pew
/
scripts
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

add polyvalent

master
Paul Wako 2020-12-23 00:08:41 -05:00
parent eced0aac2d
commit 649c0b4781
6 changed files with 36 additions and 94 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ansible/README.md
View File

@ -8,10 +8,6 @@ Assumes:
- Passwordless sudo is enabled for the user ansible uses - Passwordless sudo is enabled for the user ansible uses
- Root and user pw is something memorable - Root and user pw is something memorable
- Wireguard hosts:
- Secure boot is disabled (wireguard is an unsigned module)
- Wireguard is configured on 10.200.0.0/24; See https://wiki.debian.org/Wireguard
- ZFS server: - ZFS server:
- ZFS is configured with a volume at /bigdata for sharing - ZFS is configured with a volume at /bigdata for sharing

68
ansible/files/dma.conf
View File

@ -1,68 +0,0 @@
# $DragonFly: src/etc/dma/dma.conf,v 1.2 2008/02/04 10:11:41 matthias Exp $
#
# Your smarthost (also called relayhost). Leave blank if you don't want
# smarthost support.
# NOTE: on Debian systems this is handled via debconf!
# Please use dpkg-reconfigure dma to change this value.
SMARTHOST smtp.gmail.com
# Use this SMTP port. Most users will be fine with the default (25)
PORT 587
# Path to your alias file. Just stay with the default.
#ALIASES /etc/aliases
# Path to your spooldir. Just stay with the default.
#SPOOLDIR /var/spool/dma
# SMTP authentication
AUTHPATH /etc/dma/auth.conf
# Uncomment if yout want TLS/SSL support
SECURETRANSFER
# Uncomment if you want STARTTLS support (only used in combination with
# SECURETRANSFER)
STARTTLS
# Uncomment if you have specified STARTTLS above and it should be allowed
# to fail ("opportunistic TLS", use an encrypted connection when available
# but allow an unencrypted one to servers that do not support it)
#OPPORTUNISTIC_TLS
# Path to your local SSL certificate
#CERTFILE
# If you want to use plain text SMTP login without using encryption, change
# the SECURE entry below to INSECURE. Otherwise plain login will only work
# over a secure connection. Use this option with caution.
#SECURE
# Uncomment if you want to defer your mails. This is useful if you are
# behind a dialup line. You have to submit your mails manually with dma -q
#DEFER
# Uncomment if you want the bounce message to include the complete original
# message, not just the headers.
#FULLBOUNCE
# The internet hostname dma uses to identify the host.
# If not set or empty, the result of gethostname(2) is used.
# If MAILNAME is an absolute path to a file, the first line of this file
# will be used as the hostname.
# NOTE: on Debian systems this is handled via debconf!
# Please use dpkg-reconfigure dma to change this value.
MAILNAME /etc/mailname
# Masquerade envelope from addresses with this address/hostname.
# Use this if mails are not accepted by destination mail servers because
# your sender domain is invalid.
# By default, MASQUERADE is not set.
# Format: MASQUERADE [user@][host]
# Examples:
# MASQUERADE john@ on host "hamlet" will send all mails as john@hamlet
# MASQUERADE percolator will send mails as $username@percolator, e.g. fish@percolator
# MASQUERADE herb@ert will send all mails as herb@ert
# Directly forward the mail to the SMARTHOST bypassing aliases and local delivery
#NULLCLIENT

10
ansible/hosts.cfg
View File

@ -1,14 +1,14 @@
[compute] [compute]
fogcutter interface=eno1 fogcutter hostname=fogcutter.seaturtle.pw interface=eno1
[daily] [daily]
cabinet interface=enp9s0 cabinet hostname=cabinet.seaturtle.pw interface=enp9s0
[nfs] [nfs]
bigdummy interface=enp2s0 bigdummy hostname=bigdummy.seaturtle.pw interface=enp2s0
[remote] [remote]
joe@madone.seaturtle.pw interface=enp1s0 joe@madone.seaturtle.pw interface=enp1s0
[router] [proxy]
corsa polyvalent hostname=polyvalent.seaturtle.pw interface=eth0

39
ansible/main.yml
View File

@ -1,12 +1,16 @@
# All hosts are debian 10 # All hosts are debian 10
--- ---
# Common # Common
- hosts: daily,compute,nfs,router - hosts: daily,compute,nfs,proxy
become: yes become: yes
handlers: handlers:
- import_tasks: handlers.yml - import_tasks: handlers.yml
tasks: tasks:
# Core # Core
- name: Set hostname
hostname:
name: "{{ hostname }}"
- name: Install common packages - name: Install common packages
apt: apt:
name: name:
@ -70,8 +74,8 @@
notify: Restart systemd-logind service notify: Restart systemd-logind service
- name: Set chrony ntp servers - name: Set chrony ntp servers
copy: template:
src: files/chrony.conf src: templates/chrony.conf.j2
dest: /etc/chrony/chrony.conf dest: /etc/chrony/chrony.conf
owner: root owner: root
group: root group: root
@ -79,7 +83,7 @@
notify: Restart chrony service notify: Restart chrony service
# Core networking # Core networking
- name: Configure sshd_config to listen on 37121/2222/22 and disable password auth - name: Configure sshd_config to listen on 22/2222/37121 and disable password auth
copy: copy:
src: files/sshd_config src: files/sshd_config
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
@ -88,8 +92,7 @@
mode: '0644' mode: '0644'
notify: Restart sshd service notify: Restart sshd service
## Changes will take effect during next reboot ## Changes will take effect during next reboot, does not effect static IPs
## (determined by unattended-upgrades)
- name: Configure sysctl with IPv6 privacy extensions - name: Configure sysctl with IPv6 privacy extensions
template: template:
src: templates/local.conf.j2 src: templates/local.conf.j2
@ -98,17 +101,6 @@
group: root group: root
mode: '0644' mode: '0644'
- name: Configure dma
copy:
src: files/dma.conf
dest: /etc/dma/dma.conf
owner: root
group: mail
mode: '0640'
- debug:
msg: 'Manually configure /etc/dma/auth.conf'
- name: Configure smartd - name: Configure smartd
copy: copy:
src: files/smartd.conf src: files/smartd.conf
@ -271,3 +263,16 @@
msg: msg:
- Start/Configure haproxy manually - Start/Configure haproxy manually
- Start microk8s manually - Start microk8s manually
# Proxy config
- hosts: proxy
become: yes
tasks:
## Changes will take effect during next reboot
- name: Configure sysctl to reject RA acceptance
template:
src: templates/disablera.conf.j2
dest: /etc/sysctl.d/disablera.conf
owner: root
group: root
mode: '0644'

7
ansible/files/chrony.conf → ansible/templates/chrony.conf.j2
View File

@ -1,9 +1,16 @@
# Welcome to the chrony configuration file. See chrony.conf(5) for more # Welcome to the chrony configuration file. See chrony.conf(5) for more
# information about usuable directives. # information about usuable directives.
{% if hostname == 'polyvalent.seaturtle.pw' %}
server 0.us.pool.ntp.org iburst
server 1.us.pool.ntp.org iburst
server 2.us.pool.ntp.org iburst
server 3.us.pool.ntp.org iburst
{% else %}
server ntp-1.vt.edu iburst server ntp-1.vt.edu iburst
server ntp-2.vt.edu iburst server ntp-2.vt.edu iburst
server ntp-3.vt.edu iburst server ntp-3.vt.edu iburst
server ntp-4.vt.edu iburst server ntp-4.vt.edu iburst
{% endif %}
pool 2.debian.pool.ntp.org iburst pool 2.debian.pool.ntp.org iburst
# This directive specify the location of the file containing ID/key pairs for # This directive specify the location of the file containing ID/key pairs for

2
ansible/templates/disablera.conf.j2 Normal file
View File

@ -0,0 +1,2 @@
net.ipv6.conf.{{ interface }}.accept_ra=0
net.ipv6.conf.all.accept_ra=0