new host: sodium (matrix) and new role matrix

This commit is contained in:
Markus 2020-01-20 15:56:29 +01:00
parent 7950c96da2
commit 6b82d3d92b
14 changed files with 1871 additions and 137 deletions

View File

@ -23,7 +23,7 @@ hackmd_dbuser: hackmd
hackmd_dbpass: "{{ vault_hackmd_dbpass }}" hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
hackmd_secret: "{{ vault_hackmd_secret }}" hackmd_secret: "{{ vault_hackmd_secret }}"
ldap_uri: ldaps://ldap.binary.kitchen/ ldap_uri: ldaps://ldap.binary.kitchen
ldap_host: ldap.binary.kitchen ldap_host: ldap.binary.kitchen
ldap_base: dc=binary-kitchen,dc=de ldap_base: dc=binary-kitchen,dc=de
ldap_binddn: cn=Services,ou=roles,dc=binary-kitchen,dc=de ldap_binddn: cn=Services,ou=roles,dc=binary-kitchen,dc=de
@ -71,6 +71,11 @@ mail_aliases:
- "voucher12@binary-kitchen.de exxess@binary-kitchen.de" - "voucher12@binary-kitchen.de exxess@binary-kitchen.de"
- "workshops@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de" - "workshops@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
matrix_domain: matrix.binary-kitchen.de
matrix_dbname: matrix
matrix_dbuser: matrix
matrix_dbpass: "{{ vault_matrix_dbpass }}"
nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de

View File

@ -1,24 +1,26 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
30656432303661346131643637306565653465333430373264396639383937626533626130346131 33626638333634313935343133326261343138306661326433393038396338626562616564393061
3965323538356638613931663034326365626333336364380a373865363966303835376134353336 3364316632336666336465633165353164633862616234320a643165666230366332346236363236
37376162383264663332363563343430663137623364613239613338383939376133653662666431 31386565393966663365633664633038653034356665316435356335393739356564353534366536
6235613339626636360a326639373535383761343535653136343138383338323733373037636538 6438613138393263610a353831666631356561663966376637363233636431386661376537366133
62623437666531656235373133393561323835393330323035656566646632303561366532653039 62363038376265323763623833396131633463326264343962643239646363353963653566623035
39636139333833313938643262383331363935616566303461323636343735303238343862303861 66316566316437343462393364616162366137363436343537343962333563376139663330373939
62313836323863643533313063323233306337633932393366393264343236366235356662333937 31613030303930316464653333653261623136313734616265633338356163386562353066646537
65366431613433336337346530663566613862333161613164633133356561653962326262643735 34306665366136633161313930643730323466613736333761336337353464623565623062613833
37636230356233333637623233633236323166616662343732343539376530336135306437313164 63316237616632636664623831333865646339623964376137653131373261373433366262643539
61323737353632666137393137356463333532313331633631653538613065303232663434633564 35363337653633636637653838386461306236616664393031303962346662393937333763323863
36616562323830373532646236373765623438376661383933646238353833663239653562356431 34646266383638323663643565303533316436636138303635353334386236663639643363396162
39623135366533373934363561363532326638363330366330353061333930373032386539636264 35633038303438366331383766353366326639376133366362353232353235393337646338343537
32353337653265656232333063653964613230643061653930653861356230363931623736333738 65343133343036393333333862303332373137363662343263326461613466323336346138373936
35656365306564313933666139613066633237656538666261613130326163373636636136666161 39356137643665343234343861393763396533636236353364333465613864636239646530643866
33633964663834356166343764383439396561393336393662653834396562373530313235363532 62643565636564373961653463623936633634303131356462346233663962616536363062323765
65383430663261363163623362663135626334626234356539366132643539323461633632303233 31393461613861383263646235396565636236333134316365313137316366353137343837303664
64616230316632356338663537666130396234316562616331316463383563376365326437643735 66306634376236396632303666636434386634366262613632346465306132396465353332303636
63666162356163343839636439653437643539636430386238626162373735663831636362646239 35323866333232393237353664363262333635353330313434336339326265623165396136373465
65636135343430623233383936326130646436336364636263633066373630386461333631356366 38323662353536333330663335656165353065396564386435373638376339386461326436633562
36353832376635303138643830643665643739663364356261633466636637643636613133623633 37333064353133376266623661386562376633333864383939306634623066386565383838306230
30316137393464343236326535613935366163613232386131343230336433616266653234323138 34326361326366383331633466336464653734646632313732396537353238383066323039316664
31343836306331353134653733383332633661316363343234303639353736306236356365303634 34343738356431393337366234643964313438303332373661613032383735383537306136366537
366130346637323334313961613135623663 32363037353732643037376263383762633266316339343463343231386439373730316162653365
64613737373436376533633536343533623736356564323630343162636539666434366235353836
3763

1
hosts
View File

@ -18,5 +18,6 @@ nitrogen.binary-kitchen.net
oxygen.binary-kitchen.net oxygen.binary-kitchen.net
fluorine.binary-kitchen.net fluorine.binary-kitchen.net
neon.binary-kitchen.net neon.binary-kitchen.net
sodium.binary-kitchen.net
krypton.binary-kitchen.net krypton.binary-kitchen.net
strontium.binary-kitchen.net strontium.binary-kitchen.net

View File

@ -24,6 +24,7 @@
- name: Configure misc software - name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }} copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items: with_items:
- { src: '.zshrc', dest: '/root/.zshrc' } - { src: '.zshrc', dest: '/root/.zshrc' }
- { src: '.zshrc.local', dest: '/root/.zshrc.local' } - { src: '.zshrc.local', dest: '/root/.zshrc.local' }

View File

@ -3,5 +3,8 @@
- name: Run acertmgr - name: Run acertmgr
command: /opt/acertmgr/acertmgr.py command: /opt/acertmgr/acertmgr.py
- name: Restart matrix-synapse
service: name=matrix-synapse state=restarted
- name: Restart nginx - name: Restart nginx
service: name=nginx state=restarted service: name=nginx state=restarted

View File

@ -0,0 +1,50 @@
---
- name: Enable https for apt
apt: name=apt-transport-https
- name: Enable matrix apt-key
apt_key: url="https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg"
- name: Enable matrix repository
apt_repository: repo="deb https://packages.matrix.org/debian/ {{ ansible_distribution_release }} main"
- name: Install matrix
apt: name={{ item }}
with_items:
- matrix-synapse-py3
- postgresql
- python-psycopg2
- name: Configure PostgreSQL database
postgresql_db: name={{ matrix_dbname }}
become: true
become_user: postgres
- name: Configure PostgreSQL user
postgresql_user: db={{ matrix_dbname }} name={{ matrix_dbuser }} password={{ matrix_dbpass }} priv=ALL state=present
become: true
become_user: postgres
- name: Configure matrix
template: src=matrix-synapse/{{ item }}.j2 dest=/etc/matrix-synapse/{{ item }}
with_items:
- homeserver.yaml
- conf.d/server_name.yaml
notify: Restart matrix-synapse
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ matrix_domain }}.key -out /etc/nginx/ssl/{{ matrix_domain }}.crt -days 730 -subj "/CN={{ matrix_domain }}" creates=/etc/nginx/ssl/{{ matrix_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for matrix
template: src=certs.j2 dest=/etc/acertmgr/{{ matrix_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/matrix
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/matrix dest=/etc/nginx/sites-enabled/matrix state=link
notify: Restart nginx

View File

@ -1,13 +1,13 @@
--- ---
{{ rocketchat_domain }}: {{ matrix_domain }}:
- path: /etc/nginx/ssl/{{ rocketchat_domain }}.key - path: /etc/nginx/ssl/{{ matrix_domain }}.key
user: root user: root
group: root group: root
perm: '400' perm: '400'
format: key format: key
action: '/usr/sbin/service nginx restart' action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ rocketchat_domain }}.crt - path: /etc/nginx/ssl/{{ matrix_domain }}.crt
user: root user: root
group: root group: root
perm: '400' perm: '400'

View File

@ -0,0 +1,9 @@
# This file is autogenerated, and will be recreated on upgrade if it is deleted.
# Any changes you make will be preserved.
# The domain name of the server, with optional explicit port.
# This is used by remote servers to connect to this server,
# e.g. matrix.org, localhost:8080, etc.
# This is also the last part of your UserID.
#
server_name: {{ matrix_domain }}

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,45 @@
server {
listen 80;
listen [::]:80;
server_name {{ matrix_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ matrix_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ matrix_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ matrix_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ matrix_domain }}.crt;
location / {
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
server {
listen 8448 ssl http2 default_server;
listen [::]:8448 ssl http2 default_server;
server_name {{ matrix_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ matrix_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ matrix_domain }}.crt;
location / {
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
}
}

View File

@ -1,60 +0,0 @@
---
- name: Create user
user: name=rocketchat
- name: Enable https for apt
apt: name=apt-transport-https
- name: Enable mongodb apt-key
apt_key: url="https://www.mongodb.org/static/pgp/server-4.0.asc"
- name: Enable mongodb repository
apt_repository: repo="deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/4.0 main"
# mongodb needs libcurl3 which is no longer available in buster
- name: Enable stretch repository
apt_repository: repo="deb http://deb.debian.org/debian/ stretch main"
- name: Enable nodesource apt-key
apt_key: url="https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
- name: Enable nodesource repository
apt_repository: repo="deb https://deb.nodesource.com/node_8.x/ {{ ansible_distribution_release }} main"
- name: Pin nodejs repository
blockinfile:
path: /etc/apt/preferences.d/nodejs
create: yes
block: |
Package: *
Pin: origin deb.nodesource.com
Pin-Priority: 600
- name: Install packages
apt: name={{ item }}
with_items:
- build-essential
- dirmngr
- graphicsmagick
- libcurl3
- mongodb-org
- nodejs
# rocket.chat itself is not setup here - it is done manually
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ rocketchat_domain }}.key -out /etc/nginx/ssl/{{ rocketchat_domain }}.crt -days 730 -subj "/CN={{ rocketchat_domain }}" creates=/etc/nginx/ssl/{{ rocketchat_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for rocketchat
template: src=certs.j2 dest=/etc/acertmgr/{{ rocketchat_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/rocketchat
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/rocketchat dest=/etc/nginx/sites-enabled/rocketchat state=link
notify: Restart nginx

View File

@ -1,43 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name {{ rocketchat_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
alias /var/www/acme-challenge;
}
location / {
return 301 https://{{ rocketchat_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ rocketchat_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ rocketchat_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ rocketchat_domain }}.crt;
location / {
client_max_body_size 128M;
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forward-Proto http;
proxy_set_header X-Nginx-Proxy true;
proxy_redirect off;
}
}

View File

@ -8,7 +8,7 @@
- root-keys - root-keys
- name: Setup unattended updates - name: Setup unattended updates
hosts: [sulis.binary.kitchen, nabia.binary.kitchen, beryllium.binary-kitchen.net, boron.binary-kitchen.net, carbon.binary-kitchen.net, nitrogen.binary-kitchen.net, oxygen.binary-kitchen.net, fluorine.binary-kitchen.net, krypton.binary-kitchen.net, strontium.binary-kitchen.net] hosts: [sulis.binary.kitchen, nabia.binary.kitchen, beryllium.binary-kitchen.net, boron.binary-kitchen.net, carbon.binary-kitchen.net, nitrogen.binary-kitchen.net, oxygen.binary-kitchen.net, fluorine.binary-kitchen.net, krypton.binary-kitchen.net, strontium.binary-kitchen.net, sodium.binary-kitchen.net]
roles: roles:
- uau - uau
@ -17,7 +17,7 @@
roles: roles:
- pvessl - pvessl
- name: Setup BK infrastructure server - name: Setup infrastructure server
hosts: [bacon.binary.kitchen, aveta.binary.kitchen] hosts: [bacon.binary.kitchen, aveta.binary.kitchen]
roles: roles:
- dns-intern - dns-intern
@ -78,12 +78,12 @@
roles: roles:
- dns-extern - dns-extern
- name: Setup matrix server
hosts: sodium.binary-kitchen.net
roles:
- matrix
- name: Setup partdb server - name: Setup partdb server
hosts: krypton.binary-kitchen.net hosts: krypton.binary-kitchen.net
roles: roles:
- partdb - partdb
- name: Setup rocketchat server
hosts: strontium.binary-kitchen.net
roles:
- rocketchat