M bootstrap.sh => bootstrap.sh +27 -37
@@ 1,47 1,36 @@
#!/bin/sh
+#
+# Bootstrap Ansible
+#
-_base_dir=$(cd "$(dirname "$0")/" || exit; pwd -P)
+BASE_DIR=$(cd "$(dirname "$0")/" || exit; pwd -P)
-_inventory_file="$_base_dir/hosts.yml"
-_requirements_file="$_base_dir/requirements.yml"
-_playbook_file="$_base_dir/playbook.yml"
+INVENTORY_FILE="$BASE_DIR/inventory.yml"
+REQUIREMENTS_FILE="$BASE_DIR/requirements.yml"
+PLAYBOOK_FILE="$BASE_DIR/playbook.yml"
+PLAYBOOK_BIN="ansible-playbook"
+GALAXY_BIN="ansible-galaxy"
-## Prepare
-##
-
-# FreeBSD uses `ansible-playbook-{PYVER}` for Python bins.
-for v in "" "-2.7" "-3.6" "-3.7"; do
- if hash "ansible$v" 2>/dev/null; then
- _ansible_playbook="ansible-playbook$v"
- _ansible_galaxy="ansible-galaxy$v"
- break
- fi
-done
-
-if [ ! "$_ansible_playbook" ] || [ ! "$_ansible_galaxy" ]; then
- printf "No known Ansible versions found.\\n"
- exit 1
-fi
-
-if ! hash pass 2>/dev/null; then
- printf "Pass is required to be installed.\\n"
+if [ ! "$PLAYBOOK_BIN" ] || [ ! "$GALAXY_BIN" ]; then
+ echo "No suitable Ansible versions found."
exit 1
fi
-case "$FORCE_UPDATE_GALAXY" in
+case "$UPDATE_GALAXY" in
1 | y* | Y* | t* | T* )
- _ansible_galaxy_args="--force";;
+ if ! "$GALAXY_BIN" install -f -r "$REQUIREMENTS_FILE"; then
+ printf "Cannot install Galaxy roles.\\n"
+ exit 1
+ fi
+ ;;
+
* )
- _ansible_galaxy_args="";;
+ ;;
esac
-
-## Main
-##
-
-if ! "$_ansible_galaxy" install $_ansible_galaxy_args -r "$_requirements_file"; then
- printf "Cannot install Galaxy roles.\\n"
+if ! command -v pass >/dev/null; then
+ printf "Pass is required to be installed.\\n"
exit 1
fi
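Review bot: The guard `if [ ! "$PLAYBOOK_BIN" ] || [ ! "$GALAXY_BIN" ]` can never fire, because both variables are assigned non-empty literals a few lines above, so a host without Ansible now passes the check and fails later with a bare "command not found" instead of the intended message. The `hash` probe was lost together with the per-version loop; the same probe style used for `pass` at the end of the hunk restores it: `if ! command -v "$PLAYBOOK_BIN" >/dev/null || ! command -v "$GALAXY_BIN" >/dev/null; then`. The message on the next line uses `echo` while every other diagnostic in the file uses `printf`; `printf "No suitable Ansible versions found.\\n" >&2` keeps them uniform and sends it to stderr where the rest should go too.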
@@ 52,11 41,12 @@ trap 'rm -f $_fifo && rmdir $_temp' 0 1 2 3 6 14 15
mkfifo "$_fifo"
pass Ansible/gridns.xyz > "$_fifo" &
-env ANSIBLE_CONFIG="$_base_dir/ansible.cfg" \
- "$_ansible_playbook" \
- "$_playbook_file" \
- -i "$_inventory_file" \
+exec \
+ env ANSIBLE_CONFIG="$BASE_DIR/ansible.cfg" \
+ "$PLAYBOOK_BIN" \
+ "$PLAYBOOK_FILE" \
--user=freebsd \
+ --inventory "$INVENTORY_FILE" \
--vault-password-file="$_fifo" \
- --ssh-common-args="-o StrictHostKeyChecking=no" \
+ --ssh-common-args "-o StrictHostKeyChecking=no" \
"$@"
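Review bot: `exec` on the first added line replaces the shell with ansible-playbook, so the `trap 'rm -f $_fifo && rmdir $_temp' 0 ...` visible in the hunk header (set outside the hunk) never runs and the fifo and its temporary directory are left behind after every run. Dropping the `exec \` line restores the cleanup, and because the playbook invocation is the script's last command the script's exit status is still the playbook's. The background `pass … > "$_fifo" &` writer is never waited on either, so if ansible-playbook exits before opening the fifo the `pass` process may stay blocked on its open; a `wait` after the playbook would cover that once `exec` is gone. The re-touched `--ssh-common-args "-o StrictHostKeyChecking=no"` disables host-key verification on every run; with the inventory living in the repository, a committed known_hosts file passed via `-o UserKnownHostsFile=` keeps first-contact convenience without accepting any key presented. `$_fifo` and `$_temp` also keep the old `_`-prefixed naming the commit otherwise replaces with upper-case names.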
M group_vars/all/main.yml => group_vars/all/main.yml +18 -16
@@ 4,7 4,6 @@
ansible_python_interpreter: /usr/local/bin/python3.6
-
## System tuning
##
@@ 14,7 13,6 @@ tuning_soacceptqueue: 4096
hardening_ssh_port: 4022
-
## Roles configurations
##
@@ 57,26 55,23 @@ doh_server_addresses:
- "127.0.0.1:8053"
doh_server_upstream:
- - "127.0.0.1:1053"
-
+ - "udp:127.0.0.1:1053"
# Nginx
#
nginx_accf_http: yes
+nginx_accf_http_load: yes
+
nginx_accf_data: yes
-nginx_access_log: /dev/null
+nginx_accf_data_load: yes
-nginx_drop_privileges_early: yes
+nginx_access_log: /dev/null
nginx_error_log_level: warn
-nginx_http_port: 1080
-
-nginx_https_port: 1443
-
nginx_ipv6: yes
nginx_sites:
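Review bot: `nginx_drop_privileges_early: yes` is removed on the line after `nginx_access_log` with no replacement, in the same change that drops the 1080/1443 ports and (in the pf hunk below) switches from forwarding to allowing 80/443 directly. If nginx now binds the privileged ports itself, the role's default for that key decides how long the master process keeps root, and the removal reads like a side effect of reordering rather than a deliberate choice; re-adding the explicit setting, or a one-line comment stating the intended default, would make it reviewable. The role that consumes these keys is outside this diff, so this is inferred from the variable names.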
@@ 86,6 81,7 @@ nginx_sites:
- path: /
redirect_match: "^/(.*)$"
redirect_target: "https://{{hostname}}/$1"
+
- secure: yes
dehydrated_cert: "{{hostname}}"
domains:
@@ 114,13 110,19 @@ pf_allow_ipv6: yes
pf_ext_iface: vtnet0
-pf_ipv4_forwarded_ports:
- - { port: "80", proto: tcp, address: "{{ipv4_address}}", dest_port: "1080" }
- - { port: "443", proto: tcp, address: "{{ipv4_address}}", dest_port: "1443" }
+pf_ipv4_allowed_ports:
+ - proto: tcp
+ to_port: "80"
+
+ - proto: tcp
+ to_port: "443"
+
+pf_ipv6_allowed_ports:
+ - proto: tcp
+ to_port: "80"
-pf_ipv6_forwarded_ports:
- - { port: "80", proto: tcp, address: "{{ipv6_address}}", dest_port: "1080" }
- - { port: "443", proto: tcp, address: "{{ipv6_address}}", dest_port: "1443" }
+ - proto: tcp
+ to_port: "443"
pf_ssh_port: 4022
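Review bot: The new `pf_ipv4_allowed_ports` and `pf_ipv6_allowed_ports` lists are identical and will drift apart on the next edit; a YAML anchor keeps them in sync: `pf_ipv4_allowed_ports: &web_ports` on the first list and `pf_ipv6_allowed_ports: *web_ports` for the second. Ansible's YAML loader supports anchors and aliases in group_vars, so no role change is needed.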
R hosts.yml => inventory.yml +0 -0
M playbook.yml => playbook.yml +0 -2
@@ 74,7 74,6 @@
tags:
- ntpd
-
## DNS
##
@@ 90,7 89,6 @@
tags:
- unbound
-
## HTTP
##
M roles/unbound-blocklist/tasks/main.yml => roles/unbound-blocklist/tasks/main.yml +2 -8
@@ 2,16 2,14 @@
## Install
##
-- name: install
+- name: install snooze
become: yes
pkgng:
- name:
- - snooze
+ name: snooze
state: latest
notify:
- restart unbound-blocklist
-
## Configure
##
@@ 24,7 22,6 @@
group: wheel
mode: 0755
-
- name: copy unbound-blocklist configuration
become: yes
copy:
@@ 34,7 31,6 @@
group: wheel
mode: 0600
-
## Setup
##
@@ 62,7 58,6 @@
args:
creates: /usr/local/etc/unbound-blocklist/blocklist.conf
-
## Supervise
##
@@ 115,7 110,6 @@
- rescan s6
- restart unbound-blocklist logger
-
## Per-role flush
##
M roles/unbound/tasks/main.yml => roles/unbound/tasks/main.yml +1 -4
@@ 6,11 6,10 @@
become: yes
pkgng:
name: unbound
- state: present
+ state: latest
notify:
- restart unbound
-
## Configure
##
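Review bot: Changing `state: present` to `state: latest` makes this task report changed whenever the package repository publishes a newer unbound, and the `notify: restart unbound` on the following lines then restarts the resolver in the middle of a run that was not meant to upgrade anything. If unattended upgrades on every run are the intent, a comment such as `# latest: upgrade and restart unbound on every run (intentional)` keeps the next reader from reverting it; otherwise `present` plus a dedicated upgrade play gives control over when the resolver restarts. The unbound-blocklist install task earlier in the diff already used `latest` before this change.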
@@ 47,7 46,6 @@
register: unbound_root_key
failed_when: unbound_root_key.rc > 1
-
## Supervise
##
@@ 86,7 84,6 @@
- rescan s6
- restart unbound logger
-
## Per-role flush
##
M roles/unbound/templates/unbound.conf.j2 => roles/unbound/templates/unbound.conf.j2 +7 -7
@@ 2,15 2,15 @@ server:
verbosity: {{unbound_verbosity}}
{% for address in unbound_addresses %}
- interface: {{address}}
+ interface: "{{address}}"
{% endfor %}
port: {{unbound_port}}
{% if unbound_drop_privileges_early %}
username: ""
chroot: ""
{% else %}
- username: unbound
- chroot: /usr/local/etc/unbound
+ username: "unbound"
+ chroot: "/usr/local/etc/unbound"
{% endif %}
use-syslog: no
logfile: ""
@@ 39,9 39,9 @@ server:
hide-identity: {{"yes" if unbound_hide_identity else "no"}}
hide-version: {{"yes" if unbound_hide_version else "no"}}
- auto-trust-anchor-file: /usr/local/etc/unbound/root.key
- dlv-anchor-file: /usr/local/etc/unbound/dlv.isc.org.key
- root-hints: /usr/local/etc/unbound/named.cache
+ auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
+ dlv-anchor-file: "/usr/local/etc/unbound/dlv.isc.org.key"
+ root-hints: "/usr/local/etc/unbound/named.cache"
{% if unbound_tls_cert_bundle %}
tls-cert-bundle: "{{unbound_tls_cert_bundle}}"
{% endif %}
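Review bot: `dlv-anchor-file: "/usr/local/etc/unbound/dlv.isc.org.key"` is re-quoted here, but the DLV registry it points at was retired by ISC in 2017 and has been empty since, so the option contributes nothing to validation; recent unbound releases warn about or ignore it (check the target's package version). Dropping the line removes a dead trust path from the resolver configuration. The `auto-trust-anchor-file` line above it is the one that still matters and is unaffected.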
@@ 54,7 54,7 @@ server:
{% if unbound_includes %}
{% for inc in unbound_includes %}
- include: {{inc}}
+ include: "{{inc}}"
{% endfor %}
{% endif %}
{% for zone in unbound_forward_zones %}