diff --git a/backup.yaml b/backup.yaml
new file mode 100644
index 0000000..0147b79
--- /dev/null
+++ b/backup.yaml
@@ -0,0 +1,8 @@
+---
+- name: "Deploy backup server"
+ hosts: git
+ roles:
+ - netplan
+ - common
+ - internalsmtp
+ - backupscript
diff --git a/dbhosts.yaml b/dbhosts.yaml
new file mode 100644
index 0000000..923486d
--- /dev/null
+++ b/dbhosts.yaml
@@ -0,0 +1,9 @@
+---
+- name: "Deploy database server base"
+ hosts: postgres, mariadb
+ roles:
+ - netplan
+ - common
+ - customfirewall
+ - backupscript
+ - customfirewall
diff --git a/group_vars/mckay.yaml b/group_vars/mckay.yaml
index cc502c4..71861a0 100644
--- a/group_vars/mckay.yaml
+++ b/group_vars/mckay.yaml
@@ -1,2 +1,3 @@
---
-default_gateway: "192.168.69.254"
+netplan:
+ default_gateway: "192.168.69.254"
diff --git a/group_vars/woolsey.yaml b/group_vars/woolsey.yaml
index 6918b1a..a0ce937 100644
--- a/group_vars/woolsey.yaml
+++ b/group_vars/woolsey.yaml
@@ -1,2 +1,3 @@
---
-default_gateway: "192.168.69.1"
+netplan:
+ default_gateway: "192.168.69.1"
diff --git a/host_vars/backup.yaml b/host_vars/backup.yaml
new file mode 100644
index 0000000..4ffa73d
--- /dev/null
+++ b/host_vars/backup.yaml
@@ -0,0 +1,5 @@
+---
+servicename: mckay
+backup:
+ host: oniel.tormakristof.eu
+ internal: false
diff --git a/host_vars/git.yaml b/host_vars/git.yaml
index bffbbc0..ed7e991 100644
--- a/host_vars/git.yaml
+++ b/host_vars/git.yaml
@@ -1,7 +1,6 @@
---
servicename: git
backup:
- prearecommand: ""
folder: "/home/service-user"
tarfolder: "gitea docker-compose.yml"
firewall:
diff --git a/host_vars/mariadb.yaml b/host_vars/mariadb.yaml
new file mode 100644
index 0000000..9f97dd4
--- /dev/null
+++ b/host_vars/mariadb.yaml
@@ -0,0 +1,5 @@
+---
+firewall:
+ - port: "3306"
+ proto: tcp
+ interface: "eth0"
diff --git a/host_vars/neko.yaml b/host_vars/neko.yaml
index 974320a..2fe1a9d 100644
--- a/host_vars/neko.yaml
+++ b/host_vars/neko.yaml
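Review bot: The play is named "Deploy backup server" but targets `hosts: git`, while the inventory hunk and host_vars/backup.yaml in this same commit define a `backup` host; this reads like a copy of the git play and would apply the backup-server roles to the git host instead. If the backup host is intended, the line should be `hosts: backup`. Unlike dbhosts.yaml, the roles list has no `customfirewall` entry, so the host would keep whatever `common` configures for the firewall — worth confirming that is deliberate.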
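Review bot: `customfirewall` appears twice in the roles list of dbhosts.yaml; Ansible runs a role only once per play unless it declares allow_duplicates, so the second entry is inert but reads as a paste error — drop the trailing `- customfirewall`. Separately, this commit deletes roles/mariadb/tasks/main.yaml and roles/postgresql/tasks/main.yaml (package install, service enable, pg_hba rules, ufw) and this play adds no replacement role, so after the commit nothing in the repository installs or configures the database software these hosts are named for; if provisioning moved elsewhere, a comment above the play saying so would save the next reader the search.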
@@ -15,3 +15,10 @@ firewall:
- port: "59000:59049"
proto: udp
interface: "eth1"
+netplan:
+ default_gateway: ""
+ additionalinterfaces:
+ - name: "eth1"
+ dhcp4: true
+ dhcp6: true
+ denydns: true
diff --git a/host_vars/nexus.yaml b/host_vars/nexus.yaml
index e206b79..bbf7f2a 100644
--- a/host_vars/nexus.yaml
+++ b/host_vars/nexus.yaml
@@ -1,14 +1,6 @@
---
webserver:
- defaultservername: nexus.kmlabz.com
- customrule: |
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name registry.kmlabz.com;
- ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
- ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
- location /{
- proxy_pass http://127.0.0.1:8080;
- }
- }
+ - domain: "nexus.kmlabz.com"
+ port: 8080
+ - domain: "registry.kmlabz.com"
+ port: 4269
diff --git a/host_vars/openvpn.yaml b/host_vars/openvpn.yaml
new file mode 100644
index 0000000..d19dea1
--- /dev/null
+++ b/host_vars/openvpn.yaml
@@ -0,0 +1,22 @@
+---
+firewall:
+ - port: "1194"
+ proto: udp
+ interface: "eth0"
+ - port: "1194"
+ proto: udp
+ interface: "eth1"
+netplan:
+ default_gateway: ""
+ additionalinterfaces:
+ - name: "eth1"
+ dhcp4: false
+ dhcp6: false
+ addresses:
+ - "2001:738:2001:207f:0:211:211:23/64"
+ gateway6: "fe80::"
+ denydns: true
+ - name: "eth2"
+ dhcp4: true
+ dhcp6: false
+ denydns: true
diff --git a/host_vars/postgres.yaml b/host_vars/postgres.yaml
new file mode 100644
index 0000000..ebb31ee
--- /dev/null
+++ b/host_vars/postgres.yaml
@@ -0,0 +1,5 @@
+---
+firewall:
+ - port: "5432"
+ proto: tcp
+ interface: "eth0"
diff --git a/host_vars/testhost.yaml b/host_vars/testhost.yaml
deleted file mode 100644
index e106f56..0000000
--- a/host_vars/testhost.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-backupscript_name: "test-backupscript.sh"
diff --git a/inventory.yaml b/inventory.yaml
index 32cd0da..baedee2 100644
--- a/inventory.yaml
+++ b/inventory.yaml
@@ -38,7 +38,7 @@ all:
ansible_host: bitwarden.stargate.internal
nextcloud:
ansible_host: nextcloud.stargate.internal
- mysql:
- ansible_host: mysql.stargate.internal
+ mariadb:
+ ansible_host: mariadb.stargate.internal
backup:
ansible_host: backup.stargate.internal
diff --git a/roles/backupscript/defaults/main.yaml b/roles/backupscript/defaults/main.yaml
new file mode 100644
index 0000000..eacc86f
--- /dev/null
+++ b/roles/backupscript/defaults/main.yaml
@@ -0,0 +1,6 @@
+---
+backup:
+ host: backup.stargate.internal
+ internal: true
+ prearecommand: ""
+ basedir: /mnt/backupstore
diff --git a/roles/backupscript/templates/backupscript.sh b/roles/backupscript/templates/backupscript.sh
index 636febe..bb6bbc6 100644
--- a/roles/backupscript/templates/backupscript.sh
+++ b/roles/backupscript/templates/backupscript.sh
@@ -3,6 +3,14 @@
{{backup.prearecommand}}
-time ( rsync -azP --delete {{backup.folder}} backup@backup.stargate.internal:/mnt/backupstore/{{servicename}}/staging )
+{% if backup.internal %}
-time ( ssh backup@backup.stargate.internal 'tar -zcvf /mnt/backupstore/{{servicename}}/{{servicename}}-$(date +"%Y-%m-%d").tar.gz -C /mnt/backupstore/{{servicename}}/staging {{backup.tarfolder}}' )
+time ( rsync -azP --delete {{backup.folder}} backup@{{backup.host}}:{{backup.basedir}}/{{servicename}}/staging )
+
+time ( ssh backup@{{backup.host}} 'tar -zcvf {{backup.basedir}}/{{servicename}}/{{servicename}}-$(date +"%Y-%m-%d").tar.gz -C {{backup.basedir}}/{{servicename}}/staging {{backup.tarfolder}}' )
+
+{% else %}
+
+time ( rsync -azPr --delete --prune-empty-dirs --include "*/" --include="*.tar.gz" --include="*.sql" --include="*.zip" --exclude="*" {{backup.basedir}}/ backup@{{backup.host}}:/mnt/backup/{{servicename}} )
+
+{% endif %}
diff --git a/roles/mariadb/tasks/main.yaml b/roles/mariadb/tasks/main.yaml
deleted file mode 100644
index c643cb3..0000000
--- a/roles/mariadb/tasks/main.yaml
+++ /dev/null
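Review bot: The role defaults put `host`, `internal`, `prearecommand` and `basedir` under a single `backup` dict, but host_vars/git.yaml (`backup.folder`, `backup.tarfolder`) and host_vars/backup.yaml (`backup.host`, `backup.internal`) each define their own `backup` dict; with Ansible's default `hash_behaviour = replace`, a host-level `backup` dict replaces the role default as a whole, so `backup.basedir` and `backup.prearecommand` would be undefined on those hosts and backupscript.sh would fail to render. Either every host file repeats all keys, or the defaults become flat variables (`backup_host`, `backup_basedir`, ...) or the template guards each lookup with a filter such as `backup.basedir | default('/mnt/backupstore')`. The same pattern affects roles/netplan/defaults/main.yaml, whose `netplan.additionalinterfaces: []` is replaced by the `netplan` dicts in group_vars/mckay.yaml and group_vars/woolsey.yaml. If the project's ansible.cfg sets `hash_behaviour = merge` this does not apply, but that file is not part of the commit.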
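Review bot: In the external branch the remote destination is hard-coded to `/mnt/backup/{{servicename}}` while the internal branch derives every path from `{{backup.basedir}}`; if the external host deliberately has a different layout, a comment saying so would help, otherwise a second variable for the remote base directory would keep the two branches symmetric. The Jinja values are expanded unquoted into the shell — `{{backup.folder}}`, `{{backup.basedir}}`, `{{backup.host}}` — so any value containing a space or glob character would be word-split; quoting them as `"{{backup.folder}}"` is safe for those three (but not for `tarfolder`, which relies on splitting into several tar arguments). Minor style: `-r` is already implied by `-a` in the new rsync flags, and `--include "*/"` uses a different flag form from the `--include="..."` entries beside it. The script's header and anything after the `endif` lie outside the hunk.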
@@ -1,19 +0,0 @@
----
-- name: "Install MariaDB via apt"
- apt:
- update_cache: yes
- state: present
- name:
- - mariadb-server
-
-- name: Enable and restart MariaDB daemon
- service:
- name: mariadb
- state: restarted
- enabled: yes
-
-- name: Allow mysql port via ufw
- community.general.ufw:
- rule: allow
- port: "3306"
- proto: tcp
diff --git a/roles/netplan/defaults/main.yaml b/roles/netplan/defaults/main.yaml
new file mode 100644
index 0000000..61c37c3
--- /dev/null
+++ b/roles/netplan/defaults/main.yaml
@@ -0,0 +1,3 @@
+---
+netplan:
+ additionalinterfaces: []
diff --git a/roles/netplan/templates/netplan.yaml b/roles/netplan/templates/netplan.yaml
index 0666285..18e1ef7 100644
--- a/roles/netplan/templates/netplan.yaml
+++ b/roles/netplan/templates/netplan.yaml
@@ -8,4 +8,31 @@ network:
dhcp-identifier: mac
dhcp4-overrides:
use-routes: false
- gateway4: {{default_gateway}}
+ {% if netplan.default_gateway is defined and netplan.default_gateway|length > 0 %}
+ gateway4: {{netplan.default_gateway}}
+ {% endif %}
+ {% for interface in additionalinterfaces %}
+ {{ interface.name }}:
+ dhcp4: {{ interface.dhcp4 }}
+ dhcp6: {{ interface.dhcp6 }}
+ dhcp-identifier: mac
+ dhcp4-overrides:
+ use-routes: false
+ {% if interface.addresses is defined and interface.addresses|length > 0 %}
+ addresses:
+ {% for address in interface.addresses %}
+ - {{address}}
+ {% endfor %}
+ {% endif %}
+ {% if interface.gateway4 is defined and interface.gateway4|length > 0 %}
+ gateway4: {{interface.gateway4}}
+ {% endif %}
+ {% if interface.gateway6 is defined and interface.gateway6|length > 0 %}
+ gateway4: {{interface.gateway6}}
+ {% endif %}
+ {% if interface.denydns %}
+ nameservers:
+ addresses: []
+ search: []
+ {% endif %}
+ {% endfor %}
diff --git a/roles/postgresql/tasks/main.yaml b/roles/postgresql/tasks/main.yaml
deleted file mode 100644
index 53aab92..0000000
--- a/roles/postgresql/tasks/main.yaml
+++ /dev/null
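Review bot: `{% for interface in additionalinterfaces %}` looks up a bare variable, but roles/netplan/defaults/main.yaml, host_vars/neko.yaml and host_vars/openvpn.yaml all define it as `netplan.additionalinterfaces`, so the render would stop on an undefined variable; the line should read `{% for interface in netplan.additionalinterfaces %}`. The IPv6 branch then emits `gateway4: {{interface.gateway6}}`, which would write openvpn's `fe80::` as the IPv4 gateway — that line should be `gateway6: {{interface.gateway6}}`. The mapping that holds these per-interface entries (presumably the `ethernets:` section, given the `dhcp4-overrides` context lines) begins before the hunk, so whether `{{ interface.name }}:` lands at the same indentation as the primary interface cannot be checked here.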
@@ -1,37 +0,0 @@
----
-- name: "Install PostgreSQL via apt"
- apt:
- update_cache: yes
- state: present
- name:
- - postgresql
-
-- name: Add access to every host on local network
- postgresql_pg_hba:
- dest: /var/lib/postgres/data/pg_hba.conf
- contype: host
- users: all
- databases: all
- address: samenet
- state: present
-
-- name: Add access to every host via tls on local network
- postgresql_pg_hba:
- dest: /var/lib/postgres/data/pg_hba.conf
- contype: hostssl
- users: all
- databases: all
- address: samenet
- state: present
-
-- name: Enable and restart PostgreSQL daemon
- service:
- name: postgresql
- state: restarted
- enabled: yes
-
-- name: Allow postgresql port via ufw
- community.general.ufw:
- rule: allow
- port: "5432"
- proto: tcp
diff --git a/roles/smtpgateway/tasks/main.yaml b/roles/smtpgateway/tasks/main.yaml
index b019131..de58076 100644
--- a/roles/smtpgateway/tasks/main.yaml
+++ b/roles/smtpgateway/tasks/main.yaml
@@ -23,4 +23,4 @@
- name: Allow smtp port via ufw
community.general.ufw:
rule: allow
- port: smtp
\ No newline at end of file
+ port: smtp
diff --git a/roles/webserver/defaults/main.yaml b/roles/webserver/defaults/main.yaml
index 47a1986..4775742 100644
--- a/roles/webserver/defaults/main.yaml
+++ b/roles/webserver/defaults/main.yaml
@@ -1,3 +1,3 @@
webserver:
- customrule: ""
- defaultservername: "_"
+ - domain: "_"
+ port: 8080
diff --git a/roles/webserver/templates/nginx.conf b/roles/webserver/templates/nginx.conf
index 93e6915..0da4717 100644
--- a/roles/webserver/templates/nginx.conf
+++ b/roles/webserver/templates/nginx.conf
@@ -54,8 +54,6 @@ http {
proxy_buffering off;
proxy_request_buffering off;
- {{webserver.customrule}}
-
server {
listen 80 default_server;
@@ -64,14 +62,17 @@ http {
return 301 https://$host$request_uri;
}
+ {% for server in webserver %}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
- server_name {{webserver.defaultservername}};
+ server_name {{ server.domain }};
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
location /{
- proxy_pass http://127.0.0.1:8080;
+ proxy_pass http://127.0.01{{ server.port }};
}
}
+
+ {% endfor %}
}
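Review bot: `proxy_pass http://127.0.01{{ server.port }};` is missing the last octet and the port separator: with the first nexus entry it renders as `http://127.0.018080`, which nginx cannot resolve as an upstream, and the same happens for the `_`/8080 default from roles/webserver/defaults/main.yaml. The line should be `proxy_pass http://127.0.0.1:{{ server.port }};`. A quick `nginx -t` on the rendered file would have caught it, so a handler or check step running that before reload is worth adding to the role. The `http {` block that contains the new loop starts before the hunk.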