slfhst/ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

🚀: new NAS

Browse Source
This commit is contained in:
VC
2024-10-26 10:07:10 +02:00
parent ca6a0cbb9e
commit 21be1afeac
21 changed files with 143 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
inventory/group_vars/all/restic.yml
View File

@@ -1,11 +1,14 @@
--- ---
restic_aws_access_key_id: "backup" restic_aws_access_key_id: "GK592f5dead61d5ffd40f660fb"
restic_aws_secret_access_key: !vault | restic_aws_secret_access_key: !vault |
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
64613131346563323262316264306363636261313535353565333231316433313539653634303737 36346561343533353736366631613537623136663839373161306463356433636461646339656439
3766666137633637666265663230323937663239396534310a313330333163396664643830643934 3362376336643066616437633964363134326566346665630a663063313938356165333131663964
38623061653733653634623230616532383830626335653362333331353065353737323935326365 64313466373465343832623039313938383863333366313831613637373965663430336538353661
6638643861633038330a613832336463376535326461633832646238336663333537346461386534 3163313234656464320a393565336538316139393430663466326263663731343231333938393837
31373734303133623363393837613437313066656532623832333335663666353039 31663730636364646465633232633630313331313535353435396534313765306335666435636163
restic_s3_url: "http://backup.mateu.be:9000/backup" 39653839646661356136306233653263386532616237326431366262343633613863353934626665
38376163613837626435373134393630316235313032353738643537303162643538353966613833
34333735663939396433
restic_s3_url: "http://backup.mateu.be:3900/backup"

25
inventory/group_vars/garage_bck_cluster.yml Normal file
View File

@@ -0,0 +1,25 @@
---
garage_rpc_secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
38383331313936363536356237316561363662346237333437626530646238313031643131323062
3730383236343333636263346638626263313439616136380a343830653061663231343139656433
35626164616236316331323536323365623834346461396537636164326531373464666530376438
6338356664363965650a383134313933333330376562353734646539306637303366636235636435
33656637316436353735646230653532323830656635633338623463613665616661663662383938
64393337373666396361303639366464623438663837386135326664386338623930333865646164
39376335313962376638393437626265353166636466616435623630373232643431646363386562
38613231356438663037
garage_admin_token: !vault |
$ANSIBLE_VAULT;1.1;AES256
30363835373364633661303237303031663532633631393635386364303736316634333837323666
3634343666303333343637393464376666376534323031330a333235366164353162613066656134
63636462363265633638626537333364626136663735623035323233653261363131336363303165
6461373366393339390a336133343934313264666461373238633237313135333266613564373866
33393662313138626436333665313763616336646138626434316634666563666661616532613766
32326332363237646364666332653938316133343635383866633762643862626166336638313133
34313431333465376564306435316239633436323863643838643837653638386237303534303036
31306266336137346638
garage_root_domain: ".backup.mateu.be"

10
inventory/host_vars/frederica.dmz.mateu.be.yml
View File

@@ -1,16 +1,9 @@
--- ---
restic_path: "/mnt/tank/restic/restic"
restic_script_path: "/mnt/tank/restic/resticbackup.sh"
restic_cache_dir: "/mnt/tank/restic/cache"
restic_external_scheduler: true
restic_backup_path: restic_backup_path:
- /mnt/tank - /mnt/tank
- /var/lib/private
restic_backup_excluded_path: restic_backup_excluded_path:
- /mnt/tank/ix-applications
- /mnt/tank/s3/.minio.sys - /mnt/tank/s3/.minio.sys
- /mnt/tank/restic/cache
restic_backup_hour: 6 restic_backup_hour: 6
restic_backup_minute: 45 restic_backup_minute: 45
@@ -24,4 +17,3 @@ restic_aws_secret_access_key: !vault |
61333532656135333731313561663062323133613662373061666266383031343964623838336264 61333532656135333731313561663062323133613662373061666266383031343964623838336264
3936393838396163626438303962313931333165386363666139 3936393838396163626438303962313931333165386363666139
restic_s3_url: "https://s3.fr-par.scw.cloud/backup-libertus" restic_s3_url: "https://s3.fr-par.scw.cloud/backup-libertus"
restic_exe_group: "wheel"

16
inventory/production.yml
View File

@@ -7,6 +7,15 @@ hypervisors:
hosts: hosts:
serenor.dmz.mateu.be: serenor.dmz.mateu.be:
nasservers:
hosts:
frederica.dmz.mateu.be:
zfsservers:
hosts:
serenor.dmz.mateu.be:
frederica.dmz.mateu.be:
resticservers: resticservers:
hosts: hosts:
baybay-ponay.mateu.be: baybay-ponay.mateu.be:
@@ -33,6 +42,9 @@ garageservers:
garage_prd_cluster: garage_prd_cluster:
hosts: hosts:
garage1.dmz.mateu.be: garage1.dmz.mateu.be:
garage_bck_cluster:
hosts:
frederica.dmz.mateu.be:
elasticsearchservers: elasticsearchservers:
hosts: hosts:
@@ -43,6 +55,7 @@ nut:
nut_client: nut_client:
hosts: hosts:
serenor.dmz.mateu.be: serenor.dmz.mateu.be:
frederica.dmz.mateu.be:
nut_server: nut_server:
hosts: hosts:
serenor.dmz.mateu.be: serenor.dmz.mateu.be:
@@ -129,7 +142,6 @@ disabled_loadbalanced_webservers:
disabled_system: disabled_system:
hosts: hosts:
baybay-ponay.mateu.be: baybay-ponay.mateu.be:
frederica.dmz.mateu.be:
machinbox.mateu.be: machinbox.mateu.be:
muse-HP-EliteBook-820-G2.home.arpa: muse-HP-EliteBook-820-G2.home.arpa:
pinkypie.home.arpa: pinkypie.home.arpa:
@@ -137,7 +149,6 @@ disabled_system:
disabled_munin: disabled_munin:
hosts: hosts:
baybay-ponay.mateu.be: baybay-ponay.mateu.be:
frederica.dmz.mateu.be:
muse-HP-EliteBook-820-G2.home.arpa: muse-HP-EliteBook-820-G2.home.arpa:
pinkypie.home.arpa: pinkypie.home.arpa:
nsd-master1.ext.mateu.be: nsd-master1.ext.mateu.be:
@@ -146,7 +157,6 @@ disabled_munin:
disabled_syslog: disabled_syslog:
hosts: hosts:
baybay-ponay.mateu.be: baybay-ponay.mateu.be:
frederica.dmz.mateu.be:
machinbox.mateu.be: machinbox.mateu.be:
muse-HP-EliteBook-820-G2.home.arpa: muse-HP-EliteBook-820-G2.home.arpa:
nsd-master1.ext.mateu.be: nsd-master1.ext.mateu.be:

8
playbooks/nas.yml Normal file
View File

@@ -0,0 +1,8 @@
---
- name: Deploy NAS services
hosts: nasservers
diff: true
roles:
- zfs
- nfs

2
playbooks/site.yml
View File

@@ -2,6 +2,8 @@
- name: Run system playbook - name: Run system playbook
import_playbook: system.yml import_playbook: system.yml
- name: Run nas playbook
import_playbook: nas.yml
- name: Run usb playbook - name: Run usb playbook
import_playbook: usb.yml import_playbook: usb.yml
- name: Run nsd playbook - name: Run nsd playbook

2
playbooks/smtprelay.yml
View File

@@ -1,7 +1,7 @@
--- ---
- name: Deploy smtp relay - name: Deploy smtp relay
hosts: all:!disabled_server_conf:!machinbox.mateu.be:!mail.dmz.mateu.be:!frederica.dmz.mateu.be hosts: all:!disabled_server_conf:!machinbox.mateu.be:!mail.dmz.mateu.be
diff: true diff: true
roles: roles:
- smtprelay - smtprelay

6
roles/munin_client/tasks/main.yml
View File

@@ -111,6 +111,10 @@
ansible.builtin.include_tasks: hypervisors.yml ansible.builtin.include_tasks: hypervisors.yml
when: "'hypervisors' in group_names" when: "'hypervisors' in group_names"
# - name: Execute specific ZFS commands
# ansible.builtin.include_tasks: zfs.yml
# when: "'zfsservers' in group_names"
# Specific LXC commands # Specific LXC commands
- name: Execute specific LXC commands - name: Execute specific LXC commands
ansible.builtin.include_tasks: lxc.yml ansible.builtin.include_tasks: lxc.yml
@@ -119,7 +123,7 @@
# Specific garage commands # Specific garage commands
- name: Execute specific garage commands - name: Execute specific garage commands
ansible.builtin.include_tasks: garage.yml ansible.builtin.include_tasks: garage.yml
when: "'garage1' in inventory_hostname" when: "'garageservers' in group_names"
# Specific nsd commands # Specific nsd commands
- name: Execute specific nsd commands - name: Execute specific nsd commands

7
roles/nfs/handlers/main.yml Normal file
View File

@@ -0,0 +1,7 @@
---
- name: Restart NFS
ansible.builtin.service:
name: nfs-server
enabled: true
state: restarted

21
roles/nfs/tasks/main.yml Normal file
View File

@@ -0,0 +1,21 @@
---
- name: Install NFS
ansible.builtin.package:
name: nfs-kernel-server
state: present
- name: Export FS
ansible.builtin.template:
src: exports.j2
dest: /etc/exports
owner: root
group: root
mode: "0o640"
notify: Restart NFS
- name: Ensure NFSis started & enabled
ansible.builtin.service:
name: nfs-server
state: started
enabled: true

4
roles/nfs/templates/exports.j2 Normal file
View File

@@ -0,0 +1,4 @@
"/mnt/tank/nfs"\
*(sec=sys,rw,insecure,no_subtree_check)
"/mnt/tank/proxmox"\
10.233.212.59(sec=sys,rw,insecure,no_subtree_check)

8
roles/restic/defaults/main.yml
View File

@@ -1,11 +1,4 @@
--- ---
restic_path: "/usr/local/bin/restic"
restic_script_path: "/usr/local/bin/resticbackup.sh"
restic_cache_dir: ""
# use in cases when cron is not available
restic_external_scheduler: false
restic_pass: !vault | restic_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
62333166623737363731663766353330633335306532306366356536376232396664376430613434 62333166623737363731663766353330633335306532306366356536376232396664376430613434
@@ -17,4 +10,3 @@ restic_backup_path: ["/srv", "/home", "/etc"]
restic_backup_excluded_path: ["/srv/NOBACKUP"] restic_backup_excluded_path: ["/srv/NOBACKUP"]
restic_backup_hour: 6 restic_backup_hour: 6
restic_backup_minute: 0 restic_backup_minute: 0
restic_exe_group: "root"

11
roles/restic/tasks/install.yml
View File

@@ -16,13 +16,4 @@
path: "{{ restic_path }}" path: "{{ restic_path }}"
mode: "0o755" mode: "0o755"
owner: root owner: root
group: "{{ restic_exe_group }}" group: root
- name: Create cache dir
ansible.builtin.file:
name: "{{ restic_cache_dir }}"
state: directory
owner: root
group: "{{ restic_exe_group }}"
mode: "0o700"
when: restic_cache_dir | length > 0

2
roles/restic/tasks/main.yml
View File

@@ -8,7 +8,7 @@
src: resticbackup.sh.j2 src: resticbackup.sh.j2
dest: "{{ restic_script_path }}" dest: "{{ restic_script_path }}"
owner: root owner: root
group: "{{ restic_exe_group }}" group: root
mode: "0o750" mode: "0o750"
- name: Cron backup script - name: Cron backup script

2
roles/restic/templates/resticbackup.sh.j2
View File

@@ -7,7 +7,7 @@ export AWS_ACCESS_KEY_ID="{{ restic_aws_access_key_id }}"
export AWS_SECRET_ACCESS_KEY="{{ restic_aws_secret_access_key }}" export AWS_SECRET_ACCESS_KEY="{{ restic_aws_secret_access_key }}"
## lancement de la sauvegarde ## lancement de la sauvegarde
{{ restic_path }} backup {% if restic_cache_dir | length > 0 %}--cache-dir {{ restic_cache_dir }}{% endif %} --exclude-caches {% for i in restic_backup_excluded_path %} -e {{ i }} {% endfor %} {% for i in restic_backup_path %}{{ i }} {% endfor %} {{ restic_path }} backup --exclude-caches {% for i in restic_backup_excluded_path %} -e {{ i }} {% endfor %} {% for i in restic_backup_path %}{{ i }} {% endfor %}
## récupération de l'espace ## récupération de l'espace
{{ restic_path }} forget --prune -d 7 -w 4 -m 3 -y 1 {{ restic_path }} forget --prune -d 7 -w 4 -m 3 -y 1

2
roles/restic/vars/main.yml
View File

@@ -1,4 +1,6 @@
--- ---
restic_path: "/usr/local/bin/restic"
restic_script_path: "/usr/local/bin/resticbackup.sh"
restic_version: "0.17.1" restic_version: "0.17.1"
restic_architecture: "amd64" restic_architecture: "amd64"
restic_system: "{{ ansible_facts['system'] | lower }}" restic_system: "{{ ansible_facts['system'] | lower }}"

4
roles/spamassassin/files/local.cf
View File

@@ -7,6 +7,9 @@ ok_locales fr
score UNWANTED_LANGUAGE_BODY 5 score UNWANTED_LANGUAGE_BODY 5
score HTML_IMAGE_RATIO_02 3 score HTML_IMAGE_RATIO_02 3
rawbody LOCAL_partenaire_HM /partenaire HM/i
score LOCAL_partenaire_HM 20.0
rawbody LOCAL_Cbd_Gummies /Cbd Gummies/i rawbody LOCAL_Cbd_Gummies /Cbd Gummies/i
score LOCAL_Cbd_Gummies 20.0 score LOCAL_Cbd_Gummies 20.0
@@ -265,6 +268,7 @@ whitelist_from *@chichiclothing.com
whitelist_from dmarcreport@microsoft.com whitelist_from dmarcreport@microsoft.com
# Blacklist manuel # Blacklist manuel
blacklist_from *@supportprogram.fr
blacklist_from *@spotly.jp blacklist_from *@spotly.jp
blacklist_from *@itstales.de blacklist_from *@itstales.de
blacklist_from *@*.store blacklist_from *@*.store

5
roles/webapps/tasks/freshrss.yml
View File

@@ -13,7 +13,8 @@
mode: "0o644" mode: "0o644"
- name: Enable FreshRSS timer - name: Enable FreshRSS timer
ansible.builtin.service: ansible.builtin.systemd_service:
name: freshrss name: freshrss.timer
daemon_reload: true
enabled: true enabled: true
state: started state: started

29
roles/zfs/tasks/main.yml Normal file
View File

@@ -0,0 +1,29 @@
---
- name: Install Backports
ansible.builtin.template:
src: "backports.list.j2"
dest: "/etc/apt/sources.list.d/{{ ansible_distribution_release }}-backports.list"
owner: root
group: root
mode: "0o640"
- name: Pin ZFS
ansible.builtin.template:
src: "90_zfs.j2"
dest: "/etc/apt/preferences.d/90_zfs"
owner: root
group: root
mode: "0o640"
- name: Install ZFS
ansible.builtin.apt:
name: "{{ item }}"
state: present
update_cache: true
loop:
- dpkg-dev
- linux-headers-generic
- linux-image-generic
- zfs-dkms
- zfsutils-linux

3
roles/zfs/templates/90_zfs.j2 Normal file
View File

@@ -0,0 +1,3 @@
Package: src:zfs-linux
Pin: release n={{ ansible_distribution_release }}-backports
Pin-Priority: 990

2
roles/zfs/templates/backports.list.j2 Normal file
View File

@@ -0,0 +1,2 @@
deb http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main contrib
deb-src http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main contrib