authorLars Wirzenius <liw@liw.fi>2020-10-24 07:46:32 +0300
committerLars Wirzenius <liw@liw.fi>2020-10-24 07:46:32 +0300
commit7e44cf9f4357be6dd38de1ae5b3af7e4a09555a8 (patch)
tree08d4376fd920171007273683c8d3c5065a836502 /ansible/atuin.liw.fi.yml
parentc4be3fb180d7dd14ceda8a27121da531c3773724 (diff)
make all.sh remember what has been run already
Diffstat (limited to 'ansible/atuin.liw.fi.yml')
-rw-r--r--ansible/atuin.liw.fi.yml239
1 files changed, 239 insertions, 0 deletions
diff --git a/ansible/atuin.liw.fi.yml b/ansible/atuin.liw.fi.yml
new file mode 100644
index 0000000..43b8907
--- /dev/null
+++ b/ansible/atuin.liw.fi.yml
@@ -0,0 +1,239 @@
+- hosts: atuin
+ remote_user: root
+ roles:
+ - hetzner-network-bridge
+ - role: ferm-firewalled
+ tags: [ferm]
+ - sane_debian_system
+ - self-updating-system
+ - comfortable-debian-system
+ - unix_users
+ - storage_system
+ - smarthost-client
+ - vmhost-minimal
+ tasks:
+ - name: "install additional packages"
+ apt:
+ name:
+ - moreutils
+ - kpartx
+ - name: "put liw into libvirt"
+ user:
+ name: liw
+ groups: libvirt
+ - name: "enable IPv4 forwarding"
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: 1
+ - name: "create /home/liw/.config/ansibleness"
+ file:
+ path: /home/liw/.config/ansibleness
+ state: directory
+ owner: liw
+ group: liw
+ - name: "create vm.conf"
+ copy:
+ content: |
+ imagedir=/home/liw/base-image-specs/working
+ vg=vg0
+ vmnetwork=bridge=br0
+ dest: /home/liw/.config/ansibleness/vm.conf
+ owner: liw
+ group: liw
+ vars:
+ sane_debian_system_version: 0
+ unix_users_version: 0
+
+ ansible_python_interpreter: /usr/bin/python3
+ hostname: atuin
+ debian_codename: buster
+ timezone: Europe/Helsinki
+
+ unix_users:
+ - username: liw
+ comment: Lars Wirzenius
+ sudo: yes
+ authorized_keys: |
+ {{ liw_ssh_pub }}
+
+ mailname: atuin.liw.fi
+ smarthost: pieni.net
+ smarthost_user: pienirelay
+ smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
+ relayhost: pieni.net:587
+
+ bridge_nic: enp3s0
+ bridge_method: static
+ bridge_nic_addr: 78.46.87.180
+ bridge_gateway: 78.46.87.161
+ bridge_guest_addrs:
+ - 78.46.87.154
+ - 78.46.87.152
+
+ ferm_iface_ext: "{{ bridge_nic }}"
+
+
+- hosts: nalanda
+ remote_user: root
+ pre_tasks:
+ - name: "set up resolv.conf"
+ copy:
+ content: |
+ # nameserver config
+ nameserver 213.133.99.99
+ nameserver 213.133.98.98
+ nameserver 213.133.100.100
+ nameserver 2a01:4f8:0:1::add:1010
+ nameserver 2a01:4f8:0:1::add:9999
+ nameserver 2a01:4f8:0:1::add:9898
+ dest: /etc/resolv.conf
+ owner: root
+ group: root
+ mode: 0644
+ roles:
+ - role: ferm-firewalled
+ tags: [ferm]
+ - sane_debian_system
+ - self-updating-system
+ - comfortable-debian-system
+ - unix_users
+ - smarthost-client
+ tasks:
+ - name: "install additional packages"
+ apt:
+ name:
+ - borgbackup
+ - mosh
+ - name: "disable non-key authentication for ssh"
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^PasswordAuthentication"
+ line: "PasswordAuthentication no"
+ - name: "allow ssh password auth for one user"
+ shell: |
+ file=/etc/ssh/sshd_config
+ if ! grep -q 'Match User holly' "$file"
+ then
+ printf >> "$file" 'Match User holly\n PasswordAuthentication yes\n'
+ systemctl reload sshd
+ fi
+ - name: "create repository dirs for backup clients"
+ file:
+ state: directory
+ path: "/home/{{ item }}/repo"
+ owner: "{{ item }}"
+ group: "{{ item }}"
+ mode: 0700
+ with_items:
+ - liw-laptop
+ - liw-wmf-laptop
+ - liw-holywood
+ vars:
+ sane_debian_system_version: 0
+ unix_users_version: 0
+
+ ansible_python_interpreter: /usr/bin/python3
+ hostname: nalanda
+ debian_codename: buster
+ timezone: UTC
+
+ unix_users:
+ - username: liw
+ comment: Lars Wirzenius
+ sudo: yes
+ authorized_keys: |
+ {{ liw_ssh_pub }}
+ - username: liw-laptop
+ comment: Lars Wirzenius
+ authorized_keys: |
+ {{ liw_ssh_pub }}
+ - username: liw-wmf-laptop
+ comment: Lars Wirzenius
+ authorized_keys: |
+ {{ liw_ssh_pub }}
+ - username: liw-holywood
+ comment: Lars Wirzenius
+ authorized_keys: |
+ {{ liw_ssh_pub }}
+ {{ root_at_holywood2_ssh_key_pub }}
+ {{ root_at_holywood2_ssh_key_pub_v2 }}
+
+# disabled authorized_keys so they don't overwrite user's own changes
+ - username: dkscully
+ comment: Leslie
+ # authorized_keys: |
+ # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt+rzeHl8fYF5wX0p3MOiJWRvMTOluJh8n/r0qLfPyWdYq6z4pL+DlKOjO3KiZw0HjgkCMmk2E847aslMMTx0E113cWBqPZ0uP5lgfG5WrkZ1vMXRmy/k1itBd5FET5YQaB0lReoXk60wr2v9F41v8bG3RWEuZ9NbK4nqQjjIZKFmS04Y+NYtdUxtBaOp7hSTdbwHD1hC7j5Y+1Bucxi8DoLMUdk6E6kuvJST62X2tV8JlqFgukPgVOX+QXnIeqom51IcSvTuI+fLG0O6WtZhBw7wKG9uf5ye3Px5P9TQjU0Ejp3UJGdksUak3WCqTCyRGT0w/hpVY6THxSo87f5Jt dkscully@hex.geah.org
+ # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5SqJ7JMed7z0byEWnQob/ZA9xeNfdBWXWy9Cp/VCNf95+D5BcmfulFDr6oZVRCOSe/j1HyI4yMmRzfd37FTEAWOywFfwtUoryO01wlafwoMQ61BLJYDVA5A66kn0X/88N5beVsEZohlJlpzek5CoUktbsI2W6qhaKabHd9p8TOwfDMx2zBxItgw+jJkPbmNIontBSr2VGj/fLyEKr5F7pdIoRZ/vp5QjjjfjiGGeKrA/P2jQSsh+5Krxm1Gg5j5TM9S84lT6YcDj0F/dxXZmKME6wddHFZm7E6JFKQ4h+uLsvGNCjR++WoZihXhgIY9WATdh7OFlBBB4KkZavQ4XB dkscully@minicore.geah.org
+ # ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0ilWyOWlTzO2kIzY6xMks7LvhwwYY7/kVh6OCI/TFr4msglfsDvr+LjYDeZmWTbFOtf0WZF2qUgBm/V6HU8TZqCBWJEjD8yUUcvxNp/JzEt5J0PLZvB9hjYce549FNr5qwgfxz8i4a/tMVVektkiKlPlcrVK3lAuS/8BLkRmLm2fkBEzBU/CXyPpDdIqTOQQXohwD8VhTYEgoDFZa0FcNZyYQxpx8y3Iu7pX2IPSpbNyPLROlTGZyQ4iyfI2gA2gUsxw1S3MWvMbjW76kbXH4a4iLHrAi/1ND/rvt8Gm0Zrn1OsG8spR4G2H0wFHaYLm9lWWcwGyFaCpZl0ZsY/3KQ== dkscully@octopus
+ - username: dsilvers
+ comment: Daniel
+ # authorized_keys: |
+ # ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0Fe75AEGYSg7qxMjAO/D1XjkDaRPAnYMN589swN5F99Mngw9cWoAd1IvVb3Xhkyk4dLbeDfWFRHlKrHg6MarWORNdWYWXnz25NblxMzVRybkoBhh9og76GGJzXn+gyz4q6dpx1uwI7DuIWt0aThIjFSxCJ/o/w8Zy8nFDjMALTZroqlWMtGMeZjMaahkmNzNdfDQFxHIWzRyL6jDM9Gw4fIcCVNQ4qphx2K1LDAAnpsaTlenaZLZqQavDHj/5LXZizUPRFi22O2VsOYWb5S4wPJnQSdfqZ2hJTRRm7G/atA5HfEDVzNFuBHhu/KI59QUxf6zuX617e9dG2VoVRlJ1Q== dsilvers@ataraxia
+ # command="/usr/lib/openssh/sftp-server",no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA63ckmmt2XXb1rZnWoUlY8ShWODgEdEwYEgk2Y4JzCMAxT5SVCHqXGdIuQrZisqyRvwCeh2cvvuo81mgBWTX068b/YU/ahknLJYc6rdshQvQ+ON+BudhT91oqDDUQBF7jf6BJfohg5QbZEk586deKCo+tHgSNusH0m8UVZV4cAD+r6YIjxRKoG6r1jfRRf1Kwz31BFoIHSt2c7JvlUhb+MnAOQI47v6b+zsZY3PQRXMdYAHA5TCaDlJSaGctinHqHn4miWl+oGGqBnEBlYmEdmkwDxoDYM6UrgBntPJ+6UKzVOudcVWsOG43hytP1yS1eyaM5+Ok21sI9Kt56xf3v6w== root@octopus
+ - username: rjek
+ comment: Rob
+ # authorized_keys: |
+ # ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAunHPD5fC4YdJzs6GO1/lv1RDoURRX1NHZY9VXjnNVIVPmQTH+WXfHVTZeN1lpBCprIqGQwqpxiBt1btlh0ztyakbxaM0w4RpA9RvgRSGiHoMTmgmeKR6CmCil082n4+b92uQ4QZBN3J2xWsX82GS7Ptj0KwbGAlpxgd6/zB1EdmqvbEQk49ivzPANml5jpvEjG06Qx+ZknRzSucrnYHUHzvz9bdPSwDsdW7r166fvnwpTknR+Z+9Cs0oO/d7m4AwPe0x7TcQRDha/5T4xY/QuLSza83EheASZUbHGivFNsioDhzchA9aIIRg9TfnHBToL92idNtR5N2djoFAwU1Pdw== rjek@octopus
+ # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfdeHZJ5zkUYpH1ofYmIaFhm58LSiO80yyZca5ggzp0GBji9nV73eq0kn5K8XLeoC0uS/oiRNEstopwK6KvHR1lnGVnw4b7QKbYiu1MvlJANJqPhfXgzJA+8YwCV5AgsSx2fEWass1E+g2ylN05c3S5VgbUbfijTx6jqmOL3a43E7IBvMCvRPtEDJaHnpMpBeZneKt8UHNgreVCP8y6RMwezzHOWm81GeQHI7QPU5NR6vImJJeY+Js0gA2UzM6ch4IBnhhpy+KafP6Sf8E7oVHu4qq41JI8HT2vC1yCytipZ/51IG3Ou4G4jmVLL0O1XawK4/oWBS+SL+1sm7EulQD rjek@monotony
+ # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfdeHZJ5zkUYpH1ofYmIaFhm58LSiO80yyZca5ggzp0GBji9nV73eq0kn5K8XLeoC0uS/oiRNEstopwK6KvHR1lnGVnw4b7QKbYiu1MvlJANJqPhfXgzJA+8YwCV5AgsSx2fEWass1E+g2ylN05c3S5VgbUbfijTx6jqmOL3a43E7IBvMCvRPtEDJaHnpMpBeZneKt8UHNgreVCP8y6RMwezzHOWm81GeQHI7QPU5NR6vImJJeY+Js0gA2UzM6ch4IBnhhpy+KafP6Sf8E7oVHu4qq41JI8HT2vC1yCytipZ/51IG3Ou4G4jmVLL0O1XawK4/oWBS+SL+1sm7EulQD rjek@monotony
+ # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgWDSfzEXTejxDO0cy7RBUgcWQPTR1ceWC1ri7b0i0IUnD1VQjZkhmzT+QY25SyKBhoxGyB4RtfYPKcTq6DHmU1ffb4cgP9/s++P4Z35u0jJDjHZ7xpL4B2d3NZn+0Xbc1k1KhsGYSdH0XTMCvIcd6pjJBIBFN/WJSyroxLcD16ZXB9ZYSCo90rdFfuwuRtbQxcAdVw4KGqM6lpc0SZdhkVvCXl3a0uOK9hqg9jGHuZ2qSvKD/km5UpHJfv/1Jt96GbW3CLypBa+Vau7PALqzO6H+OkD9VH4Z2YfrnUFAqaUSvAMXaW+k/Fyj+GpTnX8XhPADQIZW+yC7AC/eyDTd/ root@gruntle
+ # echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgWDSfzEXTejxDO0cy7RBUgcWQPTR1ceWC1ri7b0i0IUnD1VQjZkhmzT+QY25SyKBhoxGyB4RtfYPKcTq6DHmU1ffb4cgP9/s++P4Z35u0jJDjHZ7xpL4B2d3NZn+0Xbc1k1KhsGYSdH0XTMCvIcd6pjJBIBFN/WJSyroxLcD16ZXB9ZYSCo90rdFfuwuRtbQxcAdVw4KGqM6lpc0SZdhkVvCXl3a0uOK9hqg9jGHuZ2qSvKD/km5UpHJfv/1Jt96GbW3CLypBa+Vau7PALqzO6H+OkD9VH4Z2YfrnUFAqaUSvAMXaW+k/Fyj+GpTnX8XhPADQIZW+yC7AC/eyDTd/ root@gruntle
+ - username: holly
+ comment: Holly
+ - username: ppf
+ comment: PPF
+ # authorized_keys: |
+ # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPzZG0zGrTrGHDkoTGg5kmOZEKWPM8Y0uVsGcbFNlv2y8+Eg4pAWdejcj2DhzgBueoEzhXo4uHQH1iLDYJ/11XM5HxDrsXdi2ArzJ8lPAoQYObOK0/aq+ZrGS3GK6shuxGoQm2IWNnwu7XEfKMJR43LTpBEYntsesRtkIaPdd8buDJ1yixgXUggS9A/44Br3zkAPVhOfYbMjeaTQGQhSTZlS8MuD8PgQVNbftGhaK1WXfR9JpWmK8ILg6/Img48/+OhdYm2zz7K91Pi82hZ5JsEaTriC0p2IoHhA6EQdICLDdRfCSJNkhKyEjyL0BB4VFjIefmJfQ3rESCL+n9mGJP root@bagpuss
+ # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKO73AYFqHucIjv2sdgbK+JU+i0gZOSazaTWT3Q4OouZ4M+EEYUTLPVBu301+QuSgrOqGPvwrAW5aYYgWWSqgr81dynPYoAUCgek9BzaW/GGffBDgPgeuJRrshDAwMNLxZTh8oWZUBvEWmSLVFAsmrZo71pEtj5DE9jjGXZodCnt2ngx7YeFyic0/jtJEe8SyZ/EhzXXbUMlt5I93P4le15j09XpAGZkt51J8hR/akAEh9pu06Slsy1tKawLtdr+oQdD22WZrn8jmkfp+X8ovwK8seKsG9NF70y2qT797cVd1egbtoKDRARBuxEWF1GrGnc62V6gP+Cn5hbagUnCGP root@inmail
+ # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9vQVyxfuBw7X4KxWQx6cyGcfR6qVlsn8L2BxqGmvSfKZyez+v2vHsfk+2Jb1Ixauu2JjWFJ/IsH5S8Cx1TVvNK5DYklCiAS/dNp2Xm1jO39EG3tmr22NNOuIg8ADCs9Hjia+t5nm6GiYSIAN/ADn4XTwE0cG8CA0R1BvMUPnGL7vpOg+77r8h7wLIGvmFY8Eg0Sqpb55QkNx5VC7tbi3b9lCZNTtYMAuhlpBg18PAskUm2HV/tHUv3LhHC1bx9IMW+O9Vct2AKijlPP3uEVY6yKawtymU9EqM9RCSX2hjwg6CtG0sCIimAZCIdEMaFnaTlnKJ/Mlb7KHSmJLDxfQF root@outmail
+ # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKusytc5zOHCK5nEzenYCVyCV4UHA6urvNbS7WSy4Asp9p5iaWSruwnyD5wlpUlyauJg/UmZuSdzh80+CQv1/bBTHgLJlbm1IBvORGNpcMzvrPMFfvSu+PcDs5VQpmZ99EtRrS5htpR14/lkfleCVLLUjYCm+O6qSk3kEhjJrO3BsDPZ8hc4nOOzThzcKGr+3VFQRygjWpIe1dMDLtD/aHuR+n4q3e3k82r4X+ok+owm01OIqyDTlVlmTCS68QR0pSKZU+gH7lVHUWn/j+B8y7ASx/uwC+FvG9vPmOC93ATpW+B6A5zP/cWisiHq6ugoVZ0pdL/pJ77tIAtjTqeuZJ root@ns-h1
+ # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDpA9f8+NuCLU3syBx9CoHMaMiUwx5lQ4QLVi2cVrpz5viYn/zDN+aEABBWBgdlUv0EqwvTVY9cKofDGWCMOPWFyv02gOxiKyAN5lh+iUlaetryKuV0LpU4JGcwJJjdGkv9JL0CplyCl/crP4JLpDp7rJuzy2hkwofuOxdepVPISXSmNX8D9p9wtdgfke1A/AOOtx7DaK9vnDajSQBeU60Y0Y1bBkJgP+jZn88U2QOVvCQr1GnDJk8Op7lABIh+Dk1NgICufH9O06EDk5t5Wn7LxdfxFXqLl1HiRJLeQ8IamfAXxf6QNWvi6KoDk1tV5at4fH0V0Q+x0P3bxfJMgkAf root@minnow
+ # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDn1o9OFu18ZuX0WHN8OSNQgiLlcA+n1lJnI1AP9bNNcdPz9Bp9ux0aCitu7LtegBAytw+95B8OtELz5PDX0NKVWl+pgjsMSWclQBvyEcPjsKEBdn10PaPLOxBsG+nskXdWfTbpIphADOvwArVPd4bdmNoEkj3xNK4LFEq62gNVy9gJRJhwGGKj7eDsnqkmXrLgxxMGwa5rDWAD8UrrOrcUbVibQrqEUVZd1Arw2z6WItuqYDzTRbLjIeHB3qgTy6S8Bzd4Natq6nfogScwcftTjRE9wE3Y2jfkgOvrvpy8GaA4SNpnUQAUpdJmu4tsxvOykdEEnMMJOWtTOorsfX2N root@platypus
+ # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCeStXzBGzv156b/fa10LuhNkMlTIA9f5i0+8CWTPU5HV45jbqXdX1vb5K+Hm62pl5UriQSq3zM4wap6KyZqbdQIuPj5N7xfBCBKf8dZDiLbhNNTu9y6yMKcgwcmh7Fa0HiAjlYawwPgrjpubAk5YNA4jnxqC+7Qz99xTPGkMk5AKJmPOgeKx1TPDjWu20vdW5YF44VQ28LkaP4QMIkoZSeYvLKOIuUOD0GHLqnNgHi/GbsPMN5pFM1fYuPz8GVz8+r5vYGdkONXNg6GxRLLx9XvmwJonblKBeWlFQqdDpjq4eEPyc5Hwu/Hdg2NYZZLmCFZD4tbMKwmpdBbTzlB+BF root@dnsbl.rjek.com
+
+
+ mailname: nalanda.liw.fi
+ smarthost: pieni.net
+ smarthost_user: pienirelay
+ smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
+ relayhost: pieni.net:587
+
+
+# - hosts: gregvm
+# remote_user: root
+# pre_tasks:
+# - name: "set up resolv.conf"
+# copy:
+# content: |
+# # nameserver config
+# nameserver 213.133.99.99
+# nameserver 213.133.98.98
+# nameserver 213.133.100.100
+# nameserver 2a01:4f8:0:1::add:1010
+# nameserver 2a01:4f8:0:1::add:9999
+# nameserver 2a01:4f8:0:1::add:9898
+# dest: /etc/resolv.conf
+# owner: root
+# group: root
+# mode: 0644
+# roles:
+# - sane_debian_system
+# - unix_users
+# tasks:
+# - name: "disable non-key authentication for ssh"
+# lineinfile:
+# path: /etc/ssh/sshd_config
+# regexp: "^PasswordAuthentication"
+# line: "PasswordAuthentication no"
+# vars:
+# ansible_python_interpreter: /usr/bin/python3
+# hostname: gregvm
+# debian_codename: buster
+# timezone: UTC
+
+# unix_users:
+# - username: greg
+# comment: Greg
+# sudo: yes
+# authorized_keys: |
+# {{ greg_ssh_pub }}
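Review bot: The two sshd_config tasks in the nalanda play do not reliably leave sshd running the policy they describe: the `lineinfile` task that sets `PasswordAuthentication no` never reloads sshd, and the only reload sits inside the `shell` branch that runs when the `Match User holly` block is first appended. Because `lineinfile` appends at end of file when its regexp matches nothing, a run against a file that already has the Match block but no global line would put `PasswordAuthentication no` inside holly's Match block, where it would not apply to other users. The `shell` task also reports changed on every run and edits the file with no syntax check. I would give both tasks a `validate` command and a shared reload handler, anchor the global line with `insertbefore: "^Match "`, and replace the shell append with `blockinfile`. A host that already carries the hand-appended block needs it removed once so the Match block is not duplicated.

```yaml
    - name: "disable non-key authentication for ssh"
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^PasswordAuthentication"
        line: "PasswordAuthentication no"
        insertbefore: "^Match "
        validate: "/usr/sbin/sshd -t -f %s"
      notify: reload sshd
    - name: "allow ssh password auth for one user"
      blockinfile:
        path: /etc/ssh/sshd_config
        block: |
          Match User holly
              PasswordAuthentication yes
        validate: "/usr/sbin/sshd -t -f %s"
      notify: reload sshd
    # … unchanged: "create repository dirs for backup clients" task and vars …
  handlers:
    - name: reload sshd
      service:
        name: sshd
        state: reloaded
```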