initial commit

Signed-off-by: Thomas Schmid <tom@lfence.de>
This commit is contained in:
Thomas 2022-01-11 18:43:31 +01:00
commit 3dfff93c0e
46 changed files with 3868 additions and 0 deletions

1
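--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+.vault_passwd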

16
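--- a/ansible.cfg
+++ b/ansible.cfg
+[defaults]
+ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
+interpreter_python = auto
+inventory = ./hosts
+nocows = 1
+remote_user = root
+retry_files_enabled = False
+roles_path = ./roles
+vault_password_file = ./.vault_passwd
+# Use the YAML callback plugin.
+stdout_callback = debug
+# Use the stdout_callback when running ad-hoc commands.
+bin_ansible_callbacks = True
+[ssh_connection]
+pipelining = true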
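Review bot: The comment `# Use the YAML callback plugin.` does not describe the line under it, which selects `stdout_callback = debug`; either change the comment to `# Use the debug callback plugin for readable multi-line task output.` or set `stdout_callback = yaml`. `remote_user = root` means every managed host must accept direct root SSH logins, which the root_keys role in this commit relies on; if that is deliberate, say so here so a later hardening pass does not set `PermitRootLogin no` and break the inventory. `vault_password_file = ./.vault_passwd` is protected only by the `.gitignore` entry, so that file needs to be mode 0600 on every operator machine.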

6
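--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
+---
+acertmgr_mode: webdir
+root_keys:
+- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
+- "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAH+k8kCgonUvgBUE/XRABAUsmBbWGHc3lgsxZU4O99595EuCq8AtZa3i5XzGBExm5tFwEqL2u4RuYuxwePaV3fLAAGBwTPGxkCobRtOpaPC6XVLShYl+qFkKzijG3GexdJClUFIPvcvuol+4LgZQK2QCn5QERxhQUNDYQeao1mRBPNpLw== venti@sky"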

13
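--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -0,0 +1,13 @@
+$ANSIBLE_VAULT;1.1;AES256
+65616234613165653261333463353761353165373339626365393238323866363562396638663862
+6163366532653966663862343530386233386464303736340a363961616163663963326432323565
+33326433343962383338613962366533386132333434386265353961626631383132343832393464
+3538383634333931310a386131646330653163363538386139353036373531316363396634663161
+37346365396637653864346537613963326464653531633132373234656539353037643265393561
+66626530666439353439343630616138613539376638623531316633613632393134613665346532
+35306161353034316563343832343035613165353831393866646630363134393831633665376634
+36663538366537306566303963316131386339373863383562363766656637333534326463653364
+32343962383631316636336563343833643739663766666361343362346530353961383463316136
+65396563326138623632663136636162386331646134356463323162373430363332623434326364
+63383032366561336337656465623038636434303332373961343632313566386533623566303434
+34366337616533313965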


@ -0,0 +1,2 @@
octoprint_display_name: Prusa Mini
octoprint_domain: canneloni.binary.kitchen


@ -0,0 +1,2 @@
octoprint_display_name: Voron 2.4
octoprint_domain: maccaroni.binary.kitchen

1
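--- a/host_vars/raspberrypi
+++ b/host_vars/raspberrypi
@@ -0,0 +1 @@
+octoprint_domain: raspberrypi.fritz.box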


@ -0,0 +1,2 @@
octoprint_display_name: Prusa MK3s
octoprint_domain: spaghetti.binary.kitchen

8
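--- a/hosts
+++ b/hosts
+[3D_Printers_test]
+raspberrypi
+[Octoprint_hosts]
+spaghetti.binary.kitchen
+maccaroni.binary.kitchen
+canneloni.binary.kitchen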


@ -0,0 +1,3 @@
---
acertmgr_version: "{{ lookup('url', 'https://raw.githubusercontent.com/moepman/acertmgr/master/version.txt') | trim }}"
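Review bot: `acertmgr_version` is resolved on every run by fetching `version.txt` from the `master` branch of a third-party GitHub repository, so the version a host ends up with is whatever upstream has on that day, and the play is neither reproducible nor auditable. Pin it to the release tag you have actually tested and bump it deliberately; keeping the `lookup('url', …)` form available as an explicit override is fine, but it should not be the default for a package installed as root. A comment such as `# Pinned release; bump deliberately and update the .deb checksum used in tasks/main.yml` records the intent.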


@ -0,0 +1,37 @@
---
- name: Install dependencies
apt:
name:
- python3-cryptography
- python3-dnspython
- python3-yaml
- python3-pkg-resources
- name: Install acertmgr
apt:
deb: "https://github.com/moepman/acertmgr/releases/download/{{ acertmgr_version }}/python3-acertmgr_{{ acertmgr_version }}-1_all.deb"
- name: Create config directories
file:
path: /etc/acertmgr
state: directory
mode: 0755
- name: Configure acertmgr
template:
src: acertmgr.conf.j2
dest: /etc/acertmgr/acertmgr.conf
- name: Create challenge directory
file:
path: /var/www/acme-challenge/
owner: root
mode: 0755
state: directory
- name: Enable acertmgr cronjob
cron:
name: certmgr
special_time: daily
job: /usr/bin/acertmgr
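Review bot: The `Install acertmgr` task hands `apt` a `.deb` URL built from `acertmgr_version`, and a standalone `.deb` is not covered by apt's repository signature checks, so whatever GitHub serves for that URL is installed as root without any integrity check. Download it first with `get_url` and a pinned `checksum:` for that release, then install the local file; the rest of the role is unchanged. The `Configure acertmgr` template also writes `/etc/acertmgr/acertmgr.conf` with no `owner`/`mode`; an acertmgr config can reference ACME account material, so `mode: "0640"` is a cheap safeguard.
```yaml
- name: Download acertmgr package
  get_url:
    url: "https://github.com/moepman/acertmgr/releases/download/{{ acertmgr_version }}/python3-acertmgr_{{ acertmgr_version }}-1_all.deb"
    dest: "/var/cache/apt/archives/python3-acertmgr_{{ acertmgr_version }}-1_all.deb"
    checksum: "{{ acertmgr_deb_sha256 }}"  # sha256:<digest>, defined next to acertmgr_version in defaults/main.yml
    mode: "0644"
- name: Install acertmgr
  apt:
    deb: "/var/cache/apt/archives/python3-acertmgr_{{ acertmgr_version }}-1_all.deb"
# … unchanged: config directory, acertmgr.conf template, challenge directory, cron job …
```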


@ -0,0 +1,5 @@
---
mode: {{ acertmgr_mode }}
webdir: /var/www/acme-challenge/
authority_tos_agreement: true


@ -0,0 +1,8 @@
---
logrotate_excludes:
- "/etc/logrotate.d/alternatives"
- "/etc/logrotate.d/apt"
- "/etc/logrotate.d/dpkg"
- "/etc/logrotate.d/dbconfig-common"
- "/etc/logrotate.d/btmp"
- "/etc/logrotate.d/wtmp"

2790
roles/common/files/.zshrc Normal file

File diff suppressed because it is too large Load Diff


@ -0,0 +1,12 @@
# completion
autoload -U compinit
compinit
# cache for the completion
zstyle ':completion::complete:*' use-cache 1
# promt
autoload -U promptinit
promptinit

0
roles/common/files/motd Normal file


@ -0,0 +1 @@
RESUME=none


@ -0,0 +1,2 @@
set mouse=
set ttymouse=


@ -0,0 +1,15 @@
---
- name: Restart chrony
service:
name: "{{ item.name }}"
state: restarted
when: "{{ item.os == ansible_facts['distribution'] }}"
loop:
- os: Debian
name: chrony
- os: Archlinux
name: chronyd
- name: Restart journald
service: name=systemd-journald state=restarted
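Review bot: `when: "{{ item.os == ansible_facts['distribution'] }}"` wraps the condition in Jinja delimiters, which Ansible warns about because `when` is already evaluated as a Jinja expression; write it as `when: item.os == ansible_facts['distribution']`. The `Restart journald` handler uses the `key=value` shorthand while the handler above it uses block YAML; for consistency write it as `service:` with `name: systemd-journald` and `state: restarted`.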


@ -0,0 +1,77 @@
---
- name: Install misc software
pacman:
name:
- htop
- less
- net-tools
- openssl
- rsync
- sudo
- vim
- zsh
- logrotate
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: ".zshrc", dest: "/root/.zshrc" }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
- name: Set shell for root user
user: name=root shell=/bin/zsh
- name: Prevent normal users from running su
lineinfile:
path: /etc/pam.d/su
regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
line: "auth required pam_wheel.so"
- name: Configure journald retention
lineinfile:
path: "/etc/systemd/journald.conf"
state: "present"
regexp: "^#?MaxRetentionSec=.*"
line: "MaxRetentionSec=7day"
notify: Restart journald
- name: Set logrotate.conf to daily
replace:
path: "/etc/logrotate.conf"
regexp: "(?:weekly|monthly)"
replace: "daily"
- name: Set logrotate.conf rotation to 7
replace:
path: "/etc/logrotate.conf"
regexp: "rotate [0-9]+"
replace: "rotate 7"
- name: Find logrotate.d configuration files
find:
paths: "/etc/logrotate.d/"
register: "logrotateconfigs"
- name: Convert found files to path list
set_fact:
alllogrotateconfigpaths: "{{ logrotateconfigs.files | map(attribute='path') | list }}"
- name: Exclude files from ansible management
set_fact:
logrotateconfigpaths: "{{ alllogrotateconfigpaths | difference(logrotate_excludes) }}"
- name: "Set logrotate.d/* to daily"
replace:
path: "{{ item }}"
regexp: "(?:weekly|monthly)"
replace: "daily"
loop: "{{ logrotateconfigpaths }}"
- name: "Set /etc/logrotate.d/* rotation to 7"
replace:
path: "{{ item }}"
regexp: "rotate [0-9]+"
replace: "rotate 7"
loop: "{{ logrotateconfigpaths }}"
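Review bot: The `Prevent normal users from running su` task only matches a line that ends exactly in `pam_wheel.so`; if the distribution's `/etc/pam.d/su` ships the commented line with an argument such as `use_uid` (I believe Arch Linux's does), the regexp does not match and `lineinfile` appends a second `auth required pam_wheel.so` at the end of the file rather than uncommenting the shipped one. Loosen it to `regexp: '^#?\s*auth\s+required\s+pam_wheel\.so.*$'` and keep `use_uid` in the replacement line so the group check is done against the real uid, as the upstream default does. The unescaped `.` in `pam_wheel.so` also matches any character, so escape it as shown.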


@ -0,0 +1,83 @@
---
- name: Install misc software
apt:
name:
- apt-transport-https
- dnsutils
- gnupg2
- htop
- less
- net-tools
- openssl
- psmisc
- pydf
- rsync
- sudo
- vim
- zsh
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: ".zshrc", dest: "/root/.zshrc" }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
- { src: "motd", dest: "/etc/motd" }
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
- name: Set shell for root user
user: name=root shell=/bin/zsh
- name: Prevent normal users from running su
lineinfile:
path: /etc/pam.d/su
regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
line: "auth required pam_wheel.so"
- name: Configure journald retention
lineinfile:
path: "/etc/systemd/journald.conf"
state: "present"
regexp: "^#?MaxRetentionSec=.*"
line: "MaxRetentionSec=7day"
notify: Restart journald
- name: Set logrotate.conf to daily
replace:
path: "/etc/logrotate.conf"
regexp: "(?:weekly|monthly)"
replace: "daily"
- name: Set logrotate.conf rotation to 7
replace:
path: "/etc/logrotate.conf"
regexp: "rotate [0-9]+"
replace: "rotate 7"
- name: Find logrotate.d configuration files
find:
paths: "/etc/logrotate.d/"
register: "logrotateconfigs"
- name: Convert found files to path list
set_fact:
alllogrotateconfigpaths: "{{ logrotateconfigs.files | map(attribute='path') | list }}"
- name: Exclude files from ansible management
set_fact:
logrotateconfigpaths: "{{ alllogrotateconfigpaths | difference(logrotate_excludes) }}"
- name: "Set logrotate.d/* to daily"
replace:
path: "{{ item }}"
regexp: "(?:weekly|monthly)"
replace: "daily"
loop: "{{ logrotateconfigpaths }}"
- name: "Set /etc/logrotate.d/* rotation to 7"
replace:
path: "{{ item }}"
regexp: "rotate [0-9]+"
replace: "rotate 7"
loop: "{{ logrotateconfigpaths }}"
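Review bot: `MaxRetentionSec=7day` together with `rotate 7` on a daily schedule leaves at most one week of log history on each host, and nothing in this commit forwards logs elsewhere, so an incident discovered later than that has no local evidence to work from. If the short retention is deliberate (small storage on the printers, presumably), record it with `# Retention is intentionally short for the small SD cards; forward logs if longer history is needed.` above the journald task; otherwise raise both values or add a remote log target. These logrotate/journald tasks are also duplicated verbatim from Archlinux.yml, so a shared `logrotate.yml` included from both files would keep the two from drifting apart.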


@ -0,0 +1,11 @@
---
- name: Install chrony for Debian
apt: name=chrony
notify: Restart chrony
when: ansible_os_family == "Debian"
- name: Install chrony for Archlinux
pacman: name=chrony
notify: Restart chrony
when: ansible_os_family == "Archlinux"
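Review bot: On Arch Linux installing `chrony` with `pacman` does not enable or start `chronyd`; the `Restart chrony` handler restarts it once, but nothing enables it for the next boot, so the host can drift with no time sync, which can break TLS certificate validity checks and makes log timestamps unreliable. Add a task after the installs, e.g. `service: name={{ 'chronyd' if ansible_os_family == 'Archlinux' else 'chrony' }} state=started enabled=yes`, so both distributions end with the service enabled; Debian already enables it on install, so the task is idempotent there.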


@ -0,0 +1,21 @@
---
- name: Cleanup
apt: autoclean=yes
when: ansible_os_family == "Debian"
- name: Gather package facts
package_facts:
manager: apt
when: ansible_os_family == "Debian"
- name: Debian
include: Debian.yml
when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
- name: Archlinux
include: Archlinux.yml
when: ansible_os_family == "Archlinux"
- name: Setup chrony
include: chrony.yml
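Review bot: `include:` is the long-deprecated task keyword (removed in recent ansible-core releases, as far as I recall), so this role will stop loading on a current Ansible; replace the three uses with `import_tasks:` (static, the `when:` is applied to each imported task) or `include_tasks:` (dynamic). The `Cleanup` task runs `apt autoclean` before anything else is installed, which is harmless but surprising at the top of a setup role; a one-line comment saying why it comes first would help the next reader.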


@ -0,0 +1,17 @@
---
- name: Enable docker apt-key
apt_key: url='https://download.docker.com/linux/debian/gpg'
- name: Enable docker repository
apt_repository:
repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
filename: docker
- name: Install docker
apt:
name:
- docker-ce
- docker-ce-cli
- containerd.io
- python3-docker
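Review bot: `apt_key: url='https://download.docker.com/linux/debian/gpg'` imports Docker's key into the global apt keyring, which lets that key sign packages for any configured repository, and with no `id:` fingerprint whatever is served at that URL is trusted. Prefer the `signed-by` pattern: fetch the key into `/etc/apt/keyrings/` with `get_url` and reference it from the repository line, so its trust is scoped to this one source (`apt-key` itself is deprecated on current Debian). This role is also not referenced from `site.yml`, so in this commit it is dead code.
```yaml
- name: Ensure apt keyrings directory exists
  file:
    path: /etc/apt/keyrings
    state: directory
    mode: "0755"
- name: Install docker apt signing key
  get_url:
    url: https://download.docker.com/linux/debian/gpg
    dest: /etc/apt/keyrings/docker.asc
    mode: "0644"
- name: Enable docker repository
  apt_repository:
    repo: 'deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
    filename: docker
# … unchanged: Install docker …
```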


@ -0,0 +1,3 @@
---
nginx_anonymize: False


@ -0,0 +1,4 @@
---
- name: Restart nginx
service: name=nginx state=restarted


@ -0,0 +1,42 @@
---
- name: Install nginx
apt: name=nginx-light
- name: Create certificate directory
file: path=/etc/nginx/ssl state=directory mode=0750
when: nginx_ssl
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key
-out /etc/nginx/ssl/{{ ansible_fqdn }}.crt
-days 730 -subj "/CN={{ ansible_fqdn }}"
creates: /etc/nginx/ssl/{{ ansible_fqdn }}.crt
when: nginx_ssl
notify: Restart nginx
- name: Ensure correct certificate permissions
file: path=/etc/nginx/ssl/{{ ansible_fqdn }}.key owner=root mode=0400
when: nginx_ssl
notify: Restart nginx
- name: Create DH parameters
command: openssl dhparam -outform PEM -out {{ item }} 2048 creates={{ item }}
when: nginx_ssl
with_items:
- /etc/nginx/dhparam.pem
- name: Configure nginx
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
notify: Restart nginx
- name: Configure default vhost
template: src=default.j2 dest=/etc/nginx/sites-available/default
when: nginx_ssl
notify: Restart nginx
- name: Start nginx
service: name=nginx state=started enabled=yes
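Review bot: `Ensure certificates are available` runs `openssl req … -nodes` through the `command` module, so the private key is created with the process umask (typically 0644 under root) and only tightened to 0400 by the next task, leaving a window where it is world-readable. Run it through `shell` as `umask 077 && openssl req …` (keeping `creates:`) so the key never has loose permissions, and drop `notify: Restart nginx` from the permissions task since a mode change needs no reload. `nginx_ssl` is used in four `when:` clauses but has no entry in `defaults/main.yml`, so using this role outside the octoprint dependency fails on an undefined variable; add `nginx_ssl: false` there.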


@ -0,0 +1,28 @@
# {{ ansible_managed }}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
server_name_in_redirect on;
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name _;
ssl_certificate_key /etc/nginx/ssl/{{ ansible_fqdn }}.key;
ssl_certificate /etc/nginx/ssl/{{ ansible_fqdn }}.crt;
}
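Review bot: The HTTPS `server` block has no `default_server` flag (the HTTP one does), so which vhost answers a TLS connection for an unknown name depends on the order nginx loads `sites-enabled`, and this self-signed catch-all is not guaranteed to be it; add `default_server` to both `listen 443` lines. The block also has no `location` or `return`, so unmatched HTTPS requests fall through to nginx's default document root; `return 444;` there closes such connections instead of serving the default page. A comment like `# catch-all: unknown names get the self-signed cert and are dropped` would make the role of this vhost clear.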


@ -0,0 +1,97 @@
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
##
# Logging Settings
##
{% if nginx_anonymize %}
map $remote_addr $ip_anonym1 {
default 0.0.0;
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
"~(?P<ip>[^:]+:[^:]+):" $ip;
}
map $remote_addr $ip_anonym2 {
default .0;
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
"~(?P<ip>[^:]+:[^:]+):" ::;
}
map $ip_anonym1$ip_anonym2 $ip_anonymized {
default 0.0.0.0;
"~(?P<ip>.*)" $ip;
}
log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log anonymized;
{% else %}
access_log /var/log/nginx/access.log;
{% endif %}
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_vary on;
gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
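Review bot: `ssl_stapling on` and `ssl_stapling_verify on` are set but there is no `resolver` directive anywhere in this file, and nginx needs one to look up the OCSP responder hostname, so stapling will silently not happen (nginx logs a warning at startup); add a `resolver …;` line pointing at the hosts' DNS, or drop the two directives since the only certificate in this commit is self-signed. `ssl_prefer_server_ciphers off` with this cipher list and `ssl_session_tickets off` match the Mozilla intermediate profile, which deserves a comment so nobody "fixes" it later. The anonymised `log_format` still records `$remote_user` and the full `$request`, so a comment noting that only the client IP is anonymised avoids overclaiming.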


@ -0,0 +1,15 @@
octoprint_user: octoprint
octoprint_group: octoprint
octoprint_dir: "/opt/octoprint"
octoprint_ssl: false
octoprint_config_salt: "{{ octoprint_salt }}"
octoprint_config_api_key: "{{ octoprint_api_key}}"
octoprint_config_secret_key: "{{ octoprint_secret_key }}"
octoprint_config_display_name: 3D-Printer
octoprint_printer_dimension:
x: 350
y: 350
octoprint_printer_nozzle: 0.4
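Review bot: `octoprint_config_salt`, `octoprint_config_api_key` and `octoprint_config_secret_key` come from `octoprint_salt`, `octoprint_api_key` and `octoprint_secret_key`, which are not defined anywhere visible in this commit and presumably live in the encrypted `group_vars/all/vault.yml`; if so, every printer shares one API key, Flask secret key and password salt, so a leak from any one host's config file is a valid credential for all of them. Move these to per-host vault files (`host_vars/<host>/vault.yml`) or generate them once on the host, and add `# Must be unique per host` next to the three lines. `octoprint_printer_dimension` and `octoprint_printer_nozzle` are defined here but the printer profile in this commit is a static file, so they appear to be unused.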


@ -0,0 +1,33 @@
axes:
e:
inverted: false
speed: 300
x:
inverted: false
speed: 6000
y:
inverted: false
speed: 6000
z:
inverted: false
speed: 200
color: default
extruder:
count: 1
nozzleDiameter: 0.4
offsets:
- - 0.0
- 0.0
sharedNozzle: false
heatedBed: true
heatedChamber: false
id: _default
model: Generic RepRap Printer
name: Default
volume:
custom_box: false
depth: 200.0
formFactor: rectangular
height: 200.0
origin: lowerleft
width: 200.0


@ -0,0 +1,12 @@
binarykitchen:
active: true
apikey: null
groups:
- users
- admins
password: fb5adb1fbecb856f2f37da607ea17faf4887cb353b0d28459b12fb814b59d325825b7856d604efddf30b7b0a08e95af0b5a78d6912830bac171d84fe0d8d2a33
permissions: []
roles:
- user
- admin
settings: {}
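Review bot: This file commits, unencrypted, an account `binarykitchen` with the `admin` role and a fixed SHA-512 password hash (as far as I recall OctoPrint's legacy scheme hashes the password concatenated with the configured salt), and the tasks install it on every printer, so one cracked hash or one leaked repo clone is an admin login everywhere. Keep the hash in the vault and render this file with `template:` (e.g. `password: "{{ octoprint_admin_password_hash }}"`) instead of `copy:`, and prefer a distinct password per host. Add `# Default admin created by ansible; the hash must come from the vault, never commit a real one` at the top as a reminder.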


@ -0,0 +1,8 @@
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart octoprint
service: name=octoprint state=restarted
- name: Restart nginx
service: name=nginx state=restarted


@ -0,0 +1,5 @@
---
dependencies:
- { role: acertmgr, when: octoprint_ssl }
- { role: nginx, nginx_ssl: octoprint_ssl }
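Review bot: `nginx_ssl: octoprint_ssl` passes the literal string `octoprint_ssl` to the nginx role, not the variable's value, because role parameters are plain YAML unless written as Jinja; it must be `nginx_ssl: "{{ octoprint_ssl }}"`. As written the nginx role's `when: nginx_ssl` only works by accident, since Ansible re-evaluates a bare string result as an expression, a behaviour that is deprecated and warned about in recent ansible-core. The `acertmgr` line is fine because `when:` is already an expression context.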


@ -0,0 +1,151 @@
---
- name: Create group
group:
name: "{{ octoprint_group }}"
- name: Create user
user:
name: "{{ octoprint_user }}"
home: "/home/{{ octoprint_user }}"
group: "{{ octoprint_group }}"
append: yes
groups:
- video
- name: Install requirements
apt:
name:
- python3-pip
- python3-virtualenv
- name: Create virtual env and install python dependencies
pip:
name: octoprint
virtualenv: "{{ octoprint_dir }}"
- name: Create configuration directories
file:
path: "/home/{{ octoprint_user }}/{{ item }}"
owner: "{{ octoprint_user }}"
group: "{{ octoprint_group }}"
state: directory
mode: u+rw,g+rw,o+r
with_items:
- .octoprint
- .octoprint/printerProfiles
- name: Install systemd unit
template: src=octoprint.service.j2 dest=/lib/systemd/system/octoprint.service
notify:
- Reload systemd
- Restart octoprint
################################################################################
# Octoprint configuration
################################################################################
- name: Register if config already exists on target host
stat:
path: "/home/{{ octoprint_user }}/.octoprint/config.yaml"
register: octoprint_register_config_stat
- name: Default octoprint config
set_fact:
octoprint_config: "{{ lookup('template', 'config.yaml.j2') | from_yaml }}"
- name: Initial configuration of octoprint
copy:
content: "{{ octoprint_config | to_nice_yaml }}"
dest: "/home/{{ octoprint_user }}/.octoprint/config.yaml"
when: not octoprint_register_config_stat.stat.exists
- name: Update existing Octoprint configuration
block:
- name: Read Octoprint config file
slurp:
src: "/home/{{ octoprint_user }}/.octoprint/config.yaml"
register: octoprint_register_config
- name: Parse Octoprint config file
set_fact:
current_octoprint_config: "{{ octoprint_register_config['content'] | b64decode | from_yaml}}"
- name: Write updated octoprint configuration
copy:
content: "{{ octoprint_config | combine(current_octoprint_config, recursive=True) | to_nice_yaml}}"
dest: "/home/{{octoprint_user}}/.octoprint/config.yaml"
notify: Restart octoprint
################################################################################
# Octoprint Users
################################################################################
when: octoprint_register_config_stat.stat.exists
- name: Register if user databse already exists on target host
stat:
path: "/home/{{ octoprint_user }}/.octoprint.users.yaml"
register: octoprint_register_users
- name: Read default octoprint users
set_fact:
octoprint_defaut_users: "{{ lookup('file', 'users.yaml') | from_yaml }}"
- name: Copy default users
copy:
src: users.yaml
dest: "/home/{{ octoprint_user }}/.octoprint/users.yaml"
when: not octoprint_register_users.stat.exists
- name: Merge users database with default users
block:
- name: Read Octoprint users file
slurp:
src: "/home/{{ octoprint_user }}/.octoprint/users.yaml"
register: octoprint_register_users_file
- name: Parse Octoprint users file
set_fact:
current_octoprint_users: "{{ octoprint_register_users_file['content'] | b64decode | from_yaml }}"
- name: Merge current users with default users
set_fact:
octoprint_users_db: "{{ current_octoprint_users | combine(octoprint_default_users)}}"
- name: Copy new users file
copy:
content: "{{ octoprint_users_db | to_nice_yaml }}"
dest: "/home/{{ octoprint_user }}/.octoprint.users.yaml"
when: octoprint_register_users.stat.exists
################################################################################
# Reverse proxy
################################################################################
- name: Configure reverse proxy
block:
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/apache2/ssl/{{ octoprint_domain }}.key -out /etc/apache2/ssl/{{ octoprint_domain }}.crt -days 730 -subj "/CN={{ octoprint_domain }}" creates=/etc/apache2/ssl/{{ octoprint_domain }}.crt
notify: Restart apache2
when: octoprint_ssl
- name: Configure certificate manager for octoprint
template: src=certs.j2 dest=/etc/acertmgr/{{ octoprint_domain }}.conf
notify: Run acertmgr
when: octoprint_ssl
- name: Configure vhost
template: src=nginx_vhost.j2 dest=/etc/nginx/sites-available/octoprint
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/octoprint dest=/etc/nginx/sites-enabled/octoprint state=link
notify: Restart nginx
- name: Enable octoprint
service:
name: octoprint
enabled: yes
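Review bot: The `Initial configuration of octoprint`, `Write updated octoprint configuration`, `Copy default users` and `Copy new users file` tasks write `config.yaml` and `users.yaml` (which carry the API key, Flask `secretKey` and password hashes) as root with the default mode, so they end up root-owned and world-readable and the `octoprint` service user cannot update its own settings; each `copy:` needs `owner`, `group` and `mode: "0600"`. Two typos also break the user-merge path: `/home/{{ octoprint_user }}/.octoprint.users.yaml` in the stat and the final write should be `.octoprint/users.yaml`, and the fact is set as `octoprint_defaut_users` but read as `octoprint_default_users`, which is undefined. The `Configure reverse proxy` block writes keys to `/etc/apache2/ssl` and notifies `Restart apache2` and `Run acertmgr`, none of which exist in this role (handlers/main.yml has only `Reload systemd`, `Restart octoprint`, `Restart nginx`), so any host with `octoprint_ssl: true` fails; drop the duplicate openssl task (the nginx role already generates the key) and add a `Run acertmgr` handler. Note also that `current_octoprint_users | combine(…default…)` lets the committed entry win, so a password changed in the UI is reverted on the next run; swap the operands if that is not intended.
```yaml
- name: Initial configuration of octoprint
  copy:
    content: "{{ octoprint_config | to_nice_yaml }}"
    dest: "/home/{{ octoprint_user }}/.octoprint/config.yaml"
    owner: "{{ octoprint_user }}"
    group: "{{ octoprint_group }}"
    mode: "0600"  # holds api key and secretKey
  when: not octoprint_register_config_stat.stat.exists
# … unchanged: read and parse existing config …
    - name: Write updated octoprint configuration
      copy:
        content: "{{ octoprint_config | combine(current_octoprint_config, recursive=True) | to_nice_yaml }}"
        dest: "/home/{{ octoprint_user }}/.octoprint/config.yaml"
        owner: "{{ octoprint_user }}"
        group: "{{ octoprint_group }}"
        mode: "0600"
      notify: Restart octoprint
# … unchanged: when clause of the block …
- name: Register if user database already exists on target host
  stat:
    path: "/home/{{ octoprint_user }}/.octoprint/users.yaml"
  register: octoprint_register_users
- name: Read default octoprint users
  set_fact:
    octoprint_default_users: "{{ lookup('file', 'users.yaml') | from_yaml }}"
- name: Copy default users
  copy:
    src: users.yaml
    dest: "/home/{{ octoprint_user }}/.octoprint/users.yaml"
    owner: "{{ octoprint_user }}"
    group: "{{ octoprint_group }}"
    mode: "0600"  # holds password hashes
  when: not octoprint_register_users.stat.exists
# … unchanged: read, parse and merge existing users …
    - name: Copy new users file
      copy:
        content: "{{ octoprint_users_db | to_nice_yaml }}"
        dest: "/home/{{ octoprint_user }}/.octoprint/users.yaml"
        owner: "{{ octoprint_user }}"
        group: "{{ octoprint_group }}"
        mode: "0600"
# … unchanged: reverse proxy block, enable octoprint …
```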


@ -0,0 +1,46 @@
---
appearance:
name: "{{ octoprint_config_display_name }}"
accessControl:
salt: "{{ octoprint_config_salt }}"
autologinAs: binarykitchen
api:
key: "{{ octoprint_config_api_key }}"
plugins:
tracking:
enabled: false
server:
commands:
serverRestartCommand: systemctl restart octoprint
systemRestartCommand: reboot
systemShutdownCommand: shutdown now
firstRun: false
onlineCheck:
enabled: false
pluginBlacklist:
enabled: true
secretKey: "{{ octoprint_config_secret_key }}"
seenWizards:
backup: null
corewizard: 4
tracking: null
temperature:
profiles:
- name: ABS
chamber: null
bed: 100
extruder: 240
- name: PLA
chamber: null
bed: 60
extruder: 200
- name: PETG
chamber: null
bed: 80
extruder: 230
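Review bot: `autologinAs: binarykitchen` names the admin account from users.yaml; as far as I recall OctoPrint only honours it together with `autologinLocal: true` and a `localNetworks` list, so either this line is inert or, once those are added, anyone who reaches the UI from the listed networks is an administrator without a password. Make the intent explicit: either remove `autologinAs`, or add `autologinLocal: true` with `localNetworks` restricted to the printer LAN and a comment `# autologin grants admin to every client on localNetworks; keep the list tight`. `systemRestartCommand: reboot` and `systemShutdownCommand: shutdown now` will also not work from the unprivileged service user without a sudo or polkit rule, which this commit does not add.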


@ -0,0 +1,60 @@
{% if not octoprint_ssl %}
server {
listen 80;
listen [::]:80;
server_name {{ octoprint_domain }};
location / {
client_max_body_size 1024M;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Script-Name /octoprint;
proxy_http_version 1.1;
proxy_pass http://localhost:5000;
}
}
{% else %}
server {
listen 80;
listen [::]:80;
server_name {{ octoprint_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ octoprint_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ gitea_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ gitea_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ gitea_domain }}.crt;
location / {
client_max_body_size 1024M;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Script-Name /octoprint;
proxy_http_version 1.1;
proxy_pass http://localhost:5000;
}
}
{% endif %}
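Review bot: The TLS `server` block uses `{{ gitea_domain }}` for `server_name`, `ssl_certificate_key` and `ssl_certificate`, a variable that exists nowhere in this repository (it looks copied from a gitea role), so the template fails to render as soon as `octoprint_ssl` is true; the three lines should read `server_name {{ octoprint_domain }};`, `ssl_certificate_key /etc/nginx/ssl/{{ octoprint_domain }}.key;` and `ssl_certificate /etc/nginx/ssl/{{ octoprint_domain }}.crt;`. Both branches send `X-Script-Name /octoprint` while proxying at `location /`, so OctoPrint will likely generate links under an `/octoprint` prefix that nginx does not serve; drop the header or move the location. With `octoprint_ssl` false the UI and its API key travel in clear text on port 80, which may be acceptable on an isolated printer LAN but deserves a comment saying so.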


@ -0,0 +1,16 @@
[Unit]
Description=Octoprint
After=syslog.target
After=network.target
[Service]
RestartSec=2s
Type=simple
User={{ octoprint_user }}
Group={{ octoprint_user }}
WorkingDirectory={{ octoprint_dir }}
ExecStart={{ octoprint_dir }}/bin/octoprint serve
Restart=always
[Install]
WantedBy=multi-user.target
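Review bot: `Group={{ octoprint_user }}` uses the user variable where `{{ octoprint_group }}` is meant; it only works because both default to `octoprint`. The unit also runs a network-facing Python service with no sandboxing and orders itself after the obsolete `syslog.target`; a few directives limit what a compromised OctoPrint process can do while still allowing the serial device, its home directory and `{{ octoprint_dir }}` (which `ProtectSystem=full` leaves writable). Check `NoNewPrivileges` against whatever `systemRestartCommand` ends up being, since a sudo-based reboot would need it off.
```ini
[Unit]
Description=Octoprint
After=network-online.target
Wants=network-online.target
[Service]
# … unchanged: RestartSec, Type, User, WorkingDirectory, ExecStart, Restart …
Group={{ octoprint_group }}
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectKernelTunables=true
ProtectControlGroups=true
```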


@ -0,0 +1,4 @@
---
- name: Set authorized keys
template: src=authorized_keys.j2 dest=/root/.ssh/authorized_keys
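Review bot: `template: src=authorized_keys.j2 dest=/root/.ssh/authorized_keys` neither ensures `/root/.ssh` exists (the `template` module does not create parent directories, so a fresh host fails here) nor sets `mode`, so the file gets the umask default; sshd's `StrictModes` tolerates 0644 on the file but the directory must be 0700, and 0600 on the file is the usual expectation. It also replaces the whole file with whatever `root_keys` and `root_keys_host` render, so an empty or mistyped `root_keys` locks root out of a host that only accepts key logins (this inventory uses `remote_user = root`); guard it with an `assert` that at least one key is present, and keep a backup.
```yaml
- name: Refuse to deploy an empty authorized_keys
  assert:
    that: (root_keys | default([]) | length) + (root_keys_host | default([]) | length) > 0
    fail_msg: "root_keys and root_keys_host are both empty; deploying would lock root out"
- name: Ensure /root/.ssh exists
  file:
    path: /root/.ssh
    state: directory
    owner: root
    group: root
    mode: "0700"
- name: Set authorized keys
  template:
    src: authorized_keys.j2
    dest: /root/.ssh/authorized_keys
    owner: root
    group: root
    mode: "0600"
    backup: true
```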


@ -0,0 +1,10 @@
{% if root_keys %}
{% for key in root_keys %}
{{ key }}
{% endfor %}
{% endif %}
{% if root_keys_host is defined %}
{% for key in root_keys_host %}
{{ key }}
{% endfor %}
{% endif %}


@ -0,0 +1,3 @@
---
uau_reboot: "false"

13
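--- a/roles/uau/tasks/main.yml
+++ b/roles/uau/tasks/main.yml
+---
+- name: Install unattended upgrades
+apt:
+name:
+- unattended-upgrades
+- debian-goodies
+- name: Configure unattended upgrades
+template: src={{ item }}.j2 dest=/etc/apt/apt.conf.d/{{ item }}
+with_items:
+- 02periodic
+- 50unattended-upgrades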


@ -0,0 +1,18 @@
// {{ ansible_managed }}
// Enable the update/upgrade script (0=disable)
APT::Periodic::Enable "1";
// Do "apt-get update" automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "1";
// Do "apt-get upgrade --download-only" every n-days (0=disable)
APT::Periodic::Download-Upgradeable-Packages "1";
// Run the "unattended-upgrade" security upgrade script
// every n-days (0=disabled)
// Requires the package "unattended-upgrades" and will write
// a log in /var/log/unattended-upgrades
APT::Periodic::Unattended-Upgrade "1";
// Do "apt-get autoclean" every n-days (0=disable)
APT::Periodic::AutocleanInterval "7";


@ -0,0 +1,147 @@
// {{ ansible_managed }}
// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format format is "keyword=value,...". A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line. (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
// file, but several aliases are accepted. The accepted keywords are:
// a,archive,suite (eg, "stable")
// c,component (eg, "main", "contrib", "non-free")
// l,label (eg, "Debian", "Debian-Security")
// o,origin (eg, "Debian", "Unofficial Multimedia Packages")
// n,codename (eg, "jessie", "jessie-updates")
// site (eg, "http.debian.net")
// The available values on the system are printed by the command
// "apt-cache policy", and can be debugged by running
// "unattended-upgrades -d" and looking at the log file.
//
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
// ${distro_id} Installed origin.
// ${distro_codename} Installed codename (eg, "buster")
Unattended-Upgrade::Origins-Pattern {
// Codename based matching:
// This will follow the migration of a release through different
// archives (e.g. from testing to stable and later oldstable).
// Software will be the latest available for the named release,
// but the Debian release itself will not be automatically upgraded.
"origin=Debian,codename=${distro_codename}-updates";
// "origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
// Archive or Suite based matching:
// Note that this will silently match a different release after
// migration to the specified archive (e.g. testing becomes the
// new stable).
// "o=Debian,a=stable";
// "o=Debian,a=stable-updates";
// "o=Debian,a=proposed-updates";
// "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
};
// Python regular expressions, matching packages to exclude from upgrading
Unattended-Upgrade::Package-Blacklist {
// The following matches all packages starting with linux-
// "linux-";
// Use $ to explicitely define the end of a package name. Without
// the $, "libc6" would match all of them.
// "libc6$";
// "libc6-dev$";
// "libc6-i686$";
// Special characters need escaping
// "libstdc\+\+6$";
// The following matches packages like xen-system-amd64, xen-utils-4.1,
// xenstore-utils and libxenstore3.0
// "(lib)?xen(store)?";
// For more information about Python regular expressions, see
// https://docs.python.org/3/howto/regex.html
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";
// Install all updates when the machine is shutting down
// instead of doing it in the background while the machine is running.
// This will (obviously) make shutdown slower.
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
// This allows more time for unattended-upgrades to shut down gracefully
// or even install a few packages in InstallOnShutdown mode, but is still a
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
// Users enabling InstallOnShutdown mode are advised to increase
// InhibitDelayMaxSec even further, possibly to 30 minutes.
//Unattended-Upgrade::InstallOnShutdown "false";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
// Unattended-Upgrade::Mail "root";
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
// Unattended-Upgrade::MailOnlyOnError "true";
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Automatically reboot *WITHOUT CONFIRMATION* if
// the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "{{ uau_reboot }}";
// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";
// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";
// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";
// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
// Verbose logging
// Unattended-Upgrade::Verbose "false";
// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";
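Review bot: With `Unattended-Upgrade::Mail` unset and `SyslogEnable` left at its default of false, a failed or held-back upgrade on a printer is only recorded in `/var/log/unattended-upgrades`, which the common role rotates away after seven days, so nobody is told; set `Unattended-Upgrade::SyslogEnable "true";` so the outcome lands in the journal next to everything else (a mail setup is not part of this commit). `Automatic-Reboot` is `"false"` via the `uau_reboot` default, which means kernel and libc updates stay pending until someone reboots the printer; a comment next to it, e.g. `// Reboots are manual: do them between prints after checking needrestart/checkrestart`, makes that trade-off explicit.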

10
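--- a/site.yml
+++ b/site.yml
+- name: Setup common rules
+hosts: [3D_Printers]
+roles:
+- common
+- root_keys
+- name: Setup octoprint
+hosts: [Octoprint_hosts]
+roles:
+- octoprint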
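Review bot: The first play targets `hosts: [3D_Printers]`, but the inventory only defines `3D_Printers_test` and `Octoprint_hosts`, so the `common` and `root_keys` roles (journald, pam_wheel, chrony, SSH keys) are never applied to the production printers and only `octoprint` runs on them. Point both plays at the same group, e.g. `hosts: Octoprint_hosts` in the first play, or add an `[3D_Printers:children]` section in `hosts` that contains `Octoprint_hosts`. The `uau` and `docker` roles are defined but never referenced, so unattended upgrades are not enabled on any host by this playbook.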

10
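--- a/site_testing.yml
+++ b/site_testing.yml
+- name: Setup common rules
+hosts: raspberrypi
+roles:
+- common
+- root_keys
+- name: Setup octoprint
+hosts: raspberrypi
+roles:
+- octoprint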