ctu.cx - renew_tasks: - - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/syncthing.lollo.ctu.cx - home.ctu.cx: - dns_names: - - home.ctu.cx - - legacy.home.ctu.cx - renew_tasks: - - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/home.ctu.cx - home.flauschekatze.space: - dns_names: - - home.flauschekatze.space - - legacy.home.flauschekatze.space - renew_tasks: - - chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/home.flauschekatze.space - - nginx: - enable: true - sslOnly: true - vhosts: - lollo.ctu.cx: - defaultserver: true - ssl: - enable: true - cert: "/var/lib/acme-redirect/live/lollo.ctu.cx/fullchain" - privkey: "/var/lib/acme-redirect/live/lollo.ctu.cx/privkey" - locations: - - path: /node-exporter - proxy: http://127.0.0.1:9100/metrics - home.ctu.cx legacy.home.ctu.cx: - root: /var/lib/websites/home.ctu.cx - extraConfig: " - index index.html index.php; - try_files $uri $uri/ /index.php?$query_string; - " - ssl: - enable: true - cert: "/var/lib/acme-redirect/live/home.ctu.cx/fullchain" - privkey: "/var/lib/acme-redirect/live/home.ctu.cx/privkey" - locations: - - path: ~ \.php$ - extraConfig: " - fastcgi_pass unix:/run/php-fpm/php-fpm.sock; - fastcgi_index index.php; - include fastcgi_params; - " - home.flauschekatze.space legacy.home.flauschekatze.space: - root: /var/lib/websites/home.ctu.cx - extraConfig: " - index index.html index.php; - try_files $uri $uri/ 
/index.php?$query_string; - " - ssl: - enable: true - cert: "/var/lib/acme-redirect/live/home.flauschekatze.space/fullchain" - privkey: "/var/lib/acme-redirect/live/home.flauschekatze.space/privkey" - locations: - - path: ~ \.php$ - extraConfig: " - fastcgi_pass unix:/run/php-fpm/php-fpm.sock; - fastcgi_index index.php; - include fastcgi_params; - " - - hostapd: - enable: false - interface: wlp3s0 - bridge: brlan - channel: 1 - ssid: legacy.home.ctu.cx - passphrase: "{{ lookup('diskcache', 'community.general.passwordstore', 'WiFi/legacy.home.ctu.cx returnall=true')}}" - - dnsmasq: - enable: true - local_service: true - no_resolv: true - domain_needed: true - bogus_priv: true - expand_hosts: false - read_ethers: false - enable_ra: true - quiet_ra: true - domain: home.ctu.cx - auth_ttl: 600 - auth_server: home.ctu.cx, wg-pbb - auth_zones: - - home.ctu.cx, 10.0.0.1/24, 195.39.246.32/28, 2a0f:4ac0:acab::1/64 - - home.flauschekatze.space, 10.0.0.1/24, 195.39.246.32/28, 2a0f:4ac0:acab::1/64 - local_addresses: - - /fritz.box/192.168.178.1 - - /intel-nuc/192.168.178.21 - - /lollo/192.168.178.20 - - /repo-vm/192.168.178.24 - - /mastodon-backup/192.168.178.25 - - /foo-nuc/192.168.178.23 - addresses: - - home.ctu.cx, 195.39.246.33, 2a0f:4ac0:acab::1 - - home.flauschekatze.space, 195.39.246.33, 2a0f:4ac0:acab::1 - - legacy.home.ctu.cx, 195.39.246.33, 2a0f:4ac0:acab::1 - - legacy.home.flauschekatze.space, 195.39.246.33, 2a0f:4ac0:acab::1 - dns_servers: - - 1.1.1.1 - - 1.0.0.1 - - 8.8.8.8 - - 8.8.4.4 - dhcp: - authoritative: true - rapid_commit: true - sequential_ip: true - options: - - option6:information-refresh-time, 6h - - option6:dns-server, [2a0f:4ac0:acab::1] - - private, option:router, 10.0.0.1 - - private, option:dns-server, 10.0.0.1 - - public, option:router, 195.39.246.33 - - public, option:dns-server, 195.39.246.33 - ranges: - - private, 10.0.0.100, 10.0.0.200, 255.255.255.0, 48h - - public, 195.39.246.34, static, 255.255.255.240, 195.39.246.47, 48h - - 
2a0f:4ac0:acab::100, 2a0f:4ac0:acab::01ff, ra-names,slaac, 64, 48h - hosts: - # accesspoint - - f4:06:8d:df:1f:e3, accesspoint, 10.0.0.2 - # tradfri gateway - - 58:d5:0a:ba:23:29, tradfri, 10.0.0.10 - # ctucx macbook - - id:00:01:00:01:27:51:55:30:80:e6:50:21:e0:6a, toaster, [2a0f:4ac0:acab::34] - - 80:e6:50:21:e0:6a, toaster, 195.39.246.34 - # ctucx thinkcentre - - id:00:01:00:01:27:60:18:8c:e8:6a:64:f4:49:e7, stasicontainer, [2a0f:4ac0:acab::39] - - e8:6a:64:f4:49:e7, stasicontainer, 195.39.246.39 - # ctucx thinkpad t470 (mac: wlan, eth) - - id:00:04:37:8e:fd:cc:26:b8:11:b2:a8:5c:b8:77:0b:6e:a2:e6, coladose, [2a0f:4ac0:acab::35] - - 7c:2a:31:fb:e6:b8, 8c:16:45:da:61:8e, coladose, 195.39.246.35 - # isa macbook - - id:00:01:00:01:23:53:5d:7e:6c:40:08:af:2e:9c, isabelles-mbp, [2a0f:4ac0:acab::38] - - 6c:40:08:af:2e:9c, isabelles-mbp, 195.39.246.38 - # isa thinkpad x230 - - id:00:04:e8:51:c5:1d:f6:53:58:4a:9b:c0:28:59:a4:c7:76:32, isa-x230, [2a0f:4ac0:acab::36] - - 64:80:99:75:c5:5c, isa-x230, 195.39.246.36 - # isa p2max - - id:00:04:97:db:54:73:1e:20:bb:fe:bf:35:dd:14:70:59:c2:d5, isa-p2max, [2a0f:4ac0:acab::40] - - ac:67:5d:12:2f:5a, isa-p2max, 195.39.246.40 - syncthing: - enable: true - user: leah - nginx: - enable: true - domain: "syncthing.lollo.ctu.cx" - sslOnly: true - ssl: - enable: true - cert: "/var/lib/acme-redirect/live/syncthing.lollo.ctu.cx/fullchain" - privkey: "/var/lib/acme-redirect/live/syncthing.lollo.ctu.cx/privkey" - - frpc: - enable: true - serverAddress: wanderduene.ctu.cx - serverPort: 5050 - token: "{{ lookup('diskcache', 'community.general.passwordstore', 'Server/wanderduene/frps/token returnall=true')}}" - dashboard: false - tunnels: - - name: lollo-ssh - type: tcp - local_ip: 127.0.0.1 - local_port: 22 - remote_port: 2202 -
diff --git a/playbook-servers.yml b/playbook-servers.yml 
@@ -1,91 +0,0 @@ ---- -- hosts: all - remote_user: root - gather_facts: false - tasks: - - name: "[Alpine] Install Python" - raw: test -e /usr/bin/python || (test -e /sbin/apk && apk update && apk add python3; true) - - name: "[Archlinux] Install Python" - raw: test -e /usr/bin/python || (test -e /usr/bin/pacman && pacman -Sy --noconfirm python; true) - -- hosts: wanderduene - name: Install wanderduene - vars_files: configuration/wanderduene.yml - roles: - - role: common # supports: alpine, arch - tags: common - - role: files # supports: alpine, arch - tags: files - - role: bind # supports: alpine, arch(untested) - tags: bind - - role: acme-redirect # supports: alpine, arch - tags: acme-redirect - - role: nginx # supports: alpine, arch - tags: nginx - - role: gitolite # supports: alpine, arch(untested) - tags: gitolite - - role: cgit # supports: alpine, arch(untested) - tags: cgit - - role: oeffisearch # supports: alpine - tags: oeffisearch - - role: oeffi-web # supports: alpine - tags: oeffi-web - - role: maddy # supports: alpine - tags: maddy - - role: radicale # supports: alpine, arch(untested) - tags: radicale - - role: pleroma # supports: alpine - tags: pleroma - - role: synapse # supports: alpine, arch(untested) - tags: synapse - - role: prometheus # supports: alpine, arch(untested) - tags: prometheus - - role: grafana # supports: alpine, arch(untested) - tags: grafana - - role: fritzboxExporter # supports: alpine - tags: fritzboxExporter - - role: frp # frps supports: alpine, arch(untested) - tags: [ frp, frps ] - - role: backup # todo - tags: backup - - -- hosts: taurus - name: Install taurus - vars_files: configuration/taurus.yml - roles: - - role: common # supports: alpine, arch - tags: common - - role: files # supports: alpine, arch - tags: files - - role: bind # supports: alpine, arch(untested) - tags: bind - - role: nfsserver # supports: alpine - tags: nfs - - role: acme-redirect # supports: alpine, arch - tags: acme-redirect - - role: nginx # 
supports: alpine, arch - tags: nginx - - role: syncthing # supports: alpine, arch - tags: syncthing - - role: rest-server # supports: alpine, arch(untested) - vars: - rest_server: - nginx: - password: "{}" - tags: [ backup, rest-server, restic ] - -- hosts: joguhrtbecher - name: Install joguhrtbecher - vars_files: configuration/joguhrtbecher.yml - roles: - - role: common # supports: alpine, arch - tags: common - - role: kawaidesu.ansible_networkd - tags: systemd-networkd - - role: files # supports: alpine, arch - tags: files - - role: nginx # supports: alpine, arch - tags: nginx - - role: syncthing # supports: alpine, arch - tags: syncthing
diff --git a/playbook.yml b/playbook.yml 
@@ -0,0 +1,115 @@ +--- +- hosts: all + remote_user: root + gather_facts: false + tasks: + - name: "[Alpine] Install Python" + raw: test -e /usr/bin/python || (test -e /sbin/apk && apk update && apk add python3; true) + - name: "[Archlinux] Install Python" + raw: test -e /usr/bin/python || (test -e /usr/bin/pacman && pacman -Sy --noconfirm python; true) + +- hosts: wanderduene + name: Install wanderduene + vars_files: configuration/wanderduene.yml + roles: + - role: common # supports: alpine, arch + tags: common + - role: files # supports: alpine, arch + tags: files + - role: bind # supports: alpine, arch(untested) + tags: bind + - role: acme-redirect # supports: alpine, arch + tags: acme-redirect + - role: nginx # supports: alpine, arch + tags: nginx + - role: gitolite # supports: alpine, arch(untested) + tags: gitolite + - role: cgit # supports: alpine, arch(untested) + tags: cgit + - role: oeffisearch # supports: alpine + tags: oeffisearch + - role: oeffi-web # supports: alpine + tags: oeffi-web + - role: maddy # supports: alpine + tags: maddy + - role: radicale # supports: alpine, arch(untested) + tags: radicale + - role: pleroma # supports: alpine + tags: pleroma + - role: synapse # supports: alpine, arch(untested) + tags: synapse + - role: prometheus # supports: alpine, arch(untested) + tags: prometheus + - role: grafana # supports: alpine, arch(untested) + tags: grafana + - role: fritzboxExporter # supports: alpine + tags: fritzboxExporter + - role: frp # frps supports: alpine, arch(untested) + tags: [ frp, frps ] + - role: backup # todo + tags: backup + + +- hosts: taurus + name: Install taurus + vars_files: configuration/taurus.yml + roles: + - role: common # supports: alpine, arch + tags: common + - role: files # supports: alpine, arch + tags: files + - role: bind # supports: alpine, arch(untested) + tags: bind + - role: nfsserver # supports: alpine + tags: nfs + - role: acme-redirect # supports: alpine, arch + tags: acme-redirect + - role: nginx # 
supports: alpine, arch + tags: nginx + - role: syncthing # supports: alpine, arch + tags: syncthing + - role: rest-server # supports: alpine, arch(untested) + vars: + rest_server: + nginx: + password: "{}" + tags: [ backup, rest-server, restic ] + +- hosts: joguhrtbecher + name: Install joguhrtbecher + vars_files: configuration/joguhrtbecher.yml + roles: + - role: common # supports: alpine, arch + tags: common + - role: kawaidesu.ansible_networkd + tags: systemd-networkd + - role: files # supports: alpine, arch + tags: files + - role: nginx # supports: alpine, arch + tags: nginx + - role: syncthing # supports: alpine, arch + tags: syncthing + +- hosts: lollo + name: Install lollo + vars_files: configuration/lollo.yml + roles: + - role: common + tags: common + - role: kawaidesu.ansible_networkd + tags: systemd-networkd + - role: acme-redirect + tags: acme-redirect + - role: nginx + tags: nginx + - role: hostapd + tags: hostapd + - role: dnsmasq + tags: dnsmasq + - role: syncthing + tags: syncthing + - role: frp + tags: + - frp + - frpc + - frps + \ No newline at end of file
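Review bot: The new `Install lollo` play is the only one in playbook.yml whose roles carry no `# supports:` annotation, and its `frp` role lists `tags` in block style while the `wanderduene` play writes the same role as `tags: [ frp, frps ]`; use one form (`tags: [ frp, frpc, frps ]`) and add `# supports:` comments reflecting whatever has actually been tested, so a reader can tell the lollo roles' target coverage as for the other hosts. The file also ends without a trailing newline (`\ No newline at end of file`). One line carried over from playbook-servers.yml is worth a look while here: `password: "{}"` under `rest_server.nginx` is the literal two-character string `{}`, not an empty mapping; if it is meant to disable or later template the basic-auth password, a short comment stating that intent would prevent it being read as a placeholder left behind.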