Update the rsync backup endpoints (also thanks linter for breaking the structure)

This commit is contained in:
2026-01-27 11:14:33 +01:00
parent 3d0c2acdfd
commit 23e70a1be7
2 changed files with 35 additions and 44 deletions


@@ -1,3 +1,4 @@
---
- name: Playbook to Provision / Re-configure Node
hosts: all
vars:
@@ -19,10 +20,12 @@
ansible.builtin.get_url:
url: https://deb.goaccess.io/gnugpg.key
dest: /usr/share/keyrings/goaccess.asc
mode: '0644'
mode: "0644"
- name: Enable goaccess repo
ansible.builtin.apt_repository:
repo: deb [signed-by=/usr/share/keyrings/goaccess.asc arch=amd64] https://deb.goaccess.io/ bookworm main
repo:
deb [signed-by=/usr/share/keyrings/goaccess.asc arch=amd64] https://deb.goaccess.io/
bookworm main
state: present
- name: Install Required Programs / APT
ansible.builtin.apt:
@@ -94,7 +97,7 @@
- name: Disable dmesg logging to console
ansible.posix.sysctl:
name: kernel.printk
value: "3 4 1 3"
value: 3 4 1 3
state: present
sysctl_set: true
- name: Allow binding to non-local IPs / IPv6
@@ -169,21 +172,19 @@
password: "{{ item.password }}"
shell: /bin/bash
update_password: always
with_items:
- "{{ users }}"
- name: "Add authorized keys"
with_items: ["{{ users }}"]
- name: Add authorized keys
ansible.posix.authorized_key:
user: "{{ item.name }}"
key: "{{ lookup('file', 'files/' + item.name + '.pub') }}"
with_items:
- "{{ users }}"
- name: "Allow admin users to sudo without a password"
with_items: ["{{ users }}"]
- name: Allow admin users to sudo without a password
ansible.builtin.lineinfile:
dest: "/etc/sudoers" # path: in version 2.3
state: "present"
regexp: "^%sudo"
dest: /etc/sudoers # path: in version 2.3
state: present
regexp: ^%sudo
line: "%sudo ALL=(ALL) NOPASSWD: ALL"
- name: "Sshd configuration file update"
- name: Sshd configuration file update
ansible.builtin.template:
src: templates/sshd_config.j2
dest: /etc/ssh/sshd_config
@@ -191,17 +192,16 @@
owner: 0
group: 0
mode: "0644"
validate: "/usr/sbin/sshd -T -f %s"
notify:
- Restart sshd
- name: "Remove useless passphrase line (runs after borgmatic role)"
validate: /usr/sbin/sshd -T -f %s
notify: [Restart sshd]
- name: Remove useless passphrase line (runs after borgmatic role)
ansible.builtin.lineinfile:
dest: "/etc/borgmatic/config.yaml"
state: "absent"
regexp: "^.*encryption_passphrase"
dest: /etc/borgmatic/config.yaml
state: absent
regexp: ^.*encryption_passphrase
- name: Copy per-server docker daemon.json
ansible.builtin.copy:
src: "./templates/{{ inventory_hostname }}/daemon.json"
src: ./templates/{{ inventory_hostname }}/daemon.json
dest: /etc/docker/daemon.json
mode: preserve
handlers:
@@ -218,10 +218,10 @@
- role: artis3n.tailscale
# Future Sysadmin seeing this: if this fails; it is because the key is only valid for 365 days (from Jan 6 2024)
tailscale_authkey: "{{tailscale_authkey}}"
tailscale_args: "--login-server https://hs.projectsegfau.lt --accept-dns=false"
tailscale_args: --login-server https://hs.projectsegfau.lt --accept-dns=false
- role: borgbase.ansible_role_borgbackup
borg_repository:
- ssh://zh3117@zh3117.rsync.net/data1/home/zh3117/backups/{{rsyncnet_slug}}
- ssh://zh6265@zh6265.rsync.net/data1/home/zh6265/backups/{{rsyncnet_slug}}
borg_source_directories: "{{bkp_source_directories}}"
borg_exclude_patterns: "{{bkp_exclude_patterns}}"
borg_remote_path: /usr/local/bin/borg_1.2.4/borg1
@@ -229,14 +229,13 @@
postgresql_databases: "{{bkp_postgresql_databases}}"
healthchecks:
ping_url: https://healthchecks.projectsegfau.lt/ping/{{bkp_hc_uuid}}
states:
- finish
states: [finish]
borg_retention_policy:
keep_daily: 4
keep_weekly: 2
keep_monthly: 2
# very secure I know; it has to be plain text anyway for automated backups, unless there is a better way (in which case please email me@aryak.me)
borg_encryption_passcommand: "cat /etc/borgmatic/passphrase"
borg_encryption_passcommand: cat /etc/borgmatic/passphrase
- name: UFW Firewall Configuration
hosts: eu # IN is behind router so no f/w is needed
tasks:
@@ -260,14 +259,10 @@
rule: allow
src: "{{ item }}"
direction: in
loop:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
loop: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]
- name: Deny rules
community.general.ufw:
rule: allow
port: "{{ item.port }}"
proto: "{{ item.proto }}"
with_items:
- "{{ ufw_allow_rules }}"
with_items: ["{{ ufw_allow_rules }}"]
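Review bot: The `borg_repository` change in the `@@ -218,10 +218,10 @@` hunk points borg at a different rsync.net account and host, but nothing in the commit adds or verifies that host's SSH key; unless the role's SSH command already disables strict host-key checking, the first backup run will fail on an unknown host, and if it does disable it the new endpoint is trusted on first use. A `ansible.builtin.known_hosts` task run before the role, with the fingerprint published by the provider, would pin it — e.g. `name: zh6265.rsync.net` (or whichever account is the added line; the rendered page does not show the side) and `key: "<RSYNC_NET_HOST_KEY placeholder>"`. The same endpoint change appears in the pubnix playbook in the second file section and needs the same treatment. Separately, the comment above `tailscale_authkey` in this hunk dates the key to Jan 6 2024 with 365-day validity, which is already past this commit's date; if a new key was issued since, the comment should say so.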


@@ -1,4 +1,3 @@
# IMPORTANT: Inventory file for pubnix is stored in semaphore, not inventory.yml
---
- name: Borgmatic Setup
hosts: pubnix
@@ -15,20 +14,18 @@
- /home
- /nix
- /opt
bkp_exclude_patterns:
- /var/log
- /var/soju/main.db
bkp_exclude_patterns: [/var/log, /var/soju/main.db]
bkp_hc_uuid: 94c410f3-22f4-49f6-9f7f-e6f7b6409ced
tasks:
- name: "Remove useless passphrase line (runs after borgmatic role)"
- name: Remove useless passphrase line (runs after borgmatic role)
ansible.builtin.lineinfile:
dest: "/etc/borgmatic/config.yaml"
state: "absent"
regexp: "^.*encryption_passphrase"
dest: /etc/borgmatic/config.yaml
state: absent
regexp: ^.*encryption_passphrase
roles:
- role: borgbase.ansible_role_borgbackup
borg_repository:
- ssh://zh3117@zh3117.rsync.net/data1/home/zh3117/backups/pubnix
- ssh://zh6265@zh6265.rsync.net/data1/home/zh6265/backups/pubnix
borg_source_directories: "{{bkp_source_directories}}"
borg_exclude_patterns: "{{bkp_exclude_patterns}}"
borg_remote_path: /usr/local/bin/borg_1.2.4/borg1
@@ -38,11 +35,10 @@
path: /var/soju/soju.db
healthchecks:
ping_url: https://healthchecks.projectsegfau.lt/ping/{{bkp_hc_uuid}}
states:
- finish
states: [finish]
borg_retention_policy:
keep_daily: 4
keep_weekly: 2
keep_monthly: 2
# very secure I know; it has to be plain text anyway for automated backups, unless there is a better way (in which case please email me@aryak.me)
borg_encryption_passcommand: "cat /etc/borgmatic/passphrase"
borg_encryption_passcommand: cat /etc/borgmatic/passphrase
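Review bot: `bkp_exclude_patterns: [/var/log, /var/soju/main.db]` in the `@@ -15,20 +14,18 @@` hunk (assuming the flow form is the new side) collapses a list of paths into flow style; each future exclusion will then rewrite that one line instead of adding a line, so block style (`- /var/log` / `- /var/soju/main.db`) diffs better and matches `bkp_source_directories` directly above it, which is still in block style. The unquoted `bkp_hc_uuid` value on the next line happens to parse as a string, but quoting it would make that explicit and protect it from future reformatting. Note too that the healthchecks ping UUID kept in this file is effectively a credential — anyone holding it can mark the pubnix backup check as passing — so it may belong with the inventory the header comment says lives in Semaphore rather than in the committed playbook.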