-rw-r--r-- | ansible/exolobe2.yml | 8 | ||||
-rw-r--r-- | ansible/holywood2.yml | 15 | ||||
-rw-r--r-- | ansible/roles/comfortable-debian-system/tasks/main.yml | 6 | ||||
-rwxr-xr-x | ansible/roles/holywood2/files/borg-all | 17 | ||||
-rwxr-xr-x | ansible/roles/holywood2/files/run-borg | 22 | ||||
-rw-r--r-- | ansible/roles/holywood2/tasks/main.yml | 24 | ||||
-rw-r--r-- | ansible/roles/smarthost-client/handlers/main.yml | 2 | ||||
-rw-r--r-- | ansible/roles/smarthost-client/tasks/main.yml | 31 | ||||
-rw-r--r-- | ansible/roles/smarthost-client/templates/main.cf | 46 | ||||
-rw-r--r-- | ansible/roles/smarthost-client/templates/sasl_passwd | 1 | ||||
-rw-r--r-- | ansible/roles/version-controller/tasks/main.yml | 16 |
11 files changed, 178 insertions, 10 deletions
diff --git a/ansible/exolobe2.yml b/ansible/exolobe2.yml index 1d305a2..ef0bbfa 100644 --- a/ansible/exolobe2.yml +++ b/ansible/exolobe2.yml @@ -9,12 +9,11 @@ - emacs - vmhost - storage_system + - smarthost-client vars: hostname: exolobe2 debian_codename: stretch - mailname: exolobe2.liw.fi - unix_users: - username: liw comment: Lars Wirzenius @@ -22,3 +21,8 @@ authorized_keys: | {{ liw_ssh_pub }} + mailname: exolobe2.liw.fi + relayhost: pieni.net:587 + smarthost: pieni.net + smarthost_user: pienirelay + smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}" diff --git a/ansible/holywood2.yml b/ansible/holywood2.yml index 1861587..4b06aa4 100644 --- a/ansible/holywood2.yml +++ b/ansible/holywood2.yml @@ -8,12 +8,20 @@ - unix_users - apache_server - holywood2 + - smarthost-client - self-updating-system vars: hostname: holywood2 debian_codename: stretch debian_mirror: deb.debian.org debian_mirror_src: deb.debian.org + + mailname: holywood2.liw.fi + relayhost: pieni.net:587 + smarthost: pieni.net + smarthost_user: pienirelay + smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}" + letsencrypt: no unix_users: - username: liw @@ -24,3 +32,10 @@ - username: root ssh_key: "{{ lookup('pipe', 'pass show root_at_holywood2_ssh_key') }}" ssh_key_pub: "{{ root_at_holywood2_ssh_key_pub }}" + + sources_lists: + - repo: deb http://deb.debian.org/debian stretch main contrib non-free + - repo: deb http://deb.debian.org/debian stretch-backports main contrib non-free + - repo: deb http://code.liw.fi/debian stretch main + signing_key: "{{ code_liw_fi_signing_key }}" + keyring_package: code.liw.fi-keyring diff --git a/ansible/roles/comfortable-debian-system/tasks/main.yml b/ansible/roles/comfortable-debian-system/tasks/main.yml index f5bdcec..bf1a738 100644 --- a/ansible/roles/comfortable-debian-system/tasks/main.yml +++ b/ansible/roles/comfortable-debian-system/tasks/main.yml 
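Review bot: `relayhost: pieni.net:587` in the second exolobe2.yml hunk has no brackets, so Postfix resolves MX records for pieni.net instead of connecting to that host directly; for a fixed smarthost the usual spelling is `relayhost: "[pieni.net]:587"`. The holywood2.yml hunk sets the same value. The whole mailname/relayhost/smarthost/smarthost_user/smarthost_password block is repeated verbatim in both host files, so a single group_vars entry for the hosts that carry the smarthost-client role would keep the relay configuration in one place. The `pass show` pipe lookup runs on the controller every play run, which is fine, but the result then lives in hostvars for the duration of the play and shows up in any task that dumps them.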
@@ -14,3 +14,9 @@ - apt-file - dnsutils +- name: "remove uncomfortable stuff" + apt: + name: "{{ item }}" + state: absent + with_items: + - bash-completion diff --git a/ansible/roles/holywood2/files/borg-all b/ansible/roles/holywood2/files/borg-all new file mode 100755 index 0000000..bbc982a --- /dev/null +++ b/ansible/roles/holywood2/files/borg-all @@ -0,0 +1,17 @@ +#!/bin/sh + +ts="$(date +%Y-%m-%dT%H:%M:%S)" + +echo "Backing up /mnt/soile" +./run-borg willikins /mnt/backups/borg create -p --stats ::"soile-$ts)" /mnt/soile/ + +echo "Backing up /mnt/media" +./run-borg willikins /mnt/backups/borg create -p --stats ::"media-$ts)" /mnt/media/ + +echo "Backing up /mnt/liw-backups" +./run-borg willikins /mnt/backups/borg create -p --stats ::"liw-$ts)" /mnt/liw-backups/ + +echo "Pruning" +./run-borg willikins /mnt/backups/borg prune --keep-with 100d + +echo "Backup finished" diff --git a/ansible/roles/holywood2/files/run-borg b/ansible/roles/holywood2/files/run-borg new file mode 100755 index 0000000..7225a94 --- /dev/null +++ b/ansible/roles/holywood2/files/run-borg @@ -0,0 +1,22 @@ +#!/bin/sh + +set -eu + +hostname="$(hostname)" +target="$1" +export targetdir="$2" +shift 2 + +export BORG_REPO="$target:$targetdir" +export BORG_PASSCOMMAND="cat /etc/borg-passphrase" + +if borg init --encryption=repokey +then + borg upgrade --disable-tam +fi + +DATE="$(date +%Y-%m-%dT%H%M%S)" + +echo borg "$@" +borg "$@" +echo borg finished diff --git a/ansible/roles/holywood2/tasks/main.yml b/ansible/roles/holywood2/tasks/main.yml index fbd5224..a6a7171 100644 --- a/ansible/roles/holywood2/tasks/main.yml +++ b/ansible/roles/holywood2/tasks/main.yml 
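Review bot: The three `create` lines in borg-all carry a stray `)` inside the archive name — `::"soile-$ts)"` creates an archive whose name literally ends in `)`; the line should read `./run-borg willikins /mnt/backups/borg create -p --stats ::"soile-$ts" /mnt/soile/`, and likewise for media and liw. The script has no `set -e`, so a failed create does not stop the later `prune`, and `./run-borg` is relative to the current directory, so an invocation from cron or any cwd other than /root fails on the first backup; `/root/run-borg` (the path the tasks hunk installs to) is safer. `--keep-with` is presumably accepted as an argparse abbreviation of `--keep-within`, but spelling out `--keep-within 100d` makes the intent clear.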
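Review bot: `borg upgrade --disable-tam` in run-borg, executed right after a successful `borg init`, turns off the tamper-evident manifest on a repository that was just created with it; TAM is what lets this client notice a manifest that was altered on the repository host, so unless there is a known incompatibility with the borg on either side the line should go. Running `borg init` on every invocation relies on init failing whenever the repository already exists; `borg info >/dev/null 2>&1 || borg init --encryption=repokey` states that intent explicitly and does not mask other init failures behind the `if`. `hostname` and `DATE` are assigned and never read.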
@@ -22,3 +22,27 @@ owner: root group: root mode: 0644 + +- name: install borg + apt: + name: borgbackup + default_release: stretch-backports + +- name: install borg scripting + copy: + src: "{{ item }}" + dest: /root + owner: root + group: root + mode: 0755 + with_items: + - run-borg + - borg-all + +- name: install borg passphrase + copy: + content: "{{ lookup('pipe', 'pass borg/holywood2-to-willikins') }}" + dest: /etc/borg-passphrase + owner: root + group: root + mode: 0600 diff --git a/ansible/roles/smarthost-client/handlers/main.yml b/ansible/roles/smarthost-client/handlers/main.yml new file mode 100644 index 0000000..6cdc4d4 --- /dev/null +++ b/ansible/roles/smarthost-client/handlers/main.yml @@ -0,0 +1,2 @@ +- name: restart postfix + service: name=postfix state=restarted diff --git a/ansible/roles/smarthost-client/tasks/main.yml b/ansible/roles/smarthost-client/tasks/main.yml new file mode 100644 index 0000000..899f736 --- /dev/null +++ b/ansible/roles/smarthost-client/tasks/main.yml @@ -0,0 +1,31 @@ +# A mail client needs to send mail. I prefer to send via a local MTA, +# which routes things out via a smarthost. + +- name: install postfix + apt: name=postfix + +- name: configure postfix + template: + src: main.cf + dest: /etc/postfix/main.cf + notify: restart postfix + +- name: set mailname + copy: + content: "{{ mailname }}\n" + dest: /etc/mailname + owner: root + group: root + mode: 0644 + +# Set up the smarthost relay credentials. + +- name: set smarthost relay credentials + template: + src: sasl_passwd + dest: /etc/postfix/sasl_passwd + mode: 0600 + +- name: postmap relay credentials + shell: | + postmap /etc/postfix/sasl_passwd diff --git a/ansible/roles/smarthost-client/templates/main.cf b/ansible/roles/smarthost-client/templates/main.cf new file mode 100644 index 0000000..2c026ad --- /dev/null +++ b/ansible/roles/smarthost-client/templates/main.cf 
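Review bot: The `install borg passphrase` task renders a secret from `pass` into `content:` without `no_log: true`, so a `-v` or `--diff` run prints the passphrase to the console and to whatever collects the play output; add `no_log: true` to that task. The `mode:` values are unquoted octals (`0755`, `0600`), which YAML 1.1 reads as integers 493 and 384 — Ansible copes with the leading-zero form, but `mode: "0600"` is the documented, unambiguous spelling. The same unquoted modes and the same missing `no_log` on the `set smarthost relay credentials` template task appear in the smarthost-client tasks hunk.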
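Review bot: The `postmap relay credentials` shell task in the smarthost-client tasks hunk runs on every play and always reports changed, and nothing reloads Postfix when only the credentials change; make `postmap /etc/postfix/sasl_passwd` a handler notified by the template task (alongside `restart postfix`), or at least add `changed_when: false`. It is also worth checking that the `sasl_passwd.db` that postmap writes ends up 0600 like its source, since the template only sets the mode on the text file. Style: `apt: name=postfix` here and `service: name=postfix state=restarted` in the handlers hunk use key=value argument strings while the rest of the role uses block YAML (`apt:` / `name: postfix`).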
@@ -0,0 +1,46 @@ +# See /usr/share/postfix/main.cf.dist for a commented, more complete version + + +# Debian specific: Specifying a file name will cause the first +# line of that file to be used as the name. The Debian default +# is /etc/mailname. +#myorigin = /etc/mailname + +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no + +# appending .domain is the MUA's job. +append_dot_mydomain = no + +# Uncomment the next line to generate "delayed mail" warnings +#delay_warning_time = 4h + +readme_directory = no + +# TLS parameters +smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem +smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key +smtpd_use_tls=yes +smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache + +# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for +# information on enabling SSL in the smtp client. + +smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination +myhostname = {{ mailname }} +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +myorigin = /etc/mailname +mydestination = {{ mailname }}, {{ hostname }}, localhost.localdomain, localhost +relayhost = {{ relayhost }} +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 +mailbox_command = procmail -a "$EXTENSION" +mailbox_size_limit = 0 +recipient_delimiter = + +inet_interfaces = 127.0.0.1 +smtp_sasl_auth_enable = yes +smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd +smtp_sasl_security_options = noanonymous +smtp_use_tls = yes +smtp_tls_note_starttls_offer = yes diff --git a/ansible/roles/smarthost-client/templates/sasl_passwd b/ansible/roles/smarthost-client/templates/sasl_passwd new file mode 100644 index 0000000..da722f6 --- /dev/null +++ b/ansible/roles/smarthost-client/templates/sasl_passwd @@ -0,0 +1 @@ +{{ smarthost }} {{ smarthost_user }}:{{ smarthost_password }} 
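Review bot: `smtp_use_tls = yes` near the end of main.cf is only opportunistic: if the relay (or something on the path) does not offer STARTTLS, Postfix delivers in the clear and, with `smtp_sasl_security_options = noanonymous`, still sends the relay credentials with a plaintext mechanism. Replace the obsolete parameter with `smtp_tls_security_level = encrypt`, and set `smtp_sasl_security_options = noplaintext, noanonymous` together with `smtp_sasl_tls_security_options = noanonymous` so the password is only ever sent inside TLS. Pointing `smtp_tls_CAfile` at the system CA bundle and using level `secure` additionally verifies the relay's certificate. `smtpd_use_tls=yes` on the inbound side is the same obsolete form (`smtpd_tls_security_level = may`), though with `inet_interfaces = 127.0.0.1` that only concerns local clients.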
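Review bot: The sasl_passwd map key is `{{ smarthost }}` (pieni.net) while main.cf's `relayhost` is `{{ relayhost }}` (pieni.net:587); Postfix looks the password up first by the next-hop exactly as written in relayhost and only then by the hostname of the server it connected to, so this entry is found only if the host Postfix actually reaches is named pieni.net. Keying the map by the same variable, `{{ relayhost }} {{ smarthost_user }}:{{ smarthost_password }}`, removes that dependency, and the separate `smarthost` variable in both host files becomes redundant.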
diff --git a/ansible/roles/version-controller/tasks/main.yml b/ansible/roles/version-controller/tasks/main.yml index 609a64c..a2d9b02 100644 --- a/ansible/roles/version-controller/tasks/main.yml +++ b/ansible/roles/version-controller/tasks/main.yml @@ -1,8 +1,8 @@ -- name: install git - apt: name=git - -- name: install mr - apt: name=mr - -- name: install colordiff - apt: name=colordiff +- name: "install version control tools" + apt: + name: "{{ item }}" + with_items: + - git + - git-annex + - mr + - colordiff |