🚀: new NAS

inventory/group_vars/all/restic.yml

@@ -1,11 +1,14 @@
 ---
 
-restic_aws_access_key_id: "backup"
+restic_aws_access_key_id: "GK592f5dead61d5ffd40f660fb"
 restic_aws_secret_access_key: !vault |
           $ANSIBLE_VAULT;1.1;AES256
-          64613131346563323262316264306363636261313535353565333231316433313539653634303737
-          3766666137633637666265663230323937663239396534310a313330333163396664643830643934
-          38623061653733653634623230616532383830626335653362333331353065353737323935326365
-          6638643861633038330a613832336463376535326461633832646238336663333537346461386534
-          31373734303133623363393837613437313066656532623832333335663666353039
-restic_s3_url: "http://backup.mateu.be:9000/backup"
+          36346561343533353736366631613537623136663839373161306463356433636461646339656439
+          3362376336643066616437633964363134326566346665630a663063313938356165333131663964
+          64313466373465343832623039313938383863333366313831613637373965663430336538353661
+          3163313234656464320a393565336538316139393430663466326263663731343231333938393837
+          31663730636364646465633232633630313331313535353435396534313765306335666435636163
+          39653839646661356136306233653263386532616237326431366262343633613863353934626665
+          38376163613837626435373134393630316235313032353738643537303162643538353966613833
+          34333735663939396433
+restic_s3_url: "http://backup.mateu.be:3900/backup"

inventory/group_vars/garage_bck_cluster.yml

@@ -0,0 +1,25 @@
+---
+
+garage_rpc_secret: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          38383331313936363536356237316561363662346237333437626530646238313031643131323062
+          3730383236343333636263346638626263313439616136380a343830653061663231343139656433
+          35626164616236316331323536323365623834346461396537636164326531373464666530376438
+          6338356664363965650a383134313933333330376562353734646539306637303366636235636435
+          33656637316436353735646230653532323830656635633338623463613665616661663662383938
+          64393337373666396361303639366464623438663837386135326664386338623930333865646164
+          39376335313962376638393437626265353166636466616435623630373232643431646363386562
+          38613231356438663037
+
+garage_admin_token: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          30363835373364633661303237303031663532633631393635386364303736316634333837323666
+          3634343666303333343637393464376666376534323031330a333235366164353162613066656134
+          63636462363265633638626537333364626136663735623035323233653261363131336363303165
+          6461373366393339390a336133343934313264666461373238633237313135333266613564373866
+          33393662313138626436333665313763616336646138626434316634666563666661616532613766
+          32326332363237646364666332653938316133343635383866633762643862626166336638313133
+          34313431333465376564306435316239633436323863643838643837653638386237303534303036
+          31306266336137346638
+
+garage_root_domain: ".backup.mateu.be"

inventory/host_vars/frederica.dmz.mateu.be.yml

@@ -1,16 +1,9 @@
 ---
-restic_path: "/mnt/tank/restic/restic"
-restic_script_path: "/mnt/tank/restic/resticbackup.sh"
-restic_cache_dir: "/mnt/tank/restic/cache"
-
-restic_external_scheduler: true
-
 restic_backup_path:
   - /mnt/tank
+  - /var/lib/private
 restic_backup_excluded_path:
-  - /mnt/tank/ix-applications
   - /mnt/tank/s3/.minio.sys
-  - /mnt/tank/restic/cache
 restic_backup_hour: 6
 restic_backup_minute: 45
 
@@ -24,4 +17,3 @@ restic_aws_secret_access_key: !vault |
           61333532656135333731313561663062323133613662373061666266383031343964623838336264
           3936393838396163626438303962313931333165386363666139
 restic_s3_url: "https://s3.fr-par.scw.cloud/backup-libertus"
-restic_exe_group: "wheel"

inventory/production.yml

@@ -7,6 +7,15 @@ hypervisors:
   hosts:
     serenor.dmz.mateu.be:
 
+nasservers:
+  hosts:
+    frederica.dmz.mateu.be:
+
+zfsservers:
+  hosts:
+    serenor.dmz.mateu.be:
+    frederica.dmz.mateu.be:
+
 resticservers:
   hosts:
     baybay-ponay.mateu.be:
@@ -33,6 +42,9 @@ garageservers:
     garage_prd_cluster:
       hosts:
         garage1.dmz.mateu.be:
+    garage_bck_cluster:
+      hosts:
+        frederica.dmz.mateu.be:
 
 elasticsearchservers:
   hosts:
@@ -43,6 +55,7 @@ nut:
     nut_client:
       hosts:
         serenor.dmz.mateu.be:
+        frederica.dmz.mateu.be:
     nut_server:
       hosts:
         serenor.dmz.mateu.be:
@@ -129,7 +142,6 @@ disabled_loadbalanced_webservers:
 disabled_system:
   hosts:
     baybay-ponay.mateu.be:
-    frederica.dmz.mateu.be:
     machinbox.mateu.be:
     muse-HP-EliteBook-820-G2.home.arpa:
     pinkypie.home.arpa:
@@ -137,7 +149,6 @@ disabled_system:
 disabled_munin:
   hosts:
     baybay-ponay.mateu.be:
-    frederica.dmz.mateu.be:
     muse-HP-EliteBook-820-G2.home.arpa:
     pinkypie.home.arpa:
     nsd-master1.ext.mateu.be:
@@ -146,7 +157,6 @@ disabled_munin:
 disabled_syslog:
   hosts:
     baybay-ponay.mateu.be:
-    frederica.dmz.mateu.be:
     machinbox.mateu.be:
     muse-HP-EliteBook-820-G2.home.arpa:
     nsd-master1.ext.mateu.be:

playbooks/nas.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Deploy NAS services
+  hosts: nasservers
+  diff: true
+  roles:
+      - zfs
+      - nfs

playbooks/site.yml

@@ -2,6 +2,8 @@
 
 - name: Run system playbook
   import_playbook: system.yml
+- name: Run nas playbook
+  import_playbook: nas.yml
 - name: Run usb playbook
   import_playbook: usb.yml
 - name: Run nsd playbook

playbooks/smtprelay.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Deploy smtp relay
-  hosts: all:!disabled_server_conf:!machinbox.mateu.be:!mail.dmz.mateu.be:!frederica.dmz.mateu.be
+  hosts: all:!disabled_server_conf:!machinbox.mateu.be:!mail.dmz.mateu.be
   diff: true
   roles:
     - smtprelay

roles/munin_client/tasks/main.yml

@@ -111,6 +111,10 @@
   ansible.builtin.include_tasks: hypervisors.yml
   when: "'hypervisors' in group_names"
 
+# - name: Execute specific ZFS commands
+#   ansible.builtin.include_tasks: zfs.yml
+#   when: "'zfsservers' in group_names"
+
 # Specific LXC commands
 - name: Execute specific LXC commands
   ansible.builtin.include_tasks: lxc.yml
@@ -119,7 +123,7 @@
 # Specific garage commands
 - name: Execute specific garage commands
   ansible.builtin.include_tasks: garage.yml
-  when: "'garage1' in inventory_hostname"
+  when: "'garageservers' in group_names"
 
 # Specific nsd commands
 - name: Execute specific nsd commands

roles/nfs/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Restart NFS
+  ansible.builtin.service:
+    name: nfs-server
+    enabled: true
+    state: restarted

roles/nfs/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+
+- name: Install NFS
+  ansible.builtin.package:
+    name: nfs-kernel-server
+    state: present
+
+- name: Export FS
+  ansible.builtin.template:
+    src: exports.j2
+    dest: /etc/exports
+    owner: root
+    group: root
+    mode: "0o640"
+  notify: Restart NFS
+
+- name: Ensure NFS is started & enabled
+  ansible.builtin.service:
+    name: nfs-server
+    state: started
+    enabled: true

roles/nfs/templates/exports.j2

@@ -0,0 +1,4 @@
+"/mnt/tank/nfs"\
+	*(sec=sys,rw,insecure,no_subtree_check)
+"/mnt/tank/proxmox"\
+	10.233.212.59(sec=sys,rw,insecure,no_subtree_check)

roles/restic/defaults/main.yml

@@ -1,11 +1,4 @@
 ---
-restic_path: "/usr/local/bin/restic"
-restic_script_path: "/usr/local/bin/resticbackup.sh"
-restic_cache_dir: ""
-
-# use in cases when cron is not available
-restic_external_scheduler: false
-
 restic_pass: !vault |
           $ANSIBLE_VAULT;1.1;AES256
           62333166623737363731663766353330633335306532306366356536376232396664376430613434
@@ -17,4 +10,3 @@ restic_backup_path: ["/srv", "/home", "/etc"]
 restic_backup_excluded_path: ["/srv/NOBACKUP"]
 restic_backup_hour: 6
 restic_backup_minute: 0
-restic_exe_group: "root"

roles/restic/tasks/install.yml

@@ -16,13 +16,4 @@
     path: "{{ restic_path }}"
     mode: "0o755"
     owner: root
-    group: "{{ restic_exe_group }}"
-
-- name: Create cache dir
-  ansible.builtin.file:
-    name: "{{ restic_cache_dir }}"
-    state: directory
-    owner: root
-    group: "{{ restic_exe_group }}"
-    mode: "0o700"
-  when: restic_cache_dir | length > 0
+    group: root

roles/restic/tasks/main.yml

@@ -8,7 +8,7 @@
     src: resticbackup.sh.j2
     dest: "{{ restic_script_path }}"
     owner: root
-    group: "{{ restic_exe_group }}"
+    group: root
     mode: "0o750"
 
 - name: Cron backup script

roles/restic/templates/resticbackup.sh.j2

@@ -7,7 +7,7 @@ export AWS_ACCESS_KEY_ID="{{ restic_aws_access_key_id }}"
 export AWS_SECRET_ACCESS_KEY="{{ restic_aws_secret_access_key }}"
 
 ## lancement de la sauvegarde
-{{ restic_path }} backup {% if restic_cache_dir | length > 0 %}--cache-dir {{ restic_cache_dir }}{% endif %} --exclude-caches {% for i in restic_backup_excluded_path %} -e {{ i }} {% endfor %} {% for i in restic_backup_path %}{{ i }} {% endfor %}
+{{ restic_path }} backup --exclude-caches {% for i in restic_backup_excluded_path %} -e {{ i }} {% endfor %} {% for i in restic_backup_path %}{{ i }} {% endfor %}
 
 ## récupération de l'espace
 {{ restic_path }} forget --prune -d 7 -w 4 -m 3 -y 1

roles/restic/vars/main.yml

@@ -1,4 +1,6 @@
 ---
+restic_path: "/usr/local/bin/restic"
+restic_script_path: "/usr/local/bin/resticbackup.sh"
 restic_version: "0.17.1"
 restic_architecture: "amd64"
 restic_system: "{{ ansible_facts['system'] | lower }}"

roles/spamassassin/files/local.cf

@@ -7,6 +7,9 @@ ok_locales      fr
 score   UNWANTED_LANGUAGE_BODY  5
 score	HTML_IMAGE_RATIO_02		3
 
+rawbody		LOCAL_partenaire_HM		/partenaire HM/i
+score		LOCAL_partenaire_HM		20.0
+
 rawbody		LOCAL_Cbd_Gummies	/Cbd Gummies/i
 score		LOCAL_Cbd_Gummies	20.0
 
@@ -265,6 +268,7 @@ whitelist_from *@chichiclothing.com
 whitelist_from dmarcreport@microsoft.com
 
 # Blacklist manuel
+blacklist_from *@supportprogram.fr
 blacklist_from *@spotly.jp
 blacklist_from *@itstales.de
 blacklist_from *@*.store

roles/webapps/tasks/freshrss.yml

@@ -13,7 +13,8 @@
     mode: "0o644"
 
 - name: Enable FreshRSS timer
-  ansible.builtin.service:
-    name: freshrss
+  ansible.builtin.systemd_service:
+    name: freshrss.timer
+    daemon_reload: true
     enabled: true
     state: started

roles/zfs/tasks/main.yml

@@ -0,0 +1,29 @@
+---
+
+- name: Install Backports
+  ansible.builtin.template:
+    src: "backports.list.j2"
+    dest: "/etc/apt/sources.list.d/{{ ansible_distribution_release }}-backports.list"
+    owner: root
+    group: root
+    mode: "0o640"
+
+- name: Pin ZFS
+  ansible.builtin.template:
+    src: "90_zfs.j2"
+    dest: "/etc/apt/preferences.d/90_zfs"
+    owner: root
+    group: root
+    mode: "0o640"
+
+- name: Install ZFS
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: present
+    update_cache: true
+  loop:
+    - dpkg-dev
+    - linux-headers-generic
+    - linux-image-generic
+    - zfs-dkms
+    - zfsutils-linux

roles/zfs/templates/90_zfs.j2

@@ -0,0 +1,3 @@
+Package: src:zfs-linux
+Pin: release n={{ ansible_distribution_release }}-backports
+Pin-Priority: 990

roles/zfs/templates/backports.list.j2

@@ -0,0 +1,2 @@
+deb http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main contrib
+deb-src http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main contrib