diff --git a/ansible/README.md b/ansible/README.md index 2abdccd..8e4be86 100644 --- a/ansible/README.md +++ b/ansible/README.md @@ -5,29 +5,15 @@ export GANDI_API_KEY=mykey ansible-playbook main.yml -i hosts.cfg --extra-vars "gandi_api_key=$GANDI_API_KEY" --limit=cabinet ``` -All additional variables: -- `gandi_api_key`: gandi api key for dynamic dns -- `dma_auth`: smtp password to be used by dma +Additional variables: +- `gandi_api_key`: gandi api key for dynamic dns (only for hosts with non-static IPs) +- `dma_auth`: smtp password to be used by dma (for sending mail) Assumes: -- All: - - OS (Debian) has been installed and IPs have been configured in hosts.cfg - - Host is already trusted via ssh and can be ssh'd into using keys - - Passwordless sudo is enabled for the user ansible uses - -- ZFS server: - - ZFS is configured with a volume at /bigdata - -- Media server: - - Create /media-vtluug folder ??? TODO!! - -- Remote: - - users have already been created - -- Laptop/etc: - - Manually configure ssh and tor - -- TODO: - - fix for network-online.target debian 10 bug - - add samba stuff for fogcutter +- OS (Debian) has been installed and IPs have been configured in hosts.cfg +- Host is already trusted via ssh and can be ssh'd into using keys +- Passwordless sudo is enabled for the user ansible uses +- ZFS and Docker already already configured on applicable hosts +- Special mounts such as /media-vtluug already have their folder created. +- Any additional users have been created diff --git a/ansible/files/bigdummy-main.cf b/ansible/files/bigdummy-main.cf deleted file mode 100644 index 802e611..0000000 --- a/ansible/files/bigdummy-main.cf +++ /dev/null 
@@ -1,55 +0,0 @@ -# See /usr/share/postfix/main.cf.dist for a commented, more complete version - - -# Debian specific: Specifying a file name will cause the first -# line of that file to be used as the name. The Debian default -# is /etc/mailname. -#myorigin = /etc/mailname - -smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) -biff = no - -# appending .domain is the MUA's job. -append_dot_mydomain = no - -# Uncomment the next line to generate "delayed mail" warnings -#delay_warning_time = 4h - -readme_directory = no - -# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on -# fresh installs. -compatibility_level = 2 - - - -# TLS parameters -smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem -smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key -smtpd_use_tls=yes -smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache -smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache - -# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for -# information on enabling SSL in the smtp client. - -smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination -myhostname = bigdummy.seaturtle.pw -alias_maps = hash:/etc/aliases -alias_database = hash:/etc/aliases -myorigin = /etc/mailname -mydestination = $myhostname, bigdummy.seaturtle.pw, localhost.seaturtle.pw, , localhost -relayhost = [smtp.gmail.com]:587 -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 -mailbox_size_limit = 0 -recipient_delimiter = + -inet_interfaces = all -inet_protocols = all - -# added configs -# http://mhawthorne.net/posts/postfix-configuring-gmail-as-relay.html -smtp_use_tls = yes -smtp_sasl_auth_enable = yes -smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd -smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt -smtp_sasl_security_options = diff --git a/ansible/files/dma.conf b/ansible/files/dma.conf index cf75ef0..00655b8 100644 --- a/ansible/files/dma.conf 
+++ b/ansible/files/dma.conf @@ -4,7 +4,7 @@ # smarthost support. # NOTE: on Debian systems this is handled via debconf! # Please use dpkg-reconfigure dma to change this value. -SMARTHOST smtp.gmail.com +SMARTHOST smtp.fastmail.com # Use this SMTP port. Most users will be fine with the default (25) PORT 587 @@ -63,6 +63,7 @@ MAILNAME /etc/mailname # MASQUERADE john@ on host "hamlet" will send all mails as john@hamlet # MASQUERADE percolator will send mails as $username@percolator, e.g. fish@percolator # MASQUERADE herb@ert will send all mails as herb@ert +MASQUERADE puffy@bigcavemaps.com # Directly forward the mail to the SMARTHOST bypassing aliases and local delivery #NULLCLIENT diff --git a/ansible/files/exports b/ansible/files/exports deleted file mode 100644 index 5ddf02a..0000000 --- a/ansible/files/exports +++ /dev/null @@ -1 +0,0 @@ -/bigdata 10.42.0.0/24(ro,all_squash,no_subtree_check) 10.200.0.0/24(rw,no_subtree_check,no_root_squash) diff --git a/ansible/files/smb.conf b/ansible/files/fogcutter/smb.conf similarity index 100% rename from ansible/files/smb.conf rename to ansible/files/fogcutter/smb.conf diff --git a/ansible/files/lech/smb.conf b/ansible/files/lech/smb.conf new file mode 100644 index 0000000..e20cd90 --- /dev/null +++ b/ansible/files/lech/smb.conf 
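Review bot: The smarthost hunk switches `SMARTHOST` to smtp.fastmail.com while keeping `PORT 587`, but nothing in the hunk shows whether dma's `SECURETRANSFER` / `STARTTLS` settings are enabled; since dma-auth.conf.j2 in this same commit sends an AUTH LOGIN password to that host, the TLS lines should be confirmed (or included in the diff) so the credential never goes out in clear. A short comment above the line, `# Auth credentials for this host live in /etc/dma/auth.conf; keep STARTTLS enabled`, would make the dependency visible. In the second dma.conf hunk the new `MASQUERADE puffy@bigcavemaps.com` identity differs from the `paul@bigcavemaps.com` login in the auth template; some smarthosts reject mail whose envelope sender is not tied to the authenticating account, so this is worth a test send. The rest of dma.conf is outside the hunks.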
@@ -0,0 +1,236 @@ +# +# Sample configuration file for the Samba suite for Debian GNU/Linux. +# +# +# This is the main Samba configuration file. You should read the +# smb.conf(5) manual page in order to understand the options listed +# here. Samba has a huge number of configurable options most of which +# are not shown in this example +# +# Some options that are often worth tuning have been included as +# commented-out examples in this file. +# - When such options are commented with ";", the proposed setting +# differs from the default Samba behaviour +# - When commented with "#", the proposed setting is the default +# behaviour of Samba but the option is considered important +# enough to be mentioned here +# +# NOTE: Whenever you modify this file you should run the command +# "testparm" to check that you have not made any basic syntactic +# errors. + +#======================= Global Settings ======================= + +[global] +smb ports = 4445 +client min protocol = SMB3_11 + +## Browsing/Identification ### + +# Change this to the workgroup/NT-domain name your Samba server will part of + workgroup = PEWWG + +#### Networking #### + +# The specific set of interfaces / networks to bind to +# This can be either the interface name or an IP address/netmask; +# interface names are normally preferred +; interfaces = 127.0.0.0/8 eth0 +interfaces = 64.112.38.10/30 eno1 + +# Only bind to the named interfaces and/or networks; you must use the +# 'interfaces' option above to use this. +# It is recommended that you enable this feature if your Samba machine is +# not protected by a firewall or is a firewall itself. However, this +# option cannot handle dynamic or non-broadcast interfaces correctly. +; bind interfaces only = yes + + + +#### Debugging/Accounting #### + +# This tells Samba to use a separate log file for each machine +# that connects + log file = /var/log/samba/log.%m + +# Cap the size of the individual log files (in KiB). 
+ max log size = 1000 + +# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}. +# Append syslog@1 if you want important messages to be sent to syslog too. + logging = file + +# Do something sensible when Samba crashes: mail the admin a backtrace + panic action = /usr/share/samba/panic-action %d + + +####### Authentication ####### + +# Server role. Defines in which mode Samba will operate. Possible +# values are "standalone server", "member server", "classic primary +# domain controller", "classic backup domain controller", "active +# directory domain controller". +# +# Most people will want "standalone server" or "member server". +# Running as "active directory domain controller" will require first +# running "samba-tool domain provision" to wipe databases and create a +# new domain. + server role = standalone server + + obey pam restrictions = yes + +# This boolean parameter controls whether Samba attempts to sync the Unix +# password with the SMB password when the encrypted SMB password in the +# passdb is changed. + unix password sync = yes + +# For Unix password sync to work on a Debian GNU/Linux system, the following +# parameters must be set (thanks to Ian Kahan < for +# sending the correct chat script for the passwd program in Debian Sarge). + passwd program = /usr/bin/passwd %u + passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . + +# This boolean controls whether PAM will be used for password changes +# when requested by an SMB client instead of the program listed in +# 'passwd program'. The default is 'no'. 
+ pam password change = yes + +# This option controls how unsuccessful authentication attempts are mapped +# to anonymous connections + map to guest = bad user + +########## Domains ########### + +# +# The following settings only takes effect if 'server role = classic +# primary domain controller', 'server role = classic backup domain controller' +# or 'domain logons' is set +# + +# It specifies the location of the user's +# profile directory from the client point of view) The following +# required a [profiles] share to be setup on the samba server (see +# below) +; logon path = \\%N\profiles\%U +# Another common choice is storing the profile in the user's home directory +# (this is Samba's default) +# logon path = \\%N\%U\profile + +# The following setting only takes effect if 'domain logons' is set +# It specifies the location of a user's home directory (from the client +# point of view) +; logon drive = H: +# logon home = \\%N\%U + +# The following setting only takes effect if 'domain logons' is set +# It specifies the script to run during logon. The script must be stored +# in the [netlogon] share +# NOTE: Must be store in 'DOS' file format convention +; logon script = logon.cmd + +# This allows Unix users to be created on the domain controller via the SAMR +# RPC pipe. The example command creates a user account with a disabled Unix +# password; please adapt to your needs +; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u + +# This allows machine accounts to be created on the domain controller via the +# SAMR RPC pipe. +# The following assumes a "machines" group exists on the system +; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u + +# This allows Unix groups to be created on the domain controller via the SAMR +# RPC pipe. 
+; add group script = /usr/sbin/addgroup --force-badname %g + +############ Misc ############ + +# Using the following line enables you to customise your configuration +# on a per machine basis. The %m gets replaced with the netbios name +# of the machine that is connecting +; include = /home/samba/etc/smb.conf.%m + +# Some defaults for winbind (make sure you're not using the ranges +# for something else.) +; idmap config * : backend = tdb +; idmap config * : range = 3000-7999 +; idmap config YOURDOMAINHERE : backend = tdb +; idmap config YOURDOMAINHERE : range = 100000-999999 +; template shell = /bin/bash + +# Setup usershare options to enable non-root users to share folders +# with the net usershare command. + +# Maximum number of usershare. 0 means that usershare is disabled. +# usershare max shares = 100 + +# Allow users who've been granted usershare privileges to create +# public shares, not just authenticated ones + usershare allow guests = yes + +#======================= Share Definitions ======================= + +[pew-organized-photos] + comment = pew's organized photos + browseable = yes + path = /mammoth/tmp/pew-organized-photos + guest ok = no + read only = yes + create mask = 0644 + directory mask = 0755 + valid users = paul + +[pew-unorganized-photos] + comment = pew's unorganized photos + browseable = yes + path = /mammoth/tmp/pew-unorganized-photos + guest ok = no + read only = no + create mask = 0644 + directory mask = 0755 + valid users = paul + +# Un-comment the following and create the netlogon directory for Domain Logons +# (you need to configure Samba to act as a domain controller too.) +;[netlogon] +; comment = Network Logon Service +; path = /home/samba/netlogon +; guest ok = yes +; read only = yes + +# Un-comment the following and create the profiles directory to store +# users profiles (see the "logon path" option above) +# (you need to configure Samba to act as a domain controller too.) 
+# The path below should be writable by all users so that their +# profile directory may be created the first time they log on +;[profiles] +; comment = Users profiles +; path = /home/samba/profiles +; guest ok = no +; browseable = no +; create mask = 0600 +; directory mask = 0700 + +;[printers] +; comment = All Printers +; browseable = no +; path = /var/spool/samba +; printable = yes +; guest ok = no +; read only = yes +; create mask = 0700 + +# Windows clients look for this share name as a source of downloadable +# printer drivers +;[print$] +; comment = Printer Drivers +; path = /var/lib/samba/printers +; browseable = yes +; read only = yes +; guest ok = no +# Uncomment to allow remote administration of Windows print drivers. +# You may need to replace 'lpadmin' with the name of the group your +# admin users are members of. +# Please note that you also need to set appropriate Unix permissions +# to the drivers directory for these users to have write rights in it +; write list = root, @lpadmin + diff --git a/ansible/hosts.cfg b/ansible/hosts.cfg index 5f97e08..53e702d 100644 --- a/ansible/hosts.cfg +++ b/ansible/hosts.cfg @@ -1,14 +1,11 @@ [all:vars] ansible_python_interpreter=/usr/bin/python3 -[homelab] -fogcutter hostname=fogcutter.seaturtle.pw interface=eno1 admin=joe +[fogcutter] +paul@fogcutter.seaturtle.pw hostname=fogcutter.seaturtle.pw hostname_short=fogcutter interface=eno1 admin=joe -[daily] -cabinet hostname=cabinet.seaturtle.pw interface=enp9s0 admin=paul +[cabinet] +paul@cabinet.seaturtle.pw hostname=cabinet.seaturtle.pw hostname_short=cabinet interface=enp9s0 admin=paul -[irc] -joe@madone.seaturtle.pw hostname=madone.seaturtle.pw interface=enp1s0 admin=joe - -[cloudlab] -joe@polyvalent hostname=polyvalent.seaturtle.pw interface=eth0 admin=joe +[lech] +paul@lech.seaturtle.pw hostname=lech.seaturtle.pw hostname_short=lech interface=eno1 admin=paul diff --git a/ansible/main.yml b/ansible/main.yml index c80a229..8eb303b 100644 --- a/ansible/main.yml 
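Review bot: In the `[global]` section the new smb.conf lists a public address under `interfaces = 64.112.38.10/30 eno1` but leaves `; bind interfaces only = yes` commented, so smbd still listens on every address and the `interfaces` line restricts nothing; the file's own comment says to enable it when the host is not behind a firewall. Likewise `client min protocol = SMB3_11` only governs Samba's outbound client connections; if the intent was to refuse old clients on the exposed port, the server-side knob is `server min protocol = SMB3_11`. With both photo shares set to `guest ok = no` and `valid users = paul`, `usershare allow guests = yes` appears to be an unused opening and can be set to `no`. Suggested lines: `bind interfaces only = yes`, `server min protocol = SMB3_11`, `usershare allow guests = no`.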
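Review bot: The new inventory names hosts as `paul@cabinet.seaturtle.pw`, which appears to be why a separate `hostname_short` variable is introduced here and consumed by the backup-job hunk in main.yml (`inventory_hostname` would otherwise carry the `paul@` prefix). Using the plain host name as the inventory entry and setting the login user as a host var keeps `inventory_hostname` usable and drops the duplicated variable, e.g. `cabinet.seaturtle.pw ansible_user=paul hostname=cabinet.seaturtle.pw interface=enp9s0 admin=paul`. This is a style point; the current form works as long as every consumer uses `hostname_short`.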
+++ b/ansible/main.yml @@ -1,7 +1,7 @@ -# All hosts are debian 10 or 11 +# All hosts are debian --- # Common -- hosts: daily,homelab,irc +- hosts: cabinet,fogcutter,lech become: yes handlers: - import_tasks: handlers.yml @@ -16,6 +16,7 @@ name: - apt-listchanges - beets + - bsd-mailx - chrony - curl - dma @@ -32,6 +33,7 @@ - smartmontools - snapd - speedtest-cli + - sshfs - tmux - tor - unattended-upgrades @@ -112,7 +114,7 @@ - name: Configure dma auth template: - src: templates/auth.conf.j2 + src: templates/dma-auth.conf.j2 dest: /etc/dma/auth.conf owner: root group: mail 
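Review bot: The `Configure dma auth` task now renders a file that contains the smarthost password (`{{ dma_auth }}` in dma-auth.conf.j2), yet the task has no `no_log: true`, so a `--diff` or verbose run prints the credential to the console and any CI log. Adding `no_log: true` alongside the `template:` keys closes that; the task's `mode:` line falls outside the hunk, so also confirm it is restrictive rather than the default. The dma-auth.conf.j2 rename in this commit makes the src path change here consistent.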
@@ -150,57 +152,30 @@ msg: Manually get tor hostname # Common dynamic settings -- hosts: daily,homelab - become: yes - handlers: - - import_tasks: handlers.yml - tasks: - - name: Copy Dynamic DNS script - template: - src: templates/gandi-ddns.sh.j2 - dest: /usr/local/bin/gandi-ddns.sh - owner: root - group: root - mode: '0755' - when: gandi_api_key is defined and gandi_api_key != '' +#- hosts: fogcutter +# become: yes +# handlers: +# - import_tasks: handlers.yml +# tasks: +# - name: Copy Dynamic DNS script +# template: +# src: templates/gandi-ddns.sh.j2 +# dest: /usr/local/bin/gandi-ddns.sh +# owner: root +# group: root +# mode: '0755' +# when: gandi_api_key is defined and gandi_api_key != '' +# +# - name: Add Dynamic DNS cronjob +# cron: +# name: "Update dynamic dns" +# job: /usr/local/bin/gandi-ddns.sh +# special_time: daily +# user: root +# when: gandi_api_key is defined - - name: Add Dynamic DNS cronjob - cron: - name: "Update dynamic dns" - job: /usr/local/bin/gandi-ddns.sh - special_time: daily - user: root - when: gandi_api_key is defined - -# Docker -- hosts: homelab,irc - become: yes - tasks: - - name: Add Docker GPG key - apt_key: - url: https://download.docker.com/linux/debian/gpg - - - name: Add Docker APT repository - apt_repository: - repo: deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable - - - name: Install Docker CE - apt: - name: - - docker-ce - - docker-ce-cli - - containerd.io - force_apt_get: yes - update_cache: yes - - - name: Add admin to docker group - user: - name: "{{ admin }}" - groups: docker - append: yes - -# Compute config -- hosts: homelab +# Lech (main host) config +- hosts: lech become: yes handlers: - import_tasks: handlers.yml 
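Review bot: The dynamic-DNS play is kept as a commented-out block rather than removed, which leaves dead configuration in the playbook while the README hunk in the same commit still advertises `gandi_api_key` as a supported variable for hosts with non-static IPs. Either delete the block (git history keeps it) or leave the play live, since its tasks are already guarded by `when: gandi_api_key is defined and gandi_api_key != ''` and would be no-ops for hosts without the key. If it stays commented, a one-line `# Disabled: no host currently has a dynamic IP; see README` above it would explain why.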
@@ -208,11 +183,32 @@ - name: Install samba, zfs stuff apt: name: + - samba - zfs-auto-snapshot - zfs-zed force_apt_get: yes update_cache: yes + - name: Create samba dirs + file: + path: "/mammoth/tmp/{{ item }}" + state: directory + owner: paul + group: paul + loop: + - pew-unorganized-photos + - pew-organized-photos + notify: Restart smbd + + - name: Configure samba + copy: + src: files/lech/smb.conf + dest: /etc/samba/smb.conf + owner: root + group: root + mode: '0644' + notify: Restart smbd + - name: Configure zfs-zed copy: src: files/zed.rc @@ -222,26 +218,24 @@ mode: '0644' notify: Restart zfs-zed - - name: Install weekly bigdata scrub cron job + - name: Install weekly ZFS cron job cron: name: 'Weekly zfs pool status check' special_time: weekly job: '/usr/sbin/zpool status | mail -s "ZFS STATUS" paul@bigcavemaps.com' - user: root + user: paul - name: Mount vtluug /media via sshfs mount: src: pew-media@dirtycow.vtluug.org:/nfs/cistern/share/media path: /media-vtluug fstype: fuse.sshfs - opts: reconnect,allow_other,ro,_netdev,IdentityFile=/home/paul/.ssh/id_rsa_fast + opts: allow_other,ro,_netdev,StrictHostKeyChecking=no,IdentityFile=/home/paul/.ssh/id_rsa_fast state: mounted - - - name: Install rclone - apt: - deb: https://downloads.rclone.org/rclone-current-linux-amd64.deb - force_apt_get: yes + - debug: + msg: Manually copy vtluug ssh key + - debug: msg: Manually configure rclone remote drive @@ -254,19 +248,4 @@ month: '*' weekday: '1' user: paul - job: "/home/paul/scripts-private/{{ inventory_hostname }}/backup.sh" - -# IRC config -- hosts: irc - become: yes - handlers: - - import_tasks: handlers.yml - tasks: - - name: Install weechat systemd service - copy: - src: files/weechat.service - dest: /etc/systemd/system/weechat.service - owner: root - group: root - mode: '0644' - notify: Enable weechat service + job: "/home/paul/scripts-private/{{ hostname_short }}/backup.sh" 
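Review bot: The new `Configure samba` copy task installs smb.conf with no `validate:`, so a syntax slip takes smbd down on the next restart; the sample file's own header recommends `testparm`, and the copy module supports it as `validate: /usr/bin/testparm -s %s`. The `Create samba dirs` task sets owner and group but no `mode`, leaving directory permissions to the remote umask; an explicit `mode: '0750'` (or whatever the share policy needs) makes the result deterministic. Its `notify: Restart smbd` is also unnecessary, since creating a directory does not change smbd's configuration.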
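Review bot: The sshfs mount options now add `StrictHostKeyChecking=no`, which disables host-key verification for a mount that authenticates with `/home/paul/.ssh/id_rsa_fast`; a spoofed dirtycow.vtluug.org would be accepted silently. The usual fix is to pin the server's key in the system known_hosts file with the `known_hosts` module and drop the option, as below. The hunk also drops `reconnect` from the options; if that was unintended it should come back, since `_netdev` alone does not re-establish a dropped session. The weekly ZFS cron change (`user: paul`) looks fine as `zpool status` needs no privilege.
```yaml
- name: Pin vtluug sshfs server host key
  known_hosts:
    path: /etc/ssh/ssh_known_hosts
    name: dirtycow.vtluug.org
    # placeholder: put the server's public host key line in this file
    key: "{{ lookup('file', 'files/lech/PLACEHOLDER_dirtycow_known_hosts') }}"

- name: Mount vtluug /media via sshfs
  mount:
    src: pew-media@dirtycow.vtluug.org:/nfs/cistern/share/media
    path: /media-vtluug
    fstype: fuse.sshfs
    opts: reconnect,allow_other,ro,_netdev,IdentityFile=/home/paul/.ssh/id_rsa_fast
    state: mounted
# … unchanged: debug messages and rclone cron …
```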
diff --git a/ansible/templates/auth.conf.j2 b/ansible/templates/dma-auth.conf.j2 similarity index 77% rename from ansible/templates/auth.conf.j2 rename to ansible/templates/dma-auth.conf.j2 index d1eaf6e..86c3385 100644 --- a/ansible/templates/auth.conf.j2 +++ b/ansible/templates/dma-auth.conf.j2 @@ -2,4 +2,4 @@ # # SMTP authentication entries (currently AUTH LOGIN only) # Format: user|my.smarthost.example.com:password -zedseaturtlepw@gmail.com|smtp.gmail.com:{{ dma_auth }} +paul@bigcavemaps.com|smtp.fastmail.com:{{ dma_auth }}