diff --git a/inventory/group_vars/all/restic.yml b/inventory/group_vars/all/restic.yml
index a027917..b988cb4 100644
--- a/inventory/group_vars/all/restic.yml
+++ b/inventory/group_vars/all/restic.yml
@@ -1,11 +1,14 @@
 ---
-restic_aws_access_key_id: "backup"
+restic_aws_access_key_id: "GK592f5dead61d5ffd40f660fb"
 restic_aws_secret_access_key: !vault |
   $ANSIBLE_VAULT;1.1;AES256
-  64613131346563323262316264306363636261313535353565333231316433313539653634303737
-  3766666137633637666265663230323937663239396534310a313330333163396664643830643934
-  38623061653733653634623230616532383830626335653362333331353065353737323935326365
-  6638643861633038330a613832336463376535326461633832646238336663333537346461386534
-  31373734303133623363393837613437313066656532623832333335663666353039
-restic_s3_url: "http://backup.mateu.be:9000/backup"
+  36346561343533353736366631613537623136663839373161306463356433636461646339656439
+  3362376336643066616437633964363134326566346665630a663063313938356165333131663964
+  64313466373465343832623039313938383863333366313831613637373965663430336538353661
+  3163313234656464320a393565336538316139393430663466326263663731343231333938393837
+  31663730636364646465633232633630313331313535353435396534313765306335666435636163
+  39653839646661356136306233653263386532616237326431366262343633613863353934626665
+  38376163613837626435373134393630316235313032353738643537303162643538353966613833
+  34333735663939396433
+restic_s3_url: "http://backup.mateu.be:3900/backup"
diff --git a/inventory/group_vars/garage_bck_cluster.yml b/inventory/group_vars/garage_bck_cluster.yml
new file mode 100644
index 0000000..b08cf1c
--- /dev/null
+++ b/inventory/group_vars/garage_bck_cluster.yml
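Review bot: `restic_s3_url` keeps the plain `http://` scheme toward backup.mateu.be while the endpoint moves from :9000 to :3900, so the S3 transport for every host that does not override this group default stays unencrypted. Restic encrypts repository contents client-side and SigV4 never transmits the secret key, so confidentiality of the backup data is not the concern, but the repository layout and request pattern are visible to anyone on the path and an interposed party can disrupt runs. Unless the endpoint is reachable only over a network you consider trusted, terminate TLS in front of the Garage endpoint and switch to `https://`; otherwise record the decision next to the value, e.g. `# plain HTTP on purpose: endpoint is only reachable inside the DMZ — TODO confirm`.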
@@ -0,0 +1,25 @@
+---
+
+garage_rpc_secret: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  38383331313936363536356237316561363662346237333437626530646238313031643131323062
+  3730383236343333636263346638626263313439616136380a343830653061663231343139656433
+  35626164616236316331323536323365623834346461396537636164326531373464666530376438
+  6338356664363965650a383134313933333330376562353734646539306637303366636235636435
+  33656637316436353735646230653532323830656635633338623463613665616661663662383938
+  64393337373666396361303639366464623438663837386135326664386338623930333865646164
+  39376335313962376638393437626265353166636466616435623630373232643431646363386562
+  38613231356438663037
+
+garage_admin_token: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  30363835373364633661303237303031663532633631393635386364303736316634333837323666
+  3634343666303333343637393464376666376534323031330a333235366164353162613066656134
+  63636462363265633638626537333364626136663735623035323233653261363131336363303165
+  6461373366393339390a336133343934313264666461373238633237313135333266613564373866
+  33393662313138626436333665313763616336646138626434316634666563666661616532613766
+  32326332363237646364666332653938316133343635383866633762643862626166336638313133
+  34313431333465376564306435316239633436323863643838643837653638386237303534303036
+  31306266336137346638
+
+garage_root_domain: ".backup.mateu.be"
diff --git a/inventory/host_vars/frederica.dmz.mateu.be.yml b/inventory/host_vars/frederica.dmz.mateu.be.yml
index 6fd7522..4c0c45e 100644
--- a/inventory/host_vars/frederica.dmz.mateu.be.yml
+++ b/inventory/host_vars/frederica.dmz.mateu.be.yml
@@ -1,16 +1,9 @@
 ---
-restic_path: "/mnt/tank/restic/restic"
-restic_script_path: "/mnt/tank/restic/resticbackup.sh"
-restic_cache_dir: "/mnt/tank/restic/cache"
-
-restic_external_scheduler: true
-
 restic_backup_path:
   - /mnt/tank
+  - /var/lib/private
 restic_backup_excluded_path:
-  - /mnt/tank/ix-applications
   - /mnt/tank/s3/.minio.sys
-  - /mnt/tank/restic/cache
 restic_backup_hour: 6
 restic_backup_minute: 45
@@ -24,4 +17,3 @@ restic_aws_secret_access_key: !vault |
   61333532656135333731313561663062323133613662373061666266383031343964623838336264
   3936393838396163626438303962313931333165386363666139
 restic_s3_url: "https://s3.fr-par.scw.cloud/backup-libertus"
-restic_exe_group: "wheel"
diff --git a/inventory/production.yml b/inventory/production.yml
index c0fb41c..fb3ed7e 100644
--- a/inventory/production.yml
+++ b/inventory/production.yml
@@ -7,6 +7,15 @@ hypervisors:
   hosts:
     serenor.dmz.mateu.be:
+nasservers:
+  hosts:
+    frederica.dmz.mateu.be:
+
+zfsservers:
+  hosts:
+    serenor.dmz.mateu.be:
+    frederica.dmz.mateu.be:
+
 resticservers:
   hosts:
     baybay-ponay.mateu.be:
@@ -33,6 +42,9 @@ garageservers:
     garage_prd_cluster:
       hosts:
         garage1.dmz.mateu.be:
+    garage_bck_cluster:
+      hosts:
+        frederica.dmz.mateu.be:
 elasticsearchservers:
   hosts:
@@ -43,6 +55,7 @@ nut:
     nut_client:
       hosts:
         serenor.dmz.mateu.be:
+        frederica.dmz.mateu.be:
     nut_server:
       hosts:
         serenor.dmz.mateu.be:
@@ -129,7 +142,6 @@ disabled_loadbalanced_webservers:
 disabled_system:
   hosts:
     baybay-ponay.mateu.be:
-    frederica.dmz.mateu.be:
     machinbox.mateu.be:
     muse-HP-EliteBook-820-G2.home.arpa:
     pinkypie.home.arpa:
@@ -137,7 +149,6 @@ disabled_system:
 disabled_munin:
   hosts:
     baybay-ponay.mateu.be:
-    frederica.dmz.mateu.be:
     muse-HP-EliteBook-820-G2.home.arpa:
     pinkypie.home.arpa:
     nsd-master1.ext.mateu.be:
@@ -146,7 +157,6 @@ disabled_munin:
 disabled_syslog:
   hosts:
     baybay-ponay.mateu.be:
-    frederica.dmz.mateu.be:
     machinbox.mateu.be:
     muse-HP-EliteBook-820-G2.home.arpa:
     nsd-master1.ext.mateu.be:
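Review bot: `/mnt/tank/s3/.minio.sys` stays in `restic_backup_excluded_path` although this commit moves the shared S3 endpoint off MinIO's :9000 and puts frederica into the new `garage_bck_cluster` group (inventory/production.yml), so the exclusion reads like a MinIO leftover; if MinIO is gone from this host, drop it. Garage's data and metadata directories on frederica are not visible in the diff — if they live under `/mnt/tank`, this host's run to `s3.fr-par.scw.cloud` (second hunk) now also captures the other hosts' repositories stored in Garage, which may be the intended off-site copy but should be an explicit decision, e.g. `# Garage store under /mnt/tank is backed up on purpose (off-site copy of the other hosts' repos)` or an entry in the exclusion list. `/var/lib/private` is the root systemd uses for DynamicUser service state; a one-line comment naming the service whose state it is meant to protect would help the next reader.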
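Review bot: the new `zfsservers` group (serenor and frederica) is not consumed by anything in this commit: playbooks/nas.yml applies the `zfs` role to `nasservers` (frederica only) and the only other reference is the commented-out task in roles/munin_client/tasks/main.yml, so serenor never receives the role unless a playbook outside this diff targets the group. Either run the zfs role against `zfsservers` (keeping `nfs` on `nasservers`), or add a comment above the group recording what it is reserved for, e.g. `# zfsservers: hosts with ZFS pools; not yet targeted by any play`. Removing frederica from `disabled_system`, `disabled_munin` and `disabled_syslog` and adding it to `nut_client` in the later hunks is consistent with the host being managed as a regular node from now on.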
diff --git a/playbooks/nas.yml b/playbooks/nas.yml
new file mode 100644
index 0000000..d235508
--- /dev/null
+++ b/playbooks/nas.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Deploy NAS services
+  hosts: nasservers
+  diff: true
+  roles:
+    - zfs
+    - nfs
diff --git a/playbooks/site.yml b/playbooks/site.yml
index 58d8fcc..b6c4d58 100644
--- a/playbooks/site.yml
+++ b/playbooks/site.yml
@@ -2,6 +2,8 @@
 - name: Run system playbook
   import_playbook: system.yml
+- name: Run nas playbook
+  import_playbook: nas.yml
 - name: Run usb playbook
   import_playbook: usb.yml
 - name: Run nsd playbook
diff --git a/playbooks/smtprelay.yml b/playbooks/smtprelay.yml
index f8b6cdc..9f57525 100644
--- a/playbooks/smtprelay.yml
+++ b/playbooks/smtprelay.yml
@@ -1,7 +1,7 @@
 ---
 - name: Deploy smtp relay
-  hosts: all:!disabled_server_conf:!machinbox.mateu.be:!mail.dmz.mateu.be:!frederica.dmz.mateu.be
+  hosts: all:!disabled_server_conf:!machinbox.mateu.be:!mail.dmz.mateu.be
   diff: true
   roles:
     - smtprelay
diff --git a/roles/munin_client/tasks/main.yml b/roles/munin_client/tasks/main.yml
index 8bd5384..93d3e23 100644
--- a/roles/munin_client/tasks/main.yml
+++ b/roles/munin_client/tasks/main.yml
@@ -111,6 +111,10 @@
   ansible.builtin.include_tasks: hypervisors.yml
   when: "'hypervisors' in group_names"
+# - name: Execute specific ZFS commands
+#   ansible.builtin.include_tasks: zfs.yml
+#   when: "'zfsservers' in group_names"
+
 # Specific LXC commands
 - name: Execute specific LXC commands
   ansible.builtin.include_tasks: lxc.yml
@@ -119,7 +123,7 @@
 # Specific garage commands
 - name: Execute specific garage commands
   ansible.builtin.include_tasks: garage.yml
-  when: "'garage1' in inventory_hostname"
+  when: "'garageservers' in group_names"
 # Specific nsd commands
 - name: Execute specific nsd commands
diff --git a/roles/nfs/handlers/main.yml b/roles/nfs/handlers/main.yml
new file mode 100644
index 0000000..469dc53
--- /dev/null
+++ b/roles/nfs/handlers/main.yml
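Review bot: the added `# - name: Execute specific ZFS commands …` block is commented-out code that references `zfs.yml`, which this commit does not add under roles/munin_client/tasks/, so it will rot silently next to live tasks; either add the task file and enable the task, or collapse the three lines to one `# TODO: add zfs.yml munin plugins for the zfsservers group`. In the second hunk `when: "'garageservers' in group_names"` now also matches frederica through the new `garage_bck_cluster` child group in inventory/production.yml, which is presumably intended, but garage.yml is outside this diff so I could not check what it assumes about the host.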
@@ -0,0 +1,7 @@
+---
+
+- name: Restart NFS
+  ansible.builtin.service:
+    name: nfs-server
+    enabled: true
+    state: restarted
diff --git a/roles/nfs/tasks/main.yml b/roles/nfs/tasks/main.yml
new file mode 100644
index 0000000..38de6ff
--- /dev/null
+++ b/roles/nfs/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+
+- name: Install NFS
+  ansible.builtin.package:
+    name: nfs-kernel-server
+    state: present
+
+- name: Export FS
+  ansible.builtin.template:
+    src: exports.j2
+    dest: /etc/exports
+    owner: root
+    group: root
+    mode: "0o640"
+  notify: Restart NFS
+
+- name: Ensure NFS is started & enabled
+  ansible.builtin.service:
+    name: nfs-server
+    state: started
+    enabled: true
diff --git a/roles/nfs/templates/exports.j2 b/roles/nfs/templates/exports.j2
new file mode 100644
index 0000000..bb9382e
--- /dev/null
+++ b/roles/nfs/templates/exports.j2
@@ -0,0 +1,4 @@
+"/mnt/tank/nfs"\
+    *(sec=sys,rw,insecure,no_subtree_check)
+"/mnt/tank/proxmox"\
+    10.233.212.59(sec=sys,rw,insecure,no_subtree_check)
diff --git a/roles/restic/defaults/main.yml b/roles/restic/defaults/main.yml
index c8bc933..1bd48f6 100644
--- a/roles/restic/defaults/main.yml
+++ b/roles/restic/defaults/main.yml
@@ -1,11 +1,4 @@
 ---
-restic_path: "/usr/local/bin/restic"
-restic_script_path: "/usr/local/bin/resticbackup.sh"
-restic_cache_dir: ""
-
-# use in cases when cron is not available
-restic_external_scheduler: false
-
 restic_pass: !vault |
   $ANSIBLE_VAULT;1.1;AES256
   62333166623737363731663766353330633335306532306366356536376232396664376430613434
@@ -17,4 +10,3 @@ restic_backup_path: ["/srv", "/home", "/etc"]
 restic_backup_excluded_path: ["/srv/NOBACKUP"]
 restic_backup_hour: 6
 restic_backup_minute: 0
-restic_exe_group: "root"
diff --git a/roles/restic/tasks/install.yml b/roles/restic/tasks/install.yml
index 0fd37f1..9a196c0 100644
--- a/roles/restic/tasks/install.yml
+++ b/roles/restic/tasks/install.yml
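Review bot: `state: restarted` on `nfs-server` for every /etc/exports change (the `Export FS` task in roles/nfs/tasks/main.yml notifies this handler) stalls active NFS clients for the duration of the restart, while exports can be re-read live with `exportfs -ra`. A reload-style handler avoids the disruption: `- name: Reload NFS exports` / `  ansible.builtin.command: exportfs -ra` / `  changed_when: true`, with the `notify:` in the tasks file renamed to match. `enabled: true` in the handler is redundant with the `Ensure NFS is started & enabled` task, which already enables the unit.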
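Review bot: the first export grants `rw` on `/mnt/tank/nfs` to `*`, i.e. to any host that can reach the NFS port, with `sec=sys` (client-asserted UIDs are trusted as-is) and `insecure` (requests from unprivileged source ports are accepted), so network reachability is the only control on write access to that tree. Scope it to the client network the way the second line scopes `/mnt/tank/proxmox` to `10.233.212.59`, e.g. `"/mnt/tank/nfs"\` / `    <client-subnet>/<prefix>(sec=sys,rw,no_subtree_check)`, and keep `insecure` only where a specific client demonstrably needs it. The template contains no Jinja expressions at all; rendering the client list from a role variable (for instance a per-host `nfs_exports` list — name is a suggestion) would make the allow-list reviewable in inventory instead of baked into the role.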
@@ -16,13 +16,4 @@
     path: "{{ restic_path }}"
     mode: "0o755"
     owner: root
-    group: "{{ restic_exe_group }}"
-
-- name: Create cache dir
-  ansible.builtin.file:
-    name: "{{ restic_cache_dir }}"
-    state: directory
-    owner: root
-    group: "{{ restic_exe_group }}"
-    mode: "0o700"
-  when: restic_cache_dir | length > 0
+    group: root
diff --git a/roles/restic/tasks/main.yml b/roles/restic/tasks/main.yml
index a7a89f6..b053065 100644
--- a/roles/restic/tasks/main.yml
+++ b/roles/restic/tasks/main.yml
@@ -8,7 +8,7 @@
     src: resticbackup.sh.j2
     dest: "{{ restic_script_path }}"
     owner: root
-    group: "{{ restic_exe_group }}"
+    group: root
     mode: "0o750"
 - name: Cron backup script
diff --git a/roles/restic/templates/resticbackup.sh.j2 b/roles/restic/templates/resticbackup.sh.j2
index f7eeecd..e7f6150 100644
--- a/roles/restic/templates/resticbackup.sh.j2
+++ b/roles/restic/templates/resticbackup.sh.j2
@@ -7,7 +7,7 @@ export AWS_ACCESS_KEY_ID="{{ restic_aws_access_key_id }}"
 export AWS_SECRET_ACCESS_KEY="{{ restic_aws_secret_access_key }}"
 ## lancement de la sauvegarde
-{{ restic_path }} backup {% if restic_cache_dir | length > 0 %}--cache-dir {{ restic_cache_dir }}{% endif %} --exclude-caches {% for i in restic_backup_excluded_path %} -e {{ i }} {% endfor %} {% for i in restic_backup_path %}{{ i }} {% endfor %}
+{{ restic_path }} backup --exclude-caches {% for i in restic_backup_excluded_path %} -e {{ i }} {% endfor %} {% for i in restic_backup_path %}{{ i }} {% endfor %}
 ## récupération de l'espace
 {{ restic_path }} forget --prune -d 7 -w 4 -m 3 -y 1
diff --git a/roles/restic/vars/main.yml b/roles/restic/vars/main.yml
index 6afdd17..fa93ed4 100644
--- a/roles/restic/vars/main.yml
+++ b/roles/restic/vars/main.yml
@@ -1,4 +1,6 @@
 ---
+restic_path: "/usr/local/bin/restic"
+restic_script_path: "/usr/local/bin/resticbackup.sh"
 restic_version: "0.17.1"
 restic_architecture: "amd64"
 restic_system: "{{ ansible_facts['system'] | lower }}"
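Review bot: moving `restic_path` and `restic_script_path` from defaults/main.yml into vars/main.yml changes their precedence, not just their location: role `vars` override inventory group_vars and host_vars, so the per-host override frederica had until this commit (`restic_path: "/mnt/tank/restic/restic"`, removed in inventory/host_vars/frederica.dmz.mateu.be.yml) is no longer possible for any host. If the install locations are meant to be fixed role internals, say so above the two lines, e.g. `# fixed install locations; vars precedence means inventory cannot override these`; if they should stay tunable, keep them in defaults/main.yml.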
diff --git a/roles/spamassassin/files/local.cf b/roles/spamassassin/files/local.cf
index 579536a..d7a77d8 100644
--- a/roles/spamassassin/files/local.cf
+++ b/roles/spamassassin/files/local.cf
@@ -7,6 +7,9 @@ ok_locales fr
 score UNWANTED_LANGUAGE_BODY 5
 score HTML_IMAGE_RATIO_02 3
+rawbody LOCAL_partenaire_HM /partenaire HM/i
+score LOCAL_partenaire_HM 20.0
+
 rawbody LOCAL_Cbd_Gummies /Cbd Gummies/i
 score LOCAL_Cbd_Gummies 20.0
@@ -265,6 +268,7 @@ whitelist_from *@chichiclothing.com
 whitelist_from dmarcreport@microsoft.com
 # Blacklist manuel
+blacklist_from *@supportprogram.fr
 blacklist_from *@spotly.jp
 blacklist_from *@itstales.de
 blacklist_from *@*.store
diff --git a/roles/webapps/tasks/freshrss.yml b/roles/webapps/tasks/freshrss.yml
index 9414554..12d4884 100644
--- a/roles/webapps/tasks/freshrss.yml
+++ b/roles/webapps/tasks/freshrss.yml
@@ -13,7 +13,8 @@
     mode: "0o644"
 - name: Enable FreshRSS timer
-  ansible.builtin.service:
-    name: freshrss
+  ansible.builtin.systemd_service:
+    name: freshrss.timer
+    daemon_reload: true
     enabled: true
     state: started
diff --git a/roles/zfs/tasks/main.yml b/roles/zfs/tasks/main.yml
new file mode 100644
index 0000000..783858c
--- /dev/null
+++ b/roles/zfs/tasks/main.yml
@@ -0,0 +1,29 @@
+---
+
+- name: Install Backports
+  ansible.builtin.template:
+    src: "backports.list.j2"
+    dest: "/etc/apt/sources.list.d/{{ ansible_distribution_release }}-backports.list"
+    owner: root
+    group: root
+    mode: "0o640"
+
+- name: Pin ZFS
+  ansible.builtin.template:
+    src: "90_zfs.j2"
+    dest: "/etc/apt/preferences.d/90_zfs"
+    owner: root
+    group: root
+    mode: "0o640"
+
+- name: Install ZFS
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: present
+    update_cache: true
+  loop:
+    - dpkg-dev
+    - linux-headers-generic
+    - linux-image-generic
+    - zfs-dkms
+    - zfsutils-linux
diff --git a/roles/zfs/templates/90_zfs.j2 b/roles/zfs/templates/90_zfs.j2
new file mode 100644
index 0000000..010bc11
--- /dev/null
+++ b/roles/zfs/templates/90_zfs.j2
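Review bot: `blacklist_from *@supportprogram.fr` (second hunk) and the surrounding `whitelist_from` entries use the pre-4.0 directive names; SpamAssassin 4.x documents `blocklist_from` / `welcomelist_from` and keeps the old spellings only as compatibility aliases, so new entries are better written with the current names if the target runs 4.x. `score LOCAL_partenaire_HM 20.0` on a bare two-word `rawbody` match is effectively a hard reject for any message containing the phrase; a one-line comment above the rule recording the campaign it targets and when it was added would help whoever later has to decide whether to retire it.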
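Review bot: `Install ZFS` loops `ansible.builtin.apt` over five packages with `update_cache: true`, so the cache is refreshed and a separate apt transaction run once per item, and a dependency that is only satisfiable together with another item in the list cannot be resolved within the same run; `name:` accepts a list, which installs everything in one transaction with a single cache update. `linux-headers-generic` / `linux-image-generic` are Ubuntu's metapackage names while the role's backports template points at deb.debian.org, where the equivalents are `linux-headers-amd64` / `linux-image-amd64` (or `linux-headers-{{ ansible_kernel }}` for the running kernel); confirm the chosen names resolve on the target release, or the task fails on the first run. The role also enables the whole `*-backports` suite with `deb-src` lines, which is harmless at the default backports priority but deserves a comment in backports.list.j2 noting that only `src:zfs-linux` is pinned up by 90_zfs.j2.
```yaml
- name: Install ZFS
  ansible.builtin.apt:
    name:
      - dpkg-dev
      - linux-headers-generic  # TODO confirm on Debian; Debian's metapackage is linux-headers-amd64
      - linux-image-generic    # TODO confirm on Debian; Debian's metapackage is linux-image-amd64
      - zfs-dkms
      - zfsutils-linux
    state: present
    update_cache: true
```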
@@ -0,0 +1,3 @@
+Package: src:zfs-linux
+Pin: release n={{ ansible_distribution_release }}-backports
+Pin-Priority: 990
diff --git a/roles/zfs/templates/backports.list.j2 b/roles/zfs/templates/backports.list.j2
new file mode 100644
index 0000000..9d233ee
--- /dev/null
+++ b/roles/zfs/templates/backports.list.j2
@@ -0,0 +1,2 @@
+deb http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main contrib
+deb-src http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main contrib