added dns using hetzner dns, renamed pubnix => pub

2024-12-10 17:47:38 +01:00 · 2024-12-10 17:47:38 +01:00 · a92cda6b40
commit a92cda6b40
parent b429091ec7
23 changed files with 48 additions and 33 deletions
--- a/5
+++ b/5
@ -4,8 +4,9 @@
 VARS		= group_vars/all/vars.yaml
 VALL		= group_vars/all/all.yaml
 SECRET		= ~/.config/ansible/hcloud.secret
-KEYDIR		= roles/pubnix/files/keys
+KEYDIR		= roles/pub/files/keys
 TOKEN		= $(shell ansible-vault decrypt --output - $(VARS) | grep hetzner_cloud_token | cut -d' ' -f2)
 DNSTOKEN    = $(shell ansible-vault decrypt --output - $(VARS) | grep hetzner_dns_token | cut -d' ' -f2)
 SNAPNAME	= $(shell cat $(VALL) | yq .snapshot)
 SNAPSHOT    = $(shell hcloud image  list -t snapshot -o yaml | \
@ -19,7 +20,7 @@ HOSTS_COMMAND = ansible-playbook knownhosts.yaml $(OPTIONS)
 DEBUG_COMMAND = ansible-playbook debug.yaml $(OPTIONS)
 SHOW_COMMAND = ansible-inventory -i inventory/hosts.hcloud.yaml --list
-ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose)
+ENV = HCLOUD_TOKEN="$(TOKEN)" HETZNER_DNS_TOKEN="$(DNSTOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose)
 all: create deploy
--- a/debug.yaml
+++ b/debug.yaml
@ -1,9 +1,9 @@
 ---
- name: DEBUGGING ROLES
+- name: Gather facts
  tags: active
  hosts: running
  gather_facts: true
  user: root
  roles:
    - role: network
-    - role: user
+    - role: dns
--- a/deploy.yaml
+++ b/deploy.yaml
@ -6,10 +6,10 @@
  user: root
  roles:
    - role: reachable
    - role: dns
    - role: network
    - role: server
    - role: firewall
    - role: ssh
    - role: jails
-    - role: pubnix
+    - role: pub
    - role: dns
--- a/group_vars/all/all.yaml
+++ b/group_vars/all/all.yaml
@ -25,7 +25,7 @@ ssh_keys:
  - scip@pixel8
 jails:
-  pubnix:
+  pub:
    pkgs:
      - bash
      - zsh
@ -76,10 +76,7 @@ storage:
    - mount: /var/cron/tabs
      name: /crontabs
 # runas user must be  able to get to server using ssh  w/ key auth and
 # be member of the group knot, the dns jail must be running.
 dns:
  server: e3
  zone: bsdnix.de
  socket: /jail/run/dns/tmp/knot/knot.sock
--- a/group_vars/all/vars.yaml
+++ b/group_vars/all/vars.yaml
@ -1,12 +1,15 @@
 $ANSIBLE_VAULT;1.1;AES256
-30386430356466633261653236656333623835666363653766313864376439663739666539373466
+36656334643662656164636264613965393166643630633436346635386332366630366461313438
-6133333563663839306331373863623064656330363234660a613235386230353233336134333665
+3863656566373333306466623361626431633030383061610a373533353766306137393832613134
-33323865646238363862663334343738326339623939663036643833356466633062656362653061
+36346666616430376535343066313335393636363733323236363866373938346561356366336233
-3661626430303038360a303961356566663239656337333833323036343432656332386234623131
+3762346237636635610a363937306236623838346363643033353733623831316266313864313935
-34323538326435643534663239613438333037646261663462323661306536383435626133663562
+38313162383839633433326135333836323133313537373034653434353639613637623438663330
-34326239363138656666353563396132303633373539646330303536346637346532616462393332
+66396264666431383334636639363834613633336162353464366130333864396361646534623965
-64613233373331396364613466303535383964313836356365393735326136323832313731653936
+66633566623861336430353162333336626631376162626464653139626565636230646638643836
-31633637643632323139303132336663626532623037343139363839626165323062303335363237
+31356136626235656139336366363862313261653962666438303462353166613437663239366537
-31646234393337366330353261383465316632663232303464346566333738326164363935613933
+38316636316261663062353836313639393537343437323639376463633563616435616264393532
-63393139663665343861363434396664383965613437383963343861333565356135656335383234
+32333131613264363964613163303762626533623936333237326165356166363161666664646265
-656638656239636133646562383734323835
+65343564356661643933323634663639346634323564656366656235376234356537373237653235
 64393331343362613138666461653961646135386365623137306439343266333861653635653234
 64363934666433303165633764373431373030353238633165613630613538666363653361646432
 3833653436663838363539656235346166363430363233393965
--- a/inventory/vps.yaml
+++ b/inventory/vps.yaml
@ -1,6 +1,6 @@
 ---
 vps:
  hosts:
-    shell:
+    suto:
-      hostname: shell.daemon.de
+      hostname: suto
--- a/roles/dns/tasks/main.yaml
+++ b/roles/dns/tasks/main.yaml
@ -1,8 +1,11 @@
 ---
-# FIXME: get rid of hard coded hostnames
+- name: add dns entry for server
- name: add dns entry
+  community.dns.hetzner_dns_record:
-  shell: |
+    state: present
-    ssh {{ dns.server }} knotc -s {{ dns.socket }} zone-begin {{ dns.zone }}
+    zone: "{{ dns.zone }}"
-    ssh {{ dns.server }} knotc -s {{ dns.socket }} zone-set {{ dns.zone }} shell 300 AAAA {{ server_ipv6 }}
+    record: "{{ name }}.{{ dns.zone }}"
-    ssh {{ dns.server }} knotc -s {{ dns.socket }} zone-set {{ dns.zone }} pubnix 300 AAAA {{ jailip }}
+    type: AAAA
-    ssh {{ dns.server }} knotc -s {{ dns.socket }} zone-commit {{ dns.zone }}
+    ttl: 300
    value: "{{ server_ipv6 }}"
    hetzner_token: "{{ hetzner_dns_token }}"
--- a/roles/pubnix/bin/group.sh
+++ b/roles/pubnix/bin/group.sh
--- a/roles/pubnix/bin/user.sh
+++ b/roles/pubnix/bin/user.sh
--- a/roles/pubnix/files/keys/tom
+++ b/roles/pubnix/files/keys/tom
--- a/roles/pubnix/files/motd
+++ b/roles/pubnix/files/motd
--- a/roles/pubnix/files/skel/dot.bash_profile
+++ b/roles/pubnix/files/skel/dot.bash_profile
--- a/roles/pubnix/files/skel/dot.cshrc
+++ b/roles/pubnix/files/skel/dot.cshrc
--- a/roles/pubnix/files/skel/dot.emacs
+++ b/roles/pubnix/files/skel/dot.emacs
--- a/roles/pubnix/files/skel/dot.login
+++ b/roles/pubnix/files/skel/dot.login
--- a/roles/pubnix/files/skel/dot.login_conf
+++ b/roles/pubnix/files/skel/dot.login_conf
--- a/roles/pubnix/files/skel/dot.profile
+++ b/roles/pubnix/files/skel/dot.profile
--- a/roles/pubnix/files/skel/dot.shrc
+++ b/roles/pubnix/files/skel/dot.shrc
--- a/roles/pubnix/files/skel/dot.vimrc
+++ b/roles/pubnix/files/skel/dot.vimrc
--- a/roles/pubnix/files/sshd_config
+++ b/roles/pubnix/files/sshd_config
@ -1,4 +1,4 @@
-# pubnix sshd config
+# pub jail sshd config
 LogLevel INFO
 LoginGraceTime 1m
 PermitRootLogin no
--- a/roles/pubnix/tasks/main.yaml
+++ b/roles/pubnix/tasks/main.yaml
@ -75,7 +75,7 @@
 # create our own group[s]
 - name: Manage groups
  loop: "{{ jailgroups }}"
-  ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -d /usr/local/bastille/jails/pubnix/root"
+  ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -d /usr/local/bastille/jails/{{ role_name }}/root"
 # The normal  ansible user  module can't be  used here,  because we're
 # talking  about jail  users  here. I  tried to  patch  the module  to
@ -89,3 +89,14 @@
  loop: "{{ jailusers }}"
  ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups | default(defaults.group) }}' -c {{ role_name }}-user -a {{ item.state }} -d {{ defaults.jailbase }}/{{ role_name }}/root"
 - name: add dns entry for jail host
  community.dns.hetzner_dns_record:
    state: present
    zone: "{{ dns.zone }}"
    record: "{{ role_name }}.{{ dns.zone }}"
    type: AAAA
    ttl: 300
    value: "{{ jailip.stdout }}"
    hetzner_token: "{{ hetzner_dns_token }}"
--- a/roles/pubnix/templates/Bastillefile.j2
+++ b/roles/pubnix/templates/Bastillefile.j2
@ -1,6 +1,6 @@
 CP etc /
-PKG {{ jails.pubnix.pkgs | join(' ') }}
+PKG {{ jails.pub.pkgs | join(' ') }}
 SYSRC sshd_enable=YES
 SYSRC sendmail_enable=NONE
--- a/roles/pubnix/templates/resolv.conf.j2
+++ b/roles/pubnix/templates/resolv.conf.j2