diff --git a/doc/ariane.md b/doc/ariane.md index 5122536..e10404c 100644 --- a/doc/ariane.md +++ b/doc/ariane.md @@ -6,6 +6,39 @@ |**H2**|01 /dev/sdb `6TB`
`WD-WX21D36PPLPH`|05 |09 |13 | |**H3**|02 /dev/sdc `6TB`
`WD-WX21D36PP0K1`|06 |10 |14 | |**H4**|03 /dev/sdd `6TB`
`WD-WXB1HB4MJCMM`|07 |11 |15 | +## Debian setup install steps +``` +Boot Image Debian Netinstall on USB stick, Advanced Options->Expert Install +Language: English, Location: other->Europe->Austria +Locale: en_US.UTF-8, Additional Locale: de_AT.UTF-8, System Locale: en_US.UTF-8 +Keyboard: German +Detect and mount CD-ROM, Load installer components: no extra +auf KISTL statische IP 192.168.86.7/24 für ariane.fet.htu.tuwien.ac.at einrichten +Detect network hardware, Configure Network: enp8s0: Hostname: ariane, IP 192.168.86.7/24 domain fet.htu.tuwien.ac.at +Setup Users and Passwords: shadow, user petra +Configure the clock: NTP Server: tutimea.tuwien.ac.at +Detect disks, partition disks: manual +RAID1 md0 with both SSDs https://blog.sleeplessbeastie.eu/2013/10/04/how-to-configure-software-raid1-during-installation-process/ +/dev/nvmeXn1p1 32GB primary Volume für / in btrfs 32GB +/dev/nvmeXn1p5 1.5 GB logical Volume +/dev/nvmeXn1p6 1.5 GB logical Volume +/dev/nvmeXn1p7 1.5 GB logical Volume +/dev/nvmeXn1p8 1.5 GB logical Volume +/dev/nvmeXn1p9 90 GB logical Volume +ZFS RAIDZ-2 on is already on 4 x 6TB disks = 12TB 0 spares +partition1 ariane-root btrfs noatime, discard +Generic Kernel +Mirror: gd.tuwien.ac.at, allow backported +install with ssh server and standard sys utilities +Install Grub on /dev/nvme0n1 (to removable media path) +Install Grub on /dev/nvme1n1 +reboot, log in as root +edit /etc/ssh/sshd_config set PermitRootlogin to yes +service sshd reload +ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub +ssh-copy-id root@ariane from client +edit /etc/ssh/sshd_config set PermitRootlogin to Prohibit-Password +``` ## Install ZFS ```shell apt-get install zfsutils-linux 
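Review bot: The new `Debian setup install steps` block sets `PermitRootlogin` to `yes` and reloads sshd before the key is copied, so password login as root is reachable over the network for the whole window until the later step flips it back to `Prohibit-Password`. Because the installer already created the user `petra`, the key can be placed without ever enabling root password login: `ssh-copy-id petra@ariane` from the client, then on the console as root `install -m 0700 -d /root/.ssh && install -m 0600 ~petra/.ssh/authorized_keys /root/.ssh/authorized_keys`, leaving sshd at its `PermitRootLogin prohibit-password` default throughout. The `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` line is the right check but it is only useful if the doc says what to do with it, e.g. `compare this fingerprint with the one ssh shows on the client's first connect before answering yes`.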
@@ -67,10 +100,14 @@ mv /var/log/* /ssd/var/log/ zfs set mountpoint=/var/log ssd/var/log mv /var/lib/lxc/* /ssd/var/lxc/ zfs set mountpoint=/var/lib/lxc ssd/var/lxc +zfs create -o com.sun:auto-snapshot=false zv1/sojus +zfs create -o com.sun:auto-snapshot=false zv1/daten/Scans ``` ### Set dataset quota ```shell zfs set quota=1T zv1/homes zv1/daten zv1/fotos +zfs set quota=3T zv1/sojus +zfs set quota=5G zv1/daten/Scans ``` ### If intend using ACL someday ```shell @@ -129,3 +166,9 @@ mdadm --misc --detail /dev/md0 echo check > /sys/block/md0/md/sync_action watch -n 0.1 cat /proc/mdstat ``` +## Shutdown System +```shell +# stop all LXC containers +zfs_mount.sh unmount +halt -p +``` diff --git a/doc/configs/ariane_mbr_nvme0n1.txt b/doc/configs/ariane_mbr_nvme0n1.txt new file mode 100644 index 0000000..79a26ce --- /dev/null +++ b/doc/configs/ariane_mbr_nvme0n1.txt @@ -0,0 +1,15 @@ +Disk /dev/nvme0n1: 119.2 GiB, 128035676160 bytes, 250069680 sectors +Units: sectors of 1 * 512 = 512 bytes +Sector size (logical/physical): 512 bytes / 512 bytes +I/O size (minimum/optimal): 512 bytes / 512 bytes +Disklabel type: dos +Disk identifier: 0x21183a98 + +Device Boot Start End Sectors Size Id Type +/dev/nvme0n1p1 2048 62500863 62498816 29.8G fd Linux raid autodetect +/dev/nvme0n1p2 62502910 250068991 187566082 89.4G 5 Extended +/dev/nvme0n1p5 62504960 65435647 2930688 1.4G 83 Linux +/dev/nvme0n1p6 65437696 68368383 2930688 1.4G 83 Linux +/dev/nvme0n1p7 68370432 71301119 2930688 1.4G 83 Linux +/dev/nvme0n1p8 71303168 74233855 2930688 1.4G 83 Linux +/dev/nvme0n1p9 74235904 250068991 175833088 83.9G 83 Linux diff --git a/doc/configs/ariane_mbr_nvme1n1.txt b/doc/configs/ariane_mbr_nvme1n1.txt new file mode 100644 index 0000000..20baf97 --- /dev/null +++ b/doc/configs/ariane_mbr_nvme1n1.txt 
@@ -0,0 +1,16 @@ +Disk /dev/nvme1n1: 119.2 GiB, 128035676160 bytes, 250069680 sectors +Units: sectors of 1 * 512 = 512 bytes +Sector size (logical/physical): 512 bytes / 512 bytes +I/O size (minimum/optimal): 512 bytes / 512 bytes +Disklabel type: dos +Disk identifier: 0x35c808a6 + +Device Boot Start End Sectors Size Id Type +/dev/nvme1n1p1 2048 62500863 62498816 29.8G fd Linux raid autodetect +/dev/nvme1n1p2 62502910 250068991 187566082 89.4G 5 Extended +/dev/nvme1n1p5 62504960 65435647 2930688 1.4G 83 Linux +/dev/nvme1n1p6 65437696 68368383 2930688 1.4G 83 Linux +/dev/nvme1n1p7 68370432 71301119 2930688 1.4G 83 Linux +/dev/nvme1n1p8 71303168 74233855 2930688 1.4G 83 Linux +/dev/nvme1n1p9 74235904 250068991 175833088 83.9G 83 Linux + diff --git a/doc/configs/ariane_mbr_zv1.txt b/doc/configs/ariane_mbr_zv1.txt new file mode 100644 index 0000000..33569f9 --- /dev/null +++ b/doc/configs/ariane_mbr_zv1.txt @@ -0,0 +1,9 @@ +Disk /dev/sdc: 5.5 TiB, 6001175126016 bytes, 11721045168 sectors +Units: sectors of 1 * 512 = 512 bytes +Sector size (logical/physical): 512 bytes / 4096 bytes +I/O size (minimum/optimal): 4096 bytes / 4096 bytes +Disklabel type: gpt +Disk identifier: D2B76C08-E0D8-42AC-A0D5-F3A14EA584DF + +Device Start End Sectors Size Type +/dev/sdc1 2048 11721045134 11721043087 5.5T Solaris /usr & Apple ZFS diff --git a/doc/configs/kistl-pfSense-backup.xml b/doc/configs/kistl-pfSense-backup.xml new file mode 100644 index 0000000..4ce2284 --- /dev/null +++ b/doc/configs/kistl-pfSense-backup.xml 
@@ -0,0 +1,1394 @@ + + + 11.7 + + metallic + + + debug.pfftpproxy + 1 + + + + + vfs.read_max + default + + + + net.inet.ip.portrange.first + default + + + + net.inet.tcp.blackhole + default + + + + net.inet.udp.blackhole + default + + + + net.inet.ip.random_id + default + + + + net.inet.tcp.drop_synfin + default + + + + net.inet.ip.redirect + default + + + + net.inet6.ip6.redirect + default + + + + net.inet.tcp.syncookies + default + + + + net.inet.tcp.recvspace + default + + + + net.inet.tcp.sendspace + default + + + + net.inet.ip.fastforwarding + default + + + + net.inet.tcp.delayed_ack + default + + + + net.inet.udp.maxdgram + default + + + + net.link.bridge.pfil_onlyip + default + + + + net.link.bridge.pfil_member + default + + + + net.link.bridge.pfil_bridge + default + + + + net.link.tap.user_open + default + + + + kern.randompid + default + + + + net.inet.ip.intr_queue_maxlen + default + + + + hw.syscons.kbd_reboot + default + + + + net.inet.tcp.inflight.enable + default + + + + net.inet.tcp.log_debug + default + + + + net.inet.icmp.icmplim + default + + + + net.inet.tcp.tso + default + + + + kern.ipc.maxsockbuf + default + + + + normal + kistl + fet.htu.tuwien.ac.at + + all + + system + 1998 + + + admins + + system + 1999 + 0 + 2000 + page-all + + + admin + + system + admins + $1$i/nede5l$nk7jGz.SDcZy6qZrGlvkr/ + 0 + user-shell-access + 709413c5a7adc43b91f90ece7f6b7915 + ffe4b7bdc7724aa5f2eacfde176c38b5 + + + + + + user + $1$K..ec31W$knkqCaSwhAIqtCGErMxLf. 
+ 8fa8fc542b8c5267d46eae228073243c + 9c825dfb2764d7beb731ef17334c7ff2 + bajo + + + + + 2000 + + 2001 + 2000 + Europe/Vienna + + tutimea.tuwien.ac.at + + https + 4f031b5823c78 + + + yes + + + none + none + none + none + + + + wan + + en_US + none + none + none + none + 128.130.4.3 + 128.131.4.3 + + + + + + rl0 + 128.131.95.200 + 24 + WANGW + on + on + + + + + + + bge0 + 192.168.86.1 + 24 + + + + + + + + 192.168.95.0/24 + miruk + + + + 192.168.96.0/24 + Ariane + + + + 10.0.3.0/24 + Ariane + + + + + + + + 192.168.86.50 + 192.168.86.191 + + + 00:10:18:2d:b0:c0 + + 192.168.86.2 + atlas + + + + + + + + + + + + + + + + + 1c:bd:b9:7f:fe:a4 + + 192.168.86.3 + laika + + + + + + + + + + + + + + + + + a0:f3:c1:5e:c4:98 + + 192.168.86.4 + wlan + + + + + + + + + + + + + + + + + 52:54:00:87:be:61 + + 192.168.86.5 + backup + + + + + + + + + + + + + + + + + 00:02:44:7c:b2:1c + + 192.168.86.6 + sputnik + + + + + + + + + + + + + + + + + 38:d5:47:01:7a:63 + ariane + 192.168.86.7 + ariane + + + + + + + fet.htu.tuwien.ac.at + + + + + + + + + + 3c:4a:92:43:d3:f3 + + 192.168.86.8 + hp3015 + + + + + + + + + + + + + + + + + 00:00:48:d1:06:b9 + + 192.168.86.9 + AL-C9100-D106B9 + + + + + + + + + + + + + + + + + 20:cf:30:67:09:28 + + 192.168.86.10 + energija + + + + + + + + + + + + + + + + + 00:09:3d:10:c4:aa + + 192.168.86.11 + kusnezow + + + + + + + + + + + + + + + + + ee:ee:ee:ee:ee:ef + + 192.168.86.12 + webup + + + + + + + + + + + + + + + + + 52:54:00:2b:a0:5e + + 192.168.86.13 + scm + + + + + + + + + + + + + + + + + 00:21:b7:99:4c:60 + + 192.168.86.14 + dell3465 + + + + + + + + + + + + + + + + + b8:27:eb:d5:7c:12 + + 192.168.86.15 + malina-hs + + + + + + + + + + + + + + + + + b8:27:eb:4e:c6:8f + + 192.168.86.16 + malina-retro + + + + + + + + + + + + + + + + + 00:a0:de:a4:ac:9a + + 192.168.86.17 + fet-av + + + + + + + + + + + + + + + + + 52:54:00:5c:b0:fd + + 192.168.86.18 + gagarin + + + + + + + + + + + + + + + + + e0:69:95:57:b2:f7 + + 192.168.86.20 + proton + + + + + + + + + + + + + + 
+ + + e0:69:95:57:b6:08 + + 192.168.86.21 + suchoi + + + + + + + + + + + + + + + + + 10:c3:7b:9f:32:b1 + + 192.168.86.22 + potemkin + + + + + + + + + + + + + + + + + 90:2b:34:c8:72:ab + + 192.168.86.23 + lunik + + + + + + + + + + + + + + + + + 52:54:00:c6:91:2d + + 192.168.86.30 + ruby + + + + + + + + + + + + + + + + + 52:54:00:2f:ea:01 + + 192.168.86.31 + zabbix + + + + + + + + + + + + + + + + + 52:54:00:b1:03:4f + Fachschaften + 192.168.86.32 + fachschaften + + + + + + + + + + + + + + + + + 52:54:00:3b:a6:19 + bufata + 192.168.86.33 + bufata + + + + + + + + + + + + + + + + + 52:54:00:40:50:dc + + 192.168.86.34 + cloud + + + + + + + + + + + + + + + + + 52:54:00:d6:73:74 + + 192.168.86.35 + mars + + + + + + + fet.htu.tuwien.ac.at + + + + + + + + + + 52:54:00:ca:e4:4b + + 192.168.86.36 + miruk + + + + + + + + + + + + + + + + + 00:1a:4d:4b:dd:92 + + 192.168.86.42 + absturz + + + + + + + + + + + + + + + + + b8:27:eb:da:0b:43 + + 192.168.86.43 + baroness + + + + + + + + + + + + + + + + + 2e:6d:b6:07:14:01 + + 192.168.86.44 + betam + + + + + + + + + + + + + + + + + 2e:6d:b6:07:15:01 + + 192.168.86.45 + zyklon + + + + + + + + + + + + + + + + + 2e:6d:b6:07:16:01 + + 192.168.86.46 + proteus + + + + + + + + + + + + + + + + + ee:ee:ee:ee:ee:ee + + 192.168.86.47 + sojus + + + + + + + + + + + + + + + + + + + + + fet.htu.tuwien.ac.at + + + + + pxelinux.0 + + + + 192.168.86.134 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + address=/baroness.fet.at/192.168.86.43 +address=/baroness.local/192.168.86.43 +address=/triton.local/192.168.86.36 +address=/ldap.fet.at/192.168.86.18 + + backup + fet.htu.tuwien.ac.at + 192.168.86.12 + + + + gagarin + fet.htu.tuwien.ac.at + 192.168.86.18 + + + + + laika + fet.htu.tuwien.ac.at + 192.168.86.3 + + + + + laika2 + fet.htu.tuwien.ac.at + 192.168.86.3 + + + + + + + + + public + + + + + + + + + + 50 + + + + automatic + + + + + pass + + lan + + lan + + + + + 1430676699 + + + pass + lan + inet + + icmp + echoreq + +
128.131.95.208
+ + +
192.168.5.16
+
+ + + Easy Rule + +
+
+ + + + + + + + + 1,31 + 0-5 + * + * + * + root + /usr/bin/nice -n20 adjkerntz -a + + + 1 + 3 + 1 + * + * + root + /usr/bin/nice -n20 /etc/rc.update_bogons.sh + + + */60 + * + * + * + * + root + /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout + + + 1 + 1 + * + * + * + root + /usr/bin/nice -n20 /etc/rc.dyndns.update + + + */60 + * + * + * + * + root + /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot + + + 30 + 12 + * + * + * + root + /usr/bin/nice -n20 /etc/rc.update_urltables + + + */60 + * + * + * + * + root + /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 webConfiguratorlockout + + + + + + + + + ICMP + icmp + + + + + TCP + tcp + + + + + HTTP + http + + + / + + 200 + + + + HTTPS + https + + + / + + 200 + + + + SMTP + send + + + + 220 * + + + + + system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interfaces-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close + + + + + admin@192.168.86.134 + + + + + + + + 4f031b5823c78 + + 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 + 
R2VuZXJhdGluZyBSU0EgcHJpdmF0ZSBrZXksIDEwMjQgYml0IGxvbmcgbW9kdWx1cwouLi4uLi4uLi4uLi4uLi4uKysrKysrCi4uLi4uLi4uLi4uLi4uLi4rKysrKysKdW5hYmxlIHRvIHdyaXRlICdyYW5kb20gc3RhdGUnCmUgaXMgNjU1MzcgKDB4MTAwMDEpCi0tLS0tQkVHSU4gUlNBIFBSSVZBVEUgS0VZLS0tLS0KTUlJQ1hRSUJBQUtCZ1FEWHdveVUwMXdaU0JjSXFFdGMrY0tKU2NBUm9tZC9USENpc3U3RnUzbzlTLytSYWpiUQpZRE5qVEFSVGtxS3d3ajFwTGo4c0kzZVRYaDZPaGZVQ3ZPOWI5RmR2UC9GR2t0WHVuVVBrLzgzNnNkWjA3WXlNCnpuWXRjNk1iQ2NpTStkWHpOditKM0ViSHZ1TDJHdU5EYVNwUlE4TFFYeE05V28vMCtYRnNVb3BGZXdJREFRQUIKQW9HQUorcnhrWE5OUGN3dG5zZHNNZ1p2YkhEOW5RV2IrbHhORm56ZVdpem1YOExZeExHTzlKeG54WDVCNnFoZAplekJrcGpvTkxBQmYxaDc2cmttd1c5SlN3aXhraWFTREhGNG1UcEp1Sy9scjgvNGhTeWFDSEtIbHB4akZORDNGCkIyVG5rS3BwSFhwK3BtSGlhZ1RBMk42NmRVRzNVd2tGRDh5dzc4TFhNOWZlM2tFQ1FRRDVQaThEbDJGdmJvenIKN1RXZnQraFJwQVpuRm1MNnY1d0lCRnF2UDE0a3FzUjdBRTlyUC90Y2VoalFRQjYyK3A1MkQ0VW9qdFNET1hocwo4VGgxYUpnaEFrRUEzWnY3L3dXYzUyS2pFTHYvN25uK0picGFtUzhDSE0wK2RQZU4yZGdQSkpPNVhZKzFxdVZMClE4SGNCVzR0Z21EdmFwcFh6M1h0OTJTLzU4RHhaYkw2R3dKQUFkUk1BZ205WkZUNlljem01Tm96c1UyejRsUE8KdkNwbDJjVTJhU3pjNHdZQjFTbEdhL0lYUlRGOE55TVJWcVIyUDBXVDQ1MVF2L25QQVhXdnhXVFVJUUpCQU5FVgpuNTlRSTJhb1NLTzhUTThxcUYvZVFDWnhGTFFwN1hpY0xHalJrZy8zbEpleXhEdFdGVG43aU9SU3ZIdGJpK2Z2CmNWUGF0MGVIOWd2cG5aaFBVZXNDUVFEUndOVERZVnFhalhCUWsvc2xINml3QWkyVW4vM3Awc0I0dnFsQTB3MDkKcERSQm5tMUZJazBqeUQ1L2pDYVoyQXIxOHhwTHBvNHkwZjhEeEQ4VStmRWsKLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K + + + + + wan + 128.131.95.1 + WANGW + 1 + + + inet + + + lan + 192.168.86.35 + mars + 1 + inet + + + + + + + + lan + 192.168.86.36 + miruk + 1 + inet + + + + + + + + lan + 192.168.86.7 + Ariane + 1 + inet + + + + + + + + + + iperf + http://dast.nlanr.net/Projects/Iperf/ + + Network Management + https://packages.pfsense.org/packages/config/iperf/iperf.xml + iperf-2.0.5-i386.pbi + 2.0.5_1 + Beta + https://doc.pfsense.org/index.php/Iperf_package + 2.2 + iperf.xml + benchmarks + bin/iperf:benchmarks/iperf + + benchmarks/iperf + + https://files.pfsense.org/packages/10/All/ + + + ntop + http://www.ntop.org/ + + 
Network Management + ntop-5.0.1_4-i386.pbi + + databases/gdbm net/GeoIP x11-fonts/font-util x11-fonts/webfonts graphics/graphviz + net/ntop + + ntop_SET_FORCE=PCAP_PORT XMLDUMP MAKO;ntop_UNSET_FORCE=JUMBO_FRAMES;rrdtool_UNSET_FORCE=DEJAVU PERL_MODULE PYTHON_MODULE RUBY_MODULE;rrdtool_SET_FORCE=JSON MMAP NLS;graphviz_UNSET_FORCE=XPM DIGCOLA IPSEPCOLA PANGOCAIRO;graphviz_SET_FORCE=ICONV NLS;cairo_UNSET_FORCE=X11 XCB;libgd_UNSET_FORCE=FONTCONFIG XPM;libgd_SET_FORCE=ICONV;libpcap_UNSET_FORCE=DAG;libpcap_SET_FORCE=IPV6 + 5.0.1_4 v2.3 + BETA + 2.2 + https://packages.pfsense.org/packages/config/ntop2/ntop.xml + ntop.xml + true + 2.2.999 + https://files.pfsense.org/packages/10/All/ + + + Zabbix Agent + Setup Zabbix Agent specific settings +
Services
+ /pkg_edit.php?xml=zabbix-agent.xml&id=0 +
+ + iperf + Run iperf in client or server mode. +
Diagnostics
+ iperf.xml +
+ + ntop Settings + Set ntop settings such as password and port. +
Diagnostics
+ /pkg_edit.php?xml=ntop.xml&id=0 +
+ + ntop + Access ntop +
Diagnostics
+ http://$myurl:3000 + ntop +
+ + zabbix_agentd + zabbix_agentd.sh + zabbix_agentd + + + + iperf + iperf + + + + ntop + ntop.sh + ntop + + + + + <__csrf_magic>sid:31efc492c9e3e76d276671a946cd2689b38939d7,1412273730 + All packages + reinstallall + Confirm + admin + + + + + zabbix.fet.htu.tuwien.ac.at + 10051 + kistl.fet.htu.tuwien.ac.at + 0.0.0.0 + 10050 + 120 + 3 + + + + + + + ntop Settings + /pkg_edit.php?xml=ntop.xml&id=0 + + +
+ + + + + + + www.fet.at + 192.168.86.30 + + + +
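Review bot: The kistl backup committed here carries live credentials: the admin `<password>` hash (`$1$i/nede5l$…`, MD5-crypt) and a second user's hash, a `<__csrf_magic>` session token, and the webConfigurator certificate's private key in base64 (the line beginning `R2VuZXJhdGluZyBSU0EgcHJpdmF0ZSBrZXks…` decodes to `Generating RSA private key, 1024 bit long modulus` followed by a PEM `RSA PRIVATE KEY` block); the miruk backup in the next hunk adds the bcrypt admin hash `$2b$10$S52zN…` and its own cert/key sections. Once pushed these stay in history, so the admin passwords should be rotated and the 1024-bit certificate replaced regardless of whether the files are later removed from the tree. For future exports either use the encryption option on pfSense's Diagnostics → Backup & Restore page or strip the `<password>`, `<prv>` and `<__csrf_magic>` values before committing, and keep the backups out of `doc/` if the repository is shared beyond the admins. The `wlan-OpenWrt-backup.tar.gz` added in the same commit is likely to have the same problem (wireless PSKs, dropbear host keys) and should be checked before it is pushed.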
diff --git a/doc/configs/miruk-pfSense-backup.xml b/doc/configs/miruk-pfSense-backup.xml new file mode 100644 index 0000000..30cc9a0 --- /dev/null +++ b/doc/configs/miruk-pfSense-backup.xml @@ -0,0 +1,1268 @@ + + + 15.8 + + + normal + miruk + fet.htu.tuwien.ac.at + + all + + system + 1998 + 0 + + + admins + + system + 1999 + 0 + page-all + + + admin + + system + admins + $2b$10$S52zNMrTbsfoLVYT3Tk/zOt/EG2IKr6DUyOMzh7ojE8PL.kxdnrqu + 0 + user-shell-access + + 2000 + 2000 + 0.pfsense.pool.ntp.org + + https + + 58e6957796d5e + 2 + 4444 + 2 + pfSense.css + + + + + + + hadp + hadp + hadp + + monthly + + Europe/Vienna + 115200 + serial + + 222 + + en_US + none + + + + + yes + yes + + 192.168.86.1 + 192.168.95.1 + + none + + enabled + + + + + re0 + dhcp + dhcp6 + + + + + 0 + + + + vtnet0 + + 192.168.95.1 + 24 + + + + + re1 + + + 32 + 52:54:00:32:e7:18 + 128.131.95.208 + 32 + WAN_TUGW + + + + re2 + + 128.130.95.208 + 19 + WLAN_TU2GW2 + + + + + + + 192.168.95.70 + 192.168.95.170 + + + + + + + + + + + + + + + + + + + + + + + + + 52:54:00:0c:d9:ba + + 192.168.95.2 + maria-storage + + + + + + + + + + + + + + + + + 52:54:00:a9:cf:27 + + 192.168.95.10 + triton + + + + + + + + + + + + + + + + + 52:54:00:c9:94:71 + + 192.168.95.11 + fetruby + + + + + + + + + + + + + + + + + 52:54:00:7f:d4:7a + + 192.168.95.12 + fetwiki + + + + + + + + + + + + + + + + + 52:54:00:ee:e0:3f + + 192.168.95.14 + triton-amp + + + + + + + + + + + + + + + + + 52:54:00:6d:5e:3b + + 192.168.95.16 + mogok + + + + + + + + + + + + + + + + + 52:54:00:04:ce:3b + + 192.168.95.21 + fachschaften + + + + + + + + + + + + + + + + + 52:54:00:40:50:dc + + 192.168.95.22 + cloud + + + + + + + + + + + + + + + + + + + + + + + public + + + + + + + 60 + + ipv4 + + + + + + 1491562113 + pass + wan + inet + + + + + + + + keep state + + tcp + +
192.168.86.6
+ + + wanip + 222 + + + + + + admin@192.168.86.6 + + + + admin@192.168.86.6 + +
+ + + 1491561492 + pass + wan + inet + + + + + + + + keep state + + tcp + + + + + wanip + 4444 + + + WAN_DHCP + + + admin@192.168.86.6 + + + + admin@192.168.86.6 + + + + + 1491902925 + pass + wan + inet + + + + + + + + keep state + + tcp + + lan + + + +
triton
+ web +
+ + nat_58eca1cd607012.85095132 + + + NAT Port Forward + + + + admin@192.168.86.6 + + +
+ + + 1491752134 + pass + wan + inet + + + + + + + + keep state + + icmp + echoreq + +
192.168.86.1
+ + + wanip + + + + + Easy Rule + + + + admin@192.168.86.6 + +
+ + + 1497948726 + pass + wan + inet + + + + + + + + keep state + + tcp + +
192.168.86.6
+ + + lan + 22 + + + + + admin@192.168.86.6 + + + + admin@192.168.86.6 + +
+ + + 1498656295 + pass + wan + inet + + + + + + + + keep state + + tcp + +
192.168.86.5
+ + + lan + 22 + + + + + admin@192.168.86.121 + + + + admin@192.168.86.121 + +
+ + + 1498122209 + pass + wan + inet + + + + + + + + keep state + + icmp + any + +
192.168.86.6
+ + + lan + + + + + admin@192.168.86.6 + + + + admin@192.168.86.6 + +
+ + + 1498129426 + pass + wan + inet + + + + + + + + keep state + + tcp + +
192.168.86.18
+ + + + + + + + admin@192.168.86.6 + + + + admin@192.168.86.23 + +
+ + pass + inet + + lan + 0100000101 + + lan + + + + + + + pass + inet6 + + lan + 0100000102 + + lan + + + + + + + + 1500808129 + pass + lan + inet + + + + + + + + keep state + + tcp + + lan + + + wan + + + + + admin@192.168.86.6 + + + + admin@192.168.86.6 + + + + + lan + + + opt1 + tcp + +
triton
+ web +
+ + nat_5908d2244a91e7.30605837 + 1493750308 + + + NAT Port Forward + +
+ + + lan + + + opt1 + tcp + +
triton
+ web +
+ + nat_59458f70519734.91879734 + 1497730928 + + + NAT Port Forward + +
+ + + lan + + + opt1 + tcp + +
triton
+ web +
+ + nat_594a4d4dc6b478.76146266 + 1498041677 + + + NAT Port Forward + +
+ + + 1497817929 + pass + opt1 + inet + + + + + + + + keep state + + icmp + any + + + + +
128.131.95.208
+
+ + + + Easy Rule + + + + admin@192.168.86.6 + +
+ + + 1497942865 + pass + opt1 + inet + + + + + + + + keep state + + icmp + any + +
128.131.95.206
+ + +
128.131.95.212
+
+ + + + Easy Rule + + + + admin@192.168.86.6 + +
+ + + 1498030651 + pass + opt2 + inet + + + + + + + + keep state + + icmp + any + + + + +
128.130.95.208
+
+ + + + admin@192.168.86.6 + + + + admin@192.168.86.6 + +
+ + + lan + + + opt2 + tcp + +
triton
+ web +
+ + nat_594a2222a1b396.11166902 + 1498030626 + + + NAT Port Forward + +
+ + + + + + +
+ + + + fetalt + host +
192.168.95.12
+ + +
+ + fetruby + host +
192.168.95.11
+ + +
+ + mogok + host +
192.168.95.16
+ + +
+ + triton + host +
192.168.95.10
+ + +
+ + tritonamp + host +
192.168.95.14
+ + +
+ + web + port +
80 443
+ + +
+
+ + + + 1,31 + 0-5 + * + * + * + root + /usr/bin/nice -n20 adjkerntz -a + + + 1 + 3 + 1 + * + * + root + /usr/bin/nice -n20 /etc/rc.update_bogons.sh + + + */60 + * + * + * + * + root + /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout + + + */60 + * + * + * + * + root + /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 webConfiguratorlockout + + + 1 + 1 + * + * + * + root + /usr/bin/nice -n20 /etc/rc.dyndns.update + + + */60 + * + * + * + * + root + /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot + + + 30 + 12 + * + * + * + root + /usr/bin/nice -n20 /etc/rc.update_urltables + + + + + lan + 52:54:00:a9:cf:27 + + + + + + left=system-processor&right=&resolution=300&timePeriod=-1d&startDate=&endDate=&startTime=0&endTime=0&graphtype=line&invert=true&refresh-interval=0 + + + + ICMP + icmp + + + + + TCP + tcp + + + + + HTTP + http + + + / + + 200 + + + + HTTPS + https + + + / + + 200 + + + + SMTP + send + + + + 220 * + + + + + system_information:col1:open,interfaces:col2:open,captive_portal_status:col2:open + 10 + + + + + all + wan + + + + + + + + + transparent + + + + + + + admin@192.168.86.6 + + + + 58e6957796d5e + + server + 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 + 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 + + + + + + wan + dynamic + WAN_DHCP + 1 + inet + + + + opt1 + 128.131.95.1 + WAN_TUGW + 1 + inet + + + + + opt2 + 128.130.95.193 + WLAN_TU2GW2 + 1 + inet + + + + + wan + dynamic + WAN_DHCP6 + 1 + inet6 + + + + + + + + + + lan + + + + opt2ip + web + + tcp + triton + web + opt2 + + nat_594a2222a1b396.11166902 + + + admin@192.168.86.6 + + + + admin@192.168.86.6 + + + + + lan + + + +
128.131.95.212
+ web +
+ tcp + triton + web + opt1 + + nat_59458f70519734.91879734 + + + admin@192.168.86.6 + + + + admin@192.168.86.6 + +
+ + + lan + + + + opt1ip + web + + tcp + triton + web + opt1 + + nat_5908d2244a91e7.30605837 + + + admin@192.168.86.6 + + + + admin@192.168.86.6 + + + + + lan + + + + wanip + web + + tcp + triton + web + wan + + nat_58eca1cd607012.85095132 + + + admin@192.168.86.6 + + + + admin@192.168.86.6 + + + + + + lan + + + +
128.131.95.201
+ web +
+ tcp + triton + web + opt1 + + nat_594a4d4dc6b478.76146266 + + + admin@192.168.86.6 + + + + admin@192.168.86.6 + +
+ + automatic + +
+ + address=/triton.fet.at/192.168.95.10 +address=/triton.local/192.168.95.10 +address=/git.local/192.168.95.10 +address=/fet.at/192.168.95.10 +address=/www.fet.at/192.168.95.10 +address=/git.triton.fet.at/192.168.95.10 +address=/fet.at/192.168.95.10 +address=/triton-amp.local/192.168.95.14 +address=/maria-storage.local/192.168.95.2 +address=/ldap.local/192.168.86.18 +address=/gagarin.htu.tuwien.ac.at/192.168.86.18 +address=/mogok.local/192.168.95.16 +address=/twikialt.local/192.168.95.12 +address=/fachschaften.local/192.168.95.21 +address=/fet.local/192.168.95.11 + + + fet.at + 192.168.95.10 + + 0 + + + git.triton.fet.at + 192.168.95.10 + + 1 + + + triton.fet.at + 192.168.95.10 + + 2 + + + + + + + + + + + Default + + + + + ipalias + opt1 + 59458efbc450f + + single + 24 + 128.131.95.212 + + + ipalias + opt1 + 594a4e127cd72 + + single + 32 + 128.131.95.201 + + +
diff --git a/doc/configs/wlan-OpenWrt-backup.tar.gz b/doc/configs/wlan-OpenWrt-backup.tar.gz new file mode 100644 index 0000000..ec9d83e Binary files /dev/null and b/doc/configs/wlan-OpenWrt-backup.tar.gz differ diff --git a/doc/kistl.md b/doc/kistl.md new file mode 100644 index 0000000..1e9dd0e --- /dev/null +++ b/doc/kistl.md @@ -0,0 +1,3 @@ +# kistl +## Current config +See [config file](configs/kistl-pfSense-backup.xml) diff --git a/doc/lxc.md b/doc/lxc.md new file mode 100644 index 0000000..2a3f50d --- /dev/null +++ b/doc/lxc.md @@ -0,0 +1,11 @@ +# LXC container +## edit config +```shell +vi /var/lib/lxc/lxc-container-01/config +``` +## manage container +```shell +lxc-start -n lxc-container-01 +lxc-attach -n lxc-container-01 +lxc-stop -n lxc-container-01 +``` diff --git a/doc/miruk.md b/doc/miruk.md new file mode 100644 index 0000000..25278e3 --- /dev/null +++ b/doc/miruk.md @@ -0,0 +1,3 @@ +# miruk +## Current config +See [config file](configs/miruk-pfSense-backup.xml) diff --git a/doc/sojus.md b/doc/sojus.md new file mode 100644 index 0000000..936f824 --- /dev/null +++ b/doc/sojus.md @@ -0,0 +1,15 @@ +# sojus +## create big backup locally +```shell +cryptsetup luksOpen /dev/disk/by-id/ata--part1 ata--part1 +zpool import +zpool import lab +zfs create -o com.sun:auto-snapshot=false lab/backup +borg init -e none /lab/backup/ariane.fet.htu.tuwien.ac.at +./borg create --show-rc --verbose --stats backup@sojus:system::ariane-{now} /zv1/daten /zv1/fotos /zv1/homes +zpool export lab +cryptsetup luksClose ata--part1 +sync +hdparm -y /dev/disk/by-id/ata- +hdparm -C /dev/disk/by-id/ata- +``` diff --git a/doc/wlan.md b/doc/wlan.md new file mode 100644 index 0000000..0824a5e --- /dev/null +++ b/doc/wlan.md @@ -0,0 +1,3 @@ +# wlan +## Current config +See [config file](configs/wlan-OpenWrt-backup.tar.gz) diff --git a/group_vars/all b/group_vars/all index 4ae9703..a33100b 100644 --- a/group_vars/all +++ b/group_vars/all 
@@ -29,9 +29,6 @@ common_locales: - name: 'de_AT.UTF-8' state: "present" - -# apt-get common config -common_apt: True common_apt_repositories: - "deb http://cdn.debian.net/debian/ {{ ansible_distribution_release }} main contrib non-free" - "deb http://cdn.debian.net/debian/ {{ ansible_distribution_release }}-backports main contrib non-free" 
@@ -40,10 +37,10 @@ common_apt_repositories: common_vim_default: False common_openssh_keys_root: - - "ssh-rsa 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 damadmai@fet.at" - - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmv/aixvhRzeQiD3XABD448WHW2sHSX5wj5TkqKmHG3MekovCjacEDwAEdH+3MzXzbQXCD8NOHxlvRsqfzsaIZw6al+i7hd7xeYzRAITeXAod/eQNJY71Czh1xt/rtfjgVrwFKe6kUo+RqUUBxOXjKNtCROxvsa/gxTSJD4xz/TGOTM7EbRfkOGBh3j/xmdBinURTACwKwHCR4SUnpAA7usY/QQGW22Nqczvj9SW1Un0TnYpMm7jAghGo7pvwInTerbbA2OQ07QEp9T/mAbPUks5QGEw1lwMZgEtl0EZrKxDoWjssGPw5ZA6RzwIggjuEN1zzE+pn9jWL+9sd2Tihr pet@fet.at" - - "ssh-rsa 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 hans@fet.at" - - "ssh-rsa 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 andis@fet.at" - - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKrEdkD1Oecw++r77MVrga1e20FA+e/O37rhMc0etS5MvlbsAHd6Ftx2SIXVtwDnHDzyUAOJb8WlYPdG5r/QJYtXgVMGZrZ31UFdlAZq3K8ytczKkcMgnEEOWYSSyQRJlEW5LkZ9tD0hv1myIg5iw6Vpuqe6YFSkdDHtGxf0lnLAfi1XKwu7b7tARJz7teOAjaFzXumvsZlFx9BdufMW32uu7BSYWjSGcrEzMyyB/5C3kU/d5Q1ZTNK6tceopFr/K1lKBzvj85safD5BH8NpjvLe1QkzHu+C0AVxYNtqGHI5oWJbcR+UOwelBeEM/On+/Xq0ZIVmiLmFx03Qun8t1n berni@fet.at" - - 'no-pty,no-agent-forwarding,no-X11-forwarding,command="shutdown -h +1" ssh-rsa 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 nut ups shutdown' - + - key: "ssh-rsa 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 damadmai@fet.at" + - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmv/aixvhRzeQiD3XABD448WHW2sHSX5wj5TkqKmHG3MekovCjacEDwAEdH+3MzXzbQXCD8NOHxlvRsqfzsaIZw6al+i7hd7xeYzRAITeXAod/eQNJY71Czh1xt/rtfjgVrwFKe6kUo+RqUUBxOXjKNtCROxvsa/gxTSJD4xz/TGOTM7EbRfkOGBh3j/xmdBinURTACwKwHCR4SUnpAA7usY/QQGW22Nqczvj9SW1Un0TnYpMm7jAghGo7pvwInTerbbA2OQ07QEp9T/mAbPUks5QGEw1lwMZgEtl0EZrKxDoWjssGPw5ZA6RzwIggjuEN1zzE+pn9jWL+9sd2Tihr pet@fet.at" + - key: "ssh-rsa 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 hans@fet.at" + - key: "ssh-rsa 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 andis@fet.at" + - key: "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDKrEdkD1Oecw++r77MVrga1e20FA+e/O37rhMc0etS5MvlbsAHd6Ftx2SIXVtwDnHDzyUAOJb8WlYPdG5r/QJYtXgVMGZrZ31UFdlAZq3K8ytczKkcMgnEEOWYSSyQRJlEW5LkZ9tD0hv1myIg5iw6Vpuqe6YFSkdDHtGxf0lnLAfi1XKwu7b7tARJz7teOAjaFzXumvsZlFx9BdufMW32uu7BSYWjSGcrEzMyyB/5C3kU/d5Q1ZTNK6tceopFr/K1lKBzvj85safD5BH8NpjvLe1QkzHu+C0AVxYNtqGHI5oWJbcR+UOwelBeEM/On+/Xq0ZIVmiLmFx03Qun8t1n berni@fet.at" + - key: 'no-pty,no-agent-forwarding,no-X11-forwarding,command="shutdown -h +1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCiI41+XkobMT0K8ZrHdCeomdGAIRMZbdX1VjGe5OWa72rcaDFmBtK7MxD5xPZEdSaDkn+Nrpwv5/j10MccvkAOI/tx6PIxcgDF52FnHLMMVrXRM3cnkm9CrBi4kCN0D2fpbDLhknJhiqftIcPdct/a9foZQwkWOzGUN2Rk0mCw2QzkGyWHNxOMzMjV0gpfAWPv6Jg+JKDl5EHf2xJTeJ/l0TG6O0lsc5YY/7cqjRJJzTVFDo1Gy+qNgff0mbPrhcbWepG5R1tjkdT++f8uuoVkBUamwkjwDpH2y57sdESEPB0C5ES2cglOp2X3MMN7EnUBHYU3mMiYU0wV+b7Q3oKmQuG86a2D+yEp+0+WFaUY/TMCNpslGOtTBrNLshMIX/bnrx/aF9DApl9L/kUIlSxwwBNiPIl4VVU1p5Zzj/YAPvRl0kAKjosOZgl108JeRUbhQSGVrcODyhaIMQv4BAzHnV0kii7jNACHhqBR36eo3N6HX7GkbnU1YadZRcrxrpE9z9mrXuqWxzl4Cmz1yHb1JTwsnQQ2Dy0trIklQjEmLxvG8zpxHLV3EQmtIMK/g2Mk6VTdz9HZnwYLU7Mj/uZk0DWhTZ5Eyj6QAbcw2gLPLEUmdQhkHSoQKxHY0at3OjGFGydyc/3n7B7d578uxVBrp04uhTbW7SDi6mYGCkvCRQ== nut ups shutdown' + state: present diff --git a/group_vars/fet_hosts b/group_vars/fet_hosts index 2d07311..2793ed5 100644 --- a/group_vars/fet_hosts +++ b/group_vars/fet_hosts @@ -24,9 +24,11 @@ common_basic_packages: - python3-apt - python3-pycurl # extra - - lshw - - gdisk + - cgroupfs-mount - cryptsetup + - fuse + - gdisk + - lshw - nvme-cli common_sysctl: True diff --git a/group_vars/fet_lxc_void b/group_vars/fet_lxc_void index 3f9a804..982e651 100644 --- a/group_vars/fet_lxc_void +++ b/group_vars/fet_lxc_void @@ -1,2 +1,19 @@ --- common_apt: False +common_xbps: True +common_basic_packages: + - curl + - ncurses-term + - etckeeper + - git + - htop + - logrotate + - ncdu + - rsync + - strace + - sudo + - screen + - tmux + - tree + - vim + - zsh 
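Review bot: The `nut ups shutdown` entry (last `- key:` item in the rewritten `common_openssh_keys_root` list) forces `shutdown -h +1` but its option string omits `no-port-forwarding`, so the key can still open TCP forwardings through the host while the forced command runs, and no `from=` clause limits which host may present it. The catch-all option plus a source restriction closes both: `'restrict,from="<UPS_HOST_IP>",command="shutdown -h +1" ssh-rsa …'` (`restrict` covers pty, agent/X11/port forwarding and user-rc in one keyword; on an older sshd spell it out as `no-pty,no-agent-forwarding,no-X11-forwarding,no-port-forwarding`). Only the final item is followed by `state: present` — indentation is lost in this view, but if the role expects `state` per entry the other five should carry it too, or the intent that it is a list-level default should be commented.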
diff --git a/host_vars/ariane b/host_vars/ariane index 09f5f7d..e33661f 100644 --- a/host_vars/ariane +++ b/host_vars/ariane @@ -2,6 +2,7 @@ inventory_hostname: ariane.fet.htu.tuwien.ac.at inventory_hostname_short: ariane +common_interfaces: interfaces_ariane.j2 common_iptables_v4: "iptables_ariane_v4.j2" common_iptables_v6: "iptables_ariane_v6.j2" @@ -33,6 +34,28 @@ lxc: - lxc.network.hwaddr = 2e:6d:b6:07:15:01 - lxc.pts = 6 + - name: progress + revision: "01" + template: voidlinux + config: + - lxc.network.type = veth + - lxc.network.hwaddr = 2e:6d:b6:07:19:01 + - lxc.network.link = br0 + - lxc.network.flags = up + - lxc.pts = 6 + - lxc.mount.entry = /zv1/daten/Scans /var/lib/lxc/lxc-progress-01/rootfs/mnt/scans none bind,create=dir 0 0 + + - name: sojus + revision: "01" + template: voidlinux + config: + - lxc.network.type = veth + - lxc.network.hwaddr = 2e:6d:b6:07:17:01 + - lxc.network.link = br0 + - lxc.network.flags = up + - lxc.pts = 6 + - lxc.mount.entry = /zv1/sojus /var/lib/lxc/lxc-sojus-01/rootfs/home/backup/repos none bind,create=dir 0 0 + - name: proteus revision: "01" template: debian diff --git a/host_vars/backup01 b/host_vars/backup01 deleted file mode 100644 index 7b9530f..0000000 --- a/host_vars/backup01 +++ /dev/null @@ -1 +0,0 @@ -inventory_hostname_short: backup01 \ No newline at end of file diff --git a/host_vars/baroness b/host_vars/baroness new file mode 100644 index 0000000..afd8f40 --- /dev/null +++ b/host_vars/baroness 
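Review bot: The new `sojus` container entry sets `lxc.network.hwaddr = 2e:6d:b6:07:17:01`, but the kistl pfSense backup added in this same commit maps the DHCP static lease for `sojus` (192.168.86.47) to `ee:ee:ee:ee:ee:ee`, so if that backup is current the container will not receive its reserved address and anything keyed to it will not apply. Align one side — the hwaddr here or the `<staticmap>` on kistl — and do the same check for `progress` (`2e:6d:b6:07:19:01`), which has no lease in the backup at all. The two bind mounts (`/zv1/sojus` into `/home/backup/repos`, `/zv1/daten/Scans` into `/mnt/scans`) carry no `nosuid,nodev` options; for data directories they cost nothing, e.g. `lxc.mount.entry = /zv1/sojus /var/lib/lxc/lxc-sojus-01/rootfs/home/backup/repos none bind,nosuid,nodev,create=dir 0 0`. The enclosing `lxc:` list starts outside the hunk.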
@@ -0,0 +1,42 @@ +inventory_hostname: baroness.fet.htu.tuwien.ac.at +inventory_hostname_short: baroness + +borgbackup_binary_version: "1.1.6" +borgbackup_binary_platform: "armv6" +borgbackup_binary_uri: "https://borg.bauerj.eu/borg-{{ borgbackup_binary_version }}-{{ borgbackup_binary_platform }}" + +borgbackup_encryption_mode: "none" + +borgbackup_client_backup_server: sojus + +borgbackup_create_jobs: + - name: system + options: "--lock-wait 1800" + day: "*" + hour: "*" # default value = 1 + minute: 0 # default value = 0 + random_minute: 59 # default value : ignore randomization + directories: + - "/home/pi/baroness" + excludes: [] + +borgbackup_prune_enabled: yes +borgbackup_prune_jobs: + - name: system + prune_options: "--lock-wait 1800 --keep-daily=750 --keep-weekly=52 --keep-monthly=24 --keep-yearly=-1" + day: "*" + hour: 12 # default value = 1 + minute: 0 # default value = 0 + random_hour: 5 # default value : ignore randomization + random_minute: 59 # default value : ignore randomization + +borgbackup_check_enabled: yes +borgbackup_check_jobs: + - name: system + check_options: "--lock-wait 28800" + day: 1 + hour: 12 # default value = 1 + minute: 0 # default value = 0 + random_hour: 5 # default value : ignore randomization + random_minute: 59 # default value : ignore randomization + random_day: 27 # default value : ignore randomization diff --git a/host_vars/lxc-betam-01 b/host_vars/betam similarity index 100% rename from host_vars/lxc-betam-01 rename to host_vars/betam diff --git a/host_vars/buran b/host_vars/buran new file mode 100644 index 0000000..52809fb --- /dev/null +++ b/host_vars/buran 
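Review bot: `borgbackup_binary_uri` fetches a third-party build (`https://borg.bauerj.eu/borg-1.1.6-armv6`) and nothing in these vars pins a checksum or signature for it, so the binary that runs as the backup client on baroness and pushes to `sojus` is whatever that server serves at install time. If the role exposes a checksum variable (its name is not visible here), set it to the published sha256 for 1.1.6/armv6; otherwise vendor a verified copy and point the URI at it. `borgbackup_encryption_mode: "none"` here, in `host_vars/buran` and in `host_vars/maria-storage` means the repositories on sojus (bind-mounted from `/zv1/sojus` on ariane per the same commit) are readable by anyone with access to that dataset; if that is the intended on-site trade-off, a one-line comment above the key such as `# repos never leave the site; confidentiality relies on access control of /zv1/sojus` records the decision.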
@@ -0,0 +1,44 @@ +inventory_hostname: buran.fet.htu.tuwien.ac.at +inventory_hostname_short: buran + +borgbackup_install_from_repo: False +borgbackup_binary_platform: "borg-linux32" + +borgbackup_encryption_mode: "none" + +borgbackup_client_backup_server: sojus + +borgbackup_create_jobs: + - name: system + options: "--lock-wait 7200" + day: "*" + hour: 0 # default value = 1 + minute: 0 # default value = 0 + random_hour: 5 # default value : ignore randomization + random_minute: 59 # default value : ignore randomization + directories: + - "/var/lib/cyrus" + - "/var/spool/cyrus/mail" + - "/var/spool/sieve" + excludes: [] + +borgbackup_prune_enabled: yes +borgbackup_prune_jobs: + - name: system + prune_options: "--lock-wait 7200 --keep-daily=7 --keep-weekly=4 --keep-monthly=12 --keep-yearly=-1" + day: "*" + hour: 12 # default value = 1 + minute: 0 # default value = 0 + random_hour: 5 # default value : ignore randomization + random_minute: 59 # default value : ignore randomization + +borgbackup_check_enabled: yes +borgbackup_check_jobs: + - name: system + check_options: "--lock-wait 28800" + day: 1 + hour: 12 # default value = 1 + minute: 0 # default value = 0 + random_hour: 5 # default value : ignore randomization + random_minute: 59 # default value : ignore randomization + random_day: 27 # default value : ignore randomization diff --git a/host_vars/lxc-laika-01 b/host_vars/laika similarity index 100% rename from host_vars/lxc-laika-01 rename to host_vars/laika diff --git a/host_vars/maria-storage b/host_vars/maria-storage new file mode 100644 index 0000000..486f8dc --- /dev/null +++ b/host_vars/maria-storage 
@@ -0,0 +1,42 @@ +inventory_hostname: maria-storage.fet.htu.tuwien.ac.at +inventory_hostname_short: maria-storage + +borgbackup_install_from_repo: False + +borgbackup_encryption_mode: "none" + +borgbackup_client_backup_server: sojus + +borgbackup_create_jobs: + - name: system + options: "--lock-wait 7200" + day: "*" + hour: 0 # default value = 1 + minute: 0 # default value = 0 + random_hour: 5 # default value : ignore randomization + random_minute: 59 # default value : ignore randomization + directories: + - "/var/lib/mysql" + - "/srv/save" + excludes: [] + +borgbackup_prune_enabled: yes +borgbackup_prune_jobs: + - name: system + prune_options: "--lock-wait 7200 --keep-daily=7 --keep-weekly=4 --keep-monthly=12 --keep-yearly=-1" + day: "*" + hour: 12 # default value = 1 + minute: 0 # default value = 0 + random_hour: 5 # default value : ignore randomization + random_minute: 59 # default value : ignore randomization + +borgbackup_check_enabled: yes +borgbackup_check_jobs: + - name: system + check_options: "--lock-wait 28800" + day: 1 + hour: 12 # default value = 1 + minute: 0 # default value = 0 + random_hour: 5 # default value : ignore randomization + random_minute: 59 # default value : ignore randomization + random_day: 27 # default value : ignore randomization diff --git a/host_vars/nauka b/host_vars/nauka new file mode 100644 index 0000000..9e184cf --- /dev/null +++ b/host_vars/nauka 
@@ -0,0 +1,42 @@ +inventory_hostname: nauka.fet.htu.tuwien.ac.at +inventory_hostname_short: nauka + +borgbackup_install_from_repo: False + +borgbackup_encryption_mode: "none" + +borgbackup_client_backup_server: sojus + +borgbackup_create_jobs: + - name: system + options: "--lock-wait 7200" + day: "*" + hour: 0 # default value = 1 + minute: 0 # default value = 0 + random_hour: 5 # default value : ignore randomization + random_minute: 59 # default value : ignore randomization + directories: + - "/var/lib/mysql" + - "/var/www" + excludes: [] + +borgbackup_prune_enabled: yes +borgbackup_prune_jobs: + - name: system + prune_options: "--lock-wait 7200 --keep-daily=7 --keep-weekly=4 --keep-monthly=12 --keep-yearly=-1" + day: "*" + hour: 12 # default value = 1 + minute: 0 # default value = 0 + random_hour: 5 # default value : ignore randomization + random_minute: 59 # default value : ignore randomization + +borgbackup_check_enabled: yes +borgbackup_check_jobs: + - name: system + check_options: "--lock-wait 28800" + day: 1 + hour: 12 # default value = 1 + minute: 0 # default value = 0 + random_hour: 5 # default value : ignore randomization + random_minute: 59 # default value : ignore randomization + random_day: 27 # default value : ignore randomization diff --git a/host_vars/lxc-pet-01 b/host_vars/pet similarity index 100% rename from host_vars/lxc-pet-01 rename to host_vars/pet diff --git a/host_vars/progress b/host_vars/progress new file mode 100644 index 0000000..9551b87 --- /dev/null +++ b/host_vars/progress @@ -0,0 +1,6 @@ +inventory_hostname: progress.fet.htu.tuwien.ac.at +inventory_hostname_short: progress + +common_iptables_v4: "iptables_progress_v4.j2" +common_iptables_v6: "iptables_progress_v6.j2" +printer_ip: 192.168.86.14 diff --git a/host_vars/lxc-proteus-01 b/host_vars/proteus similarity index 100% rename from host_vars/lxc-proteus-01 rename to host_vars/proteus diff --git a/host_vars/sojus b/host_vars/sojus new file mode 100644 index 0000000..3972b5d 
--- /dev/null
+++ b/host_vars/sojus
@@ -0,0 +1,7 @@
+inventory_hostname: sojus.fet.htu.tuwien.ac.at
+inventory_hostname_short: sojus
+
+borgbackup_install_from_repo: True
+borgbackup_binary: "/usr/bin/borg"
+
+borgbackup_encryption_mode: "none"
diff --git a/host_vars/lxc-zyklon-01 b/host_vars/zyklon
similarity index 100%
rename from host_vars/lxc-zyklon-01
rename to host_vars/zyklon
diff --git a/hosts/production b/hosts/production
index 6ab8a92..7dfd430 100644
--- a/hosts/production
+++ b/hosts/production
@@ -13,5 +13,15 @@ all:
 fet_lxc_void:
 hosts:
 zyklon:
+ sojus:
+ progress:
+ fet_qemu:
+ hosts:
+ maria-storage:
+ buran:
+ nauka:
+ fet_pi:
+ hosts:
+ baroness:
 vars:
 ansible_python_interpreter=/usr/bin/python3
diff --git a/roles/backup/defaults/main.yml b/roles/backup/defaults/main.yml
deleted file mode 100644
index 81d832e..0000000
--- a/roles/backup/defaults/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-backup_borg: True
\ No newline at end of file
diff --git a/roles/backup/tasks/borg.yml b/roles/backup/tasks/borg.yml
deleted file mode 100644
index 4fad2c2..0000000
--- a/roles/backup/tasks/borg.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-- name: install borg
- package: name="borgbackup" state=present
-
-- name: create repositories
- file:
- path: "{{item.path}}"
- state: directory
- with_items: "{{backup.repositories}}"
-
-- name: init borg repositories
- command: "borg init {{item.path}} --encryption=none"
- args:
- creates: "{{item.path}}/README"
- with_items: "{{backup.repositories}}"
-
-- name: create READMES
- template:
- src=borg_README.j2
- dest="{{item.path}}/README"
- with_items: "{{backup.repositories}}"
diff --git a/roles/backup/tasks/main.yml b/roles/backup/tasks/main.yml
deleted file mode 100644
index 83441d1..0000000
--- a/roles/backup/tasks/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- import_tasks: borg.yml
- when: backup_borg
- tags: ['backup', 'borg']
diff --git a/roles/backup/templates/borg_README.j2 b/roles/backup/templates/borg_README.j2 deleted file mode 100644 index 349390f..0000000 --- a/roles/backup/templates/borg_README.j2 +++ /dev/null @@ -1,2 +0,0 @@ -This is a generate FET borg repository. -Name: {{item.name}} \ No newline at end of file diff --git a/roles/backupclient/defaults/main.yml b/roles/backupclient/defaults/main.yml deleted file mode 100644 index 81d832e..0000000 --- a/roles/backupclient/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -backup_borg: True \ No newline at end of file diff --git a/roles/backupclient/tasks/borg.yml b/roles/backupclient/tasks/borg.yml deleted file mode 100644 index 451b60c..0000000 --- a/roles/backupclient/tasks/borg.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -- name: install borg - package: name="borgbackup" state=present - -- name: create backup user - user: - name: borg_backup - comment: "BackupUser für BORG Backup" - group: root - generate_ssh_key: yes - ssh_key_bits: 4096 - ssh_key_file: .ssh/id_rsa - -- name: fetch pubickey - shell: "cat /home/borg_backup/.ssh/id_rsa.pub" - register: id_rsa_pub - changed_when: false - -- name: Add authorized key to borg backup servers - authorized_key: - user: "root" - key: "{{id_rsa_pub.stdout}}" - key_options: 'command="borg serve --restrict-to-path /srv/rep1"' - delegate_to: "{{item}}" - with_items: "{{groups['backup']}}" - when: id_rsa_pub.stdout is defined - diff --git a/roles/backupclient/tasks/main.yml b/roles/backupclient/tasks/main.yml deleted file mode 100644 index 83441d1..0000000 --- a/roles/backupclient/tasks/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- import_tasks: borg.yml - when: backup_borg - tags: ['backup', 'borg'] diff --git a/roles/borg_client/.travis.yml b/roles/borg_client/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/roles/borg_client/.travis.yml 
@@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/borg_client/LICENSE b/roles/borg_client/LICENSE new file mode 100644 index 0000000..8dada3e --- /dev/null +++ b/roles/borg_client/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/roles/borg_client/README.md b/roles/borg_client/README.md new file mode 100644 index 0000000..ff482ee --- /dev/null +++ b/roles/borg_client/README.md 
@@ -0,0 +1,59 @@ +Borgbackup +========== + +Ansible [Borgbackup](https://borgbackup.readthedocs.io/en/stable/) role. + +Features: + * Repository or binary installation + * Schedules regular backup jobs + * Schedules regular prune jobs to keep backup windows clean + * Flexible configuration to list backup targets + +Role Variables +-------------- + +see `defaults/main.yml` + +Example Playbook +---------------- + + - hosts: all + roles: + - role: SphericalElephant.borgbackup + borgbackup_client: True + borgbackup_client_backup_server: backup01.example.com + borgbackup_create_jobs: + - name: system + day: "*" + hour: "0" + minute: "{{ 59 | random }}" + directories: + - /etc + - /home + - /var + excludes: + - 're:^/var/lib/apt' + - 're:^/var/[^/]+\/cache/' + borgbackup_prune_jobs: + - name: system + prune_options: "--keep-daily=7 --keep-weekly=4" + day: "*" + hour: "8" + minute: "0" + borgbackup_check_jobs: + - name: system + check_options: "--lock-wait 28800" + day: "1" + hour: "12" + minute: "0" + + +You can easily assign client and server attributes from your inventory with something similar to the following: + + borgbackup_client: "{{ (inventory_hostname in groups.borgbackup_server)|ternary(False, True) }}" + borgbackup_client_backup_server: "{{ groups.borgbackup_server[0] }}" + +License +------- + +Apache 2.0 diff --git a/roles/borg_client/defaults/main.yml b/roles/borg_client/defaults/main.yml new file mode 100644 index 0000000..ddaded0 --- /dev/null +++ b/roles/borg_client/defaults/main.yml 
@@ -0,0 +1,77 @@ +--- +borgbackup_install_from_repo: False +borgbackup_binary_version: "1.1.6" +borgbackup_binary_platform: "borg-linux64" +borgbackup_binary_uri: "https://github.com/borgbackup/borg/releases/download/{{ borgbackup_binary_version }}/{{ borgbackup_binary_platform }}" +borgbackup_binary: "/usr/local/bin/borg" + +borgbackup_encryption_mode: "none" +borgbackup_passphrase: "yoursecret" + +borgbackup_server_user: "backup" +borgbackup_server_group: "backup" +borgbackup_server_home: "/home/backup" +borgbackup_server_pool: "{{ borgbackup_server_home }}/repos" + +borgbackup_client_ssh_key_type: '{{ "ed25519" + if ("ssh-ed25519" in borgbackup_register_key_types.stdout_lines) + else "rsa" }}' + +borgbackup_client_ssh_key_file: "/root/.ssh/id_{{ borgbackup_client_ssh_key_type }}-backup" +borgbackup_client_ssh_key_comment: 'root@{{ ansible_hostname }} generated by Ansible' +borgbackup_client_scripts_dir: "/etc/borg" + +borgbackup_client_lastlog_dir: "/var/log/borg" + +# backup server IP or FQDN used during ansible installation AND backup operation. +borgbackup_client_backup_server: + +# if defined, IP or FQDN used on backup operation. Usefull in case of LAN-free backup +#borgbackup_client_backup_server_lanfreebackup: + +# you have to set at least a "create" job. +# "prune" and "checks" jobs are optionnal, but you should use it too. 
+borgbackup_create_jobs: + +# borgbackup jobs examples : +#borgbackup_create_jobs: +# - name: system +# options: "--lock-wait 7200 --compression lzma" +# day: "*" +# hour: 0 # default value = 1 +# minute: 0 # default value = 0 +# random_hour: 5 # default value : ignore randomization +# random_minute: 59 # default value : ignore randomization +# directories: +# - "/etc/" +# - "/home" +# excludes: [] + +borgbackup_prune_enabled: yes +#borgbackup_prune_jobs: +# - name: system +# prune_options: "--lock-wait 7200 --keep-daily=7 --keep-weekly=4 --keep-monthly=12 --keep-yearly=-1" +# day: "*" +# hour: 12 # default value = 1 +# minute: 0 # default value = 0 +# random_hour: 5 # default value : ignore randomization +# random_minute: 59 # default value : ignore randomization + +borgbackup_check_enabled: yes +#borgbackup_check_jobs: +# - name: system +# check_options: "--lock-wait 28800" +# day: 1 +# hour: 12 # default value = 1 +# minute: 0 # default value = 0 +# random_hour: 5 # default value : ignore randomization +# random_minute: 59 # default value : ignore randomization +# random_day: 27 # default value : ignore randomization + +# about random : +# TL;DR : if 'random_hour' is set, then 'hour' will be set by a random value within range 'hour' up to 'hour+random_hour' +# purpose is to set indempotent random crontab values. Usefull when many jobs are croned toward a small number of repository servers. +# random_hour : if defined, a indempotent random value is computed between 0 and the value specified. +# Then, the crontab hour will be addition of hour and random_hour. +# a modulo 24 is applied in order to ensure valid hour are specified. +# random_minute and random_day works the same way. diff --git a/roles/borg_client/meta/main.yml b/roles/borg_client/meta/main.yml new file mode 100644 index 0000000..fc83234 --- /dev/null +++ b/roles/borg_client/meta/main.yml 
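Review bot: `borgbackup_passphrase: "yoursecret"` is a working default for a secret, not a placeholder: with `borgbackup_encryption_mode` left at `none` it is inert, but the moment a host switches to a key-based mode without overriding it, `borg init` silently creates the repository under a passphrase that anyone who has read this role knows, and the create/prune/check templates write that value into every job script. Default it to `""` instead and let the init task `assert` that it is non-empty whenever `borgbackup_encryption_mode != "none"`, so a forgotten override fails at deploy time rather than at restore time. The explanatory comments also carry a few spelling slips worth fixing while here — `optionnal`, `Usefull`, `indempotent` → `optional`, `Useful`, `idempotent`.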
@@ -0,0 +1,20 @@
+galaxy_info:
+ author: Farhad Shahbazi
+ description: Borgbackup
+ company: Spherical Elephant GmbH
+ license: Apache
+ min_ansible_version: 2.1
+ platforms:
+ - name: Ubuntu
+ versions:
+ - all
+ - name: Debian
+ versions:
+ - jessie
+ - sid
+ - stretch
+ - name: Archlinux
+ galaxy_tags:
+ - backup
+
+dependencies: []
diff --git a/roles/borg_client/tasks/borgbackup_client.yml b/roles/borg_client/tasks/borgbackup_client.yml
new file mode 100644
index 0000000..c2955ba
--- /dev/null
+++ b/roles/borg_client/tasks/borgbackup_client.yml
@@ -0,0 +1,191 @@ +--- +- name: check available SSH key types + shell: ssh -Q key 2>/dev/null || echo "ssh-rsa" + register: borgbackup_register_key_types + changed_when: False + check_mode: no + +- name: generate backup ssh-key + user: + name: root + ssh_key_file: "{{ borgbackup_client_ssh_key_file }}" + ssh_key_type: "{{ borgbackup_client_ssh_key_type }}" + ssh_key_comment: "{{ borgbackup_client_ssh_key_comment }}" + ssh_key_bits: 4096 + generate_ssh_key: yes + +- name: fetch backup ssh-pubkey + command: "cat {{ borgbackup_client_ssh_key_file }}.pub" + check_mode: no + register: borgbackup_client_ssh_pubkey_file + changed_when: False + +- name: add ssh-pubkey to backup server + delegate_to: "{{ borgbackup_client_backup_server }}" + # Start the delegate from the ansible master to avoid distributing more keys + connection: local + authorized_key: + user: "{{ borgbackup_server_user }}" + key: "{{ borgbackup_client_ssh_pubkey_file.stdout }}" + key_options: 'command="cd {{ borgbackup_server_pool }}/{{ inventory_hostname }};borg serve --restrict-to-path {{ borgbackup_server_pool }}/{{ inventory_hostname }}",restrict' + +- name: create repo path for host + delegate_to: "{{ borgbackup_client_backup_server }}" + # Start the delegate from the ansible master to avoid distributing more keys + connection: local + file: + path: "{{ borgbackup_server_pool }}/{{ inventory_hostname }}" + owner: "{{ borgbackup_server_user }}" + group: "{{ borgbackup_server_group }}" + mode: 0700 + state: directory + +- name: backup scripts dir + file: + path: "{{ borgbackup_client_scripts_dir }}" + owner: root + group: root + mode: 0750 + state: directory + +- name: backup supervision lastlog dir + file: + path: "{{ borgbackup_client_lastlog_dir }}" + owner: root + group: root + mode: 0755 + state: directory + +- name: check if the repositories already exist + command: "{{ borgbackup_binary }} list {{ borgbackup_server_user }}@{{ borgbackup_client_backup_server_lanfreebackup | 
default(borgbackup_client_backup_server) }}:{{ item.name }}" + environment: + - BORG_RSH: "ssh -o StrictHostKeyChecking=no -i {{ borgbackup_client_ssh_key_file }}" + - BORG_PASSPHRASE: "{{ borgbackup_passphrase }}" + with_items: "{{ borgbackup_create_jobs }}" + register: list_repos + failed_when: False + changed_when: False + check_mode: no + +- name: initialize empty list of initialized repositories + set_fact: + initialized_repos: [] + +- name: store only initialized repositories in the list + set_fact: + initialized_repos: "{{ initialized_repos }} + [ '{{ item.item.name }}' ]" + with_items: "{{ list_repos.results }}" + when: item.rc == 0 + +- name: initialize repositories + command: "{{ borgbackup_binary }} init --encryption {{ borgbackup_encryption_mode }} {{ borgbackup_server_user }}@{{ borgbackup_client_backup_server_lanfreebackup | default(borgbackup_client_backup_server) }}:{{ item.name }}" + environment: + - BORG_RSH: "ssh -o StrictHostKeyChecking=no -i {{ borgbackup_client_ssh_key_file }}" + - BORG_PASSPHRASE: "{{ borgbackup_passphrase }}" + with_items: "{{ borgbackup_create_jobs }}" + register: borgbackup_initialize_result + failed_when: (borgbackup_initialize_result.rc != 0) and (borgbackup_initialize_result.stderr != "") and ('already exists' not in borgbackup_initialize_result.stderr) + when: item.name not in initialized_repos + +- name: generate filename for create / prune / check scripts + set_fact: + create_suffix_script_filename: "create_{{ borgbackup_client_backup_server.split('.')[0] }}" + prune_suffix_script_filename: "prune_{{ borgbackup_client_backup_server.split('.')[0] }}" + check_suffix_script_filename: "check_{{ borgbackup_client_backup_server.split('.')[0] }}" + +# +# borg create scripts +# +- name: deploy borg create scripts + template: + dest: "{{ borgbackup_client_scripts_dir }}/{{ item.name }}_{{ create_suffix_script_filename }}.sh" + src: create_job.sh.j2 + owner: root + group: root + mode: 0700 + with_items: "{{ 
borgbackup_create_jobs }}" + +- name: schedule borg create scripts on cron + cron: + name: "borg backup {{ item.name }}" + user: root + job: "{{ borgbackup_client_scripts_dir }}/{{ item.name }}_{{ create_suffix_script_filename }}.sh 2>&1 | /usr/bin/logger -t borgbackup" + day: "{{ (item.day | default(1)) + (item.random_day | random(seed=item.name + check_suffix_script_filename + ansible_host))%28 if item.random_day is defined else item.day | default('*') }}" + hour: "{{ (item.hour | default(1)) + (item.random_hour | random(seed=item.name + create_suffix_script_filename + ansible_host))%24 if item.random_hour is defined else item.hour | default(1) }}" + minute: "{{ (item.minute | default(0)) + (item.random_minute | random(seed=ansible_host + item.name + create_suffix_script_filename))%60 if item.random_minute is defined else item.minute | default(0) }}" + state: present + cron_file: "borgbackup_{{ item.name }}_{{ create_suffix_script_filename }}" + with_items: "{{ borgbackup_create_jobs }}" + +- name: deploy borg create fake logs, when no log yet + shell: echo -ne "FAKE LOG\nterminating with success status, rc 0\n" | tee "{{ borgbackup_client_lastlog_dir }}/{{ item.name }}_{{ create_suffix_script_filename }}.lastlog" + args: + chdir: "{{ borgbackup_client_lastlog_dir }}" + creates: "{{ borgbackup_client_lastlog_dir }}/{{ item.name }}_{{ create_suffix_script_filename }}.lastlog" + with_items: "{{ borgbackup_create_jobs }}" + +# +# borg prune scripts +# +- name: deploy borg prune scripts + template: + dest: "{{ borgbackup_client_scripts_dir }}/{{ item.name }}_{{ prune_suffix_script_filename }}.sh" + src: prune_job.sh.j2 + owner: root + group: root + mode: 0700 + with_items: "{{ borgbackup_prune_jobs }}" + when: borgbackup_prune_enabled + +- name: schedule borg prune scripts on cron + cron: + name: "borg prune {{ item.name }}" + user: root + job: "{{ borgbackup_client_scripts_dir }}/{{ item.name }}_{{ prune_suffix_script_filename }}.sh 2>&1 | /usr/bin/logger -t 
borgbackup" + day: "{{ (item.day | default(1)) + (item.random_day | random(seed=item.name + check_suffix_script_filename + ansible_host))%28 if item.random_day is defined else item.day | default('*') }}" + hour: "{{ (item.hour | default(1)) + (item.random_hour | random(seed=item.name + prune_suffix_script_filename + ansible_host))%24 if item.random_hour is defined else item.hour | default(2) }}" + minute: "{{ (item.minute | default(0)) + (item.random_minute | random(seed=ansible_host + item.name + prune_suffix_script_filename))%60 if item.random_minute is defined else item.minute | default(0) }}" + state: present + cron_file: "borgbackup_{{ item.name }}_{{ prune_suffix_script_filename }}" + with_items: "{{ borgbackup_prune_jobs }}" + when: borgbackup_prune_enabled + +- name: deploy borg prune fake logs, when no log yet + shell: echo -ne "FAKE LOG\nterminating with success status, rc 0\n" | tee "{{ borgbackup_client_lastlog_dir }}/{{ item.name }}_{{ prune_suffix_script_filename }}.lastlog" + args: + chdir: "{{ borgbackup_client_lastlog_dir }}" + creates: "{{ borgbackup_client_lastlog_dir }}/{{ item.name }}_{{ prune_suffix_script_filename }}.lastlog" + with_items: "{{ borgbackup_prune_jobs }}" + +# +# borg check scripts +# +- name: deploy borg check scripts + template: + dest: "{{ borgbackup_client_scripts_dir }}/{{ item.name }}_{{ check_suffix_script_filename }}.sh" + src: check_job.sh.j2 + owner: root + group: root + mode: 0700 + with_items: "{{ borgbackup_check_jobs }}" + when: borgbackup_check_enabled + +- name: schedule borg check scripts on cron + cron: + name: "borg check {{ item.name }}" + user: root + job: "{{ borgbackup_client_scripts_dir }}/{{ item.name }}_{{ check_suffix_script_filename }}.sh 2>&1 | /usr/bin/logger -t borgbackup" + day: "{{ (item.day | default(1)) + (item.random_day | random(seed=item.name + check_suffix_script_filename + ansible_host))%28 if item.random_day is defined else item.day | default(1) }}" + hour: "{{ (item.hour | default(1)) + 
(item.random_hour | random(seed=item.name + check_suffix_script_filename + ansible_host))%24 if item.random_hour is defined else item.hour | default(3) }}" + minute: "{{ (item.minute | default(0)) + (item.random_minute | random(seed=ansible_host + item.name + check_suffix_script_filename))%60 if item.random_minute is defined else item.minute | default(0) }}" + state: present + cron_file: "borgbackup_{{ item.name }}_{{ check_suffix_script_filename }}" + with_items: "{{ borgbackup_check_jobs }}" + when: borgbackup_check_enabled + +- name: deploy borg check fake logs, when no log yet + shell: echo -ne "FAKE LOG\nterminating with success status, rc 0\n" | tee "{{ borgbackup_client_lastlog_dir }}/{{ item.name }}_{{ check_suffix_script_filename }}.lastlog" + args: + chdir: "{{ borgbackup_client_lastlog_dir }}" + creates: "{{ borgbackup_client_lastlog_dir }}/{{ item.name }}_{{ check_suffix_script_filename }}.lastlog" + with_items: "{{ borgbackup_check_jobs }}" diff --git a/roles/borg_client/tasks/borgbackup_install.yml b/roles/borg_client/tasks/borgbackup_install.yml new file mode 100644 index 0000000..10b4fff --- /dev/null +++ b/roles/borg_client/tasks/borgbackup_install.yml @@ -0,0 +1,21 @@ +--- +- name: borgbackup - download borg binary + get_url: + url: "{{ borgbackup_binary_uri }}" + dest: "{{ borgbackup_binary }}-{{ borgbackup_binary_version }}" + mode: "755" + when: not borgbackup_install_from_repo + +- name: borgbackup - link install + file: + src: "{{ borgbackup_binary }}-{{ borgbackup_binary_version }}" + dest: "{{ borgbackup_binary }}" + state: link + force: yes + when: not borgbackup_install_from_repo + +- name: borgbackup - install borgbackup + package: + name: borg + state: latest + when: borgbackup_install_from_repo diff --git a/roles/borg_client/tasks/main.yml b/roles/borg_client/tasks/main.yml new file mode 100644 index 0000000..b59598e --- /dev/null +++ b/roles/borg_client/tasks/main.yml 
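Review bot: The `check if the repositories already exist` and `initialize repositories` tasks set `BORG_RSH` to `ssh -o StrictHostKeyChecking=no`, so the backup server's host key is accepted blind on first contact and then trusted forever by the cron scripts, which run plain `ssh -i`; the key protecting every backup stream is therefore whatever answered first, not the server's real key. Since the role already delegates to `borgbackup_client_backup_server`, the public host key can be read there from `/etc/ssh/ssh_host_ed25519_key.pub` and pinned on the client with the `known_hosts` module before the first borg call, and the `-o StrictHostKeyChecking=no` dropped from both `BORG_RSH` lines. In the same hunk, `delegate_to` combined with `connection: local` runs the `authorized_key` and repo-dir tasks on the controller rather than on the backup server, which only matches the comment's intent if the playbook is run from the server itself — worth confirming. Also the create and prune cron tasks seed `day:` with `check_suffix_script_filename` while their `hour:`/`minute:` use their own suffix, which looks like a copy-paste slip.
```yaml
# … unchanged: check available SSH key types / generate backup ssh-key / fetch backup ssh-pubkey …
- name: read backup server host key
  command: cat /etc/ssh/ssh_host_ed25519_key.pub
  delegate_to: "{{ borgbackup_client_backup_server }}"
  register: borgbackup_server_host_key
  changed_when: False
  check_mode: no

- name: pin backup server host key on client
  known_hosts:
    path: /root/.ssh/known_hosts
    name: "{{ borgbackup_client_backup_server_lanfreebackup | default(borgbackup_client_backup_server) }}"
    key: "{{ borgbackup_client_backup_server_lanfreebackup | default(borgbackup_client_backup_server) }} {{ borgbackup_server_host_key.stdout }}"
    state: present

# … unchanged: add ssh-pubkey to backup server / create repo path for host / scripts and lastlog dirs …
- name: check if the repositories already exist
  command: "{{ borgbackup_binary }} list {{ borgbackup_server_user }}@{{ borgbackup_client_backup_server_lanfreebackup | default(borgbackup_client_backup_server) }}:{{ item.name }}"
  environment:
    - BORG_RSH: "ssh -i {{ borgbackup_client_ssh_key_file }}"
# … unchanged: rest of the list task; same BORG_RSH change in "initialize repositories" …
```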
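Review bot: The `get_url` in `borgbackup - download borg binary` has no `checksum:`, so the file that becomes `{{ borgbackup_binary }}` and runs as root on every client is trusted solely on the TLS connection to whatever `borgbackup_binary_uri` resolves to — and `host_vars/baroness` in this same commit points that URI at a third-party host rather than the upstream release page. Upstream publishes digests and signatures for its release binaries, so pin the expected digest next to the version: `checksum: "sha256:{{ borgbackup_binary_sha256 }}"`, with `borgbackup_binary_sha256: "<SHA256_OF_RELEASE_BINARY>"` (placeholder) set alongside `borgbackup_binary_version` and overridden per platform where the URI is. Separately, `state: latest` in `borgbackup - install borgbackup` upgrades borg on every run, which can move a client to a repository format the server's borg cannot serve; `state: present` is the safer default for a backup client.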
@@ -0,0 +1,6 @@
+---
+- import_tasks: borgbackup_install.yml
+ tags: [ borg ]
+
+- import_tasks: borgbackup_client.yml
+ tags: [ borg ]
diff --git a/roles/borg_client/templates/check_job.sh.j2 b/roles/borg_client/templates/check_job.sh.j2
new file mode 100644
index 0000000..ddcaf84
--- /dev/null
+++ b/roles/borg_client/templates/check_job.sh.j2
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -e
+
+export BORG_RSH="ssh -i {{ borgbackup_client_ssh_key_file }}"
+export BORG_PASSPHRASE="{{ borgbackup_passphrase }}"
+
+REPOSITORY={{ borgbackup_server_user }}@{{ borgbackup_client_backup_server_lanfreebackup | default(borgbackup_client_backup_server) }}:{{ item.name }}
+
+{{ borgbackup_binary }} check --show-rc --verbose \
+ {{ item.check_options }} \
+ $REPOSITORY \
+ 2>&1 | tee {{ borgbackup_client_lastlog_dir }}/{{ item.name }}_{{ check_suffix_script_filename }}.lastlog \
+ | /usr/bin/logger -t borgbackup_check_{{ item.name }}_{{ borgbackup_client_backup_server }}
diff --git a/roles/borg_client/templates/create_job.sh.j2 b/roles/borg_client/templates/create_job.sh.j2
new file mode 100644
index 0000000..08564b1
--- /dev/null
+++ b/roles/borg_client/templates/create_job.sh.j2
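Review bot: `{{ item.check_options }}` in check_job.sh.j2 has no `default`, so a check job that omits `check_options` makes the template task fail on an undefined attribute, whereas create_job.sh.j2 guards `item.options` with `default(...)`; use `{{ item.check_options | default('') }}`, and the same applies to `{{ item.prune_options }}` in prune_job.sh.j2. The `set -e` at the top does not cover the borg invocation: borg is the first element of a pipeline and `/bin/sh` has no `pipefail`, so the script exits with logger's status even when borg fails; if the `--show-rc` line captured in the `.lastlog` file is the only success signal, a comment saying so would spare the next reader the same question, otherwise borg's status needs to be captured explicitly. `BORG_PASSPHRASE` is rendered verbatim into a root-owned 0700 script, which is acceptable only while the value comes from vaulted vars; a one-line comment stating that expectation would help.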
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -e
+
+export BORG_RSH="ssh -i {{ borgbackup_client_ssh_key_file }}"
+export BORG_PASSPHRASE="{{ borgbackup_passphrase }}"
+
+REPOSITORY={{ borgbackup_server_user }}@{{ borgbackup_client_backup_server_lanfreebackup | default(borgbackup_client_backup_server) }}:{{ item.name }}
+
+{{ borgbackup_binary }} create --show-rc --verbose --stats \
+ {{ item.options | default('--compression zlib,6') }} \
+ $REPOSITORY::{{ ansible_hostname }}-$(date +%Y-%m-%d_%H-%M) \
+ {{ item.directories | join(' ') }} \
+ {% for e in item.excludes %}
+ --exclude '{{ e }}' \
+ {% endfor %}
+ 2>&1 | tee {{ borgbackup_client_lastlog_dir }}/{{ item.name }}_{{ create_suffix_script_filename }}.lastlog \
+ | /usr/bin/logger -t borgbackup_backup_{{ item.name }}_{{ borgbackup_client_backup_server }}
\ No newline at end of file
diff --git a/roles/borg_client/templates/prune_job.sh.j2 b/roles/borg_client/templates/prune_job.sh.j2
new file mode 100644
index 0000000..5977439
--- /dev/null
+++ b/roles/borg_client/templates/prune_job.sh.j2
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -e
+
+export BORG_RSH="ssh -i {{ borgbackup_client_ssh_key_file }}"
+export BORG_PASSPHRASE="{{ borgbackup_passphrase }}"
+
+REPOSITORY={{ borgbackup_server_user }}@{{ borgbackup_client_backup_server_lanfreebackup | default(borgbackup_client_backup_server) }}:{{ item.name }}
+
+{{ borgbackup_binary }} prune --show-rc --verbose --stats \
+ {{ item.prune_options }} \
+ $REPOSITORY \
+ 2>&1 | tee {{ borgbackup_client_lastlog_dir }}/{{ item.name }}_{{ prune_suffix_script_filename }}.lastlog \
+ | /usr/bin/logger -t borgbackup_prune_{{ item.name }}_{{ borgbackup_client_backup_server }}
diff --git a/roles/borg_server/.travis.yml b/roles/borg_server/.travis.yml
new file mode 100644
index 0000000..36bbf62
--- /dev/null
+++ b/roles/borg_server/.travis.yml
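Review bot: `{% for e in item.excludes %}` in create_job.sh.j2 iterates a key that has no default, so a create job without `excludes` fails to render; `{% for e in item.excludes | default([]) %}` keeps the loop optional and matches the `default(...)` already used for `item.options` two lines above. `{{ item.directories | join(' ') }}` and `--exclude '{{ e }}'` are unquoted or single-quoted, so a directory containing whitespace or a pattern containing a quote yields a broken command line; `{{ item.directories | map('quote') | join(' ') }}` and `--exclude {{ e | quote }}` would be safe for any value. The file also ends without a trailing newline after the final `logger` line.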
@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+ apt:
+ packages:
+ - python-pip
+
+install:
+ # Install ansible
+ - pip install ansible
+
+ # Check ansible version
+ - ansible --version
+
+ # Create ansible.cfg with correct roles_path
+ - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+ # Basic role syntax check
+ - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+ webhooks: https://galaxy.ansible.com/api/v1/notifications/
\ No newline at end of file
diff --git a/roles/borg_server/LICENSE b/roles/borg_server/LICENSE
new file mode 100644
index 0000000..8dada3e
--- /dev/null
+++ b/roles/borg_server/LICENSE
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. 
For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. 
Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of 
the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. 
Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability. 
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "{}"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright {yyyy} {name of copyright owner}
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/roles/borg_server/README.md b/roles/borg_server/README.md
new file mode 100644
index 0000000..ff482ee
--- /dev/null
+++ b/roles/borg_server/README.md
@@ -0,0 +1,59 @@
+Borgbackup
+==========
+
+Ansible [Borgbackup](https://borgbackup.readthedocs.io/en/stable/) role.
+
+Features:
+ * Repository or binary installation
+ * Schedules regular backup jobs
+ * Schedules regular prune jobs to keep backup windows clean
+ * Flexible configuration to list backup targets
+
+Role Variables
+--------------
+
+see `defaults/main.yml`
+
+Example Playbook
+----------------
+
+ - hosts: all
+ roles:
+ - role: SphericalElephant.borgbackup
+ borgbackup_client: True
+ borgbackup_client_backup_server: backup01.example.com
+ borgbackup_create_jobs:
+ - name: system
+ day: "*"
+ hour: "0"
+ minute: "{{ 59 | random }}"
+ directories:
+ - /etc
+ - /home
+ - /var
+ excludes:
+ - 're:^/var/lib/apt'
+ - 're:^/var/[^/]+\/cache/'
+ borgbackup_prune_jobs:
+ - name: system
+ prune_options: "--keep-daily=7 --keep-weekly=4"
+ day: "*"
+ hour: "8"
+ minute: "0"
+ borgbackup_check_jobs:
+ - name: system
+ check_options: "--lock-wait 28800"
+ day: "1"
+ hour: "12"
+ minute: "0"
+
+
+You can easily assign client and server attributes from your inventory with something similar to the following:
+
+ borgbackup_client: "{{ (inventory_hostname in groups.borgbackup_server)|ternary(False, True) }}"
+ borgbackup_client_backup_server: "{{ groups.borgbackup_server[0] }}"
+
+License
+-------
+
+Apache 2.0
diff --git a/roles/borg_server/defaults/main.yml b/roles/borg_server/defaults/main.yml
new file mode 100644
index 0000000..2ba6d45
--- /dev/null
+++ b/roles/borg_server/defaults/main.yml
@@ -0,0 +1,14 @@
+---
+borgbackup_install_from_repo: False
+borgbackup_binary_version: "1.1.6"
+borgbackup_binary_platform: "borg-linux64"
+borgbackup_binary_uri: "https://github.com/borgbackup/borg/releases/download/{{ borgbackup_binary_version }}/{{ borgbackup_binary_platform }}"
+borgbackup_binary: "/usr/local/bin/borg"
+
+borgbackup_server_user: "backup"
+borgbackup_server_group: "backup"
+borgbackup_server_home: "/home/backup"
+borgbackup_server_pool: "{{ borgbackup_server_home }}/repos"
+
+borgbackup_encryption_mode: "none"
+borgbackup_passphrase: "yoursecret"
diff --git a/roles/borg_server/meta/main.yml b/roles/borg_server/meta/main.yml
new file mode 100644
index 0000000..fc83234
--- /dev/null
+++ b/roles/borg_server/meta/main.yml
@@ -0,0 +1,20 @@
+galaxy_info:
+ author: Farhad Shahbazi
+ description: Borgbackup
+ company: Spherical Elephant GmbH
+ license: Apache
+ min_ansible_version: 2.1
+ platforms:
+ - name: Ubuntu
+ versions:
+ - all
+ - name: Debian
+ versions:
+ - jessie
+ - sid
+ - stretch
+ - name: Archlinux
+ galaxy_tags:
+ - backup
+
+dependencies: []
diff --git a/roles/borg_server/tasks/borgbackup_install.yml b/roles/borg_server/tasks/borgbackup_install.yml
new file mode 100644
index 0000000..10b4fff
--- /dev/null
+++ b/roles/borg_server/tasks/borgbackup_install.yml
@@ -0,0 +1,21 @@
+---
+- name: borgbackup - download borg binary
+ get_url:
+ url: "{{ borgbackup_binary_uri }}"
+ dest: "{{ borgbackup_binary }}-{{ borgbackup_binary_version }}"
+ mode: "755"
+ when: not borgbackup_install_from_repo
+
+- name: borgbackup - link install
+ file:
+ src: "{{ borgbackup_binary }}-{{ borgbackup_binary_version }}"
+ dest: "{{ borgbackup_binary }}"
+ state: link
+ force: yes
+ when: not borgbackup_install_from_repo
+
+- name: borgbackup - install borgbackup
+ package:
+ name: borg
+ state: latest
+ when: borgbackup_install_from_repo
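Review bot: `borgbackup_passphrase: "yoursecret"` ships a well-known default that the client templates export as `BORG_PASSPHRASE` into every job script, so a deployment that turns repository encryption on without overriding it protects its backups with a string committed to this repository. Leave the variable out of defaults so templating fails loudly when it is missing, or document that it must be supplied from vaulted vars; `borgbackup_encryption_mode: "none"` as the default likewise deserves a comment that backups then sit unencrypted on the server. `borgbackup_binary_uri` has no companion digest variable, so nothing on the binary download path can be verified; add one alongside `borgbackup_binary_version`.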
diff --git a/roles/borg_server/tasks/borgbackup_server.yml b/roles/borg_server/tasks/borgbackup_server.yml
new file mode 100644
index 0000000..2b64ed4
--- /dev/null
+++ b/roles/borg_server/tasks/borgbackup_server.yml
@@ -0,0 +1,40 @@
+---
+- name: borg_server - create group
+ group:
+ name: "{{ borgbackup_server_group }}"
+ state: present
+
+- name: borg_server - create user
+ user:
+ name: "{{ borgbackup_server_user }}"
+ group: "{{ borgbackup_server_group }}"
+ groups:
+ home: "{{ borgbackup_server_home }}"
+ createhome: yes
+ shell: /bin/bash
+ state: present
+
+- name: borg_server - manage permissions
+ file:
+ path: "{{ item }}"
+ owner: "{{ borgbackup_server_user }}"
+ group: "{{ borgbackup_server_group }}"
+ mode: 0700
+ state: directory
+ with_items:
+ - "{{ borgbackup_server_home }}"
+ - "{{ borgbackup_server_home }}/.ssh"
+ - "{{ borgbackup_server_pool }}"
+
+- name : borg_server - create authorized_keys
+ stat:
+ path: "{{ borgbackup_server_home }}/.ssh/authorized_keys"
+ register: authorized_keys
+
+- name: borg_server - manage permissions for authorized_keys
+ file:
+ path: "{{ borgbackup_server_home }}/.ssh/authorized_keys"
+ owner: "{{ borgbackup_server_user }}"
+ group: "{{ borgbackup_server_group }}"
+ mode: 0600
+ state: '{{ "file" if authorized_keys.stat.exists else "touch" }}'
diff --git a/roles/borg_server/tasks/main.yml b/roles/borg_server/tasks/main.yml
new file mode 100644
index 0000000..0394b37
--- /dev/null
+++ b/roles/borg_server/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- import_tasks: borgbackup_install.yml
+ tags: [ borg ]
+
+- import_tasks: borgbackup_server.yml
+ tags: [ borg ]
diff --git a/roles/common b/roles/common
index e347803..32cb76a 160000
--- a/roles/common
+++ b/roles/common
@@ -1 +1 @@
-Subproject commit e347803f6257b04aae3c3ef19a6c11ce7c56c5b6
+Subproject commit 32cb76a1d5eed1ec5a983325f7193298913ff333
diff --git a/roles/gitea/templates/gitea.conf.j2 b/roles/gitea/templates/gitea.conf.j2
index e209bb0..5a52c17 100644
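Review bot: The `borg_server - create user` task gives the repository account `shell: /bin/bash`, and the role only ensures an empty `authorized_keys` exists, so every client key an operator adds later is a full interactive login on the backup host rather than a borg-only one; either have the role manage the entries from a client-key list with a `command="borg serve --restrict-to-path {{ borgbackup_server_pool }}"` prefix, or at least document that restriction as required in the README. `groups:` in the same task is left empty, which parses as null; if the intent is "no supplementary groups", say so in a comment or drop the line. `- name :` in the stat task has a space before the colon, which is legal YAML but inconsistent with the other tasks.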
--- a/roles/gitea/templates/gitea.conf.j2
+++ b/roles/gitea/templates/gitea.conf.j2
@@ -1,3 +1,5 @@
+# {{ ansible_managed }}
+
; App name that shows on every page title
APP_NAME = FET-Gitea
; Change it if you run locally
diff --git a/roles/maria-storage/handlers/main.yml b/roles/maria-storage/handlers/main.yml
new file mode 100644
index 0000000..03a5700
--- /dev/null
+++ b/roles/maria-storage/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: reload nfs
+ service: name=nfs-kernel-server enabled=yes state=reloaded
+
+- name: restart mariadb
+ service: name=mysql enabled=yes state=restarted
diff --git a/roles/maria-storage/tasks/main.yml b/roles/maria-storage/tasks/main.yml
new file mode 100644
index 0000000..40bdc0a
--- /dev/null
+++ b/roles/maria-storage/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- import_tasks: nfs.yml
+ tags: [ maria-storage, nfs ]
+
+- import_tasks: mariadb.yml
+ tags: [ maria-storage, mariadb ]
diff --git a/roles/maria-storage/tasks/mariadb.yml b/roles/maria-storage/tasks/mariadb.yml
new file mode 100644
index 0000000..87e42fa
--- /dev/null
+++ b/roles/maria-storage/tasks/mariadb.yml
@@ -0,0 +1,7 @@
+---
+- name: mariadb - install mariadb-server
+ package: name=mariadb-server
+
+- name: mariadb - config /etc/mysql/my.cnf
+ template: dest=/etc/mysql/my.cnf src=my.cnf.j2 owner=root group=root mode=0644
+ notify: restart mariadb
diff --git a/roles/maria-storage/tasks/nfs.yml b/roles/maria-storage/tasks/nfs.yml
new file mode 100644
index 0000000..26617b4
--- /dev/null
+++ b/roles/maria-storage/tasks/nfs.yml
@@ -0,0 +1,7 @@
+---
+- name: mariadb - install nfs-kernel-server
+ package: name=nfs-kernel-server
+
+- name: mariadb - nfs /etc/exports
+ template: dest=/etc/exports src=exports.j2 owner=root group=root mode=0644
+ notify: reload nfs
diff --git a/roles/maria-storage/templates/exports.j2 b/roles/maria-storage/templates/exports.j2
new file mode 100644
index 0000000..6b1d9a3
--- /dev/null
+++ b/roles/maria-storage/templates/exports.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+/srv/save/fetsite_production_1 192.168.95.0/24(rw,sync,acl,insecure,no_subtree_check)
+/srv/save/web_doc 192.168.95.0/24(rw,sync,acl,insecure,no_subtree_check)
+/srv/save/git_repo 192.168.95.0/24(rw,sync,acl,insecure,no_subtree_check)
diff --git a/roles/maria-storage/templates/my.cnf.j2 b/roles/maria-storage/templates/my.cnf.j2
new file mode 100644
index 0000000..737fbf1
--- /dev/null
+++ b/roles/maria-storage/templates/my.cnf.j2
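Review bot: Every export grants `rw` to the whole 192.168.95.0/24 and adds `insecure`, which makes the server accept requests from unprivileged source ports, so a non-root process on any host in that subnet can reach these paths through a user-space NFS client; if the consuming hosts are known, list them instead of the subnet, and add a comment naming the client that needs `insecure`, since it is otherwise a surprising relaxation. Both the paths and the subnet are fixed in the template while the other templates in this commit parameterise such values (e.g. `{{ printer_ip }}`); a variable here would keep the roles consistent.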
@@ -0,0 +1,129 @@
+# {{ ansible_managed }}
+#
+# The MySQL database server configuration file.
+#
+# You can copy this to one of:
+# - "/etc/mysql/my.cnf" to set global options,
+# - "~/.my.cnf" to set user-specific options.
+#
+# One can use all long options that the program supports.
+# Run program with --help to get a list of available options and with
+# --print-defaults to see which it would actually understand and use.
+#
+# For explanations see
+# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
+
+# This will be passed to all mysql clients
+# It has been reported that passwords should be enclosed with ticks/quotes
+# escpecially if they contain "#" chars...
+# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
+[client]
+port = 3306
+socket = /var/run/mysqld/mysqld.sock
+
+# Here is entries for some specific programs
+# The following values assume you have at least 32M ram
+
+# This was formally known as [safe_mysqld]. Both versions are currently parsed.
+[mysqld_safe]
+socket = /var/run/mysqld/mysqld.sock
+nice = 0
+
+[mysqld]
+#
+# * Basic Settings
+#
+user = mysql
+pid-file = /var/run/mysqld/mysqld.pid
+socket = /var/run/mysqld/mysqld.sock
+port = 3306
+basedir = /usr
+datadir = /var/lib/mysql
+tmpdir = /tmp
+lc-messages-dir = /usr/share/mysql
+skip-external-locking
+#
+# Instead of skip-networking the default is now to listen only on
+# localhost which is more compatible and is not less secure.
+bind-address = 0.0.0.0
+#
+# * Fine Tuning
+#
+key_buffer = 16M
+max_allowed_packet = 16M
+thread_stack = 192K
+thread_cache_size = 8
+# This replaces the startup script and checks MyISAM tables if needed
+# the first time they are touched
+myisam-recover = BACKUP
+#max_connections = 100
+#table_cache = 64
+#thread_concurrency = 10
+#
+# * Query Cache Configuration
+#
+query_cache_limit = 1M
+query_cache_size = 16M
+#
+# * Logging and Replication
+#
+# Both location gets rotated by the cronjob. 
+# Be aware that this log type is a performance killer.
+# As of 5.1 you can enable the log at runtime!
+#general_log_file = /var/log/mysql/mysql.log
+#general_log = 1
+#
+# Error log - should be very few entries.
+#
+log_error = /var/log/mysql/error.log
+#
+# Here you can see queries with especially long duration
+#slow_query_log_file = /var/log/mysql/mysql-slow.log
+#slow_query_log = 1
+#long_query_time = 2
+#log_queries_not_using_indexes
+#
+# The following can be used as easy to replay backup logs or for replication.
+# note: if you are setting up a replication slave, see README.Debian about
+# other settings you may need to change.
+#server-id = 1
+#log_bin = /var/log/mysql/mysql-bin.log
+expire_logs_days = 10
+max_binlog_size = 100M
+#binlog_do_db = include_database_name
+#binlog_ignore_db = include_database_name
+#
+# * InnoDB
+#
+# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
+# Read the manual for more InnoDB related options. There are many!
+#
+# * Security Features
+#
+# Read the manual, too, if you want chroot!
+# chroot = /var/lib/mysql/
+#
+# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
+#
+# ssl-ca=/etc/mysql/cacert.pem
+# ssl-cert=/etc/mysql/server-cert.pem
+# ssl-key=/etc/mysql/server-key.pem
+
+
+
+[mysqldump]
+quick
+quote-names
+max_allowed_packet = 16M
+
+[mysql]
+#no-auto-rehash # faster start of mysql but no tab completition
+
+[isamchk]
+key_buffer = 16M
+
+#
+# * IMPORTANT: Additional settings that can override those from this file!
+# The files must end with '.cnf', otherwise they'll be ignored.
+#
+!includedir /etc/mysql/conf.d/
diff --git a/roles/scans/defaults/main.yml b/roles/scans/defaults/main.yml
new file mode 100644
index 0000000..9d06c5f
--- /dev/null
+++ b/roles/scans/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+samba_users:
+ - name: dell
+ smbpasswd: delloscanner
diff --git a/roles/scans/handlers/main.yml b/roles/scans/handlers/main.yml
new file mode 100644
index 0000000..b90ebae
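Review bot: `bind-address = 0.0.0.0` sits directly under the comment saying the server listens only on localhost, so the comment is now false and the template exposes MariaDB on every interface while the `ssl-*` options stay commented out; bind to the storage-network address (as a variable, the way the other templates in this commit do) or, if all interfaces are intended, replace the comment with one stating that and naming the firewall rule that limits port 3306. `key_buffer` and `myisam-recover` are the older spellings of those options; worth confirming that the MariaDB version installed on the target still accepts them.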
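Review bot: `smbpasswd: delloscanner` places a plaintext Samba credential in the role's defaults, which are committed and readable by anyone with access to this repository; keep only the user name here and take the password from a vaulted variable (e.g. `smbpasswd: "{{ vault_samba_dell_password }}"`, name is a proposal), leaving it undefined in defaults so a missing secret fails the play instead of silently using a known value.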
--- /dev/null
+++ b/roles/scans/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+ - name: restart samba
+ service: name=smbd enabled=yes state=restarted
diff --git a/roles/scans/tasks/main.yml b/roles/scans/tasks/main.yml
new file mode 100644
index 0000000..d61bacc
--- /dev/null
+++ b/roles/scans/tasks/main.yml
@@ -0,0 +1,3 @@
+---
+- import_tasks: samba.yml
+ tags: [ samba ]
diff --git a/roles/scans/tasks/samba.yml b/roles/scans/tasks/samba.yml
new file mode 100644
index 0000000..66b0e6f
--- /dev/null
+++ b/roles/scans/tasks/samba.yml
@@ -0,0 +1,20 @@
+---
+- name: samba - install
+ package: name={{ item }}
+ with_items:
+ - samba
+
+- name: samba - /etc/smb.conf
+ template: dest=/etc/smb.conf src=smb.conf.j2 owner=root group=root mode=0644
+ notify: restart samba
+
+- name: samba - create users group
+ group: name=users gid=2000
+
+- name: samba - add smb users
+ user: "name={{ item['name'] }} shell=/bin/false group=users"
+ with_items: '{{ samba_users }}'
+
+- name: samba - set smbpasswds
+ shell: "(echo {{ item['smbpasswd'] }}; echo {{ item['smbpasswd'] }}) | smbpasswd -s -a {{ item['name'] }}"
+ with_items: '{{ samba_users }}'
diff --git a/roles/scans/templates/smb.conf.j2 b/roles/scans/templates/smb.conf.j2
new file mode 100644
index 0000000..0ac3ea9
--- /dev/null
+++ b/roles/scans/templates/smb.conf.j2
@@ -0,0 +1,26 @@
+# {{ ansible_managed }}
+
+[global]
+
+ workgroup = WORKGROUP
+ server string = PROGRESS
+
+ security = user
+ hosts allow = 192.168.86.14
+
+ log file = /var/log/samba/%m.log
+ max log size = 500
+
+ dns proxy = no
+ load printers = no
+ printing = bsd
+ printcap name = /dev/null
+ disable spoolss = yes
+
+[scans]
+ comment = scans
+ path = /mnt/scans
+ valid users = dell
+ public = no
+ browseable = yes
+ writeable = yes
diff --git a/site.yml b/site.yml
index 4b2aa7e..1588a60 100644
--- a/site.yml
+++ b/site.yml
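Review bot: The `samba - set smbpasswds` task interpolates the password unquoted into a shell pipeline, so a value containing shell metacharacters breaks or alters the command, and the full command line (password included) appears in Ansible's output and in `ps` on the target while it runs; change the line to `shell: "(echo {{ item['smbpasswd'] | quote }}; echo {{ item['smbpasswd'] | quote }}) | smbpasswd -s -a {{ item['name'] | quote }}"` and add `no_log: true` to the task. The task also reports changed on every run; a preceding `pdbedit -L` check that skips accounts which already exist would make it idempotent. `dest=/etc/smb.conf` in the template task: Debian's smbd reads `/etc/samba/smb.conf` by default, so unless the packaging on the target differs the rendered config is never loaded — confirm the path.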
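Review bot: `hosts allow = 192.168.86.14` hard-codes the scanner's address while the iptables templates in this commit take what is presumably the same device from `{{ printer_ip }}`; use that variable here so the firewall and Samba restrictions cannot drift apart. `valid users = dell` likewise duplicates the name defined in `samba_users`; `{{ samba_users | map(attribute='name') | join(' ') }}` keeps the share in sync with the accounts the role creates.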
@@ -34,22 +34,36 @@
roles:
- gitea
-- hosts: backup
+- hosts: sojus
roles:
- - backup
+ - borg_server
-- hosts: backupclient
+- hosts: maria-storage
roles:
- - backupclient
+# - maria-storage
+ - borg_client
-- hosts: ruby
- become: True
+- hosts: baroness
roles:
- - rvm1-ansible
-
-- hosts: test_common
- become: True
+ - borg_client
- hosts: fetlab
roles:
- fetlab
+
+- hosts: buran
+ roles:
+ - borg_client
+
+- hosts: nauka
+ roles:
+ - borg_client
+
+- hosts: progress
+ roles:
+ - scans
+
+#- hosts: ruby
+# become: True
+# roles:
+# - rvm1-ansible
diff --git a/templates/interfaces_ariane.j2 b/templates/interfaces_ariane.j2
new file mode 100644
index 0000000..b80f6ab
--- /dev/null
+++ b/templates/interfaces_ariane.j2
@@ -0,0 +1,19 @@
+# {{ ansible_managed }}
+
+source /etc/network/interfaces.d/*
+
+auto lo
+iface lo inet loopback
+
+allow-hotplug enp8s0
+iface enp8s0 inet dhcp
+
+auto br0
+iface br0 inet dhcp
+ bridge_ports enp9s0
+ bridge_fd 0
+ bridge_maxwait 0
+
+dns-nameservers 192.168.86.1
+#dns-nameservers 192.168.86.1 10.0.3.1
+#dns-nameserver 10.0.3.1
diff --git a/templates/iptables_progress_v4.j2 b/templates/iptables_progress_v4.j2
new file mode 100644
index 0000000..09ddf87
--- /dev/null
+++ b/templates/iptables_progress_v4.j2
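Review bot: `dns-nameservers 192.168.86.1` stands on its own after the `br0` stanza rather than inside an `iface` block; as far as I recall, ifupdown's resolvconf hook only picks `dns-*` options up from the stanza of the interface being brought up, so this line is probably ignored. Move it under `iface br0 inet dhcp` (indented like `bridge_ports`) or, if the DHCP-supplied resolver is meant to win, delete it together with the two commented variants so the file does not suggest a setting it does not apply.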
@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p udp -m udp -s {{ printer_ip }}/32 --dport 137 -j ACCEPT
+-A INPUT -p udp -m udp -s {{ printer_ip }}/32 --dport 138 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp -s {{ printer_ip }}/32 --dport 139 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp -s {{ printer_ip }}/32 --dport 445 -j ACCEPT
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+COMMIT
diff --git a/templates/iptables_progress_v6.j2 b/templates/iptables_progress_v6.j2
new file mode 100644
index 0000000..d2927b5
--- /dev/null
+++ b/templates/iptables_progress_v6.j2
@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -p tcp --syn -j DROP
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+COMMIT
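Review bot: `-A INPUT -p tcp --syn -j DROP` comes before the `--dport 22` ACCEPT in iptables_progress_v6.j2, so every new IPv6 TCP connection — SSH included — is dropped and the SSH rule is unreachable; either move the SYN drop below the ACCEPT or, if no IPv6 SSH is intended, delete the dead ACCEPT so the ruleset says what it does. The v6 file also mixes `-m state --state` and `-m conntrack --ctstate` while the v4 file uses only `-m state`; one spelling across both templates would be easier to review.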