authorbinary <me@rgoncalves.se>2020-11-15 17:26:32 +0100
committerbinary <me@rgoncalves.se>2020-11-15 17:26:32 +0100
commitaea6b114e050545ccc8b953c579d53c9158e238b (patch)
tree7cbeb2ad790638e433c21f1452dded1588949d2e /roles
parent5bcecbf08db7013ba4de12e492961e2cba6e6b8a (diff)
I'm so lazy, so ignore this comment this time, please.
Diffstat (limited to 'roles')
-rw-r--r--roles/common/tasks/init_alpine.yml38
-rw-r--r--roles/common/tasks/init_openbsd.yml10
-rw-r--r--roles/common/tasks/main.yml35
-rw-r--r--roles/common/vars/main.yml26
-rw-r--r--roles/minecraft/tasks/main.yml41
-rw-r--r--roles/minecraft/vars/main.yml9
-rw-r--r--roles/papermc/vars/main.yml11
-rw-r--r--roles/pf/tasks/main.yml8
-rw-r--r--roles/pf/templates/pf.conf.j212
-rw-r--r--roles/rc/tasks/main.yml7
-rw-r--r--roles/rc/tasks/rc_alpine.yml21
-rw-r--r--roles/rc/tasks/rc_openbsd.yml21
-rw-r--r--roles/rc/templates/rc_alpine.j27
-rw-r--r--roles/rc/templates/rc_openbsd.j211
-rw-r--r--roles/rc/vars/main.yml7
-rw-r--r--roles/wireguard/tasks/generate.yml5
-rw-r--r--roles/wireguard/tasks/main.yml52
-rw-r--r--roles/wireguard/templates/dcontroller.conf.j22
-rw-r--r--roles/wireguard/templates/host.conf.j22
-rw-r--r--roles/wireguard/templates/hostname.j2 (renamed from roles/wireguard/templates/hostname.tun0.j2)0
20 files changed, 276 insertions, 49 deletions
diff --git a/roles/common/tasks/init_alpine.yml b/roles/common/tasks/init_alpine.yml
new file mode 100644
index 0000000..68689bc
--- /dev/null
+++ b/roles/common/tasks/init_alpine.yml
@@ -0,0 +1,38 @@
+
+# common ~~ tasks/init_alpine.yml
+# specific tasks for Alpine initalization
+
+---
+
+- name: Setup repositories for Alpine
+ shell: |
+ echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/main/" > /etc/apk/repositories
+ echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/community/" >> /etc/apk/repositories
+ echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/releases/" >> /etc/apk/repositories
+
+- name: Download virtio_vmmci
+ git:
+ repo: "https://github.com/voutilad/virtio_vmmci"
+ dest: /data/git/virtio_vmmci
+
+- name: Install virtio_vmmci
+ shell: make && make install && modprobe virtio_vmmci
+ args:
+ chdir: /data/git/virtio_vmmci
+
+- name: Enable virtio_vmmci module
+ shell: echo "virtio_vmmci" > /etc/modules-load.d/virtio_vmmci.conf
+
+- name: Download vmm_clock module
+ git:
+ repo: "https://github.com/voutilad/vmm_clock"
+ dest: /data/git/vmm_clock
+
+- name: Install vmm_clock module
+ shell: make && make install && modprobe vmm_clock
+ args:
+ chdir: /data/git/vmm_clock
+
+- name: Enable vmm_clock module
+ shell: echo "vmm_clock" > /etc/modules-load.d/vmm_clock.conf
+
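Review bot: The two `git:` tasks clone third-party kernel-module sources without a `version:`, so each run builds, installs and `modprobe`s whatever HEAD of the remote repository holds at that moment; pin each clone to a tag or commit, e.g. `version: "{{ virtio_vmmci_version }}"` and `version: "{{ vmm_clock_version }}"`, and treat the pinned values as part of the reviewed configuration. The `make && make install && modprobe` shell tasks rerun on every play with no `creates:` or `changed_when:`, so this file is never idempotent. The `echo ... > /etc/apk/repositories` task would be simpler and idempotent as `copy:` with `content:`; it also points at `edge`, the rolling branch, which deserves a comment stating that this is intentional.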
diff --git a/roles/common/tasks/init_openbsd.yml b/roles/common/tasks/init_openbsd.yml
new file mode 100644
index 0000000..d4dae41
--- /dev/null
+++ b/roles/common/tasks/init_openbsd.yml
@@ -0,0 +1,10 @@
+
+# common ~~ tasks/init_alpine.yml
+# specific tasks for Openbsd initalization
+
+---
+
+- name: Setup repositories for Openbsd
+ shell: echo "https://mirror.ungleich.ch/pub/OpenBSD/" > /etc/installurl
+
+
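Review bot: The header comment on the new file still reads `tasks/init_alpine.yml` although this is the OpenBSD initialisation; change it to `# common ~~ tasks/init_openbsd.yml`. The `shell: echo ... > /etc/installurl` task reports changed on every run and enforces no ownership or mode; `copy:` with `content: "https://mirror.ungleich.ch/pub/OpenBSD/\n"` and `mode: "0644"` does the same thing idempotently.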
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index acbcb1c..1bc657f 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -3,38 +3,30 @@
---
-- name: Setup repositories for Alpine
- shell: |
- echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/main/" > /etc/apk/repositories
- echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/community/" >> /etc/apk/repositories
- echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/releases/" >> /etc/apk/repositories
- when: "'alpine' in group_names"
-
-- name: Check installation of package "{{ item }}"
+- name: Check installation of packages
package:
name: "{{ item }}"
state: present
+ loop: "{{ common_packages +lookup('vars', 'common_packages_' + ansible_distribution | lower) }}"
+ ignore_errors: true
+- name: Check existence of primary directory
+ file:
+ path: /data/{{ item }}
+ state: directory
loop:
- - "{{ packages.zsh }}"
- - "{{ packages.curl }}"
- - "{{ packages.tmux }}"
- - "{{ packages.wget }}"
- - "{{ packages.figlet }}"
- - "{{ packages.neovim }}"
- - "{{ packages.pip }}"
- - util-linux
- - shadow
+ - git
- ignore_errors: yes
+- include: "init_{{ ansible_distribution | lower }}.yml"
+ ignore_errors: true
- name: Copy zshrc configuration file
copy:
src: zshrc
dest: "{{ path_zshrc }}"
owner: root
- group: "{{ group.root }}"
+ group: "{{ group_root }}"
mode: 0644
- name: Copy tmux configuration file
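Review bot: `ignore_errors: true` on the package task and on the `include:` of `init_{{ ansible_distribution | lower }}.yml` silences every failure in the distribution-specific setup, including a failed kernel-module build or a repository file that could not be written, so a host can finish the play "successfully" without the packages later tasks assume are present. Drop both `ignore_errors` lines, or narrow them with a `failed_when:` that tolerates only the package names known to be absent on one platform. The loop expression `common_packages + lookup('vars', 'common_packages_' + ansible_distribution | lower)` also assumes the per-distribution variable is a list; a key with no value (as `common_packages_openbsd:` is written in this commit) renders as `None`, and the concatenation fails — presumably one of the errors currently being ignored.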
@@ -42,7 +34,7 @@
src: tmux.conf
dest: /etc/tmux.conf
owner: root
- group: "{{ group.root }}"
+ group: "{{ group_root }}"
mode: 0644
- name: Synchronize host hostname with config hostname
@@ -53,9 +45,6 @@
shell: awk -F ":" '{ if($3 == 0 || $3 > 999 && $3 < 16000) { print $1 }}' /etc/passwd
register: valid_users_shell
-- debug:
- var: valid_users_shell.stdout
-
- name: Change shell for all valid users to zsh
user:
name: "{{ item }}"
diff --git a/roles/common/vars/main.yml b/roles/common/vars/main.yml
new file mode 100644
index 0000000..7cad228
--- /dev/null
+++ b/roles/common/vars/main.yml
@@ -0,0 +1,26 @@
+
+# common ~~ vars/main.yml
+
+---
+
+common_packages:
+ - zsh
+ - curl
+ - wget
+ - figlet
+ - neovim
+ - git
+
+common_packages_alpine:
+ # common packages
+ - tmux
+ - util-linux
+ - shadow
+ - wireguard-virt
+ - wireguard-tools
+ # vmm_clock module make dependcy
+ - gcc
+ - make
+ - linux-virt-dev
+
+common_packages_openbsd:
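Review bot: `common_packages_openbsd:` with no value is YAML `null`, not an empty list, so a consumer that concatenates it onto another list (`common_packages + ...`) fails at templating time; write `common_packages_openbsd: []`. Minor: the comment `# vmm_clock module make dependcy` should read `# build dependencies for the out-of-tree kernel modules (vmm_clock, virtio_vmmci)`, since both appear to be built from source on Alpine.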
diff --git a/roles/minecraft/tasks/main.yml b/roles/minecraft/tasks/main.yml
new file mode 100644
index 0000000..56a9eed
--- /dev/null
+++ b/roles/minecraft/tasks/main.yml
@@ -0,0 +1,41 @@
+
+# minecraft ~~ tasks/main.yml
+
+---
+
+- name: Check java installation
+ package:
+ name: openjdk11-jre
+ state: present
+
+- name: Create minecraft user
+ user:
+ name: "{{ minecraft_user }}"
+ group: "{{ minecraft_user }}"
+
+- name: Create minecraft directory
+ file:
+ path: "{{ minecraft_dir }}"
+ owner: "{{ minecraft_user }}"
+ group: "{{ minecraft_user }}"
+ state: directory
+
+- name: Download minecraft server
+ get_url:
+ url: "{{ minecraft_url }}"
+ dest: "{{ minecraft_dir }}/{{ minecraft_bin }}"
+ owner: "{{ minecraft_user }}"
+
+- name: Enable eula
+ become_user: "{{ minecraft_user }}"
+ shell: echo "eula=true" >> {{ minecraft_dir}}/eula.txt
+
+- name: Create rc script
+ include_role:
+ name: rc
+ vars:
+ rc_name: "minecraft"
+ rc_cmd: "/usr/bin/java"
+ rc_args: "-jar {{ minecraft_dir }}/{{ minecraft_bin }}"
+ rc_user: "{{ minecraft_user }}"
+
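Review bot: `get_url` fetches `server.jar` from the network and the rc role then runs it as a long-lived service, but the task carries no `checksum:`, so a substituted or tampered download would be executed unnoticed; add `checksum: "sha256:{{ minecraft_sha256 }}"` beside the pinned URL and record the hash together with the version in vars. `shell: echo "eula=true" >> .../eula.txt` appends another line on every run; `lineinfile:` with `path`, `line: "eula=true"`, `create: true` and `owner: "{{ minecraft_user }}"` is idempotent and keeps the file owned by the service user. `become_user:` has no effect unless `become: true` is set on the task or inherited from the play — worth confirming where that comes from.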
diff --git a/roles/minecraft/vars/main.yml b/roles/minecraft/vars/main.yml
new file mode 100644
index 0000000..1fc2549
--- /dev/null
+++ b/roles/minecraft/vars/main.yml
@@ -0,0 +1,9 @@
+
+# minecraft ~~ vars/main.yml
+
+---
+
+minecraft_user: "minecraft"
+minecraft_dir: "/data/minecraft"
+minecraft_bin: "server.jar"
+minecraft_url: "https://papermc.io/api/v1/paper/1.16.4/274/download"
diff --git a/roles/papermc/vars/main.yml b/roles/papermc/vars/main.yml
deleted file mode 100644
index 9725e45..0000000
--- a/roles/papermc/vars/main.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-
-# papermc ~~ tasks/main.yml
-
----
-
-- name: Download latest java
- package:
- name: java
- state: latest
-
-- name: Download latest papermc
diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml
index 51471c5..c48c728 100644
--- a/roles/pf/tasks/main.yml
+++ b/roles/pf/tasks/main.yml
@@ -24,11 +24,3 @@
delay: 2
state: started
-- name: Add cron job for pf
- cron:
- cron_file: /etc/crontab
- name: "Reload pf configuration"
- user: root
- job: "/sbin/pfctl -f /etc/pf.conf > /dev/nul 2>&1"
- minute: "*"
-
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
index 6d67f4f..42b0bea 100644
--- a/roles/pf/templates/pf.conf.j2
+++ b/roles/pf/templates/pf.conf.j2
@@ -16,6 +16,18 @@ block all
pass in quick on egress proto {{ service["proto"] }} to port {{ service["port"] }}
{% endfor %}
+# redirection
+{% for h in groups["all"] %}
+{% set h = hostvars[h] %}
+{##}
+{% if h.services is defined %}
+{% for service in h.services if h.ansible_host != "dcontroller" and service.public is defined and service.public%}
+pass in on egress proto { {{ service.proto }} } from any to any port {{ service.port }} rdr-to {{ h.ip.in }}
+{% endfor %}
+{% endif %}
+{##}
+{% endfor %}
+
# *
# sub-config. by Ansible
# *
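Review bot: The redirection loop excludes the controller by comparing `h.ansible_host` with the literal `"dcontroller"`, while the wireguard tasks in this same commit identify that host via `_i.dcontroller`; if that variable is reachable from this template, use `h.ansible_host != _i.dcontroller` so the two cannot drift apart. Every generated rule is `pass in on egress ... from any to any port ... rdr-to`, so an inventory entry with `public: true` exposes that port to the whole Internet and forwards it inward; a comment above the loop saying exactly that would help whoever next flips the flag. Unlike the per-host rules above, these carry no `quick`, so a later matching rule can still override them — confirm that is intended. The template also dereferences `h.ip.in` without guarding `h.ip is defined`, which turns a host missing that variable into a template error for the whole firewall.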
diff --git a/roles/rc/tasks/main.yml b/roles/rc/tasks/main.yml
new file mode 100644
index 0000000..ef8d4f3
--- /dev/null
+++ b/roles/rc/tasks/main.yml
@@ -0,0 +1,7 @@
+
+# openrc ~~ tasks/main.yml
+
+---
+
+- include_tasks: "rc_{{ ansible_distribution | lower }}.yml"
+
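Review bot: The header comment `# openrc ~~ tasks/main.yml` names only OpenRC, but this dispatcher also selects `rc_openbsd.yml`; `# rc ~~ tasks/main.yml — dispatch to the init system of the target distribution` describes it accurately. Note that this file uses `include_tasks:` while `roles/common/tasks/main.yml` in the same commit uses the older `include:`; picking one form across the repository avoids surprises with `when:`/`ignore_errors` inheritance.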
diff --git a/roles/rc/tasks/rc_alpine.yml b/roles/rc/tasks/rc_alpine.yml
new file mode 100644
index 0000000..7d35528
--- /dev/null
+++ b/roles/rc/tasks/rc_alpine.yml
@@ -0,0 +1,21 @@
+
+# openrc ~~ tasks/main.yml
+
+---
+
+- name: Generate rc script for desired service
+ template:
+ src: rc_alpine.j2
+ dest: "{{ rc_alpine_dir }}/{{ rc_name }}"
+
+- file:
+ path: "{{ rc_alpine_dir }}/{{ rc_name }}"
+ owner: "root"
+ group: "{{ group_root }}"
+ mode: "0755"
+
+- service:
+ name: "{{ rc_name }}"
+ state: started
+ enabled: true
+
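Review bot: The `template:` task writes the rc script with the connecting user's default umask and ownership, and only the following `file:` task fixes them, so between the two tasks the script exists with whatever mode the umask produced; `template:` accepts `owner: root`, `group: "{{ group_root }}"` and `mode: "0755"` directly, which removes the second task entirely. The unnamed `file:` and `service:` tasks should get `name:` lines so play output is readable. Because `service:` only ensures `started`, a changed rc script or command line is not picked up until a restart; register the template task and notify a restart handler.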
diff --git a/roles/rc/tasks/rc_openbsd.yml b/roles/rc/tasks/rc_openbsd.yml
new file mode 100644
index 0000000..3d89e55
--- /dev/null
+++ b/roles/rc/tasks/rc_openbsd.yml
@@ -0,0 +1,21 @@
+
+# openrc ~~ tasks/main.yml
+
+---
+
+- name: Generate rc script for desired service
+ template:
+ src: rc_openbsd.j2
+ dest: "{{ rc_openbsd_dir }}/{{ rc_name }}"
+
+- file:
+ path: "{{ rc_openbsd_dir }}/{{ rc_name }}"
+ owner: "root"
+ group: "{{ group_root }}"
+ mode: "0555"
+
+- service:
+ name: "{{ rc_name }}"
+ state: started
+ enabled: true
+
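Review bot: The header comment reads `# openrc ~~ tasks/main.yml`, but this is the OpenBSD `rc.d` variant; `# rc ~~ tasks/rc_openbsd.yml` matches its path. As with the Alpine variant, `owner`, `group` and `mode: "0555"` belong on the `template:` task itself rather than a second unnamed `file:` task, so the script never exists with a looser mode. `service:` only ensures `started`, so edits to the generated script take effect only after a restart — a handler notified by the template task is the usual fix.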
diff --git a/roles/rc/templates/rc_alpine.j2 b/roles/rc/templates/rc_alpine.j2
new file mode 100644
index 0000000..217cd05
--- /dev/null
+++ b/roles/rc/templates/rc_alpine.j2
@@ -0,0 +1,7 @@
+#!/sbin/openrc-run
+#
+# managed by Ansible
+
+command="{{ rc_cmd }}"
+command_args="{{ rc_args }}"
+user="{{ rc_user }}"
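Review bot: As far as I recall OpenRC reads the run-as account from `command_user`, not `user`, so `user="{{ rc_user }}"` on the last line may be silently ignored and the service (a Java server in this commit) would run as root — please verify against openrc-run(8) on the target Alpine release and rename to `command_user="{{ rc_user }}"` if so. A command that stays in the foreground also needs `command_background=true` together with a `pidfile=` for `start` to return, which I would expect to apply to `java -jar`; confirm before relying on this template. `rc_args` is interpolated inside double quotes, so any `"` in the argument string breaks the script; a comment documenting that restriction (or escaping the value) is cheap.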
diff --git a/roles/rc/templates/rc_openbsd.j2 b/roles/rc/templates/rc_openbsd.j2
new file mode 100644
index 0000000..30f1c0a
--- /dev/null
+++ b/roles/rc/templates/rc_openbsd.j2
@@ -0,0 +1,11 @@
+#!/bin/ksh
+#
+# managed by Ansible
+
+daemon="{{ rc_cmd }}"
+daemon_flags="{{ rc_args }}"
+daemon_user="{{ rc_user }}"
+
+. /etc/rc.d/rc.subr
+
+rc_cmd $1
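Review bot: `rc.subr` expects `daemon` to detach itself unless `rc_bg=YES` is set; `java -jar` stays in the foreground, so without `rc_bg=YES` before the `. /etc/rc.d/rc.subr` line I would expect `start` to hang or be reported as failed on OpenBSD — add it unless the daemon is known to fork. A second header line naming the source template (`# source: roles/rc/templates/rc_openbsd.j2`) tells the next admin where to edit instead of patching `/etc/rc.d` by hand. `daemon_flags="{{ rc_args }}"` has the same quoting caveat as any shell interpolation: a `"` in `rc_args` breaks the script.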
diff --git a/roles/rc/vars/main.yml b/roles/rc/vars/main.yml
new file mode 100644
index 0000000..1ec55c3
--- /dev/null
+++ b/roles/rc/vars/main.yml
@@ -0,0 +1,7 @@
+
+# openrc ~~ vars/main.yml
+
+---
+
+rc_alpine_dir: "/etc/init.d"
+rc_openbsd_dir: "/etc/rc.d"
diff --git a/roles/wireguard/tasks/generate.yml b/roles/wireguard/tasks/generate.yml
index e3264ef..6e60a92 100644
--- a/roles/wireguard/tasks/generate.yml
+++ b/roles/wireguard/tasks/generate.yml
@@ -34,7 +34,6 @@
- { name: "{{ ansible_host }}", path: /etc/wireguard/dcontroller.conf }
- { name: localhost, path: "{{ wg_dir }}/{{ ansible_host}}.conf" }
ignore_unreachable: true
- failed_when: 1 == 2
- name: Generate server configuration
template:
@@ -49,7 +48,7 @@
- name: Generate server interface
template:
- src: templates/hostname.tun0.j2
+ src: templates/hostname.j2
dest: /etc/hostname.tun0
when: ansible_host == _i.dcontroller
-
+
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
index be9e57c..9e23fa7 100644
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@@ -1,9 +1,57 @@
-
# wireguard ~~ tasks/main.yml
---
- include: set_facts.yml
-- include: generate.yml
+- stat:
+ path: "{{ wg_host_keys }}"
+ register: stat_host_keys
+ delegate_to: localhost
+
+- name: Generate domain keys
+ shell: |
+ umask 077
+ wg genkey | tee "{{ wg_host_keys }}" | wg pubkey >> "{{ wg_host_keys }}"
+ args:
+ chdir: "{{ wg_dir }}"
+ when: not stat_host_keys.stat.exists or force is defined and force
+ delegate_to: localhost
+
+- name: Create wireguard dir on remote host
+ file:
+ path: /etc/wireguard
+ owner: root
+ state: directory
+ mode: "0700"
+ ignore_unreachable: true
+
+- name: Generate client configuration
+ template:
+ src: templates/host.conf.j2
+ dest: "{{ item.path }}"
+ mode: "0600"
+ when: ansible_host != _i.dcontroller
+ delegate_to: "{{ item.name }}"
+ loop:
+ - { name: "{{ ansible_host }}", path: /etc/wireguard/dcontroller.conf }
+ - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host}}.conf" }
+ ignore_unreachable: true
+
+- name: Generate server configuration
+ template:
+ src: templates/dcontroller.conf.j2
+ dest: "{{ item.path }}"
+ mode: "0600"
+ when: ansible_host == _i.dcontroller
+ delegate_to: "{{ item.name }}"
+ loop:
+ - { name: "{{ ansible_host }}", path: /etc/wireguard/dcontroller.conf }
+ - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host}}.conf" }
+
+- name: Generate server interface
+ template:
+ src: templates/hostname.j2
+ dest: /etc/hostname.tun0
+ when: ansible_host == _i.dcontroller
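Review bot: The `Generate domain keys` task is guarded by `stat_host_keys.stat.exists`, but its pipeline `wg genkey | tee ... | wg pubkey >> ...` creates the file even when `wg` is missing or fails on the controller, leaving an empty or one-line key file that the guard then treats as valid on every later run. Write to a temporary name and rename only on success, e.g. `set -e` followed by `wg genkey > "{{ wg_host_keys }}.tmp" && wg pubkey < "{{ wg_host_keys }}.tmp" >> "{{ wg_host_keys }}.tmp" && mv "{{ wg_host_keys }}.tmp" "{{ wg_host_keys }}"`, and add `changed_when:` so the task does not always report changed. This design stores every host's private key on the Ansible controller under `wg_dir`; if that directory lives inside the repository it must be excluded from version control or vault-encrypted — I cannot tell from this hunk. Unlike the two `.conf` templates, `Generate server interface` writes `/etc/hostname.tun0` without `mode:`; if that template embeds key material it should be `mode: "0600"` as well (OpenBSD ships `hostname.if` files as 0640 root:wheel).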
diff --git a/roles/wireguard/templates/dcontroller.conf.j2 b/roles/wireguard/templates/dcontroller.conf.j2
index c1fd887..5771ef6 100644
--- a/roles/wireguard/templates/dcontroller.conf.j2
+++ b/roles/wireguard/templates/dcontroller.conf.j2
@@ -1,5 +1,5 @@
-# wireguard client configuration ~~ /etc/wireguard/*.conf
+# wireguard dcontroller configuration ~~ /etc/wireguard/*.conf
# managed by Ansible
{% set dcontroller_keys = lookup("file", wg_dcontroller_keys).splitlines() %}
diff --git a/roles/wireguard/templates/host.conf.j2 b/roles/wireguard/templates/host.conf.j2
index c25d937..2a5acc5 100644
--- a/roles/wireguard/templates/host.conf.j2
+++ b/roles/wireguard/templates/host.conf.j2
@@ -5,7 +5,7 @@
{% set dcontroller_keys = lookup("file", wg_dcontroller_keys).splitlines() %}
[Interface]
-Address = {{ ip.in }}
+Address = {{ ip.in }}, fd00:10:10::{{ ip.in.split(".")[3] }}
PrivateKey = {{ host_keys[0] }}
[Peer]
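Review bot: `Address` now adds `fd00:10:10::{{ ip.in.split(".")[3] }}`, but the `[Peer]` section that follows (outside this hunk) must list the matching IPv6 range in `AllowedIPs`, otherwise WireGuard drops the v6 traffic; please check the rest of the template and the controller-side counterpart. The derivation assumes `ip.in` is a bare dotted-quad — a value with a prefix such as `10.0.0.5/24` yields `5/24` and an invalid address; strip the prefix first or state the assumption in a comment. Writing a decimal octet into a hex hextet (`.10` becomes `::10`) stays unique but is unintuitive; a one-line comment such as `{# v6 host part is the last v4 octet, written as-is into a hex field #}` saves the next reader a detour.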
diff --git a/roles/wireguard/templates/hostname.tun0.j2 b/roles/wireguard/templates/hostname.j2
index 3903ccb..3903ccb 100644
--- a/roles/wireguard/templates/hostname.tun0.j2
+++ b/roles/wireguard/templates/hostname.j2