From 849c769a65b94e57933512ae2d883d639dc31efc Mon Sep 17 00:00:00 2001 From: Alpha Chen Date: Mon, 15 Nov 2021 16:53:41 -0800 Subject: [PATCH] [meta] lots of ansible updates --- ansible/beats-working.yml | 44 +++++-- ansible/on-fire-within/main.yml | 49 +++++--- ansible/playbooks/defaults.yml | 8 +- ansible/playbooks/homebrew.yml | 26 ++-- ansible/playbooks/mac_os.yml | 31 ++++- ansible/playbooks/monica/main.yml | 1 + ansible/playbooks/pixelfed/install.yml | 17 +++ ansible/playbooks/pleroma/01.yml | 119 +++++++++++++++++++ ansible/playbooks/pleroma/02.yml | 31 +++++ ansible/playbooks/pleroma/03.yml | 62 ++++++++++ ansible/playbooks/pleroma/README.md | 32 +++++ ansible/playbooks/pleroma/renew-pleroma-cert | 2 + ansible/playbooks/server.yml | 20 ++++ ansible/roles/dotfiles/vars/main.yml | 2 - 14 files changed, 404 insertions(+), 40 deletions(-) create mode 100644 ansible/playbooks/pleroma/01.yml create mode 100644 ansible/playbooks/pleroma/02.yml create mode 100644 ansible/playbooks/pleroma/03.yml create mode 100644 ansible/playbooks/pleroma/README.md create mode 100644 ansible/playbooks/pleroma/renew-pleroma-cert create mode 100644 ansible/playbooks/server.yml diff --git a/ansible/beats-working.yml b/ansible/beats-working.yml index 4b1c463..6aee633 100644 --- a/ansible/beats-working.yml +++ b/ansible/beats-working.yml 
@@ -1,25 +1,53 @@ --- - hosts: beats-working tasks: + - name: create user user: name: alpha + # password: "{{ password | password_hash('sha512') }}" + - name: give user sudo access + lineinfile: + path: /etc/sudoers.d/alpha + line: "alpha ALL=(ALL) NOPASSWD: ALL" + create: yes + validate: visudo -cf %s + + - name: add ssh keys + authorized_key: + user: alpha + key: https://github.com/kejadlen.keys + + - name: install dependencies + package: + name: "{{ item }}" + state: present + with_items: + - direnv + - git + - mosh + - zsh + + - name: set shell to zxh + user: + name: alpha + shell: /usr/bin/zsh -- hosts: beats-working - pre_tasks: - name: update dotfiles repo git: repo: https://github.com/kejadlen/dotfiles.git dest: ~/.dotfiles ignore_errors: yes + +- import_playbook: playbooks/docker.yml +- hosts: beats-working tasks: - - name install dependencies - package: - name: "{{ item }}" - state: present - with_items: - - mosh + - name: add user to docker group + user: + name: alpha + groups: [ docker ] + append: true # - hosts: all # tasks: diff --git a/ansible/on-fire-within/main.yml b/ansible/on-fire-within/main.yml index 2354964..551ba8a 100644 --- a/ansible/on-fire-within/main.yml +++ b/ansible/on-fire-within/main.yml 
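Review bot: The `give user sudo access` task creates `/etc/sudoers.d/alpha` with `create: yes` but sets no `mode`, so the new file gets whatever the remote umask yields (normally world-readable) instead of the `0440` that visudo itself would create it with; add `mode: "0440"`, `owner: root` and `group: root` to the `lineinfile` task. The same task is repeated verbatim in the new `ansible/playbooks/server.yml` hunk and needs the same fix there. `authorized_key` pulls `key` from `https://github.com/kejadlen.keys` at run time, so login access to this host follows whatever keys are on that GitHub account at the moment the play runs — pinning the public key string inline (or at least documenting that dependency in a comment on the task) makes the trust decision explicit. Minor: the task name `set shell to zxh` should read `set shell to zsh`.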
@@ -143,20 +143,20 @@ - traefik.http.routers.minio.tls=true - traefik.http.routers.minio.tls.certresolver=le - traefik.http.services.minio.loadbalancer.server.port=9000 - mitmproxy: - image: mitmproxy/mitmproxy:latest-ARMv7 - container_name: mitmproxy - command: mitmweb --web-iface "" - volumes: - - /etc/mitmproxy:/home/mitmproxy/.mitmproxy - labels: - - traefik.enable=true - - traefik.tcp.routers.mitmproxy.rule=HostSNI(`{{ traefik.host_rules.mitmproxy }}`) - - traefik.tcp.routers.mitmproxy.tls.passthrough=true - - traefik.tcp.services.mitmproxy.loadbalancer.server.port=8080 - - traefik.http.routers.mitmproxy-web.rule=Host(`{{ traefik.host_rules.mitmproxy_web }}`) - - traefik.http.routers.mitmproxy-web.tls.certresolver=le - - traefik.http.services.mitmproxy-web.loadbalancer.server.port=8081 + # mitmproxy: + # image: mitmproxy/mitmproxy:latest-ARMv7 + # container_name: mitmproxy + # command: mitmweb --web-iface "" + # volumes: + # - /etc/mitmproxy:/home/mitmproxy/.mitmproxy + # labels: + # - traefik.enable=true + # - traefik.tcp.routers.mitmproxy.rule=HostSNI(`{{ traefik.host_rules.mitmproxy }}`) + # - traefik.tcp.routers.mitmproxy.tls.passthrough=true + # - traefik.tcp.services.mitmproxy.loadbalancer.server.port=8080 + # - traefik.http.routers.mitmproxy-web.rule=Host(`{{ traefik.host_rules.mitmproxy_web }}`) + # - traefik.http.routers.mitmproxy-web.tls.certresolver=le + # - traefik.http.services.mitmproxy-web.loadbalancer.server.port=8081 pihole: image: pihole/pihole:latest container_name: pihole 
@@ -229,9 +229,12 @@ block: # - shell: ip -4 addr show docker0 | grep -Po 'inet \K[\d.]+' | head -n 1 - shell: docker network inspect on-fire-within_default | jq --raw-output .[0].IPAM.Config[0].Gateway - register: docker_ip_result + register: docker_gateway_result + - shell: docker network inspect on-fire-within_default | jq --raw-output .[0].IPAM.Config[0].Gateway + register: docker_subnet_result - set_fact: - docker_ip: "{{ docker_ip_result.stdout | trim }}" + docker_gateway: "{{ docker_gateway_result.stdout | trim }}" + docker_subnet: "{{ docker_subnet_result.stdout | trim }}" - copy: content: | [http.routers] @@ -244,9 +247,10 @@ [http.services] [http.services.hassio.loadBalancer] [[http.services.hassio.loadBalancer.servers]] - url = "http://{{ docker_ip }}:8123/" + url = "http://{{ docker_gateway }}:8123/" dest: /etc/traefik/dynamic_conf.toml mode: 0600 + notify: Restart Traefik handlers: - name: Restart ddclient @@ -255,3 +259,14 @@ restart: yes ignore_errors: yes + - name: Restart Traefik + docker_container: + name: traefik + restart: yes + ignore_errors: yes + + - name: Restart Home Assistant + docker_container: + name: homeassistant + restart: yes + ignore_errors: yes diff --git a/ansible/playbooks/defaults.yml b/ansible/playbooks/defaults.yml index ac9e164..0c89047 100644 --- a/ansible/playbooks/defaults.yml +++ b/ansible/playbooks/defaults.yml @@ -175,6 +175,12 @@ key: NSToolbarTitleViewRolloverDelay type: float value: 0 + - # show the proxy icon and older titlebar + # https://twitter.com/chucker/status/1395843084383043584 + domain: com.apple.Finder + key: NSWindowSupportsAutomaticInlineTitle + type: bool + value: false - # set date format in menubar domain: com.apple.menuextra.clock 
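Review bot: The new `docker_subnet_result` task runs exactly the same command as the gateway task — both pipe into `jq --raw-output .[0].IPAM.Config[0].Gateway` — so `docker_subnet` ends up holding the gateway address, not the subnet. The second `shell` should read `- shell: docker network inspect on-fire-within_default | jq --raw-output .[0].IPAM.Config[0].Subnet`. Both probes are read-only and would be cleaner with `changed_when: false` so they stop reporting a change on every run. The enclosing `block` starts before this hunk.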
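Review bot: The added `Restart Home Assistant` handler is not notified by any task in this patch; if nothing elsewhere in `main.yml` notifies it either, it is dead code and should be dropped or wired to the `copy` task that writes `dynamic_conf.toml`, alongside `notify: Restart Traefik`. Like the other two handlers it carries `ignore_errors: yes`, which hides a failed restart of a security-relevant container behind a green play — a short comment stating why that is acceptable here (`# container may not exist on first run`) would help the next reader. The `handlers` list continues outside this hunk.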
@@ -227,7 +233,7 @@ - domain: com.freron.MailMate key: MmAllowedImageURLRegexp type: string - value: https://((i|images)\.gr-assets\.com|www\.goodreads\.com|massdrop-s3\.imgix\.net|.*\.cloudfront\.net|s3\.amazonaws\.com|files\.convertkitcdn\.com/assets/pictures)/.* + value: https://((i|images|d)\.gr-assets\.com|www\.goodreads\.com|massdrop-s3\.imgix\.net|.*\.cloudfront\.net|s3\.amazonaws\.com|files\.convertkitcdn\.com/assets/pictures)/.* - domain: com.freron.MailMate key: MmSendMessageDelayEnabled diff --git a/ansible/playbooks/homebrew.yml b/ansible/playbooks/homebrew.yml index 660acb8..5e33799 100644 --- a/ansible/playbooks/homebrew.yml +++ b/ansible/playbooks/homebrew.yml @@ -40,6 +40,7 @@ - reattach-to-user-namespace - ripgrep - ruby-install + - svn # required for font-source-code-pro - syncthing - tmux - tree @@ -72,11 +73,13 @@ - 1password-cli - acorn - alfred + - anki - arq - bartender - bitbar - daisydisk - dash + - discord - encryptme - fantastical - firefox-developer-edition @@ -101,17 +104,26 @@ - transmit - twitterrific - vlc - - zoomus - - homebrew/cask-drivers/logitech-options + - zoom + + - name: fix QuickLook generators + command: xattr -cr ~/Library/QuickLook/{{ item }}.qlgenerator + with_items: + - QLMarkdown + - QLStephen + notify: Reset QuickLook - name: install from app store command: /usr/local/bin/mas install {{ item }} with_items: - 1028916583 # iPulse - # - 1225570693 # Ulysses # - 451907568 # Paprika Recipe Manager - # - 497799835 # Xcode - # - 585829637 # Todoist - # - 880001334 # Reeder 3 - - 1449412482 # Reeder 4 + - 1529448980 # Reeder 5 + - 1522267256 # Shareful - 904280696 # Things 3 + + handlers: + - name: Reset QuickLook + block: + - command: qlmanage -r + - command: qlmanage -r cache diff --git a/ansible/playbooks/mac_os.yml b/ansible/playbooks/mac_os.yml index 5b59ad6..2e1d96d 100644 --- a/ansible/playbooks/mac_os.yml +++ b/ansible/playbooks/mac_os.yml 
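Review bot: The widened `MmAllowedImageURLRegexp` still contains the `.*\.cloudfront\.net` and `s3\.amazonaws\.com` alternatives, which admit any CloudFront distribution and any S3 bucket rather than the specific senders the rest of the list names, so remote-image tracking served from those hosts is not blocked by this allowlist. If only particular distributions or buckets are needed, name them — for example replace `.*\.cloudfront\.net` with `<distribution-id>\.cloudfront\.net` — and add a comment above the entry stating which sender each alternative is for, so future additions like `|d` stay reviewable. Quoting the value in single quotes (`value: '...'`) would also make the backslashes unambiguous to a reader.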
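Review bot: `fix QuickLook generators` runs `xattr -cr` through `command`, which reports changed on every run, so the task is not idempotent and the `Reset QuickLook` handler fires on every play. Register a probe first, e.g. `command: xattr -l ~/Library/QuickLook/{{ item }}.qlgenerator` with `changed_when: false`, and run the clear only when `com.apple.quarantine` appears in its output. Note that `-c` strips every extended attribute, including the Gatekeeper quarantine flag, from plugins that Finder/Quick Look will then load; a comment on the task recording where the two generators are installed from (`# clears the quarantine xattr Gatekeeper sets; only for generators from a source we trust`) keeps that trust decision visible. The `handlers` block at the end uses `block:`, which is fine for the two `qlmanage` commands but each would benefit from a `name`.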
@@ -15,12 +15,33 @@ - name: Install Webster's 1913 dictionary block: - copy: - src: ~/.dotfiles/osx/websters-1913.dictionary + src: ~/.dotfiles/osx/websters-1913.dictionary/ dest: ~/Library/Dictionaries/websters-1913.dictionary - - command: > - /usr/libexec/PlistBuddy - -c "Add :DCSActiveDictionaries:0 string /Users/alpha/Library/Containers/com.apple.Dictionary/Data/Library/Dictionaries/websters-1913.dictionary" - ~/Library/Preferences/com.apple.DictionaryServices.plist + + # This worked in earlier versions of MacOS, but not in Big Sur? + # The plist now looks like this: + # + # + # ❯ /usr/libexec/PlistBuddy -c "Print" ~/Library/Preferences/com.apple.DictionaryServices.plist + # Dict { + # DCSActiveDictionaries = Array { + # /Users/alpha/Library/Containers/com.apple.Dictionary/Data/Library/Dictionaries/websters-1913.dictionary + # com.apple.dictionary.NOAD + # com.apple.dictionary.OAWT + # com.apple.dictionary.AppleDictionary + # /System/Library/Frameworks/CoreServices.framework/Frameworks/DictionaryServices.framework/Resources/Wikipedia.wikipediadictionary + # } + # DCSPreferenceVersion = 7 + # DCSLastUsedAssetCompatibilityVersion = 10 + # } + # + # - shell: /usr/libexec/PlistBuddy -c "Print :DCSActiveDictionaries:0" ~/Library/Preferences/com.apple.DictionaryServices.plist + # register: websters_1913_result + # - command: > + # /usr/libexec/PlistBuddy + # -c "Add :DCSActiveDictionaries:0 string /Users/alpha/Library/Containers/com.apple.Dictionary/Data/Library/Dictionaries/websters-1913.dictionary" + # ~/Library/Preferences/com.apple.DictionaryServices.plist + # when: websters_1913_result is failed - name: Enable Touch ID for sudo become: yes diff --git a/ansible/playbooks/monica/main.yml b/ansible/playbooks/monica/main.yml index 73892cc..0e54edc 100644 --- a/ansible/playbooks/monica/main.yml +++ b/ansible/playbooks/monica/main.yml 
@@ -32,6 +32,7 @@ - DB_HOST=db - DB_USERNAME=monica - DB_PASSWORD={{ monica_db_password }} + - MAIL_MAILER=smtp - MAIL_HOST={{ sendgrid_mail_host }} - MAIL_PORT={{ sendgrid_mail_port }} - MAIL_USERNAME={{ sendgrid_mail_username }} diff --git a/ansible/playbooks/pixelfed/install.yml b/ansible/playbooks/pixelfed/install.yml index f7ac2a8..81b1a62 100644 --- a/ansible/playbooks/pixelfed/install.yml +++ b/ansible/playbooks/pixelfed/install.yml @@ -137,6 +137,7 @@ - { regexp: "^MAIL_FROM_ADDRESS=", line: "MAIL_FROM_ADDRESS={{ pixelfed_mail_from_address }}" } - { regexp: "^ACTIVITY_PUB=", line: "ACTIVITY_PUB=true" } - { regexp: "^AP_REMOTE_FOLLOW=", line: "AP_REMOTE_FOLLOW=true" } + - { regexp: "^OPEN_REGISTRATION=", line: "OPEN_REGISTRATION=false" } notify: Clear Pixelfed cache - command: php artisan {{ item }} @@ -152,6 +153,22 @@ - horizon:install - horizon:publish + # https://docs.pixelfed.org/technical-documentation/api-v1.html#authorization + - lineinfile: + path: /usr/share/pixelfed/.env + regexp: "^OAUTH_ENABLED=" + line: "OAUTH_ENABLED=true" + # Should probably be a handler - hopefully they're idempotent + - command: php artisan {{ item }} + args: + chdir: /usr/share/pixelfed + loop: + - passport:keys + - config:cache + - route:cache + - view:cache + - passport:client --personal + handlers: - name: Clear Pixelfed cache command: php artisan config:cache diff --git a/ansible/playbooks/pleroma/01.yml b/ansible/playbooks/pleroma/01.yml new file mode 100644 index 0000000..0d16043 --- /dev/null +++ b/ansible/playbooks/pleroma/01.yml 
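Review bot: The new `php artisan` loop is not idempotent, contrary to the hope in the comment above it: `passport:client --personal` inserts a new OAuth client each time the play runs, and `passport:keys` refuses to overwrite keys that already exist. Split the loop and give the key step `args: creates: /usr/share/pixelfed/storage/oauth-private.key` (Passport's default key location under the app root — confirm for this Pixelfed version), and gate the client step on a one-time check (e.g. a `register`ed query of the `oauth_clients` table with `when:`) so it runs once. The cache commands (`config:cache`, `route:cache`, `view:cache`) are safe to repeat and belong in the existing `Clear Pixelfed cache` handler, as the comment already suggests. The `handlers` list continues outside this hunk.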
@@ -0,0 +1,119 @@ +# https://docs.pleroma.social/backend/installation/otp_en/ +--- +- hosts: pleroma + become: yes + tasks: + + # arch="$(uname -m)";if [ "$arch" = "x86_64" ];then arch="amd64";elif [ "$arch" = "armv7l" ];then arch="arm";elif [ "$arch" = "aarch64" ];then arch="arm64";else echo "Unsupported arch: $arch">&2;fi;if getconf GNU_LIBC_VERSION>/dev/null;then libc_postfix="";elif [ "$(ldd 2>&1|head -c 9)" = "musl libc" ];then libc_postfix="-musl";elif [ "$(find /lib/libc.musl*|wc -l)" ];then libc_postfix="-musl";else echo "Unsupported libc">&2;fi;echo "$arch$libc_postfix" + - shell: | + arch="$(uname -m)" + if [ "$arch" = "x86_64" ]; then + arch="amd64"; + elif [ "$arch" = "armv7l" ]; then + arch="arm"; + elif [ "$arch" = "aarch64" ]; then + arch="arm64"; + else + echo "Unsupported arch: $arch">&2; + fi; + if getconf GNU_LIBC_VERSION>/dev/null; then + libc_postfix=""; + elif [ "$(ldd 2>&1|head -c 9)" = "musl libc" ]; then + libc_postfix="-musl"; + elif [ "$(find /lib/libc.musl*|wc -l)" ]; then + libc_postfix="-musl"; + else + echo "Unsupported libc">&2; + fi; + echo "$arch$libc_postfix" + register: arch_result + - set_fact: + pleroma_flavour: "{{ arch_result.stdout | trim }}" + + - apt: + update_cache: yes + + # apt install curl unzip libncurses5 postgresql postgresql-contrib nginx certbot libmagic-dev + # apt install imagemagick ffmpeg libimage-exiftool-perl + # apt install postgresql-11-rum + - package: + name: + - curl + - unzip + - libncurses5 + - postgresql + - postgresql-contrib + - nginx + - certbot + - libmagic-dev + - imagemagick + - ffmpeg + - libimage-exiftool-perl + - postgresql-11-rum + notify: + - Restart postgres + + # Create a Pleroma user + # adduser --system --shell /bin/false --home /opt/pleroma pleroma + - user: + name: pleroma + home: /opt/pleroma + shell: /bin/false + system: yes + + # Clone the release build into a temporary directory and unpack it + # su pleroma -s $SHELL -lc " + # curl 
'https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job=$FLAVOUR' -o /tmp/pleroma.zip + # unzip /tmp/pleroma.zip -d /tmp/ + # " + - get_url: + url: https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job={{ pleroma_flavour }} + dest: /tmp/pleroma.zip + - command: unzip /tmp/pleroma.zip -d /tmp/ + + # Move the release to the home directory and delete temporary files + # su pleroma -s $SHELL -lc " + # mv /tmp/release/* /opt/pleroma + # rmdir /tmp/release + # rm /tmp/pleroma.zip + # " + - copy: + src: /tmp/release/ + dest: /opt/pleroma/ + remote_src: yes + owner: pleroma + - file: + path: "{{ item }}" + state: absent + loop: + - /tmp/release + - /tmp/pleroma.zip + + # Create uploads directory and set proper permissions (skip if planning to use a remote uploader) + # Note: It does not have to be `/var/lib/pleroma/uploads`, the config generator will ask about the upload directory later + # mkdir -p /var/lib/pleroma/uploads + # chown -R pleroma /var/lib/pleroma + + # Create custom public files directory (custom emojis, frontend bundle overrides, robots.txt, etc.) + # Note: It does not have to be `/var/lib/pleroma/static`, the config generator will ask about the custom public files directory later + # mkdir -p /var/lib/pleroma/static + # chown -R pleroma /var/lib/pleroma + + # Create a config directory + # mkdir -p /etc/pleroma + # chown -R pleroma /etc/pleroma + - file: + path: "{{ item }}" + state: directory + owner: pleroma + loop: + - /var/lib/pleroma/uploads + - /var/lib/pleroma/static + - /etc/pleroma + + handlers: + - name: Restart postgres + service: + name: postgresql + state: restarted + diff --git a/ansible/playbooks/pleroma/02.yml b/ansible/playbooks/pleroma/02.yml new file mode 100644 index 0000000..bf81968 --- /dev/null +++ b/ansible/playbooks/pleroma/02.yml 
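Review bot: The release archive is fetched with `get_url` and unpacked by `unzip` with no integrity check: nothing pins what `https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job={{ pleroma_flavour }}` serves, and the result is installed to `/opt/pleroma` and later run as a system service. If the project publishes a digest for the artifact, add `checksum: sha256:<digest>` to the `get_url` task; if it does not, record that in a comment (`# artifact has no published checksum; TLS to git.pleroma.social is the only integrity guarantee`) so the gap stays visible. Both the download and `command: unzip` run as root (the play has `become: yes`) into the fixed, shared path `/tmp/release`, and the `unzip` step reports changed on every run; a root-owned work directory from the `tempfile` module plus `args: creates: /tmp/release` (or `changed_when`) would tighten both. The arch-detection `shell` task likewise always reports changed and should carry `changed_when: false`.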
@@ -0,0 +1,31 @@ +# https://docs.pleroma.social/backend/installation/otp_en/ +--- +- hosts: pleroma + become: yes + tasks: + + # Create the postgres database + # su postgres -s $SHELL -lc "psql -f /tmp/setup_db.psql" + - command: psql -f /tmp/setup_db.psql + become_user: postgres + + # Create the database schema + # su pleroma -s $SHELL -lc "./bin/pleroma_ctl migrate" + - command: ./bin/pleroma_ctl migrate + args: + chdir: /opt/pleroma + become_user: pleroma + + # If you have installed RUM indexes uncommend and run + # su pleroma -s $SHELL -lc "./bin/pleroma_ctl migrate --migrations-path priv/repo/optional_migrations/rum_indexing/" + - command: ./bin/pleroma_ctl migrate --migrations-path priv/repo/optional_migrations/rum_indexing/ + args: + chdir: /opt/pleroma + become_user: pleroma + + handlers: + - name: Restart postgres + service: + name: postgresql + state: restarted + diff --git a/ansible/playbooks/pleroma/03.yml b/ansible/playbooks/pleroma/03.yml new file mode 100644 index 0000000..693f0fa --- /dev/null +++ b/ansible/playbooks/pleroma/03.yml 
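Review bot: `/tmp/setup_db.psql` — generated beforehand by `pleroma_ctl instance gen` per the README and consumed here by `psql -f` — carries the `CREATE USER ... PASSWORD` statement for the database role, and nothing in this play removes it afterwards, so the credential is left behind in a shared directory (typically world-readable under the default umask); add a `file:` task with `path: /tmp/setup_db.psql` and `state: absent` right after the `psql` step. All three `command` tasks report changed on every run; the two `pleroma_ctl migrate` calls are safe to repeat but deserve `changed_when: false` or a `register`ed check so the play is clean. The `Restart postgres` handler is declared but no task in this file notifies it.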
@@ -0,0 +1,62 @@ +# https://docs.pleroma.social/backend/installation/otp_en/ +--- +- hosts: pleroma + become: yes + tasks: + + # cp /opt/pleroma/installation/pleroma.nginx /etc/nginx/sites-available/pleroma.conf + # ln -s /etc/nginx/sites-available/pleroma.conf /etc/nginx/sites-enabled/pleroma.conf + - copy: + src: /opt/pleroma/installation/pleroma.nginx + dest: /etc/nginx/sites-available/pleroma.conf + remote_src: yes + notify: Restart nginx + - file: + src: /etc/nginx/sites-available/pleroma.conf + dest: /etc/nginx/sites-enabled/pleroma.conf + state: link + notify: Restart nginx + + - replace: + path: /etc/nginx/sites-available/pleroma.conf + regexp: 'example\.tld' + replace: "{{ pleroma_tld }}" + notify: Restart nginx + + # Copy the service into a proper directory + # cp /opt/pleroma/installation/pleroma.service /etc/systemd/system/pleroma.service + - copy: + src: /opt/pleroma/installation/pleroma.service + dest: /etc/systemd/system/pleroma.service + remote_src: yes + # Start pleroma and enable it on boot + # systemctl start pleroma + # systemctl enable pleroma + notify: Restart pleroma + + # Create the directory for webroot challenges + # mkdir -p /var/lib/letsencrypt + - file: + path: /var/lib/letsencrypt + state: directory + + # Add it to the daily cron + # echo '#!/bin/sh + # certbot renew --cert-name yourinstance.tld --webroot -w /var/lib/letsencrypt/ --post-hook "systemctl reload nginx" + # ' > /etc/cron.daily/renew-pleroma-cert + # chmod +x /etc/cron.daily/renew-pleroma-cert + - template: + src: renew-pleroma-cert + dest: /etc/cron.daily/renew-pleroma-cert + mode: +x + + handlers: + - name: Restart nginx + service: + name: nginx + state: restarted + - name: Restart pleroma + service: + name: pleroma + enabled: yes + state: restarted diff --git a/ansible/playbooks/pleroma/README.md b/ansible/playbooks/pleroma/README.md new file mode 100644 index 0000000..5baa884 --- /dev/null +++ b/ansible/playbooks/pleroma/README.md 
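Review bot: The `Restart pleroma` handler uses the `service` module right after `pleroma.service` is copied into `/etc/systemd/system/`, but nothing runs `systemctl daemon-reload`, so on a first run systemd may not yet know the unit when the handler tries to enable and restart it; switch the handler to the `systemd` module with `daemon_reload: yes` next to `name: pleroma`, `enabled: yes`, `state: restarted`. The nginx config is also not idempotent: `copy` writes `pleroma.nginx` to `pleroma.conf`, `replace` then rewrites `example\.tld` in that same file, so on every later run the destination differs from the source, `copy` overwrites it again, `replace` fires again, and nginx is restarted twice per play — add `force: no` to that `copy` so it only seeds the file when missing. The cron `template` uses `mode: +x`, which is relative to whatever the umask produced; `mode: "0755"` states the intended permissions explicitly.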
@@ -0,0 +1,32 @@ +```sh +ansible-playbook -l pleroma playbooks/pleroma/01.yml + +su pleroma -s $SHELL -lc "./bin/pleroma_ctl instance gen --output /etc/pleroma/config.exs --output-psql /tmp/setup_db.psql" + +ansible-playbook -l pleroma playbooks/pleroma/02.yml + +# Start the instance to verify that everything is working as expected +su pleroma -s $SHELL -lc "./bin/pleroma daemon" + +# Wait for about 20 seconds and query the instance endpoint, if it shows your uri, name and email correctly, you are configured correctly +sleep 20 && curl http://localhost:4000/api/v1/instance + +# Stop the instance +su pleroma -s $SHELL -lc "./bin/pleroma stop" + +sudo systemctl stop nginx +certbot certonly --standalone --preferred-challenges http -d $PLEROMA_TLD + +ansible-playbook -l pleroma playbooks/pleroma/03.yml + +# Uncomment the webroot method +sudo vim /etc/nginx/sites-available/pleroma.conf + +sudo nginx -t + +# Restart nginx +systemctl restart nginx + +cd /opt/pleroma +su pleroma -s $SHELL -lc "./bin/pleroma_ctl user new joeuser joeuser@sld.tld --admin" +``` diff --git a/ansible/playbooks/pleroma/renew-pleroma-cert b/ansible/playbooks/pleroma/renew-pleroma-cert new file mode 100644 index 0000000..08a21f5 --- /dev/null +++ b/ansible/playbooks/pleroma/renew-pleroma-cert @@ -0,0 +1,2 @@ +#!/bin/sh +certbot renew --cert-name {{ pleroma_tld }} --webroot -w /var/lib/letsencrypt/ --post-hook "systemctl reload nginx" diff --git a/ansible/playbooks/server.yml b/ansible/playbooks/server.yml new file mode 100644 index 0000000..15da967 --- /dev/null +++ b/ansible/playbooks/server.yml @@ -0,0 +1,20 @@ +--- +- hosts: server + tasks: + + - name: create user + user: + name: alpha + # password: "{{ password | password_hash('sha512') }}" + + - name: give user sudo access + lineinfile: + path: /etc/sudoers.d/alpha + line: "alpha ALL=(ALL) NOPASSWD: ALL" + create: yes + validate: visudo -cf %s + + - name: add ssh keys + authorized_key: + user: alpha + key: https://github.com/kejadlen.keys 
diff --git a/ansible/roles/dotfiles/vars/main.yml b/ansible/roles/dotfiles/vars/main.yml index ca0cc33..d2a3983 100644 --- a/ansible/roles/dotfiles/vars/main.yml +++ b/ansible/roles/dotfiles/vars/main.yml @@ -7,13 +7,11 @@ conf_dirs: conf_symlinks: gitignore: ~/.gitignore .bundle/config: ~/.bundle/config - .chunkwmrc: ~/.chunkwmrc .config: ~/.config .gemrc: ~/.gemrc .git_templates: ~/.git_templates .gitconfig: ~/.gitconfig .hammerspoon: ~/.hammerspoon - .pentadactylrc: ~/.pentadactylrc .pryrc: ~/.pryrc .tmux.conf: ~/.tmux.conf .vim: ~/.vim