Diffstat (limited to 'ansible')
-rwxr-xr-xansible/all.sh10
-rw-r--r--ansible/ambient-driver.yml103
-rw-r--r--ansible/exolobe1.yml1
-rw-r--r--ansible/finntroll.liw.fi.yml205
-rw-r--r--ansible/hosts5
-rw-r--r--ansible/kea.yml69
-rw-r--r--ansible/monorepo.liw.fi.yml32
-rw-r--r--ansible/radicle-dev.yml21
-rw-r--r--ansible/radicle.liw.fi.yml10
-rw-r--r--ansible/roles/gnome-system/tasks/main.yml15
-rw-r--r--ansible/roles/gnupg-workstation/tasks/main.yml2
-rw-r--r--ansible/roles/mail-server/files/virtual3
-rw-r--r--ansible/roles/rust-rustup/tasks/main.yml2
-rw-r--r--ansible/solace.yml1
-rwxr-xr-xansible/stamina-vms.sh7
-rw-r--r--ansible/texlive.yml3
-rw-r--r--ansible/tursas.yml248
-rw-r--r--ansible/wumpus.yml165
18 files changed, 815 insertions, 87 deletions
diff --git a/ansible/all.sh b/ansible/all.sh
index eff3a72..3fbb709 100755
--- a/ansible/all.sh
+++ b/ansible/all.sh
@@ -11,7 +11,9 @@ online() {
}
maybe_run_playbook() {
- if newer "$1.yml" "$1.stamp" && online "$1"; then
+ if ! online "$1"; then
+ echo "UNAVALABLE $1"
+ elif newer "$1.yml" "$1.stamp"; then
echo "$1"
./run-playbook "$1.yml"
touch "$1.stamp"
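Review bot: The message in the new branch misspells the word; it should read `echo "UNAVAILABLE $1"`. Leaving the stamp untouched when the host is offline means the playbook is retried on the next pass, which is the right behaviour but not obvious from the branch shape, so a one-line comment such as `# offline hosts keep their stale stamp and are retried next run` above the `elif` would save the next reader re-deriving it. The closing lines of maybe_run_playbook are outside this hunk.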
@@ -20,17 +22,17 @@ maybe_run_playbook() {
fi
}
+maybe_run_playbook tursas
maybe_run_playbook solace
maybe_run_playbook exolobe1
maybe_run_playbook exolobe2
maybe_run_playbook stamina
maybe_run_playbook holywood2
maybe_run_playbook atuin.liw.fi
-maybe_run_playbook mirror-git
+#maybe_run_playbook mirror-git
maybe_run_playbook git.liw.fi
maybe_run_playbook apt.liw.fi
maybe_run_playbook http.liw.fi
maybe_run_playbook irc.liw.fi
maybe_run_playbook shell-shell.vm.liw.fi
-maybe_run_playbook qotom
-maybe_run_playbook radicle.liw.fi
+maybe_run_playbook finntroll.liw.fi
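Review bot: `mirror-git` is disabled by commenting it out with no reason recorded, while `qotom` and `radicle.liw.fi` are removed outright, so a reader cannot tell which of the three are retired hosts and which is a temporary exclusion. Either record the reason inline, `#maybe_run_playbook mirror-git  # disabled: <why>`, or delete the line as was done for the other two. Dropping radicle.liw.fi here looks deliberate given the guard role added to its playbook in this same commit.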
diff --git a/ansible/ambient-driver.yml b/ansible/ambient-driver.yml
new file mode 100644
index 0000000..6abdde7
--- /dev/null
+++ b/ansible/ambient-driver.yml
@@ -0,0 +1,103 @@
+- hosts: ambient-driver
+ remote_user: debian
+ become: yes
+ roles:
+ - role: sane_debian_system
+ - role: sshd
+ - role: comfortable-debian-system
+ - role: unix_users
+ - role: liw
+ - role: rust-rustup
+ tasks:
+ - apt:
+ name:
+ - ambient-driver
+ - build-essential
+ - cpu-checker
+ - dput
+ - qemu-system-x86
+ - qemu-utils
+ - file:
+ state: directory
+ path: /home/liw/.config/ambient-driver
+ owner: liw
+ group: liw
+ - file:
+ state: directory
+ path: /home/liw/images
+ owner: liw
+ group: liw
+ - copy:
+ content: |
+ tmpdir: /tmp
+ log: ~/log
+ run_ci: /usr/bin/run-ci
+ cpus: 12
+ memory: 25769803776
+ cache_max_size: 536870912000
+ dput_target: apt.liw.fi
+ dest: /home/liw/.config/ambient-driver/config.yaml
+ - copy:
+ content: |
+ [apt.liw.fi]
+ login = incoming
+ fqdn = apt.liw.fi
+ method = scp
+ incoming = /srv/apt/incoming
+ allow_unsigned_uploads = 1
+ check_version = 0
+ run_dinstall = 0
+ dest: /home/liw/.dput.cf
+ owner: liw
+ group: liw
+ - copy:
+ content: |
+ {{ lookup('pipe', 'pass ambient-driver-apt/key') }}
+ dest: /home/liw/.ssh/id_ed25519
+ owner: liw
+ group: liw
+ mode: 0600
+ - copy:
+ content: |
+ {{ lookup('pipe', 'pass ambient-driver-apt/key.pub') }}
+ dest: /home/liw/.ssh/id_ed25519.pub
+ owner: liw
+ group: liw
+ - copy:
+ content: |
+ ssh-ed25519-cert-v01@openssh.com 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 liw@tursas
+ dest: /home/liw/.ssh/id_ed25519-cert.pub
+ owner: liw
+ group: liw
+ - copy:
+ content: |
+ Host *
+ IdentityFile ~/.ssh/id_ed25519
+ PasswordAuthentication no
+ IdentitiesOnly yes
+ dest: /home/liw/.ssh/config
+ owner: liw
+ group: liw
+ vars:
+ ansible_python_interpreter: python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
+
+ timezone: Europe/Helsinki
+
+ unix_users_version: 2
+ unix_users:
+ - username: liw
+ comment: Lars Wirzenius
+ groups:
+ - kvm
+ sudo: yes
+
+ sane_debian_system_sources_lists:
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
+
+ sshd_version: 1
+
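Review bot: The task writing `/home/liw/.ssh/id_ed25519` renders the private key from `pass` into `content:`, and without `no_log: true` the key is printed in `--diff`/verbose play output and in any callback log; add `no_log: true` to that task and quote the mode as `mode: "0600"` so Ansible receives a string rather than a YAML 1.1 octal integer. Nothing in this playbook creates `/home/liw/.ssh` itself and `copy` does not create parent directories, so unless the `liw` role does it the first run fails on the key copy; a `file: state: directory` task with `mode: "0700"` before the key tasks would make that explicit. Note also that `.dput.cf` sets `allow_unsigned_uploads = 1`, so authorisation of uploads to apt.liw.fi rests entirely on this SSH key and its certificate, which is worth stating in a comment next to it.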
diff --git a/ansible/exolobe1.yml b/ansible/exolobe1.yml
index 7243064..4ff1648 100644
--- a/ansible/exolobe1.yml
+++ b/ansible/exolobe1.yml
@@ -261,7 +261,6 @@
sshd_version: 1
rustup_cargo_install: |
- starship \
cargo-cache \
pikchr-cli \
bottom
diff --git a/ansible/finntroll.liw.fi.yml b/ansible/finntroll.liw.fi.yml
new file mode 100644
index 0000000..ffcc3e5
--- /dev/null
+++ b/ansible/finntroll.liw.fi.yml
@@ -0,0 +1,205 @@
+- hosts: finntroll.liw.fi
+ remote_user: root
+ roles:
+ - sshd
+ - sane_debian_system
+ - self-updating-system
+ - comfortable-debian-system
+ - unix_users
+ - rust-rustup
+ - radicle_node
+ tasks:
+ - name: "install additional packages"
+ apt:
+ name:
+ - jq
+ - moreutils
+ - nmap
+ - psmisc
+ - ripgrep
+ - sqlite3
+ - wumpus-hunter
+
+ - name: "create directory for wumpus files"
+ file:
+ state: directory
+ path: /srv/wumpus
+ owner: wumpus
+ group: wumpus
+
+ - name: "create directory for temporary wumpus files"
+ file:
+ state: directory
+ path: /srv/tmp
+ owner: wumpus
+ group: wumpus
+
+ - name: "install wumpus hunter config"
+ copy:
+ content: |
+ description: |
+ Results of running the Radicle heartwood tests
+ repeatedly. Report number of successful and fail test
+ runs per commit. Keep logs of each test run for each
+ commit.
+ repository_url: https://seed.radicle.xyz/z3gqcJUoA1n9HaHKufZs5FCSGazv5.git
+ git_ref: master
+ command: |
+ cargo test --locked --workspace
+ dest: /home/wumpus/wumpus.yaml
+ owner: wumpus
+ group: wumpus
+
+ - name: "install service unit for wumpus hunter"
+ copy:
+ content: |
+ [Unit]
+ Description=Wumpus hunter
+ After=network.target network-online.target
+ Requires=network-online.target
+
+ [Service]
+ User=wumpus
+ Group=wumpus
+ ExecStart=/usr/bin/wumpus-hunter run --logs /srv/wumpus /home/wumpus/wumpus.yaml
+ Environment=RUST_BACKTRACE=1 WUMPUS_LOG=info PATH=/home/wumpus/.cargo/bin:/bin:/sbin TMPDIR=/srv/tmp
+ KillMode=process
+ Restart=always
+ RestartSec=3
+
+ [Install]
+ WantedBy=multi-user.target
+ dest: /etc/systemd/system/wumpus-hunter.service
+
+ - name: "(re)start systemd unit for Radicle node"
+ systemd:
+ name: wumpus-hunter
+ state: restarted
+ masked: no
+ enabled: yes
+ daemon_reload: yes
+
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: finntroll
+ sane_debian_system_codename: bookworm
+ sane_debian_system_timezone: Europe/Helsinki
+ sane_debian_system_sources_lists:
+ - repo: |
+ deb http://security.debian.org/debian-security bookworm-security main contrib non-free
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
+
+ unix_users_version: 2
+ unix_users:
+ - username: liw
+ comment: Lars Wirzenius
+ - username: _rad
+ comment: Radicle node
+ - username: wumpus
+ comment: Wumpus hunter
+
+ sshd_version: 1
+ sshd_host_key: "{{ lookup('pipe', 'sshca host private-key finntroll.liw.fi') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 finntroll.liw.fi') }}"
+ sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"
+
+ radicle_node_version: 1
+ radicle_node_key: "{{ lookup('pipe', 'pass radicle/radicle.liw.fi/key') }}"
+ radicle_node_key_pub: "{{ lookup('pipe', 'pass radicle/radicle.liw.fi/key.pub') }}"
+ # radicle_node_connections:
+ # - nid: z6MkhfTshN2uPFBGcxBsZW7Mbof1TgkphBqr5dFTWd1hbNUq
+ # host: seed.liw.fi
+ # port: 8776
+ radicle_node_repositories:
+ # Radicle work
+ - rid: "rad:z3gqcJUoA1n9HaHKufZs5FCSGazv5" # heartwood
+ - rid: "rad:zZnk3hS8C3WAhnv7mWcCUToCqpBs" # pathdedup test repo
+ - rid: "rad:zwTxygwuz5LDGBq255RA2CbNGrz8" # radicle-ci-broker
+ - rid: "rad:z3qg5TKmN83afz2fj9z3fQjU8vaYE" # radicle-native-ci
+ - rid: "rad:z2HXqzZMRhZUiYm33pLgYfqBgcGCj" # radicle-stress-test
+ - rid: "rad:zd4kAF7rQFKbCHAdbcF6zVkx8MyN" # wumpus hunter
+
+ # Personal, Subplot
+ - rid: "rad:zjxyd2A1A7FnxtC69qDfoAajfTHo" # subplot
+ - rid: "rad:z2M6WnwXyFcdQNj6M5pav3BnyTBfz" # subplot-web
+
+ # Personal, Obnam
+ - rid: "rad:zhmWact4xuWp1XSwPER79oPUGW9S" # cachedir
+ - rid: "rad:z2iicxsVP46kyA7rzFXrQHrk88cAo" # obnam2
+ - rid: "rad:z2aq8B4ui77q8msEtUaGYXeSwNYuc" # obnam-web
+ - rid: "rad:z3ZFpLzEYTmjzDqSTxf2bZchktBH1" # obnam-benchmark
+ - rid: "rad:z2bB6gdePNQ9jyMK487mu4CraYewX" # obnam-benchmark-results
+ - rid: "rad:z3NGfAXUfSehZbf8f6VGad9KHCrb5" # obnam-benchmark-specs
+ - rid: "rad:z3cL5uBuhFK5FWkc5RYecAoBXNz8d" # summain
+
+ # Personal, other
+ - rid: "rad:z4AmsrmyEsdZWh9KLSRbReDM9nnbe" # 256.liw.fi
+ - rid: "rad:z3sckw1Xm8j5URDJz1zeESHfFYDEc" # ansibleness
+ - rid: "rad:z2aW1bujxH96GsWdKBcFqDpzSNnUS" # clab
+ - rid: "rad:z3LXXus6Wu93LuSuuuSBPcFkDiyCW" # debian-ansible
+ - rid: "rad:z355dPnbvpPxC3FoT38pjs9AzspQB" # early-linux-history-talk
+ - rid: "rad:z3pQaQ5fBe9CZY9g9vzXLWPEnwXVB" # extrautils
+ - rid: "rad:zN4j1nt4y1xtoz9Tat6asyfJDyc2" # gtdfh
+ - rid: "rad:z2i9UF8soK1X6L9hae8UcQPSvdHjW" # html-page
+ - rid: "rad:z2wZYvawkpUTnfrCL5iHaufpCdXyk" # jt
+ - rid: "rad:zUcMk9QpMdyty6tABQ6Cje21xAro" # liw-automation
+ - rid: "rad:z4Az1APNZyfFVkTzneyfq6SBPKqtV" # linux-news
+ - rid: "rad:z2xcsrnG8dC76bkxXsASZbWGH5N2w" # liw-dot-files
+ - rid: "rad:z3PKKNstRjLYqhvGq9rxGy7LoEVr5" # missing-dependencies
+ - rid: "rad:z2tnM99uips8nguhcg12hLX5yC3t7" # pandoc-filter-diagram
+ - rid: "rad:z3uBEubocQ9kJANPvMAo6z5ZhhaFh" # pathdedup (real)
+ - rid: "rad:zRGTo2HYeSsNojTQg93anVtn5Gcw" # puomi
+ - rid: "rad:z3GDoHhm4t58pciEoXZBPA76Qtzqz" # puomi-web
+ - rid: "rad:zw9BgStPgCkdsMspzs7EGbwnXq3r" # riki
+ - rid: "rad:z2oUkTnZgqvEER9WZdZLU19rqv7rX" # riki-web
+ - rid: "rad:z4PiGKYWcz3XPzLf91DAgSHxjNvg8" # roadmap
+ - rid: "rad:z24MZ7A64C7c9MmcNfR2X7GtQUk14" # sshca
+ - rid: "rad:z2S7Wn8ZWBKQUQkUNikpZiuFFJZDv" # sshca-web
+ - rid: "rad:zgYpM7b29D6wTMjEUxxzBjcF9EvK" # unpack-debian-sources
+ - rid: "rad:z37yxMDoGWhErwFt55n4jDCiQwxLm" # v-i
+ - rid: "rad:z4DNcHPHUoCytkihDY4vDp4KvGxh3" # v-i-web
+ - rid: "rad:z3U5PDwEqz64be8vfqEyyj2rkfd1s" # vmadm
+ - rid: "rad:z2qboj3zYdhQBKo8yGxMfwvhj7HfN" # vmadm-web
+ - rid: "rad:z2kxCtBwDQMPcaf9vGTNH5nYkp9qk" # vmdb2
+ - rid: "rad:z2mn6wzpVAuJoeWx7TZo33nCHuDfQ" # vmdb2-web
+ radicle_node_domain_name: radicle.liw.fi
+ radicle_node_ci_domain_name: ci.radicle.liw.fi
+ radicle_node_ci_broker_config: |
+ db: /home/_rad/ci-broker.db
+ report_dir: /srv/http
+ default_adapter: native
+ adapters:
+ native:
+ command: /bin/radicle-native-ci
+ env:
+ RADICLE_NATIVE_CI: /home/_rad/native-ci.yaml
+ sensitive_env: {}
+ filters:
+ - !Or
+ - !And
+ - !Repository "rad:zZnk3hS8C3WAhnv7mWcCUToCqpBs" # pathdeup-messy-test-repo
+ - !AnyPatch
+ - !And
+ - !Repository "rad:z3gqcJUoA1n9HaHKufZs5FCSGazv5" # heartwood
+ - !AnyPatch
+ - !And
+ - !Repository "rad:zwTxygwuz5LDGBq255RA2CbNGrz8" # radicle-ci-broker
+ - !Or
+ - !Branch main
+ - !AnyPatch
+ - !And
+ - !Repository "rad:z3qg5TKmN83afz2fj9z3fQjU8vaYE" # radicle-native-ci
+ - !Or
+ - !Branch main
+ - !AnyPatch
+ radicle_node_policy: block
+ radicle_node_scope: all
+
+ radicle_node_wumpus_domain_name: wumpus.liw.fi
+
+ # radicle_node_backup: /home/liw/data/radicle.liw.fi/.
+
+ rust_rustup_user: _rad
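Review bot: The `wumpus-hunter` unit runs `cargo test` on code fetched from a third-party repository (heartwood `master`) as the `wumpus` user with no systemd confinement, so a malicious build script or test gets an unrestricted process on the same host that runs the Radicle node and CI broker; at minimum `NoNewPrivileges`, `ProtectSystem=strict` with explicit `ReadWritePaths`, and `PrivateDevices` belong in `[Service]` (rewritten section below). The unit's `PATH` points at `/home/wumpus/.cargo/bin`, but `rust_rustup_user` is `_rad`, so unless cargo is provisioned for `wumpus` elsewhere the service will not find it. The restart task named "(re)start systemd unit for Radicle node" is mislabelled — it restarts wumpus-hunter — and should read `name: "(re)start systemd unit for wumpus hunter"`.

```yaml
          [Service]
          User=wumpus
          Group=wumpus
          # … unchanged: ExecStart, Environment …
          # Test runs execute code fetched from a third-party repository; confine what it can reach.
          NoNewPrivileges=yes
          ProtectSystem=strict
          ReadWritePaths=/srv/wumpus /srv/tmp /home/wumpus
          PrivateDevices=yes
          ProtectKernelTunables=yes
          # … unchanged: KillMode, Restart, RestartSec …
```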
diff --git a/ansible/hosts b/ansible/hosts
index ad57af3..828a9d4 100644
--- a/ansible/hosts
+++ b/ansible/hosts
@@ -9,6 +9,7 @@ texlive
[dev]
aptrepo
ambient-dev
+ambient-driver
debian-ansible-dev
icktool
obnam-bench
@@ -27,6 +28,7 @@ v-i-dev
vmadm-dev
vmdb2-dev
vmdb2-dev-sid
+wumpus
[toys]
billion
@@ -46,11 +48,12 @@ x220
kea
qotom
solace
-upliw0
+tursas
[remote]
apt.liw.fi
atuin ansible_ssh_host=atuin.liw.fi
+finntroll.liw.fi
nalanda ansible_ssh_host=nalanda.liw.fi
gregvm ansible_ssh_host=78.46.87.152
git.liw.fi
diff --git a/ansible/kea.yml b/ansible/kea.yml
index 8841b9b..b21f6be 100644
--- a/ansible/kea.yml
+++ b/ansible/kea.yml
@@ -3,74 +3,35 @@
become: no
roles:
- role: sane_debian_system
- tags: [sane]
- comfortable-debian-system
- - gnome-system
- - mail-client
- intel-wifi
- - self-updating-system
- ssd
+ - sshd
- unix_users
- tasks:
- - lineinfile:
- path: /etc/gdm3/daemon.conf
- regex: WaylandEnable
- line: WaylandEnable=false
- - apt:
- name:
- - flatpak
- - gnome-software-plugin-flatpak
- - cups
- - nfs-common
- - ufw
- - apt:
- deb: https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
- - shell:
- flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
- - ufw:
- state: enabled
- policy: deny
- - ufw:
- port: ssh
- rule: allow
+ - puomi
vars:
ansible_python_interpreter: /usr/bin/python3
sane_debian_system_version: 2
- sane_debian_system_hostname: kea
- sane_debian_system_codename: bullseye
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
sane_debian_system_timezone: Europe/Helsinki
sane_debian_system_sources_lists:
- repo: |
- deb http://deb.debian.org/debian bullseye contrib non-free
+ deb http://deb.debian.org/debian bookworm contrib non-free
- repo: |
- deb-src http://deb.debian.org/debian bullseye main contrib non-free
-
- - repo: |
- deb http://security.debian.org/debian-security bullseye-security main contrib non-free
+ deb http://security.debian.org/debian-security bookworm-security main contrib non-free
unix_users_version: 2
unix_users:
- - username: soile
- comment: Soile Mottisenkangas
- groups:
- - audio
- - bluetooth
- - cdrom
- - dialout
- - dip
- - floppy
- - netdev
- - plugdev
- - scanner
- - video
- authorized_keys: |
- {{ liw_personal_ssh_pub }}
+ - username: liw
+ comment: Lars Wirzenius
+
+ sshd_version: 1
+ sshd_host_key: "{{ lookup('pipe', 'sshca host private-key kea') }}"
+ sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 kea') }}"
+ sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"
- mailname: kea.liw.fi
- hostname: "{{ sane_debian_system_hostname }}"
- relayhost: pieni.net:587
- smarthost: pieni.net
- smarthost_user: pienirelay
- smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
+ puomi_version: 1
+ puomi_lan_ip: 10.2.0.1
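Review bot: This hunk turns kea into a LAN gateway (`puomi_lan_ip: 10.2.0.1`) while removing the only host firewall it had — the `ufw` default-deny and ssh-allow tasks — and the `self-updating-system` role; unless the `puomi` role brings its own packet filtering and unattended upgrades, the box now forwards for the LAN with neither, which is the wrong direction for a router. If puomi does cover them, a comment next to `- puomi` saying so, `# puomi provides firewall + forwarding; ufw/self-updating removed deliberately`, would stop the next reviewer asking. The play header with `remote_user` is above this hunk, so whether `become: no` means the play already runs as root cannot be seen here.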
diff --git a/ansible/monorepo.liw.fi.yml b/ansible/monorepo.liw.fi.yml
index 1f1797d..24dc5dd 100644
--- a/ansible/monorepo.liw.fi.yml
+++ b/ansible/monorepo.liw.fi.yml
@@ -9,7 +9,9 @@
tasks:
- apt:
name:
+ - curl
- git
+ - screen
- shell: |
a2enmod cgi alias env
- copy:
@@ -37,6 +39,34 @@
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
</VirtualHost>
dest: /etc/apache2/sites-enabled/000-default.conf
+ - copy:
+ content: |
+ <VirtualHost *:443>
+ ServerName monorepo.liw.fi
+ ServerAdmin liw@liw.fi
+ DocumentRoot /var/www/html
+ SSLEngine on
+ SSLCertificateFile /etc/letsencrypt/live/monorepo.liw.fi/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/monorepo.liw.fi/privkey.pem
+
+ <Directory "/">
+ AllowOverride None
+ Order deny,allow
+ Allow from all
+ </Directory>
+
+ <Location "/>
+ Require all granted
+ </Location>
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ SetEnv GIT_PROJECT_ROOT /home/liw/git
+ SetEnv GIT_HTTP_EXPORT_ALL
+ ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
+ </VirtualHost>
+ dest: /etc/apache2/sites-enabled/000-default.conf
- systemd:
name: apache2
state: restarted
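Review bot: `<Location "/>` is missing its closing quote, so Apache rejects the configuration and the `apache2` restart that follows fails; it should be `<Location "/">`. The new vhost is also written to the same `dest: /etc/apache2/sites-enabled/000-default.conf` as the port-80 vhost a few lines above, so the second `copy` silently overwrites the first and the plain-HTTP site disappears — either append the 443 block to the same `content:` or give it its own file under sites-enabled. `<Directory "/">` with `Order deny,allow` / `Allow from all` grants access to the whole filesystem root using 2.2-era directives; prefer `Require all denied` on `/` and grant only on the DocumentRoot and the `/git/` ScriptAlias. With `GIT_HTTP_EXPORT_ALL` and no auth directives every repository under /home/liw/git is readable by anyone who reaches the host over TLS, which may be intended for a public monorepo but deserves a comment saying so.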
@@ -53,7 +83,7 @@
comment: Lars Wirzenius
sudo: yes
- letsencrypt: no
+ letsencrypt: yes
letsencrypt_email: liw@liw.fi
letsencrypt_main_domain: monorepo.liw.fi
certbot_debian_release: bookworm
diff --git a/ansible/radicle-dev.yml b/ansible/radicle-dev.yml
index 09a3bb2..db72f23 100644
--- a/ansible/radicle-dev.yml
+++ b/ansible/radicle-dev.yml
@@ -4,7 +4,7 @@
roles:
- role: sane_debian_system
- role: sshd
-# - role: comfortable-debian-system
+ - role: comfortable-debian-system
- role: unix_users
- role: rust-rustup
- role: liw
@@ -12,18 +12,26 @@
- name: "install important additional packages"
apt:
name:
-# - asciidoctor
+ - asciidoctor
- build-essential
- curl
- git
+ - llvm
+ - podman
- rsync
- screen
+ - man-db
- moreutils
+ - time
- tree
-# - debhelper
-# - lintian
-# - python3
-# - ripgrep
+ - vim
+ - name: "make /bin/sh be bash"
+ shell: |
+ ln -nsf /bin/bash /bin/sh
+ - copy:
+ dest: /etc/containers/registries.conf.d/unqualified.conf
+ content: |
+ unqualified-search-registries = ["docker.io"]
vars:
ansible_python_interpreter: /usr/bin/python3
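Review bot: `ln -nsf /bin/bash /bin/sh` bypasses the dpkg diversion that `dash` owns on Debian, so the link is fought over at the next dash upgrade and every `#!/bin/sh` script on the box now runs under bash; the supported route is `echo 'dash dash/sh boolean false' | debconf-set-selections` followed by `dpkg-reconfigure -f noninteractive dash`, and either way the task wants a `changed_when` so the play does not report a change on every run. The `unqualified-search-registries = ["docker.io"]` setting makes any bare image name resolve to Docker Hub, which is convenient but turns a typo in an image name into a pull from an arbitrary namespace; prefer fully qualified references (`docker.io/library/...`) in whatever invokes podman here and keep the search list as a fallback only.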
@@ -39,6 +47,7 @@
unix_users:
- username: liw
comment: Lars Wirzenius
+ sudo: true
sshd_version: 1
diff --git a/ansible/radicle.liw.fi.yml b/ansible/radicle.liw.fi.yml
index 479242d..dd9a949 100644
--- a/ansible/radicle.liw.fi.yml
+++ b/ansible/radicle.liw.fi.yml
@@ -2,6 +2,7 @@
remote_user: root
become: yes
roles:
+ - role: run-finntroll-playbook-instead
- role: sane_debian_system
- role: sshd
- role: unix_users
@@ -37,10 +38,7 @@
radicle_node_version: 1
radicle_node_key: "{{ lookup('pipe', 'pass radicle/radicle.liw.fi/key') }}"
radicle_node_key_pub: "{{ lookup('pipe', 'pass radicle/radicle.liw.fi/key.pub') }}"
- radicle_node_connections:
- - nid: z6MkhfTshN2uPFBGcxBsZW7Mbof1TgkphBqr5dFTWd1hbNUq
- host: seed.liw.fi
- port: 8776
+ radicle_node_connections: []
radicle_node_repositories:
# heartwood
- rid: "rad:z3gqcJUoA1n9HaHKufZs5FCSGazv5"
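Review bot: `radicle_node_key` here is read from the same `pass radicle/radicle.liw.fi/key` entry that finntroll.liw.fi.yml now provisions, so if both hosts are ever up at once two nodes share one Radicle identity. Since this playbook now opens with a `run-finntroll-playbook-instead` role, the key and repository variables are dead configuration; the node key in particular should be removed from this file rather than left beside the emptied `radicle_node_connections: []`, so that a stray run cannot re-provision the identity on the old host.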
@@ -83,7 +81,11 @@
# vmdb2-web
- rid: "rad:z2mn6wzpVAuJoeWx7TZo33nCHuDfQ"
+
+ # unpack-debian-sources
+ - rid: "rad:zgYpM7b29D6wTMjEUxxzBjcF9EvK"
radicle_node_domain_name: radicle.liw.fi
+ radicle_node_wumpus_domain_name: wumpus.liw.fi
radicle_node_ci_domain_name: ci.radicle.liw.fi
radicle_node_ci_broker_config: |
db: /home/_rad/ci-broker.db
diff --git a/ansible/roles/gnome-system/tasks/main.yml b/ansible/roles/gnome-system/tasks/main.yml
index 0d4dca7..2b51946 100644
--- a/ansible/roles/gnome-system/tasks/main.yml
+++ b/ansible/roles/gnome-system/tasks/main.yml
@@ -3,20 +3,14 @@
state: present
name:
- gnome
- - liferea
-# - desktop-cronish
- handbrake
- handbrake-cli
- - devhelp
- gnumeric
- keepass2
-# - revelation
-# - mumble
-# - gnome-shell-timer
+
- fonts-freefont-ttf
- fonts-symbola
- fonts-inconsolata
-
- fonts-arabeyes
- fonts-cabinsketch
- fonts-cantarell
@@ -47,7 +41,7 @@
- fonts-texgyre
- fonts-tomsontalks
- fonts-hack
-
+
- calibre
- cups
- system-config-printer
@@ -70,10 +64,11 @@
- name: Add flathub
shell: |
- flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
+ flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.Flatpak
- name: install flatpaks from flathub
shell: |
flatpak install --system --app --noninteractive flathub org.mozilla.firefox
- flatpak install --system --app --noninteractive flathub org.signal.Signal
+ flatpak install --system --app --noninteractive flathub org.gnome.Fractal
flatpak install --system --app --noninteractive flathub org.telegram.desktop
+ flatpak install --system --app --noninteractive flathub org.signal.Signal
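Review bot: The remote URL changed from `flathub.flatpakrepo` to `flathub.Flatpak`, which does not look like a deliberate edit — the `.flatpakrepo` file is what carries the remote's GPG key, and because of `--if-not-exists` the breakage only surfaces on a fresh machine where the remote is missing; revert to `https://flathub.org/repo/flathub.flatpakrepo` unless a different file was intended. The `shell:` task also reports changed on every run; a `changed_when` keyed on the `remote-add` output would keep the play idempotent.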
diff --git a/ansible/roles/gnupg-workstation/tasks/main.yml b/ansible/roles/gnupg-workstation/tasks/main.yml
index 935970c..9c0f52c 100644
--- a/ansible/roles/gnupg-workstation/tasks/main.yml
+++ b/ansible/roles/gnupg-workstation/tasks/main.yml
@@ -4,5 +4,5 @@
- gnupg
- scdaemon
- pass
-# - extrautils
+ - extrautils
- oathtool
diff --git a/ansible/roles/mail-server/files/virtual b/ansible/roles/mail-server/files/virtual
index 67a2287..54b5ff0 100644
--- a/ansible/roles/mail-server/files/virtual
+++ b/ansible/roles/mail-server/files/virtual
@@ -10,6 +10,9 @@ tele@liw.fi liw
exolobe1.liw.fi -
@exolobe1.liw.fi liw
+tursas.liw.fi -
+@exolobe1.liw.fi liw
+
docstory.fi -
postmaster@docstory.fi soile
abuse@docstory.fi soile
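Review bot: The catch-all added under `tursas.liw.fi -` is `@exolobe1.liw.fi liw`, a verbatim copy of the exolobe1 entry rather than `@tursas.liw.fi liw`; postmap will warn about the duplicate key, and mail for tursas.liw.fi is accepted by the domain line but has no virtual destination. Change the added line to `@tursas.liw.fi liw`.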
diff --git a/ansible/roles/rust-rustup/tasks/main.yml b/ansible/roles/rust-rustup/tasks/main.yml
index ceb4a69..a24cf37 100644
--- a/ansible/roles/rust-rustup/tasks/main.yml
+++ b/ansible/roles/rust-rustup/tasks/main.yml
@@ -4,6 +4,8 @@
- build-essential
- cmake
- curl
+ - libssl-dev
+ - pkg-config
- name: "install Rust toolchain using rustup"
shell: |
set -eu
diff --git a/ansible/solace.yml b/ansible/solace.yml
index 635505f..38f46d0 100644
--- a/ansible/solace.yml
+++ b/ansible/solace.yml
@@ -32,6 +32,7 @@
- memtest86+
- python3
- rsync
+ - time
- vim
- wireless-regdb
diff --git a/ansible/stamina-vms.sh b/ansible/stamina-vms.sh
index 9c44ced..232d146 100755
--- a/ansible/stamina-vms.sh
+++ b/ansible/stamina-vms.sh
@@ -5,13 +5,10 @@ set -eu
playbooks="
web.yml
ambient-dev.yml
-obnam-dev.yml
+ambient-driver.yml
radicle-dev.yml
-radicle-multi.yml
rust-dev.yml
subplot-dev.yml
-v-i-dev.yml
-vmdb2-dev.yml
"
for playbook in $playbooks; do
@@ -19,4 +16,4 @@ for playbook in $playbooks; do
chronic ./run-playbook "$playbook"
done
-test-ssh-credentials
+#test-ssh-credentials
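Review bot: `test-ssh-credentials` is commented out with no reason, so the post-provision check that the rebuilt VMs' SSH credentials actually work now silently never runs. Either restore it once whatever prompted this is fixed, or leave a note so the gap is visible, `#test-ssh-credentials  # disabled: <why>`.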
diff --git a/ansible/texlive.yml b/ansible/texlive.yml
index 7945b5b..8bbd121 100644
--- a/ansible/texlive.yml
+++ b/ansible/texlive.yml
@@ -39,6 +39,9 @@
- repo: |
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
+
unix_users_version: 2
unix_users:
- username: liw
diff --git a/ansible/tursas.yml b/ansible/tursas.yml
new file mode 100644
index 0000000..aa8d2f8
--- /dev/null
+++ b/ansible/tursas.yml
@@ -0,0 +1,248 @@
+- hosts: tursas
+ remote_user: root
+ become: no
+ roles:
+ - role: sane_debian_system
+ - role: self-updating-system
+ - role: sshd
+ - role: ssd
+ - role: comfortable-debian-system
+ - role: intel-wifi
+ - role: gnupg-workstation
+ - role: gnome-system
+ - role: mail-client
+ - role: unix_users
+ - role: rust-rustup
+
+ tasks:
+ - name: "remove ping so it can be re-installed with capabilities"
+ apt:
+ name: iputils-ping
+ state: absent
+
+ - name: "install additional software"
+ apt:
+ name:
+ - acpi
+ - ambient-driver
+ - ansible
+ - apt-file
+ - asciidoctor
+ - bc
+ - bind9-host
+ - black
+ - cachedir
+ - clab
+ - colordiff
+ - cpu-checker
+ - curl
+ - daemonize
+ - dict
+ - dict-foldoc
+ - dict-gcide
+ - dict-jargon
+ - dict-vera
+ - dict-wn
+ - dictd
+ - dnsutils
+ - emacs
+ - fio
+ - firmware-sof-signed
+ - gddrescue
+ - genisoimage
+ - git-annex
+ - gimp
+ - graphviz
+ - iftop
+ - ikiwiki
+ - info
+ - iputils-ping
+ - jq
+ - jt
+ - libdvd-pkg
+ - librsvg2-bin
+ - liw-automation
+ - locales-all
+ - lshw
+ - memtest86+
+ - moreutils
+ - musl
+ - musl-dev
+ - musl-tools
+ - nfs-common
+ - nmap
+ - num-utils
+ - oathtool
+ - obnam
+# - obnam-benchmark
+# - openpgp-ca
+ - ovmf
+ - pan
+ - pandoc
+ - pandoc-filter-diagram
+ - pass
+ - pathdedup
+ - pavucontrol
+ - pciutils
+ - plantuml
+ - printer-driver-ptouch
+ - psmisc
+ - pv
+ - qemu-user-static
+ - radicle
+ - ripgrep
+ - shellcheck
+ - sqlite3
+ - sshca
+ - strace
+ - subplot
+ - summain
+ - systemd-zram-generator
+ - texlive-fonts-recommended
+ - texlive-latex-extra
+ - texlive-latex-recommended
+ - texlive-plain-generic
+ - tidy
+ - time
+ - units
+ - usbutils
+ - uuid
+ - validns
+ - vim
+ - virt-manager
+ - vlc
+ - vmdb2
+ - vobcopy
+ - w3m
+ - whois
+ - xpdf
+ - yaml-mode
+ - zerofree
+ - zip
+ - zoxide
+ - zram-tools
+
+ # - expect
+ # - gimp
+ # - inkscape
+ # - linux-perf
+ # - python3-requests
+ # - unicode
+ # - mmv
+ # - mtr
+ # - nethogs
+ # - parted-doc
+
+ - name: "configure zram"
+ copy:
+ content: |
+ ALGO=zstd
+ PERCENT=50
+ dest: /etc/default/zramswap
+
+ - name: configure dict
+ copy:
+ content: |
+ server localhost
+ dest: /etc/dictd/dict.conf
+
+ - lineinfile:
+ path: /etc/default/grub
+ regexp: GRUB_ENABLE_CRYPTODISK
+ line: "GRUB_ENABLE_CRYPTODISK=n"
+
+ - shell: |
+ update-grub
+
+ - lineinfile:
+ path: /etc/environment
+ regexp: MOZ_ENABLE_WAYLAND
+ line: "MOZ_ENABLE_WAYLAND=1"
+
+ - shell: |
+ env DEBIAN_FRONTEND=noninteractive dpkg-reconfigure libdvd-pkg
+
+ # CAREFUL!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ # - name: "create liw/.radicle/keys"
+ # file:
+ # state: directory
+ # path: /home/liw/.radicle/keys
+ # owner: liw
+ # group: liw
+ # mode: 0755
+
+ # - name: "install radicle private key"
+ # copy:
+ # content: "{{ radicle_key }}"
+ # dest: /home/liw/.radicle/keys/radicle
+ # owner: liw
+ # group: liw
+ # mode: 0600
+
+ # - name: "install radicle public key"
+ # copy:
+ # content: "{{ radicle_pub }}"
+ # dest: /home/liw/.radicle/keys/radicle.pub
+ # owner: liw
+ # group: liw
+ # mode: 0644
+
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
+ sane_debian_system_timezone: Europe/Helsinki
+ sane_debian_system_sources_lists:
+ - repo: |
+ deb http://deb.debian.org/debian bookworm contrib non-free non-free-firmware
+
+ - repo: |
+ deb-src http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
+
+ - repo: |
+ deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
+
+ - repo: |
+ deb http://deb.debian.org/debian bookworm-backports main contrib non-free non-free-firmware
+
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
+
+ unix_users_version: 2
+ unix_users:
+ - username: liw
+ comment: Lars Wirzenius
+ groups:
+ - audio
+ - bluetooth
+ - cdrom
+ - dialout
+ - dip
+ - floppy
+ - kvm
+ - netdev
+ - plugdev
+ - scanner
+ - video
+
+ mailname: "tursas.liw.fi"
+ relayhost: pieni.net:587
+ smarthost: pieni.net
+ smarthost_user: pienirelay
+ smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
+
+ sshd_version: 1
+
+ rustup_cargo_install: |
+ cargo-cache \
+ cargo-deny \
+ cargo-outdated \
+ cargo-semver-checks \
+ pikchr-cli \
+ bottom
+
+ # CAREFUL!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ # radicle_key: "{{ lookup('pipe', 'pass radicle/liw/key') }}"
+ # radicle_pub: "{{ lookup('pipe', 'pass radicle/liw/key.pub') }}"
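Review bot: `GRUB_ENABLE_CRYPTODISK=n` is set with no comment on why, and since it switches off GRUB's ability to unlock a LUKS-encrypted `/boot`, a reader cannot tell whether this host has an unencrypted `/boot` (making the line a no-op) or whether boot-time disk encryption is being deliberately turned off; a line above the task such as `# /boot is unencrypted on tursas; GRUB LUKS support not needed — TODO confirm` would settle it. The `update-grub` and `dpkg-reconfigure libdvd-pkg` shell tasks run unconditionally on every play with no `changed_when`, and the libdvd-pkg reconfigure, as far as I know, downloads and builds libdvdcss itself, so gating it on the `apt` task's `changed` result would avoid repeating that network fetch on each run. The commented-out `CAREFUL` blocks for the Radicle key are harmless as comments, but if they are ever re-enabled the private-key `copy` task needs `no_log: true` and the keys directory `mode: "0700"` rather than `0755`.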
diff --git a/ansible/wumpus.yml b/ansible/wumpus.yml
new file mode 100644
index 0000000..c921822
--- /dev/null
+++ b/ansible/wumpus.yml
@@ -0,0 +1,165 @@
+- hosts: wumpus
+ remote_user: root
+ roles:
+ - sshd
+ - sane_debian_system
+ - unix_users
+ tasks:
+ - name: "Install packages"
+ apt:
+ name:
+ - ewww
+ - psmisc
+ - curl
+ - rsync
+ - wumpus-hunter
+ state: present
+
+ - name: "Create /srv/wumpus"
+ file:
+ state: directory
+ path: /srv/wumpus
+ owner: wumpus
+ group: wumpus
+ mode: 0755
+
+ - name: "Create ewww config directory"
+ file:
+ state: directory
+ path: /etc/ewww
+
+ - name: "Install ewww config"
+ copy:
+ content: |
+ webroot: /srv/wumpus
+ listen: "0.0.0.0:443"
+ tls_cert: /etc/ewww/tls.pem
+ tls_key: /etc/ewww/tls.key
+ dest: /etc/ewww/ewww.yaml
+
+ - name: "Install TLS cert"
+ copy:
+ content: |
+ -----BEGIN CERTIFICATE-----
+ MIICrzCCAZcCFFusxXoXXAVCzpfNK5VlnS8vFnY/MA0GCSqGSIb3DQEBCwUAMBQx
+ EjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0yMTA3MjIwNzMzNThaFw0yMjA3MjIwNzMz
+ NThaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ ADCCAQoCggEBALhfy48gwIslLt5nCDSaPZeg52TwlZ8gWotnoprcv3cgTllDD/t7
+ uLwRrYFJl2AheaNRP+ZOgXYzuS+pOz7YCdLg6bc1d8Dto69gQy848GnTtHINgy3Z
+ Ag0L5d2B8/PcpEagFe2z1cCDzxNxkhjWisb0Rm1AOJcNxQWvICw428wwWEr6SRiO
+ FHTht5UG0oClK88cJSwBnzNSS9Q30q42JfUmua1Dd0PS3FOMibtzMB9aBATeR4uH
+ pQ1qCGU197er0PVfxWYrm8LEyZFQHRviwiaLNMtMRQuOp2rDF3kV/aZuw+aUYqpk
+ zz+H3g0lxU3vYp/NmSRvC7y4HFxr7xlu6DECAwEAATANBgkqhkiG9w0BAQsFAAOC
+ AQEAgpZ0dd+W4v7P6uFZ3R4rbRrHUQEOlFFMUrkf6EyT9xeIk7XjO6+RYbVP6tWX
+ h4T9sEIFypAtR/47JEhFKYzncPBygUQfzXH5hW0JgviMQ8nNQz6NUJ5vPpeI4Tob
+ 7uipx46Lq6nF6h9DbMK/03M7ZeybEa+nknDtry5hKTVzi+xSkVQX1/xgOBY0hhUk
+ xcLCULujN2Lp262aP9hIuI/vaXo5HOh+BavsSauVUsRjScz/8Lgn+q4qRajcgnRa
+ WvK5nH/Ok4am5F9LDcwZOyUXrV+VB9CcbhnzinMuPwCdhPvMr+F7zQP9YXbOeOlP
+ NdZiSNvGZAbEnmMnNCEYMO3wVA==
+ -----END CERTIFICATE-----
+ dest: /etc/ewww/tls.pem
+ - name: "Install TLS key"
+ copy:
+ content: |
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIEpAIBAAKCAQEAuF/LjyDAiyUu3mcINJo9l6DnZPCVnyBai2eimty/dyBOWUMP
+ +3u4vBGtgUmXYCF5o1E/5k6BdjO5L6k7PtgJ0uDptzV3wO2jr2BDLzjwadO0cg2D
+ LdkCDQvl3YHz89ykRqAV7bPVwIPPE3GSGNaKxvRGbUA4lw3FBa8gLDjbzDBYSvpJ
+ GI4UdOG3lQbSgKUrzxwlLAGfM1JL1DfSrjYl9Sa5rUN3Q9LcU4yJu3MwH1oEBN5H
+ i4elDWoIZTX3t6vQ9V/FZiubwsTJkVAdG+LCJos0y0xFC46nasMXeRX9pm7D5pRi
+ qmTPP4feDSXFTe9in82ZJG8LvLgcXGvvGW7oMQIDAQABAoIBAQCTKyP441PNvahj
+ ripGkreHSNBrKf7EPbcIf3iz1HCgThE7/uPLAT68IAA2qt9BxHarfjdbRl7gUvkG
+ qja4OwncYdssemlUfluhqVz3XKPKVUo7n72N4yJX959L6GcpyHz4QuA+FMYSHSQ1
+ iPntCZNMq79rhU+mgz85AkjUA66ulKzkFwYRL6oRJ+fxwYKTCcnRAUbUaihDXb5T
+ AV4wDPMKLse70KL42SPTrQFzTqguDlXzPlKvqOEi2lZkNkiMr8wdN/xZlzLre89K
+ EM/mczCnYnI17dkFrdF+9Wsr63o24H+vUQ3IWIDnVP+dgMXonvCz2Z8mawlb5tt7
+ vuY4b9KBAoGBAOczO740Q/mDk2iQI4Kt+o1unRwz34AEge0hm7kVUb7g2iV9sqNU
+ PovFjIvfCpWTmxVj6NQHyHbKDUfnnYzrpYHuMu2mL5E/1w+WqO1xPgoS287Xs/0I
+ E6N/BozDW4kMgBID0U2qz0JBrDMDFlL/yoziec6kv8f8uvRlQKtSdVSFAoGBAMwm
+ uDCShE4RcCr0PgAhiCSllJF03AVbLioTqdXwiHbIVvu5XvUClgOuI0eUDzU0Dsco
+ eWVaMQYx2Gt26sPPE52duZQNZ8JOZVq8/eSoycxYBn+hxYsjWqR9VvAZ4UMQvQ9g
+ T8La/NJTmzGVqpSD6XA176umCmgB/oeEaNZvchq9AoGAUfmbdDxJ4b1iVc/Nl3ci
+ gGU49Zf65gQzISYqdbx2aIyHLIXeAgVLy/k2dR2XPiPA+BudoRhFXsETZmxcM2wW
+ GfSgQB0Nfp25HkDYEqB1U9MN9tAKdGwZsn3Gj8Bwwy4Ydsq9uqEWrbJlYQz2LGWf
+ psZiU/+cNEeK7j68aEJrcZUCgYAu7zvrVtP6CsJJ7csPRqZBHpwwcLhgtty/KbQj
+ DmChRl/REYYGOCj7AZ70xtJUPfqjyOdX6MtajD0gP7+rcsEkvG0833QaVOGyYb7R
+ Qgja5OXhk/SRj3g4VuSU4K5MN93vWgocVzJGvJfyZ2FHMaiKdqv6P3sm/EZjK4ra
+ udZ21QKBgQDXmMP5sPHBtpHyXybIHk+nJICOtsKAJklXA1msgCk8OqDyPXX3qh8e
+ 4vFU4tgRN1nBMmEG5ROTtING1dQ5+X3aqXOJIO+asE1FkQA1kUhFKg2OSo15liPI
+ cB5//DSHki2Mh1iZxPfZnvFYpEOl9pmedSJ4tlltzKQSY//6kGJ49g==
+ -----END RSA PRIVATE KEY-----
+ dest: /etc/ewww/tls.key
+
+ - name: "Enable and start ewww service"
+ systemd:
+ name: ewww
+ state: restarted
+ enabled: yes
+ daemon_reload: yes
+
+ - name: "create directory for temporary wumpus files"
+ file:
+ state: directory
+ path: /srv/tmp
+ owner: wumpus
+ group: wumpus
+
+ - name: "install wumpus hunter config"
+ copy:
+ content: |
+ description: |
+ Test Radicle heartwood.
+ repository_url: https://seed.radicle.xyz/z3gqcJUoA1n9HaHKufZs5FCSGazv5.git
+ git_ref: master
+ command: |
+ cargo test --locked --workspace
+ dest: /home/wumpus/wumpus.yaml
+ owner: wumpus
+ group: wumpus
+
+ - name: "install service unit for wumpus hunter"
+ copy:
+ content: |
+ [Unit]
+ Description=Wumpus hunter
+ After=network.target network-online.target
+ Requires=network-online.target
+
+ [Service]
+ User=wumpus
+ Group=wumpus
+ ExecStart=/usr/bin/wumpus-hunter run --logs /srv/wumpus /home/wumpus/wumpus.yaml
+ Environment=RUST_BACKTRACE=1 WUMPUS_LOG=info PATH=/home/wumpus/.cargo/bin:/bin:/sbin TMPDIR=/srv/tmp
+ KillMode=process
+ Restart=always
+ RestartSec=3
+
+ [Install]
+ WantedBy=multi-user.target
+ dest: /etc/systemd/system/wumpus-hunter.service
+
+ - name: "(re)start systemd unit for the wumpus hunter"
+ systemd:
+ name: wumpus-hunter
+ state: restarted
+ masked: no
+ enabled: yes
+ daemon_reload: yes
+
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
+ sane_debian_system_timezone: Europe/Helsinki
+ sane_debian_system_sources_lists:
+ - repo: deb http://apt.liw.fi/debian unstable main
+ signing_key: "{{ apt_liw_fi_signing_key }}"
+
+ unix_users_version: 2
+ unix_users:
+ - username: wumpus
+ comment: Wumpus hunter
+
+ sshd_version: 1
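Review bot: The RSA private key written by the `Install TLS key` task is committed in clear text in this playbook, so it has to be treated as compromised whatever the certificate covers; pull it from the password store like the other secrets in this repo, `content: "{{ lookup('pipe', 'pass <entry>') }}"`, and give that task `no_log: true` and `mode: "0600"` — as written the key lands under /etc/ewww with the copy module's default permissions, typically world-readable. The certificate it pairs with is self-signed for CN=localhost and, decoding its validity fields, expired in July 2022, while `listen: "0.0.0.0:443"` exposes the listener to the network, so every client of wumpus.liw.fi will see an expired, mismatched certificate; issuing one for the real name (certbot is already used in monorepo.liw.fi.yml) or terminating TLS elsewhere fixes both. Quote the `/srv/wumpus` mode as `mode: "0755"` too, for consistency with the string form Ansible recommends.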