# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
# License: GPL-3.0 or later.
-- hosts: servers
- tasks:
- - name: Install {{ item }}
- include_tasks: "server/{{ item }}.yaml"
- with_items:
- - dovecot
- - fail2ban
- - git
- - opendkim
- - matrix
- - nginx
- - postgres
- - postfix
- - websites
- - sshd
+- name: Install dovecot
+ import_playbook: server/dovecot.yaml
+
+- name: Install fail2ban
+ import_playbook: server/fail2ban.yaml
+
+- name: Install git
+ import_playbook: server/git.yaml
+
+- name: Install opendkim
+ import_playbook: server/opendkim.yaml
+
+- name: Install matrix
+ import_playbook: server/matrix.yaml
+
+- name: Install nginx
+ import_playbook: server/nginx.yaml
+
+- name: Install postgres
+ import_playbook: server/postgres.yaml
+
+- name: Install postfix
+ import_playbook: server/postfix.yaml
+
+- name: Install web server sites
+ import_playbook: server/websites.yaml
+
+- name: Install sshd
+ import_playbook: server/sshd.yaml
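Review bot: The import order runs `server/fail2ban.yaml` second, before the nginx, postfix, dovecot and sshd plays whose log files fail2ban jails usually watch; on a fresh host that play's final `Restart fail2ban` can fail if `jail.local` (not visible here) enables a jail whose log file does not exist yet. Moving the fail2ban import below the service plays removes that ordering dependency. Since `import_playbook` is static, the order written here is exactly the execution order, so the fix is just reordering the entries.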
# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
# License: GPL-3.0 or later.
-- name: Checkout configuration
- command: |
- git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main --force \
- dovecot/*
- become: yes
-- name: Install dovecot
- package:
- name:
- - dovecot-imapd
- - dovecot-lmtpd
- - dovecot-pgsql
- state: latest
- become: yes
-- name: Ensure dovecot directory structure exists
- file:
- path: "/etc/dovecot/conf.d"
- state: directory
- become: yes
-- name: Copy to /etc/dovecot
- copy:
- src: "/tmp/dovecot/{{ item }}"
- dest: "/etc/dovecot"
- remote_src: true
- become: true
- with_items:
- - dovecot-dict-auth.conf.ext
- - dovecot-dict-sql.conf.ext
- - dovecot-sql.conf.ext
- - dovecot.conf
-- name: Copy to /etc/dovecot/conf.d
- copy:
- src: "/tmp/dovecot/{{ item }}"
- dest: "/etc/dovecot/conf.d"
- remote_src: true
- become: true
- with_items:
- - 10-auth.conf
- - 10-master.conf
- - 15-mailboxes.conf
- - 90-plugin.conf
- - auth-dict.conf.ext
- - auth-static.conf.ext
- - 10-director.conf
- - 10-ssl.conf
- - 20-imap.conf
- - 90-quota.conf
- - auth-master.conf.ext
- - auth-system.conf.ext
- - 10-logging.conf
- - 10-tcpwrapper.conf
- - 20-lmtp.conf
- - auth-checkpassword.conf.ext
- - auth-passwdfile.conf.ext
- - 10-mail.conf
- - 15-lda.conf
- - 90-acl.conf
- - auth-deny.conf.ext
- - auth-sql.conf.ext
-- name: Ensure correct permissions for the virtual mailbox
- file:
- path: "/var/vmail"
- state: directory
- mode: "0775"
- owner: vmail
- group: storage
- recurse: true
- become: true
-- name: Ensure configuration of the virtual mailbox user
- user:
- name: "vmail"
- home: "/var/vmail"
- shell: "/usr/sbin/nologin"
- password_lock: true
- become: yes
-- name: Ensure log files exist
- file:
- path: "/var/log/{{ item }}"
- state: touch
- owner: vmail
- group: vmail
- become: yes
- with_items:
- - dovecot.log
- - dovecot-info.log
+- hosts: servers
+ tasks:
+ - name: Checkout configuration
+ command: |
+ git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \
+ --force dovecot/*
+ become: yes
+ - name: Install dovecot
+ package:
+ name:
+ - dovecot-imapd
+ - dovecot-lmtpd
+ - dovecot-pgsql
+ state: latest
+ become: yes
+ - name: Ensure dovecot directory structure exists
+ file:
+ path: "/etc/dovecot/conf.d"
+ state: directory
+ become: yes
+ - name: Copy to /etc/dovecot
+ copy:
+ src: "/tmp/dovecot/{{ item }}"
+ dest: "/etc/dovecot"
+ remote_src: true
+ become: true
+ with_items:
+ - dovecot-dict-auth.conf.ext
+ - dovecot-dict-sql.conf.ext
+ - dovecot-sql.conf.ext
+ - dovecot.conf
+ - name: Copy to /etc/dovecot/conf.d
+ copy:
+ src: "/tmp/dovecot/{{ item }}"
+ dest: "/etc/dovecot/conf.d"
+ remote_src: true
+ become: true
+ with_items:
+ - 10-auth.conf
+ - 10-master.conf
+ - 15-mailboxes.conf
+ - 90-plugin.conf
+ - auth-dict.conf.ext
+ - auth-static.conf.ext
+ - 10-director.conf
+ - 10-ssl.conf
+ - 20-imap.conf
+ - 90-quota.conf
+ - auth-master.conf.ext
+ - auth-system.conf.ext
+ - 10-logging.conf
+ - 10-tcpwrapper.conf
+ - 20-lmtp.conf
+ - auth-checkpassword.conf.ext
+ - auth-passwdfile.conf.ext
+ - 10-mail.conf
+ - 15-lda.conf
+ - 90-acl.conf
+ - auth-deny.conf.ext
+ - auth-sql.conf.ext
+ - name: Ensure correct permissions for the virtual mailbox
+ file:
+ path: "/var/vmail"
+ state: directory
+ mode: "0775"
+ owner: vmail
+ group: storage
+ recurse: true
+ become: true
+ - name: Ensure configuration of the virtual mailbox user
+ user:
+ name: "vmail"
+ home: "/var/vmail"
+ shell: "/usr/sbin/nologin"
+ password_lock: true
+ become: yes
+ - name: Ensure log files exist
+ file:
+ path: "/var/log/{{ item }}"
+ state: touch
+ owner: vmail
+ group: vmail
+ become: yes
+ with_items:
+ - dovecot.log
+ - dovecot-info.log
+ - name: Restart dovecot
+ service:
+ name: dovecot
+ state: restarted
+ become: yes
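Review bot: The new `Restart dovecot` task at the end of the play restarts the service unconditionally on every run, so a run that changed nothing still drops active IMAP/LMTP sessions; give the copy tasks `notify: Restart dovecot` and move the restart under `handlers:` (or use `state: reloaded` where the daemon supports it). The same unconditional restart is added in the fail2ban, git, matrix, nginx, opendkim, postfix, postgres, sshd and websites plays. Separately, the checkout still stages configuration under `/tmp` as root (`--work-tree=/tmp`) and the copy tasks read it back with `remote_src: true`; `/tmp` is world-writable and shared with every local account, so the staged files can be altered between checkout and copy — prefer a root-owned staging directory with a fixed mode, e.g. one created by a `file` task with `mode: "0700"` or by `ansible.builtin.tempfile`. That, too, applies to every play in this commit. Finally, `become: yes` and `become: true` are mixed throughout; yamllint's truthy rule wants `true`.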
# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
# License: GPL-3.0 or later.
-- name: Checkout configuration
- command: |
- git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main --force \
- fail2ban/*
- become: yes
-- name: Install fail2ban
- package:
- name:
- - fail2ban
- state: latest
- become: yes
-- name: Ensure fail2ban directory structure exists
- file:
- path: "/etc/fail2ban"
- state: directory
- become: yes
-- name: Copy to /etc/fail2ban
- copy:
- src: "/tmp/fail2ban/{{ item }}"
- dest: "/etc/fail2ban"
- remote_src: true
- become: true
- with_items:
- - fail2ban.local
- - jail.local
- - paths-common.conf
+- hosts: servers
+ tasks:
+ - name: Checkout configuration
+ command: |
+ git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \
+ --force fail2ban/*
+ become: yes
+ - name: Install fail2ban
+ package:
+ name:
+ - fail2ban
+ state: latest
+ become: yes
+ - name: Ensure fail2ban directory structure exists
+ file:
+ path: "/etc/fail2ban"
+ state: directory
+ become: yes
+ - name: Copy to /etc/fail2ban
+ copy:
+ src: "/tmp/fail2ban/{{ item }}"
+ dest: "/etc/fail2ban"
+ remote_src: true
+ become: true
+ with_items:
+ - fail2ban.local
+ - jail.local
+ - paths-common.conf
+ - name: Restart fail2ban
+ service:
+ name: fail2ban
+ state: restarted
+ become: yes
# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
# License: GPL-3.0 or later.
-- name: Checkout configuration
- command: |
- git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main --force \
- git/*
- become: yes
-- name: Install gitweb
- package:
- name:
- - fcgiwrap
- - gitweb
- state: latest
- become: yes
-- name: Copy to /etc
- copy:
- src: "/tmp/git/{{ item }}"
- dest: "/etc"
- remote_src: true
- become: true
- with_items:
- - gitweb.conf
+- hosts: servers
+ tasks:
+ - name: Checkout configuration
+ command: |
+ git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \
+ --force git/*
+ become: yes
+ - name: Install gitweb
+ package:
+ name:
+ - fcgiwrap
+ - gitweb
+ state: latest
+ become: yes
+ - name: Ensure git directory structure exists
+ file:
+ path: "/etc/git"
+ state: directory
+ become: yes
+ - name: Copy to /etc
+ copy:
+ src: "/tmp/git/{{ item }}"
+ dest: "/etc/git"
+ remote_src: true
+ become: true
+ with_items:
+ - ekhem.conf
+ - dobity.conf
+ - name: Restart fcgiwrap
+ service:
+ name: fcgiwrap
+ state: restarted
+ become: yes
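Review bot: `Copy to /etc` now writes `ekhem.conf` and `dobity.conf` into `/etc/git`, so the task name is stale; rename it `Copy to /etc/git`. `gitweb.conf` was dropped from the list and nothing else in the hunk installs it; if gitweb still reads `/etc/gitweb.conf`, confirm that omission is intentional rather than a lost line.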
# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
# License: GPL-3.0 or later.
-- name: Checkout configuration files
- command: |
- git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main --force \
- matrix/*
- become: yes
-- name: Install matrix
- package:
- name:
- - matrix-synapse
- state: latest
- become: yes
-- name: Ensure matrix directory structure exists
- file:
- path: "/etc/matrix-synapse/conf.d"
- state: directory
- become: yes
-- name: Copy to /etc/matrix-synapse
- copy:
- src: "/tmp/matrix/{{ item }}"
- dest: "/etc/matrix-synapse"
- remote_src: true
- become: true
- with_items:
- - homeserver.yaml
- - log.yaml
-- name: Copy to /etc/matrix-synapse/conf.d
- copy:
- src: "/tmp/matrix/{{ item }}"
- dest: "/etc/matrix-synapse/conf.d"
- remote_src: true
- become: true
- with_items:
- - report_stats.yaml
- - server_name.yaml
+- hosts: servers
+ tasks:
+ - name: Checkout configuration files
+ command: |
+ git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \
+ --force matrix/*
+ become: yes
+ - name: Install matrix
+ package:
+ name:
+ - matrix-synapse
+ state: latest
+ become: yes
+ - name: Ensure matrix directory structure exists
+ file:
+ path: "/etc/matrix-synapse/conf.d"
+ state: directory
+ become: yes
+ - name: Copy to /etc/matrix-synapse
+ copy:
+ src: "/tmp/matrix/{{ item }}"
+ dest: "/etc/matrix-synapse"
+ remote_src: true
+ become: true
+ with_items:
+ - homeserver.yaml
+ - log.yaml
+ - name: Copy to /etc/matrix-synapse/conf.d
+ copy:
+ src: "/tmp/matrix/{{ item }}"
+ dest: "/etc/matrix-synapse/conf.d"
+ remote_src: true
+ become: true
+ with_items:
+ - report_stats.yaml
+ - server_name.yaml
+ - name: Restart matrix-synapse
+ service:
+ name: matrix-synapse
+ state: restarted
+ become: yes
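Review bot: `Copy to /etc/matrix-synapse` installs `homeserver.yaml` with no `mode`, `owner` or `group`, so it lands with the copy module's default permissions under root; if that file carries secrets (a Synapse `homeserver.yaml` normally holds the registration shared secret, macaroon key and database password) they become readable to every local account. Add `mode: "0640"` plus the owner/group the synapse service runs as (the account name is not visible in this hunk). `log.yaml` can stay as it is.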
# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
# License: GPL-3.0 or later.
-- name: Checkout configuration
- command: |
- git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main --force \
- nginx/*
- become: yes
-- name: Install nginx
- package:
- name:
- - nginx
- state: latest
- become: yes
-- name: Ensure postfix directory structure exists
- file:
- path: "/etc/nginx"
- state: directory
- become: yes
-- name: Copy to /etc/nginx
- copy:
- src: "/tmp/nginx/{{ item }}"
- dest: "/etc/nginx"
- remote_src: true
- become: true
- with_items:
- - mime.types
- - nginx.conf
+- hosts: servers
+ tasks:
+ - name: Checkout configuration
+ command: |
+ git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \
+ --force nginx/*
+ become: yes
+ - name: Install nginx
+ package:
+ name:
+ - nginx
+ state: latest
+ become: yes
+ - name: Ensure postfix directory structure exists
+ file:
+ path: "/etc/nginx"
+ state: directory
+ become: yes
+ - name: Copy to /etc/nginx
+ copy:
+ src: "/tmp/nginx/{{ item }}"
+ dest: "/etc/nginx"
+ remote_src: true
+ become: true
+ with_items:
+ - mime.types
+ - nginx.conf
+ - name: Restart nginx
+ service:
+ name: nginx
+ state: restarted
+ become: yes
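Review bot: The directory task on the new side is still named `Ensure postfix directory structure exists` although it creates `/etc/nginx`; rename it to `Ensure nginx directory structure exists` so play output is not misleading. Since the play now restarts nginx right after replacing `nginx.conf`, add `validate: "nginx -t -c %s"` to that copy task (or a `command: nginx -t` task before `Restart nginx`) so a broken main config is rejected instead of taking the web server down; the websites play restarts nginx again later and has the same gap.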
# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
# License: GPL-3.0 or later.
-- name: Checkout configuration
- command: |
- git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main --force \
- opendkim/*
- become: yes
-- name: Install opendkim
- package:
- name:
- - opendkim
- - libopendbx1-pgsql
- state: latest
- become: yes
-- name: Copy to /etc
- copy:
- src: "/tmp/opendkim/opendkim.conf"
- dest: "/etc"
- remote_src: true
- become: true
-- name: Copy to /etc/default
- copy:
- src: "/tmp/opendkim/opendkim"
- dest: "/etc/default"
- remote_src: true
- become: true
-- name: Ensure correct permissions for opendkim files
- file:
- path: "/etc/opendkim/keys/{{ item.domain }}/{{ item.name }}"
- mode: "0500"
- become: true
- with_items:
- - domain: "dobity.eu.org"
- name: "dobity.private"
- - domain: "dobity.eu.org"
- name: "dobity.txt"
- - domain: "ekhem.eu.org"
- name: "ekhem.txt"
- - domain: "ekhem.eu.org"
- name: "ekhem.txt"
+- hosts: servers
+ tasks:
+ - name: Checkout configuration
+ command: |
+ git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \
+ --force opendkim/*
+ become: yes
+ - name: Install opendkim
+ package:
+ name:
+ - opendkim
+ - libopendbx1-pgsql
+ state: latest
+ become: yes
+ - name: Copy to /etc
+ copy:
+ src: "/tmp/opendkim/opendkim.conf"
+ dest: "/etc"
+ remote_src: true
+ become: true
+ - name: Copy to /etc/default
+ copy:
+ src: "/tmp/opendkim/opendkim"
+ dest: "/etc/default"
+ remote_src: true
+ become: true
+ - name: Ensure correct permissions for opendkim files
+ file:
+ path: "/etc/opendkim/keys/{{ item.domain }}/{{ item.name }}"
+ mode: "0500"
+ become: true
+ with_items:
+ - domain: "dobity.eu.org"
+ name: "dobity.private"
+ - domain: "dobity.eu.org"
+ name: "dobity.txt"
+ - domain: "ekhem.eu.org"
+ name: "ekhem.txt"
+ - domain: "ekhem.eu.org"
+ name: "ekhem.txt"
+ - name: Restart opendkim
+ service:
+ name: opendkim
+ state: restarted
+ become: yes
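Review bot: The `with_items` list of `Ensure correct permissions for opendkim files` (last two entries on the new side) repeats `ekhem.eu.org`/`ekhem.txt` and never names `ekhem.private`, so the ekhem.eu.org signing key is never restricted to `0500` the way `dobity.private` is; the duplicated entry almost certainly should read `name: "ekhem.private"`. The task also sets `mode` without `owner`/`group`, so the key files keep whatever owner they were checked out with; add the account opendkim runs as (not visible here) so the daemon, and only the daemon, can read them.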
# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
# License: GPL-3.0 or later.
-- name: Checkout configuration
- command: |
- git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main --force \
- postfix/*
- become: yes
-- name: Install postfix
- package:
- name:
- - postfix
- - postfix-pgsql
- state: latest
- become: yes
-- name: Ensure postfix directory structure exists
- file:
- path: "/etc/postfix"
- state: directory
- become: yes
-- name: Copy to /etc/postfix
- copy:
- src: "/tmp/postfix/{{ item }}"
- dest: "/etc/postfix"
- remote_src: true
- become: true
- with_items:
- - address_book.cf
- - domains.cf
- - main.cf
- - master.cf
+- hosts: servers
+ tasks:
+ - name: Checkout configuration
+ command: |
+ git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \
+ --force postfix/*
+ become: yes
+ - name: Install postfix
+ package:
+ name:
+ - postfix
+ - postfix-pgsql
+ state: latest
+ become: yes
+ - name: Ensure postfix directory structure exists
+ file:
+ path: "/etc/postfix"
+ state: directory
+ become: yes
+ - name: Copy to /etc/postfix
+ copy:
+ src: "/tmp/postfix/{{ item }}"
+ dest: "/etc/postfix"
+ remote_src: true
+ become: true
+ with_items:
+ - address_book.cf
+ - domains.cf
+ - main.cf
+ - master.cf
+ - name: Restart postfix
+ service:
+ name: postfix
+ state: restarted
+ become: yes
# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
# License: GPL-3.0 or later.
-- name: Checkout configuration
- command: |
- git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main --force \
- postgres/*
- become: yes
-- name: Install postgres
- package:
- name:
- - postgresql
- state: latest
- become: yes
-- name: Ensure postgres directory structure exists
- file:
- path: "/etc/postgresql/15/main/"
- state: directory
- become: yes
-- name: Copy to /etc/postgresq/15/main
- copy:
- src: "/tmp/postgres/{{ item }}"
- dest: "/etc/postgresql/15/main"
- remote_src: true
- become: true
- with_items:
- - pg_hba.conf
- - postgresql.conf
-- name: Ensure a directory for private files exists
- file:
- path: "/etc/postgresql/15/main/private"
- state: directory
- mode: "0700"
- owner: postgres
- group: postgres
- become: true
-- name: Copy certificates
- copy:
- src: "/etc/letsencrypt/live/postgres/{{ item }}"
- dest: "/etc/postgresql/15/main/private"
- mode: "0600"
- owner: postgres
- group: postgres
- remote_src: true
- become: true
- with_items:
- - fullchain.pem
- - privkey.pem
+- hosts: servers
+ tasks:
+ - name: Checkout configuration
+ command: |
+ git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \
+ --force postgres/*
+ become: yes
+ - name: Install postgres
+ package:
+ name:
+ - postgresql
+ state: latest
+ become: yes
+ - name: Ensure postgres directory structure exists
+ file:
+ path: "/etc/postgresql/15/main/"
+ state: directory
+ become: yes
+ - name: Copy to /etc/postgresq/15/main
+ copy:
+ src: "/tmp/postgres/{{ item }}"
+ dest: "/etc/postgresql/15/main"
+ remote_src: true
+ become: true
+ with_items:
+ - pg_hba.conf
+ - postgresql.conf
+ - name: Ensure a directory for private files exists
+ file:
+ path: "/etc/postgresql/15/main/private"
+ state: directory
+ mode: "0700"
+ owner: postgres
+ group: postgres
+ become: true
+ - name: Copy certificates
+ copy:
+ src: "/etc/letsencrypt/live/postgres/{{ item }}"
+ dest: "/etc/postgresql/15/main/private"
+ mode: "0600"
+ owner: postgres
+ group: postgres
+ remote_src: true
+ become: true
+ with_items:
+ - fullchain.pem
+ - privkey.pem
+ - name: Restart postgres
+ service:
+ name: postgresql
+ state: restarted
+ become: yes
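Review bot: The copy task on the new side still reads `Copy to /etc/postgresq/15/main` (typo carried over from the old version) while its `dest` is `/etc/postgresql/15/main`; fix the name. The cluster version `15` is repeated in four paths, so a play-level `vars:` entry such as `pg_version: "15"` would keep them aligned across an upgrade. `Restart postgres` also bounces the whole cluster on every run; `pg_hba.conf` changes only need `state: reloaded`, though some `postgresql.conf` settings do require a restart.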
# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
# License: GPL-3.0 or later.
-- name: Checkout configuration
- command: |
- git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main --force \
- sshd/*
- become: yes
-- name: Copy to /etc/ssh
- copy:
- src: "/tmp/sshd/sshd_config"
- dest: "/etc/ssh"
- remote_src: true
- become: true
+- hosts: servers
+ tasks:
+ - name: Checkout configuration
+ command: |
+ git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \
+ --force sshd/*
+ become: yes
+ - name: Copy to /etc/ssh
+ copy:
+ src: "/tmp/sshd/sshd_config"
+ dest: "/etc/ssh"
+ remote_src: true
+ become: true
+ - name: Restart sshd
+ service:
+ name: ssh
+ state: restarted
+ become: yes
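Review bot: `Copy to /etc/ssh` replaces `sshd_config` and the new `Restart sshd` task then restarts `ssh` without any syntax check, so a bad config ends with the daemon down and the host unreachable over the very channel Ansible uses. The copy module supports `validate`; add `validate: "sshd -t -f %s"` to the copy task so an invalid file is rejected before it is installed, and set `mode: "0600"` while at it. `state: reloaded` is sufficient for sshd to re-read its configuration.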
# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
# License: GPL-3.0 or later.
-- name: Checkout configuration files
- command: |
- git --work-tree=/tmp --git-dir=/srv/git/server_prod.git checkout main \
- --force
- become: yes
-- name: Ensure sites-available directory exists
- file:
- path: "/etc/nginx/sites-available"
- state: directory
- become: yes
-- name: Ensure sites-enabled directory exists
- file:
- path: "/etc/nginx/sites-enabled"
- state: directory
- become: yes
-- name: Copy to /etc/nginx/sites-available
- copy:
- src: "/tmp/nginx/{{ item }}"
- dest: "/etc/nginx/sites-available"
- remote_src: true
- become: true
- with_items:
- - cv.ekhem.eu.org
- - dobity.eu.org
- - drive.dobity.eu.org
- - ekhem.eu.org
- - git.dobity.eu.org
- - git.ekhem.eu.org
- - matrix.dobity.eu.org
- - pass.dobity.eu.org
- - yt.dobity.eu.org
-- name: Symlink to /etc/nginx/sites-enabled
- file:
- src: "/etc/nginx/sites-available/{{ item }}"
- dest: "/etc/nginx/sites-enabled/{{ item }}"
- state: link
- become: true
- with_items:
- - cv.ekhem.eu.org
- - dobity.eu.org
- - drive.dobity.eu.org
- - ekhem.eu.org
- - git.dobity.eu.org
- - git.ekhem.eu.org
- - matrix.dobity.eu.org
- - pass.dobity.eu.org
- - yt.dobity.eu.org
+- hosts: servers
+ tasks:
+ - name: Checkout configuration files
+ command: |
+ git --work-tree=/tmp --git-dir=/srv/git/server_prod.git checkout main \
+ --force
+ become: yes
+ - name: Ensure sites-available directory exists
+ file:
+ path: "/etc/nginx/sites-available"
+ state: directory
+ become: yes
+ - name: Ensure sites-enabled directory exists
+ file:
+ path: "/etc/nginx/sites-enabled"
+ state: directory
+ become: yes
+ - name: Copy to /etc/nginx/sites-available
+ copy:
+ src: "/tmp/nginx/{{ item }}"
+ dest: "/etc/nginx/sites-available"
+ remote_src: true
+ become: true
+ with_items:
+ - cv.ekhem.eu.org
+ - dobity.eu.org
+ - drive.dobity.eu.org
+ - ekhem.eu.org
+ - git.dobity.eu.org
+ - git.ekhem.eu.org
+ - matrix.dobity.eu.org
+ - pass.dobity.eu.org
+ - yt.dobity.eu.org
+ - name: Symlink to /etc/nginx/sites-enabled
+ file:
+ src: "/etc/nginx/sites-available/{{ item }}"
+ dest: "/etc/nginx/sites-enabled/{{ item }}"
+ state: link
+ become: true
+ with_items:
+ - cv.ekhem.eu.org
+ - dobity.eu.org
+ - drive.dobity.eu.org
+ - ekhem.eu.org
+ - git.dobity.eu.org
+ - git.ekhem.eu.org
+ - matrix.dobity.eu.org
+ - pass.dobity.eu.org
+ - yt.dobity.eu.org
+ - name: Restart nginx
+ service:
+ name: nginx
+ state: restarted
+ become: yes
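Review bot: The nine site names are listed twice, once under `Copy to /etc/nginx/sites-available` and again under `Symlink to /etc/nginx/sites-enabled`; adding a site to one list and not the other silently leaves it unserved or dangling, so hoist them into a play-level `vars:` list and loop both tasks over it. The checkout here runs `--force` with no pathspec against `server_prod.git`, so the whole repository is written to `/tmp` although only `/tmp/nginx/…` is read; pass `nginx/*` as the other plays do. No validation runs before `Restart nginx`; a `command: nginx -t` task ahead of it would keep a broken vhost from taking every site down.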