28 files changed, 368 insertions, 64 deletions
diff --git a/ansible.cfg b/ansible.cfg index 56c18a0..e52d45d 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -6,6 +6,7 @@ jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n roles_path = roles/ library = /usr/share/ansible:plugins/modules +filter_plugins = filter_plugins [ssh_connection] pipelining = True diff --git a/filter_plugins/__pycache__/filters.cpython-38.pyc b/filter_plugins/__pycache__/filters.cpython-38.pyc Binary files differnew file mode 100644 index 0000000..e52f396 --- /dev/null +++ b/filter_plugins/__pycache__/filters.cpython-38.pyc diff --git a/filter_plugins/filters.py b/filter_plugins/filters.py index 1f1500e..efe0c43 100644 --- a/filter_plugins/filters.py +++ b/filter_plugins/filters.py @@ -1,8 +1,25 @@ #!/bin/python +import requests + class FilterModule(object): def filters(self): + return { + "repology": self.repology_filter + } + + def repology_filter(self, package, repository): + """ + Use repology.org API for getting generic package names accrossed different Unix systems. + This allows us to use standard package names, and execute install tasks with a system-agnostic way. + """ + api_endpoint = "https://repology.org/api/v1/project/" + + response = requests.get(f"{api_endpoint}/{package}") + + for res in response.json(): + if res["repo"] == repository: + return res - def get_vm_distro(vms, distro): - return False + return response.json()[0] diff --git a/filter_plugins/filters.yml b/filter_plugins/filters.yml new file mode 100644 index 0000000..8ffd742 --- /dev/null +++ b/filter_plugins/filters.yml @@ -0,0 +1,17 @@ + +# filters ~~ filter_plugins/filters.yml +# DEBUG PLAYBOOK for custom filters + +--- + +- hosts: localhost + tasks: + + - debug: + msg: "{{ item | repology }}" + loop: + - "AAA" + - "firefox" + - "neovim" + - "brrrrrrrr" + diff --git a/inventory.yml b/inventory.yml index 105b43d..e715339 100644 --- a/inventory.yml +++ b/inventory.yml 
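Review bot: `repology_filter` calls `requests.get` without a `timeout`, builds its URL with a doubled slash (`api_endpoint` already ends in `/`), interpolates `package` unescaped, and falls through to `response.json()[0]`, which raises `IndexError` on an empty result (the `"brrrrrrrr"` entry in the debug playbook) and otherwise silently returns an entry from an unrelated repository. The debug playbook `filters.yml` also calls `item | repology` without the required `repository` argument, so it fails with a `TypeError` as written. The committed `__pycache__/filters.cpython-38.pyc` is generated output and belongs in `.gitignore` rather than in the repository. A rewrite of the lookup follows; `quote` comes from `urllib.parse` and `AnsibleFilterError` from `ansible.errors`, both of which need importing at the top of the file.
```python
    def repology_filter(self, package, repository):
        """
        Use the repology.org API to map a generic package name onto the name
        used by ``repository``; raises AnsibleFilterError when nothing matches.
        """
        api_endpoint = "https://repology.org/api/v1/project/"

        # bounded timeout so a slow API cannot hang the play; escape the name
        response = requests.get(api_endpoint + quote(package, safe=""), timeout=10)
        response.raise_for_status()
        results = response.json()

        for res in results:
            if res["repo"] == repository:
                return res

        raise AnsibleFilterError(
            f"repology: no package {package!r} found for repository {repository!r}"
        )
```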
@@ -40,20 +40,19 @@ all: ansible_host: "dcontroller" ip: { in: "10.10.0.1", out: "185.203.114.234" } services: - - { name: "ssh", proto: "tcp", port: "22", public: "true" } - - { name: "httpd", proto: "tcp", port: "80", public: "true", domain: "www" } - - { name: "wireguard", proto: "udp", port: "53", public: "true" } + - { name: "ssh", proto: "tcp", port: "22", public: true } + - { name: "httpd", proto: "tcp", port: "80", public: true, domain: "www" } + - { name: "wireguard", proto: "udp", port: "53", public: true } # SERVER for vm stack0: ansible_host: "stack0" ip: { in: "10.10.0.40", out: "192.168.5.40" } services: - - { name: "ssh", proto: "tcp", port: "22", public: "false" } - - { name: "nextcloud", proto: "udp", port: "80", public: "true", domain: "cloud" } + - { name: "ssh", proto: "tcp", port: "22" } vms: - - { name: "vm0", iso: "alpine", memory: "2G", size: "4G", enabled: "true" } - - { name: "vm1", iso: "alpine", memory: "2G", size: "4G", enabled: "true" } + - { name: "vm0", iso: "alpine", memory: "6G", size: "4G", enabled: true } + - { name: "vm1", iso: "alpine", memory: "2G", size: "4G", enabled: true } hypervisor: enabled: "true" interface: "bnx0" 
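Review bot: `hypervisor: enabled: "true"` (the context line at the end of the hunk) is still a quoted string while the `public`/`enabled` flags above it were converted to YAML booleans in this same hunk; a string `"false"` is truthy in Jinja, so the two forms do not behave the same in conditionals. Change it to `enabled: true` for consistency. Unrelated to the flag cleanup, the hunk also raises `vm0` memory to `6G` and drops the `nextcloud` entry from `stack0`; a line per such inventory change in the commit message would help when bisecting later.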
@@ -66,21 +65,23 @@ all: ansible_host: "emb0" ip: { in: "10.10.0.41", out: "192.168.5.41" } services: - - { name: "ssh", proto: "tcp", port: "22", public: "false" } - - { name: "syncthing", proto: "tcp", port: "8384", public: "false" } + - { name: "ssh", proto: "tcp", port: "22" } + - { name: "syncthing", proto: "tcp", port: "8384" } # VM vm0: ansible_host: "vm0" ip: { in: "10.10.0.60", out: "192.168.5.60" } services: - - { name: "ssh", proto: "tcp", port: "22", public: "false" } + - { name: "ssh", proto: "tcp", port: "22" } + - { name: "minecraft", proto: "tcp, udp", port: "25565", public: true } vm1: ansible_host: "vm1" ip: { in: "10.10.0.61", out: "192.168.5.61" } services: - - { name: "ssh", proto: "tcp", port: "22", public: "false" } + - { name: "ssh", proto: "tcp", port: "22"} + - { name: "nextcloud", proto: "tcp", port: "8080", public: true, domain: "cloud" } # CLIENTS graphite: @@ -108,7 +109,17 @@ all: dcontroller: stack0: emb0: + vm0: + vm1: + # GROUP physical + ph: + hosts: + dcontroller: + stack0: + emb0: + + # GROUP virtual machine vm: hosts: vm0: diff --git a/playbooks/p.yml b/playbooks/p.yml new file mode 100644 index 0000000..49c3200 --- /dev/null +++ b/playbooks/p.yml @@ -0,0 +1,13 @@ + +# p.yml +# Execute only one role + +--- + +- hosts: "{{ host }}" + + tasks: + + - include_role: + name: "{{ role }}" + tasks_from: "{{ task }}.yml" diff --git a/playbooks/site.yml b/playbooks/site.yml index 29f4033..f493eb1 100644 --- a/playbooks/site.yml +++ b/playbooks/site.yml @@ -2,7 +2,7 @@ # site.yml # Deploy configuration to all servers. -- hosts: all +- hosts: servers roles: - common diff --git a/playbooks/wireguard.yml b/playbooks/wireguard.yml index d995b5c..320fd31 100644 --- a/playbooks/wireguard.yml +++ b/playbooks/wireguard.yml 
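Review bot: `minecraft` on `vm0` encodes two protocols in one string, `proto: "tcp, udp"`; that only works where the consuming template wraps the value in pf braces, and any template that interpolates `proto` bare (the existing `pass in quick on egress proto {{ service["proto"] }}` rule in `pf.conf.j2`) would emit an invalid rule. Two entries, or a YAML list joined in the template, would be safer. The new `nextcloud` entry on `vm1` is published as `public: true` on `tcp/8080`, which with the redirection rules added to `pf.conf.j2` in this commit forwards plaintext HTTP from the internet straight to the VM; if TLS is meant to be terminated by `httpd` on `dcontroller` through the `domain: cloud` entry, the service should not also be `public`. Minor: `port: "22"}` on the `vm1` ssh line is missing a space before the brace.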
@@ -4,8 +4,26 @@ --- -- hosts: all +- hosts: servers gather_facts: no roles: - wireguard +- hosts: alpine + vars: + rc_name: "wireguard" + rc_cmd: "/usr/bin/wg-quick" + rc_args: "up {{ _i.dcontroller }}" + rc_user: "root" + roles: + - rc + ignore_errors: true + +- hosts: openbsd + vars: + rc_name: "wireguard" + rc_cmd: "/usr/local/bin/wg-quick" + rc_args: "up {{ _i.dcontroller }}" + rc_user: "root" + roles: + - rc diff --git a/roles/common/tasks/init_alpine.yml b/roles/common/tasks/init_alpine.yml new file mode 100644 index 0000000..68689bc --- /dev/null +++ b/roles/common/tasks/init_alpine.yml @@ -0,0 +1,38 @@ + +# common ~~ tasks/init_alpine.yml +# specific tasks for Alpine initalization + +--- + +- name: Setup repositories for Alpine + shell: | + echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/main/" > /etc/apk/repositories + echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/community/" >> /etc/apk/repositories + echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/releases/" >> /etc/apk/repositories + +- name: Download virtio_vmmci + git: + repo: "https://github.com/voutilad/virtio_vmmci" + dest: /data/git/virtio_vmmci + +- name: Install virtio_vmmci + shell: make && make install && modprobe virtio_vmmci + args: + chdir: /data/git/virtio_vmmci + +- name: Enable virtio_vmmci module + shell: echo "virtio_vmmci" > /etc/modules-load.d/virtio_vmmci.conf + +- name: Download vmm_clock module + git: + repo: "https://github.com/voutilad/vmm_clock" + dest: /data/git/vmm_clock + +- name: Install vmm_clock module + shell: make && make install && modprobe vmm_clock + args: + chdir: /data/git/vmm_clock + +- name: Enable vmm_clock module + shell: echo "vmm_clock" > /etc/modules-load.d/vmm_clock.conf + diff --git a/roles/common/tasks/init_openbsd.yml b/roles/common/tasks/init_openbsd.yml new file mode 100644 index 0000000..d4dae41 --- /dev/null +++ b/roles/common/tasks/init_openbsd.yml 
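Review bot: the two new plays differ only in `hosts` and the `wg-quick` path, and the `alpine` one carries a play-level `ignore_errors: true` that hides a failed VPN bring-up for every task in the play. A single play against `servers` with `rc_cmd` set per distribution (for example in the `rc` role's vars, next to `rc_alpine_dir`/`rc_openbsd_dir`) would remove the duplication, and `ignore_errors` should be dropped or narrowed to the one task that is allowed to fail. Both plays run `wg-quick up {{ _i.dcontroller }}` as root, so a short comment stating that `_i.dcontroller` comes from trusted inventory would document the assumption.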
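Review bot: the `git:` tasks for `virtio_vmmci` and `vmm_clock` clone the default branch with no `version:`, and the following tasks `make install && modprobe` the result as root, so whatever the upstream branch head contains at run time becomes a loaded kernel module; pin each clone with `version: "<tag-or-commit>"` (placeholder) so the build is reproducible and an upstream change becomes a deliberate update. The `shell: echo ... > /etc/apk/repositories` and `/etc/modules-load.d/*.conf` tasks are not idempotent and report `changed` on every run; `copy:` with `content:` (or `lineinfile`) expresses the same thing declaratively. The `make && make install && modprobe` step is also unconditional; a `creates:` argument pointing at the installed module file would skip the rebuild once it is present.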
@@ -0,0 +1,10 @@ + +# common ~~ tasks/init_alpine.yml +# specific tasks for Openbsd initalization + +--- + +- name: Setup repositories for Openbsd + shell: echo "https://mirror.ungleich.ch/pub/OpenBSD/" > /etc/installurl + + diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index acbcb1c..1bc657f 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -3,38 +3,30 @@ --- -- name: Setup repositories for Alpine - shell: | - echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/main/" > /etc/apk/repositories - echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/community/" >> /etc/apk/repositories - echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/releases/" >> /etc/apk/repositories - when: "'alpine' in group_names" - -- name: Check installation of package "{{ item }}" +- name: Check installation of packages package: name: "{{ item }}" state: present + loop: "{{ common_packages +lookup('vars', 'common_packages_' + ansible_distribution | lower) }}" + ignore_errors: true +- name: Check existence of primary directory + file: + path: /data/{{ item }} + state: directory loop: - - "{{ packages.zsh }}" - - "{{ packages.curl }}" - - "{{ packages.tmux }}" - - "{{ packages.wget }}" - - "{{ packages.figlet }}" - - "{{ packages.neovim }}" - - "{{ packages.pip }}" - - util-linux - - shadow + - git - ignore_errors: yes +- include: "init_{{ ansible_distribution | lower }}.yml" + ignore_errors: true - name: Copy zshrc configuration file copy: src: zshrc dest: "{{ path_zshrc }}" owner: root - group: "{{ group.root }}" + group: "{{ group_root }}" mode: 0644 - name: Copy tmux configuration file @@ -42,7 +34,7 @@ src: tmux.conf dest: /etc/tmux.conf owner: root - group: "{{ group.root }}" + group: "{{ group_root }}" mode: 0644 - name: Synchronize host hostname with config hostname 
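Review bot: the header comment in the new `init_openbsd.yml` reads `# common ~~ tasks/init_alpine.yml`, a copy-paste leftover; it should be `# common ~~ tasks/init_openbsd.yml`. `shell: echo "..." > /etc/installurl` is not idempotent and reports `changed` every run; `copy:` with `dest: /etc/installurl` and `content: "https://mirror.ungleich.ch/pub/OpenBSD/\n"` produces the same file with a correct change status.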
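Review bot: `ignore_errors: true` on the `Check installation of packages` task masks every failed package install, so a missing package only surfaces later as a broken role; prefer letting it fail, or a `failed_when` narrowed to the packages known to be optional. The `loop:` concatenates `common_packages` with `lookup('vars', 'common_packages_' + ansible_distribution | lower)`, which on OpenBSD resolves to the empty `common_packages_openbsd:` key added in `roles/common/vars/main.yml` — a null, not a list — and `list + None` fails at template time, probably before `ignore_errors` can apply; declaring `common_packages_openbsd: []` avoids that. `- include:` is deprecated in favour of `include_tasks:` (the new `rc` role already uses it), and the `ignore_errors: true` on that include likely lets a failing `init_*.yml` go unnoticed as well.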
@@ -53,9 +45,6 @@ shell: awk -F ":" '{ if($3 == 0 || $3 > 999 && $3 < 16000) { print $1 }}' /etc/passwd register: valid_users_shell -- debug: - var: valid_users_shell.stdout - - name: Change shell for all valid users to zsh user: name: "{{ item }}" diff --git a/roles/common/vars/main.yml b/roles/common/vars/main.yml new file mode 100644 index 0000000..7cad228 --- /dev/null +++ b/roles/common/vars/main.yml @@ -0,0 +1,26 @@ + +# common ~~ vars/main.yml + +--- + +common_packages: + - zsh + - curl + - wget + - figlet + - neovim + - git + +common_packages_alpine: + # common packages + - tmux + - util-linux + - shadow + - wireguard-virt + - wireguard-tools + # vmm_clock module make dependcy + - gcc + - make + - linux-virt-dev + +common_packages_openbsd: diff --git a/roles/minecraft/tasks/main.yml b/roles/minecraft/tasks/main.yml new file mode 100644 index 0000000..56a9eed --- /dev/null +++ b/roles/minecraft/tasks/main.yml @@ -0,0 +1,41 @@ + +# minecraft ~~ tasks/main.yml + +--- + +- name: Check java installation + package: + name: openjdk11-jre + state: present + +- name: Create minecraft user + user: + name: "{{ minecraft_user }}" + group: "{{ minecraft_user }}" + +- name: Create minecraft directory + file: + path: "{{ minecraft_dir }}" + owner: "{{ minecraft_user }}" + group: "{{ minecraft_user }}" + state: directory + +- name: Download minecraft server + get_url: + url: "{{ minecraft_url }}" + dest: "{{ minecraft_dir }}/{{ minecraft_bin }}" + owner: "{{ minecraft_user }}" + +- name: Enable eula + become_user: "{{ minecraft_user }}" + shell: echo "eula=true" >> {{ minecraft_dir}}/eula.txt + +- name: Create rc script + include_role: + name: rc + vars: + rc_name: "minecraft" + rc_cmd: "/usr/bin/java" + rc_args: "-jar {{ minecraft_dir }}/{{ minecraft_bin }}" + rc_user: "{{ minecraft_user }}" + diff --git a/roles/minecraft/vars/main.yml b/roles/minecraft/vars/main.yml new file mode 100644 index 0000000..1fc2549 --- /dev/null +++ b/roles/minecraft/vars/main.yml 
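Review bot: `Download minecraft server` fetches `server.jar` with `get_url` and no `checksum:`, so the play runs whatever the URL serves at that moment; add `checksum: "sha256:<digest>"` (placeholder, taken from the PaperMC release) so a changed artifact fails the task instead of being launched as `{{ minecraft_user }}`. `Enable eula` appends `eula=true` on every run; `copy:` with `content: "eula=true\n"` and `owner: "{{ minecraft_user }}"` is idempotent and does not need `become_user`. `Create minecraft user` passes `group: "{{ minecraft_user }}"`, which the `user` module expects to exist already; on a fresh host a preceding `group:` task (or dropping the `group:` key) is needed — please confirm against the module's behaviour on Alpine.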
@@ -0,0 +1,9 @@ + +# minecraft ~~ vars/main.yml + +--- + +minecraft_user: "minecraft" +minecraft_dir: "/data/minecraft" +minecraft_bin: "server.jar" +minecraft_url: "https://papermc.io/api/v1/paper/1.16.4/274/download" diff --git a/roles/papermc/vars/main.yml b/roles/papermc/vars/main.yml deleted file mode 100644 index 9725e45..0000000 --- a/roles/papermc/vars/main.yml +++ /dev/null @@ -1,11 +0,0 @@ - -# papermc ~~ tasks/main.yml - ---- - -- name: Download latest java - package: - name: java - state: latest - -- name: Download latest papermc diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml index 51471c5..c48c728 100644 --- a/roles/pf/tasks/main.yml +++ b/roles/pf/tasks/main.yml @@ -24,11 +24,3 @@ delay: 2 state: started -- name: Add cron job for pf - cron: - cron_file: /etc/crontab - name: "Reload pf configuration" - user: root - job: "/sbin/pfctl -f /etc/pf.conf > /dev/nul 2>&1" - minute: "*" - diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2 index 6d67f4f..42b0bea 100644 --- a/roles/pf/templates/pf.conf.j2 +++ b/roles/pf/templates/pf.conf.j2 @@ -16,6 +16,18 @@ block all pass in quick on egress proto {{ service["proto"] }} to port {{ service["port"] }} {% endfor %} +# redirection +{% for h in groups["all"] %} +{% set h = hostvars[h] %} +{##} +{% if h.services is defined %} +{% for service in h.services if h.ansible_host != "dcontroller" and service.public is defined and service.public%} +pass in on egress proto { {{ service.proto }} } from any to any port {{ service.port }} rdr-to {{ h.ip.in }} +{% endfor %} +{% endif %} +{##} +{% endfor %} + # * # sub-config. by Ansible # * diff --git a/roles/rc/tasks/main.yml b/roles/rc/tasks/main.yml new file mode 100644 index 0000000..ef8d4f3 --- /dev/null +++ b/roles/rc/tasks/main.yml @@ -0,0 +1,7 @@ + +# openrc ~~ tasks/main.yml + +--- + +- include_tasks: "rc_{{ ansible_distribution | lower }}.yml" + 
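Review bot: the generated redirection rule matches `from any to any port {{ service.port }}`, so any packet arriving on `egress` for that port is redirected regardless of its destination address; `to (egress)` (or the host's public address) is the usual form and keeps the rule from catching forwarded or transit traffic. The `{% for service in h.services if h.ansible_host != "dcontroller" ... %}` test hard-codes the controller name while the `wireguard` tasks in this commit use `_i.dcontroller`; use the variable here too. `{% set h = hostvars[h] %}` rebinds the loop variable to a different type inside the loop, which reads badly; `{% for name in groups["all"] %}{% set h = hostvars[name] %}` says the same thing clearly. The braces around `{{ service.proto }}` do accept the `"tcp, udp"` value from the inventory, so that part is fine as long as only this template consumes it.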
diff --git a/roles/rc/tasks/rc_alpine.yml b/roles/rc/tasks/rc_alpine.yml new file mode 100644 index 0000000..7d35528 --- /dev/null +++ b/roles/rc/tasks/rc_alpine.yml @@ -0,0 +1,21 @@ + +# openrc ~~ tasks/main.yml + +--- + +- name: Generate rc script for desired service + template: + src: rc_alpine.j2 + dest: "{{ rc_alpine_dir }}/{{ rc_name }}" + +- file: + path: "{{ rc_alpine_dir }}/{{ rc_name }}" + owner: "root" + group: "{{ group_root }}" + mode: "0755" + +- service: + name: "{{ rc_name }}" + state: started + enabled: true + diff --git a/roles/rc/tasks/rc_openbsd.yml b/roles/rc/tasks/rc_openbsd.yml new file mode 100644 index 0000000..3d89e55 --- /dev/null +++ b/roles/rc/tasks/rc_openbsd.yml @@ -0,0 +1,21 @@ + +# openrc ~~ tasks/main.yml + +--- + +- name: Generate rc script for desired service + template: + src: rc_openbsd.j2 + dest: "{{ rc_openbsd_dir }}/{{ rc_name }}" + +- file: + path: "{{ rc_openbsd_dir }}/{{ rc_name }}" + owner: "root" + group: "{{ group_root }}" + mode: "0555" + +- service: + name: "{{ rc_name }}" + state: started + enabled: true + diff --git a/roles/rc/templates/rc_alpine.j2 b/roles/rc/templates/rc_alpine.j2 new file mode 100644 index 0000000..217cd05 --- /dev/null +++ b/roles/rc/templates/rc_alpine.j2 @@ -0,0 +1,7 @@ +#!/sbin/openrc-run +# +# managed by Ansible + +command="{{ rc_cmd }}" +command_args="{{ rc_args }}" +user="{{ rc_user }}" diff --git a/roles/rc/templates/rc_openbsd.j2 b/roles/rc/templates/rc_openbsd.j2 new file mode 100644 index 0000000..30f1c0a --- /dev/null +++ b/roles/rc/templates/rc_openbsd.j2 @@ -0,0 +1,11 @@ +#!/bin/ksh +# +# managed by Ansible + +daemon="{{ rc_cmd }}" +daemon_flags="{{ rc_args }}" +daemon_user="{{ rc_user }}" + +. /etc/rc.d/rc.subr + +rc_cmd $1 diff --git a/roles/rc/vars/main.yml b/roles/rc/vars/main.yml new file mode 100644 index 0000000..1ec55c3 --- /dev/null +++ b/roles/rc/vars/main.yml @@ -0,0 +1,7 @@ + +# openrc ~~ vars/main.yml + +--- + +rc_alpine_dir: "/etc/init.d" +rc_openbsd_dir: "/etc/rc.d" 
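Review bot: the `template:` task in `rc_alpine.yml` (and identically in `rc_openbsd.yml`) is followed by a separate `file:` task only to set `owner`/`group`/`mode`; `template` takes those arguments directly, so `owner: root`, `group: "{{ group_root }}"`, `mode: "0755"` belong on the `template:` task and the `file:` task can go. The unnamed `file:` and `service:` tasks should carry a `name:` like the first one so run output is readable. The header comment `# openrc ~~ tasks/main.yml` is copied verbatim into `rc_alpine.yml`, `rc_openbsd.yml` and `vars/main.yml`; each file should name itself.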
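Review bot: `user="{{ rc_user }}"` in `rc_alpine.j2` is not an openrc-run variable, so the service starts as root and the `rc_user` passed by the minecraft role has no effect on Alpine; the variable OpenRC honours is `command_user="{{ rc_user }}"`. A long-running command such as the Java server also needs `command_background=true` together with `pidfile="/run/{{ rc_name }}.pid"`, otherwise `rc-service start` blocks in the foreground; `wg-quick up` exits on its own, so an `{% if %}` on a per-service background flag would let one template serve both. The OpenBSD counterpart `rc_openbsd.j2` uses `daemon_user`, which rc.subr does honour.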
diff --git a/roles/wireguard/tasks/generate.yml b/roles/wireguard/tasks/generate.yml index e3264ef..6e60a92 100644 --- a/roles/wireguard/tasks/generate.yml +++ b/roles/wireguard/tasks/generate.yml @@ -34,7 +34,6 @@ - { name: "{{ ansible_host }}", path: /etc/wireguard/dcontroller.conf } - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host}}.conf" } ignore_unreachable: true - failed_when: 1 == 2 - name: Generate server configuration template: @@ -49,7 +48,7 @@ - name: Generate server interface template: - src: templates/hostname.tun0.j2 + src: templates/hostname.j2 dest: /etc/hostname.tun0 when: ansible_host == _i.dcontroller - + diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml index be9e57c..9e23fa7 100644 --- a/roles/wireguard/tasks/main.yml +++ b/roles/wireguard/tasks/main.yml 
@@ -1,9 +1,57 @@ - # wireguard ~~ tasks/main.yml --- - include: set_facts.yml -- include: generate.yml +- stat: + path: "{{ wg_host_keys }}" + register: stat_host_keys + delegate_to: localhost + +- name: Generate domain keys + shell: | + umask 077 + wg genkey | tee "{{ wg_host_keys }}" | wg pubkey >> "{{ wg_host_keys }}" + args: + chdir: "{{ wg_dir }}" + when: not stat_host_keys.stat.exists or force is defined and force + delegate_to: localhost + +- name: Create wireguard dir on remote host + file: + path: /etc/wireguard + owner: root + state: directory + mode: "0700" + ignore_unreachable: true + +- name: Generate client configuration + template: + src: templates/host.conf.j2 + dest: "{{ item.path }}" + mode: "0600" + when: ansible_host != _i.dcontroller + delegate_to: "{{ item.name }}" + loop: + - { name: "{{ ansible_host }}", path: /etc/wireguard/dcontroller.conf } + - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host}}.conf" } + ignore_unreachable: true + +- name: Generate server configuration + template: + src: templates/dcontroller.conf.j2 + dest: "{{ item.path }}" + mode: "0600" + when: ansible_host == _i.dcontroller + delegate_to: "{{ item.name }}" + loop: + - { name: "{{ ansible_host }}", path: /etc/wireguard/dcontroller.conf } + - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host}}.conf" } + +- name: Generate server interface + template: + src: templates/hostname.j2 + dest: /etc/hostname.tun0 + when: ansible_host == _i.dcontroller diff --git a/roles/wireguard/templates/dcontroller.conf.j2 b/roles/wireguard/templates/dcontroller.conf.j2 index c1fd887..5771ef6 100644 --- a/roles/wireguard/templates/dcontroller.conf.j2 +++ b/roles/wireguard/templates/dcontroller.conf.j2 @@ -1,5 +1,5 @@ -# wireguard client configuration ~~ /etc/wireguard/*.conf +# wireguard dcontroller configuration ~~ /etc/wireguard/*.conf # managed by Ansible {% set dcontroller_keys = lookup("file", wg_dcontroller_keys).splitlines() %} 
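Review bot: the key-generation task writes the private key to `{{ wg_host_keys }}` under `umask 077`, which is right, but `when: not stat_host_keys.stat.exists or force is defined and force` relies on Jinja precedence (`not` and `and` bind before `or`); `when: not stat_host_keys.stat.exists or (force | default(false) | bool)` reads as intended and also accepts `-e force=yes`. The client/server `template` tasks copied here still exist in `roles/wireguard/tasks/generate.yml`, which is no longer included (`- include: generate.yml` is removed at the top of the hunk), so that file is now dead code that will drift; delete it or keep the include. `- include: set_facts.yml` should become `include_tasks:`, and while `/etc/wireguard` gets `mode: "0700"`, the localhost copies written to `{{ wg_dir }}` contain private keys as well and inherit whatever mode that directory has — confirm it is not group- or world-readable.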
diff --git a/roles/wireguard/templates/host.conf.j2 b/roles/wireguard/templates/host.conf.j2 index c25d937..2a5acc5 100644 --- a/roles/wireguard/templates/host.conf.j2 +++ b/roles/wireguard/templates/host.conf.j2 @@ -5,7 +5,7 @@ {% set dcontroller_keys = lookup("file", wg_dcontroller_keys).splitlines() %} [Interface] -Address = {{ ip.in }} +Address = {{ ip.in }}, fd00:10:10::{{ ip.in.split(".")[3] }} PrivateKey = {{ host_keys[0] }} [Peer] diff --git a/roles/wireguard/templates/hostname.tun0.j2 b/roles/wireguard/templates/hostname.j2 index 3903ccb..3903ccb 100644 --- a/roles/wireguard/templates/hostname.tun0.j2 +++ b/roles/wireguard/templates/hostname.j2 |
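Review bot: `Address` now adds `fd00:10:10::{{ ip.in.split(".")[3] }}`, which reuses the decimal last octet as hex digits (`.60` becomes `::60`, i.e. 96); that stays unique across hosts but deserves a template comment such as `{# v6 suffix reuses the v4 last octet as hex digits; unique, not numerically equal #}`. For the address to carry traffic the controller side must list the matching `fd00:10:10::X/128` in that peer's `AllowedIPs`; `dcontroller.conf.j2` is touched in this commit only for its header comment, so confirm its `[Peer]` entries were extended as well.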