ansible-edda/machine.yml

---
- hosts: yggdrasil

  vars_files:
    - secrets.yml

  tasks:

    # ----------------------------------------------------------------------------------------------
    # SSH configuration.
    # ----------------------------------------------------------------------------------------------

    # SSH must be installed and enabled for ansible to even connect so we don't bother with
    # installing and starting it.

    - name: Configure sshd
      template:
        src: ./root/etc/ssh/sshd_config.d/00-yggdrasil.conf.j2
        dest: /etc/ssh/sshd_config.d/00-yggdrasil.conf
        mode: 0600
      register: sshd_cfg

    - name: Restart sshd
      service:
        name: sshd
        enabled: yes
        state: restarted
      when:
        sshd_cfg is changed

    # -------------------------------------------------------------------------
    # Firewall configuration.
    # -------------------------------------------------------------------------

    - name: Install nftables
      apt:
        name: nftables
      register: nftables_install

    - name: Configure nftables
      template:
        src: ./root/etc/nftables.conf.j2
        dest: /etc/nftables.conf
        mode: 0755
      register: nftables_cfg

    - name: Enable/start/restart nftables
      service:
        name: nftables
        state: restarted
        enabled: yes
      when:
        nftables_install is changed or
        nftables_cfg is changed

    # ----------------------------------------------------------------------------------------------
    # NTP configuration.
    # ----------------------------------------------------------------------------------------------

    - name: Install systemd-timesyncd
      apt:
        name: systemd-timesyncd

    - name: Enable/start NTP
      service:
        name: systemd-timesyncd
        enabled: yes
        state: started

    # ----------------------------------------------------------------------------------------------
    # E-mail configuration.
    # ----------------------------------------------------------------------------------------------

    - name: Configure mailname
      template:
        src: ./root/etc/mailname.j2
        dest: /etc/mailname
        mode: 0644
      register: mail_mailname

    - name: Configure aliases
      template:
        src: ./root/etc/aliases.j2
        dest: /etc/aliases
        mode: 0644
      register: mail_aliases

    - name: Update aliases
      command: newaliases
      when: mail_aliases is changed

    - name: Configure mailutils
      template:
        src: ./root/etc/mailutils.conf.j2
        dest: /etc/mailutils.conf
        mode: 0644

    - name: Install postfix
      apt:
        name:
          - postfix
          - ca-certificates
          - libsasl2-modules
      register: mail_postfix_install

    - name: Configure postfix
      template:
        src: ./root/etc/postfix/main.cf.j2
        dest: /etc/postfix/main.cf
        mode: 0644
      register: mail_postfix_cfg

    - name: Configure credentials
      template:
        src: ./root/etc/postfix/sasl_passwd.j2
        dest: /etc/postfix/sasl_passwd
        mode: 0600
      register: mail_postfix_credentials

    - name: Create hash database
      command: postmap /etc/postfix/sasl_passwd
      when:
        mail_postfix_credentials is changed

    - name: Set hash database permissions
      file:
        path: /etc/postfix/sasl_passwd.db
        mode: 0600

    - name: Enable/start/restart postfix
      service:
        name: postfix
        enabled: yes
        state: restarted
      when:
        mail_mailname is changed or
        mail_aliases is changed or
        mail_postfix_install is changed or
        mail_postfix_cfg is changed or
        mail_postfix_credentials is changed

    # ----------------------------------------------------------------------------------------------
    # SystemD mails.
    # ----------------------------------------------------------------------------------------------

    - name: SystemD mail script
      template:
        src: ./root/usr/local/bin/systemd-mail.j2
        dest: /usr/local/bin/systemd-mail
        mode: 0755

    - name: SystemD mail service
      copy:
        src: ./root/etc/systemd/system/status-mail@.service
        dest: /etc/systemd/system/status-mail@.service
        mode: 0644
      register: systemd_status_mail_service_file

    - name: SystemD daemon reload
      systemd:
        daemon_reload: true
      when:
        systemd_status_mail_service_file is changed

    # ----------------------------------------------------------------------------------------------
    # ZFS scrubbing.
    # ----------------------------------------------------------------------------------------------

    - name: Zpool status mail script
      template:
        src: ./root/usr/local/bin/zpool-status-mail.j2
        dest: /usr/local/bin/zpool-status-mail
        mode: 0755

    - name: Zfs scrub service file
      copy:
        src: ./root/etc/systemd/system/zfs-scrub@.service
        dest: /etc/systemd/system/zfs-scrub@.service
        mode: 0644
      register: systemd_zfs_scrub_service_file

    - name: Zfs scrub timer file
      copy:
        src: ./root/etc/systemd/system/zfs-scrub-monthly@.timer
        dest: /etc/systemd/system/zfs-scrub-monthly@.timer
        mode: 0644
      register: systemd_zfs_scrub_monthly_timer_file

    - name: SystemD daemon reload
      systemd:
        daemon_reload: true
      when:
        systemd_zfs_scrub_service_file is changed or
        systemd_zfs_scrub_monthly_timer_file is changed

    - name: Enable zfs scrub of bpool
      service:
        name: zfs-scrub-monthly@bpool.timer
        enabled: yes
        state: started

    - name: Enable zfs scrub of rpool
      service:
        name: zfs-scrub-monthly@rpool.timer
        enabled: yes
        state: started

    # ----------------------------------------------------------------------------------------------
    # Filesystem TRIM.
    # ----------------------------------------------------------------------------------------------

    - name: Enable fstrim
      service:
        name: fstrim.timer
        enabled: yes
        state: started

    - name: Zfs trim service file
      copy:
        src: ./root/etc/systemd/system/zfs-trim@.service
        dest: /etc/systemd/system/zfs-trim@.service
        mode: 0644
      register: systemd_zfs_trim_service_file

    - name: Zfs trim timer file
      copy:
        src: ./root/etc/systemd/system/zfs-trim-monthly@.timer
        dest: /etc/systemd/system/zfs-trim-monthly@.timer
        mode: 0644
      register: systemd_zfs_trim_monthly_timer_file

    - name: SystemD daemon reload
      systemd:
        daemon_reload: true
      when:
        systemd_zfs_trim_service_file is changed or
        systemd_zfs_trim_monthly_timer_file is changed

    - name: Enable zfs trim of bpool
      service:
        name: zfs-trim-monthly@bpool.timer
        enabled: yes
        state: started

    - name: Enable zfs trim of rpool
      service:
        name: zfs-trim-monthly@rpool.timer
        enabled: yes
        state: started

    # ----------------------------------------------------------------------------------------------
    # UPS configuration.
    # ----------------------------------------------------------------------------------------------

    - name: Install acpupsd
      apt:
        name: apcupsd
      register: apcupsd_install

    - name: Apcupsd configuration
      copy:
        src: ./root/etc/apcupsd/apcupsd.conf
        dest: /etc/apcupsd/apcupsd.conf
        mode: 0644
      register: apcupsd_cfg

    - name: Enable/start/restart apcupsd
      service:
        name: apcupsd
        enabled: yes
        state: restarted
      when:
        apcupsd_install is changed or
        apcupsd_cfg is changed
Empty machine playbook 2022-08-26 16:20:37 +02:00			`---`
			`- hosts: yggdrasil`

			`vars_files:`
			`- secrets.yml`
Install postfix 2022-08-27 18:55:35 +02:00
			`tasks:`

Configure ntp 2022-08-27 22:07:23 +02:00			`# ----------------------------------------------------------------------------------------------`
Configure ssh 2022-08-30 15:18:44 +02:00			`# SSH configuration.`
			`# ----------------------------------------------------------------------------------------------`

			`# SSH must be installed and enabled for ansible to even connect so we don't bother with`
			`# installing and starting it.`

			`- name: Configure sshd`
			`template:`
			`src: ./root/etc/ssh/sshd_config.d/00-yggdrasil.conf.j2`
			`dest: /etc/ssh/sshd_config.d/00-yggdrasil.conf`
			`mode: 0600`
			`register: sshd_cfg`

			`- name: Restart sshd`
			`service:`
			`name: sshd`
			`enabled: yes`
			`state: restarted`
			`when:`
			`sshd_cfg is changed`

Configure nftables 2022-08-30 15:39:31 +02:00			`# -------------------------------------------------------------------------`
			`# Firewall configuration.`
			`# -------------------------------------------------------------------------`

			`- name: Install nftables`
			`apt:`
			`name: nftables`
			`register: nftables_install`

			`- name: Configure nftables`
			`template:`
			`src: ./root/etc/nftables.conf.j2`
			`dest: /etc/nftables.conf`
			`mode: 0755`
			`register: nftables_cfg`

			`- name: Enable/start/restart nftables`
			`service:`
			`name: nftables`
			`state: restarted`
			`enabled: yes`
			`when:`
			`nftables_install is changed or`
			`nftables_cfg is changed`

Configure ssh 2022-08-30 15:18:44 +02:00			`# ----------------------------------------------------------------------------------------------`
			`# NTP configuration.`
Configure ntp 2022-08-27 22:07:23 +02:00			`# ----------------------------------------------------------------------------------------------`

			`- name: Install systemd-timesyncd`
			`apt:`
			`name: systemd-timesyncd`

			`- name: Enable/start NTP`
			`service:`
			`name: systemd-timesyncd`
			`enabled: yes`
For services put enabled before state 2022-08-28 04:00:34 +02:00			`state: started`
Configure ntp 2022-08-27 22:07:23 +02:00
Install postfix 2022-08-27 18:55:35 +02:00			`# ----------------------------------------------------------------------------------------------`
			`# E-mail configuration.`
			`# ----------------------------------------------------------------------------------------------`

Configure mail 2022-08-27 22:07:17 +02:00			`- name: Configure mailname`
			`template:`
			`src: ./root/etc/mailname.j2`
			`dest: /etc/mailname`
			`mode: 0644`
			`register: mail_mailname`

			`- name: Configure aliases`
			`template:`
			`src: ./root/etc/aliases.j2`
			`dest: /etc/aliases`
			`mode: 0644`
			`register: mail_aliases`

			`- name: Update aliases`
			`command: newaliases`
			`when: mail_aliases is changed`

			`- name: Configure mailutils`
			`template:`
			`src: ./root/etc/mailutils.conf.j2`
			`dest: /etc/mailutils.conf`
			`mode: 0644`

Install postfix 2022-08-27 18:55:35 +02:00			`- name: Install postfix`
			`apt:`
Configure mail 2022-08-27 22:07:17 +02:00			`name:`
			`- postfix`
			`- ca-certificates`
			`- libsasl2-modules`
			`register: mail_postfix_install`

			`- name: Configure postfix`
			`template:`
			`src: ./root/etc/postfix/main.cf.j2`
			`dest: /etc/postfix/main.cf`
			`mode: 0644`
			`register: mail_postfix_cfg`

			`- name: Configure credentials`
			`template:`
			`src: ./root/etc/postfix/sasl_passwd.j2`
			`dest: /etc/postfix/sasl_passwd`
			`mode: 0600`
			`register: mail_postfix_credentials`

			`- name: Create hash database`
			`command: postmap /etc/postfix/sasl_passwd`
			`when:`
			`mail_postfix_credentials is changed`

			`- name: Set hash database permissions`
			`file:`
			`path: /etc/postfix/sasl_passwd.db`
			`mode: 0600`

Combine start/restart steps 2022-08-30 15:33:13 +02:00			`- name: Enable/start/restart postfix`
Configure mail 2022-08-27 22:07:17 +02:00			`service:`
Install postfix 2022-08-27 18:55:35 +02:00			`name: postfix`
Configure mail 2022-08-27 22:07:17 +02:00			`enabled: yes`
For services put enabled before state 2022-08-28 04:00:34 +02:00			`state: restarted`
Configure mail 2022-08-27 22:07:17 +02:00			`when:`
			`mail_mailname is changed or`
			`mail_aliases is changed or`
			`mail_postfix_install is changed or`
			`mail_postfix_cfg is changed or`
			`mail_postfix_credentials is changed`
Add systemd mails 2022-08-28 04:01:22 +02:00
			`# ----------------------------------------------------------------------------------------------`
			`# SystemD mails.`
			`# ----------------------------------------------------------------------------------------------`

			`- name: SystemD mail script`
			`template:`
			`src: ./root/usr/local/bin/systemd-mail.j2`
			`dest: /usr/local/bin/systemd-mail`
			`mode: 0755`

			`- name: SystemD mail service`
			`copy:`
			`src: ./root/etc/systemd/system/status-mail@.service`
			`dest: /etc/systemd/system/status-mail@.service`
			`mode: 0644`
			`register: systemd_status_mail_service_file`

			`- name: SystemD daemon reload`
			`systemd:`
			`daemon_reload: true`
			`when:`
			`systemd_status_mail_service_file is changed`
Add zfs scrubbing and filesystem trim 2022-08-28 04:02:18 +02:00
			`# ----------------------------------------------------------------------------------------------`
			`# ZFS scrubbing.`
			`# ----------------------------------------------------------------------------------------------`

			`- name: Zpool status mail script`
			`template:`
			`src: ./root/usr/local/bin/zpool-status-mail.j2`
			`dest: /usr/local/bin/zpool-status-mail`
			`mode: 0755`

			`- name: Zfs scrub service file`
			`copy:`
			`src: ./root/etc/systemd/system/zfs-scrub@.service`
			`dest: /etc/systemd/system/zfs-scrub@.service`
			`mode: 0644`
			`register: systemd_zfs_scrub_service_file`

			`- name: Zfs scrub timer file`
			`copy:`
			`src: ./root/etc/systemd/system/zfs-scrub-monthly@.timer`
			`dest: /etc/systemd/system/zfs-scrub-monthly@.timer`
			`mode: 0644`
			`register: systemd_zfs_scrub_monthly_timer_file`

			`- name: SystemD daemon reload`
			`systemd:`
			`daemon_reload: true`
			`when:`
			`systemd_zfs_scrub_service_file is changed or`
			`systemd_zfs_scrub_monthly_timer_file is changed`

			`- name: Enable zfs scrub of bpool`
			`service:`
			`name: zfs-scrub-monthly@bpool.timer`
			`enabled: yes`
			`state: started`

			`- name: Enable zfs scrub of rpool`
			`service:`
			`name: zfs-scrub-monthly@rpool.timer`
			`enabled: yes`
			`state: started`

			`# ----------------------------------------------------------------------------------------------`
			`# Filesystem TRIM.`
			`# ----------------------------------------------------------------------------------------------`

			`- name: Enable fstrim`
			`service:`
			`name: fstrim.timer`
			`enabled: yes`
			`state: started`

			`- name: Zfs trim service file`
			`copy:`
			`src: ./root/etc/systemd/system/zfs-trim@.service`
			`dest: /etc/systemd/system/zfs-trim@.service`
			`mode: 0644`
			`register: systemd_zfs_trim_service_file`

			`- name: Zfs trim timer file`
			`copy:`
			`src: ./root/etc/systemd/system/zfs-trim-monthly@.timer`
			`dest: /etc/systemd/system/zfs-trim-monthly@.timer`
			`mode: 0644`
			`register: systemd_zfs_trim_monthly_timer_file`

			`- name: SystemD daemon reload`
			`systemd:`
			`daemon_reload: true`
			`when:`
			`systemd_zfs_trim_service_file is changed or`
			`systemd_zfs_trim_monthly_timer_file is changed`

			`- name: Enable zfs trim of bpool`
			`service:`
			`name: zfs-trim-monthly@bpool.timer`
			`enabled: yes`
			`state: started`

			`- name: Enable zfs trim of rpool`
			`service:`
			`name: zfs-trim-monthly@rpool.timer`
			`enabled: yes`
			`state: started`
Configure UPS 2022-08-28 12:43:22 +02:00
			`# ----------------------------------------------------------------------------------------------`
			`# UPS configuration.`
			`# ----------------------------------------------------------------------------------------------`

			`- name: Install acpupsd`
			`apt:`
			`name: apcupsd`
Combine start/restart steps 2022-08-30 15:33:13 +02:00			`register: apcupsd_install`
Configure UPS 2022-08-28 12:43:22 +02:00
			`- name: Apcupsd configuration`
			`copy:`
			`src: ./root/etc/apcupsd/apcupsd.conf`
			`dest: /etc/apcupsd/apcupsd.conf`
			`mode: 0644`
			`register: apcupsd_cfg`

Combine start/restart steps 2022-08-30 15:33:13 +02:00			`- name: Enable/start/restart apcupsd`
Configure UPS 2022-08-28 12:43:22 +02:00			`service:`
			`name: apcupsd`
			`enabled: yes`
			`state: restarted`
			`when:`
Combine start/restart steps 2022-08-30 15:33:13 +02:00			`apcupsd_install is changed or`
Configure UPS 2022-08-28 12:43:22 +02:00			`apcupsd_cfg is changed`