-rw-r--r-- | chaos-at-home/ch-prometheus.yml | 57 | ||||
-rw-r--r-- | inventory/host_vars/ch-atlas.yml | 2 | ||||
-rw-r--r-- | inventory/host_vars/ch-mcbr.yml | 2 | ||||
-rw-r--r-- | inventory/host_vars/ch-prometheus.yml | 3 | ||||
-rw-r--r-- | inventory/host_vars/ele-gwhetzner.yml | 36 | ||||
-rw-r--r-- | inventory/host_vars/ele-media.yml | 2 |
6 files changed, 79 insertions, 23 deletions
diff --git a/chaos-at-home/ch-prometheus.yml b/chaos-at-home/ch-prometheus.yml index a736a331..c632a905 100644 --- a/chaos-at-home/ch-prometheus.yml +++ b/chaos-at-home/ch-prometheus.yml @@ -7,6 +7,10 @@ - role: core/sshd/base - role: core/zsh - role: core/cpu-microcode + +- name: Payload Setup + hosts: ch-prometheus + roles: - role: apt-repo/spreadspace - role: nginx/base - role: monitoring/prometheus/exporter 
@@ -61,3 +65,56 @@ {% endif %} {% endfor %} exec dstat -cnd -N {{ network.primary.name }} -D "{{ disk_variables | join(',') }}" --disk-util --top-io --top-bio + + - name: install systemd service to sync homes from prometheus-legcay + copy: + content: | + [Unit] + Description=sync homes from legacy server + + [Service] + Type=oneshot + ExecStart=rsync -v -a --delete -e 'ssh -i /root/.ssh/id_promtheus-legacy_rsa -o PubkeyAcceptedKeyTypes=ssh-rsa -o MACs=hmac-sha1 -o HostKeyAlgorithms=ssh-rsa' --exclude /sendfile-spool --exclude /.zfs/ root@192.168.28.250:/home/ /srv/storage/home/ + TimeoutStartSec=50m + + # systemd hardening-options + AmbientCapabilities=CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER + CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER + LockPersonality=true + MemoryDenyWriteExecute=true + NoNewPrivileges=true + PrivateTmp=true + ProtectControlGroups=true + ProtectKernelModules=true + ProtectKernelTunables=true + ProtectSystem=strict + ReadWritePaths=/srv/storage/home + RemoveIPC=true + RestrictNamespaces=true + RestrictRealtime=true + RestrictAddressFamilies=AF_UNIX AF_INET + SystemCallArchitectures=native + + [Install] + WantedBy=multi-user.target + dest: /etc/systemd/system/sync-homes-from-legacy.service + + - name: install systemd timer to sync homes from prometheus-legcay + copy: + content: | + [Unit] + Description=sync homes from legacy server + + [Timer] + OnCalendar=hourly + + [Install] + WantedBy=timers.target + dest: /etc/systemd/system/sync-homes-from-legacy.timer + + - name: make sure systemd timer to sync homes from prometheus-legcay is started and enabled + systemd: + daemon_reload: yes + name: sync-homes-from-legacy.timer + state: started + enabled: yes diff --git a/inventory/host_vars/ch-atlas.yml b/inventory/host_vars/ch-atlas.yml index 5fa51964..f342445b 100644 --- a/inventory/host_vars/ch-atlas.yml +++ b/inventory/host_vars/ch-atlas.yml 
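Review bot: The rsync in ExecStart only works if the legacy host's key is already present in a known_hosts file root can read: there is no TTY to answer ssh's host-key prompt, and ProtectSystem=strict leaves /root read-only, so nothing can be recorded there on first connect; no task in this hunk installs that entry, so it is presumably provisioned elsewhere. Making the dependency explicit would be safer, e.g. adding `-o StrictHostKeyChecking=yes` to the ssh command and a task that records the legacy host's public key in `/etc/ssh/ssh_known_hosts`. The weakened algorithms (`HostKeyAlgorithms=ssh-rsa`, `MACs=hmac-sha1`) are evidently required by the legacy peer but deserve a comment in the unit such as `# ssh-rsa/hmac-sha1 only because the legacy server supports nothing newer; drop once it is retired`, and because the unit runs as root with `--delete` into /srv/storage/home, anything removed on the legacy side is removed locally too, which is worth stating in Description. Minor: all three task names misspell "legacy" as "legcay", and `daemon_reload: yes` / `enabled: yes` would read better as `true`. The tasks list this hunk extends begins outside the hunk.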
@@ -32,7 +32,7 @@ ssh_keys_root_extra: apt_repo_components: - main - contrib ## for zfs - - non-free ## for microcode updates + - non-free-firmware spreadspace_apt_repo_components: - main diff --git a/inventory/host_vars/ch-mcbr.yml b/inventory/host_vars/ch-mcbr.yml index 6f7ae3c4..b781216d 100644 --- a/inventory/host_vars/ch-mcbr.yml +++ b/inventory/host_vars/ch-mcbr.yml @@ -34,6 +34,7 @@ base_modules_blacklist: "{{ base_modules_blacklist_none }}" apt_repo_components: - main - contrib + - non-free-firmware - non-free ntp_variant: systemd-timesyncd @@ -42,7 +43,6 @@ ntp_variant: systemd-timesyncd kodi_standalone_support_packages_extra: - i965-va-driver-shaders -kodi_standalone_use_backports: yes kodi_standalone_kodi_packages_extra: - kodi-repository-kodi - kodi-inputstream-adaptive diff --git a/inventory/host_vars/ch-prometheus.yml b/inventory/host_vars/ch-prometheus.yml index 332ba8ef..88a4784f 100644 --- a/inventory/host_vars/ch-prometheus.yml +++ b/inventory/host_vars/ch-prometheus.yml @@ -37,11 +37,10 @@ network: apt_repo_components: - main - contrib ## for zfs - - non-free ## for microcode updates + - non-free-firmware ssh_keys_root_extra: - - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9AkOBxvf1wZ0B3wEyf7O3GbaIGx5o2f6cVuQIrOjeFfgMSAr1LwiB/gmHhMSEq6OSauD37TA5yDIrzk6NPPjVs/wiklsHgYtTqIxSPItTZFPX4gLvNwwGuRvEW9bTEiHd+bVPIiIT7HOje0kgacjan44rdgppX9DgcUp2j7uSZZabsxDCS/ms0slhwBNU1gtR31PoQ56vIya23D2uMauNAbRJzDEOfAjy4pHF8njYcXPas/yrbLi8PUZ1YO1u/AZto96EIYfHaCLWlstqeCX+R2JrTunvfTr8TF3AkFw8lHMzk3neUR+tPAAFQaqeTlqGPiSNq1Oyf+52XR16qwhd equinox@mail - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBjZEFZLrl2KIqYl/GU8Vkp7mlhAbFbjwf4Ht9zQRmI8 ZFS Backup syncoid@epimetheus diff --git a/inventory/host_vars/ele-gwhetzner.yml b/inventory/host_vars/ele-gwhetzner.yml index ea16146e..9cd236ef 100644 --- a/inventory/host_vars/ele-gwhetzner.yml +++ b/inventory/host_vars/ele-gwhetzner.yml 
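Review bot: The `## for microcode updates` comment disappears with the `non-free` line it sat on, while the replacement `- non-free-firmware` carries no explanation, so the inventory no longer records why the component is enabled (presumably for the core/cpu-microcode role visible in ch-prometheus.yml); the same applies to the ch-prometheus and ele-media hunks. Keep the why-comment on the new line, `- non-free-firmware ## for microcode updates`. In ch-mcbr both `non-free-firmware` and `non-free` are kept, which I read as `non-free` still being needed there (i965-va-driver-shaders, perhaps) — a short comment on that line would make the asymmetry with the other hosts look deliberate rather than accidental.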
@@ -59,24 +59,24 @@ wireguard_gateway_tunnels: - pub_key: "{{ hostvars['ele-media'].wireguard_keys.gwhetzner.pub }}" allowed_ips: - 192.168.254.2/32 - wg-emc: - description: Elevate Media Channel - priv_key: "{{ wireguard_keys.emc.priv }}" - listen_port: 51821 - addresses: - - 192.168.254.5/30 - ip_snat: - interface: "{{ network.primary.name }}" - to: "{{ network.primary.overlay }}" - port_forwardings: - - dest: "{{ network.primary.overlay }}" - tcp_ports: - 422: 192.168.254.6:222 - peers: - - pub_key: "{{ hostvars['ele-router'].wireguard_keys.gwhetzner.pub }}" - allowed_ips: - - 192.168.254.6/32 - - 192.168.20.0/24 + # wg-emc: + # description: Elevate Media Channel + # priv_key: "{{ wireguard_keys.emc.priv }}" + # listen_port: 51821 + # addresses: + # - 192.168.254.5/30 + # ip_snat: + # interface: "{{ network.primary.name }}" + # to: "{{ network.primary.overlay }}" + # port_forwardings: + # - dest: "{{ network.primary.overlay }}" + # tcp_ports: + # 422: 192.168.254.6:222 + # peers: + # - pub_key: "{{ hostvars['ele-router'].wireguard_keys.gwhetzner.pub }}" + # allowed_ips: + # - 192.168.254.6/32 + # - 192.168.20.0/24 wireguard_p2p_interface: diff --git a/inventory/host_vars/ele-media.yml b/inventory/host_vars/ele-media.yml index 7aab28bb..6b071894 100644 --- a/inventory/host_vars/ele-media.yml +++ b/inventory/host_vars/ele-media.yml @@ -24,7 +24,7 @@ admin_users_host: apt_repo_components: - main - contrib ## for zfs - - non-free ## for microcode updates + - non-free-firmware spreadspace_apt_repo_components: - container |
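Review bot: The wg-emc tunnel is commented out rather than removed, leaving eighteen lines of dead configuration in the inventory with no indication of why it is disabled or whether it will return; git history already preserves the block, so deleting it is cleaner. If it must stay, a one-line header such as `# wg-emc: disabled <reason>, re-enable or delete by <date>` would keep the intent readable. Whether the wireguard role actually tears down the 51821 listener and the 422 -> 192.168.254.6:222 forwarding on the gateway once the key vanishes from `wireguard_gateway_tunnels` is not visible here and is worth confirming on the host.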