diff --git a/Makefile b/Makefile
index ed8c280..3abeca8 100644
--- a/Makefile
+++ b/Makefile
@@ -4,8 +4,9 @@ VARS = group_vars/all/vars.yaml
 VALL = group_vars/all/all.yaml
 SECRET = ~/.config/ansible/hcloud.secret
-KEYDIR = roles/pubnix/files/keys
+KEYDIR = roles/pub/files/keys
 TOKEN = $(shell ansible-vault decrypt --output - $(VARS) | grep hetzner_cloud_token | cut -d' ' -f2)
+DNSTOKEN = $(shell ansible-vault decrypt --output - $(VARS) | grep hetzner_dns_token | cut -d' ' -f2)
 SNAPNAME = $(shell cat $(VALL) | yq .snapshot)
 SNAPSHOT = $(shell hcloud image list -t snapshot -o yaml | \
@@ -19,7 +20,7 @@ HOSTS_COMMAND = ansible-playbook knownhosts.yaml $(OPTIONS)
 DEBUG_COMMAND = ansible-playbook debug.yaml $(OPTIONS)
 SHOW_COMMAND = ansible-inventory -i inventory/hosts.hcloud.yaml --list
-ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose)
+ENV = HCLOUD_TOKEN="$(TOKEN)" HETZNER_DNS_TOKEN="$(DNSTOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose)
 all: create deploy
diff --git a/debug.yaml b/debug.yaml
index 2720627..3b0d3eb 100644
--- a/debug.yaml
+++ b/debug.yaml
@@ -1,9 +1,9 @@
 ---
-- name: DEBUGGING ROLES
+- name: Gather facts
 tags: active
 hosts: running
 gather_facts: true
 user: root
 roles:
 - role: network
- - role: user
+ - role: dns
diff --git a/deploy.yaml b/deploy.yaml
index 3a6402d..7c87dd1 100644
--- a/deploy.yaml
+++ b/deploy.yaml
@@ -6,10 +6,10 @@
 user: root
 roles:
 - role: reachable
+ - role: dns
 - role: network
 - role: server
 - role: firewall
 - role: ssh
 - role: jails
- - role: pubnix
- - role: dns
+ - role: pub
diff --git a/group_vars/all/all.yaml b/group_vars/all/all.yaml
index cf62df2..3352946 100644
--- a/group_vars/all/all.yaml
+++ b/group_vars/all/all.yaml
@@ -25,7 +25,7 @@ ssh_keys:
 - scip@pixel8
 jails:
- pubnix:
+ pub:
 pkgs:
 - bash
 - zsh
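Review bot: The added `DNSTOKEN = $(shell ansible-vault decrypt ... | grep hetzner_dns_token | cut -d' ' -f2)` matches the key by substring, so a commented-out copy or any longer key containing `hetzner_dns_token` yields two lines and a garbage token, and because it copies the recursive `=` flavour of the TOKEN line above, the vault is decrypted (and the vault password fetched) on every expansion of `$(ENV)`, now twice per expansion. Anchor the key and pick the value with one tool: `DNSTOKEN = $(shell ansible-vault decrypt --output - $(VARS) | awk '/^hetzner_dns_token:/ {print $$2}')`. If the lazy `=` is deliberate so targets that never expand `$(ENV)` do not touch the vault, keep it but consider one decrypt feeding both TOKEN and DNSTOKEN; otherwise `:=` stops the repeated decrypts. The hunk's trailing context line after `SNAPSHOT = ... | \` is not visible here.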
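Review bot: `HETZNER_DNS_TOKEN="$(DNSTOKEN)"` on the rewritten ENV line puts the plaintext token into the command line of every recipe that expands `$(ENV)`, so make echoes it to the terminal and any CI log unless those recipe lines are `@`-silenced, and it is readable by other local users via `ps` on the `sh -c` process while the playbook runs; the recipes are outside this hunk, so I cannot confirm they are silenced. The tasks added in this commit already pass `hetzner_token: "{{ hetzner_dns_token }}"` from the vault-encrypted group_vars, so the environment variable may not be needed at all. If it is, a file-level `export HETZNER_DNS_TOKEN = $(DNSTOKEN)` hands it to child processes through the environment without placing it on the echoed command line; the pre-existing `HCLOUD_TOKEN` has the same exposure.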
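Review bot: Swapping `- role: user` for `- role: dns` makes the play now titled "Gather facts" write a live AAAA record through the Hetzner API (that is what roles/dns/tasks/main.yaml does after this commit), so a debug run mutates public DNS as a side effect. If the role is only there to try the new task, run DEBUG_COMMAND with `--check` or guard the entry with `when: dns_debug | default(false)`; otherwise a comment such as `# dns: intentionally live, publishes the server AAAA` would tell the next reader it is not a leftover.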
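Review bot: `- role: dns` now runs right after `reachable`, before `network`, `server` and `firewall`, so the server's AAAA record built from `server_ipv6` is published before the host is configured and filtered; the old role ran last. Whether `server_ipv6` is defined that early is not visible here (it may be an inventory host var or a fact set by `network`), and in the latter case the dns task fails on an undefined variable. A comment above the entry naming the source of `server_ipv6` and why dns must precede `network`, e.g. `# dns first: only needs server_ipv6, which comes from <source>`, would pin the ordering if it is intentional.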
@@ -76,10 +76,7 @@ storage:
 - mount: /var/cron/tabs
 name: /crontabs
-# runas user must be able to get to server using ssh w/ key auth and
-# be member of the group knot, the dns jail must be running.
 dns:
- server: e3
 zone: bsdnix.de
 socket: /jail/run/dns/tmp/knot/knot.sock
diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml
index 87e7529..40e521f 100644
--- a/group_vars/all/vars.yaml
+++ b/group_vars/all/vars.yaml
@@ -1,12 +1,15 @@
 $ANSIBLE_VAULT;1.1;AES256
-30386430356466633261653236656333623835666363653766313864376439663739666539373466
-6133333563663839306331373863623064656330363234660a613235386230353233336134333665
-33323865646238363862663334343738326339623939663036643833356466633062656362653061
-3661626430303038360a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a373533353766306137393832613134
+36346666616430376535343066313335393636363733323236363866373938346561356366336233
+3762346237636635610a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
diff --git a/inventory/vps.yaml b/inventory/vps.yaml
index 2661a94..7bda3ca 100644
--- a/inventory/vps.yaml
+++ b/inventory/vps.yaml
@@ -1,6 +1,6 @@
 ---
 vps:
 hosts:
- shell:
- hostname: shell.daemon.de
+ suto:
+ hostname: suto
diff --git a/roles/dns/tasks/main.yaml b/roles/dns/tasks/main.yaml
index 1cfd23c..9de5817 100644
--- a/roles/dns/tasks/main.yaml
+++ b/roles/dns/tasks/main.yaml
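Review bot: `socket: /jail/run/dns/tmp/knot/knot.sock` is kept in the `dns` dict although its only visible consumer, the `knotc -s {{ dns.socket }}` shell in roles/dns/tasks/main.yaml, is deleted by this commit together with `server: e3` and the runas comment; the new Hetzner task reads only `dns.zone`. Unless another role still references `dns.socket`, remove it too so the variables do not describe a knot control socket that nothing talks to. The hunk's trailing context line after `socket:` is not visible here.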
@@ -1,8 +1,11 @@
 ---
-# FIXME: get rid of hard coded hostnames
-- name: add dns entry
- shell: |
- ssh {{ dns.server }} knotc -s {{ dns.socket }} zone-begin {{ dns.zone }}
- ssh {{ dns.server }} knotc -s {{ dns.socket }} zone-set {{ dns.zone }} shell 300 AAAA {{ server_ipv6 }}
- ssh {{ dns.server }} knotc -s {{ dns.socket }} zone-set {{ dns.zone }} pubnix 300 AAAA {{ jailip }}
- ssh {{ dns.server }} knotc -s {{ dns.socket }} zone-commit {{ dns.zone }}
+- name: add dns entry for server
+ community.dns.hetzner_dns_record:
+ state: present
+ zone: "{{ dns.zone }}"
+ record: "{{ name }}.{{ dns.zone }}"
+ type: AAAA
+ ttl: 300
+ value: "{{ server_ipv6 }}"
+ hetzner_token: "{{ hetzner_dns_token }}"
+
diff --git a/roles/pubnix/bin/group.sh b/roles/pub/bin/group.sh
similarity index 100%
rename from roles/pubnix/bin/group.sh
rename to roles/pub/bin/group.sh
diff --git a/roles/pubnix/bin/user.sh b/roles/pub/bin/user.sh
similarity index 100%
rename from roles/pubnix/bin/user.sh
rename to roles/pub/bin/user.sh
diff --git a/roles/pubnix/files/keys/tom b/roles/pub/files/keys/tom
similarity index 100%
rename from roles/pubnix/files/keys/tom
rename to roles/pub/files/keys/tom
diff --git a/roles/pubnix/files/motd b/roles/pub/files/motd
similarity index 100%
rename from roles/pubnix/files/motd
rename to roles/pub/files/motd
diff --git a/roles/pubnix/files/skel/dot.bash_profile b/roles/pub/files/skel/dot.bash_profile
similarity index 100%
rename from roles/pubnix/files/skel/dot.bash_profile
rename to roles/pub/files/skel/dot.bash_profile
diff --git a/roles/pubnix/files/skel/dot.cshrc b/roles/pub/files/skel/dot.cshrc
similarity index 100%
rename from roles/pubnix/files/skel/dot.cshrc
rename to roles/pub/files/skel/dot.cshrc
diff --git a/roles/pubnix/files/skel/dot.emacs b/roles/pub/files/skel/dot.emacs
similarity index 100%
rename from roles/pubnix/files/skel/dot.emacs
rename to roles/pub/files/skel/dot.emacs
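Review bot: `community.dns.hetzner_dns_record` with `state: present` manages, as far as I know, a single record identified by name, type and value, so when the server is rebuilt from the snapshot (`all: create deploy` in the Makefile) and comes up with a new IPv6 address the task adds a second AAAA record beside the stale one instead of replacing it, whereas the removed `knotc zone-set` overwrote the name. If the intent is "this name resolves to the current address", `community.dns.hetzner_dns_record_set` with `value: ["{{ server_ipv6 }}"]` replaces the whole set; `zone`, `type`, `ttl` and `hetzner_token` stay as written. `{{ name }}` on the `record:` line is not defined anywhere in this diff; if it is meant to be the inventory host, `record: "{{ inventory_hostname }}.{{ dns.zone }}"` is the unambiguous form, and otherwise a short comment naming where `name` comes from would help.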
diff --git a/roles/pubnix/files/skel/dot.login b/roles/pub/files/skel/dot.login
similarity index 100%
rename from roles/pubnix/files/skel/dot.login
rename to roles/pub/files/skel/dot.login
diff --git a/roles/pubnix/files/skel/dot.login_conf b/roles/pub/files/skel/dot.login_conf
similarity index 100%
rename from roles/pubnix/files/skel/dot.login_conf
rename to roles/pub/files/skel/dot.login_conf
diff --git a/roles/pubnix/files/skel/dot.profile b/roles/pub/files/skel/dot.profile
similarity index 100%
rename from roles/pubnix/files/skel/dot.profile
rename to roles/pub/files/skel/dot.profile
diff --git a/roles/pubnix/files/skel/dot.shrc b/roles/pub/files/skel/dot.shrc
similarity index 100%
rename from roles/pubnix/files/skel/dot.shrc
rename to roles/pub/files/skel/dot.shrc
diff --git a/roles/pubnix/files/skel/dot.vimrc b/roles/pub/files/skel/dot.vimrc
similarity index 100%
rename from roles/pubnix/files/skel/dot.vimrc
rename to roles/pub/files/skel/dot.vimrc
diff --git a/roles/pubnix/files/sshd_config b/roles/pub/files/sshd_config
similarity index 91%
rename from roles/pubnix/files/sshd_config
rename to roles/pub/files/sshd_config
index e22dcd3..d24e9ed 100644
--- a/roles/pubnix/files/sshd_config
+++ b/roles/pub/files/sshd_config
@@ -1,4 +1,4 @@
-# pubnix sshd config
+# pub jail sshd config
 LogLevel INFO
 LoginGraceTime 1m
 PermitRootLogin no
diff --git a/roles/pubnix/tasks/main.yaml b/roles/pub/tasks/main.yaml
similarity index 89%
rename from roles/pubnix/tasks/main.yaml
rename to roles/pub/tasks/main.yaml
index 7d68740..b74da96 100644
--- a/roles/pubnix/tasks/main.yaml
+++ b/roles/pub/tasks/main.yaml
@@ -75,7 +75,7 @@
 # create our own group[s]
 - name: Manage groups
 loop: "{{ jailgroups }}"
- ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -d /usr/local/bastille/jails/pubnix/root"
+ ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -d /usr/local/bastille/jails/{{ role_name }}/root"
 # The normal ansible user module can't be used here, because we're
 # talking about jail users here. I tried to patch the module to
@@ -89,3 +89,14 @@
 loop: "{{ jailusers }}"
 ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups | default(defaults.group) }}' -c {{ role_name }}-user -a {{ item.state }} -d {{ defaults.jailbase }}/{{ role_name }}/root"
+- name: add dns entry for jail host
+ community.dns.hetzner_dns_record:
+ state: present
+ zone: "{{ dns.zone }}"
+ record: "{{ role_name }}.{{ dns.zone }}"
+ type: AAAA
+ ttl: 300
+ value: "{{ jailip.stdout }}"
+ hetzner_token: "{{ hetzner_dns_token }}"
+
+
diff --git a/roles/pubnix/templates/Bastillefile.j2 b/roles/pub/templates/Bastillefile.j2
similarity index 89%
rename from roles/pubnix/templates/Bastillefile.j2
rename to roles/pub/templates/Bastillefile.j2
index 6a9b4a3..5496fbe 100644
--- a/roles/pubnix/templates/Bastillefile.j2
+++ b/roles/pub/templates/Bastillefile.j2
@@ -1,6 +1,6 @@
 CP etc /
-PKG {{ jails.pubnix.pkgs | join(' ') }}
+PKG {{ jails.pub.pkgs | join(' ') }}
 SYSRC sshd_enable=YES
 SYSRC sendmail_enable=NONE
diff --git a/roles/pubnix/templates/resolv.conf.j2 b/roles/pub/templates/resolv.conf.j2
similarity index 100%
rename from roles/pubnix/templates/resolv.conf.j2
rename to roles/pub/templates/resolv.conf.j2
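Review bot: The rewritten `ansible.builtin.script` line still hard-codes `/usr/local/bastille/jails/{{ role_name }}/root` while the user task in the next hunk derives the same directory from `{{ defaults.jailbase }}/{{ role_name }}/root`. Using `-d {{ defaults.jailbase }}/{{ role_name }}/root` here as well keeps group.sh and user.sh pointed at the same jail root if `defaults.jailbase` ever changes. Tying both the jail directory and (in the next hunk) the DNS label to `role_name` also means renaming the role again silently moves the jail; a comment `# jail name == role name by convention` above the task would make that coupling visible.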
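Review bot: The appended `add dns entry for jail host` task duplicates the record block of roles/dns/tasks/main.yaml with only `record:` and `value:` differing, and carries the same limitation: as far as I know `state: present` on a single `hetzner_dns_record` adds another AAAA when the jail comes up with a different address (for example after a rebuild from snapshot) rather than replacing the old one. Consider `community.dns.hetzner_dns_record_set` with `value: ["{{ jailip.stdout }}"]`, and factoring the block into one task file taken via `include_tasks` with the name and value passed as variables so both callers stay identical. `jailip` is registered outside this hunk; since the removed dns role used `{{ jailip }}` bare while this task uses `jailip.stdout`, a comment such as `# jailip is a registered command result; .stdout is the bare address` would document the assumption.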