From 1204730924436ef9e1c7c49c9557837f9a5ed0e8 Mon Sep 17 00:00:00 2001
From: clarkzjw
Date: Wed, 8 Feb 2023 00:40:09 -0800
Subject: fork https://github.com/mattsta/mailweb

---
ansible/inventory/host_vars/mailmash/backup.yml | 18 ++++++
ansible/inventory/host_vars/mailmash/certs.yml | 13 ++++
ansible/inventory/host_vars/mailmash/network.yml | 37 ++++++++++++
ansible/inventory/host_vars/mailmash/sieve.yml | 9 +++
ansible/inventory/host_vars/webby/certs.yml | 23 +++++++
ansible/inventory/host_vars/webby/network.yml | 12 ++++
ansible/inventory/host_vars/webby/nginx.yml | 77 ++++++++++++++++++++++++
7 files changed, 189 insertions(+)
create mode 100644 ansible/inventory/host_vars/mailmash/backup.yml
create mode 100644 ansible/inventory/host_vars/mailmash/certs.yml
create mode 100644 ansible/inventory/host_vars/mailmash/network.yml
create mode 100644 ansible/inventory/host_vars/mailmash/sieve.yml
create mode 100644 ansible/inventory/host_vars/webby/certs.yml
create mode 100644 ansible/inventory/host_vars/webby/network.yml
create mode 100644 ansible/inventory/host_vars/webby/nginx.yml
(limited to 'ansible/inventory/host_vars')

diff --git a/ansible/inventory/host_vars/mailmash/backup.yml b/ansible/inventory/host_vars/mailmash/backup.yml
new file mode 100644
index 0000000..aa5fcc4
--- /dev/null
+++ b/ansible/inventory/host_vars/mailmash/backup.yml
@@ -0,0 +1,18 @@
+---
+backup:
+ # Define a host in your ~/.ssh/config with username, host, and private key.
+ # Maintaining your ~/.ssh/config is out of scope for our implementation here.
+ host: rsn-backup
+
+ # directories to backup can be amended at any time
+ dirs:
+ - /var/mail
+ - /var/lib/fail2ban
+ - /var/lib/redis
+
+ # phrase is from: borg init --remote-path=borg1 --encryption=repokey-blake2 rsn-backup:mailmash
+ phrase: your phrase goes here
+
+ # your runAs user should be able to ssh to the backup host without a password
+ # (remote login user is configured by Host->User in this user's ~/.ssh/config)
+ runAs: root
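Review bot: `phrase: your phrase goes here` keeps the borg repokey passphrase as a plaintext inventory value, so once a real value is filled in it sits in git history next to the backup host name and the directory list. Keep the secret out of host_vars by pointing at an ansible-vault-encrypted variable, e.g. `phrase: "{{ vault_backup_phrase }}"` (variable name illustrative), and say so in the comment above it. Quoting the value also prevents a passphrase that happens to look like a number or boolean from being retyped by the YAML loader. With `runAs: root` and passwordless ssh to the backup host, that root key is all that protects the repository, so a comment that the matching authorized_keys entry on rsn-backup should be a forced `borg serve` command would document the expected hardening.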
diff --git a/ansible/inventory/host_vars/mailmash/certs.yml b/ansible/inventory/host_vars/mailmash/certs.yml
new file mode 100644
index 0000000..fd6dde0
--- /dev/null
+++ b/ansible/inventory/host_vars/mailmash/certs.yml
@@ -0,0 +1,13 @@
+---
+certs:
+ # Copy only these private keys and certs from ansible into the system
+ requested:
+ - yourmail.server.com
+
+ # we receive our certs by scp from the main cert hosting service elsewhere
+ receiver: true
+
+ # These users have ansible-controlled ssh private keys
+ # (mainly for automated backups right now)
+ sshKeysForUsers:
+ - root
diff --git a/ansible/inventory/host_vars/mailmash/network.yml b/ansible/inventory/host_vars/mailmash/network.yml
new file mode 100644
index 0000000..e290f7b
--- /dev/null
+++ b/ansible/inventory/host_vars/mailmash/network.yml
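Review bot: `sshKeysForUsers:` with `- root` declares that ansible deploys a private ssh key for root, and `receiver: true` says TLS private keys arrive on this host by scp, yet nothing in the file records that the key material checked into the repo must be vault-encrypted. Add a comment above `sshKeysForUsers` such as `# the private key files these entries refer to must be ansible-vault encrypted in the repo, never plaintext` so the next editor does not commit a cleartext key. `requested:` lists `yourmail.server.com`, which is also the value of `network.hostname.public` in mailmash/network.yml, and that file's comment says the cert file names are derived from the hostname; a comment here stating that the two values must agree would stop them drifting apart on a rename.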
@@ -0,0 +1,37 @@
+---
+network:
+ # These interface names are used to pull IP addresses into templates.
+ # interface.public has the IP we use to open ports to the world (mail, web, etc)
+ # interface.private has the IP for private services (ssh login, reporting, etc)
+ # Right now we don't support multiple IPs per interface, we just grab the IPv4
+ # address as presented by ansible fact e.g. 'ansible_{{interface.public}}.ipv4.address'
+ interface:
+ private: ens3
+ public: ens4
+ hostname:
+ # network.hostname.public is used populate templates with
+ # server's public hostname, including:
+ # - TLS certs to use with this pattern:
+ # /etc/ssl/[hostname]-cert-combined.pem
+ # /etc/ssl/[hostname]-key.pem
+ # - Postfix config parameter "myhostname"
+ public: yourmail.server.com
+
+ # Below is almost (almost!) the netplan schema with three changes:
+ # - only one "interface" per system because ansible can't seem to generate multiple
+ # templates from one yaml dict?
+ # - so, the 'interface' key is added, other wise it would just be ethernets: ens4: ...
+ # - also, 'addresses' needs per-address broadcast, so addresses are now lists
+ # of dicts, so 'ip' is a new name as is 'broadcast'
+ ethernets:
+ interface: ens4
+ macaddress: 02:00:00:7d:ca:ab
+ networks:
+ - subnet: 4.4.4.0/30
+ gateway: 5.5.5.5
+ addresses:
+ - 4.4.4.4/32
+ routes:
+ - to: 0.0.0.0/0
+ via: 5.5.5.5
+ on-link: true
diff --git a/ansible/inventory/host_vars/mailmash/sieve.yml b/ansible/inventory/host_vars/mailmash/sieve.yml
new file mode 100644
index 0000000..635fb4e
--- /dev/null
+++ b/ansible/inventory/host_vars/mailmash/sieve.yml
@@ -0,0 +1,9 @@
+---
+sieve:
+ users:
+ # username field is the filename [username].sieve in files/
+ # The sieve file gets stored in vmail user directory [domain]/[user]/sieve/
+ # We could improve this because it's clearly redundant...
+ - username: username@server.com
+ domain: server.com
+ user: username
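Review bot: `macaddress: 02:00:00:7d:ca:ab` is a plain scalar; this particular value only survives as a string because it contains hex letters, and a MAC whose octets are all decimal digits can be read as a sexagesimal integer by YAML 1.1 loaders (PyYAML, which Ansible builds on), producing a mangled netplan file with no error. Quote it, `macaddress: "02:00:00:7d:ca:ab"`, and treat any future colon-separated value the same way. The header comment says templates read `ansible_{{interface.public}}.ipv4.address`, while `ethernets.interface` repeats `ens4` independently of `interface.public`; a comment stating that the two must name the same interface (or which one netplan actually renders) would keep them from drifting apart.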
diff --git a/ansible/inventory/host_vars/webby/certs.yml b/ansible/inventory/host_vars/webby/certs.yml
new file mode 100644
index 0000000..c38b80d
--- /dev/null
+++ b/ansible/inventory/host_vars/webby/certs.yml
@@ -0,0 +1,23 @@
+---
+certs:
+ # Copy only these private keys and certs from ansible into the system
+ keyTypes:
+ - rsa2048
+ - prime256v1
+
+# requested can EITHER be:
+# - just a list of hostnames (then we depoly all 'keyTypes' for each hostname)
+# - or, a mapping of, e.g.:
+# - host: example1.com
+# type: rsa2048
+# - host: example1.com
+# type: prime256v1
+ required:
+ - example1.com
+ - example2.com
+ - example3.com
+
+ # These users have ansible-controlled ssh private keys
+ # (mainly for automated backups right now)
+ sshKeysForUsers: []
+ # - root
diff --git a/ansible/inventory/host_vars/webby/network.yml b/ansible/inventory/host_vars/webby/network.yml
new file mode 100644
index 0000000..39eb141
--- /dev/null
+++ b/ansible/inventory/host_vars/webby/network.yml
@@ -0,0 +1,12 @@
+---
+network:
+ # These interface names are used to pull IP addresses into templates.
+ # interface.public has the IP we use to open ports to the world (mail, web, etc)
+ # interface.private has the IP for private services (ssh login, reporting, etc)
+ # Right now we don't support multiple IPs per interface, we just grab the IPv4
+ # address as presented by ansible fact e.g. 'ansible_{{interface.public}}.ipv4.address'
+ interface:
+ private: ens3
+ public: ens4
+ hostname:
+ public: webby
diff --git a/ansible/inventory/host_vars/webby/nginx.yml b/ansible/inventory/host_vars/webby/nginx.yml
new file mode 100644
index 0000000..87976dc
--- /dev/null
+++ b/ansible/inventory/host_vars/webby/nginx.yml
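Review bot: The key is spelled `required:` while the comment block directly above it documents `requested`, and mailmash/certs.yml in this same commit uses `requested:`; if the role reads `certs.requested`, webby silently gets no certificates deployed. Rename it to `requested:` (or, if `required` is the intended name, fix the comment and the mailmash file to match). Those seven comment lines also sit at column 0 inside the `certs:` mapping, which is legal YAML but hides that they describe a child key, and `depoly` should read `deploy`. The comment promises "a mapping of" `host`/`type` pairs but the example shows a list of mappings, so the wording should say list.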
@@ -0,0 +1,77 @@
+---
+nginx:
+ # Google webmaster tools wants this same filename on all hosts
+ google:
+ siteKey: googleYOURKEYHERE
+ siteKeyServeDir: /srv/web/files/
+
+ # ssl can be "modern" or "tls13" or anything else means default
+ ssl: default
+
+ # These configs are directly uploaded as saved config files from files/nginx/
+ complex:
+ - example4.com
+ - example5.com
+
+ basic: []
+ # These configs are generated by template description below.
+ # 'customConfig' is nginx directives placed for your http2 server block.
+ # basic:
+ # - domain: "example.com"
+ # uri:
+ # - path: /
+ #
+ # - domain: example2.com
+ # uri:
+ # - path: /
+ # appServer: "http://127.0.0.1:7780"
+ # customConfig: |
+ # keepalive_timeout 5 5;
+ # keepalive_requests 200;
+ #
+ # proxy_intercept_errors on;
+ # error_page 502 =503 @noserver;
+ # error_page 503 =503 @noserver;
+ # error_page 504 =503 @noserver;
+ #
+ # location @noserver {
+ # root /home/matt/repos/matt-prod/priv;
+ # charset utf-8;
+ # rewrite ^(.*)$ /noserver.txt break;
+ # }
+ #
+ # location /src/ {
+ # proxy_pass http://127.0.0.1:7780/$request_uri;
+ # add_header Cache-Control public;
+ # expires +5m;
+ # if ($args) {
+ # expires +1y;
+ # }
+ # }
+ #
+ # location /style {
+ # proxy_pass http://127.0.0.1:7780/$request_uri;
+ # add_header Cache-Control public;
+ # expires +5m;
+ # if ($args) {
+ # expires +1y;
+ # }
+ # }
+ #
+ # location /js {
+ # proxy_pass http://127.0.0.1:7780/$request_uri;
+ # add_header Cache-Control public;
+ # expires +5m;
+ # if ($args) {
+ # expires +1y;
+ # }
+ # }
+ #
+ # location /favicon.ico {
+ # empty_gif;
+ # }
+ #
+ # location /files {
+ # expires max;
+ # root /srv/web/matt.sh;
+ # }
--
cgit v1.2.3
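Review bot: `ssl: default` relies on the comment's "anything else means default", so a typo such as `modren` silently selects the default TLS profile instead of the stricter `modern` one and nothing in the inventory or the play flags it. Consider having the role assert the value is one of the documented names before templating and fail the play otherwise, and reword the comment to `# ssl must be "modern", "tls13" or "default"`. The commented `customConfig` reference example proxies with `proxy_pass http://127.0.0.1:7780/$request_uri;`, which yields a doubled slash because `$request_uri` already starts with `/`; since operators will copy this block, dropping the `/` before `$request_uri` here is worthwhile. The same example hard-codes `/home/matt/repos/matt-prod/priv` from the upstream author's machine, which should become a labelled placeholder in a forked inventory.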