Fix some linting

This commit is contained in:
flyingscorpio@clevo 2022-12-16 20:12:49 +01:00
parent 06eb090c33
commit 87327d006d
15 changed files with 107 additions and 100 deletions


@ -1,6 +1,5 @@
---
skip_list:
- fqcn-builtins
- meta-no-info
# vim: ft=yaml.ansible


@ -1,21 +1,21 @@
---
- name: Install certbot
become: true
apt:
ansible.builtin.apt:
name: certbot
state: present
update_cache: true
- name: Create acme directory
become: true
file:
ansible.builtin.file:
path: /var/www/acme
state: directory
mode: 0755
- name: Enable modules
become: true
apache2_module:
community.general.apache2_module:
name: "{{ item }}"
state: present
with_items:
@ -25,14 +25,17 @@
- name: Copy apache confs
become: true
copy: src={{ item.src }} dest={{ item.dest }} mode=0644
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: 0644
with_items:
- {src: 'acme.conf', dest: '/etc/apache2/conf-available/acme.conf'}
- {src: 'ssl-options.conf', dest: '/etc/apache2/conf-available/ssl-options.conf'}
- name: Enable apache confs
become: true
command: a2enconf {{ item }}
ansible.builtin.command: a2enconf {{ item }}
with_items:
- acme
- ssl-options
@ -42,7 +45,7 @@
- name: Allow certbot renewal
become: true
copy:
ansible.builtin.copy:
src: http-certbot.conf
dest: /etc/nftables/input.d/http-certbot.conf
mode: 0640
@ -50,7 +53,7 @@
- name: Allow incoming HTTPS
become: true
copy:
ansible.builtin.copy:
src: https.conf
dest: /etc/nftables/input.d/https.conf
mode: 0640
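Review bot: The `a2enconf {{ item }}` task in hunk `@ -25,14 +25,17 @@` has no `changed_when`, so it reports a change on every run and ansible-lint's no-changed-when rule will keep flagging it after this FQCN pass; the `a2ensite` tasks elsewhere in this commit already solve it with `register: result` and `changed_when: "'already enabled' not in result.stdout"`, and the same two lines fit here. While the lint output is being cleaned up, the bare octal `mode: 0644` / `0755` / `0640` values trip risky-octal; quoting them (`mode: "0644"`) yields the same permission and removes the YAML 1.1 octal ambiguity. The `with_items` entries for a2enconf are fixed literals, so there is no command-injection exposure in the templated command itself.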


@ -1,57 +1,57 @@
---
- name: Reload systemd daemon
become: true
systemd:
ansible.builtin.systemd:
daemon-reload: true
- name: Start apache2 service
become: true
systemd:
ansible.builtin.systemd:
name: apache2
state: started
enabled: true
- name: Reload apache2 service
become: true
systemd:
ansible.builtin.systemd:
name: apache2
state: reloaded
- name: Start mariadb service
become: true
systemd:
ansible.builtin.systemd:
name: mariadb
state: started
enabled: true
- name: Start nftables service
become: true
systemd:
ansible.builtin.systemd:
name: nftables
state: started
enabled: true
- name: Restart nftables service
become: true
systemd:
ansible.builtin.systemd:
name: nftables
state: restarted
enabled: true
- name: Reload nftables service
become: true
systemd:
ansible.builtin.systemd:
name: nftables
state: reloaded
- name: Restart rsyslog service
become: true
systemd:
ansible.builtin.systemd:
name: rsyslog
state: restarted
- name: Restart fail2ban service
become: true
systemd:
ansible.builtin.systemd:
name: fail2ban
state: restarted
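Review bot: The `Restart nftables service` handler (`state: restarted`) is the fail-open one of the two nftables handlers: with Debian's stock unit, stop flushes the ruleset before start re-reads `/etc/nftables.conf`, so a ruleset that fails to parse leaves the host with no firewall until someone intervenes, whereas `Reload nftables service` (`state: reloaded`) keeps the old rules in place if `nft -f` rejects the new file. This repo also installs an override under `nftables.service.d/` that I cannot see, so confirm which behaviour applies; if it is the stock one, have the rule-copy tasks notify the reload handler and reserve the restart for unit-file changes. A one-line comment on the handler, `# restart flushes the ruleset first: fails open if the new config is invalid`, would make the difference visible to whoever picks a handler to notify.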


@ -1,7 +1,7 @@
---
- name: Create 2px directory
become: true
file:
ansible.builtin.file:
path: "{{ dir_2px }}"
owner: "{{ owner_2px }}"
group: "{{ group_2px }}"
@ -10,7 +10,7 @@
- name: Install mod_wsgi
become: true
apt:
ansible.builtin.apt:
name: libapache2-mod-wsgi-py3
state: present
update_cache: true
@ -18,14 +18,14 @@
- name: Enable wsgi module
become: true
apache2_module:
community.general.apache2_module:
name: wsgi
state: present
notify: Reload apache2 service
- name: Copy vHost conf
become: true
template:
ansible.builtin.template:
src: 2px.info.conf.j2
dest: /etc/apache2/sites-available/2px.info.conf
mode: 0644
@ -33,7 +33,7 @@
- name: Activate vHost
become: true
command: a2ensite 2px.info.conf
ansible.builtin.command: a2ensite 2px.info.conf
register: result
changed_when: "'already enabled' not in result.stdout"
notify: Reload apache2 service


@ -1,17 +1,17 @@
---
- name: Include vault variables
include_vars: vault.yml
ansible.builtin.include_vars: vault.yml
- name: Create 2px database
become: true
mysql_db:
community.mysql.mysql_db:
name: "{{ name_2px_db }}"
state: present
login_unix_socket: /var/run/mysqld/mysqld.sock
- name: Set 2px database user and privileges
become: true
mysql_user:
community.mysql.mysql_user:
name: "{{ user_2px_db }}"
password: "{{ pass_2px_db }}"
priv: "{{ name_2px_db }}.*:ALL"
@ -19,7 +19,7 @@
login_unix_socket: /var/run/mysqld/mysqld.sock
- name: Check 2px database connection
mysql_info:
community.mysql.mysql_info:
login_user: "{{ user_2px_db }}"
login_db: "{{ name_2px_db }}"
login_host: localhost


@ -1,29 +1,29 @@
---
- name: Receive gitea pgp key
command: gpg --keyserver hkps://keys.openpgp.org --recv 7C9E68152594688862D62AF62D9AE806EC1592E2
ansible.builtin.command: gpg --keyserver hkps://keys.openpgp.org --recv 7C9E68152594688862D62AF62D9AE806EC1592E2
register: result
changed_when: '"not changed" not in result.stderr'
- name: Download gitea asc file
get_url:
ansible.builtin.get_url:
url: "https://dl.gitea.io/gitea/{{ gitea_binary.json.latest.version }}/gitea-{{ gitea_binary.json.latest.version }}-linux-{{ gitea_binary_arch }}.asc"
dest: "/tmp/gitea-{{ gitea_binary.json.latest.version }}.asc"
mode: 0644
- name: Verify gitea binary with gpg
command: "gpg --verify /tmp/gitea-{{ gitea_binary.json.latest.version }}.asc /home/git/gitea-{{ gitea_binary.json.latest.version }}"
ansible.builtin.command: "gpg --verify /tmp/gitea-{{ gitea_binary.json.latest.version }}.asc /home/git/gitea-{{ gitea_binary.json.latest.version }}"
register: result
failed_when: '"Good signature from" not in result.stderr'
- name: Start gitea service
become: true
systemd:
ansible.builtin.systemd:
name: gitea
state: started
enabled: true
- name: Restart gitea service
become: true
systemd:
ansible.builtin.systemd:
name: gitea
state: restarted
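Review bot: The `Verify gitea binary with gpg` handler accepts any `Good signature from` in stderr, which does not bind the check to the key fetched one handler earlier — any key already in the ansible user's keyring would satisfy it, and the match also depends on gpg's English output. Pin the fingerprint on the verify side as well: run with `--status-fd 1` and use `failed_when: "'VALIDSIG' not in result.stdout or '7C9E68152594688862D62AF62D9AE806EC1592E2' not in result.stdout"` (gpg reports the primary-key fingerprint as the last field of `VALIDSIG` when a signing subkey was used, so matching the full line prefix alone would be too strict). Both gpg tasks should also carry `changed_when: false` on the verify step, since it never alters the host and no-changed-when will otherwise keep firing under the lint pass this commit is doing. The fetch side is already pinned (key retrieved by fingerprint over hkps); it is only the verification that is loose.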


@ -1,10 +1,10 @@
---
- name: Include vault variables
include_vars: vault.yml
ansible.builtin.include_vars: vault.yml
- name: Install needed packages
become: true
apt:
ansible.builtin.apt:
name:
- git
- unzip
@ -14,13 +14,13 @@
- name: Create git group
become: true
group:
ansible.builtin.group:
name: git
system: true
- name: Create git user
become: true
user:
ansible.builtin.user:
name: git
group: git
append: true
@ -34,7 +34,7 @@
- name: Set sudoer permissions to git user
become: true
copy:
ansible.builtin.copy:
content: 'git ALL=(root) NOPASSWD:/usr/bin/systemctl'
dest: /etc/sudoers.d/git
owner: root
@ -44,7 +44,7 @@
- name: Create /var/lib/gitea directory
become: true
file:
ansible.builtin.file:
path: /var/lib/gitea
state: directory
owner: git
@ -53,7 +53,7 @@
- name: Create /var/lib/gitea subdirectories
become: true
file:
ansible.builtin.file:
path: "/var/lib/gitea/{{ item }}"
state: directory
owner: git
@ -66,7 +66,7 @@
- name: Create /etc/gitea directory
become: true
file:
ansible.builtin.file:
path: /etc/gitea
state: directory
owner: git
@ -74,28 +74,28 @@
mode: 0750
- name: Find latest gitea version
uri:
ansible.builtin.uri:
url: https://dl.gitea.io/gitea/version.json
register: gitea_binary
- name: Find if latest gitea version is installed
stat:
ansible.builtin.stat:
path: "/home/git/gitea-{{ gitea_binary.json.latest.version }}"
register: latest_gitea_binary
- name: Set gitea binary architecture to amd64
set_fact:
ansible.builtin.set_fact:
gitea_binary_arch: amd64
when: ansible_facts['architecture'] == 'x86_64'
- name: Set gitea binary architecture to arm-6
set_fact:
ansible.builtin.set_fact:
gitea_binary_arch: arm-6
when: ansible_facts['architecture'] != 'x86_64'
- name: Get latest gitea binary
become: true
get_url:
ansible.builtin.get_url:
url: "https://dl.gitea.io/gitea/{{ gitea_binary.json.latest.version }}/gitea-{{ gitea_binary.json.latest.version }}-linux-{{ gitea_binary_arch }}"
dest: "/home/git/gitea-{{ gitea_binary.json.latest.version }}"
owner: git
@ -108,11 +108,11 @@
- Verify gitea binary with gpg
- name: Verify downloaded binary
meta: flush_handlers
ansible.builtin.meta: flush_handlers
- name: Copy gitea binary to global location
become: true
copy:
ansible.builtin.copy:
src: "/home/git/gitea-{{ gitea_binary.json.latest.version }}"
dest: /usr/local/bin/gitea
remote_src: true
@ -122,7 +122,7 @@
- name: Copy /etc/systemd/system/gitea.service
become: true
copy:
ansible.builtin.copy:
src: gitea.service
dest: /etc/systemd/system/gitea.service
owner: root
@ -134,7 +134,7 @@
- name: Copy /etc/gitea/app.ini
become: true
template:
ansible.builtin.template:
src: app.ini.j2
dest: /etc/gitea/app.ini
owner: git
@ -144,18 +144,18 @@
- Restart gitea service
- name: Make sure systemd daemon is reloaded
meta: flush_handlers
ansible.builtin.meta: flush_handlers
- name: Make sure gitea is running
become: true
systemd:
ansible.builtin.systemd:
name: gitea
state: started
enabled: true
- name: Copy gitea_backup.sh script
become: true
template:
ansible.builtin.template:
src: gitea_backup.sh.j2
dest: /home/git/gitea_backup.sh
owner: git
@ -164,7 +164,7 @@
- name: Create gitea-dumps directory
become: true
file:
ansible.builtin.file:
path: /home/git/gitea-dumps
state: directory
owner: git
@ -172,18 +172,18 @@
mode: 0755
- name: Set today's string for zipfile name
set_fact:
ansible.builtin.set_fact:
today: "{{ ansible_date_time.year }}{{ ansible_date_time.month }}{{ ansible_date_time.day }}"
- name: Ask if we push latest gitea_dump zipfile
pause: # today's gitea dump zipfile must be in the manager's /tmp
ansible.builtin.pause: # today's gitea dump zipfile must be in the manager's /tmp
prompt: Push latest gitea dump? [yes/no]
echo: true
register: push_latest_gitea_dump
- name: Push latest gitea_dump zipfile
become: true
copy:
ansible.builtin.copy:
src: "/tmp/gitea-dump-{{ today }}.zip"
dest: "/home/git/gitea-dumps/gitea-dump-{{ today }}.zip"
owner: git
@ -194,13 +194,13 @@
- name: Deploy repos
become: true
become_user: git
command:
ansible.builtin.command:
cmd: "/home/git/gitea_backup.sh restore /home/git/gitea-dumps/gitea-dump-{{ today }}.zip"
creates: /home/git/gitea-repositories # when this dir exists, the command won't run, so we don't overwrite existing repos
- name: Setup gitea-backup crontab
become: true
copy:
ansible.builtin.copy:
src: gitea-backup.cron
dest: /etc/cron.d/gitea-backup
mode: 0644
@ -208,14 +208,14 @@
- name: Generate SSH keys for git
become: true
become_user: git
openssh_keypair:
community.crypto.openssh_keypair:
path: ~/.ssh/id_rsa
type: rsa
comment: "git@{{ ansible_fqdn }}"
register: ssh_key
- name: Get previously added SSH keys
uri:
ansible.builtin.uri:
url: https://git.tunuifranken.info/api/v1/user/keys
method: GET
user: "{{ gitea_user }}"
@ -224,11 +224,11 @@
register: present_ssh_keys
- name: List SSH fingerprints
set_fact:
ansible.builtin.set_fact:
present_ssh_fingerprints: "{{ present_ssh_keys.json | map(attribute='fingerprint') }}"
- name: Add SSH key using Gitea's API
uri:
ansible.builtin.uri:
url: https://git.tunuifranken.info/api/v1/user/keys
method: POST
user: "{{ gitea_user }}"
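Review bot: The sudoers line written in hunk `@ -34,7 +34,7 @@`, `git ALL=(root) NOPASSWD:/usr/bin/systemctl`, is effectively unrestricted root for the `git` account: an unconstrained `systemctl` can `link` and `start` a unit file the git user wrote, or spawn an editor as root via `systemctl edit`, so a compromise of gitea (which runs as git) becomes a root compromise. Narrow it to the verbs the backup script actually needs — I cannot see `gitea_backup.sh.j2`, but presumably stop/start of gitea — e.g. `content: "git ALL=(root) NOPASSWD:/usr/bin/systemctl stop gitea, /usr/bin/systemctl start gitea\n"`, and add `validate: /usr/sbin/visudo -cf %s` to the copy so a malformed file can never be installed under `/etc/sudoers.d`. The trailing newline matters as well, since the current `content:` has none. The copy task continues past the hunk (owner/group/mode are outside my view), so also check the file lands as 0440 root:root.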


@ -1,7 +1,7 @@
---
- name: Enable proxy modules
become: true
apache2_module:
community.general.apache2_module:
name: "{{ item }}"
state: present
with_items:
@ -11,7 +11,7 @@
- name: Copy vHost conf
become: true
template:
ansible.builtin.template:
src: git.tunuifranken.info.conf.j2
dest: /etc/apache2/sites-available/git.tunuifranken.info.conf
mode: 0644
@ -19,7 +19,7 @@
- name: Activate vHost
become: true
command: a2ensite git.tunuifranken.info.conf
ansible.builtin.command: a2ensite git.tunuifranken.info.conf
register: result
changed_when: "'already enabled' not in result.stdout"
notify: Reload apache2 service


@ -1,7 +1,7 @@
---
- name: Copy fail2ban filter
become: true
copy:
ansible.builtin.copy:
src: gitea-filter.conf
dest: /etc/fail2ban/filter.d/gitea.conf
owner: root
@ -11,7 +11,7 @@
- name: Copy fail2ban jail
become: true
copy:
ansible.builtin.copy:
src: gitea-jail.conf
dest: /etc/fail2ban/jail.d/gitea.conf
owner: root


@ -1,10 +1,10 @@
---
- name: Include vault variables
include_vars: vault.yml
ansible.builtin.include_vars: vault.yml
- name: Create gitea database
become: true
mysql_db:
community.mysql.mysql_db:
name: "{{ name_gitea_db }}"
state: present
encoding: utf8mb4
@ -13,7 +13,7 @@
- name: Set gitea database user and privileges
become: true
mysql_user:
community.mysql.mysql_user:
name: "{{ user_gitea_db }}"
password: "{{ pass_gitea_db }}"
priv: "{{ name_gitea_db }}.*:ALL"
@ -21,7 +21,7 @@
login_unix_socket: /var/run/mysqld/mysqld.sock
- name: Check gitea database connection
mysql_info:
community.mysql.mysql_info:
login_user: "{{ user_gitea_db }}"
login_db: "{{ name_gitea_db }}"
login_host: localhost


@ -1,7 +1,7 @@
---
- name: Install apache
become: true
apt:
ansible.builtin.apt:
name: apache2
state: present
update_cache: true
@ -9,24 +9,24 @@
- name: Remove default html dir
become: true
file:
ansible.builtin.file:
path: /var/www/html
state: absent
- name: Check if default vHost is enabled
stat:
ansible.builtin.stat:
path: /etc/apache2/sites-enabled/000-default.conf
register: enabled_default_vhost
- name: Disable default vHost
become: true
command: a2dissite 000-default.conf
ansible.builtin.command: a2dissite 000-default.conf
when: enabled_default_vhost.stat.exists
notify: Reload apache2 service
- name: Remove default vHost conf files
become: true
file:
ansible.builtin.file:
path: "/etc/apache2/sites-available/{{ item }}"
state: absent
with_items:
@ -35,7 +35,7 @@
- name: Create /var/www/empty for *:80 vHosts
become: true
file:
ansible.builtin.file:
path: /var/www/empty
state: directory
mode: 0755


@ -1,14 +1,14 @@
---
- name: Install fail2ban
become: true
apt:
ansible.builtin.apt:
name: fail2ban
state: present
update_cache: true
- name: Configure fail2ban for nftables
become: true
copy:
ansible.builtin.copy:
src: 00-banactions-nft.conf
dest: /etc/fail2ban/jail.d/00-banactions-nft.conf
owner: root


@ -1,7 +1,7 @@
---
- name: Install mariadb
become: true
apt:
ansible.builtin.apt:
name:
- mariadb-server
- python3-pymysql
@ -11,7 +11,7 @@
- name: Initialize mariadb
become: true
command: mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
ansible.builtin.command: "mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql"
register: result
changed_when: "'table already exists!' not in result.stdout"
notify: Start mariadb service
@ -20,24 +20,24 @@
become: true
block:
- name: Set root password
mysql_user:
community.mysql.mysql_user:
user: root
password: ""
host: localhost
login_unix_socket: /var/run/mysqld/mysqld.sock
- name: Remove anonymous user for ansible_fqdn
mysql_user:
community.mysql.mysql_user:
user: ""
host: "{{ ansible_fqdn }}"
state: absent
login_unix_socket: /var/run/mysqld/mysqld.sock
- name: Remove anonymous user for localhost
mysql_user:
community.mysql.mysql_user:
user: ""
state: absent
login_unix_socket: /var/run/mysqld/mysqld.sock
- name: Remove remote root access
mysql_user:
community.mysql.mysql_user:
user: root
password: ""
host: "{{ item }}"
@ -47,7 +47,7 @@
- "127.0.0.1"
- localhost
- name: Remove test database
mysql_db:
community.mysql.mysql_db:
db: test
state: absent
login_unix_socket: /var/run/mysqld/mysqld.sock
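Review bot: `Set root password` and `Remove remote root access` in hunk `@ -20,24 +20,24 @@` both hand `community.mysql.mysql_user` a literal `password: ""` for `root`, i.e. an empty credential rather than a secret, while the app-database tasks in this same commit take theirs from `vault.yml`. On Debian/Ubuntu MariaDB `root@localhost` ships with `unix_socket` authentication, and depending on how the module applies an empty `password` it may swap that for `mysql_native_password` with an empty string, allowing any local account to connect as root — confirm with `SHOW CREATE USER root@localhost` on a provisioned host. If socket auth is the intent, state it explicitly with `plugin: unix_socket` in place of `password: ""`; if a real password is intended, source it from the vault and mark the task `no_log: true`. The second task's `with_items` continues outside the hunk, so I cannot tell whether the earlier entries are the remote hosts the task name refers to.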


@ -1,7 +1,7 @@
---
- name: Install nftables
become: true
apt:
ansible.builtin.apt:
name: nftables
state: present
update_cache: true
@ -9,14 +9,19 @@
- name: Start nftables
become: true
systemd:
ansible.builtin.systemd:
name: nftables
state: started
enabled: true
- name: Setup needed directories
become: true
file: path={{ item }} owner=root group=root mode=0750 state=directory
ansible.builtin.file:
path: "{{ item }}"
owner: root
group: root
mode: 0750
state: directory
with_items:
- /etc/nftables/input.d
- /etc/nftables/output.d
@ -28,7 +33,7 @@
- name: Copy local systemd configuration
become: true
copy:
ansible.builtin.copy:
src: systemd-local.conf
dest: /etc/systemd/system/nftables.service.d/local.conf
owner: root
@ -38,7 +43,7 @@
- name: Copy default configuration
become: true
copy:
ansible.builtin.copy:
src: nftables.conf
dest: /etc/nftables.conf
owner: root
@ -48,7 +53,7 @@
- name: Copy default input rules
become: true
copy:
ansible.builtin.copy:
src: "{{ item }}"
dest: "/etc/nftables/input.d/{{ item | basename }}"
owner: root
@ -60,7 +65,7 @@
- name: Copy default post-hook rules
become: true
copy:
ansible.builtin.copy:
src: "{{ item }}"
dest: "/etc/nftables/post-hooks.d/{{ item | basename }}"
owner: root
@ -72,7 +77,7 @@
- name: Copy default output rules
become: true
copy:
ansible.builtin.copy:
src: "{{ item }}"
dest: "/etc/nftables/output.d/{{ item | basename }}"
owner: root
@ -84,7 +89,7 @@
- name: Setup netfilter.log
become: true
copy:
ansible.builtin.copy:
src: netfilter.rsyslog
dest: /etc/rsyslog.d/netfilter.conf
owner: root
@ -94,7 +99,7 @@
- name: Setup logrotate for netfilter.log
become: true
copy:
ansible.builtin.copy:
src: netfilter.logrotate
dest: /etc/logrotate.d/netfilter
owner: root
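Review bot: The `Copy default configuration` task for `/etc/nftables.conf` in hunk `@ -38,7 +38,7 @@` installs the ruleset with no syntax check, and the handler set in this commit includes a `restarted` variant that flushes before reloading, so a typo in the copied file can leave the host unfiltered once the handler fires. `ansible.builtin.copy` supports `validate: /usr/sbin/nft -c -f %s`, which dry-runs the parse before the file is moved into place; that works provided the `include` lines in `nftables.conf` use absolute paths into `/etc/nftables/*.d`, which I cannot see here, so verify on a host. The per-directory fragments (`input.d`, `output.d`, `post-hooks.d`) cannot be validated in isolation because they need the table context of the main file, so validating the main file plus notifying the reload handler rather than the restart one is the practical guard. The copy tasks continue past their hunks (mode and notify lines are outside my view).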


@ -1,7 +1,7 @@
---
- name: Create tunuifranken directory
become: true
file:
ansible.builtin.file:
path: "{{ dir_tunuifranken }}"
owner: "{{ owner_tunuifranken }}"
group: "{{ group_tunuifranken }}"
@ -10,7 +10,7 @@
- name: Copy vHost conf
become: true
template:
ansible.builtin.template:
src: tunuifranken.info.conf.j2
dest: /etc/apache2/sites-available/tunuifranken.info.conf
mode: 0644
@ -18,19 +18,19 @@
- name: Activate vHost
become: true
command: a2ensite tunuifranken.info.conf
ansible.builtin.command: a2ensite tunuifranken.info.conf
register: result
changed_when: "'already enabled' not in result.stdout"
notify: Reload apache2 service
- name: Install git
become: true
apt:
ansible.builtin.apt:
name: git
state: present
- name: Clone tunuifranken.info repo
git:
ansible.builtin.git:
repo: git@tunuifranken.info:flyingscorpio/tunuifranken.info.git
dest: "{{ dir_tunuifranken }}"
clone: true