-rw-r--r--.gitignore1
-rwxr-xr-xansible/all.sh25
-rw-r--r--ansible/ambient-dev.yml49
-rw-r--r--ansible/apt.liw.fi.html53
-rw-r--r--ansible/apt.liw.fi.yml43
-rw-r--r--ansible/aptrepo.yml44
-rw-r--r--ansible/atuin.liw.fi.yml18
-rw-r--r--ansible/authorized_keys/_ickwm0
-rw-r--r--ansible/authorized_keys/backups1
-rw-r--r--ansible/authorized_keys/distix1
-rw-r--r--ansible/authorized_keys/ickliwfi2
-rw-r--r--ansible/authorized_keys/liw1
-rw-r--r--ansible/authorized_keys/obbench3
-rw-r--r--ansible/authorized_keys/sshforward2
-rw-r--r--ansible/authorized_keys/yakking1
-rw-r--r--ansible/bigtoy.yml44
-rw-r--r--ansible/billion.yml8
-rw-r--r--ansible/contractor-dev.yml48
-rw-r--r--ansible/debian-ansible-dev.yml12
-rw-r--r--ansible/debian-mirror.yml114
-rw-r--r--ansible/exolobe1.yml261
-rw-r--r--ansible/exolobe2.yml9
-rw-r--r--ansible/files/mirror-list7
-rw-r--r--ansible/git.liw.fi.hz5
-rw-r--r--ansible/git.liw.fi.yml7
-rw-r--r--ansible/group_vars/all.yml34
-rw-r--r--ansible/handbrake.yml55
-rw-r--r--ansible/holywood2.yml14
-rw-r--r--ansible/hosts77
-rw-r--r--ansible/hosts.ci-prep0
-rw-r--r--ansible/hosts.ci-prod1
-rw-r--r--ansible/hosts.ci-prod-workers0
-rw-r--r--ansible/hosts.collectd0
-rw-r--r--ansible/hosts.demo0
-rw-r--r--ansible/hosts.demo-workers0
-rw-r--r--ansible/hosts.docstory-files0
-rw-r--r--ansible/hosts.git1
-rw-r--r--ansible/hosts.http1
-rw-r--r--ansible/hosts.irc1
-rw-r--r--ansible/hosts.letest0
-rw-r--r--ansible/hosts.mirror0
-rw-r--r--ansible/hosts.obnam0
-rw-r--r--ansible/hosts.shell1
-rw-r--r--ansible/hosts.subplot-dan0
-rw-r--r--ansible/http.liw.fi.hz5
-rw-r--r--ansible/http.liw.fi.yml194
-rw-r--r--ansible/ick2-dev.yml50
-rw-r--r--ansible/icktool.yml88
-rw-r--r--ansible/image-dist.yml113
-rw-r--r--ansible/irc.liw.fi.hz5
-rw-r--r--ansible/irc.liw.fi.yml12
-rw-r--r--ansible/kea.yml69
-rw-r--r--ansible/letest-letest.vm.liw.fi.hz5
-rw-r--r--ansible/maybe-someday/apt-dev.yml (renamed from ansible/apt-dev.yml)0
-rw-r--r--ansible/maybe-someday/clab-dev.yml (renamed from ansible/clab-dev.yml)1
-rw-r--r--ansible/maybe-someday/debian-mirror.yml (renamed from ansible/sequoia-web.yml)36
-rw-r--r--ansible/maybe-someday/debmirror.yml (renamed from ansible/debmirror.yml)2
-rw-r--r--ansible/maybe-someday/ewww-dev.yml (renamed from ansible/ewww-dev.yml)1
-rw-r--r--ansible/maybe-someday/ewww-test.yml (renamed from ansible/ewww-test.yml)0
-rw-r--r--ansible/maybe-someday/jt-dev.yml (renamed from ansible/jt-dev.yml)0
-rw-r--r--ansible/maybe-someday/letest-letest.vm.liw.fi.yml (renamed from ansible/letest-letest.vm.liw.fi.yml)0
-rw-r--r--ansible/maybe-someday/openpgp-ca-dev.yml (renamed from ansible/openpgp-ca-dev.yml)1
-rw-r--r--ansible/maybe-someday/openpgp-card-dev.yml (renamed from ansible/openpgp-card-dev.yml)3
-rw-r--r--ansible/maybe-someday/python-mess.yml (renamed from ansible/python-mess.yml)0
-rw-r--r--ansible/maybe-someday/roadmap-dev.yml (renamed from ansible/roadmap-dev.yml)1
-rw-r--r--ansible/maybe-someday/ssh-dev.yml (renamed from ansible/ssh-dev.yml)0
-rw-r--r--ansible/mirror-git.yml2
-rw-r--r--ansible/monorepo.liw.fi.yml64
-rw-r--r--ansible/obnam-bench.yml4
-rw-r--r--ansible/obnam-dev.yml22
-rw-r--r--ansible/qotom.yml18
-rw-r--r--ansible/radicle-dev.yml47
-rw-r--r--ansible/radicle-liw3.yaml195
-rw-r--r--ansible/radicle-multi.yml49
-rw-r--r--ansible/radicle-other-node.yml148
-rw-r--r--ansible/radicle-test.yml43
-rwxr-xr-xansible/radicle-verify83
-rw-r--r--ansible/radicle.liw.fi.yml116
-rw-r--r--ansible/riki-dev.yml (renamed from ansible/rikiwiki-dev.yml)24
-rw-r--r--ansible/roles/apt-repository/files/process-incoming13
-rw-r--r--ansible/roles/apt-repository/handlers/main.yml4
-rw-r--r--ansible/roles/apt-repository/tasks/main.yml133
-rw-r--r--ansible/roles/apt-repository/templates/000-default.conf18
-rw-r--r--ansible/roles/apt-repository/templates/distributions.j212
-rw-r--r--ansible/roles/apt-repository/templates/incoming.j25
-rw-r--r--ansible/roles/apt-repository/templates/uploaders.j21
-rw-r--r--ansible/roles/debian-mirror/files/mirror-debian2
-rw-r--r--ansible/roles/debian-mirror/tasks/main.yml11
-rw-r--r--ansible/roles/emacs/tasks/main.yml5
-rw-r--r--ansible/roles/gnome-system/tasks/main.yml16
-rw-r--r--ansible/roles/holywood2/files/exports2
-rw-r--r--ansible/roles/holywood2/tasks/main.yml19
-rw-r--r--ansible/roles/liw/tasks/main.yml15
-rw-r--r--ansible/roles/mail-client/files/aliases (renamed from ansible/roles/smarthost-client/files/aliases)0
-rw-r--r--ansible/roles/mail-client/tasks/main.yml50
-rw-r--r--ansible/roles/mail-client/templates/main.cf4
-rw-r--r--ansible/roles/mail-server/files/aliases2
-rw-r--r--ansible/roles/mail-server/files/virtual4
-rw-r--r--ansible/roles/mail-server/tasks/main.yml11
-rw-r--r--ansible/roles/riot-host/files/element-io-archive-keyring.gpgbin0 -> 2577 bytes
-rw-r--r--ansible/roles/riot-host/tasks/main.yml6
-rw-r--r--ansible/roles/rust-rustup/defaults/main.yml1
-rw-r--r--ansible/roles/rust-rustup/tasks/main.yml13
-rw-r--r--ansible/roles/smarthost-client/handlers/main.yml2
-rw-r--r--ansible/roles/smarthost-client/tasks/main.yml46
-rw-r--r--ansible/roles/smarthost-client/templates/main.cf46
-rw-r--r--ansible/roles/smarthost-client/templates/sasl_passwd1
-rw-r--r--ansible/roles/subplot-dev-env/tasks/main.yml1
-rw-r--r--ansible/rust-dev.yml21
-rw-r--r--ansible/seed.liw.fi.yml62
-rw-r--r--ansible/shell-shell.vm.liw.fi.hz5
-rw-r--r--ansible/shell-shell.vm.liw.fi.yml14
-rw-r--r--ansible/solace.yml299
-rw-r--r--ansible/sq-test.yml160
-rw-r--r--ansible/sshca-dev.yml10
-rwxr-xr-xansible/stamina-recreate-and-provision-all.sh8
-rwxr-xr-xansible/stamina-vm-check.sh10
-rwxr-xr-xansible/stamina-vms.sh29
-rw-r--r--ansible/stamina.yml91
-rw-r--r--ansible/subplot-dan.hz5
-rw-r--r--ansible/subplot-dan.yml38
-rw-r--r--ansible/subplot-dev.yml30
-rw-r--r--ansible/texlive.yml (renamed from ansible/sequoia-dev.yml)40
-rw-r--r--ansible/unpack-dsc.yml32
-rw-r--r--ansible/v-i-dev.yml22
-rw-r--r--ansible/vmadm-dev.yml19
-rw-r--r--ansible/vmdb2-dev.yml11
-rw-r--r--ansible/web.yml8
-rw-r--r--ansible/wumpus.liw.fi.yml52
-rw-r--r--ansible/x220-puomi.yml26
-rw-r--r--ansible/x220.yml55
-rw-r--r--base-image/Makefile2
-rw-r--r--base-image/base-image.yml1
-rw-r--r--base-image/bookworm-vm.vmdb51
-rwxr-xr-xbase-image/bullseye-vm.sh13
-rw-r--r--base-image/eth0.network5
-rw-r--r--v-i/exolobe1-spec.yaml16
-rwxr-xr-xv-i/hostid.py73
-rw-r--r--v-i/kea-spec.yaml10
-rw-r--r--v-i/qotom-spec.yaml17
-rw-r--r--v-i/solace-spec.yaml10
-rw-r--r--v-i/stamina-spec.yaml5
-rw-r--r--v-i/upliw-spec.yaml9
-rw-r--r--v-i/x220-puomi-spec.yaml8
-rw-r--r--v-i/x220-spec.yaml12
-rw-r--r--vmadm/exolobe2/debian-mirror.yaml3
-rw-r--r--vmadm/exolobe2/holywood2.yaml5
-rw-r--r--vmadm/exolobe2/image-dist.yaml5
-rw-r--r--vmadm/exolobe2/obnam-server.yaml5
-rw-r--r--vmadm/someday-maybe/apt-dev.yaml4
-rw-r--r--vmadm/someday-maybe/billion.yaml2
-rw-r--r--vmadm/someday-maybe/clab-dev.yaml (renamed from vmadm/stamina/clab-dev.yaml)0
-rw-r--r--vmadm/someday-maybe/debian-ansible-dev.yaml (renamed from vmadm/stamina/debian-ansible-dev.yaml)0
-rw-r--r--vmadm/someday-maybe/ewww-dev.yaml (renamed from vmadm/stamina/ewww-dev.yaml)0
-rw-r--r--vmadm/someday-maybe/ewww-test.yaml (renamed from vmadm/stamina/ewww-test.yaml)0
-rw-r--r--vmadm/someday-maybe/handbrake.yaml6
-rw-r--r--vmadm/someday-maybe/jt-dev.yaml (renamed from vmadm/stamina/jt-dev.yaml)0
-rw-r--r--vmadm/someday-maybe/obnam-bench.yaml (renamed from vmadm/stamina/obnam-bench.yaml)0
-rw-r--r--vmadm/someday-maybe/openpgp-ca-dev.yaml4
-rw-r--r--vmadm/someday-maybe/openpgp-card-dev.yaml4
-rw-r--r--vmadm/someday-maybe/python-mess.yaml (renamed from vmadm/stamina/python-mess.yaml)0
-rw-r--r--vmadm/someday-maybe/radicle-liw3.yaml4
-rw-r--r--vmadm/someday-maybe/radicle-test.yaml4
-rw-r--r--vmadm/someday-maybe/riki-dev.yaml4
-rw-r--r--vmadm/someday-maybe/roadmap-dev.yaml4
-rw-r--r--vmadm/someday-maybe/ssh-dev.yaml2
-rw-r--r--vmadm/someday-maybe/sshca-dev.yaml (renamed from vmadm/stamina/sshca-dev.yaml)0
-rw-r--r--vmadm/someday-maybe/texlive.yaml5
-rw-r--r--vmadm/someday-maybe/unpack-dsc.yaml5
-rw-r--r--vmadm/someday-maybe/vmadm-dev.yaml (renamed from vmadm/stamina/roadmap-dev.yaml)2
-rw-r--r--vmadm/someday-maybe/vmdb2-dev-sid.yaml4
-rw-r--r--vmadm/stamina/ambient-dev.yaml (renamed from vmadm/stamina/sequoia-web.yaml)2
-rw-r--r--vmadm/stamina/icktool.yaml6
-rw-r--r--vmadm/stamina/obnam-dev.yaml4
-rw-r--r--vmadm/stamina/openpgp-ca-dev.yaml4
-rw-r--r--vmadm/stamina/openpgp-card-dev.yaml4
-rw-r--r--vmadm/stamina/radicle-dev.yaml4
-rw-r--r--vmadm/stamina/radicle-multi.yaml4
-rw-r--r--vmadm/stamina/radicle-other-node.yaml4
-rw-r--r--vmadm/stamina/rikiwiki-dev.yaml4
-rw-r--r--vmadm/stamina/rust-dev.yaml4
-rw-r--r--vmadm/stamina/sequoia-dev.yaml4
-rw-r--r--vmadm/stamina/subplot-dev.yaml4
-rw-r--r--vmadm/stamina/vmadm-dev.yaml4
-rw-r--r--vmadm/stamina/workera.yaml6
185 files changed, 2610 insertions, 1587 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..824fe39
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.gitsigners
diff --git a/ansible/all.sh b/ansible/all.sh
index f2b9010..eff3a72 100755
--- a/ansible/all.sh
+++ b/ansible/all.sh
@@ -13,17 +13,7 @@ online() {
maybe_run_playbook() {
if newer "$1.yml" "$1.stamp" && online "$1"; then
echo "$1"
- chronic ./run-playbook "$1.yml"
- touch "$1.stamp"
- else
- echo "SKIPPING $1"
- fi
-}
-
-maybe_run_ansible() {
- if newer "$1.yml" "$1.stamp" && online "$1"; then
- echo "$1"
- chronic run-ansible "$1.hz" "hosts.$2" "$1.yml"
+ ./run-playbook "$1.yml"
touch "$1.stamp"
else
echo "SKIPPING $1"
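Review bot: On the new side `./run-playbook "$1.yml"` is followed unconditionally by `touch "$1.stamp"`, so a playbook that fails is still stamped and reported as `SKIPPING` on every later run until the `.yml` changes; unless the script enables `set -e` above this hunk (not visible here), chain the two: `./run-playbook "$1.yml" && touch "$1.stamp"`. Dropping `chronic` also means full playbook output is now printed on every successful run, which is presumably intended since otherwise a failure's output would be lost. The closing brace of `maybe_run_playbook` lies below this hunk.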
@@ -35,11 +25,12 @@ maybe_run_playbook exolobe1
maybe_run_playbook exolobe2
maybe_run_playbook stamina
maybe_run_playbook holywood2
-maybe_run_playbook web
maybe_run_playbook atuin.liw.fi
maybe_run_playbook mirror-git
-
-maybe_run_ansible git.liw.fi git
-maybe_run_ansible http.liw.fi http
-maybe_run_ansible irc.liw.fi irc
-maybe_run_ansible shell-shell.vm.liw.fi shell
+maybe_run_playbook git.liw.fi
+maybe_run_playbook apt.liw.fi
+maybe_run_playbook http.liw.fi
+maybe_run_playbook irc.liw.fi
+maybe_run_playbook shell-shell.vm.liw.fi
+maybe_run_playbook qotom
+maybe_run_playbook radicle.liw.fi
diff --git a/ansible/ambient-dev.yml b/ansible/ambient-dev.yml
new file mode 100644
index 0000000..15e8c6c
--- /dev/null
+++ b/ansible/ambient-dev.yml
@@ -0,0 +1,49 @@
+- hosts: ambient-dev
+ remote_user: debian
+ become: yes
+ roles:
+ - role: sane_debian_system
+ - role: sshd
+ - role: comfortable-debian-system
+ - role: unix_users
+ - role: liw
+ - role: rust-rustup
+ tasks:
+ - apt:
+ name:
+ - build-essential
+ - dosfstools
+ - debhelper
+ - dh-python
+ - qemu-system-x86
+ - qemu-utils
+ - python3-all-dev
+ - subplot
+ - vmdb2
+ - zerofree
+ - file:
+ state: directory
+ path: /root/.cache/ambient
+ vars:
+ ansible_python_interpreter: python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
+
+ timezone: Europe/Helsinki
+
+ unix_users_version: 2
+ unix_users:
+ - username: liw
+ comment: Lars Wirzenius
+ groups:
+ - kvm
+ sudo: yes
+
+ sane_debian_system_sources_lists:
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
+
+ sshd_version: 1
+
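Review bot: The play uses YAML 1.1 truthy spellings (`become: yes`, `sudo: yes`) that yamllint's `truthy` rule flags; Ansible accepts them, but `become: true` / `sudo: true` is the portable form and would match the rest of the new playbooks if applied consistently. `/root/.cache/ambient` is created with no explicit `mode`, so its permissions depend on root's umask at run time; if the cache is meant to be private to root, add `mode: "0700"`. Whether the `liw` user needs `kvm` membership for ambient is not visible from this hunk, so a one-line comment on the `groups:` entry would help.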
diff --git a/ansible/apt.liw.fi.html b/ansible/apt.liw.fi.html
new file mode 100644
index 0000000..414b438
--- /dev/null
+++ b/ansible/apt.liw.fi.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+ <meta charset="utf-8" />
+ <title>apt.liw.fi</title>
+ <meta name="viewport" content="width=device-width, initial-scale=1" />
+</head>
+<body lang=en>
+ <article>
+ <h1>apt.liw.fi</h1>
+
+ <p>This is the personal APT repository
+ of <a href="https://liw.fi">Lars Wirzenius</a>. It contains free
+ and open source software packaged for
+ the <a href="https://debian.org">Debian</a> operating system
+ as <code>.deb</code> packages.
+ </p>
+
+ <p>Repository signing keys are in
+ the <code>apt.liw.fi-keyring</code> package, in this repository.
+ Those keys in turn are signed by my personal key with
+ fingerprint <code>EA0B 7399 ECCF 9282 A74E F8F8 31DA 8032 081D
+ 901D</code>. You can get my key via WKD (using email address
+ <code>liw@liw.fi</code>), from various key servers, or from
+ my <a href="https://liw.fi/pgp">home page</a>.
+ </p>
+
+ <p>To add this repository to your APT sources lists, first install
+ the keyring package: download the latest package
+ from <a href="debian/pool/main/a/apt.liw.fi-keyring/">debian/pool/main/a/apt.liw.fi-keyring/</a>,
+ then install the downloaded file:</p>
+
+ <blockquote>
+ <code>sudo apt install ./apt.liw.fi-keyring_(something).deb</code>
+ </blockquote>
+
+ <p>Then create a file
+ <code>/etc/apt/sources.list.d/apt.liw.fi.list</code> with the
+ contents (or any other filename that ends in <code>.list</code>):
+ </p>
+
+ <blockquote>
+<code>deb [signed-by=/usr/share/keyrings/apt.liw.fi-keyring.pgp] http://apt.liw.fi/debian unstable main</code>
+ </blockquote>
+
+ <p>This means the keyring package is only ever used for this
+ repository. After you've installed the keyring package, you'll get
+ any new keys for this repository automatically, as long as you
+ update it at least once a year.</p>
+
+ </article>
+</body>
+</html>
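Review bot: The procedure bootstraps trust by fetching `apt.liw.fi-keyring_(something).deb` over plain `http://` and installing it with `sudo apt install ./…deb`, which performs no signature check, so the personal-key fingerprint quoted above is never actually exercised by a reader following these steps. Publish the repository signing key's fingerprint on this page and add a step such as `gpg --show-keys /usr/share/keyrings/apt.liw.fi-keyring.pgp` to compare against it after installing the package, or serve the page and the pool over HTTPS so the download at least cannot be altered in transit. The closing sentence about updating "at least once a year" presumably refers to key expiry or rotation; say so explicitly so readers know what breaks if they do not.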
diff --git a/ansible/apt.liw.fi.yml b/ansible/apt.liw.fi.yml
new file mode 100644
index 0000000..c69c63b
--- /dev/null
+++ b/ansible/apt.liw.fi.yml
@@ -0,0 +1,43 @@
+- hosts: apt.liw.fi
+ remote_user: root
+ roles:
+ - role: sane_debian_system
+ - role: sshd
+ - role: unix_users
+ - role: apt-repository
+ vars:
+ ansible_python_interpreter: python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
+
+ timezone: Europe/Helsinki
+
+ unix_users_version: 2
+ unix_users:
+ - username: apt
+ comment: Owner of APT repository
+ - username: incoming
+ comment: APT incoming packages
+ authorized_keys: |
+ {{ apt_uploader_ssh_pub_keys }}
+ - username: liw
+ comment: Lars Wirzenius
+ sudo: yes
+
+ sshd_version: 1
+
+ apt_uploader_ssh_pub_keys: |
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP
+ apt_admin_email: liw@liw.fi
+ apt_domain: apt.liw.fi
+ apt_distributions:
+ - codename: unstable
+ description: builds for unstable
+ apt_signing_key: "{{ lookup('pipe', 'pass show ick2/apt_key') }}"
+ apt_signing_key_pub: "{{ lookup('pipe', 'pass show apt.liw.fi-signing-key') }}"
+ apt_signing_key_fingerprint: |
+ {{ lookup('pipe', 'pass show apt.liw.fi-signing-key | gpg --show-keys --with-colons | grep "^fpr:" | head -n1 | cut -d: -f10') }}
+ apt_index_content: |
+ {{ lookup('file', 'apt.liw.fi.html') }}
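Review bot: The `incoming` user's `authorized_keys` is the raw `apt_uploader_ssh_pub_keys` value, so the uploader key gets an unrestricted login shell on the repository host rather than only the ability to drop packages; prefix the key line with options such as `restrict,command="<upload helper>"` so a leaked uploader key cannot do more than upload. Separately, `apt_signing_key` is read from `pass show ick2/apt_key` while `apt_signing_key_pub` and the fingerprint come from `pass show apt.liw.fi-signing-key`; if those two pass entries are not the same key pair, clients will install a public key that does not verify the Release signatures, so a comment confirming they match (or a single entry for both) is warranted. The `pipe` lookup also pulls the private key into Ansible vars, so any task in the apt-repository role that writes it should set `no_log: true` (the role's tasks are not in this hunk).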
diff --git a/ansible/aptrepo.yml b/ansible/aptrepo.yml
new file mode 100644
index 0000000..c671752
--- /dev/null
+++ b/ansible/aptrepo.yml
@@ -0,0 +1,44 @@
+- hosts: aptrepo
+ remote_user: debian
+ become: yes
+ roles:
+ - role: sane_debian_system
+ - role: sshd
+ - role: unix_users
+ - role: apt-repository
+ vars:
+ ansible_python_interpreter: python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
+
+ timezone: Europe/Helsinki
+
+ unix_users_version: 2
+ unix_users:
+ - username: apt
+ comment: Owner of APT repository
+ - username: incoming
+ comment: APT incoming packages
+ authorized_keys: |
+ {{ apt_uploader_ssh_pub_keys }}
+ - username: liw
+ comment: Lars Wirzenius
+ sudo: yes
+
+ sshd_version: 1
+
+ apt_uploader_ssh_pub_keys: |
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP
+ apt_admin_email: liw@liw.fi
+ apt_domain: aptrepo
+ apt_distributions:
+ - codename: unstable
+ description: Release packages for unstable
+ - codename: unstable-ci
+ description: CI builds for unstable
+ apt_signing_key: "{{ lookup('pipe', 'pass show ick2/apt_key') }}"
+ apt_signing_key_pub: "{{ lookup('pipe', 'pass show ick2/apt_key.pub') }}"
+ apt_signing_key_fingerprint: |
+ {{ lookup('pipe', 'pass show ick2/apt_key.pub | gpg --show-keys --with-colons | grep "^fpr:" | cut -d: -f10') }}
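Review bot: `grep "^fpr:"` in `apt_signing_key_fingerprint` has no `head -n1`, so for a key with subkeys (gpg ≥ 2.1 lists subkey fingerprints with `--with-colons`) the value becomes several fingerprints joined by newlines, and the `|` block scalar keeps a trailing newline on top of that. Use `... | grep "^fpr:" | head -n1 | cut -d: -f10` under a `|-` scalar so the variable is exactly one fingerprint. The `incoming` user's authorized key also carries no `restrict`/`command=` options, so it grants a full shell rather than upload-only access; consider restricting it.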
diff --git a/ansible/atuin.liw.fi.yml b/ansible/atuin.liw.fi.yml
index 46c78e8..8987e5b 100644
--- a/ansible/atuin.liw.fi.yml
+++ b/ansible/atuin.liw.fi.yml
@@ -10,7 +10,7 @@
- comfortable-debian-system
- unix_users
- storage_system
- - smarthost-client
+ - mail-client
- vmhost-minimal
tasks:
- name: "install additional packages"
@@ -77,9 +77,13 @@
ferm_iface_ext: "{{ bridge_nic }}"
+ # We must define the sshd variables here. The defaults from the
+ # "all" group assume sshca knows the host by the
+ # sane_debian_system_hostname name, which isn't true for this
+ # host.
sshd_version: 1
sshd_host_key: "{{ lookup('pipe', 'sshca host private-key atuin.liw.fi') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v5 atuin.liw.fi') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 atuin.liw.fi') }}"
sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"
- hosts: nalanda
@@ -100,14 +104,14 @@
group: root
mode: 0644
roles:
- - sshd
+# - sshd
- role: ferm-firewalled
tags: [ferm]
- sane_debian_system
- self-updating-system
- comfortable-debian-system
- unix_users
- - smarthost-client
+ - mail-client
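Review bot: Commenting out `- sshd` for the nalanda play gives no reason, while the same play still defines `sshd_version`, `sshd_host_key` and `sshd_host_cert` further down in this file, which are now dead configuration; either remove those vars or annotate the commented line, e.g. `# sshd role disabled: <reason, and until when>`. A host whose sshd role stops running keeps whatever config it last received, including the host certificate's validity period, so if this is temporary the note should say what restores it.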
tasks:
- name: "install additional packages"
apt:
@@ -207,9 +211,13 @@
smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
relayhost: pieni.net:587
+ # We must define the sshd variables here. The defaults from the
+ # "all" group assume sshca knows the host by the
+ # sane_debian_system_hostname name, which isn't true for this
+ # host.
sshd_version: 1
sshd_host_key: "{{ lookup('pipe', 'sshca host private-key nalanda.liw.fi') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v5 nalanda.liw.fi') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 nalanda.liw.fi') }}"
sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"
# - hosts: gregvm
diff --git a/ansible/authorized_keys/_ickwm b/ansible/authorized_keys/_ickwm
deleted file mode 100644
index e69de29..0000000
--- a/ansible/authorized_keys/_ickwm
+++ /dev/null
diff --git a/ansible/authorized_keys/backups b/ansible/authorized_keys/backups
deleted file mode 100644
index 5b6719a..0000000
--- a/ansible/authorized_keys/backups
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa 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 openpgp:0xBBE80E50
diff --git a/ansible/authorized_keys/distix b/ansible/authorized_keys/distix
deleted file mode 100644
index 5b6719a..0000000
--- a/ansible/authorized_keys/distix
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDAlECa3tbFGXhB3Zh/4/GhM11THOThVfiuLqqJ2dpWHEClzpKJHpzzwWt7g9z/MMQNMsUJLy+okz+De6hdjjmYJ9kG9Sr3H4YKq6itGQMj7L/cH3WS3ynp0uy0oW3hf932vDZKQ8iy9vczXH+ERYl+4TYae1Jp4Hyf4/2IYxEfuhKctvSvqySST3Qk9JNZ71HFGOWhjH/MmoCLoT1v+HkqmHdYf/GMKGRo3gqCEGgCgNErYYIyKm3OF3dHXK+hyGLE/cZNu6fU5woW3rvtUCFt08Ri2pm0cnXXJn9jQIMxfS5Kkf64svwgzKmPqgX1f4flopYPlsBXduCgzbJvj+lpgauAk/i1A5B01CFa9sI4C6pHZmwk1qxRwN+4IXL2CQt+tDgYC84ZDDd8R7cNyL22a3KhMQmdHtvog1beAa3Ab+J+cafkXXN+Es9f1wQjzk7DiHupmJIVofBvPP+cRcB46rwha6ati8Fa5QkT9rXFNqQsKk7jq8TIi54Bm15OOa0jInGG3TM17b9Ftu2WTJSAaqgBnDfZiInK7HEvC6K/IBljrN3oGagmFZPrAvzw7d6C2/nKFAQtfoMcE5oWVDrJyjsmJ8oaru0E8rwj7mMvyKPgEMnXTGXLWDgEo50+i291m4bkCxVwiOPbPRvdMll1Y8qfBAPT76sY4Ikgcw/2iw== openpgp:0xBBE80E50
diff --git a/ansible/authorized_keys/ickliwfi b/ansible/authorized_keys/ickliwfi
deleted file mode 100644
index d2fb365..0000000
--- a/ansible/authorized_keys/ickliwfi
+++ /dev/null
@@ -1,2 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWvVYqyPen0CFhfx9dzzCKNbQ7fUpbCRdlQ/PI4sAv5R+gjUYjZJ3HQQhdkEx6mwY+fGYgGIAY9xiTi+BzXSPPtuWUypB2/ee+Dh5Uqica1TCj/3txmFGE7qwD+AqoJYbDAD1x17AaCIEDgHv2wOQ2o8GlOKTK9mGgvZWTUgIUF7PObotg8/M6TV4NO3of7ZSJ0yqumU/GLaJ8UkvYVQ3Gj0w8tbX6xiJKcOnMyM+P+JIFRKKi/SzjymVfAie9OAlIcDEYTeT6dtqWYB6hT0/40D0ZcxOfIg07/m4A956hH9AzRKuz01w2phP2zQyHRUSOCWa5EWF/H9snxpeE5Ein liw@exolobe3
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDAlECa3tbFGXhB3Zh/4/GhM11THOThVfiuLqqJ2dpWHEClzpKJHpzzwWt7g9z/MMQNMsUJLy+okz+De6hdjjmYJ9kG9Sr3H4YKq6itGQMj7L/cH3WS3ynp0uy0oW3hf932vDZKQ8iy9vczXH+ERYl+4TYae1Jp4Hyf4/2IYxEfuhKctvSvqySST3Qk9JNZ71HFGOWhjH/MmoCLoT1v+HkqmHdYf/GMKGRo3gqCEGgCgNErYYIyKm3OF3dHXK+hyGLE/cZNu6fU5woW3rvtUCFt08Ri2pm0cnXXJn9jQIMxfS5Kkf64svwgzKmPqgX1f4flopYPlsBXduCgzbJvj+lpgauAk/i1A5B01CFa9sI4C6pHZmwk1qxRwN+4IXL2CQt+tDgYC84ZDDd8R7cNyL22a3KhMQmdHtvog1beAa3Ab+J+cafkXXN+Es9f1wQjzk7DiHupmJIVofBvPP+cRcB46rwha6ati8Fa5QkT9rXFNqQsKk7jq8TIi54Bm15OOa0jInGG3TM17b9Ftu2WTJSAaqgBnDfZiInK7HEvC6K/IBljrN3oGagmFZPrAvzw7d6C2/nKFAQtfoMcE5oWVDrJyjsmJ8oaru0E8rwj7mMvyKPgEMnXTGXLWDgEo50+i291m4bkCxVwiOPbPRvdMll1Y8qfBAPT76sY4Ikgcw/2iw== openpgp:0xBBE80E50
diff --git a/ansible/authorized_keys/liw b/ansible/authorized_keys/liw
deleted file mode 100644
index 5b6719a..0000000
--- a/ansible/authorized_keys/liw
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa 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 openpgp:0xBBE80E50
diff --git a/ansible/authorized_keys/obbench b/ansible/authorized_keys/obbench
deleted file mode 100644
index 327e9e7..0000000
--- a/ansible/authorized_keys/obbench
+++ /dev/null
@@ -1,3 +0,0 @@
-ssh-rsa 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 openpgp:0xBBE80E50
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4YSJQK7HFM7J9+mNpTzqu5TDnR0PlofNdi1oWz0VShpJkaNxS+REp0lYxlMiC3Ytp+/+xPsgxGgfHUwmYYFTsOccaKivjDpfqUg1RK4NeenpdXArX9ZctmBRciP58jndjVJ54UO9QL6smkx7LcbMFSI+FEhaCCxVBHaD7OMeEtjvCnhzFUAHYS/uUH5dTzoT63v6Oo4IYfTM8SlGYjtepcm9xy3gPXDcIxWxhxqT01lrzgUM9l4+DzHfrenJy9NSZSoYRzVqMPam3x/35K5O6HNJKN0uf80Aos/33bdxdqIAsKEQe0+xi7kEfwgMN5NSWAvBj9utzij7A+weuQOxb liw@obbench2
-
diff --git a/ansible/authorized_keys/sshforward b/ansible/authorized_keys/sshforward
deleted file mode 100644
index fc38b16..0000000
--- a/ansible/authorized_keys/sshforward
+++ /dev/null
@@ -1,2 +0,0 @@
-ssh-rsa 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 openpgp:0xBBE80E50
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQ1CbVnqhFatB0aDrss1JE6arIDiYxAHl2iyVfrrtMF6Y7vMRWt2ETK8kNJrGzTuQZEGInk/PsnIdeaL0pz6cZrZnDf/Pqpmwit3idhvPHaLAtpc/XM/UOeC1lheawtDtKbmACguwnT0MtuIfy/ELQlaE+AOw1qBwsmwrc6pBTjB+5cPWbgGE+jNGvmi0QhaH3VkMduVX0xkHVxPkYoPMI3lSlalNp2RDwzkHiSua+RFE7GWDLGnZGYL0fRXNkR1mwroOSTdLdkckSU8P+L7v3TiQPpZJBBvzz70jP8hIs/8ty+AC5DNhz0SIewmYbBrJX3yaM+UvYr1TvWig0d/3R liw@exolobe1
diff --git a/ansible/authorized_keys/yakking b/ansible/authorized_keys/yakking
deleted file mode 100644
index 5b6719a..0000000
--- a/ansible/authorized_keys/yakking
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa 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 openpgp:0xBBE80E50
diff --git a/ansible/bigtoy.yml b/ansible/bigtoy.yml
new file mode 100644
index 0000000..765aefc
--- /dev/null
+++ b/ansible/bigtoy.yml
@@ -0,0 +1,44 @@
+- hosts: bigtoy
+ remote_user: debian
+ become: yes
+ roles:
+ - role: sane_debian_system
+ tags: [sane]
+ - role: sshd
+ tags: [sshd]
+ - role: comfortable-debian-system
+ tags: [comfy]
+ - role: unix_users
+ tags: [users]
+ - role: emacs
+ - role: liw
+ tasks:
+ - apt:
+ name:
+ - build-essential
+ - debian-keyring
+ - debmirror
+ - git
+ - moreutils
+ - python3
+ vars:
+ ansible_python_interpreter: python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bullseye
+
+ timezone: Europe/Helsinki
+
+ unix_users_version: 2
+ unix_users:
+ - username: liw
+ comment: Lars Wirzenius
+ sudo: yes
+
+ sane_debian_system_sources_lists:
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
+
+ sshd_version: 1
+ sshd_allow_authorized_keys: yes
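Review bot: `sshd_allow_authorized_keys: yes` permits key-based logins outside the SSH CA that the other plays in this diff appear to rely on (inferred from their `sshca` lookups), and nothing in the play says which keys or why; add a one-line comment such as `# authorized_keys needed because bigtoy is not enrolled in sshca`. `sane_debian_system_codename: bullseye` makes this the only new play in the commit on bullseye rather than bookworm; if that is deliberate, note it too. `yes` also trips yamllint's `truthy` rule; `true` is the portable spelling.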
diff --git a/ansible/billion.yml b/ansible/billion.yml
index 841ad45..b1a8213 100644
--- a/ansible/billion.yml
+++ b/ansible/billion.yml
@@ -3,19 +3,17 @@
become: yes
roles:
- sane_debian_system
- - role: sshd
- tags: [sshd]
+ - sshd
- comfortable-debian-system
- unix_users
- - self-updating-system
tasks:
- apt:
name:
- btrfs-progs
vars:
sane_debian_system_version: 2
- sane_debian_system_hostname: billion
- sane_debian_system_codename: bullseye
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
unix_users_version: 2
unix_users:
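Review bot: The `self-updating-system` role is dropped from billion with no explanation in the hunk, so if that role is what kept the host patched (inferred from its name), billion now stops receiving unattended updates at the same time it moves to bookworm; either keep the role or add `# self-updating-system removed: <reason>` next to the role list. The `sshd` entry also lost its `tags: [sshd]`, so `--tags sshd` runs no longer reach this host's sshd role, which is fine only if that workflow is unused.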
diff --git a/ansible/contractor-dev.yml b/ansible/contractor-dev.yml
deleted file mode 100644
index 0ef3722..0000000
--- a/ansible/contractor-dev.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-- hosts: contractor-dev
- remote_user: root
- roles:
- - role: sane_debian_system
- tags: [sane]
- - comfortable-debian-system
- - unix_users
- - version-controller
- - vmhost
- tasks:
- - user:
- name: liw
- groups:
- - kvm
- - libvirt
- - apt:
- name:
- - black
- - vmdb2
- - subplot
- - shell: |
- virsh net-autostart default
- virsh net-start default || true
- - user:
- name: liw
- groups: [liw, kvm]
- - copy:
- content: |
- {{ liw_personal_ssh_pub }}
- dest: /home/liw/.ssh/liw-openpgp.pub
- owner: liw
- group: liw
- mode: 0600
-
- vars:
- sane_debian_system_version: 2
- sane_debian_system_hostname: contractor-dev
- sane_debian_system_codename: buster
-
- unix_users_version: 2
- unix_users:
- - username: liw
- comment: Lars Wirzenius
- sudo: yes
-
- sources_lists:
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
diff --git a/ansible/debian-ansible-dev.yml b/ansible/debian-ansible-dev.yml
index b8f2300..58d2bda 100644
--- a/ansible/debian-ansible-dev.yml
+++ b/ansible/debian-ansible-dev.yml
@@ -40,8 +40,8 @@
owner: liw
group: liw
- copy:
- src: /home/liw/tmp/base-images/debian-10-openstack-amd64.qcow2
- dest: /home/liw/tmp/debian-10-openstack-amd64.qcow2
+ src: /home/liw/tmp/base-images/debian-11-generic-amd64.qcow2
+ dest: /home/liw/tmp/debian.qcow2
owner: liw
group: liw
mode: 0644
@@ -49,8 +49,8 @@
ansible_python_interpreter: python3
sane_debian_system_version: 2
- sane_debian_system_hostname: debian-ansible-dev
- sane_debian_system_codename: bullseye
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
timezone: Europe/Helsinki
@@ -61,8 +61,8 @@
sudo: yes
sane_debian_system_sources_lists:
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
sshd_version: 1
sshd_allow_authorized_keys: yes
diff --git a/ansible/debian-mirror.yml b/ansible/debian-mirror.yml
index 1b85a21..89a02c0 100644
--- a/ansible/debian-mirror.yml
+++ b/ansible/debian-mirror.yml
@@ -3,109 +3,29 @@
become: yes
roles:
- role: sane_debian_system
+ - role: sshd
+ - role: comfortable-debian-system
- role: unix_users
- - role: self-updating-system
+ - role: mail-client
- role: debian-mirror
- tasks:
- - name: "Install ewww"
- apt:
- name:
- - curl
- - ewww
- - locales-all
- - psmisc
- - rsync
- state: present
- - name: "Create /srv/http"
- file:
- state: directory
- path: /srv/http
- owner: debmirror
- group: debmirror
- mode: 0755
- - name: "Create ewww config directory"
- file:
- state: directory
- path: /etc/ewww
- - name: "Install ewww config"
- copy:
- content: |
- webroot: /srv/http
- listen: "0.0.0.0:443"
- tls_cert: /etc/ewww/tls.pem
- tls_key: /etc/ewww/tls.key
- dest: /etc/ewww/ewww.yaml
- - name: "Install TLS cert"
- copy:
- content: |
- -----BEGIN CERTIFICATE-----
- MIICrzCCAZcCFFusxXoXXAVCzpfNK5VlnS8vFnY/MA0GCSqGSIb3DQEBCwUAMBQx
- EjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0yMTA3MjIwNzMzNThaFw0yMjA3MjIwNzMz
- NThaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEP
- ADCCAQoCggEBALhfy48gwIslLt5nCDSaPZeg52TwlZ8gWotnoprcv3cgTllDD/t7
- uLwRrYFJl2AheaNRP+ZOgXYzuS+pOz7YCdLg6bc1d8Dto69gQy848GnTtHINgy3Z
- Ag0L5d2B8/PcpEagFe2z1cCDzxNxkhjWisb0Rm1AOJcNxQWvICw428wwWEr6SRiO
- FHTht5UG0oClK88cJSwBnzNSS9Q30q42JfUmua1Dd0PS3FOMibtzMB9aBATeR4uH
- pQ1qCGU197er0PVfxWYrm8LEyZFQHRviwiaLNMtMRQuOp2rDF3kV/aZuw+aUYqpk
- zz+H3g0lxU3vYp/NmSRvC7y4HFxr7xlu6DECAwEAATANBgkqhkiG9w0BAQsFAAOC
- AQEAgpZ0dd+W4v7P6uFZ3R4rbRrHUQEOlFFMUrkf6EyT9xeIk7XjO6+RYbVP6tWX
- h4T9sEIFypAtR/47JEhFKYzncPBygUQfzXH5hW0JgviMQ8nNQz6NUJ5vPpeI4Tob
- 7uipx46Lq6nF6h9DbMK/03M7ZeybEa+nknDtry5hKTVzi+xSkVQX1/xgOBY0hhUk
- xcLCULujN2Lp262aP9hIuI/vaXo5HOh+BavsSauVUsRjScz/8Lgn+q4qRajcgnRa
- WvK5nH/Ok4am5F9LDcwZOyUXrV+VB9CcbhnzinMuPwCdhPvMr+F7zQP9YXbOeOlP
- NdZiSNvGZAbEnmMnNCEYMO3wVA==
- -----END CERTIFICATE-----
- dest: /etc/ewww/tls.pem
- - name: "Install TLS key"
- copy:
- content: |
- -----BEGIN RSA PRIVATE KEY-----
- MIIEpAIBAAKCAQEAuF/LjyDAiyUu3mcINJo9l6DnZPCVnyBai2eimty/dyBOWUMP
- +3u4vBGtgUmXYCF5o1E/5k6BdjO5L6k7PtgJ0uDptzV3wO2jr2BDLzjwadO0cg2D
- LdkCDQvl3YHz89ykRqAV7bPVwIPPE3GSGNaKxvRGbUA4lw3FBa8gLDjbzDBYSvpJ
- GI4UdOG3lQbSgKUrzxwlLAGfM1JL1DfSrjYl9Sa5rUN3Q9LcU4yJu3MwH1oEBN5H
- i4elDWoIZTX3t6vQ9V/FZiubwsTJkVAdG+LCJos0y0xFC46nasMXeRX9pm7D5pRi
- qmTPP4feDSXFTe9in82ZJG8LvLgcXGvvGW7oMQIDAQABAoIBAQCTKyP441PNvahj
- ripGkreHSNBrKf7EPbcIf3iz1HCgThE7/uPLAT68IAA2qt9BxHarfjdbRl7gUvkG
- qja4OwncYdssemlUfluhqVz3XKPKVUo7n72N4yJX959L6GcpyHz4QuA+FMYSHSQ1
- iPntCZNMq79rhU+mgz85AkjUA66ulKzkFwYRL6oRJ+fxwYKTCcnRAUbUaihDXb5T
- AV4wDPMKLse70KL42SPTrQFzTqguDlXzPlKvqOEi2lZkNkiMr8wdN/xZlzLre89K
- EM/mczCnYnI17dkFrdF+9Wsr63o24H+vUQ3IWIDnVP+dgMXonvCz2Z8mawlb5tt7
- vuY4b9KBAoGBAOczO740Q/mDk2iQI4Kt+o1unRwz34AEge0hm7kVUb7g2iV9sqNU
- PovFjIvfCpWTmxVj6NQHyHbKDUfnnYzrpYHuMu2mL5E/1w+WqO1xPgoS287Xs/0I
- E6N/BozDW4kMgBID0U2qz0JBrDMDFlL/yoziec6kv8f8uvRlQKtSdVSFAoGBAMwm
- uDCShE4RcCr0PgAhiCSllJF03AVbLioTqdXwiHbIVvu5XvUClgOuI0eUDzU0Dsco
- eWVaMQYx2Gt26sPPE52duZQNZ8JOZVq8/eSoycxYBn+hxYsjWqR9VvAZ4UMQvQ9g
- T8La/NJTmzGVqpSD6XA176umCmgB/oeEaNZvchq9AoGAUfmbdDxJ4b1iVc/Nl3ci
- gGU49Zf65gQzISYqdbx2aIyHLIXeAgVLy/k2dR2XPiPA+BudoRhFXsETZmxcM2wW
- GfSgQB0Nfp25HkDYEqB1U9MN9tAKdGwZsn3Gj8Bwwy4Ydsq9uqEWrbJlYQz2LGWf
- psZiU/+cNEeK7j68aEJrcZUCgYAu7zvrVtP6CsJJ7csPRqZBHpwwcLhgtty/KbQj
- DmChRl/REYYGOCj7AZ70xtJUPfqjyOdX6MtajD0gP7+rcsEkvG0833QaVOGyYb7R
- Qgja5OXhk/SRj3g4VuSU4K5MN93vWgocVzJGvJfyZ2FHMaiKdqv6P3sm/EZjK4ra
- udZ21QKBgQDXmMP5sPHBtpHyXybIHk+nJICOtsKAJklXA1msgCk8OqDyPXX3qh8e
- 4vFU4tgRN1nBMmEG5ROTtING1dQ5+X3aqXOJIO+asE1FkQA1kUhFKg2OSo15liPI
- cB5//DSHki2Mh1iZxPfZnvFYpEOl9pmedSJ4tlltzKQSY//6kGJ49g==
- -----END RSA PRIVATE KEY-----
- dest: /etc/ewww/tls.key
- - name: "Enable and start ewww service"
- systemd:
- name: ewww
- state: restarted
- enabled: yes
- daemon_reload: yes
vars:
- ansible_python_interpreter: /usr/bin/python3
+ ansible_python_interpreter: python3
sane_debian_system_version: 2
- sane_debian_system_hostname: debian-mirror
- sane_debian_system_codename: bullseye
- sane_debian_system_mirror: deb.debian.org
- sane_debian_system_sources_lists:
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
+
+ timezone: Europe/Helsinki
unix_users_version: 2
unix_users:
- username: debmirror
- - username: liw
- comment: Lars Wirzenius
+ comment: Debian mirror
+
+ sshd_version: 1
+
+ mailname: "exolobe1.liw.fi"
+ relayhost: pieni.net:587
+ smarthost: pieni.net
+ smarthost_user: pienirelay
+ smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
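Review bot: The removed `tls.key` block was a private key committed in plain text, and deleting it here does not remove it from git history; although it belongs to a self-signed `CN=localhost` certificate, treat the pair as compromised, do not reuse it anywhere, and consider rewriting history if the repository is published. On the new side `mailname: "exolobe1.liw.fi"` names a different host than `inventory_hostname` for the debian-mirror play; if mail from the mirror is meant to appear as exolobe1, add a comment saying so, otherwise use the mirror's own name. `smarthost_password` comes from a `pipe` lookup, so tasks in the mail-client role that template it should use `no_log: true` (the role is not in this hunk).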
diff --git a/ansible/exolobe1.yml b/ansible/exolobe1.yml
index 427ad5d..7243064 100644
--- a/ansible/exolobe1.yml
+++ b/ansible/exolobe1.yml
@@ -2,40 +2,269 @@
remote_user: root
become: no
roles:
- - sane_debian_system
- - sshd
- - unix_users
- - gnome-system
+ - role: sane_debian_system
+ - role: self-updating-system
+ - role: sshd
+ - role: ssd
+ - role: comfortable-debian-system
- role: intel-wifi
- tags: wifi
+ - role: version-controller
+ - role: emacs
+ - role: gnupg-workstation
+ - role: gnome-system
+ - role: ansible
+ - role: vmhost
+ - role: mail-client
+ - role: annexed
+ - role: unix_users
+# - role: liw
+ - role: rust-rustup
+ - role: riot-host
+ - role: thinkpad
+
+ tasks:
+ # Remove ping to force it be reinstalled so that the right
+ # capabilities are set.
+ - apt:
+ name: iputils-ping
+ state: absent
+
+ - apt:
+ name:
+ - ambient-driver
+ - asciidoctor
+ - black
+ - btrfs-progs
+ - build-essential
+ - cachedir
+ - capnproto
+ - clab
+ - clang
+ - daemonize
+ - debhelper
+ - expect
+ - extrautils
+ - fio
+ - firmware-misc-nonfree
+ - fling
+ - gddrescue
+ - genisoimage
+ - gimp
+ - graphviz
+ - inkscape
+ - iputils-ping
+ - jq
+ - jt
+ - libclang-dev
+ - libdvd-pkg
+ - librsvg2-bin
+ - libsqlite3-dev
+ - libssl-dev
+ - libvirt-dev
+ - linux-perf
+ - liw-automation
+ - llvm
+ - lmodern
+ - nettle-dev
+ - nfs-common
+ - obnam
+ - obnam-benchmark
+ - openpgp-ca
+ - ovmf
+ - pandoc
+ - pandoc-filter-diagram
+ - pathdedup
+ - pavucontrol
+ - pkg-config
+ - plantuml
+ - printer-driver-ptouch
+ - python3
+ - python3-requests
+ - qemu-user-static
+ - radicle
+ - sequoia-chameleon-gnupg
+ - shellcheck
+ - sq-liw
+ - sqlite3
+ - sshca
+ - subplot
+ - summain
+ - texlive-fonts-recommended
+ - texlive-latex-base
+ - texlive-latex-extra
+ - texlive-latex-recommended
+ - texlive-plain-generic
+ - unicode
+ - usbutils
+ - uuid
+ - validns
+ - vlc
+ - vobcopy
+ - vmdb2
+ - xpdf
+ - zerofree
+
+
+ - name: install command line utilities
+ apt:
+ name:
+ - acpi
+ - ambient-run
+ - apt-file
+ - bc
+ - bind9-host
+ - cryptsetup
+ - curl
+ - debmirror
+ - dict
+ - dict-foldoc
+ - dict-gcide
+ - dict-jargon
+ - dict-vera
+ - dict-wn
+ - dictd
+ - dnsutils
+ - git-annex
+ - htop
+ - iftop
+ - ikiwiki
+ - info
+ - jt
+ - locales-all
+ - lshw
+ - lvm2
+ - mmv
+ - moreutils
+ - mosh
+ - mtr
+ - nethogs
+ - nmap
+ - num-utils
+ - oathtool
+ - parted-doc
+ - psmisc
+ - pv
+ - rsync
+ - screen
+ - strace
+ - time
+ - tmux
+ - units
+ - vim
+ - w3m
+ - whois
+ - yaml-mode
+ - zip
+ - yaml-mode
+ - zip
+ - zoxide
+
+ - name: configure dict
+ copy:
+ content: |
+ server localhost
+ dest: /etc/dictd/dict.conf
+
+ - lineinfile:
+ path: /etc/gdm3/daemon.conf
+ regexp: WaylandEnable=
+ line: "# WaylandEnable=false"
+
+ - lineinfile:
+ path: /etc/default/grub
+ regexp: GRUB_ENABLE_CRYPTODISK
+ line: "GRUB_ENABLE_CRYPTODISK=n"
+
+ - lineinfile:
+ path: /etc/environment
+ regexp: MOZ_ENABLE_WAYLAND
+ line: "MOZ_ENABLE_WAYLAND=1"
+
+ - shell: |
+ flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
+
+ - shell: |
+ env DEBIAN_FRONTEND=noninteractive dpkg-reconfigure libdvd-pkg
+
+ - name: "create liw/.radicle/keys"
+ file:
+ state: directory
+ path: /home/liw/.radicle/keys
+ owner: liw
+ group: liw
+ mode: 0755
+
+ - name: "install radicle private key"
+ copy:
+ content: "{{ radicle_key }}"
+ dest: /home/liw/.radicle/keys/radicle
+ owner: liw
+ group: liw
+ mode: 0600
+
+ - name: "install radicle public key"
+ copy:
+ content: "{{ radicle_pub }}"
+ dest: /home/liw/.radicle/keys/radicle.pub
+ owner: liw
+ group: liw
+ mode: 0644
+
vars:
ansible_python_interpreter: /usr/bin/python3
sane_debian_system_version: 2
sane_debian_system_hostname: "{{ inventory_hostname }}"
- sane_debian_system_codename: bullseye
+ sane_debian_system_codename: bookworm
sane_debian_system_timezone: Europe/Helsinki
sane_debian_system_sources_lists:
- repo: |
- deb http://deb.debian.org/debian bullseye contrib non-free
+ deb http://deb.debian.org/debian bookworm contrib non-free non-free-firmware
+
+ - repo: |
+ deb-src http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
+
+ - repo: |
+ deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
- repo: |
- deb http://security.debian.org/debian-security bullseye-security main contrib non-free
+ deb http://deb.debian.org/debian bookworm-backports main contrib non-free non-free-firmware
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
unix_users_version: 2
unix_users:
- username: liw
comment: Lars Wirzenius
- authorized_keys: |
- {{ liw_personal_ssh_pub }}
+ sudo: yes
+ groups:
+ - audio
+ - bluetooth
+ - cdrom
+ - dialout
+ - dip
+ - floppy
+ - libvirt
+ - kvm
+ - netdev
+ - plugdev
+ - scanner
+ - video
+
+ mailname: "exolobe1.liw.fi"
+ relayhost: pieni.net:587
+ smarthost: pieni.net
+ smarthost_user: pienirelay
+ smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
sshd_version: 1
- sshd_host_key: "{{ lookup('pipe', 'sshca host private-key exolobe1') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 exolobe1') }}"
- sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"
rustup_cargo_install: |
- starship
+ starship \
+ cargo-cache \
+ pikchr-cli \
+ bottom
+
+ radicle_key: "{{ lookup('pipe', 'pass radicle/liw/key') }}"
+ radicle_pub: "{{ lookup('pipe', 'pass radicle/liw/key.pub') }}"
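Review bot: The "install radicle private key" task copies `{{ radicle_key }}` without `no_log`, so the key material can be echoed in verbose or `--diff` output of a run; add `no_log: true` to that task (the public-key copy does not need it). The "install command line utilities" list repeats `yaml-mode` and `zip` (both appear twice at its end) and `jt` is already in the first apt list; apt tolerates this but it is noise. The `liw` user entry no longer carries `authorized_keys: {{ liw_personal_ssh_pub }}`; if the unix_users role manages that file, this change drops key-based login rather than only adding sudo and groups, so worth confirming it is intended.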
diff --git a/ansible/exolobe2.yml b/ansible/exolobe2.yml
index 7d69877..70c4cec 100644
--- a/ansible/exolobe2.yml
+++ b/ansible/exolobe2.yml
@@ -11,7 +11,7 @@
- emacs
- vmhost
- storage_system
- - smarthost-client
+ - mail-client
vars:
ansible_python_interpreter: /usr/bin/python3
@@ -25,8 +25,8 @@
- repo: |
deb http://deb.debian.org/debian bullseye contrib non-free
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
unix_users_version: 2
unix_users:
@@ -50,6 +50,3 @@
smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
sshd_version: 1
- sshd_host_key: "{{ lookup('pipe', 'sshca host private-key exolobe2') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 exolobe2') }}"
- sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"
diff --git a/ansible/files/mirror-list b/ansible/files/mirror-list
index 2e6dab8..61866c6 100644
--- a/ansible/files/mirror-list
+++ b/ansible/files/mirror-list
@@ -1,10 +1,7 @@
larswirzenius/bumper bumper-rs
larswirzenius/clab clab
-larswirzenius/contractor2 contractor2
larswirzenius/ewww ewww
larswirzenius/pandoc-filter-diagram pandoc-filter-diagram
-larswirzenius/gtdfh gtdfh.liw.fi
-larswirzenius/ideas ideas
larswirzenius/jt jt2
larswirzenius/puomi puomi
larswirzenius/sshca sshca
@@ -14,7 +11,6 @@ larswirzenius/vmadm vmadm
larswirzenius/vmadm-web vmadm.liw.fi
larswirzenius/vmdb2 vmdb2
larswirzenius/vmdb2-web vmdb2.liw.fi
-larswirzenius/yuck yuck
obnam/obnam obnam2
obnam/obnam-benchmark obnam-benchmark
obnam/obnam-benchmark-results obnam-benchmark-results
@@ -23,6 +19,3 @@ obnam/obnam.org obnam.org
obnam/cachedir cachedir-rs
subplot/subplot subplot
subplot/subplot-web subplot.liw.fi
-sequoia-pgp/sequoia sequoia
-sequoia-pgp/sequoia-chameleon-gnupg sequoia-chameleon-gnupg
-openpgp-ca/openpgp-ca openpgp-ca
diff --git a/ansible/git.liw.fi.hz b/ansible/git.liw.fi.hz
deleted file mode 100644
index e10d6af..0000000
--- a/ansible/git.liw.fi.hz
+++ /dev/null
@@ -1,5 +0,0 @@
-defaults:
- type: cx11
- image: debian-10
-hosts:
- - name: git
diff --git a/ansible/git.liw.fi.yml b/ansible/git.liw.fi.yml
index 94721cb..a71d8ed 100644
--- a/ansible/git.liw.fi.yml
+++ b/ansible/git.liw.fi.yml
@@ -1,8 +1,9 @@
-- hosts: git
+- hosts: git.liw.fi
remote_user: root
roles:
- - role: sane_debian_system
- tags: [sane]
+# sane_debian_system doesn't work on buster, because it needs systemd
+# - role: sane_debian_system
+# tags: [sane]
- role: comfortable-debian-system
- role: unix_users
- role: apache_server
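Review bot: The new comment says sane_debian_system is disabled because this host is on buster, but not what unblocks it, so the disabled role has no exit condition; since buster is past Debian LTS support (June 2024), if this commit postdates that the host is also no longer receiving security updates. Suggest `# sane_debian_system needs systemd and does not work on buster; re-enable after upgrading git.liw.fi to bullseye or later.` The play's remaining roles continue outside the hunk.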
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 0211717..9ed50fb 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -30,6 +30,36 @@ root_at_holywood2_ssh_key_pub_v2: |
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwMKd1WOfe1815VB+Mny4B0M8Yk9Koj5xVR5yBA1yHt6HWD/q8yBRpezeADYHEAhxi2RiwlzI5indSXWG6e597Al5fpo9lWtwfBWw50D9VFhmEmkNGGKaBQcqIlP+ATj57ORz9g482mKgfeyVbakYa+5jrwl/8x4kQ3XW4IhACQtIWJG3ms+/tnNr7F59k4p3C8jjTBl1eWJwkLiZOrUqsnzYTIvhcMTUDCtHAuYCwB1Kg9QDeSFAYuNZ+IrUdnBC26jhUDH513XwDySmwsCiZRGKNXdMc5BtjNH0Xmd+xaVa42/lUNGvstQrZusq5lETkzsh9dzAZNUlYOuZNQs4D root@holywood2
+apt_liw_fi_signing_key: |
+ -----BEGIN PGP PUBLIC KEY BLOCK-----
+
+ mDMEZZJdGhYJKwYBBAHaRw8BAQdAqeF0fisweYyKM1ijm2TofKLI56kxprqQQgRI
+ 3XS7sfOI0QQfFgoAgwWCZZJdGgWJAeGFNAMLCQcJEDAjOV80dhuBRxQAAAAAAB4A
+ IHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ6QIq8aJr7rZ4To0YujnzP+e
+ VPuNqYamrIwP7oedSJuRAxUKCAKbAQIeARYhBNMIjAl0ALjhurGI1DAjOV80dhuB
+ AADPhAD9E7FKlBGQ4+kBNyJMSc6Kjp8DgI7GU1SsmGejPz97YsgA/ir2dwmq2Ik3
+ Mh8zxzUkrLT6K20iOi/ZoCXw2h/lNzgPtCthcHQubGl3LmZpIGFyY2hpdmUgc2ln
+ bmluZyBrZXkgPGxpd0BsaXcuZmk+iNQEExYKAIYFgmWSXRoFiQHhhTQDCwkHCRAw
+ IzlfNHYbgUcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmci
+ FPskp0wwO97SSRdxY+2fEeZ+OomxFq+LdrIf1qwhEwMVCggCmQECmwECHgEWIQTT
+ CIwJdAC44bqxiNQwIzlfNHYbgQAAGAMA/2uERO4xdI3DOeTx6GZtENeMNbBTe7X+
+ fh2IjXFv/xmXAQCT0eiqaHKEGq3RwrOoCBRmxec4yMgOfIuCt0l7YvytA4h1BBAW
+ CgAdFiEE6gtzmezPkoKnTvj4MdqAMggdkB0FAmWSXdwACgkQMdqAMggdkB3FXwEA
+ q82Xm0RheXzOMSKoCYOCxhM8rbn1wWIrufIo3znkrhABALMelmzI+LmzT7s62zGE
+ 2z8V7Nv0JnjZyrf+FZhNAqYFuDMEZZJdGhYJKwYBBAHaRw8BAQdAF+jg51KWsd8V
+ HxeHo6bab39J6gGNsJZcUVqRqCfrrzSJAYUEGBYKATcFgmWSXRoFiQHhhTQJEDAj
+ OV80dhuBRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ+J5
+ 7Y6sMbUC82e9ztMS6yorTd1niehqKtaj22Fq9xREApsCvqAEGRYKAG8FgmWSXRoJ
+ EJqO39bYba7MRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9y
+ Z/Kx/ROGuSeEFI8QlSRIBLTxGvqRP+G0MIVtj5277onuFiEEbwX90zO8sdjuP23I
+ mo7f1thtrswAAIZrAQCWL1DboWlW3fCUEx++p8KTSjEt925x9uEt+QYk1W8wgQD+
+ PnefEb8sHyZBkznoZcqgWdiqFQzgpJHYK0rieZt51AAWIQTTCIwJdAC44bqxiNQw
+ IzlfNHYbgQAANkwBAKPT/FYSCp1w2moONOyKjxLkURCa6bXM+HPODBUn/0ozAQDa
+ kaEaS+5jPDYzDJdpB6+7JJNu9IbT2RcI85S4KUr1Ag==
+ =by66
+ -----END PGP PUBLIC KEY BLOCK-----
+
+
code_liw_fi_signing_key: |
-----BEGIN PGP PUBLIC KEY BLOCK-----
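Review bot: The new `apt_liw_fi_signing_key` block carries no comment identifying the key, so a reader cannot check it against the published key without importing it first; a one-line `# apt.liw.fi archive signing key, fingerprint <FINGERPRINT-PLACEHOLDER>` above the block makes the trust root reviewable. Because every host that lists the apt.liw.fi repository ends up trusting this key for package installation, a future rotation should update the block and the fingerprint comment together.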
@@ -303,3 +333,7 @@ riot_im_signing_key: |
3mc4ZPLfWwxNMYs=
=dS2q
-----END PGP PUBLIC KEY BLOCK-----
+
+sshd_host_key: "{{ lookup('pipe', 'sshca host private-key {{ sane_debian_system_hostname }}') }}"
+sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 {{ sane_debian_system_hostname }}') }}"
+sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"
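Review bot: The two `sshca host …` lookups on the new lines embed `{{ sane_debian_system_hostname }}` inside the lookup's string argument; that appears to expand only because Ansible re-templates lookup terms, which is a quirk rather than ordinary Jinja, and if it ever stops the literal moustache is passed to the shell unnoticed. Building the string explicitly avoids that: `sshd_host_key: "{{ lookup('pipe', 'sshca host private-key ' ~ sane_debian_system_hostname) }}"`, and likewise for `sshd_host_cert`. As group-wide defaults these run `sshca` on the controller for any host whose play references `sshd_host_key`; the per-host overrides in http.liw.fi.yml and irc.liw.fi.yml already cover the case where the hostname variable is not the name sshca knows.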
diff --git a/ansible/handbrake.yml b/ansible/handbrake.yml
new file mode 100644
index 0000000..eb928cf
--- /dev/null
+++ b/ansible/handbrake.yml
@@ -0,0 +1,55 @@
+- hosts: handbrake
+ remote_user: debian
+ become: yes
+ roles:
+ - role: sane_debian_system
+ - role: sshd
+ - role: unix_users
+ tasks:
+ - apt:
+ name:
+# - gnome
+# - handbrake
+ - handbrake-cli
+ - htop
+ - moreutils
+ - rsync
+ - screen
+
+ # # This seems to be wanted by something in the GNOME app stack.
+ # # Installing it will stop a lot of apps from whinging at startup.
+ # - libcanberra-gtk-module
+
+ # - lineinfile:
+ # path: /etc/gdm3/daemon.conf
+ # regexp: WaylandEnable=
+ # line: "WaylandEnable=false"
+
+ # - lineinfile:
+ # path: /etc/default/grub
+ # regexp: GRUB_ENABLE_CRYPTODISK
+ # line: "GRUB_ENABLE_CRYPTODISK=n"
+
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
+ sane_debian_system_timezone: Europe/Helsinki
+ sane_debian_system_sources_lists:
+ - repo: |
+ deb http://deb.debian.org/debian bookworm contrib non-free non-free-firmware
+
+ - repo: |
+ deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
+
+ - repo: |
+ deb http://deb.debian.org/debian bookworm-backports main contrib non-free non-free-firmware
+
+ unix_users_version: 2
+ unix_users:
+ - username: liw
+ comment: Lars Wirzenius
+
+ sshd_version: 1
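Review bot: The commented-out `# - gnome` and `# - handbrake` entries sit at column 0 inside the indented `name:` list, and the two commented-out `lineinfile` tasks give no reason for being kept; either drop them or add a short comment such as `# GUI packages and GDM/GRUB tweaks intentionally left out: headless host` so the next reader knows whether they are pending or abandoned. The apt task also has no `name:`, unlike the other task lists in this commit, which name what they install.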
diff --git a/ansible/holywood2.yml b/ansible/holywood2.yml
index ac4d72f..20fafc7 100644
--- a/ansible/holywood2.yml
+++ b/ansible/holywood2.yml
@@ -1,3 +1,6 @@
+# As long as this is based on bullseye, reboot VM after running the
+# playbook.
+
- hosts: holywood2
remote_user: root
roles:
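Review bot: The new header comment tells the operator to reboot after the run while the host is on bullseye, but not which change needs the reboot, so nobody can tell when the instruction may be dropped; record the trigger, e.g. `# As long as this is based on bullseye, reboot VM after running the playbook (<reason placeholder>).`, or replace the comment with a `reboot:` task conditioned on the codename. The enclosing play continues outside the hunk.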
@@ -10,7 +13,7 @@
- apache_server
- role: holywood2
tags: holywood2
- - smarthost-client
+ - mail-client
- self-updating-system
tasks:
- cron:
@@ -21,14 +24,14 @@
ansible_python_interpreter: /usr/bin/python3
sane_debian_system_version: 2
- sane_debian_system_hostname: holywood2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
sane_debian_system_codename: bullseye
sane_debian_system_mirror: deb.debian.org
sane_debian_system_sources_lists:
- repo: deb http://deb.debian.org/debian bullseye main contrib non-free
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
unix_users_version: 2
unix_users:
@@ -52,6 +55,3 @@
letsencrypt: no
sshd_version: 1
- sshd_host_key: "{{ lookup('pipe', 'sshca host private-key holywood2') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 holywood2') }}"
- sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"
diff --git a/ansible/hosts b/ansible/hosts
index 4348c29..ad57af3 100644
--- a/ansible/hosts
+++ b/ansible/hosts
@@ -1,48 +1,63 @@
-[all]
-exolobe1
-exolobe2
-stamina
-x220
-kea
-qotom
-solace
-
-atuin ansible_ssh_host=atuin.liw.fi
-nalanda ansible_ssh_host=nalanda.liw.fi
-gregvm ansible_ssh_host=78.46.87.152
-
+[infra]
debian-mirror
holywood2
mirror-git
+image-dist
web
+texlive
-pieni ansible_ssh_host=koom.pieni.net debian_codename=stretch
-sq-test ansible_ssh_host=sq-test.liw.fi
-
-apt-dev
-billion
-clab-dev
+[dev]
+aptrepo
+ambient-dev
debian-ansible-dev
-ewww-dev
-ewww-test
-ick2-dev
icktool
-jt-dev
obnam-bench
obnam-dev
-openpgp-ca-dev
-openpgp-card-dev
-python-mess
-rikiwiki-dev
-roadmap-dev
+radicle-dev
+radicle-liw3
+radicle-multi
+radicle-other-node
+radicle-test
+riki-dev
rust-dev
-sequoia-dev
-sequoia-web
-ssh-dev
sshca-dev
subplot-dev
+unpack-dsc
v-i-dev
vmadm-dev
vmdb2-dev
+vmdb2-dev-sid
+[toys]
+billion
toy
+bigtoy
+handbrake
+
+[upliw_vm]
+private
+updev
+
+[bare]
+exolobe1
+exolobe2
+stamina
+x220
+kea
+qotom
+solace
+upliw0
+
+[remote]
+apt.liw.fi
+atuin ansible_ssh_host=atuin.liw.fi
+nalanda ansible_ssh_host=nalanda.liw.fi
+gregvm ansible_ssh_host=78.46.87.152
+git.liw.fi
+http.liw.fi
+irc.liw.fi
+monorepo.liw.fi
+shell-shell.vm.liw.fi
+radicle.liw.fi
+seed.liw.fi
+wumpus.liw.fi
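Review bot: `icktool` stays in the new `[dev]` group although this commit deletes ansible/icktool.yml (ick2-dev, by contrast, is removed from the inventory together with its playbook), so the entry is either stale or its playbook is missing; the same check applies to any other `[dev]` entry without a playbook. The three `ansible_ssh_host=` entries under `[remote]` use the pre-2.0 alias; `ansible_host=` is the current name, e.g. `atuin ansible_host=atuin.liw.fi`.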
diff --git a/ansible/hosts.ci-prep b/ansible/hosts.ci-prep
deleted file mode 100644
index e69de29..0000000
--- a/ansible/hosts.ci-prep
+++ /dev/null
diff --git a/ansible/hosts.ci-prod b/ansible/hosts.ci-prod
deleted file mode 100644
index c8c8c4b..0000000
--- a/ansible/hosts.ci-prod
+++ /dev/null
@@ -1 +0,0 @@
-controller ansible_ssh_host=ci-prod-controller.vm.liw.fi
diff --git a/ansible/hosts.ci-prod-workers b/ansible/hosts.ci-prod-workers
deleted file mode 100644
index e69de29..0000000
--- a/ansible/hosts.ci-prod-workers
+++ /dev/null
diff --git a/ansible/hosts.collectd b/ansible/hosts.collectd
deleted file mode 100644
index e69de29..0000000
--- a/ansible/hosts.collectd
+++ /dev/null
diff --git a/ansible/hosts.demo b/ansible/hosts.demo
deleted file mode 100644
index e69de29..0000000
--- a/ansible/hosts.demo
+++ /dev/null
diff --git a/ansible/hosts.demo-workers b/ansible/hosts.demo-workers
deleted file mode 100644
index e69de29..0000000
--- a/ansible/hosts.demo-workers
+++ /dev/null
diff --git a/ansible/hosts.docstory-files b/ansible/hosts.docstory-files
deleted file mode 100644
index e69de29..0000000
--- a/ansible/hosts.docstory-files
+++ /dev/null
diff --git a/ansible/hosts.git b/ansible/hosts.git
deleted file mode 100644
index 9477321..0000000
--- a/ansible/hosts.git
+++ /dev/null
@@ -1 +0,0 @@
-git ansible_ssh_host=git-git.vm.liw.fi
diff --git a/ansible/hosts.http b/ansible/hosts.http
deleted file mode 100644
index 564c4da..0000000
--- a/ansible/hosts.http
+++ /dev/null
@@ -1 +0,0 @@
-static ansible_ssh_host=http-static.vm.liw.fi
diff --git a/ansible/hosts.irc b/ansible/hosts.irc
deleted file mode 100644
index a94bb32..0000000
--- a/ansible/hosts.irc
+++ /dev/null
@@ -1 +0,0 @@
-irc ansible_ssh_host=irc-irc.vm.liw.fi
diff --git a/ansible/hosts.letest b/ansible/hosts.letest
deleted file mode 100644
index e69de29..0000000
--- a/ansible/hosts.letest
+++ /dev/null
diff --git a/ansible/hosts.mirror b/ansible/hosts.mirror
deleted file mode 100644
index e69de29..0000000
--- a/ansible/hosts.mirror
+++ /dev/null
diff --git a/ansible/hosts.obnam b/ansible/hosts.obnam
deleted file mode 100644
index e69de29..0000000
--- a/ansible/hosts.obnam
+++ /dev/null
diff --git a/ansible/hosts.shell b/ansible/hosts.shell
deleted file mode 100644
index 1b142ae..0000000
--- a/ansible/hosts.shell
+++ /dev/null
@@ -1 +0,0 @@
-shell ansible_ssh_host=shell-shell.vm.liw.fi
diff --git a/ansible/hosts.subplot-dan b/ansible/hosts.subplot-dan
deleted file mode 100644
index e69de29..0000000
--- a/ansible/hosts.subplot-dan
+++ /dev/null
diff --git a/ansible/http.liw.fi.hz b/ansible/http.liw.fi.hz
deleted file mode 100644
index ad22c6b..0000000
--- a/ansible/http.liw.fi.hz
+++ /dev/null
@@ -1,5 +0,0 @@
-defaults:
- type: cpx11
- image: debian-10
-hosts:
- - name: static
diff --git a/ansible/http.liw.fi.yml b/ansible/http.liw.fi.yml
index ed409ff..9372c4c 100644
--- a/ansible/http.liw.fi.yml
+++ b/ansible/http.liw.fi.yml
@@ -1,10 +1,11 @@
-- hosts: static
+- hosts: http.liw.fi
remote_user: root
roles:
- role: sane_debian_system
- role: sshd
- role: unix_users
- role: apache_server
+ tags: [httpd]
- role: comfortable-debian-system
- role: self-updating-system
vars:
@@ -22,11 +23,6 @@
- username: root
authorized_keys: |
{{ liw_personal_ssh_pub }}
- - username: ickliwfi
- comment: Ick website
- authorized_keys: |
- {{ liw_personal_ssh_pub }}
- {{ ci_worker_ssh_pub }}
letsencrypt: yes
letsencrypt_email: liw@liw.fi
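Review bot: Removing the `ickliwfi` user from `unix_users` only stops Ansible from managing it; unless the unix_users role deletes accounts that vanish from the list (not visible here), the account and its authorized_keys — including `{{ ci_worker_ssh_pub }}` from the retired CI — remain a valid login on http.liw.fi. If the role supports it, keep an entry with `state: absent` for one run, or verify on the host that the account is gone.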
@@ -41,215 +37,179 @@
owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert1
-
- - domain: ideas.liw.fi
- owner: ickliwfi
- ownermail: liw@liw.fi
- letsencrypt: yes
- letsencrypt_cert: cert1
+ letsencrypt_cert: certa
- domain: files.liw.fi
owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert1
-
- - domain: code.liw.fi
- owner: liw
- ownermail: liw@liw.fi
- letsencrypt: yes
- letsencrypt_cert: cert1
+ letsencrypt_cert: certa
- domain: vmdb2.liw.fi
- owner: ickliwfi
- ownermail: liw@liw.fi
- letsencrypt: yes
- letsencrypt_cert: cert1
-
- - domain: vmdb2-images.liw.fi
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert1
+ letsencrypt_cert: certa
- domain: vmdb2-manual.liw.fi
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cer1
+ letsencrypt_cert: certa
- domain: journal.liw.fi
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert1
+ letsencrypt_cert: certa
htpasswd: "{{ lookup('pipe', 'pass journal.liw.fi.htpasswd') }}"
htpasswd_name: "Private site by Lars. Go away."
- domain: noir.liw.fi
- owner: ickliwfi
- ownermail: liw@liw.fi
- letsencrypt: yes
- letsencrypt_cert: cert1
-
- - domain: manifesto.liw.fi
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert1
+ letsencrypt_cert: certa
- domain: doc.obnam.org
- owner: ickliwfi
- ownermail: liw@liw.fi
- letsencrypt: yes
- letsencrypt_cert: cert1
-
- - domain: seinfeld.liw.fi
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert1
+ letsencrypt_cert: certa
- domain: subplot.tech
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert12
+ letsencrypt_cert: certa
- domain: www.subplot.tech
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert12
+ letsencrypt_cert: certa
redirect: subplot.tech
- domain: doc.subplot.tech
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert12
+ letsencrypt_cert: certa
- domain: subplot.liw.fi
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert1
+ letsencrypt_cert: certa
redirect: subplot.tech
- domain: doc.subplot.liw.fi
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert11
+ letsencrypt_cert: certa
redirect: doc.subplot.tech
- - domain: yuck.liw.fi
- owner: ickliwfi
- ownermail: liw@liw.fi
- letsencrypt: yes
- letsencrypt_cert: cert1
-
- domain: 256.liw.fi
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert1
+ letsencrypt_cert: certa
- domain: gtdfh.liw.fi
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert1
+ letsencrypt_cert: certa
- domain: blog.liw.fi
- owner: ickliwfi
- ownermail: liw@liw.fi
- letsencrypt: yes
- letsencrypt_cert: cert1
-
- - domain: summain.liw.fi
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert4
+ letsencrypt_cert: certa
- domain: vmadm.liw.fi
- owner: ickliwfi
- ownermail: liw@liw.fi
- letsencrypt: yes
- letsencrypt_cert: cert6
-
- - domain: clab.liw.fi
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert9
+ letsencrypt_cert: certa
- domain: doc.liw.fi
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert10
+ letsencrypt_cert: certa
- domain: sshca.liw.fi
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert11
+ letsencrypt_cert: certa
- domain: www.liw.fi
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert13
+ letsencrypt_cert: certa
redirect: liw.fi
- domain: riki.liw.fi
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert14
+ letsencrypt_cert: certa
- domain: v-i.liw.fi
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert15
+ letsencrypt_cert: certa
- domain: puomi.liw.fi
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert15
+ letsencrypt_cert: certa
- domain: ewww.liw.fi
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert16
+ letsencrypt_cert: certa
- # Sites that need to be changed in DNS (A record) before Let's
- # Encrypt certificates can be created. Comment these out until
- # DNS has been changed.
+ - domain: ambient.liw.fi
+ owner: liw
+ ownermail: liw@liw.fi
+ letsencrypt: yes
+ letsencrypt_cert: certa
- - domain: ick.liw.fi
- owner: ickliwfi
+ - domain: openpgpkey.liw.fi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert3
+ letsencrypt_cert: certa
+
+ - domain: liw.iki.fi
+ owner: liw
+ ownermail: liw@liw.fi
+ letsencrypt: yes
+ letsencrypt_cert: certa
+
+ # Sites that need to be changed in DNS (A record) before Let's
+ # Encrypt certificates can be created. Comment these out until
+ # DNS has been changed.
- domain: obnam.org
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert2
+ letsencrypt_cert: certa
- domain: liw.fi
- owner: ickliwfi
+ owner: liw
ownermail: liw@liw.fi
letsencrypt: yes
- letsencrypt_cert: cert2
+ letsencrypt_cert: certa
# Sites without HTTPS.
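Review bot: Every site now shares `letsencrypt_cert: certa`, and `obnam.org` and `liw.fi` are left active directly under the comment that says to comment such sites out until DNS points here; with one shared certificate, a single domain whose A record is wrong fails issuance for all of them, so the comment and the entries contradict each other. Either remove the comment if DNS for those two is done, or comment the entries out as it instructs. Note that `liw.iki.fi` is also newly issued under certa (the last hunk of this file removes it from the non-HTTPS list), so its DNS must point here before the next run.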
@@ -274,17 +234,11 @@
ownermail: webmaster@docstory.fi
letsencrypt: no
- - domain: liw.iki.fi
- owner: liw
- ownermail: liw@liw.fi
- letsencrypt: no
-
- - domain: demo-journal.liw.fi
- owner: liw
- ownermail: liw@liw.fi
- letsencrypt: no
-
+ # We must define the sshd variables here. The defaults from the
+ # "all" group assume sshca knows the host by the
+ # sane_debian_system_hostname name, which isn't true for this
+ # host.
sshd_version: 1
sshd_host_key: "{{ lookup('pipe', 'sshca host private-key http.liw.fi') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 http.liw.fi') }}"
- sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 http.liw.fi') }}"
+ sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"
diff --git a/ansible/ick2-dev.yml b/ansible/ick2-dev.yml
deleted file mode 100644
index 6a8b0c6..0000000
--- a/ansible/ick2-dev.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-- hosts: ick2-dev
- remote_user: debian
- become: yes
- roles:
- - role: sane_debian_system
- - role: unix_users
- - role: version-controller
- - role: liw
- tasks:
- - name: "install build dependencies for Ick"
- apt:
- state: present
- name:
- - debhelper
- - python3-all
- - python3-bottle
- - python-cliapp
- - python3-cliapp
- - python3-coverage-test-runner
- - python3-apifw
- - python3-slog
- - python3-cryptography
- - python3-requests
- - python-requests
- - pycodestyle
- - gunicorn3
- - python3-yaml
- - cmdtest
- - copyright-statement-lint
- vars:
- ansible_python_interpreter: /usr/bin/python3
-
- sane_debian_system_version: 2
- sane_debian_system_hostname: ick2-dev
- sane_debian_system_codename: buster
- sane_debian_system_sources_lists:
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
-
- unix_users_version: 2
- unix_users:
- - username: liw
- comment: Lars Wirzenius
- sudo: true
- authorized_keys: |
- {{ liw_personal_ssh_pub }}
- ssh_key: |
- {{ lookup('pipe', 'pass show ssh/liw@mirror-git') }}
- ssh_key_pub: |
- {{ lookup('pipe', 'pass show ssh/liw@mirror-git.pub') }}
diff --git a/ansible/icktool.yml b/ansible/icktool.yml
deleted file mode 100644
index c2ed8cc..0000000
--- a/ansible/icktool.yml
+++ /dev/null
@@ -1,88 +0,0 @@
-- hosts: icktool
- remote_user: debian
- become: yes
- roles:
- - role: sane_debian_system
- - role: unix_users
- tasks:
- - name: "install git and Ick"
- apt:
- state: present
- name:
- - git
- - moreutils
- - psmisc
- - ick2
- - jq
- - name: "clone liw-ci"
- shell: |
- if ! [ -e /home/liw/liw-ci ]
- then
- sudo -i -u liw git clone git://git.liw.fi/liw-ci
- fi
- - name: "install ick-statut"
- copy:
- content: |
- #!/bin/bash
- set -euo pipefail
- icktool status | grep -v -e "done" -e "dummy-"
- dest: /home/liw/ick-status
- owner: liw
- group: liw
- mode: 0755
- - name: "create ~/.config/icktool"
- file:
- state: directory
- path: /home/liw/.config/icktool
- owner: liw
- group: liw
- - name: "install icktool config"
- copy:
- content: |
- config:
- controller: https://ci-prod-controller.vm.liw.fi
- dest: /home/liw/.config/icktool/icktool.yaml
- owner: liw
- group: liw
- mode: 0644
- - name: "install icktool credentials"
- copy:
- content: |
- [https://ci-prod-controller.vm.liw.fi/token]
- client_id = liw
- client_secret = {{ lookup('pipe', 'pass ick2/admin_secret') }}
- dest: /home/liw/.config/icktool/credentials.conf
- owner: liw
- group: liw
- mode: 0600
-
- - name: "install cron job to trigger missing or old builds"
- cron:
- name: "trigger-old"
- user: liw
- minute: "0"
- hour: "*"
- job: |
- /home/liw/liw-ci/trigger-old | head -n3 | while read x; do icktool trigger "$x"; done
-
- vars:
- ansible_python_interpreter: /usr/bin/python3
-
- sane_debian_system_version: 2
- sane_debian_system_hostname: icktool
- sane_debian_system_codename: buster
- sane_debian_system_sources_lists:
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
-
- unix_users_version: 2
- unix_users:
- - username: liw
- comment: Lars Wirzenius
- sudo: true
- authorized_keys: |
- {{ liw_personal_ssh_pub }}
- ssh_key: |
- {{ lookup('pipe', 'pass show ssh/liw@mirror-git') }}
- ssh_key_pub: |
- {{ lookup('pipe', 'pass show ssh/liw@mirror-git.pub') }}
diff --git a/ansible/image-dist.yml b/ansible/image-dist.yml
new file mode 100644
index 0000000..2ef70af
--- /dev/null
+++ b/ansible/image-dist.yml
@@ -0,0 +1,113 @@
+- hosts: image-dist
+ remote_user: debian
+ become: yes
+ roles:
+ - role: sane_debian_system
+ - role: sshd
+ - role: unix_users
+ - role: self-updating-system
+ tasks:
+ - name: "Install ewww"
+ apt:
+ name:
+ - ewww
+ - psmisc
+ - curl
+ - rsync
+ state: present
+ - name: "Create /srv/http"
+ file:
+ state: directory
+ path: /srv/http
+ owner: _ewww
+ group: _ewww
+ mode: 0755
+ - name: "Create ewww config directory"
+ file:
+ state: directory
+ path: /etc/ewww
+ - name: "Install ewww config"
+ copy:
+ content: |
+ webroot: /srv/http
+ listen: "0.0.0.0:443"
+ tls_cert: /etc/ewww/tls.pem
+ tls_key: /etc/ewww/tls.key
+ dest: /etc/ewww/ewww.yaml
+ - name: "Install TLS cert"
+ copy:
+ content: |
+ -----BEGIN CERTIFICATE-----
+ MIICrzCCAZcCFFusxXoXXAVCzpfNK5VlnS8vFnY/MA0GCSqGSIb3DQEBCwUAMBQx
+ EjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0yMTA3MjIwNzMzNThaFw0yMjA3MjIwNzMz
+ NThaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ ADCCAQoCggEBALhfy48gwIslLt5nCDSaPZeg52TwlZ8gWotnoprcv3cgTllDD/t7
+ uLwRrYFJl2AheaNRP+ZOgXYzuS+pOz7YCdLg6bc1d8Dto69gQy848GnTtHINgy3Z
+ Ag0L5d2B8/PcpEagFe2z1cCDzxNxkhjWisb0Rm1AOJcNxQWvICw428wwWEr6SRiO
+ FHTht5UG0oClK88cJSwBnzNSS9Q30q42JfUmua1Dd0PS3FOMibtzMB9aBATeR4uH
+ pQ1qCGU197er0PVfxWYrm8LEyZFQHRviwiaLNMtMRQuOp2rDF3kV/aZuw+aUYqpk
+ zz+H3g0lxU3vYp/NmSRvC7y4HFxr7xlu6DECAwEAATANBgkqhkiG9w0BAQsFAAOC
+ AQEAgpZ0dd+W4v7P6uFZ3R4rbRrHUQEOlFFMUrkf6EyT9xeIk7XjO6+RYbVP6tWX
+ h4T9sEIFypAtR/47JEhFKYzncPBygUQfzXH5hW0JgviMQ8nNQz6NUJ5vPpeI4Tob
+ 7uipx46Lq6nF6h9DbMK/03M7ZeybEa+nknDtry5hKTVzi+xSkVQX1/xgOBY0hhUk
+ xcLCULujN2Lp262aP9hIuI/vaXo5HOh+BavsSauVUsRjScz/8Lgn+q4qRajcgnRa
+ WvK5nH/Ok4am5F9LDcwZOyUXrV+VB9CcbhnzinMuPwCdhPvMr+F7zQP9YXbOeOlP
+ NdZiSNvGZAbEnmMnNCEYMO3wVA==
+ -----END CERTIFICATE-----
+ dest: /etc/ewww/tls.pem
+ - name: "Install TLS key"
+ copy:
+ content: |
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIEpAIBAAKCAQEAuF/LjyDAiyUu3mcINJo9l6DnZPCVnyBai2eimty/dyBOWUMP
+ +3u4vBGtgUmXYCF5o1E/5k6BdjO5L6k7PtgJ0uDptzV3wO2jr2BDLzjwadO0cg2D
+ LdkCDQvl3YHz89ykRqAV7bPVwIPPE3GSGNaKxvRGbUA4lw3FBa8gLDjbzDBYSvpJ
+ GI4UdOG3lQbSgKUrzxwlLAGfM1JL1DfSrjYl9Sa5rUN3Q9LcU4yJu3MwH1oEBN5H
+ i4elDWoIZTX3t6vQ9V/FZiubwsTJkVAdG+LCJos0y0xFC46nasMXeRX9pm7D5pRi
+ qmTPP4feDSXFTe9in82ZJG8LvLgcXGvvGW7oMQIDAQABAoIBAQCTKyP441PNvahj
+ ripGkreHSNBrKf7EPbcIf3iz1HCgThE7/uPLAT68IAA2qt9BxHarfjdbRl7gUvkG
+ qja4OwncYdssemlUfluhqVz3XKPKVUo7n72N4yJX959L6GcpyHz4QuA+FMYSHSQ1
+ iPntCZNMq79rhU+mgz85AkjUA66ulKzkFwYRL6oRJ+fxwYKTCcnRAUbUaihDXb5T
+ AV4wDPMKLse70KL42SPTrQFzTqguDlXzPlKvqOEi2lZkNkiMr8wdN/xZlzLre89K
+ EM/mczCnYnI17dkFrdF+9Wsr63o24H+vUQ3IWIDnVP+dgMXonvCz2Z8mawlb5tt7
+ vuY4b9KBAoGBAOczO740Q/mDk2iQI4Kt+o1unRwz34AEge0hm7kVUb7g2iV9sqNU
+ PovFjIvfCpWTmxVj6NQHyHbKDUfnnYzrpYHuMu2mL5E/1w+WqO1xPgoS287Xs/0I
+ E6N/BozDW4kMgBID0U2qz0JBrDMDFlL/yoziec6kv8f8uvRlQKtSdVSFAoGBAMwm
+ uDCShE4RcCr0PgAhiCSllJF03AVbLioTqdXwiHbIVvu5XvUClgOuI0eUDzU0Dsco
+ eWVaMQYx2Gt26sPPE52duZQNZ8JOZVq8/eSoycxYBn+hxYsjWqR9VvAZ4UMQvQ9g
+ T8La/NJTmzGVqpSD6XA176umCmgB/oeEaNZvchq9AoGAUfmbdDxJ4b1iVc/Nl3ci
+ gGU49Zf65gQzISYqdbx2aIyHLIXeAgVLy/k2dR2XPiPA+BudoRhFXsETZmxcM2wW
+ GfSgQB0Nfp25HkDYEqB1U9MN9tAKdGwZsn3Gj8Bwwy4Ydsq9uqEWrbJlYQz2LGWf
+ psZiU/+cNEeK7j68aEJrcZUCgYAu7zvrVtP6CsJJ7csPRqZBHpwwcLhgtty/KbQj
+ DmChRl/REYYGOCj7AZ70xtJUPfqjyOdX6MtajD0gP7+rcsEkvG0833QaVOGyYb7R
+ Qgja5OXhk/SRj3g4VuSU4K5MN93vWgocVzJGvJfyZ2FHMaiKdqv6P3sm/EZjK4ra
+ udZ21QKBgQDXmMP5sPHBtpHyXybIHk+nJICOtsKAJklXA1msgCk8OqDyPXX3qh8e
+ 4vFU4tgRN1nBMmEG5ROTtING1dQ5+X3aqXOJIO+asE1FkQA1kUhFKg2OSo15liPI
+ cB5//DSHki2Mh1iZxPfZnvFYpEOl9pmedSJ4tlltzKQSY//6kGJ49g==
+ -----END RSA PRIVATE KEY-----
+ dest: /etc/ewww/tls.key
+ - name: "Enable and start ewww service"
+ systemd:
+ name: ewww
+ state: restarted
+ enabled: yes
+ daemon_reload: yes
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bullseye
+ sane_debian_system_sources_lists:
+ - repo: deb http://apt.liw.fi/debian unstable-ci main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
+
+ unix_users_version: 2
+ unix_users:
+ - username: liw
+ comment: Lars Wirzenius
+ - username: _ewww
+ comment: Static web site content
+
+ sshd_version: 1
+
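Review bot: The "Install TLS key" task writes an RSA private key stored in cleartext in this playbook (the same block the commit removes from debian-mirror.yml), and the copy sets no `owner`/`mode`, so /etc/ewww/tls.key lands with default permissions. The key should come from the secret store the file already uses elsewhere, `content: "{{ lookup('pipe', 'pass show <path placeholder>') }}"`, with `mode: "0600"` and `no_log: true` on the task; `/etc/ewww` is likewise created without a mode. The sources list says `deb http://apt.liw.fi/debian unstable-ci main` while every other play in this commit uses `unstable main` for apt.liw.fi — `unstable-ci` was the suite of the retired ci-prod repository, so this looks like a leftover. The certificate also appears to be self-signed for `localhost` (inferred from the base64, so hedged), in which case clients fetching images from this host cannot validate it.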
diff --git a/ansible/irc.liw.fi.hz b/ansible/irc.liw.fi.hz
deleted file mode 100644
index 487bd5d..0000000
--- a/ansible/irc.liw.fi.hz
+++ /dev/null
@@ -1,5 +0,0 @@
-defaults:
- type: cx11
- image: debian-10
-hosts:
- - name: irc
diff --git a/ansible/irc.liw.fi.yml b/ansible/irc.liw.fi.yml
index ca6030e..3e094c3 100644
--- a/ansible/irc.liw.fi.yml
+++ b/ansible/irc.liw.fi.yml
@@ -1,4 +1,4 @@
-- hosts: irc
+- hosts: irc.liw.fi
remote_user: root
roles:
- role: sane_debian_system
@@ -12,7 +12,7 @@
sane_debian_system_version: 2
sane_debian_system_hostname: irc
- sane_debian_system_codename: bullseye
+ sane_debian_system_codename: bookworm
sane_debian_system_mirror: deb.debian.org
unix_users_version: 2
@@ -29,7 +29,11 @@
authorized_keys: |
{{ liw_personal_ssh_pub }}
+ # We must define the sshd variables here. The defaults from the
+ # "all" group assume sshca knows the host by the
+ # sane_debian_system_hostname name, which isn't true for this
+ # host.
sshd_version: 1
sshd_host_key: "{{ lookup('pipe', 'sshca host private-key irc.liw.fi') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 irc.liw.fi') }}"
- sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 irc.liw.fi') }}"
+ sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"
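Review bot: Pointing `sshd_user_ca_pub` at `liw.fi/ca/user/v5` makes this host trust only user certificates signed by the v5 CA, so any client still presenting a v3-issued cert is locked out as soon as the play runs, and conversely clients whose `known_hosts` `@cert-authority` line still names the v4 host CA will reject the new `--ca liw.fi/ca/host/v5` host certificate. If the rollover is deliberate the comment above should say so, e.g. `# CA rolled to v5; v3 user certs are no longer accepted here`, otherwise listing both CA keys for the transition (if the sshd role accepts more than one) avoids a lockout. All three `pipe` lookups run on the controller while variables are evaluated, so a missing `sshca` entry aborts the whole play rather than a single task.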
diff --git a/ansible/kea.yml b/ansible/kea.yml
index 610c6d3..b21f6be 100644
--- a/ansible/kea.yml
+++ b/ansible/kea.yml
@@ -3,74 +3,35 @@
become: no
roles:
- role: sane_debian_system
- tags: [sane]
- comfortable-debian-system
- - gnome-system
- - smarthost-client
- intel-wifi
- - self-updating-system
- ssd
+ - sshd
- unix_users
- tasks:
- - lineinfile:
- path: /etc/gdm3/daemon.conf
- regex: WaylandEnable
- line: WaylandEnable=false
- - apt:
- name:
- - flatpak
- - gnome-software-plugin-flatpak
- - cups
- - nfs-common
- - ufw
- - apt:
- deb: https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
- - shell:
- flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
- - ufw:
- state: enabled
- policy: deny
- - ufw:
- port: ssh
- rule: allow
+ - puomi
vars:
ansible_python_interpreter: /usr/bin/python3
sane_debian_system_version: 2
- sane_debian_system_hostname: kea
- sane_debian_system_codename: bullseye
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
sane_debian_system_timezone: Europe/Helsinki
sane_debian_system_sources_lists:
- repo: |
- deb http://deb.debian.org/debian bullseye contrib non-free
+ deb http://deb.debian.org/debian bookworm contrib non-free
- repo: |
- deb-src http://deb.debian.org/debian bullseye main contrib non-free
-
- - repo: |
- deb http://security.debian.org/debian-security bullseye-security main contrib non-free
+ deb http://security.debian.org/debian-security bookworm-security main contrib non-free
unix_users_version: 2
unix_users:
- - username: soile
- comment: Soile Mottisenkangas
- groups:
- - audio
- - bluetooth
- - cdrom
- - dialout
- - dip
- - floppy
- - netdev
- - plugdev
- - scanner
- - video
- authorized_keys: |
- {{ liw_personal_ssh_pub }}
+ - username: liw
+ comment: Lars Wirzenius
+
+ sshd_version: 1
+ sshd_host_key: "{{ lookup('pipe', 'sshca host private-key kea') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 kea') }}"
+ sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"
- mailname: kea.liw.fi
- hostname: "{{ sane_debian_system_hostname }}"
- relayhost: pieni.net:587
- smarthost: pieni.net
- smarthost_user: pienirelay
- smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
+ puomi_version: 1
+ puomi_lan_ip: 10.2.0.1
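Review bot: The `ufw` tasks that set `policy: deny` and allowed only ssh are removed while the host is turned into a router on `puomi_lan_ip: 10.2.0.1`, and nothing in the new play replaces the packet filter; unless the `puomi` role (not visible here) installs its own nftables/iptables policy, kea now forwards traffic and exposes every listening service unfiltered. Please confirm the role covers this and add a comment such as `# firewall and NAT are managed by the puomi role` next to the role entry so the removal does not read as an accident. Since the GNOME, Chrome, flatpak and printing bits are gone too, a one-line header comment stating the machine's new purpose would help the next reader understand this is a repurposing rather than an upgrade.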
diff --git a/ansible/letest-letest.vm.liw.fi.hz b/ansible/letest-letest.vm.liw.fi.hz
deleted file mode 100644
index 919af09..0000000
--- a/ansible/letest-letest.vm.liw.fi.hz
+++ /dev/null
@@ -1,5 +0,0 @@
-defaults:
- type: cx11
- image: debian-10
-hosts:
- - name: letest
diff --git a/ansible/apt-dev.yml b/ansible/maybe-someday/apt-dev.yml
index 54c3d99..54c3d99 100644
--- a/ansible/apt-dev.yml
+++ b/ansible/maybe-someday/apt-dev.yml
diff --git a/ansible/clab-dev.yml b/ansible/maybe-someday/clab-dev.yml
index 5d386e3..32c6dd9 100644
--- a/ansible/clab-dev.yml
+++ b/ansible/maybe-someday/clab-dev.yml
@@ -19,7 +19,6 @@
name:
- debhelper
- build-essential
- - dh-cargo
- git
- moreutils
- python3
diff --git a/ansible/sequoia-web.yml b/ansible/maybe-someday/debian-mirror.yml
index b769c9e..1b85a21 100644
--- a/ansible/sequoia-web.yml
+++ b/ansible/maybe-someday/debian-mirror.yml
@@ -1,27 +1,27 @@
-- hosts: sequoia-web
+- hosts: debian-mirror
remote_user: debian
become: yes
roles:
- role: sane_debian_system
- - role: sshd
- tags: [sshd]
- role: unix_users
- - role: comfortable-debian-system
- - role: liw
+ - role: self-updating-system
+ - role: debian-mirror
tasks:
- - apt:
+ - name: "Install ewww"
+ apt:
name:
- - emacs
- - git
- - hugo
- - make
+ - curl
- ewww
+ - locales-all
+ - psmisc
+ - rsync
+ state: present
- name: "Create /srv/http"
file:
state: directory
path: /srv/http
- owner: _ewww
- group: _ewww
+ owner: debmirror
+ group: debmirror
mode: 0755
- name: "Create ewww config directory"
file:
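Review bot: Removing `role: sshd` leaves the mirror with whatever sshd configuration and host key the cloud image ships instead of the CA-signed host certificate and user-CA trust the other hosts get; if that is acceptable for a throwaway mirror, say so in a comment, otherwise keep the role. The task named `Install ewww` now also installs `curl`, `locales-all`, `psmisc` and `rsync`, so the name misleads; `Install ewww and mirror tooling` would be accurate. `/srv/http` is now owned by `debmirror`, which is right for the writer, but ewww is still pointed at it as `webroot` in the config below, so the tree rsync creates under it has to stay world-readable — `mode: 0755` only covers the top-level directory.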
@@ -30,7 +30,7 @@
- name: "Install ewww config"
copy:
content: |
- webroot: /home/liw/src/public
+ webroot: /srv/http
listen: "0.0.0.0:443"
tls_cert: /etc/ewww/tls.pem
tls_key: /etc/ewww/tls.key
@@ -94,8 +94,10 @@
enabled: yes
daemon_reload: yes
vars:
+ ansible_python_interpreter: /usr/bin/python3
+
sane_debian_system_version: 2
- sane_debian_system_hostname: sequoia-web
+ sane_debian_system_hostname: debian-mirror
sane_debian_system_codename: bullseye
sane_debian_system_mirror: deb.debian.org
sane_debian_system_sources_lists:
@@ -104,10 +106,6 @@
unix_users_version: 2
unix_users:
+ - username: debmirror
- username: liw
comment: Lars Wirzenius
- - username: _ewww
- comment: Static web site content
-
- sshd_version: 1
- sshd_allow_authorized_keys: yes
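Review bot: The `_ewww` account is dropped from `unix_users` while the play still installs the `ewww` package, writes `/etc/ewww/tls.*` and restarts the service, and the previous version of this file created that account explicitly (`comment: Static web site content`); if the service unit runs as `_ewww` and the Debian package does not create the user, the restart will fail. Either keep the `_ewww` entry or add a comment noting that the package provides the user. The new `debmirror` entry is the only user in these playbooks without a `comment`; `comment: Debian mirror sync` keeps the convention.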
diff --git a/ansible/debmirror.yml b/ansible/maybe-someday/debmirror.yml
index 88aa1c1..8aa9831 100644
--- a/ansible/debmirror.yml
+++ b/ansible/maybe-someday/debmirror.yml
@@ -9,7 +9,7 @@
- role: self-updating-system
- role: debian-mirror
tags: [mirror]
- - role: smarthost-client
+ - role: mail-client
vars:
sane_debian_system_version: 0
unix_users_version: 0
diff --git a/ansible/ewww-dev.yml b/ansible/maybe-someday/ewww-dev.yml
index 5a24d37..4696bd2 100644
--- a/ansible/ewww-dev.yml
+++ b/ansible/maybe-someday/ewww-dev.yml
@@ -21,7 +21,6 @@
name:
- debhelper
- build-essential
- - dh-cargo
- daemonize
- git
- moreutils
diff --git a/ansible/ewww-test.yml b/ansible/maybe-someday/ewww-test.yml
index 67b2123..67b2123 100644
--- a/ansible/ewww-test.yml
+++ b/ansible/maybe-someday/ewww-test.yml
diff --git a/ansible/jt-dev.yml b/ansible/maybe-someday/jt-dev.yml
index ccb405b..ccb405b 100644
--- a/ansible/jt-dev.yml
+++ b/ansible/maybe-someday/jt-dev.yml
diff --git a/ansible/letest-letest.vm.liw.fi.yml b/ansible/maybe-someday/letest-letest.vm.liw.fi.yml
index c9555dc..c9555dc 100644
--- a/ansible/letest-letest.vm.liw.fi.yml
+++ b/ansible/maybe-someday/letest-letest.vm.liw.fi.yml
diff --git a/ansible/openpgp-ca-dev.yml b/ansible/maybe-someday/openpgp-ca-dev.yml
index 52afa6c..38818e1 100644
--- a/ansible/openpgp-ca-dev.yml
+++ b/ansible/maybe-someday/openpgp-ca-dev.yml
@@ -22,7 +22,6 @@
- capnproto
- clang
- debhelper
- - dh-cargo
- libclang-dev
- libsqlite3-dev
- libssl-dev
diff --git a/ansible/openpgp-card-dev.yml b/ansible/maybe-someday/openpgp-card-dev.yml
index 99d869a..3633b68 100644
--- a/ansible/openpgp-card-dev.yml
+++ b/ansible/maybe-someday/openpgp-card-dev.yml
@@ -20,14 +20,15 @@
name:
- build-essential
- debhelper
- - dh-cargo
- docker.io
- libclang-dev
- libpcsclite-dev
- lintian
- moreutils
- nettle-dev
+ - ntp
- pkg-config
+ - psmisc
- subplot
- user:
name: liw
diff --git a/ansible/python-mess.yml b/ansible/maybe-someday/python-mess.yml
index 3cbdc91..3cbdc91 100644
--- a/ansible/python-mess.yml
+++ b/ansible/maybe-someday/python-mess.yml
diff --git a/ansible/roadmap-dev.yml b/ansible/maybe-someday/roadmap-dev.yml
index ac98d3a..0842792 100644
--- a/ansible/roadmap-dev.yml
+++ b/ansible/maybe-someday/roadmap-dev.yml
@@ -21,7 +21,6 @@
name:
- debhelper
- build-essential
- - dh-cargo
- git
- moreutils
- python3
diff --git a/ansible/ssh-dev.yml b/ansible/maybe-someday/ssh-dev.yml
index 3b05e70..3b05e70 100644
--- a/ansible/ssh-dev.yml
+++ b/ansible/maybe-someday/ssh-dev.yml
diff --git a/ansible/mirror-git.yml b/ansible/mirror-git.yml
index 97810f6..e1e9cb7 100644
--- a/ansible/mirror-git.yml
+++ b/ansible/mirror-git.yml
@@ -5,7 +5,7 @@
- role: sane_debian_system
- role: unix_users
- role: self-updating-system
- - role: smarthost-client
+ - role: mail-client
tasks:
- name: "configure ssh client"
copy:
diff --git a/ansible/monorepo.liw.fi.yml b/ansible/monorepo.liw.fi.yml
new file mode 100644
index 0000000..1f1797d
--- /dev/null
+++ b/ansible/monorepo.liw.fi.yml
@@ -0,0 +1,64 @@
+- hosts: monorepo.liw.fi
+ remote_user: root
+ roles:
+ - role: sane_debian_system
+ - role: sshd
+ - role: unix_users
+ - role: apache_server
+ - role: self-updating-system
+ tasks:
+ - apt:
+ name:
+ - git
+ - shell: |
+ a2enmod cgi alias env
+ - copy:
+ content: |
+ <VirtualHost *:80>
+ ServerName monorepo.liw.fi
+ ServerAdmin liw@liw.fi
+ DocumentRoot /var/www/html
+
+ <Directory "/">
+ AllowOverride None
+ Order deny,allow
+ Allow from all
+ </Directory>
+
+ <Location "/>
+ Require all granted
+ </Location>
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ SetEnv GIT_PROJECT_ROOT /home/liw/git
+ SetEnv GIT_HTTP_EXPORT_ALL
+ ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
+ </VirtualHost>
+ dest: /etc/apache2/sites-enabled/000-default.conf
+ - systemd:
+ name: apache2
+ state: restarted
+
+ vars:
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: monorepo
+ sane_debian_system_codename: bookworm
+ sane_debian_system_mirror: deb.debian.org
+
+ unix_users_version: 2
+ unix_users:
+ - username: liw
+ comment: Lars Wirzenius
+ sudo: yes
+
+ letsencrypt: no
+ letsencrypt_email: liw@liw.fi
+ letsencrypt_main_domain: monorepo.liw.fi
+ certbot_debian_release: bookworm
+
+ sshd_version: 1
+ sshd_host_key: "{{ lookup('pipe', 'sshca host private-key monorepo.liw.fi') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 monorepo.liw.fi') }}"
+ sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"
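Review bot: `<Location "/>` is missing its closing quote, and even where Apache's parser tolerates it the block grants `Require all granted` on every URL, which together with the 2.2-style `Order deny,allow` / `Allow from all` on `<Directory "/">` (needs `mod_access_compat`) makes the filesystem-side access check a no-op; the file is then written straight to `sites-enabled/000-default.conf` and apache2 restarted with no `apache2ctl configtest` in between. Tighten it as below: deny `/`, grant only the `DocumentRoot` and `/usr/lib/git-core` (where `ScriptAlias` maps the backend), and drop the `<Location>` block. Note also that `GIT_HTTP_EXPORT_ALL` exposes every repository under `/home/liw/git` anonymously over plain HTTP (`letsencrypt: no`, port 80 only); if that is intended, a comment saying so saves the next reader a check. Finally the `a2enmod` shell task reports changed on every run; `changed_when: false` or a `creates:` guard keeps the play idempotent.
```yaml
      - copy:
          content: |
            <VirtualHost *:80>
              # … unchanged: ServerName, ServerAdmin, DocumentRoot …

              # Deny the filesystem by default; grant only what is served.
              <Directory "/">
                AllowOverride None
                Require all denied
              </Directory>

              <Directory "/var/www/html">
                Require all granted
              </Directory>

              # git-http-backend lives here (target of the ScriptAlias below).
              <Directory "/usr/lib/git-core">
                Require all granted
              </Directory>

              # … unchanged: ErrorLog/CustomLog, SetEnv GIT_*, ScriptAlias …
            </VirtualHost>
```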
diff --git a/ansible/obnam-bench.yml b/ansible/obnam-bench.yml
index 7b5c393..8e3c84d 100644
--- a/ansible/obnam-bench.yml
+++ b/ansible/obnam-bench.yml
@@ -39,8 +39,8 @@
- repo: |
deb http://security.debian.org/debian-security buster/updates main
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
+ - repo: deb http://apt.liw.fi/debian unstable-ci main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
unix_users_version: 2
unix_users:
diff --git a/ansible/obnam-dev.yml b/ansible/obnam-dev.yml
index 332d3cb..e4c08c1 100644
--- a/ansible/obnam-dev.yml
+++ b/ansible/obnam-dev.yml
@@ -3,31 +3,22 @@
become: yes
roles:
- role: sane_debian_system
- tags: [sane]
- role: sshd
- tags: [sshd]
- role: comfortable-debian-system
- tags: [comfy]
- role: version-controller
- tags: [vcs]
- role: unix_users
- tags: [users]
- role: rust-rustup
- tags: [rustup]
- role: liw
- tags: [liw]
tasks:
- apt:
name:
- build-essential
- daemonize
- debhelper
- - dh-cargo
- git
- jq
- libsqlite3-dev
- libssl-dev
-# - linux-perf
- moreutils
- pkg-config
- python3
@@ -37,9 +28,6 @@
- strace
- subplot
- summain
- - texlive-fonts-recommended
- - texlive-latex-base
- - texlive-latex-recommended
- sysctl:
name: kernel.perf_event_paranoid
value: "0"
@@ -49,22 +37,22 @@
ansible_python_interpreter: /usr/bin/python3
sane_debian_system_version: 2
- sane_debian_system_hostname: obnam-dev
- sane_debian_system_codename: bullseye
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
sane_debian_system_timezone: Europe/Helsinki
sane_debian_system_sources_lists:
- repo: |
deb http://security.debian.org/debian-security buster/updates main
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
unix_users_version: 2
unix_users:
- username: liw
comment: Lars Wirzenius
+
rustup_cargo_install: |
flamegraph
sshd_version: 1
- sshd_allow_authorized_keys: yes
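Review bot: `sane_debian_system_codename` moves to `bookworm` but the adjacent security entry (unchanged context line) still reads `deb http://security.debian.org/debian-security buster/updates main`, so the box layers buster security packages on a bookworm base — at best ignored as older versions, at worst pinning stale libraries; it should become `deb http://security.debian.org/debian-security bookworm-security main`. The repository also changes from `unstable-ci` to `unstable` while obnam-bench in this same commit keeps `unstable-ci`; a one-line comment on which suite is meant for which kind of host would prevent drift. Dropping `sshd_allow_authorized_keys: yes` presumably makes this host cert-only, which is worth stating in a comment since the `liw` entry carries no `authorized_keys` either way.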
diff --git a/ansible/qotom.yml b/ansible/qotom.yml
index 8a1cb9f..5fc6875 100644
--- a/ansible/qotom.yml
+++ b/ansible/qotom.yml
@@ -4,23 +4,21 @@
- role: sane_debian_system
- role: sshd
- role: ssd
- - role: unix_users
- role: puomi
+ tags: [puomi]
vars:
ansible_python_interpreter: /usr/bin/python3
sane_debian_system_version: 2
sane_debian_system_hostname: "{{ inventory_hostname }}"
- sane_debian_system_codename: bullseye
+ sane_debian_system_codename: bookworm
sane_debian_system_timezone: Europe/Helsinki
- unix_users_version: 2
- unix_users:
- - username: liw
- comment: Lars Wirzenius
-
sshd_version: 1
- sshd_host_key: "{{ lookup('pipe', 'sshca host private-key qotom') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 qotom') }}"
- sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"
+ puomi_version: 1
+ puomi_lan_ip: 10.1.1.1
+ puomi_dhcp_start: 10.1.1.10
+ puomi_dhcp_end: 10.1.1.250
+ puomi_dhcp_netmask: 255.255.255.0
+ puomi_dhcp_lease: 1h
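Review bot: Dropping the `unix_users` role and the `liw` entry leaves this router with no account managed by the playbook, and the explicit `sshd_host_key`/`sshd_host_cert`/`sshd_user_ca_pub` lookups are replaced by the `all` group defaults; per the comment added to irc.liw.fi.yml in this commit those defaults look the host up by `sane_debian_system_hostname`, which here is `{{ inventory_hostname }}`, so that part should hold, but anyone logging in with a user certificate for principal `liw` now needs the account to come from the `puomi` role or the image. A comment on the roles list stating where the login account comes from (`# login account is created by the puomi role`, if that is the case) would remove the ambiguity.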
diff --git a/ansible/radicle-dev.yml b/ansible/radicle-dev.yml
new file mode 100644
index 0000000..09a3bb2
--- /dev/null
+++ b/ansible/radicle-dev.yml
@@ -0,0 +1,47 @@
+- hosts: radicle-dev
+ remote_user: debian
+ become: yes
+ roles:
+ - role: sane_debian_system
+ - role: sshd
+# - role: comfortable-debian-system
+ - role: unix_users
+ - role: rust-rustup
+ - role: liw
+ tasks:
+ - name: "install important additional packages"
+ apt:
+ name:
+# - asciidoctor
+ - build-essential
+ - curl
+ - git
+ - rsync
+ - screen
+ - moreutils
+ - tree
+# - debhelper
+# - lintian
+# - python3
+# - ripgrep
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
+ sane_debian_system_timezone: Europe/Helsinki
+ sane_debian_system_sources_lists:
+ - repo: |
+ deb http://security.debian.org/debian-security bookworm-security main contrib non-free
+
+ unix_users_version: 2
+ unix_users:
+ - username: liw
+ comment: Lars Wirzenius
+
+ sshd_version: 1
+
+ # rustup_cargo_install: |
+ # starship \
+ # zoxide
diff --git a/ansible/radicle-liw3.yaml b/ansible/radicle-liw3.yaml
new file mode 100644
index 0000000..0ad8a4e
--- /dev/null
+++ b/ansible/radicle-liw3.yaml
@@ -0,0 +1,195 @@
+- hosts: radicle-liw3
+ remote_user: debian
+ become: yes
+ roles:
+ - role: sane_debian_system
+ - role: sshd
+ - role: comfortable-debian-system
+ - role: unix_users
+ - role: rust-rustup
+ - role: liw
+ tasks:
+ - name: "install important additional packages"
+ apt:
+ name:
+ - moreutils
+ - nmap
+ - ripgrep
+
+ - name: "install radicle using installer"
+ shell: |
+ curl -sSf https://radicle.xyz/install | sudo -u liw bash
+
+ - name: "create directory for Radicle keys"
+ file:
+ state: directory
+ path: /home/liw/.radicle/keys
+ owner: liw
+ group: liw
+
+ - name: "install Radicle private key"
+ copy:
+ content: |
+ {{ lookup('pipe', 'pass show radicle/radicle-liw3/key') }}
+ dest: /home/liw/.radicle/keys/radicle
+ owner: liw
+ group: liw
+ mode: 0600
+
+ - name: "install Radicle public key"
+ copy:
+ content: |
+ {{ lookup('pipe', 'pass show radicle/radicle-liw3/key.pub') }}
+ dest: /home/liw/.radicle/keys/radicle.pub
+ owner: liw
+ group: liw
+ mode: 0644
+
+ - name: "install script to install Radicle CI stuff"
+ copy:
+ content: |
+ #!/bin/bash
+ set -xeuo pipefail
+
+ clone_install() {
+ local url dir root
+ url="$1"
+ dir="$2"
+ root="$3"
+
+ if [ ! -e "$dir" ]; then
+ git clone "$url" "$dir"
+ else
+ (cd "$dir" && git pull)
+ fi
+
+ (cd "$dir" && cargo install --path=. --root="$root")
+ }
+
+ clone_install https://radicle.liw.fi/zwTxygwuz5LDGBq255RA2CbNGrz8.git radicle-ci-broker "$(pwd)/root"
+ clone_install https://radicle.liw.fi/z3qg5TKmN83afz2fj9z3fQjU8vaYE.git radicle-native-ci "$(pwd)/root"
+
+ install root/bin/* $HOME/bin
+ dest: /home/liw/install-radicle-ci
+ owner: liw
+ group: liw
+ mode: 0755
+
+ - name: "install Radicle CI stuff"
+ shell: |
+ sudo -i -u liw bash -c 'cd /home/liw && install -d bin && ./install-radicle-ci'
+
+ - name: "install systemd unit for Radicle node"
+ copy:
+ content: |
+ [Unit]
+ After=syslog.target network.target
+ Description=Radicle Node
+
+ [Service]
+ Type=simple
+ ExecStart=/home/liw/.radicle/bin/radicle-node --listen 0.0.0.0:8776
+ Environment=RAD_HOME=/home/liw/.radicle
+ KillMode=process
+ Restart=never
+ RestartSec=1
+ User=liw
+ Group=liw
+
+ [Install]
+ WantedBy=default.target
+ dest: /lib/systemd/system/radicle-node.service
+
+ - name: "enable systemd unit for Radicle node"
+ systemd:
+ name: radicle-node
+ state: restarted
+ masked: no
+ enabled: yes
+ daemon_reload: yes
+
+ - name: "install Radicle CI broker config"
+ copy:
+ content: |
+ default_adapter: native
+ adapters:
+ native:
+ command: /home/liw/bin/radicle-native-ci
+ env:
+ RADICLE_NATIVE_CI: /home/liw/native-ci.yaml
+ filters:
+ - !And
+ - !Repository "rad:zZnk3hS8C3WAhnv7mWcCUToCqpBs"
+ - !AnyPatch
+ dest: /home/liw/ci-broker.yaml
+ owner: liw
+ group: liw
+ mode: 0644
+
+ - name: "create state directory for Radicle native CI"
+ file:
+ state: directory
+ path: /home/liw/native-ci.state
+ owner: liw
+ group: liw
+ mode: 0755
+
+ - name: "install Radicle native CI config"
+ copy:
+ content: |
+ state: /home/liw/native-ci.state
+ dest: /home/liw/native-ci.yaml
+ owner: liw
+ group: liw
+ mode: 0644
+
+ - name: "install systemd unit for Radicle CI broker"
+ copy:
+ content: |
+ [Unit]
+ After=radicle-node.service
+ Description=Radicle CI broker
+
+ [Service]
+ Type=simple
+ Environment=RAD_HOME=/home/liw/.radicle
+ Environment=RUST_LOG=trace
+ ExecStart=bash -c '/home/liw/bin/ci-broker /home/liw/ci-broker.yaml >> /home/liw/broker.log'
+ KillMode=process
+ Restart=never
+ RestartSec=1
+ User=liw
+ Group=liw
+
+ [Install]
+ WantedBy=default.target
+ dest: /lib/systemd/system/radicle-ci-broker.service
+
+ - name: "enable systemd unit for Radicle CI broker"
+ systemd:
+ name: radicle-ci-broker
+ state: restarted
+ masked: no
+ enabled: yes
+ daemon_reload: yes
+
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
+ sane_debian_system_timezone: Europe/Helsinki
+ sane_debian_system_sources_lists:
+ - repo: |
+ deb http://security.debian.org/debian-security bookworm-security main contrib non-free
+
+ unix_users_version: 2
+ unix_users:
+ - username: liw
+ comment: Lars Wirzenius
+
+ sshd_version: 1
+
+ rustup_cargo_install: |
+ starship
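Review bot: `Restart=never` is not, as far as I can tell, a value systemd accepts for `Restart=` (the documented ones are `no`, `on-success`, `on-failure`, `on-abnormal`, `on-watchdog`, `on-abort`, `always`), so both units log a parse warning and fall back to the default `no`; if that is the intent write `Restart=no`, at which point `RestartSec=1` is dead. The `copy` task that writes the Radicle private key pulls it out of `pass` into task args without `no_log: true`, so a `-v` or `--diff` run prints the key; add `no_log: true` to that task. `curl -sSf https://radicle.xyz/install | sudo -u liw bash` fetches and executes an unpinned script on every play run with no checksum or signature check, and the broker unit runs with `RUST_LOG=trace` appending unbounded to `/home/liw/broker.log` via the `bash -c '... >>'` wrapper; at minimum pin the installer to a release or hash and let journald capture the log. Also the file is `radicle-liw3.yaml` while every sibling playbook uses `.yml`.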
diff --git a/ansible/radicle-multi.yml b/ansible/radicle-multi.yml
new file mode 100644
index 0000000..b63660c
--- /dev/null
+++ b/ansible/radicle-multi.yml
@@ -0,0 +1,49 @@
+- hosts: radicle-multi
+ remote_user: debian
+ become: yes
+ roles:
+ - role: sane_debian_system
+ - role: sshd
+ - role: comfortable-debian-system
+ - role: unix_users
+ - role: liw
+ tasks:
+ - name: "disable access to seed.radicle.garden in DNS"
+ lineinfile:
+ path: /etc/hosts
+ regex: seed.radicle.garden
+ line: 127.0.0.1 seed.radicle.garden
+
+ - name: "disable access to seed.radicle.xyz in DNS"
+ lineinfile:
+ path: /etc/hosts
+ regex: seed.radicle.xyz
+ line: 127.0.0.1 seed.radicle.xyz
+
+ - name: "install important additional packages"
+ apt:
+ name:
+ - curl
+ - jq
+ - moreutils
+ - radicle
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
+ sane_debian_system_timezone: Europe/Helsinki
+ sane_debian_system_sources_lists:
+ - repo: |
+ deb http://security.debian.org/debian-security bookworm-security main contrib non-free
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
+
+ unix_users_version: 2
+ unix_users:
+ - username: liw
+ comment: Lars Wirzenius
+ sudo: yes
+
+ sshd_version: 1
diff --git a/ansible/radicle-other-node.yml b/ansible/radicle-other-node.yml
new file mode 100644
index 0000000..658fbc0
--- /dev/null
+++ b/ansible/radicle-other-node.yml
@@ -0,0 +1,148 @@
+- hosts: radicle-other-node
+ remote_user: debian
+ become: yes
+ roles:
+ - role: sane_debian_system
+ - role: sshd
+ - role: unix_users
+ - role: rust-rustup
+ - role: liw
+ tasks:
+ - apt:
+ name:
+ - curl
+ - git
+ - jq
+ - man-db
+ - psmisc
+ - rsync
+ - screen
+ - sqlite3
+ - vim
+ - w3m
+
+ - name: "install radicle using installer"
+ shell: |
+ filename="/home/liw/.radicle/bin/rad"
+
+ install=false
+ if [ ! -e "$filename" ]; then
+ install=true
+ else
+ weekago="$(date -d 'week ago' +%s)"
+ mtime="$(stat -c %Y "$filename")"
+ if [ "$mtime" -lt "$weekago" ]; then
+ install=true
+ fi
+ fi
+
+ if $install; then
+ curl -sSf https://radicle.xyz/install | sudo -u liw bash
+ fi
+
+ - name: "create liw/.radicle/keys"
+ file:
+ state: directory
+ path: /home/liw/.radicle/keys
+ owner: liw
+ group: liw
+ mode: 0755
+
+ - name: "install radicle private key"
+ copy:
+ content: "{{ radicle_key }}"
+ dest: /home/liw/.radicle/keys/radicle
+ owner: liw
+ group: liw
+ mode: 0600
+
+ - name: "install radicle public key"
+ copy:
+ content: "{{ radicle_pub }}"
+ dest: /home/liw/.radicle/keys/radicle.pub
+ owner: liw
+ group: liw
+ mode: 0644
+
+ - name: "configure rad"
+ copy:
+ content: |
+ {
+ "publicExplorer": "https://app.radicle.xyz/nodes/$host/$rid$path",
+ "preferredSeeds": [
+ ],
+ "web": {
+ "pinned": {
+ "repositories": []
+ }
+ },
+ "cli": {
+ "hints": true
+ },
+ "node": {
+ "alias": "liw-other-node",
+ "listen": [],
+ "peers": {
+ "type": "dynamic",
+ "target": 8
+ },
+ "connect": [
+ "z6MkfXa53s1ZSFy8rktvyXt5ADCojnxvjAoQpzajaXyLqG5n@radicle.liw.fi:8776"
+ ],
+ "externalAddresses": [],
+ "network": "main",
+ "relay": true,
+ "limits": {
+ "routingMaxSize": 1000,
+ "routingMaxAge": 604800,
+ "gossipMaxAge": 1209600,
+ "fetchConcurrency": 1,
+ "maxOpenFiles": 4096,
+ "rate": {
+ "inbound": {
+ "fillRate": 0.2,
+ "capacity": 32
+ },
+ "outbound": {
+ "fillRate": 1.0,
+ "capacity": 64
+ }
+ }
+ },
+ "policy": "block",
+ "scope": "followed"
+ }
+ }
+ dest: /home/liw/.radicle/config.json
+ owner: liw
+ group: liw
+ mode: 0644
+
+ - name: "create /srv/http"
+ file:
+ state: directory
+ path: /srv/http
+ owner: liw
+ group: liw
+ mode: 0o755
+
+ vars:
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
+ sane_debian_system_timezone: Europe/Helsinki
+ sane_debian_system_sources_lists:
+ - repo: |
+ deb http://security.debian.org/debian-security bookworm-security main
+
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
+
+ unix_users_version: 2
+ unix_users:
+ - username: liw
+
+ sshd_version: 1
+
+ radicle_key: "{{ lookup('pipe', 'pass radicle/radicle-other-node/key') }}"
+ radicle_pub: "{{ lookup('pipe', 'pass radicle/radicle-other-node/key.pub') }}"
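Review bot: The `install radicle private key` task copies `{{ radicle_key }}` without `no_log: true`, so verbose or `--diff` runs print the node's private key; add `no_log: true` there (the public-key task can stay as is). The weekly re-install block runs `curl -sSf https://radicle.xyz/install | sudo -u liw bash` whenever `rad` is older than seven days, which silently upgrades the node from an unverified script on a timer; if a periodic refresh is wanted, pin a release and verify a checksum, and give the shell task a `changed_when` so it stops reporting changed on every run. Minor: `mode: 0o755` on `/srv/http` is the only `0o` form in the file while the other tasks use `0755`; Ansible's own advice is the quoted string `'0755'` for all of them.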
diff --git a/ansible/radicle-test.yml b/ansible/radicle-test.yml
new file mode 100644
index 0000000..31f627a
--- /dev/null
+++ b/ansible/radicle-test.yml
@@ -0,0 +1,43 @@
+- hosts: radicle-test
+ remote_user: debian
+ become: yes
+ roles:
+ - role: sane_debian_system
+ - role: sshd
+ - role: unix_users
+ - role: liw
+ - role: rust-rustup
+ tasks:
+ - apt:
+ name:
+ - git
+ - moreutils
+ - psmisc
+ - rsync
+ - screen
+
+ - copy:
+ content: |
+ * hard nofile 4000
+ dest: /etc/security/limits.d/nofile.conf
+
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
+ sane_debian_system_timezone: Europe/Helsinki
+ sane_debian_system_sources_lists:
+ - repo: |
+ deb http://security.debian.org/debian-security bookworm-security main contrib non-free
+ - repo: |
+ deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
+
+ unix_users_version: 2
+ unix_users:
+ - username: liw
+ comment: Lars Wirzenius
+
+ sshd_version: 1
diff --git a/ansible/radicle-verify b/ansible/radicle-verify
new file mode 100755
index 0000000..da8fba9
--- /dev/null
+++ b/ansible/radicle-verify
@@ -0,0 +1,83 @@
+#!/usr/bin/python3
+
+import argparse
+import shlex
+import subprocess
+
+
+def debug(msg):
+ if False:
+ print(msg)
+
+
+class RadicleHost:
+ def __init__(self, host=None, ssh_user=None, rad_user=None):
+ assert host is not None
+ self.host = host
+
+ assert ssh_user is not None
+ self.ssh_user = ssh_user
+
+ assert rad_user is not None
+ self.rad_user = rad_user
+
+ self._path = None
+
+ def _ssh(self, caller_args, as_rad_user=True):
+ base_argv = ["ssh", f"{self.ssh_user}@{self.host}"]
+ sudo_argv = ["sudo", "-u", self.rad_user]
+
+ if self._path is None:
+ path_argv = base_argv + sudo_argv + ["env"]
+ debug(f"PATH_ARGV: {path_argv!r}")
+ p = subprocess.run(
+ path_argv,
+ check=True,
+ capture_output=True,
+ )
+ path = [
+ line.strip()
+ for line in p.stdout.decode().splitlines()
+ if line.startswith("PATH=")
+ ][0][len("PATH=") :]
+ self._path = f"/home/{self.rad_user}/.radicle/bin:{path}"
+
+ argv = base_argv
+ if as_rad_user:
+ argv += sudo_argv + ["env", f"PATH={self._path}"]
+ argv += [shlex.quote(a) for a in caller_args]
+ debug(f"ARGV: {argv!r}")
+ p = subprocess.run(
+ argv,
+ capture_output=True,
+ )
+ if p.returncode != 0:
+ raise Exception(
+ f"ssh failed, exit code {p.returncode}:\n{p.stderr.decode()}"
+ )
+ return p.stdout.decode()
+
+ def can_become_rad_user(self):
+ out = self._ssh(["id", "-nu"])
+ assert out.strip() == self.rad_user
+ print("OK: can become rad user")
+
+ def node_is_running(self):
+ out = self._ssh(["env", "TERM=dumb", "rad", "node", "status"])
+ assert "is running" in out.splitlines()[0]
+ print("OK: node is running")
+
+
+def main():
+ p = argparse.ArgumentParser()
+ p.add_argument("--host", required=True)
+ p.add_argument("--ssh-user", required=True)
+ p.add_argument("--rad-user", default="_rad")
+ args = p.parse_args()
+ rad = RadicleHost(host=args.host, ssh_user=args.ssh_user, rad_user=args.rad_user)
+
+ rad.can_become_rad_user()
+ rad.node_is_running()
+
+
+main()
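Review bot: The checks in `can_become_rad_user` and `node_is_running` rely on bare `assert`, which `python3 -O` strips, so the script would then print OK unconditionally; turn them into explicit `if ...: sys.exit("FAIL: ...")` checks. `out.splitlines()[0]` in `node_is_running` raises `IndexError` on empty output, and the `PATH=` comprehension in `_ssh` does the same if `env` prints no PATH line, both masking the real failure; guard them with a clear message. `debug` is gated on a literal `if False:`, where a `--verbose` flag or an env var would be the usual switch. Also `argv = base_argv` followed by `argv += ...` mutates `base_argv` in place — harmless today since it is rebuilt per call, but `argv = list(base_argv)` makes the intent explicit.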
diff --git a/ansible/radicle.liw.fi.yml b/ansible/radicle.liw.fi.yml
new file mode 100644
index 0000000..479242d
--- /dev/null
+++ b/ansible/radicle.liw.fi.yml
@@ -0,0 +1,116 @@
+- hosts: radicle.liw.fi
+ remote_user: root
+ become: yes
+ roles:
+ - role: sane_debian_system
+ - role: sshd
+ - role: unix_users
+ - role: rust-rustup
+ - role: radicle_node
+ tasks:
+ - name: "install convenience packages"
+ apt:
+ name:
+ - jq
+ - moreutils
+ - psmisc
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
+ sane_debian_system_timezone: Europe/Helsinki
+ sane_debian_system_sources_lists:
+ - repo: |
+ deb http://security.debian.org/debian-security bookworm-security main contrib non-free
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
+
+ unix_users_version: 2
+ unix_users:
+ - username: _rad
+ comment: Radicle node
+
+ sshd_version: 1
+
+ radicle_node_version: 1
+ radicle_node_key: "{{ lookup('pipe', 'pass radicle/radicle.liw.fi/key') }}"
+ radicle_node_key_pub: "{{ lookup('pipe', 'pass radicle/radicle.liw.fi/key.pub') }}"
+ radicle_node_connections:
+ - nid: z6MkhfTshN2uPFBGcxBsZW7Mbof1TgkphBqr5dFTWd1hbNUq
+ host: seed.liw.fi
+ port: 8776
+ radicle_node_repositories:
+ # heartwood
+ - rid: "rad:z3gqcJUoA1n9HaHKufZs5FCSGazv5"
+
+ # pathdedup test repo
+ - rid: "rad:zZnk3hS8C3WAhnv7mWcCUToCqpBs"
+
+ # ansibleness
+ - rid: "rad:z3sckw1Xm8j5URDJz1zeESHfFYDEc"
+
+ # debian-ansible
+ - rid: "rad:z3LXXus6Wu93LuSuuuSBPcFkDiyCW"
+
+ # html-page
+ - rid: "rad:z2i9UF8soK1X6L9hae8UcQPSvdHjW"
+
+ # liw-dot-files
+ - rid: "rad:z2xcsrnG8dC76bkxXsASZbWGH5N2w"
+
+ # radicle-stress-test
+ - rid: "rad:z2HXqzZMRhZUiYm33pLgYfqBgcGCj"
+
+ # radicle-ci-broker
+ - rid: "rad:zwTxygwuz5LDGBq255RA2CbNGrz8"
+
+ # radicle-native-ci
+ - rid: "rad:z3qg5TKmN83afz2fj9z3fQjU8vaYE"
+
+ # riki
+ - rid: "rad:zw9BgStPgCkdsMspzs7EGbwnXq3r"
+
+ # wumpus hunter
+ - rid: "rad:zd4kAF7rQFKbCHAdbcF6zVkx8MyN"
+
+ # missing-dependencies
+ - rid: "rad:z3PKKNstRjLYqhvGq9rxGy7LoEVr5"
+
+ # vmdb2
+ - rid: "rad:z2kxCtBwDQMPcaf9vGTNH5nYkp9qk"
+
+ # vmdb2-web
+ - rid: "rad:z2mn6wzpVAuJoeWx7TZo33nCHuDfQ"
+ radicle_node_domain_name: radicle.liw.fi
+ radicle_node_ci_domain_name: ci.radicle.liw.fi
+ radicle_node_ci_broker_config: |
+ db: /home/_rad/ci-broker.db
+ report_dir: /srv/http
+ default_adapter: native
+ adapters:
+ native:
+ command: /bin/radicle-native-ci
+ env:
+ RADICLE_NATIVE_CI: /home/_rad/native-ci.yaml
+ filters:
+ - !Or
+ - !And
+ - !Repository "rad:zZnk3hS8C3WAhnv7mWcCUToCqpBs"
+ - !AnyPatch
+ - !And
+ - !Repository "rad:z3gqcJUoA1n9HaHKufZs5FCSGazv5"
+ - !AnyPatch
+ - !And
+ - !Repository "rad:zwTxygwuz5LDGBq255RA2CbNGrz8"
+ - !AnyPatch
+ - !And
+ - !Repository "rad:z3qg5TKmN83afz2fj9z3fQjU8vaYE"
+ - !AnyPatch
+ radicle_node_policy: block
+ radicle_node_scope: all
+
+ # radicle_node_backup: /home/liw/data/radicle.liw.fi/.
+
+ rust_rustup_user: _rad
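Review bot: The CI broker config runs the native adapter with `RADICLE_NATIVE_CI: /home/_rad/native-ci.yaml` and `db: /home/_rad/ci-broker.db`, which suggests the broker — and so every CI run for any patch matching `!AnyPatch` on the listed public repos — executes as `_rad`, the same account that holds the node key installed from `radicle_node_key`; a malicious patch would then run with read access to that key (the role's unit files are not visible here, so please confirm). Running CI jobs under a separate unprivileged user or a container and keeping `_rad` for the node alone would limit that, and a comment next to `radicle_node_ci_broker_config` stating which user the adapter runs as would document the decision either way. `remote_user: root` together with `become: yes` is redundant, and since `radicle_node_key` is pulled from `pass` into a plain var, the role's copy task needs `no_log: true` if it does not already have it.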
diff --git a/ansible/rikiwiki-dev.yml b/ansible/riki-dev.yml
index 79c7139..67b9b9b 100644
--- a/ansible/rikiwiki-dev.yml
+++ b/ansible/riki-dev.yml
@@ -1,4 +1,4 @@
-- hosts: rikiwiki-dev
+- hosts: riki-dev
remote_user: debian
become: yes
roles:
@@ -18,22 +18,8 @@
- apt:
name:
- build-essential
- - daemonize
- debhelper
- - dh-cargo
- - graphviz
- - librsvg2-bin
- - linux-perf
- - lmodern
- pandoc
- - pandoc-citeproc
- - plantuml
- - python3
- - python3-requests
- - texlive-fonts-recommended
- - texlive-latex-base
- - texlive-latex-recommended
- - texlive-plain-generic
- sysctl:
name: kernel.perf_event_paranoid
value: "0"
@@ -43,15 +29,15 @@
ansible_python_interpreter: /usr/bin/python3
sane_debian_system_version: 2
- sane_debian_system_hostname: rikiwiki-dev
- sane_debian_system_codename: bullseye
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
sane_debian_system_timezone: Europe/Helsinki
sane_debian_system_sources_lists:
- repo: |
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
+ - repo: deb http://apt.liw.fi/debian unstable-ci main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
unix_users_version: 2
unix_users:
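Review bot: The codename becomes `bookworm` but the security entry on the unchanged context line still says `deb http://security.debian.org/debian-security bullseye-security main contrib non-free`, so this host mixes bullseye security packages into a bookworm base; it should read `bookworm-security`, as the new radicle playbooks in this commit already do. A comment above the sources list such as `# keep the security suite in step with sane_debian_system_codename` would make the coupling obvious next time the release is bumped.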
diff --git a/ansible/roles/apt-repository/files/process-incoming b/ansible/roles/apt-repository/files/process-incoming
new file mode 100644
index 0000000..b668c88
--- /dev/null
+++ b/ansible/roles/apt-repository/files/process-incoming
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+(
+ # sleep for a few seconds so that dput has time to chmod the uploaded
+ # file.
+ sleep 10
+ date
+ echo "Processing incoming"
+ reprepro -v -b /srv/apt processincoming default
+ reprepro -v -b /srv/apt export
+ rm -f incoming/*.buildinfo
+ echo "Finished processing incoming"
+) 2>&1 >>/home/apt/reprepro.log
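Review bot: The final redirect `2>&1 >>/home/apt/reprepro.log` sends stderr to the original stdout, not to the log, because redirections apply left to right, so reprepro's errors go wherever incron puts them; it should read `>>/home/apt/reprepro.log 2>&1`. `rm -f incoming/*.buildinfo` is relative to whatever cwd incron starts the script in, which is unlikely to be `/srv/apt`, so it deletes nothing or the wrong directory's files; use `/srv/apt/incoming/*.buildinfo`. The `sleep 10` is a timing guess rather than a synchronisation: a slow upload still races it, so triggering on `IN_CLOSE_WRITE` of the `.changes` file would be more robust, and `set -eu` at the top would stop the `export` from running after a failed `processincoming`.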
diff --git a/ansible/roles/apt-repository/handlers/main.yml b/ansible/roles/apt-repository/handlers/main.yml
new file mode 100644
index 0000000..a7ec2ee
--- /dev/null
+++ b/ansible/roles/apt-repository/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart apache2
+ service:
+ name: apache2
+ state: restarted
diff --git a/ansible/roles/apt-repository/tasks/main.yml b/ansible/roles/apt-repository/tasks/main.yml
new file mode 100644
index 0000000..6bf8412
--- /dev/null
+++ b/ansible/roles/apt-repository/tasks/main.yml
@@ -0,0 +1,133 @@
+- name: "install software needed for APT repository management"
+ apt:
+ name:
+ - apache2
+ - incron
+ - reprepro
+
+- name: "create root directory for APT repository"
+ file:
+ state: directory
+ path: /srv/apt
+ owner: apt
+ group: apt
+ mode: 0755
+
+- name: "create incoming directory for APT repository"
+ file:
+ state: directory
+ path: /srv/apt/incoming
+ owner: apt
+ group: incoming
+ mode: 0775
+
+- name: "create .gnupg for apt user"
+ file:
+ state: directory
+ dest: /home/apt/.gnupg
+ owner: apt
+ group: apt
+ mode: 0700
+
+- name: "install temporary copies of gpg keys for repository signing"
+ copy:
+ content: "{{ item.content }}"
+ dest: "/home/apt/{{ item.name }}"
+ owner: apt
+ group: apt
+ mode: 0600
+ with_items:
+ - content: "{{ apt_signing_key }}"
+ name: key
+ - content: "{{ apt_signing_key_pub }}"
+ name: key.pub
+
+- name: "import gpg keys for apt"
+ shell: |
+ cd /home/apt
+ sudo -u apt gpg --import key key.pub
+
+- name: "delete temporary copies of keys"
+ file:
+ dest: "/home/apt/{{ item }}"
+ state: absent
+ with_items:
+ - key
+ - key.pub
+
+- name: "allow apt user to use incron"
+ lineinfile:
+ dest: /etc/incron.allow
+ line: apt
+
+- name: "crate reprepro configuration directory"
+ file:
+ path: /srv/apt/conf
+ state: directory
+
+- name: "create reprepro temp directory"
+ file:
+ state: directory
+ dest: /srv/apt/tmp
+ owner: apt
+ group: apt
+ mode: 0755
+
+- name: "configure reprepro distributions"
+ template:
+ src: distributions.j2
+ dest: /srv/apt/conf/distributions
+
+- name: "configure reprepro uploaders"
+ template:
+ src: uploaders.j2
+ dest: /srv/apt/conf/uploaders
+
+- name: "configure reprepro incoming"
+ template:
+ src: incoming.j2
+ dest: /srv/apt/conf/incoming
+ owner: apt
+ group: incoming
+ mode: 01777
+
+- name: "create web root directory"
+ file:
+ state: directory
+ path: /srv/http
+
+- name: "install an index page in the web root directory"
+ copy:
+ content: |
+ {{ apt_index_content }}
+ dest: /srv/http/index.html
+
+- name: "configure apache to server APT repository over http"
+ template:
+ src: 000-default.conf
+ dest: /etc/apache2/sites-enabled/000-default.conf
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart apache2
+
+- name: "install script to process uploads to APT"
+ copy:
+ src: process-incoming
+ dest: /home/apt/process-incoming
+ owner: apt
+ group: apt
+ mode: 0755
+
+- name: "create incrontab for apt"
+ copy:
+ content: |
+ /srv/apt/incoming IN_CLOSE_WRITE /home/apt/process-incoming
+ dest: /home/apt/incrontab
+ owner: apt
+ group: apt
+ mode: 0644
+
+- name: "set up incrontab for processing incoming uploads"
+ shell: |
+ sudo -u apt incrontab /home/apt/incrontab
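Review bot: The "configure reprepro incoming" task gives the rendered `/srv/apt/conf/incoming` file `mode: 01777`, a directory mode that looks copied from the incoming-directory task; the result is a world-writable, sticky configuration file, and since reprepro reads it to decide which directory and distributions uploads are accepted into, any local account can rewrite that policy. A config file wants `mode: 0644` with `owner: root` (the `group: incoming` entry can go with it). Ansible also recommends passing modes as quoted strings (`mode: "0755"`) so the YAML loader does not turn them into integers, which applies to every `mode:` in this file. The task name "crate reprepro configuration directory" has a typo for "create".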
diff --git a/ansible/roles/apt-repository/templates/000-default.conf b/ansible/roles/apt-repository/templates/000-default.conf
new file mode 100644
index 0000000..b62e1fd
--- /dev/null
+++ b/ansible/roles/apt-repository/templates/000-default.conf
@@ -0,0 +1,18 @@
+<VirtualHost _default_>
+ ServerAdmin {{ apt_admin_email }}
+
+ DocumentRoot /srv/http
+ Alias "/debian" "/srv/apt"
+
+ <Directory /srv/http>
+ Require all granted
+ </Directory>
+
+ <Directory /srv/apt>
+ Options +Indexes
+ Require all granted
+ </Directory>
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+</VirtualHost>
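Review bot: `Alias "/debian" "/srv/apt"` combined with `Options +Indexes` on that directory publishes the whole reprepro tree, not only `dists/` and `pool/`: `conf/` (uploaders and incoming policy), `db/`, `tmp/` and `incoming/` become browsable and downloadable, and `incoming/` holds uploads before they have been checked. Deny those paths inside the vhost, e.g. `<DirectoryMatch "^/srv/apt/(conf|db|incoming|tmp)">` / `Require all denied` / `</DirectoryMatch>`, or alias only `/srv/apt/dists` and `/srv/apt/pool`.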
diff --git a/ansible/roles/apt-repository/templates/distributions.j2 b/ansible/roles/apt-repository/templates/distributions.j2
new file mode 100644
index 0000000..ab3f861
--- /dev/null
+++ b/ansible/roles/apt-repository/templates/distributions.j2
@@ -0,0 +1,12 @@
+{% for dist in apt_distributions %}
+
+Codename: {{ dist.codename }}
+Suite: {{ dist.codename }}
+Origin: {{ apt_domain }}
+Description: {{ dist.description }}
+Architectures: source {{ dist.architectures|default('amd64') }}
+Components: {{ dist.components|default('main') }}
+Uploaders: uploaders
+Tracking: keep
+SignWith: {{ apt_signing_key_fingerprint }}
+{% endfor %}
diff --git a/ansible/roles/apt-repository/templates/incoming.j2 b/ansible/roles/apt-repository/templates/incoming.j2
new file mode 100644
index 0000000..548c44b
--- /dev/null
+++ b/ansible/roles/apt-repository/templates/incoming.j2
@@ -0,0 +1,5 @@
+Name: default
+IncomingDir: incoming
+TempDir: tmp
+Cleanup: on_error
+Allow: {% for dist in apt_distributions %} {{ dist.codename }} {% endfor %}
diff --git a/ansible/roles/apt-repository/templates/uploaders.j2 b/ansible/roles/apt-repository/templates/uploaders.j2
new file mode 100644
index 0000000..0891e6d
--- /dev/null
+++ b/ansible/roles/apt-repository/templates/uploaders.j2
@@ -0,0 +1 @@
+allow * by unsigned
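Review bot: `allow * by unsigned` accepts any .changes file that appears in the incoming directory regardless of signature, and the tasks file in this commit creates that directory as `group: incoming`, `mode: 0775`, so membership of the `incoming` group is enough to get an arbitrary package published under the repository's signing key. If uploads come from known people or a CI runner, require their signatures instead, one line per uploader: `allow * by key <uploader key fingerprint>`; at minimum `allow * by any key` makes reprepro reject an unsigned drop. reprepro consults this file during `processincoming`, so no other plumbing changes.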
diff --git a/ansible/roles/debian-mirror/files/mirror-debian b/ansible/roles/debian-mirror/files/mirror-debian
index 93eca56..29ff019 100644
--- a/ansible/roles/debian-mirror/files/mirror-debian
+++ b/ansible/roles/debian-mirror/files/mirror-debian
@@ -11,7 +11,7 @@ debmirror \
--rsync-extra=trace \
--arch=amd64 \
--getcontents \
- --dist=bullseye \
+ --dist=stable \
-v \
"$mirror_root"
diff --git a/ansible/roles/debian-mirror/tasks/main.yml b/ansible/roles/debian-mirror/tasks/main.yml
index 71b7e0c..0c68110 100644
--- a/ansible/roles/debian-mirror/tasks/main.yml
+++ b/ansible/roles/debian-mirror/tasks/main.yml
@@ -2,6 +2,7 @@
apt:
name:
- debmirror
+ - screen
- name: "install mirror-debian script"
copy:
@@ -9,12 +10,19 @@
dest: /usr/local/bin
mode: 0755
+- name: "create directory for mirror"
+ file:
+ state: directory
+ path: /srv/http/debmirror/debian
+ owner: debmirror
+ group: debmirror
+
- name: "install cronjob for mirroring Debian"
cron:
name: "mirror Debian"
user: debmirror
minute: "0"
- hour: "5,19"
+ hour: "12"
job: "/usr/local/bin/mirror-debian /srv/http/debmirror/debian"
- name: "set MAILTO in crontab"
@@ -23,4 +31,3 @@
env: yes
name: MAILTO
value: root
-
diff --git a/ansible/roles/emacs/tasks/main.yml b/ansible/roles/emacs/tasks/main.yml
index 81962f4..e21ab48 100644
--- a/ansible/roles/emacs/tasks/main.yml
+++ b/ansible/roles/emacs/tasks/main.yml
@@ -2,9 +2,4 @@
apt:
name:
- emacs
- - emacs-goodies-el
- debian-el
- - elpa-markdown-mode
- - elpa-magit
- - yaml-mode
- - elpa-go-mode
diff --git a/ansible/roles/gnome-system/tasks/main.yml b/ansible/roles/gnome-system/tasks/main.yml
index 4c4c587..0d4dca7 100644
--- a/ansible/roles/gnome-system/tasks/main.yml
+++ b/ansible/roles/gnome-system/tasks/main.yml
@@ -12,7 +12,7 @@
- keepass2
# - revelation
# - mumble
- - gnome-shell-timer
+# - gnome-shell-timer
- fonts-freefont-ttf
- fonts-symbola
- fonts-inconsolata
@@ -53,15 +53,27 @@
- system-config-printer
- darktable
- - flatpak
- gnome-software-plugin-flatpak
- libreoffice
+ - gnome-shell-extension-manager
+
# This seems to be wanted by something in the GNOME app stack.
# Installing it will stop a lot of apps from whinging at startup.
- libcanberra-gtk-module
+- name: "add flatpak from backports"
+ shell: |
+ DEBIAN_FRONTEND=noninteractive \
+ apt-get install -y flatpak
+
- name: Add flathub
shell: |
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
+
+- name: install flatpaks from flathub
+ shell: |
+ flatpak install --system --app --noninteractive flathub org.mozilla.firefox
+ flatpak install --system --app --noninteractive flathub org.signal.Signal
+ flatpak install --system --app --noninteractive flathub org.telegram.desktop
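Review bot: The "add flatpak from backports" task does not install from backports: the `apt-get install -y flatpak` line passes no `-t <codename>-backports` target, so it takes the regular suite's package, and as a shell task it reports changed on every run. The `apt` module covers both, e.g. `apt: name: flatpak, default_release: "{{ sane_debian_system_codename }}-backports"` (the backports entry has to be in the sources lists already). The three `flatpak install` lines would likewise benefit from a `creates:` argument or a `changed_when:` based on `flatpak list`, so a rerun is a no-op.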
diff --git a/ansible/roles/holywood2/files/exports b/ansible/roles/holywood2/files/exports
index 92dc38d..f90ff7c 100644
--- a/ansible/roles/holywood2/files/exports
+++ b/ansible/roles/holywood2/files/exports
@@ -1,6 +1,8 @@
/mnt/soile/pupu 10.0.0.0/24(rw,nohide,async,no_subtree_check,insecure)
/mnt/soile/pupu 10.1.1.0/24(rw,nohide,async,no_subtree_check,insecure)
/mnt/soile/pupu 10.2.2.0/24(rw,nohide,async,no_subtree_check,insecure)
+/mnt/soile/pupu 10.3.1.0/24(rw,nohide,async,no_subtree_check,insecure)
/mnt/media 10.0.0.0/24(ro,nohide,async,no_subtree_check,insecure)
/mnt/media 10.1.1.0/24(ro,nohide,async,no_subtree_check,insecure)
/mnt/media 10.2.2.0/24(ro,nohide,async,no_subtree_check,insecure)
+/mnt/media 10.3.1.0/24(ro,nohide,async,no_subtree_check,insecure)
diff --git a/ansible/roles/holywood2/tasks/main.yml b/ansible/roles/holywood2/tasks/main.yml
index 1da48db..b67ae16 100644
--- a/ansible/roles/holywood2/tasks/main.yml
+++ b/ansible/roles/holywood2/tasks/main.yml
@@ -8,11 +8,11 @@
src: ssh-config
dest: /home/root/.ssh/config
-- name: symlink /root/.ssh to /home/root/.ssh
- file:
- state: link
- src: /home/root/.ssh
- path: /root/.ssh
+# - name: symlink /root/.ssh to /home/root/.ssh
+# file:
+# state: link
+# src: /home/root/.ssh
+# path: /root/.ssh
- name: create soile group
group:
@@ -65,3 +65,12 @@
owner: root
group: root
mode: 0755
+
+- name: install SSH client config
+ copy:
+ content: |
+ Host nalanda
+ hostname nalanda.liw.fi
+ ProxyJump exolobe2
+ dest: /root/.ssh/config
+ mode: 0644
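Review bot: With the `/root/.ssh` symlink now commented out in the first hunk, the earlier `src: ssh-config` task that writes `/home/root/.ssh/config` (context at the top of that hunk) no longer affects root's ssh client, while this new task writes a second, different config straight to `/root/.ssh/config`; one of the two is dead and they will drift. Keep a single source, either by pointing the new task's `dest` at the file the existing `ssh-config` copy manages or by dropping that copy. On a host where `/root/.ssh` only existed as the removed symlink, `copy` will also fail because it does not create the parent directory; a `file: state: directory, mode: "0700"` task before it covers that case.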
diff --git a/ansible/roles/liw/tasks/main.yml b/ansible/roles/liw/tasks/main.yml
index 99f1b47..916d140 100644
--- a/ansible/roles/liw/tasks/main.yml
+++ b/ansible/roles/liw/tasks/main.yml
@@ -8,6 +8,21 @@
sudo -u liw -i bash -c "pwd && ./liw-dot-files/make-symlinks"
sudo -u liw -i bash -c "ln -nsf liw-dot-files/gitconfig-exolobe1 .gitconfig"
+- name: "make sure ~liw/.ssh/known_hosts exists"
+ shell: |
+ dir=/home/liw/.ssh
+ k="$dir/known_hosts"
+ if ! [ -e "$dir" ]; then install -d -o liw -g liw -m 0755 "$dir"; fi
+ if ! [ -e "$k" ]; then touch "$k"; fi
+
+- name: "configure liw SSH known hosts"
+ lineinfile:
+ line: "@cert-authority * ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIW1QmBC3OLsjpUv1gIYBHSN5tWhPOHHzDIXgj8d1Hg1"
+ path: /home/liw/.ssh/known_hosts
+ owner: liw
+ group: liw
+ mode: 0644
+
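Review bot: The "make sure ~liw/.ssh/known_hosts exists" shell task reports changed on every run and hand-rolls what the modules already do: `file: path: /home/liw/.ssh, state: directory, owner: liw, group: liw, mode: "0700"` creates the directory idempotently, and `lineinfile` takes `create: true` (with the owner/group/mode it is already given) so the file need not be touched in advance; the shell version also creates `known_hosts` as root with the default umask before lineinfile fixes it up. The `@cert-authority *` pattern trusts host certificates from this CA for any hostname; if the CA only signs liw.fi hosts, narrowing the pattern to the domains it actually covers limits what a compromised CA key could vouch for.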
- name: "create ~liw/src and ~liw/cargo"
file:
state: directory
diff --git a/ansible/roles/smarthost-client/files/aliases b/ansible/roles/mail-client/files/aliases
index 040d695..040d695 100644
--- a/ansible/roles/smarthost-client/files/aliases
+++ b/ansible/roles/mail-client/files/aliases
diff --git a/ansible/roles/mail-client/tasks/main.yml b/ansible/roles/mail-client/tasks/main.yml
index 63df37e..ba40678 100644
--- a/ansible/roles/mail-client/tasks/main.yml
+++ b/ansible/roles/mail-client/tasks/main.yml
@@ -1,9 +1,45 @@
-- name: "install email stuff"
+- name: "install mail client packages"
apt:
name:
- - mutt
- - notmuch
- - notmuch-mutt
- - offlineimap
- - procmail
- - clab
+ - isync
+ - libsasl2-modules
+ - mailutils
+ - mutt
+ - notmuch
+ - notmuch-mutt
+ - postfix
+
+- name: "configure postfix"
+ template:
+ src: main.cf
+ dest: /etc/postfix/main.cf
+ notify: restart postfix
+
+- name: "set mailname"
+ copy:
+ content: "{{ mailname }}\n"
+ dest: /etc/mailname
+ owner: root
+ group: root
+ mode: 0644
+
+- name: "set smarthost relay credentials"
+ template:
+ src: sasl_passwd
+ dest: /etc/postfix/sasl_passwd
+ mode: 0600
+
+- name: "postmap relay credentials"
+ shell: |
+ postmap /etc/postfix/sasl_passwd
+
+- name: "install aliases"
+ copy:
+ src: aliases
+ dest: /etc/aliases
+ owner: root
+ group: root
+ mode: 0644
+
+- name: "run newaliases"
+ shell: newaliases
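Review bot: The "configure postfix" task notifies `restart postfix`, but the only `restart postfix` handler in this diff is the one deleted with `smarthost-client/handlers/main.yml`, and no handlers file is added under mail-client; unless mail-client already has one outside this diff, the play fails at that task with an unknown handler. The same applies to `src: sasl_passwd`: the template is deleted from smarthost-client and no copy appears under `mail-client/templates/` in the diff. Add `mail-client/handlers/main.yml` with `- name: restart postfix` / `service: name: postfix, state: restarted` and carry the template across. The `postmap` and `newaliases` shell tasks could then become handlers notified by the credential and aliases tasks, so they run only when those files change.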
diff --git a/ansible/roles/mail-client/templates/main.cf b/ansible/roles/mail-client/templates/main.cf
index 2c026ad..af8e058 100644
--- a/ansible/roles/mail-client/templates/main.cf
+++ b/ansible/roles/mail-client/templates/main.cf
@@ -10,7 +10,7 @@ smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
-append_dot_mydomain = no
+append_dot_mydomain = yes
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
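Review bot: The comment directly above the changed line still says "appending .domain is the MUA's job", which now contradicts `append_dot_mydomain = yes`; either reword the comment to say why Postfix should now qualify bare hostnames on this client, or keep the setting at `no` if the flip was unintended. The same stanza is only otherwise present in the smarthost-client template this commit deletes, so this is the one copy that needs the wording fixed.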
@@ -32,7 +32,7 @@ myhostname = {{ mailname }}
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
-mydestination = {{ mailname }}, {{ hostname }}, localhost.localdomain, localhost
+mydestination = {{ mailname }}, {{ sane_debian_system_hostname }}, localhost.localdomain, localhost
relayhost = {{ relayhost }}
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
diff --git a/ansible/roles/mail-server/files/aliases b/ansible/roles/mail-server/files/aliases
index 0aa8635..e5197fa 100644
--- a/ansible/roles/mail-server/files/aliases
+++ b/ansible/roles/mail-server/files/aliases
@@ -7,3 +7,5 @@ soilar: liw, soile
hbo: liw, soile
ick-conduct: liw
atuin: liw, dkscully@geah.org, rjek@rjek.com, dsilvers@digital-scurf.org, greg@grossmeier.net
+remy: liw
+sateenvarjo: soilar
diff --git a/ansible/roles/mail-server/files/virtual b/ansible/roles/mail-server/files/virtual
index d822be3..67a2287 100644
--- a/ansible/roles/mail-server/files/virtual
+++ b/ansible/roles/mail-server/files/virtual
@@ -6,7 +6,9 @@ liw@liw.fi liw
liw-passthrough@liw.fi liw
ivana@liw.fi liw
tele@liw.fi liw
-rust.fossdev@liw.fi liw
+
+exolobe1.liw.fi -
+@exolobe1.liw.fi liw
docstory.fi -
postmaster@docstory.fi soile
diff --git a/ansible/roles/mail-server/tasks/main.yml b/ansible/roles/mail-server/tasks/main.yml
index 9b38dc5..f0c1fd1 100644
--- a/ansible/roles/mail-server/tasks/main.yml
+++ b/ansible/roles/mail-server/tasks/main.yml
@@ -1,3 +1,8 @@
-- include: postfix.yml
-- include: dovecot.yml
-- include: usertools.yml
+- ansible.builtin.import_tasks:
+ file: postfix.yml
+
+- ansible.builtin.import_tasks:
+ file: dovecot.yml
+
+- ansible.builtin.import_tasks:
+ file: usertools.yml
diff --git a/ansible/roles/riot-host/files/element-io-archive-keyring.gpg b/ansible/roles/riot-host/files/element-io-archive-keyring.gpg
new file mode 100644
index 0000000..6fbeecc
--- /dev/null
+++ b/ansible/roles/riot-host/files/element-io-archive-keyring.gpg
Binary files differ
diff --git a/ansible/roles/riot-host/tasks/main.yml b/ansible/roles/riot-host/tasks/main.yml
index 402da88..84c8ad3 100644
--- a/ansible/roles/riot-host/tasks/main.yml
+++ b/ansible/roles/riot-host/tasks/main.yml
@@ -1,10 +1,10 @@
- name: "install riot.im keyring"
copy:
- src: riot-im-archive-keyring.gpg
+ src: element-io-archive-keyring.gpg
dest: /etc/apt/trusted.gpg.d/
- apt_repository:
- repo: "deb [signed-by=/etc/apt/trusted.gpg.d/riot-im-archive-keyring.gpg] https://packages.riot.im/debian/ {{ sane_debian_system_codename }} main"
+ repo: "deb [signed-by=/etc/apt/trusted.gpg.d/element-io-archive-keyring.gpg] https://packages.element.io/debian/ default main"
update_cache: no
# Use shell to run apt-get, rather than the Ansible apt module, so
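Review bot: The new keyring is copied into `/etc/apt/trusted.gpg.d/`, where apt trusts it for every configured repository, so the `signed-by=` option on the added repo line restricts nothing; install the file under `/etc/apt/keyrings/` (or `/usr/share/keyrings/`) and point `signed-by=` at that path, which is what the option is for. The superseded `riot-im-archive-keyring.gpg` is also left behind in `trusted.gpg.d` on hosts configured before this change; a `file: path: /etc/apt/trusted.gpg.d/riot-im-archive-keyring.gpg, state: absent` task stops the old key being trusted system-wide. The task that follows begins outside the hunk.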
@@ -12,8 +12,6 @@
- name: update package lists
shell: |
apt-get update --allow-releaseinfo-change
- args:
- warn: false
- apt:
name: element-desktop
diff --git a/ansible/roles/rust-rustup/defaults/main.yml b/ansible/roles/rust-rustup/defaults/main.yml
new file mode 100644
index 0000000..e1c0df8
--- /dev/null
+++ b/ansible/roles/rust-rustup/defaults/main.yml
@@ -0,0 +1 @@
+rust_rustup_user: liw
diff --git a/ansible/roles/rust-rustup/tasks/main.yml b/ansible/roles/rust-rustup/tasks/main.yml
index 2ebd6f6..ceb4a69 100644
--- a/ansible/roles/rust-rustup/tasks/main.yml
+++ b/ansible/roles/rust-rustup/tasks/main.yml
@@ -9,15 +9,16 @@
set -eu
if command -v rustup > /dev/null
then
- sudo -u liw rustup update
+ sudo -u {{ rust_rustup_user }} rustup update
else
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /tmp/rustup.sh
- sudo -u liw -i sh /tmp/rustup.sh -y
+ sudo -u {{ rust_rustup_user }} -i sh /tmp/rustup.sh -y --no-modify-path
fi
- sudo -u liw -i rustup component add clippy rust-src
+ sudo -u {{ rust_rustup_user }} -i /home/{{ rust_rustup_user }}/.cargo/bin/rustup self update
+ sudo -u {{ rust_rustup_user }} -i /home/{{ rust_rustup_user }}/.cargo/bin/rustup component add clippy \
+ rust-src rust-analyzer
+
- name: "cargo install applications"
when: rustup_cargo_install is defined
- args:
- warn: no
shell: |
- sudo -i -u liw cargo install {{ rustup_cargo_install }}
+ sudo -i -u {{ rust_rustup_user }} sh -c '. $HOME/.cargo/env && cargo install {{ rustup_cargo_install }}'
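Review bot: `if command -v rustup` runs as root, so it looks for rustup on root's PATH rather than in the target user's `~/.cargo/bin`, where the later lines of this hunk expect it; on a host where root has no rustup the else branch re-downloads and re-runs the installer on every play. Test the user's binary instead: `if [ -x /home/{{ rust_rustup_user }}/.cargo/bin/rustup ]` and `sudo -u {{ rust_rustup_user }} -i /home/{{ rust_rustup_user }}/.cargo/bin/rustup update`. The installer is also written to the fixed, world-writable path `/tmp/rustup.sh` as root and then executed as a different user; downloading it into that user's home (or a `mktemp` file) avoids the shared-tmp path. The shell task's header lines are above the hunk.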
diff --git a/ansible/roles/smarthost-client/handlers/main.yml b/ansible/roles/smarthost-client/handlers/main.yml
deleted file mode 100644
index 6cdc4d4..0000000
--- a/ansible/roles/smarthost-client/handlers/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- name: restart postfix
- service: name=postfix state=restarted
diff --git a/ansible/roles/smarthost-client/tasks/main.yml b/ansible/roles/smarthost-client/tasks/main.yml
deleted file mode 100644
index 61830c9..0000000
--- a/ansible/roles/smarthost-client/tasks/main.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-# A mail client needs to send mail. I prefer to send via a local MTA,
-# which routes things out via a smarthost.
-
-- name: install postfix and related packages
- apt:
- name:
- - postfix
- - libsasl2-modules
- - mailutils
-
-- name: configure postfix
- template:
- src: main.cf
- dest: /etc/postfix/main.cf
- notify: restart postfix
-
-- name: set mailname
- copy:
- content: "{{ mailname }}\n"
- dest: /etc/mailname
- owner: root
- group: root
- mode: 0644
-
-# Set up the smarthost relay credentials.
-
-- name: set smarthost relay credentials
- template:
- src: sasl_passwd
- dest: /etc/postfix/sasl_passwd
- mode: 0600
-
-- name: postmap relay credentials
- shell: |
- postmap /etc/postfix/sasl_passwd
-
-- name: install aliases
- copy:
- src: aliases
- dest: /etc/aliases
- owner: root
- group: root
- mode: 0644
-
-- name: run newaliases
- shell: newaliases
diff --git a/ansible/roles/smarthost-client/templates/main.cf b/ansible/roles/smarthost-client/templates/main.cf
deleted file mode 100644
index d9deaaf..0000000
--- a/ansible/roles/smarthost-client/templates/main.cf
+++ /dev/null
@@ -1,46 +0,0 @@
-# See /usr/share/postfix/main.cf.dist for a commented, more complete version
-
-
-# Debian specific: Specifying a file name will cause the first
-# line of that file to be used as the name. The Debian default
-# is /etc/mailname.
-#myorigin = /etc/mailname
-
-smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
-biff = no
-
-# appending .domain is the MUA's job.
-append_dot_mydomain = no
-
-# Uncomment the next line to generate "delayed mail" warnings
-#delay_warning_time = 4h
-
-readme_directory = no
-
-# TLS parameters
-smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
-smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
-smtpd_use_tls=yes
-smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
-smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-
-# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
-# information on enabling SSL in the smtp client.
-
-smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
-myhostname = {{ mailname }}
-alias_maps = hash:/etc/aliases
-alias_database = hash:/etc/aliases
-myorigin = /etc/mailname
-mydestination = {{ mailname }}, {{ sane_debian_system_hostname }}, localhost.localdomain, localhost
-relayhost = {{ relayhost }}
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
-mailbox_command = procmail -a "$EXTENSION"
-mailbox_size_limit = 0
-recipient_delimiter = +
-inet_interfaces = 127.0.0.1
-smtp_sasl_auth_enable = yes
-smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
-smtp_sasl_security_options = noanonymous
-smtp_use_tls = yes
-smtp_tls_note_starttls_offer = yes
diff --git a/ansible/roles/smarthost-client/templates/sasl_passwd b/ansible/roles/smarthost-client/templates/sasl_passwd
deleted file mode 100644
index da722f6..0000000
--- a/ansible/roles/smarthost-client/templates/sasl_passwd
+++ /dev/null
@@ -1 +0,0 @@
-{{ smarthost }} {{ smarthost_user }}:{{ smarthost_password }}
diff --git a/ansible/roles/subplot-dev-env/tasks/main.yml b/ansible/roles/subplot-dev-env/tasks/main.yml
index 5c99cfa..22fddb9 100644
--- a/ansible/roles/subplot-dev-env/tasks/main.yml
+++ b/ansible/roles/subplot-dev-env/tasks/main.yml
@@ -2,7 +2,6 @@
apt:
name:
- debhelper
- - dh-cargo
- python3
- pandoc
- pandoc-citeproc
diff --git a/ansible/rust-dev.yml b/ansible/rust-dev.yml
index 23d9ba5..73ce706 100644
--- a/ansible/rust-dev.yml
+++ b/ansible/rust-dev.yml
@@ -3,29 +3,23 @@
become: yes
roles:
- role: sane_debian_system
- tags: [sane]
- role: sshd
- tags: [sshd]
- - role: comfortable-debian-system
- tags: [comfy]
- role: unix_users
- tags: [users]
- role: version-controller
- tags: [vacs]
- - role: liw
- tags: [liw]
- - role: rust-rustup
- tags: [rustup]
tasks:
- apt:
name:
- build-essential
+ - curl
+ - musl
+ - musl-dev
+ - musl-tools
vars:
ansible_python_interpreter: python3
sane_debian_system_version: 2
sane_debian_system_hostname: rust-dev
- sane_debian_system_codename: bullseye
+ sane_debian_system_codename: bookworm
timezone: Europe/Helsinki
@@ -35,8 +29,7 @@
comment: Lars Wirzenius
sane_debian_system_sources_lists:
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
sshd_version: 1
- sshd_allow_authorized_keys: yes
diff --git a/ansible/seed.liw.fi.yml b/ansible/seed.liw.fi.yml
new file mode 100644
index 0000000..fb5a00f
--- /dev/null
+++ b/ansible/seed.liw.fi.yml
@@ -0,0 +1,62 @@
+- hosts: seed.liw.fi
+ remote_user: root
+ become: yes
+ roles:
+ - role: sane_debian_system
+ - role: sshd
+ - role: unix_users
+ - role: rust-rustup
+ - role: radicle_node
+ tasks:
+ - name: "install convenience packages"
+ apt:
+ name:
+ - jq
+ - moreutils
+ - psmisc
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
+ sane_debian_system_timezone: Europe/Helsinki
+ sane_debian_system_sources_lists:
+ - repo: |
+ deb http://security.debian.org/debian-security bookworm-security main contrib non-free
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
+
+ unix_users_version: 2
+ unix_users:
+ - username: _rad
+ comment: Radicle node
+
+ sshd_version: 1
+
+ radicle_node_version: 1
+ radicle_node_key: "{{ lookup('pipe', 'pass radicle/seed.liw.fi/key') }}"
+ radicle_node_key_pub: "{{ lookup('pipe', 'pass radicle/seed.liw.fi/key.pub') }}"
+ radicle_node_connections:
+ - nid: z6MkfXa53s1ZSFy8rktvyXt5ADCojnxvjAoQpzajaXyLqG5n
+ host: radicle.liw.fi
+ port: 8776
+ radicle_node_repositories: []
+ radicle_node_domain_name: seed.liw.fi
+ radicle_node_ci_domain_name: ci.seed.liw.fi
+ radicle_node_ci_broker_config: |
+ status_page: /srv/http/status.json
+ default_adapter: native
+ adapters:
+ native:
+ command: /bin/radicle-native-ci
+ env:
+ RADICLE_NATIVE_CI: /home/_rad/native-ci.yaml
+ filters:
+ - !And
+ - !Repository "rad:zZnk3hS8C3WAhnv7mWcCUToCqpBs"
+ - !AnyPatch
+ radicle_node_policy: allow
+ radicle_node_scope: all
+
+ rust_rustup_user: _rad
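Review bot: `radicle_node_policy: allow` together with `radicle_node_scope: all` appears to make the node seed every repository any connected peer announces, with `radicle_node_repositories: []` adding no explicit list; if the role maps these onto radicle's node policy and scope settings as the names suggest, disk and bandwidth on seed.liw.fi are then bounded only by what peers push. Unless unrestricted seeding is the intent, consider `radicle_node_scope: followed` or a block policy with an explicit allow-list in `radicle_node_repositories`, and add a one-line comment next to these two vars recording the decision.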
diff --git a/ansible/shell-shell.vm.liw.fi.hz b/ansible/shell-shell.vm.liw.fi.hz
deleted file mode 100644
index d2abde0..0000000
--- a/ansible/shell-shell.vm.liw.fi.hz
+++ /dev/null
@@ -1,5 +0,0 @@
-defaults:
- type: cx11
- image: debian-10
-hosts:
- - name: shell
diff --git a/ansible/shell-shell.vm.liw.fi.yml b/ansible/shell-shell.vm.liw.fi.yml
index 9cd9738..ca1e32c 100644
--- a/ansible/shell-shell.vm.liw.fi.yml
+++ b/ansible/shell-shell.vm.liw.fi.yml
@@ -1,4 +1,4 @@
-- hosts: shell
+- hosts: shell-shell.vm.liw.fi
remote_user: root
roles:
- role: sane_debian_system
@@ -32,14 +32,18 @@
comment: Soile Mottisenkangas
mailname: pieni.net
- smarthost: mail.pepperfish.net
+ smarthost: mail.infrafish.uk
smarthost_port: 587
- smarthost_user: pieni-fwd@ppfm.net
- smarthost_pass_name: pieni.net/smarthost_pass
+ smarthost_user: liw@login.liw.fi
+ smarthost_pass_name: pieni.net/smarthost_pass_intrafish
mail_hostname: pieni.net
+ # We must define the sshd variables here. The defaults from the
+ # "all" group assume sshca knows the host by the
+ # sane_debian_system_hostname name, which isn't true for this
+ # host.
sshd_version: 1
sshd_host_key: "{{ lookup('pipe', 'sshca host private-key shell-shell.vm.liw.fi') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v5 shell-shell.vm.liw.fi') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 shell-shell.vm.liw.fi') }}"
sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"
diff --git a/ansible/solace.yml b/ansible/solace.yml
index f978757..635505f 100644
--- a/ansible/solace.yml
+++ b/ansible/solace.yml
@@ -6,331 +6,78 @@
- role: sshd
- role: ssd
- role: comfortable-debian-system
- - role: chaoskey-host
- role: version-controller
- - role: emacs
- - role: gnupg-workstation
- - role: gnome-system
- - role: ansible
- role: vmhost
- - role: smarthost-client
- role: mail-client
- - role: annexed
- - role: riot-host
-# # - role: writing-dev-env
-# # - role: journal-workstation
-# # - role: debian-dev-env
-# # - role: subplot-dev-env
-# # - role: obnam-dev-env
-# # - role: tex-dev-env
-# # - role: python-dev-env
- role: unix_users
- role: rust-rustup
- tags: [rustup]
+ - role: liw
+ - role: self-updating-system
tasks:
- # - shell: |
- # sed -i 's/NOPASSWD://' /etc/sudoers.d/liw
- # args:
- # warn: false
-
# Remove ping to force it be reinstalled so that the right
# capabilities are set.
- apt:
name: iputils-ping
state: absent
- - apt:
- name:
- - bash-completion
- - black
- - build-essential
- - cachedir
- - capnproto
- - clang
- - daemonize
- - debhelper
- - dh-cargo
- - expect
- - extrautils
- - fio
- - firmware-misc-nonfree
- - fling
- - gimp
- - graphviz
- - inkscape
- - iputils-ping
- - isync
- - jq
- - jt
- - libclang-dev
- - librsvg2-bin
- - libsqlite3-dev
- - libssl-dev
- - libvirt-dev
- - linux-perf
- - liw-automation
- - llvm
- - lmodern
- - nettle-dev
- - nfs-common
- - obnam
- - obnam-benchmark
- - openpgp-ca
- - pandoc
- - pandoc-citeproc
- - pandoc-filter-diagram
- - pavucontrol
- - pkg-config
- - plantuml
- - printer-driver-ptouch
- - python3
- - python3-requests
- - qemu-user-static
- - sequoia-chameleon-gnupg
- - shellcheck
- - sq-liw
- - sqlite3
- - sshca
- - subplot
- - summain
- - texlive-fonts-recommended
- - texlive-latex-base
- - texlive-latex-extra
- - texlive-latex-recommended
- - texlive-plain-generic
- - usbutils
- - uuid
- - validns
- - vlc
- - vobcopy
- - vmdb2
- - xpdf
- - zerofree
-
- name: install command line utilities
apt:
name:
+ - build-essential
+ - firmware-misc-nonfree
+ - firmware-realtek
+ - iputils-ping
- locales-all
- - psmisc
- - mosh
+ - memtest86+
+ - python3
- rsync
- vim
- - screen
- - tmux
- - strace
- - gddrescue
- - pv
- - moreutils
- - bind9-host
- - dnsutils
- - lshw
- - curl
- # - extrautils
- # - liw-automation
- # - copyright-statement-lint
- - bc
- - yaml-mode
- - ikiwiki
- - taskwarrior
- - zip
- # - cachedir
- - debmirror
- - git-annex
- - iftop
- - info
- # - jt
- - kpartx
- - lftp
- - mediainfo
- - mmv
- - mtr
- - num-utils
- - parted-doc
- - trickle
- - units
- - w3m
- - youtube-dl
- - signing-party
- - sshfs
- - dict
- - dictd
- - dict-foldoc
- - dict-gcide
- - dict-jargon
- - dict-vera
- - dict-wn
- - gnuplot
- - acpi
- - nmap
- - nethogs
- - time
- - restic
- - apt-file
- - whois
- - oathtool
- - htop
- - smartmontools
- - bonnie++
- - mdadm
- - hddtemp
- - parted
- - lvm2
- - cryptsetup
-
- - name: configure dict
- copy:
- content: |
- server localhost
- dest: /etc/dictd/dict.conf
-
- - lineinfile:
- path: /etc/gdm3/daemon.conf
- regexp: WaylandEnable=
- line: WaylandEnable=false
-
- # - lineinfile:
- # path: /etc/xdg/autostart/gnome-keyring-ssh.desktop
- # line: Hidden=true
-
- # - lineinfile:
- # path: /etc/X11/Xsession.options
- # line: use-ssh-agent
- # state: absent
-
- # - file:
- # state: directory
- # path: /home/liw/.config/autostart
- # owner: liw
- # group: liw
-
- # - copy:
- # content: |
- # [Desktop Entry]
- # Type=Application
- # Name=gpg-agent
- # Comment=gpg-agent
- # Exec=/usr/bin/gpg-agent --daemon
- # OnlyShowIn=GNOME;Unity;MATE;
- # X-GNOME-Autostart-Phase=PreDisplayServer
- # X-GNOME-AutoRestart=false
- # X-GNOME-Autostart-Notify=true
- # X-GNOME-Bugzilla-Bugzilla=GNOME
- # X-GNOME-Bugzilla-Product=gnome-keyring
- # X-GNOME-Bugzilla-Component=general
- # X-GNOME-Bugzilla-Version=3.20.0
- # dest: /home/liw/.config/autostart/gpg-agent.desktop
- # owner: liw
- # group: liw
-
- - name: "install necessary packages to use a Yubikey with LUKS"
- apt:
- name:
- - yubikey-luks
- - usbutils
+ - wireless-regdb
- - name: "configure crypttab to use yubikey-luks key script"
- crypttab:
- name: pv0
- opts: keyscript=/usr/share/yubikey-luks/ykluks-keyscript
- state: opts_present
+ - name: "configure GRUB to wait a little before booting"
+ lineinfile:
+ path: /etc/default/grub
+ regexp: GRUB_TIMEOUT
+ line: "GRUB_TIMEOUT=5"
- - name: "update initramfs"
+ - name: "update grub"
shell: |
- update-initramfs -u
-
- - apt:
- name:
- - libpam-yubico
- # disabled until I don't need Y4 anymore.
- # - lineinfile:
- # path: /etc/pam.d/common-auth
- # regex: pam_yubico.so
- # line: "auth required pam_yubico.so mode=challenge-response chalresp_path=/etc/yubikey_chalresp"
- - file:
- state: directory
- path: /etc/yubikey_chalresp
- mode: 0700
- - copy:
- content: |
- {{ lookup('pipe', 'pass libpam-yubico/liw/y6.chalresp') }}
- dest: "/etc/yubikey_chalresp/liw-{{ lookup('pipe', 'pass libpam-yubico/liw/y6.serial') }}"
- mode: 0600
-
+ update-grub
vars:
ansible_python_interpreter: /usr/bin/python3
sane_debian_system_version: 2
- sane_debian_system_hostname: solace
- sane_debian_system_codename: bullseye
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
sane_debian_system_timezone: Europe/Helsinki
sane_debian_system_sources_lists:
- repo: |
- deb http://deb.debian.org/debian bullseye contrib non-free
+ deb http://deb.debian.org/debian bookworm contrib non-free non-free-firmware
- repo: |
- deb-src http://deb.debian.org/debian bullseye main contrib non-free
-
- - repo: |
- deb http://security.debian.org/debian-security bullseye-security main contrib non-free
-
- - repo: |
- deb http://code.liw.fi/debian unstable main
- signing_key: "{{ code_liw_fi_signing_key }}"
-
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
+ deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable main
- signing_key: "{{ ci_prod_signing_key }}"
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
unix_users_version: 2
unix_users:
- username: liw
comment: Lars Wirzenius
- sudo: yes
groups:
- - audio
- - bluetooth
- - cdrom
- - dialout
- - dip
- - floppy
- libvirt
- - netdev
- - plugdev
- - scanner
- - video
- authorized_keys: |
- {{ liw_personal_ssh_pub }}
mailname: "{{ sane_debian_system_hostname }}.liw.fi"
- hostname: "{{ sane_debian_system_hostname }}"
relayhost: pieni.net:587
smarthost: pieni.net
smarthost_user: pienirelay
smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
rustup_cargo_install: |
- cargo-audit \
- cargo-deny \
- cargo-deps \
- bandwhich \
- bat \
- cargo-edit \
- cargo-geiger \
- cargo-outdated \
- flamegraph \
- hyperfine \
- ripgrep \
starship \
- tokei \
- zoxide \
- ytop
+ bottom
sshd_version: 1
- sshd_host_key: "{{ lookup('pipe', 'sshca host private-key solace') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v5 solace') }}"
- sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"
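Review bot: The new GRUB task's `regexp: GRUB_TIMEOUT` is unanchored, so it also matches a `GRUB_TIMEOUT_STYLE=...` line if `/etc/default/grub` has one, and lineinfile then replaces the last match instead of the intended line; use `regexp: "^GRUB_TIMEOUT="`. `mailname` is still built as `"{{ sane_debian_system_hostname }}.liw.fi"` while the hostname now comes from `inventory_hostname`, so the result depends on whether the inventory entry is the short name or the FQDN — worth checking it does not come out as `solace.liw.fi.liw.fi`. The hunk also drops `sudo: yes` and `authorized_keys` from the liw user and the explicit `sshd_host_key`/`sshd_host_cert` vars; if those now come from the `liw` role and the `all` group vars respectively, a comment saying so would save the next reader a search.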
diff --git a/ansible/sq-test.yml b/ansible/sq-test.yml
deleted file mode 100644
index 5879ef1..0000000
--- a/ansible/sq-test.yml
+++ /dev/null
@@ -1,160 +0,0 @@
-- hosts: sq-test
- remote_user: root
- roles:
- - role: sane_debian_system
- - role: comfortable-debian-system
- - role: unix_users
- - role: self-updating-system
- tasks:
- - apt:
- name:
- - bash-completion
- - sq
- state: present
- - file:
- path: /tmp/shared
- state: directory
- mode: 01777
- - copy:
- content: |
- -----BEGIN PGP PUBLIC KEY BLOCK-----
- Comment: 010A B1FA 8E24 283F B898 3F52 9036 838A 283E 1AA9
- Comment: Lars Wirzenius
-
- xjMEYuzSFBYJKwYBBAHaRw8BAQdAkOVflgRACWQrysidOFgXUa5AmknlCt0Sb5U/
- kFHOHmzCwBEEHxYKAIMFgmLs0hQFiQWkj70DCwkHCRCQNoOKKD4aqUcUAAAAAAAe
- ACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmc0zoAeYXkSCb7SOLblaokA
- uMiuMLNocIM4XSeEEVVdogMVCggCmwECHgEWIQQBCrH6jiQoP7iYP1KQNoOKKD4a
- qQAAJvkBAPOvcIFKjV+RDssTF+M8ANsVPN8e9MCaHhF65o6dHtv2AQCyJVPftDH2
- ub9mr6bIPEUYJi6+imZX2Xa3C7SGNEe0Bc0OTGFycyBXaXJ6ZW5pdXPCwBQEExYK
- AIYFgmLs0hQFiQWkj70DCwkHCRCQNoOKKD4aqUcUAAAAAAAeACBzYWx0QG5vdGF0
- aW9ucy5zZXF1b2lhLXBncC5vcmdy+aoELSz02TDwDO0w+j6N/Yg4vQ8Ws6cZeFQU
- u0lkMAMVCggCmQECmwECHgEWIQQBCrH6jiQoP7iYP1KQNoOKKD4aqQAApqwBANTK
- v3NN6xI8eH/TSbR+5VgrSiZj4mZoNCBQALpEQzT9AQCvrZmKNfeq77Q4SsEWUmD8
- dHb0eMsppyi0oW8itAuaC84zBGLs0hQWCSsGAQQB2kcPAQEHQGpPf6RSeuBlzhTS
- 5J+yAYQNSKUC+RPYBiq3u1jkydJ9wsDFBBgWCgE3BYJi7NIUBYkFpI+9CRCQNoOK
- KD4aqUcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcg7Rr7
- iOeL3SCZ2ecGO0/g/5CorBrxP8AlfuyWAJroeAKbAr6gBBkWCgBvBYJi7NIUCRCM
- lfahnAL5XUcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmd1
- Jf5951yGEOtGCSw0BpWa4pPp6mR9hGGhMqpyA5sXkhYhBHTyxaykxgutnvUZlIyV
- 9qGcAvldAAA+iAD/VOod7dIUrxPL23iUKYCe1OjQ+rOWrjzWr4lXh8MbYD8A/ium
- ns8bmARpt2+VPqfbTQiESK5i+k3HFw2O2R3MP1EFFiEEAQqx+o4kKD+4mD9SkDaD
- iig+GqkAAJo0AP9TWhlep2UnuQb1eqpyK7bxrpaPV/cR2v98DtxUcDZJPAEAyjcD
- +AR1KC2VHF32JYHddbvEBG4YkRuslXpX8t46SQ3OMwRi7NIUFgkrBgEEAdpHDwEB
- B0Dlc6Sa0OENRkXRlGSJx+TW6+QEK7WB8eIHikyxfK4hdcLABgQYFgoAeAWCYuzS
- FAWJBaSPvQkQkDaDiig+GqlHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9p
- YS1wZ3Aub3JnadCLyuCKpqa7utZ+81jTDOpCgF1yoR/grzfb3h3H+0YCmyAWIQQB
- CrH6jiQoP7iYP1KQNoOKKD4aqQAAY/gA/35WSxWkNURZdGOwKgBJtw5nc5K9s6nt
- LefNkI/OB7O/AP98xXylCuzQNw7jbmkuwIyb3t1iyBUmBBkAkVHUVkEmCs44BGLs
- 0hQSCisGAQQBl1UBBQEBB0B73lJoeEfLvaYgpYJiJcTnDPXon0TI3Kd37xa+8ieM
- eAMBCAfCwAYEGBYKAHgFgmLs0hQFiQWkj70JEJA2g4ooPhqpRxQAAAAAAB4AIHNh
- bHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZyeEI8W6tcOpWsDOVz9SqpQlgAlN
- IzNCdED0mddImb5RApsMFiEEAQqx+o4kKD+4mD9SkDaDiig+GqkAAFxjAP40OKNA
- IEx5tGJneoTLFFDYQUpstG6h7AZ36ooEaRIk5AEA6mUCs9JdJMElHa34g+txs7Pk
- 3gygQYQtpkkeCXZ2tgc=
- =YmSW
- -----END PGP PUBLIC KEY BLOCK-----
- dest: /home/liw/liw-pub.pgp
- owner: liw
- group: liw
- - copy:
- content: |
- -----BEGIN PGP PRIVATE KEY BLOCK-----
- Comment: 010A B1FA 8E24 283F B898 3F52 9036 838A 283E 1AA9
- Comment: Lars Wirzenius
-
- xVgEYuzSFBYJKwYBBAHaRw8BAQdAkOVflgRACWQrysidOFgXUa5AmknlCt0Sb5U/
- kFHOHmwAAP90GKYJ/CEDoZtNhVMCsXveNAmriM18VhfjQmoJVY9F8g6gwsARBB8W
- CgCDBYJi7NIUBYkFpI+9AwsJBwkQkDaDiig+GqlHFAAAAAAAHgAgc2FsdEBub3Rh
- dGlvbnMuc2VxdW9pYS1wZ3Aub3JnNM6AHmF5Egm+0ji25WqJALjIrjCzaHCDOF0n
- hBFVXaIDFQoIApsBAh4BFiEEAQqx+o4kKD+4mD9SkDaDiig+GqkAACb5AQDzr3CB
- So1fkQ7LExfjPADbFTzfHvTAmh4ReuaOnR7b9gEAsiVT37Qx9rm/Zq+myDxFGCYu
- vopmV9l2twu0hjRHtAXNDkxhcnMgV2lyemVuaXVzwsAUBBMWCgCGBYJi7NIUBYkF
- pI+9AwsJBwkQkDaDiig+GqlHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9p
- YS1wZ3Aub3JncvmqBC0s9Nkw8AztMPo+jf2IOL0PFrOnGXhUFLtJZDADFQoIApkB
- ApsBAh4BFiEEAQqx+o4kKD+4mD9SkDaDiig+GqkAAKasAQDUyr9zTesSPHh/00m0
- fuVYK0omY+JmaDQgUAC6REM0/QEAr62ZijX3qu+0OErBFlJg/HR29HjLKacotKFv
- IrQLmgvHWARi7NIUFgkrBgEEAdpHDwEBB0BqT3+kUnrgZc4U0uSfsgGEDUilAvkT
- 2AYqt7tY5MnSfQABAIPRid4IAhZwCvDmr27PF78T/0VSA2gtlwouA8yvb7HsDojC
- wMUEGBYKATcFgmLs0hQFiQWkj70JEJA2g4ooPhqpRxQAAAAAAB4AIHNhbHRAbm90
- YXRpb25zLnNlcXVvaWEtcGdwLm9yZyDtGvuI54vdIJnZ5wY7T+D/kKisGvE/wCV+
- 7JYAmuh4ApsCvqAEGRYKAG8FgmLs0hQJEIyV9qGcAvldRxQAAAAAAB4AIHNhbHRA
- bm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ3Ul/n3nXIYQ60YJLDQGlZrik+nqZH2E
- YaEyqnIDmxeSFiEEdPLFrKTGC62e9RmUjJX2oZwC+V0AAD6IAP9U6h3t0hSvE8vb
- eJQpgJ7U6ND6s5auPNaviVeHwxtgPwD+K6aezxuYBGm3b5U+p9tNCIRIrmL6TccX
- DY7ZHcw/UQUWIQQBCrH6jiQoP7iYP1KQNoOKKD4aqQAAmjQA/1NaGV6nZSe5BvV6
- qnIrtvGulo9X9xHa/3wO3FRwNkk8AQDKNwP4BHUoLZUcXfYlgd11u8QEbhiRG6yV
- elfy3jpJDcdYBGLs0hQWCSsGAQQB2kcPAQEHQOVzpJrQ4Q1GRdGUZInH5Nbr5AQr
- tYHx4geKTLF8riF1AAEAx8kFIwgl9lPJI91ZUXBK9nj8BAChRHHiq1YJI+heIUoN
- 4MLABgQYFgoAeAWCYuzSFAWJBaSPvQkQkDaDiig+GqlHFAAAAAAAHgAgc2FsdEBu
- b3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnadCLyuCKpqa7utZ+81jTDOpCgF1yoR/g
- rzfb3h3H+0YCmyAWIQQBCrH6jiQoP7iYP1KQNoOKKD4aqQAAY/gA/35WSxWkNURZ
- dGOwKgBJtw5nc5K9s6ntLefNkI/OB7O/AP98xXylCuzQNw7jbmkuwIyb3t1iyBUm
- BBkAkVHUVkEmCsddBGLs0hQSCisGAQQBl1UBBQEBB0B73lJoeEfLvaYgpYJiJcTn
- DPXon0TI3Kd37xa+8ieMeAMBCAcAAP9ou8Z/+/40YzSNg9fTYC33bJCA/IFb7V+N
- XGhehUoNcBIEwsAGBBgWCgB4BYJi7NIUBYkFpI+9CRCQNoOKKD4aqUcUAAAAAAAe
- ACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcnhCPFurXDqVrAzlc/UqqU
- JYAJTSMzQnRA9JnXSJm+UQKbDBYhBAEKsfqOJCg/uJg/UpA2g4ooPhqpAABcYwD+
- NDijQCBMebRiZ3qEyxRQ2EFKbLRuoewGd+qKBGkSJOQBAOplArPSXSTBJR2t+IPr
- cbOz5N4MoEGELaZJHgl2drYH
- =DO2c
- -----END PGP PRIVATE KEY BLOCK-----
- dest: /home/liw/liw.pgp
- owner: liw
- group: liw
- vars:
- ansible_python_interpreter: /usr/bin/python3
-
- sane_debian_system_version: 2
- sane_debian_system_hostname: shell
- sane_debian_system_codename: bullseye
- sane_debian_system_mirror: deb.debian.org
- sane_debian_system_sources_lists:
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
-
- unix_users_version: 2
- unix_users:
- - username: root
- authorized_keys: |
- {{ liw_hetzner_ssh_pub }}
- - username: liw
- comment: Lars Wirzenius
- authorized_keys: |
- {{ liw_hetzner_ssh_pub }}
- - username: volunteer1
- comment: sq volunteer
- authorized_keys: |
- {{ liw_hetzner_ssh_pub }}
-# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGZdyfLIkIPT49xv3wHurk97Q4Iv2+E8vzBdLl9FEt/m
- - username: volunteer2
- comment: sq volunteer
- authorized_keys: |
- {{ liw_hetzner_ssh_pub }}
-# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMnYWSq0gnmLnshJdikKT65NJcuKRXa7RAsyUraqha0V
- - username: volunteer3
- comment: sq volunteer
- authorized_keys: |
- {{ liw_hetzner_ssh_pub }}
-# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOY4VaVEXyQpV7knCanFU4oNb8+Tuz2ef8HvMD8fYPhA
- - username: volunteer4
- comment: sq volunteer
- authorized_keys: |
- {{ liw_hetzner_ssh_pub }}
-# ssh-rsa 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
- - username: volunteer5
- comment: sq volunteer
- authorized_keys: |
- {{ liw_hetzner_ssh_pub }}
- ssh-rsa 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
- - username: volunteer6
- comment: sq volunteer
- authorized_keys: |
- {{ liw_hetzner_ssh_pub }}
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqhNi9rrxfK6Rn2rsoJZbBmxWmPoqftMOTf7LD+1K99sOUmwCM+bqoPt7pHl/JsxOpAilfD5lVQ9m+4Xutjtaenf98jnO8Gi3h7xMsUZRaU0T3gCmKq/T1B9N3/YSWosPHAHvRfeu9zr6rJj7gxMAJ7Ab+Ix7t60j6iAGkX+LuyC9VQ5GR1SGC76a3TMHYrgR0VBYohFTzFqhVquubTEtUZrvZy/kNkKb5XvgiCLCNyFfO1huq/c3hDFUnQvP6/0MSGJq/FRqwPdLLOcRDaBQpw942JC0Xh0+0qOJVIpdRfdM/83NBsBIJKNqR2eWYHoW2brTKjxHPsRNtKjn6AgKj
- ssh-rsa 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
- - username: volunteer7
- comment: sq volunteer
- authorized_keys: |
- {{ liw_hetzner_ssh_pub }}
-# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZAUtpJZ3I3alPpJuvAqsjixoO+WWRxFTKauJKe2Lup
diff --git a/ansible/sshca-dev.yml b/ansible/sshca-dev.yml
index dd5097a..9422d96 100644
--- a/ansible/sshca-dev.yml
+++ b/ansible/sshca-dev.yml
@@ -21,8 +21,8 @@
name:
- debhelper
- build-essential
- - dh-cargo
- git
+ - lintian
- moreutils
- python3
- python3-requests
@@ -35,8 +35,8 @@
ansible_python_interpreter: python3
sane_debian_system_version: 2
- sane_debian_system_hostname: sshca-dev
- sane_debian_system_codename: bullseye
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
timezone: Europe/Helsinki
@@ -47,8 +47,8 @@
sudo: yes
sane_debian_system_sources_lists:
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
+ - repo: deb http://apt.liw.fi/debian unstable-ci main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
sshd_version: 1
sshd_allow_authorized_keys: yes
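Review bot: The new apt.liw.fi entry uses `unstable-ci main`, whereas every other playbook in this commit that switches to apt.liw.fi uses `unstable main` (stamina.yml, v-i-dev.yml, vmadm-dev.yml, vmdb2-dev.yml, web.yml). Unless apt.liw.fi really publishes an `unstable-ci` suite this looks carried over from the old ci-prod-controller line, and `apt update` on sshca-dev will fail on a missing Release file. Suggest `- repo: deb http://apt.liw.fi/debian unstable main`.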
diff --git a/ansible/stamina-recreate-and-provision-all.sh b/ansible/stamina-recreate-and-provision-all.sh
new file mode 100755
index 0000000..99bde0e
--- /dev/null
+++ b/ansible/stamina-recreate-and-provision-all.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -euo pipefail
+
+echo "vmadm recreate all VMs"
+chronic ssh stamina 'vmadm recreate ansibleness/vmadm/stamina/*.yaml'
+echo "provision all VMs"
+chronic ./stamina-vms.sh
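Review bot: `vmadm recreate` over all of ansibleness/vmadm/stamina/*.yaml is destructive, and the script runs it with no confirmation and no argument filtering, so a mistyped invocation wipes every VM on stamina; because `chronic` also hides the output on success, nothing records which VMs were destroyed. If this is meant to be run by hand, a prompt such as `read -r -p 'Recreate ALL stamina VMs? [y/N] ' ans; [ "$ans" = y ] || exit 1` before the ssh call is cheap insurance, or at least drop `chronic` for that step so the list of recreated VMs stays visible. The final `./stamina-vms.sh` is resolved relative to the caller's working directory rather than the script's, so a `cd "$(dirname "$0")"` at the top would make the provisioning step work from any directory.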
diff --git a/ansible/stamina-vm-check.sh b/ansible/stamina-vm-check.sh
index ce84992..743b784 100755
--- a/ansible/stamina-vm-check.sh
+++ b/ansible/stamina-vm-check.sh
@@ -3,21 +3,13 @@
set -eu
playbooks="
-clab-dev
debian-ansible-dev
-ewww-dev
icktool
-jt-dev
obnam-bench
obnam-dev
openpgp-ca-dev
openpgp-card-dev
-python-mess
-rikiwiki-dev
-roadmap-dev
-rust-dev
-sequoia-dev
-sequoia-web
+riki-dev
sshca-dev
subplot-dev
v-i-dev
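Review bot: The playbook list kept here no longer matches the one in stamina-vms.sh from the same commit: this file checks debian-ansible-dev, icktool, obnam-bench, openpgp-ca-dev, openpgp-card-dev, riki-dev and sshca-dev, while stamina-vms.sh provisions web, ambient-dev, radicle-dev, radicle-multi, rust-dev and vmdb2-dev instead, with only obnam-dev, subplot-dev and v-i-dev in both. If both scripts are meant to cover the same set of VMs, one list should be derived from the other (for example a shared file both scripts source) rather than maintained twice; if the divergence is intentional, a comment above `playbooks="` in each file saying what its list is for would prevent the next mismatch. The same point applies to the stamina-vms.sh hunk below.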
diff --git a/ansible/stamina-vms.sh b/ansible/stamina-vms.sh
index ed494a4..9c44ced 100755
--- a/ansible/stamina-vms.sh
+++ b/ansible/stamina-vms.sh
@@ -3,31 +3,20 @@
set -eu
playbooks="
-clab-dev.yml
-debian-ansible-dev.yml
-ewww-dev.yml
-ewww-test.yml
-icktool.yml
-jt-dev.yml
-obnam-bench.yml
+web.yml
+ambient-dev.yml
obnam-dev.yml
-openpgp-ca-dev.yml
-openpgp-card-dev.yml
-python-mess.yml
-rikiwiki-dev.yml
-roadmap-dev.yml
+radicle-dev.yml
+radicle-multi.yml
rust-dev.yml
-sequoia-dev.yml
-sequoia-web.yml
-sshca-dev.yml
subplot-dev.yml
v-i-dev.yml
-vmadm-dev.yml
vmdb2-dev.yml
-web.yml
"
-parallel chronic ./run-playbook -- $playbooks
+for playbook in $playbooks; do
+ echo "$playbook"
+ chronic ./run-playbook "$playbook"
+done
-cd "$HOME/pers/ick/ick2-ansible"
-chronic ./run-workers.sh ci-prod-controller.vm.liw.fi
+test-ssh-credentials
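Review bot: With `set -eu` in force (context line at the top of the file) the new sequential loop stops at the first playbook whose `./run-playbook` fails, so the remaining VMs are neither provisioned nor reported and `test-ssh-credentials` never runs, whereas the replaced `parallel` form attempted every playbook. If one failure should not mask the others, collect failures and exit non-zero at the end, as below. `test-ssh-credentials` is also resolved via PATH while `./run-playbook` is taken from the checkout; if it lives in this directory it should be `./test-ssh-credentials` for consistency.
```sh
failed=""
for playbook in $playbooks; do
    echo "$playbook"
    chronic ./run-playbook "$playbook" || failed="$failed $playbook"
done
if [ -n "$failed" ]; then
    echo "failed playbooks:$failed" >&2
    exit 1
fi
# … unchanged: test-ssh-credentials …
```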
diff --git a/ansible/stamina.yml b/ansible/stamina.yml
index f2c0a30..713bef1 100644
--- a/ansible/stamina.yml
+++ b/ansible/stamina.yml
@@ -8,7 +8,7 @@
- self-updating-system
- vmhost-minimal
- unix_users
- - smarthost-client
+ - mail-client
tasks:
- apt:
name:
@@ -19,6 +19,7 @@
- ifupdown
- bridge-utils
- moreutils
+ - genisoimage
- apt:
name: ntp
state: absent
@@ -50,6 +51,13 @@
owner: root
group: libvirt
mode: 0775
+ - name: "remove git reps from ~liw"
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - /home/liw/ansibleness
+ - /home/liw/liw-dot-files
- name: "clone ansibleness to ~liw"
git:
repo: git://git.liw.fi/ansibleness
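Review bot: The new "remove git reps from ~liw" task deletes /home/liw/ansibleness and /home/liw/liw-dot-files on every run, so the clone tasks that follow always report changed and any uncommitted local edits on stamina are lost without warning; `force: yes` on the existing `git` tasks gives the same clean checkout idempotently, or the removal could be gated with `when: reclone_liw_repos | default(false)`. Since the tree is now refetched on every run, note that the clone source is the unauthenticated `git://` protocol (context line), so each run trusts the network path for the contents of ~liw/ansibleness. Also, `reps` in the task name reads as a typo for `repos`.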
@@ -59,16 +67,36 @@
repo: git://git.liw.fi/liw-dot-files
dest: /home/liw/liw-dot-files
- name: "set ownership of everything in ~liw/ansibleness and liw-dot-files"
- args:
- warn: false
shell: |
chown -R liw:liw /home/liw/ansibleness /home/liw/liw-dot-files
- name: "configure liw dot files"
- args:
- warn: false
shell: |
sudo -u liw -i bash -c "pwd && ./liw-dot-files/make-symlinks"
sudo -u liw -i bash -c "ln -nsf liw-dot-files/gitconfig-exolobe1 .gitconfig"
+ - name: "remove vmadm config"
+ file:
+ state: absent
+ path: /home/liw/.config/vmadm/config.yaml
+ - name: "install vmadm config"
+ copy:
+ content: |
+ image_directory: /mnt/vms
+ default_autostart: true
+ default_base_image: ~/base-images/bookworm-vm.qcow2
+ default_cpus: 4
+ default_generate_host_certificate: true
+ default_image_gib: 100
+ default_memory_mib: 8192
+ default_networks:
+ - bridge=br0
+ authorized_keys:
+ - ~/.ssh/id_personal.pub
+ ca_key: ~/.ssh/vmadm
+ user_ca_pubkey: ~/.ssh/userca.pub
+ dest: /home/liw/.config/vmadm/config.yaml
+ owner: liw
+ group: liw
+ mode: 0644
- name: "create ~liw/base-images"
file:
state: directory
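Review bot: Nothing visible creates /home/liw/.config/vmadm before the "install vmadm config" task, and `copy` does not create parent directories, so unless the liw role or something outside this hunk makes it, the first run on a fresh host fails here; the only directory task for it was already commented out and is deleted in a later hunk of this file. The preceding "remove vmadm config" task is also redundant and makes the play non-idempotent: `copy` already replaces the file atomically, but deleting it first means the install task reports changed on every run and there is a window with no config at all. A `file: state: directory` task for the parent (owner liw, mode "0755") in place of the removal task would fix both. Minor style: `mode: 0644` is an unquoted octal (YAML 1.1 reads it as the integer 420, which Ansible then reinterprets); `mode: "0644"` is the unambiguous form, though the rest of the file uses the bare form too.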
@@ -83,18 +111,6 @@
owner: liw
group: liw
mode: 0755
- # - name: "fetch cloud images"
- # get_url:
- # url: "{{ item.url }}"
- # dest: "/home/liw/base-images/{{ item.file }}"
- # owner: liw
- # group: liw
- # mode: 0644
- # with_items:
- # - url: https://cloud.debian.org/images/cloud/bullseye/latest/debian-11-generic-amd64.qcow2
- # file: bullseye.qcow2
- # - url: https://cloud.debian.org/images/cloud/OpenStack/current-10/debian-10-openstack-amd64.qcow2
- # file: buster.qcow2
- name: "create ~liw/.ssh"
file:
state: directory
@@ -122,20 +138,19 @@
then
echo >> /home/liw/.ssh/vmadm
fi
- # - name: "create ~liw/.config/vmadm"
- # file:
- # state: directory
- # path: /home/liw/.config/vmadm
- # owner: liw
- # group: liw
- # mode: 0755
- # - name: "configure vmadm"
- # copy:
- # src: vmadm.yaml
- # dest: /home/liw/.config/vmadm/config.yaml
- # owner: liw
- # group: liw
- # mode: 0644
+ - name: "install SSH user CA key"
+ copy:
+ content: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"
+ dest: /home/liw/.ssh/userca.pub
+ owner: liw
+ group: liw
+ mode: 0644
+ - name: "ensure SSH user CA key file ends in a newline"
+ shell: |
+ if [ "$(tail -n1 /home/liw/.ssh/userca.pub | wc -l)" = 0 ]
+ then
+ echo >> /home/liw/.ssh/userca.pub
+ fi
- name: "enable libvirt 'default' network"
virt_net:
name: default
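Review bot: The "ensure SSH user CA key file ends in a newline" shell task runs, and reports changed, on every play because it has no `changed_when` or `creates`; the newline can come from the `copy` task itself with `content: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}\n"`, which makes the shell task unnecessary. The same pattern already exists for ~liw/.ssh/vmadm in the context lines above and would benefit from the same treatment. Note also that `lookup('pipe', ...)` executes `sshca` on the controller, so the play depends on the controller having the liw.fi/ca/user/v5 CA configured; a short comment on the copy task saying so would save the next person a confusing failure.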
@@ -146,16 +161,16 @@
sane_debian_system_version: 2
sane_debian_system_hostname: "{{ inventory_hostname}}"
- sane_debian_system_codename: bullseye
+ sane_debian_system_codename: bookworm
sane_debian_system_sources_lists:
- repo: |
- deb http://security.debian.org/debian-security buster/updates main contrib non-free
+ deb http://deb.debian.org/debian bookworm contrib non-free
- repo: |
- deb http://deb.debian.org/debian buster contrib non-free
+ deb http://security.debian.org/debian-security bookworm-security main contrib non-free
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
unix_users_version: 2
unix_users:
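Review bot: The bookworm main line here (`deb http://deb.debian.org/debian bookworm contrib non-free`) omits `non-free-firmware`, which the same commit adds for solace (first hunk of this page) and for x220.yml; stamina is a physical VM host (vmhost-minimal role, kvm group), so it is the machine most likely to need firmware packages, which bookworm moved into that component. If the omission is intentional a short comment would help; otherwise append `non-free-firmware` to the main line and, for consistency, to the bookworm-security line as well.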
@@ -164,6 +179,7 @@
sudo: yes
groups:
- libvirt
+ - kvm
authorized_keys: |
{{ liw_personal_ssh_pub }}
- username: root
@@ -177,6 +193,3 @@
smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
sshd_version: 1
- sshd_host_key: "{{ lookup('pipe', 'sshca host private-key stamina') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 stamina') }}"
- sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"
diff --git a/ansible/subplot-dan.hz b/ansible/subplot-dan.hz
deleted file mode 100644
index 8038af3..0000000
--- a/ansible/subplot-dan.hz
+++ /dev/null
@@ -1,5 +0,0 @@
-defaults:
- type: cx21
- image: debian-10
-hosts:
- - name: dev
diff --git a/ansible/subplot-dan.yml b/ansible/subplot-dan.yml
deleted file mode 100644
index 56a3d9b..0000000
--- a/ansible/subplot-dan.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-- hosts: dev
- remote_user: root
- roles:
- - sane_debian_system
- - comfortable-debian-system
- - unix_users
- - self-updating-system
- tasks:
- - apt:
- name:
- - curl
- - build-essential
- - clang
- - pkg-config
- - nettle-dev
- - libssl-dev
- - capnproto
- - libsqlite3-dev
- vars:
- hostname: subplot-dev
- debian_codename: buster
-
- unix_users:
- - username: liw
- comment: Lars Wirzenius
- sudo: yes
- authorized_keys: |
- {{ liw_personal_ssh_pub }}
- - username: dan
- comment: Dan
- sudo: yes
- authorized_keys: |
- {{ dan_ssh_pub }}
- - username: dsilvers
- comment: Daniel
- sudo: yes
- authorized_keys: |
- {{ dsilvers_ssh_pub }}
diff --git a/ansible/subplot-dev.yml b/ansible/subplot-dev.yml
index 71741e7..0ad4ae6 100644
--- a/ansible/subplot-dev.yml
+++ b/ansible/subplot-dev.yml
@@ -3,49 +3,38 @@
become: yes
roles:
- role: sane_debian_system
- tags: [sane]
- role: sshd
- tags: [sshd]
- role: comfortable-debian-system
- tags: [comfy]
- role: unix_users
- tags: [users]
- role: rust-rustup
- tags: [rustup]
- role: liw
- tags: [liw]
tasks:
- apt:
+ name: ca-certificates-java
+ default_release: bookworm-backports
+ - apt:
name:
- build-essential
- daemonize
- debhelper
- - dh-cargo
- graphviz
- librsvg2-bin
- - lmodern
- - pandoc
- - pandoc-citeproc
- plantuml
- python3
- python3-requests
- - texlive-fonts-recommended
- - texlive-latex-base
- - texlive-latex-recommended
- - texlive-plain-generic
+ - tidy
vars:
ansible_python_interpreter: /usr/bin/python3
sane_debian_system_version: 2
- sane_debian_system_hostname: subplot-dev
- sane_debian_system_codename: bullseye
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
sane_debian_system_timezone: Europe/Helsinki
sane_debian_system_sources_lists:
- repo: |
- deb http://security.debian.org/debian-security bullseye-security main contrib non-free
-
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
+ deb http://security.debian.org/debian-security bookworm-security main contrib non-free
+ - repo: |
+ deb http://deb.debian.org/debian bookworm-backports main contrib non-free
unix_users_version: 2
unix_users:
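Review bot: The `ca-certificates-java` task pinned to `default_release: bookworm-backports`, repeated verbatim in v-i-dev.yml and vmadm-dev.yml in this commit, carries no explanation of why the backports build is required, so a future maintainer cannot tell whether it works around a bookworm packaging problem (removable once fixed) or is a hard requirement of plantuml. A comment above the task, e.g. `# ca-certificates-java: bookworm-backports build needed — TODO record why (bug/issue reference)`, in the first of the three files would do. Note also that the ci-prod-controller entry removed here is not replaced by the apt.liw.fi entry the other dev playbooks gain; if subplot-dev no longer needs packages from there that is fine, but it is the one playbook in the commit that drops the repo rather than migrating it.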
@@ -53,4 +42,3 @@
comment: Lars Wirzenius
sshd_version: 1
- sshd_allow_authorized_keys: yes
diff --git a/ansible/sequoia-dev.yml b/ansible/texlive.yml
index f7ecaf5..7945b5b 100644
--- a/ansible/sequoia-dev.yml
+++ b/ansible/texlive.yml
@@ -1,4 +1,4 @@
-- hosts: sequoia-dev
+- hosts: texlive
remote_user: debian
become: yes
roles:
@@ -8,51 +8,37 @@
tags: [sshd]
- role: unix_users
tags: [users]
- - role: rust-rustup
- tags: [rustup]
- role: liw
tags: [liw]
-
tasks:
- apt:
name:
- - build-essential
- - cargo
- - capnproto
- - clang
- - debhelper
- - dh-cargo
- - libclang-dev
- - libsqlite3-dev
- - libssl-dev
- - llvm
- - locales-all
- - moreutils
- - nettle-dev
- - pkg-config
- rsync
- - rustc
- - screen
- - shellcheck
- - subplot
+ - graphviz
+ - librsvg2-bin
+ - lmodern
+ - pandoc
+ - pandoc-citeproc
+ - pandoc-filter-diagram
+ - make
+ - plantuml
+ - python3
- texlive-fonts-recommended
- texlive-latex-base
+ - texlive-latex-extra
- texlive-latex-recommended
-
+ - texlive-plain-generic
vars:
ansible_python_interpreter: /usr/bin/python3
sane_debian_system_version: 2
- sane_debian_system_hostname: sequoia-dev
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
sane_debian_system_codename: bullseye
sane_debian_system_timezone: Europe/Helsinki
sane_debian_system_sources_lists:
- repo: |
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
-
unix_users_version: 2
unix_users:
- username: liw
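Review bot: texlive.yml keeps `sane_debian_system_codename: bullseye` and `pandoc-citeproc` in its package list while every other playbook in this commit moves to bookworm, and the bookworm moves in subplot-dev.yml and v-i-dev.yml drop `pandoc-citeproc` at the same time, which suggests it is not installable there. If texlive is meant to stay on bullseye a comment such as `# bullseye on purpose: pandoc-citeproc is still needed here` next to the codename would stop the next mass upgrade from breaking the play; if it should move, drop pandoc-citeproc together with the codename change.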
diff --git a/ansible/unpack-dsc.yml b/ansible/unpack-dsc.yml
new file mode 100644
index 0000000..55d0dcd
--- /dev/null
+++ b/ansible/unpack-dsc.yml
@@ -0,0 +1,32 @@
+- hosts: unpack-dsc
+ remote_user: debian
+ become: yes
+ roles:
+ - role: sane_debian_system
+ - role: sshd
+ - role: unix_users
+ - role: liw
+ tasks:
+ - apt:
+ name:
+ - dpkg-dev
+ - git
+ - moreutils
+ - psmisc
+ - pv
+ - rsync
+ - screen
+ - strace
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
+ sane_debian_system_mirror: deb.debian.org
+
+ unix_users_version: 2
+ unix_users:
+ - username: liw
+
+ sshd_version: 1
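Review bot: unpack-dsc.yml defines no `sane_debian_system_sources_lists`, so unless the sane_debian_system role adds the security suite on its own this host never receives bookworm-security updates; the other new playbook in this commit, wumpus.liw.fi.yml, lists it explicitly, and subplot-dev.yml and stamina.yml carry it too. Suggest adding `sane_debian_system_sources_lists:` with `- repo: deb http://security.debian.org/debian-security bookworm-security main` under vars, or a comment stating that the role provides it.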
diff --git a/ansible/v-i-dev.yml b/ansible/v-i-dev.yml
index c9eadec..413f780 100644
--- a/ansible/v-i-dev.yml
+++ b/ansible/v-i-dev.yml
@@ -16,39 +16,39 @@
tags: [liw]
tasks:
- apt:
+ name: ca-certificates-java
+ default_release: bookworm-backports
+ - apt:
name:
- ansible
- build-essential
- cryptsetup
- dosfstools
+ - expect
- graphviz
- kpartx
- librsvg2-bin
- - lmodern
- lvm2
- moreutils
+ - ovmf
- pandoc
- - pandoc-citeproc
- parted
- plantuml
- python3
- python3
- python3-requests
- python3-yaml
+ - qemu-system-x86
- qemu-utils
- subplot
- - texlive-fonts-recommended
- - texlive-latex-base
- - texlive-latex-recommended
- - texlive-plain-generic
- vmdb2
- zerofree
vars:
ansible_python_interpreter: python3
sane_debian_system_version: 2
- sane_debian_system_hostname: v-i-dev
- sane_debian_system_codename: bullseye
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
timezone: Europe/Helsinki
@@ -59,8 +59,10 @@
sudo: yes
sane_debian_system_sources_lists:
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
+ - repo: |
+ deb http://deb.debian.org/debian bookworm-backports main contrib non-free
sshd_version: 1
sshd_allow_authorized_keys: yes
diff --git a/ansible/vmadm-dev.yml b/ansible/vmadm-dev.yml
index 2f5aaa5..f103382 100644
--- a/ansible/vmadm-dev.yml
+++ b/ansible/vmadm-dev.yml
@@ -18,12 +18,17 @@
tags: [liw]
tasks:
- apt:
+ name: ca-certificates-java
+ default_release: bookworm-backports
+ - apt:
name:
- build-essential
+ - libclang-dev
- curl
- libvirt-dev
- moreutils
- plantuml
+ - python3-coverage-test-runner
- python3-libvirt
- python3-lxml
- python3-yaml
@@ -38,12 +43,10 @@
group: liw
mode: 0644
- virt_net:
+ xml: /usr/share/libvirt/networks/default.xml
name: default
+ command: define
autostart: yes
- - virt_net:
- name: default
- command: start
- state: active
- user:
name: liw
groups:
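Review bot: Two issues with the reworked `virt_net` task: the removed `command: start` task is not replaced, so on a fresh host the default network is defined and marked autostart but not active until libvirtd next restarts; the old `state: active` step should stay, as a separate task if the module does not accept `state` and `command` together. Second, if I recall the module correctly, `xml` takes the network definition itself rather than a path, in which case `xml: /usr/share/libvirt/networks/default.xml` will be rejected; it would need the file's contents supplied (for a file on the managed node, `slurp` it first and pass `{{ result.content | b64decode }}`), or `lookup('file', ...)` if a copy exists on the controller.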
@@ -53,10 +56,12 @@
sane_debian_system_version: 2
sane_debian_system_hostname: vmadm-dev
- sane_debian_system_codename: bullseye
+ sane_debian_system_codename: bookworm
sane_debian_system_sources_lists:
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
+ - repo: |
+ deb http://deb.debian.org/debian bookworm-backports main contrib non-free
timezone: Europe/Helsinki
diff --git a/ansible/vmdb2-dev.yml b/ansible/vmdb2-dev.yml
index ef2cca6..d36689b 100644
--- a/ansible/vmdb2-dev.yml
+++ b/ansible/vmdb2-dev.yml
@@ -22,6 +22,7 @@
- cmdtest
- cryptsetup
- debhelper
+ - debian-ports-archive-keyring
- debootstrap
- dosfstools
- expect
@@ -29,6 +30,7 @@
- kpartx
- lvm2
- moreutils
+ - ovmf
- pandoc
- parted
- python3-all
@@ -45,14 +47,13 @@
- texlive-fonts-recommended
- texlive-latex-base
- texlive-latex-recommended
- - vmdb2
- zerofree
vars:
ansible_python_interpreter: python3
sane_debian_system_version: 2
- sane_debian_system_hostname: vmdb2-dev
- sane_debian_system_codename: bullseye
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
timezone: Europe/Helsinki
@@ -63,8 +64,8 @@
sudo: yes
sane_debian_system_sources_lists:
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
sshd_version: 1
sshd_allow_authorized_keys: yes
diff --git a/ansible/web.yml b/ansible/web.yml
index 26f0602..abc5687 100644
--- a/ansible/web.yml
+++ b/ansible/web.yml
@@ -97,12 +97,12 @@
ansible_python_interpreter: /usr/bin/python3
sane_debian_system_version: 2
- sane_debian_system_hostname: web
- sane_debian_system_codename: bullseye
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
sane_debian_system_mirror: deb.debian.org
sane_debian_system_sources_lists:
- - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
- signing_key: "{{ ci_prod_signing_key }}"
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
unix_users_version: 2
unix_users:
diff --git a/ansible/wumpus.liw.fi.yml b/ansible/wumpus.liw.fi.yml
new file mode 100644
index 0000000..0be5379
--- /dev/null
+++ b/ansible/wumpus.liw.fi.yml
@@ -0,0 +1,52 @@
+- hosts: wumpus.liw.fi
+ remote_user: root
+ become: yes
+ roles:
+ - role: sane_debian_system
+ - role: sshd
+ - role: comfortable-debian-system
+ - role: unix_users
+ - role: apache_server
+ - role: rust-rustup
+ - role: liw
+ tasks:
+ - name: "install important additional packages"
+ apt:
+ name:
+ - moreutils
+ - nmap
+ - ripgrep
+
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
+ sane_debian_system_timezone: Europe/Helsinki
+ sane_debian_system_sources_lists:
+ - repo: |
+ deb http://security.debian.org/debian-security bookworm-security main contrib non-free
+
+ unix_users_version: 2
+ unix_users:
+ - username: liw
+ comment: Lars Wirzenius
+
+ sshd_version: 1
+
+ rustup_cargo_install: |
+ starship
+
+ letsencrypt: yes
+ letsencrypt_email: liw@liw.fi
+ letsencrypt_main_domain: wumpus.liw.fi
+ certbot_debian_release: bookworm
+
+ static_sites:
+
+ - domain: wumpus.liw.fi
+ owner: liw
+ ownermail: liw@liw.fi
+ letsencrypt: yes
+ letsencrypt_cert: cert01
diff --git a/ansible/x220-puomi.yml b/ansible/x220-puomi.yml
new file mode 100644
index 0000000..76e176e
--- /dev/null
+++ b/ansible/x220-puomi.yml
@@ -0,0 +1,26 @@
+- hosts: x220
+ remote_user: root
+ roles:
+ - role: sane_debian_system
+ - role: ssd
+ - role: sshd
+ - role: intel-wifi
+ - role: puomi
+
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
+ sane_debian_system_timezone: Europe/Helsinki
+ sane_debian_system_sources_lists:
+ - repo: |
+ deb http://security.debian.org/debian-security bookworm-security main contrib non-free
+
+ - repo: |
+ deb http://deb.debian.org/debian bookworm-backports main contrib non-free
+
+ sshd_version: 1
+
+ puomi_version: 1
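Review bot: This playbook applies the `puomi` and `intel-wifi` roles but defines only `puomi_version`, while the `puomi_lan_ip`, `puomi_dhcp_*`, `puomi_essid`, `puomi_wifi_country_code` and `puomi_wifi_passphrase` variables that x220.yml used to supply are removed there and not added here, so unless they now come from group_vars or a vault the role will fail on undefined variables. Keeping the passphrase out of the playbook is the right move; a comment such as `# puomi_* settings (incl. wifi passphrase) come from <vault/group_vars path — TODO>` above `puomi_version` would document where they live. The sources list also lacks the `bookworm ... non-free-firmware` line that x220.yml gets, and a ThinkPad with an Intel wireless card typically needs firmware from that component; if the role or the mirror variable covers it, a comment would help here too.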
diff --git a/ansible/x220.yml b/ansible/x220.yml
index 7bcd10b..a2f562a 100644
--- a/ansible/x220.yml
+++ b/ansible/x220.yml
@@ -3,46 +3,47 @@
roles:
- role: sane_debian_system
- role: sshd
- - role: ssd
- role: unix_users
- - role: thinkpad
- - role: puomi
+ - role: comfortable-debian-system
+ - role: intel-wifi
+ - role: gnome-system
+ - role: unix_users
+ - role: liw
tasks:
- - lineinfile:
- path: /etc/systemd/logind.conf
- regexp: HandleLidSwitch=
- line: HandleLidSwitch=ignore
- - lineinfile:
- path: /etc/systemd/logind.conf
- regexp: HandleLidSwitchExternalPower=
- line: HandleLidSwitchExternalPower=ignore
- - systemd:
- name: systemd-logind
- state: restarted
+ - name: "install desktop"
+ apt:
+ name:
+ - gnome
+
vars:
ansible_python_interpreter: /usr/bin/python3
sane_debian_system_version: 2
sane_debian_system_hostname: "{{ inventory_hostname }}"
- sane_debian_system_codename: bullseye
+ sane_debian_system_codename: bookworm
sane_debian_system_timezone: Europe/Helsinki
+ sane_debian_system_sources_lists:
+ - repo: |
+ deb http://deb.debian.org/debian bookworm contrib non-free non-free-firmware
+
+ - repo: |
+ deb http://security.debian.org/debian-security bookworm-security main contrib non-free
+
+ - repo: |
+ deb http://deb.debian.org/debian bookworm-backports main contrib non-free
unix_users_version: 2
unix_users:
- username: liw
comment: Lars Wirzenius
+ groups:
+ - audio
+ - dialout
+ - dip
+ - floppy
+ - netdev
+ - plugdev
+ - video
sshd_version: 1
- sshd_host_key: "{{ lookup('pipe', 'sshca host private-key x220') }}"
- sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 x220') }}"
- sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"
-
- puomi_lan_ip: 10.3.3.1
- puomi_dhcp_start: 10.3.3.10
- puomi_dhcp_end: 10.3.3.250
- puomi_dhcp_netmask: 255.255.255.0
- puomi_dhcp_lease: 1h
- puomi_essid: Valkama3
- puomi_wifi_country_code: FI
- puomi_wifi_passphrase: Oomam2ah
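Review bot: `- role: unix_users` now appears twice in the roles list (once as a context line, once added); Ansible runs identical parameterless role entries only once, so it is harmless at runtime, but the duplicate should go. The new `bookworm-security` line omits `non-free-firmware` although the main `bookworm` line right above it has it; security updates for firmware packages live in that component too, so append it for consistency. Lastly, the wifi passphrase removed from the bottom of the file stays in git history, so it should be treated as exposed and rotated on the access point and wherever it is now stored.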
diff --git a/base-image/Makefile b/base-image/Makefile
index 7af2dd1..394a298 100644
--- a/base-image/Makefile
+++ b/base-image/Makefile
@@ -1,4 +1,4 @@
-qcows = bullseye-vm.qcow2
+qcows = bullseye-vm.qcow2 bookworm-vm.qcow2
.SUFFIXES: .vmdb .img .qcow2
diff --git a/base-image/base-image.yml b/base-image/base-image.yml
index 84d938f..d53df26 100644
--- a/base-image/base-image.yml
+++ b/base-image/base-image.yml
@@ -21,6 +21,7 @@
mode: 0600
- shell: |
apt clean
+ sed -i 's/^root:[^:]*:/root::/' /etc/shadow /etc/passwd
vars:
hostname: bullseye
ansible_python_interpreter: /usr/bin/python3
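Review bot: The added `sed` empties root's password field unconditionally for every image built from this playbook, so anything booted from the result accepts `root` with an empty password on the console, and over ssh if `PermitEmptyPasswords` is ever enabled. Since this commit introduces a `passwordless_root` variable in the v-i specs (kea-spec.yaml, qotom-spec.yaml), gating this line the same way, e.g. `when: passwordless_root | default(false)` on a task of its own, would keep the default image safe and make the intent greppable. Editing /etc/passwd as well as /etc/shadow is also more than needed: with an empty field in /etc/passwd the shadow entry is, as far as I recall, no longer consulted by pam_unix, so a later `passwd root` on the installed system would not re-enable password checking; restricting the sed to /etc/shadow avoids that trap.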
diff --git a/base-image/bookworm-vm.vmdb b/base-image/bookworm-vm.vmdb
new file mode 100644
index 0000000..9d6186c
--- /dev/null
+++ b/base-image/bookworm-vm.vmdb
@@ -0,0 +1,51 @@
+steps:
+ - mkimg: "{{ output }}"
+ size: 4G
+
+ - mklabel: msdos
+ device: "{{ output }}"
+
+ - mkpart: primary
+ device: "{{ output }}"
+ start: 0%
+ end: 50%
+ tag: /
+
+ - kpartx: "{{ output }}"
+
+ - mkfs: ext4
+ partition: /
+
+ - mount: /
+
+ - unpack-rootfs: /
+
+ - debootstrap: bookworm
+ mirror: http://deb.debian.org/debian
+ target: /
+ unless: rootfs_unpacked
+
+ - apt: install
+ packages:
+ - linux-image-amd64
+ recommends: false
+ tag: /
+ unless: rootfs_unpacked
+
+ - cache-rootfs: /
+ unless: rootfs_unpacked
+
+ - chroot: /
+ shell: |
+ apt-get -y install python3 parted acpi
+
+ - fstab: /
+
+ - resize-rootfs: /
+
+ - ansible: /
+ playbook: base-image.yml
+
+ - grub: bios
+ tag: /
+ quiet: false
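Review bot: The `ansible: /` step reuses base-image.yml, whose `vars` still hard-code `hostname: bullseye` (visible as context in the base-image.yml hunk above), so the bookworm image will come out with a bullseye hostname; either parameterise the hostname in base-image.yml or add a comment there stating that the value is cosmetic. A one-line header comment in this file naming how it differs from bullseye-vm.vmdb would also make the two images easier to keep in step.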
diff --git a/base-image/bullseye-vm.sh b/base-image/bullseye-vm.sh
deleted file mode 100755
index b40229e..0000000
--- a/base-image/bullseye-vm.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-tarball="$1"
-
-sudo vmdb2 bullseye-vm.vmdb \
- --output bullseye-vm.img \
- --log bullseye-vm.log \
- --rootfs-tarball "$tarball" \
- --verbose
-
-qemu-img convert -f raw -O qcow2 bullseye-vm.img bullseye-vm.qcow2
diff --git a/base-image/eth0.network b/base-image/eth0.network
new file mode 100644
index 0000000..e871c69
--- /dev/null
+++ b/base-image/eth0.network
@@ -0,0 +1,5 @@
+[Match]
+Name=eth0
+
+[Network]
+DHCP=yes
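Review bot: `Name=eth0` only matches if the guest boots with predictable interface names disabled (`net.ifnames=0` on the kernel command line); the bookworm-vm.vmdb in this commit shows no such setting, so on a stock bookworm kernel the VM's NIC would be `enp*`/`ens*` and this unit would never apply, leaving the guest without DHCP. Unless the grub step passes that option somewhere not visible here, match more broadly, e.g. `Name=eth* en*` or `Type=ether`.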
diff --git a/v-i/exolobe1-spec.yaml b/v-i/exolobe1-spec.yaml
index b063753..cdfbaf3 100644
--- a/v-i/exolobe1-spec.yaml
+++ b/v-i/exolobe1-spec.yaml
@@ -1,19 +1,9 @@
hostname: exolobe1
+luks: asdf
drive: /dev/sda
extra_lvs:
- name: home
size: 300G
mounted: /home
-ansible_vars:
- host_key: |
- -----BEGIN OPENSSH PRIVATE KEY-----
- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
- QyNTUxOQAAACDrR+77pLmmtG2oAtcaot5ZIgU7FriMoDSCejG33dsfjgAAAIietrwbnra8
- GwAAAAtzc2gtZWQyNTUxOQAAACDrR+77pLmmtG2oAtcaot5ZIgU7FriMoDSCejG33dsfjg
- AAAEAugoV1wqYMsAYSW1su3W3WyWh4ZIWNbvDIkphOGOS0eetH7vukuaa0bagC1xqi3lki
- BTsWuIygNIJ6Mbfd2x+OAAAAAAECAwQF
- -----END OPENSSH PRIVATE KEY-----
- host_cert: |
- ssh-ed25519-cert-v01@openssh.com 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 /tmp/.tmpximUbQ/sub.pub
- user_pub: |
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems
+ansible_vars_files:
+ - hostid.yml
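Review bot: `luks: asdf` commits what looks like the disk-encryption passphrase for exolobe1 to the repository as a four-character literal; if that field is what the installer feeds to LUKS, the encryption adds no real protection and the value is readable by anyone with access to this repo. Supply it at install time instead (prompt, environment, or an untracked file the spec references the way `ansible_vars_files` now does for hostid.yml) and leave a comment in the spec saying where it comes from. The host private key removed from this file remains in git history; hostid.py regenerates the key on each run so a fresh hostid.yml will rotate it, but the old certificate should be considered burned regardless.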
diff --git a/v-i/hostid.py b/v-i/hostid.py
new file mode 100755
index 0000000..d87d3a6
--- /dev/null
+++ b/v-i/hostid.py
@@ -0,0 +1,73 @@
+#!/usr/bin/python3
+
+import argparse
+import yaml
+import sys
+from subprocess import run, PIPE
+
+
+DEFAULT_HOST_CA = "liw.fi/ca/host/v5"
+DEFAULT_USER_CA = "liw.fi/ca/user/v5"
+
+
+class HostId:
+ def __init__(self):
+ self.user_ca_pubkey = None
+ self.host_key = None
+ self.host_cert = None
+
+ def set_user_ca_pubkey(self, value):
+ self.user_ca_pubkey = value
+
+ def set_host_key(self, value):
+ self.host_key = value
+
+ def set_host_cert(self, value):
+ self.host_cert = value
+
+ def to_dict(self):
+ return {
+ "user_ca_pubkey": self.user_ca_pubkey,
+ "host_key": self.host_key,
+ "host_cert": self.host_cert,
+ }
+
+
+def sshca(args):
+ p = run(["sshca"] + args, capture_output=True, check=True)
+ return p.stdout.decode().strip()
+
+
+def user_ca_pubkey(ca_name):
+ return sshca(["ca", "public-key", ca_name]).strip()
+
+
+def host_key(hostname):
+ sshca(["host", "regenerate", hostname])
+ return sshca(["host", "private-key", hostname]).strip()
+
+
+def host_cert(ca_name, hostname):
+ return sshca(["host", "certify", "--ca", ca_name, hostname]).strip()
+
+
+def main():
+ parser = argparse.ArgumentParser()
+ parser.add_argument("--hostname", required=True)
+ parser.add_argument("--host-ca", default=DEFAULT_HOST_CA)
+ parser.add_argument("--user-ca", default=DEFAULT_USER_CA)
+ values = parser.parse_args()
+
+ hostname = values.hostname
+ host_ca = values.host_ca
+ user_ca = values.user_ca
+
+ hostid = HostId()
+ hostid.set_user_ca_pubkey(user_ca_pubkey(user_ca))
+ hostid.set_host_key(host_key(hostname))
+ hostid.set_host_cert(host_cert(host_ca, hostname))
+ yaml.safe_dump(hostid.to_dict(), stream=sys.stdout, indent=4)
+
+
+if __name__ == "__main__":
+ main()
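Review bot: `host_key()` calls `sshca host regenerate` unconditionally, so every invocation of hostid.py replaces the host's private key and invalidates the certificate already deployed to that host; now that the spec files point at a generated hostid.yml, re-running the script to refresh the file is the natural thing to do and will silently break the live host. Regeneration should be opt-in via a flag, as in the excerpt below. `sshca()` also loses sshca's stderr on failure (`capture_output=True` plus `check=True` leaves the text only inside the exception), `PIPE` is imported but unused, and the output contains a private key, so the caller's umask decides who can read hostid.yml — an `--output` option that writes the file with mode 0600 would be safer than relying on shell redirection.
```python
def sshca(args):
    # Surface sshca's own diagnostics: with capture_output the stderr text
    # would otherwise only live inside the CalledProcessError object.
    p = run(["sshca"] + args, capture_output=True)
    if p.returncode != 0:
        sys.stderr.write(p.stderr.decode())
        sys.exit(f"sshca {' '.join(args)} failed with status {p.returncode}")
    return p.stdout.decode().strip()


def host_key(hostname, regenerate=False):
    # Regenerating replaces the host's private key and invalidates any
    # certificate already deployed for it; only do so on request.
    if regenerate:
        sshca(["host", "regenerate", hostname])
    return sshca(["host", "private-key", hostname])

# … unchanged: user_ca_pubkey, host_cert, HostId …

    parser.add_argument("--regenerate", action="store_true")
    # … unchanged: remaining argument parsing …
    hostid.set_host_key(host_key(hostname, regenerate=values.regenerate))
```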
diff --git a/v-i/kea-spec.yaml b/v-i/kea-spec.yaml
index 5b82490..d19609c 100644
--- a/v-i/kea-spec.yaml
+++ b/v-i/kea-spec.yaml
@@ -1,6 +1,10 @@
hostname: kea
-luks: asdf
drive: /dev/sda
+extra_lvs:
+ - name: home
+ size: 20G
+ mounted: /home
+ansible_vars_files:
+ - hostid.yml
ansible_vars:
- user_pub: |
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems
+ passwordless_root: true
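Review bot: `passwordless_root: true` is introduced here with no note on what consumes it or why this host needs it, while the solace, stamina and upliw specs in the same commit do not set it; the same applies to the qotom-spec.yaml, x220-puomi-spec.yaml and x220-spec.yaml hunks. Presumably it lets the installed system be entered as root without a password, which is a deliberate weakening worth a comment next to the key, such as `# passwordless_root: root login needs no password on this host; <reason>, remove once <condition>` with the placeholders filled in.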
diff --git a/v-i/qotom-spec.yaml b/v-i/qotom-spec.yaml
index 23e722b..7f593d0 100644
--- a/v-i/qotom-spec.yaml
+++ b/v-i/qotom-spec.yaml
@@ -1,15 +1,8 @@
hostname: qotom
drive: /dev/sda
+extra_playbooks:
+ - puomi-playbook.yml
+ansible_vars_files:
+ - hostid.yml
ansible_vars:
- host_key: |
- -----BEGIN OPENSSH PRIVATE KEY-----
- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
- QyNTUxOQAAACBb1EpgwZ1snHx38tQIWjg5O/cnpVWipTZpGcWQHtcmjwAAAIjOAeqazgHq
- mgAAAAtzc2gtZWQyNTUxOQAAACBb1EpgwZ1snHx38tQIWjg5O/cnpVWipTZpGcWQHtcmjw
- AAAEBhCtpBXjQkLAgy7exucw1mx8BvwkmxQq3fy6CxaoMRtlvUSmDBnWycfHfy1AhaODk7
- 9yelVaKlNmkZxZAe1yaPAAAAAAECAwQF
- -----END OPENSSH PRIVATE KEY-----
- host_cert: |
- ssh-ed25519-cert-v01@openssh.com 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 /tmp/.tmpYrs8LV/sub.pub
- user_pub: |
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems
+ passwordless_root: true
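Review bot: The removed `host_key` block is an OpenSSH private key that was committed in plain text and stays recoverable from git history, so the key should be treated as exposed and the host identity rotated rather than merely moved into `hostid.yml`; the new hostid.py does run `sshca host regenerate`, so confirming it has been run for qotom would close this. The removed `host_cert` was issued for that same key and becomes useless once the key is rotated, which is consistent with regenerating both together.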
diff --git a/v-i/solace-spec.yaml b/v-i/solace-spec.yaml
index e518e73..925c5d4 100644
--- a/v-i/solace-spec.yaml
+++ b/v-i/solace-spec.yaml
@@ -1,6 +1,8 @@
hostname: solace
-luks: asdf
drive: /dev/nvme0n1
-ansible_vars:
- user_pub: |
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems
+extra_lvs:
+ - name: home
+ size: 300G
+ mounted: /home
+ansible_vars_files:
+ - hostid.yml
diff --git a/v-i/stamina-spec.yaml b/v-i/stamina-spec.yaml
index 3eb2cf6..6a9aede 100644
--- a/v-i/stamina-spec.yaml
+++ b/v-i/stamina-spec.yaml
@@ -6,6 +6,5 @@ extra_lvs:
- name: vms
size: 500G
mounted: /mnt/vms
-ansible_vars:
- user_pub: |
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems
+ansible_vars_files:
+ - hostid.yml
diff --git a/v-i/upliw-spec.yaml b/v-i/upliw-spec.yaml
new file mode 100644
index 0000000..aead751
--- /dev/null
+++ b/v-i/upliw-spec.yaml
@@ -0,0 +1,9 @@
+hostname: upliw0
+luks: asdf
+drive: /dev/nvme0n1
+extra_lvs:
+ - name: home
+ size: 100G
+ mounted: /home
+ansible_vars_files:
+ - hostid.yml
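Review bot: `luks: asdf` on the second line of the new file looks like a placeholder value — the kea, solace and x220 hunks in this commit remove exactly that line — and if `luks` is the disk-encryption passphrase (not visible from this diff) it is both weak and committed to the repository. Either drop the key as the other specs do, or keep an obviously labelled placeholder with a comment saying where the real value is supplied, e.g. `luks: "<set at install time>"  # real passphrase is not stored in this repo`.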
diff --git a/v-i/x220-puomi-spec.yaml b/v-i/x220-puomi-spec.yaml
new file mode 100644
index 0000000..98d32fb
--- /dev/null
+++ b/v-i/x220-puomi-spec.yaml
@@ -0,0 +1,8 @@
+hostname: x220
+drive: /dev/sda
+extra_playbooks:
+ - puomi-playbook.yml
+ansible_vars_files:
+ - hostid.yml
+ansible_vars:
+ passwordless_root: true
diff --git a/v-i/x220-spec.yaml b/v-i/x220-spec.yaml
index 3ef3296..1dfb393 100644
--- a/v-i/x220-spec.yaml
+++ b/v-i/x220-spec.yaml
@@ -1,8 +1,10 @@
hostname: x220
-luks: asdf
-drive: /dev/sdb
-ansible_vars:
- user_ca_pubkey: |
- sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAnrswi6ZNElxSgt6ak5hjSNIkVte11ht7BG3qpBJU4hAAAABHNzaDo=
+drive: /dev/sda
+extra_lvs:
+ - name: home
+ size: 20G
+ mounted: /home
ansible_vars_files:
- hostid.yml
+ansible_vars:
+ passwordless_root: true
diff --git a/vmadm/exolobe2/debian-mirror.yaml b/vmadm/exolobe2/debian-mirror.yaml
index 9a7846a..bc9b7df 100644
--- a/vmadm/exolobe2/debian-mirror.yaml
+++ b/vmadm/exolobe2/debian-mirror.yaml
@@ -1,3 +1,4 @@
debian-mirror:
- image_size_gib: 200
+ base: ~/base-images/bookworm-vm.qcow2
+ image_size_gib: 500
autostart: true
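Review bot: `base: ~/base-images/bookworm-vm.qcow2` relies on the consumer expanding `~`, while `texlive.yaml` in this same commit writes the same directory as an absolute `/home/liw/base-images/...` path; if vmadm does not expand `~` this path will not resolve, and either way one convention should be used across the vmadm specs. A short comment such as `# ~ is expanded by vmadm` or the absolute form would settle it.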
diff --git a/vmadm/exolobe2/holywood2.yaml b/vmadm/exolobe2/holywood2.yaml
new file mode 100644
index 0000000..fa7a959
--- /dev/null
+++ b/vmadm/exolobe2/holywood2.yaml
@@ -0,0 +1,5 @@
+holywood2:
+ base: ~/base-images/bullseye-vm.qcow2
+ cpus: 2
+ memory_mib: 8192
+ image_size_gib: 10
diff --git a/vmadm/exolobe2/image-dist.yaml b/vmadm/exolobe2/image-dist.yaml
new file mode 100644
index 0000000..e1b7a35
--- /dev/null
+++ b/vmadm/exolobe2/image-dist.yaml
@@ -0,0 +1,5 @@
+image-dist:
+ base: ~/base-images/bullseye-vm.qcow2
+ cpus: 2
+ memory_mib: 1024
+ image_size_gib: 10
diff --git a/vmadm/exolobe2/obnam-server.yaml b/vmadm/exolobe2/obnam-server.yaml
new file mode 100644
index 0000000..19298fc
--- /dev/null
+++ b/vmadm/exolobe2/obnam-server.yaml
@@ -0,0 +1,5 @@
+obnam-server:
+ cpus: 2
+ memory_mib: 4096
+ image_size_gib: 300
+ autostart: true
diff --git a/vmadm/someday-maybe/apt-dev.yaml b/vmadm/someday-maybe/apt-dev.yaml
deleted file mode 100644
index 3cbab11..0000000
--- a/vmadm/someday-maybe/apt-dev.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apt-dev:
- cpus: 16
- memory_mib: 65536
- image_size_gib: 100
diff --git a/vmadm/someday-maybe/billion.yaml b/vmadm/someday-maybe/billion.yaml
index c61f4d5..543dbc6 100644
--- a/vmadm/someday-maybe/billion.yaml
+++ b/vmadm/someday-maybe/billion.yaml
@@ -1,4 +1,4 @@
billion:
cpus: 8
memory_mib: 16384
- image_size_gib: 10
+ image_size_gib: 1024
diff --git a/vmadm/stamina/clab-dev.yaml b/vmadm/someday-maybe/clab-dev.yaml
index 31c882d..31c882d 100644
--- a/vmadm/stamina/clab-dev.yaml
+++ b/vmadm/someday-maybe/clab-dev.yaml
diff --git a/vmadm/stamina/debian-ansible-dev.yaml b/vmadm/someday-maybe/debian-ansible-dev.yaml
index aa80f4a..aa80f4a 100644
--- a/vmadm/stamina/debian-ansible-dev.yaml
+++ b/vmadm/someday-maybe/debian-ansible-dev.yaml
diff --git a/vmadm/stamina/ewww-dev.yaml b/vmadm/someday-maybe/ewww-dev.yaml
index 784050f..784050f 100644
--- a/vmadm/stamina/ewww-dev.yaml
+++ b/vmadm/someday-maybe/ewww-dev.yaml
diff --git a/vmadm/stamina/ewww-test.yaml b/vmadm/someday-maybe/ewww-test.yaml
index 0d88ab1..0d88ab1 100644
--- a/vmadm/stamina/ewww-test.yaml
+++ b/vmadm/someday-maybe/ewww-test.yaml
diff --git a/vmadm/someday-maybe/handbrake.yaml b/vmadm/someday-maybe/handbrake.yaml
new file mode 100644
index 0000000..83d0708
--- /dev/null
+++ b/vmadm/someday-maybe/handbrake.yaml
@@ -0,0 +1,6 @@
+handbrake:
+ autostart: false
+ memory_mib: 16384
+ cpus: 30
+ image_size_gib: 100
+
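Review bot: The new file ends with an extra empty line (the final `+` line of the hunk), which yamllint's `empty-lines` rule flags; the other new vmadm specs in this commit end right after their last key. Drop the trailing blank line so the file ends with exactly one newline after `image_size_gib: 100`.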
diff --git a/vmadm/stamina/jt-dev.yaml b/vmadm/someday-maybe/jt-dev.yaml
index a412c61..a412c61 100644
--- a/vmadm/stamina/jt-dev.yaml
+++ b/vmadm/someday-maybe/jt-dev.yaml
diff --git a/vmadm/stamina/obnam-bench.yaml b/vmadm/someday-maybe/obnam-bench.yaml
index 64e3208..64e3208 100644
--- a/vmadm/stamina/obnam-bench.yaml
+++ b/vmadm/someday-maybe/obnam-bench.yaml
diff --git a/vmadm/someday-maybe/openpgp-ca-dev.yaml b/vmadm/someday-maybe/openpgp-ca-dev.yaml
new file mode 100644
index 0000000..65823f3
--- /dev/null
+++ b/vmadm/someday-maybe/openpgp-ca-dev.yaml
@@ -0,0 +1,4 @@
+openpgp-ca-dev:
+ cpus: 16
+ memory_mib: 16384
+ image_size_gib: 100
diff --git a/vmadm/someday-maybe/openpgp-card-dev.yaml b/vmadm/someday-maybe/openpgp-card-dev.yaml
new file mode 100644
index 0000000..0c38856
--- /dev/null
+++ b/vmadm/someday-maybe/openpgp-card-dev.yaml
@@ -0,0 +1,4 @@
+openpgp-card-dev:
+ cpus: 16
+ memory_mib: 16384
+ image_size_gib: 100
diff --git a/vmadm/stamina/python-mess.yaml b/vmadm/someday-maybe/python-mess.yaml
index 524b5e5..524b5e5 100644
--- a/vmadm/stamina/python-mess.yaml
+++ b/vmadm/someday-maybe/python-mess.yaml
diff --git a/vmadm/someday-maybe/radicle-liw3.yaml b/vmadm/someday-maybe/radicle-liw3.yaml
new file mode 100644
index 0000000..6551f2e
--- /dev/null
+++ b/vmadm/someday-maybe/radicle-liw3.yaml
@@ -0,0 +1,4 @@
+radicle-liw3:
+ cpus: 2
+ memory_mib: 1024
+ image_size_gib: 20
diff --git a/vmadm/someday-maybe/radicle-test.yaml b/vmadm/someday-maybe/radicle-test.yaml
new file mode 100644
index 0000000..db8ef3d
--- /dev/null
+++ b/vmadm/someday-maybe/radicle-test.yaml
@@ -0,0 +1,4 @@
+radicle-test:
+ cpus: 4
+ memory_mib: 8192
+ image_size_gib: 100
diff --git a/vmadm/someday-maybe/riki-dev.yaml b/vmadm/someday-maybe/riki-dev.yaml
new file mode 100644
index 0000000..0131fc1
--- /dev/null
+++ b/vmadm/someday-maybe/riki-dev.yaml
@@ -0,0 +1,4 @@
+riki-dev:
+ cpus: 8
+ memory_mib: 8192
+ image_size_gib: 100
diff --git a/vmadm/someday-maybe/roadmap-dev.yaml b/vmadm/someday-maybe/roadmap-dev.yaml
new file mode 100644
index 0000000..027de7d
--- /dev/null
+++ b/vmadm/someday-maybe/roadmap-dev.yaml
@@ -0,0 +1,4 @@
+roadmap-dev:
+ cpus: 8
+ memory_mib: 4096
+ image_size_gib: 100
diff --git a/vmadm/someday-maybe/ssh-dev.yaml b/vmadm/someday-maybe/ssh-dev.yaml
deleted file mode 100644
index aad3eb1..0000000
--- a/vmadm/someday-maybe/ssh-dev.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-ssh-dev:
- autostart: true
diff --git a/vmadm/stamina/sshca-dev.yaml b/vmadm/someday-maybe/sshca-dev.yaml
index a04aac7..a04aac7 100644
--- a/vmadm/stamina/sshca-dev.yaml
+++ b/vmadm/someday-maybe/sshca-dev.yaml
diff --git a/vmadm/someday-maybe/texlive.yaml b/vmadm/someday-maybe/texlive.yaml
new file mode 100644
index 0000000..08c6d80
--- /dev/null
+++ b/vmadm/someday-maybe/texlive.yaml
@@ -0,0 +1,5 @@
+texlive:
+ cpus: 8
+ memory_mib: 16384
+ image_size_gib: 100
+ base: /home/liw/base-images/bullseye-vm.qcow2
diff --git a/vmadm/someday-maybe/unpack-dsc.yaml b/vmadm/someday-maybe/unpack-dsc.yaml
new file mode 100644
index 0000000..4f8b02e
--- /dev/null
+++ b/vmadm/someday-maybe/unpack-dsc.yaml
@@ -0,0 +1,5 @@
+unpack-dsc:
+ autostart: true
+ image_size_gib: 1000
+ cpus: 30
+ memory_mib: 16384
diff --git a/vmadm/stamina/roadmap-dev.yaml b/vmadm/someday-maybe/vmadm-dev.yaml
index 61d3651..81de98b 100644
--- a/vmadm/stamina/roadmap-dev.yaml
+++ b/vmadm/someday-maybe/vmadm-dev.yaml
@@ -1,4 +1,4 @@
-roadmap-dev:
+vmadm-dev:
cpus: 8
memory_mib: 16384
image_size_gib: 100
diff --git a/vmadm/someday-maybe/vmdb2-dev-sid.yaml b/vmadm/someday-maybe/vmdb2-dev-sid.yaml
new file mode 100644
index 0000000..a117a58
--- /dev/null
+++ b/vmadm/someday-maybe/vmdb2-dev-sid.yaml
@@ -0,0 +1,4 @@
+vmdb2-dev-sid:
+ cpus: 8
+ memory_mib: 16384
+ image_size_gib: 100
diff --git a/vmadm/stamina/sequoia-web.yaml b/vmadm/stamina/ambient-dev.yaml
index 963fdcd..5692bf8 100644
--- a/vmadm/stamina/sequoia-web.yaml
+++ b/vmadm/stamina/ambient-dev.yaml
@@ -1,4 +1,4 @@
-sequoia-web:
+ambient-dev:
cpus: 4
memory_mib: 8192
image_size_gib: 100
diff --git a/vmadm/stamina/icktool.yaml b/vmadm/stamina/icktool.yaml
deleted file mode 100644
index d089a26..0000000
--- a/vmadm/stamina/icktool.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-icktool:
- base: ~/base-images/debian-10-openstack-amd64.qcow2
- cpus: 1
- memory_mib: 1024
- image_size_gib: 4
- autostart: true
diff --git a/vmadm/stamina/obnam-dev.yaml b/vmadm/stamina/obnam-dev.yaml
index 26d597b..96dae0c 100644
--- a/vmadm/stamina/obnam-dev.yaml
+++ b/vmadm/stamina/obnam-dev.yaml
@@ -1,4 +1,4 @@
obnam-dev:
- cpus: 30
- memory_mib: 65535
+ cpus: 16
+ memory_mib: 16384
image_size_gib: 100
diff --git a/vmadm/stamina/openpgp-ca-dev.yaml b/vmadm/stamina/openpgp-ca-dev.yaml
deleted file mode 100644
index 237b99c..0000000
--- a/vmadm/stamina/openpgp-ca-dev.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-openpgp-ca-dev:
- cpus: 30
- memory_mib: 65535
- image_size_gib: 100
diff --git a/vmadm/stamina/openpgp-card-dev.yaml b/vmadm/stamina/openpgp-card-dev.yaml
deleted file mode 100644
index f151f53..0000000
--- a/vmadm/stamina/openpgp-card-dev.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-openpgp-card-dev:
- cpus: 30
- memory_mib: 65535
- image_size_gib: 100
diff --git a/vmadm/stamina/radicle-dev.yaml b/vmadm/stamina/radicle-dev.yaml
new file mode 100644
index 0000000..c073431
--- /dev/null
+++ b/vmadm/stamina/radicle-dev.yaml
@@ -0,0 +1,4 @@
+radicle-dev:
+ cpus: 8
+ memory_mib: 8192
+ image_size_gib: 100
diff --git a/vmadm/stamina/radicle-multi.yaml b/vmadm/stamina/radicle-multi.yaml
new file mode 100644
index 0000000..03e36f6
--- /dev/null
+++ b/vmadm/stamina/radicle-multi.yaml
@@ -0,0 +1,4 @@
+radicle-multi:
+ cpus: 20
+ memory_mib: 32768
+ image_size_gib: 200
diff --git a/vmadm/stamina/radicle-other-node.yaml b/vmadm/stamina/radicle-other-node.yaml
new file mode 100644
index 0000000..73073e7
--- /dev/null
+++ b/vmadm/stamina/radicle-other-node.yaml
@@ -0,0 +1,4 @@
+radicle-other-node:
+ cpus: 2
+ memory_mib: 2048
+ image_size_gib: 20
diff --git a/vmadm/stamina/rikiwiki-dev.yaml b/vmadm/stamina/rikiwiki-dev.yaml
deleted file mode 100644
index 5060a37..0000000
--- a/vmadm/stamina/rikiwiki-dev.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-rikiwiki-dev:
- cpus: 30
- memory_mib: 65535
- image_size_gib: 100
diff --git a/vmadm/stamina/rust-dev.yaml b/vmadm/stamina/rust-dev.yaml
index f700290..6572862 100644
--- a/vmadm/stamina/rust-dev.yaml
+++ b/vmadm/stamina/rust-dev.yaml
@@ -1,4 +1,4 @@
rust-dev:
- cpus: 16
- memory_mib: 65535
+ cpus: 8
+ memory_mib: 16384
image_size_gib: 100
diff --git a/vmadm/stamina/sequoia-dev.yaml b/vmadm/stamina/sequoia-dev.yaml
deleted file mode 100644
index 5a1a856..0000000
--- a/vmadm/stamina/sequoia-dev.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-sequoia-dev:
- cpus: 30
- memory_mib: 65535
- image_size_gib: 100
diff --git a/vmadm/stamina/subplot-dev.yaml b/vmadm/stamina/subplot-dev.yaml
index 605d7f3..191b878 100644
--- a/vmadm/stamina/subplot-dev.yaml
+++ b/vmadm/stamina/subplot-dev.yaml
@@ -1,4 +1,4 @@
subplot-dev:
- cpus: 30
- memory_mib: 65535
+ cpus: 8
+ memory_mib: 8192
image_size_gib: 100
diff --git a/vmadm/stamina/vmadm-dev.yaml b/vmadm/stamina/vmadm-dev.yaml
deleted file mode 100644
index b75b70c..0000000
--- a/vmadm/stamina/vmadm-dev.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-vmadm-dev:
- cpus: 30
- memory_mib: 65536
- image_size_gib: 100
diff --git a/vmadm/stamina/workera.yaml b/vmadm/stamina/workera.yaml
deleted file mode 100644
index c49eee3..0000000
--- a/vmadm/stamina/workera.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-workera:
- base: ~/base-images/buster.qcow2
- cpus: 8
- memory_mib: 16384
- image_size_gib: 100
- autostart: true