path: root/ansible/holywood2.yml
blob: ac4d72fb88e762d5a939abee08a75d9647458f61 (plain)
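---
# Playbook for the host holywood2: applies the roles listed below, installs a
# weekly cron job that reads every file under /mnt, and sets the variables the
# roles consume.
- hosts: holywood2
  # Ansible logs in directly as root, so every role and task in this play runs
  # with full privileges on the target.
  remote_user: root
  roles:
    - sane_debian_system
    - sshd
    - ssd
    - comfortable-debian-system
    - version-controller
    - unix_users
    - apache_server
    - role: holywood2
      tags: holywood2
    - smarthost-client
    - self-updating-system
  tasks:
    # Weekly job that reads every regular file under /mnt/*/* and throws the
    # data away (presumably so that unreadable blocks surface as read errors).
    # find hands each path to cat as an argument, so file names are not
    # re-parsed by a shell. Only stdout is redirected: whatever find or cat
    # writes to stderr is left for cron to report.
    - cron:
        name: "scrub file systems"
        special_time: weekly
        job: "find /mnt/*/* -type f -exec cat '{}' ';' > /dev/null"
  vars:
    ansible_python_interpreter: /usr/bin/python3

    sane_debian_system_version: 2
    sane_debian_system_hostname: holywood2
    sane_debian_system_codename: bullseye
    sane_debian_system_mirror: deb.debian.org
    sane_debian_system_sources_lists:
      # NOTE(review): both repositories are fetched over plain http, so
      # package integrity rests on APT signature verification alone. This
      # entry names no signing_key; presumably the role relies on the stock
      # Debian archive keyring for it -- confirm.
      - repo: deb http://deb.debian.org/debian bullseye main contrib non-free

      # CI-built package repository. ci_prod_signing_key is defined outside
      # this file and is the trust anchor for everything installed from here;
      # how the role installs and scopes that key is not visible in this file.
      - repo: deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main
        signing_key: "{{ ci_prod_signing_key }}"

    unix_users_version: 2
    unix_users:
      - username: liw
        comment: Lars Wirzenius
        sudo: true
        authorized_keys: |
          {{ liw_personal_ssh_pub }}
      - username: root
        # The private key is read from the `pass` store on the control node
        # when the variable is templated, so the key material is not stored
        # in this file.
        # NOTE(review): confirm the unix_users role sets no_log on the task
        # that writes it, otherwise the key can show up in verbose output.
        ssh_key: "{{ lookup('pipe', 'pass show root_at_holywood2_ssh_key') }}"
        ssh_key_pub: "{{ root_at_holywood2_ssh_key_pub }}"
        authorized_keys: |
          {{ liw_personal_ssh_pub }}

    mailname: "{{ sane_debian_system_hostname }}.liw.fi"
    relayhost: pieni.net:587
    smarthost: pieni.net
    smarthost_user: pienirelay
    # Relay password, also fetched from `pass` on the control node at template
    # time rather than written here.
    smarthost_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"

    # NOTE(review): presumably read by apache_server; with it off, confirm how
    # (or whether) the web server gets a TLS certificate.
    letsencrypt: false

    sshd_version: 1
    # Host private key, host certificate and user CA public key are all
    # produced by the sshca tool on the control node.
    # NOTE(review): sshd_user_ca_pub presumably becomes the CA that sshd
    # trusts for user certificates, which would let liw.fi/ca/user/v3 issue
    # logins for this host -- confirm in the sshd role.
    sshd_host_key: "{{ lookup('pipe', 'sshca host private-key holywood2') }}"
    sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 holywood2') }}"
    sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}"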