
commit 669227d5079bee83b79713fd3e1efe808fb9089f
parent 16b489a261d56a4edc1edf2b2f5a1ca4d4328218
Author: Leah (ctucx) <leah@ctu.cx>
Date: Fri, 11 Jun 2021 15:17:28 +0200

add new host: f2k1de's matrix
4 files changed, 255 insertions(+), 7 deletions(-)
A
configuration/f2k1de/matrix.yml
|
242
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
M
configuration/osterei.yml
|
3
++-
M
inventory
|
7
+++++--
M
playbook-f2k1de.yml
|
10
++++++----
diff --git a/configuration/f2k1de/matrix.yml b/configuration/f2k1de/matrix.yml
@@ -0,0 +1,242 @@
+system:
+  hostname: matrix
+  domain: flauschekatze.space
+  timezone: Europe/Berlin
+  alpineVersion: v3.13
+  enableSudo: true
+  useNTP: true
+  extraPackages:
+    - iftop
+    - htop
+    - rsync
+    - tar
+    - wget
+    - curl
+    - nginx
+  fstab:
+    - device: UUID=eeea7ae6-2dac-4969-a6bf-aa88f1799db9
+      path: /
+      fstype: ext4
+      options: rw,relatime
+      checks: 0 1
+    - device: UUID=18daa231-c7c9-4583-97de-fc2a93095a09
+      path: /boot
+      fstype: ext4
+      options: rw,relatime
+      checks: 0 2
+  nameservers:
+    - 1.1.1.1
+    - 8.8.8.8
+  users:
+    - name: root
+      allowedSshKeys:
+        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829
+        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDb2eZ2ymt+Zsf0eTlmjW2jPdS013lbde1+EGkgu6bz9lVTR8aawshF2HcoaWp5a5dJr3SKyihDM8hbWSYB3qyTHihNGyCArqSvAtZRw301ailRVHGqiwUITTfcg1533TtmWvlJZgOIFM1VvSAfdueDRRRzbygmn749fS9nhUTDzLtjqX5LvhpqhzsD+eOqPrV6Ne8E1e42JxQb5AJPY1gj9mk6eAarvtEHQYEe+/hp9ERjtCdN5DfuOJnqfaKS0ytPj/NbQskbX/TMgeUVio11iC2NbXsnAtzMmtbLX4mxlDQrR6aZmU/rHQ4aeJqI/Tj2rrF46icri7s0tnnit1OjT5PSxXgifcOtn06qoxYZMT1x+Dyrt40vNkGmxmxCnirm8B+6MKXgd/Ys+7tnOm1ht8TmLm96x6KdOiF3Zq/tMxhPAzp8JriTKSo7k7U9XxStFghTbhhBNc7OX89ZbpalLEnvbQiz87gZxhcx8cLvzIjslOHmZOSWC5Pgr4wwuj3Akq63i4ya6/BzM6v4UoBuDAB6fz3NHKL4R5X20la7Pvt7OBysQkGClWfj6ipMR1bFE2mfYtlMioXNgTjC+NCpEl1+81MH7dv2565Hk8CLV8FMxv6GujbAZGjjcM47lpWM1cBQvpBMUA/lLkyiCPK0YxNWAB7Co+jYDl6CR0Ubew== cardno:000606445161
+        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e isa@Isabelles-MacBook-Pro.local
+    - name: isa
+      groups: "wheel"
+      password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          32646436343430316239336133663933356637336239653637386638393766376133623335343338
+          3066636233353436326461336561616365613233643965340a383036663337313466316139313061
+          31353232373536646565336563633166366639353563303534633336646532316131363266306335
+          3063393532396238300a393835373462636662303665333035343066376666383637326132346336
+          3966
+      allowedSshKeys:
+        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829
+        - ssh-rsa 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 cardno:000606445161
+        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e isa@Isabelles-MacBook-Pro.local
+
+network:
+  nftables:
+    enable: true
+  interfaces:
+    - name: lo
+      loopback: true
+    - name: eth0
+      ipv4:
+        address: 5.45.103.213
+        gateway: 5.45.100.1
+        netmask: 255.255.252.0
+      ipv6:
+        address: 2a03:4000:6:4c3::1
+        gateway: fe80::1
+        netmask: 64
+
+services:
+  openssh:
+    enable: true
+    port: 22
+    permitRootLogin: true
+    passwordAuthentication: false
+
+  prometheus_node_exporter:
+    enable: true
+
+  postgresql:
+    enable: true
+
+  vnstat:
+    enable: true
+
+  acme_redirect:
+    enable: true
+    email: hi@f2k1.de
+    certs:
+      matrix.flauschekatze.space:
+        renewTasks:
+          - sudo rc-service nginx restart
+
+  nginx:
+    enable: true
+    user: nginx
+    group: nginx
+    sslOnly: true
+    vhosts:
+      localhost:
+        defaultServer: true
+        ssl:
+          enable: true
+          cert: "/var/lib/acme-redirect/live/matrix.flauschekatze.space/fullchain"
+          privkey: "/var/lib/acme-redirect/live/matrix.flauschekatze.space/privkey"
+        locations:
+          - path: /node-exporter
+            proxy: http://127.0.0.1:9100/metrics
+
+  synapse:
+    enable: true
+    homeserverConfig:
+      suppress_key_server_warning: true
+      no_tls: false
+      server_name: "flauschekatze.space"
+      pid_file: "/run/matrix-synapse.pid"
+      public_baseurl: "https://matrix.flauschekatze.space/"
+      listeners:
+        - port: 8008
+          bind_address: "127.0.0.1"
+          type: http
+          tls: false
+          x_forwarded: true
+          resources:
+            - names: ["client", "metrics"]
+              compress: true
+            - names: ["federation"]
+              compress: false
+      database:
+        name: "psycopg2"
+        args:
+          database: "synapse"
+      event_cache_size: "10K"
+      verbose: 0
+      rc_messages_per_second: 0.2
+      rc_message_burst_count: 10.0
+      federation_rc_window_size: 1000
+      federation_rc_sleep_limit: 10
+      federation_rc_sleep_delay: 500
+      federation_rc_reject_limit: 50
+      federation_rc_concurrent: 3
+      media_store_path: "/var/lib/synapse/media-store"
+      uploads_path: "/var/lib/synapse/uploads"
+      max_upload_size: "100M"
+      max_image_pixels: "32M"
+      dynamic_thumbnails: false
+      url_preview_enabled: true
+      url_preview_ip_range_blacklist: ["127.0.0.0/8","10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","100.64.0.0/10","169.254.0.0/16","::1/128","fe80::/64","fc00::/7"]
+      url_preview_ip_range_whitelist: []
+      url_preview_url_blacklist: []
+      enable_registration: false
+      enable_registration_captcha: false
+      recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
+      turn_uris: []
+      turn_shared_secret: ""
+      turn_user_lifetime: "1h"
+      enable_metrics: true
+      user_creation_max_duration: 1209600000
+      bcrypt_rounds: 12
+      allow_guest_access: false
+      room_invite_state_types: ["m.room.join_rules", "m.room.canonical_alias", "m.room.avatar", "m.room.name"]
+      expire_access_token: false
+      report_stats: false
+      signing_key_path: "/var/lib/synapse/homeserver.signing.key"
+      key_refresh_interval: "1d"
+      redaction_retention_period: 7
+      registration_shared_secret: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          30323431313734313633616137313161666664323131376432303866653030353763353061336363
+          6561643162353166643061623063643261373461613462390a653935613438376335633435353765
+          34313039666239333435396138313833306532383736613235323832633761386461656232396632
+          3232373435353731390a643732633063613335393163356338323861336530306466366637303533
+          66656635396465616665623063313335353331663062346665376266633034333462653565393831
+          65646438323564623966653436663034363139353665613838616139303538656431346631626630
+          306166303465306562636261626462323636
+      macaroon_secret_key: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          65643935663437343933636637336437666262616634663130306132366237616335663436646564
+          6333623132663235313330373266643864366638616466390a383634323261323261653935626233
+          64363665663863653332613333383565646633643037383365303637323263353932623738666130
+          3237373737306262300a326464643935666533306138613861353533383630383337363433313436
+          33363966343766633963613932343965313031646632396265346664353761393663616332636338
+          39653031663433343162393532333163383532326166396139613636343665626232316135326266
+          373236363232306534373564316461396162
+      form_secret: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          35373339343138313837383839333761666466663734626631646330666666386639383664306137
+          6636303535633766653839353164353862343435613362300a633866333962623331633231376564
+          39363665373737326334326134616638613265303561376338393834376339373434656565383462
+          3135333335656437310a623530376137656161663735653365333032313566346136623166636330
+          34626263316539306634383835363935386264306131383238613165653838633166396634303335
+          35373337633466336236363062636639626439353633303635326565373364366530623139386161
+          333937373064356461356662363235363036
+      perspectives:
+        servers:
+          "matrix.org":
+            verify_keys:
+              "ed25519:auto":
+                key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
+    logConfig:
+      version: 1
+      formatters:
+          precise:
+              format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+      handlers:
+          file:
+              class: logging.handlers.TimedRotatingFileHandler
+              formatter: precise
+              filename: /var/log/synapse/homeserver.log
+              when: midnight
+              backupCount: 3  # Does not include the current log file.
+              encoding: utf8
+          buffer:
+              class: logging.handlers.MemoryHandler
+              target: file
+              capacity: 10
+              flushLevel: 30  # Flush for WARNING logs as well
+          console:
+              class: logging.StreamHandler
+              formatter: precise
+      loggers:
+          synapse.storage.SQL:
+              level: INFO
+          twisted:
+              handlers: [file]
+              propagate: false
+      root:
+          level: INFO
+          handlers: [buffer]
+      disable_existing_loggers: false
+    webClient:
+      enable: false
+      configFile: config-files/osterei/schildichat-web.json
+    nginx:
+      enable: true
+      domain: "matrix.flauschekatze.space"
+      sslOnly: true
+      ssl:
+        enable: true
+        cert: "/var/lib/acme-redirect/live/matrix.flauschekatze.space/fullchain"
+        privkey: "/var/lib/acme-redirect/live/matrix.flauschekatze.space/privkey"
+      extraConfig: "
+        location /node-exporter {
+          proxy_pass http://127.0.0.1:9100/metrics;
+        }
+      "
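Review bot: `permitRootLogin: true` in the openssh block keeps root reachable over SSH (with three authorized keys) even though the `isa` account is in `wheel` and `enableSudo: true`, so root login could be turned off here; the role's accepted values aren't visible, so if it only takes a boolean, `permitRootLogin: false` is the change. `redaction_retention_period: 7` is a bare integer where the neighbouring durations are strings (`key_refresh_interval: "1d"`, `turn_user_lifetime: "1h"`); if the role passes `homeserverConfig` through verbatim, Synapse treats an integer duration as milliseconds — confirm, and write `"7d"` if days are meant. `webClient.configFile: config-files/osterei/schildichat-web.json` points under the osterei host's directory and looks copied from that host; it is inert while `enable: false` but should be corrected before the web client is enabled. `extraConfig` is a multi-line double-quoted scalar whose line breaks fold into spaces, so `extraConfig: |` would carry the nginx snippet as written instead of as one long line.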
diff --git a/configuration/osterei.yml b/configuration/osterei.yml
@@ -292,7 +292,8 @@ services:
             'toaster.frp.ctu.cx',
             'repo.f2k1.de',
             'luna.f2k1.de',
-            'isa-nuc.home.ctu.cx'
+            'isa-nuc.home.ctu.cx',
+            'matrix.flauschekatze.space'
           ]
 
         - job_name: 'fritzbox-exporter'
diff --git a/inventory b/inventory
@@ -35,4 +35,7 @@ ansible_ssh_port=24
 185.232.70.80
 
 [isanuc]
-195.39.246.41-
\ No newline at end of file
+195.39.246.41
+
+[matrix]
+matrix.flauschekatze.space+
\ No newline at end of file
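Review bot: The new side of `inventory` still ends without a trailing newline (`\ No newline at end of file` after the `[matrix]` entry), which appears to be why the `195.39.246.41` and `matrix.flauschekatze.space` lines show stray `-`/`+` suffixes in this diff; ending the file with a newline avoids the same churn the next time a host is appended. The `[matrix]` group also uses a DNS name where the groups in view use IP addresses, which is fine if resolution of `matrix.flauschekatze.space` is relied on, but is worth a conscious choice.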
diff --git a/playbook-f2k1de.yml b/playbook-f2k1de.yml
@@ -70,7 +70,9 @@
       tags: files
     - role: vnstat
       tags: vnstat
-#    - role: nginx
-#      tags: nginx
-#    - role: synapse
-#      tags: synapse
+    - role: postgresql
+      tags: postgresql
+    - role: nginx
+      tags: nginx
+    - role: synapse
+      tags: synapse
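Review bot: The roles enabled here (`postgresql`, `nginx`, `synapse`) are configured in `configuration/f2k1de/matrix.yml` to use certificate files under `/var/lib/acme-redirect/live/matrix.flauschekatze.space/`, and that host config sets `acme_redirect.enable: true`; the `roles:` list above this hunk isn't visible, so confirm an `acme_redirect` role runs before `nginx` in this play, otherwise nginx would likely fail to load the SSL vhosts on first run. Ordering `postgresql` ahead of `synapse` as done here is right, since synapse's database block points at the `psycopg2` backend. The enclosing play starts outside the hunk.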