I'm so lazy so ignore this cimment this time pls

author: binary <me@rgoncalves.se> 2020-11-15 17:26:32 +0100
committer: binary <me@rgoncalves.se> 2020-11-15 17:26:32 +0100
commit: aea6b114e050545ccc8b953c579d53c9158e238b (patch)
tree: 7cbeb2ad790638e433c21f1452dded1588949d2e /roles
parent: 5bcecbf08db7013ba4de12e492961e2cba6e6b8a (diff)
download: infrastructure-aea6b114e050545ccc8b953c579d53c9158e238b.tar.gz
20 files changed, 276 insertions, 49 deletions
diff --git a/roles/common/tasks/init_alpine.yml b/roles/common/tasks/init_alpine.yml
new file mode 100644
index 0000000..68689bc
--- /dev/null
+++ b/roles/common/tasks/init_alpine.yml
@@ -0,0 +1,38 @@
+
+# common ~~ tasks/init_alpine.yml
+# specific tasks for Alpine initalization
+
+---
+
+- name: Setup repositories for Alpine
+  shell: |
+    echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/main/" > /etc/apk/repositories
+    echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/community/" >> /etc/apk/repositories
+    echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/releases/" >> /etc/apk/repositories
+
+- name: Download virtio_vmmci
+  git:
+    repo: "https://github.com/voutilad/virtio_vmmci"
+    dest: /data/git/virtio_vmmci
+
+- name: Install virtio_vmmci
+  shell: make && make install && modprobe virtio_vmmci
+  args:
+    chdir: /data/git/virtio_vmmci
+    
+- name: Enable virtio_vmmci module
+  shell: echo "virtio_vmmci" > /etc/modules-load.d/virtio_vmmci.conf
+
+- name: Download vmm_clock module
+  git:
+    repo: "https://github.com/voutilad/vmm_clock"
+    dest: /data/git/vmm_clock
+
+- name: Install vmm_clock module
+  shell: make && make install && modprobe vmm_clock
+  args:
+    chdir: /data/git/vmm_clock
+
+- name: Enable vmm_clock module
+  shell: echo "vmm_clock" > /etc/modules-load.d/vmm_clock.conf
+
diff --git a/roles/common/tasks/init_openbsd.yml b/roles/common/tasks/init_openbsd.yml
new file mode 100644
index 0000000..d4dae41
--- /dev/null
+++ b/roles/common/tasks/init_openbsd.yml
@@ -0,0 +1,10 @@
+
+# common ~~ tasks/init_alpine.yml
+# specific tasks for Openbsd initalization
+
+---
+
+- name: Setup repositories for Openbsd
+  shell: echo "https://mirror.ungleich.ch/pub/OpenBSD/" > /etc/installurl
+
+
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index acbcb1c..1bc657f 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -3,38 +3,30 @@
 
 ---
 
-- name: Setup repositories for Alpine
-  shell: |
-    echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/main/" > /etc/apk/repositories
-    echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/community/" >> /etc/apk/repositories
-    echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/releases/" >> /etc/apk/repositories
-  when: "'alpine' in group_names"
-
-- name: Check installation of package "{{ item }}"
+- name: Check installation of packages
   package:
     name: "{{ item }}"
     state: present
+  loop: "{{ common_packages +lookup('vars', 'common_packages_' + ansible_distribution | lower)  }}"
+  ignore_errors: true
 
+- name: Check existence of primary directory
+  file:
+    path: /data/{{ item }}
+    state: directory
   loop:
-    - "{{ packages.zsh }}"
-    - "{{ packages.curl }}"
-    - "{{ packages.tmux }}"
-    - "{{ packages.wget }}"
-    - "{{ packages.figlet }}"
-    - "{{ packages.neovim }}"
-    - "{{ packages.pip }}"
-    - util-linux
-    - shadow
+    - git
 
-  ignore_errors: yes
 
+- include: "init_{{ ansible_distribution | lower }}.yml"
+  ignore_errors: true
 
 - name: Copy zshrc configuration file
   copy:
     src: zshrc
     dest: "{{ path_zshrc }}"
     owner: root
-    group: "{{ group.root }}"
+    group: "{{ group_root }}"
     mode: 0644
 
 - name: Copy tmux configuration file
@@ -42,7 +34,7 @@
     src: tmux.conf
     dest: /etc/tmux.conf
     owner: root
-    group: "{{ group.root }}"
+    group: "{{ group_root }}"
     mode: 0644
 
 - name: Synchronize host hostname with config hostname
@@ -53,9 +45,6 @@
   shell: awk -F ":" '{ if($3 == 0 || $3 > 999 && $3 < 16000) { print $1 }}' /etc/passwd
   register: valid_users_shell
 
-- debug:
-    var: valid_users_shell.stdout
-
 - name: Change shell for all valid users to zsh
   user:
     name: "{{ item }}"
diff --git a/roles/common/vars/main.yml b/roles/common/vars/main.yml
new file mode 100644
index 0000000..7cad228
--- /dev/null
+++ b/roles/common/vars/main.yml
@@ -0,0 +1,26 @@
+
+# common ~~ vars/main.yml
+
+---
+
+common_packages:
+  - zsh
+  - curl
+  - wget
+  - figlet
+  - neovim
+  - git
+
+common_packages_alpine:
+  # common packages
+  - tmux
+  - util-linux
+  - shadow
+  - wireguard-virt
+  - wireguard-tools
+  # vmm_clock module make dependcy
+  - gcc
+  - make
+  - linux-virt-dev
+
+common_packages_openbsd:
diff --git a/roles/minecraft/tasks/main.yml b/roles/minecraft/tasks/main.yml
new file mode 100644
index 0000000..56a9eed
--- /dev/null
+++ b/roles/minecraft/tasks/main.yml
@@ -0,0 +1,41 @@
+
+# minecraft ~~ tasks/main.yml
+
+---
+
+- name: Check java installation
+  package:
+    name: openjdk11-jre
+    state: present
+
+- name: Create minecraft user
+  user:
+    name: "{{ minecraft_user }}"
+    group: "{{ minecraft_user }}"
+
+- name: Create minecraft directory
+  file: 
+    path: "{{ minecraft_dir }}"
+    owner: "{{ minecraft_user }}"
+    group: "{{ minecraft_user }}"
+    state: directory
+
+- name: Download minecraft server
+  get_url:
+    url: "{{ minecraft_url }}"
+    dest: "{{ minecraft_dir }}/{{ minecraft_bin }}"
+    owner: "{{ minecraft_user }}"
+
+- name: Enable eula
+  become_user: "{{ minecraft_user }}"
+  shell: echo "eula=true" >> {{ minecraft_dir}}/eula.txt
+
+- name: Create rc script
+  include_role:
+    name: rc
+  vars:
+    rc_name: "minecraft"
+    rc_cmd: "/usr/bin/java"
+    rc_args: "-jar {{ minecraft_dir }}/{{ minecraft_bin }}"
+    rc_user: "{{ minecraft_user }}"
+
diff --git a/roles/minecraft/vars/main.yml b/roles/minecraft/vars/main.yml
new file mode 100644
index 0000000..1fc2549
--- /dev/null
+++ b/roles/minecraft/vars/main.yml
@@ -0,0 +1,9 @@
+
+# minecraft ~~ vars/main.yml
+
+---
+
+minecraft_user: "minecraft"
+minecraft_dir: "/data/minecraft"
+minecraft_bin: "server.jar"
+minecraft_url: "https://papermc.io/api/v1/paper/1.16.4/274/download"
diff --git a/roles/papermc/vars/main.yml b/roles/papermc/vars/main.yml
deleted file mode 100644
index 9725e45..0000000
--- a/roles/papermc/vars/main.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-
-# papermc ~~ tasks/main.yml
-
----
-
-- name: Download latest java
-  package:
-    name: java
-    state: latest
-
-- name: Download latest papermc
diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml
index 51471c5..c48c728 100644
--- a/roles/pf/tasks/main.yml
+++ b/roles/pf/tasks/main.yml
@@ -24,11 +24,3 @@
     delay: 2
     state: started
 
-- name: Add cron job for pf
-  cron:
-    cron_file: /etc/crontab
-    name: "Reload pf configuration"
-    user: root
-    job: "/sbin/pfctl -f /etc/pf.conf > /dev/nul 2>&1"
-    minute: "*"
-
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
index 6d67f4f..42b0bea 100644
--- a/roles/pf/templates/pf.conf.j2
+++ b/roles/pf/templates/pf.conf.j2
@@ -16,6 +16,18 @@ block all
 pass in quick on egress proto {{ service["proto"] }} to port {{ service["port"] }}
 {% endfor %}
 
+# redirection
+{% for h in groups["all"] %}
+{% set h = hostvars[h] %}
+{##}
+{% if h.services is defined %}
+{% for service in h.services if h.ansible_host != "dcontroller" and service.public is defined and service.public%}
+pass in on egress proto { {{ service.proto }} } from any to any port {{ service.port }} rdr-to {{ h.ip.in }}
+{% endfor %}
+{% endif %}
+{##}
+{% endfor %}
+
 # *
 # sub-config. by Ansible
 # *
diff --git a/roles/rc/tasks/main.yml b/roles/rc/tasks/main.yml
new file mode 100644
index 0000000..ef8d4f3
--- /dev/null
+++ b/roles/rc/tasks/main.yml
@@ -0,0 +1,7 @@
+
+# openrc ~~ tasks/main.yml
+
+---
+
+- include_tasks: "rc_{{ ansible_distribution | lower }}.yml"
+
diff --git a/roles/rc/tasks/rc_alpine.yml b/roles/rc/tasks/rc_alpine.yml
new file mode 100644
index 0000000..7d35528
--- /dev/null
+++ b/roles/rc/tasks/rc_alpine.yml
@@ -0,0 +1,21 @@
+
+# openrc ~~ tasks/main.yml
+
+---
+
+- name: Generate rc script for desired service
+  template:
+    src: rc_alpine.j2
+    dest: "{{ rc_alpine_dir }}/{{ rc_name }}"
+
+- file:
+    path: "{{ rc_alpine_dir }}/{{ rc_name }}"
+    owner: "root"
+    group: "{{ group_root }}"
+    mode: "0755"
+
+- service:
+    name: "{{ rc_name }}"
+    state: started
+    enabled: true
+
diff --git a/roles/rc/tasks/rc_openbsd.yml b/roles/rc/tasks/rc_openbsd.yml
new file mode 100644
index 0000000..3d89e55
--- /dev/null
+++ b/roles/rc/tasks/rc_openbsd.yml
@@ -0,0 +1,21 @@
+
+# openrc ~~ tasks/main.yml
+
+---
+
+- name: Generate rc script for desired service
+  template:
+    src: rc_openbsd.j2
+    dest: "{{ rc_openbsd_dir }}/{{ rc_name }}"
+
+- file:
+    path: "{{ rc_openbsd_dir }}/{{ rc_name }}"
+    owner: "root"
+    group: "{{ group_root }}"
+    mode: "0555"
+
+- service:
+    name: "{{ rc_name }}"
+    state: started
+    enabled: true
+
diff --git a/roles/rc/templates/rc_alpine.j2 b/roles/rc/templates/rc_alpine.j2
new file mode 100644
index 0000000..217cd05
--- /dev/null
+++ b/roles/rc/templates/rc_alpine.j2
@@ -0,0 +1,7 @@
+#!/sbin/openrc-run
+#
+# managed by Ansible
+
+command="{{ rc_cmd }}"
+command_args="{{ rc_args }}"
+user="{{ rc_user }}"
diff --git a/roles/rc/templates/rc_openbsd.j2 b/roles/rc/templates/rc_openbsd.j2
new file mode 100644
index 0000000..30f1c0a
--- /dev/null
+++ b/roles/rc/templates/rc_openbsd.j2
@@ -0,0 +1,11 @@
+#!/bin/ksh
+#
+# managed by Ansible
+
+daemon="{{ rc_cmd }}"
+daemon_flags="{{ rc_args }}"
+daemon_user="{{ rc_user }}"
+
+. /etc/rc.d/rc.subr
+
+rc_cmd $1
diff --git a/roles/rc/vars/main.yml b/roles/rc/vars/main.yml
new file mode 100644
index 0000000..1ec55c3
--- /dev/null
+++ b/roles/rc/vars/main.yml
@@ -0,0 +1,7 @@
+
+# openrc ~~ vars/main.yml
+
+---
+
+rc_alpine_dir: "/etc/init.d"
+rc_openbsd_dir: "/etc/rc.d"
diff --git a/roles/wireguard/tasks/generate.yml b/roles/wireguard/tasks/generate.yml
index e3264ef..6e60a92 100644
--- a/roles/wireguard/tasks/generate.yml
+++ b/roles/wireguard/tasks/generate.yml
@@ -34,7 +34,6 @@
     - { name: "{{ ansible_host }}", path: /etc/wireguard/dcontroller.conf }
     - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host}}.conf" }
   ignore_unreachable: true
-  failed_when: 1 == 2
 
 - name: Generate server configuration
   template:
@@ -49,7 +48,7 @@
 
 - name: Generate server interface
   template:
-    src: templates/hostname.tun0.j2
+    src: templates/hostname.j2
     dest: /etc/hostname.tun0
   when: ansible_host == _i.dcontroller
-  
+
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
index be9e57c..9e23fa7 100644
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@@ -1,9 +1,57 @@
-
 # wireguard ~~ tasks/main.yml
 
 ---
 
 - include: set_facts.yml
 
-- include: generate.yml
+- stat:
+    path: "{{ wg_host_keys }}"
+  register: stat_host_keys
+  delegate_to: localhost
+
+- name: Generate domain keys
+  shell: |
+    umask 077
+    wg genkey | tee "{{ wg_host_keys }}" | wg pubkey >> "{{ wg_host_keys }}"
+  args:
+    chdir: "{{ wg_dir }}"
+  when: not stat_host_keys.stat.exists or force is defined and force
+  delegate_to: localhost
+
+- name: Create wireguard dir on remote host
+  file:
+    path: /etc/wireguard
+    owner: root
+    state: directory
+    mode: "0700"
+  ignore_unreachable: true
+
+- name: Generate client configuration
+  template:
+    src: templates/host.conf.j2
+    dest: "{{ item.path }}"
+    mode: "0600"
+  when: ansible_host != _i.dcontroller
+  delegate_to: "{{ item.name }}"
+  loop:
+    - { name: "{{ ansible_host }}", path: /etc/wireguard/dcontroller.conf }
+    - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host}}.conf" }
+  ignore_unreachable: true
+
+- name: Generate server configuration
+  template:
+    src: templates/dcontroller.conf.j2
+    dest: "{{ item.path }}"
+    mode: "0600"
+  when: ansible_host == _i.dcontroller
+  delegate_to: "{{ item.name }}"
+  loop:
+    - { name: "{{ ansible_host }}", path: /etc/wireguard/dcontroller.conf }
+    - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host}}.conf" }
+
+- name: Generate server interface
+  template:
+    src: templates/hostname.j2
+    dest: /etc/hostname.tun0
+  when: ansible_host == _i.dcontroller
 
diff --git a/roles/wireguard/templates/dcontroller.conf.j2 b/roles/wireguard/templates/dcontroller.conf.j2
index c1fd887..5771ef6 100644
--- a/roles/wireguard/templates/dcontroller.conf.j2
+++ b/roles/wireguard/templates/dcontroller.conf.j2
@@ -1,5 +1,5 @@
 
-# wireguard client configuration ~~ /etc/wireguard/*.conf
+# wireguard dcontroller configuration ~~ /etc/wireguard/*.conf
 # managed by Ansible
 {% set dcontroller_keys = lookup("file", wg_dcontroller_keys).splitlines() %}
 
diff --git a/roles/wireguard/templates/host.conf.j2 b/roles/wireguard/templates/host.conf.j2
index c25d937..2a5acc5 100644
--- a/roles/wireguard/templates/host.conf.j2
+++ b/roles/wireguard/templates/host.conf.j2
@@ -5,7 +5,7 @@
 {% set dcontroller_keys = lookup("file", wg_dcontroller_keys).splitlines() %}
 
 [Interface]
-Address = {{ ip.in }}
+Address = {{ ip.in }}, fd00:10:10::{{ ip.in.split(".")[3] }}
 PrivateKey = {{ host_keys[0] }}
 
 [Peer]
diff --git a/roles/wireguard/templates/hostname.tun0.j2 b/roles/wireguard/templates/hostname.j2
index 3903ccb..3903ccb 100644
--- a/roles/wireguard/templates/hostname.tun0.j2
+++ b/roles/wireguard/templates/hostname.j2
author	binary <me@rgoncalves.se>	2020-11-15 17:26:32 +0100
committer	binary <me@rgoncalves.se>	2020-11-15 17:26:32 +0100
commit	aea6b114e050545ccc8b953c579d53c9158e238b (patch)
tree	7cbeb2ad790638e433c21f1452dded1588949d2e /roles
parent	5bcecbf08db7013ba4de12e492961e2cba6e6b8a (diff)
download	infrastructure-aea6b114e050545ccc8b953c579d53c9158e238b.tar.gz