initial commit

Signed-off-by: Thomas Schmid <tom@lfence.de>

.gitignore

@@ -0,0 +1 @@
+.vault_passwd

ansible.cfg

@@ -0,0 +1,16 @@
+[defaults]
+ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
+interpreter_python = auto
+inventory       = ./hosts
+nocows          = 1
+remote_user     = root
+retry_files_enabled = False
+roles_path      = ./roles
+vault_password_file = ./.vault_passwd
+# Use the YAML callback plugin.
+stdout_callback = debug
+# Use the stdout_callback when running ad-hoc commands.
+bin_ansible_callbacks = True
+
+[ssh_connection]
+pipelining      = true

group_vars/all/vars.yml

@@ -0,0 +1,6 @@
+---
+acertmgr_mode: webdir
+
+root_keys:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
+- "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAH+k8kCgonUvgBUE/XRABAUsmBbWGHc3lgsxZU4O99595EuCq8AtZa3i5XzGBExm5tFwEqL2u4RuYuxwePaV3fLAAGBwTPGxkCobRtOpaPC6XVLShYl+qFkKzijG3GexdJClUFIPvcvuol+4LgZQK2QCn5QERxhQUNDYQeao1mRBPNpLw== venti@sky"  

group_vars/all/vault.yml

@@ -0,0 +1,13 @@
+$ANSIBLE_VAULT;1.1;AES256
+65616234613165653261333463353761353165373339626365393238323866363562396638663862
+6163366532653966663862343530386233386464303736340a363961616163663963326432323565
+33326433343962383338613962366533386132333434386265353961626631383132343832393464
+3538383634333931310a386131646330653163363538386139353036373531316363396634663161
+37346365396637653864346537613963326464653531633132373234656539353037643265393561
+66626530666439353439343630616138613539376638623531316633613632393134613665346532
+35306161353034316563343832343035613165353831393866646630363134393831633665376634
+36663538366537306566303963316131386339373863383562363766656637333534326463653364
+32343962383631316636336563343833643739663766666361343362346530353961383463316136
+65396563326138623632663136636162386331646134356463323162373430363332623434326364
+63383032366561336337656465623038636434303332373961343632313566386533623566303434
+34366337616533313965

host_vars/canneloni.binary.kitchen

@@ -0,0 +1,2 @@
+octoprint_display_name: Prusa Mini
+octoprint_domain: canneloni.binary.kitchen

host_vars/maccaroni.binary.kitchen

@@ -0,0 +1,2 @@
+octoprint_display_name: Voron 2.4
+octoprint_domain: maccaroni.binary.kitchen

host_vars/raspberrypi

@@ -0,0 +1 @@
+octoprint_domain: raspberrypi.fritz.box

host_vars/spaghetti.binary copy.kitchen

@@ -0,0 +1,2 @@
+octoprint_display_name: Prusa MK3s
+octoprint_domain: spaghetti.binary.kitchen

hosts

@@ -0,0 +1,8 @@
+[3D_Printers_test]
+raspberrypi
+
+[Octoprint_hosts]
+spaghetti.binary.kitchen
+maccaroni.binary.kitchen
+canneloni.binary.kitchen
+

roles/acertmgr/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+
+acertmgr_version: "{{ lookup('url', 'https://raw.githubusercontent.com/moepman/acertmgr/master/version.txt') | trim }}"

roles/acertmgr/tasks/main.yml

@@ -0,0 +1,37 @@
+---
+
+- name: Install dependencies
+  apt:
+    name:
+    - python3-cryptography
+    - python3-dnspython
+    - python3-yaml
+    - python3-pkg-resources
+
+- name: Install acertmgr
+  apt:
+    deb: "https://github.com/moepman/acertmgr/releases/download/{{ acertmgr_version }}/python3-acertmgr_{{ acertmgr_version }}-1_all.deb"
+
+- name: Create config directories
+  file:
+    path: /etc/acertmgr
+    state: directory
+    mode: 0755
+
+- name: Configure acertmgr
+  template:
+    src: acertmgr.conf.j2
+    dest: /etc/acertmgr/acertmgr.conf
+
+- name: Create challenge directory
+  file:
+    path: /var/www/acme-challenge/
+    owner: root
+    mode: 0755
+    state: directory
+
+- name: Enable acertmgr cronjob
+  cron:
+    name: certmgr
+    special_time: daily
+    job: /usr/bin/acertmgr

roles/acertmgr/templates/acertmgr.conf.j2

@@ -0,0 +1,5 @@
+---
+
+mode: {{ acertmgr_mode }}
+webdir: /var/www/acme-challenge/
+authority_tos_agreement: true

roles/common/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+logrotate_excludes:
+- "/etc/logrotate.d/alternatives"
+- "/etc/logrotate.d/apt"
+- "/etc/logrotate.d/dpkg"
+- "/etc/logrotate.d/dbconfig-common"
+- "/etc/logrotate.d/btmp"
+- "/etc/logrotate.d/wtmp"

roles/common/files/.zshrc.local

@@ -0,0 +1,12 @@
+# completion
+autoload -U compinit
+compinit
+
+
+# cache for the completion
+zstyle ':completion::complete:*' use-cache 1
+
+
+# promt
+autoload -U promptinit
+promptinit

roles/common/files/resume

@@ -0,0 +1 @@
+RESUME=none

roles/common/files/vimrc.local

@@ -0,0 +1,2 @@
+set mouse=
+set ttymouse=

roles/common/handlers/main.yml

@@ -0,0 +1,15 @@
+---
+
+- name: Restart chrony
+  service: 
+    name: "{{ item.name }}"
+    state: restarted
+  when: "{{ item.os == ansible_facts['distribution'] }}"
+  loop:
+    - os: Debian
+      name: chrony
+    - os: Archlinux
+      name: chronyd
+
+- name: Restart journald
+  service: name=systemd-journald state=restarted

roles/common/tasks/Archlinux.yml

@@ -0,0 +1,77 @@
+---
+
+- name: Install misc software
+  pacman:
+    name:
+    - htop
+    - less
+    - net-tools
+    - openssl
+    - rsync
+    - sudo
+    - vim
+    - zsh
+    - logrotate
+
+- name: Configure misc software
+  copy: src={{ item.src }} dest={{ item.dest }}
+  diff: no
+  with_items:
+  - { src: ".zshrc", dest: "/root/.zshrc" }
+  - { src: ".zshrc.local", dest: "/root/.zshrc.local" }
+
+- name: Set shell for root user
+  user: name=root shell=/bin/zsh
+
+- name: Prevent normal users from running su
+  lineinfile:
+    path: /etc/pam.d/su
+    regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
+    line: "auth       required   pam_wheel.so"
+
+- name: Configure journald retention
+  lineinfile:
+    path: "/etc/systemd/journald.conf"
+    state: "present"
+    regexp: "^#?MaxRetentionSec=.*"
+    line: "MaxRetentionSec=7day"
+  notify: Restart journald
+
+- name: Set logrotate.conf to daily
+  replace:
+    path: "/etc/logrotate.conf"
+    regexp: "(?:weekly|monthly)"
+    replace: "daily"
+
+- name: Set logrotate.conf rotation to 7
+  replace:
+    path: "/etc/logrotate.conf"
+    regexp: "rotate [0-9]+"
+    replace: "rotate 7"
+
+- name: Find logrotate.d configuration files
+  find:
+    paths: "/etc/logrotate.d/"
+  register: "logrotateconfigs"
+
+- name: Convert found files to path list
+  set_fact:
+    alllogrotateconfigpaths: "{{ logrotateconfigs.files | map(attribute='path') | list }}"
+
+- name: Exclude files from ansible management
+  set_fact:
+    logrotateconfigpaths: "{{ alllogrotateconfigpaths | difference(logrotate_excludes) }}"
+
+- name: "Set logrotate.d/* to daily"
+  replace:
+    path: "{{ item }}"
+    regexp: "(?:weekly|monthly)"
+    replace: "daily"
+  loop: "{{ logrotateconfigpaths }}"
+
+- name: "Set /etc/logrotate.d/* rotation to 7"
+  replace:
+    path: "{{ item }}"
+    regexp: "rotate [0-9]+"
+    replace: "rotate 7"
+  loop: "{{ logrotateconfigpaths }}"

roles/common/tasks/Debian.yml

@@ -0,0 +1,83 @@
+---
+
+- name: Install misc software
+  apt:
+    name:
+    - apt-transport-https
+    - dnsutils
+    - gnupg2
+    - htop
+    - less
+    - net-tools
+    - openssl
+    - psmisc
+    - pydf
+    - rsync
+    - sudo
+    - vim
+    - zsh
+
+- name: Configure misc software
+  copy: src={{ item.src }} dest={{ item.dest }}
+  diff: no
+  with_items:
+  - { src: ".zshrc", dest: "/root/.zshrc" }
+  - { src: ".zshrc.local", dest: "/root/.zshrc.local" }
+  - { src: "motd", dest: "/etc/motd" }
+  - { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
+
+- name: Set shell for root user
+  user: name=root shell=/bin/zsh
+
+- name: Prevent normal users from running su
+  lineinfile:
+    path: /etc/pam.d/su
+    regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
+    line: "auth       required   pam_wheel.so"
+
+- name: Configure journald retention
+  lineinfile:
+    path: "/etc/systemd/journald.conf"
+    state: "present"
+    regexp: "^#?MaxRetentionSec=.*"
+    line: "MaxRetentionSec=7day"
+  notify: Restart journald
+
+- name: Set logrotate.conf to daily
+  replace:
+    path: "/etc/logrotate.conf"
+    regexp: "(?:weekly|monthly)"
+    replace: "daily"
+
+- name: Set logrotate.conf rotation to 7
+  replace:
+    path: "/etc/logrotate.conf"
+    regexp: "rotate [0-9]+"
+    replace: "rotate 7"
+
+- name: Find logrotate.d configuration files
+  find:
+    paths: "/etc/logrotate.d/"
+  register: "logrotateconfigs"
+
+- name: Convert found files to path list
+  set_fact:
+    alllogrotateconfigpaths: "{{ logrotateconfigs.files | map(attribute='path') | list }}"
+
+- name: Exclude files from ansible management
+  set_fact:
+    logrotateconfigpaths: "{{ alllogrotateconfigpaths | difference(logrotate_excludes) }}"
+
+- name: "Set logrotate.d/* to daily"
+  replace:
+    path: "{{ item }}"
+    regexp: "(?:weekly|monthly)"
+    replace: "daily"
+  loop: "{{ logrotateconfigpaths }}"
+
+- name: "Set /etc/logrotate.d/* rotation to 7"
+  replace:
+    path: "{{ item }}"
+    regexp: "rotate [0-9]+"
+    replace: "rotate 7"
+  loop: "{{ logrotateconfigpaths }}"

roles/common/tasks/chrony.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Install chrony for Debian
+  apt: name=chrony
+  notify: Restart chrony
+  when: ansible_os_family == "Debian"
+
+- name: Install chrony for Archlinux
+  pacman: name=chrony
+  notify: Restart chrony
+  when: ansible_os_family == "Archlinux"

roles/common/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+
+- name: Cleanup
+  apt: autoclean=yes
+  when: ansible_os_family == "Debian"
+
+- name: Gather package facts
+  package_facts:
+    manager: apt
+  when: ansible_os_family == "Debian"
+
+- name: Debian
+  include: Debian.yml
+  when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
+
+- name: Archlinux
+  include: Archlinux.yml
+  when: ansible_os_family == "Archlinux"
+
+- name: Setup chrony
+  include: chrony.yml

roles/docker/tasks/main.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Enable docker apt-key
+  apt_key: url='https://download.docker.com/linux/debian/gpg'
+
+- name: Enable docker repository
+  apt_repository:
+    repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
+    filename: docker
+
+- name: Install docker
+  apt:
+    name:
+    - docker-ce
+    - docker-ce-cli
+    - containerd.io
+    - python3-docker

roles/nginx/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+
+nginx_anonymize: False

roles/nginx/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+
+- name: Restart nginx
+  service: name=nginx state=restarted

roles/nginx/tasks/main.yml

@@ -0,0 +1,42 @@
+---
+
+- name: Install nginx
+  apt: name=nginx-light
+
+- name: Create certificate directory
+  file: path=/etc/nginx/ssl state=directory mode=0750
+  when: nginx_ssl
+
+- name: Ensure certificates are available
+  command:
+    cmd: >
+      openssl req -x509 -nodes -newkey rsa:2048
+      -keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key
+      -out /etc/nginx/ssl/{{ ansible_fqdn }}.crt
+      -days 730 -subj "/CN={{ ansible_fqdn }}"
+    creates: /etc/nginx/ssl/{{ ansible_fqdn }}.crt
+  when: nginx_ssl
+  notify: Restart nginx
+
+- name: Ensure correct certificate permissions
+  file: path=/etc/nginx/ssl/{{ ansible_fqdn }}.key owner=root mode=0400
+  when: nginx_ssl
+  notify: Restart nginx
+
+- name: Create DH parameters
+  command: openssl dhparam -outform PEM -out {{ item }} 2048 creates={{ item }}
+  when: nginx_ssl
+  with_items:
+  - /etc/nginx/dhparam.pem
+
+- name: Configure nginx
+  template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
+  notify: Restart nginx
+
+- name: Configure default vhost
+  template: src=default.j2 dest=/etc/nginx/sites-available/default
+  when: nginx_ssl
+  notify: Restart nginx
+
+- name: Start nginx
+  service: name=nginx state=started enabled=yes

roles/nginx/templates/default.j2

@@ -0,0 +1,28 @@
+# {{ ansible_managed }}
+
+server {
+	listen 80 default_server;
+	listen [::]:80 default_server;
+
+	server_name _;
+	server_name_in_redirect on;
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://$host$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name _;
+
+	ssl_certificate_key /etc/nginx/ssl/{{ ansible_fqdn }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ ansible_fqdn }}.crt;
+}

roles/nginx/templates/nginx.conf.j2

@@ -0,0 +1,97 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	server_tokens off;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_dhparam /etc/nginx/dhparam.pem;
+	ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers off;
+	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+	ssl_session_timeout 1d;
+	ssl_session_cache shared:MozSSL:10m;
+	ssl_session_tickets off;
+
+	ssl_stapling on;
+	ssl_stapling_verify on;
+
+	##
+	# Logging Settings
+	##
+
+{% if nginx_anonymize %}
+	map $remote_addr $ip_anonym1 {
+		default 0.0.0;
+		"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
+		"~(?P<ip>[^:]+:[^:]+):" $ip;
+	}
+
+	map $remote_addr $ip_anonym2 {
+		default .0;
+		"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
+		"~(?P<ip>[^:]+:[^:]+):" ::;
+	}
+
+	map $ip_anonym1$ip_anonym2 $ip_anonymized {
+		default 0.0.0.0;
+		"~(?P<ip>.*)" $ip;
+	}
+
+	log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
+		'"$request" $status $body_bytes_sent '
+		'"$http_referer" "$http_user_agent"';
+
+	access_log /var/log/nginx/access.log anonymized;
+{% else %}
+	access_log /var/log/nginx/access.log;
+{% endif %}
+	error_log /var/log/nginx/error.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+
+	gzip_vary on;
+	gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}

roles/octoprint/defaults/main.yml

@@ -0,0 +1,15 @@
+octoprint_user: octoprint
+octoprint_group: octoprint
+octoprint_dir: "/opt/octoprint"
+octoprint_ssl: false
+
+octoprint_config_salt: "{{ octoprint_salt }}"
+octoprint_config_api_key: "{{ octoprint_api_key}}"
+octoprint_config_secret_key: "{{ octoprint_secret_key }}"
+octoprint_config_display_name: 3D-Printer
+
+octoprint_printer_dimension:
+  x: 350
+  y: 350
+
+octoprint_printer_nozzle: 0.4

roles/octoprint/files/_default.profile

@@ -0,0 +1,33 @@
+axes:
+  e:
+    inverted: false
+    speed: 300
+  x:
+    inverted: false
+    speed: 6000
+  y:
+    inverted: false
+    speed: 6000
+  z:
+    inverted: false
+    speed: 200
+color: default
+extruder:
+  count: 1
+  nozzleDiameter: 0.4
+  offsets:
+  - - 0.0
+    - 0.0
+  sharedNozzle: false
+heatedBed: true
+heatedChamber: false
+id: _default
+model: Generic RepRap Printer
+name: Default
+volume:
+  custom_box: false
+  depth: 200.0
+  formFactor: rectangular
+  height: 200.0
+  origin: lowerleft
+  width: 200.0

roles/octoprint/files/users.yaml

@@ -0,0 +1,12 @@
+binarykitchen:
+  active: true
+  apikey: null
+  groups:
+  - users
+  - admins
+  password: fb5adb1fbecb856f2f37da607ea17faf4887cb353b0d28459b12fb814b59d325825b7856d604efddf30b7b0a08e95af0b5a78d6912830bac171d84fe0d8d2a33
+  permissions: []
+  roles:
+  - user
+  - admin
+  settings: {}

roles/octoprint/handlers/main.yml

@@ -0,0 +1,8 @@
+- name: Reload systemd
+  systemd: daemon_reload=yes
+
+- name: Restart octoprint
+  service: name=octoprint state=restarted
+
+- name: Restart nginx
+  service: name=nginx state=restarted

roles/octoprint/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+  - { role: acertmgr, when: octoprint_ssl }
+  - { role: nginx, nginx_ssl: octoprint_ssl }

roles/octoprint/tasks/main.yml

@@ -0,0 +1,151 @@
+---
+
+- name: Create group
+  group:
+    name: "{{ octoprint_group }}"
+
+- name: Create user
+  user: 
+    name: "{{ octoprint_user }}"
+    home: "/home/{{ octoprint_user }}"
+    group: "{{ octoprint_group }}"
+    append: yes
+    groups:
+    - video
+
+- name: Install requirements
+  apt:
+    name:
+    - python3-pip
+    - python3-virtualenv
+
+- name: Create virtual env and install python dependencies
+  pip:
+    name: octoprint
+    virtualenv: "{{ octoprint_dir }}"
+
+- name: Create configuration directories
+  file:
+    path: "/home/{{ octoprint_user }}/{{ item }}"
+    owner: "{{ octoprint_user }}"
+    group: "{{ octoprint_group }}"
+    state: directory
+    mode: u+rw,g+rw,o+r
+  with_items:
+  - .octoprint
+  - .octoprint/printerProfiles
+
+- name: Install systemd unit
+  template: src=octoprint.service.j2 dest=/lib/systemd/system/octoprint.service
+  notify:
+  - Reload systemd
+  - Restart octoprint
+
+################################################################################
+# Octoprint configuration
+################################################################################
+
+- name: Register if config already exists on target host
+  stat:
+    path: "/home/{{ octoprint_user }}/.octoprint/config.yaml"
+  register: octoprint_register_config_stat
+
+- name: Default octoprint config
+  set_fact:
+    octoprint_config: "{{ lookup('template', 'config.yaml.j2') | from_yaml }}"
+
+- name: Initial configuration of octoprint
+  copy:
+    content: "{{ octoprint_config | to_nice_yaml }}"
+    dest: "/home/{{ octoprint_user }}/.octoprint/config.yaml"
+  when: not octoprint_register_config_stat.stat.exists
+
+- name: Update existing Octoprint configuration
+  block:
+  - name: Read Octoprint config file
+    slurp:
+      src: "/home/{{ octoprint_user }}/.octoprint/config.yaml"
+    register: octoprint_register_config
+  
+  - name: Parse Octoprint config file
+    set_fact:
+      current_octoprint_config: "{{ octoprint_register_config['content'] | b64decode | from_yaml}}"
+
+  - name: Write updated octoprint configuration
+    copy:
+      content: "{{ octoprint_config | combine(current_octoprint_config, recursive=True) | to_nice_yaml}}"
+      dest: "/home/{{octoprint_user}}/.octoprint/config.yaml"
+    notify: Restart octoprint
+
+################################################################################
+# Octoprint Users
+################################################################################
+
+  when: octoprint_register_config_stat.stat.exists
+
+- name: Register if user databse already exists on target host
+  stat:
+    path: "/home/{{ octoprint_user }}/.octoprint.users.yaml"
+  register: octoprint_register_users
+
+- name: Read default octoprint users
+  set_fact:
+    octoprint_defaut_users: "{{ lookup('file', 'users.yaml') | from_yaml }}"
+
+- name: Copy default users
+  copy:
+    src: users.yaml
+    dest: "/home/{{ octoprint_user }}/.octoprint/users.yaml"
+  when: not octoprint_register_users.stat.exists
+
+- name: Merge users database with default users
+  block:
+  - name: Read Octoprint users file
+    slurp:
+      src: "/home/{{ octoprint_user }}/.octoprint/users.yaml"
+    register: octoprint_register_users_file
+
+  - name: Parse Octoprint users file
+    set_fact:
+      current_octoprint_users: "{{ octoprint_register_users_file['content'] | b64decode | from_yaml }}"
+  
+  - name: Merge current users with default users
+    set_fact:
+      octoprint_users_db: "{{ current_octoprint_users | combine(octoprint_default_users)}}"
+  
+  - name: Copy new users file
+    copy:
+      content: "{{ octoprint_users_db | to_nice_yaml }}"
+      dest: "/home/{{ octoprint_user }}/.octoprint.users.yaml"
+  when: octoprint_register_users.stat.exists
+
+################################################################################
+# Reverse proxy
+################################################################################
+
+- name: Configure reverse proxy
+  block:
+  - name: Ensure certificates are available
+    command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/apache2/ssl/{{ octoprint_domain }}.key -out /etc/apache2/ssl/{{ octoprint_domain }}.crt -days 730 -subj "/CN={{ octoprint_domain }}" creates=/etc/apache2/ssl/{{ octoprint_domain }}.crt
+    notify: Restart apache2
+    when: octoprint_ssl
+
+  - name: Configure certificate manager for octoprint
+    template: src=certs.j2 dest=/etc/acertmgr/{{ octoprint_domain }}.conf
+    notify: Run acertmgr
+    when: octoprint_ssl
+
+  - name: Configure vhost
+    template: src=nginx_vhost.j2 dest=/etc/nginx/sites-available/octoprint
+    notify: Restart nginx
+
+  - name: Enable vhost
+    file: src=/etc/nginx/sites-available/octoprint dest=/etc/nginx/sites-enabled/octoprint state=link
+    notify: Restart nginx
+
+- name: Enable octoprint
+  service:
+    name: octoprint
+    enabled: yes
+
+       

roles/octoprint/templates/config.yaml.j2

@@ -0,0 +1,46 @@
+---
+
+appearance:
+    name: "{{ octoprint_config_display_name }}"
+
+accessControl:
+    salt: "{{ octoprint_config_salt }}"
+    autologinAs: binarykitchen
+
+api:
+    key: "{{ octoprint_config_api_key }}"
+
+plugins:
+    tracking:
+        enabled: false
+
+server:
+    commands:
+        serverRestartCommand: systemctl restart octoprint
+        systemRestartCommand: reboot
+        systemShutdownCommand: shutdown now
+    firstRun: false
+    onlineCheck:
+        enabled: false
+    pluginBlacklist:
+        enabled: true
+    secretKey: "{{ octoprint_config_secret_key }}"
+    seenWizards:
+        backup: null
+        corewizard: 4
+        tracking: null
+
+temperature:
+    profiles:
+        - name: ABS
+          chamber: null
+          bed: 100
+          extruder: 240
+        - name: PLA
+          chamber: null
+          bed: 60
+          extruder: 200
+        - name: PETG
+          chamber: null
+          bed: 80
+          extruder: 230

roles/octoprint/templates/nginx_vhost.j2

@@ -0,0 +1,60 @@
+{% if not octoprint_ssl %}
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ octoprint_domain }};
+
+	location / {
+		client_max_body_size 1024M;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header Host $http_host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Scheme $scheme;
+        proxy_set_header X-Script-Name /octoprint;
+        proxy_http_version 1.1;
+		proxy_pass http://localhost:5000;
+	}
+}
+{% else %}
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ octoprint_domain }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://{{ octoprint_domain }}$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ gitea_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ gitea_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ gitea_domain }}.crt;
+
+	location / {
+		client_max_body_size 1024M;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header Host $http_host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Scheme $scheme;
+        proxy_set_header X-Script-Name /octoprint;
+        proxy_http_version 1.1;
+		proxy_pass http://localhost:5000;
+	}
+}
+{% endif %}

roles/octoprint/templates/octoprint.service.j2

@@ -0,0 +1,16 @@
+[Unit]
+Description=Octoprint
+After=syslog.target
+After=network.target
+
+[Service]
+RestartSec=2s
+Type=simple
+User={{ octoprint_user }}
+Group={{ octoprint_user }}
+WorkingDirectory={{ octoprint_dir }}
+ExecStart={{ octoprint_dir }}/bin/octoprint serve
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/root_keys/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+
+- name: Set authorized keys
+  template: src=authorized_keys.j2 dest=/root/.ssh/authorized_keys

roles/root_keys/templates/authorized_keys.j2

@@ -0,0 +1,10 @@
+{% if root_keys %}
+{% for key in root_keys %}
+{{ key }}
+{% endfor %}
+{% endif %}
+{% if root_keys_host is defined %}
+{% for key in root_keys_host %}
+{{ key }}
+{% endfor %}
+{% endif %}

roles/uau/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+
+uau_reboot: "false"

roles/uau/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Install unattended upgrades
+  apt:
+    name:
+    - unattended-upgrades
+    - debian-goodies
+
+- name: Configure unattended upgrades
+  template: src={{ item }}.j2 dest=/etc/apt/apt.conf.d/{{ item }}
+  with_items:
+  - 02periodic
+  - 50unattended-upgrades

roles/uau/templates/02periodic.j2

@@ -0,0 +1,18 @@
+// {{ ansible_managed }}
+// Enable the update/upgrade script (0=disable)
+APT::Periodic::Enable "1";
+
+// Do "apt-get update" automatically every n-days (0=disable)
+APT::Periodic::Update-Package-Lists "1";
+
+// Do "apt-get upgrade --download-only" every n-days (0=disable)
+APT::Periodic::Download-Upgradeable-Packages "1";
+
+// Run the "unattended-upgrade" security upgrade script
+// every n-days (0=disabled)
+// Requires the package "unattended-upgrades" and will write
+// a log in /var/log/unattended-upgrades
+APT::Periodic::Unattended-Upgrade "1";
+
+// Do "apt-get autoclean" every n-days (0=disable)
+APT::Periodic::AutocleanInterval "7";

roles/uau/templates/50unattended-upgrades.j2

@@ -0,0 +1,147 @@
+// {{ ansible_managed }}
+// Unattended-Upgrade::Origins-Pattern controls which packages are
+// upgraded.
+//
+// Lines below have the format format is "keyword=value,...".  A
+// package will be upgraded only if the values in its metadata match
+// all the supplied keywords in a line.  (In other words, omitted
+// keywords are wild cards.) The keywords originate from the Release
+// file, but several aliases are accepted.  The accepted keywords are:
+//   a,archive,suite (eg, "stable")
+//   c,component     (eg, "main", "contrib", "non-free")
+//   l,label         (eg, "Debian", "Debian-Security")
+//   o,origin        (eg, "Debian", "Unofficial Multimedia Packages")
+//   n,codename      (eg, "jessie", "jessie-updates")
+//     site          (eg, "http.debian.net")
+// The available values on the system are printed by the command
+// "apt-cache policy", and can be debugged by running
+// "unattended-upgrades -d" and looking at the log file.
+//
+// Within lines unattended-upgrades allows 2 macros whose values are
+// derived from /etc/debian_version:
+//   ${distro_id}            Installed origin.
+//   ${distro_codename}      Installed codename (eg, "buster")
+Unattended-Upgrade::Origins-Pattern {
+        // Codename based matching:
+        // This will follow the migration of a release through different
+        // archives (e.g. from testing to stable and later oldstable).
+        // Software will be the latest available for the named release,
+        // but the Debian release itself will not be automatically upgraded.
+        "origin=Debian,codename=${distro_codename}-updates";
+//      "origin=Debian,codename=${distro_codename}-proposed-updates";
+        "origin=Debian,codename=${distro_codename},label=Debian";
+        "origin=Debian,codename=${distro_codename},label=Debian-Security";
+
+        // Archive or Suite based matching:
+        // Note that this will silently match a different release after
+        // migration to the specified archive (e.g. testing becomes the
+        // new stable).
+//      "o=Debian,a=stable";
+//      "o=Debian,a=stable-updates";
+//      "o=Debian,a=proposed-updates";
+//      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
+};
+
+// Python regular expressions, matching packages to exclude from upgrading
+Unattended-Upgrade::Package-Blacklist {
+    // The following matches all packages starting with linux-
+//  "linux-";
+
+    // Use $ to explicitely define the end of a package name. Without
+    // the $, "libc6" would match all of them.
+//  "libc6$";
+//  "libc6-dev$";
+//  "libc6-i686$";
+
+    // Special characters need escaping
+//  "libstdc\+\+6$";
+
+    // The following matches packages like xen-system-amd64, xen-utils-4.1,
+    // xenstore-utils and libxenstore3.0
+//  "(lib)?xen(store)?";
+
+    // For more information about Python regular expressions, see
+    // https://docs.python.org/3/howto/regex.html
+};
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run
+//   dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGTERM. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+//Unattended-Upgrade::MinimalSteps "true";
+
+// Install all updates when the machine is shutting down
+// instead of doing it in the background while the machine is running.
+// This will (obviously) make shutdown slower.
+// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
+// This allows more time for unattended-upgrades to shut down gracefully
+// or even install a few packages in InstallOnShutdown mode, but is still a
+// big step back from the 30 minutes allowed for InstallOnShutdown previously.
+// Users enabling InstallOnShutdown mode are advised to increase
+// InhibitDelayMaxSec even further, possibly to 30 minutes.
+//Unattended-Upgrade::InstallOnShutdown "false";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+// Unattended-Upgrade::Mail "root";
+
+// Set this value to "true" to get emails only on errors. Default
+// is to always send a mail if Unattended-Upgrade::Mail is set
+// Unattended-Upgrade::MailOnlyOnError "true";
+
+// Remove unused automatically installed kernel-related packages
+// (kernel images, kernel headers and kernel version locked tools).
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+
+// Do automatic removal of newly unused dependencies after the upgrade
+Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+
+// Do automatic removal of unused packages after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+
+// Automatically reboot *WITHOUT CONFIRMATION* if
+//  the file /var/run/reboot-required is found after the upgrade
+Unattended-Upgrade::Automatic-Reboot "{{ uau_reboot }}";
+
+// Automatically reboot even if there are users currently logged in
+// when Unattended-Upgrade::Automatic-Reboot is set to true
+//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+//  Default: "now"
+//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";
+
+// Enable logging to syslog. Default is False
+// Unattended-Upgrade::SyslogEnable "false";
+
+// Specify syslog facility. Default is daemon
+// Unattended-Upgrade::SyslogFacility "daemon";
+
+// Download and install upgrades only on AC power
+// (i.e. skip or gracefully stop updates on battery)
+// Unattended-Upgrade::OnlyOnACPower "true";
+
+// Download and install upgrades only on non-metered connection
+// (i.e. skip or gracefully stop updates on a metered connection)
+// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
+
+// Verbose logging
+// Unattended-Upgrade::Verbose "false";
+
+// Print debugging information both in unattended-upgrades and
+// in unattended-upgrade-shutdown
+// Unattended-Upgrade::Debug "false";

site.yml

@@ -0,0 +1,10 @@
+- name: Setup common rules
+  hosts: [3D_Printers]
+  roles:
+  - common
+  - root_keys
+
+- name: Setup octoprint
+  hosts: [Octoprint_hosts]
+  roles:
+  - octoprint

site_testing.yml

@@ -0,0 +1,10 @@
+- name: Setup common rules
+  hosts: raspberrypi
+  roles:
+  - common
+  - root_keys
+
+- name: Setup octoprint
+  hosts: raspberrypi
+  roles:
+  - octoprint