From e7492b10e356a1b5cd78875bdee8c088d554380e Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Sat, 25 Feb 2023 15:35:35 +0100
Subject: [PATCH] move from homeservers repo
---
 ansible.cfg | 8 ++++++
 inventory/group_vars/all.yml | 9 +++++++
 inventory/hosts.yml | 7 ++++++
 playbooks/all.yml | 6 +++++
 roles/borg/tasks/main.yml | 22 ++++++++++++++++
 roles/common/tasks/main.yml | 7 ++++++
 roles/system/files/ssh_host_ed25519_key | 25 +++++++++++++++++++
 roles/system/tasks/main.yml | 15 +++++++++++
 .../templates/ssh_host_ed25519_key.pub.j2 | 1 +
 util/secret-service-client.sh | 10 ++++++++
 10 files changed, 110 insertions(+)
 create mode 100644 ansible.cfg
 create mode 100644 inventory/group_vars/all.yml
 create mode 100644 inventory/hosts.yml
 create mode 100644 playbooks/all.yml
 create mode 100644 roles/borg/tasks/main.yml
 create mode 100644 roles/common/tasks/main.yml
 create mode 100644 roles/system/files/ssh_host_ed25519_key
 create mode 100644 roles/system/tasks/main.yml
 create mode 100644 roles/system/templates/ssh_host_ed25519_key.pub.j2
 create mode 100755 util/secret-service-client.sh
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..5f42fc7
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,8 @@
+[defaults]
+roles_path=~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:roles
+inventory=inventory
+vault_password_file=util/secret-service-client.sh
+interpreter_python=/usr/bin/python3
+
+[diff]
+always = True
diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml
new file mode 100644
index 0000000..1ee4f48
--- /dev/null
+++ b/inventory/group_vars/all.yml
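Review bot: `roles_path` puts `~/.ansible/roles`, `/usr/share/ansible/roles` and `/etc/ansible/roles` ahead of the repository's own `roles` directory, so any role named `common`, `system` or `borg` installed on the controller shadows the checked-in one without warning. Listing the repo directory first, `roles_path=roles:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles`, binds the playbook to this repository's roles. `always = True` under `[diff]` also makes every file-changing task print before/after content, which includes the `Copy host private key` task in roles/system/tasks/main.yml; unless the copy module is known to mask vaulted sources in diff output, that task should carry `no_log: true` so the decrypted host key never reaches run logs or CI output.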
@@ -0,0 +1,9 @@
+borg_public_key: "AAAAC3NzaC1lZDI1NTE5AAAAIBTag7YToG5W+H2kEUz40kOH+7cs0Lp3owFFKkmHBiWM"
+dataserver_public_key: "AAAAC3NzaC1lZDI1NTE5AAAAIJsLVptkoOwmxs6DnenN8u7Q1Tm/Psh0QdI6vjrTgb6D"
+kingston1tb_mount_point: "/mnt/kingston1TB"
+kingston1tb_uuid: "622a8d81-aa2f-460b-a563-c3cdb6285609"
+backup_location: "{{ kingston1tb_mount_point }}/homeserver_backup"
+
+admin_public_keys:
+ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop"
+ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim"
diff --git a/inventory/hosts.yml b/inventory/hosts.yml
new file mode 100644
index 0000000..a196063
--- /dev/null
+++ b/inventory/hosts.yml
@@ -0,0 +1,7 @@
+all:
+ children:
+ dataserver:
+ hosts:
+ lewis:
+ ansible_user: root
+ ansible_host: lewis.lan
diff --git a/playbooks/all.yml b/playbooks/all.yml
new file mode 100644
index 0000000..e5ab377
--- /dev/null
+++ b/playbooks/all.yml
@@ -0,0 +1,6 @@
+- name: Setup homeserver
+ hosts: dataserver
+ roles:
+ - {role: 'common', tags: 'common'}
+ - {role: 'system', tags: 'system'}
+ - {role: 'borg', tags: 'borg'}
diff --git a/roles/borg/tasks/main.yml b/roles/borg/tasks/main.yml
new file mode 100644
index 0000000..ff4c687
--- /dev/null
+++ b/roles/borg/tasks/main.yml
@@ -0,0 +1,22 @@
+- name: Create extra disk moint point
+ file:
+ path: "{{ kingston1tb_mount_point }}"
+ state: directory
+- name: Mount extra disk
+ ansible.posix.mount:
+ path: "{{kingston1tb_mount_point }}"
+ src: "UUID={{ kingston1tb_uuid }}"
+ fstype: ext4
+ passno: 1
+ state: present
+- name: Install borg
+ apt:
+ name: borgbackup
+- name: Add Borg public key
+ authorized_key:
+ key: "ssh-ed25519 {{ borg_public_key }} root@max"
+ user: "{{ ansible_user_id }}"
+- name: Create Borg repository
+ command:
+ cmd: "borg init -e none {{ backup_location }}"
+ creates: "{{ backup_location }}"
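Review bot: `state: present` on the `Mount extra disk` task only writes the fstab entry and does not mount the disk, so on a fresh host the later `borg init` runs against an unmounted `/mnt/kingston1TB` and creates the repository on the root filesystem instead of the backup disk; `state: mounted` both records the entry and mounts it, and `passno: 2` is the usual value for a non-root filesystem. Separately, the Borg key is added to root's authorized_keys with no restrictions although it exists only to push backups; `key_options: 'command="borg serve --restrict-to-repository {{ backup_location }}",restrict'` limits what the key can do if the backup client is ever compromised. Minor: `"{{kingston1tb_mount_point }}"` is missing the space after `{{`, and "moint point" in the first task name is a typo.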
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..7a8f229
--- /dev/null
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,7 @@
+- name: APT upgrade
+ apt:
+ autoremove: true
+ upgrade: yes
+ state: latest
+ update_cache: yes
+ cache_valid_time: 86400 # One day
diff --git a/roles/system/files/ssh_host_ed25519_key b/roles/system/files/ssh_host_ed25519_key
new file mode 100644
index 0000000..1629458
--- /dev/null
+++ b/roles/system/files/ssh_host_ed25519_key
@@ -0,0 +1,25 @@
+$ANSIBLE_VAULT;1.1;AES256 +38633038656332643033396338303864343332636434633331366266383235316235313236646361 +6634313931303637616535373966316165656564366437330a393465356237626631303063363061 +62323737343635316139636664663937333233323737376238656566633037613938383737306132 +6237633230623962320a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
diff --git a/roles/system/tasks/main.yml b/roles/system/tasks/main.yml
new file mode 100644
index 0000000..c7c4d30
--- /dev/null
+++ b/roles/system/tasks/main.yml
@@ -0,0 +1,15 @@
+- name: Add admins' authorized keys
+ authorized_key:
+ key: "{{ item }}"
+ user: "{{ ansible_user_id }}"
+ loop: "{{ admin_public_keys }}"
+- name: Copy host public key
+ template:
+ src: "{{ role_path }}/templates/ssh_host_ed25519_key.pub.j2"
+ dest: "/etc/ssh/ssh_host_ed25519_key.pub"
+ mode: 0644
+- name: Copy host private key
+ copy:
+ src: "{{ role_path }}/files/ssh_host_ed25519_key"
+ dest: "/etc/ssh/ssh_host_ed25519_key"
+ mode: 0600
diff --git a/roles/system/templates/ssh_host_ed25519_key.pub.j2 b/roles/system/templates/ssh_host_ed25519_key.pub.j2
new file mode 100644
index 0000000..08b6b21
--- /dev/null
+++ b/roles/system/templates/ssh_host_ed25519_key.pub.j2
@@ -0,0 +1 @@
+ssh-ed25519 {{ dataserver_public_key }} root@lewis
diff --git a/util/secret-service-client.sh b/util/secret-service-client.sh
new file mode 100755
index 0000000..6a75000
--- /dev/null
+++ b/util/secret-service-client.sh
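Review bot: `upgrade: yes` and `update_cache: yes` use YAML 1.1 truthy spellings while `autoremove: true` in the same task uses the canonical form; write `upgrade: true` and `update_cache: true` so the task is consistent and passes yamllint's truthy rule. `state: latest` has no `name` to apply to and appears to be a no-op next to `upgrade`, so it can be dropped.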
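Review bot: `mode: 0644` and `mode: 0600` are unquoted; Ansible's YAML 1.1 loader reads the leading zero as octal, but a YAML 1.2 parser reads decimal 644/600 and ansible-lint's risky-octal rule flags both — write `mode: "0644"` and `mode: "0600"`. As far as I know a running sshd keeps serving the host key it loaded at start, so replacing `/etc/ssh/ssh_host_ed25519_key` only takes effect after the service is restarted; a `notify` on both copy tasks with a handler that restarts ssh makes the change effective in the same run. Note also that with `ansible_user: root` in the inventory, `ansible_user_id` resolves to root, so the admin keys are installed into root's authorized_keys; if that is intended, a comment on the first task saying so would save the next reader a lookup.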
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+pass=`secret-tool lookup ansible_vault dataserver`
+retval=$?
+
+if [ $retval -ne 0 ]; then
+ echo Provide password:
+ read -s pass
+fi
+echo $pass
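Review bot: `echo Provide password:` writes the prompt to stdout, which is the stream Ansible reads the vault password from, so whenever `secret-tool` fails the value handed to Ansible is `Provide password:` followed by the typed password and decryption fails; send the prompt to stderr with `echo 'Provide password:' >&2`. The final `echo $pass` is unquoted, so a password containing spaces, `*` or a leading `-` is word-split, glob-expanded or taken as an echo option; `printf '%s\n' "$pass"` emits it verbatim. `read -s pass` should be `read -rs pass` so backslashes in the password are kept, and `$(...)` is preferred over backticks for the lookup.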