author | 2023-08-13 14:59:36 +0100 | |
committer | 2023-08-13 15:54:03 +0100 | |
commit | 431585b5256a0d08f4f3c33122465a88a93ddcb1 (patch) | |
tree | 4cc41cda81655332fa467e6c9c85d1ee9c35b90e /roles | |
parent | Serve static files from Turing (#116) (diff) |
Move all ansible files to their own folder
Diffstat (limited to 'roles')
45 files changed, 0 insertions, 795 deletions
diff --git a/roles/certbot/README.md b/roles/certbot/README.md
deleted file mode 100644
index b9d3e36..0000000
--- a/roles/certbot/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# Role "certbot"
-
-Installs certbot and the Cloudflare DNS plugin for certbot to provision and deploy TLS certificates for web properties.
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
deleted file mode 100644
index 2cf859c..0000000
--- a/roles/certbot/tasks/main.yml
+++ /dev/null
@@ -1,105 +0,0 @@ ---- -- name: Install certbot and certbot Cloudflare plugin - when: inventory_hostname == ansible_play_hosts_all[0] - package: - name: - - python3-certbot - - python3-certbot-dns-cloudflare - state: present - tags: - - role::certbot - -- name: Install rsync on certbot hosts - package: - name: rsync - state: present - tags: - - role::certbot - -- name: Generate Cloudflare credentials file on designated leader - when: inventory_hostname == ansible_play_hosts_all[0] - copy: - content: | - # This file is managed by Ansible - dns_cloudflare_api_token = {{ certbot_cloudflare_token }} - dest: /etc/letsencrypt/cloudflare.ini - owner: root - group: root - mode: "0400" - tags: - - role::certbot - -- name: Generate SSH key for certificate distribution - when: inventory_hostname == ansible_play_hosts_all[0] - community.crypto.openssh_keypair: - path: /root/.ssh/cert_{{ item }}_key_ed25519 - type: ed25519 - state: present - comment: certificate distribution key for {{ item }} - with_items: - - "{{ ansible_play_hosts | reject('in', [inventory_hostname]) }}" - tags: - - role::certbot - register: generated_keys - -- name: Create certificate directories on replica certificate hosts - when: inventory_hostname != ansible_play_hosts[0] - file: - path: /etc/letsencrypt/live - recurse: true - state: directory - owner: root - group: root - mode: "0700" - tags: - - role::certbot - -- name: Install certificate distribution keys to other NGINX nodes - when: inventory_hostname != ansible_play_hosts[0] - ansible.posix.authorized_key: - user: root - state: present - key: | - {{ hostvars[ansible_play_hosts_all[0]]['generated_keys']['results'] - | selectattr('item', 'equalto', inventory_hostname) - | map(attribute='public_key') - | first }} - comment: "certificate distribution key" - key_options: 'from="{{ hostvars[ansible_play_hosts_all[0]]["wireguard_subnet"] }}",restrict,command="/opt/cert_rsync.sh"' - tags: - - role::certbot - -- name: Ensure renewal-hooks deploy directory 
exists - file: - path: /etc/letsencrypt/renewal-hooks/deploy - recurse: true - state: directory - -- name: Create renewal hook to synchronize certificates - when: inventory_hostname == ansible_play_hosts_all[0] - template: - src: renewal-hook.sh.j2 - dest: /etc/letsencrypt/renewal-hooks/deploy/distribute-certs - owner: root - group: root - mode: "0700" - tags: - - role::certbot - -- name: Request certificates for configured domains - when: inventory_hostname == ansible_play_hosts_all[0] - command: | - certbot certonly - --agree-tos - --non-interactive - --email {{ certbot_email }} - --dns-cloudflare - --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini - --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/distribute-certs - -d {{ item }} -d *.{{ item }} -d cloud.native.is.fun.and.easy.pydis.wtf - args: - creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem" - with_items: - - "{{ certbot_domains }}" - tags: - - role::certbot diff --git a/roles/certbot/templates/renewal-hook.sh.j2 b/roles/certbot/templates/renewal-hook.sh.j2 deleted file mode 100644 index 7fa7252..0000000 --- a/roles/certbot/templates/renewal-hook.sh.j2 +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh -set -ex - -{% for host in ansible_play_hosts if host != inventory_hostname %} -rsync --copy-links --delete --recursive -e "ssh -i /root/.ssh/cert_{{ host }}_key_ed25519 -o StrictHostKeyChecking=accept-new" /etc/letsencrypt/live/* root@{{ hostvars[host]['wireguard_subnet'] | split("/") | first }}:/etc/letsencrypt/live -{% endfor %} diff --git a/roles/certbot/vars/main/main.yml b/roles/certbot/vars/main/main.yml deleted file mode 100644 index fdfc7b1..0000000 --- a/roles/certbot/vars/main/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -certbot_cloudflare_token: "{{ encrypted_cloudflare_token }}" -certbot_email: "[email protected]" -certbot_domains: - - pydis.wtf - - pythondiscord.com 
diff --git a/roles/certbot/vars/main/vault.yml b/roles/certbot/vars/main/vault.yml deleted file mode 100644 index c669b69..0000000 --- a/roles/certbot/vars/main/vault.yml +++ /dev/null @@ -1,9 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -66336535306366333038666137306135663438346366643735383962623339636236343438633766 -6565343931306531623330373936313730353539303264390a333031363634663236636232386461 -34353239643364653464373531653236383963303137326438343239313136376537336636326162 -3537383737323732310a623836363138646434636165643130366362656661393937346534313632 -37663966613031363036623838326666636231313462363831396366363837343632646131303863 -35363032386463346164623733656463633735376161653361343231326166313466643236623762 -31343562323362353238663666303435353138643463656531373466336639316464376632623731 -32646464393438656134 diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml deleted file mode 100644 index 02cc88e..0000000 --- a/roles/common/handlers/main.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: Restart ssh - service: - name: ssh - state: restarted - -- name: Restart systemd-timesyncd - service: - name: systemd-timesyncd - state: restarted diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml deleted file mode 100644 index b9b9c52..0000000 --- a/roles/common/tasks/main.yml +++ /dev/null 
@@ -1,78 +0,0 @@ -- name: Update hostname to match Ansible inventory - hostname: - name: "{{ inventory_hostname }}" - tags: - - role::common - -- name: Update /etc/hosts to match Ansible inventory - template: - src: etc-hosts.j2 - dest: /etc/hosts - mode: '0644' - owner: root - group: root - tags: - - role::common - -- name: Disable SSH password authentication - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "^PasswordAuthentication" - line: "PasswordAuthentication no" - state: present - notify: - - Restart ssh - tags: - - role::common - -- name: Set timezone to UTC - file: - src: /usr/share/zoneinfo/Etc/UTC - dest: /etc/localtime - mode: '0644' - owner: root - group: root - notify: - - Restart systemd-timesyncd - tags: - - role::common - -- name: Create sudoers lecture - template: - src: sudo_lecture.j2 - dest: /etc/sudo_lecture - mode: '0644' - owner: root - group: root - tags: - - role::common - -- name: Add sudoers lecture path - lineinfile: - dest: /etc/sudoers - regexp: '^Defaults +?lecture_file ?= ?".+?"$' - line: 'Defaults lecture_file = "/etc/sudo_lecture"' - state: present - validate: /usr/sbin/visudo -cf %s - tags: - - role::common - -- name: Configure MOTD - template: - src: motd.j2 - dest: /etc/motd - mode: '0644' - owner: root - group: root - tags: - - role::common - -- name: Enable default .bashrc for root - copy: - src: /etc/skel/.bashrc - dest: /root/.bashrc - mode: '0644' - owner: root - group: root - tags: - - role::common diff --git a/roles/common/templates/etc-hosts.j2 b/roles/common/templates/etc-hosts.j2 deleted file mode 100644 index 6fdbdaa..0000000 --- a/roles/common/templates/etc-hosts.j2 +++ /dev/null @@ -1,7 +0,0 @@ -127.0.0.1 localhost -127.0.1.1 {{ inventory_hostname }}.box.pydis.wtf {{ inventory_hostname }} - -::1 localhost ip6-localhost ip6-loopback -ff02::1 ip6-allnodes -ff02::2 ip6-allrouters -{{ lookup('dig', ansible_host) }} {{ inventory_hostname }}.box.pydis.wtf {{ inventory_hostname }} 
diff --git a/roles/common/templates/motd.j2 b/roles/common/templates/motd.j2 deleted file mode 100644 index ff6cfcd..0000000 --- a/roles/common/templates/motd.j2 +++ /dev/null @@ -1,3 +0,0 @@ -[[[ To any NSA and FBI agents accessing our servers: please consider ]]] -[[[ whether defending the US Constitution against all enemies, ]]] -[[[ foreign or domestic, requires you to follow Snowden's example. ]]] diff --git a/roles/common/templates/sudo_lecture.j2 b/roles/common/templates/sudo_lecture.j2 deleted file mode 100644 index 1758dd0..0000000 --- a/roles/common/templates/sudo_lecture.j2 +++ /dev/null @@ -1,6 +0,0 @@ - -[1m [32m"Bee" careful [34m__ - [32mwith sudo! [34m// \ - \\_/ [33m// - [35m''-.._.-''-.._.. [33m-(||)(') - '''[0m diff --git a/roles/fail2ban/README.md b/roles/fail2ban/README.md deleted file mode 100644 index 60bb3ac..0000000 --- a/roles/fail2ban/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Role "fail2ban" - -This role installs and configures fail2ban to all Python Discord hosts. diff --git a/roles/fail2ban/files/jail.local b/roles/fail2ban/files/jail.local deleted file mode 100644 index c25dde5..0000000 --- a/roles/fail2ban/files/jail.local +++ /dev/null @@ -1,8 +0,0 @@ -[DEFAULT] -ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24 10.0.0.0/8 -bantime = 24h -maxretry = 3 -findtime = 2h - -[sshd] -mode=aggressive diff --git a/roles/fail2ban/handlers/main.yml b/roles/fail2ban/handlers/main.yml deleted file mode 100644 index dbff530..0000000 --- a/roles/fail2ban/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ -- name: Reload fail2ban - service: - name: fail2ban - state: reloaded - tags: - - role::fail2ban diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml deleted file mode 100644 index 74a5442..0000000 --- a/roles/fail2ban/tasks/main.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -- name: Install fail2ban package - package: - name: fail2ban - state: present - tags: - - role::fail2ban - -- name: Copy fail2ban config - copy: - src: jail.local - dest: /etc/fail2ban/jail.local - owner: root - group: root - mode: "0644" - tags: - - role::fail2ban - notify: - - Reload fail2ban - -- name: Enable fail2ban service - service: - name: fail2ban - state: started - enabled: true - tags: - - role::fail2ban diff --git a/roles/nginx-cloudflare-mtls/README.md b/roles/nginx-cloudflare-mtls/README.md deleted file mode 100644 index 081cacb..0000000 --- a/roles/nginx-cloudflare-mtls/README.md +++ /dev/null @@ -1,16 +0,0 @@ -# Role "nginx-cloudflare-mtls" - -Installs the certificate required for performing mutual TLS authentication -between NGINX and Cloudflare. - -To use mutual TLS in your NGINX virtual hosts, add this configuration snippet: - -```nginx -ssl_client_certificate {{ nginx_cloudflare_mtls_certificate_path }}; -ssl_verify_client on; -``` - - -## Variables - -See [role defaults](./defaults/main.yml) for an annotated overview. diff --git a/roles/nginx-cloudflare-mtls/defaults/main.yml b/roles/nginx-cloudflare-mtls/defaults/main.yml deleted file mode 100644 index ff1c667..0000000 --- a/roles/nginx-cloudflare-mtls/defaults/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -# The path at which to install the certificate. -nginx_cloudflare_mtls_certificate_path: /etc/nginx/certs/cloudflare.crt diff --git a/roles/nginx-cloudflare-mtls/files/cloudflare.crt b/roles/nginx-cloudflare-mtls/files/cloudflare.crt deleted file mode 100644 index 965f0bf..0000000 --- a/roles/nginx-cloudflare-mtls/files/cloudflare.crt +++ /dev/null 
@@ -1,35 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIGCjCCA/KgAwIBAgIIV5G6lVbCLmEwDQYJKoZIhvcNAQENBQAwgZAxCzAJBgNV -BAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMRQwEgYDVQQLEwtPcmln -aW4gUHVsbDEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZv -cm5pYTEjMCEGA1UEAxMab3JpZ2luLXB1bGwuY2xvdWRmbGFyZS5uZXQwHhcNMTkx -MDEwMTg0NTAwWhcNMjkxMTAxMTcwMDAwWjCBkDELMAkGA1UEBhMCVVMxGTAXBgNV -BAoTEENsb3VkRmxhcmUsIEluYy4xFDASBgNVBAsTC09yaWdpbiBQdWxsMRYwFAYD -VQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMSMwIQYDVQQD -ExpvcmlnaW4tcHVsbC5jbG91ZGZsYXJlLm5ldDCCAiIwDQYJKoZIhvcNAQEBBQAD -ggIPADCCAgoCggIBAN2y2zojYfl0bKfhp0AJBFeV+jQqbCw3sHmvEPwLmqDLqynI -42tZXR5y914ZB9ZrwbL/K5O46exd/LujJnV2b3dzcx5rtiQzso0xzljqbnbQT20e -ihx/WrF4OkZKydZzsdaJsWAPuplDH5P7J82q3re88jQdgE5hqjqFZ3clCG7lxoBw -hLaazm3NJJlUfzdk97ouRvnFGAuXd5cQVx8jYOOeU60sWqmMe4QHdOvpqB91bJoY -QSKVFjUgHeTpN8tNpKJfb9LIn3pun3bC9NKNHtRKMNX3Kl/sAPq7q/AlndvA2Kw3 -Dkum2mHQUGdzVHqcOgea9BGjLK2h7SuX93zTWL02u799dr6Xkrad/WShHchfjjRn -aL35niJUDr02YJtPgxWObsrfOU63B8juLUphW/4BOjjJyAG5l9j1//aUGEi/sEe5 -lqVv0P78QrxoxR+MMXiJwQab5FB8TG/ac6mRHgF9CmkX90uaRh+OC07XjTdfSKGR -PpM9hB2ZhLol/nf8qmoLdoD5HvODZuKu2+muKeVHXgw2/A6wM7OwrinxZiyBk5Hh -CvaADH7PZpU6z/zv5NU5HSvXiKtCzFuDu4/Zfi34RfHXeCUfHAb4KfNRXJwMsxUa -+4ZpSAX2G6RnGU5meuXpU5/V+DQJp/e69XyyY6RXDoMywaEFlIlXBqjRRA2pAgMB -AAGjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1Ud -DgQWBBRDWUsraYuA4REzalfNVzjann3F6zAfBgNVHSMEGDAWgBRDWUsraYuA4REz -alfNVzjann3F6zANBgkqhkiG9w0BAQ0FAAOCAgEAkQ+T9nqcSlAuW/90DeYmQOW1 -QhqOor5psBEGvxbNGV2hdLJY8h6QUq48BCevcMChg/L1CkznBNI40i3/6heDn3IS -zVEwXKf34pPFCACWVMZxbQjkNRTiH8iRur9EsaNQ5oXCPJkhwg2+IFyoPAAYURoX -VcI9SCDUa45clmYHJ/XYwV1icGVI8/9b2JUqklnOTa5tugwIUi5sTfipNcJXHhgz -6BKYDl0/UP0lLKbsUETXeTGDiDpxZYIgbcFrRDDkHC6BSvdWVEiH5b9mH2BON60z -0O0j8EEKTwi9jnafVtZQXP/D8yoVowdFDjXcKkOPF/1gIh9qrFR6GdoPVgB3SkLc -5ulBqZaCHm563jsvWb/kXJnlFxW+1bsO9BDD6DweBcGdNurgmH625wBXksSdD7y/ -fakk8DagjbjKShYlPEFOAqEcliwjF45eabL0t27MJV61O/jHzHL3dknXeE4BDa2j 
-bA+JbyJeUMtU7KMsxvx82RmhqBEJJDBCJ3scVptvhDMRrtqDBW5JShxoAOcpFQGm -iYWicn46nPDjgTU0bX1ZPpTpryXbvciVL5RkVBuyX2ntcOLDPlZWgxZCBp96x07F -AnOzKgZk4RzZPNAxCXERVxajn/FLcOhglVAKo5H0ac+AitlQ0ip55D2/mf8o72tM -fVQ6VpyjEXdiIXWUq/o= ------END CERTIFICATE----- diff --git a/roles/nginx-cloudflare-mtls/meta/main.yml b/roles/nginx-cloudflare-mtls/meta/main.yml deleted file mode 100644 index 8b662c9..0000000 --- a/roles/nginx-cloudflare-mtls/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - role: nginx diff --git a/roles/nginx-cloudflare-mtls/tasks/main.yml b/roles/nginx-cloudflare-mtls/tasks/main.yml deleted file mode 100644 index 21d1b28..0000000 --- a/roles/nginx-cloudflare-mtls/tasks/main.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- name: Create nginx certificates directory - file: - path: /etc/nginx/certs - state: directory - owner: root - group: root - mode: "0444" - tags: - - role::nginx-cloudflare-mtls - -- name: Copy the cloudflare mutual TLS certificate - copy: - src: cloudflare.crt - dest: /etc/nginx/certs/cloudflare.crt - owner: root - group: root - mode: "0444" - tags: - - role::nginx-cloudflare-mtls diff --git a/roles/nginx-geoip/meta/main.yml b/roles/nginx-geoip/meta/main.yml deleted file mode 100644 index 8b662c9..0000000 --- a/roles/nginx-geoip/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - role: nginx diff --git a/roles/nginx-geoip/tasks/main.yml b/roles/nginx-geoip/tasks/main.yml deleted file mode 100644 index e41b1e4..0000000 --- a/roles/nginx-geoip/tasks/main.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -- name: Configure the geoip module - copy: - # ref https://nginx.org/en/docs/http/ngx_http_geoip_module.html - content: geoip_country /usr/share/GeoIP/GeoIP.dat; - dest: /etc/nginx/conf.d/geoip.conf - owner: root - group: root - mode: "0444" - tags: - - role::nginx-geoip - notify: - - Reload the nginx service diff --git a/roles/nginx-ufw/README.md b/roles/nginx-ufw/README.md deleted file mode 100644 index e657afb..0000000 
--- a/roles/nginx-ufw/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Role "nginx-ufw" - -Allows NGINX HTTP and HTTPS traffic through the UFW firewall. diff --git a/roles/nginx-ufw/meta/main.yml b/roles/nginx-ufw/meta/main.yml deleted file mode 100644 index a6e9124..0000000 --- a/roles/nginx-ufw/meta/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -dependencies: - - role: nginx - - role: ufw diff --git a/roles/nginx-ufw/tasks/main.yml b/roles/nginx-ufw/tasks/main.yml deleted file mode 100644 index 3b52f14..0000000 --- a/roles/nginx-ufw/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: Allow http(s) traffic through the firewall - community.general.ufw: - app: Nginx Full - rule: allow - tags: - - role::nginx-ufw diff --git a/roles/nginx/README.md b/roles/nginx/README.md deleted file mode 100644 index 9961a69..0000000 --- a/roles/nginx/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Role "nginx" - -Installs nginx on target hosts and provides a handler for reloading nginx, for instance on configuration change. diff --git a/roles/nginx/files/default_server.conf b/roles/nginx/files/default_server.conf deleted file mode 100644 index 1d68ff5..0000000 --- a/roles/nginx/files/default_server.conf +++ /dev/null 
@@ -1,32 +0,0 @@ -# Managed by Ansible -server { - listen 80 default_server; - - server_name _; - - return 301 https://$host$request_uri; -} - -server { - listen 443 ssl http2 default_server; - - ssl_certificate /etc/letsencrypt/live/pydis.wtf/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/pydis.wtf/privkey.pem; - - location / { - set_by_lua_block $url { - local urls = { - "https://fasterthanli.me/articles/i-want-off-mr-golangs-wild-ride", - "https://en.wikipedia.org/wiki/Tax_evasion", - "https://jchri.st/blog/apfs-sadness-on-macos-big-sur.html", - "https://cdn.discordapp.com/attachments/675756741417369640/852688961516077086/Screenshot_2021-06-11_at_00.21.22.png", - "https://news.ycombinator.com/", - "https://www.hertfordshire.gov.uk/latest/letchworth-webcam.jpg", - "https://media.discordapp.net/attachments/922169059175444501/952929630459924501/1svkf3xto3n61.png" - } - return urls [ math.random(#urls) ] - } - - return 302 $url; - } -} diff --git a/roles/nginx/files/files.pydis.wtf b/roles/nginx/files/files.pydis.wtf deleted file mode 100644 index db8416e..0000000 --- a/roles/nginx/files/files.pydis.wtf +++ /dev/null @@ -1,10 +0,0 @@ -# Managed by Ansible -server { - listen 443; - server_name files.pydis.wtf; - root /var/www/turing; - - location / { - try_files $uri $uri/; - } -} diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml deleted file mode 100644 index 2e84daf..0000000 --- a/roles/nginx/handlers/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: Reload the nginx service - service: - name: nginx - state: reloaded - tags: - - role::nginx diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml deleted file mode 100644 index 85fe7ec..0000000 --- a/roles/nginx/tasks/main.yml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -- name: Install NGINX & modules - package: - name: - - nginx - - libnginx-mod-http-lua - - libnginx-mod-http-geoip - state: present - tags: - - role::nginx - -- name: Copy NGINX default config - copy: - src: default_server.conf - dest: /etc/nginx/conf.d/default_server.conf - group: root - owner: root - mode: "0644" - tags: - - role::nginx - notify: - - Reload the nginx service - -- name: Remove default nginx site - file: - path: /etc/nginx/sites-enabled/default - state: absent - -- name: Copy file server config - copy: - src: files.pydis.wtf - dest: /etc/nginx/sites-available/files.pydis.wtf - group: root - owner: root - mode: "0644" - tags: - - role::nginx - notify: - - Reload the nginx service - -- name: Enable file server - file: - src: /etc/nginx/sites-available/files.pydis.wtf - dest: /etc/nginx/sites-enabled/files.pydis.wtf - state: link diff --git a/roles/podman/tasks/main.yml b/roles/podman/tasks/main.yml deleted file mode 100644 index 154fa6c..0000000 --- a/roles/podman/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: Install podman - package: - name: podman - state: present - tags: - - role::podman diff --git a/roles/postgres/handlers/main.yml b/roles/postgres/handlers/main.yml deleted file mode 100644 index a036301..0000000 --- a/roles/postgres/handlers/main.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: Restart postgres. - service: - name: '{{ postgresql_daemon }}' - state: "restarted" diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml deleted file mode 100644 index 9551c4e..0000000 --- a/roles/postgres/tasks/main.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -- name: Install postgres packages - apt: - name: - - python3-psycopg2 - - postgresql-{{ postgresql_version }} - - postgresql-contrib-{{ postgresql_version }} - - libpq-dev - state: present - tags: - - role::postgres - -- name: Check postgres is started and enabled on boot - service: - name: '{{ postgresql_daemon }}' - state: started - enabled: true - tags: - - role::postgres - -- name: Add postgres users - community.postgresql.postgresql_user: "{{ item }}" - with_items: "{{ postgresql_users }}" - become: true - become_user: "{{ postgresql_user }}" - tags: - - role::postgres - -- name: Add postgres databases - community.postgresql.postgresql_db: "{{ item }}" - with_items: "{{ postgresql_databases }}" - become: true - become_user: "{{ postgresql_user }}" - tags: - - role::postgres diff --git a/roles/postgres/vars/main.yml b/roles/postgres/vars/main.yml deleted file mode 100644 index ddb483a..0000000 --- a/roles/postgres/vars/main.yml +++ /dev/null @@ -1,7 +0,0 @@ -postgresql_version: "15" -postgresql_daemon: "postgresql@{{ postgresql_version }}-main" -postgres_user: "postgres" - -postgresql_users: [] - -postgresql_databases: [] diff --git a/roles/prometheus-node-exporter/README.md b/roles/prometheus-node-exporter/README.md deleted file mode 100644 index 97ed275..0000000 --- a/roles/prometheus-node-exporter/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Role "prometheus-node-exporter" - -Installs prometheus-node-exporter on target hosts. diff --git a/roles/prometheus-node-exporter/tasks/main.yml b/roles/prometheus-node-exporter/tasks/main.yml deleted file mode 100644 index b6247e4..0000000 --- a/roles/prometheus-node-exporter/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: Install prometheus-node-exporter - package: - name: prometheus-node-exporter - state: present - tags: - - role::prometheus-node-exporter diff --git a/roles/prometheus/README.md b/roles/prometheus/README.md deleted file mode 100644 index febe029..0000000 
--- a/roles/prometheus/README.md +++ /dev/null @@ -1,13 +0,0 @@ -# Role "prometheus" - -Installs and configured Prometheus on target servers. - - -## Variables - -- `prometheus_cmdline_options` configures arguments to be added - to the prometheus command line, and changing it will result in - a restart. - -- `prometheus_configuration` is the prometheus configuration, serialized to - YAML by Ansible. If unset, the default Prometheus configuration is used. diff --git a/roles/prometheus/defaults/main.yml b/roles/prometheus/defaults/main.yml deleted file mode 100644 index fbefe91..0000000 --- a/roles/prometheus/defaults/main.yml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -# Default Prometheus configuration sample -prometheus_configuration: - global: - scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute. - evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute. - # scrape_timeout is set to the global default (10s). - - # Attach these labels to any time series or alerts when communicating with - # external systems (federation, remote storage, Alertmanager). - external_labels: - monitor: 'example' - - # Alertmanager configuration - alerting: - alertmanagers: - - static_configs: - - targets: ['localhost:9093'] - - # Load rules once and periodically evaluate them according to the global 'evaluation_interval'. - rule_files: - # - "first_rules.yml" - # - "second_rules.yml" - - # A scrape configuration containing exactly one endpoint to scrape: - # Here it's Prometheus itself. - scrape_configs: - # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config. - - job_name: 'prometheus' - - # Override the global default and scrape targets from this job every 5 seconds. - scrape_interval: 5s - scrape_timeout: 5s - - # metrics_path defaults to '/metrics' - # scheme defaults to 'http'. - - static_configs: - - targets: ['localhost:9090'] - - - job_name: node - # If prometheus-node-exporter is installed, grab stats about the local - # machine by default. - static_configs: - - targets: ['localhost:9100'] diff --git a/roles/prometheus/handlers/main.yml b/roles/prometheus/handlers/main.yml deleted file mode 100644 index 2031275..0000000 --- a/roles/prometheus/handlers/main.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -- name: Reload the prometheus service - service: - name: prometheus - state: reloaded - tags: - - role::prometheus - -- name: Restart the prometheus service - service: - name: prometheus - state: restarted - tags: - - role::prometheus 
diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml deleted file mode 100644 index b1bb67a..0000000 --- a/roles/prometheus/tasks/main.yml +++ /dev/null @@ -1,33 +0,0 @@ ---- -- name: Install prometheus - package: - name: prometheus - state: present - tags: - - role::prometheus - -- name: Configure prometheus command line options - lineinfile: - path: /etc/default/prometheus - regexp: ^ARGS.* - line: ARGS="{{ prometheus_cmdline_options }}" - tags: - - role::prometheus - when: - - prometheus_cmdline_options is defined - notify: - - Restart the prometheus service - -- name: Configure prometheus - copy: - content: | - # Ansible managed - {{ prometheus_configuration | to_nice_yaml }} - dest: /etc/prometheus/prometheus.yml - owner: prometheus - group: prometheus - mode: "0400" - tags: - - role::prometheus - notify: - - Reload the prometheus service diff --git a/roles/ufw/tasks/main.yml b/roles/ufw/tasks/main.yml deleted file mode 100644 index 1204060..0000000 --- a/roles/ufw/tasks/main.yml +++ /dev/null @@ -1,37 +0,0 @@ -- name: Install UFW - apt: - update_cache: true - cache_valid_time: 3600 - pkg: - - ufw - tags: - - role::ufw - -- name: Allow OpenSSH - community.general.ufw: - rule: allow - name: OpenSSH - tags: - - role::ufw - -- name: Enable UFW and deny all traffic by default - community.general.ufw: - state: enabled - policy: deny - tags: - - role::ufw - -- name: Allow WireGuard - community.general.ufw: - rule: allow - proto: udp - port: "{{ wireguard_port }}" - comment: "Allow WireGuard" - tags: - - role::ufw - -- name: Apply service-specific rules - community.general.ufw: "{{ item }}" - with_items: "{{ rules }}" - tags: - - role::ufw diff --git a/roles/ufw/vars/main.yml b/roles/ufw/vars/main.yml deleted file mode 100644 index da156e5..0000000 --- a/roles/ufw/vars/main.yml +++ /dev/null @@ -1,6 +0,0 @@ -rules: - - comment: Allow internal traffic - interface: wg0 - direction: in - rule: allow - from_ip: 10.0.0.0/8 
diff --git a/roles/wireguard/defaults/main/vars.yml b/roles/wireguard/defaults/main/vars.yml deleted file mode 100644 index 10c80ae..0000000 --- a/roles/wireguard/defaults/main/vars.yml +++ /dev/null @@ -1,4 +0,0 @@ -extra_keys: - - name: Joe - pubkey: /dJ+tKXzxv7nrUleNlF+CGyq7OIVlqL8/9Sn8j+cEAc= - subnet: 10.0.1.0/24 diff --git a/roles/wireguard/handlers/main.yml b/roles/wireguard/handlers/main.yml deleted file mode 100644 index 86f6400..0000000 --- a/roles/wireguard/handlers/main.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: Reload wg-quick - service: - name: wg-quick@wg0 - state: reloaded diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml deleted file mode 100644 index 9dc92dd..0000000 --- a/roles/wireguard/tasks/main.yml +++ /dev/null 
@@ -1,72 +0,0 @@ -- name: Install WireGuard - apt: - update_cache: true - cache_valid_time: 3600 - pkg: - - wireguard - - wireguard-tools - - linux-headers-{{ ansible_kernel }} - tags: - - role::wireguard - -- name: Generate WireGuard private key - shell: set -o pipefail && wg genkey > /etc/wireguard/key.priv - args: - executable: /bin/bash - creates: /etc/wireguard/key.priv - tags: - - role::wireguard - -- name: Generate WireGuard public key - shell: set -o pipefail && cat /etc/wireguard/key.priv | wg pubkey > /etc/wireguard/key.pub - args: - executable: /bin/bash - creates: /etc/wireguard/key.pub - tags: - - role::wireguard - -- name: Ensure file permissions for keys set correctly - file: - path: '{{ item }}' - owner: root - group: root - mode: '0600' - with_items: - - /etc/wireguard/key.priv - - /etc/wireguard/key.pub - tags: - - role::wireguard - -- name: Fetch private key for all hosts - slurp: - src: /etc/wireguard/key.priv - register: wg_priv_key - tags: - - role::wireguard - -- name: Fetch public key for all hosts - slurp: - src: /etc/wireguard/key.pub - register: wg_pub_key - tags: - - role::wireguard - -- name: Generate WireGuard configuration file - template: - src: wg0.conf.j2 - dest: /etc/wireguard/wg0.conf - mode: '0600' - group: root - owner: root - notify: - - Reload wg-quick - tags: - - role::wireguard - -- name: Start and enable the WireGuard service - service: - name: wg-quick@wg0 - enabled: true - state: started - tags: - - role::wireguard diff --git a/roles/wireguard/templates/wg0.conf.j2 b/roles/wireguard/templates/wg0.conf.j2 deleted file mode 100644 index 647854a..0000000 --- a/roles/wireguard/templates/wg0.conf.j2 +++ /dev/null 
@@ -1,25 +0,0 @@ -# Configuration managed by Ansible -[Interface] -Address = {{ wireguard_subnet }} -ListenPort = {{ wireguard_port }} -PrivateKey = {{ wg_priv_key['content'] | b64decode | trim }} - -PostUp = ip route add local {{ wireguard_subnet }} dev eth0 - -{% for host in hostvars.keys() if not host == inventory_hostname %} -# Peer config for: {{ host }} -[Peer] -AllowedIPs = {{ hostvars[host]['wireguard_subnet'] }} -PublicKey = {{ hostvars[host]['wg_pub_key']['content'] | b64decode | trim }} -Endpoint = {{ host }}.box.pydis.wtf:{{ wireguard_port }} -PersistentKeepalive = 30 - -{% endfor %} - -{% for key in extra_keys %} -# DevOps config for: {{ key.name }} -[Peer] -AllowedIPs = {{ key.subnet }} -PublicKey = {{ key.pubkey }} - -{% endfor %} |