Basic deployment on valkyrie

.gitignore

@@ -1 +1,3 @@
-secrets.yml
+secrets/common.yml
+secrets/valkyrie.yml
+secrets/yggdrasil.yml

README.md

@@ -5,5 +5,6 @@ Ansible playbooks for provisioning Yggdrasil.
 ## Secrets vault
 
 - Encrypt with: ```ansible-vault encrypt secrets.yml```
+- Decrypt with: ```ansible-vault decrypt secrets.yml```
 - Print secrets to STDOUT: ```ansible-vault decrypt --output - secrets.yml```
 - Run a playbook with ```ansible-playbook --vault-id @prompt playbook.yml```

ansible.cfg

@@ -2,4 +2,4 @@
 inventory = ./hosts
 
 [privilege_escalation]
-become=True
+become = True

filesystem/common/etc/fail2ban/jail.local.j2

@@ -3,7 +3,7 @@
 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
 # will not ban a host which matches an address in this list. Several addresses
 # can be defined using space (and/or comma) separator.
-ignoreip = 127.0.0.1/8 ::1 {{ subnet_address }}/{{ subnet_masklen }}
+ignoreip = 127.0.0.1/8 ::1 {{ subnet }}
 
 # "bantime" is the number of seconds that a host is banned.
 bantime  = 1d

filesystem/common/etc/mailname.j2

@@ -0,0 +1 @@
+{{ hostname }}.{{ domain }}

filesystem/common/etc/nftables.conf.j2

@@ -3,8 +3,8 @@
 flush ruleset
 
 table inet filter {
-	chain input {
-		type filter hook input priority 0;
+        chain input {
+                type filter hook input priority 0;
 
                 # Accept any localhost traffic.
                 iif lo accept;
@@ -17,19 +17,19 @@ table inet filter {
                 ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept;
                 ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept;
 
-		# Drop invalid connections.
-		ct state invalid drop;
+                # Drop invalid connections.
+                ct state invalid drop;
 
                 # Activate the following line to accept common local services.
                 tcp dport { 80, 443, {{ ansible_port }} } ct state new accept;
 
                 # Count and drop any other traffic.
                 counter drop;
-	}
-	chain forward {
-		type filter hook forward priority 0;
-	}
-	chain output {
-		type filter hook output priority 0;
-	}
+        }
+        chain forward {
+                type filter hook forward priority 0;
+        }
+        chain output {
+                type filter hook output priority 0;
+        }
 }

filesystem/common/etc/ssh/sshd_config.d/00-local.conf.j2

@@ -15,3 +15,6 @@ PasswordAuthentication no
 
 # No X window forwarding.
 X11Forwarding no
+
+# Check in with the client every now and then.
+ClientAliveInterval 120

filesystem/valkyrie/etc/motd

@@ -0,0 +1,9 @@
+-------------------------------------------------------------------
+                           _ _               _
+               __   ____ _| | | ___   _ _ __(_) ___
+               \ \ / / _` | | |/ / | | | '__| |/ _ \
+                \ V / (_| | |   <| |_| | |  | |  __/
+                 \_/ \__,_|_|_|\_\\__, |_|  |_|\___|
+                                  |___/
+
+-------------------------------------------------------------------

hosts

@@ -1 +1,2 @@
+valkyrie
 yggdrasil

root/etc/mailname.j2

@@ -1 +0,0 @@
-{{ domain }}

secrets/template.yml

@@ -10,6 +10,7 @@ hostname:
 domain:
 subnet_address:
 subnet_masklen:
+subnet:
 
 # Postfix variables
 postfix_smtp_server:

tasks/fail2ban.yml

@@ -4,14 +4,14 @@
 
 - name: Configure fail2ban
   template:
-    src: ./root/etc/fail2ban/jail.local.j2
+    src: ./filesystem/common/etc/fail2ban/jail.local.j2
     dest: /etc/fail2ban/jail.local
     mode: 0644
   register: fail2ban_conf
 
 - name: Configure fail2ban sshd jail
   template:
-    src: ./root/etc/fail2ban/jail.d/sshd.local.j2
+    src: ./filesystem/common/etc/fail2ban/jail.d/sshd.local.j2
     dest: /etc/fail2ban/jail.d/sshd.local
     mode: 0644
   register: fail2ban_sshd_jail

tasks/firewall.yml

@@ -4,7 +4,7 @@
 
 - name: Configure nftables
   template:
-    src: ./root/etc/nftables.conf.j2
+    src: ./filesystem/common/etc/nftables.conf.j2
     dest: /etc/nftables.conf
     mode: 0755
   register: nftables_conf

tasks/fstrim.yml

@@ -0,0 +1,5 @@
+- name: Enable fstrim
+  systemd:
+    name: fstrim.timer
+    enabled: yes
+    state: started

tasks/logs.yml

@@ -6,7 +6,7 @@
 
 - name: Configure logcheck
   template:
-    src: ./root/etc/logcheck/ignore.d.server/yggdrasil.j2
-    dest: /etc/logcheck/ignore.d.server/yggdrasil
+    src: ./filesystem/common/etc/logcheck/ignore.d.server/hostname.j2
+    dest: /etc/logcheck/ignore.d.server/{{ hostname }}
     group: logcheck
     mode: 0644

tasks/mail.yml

@@ -1,24 +1,13 @@
 - name: Configure mailname
   template:
-    src: ./root/etc/mailname.j2
+    src: ./filesystem/common/etc/mailname.j2
     dest: /etc/mailname
     mode: 0644
   register: mail_mailname
 
-- name: Configure aliases
-  template:
-    src: ./root/etc/aliases.j2
-    dest: /etc/aliases
-    mode: 0644
-  register: mail_aliases
-
-- name: Update aliases
-  command: newaliases
-  when: mail_aliases is changed
-
 - name: Configure mailutils
   template:
-    src: ./root/etc/mailutils.conf.j2
+    src: ./filesystem/common/etc/mailutils.conf.j2
     dest: /etc/mailutils.conf
     mode: 0644
 
@@ -29,16 +18,27 @@
       - ca-certificates
       - libsasl2-modules
 
+- name: Configure aliases
+  template:
+    src: ./filesystem/common/etc/aliases.j2
+    dest: /etc/aliases
+    mode: 0644
+  register: mail_aliases
+
+- name: Update aliases
+  command: newaliases
+  when: mail_aliases is changed
+
 - name: Configure postfix
   template:
-    src: ./root/etc/postfix/main.cf.j2
+    src: ./filesystem/common/etc/postfix/main.cf.j2
     dest: /etc/postfix/main.cf
     mode: 0644
   register: mail_postfix_conf
 
 - name: Configure credentials
   template:
-    src: ./root/etc/postfix/sasl_passwd.j2
+    src: ./filesystem/common/etc/postfix/sasl_passwd.j2
     dest: /etc/postfix/sasl_passwd
     mode: 0600
   register: mail_postfix_credentials

tasks/motd.yml

@@ -1,5 +1,5 @@
 - name: Set MotD
   copy:
-    src: ./root/etc/motd
+    src: ./filesystem/{{ hostname }}/etc/motd
     dest: /etc/motd
     mode: 0644

tasks/root-shell.yml

@@ -5,6 +5,6 @@
 
 - name: Disable su for non-wheel users
   copy:
-    src: ./root/etc/pam.d/su
+    src: ./filesystem/common/etc/pam.d/su
     dest: /etc/pam.d/su
     mode: 0644

tasks/smart.yml

@@ -4,7 +4,7 @@
 
 - name: Smartd configuration
   copy:
-    src: ./root/etc/smartd.conf
+    src: ./filesystem/yggdrasil/etc/smartd.conf
     dest: /etc/smartd.conf
     mode: 0644
   register: smartd_conf

tasks/sshd.yml

@@ -3,8 +3,8 @@
 
 - name: Configure sshd
   template:
-    src: ./root/etc/ssh/sshd_config.d/00-yggdrasil.conf.j2
-    dest: /etc/ssh/sshd_config.d/00-yggdrasil.conf
+    src: ./filesystem/common/etc/ssh/sshd_config.d/00-local.conf.j2
+    dest: /etc/ssh/sshd_config.d/00-local.conf
     mode: 0600
   register: sshd_conf
 

tasks/systemd-mail.yml

@@ -1,12 +1,12 @@
 - name: SystemD mail script
   template:
-    src: ./root/usr/local/sbin/systemd-mail-systemctl-status.j2
+    src: ./filesystem/yggdrasil/usr/local/sbin/systemd-mail-systemctl-status.j2
     dest: /usr/local/sbin/systemd-mail-systemctl-status
     mode: 0755
 
 - name: SystemD mail service
   copy:
-    src: ./root/etc/systemd/system/status-mail@.service
+    src: ./filesystem/yggdrasil/etc/systemd/system/status-mail@.service
     dest: /etc/systemd/system/status-mail@.service
     mode: 0644
   register: systemd_status_mail_service_file

tasks/unattended-upgrades.yml

@@ -4,12 +4,12 @@
 
 - name: Configure unattended-upgrades
   copy:
-    src: ./root/etc/apt/apt.conf.d/50unattended-upgrades
+    src: ./filesystem/common/etc/apt/apt.conf.d/50unattended-upgrades
     dest: /etc/apt/apt.conf.d/50unattended-upgrades
     mode: 0644
 
 - name: Enable unattended-upgrades
   copy:
-    src: ./root/etc/apt/apt.conf.d/20auto-upgrades
+    src: ./filesystem/common/etc/apt/apt.conf.d/20auto-upgrades
     dest: /etc/apt/apt.conf.d/20auto-upgrades
     mode: 0644

tasks/ups.yml

@@ -4,7 +4,7 @@
 
 - name: Apcupsd configuration
   copy:
-    src: ./root/etc/apcupsd/apcupsd.conf
+    src: ./filesystem/yggdrasil/etc/apcupsd/apcupsd.conf
     dest: /etc/apcupsd/apcupsd.conf
     mode: 0644
   register: apcupsd_conf

tasks/user.yml

@@ -8,14 +8,14 @@
 - name: Configure tmux
   become: no
   copy:
-    src: ./root/home/user/tmux.conf
+    src: ./filesystem/common/home/user/tmux.conf
     dest: .tmux.conf
     mode: 0644
 
 - name: Configure bashrc
   become: no
   copy:
-    src: ./root/home/user/bashrc
+    src: ./filesystem/common/home/user/bashrc
     dest: .bashrc
     mode: 0644
 

tasks/utils.yml

@@ -4,4 +4,5 @@
       - git
       - htop
       - man
+      - perl
       - tmux

tasks/zfs-scrub.yml

@@ -1,19 +1,19 @@
 - name: Zpool status mail script
   template:
-    src: ./root/usr/local/sbin/systemd-mail-zpool-status.j2
+    src: ./filesystem/yggdrasil/usr/local/sbin/systemd-mail-zpool-status.j2
     dest: /usr/local/sbin/systemd-mail-zpool-status
     mode: 0755
 
 - name: Zfs scrub service file
   copy:
-    src: ./root/etc/systemd/system/zfs-scrub@.service
+    src: ./filesystem/yggdrasil/etc/systemd/system/zfs-scrub@.service
     dest: /etc/systemd/system/zfs-scrub@.service
     mode: 0644
   register: systemd_zfs_scrub_service_file
 
 - name: Zfs scrub timer file
   copy:
-    src: ./root/etc/systemd/system/zfs-scrub-monthly@.timer
+    src: ./filesystem/yggdrasil/etc/systemd/system/zfs-scrub-monthly@.timer
     dest: /etc/systemd/system/zfs-scrub-monthly@.timer
     mode: 0644
   register: systemd_zfs_scrub_monthly_timer_file

tasks/zfs-trim.yml

@@ -1,19 +1,13 @@
-- name: Enable fstrim
-  systemd:
-    name: fstrim.timer
-    enabled: yes
-    state: started
-
 - name: Zfs trim service file
   copy:
-    src: ./root/etc/systemd/system/zfs-trim@.service
+    src: ./filesystem/yggdrasil/etc/systemd/system/zfs-trim@.service
     dest: /etc/systemd/system/zfs-trim@.service
     mode: 0644
   register: systemd_zfs_trim_service_file
 
 - name: Zfs trim timer file
   copy:
-    src: ./root/etc/systemd/system/zfs-trim-monthly@.timer
+    src: ./filesystem/yggdrasil/etc/systemd/system/zfs-trim-monthly@.timer
     dest: /etc/systemd/system/zfs-trim-monthly@.timer
     mode: 0644
   register: systemd_zfs_trim_monthly_timer_file

valkyrie.yml

@@ -0,0 +1,20 @@
+---
+- hosts: valkyrie
+
+  vars_files:
+    - secrets/common.yml
+    - secrets/valkyrie.yml
+
+  tasks:
+    - import_tasks: tasks/sshd.yml
+    - import_tasks: tasks/firewall.yml
+    - import_tasks: tasks/ntp.yml
+    - import_tasks: tasks/mail.yml
+    - import_tasks: tasks/unattended-upgrades.yml
+    - import_tasks: tasks/fail2ban.yml
+    - import_tasks: tasks/fstrim.yml
+    - import_tasks: tasks/logs.yml
+    - import_tasks: tasks/motd.yml
+    - import_tasks: tasks/utils.yml
+    - import_tasks: tasks/user.yml
+    - import_tasks: tasks/root-shell.yml

yggdrasil.yml

@@ -2,7 +2,8 @@
 - hosts: yggdrasil
 
   vars_files:
-    - secrets.yml
+    - secrets/common.yml
+    - secrets/yggdrasil.yml
 
   tasks:
     - import_tasks: tasks/sshd.yml
@@ -13,7 +14,8 @@
     - import_tasks: tasks/fail2ban.yml
     - import_tasks: tasks/systemd-mail.yml
     - import_tasks: tasks/zfs-scrub.yml
-    - import_tasks: tasks/trim.yml
+    - import_tasks: tasks/zfs-trim.yml
+    - import_tasks: tasks/fstrim.yml
     - import_tasks: tasks/zfsutils-cron.yml
     - import_tasks: tasks/ups.yml
     - import_tasks: tasks/smart.yml