
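---
# Play 1: prepare the control node. Runs locally without facts; creates the
# directories later plays store credentials and keys in, and installs the
# client tools they need.
- name: Configure local repository
  hosts: 127.0.0.1
  connection: local
  gather_facts: false
  tasks:
    # NOTE(review): every directory, including the private-key ones, gets
    # o=rx, i.e. a world-listable directory. The files inside must then carry
    # their own restrictive modes; consider "u=rwx,g=,o=" for the
    # *_private / ssh_key / credentials directories once confirmed nothing
    # else on the control node needs to traverse them.
    - name: Create local directory for credentials & keys
      file:
        path: "{{ item }}"
        owner: "{{ global_local_user }}"
        group: "{{ global_local_user }}"
        mode: "u=rwx,g=rx,o=rx"
        state: directory
      loop:
        - "{{ global_credentials_directory }}"
        - "{{ global_public_key_directory }}"
        - "{{ global_ssh_key_directory }}"
        - "{{ global_ssh_host_key_directory }}"
        - "{{ global_wireguard_private_directory }}"
        - "{{ global_wireguard_public_directory }}"

    # sshpass presumably serves the bootstrap play's first password login and
    # wireguard-tools the key generation in playbooks/wireguard.yml — confirm
    # against those roles. Only this task escalates; everything else in the
    # play runs as the invoking user.
    - name: Install required tools
      become: true
      become_user: root
      become_method: sudo
      apt:
        name:
          - sshpass
          - wireguard-tools
        state: present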
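# Play 2: first contact with freshly provisioned hosts. Only members of the
# `bootstrap` inventory group are touched; facts are skipped, presumably
# because the role runs before the final login method is in place — confirm
# against roles/bootstrap before adding fact-dependent tasks here.
- name: Configure secure root access to hosts
  hosts: bootstrap
  gather_facts: false
  roles:
    - role: bootstrap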
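# Play 3: baseline for every host. `strategy: free` lets each host proceed
# independently, so the roles listed here must not depend on state produced
# on other hosts during the same play.
- name: Configure baseline for all hosts
  hosts: all
  strategy: free
  roles:
    - role: hostname
      fqdn: "{{ inventory_hostname }}"
    - role: common
    # Shared admin account. Password and key list come from inventory/vault
    # variables; `sudo` is a parameter of the account role (not the Ansible
    # keyword) and presumably grants the user privilege escalation.
    # NOTE(review): authorized keys are pulled from a URL, so whoever controls
    # that endpoint controls who may log in as zocker — confirm it is HTTPS
    # and a source the team owns.
    - role: account
      username: "zocker"
      password: "{{ zocker_password }}"
      authorized_keys: "{{ zocker_authorized_keys_url }}"
      sudo: true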
# Play 4: the wireguard mesh lives in its own playbook. import_playbook is
# static, so its plays are spliced in here at parse time.
- import_playbook: playbooks/wireguard.yml
  name: Configure wireguard network
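# Play 5: the main server. Facts are gathered (default) because the zones
# below template ansible_default_ipv4/ipv6 of this host and of every host in
# `public_available`.
# NOTE(review): the `test` tag on a production play looks accidental —
# `--tags test` would run the whole of nvak; confirm it is still wanted.
- name: Configure nvak
  tags:
    - test
  hosts: nvak.banananet.work
  vars:
    # No secondaries are configured, yet three of the zones below advertise
    # ns2.banananet.work as NS and the banananet.work zone carries no ns2
    # record (the dns/slave roles in the rurapenthe play are commented out).
    # Until a slave exists the ns2 delegation points at nothing.
    nvak_dns_slaves: []
  pre_tasks:
    # Read the DNS record line generated for each host on the control node
    # (presumably an SSHFP record; see the `dns` file written by the ssh
    # host-key handling). `command` does not go through a shell, the argument
    # is only shlex-split: the surrounding double quotes already protect
    # spaces, and a `| quote` filter inside them would add literal single
    # quotes to the path for any value shlex considers unsafe (e.g. "~").
    - name: Load ssh host key dns fingerprint for host
      command: cat "{{ global_ssh_host_key_directory }}/{{ item }}/dns"
      delegate_to: localhost
      register: ssh_key_dns_fpr_raw
      changed_when: false
      loop: "{{ groups['all'] }}"
    # Reshape the loop results into {inventory_hostname: record line}.
    - name: Remap ssh host key dns fingerprints
      set_fact:
        ssh_key_dns_fpr_map: "{{ ssh_key_dns_fpr_raw.results | items2dict(key_name='item', value_name='stdout') }}"
  roles:
    # Authoritative DNS. `entries` is a zone-file fragment; the Jinja inside
    # the block scalar is expanded by the role, not by this playbook.
    - role: dns/master
      domain: banananet.work
      main_nameserver_domain: ns1.banananet.work.
      responsible_mail_name: admin.banananet.work.
      slaves: "{{ nvak_dns_slaves }}"
      entries: |
        ; Name Servers
        @ IN NS ns1
        ns1 IN A {{ ansible_default_ipv4.address }}
        ns1 IN AAAA {{ ansible_default_ipv6.address }}
        ; Automatic server addresses
        {% for fqdn in groups['public_available'] %}
        {{ fqdn }}. IN A {{ hostvars[fqdn].ansible_default_ipv4.address }}
        {{ fqdn }}. IN AAAA {{ hostvars[fqdn].ansible_default_ipv6.address }}
        {{ ssh_key_dns_fpr_map[fqdn] }}
        {% endfor %}
        ; Public use domains
        @ IN A {{ ansible_default_ipv4.address }}
        @ IN AAAA {{ ansible_default_ipv6.address }}
        auth IN CNAME nvak
        cloud IN CNAME nvak
        test.cloud IN CNAME nvak
        dsa IN CNAME nvak
        firefox IN CNAME nvak
        git IN CNAME nvak
        keys IN CNAME rurapenthe
        rss IN CNAME nvak
        wg IN CNAME nvak
        ; Mail
        @ IN MX 10 nvak
        @ IN TXT "v=spf1 +mx -all"
        mail IN CNAME nvak
        imap IN CNAME nvak
        smtp IN CNAME nvak
    - role: dns/master
      domain: forumderschan.de
      main_nameserver_domain: ns1.banananet.work.
      responsible_mail_name: admin.banananet.work.
      slaves: "{{ nvak_dns_slaves }}"
      entries: |
        ; Name Servers
        @ IN NS ns1.banananet.work.
        @ IN NS ns2.banananet.work.
        ; WebPage
        @ IN A {{ ansible_default_ipv4.address }}
        @ IN AAAA {{ ansible_default_ipv6.address }}
        www IN A {{ ansible_default_ipv4.address }}
        www IN AAAA {{ ansible_default_ipv6.address }}
        ; Mail
        @ IN MX 10 nvak
        @ IN TXT "v=spf1 +mx -all"
    - role: dns/master
      domain: spotme.fun
      main_nameserver_domain: ns1.banananet.work.
      responsible_mail_name: admin.banananet.work.
      slaves: "{{ nvak_dns_slaves }}"
      entries: |
        ; Name Servers
        @ IN NS ns1.banananet.work.
        @ IN NS ns2.banananet.work.
        ; Web Page
        @ IN A {{ ansible_default_ipv4.address }}
        @ IN AAAA {{ ansible_default_ipv6.address }}
        www IN A {{ ansible_default_ipv4.address }}
        www IN AAAA {{ ansible_default_ipv6.address }}
        ; Mail
        @ IN MX 10 nvak
        @ IN TXT "v=spf1 +mx -all"
    # The SOA contact was spelled `resposible_mail_name` here, so the role
    # never received it for this zone and fell back to whatever its default
    # is; now consistent with the other three zones.
    - role: dns/master
      domain: stadtpiraten-karlsruhe.de
      main_nameserver_domain: ns1.banananet.work.
      responsible_mail_name: admin.banananet.work.
      slaves: "{{ nvak_dns_slaves }}"
      entries: |
        ; Name Servers
        @ IN NS ns1.banananet.work.
        @ IN NS ns2.banananet.work.
        ; WebPages
        @ IN A {{ ansible_default_ipv4.address }}
        @ IN AAAA {{ ansible_default_ipv6.address }}
        www IN A {{ ansible_default_ipv4.address }}
        www IN AAAA {{ ansible_default_ipv6.address }}
        forum IN A {{ ansible_default_ipv4.address }}
        forum IN AAAA {{ ansible_default_ipv6.address }}
        ; Mail
        @ IN MX 10 nvak
        @ IN TXT "v=spf1 +mx -all"
    # Git Server
    - role: server/gitea
      domain: git.banananet.work
      gitea_system_user: git
    # Banananet.work
    - role: server/static
      domain: banananet.work
      repo: git@git.banananet.work:banananetwork/main-static.git
    # SpotMe Server
    # - role: server/spotme
    #   domain: spotme.fun
    #   spotme_system_user: spotme
    # # Admin Panel
    # - role: server/php
    #   domain: nvak.banananet.work
    #   repo: PHPMYADMIN # TODO
    # BananaNetwork Keys
    # NOTE(review): the same app is also deployed on rurapenthe, and the
    # banananet.work zone above points `keys` at rurapenthe, so this copy is
    # not reachable under its domain and is started without REGISTER_PASS.
    # Presumably a leftover from a migration — confirm and drop one of them.
    - role: server/node
      domain: keys.banananet.work
      repo: git@git.banananet.work:banananetwork/keys.git
      app_port: 12822
      system_user: keys-banananet-work
    # Nextcloud Server
    # NOTE(review): the Nextcloud admin password is the same secret as the
    # zocker OS account created in the all-hosts play; a compromise of the web
    # app's admin login then also yields a sudo-capable shell account.
    # A dedicated secret for the web admin would contain that.
    - role: server/nextcloud
      domain: cloud.banananet.work
      system_user: nextcloud
      nextcloud_admin_user: zocker
      nextcloud_admin_pass: "{{ zocker_password }}"
      enabled_apps_list:
        - accessibility
        - activity
        - admin_audit
        - apporder
        - bruteforcesettings
        - calendar
        - checksum
        - cloud_federation_api
        - comments
        - contacts
        - cookbook
        - cospend
        - dav
        - deck
        - dicomviewer
        - external
        - federatedfilesharing
        - federation
        - files
        - files_automatedtagging
        - files_ebookreader
        - files_external
        - files_markdown
        - files_pdfviewer
        - files_readmemd
        - files_rightclick
        - files_sharing
        - files_texteditor
        - files_trashbin
        - files_versions
        - files_videoplayer
        - firstrunwizard
        - gallery
        - logreader
        - lookup_server_connector
        - mail
        - metadata
        - nextcloud_announcements
        - notes
        - notifications
        - oauth2
        - ocdownloader
        - password_policy
        - phonetrack
        - polls
        - privacy
        - provisioning_api
        - quota_warning
        - serverinfo
        - sharebymail
        - sharerenamer
        - social
        - sociallogin
        - socialsharing_email
        - spreed
        - support
        - suspicious_login
        - systemtags
        - tasks
        - theming
        - twofactor_admin
        - twofactor_backupcodes
        - twofactor_gateway
        - twofactor_nextcloud_notification
        - twofactor_totp
        - twofactor_u2f
        - updatenotification
        - viewer
        - workflowengine
      disabled_apps_list:
        - encryption
        - recommendations
        - survey_client
        - user_ldap
    # Firefox Sync Server
    - role: server/firefox-sync
      domain: firefox.banananet.work
    # RSS Server
    # TODO Manual initialization of database required
    - role: server/tt-rss
      domain: rss.banananet.work
    # DSA Seite
    # - role: server/node
    #   domain: dsa.banananet.work
    #   repo: git@git.banananet.work:dsaGroup/dsaPage.git
    #   app_port: 12821
    #   system_user: dsaPage
    # Forum der Schande
    - role: server/php
      domain: forumderschan.de
      repo: git@git.banananet.work:strichliste/strichliste-php.git
      root: html
      installation_includes:
        - includes
    - role: nginx/forward
      domain: www.forumderschan.de
      dest: forumderschan.de
    # WG Nextcloud
    # NOTE(review): no nextcloud_admin_pass is passed for this instance, so the
    # role's default applies — confirm it is generated rather than a fixed
    # value in the role. admin_audit is disabled here but enabled on the main
    # instance; confirm the missing audit log is intentional.
    - role: server/nextcloud
      domain: wg.banananet.work
      nextcloud_admin_user: felix
      enabled_apps_list:
        - accessibility
        - activity
        - apporder
        - bruteforcesettings
        - calendar
        - checksum
        - cloud_federation_api
        - comments
        - contacts
        - cookbook
        - cospend
        - dav
        - deck
        - encryption
        - external
        - federatedfilesharing
        - federation
        - files
        - files_automatedtagging
        - files_ebookreader
        - files_external
        - files_markdown
        - files_pdfviewer
        - files_readmemd
        - files_rightclick
        - files_sharing
        - files_texteditor
        - files_trashbin
        - files_versions
        - files_videoplayer
        - firstrunwizard
        - gallery
        - logreader
        - lookup_server_connector
        - metadata
        - nextcloud_announcements
        - notes
        - notifications
        - oauth2
        - ocdownloader
        - password_policy
        - polls
        - privacy
        - provisioning_api
        - quota_warning
        - serverinfo
        - sharebymail
        - sharerenamer
        - sociallogin
        - socialsharing_email
        - spreed
        - support
        - suspicious_login
        - systemtags
        - tasks
        - theming
        - twofactor_admin
        - twofactor_backupcodes
        - twofactor_gateway
        - twofactor_nextcloud_notification
        - twofactor_totp
        - twofactor_u2f
        - updatenotification
        - viewer
        - workflowengine
      disabled_apps_list:
        - admin_audit
        - recommendations
        - survey_client
        - user_ldap
    # # Stadtpiraten
    # - role: server/typo3
    #   domain: piraten.dev.banananet.work
    # - role: server/php
    #   domain: forum.piraten.dev.banananet.work
    #   repo: PHPBB # TODO
    #   version: master
    # # Stadtpiraten (prod)
    # - role: nginx/forward
    #   domain: www.stadtpiraten-karlsruhe.de
    #   dest: stadtpiraten-karlsruhe.de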
# Play 6: rurapenthe. Secondary DNS for the four zones is prepared but
# switched off (commented roles below); the host currently only runs the
# keys app, which the banananet.work zone resolves `keys` to.
- name: Configure rurapenthe
  hosts: rurapenthe.banananet.work
  roles:
    # - role: dns/slave
    #   domain: banananet.work
    #   masters:
    #     - nvak.banananet.work
    # - role: dns/slave
    #   domain: forumderschan.de
    #   masters:
    #     - nvak.banananet.work
    # - role: dns/slave
    #   domain: stadtpiraten-karlsruhe.de
    #   masters:
    #     - nvak.banananet.work
    # - role: dns/slave
    #   domain: spotme.fun
    #   masters:
    #     - nvak.banananet.work
    # REGISTER_PASS is the shared secret the app reads from its environment;
    # it is taken from a global variable so the registering side (presumably
    # misc/ip_discover on hardie) can use the same value.
    - role: server/node
      domain: keys.banananet.work
      system_user: keys-banananet-work
      app_port: 12822
      repo: git@git.banananet.work:banananetwork/keys.git
      environment_vars:
        REGISTER_PASS: "{{ global_ip_discover_register_pass }}"
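# Play 7: hardie (khitomer site). Facts are gathered (default); the role
# name suggests it publishes this host's current address to the keys app
# using global_ip_discover_register_pass — confirm against roles/misc/ip_discover.
- name: Configure hardie
  hosts: hardie.khitomer.banananet.work
  roles:
    - role: misc/ip_discover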