diff --git a/README.md b/README.md index 373c6a4..af86f26 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,7 @@ # ansible -CCC HB Ansible \ No newline at end of file +CCC HB Ansible + +## Deployment + + ansible-playbook -i hosts/ [-l HOSTS] [-t TAGS] sites.yml diff --git a/bhyve.yml b/bhyve.yml index c741552..05fc900 100644 --- a/bhyve.yml +++ b/bhyve.yml @@ -1,19 +1,9 @@ --- -- hosts: - - localhost - - become: yes - - tasks: - - name: Install passlib - package: - name: py39-netaddr - state: present - - hosts: - emma become: yes + tags: bhyve roles: - bhyve diff --git a/debian.yml b/debian.yml index 5e48cde..a80ff5f 100644 --- a/debian.yml +++ b/debian.yml @@ -3,4 +3,3 @@ become: yes roles: - debian - - { role: user_mgmt, tags: [user_mgmt]} diff --git a/group_vars/all.yml b/group_vars/all.yml index 52e5f65..1036635 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -19,6 +19,7 @@ user_mgmt_default: present: - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEay33koXmcBcrDuCQKkCBlw/gKiPtwLswATPqIR7udl fritz@fluorine.grimpen.net" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEyVVwh0cUPxZ/wwRsB8YRsQE/cxjEX6gomS7EPArXuX fritz@NaOH" + - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPSZUs/SgJRKK+NgmifBt8xehIbrpdQtpT9MeRkdwdHU fritz@m1air" absent: [] deelkar: ssh_key: @@ -30,3 +31,8 @@ user_mgmt_default: present: - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDSHkU00aO4U98ikMiiiWiEeRj/597UzFcFctwY8iwLy humm@fluorine" absent: [] + blazr: + ssh_key: + present: + - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDbxgesllBFfJUfwYX58rZln0ZpOq/Jyp361OmKohiQFHUyWK6wlPqDmfhqJuLPkAZQOjmK25gvLQXJ19+y1arjtGgbgf2nrjkCJ1l/2SHIa088DVYvZDLly+cSDMOUwgM1bzlKrHYK5asFihM+XJDV2oKUBIWaVNLHK99hpmiDXQ== jollyjinx@planetexpress.local" + absent: [] diff --git a/group_vars/debian b/group_vars/debian index bc7ba4f..b4f76d2 100644 --- a/group_vars/debian +++ b/group_vars/debian 
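Review bot: The removed localhost play was, as far as this diff shows, the only place that installed `py39-netaddr`, which the `ipmath` filter used in group_vars/debian needs on the controller; if nothing else provides it, runs that evaluate those vars fail with a missing-library error. Its task was also misnamed (`Install passlib`), so recreating it elsewhere is a chance to fix that. The surviving play gains `tags: bhyve`; consider `become: true` rather than the YAML 1.1 `yes` to satisfy yamllint's truthy rule.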
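Review bot: The `blazr` key added at the end of the hunk is a 1024-bit `ssh-rsa` key (the `AAAAgQ` prefix of the modulus field encodes a 129-byte modulus), well below current guidance and the only non-ed25519 key in the file. Recent OpenSSH releases also disable SHA-1 `ssh-rsa` signatures by default, so the key may be refused by the target sshd unless the client negotiates rsa-sha2. Ask for a replacement ed25519 key before this is deployed, and once rotated move the RSA entry under `absent:` so the role (presumably) strips it from authorized_keys.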
@@ -1,5 +1,5 @@ --- -ansible_python_interpreter: /usr/bin/python3.7 +ansible_python_interpreter: /usr/bin/python3 dns: 213.133.98.98 8.8.8.8 ipv6_subnet: '2a01:4f8:150:926f::' @@ -8,6 +8,6 @@ ipv4_subnet: 10.0.0.0 ipv6: '{{ ipv6_subnet | ipmath(2 * (vm_index +2)+1) }}/127' ipv6route: '{{ ipv6_subnet | ipmath(2 * (vm_index +2)) }}' -ansible_ssh_host: '{{ ipv4_subnet | ipmath(2 * vm_index +1) }}' +#ansible_ssh_host: '{{ ipv4_subnet | ipmath(2 * vm_index +1) }}' ipv4: '{{ ipv4_subnet | ipmath(2 * vm_index +1) }}/31' ipv4route: '{{ ipv4_subnet | ipmath(2 * vm_index) }}' diff --git a/host_vars/emma.ccchb.de b/host_vars/emma.ccchb.de index 8271cab..c1a94c2 100644 --- a/host_vars/emma.ccchb.de +++ b/host_vars/emma.ccchb.de @@ -40,6 +40,10 @@ haproxy_http: addr: '2a01:4f8:150:926f::13' - host: 'element.ccchb.de' addr: '2a01:4f8:150:926f::13' + - host: 'frab.ccchb.de' + addr: '2a01:4f8:150:926f::17' + - host: 'auth.ccchb.de' + addr: '2a01:4f8:150:926f::11' haproxy_sni: - host: 'ccchb.de' @@ -68,6 +72,10 @@ haproxy_sni: addr: '2a01:4f8:150:926f::13' - host: 'element.ccchb.de' addr: '2a01:4f8:150:926f::13' + - host: 'frab.ccchb.de' + addr: '2a01:4f8:150:926f::17' + - host: 'auth.ccchb.de' + addr: '2a01:4f8:150:926f::11' bhyve_ipv4: 10.0.0.0 bhyve_ipv6: 2a01:4f8:150:926f::4 @@ -214,3 +222,19 @@ bhyve_guests: volsize: 128g volblocksize: 64k primarycache: metadata + + - name: frab + index: 9 + enabled: true + ram: 1G + cpus: 1 + image: ubuntu-22.04.1-live-server-amd64.iso + password: foobar + order: + - DISKS + disks: + - name: disk + properties: + volsize: 128g + volblocksize: 64k + primarycache: metadata diff --git a/host_vars/frab.emma.ccchb.de.yml b/host_vars/frab.emma.ccchb.de.yml new file mode 100644 index 0000000..3d170bb --- /dev/null +++ b/host_vars/frab.emma.ccchb.de.yml 
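Review bot: The new `frab` guest entry carries `password: foobar` in plain text in a committed host_vars file; a weak, VCS-visible credential for a freshly installed VM should come from an `ansible-vault`-encrypted variable, e.g. `password: "{{ vault_frab_install_password }}"` (placeholder name). If the value is only consumed once by the installer, a comment on the key saying so, plus rotation after first boot, would make that explicit. The `frab.ccchb.de` → `::17` entries in haproxy_http/haproxy_sni agree with `index: 9` under the `ipmath(2 * (vm_index +2)+1)` formula in group_vars/debian, provided those group vars actually apply to the frab host.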
@@ -0,0 +1,15 @@ +vm_index: 9 + +user_mgmt: + crest: + state: present + groups: sudo + fritz: + state: present + groups: sudo + humm: + state: present + groups: sudo + blazr: + state: present + groups: sudo diff --git a/host_vars/gitea.emma.ccchb.de.yml b/host_vars/gitea.emma.ccchb.de.yml index 84d41d7..a72c703 100644 --- a/host_vars/gitea.emma.ccchb.de.yml +++ b/host_vars/gitea.emma.ccchb.de.yml @@ -1,6 +1,6 @@ vm_index: 2 -gitea_version: "1.17.1" +gitea_version: "1.21.2" gitea_app_name: "dev.ccchb.de" # technical: @@ -29,6 +29,9 @@ gitea_require_signin: false gitea_register_email_confirm: true gitea_enable_captcha: true +gitea_disable_registration: false +gitea_only_allow_external_registration: true + # privacy: gitea_offline_mode: true gitea_disable_gravatar: true @@ -45,3 +48,6 @@ user_mgmt: humm: state: present groups: sudo + fritz: + state: present + groups: sudo diff --git a/hosts/10_frab b/hosts/10_frab new file mode 100644 index 0000000..b0b1f7b --- /dev/null +++ b/hosts/10_frab @@ -0,0 +1,2 @@ +[frab] +frab.emma.ccchb.de \ No newline at end of file diff --git a/jabber.yml b/jabber.yml new file mode 100644 index 0000000..7ecba0d --- /dev/null +++ b/jabber.yml @@ -0,0 +1,8 @@ +--- +- hosts: + - jabber + become: yes + tags: [jabber] + roles: + - certbot + - prosody diff --git a/roles/prosody/defaults/main.yml b/roles/prosody/defaults/main.yml index ebd029b..46c0762 100644 --- a/roles/prosody/defaults/main.yml +++ b/roles/prosody/defaults/main.yml 
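Review bot: `vm_index: 9` duplicates the `index: 9` value of the frab entry in emma's `bhyve_guests`, so the two have to be kept in step by hand; a comment such as `# must match the frab entry's index in host_vars/emma.ccchb.de bhyve_guests` on this line would at least make the coupling visible. The file also lacks the `---` document start that the playbooks in this repo use.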
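Review bot: The new inventory file places the host only in `[frab]`, so `group_vars/debian` (`ansible_python_interpreter`, the derived `ipv4`/`ipv6` values) will not apply to it unless `debian` lists `frab` as a child group somewhere outside this diff; given the guest is installed from an Ubuntu image, confirm which group vars it is meant to inherit. The file also ends without a trailing newline (`\ No newline at end of file`).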
@@ -1,44 +1,12 @@ --- prosody_domain: "jabber.ccchb.de" -prosody_ssl_cert: "/etc/letsencrypt/live/{{ prosody_domain }}/fullchain.pem" -prosody_ssl_key: "/etc/letsencrypt/live/{{ prosody_domain }}/privkey.pem" +prosody_ssl_cert: "/etc/prosody/certs/fullchain.pem" +prosody_ssl_key: "/etc/prosody/certs/privkey.pem" prosody_allow_registration: false -prosody_modules: - - roster - - saslauth - - tls - - dialback - - disco - - private - - bookmarks - - vcard - - proxy65 - - legacyauth - - version - - uptime - - time - - ping - - pep - - register - - adhoc - - admin_adhoc - - posix - - bosh - - websocket - - groups - - announce - - watchregistrations - - blocking - - smacks - - carbons - - cloud_notify - - csi - - mam - - filter_chatstates - - throttle_presence - - http_upload - - turncredentials - - vcard_legacy + +prosody_http_url: "https://jabber.ccchb.de/" +prosody_turn_server: "einstein.cskreie.de" +prosody_turn_secret: "gabbagabbahey" prosody_nginx_install: true prosody_nginx_conf: | diff --git a/roles/prosody/tasks/main.yml b/roles/prosody/tasks/main.yml index fffe4b6..19464ed 100644 --- a/roles/prosody/tasks/main.yml +++ b/roles/prosody/tasks/main.yml @@ -16,6 +16,6 @@ - name: Configure prosody template: src: prosody.cfg.lua.j2 - dest: /etc/prosody/prosody_test.cfg.lua + dest: /etc/prosody/prosody.cfg.lua ... diff --git a/roles/prosody/templates/nginx.j2 b/roles/prosody/templates/nginx.j2 index bf6f639..6609a1d 100644 --- a/roles/prosody/templates/nginx.j2 +++ b/roles/prosody/templates/nginx.j2 @@ -15,4 +15,8 @@ server { proxy_set_header Host {{ prosody_domain }}; proxy_pass http://127.0.0.1:5280/upload; } + + location /file_share { + proxy_pass http://127.0.0.1:5280/file_share; + } } diff --git a/roles/prosody/templates/prosody.cfg.lua.j2 b/roles/prosody/templates/prosody.cfg.lua.j2 index 6ac7996..5e552da 100644 --- a/roles/prosody/templates/prosody.cfg.lua.j2 +++ b/roles/prosody/templates/prosody.cfg.lua.j2 
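Review bot: `prosody_turn_secret: "gabbagabbahey"` is a shared TURN credential committed in plain text as a role default; anyone with read access to the repository can derive valid TURN credentials for the named server. Keep the secret in an `ansible-vault`-encrypted variable and leave the default empty so a missing override fails loudly, e.g. `prosody_turn_secret: "{{ vault_prosody_turn_secret }}"` (placeholder). The certificate paths now point at `/etc/prosody/certs/`, but nothing in this diff copies the certbot output there, so confirm the certbot role or a deploy hook outside this diff populates those files before prosody starts.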
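Review bot: The template task now writes the live `/etc/prosody/prosody.cfg.lua` but has no `notify`, so a changed config is neither reloaded nor restarted; the task ends at the `...` document marker, so this is the whole task. Add `notify: <restart handler>` (name it after the role's handler) and consider `validate: "prosodyctl --config %s check config"` so a broken render is rejected before the running config is replaced.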
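Review bot: The new `/file_share` location does not set the `Host` header that the `/upload` location above it sets with `proxy_set_header Host {{ prosody_domain }};`, so Prosody sees the upstream address as the host unless a default is set elsewhere in the server block; add the same line inside the new block. Since the Prosody config now declares `trusted_proxies`, an `X-Forwarded-For` header is presumably expected as well, and a `client_max_body_size` matching the upload limit belongs here if it is not inherited.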
@@ -1,126 +1,73 @@ --- Prosody XMPP Server Configuration -- {{ ansible_managed }} ----------- Server-wide settings ---------- --- Settings in this section apply to the whole server and are the default settings --- for any virtual hosts - --- This is a (by default, empty) list of accounts that are admins --- for the server. Note that you must create the accounts separately --- (see http://prosody.im/doc/creating_accounts for info) --- Example: admins = { "user1@example.com", "user2@example.net" } admins = { "deelkar@jabber.ccchb.de", "freak@jabber.ccchb.de", "jali@jabber.ccchb.de" } --- Enable use of libevent for better performance under high load --- For more information see: http://prosody.im/doc/libevent -use_libevent = false; - -plugin_paths = { "/opt/prosody-modules" } - --- This is the list of modules Prosody will load on startup. --- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too. --- Documentation on modules can be found at: http://prosody.im/doc/modules +use_libevent = true; modules_enabled = { - {% for module in prosody_modules %} - "{{ module }}"; - {% endfor %} + -- Generally required + "roster"; + "saslauth"; + "tls"; + "dialback"; + "disco"; + "posix"; + "private"; + + -- Nice to have + "version"; + "uptime"; + "time"; + "ping"; + "pep"; + "register"; + + -- Admin interfaces + "admin_adhoc"; + "admin_shell"; + + -- HTTP modules + "bosh"; + "http_files"; + "http_file_share"; + + -- Other specific functionality + "groups"; + "watchregistrations"; + "turn_external"; + "carbons"; + "blocklist"; + "mam"; + "csi_simple"; + "vcard_legacy"; + "proxy65"; }; --- These modules are auto-loaded, should you --- (for some mad reason) want to disable --- them then uncomment them below -modules_disabled = { - -- "presence"; -- Route user/contact status information - -- "message"; -- Route messages - -- "iq"; -- Route info queries - -- "offline"; -- Store offline messages -}; +allow_registration = {% if prosody_allow_registration 
then "True" else "False" %}; --- Disable account creation by default, for security --- For more information see http://prosody.im/doc/creating_accounts -allow_registration = {{ prosody_allow_registration }}; +c2s_require_encryption = true +s2s_secure_auth = false --- These are the SSL/TLS-related settings. If you don't want --- to use SSL/TLS, you may comment or remove this --- *** DUMMY CERT *** DO NOT CHANGE *** SET CERT IN HOST SECTION *** -ssl = { - protocol = "sslv23"; - key = "{{ prosody_ssl_key }}"; - certificate = "{{ prosody_ssl_cert }}"; - dhparam = "/etc/prosody/certs/dh-2048.pem"; - options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" }; - ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM"; -} -legacy_ssl_ports = { 5223 } -http_external_url = "https://{{ prosody_domain }}/" - --- Only allow encrypted streams? Encryption is already used when --- available. These options will cause Prosody to deny connections that --- are not encrypted. Note that some servers do not support s2s --- encryption or have it disabled, including gmail.com and Google Apps --- domains. - ---c2s_require_encryption = false ---s2s_require_encryption = false - --- Select the authentication backend to use. The 'internal' providers --- use Prosody's configured data storage to store the authentication data. --- To allow Prosody to offer secure authentication mechanisms to clients, the --- default provider stores passwords in plaintext. If you do not trust your --- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed --- for information about using the hashed backend. +-- PID file, necessary for prosodyctl +pidfile = "/var/run/prosody/prosody.pid" authentication = "internal_hashed" --- Select the storage backend to use. 
By default Prosody uses flat files --- in its configured data directory, but it also supports more backends --- through modules. An "sql" backend is included by default, but requires --- additional dependencies. See http://prosody.im/doc/storage for more info. - ---storage = "sql" -- Default is "internal" - --- For the "sql" backend, you can uncomment *one* of the below to configure: ---sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename. ---sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" } ---sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" } - - --- STUN/TURN ---turncredentials_host = "jabber.emma.ccchb.de" -turncredentials_host = "einstein.cskreie.de" -turncredentials_secret = "gabbagabbahey" - - --- HTTP-UPLOAD -http_upload_file_size_limit = 10485760 -- 10M -http_max_content_size = 20971520 -- 20M -http_upload_quota = 104857600 -- 100M -http_upload_expire_after = 2592000 -- 30d - --- Logging configuration --- For advanced logging see http://prosody.im/doc/logging --- Hint: If you create a new log file or rename them, don't forget --- to update the logrotate config at /etc/logrotate.d/prosody log = { - -- Log all error messages to prosody.err error = "/var/log/prosody/prosody.err"; - -- Log everything of level "info" and higher (that is, all except "debug" messages) - -- to prosody.log - -- info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for more verbose logging - -- debug = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for more verbose logging - --"*syslog"; -- Uncomment this for logging to syslog } --- Pidfile, used by prosodyctl and the init.d script -pidfile = "/var/run/prosody/prosody.pid"; +-- TODO: Fix escaping +http_external_url = "{{ prosody_http_url }}" +trusted_proxies = { "127.0.0.1", "::1", "192.168.1.1", } + +-- TURN Server +turn_external_host = 
"{{ prosody_turn_server }}" +turn_external_secret = "{{ prosody_turn_secret }}" ------------ Virtual hosts ----------- --- You need to add a VirtualHost entry for each domain you wish Prosody to serve. --- Settings under each VirtualHost entry apply *only* to that host. VirtualHost "localhost" -VirtualHost "{{ prosody_domain }}" +VirtualHost "jabber.ccchb.de" enabled = true -- Remove this line to enable this host -- Assign this host a certificate for TLS, otherwise it would use the one 
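Review bot: The `allow_registration` line is not valid Jinja — `{% if … then … else … %}` is not a supported form and there is no `{% endif %}` — so the template fails to render, and even if it did, Lua has no `True`/`False` identifiers (both evaluate to nil). Replace it with `allow_registration = {{ 'true' if prosody_allow_registration else 'false' }};`. `VirtualHost "jabber.ccchb.de"` here, and the two `Component "….jabber.ccchb.de"` lines in the next hunk, hardcode the domain that `prosody_domain` exists for; use `{{ prosody_domain }}` as the nginx template does. `s2s_secure_auth = false` with no `s2s_require_encryption` set leaves federation peers neither required to encrypt nor to present a valid certificate beyond whatever the build default is; if that is intentional, a comment saying why would help, otherwise set both to `true`.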
@@ -128,33 +75,18 @@ VirtualHost "{{ prosody_domain }}" -- Note that old-style SSL on port 5223 only supports one certificate, and will always -- use the global one. ssl = { - protocol = "sslv23"; + protocol = "tlsv1_2+"; key = "{{ prosody_ssl_key }}"; certificate = "{{ prosody_ssl_cert }}"; - dhparam = "/etc/prosody/certs/dh-2048.pem"; - options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" }; - ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM"; + dhparam = "/etc/prosody/certs/dh-2048.pem"; + -- TODO: Evaluate allowed ciphers + ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM"; } ------- Components ------ --- You can specify components to add hosts that provide special services, --- like multi-user conferences, and transports. --- For more information on components, see http://prosody.im/doc/components - ----Set up a MUC (multi-user chat) room server on conference.example.com: -Component "muc.{{ prosody_domain }}" "muc" -modules_enabled = { - "vcard_muc", "muc_mam", -} --- Set up a SOCKS5 bytestream proxy for server-proxied file transfers: ---Component "proxy.example.com" "proxy65" - ----Set up an external component (default component port is 5347) --- --- External components allow adding various services, such as gateways/ --- transports to other networks like ICQ, MSN and Yahoo. For more info --- see: http://prosody.im/doc/components#adding_an_external_component --- ---Component "gateway.example.com" --- component_secret = "password" +Component "muc.jabber.ccchb.de" "muc" + modules_enabled = { + "vcard_muc", + "muc_mam" + } +Component "upload.jabber.ccchb.de" "http_file_share" diff --git a/site.yml b/site.yml index 845bad0..7d5f227 100644 --- a/site.yml +++ b/site.yml 
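Review bot: The `upload.jabber.ccchb.de` `http_file_share` component is declared without any of the limits the removed `http_upload_*` settings provided (10M per file, 100M quota, 30-day expiry), so the module's built-in defaults now apply; if the previous limits are still wanted, set `http_file_share_size_limit`, `http_file_share_daily_quota` and `http_file_share_expires_after` under the component. The `-- TODO: Evaluate allowed ciphers` left above the `ciphers` line keeps a hand-maintained OpenSSL string; removing the `ciphers` entry lets Prosody's maintained default apply, which is usually the safer choice unless a specific policy is required. `protocol = "tlsv1_2+"` is a good change.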
@@ -7,3 +7,4 @@ - import_playbook: mail.yml - import_playbook: restic.yml - import_playbook: wiki.yml +- import_playbook: users.yml diff --git a/users.yml b/users.yml new file mode 100644 index 0000000..ea6b615 --- /dev/null +++ b/users.yml @@ -0,0 +1,6 @@ +--- +- hosts: debian frab + become: yes + tags: [user_mgmt] + roles: + - user_mgmt
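Review bot: `hosts: debian frab` relies on whitespace-separated host patterns, which Ansible accepts only through a backwards-compatibility fallback; write it as `hosts: debian:frab` or as a YAML list. `become: yes` is a YAML 1.1 boolean that yamllint's truthy rule flags — `become: true` is unambiguous. Separately, the README text added in this commit documents `sites.yml`, while the playbook that now imports `users.yml` is `site.yml`.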