8 files changed, 194 insertions, 0 deletions

diff --git a/ansible/inventory/host_vars/mailmash/backup.yml b/ansible/inventory/host_vars/mailmash/backup.yml
new file mode 100644
index 0000000..aa5fcc4
--- /dev/null
+++ b/ansible/inventory/host_vars/mailmash/backup.yml
@@ -0,0 +1,18 @@
+---
+backup:
+  # Define a host in your ~/.ssh/config with username, host, and private key.
+  # Maintaining your ~/.ssh/config is out of scope for our implementation here.
+  host: rsn-backup
+
+  # directories to backup can be amended at any time
+  dirs:
+    - /var/mail
+    - /var/lib/fail2ban
+    - /var/lib/redis
+
+  # phrase is from: borg init --remote-path=borg1 --encryption=repokey-blake2 rsn-backup:mailmash
+  phrase: your phrase goes here
+
+  # your runAs user should be able to ssh to the backup host without a password
+  # (remote login user is configured by Host->User in this user's ~/.ssh/config)
+  runAs: root
diff --git a/ansible/inventory/host_vars/mailmash/certs.yml b/ansible/inventory/host_vars/mailmash/certs.yml
new file mode 100644
index 0000000..fd6dde0
--- /dev/null
+++ b/ansible/inventory/host_vars/mailmash/certs.yml
@@ -0,0 +1,13 @@
+---
+certs:
+  # Copy only these private keys and certs from ansible into the system
+  requested:
+    - yourmail.server.com
+
+  # we receive our certs by scp from the main cert hosting service elsewhere
+  receiver: true
+
+  # These users have ansible-controlled ssh private keys
+  # (mainly for automated backups right now)
+  sshKeysForUsers:
+    - root
diff --git a/ansible/inventory/host_vars/mailmash/network.yml b/ansible/inventory/host_vars/mailmash/network.yml
new file mode 100644
index 0000000..e290f7b
--- /dev/null
+++ b/ansible/inventory/host_vars/mailmash/network.yml
@@ -0,0 +1,37 @@
+---
+network:
+  # These interface names are used to pull IP addresses into templates.
+  # interface.public has the IP we use to open ports to the world (mail, web, etc)
+  # interface.private has the IP for private services (ssh login, reporting, etc)
+  # Right now we don't support multiple IPs per interface, we just grab the IPv4
+  # address as presented by ansible fact e.g. 'ansible_{{interface.public}}.ipv4.address'
+  interface:
+    private: ens3
+    public: ens4
+  hostname:
+    # network.hostname.public is used populate templates with
+    # server's public hostname, including:
+    #   - TLS certs to use with this pattern:
+    #     /etc/ssl/[hostname]-cert-combined.pem
+    #     /etc/ssl/[hostname]-key.pem
+    #   - Postfix config parameter "myhostname"
+    public: yourmail.server.com
+
+  # Below is almost (almost!) the netplan schema with three changes:
+  # - only one "interface" per system because ansible can't seem to generate multiple
+  #   templates from one yaml dict?
+  # - so, the 'interface' key is added, other wise it would just be ethernets: ens4: ...
+  # - also, 'addresses' needs per-address broadcast, so addresses are now lists
+  #   of dicts, so 'ip' is a new name as is 'broadcast'
+  ethernets:
+      interface: ens4
+      macaddress: 02:00:00:7d:ca:ab
+      networks:
+        - subnet: 4.4.4.0/30
+          gateway: 5.5.5.5
+      addresses:
+        - 4.4.4.4/32
+      routes:
+        - to: 0.0.0.0/0
+          via: 5.5.5.5
+          on-link: true
diff --git a/ansible/inventory/host_vars/mailmash/sieve.yml b/ansible/inventory/host_vars/mailmash/sieve.yml
new file mode 100644
index 0000000..635fb4e
--- /dev/null
+++ b/ansible/inventory/host_vars/mailmash/sieve.yml
@@ -0,0 +1,9 @@
+---
+sieve:
+  users:
+    # username field is the filename [username].sieve in files/
+    # The sieve file gets stored in vmail user directory [domain]/[user]/sieve/
+    # We could improve this because it's clearly redundant...
+    - username: [email protected]
+      domain: server.com
+      user: username
diff --git a/ansible/inventory/host_vars/webby/certs.yml b/ansible/inventory/host_vars/webby/certs.yml
new file mode 100644
index 0000000..c38b80d
--- /dev/null
+++ b/ansible/inventory/host_vars/webby/certs.yml
@@ -0,0 +1,23 @@
+---
+certs:
+  # Copy only these private keys and certs from ansible into the system
+  keyTypes:
+    - rsa2048
+    - prime256v1
+
+# requested can EITHER be:
+# - just a list of hostnames (then we depoly all 'keyTypes' for each hostname)
+# - or, a mapping of, e.g.:
+#   - host: example1.com
+#     type: rsa2048
+#   - host: example1.com
+#     type: prime256v1
+  required:
+    - example1.com
+    - example2.com
+    - example3.com
+
+  # These users have ansible-controlled ssh private keys
+  # (mainly for automated backups right now)
+  sshKeysForUsers: []
+  #  - root
diff --git a/ansible/inventory/host_vars/webby/network.yml b/ansible/inventory/host_vars/webby/network.yml
new file mode 100644
index 0000000..39eb141
--- /dev/null
+++ b/ansible/inventory/host_vars/webby/network.yml
@@ -0,0 +1,12 @@
+---
+network:
+  # These interface names are used to pull IP addresses into templates.
+  # interface.public has the IP we use to open ports to the world (mail, web, etc)
+  # interface.private has the IP for private services (ssh login, reporting, etc)
+  # Right now we don't support multiple IPs per interface, we just grab the IPv4
+  # address as presented by ansible fact e.g. 'ansible_{{interface.public}}.ipv4.address'
+  interface:
+    private: ens3
+    public: ens4
+  hostname:
+    public: webby
diff --git a/ansible/inventory/host_vars/webby/nginx.yml b/ansible/inventory/host_vars/webby/nginx.yml
new file mode 100644
index 0000000..87976dc
--- /dev/null
+++ b/ansible/inventory/host_vars/webby/nginx.yml
@@ -0,0 +1,77 @@
+---
+nginx:
+  # Google webmaster tools wants this same filename on all hosts
+  google:
+    siteKey: googleYOURKEYHERE
+    siteKeyServeDir: /srv/web/files/
+
+  # ssl can be "modern" or "tls13" or anything else means default
+  ssl: default
+
+  # These configs are directly uploaded as saved config files from files/nginx/<sitename>
+  complex:
+    - example4.com
+    - example5.com
+
+  basic: []
+  # These configs are generated by template description below.
+  # 'customConfig' is nginx directives placed for your http2 server block.
+  #  basic:
+  #    - domain: "example.com"
+  #      uri:
+  #        - path: /
+  #
+  #    - domain: example2.com
+  #      uri:
+  #        - path: /
+  #          appServer: "http://127.0.0.1:7780"
+  #      customConfig: |
+  #          keepalive_timeout 5 5;
+  #          keepalive_requests 200;
+  #
+  #          proxy_intercept_errors on;
+  #          error_page 502 =503 @noserver;
+  #          error_page 503 =503 @noserver;
+  #          error_page 504 =503 @noserver;
+  #
+  #          location @noserver {
+  #            root /home/matt/repos/matt-prod/priv;
+  #            charset utf-8;
+  #            rewrite ^(.*)$ /noserver.txt break;
+  #          }
+  #
+  #          location /src/ {
+  #            proxy_pass http://127.0.0.1:7780/$request_uri;
+  #            add_header Cache-Control public;
+  #            expires +5m;
+  #            if ($args) {
+  #              expires +1y;
+  #            }
+  #          }
+  #
+  #          location /style {
+  #            proxy_pass http://127.0.0.1:7780/$request_uri;
+  #            add_header Cache-Control public;
+  #            expires +5m;
+  #            if ($args) {
+  #              expires +1y;
+  #            }
+  #          }
+  #
+  #          location /js {
+  #            proxy_pass http://127.0.0.1:7780/$request_uri;
+  #            add_header Cache-Control public;
+  #            expires +5m;
+  #            if ($args) {
+  #              expires +1y;
+  #            }
+  #          }
+  #
+  #          location /favicon.ico {
+  #            empty_gif;
+  #          }
+  #
+  #          location /files {
+  #            expires max;
+  #            root /srv/web/matt.sh;
+  #          }
diff --git a/ansible/inventory/inventory b/ansible/inventory/inventory
new file mode 100644
index 0000000..3999869
--- /dev/null
+++ b/ansible/inventory/inventory
@@ -0,0 +1,5 @@
+[mail]
+mailmash ansible_python_interpreter=/usr/bin/python3
+
+[web]
+webby ansible_python_interpreter=/usr/bin/python3