diff --git a/tasks/files/sshd_config b/tasks/files/sshd_config
index 5bacb890548c0bc4f46399d4426f7332b17f7b7c..be1872db862aac1bdbbc874645734ff258ce4130 100644
--- a/tasks/files/sshd_config
+++ b/tasks/files/sshd_config
@@ -4,7 +4,7 @@ # This file is managed by Ansible # # Manual edition will be overridden # # #
-# https://lab.frogg.it/fcode/ansible/debian #
+# https://lab.frogg.it/freezed/ansible-debian #
 # # # ############################################# #
diff --git a/tasks/system_cfg/backup_dest.yml b/tasks/system_cfg/backup_dest.yml
new file mode 100644
index 0000000000000000000000000000000000000000..14a15a8448c37a061c78a32d10b07b66c4f9661a
--- /dev/null
+++ b/tasks/system_cfg/backup_dest.yml
@@ -0,0 +1,67 @@
+---
+- name: "BACKUP | USER | set user «{{ backup_user }}»"
+ ansible.builtin.user:
+ groups: backup
+ name: "{{ backup_user }}"
+ shell: "{{ user_shell }}"
+ state: present
+ uid: 1001
+
+- name: "BACKUP | USER | ssh dir presence for «{{ backup_user }}»"
+ ansible.builtin.file:
+ group: "{{ backup_user }}"
+ mode: 0740
+ owner: "{{ backup_user }}"
+ path: "/home/{{ backup_user }}/.ssh/"
+ state: directory
+
+- name: "BACKUP | USER | ssh config for «{{ backup_user }}»"
+ ansible.builtin.template:
+ dest: "/home/{{ backup_user }}/.ssh/config"
+ group: "{{ backup_user }}"
+ mode: 0640
+ owner: "{{ backup_user }}"
+ src: templates/ssh_config_backup.j2
+
+- name: BACKUP | ZFS | parent destination dataset
+ when: inventory_hostname in groups.zfs
+ community.general.zfs:
+ name: zp0/bkp
+ state: present
+ extra_zfs_properties:
+ mountpoint: none
+ compression: lz4
+
+- name: "BACKUP | ZFS | allow commands for «{{ backup_user }}»"
+ community.general.zfs_delegate_admin:
+ name: zp0/bkp
+ users: "{{ backup_user }}"
+ permissions: receive,hold,release
+
+- name: BACKUP | ZFS | children destination datasets (production)
+ when: inventory_hostname in groups.zfs
+ loop: "{{ groups['production'] }}"
+ community.general.zfs:
+ name: "zp0/bkp/{{ hostvars[item]['inventory_hostname'] }}"
+ state: present
+ extra_zfs_properties:
+ "autobackup:bkp_{{ hostvars[item]['inventory_hostname'] }}": true
+ "autobackup:prod_policy": true
+ mountpoint: "/home/{{ backup_user }}/repo/{{ hostvars[item]['inventory_hostname'] }}"
+ sharenfs: "ro={{ hostvars[item]['ansible_host'] }}"
+ "src:fqdn": "{{ hostvars[item]['inventory_fqdn' ]}}"
+ "src:ip": "{{ hostvars[item]['ansible_host'] }}"
+
+- name: BACKUP | ZFS | children destination datasets (station)
+ when: inventory_hostname in groups.zfs
+ loop: "{{ groups['station'] }}"
+ community.general.zfs:
+ name: "zp0/bkp/{{hostvars[item]['inventory_hostname']}}"
+ state: present
+ extra_zfs_properties:
+ "autobackup:bkp_{{ 
hostvars[item]['inventory_hostname'] }}": true
+ "autobackup:stat_policy": true
+ mountpoint: "/home/{{ backup_user }}/repo/{{ hostvars[item]['inventory_hostname'] }}"
+ sharenfs: "ro={{ gateway }}"
+ "src:fqdn": "{{ hostvars[item]['inventory_fqdn' ]}}"
+ "src:ip": "{{ hostvars[item]['ansible_host'] }}"
diff --git a/tasks/system_cfg/backup_tools.yml b/tasks/system_cfg/backup_tools.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ee910e632014cac8d5c070490bb9c2db8e27345e
--- /dev/null
+++ b/tasks/system_cfg/backup_tools.yml
@@ -0,0 +1,30 @@
+---
+- name: BACKUP | BORG | install packages
+ when: inventory_hostname not in groups.zfs
+ ansible.builtin.apt:
+ cache_valid_time: 3600
+ force_apt_get: true
+ pkg:
+ - borgbackup
+ - borgmatic
+ state: present
+ update_cache: true
+
+- name: BACKUP | ZAB | install zfs-autobackup package
+ when: inventory_hostname in groups.zfs
+ ansible.builtin.pip:
+ name: zfs-autobackup
+ virtualenv: /opt/zfs-autobackup
+ virtualenv_command: /usr/bin/python3 -m venv
+
+- name: BACKUP | ZAB | set zfs-autobackup command in PATH
+ when: inventory_hostname in groups.zfs
+ copy:
+ content: |
+ #!/bin/bash
+ . /opt/zfs-autobackup/bin/activate
+ zfs-autobackup "$@"
+ dest: /usr/local/bin/zfs-autobackup
+ owner: root
+ group: root
+ mode: "0755"
diff --git a/tasks/system_cfg/firewall.yml b/tasks/system_cfg/firewall.yml
index ea26c82c7d96bbd74396eb3e1734c6d98f892c8a..c3b5576067204ca0a9d8ada41f3e5cfe5f130afa 100644
--- a/tasks/system_cfg/firewall.yml
+++ b/tasks/system_cfg/firewall.yml
@@ -2,7 +2,7 @@ - name: FIREWALL | install packages ansible.builtin.apt: cache_valid_time: 3600
- force_apt_get: yes
+ force_apt_get: true
 pkg: - fail2ban - ufw
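Review bot: The template task's `src: templates/ssh_config_backup.j2` names a file that does not exist in this commit — the template added here is `tasks/system_cfg/templates/ssh-config_backup.j2` (hyphen, not underscore) — so the «ssh config» task fails on every backup host; rename one side to match. The zfs_delegate_admin task is the only ZFS task without `when: inventory_hostname in groups.zfs`, so a backup host outside that group hits a missing `zfs` binary there and the import aborts; add the same guard. `mode: 0740` and `mode: 0640` are unquoted octal while backup_tools.yml writes `mode: "0755"`; quote them so the value reaches the module as a string rather than a YAML integer. The ZFS user properties given as bare `true` arrive in the module as a Python bool and are likely stringified as `True`; writing `"true"` keeps the literal zfs-autobackup compares against, which is worth confirming against the module. `sharenfs: "ro=…"` exports each received dataset on the strength of the source's IP alone, which is fine on a trusted segment but is the only access control on that data and deserves a comment saying so.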
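Review bot: `ansible.builtin.pip` installs `zfs-autobackup` unpinned, so the tool that drives the backups changes silently whenever PyPI publishes a new release and two hosts provisioned a week apart can run different versions; pin it with `version: "<pinned-version>"` (placeholder) and bump deliberately. The last task uses the bare `copy:` name while every other task in the file is fully qualified — `ansible.builtin.copy:` keeps the file consistent and unambiguous under collection resolution. The wrapper sources the venv's `activate` only to call one entry point; `exec /opt/zfs-autobackup/bin/zfs-autobackup "$@"` does the same without mutating the shell environment and passes the exit status straight through.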
@@ -23,10 +23,30 @@ direction: outgoing policy: allow
+- name: UFW | allow local IPs on port 22 IN
+ when: inventory_hostname in groups.station
+ loop: "{{ groups['station'] }}"
+ community.general.ufw:
+ direction: in
+ port: '22'
+ proto: tcp
+ rule: allow
+ src: "{{hostvars[item]['ansible_host']}}"
+
+- name: "UFW | allow {{gateway}} IP on port 22 IN"
+ when: (inventory_hostname in groups.production) or
+ (inventory_hostname in groups.devel)
+ community.general.ufw:
+ direction: in
+ port: '22'
+ proto: tcp
+ rule: allow
+ src: "{{gateway}}"
+
 - name: UFW | limit tcp port 22 IN community.general.ufw: direction: in
- log: yes
+ log: true
 port: '22' proto: tcp rule: limit
@@ -39,6 +59,14 @@ port: '80' proto: tcp
+- name: UFW | allow tcp port 8006 IN
+ when: inventory_hostname in groups.pve
+ community.general.ufw:
+ direction: in
+ rule: allow
+ port: '8006'
+ proto: tcp
+
 - name: UFW | enable & set logging community.general.ufw: logging: low
diff --git a/tasks/system_cfg/font.yml b/tasks/system_cfg/font.yml
index 6de96ae3774d07ff88818f7670e57b144aa8a0a3..00f7620c7fcd640b31cceb0bfc4980d88f229d7c 100644
--- a/tasks/system_cfg/font.yml
+++ b/tasks/system_cfg/font.yml
@@ -5,7 +5,7 @@ ansible.builtin.find: path: "/usr/local/share/fonts/" patterns: "JetBrainsMono*"
- recurse: yes
+ recurse: true
 register: font_presence - name: FONT | install JetBrainsMono font
@@ -13,5 +13,5 @@ (font_presence.matched < 50) ansible.builtin.unarchive: dest: "/usr/local/share/"
- remote_src: yes
+ remote_src: true
 src: https://download.jetbrains.com/fonts/JetBrainsMono-2.242.zip
diff --git a/tasks/system_cfg/ldp.yml b/tasks/system_cfg/ldp.yml
index baa1e8a7817e8de56ea1b13e5916ff8951896ed6..362dc693c3793bf4b322b6e1f5f5fbe4fbd76b9a 100644
--- a/tasks/system_cfg/ldp.yml
+++ b/tasks/system_cfg/ldp.yml
@@ -2,7 +2,7 @@ - name: LDP | install packages ansible.builtin.apt: cache_valid_time: 3600
- force_apt_get: yes
+ force_apt_get: true
 pkg: - syslog-ng - ca-certificates
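Review bot: The two new per-source `allow` rules for port 22 are appended wherever ufw happens to put them, and ufw matches top-down, so on a host that already received the `limit` rule from an earlier run the allows land below it and the limit keeps applying to the station and gateway addresses; only a freshly provisioned host gets the order this file suggests. Make the position explicit with the module's `insert` (and `insert_relative_to` if needed) on both new rules, e.g. `insert: 1`, so the result is the same on every host. A smaller point: `{{gateway}}` and `{{hostvars[item]['ansible_host']}}` drop the inner spaces used everywhere else in the file (`{{ gateway }}`).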
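Review bot: The new port 8006 rule carries no `src`, so the service behind it (Proxmox VE's web UI, judging by the `pve` group) is reachable from any address, whereas the port-22 rules added in the same file are scoped to the station hosts and the gateway. Unless pve hosts sit on a network that is only reachable from trusted addresses, scope this rule the same way — a `loop` over `groups['station']` with `src: "{{ hostvars[item]['ansible_host'] }}"`, or `src: "{{ gateway }}"` — and keep the wide-open form only with a comment explaining why it is acceptable.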
@@ -20,5 +20,5 @@ - name: LDP | restart syslog-ng deamon ansible.builtin.systemd: state: restarted
- daemon_reload: yes
+ daemon_reload: true
 name: syslog-ng
diff --git a/tasks/system_cfg/main.yml b/tasks/system_cfg/main.yml
index 2169f10af6920a7e3943c89412cd68eb293ae4ad..e2a0786c75abbcd9d00979d40b82292d49a3813a 100644
--- a/tasks/system_cfg/main.yml
+++ b/tasks/system_cfg/main.yml
@@ -6,17 +6,24 @@ tasks:
- - name: IMPORT_TASKS | firewall
- ansible.builtin.import_tasks: firewall.yml
+ - name: HOSTNAME | setup
+ ansible.builtin.hostname:
+ name: "{{ inventory_hostname }}"
- - name: IMPORT_TASKS | font
- ansible.builtin.import_tasks: font.yml
+ - name: HOSTS | setup
+ ansible.builtin.template:
+ dest: "/etc/hosts"
+ src: templates/etc-hosts.j2
+ backup: true
+ mode: 0640
- - name: IMPORT_TASKS | ldp
- ansible.builtin.import_tasks: ldp.yml
+ - name: ANSIBLE | re-gather facts
+ ansible.builtin.setup:
- - name: IMPORT_TASKS | ntp
- ansible.builtin.import_tasks: ntp.yml
+ - name: IMPORT_TASKS | backup destination
+ when: inventory_hostname in groups.backup
+ ansible.builtin.import_tasks: backup_dest.yml
- - name: IMPORT_TASKS | shell
- ansible.builtin.import_tasks: shell.yml
+ - name: IMPORT_TASKS | backup tools
+ when: inventory_hostname not in groups.production
+ ansible.builtin.import_tasks: backup_tools.yml
diff --git a/tasks/system_cfg/shell.yml b/tasks/system_cfg/shell.yml
deleted file mode 100644
index 0f39c034ed4de16dda7c2a770e77043002c2a808..0000000000000000000000000000000000000000
--- a/tasks/system_cfg/shell.yml
+++ /dev/null
@@ -1,7 +0,0 @@ ---- - - name: "SHELL | set zsh for {{ my_user }}" - ansible.builtin.user: - name: "{{ my_user }}" - shell: /bin/zsh - state: present
diff --git a/tasks/system_cfg/templates/etc-hosts.j2 b/tasks/system_cfg/templates/etc-hosts.j2
new file mode 100644
index 0000000000000000000000000000000000000000..17ee16dd4595888b8da7a6dbe3b0a86056cbbc48
--- /dev/null
+++ b/tasks/system_cfg/templates/etc-hosts.j2
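Review bot: `mode: 0640` on `/etc/hosts` makes it unreadable for anything not running as root (or in the file's group, presumably root:root since the task sets no owner), and the NSS `files` backend reads it as the calling user, so the entries the new template renders stop resolving for unprivileged daemons and users; the conventional mode is world-readable, `mode: "0644"` (quoted, as unquoted octal is parsed as an integer). The hunk also drops the imports of firewall.yml, font.yml, ldp.yml and ntp.yml and nothing else in this diff adds them back, even though firewall.yml, font.yml and ldp.yml are still edited in the same commit; if they now run from another play that is fine, otherwise those tasks are no longer applied and the commit should say which. Placing `HOSTNAME | setup` before `HOSTS | setup` and then re-gathering facts is the right order, and `backup: true` on the template keeps the previous hosts file, which softens the first point on already-provisioned hosts. The play header above `tasks:` is outside the hunk.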
@@ -0,0 +1,36 @@
+#jinja2:lstrip_blocks: True
+# ############################################# #
+# This file is managed by Ansible #
+# Manual edition will be overridden #
+# https://lab.frogg.it/freezed/ansible-debian #
+# ############################################# #
+
+127.0.0.1 localhost
+127.0.1.1 {{ inventory_fqdn }} {{ inventory_hostname }}
+{{ ansible_host }} {{ inventory_fqdn }} {{ inventory_hostname }}
+
+{% if inventory_hostname in groups['station'] or inventory_hostname in groups['backup'] %}
+# WAN
+ {% for host in groups['production'] %}
+{{ hostvars[host]['ansible_host'] }} {{ hostvars[host]['inventory_fqdn'] }} {{ host }}
+ {% endfor %}
+{% endif %}
+
+{% if inventory_hostname in groups['station'] or inventory_hostname in groups['production'] %}
+# BKP
+ {% for host in groups['backup'] %}
+{{ hostvars[host]['ansible_host'] }} {{ hostvars[host]['inventory_fqdn'] }} {{ host }}
+ {% endfor %}
+{% endif %}
+
+{% if inventory_hostname in groups['station'] %}
+# DEV
+ {% for host in groups['devel'] %}
+{{ hostvars[host]['ansible_host'] }} {{ hostvars[host]['inventory_fqdn'] }} {{ host }}
+ {% endfor %}
+
+# LOCAL
+ {% for host in groups['station'] %}
+{{ hostvars[host]['ansible_host'] }} {{ hostvars[host]['inventory_fqdn'] }} {{ host }}
+ {% endfor %}
+{% endif %}
diff --git a/tasks/system_cfg/templates/ntpd.conf.j2 b/tasks/system_cfg/templates/ntpd.conf.j2
index f9c6a26f74e4d459ae31f535134f3d1e447accfd..37c2f70c1eca517711cf872952505e3b7d798692 100644
--- a/tasks/system_cfg/templates/ntpd.conf.j2
+++ b/tasks/system_cfg/templates/ntpd.conf.j2
@@ -5,7 +5,7 @@ # This file is managed by Ansible # # Manual edition will be overridden # # #
-# https://lab.frogg.it/fcode/ansible/debian #
+# https://lab.frogg.it/freezed/ansible-debian #
 # # # ############################################# #
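Review bot: The template rewrites `/etc/hosts` in full but carries none of the IPv6 loopback entries Debian ships by default (`::1 localhost ip6-localhost ip6-loopback`, `ff02::1 ip6-allnodes`, `ff02::2 ip6-allrouters`), so once it is applied `localhost` no longer resolves over IPv6 and anything that tries `::1` first has to fall back or fails; add those lines after `127.0.0.1 localhost`. Every rendered entry puts `hostvars[host]['ansible_host']` in the address column with no check that it is an IP literal, so an inventory host whose `ansible_host` is a DNS name yields a line the resolver cannot parse — worth stating as a template comment, `{# ansible_host must be an IP literal for every host rendered here #}`, or guarding in the loop. On station hosts the `# LOCAL` loop also re-emits the host's own line (already written as line 10), which is harmless but can be skipped with `{% if host != inventory_hostname %}`.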
diff --git a/tasks/system_cfg/templates/ssh-config_backup.j2 b/tasks/system_cfg/templates/ssh-config_backup.j2
new file mode 100644
index 0000000000000000000000000000000000000000..82503850d3e33aac97af442d47f6e2487b768ec5
--- /dev/null
+++ b/tasks/system_cfg/templates/ssh-config_backup.j2
@@ -0,0 +1,14 @@
+#jinja2:lstrip_blocks: True
+# ############################################# #
+# This file is managed by Ansible #
+# Manual edition will be overridden #
+# https://lab.frogg.it/freezed/ansible-debian #
+# ############################################# #
+
+{% for host in groups['production'] %}
+Host {{ host }}
+ User {{ hostvars[host]['my_user'] }}
+ Hostname {{ hostvars[host]['ansible_host'] }}
+ Port {{ hostvars[host]['ansible_port'] }}
+
+{% endfor %}
diff --git a/tasks/user_cfg/files/dotfiles/gitconfig b/tasks/user_cfg/files/dotfiles/gitconfig
index 223dd52769c0be8f91c128b269988798ab170966..cd596e9f49f6a44722855a7eff48436e19bc87d4 100644
--- a/tasks/user_cfg/files/dotfiles/gitconfig
+++ b/tasks/user_cfg/files/dotfiles/gitconfig
@@ -4,7 +4,7 @@ # This file is managed by Ansible # # Manual edition will be overridden # # #
-# https://lab.frogg.it/fcode/ansible/debian #
+# https://lab.frogg.it/freezed/ansible-debian #
 # # # ############################################# #
diff --git a/tasks/user_cfg/files/dotfiles/vimrc b/tasks/user_cfg/files/dotfiles/vimrc
index a65bfe1ff3ded3fa108b1ca6f14145217fdfdc4a..086b5543282a8ba75dfa5b1c4046ed0322d74110 100644
--- a/tasks/user_cfg/files/dotfiles/vimrc
+++ b/tasks/user_cfg/files/dotfiles/vimrc
@@ -4,7 +4,7 @@ " This file is managed by Ansible " " Manual edition will be overridden " " "
-" https://lab.frogg.it/fcode/ansible/debian "
+" https://lab.frogg.it/freezed/ansible-debian "
 " http://formation-debian.via.ecp.fr/ " " " " """"""""""""""""""""""""""""""""""""""""""""" "
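Review bot: `Port {{ hostvars[host]['ansible_port'] }}` renders only if every production host sets `ansible_port` explicitly in inventory; for a host relying on the SSH default the variable is undefined and the whole template task fails. Use `Port {{ hostvars[host]['ansible_port'] | default(22) }}`, and treat `my_user` the same way if it is not guaranteed per host. As this is the backup user's client config for the hosts it pulls from, it is also the natural place to pin the key that account should present (`IdentityFile`) — only if that key is provisioned elsewhere in the role, which this diff does not show.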
@@ -98,4 +98,4 @@ set incsearch "set hlsearch " Décommentez la ligne suivante si vous voulez afficher les numéros de ligne
-"set number
+set number relativenumber
diff --git a/tasks/user_cfg/files/dotfiles/zlogin b/tasks/user_cfg/files/dotfiles/zlogin
index 7131f70acff2f283b54da5cfd5cb0fbedd031d26..fe6db75cb8e6b2eccff6afe8912654733f099ff3 100644
--- a/tasks/user_cfg/files/dotfiles/zlogin
+++ b/tasks/user_cfg/files/dotfiles/zlogin
@@ -4,7 +4,7 @@ # This file is managed by Ansible # # Manual edition will be overridden # # #
-# https://lab.frogg.it/fcode/ansible/debian #
+# https://lab.frogg.it/freezed/ansible-debian #
 # # # ############################################# #
diff --git a/tasks/user_cfg/files/dotfiles/zlogout b/tasks/user_cfg/files/dotfiles/zlogout
index b2b9439b107c6ea8bc01c5607c20ace7ab967bc1..d2323a0468270cb3f255d5b9b18ddb4057033288 100644
--- a/tasks/user_cfg/files/dotfiles/zlogout
+++ b/tasks/user_cfg/files/dotfiles/zlogout
@@ -4,7 +4,7 @@ # This file is managed by Ansible # # Manual edition will be overridden # # #
-# https://lab.frogg.it/fcode/ansible/debian #
+# https://lab.frogg.it/freezed/ansible-debian #
 # # # ############################################# #
diff --git a/tasks/user_cfg/files/dotfiles/zshenv b/tasks/user_cfg/files/dotfiles/zshenv
index 2bc3fe02e107337239027f833698f19fb6f306c9..d22f1b3f25cdcd27d7f9f4fb5af368542a7d5fb8 100644
--- a/tasks/user_cfg/files/dotfiles/zshenv
+++ b/tasks/user_cfg/files/dotfiles/zshenv
@@ -4,7 +4,7 @@ # This file is managed by Ansible # # Manual edition will be overridden # # #
-# https://lab.frogg.it/fcode/ansible/debian #
+# https://lab.frogg.it/freezed/ansible-debian #
 # # # ############################################# #
diff --git a/tasks/user_cfg/files/dotfiles/zshrc b/tasks/user_cfg/files/dotfiles/zshrc
index 735d779c1ce453e429b563f8df7cfb0075770de9..0a597e1d4f0960053aa0528f95413934bcaebad6 100644
--- a/tasks/user_cfg/files/dotfiles/zshrc
+++ b/tasks/user_cfg/files/dotfiles/zshrc
@@ -4,7 +4,7 @@ # This file is managed by Ansible # # Manual edition will be overridden # # #
-# https://lab.frogg.it/fcode/ansible/debian #
+# https://lab.frogg.it/freezed/ansible-debian #
 # from http://formation-debian.via.ecp.fr # # # # ############################################# #
diff --git a/tasks/user_cfg/templates/pruneconfig.j2 b/tasks/user_cfg/templates/pruneconfig.j2
index bea383e620ce7b7137bcdf5ce0765b211f011ef7..3bfdb5db32e22e069f566da0eb05ec8d3b658668 100644
--- a/tasks/user_cfg/templates/pruneconfig.j2
+++ b/tasks/user_cfg/templates/pruneconfig.j2
@@ -5,7 +5,7 @@ # This file is managed by Ansible # # Manual edition will be overridden # # #
-# https://lab.frogg.it/fcode/ansible/debian #
+# https://lab.frogg.it/freezed/ansible-debian #
 # # # ############################################# #
diff --git a/tasks/user_cfg/templates/ssh_config.j2 b/tasks/user_cfg/templates/ssh_config.j2
index 12a8ffda2f6f032540576865ab675c692e56e097..05e7661dc76eec06b75f1defb0dd7394e83890b0 100644
--- a/tasks/user_cfg/templates/ssh_config.j2
+++ b/tasks/user_cfg/templates/ssh_config.j2
@@ -6,7 +6,7 @@ # This file is managed by Ansible # # Manual edition will be overridden # # #
-# https://lab.frogg.it/fcode/ansible/debian #
+# https://lab.frogg.it/freezed/ansible-debian #
 # # # ############################################# #