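---
# Play for host sk-2019: applies the cpu-microcode / LUKS / ZFS roles, installs a
# manual post-boot helper, a systemd timer that patches ispconfig's fstab entries,
# and the key files + crypttab needed to open the LUKS volumes without a prompt.
- name: Basic Setup
  hosts: sk-2019
  roles:
  # - role: apt-repo/base
  # - role: core/base
  # - role: core/sshd/base
  # - role: core/zsh
  - role: core/cpu-microcode
  # - role: core/users
  - role: storage/luks/base
  - role: storage/zfs/base
  - role: apt-repo/spreadspace
  - role: storage/zfs/sanoid
  tasks:
  # Interactive helper: opens every volume listed in luks_devices, restarts the
  # ZFS units, re-mounts /etc/fstab and then restarts the services that live on
  # the encrypted storage.
  - name: install post-boot script
    copy:
      dest: /usr/local/bin/post-boot
      # octal modes are quoted so the YAML parser never reinterprets them as ints
      mode: "0755"
      content: |
        #!/bin/bash
        set -e

        {% for name, volume in luks_devices.items() %}
        echo -e "opening crypto volume: \033[1;37m{{ name }}\033[0m"
        cryptsetup luksOpen '{{ volume.device }}' '{{ name }}'
        {% endfor %}

        systemctl restart zfs-import-cache.service
        systemctl restart zfs-mount.service
        systemctl restart zfs-share.service
        systemctl restart zfs-zed.service
        mount -a

        sleep 2
        systemctl restart mariadb.service
        systemctl restart apache2.service

  # oneshot unit run by the timer below; rewrites the mount option ispconfig
  # keeps putting back into /etc/fstab
  - name: install ispconfig fix systemd service unit
    copy:
      dest: /etc/systemd/system/fix-fstab.service
      # explicit mode so the result does not depend on the remote umask
      mode: "0644"
      content: |
        [Unit]
        Description=fix fstab entries made by ispconfig

        [Service]
        Type=oneshot
        ExecStart=/usr/bin/sed s/bind,nobootwait/bind,nofail/ -i /etc/fstab

  # runs fix-fstab.service once every minute
  - name: install ispconfig fix systemd timer unit
    copy:
      dest: /etc/systemd/system/fix-fstab.timer
      mode: "0644"
      content: |
        [Unit]
        Description=fix fstab entries made by ispconfig

        [Timer]
        OnCalendar=*-*-* *:*:00

        [Install]
        WantedBy=timers.target

  # daemon_reload picks up the unit files written above before enabling the timer
  - name: enable and start fstab fix
    systemd:
      name: fix-fstab.timer
      daemon_reload: true
      enabled: true
      state: started

  ### the machine reboots often - make it so that no manual intervention is necessary
  ### of course this makes encrypting the disks a little bit silly...
  - name: create base dir for crypto volume key files
    file:
      path: /etc/cryptsetup-keys.d/
      state: directory
      mode: "0500"

  # The key file content is the LUKS passphrase itself: no_log keeps it out of
  # verbose/diff output and callback logs.
  - name: generate key files for crypto volumes
    loop: "{{ luks_devices | dict2items }}"
    loop_control:
      label: "{{ item.key }}"
    no_log: true
    copy:
      dest: "/etc/cryptsetup-keys.d/{{ item.key }}.key"
      content: "{{ item.value.passphrase }}"
      mode: "0400"
    notify: rebuild initramfs

  # one crypttab line per volume, pointing at the key file generated above
  - name: generate crypttab
    copy:
      dest: /etc/crypttab
      content: |
        # ansible generated
        {% for name, volume in luks_devices.items() %}
        {{ name }}  {{ volume.device }}  /etc/cryptsetup-keys.d/{{ name }}.key  luks
        {% endfor %}
    notify: rebuild initramfs

  handlers:
  # key files and crypttab are consumed at boot, so the initramfs must be rebuilt
  - name: rebuild initramfs
    command: dpkg-reconfigure initramfs-tools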


### TODO:
#
# zfs create -o quota=30G -o compress=lz4 storage/mysql
# zfs create -o quota=35G -o compress=lz4 storage/automysqlbackup
# zfs create -o quota=300G -o compress=lz4 storage/vmail
# zfs create -o quota=600G -o compress=lz4 storage/www
# zfs create -o quota=40G -o compress=lz4 storage/log
# zfs create -o quota=50G -o compress=lz4 storage/configz
# zfs create -o quota=20G -o compress=lz4 storage/backup
#
# mkdir -p   /var/lib/mysql /var/lib/automysqlbackup /var/vmail /var/www /var/log/ispconfig /var/backup
# chmod 0000 /var/lib/mysql /var/lib/automysqlbackup /var/vmail /var/www /var/log/ispconfig /var/backup
# chattr +i  /var/lib/mysql /var/lib/automysqlbackup /var/vmail /var/www /var/log/ispconfig /var/backup
#
### add to /etc/fstab:
##
## /srv/storage/mysql            /var/lib/mysql             none  defaults,bind,x-systemd.automount,nofail    0 0
## /srv/storage/automysqlbackup  /var/lib/automysqlbackup   none  defaults,bind,x-systemd.automount,nofail    0 0
## /srv/storage/vmail            /var/vmail                 none  defaults,bind,x-systemd.automount,nofail    0 0
## /srv/storage/www              /var/www                   none  defaults,bind,x-systemd.automount,nofail    0 0
## /srv/storage/log              /var/log/ispconfig         none  defaults,bind,x-systemd.automount,nofail    0 0
## /srv/storage/backup           /var/backup                none  defaults,bind,x-systemd.automount,nofail    0 0
#
# mount -a
#


########### manual post-boot

# cat /etc/fstab | grep "^/var/log" | awk '{ system("umount "$2) }'
# umount /srv/storage/www/clients/client2/web2/web/shared/fileadmin/wolke
# umount /srv/storage/www/clients/client2/web2/web/shared/fileadmin/wolke
# umount /srv/storage/www/clients/client2/web2/web/shared/fileadmin/wolke
# mount | grep systemd-1 | awk '{ print($3) }' | grep "^/var" | xargs umount
# mount | grep systemd-1 | awk '{ print($3) }' | grep "^/var" | xargs umount
# mount | grep systemd-1 | awk '{ print($3) }' | grep "^/var" | xargs umount
# rm -rf  /srv/storage/*