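---
# Playbook for two hosts: atuin (a VM host with a bridged NIC) and nalanda
# (a backup/relay box).  Secrets and SSH host material are never stored in
# this file: they are fetched at run time through lookup('pipe', ...) from
# `pass` and `sshca`, so the machine running the playbook must have both.
#
# Conventions used here (all values are equivalent to the originals under
# Ansible's YAML loader, but lint-clean):
#   - file modes are quoted strings ("0644"), never bare octal literals
#   - booleans are written as true/false, not yes/no
#   - every edit of /etc/ssh/sshd_config notifies the "reload sshd" handler

- hosts: atuin
  remote_user: root
  roles:
    - hetzner-network-bridge
    - sshd
    - role: ferm-firewalled
      tags: [ferm]
    - sane_debian_system
    - self-updating-system
    - comfortable-debian-system
    - unix_users
    - storage_system
    - smarthost-client
    - vmhost-minimal
  tasks:
    - name: "install additional packages"
      apt:
        name:
          - moreutils
          - kpartx

    # `append: true` is required: without it the user module *replaces* the
    # supplementary group list with just "libvirt", silently dropping any
    # other group the unix_users role (or an admin) put liw into.
    - name: "put liw into libvirt"
      user:
        name: liw
        groups: libvirt
        append: true

    - name: "enable IPv4 forwarding"
      sysctl:
        name: net.ipv4.ip_forward
        value: "1"

    - name: "create /home/liw/.config/ansibleness"
      file:
        path: /home/liw/.config/ansibleness
        state: directory
        owner: liw
        group: liw

    # Config consumed by liw's VM tooling; the values reference the LVM
    # volume group and the bridge created by hetzner-network-bridge.
    - name: "create vm.conf"
      copy:
        content: |
          imagedir=/home/liw/base-image-specs/working
          vg=vg0
          vmnetwork=bridge=br0
        dest: /home/liw/.config/ansibleness/vm.conf
        owner: liw
        group: liw
  vars:
    ansible_python_interpreter: /usr/bin/python3
    sane_debian_system_version: 2
    sane_debian_system_hostname: atuin
    sane_debian_system_codename: bullseye
    sane_debian_system_timezone: Europe/Helsinki
    unix_users_version: 2
    unix_users:
      - username: liw
        comment: Lars Wirzenius
        sudo: true
        authorized_keys: |
          {{ liw_hetzner_ssh_pub }}
      - username: root
        sudo: true
        authorized_keys: |
          {{ liw_hetzner_ssh_pub }}
    mailname: atuin.liw.fi
    smarthost: pieni.net
    smarthost_user: pienirelay
    # Pulled from the password store at run time; never a literal here.
    smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
    relayhost: pieni.net:587
    bridge_nic: enp3s0
    bridge_method: static
    bridge_nic_addr: 78.46.87.180
    bridge_gateway: 78.46.87.161
    bridge_guest_addrs:
      - 78.46.87.154
      - 78.46.87.152
    # The firewall's external interface is the physical NIC, not the bridge.
    ferm_iface_ext: "{{ bridge_nic }}"
    sshd_version: 1
    # Host private key and CA-signed host certificate come from sshca; the
    # user CA public key lets sshd accept certificates instead of raw keys.
    sshd_host_key: "{{ lookup('pipe', 'sshca host private-key atuin.liw.fi') }}"
    sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v5 atuin.liw.fi') }}"
    sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"

- hosts: nalanda
  remote_user: root
  pre_tasks:
    # Written before any role runs so that package installs can resolve names.
    - name: "set up resolv.conf"
      copy:
        content: |
          # nameserver config
          nameserver 213.133.99.99
          nameserver 213.133.98.98
          nameserver 213.133.100.100
          nameserver 2a01:4f8:0:1::add:1010
          nameserver 2a01:4f8:0:1::add:9999
          nameserver 2a01:4f8:0:1::add:9898
        dest: /etc/resolv.conf
        owner: root
        group: root
        mode: "0644"
  roles:
    - sshd
    - role: ferm-firewalled
      tags: [ferm]
    - sane_debian_system
    - self-updating-system
    - comfortable-debian-system
    - unix_users
    - smarthost-client
  tasks:
    - name: "install additional packages"
      apt:
        name:
          - borgbackup
          - mosh

    # Global default: key/certificate auth only.  Keep this task *before* the
    # Match block task below: lineinfile appends at EOF when nothing matches,
    # and a line appended after "Match User holly" would land inside that
    # block and scope the "no" to holly instead of to everyone else.
    - name: "disable non-key authentication for ssh"
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^PasswordAuthentication"
        line: "PasswordAuthentication no"
      notify: reload sshd

    # Single per-user exception.  sshd requires Match blocks at the end of the
    # file, hence the append; the grep guard keeps the append from repeating,
    # and the reload inside the guard only fires when the block is first added.
    - name: "allow ssh password auth for one user"
      shell: |
        file=/etc/ssh/sshd_config
        if ! grep -q 'Match User holly' "$file"
        then
          printf >> "$file" 'Match User holly\n PasswordAuthentication yes\n'
          systemctl reload sshd
        fi

    # NOTE(review): unix_users below defines liw-laptop and liw-holywood but
    # no liw-wmf-laptop account; the chown for that item will fail unless the
    # user is created elsewhere -- confirm before relying on it.
    - name: "create repository dirs for backup clients"
      file:
        state: directory
        path: "/home/{{ item }}/repo"
        owner: "{{ item }}"
        group: "{{ item }}"
        mode: "0700"
      with_items:
        - liw-laptop
        - liw-wmf-laptop
        - liw-holywood
  handlers:
    # Applies sshd_config edits made by the tasks above; without a reload a
    # change to the PasswordAuthentication line would otherwise sit unapplied
    # until the next time the Match block is (re)created.
    - name: reload sshd
      service:
        name: sshd
        state: reloaded
  vars:
    ansible_python_interpreter: /usr/bin/python3
    sane_debian_system_version: 2
    sane_debian_system_hostname: nalanda
    sane_debian_system_codename: bullseye
    sane_debian_system_timezone: UTC
    unix_users_version: 2
    unix_users:
      - username: liw
        comment: Lars Wirzenius
        sudo: true
        authorized_keys: |
          {{ liw_hetzner_ssh_pub }}
      - username: root
        sudo: true
        authorized_keys: |
          {{ liw_hetzner_ssh_pub }}
      # Per-client backup accounts: key-only, no sudo.
      - username: liw-laptop
        comment: Lars Wirzenius
        authorized_keys: |
          {{ liw_hetzner_ssh_pub }}
      - username: liw-holywood
        comment: Lars Wirzenius
        authorized_keys: |
          {{ root_at_holywood2_ssh_key_pub }}
          {{ root_at_holywood2_ssh_key_pub_v2 }}
      # disabled authorized_keys so they don't overwrite user's own changes
      - username: dkscully
        comment: Leslie
        # authorized_keys: |
        #   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt+rzeHl8fYF5wX0p3MOiJWRvMTOluJh8n/r0qLfPyWdYq6z4pL+DlKOjO3KiZw0HjgkCMmk2E847aslMMTx0E113cWBqPZ0uP5lgfG5WrkZ1vMXRmy/k1itBd5FET5YQaB0lReoXk60wr2v9F41v8bG3RWEuZ9NbK4nqQjjIZKFmS04Y+NYtdUxtBaOp7hSTdbwHD1hC7j5Y+1Bucxi8DoLMUdk6E6kuvJST62X2tV8JlqFgukPgVOX+QXnIeqom51IcSvTuI+fLG0O6WtZhBw7wKG9uf5ye3Px5P9TQjU0Ejp3UJGdksUak3WCqTCyRGT0w/hpVY6THxSo87f5Jt dkscully@hex.geah.org
        #   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5SqJ7JMed7z0byEWnQob/ZA9xeNfdBWXWy9Cp/VCNf95+D5BcmfulFDr6oZVRCOSe/j1HyI4yMmRzfd37FTEAWOywFfwtUoryO01wlafwoMQ61BLJYDVA5A66kn0X/88N5beVsEZohlJlpzek5CoUktbsI2W6qhaKabHd9p8TOwfDMx2zBxItgw+jJkPbmNIontBSr2VGj/fLyEKr5F7pdIoRZ/vp5QjjjfjiGGeKrA/P2jQSsh+5Krxm1Gg5j5TM9S84lT6YcDj0F/dxXZmKME6wddHFZm7E6JFKQ4h+uLsvGNCjR++WoZihXhgIY9WATdh7OFlBBB4KkZavQ4XB dkscully@minicore.geah.org
        #   ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0ilWyOWlTzO2kIzY6xMks7LvhwwYY7/kVh6OCI/TFr4msglfsDvr+LjYDeZmWTbFOtf0WZF2qUgBm/V6HU8TZqCBWJEjD8yUUcvxNp/JzEt5J0PLZvB9hjYce549FNr5qwgfxz8i4a/tMVVektkiKlPlcrVK3lAuS/8BLkRmLm2fkBEzBU/CXyPpDdIqTOQQXohwD8VhTYEgoDFZa0FcNZyYQxpx8y3Iu7pX2IPSpbNyPLROlTGZyQ4iyfI2gA2gUsxw1S3MWvMbjW76kbXH4a4iLHrAi/1ND/rvt8Gm0Zrn1OsG8spR4G2H0wFHaYLm9lWWcwGyFaCpZl0ZsY/3KQ== dkscully@octopus
      - username: dsilvers
        comment: Daniel
        # authorized_keys: |
        #   ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0Fe75AEGYSg7qxMjAO/D1XjkDaRPAnYMN589swN5F99Mngw9cWoAd1IvVb3Xhkyk4dLbeDfWFRHlKrHg6MarWORNdWYWXnz25NblxMzVRybkoBhh9og76GGJzXn+gyz4q6dpx1uwI7DuIWt0aThIjFSxCJ/o/w8Zy8nFDjMALTZroqlWMtGMeZjMaahkmNzNdfDQFxHIWzRyL6jDM9Gw4fIcCVNQ4qphx2K1LDAAnpsaTlenaZLZqQavDHj/5LXZizUPRFi22O2VsOYWb5S4wPJnQSdfqZ2hJTRRm7G/atA5HfEDVzNFuBHhu/KI59QUxf6zuX617e9dG2VoVRlJ1Q== dsilvers@ataraxia
        #   command="/usr/lib/openssh/sftp-server",no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA63ckmmt2XXb1rZnWoUlY8ShWODgEdEwYEgk2Y4JzCMAxT5SVCHqXGdIuQrZisqyRvwCeh2cvvuo81mgBWTX068b/YU/ahknLJYc6rdshQvQ+ON+BudhT91oqDDUQBF7jf6BJfohg5QbZEk586deKCo+tHgSNusH0m8UVZV4cAD+r6YIjxRKoG6r1jfRRf1Kwz31BFoIHSt2c7JvlUhb+MnAOQI47v6b+zsZY3PQRXMdYAHA5TCaDlJSaGctinHqHn4miWl+oGGqBnEBlYmEdmkwDxoDYM6UrgBntPJ+6UKzVOudcVWsOG43hytP1yS1eyaM5+Ok21sI9Kt56xf3v6w== root@octopus
      - username: rjek
        comment: Rob
        # authorized_keys: |
        #   ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAunHPD5fC4YdJzs6GO1/lv1RDoURRX1NHZY9VXjnNVIVPmQTH+WXfHVTZeN1lpBCprIqGQwqpxiBt1btlh0ztyakbxaM0w4RpA9RvgRSGiHoMTmgmeKR6CmCil082n4+b92uQ4QZBN3J2xWsX82GS7Ptj0KwbGAlpxgd6/zB1EdmqvbEQk49ivzPANml5jpvEjG06Qx+ZknRzSucrnYHUHzvz9bdPSwDsdW7r166fvnwpTknR+Z+9Cs0oO/d7m4AwPe0x7TcQRDha/5T4xY/QuLSza83EheASZUbHGivFNsioDhzchA9aIIRg9TfnHBToL92idNtR5N2djoFAwU1Pdw== rjek@octopus
        #   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfdeHZJ5zkUYpH1ofYmIaFhm58LSiO80yyZca5ggzp0GBji9nV73eq0kn5K8XLeoC0uS/oiRNEstopwK6KvHR1lnGVnw4b7QKbYiu1MvlJANJqPhfXgzJA+8YwCV5AgsSx2fEWass1E+g2ylN05c3S5VgbUbfijTx6jqmOL3a43E7IBvMCvRPtEDJaHnpMpBeZneKt8UHNgreVCP8y6RMwezzHOWm81GeQHI7QPU5NR6vImJJeY+Js0gA2UzM6ch4IBnhhpy+KafP6Sf8E7oVHu4qq41JI8HT2vC1yCytipZ/51IG3Ou4G4jmVLL0O1XawK4/oWBS+SL+1sm7EulQD rjek@monotony
        #   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfdeHZJ5zkUYpH1ofYmIaFhm58LSiO80yyZca5ggzp0GBji9nV73eq0kn5K8XLeoC0uS/oiRNEstopwK6KvHR1lnGVnw4b7QKbYiu1MvlJANJqPhfXgzJA+8YwCV5AgsSx2fEWass1E+g2ylN05c3S5VgbUbfijTx6jqmOL3a43E7IBvMCvRPtEDJaHnpMpBeZneKt8UHNgreVCP8y6RMwezzHOWm81GeQHI7QPU5NR6vImJJeY+Js0gA2UzM6ch4IBnhhpy+KafP6Sf8E7oVHu4qq41JI8HT2vC1yCytipZ/51IG3Ou4G4jmVLL0O1XawK4/oWBS+SL+1sm7EulQD rjek@monotony
        #   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgWDSfzEXTejxDO0cy7RBUgcWQPTR1ceWC1ri7b0i0IUnD1VQjZkhmzT+QY25SyKBhoxGyB4RtfYPKcTq6DHmU1ffb4cgP9/s++P4Z35u0jJDjHZ7xpL4B2d3NZn+0Xbc1k1KhsGYSdH0XTMCvIcd6pjJBIBFN/WJSyroxLcD16ZXB9ZYSCo90rdFfuwuRtbQxcAdVw4KGqM6lpc0SZdhkVvCXl3a0uOK9hqg9jGHuZ2qSvKD/km5UpHJfv/1Jt96GbW3CLypBa+Vau7PALqzO6H+OkD9VH4Z2YfrnUFAqaUSvAMXaW+k/Fyj+GpTnX8XhPADQIZW+yC7AC/eyDTd/ root@gruntle
        #   echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgWDSfzEXTejxDO0cy7RBUgcWQPTR1ceWC1ri7b0i0IUnD1VQjZkhmzT+QY25SyKBhoxGyB4RtfYPKcTq6DHmU1ffb4cgP9/s++P4Z35u0jJDjHZ7xpL4B2d3NZn+0Xbc1k1KhsGYSdH0XTMCvIcd6pjJBIBFN/WJSyroxLcD16ZXB9ZYSCo90rdFfuwuRtbQxcAdVw4KGqM6lpc0SZdhkVvCXl3a0uOK9hqg9jGHuZ2qSvKD/km5UpHJfv/1Jt96GbW3CLypBa+Vau7PALqzO6H+OkD9VH4Z2YfrnUFAqaUSvAMXaW+k/Fyj+GpTnX8XhPADQIZW+yC7AC/eyDTd/ root@gruntle
      # holly is the one account the Match block above allows password auth for.
      - username: holly
        comment: Holly
      - username: ppf
        comment: PPF
        # authorized_keys: |
        #   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPzZG0zGrTrGHDkoTGg5kmOZEKWPM8Y0uVsGcbFNlv2y8+Eg4pAWdejcj2DhzgBueoEzhXo4uHQH1iLDYJ/11XM5HxDrsXdi2ArzJ8lPAoQYObOK0/aq+ZrGS3GK6shuxGoQm2IWNnwu7XEfKMJR43LTpBEYntsesRtkIaPdd8buDJ1yixgXUggS9A/44Br3zkAPVhOfYbMjeaTQGQhSTZlS8MuD8PgQVNbftGhaK1WXfR9JpWmK8ILg6/Img48/+OhdYm2zz7K91Pi82hZ5JsEaTriC0p2IoHhA6EQdICLDdRfCSJNkhKyEjyL0BB4VFjIefmJfQ3rESCL+n9mGJP root@bagpuss
        #   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKO73AYFqHucIjv2sdgbK+JU+i0gZOSazaTWT3Q4OouZ4M+EEYUTLPVBu301+QuSgrOqGPvwrAW5aYYgWWSqgr81dynPYoAUCgek9BzaW/GGffBDgPgeuJRrshDAwMNLxZTh8oWZUBvEWmSLVFAsmrZo71pEtj5DE9jjGXZodCnt2ngx7YeFyic0/jtJEe8SyZ/EhzXXbUMlt5I93P4le15j09XpAGZkt51J8hR/akAEh9pu06Slsy1tKawLtdr+oQdD22WZrn8jmkfp+X8ovwK8seKsG9NF70y2qT797cVd1egbtoKDRARBuxEWF1GrGnc62V6gP+Cn5hbagUnCGP root@inmail
        #   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9vQVyxfuBw7X4KxWQx6cyGcfR6qVlsn8L2BxqGmvSfKZyez+v2vHsfk+2Jb1Ixauu2JjWFJ/IsH5S8Cx1TVvNK5DYklCiAS/dNp2Xm1jO39EG3tmr22NNOuIg8ADCs9Hjia+t5nm6GiYSIAN/ADn4XTwE0cG8CA0R1BvMUPnGL7vpOg+77r8h7wLIGvmFY8Eg0Sqpb55QkNx5VC7tbi3b9lCZNTtYMAuhlpBg18PAskUm2HV/tHUv3LhHC1bx9IMW+O9Vct2AKijlPP3uEVY6yKawtymU9EqM9RCSX2hjwg6CtG0sCIimAZCIdEMaFnaTlnKJ/Mlb7KHSmJLDxfQF root@outmail
        #   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKusytc5zOHCK5nEzenYCVyCV4UHA6urvNbS7WSy4Asp9p5iaWSruwnyD5wlpUlyauJg/UmZuSdzh80+CQv1/bBTHgLJlbm1IBvORGNpcMzvrPMFfvSu+PcDs5VQpmZ99EtRrS5htpR14/lkfleCVLLUjYCm+O6qSk3kEhjJrO3BsDPZ8hc4nOOzThzcKGr+3VFQRygjWpIe1dMDLtD/aHuR+n4q3e3k82r4X+ok+owm01OIqyDTlVlmTCS68QR0pSKZU+gH7lVHUWn/j+B8y7ASx/uwC+FvG9vPmOC93ATpW+B6A5zP/cWisiHq6ugoVZ0pdL/pJ77tIAtjTqeuZJ root@ns-h1
        #   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDpA9f8+NuCLU3syBx9CoHMaMiUwx5lQ4QLVi2cVrpz5viYn/zDN+aEABBWBgdlUv0EqwvTVY9cKofDGWCMOPWFyv02gOxiKyAN5lh+iUlaetryKuV0LpU4JGcwJJjdGkv9JL0CplyCl/crP4JLpDp7rJuzy2hkwofuOxdepVPISXSmNX8D9p9wtdgfke1A/AOOtx7DaK9vnDajSQBeU60Y0Y1bBkJgP+jZn88U2QOVvCQr1GnDJk8Op7lABIh+Dk1NgICufH9O06EDk5t5Wn7LxdfxFXqLl1HiRJLeQ8IamfAXxf6QNWvi6KoDk1tV5at4fH0V0Q+x0P3bxfJMgkAf root@minnow
        #   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDn1o9OFu18ZuX0WHN8OSNQgiLlcA+n1lJnI1AP9bNNcdPz9Bp9ux0aCitu7LtegBAytw+95B8OtELz5PDX0NKVWl+pgjsMSWclQBvyEcPjsKEBdn10PaPLOxBsG+nskXdWfTbpIphADOvwArVPd4bdmNoEkj3xNK4LFEq62gNVy9gJRJhwGGKj7eDsnqkmXrLgxxMGwa5rDWAD8UrrOrcUbVibQrqEUVZd1Arw2z6WItuqYDzTRbLjIeHB3qgTy6S8Bzd4Natq6nfogScwcftTjRE9wE3Y2jfkgOvrvpy8GaA4SNpnUQAUpdJmu4tsxvOykdEEnMMJOWtTOorsfX2N root@platypus
        #   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCeStXzBGzv156b/fa10LuhNkMlTIA9f5i0+8CWTPU5HV45jbqXdX1vb5K+Hm62pl5UriQSq3zM4wap6KyZqbdQIuPj5N7xfBCBKf8dZDiLbhNNTu9y6yMKcgwcmh7Fa0HiAjlYawwPgrjpubAk5YNA4jnxqC+7Qz99xTPGkMk5AKJmPOgeKx1TPDjWu20vdW5YF44VQ28LkaP4QMIkoZSeYvLKOIuUOD0GHLqnNgHi/GbsPMN5pFM1fYuPz8GVz8+r5vYGdkONXNg6GxRLLx9XvmwJonblKBeWlFQqdDpjq4eEPyc5Hwu/Hdg2NYZZLmCFZD4tbMKwmpdBbTzlB+BF root@dnsbl.rjek.com
    mailname: nalanda.liw.fi
    smarthost: pieni.net
    smarthost_user: pienirelay
    # Pulled from the password store at run time; never a literal here.
    smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
    relayhost: pieni.net:587
    sshd_version: 1
    sshd_host_key: "{{ lookup('pipe', 'sshca host private-key nalanda.liw.fi') }}"
    sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v5 nalanda.liw.fi') }}"
    sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"

# Retired play for gregvm, kept for reference only.
# - hosts: gregvm
#   remote_user: root
#   pre_tasks:
#     - name: "set up resolv.conf"
#       copy:
#         content: |
#           # nameserver config
#           nameserver 213.133.99.99
#           nameserver 213.133.98.98
#           nameserver 213.133.100.100
#           nameserver 2a01:4f8:0:1::add:1010
#           nameserver 2a01:4f8:0:1::add:9999
#           nameserver 2a01:4f8:0:1::add:9898
#         dest: /etc/resolv.conf
#         owner: root
#         group: root
#         mode: 0644
#   roles:
#     - sane_debian_system
#     - unix_users
#   tasks:
#     - name: "disable non-key authentication for ssh"
#       lineinfile:
#         path: /etc/ssh/sshd_config
#         regexp: "^PasswordAuthentication"
#         line: "PasswordAuthentication no"
#   vars:
#     ansible_python_interpreter: /usr/bin/python3
#     hostname: gregvm
#     debian_codename: buster
#     timezone: UTC
#     unix_users:
#       - username: greg
#         comment: Greg
#         sudo: yes
#         authorized_keys: |
#           {{ greg_ssh_pub }}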