--- /dev/null
+# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
+# License: GPL-3.0 or later.
+
+- hosts: servers
+ vars:
+ repo: "{{ ansible_local.env.vars.git_home_dir }}/server.git"
+ tasks:
+ - name: Install dovecot's packages
+ package:
+ name:
+ - dovecot-imapd
+ - dovecot-lmtpd
+ - dovecot-pgsql
+ state: latest
+ become: true
+ - name: Checkout dovecot's configuration files to /tmp
+ command: git --work-tree=/tmp --git-dir={{ repo }} checkout main --force \
+ dovecot/*
+ become: true
+ - name: Copy files from /tmp/dovecot to /etc/dovecot
+ shell: envsubst < /tmp/dovecot/{{ item }} > /etc/dovecot/{{ item }}
+ environment: "{{ ansible_local.env.vars }}"
+ become: true
+ with_items:
+ - dovecot-dict-auth.conf.ext
+ - dovecot-dict-sql.conf.ext
+ - dovecot-sql.conf.ext
+ - dovecot.conf
+ - name: Copy files from /tmp/dovecot/conf.d to /etc/dovecot/conf.d
+ shell: envsubst < /tmp/dovecot/{{ item }} > /etc/dovecot/conf.d/{{ item }}
+ environment: "{{ ansible_local.env.vars }}"
+ become: true
+ with_items:
+ - auth-checkpassword.conf.ext
+ - auth-deny.conf.ext
+ - auth-dict.conf.ext
+ - auth-master.conf.ext
+ - auth-passwdfile.conf.ext
+ - auth-sql.conf.ext
+ - auth-static.conf.ext
+ - auth-system.conf.ext
+ - 10-auth.conf
+ - 10-director.conf
+ - 10-logging.conf
+ - 10-mail.conf
+ - 10-master.conf
+ - 10-ssl.conf
+ - 10-tcpwrapper.conf
+ - 15-lda.conf
+ - 15-mailboxes.conf
+ - 20-imap.conf
+ - 20-lmtp.conf
+ - 90-acl.conf
+ - 90-plugin.conf
+ - 90-quota.conf
+ - name: Set permissions for /var/vmail
+ file:
+ path: /var/vmail
+ state: directory
+ mode: 0775
+ owner: vmail
+ group: vmail
+ recurse: true
+ become: true
+ - name: Configure user vmail
+ user:
+ name: vmail
+ home: /var/vmail
+ shell: /usr/sbin/nologin
+ password_lock: true
+ become: true
+ - name: Create dovecot's log files
+ file:
+ path: /var/log/{{ item }}
+ state: touch
+ owner: vmail
+ group: vmail
+ become: true
+ with_items:
+ - dovecot-info.log
+ - dovecot.log
+ - name: Restart dovecot
+ service:
+ name: dovecot
+ state: restarted
+ become: true
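Review bot: The trailing backslash on L18 is not a line continuation in YAML — the plain scalar folds onto L19 with a single space, so the value handed to the module contains a literal `\` before `dovecot/*`; depending on how the module tokenises it, git receives either a `\` pathspec or a pathspec with a leading space, and either way the intended `dovecot/*` filter is lost. Write the command on one line or as a folded block, `command: >-` followed by the two indented lines with the backslash removed. The same construct appears in every other playbook of this commit (L103-104, L168-169, L226-227, L239-240, L257-258, L287-288, L322-323, L372-373, L404-405, L455-456); in the `shell` variants the stray `\ ` reaches /bin/sh as a single-space positional argument to envsubst, which would put it into SHELL-FORMAT mode and substitute nothing at all. Separately, the `file` task at L57 chowns /var/vmail to `vmail` before the `user` task at L66 creates that account; unless the account already exists from elsewhere, the chown fails on a fresh host, so the user task should run first.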
--- /dev/null
+# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
+# License: GPL-3.0 or later.
+
+- hosts: servers
+ vars:
+ repo: "{{ ansible_local.env.vars.git_home_dir }}/server.git"
+ tasks:
+ - name: Install fail2ban
+ package:
+ name:
+ - fail2ban
+ state: latest
+ become: true
+ - name: Checkout fail2ban's configuration files to /tmp
+ command: git --work-tree=/tmp --git-dir={{ repo }} checkout main --force \
+ fail2ban/*
+ become: true
+ - name: Copy files from /tmp to /etc/fail2ban
+ copy:
+ src: /tmp/fail2ban/{{ item }}
+ dest: /etc/fail2ban
+ remote_src: true
+ become: true
+ with_items:
+ - fail2ban.local
+ - jail.local
+ - paths-common.conf
+ - name: Restart fail2ban
+ service:
+ name: fail2ban
+ state: restarted
+ become: true
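Review bot: The `service` task at L116 restarts fail2ban on every run regardless of whether the copy at L106 changed anything, and `state: latest` at L100 upgrades the package on every run as well, so a deploy triggered by an unrelated file still produces a package upgrade and a daemon restart. Prefer `state: present`, and move the restart into a handler that the copy task triggers: `notify: Restart fail2ban` on the copy task plus a `handlers:` section holding the existing service task, so fail2ban only restarts when its configuration actually changed. The same unconditional restart / `latest` pattern is repeated in each of the other playbooks in this commit.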
--- /dev/null
+# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
+# License: GPL-3.0 or later.
+
+- hosts: servers
+ vars:
+ repo: "{{ ansible_local.env.vars.git_home_dir }}/server.git"
+ tasks:
+ - name: Install fcgiwrap, gitweb and nginx
+ package:
+ name:
+ - fcgiwrap
+ - gitweb
+ - nginx
+ state: latest
+ become: true
+ - name: Checkout git's configuration files to /tmp
+ command: git --work-tree=/tmp --git-dir={{ repo }} checkout main --force
+ become: true
+ - name: Create destination directory
+ file:
+ path: /etc/git
+ state: directory
+ become: true
+ - name: Copy files from /tmp to /etc/git
+ shell: envsubst < /tmp/git/{{ item }} > /etc/git/{{ item }}
+ environment: "{{ ansible_local.env.vars }}"
+ become: true
+ with_items:
+ - private.conf
+ - public.conf
+ - name: Use git-shell for user git
+ user:
+ name: git
+ shell: /usr/bin/git-shell
+ become: true
+
+ - name: Copy sites from /tmp to /etc/nginx/sites-available
+ copy:
+ src: /tmp/git/{{ item }}
+ dest: /etc/nginx/sites-available
+ remote_src: true
+ become: true
+ with_items:
+ - git_private.conf
+ - git_public.conf
+ - name: Enable sites in nginx
+ shell: envsubst < /etc/nginx/sites-available/{{ item }} \
+ > /etc/nginx/sites-enabled/{{ item }}
+ environment: "{{ ansible_local.env.vars }}"
+ become: true
+ with_items:
+ - git_private.conf
+ - git_public.conf
+ - name: Restart fcgiwrap and nginx
+ service:
+ name: "{{ item }}"
+ state: restarted
+ become: true
+ with_items:
+ - fcgiwrap
+ - nginx
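Review bot: The checkout at L138 has no pathspec, unlike every other playbook here, so it writes the whole repository into /tmp instead of only `git/*`; add the `git/*` pathspec as the others do (and staging root-run configuration through the world-writable /tmp at all would be safer from a root-owned directory created with the `tempfile` module). At L168 `envsubst` runs with no SHELL-FORMAT argument, which means every `$name` in the nginx site file is replaced and any name absent from the environment becomes an empty string; if these files use nginx's own `$host`, `$uri` or `$remote_addr`, they are silently emptied. Pass only the intended names, e.g. `envsubst '${<var1>} ${<var2>}'` with the variable names taken from the env vars file. The matrix and postfix playbooks run the same unrestricted envsubst over files (synapse yaml, main.cf) that may also contain `$` references of their own.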
--- /dev/null
+#!/bin/sh
+# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
+# License: GPL-3.0 or later.
+
+DEPLOYABLE="dovecot fail2ban git matrix nginx opendkim postfix postgres sshd"
+
+while read old_revision new_revision branch
+do
+ if [ "${branch}" != "refs/heads/main" ]
+ then
+ echo "${branch} is not the main branch so not deploying."
+ exit 0
+ fi
+ dirs_diff=$(git diff --name-only HEAD HEAD~1 \
+ | cut --delimiter=/ --fields=1 \
+ | cut --delimiter=. --fields=1 \
+ | sort \
+ | uniq)
+ for dir in "${dirs_diff}"
+ do
+ if $(echo "${DEPLOYABLE}" | grep --word-regexp --quiet "${dir}")
+ then
+ sudo ansible-playbook --connection=local "${dir}".yaml
+ fi
+ done
+done
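Review bot: The quoted `"${dirs_diff}"` at L202 makes the `for` loop run exactly once with the whole newline-separated list as `dir`, so when a push touches two or more deployable directories the grep pattern contains a newline and the playbook name becomes something like `dovecot<newline>postfix.yaml`; drop the quotes so the shell splits the list on whitespace. Three smaller problems sit in the same loop: `if $(…)` at L204 executes grep's (empty) output as a command and only works because the shell falls back to the substitution's exit status, `exit 0` at L195 abandons the whole hook at the first non-main ref instead of skipping that ref, and `HEAD HEAD~1` at L197 ignores the `old_revision`/`new_revision` pair the hook is given, so a push of several commits only deploys the last commit's changes. `--fixed-strings` on the grep keeps regex metacharacters in a directory name from matching a different deployable. The rewritten loop:
```shell
while read -r old_revision new_revision branch
do
  if [ "${branch}" != "refs/heads/main" ]
  then
    echo "${branch} is not the main branch so not deploying."
    continue
  fi
  dirs_diff=$(git diff --name-only "${old_revision}" "${new_revision}" \
    | cut --delimiter=/ --fields=1 \
    | cut --delimiter=. --fields=1 \
    | sort \
    | uniq)
  for dir in ${dirs_diff}
  do
    if echo "${DEPLOYABLE}" | grep --word-regexp --fixed-strings --quiet "${dir}"
    then
      sudo ansible-playbook --connection=local "${dir}".yaml
    fi
  done
done
```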
--- /dev/null
+# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
+# License: GPL-3.0 or later.
+
+- hosts: servers
+ vars:
+ repo: "{{ ansible_local.env.vars.git_home_dir }}/server.git"
+ tasks:
+ - name: Install matrix-synapse and nginx
+ package:
+ name:
+ - matrix-synapse
+ - nginx
+ state: latest
+ become: true
+ - name: Checkout matrix's configuration files to /tmp
+ command: git --work-tree=/tmp --git-dir={{ repo }} checkout main --force \
+ matrix/*
+ become: true
+ - name: Copy files from /tmp to /etc/matrix-synapse
+ copy:
+ src: /tmp/matrix/{{ item }}
+ dest: /etc/matrix-synapse
+ remote_src: true
+ become: true
+ with_items:
+ - homeserver.yaml
+ - log.yaml
+ - name: Copy files from /tmp to /etc/matrix-synapse/conf.d
+ shell: envsubst < /tmp/matrix/{{ item }} \
+ > /etc/matrix-synapse/conf.d/{{ item }}
+ environment: "{{ ansible_local.env.vars }}"
+ become: true
+ with_items:
+ - report_stats.yaml
+ - server_name.yaml
+
+ - name: Copy sites from /tmp to /etc/nginx/sites-available
+ copy:
+ src: /tmp/matrix/{{ item }}
+ dest: /etc/nginx/sites-available
+ remote_src: true
+ become: true
+ with_items:
+ - matrix.conf
+ - private.conf
+ - name: Enable sites in nginx
+ shell: envsubst < /etc/nginx/sites-available/{{ item }} \
+ > /etc/nginx/sites-enabled/{{ item }}
+ environment: "{{ ansible_local.env.vars }}"
+ become: true
+ with_items:
+ - matrix.conf
+ - private.conf
+ - name: Restart matrix-synapse and nginx
+ service:
+ name: "{{ item }}"
+ state: restarted
+ become: yes
+ with_items:
+ - matrix-synapse
+ - nginx
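Review bot: `become: yes` at L268 departs from the `become: true` used everywhere else in this commit; the YAML 1.1 truthy spelling is what yamllint's `truthy` rule flags, so use `become: true` here and at the same spot in the postgres (L445) and sshd (L457, L468) playbooks. The blank line at L246 splits the task list in the middle (L157 in the git playbook does the same); either drop it or separate every task consistently.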
--- /dev/null
+# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
+# License: GPL-3.0 or later.
+
+- hosts: servers
+ vars:
+ repo: "{{ ansible_local.env.vars.git_home_dir }}/server.git"
+ tasks:
+ - name: Install nginx
+ package:
+ name:
+ - nginx
+ state: latest
+ become: true
+ - name: Checkout nginx's configuration files to /tmp
+ command: git --work-tree=/tmp --git-dir={{ repo }} checkout main --force \
+ nginx/*
+ become: true
+ - name: Copy files from /tmp/nginx to /etc/nginx
+ copy:
+ src: /tmp/nginx/{{ item }}
+ dest: /etc/nginx
+ remote_src: true
+ become: true
+ with_items:
+ - mime.types
+ - nginx.conf
+ - name: Restart nginx
+ service:
+ name: nginx
+ state: restarted
+ become: true
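Review bot: The `copy` of nginx.conf at L290 is followed by an unconditional `restarted` at L299 with no validation step, so a syntax error in the checked-in file takes nginx down until the next push fixes it. The copy module's `validate` option checks the staged file before it is moved into place: `validate: nginx -t -c %s` on the copy task rejects a broken file and leaves the running configuration untouched. `state: reloaded` is also sufficient for a configuration change and does not drop open connections.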
--- /dev/null
+# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
+# License: GPL-3.0 or later.
+
+- hosts: servers
+ vars:
+ repo: "{{ ansible_local.env.vars.git_home_dir }}/server.git"
+ domain1: "{{ ansible_local.env.vars.private_domain }}"
+ domain2: "{{ ansible_local.env.vars.public_domain }}"
+ tasks:
+ - name: Install opendkim's packages
+ package:
+ name:
+ - opendkim
+ - libopendbx1-pgsql
+ state: latest
+ become: true
+ - name: Checkout opendkim's configuration files to /tmp
+ command: git --work-tree=/tmp --git-dir={{ repo }} checkout main --force \
+ opendkim/*
+ become: true
+ - name: Copy opendkim.conf to /etc
+ copy:
+ src: /tmp/opendkim/opendkim.conf
+ dest: /etc
+ remote_src: true
+ become: true
+ - name: Copy opendkim to /etc/default
+ copy:
+ src: /tmp/opendkim/opendkim
+ dest: /etc/default
+ remote_src: true
+ become: true
+ - name: Disable group and others permissions for opendkim's files
+ file:
+ path: /etc/opendkim/keys/{{ item.domain }}/{{ item.name }}
+ mode: 0500
+ become: true
+ with_items:
+ - domain: "{{ domain1 }}"
+ name: "{{ domain1 | regex_replace('\\..*$', '') }}.private"
+ - domain: "{{ domain1 }}"
+ name: "{{ domain1 | regex_replace('\\..*$', '') }}.txt"
+ - domain: "{{ domain2 }}"
+ name: "{{ domain2 | regex_replace('\\..*$', '') }}.private"
+ - domain: "{{ domain2 }}"
+ name: "{{ domain2 | regex_replace('\\..*$', '') }}.txt"
+ - name: Restart opendkim
+ service:
+ name: opendkim
+ state: restarted
+ become: true
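Review bot: The `file` task at L337 sets `mode: 0500` but no `owner`/`group`, so the outcome depends on who created the key files; if they are root-owned, the owner-only mode locks the opendkim daemon, which runs as its own service account, out of its signing key. Set the owner explicitly alongside the mode (`owner: opendkim` and `group: opendkim` if that is the account configured in /etc/default/opendkim), and quote the mode as `"0400"` — the execute bit is meaningless on a key file, and the unquoted leading-zero literal is what ansible-lint's risky-octal rule flags (the same applies at L61, L425 and L433).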
--- /dev/null
+# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
+# License: GPL-3.0 or later.
+
+- hosts: servers
+ vars:
+ repo: "{{ ansible_local.env.vars.git_home_dir }}/server.git"
+ tasks:
+ - name: Install postfix's packages
+ package:
+ name:
+ - postfix
+ - postfix-pgsql
+ state: latest
+ become: true
+ - name: Checkout postfix's configuration files to /tmp
+ command: git --work-tree=/tmp --git-dir={{ repo }} checkout main --force \
+ postfix/*
+ become: true
+ - name: Copy files from /tmp to /etc/postfix
+ shell: envsubst < /tmp/postfix/{{ item }} > /etc/postfix/{{ item }}
+ environment: "{{ ansible_local.env.vars }}"
+ become: true
+ with_items:
+ - address_book.cf
+ - domains.cf
+ - main.cf
+ - master.cf
+ - name: Restart postfix
+ service:
+ name: postfix
+ state: restarted
+ become: true
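Review bot: The `shell` redirect at L376 creates /etc/postfix/{{ item }} with root's default umask, typically 0644, and two of the items (`address_book.cf`, `domains.cf`) are pgsql lookup tables, which normally carry the database password; if they do here, the credentials become world-readable. Follow the loop with a `file` task that sets `mode: "0640"` and `group: postfix` on those two files, or prefix the command with `umask 027 &&`. The dovecot playbook writes `dovecot-sql.conf.ext` and `dovecot-dict-sql.conf.ext` the same way and has the same exposure.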
--- /dev/null
+# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
+# License: GPL-3.0 or later.
+
+- hosts: servers
+ vars:
+ repo: "{{ ansible_local.env.vars.git_home_dir }}/server.git"
+ tasks:
+ - name: Install postgres
+ package:
+ name:
+ - postgresql
+ state: latest
+ become: true
+ - name: Checkout postgres' configuration files to /tmp
+ command: git --work-tree=/tmp --git-dir={{ repo }} checkout main \
+ --force postgres/*
+ become: true
+ - name: Create directory /etc/postgresql/15/main/private
+ file:
+ path: /etc/postgresql/15/main/private
+ state: directory
+ become: true
+ - name: Copy files from /tmp/postgres to /etc/postgresq/15/main
+ copy:
+ src: /tmp/postgres/{{ item }}
+ dest: /etc/postgresql/15/main
+ remote_src: true
+ become: true
+ with_items:
+ - pg_hba.conf
+ - postgresql.conf
+ - name: Limit permissions for /etc/postgresql/15/main/private
+ file:
+ path: /etc/postgresql/15/main/private
+ state: directory
+ mode: 0700
+ owner: postgres
+ group: postgres
+ become: true
+ - name: Copy postgres' certificates /etc/postgresql/15/main/private
+ copy:
+ src: "{{ ansible_local.env.vars.postgres_ssl_cert_dir }}/{{ item }}"
+ dest: /etc/postgresql/15/main/private
+ mode: 0600
+ owner: postgres
+ group: postgres
+ remote_src: true
+ become: true
+ with_items:
+ - fullchain.pem
+ - privkey.pem
+ - name: Restart postgres
+ service:
+ name: postgresql
+ state: restarted
+ become: yes
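Review bot: The directory at L407 is created with default ownership and mode and only tightened at L421, so between the two tasks it exists as a root-owned 0755 directory; a single `file` task that passes `owner`, `group` and `mode: "0700"` at creation covers both steps. The task name at L412 misspells the destination as `/etc/postgresq/15/main`, although the `dest` itself is correct. The version `15` is hard-coded in five paths; a vars entry such as `pg_version: "15"` would keep them in step when the cluster is upgraded.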
--- /dev/null
+# Copyright (c) 2023 Jakub Czajka <jakub@ekhem.eu.org>
+# License: GPL-3.0 or later.
+
+- hosts: servers
+ vars:
+ repo: "{{ ansible_local.env.vars.git_home_dir }}/server.git"
+ tasks:
+ - name: Checkout sshd's configuration files to /tmp
+ command: git --work-tree=/tmp --git-dir={{ repo }} checkout main --force \
+ sshd/*
+ become: yes
+ - name: Copy /tmp/sshd/sshd_config to /etc/ssh
+ copy:
+ src: /tmp/sshd/sshd_config
+ dest: /etc/ssh
+ remote_src: true
+ become: true
+ - name: Restart sshd
+ service:
+ name: ssh
+ state: restarted
+ become: yes
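Review bot: The `copy` at L458 replaces sshd_config without validation and L464 then restarts the daemon, so a typo in the checked-in file leaves the host without SSH until someone fixes it at the console. Add `validate: /usr/sbin/sshd -t -f %s` to the copy task so a broken file is rejected before it is moved into place; `state: reloaded` is also sufficient for sshd and leaves established sessions untouched. `become: yes` at L457 and L468 should be `become: true` to match the rest of the commit.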