Extend Ansible config

2023-09-15 21:49:19 +10:00 · 2023-09-15 21:49:19 +10:00 · bc4c5deec4
commit bc4c5deec4
parent 33e27a1e7a
4 changed files with 138 additions and 33 deletions
--- a/deploy/ansible/20auto-upgrades
+++ b/deploy/ansible/20auto-upgrades
@ -1,4 +0,0 @@
-APT::Periodic::Update-Package-Lists "1";
-APT::Periodic::Unattended-Upgrade "1";
-Unattended-Upgrade::Automatic-Reboot "true";
-Unattended-Upgrade::Automatic-Reboot-Time "02:00";
--- a/deploy/ansible/install.yml
+++ b/deploy/ansible/install.yml
@ -1,12 +1,10 @@
---
-# Run this with:
-#  ansible-playbook -i deploy/ansible/inventory.ini --become --ask-become-pass deploy/ansible/install.yml
-
-# Other useful commands:
-# ansible all -i [HOST], -u user -m ping
-# ansible all -i [HOST], -u user -a /bin/date
-# scp -3 -v [OLDHOST]:backup/backup.gz [HOST]:tmp/
+# Ansible playbook for basic web server configuration.
+#
+# Run with:
+# ANSIBLE_STDOUT_CALLBACK=debug ansible-playbook deploy/install.yml -i deploy/inventory.ini --verbose

+# Notes:
+#
 # /etc/apache2 uses OS defaults aside from "site-available", "sites-enabled" and
 # "conservancy.conf".
 #
@ -16,37 +14,84 @@
 # SQLite database lives at /var/lib/www/database.
 #
 # Disabled Rackspace CDN videos.
-#
-# No mail as yet.
-#
-# No etckeeper as yet.
-#
-# a2enmod ssl rewrite

 - name: Configure web server
   hosts: web
-   # remote_user:
-   # become_user:
-   # become_method:
-
+   become: true
+   vars:
+     ansible_ssh_pipelining: true
   tasks:
     - name: Install unattended upgrades
       apt:
         name: unattended-upgrades

-     - name: Configure unattended upgrades
+     - name: Configure unattended upgrades overrides
+       # See defaults in 50unattended-upgrades.
       copy:
-         src: 20auto-upgrades
         dest: /etc/apt/apt.conf.d/20auto-upgrades
+         content: |
+           APT::Periodic::Update-Package-Lists "1";
+           APT::Periodic::Unattended-Upgrade "1";
+           Unattended-Upgrade::Automatic-Reboot "true";
+           Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+           Unattended-Upgrade::Mail "root";
+
+     - name: Add extensive history logging
+       blockinfile:
+         path: /etc/bash.bashrc
+         block: |
+           # Write to history file immediately (rather than only when shell is
+           # closed). For setting history length see HISTSIZE and HISTFILESIZE in
+           # bash(1).
+           shopt -s histappend
+           PROMPT_COMMAND='history -a'
+           HISTSIZE=1000000
+           HISTFILESIZE=1000000
+         insertafter: EOF

     - name: Install Apache
       apt:
         name: apache2,libapache2-mod-wsgi-py3

+     - apache2_module:
+         state: present
+         name: ssl
+
+     - apache2_module:
+         state: present
+         name: rewrite
+
     - name: Install Postfix
       apt:
+         pkg:
+           - postfix
           # libsasl2-modules fixes "SASL authentication failure: No worthy mechs found"
-         name: postfix,libsasl2-modules,mailutils
+           - libsasl2-modules
+           - mailutils
+
+     # # Commented because you only want this on first run ever.
+     # - name: Add file for SMTP credentials
+     #   copy:
+     #     dest: /etc/postfix/sasl_passwd
+     #     content: |-
+     #       # After updating, run `sudo postmap hash:/etc/postfix/sasl_passwd`.
+     #       [mail.sfconservancy.org]:587 conference@sfconservancy.org:PASSWORD
+           
+     - name: Configure Postfix for relaying
+       copy:
+         src: postfix/main.cf
+         dest: /etc/postfix/main.cf
+       notify:
+         - restart postfix
+
+     - name: Alias mail to root
+       copy:
+         dest: /etc/aliases
+         content: |-
+           postmaster: root
+           root: sysadmin@sfconservancy.org, sysadmin@sturm.com.au
+       notify:
+         - restart postfix

     - name: Install Certbot
       apt:
@ -71,8 +116,8 @@
     - name: Disable SSH password authentication
       lineinfile:
         path: /etc/ssh/sshd_config
-         regexp: '^#?PasswordAuthentication '
         line: 'PasswordAuthentication no'
+         regexp: 'PasswordAuthentication '
       notify:
         - restart sshd

@ -88,6 +133,13 @@
         group: www-data
         mode: '0755'

+     - name: Git checkout
+       ansible.builtin.git:
+         repo: 'https://k.sfconservancy.org/website'
+         dest: /var/www/website
+         version: master
+         remote: upstream
+
     - name: Create the database directory
       file:
         path: /var/lib/www/database
@ -96,12 +148,6 @@
         group: www-data
         mode: '0755'

-     - name: Git checkout
-       ansible.builtin.git:
-         repo: 'https://k.sfconservancy.org/website'
-         dest: /var/www/website
-         version: master
-
     - name: Create static dir
       file:
         path: /var/www/website/conservancy/static
@ -110,6 +156,12 @@
         group: www-data
         mode: '0755'

+     - name: Install `netfilter-persistent` && `iptables-persistent` packages
+       apt:
+         pkg:
+           - iptables-persistent
+           - netfilter-persistent
+
     - name: Install iptables  # May need kernel reload/reboot
       apt:
         name: iptables,iptables-netflow-dkms
@ -225,3 +277,8 @@
       service:
         name: ssh
         state: reloaded
+
+     - name: restart postfix
+       service:
+         name: postfix
+         state: reloaded
--- a/deploy/ansible/inventory.ini
+++ b/deploy/ansible/inventory.ini
--- a/deploy/postfix/main.cf
+++ b/deploy/postfix/main.cf
@ -0,0 +1,52 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
+# fresh installs.
+compatibility_level = 3.6
+
+
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level=may
+
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_security_level=secure
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = hickory.sfconservancy.org
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = $myhostname, hickory, localhost
+relayhost = [mail.sfconservancy.org]:587
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = loopback-only
+inet_protocols = all
+
+# Relay authentication
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+smtp_sasl_security_options = noanonymous