Merge pull request #526 from ariddell/feature/modularize-sovereign

Modularize sovereign

.gitignore

@@ -1,3 +1,4 @@
 .vagrant
 vagrant_ansible_inventory_default
 tests.pyc
+secret

README.md

@@ -99,7 +99,8 @@ Your new account will be automatically set up for passwordless `sudo`.
 
 ### 4. Configure your installation
 
-Modify the settings in `vars/user.yml` to your liking. If you want to see how they’re used in context, just search for the corresponding string.
+Modify the settings in `group_vars/sovereign` to your liking. If you want to see how they’re used in context, just search for the corresponding string.
+All of the variables in `group_vars/sovereign` must be set for sovereign to function.
 
 Setting `password_hash` for your mail users is a bit tricky. You can generate one using [doveadm-pw](http://wiki2.dovecot.org/Tools/Doveadm/Pw).
 
@@ -147,7 +148,7 @@ For Git hosting, copy your public key into place:
 
 	cp ~/.ssh/id_rsa.pub roles/git/files/gitolite.pub
 
-Finally, replace the TODOs in the file `hosts`. If your SSH daemon listens on a non-standard port, add a colon and the port number after the IP address. In that case you also need to add your custom port to the task `Set firewall rules for web traffic and SSH` in the file `roles/common/tasks/ufw.yml`.
+Finally, replace the `host.example.net` in the file `hosts`. If your SSH daemon listens on a non-standard port, add a colon and the port number after the IP address. In that case you also need to add your custom port to the task `Set firewall rules for web traffic and SSH` in the file `roles/common/tasks/ufw.yml`.
 
 ### 5. Set up DNS
 
@@ -178,7 +179,7 @@ To run just one or more piece, use tags. I try to tag all my includes for easy i
 
 You might find that it fails at one point or another. This is probably because something needs to be done manually, usually because there’s no good way of automating it. Fortunately, all the tasks are clearly named so you should be able to find out where it stopped. I’ve tried to add comments where manual intervention is necessary.
 
-The `dependencies` tag just installs dependencies, performing no other operations. The tasks associated with the `dependencies` tag do not rely on the user-provided settings that live in `vars/user.yml`. Running the playbook with the `dependencies` tag is particularly convenient for working with Docker images.
+The `dependencies` tag just installs dependencies, performing no other operations. The tasks associated with the `dependencies` tag do not rely on the user-provided settings that live in `group_vars/sovereign`. Running the playbook with the `dependencies` tag is particularly convenient for working with Docker images.
 
 ### 7. Finish DNS set-up
 
@@ -206,7 +207,7 @@ Similarly, to access the server monitoring page, use another SSH tunnel:
 
 Again proceeding to http://localhost:2812 in your web browser.
 
-Finally, sign into ownCloud with a new administrator account to set it up. You should select PostgreSQL as the configuration backend. Use `owncloud` as the database user and the database name. For the database password use the password you set for `owncloud_db_password` in `vars/user.yml`.
+Finally, sign into ownCloud with a new administrator account to set it up. You should select PostgreSQL as the configuration backend. Use `owncloud` as the database user and the database name. For the database password use the password you set for `owncloud_db_password` in `group_vars/sovereign`.
 
 How To Use Your New Personal Cloud
 ----------------------------------

group_vars/sovereign

@@ -0,0 +1,62 @@
+---
+################################################################################
+# Set your variables here.
+################################################################################
+
+# common
+domain: (required)
+main_user_name: (required)
+
+# admin email
+# fail2ban reports will be sent to this address
+admin_email: "{{ main_user_name }}@{{ domain }}"
+
+# mail
+mail_virtual_domains:
+  - name: "{{ domain }}"
+    pk_id: 1
+mail_virtual_users:
+  - account: "{{ main_user_name }}"
+    domain: "{{ domain }}"
+    password_hash: TODO
+    domain_pk_id: 1
+mail_virtual_aliases:
+  - source: "root@{{ domain }}"
+    destination: "{{ admin_email }}"
+    domain_pk_id: 1
+  - source: "postmaster@{{ domain }}"
+    destination: "{{ admin_email }}"
+    domain_pk_id: 1
+  - source: "webmaster@{{ domain }}"
+    destination: "{{ admin_email }}"
+    domain_pk_id: 1
+
+# timezone
+# common_timezone will be used in the common and mailserver roles
+common_timezone: 'Etc/UTC'
+
+# znc
+irc_nick: (required)
+irc_ident: (required)
+irc_realname: (required)
+irc_quitmsg: (required)
+irc_password_hash: (required)
+irc_password_salt: (required)
+
+# xmpp
+prosody_admin: "{{ admin_email }}"
+prosody_virtual_domain: "{{ domain }}"
+prosody_accounts:
+  - name: "{{ main_user_name }}"
+    password: TODO
+
+# openvpn
+openvpn_key_country:  "US"
+openvpn_key_province: "California"
+openvpn_key_city: "Beverly Hills"
+openvpn_key_org: "ACME CORPORATION"
+openvpn_key_ou: "Anvil Department"
+openvpn_clients:
+  - laptop
+  - phone
+  - tablet

hosts

@@ -1,2 +1,4 @@
-[TODO]
-TODO # put your host's IP here
+[sovereign]
+# hosts in the `sovereign` group  use vars defined in `group_vars/sovereign`
+# put your host's IP address or domain name below
+host.example.net

roles/common/defaults/main.yml

@@ -0,0 +1,34 @@
+common_timezone: 'Etc/UTC'
+admin_email: "{{ main_user_name }}@{{ domain }}"
+main_user_shell: "/bin/bash"
+friendly_networks:
+  - ""
+
+# encfs
+secret_root: '{{ inventory_dir | realpath }}'
+secret_name: 'secret'
+secret: '{{ secret_root + "/" + secret_name }}'
+encfs_password: "{{ lookup('password', secret + '/' + 'encfs_password', length=32) }}"
+
+
+# let's encrypt
+letsencrypt_server: "https://acme-v01.api.letsencrypt.org/directory"
+
+# ssh
+kex_algorithms: "diffie-hellman-group-exchange-sha256"
+ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
+macs: "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
+
+# ntp
+ntp_servers:
+  # use nearby ntp servers by default
+  - 0.pool.ntp.org
+  - 1.pool.ntp.org
+  - 2.pool.ntp.org
+  - 3.pool.ntp.org
+  # use servers tailored to the server location
+  # See http://www.pool.ntp.org/en/use.html
+  # - 0.north-america.pool.ntp.org
+  # - 1.north-america.pool.ntp.org
+  # - 2.north-america.pool.ntp.org
+  # - 3.north-america.pool.ntp.org

roles/git/defaults/main.yml

@@ -0,0 +1,3 @@
+cgit_version: 0.12
+cgit_domain: "git.{{ domain }}"
+gitolite_version: 3.6.4

roles/ircbouncer/defaults/main.yml

@@ -0,0 +1 @@
+irc_timezone: "{{ common_timezone|default('Etc/UTC') }}"

roles/mailserver/defaults/main.yml

@@ -0,0 +1,29 @@
+secret_root: '{{ inventory_dir | realpath }}'
+secret_name: 'secret'
+secret: '{{ secret_root + "/" + secret_name }}'
+
+db_admin_username: 'postgres'
+db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password', length=32) }}"
+
+mail_db_username: 'mailuser'
+mail_db_password: "{{ lookup('password', secret + '/' + 'mail_db_password', length=32) }}"
+mail_db_database: 'mailserver'
+
+mail_server_hostname: "mail.{{ domain }}"
+mail_server_autoconfig_hostname: "autoconfig.{{ domain }}"
+mail_header_privacy: 1
+
+# virtual domains
+mail_virtual_domains: []
+mail_virtual_users: []
+mail_virtual_aliases: []
+
+# opendmarc
+mail_db_opendmarc_username: opendmarc
+mail_db_opendmarc_database: opendmarc
+mail_db_opendmarc_password: "{{ lookup('password', secret + '/' + 'mail_db_opendmarc_password', length=32) }}"
+
+# zpush
+zpush_version: 2.1.1-1788
+# common_timezone is a sovereign variable
+zpush_timezone: "{{ common_timezone|default('Etc/UTC') }}"

roles/monitoring/defaults/main.yml

@@ -0,0 +1,4 @@
+collectd_version: 5.4.1
+collectd_librato_version: 0.0.10
+collectd_librato_email: "" # (optional)
+collectd_librato_api_token: "" # (optional)

roles/news/defaults/main.yml

@@ -0,0 +1,17 @@
+secret_root: '{{ inventory_dir | realpath }}'
+secret_name: 'secret'
+secret: '{{ secret_root + "/" + secret_name }}'
+
+selfoss_domain: "news.{{ domain }}"
+selfoss_db_username: selfoss
+selfoss_db_password: "{{ lookup('password', secret + '/' + 'selfoss_db_password', length=32) }}"
+selfoss_db_database: selfoss
+selfoss_version: 2.14
+
+selfoss_username: "{{ main_user_name }}"
+# this is the sha512 hash of the desired password
+selfoss_password_hash: "{{ lookup('password', secret + '/' + 'selfoss_password_hash', length=32, crypt='sha512')|hash('sha512') }}"
+
+# must match values in roles/mailserver
+db_admin_username: 'postgres'
+db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password', length=32) }}"

roles/owncloud/defaults/main.yml

@@ -0,0 +1,8 @@
+secret_root: '{{ inventory_dir | realpath }}'
+secret_name: 'secret'
+secret: '{{ secret_root + "/" + secret_name }}'
+
+owncloud_domain: "cloud.{{ domain }}"
+owncloud_db_username: owncloud
+owncloud_db_password: "{{ lookup('password', secret + '/' + 'owncloud_db_password', length=32) }}"
+owncloud_db_database: owncloud

roles/readlater/defaults/main.yml

@@ -0,0 +1,10 @@
+secret_root: '{{ inventory_dir | realpath }}'
+secret_name: 'secret'
+secret: '{{ secret_root + "/" + secret_name }}'
+
+wallabag_version: 1.9.1
+wallabag_domain: "read.{{ domain }}"
+wallabag_salt: "{{ lookup('password', secret + '/' + 'wallabag_salt', length=32) }}"
+wallabag_db_username: wallabag
+wallabag_db_password: "{{ lookup('password', secret + '/' + 'wallabag_db_password', length=32) }}"
+wallabag_db_database: wallabag

roles/tarsnap/defaults/main.yml

@@ -0,0 +1 @@
+tarsnap_version: 1.0.36.1

roles/vpn/defaults/main.yml

@@ -0,0 +1,26 @@
+# Notes about security: https://blog.g3rt.nl/openvpn-security-tips.html
+# Check privacy: http://witch.valdikss.org.ru/
+
+openvpn_key_country:  "US"
+openvpn_key_province: "California"
+openvpn_key_city: "Beverly Hills"
+openvpn_key_org: "ACME CORPORATION"
+openvpn_key_ou: "Anvil Department"
+openssl_request_subject: "/C={{ openvpn_key_country }}/ST={{ openvpn_key_province }}/L={{ openvpn_key_city }}/O={{ openvpn_key_org }}/OU={{ openvpn_key_ou }}"
+
+openvpn_days_valid: "1825"
+openvpn_key_size: "2048"
+openvpn_cipher: "AES-256-CBC"
+openvpn_auth_digest: "SHA512"
+openvpn_path: "/etc/openvpn"
+openvpn_ca: "{{ openvpn_path }}/ca"
+openvpn_dhparam: "{{ openvpn_path }}/dh{{ openvpn_key_size }}.pem"
+openvpn_hmac_firewall: "{{ openvpn_path }}/ta.key"
+openvpn_server: "{{ domain }}"
+openvpn_port: "1194"
+openvpn_protocol: "udp"
+openvpn_mtu: "1300"
+openvpn_verb: "3" # "0" for anonymity
+openvpn_tls_version_min: "tls-version-min 1.2"
+openvpn_tls_cipher: "tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
+openvpn_clients: []

roles/xmpp/defaults/main.yml

@@ -0,0 +1,3 @@
+prosody_admin: "{{ admin_email }}"
+prosody_virtual_domain: "{{ domain }}"
+prosody_accounts: []

site.yml

@@ -5,9 +5,6 @@
   user: deploy
   become: True
   gather_facts: True
-  vars_files:
-    - vars/defaults.yml
-    - vars/{{ 'testing' if testing is defined else 'user' }}.yml
 
   roles:
     - common

vars/defaults.yml

@@ -1,137 +0,0 @@
----
-###############################################################################
-# DO NOT EDIT. Set your variables in `vars/user.yml` instead.
-# This is a reference of all the variables.
-###############################################################################
-
-# # common
-common_timezone: 'Etc/UTC'
-# domain: (required)
-# main_user_name: (required)
-admin_email: "{{ main_user_name }}@{{ domain }}"
-main_user_shell: "/bin/bash"
-# encfs_password: (required)
-friendly_networks:
-  - ""
-letsencrypt_server: "https://acme-v01.api.letsencrypt.org/directory"
-
-# ssh
-kex_algorithms: "diffie-hellman-group-exchange-sha256"
-ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
-macs: "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
-
-# ntp
-ntp_servers:
-  # use nearby ntp servers by default
-  - 0.pool.ntp.org
-  - 1.pool.ntp.org
-  - 2.pool.ntp.org
-  - 3.pool.ntp.org
-  # use servers tailored to the server location
-  # See http://www.pool.ntp.org/en/use.html
-  # - 0.north-america.pool.ntp.org
-  # - 1.north-america.pool.ntp.org
-  # - 2.north-america.pool.ntp.org
-  # - 3.north-america.pool.ntp.org
-
-# collectd
-collectd_version: 5.4.1
-collectd_librato_version: 0.0.10
-collectd_librato_email: "" # (optional)
-collectd_librato_api_token: "" # (optional)
-
-# database
-db_admin_username: 'postgres'
-# db_admin_password: (required)
-
-# ircbouncer
-# irc_nick: (required)
-# irc_ident: (required)
-# irc_realname: (required)
-# irc_quitmsg: (required)
-# irc_password_hash: (required)
-# irc_password_salt: (required)
-
-# mailserver
-mail_server_hostname: "mail.{{ domain }}"
-mail_server_autoconfig_hostname: "autoconfig.{{ domain }}"
-mail_db_username: mailuser
-# mail_db_password: (required)
-mail_db_database: mailserver
-# mail_virtual_domains: (required)
-# mail_virtual_users: (required)
-# mail_virtual_aliases: (required)
-mail_db_opendmarc_username: opendmarc
-# mail_db_opendmarc_password: (required)
-mail_db_opendmarc_database: opendmarc
-
-# z-push
-zpush_version: 2.1.1-1788
-
-# owncloud
-owncloud_domain: "cloud.{{ domain }}"
-owncloud_db_username: owncloud
-# owncloud_db_password: (required)
-owncloud_db_database: owncloud
-
-# tarsnap
-tarsnap_version: 1.0.36.1
-
-# vpn
-# Notes about security: https://blog.g3rt.nl/openvpn-security-tips.html
-# Check privacy: http://witch.valdikss.org.ru/
-# openvpn_key_country: (required)
-# openvpn_key_province: (required)
-# openvpn_key_city: (required)
-# openvpn_key_org: (required)
-# openvpn_key_ou: (required)
-openvpn_days_valid: "1825"
-openssl_request_subject: "/C={{ openvpn_key_country }}/ST={{ openvpn_key_province }}/L={{ openvpn_key_city }}/O={{ openvpn_key_org }}/OU={{ openvpn_key_ou }}"
-openvpn_key_size: "2048"
-openvpn_cipher: "AES-256-CBC"
-openvpn_auth_digest: "SHA512"
-openvpn_path: "/etc/openvpn"
-openvpn_ca: "{{ openvpn_path }}/ca"
-openvpn_dhparam: "{{ openvpn_path }}/dh{{ openvpn_key_size }}.pem"
-openvpn_hmac_firewall: "{{ openvpn_path }}/ta.key"
-openvpn_server: "{{ domain }}"
-openvpn_port: "1194"
-openvpn_protocol: "udp"
-openvpn_mtu: "1300"
-openvpn_verb: "3" # "0" for anonymity
-# uncomment for openvpn 2.3.3 and >2.3.4
-openvpn_tls_version_min: "" # "tls-version-min 1.2"
-openvpn_tls_cipher: "" # "tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"
-# openvpn_clients: (required)
-
-# webmail
-webmail_domain: "{{ mail_server_hostname }}"
-webmail_db_username: "roundcube"
-# webmail_db_password: (required)
-webmail_db_database: "roundcube"
-carddav_version: "1.0.0"
-
-# xmpp
-prosody_admin: "{{ admin_email }}"
-prosody_virtual_domain: "{{ domain }}"
-# prosody_accounts: (required)
-
-# news
-selfoss_domain: "news.{{ domain }}"
-selfoss_db_username: selfoss
-# selfoss_db_password: (required)
-selfoss_db_database: selfoss
-selfoss_version: 2.14
-
-# git
-cgit_version: 0.12
-cgit_domain: "git.{{ domain }}"
-gitolite_version: 3.6.4
-
-# wallabag
-wallabag_version: 1.9.1
-wallabag_domain: "read.{{ domain }}"
-# wallabag_salt: (required)
-wallabag_db_username: wallabag
-# wallabag_db_password: (required)
-wallabag_db_database: wallabag

vars/user.yml

@@ -1,89 +0,0 @@
----
-###############################################################################
-# Set your variables here.
-# For a complete reference look at the `vars/defaults.yml` file.
-###############################################################################
-
-# common
-domain: TODO.com
-main_user_name: TODO
-encfs_password: TODO    # NOTE: must not contain dollar sign characters '$'
-
-# database
-db_admin_username: postgres
-db_admin_password: TODO
-
-# ircbouncer
-irc_nick: TODO
-irc_ident: TODO
-irc_realname: TODO
-irc_quitmsg: TODO
-irc_password_hash: TODO
-irc_password_salt: TODO
-irc_timezone: TODO      #Example: "America/New_York"
-
-# mailserver
-mail_db_password: TODO
-mail_db_opendmarc_password: TODO
-mail_virtual_domains:
-  - name: "{{ domain }}"
-    pk_id: 1
-#  - name: TODO.com
-#    pk_id: 2
-mail_virtual_users:
-  - account: "{{ main_user_name }}"
-    domain: "{{ domain }}"
-    password_hash: TODO
-    domain_pk_id: 1
-#  - account: "{{ TODO }}"
-#    domain: "{{ domain }}"
-#    password_hash: TODO
-#    domain_pk_id: 2
-mail_virtual_aliases:
-  - source: "root@{{ domain }}"
-    destination: "{{ admin_email }}"
-    domain_pk_id: 1
-  - source: "postmaster@{{ domain }}"
-    destination: "{{ admin_email }}"
-    domain_pk_id: 1
-  - source: "webmaster@{{ domain }}"
-    destination: "{{ admin_email }}"
-    domain_pk_id: 1
-mail_header_privacy: 1
-
-# z-push
-zpush_timezone: "TODO"  #Example: "America/New_York"
-
-# owncloud
-owncloud_db_password: TODO
-
-# vpn
-openvpn_key_country:  "US"
-openvpn_key_province: "California"
-openvpn_key_city: "Beverly Hills"
-openvpn_key_org: "ACME CORPORATION"
-openvpn_key_ou: "Anvil Department"
-openvpn_clients:
-  - laptop
-  - phone
-  - tablet
-
-# webmail
-webmail_db_password: TODO
-
-# xmpp
-prosody_admin: "{{ admin_email }}"
-prosody_virtual_domain: "{{ domain }}"
-prosody_accounts:
-  - name: "{{ main_user_name }}"
-    password: TODO
-
-# selfoss
-selfoss_db_password: "TODO"
-selfoss_username: "{{ main_user_name }}"
-# this is the sha512 hash of the desired password
-selfoss_password_hash: "TODO"
-
-# wallabag
-wallabag_salt: TODO
-wallabag_db_password: TODO