ci: deploy config on merge or push ()

Reviewed-on: 
Co-authored-by: Michael Grote <michael.grote@posteo.de>
Co-committed-by: Michael Grote <michael.grote@posteo.de>

ci: testing deployment ()

Reviewed-on: 
Co-authored-by: Michael Grote <michael.grote@posteo.de>
Co-committed-by: Michael Grote <michael.grote@posteo.de>

ci: test

ci: enable deployment

ci: set ssh-key for deployment

ci: debug

ci: deactivate ansible-lint temporarily

ci: deactivate ansible-galaxy temporarily

ci: debug ssh-key shell redirect

ci: base64

ci: debug

ci: debug

ci: fix output

Revert "ci: deactivate ansible-lint temporarily"

This reverts commit 6729342f26.

ci: fix vault-pass secret

pbs_integration: enable no_log

ci: debug ansible-vault

ci: debug

ci: ansible-vault + move to viczem.keepass ()

Reviewed-on: 
Co-authored-by: Michael Grote <michael.grote@posteo.de>
Co-committed-by: Michael Grote <michael.grote@posteo.de>

ff

plugin umbenennung

ff
This commit is contained in:
Michael Grote 2024-07-09 17:35:56 +02:00
parent 697f4ad89b
commit 28f22968da
44 changed files with 127 additions and 219 deletions


@ -23,3 +23,4 @@ exclude_paths:
- roles/ansible-ufw
- roles/ansible_role_gitea
- roles/ansible-role-postgresql
- .woodpecker/


@ -6,13 +6,19 @@ steps:
ansible-lint:
image: quay.io/ansible/creator-ee:v24.2.0
commands:
- ansible-lint --version
- echo $${VAULTPASS} > ./vault-pass.yml # nach des Secret in Großschreibung
# Secrets
- echo $${SSHKEY} | base64 -d > ./id_ed25519 # woodpecker verschluckt linebreakes, daher mit base64 -w0 "kodiert"
- echo $${VAULTPASS} | base64 -d > ./vault-pass.yml # Name des Secrets in Großschreibung
- chmod 0400 ./id_ed25519
# Abhängigkeiten
- pip install pykeepass Jinja2 markupsafe jmespath --user
- ansible-galaxy install -r requirements.yaml
# Doing
- ansible-lint --version
- ansible-lint --force-color --format pep8
# https://woodpecker-ci.org/docs/usage/secrets#use-secrets-in-commands
secrets: [vaultpass]
when:
- event: [push, pull_request, cron]
- event: [push, pull_request, cron, pull_request_closed, tag, release, manual]
evaluate: 'CI_COMMIT_AUTHOR_EMAIL != "renovate@mgrote.net"'
...
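Review bot: The lint step decodes `$${SSHKEY}` into `./id_ed25519`, but its `secrets:` list still names only `vaultpass`, so unless Woodpecker exposes the key some other way the variable expands empty and the step writes an empty key file. Linting does not need a deploy key, so the two lines `- echo $${SSHKEY} | base64 -d > ./id_ed25519 ...` and `- chmod 0400 ./id_ed25519` can be dropped from this workflow instead of adding `sshkey` to the list. The decoded vault password is also left in the workspace with the default file mode; `chmod 0400 ./vault-pass.yml` after the decode keeps it consistent with the key file, or both decodes can run under `(umask 077; ...)` so the files never exist with a wider mode.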


@ -0,0 +1,25 @@
---
depends_on:
- ansible-lint
steps:
ansible-playbook:
image: quay.io/ansible/creator-ee:v24.2.0
commands:
# Secrets
- echo $${SSHKEY} | base64 -d > ./id_ed25519 # woodpecker verschluckt linebreakes, daher mit base64 -w0 "kodiert"
- echo $${VAULTPASS} | base64 -d > ./vault-pass.yml # Name des Secrets in Großschreibung
- chmod 0400 ./id_ed25519
# Abhängigkeiten
- pip install 'pykeepass==4.0.3' --user
- ansible-galaxy install -r requirements.yaml
# Debug
- ansible localhost -m debug -a "var={{ lookup('viczem.keepass.keepass', 'restic_repository_password', 'password') }}"
# Doing
- ansible-playbook playbooks/2_all.yml playbooks/3_service/* --limit production
# https://woodpecker-ci.org/docs/usage/secrets#use-secrets-in-commands
secrets: [vaultpass, sshkey]
when:
- event: [push, pull_request_closed]
branch: master
...
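Review bot: The `# Debug` step `ansible localhost -m debug -a "var={{ lookup('viczem.keepass.keepass', 'restic_repository_password', 'password') }}"` prints the restic repository password into the build log; as far as I can tell Woodpecker's log masking covers only the secrets it injects (`vaultpass`, `sshkey`), not values the lookup resolves at runtime, so the password would be kept in plaintext in the pipeline output. Remove the line before this workflow runs against `--limit production`, or if a smoke test of the lookup is wanted, print only the length: `- ansible localhost -m debug -a "msg={{ lookup('viczem.keepass.keepass', 'restic_repository_password', 'password') | length }}"`. The `when:` block also fires on `pull_request_closed`; if that event is emitted for pull requests closed without a merge (confirm against the Woodpecker docs), a rejected PR targeting `master` could still start the production deploy, while `push` on `master` already covers the merge case.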


@ -5,6 +5,6 @@ steps:
commands:
- gitleaks detect --no-git --verbose --source $CI_WORKSPACE
when:
- event: [push, pull_request, cron]
- event: [push, pull_request, cron, pull_request_closed, tag, release, manual]
evaluate: 'CI_COMMIT_AUTHOR_EMAIL != "renovate@mgrote.net"'
...


@ -28,7 +28,7 @@ services:
# FLASK_APP: app # for debugging
MAX_CONTENT_LENGTH: 500
UPLOAD_DIRECTORY: /uploads
AUTH_TOKEN: "{{ lookup('keepass', 'httpd-api-server-token', 'password') }}"
AUTH_TOKEN: "{{ lookup('viczem.keepass.keepass', 'httpd-api-server-token', 'password') }}"
ENABLE_WEBSERVER: false
volumes:


@ -9,7 +9,7 @@ services:
environment:
SMTP_SERVER: smtp.strato.de
SMTP_USERNAME: info@mgrote.net
SMTP_PASSWORD: "{{ lookup('keepass', 'strato_smtp_password', 'password') }}"
SMTP_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'strato_smtp_password', 'password') }}"
SERVER_HOSTNAME: mgrote.net
# DEBUG: "yes" # as string not boolean
ALWAYS_ADD_MISSING_HEADERS: "no" # as string not boolean


@ -8,11 +8,11 @@ services:
depends_on:
- mf-db16
environment:
DATABASE_URL: "postgres://miniflux:{{ lookup('keepass', 'miniflux_postgres_password', 'password') }}@mf-db16/miniflux?sslmode=disable"
DATABASE_URL: "postgres://miniflux:{{ lookup('viczem.keepass.keepass', 'miniflux_postgres_password', 'password') }}@mf-db16/miniflux?sslmode=disable"
RUN_MIGRATIONS: 1
# CREATE_ADMIN: 1
# ADMIN_USERNAME: adminmf
# ADMIN_PASSWORD: "{{ lookup('keepass', 'miniflux_admin_password', 'password') }}"
# ADMIN_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'miniflux_admin_password', 'password') }}"
WORKER_POOL_SIZE: 10
POLLING_FREQUENCY: 10
CLEANUP_ARCHIVE_UNREAD_DAYS: -1
@ -38,7 +38,7 @@ services:
restart: always
environment:
POSTGRES_USER: miniflux
POSTGRES_PASSWORD: "{{ lookup('keepass', 'miniflux_postgres_password', 'password') }}"
POSTGRES_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'miniflux_postgres_password', 'password') }}"
TZ: Europe/Berlin
POSTGRES_HOST_AUTH_METHOD: "md5" # Workaround beim Migration von 13 -> 16; https://eelkevdbos.medium.com/upgrade-postgresql-with-docker-compose-99d995e464 ;
volumes:
@ -58,7 +58,7 @@ services:
restart: always
environment:
TZ: Europe/Berlin
MF_AUTH_TOKEN: "{{ lookup('keepass', 'miniflux_auth_token', 'password') }}"
MF_AUTH_TOKEN: "{{ lookup('viczem.keepass.keepass', 'miniflux_auth_token', 'password') }}"
MF_API_URL: https://miniflux.mgrote.net/v1
MF_SLEEP: 600
#MF_DEBUG: 1


@ -54,7 +54,7 @@ volumes:
driver: local
driver_opts:
type: "cifs"
o: "user=navidrome,password={{ lookup('keepass', 'navidrome_smb_share_password', 'password') }}"
o: "user=navidrome,password={{ lookup('viczem.keepass.keepass', 'navidrome_smb_share_password', 'password') }}"
device: "//192.168.2.54/musik/Musik"
######## Networks ########
networks:


@ -11,8 +11,8 @@ services:
- /etc/timezone:/etc/timezone:ro
- db:/var/lib/mysql
environment:
MYSQL_ROOT_PASSWORD: "{{ lookup('keepass', 'nextcloud_mysql_root_password', 'password') }}"
MYSQL_PASSWORD: "{{ lookup('keepass', 'nextcloud_mysql_password', 'password') }}"
MYSQL_ROOT_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'nextcloud_mysql_root_password', 'password') }}"
MYSQL_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'nextcloud_mysql_password', 'password') }}"
MYSQL_DATABASE: nextcloud
MYSQL_USER: nextcloud
MYSQL_INITDB_SKIP_TZINFO: 1
@ -45,9 +45,9 @@ services:
networks:
- intern
restart: unless-stopped
command: "redis-server --requirepass {{ lookup('keepass', 'nextcloud_redis_host_password', 'password') }}"
command: "redis-server --requirepass {{ lookup('viczem.keepass.keepass', 'nextcloud_redis_host_password', 'password') }}"
healthcheck:
test: ["CMD", "redis-cli", "--pass", "{{ lookup('keepass', 'nextcloud_redis_host_password', 'password') }}", "--no-auth-warning", "ping"]
test: ["CMD", "redis-cli", "--pass", "{{ lookup('viczem.keepass.keepass', 'nextcloud_redis_host_password', 'password') }}", "--no-auth-warning", "ping"]
interval: 5s
timeout: 2s
retries: 3
@ -77,15 +77,15 @@ services:
environment:
# redis
REDIS_HOST: nextcloud-redis
REDIS_HOST_PASSWORD: "{{ lookup('keepass', 'nextcloud_redis_host_password', 'password') }}"
REDIS_HOST_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'nextcloud_redis_host_password', 'password') }}"
# mysql
MYSQL_DATABASE: nextcloud
MYSQL_USER: nextcloud
MYSQL_PASSWORD: "{{ lookup('keepass', 'nextcloud_mysql_password', 'password') }}"
MYSQL_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'nextcloud_mysql_password', 'password') }}"
MYSQL_HOST: nextcloud-db
# admin
NEXTCLOUD_ADMIN_USER: n-admin
NEXTCLOUD_ADMIN_PASSWORD: "{{ lookup('keepass', 'nextcloud_admin_user_password', 'password') }}"
NEXTCLOUD_ADMIN_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'nextcloud_admin_user_password', 'password') }}"
# misc
NEXTCLOUD_TRUSTED_DOMAINS: "nextcloud.mgrote.net"
PHP_MEMORY_LIMIT: 1024M


@ -2,7 +2,7 @@
# Vorraussetzungen siehe https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md
# lldap_bind_user=nextcloud_bind_user
# lldap_bind_user_pass="{{ lookup('keepass', 'nextcloud_lldap_bind_user_pass', 'password') }}"
# lldap_bind_user_pass="{{ lookup('viczem.keepass.keepass', 'nextcloud_lldap_bind_user_pass', 'password') }}"
# lldap_bind_user_groups=lldap_strict_readonly
php occ app:install user_ldap
@ -15,7 +15,7 @@ php occ ldap:set-config s01 ldapPort 3890
# EDIT: admin user
php occ ldap:set-config s01 ldapAgentName "uid=nextcloud_bind_user,ou=people,dc=mgrote,dc=net"
# EDIT: password
php occ ldap:set-config s01 ldapAgentPassword "{{ lookup('keepass', 'nextcloud_lldap_bind_user_pass', 'password') }}"
php occ ldap:set-config s01 ldapAgentPassword "{{ lookup('viczem.keepass.keepass', 'nextcloud_lldap_bind_user_pass', 'password') }}"
# EDIT: Base DN
php occ ldap:set-config s01 ldapBase "dc=mgrote,dc=net"
php occ ldap:set-config s01 ldapBaseUsers "dc=mgrote,dc=net"



@ -21,7 +21,7 @@ services:
TZ: Europe/Berlin
REGISTRY_AUTH: none
REGISTRY_REDIS_ADDR: oci-registry-redis:6379
REGISTRY_REDIS_PASSWORD: "{{ lookup('keepass', 'oci-registry-redis-pw', 'password') }}"
REGISTRY_REDIS_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'oci-registry-redis-pw', 'password') }}"
REGISTRY_STORAGE_DELETE_ENABLED: true
REGISTRY_CATALOG_MAXENTRIES: 100000 # https://github.com/Joxit/docker-registry-ui/issues/306
# https://joxit.dev/docker-registry-ui/#using-cors
@ -58,7 +58,7 @@ services:
- intern
restart: always
environment:
REDIS_PASSWORD: "{{ lookup('keepass', 'oci-registry-redis-pw', 'password') }}"
REDIS_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'oci-registry-redis-pw', 'password') }}"
MAXMEMORY POLICY: allkeys-lru
healthcheck:
test: ["CMD", "redis-cli", "ping"]


@ -1 +1 @@
{{ lookup('keepass', 'routeros-config-backup_deploy-token', 'notes') }}
{{ lookup('viczem.keepass.keepass', 'routeros-config-backup_deploy-token', 'notes') }}


@ -1 +1 @@
{{ lookup('keepass', 'routeros-config-backup_crs305_private_key', 'notes') }}
{{ lookup('viczem.keepass.keepass', 'routeros-config-backup_crs305_private_key', 'notes') }}


@ -1 +1 @@
{{ lookup('keepass', 'routeros-config-backup_hex_private_key', 'notes') }}
{{ lookup('viczem.keepass.keepass', 'routeros-config-backup_hex_private_key', 'notes') }}


@ -1 +1 @@
{{ lookup('keepass', 'routeros-config-backup_rb5009_private_key', 'notes') }}
{{ lookup('viczem.keepass.keepass', 'routeros-config-backup_rb5009_private_key', 'notes') }}


@ -31,7 +31,7 @@ services:
image: "nosduco/nforwardauth:v1.4.0"
container_name: traefik-nforwardauth
environment:
TOKEN_SECRET: "{{ lookup('keepass', 'nforwardauth_token_secret', 'password') }}"
TOKEN_SECRET: "{{ lookup('viczem.keepass.keepass', 'nforwardauth_token_secret', 'password') }}"
AUTH_HOST: auth.mgrote.net
labels:
traefik.enable: true


@ -1 +1 @@
{{ lookup('keepass', 'nforwardauth-mg-hash', 'password') }}
{{ lookup('viczem.keepass.keepass', 'nforwardauth-mg-hash', 'password') }}


@ -9,7 +9,7 @@ services:
PGID: 1000
TZ: Etc/UTC
MONGO_USER: unifiuser
MONGO_PASS: "{{ lookup('keepass', 'unifi-mongodb-pass', 'password') }}"
MONGO_PASS: "{{ lookup('viczem.keepass.keepass', 'unifi-mongodb-pass', 'password') }}"
MONGO_HOST: unifi-db
MONGO_PORT: 27017
MONGO_DBNAME: unifidb


@ -16,9 +16,9 @@ services:
WOODPECKER_WEBHOOK_HOST: http://docker10.mgrote.net:8000
WOODPECKER_GITEA: true
WOODPECKER_GITEA_URL: https://git.mgrote.net
WOODPECKER_GITEA_CLIENT: "{{ lookup('keepass', 'woodpecker-oauth2-client-id', 'password') }}"
WOODPECKER_GITEA_SECRET: "{{ lookup('keepass', 'woodpecker-oauth2-client-secret', 'password') }}"
WOODPECKER_AGENT_SECRET: "{{ lookup('keepass', 'woodpecker-agent-secret', 'password') }}"
WOODPECKER_GITEA_CLIENT: "{{ lookup('viczem.keepass.keepass', 'woodpecker-oauth2-client-id', 'password') }}"
WOODPECKER_GITEA_SECRET: "{{ lookup('viczem.keepass.keepass', 'woodpecker-oauth2-client-secret', 'password') }}"
WOODPECKER_AGENT_SECRET: "{{ lookup('viczem.keepass.keepass', 'woodpecker-agent-secret', 'password') }}"
WOODPECKER_ADMIN: mg
WOODPECKER_LOG_LEVEL: info
WOODPECKER_DEBUG_PRETTY: true
@ -53,7 +53,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock
environment:
WOODPECKER_SERVER: woodpecker-server:9000
WOODPECKER_AGENT_SECRET: "{{ lookup('keepass', 'woodpecker-agent-secret', 'password') }}"
WOODPECKER_AGENT_SECRET: "{{ lookup('viczem.keepass.keepass', 'woodpecker-agent-secret', 'password') }}"
WOODPECKER_MAX_WORKFLOWS: 20
WOODPECKER_DEBUG_PRETTY: true
WOODPECKER_LOG_LEVEL: info
@ -68,8 +68,8 @@ volumes:
agent-config:
# git.mgrote.net -> Settings -> Applications -> woodpecker
# WOODPECKER_GITEA_CLIENT: "{{ lookup('keepass', 'woodpecker-oauth2-client-id', 'password') }}"
# WOODPECKER_GITEA_SECRET: "{{ lookup('keepass', 'woodpecker-oauth2-client-secret', 'password') }}"
# WOODPECKER_GITEA_CLIENT: "{{ lookup('viczem.keepass.keepass', 'woodpecker-oauth2-client-id', 'password') }}"
# WOODPECKER_GITEA_SECRET: "{{ lookup('viczem.keepass.keepass', 'woodpecker-oauth2-client-secret', 'password') }}"
# Redirect URL: https://ci.mgrote.net/authorize
######## Networks ########


@ -5,4 +5,4 @@ sealed_secrets_user: sealed_secrets
kubeseal_download_url: "https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.1/kubeseal-0.19.1-linux-amd64.tar.gz"
kubeseal_path_bin: /usr/local/sbin
kubeconfig: /etc/rancher/k3s/k3s.yaml
sealed_secrets_keepass_entry_name: "{{ lookup('keepass', 'k3s-sealed-secrets-private-key', 'notes') }}" # mit kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml >main.key holen
sealed_secrets_keepass_entry_name: "{{ lookup('viczem.keepass.keepass', 'k3s-sealed-secrets-private-key', 'notes') }}" # mit kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml >main.key holen


@ -23,7 +23,7 @@ netplan_configure: true
### mgrote_user
users:
- username: mg
password: "{{ lookup('keepass', 'mg_linux_password_hash', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'mg_linux_password_hash', 'password') }}"
update_password: always
groups: ssh, sudo
state: present
@ -31,7 +31,7 @@ users:
allow_sudo: true
allow_passwordless_sudo: true
- username: ansible-user
password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'ansible_user_linux_password_hash', 'password') }}"
update_password: always
groups: ssh, sudo
state: present
@ -95,8 +95,8 @@ restic_exclude: |
restic_folders_to_backup: "/usr/local /etc /root /home"
restic_repository: "//fileserver3.mgrote.net/restic"
restic_fail_mail: michael.grote@posteo.de
restic_repository_password: "{{ lookup('keepass', 'restic_repository_password', 'password') }}"
restic_mount_password: "{{ lookup('keepass', 'fileserver_smb_user_restic', 'password') }}" #gitleaks:allow
restic_repository_password: "{{ lookup('viczem.keepass.keepass', 'restic_repository_password', 'password') }}"
restic_mount_password: "{{ lookup('viczem.keepass.keepass', 'fileserver_smb_user_restic', 'password') }}" #gitleaks:allow
restic_mount_user: restic
restic_schedule: "*-*-* 4:00:00"


@ -27,7 +27,7 @@ apt_packages_extra:
### mgrote_user
users:
- username: mg
password: "{{ lookup('keepass', 'mg_linux_password_hash', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'mg_linux_password_hash', 'password') }}"
update_password: always
groups: ssh, sudo, docker
state: present
@ -35,7 +35,7 @@ users:
allow_sudo: true
allow_passwordless_sudo: true
- username: docker-user
password: "{{ lookup('keepass', 'docker-user_linux_password_hash', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'docker-user_linux_password_hash', 'password') }}"
update_password: always
groups: ssh, sudo, docker
state: present
@ -43,7 +43,7 @@ users:
allow_passwordless_sudo: true
uid: "5000"
- username: ansible-user
password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'ansible_user_linux_password_hash', 'password') }}"
update_password: always
groups: ssh, sudo
state: present


@ -91,14 +91,14 @@ gitea_db_type: "postgres"
gitea_db_host: "localhost"
gitea_db_name: "gitea"
gitea_db_user: "gitea"
gitea_db_password: "{{ lookup('keepass', 'forgejo_db_password', 'password') }}"
gitea_db_password: "{{ lookup('viczem.keepass.keepass', 'forgejo_db_password', 'password') }}"
# indexer
gitea_repo_indexer_enabled: true
# security
gitea_disable_webhooks: false
gitea_password_check_pwn: false
gitea_internal_token: "{{ lookup('keepass', 'forgejo_internal_token', 'password') }}"
gitea_secret_key: "{{ lookup('keepass', 'forgejo_secret_key', 'password') }}"
gitea_internal_token: "{{ lookup('viczem.keepass.keepass', 'forgejo_internal_token', 'password') }}"
gitea_secret_key: "{{ lookup('viczem.keepass.keepass', 'forgejo_secret_key', 'password') }}"
# service
gitea_disable_registration: true
gitea_register_email_confirm: true
@ -141,7 +141,7 @@ gitea_extra_config: |
[repo-archive]
ENABLED = false
# oauth2
gitea_oauth2_jwt_secret: "{{ lookup('keepass', 'forgejo_oauth2_jwt_secret', 'password') }}"
gitea_oauth2_jwt_secret: "{{ lookup('viczem.keepass.keepass', 'forgejo_oauth2_jwt_secret', 'password') }}"
# Fail2Ban configuration
gitea_fail2ban_enabled: true
gitea_fail2ban_jail_maxretry: "3"
@ -153,6 +153,6 @@ gitea_fail2ban_jail_action: "iptables-allports"
gitea_ldap_host: "ldap.mgrote.net"
gitea_ldap_base_path: "dc=mgrote,dc=net"
gitea_ldap_bind_user: "forgejo_bind_user"
gitea_ldap_bind_pass: "{{ lookup('keepass', 'lldap_forgejo_bind_user', 'password') }}"
gitea_ldap_bind_pass: "{{ lookup('viczem.keepass.keepass', 'lldap_forgejo_bind_user', 'password') }}"
gitea_admin_user: "fadmin"
gitea_admin_user_pass: "{{ lookup('keepass', 'forgejo_admin_user_pass', 'password') }}"
gitea_admin_user_pass: "{{ lookup('viczem.keepass.keepass', 'forgejo_admin_user_pass', 'password') }}"


@ -41,13 +41,13 @@ lldap_http_port: 17170
lldap_http_host: "0.0.0.0"
lldap_ldap_host: "0.0.0.0"
lldap_public_url: http://ldap.mgrote.net:17170
lldap_jwt_secret: "{{ lookup('keepass', 'lldap_jwt_secret', 'password') }}"
lldap_jwt_secret: "{{ lookup('viczem.keepass.keepass', 'lldap_jwt_secret', 'password') }}"
lldap_ldap_base_dn: "dc=mgrote,dc=net"
lldap_admin_username: ladmin # only used on setup
lldap_admin_password: "{{ lookup('keepass', 'lldap_ldap_user_pass', 'password') }}" # only used on setup; also bind-secret
lldap_admin_password: "{{ lookup('viczem.keepass.keepass', 'lldap_ldap_user_pass', 'password') }}" # only used on setup; also bind-secret
lldap_admin_mailaddress: lldap-admin@mgrote.net # only used on setup
lldap_database_url: "postgres://{{ lldap_db_user }}:{{ lldap_db_pass }}@{{ lldap_db_host }}/{{ lldap_db_name }}"
lldap_key_seed: "{{ lookup('keepass', 'lldap_key_seed', 'password') }}"
lldap_key_seed: "{{ lookup('viczem.keepass.keepass', 'lldap_key_seed', 'password') }}"
#lldap_smtp_from: "lldap@mgrote.net" # unused in role
lldap_smtp_reply_to: "Do not reply <info@mgrote.net>"
lldap_smtp_server: "docker10.mgrote.net"
@ -58,6 +58,6 @@ lldap_smtp_enable_password_reset: "true" # must be a string not a boolean
# "meta vars"; daraus werden die db-url und die postgres-db abgeleitet
lldap_db_name: "lldap"
lldap_db_user: "lldap"
lldap_db_pass: "{{ lookup('keepass', 'lldap_db_pass', 'password') }}"
lldap_db_pass: "{{ lookup('viczem.keepass.keepass', 'lldap_db_pass', 'password') }}"
lldap_db_host: "localhost"
...


@ -11,14 +11,14 @@ restic_repository: "//192.168.2.54/restic"
### mgrote_user
users:
- username: root
password: "{{ lookup('keepass', 'root_linux_password_hash_proxmox', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'root_linux_password_hash_proxmox', 'password') }}"
update_password: always
groups: ssh, sudo, root
state: present
allow_sudo: true
allow_passwordless_sudo: true
- username: mg
password: "{{ lookup('keepass', 'mg_linux_password_hash', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'mg_linux_password_hash', 'password') }}"
update_password: always
groups: ssh, sudo
state: present
@ -26,7 +26,7 @@ users:
allow_sudo: true
allow_passwordless_sudo: true
- username: ansible-user
password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'ansible_user_linux_password_hash', 'password') }}"
update_password: always
groups: ssh, sudo
state: present


@ -5,14 +5,14 @@ netplan_configure: false
### mgrote_user
users:
- username: root
password: "{{ lookup('keepass', 'root_linux_password_hash_proxmox', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'root_linux_password_hash_proxmox', 'password') }}"
update_password: always
groups: ssh, sudo, root
state: present
allow_sudo: true
allow_passwordless_sudo: true
- username: mg
password: "{{ lookup('keepass', 'mg_linux_password_hash', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'mg_linux_password_hash', 'password') }}"
update_password: always
groups: ssh, sudo
state: present
@ -20,7 +20,7 @@ users:
allow_sudo: true
allow_passwordless_sudo: true
- username: ansible-user
password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'ansible_user_linux_password_hash', 'password') }}"
update_password: always
groups: ssh, sudo
state: present
@ -30,7 +30,7 @@ users:
### mgrote_cv4pve_autosnap
cv4pve_api_user: root@pam!cv4pve-autosnap
cv4pve_api_token: "{{ lookup('keepass', 'cv4pve_api_token', 'password') }}"
cv4pve_api_token: "{{ lookup('viczem.keepass.keepass', 'cv4pve_api_token', 'password') }}"
cv4pve_vmid: all,-115
cv4pve_keep_snapshots: 5
cv4pve_version: v1.14.10


@ -23,7 +23,7 @@ cifs_mounts:
dest: /mnt/fileserver3_photoprism_bilder_ro
src: //fileserver3.mgrote.net/bilder
user: photoprism
password: "{{ lookup('keepass', 'fileserver_smb_user_photoprism', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'fileserver_smb_user_photoprism', 'password') }}"
domain: mgrote.net
uid: 5000
gid: 5000


@ -32,29 +32,29 @@ ytdl_enable_podcast_download: false
ytdl_podcast_output: "/shares_music/Podcasts/%(playlist)s/%(id)s.%(ext)s"
ytdl_video_log_output: "/shares_videos/Youtube/archive-youtube.log"
ytdl_podcast_log_output: "/shares_music/Podcasts/archive-podcast.log"
ytdl_youtube_username: "{{ lookup('keepass', 'youtubedl_youtube_login', 'username') }}"
ytdl_youtube_password: "{{ lookup('keepass', 'youtubedl_youtube_login', 'password') }}"
ytdl_youtube_username: "{{ lookup('viczem.keepass.keepass', 'youtubedl_youtube_login', 'username') }}"
ytdl_youtube_password: "{{ lookup('viczem.keepass.keepass', 'youtubedl_youtube_login', 'password') }}"
ytdl_conf_dir: "/etc/youtubedl" # ohne / am ende
ytdl_download_limit: "10000K"
### mgrote_fileserver_smb
smb_users:
- name: 'restic'
password: "{{ lookup('keepass', 'fileserver_smb_user_restic', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'fileserver_smb_user_restic', 'password') }}"
- name: 'win10'
password: "{{ lookup('keepass', 'fileserver_smb_user_win10', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'fileserver_smb_user_win10', 'password') }}"
- name: 'kodi'
password: "{{ lookup('keepass', 'fileserver_smb_user_kodi', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'fileserver_smb_user_kodi', 'password') }}"
- name: 'michaelgrote'
password: "{{ lookup('keepass', 'fileserver_smb_user_michaelgrote', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'fileserver_smb_user_michaelgrote', 'password') }}"
- name: 'navidrome'
password: "{{ lookup('keepass', 'fileserver_smb_user_navidrome', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'fileserver_smb_user_navidrome', 'password') }}"
- name: 'docker'
password: "{{ lookup('keepass', 'fileserver_smb_user_docker', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'fileserver_smb_user_docker', 'password') }}"
- name: 'pve'
password: "{{ lookup('keepass', 'fileserver_smb_user_pve', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'fileserver_smb_user_pve', 'password') }}"
- name: 'brother_ads2700w'
password: "{{ lookup('keepass', 'fileserver_smb_user_brother_ads2700w', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'fileserver_smb_user_brother_ads2700w', 'password') }}"
smb_shares:
- name: 'videos'


@ -21,10 +21,10 @@ pbs_permissions:
pbs_users:
- name: user_pve5
password: "{{ lookup('keepass', 'pbs_pve_user', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'pbs_pve_user', 'password') }}"
realm: pbs
- name: user_pve5-test
password: "{{ lookup('keepass', 'pbs_pve_user-test', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'pbs_pve_user-test', 'password') }}"
realm: pbs
# rpool ist unverschlüsselt als Boot-Medium
# entschlüsseln nach Boot mit: sudo zpool import -d /dev/disk/by-id/ -a && sudo zfs mount -a -l
@ -77,7 +77,7 @@ sanoid_snaps_enable: true
## syncoid
sanoid_syncoid_destination_host: false
sanoid_syncoid_ssh_privkey: "{{ lookup('keepass', 'sanoid_syncoid_private_key', 'notes') }}"
sanoid_syncoid_ssh_privkey: "{{ lookup('viczem.keepass.keepass', 'sanoid_syncoid_private_key', 'notes') }}"
sanoid_syncoid_timer: '*-*-* *:00:00' # jede Stunde
sanoid_syncoid_bwlimit: 30m # 30MB/s
sanoid_syncoid_datasets_sync:


@ -20,7 +20,7 @@ pbs_permissions:
pbs_users:
- name: user_pve5
password: "{{ lookup('keepass', 'pbs_pve_user', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'pbs_pve_user', 'password') }}"
realm: pbs
# rpool ist unverschlüsselt als Boot-Medium
# entschlüsseln nach Boot mit: sudo zpool import -d /dev/disk/by-id/ -a && sudo zfs mount -a -l
@ -70,7 +70,7 @@ zfs_extra_zfs_pools:
sanoid_snaps_enable: true
## syncoid
sanoid_syncoid_destination_host: true
sanoid_syncoid_ssh_privkey: "{{ lookup('keepass', 'sanoid_syncoid_private_key', 'notes') }}"
sanoid_syncoid_ssh_privkey: "{{ lookup('viczem.keepass.keepass', 'sanoid_syncoid_private_key', 'notes') }}"
sanoid_syncoid_timer: '*-*-* *:00:00' # jede Stunde
sanoid_syncoid_bwlimit: 50M # 30MB/s
sanoid_syncoid_datasets_sync:


@ -214,5 +214,5 @@ pve_pbs_datastore:
server: 192.168.2.18
datastore: zfs_backup
username: user_pve5-test@pbs
password: "{{ lookup('keepass', 'pbs_pve_user-test', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'pbs_pve_user-test', 'password') }}"
fingerprint: "38:53:f6:1e:99:99:76:78:c4:00:dd:90:1a:89:47:56:97:4e:f3:62:01:d2:2c:76:ba:f8:55:be:f8:05:d1:7a"


@ -101,7 +101,7 @@ zfs_extra_zfs_pools:
sanoid_snaps_enable: true
## enable sending snaps
sanoid_syncoid_source_host: true
sanoid_syncoid_ssh_pubkey: "{{ lookup('keepass', 'sanoid_syncoid_public_key', 'notes') }}"
sanoid_syncoid_ssh_pubkey: "{{ lookup('viczem.keepass.keepass', 'sanoid_syncoid_public_key', 'notes') }}"
sanoid_datasets:
### hdd_data
- path: 'hdd_data/videos'
@ -232,5 +232,5 @@ pve_pbs_datastore:
server: pbs.mgrote.net
datastore: zfs_backup
username: user_pve5@pbs
password: "{{ lookup('keepass', 'pbs_pve_user', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'pbs_pve_user', 'password') }}"
fingerprint: "7F:AC:54:75:1C:33:55:84:1E:1E:3A:15:5A:5E:AF:79:33:C9:D4:E1:C0:A0:1C:0D:9E:6A:EA:82:F9:27:57:79"


@ -22,7 +22,7 @@
ansible.builtin.user:
name: mg
update_password: always
password: "{{ lookup('keepass', 'mg_linux_password_hash', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'mg_linux_password_hash', 'password') }}"
vars:
### reobertdebock.bootstrap
@ -37,7 +37,7 @@
### mgrote_user
users:
- username: ansible-user
password: "{{ lookup('keepass', 'ansible_user_linux_password_hash', 'password') }}"
password: "{{ lookup('viczem.keepass.keepass', 'ansible_user_linux_password_hash', 'password') }}"
update_password: always
groups: ssh, sudo
state: present


@ -1,128 +0,0 @@
# -*- coding: utf-8 -*-
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
try:
from __main__ import display
except ImportError:
from ansible.utils.display import Display
display = Display()
import os
import json
import socket
import tempfile
from pykeepass import PyKeePass
from construct.core import ChecksumError
from ansible.errors import AnsibleError
from ansible.plugins.lookup import LookupBase
DOCUMENTATION = """
lookup: keepass
author: Victor Zemtsov <victor.zemtsov@gmail.com>
version_added: '0.2'
short_description: fetch data from KeePass file
description:
- This lookup returns a value of a property of a KeePass entry
- which fetched by given path
options:
_terms:
description:
- first is a path to KeePass entry
- second is a property name of the entry, e.g. username or password
- third (optional property) if true custem_field_property is return
required: True
notes:
- https://github.com/viczem/ansible-keepass
example:
- "{{ lookup('keepass', 'path/to/entry', 'password') }}"
"""
class LookupModule(LookupBase):
keepass = None
def run(self, terms, variables=None, **kwargs):
if not terms or len(terms) < 2 or len(terms) > 3:
raise AnsibleError('Wrong request format')
if variables is not None:
self._templar.available_variables = variables
variables_for_templating = getattr(self._templar, '_available_variables', {})
entry_path = terms[0].strip('/')
entry_attr = terms[1]
enable_custom_attr = False
if len(terms) == 3:
enable_custom_attr = terms[2]
kp_dbx = self._templar.template(variables_for_templating.get('keepass_dbx', ''), fail_on_undefined=True)
kp_dbx = os.path.realpath(os.path.expanduser(kp_dbx))
if os.path.isfile(kp_dbx):
display.v(u"Keepass: database file %s" % kp_dbx)
kp_soc = "%s/ansible-keepass.sock" % tempfile.gettempdir()
if os.path.exists(kp_soc):
display.v(u"Keepass: fetch from socket")
return self._fetch_socket(kp_soc, entry_path, entry_attr, enable_custom_attr)
kp_psw = self._templar.template(variables_for_templating.get('keepass_psw', ''), fail_on_undefined=True)
kp_key = self._templar.template(variables_for_templating.get('keepass_key', ''), fail_on_undefined=True)
display.v(u"Keepass: fetch from kdbx file")
return self._fetch_file(
kp_dbx, str(kp_psw), kp_key, entry_path, entry_attr, enable_custom_attr)
def _fetch_file(self, kp_dbx, kp_psw, kp_key, entry_path, entry_attr, enable_custom_attr):
if kp_key:
kp_key = os.path.realpath(os.path.expanduser(kp_key))
if os.path.isfile(kp_key):
display.vvv(u"Keepass: database keyfile: %s" % kp_key)
try:
if not LookupModule.keepass:
LookupModule.keepass = PyKeePass(kp_dbx, kp_psw, kp_key)
entry = LookupModule.keepass.\
find_entries_by_path(entry_path, first=True)
if entry is None:
raise AnsibleError(u"Entry '%s' is not found" % entry_path)
display.vv(
u"KeePass: attr: %s in path: %s" % (entry_attr, entry_path))
entry_val = None
if enable_custom_attr:
entry_val = entry.get_custom_property(entry_attr)
if entry_val is not None:
return [entry_val]
else:
raise AnsibleError(AttributeError(u"'No custom field property '%s'" % (entry_attr)))
else:
return [getattr(entry, entry_attr)]
except ChecksumError:
raise AnsibleError("Wrong password/keyfile {}".format(kp_dbx))
except (AttributeError, FileNotFoundError) as e:
raise AnsibleError(e)
def _fetch_socket(self, kp_soc, entry_path, entry_attr, enable_custom_attr):
display.vvvv(u"KeePass: try to socket connect")
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
sock.connect(kp_soc)
display.vvvv(u"KeePass: connected")
data = {'attr': entry_attr, 'path': entry_path}
if enable_custom_attr:
data['enable_custom_attr'] = True
sock.send(json.dumps(data).encode())
display.vv(u"KeePass: attr: %s in path: %s" % (entry_attr, entry_path))
try:
msg = json.loads(sock.recv(1024).decode())
except json.JSONDecodeError as e:
raise AnsibleError(str(e))
finally:
sock.close()
display.vvvv(u"KeePass: disconnected")
if msg['status'] == 'error':
raise AnsibleError(msg['text'])
return [msg['text']]


@ -7,6 +7,8 @@ collections:
version: "1.5.4"
- name: community.docker
version: "3.10.4"
- name: viczem.keepass
version: "0.7.5"
roles:
- name: ansible-role-bootstrap
src: git+https://git.mgrote.net/ansible-role-mirrors/ansible-role-bootstrap


@ -23,5 +23,5 @@ siehe [defaults](./defaults/main.yml)
1. ersteller Ordner in `compose_src_basedir`
1. alle Dateien die templated werden sollen + IMMER `docker-compose.yml` mit der Dateiendung `.j2` versehen
1. Secrets: in `*.j2`-Dateien mit `{{ lookup('keepass', '<name>', 'password') }}
1. Secrets: in `*.j2`-Dateien mit `{{ lookup('viczem.keepass.keepass', '<name>', 'password') }}
` einbauen


@ -35,7 +35,7 @@ SMB3_11: Windows 10 technical preview SMB3 version (maybe final).
```
smb_users:
- name: 'annemariedroessler' # Nutzername
password: "{{ lookup('keepass', 'fileserver_smb_user_amd', 'password') }}" # Passwort als Klartext
password: "{{ lookup('viczem.keepass.keepass', 'fileserver_smb_user_amd', 'password') }}" # Passwort als Klartext
state: present # Status(default: present)
remove_dir: false # removes homedir if state is absent und remove_dir is true (default: false)
```


@ -12,6 +12,7 @@
ansible.builtin.command: "pvesm add pbs {{ item.name }} --server {{ item.server }} --datastore {{ item.datastore }} --username {{ item.username }} --password {{ item.password }} --fingerprint {{ item.fingerprint }}"
loop: "{{ pve_pbs_datastore }}"
when: "item.name not in storages.stdout"
no_log: true
- name: ensure datastore is configured
become: true
@ -19,3 +20,4 @@
loop: "{{ pve_pbs_datastore }}"
when: "item.name in storages.stdout"
changed_when: false
no_log: true
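Review bot: `no_log: true` stops Ansible from printing the loop item, but the first task's `ansible.builtin.command` still passes `{{ item.password }}` as a command-line argument to `pvesm add pbs`, so the secret remains visible on the target host in the process table (`ps`, `/proc/<pid>/cmdline`) and in any process-accounting or audit log that records argv for the duration of the call. If the installed `pvesm` accepts the password on standard input instead of as an argument, feed it through the module's `stdin:` parameter and drop `--password {{ item.password }}` from the command string; if it does not, add a comment above the task recording the residual exposure so the next reader does not assume `no_log` closes it, e.g. `# no_log hides the item from Ansible output only; the password is still exposed in the pvesm argv on the target`. The same consideration applies to the second task in this file if its command also takes the password as an argument, which is not visible in this hunk. Both tasks begin outside the shown hunks.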


@ -24,7 +24,7 @@ restic_folders_to_backup: "/usr/local /etc /root /var/www /home"
# smb-share mit dem repository: z.B. "//fileserver3.mgrote.net/restic"
restic_repository: "//fileserver.domain/restic"
# password für das repo
restic_repository_password: "{{ lookup('keepass', 'restic_repository_password', 'password') }}"
restic_repository_password: "{{ lookup('viczem.keepass.keepass', 'restic_repository_password', 'password') }}"
# nutzer für den share
restic_mount_user: restic
# passwort für den mount


@ -30,8 +30,8 @@ ytdl_video_output: "/shares_videos/Youtube/%(uploader)s/%(title)s-%(id)s.%(ext)s
ytdl_podcast_output: "/shares_music/Podcasts/%(playlist)s/%(id)s.%(ext)s"
ytdl_video_log_output: "/shares_videos/Youtube/archive-youtube.log"
ytdl_podcast_log_output: "/shares_music/Podcasts/archive-podcast.log"
ytdl_youtube_username: "{{ lookup('keepass', 'youtubedl_youtube_login', 'username') }}"
ytdl_youtube_password: "{{ lookup('keepass', 'youtubedl_youtube_login', 'password') }}"
ytdl_youtube_username: "{{ lookup('viczem.keepass.keepass', 'youtubedl_youtube_login', 'username') }}"
ytdl_youtube_password: "{{ lookup('viczem.keepass.keepass', 'youtubedl_youtube_login', 'password') }}"
ytdl_conf_dir: "/etc/youtubedl" #ohne / am ende
ytdl_download_limit: "10000K"
ytdl_active: false # damit werden die systemd-Units nicht angelegt


@ -15,8 +15,8 @@
--write-info-json #schreibe metadaten
--write-description #schreibe metadaten
--write-annotations #schreibe metadaten
--username "{{ lookup('keepass', 'youtubedl_youtube_login', 'username') }}" #login youtube
--password "{{ lookup('keepass', 'youtubedl_youtube_login', 'password') }}" #login youtube
--username "{{ lookup('viczem.keepass.keepass', 'youtubedl_youtube_login', 'username') }}" #login youtube
--password "{{ lookup('viczem.keepass.keepass', 'youtubedl_youtube_login', 'password') }}" #login youtube
--no-color
--no-progress


@ -79,7 +79,7 @@ Es gibt 3 Funktionen:
destination_mount_check: hdd_data/encrypted # Wenn dieses Dataset nicht gemountet ist(z.B. durch Verschlüsselung, dann bricht syncoid ab)
destination_dataset: hdd_data/encrypted/syncoid/zfs1
skip_parent: false
sanoid_syncoid_ssh_privkey: "{{ lookup('keepass', 'sanoid_syncoid_private_key', 'notes') }}"
sanoid_syncoid_ssh_privkey: "{{ lookup('viczem.keepass.keepass', 'sanoid_syncoid_private_key', 'notes') }}"
sanoid_syncoid_destination_host: true
```


@ -41,8 +41,8 @@ sanoid_user_group: sanoid
# sanoid_syncoid_destination_host: true
# syncoid
#sanoid_syncoid_ssh_privkey: "{{ lookup('keepass', 'sanoid_syncoid_private_key', 'notes') }}"
#sanoid_syncoid_ssh_pubkey: "{{ lookup('keepass', 'sanoid_syncoid_public_key', 'notes') }}"
#sanoid_syncoid_ssh_privkey: "{{ lookup('viczem.keepass.keepass', 'sanoid_syncoid_private_key', 'notes') }}"
#sanoid_syncoid_ssh_pubkey: "{{ lookup('viczem.keepass.keepass', 'sanoid_syncoid_public_key', 'notes') }}"
### mgrote_sanoid
#sanoid_syncoid_datasets_sync: