---

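# Builds the two client address lists (IPv4 as /32, IPv6 as /128) that the
# later "postgres"/"firewall"-tagged tasks consume — presumably the postgres
# host-based access rules and matching firewall entries; confirm in the roles.
# Each list is gemini's own address plus every host in the "mirrors" group
# that has the corresponding address fact set.
- name: "prepare postgres ssl hosts list"
  hosts: apollo.archlinux.org
  tasks:
    - name: assign ipv4 addresses to fact postgres_ssl_hosts4
      # Block-form module args rather than the legacy key=value string; the
      # template and the resulting list are the same.
      set_fact:
        postgres_ssl_hosts4: "{{ [gemini4] + detected_ips }}"
      vars:
        # gemini is always included; the play fails if gemini.archlinux.org
        # is not in the inventory with ipv4_address defined.
        gemini4: "{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}/32"
        # select() with no test keeps only truthy values, so mirrors with an
        # empty/false ipv4_address are dropped; each kept address gets /32.
        detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv4_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}"
      tags: ["postgres", "firewall"]

    - name: assign ipv6 addresses to fact postgres_ssl_hosts6
      set_fact:
        postgres_ssl_hosts6: "{{ [gemini6] + detected_ips }}"
      vars:
        # Same shape as the IPv4 task, with single-host /128 prefixes.
        gemini6: "{{ hostvars['gemini.archlinux.org']['ipv6_address'] }}/128"
        detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv6_address']) | select() | map('regex_replace', '^(.+)$', '\\1/128') | list }}"
      tags: ["postgres", "firewall"]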

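# Main provisioning play for apollo. Role entries use block form throughout
# (one variable per line) so diffs stay readable and the YAML type of each
# value is visible at a glance; booleans are written as lowercase true/false.
- name: setup apollo
  hosts: apollo.archlinux.org
  # Ansible connects directly as root; the sshd and root_ssh roles below are
  # what shape that access, so review them together with this line.
  remote_user: root
  roles:
    - role: common
    - role: tools
    - role: sshd
    - role: root_ssh
    - role: borg_client
      tags: ["borg"]
    - role: certbot
    - role: nginx
    - role: rspamd
      tags: ["mail"]
    - role: unbound
      tags: ["mail"]
    - role: postfix
      postfix_relayhost: "mail.archlinux.org"
      # The name suggests the smtpd listener is reachable from the internet;
      # confirm in the postfix role what this toggles before changing it.
      postfix_smtpd_public: true
      postfix_patchwork_enabled: true
      tags: ["mail"]
    - role: postfwd
      tags: ["mail"]
    - role: postgres
      # Binds every interface; client access is presumably narrowed by the
      # postgres_ssl_hosts4/6 facts from the first play and the firewall —
      # confirm in the postgres role.
      postgres_listen_addresses: "*"
      postgres_max_connections: 1000
      # Quoted on purpose: postgres expects the literal string on, and an
      # unquoted on would be read as a YAML boolean.
      postgres_ssl: 'on'
      postgres_shared_buffers: 4096MB
    - role: mariadb
      # Quoted so the value stays the string "0" rather than an integer.
      mariadb_query_cache_type: '0'
      mariadb_innodb_file_per_table: true
    - role: sudo
    - role: uwsgi
    - role: php_fpm
      php_extensions:
        - bcmath
        - curl
        - gd
        - iconv
        - intl
        - mysqli
        - pdo_pgsql
        - pgsql
        - sockets
        - zip
      zend_extensions: ["opcache"]
    - role: memcached
    - role: archweb
      archweb_planet: true
    - role: security_tracker
      security_tracker_domain: "security.archlinux.org"
      security_tracker_nginx_conf: '/etc/nginx/nginx.d/security-tracker.conf'
      security_tracker_dir: "/srv/http/security-tracker"
    - role: mailman
      mailman_domain: "lists.archlinux.org"
    - role: patchwork
    - role: grafana
    - role: archwiki
    - role: conf_archlinux
    - role: fail2ban
    - role: prometheus_exporters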