initial import from social-coop

.gitignore

@@ -0,0 +1,6 @@
+group_vars/all.yml
+vault-password
+
+# emacs temp/backup files
+*~
+*#

ansible.cfg

@@ -0,0 +1,4 @@
+[defaults]
+retry_files_enabled = False
+pipelining = True
+inventory = inventory

bootstrap-debian.yml

@@ -0,0 +1,35 @@
+---
+- name: debian bootstrap fact gathering
+  hosts: all
+  user: root
+  gather_facts: False
+
+# Install the basics required to gather facts.
+# This shouldn't be run normally, however, can't find a way to
+# conditionally run it so far.
+  tasks:
+    - name: update apt repository
+      action: raw apt-get -q -y update
+      
+    - name: install python
+      action: raw apt-get -q -y install python
+
+# the command succeeds (returns code 0) if python needs simplejson
+    - name: check if python is old enough to need simplejson
+      action: raw python -c 'import sys; sys.stdout.write("%s" % (sys.version_info<(2,6)))'
+      register: need_simplejson
+
+    - name: ensure other prereqs installed
+      action: raw apt-get -qy install python-simplejson
+      when: need_simplejson.stdout
+
+    - name: ensure other prereqs installed
+      action: raw apt-get -qy install python-paramiko python-yaml python-jinja2 python-apt python-docker 
+
+- name: update packages
+  tags:
+    - update
+  hosts: all
+  user: root
+  roles:
+    - role: apt-upgrade

bootstrap.yml

@@ -0,0 +1,34 @@
+---
+- name: bootstrap fact gathering
+  hosts: all
+  user: root
+  gather_facts: False
+
+# Probe the system for package management type
+  tasks:
+    - name: check package management
+      action: raw apt-get
+      ignore_errors: yes
+      register: has_apt
+
+# For now we don't support other package management systems!
+    - name: fail if no apt package management
+      fail:
+        msg: We currently only support Linux with apt
+      when: not has_apt
+
+- import_playbook: bootstrap-debian.yml
+  when: has_apt
+  
+
+# Maybe add these somewhere later.
+# # Needs to be included before sshd, since root needs to have a key installed
+# # before sshd port changes when bootstrapping
+#     - role: ssh-key
+#       ssh_key_user: root
+#       ssh_key_pubfile: "{{userdefs.root.pubkey}}" 
+
+#     - role: sshd
+#       sshd_port: "{{sshd.port}}"
+#       # ... moves port
+

roles/docker-install/defaults/main.yml

@@ -0,0 +1,15 @@
+---
+## Installs docker-CE
+# Following guide from here:
+# https://docs.docker.com/install/linux/docker-ce/ubuntu/#set-up-the-repository
+
+# The docker apt repo key uri
+docker_compose_install_apt_key_uri: https://download.docker.com/linux/ubuntu/gpg
+
+# The docker apt repo config line
+docker_compose_install_apt_repo: deb https://download.docker.com/linux/ubuntu bionic stable
+
+# Get this version from https://github.com/docker/compose/releases/
+# Check compatibility with docker.
+docker_compose_install_compose_verion: 1.22.0
+

roles/docker-install/tasks/main.yml

@@ -0,0 +1,45 @@
+---
+
+- name: install prereqs (apt)
+  apt:
+    update_cache: true
+    name:
+      - apt-transport-https
+      - ca-certificates
+      - software-properties-common
+      - python-pip
+      - virtualenv
+      - python-setuptools
+      - python-docker
+
+- name: add docker repository key
+  apt_key:
+    url: "{{ docker_compose_install_apt_key_uri }}"
+    state: present
+
+- name: add docker repository
+  apt_repository:
+    repo: "{{ docker_compose_install_apt_repo }}"
+    filename: docker-ce
+    state: present
+    update_cache: true
+
+- name: install docker-ce
+  apt:
+    name:
+      - docker-ce
+
+# Oddly, there is no docker-compose PPA, the suggested linux install
+# method is to download a binary. See:
+# https://docs.docker.com/compose/install/#master-builds
+
+- name: install docker-compose
+  pip:
+    name:
+      - docker-compose
+
+- name: enable docker
+  service:
+    name: docker
+    state: started
+    enabled: yes

server.playbook.yml

@@ -0,0 +1,30 @@
+---
+- name: social.coop | server
+  hosts: all
+  become: yes
+  vars_files:
+    - secrets.vars.yml
+  vars:
+    s3_access_key_id: "{{lookup('passwordstore', 'deployment/backupninja/s3access')}}"
+    s3_secret_access_key: "{{lookup('passwordstore', 'deployment/backupninja/s3sec')}}"
+  roles:
+    - role: server
+    - role: social-coop
+
+    - role: logcheck-custom
+      tags: logcheck-custom
+
+    # Installs a script to dump the mastodon-live PgSQL database, and
+    # copy the GPG encrypted archive to our S3 space with rclone. This
+    # is invoked daily using a systemd timer. Encryption is done with
+    # the public key in the password store
+    # deployment/backupninja/pub. To decrypt, you need to use the
+    # associated private key
+    - role: pg-dump-to-s3
+      tags: pg-dump-to-s3
+      pg_dump_to_s3_systemd_timer_section: OnCalendar=00:40:00
+      pg_dump_to_s3_desturl: "spaces:social-coop-media/backups/{{inventory_hostname_short}}/"
+      pg_dump_to_s3_pgdump_opts: -h localhost -U root -d mastodon-live -Fc 
+      pg_dump_to_s3_pubkey: "{{lookup('passwordstore', 'deployment/backupninja/pub returnall=true')}}"
+      pg_dump_to_s3_rclone_config: "{{lookup('template', 'templates/rclone-conf.j2')}}"
+