ansible: A more complete config for hypsipyla: snmp, dhcp…

925aee9e · Vladimír Štill · 9f86877a · 925aee9e · 925aee9e · 925aee9e
Commit 925aee9e authored 3 years ago by Vladimír Štill
--- a/ansible/files/hoogle.service
+++ b/ansible/files/hoogle.service
+# Managed by ansible
+# vim: ft=systemd
+[Unit]
+Description=Hoogle server
+Wants=network.target
+
+[Service]
+Type=service
+Restart=always
+User=haskell
+Group=haskell
+ExecStart=/home/haskell/.cabal/bin/hoogle server --scope='package:base' --haddock=/home/haskell/doc/libraries -p 8080 --host='127.0.0.1' -n --home='http://hoogle.fi.muni.cz'
+
+[Install]
+WantedBy=multi-user.target
--- a/ansible/files/nginx/haskell
+++ b/ansible/files/nginx/haskell
 ## Managed by ansible
 ## vim: noexpandtab tabstop=4
 server {
-	listen 80 default_server;
-	listen [::]:80 default_server;
+	listen [::]:443 ssl default_server;
+	listen 443 ssl default_server;
+	ssl_certificate /etc/letsencrypt/live/haskell.fi.muni.cz/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/haskell.fi.muni.cz/privkey.pem;
+	include /etc/letsencrypt/options-ssl-nginx.conf;
+	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

-#	listen 443 ssl default_server;
-#	listen [::]:443 ssl default_server;
-	#
-	# Note: You should disable gzip for SSL traffic.
-	# See: https://bugs.debian.org/773332
-	#
-	# Read up on ssl_ciphers to ensure a secure configuration.
-	# See: https://bugs.debian.org/765782
-	#
-	# Self signed certs generated by the ssl-cert package
-	# Don't use them in a production server!
-	#
-	# include snippets/snakeoil.conf;
+	root /home/haskell/www;

-	root /var/empty;
-
-	server_name haskell.fi.muni.cz;
+	server_name haskell.fi.muni.cz hypsipyla.fi.muni.cz;

 	location /doc {
 		alias /home/haskell/doc/libraries;
 	}
 }
-
--- a/ansible/files/nginx/hoogle
+++ b/ansible/files/nginx/hoogle
 ## Managed by ansible
 ## vim: noexpandtab tabstop=4
 server {
-	listen 80;
-	listen [::]:80;
+	listen [::]:443 ssl;
+	listen 443 ssl;
+	ssl_certificate /etc/letsencrypt/live/haskell.fi.muni.cz/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/haskell.fi.muni.cz/privkey.pem;
+	include /etc/letsencrypt/options-ssl-nginx.conf;
+	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

-#	listen 443 ssl default_server;
-#	listen [::]:443 ssl default_server;
-	#
 	# Note: You should disable gzip for SSL traffic.
 	# See: https://bugs.debian.org/773332
 	#

--- a/ansible/files/nginx/http
+++ b/ansible/files/nginx/http
+## Managed by ansible
+## vim: noexpandtab tabstop=4
+server {
+	listen 80 default_server;
+	listen [::]:80 default_server;
+
+	return 301 https://$host$request_uri;
+	server_name hypsipyla.fi.muni.cz;
+}
--- a/ansible/hypsipyla.yml
+++ b/ansible/hypsipyla.yml
 - name: hypsipyla
  hosts: hypsipyla.fi.muni.cz
  vars:
-    dhcpcd: false
+    dhcpcd: true
+    nftables:
+      nfs: false
+      snmp: true
+      pds_local: false
+    snmpd:
+      disks:
+        - path: /
+          free: '{{512 * 1024}}'
+
    ghc_ib015_version: 8.4.4
    ghc_newest_version: 9.0.1
    auto_install_ghc: false

-
  tasks:
    - fail:
        msg: possibly wrong server?
@@ -18,6 +26,33 @@
    - import_role:
        name: ghc_deb

+    - name: "Contextualization"
+      systemd:
+        name: '{{item}}'
+        enabled: false
+        state: stopped
+      loop:
+        - "one-context"
+        - "one-context-local"
+
+    - name: "Install SNMPd"
+      apt:
+        pkg:
+          - snmpd
+
+    - name: "Setup SNMPd"
+      template:
+        src: snmpd.conf.j2
+        dest: /etc/snmp/snmpd.conf
+      register: snmp_setup
+
+    - name: "Restart SNMPd"
+      service:
+        name: snmpd
+        state: '{{"restarted" if snmp_setup.changed else "started"}}'
+        masked: false
+        enabled: true
+
    - name: "Haskell user"
      user:
        name: "haskell"
@@ -68,6 +103,17 @@
        - name: "Generate database"
          command: "hoogle generate --haddock=/home/haskell/doc/libraries base directory base-unicode-symbols"

+        - name: "Landing page git"
+          git:
+            dest: "/home/haskell/www"
+            # note: this seems like a private token in a public repo and indeed
+            # it is, however, there is actually nothing private about the
+            # haskell.fi repo, it is just hidden in a private group, therefore,
+            # it does not matter that we have the token saved here
+            repo: "https://oauth2:1qz5SWyHJE3gGdes2r3X@gitlab.fi.muni.cz/ib015/haskell.fi"
+            update: true
+            recursive: true
+
      environment:
        PATH: "/opt/ghc/{{ghc_ib015_version}}/bin/:/opt/ghc/bin:/home/haskell/.cabal/bin:{{ansible_env.PATH}}"
      become: true
@@ -119,6 +165,7 @@
      loop:
        - 'hoogle'
        - 'haskell'
+        - 'http'

    - name: "nginx service"
      systemd:

--- a/ansible/hesperia/snmpd.conf
+++ b/ansible/hesperia/snmpd.conf
@@ -40,12 +40,12 @@ access  notConfigGroup ""      any       noauth    exact  systemview none none
 # restrictive access.

 ##      sec.name   source          community
-com2sec hesperia   127.0.0.1       hesperia
-com2sec hesperia   147.251.48.5    hesperia
+com2sec {{inventory_hostname_short}}   127.0.0.1       {{inventory_hostname_short}}
+com2sec {{inventory_hostname_short}}   147.251.48.5    {{inventory_hostname_short}}

 ##    group.name sec.model  sec.name
-group MyROGroup  v2c        hesperia
-group MyROGroup  v1         hesperia
+group MyROGroup  v2c        {{inventory_hostname_short}}
+group MyROGroup  v1         {{inventory_hostname_short}}

 ##          incl/excl subtree                          mask
 view all    included  .1                               80
@@ -76,8 +76,9 @@ extend systemctl /bin/bash -c "echo $(/bin/systemctl is-system-running) $(/bin/s
 ###############################################################################
 # load average checks
 #
-load 6 7 7
+load {{snmpd.load | default("1 0.9 0.8")}}

-disk  / 1574400
-disk  /tmp 1048576
+{% for d in snmpd.disks | default([]) %}
+disk  {{d.path}} {{d.free}}
+{% endfor %}
 # proc smartd 1 1