Diffstat (limited to 'ansible/inventory')
-rw-r--r-- | ansible/inventory/host_vars/mailmash/backup.yml | 18 | ||||
-rw-r--r-- | ansible/inventory/host_vars/mailmash/certs.yml | 13 | ||||
-rw-r--r-- | ansible/inventory/host_vars/mailmash/network.yml | 37 | ||||
-rw-r--r-- | ansible/inventory/host_vars/mailmash/sieve.yml | 9 | ||||
-rw-r--r-- | ansible/inventory/host_vars/webby/certs.yml | 23 | ||||
-rw-r--r-- | ansible/inventory/host_vars/webby/network.yml | 12 | ||||
-rw-r--r-- | ansible/inventory/host_vars/webby/nginx.yml | 77 | ||||
-rw-r--r-- | ansible/inventory/inventory | 5 |
8 files changed, 194 insertions, 0 deletions
diff --git a/ansible/inventory/host_vars/mailmash/backup.yml b/ansible/inventory/host_vars/mailmash/backup.yml new file mode 100644 index 0000000..aa5fcc4 --- /dev/null +++ b/ansible/inventory/host_vars/mailmash/backup.yml | |||
@@ -0,0 +1,18 @@ | |||
1 | --- | ||
2 | backup: | ||
3 | # Define a host in your ~/.ssh/config with username, host, and private key. | ||
4 | # Maintaining your ~/.ssh/config is out of scope for our implementation here. | ||
5 | host: rsn-backup | ||
6 | |||
7 | # directories to backup can be amended at any time | ||
8 | dirs: | ||
9 | - /var/mail | ||
10 | - /var/lib/fail2ban | ||
11 | - /var/lib/redis | ||
12 | |||
13 | # phrase is from: borg init --remote-path=borg1 --encryption=repokey-blake2 rsn-backup:mailmash | ||
14 | phrase: your phrase goes here | ||
15 | |||
16 | # your runAs user should be able to ssh to the backup host without a password | ||
17 | # (remote login user is configured by Host->User in this user's ~/.ssh/config) | ||
18 | runAs: root | ||
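Review bot: `phrase` on line 14 is the borg repokey passphrase committed as a plain inventory variable; the placeholder is harmless, but the file shape invites the real secret into git history. Keep it out of the repo with an `ansible-vault`-encrypted value (`phrase: !vault |` followed by the vault ciphertext) or a `lookup('env', ...)`, and quote it either way, since a passphrase containing `: ` or ` #` changes how a plain scalar parses. `runAs: root` on line 18 together with passwordless SSH to `rsn-backup` makes root's SSH key a credential for all of the listed directories; a comment stating that the `Host` entry should point at a backup-only account on the remote side (borg's `--restrict-to-repository` style restriction) rather than a general login would document that expectation.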
diff --git a/ansible/inventory/host_vars/mailmash/certs.yml b/ansible/inventory/host_vars/mailmash/certs.yml new file mode 100644 index 0000000..fd6dde0 --- /dev/null +++ b/ansible/inventory/host_vars/mailmash/certs.yml | |||
@@ -0,0 +1,13 @@ | |||
1 | --- | ||
2 | certs: | ||
3 | # Copy only these private keys and certs from ansible into the system | ||
4 | requested: | ||
5 | - yourmail.server.com | ||
6 | |||
7 | # we receive our certs by scp from the main cert hosting service elsewhere | ||
8 | receiver: true | ||
9 | |||
10 | # These users have ansible-controlled ssh private keys | ||
11 | # (mainly for automated backups right now) | ||
12 | sshKeysForUsers: | ||
13 | - root | ||
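Review bot: the two certs files disagree on the key name: this file uses `requested:` (line 4) while webby/certs.yml declares `required:` (line 15) under a comment that itself says `requested`; whichever spelling the certs role reads, the other host silently gets no certs deployed. Use one name in both files (`requested:` matches both comments). `sshKeysForUsers: - root` also places an ansible-managed private key in root's `~/.ssh`; the source of that key is not visible here, so a comment stating that it must come from a vault-encrypted file rather than a plain file under `files/` would be worth adding.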
diff --git a/ansible/inventory/host_vars/mailmash/network.yml b/ansible/inventory/host_vars/mailmash/network.yml new file mode 100644 index 0000000..e290f7b --- /dev/null +++ b/ansible/inventory/host_vars/mailmash/network.yml | |||
@@ -0,0 +1,37 @@ | |||
1 | --- | ||
2 | network: | ||
3 | # These interface names are used to pull IP addresses into templates. | ||
4 | # interface.public has the IP we use to open ports to the world (mail, web, etc) | ||
5 | # interface.private has the IP for private services (ssh login, reporting, etc) | ||
6 | # Right now we don't support multiple IPs per interface, we just grab the IPv4 | ||
7 | # address as presented by ansible fact e.g. 'ansible_{{interface.public}}.ipv4.address' | ||
8 | interface: | ||
9 | private: ens3 | ||
10 | public: ens4 | ||
11 | hostname: | ||
12 | # network.hostname.public is used populate templates with | ||
13 | # server's public hostname, including: | ||
14 | # - TLS certs to use with this pattern: | ||
15 | # /etc/ssl/[hostname]-cert-combined.pem | ||
16 | # /etc/ssl/[hostname]-key.pem | ||
17 | # - Postfix config parameter "myhostname" | ||
18 | public: yourmail.server.com | ||
19 | |||
20 | # Below is almost (almost!) the netplan schema with three changes: | ||
21 | # - only one "interface" per system because ansible can't seem to generate multiple | ||
22 | # templates from one yaml dict? | ||
23 | # - so, the 'interface' key is added, other wise it would just be ethernets: ens4: ... | ||
24 | # - also, 'addresses' needs per-address broadcast, so addresses are now lists | ||
25 | # of dicts, so 'ip' is a new name as is 'broadcast' | ||
26 | ethernets: | ||
27 | interface: ens4 | ||
28 | macaddress: 02:00:00:7d:ca:ab | ||
29 | networks: | ||
30 | - subnet: 4.4.4.0/30 | ||
31 | gateway: 5.5.5.5 | ||
32 | addresses: | ||
33 | - 4.4.4.4/32 | ||
34 | routes: | ||
35 | - to: 0.0.0.0/0 | ||
36 | via: 5.5.5.5 | ||
37 | on-link: true | ||
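Review bot: `macaddress: 02:00:00:7d:ca:ab` on line 28 is an unquoted plain scalar; this particular value contains hex letters so it stays a string, but an all-digit MAC such as `12:34:56:10:20:30` (constructed example) is read as a base-60 integer under PyYAML's YAML 1.1 rules, which Ansible uses. Quote it: `macaddress: "02:00:00:7d:ca:ab"`. The public interface name is also stated twice (`interface.public` on line 10 and `ethernets.interface` on line 27); a comment that the two must agree, or deriving one from the other in the template, would keep them from drifting.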
diff --git a/ansible/inventory/host_vars/mailmash/sieve.yml b/ansible/inventory/host_vars/mailmash/sieve.yml new file mode 100644 index 0000000..635fb4e --- /dev/null +++ b/ansible/inventory/host_vars/mailmash/sieve.yml | |||
@@ -0,0 +1,9 @@ | |||
1 | --- | ||
2 | sieve: | ||
3 | users: | ||
4 | # username field is the filename [username].sieve in files/ | ||
5 | # The sieve file gets stored in vmail user directory [domain]/[user]/sieve/ | ||
6 | # We could improve this because it's clearly redundant... | ||
7 | - username: [email protected] | ||
8 | domain: server.com | ||
9 | user: username | ||
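Review bot: `username:` on line 7 appears as `[email protected]` in this rendering, a value that starts with `[` and would be parsed as a flow sequence rather than a string; if the real value is an address (`user@server.com`, constructed), quote it: `- username: 'user@server.com'`. The `domain` and `user` fields repeat what the address already contains, as the comment admits; deriving them in the template with `split('@')` would remove the chance of the three drifting apart.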
diff --git a/ansible/inventory/host_vars/webby/certs.yml b/ansible/inventory/host_vars/webby/certs.yml new file mode 100644 index 0000000..c38b80d --- /dev/null +++ b/ansible/inventory/host_vars/webby/certs.yml | |||
@@ -0,0 +1,23 @@ | |||
1 | --- | ||
2 | certs: | ||
3 | # Copy only these private keys and certs from ansible into the system | ||
4 | keyTypes: | ||
5 | - rsa2048 | ||
6 | - prime256v1 | ||
7 | |||
8 | # requested can EITHER be: | ||
9 | # - just a list of hostnames (then we depoly all 'keyTypes' for each hostname) | ||
10 | # - or, a mapping of, e.g.: | ||
11 | # - host: example1.com | ||
12 | # type: rsa2048 | ||
13 | # - host: example1.com | ||
14 | # type: prime256v1 | ||
15 | required: | ||
16 | - example1.com | ||
17 | - example2.com | ||
18 | - example3.com | ||
19 | |||
20 | # These users have ansible-controlled ssh private keys | ||
21 | # (mainly for automated backups right now) | ||
22 | sshKeysForUsers: [] | ||
23 | # - root | ||
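Review bot: the comment above `keyTypes:` (line 3) is copied from the mailmash certs file and describes the hostname list, not key types; suggest `# Key types deployed for each requested hostname (one cert/key pair per type)`. The block comment on lines 8-14 also has `depoly` for `deploy`.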
diff --git a/ansible/inventory/host_vars/webby/network.yml b/ansible/inventory/host_vars/webby/network.yml new file mode 100644 index 0000000..39eb141 --- /dev/null +++ b/ansible/inventory/host_vars/webby/network.yml | |||
@@ -0,0 +1,12 @@ | |||
1 | --- | ||
2 | network: | ||
3 | # These interface names are used to pull IP addresses into templates. | ||
4 | # interface.public has the IP we use to open ports to the world (mail, web, etc) | ||
5 | # interface.private has the IP for private services (ssh login, reporting, etc) | ||
6 | # Right now we don't support multiple IPs per interface, we just grab the IPv4 | ||
7 | # address as presented by ansible fact e.g. 'ansible_{{interface.public}}.ipv4.address' | ||
8 | interface: | ||
9 | private: ens3 | ||
10 | public: ens4 | ||
11 | hostname: | ||
12 | public: webby | ||
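Review bot: `hostname.public: webby` on line 12 is a bare short name, while the mailmash network.yml documents that `network.hostname.public` is substituted into `/etc/ssl/[hostname]-cert-combined.pem` and `/etc/ssl/[hostname]-key.pem`; if the same templates run on this host they will look for `/etc/ssl/webby-cert-combined.pem`, which does not match the FQDN-style names under webby's certs list (example1.com and so on). Either set the FQDN here or add a comment stating that webby's templates do not use this key for cert paths. This file also omits the `ethernets:` block mailmash has; if the netplan template is skipped for this host, a one-line comment saying so would save the next reader a search.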
diff --git a/ansible/inventory/host_vars/webby/nginx.yml b/ansible/inventory/host_vars/webby/nginx.yml new file mode 100644 index 0000000..87976dc --- /dev/null +++ b/ansible/inventory/host_vars/webby/nginx.yml | |||
@@ -0,0 +1,77 @@ | |||
1 | --- | ||
2 | nginx: | ||
3 | # Google webmaster tools wants this same filename on all hosts | ||
4 | google: | ||
5 | siteKey: googleYOURKEYHERE | ||
6 | siteKeyServeDir: /srv/web/files/ | ||
7 | |||
8 | # ssl can be "modern" or "tls13" or anything else means default | ||
9 | ssl: default | ||
10 | |||
11 | # These configs are directly uploaded as saved config files from files/nginx/<sitename> | ||
12 | complex: | ||
13 | - example4.com | ||
14 | - example5.com | ||
15 | |||
16 | basic: [] | ||
17 | # These configs are generated by template description below. | ||
18 | # 'customConfig' is nginx directives placed for your http2 server block. | ||
19 | # basic: | ||
20 | # - domain: "example.com" | ||
21 | # uri: | ||
22 | # - path: / | ||
23 | # | ||
24 | # - domain: example2.com | ||
25 | # uri: | ||
26 | # - path: / | ||
27 | # appServer: "http://127.0.0.1:7780" | ||
28 | # customConfig: | | ||
29 | # keepalive_timeout 5 5; | ||
30 | # keepalive_requests 200; | ||
31 | # | ||
32 | # proxy_intercept_errors on; | ||
33 | # error_page 502 =503 @noserver; | ||
34 | # error_page 503 =503 @noserver; | ||
35 | # error_page 504 =503 @noserver; | ||
36 | # | ||
37 | # location @noserver { | ||
38 | # root /home/matt/repos/matt-prod/priv; | ||
39 | # charset utf-8; | ||
40 | # rewrite ^(.*)$ /noserver.txt break; | ||
41 | # } | ||
42 | # | ||
43 | # location /src/ { | ||
44 | # proxy_pass http://127.0.0.1:7780/$request_uri; | ||
45 | # add_header Cache-Control public; | ||
46 | # expires +5m; | ||
47 | # if ($args) { | ||
48 | # expires +1y; | ||
49 | # } | ||
50 | # } | ||
51 | # | ||
52 | # location /style { | ||
53 | # proxy_pass http://127.0.0.1:7780/$request_uri; | ||
54 | # add_header Cache-Control public; | ||
55 | # expires +5m; | ||
56 | # if ($args) { | ||
57 | # expires +1y; | ||
58 | # } | ||
59 | # } | ||
60 | # | ||
61 | # location /js { | ||
62 | # proxy_pass http://127.0.0.1:7780/$request_uri; | ||
63 | # add_header Cache-Control public; | ||
64 | # expires +5m; | ||
65 | # if ($args) { | ||
66 | # expires +1y; | ||
67 | # } | ||
68 | # } | ||
69 | # | ||
70 | # location /favicon.ico { | ||
71 | # empty_gif; | ||
72 | # } | ||
73 | # | ||
74 | # location /files { | ||
75 | # expires max; | ||
76 | # root /srv/web/matt.sh; | ||
77 | # } | ||
diff --git a/ansible/inventory/inventory b/ansible/inventory/inventory new file mode 100644 index 0000000..3999869 --- /dev/null +++ b/ansible/inventory/inventory | |||
@@ -0,0 +1,5 @@ | |||
1 | [mail] | ||
2 | mailmash ansible_python_interpreter=/usr/bin/python3 | ||
3 | |||
4 | [web] | ||
5 | webby ansible_python_interpreter=/usr/bin/python3 | ||