diff --git a/site.yml b/site.yml new file mode 100644 index 0000000..a84cd28 --- /dev/null +++ b/site.yml 
@@ -0,0 +1,287 @@ +--- + +- name: Configure local repository + hosts: 127.0.0.1 + connection: local + gather_facts: no + tasks: + - name: Create local directory for credentials & keys + file: + path: "{{ item }}" + owner: "{{ global_local_user }}" + group: "{{ global_local_user }}" + mode: "u=rwx,g=rx,o=rx" + state: directory + loop: + - "{{ global_credentials_directory }}" + - "{{ global_public_key_directory }}" + - "{{ global_ssh_key_directory }}" + - "{{ global_ssh_host_key_directory }}" + - "{{ global_wireguard_private_directory }}" + - "{{ global_wireguard_public_directory }}" + - name: Install required tools + become: yes + become_user: root + become_method: sudo + apt: + name: + - sshpass + - wireguard-tools + state: present + +- name: Configure secure root access to hosts + hosts: bootstrap + gather_facts: no + roles: + - role: bootstrap + +- hosts: all + strategy: free + roles: + - role: hostname + fqdn: "{{ inventory_hostname }}" + - role: common + - role: account + username: "zocker" + password: "{{ zocker_password }}" + sudo: yes + +- name: Install wireguard vpn + hosts: all + strategy: free + roles: + - role: wireguard/application + +- name: Configure nvak + tags: + - test + hosts: nvak.banananet.work + vars: + nvak_dns_slaves: [] + pre_tasks: + - name: Load ssh host key dns fingerprint for host + local_action: + module: command cat "{{ global_ssh_host_key_directory | quote }}/{{ item | quote }}/dns" + register: ssh_key_dns_fpr_raw + changed_when: False + loop: "{{ groups['all'] }}" + - name: Remap ssh host key dns fingerprints + set_fact: + ssh_key_dns_fpr_map: "{{ ssh_key_dns_fpr_raw.results | items2dict(key_name='item', value_name='stdout') }}" + roles: + - role: dns/master + domain: banananet.work + main_nameserver_domain: ns1.banananet.work. + responsible_mail_name: admin.banananet.work. 
+ slaves: "{{ nvak_dns_slaves }}" + entries: | + ; Name Servers + @ IN NS ns1 + ns1 IN A {{ ansible_default_ipv4.address }} + ns1 IN AAAA {{ ansible_default_ipv6.address }} + @ IN NS ns2 + ns2 IN A {{ hostvars['rurapenthe.banananet.work'].ansible_default_ipv4.address }} + ns2 IN AAAA {{ hostvars['rurapenthe.banananet.work'].ansible_default_ipv6.address }} + ; Automatic server addresses + ; TODO only if addresses not local + {% for fqdn, facts in hostvars.items() %} + {{ fqdn }}. IN A {{ facts.ansible_default_ipv4.address }} + {{ fqdn }}. IN AAAA {{ facts.ansible_default_ipv6.address }} + {{ ssh_key_dns_fpr_map[fqdn] }} + {% endfor %} + ; Public use domains + @ IN A {{ ansible_default_ipv4.address }} + @ IN AAAA {{ ansible_default_ipv6.address }} + auth IN CNAME nvak + cloud IN CNAME nvak + test.cloud IN CNAME nvak + dsa IN CNAME nvak + firefox.quvat IN CNAME nvak ; TODO Legacy domain + git IN CNAME nvak + keys IN CNAME nvak + rss IN CNAME nvak + ; Mail + @ IN MX 10 nvak.banananet.work + mail IN CNAME nvak + imap IN CNAME nvak + smtp IN CNAME nvak + - role: dns/master + domain: forumderschan.de + main_nameserver_domain: ns1.banananet.work. + responsible_mail_name: admin.banananet.work. + slaves: "{{ nvak_dns_slaves }}" + entries: | + ; Name Servers + @ IN NS ns1.banananet.work. + @ IN NS ns2.banananet.work. + ; WebPage + @ IN A {{ ansible_default_ipv4.address }} + @ IN AAAA {{ ansible_default_ipv6.address }} + www IN A {{ ansible_default_ipv4.address }} + www IN AAAA {{ ansible_default_ipv6.address }} + ; Mail + @ IN MX 10 nvak.banananet.work + - role: dns/master + domain: spotme.fun + main_nameserver_domain: ns1.banananet.work. + responsible_mail_name: admin.banananet.work. + slaves: "{{ nvak_dns_slaves }}" + entries: | + ; Name Servers + @ IN NS ns1.banananet.work. + @ IN NS ns2.banananet.work. 
+ ; Web Page + @ IN A {{ ansible_default_ipv4.address }} + @ IN AAAA {{ ansible_default_ipv6.address }} + www IN A {{ ansible_default_ipv4.address }} + www IN AAAA {{ ansible_default_ipv6.address }} + ; Mail + @ IN MX 10 nvak.banananet.work + - role: dns/master + domain: stadtpiraten-karlsruhe.de + main_nameserver_domain: ns1.banananet.work. + resposible_mail_name: admin.banananet.work. + slaves: "{{ nvak_dns_slaves }}" + entries: | + ; Name Servers + @ IN NS ns1.banananet.work. + @ IN NS ns2.banananet.work. + ; WebPages + @ IN A {{ ansible_default_ipv4.address }} + @ IN AAAA {{ ansible_default_ipv6.address }} + www IN A {{ ansible_default_ipv4.address }} + www IN AAAA {{ ansible_default_ipv6.address }} + forum IN A {{ ansible_default_ipv4.address }} + forum IN AAAA {{ ansible_default_ipv6.address }} + ; Mail + @ IN MX 10 nvak.banananet.work + # Git Server + - role: server/gitea + domain: git.banananet.work + # Banananet.work + - role: server/static + domain: banananet.work + repo: git@git.banananet.work:banananetwork/main-static.git + # SpotMe Server +# - role: server/spotme +# domain: spotme.fun +# # Admin Panel +# - role: server/php +# domain: nvak.banananet.work +# repo: PHPMYADMIN # TODO + # BananaNetwork Keys + - role: server/node + domain: keys.banananet.work + repo: git@git.banananet.work:banananetwork/keys.git + app_port: 12822 + system_user: keys-banananet-work + # Nextcloud Server + - role: server/nextcloud + domain: cloud.banananet.work +# # RSS Server +# - role: server/php +# domain: rss.banananet.work +# repo: TTRSS # TODO + # DSA Seite + - role: server/node + domain: dsa.banananet.work + repo: git@git.banananet.work:dsaGroup/dsaPage.git + app_port: 12821 + system_user: dsaPage +# # Forum der Schande +# - role: server/php +# name: strichliste +# domain: forumderschan.de +# repo: git@git.banananet.work:strichliste/strichliste-php.git +# root: html +# includes: +# - includes + - role: nginx/forward + domain: www.forumderschan.de + dest: forumderschan.de 
+# # Stadtpiraten +# - role: server/typo3 +# domain: piraten.dev.banananet.work +# - role: server/php +# domain: forum.piraten.dev.banananet.work +# repo: PHPBB # TODO +# version: master +# # Stadtpiraten (prod) +# - role: nginx/forward +# domain: www.stadtpiraten-karlsruhe.de +# dest: stadtpiraten-karlsruhe.de + +#- hosts: quvat.banananet.work +# roles: +# - role: hostname +# fqdn: quvat.banananet.work +# +# - role: server/static +# domain: banananet.work +# repo: git@git.banananet.work:banananetwork/main-static.git +# +# - role: server/php +# domain: quvat.banananet.work +# repo: "MISSING" # TODO +# +# - role: nginx/forward +# domain: server.banananet.work +# forward: quvat.banananet.work +# +# - role: server/node +# domain: keys.banananet.work +# repo: git@git.banananet.work:banananetwork/keys.git +# +# - role: server/nextcloud +# domain: cloud.banananet.work +# nextcloud_admin_user: "{{ common_user }}" +# nextcloud_admin_pass: "{{ common_pass }}" +# +# - role: server/tt-rss +# domain: rss.banananet.work +# +# - role: server/firefox-sync +# domain: firefox.quvat.banananet.work +# +# - role: server/node +# domain: dsa.banananet.work +# repo: git@git.banananet.work:dsaGroup/dsaPage.git +# +# - role: server/php +# domain: forumderschan.de +# repo: git@git.banananet.work:strichliste/strichliste-php.git +# html: /html +# +# - role: nginx/forward +# domain: www.forumderschan.de +# forward: forumderschan.de +# +# - role: server/typo3 +# domain: piraten.dev.banananet.work +# +# - role: server/php # TODO Maybe php-bb special configuration +# domain: forum.piraten.dev.banananet.work + +#- name: Configure rurapenthe +# hosts: rurapenthe.banananet.work +# roles: +# - role: dns/slave +# domain: banananet.work +# masters: +# - nvak.banananet.work +# - role: dns/slave +# domain: forumderschan.de +# masters: +# - nvak.banananet.work +# - role: dns/slave +# domain: stadtpiraten-karlsruhe.de +# masters: +# - nvak.banananet.work +# - role: dns/slave +# domain: spotme.fun +# 
masters: +# - nvak.banananet.work + +#- hosts: 192.168.1.8 # hardie.khitomer.banananet.work +# roles: +# - role: mysql/application
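Review bot: The fourth `dns/master` role entry (domain `stadtpiraten-karlsruhe.de`) sets `resposible_mail_name:` where the three sibling entries set `responsible_mail_name:`, so that zone's SOA RNAME silently falls back to whatever the role defaults to (or the role fails if the variable is required); the line should read `responsible_mail_name: admin.banananet.work.`. Every zone in the same play also publishes `@ IN NS ns2` / `ns2 IN A … rurapenthe …` while `nvak_dns_slaves: []` and the rurapenthe `dns/slave` play is commented out, which as far as these lines show leaves ns2 delegated but never transferred the zone — either drop the ns2 records until the slave play is restored or populate `nvak_dns_slaves` with the slave's address so zone transfers are allowed only to it. As a point of style, the truthy spellings `gather_facts: no`, `become: yes`, `sudo: yes` and `changed_when: False` should be the canonical `false`/`true`, and the unnamed `hosts: all` play deserves a `name:` so it is identifiable in run output.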