feat: misc changes

deploy.yml

@@ -87,12 +87,14 @@
     - sshd
   vars:
     users:
-      - rilla
       - ansible
       - btrbk
       - builder
+      - dags
       - gopass
+      - rilla
       - woodpecker
+  tags: common
 
 - name: quality of life tools
   hosts:
@@ -163,6 +165,16 @@
   become: true
   roles:
     - wireguard
+  vars_files:
+    - 'vars/vault.yaml'
+
+- name: notifiers
+  hosts:
+    - suricata
+  become: true
+  roles:
+    - notifiers
+  tags: notifiers
 
 - name: set up NUT
   hosts:

hosts.yml

@@ -230,6 +230,29 @@ all:
 
       nut_host: localhost
 
+      notifiers:
+        xmpp:
+          recipient: rilla@monotremata.xyz
+          account: suricata@monotremata.xyz
+          password: !vault |
+            $ANSIBLE_VAULT;1.1;AES256
+            3261336330303763383735646465326463333964383234653835396462383731623
+            63763386365653437396163656530626533633463613966303235616565330a6237
+            3535653731333366313438343465663034303433623132386364643338613732383
+            9326661316435336539306232633536356330376337663065636265660a61643830
+            3335633538613337616232306233633039333364373538373036623139666263383
+            06538636233643362383335653135333439353131336535353862
+
+        gotify:
+          url: https://gotify.monotremata.xyz
+          token: !vault |
+            $ANSIBLE_VAULT;1.1;AES256
+            3539643562356634616361643264623533643664303862613264316439343036323
+            93033306538353661343861313866613434633637653434336532613361310a6161
+            6563343236303135616335346364643763343533653331316166653937353965643
+            9383135393631366336383361373333396536343362626561613435310a34313261
+            38613264353832396362653036313531356261613833393965353664
+
     caladan:
       ansible_host: caladan
       ansible_user: ansible

justfile

@@ -1,9 +1,21 @@
 #!/usr/bin/env -S just --justfile
 
+password_file := "get_password.sh"
+
+# may need to use --force to reinstall all requirements
+reqs *ARGS:
+    ansible-galaxy install -r requirements.yaml {{ARGS}}
+
 deploy HOST *ARGS:
     ansible-playbook \
         --inventory hosts.yml \
-        --vault-password-file get_password.sh \
+        --vault-password-file {{password_file}} \
         --limit {{HOST}} \
         {{ARGS}} \
         deploy.yml
+
+# just vault (encrypt/decrypt/edit)
+vault ACTION:
+    EDITOR="nvim" ansible-vault {{ACTION}} \
+        --vault-password-file {{password_file}} \
+        vars/vault.yaml

roles/btrbk/files/id_ed25519

@@ -1,25 +1,25 @@
 $ANSIBLE_VAULT;1.1;AES256
-65343662643732393835376666373930366539383835663834313035373362393133373833396161
-6463343465623762353737663036306433613132656533330a366333393165363434663033343136
-39303164396135323035303733393239633530313636323137653934346630343836343838363337
-6137303334623732300a663330613061303536326230323832383537633932396165323633656461
-62623938383131363831633536376163373265386264383131303238346335313236646239633630
-66656436303663646339613930396436356637613532353937366230643837663636313661376331
-39353939363265643661316534356338336639306666343034323434663861643764393737303865
-65366138636363323061616162356431633135626231306366616462383233393237316139323935
-36393930633363656630363364323336613635626661303339306435363837613766636163623534
-38613166633835656137346135306266626239633738323966383034386235383761316365303538
-63303231613766303532396562633830633161366230666430353432376537383562346330333033
-33306334646636383035326332343330636238386665616465326261373235313735633233633562
-66323933626232303236356266353365336433666362353838666465373764393463393238306530
-64333934616331343035663335326239353530323933616535613839383161646638646261393265
-31376233353532326361653164313636633438366266613235333234626633373531393364613432
-62303464646637663631356233373865613162336537313062646432383238613164643233383537
-34326362656564646138636562323131393661376133316565653861633039613937646564376333
-38343335333064643163383963623538636330613765383137306133323164633966353433333765
-33633135623534336131393431373637366239316334613936636661343165353236346433346634
-66333161623062333265396337633333636663386334306137643363343239323432636337313033
-38656434366464343038393935643663346661636134313965653963653532303534333031393666
-33323965653838633261613664623738356635346163333439363062646361623466663738393261
-65396463343537363166613666303830366162393134633739306630353936333165653361343134
-61366533323666383639
+30643932343335613161633362646134333061383332323030636434303335366337633236643230
+3830383639626433613162643933353064393939623137380a663539626161306366353165346434
+38653238623535303438303136643261666539666535376463633835383033353631333838643632
+6338343863616566350a363165636566363530613564313465366361383563623164663930663937
+36306339643766303964613332373665653062393836633665383363646133613864366564393133
+63356437633332346139373733303737396335386138376231626637643862336365356266656538
+63313165393030343863336530613232643735323163393434323034303939323034313464316636
+63616537323338633031626139323362663136356139336431353135343835393863656262663831
+36336661376539616631653737613963353266396532656162646336623032363037616638353661
+39643265366431656131626630353131656163656339626463336462356230333935646664383536
+32633562653462613962306164643338363562613664313631633565633636623161616232643762
+30303462333032623862383935386335323433643032623861633131633736633064303138326165
+35353762666530616533363634356464393139616535373162346238333839633639356331383933
+39326130346133636661306564613733616461653466613538633935636430613232666661336332
+33653637346163643937633431666137376339626132373237623137633131383234323165343730
+38326565316135613635383062643866633661653362386634303066626130373939343431333334
+35303139386234613565616335376564323139303534356466386531363565623630636238653430
+36343930356630333263313737376134656433623161383266613034343062616565633262343634
+63333861363736343630363330613063613637376463656332303534333939316261633233356230
+63396334613730396530333539383764613539353061383230363532333963366133653033366537
+62313562343135623135353438356563353338636336333932343039363862333463623039336533
+39653231373632633761383563613232613534393962646536393763396530366533303165383566
+63316235666161316638656663643632373634376262646233313932393030376134356135333134
+36623738313634666437

roles/btrbk/files/id_ed25519-cert.pub

@@ -0,0 +1,37 @@
+$ANSIBLE_VAULT;1.1;AES256
+32653462316534376436323930393938303861333466323162326432393364336164336338636535
+6236356239666230626138636164623266373838626462380a346635653331376161653962303833
+66626264636561313333343632376238376363633937343136613539633037366531376637633062
+3736353465336335320a373830653731303632366535626661646164623433366536663863363739
+35393437303837636233363563313563336639353233643261356664386239373464646266356134
+62656431343566316335343935376535346637666538376637623738353436343033373035313765
+64633735343162326564323365323934396364313339656164336566363333633865373431663430
+37623663656464343336653639393535613366336464346665323366343261383836373163616438
+34666539643861656136393061303834646239616235323961343430636636633633623835636538
+65303564623161623334306234643335363332363934653036306438363131396531343263386431
+62646565373334373837353833336165663631303032643362663763613862343330623463326331
+37313038343437316234316339663564303461353766383462643030363065363531616663656463
+30356237616134306234376439323166303765303633366161303366326363623734393030306366
+38613230313737306534616136643034393232646339313266656535643735356139633439656534
+32663462306339663563366638663831663530633932343935646666373266636132663636663662
+39626664336236613863386561326433383334383732353463303433386137396632653464666633
+36616334643063393566393338633763396536363433663839373339333536656365363863306536
+39633064653637383630623032306565313939636666646634393434373932303039376465316237
+63336431323336616266336536323832333662316435366661613564393963663130383365303431
+31323766323632393138626430326337633436656331653162326466633362643730346461316466
+37313334656131643166653430366366346366646339643137376362376361343637306364363635
+32653734303631613533353039346632366661633661633432626135313830353265636638616138
+37663262356131623539633235663733306133386565396433306366316664323263613533343830
+39393834303333343331343234336334343765326334303137366361323934656631396662373432
+33613731343438663531373866386262313134373366633439643030313230313739646433613666
+39393065323536613161376665666332383331656261396436666339633462343732326366363934
+62373734366132333035333363393562363233383638393865393532306432353133373530653931
+61346461353934356263623666633661363264363163323832373533643961326634666634363639
+35663632656137653961343831663862346138313535626365393030343736643862633166396566
+62633363646165393137666566303539396461393437646466313134316366663630613030333261
+38666665316439656437376663383566636465383039656336396131366365383663363537383230
+63636130333737636432363165666361343632373439613632333139376438656365313132653565
+64396133633636373433636663663339343135363133316261333136383834373132383262646637
+61383166343435366137343433376161656332306561373165363939656139363531306461633861
+62373035623266633565333830646266373036613634626339616536303062643961613031636238
+36353066656238373933

roles/btrbk/files/id_ed25519.pub

@@ -1,10 +1,10 @@
 $ANSIBLE_VAULT;1.1;AES256
-30613933373763373264373162313466663333353830306436323964633463353632326563343361
-3564643432323962313836326231313961346630303734650a376234653935643066326232666161
-39303061343564643866313530633835306332303861316163373439636534333730626538633264
-3532613234343936660a623966643230316337383636646337313435323836636263333765356261
-31326130313733616261643032396261333963316161363933383365316164383432623631353436
-64383238363430653933343836373233313131623838316462373639396162663632396631663063
-33356133316331366563613134366664393462326235613561613134613532396237393239316339
-64343735383930323862616664333464643232636166326136623335333733666666623261326132
-6231
+38666166393862396166636266353134633134313837613066356537363233666465373163383730
+3563623562373634613030366236363730333561383932390a396631613761303137313436343537
+66613435373865383738646439393034333637653736303565653164666539323864646436313136
+3037333464346336640a343433643137346665646237643262373338666231656339633935376632
+62616238386464653337346333313763363830646334383361613030323433313431363263376134
+66313661646333396532663732643430623030396337343164643363333463363263633236633231
+35633038373736343863323332343235656464306666633535616464313662366138343263373062
+34313130623661353834396235343065356665376232623736376665366536643462626161303064
+3161

roles/btrbk/tasks/main.yml

@@ -23,19 +23,26 @@
     src: "host_files/btrbk/{{ ansible_hostname }}/btrbk.conf"
     dest: /etc/btrbk/btrbk.conf
 
-- name: copy btrbk ssh key
+- name: copy btrbk ssh private key
   copy:
     src: id_ed25519
     dest: /etc/btrbk/id_ed25519
     owner: btrbk
     mode: '0400'
 
-- name: copy btrbk user ssh public key to authorized_keys
+- name: copy btrbk ssh public key
   copy:
     src: id_ed25519.pub
-    dest: /etc/ssh/authorized_keys/btrbk
+    dest: /etc/btrbk/id_ed25519.pub
     owner: btrbk
-    mode: '0644'
+    mode: '0444'
+
+- name: copy btrbk ssh public key certificate
+  copy:
+    src: id_ed25519-cert.pub
+    dest: /etc/btrbk/id_ed25519-cert.pub
+    owner: btrbk
+    mode: '0444'
 
 - name: add btrbk to cron
   cron:

roles/notifiers/files/bin/notify-gotify

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# shellcheck disable=SC1091
+. /usr/local/etc/notifiers/gotify
+
+PRIORITY="${PRIORITY:-5}"
+
+if [ -n "$TITLE" ]; then
+    TITLE_ARG="--form title=${TITLE}"
+else
+    TITLE_ARG=""
+fi
+
+MSG="$*"
+
+# shellcheck disable=SC2086
+curl \
+    "${GOTIFY_URL}/message?token=${GOTIFY_TOKEN}" \
+    $TITLE_ARG \
+    --form "message=${MSG}" \
+    --form "priority=${PRIORITY}"

roles/notifiers/files/bin/notify-xmpp

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# shellcheck disable=SC1091
+. /usr/local/etc/notifiers/xmpp
+
+MSG="$*"
+
+echo "$MSG" |
+    go-sendxmpp \
+        --username="$XMPP_ACCOUNT" \
+        --password="$XMPP_PASSWORD" \
+        "$XMPP_RECIPIENT"

roles/notifiers/tasks/main.yml

@@ -0,0 +1,33 @@
+---
+
+- name: install notification programs
+  apk:
+    name:
+      - curl
+      - go-sendxmpp
+      - msmtp
+  when: ansible_distribution == "Alpine"
+
+- name: create config dir
+  file:
+    state: directory
+    path: /usr/local/etc/notifiers
+
+- name: render notifier configs
+  template:
+    src: "etc/notifiers/{{ item }}.j2"
+    dest: "/usr/local/etc/notifiers/{{ item }}"
+    owner: root
+    mode: '0600'
+  loop:
+    - gotify
+    - xmpp
+
+- name: copy notifier executables
+  copy:
+    src: "bin/{{ item }}"
+    dest: "/usr/local/bin/{{ item }}"
+    mode: '0755'
+  loop:
+    - notify-gotify
+    - notify-xmpp

roles/notifiers/templates/etc/notifiers/gotify.j2

@@ -0,0 +1,2 @@
+GOTIFY_URL='{{ notifiers.gotify.url }}'
+GOTIFY_TOKEN='{{ notifiers.gotify.token }}'

roles/notifiers/templates/etc/notifiers/xmpp.j2

@@ -0,0 +1,3 @@
+XMPP_RECIPIENT='{{ notifiers.xmpp.recipient }}'
+XMPP_ACCOUNT='{{ notifiers.xmpp.account }}'
+XMPP_PASSWORD='{{ notifiers.xmpp.password }}'

roles/users/tasks/dags.yml

@@ -0,0 +1,41 @@
+---
+- name: create group 'dags'
+  group:
+    name: dags
+    gid: 506
+
+- name: create user 'dags'
+  user:
+    name: dags
+    uid: 506
+    group: dags
+    home: /var/lib/dags
+    password: "*"  # disabled password but can be accessed with SSH
+    groups:
+      - wheel
+    append: true
+
+- name: additional groups to dags
+  user:
+    name: dags
+    groups: "{{item}}"
+    append: true
+  when: item in ansible_facts.getent_group
+  with_items:
+    - docker
+
+- name: make sure dags owns its home
+  file:
+    state: directory
+    path: /var/lib/dags
+    owner: dags
+    group: dags
+    mode: '2755'
+
+- name: commit dags's home to lbu
+  lbu:
+    include:
+      - /var/lib/dags
+    exclude:
+      - /var/lib/dags/.ash_history
+  when: ansible_distribution == "Alpine" and alpine_mode in ["diskless", "data"]