authorLars Wirzenius <liw@liw.fi>2023-09-18 06:56:55 +0300
committerLars Wirzenius <liw@liw.fi>2023-09-18 06:56:55 +0300
commit3d9ad7ece30b701515ebe869b0b7372c0c93ceb7 (patch)
tree7b854a89c20249cd83c5d25cba7c855c95bc98d9
parent373ff634e83dfd131fe2c47106da15be82d597c6 (diff)
downloadansibleness-3d9ad7ece30b701515ebe869b0b7372c0c93ceb7.tar.gz
more use of default sshd_ variables
Sponsored-by: author
-rw-r--r--ansible/exolobe1.yml3
-rw-r--r--ansible/http.liw.fi.yml4
-rw-r--r--ansible/image-dist.yml3
-rw-r--r--ansible/qotom.yml3
-rw-r--r--ansible/radicle-dev.yml3
-rw-r--r--ansible/stamina.yml3
-rw-r--r--ansible/upliw.yml430
-rw-r--r--ansible/upliw0-private.yml210
8 files changed, 4 insertions, 655 deletions
diff --git a/ansible/exolobe1.yml b/ansible/exolobe1.yml
index 72b27dd..6a2184a 100644
--- a/ansible/exolobe1.yml
+++ b/ansible/exolobe1.yml
@@ -268,9 +268,6 @@
smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
sshd_version: 1
- sshd_host_key: "{{ lookup('pipe', 'sshca host private-key {{ sane_debian_system_hostname }}') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 {{ sane_debian_system_hostname }}') }}"
- sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"
rustup_cargo_install: |
starship \
diff --git a/ansible/http.liw.fi.yml b/ansible/http.liw.fi.yml
index b48d536..598537b 100644
--- a/ansible/http.liw.fi.yml
+++ b/ansible/http.liw.fi.yml
@@ -290,6 +290,10 @@
ownermail: liw@liw.fi
letsencrypt: no
+ # We must define the sshd variables here. The defaults from the
+ # "all" group assume sshca knows the host by the
+ # sane_debian_system_hostname name, which isn't true for this
+ # host.
sshd_version: 1
sshd_host_key: "{{ lookup('pipe', 'sshca host private-key http.liw.fi') }}"
sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 http.liw.fi') }}"
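Review bot: The override kept below the new comment still hard-codes the host CA path `liw.fi/ca/host/v5` in `sshd_host_cert`, so this host will presumably keep certifying against v5 if the "all" group defaults move to a newer host CA; those defaults are not visible in this diff. The added comment explains why the host name differs but does not mention that the CA path is now duplicated here. I would extend it with `# Keep the CA path (liw.fi/ca/host/v5) in sync with the "all" group defaults when the host CA is rotated.` The vars block continues outside the hunk, so whether `sshd_user_ca_pub` is still defined for this host cannot be seen from here.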
diff --git a/ansible/image-dist.yml b/ansible/image-dist.yml
index 07562b1..91e2612 100644
--- a/ansible/image-dist.yml
+++ b/ansible/image-dist.yml
@@ -110,7 +110,4 @@
comment: Static web site content
sshd_version: 1
- sshd_host_key: "{{ lookup('pipe', 'sshca host private-key image-dist') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 image-dist') }}"
- sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"
diff --git a/ansible/qotom.yml b/ansible/qotom.yml
index f36cb60..de370db 100644
--- a/ansible/qotom.yml
+++ b/ansible/qotom.yml
@@ -20,7 +20,4 @@
comment: Lars Wirzenius
sshd_version: 1
- sshd_host_key: "{{ lookup('pipe', 'sshca host private-key qotom') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 qotom') }}"
- sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"
diff --git a/ansible/radicle-dev.yml b/ansible/radicle-dev.yml
index db9515d..b2383c1 100644
--- a/ansible/radicle-dev.yml
+++ b/ansible/radicle-dev.yml
@@ -124,9 +124,6 @@
comment: Lars Wirzenius
sshd_version: 1
- sshd_host_key: "{{ lookup('pipe', 'sshca host private-key {{ sane_debian_hostname }}') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 {{ sane_debian_hostname }}') }}"
- sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"
rustup_cargo_install: |
starship \
diff --git a/ansible/stamina.yml b/ansible/stamina.yml
index 4d7dce7..411c387 100644
--- a/ansible/stamina.yml
+++ b/ansible/stamina.yml
@@ -193,6 +193,3 @@
smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
sshd_version: 1
- sshd_host_key: "{{ lookup('pipe', 'sshca host private-key stamina') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 stamina') }}"
- sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"
diff --git a/ansible/upliw.yml b/ansible/upliw.yml
deleted file mode 100644
index bc22b9c..0000000
--- a/ansible/upliw.yml
+++ /dev/null
@@ -1,430 +0,0 @@
-- hosts: upliw0
- remote_user: root
- become: no
- roles:
- - role: sane_debian_system
- - role: self-updating-system
- - role: sshd
- - role: ssd
- - role: ansible
- - role: comfortable-debian-system
- - role: gnupg-workstation
- - role: version-controller
- - role: emacs
- - role: gnome-system
- - role: vmhost
- - role: unix_users
- - role: liw
- - role: rust-rustup
- - role: smarthost-client
-
-
- tasks:
- - file:
- state: directory
- path: /etc/apt/keyrings
-
- - copy:
- content: |
- {{ docker_pgp }}
- dest: /etc/apt/keyrings/docker.asc
-
- - apt_repository:
- state: present
- repo: |
- deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian bookworm stable
- update_cache: yes
-
- - name: install goreleaser apt source
- apt_repository:
- state: present
- repo: |
- deb [trusted=yes] https://repo.goreleaser.com/apt/ /
- update_cache: yes
-
- - copy:
- content: |
- {{ hashcorp_pgp }}
- dest: /etc/apt/keyrings/hashcorp.asc
-
- - apt_repository:
- state: present
- repo: |
- deb [signed-by=/etc/apt/keyrings/hashcorp.asc] https://apt.releases.hashicorp.com {{ sane_debian_system_codename }} main
-
- # Remove ping to force it be reinstalled so that the right
- # capabilities are set.
- - apt:
- name: iputils-ping
- state: absent
-
- - apt:
- name:
- - acpi
- - apt-file
- - bc
- - bind9-host
- - black
- - build-essential
- - cachedir
- - clang
- - cryptsetup
- - curl
- - debhelper
- - debmirror
- - dh-cargo
- - dict
- - dict-foldoc
- - dict-gcide
- - dict-jargon
- - dict-vera
- - dict-wn
- - dictd
- - dnsutils
- - expect
- - extrautils
- - fio
- - firmware-misc-nonfree
- - fling
- - gddrescue
- - genisoimage
- - gimp
- - git-annex
- - graphviz
- - htop
- - iftop
- - ikiwiki
- - info
- - inkscape
- - iputils-ping
- - isync
- - jq
- - jt
- - libclang-dev
- - libdvd-pkg
- - librsvg2-bin
- - libsqlite3-dev
- - libssl-dev
- - libvirt-dev
- - linux-perf
- - liw-automation
- - llvm
- - lmodern
- - locales-all
- - lshw
- - lvm2
- - mmv
- - moreutils
- - mosh
- - mtr
- - nethogs
- - nfpm
- - nfs-common
- - nmap
- - num-utils
- - oathtool
- - openpgp-ca
- - ovmf
- - pandoc
- - pandoc-filter-diagram
- - parted-doc
- - pavucontrol
- - pkg-config
- - plantuml
- - printer-driver-ptouch
- - psmisc
- - pv
- - python3
- - qemu-user-static
- - rsync
- - screen
- - shellcheck
- - sqlite3
- - sshca
- - strace
- - subplot
- - summain
- - texlive-fonts-recommended
- - texlive-latex-base
- - texlive-latex-extra
- - texlive-latex-recommended
- - texlive-plain-generic
- - time
- - unicode
- - units
- - usbutils
- - uuid
- - vault
- - validns
- - vim
- - vlc
- - vmdb2
- - vobcopy
- - w3m
- - whois
- - xpdf
- - yaml-mode
- - zerofree
- - zip
-
- - name: configure dict
- copy:
- content: |
- server localhost
- dest: /etc/dictd/dict.conf
-
- - apt:
- name:
- - linux-image-amd64
- - firmware-misc-nonfree
- - firmware-realtek
- default_release: bookworm
- state: latest
-
- - lineinfile:
- path: /etc/gdm3/daemon.conf
- regexp: WaylandEnable=
- line: WaylandEnable=false
-
- - name: "install necessary packages to use a Yubikey with LUKS"
- apt:
- name:
- - yubikey-luks
- - usbutils
-
- # - name: "configure crypttab to use yubikey-luks key script"
- # crypttab:
- # name: pv0
- # opts: keyscript=/usr/share/yubikey-luks/ykluks-keyscript
- # state: opts_present
-
- - name: "update initramfs"
- shell: |
- update-initramfs -u
-
- - shell: |
- flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
-
- - apt:
- name:
- - golang
- default_release: bookworm
- state: latest
-
- - copy:
- content: |
- {
- "default-address-pools": [{ "base": "192.168.128.0/17", "size": 24 }]
- }
- dest: /etc/docker/daemon.json
-
- - lineinfile:
- path: /etc/default/grub
- regexp: ^GRUB_ENABLE_CRYPTODISK=
- line: GRUB_ENABLE_CRYPTODISK=n
-
- - shell: |
- update-grub
-
- vars:
- ansible_python_interpreter: /usr/bin/python3
-
- sane_debian_system_version: 2
- sane_debian_system_hostname: "{{ inventory_hostname }}"
- sane_debian_system_codename: bookworm
- sane_debian_system_timezone: Europe/Helsinki
- sane_debian_system_sources_lists:
- - repo: |
- deb http://deb.debian.org/debian bookworm contrib non-free
-
- - repo: |
- deb-src http://deb.debian.org/debian bookworm main contrib non-free
-
- - repo: |
- deb http://deb.debian.org/debian bookworm-backports main contrib non-free
-
- - repo: |
- deb-src http://deb.debian.org/debian bookworm-backports main contrib non-free
-
- - repo: |
- deb http://security.debian.org/debian-security bookworm-security main contrib non-free
-
- - repo: |
- deb http://code.liw.fi/debian unstable main
- signing_key: "{{ code_liw_fi_signing_key }}"
-
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
-
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable main
- signing_key: "{{ ci_prod_signing_key }}"
-
- unix_users_version: 2
- unix_users:
- - username: liw
- comment: Lars Wirzenius
- sudo: yes
- groups:
- - audio
- - bluetooth
- - cdrom
- - dialout
- - dip
- - floppy
- - libvirt
- - netdev
- - plugdev
- - scanner
- - video
- - docker
-
- rustup_cargo_install: |
- bat \
- difftastic \
- ripgrep \
- starship \
- zoxide \
- ytop
-
- sshd_version: 1
- sshd_host_key: "{{ lookup('pipe', 'sshca host private-key upliw0') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 upliw0') }}"
- sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"
-
- docker_pgp: |
- -----BEGIN PGP PUBLIC KEY BLOCK-----
-
- mQINBFit2ioBEADhWpZ8/wvZ6hUTiXOwQHXMAlaFHcPH9hAtr4F1y2+OYdbtMuth
- lqqwp028AqyY+PRfVMtSYMbjuQuu5byyKR01BbqYhuS3jtqQmljZ/bJvXqnmiVXh
- 38UuLa+z077PxyxQhu5BbqntTPQMfiyqEiU+BKbq2WmANUKQf+1AmZY/IruOXbnq
- L4C1+gJ8vfmXQt99npCaxEjaNRVYfOS8QcixNzHUYnb6emjlANyEVlZzeqo7XKl7
- UrwV5inawTSzWNvtjEjj4nJL8NsLwscpLPQUhTQ+7BbQXAwAmeHCUTQIvvWXqw0N
- cmhh4HgeQscQHYgOJjjDVfoY5MucvglbIgCqfzAHW9jxmRL4qbMZj+b1XoePEtht
- ku4bIQN1X5P07fNWzlgaRL5Z4POXDDZTlIQ/El58j9kp4bnWRCJW0lya+f8ocodo
- vZZ+Doi+fy4D5ZGrL4XEcIQP/Lv5uFyf+kQtl/94VFYVJOleAv8W92KdgDkhTcTD
- G7c0tIkVEKNUq48b3aQ64NOZQW7fVjfoKwEZdOqPE72Pa45jrZzvUFxSpdiNk2tZ
- XYukHjlxxEgBdC/J3cMMNRE1F4NCA3ApfV1Y7/hTeOnmDuDYwr9/obA8t016Yljj
- q5rdkywPf4JF8mXUW5eCN1vAFHxeg9ZWemhBtQmGxXnw9M+z6hWwc6ahmwARAQAB
- tCtEb2NrZXIgUmVsZWFzZSAoQ0UgZGViKSA8ZG9ja2VyQGRvY2tlci5jb20+iQI3
- BBMBCgAhBQJYrefAAhsvBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEI2BgDwO
- v82IsskP/iQZo68flDQmNvn8X5XTd6RRaUH33kXYXquT6NkHJciS7E2gTJmqvMqd
- tI4mNYHCSEYxI5qrcYV5YqX9P6+Ko+vozo4nseUQLPH/ATQ4qL0Zok+1jkag3Lgk
- jonyUf9bwtWxFp05HC3GMHPhhcUSexCxQLQvnFWXD2sWLKivHp2fT8QbRGeZ+d3m
- 6fqcd5Fu7pxsqm0EUDK5NL+nPIgYhN+auTrhgzhK1CShfGccM/wfRlei9Utz6p9P
- XRKIlWnXtT4qNGZNTN0tR+NLG/6Bqd8OYBaFAUcue/w1VW6JQ2VGYZHnZu9S8LMc
- FYBa5Ig9PxwGQOgq6RDKDbV+PqTQT5EFMeR1mrjckk4DQJjbxeMZbiNMG5kGECA8
- g383P3elhn03WGbEEa4MNc3Z4+7c236QI3xWJfNPdUbXRaAwhy/6rTSFbzwKB0Jm
- ebwzQfwjQY6f55MiI/RqDCyuPj3r3jyVRkK86pQKBAJwFHyqj9KaKXMZjfVnowLh
- 9svIGfNbGHpucATqREvUHuQbNnqkCx8VVhtYkhDb9fEP2xBu5VvHbR+3nfVhMut5
- G34Ct5RS7Jt6LIfFdtcn8CaSas/l1HbiGeRgc70X/9aYx/V/CEJv0lIe8gP6uDoW
- FPIZ7d6vH+Vro6xuWEGiuMaiznap2KhZmpkgfupyFmplh0s6knymuQINBFit2ioB
- EADneL9S9m4vhU3blaRjVUUyJ7b/qTjcSylvCH5XUE6R2k+ckEZjfAMZPLpO+/tF
- M2JIJMD4SifKuS3xck9KtZGCufGmcwiLQRzeHF7vJUKrLD5RTkNi23ydvWZgPjtx
- Q+DTT1Zcn7BrQFY6FgnRoUVIxwtdw1bMY/89rsFgS5wwuMESd3Q2RYgb7EOFOpnu
- w6da7WakWf4IhnF5nsNYGDVaIHzpiqCl+uTbf1epCjrOlIzkZ3Z3Yk5CM/TiFzPk
- z2lLz89cpD8U+NtCsfagWWfjd2U3jDapgH+7nQnCEWpROtzaKHG6lA3pXdix5zG8
- eRc6/0IbUSWvfjKxLLPfNeCS2pCL3IeEI5nothEEYdQH6szpLog79xB9dVnJyKJb
- VfxXnseoYqVrRz2VVbUI5Blwm6B40E3eGVfUQWiux54DspyVMMk41Mx7QJ3iynIa
- 1N4ZAqVMAEruyXTRTxc9XW0tYhDMA/1GYvz0EmFpm8LzTHA6sFVtPm/ZlNCX6P1X
- zJwrv7DSQKD6GGlBQUX+OeEJ8tTkkf8QTJSPUdh8P8YxDFS5EOGAvhhpMBYD42kQ
- pqXjEC+XcycTvGI7impgv9PDY1RCC1zkBjKPa120rNhv/hkVk/YhuGoajoHyy4h7
- ZQopdcMtpN2dgmhEegny9JCSwxfQmQ0zK0g7m6SHiKMwjwARAQABiQQ+BBgBCAAJ
- BQJYrdoqAhsCAikJEI2BgDwOv82IwV0gBBkBCAAGBQJYrdoqAAoJEH6gqcPyc/zY
- 1WAP/2wJ+R0gE6qsce3rjaIz58PJmc8goKrir5hnElWhPgbq7cYIsW5qiFyLhkdp
- YcMmhD9mRiPpQn6Ya2w3e3B8zfIVKipbMBnke/ytZ9M7qHmDCcjoiSmwEXN3wKYI
- mD9VHONsl/CG1rU9Isw1jtB5g1YxuBA7M/m36XN6x2u+NtNMDB9P56yc4gfsZVES
- KA9v+yY2/l45L8d/WUkUi0YXomn6hyBGI7JrBLq0CX37GEYP6O9rrKipfz73XfO7
- JIGzOKZlljb/D9RX/g7nRbCn+3EtH7xnk+TK/50euEKw8SMUg147sJTcpQmv6UzZ
- cM4JgL0HbHVCojV4C/plELwMddALOFeYQzTif6sMRPf+3DSj8frbInjChC3yOLy0
- 6br92KFom17EIj2CAcoeq7UPhi2oouYBwPxh5ytdehJkoo+sN7RIWua6P2WSmon5
- U888cSylXC0+ADFdgLX9K2zrDVYUG1vo8CX0vzxFBaHwN6Px26fhIT1/hYUHQR1z
- VfNDcyQmXqkOnZvvoMfz/Q0s9BhFJ/zU6AgQbIZE/hm1spsfgvtsD1frZfygXJ9f
- irP+MSAI80xHSf91qSRZOj4Pl3ZJNbq4yYxv0b1pkMqeGdjdCYhLU+LZ4wbQmpCk
- SVe2prlLureigXtmZfkqevRz7FrIZiu9ky8wnCAPwC7/zmS18rgP/17bOtL4/iIz
- QhxAAoAMWVrGyJivSkjhSGx1uCojsWfsTAm11P7jsruIL61ZzMUVE2aM3Pmj5G+W
- 9AcZ58Em+1WsVnAXdUR//bMmhyr8wL/G1YO1V3JEJTRdxsSxdYa4deGBBY/Adpsw
- 24jxhOJR+lsJpqIUeb999+R8euDhRHG9eFO7DRu6weatUJ6suupoDTRWtr/4yGqe
- dKxV3qQhNLSnaAzqW/1nA3iUB4k7kCaKZxhdhDbClf9P37qaRW467BLCVO/coL3y
- Vm50dwdrNtKpMBh3ZpbB1uJvgi9mXtyBOMJ3v8RZeDzFiG8HdCtg9RvIt/AIFoHR
- H3S+U79NT6i0KPzLImDfs8T7RlpyuMc4Ufs8ggyg9v3Ae6cN3eQyxcK3w0cbBwsh
- /nQNfsA6uu+9H7NhbehBMhYnpNZyrHzCmzyXkauwRAqoCbGCNykTRwsur9gS41TQ
- M8ssD1jFheOJf3hODnkKU+HKjvMROl1DK7zdmLdNzA1cvtZH/nCC9KPj1z8QC47S
- xx+dTZSx4ONAhwbS/LN3PoKtn8LPjY9NP9uDWI+TWYquS2U+KHDrBDlsgozDbs/O
- jCxcpDzNmXpWQHEtHU7649OXHP7UeNST1mCUCH5qdank0V1iejF6/CfTFU4MfcrG
- YT90qFF93M3v01BbxP+EIY2/9tiIPbrd
- =0YYh
- -----END PGP PUBLIC KEY BLOCK-----
-
- hashcorp_pgp: |
- -----BEGIN PGP PUBLIC KEY BLOCK-----
-
- mQINBGO9u+MBEADmE9i8rpt8xhRqxbzlBG06z3qe+e1DI+SyjscyVVRcGDrEfo+J
- W5UWw0+afey7HFkaKqKqOHVVGSjmh6HO3MskxcpRm/pxRzfni/OcBBuJU2DcGXnG
- nuRZ+ltqBncOuONi6Wf00McTWviLKHRrP6oWwWww7sYF/RbZp5xGmMJ2vnsNhtp3
- 8LIMOmY2xv9LeKMh++WcxQDpIeRohmSJyknbjJ0MNlhnezTIPajrs1laLh/IVKVz
- 7/Z73UWX+rWI/5g+6yBSEtj368N7iyq+hUvQ/bL00eyg1Gs8nE1xiCmRHdNjMBLX
- lHi0V9fYgg3KVGo6Hi/Is2gUtmip4ZPnThVmB5fD5LzS7Y5joYVjHpwUtMD0V3s1
- HiHAUbTH+OY2JqxZDO9iW8Gl0rCLkfaFDBS2EVLPjo/kq9Sn7vfp2WHffWs1fzeB
- HI6iUl2AjCCotK61nyMR33rNuNcbPbp+17NkDEy80YPDRbABdgb+hQe0o8htEB2t
- CDA3Ev9t2g9IC3VD/jgncCRnPtKP3vhEhlhMo3fUCnJI7XETgbuGntLRHhmGJpTj
- ydudopoMWZAU/H9KxJvwlVXiNoBYFvdoxhV7/N+OBQDLMevB8XtPXNQ8ZOEHl22G
- hbL8I1c2SqjEPCa27OIccXwNY+s0A41BseBr44dmu9GoQVhI7TsetpR+qwARAQAB
- tFFIYXNoaUNvcnAgU2VjdXJpdHkgKEhhc2hpQ29ycCBQYWNrYWdlIFNpZ25pbmcp
- IDxzZWN1cml0eStwYWNrYWdpbmdAaGFzaGljb3JwLmNvbT6JAlQEEwEIAD4CGwMF
- CwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQR5iuxlTlwVQoyOQu6qFvy8piHnAQUC
- Y728PQUJCWYB2gAKCRCqFvy8piHnAd16EADeBtTgkdVEvct40TH/9HKkR/Lc/ohM
- rer6FFHdKmceJ6Ma8/Qm4nCO5C7c4+EPjsUXdhK5w8DSdC5VbKLJDY1EnDlmU5B1
- wSFkGoYKoB8lUn30E77E33MTu2kfrSuF605vetq269CyBwIJV7oNN6311dW8iQ6z
- IytTtlJbVr4YZ7Vst40/uR4myumk9bVBGEd6JhFAPmr/um+BZFhRf9/8xtOryOyB
- GF2d+bc9IoAugpxwv0IowHEqkI4RpK2U9hvxG80sTOcmerOuFbmNyPwnEgtJ6CM1
- bc8WAmObJiQcRSLbcgF+a7+2wqrUbCqRE7QoS2wjd1HpUVPmSdJN925c2uaua2A4
- QCbTEg8kV2HiP0HGXypVNhZJt5ouo0YgR6BSbMlsMHniDQaSIP1LgmEz5xD4UAxO
- Y/GRR3LWojGzVzBb0T98jpDgPtOu/NpKx3jhSpE2U9h/VRDiL/Pf7gvEIxPUTKuV
- 5D8VqAiXovlk4wSH13Q05d9dIAjuinSlxb4DVr8IL0lmx9DyHehticmJVooHDyJl
- HoA2q2tFnlBBAFbN92662q8Pqi9HbljVRTD1vUjof6ohaoM+5K1C043dmcwZZMTc
- 7gV1rbCuxh69rILpjwM1stqgI1ONUIkurKVGZHM6N2AatNKqtBRdGEroQo1aL4+4
- u+DKFrMxOqa5b7kCDQRjvbwTARAA0ut7iKLj9sOcp5kRG/5V+T0Ak2k2GSus7w8e
- kFh468SVCNUgLJpLzc5hBiXACQX6PEnyhLZa8RAG+ehBfPt03GbxW6cK9nx7HRFQ
- GA79H5B4AP3XdEdT1gIL2eaHdQot0mpF2b07GNfADgj99MhpxMCtTdVbBqHY8YEQ
- Uq7+E9UCNNs45w5ddq07EDk+o6C3xdJ42fvS2x44uNH6Z6sdApPXLrybeun74C1Z
- Oo4Ypre4+xkcw2q2WIhy0Qzeuw+9tn4CYjrhw/+fvvPGUAhtYlFGF6bSebmyua8Q
- MTKhwqHqwJxpjftM3ARdgFkhlH1H+PcmpnVutgTNKGcy+9b/lu/Rjq/47JZ+5VkK
- ZtYT/zO1oW5zRklHvB6R/OcSlXGdC0mfReIBcNvuNlLhNcBA9frNdOk3hpJgYDzg
- f8Ykkc+4z8SZ9gA3g0JmDHY1X3SnSadSPyMas3zH5W+16rq9E+MZztR0RWwmpDtg
- Ff1XGMmvc+FVEB8dRLKFWSt/E1eIhsK2CRnaR8uotKW/A/gosao0E3mnIygcyLB4
- fnOM3mnTF3CcRumxJvnTEmSDcoKSOpv0xbFgQkRAnVSn/gHkcbVw/ZnvZbXvvseh
- 7dstp2ljCs0queKU+Zo22TCzZqXX/AINs/j9Ll67NyIJev445l3+0TWB0kego5Fi
- UVuSWkMAEQEAAYkEcgQYAQgAJhYhBHmK7GVOXBVCjI5C7qoW/LymIecBBQJjvbwT
- AhsCBQkJZgGAAkAJEKoW/LymIecBwXQgBBkBCAAdFiEE6wr14plJaVlvmYc+cG5m
- g2nAhekFAmO9vBMACgkQcG5mg2nAhenPURAAimI0EBZbqpyHpwpbeYq3Pygg1bdo
- IlBQUVoutaN1lR7kqGXwYH+BP6G40x79LwVy/fWV8gO7cDX6D1yeKLNbhnJHPBus
- FJDmzDPbjTlyWlDqJoWMiPqfAOc1A1cHodsUJDUlA01j1rPTho0S9iALX5R50Wa9
- sIenpfe7RVunDwW5gw6y8me7ncl5trD0LM2HURw6nYnLrxePiTAF1MF90jrAhJDV
- +krYqd6IFq5RHKveRtCuTvpL7DlgVCtntmbXLbVC/Fbv6w1xY3A7rXko/03nswAi
- AXHKMP14UutVEcLYDBXbDrvgpb2p2ZUJnujs6cNyx9cOPeuxnke8+ACWvpnWxwjL
- M5u8OckiqzRRobNxQZ1vLxzdovYTwTlUAG7QjIXVvOk9VNp/ERhh0eviZK+1/ezk
- Z8nnPjx+elThQ+r16EM7hD0RDXtOR1VZ0R3OL64AlZYDZz1jEA3lrGhvbjSIfBQk
- T6mxKUsCy3YbElcOyuohmPRgT1iVDIZ/1iPL0Q0HGm4+EsWCdH6fAPB7TlHD8z2D
- 7JCFLihFDWs5lrZyuWMO9nryZiVjJrOLPcStgJYVd/MhRHR4hC6g09bgo25RMJ6f
- gyzL4vlEB7aSUih7yjgL9s5DKXP2J71dAhIlF8nnM403R2xEeHyivnyeR/9Ifn7M
- PJvUMUuoG+ZANSMkrw//XA31o//TVk9WsLD1Edxt5XZCoR+fS+Vz8ScLwP1d/vQE
- OW/EWzeMRG15C0td1lfHvwPKvf2MN+WLenp9TGZ7A1kEHIpjKvY51AIkX2kW5QLu
- Y3LBb+HGiZ6j7AaU4uYR3kS1+L79v4kyvhhBOgx/8V+b3+2pQIsVOp79ySGvVwpL
- FJ2QUgO15hnlQJrFLRYa0PISKrSWf35KXAy04mjqCYqIGkLsz2qQCY2lGcD5k05z
- bBC4TvxwVxv0ftl2C5Bd0ydl/2YM7GfLrmZmTijK067t4OO+2SROT2oYPDsMtZ6S
- E8vUXvoGpQ8tf5Nkrn2t0zDG3UDtgZY5UVYnZI+xT7WHsCz//8fY3QMvPXAuc33T
- vVdiSfP0aBnZXj6oGs/4Vl1Dmm62XLr13+SMoepMWg2Vt7C8jqKOmhFmSOWyOmRH
- UZJR7nKvTpFnL8atSyFDa4o1bk2U3alOscWS8u8xJ/iMcoONEBhItft6olpMVdzP
- CTrnCAqMjTSPlQU/9EGtp21KQBed2KdAsJBYuPgwaQeyNIvQEOXmINavl58VD72Y
- 2T4TFEY8dUiExAYpSodbwBL2fr8DJxOX68WH6e3fF7HwX8LRBjZq0XUwh0KxgHN+
- b9gGXBvgWnJr4NSQGGPiSQVNNHt2ZcBAClYhm+9eC5/VwB+Etg4+1wDmggztiqE=
- =FdUF
- -----END PGP PUBLIC KEY BLOCK-----
-
-
- mailname: "{{ sane_debian_system_hostname }}.liw.fi"
- hostname: "{{ sane_debian_system_hostname }}"
- relayhost: pieni.net:587
- smarthost: pieni.net
- smarthost_user: pienirelay
- smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
diff --git a/ansible/upliw0-private.yml b/ansible/upliw0-private.yml
deleted file mode 100644
index 441b246..0000000
--- a/ansible/upliw0-private.yml
+++ /dev/null
@@ -1,210 +0,0 @@
-- hosts: private
- remote_user: root
- become: no
- roles:
- - role: sane_debian_system
- - role: self-updating-system
- - role: comfortable-debian-system
- - role: version-controller
- - role: emacs
- - role: smarthost-client
- - role: mail-client
- - role: annexed
- - role: unix_users
- - role: liw
- - role: rust-rustup
-
- tasks:
- # Remove ping to force it be reinstalled so that the right
- # capabilities are set.
- - apt:
- name: iputils-ping
- state: absent
-
- - apt:
- name:
- - build-essential
- - extrautils
- - iputils-ping
- - jq
- - jt
- - liw-automation
- - pandoc-filter-diagram
- - python3
- - shellcheck
- - subplot
- - summain
- - texlive-fonts-recommended
- - texlive-latex-base
- - texlive-latex-extra
- - texlive-latex-recommended
- - texlive-plain-generic
-
- - name: install command line utilities
- apt:
- name:
- - bc
- - bind9-host
- - curl
- - dnsutils
- - htop
- - iftop
- - ikiwiki
- - info
- - jt
- - locales-all
- - lvm2
- - mmv
- - moreutils
- - mosh
- - mtr
- - nethogs
- - nmap
- - num-utils
- - psmisc
- - pv
- - rsync
- - screen
- - strace
- - time
- - units
- - vim
- - w3m
- - whois
- - yaml-mode
- - zip
-
- - name: "Install ewww"
- apt:
- name:
- - ewww
- - psmisc
- - curl
- - rsync
- state: present
- - name: "Create /srv/http"
- file:
- state: directory
- path: /srv/http
- owner: _ewww
- group: _ewww
- mode: 0755
- - name: "Create ewww config directory"
- file:
- state: directory
- path: /etc/ewww
- - name: "Install ewww config"
- copy:
- content: |
- webroot: /srv/http
- listen: "0.0.0.0:443"
- tls_cert: /etc/ewww/tls.pem
- tls_key: /etc/ewww/tls.key
- dest: /etc/ewww/ewww.yaml
- - name: "Install TLS cert"
- copy:
- content: |
- -----BEGIN CERTIFICATE-----
- MIICrzCCAZcCFFusxXoXXAVCzpfNK5VlnS8vFnY/MA0GCSqGSIb3DQEBCwUAMBQx
- EjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0yMTA3MjIwNzMzNThaFw0yMjA3MjIwNzMz
- NThaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEP
- ADCCAQoCggEBALhfy48gwIslLt5nCDSaPZeg52TwlZ8gWotnoprcv3cgTllDD/t7
- uLwRrYFJl2AheaNRP+ZOgXYzuS+pOz7YCdLg6bc1d8Dto69gQy848GnTtHINgy3Z
- Ag0L5d2B8/PcpEagFe2z1cCDzxNxkhjWisb0Rm1AOJcNxQWvICw428wwWEr6SRiO
- FHTht5UG0oClK88cJSwBnzNSS9Q30q42JfUmua1Dd0PS3FOMibtzMB9aBATeR4uH
- pQ1qCGU197er0PVfxWYrm8LEyZFQHRviwiaLNMtMRQuOp2rDF3kV/aZuw+aUYqpk
- zz+H3g0lxU3vYp/NmSRvC7y4HFxr7xlu6DECAwEAATANBgkqhkiG9w0BAQsFAAOC
- AQEAgpZ0dd+W4v7P6uFZ3R4rbRrHUQEOlFFMUrkf6EyT9xeIk7XjO6+RYbVP6tWX
- h4T9sEIFypAtR/47JEhFKYzncPBygUQfzXH5hW0JgviMQ8nNQz6NUJ5vPpeI4Tob
- 7uipx46Lq6nF6h9DbMK/03M7ZeybEa+nknDtry5hKTVzi+xSkVQX1/xgOBY0hhUk
- xcLCULujN2Lp262aP9hIuI/vaXo5HOh+BavsSauVUsRjScz/8Lgn+q4qRajcgnRa
- WvK5nH/Ok4am5F9LDcwZOyUXrV+VB9CcbhnzinMuPwCdhPvMr+F7zQP9YXbOeOlP
- NdZiSNvGZAbEnmMnNCEYMO3wVA==
- -----END CERTIFICATE-----
- dest: /etc/ewww/tls.pem
- - name: "Install TLS key"
- copy:
- content: |
- -----BEGIN RSA PRIVATE KEY-----
- MIIEpAIBAAKCAQEAuF/LjyDAiyUu3mcINJo9l6DnZPCVnyBai2eimty/dyBOWUMP
- +3u4vBGtgUmXYCF5o1E/5k6BdjO5L6k7PtgJ0uDptzV3wO2jr2BDLzjwadO0cg2D
- LdkCDQvl3YHz89ykRqAV7bPVwIPPE3GSGNaKxvRGbUA4lw3FBa8gLDjbzDBYSvpJ
- GI4UdOG3lQbSgKUrzxwlLAGfM1JL1DfSrjYl9Sa5rUN3Q9LcU4yJu3MwH1oEBN5H
- i4elDWoIZTX3t6vQ9V/FZiubwsTJkVAdG+LCJos0y0xFC46nasMXeRX9pm7D5pRi
- qmTPP4feDSXFTe9in82ZJG8LvLgcXGvvGW7oMQIDAQABAoIBAQCTKyP441PNvahj
- ripGkreHSNBrKf7EPbcIf3iz1HCgThE7/uPLAT68IAA2qt9BxHarfjdbRl7gUvkG
- qja4OwncYdssemlUfluhqVz3XKPKVUo7n72N4yJX959L6GcpyHz4QuA+FMYSHSQ1
- iPntCZNMq79rhU+mgz85AkjUA66ulKzkFwYRL6oRJ+fxwYKTCcnRAUbUaihDXb5T
- AV4wDPMKLse70KL42SPTrQFzTqguDlXzPlKvqOEi2lZkNkiMr8wdN/xZlzLre89K
- EM/mczCnYnI17dkFrdF+9Wsr63o24H+vUQ3IWIDnVP+dgMXonvCz2Z8mawlb5tt7
- vuY4b9KBAoGBAOczO740Q/mDk2iQI4Kt+o1unRwz34AEge0hm7kVUb7g2iV9sqNU
- PovFjIvfCpWTmxVj6NQHyHbKDUfnnYzrpYHuMu2mL5E/1w+WqO1xPgoS287Xs/0I
- E6N/BozDW4kMgBID0U2qz0JBrDMDFlL/yoziec6kv8f8uvRlQKtSdVSFAoGBAMwm
- uDCShE4RcCr0PgAhiCSllJF03AVbLioTqdXwiHbIVvu5XvUClgOuI0eUDzU0Dsco
- eWVaMQYx2Gt26sPPE52duZQNZ8JOZVq8/eSoycxYBn+hxYsjWqR9VvAZ4UMQvQ9g
- T8La/NJTmzGVqpSD6XA176umCmgB/oeEaNZvchq9AoGAUfmbdDxJ4b1iVc/Nl3ci
- gGU49Zf65gQzISYqdbx2aIyHLIXeAgVLy/k2dR2XPiPA+BudoRhFXsETZmxcM2wW
- GfSgQB0Nfp25HkDYEqB1U9MN9tAKdGwZsn3Gj8Bwwy4Ydsq9uqEWrbJlYQz2LGWf
- psZiU/+cNEeK7j68aEJrcZUCgYAu7zvrVtP6CsJJ7csPRqZBHpwwcLhgtty/KbQj
- DmChRl/REYYGOCj7AZ70xtJUPfqjyOdX6MtajD0gP7+rcsEkvG0833QaVOGyYb7R
- Qgja5OXhk/SRj3g4VuSU4K5MN93vWgocVzJGvJfyZ2FHMaiKdqv6P3sm/EZjK4ra
- udZ21QKBgQDXmMP5sPHBtpHyXybIHk+nJICOtsKAJklXA1msgCk8OqDyPXX3qh8e
- 4vFU4tgRN1nBMmEG5ROTtING1dQ5+X3aqXOJIO+asE1FkQA1kUhFKg2OSo15liPI
- cB5//DSHki2Mh1iZxPfZnvFYpEOl9pmedSJ4tlltzKQSY//6kGJ49g==
- -----END RSA PRIVATE KEY-----
- dest: /etc/ewww/tls.key
- - name: "Enable and start ewww service"
- systemd:
- name: ewww
- state: restarted
- enabled: yes
- daemon_reload: yes
-
- vars:
- ansible_python_interpreter: /usr/bin/python3
-
- sane_debian_system_version: 2
- sane_debian_system_hostname: "{{ inventory_hostname }}"
- sane_debian_system_codename: bullseye
- sane_debian_system_timezone: Europe/Helsinki
- sane_debian_system_sources_lists:
- - repo: |
- deb http://deb.debian.org/debian bullseye contrib non-free
-
- - repo: |
- deb-src http://deb.debian.org/debian bullseye main contrib non-free
-
- - repo: |
- deb http://security.debian.org/debian-security bullseye-security main contrib non-free
-
- - repo: |
- deb http://code.liw.fi/debian unstable main
- signing_key: "{{ code_liw_fi_signing_key }}"
-
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
-
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable main
- signing_key: "{{ ci_prod_signing_key }}"
-
- unix_users_version: 2
- unix_users:
- - username: _ewww
- comment: Static web site content
- - username: liw
- comment: Lars Wirzenius
- sudo: yes
-
- mailname: "{{ sane_debian_system_hostname }}.liw.fi"
- relayhost: pieni.net:587
- smarthost: pieni.net
- smarthost_user: pienirelay
- smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
-
- rustup_cargo_install: |
- bat \
- difftastic \
- ripgrep \
- starship \
- zoxide \
- ytop