+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- hosts: servers
- vars:
- repos:
- - /srv/git/cv.git
- dest: "/srv/prod/cv"
- tasks:
- - name: Ensure destination directory exists
- file:
- path: "{{ dest }}"
- mode: 0775
- state: directory
- owner: git
- group: git
- become: true
- - name: Checkout to the destination directory
- command: |
- git --work-tree={{ dest }} --git-dir={{ item }} checkout main --force
- become: yes
- with_items: "{{ repos }}"
- - name: Install texlive
- package:
- name:
- - texlive
- state: latest
- become: yes
- - name: Compile CV
- command: pdflatex --output-directory=/srv/prod/cv /srv/prod/cv/cv.tex
- become: yes
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- hosts: servers
- vars:
- repos:
- - /srv/git/notify.git
- dest: "/srv/prod/notify"
- tasks:
- - name: Ensure user exists for executing scripts
- user:
- name: "notify"
- shell: "/bin/sh"
- home: "{{ dest }}"
- become: yes
- - name: Ensure destination directory exists
- file:
- path: "{{ dest }}"
- mode: 0775
- state: directory
- owner: git
- group: notify
- become: true
- - name: Ensure destination directory exists
- file:
- path: "{{ dest }}"
- state: directory
- become: true
- - name: Checkout files to the destination directory
- command: |
- git --work-tree={{ dest }} --git-dir={{ item }} checkout main --force
- become: yes
- with_items: "{{ repos }}"
- - name: Ensure correct ownership in the destination directory
- file:
- dest: "{{ dest }}"
- owner: git
- group: notify
- recurse: yes
- become: yes
- - name: Symlink system configuration
- file:
- src: "{{ dest }}/{{ item }}"
- dest: "/etc/systemd/system/{{ item }}"
- state: link
- become: true
- with_items:
- - notify_failure@.service
- - name: Set execution mode to scripts
- file:
- dest: "{{ dest }}/{{ item }}"
- mode: 0755
- become: true
- with_items:
- - notify_on_failure.sh
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- hosts: servers
- vars:
- repos:
- - /srv/git/password_store.git
- dest: "/srv/prod/password_store"
- tasks:
- - name: Ensure destination directory exists
- file:
- path: "{{ dest }}"
- mode: 0775
- state: directory
- owner: git
- group: git
- become: true
- - name: Checkout files to the destination directory
- command: |
- git --work-tree={{ dest }} --git-dir={{ item }} checkout main --force
- become: yes
- with_items: "{{ repos }}"
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- name: Install dovecot
- import_playbook: server/dovecot.yaml
-
-- name: Install fail2ban
- import_playbook: server/fail2ban.yaml
-
-- name: Install git
- import_playbook: server/git.yaml
-
-- name: Install opendkim
- import_playbook: server/opendkim.yaml
-
-- name: Install matrix
- import_playbook: server/matrix.yaml
-
-- name: Install metadata
- import_playbook: server/metadata.yaml
-
-- name: Install nginx
- import_playbook: server/nginx.yaml
-
-- name: Install postgres
- import_playbook: server/postgres.yaml
-
-- name: Install postfix
- import_playbook: server/postfix.yaml
-
-- name: Install web server sites
- import_playbook: server/websites.yaml
-
-- name: Install rsyslog
- import_playbook: server/rsyslog.yaml
-
-- name: Install sshd
- import_playbook: server/sshd.yaml
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- hosts: servers
- tasks:
- - name: Checkout configuration
- command: |
- git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \
- --force dovecot/*
- become: yes
- - name: Install dovecot
- package:
- name:
- - dovecot-imapd
- - dovecot-lmtpd
- - dovecot-pgsql
- state: latest
- become: yes
- - name: Ensure dovecot directory structure exists
- file:
- path: "/etc/dovecot/conf.d"
- state: directory
- become: yes
- - name: Copy to /etc/dovecot
- copy:
- src: "/tmp/dovecot/{{ item }}"
- dest: "/etc/dovecot"
- remote_src: true
- become: true
- with_items:
- - dovecot-dict-auth.conf.ext
- - dovecot-dict-sql.conf.ext
- - dovecot-sql.conf.ext
- - dovecot.conf
- - name: Copy to /etc/dovecot/conf.d
- copy:
- src: "/tmp/dovecot/{{ item }}"
- dest: "/etc/dovecot/conf.d"
- remote_src: true
- become: true
- with_items:
- - 10-auth.conf
- - 10-master.conf
- - 15-mailboxes.conf
- - 90-plugin.conf
- - auth-dict.conf.ext
- - auth-static.conf.ext
- - 10-director.conf
- - 10-ssl.conf
- - 20-imap.conf
- - 90-quota.conf
- - auth-master.conf.ext
- - auth-system.conf.ext
- - 10-logging.conf
- - 10-tcpwrapper.conf
- - 20-lmtp.conf
- - auth-checkpassword.conf.ext
- - auth-passwdfile.conf.ext
- - 10-mail.conf
- - 15-lda.conf
- - 90-acl.conf
- - auth-deny.conf.ext
- - auth-sql.conf.ext
- - name: Ensure correct permissions for the virtual mailbox
- file:
- path: "/var/vmail"
- state: directory
- mode: "0775"
- owner: vmail
- group: storage
- recurse: true
- become: true
- - name: Ensure configuration of the virtual mailbox user
- user:
- name: "vmail"
- home: "/var/vmail"
- shell: "/usr/sbin/nologin"
- password_lock: true
- become: yes
- - name: Ensure log files exist
- file:
- path: "/var/log/{{ item }}"
- state: touch
- owner: vmail
- group: vmail
- become: yes
- with_items:
- - dovecot.log
- - dovecot-info.log
- - name: Restart dovecot
- service:
- name: dovecot
- state: restarted
- become: yes
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- hosts: servers
- tasks:
- - name: Checkout configuration
- command: |
- git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \
- --force fail2ban/*
- become: yes
- - name: Install fail2ban
- package:
- name:
- - fail2ban
- state: latest
- become: yes
- - name: Ensure fail2ban directory structure exists
- file:
- path: "/etc/fail2ban"
- state: directory
- become: yes
- - name: Copy to /etc/fail2ban
- copy:
- src: "/tmp/fail2ban/{{ item }}"
- dest: "/etc/fail2ban"
- remote_src: true
- become: true
- with_items:
- - fail2ban.local
- - jail.local
- - paths-common.conf
- - name: Restart fail2ban
- service:
- name: fail2ban
- state: restarted
- become: yes
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- hosts: servers
- tasks:
- - name: Checkout configuration
- command: |
- git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \
- --force git/*
- become: yes
- - name: Install gitweb
- package:
- name:
- - fcgiwrap
- - gitweb
- state: latest
- become: yes
- - name: Ensure git directory structure exists
- file:
- path: "/etc/git"
- state: directory
- become: yes
- - name: Copy to /etc
- copy:
- src: "/tmp/git/{{ item }}"
- dest: "/etc/git"
- remote_src: true
- become: true
- with_items:
- - ekhem.conf
- - dobity.conf
- - name: Restart fcgiwrap
- service:
- name: fcgiwrap
- state: restarted
- become: yes
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- hosts: servers
- tasks:
- - name: Checkout configuration files
- command: |
- git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \
- --force matrix/*
- become: yes
- - name: Install matrix
- package:
- name:
- - matrix-synapse
- state: latest
- become: yes
- - name: Ensure matrix directory structure exists
- file:
- path: "/etc/matrix-synapse/conf.d"
- state: directory
- become: yes
- - name: Copy to /etc/matrix-synapse
- copy:
- src: "/tmp/matrix/{{ item }}"
- dest: "/etc/matrix-synapse"
- remote_src: true
- become: true
- with_items:
- - homeserver.yaml
- - log.yaml
- - name: Copy to /etc/matrix-synapse/conf.d
- copy:
- src: "/tmp/matrix/{{ item }}"
- dest: "/etc/matrix-synapse/conf.d"
- remote_src: true
- become: true
- with_items:
- - report_stats.yaml
- - server_name.yaml
- - name: Restart matrix-synapse
- service:
- name: matrix-synapse
- state: restarted
- become: yes
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- hosts: servers
- tasks:
- - name: Checkout configuration
- command: |
- git --work-tree=/srv/git --git-dir=/srv/git/metadata.git checkout main \
- --force "*.git/*"
- become: yes
- - name: Checkout additional configuration
- command: |
- git --work-tree=/etc/sudoers.d --git-dir=/srv/git/metadata_prod.git \
- checkout main --force "90-git*"
- become: yes
- - name: Install ansible
- package:
- name:
- - ansible
- state: latest
- become: yes
- - name: Find all post-receive scripts
- find:
- paths: "/srv/git"
- recurse: yes
- patterns: "post-receive"
- register: post_receive_scripts
- - name: Ensure correct permissions on the post-receive scripts
- file:
- path: "{{ item.path }}"
- owner: git
- group: git
- mode: '0744'
- become: yes
- with_items: "{{ post_receive_scripts.files }}"
- - name: Ensure correct permissions on the additional configuration
- file:
- path: "/etc/sudoers.d/90-git"
- owner: root
- group: root
- mode: '0440'
- become: yes
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- hosts: servers
- tasks:
- - name: Checkout configuration
- command: |
- git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \
- --force nginx/*
- become: yes
- - name: Install nginx
- package:
- name:
- - nginx
- state: latest
- become: yes
- - name: Ensure postfix directory structure exists
- file:
- path: "/etc/nginx"
- state: directory
- become: yes
- - name: Copy to /etc/nginx
- copy:
- src: "/tmp/nginx/{{ item }}"
- dest: "/etc/nginx"
- remote_src: true
- become: true
- with_items:
- - mime.types
- - nginx.conf
- - name: Restart nginx
- service:
- name: nginx
- state: restarted
- become: yes
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- hosts: servers
- tasks:
- - name: Checkout configuration
- command: |
- git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \
- --force opendkim/*
- become: yes
- - name: Install opendkim
- package:
- name:
- - opendkim
- - libopendbx1-pgsql
- state: latest
- become: yes
- - name: Copy to /etc
- copy:
- src: "/tmp/opendkim/opendkim.conf"
- dest: "/etc"
- remote_src: true
- become: true
- - name: Copy to /etc/default
- copy:
- src: "/tmp/opendkim/opendkim"
- dest: "/etc/default"
- remote_src: true
- become: true
- - name: Ensure correct permissions for opendkim files
- file:
- path: "/etc/opendkim/keys/{{ item.domain }}/{{ item.name }}"
- mode: "0500"
- become: true
- with_items:
- - domain: "dobity.eu.org"
- name: "dobity.private"
- - domain: "dobity.eu.org"
- name: "dobity.txt"
- - domain: "ekhem.eu.org"
- name: "ekhem.txt"
- - domain: "ekhem.eu.org"
- name: "ekhem.txt"
- - name: Restart opendkim
- service:
- name: opendkim
- state: restarted
- become: yes
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- hosts: servers
- tasks:
- - name: Checkout configuration
- command: |
- git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \
- --force postfix/*
- become: yes
- - name: Install postfix
- package:
- name:
- - postfix
- - postfix-pgsql
- state: latest
- become: yes
- - name: Ensure postfix directory structure exists
- file:
- path: "/etc/postfix"
- state: directory
- become: yes
- - name: Copy to /etc/postfix
- copy:
- src: "/tmp/postfix/{{ item }}"
- dest: "/etc/postfix"
- remote_src: true
- become: true
- with_items:
- - address_book.cf
- - domains.cf
- - main.cf
- - master.cf
- - name: Restart postfix
- service:
- name: postfix
- state: restarted
- become: yes
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- hosts: servers
- tasks:
- - name: Checkout configuration
- command: |
- git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \
- --force postgres/*
- become: yes
- - name: Install postgres
- package:
- name:
- - postgresql
- state: latest
- become: yes
- - name: Ensure postgres directory structure exists
- file:
- path: "/etc/postgresql/15/main/"
- state: directory
- become: yes
- - name: Copy to /etc/postgresq/15/main
- copy:
- src: "/tmp/postgres/{{ item }}"
- dest: "/etc/postgresql/15/main"
- remote_src: true
- become: true
- with_items:
- - pg_hba.conf
- - postgresql.conf
- - name: Ensure a directory for private files exists
- file:
- path: "/etc/postgresql/15/main/private"
- state: directory
- mode: "0700"
- owner: postgres
- group: postgres
- become: true
- - name: Copy certificates
- copy:
- src: "/etc/letsencrypt/live/postgres/{{ item }}"
- dest: "/etc/postgresql/15/main/private"
- mode: "0600"
- owner: postgres
- group: postgres
- remote_src: true
- become: true
- with_items:
- - fullchain.pem
- - privkey.pem
- - name: Restart postgres
- service:
- name: postgresql
- state: restarted
- become: yes
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- hosts: servers
- tasks:
- - name: Install rsyslog
- package:
- name:
- - rsyslog
- state: latest
- become: yes
- - name: Restart rsyslog
- service:
- name: rsyslog
- state: restarted
- become: yes
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- hosts: servers
- tasks:
- - name: Checkout configuration
- command: |
- git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \
- --force sshd/*
- become: yes
- - name: Copy to /etc/ssh
- copy:
- src: "/tmp/sshd/sshd_config"
- dest: "/etc/ssh"
- remote_src: true
- become: true
- - name: Restart sshd
- service:
- name: ssh
- state: restarted
- become: yes
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- hosts: servers
- tasks:
- - name: Checkout configuration files
- command: |
- git --work-tree=/tmp --git-dir=/srv/git/server_prod.git checkout main \
- --force
- become: yes
- - name: Ensure sites-available directory exists
- file:
- path: "/etc/nginx/sites-available"
- state: directory
- become: yes
- - name: Ensure sites-enabled directory exists
- file:
- path: "/etc/nginx/sites-enabled"
- state: directory
- become: yes
- - name: Copy to /etc/nginx/sites-available
- copy:
- src: "/tmp/nginx/{{ item }}"
- dest: "/etc/nginx/sites-available"
- remote_src: true
- become: true
- with_items:
- - cv.ekhem.eu.org
- - dobity.eu.org
- - drive.dobity.eu.org
- - ekhem.eu.org
- - git.dobity.eu.org
- - git.ekhem.eu.org
- - matrix.dobity.eu.org
- - pass.dobity.eu.org
- - yt.dobity.eu.org
- - name: Symlink to /etc/nginx/sites-enabled
- file:
- src: "/etc/nginx/sites-available/{{ item }}"
- dest: "/etc/nginx/sites-enabled/{{ item }}"
- state: link
- become: true
- with_items:
- - cv.ekhem.eu.org
- - dobity.eu.org
- - drive.dobity.eu.org
- - ekhem.eu.org
- - git.dobity.eu.org
- - git.ekhem.eu.org
- - matrix.dobity.eu.org
- - pass.dobity.eu.org
- - yt.dobity.eu.org
- - name: Restart nginx
- service:
- name: nginx
- state: restarted
- become: yes
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- hosts: servers
- tasks:
- - name: Restart {{ item }}.service
- service:
- name: "{{ item }}"
- state: restarted
- become: yes
- with_items:
- - postgresql
- - postfix
- - dovecot
- - fail2ban
- - fcgiwrap
- - matrix-synapse
- - opendkim
- - nginx
- - ssh
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- hosts: servers
- vars:
- repos:
- - /srv/git/storage_drive.git
- - /srv/git/storage_drive_prod.git
- dest: "/srv/prod/storage"
- tasks:
- - name: Ensure user exists for executing scripts
- user:
- name: "storage"
- shell: "/bin/sh"
- home: "{{ dest }}"
- become: yes
- - name: Ensure destination directory exists
- file:
- path: "{{ dest }}"
- mode: 0775
- state: directory
- owner: git
- group: storage
- become: true
- - name: Install python-venv
- package:
- name:
- - python3.11-venv
- state: latest
- become: yes
- - name: Checkout to the destination directory
- command: |
- git --work-tree={{ dest }} --git-dir={{ item }} checkout main --force
- become: yes
- with_items: "{{ repos }}"
- - name: Ensure correct ownership in the destination directory
- file:
- dest: "{{ dest }}"
- owner: git
- group: storage
- recurse: yes
- become: yes
- - name: Symlink service configuration
- file:
- src: "{{ dest }}/{{ item }}"
- dest: "/etc/systemd/system/{{ item }}"
- state: link
- become: true
- with_items:
- - drive_auth.service
- - drive_download.service
- - drive_upload.service
- - psql_backup.service
- - psql_backup.timer
- - storage_drive.service
- - storage_drive.timer
- - name: Set execution mode to scripts
- file:
- dest: "{{ dest }}/{{ item }}"
- mode: 0755
- become: true
- with_items:
- - auth.sh
- - download.sh
- - psql_backup.sh
- - storage_drive.sh
- - upload.sh
- - name: Enable services
- systemd:
- name: "{{ item }}"
- state: restarted
- enabled: true
- daemon_reload: true
- become: true
- with_items:
- - drive_auth.service
- - drive_download.service
- - drive_upload.service
- - storage_drive.service
# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
# License: GPL-3.0 or later.
-- name: Ensure necessary users exist
- import_playbook: users.yaml
-
- hosts: servers
vars_files:
- sources.yaml
- import_playbook: install/ssl_certificates.yaml
-- name: Deploy server
- import_playbook: server.yaml
-
- name: Recreate database
import_playbook: database.yaml
-- name: Restart services
- import_playbook: services.yaml
-
-- name: Deploy cv
- import_playbook: cv.yaml
-
-- name: Deploy website
- import_playbook: website.yaml
-
-- name: Deploy password store
- import_playbook: password_store.yaml
-- name: Deploy notify
- import_playbook: notify.yaml
-
-- name: Deploy storage drive
- import_playbook: storage_drive.yaml
-
-- name: Deploy yt-dlp server
- import_playbook: yt_dlp_server.yaml
+- hosts: servers
+ tasks:
+ - find:
+ paths: "/srv/git"
+ file_type: file
+ patterns: "*.yaml"
+ recurse: true
+ register: post_receive_scripts
+ - shell: ansible-playbook --connection=local {{ item.path }}
+ with_items: "{{ post_receive_scripts.files }}"
- import_playbook: install/database_from_save.yaml
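Review bot: The new `shell: ansible-playbook --connection=local {{ item.path }}` task executes every `*.yaml` file that `find` discovers anywhere under `/srv/git` as a playbook on the host itself, so whoever can place a YAML file in that tree (a push to any repository whose content is checked out there, or a hook directory) gets playbook execution with this play's privileges; the pattern should be narrowed to the specific hook locations that are meant to be executed, or the paths listed explicitly, rather than a recursive `*.yaml` glob. The path is also interpolated into a shell string, so a filename containing shell metacharacters changes the command; use `command:` with `argv: ["ansible-playbook", "--connection=local", "{{ item.path }}"]` so the path is passed as a single argument without a shell. The registered variable is still called `post_receive_scripts` although the task now matches `*.yaml`, and both added tasks lack a `name:`, which makes the run output hard to audit; something like `- name: Run playbooks found under /srv/git` and `register: found_playbooks` would describe what actually happens. The enclosing file's header lines are not visible in this hunk, so the play's `become` context cannot be confirmed from here.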
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- hosts: servers
- tasks:
- - name: Install git
- package:
- name:
- - git
- state: latest
- become: yes
- - name: Ensure user git exists
- user:
- name: "git"
- become: yes
- - name: Copy the SSH key for user git
- authorized_key:
- user: "git"
- state: present
- key: "{{ lookup('file', '{{ ssh_key }}') }}"
- key_options: >
- "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"
- become: true
- - name: Ensure git uses the git-web shell
- user:
- name: "git"
- shell: "/usr/bin/git-shell"
- become: yes
- - name: Ensure existance of the {{ item }} user
- user:
- name: "{{ item }}"
- become: yes
- with_items:
- - opendkim
- - vmail
- - storage
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- hosts: servers
- vars:
- repos:
- - /srv/git/website.git
- dest: "/srv/prod/www"
- tasks:
- - name: Ensure destination directory exists
- file:
- path: "{{ dest }}"
- state: directory
- become: true
- - name: Checkout files to the destination directory
- command: |
- git --work-tree={{ dest }} --git-dir={{ item }} checkout main --force
- become: yes
- with_items: "{{ repos }}"
+++ /dev/null
-# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
-# License: GPL-3.0 or later.
-
-- hosts: servers
- vars:
- repos:
- - /srv/git/yt_dlp_server.git
- - /srv/git/yt_dlp_server_prod.git
- dest: "/srv/prod/yt_dlp_server"
- tasks:
- - name: Ensure user exists for executing scripts
- user:
- name: "yt_dlp_server"
- shell: "/bin/sh"
- home: "{{ dest }}"
- become: yes
- - name: Ensure destination directory exists
- file:
- path: "{{ dest }}"
- mode: 0775
- state: directory
- owner: git
- group: yt_dlp_server
- become: true
- - name: Install dependencies
- package:
- name:
- - ffmpeg
- - python3.11-venv
- state: latest
- become: yes
- - name: Checkout to the destination directory
- command: |
- git --work-tree={{ dest }} --git-dir={{ item }} checkout main --force
- become: yes
- with_items: "{{ repos }}"
- - name: Ensure correct ownership in the destination directory
- file:
- dest: "{{ dest }}"
- owner: git
- group: yt_dlp_server
- recurse: yes
- become: yes
- - name: Symlink system configuration
- file:
- src: "{{ dest }}/{{ item }}"
- dest: "/etc/systemd/system/{{ item }}"
- state: link
- become: true
- with_items:
- - yt_dlp_server.service
- - name: Set execution mode to scripts
- file:
- dest: "{{ dest }}/{{ item }}"
- mode: 0755
- become: true
- with_items:
- - yt_dlp_server.sh
- - name: Enable services
- systemd:
- name: "{{ item }}"
- state: restarted
- enabled: true
- daemon_reload: true
- become: true
- with_items:
- - yt_dlp_server.service