prepare for full automation

backup.yaml

@@ -0,0 +1,8 @@
+---
+- name: "Deploy backup server"
+  hosts: git
+  roles:
+    - netplan
+    - common
+    - internalsmtp
+    - backupscript

dbhosts.yaml

@@ -0,0 +1,9 @@
+---
+- name: "Deploy database server base"
+  hosts: postgres, mariadb
+  roles:
+    - netplan
+    - common
+    - customfirewall
+    - backupscript
+    - customfirewall

group_vars/mckay.yaml

@@ -1,2 +1,3 @@
 ---
-default_gateway: "192.168.69.254"
+netplan:
+  default_gateway: "192.168.69.254"

group_vars/woolsey.yaml

@@ -1,2 +1,3 @@
 ---
-default_gateway: "192.168.69.1"
+netplan:
+  default_gateway: "192.168.69.1"

host_vars/backup.yaml

@@ -0,0 +1,5 @@
+---
+servicename: mckay
+backup:
+  host: oniel.tormakristof.eu
+  internal: false

host_vars/git.yaml

@@ -1,7 +1,6 @@
 ---
 servicename: git
 backup:
-  prearecommand: ""
   folder: "/home/service-user"
   tarfolder: "gitea docker-compose.yml"
 firewall:

host_vars/mariadb.yaml

@@ -0,0 +1,5 @@
+---
+firewall:
+  - port: "3306"
+    proto: tcp
+    interface: "eth0"

host_vars/neko.yaml

@@ -15,3 +15,10 @@ firewall:
   - port: "59000:59049"
     proto: udp
     interface: "eth1"
+netplan:
+  default_gateway: ""
+  additionalinterfaces:
+    - name: "eth1"
+      dhcp4: true
+      dhcp6: true
+      denydns: true

host_vars/nexus.yaml

@@ -1,14 +1,6 @@
 ---
 webserver:
-  defaultservername: nexus.kmlabz.com
+  - domain: "nexus.kmlabz.com"
-  customrule: |
+    port: 8080
-    server {
+  - domain: "registry.kmlabz.com"
-            listen 443 ssl http2;
+    port: 4269
-            listen [::]:443 ssl http2;
-            server_name registry.kmlabz.com;
-            ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
-            ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
-            location /{
-                proxy_pass  http://127.0.0.1:8080;
-            }
-    }

host_vars/openvpn.yaml

@@ -0,0 +1,22 @@
+---
+firewall:
+  - port: "1194"
+    proto: udp
+    interface: "eth0"
+  - port: "1194"
+    proto: udp
+    interface: "eth1"
+netplan:
+  default_gateway: ""
+  additionalinterfaces:
+    - name: "eth1"
+      dhcp4: false
+      dhcp6: false
+      addresses:
+      - "2001:738:2001:207f:0:211:211:23/64"
+      gateway6: "fe80::"
+      denydns: true
+    - name: "eth2"
+      dhcp4: true
+      dhcp6: false
+      denydns: true

host_vars/postgres.yaml

@@ -0,0 +1,5 @@
+---
+firewall:
+  - port: "5432"
+    proto: tcp
+    interface: "eth0"

host_vars/testhost.yaml

@@ -1,2 +0,0 @@
----
-backupscript_name: "test-backupscript.sh"

inventory.yaml

@@ -38,7 +38,7 @@ all:
           ansible_host: bitwarden.stargate.internal
         nextcloud:
           ansible_host: nextcloud.stargate.internal
-        mysql:
+        mariadb:
-          ansible_host: mysql.stargate.internal
+          ansible_host: mariadb.stargate.internal
         backup:
           ansible_host: backup.stargate.internal

roles/backupscript/defaults/main.yaml

@@ -0,0 +1,6 @@
+---
+backup:
+  host: backup.stargate.internal
+  internal: true
+  prearecommand: ""
+  basedir: /mnt/backupstore

roles/backupscript/templates/backupscript.sh

@@ -3,6 +3,14 @@
 
 {{backup.prearecommand}}
 
-time ( rsync -azP --delete {{backup.folder}} backup@backup.stargate.internal:/mnt/backupstore/{{servicename}}/staging )
+{% if backup.internal %}
 
-time ( ssh backup@backup.stargate.internal 'tar -zcvf /mnt/backupstore/{{servicename}}/{{servicename}}-$(date +"%Y-%m-%d").tar.gz -C /mnt/backupstore/{{servicename}}/staging {{backup.tarfolder}}' )
+time ( rsync -azP --delete {{backup.folder}} backup@{{backup.host}}:{{backup.basedir}}/{{servicename}}/staging )
+
+time ( ssh backup@{{backup.host}} 'tar -zcvf {{backup.basedir}}/{{servicename}}/{{servicename}}-$(date +"%Y-%m-%d").tar.gz -C {{backup.basedir}}/{{servicename}}/staging {{backup.tarfolder}}' )
+
+{% else %}
+
+time ( rsync -azPr --delete --prune-empty-dirs --include "*/" --include="*.tar.gz" --include="*.sql" --include="*.zip" --exclude="*" {{backup.basedir}}/ backup@{{backup.host}}:/mnt/backup/{{servicename}} )
+
+{% endif %}

roles/mariadb/tasks/main.yaml

@@ -1,19 +0,0 @@
----
-- name: "Install MariaDB via apt"
-  apt:
-    update_cache: yes
-    state: present
-    name:
-     - mariadb-server
-
-- name: Enable and restart MariaDB daemon
-  service:
-    name: mariadb
-    state: restarted
-    enabled: yes
-
-- name: Allow mysql port via ufw
-  community.general.ufw:
-    rule: allow
-    port: "3306"
-    proto: tcp

roles/netplan/defaults/main.yaml

@@ -0,0 +1,3 @@
+---
+netplan:
+  additionalinterfaces: []

roles/netplan/templates/netplan.yaml

@@ -8,4 +8,31 @@ network:
       dhcp-identifier: mac
       dhcp4-overrides:
         use-routes: false
-      gateway4: {{default_gateway}}
+      {% if netplan.default_gateway is defined and netplan.default_gateway|length > 0 %}
+      gateway4: {{netplan.default_gateway}}
+      {% endif %}
+    {% for interface in additionalinterfaces %}
+    {{ interface.name }}:
+      dhcp4: {{ interface.dhcp4 }}
+      dhcp6: {{ interface.dhcp6 }}
+      dhcp-identifier: mac
+      dhcp4-overrides:
+        use-routes: false
+      {% if interface.addresses is defined and interface.addresses|length > 0 %}
+      addresses:
+      {% for address in interface.addresses %}
+        - {{address}}
+      {% endfor %}
+      {% endif %}
+      {% if interface.gateway4 is defined and interface.gateway4|length > 0 %}
+      gateway4: {{interface.gateway4}}
+      {% endif %}
+      {% if interface.gateway6 is defined and interface.gateway6|length > 0  %}
+      gateway4: {{interface.gateway6}}
+      {% endif %}
+      {% if interface.denydns %}
+      nameservers:
+        addresses: []
+        search: []
+      {% endif %}
+    {% endfor %}

roles/postgresql/tasks/main.yaml

@@ -1,37 +0,0 @@
----
-- name: "Install PostgreSQL via apt"
-  apt:
-    update_cache: yes
-    state: present
-    name:
-     - postgresql
-
-- name: Add access to every host on local network
-  postgresql_pg_hba:
-    dest: /var/lib/postgres/data/pg_hba.conf
-    contype: host
-    users: all
-    databases: all
-    address: samenet
-    state: present
-
-- name: Add access to every host via tls on local network
-  postgresql_pg_hba:
-    dest: /var/lib/postgres/data/pg_hba.conf
-    contype: hostssl
-    users: all
-    databases: all
-    address: samenet
-    state: present
-
-- name: Enable and restart PostgreSQL daemon
-  service:
-    name: postgresql
-    state: restarted
-    enabled: yes
-
-- name: Allow postgresql port via ufw
-  community.general.ufw:
-    rule: allow
-    port: "5432"
-    proto: tcp

roles/smtpgateway/tasks/main.yaml

@@ -23,4 +23,4 @@
 - name: Allow smtp port via ufw
   community.general.ufw:
     rule: allow
-    port: smtp
+    port: smtp

roles/webserver/defaults/main.yaml

@@ -1,3 +1,3 @@
 webserver:
-  customrule: ""
+  - domain: "_"
-  defaultservername: "_"
+    port: 8080

roles/webserver/templates/nginx.conf

@@ -54,8 +54,6 @@ http {
         proxy_buffering    off;
         proxy_request_buffering off;
 
-        {{webserver.customrule}}
-
         server {
 
             listen 80 default_server;
@@ -64,14 +62,17 @@ http {
             return 301 https://$host$request_uri;
         }
 
+        {% for server in webserver %}
         server {
             listen 443 ssl http2;
             listen [::]:443 ssl http2;
-            server_name {{webserver.defaultservername}};
+            server_name {{ server.domain }};
             ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
             ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
             location /{
-                proxy_pass  http://127.0.0.1:8080;
+                proxy_pass  http://127.0.01{{ server.port }};
             }
         }
+
+        {% endfor %}
 }