[meta] lots of ansible updates

pull/37/head
Alpha Chen 3 years ago
parent bd555bb954
commit 849c769a65

@ -1,25 +1,53 @@
---
- hosts: beats-working
tasks:
- name: create user
user:
name: alpha
# password: "{{ password | password_hash('sha512') }}"
- name: give user sudo access
lineinfile:
path: /etc/sudoers.d/alpha
line: "alpha ALL=(ALL) NOPASSWD: ALL"
create: yes
validate: visudo -cf %s
- name: add ssh keys
authorized_key:
user: alpha
key: https://github.com/kejadlen.keys
- name: install dependencies
package:
name: "{{ item }}"
state: present
with_items:
- direnv
- git
- mosh
- zsh
- name: set shell to zxh
user:
name: alpha
shell: /usr/bin/zsh
- hosts: beats-working
pre_tasks:
- name: update dotfiles repo
git:
repo: https://github.com/kejadlen/dotfiles.git
dest: ~/.dotfiles
ignore_errors: yes
- import_playbook: playbooks/docker.yml
- hosts: beats-working
tasks:
- name install dependencies
package:
name: "{{ item }}"
state: present
with_items:
- mosh
- name: add user to docker group
user:
name: alpha
groups: [ docker ]
append: true
# - hosts: all
# tasks:
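Review bot: The first task of the third play, `- name install dependencies`, is missing the colon after `name`, so this playbook no longer parses (YAML reads `name install dependencies` as a plain scalar and then fails on the `package:` mapping that follows); it must be `- name: install dependencies`. The new task name `set shell to zxh` is a typo for `zsh`. The `lineinfile` that creates `/etc/sudoers.d/alpha` with `create: yes` leaves the file at the default mode; sudo expects drop-in files to be root-owned and `0440`, so add `mode: "0440"` next to the `validate: visudo -cf %s` (syntax-only) check. Note also that `authorized_key` pulls whatever keys are currently published at github.com/kejadlen.keys onto an account with `NOPASSWD: ALL` (and now `docker` group membership, which is root-equivalent on its own), so keys removed from GitHub stay authorized here unless the task sets `exclusive: true`.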

@ -143,20 +143,20 @@
- traefik.http.routers.minio.tls=true
- traefik.http.routers.minio.tls.certresolver=le
- traefik.http.services.minio.loadbalancer.server.port=9000
mitmproxy:
image: mitmproxy/mitmproxy:latest-ARMv7
container_name: mitmproxy
command: mitmweb --web-iface ""
volumes:
- /etc/mitmproxy:/home/mitmproxy/.mitmproxy
labels:
- traefik.enable=true
- traefik.tcp.routers.mitmproxy.rule=HostSNI(`{{ traefik.host_rules.mitmproxy }}`)
- traefik.tcp.routers.mitmproxy.tls.passthrough=true
- traefik.tcp.services.mitmproxy.loadbalancer.server.port=8080
- traefik.http.routers.mitmproxy-web.rule=Host(`{{ traefik.host_rules.mitmproxy_web }}`)
- traefik.http.routers.mitmproxy-web.tls.certresolver=le
- traefik.http.services.mitmproxy-web.loadbalancer.server.port=8081
# mitmproxy:
# image: mitmproxy/mitmproxy:latest-ARMv7
# container_name: mitmproxy
# command: mitmweb --web-iface ""
# volumes:
# - /etc/mitmproxy:/home/mitmproxy/.mitmproxy
# labels:
# - traefik.enable=true
# - traefik.tcp.routers.mitmproxy.rule=HostSNI(`{{ traefik.host_rules.mitmproxy }}`)
# - traefik.tcp.routers.mitmproxy.tls.passthrough=true
# - traefik.tcp.services.mitmproxy.loadbalancer.server.port=8080
# - traefik.http.routers.mitmproxy-web.rule=Host(`{{ traefik.host_rules.mitmproxy_web }}`)
# - traefik.http.routers.mitmproxy-web.tls.certresolver=le
# - traefik.http.services.mitmproxy-web.loadbalancer.server.port=8081
pihole:
image: pihole/pihole:latest
container_name: pihole
@ -229,9 +229,12 @@
block:
# - shell: ip -4 addr show docker0 | grep -Po 'inet \K[\d.]+' | head -n 1
- shell: docker network inspect on-fire-within_default | jq --raw-output .[0].IPAM.Config[0].Gateway
register: docker_ip_result
register: docker_gateway_result
- shell: docker network inspect on-fire-within_default | jq --raw-output .[0].IPAM.Config[0].Gateway
register: docker_subnet_result
- set_fact:
docker_ip: "{{ docker_ip_result.stdout | trim }}"
docker_gateway: "{{ docker_gateway_result.stdout | trim }}"
docker_subnet: "{{ docker_subnet_result.stdout | trim }}"
- copy:
content: |
[http.routers]
@ -244,9 +247,10 @@
[http.services]
[http.services.hassio.loadBalancer]
[[http.services.hassio.loadBalancer.servers]]
url = "http://{{ docker_ip }}:8123/"
url = "http://{{ docker_gateway }}:8123/"
dest: /etc/traefik/dynamic_conf.toml
mode: 0600
notify: Restart Traefik
handlers:
- name: Restart ddclient
@ -255,3 +259,14 @@
restart: yes
ignore_errors: yes
- name: Restart Traefik
docker_container:
name: traefik
restart: yes
ignore_errors: yes
- name: Restart Home Assistant
docker_container:
name: homeassistant
restart: yes
ignore_errors: yes
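Review bot: The second `docker network inspect` task, registered as `docker_subnet_result`, queries `.[0].IPAM.Config[0].Gateway`, the same jq path as the gateway lookup, so `docker_subnet` is set to the gateway address rather than the subnet; it should be `docker network inspect on-fire-within_default | jq --raw-output .[0].IPAM.Config[0].Subnet`. `mode: 0600` on the `dynamic_conf.toml` copy is an unquoted octal literal that YAML parsers may read as the integer 384; write `mode: "0600"`. All three restart handlers carry `ignore_errors: yes`, which hides a failed Traefik or Home Assistant restart from the play result; if the aim is only to tolerate a container that does not exist yet, a `failed_when` on that specific condition is narrower.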

@ -175,6 +175,12 @@
key: NSToolbarTitleViewRolloverDelay
type: float
value: 0
- # show the proxy icon and older titlebar
# https://twitter.com/chucker/status/1395843084383043584
domain: com.apple.Finder
key: NSWindowSupportsAutomaticInlineTitle
type: bool
value: false
- # set date format in menubar
domain: com.apple.menuextra.clock
@ -227,7 +233,7 @@
- domain: com.freron.MailMate
key: MmAllowedImageURLRegexp
type: string
value: https://((i|images)\.gr-assets\.com|www\.goodreads\.com|massdrop-s3\.imgix\.net|.*\.cloudfront\.net|s3\.amazonaws\.com|files\.convertkitcdn\.com/assets/pictures)/.*
value: https://((i|images|d)\.gr-assets\.com|www\.goodreads\.com|massdrop-s3\.imgix\.net|.*\.cloudfront\.net|s3\.amazonaws\.com|files\.convertkitcdn\.com/assets/pictures)/.*
- domain: com.freron.MailMate
key: MmSendMessageDelayEnabled
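Review bot: The updated `MmAllowedImageURLRegexp` still contains the alternatives `.*\.cloudfront\.net` and `s3\.amazonaws\.com`, which any sender can host content on, so the allowlist does not actually stop remote-image tracking pixels from arbitrary senders; if the intent is to limit remote loads to a few trusted senders, narrow those two to the specific distributions or bucket paths used (as is already done for `files\.convertkitcdn\.com/assets/pictures`). The pattern is also unanchored; whether MailMate requires a full match or a search is not visible here, so confirm that before relying on the leading `https://`.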

@ -40,6 +40,7 @@
- reattach-to-user-namespace
- ripgrep
- ruby-install
- svn # required for font-source-code-pro
- syncthing
- tmux
- tree
@ -72,11 +73,13 @@
- 1password-cli
- acorn
- alfred
- anki
- arq
- bartender
- bitbar
- daisydisk
- dash
- discord
- encryptme
- fantastical
- firefox-developer-edition
@ -101,17 +104,26 @@
- transmit
- twitterrific
- vlc
- zoomus
- homebrew/cask-drivers/logitech-options
- zoom
- name: fix QuickLook generators
command: xattr -cr ~/Library/QuickLook/{{ item }}.qlgenerator
with_items:
- QLMarkdown
- QLStephen
notify: Reset QuickLook
- name: install from app store
command: /usr/local/bin/mas install {{ item }}
with_items:
- 1028916583 # iPulse
# - 1225570693 # Ulysses
# - 451907568 # Paprika Recipe Manager
# - 497799835 # Xcode
# - 585829637 # Todoist
# - 880001334 # Reeder 3
- 1449412482 # Reeder 4
- 1529448980 # Reeder 5
- 1522267256 # Shareful
- 904280696 # Things 3
handlers:
- name: Reset QuickLook
block:
- command: qlmanage -r
- command: qlmanage -r cache
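Review bot: `xattr -cr ~/Library/QuickLook/{{ item }}.qlgenerator` clears every extended attribute on the bundle, including `com.apple.quarantine`, which is what allows a downloaded unsigned QuickLook generator to load; that is a deliberate Gatekeeper bypass for those two plugins and should say so, e.g. `# clears com.apple.quarantine so these unsigned plugins load; only for bundles from a trusted source`. Both `command` tasks are also non-idempotent: the xattr task reports changed and fires the `Reset QuickLook` handler on every run, and `mas install` is re-invoked for every id each run, so add `changed_when: false` to the xattr task (or gate it on a `stat` of the bundle) and a `creates:` path or `mas list` check to the App Store task. `/usr/local/bin/mas` is the Intel Homebrew prefix; on Apple Silicon the binary is under `/opt/homebrew/bin`, so calling plain `mas` is more portable.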

@ -15,12 +15,33 @@
- name: Install Webster's 1913 dictionary
block:
- copy:
src: ~/.dotfiles/osx/websters-1913.dictionary
src: ~/.dotfiles/osx/websters-1913.dictionary/
dest: ~/Library/Dictionaries/websters-1913.dictionary
- command: >
/usr/libexec/PlistBuddy
-c "Add :DCSActiveDictionaries:0 string /Users/alpha/Library/Containers/com.apple.Dictionary/Data/Library/Dictionaries/websters-1913.dictionary"
~/Library/Preferences/com.apple.DictionaryServices.plist
# This worked in earlier versions of MacOS, but not in Big Sur?
# The plist now looks like this:
#
#
# /usr/libexec/PlistBuddy -c "Print" ~/Library/Preferences/com.apple.DictionaryServices.plist
# Dict {
# DCSActiveDictionaries = Array {
# /Users/alpha/Library/Containers/com.apple.Dictionary/Data/Library/Dictionaries/websters-1913.dictionary
# com.apple.dictionary.NOAD
# com.apple.dictionary.OAWT
# com.apple.dictionary.AppleDictionary
# /System/Library/Frameworks/CoreServices.framework/Frameworks/DictionaryServices.framework/Resources/Wikipedia.wikipediadictionary
# }
# DCSPreferenceVersion = 7
# DCSLastUsedAssetCompatibilityVersion = 10
# }
#
# - shell: /usr/libexec/PlistBuddy -c "Print :DCSActiveDictionaries:0" ~/Library/Preferences/com.apple.DictionaryServices.plist
# register: websters_1913_result
# - command: >
# /usr/libexec/PlistBuddy
# -c "Add :DCSActiveDictionaries:0 string /Users/alpha/Library/Containers/com.apple.Dictionary/Data/Library/Dictionaries/websters-1913.dictionary"
# ~/Library/Preferences/com.apple.DictionaryServices.plist
# when: websters_1913_result is failed
- name: Enable Touch ID for sudo
become: yes
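Review bot: The PlistBuddy step is left as a commented-out block with an open question (`but not in Big Sur?`) rather than a resolved task, and it hard-codes `/Users/alpha` where `{{ ansible_env.HOME }}` would match the `~/` used elsewhere in this file; either drop the dead block or finish the guarded form it was heading towards: a `shell` `Print :DCSActiveDictionaries:0` with `failed_when: false` and `changed_when: false`, then the `Add` only `when: websters_1913_result.rc != 0`. The trailing slash added to `src:` on the `copy` task is correct for copying the bundle's contents into the existing destination directory. The `Enable Touch ID for sudo` task at the end of the hunk continues outside it.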

@ -32,6 +32,7 @@
- DB_HOST=db
- DB_USERNAME=monica
- DB_PASSWORD={{ monica_db_password }}
- MAIL_MAILER=smtp
- MAIL_HOST={{ sendgrid_mail_host }}
- MAIL_PORT={{ sendgrid_mail_port }}
- MAIL_USERNAME={{ sendgrid_mail_username }}
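Review bot: `MAIL_MAILER=smtp` is added but no `MAIL_ENCRYPTION` appears among the visible environment lines; if it is not set further down, confirm that the session to `{{ sendgrid_mail_host }}` is TLS (Laravel's behaviour depends on port and config), since the SendGrid username and password would otherwise be sent in the clear. Passing those credentials and `DB_PASSWORD` as container environment also exposes them to anyone who can run `docker inspect`; a Docker secret or an env_file with restrictive mode is the usual alternative. The environment list starts before this hunk and continues after it.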

@ -137,6 +137,7 @@
- { regexp: "^MAIL_FROM_ADDRESS=", line: "MAIL_FROM_ADDRESS={{ pixelfed_mail_from_address }}" }
- { regexp: "^ACTIVITY_PUB=", line: "ACTIVITY_PUB=true" }
- { regexp: "^AP_REMOTE_FOLLOW=", line: "AP_REMOTE_FOLLOW=true" }
- { regexp: "^OPEN_REGISTRATION=", line: "OPEN_REGISTRATION=false" }
notify: Clear Pixelfed cache
- command: php artisan {{ item }}
@ -152,6 +153,22 @@
- horizon:install
- horizon:publish
# https://docs.pixelfed.org/technical-documentation/api-v1.html#authorization
- lineinfile:
path: /usr/share/pixelfed/.env
regexp: "^OAUTH_ENABLED="
line: "OAUTH_ENABLED=true"
# Should probably be a handler - hopefully they're idempotent
- command: php artisan {{ item }}
args:
chdir: /usr/share/pixelfed
loop:
- passport:keys
- config:cache
- route:cache
- view:cache
- passport:client --personal
handlers:
- name: Clear Pixelfed cache
command: php artisan config:cache
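Review bot: The new `php artisan` loop is not idempotent, as the `hopefully they're idempotent` comment already suspects: `passport:keys` refuses to overwrite existing keys on a second run (and may exit non-zero, failing the play), and `passport:client --personal` creates an additional personal-access client every time. Split the two Passport commands out of the cache loop and guard them, e.g. `args: { chdir: /usr/share/pixelfed, creates: /usr/share/pixelfed/storage/oauth-private.key }` for `passport:keys` (that is Passport's default key path; confirm it for Pixelfed) and an existence check with `changed_when` for the personal client; the generated private key should also end up owned by the web user with mode `0600`. The `config:cache`/`route:cache`/`view:cache` calls belong with the `Clear Pixelfed cache` handler that already runs `config:cache`. That handler starts at the end of this hunk and may continue outside it.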

@ -0,0 +1,119 @@
# https://docs.pleroma.social/backend/installation/otp_en/
---
- hosts: pleroma
become: yes
tasks:
# arch="$(uname -m)";if [ "$arch" = "x86_64" ];then arch="amd64";elif [ "$arch" = "armv7l" ];then arch="arm";elif [ "$arch" = "aarch64" ];then arch="arm64";else echo "Unsupported arch: $arch">&2;fi;if getconf GNU_LIBC_VERSION>/dev/null;then libc_postfix="";elif [ "$(ldd 2>&1|head -c 9)" = "musl libc" ];then libc_postfix="-musl";elif [ "$(find /lib/libc.musl*|wc -l)" ];then libc_postfix="-musl";else echo "Unsupported libc">&2;fi;echo "$arch$libc_postfix"
- shell: |
arch="$(uname -m)"
if [ "$arch" = "x86_64" ]; then
arch="amd64";
elif [ "$arch" = "armv7l" ]; then
arch="arm";
elif [ "$arch" = "aarch64" ]; then
arch="arm64";
else
echo "Unsupported arch: $arch">&2;
fi;
if getconf GNU_LIBC_VERSION>/dev/null; then
libc_postfix="";
elif [ "$(ldd 2>&1|head -c 9)" = "musl libc" ]; then
libc_postfix="-musl";
elif [ "$(find /lib/libc.musl*|wc -l)" ]; then
libc_postfix="-musl";
else
echo "Unsupported libc">&2;
fi;
echo "$arch$libc_postfix"
register: arch_result
- set_fact:
pleroma_flavour: "{{ arch_result.stdout | trim }}"
- apt:
update_cache: yes
# apt install curl unzip libncurses5 postgresql postgresql-contrib nginx certbot libmagic-dev
# apt install imagemagick ffmpeg libimage-exiftool-perl
# apt install postgresql-11-rum
- package:
name:
- curl
- unzip
- libncurses5
- postgresql
- postgresql-contrib
- nginx
- certbot
- libmagic-dev
- imagemagick
- ffmpeg
- libimage-exiftool-perl
- postgresql-11-rum
notify:
- Restart postgres
# Create a Pleroma user
# adduser --system --shell /bin/false --home /opt/pleroma pleroma
- user:
name: pleroma
home: /opt/pleroma
shell: /bin/false
system: yes
# Clone the release build into a temporary directory and unpack it
# su pleroma -s $SHELL -lc "
# curl 'https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job=$FLAVOUR' -o /tmp/pleroma.zip
# unzip /tmp/pleroma.zip -d /tmp/
# "
- get_url:
url: https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job={{ pleroma_flavour }}
dest: /tmp/pleroma.zip
- command: unzip /tmp/pleroma.zip -d /tmp/
# Move the release to the home directory and delete temporary files
# su pleroma -s $SHELL -lc "
# mv /tmp/release/* /opt/pleroma
# rmdir /tmp/release
# rm /tmp/pleroma.zip
# "
- copy:
src: /tmp/release/
dest: /opt/pleroma/
remote_src: yes
owner: pleroma
- file:
path: "{{ item }}"
state: absent
loop:
- /tmp/release
- /tmp/pleroma.zip
# Create uploads directory and set proper permissions (skip if planning to use a remote uploader)
# Note: It does not have to be `/var/lib/pleroma/uploads`, the config generator will ask about the upload directory later
# mkdir -p /var/lib/pleroma/uploads
# chown -R pleroma /var/lib/pleroma
# Create custom public files directory (custom emojis, frontend bundle overrides, robots.txt, etc.)
# Note: It does not have to be `/var/lib/pleroma/static`, the config generator will ask about the custom public files directory later
# mkdir -p /var/lib/pleroma/static
# chown -R pleroma /var/lib/pleroma
# Create a config directory
# mkdir -p /etc/pleroma
# chown -R pleroma /etc/pleroma
- file:
path: "{{ item }}"
state: directory
owner: pleroma
loop:
- /var/lib/pleroma/uploads
- /var/lib/pleroma/static
- /etc/pleroma
handlers:
- name: Restart postgres
service:
name: postgresql
state: restarted
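Review bot: The arch-detection `shell` task only echoes `Unsupported arch`/`Unsupported libc` to stderr and then carries on, so on an unsupported host `arch_result` succeeds with an empty or `-musl`-only stdout and the `get_url` task requests a nonexistent `job=` artifact instead of failing early; each of those branches needs `exit 1`, and `[ "$(find /lib/libc.musl*|wc -l)" ]` is always true because `0` is a non-empty string, so compare with `-gt 0`. The release is downloaded from a CI job artifact with no `checksum:` and unzipped into the shared `/tmp` as root, where `/tmp/release` could be pre-created by another local user before the play runs; use a root-owned directory from the `tempfile` module (and the `unarchive` module, with a checksum if Pleroma publishes one) and pin a release tag rather than `stable`. `/etc/pleroma` will hold `config.exs` with the database password, so give that directory an explicit `mode: "0750"` rather than the default. `postgresql-11-rum` is pinned to PostgreSQL 11 while `postgresql` is unversioned, which breaks on newer Debian releases.
```yaml
- shell: |
    set -eu
    arch="$(uname -m)"
    # … unchanged: x86_64 / armv7l / aarch64 mapping …
    else
      echo "Unsupported arch: $arch" >&2; exit 1
    fi
    # … unchanged: glibc and ldd musl checks …
    elif [ "$(find /lib/libc.musl* 2>/dev/null | wc -l)" -gt 0 ]; then
      libc_postfix="-musl"
    else
      echo "Unsupported libc" >&2; exit 1
    fi
    echo "$arch$libc_postfix"
  register: arch_result
```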

@ -0,0 +1,31 @@
# https://docs.pleroma.social/backend/installation/otp_en/
---
- hosts: pleroma
become: yes
tasks:
# Create the postgres database
# su postgres -s $SHELL -lc "psql -f /tmp/setup_db.psql"
- command: psql -f /tmp/setup_db.psql
become_user: postgres
# Create the database schema
# su pleroma -s $SHELL -lc "./bin/pleroma_ctl migrate"
- command: ./bin/pleroma_ctl migrate
args:
chdir: /opt/pleroma
become_user: pleroma
# If you have installed RUM indexes uncommend and run
# su pleroma -s $SHELL -lc "./bin/pleroma_ctl migrate --migrations-path priv/repo/optional_migrations/rum_indexing/"
- command: ./bin/pleroma_ctl migrate --migrations-path priv/repo/optional_migrations/rum_indexing/
args:
chdir: /opt/pleroma
become_user: pleroma
handlers:
- name: Restart postgres
service:
name: postgresql
state: restarted
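Review bot: `psql -f /tmp/setup_db.psql` executes a script from world-writable `/tmp` as the `postgres` superuser; the file comes from the manual `pleroma_ctl instance gen --output-psql /tmp/setup_db.psql` step, presumably contains the generated database role and password, and can be replaced by any local user between generation and this play. Write it to a root-owned location such as `/etc/pleroma/setup_db.psql` (readable only by root and postgres) and remove it with `file: state: absent` once applied. The task is also not re-runnable, since `CREATE USER`/`CREATE DATABASE` fail on a second run, so guard it with `creates:` on a marker file or a `failed_when` on that specific error, and give the two `pleroma_ctl migrate` tasks a `changed_when` so they do not report changed every run. The `Restart postgres` handler is never notified in this play and can be dropped.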

@ -0,0 +1,62 @@
# https://docs.pleroma.social/backend/installation/otp_en/
---
- hosts: pleroma
become: yes
tasks:
# cp /opt/pleroma/installation/pleroma.nginx /etc/nginx/sites-available/pleroma.conf
# ln -s /etc/nginx/sites-available/pleroma.conf /etc/nginx/sites-enabled/pleroma.conf
- copy:
src: /opt/pleroma/installation/pleroma.nginx
dest: /etc/nginx/sites-available/pleroma.conf
remote_src: yes
notify: Restart nginx
- file:
src: /etc/nginx/sites-available/pleroma.conf
dest: /etc/nginx/sites-enabled/pleroma.conf
state: link
notify: Restart nginx
- replace:
path: /etc/nginx/sites-available/pleroma.conf
regexp: 'example\.tld'
replace: "{{ pleroma_tld }}"
notify: Restart nginx
# Copy the service into a proper directory
# cp /opt/pleroma/installation/pleroma.service /etc/systemd/system/pleroma.service
- copy:
src: /opt/pleroma/installation/pleroma.service
dest: /etc/systemd/system/pleroma.service
remote_src: yes
# Start pleroma and enable it on boot
# systemctl start pleroma
# systemctl enable pleroma
notify: Restart pleroma
# Create the directory for webroot challenges
# mkdir -p /var/lib/letsencrypt
- file:
path: /var/lib/letsencrypt
state: directory
# Add it to the daily cron
# echo '#!/bin/sh
# certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --post-hook "systemctl reload nginx"
# ' > /etc/cron.daily/renew-pleroma-cert
# chmod +x /etc/cron.daily/renew-pleroma-cert
- template:
src: renew-pleroma-cert
dest: /etc/cron.daily/renew-pleroma-cert
mode: +x
handlers:
- name: Restart nginx
service:
name: nginx
state: restarted
- name: Restart pleroma
service:
name: pleroma
enabled: yes
state: restarted
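Review bot: The `copy` of `/opt/pleroma/installation/pleroma.nginx` to `sites-available/pleroma.conf` runs on every play, and because the `replace` task afterwards changes the file, each run copies the stock file again (reverting `{{ pleroma_tld }}` to `example.tld` until the replace re-applies it), restarts nginx every time, and — more importantly — overwrites the manual "uncomment the webroot method" edit the README asks for, which silently breaks certbot renewals; add `force: false` to that copy so it only seeds the file when absent (same for the `pleroma.service` copy), or manage the config as a `template` from this repo. `mode: +x` on the cron template leaves the remaining bits to the umask-based default; `mode: "0755"` is explicit. The cron script runs `certbot` as root daily and relies on nginx serving `/.well-known/acme-challenge/` from `/var/lib/letsencrypt`, which only happens after that manual uncomment step, so a `certbot renew --dry-run` task at the end of this play would catch a broken setup.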

@ -0,0 +1,32 @@
```sh
ansible-playbook -l pleroma playbooks/pleroma/01.yml
su pleroma -s $SHELL -lc "./bin/pleroma_ctl instance gen --output /etc/pleroma/config.exs --output-psql /tmp/setup_db.psql"
ansible-playbook -l pleroma playbooks/pleroma/02.yml
# Start the instance to verify that everything is working as expected
su pleroma -s $SHELL -lc "./bin/pleroma daemon"
# Wait for about 20 seconds and query the instance endpoint, if it shows your uri, name and email correctly, you are configured correctly
sleep 20 && curl http://localhost:4000/api/v1/instance
# Stop the instance
su pleroma -s $SHELL -lc "./bin/pleroma stop"
sudo systemctl stop nginx
certbot certonly --standalone --preferred-challenges http -d $PLEROMA_TLD
ansible-playbook -l pleroma playbooks/pleroma/03.yml
# Uncomment the webroot method
sudo vim /etc/nginx/sites-available/pleroma.conf
sudo nginx -t
# Restart nginx
systemctl restart nginx
cd /opt/pleroma
su pleroma -s $SHELL -lc "./bin/pleroma_ctl user new joeuser joeuser@sld.tld --admin"
```

@ -0,0 +1,2 @@
#!/bin/sh
certbot renew --cert-name {{ pleroma_tld }} --webroot -w /var/lib/letsencrypt/ --post-hook "systemctl reload nginx"
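Review bot: This renewal uses `--webroot -w /var/lib/letsencrypt/`, while the initial certificate is obtained with `--standalone` (README), so renewals only work once nginx serves `/.well-known/acme-challenge/` from that directory — the manual "uncomment the webroot method" step; if that step is skipped, the daily job fails quietly until the certificate expires, so run `certbot renew --dry-run` once after setup. `--deploy-hook "systemctl reload nginx"` runs only when a certificate was actually issued and is the better fit than `--post-hook` here. Output from `cron.daily` scripts goes to local mail only, so there is no alerting unless something reads it.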

@ -0,0 +1,20 @@
---
- hosts: server
tasks:
- name: create user
user:
name: alpha
# password: "{{ password | password_hash('sha512') }}"
- name: give user sudo access
lineinfile:
path: /etc/sudoers.d/alpha
line: "alpha ALL=(ALL) NOPASSWD: ALL"
create: yes
validate: visudo -cf %s
- name: add ssh keys
authorized_key:
user: alpha
key: https://github.com/kejadlen.keys
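Review bot: This new `server` play duplicates the first play of the `beats-working` playbook line for line (user, NOPASSWD sudoers entry, GitHub-sourced keys); factor it into a shared playbook pulled in with `import_playbook` or a role so the two cannot drift. `key: https://github.com/kejadlen.keys` combined with `NOPASSWD: ALL` means every key on that GitHub account is root on every host in `server`, and keys later deleted from GitHub remain authorized here; add `exclusive: true` to the `authorized_key` task so removals are mirrored too. The `lineinfile` with `create: yes` leaves `/etc/sudoers.d/alpha` at the default mode; sudo expects `0440` for drop-in files, so add `mode: "0440"` alongside the `validate: visudo -cf %s` check, which only validates syntax. The commented-out `password:` leaves the account with a locked password, which is fine for key-only SSH but worth a one-line comment saying so.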

@ -7,13 +7,11 @@ conf_dirs:
conf_symlinks:
gitignore: ~/.gitignore
.bundle/config: ~/.bundle/config
.chunkwmrc: ~/.chunkwmrc
.config: ~/.config
.gemrc: ~/.gemrc
.git_templates: ~/.git_templates
.gitconfig: ~/.gitconfig
.hammerspoon: ~/.hammerspoon
.pentadactylrc: ~/.pentadactylrc
.pryrc: ~/.pryrc
.tmux.conf: ~/.tmux.conf
.vim: ~/.vim
