diff --git a/all/playbook.yaml b/all/playbook.yaml
index 51c27b9..0e81db5 100644
--- a/all/playbook.yaml
+++ b/all/playbook.yaml
@@ -1,3 +1,4 @@
+---
 - name: Playbook to Provision / Re-configure Node
 hosts: all
 vars:
@@ -19,10 +20,12 @@
 ansible.builtin.get_url:
 url: https://deb.goaccess.io/gnugpg.key
 dest: /usr/share/keyrings/goaccess.asc
- mode: '0644'
+ mode: "0644"
 - name: Enable goaccess repo
 ansible.builtin.apt_repository:
- repo: deb [signed-by=/usr/share/keyrings/goaccess.asc arch=amd64] https://deb.goaccess.io/ bookworm main
+ repo:
+ deb [signed-by=/usr/share/keyrings/goaccess.asc arch=amd64] https://deb.goaccess.io/
+ bookworm main
 state: present
 - name: Install Required Programs / APT
 ansible.builtin.apt:
@@ -94,7 +97,7 @@
 - name: Disable dmesg logging to console
 ansible.posix.sysctl:
 name: kernel.printk
- value: "3 4 1 3"
+ value: 3 4 1 3
 state: present
 sysctl_set: true
 - name: Allow binding to non-local IPs / IPv6
@@ -169,21 +172,19 @@
 password: "{{ item.password }}"
 shell: /bin/bash
 update_password: always
- with_items:
- - "{{ users }}"
- - name: "Add authorized keys"
+ with_items: ["{{ users }}"]
+ - name: Add authorized keys
 ansible.posix.authorized_key:
 user: "{{ item.name }}"
 key: "{{ lookup('file', 'files/' + item.name + '.pub') }}"
- with_items:
- - "{{ users }}"
- - name: "Allow admin users to sudo without a password"
+ with_items: ["{{ users }}"]
+ - name: Allow admin users to sudo without a password
 ansible.builtin.lineinfile:
- dest: "/etc/sudoers" # path: in version 2.3
- state: "present"
- regexp: "^%sudo"
+ dest: /etc/sudoers # path: in version 2.3
+ state: present
+ regexp: ^%sudo
 line: "%sudo ALL=(ALL) NOPASSWD: ALL"
- - name: "Sshd configuration file update"
+ - name: Sshd configuration file update
 ansible.builtin.template:
 src: templates/sshd_config.j2
 dest: /etc/ssh/sshd_config
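Review bot: The new multi-line `repo:` value is a plain scalar continued over two lines, which YAML folds back into a single space-joined line, so it is correct but reads as if two entries were intended; writing `repo: >-` on the key line makes the folding explicit and keeps the value safe if a later line happens to start with `#` or `- `. Separately, the `ansible.builtin.get_url` task in this hunk's context fetches the repository signing key with no `checksum:`, so a swapped or tampered key would be installed into `/usr/share/keyrings/` without any complaint; `checksum: sha256:<expected-digest>` is a one-line addition worth making while this task is being touched. The task list continues outside the hunk.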
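Review bot: The sudoers task rewritten here (`dest: /etc/sudoers` … `line: "%sudo ALL=(ALL) NOPASSWD: ALL"`) still runs `lineinfile` on `/etc/sudoers` without a `validate:`, so a typo in `line:` is written as-is and can lock every admin out of sudo on the host; add `validate: /usr/sbin/visudo -cf %s` next to `regexp:`, mirroring the `validate:` the sshd template task uses in the following hunk. The inline comment `# path: in version 2.3` already records that `dest` is the old alias, so this is also the moment to rename it to `path:`. The `with_items: ["{{ users }}"]` form (twice in this hunk, and `with_items: ["{{ ufw_allow_rules }}"]` in the last playbook.yaml hunk) only works because `with_items` flattens one level of nesting; `loop: "{{ users }}"` states the intent without relying on that. The sshd template task at the end of this hunk continues past it.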
@@ -191,17 +192,16 @@
 owner: 0
 group: 0
 mode: "0644"
- validate: "/usr/sbin/sshd -T -f %s"
- notify:
- - Restart sshd
- - name: "Remove useless passphrase line (runs after borgmatic role)"
+ validate: /usr/sbin/sshd -T -f %s
+ notify: [Restart sshd]
+ - name: Remove useless passphrase line (runs after borgmatic role)
 ansible.builtin.lineinfile:
- dest: "/etc/borgmatic/config.yaml"
- state: "absent"
- regexp: "^.*encryption_passphrase"
+ dest: /etc/borgmatic/config.yaml
+ state: absent
+ regexp: ^.*encryption_passphrase
 - name: Copy per-server docker daemon.json
 ansible.builtin.copy:
- src: "./templates/{{ inventory_hostname }}/daemon.json"
+ src: ./templates/{{ inventory_hostname }}/daemon.json
 dest: /etc/docker/daemon.json
 mode: preserve
 handlers:
@@ -218,10 +218,10 @@
 - role: artis3n.tailscale
 # Future Sysadmin seeing this: if this fails; it is because the key is only valid for 365 days (from Jan 6 2024)
 tailscale_authkey: "{{tailscale_authkey}}"
- tailscale_args: "--login-server https://hs.projectsegfau.lt --accept-dns=false"
+ tailscale_args: --login-server https://hs.projectsegfau.lt --accept-dns=false
 - role: borgbase.ansible_role_borgbackup
 borg_repository:
- - ssh://zh3117@zh3117.rsync.net/data1/home/zh3117/backups/{{rsyncnet_slug}}
+ - ssh://zh6265@zh6265.rsync.net/data1/home/zh6265/backups/{{rsyncnet_slug}}
 borg_source_directories: "{{bkp_source_directories}}"
 borg_exclude_patterns: "{{bkp_exclude_patterns}}"
 borg_remote_path: /usr/local/bin/borg_1.2.4/borg1
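Review bot: `src: ./templates/{{ inventory_hostname }}/daemon.json` now carries a Jinja expression in an unquoted scalar; YAML accepts it only because the value does not start with `{`, and the rest of this file quotes every templated value (`"{{ item.name }}"`, `"{{ item.password }}"`), so keep it as `src: "./templates/{{ inventory_hostname }}/daemon.json"`. The `^.*` prefix in `regexp: ^.*encryption_passphrase` (here and in the same task in pubnix.yaml) adds nothing, since `lineinfile` searches the line unanchored; `regexp: encryption_passphrase` matches exactly the same lines and is clearer. The `handlers:` section opened on the last line continues outside the hunk.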
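Review bot: `tailscale_args: --login-server https://hs.projectsegfau.lt --accept-dns=false` is now a plain scalar that begins with `-`; it parses as a string only because the second character is not a space, which is a fragile thing to rely on for arguments handed to a role, so this value is better left quoted as the removed line had it. The new `borg_repository` entry shares its `ssh://zh6265@zh6265.rsync.net/data1/home/zh6265/backups/` prefix with the one pubnix.yaml now hard-codes, so this account rotation had to be made in two places; a single variable holding the prefix would make the next rotation a one-line change. Whether `rsyncnet_slug` differs per host cannot be seen from this hunk.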
@@ -229,14 +229,13 @@
 postgresql_databases: "{{bkp_postgresql_databases}}"
 healthchecks:
 ping_url: https://healthchecks.projectsegfau.lt/ping/{{bkp_hc_uuid}}
- states:
- - finish
+ states: [finish]
 borg_retention_policy:
 keep_daily: 4
 keep_weekly: 2
 keep_monthly: 2
 # very secure I know; it has to be plain text anyway for automated backups, unless there is a better way (in which case please email me@aryak.me)
- borg_encryption_passcommand: "cat /etc/borgmatic/passphrase"
+ borg_encryption_passcommand: cat /etc/borgmatic/passphrase
 - name: UFW Firewall Configuration
 hosts: eu # IN is behind router so no f/w is needed
 tasks:
@@ -260,14 +259,10 @@
 rule: allow
 src: "{{ item }}"
 direction: in
- loop:
- - 10.0.0.0/8
- - 172.16.0.0/12
- - 192.168.0.0/16
+ loop: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]
 - name: Deny rules
 community.general.ufw:
 rule: allow
 port: "{{ item.port }}"
 proto: "{{ item.proto }}"
- with_items:
- - "{{ ufw_allow_rules }}"
+ with_items: ["{{ ufw_allow_rules }}"]
diff --git a/all/pubnix.yaml b/all/pubnix.yaml
index 9e52dea..5fcc6ef 100644
--- a/all/pubnix.yaml
+++ b/all/pubnix.yaml
@@ -1,4 +1,3 @@
-# IMPORTANT: Inventory file for pubnix is stored in semaphore, not inventory.yml
 ---
 - name: Borgmatic Setup
 hosts: pubnix
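Review bot: `borg_encryption_passcommand: cat /etc/borgmatic/passphrase` reads the repository passphrase from a file, but nothing in this hunk (or the matching one in pubnix.yaml) shows how `/etc/borgmatic/passphrase` is created or what mode it carries; the comment above it already concedes the secret is plain text, so the play should at least assert the file is root-owned with `mode: "0600"` (an `ansible.builtin.file` task next to the passphrase-stripping task would do it). Dropping the quotes on the command is harmless for this exact string, but a future value containing ` #` or starting with a YAML indicator would silently change meaning, so the quoted form is the safer habit for command strings. The `tasks:` list opened on the last line continues outside the hunk.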
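Review bot: The task named `Deny rules` applies `rule: allow` and now iterates `with_items: ["{{ ufw_allow_rules }}"]`, so the name contradicts both the rule and the variable it consumes; rename it `- name: Allow rules` (or change the rule if a deny list was really intended, though the variable name suggests not). `loop: "{{ ufw_allow_rules }}"` would also avoid depending on the one-level flattening `with_items` applies to the wrapped list. The `community.general.ufw` task is the last in the hunk, so nothing after it is visible.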
@@ -15,20 +14,18 @@
 - /home
 - /nix
 - /opt
- bkp_exclude_patterns:
- - /var/log
- - /var/soju/main.db
+ bkp_exclude_patterns: [/var/log, /var/soju/main.db]
 bkp_hc_uuid: 94c410f3-22f4-49f6-9f7f-e6f7b6409ced
 tasks:
- - name: "Remove useless passphrase line (runs after borgmatic role)"
+ - name: Remove useless passphrase line (runs after borgmatic role)
 ansible.builtin.lineinfile:
- dest: "/etc/borgmatic/config.yaml"
- state: "absent"
- regexp: "^.*encryption_passphrase"
+ dest: /etc/borgmatic/config.yaml
+ state: absent
+ regexp: ^.*encryption_passphrase
 roles:
 - role: borgbase.ansible_role_borgbackup
 borg_repository:
- - ssh://zh3117@zh3117.rsync.net/data1/home/zh3117/backups/pubnix
+ - ssh://zh6265@zh6265.rsync.net/data1/home/zh6265/backups/pubnix
 borg_source_directories: "{{bkp_source_directories}}"
 borg_exclude_patterns: "{{bkp_exclude_patterns}}"
 borg_remote_path: /usr/local/bin/borg_1.2.4/borg1
@@ -38,11 +35,10 @@
 path: /var/soju/soju.db
 healthchecks:
 ping_url: https://healthchecks.projectsegfau.lt/ping/{{bkp_hc_uuid}}
- states:
- - finish
+ states: [finish]
 borg_retention_policy:
 keep_daily: 4
 keep_weekly: 2
 keep_monthly: 2
 # very secure I know; it has to be plain text anyway for automated backups, unless there is a better way (in which case please email me@aryak.me)
- borg_encryption_passcommand: "cat /etc/borgmatic/passphrase"
+ borg_encryption_passcommand: cat /etc/borgmatic/passphrase