
f909e54fbaf1c5d06bdaf4bb6e243fb41e0f8217 — Kridsada Thanabulpong 4 years ago b9eed9f
[chore] cleanup
M bootstrap.sh => bootstrap.sh +27 -37
@@ 1,47 1,36 @@
#!/bin/sh
#
# Bootstrap Ansible
#

_base_dir=$(cd "$(dirname "$0")/" || exit; pwd -P)
BASE_DIR=$(cd "$(dirname "$0")/" || exit; pwd -P)

_inventory_file="$_base_dir/hosts.yml"
_requirements_file="$_base_dir/requirements.yml"
_playbook_file="$_base_dir/playbook.yml"
INVENTORY_FILE="$BASE_DIR/inventory.yml"
REQUIREMENTS_FILE="$BASE_DIR/requirements.yml"
PLAYBOOK_FILE="$BASE_DIR/playbook.yml"

PLAYBOOK_BIN="ansible-playbook"
GALAXY_BIN="ansible-galaxy"

## Prepare
##

# FreeBSD uses `ansible-playbook-{PYVER}` for Python bins.
for v in "" "-2.7" "-3.6" "-3.7"; do
    if hash "ansible$v" 2>/dev/null; then
        _ansible_playbook="ansible-playbook$v"
        _ansible_galaxy="ansible-galaxy$v"
        break
    fi
done

if [ ! "$_ansible_playbook" ] || [ ! "$_ansible_galaxy" ]; then
    printf "No known Ansible versions found.\\n"
    exit 1
fi

if ! hash pass 2>/dev/null; then
    printf "Pass is required to be installed.\\n"
if [ ! "$PLAYBOOK_BIN" ] || [ ! "$GALAXY_BIN" ]; then
    echo "No suitable Ansible versions found."
    exit 1
fi

case "$FORCE_UPDATE_GALAXY" in
case "$UPDATE_GALAXY" in
    1 | y* | Y* | t* | T* )
        _ansible_galaxy_args="--force";;
        if ! "$GALAXY_BIN" install -f -r "$REQUIREMENTS_FILE"; then
            printf "Cannot install Galaxy roles.\\n"
            exit 1
        fi
        ;;

    * )
        _ansible_galaxy_args="";;
        ;;
esac


## Main
##

if ! "$_ansible_galaxy" install $_ansible_galaxy_args -r "$_requirements_file"; then
    printf "Cannot install Galaxy roles.\\n"
if ! command -v pass >/dev/null; then
    printf "Pass is required to be installed.\\n"
    exit 1
fi



@@ 52,11 41,12 @@ trap 'rm -f $_fifo && rmdir $_temp' 0 1 2 3 6 14 15
mkfifo "$_fifo"
pass Ansible/gridns.xyz > "$_fifo" &

env ANSIBLE_CONFIG="$_base_dir/ansible.cfg" \
        "$_ansible_playbook" \
        "$_playbook_file" \
        -i "$_inventory_file" \
exec \
    env ANSIBLE_CONFIG="$BASE_DIR/ansible.cfg" \
    "$PLAYBOOK_BIN" \
        "$PLAYBOOK_FILE" \
        --user=freebsd \
        --inventory "$INVENTORY_FILE" \
        --vault-password-file="$_fifo" \
        --ssh-common-args="-o StrictHostKeyChecking=no" \
        --ssh-common-args "-o StrictHostKeyChecking=no" \
        "$@"

M group_vars/all/main.yml => group_vars/all/main.yml +18 -16
@@ 4,7 4,6 @@

ansible_python_interpreter: /usr/local/bin/python3.6


## System tuning
##



@@ 14,7 13,6 @@ tuning_soacceptqueue: 4096

hardening_ssh_port: 4022


## Roles configurations
##



@@ 57,26 55,23 @@ doh_server_addresses:
  - "127.0.0.1:8053"

doh_server_upstream:
  - "127.0.0.1:1053"

  - "udp:127.0.0.1:1053"

# Nginx
#

nginx_accf_http: yes

nginx_accf_http_load: yes

nginx_accf_data: yes

nginx_access_log: /dev/null
nginx_accf_data_load: yes

nginx_drop_privileges_early: yes
nginx_access_log: /dev/null

nginx_error_log_level: warn

nginx_http_port: 1080

nginx_https_port: 1443

nginx_ipv6: yes

nginx_sites:


@@ 86,6 81,7 @@ nginx_sites:
      - path: /
        redirect_match: "^/(.*)$"
        redirect_target: "https://{{hostname}}/$1"

  - secure: yes
    dehydrated_cert: "{{hostname}}"
    domains:


@@ 114,13 110,19 @@ pf_allow_ipv6: yes

pf_ext_iface: vtnet0

pf_ipv4_forwarded_ports:
  - { port: "80", proto: tcp, address: "{{ipv4_address}}", dest_port: "1080" }
  - { port: "443", proto: tcp, address: "{{ipv4_address}}", dest_port: "1443" }
pf_ipv4_allowed_ports:
  - proto: tcp
    to_port: "80"

  - proto: tcp
    to_port: "443"

pf_ipv6_allowed_ports:
  - proto: tcp
    to_port: "80"

pf_ipv6_forwarded_ports:
  - { port: "80", proto: tcp, address: "{{ipv6_address}}", dest_port: "1080" }
  - { port: "443", proto: tcp, address: "{{ipv6_address}}", dest_port: "1443" }
  - proto: tcp
    to_port: "443"

pf_ssh_port: 4022
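Review bot: The pf rules in the last hunk replace `pf_ipv4_forwarded_ports` (80→1080, 443→1443) with `pf_ipv4_allowed_ports` for 80 and 443, with the same switch for IPv6, while the unchanged `nginx_http_port: 1080` and `nginx_https_port: 1443` context lines earlier in the file still put nginx on the high ports. If the forwarded_ports entries are indeed the removed side, nothing redirects external 80/443 to 1080/1443 any more and inbound HTTP/HTTPS would simply be dropped by pf, unless the nginx role binds the low ports itself when `nginx_drop_privileges_early: yes` is set, which this diff does not show. Either keeping the rdr entries alongside the allow rules or moving `nginx_http_port`/`nginx_https_port` to 80/443 would make the two halves agree. A short comment above `pf_ipv4_allowed_ports` stating which component owns the low ports would spare the next reader the same question.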


R hosts.yml => inventory.yml +0 -0
M playbook.yml => playbook.yml +0 -2
@@ 74,7 74,6 @@
      tags:
        - ntpd


## DNS
##



@@ 90,7 89,6 @@
      tags:
        - unbound


## HTTP
##


M roles/unbound-blocklist/tasks/main.yml => roles/unbound-blocklist/tasks/main.yml +2 -8
@@ 2,16 2,14 @@
## Install
##

- name: install
- name: install snooze
  become: yes
  pkgng:
    name:
      - snooze
    name: snooze
    state: latest
  notify:
    - restart unbound-blocklist


## Configure
##



@@ 24,7 22,6 @@
    group: wheel
    mode: 0755


- name: copy unbound-blocklist configuration
  become: yes
  copy:


@@ 34,7 31,6 @@
    group: wheel
    mode: 0600


## Setup
##



@@ 62,7 58,6 @@
  args:
    creates: /usr/local/etc/unbound-blocklist/blocklist.conf


## Supervise
##



@@ 115,7 110,6 @@
    - rescan s6
    - restart unbound-blocklist logger


## Per-role flush
##


M roles/unbound/tasks/main.yml => roles/unbound/tasks/main.yml +1 -4
@@ 6,11 6,10 @@
  become: yes
  pkgng:
    name: unbound
    state: present
    state: latest
  notify:
    - restart unbound


## Configure
##



@@ 47,7 46,6 @@
  register: unbound_root_key
  failed_when: unbound_root_key.rc > 1


## Supervise
##



@@ 86,7 84,6 @@
    - rescan s6
    - restart unbound logger


## Per-role flush
##


M roles/unbound/templates/unbound.conf.j2 => roles/unbound/templates/unbound.conf.j2 +7 -7
@@ 2,15 2,15 @@ server:
    verbosity: {{unbound_verbosity}}

{% for address in unbound_addresses %}
    interface: {{address}}
    interface: "{{address}}"
{% endfor %}
    port: {{unbound_port}}
{% if unbound_drop_privileges_early %}
    username: ""
    chroot: ""
{% else %}
    username: unbound
    chroot: /usr/local/etc/unbound
    username: "unbound"
    chroot: "/usr/local/etc/unbound"
{% endif %}
    use-syslog: no
    logfile: ""


@@ 39,9 39,9 @@ server:
    hide-identity: {{"yes" if unbound_hide_identity else "no"}}
    hide-version: {{"yes" if unbound_hide_version else "no"}}

    auto-trust-anchor-file: /usr/local/etc/unbound/root.key
    dlv-anchor-file: /usr/local/etc/unbound/dlv.isc.org.key
    root-hints: /usr/local/etc/unbound/named.cache
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
    dlv-anchor-file: "/usr/local/etc/unbound/dlv.isc.org.key"
    root-hints: "/usr/local/etc/unbound/named.cache"
{% if unbound_tls_cert_bundle %}
    tls-cert-bundle: "{{unbound_tls_cert_bundle}}"
{% endif %}


@@ 54,7 54,7 @@ server:
{% if unbound_includes %}

{% for inc in unbound_includes %}
    include: {{inc}}
    include: "{{inc}}"
{% endfor %}
{% endif %}
{% for zone in unbound_forward_zones %}
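Review bot: `dlv-anchor-file: "/usr/local/etc/unbound/dlv.isc.org.key"` in the second hunk is carried over into the quoted form, but ISC's DNSSEC Lookaside Validation registry was decommissioned in 2017 and now serves an empty zone, so the line contributes nothing to validation, and later Unbound releases have dropped DLV support, leaving the option at best ignored. Removing the line (and the key file the role ships for it) is the safe change; `auto-trust-anchor-file` already provides the root trust anchor. The remaining changes in this file only add quoting around values and look equivalent to the old lines.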