summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJakob Odersky <jakob@odersky.com>2017-12-03 22:47:13 -0800
committerJakob Odersky <jakob@odersky.com>2017-12-03 22:47:13 -0800
commitdf6be44d67e29d73b0f226985c2c7b6ec989c224 (patch)
tree590198484d5322042c2d0ef38bc4eeb1c71412ae
downloadmetamorphic-master.tar.gz
metamorphic-master.tar.bz2
metamorphic-master.zip
Initial commitHEADmaster
-rw-r--r--.gitignore1
-rw-r--r--ansible.cfg346
-rw-r--r--hosts6
-rw-r--r--roles/common/tasks/main.yml40
-rw-r--r--roles/ddns.notyet/meta/main.yml3
-rw-r--r--roles/ddns.notyet/tasks/main.yml11
-rw-r--r--roles/ddns.notyet/templates/update-dns.j224
-rw-r--r--roles/ddns.notyet/vars/main.yml2
-rw-r--r--roles/ddns.notyet/vars/vault.yml8
-rw-r--r--roles/dl/files/dl.conf17
-rw-r--r--roles/dl/files/mini-dinstall.conf10
-rw-r--r--roles/dl/files/mini-dinstall.service12
-rw-r--r--roles/dl/meta/main.yml6
-rw-r--r--roles/dl/tasks/main.yml28
-rw-r--r--roles/openvpn/files/ca.crt31
-rw-r--r--roles/openvpn/files/crl.pem18
-rw-r--r--roles/openvpn/files/dh4096.pem13
-rw-r--r--roles/openvpn/files/server.conf306
-rw-r--r--roles/openvpn/handlers/main.yml6
-rw-r--r--roles/openvpn/meta/main.yml3
-rw-r--r--roles/openvpn/tasks/main.yml56
-rw-r--r--roles/rsnapshot.notyet/files/rsnapshot.conf228
-rw-r--r--roles/rsnapshot.notyet/meta/main.yml3
-rw-r--r--roles/rsnapshot.notyet/tasks/main.yml17
-rw-r--r--roles/rsnapshot.notyet/templates/cron.j25
-rw-r--r--roles/rsnapshot.notyet/templates/linux.conf.j231
-rw-r--r--roles/webserver/files/default.conf9
-rw-r--r--roles/webserver/files/homepage.conf8
-rw-r--r--roles/webserver/meta/main.yml3
-rw-r--r--roles/webserver/tasks/main.yml30
-rw-r--r--site.yml8
-rwxr-xr-xvaultpass2
32 files changed, 1291 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a8b42eb
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*.retry
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..29a3719
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,346 @@
+# config file for ansible -- http://ansible.com/
+# ==============================================
+
+# nearly all parameters can be overridden in ansible-playbook
+# or with command line flags. ansible will read ANSIBLE_CONFIG,
+# ansible.cfg in the current working directory, .ansible.cfg in
+# the home directory or /etc/ansible/ansible.cfg, whichever it
+# finds first
+
+[defaults]
+
+# some basic default values...
+
+#inventory = /etc/ansible/hosts
+#library = /usr/share/my_modules/
+#remote_tmp = $HOME/.ansible/tmp
+#local_tmp = $HOME/.ansible/tmp
+#forks = 5
+#poll_interval = 15
+#sudo_user = root
+#ask_sudo_pass = True
+#ask_pass = True
+#transport = smart
+#remote_port = 22
+#module_lang = C
+#module_set_locale = True
+
+# plays will gather facts by default, which contain information about
+# the remote system.
+#
+# smart - gather by default, but don't regather if already gathered
+# implicit - gather by default, turn off with gather_facts: False
+# explicit - do not gather by default, must say gather_facts: True
+#gathering = implicit
+
+# by default retrieve all facts subsets
+# all - gather all subsets
+# network - gather min and network facts
+# hardware - gather hardware facts (longest facts to retrieve)
+# virtual - gather min and virtual facts
+# facter - import facts from facter
+# ohai - import facts from ohai
+# You can combine them using comma (ex: network,virtual)
+# You can negate them using ! (ex: !hardware,!facter,!ohai)
+# A minimal set of facts is always gathered.
+#gather_subset = all
+
+# additional paths to search for roles in, colon separated
+#roles_path = /etc/ansible/roles
+
+# uncomment this to disable SSH key host checking
+#host_key_checking = False
+
+# change the default callback
+#stdout_callback = skippy
+# enable additional callbacks
+#callback_whitelist = timer, mail
+
+# Determine whether includes in tasks and handlers are "static" by
+# default. As of 2.0, includes are dynamic by default. Setting these
+# values to True will make includes behave more like they did in the
+# 1.x versions.
+#task_includes_static = True
+#handler_includes_static = True
+
+# change this for alternative sudo implementations
+#sudo_exe = sudo
+
+# What flags to pass to sudo
+# WARNING: leaving out the defaults might create unexpected behaviours
+#sudo_flags = -H -S -n
+
+# SSH timeout
+#timeout = 10
+
+# default user to use for playbooks if user is not specified
+# (/usr/bin/ansible will use current user as default)
+#remote_user = root
+
+# logging is off by default unless this path is defined
+# if so defined, consider logrotate
+#log_path = /var/log/ansible.log
+
+# default module name for /usr/bin/ansible
+#module_name = command
+
+# use this shell for commands executed under sudo
+# you may need to change this to bin/bash in rare instances
+# if sudo is constrained
+#executable = /bin/sh
+
+# if inventory variables overlap, does the higher precedence one win
+# or are hash values merged together? The default is 'replace' but
+# this can also be set to 'merge'.
+#hash_behaviour = replace
+
+# by default, variables from roles will be visible in the global variable
+# scope. To prevent this, the following option can be enabled, and only
+# tasks and handlers within the role will see the variables there
+#private_role_vars = yes
+
+# list any Jinja2 extensions to enable here:
+#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n
+
+# if set, always use this private key file for authentication, same as
+# if passing --private-key to ansible or ansible-playbook
+#private_key_file = /path/to/file
+
+# If set, configures the path to the Vault password file as an alternative to
+# specifying --vault-password-file on the command line.
+#vault_password_file = ~/.vault.py
+
+# format of string {{ ansible_managed }} available within Jinja2
+# templates indicates to users editing templates files will be replaced.
+# replacing {file}, {host} and {uid} and strftime codes with proper values.
+#ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
+# This short version is better used in templates as it won't flag the file as changed every run.
+#ansible_managed = Ansible managed: {file} on {host}
+
+# by default, ansible-playbook will display "Skipping [host]" if it determines a task
+# should not be run on a host. Set this to "False" if you don't want to see these "Skipping"
+# messages. NOTE: the task header will still be shown regardless of whether or not the
+# task is skipped.
+#display_skipped_hosts = True
+
+# by default, if a task in a playbook does not include a name: field then
+# ansible-playbook will construct a header that includes the task's action but
+# not the task's args. This is a security feature because ansible cannot know
+# if the *module* considers an argument to be no_log at the time that the
+# header is printed. If your environment doesn't have a problem securing
+# stdout from ansible-playbook (or you have manually specified no_log in your
+# playbook on all of the tasks where you have secret information) then you can
+# safely set this to True to get more informative messages.
+#display_args_to_stdout = False
+
+# by default (as of 1.3), Ansible will raise errors when attempting to dereference
+# Jinja2 variables that are not set in templates or action lines. Uncomment this line
+# to revert the behavior to pre-1.3.
+#error_on_undefined_vars = False
+
+# by default (as of 1.6), Ansible may display warnings based on the configuration of the
+# system running ansible itself. This may include warnings about 3rd party packages or
+# other conditions that should be resolved if possible.
+# to disable these warnings, set the following value to False:
+#system_warnings = True
+
+# by default (as of 1.4), Ansible may display deprecation warnings for language
+# features that should no longer be used and will be removed in future versions.
+# to disable these warnings, set the following value to False:
+#deprecation_warnings = True
+
+# (as of 1.8), Ansible can optionally warn when usage of the shell and
+# command module appear to be simplified by using a default Ansible module
+# instead. These warnings can be silenced by adjusting the following
+# setting or adding warn=yes or warn=no to the end of the command line
+# parameter string. This will for example suggest using the git module
+# instead of shelling out to the git command.
+# command_warnings = False
+
+
+# set plugin path directories here, separate with colons
+#action_plugins = /usr/share/ansible/plugins/action
+#callback_plugins = /usr/share/ansible/plugins/callback
+#connection_plugins = /usr/share/ansible/plugins/connection
+#lookup_plugins = /usr/share/ansible/plugins/lookup
+#vars_plugins = /usr/share/ansible/plugins/vars
+#filter_plugins = /usr/share/ansible/plugins/filter
+#test_plugins = /usr/share/ansible/plugins/test
+#strategy_plugins = /usr/share/ansible/plugins/strategy
+
+# by default callbacks are not loaded for /bin/ansible, enable this if you
+# want, for example, a notification or logging callback to also apply to
+# /bin/ansible runs
+#bin_ansible_callbacks = False
+
+
+# don't like cows? that's unfortunate.
+# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1
+#nocows = 1
+
+# set which cowsay stencil you'd like to use by default. When set to 'random',
+# a random stencil will be selected for each task. The selection will be filtered
+# against the `cow_whitelist` option below.
+#cow_selection = default
+#cow_selection = random
+
+# when using the 'random' option for cowsay, stencils will be restricted to this list.
+# it should be formatted as a comma-separated list with no spaces between names.
+# NOTE: line continuations here are for formatting purposes only, as the INI parser
+# in python does not support them.
+#cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes,\
+# hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus,\
+# stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www
+
+# don't like colors either?
+# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1
+#nocolor = 1
+
+# if set to a persistent type (not 'memory', for example 'redis') fact values
+# from previous runs in Ansible will be stored. This may be useful when
+# wanting to use, for example, IP information from one group of servers
+# without having to talk to them in the same playbook run to get their
+# current IP information.
+#fact_caching = memory
+
+
+# retry files
+# When a playbook fails by default a .retry file will be created in ~/
+# You can disable this feature by setting retry_files_enabled to False
+# and you can change the location of the files by setting retry_files_save_path
+
+#retry_files_enabled = False
+#retry_files_save_path = ~/.ansible-retry
+
+# squash actions
+# Ansible can optimise actions that call modules with list parameters
+# when looping. Instead of calling the module once per with_ item, the
+# module is called once with all items at once. Currently this only works
+# under limited circumstances, and only with parameters named 'name'.
+#squash_actions = apk,apt,dnf,package,pacman,pkgng,yum,zypper
+
+# prevents logging of task data, off by default
+#no_log = False
+
+# prevents logging of tasks, but only on the targets, data is still logged on the master/controller
+#no_target_syslog = False
+
+# controls whether Ansible will raise an error or warning if a task has no
+# choice but to create world readable temporary files to execute a module on
+# the remote machine. This option is False by default for security. Users may
+# turn this on to have behaviour more like Ansible prior to 2.1.x. See
+# https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user
+# for more secure ways to fix this than enabling this option.
+#allow_world_readable_tmpfiles = False
+
+# controls the compression level of variables sent to
+# worker processes. At the default of 0, no compression
+# is used. This value must be an integer from 0 to 9.
+#var_compression_level = 9
+
+# controls what compression method is used for new-style ansible modules when
+# they are sent to the remote system. The compression types depend on having
+# support compiled into both the controller's python and the client's python.
+# The names should match with the python Zipfile compression types:
+# * ZIP_STORED (no compression. available everywhere)
+# * ZIP_DEFLATED (uses zlib, the default)
+# These values may be set per host via the ansible_module_compression inventory
+# variable
+#module_compression = 'ZIP_DEFLATED'
+
+# This controls the cutoff point (in bytes) on --diff for files
+# set to 0 for unlimited (RAM may suffer!).
+#max_diff_size = 1048576
+
+[privilege_escalation]
+#become=True
+#become_method=sudo
+#become_user=root
+#become_ask_pass=False
+
+[paramiko_connection]
+
+# uncomment this line to cause the paramiko connection plugin to not record new host
+# keys encountered. Increases performance on new host additions. Setting works independently of the
+# host key checking setting above.
+#record_host_keys=False
+
+# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this
+# line to disable this behaviour.
+#pty=False
+
+[ssh_connection]
+
+# ssh arguments to use
+# Leaving off ControlPersist will result in poor performance, so use
+# paramiko on older platforms rather than removing it
+#ssh_args = -o ControlMaster=auto -o ControlPersist=60s
+
+# The path to use for the ControlPath sockets. This defaults to
+# "%(directory)s/ansible-ssh-%%h-%%p-%%r", however on some systems with
+# very long hostnames or very long path names (caused by long user names or
+# deeply nested home directories) this can exceed the character limit on
+# file socket names (108 characters for most platforms). In that case, you
+# may wish to shorten the string below.
+#
+# Example:
+# control_path = %(directory)s/%%h-%%r
+#control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r
+
+# Enabling pipelining reduces the number of SSH operations required to
+# execute a module on the remote server. This can result in a significant
+# performance improvement when enabled, however when using "sudo:" you must
+# first disable 'requiretty' in /etc/sudoers
+#
+# By default, this option is disabled to preserve compatibility with
+# sudoers configurations that have requiretty (the default on many distros).
+#
+pipelining = True
+
+# if True, make ansible use scp if the connection type is ssh
+# (default is sftp)
+#scp_if_ssh = True
+
+# if False, sftp will not use batch mode to transfer files. This may cause some
+# types of file transfer failures impossible to catch however, and should
+# only be disabled if your sftp version has problems with batch mode
+#sftp_batch_mode = False
+
+[accelerate]
+#accelerate_port = 5099
+#accelerate_timeout = 30
+#accelerate_connect_timeout = 5.0
+
+# The daemon timeout is measured in minutes. This time is measured
+# from the last activity to the accelerate daemon.
+#accelerate_daemon_timeout = 30
+
+# If set to yes, accelerate_multi_key will allow multiple
+# private keys to be uploaded to it, though each user must
+# have access to the system via SSH to add a new key. The default
+# is "no".
+#accelerate_multi_key = yes
+
+[selinux]
+# file systems that require special treatment when dealing with security context
+# the default behaviour that copies the existing context or uses the user default
+# needs to be changed to use the file system dependent context.
+#special_context_filesystems=nfs,vboxsf,fuse,ramfs
+
+# Set this to yes to allow libvirt_lxc connections to work without SELinux.
+#libvirt_lxc_noseclabel = yes
+
+[colors]
+#highlight = white
+#verbose = blue
+#warn = bright purple
+#error = red
+#debug = dark gray
+#deprecate = purple
+#skip = cyan
+#unreachable = red
+#ok = green
+#changed = yellow
+#diff_add = green
+#diff_remove = red
+#diff_lines = cyan
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..66bd4ef
--- /dev/null
+++ b/hosts
@@ -0,0 +1,6 @@
+[all]
+vps
+
+## virtual private servers
+[vps]
+peter.crashbox.io \ No newline at end of file
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..7e81c55
--- /dev/null
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+- name: install common packages
+ apt: name={{item}} state=latest
+ with_items:
+ - ufw
+ - openssl
+ - ca-certificates
+ - curl
+ - wget
+ - jq
+ - rsync
+
+- name: firewall - allow ssh
+ ufw: rule=allow port=22 proto=tcp
+
+- name: firewall - enforce rules and deny by default
+ ufw: state=enabled policy=deny
+
+- name: forward root email
+ lineinfile: "dest=/etc/aliases regexp='root:' line='root: infra@odersky.com'"
+
+- name: unattended upgrades - install
+ apt: name={{item}} state=latest
+ with_items:
+ - unattended-upgrades
+ - apt-listchanges
+
+- name: unattended upgrades - configure email
+ lineinfile:
+ dest=/etc/apt/apt.conf.d/50unattended-upgrades
+ regexp='//Unattended-Upgrade::Mail "root";'
+ line='Unattended-Upgrade::Mail "root";'
+ backrefs=yes
+
+- name: unattended upgrades - enable
+ copy:
+ content: |
+ APT::Periodic::Update-Package-Lists "1";
+ APT::Periodic::Unattended-Upgrade "1";
+ dest: /etc/apt/apt.conf.d/20auto-upgrades
diff --git a/roles/ddns.notyet/meta/main.yml b/roles/ddns.notyet/meta/main.yml
new file mode 100644
index 0000000..fdda41b
--- /dev/null
+++ b/roles/ddns.notyet/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: common
diff --git a/roles/ddns.notyet/tasks/main.yml b/roles/ddns.notyet/tasks/main.yml
new file mode 100644
index 0000000..63caa0c
--- /dev/null
+++ b/roles/ddns.notyet/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+- include_vars: vars/vault.yml
+
+- name: install dns utilities
+ apt: name=dnsutils state=latest
+
+- name: install jq
+ apt: name=jq state=latest
+
+- name: schedule periodic updates of dns entry
+ template: src=update-dns.j2 dest=/etc/cron.daily/update-dns
diff --git a/roles/ddns.notyet/templates/update-dns.j2 b/roles/ddns.notyet/templates/update-dns.j2
new file mode 100644
index 0000000..4d68666
--- /dev/null
+++ b/roles/ddns.notyet/templates/update-dns.j2
@@ -0,0 +1,24 @@
+#!/bin/sh
+set -e
+
+api_email=jodersky@gmail.com
+api_key={{ddns_api_key}}
+zone_name={{ddns_zone}}
+record_name={{ddns_record}}
+
+cf() {
+ curl \
+ -sS \
+ -H "X-Auth-Email: $api_email"\
+ -H "X-Auth-Key: $api_key"\
+ -H "Content-Type: application/json"\
+ $@
+}
+
+external_ip=$(dig +short myip.opendns.com @resolver1.opendns.com)
+zone_id=$(cf -X GET "https://api.cloudflare.com/client/v4/zones?name=$zone_name" | jq -r '.result[0].id')
+record_id=$(cf -X GET "https://api.cloudflare.com/client/v4/zones/$zone_id/dns_records?name=$record_name" | jq -r '.result[0].id')
+
+cf -X PUT "https://api.cloudflare.com/client/v4/zones/${zone_id}/dns_records/${record_id}" \
+ --data {\"type\":\"A\",\"name\":\""$record_name"\",\"content\":\""$external_ip"\"} \
+ || (echo "Error updating IP address." >&2 && exit 1)
diff --git a/roles/ddns.notyet/vars/main.yml b/roles/ddns.notyet/vars/main.yml
new file mode 100644
index 0000000..6128462
--- /dev/null
+++ b/roles/ddns.notyet/vars/main.yml
@@ -0,0 +1,2 @@
+---
+ddns_api_key: "{{vault_ddns_api_key}}"
diff --git a/roles/ddns.notyet/vars/vault.yml b/roles/ddns.notyet/vars/vault.yml
new file mode 100644
index 0000000..77502f8
--- /dev/null
+++ b/roles/ddns.notyet/vars/vault.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+38333565623838383936376530366331383234626234346666623232643831333761376563666561
+3930343438613136656633656363633930623931626238330a656236633037303535663733383838
+33636566336164313365653766353931353739343562343435613130623739656432383831323466
+3039626461333738610a303632633562326133356635656234353334343764636236623238343262
+39623638376663643964623938626238626636313136636364633561346630303266303232363366
+33383361623532636165666433653964653937613038393132343762666131616338643230643734
+313734343834663538323038393337316635
diff --git a/roles/dl/files/dl.conf b/roles/dl/files/dl.conf
new file mode 100644
index 0000000..43b96da
--- /dev/null
+++ b/roles/dl/files/dl.conf
@@ -0,0 +1,17 @@
+server {
+ server_name dl.crashbox.io;
+ listen 80;
+ listen 443;
+
+ root /srv/dl;
+
+ location /debian/mini-dinstall {
+ deny all;
+ return 403;
+ }
+
+ location / {
+ try_files $uri $uri/ =404;
+ autoindex on;
+ }
+}
diff --git a/roles/dl/files/mini-dinstall.conf b/roles/dl/files/mini-dinstall.conf
new file mode 100644
index 0000000..9ceca88
--- /dev/null
+++ b/roles/dl/files/mini-dinstall.conf
@@ -0,0 +1,10 @@
+[DEFAULT]
+archivedir = /srv/dl/debian
+archive_style = flat
+incoming_permissions = 0770
+architecture = all,amd64,i386,armhf
+generate_release = 1
+mail_to = root@localhost
+
+[internal]
+release_label = Internal Packages \ No newline at end of file
diff --git a/roles/dl/files/mini-dinstall.service b/roles/dl/files/mini-dinstall.service
new file mode 100644
index 0000000..f543123
--- /dev/null
+++ b/roles/dl/files/mini-dinstall.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=APT archive management
+
+[Service]
+User=mini-dinstall
+Group=mini-dinstall
+Type=forking
+ExecStart=/usr/bin/mini-dinstall
+PIDFile=/srv/dl/debian/mini-dinstall/mini-dinstall.lock
+
+[Install]
+WantedBy=multi-user.target \ No newline at end of file
diff --git a/roles/dl/meta/main.yml b/roles/dl/meta/main.yml
new file mode 100644
index 0000000..8d74850
--- /dev/null
+++ b/roles/dl/meta/main.yml
@@ -0,0 +1,6 @@
+---
+dependencies:
+ - role: common
+ - role: webserver
+
+
diff --git a/roles/dl/tasks/main.yml b/roles/dl/tasks/main.yml
new file mode 100644
index 0000000..a0dbd46
--- /dev/null
+++ b/roles/dl/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+
+- name: nginx - configure dl
+ copy: src=dl.conf dest=/etc/nginx/sites-available/dl.conf
+
+- name: nginx - activate dl
+ file:
+ src=/etc/nginx/sites-available/dl.conf
+ dest=/etc/nginx/sites-enabled/dl.conf
+ state=link
+
+- name: add mini-dinstall user
+ command: adduser --system --disabled-password --disabled-login --home /var/empty --no-create-home --quiet --force-badname --group mini-dinstall
+
+- name: install mini-dinstall
+ apt: name=mini-dinstall state=latest
+
+- name: copy mini-dinstall config
+ copy: src=mini-dinstall.conf dest=/etc/mini-dinstall.conf
+
+- name: create mini-dinstall archive directory
+ file: path=/srv/dl/debian state=directory owner=mini-dinstall group=mini-dinstall mode=0755
+
+- name: copy mini-dinstall service config
+ copy: src=mini-dinstall.service dest=/etc/systemd/system/mini-dinstall.service
+
+- name: enable and start mini-dinstall service
+ service: name=mini-dinstall enabled=yes state=started
diff --git a/roles/openvpn/files/ca.crt b/roles/openvpn/files/ca.crt
new file mode 100644
index 0000000..dc24426
--- /dev/null
+++ b/roles/openvpn/files/ca.crt
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFUDCCAzigAwIBAgIJALKknwe+743TMA0GCSqGSIb3DQEBCwUAMB8xHTAbBgNV
+BAMMFEpha29iIE9kZXJza3kgVlBOIENBMB4XDTE2MTIyNjE1NDYzOFoXDTI2MTIy
+NDE1NDYzOFowHzEdMBsGA1UEAwwUSmFrb2IgT2RlcnNreSBWUE4gQ0EwggIiMA0G
+CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCqQWgLTIUBuJm83VlWA0Mq6kpHGqjD
+PICzlEHFjT6uliSQBeGDCBZ5VyZH3xM+KXsbibDHlWuBebrysv6Eepl64E2X9BnH
+7OtCM1XaYxITB5bXLvA+YGAdklZC28Izv63elcV4HCD593T38txErGWJsK1OG78i
+GKIAAlhWR9wjdGxF8YzQx1GNud1AoY8Xgi3W0cTaJc18yqaapnDNs3gRcNBSmrq/
+s5CsFG/vvz0+Njf1u79qyrQVUFLYJqFWwnqrSmj/ldVYCn2vlIExNvFy5EGQi90L
+Y1jyDQYMVDIC1yLWJIlW6TGZi8qjc7MbRXqLs1SePJaYtfxMG8mGb605cZ5v3mTS
+Mi3+nFe5OIqk8E8NsVl/s2oUGbYc3GMdGKUU68O6ihUwH9Gxj1ocSq4cKxyXHXPL
+uErCFBu36FN/CoAgdOThPED84x9n8EklGxewJKvkHNos3zQoubEimzqw1e8hXH3Z
+kxHG325W4PcaT6HK7t127wvWPNywsYa5A+cuQKnXq6NysQbEhcsHxMUmeBBEOfaH
+KQmji/KQTQQPAW8GpRh/PIVY/fmKVu8tKgVhQPlURNVqU0o2Mi/xDtnhFiPmaTzt
+2zOyWpl3WGZrHiX+cdHqInqSQAbBe1sjNqPDTNsTGxAEnmzYK2Ya0C1TIc2MFv/j
+uQRaOTRApAxy4wIDAQABo4GOMIGLMB0GA1UdDgQWBBTOxv73DemHSrCYq3B1GcDc
+NrBOKzBPBgNVHSMESDBGgBTOxv73DemHSrCYq3B1GcDcNrBOK6EjpCEwHzEdMBsG
+A1UEAwwUSmFrb2IgT2RlcnNreSBWUE4gQ0GCCQCypJ8Hvu+N0zAMBgNVHRMEBTAD
+AQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAckRY9ueeSa3uafKX
+PzNYqmwUVlIEYhQtG3vy0rqDQU3gcNYEkABXigquZatF46qOZ0pTN+8vGCksN3mZ
+42/idtEfv0yxlZIbJRHBjYs6YZP1/rABAEtZSxIebw+cq1zdXnr98xWGAVWA3WJY
+np8+Man2zeBEqU4dSJOr6wPSqpwJOFaYwI+PeHqcpHUd+PWsdFaWeOkk58oaS+1j
+oVPSdEP+YgAZ7Pn/O6cF7ft7k1H6mQ6oUYJwKjN9/lsaFwKghicH3/iCizwwqZCw
+sFxkGUMMFlN8EAuKu/44Tk3BegsJnkF6EB6ihesA5sF/Ymbx+nYPIlkwY6E7wG5W
++/jfj+CbQmZqbtXtwtx8zCVCmNuYGFlv5nq5TpmBn9Uxb1cN7YPp/ytDd4YkvJyc
+MsTKU12PFs4+XKItW0PV4ipY+djZnN//sJYjcJPKS7UsxMLg7oV5ooQvV6NMkVUg
+yP+dPS5NK3L63HT2s9VyRKV058Oc/J9Kcm9GG5faFo2EUxCIRwvVne/gIcEqxaRD
+5s533dmhI4VgWVIOhY00Fg7M3Ee016oTiRbZmmu2rpemHwEYkrmS4HKi+JWSce3a
+PjQXZHPsfk05V84Dr2aLS7giC7QYOg+iaoeXh61djFsGaX1jltPHH2HG4F6FJ1XC
+eCb8J4mhiEuYryEJKAz+55wKgp8=
+-----END CERTIFICATE-----
diff --git a/roles/openvpn/files/crl.pem b/roles/openvpn/files/crl.pem
new file mode 100644
index 0000000..cbcc529
--- /dev/null
+++ b/roles/openvpn/files/crl.pem
@@ -0,0 +1,18 @@
+-----BEGIN X509 CRL-----
+MIIC0zCBvAIBATANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRKYWtvYiBPZGVy
+c2t5IFZQTiBDQRcNMTYxMjI2MTU1NTUzWhcNMTcwNjI0MTU1NTUzWjAUMBICAQIX
+DTE2MTIyNjE1NTEyN1qgUzBRME8GA1UdIwRIMEaAFM7G/vcN6YdKsJircHUZwNw2
+sE4roSOkITAfMR0wGwYDVQQDDBRKYWtvYiBPZGVyc2t5IFZQTiBDQYIJALKknwe+
+743TMA0GCSqGSIb3DQEBCwUAA4ICAQA3NWbkDDKdaMBSMnX0pCOebHigtNwiBLa+
+7riMqu0W+lok/pnrYXIvssk36psXljv/9NZ/U3KE1TfSOXM84YKNgN9nPS1JFaMD
+1bVJQ4WMlBO/onF1ELtAyIePhHm9ZQSNKa9i7hLep+PCZadvI8JIxZGNeKDHYv6x
+xrs3yqyte0Lw3gRB8XjWXKJQPCmaYpRf/X1EdrHteZX78uTZX3ArbysyY1xpji98
+8r6AeYOQgR2hLmaa5mpgn9YCiN5VFherVexGubz7xRvIEvII8BcIk84tW08U9oCO
+cyUsTxWeiDYd6WJY3BEjVSy0DRGHQMOhc84XSp4KMS9fQfdLpdXbpovf4mVhNuJQ
+5H41ZZ7dwuVWEf0n3ma/EAVOQE6MD1vMaPedHBEwqRCNDXz6XkQPi6ar/uSi9YhX
+Zyc/9DP/auQ5wgc6xkJptIB3DFKkW8yUHB7yEzhmWYuF8Z89Dtxsh9GV9e4s40v2
+ELrPm4Yf5UzeDQdl+ipkpjvL2Xs5+FRYtQIsTVGEnKcu0+fGHOd+bpRt909cpiNC
+ToIgnskJpnBzGwlmCsAg3Mt8QB8GpKouIwyYRIDTSdzJnh9OUYHtqDC2MUZ+xgWF
+YvqFMkMVQJ0g0X6f5BYukyicTNK/BJ++NySXov83Jb8xxQg771VxmJvWNx8plekZ
+0oar1TLHJQ==
+-----END X509 CRL-----
diff --git a/roles/openvpn/files/dh4096.pem b/roles/openvpn/files/dh4096.pem
new file mode 100644
index 0000000..3fd26d4
--- /dev/null
+++ b/roles/openvpn/files/dh4096.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA8PC5fLB2y0AAFvUFwSoZCi/vgWVHKoHY34kU3NnCrmAHKVpvBGJ0
+g8Y4No6MHWyMGtgt7JGcnRRokzsgedtn02j69rqiwQWDS6WlU3gOYSRQAtrzU6L8
+1TYoAc5iux0M0rw9nV2XSLZSRGsLQQDDsiOb0fsZD05B3JytyjIGCgs3PiztdmCM
+4BIFn2VqYj2vm9+wmwJ716JRVHgieU58pHIQrao4uSRCSVTNru8+1ACXgcFI/xGk
+89hti0Ywh2sGKC+9+SZOKdZMXl8u7NhCo9dAQAjg1e6wAp/jjP0yUWnlhY87rVl/
+LNQnVSM7VmPMgUGy1ffdLd03b/MBG1to64ioSaNyq0VAuevBihQ7BZaZxuwuioWk
+eTLv0dp1Zie2IihiY3/IONu8HvrqvZn8+Ml7m4icTPwQrqN9S0eMsyA09MuNI3MP
+5F+fn2zyib3fxwPV7GeNjsCj+QywFGdmukThD7sT0Q7BLx2KhZaj6D76JZLz4H0S
+cBkJGjK3/YcjZFHipaaFvvEdftO33o+CdWwKc3+TL1gn3TB5smZS4V5oO3SkoMOr
+mowBd6CsFqdNASvoWZs29CgRHewtAmMfx4ZtlcFDffGLNzx1DO8VoCX0RGATEI/M
+vlrYYchykZjEMqjS6PAxpeCSDLWqIkW9fy8qUJcebZ7Rml25vv4SeeMCAQI=
+-----END DH PARAMETERS-----
diff --git a/roles/openvpn/files/server.conf b/roles/openvpn/files/server.conf
new file mode 100644
index 0000000..a30e72c
--- /dev/null
+++ b/roles/openvpn/files/server.conf
@@ -0,0 +1,306 @@
+#################################################
+# Sample OpenVPN 2.0 config file for #
+# multi-client server. #
+# #
+# This file is for the server side #
+# of a many-clients <-> one-server #
+# OpenVPN configuration. #
+# #
+# OpenVPN also supports #
+# single-machine <-> single-machine #
+# configurations (See the Examples page #
+# on the web site for more info). #
+# #
+# This config should work on Windows #
+# or Linux/BSD systems. Remember on #
+# Windows to quote pathnames and use #
+# double backslashes, e.g.: #
+# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
+# #
+# Comments are preceded with '#' or ';' #
+#################################################
+
+# Which local IP address should OpenVPN
+# listen on? (optional)
+;local a.b.c.d
+
+# Which TCP/UDP port should OpenVPN listen on?
+# If you want to run multiple OpenVPN instances
+# on the same machine, use a different port
+# number for each one. You will need to
+# open up this port on your firewall.
+port 1194
+
+# TCP or UDP server?
+;proto tcp
+proto udp
+
+# "dev tun" will create a routed IP tunnel,
+# "dev tap" will create an ethernet tunnel.
+# Use "dev tap0" if you are ethernet bridging
+# and have precreated a tap0 virtual interface
+# and bridged it with your ethernet interface.
+# If you want to control access policies
+# over the VPN, you must create firewall
+# rules for the the TUN/TAP interface.
+# On non-Windows systems, you can give
+# an explicit unit number, such as tun0.
+# On Windows, use "dev-node" for this.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel if you
+# have more than one. On XP SP2 or higher,
+# you may need to selectively disable the
+# Windows firewall for the TAP adapter.
+# Non-Windows systems usually don't need this.
+;dev-node MyTap
+
+# SSL/TLS root certificate (ca), certificate
+# (cert), and private key (key). Each client
+# and the server must have their own cert and
+# key file. The server and all clients will
+# use the same ca file.
+#
+# See the "easy-rsa" directory for a series
+# of scripts for generating RSA certificates
+# and private keys. Remember to use
+# a unique Common Name for the server
+# and each of the client certificates.
+#
+# Any X509 key management system can be used.
+# OpenVPN can also use a PKCS #12 formatted key file
+# (see "pkcs12" directive in man page).
+ca ca.crt
+cert server.crt
+key server.key # This file should be kept secret
+crl-verify crl.pem
+
+# Diffie hellman parameters.
+# Generate your own with:
+# openssl dhparam -out dh2048.pem 2048
+dh dh4096.pem
+
+# Network topology
+# Should be subnet (addressing via IP)
+# unless Windows clients v2.0.9 and lower have to
+# be supported (then net30, i.e. a /30 per client)
+# Defaults to net30 (not recommended)
+topology subnet
+
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+# The server will take 10.8.0.1 for itself,
+# the rest will be made available to clients.
+# Each client will be able to reach the server
+# on 10.8.0.1. Comment this line out if you are
+# ethernet bridging. See the man page for more info.
+;server 10.8.0.0 255.255.255.0
+server 192.168.255.128 255.255.255.128
+
+# Maintain a record of client <-> virtual IP address
+# associations in this file. If OpenVPN goes down or
+# is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was
+# previously assigned.
+ifconfig-pool-persist ipp.txt
+
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface. Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0. Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients. Leave this line commented
+# out unless you are ethernet bridging.
+;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
+
+# Configure server mode for ethernet bridging
+# using a DHCP-proxy, where clients talk
+# to the OpenVPN server-side DHCP server
+# to receive their IP address allocation
+# and DNS server addresses. You must first use
+# your OS's bridging capability to bridge the TAP
+# interface with the ethernet NIC interface.
+# Note: this mode only works on clients (such as
+# Windows), where the client-side TAP adapter is
+# bound to a DHCP client.
+;server-bridge
+
+# Push routes to the client to allow it
+# to reach other private subnets behind
+# the server. Remember that these
+# private subnets will also need
+# to know to route the OpenVPN client
+# address pool (10.8.0.0/255.255.255.0)
+# back to the OpenVPN server.
+;push "route 192.168.10.0 255.255.255.0"
+;push "route 192.168.20.0 255.255.255.0"
+
+# To assign specific IP addresses to specific
+# clients or if a connecting client has a private
+# subnet behind it that should also have VPN access,
+# use the subdirectory "ccd" for client-specific
+# configuration files (see man page for more info).
+
+# EXAMPLE: Suppose the client
+# having the certificate common name "Thelonious"
+# also has a small subnet behind his connecting
+# machine, such as 192.168.40.128/255.255.255.248.
+# First, uncomment out these lines:
+;client-config-dir ccd
+;route 192.168.40.128 255.255.255.248
+# Then create a file ccd/Thelonious with this line:
+# iroute 192.168.40.128 255.255.255.248
+# This will allow Thelonious' private subnet to
+# access the VPN. This example will only work
+# if you are routing, not bridging, i.e. you are
+# using "dev tun" and "server" directives.
+
+# EXAMPLE: Suppose you want to give
+# Thelonious a fixed VPN IP address of 10.9.0.1.
+# First uncomment out these lines:
+;client-config-dir ccd
+;route 10.9.0.0 255.255.255.252
+# Then add this line to ccd/Thelonious:
+# ifconfig-push 10.9.0.1 10.9.0.2
+
+# Suppose that you want to enable different
+# firewall access policies for different groups
+# of clients. There are two methods:
+# (1) Run multiple OpenVPN daemons, one for each
+# group, and firewall the TUN/TAP interface
+# for each group/daemon appropriately.
+# (2) (Advanced) Create a script to dynamically
+# modify the firewall in response to access
+# from different clients. See man
+# page for more info on learn-address script.
+;learn-address ./script
+
+# If enabled, this directive will configure
+# all clients to redirect their default
+# network gateway through the VPN, causing
+# all IP traffic such as web browsing and
+# and DNS lookups to go through the VPN
+# (The OpenVPN server machine may need to NAT
+# or bridge the TUN/TAP interface to the internet
+# in order for this to work properly).
+push "redirect-gateway def1 bypass-dhcp"
+
+# Certain Windows-specific network settings
+# can be pushed to clients, such as DNS
+# or WINS server addresses. CAVEAT:
+# http://openvpn.net/faq.html#dhcpcaveats
+# The addresses below refer to the public
+# DNS servers provided by opendns.com.
+push "dhcp-option DNS 208.67.222.222"
+push "dhcp-option DNS 208.67.220.220"
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+;client-to-client
+
+# Uncomment this directive if multiple clients
+# might connect with the same certificate/key
+# files or common names. This is recommended
+# only for testing purposes. For production use,
+# each client should have its own certificate/key
+# pair.
+#
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# For extra security beyond that provided
+# by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+#
+# Generate with:
+# openvpn --genkey --secret ta.key
+#
+# The server and each client must have
+# a copy of this key.
+# The second parameter should be '0'
+# on the server and '1' on the clients.
+;tls-auth ta.key 0 # This file is secret
+
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+;cipher BF-CBC # Blowfish (default)
+cipher AES-128-CBC # AES
+;cipher DES-EDE3-CBC # Triple-DES
+
+# Enable compression on the VPN link.
+# If you enable it here, you must also
+# enable it in the client config file.
+comp-lzo
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+;max-clients 100
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+user nobody
+group nogroup
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+status openvpn-status.log
+
+# By default, log messages will go to the syslog (or
+# on Windows, if running as a service, they will go to
+# the "\Program Files\OpenVPN\log" directory).
+# Use log or log-append to override this default.
+# "log" will truncate the log file on OpenVPN startup,
+# while "log-append" will append to it. Use one
+# or the other (but not both).
+;log openvpn.log
+;log-append openvpn.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 4
+
+# Silence repeating messages. At most 20
+# sequential messages of the same message
+# category will be output to the log.
+;mute 20
diff --git a/roles/openvpn/handlers/main.yml b/roles/openvpn/handlers/main.yml
new file mode 100644
index 0000000..d462ff1
--- /dev/null
+++ b/roles/openvpn/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart openvpn
+ service: name=openvpn state=restarted
+
+- name: restart ufw
+ service: name=ufw state=restarted
diff --git a/roles/openvpn/meta/main.yml b/roles/openvpn/meta/main.yml
new file mode 100644
index 0000000..fdda41b
--- /dev/null
+++ b/roles/openvpn/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: common
diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml
new file mode 100644
index 0000000..ad3b928
--- /dev/null
+++ b/roles/openvpn/tasks/main.yml
@@ -0,0 +1,56 @@
+---
+- name: install openvpn
+ apt: name=openvpn state=latest
+
+- name: copy root certificate
+ copy: src=ca.crt dest=/etc/openvpn/ca.crt
+ notify: restart openvpn
+
+- name: copy dh parameters
+ copy: src=dh4096.pem dest=/etc/openvpn/dh4096.pem
+ notify: restart openvpn
+
+- name: copy server config
+ copy: src=server.conf dest=/etc/openvpn/server.conf
+ notify: restart openvpn
+
+- name: copy crl
+ copy: src=crl.pem dest=/etc/openvpn/crl.pem
+ notify: restart openvpn # restart to terminate all connections and enforce crl
+
+- name: copy server certificate
+ copy:
+ src="host_files/{{inventory_hostname}}/etc/openvpn/server.crt"
+ dest=/etc/openvpn/server.crt
+ notify: restart openvpn
+
+- name: copy server key
+ copy:
+ src="host_files/{{inventory_hostname}}/etc/openvpn/server.key"
+ dest=/etc/openvpn/server.key
+ mode=0600
+ notify: restart openvpn
+
+- name: enable ip forwarding
+ sysctl: name="net.ipv4.ip_forward" value=1 sysctl_set=yes state=present reload=yes
+
+- name: firewall - update default forward policy
+ lineinfile: dest=/etc/default/ufw regexp=^DEFAULT_FORWARD_POLICY line=DEFAULT_FORWARD_POLICY="ACCEPT"
+ notify: restart ufw
+
+- name: firewall - add NAT rules
+ blockinfile:
+ dest: /etc/ufw/before.rules
+ insertbefore: BOF
+ block: |
+ # NAT table rules
+ *nat
+ :POSTROUTING ACCEPT [0:0]
+ # Allow traffic from OpenVPN client to eth0
+ -A POSTROUTING -s 192.168.255.0/24 -o eth0 -j MASQUERADE
+ COMMIT
+ notify: restart ufw
+
+- name: firewall - allow openvpn
+ ufw: rule=allow port=1194 proto=udp
+ notify: restart ufw
diff --git a/roles/rsnapshot.notyet/files/rsnapshot.conf b/roles/rsnapshot.notyet/files/rsnapshot.conf
new file mode 100644
index 0000000..57e100c
--- /dev/null
+++ b/roles/rsnapshot.notyet/files/rsnapshot.conf
@@ -0,0 +1,228 @@
+#################################################
+# rsnapshot.conf - rsnapshot configuration file #
+#################################################
+# #
+# PLEASE BE AWARE OF THE FOLLOWING RULE: #
+# #
+# This file requires tabs between elements #
+# #
+#################################################
+
+# This rsnapshot configuration file has been modified to support
+# multiple hosts, each specified in /etc/rsnapshot.d/ and including
+# this file. The idea is from
+# http://derek.simkowiak.net/backing-up-multiple-servers-with-rsnapshot/
+
+#######################
+# CONFIG FILE VERSION #
+#######################
+
+config_version 1.2
+
+###########################
+# SNAPSHOT ROOT DIRECTORY #
+###########################
+
+# All snapshots will be stored under this root directory.
+#
+#snapshot_root /mnt/backup/ (defined in host-specific rsnapshot config file)
+
+# If no_create_root is enabled, rsnapshot will not automatically create the
+# snapshot_root directory. This is particularly useful if you are backing
+# up to removable media, such as a FireWire or USB drive.
+#
+no_create_root 1
+
+#################################
+# EXTERNAL PROGRAM DEPENDENCIES #
+#################################
+
+# LINUX USERS: Be sure to uncomment "cmd_cp". This gives you extra features.
+# EVERYONE ELSE: Leave "cmd_cp" commented out for compatibility.
+#
+# See the README file or the man page for more details.
+#
+cmd_cp /bin/cp
+
+# uncomment this to use the rm program instead of the built-in perl routine.
+#
+cmd_rm /bin/rm
+
+# rsync must be enabled for anything to work. This is the only command that
+# must be enabled.
+#
+cmd_rsync /usr/bin/rsync
+
+# Uncomment this to enable remote ssh backups over rsync.
+#
+cmd_ssh /usr/bin/ssh
+
+# Comment this out to disable syslog support.
+#
+cmd_logger /usr/bin/logger
+
+# Uncomment this to specify the path to "du" for disk usage checks.
+# If you have an older version of "du", you may also want to check the
+# "du_args" parameter below.
+#
+cmd_du /usr/bin/du
+
+# Uncomment this to specify the path to rsnapshot-diff.
+#
+#cmd_rsnapshot_diff /usr/bin/rsnapshot-diff
+
+# Specify the path to a script (and any optional arguments) to run right
+# before rsnapshot syncs files
+#
+#cmd_preexec /path/to/preexec/script
+
+# Specify the path to a script (and any optional arguments) to run right
+# after rsnapshot syncs files
+#
+#cmd_postexec /path/to/postexec/script
+
+# Paths to lvcreate, lvremove, mount and umount commands, for use with
+# Linux LVMs.
+#
+#linux_lvm_cmd_lvcreate /sbin/lvcreate
+#linux_lvm_cmd_lvremove /sbin/lvremove
+#linux_lvm_cmd_mount /bin/mount
+#linux_lvm_cmd_umount /bin/umount
+
+#########################################
+# BACKUP LEVELS / INTERVALS #
+# Must be unique and in ascending order #
+# e.g. alpha, beta, gamma, etc. #
+#########################################
+
+retain daily 7
+retain weekly 4
+retain monthly 12
+retain yearly 3
+
+############################################
+# GLOBAL OPTIONS #
+# All are optional, with sensible defaults #
+############################################
+
+# Verbose level, 1 through 5.
+# 1 Quiet Print fatal errors only
+# 2 Default Print errors and warnings only
+# 3 Verbose Show equivalent shell commands being executed
+# 4 Extra Verbose Show extra verbose information
+# 5 Debug mode Everything
+#
+verbose 3
+
+# Same as "verbose" above, but controls the amount of data sent to the
+# logfile, if one is being used. The default is 3.
+#
+loglevel 3
+
+# If you enable this, data will be written to the file you specify. The
+# amount of data written is controlled by the "loglevel" parameter.
+#
+#logfile /var/log/rsnapshot.log (defined in host-specific rsnapshot config file)
+
+# If enabled, rsnapshot will write a lockfile to prevent two instances
+# from running simultaneously (and messing up the snapshot_root).
+# If you enable this, make sure the lockfile directory is not world
+# writable. Otherwise anyone can prevent the program from running.
+#
+#lockfile /var/run/rsnapshot.pid (defined in host-specific rsnapshot config file)
+
+# By default, rsnapshot check lockfile, check if PID is running
+# and if not, consider lockfile as stale, then start
+# Enabling this stop rsnapshot if PID in lockfile is not running
+#
+#stop_on_stale_lockfile 0
+
+# Default rsync args. All rsync commands have at least these options set.
+#
+rsync_short_args -P
+rsync_long_args --archive --delete --delete-excluded --relative --human-readable --stats --filter='dir-merge .rsyncignore'
+
+# ssh has no args passed by default, but you can specify some here.
+#
+ssh_args -p 22
+
+# Default arguments for the "du" program (for disk space reporting).
+# The GNU version of "du" is preferred. See the man page for more details.
+# If your version of "du" doesn't support the -h flag, try -k flag instead.
+#
+du_args -csh
+
+# If this is enabled, rsync won't span filesystem partitions within a
+# backup point. This essentially passes the -x option to rsync.
+# The default is 0 (off).
+#
+#one_fs 0
+
+# The include and exclude parameters, if enabled, simply get passed directly
+# to rsync. If you have multiple include/exclude patterns, put each one on a
+# separate line. Please look up the --include and --exclude options in the
+# rsync man page for more details on how to specify file name patterns.
+#
+#include /usr/local/
+#exclude /boot/
+
+# The include_file and exclude_file parameters, if enabled, simply get
+# passed directly to rsync. Please look up the --include-from and
+# --exclude-from options in the rsync man page for more details.
+#
+#include_file /path/to/include/file
+#exclude_file /path/to/exclude/file
+
+# If your version of rsync supports --link-dest, consider enabling this.
+# This is the best way to support special files (FIFOs, etc) cross-platform.
+# The default is 0 (off).
+#
+#link_dest 0
+
+# When sync_first is enabled, it changes the default behaviour of rsnapshot.
+# Normally, when rsnapshot is called with its lowest interval
+# (i.e.: "rsnapshot alpha"), it will sync files AND rotate the lowest
+# intervals. With sync_first enabled, "rsnapshot sync" handles the file sync,
+# and all interval calls simply rotate files. See the man page for more
+# details. The default is 0 (off).
+#
+sync_first 1
+
+# If enabled, rsnapshot will move the oldest directory for each interval
+# to [interval_name].delete, then it will remove the lockfile and delete
+# that directory just before it exits. The default is 0 (off).
+#
+#use_lazy_deletes 0
+
+# Number of rsync re-tries. If you experience any network problems or
+# network card issues that tend to cause ssh to fail with errors like
+# "Corrupted MAC on input", for example, set this to a non-zero value
+# to have the rsync operation re-tried.
+#
+#rsync_numtries 0
+
+# LVM parameters. Used to backup with creating lvm snapshot before backup
+# and removing it after. This should ensure consistency of data in some special
+# cases
+#
+# LVM snapshot(s) size (lvcreate --size option).
+#
+#linux_lvm_snapshotsize 100M
+
+# Name to be used when creating the LVM logical volume snapshot(s).
+#
+#linux_lvm_snapshotname rsnapshot
+
+# Path to the LVM Volume Groups.
+#
+#linux_lvm_vgpath /dev
+
+# Mount point to use to temporarily mount the snapshot(s).
+#
+#linux_lvm_mountpath /path/to/mount/lvm/snapshot/during/backup
+
+###############################
+### BACKUP POINTS / SCRIPTS ###
+###############################
+
+# (defined in host-specific rsnapshot config file) \ No newline at end of file
diff --git a/roles/rsnapshot.notyet/meta/main.yml b/roles/rsnapshot.notyet/meta/main.yml
new file mode 100644
index 0000000..fdda41b
--- /dev/null
+++ b/roles/rsnapshot.notyet/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: common
diff --git a/roles/rsnapshot.notyet/tasks/main.yml b/roles/rsnapshot.notyet/tasks/main.yml
new file mode 100644
index 0000000..81b9d71
--- /dev/null
+++ b/roles/rsnapshot.notyet/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+- name: install rsnapshot
+ apt: name=rsnapshot state=latest
+
+- name: create config directory
+ file: path=/etc/rsnapshot.d state=directory mode=0755
+
+- name: copy parent configuration
+ copy: src=rsnapshot.conf dest=/etc/rsnapshot.conf force=true
+
+- name: copy child configurations
+ template: src=linux.conf.j2 dest="/etc/rsnapshot.d/{{host}}.conf"
+ vars:
+ host: "{{item}}"
+ with_items:
+ - muninn
+ - jodersky-mbp
diff --git a/roles/rsnapshot.notyet/templates/cron.j2 b/roles/rsnapshot.notyet/templates/cron.j2
new file mode 100644
index 0000000..2cdf278
--- /dev/null
+++ b/roles/rsnapshot.notyet/templates/cron.j2
@@ -0,0 +1,5 @@
+# m h dom mon dow command
+00 * * * * rsnapshot -c /home/rsnapshot/$HOST/rsnapshot.conf sync && rsnapshot -c /home/rsnapshot/$HOST/rsnapshot.conf hourly
+00 04 * * * rsnapshot -c /home/rsnapshot/$HOST/rsnapshot.conf daily
+00 02 * * 0 rsnapshot -c /home/rsnapshot/$HOST/rsnapshot.conf weekly
+00 00 1 * * rsnapshot -c /home/rsnapshot/$HOST/rsnapshot.conf monthly \ No newline at end of file
diff --git a/roles/rsnapshot.notyet/templates/linux.conf.j2 b/roles/rsnapshot.notyet/templates/linux.conf.j2
new file mode 100644
index 0000000..26dffb9
--- /dev/null
+++ b/roles/rsnapshot.notyet/templates/linux.conf.j2
@@ -0,0 +1,31 @@
+# This file requires tabs between elements
+
+# Include global rsnapshot configuration
+include_conf /etc/rsnapshot.conf
+
+logfile /var/log/rsnapshot/{{host}}.log
+lockfile /var/run/rsnapshot/{{host}}.pid
+
+snapshot_root /mnt/backup/rsnapshot/{{host}}/
+
+include /usr/local/
+exclude /bin/
+exclude /boot/
+exclude /dev/
+exclude /lib/
+exclude /lib64/
+exclude /lost+found/
+exclude /proc/
+exclude /run/
+exclude /sbin/
+exclude /sys/
+exclude /tmp/
+exclude /usr/
+exclude /var/backups/
+exclude /var/cache/
+exclude /var/lock/
+exclude /var/run/
+exclude /var/spool/
+exclude /var/tmp/
+
+backup backup@{{host}}:/ ./ \ No newline at end of file
diff --git a/roles/webserver/files/default.conf b/roles/webserver/files/default.conf
new file mode 100644
index 0000000..a85589f
--- /dev/null
+++ b/roles/webserver/files/default.conf
@@ -0,0 +1,9 @@
+# Default catch-all configuration, applied when no other configuration matches
+server {
+ server_name _;
+ listen 80 default_server;
+ listen 443 default_server;
+
+ # close the connection without sending a response
+ return 444;
+}
diff --git a/roles/webserver/files/homepage.conf b/roles/webserver/files/homepage.conf
new file mode 100644
index 0000000..9a07687
--- /dev/null
+++ b/roles/webserver/files/homepage.conf
@@ -0,0 +1,8 @@
+# Homepage
+server {
+ server_name jodersky.ch odersky.com www.odersky.com crashbox.io www.crashbox.io;
+ listen 80;
+ listen 443;
+
+ return 301 https://www.jodersky.ch$request_uri;
+}
diff --git a/roles/webserver/meta/main.yml b/roles/webserver/meta/main.yml
new file mode 100644
index 0000000..fdda41b
--- /dev/null
+++ b/roles/webserver/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: common
diff --git a/roles/webserver/tasks/main.yml b/roles/webserver/tasks/main.yml
new file mode 100644
index 0000000..34f01b2
--- /dev/null
+++ b/roles/webserver/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: install nginx
+ apt: name=nginx state=latest
+
+- name: disable default nginx site
+ file: path=/etc/nginx/sites-enabled/default state=absent
+
+- name: remove default nginx site
+ file: path=/etc/nginx/sites-available/default state=absent
+
+- name: copy website config
+ copy: src={{item}} dest=/etc/nginx/sites-available/{{item}}
+ with_items:
+ - default.conf
+ - homepage.conf
+
+- name: activate website config
+ file:
+ src=/etc/nginx/sites-available/{{item}}
+ dest=/etc/nginx/sites-enabled/{{item}}
+ state=link
+ with_items:
+ - default.conf
+ - homepage.conf
+
+- name: firewall - allow http traffic
+ ufw: rule=allow port=80 proto=tcp
+
+- name: firewall - allow https traffic
+ ufw: rule=allow port=443 proto=tcp
diff --git a/site.yml b/site.yml
new file mode 100644
index 0000000..c7595f2
--- /dev/null
+++ b/site.yml
@@ -0,0 +1,8 @@
+---
+- name: crashbox
+ become: true
+ hosts: peter.crashbox.io
+ remote_user: root
+ roles:
+ - openvpn
+ - webserver
diff --git a/vaultpass b/vaultpass
new file mode 100755
index 0000000..f01fbd6
--- /dev/null
+++ b/vaultpass
@@ -0,0 +1,2 @@
+#!/bin/sh
+/usr/bin/pass infra/ansible-vault \ No newline at end of file