From: Jakub Czajka Date: Sun, 22 Oct 2023 21:59:55 +0000 (+0200) Subject: Split server configuration into separate playbooks. X-Git-Url: https://git.ekhem.eu.org/?a=commitdiff_plain;h=395b851afd16ffa1bc45813e846341ca6d8b5af2;p=turnup.git Split server configuration into separate playbooks. --- diff --git a/server.yaml b/server.yaml index c4e44d8..511cf08 100644 --- a/server.yaml +++ b/server.yaml @@ -1,18 +1,32 @@ # Copyright (c) 2023 Jakub Czajka # License: GPL-3.0 or later. -- hosts: servers - tasks: - - name: Install {{ item }} - include_tasks: "server/{{ item }}.yaml" - with_items: - - dovecot - - fail2ban - - git - - opendkim - - matrix - - nginx - - postgres - - postfix - - websites - - sshd +- name: Install dovecot + import_playbook: server/dovecot.yaml + +- name: Install fail2ban + import_playbook: server/fail2ban.yaml + +- name: Install git + import_playbook: server/git.yaml + +- name: Install opendkim + import_playbook: server/opendkim.yaml + +- name: Install matrix + import_playbook: server/matrix.yaml + +- name: Install nginx + import_playbook: server/nginx.yaml + +- name: Install postgres + import_playbook: server/postgres.yaml + +- name: Install postfix + import_playbook: server/postfix.yaml + +- name: Install web server sites + import_playbook: server/websites.yaml + +- name: Install sshd + import_playbook: server/sshd.yaml diff --git a/server/dovecot.yaml b/server/dovecot.yaml index 6423dd0..ea1f519 100644 --- a/server/dovecot.yaml +++ b/server/dovecot.yaml 
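Review bot: With `import_playbook` the ten plays run strictly in file order, and Ansible drops a host from all later plays after its first failed play, so a failure in a middle play (a package install in `matrix` or `postgres`, say) means the `sshd` play at the very end never runs; if `server/sshd.yaml` is what carries the access hardening for these hosts, it is worth importing `sshd` and `fail2ban` before the service installs, or at least recording the intent with a comment such as `# Plays run sequentially; a failed play removes the host from every play after it.`. The file also still lacks a `---` document start, which yamllint flags on each of the eleven playbooks touched here.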
@@ -1,87 +1,94 @@ # Copyright (c) 2023 Jakub Czajka # License: GPL-3.0 or later. -- name: Checkout configuration - command: | - git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main --force \ - dovecot/* - become: yes -- name: Install dovecot - package: - name: - - dovecot-imapd - - dovecot-lmtpd - - dovecot-pgsql - state: latest - become: yes -- name: Ensure dovecot directory structure exists - file: - path: "/etc/dovecot/conf.d" - state: directory - become: yes -- name: Copy to /etc/dovecot - copy: - src: "/tmp/dovecot/{{ item }}" - dest: "/etc/dovecot" - remote_src: true - become: true - with_items: - - dovecot-dict-auth.conf.ext - - dovecot-dict-sql.conf.ext - - dovecot-sql.conf.ext - - dovecot.conf -- name: Copy to /etc/dovecot/conf.d - copy: - src: "/tmp/dovecot/{{ item }}" - dest: "/etc/dovecot/conf.d" - remote_src: true - become: true - with_items: - - 10-auth.conf - - 10-master.conf - - 15-mailboxes.conf - - 90-plugin.conf - - auth-dict.conf.ext - - auth-static.conf.ext - - 10-director.conf - - 10-ssl.conf - - 20-imap.conf - - 90-quota.conf - - auth-master.conf.ext - - auth-system.conf.ext - - 10-logging.conf - - 10-tcpwrapper.conf - - 20-lmtp.conf - - auth-checkpassword.conf.ext - - auth-passwdfile.conf.ext - - 10-mail.conf - - 15-lda.conf - - 90-acl.conf - - auth-deny.conf.ext - - auth-sql.conf.ext -- name: Ensure correct permissions for the virtual mailbox - file: - path: "/var/vmail" - state: directory - mode: "0775" - owner: vmail - group: storage - recurse: true - become: true -- name: Ensure configuration of the virtual mailbox user - user: - name: "vmail" - home: "/var/vmail" - shell: "/usr/sbin/nologin" - password_lock: true - become: yes -- name: Ensure log files exist - file: - path: "/var/log/{{ item }}" - state: touch - owner: vmail - group: vmail - become: yes - with_items: - - dovecot.log - - dovecot-info.log +- hosts: servers + tasks: + - name: Checkout configuration + command: | + git --work-tree=/tmp 
--git-dir=/srv/git/server.git checkout main \ + --force dovecot/* + become: yes + - name: Install dovecot + package: + name: + - dovecot-imapd + - dovecot-lmtpd + - dovecot-pgsql + state: latest + become: yes + - name: Ensure dovecot directory structure exists + file: + path: "/etc/dovecot/conf.d" + state: directory + become: yes + - name: Copy to /etc/dovecot + copy: + src: "/tmp/dovecot/{{ item }}" + dest: "/etc/dovecot" + remote_src: true + become: true + with_items: + - dovecot-dict-auth.conf.ext + - dovecot-dict-sql.conf.ext + - dovecot-sql.conf.ext + - dovecot.conf + - name: Copy to /etc/dovecot/conf.d + copy: + src: "/tmp/dovecot/{{ item }}" + dest: "/etc/dovecot/conf.d" + remote_src: true + become: true + with_items: + - 10-auth.conf + - 10-master.conf + - 15-mailboxes.conf + - 90-plugin.conf + - auth-dict.conf.ext + - auth-static.conf.ext + - 10-director.conf + - 10-ssl.conf + - 20-imap.conf + - 90-quota.conf + - auth-master.conf.ext + - auth-system.conf.ext + - 10-logging.conf + - 10-tcpwrapper.conf + - 20-lmtp.conf + - auth-checkpassword.conf.ext + - auth-passwdfile.conf.ext + - 10-mail.conf + - 15-lda.conf + - 90-acl.conf + - auth-deny.conf.ext + - auth-sql.conf.ext + - name: Ensure correct permissions for the virtual mailbox + file: + path: "/var/vmail" + state: directory + mode: "0775" + owner: vmail + group: storage + recurse: true + become: true + - name: Ensure configuration of the virtual mailbox user + user: + name: "vmail" + home: "/var/vmail" + shell: "/usr/sbin/nologin" + password_lock: true + become: yes + - name: Ensure log files exist + file: + path: "/var/log/{{ item }}" + state: touch + owner: vmail + group: vmail + become: yes + with_items: + - dovecot.log + - dovecot-info.log + - name: Restart dovecot + service: + name: dovecot + state: restarted + become: yes diff --git a/server/fail2ban.yaml b/server/fail2ban.yaml index cf1c84b..391df4e 100644 --- a/server/fail2ban.yaml +++ b/server/fail2ban.yaml 
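Review bot: The checkout task writes the configuration into world-writable `/tmp` as root (`--work-tree=/tmp`) and the two `copy` tasks then install whatever is found in `/tmp/dovecot/` into `/etc/dovecot` with `remote_src: true`; if any non-root account exists on the host, that account can pre-create `/tmp/dovecot` or replace `dovecot-sql.conf.ext` between the checkout and the copy, and the substituted file lands in `/etc/dovecot` as root. Stage into a root-owned directory instead: add a task that creates e.g. `/root/.turnup/stage` with `state: directory` and `mode: "0700"` before the checkout, then use `--work-tree=/root/.turnup/stage` and `src: "/root/.turnup/stage/dovecot/{{ item }}"`. The same `/tmp` staging pattern is repeated in every play of this commit; `dovecot-sql.conf.ext` in particular normally carries the database password, so that copy also deserves an explicit `mode: "0600"` rather than whatever root's umask produced on checkout.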
@@ -1,29 +1,36 @@ # Copyright (c) 2023 Jakub Czajka # License: GPL-3.0 or later. -- name: Checkout configuration - command: | - git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main --force \ - fail2ban/* - become: yes -- name: Install fail2ban - package: - name: - - fail2ban - state: latest - become: yes -- name: Ensure fail2ban directory structure exists - file: - path: "/etc/fail2ban" - state: directory - become: yes -- name: Copy to /etc/fail2ban - copy: - src: "/tmp/fail2ban/{{ item }}" - dest: "/etc/fail2ban" - remote_src: true - become: true - with_items: - - fail2ban.local - - jail.local - - paths-common.conf +- hosts: servers + tasks: + - name: Checkout configuration + command: | + git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \ + --force fail2ban/* + become: yes + - name: Install fail2ban + package: + name: + - fail2ban + state: latest + become: yes + - name: Ensure fail2ban directory structure exists + file: + path: "/etc/fail2ban" + state: directory + become: yes + - name: Copy to /etc/fail2ban + copy: + src: "/tmp/fail2ban/{{ item }}" + dest: "/etc/fail2ban" + remote_src: true + become: true + with_items: + - fail2ban.local + - jail.local + - paths-common.conf + - name: Restart fail2ban + service: + name: fail2ban + state: restarted + become: yes diff --git a/server/git.yaml b/server/git.yaml index de924ba..61fbdf6 100644 --- a/server/git.yaml +++ b/server/git.yaml 
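Review bot: `Restart fail2ban` runs with `state: restarted` on every invocation whether or not `jail.local` or `fail2ban.local` changed, and nothing checks the checked-out files first, so a syntax slip in the repository takes the ban service down on the next run and leaves it down. Put `notify: Restart fail2ban` on the copy task, move the restart into a `handlers:` section, and validate before restarting with `- name: Validate fail2ban configuration` / `command: fail2ban-client -t` / `become: true` (`-t` exists from fail2ban 0.10 on; confirm against the packaged version). `state: latest` on the package task additionally upgrades fail2ban as a side effect of every config deploy; `present` keeps upgrades a deliberate step.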
@@ -1,23 +1,36 @@ # Copyright (c) 2023 Jakub Czajka # License: GPL-3.0 or later. -- name: Checkout configuration - command: | - git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main --force \ - git/* - become: yes -- name: Install gitweb - package: - name: - - fcgiwrap - - gitweb - state: latest - become: yes -- name: Copy to /etc - copy: - src: "/tmp/git/{{ item }}" - dest: "/etc" - remote_src: true - become: true - with_items: - - gitweb.conf +- hosts: servers + tasks: + - name: Checkout configuration + command: | + git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \ + --force git/* + become: yes + - name: Install gitweb + package: + name: + - fcgiwrap + - gitweb + state: latest + become: yes + - name: Ensure git directory structure exists + file: + path: "/etc/git" + state: directory + become: yes + - name: Copy to /etc + copy: + src: "/tmp/git/{{ item }}" + dest: "/etc/git" + remote_src: true + become: true + with_items: + - ekhem.conf + - dobity.conf + - name: Restart fcgiwrap + service: + name: fcgiwrap + state: restarted + become: yes diff --git a/server/matrix.yaml b/server/matrix.yaml index e20611c..270c130 100644 --- a/server/matrix.yaml +++ b/server/matrix.yaml 
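Review bot: Beyond the refactor, this hunk changes what is deployed: the old task installed `gitweb.conf` into `/etc`, the new one installs `ekhem.conf` and `dobity.conf` into `/etc/git`, and nothing removes a previously deployed `/etc/gitweb.conf`, which gitweb reads as its system config by default, so hosts updated in place keep the stale file in effect alongside the new per-site files. If `/etc/gitweb.conf` is no longer intended, add `- name: Remove legacy gitweb.conf` / `file: {path: /etc/gitweb.conf, state: absent}` / `become: true`, and mention the path change in the commit message, which "Split server configuration into separate playbooks" does not cover. Whether the per-site files are actually picked up depends on how the nginx vhosts set `GITWEB_CONFIG`, which is not visible here.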
@@ -1,37 +1,44 @@ # Copyright (c) 2023 Jakub Czajka # License: GPL-3.0 or later. -- name: Checkout configuration files - command: | - git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main --force \ - matrix/* - become: yes -- name: Install matrix - package: - name: - - matrix-synapse - state: latest - become: yes -- name: Ensure matrix directory structure exists - file: - path: "/etc/matrix-synapse/conf.d" - state: directory - become: yes -- name: Copy to /etc/matrix-synapse - copy: - src: "/tmp/matrix/{{ item }}" - dest: "/etc/matrix-synapse" - remote_src: true - become: true - with_items: - - homeserver.yaml - - log.yaml -- name: Copy to /etc/matrix-synapse/conf.d - copy: - src: "/tmp/matrix/{{ item }}" - dest: "/etc/matrix-synapse/conf.d" - remote_src: true - become: true - with_items: - - report_stats.yaml - - server_name.yaml +- hosts: servers + tasks: + - name: Checkout configuration files + command: | + git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \ + --force matrix/* + become: yes + - name: Install matrix + package: + name: + - matrix-synapse + state: latest + become: yes + - name: Ensure matrix directory structure exists + file: + path: "/etc/matrix-synapse/conf.d" + state: directory + become: yes + - name: Copy to /etc/matrix-synapse + copy: + src: "/tmp/matrix/{{ item }}" + dest: "/etc/matrix-synapse" + remote_src: true + become: true + with_items: + - homeserver.yaml + - log.yaml + - name: Copy to /etc/matrix-synapse/conf.d + copy: + src: "/tmp/matrix/{{ item }}" + dest: "/etc/matrix-synapse/conf.d" + remote_src: true + become: true + with_items: + - report_stats.yaml + - server_name.yaml + - name: Restart matrix-synapse + service: + name: matrix-synapse + state: restarted + become: yes diff --git a/server/nginx.yaml b/server/nginx.yaml index 3c87a5a..dd9e28d 100644 --- a/server/nginx.yaml +++ b/server/nginx.yaml 
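Review bot: `homeserver.yaml` is copied into `/etc/matrix-synapse` with no `owner`, `group` or `mode`; Synapse's main config normally holds `registration_shared_secret`, `macaroon_secret_key`, `form_secret` and the database password, and a fresh copy from the `/tmp` checkout gets root's umask (typically 0644), so every local account can read the homeserver's secrets. Set the permissions explicitly on that copy task: `mode: "0640"`, `owner: root`, `group: matrix-synapse` (the account the Debian package runs the service as; confirm on the target). The unconditional `state: restarted` also drops every federation and client connection on each run; a `notify` from the copy tasks to a handler limits that to actual configuration changes.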
@@ -1,28 +1,35 @@ # Copyright (c) 2023 Jakub Czajka # License: GPL-3.0 or later. -- name: Checkout configuration - command: | - git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main --force \ - nginx/* - become: yes -- name: Install nginx - package: - name: - - nginx - state: latest - become: yes -- name: Ensure postfix directory structure exists - file: - path: "/etc/nginx" - state: directory - become: yes -- name: Copy to /etc/nginx - copy: - src: "/tmp/nginx/{{ item }}" - dest: "/etc/nginx" - remote_src: true - become: true - with_items: - - mime.types - - nginx.conf +- hosts: servers + tasks: + - name: Checkout configuration + command: | + git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \ + --force nginx/* + become: yes + - name: Install nginx + package: + name: + - nginx + state: latest + become: yes + - name: Ensure postfix directory structure exists + file: + path: "/etc/nginx" + state: directory + become: yes + - name: Copy to /etc/nginx + copy: + src: "/tmp/nginx/{{ item }}" + dest: "/etc/nginx" + remote_src: true + become: true + with_items: + - mime.types + - nginx.conf + - name: Restart nginx + service: + name: nginx + state: restarted + become: yes diff --git a/server/opendkim.yaml b/server/opendkim.yaml index 843f534..2410218 100644 --- a/server/opendkim.yaml +++ b/server/opendkim.yaml 
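Review bot: `Restart nginx` issues `state: restarted` unconditionally after `nginx.conf` and `mime.types` are copied, with no syntax check in between, so a bad config in the repository takes every site on the host offline instead of being rejected. Add a `- name: Validate nginx configuration` / `command: nginx -t` / `become: true` task between the copies and the restart, and prefer `state: reloaded` (ideally from a handler) so in-flight connections survive runs where nothing changed. The task name `Ensure postfix directory structure exists` is a copy-paste leftover; it creates `/etc/nginx` and should say so.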
@@ -1,41 +1,48 @@ # Copyright (c) 2023 Jakub Czajka # License: GPL-3.0 or later. -- name: Checkout configuration - command: | - git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main --force \ - opendkim/* - become: yes -- name: Install opendkim - package: - name: - - opendkim - - libopendbx1-pgsql - state: latest - become: yes -- name: Copy to /etc - copy: - src: "/tmp/opendkim/opendkim.conf" - dest: "/etc" - remote_src: true - become: true -- name: Copy to /etc/default - copy: - src: "/tmp/opendkim/opendkim" - dest: "/etc/default" - remote_src: true - become: true -- name: Ensure correct permissions for opendkim files - file: - path: "/etc/opendkim/keys/{{ item.domain }}/{{ item.name }}" - mode: "0500" - become: true - with_items: - - domain: "dobity.eu.org" - name: "dobity.private" - - domain: "dobity.eu.org" - name: "dobity.txt" - - domain: "ekhem.eu.org" - name: "ekhem.txt" - - domain: "ekhem.eu.org" - name: "ekhem.txt" +- hosts: servers + tasks: + - name: Checkout configuration + command: | + git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \ + --force opendkim/* + become: yes + - name: Install opendkim + package: + name: + - opendkim + - libopendbx1-pgsql + state: latest + become: yes + - name: Copy to /etc + copy: + src: "/tmp/opendkim/opendkim.conf" + dest: "/etc" + remote_src: true + become: true + - name: Copy to /etc/default + copy: + src: "/tmp/opendkim/opendkim" + dest: "/etc/default" + remote_src: true + become: true + - name: Ensure correct permissions for opendkim files + file: + path: "/etc/opendkim/keys/{{ item.domain }}/{{ item.name }}" + mode: "0500" + become: true + with_items: + - domain: "dobity.eu.org" + name: "dobity.private" + - domain: "dobity.eu.org" + name: "dobity.txt" + - domain: "ekhem.eu.org" + name: "ekhem.txt" + - domain: "ekhem.eu.org" + name: "ekhem.txt" + - name: Restart opendkim + service: + name: opendkim + state: restarted + become: yes 
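Review bot: The `Ensure correct permissions for opendkim files` list names `ekhem.txt` twice and never `ekhem.private`, so the ekhem.eu.org signing key is the one file whose mode is not tightened; the last entry should read `name: "ekhem.private"`. The mode is also off for what these files are: `0500` marks a private key executable, the `.txt` files are the public DNS records and need no restriction, and with no `owner` set the key stays readable by whichever account currently owns it rather than the opendkim service user, so `mode: "0400"` with `owner: opendkim` and `group: opendkim` on the two `.private` entries is the usual layout (confirm the service account from `/etc/default/opendkim`). Nothing in this play creates `/etc/opendkim/keys/...`, so on a fresh host the `file` task presumably fails until the keys are generated by hand; a comment stating that precondition would help.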
diff --git a/server/postfix.yaml b/server/postfix.yaml index 1af4bf3..f7fd8cf 100644 --- a/server/postfix.yaml +++ b/server/postfix.yaml @@ -1,31 +1,38 @@ # Copyright (c) 2023 Jakub Czajka # License: GPL-3.0 or later. -- name: Checkout configuration - command: | - git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main --force \ - postfix/* - become: yes -- name: Install postfix - package: - name: - - postfix - - postfix-pgsql - state: latest - become: yes -- name: Ensure postfix directory structure exists - file: - path: "/etc/postfix" - state: directory - become: yes -- name: Copy to /etc/postfix - copy: - src: "/tmp/postfix/{{ item }}" - dest: "/etc/postfix" - remote_src: true - become: true - with_items: - - address_book.cf - - domains.cf - - main.cf - - master.cf +- hosts: servers + tasks: + - name: Checkout configuration + command: | + git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \ + --force postfix/* + become: yes + - name: Install postfix + package: + name: + - postfix + - postfix-pgsql + state: latest + become: yes + - name: Ensure postfix directory structure exists + file: + path: "/etc/postfix" + state: directory + become: yes + - name: Copy to /etc/postfix + copy: + src: "/tmp/postfix/{{ item }}" + dest: "/etc/postfix" + remote_src: true + become: true + with_items: + - address_book.cf + - domains.cf + - main.cf + - master.cf + - name: Restart postfix + service: + name: postfix + state: restarted + become: yes diff --git a/server/postgres.yaml b/server/postgres.yaml index aab0fe3..50555d4 100644 --- a/server/postgres.yaml +++ b/server/postgres.yaml 
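Review bot: `address_book.cf` and `domains.cf` are pgsql lookup tables for `postfix-pgsql` and normally embed the database user and password, yet they are copied with no `mode`, so a fresh copy from the `/tmp` checkout is world-readable under root's default umask. Give those two copies `mode: "0640"`, `owner: root`, `group: postfix`, and reference them from `main.cf` as `proxy:pgsql:/etc/postfix/...` so only the proxymap process has to read them (verify against the current `main.cf`, which is not visible here). The unconditional `state: restarted` also skips validation; a `command: postfix check` task before the restart catches a broken `main.cf`/`master.cf` before the MTA goes down.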
@@ -1,48 +1,55 @@ # Copyright (c) 2023 Jakub Czajka # License: GPL-3.0 or later. -- name: Checkout configuration - command: | - git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main --force \ - postgres/* - become: yes -- name: Install postgres - package: - name: - - postgresql - state: latest - become: yes -- name: Ensure postgres directory structure exists - file: - path: "/etc/postgresql/15/main/" - state: directory - become: yes -- name: Copy to /etc/postgresq/15/main - copy: - src: "/tmp/postgres/{{ item }}" - dest: "/etc/postgresql/15/main" - remote_src: true - become: true - with_items: - - pg_hba.conf - - postgresql.conf -- name: Ensure a directory for private files exists - file: - path: "/etc/postgresql/15/main/private" - state: directory - mode: "0700" - owner: postgres - group: postgres - become: true -- name: Copy certificates - copy: - src: "/etc/letsencrypt/live/postgres/{{ item }}" - dest: "/etc/postgresql/15/main/private" - mode: "0600" - owner: postgres - group: postgres - remote_src: true - become: true - with_items: - - fullchain.pem - - privkey.pem +- hosts: servers + tasks: + - name: Checkout configuration + command: | + git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \ + --force postgres/* + become: yes + - name: Install postgres + package: + name: + - postgresql + state: latest + become: yes + - name: Ensure postgres directory structure exists + file: + path: "/etc/postgresql/15/main/" + state: directory + become: yes + - name: Copy to /etc/postgresq/15/main + copy: + src: "/tmp/postgres/{{ item }}" + dest: "/etc/postgresql/15/main" + remote_src: true + become: true + with_items: + - pg_hba.conf + - postgresql.conf + - name: Ensure a directory for private files exists + file: + path: "/etc/postgresql/15/main/private" + state: directory + mode: "0700" + owner: postgres + group: postgres + become: true + - name: Copy certificates + copy: + src: "/etc/letsencrypt/live/postgres/{{ item }}" + dest: 
"/etc/postgresql/15/main/private" + mode: "0600" + owner: postgres + group: postgres + remote_src: true + become: true + with_items: + - fullchain.pem + - privkey.pem + - name: Restart postgres + service: + name: postgresql + state: restarted + become: yes diff --git a/server/sshd.yaml b/server/sshd.yaml index 140eb53..c263f22 100644 --- a/server/sshd.yaml +++ b/server/sshd.yaml @@ -1,14 +1,21 @@ # Copyright (c) 2023 Jakub Czajka # License: GPL-3.0 or later. -- name: Checkout configuration - command: | - git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main --force \ - sshd/* - become: yes -- name: Copy to /etc/ssh - copy: - src: "/tmp/sshd/sshd_config" - dest: "/etc/ssh" - remote_src: true - become: true +- hosts: servers + tasks: + - name: Checkout configuration + command: | + git --work-tree=/tmp --git-dir=/srv/git/server.git checkout main \ + --force sshd/* + become: yes + - name: Copy to /etc/ssh + copy: + src: "/tmp/sshd/sshd_config" + dest: "/etc/ssh" + remote_src: true + become: true + - name: Restart sshd + service: + name: ssh + state: restarted + become: yes diff --git a/server/websites.yaml b/server/websites.yaml index 5cdec9c..35f293f 100644 --- a/server/websites.yaml +++ b/server/websites.yaml 
@@ -1,50 +1,57 @@ # Copyright (c) 2023 Jakub Czajka # License: GPL-3.0 or later. -- name: Checkout configuration files - command: | - git --work-tree=/tmp --git-dir=/srv/git/server_prod.git checkout main \ - --force - become: yes -- name: Ensure sites-available directory exists - file: - path: "/etc/nginx/sites-available" - state: directory - become: yes -- name: Ensure sites-enabled directory exists - file: - path: "/etc/nginx/sites-enabled" - state: directory - become: yes -- name: Copy to /etc/nginx/sites-available - copy: - src: "/tmp/nginx/{{ item }}" - dest: "/etc/nginx/sites-available" - remote_src: true - become: true - with_items: - - cv.ekhem.eu.org - - dobity.eu.org - - drive.dobity.eu.org - - ekhem.eu.org - - git.dobity.eu.org - - git.ekhem.eu.org - - matrix.dobity.eu.org - - pass.dobity.eu.org - - yt.dobity.eu.org -- name: Symlink to /etc/nginx/sites-enabled - file: - src: "/etc/nginx/sites-available/{{ item }}" - dest: "/etc/nginx/sites-enabled/{{ item }}" - state: link - become: true - with_items: - - cv.ekhem.eu.org - - dobity.eu.org - - drive.dobity.eu.org - - ekhem.eu.org - - git.dobity.eu.org - - git.ekhem.eu.org - - matrix.dobity.eu.org - - pass.dobity.eu.org - - yt.dobity.eu.org +- hosts: servers + tasks: + - name: Checkout configuration files + command: | + git --work-tree=/tmp --git-dir=/srv/git/server_prod.git checkout main \ + --force + become: yes + - name: Ensure sites-available directory exists + file: + path: "/etc/nginx/sites-available" + state: directory + become: yes + - name: Ensure sites-enabled directory exists + file: + path: "/etc/nginx/sites-enabled" + state: directory + become: yes + - name: Copy to /etc/nginx/sites-available + copy: + src: "/tmp/nginx/{{ item }}" + dest: "/etc/nginx/sites-available" + remote_src: true + become: true + with_items: + - cv.ekhem.eu.org + - dobity.eu.org + - drive.dobity.eu.org + - ekhem.eu.org + - git.dobity.eu.org + - git.ekhem.eu.org + - matrix.dobity.eu.org + - pass.dobity.eu.org + - 
yt.dobity.eu.org + - name: Symlink to /etc/nginx/sites-enabled + file: + src: "/etc/nginx/sites-available/{{ item }}" + dest: "/etc/nginx/sites-enabled/{{ item }}" + state: link + become: true + with_items: + - cv.ekhem.eu.org + - dobity.eu.org + - drive.dobity.eu.org + - ekhem.eu.org + - git.dobity.eu.org + - git.ekhem.eu.org + - matrix.dobity.eu.org + - pass.dobity.eu.org + - yt.dobity.eu.org + - name: Restart nginx + service: + name: nginx + state: restarted + become: yes
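Review bot: This play checks out the whole `server_prod.git` tree into `/tmp` (no pathspec follows `--force`) and then reads `/tmp/nginx/<site>`, the same `/tmp/nginx` directory the nginx play populates from `server.git`; two repositories now share one staging directory, each `--force` checkout can overwrite or leave behind files from the other, and which `nginx/` content reaches `/etc/nginx` depends on play order. Give each repository its own root-owned work tree (e.g. `--work-tree=/root/.turnup/prod`) and restrict the pathspec to `nginx/*` as the other plays do. `Restart nginx` is also the second unconditional restart of the same service in one run; a `command: nginx -t` task followed by `state: reloaded` (or a handler shared with the nginx play) would validate the nine vhost files before they take effect.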