add ansible roles for automatic deployment to any arch linux system

ansible/inventory

@@ -0,0 +1,2 @@
+[all]
+doorlock ansible_host=10.109.250.15 ansible_user=root

ansible/main.yml

@@ -0,0 +1,6 @@
+---
+- hosts: all
+  gather_facts: no
+  become_method: su
+  roles:
+          - doorlock

ansible/roles/acme_sh/tasks/main.yml

@@ -0,0 +1,42 @@
+---
+
+- name: Install acme.sh
+  pacman:
+    name: acme.sh
+    state: present
+
+- name: Install dependencies
+  pacman:
+    name: ['cronie','bind-tools']
+    state: present
+
+- name: Enable and start cronie
+  service:
+    name: cronie
+    enabled: yes
+    state: started
+
+- name: Run acem.sh --install
+  command: ./acme.sh --install
+  args:
+    chdir: /usr/share/acme.sh
+
+- name: Create acme directory
+  file:
+    path: /etc/acme/
+    state: directory
+
+- name: Copy nsupdate key
+  copy:
+    decrypt: yes
+    src: nsupdate.key
+    dest: /etc/acme/nsupdate.key
+
+- name: Issue ssl certificate
+  command: acme.sh --issue --home "/etc/acme/" --test -d lock.binary.kitchen --dns dns_nsupdate
+  register: command_result
+  failed_when: command_result.stderr != ''
+  changed_when: command_result.rc == 0
+  environment:
+    NSUPDATE_SERVER: ns1.binary-kitchen.de 
+    NSUPDATE_KEY: /etc/acme/nsupdate.key

ansible/roles/base/tasks/main.yml

@@ -0,0 +1,25 @@
+---
+- name: Pacman key init
+  raw: pacman-key --init
+
+- name: Pacman key populate
+  raw: | 
+       if [[ "`uname -m`" == "armv7l" ]]; then
+        pacman-key --populate archlinuxarm
+       else
+        pacman-key --populate archlinux
+       fi
+
+- name: Update System
+  raw: pacman -Syu --noconfirm
+
+- name: Install Python
+  raw: pacman -S python --noconfirm --
+  
+- name: Gather facts
+  setup:
+
+- name: Add authorized keys
+  authorized_key:
+    user: root
+    key: "{{ pub_keys|map(attribute='key')|join('\n') }}"

ansible/roles/base/vars/main.yml

@@ -0,0 +1,7 @@
+pub_keys:
+  - name: tom
+    key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062
+  - name: ralf1
+    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEAQC310tfw4GsjRcXKDbeuOLwPSZcwK+hwc8x106usc93pRrE38LHNfLuiw5GCABswXDSHPc1m6FOzPuSp2k9n7YKJ1L6SwSV9j4Ysxv47WXsGKWbgHXxS8HDN88aXivFJQ/+SZgeBbjSxzm0+NzkZ9Slwq0KRIRy8OThjiwi11cfsErQzDk/HmoX5re12mMViIsCPCKvrFB13jbDmyWwyEL4PRGDu9XZQQo0mgUfbhNwX+FcZEaWLWf4HJJalFt3AVYWS0d94dxOu6pIoXntmvJL91balZiEyTkXwQpKgr/Z1zINY/aayggqzeVnQWOkR7ZhoKLaA0QGMy4f5m2m670KK7K2euJXvMYefwsbuVe4v6Rw3bkrtzKdURFGYRdFNMgaygv3ywZE2Cas5LYj/R6Z8TTxAZu7z9R/lI32Hn7ciN72u9pyJ/rs5uBwXVNVbbHD5pKTAi+WHCpKklDTm7DO6EB3Y/i6DJp3+TMBXKoyJZF59+Z6c19WmuV2IK8P7cudbAzH6msl9K9/bdhBDbRyIpmaJC4BSYWk4XDqK3sEklvx3eq7EcjUDXwVXCfU1NmGIJV6Pxj5D0gt4CSItumhlJLYKJIZksE3Hf/411dKdIq7O5ImT1k6pZnD4oEFpgossVV7wrh01P5mzWpGAV78q0kGgex88AURVlNoylsH7K3Y1pPx6zaCC0dcFsFbn+1G0Dr8DOdsKuCm139QSeFTK6zkMyvlo9IDllHyXTaIoM/pOezoC/uCgShDqxzNqafEK+Aox8rhIrG6lWucSjKq9q4TaVvZQ4yqQ3OYYB6kpZBs3w31x2Pl5MT9qaMmDymLmnwgBZ6VpPr1KY+chFOyZtEVyagR8gfrjSDmCxulKBWntHP5g1vcdaAhzhqx0W4TVBQ5NxAdlUBsy2z1X2VivCBw5dPCkybE2BO6rTr8XPsLdjXBMVNDqOLIrnKEXT+vG+fKsDsIBrROQrPkrbV8D5pZ5u9D5PlP+T4QxYFqTPIcxWUfWA4t+8ug2pTgSRmXxR82VFcZZuBkC+KUcx76fk2dVYvWtpXiMQhQx8NDaHbc3UhHdWw+XQ5A399uL9J9HSKbrQw0Y0x6/bHW1L+vP7yxGZClR5aLx/h4AyZn6XQqt0SzwBGDgtuHTZyIuWleEr/nhPE6FWPJbrTXA+yGGhvwHK8KLhvlHN/RXQkroa8SWEQGraHUEnn7gMjGHpdyovzfqP8z/Nz9yhADVDBmrgyYVsVa91hbQYl97E5GBcehbEszQ1LOgPFUZPJbr+Jm70xBKhNydxP7FAld6QMpqwWZ7VFNuqNBunpFiP28TceHTD+xK4WU3aZMc9oafMNHBGDVaHJc6q0BxxNjx+RD /home/ralf/.ssh/id_rsa
+  - name: ralf2
+    key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay

ansible/roles/desktop/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart lightdm
+  service:
+    name: lightdm
+    state: restarted

ansible/roles/desktop/tasks/main.yml

@@ -0,0 +1,16 @@
+
+---
+- name: Install X-Server
+  pacman:
+    name: [xorg, xorg-xinit]
+    state: present
+
+- name: Install displaymanager
+  pacman:
+    name: [lightdm, lightdm-gtk-greeter]
+    state: present
+
+- name: Enable lightdm
+  service:
+    name: lightdm
+    enabled: yes

ansible/roles/doorlock/files/Doorlock.desktop

@@ -0,0 +1,4 @@
+[Desktop Entry]
+Name=Doorlock
+Type=Application
+Exec=/usr/share/xsessions/launch_doorlock_session.sh

ansible/roles/doorlock/files/launch_doorlock_session.sh

@@ -0,0 +1,7 @@
+#! /bin/bash
+
+xset -dpms
+xset -s off
+xset -b off
+unclutter &
+chromium --kiosk --fullscreen --app=https://localhost/display

ansible/roles/doorlock/meta/main.yml

@@ -0,0 +1,4 @@
+---
+dependencies:
+- role: doorlockd
+- role: desktop

ansible/roles/doorlock/tasks/main.yml

@@ -0,0 +1,52 @@
+---
+- name: Install unclutter
+  pacman:
+    name: unclutter
+    state: present
+
+- name: Copy doorlock xsession files
+  copy:
+    src: "{{ item.name }}"
+    dest: /usr/share/xsessions/{{ item.name }}
+    mode: "{{ item.mode }}"
+  with_items:
+  - { name: Doorlock.desktop, mode: preserve}
+  - { name: launch_doorlock_session.sh, mode: a+x}
+
+- name: Configure autologin
+  ini_file:
+    path: /etc/lightdm/lightdm.conf
+    section: Seat:*
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+  with_items:
+    - { option: "autologin-user", value: "doorlock"}
+    - { option: "user-session", value: "Doorlock"}
+    - { option: "autologin-session", value: "Doorlock"}
+  notify: Restart lightdm
+
+- name: Install accountsservice
+  pacman:
+    name: accountsservice
+    state: present
+
+- name: Create group autologin
+  group:
+    name: autologin
+    state: present 
+
+- name: Add user doorlock to group autologin
+  user:
+    append: yes
+    user: doorlock
+    groups: autologin
+
+- name: Disable root password login
+  user:
+    user: root
+    password: '*'
+
+- name: Delete alarm user
+  user:
+    user: alarm
+    state: absent

ansible/roles/doorlockd/files/doorlock_nginx_vhost

@@ -0,0 +1,31 @@
+upstream doorlock{
+    server 127.0.0.1:8080 fail_timeout=2s;
+    server 127.0.0.1:8080 fail_timeout=2s;
+}
+
+server {
+    listen       443 ssl http2;
+    server_name  _default;
+
+    ssl_certificate /etc/acme/lock.binary.kitchen/fullchain.cer;
+    ssl_certificate_key /etc/acme/lock.binary.kitchen/lock.binary.kitchen.key;
+
+    location / {
+        rewrite /nomoretokens /;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_no_cache 1;
+        proxy_cache_bypass 1;
+        expires 1s;
+        proxy_pass http://doorlock;
+    }
+}
+
+server {
+    listen       80;
+    server_name  _default;
+
+    location ~ (.*) {
+        rewrite ^ https://$host$request_uri? permanent;
+    }    
+}

ansible/roles/doorlockd/files/nsupdate.key

@@ -0,0 +1,14 @@
+$ANSIBLE_VAULT;1.1;AES256
+37653265613562656435643937303338626632383463303630643635363135373962323636646237
+3632313530333133623363326661373238623635656430320a383564383034613432346132333866
+30366661663166636563376366303037363237353164636130646161323464616132336233303437
+3461303036346333390a663731633233383464633533363439613336333635396634386261383038
+31323036616631303463313336316666323866393261643037636565363237353961303266313936
+63333337616565626535666630346334356533653734313831366162396665623962333363376561
+65616365366238313132616336633431333633373737646663333134623263303866373833306435
+34363966386232303231373365336631663639373937313161353661643262383239656663393362
+34363533623835306466613339376564646164316235303235343666616665323439653063343731
+34643230363664633435373533643263653335373262616135396461316139353334393932613232
+36376363316162333338373033333732303935343237666139653338323837333765656435326464
+32386531383665393565343361303836313236646130393662363665313362633034363533303735
+3163

ansible/roles/doorlockd/handlers/main.yml

@@ -0,0 +1,13 @@
+---
+- name: Restart doorlock services
+  service:
+    name: "{{ item }}"
+    state: restarted
+  with_items:
+  - doorlockd
+  - doorstate
+
+- name: Restart doorstate
+  service:
+    name: doorstate
+    state: restarted

ansible/roles/doorlockd/meta/main.yml

@@ -0,0 +1,5 @@
+---
+dependencies:
+- role: base
+- role: nginx
+- role: acme_sh

ansible/roles/doorlockd/tasks/main.yml

@@ -0,0 +1,77 @@
+---
+- name: Install some essential packages
+  pacman:
+    name: ['git','base-devel','sudo','vim']
+    state: present
+
+- name: Create doorlock user
+  user:
+    name: doorlock
+    append: yes
+    groups: wheel, uucp
+    state: present
+
+- name: Enable NOPASSWD for wheel
+  lineinfile:
+    path: /etc/sudoers
+    create: yes
+    regexp: '^%wheel\s'
+    line: '%wheel ALL=(ALL) NOPASSWD: ALL'
+
+- name: Clone pikaur
+  become: yes
+  become_user: doorlock
+  git:
+    repo: https://aur.archlinux.org/pikaur.git
+    dest: /tmp/pikaur
+
+- name: Install pikaur
+  command: makepkg -fsri --noconfirm
+  become_user: doorlock
+  become_method: su
+  become: yes
+  args:
+    chdir: /tmp/pikaur
+
+- name: Clone Doorlock repo
+  become_user: doorlock
+  become: yes
+  git:
+    repo: https://github.com/Binary-Kitchen/doorlockd
+    version: next
+    dest: /tmp/doorlockd
+
+- name: Remove doorlockd
+  pacman:
+    name: doorlockd
+    state: absent
+
+- name: Install doorlockd
+  command: makepkg -si --noconfirm
+  become: yes
+  become_user: doorlock
+  become_method: su
+  args:
+    chdir: /tmp/doorlockd/arch
+  environment:
+    PACMAN: pikaur
+
+- name: Enable doorlockd and doorstate
+  service: 
+    enabled: yes
+    name: "{{ item }}"
+  with_items:
+  - doorlockd
+  - doorstate
+
+- name: Copy doorlockd configuration
+  template:
+    src: doorlockd.cfg
+    dest: /etc/doorlockd.cfg
+  notify: Restart doorlock services
+
+- name: Install nginx virtual host
+  copy:
+    src: doorlock_nginx_vhost
+    dest: /etc/nginx/sites-enabled/doorlock
+  notify: nginx restart

ansible/roles/doorlockd/templates/doorlockd.cfg

@@ -0,0 +1,38 @@
+[doorlockd]
+
+DEBUG = False
+SIMULATE_SERIAL = True
+SIMULATE_AUTH = True
+RUN_HOOKS = False
+SOUNDS = True
+
+# LDAP
+LDAP_URI = ldaps://ldap1.binary.kitchen
+LDAP_BINDDN = cn=%%s,ou=people,dc=binary-kitchen,dc=de
+
+# Authentication Backends
+
+# Local
+# LOCAL_USER_DB = /etc/doorlockd.passwd
+
+TITLE = Binary Kitchen Doorlock
+ROOM = Hauptraum
+WELCOME = Willkommen in der Binary Kitchen
+
+SERIAL_PORT = /dev/ttyAMA0
+
+SECRET_KEY = foobar
+
+SIMULATE_SERIAL_PORT = 5000
+
+[dooralarm]
+
+GPIO_CHIP = /dev/gpiochip0
+GPIO_PIN = 22
+
+TOPIC_ALARM = kitchen/alarm
+TOPIC_DOORSTATE = kitchen/doorlock/frontdoor/doorstate
+
+MQTT_HOST = pizza.binary.kitchen
+MQTT_USERNAME = doorlock
+MQTT_PASSWORD = {{ mqtt_pub_pw }}

ansible/roles/doorlockd/vars/main.yml

@@ -0,0 +1,7 @@
+mqtt_pub_pw: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  31363464306233653662393565336563383662653138653861643961643337343833313265663866
+  6137353665616633326630383463303961623534626563310a336362393664343039306534613737
+  62326330623662333661323734353862346264313734316132633065376632656436333763326361
+  6363323038653265370a383031363564333065326332383865646562313761636462343536323663
+  6263

ansible/roles/nginx/files/nginx.conf

@@ -0,0 +1,35 @@
+#user html;
+worker_processes  1;
+
+#error_log  logs/error.log;
+#error_log  logs/error.log  notice;
+#error_log  logs/error.log  info;
+
+#pid        logs/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+    #                  '$status $body_bytes_sent "$http_referer" '
+    #                  '"$http_user_agent" "$http_x_forwarded_for"';
+
+    #access_log  logs/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    #keepalive_timeout  0;
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    include sites-enabled/*; # See Server blocks
+}

ansible/roles/nginx/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: nginx restart
+  service:
+    name: nginx
+    state: restarted

ansible/roles/nginx/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+- name: Install nginx
+  pacman:
+    name: nginx
+
+- name: Create sites-available and sites-enabled
+  file:
+    path: "/etc/nginx/{{ item }}"
+    state: directory
+  with_items:
+    - sites-enabled
+    - sites-available
+
+- name: Copy nginx configuration
+  copy:
+    src: nginx.conf
+    dest: /etc/nginx/nginx.conf
+
+- name: Enable nginx
+  service:
+    name: nginx
+    enabled: yes
+    state: restarted

ansible/staging_pi

@@ -0,0 +1,2 @@
+[all]
+doorlock ansible_host=172.23.3.243 ansible_user=root

arch/PKGBUILD

@@ -9,7 +9,7 @@ url="https://github.com/Binary-Kitchen/${pkgname}"
 license=(GPL)
 depends=('python3'
 	 'python-pyserial'
-         'python-ldap'
+   'python-ldap'
 	 'python-pip'
 	 'alsa-utils'
 	 'libgpiod'
@@ -23,7 +23,7 @@ depends=('python3'
 	 'fluxbox'
 	 'nginx'
 	 'slim')
-source=("git+https://github.com/Binary-Kitchen/${pkgname}.git#branch=next")
+source=("git+https://github.com/Binary-Kitchen/${pkgname}.git#branch=tom")
 sha256sums=('SKIP')
 
 build() {

systemd/doorlockd.service

@@ -3,8 +3,8 @@ Description=Binary Kitchen doorlockd service
 After=network.target
 
 [Service]
-User=root
-Group=root
+User=doorlock
+Group=doorlock
 ExecStart=doorlockd
 
 [Install]

systemd/doorstate.service

@@ -3,8 +3,8 @@ Description=Binary Kitchen doorstate service
 After=network.target
 
 [Service]
-User=root
-Group=root
+User=doorlock
+Group=doorlock
 ExecStart=doorstate
 
 [Install]