185 files changed, 2610 insertions, 1587 deletions
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..824fe39 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.gitsigners diff --git a/ansible/all.sh b/ansible/all.sh index f2b9010..eff3a72 100755 --- a/ansible/all.sh +++ b/ansible/all.sh @@ -13,17 +13,7 @@ online() { maybe_run_playbook() { if newer "$1.yml" "$1.stamp" && online "$1"; then echo "$1" - chronic ./run-playbook "$1.yml" - touch "$1.stamp" - else - echo "SKIPPING $1" - fi -} - -maybe_run_ansible() { - if newer "$1.yml" "$1.stamp" && online "$1"; then - echo "$1" - chronic run-ansible "$1.hz" "hosts.$2" "$1.yml" + ./run-playbook "$1.yml" touch "$1.stamp" else echo "SKIPPING $1" @@ -35,11 +25,12 @@ maybe_run_playbook exolobe1 maybe_run_playbook exolobe2 maybe_run_playbook stamina maybe_run_playbook holywood2 -maybe_run_playbook web maybe_run_playbook atuin.liw.fi maybe_run_playbook mirror-git - -maybe_run_ansible git.liw.fi git -maybe_run_ansible http.liw.fi http -maybe_run_ansible irc.liw.fi irc -maybe_run_ansible shell-shell.vm.liw.fi shell +maybe_run_playbook git.liw.fi +maybe_run_playbook apt.liw.fi +maybe_run_playbook http.liw.fi +maybe_run_playbook irc.liw.fi +maybe_run_playbook shell-shell.vm.liw.fi +maybe_run_playbook qotom +maybe_run_playbook radicle.liw.fi diff --git a/ansible/ambient-dev.yml b/ansible/ambient-dev.yml new file mode 100644 index 0000000..15e8c6c --- /dev/null +++ b/ansible/ambient-dev.yml 
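Review bot: In `maybe_run_playbook`, `touch "$1.stamp"` still runs after `./run-playbook "$1.yml"` whether or not that command succeeded, so a failed run is recorded as up to date and skipped until the playbook file changes again; dropping `chronic` did not change that, it only stopped hiding the output. Unless the script runs under `set -e` (its header is outside the hunk), chaining the two, `./run-playbook "$1.yml" && touch "$1.stamp"`, keeps the stamp honest. The function's closing `fi` and `}` are outside the hunk.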
@@ -0,0 +1,49 @@ +- hosts: ambient-dev + remote_user: debian + become: yes + roles: + - role: sane_debian_system + - role: sshd + - role: comfortable-debian-system + - role: unix_users + - role: liw + - role: rust-rustup + tasks: + - apt: + name: + - build-essential + - dosfstools + - debhelper + - dh-python + - qemu-system-x86 + - qemu-utils + - python3-all-dev + - subplot + - vmdb2 + - zerofree + - file: + state: directory + path: /root/.cache/ambient + vars: + ansible_python_interpreter: python3 + + sane_debian_system_version: 2 + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm + + timezone: Europe/Helsinki + + unix_users_version: 2 + unix_users: + - username: liw + comment: Lars Wirzenius + groups: + - kvm + sudo: yes + + sane_debian_system_sources_lists: + - repo: deb http://apt.liw.fi/debian unstable main + signing_key: "{{ apt_liw_fi_signing_key }}" + + sshd_version: 1 + diff --git a/ansible/apt.liw.fi.html b/ansible/apt.liw.fi.html new file mode 100644 index 0000000..414b438 --- /dev/null +++ b/ansible/apt.liw.fi.html 
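Review bot: The booleans in this new play are spelled `yes` (`become: yes`, `sudo: yes`), which YAML 1.2 parsers read as strings and yamllint's truthy rule flags; `become: true` and `sudo: true` are unambiguous across parsers. The same spelling appears in bigtoy.yml (`sudo: yes`, `sshd_allow_authorized_keys: yes`) and in apt.liw.fi.yml and aptrepo.yml (`sudo: yes`). The file also ends with an empty added line after `sshd_version: 1`.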
@@ -0,0 +1,53 @@ +<!DOCTYPE html> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> + <meta charset="utf-8" /> + <title>apt.liw.fi</title> + <meta name="viewport" content="width=device-width, initial-scale=1" /> +</head> +<body lang=en> + <article> + <h1>apt.liw.fi</h1> + + <p>This is the personal APT repository + of <a href="https://liw.fi">Lars Wirzenius</a>. It contains free + and open source software packaged for + the <a href="https://debian.org">Debian</a> operating system + as <code>.deb</code> packages. + </p> + + <p>Repository signing keys are in + the <code>apt.liw.fi-keyring</code> package, in this repository. + Those keys in turn are signed by my personal key with + fingerprint <code>EA0B 7399 ECCF 9282 A74E F8F8 31DA 8032 081D + 901D</code>. You can get my key via WKD (using email address + <code>liw@liw.fi</code>), from various key servers, or from + my <a href="https://liw.fi/pgp">home page</a>. + </p> + + <p>To add this repository to your APT sources lists, first install + the keyring package: download the latest package + from <a href="debian/pool/main/a/apt.liw.fi-keyring/">debian/pool/main/a/apt.liw.fi-keyring/</a>, + then install the downloaded file:</p> + + <blockquote> + <code>sudo apt install ./apt.liw.fi-keyring_(something).deb</code> + </blockquote> + + <p>Then create a file + <code>/etc/apt/sources.list.d/apt.liw.fi.list</code> with the + contents (or any other filename that ends in <code>.list</code>): + </p> + + <blockquote> +<code>deb [signed-by=/usr/share/keyrings/apt.liw.fi-keyring.pgp] http://apt.liw.fi/debian unstable main</code> + </blockquote> + + <p>This means the keyring package is only ever used for this + repository. After you've installed the keyring package, you'll get + any new keys for this repository automatically, as long as you + update it at least once a year.</p> + + </article> +</body> +</html> diff --git a/ansible/apt.liw.fi.yml b/ansible/apt.liw.fi.yml new file mode 100644 index 0000000..c69c63b --- /dev/null 
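Review bot: The install instructions tell the reader to download the keyring `.deb` and run `sudo apt install ./apt.liw.fi-keyring_(something).deb` with no verification step in between, even though the paragraph above explains that the repository keys are signed by the personal key with the stated fingerprint. Installing that package runs its maintainer scripts as root and establishes trust for every later update from the repository, so a sentence telling the reader how to check the downloaded package, or the key inside it, against that fingerprint before installing would close the gap. The download link and the `deb ... http://apt.liw.fi/debian` line are both plain http, which is fine for signed APT metadata but makes that first manual check the only thing protecting the bootstrap.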
+++ b/ansible/apt.liw.fi.yml @@ -0,0 +1,43 @@ +- hosts: apt.liw.fi + remote_user: root + roles: + - role: sane_debian_system + - role: sshd + - role: unix_users + - role: apt-repository + vars: + ansible_python_interpreter: python3 + + sane_debian_system_version: 2 + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm + + timezone: Europe/Helsinki + + unix_users_version: 2 + unix_users: + - username: apt + comment: Owner of APT repository + - username: incoming + comment: APT incoming packages + authorized_keys: | + {{ apt_uploader_ssh_pub_keys }} + - username: liw + comment: Lars Wirzenius + sudo: yes + + sshd_version: 1 + + apt_uploader_ssh_pub_keys: | + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP + apt_admin_email: liw@liw.fi + apt_domain: apt.liw.fi + apt_distributions: + - codename: unstable + description: builds for unstable + apt_signing_key: "{{ lookup('pipe', 'pass show ick2/apt_key') }}" + apt_signing_key_pub: "{{ lookup('pipe', 'pass show apt.liw.fi-signing-key') }}" + apt_signing_key_fingerprint: | + {{ lookup('pipe', 'pass show apt.liw.fi-signing-key | gpg --show-keys --with-colons | grep "^fpr:" | head -n1 | cut -d: -f10') }} + apt_index_content: | + {{ lookup('file', 'apt.liw.fi.html') }} diff --git a/ansible/aptrepo.yml b/ansible/aptrepo.yml new file mode 100644 index 0000000..c671752 --- /dev/null +++ b/ansible/aptrepo.yml 
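Review bot: `apt_signing_key` is read from `pass show ick2/apt_key` while `apt_signing_key_pub` and `apt_signing_key_fingerprint` are read from `pass show apt.liw.fi-signing-key`; if those two entries hold different keys, the repository is signed with one key while the published keyring and fingerprint describe another, and clients would fail verification. aptrepo.yml pairs `ick2/apt_key` with `ick2/apt_key.pub`, which suggests the private-key path here is a leftover from that play. Worth confirming the two `pass` entries are halves of the same key, or pointing `apt_signing_key` at the `apt.liw.fi-signing-key` entry as well. `apt_signing_key_fingerprint` is a `|` block scalar, so the value carries a trailing newline; `|-` avoids that if the role compares it as a string.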
@@ -0,0 +1,44 @@ +- hosts: aptrepo + remote_user: debian + become: yes + roles: + - role: sane_debian_system + - role: sshd + - role: unix_users + - role: apt-repository + vars: + ansible_python_interpreter: python3 + + sane_debian_system_version: 2 + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm + + timezone: Europe/Helsinki + + unix_users_version: 2 + unix_users: + - username: apt + comment: Owner of APT repository + - username: incoming + comment: APT incoming packages + authorized_keys: | + {{ apt_uploader_ssh_pub_keys }} + - username: liw + comment: Lars Wirzenius + sudo: yes + + sshd_version: 1 + + apt_uploader_ssh_pub_keys: | + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP + apt_admin_email: liw@liw.fi + apt_domain: aptrepo + apt_distributions: + - codename: unstable + description: Release packages for unstable + - codename: unstable-ci + description: CI builds for unstable + apt_signing_key: "{{ lookup('pipe', 'pass show ick2/apt_key') }}" + apt_signing_key_pub: "{{ lookup('pipe', 'pass show ick2/apt_key.pub') }}" + apt_signing_key_fingerprint: | + {{ lookup('pipe', 'pass show ick2/apt_key.pub | gpg --show-keys --with-colons | grep "^fpr:" | cut -d: -f10') }} diff --git a/ansible/atuin.liw.fi.yml b/ansible/atuin.liw.fi.yml index 46c78e8..8987e5b 100644 --- a/ansible/atuin.liw.fi.yml +++ b/ansible/atuin.liw.fi.yml @@ -10,7 +10,7 @@ - comfortable-debian-system - unix_users - storage_system - - smarthost-client + - mail-client - vmhost-minimal tasks: - name: "install additional packages" 
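Review bot: `apt_signing_key_fingerprint` pipes `gpg --show-keys --with-colons` through `grep "^fpr:" | cut -d: -f10` without the `| head -n1` that apt.liw.fi.yml uses, so if the key has subkeys the value is several fingerprints separated by newlines rather than one. Adding `| head -n1` before the `cut` keeps the two playbooks consistent and the variable single-valued. As in apt.liw.fi.yml, the `|` block scalar also leaves a trailing newline on the value; `|-` drops it.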
@@ -77,9 +77,13 @@ ferm_iface_ext: "{{ bridge_nic }}" + # We must define the sshd variables here. The defaults from the + # "all" group assume sshca knows the host by the + # sane_debian_system_hostname name, which isn't true for this + # host. sshd_version: 1 sshd_host_key: "{{ lookup('pipe', 'sshca host private-key atuin.liw.fi') }}" - sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v5 atuin.liw.fi') }}" + sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 atuin.liw.fi') }}" sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}" - hosts: nalanda @@ -100,14 +104,14 @@ group: root mode: 0644 roles: - - sshd +# - sshd - role: ferm-firewalled tags: [ferm] - sane_debian_system - self-updating-system - comfortable-debian-system - unix_users - - smarthost-client + - mail-client tasks: - name: "install additional packages" apt: @@ -207,9 +211,13 @@ smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}" relayhost: pieni.net:587 + # We must define the sshd variables here. The defaults from the + # "all" group assume sshca knows the host by the + # sane_debian_system_hostname name, which isn't true for this + # host. sshd_version: 1 sshd_host_key: "{{ lookup('pipe', 'sshca host private-key nalanda.liw.fi') }}" - sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v5 nalanda.liw.fi') }}" + sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 nalanda.liw.fi') }}" sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}" # - hosts: gregvm diff --git a/ansible/authorized_keys/_ickwm b/ansible/authorized_keys/_ickwm deleted file mode 100644 index e69de29..0000000 --- a/ansible/authorized_keys/_ickwm +++ /dev/null diff --git a/ansible/authorized_keys/backups b/ansible/authorized_keys/backups deleted file mode 100644 index 5b6719a..0000000 --- a/ansible/authorized_keys/backups +++ /dev/null 
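Review bot: In the nalanda play the `sshd` role is commented out (`# - sshd`) with no reason given, while `sshd_version`, `sshd_host_key`, `sshd_host_cert` and `sshd_user_ca_pub` are still defined below together with the new comment explaining why they must be set per host. With the role disabled those variables are dead and the host keeps whatever sshd configuration it already has, so the v5 host certificate and user CA in this hunk are not actually deployed there. A one-line comment next to `# - sshd` saying why it is disabled and when it should return (or removing the now-unused sshd_* vars) would stop the next reader from assuming nalanda is certificate-managed.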
@@ -1 +0,0 @@ -ssh-rsa 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 openpgp:0xBBE80E50 diff --git a/ansible/authorized_keys/distix b/ansible/authorized_keys/distix deleted file mode 100644 index 5b6719a..0000000 --- a/ansible/authorized_keys/distix +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa 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 openpgp:0xBBE80E50 diff --git a/ansible/authorized_keys/ickliwfi b/ansible/authorized_keys/ickliwfi deleted file mode 100644 index d2fb365..0000000 --- a/ansible/authorized_keys/ickliwfi +++ /dev/null @@ -1,2 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWvVYqyPen0CFhfx9dzzCKNbQ7fUpbCRdlQ/PI4sAv5R+gjUYjZJ3HQQhdkEx6mwY+fGYgGIAY9xiTi+BzXSPPtuWUypB2/ee+Dh5Uqica1TCj/3txmFGE7qwD+AqoJYbDAD1x17AaCIEDgHv2wOQ2o8GlOKTK9mGgvZWTUgIUF7PObotg8/M6TV4NO3of7ZSJ0yqumU/GLaJ8UkvYVQ3Gj0w8tbX6xiJKcOnMyM+P+JIFRKKi/SzjymVfAie9OAlIcDEYTeT6dtqWYB6hT0/40D0ZcxOfIg07/m4A956hH9AzRKuz01w2phP2zQyHRUSOCWa5EWF/H9snxpeE5Ein liw@exolobe3 -ssh-rsa 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 openpgp:0xBBE80E50 diff --git a/ansible/authorized_keys/liw b/ansible/authorized_keys/liw deleted file mode 100644 index 5b6719a..0000000 --- a/ansible/authorized_keys/liw +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa 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 openpgp:0xBBE80E50 diff --git a/ansible/authorized_keys/obbench b/ansible/authorized_keys/obbench deleted file mode 100644 index 327e9e7..0000000 --- a/ansible/authorized_keys/obbench +++ /dev/null @@ -1,3 +0,0 @@ -ssh-rsa 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 openpgp:0xBBE80E50 -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4YSJQK7HFM7J9+mNpTzqu5TDnR0PlofNdi1oWz0VShpJkaNxS+REp0lYxlMiC3Ytp+/+xPsgxGgfHUwmYYFTsOccaKivjDpfqUg1RK4NeenpdXArX9ZctmBRciP58jndjVJ54UO9QL6smkx7LcbMFSI+FEhaCCxVBHaD7OMeEtjvCnhzFUAHYS/uUH5dTzoT63v6Oo4IYfTM8SlGYjtepcm9xy3gPXDcIxWxhxqT01lrzgUM9l4+DzHfrenJy9NSZSoYRzVqMPam3x/35K5O6HNJKN0uf80Aos/33bdxdqIAsKEQe0+xi7kEfwgMN5NSWAvBj9utzij7A+weuQOxb liw@obbench2 - 
diff --git a/ansible/authorized_keys/sshforward b/ansible/authorized_keys/sshforward deleted file mode 100644 index fc38b16..0000000 --- a/ansible/authorized_keys/sshforward +++ /dev/null @@ -1,2 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDAlECa3tbFGXhB3Zh/4/GhM11THOThVfiuLqqJ2dpWHEClzpKJHpzzwWt7g9z/MMQNMsUJLy+okz+De6hdjjmYJ9kG9Sr3H4YKq6itGQMj7L/cH3WS3ynp0uy0oW3hf932vDZKQ8iy9vczXH+ERYl+4TYae1Jp4Hyf4/2IYxEfuhKctvSvqySST3Qk9JNZ71HFGOWhjH/MmoCLoT1v+HkqmHdYf/GMKGRo3gqCEGgCgNErYYIyKm3OF3dHXK+hyGLE/cZNu6fU5woW3rvtUCFt08Ri2pm0cnXXJn9jQIMxfS5Kkf64svwgzKmPqgX1f4flopYPlsBXduCgzbJvj+lpgauAk/i1A5B01CFa9sI4C6pHZmwk1qxRwN+4IXL2CQt+tDgYC84ZDDd8R7cNyL22a3KhMQmdHtvog1beAa3Ab+J+cafkXXN+Es9f1wQjzk7DiHupmJIVofBvPP+cRcB46rwha6ati8Fa5QkT9rXFNqQsKk7jq8TIi54Bm15OOa0jInGG3TM17b9Ftu2WTJSAaqgBnDfZiInK7HEvC6K/IBljrN3oGagmFZPrAvzw7d6C2/nKFAQtfoMcE5oWVDrJyjsmJ8oaru0E8rwj7mMvyKPgEMnXTGXLWDgEo50+i291m4bkCxVwiOPbPRvdMll1Y8qfBAPT76sY4Ikgcw/2iw== openpgp:0xBBE80E50 -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQ1CbVnqhFatB0aDrss1JE6arIDiYxAHl2iyVfrrtMF6Y7vMRWt2ETK8kNJrGzTuQZEGInk/PsnIdeaL0pz6cZrZnDf/Pqpmwit3idhvPHaLAtpc/XM/UOeC1lheawtDtKbmACguwnT0MtuIfy/ELQlaE+AOw1qBwsmwrc6pBTjB+5cPWbgGE+jNGvmi0QhaH3VkMduVX0xkHVxPkYoPMI3lSlalNp2RDwzkHiSua+RFE7GWDLGnZGYL0fRXNkR1mwroOSTdLdkckSU8P+L7v3TiQPpZJBBvzz70jP8hIs/8ty+AC5DNhz0SIewmYbBrJX3yaM+UvYr1TvWig0d/3R liw@exolobe1 diff --git a/ansible/authorized_keys/yakking b/ansible/authorized_keys/yakking deleted file mode 100644 index 5b6719a..0000000 --- a/ansible/authorized_keys/yakking +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa 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 openpgp:0xBBE80E50 diff --git a/ansible/bigtoy.yml b/ansible/bigtoy.yml new file mode 100644 index 0000000..765aefc --- /dev/null +++ b/ansible/bigtoy.yml 
@@ -0,0 +1,44 @@ +- hosts: bigtoy + remote_user: debian + become: yes + roles: + - role: sane_debian_system + tags: [sane] + - role: sshd + tags: [sshd] + - role: comfortable-debian-system + tags: [comfy] + - role: unix_users + tags: [users] + - role: emacs + - role: liw + tasks: + - apt: + name: + - build-essential + - debian-keyring + - debmirror + - git + - moreutils + - python3 + vars: + ansible_python_interpreter: python3 + + sane_debian_system_version: 2 + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bullseye + + timezone: Europe/Helsinki + + unix_users_version: 2 + unix_users: + - username: liw + comment: Lars Wirzenius + sudo: yes + + sane_debian_system_sources_lists: + - repo: deb http://apt.liw.fi/debian unstable main + signing_key: "{{ apt_liw_fi_signing_key }}" + + sshd_version: 1 + sshd_allow_authorized_keys: yes diff --git a/ansible/billion.yml b/ansible/billion.yml index 841ad45..b1a8213 100644 --- a/ansible/billion.yml +++ b/ansible/billion.yml @@ -3,19 +3,17 @@ become: yes roles: - sane_debian_system - - role: sshd - tags: [sshd] + - sshd - comfortable-debian-system - unix_users - - self-updating-system tasks: - apt: name: - btrfs-progs vars: sane_debian_system_version: 2 - sane_debian_system_hostname: billion - sane_debian_system_codename: bullseye + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm unix_users_version: 2 unix_users: diff --git a/ansible/contractor-dev.yml b/ansible/contractor-dev.yml deleted file mode 100644 index 0ef3722..0000000 --- a/ansible/contractor-dev.yml +++ /dev/null 
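Review bot: The billion.yml hunk drops `self-updating-system` from the roles list alongside the bookworm bump, and nothing in the play replaces it. If that role is what keeps the host patched (its contents are not in this diff), the host stops receiving automatic updates after this change; if the removal is deliberate, a comment on the roles list saying why would help, and if it is accidental the line should go back. The new bigtoy.yml play on the same line also omits that role, so the same question applies there.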
@@ -1,48 +0,0 @@ -- hosts: contractor-dev - remote_user: root - roles: - - role: sane_debian_system - tags: [sane] - - comfortable-debian-system - - unix_users - - version-controller - - vmhost - tasks: - - user: - name: liw - groups: - - kvm - - libvirt - - apt: - name: - - black - - vmdb2 - - subplot - - shell: | - virsh net-autostart default - virsh net-start default || true - - user: - name: liw - groups: [liw, kvm] - - copy: - content: | - {{ liw_personal_ssh_pub }} - dest: /home/liw/.ssh/liw-openpgp.pub - owner: liw - group: liw - mode: 0600 - - vars: - sane_debian_system_version: 2 - sane_debian_system_hostname: contractor-dev - sane_debian_system_codename: buster - - unix_users_version: 2 - unix_users: - - username: liw - comment: Lars Wirzenius - sudo: yes - - sources_lists: - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" diff --git a/ansible/debian-ansible-dev.yml b/ansible/debian-ansible-dev.yml index b8f2300..58d2bda 100644 --- a/ansible/debian-ansible-dev.yml +++ b/ansible/debian-ansible-dev.yml @@ -40,8 +40,8 @@ owner: liw group: liw - copy: - src: /home/liw/tmp/base-images/debian-10-openstack-amd64.qcow2 - dest: /home/liw/tmp/debian-10-openstack-amd64.qcow2 + src: /home/liw/tmp/base-images/debian-11-generic-amd64.qcow2 + dest: /home/liw/tmp/debian.qcow2 owner: liw group: liw mode: 0644 @@ -49,8 +49,8 @@ ansible_python_interpreter: python3 sane_debian_system_version: 2 - sane_debian_system_hostname: debian-ansible-dev - sane_debian_system_codename: bullseye + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm timezone: Europe/Helsinki 
@@ -61,8 +61,8 @@ sudo: yes sane_debian_system_sources_lists: - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" + - repo: deb http://apt.liw.fi/debian unstable main + signing_key: "{{ apt_liw_fi_signing_key }}" sshd_version: 1 sshd_allow_authorized_keys: yes diff --git a/ansible/debian-mirror.yml b/ansible/debian-mirror.yml index 1b85a21..89a02c0 100644 --- a/ansible/debian-mirror.yml +++ b/ansible/debian-mirror.yml 
@@ -3,109 +3,29 @@ become: yes roles: - role: sane_debian_system + - role: sshd + - role: comfortable-debian-system - role: unix_users - - role: self-updating-system + - role: mail-client - role: debian-mirror - tasks: - - name: "Install ewww" - apt: - name: - - curl - - ewww - - locales-all - - psmisc - - rsync - state: present - - name: "Create /srv/http" - file: - state: directory - path: /srv/http - owner: debmirror - group: debmirror - mode: 0755 - - name: "Create ewww config directory" - file: - state: directory - path: /etc/ewww - - name: "Install ewww config" - copy: - content: | - webroot: /srv/http - listen: "0.0.0.0:443" - tls_cert: /etc/ewww/tls.pem - tls_key: /etc/ewww/tls.key - dest: /etc/ewww/ewww.yaml - - name: "Install TLS cert" - copy: - content: | - -----BEGIN CERTIFICATE----- - MIICrzCCAZcCFFusxXoXXAVCzpfNK5VlnS8vFnY/MA0GCSqGSIb3DQEBCwUAMBQx - EjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0yMTA3MjIwNzMzNThaFw0yMjA3MjIwNzMz - NThaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEP - ADCCAQoCggEBALhfy48gwIslLt5nCDSaPZeg52TwlZ8gWotnoprcv3cgTllDD/t7 - uLwRrYFJl2AheaNRP+ZOgXYzuS+pOz7YCdLg6bc1d8Dto69gQy848GnTtHINgy3Z - Ag0L5d2B8/PcpEagFe2z1cCDzxNxkhjWisb0Rm1AOJcNxQWvICw428wwWEr6SRiO - FHTht5UG0oClK88cJSwBnzNSS9Q30q42JfUmua1Dd0PS3FOMibtzMB9aBATeR4uH - pQ1qCGU197er0PVfxWYrm8LEyZFQHRviwiaLNMtMRQuOp2rDF3kV/aZuw+aUYqpk - zz+H3g0lxU3vYp/NmSRvC7y4HFxr7xlu6DECAwEAATANBgkqhkiG9w0BAQsFAAOC - AQEAgpZ0dd+W4v7P6uFZ3R4rbRrHUQEOlFFMUrkf6EyT9xeIk7XjO6+RYbVP6tWX - h4T9sEIFypAtR/47JEhFKYzncPBygUQfzXH5hW0JgviMQ8nNQz6NUJ5vPpeI4Tob - 7uipx46Lq6nF6h9DbMK/03M7ZeybEa+nknDtry5hKTVzi+xSkVQX1/xgOBY0hhUk - xcLCULujN2Lp262aP9hIuI/vaXo5HOh+BavsSauVUsRjScz/8Lgn+q4qRajcgnRa - WvK5nH/Ok4am5F9LDcwZOyUXrV+VB9CcbhnzinMuPwCdhPvMr+F7zQP9YXbOeOlP - NdZiSNvGZAbEnmMnNCEYMO3wVA== - -----END CERTIFICATE----- - dest: /etc/ewww/tls.pem - - name: "Install TLS key" - copy: - content: | - -----BEGIN RSA PRIVATE KEY----- - MIIEpAIBAAKCAQEAuF/LjyDAiyUu3mcINJo9l6DnZPCVnyBai2eimty/dyBOWUMP - 
+3u4vBGtgUmXYCF5o1E/5k6BdjO5L6k7PtgJ0uDptzV3wO2jr2BDLzjwadO0cg2D - LdkCDQvl3YHz89ykRqAV7bPVwIPPE3GSGNaKxvRGbUA4lw3FBa8gLDjbzDBYSvpJ - GI4UdOG3lQbSgKUrzxwlLAGfM1JL1DfSrjYl9Sa5rUN3Q9LcU4yJu3MwH1oEBN5H - i4elDWoIZTX3t6vQ9V/FZiubwsTJkVAdG+LCJos0y0xFC46nasMXeRX9pm7D5pRi - qmTPP4feDSXFTe9in82ZJG8LvLgcXGvvGW7oMQIDAQABAoIBAQCTKyP441PNvahj - ripGkreHSNBrKf7EPbcIf3iz1HCgThE7/uPLAT68IAA2qt9BxHarfjdbRl7gUvkG - qja4OwncYdssemlUfluhqVz3XKPKVUo7n72N4yJX959L6GcpyHz4QuA+FMYSHSQ1 - iPntCZNMq79rhU+mgz85AkjUA66ulKzkFwYRL6oRJ+fxwYKTCcnRAUbUaihDXb5T - AV4wDPMKLse70KL42SPTrQFzTqguDlXzPlKvqOEi2lZkNkiMr8wdN/xZlzLre89K - EM/mczCnYnI17dkFrdF+9Wsr63o24H+vUQ3IWIDnVP+dgMXonvCz2Z8mawlb5tt7 - vuY4b9KBAoGBAOczO740Q/mDk2iQI4Kt+o1unRwz34AEge0hm7kVUb7g2iV9sqNU - PovFjIvfCpWTmxVj6NQHyHbKDUfnnYzrpYHuMu2mL5E/1w+WqO1xPgoS287Xs/0I - E6N/BozDW4kMgBID0U2qz0JBrDMDFlL/yoziec6kv8f8uvRlQKtSdVSFAoGBAMwm - uDCShE4RcCr0PgAhiCSllJF03AVbLioTqdXwiHbIVvu5XvUClgOuI0eUDzU0Dsco - eWVaMQYx2Gt26sPPE52duZQNZ8JOZVq8/eSoycxYBn+hxYsjWqR9VvAZ4UMQvQ9g - T8La/NJTmzGVqpSD6XA176umCmgB/oeEaNZvchq9AoGAUfmbdDxJ4b1iVc/Nl3ci - gGU49Zf65gQzISYqdbx2aIyHLIXeAgVLy/k2dR2XPiPA+BudoRhFXsETZmxcM2wW - GfSgQB0Nfp25HkDYEqB1U9MN9tAKdGwZsn3Gj8Bwwy4Ydsq9uqEWrbJlYQz2LGWf - psZiU/+cNEeK7j68aEJrcZUCgYAu7zvrVtP6CsJJ7csPRqZBHpwwcLhgtty/KbQj - DmChRl/REYYGOCj7AZ70xtJUPfqjyOdX6MtajD0gP7+rcsEkvG0833QaVOGyYb7R - Qgja5OXhk/SRj3g4VuSU4K5MN93vWgocVzJGvJfyZ2FHMaiKdqv6P3sm/EZjK4ra - udZ21QKBgQDXmMP5sPHBtpHyXybIHk+nJICOtsKAJklXA1msgCk8OqDyPXX3qh8e - 4vFU4tgRN1nBMmEG5ROTtING1dQ5+X3aqXOJIO+asE1FkQA1kUhFKg2OSo15liPI - cB5//DSHki2Mh1iZxPfZnvFYpEOl9pmedSJ4tlltzKQSY//6kGJ49g== - -----END RSA PRIVATE KEY----- - dest: /etc/ewww/tls.key - - name: "Enable and start ewww service" - systemd: - name: ewww - state: restarted - enabled: yes - daemon_reload: yes vars: - ansible_python_interpreter: /usr/bin/python3 + ansible_python_interpreter: python3 sane_debian_system_version: 2 - sane_debian_system_hostname: debian-mirror - sane_debian_system_codename: bullseye - 
sane_debian_system_mirror: deb.debian.org - sane_debian_system_sources_lists: - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm + + timezone: Europe/Helsinki unix_users_version: 2 unix_users: - username: debmirror - - username: liw - comment: Lars Wirzenius + comment: Debian mirror + + sshd_version: 1 + + mailname: "exolobe1.liw.fi" + relayhost: pieni.net:587 + smarthost: pieni.net + smarthost_user: pienirelay + smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}" diff --git a/ansible/exolobe1.yml b/ansible/exolobe1.yml index 427ad5d..7243064 100644 --- a/ansible/exolobe1.yml +++ b/ansible/exolobe1.yml 
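Review bot: The `-----BEGIN RSA PRIVATE KEY-----` block deleted here was committed to this repository together with its certificate, so removing it from the playbook does not un-publish it; the key should be treated as disclosed and replaced if it is still in use anywhere, and since no task removes them, `/etc/ewww/tls.key` and `/etc/ewww/tls.pem` remain on any host that was provisioned before this change. Separately, the added `mailname: "exolobe1.liw.fi"` looks copied from exolobe1.yml, which sets the same value for itself; on debian-mirror it makes outgoing mail identify as exolobe1, so this should be the mirror host's own name.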
@@ -2,40 +2,269 @@ remote_user: root become: no roles: - - sane_debian_system - - sshd - - unix_users - - gnome-system + - role: sane_debian_system + - role: self-updating-system + - role: sshd + - role: ssd + - role: comfortable-debian-system - role: intel-wifi - tags: wifi + - role: version-controller + - role: emacs + - role: gnupg-workstation + - role: gnome-system + - role: ansible + - role: vmhost + - role: mail-client + - role: annexed + - role: unix_users +# - role: liw + - role: rust-rustup + - role: riot-host + - role: thinkpad + + tasks: + # Remove ping to force it be reinstalled so that the right + # capabilities are set. + - apt: + name: iputils-ping + state: absent + + - apt: + name: + - ambient-driver + - asciidoctor + - black + - btrfs-progs + - build-essential + - cachedir + - capnproto + - clab + - clang + - daemonize + - debhelper + - expect + - extrautils + - fio + - firmware-misc-nonfree + - fling + - gddrescue + - genisoimage + - gimp + - graphviz + - inkscape + - iputils-ping + - jq + - jt + - libclang-dev + - libdvd-pkg + - librsvg2-bin + - libsqlite3-dev + - libssl-dev + - libvirt-dev + - linux-perf + - liw-automation + - llvm + - lmodern + - nettle-dev + - nfs-common + - obnam + - obnam-benchmark + - openpgp-ca + - ovmf + - pandoc + - pandoc-filter-diagram + - pathdedup + - pavucontrol + - pkg-config + - plantuml + - printer-driver-ptouch + - python3 + - python3-requests + - qemu-user-static + - radicle + - sequoia-chameleon-gnupg + - shellcheck + - sq-liw + - sqlite3 + - sshca + - subplot + - summain + - texlive-fonts-recommended + - texlive-latex-base + - texlive-latex-extra + - texlive-latex-recommended + - texlive-plain-generic + - unicode + - usbutils + - uuid + - validns + - vlc + - vobcopy + - vmdb2 + - xpdf + - zerofree + + + - name: install command line utilities + apt: + name: + - acpi + - ambient-run + - apt-file + - bc + - bind9-host + - cryptsetup + - curl + - debmirror + - dict + - dict-foldoc + - dict-gcide + - dict-jargon + 
- dict-vera + - dict-wn + - dictd + - dnsutils + - git-annex + - htop + - iftop + - ikiwiki + - info + - jt + - locales-all + - lshw + - lvm2 + - mmv + - moreutils + - mosh + - mtr + - nethogs + - nmap + - num-utils + - oathtool + - parted-doc + - psmisc + - pv + - rsync + - screen + - strace + - time + - tmux + - units + - vim + - w3m + - whois + - yaml-mode + - zip + - yaml-mode + - zip + - zoxide + + - name: configure dict + copy: + content: | + server localhost + dest: /etc/dictd/dict.conf + + - lineinfile: + path: /etc/gdm3/daemon.conf + regexp: WaylandEnable= + line: "# WaylandEnable=false" + + - lineinfile: + path: /etc/default/grub + regexp: GRUB_ENABLE_CRYPTODISK + line: "GRUB_ENABLE_CRYPTODISK=n" + + - lineinfile: + path: /etc/environment + regexp: MOZ_ENABLE_WAYLAND + line: "MOZ_ENABLE_WAYLAND=1" + + - shell: | + flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo + + - shell: | + env DEBIAN_FRONTEND=noninteractive dpkg-reconfigure libdvd-pkg + + - name: "create liw/.radicle/keys" + file: + state: directory + path: /home/liw/.radicle/keys + owner: liw + group: liw + mode: 0755 + + - name: "install radicle private key" + copy: + content: "{{ radicle_key }}" + dest: /home/liw/.radicle/keys/radicle + owner: liw + group: liw + mode: 0600 + + - name: "install radicle public key" + copy: + content: "{{ radicle_pub }}" + dest: /home/liw/.radicle/keys/radicle.pub + owner: liw + group: liw + mode: 0644 + vars: ansible_python_interpreter: /usr/bin/python3 sane_debian_system_version: 2 sane_debian_system_hostname: "{{ inventory_hostname }}" - sane_debian_system_codename: bullseye + sane_debian_system_codename: bookworm sane_debian_system_timezone: Europe/Helsinki sane_debian_system_sources_lists: - repo: | - deb http://deb.debian.org/debian bullseye contrib non-free + deb http://deb.debian.org/debian bookworm contrib non-free non-free-firmware + + - repo: | + deb-src http://deb.debian.org/debian bookworm main contrib non-free 
non-free-firmware + + - repo: | + deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware - repo: | - deb http://security.debian.org/debian-security bullseye-security main contrib non-free + deb http://deb.debian.org/debian bookworm-backports main contrib non-free non-free-firmware - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" + - repo: deb http://apt.liw.fi/debian unstable main + signing_key: "{{ apt_liw_fi_signing_key }}" unix_users_version: 2 unix_users: - username: liw comment: Lars Wirzenius - authorized_keys: | - {{ liw_personal_ssh_pub }} + sudo: yes + groups: + - audio + - bluetooth + - cdrom + - dialout + - dip + - floppy + - libvirt + - kvm + - netdev + - plugdev + - scanner + - video + + mailname: "exolobe1.liw.fi" + relayhost: pieni.net:587 + smarthost: pieni.net + smarthost_user: pienirelay + smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}" sshd_version: 1 - sshd_host_key: "{{ lookup('pipe', 'sshca host private-key exolobe1') }}" - sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 exolobe1') }}" - sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}" rustup_cargo_install: | - starship + starship \ + cargo-cache \ + pikchr-cli \ + bottom + + radicle_key: "{{ lookup('pipe', 'pass radicle/liw/key') }}" + radicle_pub: "{{ lookup('pipe', 'pass radicle/liw/key.pub') }}" diff --git a/ansible/exolobe2.yml b/ansible/exolobe2.yml index 7d69877..70c4cec 100644 --- a/ansible/exolobe2.yml +++ b/ansible/exolobe2.yml @@ -11,7 +11,7 @@ - emacs - vmhost - storage_system - - smarthost-client + - mail-client vars: ansible_python_interpreter: /usr/bin/python3 
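Review bot: The `install radicle private key` task copies `{{ radicle_key }}` via `copy: content:` with no `no_log: true`, so the key material can show up in `--diff`/verbose output and in any log kept from the run; `no_log: true` on that task keeps it out, and quoting the mode as `mode: "0600"` follows Ansible's advice on octal modes. The command-line utilities list contains `yaml-mode` and `zip` twice, and `jt` appears in both apt lists. The `flatpak remote-add` and `dpkg-reconfigure libdvd-pkg` shell tasks run on every play and always report changed; `changed_when: false` or a `creates:`-style guard would make the play's output meaningful.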
@@ -25,8 +25,8 @@ - repo: | deb http://deb.debian.org/debian bullseye contrib non-free - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" + - repo: deb http://apt.liw.fi/debian unstable main + signing_key: "{{ apt_liw_fi_signing_key }}" unix_users_version: 2 unix_users: @@ -50,6 +50,3 @@ smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}" sshd_version: 1 - sshd_host_key: "{{ lookup('pipe', 'sshca host private-key exolobe2') }}" - sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 exolobe2') }}" - sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}" diff --git a/ansible/files/mirror-list b/ansible/files/mirror-list index 2e6dab8..61866c6 100644 --- a/ansible/files/mirror-list +++ b/ansible/files/mirror-list @@ -1,10 +1,7 @@ larswirzenius/bumper bumper-rs larswirzenius/clab clab -larswirzenius/contractor2 contractor2 larswirzenius/ewww ewww larswirzenius/pandoc-filter-diagram pandoc-filter-diagram -larswirzenius/gtdfh gtdfh.liw.fi -larswirzenius/ideas ideas larswirzenius/jt jt2 larswirzenius/puomi puomi larswirzenius/sshca sshca @@ -14,7 +11,6 @@ larswirzenius/vmadm vmadm larswirzenius/vmadm-web vmadm.liw.fi larswirzenius/vmdb2 vmdb2 larswirzenius/vmdb2-web vmdb2.liw.fi -larswirzenius/yuck yuck obnam/obnam obnam2 obnam/obnam-benchmark obnam-benchmark obnam/obnam-benchmark-results obnam-benchmark-results @@ -23,6 +19,3 @@ obnam/obnam.org obnam.org obnam/cachedir cachedir-rs subplot/subplot subplot subplot/subplot-web subplot.liw.fi -sequoia-pgp/sequoia sequoia -sequoia-pgp/sequoia-chameleon-gnupg sequoia-chameleon-gnupg -openpgp-ca/openpgp-ca openpgp-ca diff --git a/ansible/git.liw.fi.hz b/ansible/git.liw.fi.hz deleted file mode 100644 index e10d6af..0000000 --- a/ansible/git.liw.fi.hz +++ /dev/null @@ -1,5 +0,0 @@ -defaults: - type: cx11 - image: debian-10 -hosts: - - name: git 
diff --git a/ansible/git.liw.fi.yml b/ansible/git.liw.fi.yml index 94721cb..a71d8ed 100644 --- a/ansible/git.liw.fi.yml +++ b/ansible/git.liw.fi.yml @@ -1,8 +1,9 @@ -- hosts: git +- hosts: git.liw.fi remote_user: root roles: - - role: sane_debian_system - tags: [sane] +# sane_debian_system doesn't work on buster, because it needs systemd +# - role: sane_debian_system +# tags: [sane] - role: comfortable-debian-system - role: unix_users - role: apache_server diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index 0211717..9ed50fb 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml 
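Review bot: The added comment explains that `sane_debian_system` is disabled because the host is still on buster and the role needs systemd, but it does not say what the role used to provide for this host or how long it stays disabled; a `TODO` naming the plan (upgrade the host, or port the role) would keep this from becoming permanent. Buster has also reached the end of its LTS support, so if the upgrade is the intended path it is worth saying so next to the comment.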
@@ -30,6 +30,36 @@ root_at_holywood2_ssh_key_pub_v2: | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwMKd1WOfe1815VB+Mny4B0M8Yk9Koj5xVR5yBA1yHt6HWD/q8yBRpezeADYHEAhxi2RiwlzI5indSXWG6e597Al5fpo9lWtwfBWw50D9VFhmEmkNGGKaBQcqIlP+ATj57ORz9g482mKgfeyVbakYa+5jrwl/8x4kQ3XW4IhACQtIWJG3ms+/tnNr7F59k4p3C8jjTBl1eWJwkLiZOrUqsnzYTIvhcMTUDCtHAuYCwB1Kg9QDeSFAYuNZ+IrUdnBC26jhUDH513XwDySmwsCiZRGKNXdMc5BtjNH0Xmd+xaVa42/lUNGvstQrZusq5lETkzsh9dzAZNUlYOuZNQs4D root@holywood2 +apt_liw_fi_signing_key: | + -----BEGIN PGP PUBLIC KEY BLOCK----- + + mDMEZZJdGhYJKwYBBAHaRw8BAQdAqeF0fisweYyKM1ijm2TofKLI56kxprqQQgRI + 3XS7sfOI0QQfFgoAgwWCZZJdGgWJAeGFNAMLCQcJEDAjOV80dhuBRxQAAAAAAB4A + IHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ6QIq8aJr7rZ4To0YujnzP+e + VPuNqYamrIwP7oedSJuRAxUKCAKbAQIeARYhBNMIjAl0ALjhurGI1DAjOV80dhuB + AADPhAD9E7FKlBGQ4+kBNyJMSc6Kjp8DgI7GU1SsmGejPz97YsgA/ir2dwmq2Ik3 + Mh8zxzUkrLT6K20iOi/ZoCXw2h/lNzgPtCthcHQubGl3LmZpIGFyY2hpdmUgc2ln + bmluZyBrZXkgPGxpd0BsaXcuZmk+iNQEExYKAIYFgmWSXRoFiQHhhTQDCwkHCRAw + IzlfNHYbgUcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmci + FPskp0wwO97SSRdxY+2fEeZ+OomxFq+LdrIf1qwhEwMVCggCmQECmwECHgEWIQTT + CIwJdAC44bqxiNQwIzlfNHYbgQAAGAMA/2uERO4xdI3DOeTx6GZtENeMNbBTe7X+ + fh2IjXFv/xmXAQCT0eiqaHKEGq3RwrOoCBRmxec4yMgOfIuCt0l7YvytA4h1BBAW + CgAdFiEE6gtzmezPkoKnTvj4MdqAMggdkB0FAmWSXdwACgkQMdqAMggdkB3FXwEA + q82Xm0RheXzOMSKoCYOCxhM8rbn1wWIrufIo3znkrhABALMelmzI+LmzT7s62zGE + 2z8V7Nv0JnjZyrf+FZhNAqYFuDMEZZJdGhYJKwYBBAHaRw8BAQdAF+jg51KWsd8V + HxeHo6bab39J6gGNsJZcUVqRqCfrrzSJAYUEGBYKATcFgmWSXRoFiQHhhTQJEDAj + OV80dhuBRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ+J5 + 7Y6sMbUC82e9ztMS6yorTd1niehqKtaj22Fq9xREApsCvqAEGRYKAG8FgmWSXRoJ + EJqO39bYba7MRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9y + Z/Kx/ROGuSeEFI8QlSRIBLTxGvqRP+G0MIVtj5277onuFiEEbwX90zO8sdjuP23I + mo7f1thtrswAAIZrAQCWL1DboWlW3fCUEx++p8KTSjEt925x9uEt+QYk1W8wgQD+ + PnefEb8sHyZBkznoZcqgWdiqFQzgpJHYK0rieZt51AAWIQTTCIwJdAC44bqxiNQw + IzlfNHYbgQAANkwBAKPT/FYSCp1w2moONOyKjxLkURCa6bXM+HPODBUn/0ozAQDa + 
kaEaS+5jPDYzDJdpB6+7JJNu9IbT2RcI85S4KUr1Ag== + =by66 + -----END PGP PUBLIC KEY BLOCK----- + + code_liw_fi_signing_key: | -----BEGIN PGP PUBLIC KEY BLOCK----- @@ -303,3 +333,7 @@ riot_im_signing_key: | 3mc4ZPLfWwxNMYs= =dS2q -----END PGP PUBLIC KEY BLOCK----- + +sshd_host_key: "{{ lookup('pipe', 'sshca host private-key {{ sane_debian_system_hostname }}') }}" +sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 {{ sane_debian_system_hostname }}') }}" +sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}" diff --git a/ansible/handbrake.yml b/ansible/handbrake.yml new file mode 100644 index 0000000..eb928cf --- /dev/null +++ b/ansible/handbrake.yml 
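Review bot: The three new `sshd_*` defaults build the `pipe` command by nesting `{{ sane_debian_system_hostname }}` inside the lookup's string argument; whether that inner template is expanded depends on Ansible re-templating lookup terms, which is implementation behaviour rather than Jinja semantics, and if it is not expanded `sshca` is invoked with the literal braces. Jinja concatenation is unambiguous: `sshd_host_key: "{{ lookup('pipe', 'sshca host private-key ' ~ sane_debian_system_hostname) }}"` and the same form for `sshd_host_cert`. Since these now apply to every host in `all`, a short comment above them stating that hosts whose sshca name differs from `sane_debian_system_hostname` must override all three (as http.liw.fi and irc.liw.fi do in this diff) would save the next reader from tracing it.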
@@ -0,0 +1,55 @@ +- hosts: handbrake + remote_user: debian + become: yes + roles: + - role: sane_debian_system + - role: sshd + - role: unix_users + tasks: + - apt: + name: +# - gnome +# - handbrake + - handbrake-cli + - htop + - moreutils + - rsync + - screen + + # # This seems to be wanted by something in the GNOME app stack. + # # Installing it will stop a lot of apps from whinging at startup. + # - libcanberra-gtk-module + + # - lineinfile: + # path: /etc/gdm3/daemon.conf + # regexp: WaylandEnable= + # line: "WaylandEnable=false" + + # - lineinfile: + # path: /etc/default/grub + # regexp: GRUB_ENABLE_CRYPTODISK + # line: "GRUB_ENABLE_CRYPTODISK=n" + + vars: + ansible_python_interpreter: /usr/bin/python3 + + sane_debian_system_version: 2 + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm + sane_debian_system_timezone: Europe/Helsinki + sane_debian_system_sources_lists: + - repo: | + deb http://deb.debian.org/debian bookworm contrib non-free non-free-firmware + + - repo: | + deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware + + - repo: | + deb http://deb.debian.org/debian bookworm-backports main contrib non-free non-free-firmware + + unix_users_version: 2 + unix_users: + - username: liw + comment: Lars Wirzenius + + sshd_version: 1 diff --git a/ansible/holywood2.yml b/ansible/holywood2.yml index ac4d72f..20fafc7 100644 --- a/ansible/holywood2.yml +++ b/ansible/holywood2.yml @@ -1,3 +1,6 @@ +# As long as this is based on bullseye, reboot VM after running the +# playbook. + - hosts: holywood2 remote_user: root roles: @@ -10,7 +13,7 @@ - apache_server - role: holywood2 tags: holywood2 - - smarthost-client + - mail-client - self-updating-system tasks: - cron: 
@@ -21,14 +24,14 @@ ansible_python_interpreter: /usr/bin/python3 sane_debian_system_version: 2 - sane_debian_system_hostname: holywood2 + sane_debian_system_hostname: "{{ inventory_hostname }}" sane_debian_system_codename: bullseye sane_debian_system_mirror: deb.debian.org sane_debian_system_sources_lists: - repo: deb http://deb.debian.org/debian bullseye main contrib non-free - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" + - repo: deb http://apt.liw.fi/debian unstable main + signing_key: "{{ apt_liw_fi_signing_key }}" unix_users_version: 2 unix_users: @@ -52,6 +55,3 @@ letsencrypt: no sshd_version: 1 - sshd_host_key: "{{ lookup('pipe', 'sshca host private-key holywood2') }}" - sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 holywood2') }}" - sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}" diff --git a/ansible/hosts b/ansible/hosts index 4348c29..ad57af3 100644 --- a/ansible/hosts +++ b/ansible/hosts 
@@ -1,48 +1,63 @@ -[all] -exolobe1 -exolobe2 -stamina -x220 -kea -qotom -solace - -atuin ansible_ssh_host=atuin.liw.fi -nalanda ansible_ssh_host=nalanda.liw.fi -gregvm ansible_ssh_host=78.46.87.152 - +[infra] debian-mirror holywood2 mirror-git +image-dist web +texlive -pieni ansible_ssh_host=koom.pieni.net debian_codename=stretch -sq-test ansible_ssh_host=sq-test.liw.fi - -apt-dev -billion -clab-dev +[dev] +aptrepo +ambient-dev debian-ansible-dev -ewww-dev -ewww-test -ick2-dev icktool -jt-dev obnam-bench obnam-dev -openpgp-ca-dev -openpgp-card-dev -python-mess -rikiwiki-dev -roadmap-dev +radicle-dev +radicle-liw3 +radicle-multi +radicle-other-node +radicle-test +riki-dev rust-dev -sequoia-dev -sequoia-web -ssh-dev sshca-dev subplot-dev +unpack-dsc v-i-dev vmadm-dev vmdb2-dev +vmdb2-dev-sid +[toys] +billion toy +bigtoy +handbrake + +[upliw_vm] +private +updev + +[bare] +exolobe1 +exolobe2 +stamina +x220 +kea +qotom +solace +upliw0 + +[remote] +apt.liw.fi +atuin ansible_ssh_host=atuin.liw.fi +nalanda ansible_ssh_host=nalanda.liw.fi +gregvm ansible_ssh_host=78.46.87.152 +git.liw.fi +http.liw.fi +irc.liw.fi +monorepo.liw.fi +shell-shell.vm.liw.fi +radicle.liw.fi +seed.liw.fi +wumpus.liw.fi diff --git a/ansible/hosts.ci-prep b/ansible/hosts.ci-prep deleted file mode 100644 index e69de29..0000000 --- a/ansible/hosts.ci-prep +++ /dev/null diff --git a/ansible/hosts.ci-prod b/ansible/hosts.ci-prod deleted file mode 100644 index c8c8c4b..0000000 --- a/ansible/hosts.ci-prod +++ /dev/null @@ -1 +0,0 @@ -controller ansible_ssh_host=ci-prod-controller.vm.liw.fi diff --git a/ansible/hosts.ci-prod-workers b/ansible/hosts.ci-prod-workers deleted file mode 100644 index e69de29..0000000 --- a/ansible/hosts.ci-prod-workers +++ /dev/null diff --git a/ansible/hosts.collectd b/ansible/hosts.collectd deleted file mode 100644 index e69de29..0000000 --- a/ansible/hosts.collectd +++ /dev/null 
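Review bot: The new `[remote]` entries, and the carried-over `atuin`, `nalanda` and `gregvm` lines, use `ansible_ssh_host`, the pre-2.0 spelling; `ansible_host` is the current inventory variable and the old name only survives as a compatibility alias. Since this hunk rewrites the whole file it is the natural place to switch, e.g. `atuin ansible_host=atuin.liw.fi`. `gregvm ansible_ssh_host=78.46.87.152` is also the only entry pinned to a bare IP while every other remote host uses a DNS name; a one-line comment saying why would help.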
diff --git a/ansible/hosts.demo b/ansible/hosts.demo deleted file mode 100644 index e69de29..0000000 --- a/ansible/hosts.demo +++ /dev/null diff --git a/ansible/hosts.demo-workers b/ansible/hosts.demo-workers deleted file mode 100644 index e69de29..0000000 --- a/ansible/hosts.demo-workers +++ /dev/null diff --git a/ansible/hosts.docstory-files b/ansible/hosts.docstory-files deleted file mode 100644 index e69de29..0000000 --- a/ansible/hosts.docstory-files +++ /dev/null diff --git a/ansible/hosts.git b/ansible/hosts.git deleted file mode 100644 index 9477321..0000000 --- a/ansible/hosts.git +++ /dev/null @@ -1 +0,0 @@ -git ansible_ssh_host=git-git.vm.liw.fi diff --git a/ansible/hosts.http b/ansible/hosts.http deleted file mode 100644 index 564c4da..0000000 --- a/ansible/hosts.http +++ /dev/null @@ -1 +0,0 @@ -static ansible_ssh_host=http-static.vm.liw.fi diff --git a/ansible/hosts.irc b/ansible/hosts.irc deleted file mode 100644 index a94bb32..0000000 --- a/ansible/hosts.irc +++ /dev/null @@ -1 +0,0 @@ -irc ansible_ssh_host=irc-irc.vm.liw.fi diff --git a/ansible/hosts.letest b/ansible/hosts.letest deleted file mode 100644 index e69de29..0000000 --- a/ansible/hosts.letest +++ /dev/null diff --git a/ansible/hosts.mirror b/ansible/hosts.mirror deleted file mode 100644 index e69de29..0000000 --- a/ansible/hosts.mirror +++ /dev/null diff --git a/ansible/hosts.obnam b/ansible/hosts.obnam deleted file mode 100644 index e69de29..0000000 --- a/ansible/hosts.obnam +++ /dev/null diff --git a/ansible/hosts.shell b/ansible/hosts.shell deleted file mode 100644 index 1b142ae..0000000 --- a/ansible/hosts.shell +++ /dev/null @@ -1 +0,0 @@ -shell ansible_ssh_host=shell-shell.vm.liw.fi diff --git a/ansible/hosts.subplot-dan b/ansible/hosts.subplot-dan deleted file mode 100644 index e69de29..0000000 --- a/ansible/hosts.subplot-dan +++ /dev/null diff --git a/ansible/http.liw.fi.hz b/ansible/http.liw.fi.hz deleted file mode 100644 index ad22c6b..0000000 
--- a/ansible/http.liw.fi.hz +++ /dev/null @@ -1,5 +0,0 @@ -defaults: - type: cpx11 - image: debian-10 -hosts: - - name: static diff --git a/ansible/http.liw.fi.yml b/ansible/http.liw.fi.yml index ed409ff..9372c4c 100644 --- a/ansible/http.liw.fi.yml +++ b/ansible/http.liw.fi.yml @@ -1,10 +1,11 @@ -- hosts: static +- hosts: http.liw.fi remote_user: root roles: - role: sane_debian_system - role: sshd - role: unix_users - role: apache_server + tags: [httpd] - role: comfortable-debian-system - role: self-updating-system vars: @@ -22,11 +23,6 @@ - username: root authorized_keys: | {{ liw_personal_ssh_pub }} - - username: ickliwfi - comment: Ick website - authorized_keys: | - {{ liw_personal_ssh_pub }} - {{ ci_worker_ssh_pub }} letsencrypt: yes letsencrypt_email: liw@liw.fi 
@@ -41,215 +37,179 @@ owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert1 - - - domain: ideas.liw.fi - owner: ickliwfi - ownermail: liw@liw.fi - letsencrypt: yes - letsencrypt_cert: cert1 + letsencrypt_cert: certa - domain: files.liw.fi owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert1 - - - domain: code.liw.fi - owner: liw - ownermail: liw@liw.fi - letsencrypt: yes - letsencrypt_cert: cert1 + letsencrypt_cert: certa - domain: vmdb2.liw.fi - owner: ickliwfi - ownermail: liw@liw.fi - letsencrypt: yes - letsencrypt_cert: cert1 - - - domain: vmdb2-images.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert1 + letsencrypt_cert: certa - domain: vmdb2-manual.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cer1 + letsencrypt_cert: certa - domain: journal.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert1 + letsencrypt_cert: certa htpasswd: "{{ lookup('pipe', 'pass journal.liw.fi.htpasswd') }}" htpasswd_name: "Private site by Lars. Go away." 
- domain: noir.liw.fi - owner: ickliwfi - ownermail: liw@liw.fi - letsencrypt: yes - letsencrypt_cert: cert1 - - - domain: manifesto.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert1 + letsencrypt_cert: certa - domain: doc.obnam.org - owner: ickliwfi - ownermail: liw@liw.fi - letsencrypt: yes - letsencrypt_cert: cert1 - - - domain: seinfeld.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert1 + letsencrypt_cert: certa - domain: subplot.tech - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert12 + letsencrypt_cert: certa - domain: www.subplot.tech - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert12 + letsencrypt_cert: certa redirect: subplot.tech - domain: doc.subplot.tech - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert12 + letsencrypt_cert: certa - domain: subplot.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert1 + letsencrypt_cert: certa redirect: subplot.tech - domain: doc.subplot.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert11 + letsencrypt_cert: certa redirect: doc.subplot.tech - - domain: yuck.liw.fi - owner: ickliwfi - ownermail: liw@liw.fi - letsencrypt: yes - letsencrypt_cert: cert1 - - domain: 256.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert1 + letsencrypt_cert: certa - domain: gtdfh.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert1 + letsencrypt_cert: certa - domain: blog.liw.fi - owner: ickliwfi - ownermail: liw@liw.fi - letsencrypt: yes - letsencrypt_cert: cert1 - - - domain: summain.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert4 + letsencrypt_cert: 
certa - domain: vmadm.liw.fi - owner: ickliwfi - ownermail: liw@liw.fi - letsencrypt: yes - letsencrypt_cert: cert6 - - - domain: clab.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert9 + letsencrypt_cert: certa - domain: doc.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert10 + letsencrypt_cert: certa - domain: sshca.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert11 + letsencrypt_cert: certa - domain: www.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert13 + letsencrypt_cert: certa redirect: liw.fi - domain: riki.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert14 + letsencrypt_cert: certa - domain: v-i.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert15 + letsencrypt_cert: certa - domain: puomi.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert15 + letsencrypt_cert: certa - domain: ewww.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert16 + letsencrypt_cert: certa - # Sites that need to be changed in DNS (A record) before Let's - # Encrypt certificates can be created. Comment these out until - # DNS has been changed. + - domain: ambient.liw.fi + owner: liw + ownermail: liw@liw.fi + letsencrypt: yes + letsencrypt_cert: certa - - domain: ick.liw.fi - owner: ickliwfi + - domain: openpgpkey.liw.fi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert3 + letsencrypt_cert: certa + + - domain: liw.iki.fi + owner: liw + ownermail: liw@liw.fi + letsencrypt: yes + letsencrypt_cert: certa + + # Sites that need to be changed in DNS (A record) before Let's + # Encrypt certificates can be created. Comment these out until + # DNS has been changed. 
- domain: obnam.org - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert2 + letsencrypt_cert: certa - domain: liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert2 + letsencrypt_cert: certa # Sites without HTTPS. @@ -274,17 +234,11 @@ ownermail: webmaster@docstory.fi letsencrypt: no - - domain: liw.iki.fi - owner: liw - ownermail: liw@liw.fi - letsencrypt: no - - - domain: demo-journal.liw.fi - owner: liw - ownermail: liw@liw.fi - letsencrypt: no - + # We must define the sshd variables here. The defaults from the + # "all" group assume sshca knows the host by the + # sane_debian_system_hostname name, which isn't true for this + # host. sshd_version: 1 sshd_host_key: "{{ lookup('pipe', 'sshca host private-key http.liw.fi') }}" - sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 http.liw.fi') }}" - sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}" + sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 http.liw.fi') }}" + sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}" diff --git a/ansible/ick2-dev.yml b/ansible/ick2-dev.yml deleted file mode 100644 index 6a8b0c6..0000000 --- a/ansible/ick2-dev.yml +++ /dev/null 
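Review bot: Every vhost now shares the single certificate `certa` (previously split across `cert1` … `cert16`), so Let's Encrypt issuance becomes one multi-SAN request, and if any one domain's authorization fails no certificate is issued or renewed for any of them. That matters for `liw.iki.fi`, which this hunk moves from the "Sites without HTTPS" block (`letsencrypt: no`) to `letsencrypt: yes` under `certa`, and for `obnam.org` and `liw.fi`, which sit under the retained comment saying their DNS A record must be changed first; if any of these does not yet resolve to this host, the shared certificate fails as a whole. Consider keeping the not-yet-migrated domains on a separate `letsencrypt_cert` value (or `letsencrypt: no`) until DNS is confirmed, so one missing A record cannot block renewal for the rest. The `apache_server` sites list continues outside the hunk.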
@@ -1,50 +0,0 @@ -- hosts: ick2-dev - remote_user: debian - become: yes - roles: - - role: sane_debian_system - - role: unix_users - - role: version-controller - - role: liw - tasks: - - name: "install build dependencies for Ick" - apt: - state: present - name: - - debhelper - - python3-all - - python3-bottle - - python-cliapp - - python3-cliapp - - python3-coverage-test-runner - - python3-apifw - - python3-slog - - python3-cryptography - - python3-requests - - python-requests - - pycodestyle - - gunicorn3 - - python3-yaml - - cmdtest - - copyright-statement-lint - vars: - ansible_python_interpreter: /usr/bin/python3 - - sane_debian_system_version: 2 - sane_debian_system_hostname: ick2-dev - sane_debian_system_codename: buster - sane_debian_system_sources_lists: - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" - - unix_users_version: 2 - unix_users: - - username: liw - comment: Lars Wirzenius - sudo: true - authorized_keys: | - {{ liw_personal_ssh_pub }} - ssh_key: | - {{ lookup('pipe', 'pass show ssh/liw@mirror-git') }} - ssh_key_pub: | - {{ lookup('pipe', 'pass show ssh/liw@mirror-git.pub') }} diff --git a/ansible/icktool.yml b/ansible/icktool.yml deleted file mode 100644 index c2ed8cc..0000000 --- a/ansible/icktool.yml +++ /dev/null 
@@ -1,88 +0,0 @@ -- hosts: icktool - remote_user: debian - become: yes - roles: - - role: sane_debian_system - - role: unix_users - tasks: - - name: "install git and Ick" - apt: - state: present - name: - - git - - moreutils - - psmisc - - ick2 - - jq - - name: "clone liw-ci" - shell: | - if ! [ -e /home/liw/liw-ci ] - then - sudo -i -u liw git clone git://git.liw.fi/liw-ci - fi - - name: "install ick-statut" - copy: - content: | - #!/bin/bash - set -euo pipefail - icktool status | grep -v -e "done" -e "dummy-" - dest: /home/liw/ick-status - owner: liw - group: liw - mode: 0755 - - name: "create ~/.config/icktool" - file: - state: directory - path: /home/liw/.config/icktool - owner: liw - group: liw - - name: "install icktool config" - copy: - content: | - config: - controller: https://ci-prod-controller.vm.liw.fi - dest: /home/liw/.config/icktool/icktool.yaml - owner: liw - group: liw - mode: 0644 - - name: "install icktool credentials" - copy: - content: | - [https://ci-prod-controller.vm.liw.fi/token] - client_id = liw - client_secret = {{ lookup('pipe', 'pass ick2/admin_secret') }} - dest: /home/liw/.config/icktool/credentials.conf - owner: liw - group: liw - mode: 0600 - - - name: "install cron job to trigger missing or old builds" - cron: - name: "trigger-old" - user: liw - minute: "0" - hour: "*" - job: | - /home/liw/liw-ci/trigger-old | head -n3 | while read x; do icktool trigger "$x"; done - - vars: - ansible_python_interpreter: /usr/bin/python3 - - sane_debian_system_version: 2 - sane_debian_system_hostname: icktool - sane_debian_system_codename: buster - sane_debian_system_sources_lists: - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" - - unix_users_version: 2 - unix_users: - - username: liw - comment: Lars Wirzenius - sudo: true - authorized_keys: | - {{ liw_personal_ssh_pub }} - ssh_key: | - {{ lookup('pipe', 'pass show ssh/liw@mirror-git') }} - ssh_key_pub: | - {{ lookup('pipe', 
'pass show ssh/liw@mirror-git.pub') }} diff --git a/ansible/image-dist.yml b/ansible/image-dist.yml new file mode 100644 index 0000000..2ef70af --- /dev/null +++ b/ansible/image-dist.yml 
@@ -0,0 +1,113 @@ +- hosts: image-dist + remote_user: debian + become: yes + roles: + - role: sane_debian_system + - role: sshd + - role: unix_users + - role: self-updating-system + tasks: + - name: "Install ewww" + apt: + name: + - ewww + - psmisc + - curl + - rsync + state: present + - name: "Create /srv/http" + file: + state: directory + path: /srv/http + owner: _ewww + group: _ewww + mode: 0755 + - name: "Create ewww config directory" + file: + state: directory + path: /etc/ewww + - name: "Install ewww config" + copy: + content: | + webroot: /srv/http + listen: "0.0.0.0:443" + tls_cert: /etc/ewww/tls.pem + tls_key: /etc/ewww/tls.key + dest: /etc/ewww/ewww.yaml + - name: "Install TLS cert" + copy: + content: | + -----BEGIN CERTIFICATE----- + MIICrzCCAZcCFFusxXoXXAVCzpfNK5VlnS8vFnY/MA0GCSqGSIb3DQEBCwUAMBQx + EjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0yMTA3MjIwNzMzNThaFw0yMjA3MjIwNzMz + NThaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEP + ADCCAQoCggEBALhfy48gwIslLt5nCDSaPZeg52TwlZ8gWotnoprcv3cgTllDD/t7 + uLwRrYFJl2AheaNRP+ZOgXYzuS+pOz7YCdLg6bc1d8Dto69gQy848GnTtHINgy3Z + Ag0L5d2B8/PcpEagFe2z1cCDzxNxkhjWisb0Rm1AOJcNxQWvICw428wwWEr6SRiO + FHTht5UG0oClK88cJSwBnzNSS9Q30q42JfUmua1Dd0PS3FOMibtzMB9aBATeR4uH + pQ1qCGU197er0PVfxWYrm8LEyZFQHRviwiaLNMtMRQuOp2rDF3kV/aZuw+aUYqpk + zz+H3g0lxU3vYp/NmSRvC7y4HFxr7xlu6DECAwEAATANBgkqhkiG9w0BAQsFAAOC + AQEAgpZ0dd+W4v7P6uFZ3R4rbRrHUQEOlFFMUrkf6EyT9xeIk7XjO6+RYbVP6tWX + h4T9sEIFypAtR/47JEhFKYzncPBygUQfzXH5hW0JgviMQ8nNQz6NUJ5vPpeI4Tob + 7uipx46Lq6nF6h9DbMK/03M7ZeybEa+nknDtry5hKTVzi+xSkVQX1/xgOBY0hhUk + xcLCULujN2Lp262aP9hIuI/vaXo5HOh+BavsSauVUsRjScz/8Lgn+q4qRajcgnRa + WvK5nH/Ok4am5F9LDcwZOyUXrV+VB9CcbhnzinMuPwCdhPvMr+F7zQP9YXbOeOlP + NdZiSNvGZAbEnmMnNCEYMO3wVA== + -----END CERTIFICATE----- + dest: /etc/ewww/tls.pem + - name: "Install TLS key" + copy: + content: | + -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEAuF/LjyDAiyUu3mcINJo9l6DnZPCVnyBai2eimty/dyBOWUMP + +3u4vBGtgUmXYCF5o1E/5k6BdjO5L6k7PtgJ0uDptzV3wO2jr2BDLzjwadO0cg2D + 
LdkCDQvl3YHz89ykRqAV7bPVwIPPE3GSGNaKxvRGbUA4lw3FBa8gLDjbzDBYSvpJ + GI4UdOG3lQbSgKUrzxwlLAGfM1JL1DfSrjYl9Sa5rUN3Q9LcU4yJu3MwH1oEBN5H + i4elDWoIZTX3t6vQ9V/FZiubwsTJkVAdG+LCJos0y0xFC46nasMXeRX9pm7D5pRi + qmTPP4feDSXFTe9in82ZJG8LvLgcXGvvGW7oMQIDAQABAoIBAQCTKyP441PNvahj + ripGkreHSNBrKf7EPbcIf3iz1HCgThE7/uPLAT68IAA2qt9BxHarfjdbRl7gUvkG + qja4OwncYdssemlUfluhqVz3XKPKVUo7n72N4yJX959L6GcpyHz4QuA+FMYSHSQ1 + iPntCZNMq79rhU+mgz85AkjUA66ulKzkFwYRL6oRJ+fxwYKTCcnRAUbUaihDXb5T + AV4wDPMKLse70KL42SPTrQFzTqguDlXzPlKvqOEi2lZkNkiMr8wdN/xZlzLre89K + EM/mczCnYnI17dkFrdF+9Wsr63o24H+vUQ3IWIDnVP+dgMXonvCz2Z8mawlb5tt7 + vuY4b9KBAoGBAOczO740Q/mDk2iQI4Kt+o1unRwz34AEge0hm7kVUb7g2iV9sqNU + PovFjIvfCpWTmxVj6NQHyHbKDUfnnYzrpYHuMu2mL5E/1w+WqO1xPgoS287Xs/0I + E6N/BozDW4kMgBID0U2qz0JBrDMDFlL/yoziec6kv8f8uvRlQKtSdVSFAoGBAMwm + uDCShE4RcCr0PgAhiCSllJF03AVbLioTqdXwiHbIVvu5XvUClgOuI0eUDzU0Dsco + eWVaMQYx2Gt26sPPE52duZQNZ8JOZVq8/eSoycxYBn+hxYsjWqR9VvAZ4UMQvQ9g + T8La/NJTmzGVqpSD6XA176umCmgB/oeEaNZvchq9AoGAUfmbdDxJ4b1iVc/Nl3ci + gGU49Zf65gQzISYqdbx2aIyHLIXeAgVLy/k2dR2XPiPA+BudoRhFXsETZmxcM2wW + GfSgQB0Nfp25HkDYEqB1U9MN9tAKdGwZsn3Gj8Bwwy4Ydsq9uqEWrbJlYQz2LGWf + psZiU/+cNEeK7j68aEJrcZUCgYAu7zvrVtP6CsJJ7csPRqZBHpwwcLhgtty/KbQj + DmChRl/REYYGOCj7AZ70xtJUPfqjyOdX6MtajD0gP7+rcsEkvG0833QaVOGyYb7R + Qgja5OXhk/SRj3g4VuSU4K5MN93vWgocVzJGvJfyZ2FHMaiKdqv6P3sm/EZjK4ra + udZ21QKBgQDXmMP5sPHBtpHyXybIHk+nJICOtsKAJklXA1msgCk8OqDyPXX3qh8e + 4vFU4tgRN1nBMmEG5ROTtING1dQ5+X3aqXOJIO+asE1FkQA1kUhFKg2OSo15liPI + cB5//DSHki2Mh1iZxPfZnvFYpEOl9pmedSJ4tlltzKQSY//6kGJ49g== + -----END RSA PRIVATE KEY----- + dest: /etc/ewww/tls.key + - name: "Enable and start ewww service" + systemd: + name: ewww + state: restarted + enabled: yes + daemon_reload: yes + vars: + ansible_python_interpreter: /usr/bin/python3 + + sane_debian_system_version: 2 + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bullseye + sane_debian_system_sources_lists: + - repo: deb http://apt.liw.fi/debian unstable-ci main + 
signing_key: "{{ apt_liw_fi_signing_key }}" + + unix_users_version: 2 + unix_users: + - username: liw + comment: Lars Wirzenius + - username: _ewww + comment: Static web site content + + sshd_version: 1 + diff --git a/ansible/irc.liw.fi.hz b/ansible/irc.liw.fi.hz deleted file mode 100644 index 487bd5d..0000000 --- a/ansible/irc.liw.fi.hz +++ /dev/null @@ -1,5 +0,0 @@ -defaults: - type: cx11 - image: debian-10 -hosts: - - name: irc diff --git a/ansible/irc.liw.fi.yml b/ansible/irc.liw.fi.yml index ca6030e..3e094c3 100644 --- a/ansible/irc.liw.fi.yml +++ b/ansible/irc.liw.fi.yml @@ -1,4 +1,4 @@ -- hosts: irc +- hosts: irc.liw.fi remote_user: root roles: - role: sane_debian_system @@ -12,7 +12,7 @@ sane_debian_system_version: 2 sane_debian_system_hostname: irc - sane_debian_system_codename: bullseye + sane_debian_system_codename: bookworm sane_debian_system_mirror: deb.debian.org unix_users_version: 2 @@ -29,7 +29,11 @@ authorized_keys: | {{ liw_personal_ssh_pub }} + # We must define the sshd variables here. The defaults from the + # "all" group assume sshca knows the host by the + # sane_debian_system_hostname name, which isn't true for this + # host. sshd_version: 1 sshd_host_key: "{{ lookup('pipe', 'sshca host private-key irc.liw.fi') }}" - sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 irc.liw.fi') }}" - sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}" + sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 irc.liw.fi') }}" + sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}" diff --git a/ansible/kea.yml b/ansible/kea.yml index 610c6d3..b21f6be 100644 --- a/ansible/kea.yml +++ b/ansible/kea.yml 
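Review bot: The `Install TLS key` task embeds an RSA private key in clear text in the playbook, i.e. committed to VCS, while every other secret in these playbooks goes through `lookup('pipe', 'pass show …')`; the task also sets neither `owner` nor `mode`, so `/etc/ewww/tls.key` lands with the default, typically world-readable, permissions. Move the key to the password store, `content: "{{ lookup('pipe', 'pass show <path-to-image-dist-tls-key>') }}"`, add `owner: _ewww`, `group: _ewww`, `mode: "0600"` to that task, and treat the committed key as compromised and rotate it. The certificate body appears to be a self-signed `CN=localhost` certificate valid 2021-07 to 2022-07 (confirm with `openssl x509 -noout -subject -dates`), so clients will not trust the service as configured anyway. Separately, `sane_debian_system_sources_lists` here points at `apt.liw.fi/debian unstable-ci main` whereas ambient-dev, holywood2 and obnam-dev use the `unstable` suite; obnam-bench later in this diff has the same `unstable-ci` spelling, and if apt.liw.fi does not publish an `unstable-ci` suite `apt update` fails on both hosts.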
@@ -3,74 +3,35 @@ become: no roles: - role: sane_debian_system - tags: [sane] - comfortable-debian-system - - gnome-system - - smarthost-client - intel-wifi - - self-updating-system - ssd + - sshd - unix_users - tasks: - - lineinfile: - path: /etc/gdm3/daemon.conf - regex: WaylandEnable - line: WaylandEnable=false - - apt: - name: - - flatpak - - gnome-software-plugin-flatpak - - cups - - nfs-common - - ufw - - apt: - deb: https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb - - shell: - flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo - - ufw: - state: enabled - policy: deny - - ufw: - port: ssh - rule: allow + - puomi vars: ansible_python_interpreter: /usr/bin/python3 sane_debian_system_version: 2 - sane_debian_system_hostname: kea - sane_debian_system_codename: bullseye + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm sane_debian_system_timezone: Europe/Helsinki sane_debian_system_sources_lists: - repo: | - deb http://deb.debian.org/debian bullseye contrib non-free + deb http://deb.debian.org/debian bookworm contrib non-free - repo: | - deb-src http://deb.debian.org/debian bullseye main contrib non-free - - - repo: | - deb http://security.debian.org/debian-security bullseye-security main contrib non-free + deb http://security.debian.org/debian-security bookworm-security main contrib non-free unix_users_version: 2 unix_users: - - username: soile - comment: Soile Mottisenkangas - groups: - - audio - - bluetooth - - cdrom - - dialout - - dip - - floppy - - netdev - - plugdev - - scanner - - video - authorized_keys: | - {{ liw_personal_ssh_pub }} + - username: liw + comment: Lars Wirzenius + + sshd_version: 1 + sshd_host_key: "{{ lookup('pipe', 'sshca host private-key kea') }}" + sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 kea') }}" + sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}" - 
mailname: kea.liw.fi - hostname: "{{ sane_debian_system_hostname }}" - relayhost: pieni.net:587 - smarthost: pieni.net - smarthost_user: pienirelay - smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}" + puomi_version: 1 + puomi_lan_ip: 10.2.0.1 diff --git a/ansible/letest-letest.vm.liw.fi.hz b/ansible/letest-letest.vm.liw.fi.hz deleted file mode 100644 index 919af09..0000000 --- a/ansible/letest-letest.vm.liw.fi.hz +++ /dev/null @@ -1,5 +0,0 @@ -defaults: - type: cx11 - image: debian-10 -hosts: - - name: letest diff --git a/ansible/apt-dev.yml b/ansible/maybe-someday/apt-dev.yml index 54c3d99..54c3d99 100644 --- a/ansible/apt-dev.yml +++ b/ansible/maybe-someday/apt-dev.yml diff --git a/ansible/clab-dev.yml b/ansible/maybe-someday/clab-dev.yml index 5d386e3..32c6dd9 100644 --- a/ansible/clab-dev.yml +++ b/ansible/maybe-someday/clab-dev.yml @@ -19,7 +19,6 @@ name: - debhelper - build-essential - - dh-cargo - git - moreutils - python3 diff --git a/ansible/sequoia-web.yml b/ansible/maybe-someday/debian-mirror.yml index b769c9e..1b85a21 100644 --- a/ansible/sequoia-web.yml +++ b/ansible/maybe-someday/debian-mirror.yml @@ -1,27 +1,27 @@ -- hosts: sequoia-web +- hosts: debian-mirror remote_user: debian become: yes roles: - role: sane_debian_system - - role: sshd - tags: [sshd] - role: unix_users - - role: comfortable-debian-system - - role: liw + - role: self-updating-system + - role: debian-mirror tasks: - - apt: + - name: "Install ewww" + apt: name: - - emacs - - git - - hugo - - make + - curl - ewww + - locales-all + - psmisc + - rsync + state: present - name: "Create /srv/http" file: state: directory path: /srv/http - owner: _ewww - group: _ewww + owner: debmirror + group: debmirror mode: 0755 - name: "Create ewww config directory" file: @@ -30,7 +30,7 @@ - name: "Install ewww config" copy: content: | - webroot: /home/liw/src/public + webroot: /srv/http listen: "0.0.0.0:443" tls_cert: /etc/ewww/tls.pem tls_key: /etc/ewww/tls.key 
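Review bot: The rewrite drops the `ufw` tasks (`state: enabled` with `policy: deny` plus the ssh allow rule) at the same time as it adds the `puomi` role with `puomi_lan_ip: 10.2.0.1`, which suggests kea becomes a LAN gateway; unless the puomi role manages packet filtering itself (not visible here), the host goes from deny-by-default to no host firewall exactly when it starts routing. Worth confirming and recording above `- puomi`, e.g. `# packet filtering is managed by the puomi role`, or re-adding the ufw tasks. The explicit `sshd_host_key`/`sshd_host_cert`/`sshd_user_ca_pub` lines duplicate the new `group_vars/all.yml` defaults, since `sane_debian_system_hostname` is `{{ inventory_hostname }}` = `kea`; http.liw.fi and irc.liw.fi keep overrides with a comment explaining the name mismatch, but kea has no such reason and the three lines can go. The play header (`hosts`, `remote_user`) is outside the hunk.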
@@ -94,8 +94,10 @@ enabled: yes daemon_reload: yes vars: + ansible_python_interpreter: /usr/bin/python3 + sane_debian_system_version: 2 - sane_debian_system_hostname: sequoia-web + sane_debian_system_hostname: debian-mirror sane_debian_system_codename: bullseye sane_debian_system_mirror: deb.debian.org sane_debian_system_sources_lists: @@ -104,10 +106,6 @@ unix_users_version: 2 unix_users: + - username: debmirror - username: liw comment: Lars Wirzenius - - username: _ewww - comment: Static web site content - - sshd_version: 1 - sshd_allow_authorized_keys: yes diff --git a/ansible/debmirror.yml b/ansible/maybe-someday/debmirror.yml index 88aa1c1..8aa9831 100644 --- a/ansible/debmirror.yml +++ b/ansible/maybe-someday/debmirror.yml @@ -9,7 +9,7 @@ - role: self-updating-system - role: debian-mirror tags: [mirror] - - role: smarthost-client + - role: mail-client vars: sane_debian_system_version: 0 unix_users_version: 0 diff --git a/ansible/ewww-dev.yml b/ansible/maybe-someday/ewww-dev.yml index 5a24d37..4696bd2 100644 --- a/ansible/ewww-dev.yml +++ b/ansible/maybe-someday/ewww-dev.yml @@ -21,7 +21,6 @@ name: - debhelper - build-essential - - dh-cargo - daemonize - git - moreutils diff --git a/ansible/ewww-test.yml b/ansible/maybe-someday/ewww-test.yml index 67b2123..67b2123 100644 --- a/ansible/ewww-test.yml +++ b/ansible/maybe-someday/ewww-test.yml diff --git a/ansible/jt-dev.yml b/ansible/maybe-someday/jt-dev.yml index ccb405b..ccb405b 100644 --- a/ansible/jt-dev.yml +++ b/ansible/maybe-someday/jt-dev.yml diff --git a/ansible/letest-letest.vm.liw.fi.yml b/ansible/maybe-someday/letest-letest.vm.liw.fi.yml index c9555dc..c9555dc 100644 --- a/ansible/letest-letest.vm.liw.fi.yml +++ b/ansible/maybe-someday/letest-letest.vm.liw.fi.yml diff --git a/ansible/openpgp-ca-dev.yml b/ansible/maybe-someday/openpgp-ca-dev.yml index 52afa6c..38818e1 100644 --- a/ansible/openpgp-ca-dev.yml +++ b/ansible/maybe-someday/openpgp-ca-dev.yml 
@@ -22,7 +22,6 @@ - capnproto - clang - debhelper - - dh-cargo - libclang-dev - libsqlite3-dev - libssl-dev diff --git a/ansible/openpgp-card-dev.yml b/ansible/maybe-someday/openpgp-card-dev.yml index 99d869a..3633b68 100644 --- a/ansible/openpgp-card-dev.yml +++ b/ansible/maybe-someday/openpgp-card-dev.yml @@ -20,14 +20,15 @@ name: - build-essential - debhelper - - dh-cargo - docker.io - libclang-dev - libpcsclite-dev - lintian - moreutils - nettle-dev + - ntp - pkg-config + - psmisc - subplot - user: name: liw diff --git a/ansible/python-mess.yml b/ansible/maybe-someday/python-mess.yml index 3cbdc91..3cbdc91 100644 --- a/ansible/python-mess.yml +++ b/ansible/maybe-someday/python-mess.yml diff --git a/ansible/roadmap-dev.yml b/ansible/maybe-someday/roadmap-dev.yml index ac98d3a..0842792 100644 --- a/ansible/roadmap-dev.yml +++ b/ansible/maybe-someday/roadmap-dev.yml @@ -21,7 +21,6 @@ name: - debhelper - build-essential - - dh-cargo - git - moreutils - python3 diff --git a/ansible/ssh-dev.yml b/ansible/maybe-someday/ssh-dev.yml index 3b05e70..3b05e70 100644 --- a/ansible/ssh-dev.yml +++ b/ansible/maybe-someday/ssh-dev.yml diff --git a/ansible/mirror-git.yml b/ansible/mirror-git.yml index 97810f6..e1e9cb7 100644 --- a/ansible/mirror-git.yml +++ b/ansible/mirror-git.yml @@ -5,7 +5,7 @@ - role: sane_debian_system - role: unix_users - role: self-updating-system - - role: smarthost-client + - role: mail-client tasks: - name: "configure ssh client" copy: diff --git a/ansible/monorepo.liw.fi.yml b/ansible/monorepo.liw.fi.yml new file mode 100644 index 0000000..1f1797d --- /dev/null +++ b/ansible/monorepo.liw.fi.yml 
@@ -0,0 +1,64 @@
+- hosts: monorepo.liw.fi
+ remote_user: root
+ roles:
+ - role: sane_debian_system
+ - role: sshd
+ - role: unix_users
+ - role: apache_server
+ - role: self-updating-system
+ tasks:
+ - apt:
+ name:
+ - git
+ - shell: |
+ a2enmod cgi alias env
+ - copy:
+ content: |
+ <VirtualHost *:80>
+ ServerName monorepo.liw.fi
+ ServerAdmin liw@liw.fi
+ DocumentRoot /var/www/html
+
+ <Directory "/">
+ AllowOverride None
+ Order deny,allow
+ Allow from all
+ </Directory>
+
+ <Location "/>
+ Require all granted
+ </Location>
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ SetEnv GIT_PROJECT_ROOT /home/liw/git
+ SetEnv GIT_HTTP_EXPORT_ALL
+ ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
+ </VirtualHost>
+ dest: /etc/apache2/sites-enabled/000-default.conf
+ - systemd:
+ name: apache2
+ state: restarted
+
+ vars:
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: monorepo
+ sane_debian_system_codename: bookworm
+ sane_debian_system_mirror: deb.debian.org
+
+ unix_users_version: 2
+ unix_users:
+ - username: liw
+ comment: Lars Wirzenius
+ sudo: yes
+
+ letsencrypt: no
+ letsencrypt_email: liw@liw.fi
+ letsencrypt_main_domain: monorepo.liw.fi
+ certbot_debian_release: bookworm
+
+ sshd_version: 1
+ sshd_host_key: "{{ lookup('pipe', 'sshca host private-key monorepo.liw.fi') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 monorepo.liw.fi') }}"
+ sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"
diff --git a/ansible/obnam-bench.yml b/ansible/obnam-bench.yml
index 7b5c393..8e3c84d 100644
--- a/ansible/obnam-bench.yml
+++ b/ansible/obnam-bench.yml
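Review bot: The vhost's `<Directory "/">` block with `Order deny,allow` / `Allow from all` lifts Debian's default deny on the entire filesystem for this site, far wider than the two paths actually served (`/var/www/html` and the `GIT_PROJECT_ROOT` at /home/liw/git); scope it to `<Directory /home/liw/git>` and use the Apache 2.4 form `Require all granted`, since `Order`/`Allow` only work on bookworm through mod_access_compat. `<Location "/>` is missing its closing quote — Apache's tokenizer happens to accept it, but it should read `<Location "/">`. With `GIT_HTTP_EXPORT_ALL` and `letsencrypt: no`, every repository under /home/liw/git is anonymously readable over cleartext HTTP; git-http-backend refuses pushes unless `http.receivepack` is set, so this is read-only, but a comment stating that the repositories are meant to be public would save the next reader checking. The `shell: a2enmod ...` and `systemd: state: restarted` tasks also run on every play; notify a restart handler from the `copy` task instead.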
@@ -39,8 +39,8 @@ - repo: | deb http://security.debian.org/debian-security buster/updates main - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" + - repo: deb http://apt.liw.fi/debian unstable-ci main + signing_key: "{{ apt_liw_fi_signing_key }}" unix_users_version: 2 unix_users: diff --git a/ansible/obnam-dev.yml b/ansible/obnam-dev.yml index 332d3cb..e4c08c1 100644 --- a/ansible/obnam-dev.yml +++ b/ansible/obnam-dev.yml @@ -3,31 +3,22 @@ become: yes roles: - role: sane_debian_system - tags: [sane] - role: sshd - tags: [sshd] - role: comfortable-debian-system - tags: [comfy] - role: version-controller - tags: [vcs] - role: unix_users - tags: [users] - role: rust-rustup - tags: [rustup] - role: liw - tags: [liw] tasks: - apt: name: - build-essential - daemonize - debhelper - - dh-cargo - git - jq - libsqlite3-dev - libssl-dev -# - linux-perf - moreutils - pkg-config - python3 @@ -37,9 +28,6 @@ - strace - subplot - summain - - texlive-fonts-recommended - - texlive-latex-base - - texlive-latex-recommended - sysctl: name: kernel.perf_event_paranoid value: "0" @@ -49,22 +37,22 @@ ansible_python_interpreter: /usr/bin/python3 sane_debian_system_version: 2 - sane_debian_system_hostname: obnam-dev - sane_debian_system_codename: bullseye + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm sane_debian_system_timezone: Europe/Helsinki sane_debian_system_sources_lists: - repo: | deb http://security.debian.org/debian-security buster/updates main - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" + - repo: deb http://apt.liw.fi/debian unstable main + signing_key: "{{ apt_liw_fi_signing_key }}" unix_users_version: 2 unix_users: - username: liw comment: Lars Wirzenius + rustup_cargo_install: | flamegraph sshd_version: 1 - sshd_allow_authorized_keys: yes 
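Review bot: In the last hunk, `sane_debian_system_codename` becomes bookworm but the security source kept as context just below it still reads `deb http://security.debian.org/debian-security buster/updates main` — a suite that no longer exists — so this bookworm box gets no security updates at all; it should be `deb http://security.debian.org/debian-security bookworm-security main`, as radicle-dev.yml in this commit does. Dropping `sshd_allow_authorized_keys: yes` while `sshd_version: 1` stays also changes how SSH logins to the box work; if that is intended, a short comment saying so would help. The play's roles list is outside this hunk.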
diff --git a/ansible/qotom.yml b/ansible/qotom.yml index 8a1cb9f..5fc6875 100644 --- a/ansible/qotom.yml +++ b/ansible/qotom.yml @@ -4,23 +4,21 @@ - role: sane_debian_system - role: sshd - role: ssd - - role: unix_users - role: puomi + tags: [puomi] vars: ansible_python_interpreter: /usr/bin/python3 sane_debian_system_version: 2 sane_debian_system_hostname: "{{ inventory_hostname }}" - sane_debian_system_codename: bullseye + sane_debian_system_codename: bookworm sane_debian_system_timezone: Europe/Helsinki - unix_users_version: 2 - unix_users: - - username: liw - comment: Lars Wirzenius - sshd_version: 1 - sshd_host_key: "{{ lookup('pipe', 'sshca host private-key qotom') }}" - sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 qotom') }}" - sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}" + puomi_version: 1 + puomi_lan_ip: 10.1.1.1 + puomi_dhcp_start: 10.1.1.10 + puomi_dhcp_end: 10.1.1.250 + puomi_dhcp_netmask: 255.255.255.0 + puomi_dhcp_lease: 1h diff --git a/ansible/radicle-dev.yml b/ansible/radicle-dev.yml new file mode 100644 index 0000000..09a3bb2 --- /dev/null +++ b/ansible/radicle-dev.yml 
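Review bot: The `sshd_host_key`, `sshd_host_cert` and `sshd_user_ca_pub` lookups are removed while `sshd_version: 1` and the `sshd` role remain, so this host no longer gets a CA-signed host key or trusts the user CA and falls back to whatever the role does by default — clients relying on `@cert-authority` entries will see a changed, unsigned host key. If the aim was only to retire the v3/v4 CA paths, the v5 ones used by monorepo.liw.fi.yml are the replacement: `sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 qotom') }}"` and `sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"`. Dropping the `unix_users` role and the `liw` account also leaves no visible login user for what looks like the LAN gateway (`puomi_lan_ip: 10.1.1.1`); if the `puomi` role creates one, say so in a comment.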
@@ -0,0 +1,47 @@
+- hosts: radicle-dev
+ remote_user: debian
+ become: yes
+ roles:
+ - role: sane_debian_system
+ - role: sshd
+# - role: comfortable-debian-system
+ - role: unix_users
+ - role: rust-rustup
+ - role: liw
+ tasks:
+ - name: "install important additional packages"
+ apt:
+ name:
+# - asciidoctor
+ - build-essential
+ - curl
+ - git
+ - rsync
+ - screen
+ - moreutils
+ - tree
+# - debhelper
+# - lintian
+# - python3
+# - ripgrep
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
+ sane_debian_system_timezone: Europe/Helsinki
+ sane_debian_system_sources_lists:
+ - repo: |
+ deb http://security.debian.org/debian-security bookworm-security main contrib non-free
+
+ unix_users_version: 2
+ unix_users:
+ - username: liw
+ comment: Lars Wirzenius
+
+ sshd_version: 1
+
+ # rustup_cargo_install: |
+ # starship \
+ # zoxide
diff --git a/ansible/radicle-liw3.yaml b/ansible/radicle-liw3.yaml
new file mode 100644
index 0000000..0ad8a4e
--- /dev/null
+++ b/ansible/radicle-liw3.yaml
@@ -0,0 +1,195 @@ +- hosts: radicle-liw3 + remote_user: debian + become: yes + roles: + - role: sane_debian_system + - role: sshd + - role: comfortable-debian-system + - role: unix_users + - role: rust-rustup + - role: liw + tasks: + - name: "install important additional packages" + apt: + name: + - moreutils + - nmap + - ripgrep + + - name: "install radicle using installer" + shell: | + curl -sSf https://radicle.xyz/install | sudo -u liw bash + + - name: "create directory for Radicle keys" + file: + state: directory + path: /home/liw/.radicle/keys + owner: liw + group: liw + + - name: "install Radicle private key" + copy: + content: | + {{ lookup('pipe', 'pass show radicle/radicle-liw3/key') }} + dest: /home/liw/.radicle/keys/radicle + owner: liw + group: liw + mode: 0600 + + - name: "install Radicle public key" + copy: + content: | + {{ lookup('pipe', 'pass show radicle/radicle-liw3/key.pub') }} + dest: /home/liw/.radicle/keys/radicle.pub + owner: liw + group: liw + mode: 0644 + + - name: "install script to install Radicle CI stuff" + copy: + content: | + #!/bin/bash + set -xeuo pipefail + + clone_install() { + local url dir root + url="$1" + dir="$2" + root="$3" + + if [ ! -e "$dir" ]; then + git clone "$url" "$dir" + else + (cd "$dir" && git pull) + fi + + (cd "$dir" && cargo install --path=. 
--root="$root") + } + + clone_install https://radicle.liw.fi/zwTxygwuz5LDGBq255RA2CbNGrz8.git radicle-ci-broker "$(pwd)/root" + clone_install https://radicle.liw.fi/z3qg5TKmN83afz2fj9z3fQjU8vaYE.git radicle-native-ci "$(pwd)/root" + + install root/bin/* $HOME/bin + dest: /home/liw/install-radicle-ci + owner: liw + group: liw + mode: 0755 + + - name: "install Radicle CI stuff" + shell: | + sudo -i -u liw bash -c 'cd /home/liw && install -d bin && ./install-radicle-ci' + + - name: "install systemd unit for Radicle node" + copy: + content: | + [Unit] + After=syslog.target network.target + Description=Radicle Node + + [Service] + Type=simple + ExecStart=/home/liw/.radicle/bin/radicle-node --listen 0.0.0.0:8776 + Environment=RAD_HOME=/home/liw/.radicle + KillMode=process + Restart=never + RestartSec=1 + User=liw + Group=liw + + [Install] + WantedBy=default.target + dest: /lib/systemd/system/radicle-node.service + + - name: "enable systemd unit for Radicle node" + systemd: + name: radicle-node + state: restarted + masked: no + enabled: yes + daemon_reload: yes + + - name: "install Radicle CI broker config" + copy: + content: | + default_adapter: native + adapters: + native: + command: /home/liw/bin/radicle-native-ci + env: + RADICLE_NATIVE_CI: /home/liw/native-ci.yaml + filters: + - !And + - !Repository "rad:zZnk3hS8C3WAhnv7mWcCUToCqpBs" + - !AnyPatch + dest: /home/liw/ci-broker.yaml + owner: liw + group: liw + mode: 0644 + + - name: "create state directory for Radicle native CI" + file: + state: directory + path: /home/liw/native-ci.state + owner: liw + group: liw + mode: 0755 + + - name: "install Radicle native CI config" + copy: + content: | + state: /home/liw/native-ci.state + dest: /home/liw/native-ci.yaml + owner: liw + group: liw + mode: 0644 + + - name: "install systemd unit for Radicle CI broker" + copy: + content: | + [Unit] + After=radicle-node.service + Description=Radicle CI broker + + [Service] + Type=simple + Environment=RAD_HOME=/home/liw/.radicle + 
Environment=RUST_LOG=trace + ExecStart=bash -c '/home/liw/bin/ci-broker /home/liw/ci-broker.yaml >> /home/liw/broker.log' + KillMode=process + Restart=never + RestartSec=1 + User=liw + Group=liw + + [Install] + WantedBy=default.target + dest: /lib/systemd/system/radicle-ci-broker.service + + - name: "enable systemd unit for Radicle CI broker" + systemd: + name: radicle-ci-broker + state: restarted + masked: no + enabled: yes + daemon_reload: yes + + vars: + ansible_python_interpreter: /usr/bin/python3 + + sane_debian_system_version: 2 + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm + sane_debian_system_timezone: Europe/Helsinki + sane_debian_system_sources_lists: + - repo: | + deb http://security.debian.org/debian-security bookworm-security main contrib non-free + + unix_users_version: 2 + unix_users: + - username: liw + comment: Lars Wirzenius + + sshd_version: 1 + + rustup_cargo_install: | + starship diff --git a/ansible/radicle-multi.yml b/ansible/radicle-multi.yml new file mode 100644 index 0000000..b63660c --- /dev/null +++ b/ansible/radicle-multi.yml 
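Review bot: `curl -sSf https://radicle.xyz/install | sudo -u liw bash` runs an unpinned, unverified installer as the node's user on every play (no `creates:`, no version or checksum check), so whoever controls that URL — now or after a compromise — gets code execution on the host that holds the node's private key installed a few lines later; pin a release artifact with a checksum, or install the `radicle` package from apt.liw.fi as radicle-multi.yml does, and at least add `args: {creates: /home/liw/.radicle/bin/rad}`. The clone-and-`cargo install` script has the same shape: it builds whatever HEAD of the two repos is at play time with no commit pin or signature check. The two key-copy tasks need `no_log: true`, otherwise `--diff` or a failed run prints the private key. `Restart=never` is not a valid systemd value (`no`, `always`, `on-failure`, …) and is ignored with a warning; given `RestartSec=1`, `Restart=on-failure` was probably meant, in both units.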
@@ -0,0 +1,49 @@
+- hosts: radicle-multi
+ remote_user: debian
+ become: yes
+ roles:
+ - role: sane_debian_system
+ - role: sshd
+ - role: comfortable-debian-system
+ - role: unix_users
+ - role: liw
+ tasks:
+ - name: "disable access to seed.radicle.garden in DNS"
+ lineinfile:
+ path: /etc/hosts
+ regex: seed.radicle.garden
+ line: 127.0.0.1 seed.radicle.garden
+
+ - name: "disable access to seed.radicle.xyz in DNS"
+ lineinfile:
+ path: /etc/hosts
+ regex: seed.radicle.xyz
+ line: 127.0.0.1 seed.radicle.xyz
+
+ - name: "install important additional packages"
+ apt:
+ name:
+ - curl
+ - jq
+ - moreutils
+ - radicle
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
+ sane_debian_system_timezone: Europe/Helsinki
+ sane_debian_system_sources_lists:
+ - repo: |
+ deb http://security.debian.org/debian-security bookworm-security main contrib non-free
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
+
+ unix_users_version: 2
+ unix_users:
+ - username: liw
+ comment: Lars Wirzenius
+ sudo: yes
+
+ sshd_version: 1
diff --git a/ansible/radicle-other-node.yml b/ansible/radicle-other-node.yml
new file mode 100644
index 0000000..658fbc0
--- /dev/null
+++ b/ansible/radicle-other-node.yml
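Review bot: The two `/etc/hosts` tasks say what they do but not why; a comment such as `# keep this test node from reaching the public seeds — TODO confirm intent` above the first one would save the next reader guessing, and the task names overstate it slightly, since pointing the names at 127.0.0.1 only defeats name resolution, not connections to the seeds' IP addresses. `regex: seed.radicle.garden` is unanchored with unescaped dots; `regexp: 'seed\.radicle\.garden'` is tighter, and `regexp` is the documented parameter name (`regex` is an alias).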
@@ -0,0 +1,148 @@ +- hosts: radicle-other-node + remote_user: debian + become: yes + roles: + - role: sane_debian_system + - role: sshd + - role: unix_users + - role: rust-rustup + - role: liw + tasks: + - apt: + name: + - curl + - git + - jq + - man-db + - psmisc + - rsync + - screen + - sqlite3 + - vim + - w3m + + - name: "install radicle using installer" + shell: | + filename="/home/liw/.radicle/bin/rad" + + install=false + if [ ! -e "$filename" ]; then + install=true + else + weekago="$(date -d 'week ago' +%s)" + mtime="$(stat -c %Y "$filename")" + if [ "$mtime" -lt "$weekago" ]; then + install=true + fi + fi + + if $install; then + curl -sSf https://radicle.xyz/install | sudo -u liw bash + fi + + - name: "create liw/.radicle/keys" + file: + state: directory + path: /home/liw/.radicle/keys + owner: liw + group: liw + mode: 0755 + + - name: "install radicle private key" + copy: + content: "{{ radicle_key }}" + dest: /home/liw/.radicle/keys/radicle + owner: liw + group: liw + mode: 0600 + + - name: "install radicle public key" + copy: + content: "{{ radicle_pub }}" + dest: /home/liw/.radicle/keys/radicle.pub + owner: liw + group: liw + mode: 0644 + + - name: "configure rad" + copy: + content: | + { + "publicExplorer": "https://app.radicle.xyz/nodes/$host/$rid$path", + "preferredSeeds": [ + ], + "web": { + "pinned": { + "repositories": [] + } + }, + "cli": { + "hints": true + }, + "node": { + "alias": "liw-other-node", + "listen": [], + "peers": { + "type": "dynamic", + "target": 8 + }, + "connect": [ + "z6MkfXa53s1ZSFy8rktvyXt5ADCojnxvjAoQpzajaXyLqG5n@radicle.liw.fi:8776" + ], + "externalAddresses": [], + "network": "main", + "relay": true, + "limits": { + "routingMaxSize": 1000, + "routingMaxAge": 604800, + "gossipMaxAge": 1209600, + "fetchConcurrency": 1, + "maxOpenFiles": 4096, + "rate": { + "inbound": { + "fillRate": 0.2, + "capacity": 32 + }, + "outbound": { + "fillRate": 1.0, + "capacity": 64 + } + } + }, + "policy": "block", + "scope": "followed" + } + } + 
dest: /home/liw/.radicle/config.json + owner: liw + group: liw + mode: 0644 + + - name: "create /srv/http" + file: + state: directory + path: /srv/http + owner: liw + group: liw + mode: 0o755 + + vars: + sane_debian_system_version: 2 + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm + sane_debian_system_timezone: Europe/Helsinki + sane_debian_system_sources_lists: + - repo: | + deb http://security.debian.org/debian-security bookworm-security main + + - repo: deb http://apt.liw.fi/debian unstable main + signing_key: "{{ apt_liw_fi_signing_key }}" + + unix_users_version: 2 + unix_users: + - username: liw + + sshd_version: 1 + + radicle_key: "{{ lookup('pipe', 'pass radicle/radicle-other-node/key') }}" + radicle_pub: "{{ lookup('pipe', 'pass radicle/radicle-other-node/key.pub') }}" diff --git a/ansible/radicle-test.yml b/ansible/radicle-test.yml new file mode 100644 index 0000000..31f627a --- /dev/null +++ b/ansible/radicle-test.yml @@ -0,0 +1,43 @@ +- hosts: radicle-test + remote_user: debian + become: yes + roles: + - role: sane_debian_system + - role: sshd + - role: unix_users + - role: liw + - role: rust-rustup + tasks: + - apt: + name: + - git + - moreutils + - psmisc + - rsync + - screen + + - copy: + content: | + * hard nofile 4000 + dest: /etc/security/limits.d/nofile.conf + + vars: + ansible_python_interpreter: /usr/bin/python3 + + sane_debian_system_version: 2 + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm + sane_debian_system_timezone: Europe/Helsinki + sane_debian_system_sources_lists: + - repo: | + deb http://security.debian.org/debian-security bookworm-security main contrib non-free + - repo: | + deb http://apt.liw.fi/debian unstable main + signing_key: "{{ apt_liw_fi_signing_key }}" + + unix_users_version: 2 + unix_users: + - username: liw + comment: Lars Wirzenius + + sshd_version: 1 
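Review bot: The installer task re-runs `curl -sSf https://radicle.xyz/install | sudo -u liw bash` whenever `rad` is more than a week old, so this node auto-updates weekly from an unpinned, unverified script with no checksum or signature; the same commit adds a `radicle` package that radicle-multi.yml installs (presumably from apt.liw.fi), and that route with unattended-upgrades gives the same freshness with signed packages. The "install radicle private key" task needs `no_log: true` so the key is not echoed in diff or failure output. `mode: 0o755` on /srv/http works only because Ansible parses the string with base 8; every other task here writes `0755`, so use one form. This play also lacks the `ansible_python_interpreter` setting the sibling playbooks carry.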
diff --git a/ansible/radicle-verify b/ansible/radicle-verify
new file mode 100755
index 0000000..da8fba9
--- /dev/null
+++ b/ansible/radicle-verify
@@ -0,0 +1,83 @@ +#!/usr/bin/python3 + +import argparse +import shlex +import subprocess + + +def debug(msg): + if False: + print(msg) + + +class RadicleHost: + def __init__(self, host=None, ssh_user=None, rad_user=None): + assert host is not None + self.host = host + + assert ssh_user is not None + self.ssh_user = ssh_user + + assert rad_user is not None + self.rad_user = rad_user + + self._path = None + + def _ssh(self, caller_args, as_rad_user=True): + base_argv = ["ssh", f"{self.ssh_user}@{self.host}"] + sudo_argv = ["sudo", "-u", self.rad_user] + + if self._path is None: + path_argv = base_argv + sudo_argv + ["env"] + debug(f"PATH_ARGV: {path_argv!r}") + p = subprocess.run( + path_argv, + check=True, + capture_output=True, + ) + path = [ + line.strip() + for line in p.stdout.decode().splitlines() + if line.startswith("PATH=") + ][0][len("PATH=") :] + self._path = f"/home/{self.rad_user}/.radicle/bin:{path}" + + argv = base_argv + if as_rad_user: + argv += sudo_argv + ["env", f"PATH={self._path}"] + argv += [shlex.quote(a) for a in caller_args] + debug(f"ARGV: {argv!r}") + p = subprocess.run( + argv, + capture_output=True, + ) + if p.returncode != 0: + raise Exception( + f"ssh failed, exit code {p.returncode}:\n{p.stderr.decode()}" + ) + return p.stdout.decode() + + def can_become_rad_user(self): + out = self._ssh(["id", "-nu"]) + assert out.strip() == self.rad_user + print("OK: can become rad user") + + def node_is_running(self): + out = self._ssh(["env", "TERM=dumb", "rad", "node", "status"]) + assert "is running" in out.splitlines()[0] + print("OK: node is running") + + +def main(): + p = argparse.ArgumentParser() + p.add_argument("--host", required=True) + p.add_argument("--ssh-user", required=True) + p.add_argument("--rad-user", default="_rad") + args = p.parse_args() + rad = RadicleHost(host=args.host, ssh_user=args.ssh_user, rad_user=args.rad_user) + + rad.can_become_rad_user() + rad.node_is_running() + + +main() 
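Review bot: `can_become_rad_user` and `node_is_running` validate with bare `assert`, which is stripped under `python3 -O` and on failure shows only a traceback; replace each with an explicit check that reports what was expected, e.g. `if out.strip() != self.rad_user: sys.exit(f"expected {self.rad_user}, got {out.strip()!r}")` (adding `import sys`). In `_ssh`, the PATH lookup does `[...][0]` and `node_is_running` does `out.splitlines()[0]`, both of which raise a bare `IndexError` on empty output. `f"PATH={self._path}"` is handed to the remote shell unquoted while every caller argument goes through `shlex.quote`; quote it too. The unconditional `main()` at module level also runs on import; `if __name__ == "__main__": main()` is the usual form.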
diff --git a/ansible/radicle.liw.fi.yml b/ansible/radicle.liw.fi.yml
new file mode 100644
index 0000000..479242d
--- /dev/null
+++ b/ansible/radicle.liw.fi.yml
@@ -0,0 +1,116 @@ +- hosts: radicle.liw.fi + remote_user: root + become: yes + roles: + - role: sane_debian_system + - role: sshd + - role: unix_users + - role: rust-rustup + - role: radicle_node + tasks: + - name: "install convenience packages" + apt: + name: + - jq + - moreutils + - psmisc + vars: + ansible_python_interpreter: /usr/bin/python3 + + sane_debian_system_version: 2 + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm + sane_debian_system_timezone: Europe/Helsinki + sane_debian_system_sources_lists: + - repo: | + deb http://security.debian.org/debian-security bookworm-security main contrib non-free + - repo: deb http://apt.liw.fi/debian unstable main + signing_key: "{{ apt_liw_fi_signing_key }}" + + unix_users_version: 2 + unix_users: + - username: _rad + comment: Radicle node + + sshd_version: 1 + + radicle_node_version: 1 + radicle_node_key: "{{ lookup('pipe', 'pass radicle/radicle.liw.fi/key') }}" + radicle_node_key_pub: "{{ lookup('pipe', 'pass radicle/radicle.liw.fi/key.pub') }}" + radicle_node_connections: + - nid: z6MkhfTshN2uPFBGcxBsZW7Mbof1TgkphBqr5dFTWd1hbNUq + host: seed.liw.fi + port: 8776 + radicle_node_repositories: + # heartwood + - rid: "rad:z3gqcJUoA1n9HaHKufZs5FCSGazv5" + + # pathdedup test repo + - rid: "rad:zZnk3hS8C3WAhnv7mWcCUToCqpBs" + + # ansibleness + - rid: "rad:z3sckw1Xm8j5URDJz1zeESHfFYDEc" + + # debian-ansible + - rid: "rad:z3LXXus6Wu93LuSuuuSBPcFkDiyCW" + + # html-page + - rid: "rad:z2i9UF8soK1X6L9hae8UcQPSvdHjW" + + # liw-dot-files + - rid: "rad:z2xcsrnG8dC76bkxXsASZbWGH5N2w" + + # radicle-stress-test + - rid: "rad:z2HXqzZMRhZUiYm33pLgYfqBgcGCj" + + # radicle-ci-broker + - rid: "rad:zwTxygwuz5LDGBq255RA2CbNGrz8" + + # radicle-native-ci + - rid: "rad:z3qg5TKmN83afz2fj9z3fQjU8vaYE" + + # riki + - rid: "rad:zw9BgStPgCkdsMspzs7EGbwnXq3r" + + # wumpus hunter + - rid: "rad:zd4kAF7rQFKbCHAdbcF6zVkx8MyN" + + # missing-dependencies + - rid: "rad:z3PKKNstRjLYqhvGq9rxGy7LoEVr5" + + # 
vmdb2 + - rid: "rad:z2kxCtBwDQMPcaf9vGTNH5nYkp9qk" + + # vmdb2-web + - rid: "rad:z2mn6wzpVAuJoeWx7TZo33nCHuDfQ" + radicle_node_domain_name: radicle.liw.fi + radicle_node_ci_domain_name: ci.radicle.liw.fi + radicle_node_ci_broker_config: | + db: /home/_rad/ci-broker.db + report_dir: /srv/http + default_adapter: native + adapters: + native: + command: /bin/radicle-native-ci + env: + RADICLE_NATIVE_CI: /home/_rad/native-ci.yaml + filters: + - !Or + - !And + - !Repository "rad:zZnk3hS8C3WAhnv7mWcCUToCqpBs" + - !AnyPatch + - !And + - !Repository "rad:z3gqcJUoA1n9HaHKufZs5FCSGazv5" + - !AnyPatch + - !And + - !Repository "rad:zwTxygwuz5LDGBq255RA2CbNGrz8" + - !AnyPatch + - !And + - !Repository "rad:z3qg5TKmN83afz2fj9z3fQjU8vaYE" + - !AnyPatch + radicle_node_policy: block + radicle_node_scope: all + + # radicle_node_backup: /home/liw/data/radicle.liw.fi/. + + rust_rustup_user: _rad diff --git a/ansible/rikiwiki-dev.yml b/ansible/riki-dev.yml index 79c7139..67b9b9b 100644 --- a/ansible/rikiwiki-dev.yml +++ b/ansible/riki-dev.yml @@ -1,4 +1,4 @@ -- hosts: rikiwiki-dev +- hosts: riki-dev remote_user: debian become: yes roles: @@ -18,22 +18,8 @@ - apt: name: - build-essential - - daemonize - debhelper - - dh-cargo - - graphviz - - librsvg2-bin - - linux-perf - - lmodern - pandoc - - pandoc-citeproc - - plantuml - - python3 - - python3-requests - - texlive-fonts-recommended - - texlive-latex-base - - texlive-latex-recommended - - texlive-plain-generic - sysctl: name: kernel.perf_event_paranoid value: "0" 
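Review bot: The broker filters trigger on `!AnyPatch` for four repositories, including heartwood (`rad:z3gqcJUoA1n9HaHKufZs5FCSGazv5`), so any patch anyone pushes to those public repos is built by `radicle-native-ci` on this host; whether that adapter isolates the build is decided in the `radicle_node` role, which this diff does not show, so the playbook should state the assumption, e.g. `# CI builds untrusted patches; isolation is the role's job — verify` above `radicle_node_ci_broker_config`. `remote_user: root` plus `become: yes` is redundant. `command: /bin/radicle-native-ci` differs from the `/home/liw/bin/...` path radicle-liw3.yaml uses — presumably the packaged binary — and deserves a comment too.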
@@ -43,15 +29,15 @@ ansible_python_interpreter: /usr/bin/python3 sane_debian_system_version: 2 - sane_debian_system_hostname: rikiwiki-dev - sane_debian_system_codename: bullseye + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm sane_debian_system_timezone: Europe/Helsinki sane_debian_system_sources_lists: - repo: | deb http://security.debian.org/debian-security bullseye-security main contrib non-free - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" + - repo: deb http://apt.liw.fi/debian unstable-ci main + signing_key: "{{ apt_liw_fi_signing_key }}" unix_users_version: 2 unix_users: diff --git a/ansible/roles/apt-repository/files/process-incoming b/ansible/roles/apt-repository/files/process-incoming new file mode 100644 index 0000000..b668c88 --- /dev/null +++ b/ansible/roles/apt-repository/files/process-incoming @@ -0,0 +1,13 @@ +#!/bin/bash + +( + # sleep for a few seconds so that dput has time to chmod the uploaded + # file. + sleep 10 + date + echo "Processing incoming" + reprepro -v -b /srv/apt processincoming default + reprepro -v -b /srv/apt export + rm -f incoming/*.buildinfo + echo "Finished processing incoming" +) 2>&1 >>/home/apt/reprepro.log diff --git a/ansible/roles/apt-repository/handlers/main.yml b/ansible/roles/apt-repository/handlers/main.yml new file mode 100644 index 0000000..a7ec2ee --- /dev/null +++ b/ansible/roles/apt-repository/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart apache2 + service: + name: apache2 + state: restarted diff --git a/ansible/roles/apt-repository/tasks/main.yml b/ansible/roles/apt-repository/tasks/main.yml new file mode 100644 index 0000000..6bf8412 --- /dev/null +++ b/ansible/roles/apt-repository/tasks/main.yml 
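Review bot: `sane_debian_system_codename` moves to bookworm, but the security source in the context line just above it still reads `bullseye-security`, so this box would run bookworm with bullseye's security feed; change it to `deb http://security.debian.org/debian-security bookworm-security main contrib non-free`, as radicle-dev.yml in this commit does. The `unstable-ci` suite on apt.liw.fi also differs from the `unstable` suite the other dev playbooks now use; worth confirming both exist on the new repository.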
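Review bot: The redirection `2>&1 >>/home/apt/reprepro.log` is the wrong way round — stderr is joined to the original stdout before stdout is moved to the log, so reprepro's errors never reach the file; write `>>/home/apt/reprepro.log 2>&1`. `rm -f incoming/*.buildinfo` is relative to whatever working directory incrond gives the job, not `/srv/apt/incoming`, so it removes nothing or the wrong files — use the absolute path. IN_CLOSE_WRITE fires once per uploaded file, so one dput upload starts several overlapping copies of this script ten seconds apart; wrapping the subshell in `flock /srv/apt/incoming.lock` (or reacting only to `*.changes`) serializes them. `set -euo pipefail` at the top would also stop `reprepro export` from running after a failed `processincoming`.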
@@ -0,0 +1,133 @@ +- name: "install software needed for APT repository management" + apt: + name: + - apache2 + - incron + - reprepro + +- name: "create root directory for APT repository" + file: + state: directory + path: /srv/apt + owner: apt + group: apt + mode: 0755 + +- name: "create incoming directory for APT repository" + file: + state: directory + path: /srv/apt/incoming + owner: apt + group: incoming + mode: 0775 + +- name: "create .gnupg for apt user" + file: + state: directory + dest: /home/apt/.gnupg + owner: apt + group: apt + mode: 0700 + +- name: "install temporary copies of gpg keys for repository signing" + copy: + content: "{{ item.content }}" + dest: "/home/apt/{{ item.name }}" + owner: apt + group: apt + mode: 0600 + with_items: + - content: "{{ apt_signing_key }}" + name: key + - content: "{{ apt_signing_key_pub }}" + name: key.pub + +- name: "import gpg keys for apt" + shell: | + cd /home/apt + sudo -u apt gpg --import key key.pub + +- name: "delete temporary copies of keys" + file: + dest: "/home/apt/{{ item }}" + state: absent + with_items: + - key + - key.pub + +- name: "allow apt user to use incron" + lineinfile: + dest: /etc/incron.allow + line: apt + +- name: "crate reprepro configuration directory" + file: + path: /srv/apt/conf + state: directory + +- name: "create reprepro temp directory" + file: + state: directory + dest: /srv/apt/tmp + owner: apt + group: apt + mode: 0755 + +- name: "configure reprepro distributions" + template: + src: distributions.j2 + dest: /srv/apt/conf/distributions + +- name: "configure reprepro uploaders" + template: + src: uploaders.j2 + dest: /srv/apt/conf/uploaders + +- name: "configure reprepro incoming" + template: + src: incoming.j2 + dest: /srv/apt/conf/incoming + owner: apt + group: incoming + mode: 01777 + +- name: "create web root directory" + file: + state: directory + path: /srv/http + +- name: "install an index page in the web root directory" + copy: + content: | + {{ apt_index_content }} + dest: 
/srv/http/index.html + +- name: "configure apache to server APT repository over http" + template: + src: 000-default.conf + dest: /etc/apache2/sites-enabled/000-default.conf + owner: root + group: root + mode: 0644 + notify: restart apache2 + +- name: "install script to process uploads to APT" + copy: + src: process-incoming + dest: /home/apt/process-incoming + owner: apt + group: apt + mode: 0755 + +- name: "create incrontab for apt" + copy: + content: | + /srv/apt/incoming IN_CLOSE_WRITE /home/apt/process-incoming + dest: /home/apt/incrontab + owner: apt + group: apt + mode: 0644 + +- name: "set up incrontab for processing incoming uploads" + shell: | + sudo -u apt incrontab /home/apt/incrontab diff --git a/ansible/roles/apt-repository/templates/000-default.conf b/ansible/roles/apt-repository/templates/000-default.conf new file mode 100644 index 0000000..b62e1fd --- /dev/null +++ b/ansible/roles/apt-repository/templates/000-default.conf @@ -0,0 +1,18 @@ +<VirtualHost _default_> + ServerAdmin {{ apt_admin_email }} + + DocumentRoot /srv/http + Alias "/debian" "/srv/apt" + + <Directory /srv/http> + Require all granted + </Directory> + + <Directory /srv/apt> + Options +Indexes + Require all granted + </Directory> + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined +</VirtualHost> diff --git a/ansible/roles/apt-repository/templates/distributions.j2 b/ansible/roles/apt-repository/templates/distributions.j2 new file mode 100644 index 0000000..ab3f861 --- /dev/null +++ b/ansible/roles/apt-repository/templates/distributions.j2 @@ -0,0 +1,12 @@ +{% for dist in apt_distributions %} + +Codename: {{ dist.codename }} +Suite: {{ dist.codename }} +Origin: {{ apt_domain }} +Description: {{ dist.description }} +Architectures: source {{ dist.architectures|default('amd64') }} +Components: {{ dist.components|default('main') }} +Uploaders: uploaders +Tracking: keep +SignWith: {{ apt_signing_key_fingerprint }} +{% endfor %} 
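Review bot: `/srv/apt/conf/incoming` is written with `mode: 01777` — world-writable plus sticky bit — but it is a reprepro configuration file (it decides which distributions `processincoming` accepts), not a spool directory, so any local account can rewrite it; `mode: 0644` with `owner: apt`, like the other two templates, is what it needs. The task that copies `apt_signing_key` to disk should set `no_log: true`, since Ansible otherwise prints the private signing key in `--diff` output and on failure. The `gpg --import` shell step runs on every play; a guard on the key being present in the keyring, or `changed_when: false`, would keep it quiet.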
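Review bot: `Alias "/debian" "/srv/apt"` together with `Options +Indexes` publishes the whole repository tree, so `/debian/conf/` (the uploaders policy and signing fingerprint), `/debian/db/`, `/debian/tmp/` and the `incoming/` spool with half-processed uploads are all browsable; only `dists/` and `pool/` should be reachable. Either alias those two directories individually or add a `<DirectoryMatch "^/srv/apt/(conf|db|incoming|tmp)">` section containing `Require all denied` inside the vhost. `<VirtualHost _default_>` without a port is unusual; `_default_:80` (or `*:80`) says what was meant.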
diff --git a/ansible/roles/apt-repository/templates/incoming.j2 b/ansible/roles/apt-repository/templates/incoming.j2 new file mode 100644 index 0000000..548c44b --- /dev/null +++ b/ansible/roles/apt-repository/templates/incoming.j2 @@ -0,0 +1,5 @@ +Name: default +IncomingDir: incoming +TempDir: tmp +Cleanup: on_error +Allow: {% for dist in apt_distributions %} {{ dist.codename }} {% endfor %} diff --git a/ansible/roles/apt-repository/templates/uploaders.j2 b/ansible/roles/apt-repository/templates/uploaders.j2 new file mode 100644 index 0000000..0891e6d --- /dev/null +++ b/ansible/roles/apt-repository/templates/uploaders.j2 @@ -0,0 +1 @@ +allow * by unsigned diff --git a/ansible/roles/debian-mirror/files/mirror-debian b/ansible/roles/debian-mirror/files/mirror-debian index 93eca56..29ff019 100644 --- a/ansible/roles/debian-mirror/files/mirror-debian +++ b/ansible/roles/debian-mirror/files/mirror-debian @@ -11,7 +11,7 @@ debmirror \ --rsync-extra=trace \ --arch=amd64 \ --getcontents \ - --dist=bullseye \ + --dist=stable \ -v \ "$mirror_root" diff --git a/ansible/roles/debian-mirror/tasks/main.yml b/ansible/roles/debian-mirror/tasks/main.yml index 71b7e0c..0c68110 100644 --- a/ansible/roles/debian-mirror/tasks/main.yml +++ b/ansible/roles/debian-mirror/tasks/main.yml @@ -2,6 +2,7 @@ apt: name: - debmirror + - screen - name: "install mirror-debian script" copy: @@ -9,12 +10,19 @@ dest: /usr/local/bin mode: 0755 +- name: "create directory for mirror" + file: + state: directory + path: /srv/http/debmirror/debian + owner: debmirror + group: debmirror + - name: "install cronjob for mirroring Debian" cron: name: "mirror Debian" user: debmirror minute: "0" - hour: "5,19" + hour: "12" job: "/usr/local/bin/mirror-debian /srv/http/debmirror/debian" - name: "set MAILTO in crontab" @@ -23,4 +31,3 @@ env: yes name: MAILTO value: root - diff --git a/ansible/roles/emacs/tasks/main.yml b/ansible/roles/emacs/tasks/main.yml index 81962f4..e21ab48 100644 
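Review bot: `allow * by unsigned` makes reprepro accept unsigned `.changes` for any source into any distribution, so the only control between an attacker and a package that the repository then signs with the `SignWith` key is write access to `/srv/apt/incoming`, i.e. membership in the `incoming` group. Since dput uploads are normally signed anyway, `allow * by key <uploader-fingerprint>` would have reprepro verify the uploader instead of trusting the spool; whichever is chosen, a comment on this line stating that the `incoming` group is the trust boundary is needed.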
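Review bot: Switching `--dist=bullseye` to `--dist=stable` makes the mirror track a moving target: on the next Debian release day it starts pulling the new stable and, with debmirror's default cleanup, drops the old one, while clients that pin the old codename break. Pin the codename (`--dist=bookworm`) and bump it deliberately, or carry both (`--dist=bullseye,bookworm`) through a transition.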
--- a/ansible/roles/emacs/tasks/main.yml +++ b/ansible/roles/emacs/tasks/main.yml @@ -2,9 +2,4 @@ apt: name: - emacs - - emacs-goodies-el - debian-el - - elpa-markdown-mode - - elpa-magit - - yaml-mode - - elpa-go-mode diff --git a/ansible/roles/gnome-system/tasks/main.yml b/ansible/roles/gnome-system/tasks/main.yml index 4c4c587..0d4dca7 100644 --- a/ansible/roles/gnome-system/tasks/main.yml +++ b/ansible/roles/gnome-system/tasks/main.yml @@ -12,7 +12,7 @@ - keepass2 # - revelation # - mumble - - gnome-shell-timer +# - gnome-shell-timer - fonts-freefont-ttf - fonts-symbola - fonts-inconsolata @@ -53,15 +53,27 @@ - system-config-printer - darktable - - flatpak - gnome-software-plugin-flatpak - libreoffice + - gnome-shell-extension-manager + # This seems to be wanted by something in the GNOME app stack. # Installing it will stop a lot of apps from whinging at startup. - libcanberra-gtk-module +- name: "add flatpak from backports" + shell: | + DEBIAN_FRONTEND=noninteractive \ + apt-get install -y flatpak + - name: Add flathub shell: | flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo + +- name: install flatpaks from flathub + shell: | + flatpak install --system --app --noninteractive flathub org.mozilla.firefox + flatpak install --system --app --noninteractive flathub org.signal.Signal + flatpak install --system --app --noninteractive flathub org.telegram.desktop diff --git a/ansible/roles/holywood2/files/exports b/ansible/roles/holywood2/files/exports index 92dc38d..f90ff7c 100644 --- a/ansible/roles/holywood2/files/exports +++ b/ansible/roles/holywood2/files/exports 
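Review bot: The task named "add flatpak from backports" runs plain `apt-get install -y flatpak`, which installs bookworm's flatpak, not the backports one; if backports is wanted the command needs `-t bookworm-backports` and a backports source, otherwise rename the task and put `flatpak` back into the `apt:` list it was removed from. The new `flatpak install` shell task reports changed on every run; `changed_when: false` or a `flatpak info` guard would fix that. Adding Flathub as a system-wide remote makes it a trusted software source for this desktop — fine, but worth saying in a comment.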
@@ -1,6 +1,8 @@ /mnt/soile/pupu 10.0.0.0/24(rw,nohide,async,no_subtree_check,insecure) /mnt/soile/pupu 10.1.1.0/24(rw,nohide,async,no_subtree_check,insecure) /mnt/soile/pupu 10.2.2.0/24(rw,nohide,async,no_subtree_check,insecure) +/mnt/soile/pupu 10.3.1.0/24(rw,nohide,async,no_subtree_check,insecure) /mnt/media 10.0.0.0/24(ro,nohide,async,no_subtree_check,insecure) /mnt/media 10.1.1.0/24(ro,nohide,async,no_subtree_check,insecure) /mnt/media 10.2.2.0/24(ro,nohide,async,no_subtree_check,insecure) +/mnt/media 10.3.1.0/24(ro,nohide,async,no_subtree_check,insecure) diff --git a/ansible/roles/holywood2/tasks/main.yml b/ansible/roles/holywood2/tasks/main.yml index 1da48db..b67ae16 100644 --- a/ansible/roles/holywood2/tasks/main.yml +++ b/ansible/roles/holywood2/tasks/main.yml @@ -8,11 +8,11 @@ src: ssh-config dest: /home/root/.ssh/config -- name: symlink /root/.ssh to /home/root/.ssh - file: - state: link - src: /home/root/.ssh - path: /root/.ssh +# - name: symlink /root/.ssh to /home/root/.ssh +# file: +# state: link +# src: /home/root/.ssh +# path: /root/.ssh - name: create soile group group: @@ -65,3 +65,12 @@ owner: root group: root mode: 0755 + +- name: install SSH client config + copy: + content: | + Host nalanda + hostname nalanda.liw.fi + ProxyJump exolobe2 + dest: /root/.ssh/config + mode: 0644 diff --git a/ansible/roles/liw/tasks/main.yml b/ansible/roles/liw/tasks/main.yml index 99f1b47..916d140 100644 --- a/ansible/roles/liw/tasks/main.yml +++ b/ansible/roles/liw/tasks/main.yml 
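Review bot: Commenting out the symlink task does not remove a `/root/.ssh -> /home/root/.ssh` link already present on the host, so the new `copy` to `/root/.ssh/config` writes straight through it into `/home/root/.ssh/config`, clobbering the file the earlier `ssh-config` task installs there (context above). If the link is meant to go, remove it explicitly (a `stat` on `/root/.ssh` followed by `file: state: absent` only when `islnk`), and have the new task create `/root/.ssh` with `mode: 0700` first, since `copy` does not create parent directories. `0600` is also the conventional mode for a root SSH client config rather than `0644`.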
@@ -8,6 +8,21 @@ sudo -u liw -i bash -c "pwd && ./liw-dot-files/make-symlinks" sudo -u liw -i bash -c "ln -nsf liw-dot-files/gitconfig-exolobe1 .gitconfig" +- name: "make sure ~liw/.ssh/known_hosts exists" + shell: | + dir=/home/liw/.ssh + k="$dir/known_hosts" + if ! [ -e "$dir" ]; then install -d -o liw -g liw -m 0755 "$dir"; fi + if ! [ -e "$k" ]; then touch "$k"; fi + +- name: "configure liw SSH known hosts" + lineinfile: + line: "@cert-authority * ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIW1QmBC3OLsjpUv1gIYBHSN5tWhPOHHzDIXgj8d1Hg1" + path: /home/liw/.ssh/known_hosts + owner: liw + group: liw + mode: 0644 + - name: "create ~liw/src and ~liw/cargo" file: state: directory diff --git a/ansible/roles/smarthost-client/files/aliases b/ansible/roles/mail-client/files/aliases index 040d695..040d695 100644 --- a/ansible/roles/smarthost-client/files/aliases +++ b/ansible/roles/mail-client/files/aliases diff --git a/ansible/roles/mail-client/tasks/main.yml b/ansible/roles/mail-client/tasks/main.yml index 63df37e..ba40678 100644 --- a/ansible/roles/mail-client/tasks/main.yml +++ b/ansible/roles/mail-client/tasks/main.yml 
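Review bot: The `@cert-authority *` line trusts this CA for every hostname, so a compromise of the CA key lets an attacker impersonate any server liw connects to, including hosts outside liw.fi; scoping it to the domains the CA actually certifies, e.g. `@cert-authority *.liw.fi,*.vm.liw.fi ssh-ed25519 AAAA…`, limits the blast radius at no cost. The preceding `shell` task creates `known_hosts` with `touch` as root (owner root until the `lineinfile` below corrects it) and reports changed on every run; `file: state: directory path: /home/liw/.ssh owner: liw group: liw mode: 0700` followed by `file: state: touch` would be idempotent. `0755` on `~/.ssh` is wider than OpenSSH's conventional `0700`.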
@@ -1,9 +1,45 @@ -- name: "install email stuff" +- name: "install mail client packages" apt: name: - - mutt - - notmuch - - notmuch-mutt - - offlineimap - - procmail - - clab + - isync + - libsasl2-modules + - mailutils + - mutt + - notmuch + - notmuch-mutt + - postfix + +- name: "configure postfix" + template: + src: main.cf + dest: /etc/postfix/main.cf + notify: restart postfix + +- name: "set mailname" + copy: + content: "{{ mailname }}\n" + dest: /etc/mailname + owner: root + group: root + mode: 0644 + +- name: "set smarthost relay credentials" + template: + src: sasl_passwd + dest: /etc/postfix/sasl_passwd + mode: 0600 + +- name: "postmap relay credentials" + shell: | + postmap /etc/postfix/sasl_passwd + +- name: "install aliases" + copy: + src: aliases + dest: /etc/aliases + owner: root + group: root + mode: 0644 + +- name: "run newaliases" + shell: newaliases diff --git a/ansible/roles/mail-client/templates/main.cf b/ansible/roles/mail-client/templates/main.cf index 2c026ad..af8e058 100644 --- a/ansible/roles/mail-client/templates/main.cf +++ b/ansible/roles/mail-client/templates/main.cf @@ -10,7 +10,7 @@ smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no # appending .domain is the MUA's job. -append_dot_mydomain = no +append_dot_mydomain = yes # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h @@ -32,7 +32,7 @@ myhostname = {{ mailname }} alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname -mydestination = {{ mailname }}, {{ hostname }}, localhost.localdomain, localhost +mydestination = {{ mailname }}, {{ sane_debian_system_hostname }}, localhost.localdomain, localhost relayhost = {{ relayhost }} mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mailbox_command = procmail -a "$EXTENSION" diff --git a/ansible/roles/mail-server/files/aliases b/ansible/roles/mail-server/files/aliases index 0aa8635..e5197fa 100644 --- a/ansible/roles/mail-server/files/aliases 
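Review bot: The `sasl_passwd` template is written `0600`, but `postmap` then runs unconditionally on every play and nothing sets the mode of the generated `/etc/postfix/sasl_passwd.db`; postmap is documented to copy the source file's permissions, but an explicit `file: path: /etc/postfix/sasl_passwd.db mode: 0600` task makes that guarantee visible, and the postmap should be driven by `notify` from the template (or carry `changed_when: false`) so a credential rotation is what triggers it. The template task should also carry `no_log: true`, since `smarthost_password` arrives via a `pass` lookup and would otherwise show in `--diff`/`-v` output. `notify: restart postfix` depends on a handler this role must define; the only `restart postfix` handler visible in this diff is the one deleted from `smarthost-client/handlers/main.yml`, so confirm `mail-client/handlers/main.yml` carries it.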
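Review bot: `append_dot_mydomain = yes` now contradicts the comment kept directly above it ("appending .domain is the MUA's job"); either update the comment to say why Postfix should complete unqualified addresses on these hosts or keep the value at `no`. In the `mydestination` hunk, switching `{{ hostname }}` to `{{ sane_debian_system_hostname }}` means every playbook using this role must define that variable; `solace.yml` in this commit drops its `hostname:` var accordingly, but any other mail-client host that still sets only `hostname` will now fail at template time.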
+++ b/ansible/roles/mail-server/files/aliases @@ -7,3 +7,5 @@ soilar: liw, soile hbo: liw, soile ick-conduct: liw atuin: liw, dkscully@geah.org, rjek@rjek.com, dsilvers@digital-scurf.org, greg@grossmeier.net +remy: liw +sateenvarjo: soilar diff --git a/ansible/roles/mail-server/files/virtual b/ansible/roles/mail-server/files/virtual index d822be3..67a2287 100644 --- a/ansible/roles/mail-server/files/virtual +++ b/ansible/roles/mail-server/files/virtual @@ -6,7 +6,9 @@ liw@liw.fi liw liw-passthrough@liw.fi liw ivana@liw.fi liw tele@liw.fi liw -rust.fossdev@liw.fi liw + +exolobe1.liw.fi - +@exolobe1.liw.fi liw docstory.fi - postmaster@docstory.fi soile diff --git a/ansible/roles/mail-server/tasks/main.yml b/ansible/roles/mail-server/tasks/main.yml index 9b38dc5..f0c1fd1 100644 --- a/ansible/roles/mail-server/tasks/main.yml +++ b/ansible/roles/mail-server/tasks/main.yml @@ -1,3 +1,8 @@ -- include: postfix.yml -- include: dovecot.yml -- include: usertools.yml +- ansible.builtin.import_tasks: + file: postfix.yml + +- ansible.builtin.import_tasks: + file: dovecot.yml + +- ansible.builtin.import_tasks: + file: usertools.yml diff --git a/ansible/roles/riot-host/files/element-io-archive-keyring.gpg b/ansible/roles/riot-host/files/element-io-archive-keyring.gpg Binary files differnew file mode 100644 index 0000000..6fbeecc --- /dev/null +++ b/ansible/roles/riot-host/files/element-io-archive-keyring.gpg diff --git a/ansible/roles/riot-host/tasks/main.yml b/ansible/roles/riot-host/tasks/main.yml index 402da88..84c8ad3 100644 --- a/ansible/roles/riot-host/tasks/main.yml +++ b/ansible/roles/riot-host/tasks/main.yml 
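Review bot: The new `@exolobe1.liw.fi liw` entry is a domain catch-all, so together with the `exolobe1.liw.fi -` domain line every local part at that host becomes deliverable mail for liw, and dictionary-attack or backscatter traffic aimed at that hostname is accepted instead of rejected at RCPT time. If the goal is only to receive system mail from exolobe1, explicit entries such as `root@exolobe1.liw.fi liw` and `liw@exolobe1.liw.fi liw` keep the rejection behaviour for everything else. If the catch-all is deliberate, a comment saying so would stop a later reviewer from removing it.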
@@ -1,10 +1,10 @@ - name: "install riot.im keyring" copy: - src: riot-im-archive-keyring.gpg + src: element-io-archive-keyring.gpg dest: /etc/apt/trusted.gpg.d/ - apt_repository: - repo: "deb [signed-by=/etc/apt/trusted.gpg.d/riot-im-archive-keyring.gpg] https://packages.riot.im/debian/ {{ sane_debian_system_codename }} main" + repo: "deb [signed-by=/etc/apt/trusted.gpg.d/element-io-archive-keyring.gpg] https://packages.element.io/debian/ default main" update_cache: no # Use shell to run apt-get, rather than the Ansible apt module, so @@ -12,8 +12,6 @@ - name: update package lists shell: | apt-get update --allow-releaseinfo-change - args: - warn: false - apt: name: element-desktop diff --git a/ansible/roles/rust-rustup/defaults/main.yml b/ansible/roles/rust-rustup/defaults/main.yml new file mode 100644 index 0000000..e1c0df8 --- /dev/null +++ b/ansible/roles/rust-rustup/defaults/main.yml @@ -0,0 +1 @@ +rust_rustup_user: liw diff --git a/ansible/roles/rust-rustup/tasks/main.yml b/ansible/roles/rust-rustup/tasks/main.yml index 2ebd6f6..ceb4a69 100644 --- a/ansible/roles/rust-rustup/tasks/main.yml +++ b/ansible/roles/rust-rustup/tasks/main.yml 
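Review bot: The Element keyring is copied into `/etc/apt/trusted.gpg.d/`, where apt trusts it for every configured source, so the `signed-by=` restriction on the repo line provides no isolation: a compromise of the Element signing key could sign packages for any other repository on the host. Put the file under `/etc/apt/keyrings/element-io-archive-keyring.gpg` and point `signed-by=` there. The new keyring is a binary blob with no fingerprint recorded anywhere in the commit; a comment with the expected fingerprint, or a check of `gpg --show-keys` output, would let a reviewer verify it against packages.element.io. Dropping `args: warn: false` is needed on recent ansible-core, where the option no longer exists.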
@@ -9,15 +9,16 @@ set -eu if command -v rustup > /dev/null then - sudo -u liw rustup update + sudo -u {{ rust_rustup_user }} rustup update else curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /tmp/rustup.sh - sudo -u liw -i sh /tmp/rustup.sh -y + sudo -u {{ rust_rustup_user }} -i sh /tmp/rustup.sh -y --no-modify-path fi - sudo -u liw -i rustup component add clippy rust-src + sudo -u {{ rust_rustup_user }} -i /home/{{ rust_rustup_user }}/.cargo/bin/rustup self update + sudo -u {{ rust_rustup_user }} -i /home/{{ rust_rustup_user }}/.cargo/bin/rustup component add clippy \ + rust-src rust-analyzer + - name: "cargo install applications" when: rustup_cargo_install is defined - args: - warn: no shell: | - sudo -i -u liw cargo install {{ rustup_cargo_install }} + sudo -i -u {{ rust_rustup_user }} sh -c '. $HOME/.cargo/env && cargo install {{ rustup_cargo_install }}' diff --git a/ansible/roles/smarthost-client/handlers/main.yml b/ansible/roles/smarthost-client/handlers/main.yml deleted file mode 100644 index 6cdc4d4..0000000 --- a/ansible/roles/smarthost-client/handlers/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -- name: restart postfix - service: name=postfix state=restarted diff --git a/ansible/roles/smarthost-client/tasks/main.yml b/ansible/roles/smarthost-client/tasks/main.yml deleted file mode 100644 index 61830c9..0000000 --- a/ansible/roles/smarthost-client/tasks/main.yml +++ /dev/null 
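Review bot: The installer is still downloaded by root to the predictable path `/tmp/rustup.sh` and then executed by `{{ rust_rustup_user }}`, so a local user who pre-creates or swaps that file between the `curl` and the `sudo` line can run code as the target user (kernel `protected_regular`/`protected_symlinks` narrows this but does not close it); `curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sudo -u {{ rust_rustup_user }} -i sh -s -- -y --no-modify-path` avoids the shared file entirely. It remains an unpinned curl-to-shell install with no checksum, and the `--proto`/`--tlsv1.2` flags are the only integrity control; that may be acceptable for a dev VM but should be stated in a comment, especially now that `seed.liw.fi.yml` runs this as the `_rad` service user. `{{ rustup_cargo_install }}` is interpolated unquoted inside the `sh -c '...'` string, so a value containing a single quote breaks out of it; wrapping the expansion with `| quote` is the usual fix.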
@@ -1,46 +0,0 @@ -# A mail client needs to send mail. I prefer to send via a local MTA, -# which routes things out via a smarthost. - -- name: install postfix and related packages - apt: - name: - - postfix - - libsasl2-modules - - mailutils - -- name: configure postfix - template: - src: main.cf - dest: /etc/postfix/main.cf - notify: restart postfix - -- name: set mailname - copy: - content: "{{ mailname }}\n" - dest: /etc/mailname - owner: root - group: root - mode: 0644 - -# Set up the smarthost relay credentials. - -- name: set smarthost relay credentials - template: - src: sasl_passwd - dest: /etc/postfix/sasl_passwd - mode: 0600 - -- name: postmap relay credentials - shell: | - postmap /etc/postfix/sasl_passwd - -- name: install aliases - copy: - src: aliases - dest: /etc/aliases - owner: root - group: root - mode: 0644 - -- name: run newaliases - shell: newaliases diff --git a/ansible/roles/smarthost-client/templates/main.cf b/ansible/roles/smarthost-client/templates/main.cf deleted file mode 100644 index d9deaaf..0000000 --- a/ansible/roles/smarthost-client/templates/main.cf +++ /dev/null 
@@ -1,46 +0,0 @@ -# See /usr/share/postfix/main.cf.dist for a commented, more complete version - - -# Debian specific: Specifying a file name will cause the first -# line of that file to be used as the name. The Debian default -# is /etc/mailname. -#myorigin = /etc/mailname - -smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) -biff = no - -# appending .domain is the MUA's job. -append_dot_mydomain = no - -# Uncomment the next line to generate "delayed mail" warnings -#delay_warning_time = 4h - -readme_directory = no - -# TLS parameters -smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem -smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key -smtpd_use_tls=yes -smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache -smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache - -# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for -# information on enabling SSL in the smtp client. - -smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination -myhostname = {{ mailname }} -alias_maps = hash:/etc/aliases -alias_database = hash:/etc/aliases -myorigin = /etc/mailname -mydestination = {{ mailname }}, {{ sane_debian_system_hostname }}, localhost.localdomain, localhost -relayhost = {{ relayhost }} -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 -mailbox_command = procmail -a "$EXTENSION" -mailbox_size_limit = 0 -recipient_delimiter = + -inet_interfaces = 127.0.0.1 -smtp_sasl_auth_enable = yes -smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd -smtp_sasl_security_options = noanonymous -smtp_use_tls = yes -smtp_tls_note_starttls_offer = yes diff --git a/ansible/roles/smarthost-client/templates/sasl_passwd b/ansible/roles/smarthost-client/templates/sasl_passwd deleted file mode 100644 index da722f6..0000000 --- a/ansible/roles/smarthost-client/templates/sasl_passwd +++ /dev/null @@ -1 +0,0 @@ -{{ smarthost }} {{ smarthost_user }}:{{ smarthost_password }} 
diff --git a/ansible/roles/subplot-dev-env/tasks/main.yml b/ansible/roles/subplot-dev-env/tasks/main.yml index 5c99cfa..22fddb9 100644 --- a/ansible/roles/subplot-dev-env/tasks/main.yml +++ b/ansible/roles/subplot-dev-env/tasks/main.yml @@ -2,7 +2,6 @@ apt: name: - debhelper - - dh-cargo - python3 - pandoc - pandoc-citeproc diff --git a/ansible/rust-dev.yml b/ansible/rust-dev.yml index 23d9ba5..73ce706 100644 --- a/ansible/rust-dev.yml +++ b/ansible/rust-dev.yml @@ -3,29 +3,23 @@ become: yes roles: - role: sane_debian_system - tags: [sane] - role: sshd - tags: [sshd] - - role: comfortable-debian-system - tags: [comfy] - role: unix_users - tags: [users] - role: version-controller - tags: [vacs] - - role: liw - tags: [liw] - - role: rust-rustup - tags: [rustup] tasks: - apt: name: - build-essential + - curl + - musl + - musl-dev + - musl-tools vars: ansible_python_interpreter: python3 sane_debian_system_version: 2 sane_debian_system_hostname: rust-dev - sane_debian_system_codename: bullseye + sane_debian_system_codename: bookworm timezone: Europe/Helsinki @@ -35,8 +29,7 @@ comment: Lars Wirzenius sane_debian_system_sources_lists: - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" + - repo: deb http://apt.liw.fi/debian unstable main + signing_key: "{{ apt_liw_fi_signing_key }}" sshd_version: 1 - sshd_allow_authorized_keys: yes diff --git a/ansible/seed.liw.fi.yml b/ansible/seed.liw.fi.yml new file mode 100644 index 0000000..fb5a00f --- /dev/null +++ b/ansible/seed.liw.fi.yml 
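Review bot: `sshd_allow_authorized_keys: yes` is dropped from rust-dev while `sshca-dev.yml` in this same commit keeps it, so unless the `sshd` role defaults to allowing it, liw on rust-dev can only log in with a CA-signed certificate; that may be intended, but a one-line comment (as `shell-shell.vm.liw.fi.yml` does for its sshd vars) would make it clear. The `comfortable-debian-system`, `liw` and `rust-rustup` roles are removed from this host without explanation, and the remaining `- curl` package suggests rustup is now installed by hand. The new `deb http://apt.liw.fi/debian unstable main` source is plain HTTP; apt verifies the `signing_key` signature so integrity holds, but `https://` would be a cheap upgrade if apt.liw.fi serves it.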
@@ -0,0 +1,62 @@ +- hosts: seed.liw.fi + remote_user: root + become: yes + roles: + - role: sane_debian_system + - role: sshd + - role: unix_users + - role: rust-rustup + - role: radicle_node + tasks: + - name: "install convenience packages" + apt: + name: + - jq + - moreutils + - psmisc + vars: + ansible_python_interpreter: /usr/bin/python3 + + sane_debian_system_version: 2 + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm + sane_debian_system_timezone: Europe/Helsinki + sane_debian_system_sources_lists: + - repo: | + deb http://security.debian.org/debian-security bookworm-security main contrib non-free + - repo: deb http://apt.liw.fi/debian unstable main + signing_key: "{{ apt_liw_fi_signing_key }}" + + unix_users_version: 2 + unix_users: + - username: _rad + comment: Radicle node + + sshd_version: 1 + + radicle_node_version: 1 + radicle_node_key: "{{ lookup('pipe', 'pass radicle/seed.liw.fi/key') }}" + radicle_node_key_pub: "{{ lookup('pipe', 'pass radicle/seed.liw.fi/key.pub') }}" + radicle_node_connections: + - nid: z6MkfXa53s1ZSFy8rktvyXt5ADCojnxvjAoQpzajaXyLqG5n + host: radicle.liw.fi + port: 8776 + radicle_node_repositories: [] + radicle_node_domain_name: seed.liw.fi + radicle_node_ci_domain_name: ci.seed.liw.fi + radicle_node_ci_broker_config: | + status_page: /srv/http/status.json + default_adapter: native + adapters: + native: + command: /bin/radicle-native-ci + env: + RADICLE_NATIVE_CI: /home/_rad/native-ci.yaml + filters: + - !And + - !Repository "rad:zZnk3hS8C3WAhnv7mWcCUToCqpBs" + - !AnyPatch + radicle_node_policy: allow + radicle_node_scope: all + + rust_rustup_user: _rad diff --git a/ansible/shell-shell.vm.liw.fi.hz b/ansible/shell-shell.vm.liw.fi.hz deleted file mode 100644 index d2abde0..0000000 --- a/ansible/shell-shell.vm.liw.fi.hz +++ /dev/null @@ -1,5 +0,0 @@ -defaults: - type: cx11 - image: debian-10 -hosts: - - name: shell 
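Review bot: `radicle_node_key` pulls the node's private key out of `pass` at play time into an Ansible variable, where it shows up in `-v` output and in any task that templates it, so the role task that writes it must carry `no_log: true` and this playbook should never be run with `--diff` on that task. If `radicle_node_policy: allow` and `radicle_node_scope: all` have their usual Radicle meaning (seed every repository, fetch from any peer), the node will replicate anything announced to it, not only the repository named in the CI filter, which exposes the host to storage exhaustion; if that is deliberate for a public seed, say so in a comment and consider a quota on the storage volume. The `_rad` service user is also `rust_rustup_user`, so the curl-to-shell rustup installer runs as the account that holds the node key; a separate build user would keep a tampered installer away from it.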
diff --git a/ansible/shell-shell.vm.liw.fi.yml b/ansible/shell-shell.vm.liw.fi.yml index 9cd9738..ca1e32c 100644 --- a/ansible/shell-shell.vm.liw.fi.yml +++ b/ansible/shell-shell.vm.liw.fi.yml @@ -1,4 +1,4 @@ -- hosts: shell +- hosts: shell-shell.vm.liw.fi remote_user: root roles: - role: sane_debian_system @@ -32,14 +32,18 @@ comment: Soile Mottisenkangas mailname: pieni.net - smarthost: mail.pepperfish.net + smarthost: mail.infrafish.uk smarthost_port: 587 - smarthost_user: pieni-fwd@ppfm.net - smarthost_pass_name: pieni.net/smarthost_pass + smarthost_user: liw@login.liw.fi + smarthost_pass_name: pieni.net/smarthost_pass_intrafish mail_hostname: pieni.net + # We must define the sshd variables here. The defaults from the + # "all" group assume sshca knows the host by the + # sane_debian_system_hostname name, which isn't true for this + # host. sshd_version: 1 sshd_host_key: "{{ lookup('pipe', 'sshca host private-key shell-shell.vm.liw.fi') }}" - sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v5 shell-shell.vm.liw.fi') }}" + sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 shell-shell.vm.liw.fi') }}" sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}" diff --git a/ansible/solace.yml b/ansible/solace.yml index f978757..635505f 100644 --- a/ansible/solace.yml +++ b/ansible/solace.yml 
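Review bot: `smarthost_user` moves from a dedicated forwarding account to `liw@login.liw.fi`, a personal login, so every message relayed from pieni.net — a host with at least two Unix users configured in this playbook — is authenticated to mail.infrafish.uk as liw, and an abused local account there sends with liw's relay identity. A per-host relay credential, as `smarthost_user: pienirelay` is for solace, keeps the blast radius to one host. The `--ca` fix to the `sshca host certify` call and the `hosts:` rename to match the filename look correct.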
@@ -6,331 +6,78 @@ - role: sshd - role: ssd - role: comfortable-debian-system - - role: chaoskey-host - role: version-controller - - role: emacs - - role: gnupg-workstation - - role: gnome-system - - role: ansible - role: vmhost - - role: smarthost-client - role: mail-client - - role: annexed - - role: riot-host -# # - role: writing-dev-env -# # - role: journal-workstation -# # - role: debian-dev-env -# # - role: subplot-dev-env -# # - role: obnam-dev-env -# # - role: tex-dev-env -# # - role: python-dev-env - role: unix_users - role: rust-rustup - tags: [rustup] + - role: liw + - role: self-updating-system tasks: - # - shell: | - # sed -i 's/NOPASSWD://' /etc/sudoers.d/liw - # args: - # warn: false - # Remove ping to force it be reinstalled so that the right # capabilities are set. - apt: name: iputils-ping state: absent - - apt: - name: - - bash-completion - - black - - build-essential - - cachedir - - capnproto - - clang - - daemonize - - debhelper - - dh-cargo - - expect - - extrautils - - fio - - firmware-misc-nonfree - - fling - - gimp - - graphviz - - inkscape - - iputils-ping - - isync - - jq - - jt - - libclang-dev - - librsvg2-bin - - libsqlite3-dev - - libssl-dev - - libvirt-dev - - linux-perf - - liw-automation - - llvm - - lmodern - - nettle-dev - - nfs-common - - obnam - - obnam-benchmark - - openpgp-ca - - pandoc - - pandoc-citeproc - - pandoc-filter-diagram - - pavucontrol - - pkg-config - - plantuml - - printer-driver-ptouch - - python3 - - python3-requests - - qemu-user-static - - sequoia-chameleon-gnupg - - shellcheck - - sq-liw - - sqlite3 - - sshca - - subplot - - summain - - texlive-fonts-recommended - - texlive-latex-base - - texlive-latex-extra - - texlive-latex-recommended - - texlive-plain-generic - - usbutils - - uuid - - validns - - vlc - - vobcopy - - vmdb2 - - xpdf - - zerofree - - name: install command line utilities apt: name: + - build-essential + - firmware-misc-nonfree + - firmware-realtek + - iputils-ping - locales-all - - psmisc 
- - mosh + - memtest86+ + - python3 - rsync - vim - - screen - - tmux - - strace - - gddrescue - - pv - - moreutils - - bind9-host - - dnsutils - - lshw - - curl - # - extrautils - # - liw-automation - # - copyright-statement-lint - - bc - - yaml-mode - - ikiwiki - - taskwarrior - - zip - # - cachedir - - debmirror - - git-annex - - iftop - - info - # - jt - - kpartx - - lftp - - mediainfo - - mmv - - mtr - - num-utils - - parted-doc - - trickle - - units - - w3m - - youtube-dl - - signing-party - - sshfs - - dict - - dictd - - dict-foldoc - - dict-gcide - - dict-jargon - - dict-vera - - dict-wn - - gnuplot - - acpi - - nmap - - nethogs - - time - - restic - - apt-file - - whois - - oathtool - - htop - - smartmontools - - bonnie++ - - mdadm - - hddtemp - - parted - - lvm2 - - cryptsetup - - - name: configure dict - copy: - content: | - server localhost - dest: /etc/dictd/dict.conf - - - lineinfile: - path: /etc/gdm3/daemon.conf - regexp: WaylandEnable= - line: WaylandEnable=false - - # - lineinfile: - # path: /etc/xdg/autostart/gnome-keyring-ssh.desktop - # line: Hidden=true - - # - lineinfile: - # path: /etc/X11/Xsession.options - # line: use-ssh-agent - # state: absent - - # - file: - # state: directory - # path: /home/liw/.config/autostart - # owner: liw - # group: liw - - # - copy: - # content: | - # [Desktop Entry] - # Type=Application - # Name=gpg-agent - # Comment=gpg-agent - # Exec=/usr/bin/gpg-agent --daemon - # OnlyShowIn=GNOME;Unity;MATE; - # X-GNOME-Autostart-Phase=PreDisplayServer - # X-GNOME-AutoRestart=false - # X-GNOME-Autostart-Notify=true - # X-GNOME-Bugzilla-Bugzilla=GNOME - # X-GNOME-Bugzilla-Product=gnome-keyring - # X-GNOME-Bugzilla-Component=general - # X-GNOME-Bugzilla-Version=3.20.0 - # dest: /home/liw/.config/autostart/gpg-agent.desktop - # owner: liw - # group: liw - - - name: "install necessary packages to use a Yubikey with LUKS" - apt: - name: - - yubikey-luks - - usbutils + - wireless-regdb - - name: "configure crypttab to use 
yubikey-luks key script" - crypttab: - name: pv0 - opts: keyscript=/usr/share/yubikey-luks/ykluks-keyscript - state: opts_present + - name: "configure GRUB to wait a little before booting" + lineinfile: + path: /etc/default/grub + regexp: GRUB_TIMEOUT + line: "GRUB_TIMEOUT=5" - - name: "update initramfs" + - name: "update grub" shell: | - update-initramfs -u - - - apt: - name: - - libpam-yubico - # disabled until I don't need Y4 anymore. - # - lineinfile: - # path: /etc/pam.d/common-auth - # regex: pam_yubico.so - # line: "auth required pam_yubico.so mode=challenge-response chalresp_path=/etc/yubikey_chalresp" - - file: - state: directory - path: /etc/yubikey_chalresp - mode: 0700 - - copy: - content: | - {{ lookup('pipe', 'pass libpam-yubico/liw/y6.chalresp') }} - dest: "/etc/yubikey_chalresp/liw-{{ lookup('pipe', 'pass libpam-yubico/liw/y6.serial') }}" - mode: 0600 - + update-grub vars: ansible_python_interpreter: /usr/bin/python3 sane_debian_system_version: 2 - sane_debian_system_hostname: solace - sane_debian_system_codename: bullseye + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm sane_debian_system_timezone: Europe/Helsinki sane_debian_system_sources_lists: - repo: | - deb http://deb.debian.org/debian bullseye contrib non-free + deb http://deb.debian.org/debian bookworm contrib non-free non-free-firmware - repo: | - deb-src http://deb.debian.org/debian bullseye main contrib non-free - - - repo: | - deb http://security.debian.org/debian-security bullseye-security main contrib non-free - - - repo: | - deb http://code.liw.fi/debian unstable main - signing_key: "{{ code_liw_fi_signing_key }}" - - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" + deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable main - signing_key: "{{ 
ci_prod_signing_key }}" + - repo: deb http://apt.liw.fi/debian unstable main + signing_key: "{{ apt_liw_fi_signing_key }}" unix_users_version: 2 unix_users: - username: liw comment: Lars Wirzenius - sudo: yes groups: - - audio - - bluetooth - - cdrom - - dialout - - dip - - floppy - libvirt - - netdev - - plugdev - - scanner - - video - authorized_keys: | - {{ liw_personal_ssh_pub }} mailname: "{{ sane_debian_system_hostname }}.liw.fi" - hostname: "{{ sane_debian_system_hostname }}" relayhost: pieni.net:587 smarthost: pieni.net smarthost_user: pienirelay smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}" rustup_cargo_install: | - cargo-audit \ - cargo-deny \ - cargo-deps \ - bandwhich \ - bat \ - cargo-edit \ - cargo-geiger \ - cargo-outdated \ - flamegraph \ - hyperfine \ - ripgrep \ starship \ - tokei \ - zoxide \ - ytop + bottom sshd_version: 1 - sshd_host_key: "{{ lookup('pipe', 'sshca host private-key solace') }}" - sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v5 solace') }}" - sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}" diff --git a/ansible/sq-test.yml b/ansible/sq-test.yml deleted file mode 100644 index 5879ef1..0000000 --- a/ansible/sq-test.yml +++ /dev/null 
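Review bot: The `GRUB_TIMEOUT` lineinfile uses the bare regexp `GRUB_TIMEOUT`, which also matches a `GRUB_TIMEOUT_STYLE=` line if one is present in `/etc/default/grub`; lineinfile rewrites the last match, so the task can clobber the style line and leave the real timeout untouched — anchor it with `regexp: '^GRUB_TIMEOUT='`. Removing the yubikey-luks crypttab task, the `/etc/yubikey_chalresp` secret, and liw's `sudo: yes`/`authorized_keys` does not undo them on an already provisioned solace: the keyscript in `/etc/crypttab`, the `0600` challenge-response file and whatever `unix_users` wrote for `sudo: yes` stay in place unmanaged, so either this host is being rebuilt (say so) or a one-off `state: absent` cleanup is needed. The relay password still arrives through `lookup('pipe', 'pass show …')`, so the task that templates `sasl_passwd` should carry `no_log: true`.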
@@ -1,160 +0,0 @@ -- hosts: sq-test - remote_user: root - roles: - - role: sane_debian_system - - role: comfortable-debian-system - - role: unix_users - - role: self-updating-system - tasks: - - apt: - name: - - bash-completion - - sq - state: present - - file: - path: /tmp/shared - state: directory - mode: 01777 - - copy: - content: | - -----BEGIN PGP PUBLIC KEY BLOCK----- - Comment: 010A B1FA 8E24 283F B898 3F52 9036 838A 283E 1AA9 - Comment: Lars Wirzenius - - xjMEYuzSFBYJKwYBBAHaRw8BAQdAkOVflgRACWQrysidOFgXUa5AmknlCt0Sb5U/ - kFHOHmzCwBEEHxYKAIMFgmLs0hQFiQWkj70DCwkHCRCQNoOKKD4aqUcUAAAAAAAe - ACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmc0zoAeYXkSCb7SOLblaokA - uMiuMLNocIM4XSeEEVVdogMVCggCmwECHgEWIQQBCrH6jiQoP7iYP1KQNoOKKD4a - qQAAJvkBAPOvcIFKjV+RDssTF+M8ANsVPN8e9MCaHhF65o6dHtv2AQCyJVPftDH2 - ub9mr6bIPEUYJi6+imZX2Xa3C7SGNEe0Bc0OTGFycyBXaXJ6ZW5pdXPCwBQEExYK - AIYFgmLs0hQFiQWkj70DCwkHCRCQNoOKKD4aqUcUAAAAAAAeACBzYWx0QG5vdGF0 - aW9ucy5zZXF1b2lhLXBncC5vcmdy+aoELSz02TDwDO0w+j6N/Yg4vQ8Ws6cZeFQU - u0lkMAMVCggCmQECmwECHgEWIQQBCrH6jiQoP7iYP1KQNoOKKD4aqQAApqwBANTK - v3NN6xI8eH/TSbR+5VgrSiZj4mZoNCBQALpEQzT9AQCvrZmKNfeq77Q4SsEWUmD8 - dHb0eMsppyi0oW8itAuaC84zBGLs0hQWCSsGAQQB2kcPAQEHQGpPf6RSeuBlzhTS - 5J+yAYQNSKUC+RPYBiq3u1jkydJ9wsDFBBgWCgE3BYJi7NIUBYkFpI+9CRCQNoOK - KD4aqUcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcg7Rr7 - iOeL3SCZ2ecGO0/g/5CorBrxP8AlfuyWAJroeAKbAr6gBBkWCgBvBYJi7NIUCRCM - lfahnAL5XUcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmd1 - Jf5951yGEOtGCSw0BpWa4pPp6mR9hGGhMqpyA5sXkhYhBHTyxaykxgutnvUZlIyV - 9qGcAvldAAA+iAD/VOod7dIUrxPL23iUKYCe1OjQ+rOWrjzWr4lXh8MbYD8A/ium - ns8bmARpt2+VPqfbTQiESK5i+k3HFw2O2R3MP1EFFiEEAQqx+o4kKD+4mD9SkDaD - iig+GqkAAJo0AP9TWhlep2UnuQb1eqpyK7bxrpaPV/cR2v98DtxUcDZJPAEAyjcD - +AR1KC2VHF32JYHddbvEBG4YkRuslXpX8t46SQ3OMwRi7NIUFgkrBgEEAdpHDwEB - B0Dlc6Sa0OENRkXRlGSJx+TW6+QEK7WB8eIHikyxfK4hdcLABgQYFgoAeAWCYuzS - FAWJBaSPvQkQkDaDiig+GqlHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9p - 
YS1wZ3Aub3JnadCLyuCKpqa7utZ+81jTDOpCgF1yoR/grzfb3h3H+0YCmyAWIQQB - CrH6jiQoP7iYP1KQNoOKKD4aqQAAY/gA/35WSxWkNURZdGOwKgBJtw5nc5K9s6nt - LefNkI/OB7O/AP98xXylCuzQNw7jbmkuwIyb3t1iyBUmBBkAkVHUVkEmCs44BGLs - 0hQSCisGAQQBl1UBBQEBB0B73lJoeEfLvaYgpYJiJcTnDPXon0TI3Kd37xa+8ieM - eAMBCAfCwAYEGBYKAHgFgmLs0hQFiQWkj70JEJA2g4ooPhqpRxQAAAAAAB4AIHNh - bHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZyeEI8W6tcOpWsDOVz9SqpQlgAlN - IzNCdED0mddImb5RApsMFiEEAQqx+o4kKD+4mD9SkDaDiig+GqkAAFxjAP40OKNA - IEx5tGJneoTLFFDYQUpstG6h7AZ36ooEaRIk5AEA6mUCs9JdJMElHa34g+txs7Pk - 3gygQYQtpkkeCXZ2tgc= - =YmSW - -----END PGP PUBLIC KEY BLOCK----- - dest: /home/liw/liw-pub.pgp - owner: liw - group: liw - - copy: - content: | - -----BEGIN PGP PRIVATE KEY BLOCK----- - Comment: 010A B1FA 8E24 283F B898 3F52 9036 838A 283E 1AA9 - Comment: Lars Wirzenius - - xVgEYuzSFBYJKwYBBAHaRw8BAQdAkOVflgRACWQrysidOFgXUa5AmknlCt0Sb5U/ - kFHOHmwAAP90GKYJ/CEDoZtNhVMCsXveNAmriM18VhfjQmoJVY9F8g6gwsARBB8W - CgCDBYJi7NIUBYkFpI+9AwsJBwkQkDaDiig+GqlHFAAAAAAAHgAgc2FsdEBub3Rh - dGlvbnMuc2VxdW9pYS1wZ3Aub3JnNM6AHmF5Egm+0ji25WqJALjIrjCzaHCDOF0n - hBFVXaIDFQoIApsBAh4BFiEEAQqx+o4kKD+4mD9SkDaDiig+GqkAACb5AQDzr3CB - So1fkQ7LExfjPADbFTzfHvTAmh4ReuaOnR7b9gEAsiVT37Qx9rm/Zq+myDxFGCYu - vopmV9l2twu0hjRHtAXNDkxhcnMgV2lyemVuaXVzwsAUBBMWCgCGBYJi7NIUBYkF - pI+9AwsJBwkQkDaDiig+GqlHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9p - YS1wZ3Aub3JncvmqBC0s9Nkw8AztMPo+jf2IOL0PFrOnGXhUFLtJZDADFQoIApkB - ApsBAh4BFiEEAQqx+o4kKD+4mD9SkDaDiig+GqkAAKasAQDUyr9zTesSPHh/00m0 - fuVYK0omY+JmaDQgUAC6REM0/QEAr62ZijX3qu+0OErBFlJg/HR29HjLKacotKFv - IrQLmgvHWARi7NIUFgkrBgEEAdpHDwEBB0BqT3+kUnrgZc4U0uSfsgGEDUilAvkT - 2AYqt7tY5MnSfQABAIPRid4IAhZwCvDmr27PF78T/0VSA2gtlwouA8yvb7HsDojC - wMUEGBYKATcFgmLs0hQFiQWkj70JEJA2g4ooPhqpRxQAAAAAAB4AIHNhbHRAbm90 - YXRpb25zLnNlcXVvaWEtcGdwLm9yZyDtGvuI54vdIJnZ5wY7T+D/kKisGvE/wCV+ - 7JYAmuh4ApsCvqAEGRYKAG8FgmLs0hQJEIyV9qGcAvldRxQAAAAAAB4AIHNhbHRA - bm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ3Ul/n3nXIYQ60YJLDQGlZrik+nqZH2E - 
YaEyqnIDmxeSFiEEdPLFrKTGC62e9RmUjJX2oZwC+V0AAD6IAP9U6h3t0hSvE8vb - eJQpgJ7U6ND6s5auPNaviVeHwxtgPwD+K6aezxuYBGm3b5U+p9tNCIRIrmL6TccX - DY7ZHcw/UQUWIQQBCrH6jiQoP7iYP1KQNoOKKD4aqQAAmjQA/1NaGV6nZSe5BvV6 - qnIrtvGulo9X9xHa/3wO3FRwNkk8AQDKNwP4BHUoLZUcXfYlgd11u8QEbhiRG6yV - elfy3jpJDcdYBGLs0hQWCSsGAQQB2kcPAQEHQOVzpJrQ4Q1GRdGUZInH5Nbr5AQr - tYHx4geKTLF8riF1AAEAx8kFIwgl9lPJI91ZUXBK9nj8BAChRHHiq1YJI+heIUoN - 4MLABgQYFgoAeAWCYuzSFAWJBaSPvQkQkDaDiig+GqlHFAAAAAAAHgAgc2FsdEBu - b3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnadCLyuCKpqa7utZ+81jTDOpCgF1yoR/g - rzfb3h3H+0YCmyAWIQQBCrH6jiQoP7iYP1KQNoOKKD4aqQAAY/gA/35WSxWkNURZ - dGOwKgBJtw5nc5K9s6ntLefNkI/OB7O/AP98xXylCuzQNw7jbmkuwIyb3t1iyBUm - BBkAkVHUVkEmCsddBGLs0hQSCisGAQQBl1UBBQEBB0B73lJoeEfLvaYgpYJiJcTn - DPXon0TI3Kd37xa+8ieMeAMBCAcAAP9ou8Z/+/40YzSNg9fTYC33bJCA/IFb7V+N - XGhehUoNcBIEwsAGBBgWCgB4BYJi7NIUBYkFpI+9CRCQNoOKKD4aqUcUAAAAAAAe - ACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcnhCPFurXDqVrAzlc/UqqU - JYAJTSMzQnRA9JnXSJm+UQKbDBYhBAEKsfqOJCg/uJg/UpA2g4ooPhqpAABcYwD+ - NDijQCBMebRiZ3qEyxRQ2EFKbLRuoewGd+qKBGkSJOQBAOplArPSXSTBJR2t+IPr - cbOz5N4MoEGELaZJHgl2drYH - =DO2c - -----END PGP PRIVATE KEY BLOCK----- - dest: /home/liw/liw.pgp - owner: liw - group: liw - vars: - ansible_python_interpreter: /usr/bin/python3 - - sane_debian_system_version: 2 - sane_debian_system_hostname: shell - sane_debian_system_codename: bullseye - sane_debian_system_mirror: deb.debian.org - sane_debian_system_sources_lists: - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" - - unix_users_version: 2 - unix_users: - - username: root - authorized_keys: | - {{ liw_hetzner_ssh_pub }} - - username: liw - comment: Lars Wirzenius - authorized_keys: | - {{ liw_hetzner_ssh_pub }} - - username: volunteer1 - comment: sq volunteer - authorized_keys: | - {{ liw_hetzner_ssh_pub }} -# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGZdyfLIkIPT49xv3wHurk97Q4Iv2+E8vzBdLl9FEt/m - - username: volunteer2 - comment: sq volunteer - 
authorized_keys: | - {{ liw_hetzner_ssh_pub }} -# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMnYWSq0gnmLnshJdikKT65NJcuKRXa7RAsyUraqha0V - - username: volunteer3 - comment: sq volunteer - authorized_keys: | - {{ liw_hetzner_ssh_pub }} -# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOY4VaVEXyQpV7knCanFU4oNb8+Tuz2ef8HvMD8fYPhA - - username: volunteer4 - comment: sq volunteer - authorized_keys: | - {{ liw_hetzner_ssh_pub }} -# ssh-rsa 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 - - username: volunteer5 - comment: sq volunteer - authorized_keys: | - {{ liw_hetzner_ssh_pub }} - ssh-rsa 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 - - username: volunteer6 - comment: sq volunteer - authorized_keys: | - {{ liw_hetzner_ssh_pub }} - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqhNi9rrxfK6Rn2rsoJZbBmxWmPoqftMOTf7LD+1K99sOUmwCM+bqoPt7pHl/JsxOpAilfD5lVQ9m+4Xutjtaenf98jnO8Gi3h7xMsUZRaU0T3gCmKq/T1B9N3/YSWosPHAHvRfeu9zr6rJj7gxMAJ7Ab+Ix7t60j6iAGkX+LuyC9VQ5GR1SGC76a3TMHYrgR0VBYohFTzFqhVquubTEtUZrvZy/kNkKb5XvgiCLCNyFfO1huq/c3hDFUnQvP6/0MSGJq/FRqwPdLLOcRDaBQpw942JC0Xh0+0qOJVIpdRfdM/83NBsBIJKNqR2eWYHoW2brTKjxHPsRNtKjn6AgKj - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYbT9Mw8v+C2SdqjFhWCmR2IrurUoZJBxTw1WsO1JkcXdcl7PX/jaQoVlAolI3P2iF9wHO9SwG8LLRObjtjOWzHOGtk+GGwRpxFYgu2a+y3mSu50UwOCJeROWerVfra0/E0JuWkAWAlVzrfcBApXx+g/IY/gH9jb4/ErEqysAE4BcsQSQ25FgtZVj97emSW1Ozzd68X7i6i6KX9W778Guq9XOxS7n+hX+0+yCibMBvW+hBK9HhJba5QvQtZ6msaw9wvWWbfr0T3IknrbRhZAGoNcQ0DW++vrv2+8pvOhcTdXIWsNF/WFIqBAcZmFHR6iKZAnx/pxW2ZM4N+IPT4zX12PsMWPZQqBQxMXy/MIEsAby/NlMK9XO3L1K8WqOqLwnjIJ0YUbsaTkaE1REHY17LuQgmu2UXm4cpTHyzEVBz48PeCh6jqoP4Wd/YQ+VtLZiSqjsP7leU9mvd06mFoBk/z4KeaM7dKqWTUxwwXRJ0HDTb3CaYgy3GF+FtZWAcsKv6X32GEV8lYsrOFSUPXUhPuoJZR12BLuJRCv2kk7rlIjVIAZjG0r84PRWKgNXNmFW9dtpnQmaZnOqeLwIBepQsdb2I5NWUItg4YUp3M8Ne/+KAywH5Zx9FHjCn4PNNKYoYKLYb1D/FW03UECa2Jv+ygi+1iYNgUA8uA4CX2vYXEw== - - username: volunteer7 - comment: sq volunteer - authorized_keys: | - {{ liw_hetzner_ssh_pub }} -# ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIOZAUtpJZ3I3alPpJuvAqsjixoO+WWRxFTKauJKe2Lup diff --git a/ansible/sshca-dev.yml b/ansible/sshca-dev.yml index dd5097a..9422d96 100644 --- a/ansible/sshca-dev.yml +++ b/ansible/sshca-dev.yml @@ -21,8 +21,8 @@ name: - debhelper - build-essential - - dh-cargo - git + - lintian - moreutils - python3 - python3-requests @@ -35,8 +35,8 @@ ansible_python_interpreter: python3 sane_debian_system_version: 2 - sane_debian_system_hostname: sshca-dev - sane_debian_system_codename: bullseye + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm timezone: Europe/Helsinki @@ -47,8 +47,8 @@ sudo: yes sane_debian_system_sources_lists: - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" + - repo: deb http://apt.liw.fi/debian unstable-ci main + signing_key: "{{ apt_liw_fi_signing_key }}" sshd_version: 1 sshd_allow_authorized_keys: yes diff --git a/ansible/stamina-recreate-and-provision-all.sh b/ansible/stamina-recreate-and-provision-all.sh new file mode 100755 index 0000000..99bde0e --- /dev/null +++ b/ansible/stamina-recreate-and-provision-all.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +set -euo pipefail + +echo "vmadm recreate all VMs" +chronic ssh stamina 'vmadm recreate ansibleness/vmadm/stamina/*.yaml' +echo "provision all VMs" +chronic ./stamina-vms.sh diff --git a/ansible/stamina-vm-check.sh b/ansible/stamina-vm-check.sh index ce84992..743b784 100755 --- a/ansible/stamina-vm-check.sh +++ b/ansible/stamina-vm-check.sh @@ -3,21 +3,13 @@ set -eu playbooks=" -clab-dev debian-ansible-dev -ewww-dev icktool -jt-dev obnam-bench obnam-dev openpgp-ca-dev openpgp-card-dev -python-mess -rikiwiki-dev -roadmap-dev -rust-dev -sequoia-dev -sequoia-web +riki-dev sshca-dev subplot-dev v-i-dev diff --git a/ansible/stamina-vms.sh b/ansible/stamina-vms.sh index ed494a4..9c44ced 100755 --- a/ansible/stamina-vms.sh +++ b/ansible/stamina-vms.sh 
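Review bot: Deleting `sq-test.yml` removes an OpenPGP private key block (fingerprint `010A B1FA … 283E 1AA9`) from the tree but not from git history, so anyone with a clone still holds the secret key; unless it was a throwaway key for the sq volunteer host, treat it as compromised, revoke it, and consider rewriting history. Going forward, keep key material out of playbooks via `lookup('pipe', 'pass …')`, as the other playbooks in this commit already do.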
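Review bot: `sshca-dev.yml` points at `deb http://apt.liw.fi/debian unstable-ci main` while every other playbook in this commit (rust-dev, seed.liw.fi, solace, ambient-dev) uses the `unstable` suite on the same host; if `unstable-ci` is a separate CI-built suite that is intended, but if it is a carry-over from the old `ci-prod-controller` line it will fail at `apt-get update`. A comment on the line would stop the next edit from "fixing" it either way. `sshd_allow_authorized_keys: yes` is a boolean-looking YAML scalar; `true` is the unambiguous spelling.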
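Review bot: `stamina-recreate-and-provision-all.sh` destroys and recreates every VM under `ansibleness/vmadm/stamina/*.yaml` with no confirmation or dry-run option, and `chronic` hides vmadm's output unless it fails, so an accidental run from shell history wipes all of them silently; a `read -r -p "Recreate ALL stamina VMs? [y/N] " a; [ "$a" = y ] || exit 1` guard, or a required `--yes` argument, is cheap insurance. The glob is expanded on the remote side because it sits inside single quotes, which looks intended but deserves a comment.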
@@ -3,31 +3,20 @@ set -eu playbooks=" -clab-dev.yml -debian-ansible-dev.yml -ewww-dev.yml -ewww-test.yml -icktool.yml -jt-dev.yml -obnam-bench.yml +web.yml +ambient-dev.yml obnam-dev.yml -openpgp-ca-dev.yml -openpgp-card-dev.yml -python-mess.yml -rikiwiki-dev.yml -roadmap-dev.yml +radicle-dev.yml +radicle-multi.yml rust-dev.yml -sequoia-dev.yml -sequoia-web.yml -sshca-dev.yml subplot-dev.yml v-i-dev.yml -vmadm-dev.yml vmdb2-dev.yml -web.yml " -parallel chronic ./run-playbook -- $playbooks +for playbook in $playbooks; do + echo "$playbook" + chronic ./run-playbook "$playbook" +done -cd "$HOME/pers/ick/ick2-ansible" -chronic ./run-workers.sh ci-prod-controller.vm.liw.fi +test-ssh-credentials diff --git a/ansible/stamina.yml b/ansible/stamina.yml index f2c0a30..713bef1 100644 --- a/ansible/stamina.yml +++ b/ansible/stamina.yml @@ -8,7 +8,7 @@ - self-updating-system - vmhost-minimal - unix_users - - smarthost-client + - mail-client tasks: - apt: name: @@ -19,6 +19,7 @@ - ifupdown - bridge-utils - moreutils + - genisoimage - apt: name: ntp state: absent @@ -50,6 +51,13 @@ owner: root group: libvirt mode: 0775 + - name: "remove git reps from ~liw" + file: + path: "{{ item }}" + state: absent + with_items: + - /home/liw/ansibleness + - /home/liw/liw-dot-files - name: "clone ansibleness to ~liw" git: repo: git://git.liw.fi/ansibleness 
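Review bot: `sshca-dev.yml` is dropped from this provisioning list, but the same commit leaves `sshca-dev` in stamina-vm-check.sh and still edits ansible/sshca-dev.yml, so the check script will keep reporting on a host this script no longer provisions (its vmadm definition moves to someday-maybe/ in this diff); remove it from the check list too, or keep it here. Replacing `parallel` with a `for` loop under `set -eu` also means the first failing playbook aborts the run and every later VM stays unprovisioned, which may be intended but deserves a comment such as `# sequential on purpose: stop at the first failure`. `test-ssh-credentials` is invoked without a path, so the script now depends on the caller's PATH.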
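Review bot: The new "remove git reps from ~liw" task in the `@@ -50,6 +51,13 @@` hunk deletes `/home/liw/ansibleness` and `/home/liw/liw-dot-files` on every run, so any uncommitted work in those checkouts on stamina is lost and both repos are re-cloned each time over the unauthenticated `git://` transport shown in the following context line. Because a later task in this playbook executes `./liw-dot-files/make-symlinks` from that clone as liw, anyone able to answer for git.liw.fi on the path gets code execution on the VM host; cloning over ssh or https, or pinning a `version:` in the git task, would close that. If the wipe is meant to force a clean clone, a comment saying so would stop the next reader from removing it.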
@@ -59,16 +67,36 @@ repo: git://git.liw.fi/liw-dot-files dest: /home/liw/liw-dot-files - name: "set ownership of everything in ~liw/ansibleness and liw-dot-files" - args: - warn: false shell: | chown -R liw:liw /home/liw/ansibleness /home/liw/liw-dot-files - name: "configure liw dot files" - args: - warn: false shell: | sudo -u liw -i bash -c "pwd && ./liw-dot-files/make-symlinks" sudo -u liw -i bash -c "ln -nsf liw-dot-files/gitconfig-exolobe1 .gitconfig" + - name: "remove vmadm config" + file: + state: absent + path: /home/liw/.config/vmadm/config.yaml + - name: "install vmadm config" + copy: + content: | + image_directory: /mnt/vms + default_autostart: true + default_base_image: ~/base-images/bookworm-vm.qcow2 + default_cpus: 4 + default_generate_host_certificate: true + default_image_gib: 100 + default_memory_mib: 8192 + default_networks: + - bridge=br0 + authorized_keys: + - ~/.ssh/id_personal.pub + ca_key: ~/.ssh/vmadm + user_ca_pubkey: ~/.ssh/userca.pub + dest: /home/liw/.config/vmadm/config.yaml + owner: liw + group: liw + mode: 0644 - name: "create ~liw/base-images" file: state: directory @@ -83,18 +111,6 @@ owner: liw group: liw mode: 0755 - # - name: "fetch cloud images" - # get_url: - # url: "{{ item.url }}" - # dest: "/home/liw/base-images/{{ item.file }}" - # owner: liw - # group: liw - # mode: 0644 - # with_items: - # - url: https://cloud.debian.org/images/cloud/bullseye/latest/debian-11-generic-amd64.qcow2 - # file: bullseye.qcow2 - # - url: https://cloud.debian.org/images/cloud/OpenStack/current-10/debian-10-openstack-amd64.qcow2 - # file: buster.qcow2 - name: "create ~liw/.ssh" file: state: directory 
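Review bot: The "remove vmadm config" `file: state: absent` task directly before the new `copy` is redundant and makes the pair report a change on every run, because `copy` with `content:` already replaces the file in place; dropping the removal task keeps the play idempotent. The written config names `ca_key: ~/.ssh/vmadm` and sets `default_generate_host_certificate: true`, so whatever key is installed at that path can mint SSH host certificates for any VM name; a comment such as `# ca_key is the SSH host CA private key: keep it 0600 and only on this host` would make that explicit to whoever next edits the file. Whether vmadm expands `~` in these paths cannot be confirmed from this hunk.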
@@ -122,20 +138,19 @@ then echo >> /home/liw/.ssh/vmadm fi - # - name: "create ~liw/.config/vmadm" - # file: - # state: directory - # path: /home/liw/.config/vmadm - # owner: liw - # group: liw - # mode: 0755 - # - name: "configure vmadm" - # copy: - # src: vmadm.yaml - # dest: /home/liw/.config/vmadm/config.yaml - # owner: liw - # group: liw - # mode: 0644 + - name: "install SSH user CA key" + copy: + content: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}" + dest: /home/liw/.ssh/userca.pub + owner: liw + group: liw + mode: 0644 + - name: "ensure SSH user CA key file ends in a newline" + shell: | + if [ "$(tail -n1 /home/liw/.ssh/userca.pub | wc -l)" = 0 ] + then + echo >> /home/liw/.ssh/userca.pub + fi - name: "enable libvirt 'default' network" virt_net: name: default @@ -146,16 +161,16 @@ sane_debian_system_version: 2 sane_debian_system_hostname: "{{ inventory_hostname}}" - sane_debian_system_codename: bullseye + sane_debian_system_codename: bookworm sane_debian_system_sources_lists: - repo: | - deb http://security.debian.org/debian-security buster/updates main contrib non-free + deb http://deb.debian.org/debian bookworm contrib non-free - repo: | - deb http://deb.debian.org/debian buster contrib non-free + deb http://security.debian.org/debian-security bookworm-security main contrib non-free - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" + - repo: deb http://apt.liw.fi/debian unstable main + signing_key: "{{ apt_liw_fi_signing_key }}" unix_users_version: 2 unix_users: @@ -164,6 +179,7 @@ sudo: yes groups: - libvirt + - kvm authorized_keys: | {{ liw_personal_ssh_pub }} - username: root 
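Review bot: The "ensure SSH user CA key file ends in a newline" shell task in the `@@ -122,20 +138,19 @@` hunk is unnecessary and non-idempotent: the `pipe` lookup strips the trailing newline, so the file can be written correctly in one step with `content: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}\n"`, and the shell task (which reports changed every run) can be deleted. The same pattern is visible for `/home/liw/.ssh/vmadm` in the context lines above and presumably could be simplified the same way. `lookup('pipe', ...)` runs `sshca` on the control node at variable-evaluation time, which is fine for a public key but worth a short comment so nobody later mirrors it for the private key.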
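Review bot: The new `deb http://deb.debian.org/debian bookworm contrib non-free` line in the `@@ -146,16 +161,16 @@` hunk omits `non-free-firmware`, the component bookworm split out of non-free; stamina is the physical VM host, so if it needs any firmware packages they will no longer resolve, whereas x220.yml in this same change does add the component. If firmware is not needed here, a short comment noting that would save the next reader from wondering; otherwise the line should read `deb http://deb.debian.org/debian bookworm contrib non-free non-free-firmware`. The security line correctly uses the `bookworm-security` suite name.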
@@ -177,6 +193,3 @@ smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}" sshd_version: 1 - sshd_host_key: "{{ lookup('pipe', 'sshca host private-key stamina') }}" - sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 stamina') }}" - sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}" diff --git a/ansible/subplot-dan.hz b/ansible/subplot-dan.hz deleted file mode 100644 index 8038af3..0000000 --- a/ansible/subplot-dan.hz +++ /dev/null @@ -1,5 +0,0 @@ -defaults: - type: cx21 - image: debian-10 -hosts: - - name: dev diff --git a/ansible/subplot-dan.yml b/ansible/subplot-dan.yml deleted file mode 100644 index 56a3d9b..0000000 --- a/ansible/subplot-dan.yml +++ /dev/null @@ -1,38 +0,0 @@ -- hosts: dev - remote_user: root - roles: - - sane_debian_system - - comfortable-debian-system - - unix_users - - self-updating-system - tasks: - - apt: - name: - - curl - - build-essential - - clang - - pkg-config - - nettle-dev - - libssl-dev - - capnproto - - libsqlite3-dev - vars: - hostname: subplot-dev - debian_codename: buster - - unix_users: - - username: liw - comment: Lars Wirzenius - sudo: yes - authorized_keys: | - {{ liw_personal_ssh_pub }} - - username: dan - comment: Dan - sudo: yes - authorized_keys: | - {{ dan_ssh_pub }} - - username: dsilvers - comment: Daniel - sudo: yes - authorized_keys: | - {{ dsilvers_ssh_pub }} diff --git a/ansible/subplot-dev.yml b/ansible/subplot-dev.yml index 71741e7..0ad4ae6 100644 --- a/ansible/subplot-dev.yml +++ b/ansible/subplot-dev.yml 
@@ -3,49 +3,38 @@ become: yes roles: - role: sane_debian_system - tags: [sane] - role: sshd - tags: [sshd] - role: comfortable-debian-system - tags: [comfy] - role: unix_users - tags: [users] - role: rust-rustup - tags: [rustup] - role: liw - tags: [liw] tasks: - apt: + name: ca-certificates-java + default_release: bookworm-backports + - apt: name: - build-essential - daemonize - debhelper - - dh-cargo - graphviz - librsvg2-bin - - lmodern - - pandoc - - pandoc-citeproc - plantuml - python3 - python3-requests - - texlive-fonts-recommended - - texlive-latex-base - - texlive-latex-recommended - - texlive-plain-generic + - tidy vars: ansible_python_interpreter: /usr/bin/python3 sane_debian_system_version: 2 - sane_debian_system_hostname: subplot-dev - sane_debian_system_codename: bullseye + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm sane_debian_system_timezone: Europe/Helsinki sane_debian_system_sources_lists: - repo: | - deb http://security.debian.org/debian-security bullseye-security main contrib non-free - - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" + deb http://security.debian.org/debian-security bookworm-security main contrib non-free + - repo: | + deb http://deb.debian.org/debian bookworm-backports main contrib non-free unix_users_version: 2 unix_users: @@ -53,4 +42,3 @@ comment: Lars Wirzenius sshd_version: 1 - sshd_allow_authorized_keys: yes diff --git a/ansible/sequoia-dev.yml b/ansible/texlive.yml index f7ecaf5..7945b5b 100644 --- a/ansible/sequoia-dev.yml +++ b/ansible/texlive.yml @@ -1,4 +1,4 @@ -- hosts: sequoia-dev +- hosts: texlive remote_user: debian become: yes roles: 
@@ -8,51 +8,37 @@ tags: [sshd] - role: unix_users tags: [users] - - role: rust-rustup - tags: [rustup] - role: liw tags: [liw] - tasks: - apt: name: - - build-essential - - cargo - - capnproto - - clang - - debhelper - - dh-cargo - - libclang-dev - - libsqlite3-dev - - libssl-dev - - llvm - - locales-all - - moreutils - - nettle-dev - - pkg-config - rsync - - rustc - - screen - - shellcheck - - subplot + - graphviz + - librsvg2-bin + - lmodern + - pandoc + - pandoc-citeproc + - pandoc-filter-diagram + - make + - plantuml + - python3 - texlive-fonts-recommended - texlive-latex-base + - texlive-latex-extra - texlive-latex-recommended - + - texlive-plain-generic vars: ansible_python_interpreter: /usr/bin/python3 sane_debian_system_version: 2 - sane_debian_system_hostname: sequoia-dev + sane_debian_system_hostname: "{{ inventory_hostname }}" sane_debian_system_codename: bullseye sane_debian_system_timezone: Europe/Helsinki sane_debian_system_sources_lists: - repo: | deb http://security.debian.org/debian-security bullseye-security main contrib non-free - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" - unix_users_version: 2 unix_users: - username: liw diff --git a/ansible/unpack-dsc.yml b/ansible/unpack-dsc.yml new file mode 100644 index 0000000..55d0dcd --- /dev/null +++ b/ansible/unpack-dsc.yml @@ -0,0 +1,32 @@ +- hosts: unpack-dsc + remote_user: debian + become: yes + roles: + - role: sane_debian_system + - role: sshd + - role: unix_users + - role: liw + tasks: + - apt: + name: + - dpkg-dev + - git + - moreutils + - psmisc + - pv + - rsync + - screen + - strace + vars: + ansible_python_interpreter: /usr/bin/python3 + + sane_debian_system_version: 2 + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm + sane_debian_system_mirror: deb.debian.org + + unix_users_version: 2 + unix_users: + - username: liw + + sshd_version: 1 
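Review bot: This playbook keeps `sane_debian_system_codename: bullseye` and the `bullseye-security` source while every other playbook in the change moves to bookworm, and nothing says why. The `pandoc-citeproc` entry in the package list — which, to my knowledge, is no longer packaged in bookworm — suggests the pin is deliberate; if so, a comment next to the codename, `# stays on bullseye: pandoc-citeproc is not available in bookworm`, records the reason and flags that it needs revisiting when bullseye security support ends. The `unix_users` list continues beyond the end of the hunk.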
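Review bot: The new unpack-dsc.yml sets `sane_debian_system_mirror: deb.debian.org` but, unlike subplot-dev.yml, wumpus.liw.fi.yml and x220-puomi.yml in this same change, gives no `sane_debian_system_sources_lists` entry for `bookworm-security`; if the role does not add the security suite on its own, this host will not receive security updates. Adding the same `- repo: |` / `deb http://security.debian.org/debian-security bookworm-security main contrib non-free` entry the other playbooks use would make it consistent. The tool set (`dpkg-dev`, `strace`, `pv`) suggests the VM exists to unpack third-party source packages; a header comment stating that, and that such input is untrusted, would help the next maintainer.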
diff --git a/ansible/v-i-dev.yml b/ansible/v-i-dev.yml index c9eadec..413f780 100644 --- a/ansible/v-i-dev.yml +++ b/ansible/v-i-dev.yml @@ -16,39 +16,39 @@ tags: [liw] tasks: - apt: + name: ca-certificates-java + default_release: bookworm-backports + - apt: name: - ansible - build-essential - cryptsetup - dosfstools + - expect - graphviz - kpartx - librsvg2-bin - - lmodern - lvm2 - moreutils + - ovmf - pandoc - - pandoc-citeproc - parted - plantuml - python3 - python3 - python3-requests - python3-yaml + - qemu-system-x86 - qemu-utils - subplot - - texlive-fonts-recommended - - texlive-latex-base - - texlive-latex-recommended - - texlive-plain-generic - vmdb2 - zerofree vars: ansible_python_interpreter: python3 sane_debian_system_version: 2 - sane_debian_system_hostname: v-i-dev - sane_debian_system_codename: bullseye + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm timezone: Europe/Helsinki @@ -59,8 +59,10 @@ sudo: yes sane_debian_system_sources_lists: - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" + - repo: deb http://apt.liw.fi/debian unstable main + signing_key: "{{ apt_liw_fi_signing_key }}" + - repo: | + deb http://deb.debian.org/debian bookworm-backports main contrib non-free sshd_version: 1 sshd_allow_authorized_keys: yes diff --git a/ansible/vmadm-dev.yml b/ansible/vmadm-dev.yml index 2f5aaa5..f103382 100644 --- a/ansible/vmadm-dev.yml +++ b/ansible/vmadm-dev.yml @@ -18,12 +18,17 @@ tags: [liw] tasks: - apt: + name: ca-certificates-java + default_release: bookworm-backports + - apt: name: - build-essential + - libclang-dev - curl - libvirt-dev - moreutils - plantuml + - python3-coverage-test-runner - python3-libvirt - python3-lxml - python3-yaml 
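Review bot: The apt package list on the new side of the `@@ -16,39 +16,39 @@` hunk still carries `- python3` twice (both are context lines, so the commit neither introduces nor fixes the duplicate); one can be dropped while this list is being touched. `sshd_allow_authorized_keys: yes` also remains in the `@@ -59,8 +59,10 @@` hunk, unlike subplot-dev.yml which removes it in this commit — presumably deliberate for a dev VM, but a one-line comment would make that clear.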
@@ -38,12 +43,10 @@ group: liw mode: 0644 - virt_net: + xml: /usr/share/libvirt/networks/default.xml name: default + command: define autostart: yes - - virt_net: - name: default - command: start - state: active - user: name: liw groups: @@ -53,10 +56,12 @@ sane_debian_system_version: 2 sane_debian_system_hostname: vmadm-dev - sane_debian_system_codename: bullseye + sane_debian_system_codename: bookworm sane_debian_system_sources_lists: - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" + - repo: deb http://apt.liw.fi/debian unstable main + signing_key: "{{ apt_liw_fi_signing_key }}" + - repo: | + deb http://deb.debian.org/debian bookworm-backports main contrib non-free timezone: Europe/Helsinki diff --git a/ansible/vmdb2-dev.yml b/ansible/vmdb2-dev.yml index ef2cca6..d36689b 100644 --- a/ansible/vmdb2-dev.yml +++ b/ansible/vmdb2-dev.yml @@ -22,6 +22,7 @@ - cmdtest - cryptsetup - debhelper + - debian-ports-archive-keyring - debootstrap - dosfstools - expect @@ -29,6 +30,7 @@ - kpartx - lvm2 - moreutils + - ovmf - pandoc - parted - python3-all @@ -45,14 +47,13 @@ - texlive-fonts-recommended - texlive-latex-base - texlive-latex-recommended - - vmdb2 - zerofree vars: ansible_python_interpreter: python3 sane_debian_system_version: 2 - sane_debian_system_hostname: vmdb2-dev - sane_debian_system_codename: bullseye + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm timezone: Europe/Helsinki @@ -63,8 +64,8 @@ sudo: yes sane_debian_system_sources_lists: - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" + - repo: deb http://apt.liw.fi/debian unstable main + signing_key: "{{ apt_liw_fi_signing_key }}" sshd_version: 1 sshd_allow_authorized_keys: yes diff --git a/ansible/web.yml b/ansible/web.yml index 26f0602..abc5687 100644 --- a/ansible/web.yml +++ b/ansible/web.yml 
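Review bot: Collapsing the two `virt_net` tasks into a single `command: define` with `autostart: yes` means the `default` network is defined but never started in this run; libvirt only brings autostart networks up when the daemon (re)starts, so on a freshly provisioned VM the network stays inactive until reboot. Keeping a follow-up task `- virt_net: name: default state: active` restores the previous behaviour while still defining from `/usr/share/libvirt/networks/default.xml`. If "define only, start on next boot" is the intent, a comment saying so would stop the next reader from re-adding the start step.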
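Review bot: In the `@@ -53,10 +56,12 @@` hunk `sane_debian_system_hostname: vmadm-dev` is left as a literal while every other playbook in this change switches to `"{{ inventory_hostname }}"`; if this play is ever run against a differently named inventory host, the machine will be renamed to vmadm-dev. Changing it to `sane_debian_system_hostname: "{{ inventory_hostname }}"` keeps the playbooks consistent. The repo swap to `apt.liw.fi` with `apt_liw_fi_signing_key` matches the other playbooks.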
@@ -97,12 +97,12 @@ ansible_python_interpreter: /usr/bin/python3 sane_debian_system_version: 2 - sane_debian_system_hostname: web - sane_debian_system_codename: bullseye + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm sane_debian_system_mirror: deb.debian.org sane_debian_system_sources_lists: - - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main - signing_key: "{{ ci_prod_signing_key }}" + - repo: deb http://apt.liw.fi/debian unstable main + signing_key: "{{ apt_liw_fi_signing_key }}" unix_users_version: 2 unix_users: diff --git a/ansible/wumpus.liw.fi.yml b/ansible/wumpus.liw.fi.yml new file mode 100644 index 0000000..0be5379 --- /dev/null +++ b/ansible/wumpus.liw.fi.yml @@ -0,0 +1,52 @@ +- hosts: wumpus.liw.fi + remote_user: root + become: yes + roles: + - role: sane_debian_system + - role: sshd + - role: comfortable-debian-system + - role: unix_users + - role: apache_server + - role: rust-rustup + - role: liw + tasks: + - name: "install important additional packages" + apt: + name: + - moreutils + - nmap + - ripgrep + + vars: + ansible_python_interpreter: /usr/bin/python3 + + sane_debian_system_version: 2 + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm + sane_debian_system_timezone: Europe/Helsinki + sane_debian_system_sources_lists: + - repo: | + deb http://security.debian.org/debian-security bookworm-security main contrib non-free + + unix_users_version: 2 + unix_users: + - username: liw + comment: Lars Wirzenius + + sshd_version: 1 + + rustup_cargo_install: | + starship + + letsencrypt: yes + letsencrypt_email: liw@liw.fi + letsencrypt_main_domain: wumpus.liw.fi + certbot_debian_release: bookworm + + static_sites: + + - domain: wumpus.liw.fi + owner: liw + ownermail: liw@liw.fi + letsencrypt: yes + letsencrypt_cert: cert01 diff --git a/ansible/x220-puomi.yml b/ansible/x220-puomi.yml new file mode 100644 index 0000000..76e176e --- /dev/null 
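Review bot: In the new wumpus.liw.fi.yml, `remote_user: root` together with `become: yes` means this internet-facing web host must keep accepting direct root SSH logins for every future run, whereas the other playbooks in this change connect as an unprivileged user and escalate; after the first run, adding `sudo: yes` to the `liw` entry and switching to `remote_user: liw` would let root be locked out of sshd (assuming the sshd role supports that, which is not visible here). `rustup_cargo_install: starship` pulls an unpinned crate build from crates.io onto a public host at provisioning time; the Debian package, or a pinned version, is easier to audit. Installing `nmap` on a production web server is unusual enough to deserve a comment saying why it is there.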
+++ b/ansible/x220-puomi.yml @@ -0,0 +1,26 @@ +- hosts: x220 + remote_user: root + roles: + - role: sane_debian_system + - role: ssd + - role: sshd + - role: intel-wifi + - role: puomi + + vars: + ansible_python_interpreter: /usr/bin/python3 + + sane_debian_system_version: 2 + sane_debian_system_hostname: "{{ inventory_hostname }}" + sane_debian_system_codename: bookworm + sane_debian_system_timezone: Europe/Helsinki + sane_debian_system_sources_lists: + - repo: | + deb http://security.debian.org/debian-security bookworm-security main contrib non-free + + - repo: | + deb http://deb.debian.org/debian bookworm-backports main contrib non-free + + sshd_version: 1 + + puomi_version: 1 diff --git a/ansible/x220.yml b/ansible/x220.yml index 7bcd10b..a2f562a 100644 --- a/ansible/x220.yml +++ b/ansible/x220.yml 
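Review bot: This playbook applies the `puomi` role but sets none of the `puomi_lan_ip`, `puomi_essid` or `puomi_wifi_passphrase` variables that x220.yml loses in this same commit, so the access-point configuration now comes from somewhere not visible here (role defaults, an inventory vars file, or a vault). Wherever the passphrase landed, it should not be a plain string in the repository again; a comment such as `# puomi_* vars (incl. the wifi passphrase) live outside this repo, see inventory` pointing at the real location would help. The play also runs as `remote_user: root` with no `unix_users` role, so root is the only account on the router — possibly intended for an appliance, but worth stating.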
@@ -3,46 +3,47 @@ roles: - role: sane_debian_system - role: sshd - - role: ssd - role: unix_users - - role: thinkpad - - role: puomi + - role: comfortable-debian-system + - role: intel-wifi + - role: gnome-system + - role: unix_users + - role: liw tasks: - - lineinfile: - path: /etc/systemd/logind.conf - regexp: HandleLidSwitch= - line: HandleLidSwitch=ignore - - lineinfile: - path: /etc/systemd/logind.conf - regexp: HandleLidSwitchExternalPower= - line: HandleLidSwitchExternalPower=ignore - - systemd: - name: systemd-logind - state: restarted + - name: "install desktop" + apt: + name: + - gnome + vars: ansible_python_interpreter: /usr/bin/python3 sane_debian_system_version: 2 sane_debian_system_hostname: "{{ inventory_hostname }}" - sane_debian_system_codename: bullseye + sane_debian_system_codename: bookworm sane_debian_system_timezone: Europe/Helsinki + sane_debian_system_sources_lists: + - repo: | + deb http://deb.debian.org/debian bookworm contrib non-free non-free-firmware + + - repo: | + deb http://security.debian.org/debian-security bookworm-security main contrib non-free + + - repo: | + deb http://deb.debian.org/debian bookworm-backports main contrib non-free unix_users_version: 2 unix_users: - username: liw comment: Lars Wirzenius + groups: + - audio + - dialout + - dip + - floppy + - netdev + - plugdev + - video sshd_version: 1 - sshd_host_key: "{{ lookup('pipe', 'sshca host private-key x220') }}" - sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 x220') }}" - sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}" - - puomi_lan_ip: 10.3.3.1 - puomi_dhcp_start: 10.3.3.10 - puomi_dhcp_end: 10.3.3.250 - puomi_dhcp_netmask: 255.255.255.0 - puomi_dhcp_lease: 1h - puomi_essid: Valkama3 - puomi_wifi_country_code: FI - puomi_wifi_passphrase: Oomam2ah diff --git a/base-image/Makefile b/base-image/Makefile index 7af2dd1..394a298 100644 --- a/base-image/Makefile +++ b/base-image/Makefile 
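Review bot: The new roles list contains `- role: unix_users` twice (the original entry after `sshd` and the added one after `gnome-system`), so the role runs twice per play; drop the added duplicate. The removed `puomi_wifi_passphrase: Oomam2ah` line stays in git history, so that WPA passphrase should be treated as disclosed and changed on the access point rather than merely deleted from the playbook. Replacing the removed `sshd_host_key`/`sshd_host_cert` lookups with the `hostid.yml` mechanism in the v-i specs is the right direction, since the private key no longer passes through playbook variables.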
@@ -1,4 +1,4 @@ -qcows = bullseye-vm.qcow2 +qcows = bullseye-vm.qcow2 bookworm-vm.qcow2 .SUFFIXES: .vmdb .img .qcow2 diff --git a/base-image/base-image.yml b/base-image/base-image.yml index 84d938f..d53df26 100644 --- a/base-image/base-image.yml +++ b/base-image/base-image.yml @@ -21,6 +21,7 @@ mode: 0600 - shell: | apt clean + sed -i 's/^root:[^:]*:/root::/' /etc/shadow /etc/passwd vars: hostname: bullseye ansible_python_interpreter: /usr/bin/python3 diff --git a/base-image/bookworm-vm.vmdb b/base-image/bookworm-vm.vmdb new file mode 100644 index 0000000..9d6186c --- /dev/null +++ b/base-image/bookworm-vm.vmdb @@ -0,0 +1,51 @@ +steps: + - mkimg: "{{ output }}" + size: 4G + + - mklabel: msdos + device: "{{ output }}" + + - mkpart: primary + device: "{{ output }}" + start: 0% + end: 50% + tag: / + + - kpartx: "{{ output }}" + + - mkfs: ext4 + partition: / + + - mount: / + + - unpack-rootfs: / + + - debootstrap: bookworm + mirror: http://deb.debian.org/debian + target: / + unless: rootfs_unpacked + + - apt: install + packages: + - linux-image-amd64 + recommends: false + tag: / + unless: rootfs_unpacked + + - cache-rootfs: / + unless: rootfs_unpacked + + - chroot: / + shell: | + apt-get -y install python3 parted acpi + + - fstab: / + + - resize-rootfs: / + + - ansible: / + playbook: base-image.yml + + - grub: bios + tag: / + quiet: false diff --git a/base-image/bullseye-vm.sh b/base-image/bullseye-vm.sh deleted file mode 100755 index b40229e..0000000 --- a/base-image/bullseye-vm.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash - -set -euo pipefail - -tarball="$1" - -sudo vmdb2 bullseye-vm.vmdb \ - --output bullseye-vm.img \ - --log bullseye-vm.log \ - --rootfs-tarball "$tarball" \ - --verbose - -qemu-img convert -f raw -O qcow2 bullseye-vm.img bullseye-vm.qcow2 diff --git a/base-image/eth0.network b/base-image/eth0.network new file mode 100644 index 0000000..e871c69 --- /dev/null +++ b/base-image/eth0.network @@ -0,0 +1,5 @@ +[Match] +Name=eth0 + +[Network] +DHCP=yes 
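Review bot: The added `sed -i 's/^root:[^:]*:/root::/' /etc/shadow /etc/passwd` in base-image.yml empties root's password field in both files, so every VM built from this base image accepts a root login with no password on the console (sshd's default `PermitEmptyPasswords no` blocks it over SSH, but virsh and serial consoles are not covered). If passwordless console access is deliberate — the `passwordless_root: true` flags added to the v-i specs in this change hint that it is — a comment above the line stating that and that provisioning must set or lock the password afterwards would stop the next reader "fixing" it; if not, `passwd -l root` gives a locked account that still allows key-based SSH. Running it in the same `shell:` task as `apt clean` also hides which of the two commands failed.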
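Review bot: The new bookworm-vm.vmdb runs `playbook: base-image.yml`, and that playbook's hunk in this same diff still carries `hostname: bullseye` in its vars, so the bookworm image presumably ends up with a bullseye hostname unless vmdb2 overrides it (not visible here); parameterising the playbook's hostname, or passing it from the vmdb step, avoids the mismatch. The `chroot` step that installs `python3 parted acpi` has no `unless: rootfs_unpacked`, so it re-runs even when the cached rootfs is used — harmless but slower, and a comment would clarify whether that is intended. The plain-http debootstrap mirror is acceptable because debootstrap verifies the Release signature against the archive keyring.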
diff --git a/v-i/exolobe1-spec.yaml b/v-i/exolobe1-spec.yaml index b063753..cdfbaf3 100644 --- a/v-i/exolobe1-spec.yaml +++ b/v-i/exolobe1-spec.yaml @@ -1,19 +1,9 @@ hostname: exolobe1 +luks: asdf drive: /dev/sda extra_lvs: - name: home size: 300G mounted: /home -ansible_vars: - host_key: | - -----BEGIN OPENSSH PRIVATE KEY----- - b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW - QyNTUxOQAAACDrR+77pLmmtG2oAtcaot5ZIgU7FriMoDSCejG33dsfjgAAAIietrwbnra8 - GwAAAAtzc2gtZWQyNTUxOQAAACDrR+77pLmmtG2oAtcaot5ZIgU7FriMoDSCejG33dsfjg - AAAEAugoV1wqYMsAYSW1su3W3WyWh4ZIWNbvDIkphOGOS0eetH7vukuaa0bagC1xqi3lki - BTsWuIygNIJ6Mbfd2x+OAAAAAAECAwQF - -----END OPENSSH PRIVATE KEY----- - host_cert: | - ssh-ed25519-cert-v01@openssh.com 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 /tmp/.tmpximUbQ/sub.pub - user_pub: | - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems +ansible_vars_files: + - hostid.yml diff --git a/v-i/hostid.py b/v-i/hostid.py new file mode 100755 index 0000000..d87d3a6 --- /dev/null +++ b/v-i/hostid.py 
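Review bot: `luks: asdf` commits a four-character LUKS passphrase in plain text, and upliw-spec.yaml in this same change uses the identical literal; if v-i treats it as an installer-time passphrase that is replaced on first boot, a comment such as `# placeholder installer passphrase; replaced after first boot` should say so, otherwise the disk encryption on this host is only as strong as the repository's history. The removed `host_key` block leaves the old private key in git history; hostid.py's `sshca host regenerate` replaces the key, but the previously issued host certificate remains valid for its own lifetime unless a KRL revokes it, so clients trusting the v4 host CA should not assume the old identity is gone.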
@@ -0,0 +1,73 @@ +#!/usr/bin/python3 + +import argparse +import yaml +import sys +from subprocess import run, PIPE + + +DEFAULT_HOST_CA = "liw.fi/ca/host/v5" +DEFAULT_USER_CA = "liw.fi/ca/user/v5" + + +class HostId: + def __init__(self): + self.user_ca_pubkey = None + self.host_key = None + self.host_cert = None + + def set_user_ca_pubkey(self, value): + self.user_ca_pubkey = value + + def set_host_key(self, value): + self.host_key = value + + def set_host_cert(self, value): + self.host_cert = value + + def to_dict(self): + return { + "user_ca_pubkey": self.user_ca_pubkey, + "host_key": self.host_key, + "host_cert": self.host_cert, + } + + +def sshca(args): + p = run(["sshca"] + args, capture_output=True, check=True) + return p.stdout.decode().strip() + + +def user_ca_pubkey(ca_name): + return sshca(["ca", "public-key", ca_name]).strip() + + +def host_key(hostname): + sshca(["host", "regenerate", hostname]) + return sshca(["host", "private-key", hostname]).strip() + + +def host_cert(ca_name, hostname): + return sshca(["host", "certify", "--ca", ca_name, hostname]).strip() + + +def main(): + parser = argparse.ArgumentParser() + parser.add_argument("--hostname", required=True) + parser.add_argument("--host-ca", default=DEFAULT_HOST_CA) + parser.add_argument("--user-ca", default=DEFAULT_USER_CA) + values = parser.parse_args() + + hostname = values.hostname + host_ca = values.host_ca + user_ca = values.user_ca + + hostid = HostId() + hostid.set_user_ca_pubkey(user_ca_pubkey(user_ca)) + hostid.set_host_key(host_key(hostname)) + hostid.set_host_cert(host_cert(host_ca, hostname)) + yaml.safe_dump(hostid.to_dict(), stream=sys.stdout, indent=4) + + +if __name__ == "__main__": + main() diff --git a/v-i/kea-spec.yaml b/v-i/kea-spec.yaml index 5b82490..d19609c 100644 --- a/v-i/kea-spec.yaml +++ b/v-i/kea-spec.yaml 
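Review bot: `host_key()` prints the freshly regenerated private host key to stdout, so the secrecy of the resulting `hostid.yml` depends entirely on the caller's redirect and umask, and nothing in this change keeps that file out of version control; either write it from the script with `os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)`, or at least add a module docstring warning that the output contains a private key and must go to a 0600, git-ignored file. `sshca()` uses `capture_output=True` with `check=True`, which swallows sshca's stderr on failure and leaves only a bare `CalledProcessError`; `run(["sshca"] + args, stdout=PIPE, check=True)` uses the already imported (and currently unused) `PIPE` and lets the tool's error message through. Each run also regenerates the host key, invalidating any non-CA `known_hosts` entries — worth stating in `host_key`'s docstring.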
@@ -1,6 +1,10 @@ hostname: kea -luks: asdf drive: /dev/sda +extra_lvs: + - name: home + size: 20G + mounted: /home +ansible_vars_files: + - hostid.yml ansible_vars: - user_pub: | - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems + passwordless_root: true diff --git a/v-i/qotom-spec.yaml b/v-i/qotom-spec.yaml index 23e722b..7f593d0 100644 --- a/v-i/qotom-spec.yaml +++ b/v-i/qotom-spec.yaml @@ -1,15 +1,8 @@ hostname: qotom drive: /dev/sda +extra_playbooks: + - puomi-playbook.yml +ansible_vars_files: + - hostid.yml ansible_vars: - host_key: | - -----BEGIN OPENSSH PRIVATE KEY----- - b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW - QyNTUxOQAAACBb1EpgwZ1snHx38tQIWjg5O/cnpVWipTZpGcWQHtcmjwAAAIjOAeqazgHq - mgAAAAtzc2gtZWQyNTUxOQAAACBb1EpgwZ1snHx38tQIWjg5O/cnpVWipTZpGcWQHtcmjw - AAAEBhCtpBXjQkLAgy7exucw1mx8BvwkmxQq3fy6CxaoMRtlvUSmDBnWycfHfy1AhaODk7 - 9yelVaKlNmkZxZAe1yaPAAAAAAECAwQF - -----END OPENSSH PRIVATE KEY----- - host_cert: | - ssh-ed25519-cert-v01@openssh.com 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 /tmp/.tmpYrs8LV/sub.pub - user_pub: | - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems + passwordless_root: true diff --git a/v-i/solace-spec.yaml b/v-i/solace-spec.yaml index e518e73..925c5d4 100644 --- a/v-i/solace-spec.yaml +++ b/v-i/solace-spec.yaml @@ -1,6 +1,8 @@ hostname: solace -luks: asdf drive: /dev/nvme0n1 -ansible_vars: - user_pub: | - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems +extra_lvs: + - name: home + size: 300G + mounted: /home +ansible_vars_files: + - hostid.yml diff --git a/v-i/stamina-spec.yaml b/v-i/stamina-spec.yaml index 3eb2cf6..6a9aede 100644 --- a/v-i/stamina-spec.yaml +++ b/v-i/stamina-spec.yaml 
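Review bot: In qotom-spec.yaml `passwordless_root: true` is added to the host that runs `puomi-playbook.yml`, i.e. the network router/access point, while its previous host key (removed in the same hunk) remains in git history. If the flag only relaxes the console password (sshd rejects empty passwords by default) and the box is physically secured, that is defensible but should be documented in the spec, e.g. `# console-only: sshd rejects empty passwords`; if it drives anything more, a router is the wrong host to carry it. Treat the removed key as compromised and rely on the regenerated one from hostid.py.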
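Review bot: In solace-spec.yaml, dropping `luks: asdf` while adding a 300G `home` LV presumably means /home is now installed without disk encryption, unless v-i encrypts by default when `luks` is absent (not visible here). If the intent is to stop committing the passphrase rather than to stop encrypting, a passphrase supplied at install time or from outside the repo would keep the encryption; otherwise a comment such as `# unencrypted on purpose` in the spec would record the decision for whoever next provisions the machine.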
@@ -6,6 +6,5 @@ extra_lvs: - name: vms size: 500G mounted: /mnt/vms -ansible_vars: - user_pub: | - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems +ansible_vars_files: + - hostid.yml diff --git a/v-i/upliw-spec.yaml b/v-i/upliw-spec.yaml new file mode 100644 index 0000000..aead751 --- /dev/null +++ b/v-i/upliw-spec.yaml @@ -0,0 +1,9 @@ +hostname: upliw0 +luks: asdf +drive: /dev/nvme0n1 +extra_lvs: + - name: home + size: 100G + mounted: /home +ansible_vars_files: + - hostid.yml diff --git a/v-i/x220-puomi-spec.yaml b/v-i/x220-puomi-spec.yaml new file mode 100644 index 0000000..98d32fb --- /dev/null +++ b/v-i/x220-puomi-spec.yaml @@ -0,0 +1,8 @@ +hostname: x220 +drive: /dev/sda +extra_playbooks: + - puomi-playbook.yml +ansible_vars_files: + - hostid.yml +ansible_vars: + passwordless_root: true diff --git a/v-i/x220-spec.yaml b/v-i/x220-spec.yaml index 3ef3296..1dfb393 100644 --- a/v-i/x220-spec.yaml +++ b/v-i/x220-spec.yaml @@ -1,8 +1,10 @@ hostname: x220 -luks: asdf -drive: /dev/sdb -ansible_vars: - user_ca_pubkey: | - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAnrswi6ZNElxSgt6ak5hjSNIkVte11ht7BG3qpBJU4hAAAABHNzaDo= +drive: /dev/sda +extra_lvs: + - name: home + size: 20G + mounted: /home ansible_vars_files: - hostid.yml +ansible_vars: + passwordless_root: true diff --git a/vmadm/exolobe2/debian-mirror.yaml b/vmadm/exolobe2/debian-mirror.yaml index 9a7846a..bc9b7df 100644 --- a/vmadm/exolobe2/debian-mirror.yaml +++ b/vmadm/exolobe2/debian-mirror.yaml @@ -1,3 +1,4 @@ debian-mirror: - image_size_gib: 200 + base: ~/base-images/bookworm-vm.qcow2 + image_size_gib: 500 autostart: true diff --git a/vmadm/exolobe2/holywood2.yaml b/vmadm/exolobe2/holywood2.yaml new file mode 100644 index 0000000..fa7a959 --- /dev/null +++ b/vmadm/exolobe2/holywood2.yaml @@ -0,0 +1,5 @@ +holywood2: + base: ~/base-images/bullseye-vm.qcow2 + cpus: 2 + memory_mib: 8192 + image_size_gib: 10 
diff --git a/vmadm/exolobe2/image-dist.yaml b/vmadm/exolobe2/image-dist.yaml new file mode 100644 index 0000000..e1b7a35 --- /dev/null +++ b/vmadm/exolobe2/image-dist.yaml @@ -0,0 +1,5 @@ +image-dist: + base: ~/base-images/bullseye-vm.qcow2 + cpus: 2 + memory_mib: 1024 + image_size_gib: 10 diff --git a/vmadm/exolobe2/obnam-server.yaml b/vmadm/exolobe2/obnam-server.yaml new file mode 100644 index 0000000..19298fc --- /dev/null +++ b/vmadm/exolobe2/obnam-server.yaml @@ -0,0 +1,5 @@ +obnam-server: + cpus: 2 + memory_mib: 4096 + image_size_gib: 300 + autostart: true diff --git a/vmadm/someday-maybe/apt-dev.yaml b/vmadm/someday-maybe/apt-dev.yaml deleted file mode 100644 index 3cbab11..0000000 --- a/vmadm/someday-maybe/apt-dev.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apt-dev: - cpus: 16 - memory_mib: 65536 - image_size_gib: 100 diff --git a/vmadm/someday-maybe/billion.yaml b/vmadm/someday-maybe/billion.yaml index c61f4d5..543dbc6 100644 --- a/vmadm/someday-maybe/billion.yaml +++ b/vmadm/someday-maybe/billion.yaml @@ -1,4 +1,4 @@ billion: cpus: 8 memory_mib: 16384 - image_size_gib: 10 + image_size_gib: 1024 diff --git a/vmadm/stamina/clab-dev.yaml b/vmadm/someday-maybe/clab-dev.yaml index 31c882d..31c882d 100644 --- a/vmadm/stamina/clab-dev.yaml +++ b/vmadm/someday-maybe/clab-dev.yaml diff --git a/vmadm/stamina/debian-ansible-dev.yaml b/vmadm/someday-maybe/debian-ansible-dev.yaml index aa80f4a..aa80f4a 100644 --- a/vmadm/stamina/debian-ansible-dev.yaml +++ b/vmadm/someday-maybe/debian-ansible-dev.yaml diff --git a/vmadm/stamina/ewww-dev.yaml b/vmadm/someday-maybe/ewww-dev.yaml index 784050f..784050f 100644 --- a/vmadm/stamina/ewww-dev.yaml +++ b/vmadm/someday-maybe/ewww-dev.yaml diff --git a/vmadm/stamina/ewww-test.yaml b/vmadm/someday-maybe/ewww-test.yaml index 0d88ab1..0d88ab1 100644 --- a/vmadm/stamina/ewww-test.yaml +++ b/vmadm/someday-maybe/ewww-test.yaml 
diff --git a/vmadm/someday-maybe/handbrake.yaml b/vmadm/someday-maybe/handbrake.yaml new file mode 100644 index 0000000..83d0708 --- /dev/null +++ b/vmadm/someday-maybe/handbrake.yaml @@ -0,0 +1,6 @@ +handbrake: + autostart: false + memory_mib: 16384 + cpus: 30 + image_size_gib: 100 + diff --git a/vmadm/stamina/jt-dev.yaml b/vmadm/someday-maybe/jt-dev.yaml index a412c61..a412c61 100644 --- a/vmadm/stamina/jt-dev.yaml +++ b/vmadm/someday-maybe/jt-dev.yaml diff --git a/vmadm/stamina/obnam-bench.yaml b/vmadm/someday-maybe/obnam-bench.yaml index 64e3208..64e3208 100644 --- a/vmadm/stamina/obnam-bench.yaml +++ b/vmadm/someday-maybe/obnam-bench.yaml diff --git a/vmadm/someday-maybe/openpgp-ca-dev.yaml b/vmadm/someday-maybe/openpgp-ca-dev.yaml new file mode 100644 index 0000000..65823f3 --- /dev/null +++ b/vmadm/someday-maybe/openpgp-ca-dev.yaml @@ -0,0 +1,4 @@ +openpgp-ca-dev: + cpus: 16 + memory_mib: 16384 + image_size_gib: 100 diff --git a/vmadm/someday-maybe/openpgp-card-dev.yaml b/vmadm/someday-maybe/openpgp-card-dev.yaml new file mode 100644 index 0000000..0c38856 --- /dev/null +++ b/vmadm/someday-maybe/openpgp-card-dev.yaml @@ -0,0 +1,4 @@ +openpgp-card-dev: + cpus: 16 + memory_mib: 16384 + image_size_gib: 100 diff --git a/vmadm/stamina/python-mess.yaml b/vmadm/someday-maybe/python-mess.yaml index 524b5e5..524b5e5 100644 --- a/vmadm/stamina/python-mess.yaml +++ b/vmadm/someday-maybe/python-mess.yaml diff --git a/vmadm/someday-maybe/radicle-liw3.yaml b/vmadm/someday-maybe/radicle-liw3.yaml new file mode 100644 index 0000000..6551f2e --- /dev/null +++ b/vmadm/someday-maybe/radicle-liw3.yaml @@ -0,0 +1,4 @@ +radicle-liw3: + cpus: 2 + memory_mib: 1024 + image_size_gib: 20 diff --git a/vmadm/someday-maybe/radicle-test.yaml b/vmadm/someday-maybe/radicle-test.yaml new file mode 100644 index 0000000..db8ef3d --- /dev/null +++ b/vmadm/someday-maybe/radicle-test.yaml @@ -0,0 +1,4 @@ +radicle-test: + cpus: 4 + memory_mib: 8192 + image_size_gib: 100 
diff --git a/vmadm/someday-maybe/riki-dev.yaml b/vmadm/someday-maybe/riki-dev.yaml new file mode 100644 index 0000000..0131fc1 --- /dev/null +++ b/vmadm/someday-maybe/riki-dev.yaml @@ -0,0 +1,4 @@ +riki-dev: + cpus: 8 + memory_mib: 8192 + image_size_gib: 100 diff --git a/vmadm/someday-maybe/roadmap-dev.yaml b/vmadm/someday-maybe/roadmap-dev.yaml new file mode 100644 index 0000000..027de7d --- /dev/null +++ b/vmadm/someday-maybe/roadmap-dev.yaml @@ -0,0 +1,4 @@ +roadmap-dev: + cpus: 8 + memory_mib: 4096 + image_size_gib: 100 diff --git a/vmadm/someday-maybe/ssh-dev.yaml b/vmadm/someday-maybe/ssh-dev.yaml deleted file mode 100644 index aad3eb1..0000000 --- a/vmadm/someday-maybe/ssh-dev.yaml +++ /dev/null @@ -1,2 +0,0 @@ -ssh-dev: - autostart: true diff --git a/vmadm/stamina/sshca-dev.yaml b/vmadm/someday-maybe/sshca-dev.yaml index a04aac7..a04aac7 100644 --- a/vmadm/stamina/sshca-dev.yaml +++ b/vmadm/someday-maybe/sshca-dev.yaml diff --git a/vmadm/someday-maybe/texlive.yaml b/vmadm/someday-maybe/texlive.yaml new file mode 100644 index 0000000..08c6d80 --- /dev/null +++ b/vmadm/someday-maybe/texlive.yaml @@ -0,0 +1,5 @@ +texlive: + cpus: 8 + memory_mib: 16384 + image_size_gib: 100 + base: /home/liw/base-images/bullseye-vm.qcow2 diff --git a/vmadm/someday-maybe/unpack-dsc.yaml b/vmadm/someday-maybe/unpack-dsc.yaml new file mode 100644 index 0000000..4f8b02e --- /dev/null +++ b/vmadm/someday-maybe/unpack-dsc.yaml @@ -0,0 +1,5 @@ +unpack-dsc: + autostart: true + image_size_gib: 1000 + cpus: 30 + memory_mib: 16384 diff --git a/vmadm/stamina/roadmap-dev.yaml b/vmadm/someday-maybe/vmadm-dev.yaml index 61d3651..81de98b 100644 --- a/vmadm/stamina/roadmap-dev.yaml +++ b/vmadm/someday-maybe/vmadm-dev.yaml @@ -1,4 +1,4 @@ -roadmap-dev: +vmadm-dev: cpus: 8 memory_mib: 16384 image_size_gib: 100 diff --git a/vmadm/someday-maybe/vmdb2-dev-sid.yaml b/vmadm/someday-maybe/vmdb2-dev-sid.yaml new file mode 100644 index 0000000..a117a58 --- /dev/null 
+++ b/vmadm/someday-maybe/vmdb2-dev-sid.yaml @@ -0,0 +1,4 @@ +vmdb2-dev-sid: + cpus: 8 + memory_mib: 16384 + image_size_gib: 100 diff --git a/vmadm/stamina/sequoia-web.yaml b/vmadm/stamina/ambient-dev.yaml index 963fdcd..5692bf8 100644 --- a/vmadm/stamina/sequoia-web.yaml +++ b/vmadm/stamina/ambient-dev.yaml @@ -1,4 +1,4 @@ -sequoia-web: +ambient-dev: cpus: 4 memory_mib: 8192 image_size_gib: 100 diff --git a/vmadm/stamina/icktool.yaml b/vmadm/stamina/icktool.yaml deleted file mode 100644 index d089a26..0000000 --- a/vmadm/stamina/icktool.yaml +++ /dev/null @@ -1,6 +0,0 @@ -icktool: - base: ~/base-images/debian-10-openstack-amd64.qcow2 - cpus: 1 - memory_mib: 1024 - image_size_gib: 4 - autostart: true diff --git a/vmadm/stamina/obnam-dev.yaml b/vmadm/stamina/obnam-dev.yaml index 26d597b..96dae0c 100644 --- a/vmadm/stamina/obnam-dev.yaml +++ b/vmadm/stamina/obnam-dev.yaml @@ -1,4 +1,4 @@ obnam-dev: - cpus: 30 - memory_mib: 65535 + cpus: 16 + memory_mib: 16384 image_size_gib: 100 diff --git a/vmadm/stamina/openpgp-ca-dev.yaml b/vmadm/stamina/openpgp-ca-dev.yaml deleted file mode 100644 index 237b99c..0000000 --- a/vmadm/stamina/openpgp-ca-dev.yaml +++ /dev/null @@ -1,4 +0,0 @@ -openpgp-ca-dev: - cpus: 30 - memory_mib: 65535 - image_size_gib: 100 diff --git a/vmadm/stamina/openpgp-card-dev.yaml b/vmadm/stamina/openpgp-card-dev.yaml deleted file mode 100644 index f151f53..0000000 --- a/vmadm/stamina/openpgp-card-dev.yaml +++ /dev/null @@ -1,4 +0,0 @@ -openpgp-card-dev: - cpus: 30 - memory_mib: 65535 - image_size_gib: 100 diff --git a/vmadm/stamina/radicle-dev.yaml b/vmadm/stamina/radicle-dev.yaml new file mode 100644 index 0000000..c073431 --- /dev/null +++ b/vmadm/stamina/radicle-dev.yaml @@ -0,0 +1,4 @@ +radicle-dev: + cpus: 8 + memory_mib: 8192 + image_size_gib: 100 diff --git a/vmadm/stamina/radicle-multi.yaml b/vmadm/stamina/radicle-multi.yaml new file mode 100644 index 0000000..03e36f6 --- /dev/null +++ b/vmadm/stamina/radicle-multi.yaml 
@@ -0,0 +1,4 @@
+radicle-multi:
+ cpus: 20
+ memory_mib: 32768
+ image_size_gib: 200
diff --git a/vmadm/stamina/radicle-other-node.yaml b/vmadm/stamina/radicle-other-node.yaml
new file mode 100644
index 0000000..73073e7
--- /dev/null
+++ b/vmadm/stamina/radicle-other-node.yaml
@@ -0,0 +1,4 @@
+radicle-other-node:
+ cpus: 2
+ memory_mib: 2048
+ image_size_gib: 20
diff --git a/vmadm/stamina/rikiwiki-dev.yaml b/vmadm/stamina/rikiwiki-dev.yaml
deleted file mode 100644
index 5060a37..0000000
--- a/vmadm/stamina/rikiwiki-dev.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-rikiwiki-dev:
- cpus: 30
- memory_mib: 65535
- image_size_gib: 100
diff --git a/vmadm/stamina/rust-dev.yaml b/vmadm/stamina/rust-dev.yaml
index f700290..6572862 100644
--- a/vmadm/stamina/rust-dev.yaml
+++ b/vmadm/stamina/rust-dev.yaml
@@ -1,4 +1,4 @@
 rust-dev:
- cpus: 16
- memory_mib: 65535
+ cpus: 8
+ memory_mib: 16384
 image_size_gib: 100
diff --git a/vmadm/stamina/sequoia-dev.yaml b/vmadm/stamina/sequoia-dev.yaml
deleted file mode 100644
index 5a1a856..0000000
--- a/vmadm/stamina/sequoia-dev.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-sequoia-dev:
- cpus: 30
- memory_mib: 65535
- image_size_gib: 100
diff --git a/vmadm/stamina/subplot-dev.yaml b/vmadm/stamina/subplot-dev.yaml
index 605d7f3..191b878 100644
--- a/vmadm/stamina/subplot-dev.yaml
+++ b/vmadm/stamina/subplot-dev.yaml
@@ -1,4 +1,4 @@
 subplot-dev:
- cpus: 30
- memory_mib: 65535
+ cpus: 8
+ memory_mib: 8192
 image_size_gib: 100
diff --git a/vmadm/stamina/vmadm-dev.yaml b/vmadm/stamina/vmadm-dev.yaml
deleted file mode 100644
index b75b70c..0000000
--- a/vmadm/stamina/vmadm-dev.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-vmadm-dev:
- cpus: 30
- memory_mib: 65536
- image_size_gib: 100
diff --git a/vmadm/stamina/workera.yaml b/vmadm/stamina/workera.yaml
deleted file mode 100644
index c49eee3..0000000
--- a/vmadm/stamina/workera.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-workera:
- base: ~/base-images/buster.qcow2
- cpus: 8
- memory_mib: 16384
- image_size_gib: 100
- autostart: true |
