diff --git a/.ansible-lint b/.ansible-lint index 188a5821..441aa214 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -12,15 +12,14 @@ exclude_paths: - .gitlab-ci.yml - friedhof/ - playbooks/on-off - - roles/geerlingguy-ansible-role-pip - - roles/pyratlabs-ansible-role-k3s - - roles/robertdebock-ansible-role-bootstrap - - roles/gantsign-ansible-role-ctop - - roles/geerlingguy-ansible-role-docker - - roles/geerlingguy-ansible-role-helm - - roles/geerlingguy-ansible-role-nfs - - roles/hifis-net-ansible-role-unattended-upgrades - - roles/mrlesmithjr-ansible-manage-lvm - - roles/oefenweb-ansible-ufw - - roles/pandemonium1986-ansible-role-k9s - - roles/pyratlabs-ansible-role-gitea + - roles/ansible-role-pip + - roles/ansible-role-bootstrap + - roles/ansible_role_ctop + - roles/ansible-role-docker + - roles/ansible-role-helm + - roles/ansible-role-nfs + - roles/ansible-role-unattended-upgrades + - roles/ansible-manage-lvm + - roles/ansible-ufw + - roles/ansible_role_gitea + - roles/ansible-role-postgresql diff --git a/.gitignore b/.gitignore index c167bf45..fbfd6d7e 100644 --- a/.gitignore +++ b/.gitignore 
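Review bot: The new `exclude_paths` list drops the k3s and k9s roles (`roles/pyratlabs-ansible-role-k3s` and `roles/pandemonium1986-ansible-role-k9s` are removed and nothing replaces them), while the .gitignore hunk in this same commit still ignores `roles/ansible-role-k3s` and keeps `roles/pandemonium1986-ansible-role-k9s`. If those two directories are still checked out locally, ansible-lint will now lint vendored third-party code; adding `  - roles/ansible-role-k3s` and `  - roles/pandemonium1986-ansible-role-k9s` keeps the two lists in step. I can't tell from the diff whether the roles were actually removed from the working tree, so treat this as a consistency check rather than a certain defect.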
@@ -2,17 +2,19 @@ vault-pass.yml id_ed25519 id_ed25519.pub -roles/geerlingguy-ansible-role-pip -roles/pyratlabs-ansible-role-k3s -roles/robertdebock-ansible-role-bootstrap -roles/gantsign-ansible-role-ctop -roles/geerlingguy-ansible-role-docker -roles/geerlingguy-ansible-role-helm -roles/geerlingguy-ansible-role-nfs -roles/hifis-net-ansible-role-unattended-upgrades -roles/mrlesmithjr-ansible-manage-lvm -roles/oefenweb-ansible-ufw +roles/ansible-role-pip +roles/ansible-role-k3s +roles/ansible-role-bootstrap +roles/ansible_role_ctop +roles/ansible-role-docker +roles/ansible-role-helm +roles/ansible-role-nfs +roles/ansible_role_gitea +roles/ansible-role-unattended-upgrades +roles/ansible-manage-lvm +roles/ansible-ufw roles/pandemonium1986-ansible-role-k9s -roles/pyratlabs-ansible-role-gitea +roles/ansible_role_gitea collections/ plugins/lookup/__pycache__/ +roles/ansible-role-postgresql diff --git a/docker-compose/mail-relay/docker-compose.yml.j2 b/docker-compose/mail-relay/docker-compose.yml.j2 index c53d2c7e..e6c4bb08 100644 --- a/docker-compose/mail-relay/docker-compose.yml.j2 +++ b/docker-compose/mail-relay/docker-compose.yml.j2 @@ -15,7 +15,7 @@ services: ALWAYS_ADD_MISSING_HEADERS: "no" # literal # LOG_SUBJECT: "yes" # literal INET_PROTOCOL: ipv4 - SMTP_GENERIC_MAP: "/.*/ info@mgrote.net" + #SMTP_GENERIC_MAP: "/.*/ info@mgrote.net" # deactivated; dont overwrite sender networks: - mail-relay healthcheck: diff --git a/docker-compose/munin/docker-compose.yml.j2 b/docker-compose/munin/docker-compose.yml.j2 index d80a236d..030fe344 100644 --- a/docker-compose/munin/docker-compose.yml.j2 +++ b/docker-compose/munin/docker-compose.yml.j2 
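Review bot: `roles/ansible_role_gitea` is added twice in this hunk, once in the renamed block between `roles/ansible-role-nfs` and `roles/ansible-role-unattended-upgrades` and again as the replacement for `roles/pyratlabs-ansible-role-gitea`; git tolerates the duplicate but it reads as if two different roles were meant. Dropping the second occurrence leaves the list with one entry per role, matching the .ansible-lint hunk. The other renames match the .ansible-lint list apart from k3s and k9s, which are noted on that hunk.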
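Review bot: The deactivated line would read more consistently as `# SMTP_GENERIC_MAP: "/.*/ info@mgrote.net"  # deactivated; don't overwrite sender`, with a space after `#` as yamllint's comments rule expects and as the neighbouring `# LOG_SUBJECT` line already does. Since the generic map previously rewrote every envelope sender to info@mgrote.net, disabling it means the relay now forwards whatever sender address the individual containers use; confirm the upstream relay and any SPF policy accept those addresses, as that is not visible here.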
@@ -18,10 +18,11 @@ services: fileserver3.mgrote.net:fileserver3.mgrote.net ansible2.mgrote.net:ansible2.mgrote.net pve5.mgrote.net:pve5.mgrote.net - gitea.mgrote.net:gitea.mgrote.net + forgejo.mgrote.net:forgejo.mgrote.net docker10.mgrote.net:docker10.mgrote.net pbs.mgrote.net:pbs.mgrote.net blocky.mgrote.net:blocky.mgrote.net + ldap.mgrote.net:ldap.mgrote.net # z.B. # computer-test.mgrote.net.test:192.68.2.4 # computer.mgrote.net:computer.mgrote.net diff --git a/docker-compose/routeros-config-export/docker-compose.yml b/docker-compose/routeros-config-export/docker-compose.yml index 3b9aac6d..de0f5131 100644 --- a/docker-compose/routeros-config-export/docker-compose.yml +++ b/docker-compose/routeros-config-export/docker-compose.yml @@ -15,7 +15,7 @@ services: hex.mgrote.net,routeros-config-backup,/key_hex crs305.mgrote.net,routeros-config-backup,/key_crs305 GIT_REPO_BRANCH: "master" - GIT_REPO_URL: "ssh://gitea@gitea.mgrote.net:2222/mg/routeros-configs.git" + GIT_REPO_URL: "gitea@forgejo.mgrote.net:mg/routeros-configs.git" GIT_REPO_DEPLOY_KEY: "/deploy_token" GIT_USERNAME: oxidized-selfmade GIT_USER_MAIL: michael.grote@posteo.de diff --git a/docker-compose/traefik/file-provider.yml b/docker-compose/traefik/file-provider.yml index 5e81ff08..d97fd9d4 100644 --- a/docker-compose/traefik/file-provider.yml +++ b/docker-compose/traefik/file-provider.yml @@ -14,4 +14,4 @@ http: service_gitea: loadBalancer: servers: - - url: "http://gitea.mgrote.net:3000/" + - url: "http://forgejo.mgrote.net:3000/" diff --git a/roles/mgrote_exa/README.md b/friedhof/mgrote_exa/README.md similarity index 100% rename from roles/mgrote_exa/README.md rename to friedhof/mgrote_exa/README.md diff --git a/roles/mgrote_exa/defaults/main.yml b/friedhof/mgrote_exa/defaults/main.yml similarity index 100% rename from roles/mgrote_exa/defaults/main.yml rename to friedhof/mgrote_exa/defaults/main.yml 
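Review bot: `GIT_REPO_URL` now points at `forgejo.mgrote.net` on the default SSH port instead of `gitea.mgrote.net:2222`, so whatever host key the container previously accepted for the old endpoint no longer applies and the first push goes to an unknown host. Check how the image verifies the host key for the new name (a mounted known_hosts entry alongside `GIT_REPO_DEPLOY_KEY` is the robust option) rather than relying on a disabled check; that setting is not in this hunk, so I can't confirm either way. The scp-style URL is consistent with `gitea_start_ssh: false` and `gitea_ssh_port: 22` in the new group_vars/git.yml.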
diff --git a/roles/mgrote_exa/tasks/main.yml b/friedhof/mgrote_exa/tasks/main.yml similarity index 100% rename from roles/mgrote_exa/tasks/main.yml rename to friedhof/mgrote_exa/tasks/main.yml diff --git a/group_vars/all.yml b/group_vars/all.yml index d249abd8..976c1369 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -20,29 +20,6 @@ dotfiles_vim_vundle_repo_url: https://git.mgrote.net/mirrors/Vundle.vim.git ### mgrote_netplan netplan_configure: true -### mgrote_restic -restic_user: root -restic_group: restic -restic_conf_dir: /etc/restic -restic_exclude: | - ._* - desktop.ini - .Trash-* - **/**cache***/** - **/**Cache***/** - **/**AppData***/** - # https://github.com/restic/restic/issues/1005 - # https://forum.restic.net/t/exclude-syntax-confusion/1531/12 -restic_mount_timeout: "10 min" -restic_failure_delay: "30 s" -restic_schedule: "0/6:00" # alle 6 Stunden -restic_folders_to_backup: "/" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben; https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files -restic_repository: "//fileserver3.mgrote.net/restic" -restic_repository_password: "{{ lookup('keepass', 'restic_repository_password', 'password') }}" -restic_mount_user: restic -restic_mount_password: "{{ lookup('keepass', 'fileserver_smb_user_restic', 'password') }}" -restic_fail_mail: "{{ my_mail }}" - ### mgrote_user users: - username: mg 
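Review bot: The removed `mgrote_restic` block (here and in group_vars/blocky.yml, docker.yml, pbs.yml, pve.yml and host_vars/docker10.mgrote.net.yml) was the only backup configuration visible in this repository, covering `/etc/pve`, `/etc/proxmox-backup`, `/var/lib/docker` and, in the deleted gitea.yml, `/var/lib/gitea`, and nothing in the commit says what replaces it. If backups now run elsewhere, a one-line comment where the block used to be, such as `# backups: handled by <REPLACEMENT>, restic role retired`, would keep the next reader from assuming these hosts are unbacked. The `restic` SMB user and share on fileserver3 and the keepass entries `restic_repository_password` and `fileserver_smb_user_restic` still exist; if they are now unused they can be retired in a follow-up.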
@@ -219,16 +196,16 @@ munin_node_disabled_plugins: - name: timesync munin_node_plugins: - name: chrony - src: https://git.mgrote.net/Mirror/munin-contrib/raw/branch/master/plugins/chrony/chrony + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony - name: systemd_status - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status - name: systemd_mem - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem config: | [systemd_mem] env.all_services true - name: lvm_ - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/disk/lvm_ + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/disk/lvm_ config: | [lvm_*] user root diff --git a/group_vars/blocky.yml b/group_vars/blocky.yml index e5a8d11d..bf43ad80 100644 --- a/group_vars/blocky.yml +++ b/group_vars/blocky.yml @@ -24,13 +24,13 @@ apt_packages_extra: - libnet-dns-perl # für munin: dnsresponse_ ### mgrote_user_setup -dotfiles_vim_vundle_repo_url: http://192.168.2.44:3000/mirrors/Vundle.vim.git +dotfiles_vim_vundle_repo_url: http://192.168.2.42:3000/mirrors/Vundle.vim.git dotfiles: - user: mg home: /home/mg - user: root home: /root -dotfiles_repo_url: http://192.168.2.44:3000/mg/dotfiles +dotfiles_repo_url: http://192.168.2.42:3000/mg/dotfiles ### mgrote_blocky blocky_version: v0.23 
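Review bot: Every `src:` in this hunk (and in the matching `munin_node_plugins` hunks in group_vars/blocky.yml, docker.yml, fileserver.yml, pbs.yml and pve.yml) fetches a plugin script from `raw/branch/master`, so what later runs on the node — several entries are configured with `user root` — is whatever the mirror branch holds at download time. Pinning the path to a commit (e.g. `raw/commit/<COMMIT-SHA>/plugins/chrony/chrony`, placeholder) or having mgrote_munin_node verify a checksum would make the installed plugins reproducible and make an upstream change visible in review. The blocky.yml variant additionally fetches over plain `http://192.168.2.42:3000` for the DNS reason its comment gives; with an IP in the URL there is no TLS name check either, so that host relies entirely on the LAN being trustworthy.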
@@ -86,40 +86,40 @@ blocky_custom_lookups: # optional ip: 192.168.2.1 - name: fritz.box ip: 192.168.5.1 + - name: ldap.mgrote.net + ip: 192.168.2.47 -### mgrote_restic -restic_repository: "//192.168.2.54/restic" ### mgrote_munin_node # kann git.mgrote.net nicht auflösen, deshalb hiermit IP munin_node_plugins: - name: chrony - src: http://192.168.2.44:3000/Mirror/munin-contrib/raw/branch/master/plugins/chrony/chrony + src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony - name: systemd_status - src: http://192.168.2.44:3000/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status + src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status - name: systemd_mem - src: http://192.168.2.44:3000/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem + src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem config: | [systemd_mem] env.all_services true - name: lvm_ - src: http://192.168.2.44:3000/mg/mirror-munin-contrib/raw/branch/master/plugins/disk/lvm_ + src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/disk/lvm_ config: | [lvm_*] user root - name: fail2ban - src: http://192.168.2.44:3000/mg/munin-plugins/raw/branch/master/extern/fail2ban + src: http://192.168.2.42:3000/mg/munin-plugins/raw/branch/master/extern/fail2ban config: | [fail2ban] env.client /usr/bin/fail2ban-client env.config_dir /etc/fail2ban user root - name: dnsresponse_192.168.2.1 - src: http://192.168.2.44:3000/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_ + src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_ - name: dnsresponse_192.168.2.37 - src: http://192.168.2.44:3000/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_ + src: 
http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_ - name: dnsresponse_127.0.0.1 - src: http://192.168.2.44:3000/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_ + src: http://192.168.2.42:3000/mirrors/munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_ config: | [dnsresponse_*] env.site www.heise.de diff --git a/group_vars/docker.yml b/group_vars/docker.yml index b624afcb..ac2e7287 100644 --- a/group_vars/docker.yml +++ b/group_vars/docker.yml @@ -15,9 +15,6 @@ lvm_groups: manage_lvm: true pvresize_to_max: true -### mgrote_restic -restic_folders_to_backup: "/ /var/lib/docker" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben; https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files - ### geerlingguy.pip pip_package: python3-pip pip_install_packages: @@ -85,14 +82,14 @@ systemd_resolved_nameserver: 192.168.2.37 munin_node_allowed_cidrs: [0.0.0.0/0] # weil der munin-server aus einem anderen subnet zugreift munin_node_plugins: - name: systemd_status - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status - name: systemd_mem - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem config: | [systemd_mem] env.all_services true - name: lvm_ - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/disk/lvm_ + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/disk/lvm_ config: | [lvm_*] user root 
@@ -104,23 +101,23 @@ munin_node_plugins: env.config_dir /etc/fail2ban user root - name: docker_containers - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/docker/docker_ + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_ config: | [docker_*] user root env.DOCKER_HOST unix://run/docker.sock - name: docker_cpu - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/docker/docker_ + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_ - name: docker_memory - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/docker/docker_ + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_ - name: docker_network - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/docker/docker_ + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_ - name: docker_volumes - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/docker/docker_ + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_ - name: docker_volumesize - src: https://git.mgrote.net/Mirror/munin-contrib/raw/branch/master/plugins/docker/docker_volumesize + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_volumesize - name: chrony - src: https://git.mgrote.net/Mirror/munin-contrib/raw/branch/master/plugins/chrony/chrony + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony ### oefenweb.ufw ufw_rules: diff --git a/group_vars/fileserver.yml b/group_vars/fileserver.yml index 2148915b..40250a82 100644 --- a/group_vars/fileserver.yml +++ b/group_vars/fileserver.yml 
@@ -34,11 +34,11 @@ smb_enable_snapshots_shadow: true ### mgrote_munin_node munin_node_plugins: - name: chrony - src: https://git.mgrote.net/Mirror/munin-contrib/raw/branch/master/plugins/chrony/chrony + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony - name: systemd_status - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status - name: systemd_mem - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem config: | [systemd_mem] env.all_services true diff --git a/group_vars/git.yml b/group_vars/git.yml new file mode 100644 index 00000000..0cfd751d --- /dev/null +++ b/group_vars/git.yml 
@@ -0,0 +1,142 @@
+---
+### mrlesmithjr.ansible-manage-lvm
+lvm_groups:
+ - vgname: vg_data
+ disks:
+ - /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1
+ create: true
+ lvnames:
+ - lvname: lv_data
+ size: +100%FREE
+ create: true
+ filesystem: xfs
+ mount: true
+ mntp: /var/lib/gitea
+manage_lvm: true
+pvresize_to_max: true
+
+### mgrote_apt_manage_packages
+apt_packages_extra:
+ - fail2ban
+
+### geerlingguy_postgres
+postgresql_databases:
+ - name: "{{ gitea_db_name }}"
+postgresql_users:
+ - name: "{{ gitea_db_user }}"
+ password: "{{ gitea_db_password }}"
+
+### oefenweb.ufw
+ufw_rules:
+ - rule: allow
+ to_port: 22
+ protocol: tcp
+ comment: 'ssh'
+ from_ip: 0.0.0.0/0
+ - rule: allow
+ to_port: 4949
+ protocol: tcp
+ comment: 'munin'
+ from_ip: 192.168.2.0/24
+ - rule: allow
+ to_port: "{{ gitea_http_port }}"
+ protocol: tcp
+ comment: 'gitea'
+ from_ip: 0.0.0.0/0
+
+### ansible_role_gitea
+# https://git.mgrote.net/ansible-roles-mirrors/ansible_role_gitea
+gitea_fork: "forgejo"
+# gitea update
+gitea_version: "1.21.7-0" # alt zum renovate testen
+gitea_version_check: true
+gitea_backup_on_upgrade: false
+# gitea in the linux world
+gitea_group: "gitea"
+gitea_user: "gitea"
+gitea_home: "/var/lib/gitea"
+gitea_user_home: "{{ gitea_home }}"
+# config liegt in /etc/gitea/gitea.ini
+gitea_configuration_path: "/etc/gitea" # anpassen
+gitea_app_name: "forgejo"
+gitea_fqdn: "git.mgrote.net"
+# ssh
+gitea_ssh_port: 22 # assuming the host SSH server is running on port 22
+gitea_start_ssh: false # to not start the built-in SSH server
+gitea_shell: "/bin/bash"
+# Repository
+gitea_default_branch: "master"
+gitea_default_private: "public"
+gitea_repository_root: "{{ gitea_home }}/repos"
+# ui
+gitea_show_user_email: false
+# server
+gitea_protocol: "http"
+gitea_http_domain: "{{ gitea_fqdn }}"
+gitea_http_port: "3000"
+gitea_http_listen: "0.0.0.0"
+gitea_root_url: https://git.mgrote.net
+# database
+gitea_db_type: "postgres"
+gitea_db_host: "localhost"
+gitea_db_name: "gitea"
+gitea_db_user: "gitea"
+gitea_db_password: "{{ lookup('keepass', 'forgejo_db_password', 'password') }}"
+# indexer
+gitea_repo_indexer_enabled: true
+# security
+gitea_disable_webhooks: false
+gitea_password_check_pwn: false
+gitea_internal_token: "{{ lookup('keepass', 'forgejo_internal_token', 'password') }}"
+gitea_secret_key: "{{ lookup('keepass', 'forgejo_secret_key', 'password') }}"
+# service
+gitea_disable_registration: true
+gitea_register_email_confirm: true
+gitea_require_signin: false
+gitea_default_keep_mail_private: true
+gitea_enable_captcha: false
+gitea_show_registration_button: false
+gitea_enable_notify_mail: true
+gitea_default_user_visibility: "public"
+gitea_show_milestones_dashboard_page: false
+gitea_default_allow_create_organization: true
+gitea_default_org_visibility: "public"
+# Mailer
+gitea_mailer_enabled: true
+gitea_mailer_protocol: "smtp"
+gitea_mailer_smtp_addr: "docker10.mgrote.net"
+gitea_mailer_smtp_port: 1025
+gitea_mailer_from: "gitea@mgrote.net"
+gitea_subject_prefix: "git.mgrote.net - "
+# log
+gitea_log_systemd: true
+gitea_log_level: "Info"
+# Metrics
+gitea_metrics_enabled: false
+# Federation
+gitea_federation_enabled: false
+# Packages
+gitea_packages_enabled: false
+# actions
+gitea_actions_enabled: false
+gitea_extra_config: |
+ ; webhook: wird für drone benötigt, sonst wird der Webhook nicht "gesendet"
+ [webhook]
+ ALLOWED_HOST_LIST = *.mgrote.net
+ ; für Import/Migration aus anderen Git-Systemen
+ [migrations]
+ ALLOWED_DOMAINS = *
+# oauth2
+gitea_oauth2_jwt_secret: "{{ lookup('keepass', 'forgejo_oauth2_jwt_secret', 'password') }}"
+# Fail2Ban configuration
+gitea_fail2ban_enabled: true
+gitea_fail2ban_jail_maxretry: "3"
+gitea_fail2ban_jail_findtime: "300"
+gitea_fail2ban_jail_bantime: "600"
+gitea_fail2ban_jail_action: "iptables-allports"
+
+### mgrote_gitea_setup
+gitea_ldap_host: "ldap.mgrote.net"
+gitea_ldap_bind_pass: "{{ lookup('keepass', 'lldap_ldap_user_pass', 'password') }}"
+gitea_admin_user: "fadmin"
+gitea_admin_user_pass: "{{ lookup('keepass', 'forgejo_admin_user_pass', 'password') }}"
diff --git a/group_vars/gitea.yml b/group_vars/gitea.yml
deleted file mode 100644
index dcbe2acb..00000000
--- a/group_vars/gitea.yml
+++ /dev/null
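Review bot: `gitea_ldap_bind_pass` near the end of the new file reuses the keepass entry `lldap_ldap_user_pass`, which group_vars/ldap.yml in this same commit declares as `lldap_admin_password` ("also bind-secret"), so Forgejo binds to the directory with the LLDAP admin account although it only needs to search users and verify their passwords. A dedicated bind account with its own keepass entry, placed in LLDAP's read-only group, would limit what a compromised Forgejo host can do to the directory; the exact group name I can't verify from here. Separately, the `ufw_rules` entry for `{{ gitea_http_port }}` allows `0.0.0.0/0` while docker-compose/traefik/file-provider.yml is the intended client of port 3000 over plain HTTP, so `from_ip` could be narrowed to the traefik host or 192.168.2.0/24. `gitea_version: "1.21.7-0" # alt zum renovate testen` deliberately pins an older release on a host the inventory lists under `production`; a TODO stating when it is to be bumped would keep that from being forgotten.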
@@ -1,113 +0,0 @@ ---- -### mrlesmithjr.ansible-manage-lvm -lvm_groups: - - vgname: vg_gitea_data - disks: - - /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1 - create: true - lvnames: - - lvname: lv_gitea_data - size: +100%FREE - create: true - filesystem: xfs - mount: true - mntp: /var/lib/gitea -manage_lvm: true -pvresize_to_max: true - -### mgrote_restic -restic_folders_to_backup: "/ /var/lib/gitea" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben; https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files - -### mgrote_apt_manage_packages -apt_packages_extra: - - fail2ban - -### oefenweb.ufw -ufw_rules: - - rule: allow - to_port: 22 - protocol: tcp - comment: 'ssh' - from_ip: 0.0.0.0/0 - - rule: allow - to_port: 4949 - protocol: tcp - comment: 'munin' - from_ip: 192.168.2.0/24 - - rule: allow - to_port: "{{ gitea_http_port }}" - protocol: tcp - comment: 'gitea' - from_ip: 0.0.0.0/0 - - rule: allow - to_port: "{{ gitea_ssh_port }}" - protocol: tcp - comment: 'gitea' - from_ip: 0.0.0.0/0 - -### l3d.gitea -# config liegt in /etc/gitea/gitea.ini -gitea_version: "1.21.7-0" -gitea_fork: "forgejo" -gitea_app_name: "Gitea" -gitea_user: "gitea" -gitea_home: "/var/lib/gitea" -gitea_repository_root: "{{ gitea_home }}" -gitea_user_repo_limit: 300 -gitea_root_url: https://git.mgrote.net -gitea_offline_mode: true -gitea_lfs_server_enabled: false -gitea_secret_key: "{{ lookup('keepass', 'gitea_secret_key', 'password') }}" -gitea_internal_token: "{{ lookup('keepass', 'gitea_internal_token', 'password') }}" -gitea_disable_git_hooks: false -gitea_show_user_email: false -gitea_disable_gravatar: true -gitea_enable_captcha: true -gitea_only_allow_external_registration: false -gitea_enable_notify_mail: true -gitea_autowatch_on_change: true -gitea_force_private: false -gitea_oauth2_enabled: true -gitea_repo_indexer_enabled: true - -gitea_mailer_enabled: true 
-gitea_mailer_protocol: smtp -gitea_mailer_smtp_addr: docker10.mgrote.net -gitea_mailer_smtp_port: 1025 -gitea_mailer_from: "gitea@mgrote.net" - -gitea_default_branch: 'master' - -gitea_db_type: sqlite3 -gitea_db_path: "{{ gitea_home }}/data/gitea.db" # for sqlite3 - -gitea_ssh_listen: 0.0.0.0 -gitea_ssh_domain: gitea.mgrote.net -gitea_ssh_port: 2222 -gitea_start_ssh: true - -gitea_http_domain: git.mgrote.net -gitea_http_listen: 0.0.0.0 -gitea_http_port: 3000 -gitea_disable_http_git: false -gitea_protocol: http - -gitea_show_registration_button: false -gitea_require_signin: false -gitea_disable_registration: true - -gitea_fail2ban_enabled: true -gitea_fail2ban_jail_maxretry: 3 -gitea_fail2ban_jail_findtime: 300 -gitea_fail2ban_jail_bantime: 600 -# wird für drone benötigt, sonst wird der Webhook nicht "gesendet" -gitea_extra_config: | - [webhook] - ALLOWED_HOST_LIST = *.mgrote.net - -gitea_backup_on_upgrade: false -gitea_backup_location: "{{ gitea_home }}/backups/" - -submodules_versioncheck: true -gitea_log_systemd: true -gitea_log_level: "Info" diff --git a/group_vars/ldap.yml b/group_vars/ldap.yml new file mode 100644 index 00000000..48291d61 --- /dev/null +++ b/group_vars/ldap.yml 
@@ -0,0 +1,58 @@
+---
+### geerlingguy_postgres
+postgresql_databases:
+ - name: "{{ lldap_db_name }}"
+postgresql_users:
+ - name: "{{ lldap_db_user }}"
+ password: "{{ lldap_db_pass }}"
+
+### oefenweb.ufw
+ufw_rules:
+ - rule: allow
+ to_port: 22
+ protocol: tcp
+ comment: 'ssh'
+ from_ip: 0.0.0.0/0
+ - rule: allow
+ to_port: 4949
+ protocol: tcp
+ comment: 'munin'
+ from_ip: 192.168.2.0/24
+ - rule: allow
+ to_port: "{{ lldap_http_port }}"
+ protocol: tcp
+ comment: 'lldap'
+ from_ip: 192.168.2.0/24
+ - rule: allow
+ to_port: 3890
+ protocol: tcp
+ comment: 'lldap'
+ from_ip: 192.168.2.0/24
+
+### mgrote_lldap
+lldap_package_url: "https://download.opensuse.org/repositories/home:/Masgalor:/LLDAP/xUbuntu_22.04/amd64/lldap_0.5.0-1+3.1_amd64.deb"
+lldap_logging_verbose: "true" # must be a string not a boolean
+lldap_http_port: 17170
+lldap_http_host: "0.0.0.0"
+lldap_ldap_host: "0.0.0.0"
+lldap_public_url: http://localhost
+lldap_jwt_secret: "{{ lookup('keepass', 'lldap_jwt_secret', 'password') }}"
+lldap_ldap_base_dn: "dc=mgrote,dc=net"
+lldap_admin_username: ladmin # only used on setup
+lldap_admin_password: "{{ lookup('keepass', 'lldap_ldap_user_pass', 'password') }}" # only used on setup; also bind-secret
+lldap_admin_mailaddress: lldap-admin@mgrote.net # only used on setup
+lldap_database_url: "postgres://{{ lldap_db_user }}:{{ lldap_db_pass }}@{{ lldap_db_host }}/{{ lldap_db_name }}"
+lldap_key_seed: "{{ lookup('keepass', 'lldap_key_seed', 'password') }}"
+lldap_smtp_from: "LLDAP Admin "
+lldap_smtp_reply_to: "Do not reply "
+lldap_smtp_server: "docker10.mgrote.net"
+lldap_smtp_port: "1025"
+lldap_smtp_smtp_encryption: "NONE"
+lldap_smtp_user: "info@mgrote.net"
+lldap_smtp_enable_password_reset: "true" # must be a string not a boolean
+# "meta vars"; daraus werden die db-url und die postgres-db abgeleitet
+lldap_db_name: "lldap"
+lldap_db_user: "lldap"
+lldap_db_pass: "{{ lookup('keepass', 'lldap_db_pass', 'password') }}"
+lldap_db_host: "localhost"
+...
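Review bot: `lldap_public_url: http://localhost` is set while `lldap_smtp_enable_password_reset: "true"`; as far as I know LLDAP builds the links in its password-reset mails from this URL, so recipients would receive links pointing at localhost. It should be the address users actually reach the web UI on, something like `lldap_public_url: "http://ldap.mgrote.net:17170"` (constructed from the host name and `lldap_http_port` in this file — confirm). `lldap_package_url` pulls the .deb from a personal OBS project (`home:/Masgalor:/LLDAP`) with no checksum visible here; if mgrote_lldap fetches it with `get_url`, a pinned `checksum:` next to the URL makes the install reproducible and detects a swapped artifact. Port 3890 is plain LDAP and the bind secret used from group_vars/git.yml is the admin password, so either enable LLDAP's LDAPS listener for the Forgejo bind or note in a comment that the bind crosses the LAN unencrypted.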
diff --git a/group_vars/pbs.yml b/group_vars/pbs.yml index 11e24eb0..c2b18237 100644 --- a/group_vars/pbs.yml +++ b/group_vars/pbs.yml @@ -5,9 +5,6 @@ netplan_configure: false ### mgrote_postfix postfix_erlaubte_netzwerke: "127.0.0.0/8 192.168.2.0/24 192.168.3.0/24" -### mgrote_restic -restic_folders_to_backup: "/ /etc/proxmox-backup" - ### mgrote_user users: - username: root @@ -37,11 +34,11 @@ users: ### mgrote_munin_node munin_node_plugins: - name: chrony - src: https://git.mgrote.net/Mirror/munin-contrib/raw/branch/master/plugins/chrony/chrony + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony - name: systemd_status - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status - name: systemd_mem - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem config: | [systemd_mem] env.all_services true 
@@ -53,22 +50,22 @@ munin_node_plugins: env.config_dir /etc/fail2ban user root - name: zfs_arcstats - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfs_arcstats + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_arcstats - name: zfsonlinux_stats_ - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfsonlinux_stats_ + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfsonlinux_stats_ - name: zpool_iostat - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zpool_iostat + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zpool_iostat - name: zfs_list - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfs_list + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_list config: | [zfs_list] env.ignore_datasets_pattern autodaily - name: zfs_count - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfs_pool_dataset_count + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_pool_dataset_count - name: zpool_iostat - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zpool_iostat + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zpool_iostat - name: zpool_capacity - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zpool_capacity + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zpool_capacity munin_node_disabled_plugins: - meminfo # zu hohe last - hddtemp2 # ersetzt durch hddtemp_smartctl diff --git a/group_vars/pve.yml b/group_vars/pve.yml index e53f3aac..6e8aa92b 100644 --- a/group_vars/pve.yml +++ b/group_vars/pve.yml 
@@ -2,9 +2,6 @@ ### mgrote_netplan netplan_configure: false -### mgrote_restic -restic_folders_to_backup: "/ /etc/pve" - ### mgrote_user users: - username: root @@ -42,11 +39,11 @@ apt_packages_extra: ### mgrote_munin_node munin_node_plugins: - name: chrony - src: https://git.mgrote.net/Mirror/munin-contrib/raw/branch/master/plugins/chrony/chrony + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/chrony/chrony - name: systemd_status - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_status - name: systemd_mem - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/systemd/systemd_mem config: | [systemd_mem] env.all_services true 
@@ -58,39 +55,39 @@ munin_node_plugins: env.config_dir /etc/fail2ban user root - name: zfs_arcstats - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfs_arcstats + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_arcstats - name: zfsonlinux_stats_ - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfsonlinux_stats_ + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfsonlinux_stats_ - name: zpool_iostat - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zpool_iostat + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zpool_iostat - name: zfs_list - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfs_list + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_list config: | [zfs_list] env.ignore_datasets_pattern autodaily - name: zpool_capacity - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zpool_capacity + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zpool_capacity - name: kvm_mem - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/libvirt/kvm_mem + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/libvirt/kvm_mem - name: kvm_net - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/libvirt/kvm_net + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/libvirt/kvm_net - name: kvm_io - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/libvirt/kvm_io + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/libvirt/kvm_io config: | [kvm_io] user root - name: kvm_cpu - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/libvirt/kvm_cpu + src: 
https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/libvirt/kvm_cpu - name: proxmox_count - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/proxmox/proxmox_vm_count + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/proxmox/proxmox_vm_count config: | [proxmox_count] user root group root - name: zfs_count - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/zfs/zfs_pool_dataset_count + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/zfs/zfs_pool_dataset_count - name: ksm_ - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/system/kernel_same_page_merging + src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/system/kernel_same_page_merging munin_node_disabled_plugins: - meminfo # zu hohe last - hddtemp2 # ersetzt durch hddtemp_smartctl diff --git a/host_vars/docker10.mgrote.net.yml b/host_vars/docker10.mgrote.net.yml index 892eb3e5..1365c5d7 100644 --- a/host_vars/docker10.mgrote.net.yml +++ b/host_vars/docker10.mgrote.net.yml @@ -15,11 +15,11 @@ lvm_groups: manage_lvm: true pvresize_to_max: true -### mgrote_mount_cifs +### mgrote_mount_cifs # löschen cifs_mounts: - name: bilder type: cifs - state: present + state: absent dest: /mnt/fileserver3_photoprism_bilder_ro src: //fileserver3.mgrote.net/bilder user: photoprism @@ -29,9 +29,6 @@ cifs_mounts: gid: 5000 extra_opts: ",ro" # komma am Anfang ist notwendig weil die Option hinten angehangen wird -### mgrote_restic -restic_folders_to_backup: "/ /var/lib/docker /mnt/oci-registry" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben - ### mgrote_docker-compose-inline compose_owner: "docker-user" compose_group: "docker-user" 
@@ -59,8 +56,6 @@ compose_files: - name: navidrome state: present network: traefik - - name: watchtower - state: absent - name: routeros-config-export state: present - name: mail-relay @@ -72,8 +67,6 @@ compose_files: - name: wiki state: present network: traefik - - name: statping-ng - state: absent ### oefenweb.ufw ufw_rules: diff --git a/host_vars/fileserver3.mgrote.net.yml b/host_vars/fileserver3.mgrote.net.yml index 055c9383..9454e9c5 100644 --- a/host_vars/fileserver3.mgrote.net.yml +++ b/host_vars/fileserver3.mgrote.net.yml @@ -55,8 +55,6 @@ smb_users: password: "{{ lookup('keepass', 'fileserver_smb_user_pve', 'password') }}" - name: 'brother_ads2700w' password: "{{ lookup('keepass', 'fileserver_smb_user_brother_ads2700w', 'password') }}" - - name: 'photoprism' - password: "{{ lookup('keepass', 'fileserver_smb_user_photoprism', 'password') }}" smb_shares: - name: 'videos' @@ -89,7 +87,7 @@ smb_shares: users_rw: 'kodi win10 michaelgrote' - name: 'bilder' path: '/shares_bilder' - users_ro: 'photoprism' + users_ro: '' users_rw: ' michaelgrote win10' - name: 'proxmox' path: '/shares_pve_backup' @@ -98,7 +96,7 @@ smb_shares: - name: 'restic' path: '/shares_restic' users_ro: '' - users_rw: ' restic win10 michaelgrote' + users_rw: 'restic win10 michaelgrote' - name: 'buecher' path: '/shares_buecher' users_ro: '' diff --git a/inventory b/inventory index e76d0c1a..11e7a7d7 100644 --- a/inventory +++ b/inventory @@ -6,6 +6,9 @@ all: blocky: hosts: blocky.mgrote.net: + ldap: + hosts: + ldap.mgrote.net: lxc: hosts: fileserver3.mgrote.net: @@ -32,19 +35,20 @@ all: hosts: pve5.mgrote.net: pbs.mgrote.net: - gitea: + git: hosts: - gitea.mgrote.net: + forgejo.mgrote.net: production: hosts: fileserver3.mgrote.net: ansible2.mgrote.net: pve5.mgrote.net: - gitea.mgrote.net: + forgejo.mgrote.net: docker10.mgrote.net: pbs.mgrote.net: blocky.mgrote.net: + ldap.mgrote.net: test: hosts: vm-test-2204.mgrote.net: 
diff --git a/keepass_db.kdbx b/keepass_db.kdbx index bdc0f30d..cbdc09a0 100644 Binary files a/keepass_db.kdbx and b/keepass_db.kdbx differ diff --git a/playbooks/1_bootstrap.yml b/playbooks/1_bootstrap.yml index 9d3558b2..040d8c64 100644 --- a/playbooks/1_bootstrap.yml +++ b/playbooks/1_bootstrap.yml @@ -2,7 +2,7 @@ - hosts: all gather_facts: false roles: - - role: robertdebock-ansible-role-bootstrap + - role: ansible-role-bootstrap tags: "bootstrap" become: true - role: mgrote_apt_manage_sources diff --git a/playbooks/3_service/ansible.yml b/playbooks/3_service/ansible.yml index 36f3bba3..e7aebf82 100644 --- a/playbooks/3_service/ansible.yml +++ b/playbooks/3_service/ansible.yml @@ -1,4 +1,6 @@ --- - hosts: ansible roles: - - { role: geerlingguy-ansible-role-pip, tags: "pip", become: true } + - role: ansible-role-pip + tags: "pip" + become: true diff --git a/playbooks/3_service/blocky.yml b/playbooks/3_service/blocky.yml index 267abc3e..01d3c160 100644 --- a/playbooks/3_service/blocky.yml +++ b/playbooks/3_service/blocky.yml @@ -1,5 +1,7 @@ --- - hosts: blocky roles: - - { role: mgrote_systemd_resolved, tags: "resolved" } - - { role: mgrote_blocky, tags: "blocky" } + - role: mgrote_systemd_resolved + tags: "resolved" + - role: mgrote_blocky + tags: "blocky" diff --git a/playbooks/3_service/docker.yml b/playbooks/3_service/docker.yml index faa04d25..568953f4 100644 --- a/playbooks/3_service/docker.yml +++ b/playbooks/3_service/docker.yml 
@@ -1,10 +1,21 @@ --- - hosts: docker roles: - - { role: mgrote_systemd_resolved, tags: "dns", become: true } - - { role: mgrote_mount_cifs, tags: "cifs", become: true } - - { role: geerlingguy-ansible-role-pip, tags: "pip", become: true } - - { role: geerlingguy-ansible-role-docker, tags: "docker", become: true } - - { role: gantsign-ansible-role-ctop, tags: "ctop", become: true } - - { role: mgrote_set_permissions, tags: "perm", become: true } - - { role: mgrote_docker_compose_inline, tags: "compose", become: true } + - role: mgrote_systemd_resolved + tags: "dns" + become: true + - role: ansible-role-pip + tags: "pip" + become: true + - role: ansible-role-docker + tags: "docker" + become: true + - role: ansible_role_ctop + tags: "ctop" + become: true + - role: mgrote_set_permissions + tags: "perm" + become: true + - role: mgrote_docker_compose_inline + tags: "compose" + become: true diff --git a/playbooks/3_service/fileserver.yml b/playbooks/3_service/fileserver.yml index 399ac160..6560db39 100644 --- a/playbooks/3_service/fileserver.yml +++ b/playbooks/3_service/fileserver.yml @@ -6,6 +6,9 @@ --- - hosts: fileserver roles: - - { role: mgrote_fileserver_smb, tags: "smb" } - - { role: mgrote_youtubedl, tags: "youtubedl" } - - { role: mgrote_disable_oom_killer, tags: "oom" } + - role: mgrote_fileserver_smb + tags: "smb" + - role: mgrote_youtubedl + tags: "youtubedl" + - role: mgrote_disable_oom_killer + tags: "oom" diff --git a/playbooks/3_service/git.yml b/playbooks/3_service/git.yml new file mode 100644 index 00000000..b04fa2ff --- /dev/null +++ b/playbooks/3_service/git.yml @@ -0,0 +1,12 @@ +--- +- hosts: git + roles: + - role: ansible-role-postgresql + tags: "db" + become: true + - role: ansible_role_gitea + tags: "gitea" + become: true + - role: mgrote_gitea_setup + tags: "setup" + become: true diff --git a/playbooks/3_service/gitea.yml b/playbooks/3_service/gitea.yml deleted file mode 100644 index 68793928..00000000 
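Review bot: The rebuilt role list drops `mgrote_mount_cifs` (the old list had `{ role: mgrote_mount_cifs, tags: "cifs", become: true }`, the new one has no cifs entry), yet host_vars/docker10.mgrote.net.yml in this same commit flips the `bilder` mount to `state: absent`. If `cifs_mounts` is consumed only by that role, the unmount never runs and the existing mount configuration (presumably an fstab entry carrying the `photoprism` credentials, whose SMB account is removed in the fileserver3 hunk) stays on the host. Either keep the role for one more run so the absent state is applied, or remove the mount explicitly before dropping the role. If the omission is intentional, a one-line comment in the playbook such as `# cifs mounts retired; see host_vars cifs_mounts state: absent` would save the next reader the search.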
--- a/playbooks/3_service/gitea.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: gitea - roles: - - { role: pyratlabs-ansible-role-gitea, tags: "gitea", become: true } diff --git a/playbooks/3_service/lldap.yml b/playbooks/3_service/lldap.yml new file mode 100644 index 00000000..99f024e4 --- /dev/null +++ b/playbooks/3_service/lldap.yml @@ -0,0 +1,9 @@ +--- +- hosts: ldap + roles: + - role: ansible-role-postgresql + tags: "db" + become: true + - role: mgrote_lldap + tags: "lldap" + become: true diff --git a/playbooks/3_service/pbs.yml b/playbooks/3_service/pbs.yml index d4f25e4d..9c3cccb6 100644 --- a/playbooks/3_service/pbs.yml +++ b/playbooks/3_service/pbs.yml @@ -1,12 +1,21 @@ --- - hosts: pbs roles: - - { role: mgrote_zfs_packages, tags: "zfs_packages" } - - { role: mgrote_zfs_arc_mem, tags: "zfs_arc_mem" } - - { role: mgrote_zfs_manage_datasets, tags: "datasets" } - - { role: mgrote_zfs_scrub, tags: "zfs_scrub" } - - { role: mgrote_zfs_zed, tags: "zfs_zed" } - - { role: mgrote_zfs_sanoid, tags: "sanoid" } - - { role: mgrote_smart, tags: "smart" } - - { role: mgrote_pbs_users, tags: "pbs_users" } - - { role: mgrote_pbs_datastores, tags: "pbs_datastores" } + - role: mgrote_zfs_packages + tags: "zfs_packages" + - role: mgrote_zfs_arc_mem + tags: "zfs_arc_mem" + - role: mgrote_zfs_manage_datasets + tags: "datasets" + - role: mgrote_zfs_scrub + tags: "zfs_scrub" + - role: mgrote_zfs_zed + tags: "zfs_zed" + - role: mgrote_zfs_sanoid + tags: "sanoid" + - role: mgrote_smart + tags: "smart" + - role: mgrote_pbs_users + tags: "pbs_users" + - role: mgrote_pbs_datastores + tags: "pbs_datastores" diff --git a/playbooks/3_service/pve.yml b/playbooks/3_service/pve.yml index 2942574e..3e5b3a4d 100644 --- a/playbooks/3_service/pve.yml +++ b/playbooks/3_service/pve.yml 
@@ -1,14 +1,25 @@ --- - hosts: pve roles: - - { role: mgrote_zfs_packages, tags: "zfs_packages" } - - { role: mgrote_zfs_arc_mem, tags: "zfs_arc_mem" } - - { role: mgrote_zfs_manage_datasets, tags: "datasets" } - - { role: mgrote_zfs_scrub, tags: "zfs_scrub" } - - { role: mgrote_zfs_zed, tags: "zfs_zed" } - - { role: mgrote_zfs_sanoid, tags: "sanoid" } - - { role: mgrote_smart, tags: "smart" } - - { role: mgrote_cv4pve_autosnap, tags: "cv4pve" } - - { role: mgrote_proxmox_bind_mounts, tags: "bindmounts" } - - { role: mgrote_proxmox_lxc_profiles, tags: "lxc-profile" } - - { role: mgrote_pbs_pve_integration, tags: "pbs" } + - role: mgrote_zfs_packages + tags: "zfs_packages" + - role: mgrote_zfs_arc_mem + tags: "zfs_arc_mem" + - role: mgrote_zfs_manage_datasets + tags: "datasets" + - role: mgrote_zfs_scrub + tags: "zfs_scrub" + - role: mgrote_zfs_zed + tags: "zfs_zed" + - role: mgrote_zfs_sanoid + tags: "sanoid" + - role: mgrote_smart + tags: "smart" + - role: mgrote_cv4pve_autosnap + tags: "cv4pve" + - role: mgrote_proxmox_bind_mounts + tags: "bindmounts" + - role: mgrote_proxmox_lxc_profiles + tags: "lxc-profile" + - role: mgrote_pbs_pve_integration + tags: "pbs" diff --git a/playbooks/base/packages.yml b/playbooks/base/packages.yml index cfbfd974..41a17806 100644 --- a/playbooks/base/packages.yml +++ b/playbooks/base/packages.yml @@ -5,14 +5,12 @@ tags: "apt_sources" - role: mgrote_apt_manage_packages tags: "install" - - role: mgrote_exa - tags: "exa" - role: mgrote_remove_snapd become: true tags: "snapd" - role: mgrote_apt_update_packages tags: "updates" - - role: hifis-net-ansible-role-unattended-upgrades + - role: ansible-role-unattended-upgrades become: true tags: unattended when: "ansible_facts['distribution'] == 'Ubuntu'" diff --git a/playbooks/base/system.yml b/playbooks/base/system.yml index 08309d97..aafe625c 100644 --- a/playbooks/base/system.yml +++ b/playbooks/base/system.yml 
@@ -13,11 +13,11 @@ become: true tags: fwupd when: "ansible_facts['distribution'] == 'Ubuntu'" - - role: mrlesmithjr-ansible-manage-lvm + - role: ansible-manage-lvm tags: "lvm" become: true when: manage_lvm == true and manage_lvm is defined - # $manage_lvm gehört zu dieser Rolle, wird aber extra abgefragt um das PLaybook zu "aktivieren" + # $manage_lvm gehört zu dieser Rolle, wird aber extra abgefragt um das Playbook zu "aktivieren" - role: mgrote_ssh tags: "ssh" - role: mgrote_netplan diff --git a/playbooks/base/ufw.yml b/playbooks/base/ufw.yml index afc5bcf5..0afd9435 100644 --- a/playbooks/base/ufw.yml +++ b/playbooks/base/ufw.yml @@ -1,6 +1,6 @@ --- - hosts: all:!pve:!pbs roles: - - { role: oefenweb-ansible-ufw, # Regeln werden in den Group/Host-Vars gesetzt - tags: "ufw", - become: true} + - role: ansible-ufw # Regeln werden in den Group/Host-Vars gesetzt + tags: ufw + become: true diff --git a/playbooks/base/users.yml b/playbooks/base/users.yml index ad1eca58..f9522646 100644 --- a/playbooks/base/users.yml +++ b/playbooks/base/users.yml @@ -2,9 +2,9 @@ - hosts: all roles: - role: mgrote_users - tags: "user" + tags: users become: true - role: mgrote_user_setup tags: - - "user_setup" + - user_setup - dotfiles diff --git a/requirements.yml b/requirements.yml index e093ff29..92b41346 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -4,21 +4,23 @@ collections: - git+https://git.mgrote.net/ansible-collections-mirrors/ansible.posix - git+https://git.mgrote.net/ansible-collections-mirrors/community.docker roles: - - src: https://git.mgrote.net/ansible-roles-mirrors/robertdebock-ansible-role-bootstrap + - src: https://git.mgrote.net/ansible-roles-mirrors/ansible-role-bootstrap scm: git - - src: https://git.mgrote.net/ansible-roles-mirrors/oefenweb-ansible-ufw + - src: https://git.mgrote.net/ansible-roles-mirrors/ansible-ufw scm: git - - src: https://git.mgrote.net/ansible-roles-mirrors/mrlesmithjr-ansible-manage-lvm + - src: https://git.mgrote.net/ansible-roles-mirrors/ansible-manage-lvm scm: git - - src: https://git.mgrote.net/ansible-roles-mirrors/hifis-net-ansible-role-unattended-upgrades + - src: https://git.mgrote.net/ansible-roles-mirrors/ansible-role-unattended-upgrades scm: git - - src: https://git.mgrote.net/ansible-roles-mirrors/geerlingguy-ansible-role-pip + - src: https://git.mgrote.net/ansible-roles-mirrors/ansible-role-pip scm: git - - src: https://git.mgrote.net/ansible-roles-mirrors/geerlingguy-ansible-role-nfs + - src: https://git.mgrote.net/ansible-roles-mirrors/ansible-role-nfs scm: git - - src: https://git.mgrote.net/ansible-roles-mirrors/geerlingguy-ansible-role-docker + - src: https://git.mgrote.net/ansible-roles-mirrors/ansible-role-docker scm: git - - src: https://git.mgrote.net/ansible-roles-mirrors/gantsign-ansible-role-ctop + - src: https://git.mgrote.net/ansible-roles-mirrors/ansible_role_ctop scm: git - - src: https://git.mgrote.net/ansible-roles-mirrors/pyratlabs-ansible-role-gitea + - src: https://git.mgrote.net/ansible-roles-mirrors/ansible_role_gitea + scm: git + - src: https://git.mgrote.net/ansible-roles-mirrors/ansible-role-postgresql scm: git diff --git a/roles/mgrote_gitea_setup/tasks/admin.yml b/roles/mgrote_gitea_setup/tasks/admin.yml new file mode 100644 index 00000000..64543baa --- /dev/null +++ b/roles/mgrote_gitea_setup/tasks/admin.yml 
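Review bot: The new `ansible_role_gitea` and `ansible-role-postgresql` entries, like the renamed ones above them, carry no `version:`, so `ansible-galaxy` checks out whatever the mirror's default branch points to at install time. These roles run with `become: true` on every host in their group, so an upstream or mirror change lands silently on the next role install. Pin a tag or commit under each entry, e.g. `version: "<TAG_OR_COMMIT_PLACEHOLDER>"` next to `scm: git`, and bump it deliberately.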
@@ -0,0 +1,22 @@ +--- +# die Variablen kommen aus +# - https://docs.gitea.com/administration/command-line +# - https://github.com/lldap/lldap/blob/main/example_configs/gitea.md +# und +# den jeweiligen group/host-Vars! +- name: Ensure Admin-User exists + no_log: true + become_user: gitea + become: true + ansible.builtin.command: | + forgejo admin user create \ + --config /etc/gitea/gitea.ini + --username "{{ gitea_admin_user }}" \ + --password "{{ gitea_admin_user_pass }}" \ + --email "{{ gitea_admin_user }}@mgrote.net" \ + --admin + register: setup_admin + ignore_errors: true + failed_when: 'not "Command error: CreateUser: user already exists [name: mg]" in setup_admin.stderr' # fail Task wenn LDAP schon konfiguriert ist + changed_when: "setup_admin.rc == 0" # chnaged nur wenn Task rc 0 hat, sollte nur beim ersten lauf vorkommen; ungetestet +... diff --git a/roles/mgrote_gitea_setup/tasks/ldap.yml b/roles/mgrote_gitea_setup/tasks/ldap.yml new file mode 100644 index 00000000..f8ef6401 --- /dev/null +++ b/roles/mgrote_gitea_setup/tasks/ldap.yml 
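Review bot: `failed_when` hard-codes `[name: mg]` while the username comes from `gitea_admin_user`, so with any other admin name a re-run is reported as failed even though the user exists; and `ignore_errors: true` then swallows that failure anyway, so the task can never stop the play regardless of what `failed_when` says. Drop `ignore_errors` and match on the stable part of the message: `failed_when: 'setup_admin.rc != 0 and "user already exists" not in setup_admin.stderr'`. `--config /etc/gitea/gitea.ini` is also hard-coded (ldap.yml uses `{{ gitea_configuration_path }}/gitea.ini`) and is the one line without a trailing backslash; `ansible.builtin.command` splits the block without a shell, so it is worth checking which arguments actually reach `forgejo`. `no_log` hides the password from Ansible output, but as a command-line argument it is visible to every local user via the process list for the duration of the call; if the CLI offers a way to read it from a file or stdin, prefer that.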
@@ -0,0 +1,56 @@ +--- +# die Variablen kommen aus +# - https://docs.gitea.com/administration/command-line +# - https://github.com/lldap/lldap/blob/main/example_configs/gitea.md +# und +# den jeweiligen group/host-Vars! +- name: Ensure LDAP config is set up + no_log: true + become_user: gitea + become: true + ansible.builtin.command: | + forgejo admin auth add-ldap \ + --config "{{ gitea_configuration_path }}/gitea.ini" \ + --name "lldap" \ + --security-protocol "unencrypted" \ + --host "{{ gitea_ldap_host }}" \ + --port "3890" \ + --bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" \ + --bind-password "{{ gitea_ldap_bind_pass }}" \ + --user-search-base "ou=people,dc=mgrote,dc=net" \ + --user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(|(uid=%[1]s)(mail=%[1]s)))" \ + --username-attribute "uid" \ + --email-attribute "mail" \ + --firstname-attribute "givenName" \ + --surname-attribute "sn" \ + --avatar-attribute "jpegPhoto" \ + --synchronize-users + register: setup + ignore_errors: true + failed_when: 'not "Command error: login source already exists [name: lldap]" in setup.stderr' # fail Task wenn LDAP schon konfiguriert ist + changed_when: "setup.rc == 0" # chnaged nur wenn Task rc 0 hat, sollte nur beim ersten lauf vorkommen; ungetestet + +- name: Modify LDAP config + no_log: true + become_user: gitea + become: true + ansible.builtin.command: | + forgejo admin auth update-ldap \ + --config "{{ gitea_configuration_path }}/gitea.ini" \ + --id "1" \ + --security-protocol "unencrypted" \ + --host "{{ gitea_ldap_host }}" \ + --port "3890" \ + --bind-dn "uid=ladmin,ou=people,dc=mgrote,dc=net" \ + --bind-password "{{ gitea_ldap_bind_pass }}" \ + --user-search-base "ou=people,dc=mgrote,dc=net" \ + --user-filter "(&(memberof=cn=gitea,ou=groups,dc=mgrote,dc=net)(|(uid=%[1]s)(mail=%[1]s)))" \ + --username-attribute "uid" \ + --email-attribute "mail" \ + --firstname-attribute "givenName" \ + --surname-attribute "sn" \ + --avatar-attribute "jpegPhoto" \ + 
--synchronize-users + when: '"Command error: login source already exists [name: lldap]" in setup.stderr' # führe nur aus wenn erster Task fehlgeschlagen ist + changed_when: false # keine idee wie ich changed feststellen kann +... diff --git a/roles/mgrote_gitea_setup/tasks/main.yml b/roles/mgrote_gitea_setup/tasks/main.yml new file mode 100644 index 00000000..1da6b7d9 --- /dev/null +++ b/roles/mgrote_gitea_setup/tasks/main.yml @@ -0,0 +1,7 @@ +--- +- name: Include LDAP tasks + ansible.builtin.include_tasks: ldap.yml + +- name: Include User tasks + ansible.builtin.include_tasks: admin.yml +... diff --git a/roles/mgrote_lldap/defaults/main.yml b/roles/mgrote_lldap/defaults/main.yml new file mode 100644 index 00000000..875efbb5 --- /dev/null +++ b/roles/mgrote_lldap/defaults/main.yml @@ -0,0 +1,21 @@ +--- +lldap_package_url: "https://download.opensuse.org/repositories/home:/Masgalor:/LLDAP/xUbuntu_22.04/amd64/lldap_0.5.0-1+3.1_amd64.deb" +lldap_logging_verbose: "false" +lldap_http_port: "17170" +lldap_http_host: "0.0.0.0" +lldap_ldap_host: "0.0.0.0" +lldap_public_url: http://localhost +lldap_jwt_secret: supersecret +lldap_ldap_base_dn: "dc=example,dc=com" +lldap_admin_username: ladmin # only used on setup +lldap_admin_password: supersecret # also bind-secret; only used on setup +lldap_admin_mailaddress: lldap-admin@mgrote.net # only used on setup +lldap_database_url: "postgres://postgres-user:password@postgres-server/my-database" +lldap_key_seed: supersecretseed +lldap_smtp_from: "LLDAP Admin " +lldap_smtp_reply_to: "Do not reply " +lldap_smtp_server: "mail.domain.net" +lldap_smtp_port: "25" +lldap_smtp_smtp_encryption: "NONE" +lldap_smtp_user: "info@mgrote.net" +lldap_smtp_enable_password_reset: "true" diff --git a/roles/mgrote_lldap/handlers/main.yml b/roles/mgrote_lldap/handlers/main.yml new file mode 100644 index 00000000..81b2c4ad --- /dev/null +++ b/roles/mgrote_lldap/handlers/main.yml 
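Review bot: `--security-protocol "unencrypted"` sends `gitea_ldap_bind_pass` and every user's login password in clear text to `{{ gitea_ldap_host }}` on port 3890, and per the inventory hunk Forgejo (`forgejo.mgrote.net`) and LLDAP (`ldap.mgrote.net`) are different hosts, so this crosses the network. Once the `[ldaps_options]` block in `lldap_config.toml.j2` is enabled, switch both tasks to `--security-protocol "ldaps"` with the matching port (or at least `starttls`). The bind DN is `uid=ladmin`, i.e. the LLDAP admin account (the defaults file notes the admin password doubles as bind secret); a dedicated read-only bind user limits what a leaked Forgejo config can do. As in admin.yml, `ignore_errors: true` defeats `failed_when` — drop it and use `failed_when: 'setup.rc != 0 and "login source already exists" not in setup.stderr'`. `--id "1"` in the update task assumes lldap is the first login source, which holds only on a fresh instance; a comment stating that assumption would help.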
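Review bot: `lldap_jwt_secret`, `lldap_key_seed`, `lldap_admin_password` and the password inside `lldap_database_url` ship with literal placeholder defaults (`supersecret`, `supersecretseed`), so a host whose host/group vars forget to override them comes up with known secrets and no error from Ansible. Leave these keys out of defaults (or document them as mandatory in the role README) so templating fails loudly when they are missing; only non-sensitive settings such as ports, hosts and SMTP addresses belong here. `lldap_ldap_host: "0.0.0.0"` also exposes the plain-LDAP listener on all interfaces; if only Forgejo needs it, binding to the interface the firewall rules expect is cheaper than relying on ufw alone.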
@@ -0,0 +1,9 @@ +--- +- name: Ensure services are enabled and started + become: true + ansible.builtin.systemd: + name: lldap.service + masked: false + enabled: true + state: started +... diff --git a/roles/mgrote_lldap/tasks/main.yml b/roles/mgrote_lldap/tasks/main.yml new file mode 100644 index 00000000..a658d7ae --- /dev/null +++ b/roles/mgrote_lldap/tasks/main.yml @@ -0,0 +1,27 @@ +--- +- name: Ensure package is installed + ansible.builtin.apt: + deb: "{{ lldap_package_url }}" + notify: Ensure services are enabled and started + +- name: Ensure needed directories exist + ansible.builtin.file: + path: "{{ item }}" + state: directory + owner: lldap + group: lldap + mode: '0755' + loop: + - /usr/share/lldap/app/static/fonts + - /usr/share/lldap/app/static + - /usr/share/lldap/app/pkg + +- name: Ensure config is templated + ansible.builtin.template: + src: lldap_config.toml.j2 + dest: /etc/lldap/lldap_config.toml + owner: lldap + group: lldap + mode: "0644" + notify: Ensure services are enabled and started +... diff --git a/roles/mgrote_lldap/templates/lldap_config.toml.j2 b/roles/mgrote_lldap/templates/lldap_config.toml.j2 new file mode 100644 index 00000000..d7c546d6 --- /dev/null +++ b/roles/mgrote_lldap/templates/lldap_config.toml.j2 
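Review bot: The handler ends with `state: started`, but `tasks/main.yml` notifies it from the config template as well; a change to `/etc/lldap/lldap_config.toml` on an already-running service therefore never takes effect until something else restarts lldap. Use `state: restarted` here (a fresh install restarts harmlessly), or add a second `Restart lldap` handler and notify that one from the template task.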
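Review bot: The template task writes `/etc/lldap/lldap_config.toml` with `mode: "0644"`, and that file carries `jwt_secret`, `key_seed` and a database URL with its password, so every local account on the host can read them; `mode: "0600"` (owner `lldap`) is the right setting. `apt: deb: "{{ lldap_package_url }}"` installs a .deb fetched from a third-party OBS home project with no checksum or signature check, so the artifact is trusted on TLS alone and a changed file behind the same URL goes unnoticed; fetch it with `get_url` and a pinned checksum first, then install the local file.

```yaml
- name: Ensure package is downloaded and verified
  ansible.builtin.get_url:
    url: "{{ lldap_package_url }}"
    dest: /usr/local/src/lldap.deb
    mode: "0644"
    checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"  # pin to the artifact behind lldap_package_url

- name: Ensure package is installed
  ansible.builtin.apt:
    deb: /usr/local/src/lldap.deb
  notify: Ensure services are enabled and started

# … unchanged: directory and config template tasks …
```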
@@ -0,0 +1,144 @@ +{{ file_header | default () }} +## Tune the logging to be more verbose by setting this to be true. +## You can set it with the LLDAP_VERBOSE environment variable. +verbose={{ lldap_logging_verbose }} + +## The host address that the LDAP server will be bound to. +## To enable IPv6 support, simply switch "ldap_host" to "::": +## To only allow connections from localhost (if you want to restrict to local self-hosted services), +## change it to "127.0.0.1" ("::1" in case of IPv6)". +ldap_host = "{{ lldap_ldap_host }}" + +## The port on which to have the LDAP server. +#ldap_port = 3890 + +## The host address that the HTTP server will be bound to. +## To enable IPv6 support, simply switch "http_host" to "::". +## To only allow connections from localhost (if you want to restrict to local self-hosted services), +## change it to "127.0.0.1" ("::1" in case of IPv6)". +http_host = "{{ lldap_http_host }}" + +## The port on which to have the HTTP server, for user login and +## administration. +http_port = {{ lldap_http_port }} + +## The public URL of the server, for password reset links. +http_url = "{{ lldap_public_url }}" + +## Random secret for JWT signature. +## This secret should be random, and should be shared with application +## servers that need to consume the JWTs. +## Changing this secret will invalidate all user sessions and require +## them to re-login. +## You should probably set it through the LLDAP_JWT_SECRET environment +## variable from a secret ".env" file. +## This can also be set from a file's contents by specifying the file path +## in the LLDAP_JWT_SECRET_FILE environment variable +## You can generate it with (on linux): +## LC_ALL=C tr -dc 'A-Za-z0-9!#%&'\''()*+,-./:;<=>?@[\]^_{|}~' . +from="{{ lldap_smtp_from }}" +## Same for reply-to, optional. +reply_to="{{ lldap_smtp_reply_to }}" + +## Options to configure LDAPS. 
+## To set these options from environment variables, use the following format +## (example with "port"): LLDAP_LDAPS_OPTIONS__PORT +[ldaps_options] +## Whether to enable LDAPS. +#enabled=true +## Port on which to listen. +#port=6360 +## Certificate file. +#cert_file="/data/cert.pem" +## Certificate key file. +#key_file="/data/key.pem" diff --git a/roles/mgrote_munin_node/defaults/main.yml b/roles/mgrote_munin_node/defaults/main.yml index fafaf701..cea5df43 100644 --- a/roles/mgrote_munin_node/defaults/main.yml +++ b/roles/mgrote_munin_node/defaults/main.yml @@ -22,7 +22,7 @@ munin_plugin_dest_path: /etc/munin/plugins/ munin_plugin_conf_dest_path: /etc/munin/plugin-conf.d/ # munin_node_plugins: #plugins to install # - name: docker_volumes # name -# src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/docker/docker_ #src +# src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/docker/docker_ #src # config_file_name: /etc/munin/plugin-conf.d/docker # where to put plugin config # content of config # config: | diff --git a/roles/mgrote_netplan/templates/10_config.yml.j2 b/roles/mgrote_netplan/templates/10_config.yml.j2 index 18fce5b7..c2e81b00 100644 --- a/roles/mgrote_netplan/templates/10_config.yml.j2 +++ b/roles/mgrote_netplan/templates/10_config.yml.j2 @@ -4,4 +4,4 @@ network: renderer: networkd ethernets: {{ ansible_default_ipv4.interface }}: - dhcp4: yes + dhcp4: true
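Review bot: The `[ldaps_options]` section is left entirely commented out, so LLDAP only offers the plain listener (`ldap_host` comes from `lldap_ldap_host`, which defaults to `0.0.0.0`), and the Forgejo tasks in this commit bind to it with `--security-protocol "unencrypted"` from another host. Template `enabled=true`, `cert_file` and `key_file` from role variables so the client side can move to `ldaps`. `verbose={{ lldap_logging_verbose }}` renders `False` (invalid TOML) if someone sets the variable as a YAML boolean instead of the string `"false"`; `verbose={{ lldap_logging_verbose | bool | lower }}` accepts both. The JWT/key-seed part of the template appears truncated in this view (the text jumps from the `tr -dc` hint to `from=`), so the `jwt_secret`/`key_seed` lines themselves could not be reviewed here.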