Initial config check-in for vostok and orion

.gitignore

+*.retry

ansible.cfg

+[defaults]
+inventory = hosts
+remote_tmp = $HOME/.ansible/tmp
+transport = smart
+remote_port = 22
+gathering = implicit
+remote_user = root
+nocows = 1
+
+[ssh_connection]
+pipelining = True
+scp_if_ssh = True

group_vars/all/python2.yml

+ansible_python_interpreter: "/usr/bin/python2"

hosts

+[orion]
+88.198.91.70
+
+[vostok]
+5.9.158.171

orion-provision.yml

+---
+
+# This script is for provisioning a server for first boot.
+# Care: It is not idempotent by design.
+
+- name: provision orion
+  hosts: orion
+  remote_user: root
+  vars:
+    - hostname: orion
+      ipv4_address: "88.198.91.70"
+      ipv6_address: "2a01:4f8:160:6087::1/128"
+      ipv4_gateway: "88.198.91.65"
+      ipv6_gateway: "fe80::1"
+      filesystem: btrfs
+  roles:
+    - install_arch

orion.yml

+---
+
+- name: setup orion
+  hosts: orion
+  remote_user: root
+  roles:
+    - common
+    - tools
+    - borg

roles/borg/tasks/main.yml

+---
+
+- name: install borg
+  pacman: name=borg state=present

roles/common/tasks/main.yml

+---
+
+- name: update pacman cache
+  pacman: update_cache=yes
+
+- name: install ntp
+  pacman: name=ntp state=present
+
+- name: start and enable ntp
+  service: name=ntpd enabled=yes state=started
+
+- name: install smart
+  pacman: name=smartmontools state=present
+
+- name: start and enable smart
+  service: name=smartd enabled=yes state=started
+
+- name: install mlocate
+  pacman: name=mlocate state=present
+
+- name: activate regular updatedb for mlocate
+  service: name=updatedb.timer enabled=yes state=started
+
+- name: generate locales
+  locale_gen: name={{ item }} state=present
+  with_items:
+    - en_US.UTF-8
+
+- name: configure locales
+  template: src=locale.conf.j2 dest=/etc/locale.conf owner=root group=root mode=0644

roles/common/templates/locale.conf.j2

+LANG=en_US.UTF-8
+LC_COLLATE=en_US.UTF-8
+LC_TIME=en_US.UTF-8

roles/install_arch/files/florian.pub

+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC3jDEPHSY0t7kUWqHIdzhFcjeDRK2dDxUAYXLyGKWMJixiBn9w0ZeXiyqrcJ/fH0b2Js85oOfl5EFVN4WKr0bEvSaw/pfLOYpbvdP/Xt272PH583rIlA12rTvbr3MMQMJO6yc/LD98zdCioW6XCbsqPvVYSlYiYdHLCxlS/DeKjxowu+b5FeiCOxHtsYBFGlln3WjeFEBhIjyS/DBvDG8bGhHLiCDzv568rJmAl8c3yY2rxC1nGboOBqQ4fC8xI/jljj8UhxBRAPFgthG127S14dDUlDEqCu7wRiog0C3ax5Ux6cksnS3wlh7FS3/dbMkoPP0YDrg+pgfYBkW0u46MdVjUVMeNIckpMvlvxSPvv49azFtkBcPhwOaKDYjRoeaHJobHIPPWm/FJU61G4voptf9IrjUWdG/QqhFKx3v3s+9mYArXLssh42BYSDxLEisiSvbDjrBeuyIU2QoehvzwTRT6kmmg6I68WIsSC08mF0no3CqrXkOXq46gXqJheQwzUAwVm5Mg94ntCI3eUl1sWsaiwWreY9zq6ZOfuhUFA0nanMozyouG0wtfKHv7T/jxxPAMHZgozY4Bf3XOA9Nz8CrQmbty0hAQOho5n9mGIcmMLukXGhNXzkkmNmyH+aTR2D6qlrsRiLTwIVxcwWjmk9Iq/iXMB0OSFjYsrEi8Rw== flo@Marin

roles/install_arch/files/sven.pub

+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJJV4OQ6NSq0pXRZZB2jAOZnzW1eyt+7ctPZ6ZM31u2TOWgWCSfHYH6l0BxBtaL1HPlUxV+FZUheMbeXdgViI3WIO78zzuY/br9If6ZjYqdSwJFnYTNU+tLQhI5uVls0bmPvHkAn51JnVL56Vnil2mEylWRzKEg8RZvuaVEtQwvfR1mwQaR2ofSMuC6xE2hCcz93LWf+R+xjbQFtAdAQU288SB9SeABiG6FRgSUc1cGKFz8sBdsUpnlmCXqPD7fLJfPw1yF3M5HlN8ZHBhF1CZXNEKlQgXgtMz4eUc3JA10gVVAlm15PUOiEw0Tq9mOIT8ryaf7PyYxMpU4LzLoWHMxbiVD4CNq2ODGtHyLBX9lcHwwDTCwH1STht9992Bgd/5kpZ4df4gDBV89+w9758lX3eROZ7CQSEP2jSYNN2tr9KmYDiV5OY7KOGtkUZaDIMfQva6YMCQscKB8X/ypNkrQmwQwyOoXi1gbdF4zgmcDW68dzDPOiH+tzgLwJvUpkwMxvovzjMnMXUJjjXFqP8pgxM4OmTO9Ixhrt4TMsQXfmsVgUiGd+WecYguNF9UTBPum/KOOpa3wOr1vJnwrEZVJjhrhXNyNi2wnPUYB0CVEl6floR04pYYQs4K9MORgTxEiSYfbNpDMHgi5uuQAngJdQ9s7zc3bAS9Tp3de23b2w== svenstaro@smith

roles/install_arch/tasks/main.yml

+---
+
+- name: read /etc/motd
+  command: cat /etc/motd
+  register: motd_contents
+
+- name: check whether we're running in the Hetzner rescue system
+  fail: msg="Not running in Hetzner rescue system!"
+  when: "'Hetzner Rescue' not in motd_contents.stdout"
+
+- name: partition and format the disks
+  command: mkfs.btrfs -f -L rootfs -d raid1 /dev/sda /dev/sdb
+  when: filesystem == "btrfs"
+
+- name: create BIOS boot partitions
+  command: sgdisk -n 1:0:10M /dev/{{ item }}
+  when: filesystem == "ext4"
+  with_items:
+    - sda
+    - sdb
+
+- name: create RAID partitions
+  command: sgdisk -n 2:0:0 /dev/{{ item }}
+  when: filesystem == "ext4"
+  with_items:
+    - sda
+    - sdb
+
+- name: set BIOS boot partition types
+  command: sgdisk -t 1:ef02 /dev/{{ item }}
+  when: filesystem == "ext4"
+  with_items:
+    - sda
+    - sdb
+
+- name: set RAID partition types
+  command: sgdisk -t 2:fd00
+  when: filesystem == "ext4"
+  with_items:
+    - sda
+    - sdb
+
+- name: create MDADM array
+  command: mdadm --create --level=1 --raid-devices=2 --run /dev/md0 /dev/sda2 /dev/sdb2
+
+- name: format the MDADM array
+  filesystem: dev=/dev/md0 fstype=ext4
+  when: filesystem == "ext4"
+
+- name: mount the filesystem (btrfs)
+  mount: name=/mnt src='LABEL=rootfs' fstype=btrfs state=mounted
+  when: filesystem == "btrfs"
+
+- name: mount the filesystem (ext4)
+  mount: name=/mnt src=/dev/md0 fstype=ext4 state=mounted
+  when: filesystem == "ext4"
+
+- name: install arch base
+  command: pacstrap /mnt base
+
+- name: initialize pacman keyring
+  command: arch-chroot /mnt pacman-key --init
+
+- name: populate pacman keyring
+  command: arch-chroot /mnt pacman-key --poulate archlinux
+
+- name: force re-install all packages with proper database in chroot
+  command: arch-chroot /mnt pacman --force base base-devel grub openssh sudo btrfs-progs python2
+
+- name: generate mdadm.conf
+  shell: mdadm --detail --scan >> /mnt/etc/mdadm.conf
+  when: filesystem == "ext4"
+
+- name: set the hostname
+  lineinfile: dest=/mnt/etc/hostname line="{{ hostname }}" create=yes
+
+- name: add mdadm_udev to mkinitcpio.conf
+  lineinfile: dest=/mnt/etc/mkinitcpio.conf backrefs=yes regexp="^(.*)block filesystems(.*)$" line="\1block mdadm_udev filesystems\2"
+  when: filesystem == "ext4"
+
+- name: run mkinitcpio
+  command: arch-chroot /mnt mkinitcpio -p linux
+
+- name: generate fstab
+  shell: genfstab -p -L /mnt >> /etc/fstab
+
+- name: configure network
+  template: src=10-static-ethernet.network.j2 dest=/mnt/etc/systemd/network/10-static-ethernet.network owner=root group=root mode=0644
+
+- name: install grub
+  command: arch-chroot /mnt grub-install --recheck {{ item }}
+  with_items:
+    - sda
+    - sdb
+
+- name: configure grub
+  command: arch-chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg
+
+- name: configure zoneinfo
+  file: src=/usr/share/zoneinfo/UTC dest=/mnt/etc/localtime state=link force=yes
+
+- name: configure locale.gen
+  lineinfile: dest=/mnt/etc/locale.gen line="en_US.UTF-8 UTF-8"
+
+- name: run locale-gen inside chroot
+  command: arch-chroot /mnt locale-gen
+
+- name: enable services inside chroot
+  command: arch-chroot /mnt systemctl enable sshd systemd-networkd systemd-resolved
+
+- name: add authorized key for root
+  authorized_key: user=root key="{{ item }}" path=/mnt/root/.ssh/authorized_keys
+  with_file:
+    - sven.pub
+    - florian.pub
+
+- name: configure sshd
+  template: src=sshd_config.j2 dest=/mnt/etc/ssh/sshd_config owner=root group=root mode=0644
+
+- name: create symlink to resolv.conf
+  file: src=/run/systemd/resolve/resolv.conf dest=/mnt/etc/resolv.conf state=link force=yes

roles/install_arch/templates/10-static-ethernet.network.j2

+[Match]
+Name=e*
+
+[Network]
+DNS=213.133.98.98
+DNS=213.133.99.99
+DNS=213.133.100.100
+Address={{ ipv4_address }}
+Address={{ ipv6_address }}
+Gateway={{ ipv4_gateway }}
+Gateway={{ ipv6_gateway }}

roles/install_arch/templates/sshd_config.j2

+#	$OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+LogLevel VERBOSE
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no # pam does that
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation sandbox		# Default for new installations.
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/ssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server

roles/tools/tasks/main.yml

+- name: install sysadmin tools
+  pacman: name=lsof,psmisc,htop,nethogs,iftop,rsync,tmux,mtr,sshfs,dfc,tree,dstat,dmidecode,net-tools,ncdu state=present
+
+- name: install misc utils
+  pacman: name=zsh,colordiff,multitail,httpie,the_silver_searcher,cloc,ipcalc,calc,wget,neovim,python2-neovim state=present

vostok-provision.yml

+---
+
+# This script is for provisioning a server for first boot.
+# Care: It is not idempotent by design.
+
+- name: provision vostok
+  hosts: vostok
+  remote_user: root
+  vars:
+    - hostname: vostok
+      ipv4_address: "5.9.158.171"
+      ipv6_address: "2a01:4f8:190:51aa::1/128"
+      ipv4_gateway: "5.9.158.161"
+      ipv6_gateway: "fe80::1"
+      filesystem: ext4
+  roles:
+    - install_arch

vostok.yml

+---
+
+- name: setup vostok
+  hosts: vostok
+  remote_user: root
+  roles:
+    - common
+    - tools
+    - borg