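---
# Post-install setup for the host sk-2019: CPU microcode, LUKS volumes,
# ZFS pools and snapshots, plus the glue that lets the box come back up
# after a reboot without anyone typing a passphrase on the console.
- name: Basic Setup
  hosts: sk-2019
  roles:
    # - role: apt-repo/base
    # - role: core/base
    # - role: core/sshd/base
    # - role: core/zsh
    - role: core/cpu-microcode
    # - role: core/admin-users
    - role: storage/luks/volumes
    - role: storage/zfs/pools
    - role: apt-repo/spreadspace
    - role: storage/zfs/sanoid
  tasks:
    # Manual fallback: open every LUKS volume from luks_volumes, bring the
    # ZFS services back, mount everything, then restart the services that
    # live on the encrypted storage.
    - name: install post-boot script
      copy:
        dest: /usr/local/bin/post-boot
        mode: "0755"  # quoted so the octal literal reaches Ansible as a string
        content: |
          #!/bin/bash
          set -e
          {% for name, volume in luks_volumes.items() %}
          echo -e "opening crypto volume: \033[1;37m{{ name }}\033[0m"
          cryptsetup luksOpen '{{ volume.device }}' '{{ name }}'
          {% endfor %}
          systemctl restart zfs-import-cache.service
          systemctl restart zfs-mount.service
          systemctl restart zfs-share.service
          systemctl restart zfs-zed.service
          mount -a
          sleep 2
          systemctl restart mariadb.service
          systemctl restart apache2.service

    # Oneshot unit: rewrite "bind,nobootwait" to "bind,nofail" in /etc/fstab.
    # It has no [Install] section on purpose; the timer below triggers it.
    - name: install ispconfig fix systemd service unit
      copy:
        dest: /etc/systemd/system/fix-fstab.service
        content: |
          [Unit]
          Description=fix fstab entries made by ispconfig
          [Service]
          Type=oneshot
          ExecStart=/usr/bin/sed s/bind,nobootwait/bind,nofail/ -i /etc/fstab

    # Timer that fires the service above once a minute.
    # (Renamed from the service task: two tasks with the same name made
    # --start-at-task and log output ambiguous.)
    - name: install ispconfig fix systemd timer unit
      copy:
        dest: /etc/systemd/system/fix-fstab.timer
        content: |
          [Unit]
          Description=fix fstab entries made by ispconfig
          [Timer]
          OnCalendar=*-*-* *:*:00
          [Install]
          WantedBy=timers.target

    - name: enable and start fstab fix
      systemd:
        name: fix-fstab.timer
        daemon_reload: true  # true/false rather than yes/no: unambiguous across YAML 1.1/1.2 loaders
        enabled: true
        state: started

    ### the machine reboots often - make it so that no manual intervention is necessary
    ### of course this makes encrypting the disks a little bit silly...
    - name: create base dir for crypto volume key files
      file:
        path: /etc/cryptsetup-keys.d/
        state: directory
        mode: "0500"

    # One key file per volume, holding the passphrase verbatim (no trailing
    # newline, so cryptsetup reads exactly the same bytes as the passphrase).
    # no_log: the content is a secret; without it a verbose or --diff run
    # prints every passphrase into the Ansible output and any log shipping it.
    - name: generate key files for crypto volumes
      loop: "{{ luks_volumes | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
      no_log: true
      copy:
        dest: "/etc/cryptsetup-keys.d/{{ item.key }}.key"
        content: "{{ item.value.passphrase }}"
        mode: "0400"
      notify: rebuild initramfs

    # crypttab pointing each volume at its key file so the initramfs can
    # unlock it unattended; changing it requires rebuilding the initramfs.
    - name: generate crypttab
      copy:
        dest: /etc/crypttab
        content: |
          # ansible generated
          {% for name, volume in luks_volumes.items() %}
          {{ name }} {{ volume.device }} /etc/cryptsetup-keys.d/{{ name }}.key luks
          {% endfor %}
      notify: rebuild initramfs

  handlers:
    - name: rebuild initramfs
      command: dpkg-reconfigure initramfs-tools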
### TODO:
#
# zfs create -o quota=30G -o compress=lz4 storage/mysql
# zfs create -o quota=35G -o compress=lz4 storage/automysqlbackup
# zfs create -o quota=300G -o compress=lz4 storage/vmail
# zfs create -o quota=600G -o compress=lz4 storage/www
# zfs create -o quota=40G -o compress=lz4 storage/log
# zfs create -o quota=50G -o compress=lz4 storage/configz
# zfs create -o quota=20G -o compress=lz4 storage/backup
#
# mkdir -p /var/lib/mysql /var/lib/automysqlbackup /var/vmail /var/www /var/log/ispconfig /var/backup
# chmod 0000 /var/lib/mysql /var/lib/automysqlbackup /var/vmail /var/www /var/log/ispconfig /var/backup
# chattr +i /var/lib/mysql /var/lib/automysqlbackup /var/vmail /var/www /var/log/ispconfig /var/backup
#
### add to /etc/fstab:
##
## /srv/storage/mysql /var/lib/mysql none defaults,bind,x-systemd.automount,nofail 0 0
## /srv/storage/automysqlbackup /var/lib/automysqlbackup none defaults,bind,x-systemd.automount,nofail 0 0
## /srv/storage/vmail /var/vmail none defaults,bind,x-systemd.automount,nofail 0 0
## /srv/storage/www /var/www none defaults,bind,x-systemd.automount,nofail 0 0
## /srv/storage/log /var/log/ispconfig none defaults,bind,x-systemd.automount,nofail 0 0
## /srv/storage/backup /var/backup none defaults,bind,x-systemd.automount,nofail 0 0
#
# mount -a
#
########### manual post-boot
# cat /etc/fstab | grep "^/var/log" | awk '{ system("umount "$2) }'
# umount /srv/storage/www/clients/client2/web2/web/shared/fileadmin/wolke
# umount /srv/storage/www/clients/client2/web2/web/shared/fileadmin/wolke
# umount /srv/storage/www/clients/client2/web2/web/shared/fileadmin/wolke
# mount | grep systemd-1 | awk '{ print($3) }' | grep "^/var" | xargs umount
# mount | grep systemd-1 | awk '{ print($3) }' | grep "^/var" | xargs umount
# mount | grep systemd-1 | awk '{ print($3) }' | grep "^/var" | xargs umount
# rm -rf /srv/storage/*