The roles are kept as a separate project in hope of making them potentially

useful to wider audience, and for reference purposes.

Roles cover different aspects of infrastructure, such as mail servers, web

servers, web applications etc. The roles are mainly well-suited for smaller

installations.

Roles are written for use with *Debian GNU/Linux*. For more details on

supported releases, see :ref:`rolereference`.

At the moment, the roles have been written for and tested against **Ansible

The roles also utilise the ``ipv4/ipv6`` lookup plugins which require

``netaddr`` package to be installed. The ``passlib`` package is used

for hashing the operating system passwords. Make sure you have the

packages available on controller machine.

Why were these roles created?

-----------------------------

For a long time I have had a couple of Internet-facing servers where I hosted

all the IT infrastructure I needed for my day-to-day life.

The roles are kept as a separate project in hope of making them potentially

useful to wider audience, and for reference purposes.

Roles cover different aspects of infrastructure, such as mail servers, web

servers, web applications etc. The roles are mainly well-suited for smaller

installations.

Roles are written for use with *Debian GNU/Linux*. For more details on

supported releases, see :ref:`rolereference`.

At the moment, the roles have been written for and tested against **Ansible

The roles also utilise the ``ipv4/ipv6`` lookup plugins which require

``netaddr`` package to be installed. The ``passlib`` package is used

for hashing the operating system passwords. Make sure you have the

packages available on controller machine.

Contents

========

.. toctree::

   :maxdepth: 2

Release notes

=============

x.y.z

-----

11 (Bullseye). Minor fixes and improvements.

**Breaking changes:**

* All roles

  * Dropped support for Debian 11 (Bullseye).

  * ``passlib`` Python package is now (explicitly) required for using

    the roles.

**New features/improvements**

* ``backup_client`` role

  * Switched to using Paramiko + SFTP backend (instead of pexpect +

    SFTP), which should improve the backup performance.

**Bug fixes:**

3. Set-up the virtual environment (using the ``ansible`` account):

   .. warning::

      If you are already logged-in as user ``ansible`` in the server, you will

      need to log-out and log-in again in order to be able to use

      ``virtualenvwrapper`` commands!

   ::

     mkdir ~/mysite/

     mkvirtualenv -a ~/mysite/ mysite

     pip install -U pip setuptools

.. warning::

   The ``netaddr`` package is needed for ``ipv4/ipv6`` lookup plugins

   which is used internally by some of the roles. The ``passlib``

   package is required in order to hash passwords when creating system

   users.

Cloning the *Majic Ansible Roles*

---------------------------------

With most of the software pieces in place, the only missing thing is the Majic

# Ansible and role runtime.

netaddr

passlib

python-ldap

# Development and testing.

ansible-lint

defusedxml

flake8

gimmecert

molecule[testinfra]~=24.8.0

molecule-plugins[vagrant]~=23.5.0

paramiko

#

# This file is autogenerated by pip-compile with Python 3.11

# by the following command:

#

#    pip-compile --allow-unsafe

#

alabaster==0.7.16

    # via sphinx

    # via -r requirements.in

    # via

    #   ansible-lint

    #   molecule

    # via

    #   ansible

    #   ansible-compat

    #   ansible-lint

    #   molecule

    # via -r requirements.in

attrs==24.2.0

    # via

    #   jsonschema

    #   referencing

babel==2.16.0

    # via sphinx

bcrypt==4.2.0

    # via paramiko

black==24.8.0

    # via ansible-lint

bracex==2.5

    # via wcmatch

    # via pip-tools

certifi==2024.8.30

    # via requests

    # via

    #   cryptography

    #   pynacl

charset-normalizer==3.3.2

    # via requests

click==8.1.7

    # via

    #   black

    #   click-help-colors

    #   molecule

    #   pip-tools

click-help-colors==0.9.4

    # via

    #   ansible-core

    #   gimmecert

    #   paramiko

defusedxml==0.7.1

    # via -r requirements.in

docutils==0.20.1

    # via

    #   sphinx

    #   sphinx-rtd-theme

enrich==1.2.7

    # via molecule

    # via ansible-lint

flake8==7.1.1

    # via -r requirements.in

gimmecert==1.0.0

    # via -r requirements.in

    # via requests

imagesize==1.4.1

    # via sphinx

    # via ansible-lint

iniconfig==2.0.0

    # via pytest

jinja2==3.1.4

    # via

    #   ansible-core

    #   molecule

    #   sphinx

jsonschema==4.23.0

    # via

    #   ansible-compat

    #   ansible-lint

netaddr==1.3.0

    # via -r requirements.in

packaging==24.1

    # via

    #   ansible-compat

    #   ansible-core

    #   ansible-lint

    #   black

    #   build

    #   molecule

    #   pytest

    #   sphinx

    # via -r requirements.in

pathspec==0.12.1

    # via

    #   ansible-lint

    #   black

    #   yamllint

pip-tools==7.4.1

    # via -r requirements.in

    # via black

pluggy==1.5.0

    # via

    #   molecule

    #   pytest

    # via

    #   pyasn1-modules

    #   python-ldap

    # via python-ldap

pycodestyle==2.12.1

    # via flake8

pycparser==2.22

    # via cffi

pyflakes==3.2.0

    # via flake8

pygments==2.18.0

    # via

    #   rich

    #   sphinx

pynacl==1.5.0

    # via paramiko

pyproject-hooks==1.1.0

    # via

    #   build

    #   pip-tools

    # via pytest-testinfra

pytest-testinfra==10.1.1

    # via molecule

python-dateutil==2.8.2

    # via gimmecert

python-ldap==3.4.4

    # via -r requirements.in

python-vagrant==1.0.0

    # via molecule-plugins

pyyaml==6.0.2

    # via

    #   ansible-compat

    #   ansible-core

    #   ansible-lint

    #   molecule

    #   yamllint

referencing==0.35.1

    # via

    #   jsonschema

    #   jsonschema-specifications

requests==2.32.3

    # via sphinx

resolvelib==1.0.1

    # via ansible-core

    # via

    #   ansible-lint

    #   enrich

    #   molecule

rpds-py==0.20.0

    # via

    #   jsonschema

    #   referencing

ruamel-yaml==0.18.6

    # via ansible-lint

ruamel-yaml-clib==0.2.8

    # via ruamel-yaml

sphinxcontrib-jquery==4.1

    # via sphinx-rtd-theme

sphinxcontrib-jsmath==1.0.1

    # via sphinx

sphinxcontrib-qthelp==2.0.0

    # via sphinx

sphinxcontrib-serializinghtml==2.0.0

    # via sphinx

subprocess-tee==0.4.2

    # via

    #   ansible-compat

    #   ansible-lint

    # via requests

wcmatch==9.0

    # via

    #   ansible-lint

    #   molecule

wheel==0.44.0

    # via pip-tools

yamllint==1.35.1

    # via ansible-lint

    # via importlib-metadata

# The following packages are considered to be unsafe in a requirements file:

pip==24.2

    # via

    #   -r requirements.in

    #   pip-tools

    # via

    #   -r requirements.in

    #   pip-tools

allow_duplicates: true

dependencies:

  - backup_client

galaxy_info:

  role_name: backup

  namespace: azaghal

  author: Branko Majic

  description: Specify what files should be backed-up to the backup server.

  license: BSD

  platforms:

    - name: Debian

      versions:

        - bookworm

---

galaxy_info:

  role_name: backup_client

  namespace: azaghal

  author: Branko Majic

  description: Sets-up backup client (using duplicity/duply)

  license: BSD

  platforms:

    - name: Debian

      versions:

        - bookworm

---

dependencies:

  - common

galaxy_info:

  role_name: backup_server

  namespace: azaghal

  author: Branko Majic

  description: Sets-up server to act as backup storage for the backup clients, exposing SFTP on dedicated port with dedicated OpenSSH server instance

  license: BSD

  platforms:

    - name: Debian

      versions:

        - bookworm

---

galaxy_info:

  role_name: bootstrap

  namespace: azaghal

  author: Branko Majic

  description: Performs basic bootstrap of server for use with Ansible

  license: BSD

  platforms:

    - name: Debian

      versions:

        - bookworm

      - "/var/spool/cron"

  - role: backup

    when: enable_backup

    backup_patterns_filename: common_extra

    backup_patterns: "{{ extra_backup_patterns }}"

galaxy_info:

  role_name: common

  namespace: azaghal

  author: Branko Majic

  description: Apply common configuration and hardening on server

  license: BSD

  platforms:

    - name: Debian

      versions:

        - bookworm

  - role: backup

    when: enable_backup

    backup_patterns_filename: "database_{{ db_name }}"

    backup_patterns:

      - "/srv/backup/mariadb/{{ db_name }}.sql"

galaxy_info:

  role_name: database

  namespace: azaghal

  author: Branko Majic

  description: Creates MariaDB database and accompanying user to access it

  license: BSD

  platforms:

    - name: Debian

      versions:

        - bookworm

---

dependencies:

  - common

galaxy_info:

  role_name: database_server

  namespace: azaghal

  author: Branko Majic

  description: Sets-up MariaDB database server

  license: BSD

  platforms:

    - name: Debian

      versions:

        - bookworm

---

galaxy_info:

  role_name: ldap_client

  namespace: azaghal

  author: Branko Majic

  description: Configures OpenLDAP client (default configuration)

  license: BSD

  platforms:

    - name: Debian

      versions:

        - bookworm

  - role: backup

    when: enable_backup

    backup_patterns_filename: "ldap_server"

    backup_patterns:

      - "/srv/backup/slapd.bak"

galaxy_info:

  role_name: ldap_server

  namespace: azaghal

  author: Branko Majic

  description: Sets-up an OpenLDAP server

  license: BSD

  platforms:

    - name: Debian

      versions:

        - bookworm

---

dependencies:

  - common

galaxy_info:

  role_name: mail_forwarder

  namespace: azaghal

  author: Branko Majic

  description: Sets-up local SMTP server for sending out mails and receiving mails for local users

  license: BSD

  platforms:

    - name: Debian

      versions:

        - bookworm

  - role: backup

    when: enable_backup

    backup_patterns_filename: "mail_server"

    backup_patterns:

      - "/var/{{ mail_user }}"

galaxy_info:

  role_name: mail_server

  namespace: azaghal

  author: Branko Majic

  description: Sets-up mail server with SMTP and IMAP services, using LDAP as source of allowed destinations (domains, mail addresses)

  license: BSD

  platforms:

    - name: Debian

      versions:

        - bookworm

allow_duplicates: true

dependencies:

  - common

  - web_server

galaxy_info:

  role_name: php_website

  namespace: azaghal

  author: Branko Majic

  description: Sets-up a website powered by PHP application

  license: BSD

  platforms:

    - name: Debian

      versions:

        - bookworm

---

galaxy_info:

  role_name: preseed

  namespace: azaghal

  author: Branko Majic

  description: Generates preseed files for Debian

  license: BSD

  platforms:

    - name: Debian

      versions:

        - bookworm

---

dependencies:

  - common

galaxy_info:

  role_name: web_server

  namespace: azaghal

  author: Branko Majic

  description: Sets-up generic web server

  license: BSD

  platforms:

    - name: Debian

      versions:

        - bookworm

allow_duplicates: true

dependencies:

  - common

  - web_server

galaxy_info:

  role_name: wsgi_website

  namespace: azaghal

  author: Branko Majic

  description: Sets-up a website powered by WSGI application

  license: BSD

  platforms:

    - name: Debian

      versions:

        - bookworm

  - role: backup

    when: enable_backup

    backup_patterns_filename: "xmpp_server"

    backup_patterns:

      - "/var/lib/prosody"

galaxy_info:

  role_name: xmpp_server

  namespace: azaghal

  author: Branko Majic

  description: Sets-up a Prosody XMPP server using LDAP directory as source of domain/user information

  license: BSD

  platforms:

    - name: Debian

      versions:

        - bookworm