Extract playbook actions to roles

ansible/roles/firewall/defaults/main.yml

@@ -0,0 +1,9 @@
+---
+firewall_interfaces:
+  - name: vio0
+    allowed_tcp:
+      - 22    # SSH
+      - 80    # HTTP
+      - 443   # HTTPS
+    allowed_udp:
+      - 21841 # Wireguard

ansible/roles/firewall/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+- name: Configure firewall
+  template:
+    src: templates/pf.conf.j2
+    dest: /etc/pf.conf
+    validate: pfctl -n -f %s
+  register: pf
+
+- name: Load config to pf if needed
+  command: pfctl -f /etc/pf.conf
+  when: pf.changed

ansible/roles/firewall/templates/pf.conf.j2

@@ -0,0 +1,29 @@
+# {{ ansible_managed }}
+# Skip filtering on the loopback interface
+set skip on lo
+
+# set up a default deny policy
+block all
+
+# Block remote X11 connections
+block return in on ! lo0 proto tcp to port 6000:6010
+
+# Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
+
+{% for interface in firewall_interfaces %}
+# Pass rules for the specific ports on the {{ interface.name }} interface
+{% if (interface.allowed_tcp is defined) and interface.allowed_tcp %}
+{% for port in interface.allowed_tcp %}
+pass in on {{ interface.name }} proto tcp from any to any port {{ port }}
+{% endfor %}
+{% endif %}
+{% if (interface.allowed_udp is defined) and interface.allowed_udp %}
+{% for port in interface.allowed_udp %}
+pass in on {{ interface.name }} proto udp from any to any port {{ port }}
+{% endfor %}
+{% endif %}
+pass in on {{ interface.name }} proto icmp
+# Pass out rule to allow outgoing traffic on the {{ interface.name }} interface
+pass out on {{ interface.name }}
+{% endfor %}

ansible/roles/initial-setup/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+ssh_public_key: "ssh-rsa AAAAB3...ak4EsUU="

ansible/roles/initial-setup/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+- name: Apply all available system patches
+  command: syspatch
+  register: syspatch
+  failed_when: syspatch.rc != 0 and syspatch.rc != 2
+  changed_when: syspatch.rc == 0
+
+- name: Update package list and upgrade all packages
+  command: pkg_add -u
+
+- name: Install essential packages
+  community.general.openbsd_pkg:
+    name:
+      - nano
+      - curl
+    state: present
+
+- name: Disable SSH password authentication
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^#?PasswordAuthentication"
+    line: "PasswordAuthentication no"
+    state: present
+  register: sshd_config
+
+- name: Restart SSH service to apply changes
+  ansible.builtin.service:
+    name: sshd
+    state: restarted
+  when: sshd_config.changed
+
+- name: Add SSH public key to authorized_keys
+  ansible.posix.authorized_key:
+    user: root
+    key: "{{ ssh_public_key }}"

ansible/roles/mail-primary/defaults/main.yml

@@ -0,0 +1,15 @@
+---
+server_domain: mx1.example.com
+mail_receive_domains:
+  - example.net
+  - example.com
+mail_users:
+  - user: bob@example.com
+    password: Password123
+    virtuals:
+      - "bob@example.net"
+      - "bob.coolman@example.net"
+  - user: alice@example.com
+    password: Password123
+    virtuals:
+      - "alice@example.net"

ansible/roles/mail-primary/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: reload smtpd
+  service:
+    name: smtpd
+    state: restarted
+
+- name: reload dovecot
+  service:
+    name: dovecot
+    state: reloaded

ansible/roles/mail-primary/tasks/main.yml

@@ -0,0 +1,104 @@
+---
+- name: Install Packages
+  community.general.openbsd_pkg:
+    name:
+      - opensmtpd-filter-dkimsign
+      - dovecot
+      - dovecot-pigeonhole
+      - opensmtpd-extras
+    state: present
+
+- name: Create the vmail group
+  group:
+    name: vmail
+    gid: 2000
+
+- name: Create vmail user
+  user:
+    name: vmail
+    group: vmail
+    shell: /sbin/nologin
+    createhome: yes
+    home: /var/mail/vmail
+    uid: 2000
+
+- name: Generate dkim keys
+  shell: |
+    KEYLEN=1024
+    DOMAIN={{ server_domain }}
+
+    mkdir -p /etc/mail/dkim
+    if [ -f /etc/mail/dkim/$DOMAIN.key ]; then
+      echo "$DOMAIN.key already exists."
+      exit 0
+    fi
+
+    cd /etc/mail/dkim
+    (umask 337; openssl genrsa -out $DOMAIN.key $KEYLEN)
+    openssl rsa -in $DOMAIN.key -pubout -out $DOMAIN.pub
+    group info _dkimsign >/dev/null && chgrp _dkimsign $DOMAIN.key
+    echo "add the $DOMAIN.dns to the zone file"
+    echo "selector1._domainkey.$DOMAIN. 3600 IN TXT \"v=DKIM1; k=rsa; p=$(sed -e '1d' -e '$d' $DOMAIN.pub | tr -d '\n')\"" > ~/$DOMAIN.dns
+
+- name: Configure OpenSMTPD smtpd.conf
+  template:
+    src: "templates/smtpd.conf"
+    dest: /etc/mail/smtpd.conf
+  notify:
+    - reload smtpd
+
+- name: Enable and start OpenSMTPD service
+  service:
+    name: smtpd
+    enabled: yes
+    state: started
+
+- name: Delete default dovecot configs
+  shell: |
+    if [ -f /etc/dovecot/conf.d/10-ssl.conf ]; then
+      cd /etc/dovecot/
+      rm -rf *
+    fi
+
+- name: Install dovecot.conf
+  template:
+    src: "templates/dovecot.conf"
+    dest: "/etc/dovecot/dovecot.conf"
+  notify:
+    - reload dovecot
+
+- name: Configure users
+  block:
+    - name: Remove existing
+      shell: |
+        echo "" > /etc/dovecot/users
+        chmod 640 /etc/dovecot/users
+        chown _smtpd:_dovecot /etc/dovecot/users
+
+        echo "" > /etc/mail/accounts
+        chmod 640 /etc/mail/accounts
+        chown _smtpd: /etc/mail/accounts
+
+        echo "" > /etc/mail/virtuals
+        chown _smtpd: /etc/mail/virtuals
+
+    - name: Add user accounts
+      loop: "{{ mail_users }}"
+      no_log: true
+      shell: |
+        DOVECOT_PASS=$(doveadm pw -p {{ item.password }})
+        SMTP_PASS=$(smtpctl encrypt {{ item.password }})
+
+        echo "{{ item.user }}:$DOVECOT_PASS::::" >> /etc/dovecot/users
+        echo "{{ item.user }}:$SMTP_PASS::::" >> /etc/mail/accounts
+
+    - name: Install dovecot.conf
+      template:
+        src: "templates/virtuals.conf"
+        dest: "/etc/mail/virtuals"
+
+- name: Enable dovecot service
+  service:
+    name: dovecot
+    enabled: true
+    state: started

ansible/roles/mail-primary/templates/dovecot.conf

@@ -0,0 +1,128 @@
+# {{ ansible_managed }}
+# Enable ssl
+ssl = required
+ssl_cert = < /etc/ssl/{{ server_domain }}.fullchain.pem
+ssl_key = < /etc/ssl/private/{{ server_domain }}.key
+
+ssl_min_protocol = TLSv1.2
+ssl_prefer_server_ciphers = yes
+
+disable_plaintext_auth = yes
+
+# Define used protocols
+protocols = lmtp imap sieve
+
+service lmtp {
+    unix_listener lmtp {
+        user  = vmail
+        group = vmail
+    }
+}
+
+service imap-login {
+    inet_listener imap {
+        port = 143
+    }
+    inet_listener imaps {
+        port = 993
+    }
+}
+
+# Setup users
+passdb {
+    driver = passwd-file
+    args = scheme=ARGON2ID-CRYPT username_format=%u /etc/dovecot/users
+}
+
+userdb {
+    driver = passwd-file
+    args = username_format=%u /etc/dovecot/users
+    override_fields = uid=vmail gid=vmail home=/var/mail/vmail/%d/%n
+}
+
+# Setup mail location
+mail_location = maildir:~/Maildir
+
+# setup auth listener
+service auth {
+ unix_listener auth-userdb {
+  mode = 0660
+  user = vmail
+  group = vmail
+ }
+}
+
+# change the authworker to run as non-root
+service auth-worker {
+ user = $default_internal_user
+}
+
+# setup local delivery options
+quota_full_tempfail = yes
+protocol lda {
+ mail_plugins = $mail_plugins sieve
+}
+# setup some common mailboxes that are used by different clients to consistent destinations
+namespace inbox {
+ inbox = yes
+ mailbox Spam {
+  special_use = \Junk
+ }
+ mailbox "Deleted Items" {
+  special_use = \Trash
+ }
+}
+
+# setup local delivery protocol
+protocol lmtp {
+ mail_plugins = $mail_plugins sieve
+}
+
+# disable verify quota befor replying rcpt to
+lmtp_rcpt_check_quota = no
+
+# setup stats service
+service stats {
+ unix_listener stats-writer {
+  user =
+  group = $default_internal_group
+  mode = 0660
+ }
+}
+
+# enable mail plugins
+mail_plugins = $mail_plugins notify
+
+# setup metrics
+metric auth_success {
+ filter = event=auth_request_finished AND success=yes
+}
+metric auth_failures {
+ filter = event=auth_request_finished AND NOT success=yes
+}
+metric imap_command {
+ filter = event=imap_command_finished
+ group_by = cmd_name tagged_reply_state
+}
+metric smtp_command {
+ filter = event=smtp_server_command_finished
+ group_by = cmd_name status_code duration:exponential:1:5:10
+}
+metric mail_delivery {
+ filter = event=mail_delivery_finsihed
+ group_by = duration:exponential:1:5:10
+}
+
+# enable IMAP protocol
+protocol imap {
+ mail_plugins = $mail_plugins imap_sieve
+}
+
+# setup sieve plugin options
+# enable if there needs to be default sieve processing
+#plugin {
+#  sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
+#  sieve_before = /etc/dovecot/sieve/default.sieve
+#  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
+#  sieve_plugins = sieve_imapsieve sieve_extprograms
+#}

ansible/roles/mail-primary/templates/smtpd.conf

@@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+pki {{ server_domain }} cert "/etc/ssl/{{ server_domain }}.fullchain.pem"
+pki {{ server_domain }} key "/etc/ssl/private/{{ server_domain }}.key"
+
+table aliases file:/etc/mail/aliases
+table users passwd:/etc/mail/accounts
+table virtuals file:/etc/mail/virtuals
+
+filter dkimsign_rsa proc-exec "filter-dkimsign -d {{ server_domain }} -s selector1 \
+    -k /etc/mail/dkim/{{ server_domain }}.key" user _dkimsign group _dkimsign
+
+listen on socket filter dkimsign_rsa
+listen on all tls pki {{ server_domain }}
+listen on all port submission tls-require pki {{ server_domain }} auth <users> filter dkimsign_rsa
+listen on all port smtps tls-require pki {{ server_domain }} auth <users> filter dkimsign_rsa
+
+action "local_mail" lmtp "/var/dovecot/lmtp" rcpt-to virtual <virtuals>
+action "outbound" relay
+
+{% for domain in mail_receive_domains %}
+match from any for domain {{ domain }} action "local_mail"
+{% endfor %}
+match from local for local action "local_mail"
+match from local for any action "outbound"
+match auth from any for any action "outbound"

ansible/roles/mail-primary/templates/virtuals.conf

@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+{% for user in mail_users %}
+{{ user.user }}: vmail
+{% if (user.virtuals is defined) and user.virtuals %}
+{% for virtual in user.virtuals %}
+{{ virtual }}: {{ user.user }}
+{% endfor %}
+{% endif %}
+{% endfor %}

ansible/roles/mail-secondary/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+primary_mail_server: mx1.example.com
+server_domain: mx1.example.com
+mail_receive_domains:
+  - example.net
+  - example.com

ansible/roles/mail-secondary/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: reload smtpd
+  service:
+    name: smtpd
+    state: restarted

ansible/roles/mail-secondary/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+- name: Configure OpenSMTPD smtpd.conf
+  template:
+    src: templates/smtpd.conf
+    dest: /etc/mail/smtpd.conf
+  notify:
+    - reload smtpd
+
+- name: Enable and start OpenSMTPD service
+  service:
+    name: smtpd
+    enabled: yes
+    state: started

ansible/roles/mail-secondary/templates/smtpd.conf

@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+pki {{ server_domain }} cert "/etc/ssl/{{ server_domain }}.fullchain.pem"
+pki {{ server_domain }} key "/etc/ssl/private/{{ server_domain }}.key"
+
+listen on all tls pki {{ server_domain }}
+
+table aliases file:/etc/mail/aliases
+
+action "local" mbox alias <aliases>
+action "relay" relay host {{ primary_mail_server }}
+
+{% for domain in mail_receive_domains %}
+match from any for domain {{ domain }} action "relay"
+{% endfor %}
+match from local for local action "local"
+match from local for any action "relay"

ansible/roles/prometheus-exporters/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+- name: Install node-exporter
+  community.general.openbsd_pkg:
+    name:
+      - node_exporter
+    state: present
+
+- name: Enable and start node_exporter
+  service:
+    name: node_exporter
+    enabled: yes
+    state: started

ansible/roles/ssl/defaults/main.yml

@@ -0,0 +1,2 @@
+domains:
+  - mx1.example.com

ansible/roles/ssl/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: reload httpd
+  ansible.builtin.service:
+    name: httpd
+    state: reloaded

ansible/roles/ssl/tasks/main.yml

@@ -0,0 +1,39 @@
+---
+- name: Create vhost directories
+  file:
+    path: "/var/www/vhosts/{{ item }}"
+    state: directory
+    owner: www
+  with_items: "{{ domains }}"
+
+- name: Install httpd.conf
+  template:
+    src: "templates/httpd.conf"
+    dest: "/etc/httpd.conf"
+
+- name: Enable and start httpd
+  service:
+    name: httpd
+    enabled: yes
+    state: started
+
+- name: Install acme-client.conf
+  template:
+    src: "templates/acme-client.conf"
+    dest: "/etc/acme-client.conf"
+
+- name: Initial acme-client run
+  command: "/usr/sbin/acme-client {{ item }}"
+  args:
+    creates: "/etc/ssl/{{ item }}.fullchain.pem"
+  with_items: "{{ domains }}"
+  notify:
+    - reload httpd
+
+- name: Renew certificates via root crontab
+  cron:
+    name: "acme-client renew {{ item }}"
+    minute: "0"
+    job: "sleep $((RANDOM \\% 2048)) && acme-client {{ item }} && rcctl reload httpd"
+    user: root
+  with_items: "{{ domains }}"

ansible/roles/ssl/templates/acme-client.conf

@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+authority letsencrypt {
+    api url "https://acme-v02.api.letsencrypt.org/directory"
+    account key "/etc/acme/letsencrypt-privkey.pem"
+}
+
+{% for domain in domains %}
+domain "{{ domain }}" {
+    domain key "/etc/ssl/private/{{ domain }}.key"
+    domain full chain certificate "/etc/ssl/{{ domain }}.fullchain.pem"
+    sign with letsencrypt
+}
+{% endfor %}

ansible/roles/ssl/templates/httpd.conf

@@ -0,0 +1,28 @@
+# {{ ansible_managed }}
+server "{{ inventory_hostname }}" {
+    listen on * port 80
+    location "/.well-known/acme-challenge/*" {
+        root "/acme"
+        request strip 2
+    }
+    location * {
+        block return 302 "https://$HTTP_HOST$REQUEST_URI"
+    }
+}
+
+{% for vhost in domains %}
+server "{{ vhost }}" {
+    listen on * tls port 443
+    tls {
+        certificate "/etc/ssl/{{ vhost }}.fullchain.pem"
+        key "/etc/ssl/private/{{ vhost }}.key"
+    }
+    location "/.well-known/acme-challenge/*" {
+        root "/acme"
+        request strip 2
+    }
+    location * {
+        root "/vhosts/{{ vhost }}"
+    }
+}
+{% endfor %}

ansible/roles/vpn/defaults/main.yml

@@ -0,0 +1,11 @@
+---
+wireguard:
+  private_key: <wireguard private key>
+  address: <hosts address inside vpn>
+  port: 21841
+  interface: wg0
+  peers:
+    - name: Gateway
+      public_key: <vpn gateway public key>
+      endpoint: <gateway ip>:21841
+      allowed_ips: 10.2.0.1/32

ansible/roles/vpn/tasks/main.yml

@@ -0,0 +1,30 @@
+---
+- name: Install wireguard
+  community.general.openbsd_pkg:
+    name:
+      - wireguard-tools
+    state: present
+
+- name: Ensures /etc/wireguard dir exists
+  file:
+    path: /etc/wireguard
+    state: directory
+
+- name: Create wireguard config
+  template:
+    src: templates/wireguard.conf.j2
+    dest: /etc/wireguard/{{ wireguard.interface }}.conf
+    owner: root
+    group: wheel
+    mode: "0600"
+  register: wg_config
+
+- name: Create wireguard interface
+  template:
+    src: "templates/wireguard.if.j2"
+    dest: "/etc/hostname.{{ wireguard.interface }}"
+  register: iface_config
+
+- name: Apply network configuration if changed
+  shell: sh /etc/netstart {{ wireguard.interface }}
+  when: wg_config.changed or iface_config.changed

ansible/roles/vpn/templates/wireguard.conf.j2

@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+[Interface]
+PrivateKey = {{ wireguard.private_key }}
+ListenPort = {{ wireguard.port }}
+
+{% for peer in wireguard.peers %}
+[Peer]
+# {{ peer.name }}
+PublicKey = {{ peer.public_key }}
+Endpoint = {{ peer.endpoint }}
+AllowedIPs = {{ peer.allowed_ips }}
+{% endfor %}

ansible/roles/vpn/templates/wireguard.if.j2

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+inet {{ wireguard.address }} 255.255.255.0 NONE
+up
+
+!/usr/local/bin/wg setconf {{ wireguard.interface }} /etc/wireguard/{{ wireguard.interface }}.conf