author | Lars Wirzenius <liw@liw.fi> | 2020-10-24 07:46:32 +0300 |
---|---|---|
committer | Lars Wirzenius <liw@liw.fi> | 2020-10-24 07:46:32 +0300 |
commit | 7e44cf9f4357be6dd38de1ae5b3af7e4a09555a8 (patch) | |
tree | 08d4376fd920171007273683c8d3c5065a836502 /ansible/atuin.liw.fi.yml | |
parent | c4be3fb180d7dd14ceda8a27121da531c3773724 (diff) | |
download | ansibleness-7e44cf9f4357be6dd38de1ae5b3af7e4a09555a8.tar.gz |
make all.sh remember what has been run already
Diffstat (limited to 'ansible/atuin.liw.fi.yml')
-rw-r--r-- | ansible/atuin.liw.fi.yml | 239 |
1 files changed, 239 insertions, 0 deletions
diff --git a/ansible/atuin.liw.fi.yml b/ansible/atuin.liw.fi.yml
new file mode 100644
index 0000000..43b8907
--- /dev/null
+++ b/ansible/atuin.liw.fi.yml
@@ -0,0 +1,239 @@
+- hosts: atuin
+ remote_user: root
+ roles:
+ - hetzner-network-bridge
+ - role: ferm-firewalled
+ tags: [ferm]
+ - sane_debian_system
+ - self-updating-system
+ - comfortable-debian-system
+ - unix_users
+ - storage_system
+ - smarthost-client
+ - vmhost-minimal
+ tasks:
+ - name: "install additional packages"
+ apt:
+ name:
+ - moreutils
+ - kpartx
+ - name: "put liw into libvirt"
+ user:
+ name: liw
+ groups: libvirt
+ - name: "enable IPv4 forwarding"
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: 1
+ - name: "create /home/liw/.config/ansibleness"
+ file:
+ path: /home/liw/.config/ansibleness
+ state: directory
+ owner: liw
+ group: liw
+ - name: "create vm.conf"
+ copy:
+ content: |
+ imagedir=/home/liw/base-image-specs/working
+ vg=vg0
+ vmnetwork=bridge=br0
+ dest: /home/liw/.config/ansibleness/vm.conf
+ owner: liw
+ group: liw
+ vars:
+ sane_debian_system_version: 0
+ unix_users_version: 0
+
+ ansible_python_interpreter: /usr/bin/python3
+ hostname: atuin
+ debian_codename: buster
+ timezone: Europe/Helsinki
+
+ unix_users:
+ - username: liw
+ comment: Lars Wirzenius
+ sudo: yes
+ authorized_keys: |
+ {{ liw_ssh_pub }}
+
+ mailname: atuin.liw.fi
+ smarthost: pieni.net
+ smarthost_user: pienirelay
+ smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
+ relayhost: pieni.net:587
+
+ bridge_nic: enp3s0
+ bridge_method: static
+ bridge_nic_addr: 78.46.87.180
+ bridge_gateway: 78.46.87.161
+ bridge_guest_addrs:
+ - 78.46.87.154
+ - 78.46.87.152
+
+ ferm_iface_ext: "{{ bridge_nic }}"
+
+
+- hosts: nalanda
+ remote_user: root
+ pre_tasks:
+ - name: "set up resolv.conf"
+ copy:
+ content: |
+ # nameserver config
+ nameserver 213.133.99.99
+ nameserver 213.133.98.98
+ nameserver 213.133.100.100
+ nameserver 2a01:4f8:0:1::add:1010
+ nameserver 2a01:4f8:0:1::add:9999
+ nameserver 2a01:4f8:0:1::add:9898
+ dest: /etc/resolv.conf
+ owner: root
+ group: root
+ mode: 0644
+ roles:
+ - role: ferm-firewalled
+ tags: [ferm]
+ -
sane_debian_system
+ - self-updating-system
+ - comfortable-debian-system
+ - unix_users
+ - smarthost-client
+ tasks:
+ - name: "install additional packages"
+ apt:
+ name:
+ - borgbackup
+ - mosh
+ - name: "disable non-key authentication for ssh"
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "^PasswordAuthentication"
+ line: "PasswordAuthentication no"
+ - name: "allow ssh password auth for one user"
+ shell: |
+ file=/etc/ssh/sshd_config
+ if ! grep -q 'Match User holly' "$file"
+ then
+ printf >> "$file" 'Match User holly\n PasswordAuthentication yes\n'
+ systemctl reload sshd
+ fi
+ - name: "create repository dirs for backup clients"
+ file:
+ state: directory
+ path: "/home/{{ item }}/repo"
+ owner: "{{ item }}"
+ group: "{{ item }}"
+ mode: 0700
+ with_items:
+ - liw-laptop
+ - liw-wmf-laptop
+ - liw-holywood
+ vars:
+ sane_debian_system_version: 0
+ unix_users_version: 0
+
+ ansible_python_interpreter: /usr/bin/python3
+ hostname: nalanda
+ debian_codename: buster
+ timezone: UTC
+
+ unix_users:
+ - username: liw
+ comment: Lars Wirzenius
+ sudo: yes
+ authorized_keys: |
+ {{ liw_ssh_pub }}
+ - username: liw-laptop
+ comment: Lars Wirzenius
+ authorized_keys: |
+ {{ liw_ssh_pub }}
+ - username: liw-wmf-laptop
+ comment: Lars Wirzenius
+ authorized_keys: |
+ {{ liw_ssh_pub }}
+ - username: liw-holywood
+ comment: Lars Wirzenius
+ authorized_keys: |
+ {{ liw_ssh_pub }}
+ {{ root_at_holywood2_ssh_key_pub }}
+ {{ root_at_holywood2_ssh_key_pub_v2 }}
+
+# disabled authorized_keys so they don't overwrite user's own changes
+ - username: dkscully
+ comment: Leslie
+ # authorized_keys: |
+ # ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQCt+rzeHl8fYF5wX0p3MOiJWRvMTOluJh8n/r0qLfPyWdYq6z4pL+DlKOjO3KiZw0HjgkCMmk2E847aslMMTx0E113cWBqPZ0uP5lgfG5WrkZ1vMXRmy/k1itBd5FET5YQaB0lReoXk60wr2v9F41v8bG3RWEuZ9NbK4nqQjjIZKFmS04Y+NYtdUxtBaOp7hSTdbwHD1hC7j5Y+1Bucxi8DoLMUdk6E6kuvJST62X2tV8JlqFgukPgVOX+QXnIeqom51IcSvTuI+fLG0O6WtZhBw7wKG9uf5ye3Px5P9TQjU0Ejp3UJGdksUak3WCqTCyRGT0w/hpVY6THxSo87f5Jt dkscully@hex.geah.org + # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5SqJ7JMed7z0byEWnQob/ZA9xeNfdBWXWy9Cp/VCNf95+D5BcmfulFDr6oZVRCOSe/j1HyI4yMmRzfd37FTEAWOywFfwtUoryO01wlafwoMQ61BLJYDVA5A66kn0X/88N5beVsEZohlJlpzek5CoUktbsI2W6qhaKabHd9p8TOwfDMx2zBxItgw+jJkPbmNIontBSr2VGj/fLyEKr5F7pdIoRZ/vp5QjjjfjiGGeKrA/P2jQSsh+5Krxm1Gg5j5TM9S84lT6YcDj0F/dxXZmKME6wddHFZm7E6JFKQ4h+uLsvGNCjR++WoZihXhgIY9WATdh7OFlBBB4KkZavQ4XB dkscully@minicore.geah.org + # ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0ilWyOWlTzO2kIzY6xMks7LvhwwYY7/kVh6OCI/TFr4msglfsDvr+LjYDeZmWTbFOtf0WZF2qUgBm/V6HU8TZqCBWJEjD8yUUcvxNp/JzEt5J0PLZvB9hjYce549FNr5qwgfxz8i4a/tMVVektkiKlPlcrVK3lAuS/8BLkRmLm2fkBEzBU/CXyPpDdIqTOQQXohwD8VhTYEgoDFZa0FcNZyYQxpx8y3Iu7pX2IPSpbNyPLROlTGZyQ4iyfI2gA2gUsxw1S3MWvMbjW76kbXH4a4iLHrAi/1ND/rvt8Gm0Zrn1OsG8spR4G2H0wFHaYLm9lWWcwGyFaCpZl0ZsY/3KQ== dkscully@octopus + - username: dsilvers + comment: Daniel + # authorized_keys: | + # ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0Fe75AEGYSg7qxMjAO/D1XjkDaRPAnYMN589swN5F99Mngw9cWoAd1IvVb3Xhkyk4dLbeDfWFRHlKrHg6MarWORNdWYWXnz25NblxMzVRybkoBhh9og76GGJzXn+gyz4q6dpx1uwI7DuIWt0aThIjFSxCJ/o/w8Zy8nFDjMALTZroqlWMtGMeZjMaahkmNzNdfDQFxHIWzRyL6jDM9Gw4fIcCVNQ4qphx2K1LDAAnpsaTlenaZLZqQavDHj/5LXZizUPRFi22O2VsOYWb5S4wPJnQSdfqZ2hJTRRm7G/atA5HfEDVzNFuBHhu/KI59QUxf6zuX617e9dG2VoVRlJ1Q== dsilvers@ataraxia + # command="/usr/lib/openssh/sftp-server",no-pty,no-user-rc,no-X11-forwarding ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAQEA63ckmmt2XXb1rZnWoUlY8ShWODgEdEwYEgk2Y4JzCMAxT5SVCHqXGdIuQrZisqyRvwCeh2cvvuo81mgBWTX068b/YU/ahknLJYc6rdshQvQ+ON+BudhT91oqDDUQBF7jf6BJfohg5QbZEk586deKCo+tHgSNusH0m8UVZV4cAD+r6YIjxRKoG6r1jfRRf1Kwz31BFoIHSt2c7JvlUhb+MnAOQI47v6b+zsZY3PQRXMdYAHA5TCaDlJSaGctinHqHn4miWl+oGGqBnEBlYmEdmkwDxoDYM6UrgBntPJ+6UKzVOudcVWsOG43hytP1yS1eyaM5+Ok21sI9Kt56xf3v6w== root@octopus + - username: rjek + comment: Rob + # authorized_keys: | + # ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAunHPD5fC4YdJzs6GO1/lv1RDoURRX1NHZY9VXjnNVIVPmQTH+WXfHVTZeN1lpBCprIqGQwqpxiBt1btlh0ztyakbxaM0w4RpA9RvgRSGiHoMTmgmeKR6CmCil082n4+b92uQ4QZBN3J2xWsX82GS7Ptj0KwbGAlpxgd6/zB1EdmqvbEQk49ivzPANml5jpvEjG06Qx+ZknRzSucrnYHUHzvz9bdPSwDsdW7r166fvnwpTknR+Z+9Cs0oO/d7m4AwPe0x7TcQRDha/5T4xY/QuLSza83EheASZUbHGivFNsioDhzchA9aIIRg9TfnHBToL92idNtR5N2djoFAwU1Pdw== rjek@octopus + # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfdeHZJ5zkUYpH1ofYmIaFhm58LSiO80yyZca5ggzp0GBji9nV73eq0kn5K8XLeoC0uS/oiRNEstopwK6KvHR1lnGVnw4b7QKbYiu1MvlJANJqPhfXgzJA+8YwCV5AgsSx2fEWass1E+g2ylN05c3S5VgbUbfijTx6jqmOL3a43E7IBvMCvRPtEDJaHnpMpBeZneKt8UHNgreVCP8y6RMwezzHOWm81GeQHI7QPU5NR6vImJJeY+Js0gA2UzM6ch4IBnhhpy+KafP6Sf8E7oVHu4qq41JI8HT2vC1yCytipZ/51IG3Ou4G4jmVLL0O1XawK4/oWBS+SL+1sm7EulQD rjek@monotony + # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfdeHZJ5zkUYpH1ofYmIaFhm58LSiO80yyZca5ggzp0GBji9nV73eq0kn5K8XLeoC0uS/oiRNEstopwK6KvHR1lnGVnw4b7QKbYiu1MvlJANJqPhfXgzJA+8YwCV5AgsSx2fEWass1E+g2ylN05c3S5VgbUbfijTx6jqmOL3a43E7IBvMCvRPtEDJaHnpMpBeZneKt8UHNgreVCP8y6RMwezzHOWm81GeQHI7QPU5NR6vImJJeY+Js0gA2UzM6ch4IBnhhpy+KafP6Sf8E7oVHu4qq41JI8HT2vC1yCytipZ/51IG3Ou4G4jmVLL0O1XawK4/oWBS+SL+1sm7EulQD rjek@monotony + # ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCgWDSfzEXTejxDO0cy7RBUgcWQPTR1ceWC1ri7b0i0IUnD1VQjZkhmzT+QY25SyKBhoxGyB4RtfYPKcTq6DHmU1ffb4cgP9/s++P4Z35u0jJDjHZ7xpL4B2d3NZn+0Xbc1k1KhsGYSdH0XTMCvIcd6pjJBIBFN/WJSyroxLcD16ZXB9ZYSCo90rdFfuwuRtbQxcAdVw4KGqM6lpc0SZdhkVvCXl3a0uOK9hqg9jGHuZ2qSvKD/km5UpHJfv/1Jt96GbW3CLypBa+Vau7PALqzO6H+OkD9VH4Z2YfrnUFAqaUSvAMXaW+k/Fyj+GpTnX8XhPADQIZW+yC7AC/eyDTd/ root@gruntle + # echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgWDSfzEXTejxDO0cy7RBUgcWQPTR1ceWC1ri7b0i0IUnD1VQjZkhmzT+QY25SyKBhoxGyB4RtfYPKcTq6DHmU1ffb4cgP9/s++P4Z35u0jJDjHZ7xpL4B2d3NZn+0Xbc1k1KhsGYSdH0XTMCvIcd6pjJBIBFN/WJSyroxLcD16ZXB9ZYSCo90rdFfuwuRtbQxcAdVw4KGqM6lpc0SZdhkVvCXl3a0uOK9hqg9jGHuZ2qSvKD/km5UpHJfv/1Jt96GbW3CLypBa+Vau7PALqzO6H+OkD9VH4Z2YfrnUFAqaUSvAMXaW+k/Fyj+GpTnX8XhPADQIZW+yC7AC/eyDTd/ root@gruntle + - username: holly + comment: Holly + - username: ppf + comment: PPF + # authorized_keys: | + # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPzZG0zGrTrGHDkoTGg5kmOZEKWPM8Y0uVsGcbFNlv2y8+Eg4pAWdejcj2DhzgBueoEzhXo4uHQH1iLDYJ/11XM5HxDrsXdi2ArzJ8lPAoQYObOK0/aq+ZrGS3GK6shuxGoQm2IWNnwu7XEfKMJR43LTpBEYntsesRtkIaPdd8buDJ1yixgXUggS9A/44Br3zkAPVhOfYbMjeaTQGQhSTZlS8MuD8PgQVNbftGhaK1WXfR9JpWmK8ILg6/Img48/+OhdYm2zz7K91Pi82hZ5JsEaTriC0p2IoHhA6EQdICLDdRfCSJNkhKyEjyL0BB4VFjIefmJfQ3rESCL+n9mGJP root@bagpuss + # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKO73AYFqHucIjv2sdgbK+JU+i0gZOSazaTWT3Q4OouZ4M+EEYUTLPVBu301+QuSgrOqGPvwrAW5aYYgWWSqgr81dynPYoAUCgek9BzaW/GGffBDgPgeuJRrshDAwMNLxZTh8oWZUBvEWmSLVFAsmrZo71pEtj5DE9jjGXZodCnt2ngx7YeFyic0/jtJEe8SyZ/EhzXXbUMlt5I93P4le15j09XpAGZkt51J8hR/akAEh9pu06Slsy1tKawLtdr+oQdD22WZrn8jmkfp+X8ovwK8seKsG9NF70y2qT797cVd1egbtoKDRARBuxEWF1GrGnc62V6gP+Cn5hbagUnCGP root@inmail + # ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQC9vQVyxfuBw7X4KxWQx6cyGcfR6qVlsn8L2BxqGmvSfKZyez+v2vHsfk+2Jb1Ixauu2JjWFJ/IsH5S8Cx1TVvNK5DYklCiAS/dNp2Xm1jO39EG3tmr22NNOuIg8ADCs9Hjia+t5nm6GiYSIAN/ADn4XTwE0cG8CA0R1BvMUPnGL7vpOg+77r8h7wLIGvmFY8Eg0Sqpb55QkNx5VC7tbi3b9lCZNTtYMAuhlpBg18PAskUm2HV/tHUv3LhHC1bx9IMW+O9Vct2AKijlPP3uEVY6yKawtymU9EqM9RCSX2hjwg6CtG0sCIimAZCIdEMaFnaTlnKJ/Mlb7KHSmJLDxfQF root@outmail + # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKusytc5zOHCK5nEzenYCVyCV4UHA6urvNbS7WSy4Asp9p5iaWSruwnyD5wlpUlyauJg/UmZuSdzh80+CQv1/bBTHgLJlbm1IBvORGNpcMzvrPMFfvSu+PcDs5VQpmZ99EtRrS5htpR14/lkfleCVLLUjYCm+O6qSk3kEhjJrO3BsDPZ8hc4nOOzThzcKGr+3VFQRygjWpIe1dMDLtD/aHuR+n4q3e3k82r4X+ok+owm01OIqyDTlVlmTCS68QR0pSKZU+gH7lVHUWn/j+B8y7ASx/uwC+FvG9vPmOC93ATpW+B6A5zP/cWisiHq6ugoVZ0pdL/pJ77tIAtjTqeuZJ root@ns-h1 + # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDpA9f8+NuCLU3syBx9CoHMaMiUwx5lQ4QLVi2cVrpz5viYn/zDN+aEABBWBgdlUv0EqwvTVY9cKofDGWCMOPWFyv02gOxiKyAN5lh+iUlaetryKuV0LpU4JGcwJJjdGkv9JL0CplyCl/crP4JLpDp7rJuzy2hkwofuOxdepVPISXSmNX8D9p9wtdgfke1A/AOOtx7DaK9vnDajSQBeU60Y0Y1bBkJgP+jZn88U2QOVvCQr1GnDJk8Op7lABIh+Dk1NgICufH9O06EDk5t5Wn7LxdfxFXqLl1HiRJLeQ8IamfAXxf6QNWvi6KoDk1tV5at4fH0V0Q+x0P3bxfJMgkAf root@minnow + # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDn1o9OFu18ZuX0WHN8OSNQgiLlcA+n1lJnI1AP9bNNcdPz9Bp9ux0aCitu7LtegBAytw+95B8OtELz5PDX0NKVWl+pgjsMSWclQBvyEcPjsKEBdn10PaPLOxBsG+nskXdWfTbpIphADOvwArVPd4bdmNoEkj3xNK4LFEq62gNVy9gJRJhwGGKj7eDsnqkmXrLgxxMGwa5rDWAD8UrrOrcUbVibQrqEUVZd1Arw2z6WItuqYDzTRbLjIeHB3qgTy6S8Bzd4Natq6nfogScwcftTjRE9wE3Y2jfkgOvrvpy8GaA4SNpnUQAUpdJmu4tsxvOykdEEnMMJOWtTOorsfX2N root@platypus + # ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCeStXzBGzv156b/fa10LuhNkMlTIA9f5i0+8CWTPU5HV45jbqXdX1vb5K+Hm62pl5UriQSq3zM4wap6KyZqbdQIuPj5N7xfBCBKf8dZDiLbhNNTu9y6yMKcgwcmh7Fa0HiAjlYawwPgrjpubAk5YNA4jnxqC+7Qz99xTPGkMk5AKJmPOgeKx1TPDjWu20vdW5YF44VQ28LkaP4QMIkoZSeYvLKOIuUOD0GHLqnNgHi/GbsPMN5pFM1fYuPz8GVz8+r5vYGdkONXNg6GxRLLx9XvmwJonblKBeWlFQqdDpjq4eEPyc5Hwu/Hdg2NYZZLmCFZD4tbMKwmpdBbTzlB+BF root@dnsbl.rjek.com + + + mailname: 
nalanda.liw.fi
+ smarthost: pieni.net
+ smarthost_user: pienirelay
+ smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
+ relayhost: pieni.net:587
+
+
+# - hosts: gregvm
+# remote_user: root
+# pre_tasks:
+# - name: "set up resolv.conf"
+# copy:
+# content: |
+# # nameserver config
+# nameserver 213.133.99.99
+# nameserver 213.133.98.98
+# nameserver 213.133.100.100
+# nameserver 2a01:4f8:0:1::add:1010
+# nameserver 2a01:4f8:0:1::add:9999
+# nameserver 2a01:4f8:0:1::add:9898
+# dest: /etc/resolv.conf
+# owner: root
+# group: root
+# mode: 0644
+# roles:
+# - sane_debian_system
+# - unix_users
+# tasks:
+# - name: "disable non-key authentication for ssh"
+# lineinfile:
+# path: /etc/ssh/sshd_config
+# regexp: "^PasswordAuthentication"
+# line: "PasswordAuthentication no"
+# vars:
+# ansible_python_interpreter: /usr/bin/python3
+# hostname: gregvm
+# debian_codename: buster
+# timezone: UTC
+
+# unix_users:
+# - username: greg
+# comment: Greg
+# sudo: yes
+# authorized_keys: |
+# {{ greg_ssh_pub }} |
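Review bot: The "allow ssh password auth for one user" task in the nalanda play appends to /etc/ssh/sshd_config and reloads sshd with no syntax check, and because it is a `shell` task it reports changed on every run and leaves the `Match User holly` block outside Ansible's control. Managing the block with `blockinfile` plus `validate` and a reload handler keeps a malformed file from being installed, and the preceding `lineinfile` task would benefit from the same `validate: "/usr/sbin/sshd -t -f %s"`. Hosts that already carry the unmarked block from the shell version would need it removed once, otherwise the file ends up with two copies of the stanza. Since this exception re-enables password logins for one account on a host that otherwise requires keys, it is worth recording in a comment why `holly` needs it and confirming that the ferm role or sshd itself limits repeated login attempts.

```yaml
  tasks:
    # … unchanged: package install, "disable non-key authentication for ssh" …
    - name: "allow ssh password auth for one user"
      blockinfile:
        path: /etc/ssh/sshd_config
        insertafter: EOF
        marker: "# {mark} ANSIBLE MANAGED: password auth exception"
        block: |
          Match User holly
            PasswordAuthentication yes
        # refuse to install a config that sshd cannot parse
        validate: "/usr/sbin/sshd -t -f %s"
      notify: reload sshd
    # … unchanged: "create repository dirs for backup clients" …
  handlers:
    - name: reload sshd
      service:
        name: ssh  # Debian's unit name; sshd is an alias for it
        state: reloaded
```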