Diffstat (limited to 'dan/ele-helene.yml')
-rw-r--r-- | dan/ele-helene.yml | 135 |
1 files changed, 84 insertions, 51 deletions
diff --git a/dan/ele-helene.yml b/dan/ele-helene.yml
index b65a3d34..b2635fc0 100644
--- a/dan/ele-helene.yml
+++ b/dan/ele-helene.yml
@@ -7,55 +7,88 @@
 - role: core/sshd/base
 - role: core/zsh
 - role: core/cpu-microcode
- - role: core/ntp
- - role: core/admin-users
 - role: apt-repo/spreadspace
- - role: monitoring/prometheus/exporter
- - role: streaming/blackmagic/desktopvideo
- post_tasks:
- ## this is needed for local rtmp proxy
- - name: install interface config for guest vlan
- copy:
- content: |
- auto {{ ansible_default_ipv4.interface }}.{{ network_zones.guest.vlan }}
- iface {{ ansible_default_ipv4.interface }}.{{ network_zones.guest.vlan }} inet static
- address {{ network_zones.guest.prefix | ipaddr(network_zones.guest.offsets[inventory_hostname]) | ipaddr('address/prefix') }}
- dest: "/etc/network/interfaces.d/{{ ansible_default_ipv4.interface }}.{{ network_zones.guest.vlan }}"
-
- - name: prepare storage volume for recordings
- vars:
- storage_volume:
- vg: "{{ host_name }}"
- lv: recordings
- size: 200g
- fs: ext4
- dest: /srv/recordings
- import_role:
- name: storage/lvm/volume
-
- - name: install lm-sensors and i7z
- apt:
- name:
- - lm-sensors
- - i7z
-
- - name: load modules for lm-sensors
- vars:
- sensors_modules:
- - coretemp
- block:
- - name: load special modules for lm-sensors
- loop: "{{ sensors_modules }}"
- modprobe:
- name: "{{ item }}"
- state: present
-
- - name: make sure sensor modules are loaded on reboot
- copy:
- content: |
- # Ansible managed
-
- {% for module in sensors_modules %}
- {{ module }}
- {% endfor %}
- dest: /etc/modules-load.d/sensors.conf
+# - role: monitoring/prometheus/exporter
+ - role: vm/host/base
+ - role: vm/host/network
+ - role: installer/debian/base
+# - role: installer/openbsd/base
+ # post_tasks:
+ # - name: install smstools
+ # apt:
+ # name: smstools
+ # state: present
+
+ # - name: add user for sachet
+ # user:
+ # name: sachet
+ # system: yes
+ # home: /nonexistent
+ # create_home: no
+ # groups: smsd
+ # append: yes
+
+ # - name: create sachet config directory
+ # file:
+ # path: /etc/sachet
+ # state: directory
+
+ # - name: install sachet config file
+ # copy:
+ # dest: /etc/sachet/config.yml
+ # content: |
+ # providers:
+ # smstools:
+ # outgoing_dir: /var/spool/sms/outgoing
+
+ # receivers:
+ # - name: equinox
+ # provider: smstools
+ # to:
+ # - '+436644800222'
+
+ # - name: install systemd service unit for sachet
+ # copy:
+ # dest: /etc/systemd/system/sachet.service
+ # content: |
+ # [Unit]
+ # Description=Sachet SMS Daemon for Prometheus Alertmanager
+
+ # [Service]
+ # Restart=on-failure
+ # User=sachet
+ # ExecStart=/usr/local/bin/sachet -config /etc/sachet/config.yml
+
+ # # systemd hardening-options
+ # AmbientCapabilities=
+ # CapabilityBoundingSet=
+ # DeviceAllow=/dev/null rw
+ # DevicePolicy=strict
+ # LimitMEMLOCK=0
+ # LimitNOFILE=8192
+ # LockPersonality=true
+ # MemoryDenyWriteExecute=true
+ # NoNewPrivileges=true
+ # PrivateDevices=true
+ # PrivateTmp=true
+ # PrivateUsers=true
+ # ProtectControlGroups=true
+ # ProtectHome=true
+ # ProtectKernelModules=true
+ # ProtectKernelTunables=true
+ # ProtectSystem=full
+ # ReadWritePaths=/var/spool/sms/outgoing
+ # RemoveIPC=true
+ # RestrictNamespaces=true
+ # RestrictRealtime=true
+ # SystemCallArchitectures=native
+
+ # [Install]
+ # WantedBy=multi-user.target
+
+ # ## TODO:
+ # ## - configure smstools
+ # ## - build sachet using this branch: https://github.com/spreadspace/sachet/tree/topic/add-smstools
+ # ## - copy binary to /usr/local/bin/sachet
+ # ## - $ systemctl daemon-reload
+ # ## - $ systemctl enable --now sachet |
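Review bot: Nothing in this hunk shows what replaces `core/ntp`, `core/admin-users` and the now commented-out `monitoring/prometheus/exporter` on this host, so as written a VM host appears to lose time sync, managed admin accounts and metrics. The play header and the other roles are outside the hunk, so this may be covered elsewhere; if so, a comment above the role list such as `# ntp and admin-users are now provided by <ROLE_PLACEHOLDER>; exporter disabled until <REASON_PLACEHOLDER>` would make that reviewable. In the parked sachet block, `ProtectSystem=full` leaves /var writable, so `ReadWritePaths=/var/spool/sms/outgoing` only restricts anything once the line is changed to `ProtectSystem=strict`. The same block commits the receiver number in clear text under `to:`; before the tasks are enabled it would be better taken from a vaulted variable, and the TODO's build step should name a pinned commit rather than a moving topic branch.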