From face0e0f7cef22314b54c3f24822ff93476eb7cf Mon Sep 17 00:00:00 2001
From: Jakub Czajka
Date: Fri, 1 Dec 2023 01:07:55 +0100
Subject: [PATCH] [server] Configure automatic deployment.
---
 server.git/dovecot.yaml | 86 +++++++++++++++++++++++++++++++++++
 server.git/fail2ban.yaml | 32 +++++++++++++
 server.git/git.yaml | 61 +++++++++++++++++++++++++
 server.git/hooks/post-receive | 26 +++++++++++
 server.git/matrix.yaml | 61 +++++++++++++++++++++++++
 server.git/nginx.yaml | 31 +++++++++++++
 server.git/opendkim.yaml | 51 +++++++++++++++++++++
 server.git/postfix.yaml | 32 +++++++++++++
 server.git/postgres.yaml | 56 +++++++++++++++++++++++
 server.git/sshd.yaml | 22 +++++++++
 10 files changed, 458 insertions(+)
 create mode 100644 server.git/dovecot.yaml
 create mode 100644 server.git/fail2ban.yaml
 create mode 100644 server.git/git.yaml
 create mode 100755 server.git/hooks/post-receive
 create mode 100644 server.git/matrix.yaml
 create mode 100644 server.git/nginx.yaml
 create mode 100644 server.git/opendkim.yaml
 create mode 100644 server.git/postfix.yaml
 create mode 100644 server.git/postgres.yaml
 create mode 100644 server.git/sshd.yaml
diff --git a/server.git/dovecot.yaml b/server.git/dovecot.yaml
new file mode 100644
index 0000000..41bd9a9
--- /dev/null
+++ b/server.git/dovecot.yaml
@@ -0,0 +1,86 @@
+# Copyright (c) 2023 Jakub Czajka
+# License: GPL-3.0 or later.
+
+- hosts: servers
+ vars:
+ repo: "{{ ansible_local.env.vars.git_home_dir }}/server.git"
+ tasks:
+ - name: Install dovecot's packages
+ package:
+ name:
+ - dovecot-imapd
+ - dovecot-lmtpd
+ - dovecot-pgsql
+ state: latest
+ become: true
+ - name: Checkout dovecot's configuration files to /tmp
+ command: git --work-tree=/tmp --git-dir={{ repo }} checkout main --force \
+ dovecot/*
+ become: true
+ - name: Copy files from /tmp/dovecot to /etc/dovecot
+ shell: envsubst < /tmp/dovecot/{{ item }} > /etc/dovecot/{{ item }}
+ environment: "{{ ansible_local.env.vars }}"
+ become: true
+ with_items:
+ - dovecot-dict-auth.conf.ext
+ - dovecot-dict-sql.conf.ext
+ - dovecot-sql.conf.ext
+ - dovecot.conf
+ - name: Copy files from /tmp/dovecot/conf.d to /etc/dovecot/conf.d
+ shell: envsubst < /tmp/dovecot/{{ item }} > /etc/dovecot/conf.d/{{ item }}
+ environment: "{{ ansible_local.env.vars }}"
+ become: true
+ with_items:
+ - auth-checkpassword.conf.ext
+ - auth-deny.conf.ext
+ - auth-dict.conf.ext
+ - auth-master.conf.ext
+ - auth-passwdfile.conf.ext
+ - auth-sql.conf.ext
+ - auth-static.conf.ext
+ - auth-system.conf.ext
+ - 10-auth.conf
+ - 10-director.conf
+ - 10-logging.conf
+ - 10-mail.conf
+ - 10-master.conf
+ - 10-ssl.conf
+ - 10-tcpwrapper.conf
+ - 15-lda.conf
+ - 15-mailboxes.conf
+ - 20-imap.conf
+ - 20-lmtp.conf
+ - 90-acl.conf
+ - 90-plugin.conf
+ - 90-quota.conf
+ - name: Set permissions for /var/vmail
+ file:
+ path: /var/vmail
+ state: directory
+ mode: 0775
+ owner: vmail
+ group: vmail
+ recurse: true
+ become: true
+ - name: Configure user vmail
+ user:
+ name: vmail
+ home: /var/vmail
+ shell: /usr/sbin/nologin
+ password_lock: true
+ become: true
+ - name: Create dovecot's log files
+ file:
+ path: /var/log/{{ item }}
+ state: touch
+ owner: vmail
+ group: vmail
+ become: true
+ with_items:
+ - dovecot-info.log
+ - dovecot.log
+ - name: Restart dovecot
+ service:
+ name: 
dovecot
+ state: restarted
+ become: true
diff --git a/server.git/fail2ban.yaml b/server.git/fail2ban.yaml
new file mode 100644
index 0000000..9a4d3b8
--- /dev/null
+++ b/server.git/fail2ban.yaml
@@ -0,0 +1,32 @@
+# Copyright (c) 2023 Jakub Czajka
+# License: GPL-3.0 or later.
+
+- hosts: servers
+ vars:
+ repo: "{{ ansible_local.env.vars.git_home_dir }}/server.git"
+ tasks:
+ - name: Install fail2ban
+ package:
+ name:
+ - fail2ban
+ state: latest
+ become: true
+ - name: Checkout fail2ban's configuration files to /tmp
+ command: git --work-tree=/tmp --git-dir={{ repo }} checkout main --force \
+ fail2ban/*
+ become: true
+ - name: Copy files from /tmp to /etc/fail2ban
+ copy:
+ src: /tmp/fail2ban/{{ item }}
+ dest: /etc/fail2ban
+ remote_src: true
+ become: true
+ with_items:
+ - fail2ban.local
+ - jail.local
+ - paths-common.conf
+ - name: Restart fail2ban
+ service:
+ name: fail2ban
+ state: restarted
+ become: true
diff --git a/server.git/git.yaml b/server.git/git.yaml
new file mode 100644
index 0000000..4249d0d
--- /dev/null
+++ b/server.git/git.yaml
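Review bot: The two `Copy files from /tmp/dovecot ...` tasks create their destinations through a root shell redirection, so `/etc/dovecot/dovecot-sql.conf.ext` ends up with whatever root's umask yields (typically 0644); if that file carries the PostgreSQL credentials that `dovecot-pgsql` implies, they become readable by every local account, including the `git` user that accepts pushes. Prefix the command with `umask 077; ` or follow the loop with a `file:` task setting `mode: "0640"`, `owner: root`, `group: dovecot` on the files that hold secrets. The same tasks also read their input from `/tmp/dovecot`, a path any local user can pre-create or symlink before the root-run `git checkout --work-tree=/tmp` populates it; staging into a directory made by `ansible.builtin.tempfile` (or a root-owned `0700` directory) removes that race. `mode: 0775` on `/var/vmail` is parsed as an octal integer by PyYAML and accepted by Ansible, but the documented convention is to quote it as `"0775"` so other YAML loaders do not read it as decimal 775.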
@@ -0,0 +1,61 @@
+# Copyright (c) 2023 Jakub Czajka
+# License: GPL-3.0 or later.
+
+- hosts: servers
+ vars:
+ repo: "{{ ansible_local.env.vars.git_home_dir }}/server.git"
+ tasks:
+ - name: Install fcgiwrap, gitweb and nginx
+ package:
+ name:
+ - fcgiwrap
+ - gitweb
+ - nginx
+ state: latest
+ become: true
+ - name: Checkout git's configuration files to /tmp
+ command: git --work-tree=/tmp --git-dir={{ repo }} checkout main --force
+ become: true
+ - name: Create destination directory
+ file:
+ path: /etc/git
+ state: directory
+ become: true
+ - name: Copy files from /tmp to /etc/git
+ shell: envsubst < /tmp/git/{{ item }} > /etc/git/{{ item }}
+ environment: "{{ ansible_local.env.vars }}"
+ become: true
+ with_items:
+ - private.conf
+ - public.conf
+ - name: Use git-shell for user git
+ user:
+ name: git
+ shell: /usr/bin/git-shell
+ become: true
+
+ - name: Copy sites from /tmp to /etc/nginx/sites-available
+ copy:
+ src: /tmp/git/{{ item }}
+ dest: /etc/nginx/sites-available
+ remote_src: true
+ become: true
+ with_items:
+ - git_private.conf
+ - git_public.conf
+ - name: Enable sites in nginx
+ shell: envsubst < /etc/nginx/sites-available/{{ item }} \
+ > /etc/nginx/sites-enabled/{{ item }}
+ environment: "{{ ansible_local.env.vars }}"
+ become: true
+ with_items:
+ - git_private.conf
+ - git_public.conf
+ - name: Restart fcgiwrap and nginx
+ service:
+ name: "{{ item }}"
+ state: restarted
+ become: true
+ with_items:
+ - fcgiwrap
+ - nginx
diff --git a/server.git/hooks/post-receive b/server.git/hooks/post-receive
new file mode 100755
index 0000000..1ec1efe
--- /dev/null
+++ b/server.git/hooks/post-receive
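Review bot: In `Enable sites in nginx` the `shell:` value is a plain YAML scalar, so the trailing `\` is not a line continuation: YAML folds the two lines into `envsubst < ... \ > /etc/nginx/sites-enabled/...`, and the shell turns `\ ` into a lone single-space argument. envsubst treats that first argument as its SHELL-FORMAT list, and a list naming no variables means nothing is substituted, so the enabled site is written with its `$VAR` placeholders intact while the task still reports success. The `command:` checkout tasks in the other playbooks (`--force \ dovecot/*` and so on) go through the same folding and, as far as I can tell from Ansible's shlex-style splitting, hand git a pathspec that starts with a space. Write these as folded block scalars instead, e.g. `shell: >-` with the command on the indented lines and no backslashes, or use the `argv:` form for `command:`. Separately, `git checkout main --force` here has no pathspec, so every tracked file, `sshd/sshd_config` and the other services' configs included, lands in world-readable `/tmp` with root's default umask.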
@@ -0,0 +1,26 @@
+#!/bin/sh
+# Copyright (c) 2023 Jakub Czajka
+# License: GPL-3.0 or later.
+
+DEPLOYABLE="dovecot fail2ban git matrix nginx opendkim postfix postgres sshd"
+
+while read old_revision new_revision branch
+do
+ if [ "${branch}" != "refs/heads/main" ]
+ then
+ echo "${branch} is not the main branch so not deploying."
+ exit 0
+ fi
+ dirs_diff=$(git diff --name-only HEAD HEAD~1 \
+ | cut --delimiter=/ --fields=1 \
+ | cut --delimiter=. --fields=1 \
+ | sort \
+ | uniq)
+ for dir in "${dirs_diff}"
+ do
+ if $(echo "${DEPLOYABLE}" | grep --word-regexp --quiet "${dir}")
+ then
+ sudo ansible-playbook --connection=local "${dir}".yaml
+ fi
+ done
+done
diff --git a/server.git/matrix.yaml b/server.git/matrix.yaml
new file mode 100644
index 0000000..19ed211
--- /dev/null
+++ b/server.git/matrix.yaml
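Review bot: `for dir in "${dirs_diff}"` quotes the whole multi-line result, so the loop runs exactly once with every directory name joined by newlines: the `grep --word-regexp` check passes as soon as any one of them is deployable, and `ansible-playbook` is then invoked with a newline-containing filename that does not exist, so a push touching two services deploys nothing. The diff is also taken from `HEAD HEAD~1` rather than the pushed `old_revision`/`new_revision`, which silently skips every commit but the last in a multi-commit push, and `exit 0` on the first non-main ref abandons a `main` update arriving later in the same push. Because `dir` comes straight from pushed file paths and is used as a regex, the allow-list check should be an exact fixed-string match rather than `grep -w` (a path component such as `.*` would otherwise match), and `if $(...)` relies on the substitution expanding to an empty command, which works only by accident. Suggested rewrite below; note that `old_revision` is all zeros when the branch is first created, which `git diff` rejects, so that case still needs its own handling.
```shell
while read -r old_revision new_revision branch
do
  if [ "${branch}" != "refs/heads/main" ]
  then
    echo "${branch} is not the main branch so not deploying."
    continue
  fi
  git diff --name-only "${old_revision}" "${new_revision}" \
    | cut --delimiter=/ --fields=1 \
    | cut --delimiter=. --fields=1 \
    | sort \
    | uniq \
    | while read -r dir
  do
    # Exact, fixed-string match against the allow-list; never treat a pushed name as a pattern.
    if printf '%s\n' ${DEPLOYABLE} | grep --fixed-strings --line-regexp --quiet -- "${dir}"
    then
      # stdin is the ref list from git; do not let ansible consume it.
      sudo ansible-playbook --connection=local "${dir}".yaml </dev/null
    fi
  done
done
```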
@@ -0,0 +1,61 @@
+# Copyright (c) 2023 Jakub Czajka
+# License: GPL-3.0 or later.
+
+- hosts: servers
+ vars:
+ repo: "{{ ansible_local.env.vars.git_home_dir }}/server.git"
+ tasks:
+ - name: Install matrix-synapse and nginx
+ package:
+ name:
+ - matrix-synapse
+ - nginx
+ state: latest
+ become: true
+ - name: Checkout matrix's configuration files to /tmp
+ command: git --work-tree=/tmp --git-dir={{ repo }} checkout main --force \
+ matrix/*
+ become: true
+ - name: Copy files from /tmp to /etc/matrix-synapse
+ copy:
+ src: /tmp/matrix/{{ item }}
+ dest: /etc/matrix-synapse
+ remote_src: true
+ become: true
+ with_items:
+ - homeserver.yaml
+ - log.yaml
+ - name: Copy files from /tmp to /etc/matrix-synapse/conf.d
+ shell: envsubst < /tmp/matrix/{{ item }} \
+ > /etc/matrix-synapse/conf.d/{{ item }}
+ environment: "{{ ansible_local.env.vars }}"
+ become: true
+ with_items:
+ - report_stats.yaml
+ - server_name.yaml
+
+ - name: Copy sites from /tmp to /etc/nginx/sites-available
+ copy:
+ src: /tmp/matrix/{{ item }}
+ dest: /etc/nginx/sites-available
+ remote_src: true
+ become: true
+ with_items:
+ - matrix.conf
+ - private.conf
+ - name: Enable sites in nginx
+ shell: envsubst < /etc/nginx/sites-available/{{ item }} \
+ > /etc/nginx/sites-enabled/{{ item }}
+ environment: "{{ ansible_local.env.vars }}"
+ become: true
+ with_items:
+ - matrix.conf
+ - private.conf
+ - name: Restart matrix-synapse and nginx
+ service:
+ name: "{{ item }}"
+ state: restarted
+ become: yes
+ with_items:
+ - matrix-synapse
+ - nginx
diff --git a/server.git/nginx.yaml b/server.git/nginx.yaml
new file mode 100644
index 0000000..beca390
--- /dev/null
+++ b/server.git/nginx.yaml
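Review bot: `Copy files from /tmp to /etc/matrix-synapse` installs `homeserver.yaml` with no `owner` or `mode`, so with `remote_src: true` it gets root's umask default; if that file holds Synapse's `registration_shared_secret`, `macaroon_secret_key` or database password (it usually does, and it is copied verbatim rather than through `envsubst`, which suggests the values live in the repository), they become readable by every local user. Give that copy `owner: root`, `mode: "0640"` and the group of the account Synapse runs as (`matrix-synapse` on Debian), or move the secret values into a `conf.d` file that goes through `envsubst` like `server_name.yaml` does. The `shell: envsubst < /tmp/matrix/{{ item }} \` line is a plain scalar, so the `\` survives YAML folding and reaches the shell as `\ `, a single-space argument that envsubst reads as an empty SHELL-FORMAT list, meaning nothing gets substituted; use `shell: >-` with no backslash. `become: yes` in the restart task should be `become: true` to match the rest of the file and yamllint's truthy rule.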
@@ -0,0 +1,31 @@
+# Copyright (c) 2023 Jakub Czajka
+# License: GPL-3.0 or later.
+
+- hosts: servers
+ vars:
+ repo: "{{ ansible_local.env.vars.git_home_dir }}/server.git"
+ tasks:
+ - name: Install nginx
+ package:
+ name:
+ - nginx
+ state: latest
+ become: true
+ - name: Checkout nginx's configuration files to /tmp
+ command: git --work-tree=/tmp --git-dir={{ repo }} checkout main --force \
+ nginx/*
+ become: true
+ - name: Copy files from /tmp/nginx to /etc/nginx
+ copy:
+ src: /tmp/nginx/{{ item }}
+ dest: /etc/nginx
+ remote_src: true
+ become: true
+ with_items:
+ - mime.types
+ - nginx.conf
+ - name: Restart nginx
+ service:
+ name: nginx
+ state: restarted
+ become: true
diff --git a/server.git/opendkim.yaml b/server.git/opendkim.yaml
new file mode 100644
index 0000000..15e11b3
--- /dev/null
+++ b/server.git/opendkim.yaml
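Review bot: `Restart nginx` runs unconditionally after the copy, so a push with a syntax error in `nginx.conf` takes down every vhost this host serves (the git and matrix sites enabled by the sibling playbooks included) until someone can log in and fix it by hand. Split the `nginx.conf` copy into its own task and give it `validate: nginx -t -c %s` so a broken file never reaches `/etc/nginx` (`nginx -t -c` does not apply to `mime.types`, so the loop form cannot carry it), and prefer `state: reloaded` for a configuration change so open connections are not dropped. `state: latest` on the package task also means any config push may pull an unplanned nginx upgrade along with it; `state: present` keeps upgrades a deliberate step.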
@@ -0,0 +1,51 @@
+# Copyright (c) 2023 Jakub Czajka
+# License: GPL-3.0 or later.
+
+- hosts: servers
+ vars:
+ repo: "{{ ansible_local.env.vars.git_home_dir }}/server.git"
+ domain1: "{{ ansible_local.env.vars.private_domain }}"
+ domain2: "{{ ansible_local.env.vars.public_domain }}"
+ tasks:
+ - name: Install opendkim's packages
+ package:
+ name:
+ - opendkim
+ - libopendbx1-pgsql
+ state: latest
+ become: true
+ - name: Checkout opendkim's configuration files to /tmp
+ command: git --work-tree=/tmp --git-dir={{ repo }} checkout main --force \
+ opendkim/*
+ become: true
+ - name: Copy opendkim.conf to /etc
+ copy:
+ src: /tmp/opendkim/opendkim.conf
+ dest: /etc
+ remote_src: true
+ become: true
+ - name: Copy opendkim to /etc/default
+ copy:
+ src: /tmp/opendkim/opendkim
+ dest: /etc/default
+ remote_src: true
+ become: true
+ - name: Disable group and others permissions for opendkim's files
+ file:
+ path: /etc/opendkim/keys/{{ item.domain }}/{{ item.name }}
+ mode: 0500
+ become: true
+ with_items:
+ - domain: "{{ domain1 }}"
+ name: "{{ domain1 | regex_replace('\\..*$', '') }}.private"
+ - domain: "{{ domain1 }}"
+ name: "{{ domain1 | regex_replace('\\..*$', '') }}.txt"
+ - domain: "{{ domain2 }}"
+ name: "{{ domain2 | regex_replace('\\..*$', '') }}.private"
+ - domain: "{{ domain2 }}"
+ name: "{{ domain2 | regex_replace('\\..*$', '') }}.txt"
+ - name: Restart opendkim
+ service:
+ name: opendkim
+ state: restarted
+ become: true
diff --git a/server.git/postfix.yaml b/server.git/postfix.yaml
new file mode 100644
index 0000000..9107a0a
--- /dev/null
+++ b/server.git/postfix.yaml
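Review bot: The `Disable group and others permissions` task sets `mode: 0500` but never sets `owner`/`group`, so the outcome depends on who created the key files: if they are root-owned, the `opendkim` service account can no longer open the `.private` key after this tightening, and if they belong to `opendkim` the mode still grants an execute bit a key never needs. Make ownership explicit and use a read-only mode, e.g. `owner: opendkim`, `group: opendkim`, `mode: "0400"` (quoted, so a YAML 1.2 loader does not read the octal as decimal 500). The `.txt` files are the public DNS records and need no hardening, so the list can be trimmed to the two `.private` entries. `opendkim.conf` is copied with the default mode as well; if its OpenDBX `KeyTable`/`SigningTable` connection strings embed the PostgreSQL password that `libopendbx1-pgsql` implies, give that copy `mode: "0640"` and `group: opendkim` too.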
@@ -0,0 +1,32 @@
+# Copyright (c) 2023 Jakub Czajka
+# License: GPL-3.0 or later.
+
+- hosts: servers
+ vars:
+ repo: "{{ ansible_local.env.vars.git_home_dir }}/server.git"
+ tasks:
+ - name: Install postfix's packages
+ package:
+ name:
+ - postfix
+ - postfix-pgsql
+ state: latest
+ become: true
+ - name: Checkout postfix's configuration files to /tmp
+ command: git --work-tree=/tmp --git-dir={{ repo }} checkout main --force \
+ postfix/*
+ become: true
+ - name: Copy files from /tmp to /etc/postfix
+ shell: envsubst < /tmp/postfix/{{ item }} > /etc/postfix/{{ item }}
+ environment: "{{ ansible_local.env.vars }}"
+ become: true
+ with_items:
+ - address_book.cf
+ - domains.cf
+ - main.cf
+ - master.cf
+ - name: Restart postfix
+ service:
+ name: postfix
+ state: restarted
+ become: true
diff --git a/server.git/postgres.yaml b/server.git/postgres.yaml
new file mode 100644
index 0000000..4f1ae11
--- /dev/null
+++ b/server.git/postgres.yaml
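Review bot: `Copy files from /tmp to /etc/postfix` creates `address_book.cf` and `domains.cf` by root shell redirection, so they get root's umask default (typically 0644). Postfix pgsql lookup tables of that kind normally carry a `password = ...` line, and once `envsubst` has injected the real value from `ansible_local.env.vars` it sits world-readable under `/etc/postfix` for any local account, including the `git` push user. Postfix's lookup clients run as the `postfix` user, so a follow-up `file:` task with `mode: "0640"`, `owner: root`, `group: postfix` on those two files should be enough; alternatively prefix the command with `umask 027; `. `main.cf` and `master.cf` hold no secrets and can stay world-readable, so keep them out of that tightening.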
@@ -0,0 +1,56 @@
+# Copyright (c) 2023 Jakub Czajka
+# License: GPL-3.0 or later.
+
+- hosts: servers
+ vars:
+ repo: "{{ ansible_local.env.vars.git_home_dir }}/server.git"
+ tasks:
+ - name: Install postgres
+ package:
+ name:
+ - postgresql
+ state: latest
+ become: true
+ - name: Checkout postgres' configuration files to /tmp
+ command: git --work-tree=/tmp --git-dir={{ repo }} checkout main \
+ --force postgres/*
+ become: true
+ - name: Create directory /etc/postgresql/15/main/private
+ file:
+ path: /etc/postgresql/15/main/private
+ state: directory
+ become: true
+ - name: Copy files from /tmp/postgres to /etc/postgresq/15/main
+ copy:
+ src: /tmp/postgres/{{ item }}
+ dest: /etc/postgresql/15/main
+ remote_src: true
+ become: true
+ with_items:
+ - pg_hba.conf
+ - postgresql.conf
+ - name: Limit permissions for /etc/postgresql/15/main/private
+ file:
+ path: /etc/postgresql/15/main/private
+ state: directory
+ mode: 0700
+ owner: postgres
+ group: postgres
+ become: true
+ - name: Copy postgres' certificates /etc/postgresql/15/main/private
+ copy:
+ src: "{{ ansible_local.env.vars.postgres_ssl_cert_dir }}/{{ item }}"
+ dest: /etc/postgresql/15/main/private
+ mode: 0600
+ owner: postgres
+ group: postgres
+ remote_src: true
+ become: true
+ with_items:
+ - fullchain.pem
+ - privkey.pem
+ - name: Restart postgres
+ service:
+ name: postgresql
+ state: restarted
+ become: yes
diff --git a/server.git/sshd.yaml b/server.git/sshd.yaml
new file mode 100644
index 0000000..7f8c6cf
--- /dev/null
+++ b/server.git/sshd.yaml
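Review bot: The certificate copy only runs when a push touches `postgres/`, so after the certificate under `postgres_ssl_cert_dir` is renewed (the `fullchain.pem`/`privkey.pem` names suggest certbot-style renewal) the copy in `/etc/postgresql/15/main/private` keeps serving the old chain until someone happens to redeploy this playbook; a renewal deploy hook or timer that runs just that task and a reload would close the gap. `state: restarted` is heavier than needed for `pg_hba.conf` and certificate changes, which PostgreSQL picks up on `reloaded`; only some `postgresql.conf` parameters need a restart, and a restart drops every client session, Synapse's and Dovecot's included. The version `15` is hard-coded in six paths while the package task installs whatever `postgresql` currently resolves to, so a major upgrade would leave this play writing into a directory the running server no longer reads. Smaller points: `become: yes` should be `become: true`, the modes should be quoted (`mode: "0700"`, `"0600"`), and the task name `/etc/postgresq/15/main` has a typo.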
@@ -0,0 +1,22 @@
+# Copyright (c) 2023 Jakub Czajka
+# License: GPL-3.0 or later.
+
+- hosts: servers
+ vars:
+ repo: "{{ ansible_local.env.vars.git_home_dir }}/server.git"
+ tasks:
+ - name: Checkout sshd's configuration files to /tmp
+ command: git --work-tree=/tmp --git-dir={{ repo }} checkout main --force \
+ sshd/*
+ become: yes
+ - name: Copy /tmp/sshd/sshd_config to /etc/ssh
+ copy:
+ src: /tmp/sshd/sshd_config
+ dest: /etc/ssh
+ remote_src: true
+ become: true
+ - name: Restart sshd
+ service:
+ name: ssh
+ state: restarted
+ become: yes
-- 
2.39.5
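Review bot: `Copy /tmp/sshd/sshd_config to /etc/ssh` installs the pushed file and `Restart sshd` follows unconditionally, so a syntax error or a mistaken `AllowUsers`/`PasswordAuthentication` line pushed to `main` locks every administrator out of the host, with console access as the only way back. Add `validate: /usr/sbin/sshd -t -f %s` to the copy so a broken file never replaces the live one, and use `state: reloaded`, which keeps existing sessions open while new settings take effect. The play deserves a comment stating that push access to `main` is equivalent to root on this host (the post-receive hook runs these plays via `sudo`), so the `git` account's authorized keys need the same care as root's. `become: yes` appears twice here while the rest of the series uses `become: true`; pick one form.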