first commit

.gitignore

@@ -0,0 +1,4 @@
+*/files/*_private
+*.swp
+*_private
+id_rsa

LICENSE

@@ -0,0 +1,674 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    <program>  Copyright (C) <year>  <name of author>
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<https://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<https://www.gnu.org/licenses/why-not-lgpl.html>.

add_to_icinga2/defaults/main.yml

@@ -0,0 +1,12 @@
+tcp_port_monitoring:
+    autodetect_ports: true
+    no_autodetect_port_list:
+        - "22"
+        - "ports have to be strings"
+icinga2_monitoring_master:
+    host: monitoring.example.com
+    api_port: 5665
+    api_user: root
+    api_password: SomePassword
+    ssh_user: _icinga2
+    ssh_pubkey: 'ssh-rsa XXXX'

add_to_icinga2/files/check_services_openbsd.sh

@@ -0,0 +1,19 @@
+#!/bin/ksh
+
+failed_services=$(doas /usr/sbin/rcctl ls failed)
+failed_rc=$?
+failed_services_count=$(echo "$failed_services" | wc -w | xargs)
+check_rc=3
+check_output="UNKNOWN - something wrent wrong: $failed_services"
+perfdata="'failed_services'=$failed_services_count"
+
+if [[ $failed_rc -eq 0 && $failed_services_count -eq 0 ]]; then
+        check_output="OK - all services are running"
+        check_rc=0
+elif [[ $failed_rc -eq 1 && $failed_services_count -gt 0  ]]; then
+        check_output="CRITICAL - $failed_services_count service(s) not running: $failed_services"
+        check_rc=2
+fi
+
+echo "$check_output | $perfdata"
+exit $check_rc

add_to_icinga2/files/listening_tcp_openbsd.sh

@@ -0,0 +1,17 @@
+#!/bin/ksh
+ports=$(netstat -lnptcp -finet | awk '{ print $4 }' |grep '\.' | sed 's/*./0.0.0.0./g' | grep -v '127\.0\.0\.1' | cut -f 5 -d '.' | sort | uniq)
+ports_len=$(echo $ports | awk '{ print NF - 1 }')
+
+echo "[ "
+
+i=0
+for port in $ports; do
+    if [[ $i -lt $ports_len ]]; then
+        echo "    \"$port\","
+    else
+        echo "    \"$port\""
+    fi
+    ((i=i+1))
+done
+
+echo " ]"

add_to_icinga2/tasks/common.yml

@@ -0,0 +1,13 @@
+- name: create ssh user
+  become: yes
+  user:
+    name: "{{ icinga2_monitoring_master.ssh_user }}"
+    state: present
+
+- name: set authorized_keys
+  become: yes
+  authorized_key:
+    user: "{{ icinga2_monitoring_master.ssh_user }}"
+    state: present
+    key: "{{ icinga2_monitoring_master.ssh_pubkey }}"
+

add_to_icinga2/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- name: common setup
+  include: "common.yml"
+- name: ubuntu setup
+  include: "ubuntu.yml"
+  when: ansible_distribution == 'Ubuntu'
+- name: openbsd setup
+  include: "openbsd.yml"
+  when: ansible_distribution | lower == 'openbsd'

add_to_icinga2/tasks/openbsd.yml

@@ -0,0 +1,97 @@
+- name: ensure facts dir exists
+  become: yes
+  file:
+    path: "{{ item }}"
+    state: directory
+  loop:
+    - /etc/ansible
+    - /etc/ansible/facts.d
+
+- name: deploy custom fact for listening tcp ports
+  become: yes
+  copy:
+    src: listening_tcp_openbsd.sh
+    dest: /etc/ansible/facts.d/listening_tcp.fact
+    mode: '0755'
+  register: fact_deploy
+
+- name: reload facts
+  setup:
+  when: fact_deploy.changed
+
+- name: print to be monitored tcp ports
+  debug:
+    msg: "{{ monitored_tcp_ports }}"
+
+- name: copy service check
+  become: yes
+  copy:
+    src: check_services_openbsd.sh
+    dest: /usr/local/libexec/nagios/check_services.sh
+    mode: '0755'
+
+- name: allow list of failed services via doas
+  become: yes
+  lineinfile:
+    path: /etc/doas.conf
+    create: yes
+    regexp: '^permit.*{{ icinga2_monitoring_master.ssh_user }}.*$'
+    line: 'permit nopass {{ icinga2_monitoring_master.ssh_user }} as root cmd /usr/sbin/rcctl args ls failed'
+
+- name: set fact with monitoring config
+  set_fact:
+    api_body: '{ "templates": [ "openbsd" ], "attrs": { "address": "{{ ansible_fqdn }}", "vars.tcp_ipv4": {{ monitored_tcp_ports }}  }, "pretty": true }'
+
+- name: write monitoring config
+  become: yes
+  copy:
+    dest: /etc/monitoring.conf
+    content: "{{ api_body }}"
+  register: monitoring_config
+
+- name: delete host from icinga
+  uri:
+    url: "{{ icinga2_api_url }}/v1/objects/hosts/{{ ansible_fqdn }}?cascade=1"
+    method: DELETE
+    return_content: yes
+    headers:
+        Accept: application/json
+    body_format: json
+    validate_certs: no
+    url_username: "{{ icinga2_monitoring_master.api_user }}"
+    url_password: "{{ icinga2_monitoring_master.api_password }}"
+  when: monitoring_config.changed
+  failed_when: false
+  changed_when: true
+  throttle: 1
+
+- name: add host to icinga
+  uri:
+    url: "{{ icinga2_api_url }}/v1/objects/hosts/{{ ansible_fqdn }}"
+    method: PUT
+    return_content: yes
+    headers:
+        Accept: application/json
+    body_format: json
+    body: "{{ api_body }}"
+    validate_certs: no
+    url_username: "{{ icinga2_monitoring_master.api_user }}"
+    url_password: "{{ icinga2_monitoring_master.api_password }}"
+  when: monitoring_config.changed
+  changed_when: true
+  throttle: 1
+
+- name: trigger icinga restart
+  uri:
+    url: "{{ icinga2_api_url }}/v1/actions/restart-process?pretty=1"
+    method: POST
+    return_content: yes
+    headers:
+        Accept: application/json
+    body_format: json
+    validate_certs: no
+    url_username: "{{ icinga2_monitoring_master.api_user }}"
+    url_password: "{{ icinga2_monitoring_master.api_password }}"
+  when: monitoring_config.changed
+  changed_when: true
+  throttle: 1

add_to_icinga2/tasks/ubuntu.yml

@@ -0,0 +1,26 @@
+- name: add host to icinga
+  uri:
+    url: "{{ icinga2_api_url }}/v1/objects/hosts/{{ ansible_fqdn }}"
+    method: PUT
+    return_content: yes
+    headers:
+        Accept: application/json
+    body_format: json
+    body: '{ "templates": [ "linux" ], "attrs": { "address": "{{ ansible_fqdn }}" }, "pretty": true }'
+    validate_certs: no
+    url_username: "{{ icinga2_monitoring_master.api_user }}"
+    url_password: "{{ icinga2_monitoring_master.api_password }}"
+  failed_when: false
+
+- name: update host information in icinga
+  uri:
+    url: "{{ icinga2_api_url }}/v1/objects/hosts/{{ ansible_fqdn }}"
+    method: POST
+    return_content: yes
+    headers:
+        Accept: application/json
+    body_format: json
+    body: '{ "templates": [ "linux" ], "attrs": { "address": "{{ ansible_fqdn }}" }, "pretty": true }'
+    validate_certs: no
+    url_username: "{{ icinga2_monitoring_master.api_user }}"
+    url_password: "{{ icinga2_monitoring_master.api_password }}"

add_to_icinga2/vars/main.yml

@@ -0,0 +1,2 @@
+icinga2_api_url: "https://{{ icinga2_monitoring_master.host }}:{{ icinga2_monitoring_master.api_port }}"
+monitored_tcp_ports: "{% if tcp_port_monitoring.autodetect_ports %} {{ ansible_local.listening_tcp }} {% else %} {{ tcp_port_monitoring.no_autodetect_port_list }} {% endif %}"

ansible_runner/defaults/main.yml

@@ -0,0 +1,10 @@
+ansible_runner_mailto: root@localhost
+ansible_runner_command: "ansible-playbook playbook.yml -e do_backup=true"
+ansible_runner_user: _runner
+ansible_runner_home: /home/_runner
+ansible_runner_schedule:
+  - name: my-deployment
+    repo: git@gitserver:user/my-deployment
+    minute: "~"
+    hour: "1~5"
+    weekday: "*"

ansible_runner/handlers/main.yml

@@ -0,0 +1,3 @@
+- name: update_aliases
+  become: yes
+  command: smtpctl update table aliases

ansible_runner/tasks/main.yml

@@ -0,0 +1,72 @@
+- name: create user
+  become: yes
+  user:
+    name: "{{ ansible_runner_user }}"
+    shell: "/sbin/nologin"
+    home: "{{ ansible_runner_home }}"
+
+- name: install packages
+  become: yes
+  community.general.openbsd_pkg:
+    name: [ "git", "ansible" ]
+    state: present
+    snapshot: "{{ force_openbsd_snapshot | default(false) }}"
+
+- name: create ssh key
+  become: yes
+  openssh_keypair:
+    path: "{{ ansible_runner_home }}/.ssh/id_rsa"
+    owner: "{{ ansible_runner_user }}"
+
+- name: clone deployments
+  become: yes
+  git:
+    key_file: "{{ ansible_runner_home }}/.ssh/id_rsa"
+    accept_hostkey: yes
+    repo: "{{ deployment.repo }}"
+    dest: "{{ ansible_runner_home }}/{{ deployment.name }}"
+  loop: "{{ ansible_runner_schedule }}"
+  loop_control:
+    loop_var: deployment
+
+- name: set permissions
+  become: yes
+  file:
+    path: "{{ ansible_runner_home }}/{{ deployment.name }}"
+    owner: "{{ ansible_runner_user }}"
+    recurse: yes
+  loop: "{{ ansible_runner_schedule }}"
+  loop_control:
+    loop_var: deployment
+
+- name: setup run scripts
+  become: yes
+  template:
+    src: run_deployment.sh
+    dest: "{{ ansible_runner_home }}/{{ deployment.name }}/run_deployment.sh"
+    mode: '0750'
+    owner: "{{ ansible_runner_user }}"
+  loop: "{{ ansible_runner_schedule }}"
+  loop_control:
+    loop_var: deployment
+
+- name: setup cron jobs
+  become: yes
+  cron:
+    user: "{{ ansible_runner_user }}"
+    name: "{{ deployment.name }}"
+    job: "{{ ansible_runner_home }}/{{ deployment.name }}/run_deployment.sh"
+    minute: "{{ deployment.minute }}"
+    hour: "{{ deployment.hour }}"
+    weekday: "{{ deployment.weekday }}"
+  loop: "{{ ansible_runner_schedule }}"
+  loop_control:
+    loop_var: deployment
+
+- name: setup mail alias
+  become: yes
+  lineinfile:
+    path: /etc/mail/aliases
+    line: "{{ ansible_runner_user }}: {{ ansible_runner_mailto }}"
+    regexp: "^.*{{ ansible_runner_user }}.*$"
+  notify: update_aliases

ansible_runner/templates/run_deployment.sh

@@ -0,0 +1,7 @@
+#!/bin/ksh
+HOME={{ ansible_runner_home }}
+DEPLOYMENT_DIR=$HOME/{{ deployment.name }}
+
+cd $DEPLOYMENT_DIR && \
+    git pull && \
+    {{ ansible_runner_command }}

backup/defaults/main.yml

@@ -0,0 +1,28 @@
+---
+backup_mail_to: "root@localhost"
+backup_mail_from: "backup"
+
+backup_user: "root"
+backup_password: "BACKUP PASSWORD"
+
+backup_directories:
+    - /home
+    - /etc
+    - /var
+
+backup_destination: "sftp:user@host:/path/to/restic-repo"
+
+backup_throttle: 2
+
+backup_keep_policy:
+    daily: 7
+    weekly: 5
+    monthly: 12
+    yearly: 1
+
+backup_pre_commands:
+    - rcctl stop gitea gitdaemon
+
+backup_post_commands:
+    - rcctl start gitdaemon gitea
+

backup/filter_plugins/backup_config.py

@@ -0,0 +1,36 @@
+#!/usr/bin/env python
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            'parse_backup_destination': self.parse_backup_destination
+        }
+
+    def parse_backup_destination(self, backup_destination):
+        """
+        Parse restic backup destination.
+
+        Args:
+            backup_destination (str): Bbackup destination.
+        Returns:
+            dict: Parsed backup destination.
+        """
+        backup_config = {}
+        backup_config['protocol'] = None
+        backup_config['connection_string'] = None
+        backup_config['path'] = None
+        supported_protocols = ('sftp', 'local')
+
+        if ':' in backup_destination:
+            dest_parts = backup_destination.split(':')
+            backup_config['protocol'] = dest_parts[0]
+            backup_config['connection_string'] = "".join(dest_parts[1:-1])
+            backup_config['path'] = dest_parts[-1]
+        else:
+            backup_config['protocol'] = 'local'
+            backup_config['connection_string'] = None
+            backup_config['path'] = backup_destination
+        if backup_config['protocol'] not in supported_protocols:
+            raise ValueError("Unsupported backup destination")
+
+        return backup_config

backup/tasks/main.yml

@@ -0,0 +1,66 @@
+---
+- name: generate backup config from destination
+  set_fact:
+    backup_config: "{{ backup_destination | parse_backup_destination }}"
+
+- name: generate ssh key for root if sftp backup
+  become: yes
+  openssh_keypair:
+    path: /root/.ssh/id_rsa
+  when: backup_config.protocol == 'sftp'
+
+- name: try to add backup server to known hosts
+  become: yes
+  command: 'ssh -o StrictHostKeyChecking=accept-new {{ backup_config.connection_string }} echo ok'
+  when: backup_config.protocol == 'sftp'
+  failed_when: false
+
+- name: ensure restic is installed
+  become: yes
+  package:
+    name: restic
+    state: latest
+  when: ansible_distribution|lower != 'openbsd'
+
+- name: ensure restic is installed
+  become: yes
+  community.general.openbsd_pkg:
+    name: restic
+    state: latest
+    snapshot: "{{ force_openbsd_snapshot|default(false) }}"
+  when: ansible_distribution|lower == 'openbsd'
+
+- name: copy backup password file to remote host
+  become: yes
+  copy:
+    content: "{{ backup_password }}"
+    dest: "{{ backup_password_file }}"
+    mode: "0400"
+    owner: "{{ backup_user }}"
+
+- name: template backup script
+  become: yes
+  template:
+    src: "backup.sh"
+    dest: "{{ backup_script_path }}"
+    owner: "{{ backup_user }}"
+    mode: "0700"
+
+- name: create backup repository if it does not exist already
+  become: yes
+  shell: "{{ backup_init_command }}"
+  changed_when: "'created restic repositroy' in backup_init_task.stdout"
+  failed_when: "'config file already exists' not in backup_init_task.stderr and backup_init_task.rc != 0"
+  register: backup_init_task
+
+- name: run backup
+  become: yes
+  shell: "{{ backup_job }}"
+  throttle: "{{ backup_throttle }}"
+  when: do_backup | default(false)
+
+- name: run cleanup
+  become: yes
+  shell: "{{ backup_cleanup_job }}"
+  throttle: "{{ backup_throttle }}"
+  when: do_backup | default(false)

backup/templates/backup.sh

@@ -0,0 +1,36 @@
+#!/bin/sh
+
+failed_backups=0
+
+echo "starting backup at $(date)"
+{% for pre_cmd in backup_pre_commands %}
+echo "executing backup pre command: {{ pre_cmd }}"
+
+{{ pre_cmd }} 
+if [ $? -ne 0 ]; then
+    >&2 echo "pre command failed. aborting backup."
+    exit 1
+fi
+{% endfor %}
+
+echo "---"
+
+{% for backup_directory in backup_directories %}
+echo "backing up: {{ backup_directory }}"
+{{ backup_command }} {{ backup_directory }}
+
+if [[ $? != 0 ]]; then
+    ((failed_backups=failed_backups+1))
+    echo "error: backup failed"
+fi
+    
+echo "---"
+{% endfor %}
+
+{% for post_cmd in backup_post_commands %}
+echo "executing backup post command: {{ post_cmd }}"
+{{ post_cmd }} 
+{% endfor %}
+
+echo "finished backup at $(date)"
+echo "failed backups: $failed_backups"

backup/vars/main.yml

@@ -0,0 +1,11 @@
+---
+backup_restic_paths:
+    openbsd: /usr/local/bin/restic
+backup_restic_path: "{{ backup_restic_paths[ansible_distribution|lower]|default('restic') }}"
+backup_password_file: /etc/backup_password
+backup_script_path: "/usr/local/bin/backup.sh"
+backup_command: "{{ backup_restic_path }} -r {{ backup_destination }} -p {{ backup_password_file }} backup"
+backup_init_command: "{{ backup_restic_path }} -r {{ backup_destination }} -p {{ backup_password_file }} init"
+backup_cleanup_command: "{{ backup_restic_path }} -r {{ backup_destination }} -p {{ backup_password_file }} forget --keep-daily {{ backup_keep_policy.daily }} --keep-weekly {{ backup_keep_policy.weekly }} --keep-monthly {{ backup_keep_policy.monthly }} --keep-yearly {{ backup_keep_policy.yearly }}"
+backup_job: "{{ backup_script_path }} | mail -s 'Backup report' -r backup {{ backup_mail_to }}"
+backup_cleanup_job: "{{ backup_cleanup_command }} | mail -s 'Backup cleanup report' -r {{ backup_mail_from }} {{ backup_mail_to }}"

backup_server/defaults/main.yml

@@ -0,0 +1,4 @@
+backup_server_user: _backup
+backup_server_home: /data/backup
+backup_server_authorized_keys:
+- "ssh-rsa...."

backup_server/tasks/main.yml

@@ -0,0 +1,11 @@
+- name: create backup user
+  become: yes
+  user:
+    name: "{{ backup_server_user }}"
+    home: "{{ backup_server_home }}"
+- name: edit authorized_keys
+  become: yes
+  authorized_key:
+    user: "{{ backup_server_user }}"
+    state: present
+    key: "{{ backup_server_authorized_keys | join('\n') }}"

bootstrap/defaults/main.yml

@@ -0,0 +1,49 @@
+bootstrap_hostname: "{{ ansible_hostname }}"
+bootstrap_domain: "{{ ansible_domain }}"
+
+bootstrap_shell:
+  ubuntu: /bin/bash
+  openbsd: /bin/ksh
+  alpine: /bin/ash
+  archlinux: /bin/bash
+
+bootstrap_groups:
+  ubuntu: sudo
+  openbsd: wheel
+  alpine: wheel
+  archlinux: wheel
+
+
+bootstrap_users:
+  - name: ansible
+    shell: "{{ bootstrap_shell[ansible_distribution|lower] }}"
+    groups: "{{ bootstrap_groups[ansible_distribution|lower] }}"
+    state: present
+    authorized_keys: 
+      - "{{ lookup('file', ansible_ssh_public_key_file) }}"
+
+bootstrap_packages:
+  ubuntu:
+    - name: tcpdump
+      state: present
+    - name: htop
+      state: present
+    - name: tmux
+      state: present
+    - name: strace
+      state: present
+    - name: postfix
+      state: present
+    - name: mailutils
+      state: present
+  openbsd:
+    - name: vim--no_x11
+      state: present
+  alpine:
+    - name: vim
+      state: present
+  archlinux:
+    - name: vim
+      state: present
+
+bootstrap_root_mail: root@localhost

bootstrap/handlers/main.yml

@@ -0,0 +1,12 @@
+- name: restart sshd
+  become: yes
+  service:
+    name: "{{ bootstrap_ssh_service_name[ansible_distribution|lower] }}"
+    state: restarted
+
+- name: reload facts
+  setup:
+
+- name: bootstrap_reload_aliases
+  become: yes
+  command: "{{ bootstrap_aliases_reload_command[ansible_distribution|lower] }}"

bootstrap/tasks/alpine.yml

@@ -0,0 +1,20 @@
+- name: Upgrade / replace / downgrade / uninstall all installed packages to the latest versions available
+  community.general.apk:
+    available: yes
+    upgrade: yes
+    update_cache: yes
+
+- name: install doas 
+  community.general.apk:
+    name: doas
+    state: latest
+
+- name: edit doas.conf
+  lineinfile:
+    line: 'permit nopass keepenv :wheel'
+    regexp: '^.*permit nopass keepenv :wheel.*$'
+    path: /etc/doas.conf
+    create: yes
+    owner: root
+    group: wheel
+    mode: 0600

bootstrap/tasks/archlinux.yml

@@ -0,0 +1,26 @@
+- name: Upgrade / replace / downgrade / uninstall all installed packages to the latest versions available
+  community.general.pacman:
+    upgrade: yes
+    update_cache: yes
+
+- name: install doas 
+  community.general.pacman:
+    name: opendoas
+    state: latest
+
+- name: edit doas.conf
+  lineinfile:
+    line: 'permit nopass keepenv :wheel'
+    regexp: '^.*permit nopass keepenv :wheel.*$'
+    path: /etc/doas.conf
+    create: yes
+    owner: root
+    group: wheel
+    mode: 0600
+
+# currently broken; does not find hostnamectl binary
+- name: set hostname (via systemd)
+  hostname:
+    name: "{{ bootstrap_hostname }}.{{ bootstrap_domain }}"
+    use: systemd
+  ignore_errors: yes

bootstrap/tasks/common.yml

@@ -0,0 +1,41 @@
+- name: manage users
+  user:
+    name: "{{ user.name }}"
+    state: "{{ user.state|default('present') }}"
+    groups: "{{ user.groups }}"
+    shell: "{{ user.shell|default('/bin/bash') }}"
+  loop: "{{ bootstrap_users }}"
+  loop_control:
+    loop_var: user
+
+- name: manage authorized_keys
+  authorized_key:
+    user: "{{ user.name }}"
+    state: "{{ user.state }}"
+    key: "{{ user.authorized_keys | join('\n') }}"
+  loop: "{{ bootstrap_users }}"
+  loop_control:
+    loop_var: user
+
+- name: disable ssh password logins
+  lineinfile:
+    path: "{{ bootstrap_sshd_config[ansible_distribution|lower] }}"
+    regex: ^(# *)?PasswordAuthentication
+    line: PasswordAuthentication no
+  notify: restart sshd
+
+- name: disable ssh root login
+  lineinfile:
+    path: "{{ bootstrap_sshd_config[ansible_distribution|lower] }}"
+    regex: ^(# *)?PermitRootLogin
+    line: PermitRootLogin no
+  notify: restart sshd
+
+- name: setup alias for root mails
+  lineinfile:
+    path: "{{ bootstrap_aliases_file[ansible_distribution|lower] }}"
+    regex: '^( *)?root:.*$'
+    line: "root: {{ bootstrap_root_mail }}"
+  register: bootstrap_mail_alias
+  notify: bootstrap_reload_aliases
+  when: "ansible_distribution|lower in bootstrap_aliases_file"

bootstrap/tasks/main.yml

@@ -0,0 +1,12 @@
+- name: gather facts
+  setup:
+
+- name: run distribution specific include taks
+  include_tasks: "{{ ansible_distribution|lower}}.yml"
+  vars:
+    ansible_become: "{{ 'no' if ansible_ssh_user | default('None') == 'root' else 'yes' }}"
+
+- name: run common bootstrap tasks
+  include_tasks: common.yml
+  vars:
+    ansible_become: "{{ 'no' if ansible_ssh_user | default('None') == 'root' else 'yes' }}"

bootstrap/tasks/openbsd.yml

@@ -0,0 +1,41 @@
+- name: edit doas.conf
+  lineinfile:
+    line: 'permit nopass keepenv :wheel'
+    regexp: '^.*permit nopass keepenv :wheel.*$'
+    path: /etc/doas.conf
+    create: yes
+    owner: root
+    group: wheel
+    mode: 0600
+
+- name: Check for available syspatches
+  shell: syspatch -c
+  register: syspatch
+  changed_when: syspatch.stdout_lines|length > 0
+  ignore_errors: yes
+
+- name: Install available syspatches
+  shell: syspatch
+  when: syspatch.changed
+  register: syspatch_install
+  until: syspatch_install.rc == 0
+  retries: 5
+  delay: 10
+
+- name: reboot
+  reboot:
+  when: syspatch.changed
+
+- name: update installed packages
+  community.general.openbsd_pkg:
+    name: "*"
+    state: latest
+    snapshot: "{{ force_openbsd_snapshot | default(false) }}"
+
+- name: install bootstrap packages
+  community.general.openbsd_pkg:
+    name: "{{ package.name }}"
+    state: "{{ package.state }}"
+  loop: "{{ bootstrap_packages[ansible_distribution|lower] }}"
+  loop_control:
+    loop_var: package

bootstrap/tasks/ubuntu.yml

@@ -0,0 +1,21 @@
+- name: refresh apt cache and update packages
+  apt:
+    name: "*"
+    state: latest
+    update_cache: yes
+
+- name: manage packages
+  apt:
+    name: "{{ package.name }}"
+    state: "{{ package.state }}"
+  loop: "{{ bootstrap_packages[ansible_distribution|lower] }}"
+  loop_control:
+    loop_var: package
+
+- name: edit sudoers
+  lineinfile:
+    dest: /etc/sudoers
+    state: present
+    regexp: '^%sudo'
+    line: '%sudo ALL=(ALL) NOPASSWD: ALL'
+    validate: 'visudo -cf %s'

bootstrap/vars/main.yml

@@ -0,0 +1,20 @@
+---
+bootstrap_sshd_config:
+  ubuntu: /etc/ssh/sshd_config
+  openbsd: /etc/ssh/sshd_config
+  alpine: /etc/ssh/sshd_config
+  archlinux: /etc/ssh/sshd_config
+
+bootstrap_ssh_service_name:
+  ubuntu: sshd
+  openbsd: sshd
+  alpine: sshd
+  archlinux: sshd
+
+bootstrap_aliases_file:
+    openbsd: /etc/mail/aliases
+    ubuntu: /etc/aliases
+
+bootstrap_aliases_reload_command:
+    openbsd: smtpctl update table aliases
+    ubuntu: newaliases

cronjobs/defaults/main.yml

@@ -0,0 +1,9 @@
+cronjobs:
+    - name: "hourly cronjob"
+      user: root
+      command: "echo Hi, I'm an hourly cronjob"
+      minute: "0"
+      hour: "*"
+      day: "*"
+      month: "*"
+      weekday: "*"

cronjobs/tasks/main.yml

@@ -0,0 +1,14 @@
+- name: setup cronjobs
+  become: yes
+  cron:
+    name: "{{ cronjob.name }}"
+    user: "{{ cronjob.user }}"
+    job: "{{ cronjob.command }}"
+    minute: "{{ cronjob.minute }}"
+    hour: "{{ cronjob.hour }}"
+    day: "{{ cronjob.day }}"
+    month: "{{ cronjob.month }}"
+    weekday: "{{ cronjob.weekday }}"
+  loop: "{{ cronjobs }}"
+  loop_control:
+    loop_var: cronjob

data_sync/defaults/main.yml

@@ -0,0 +1 @@
+data_sync_copy_links: False

data_sync/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+- name: install rsync
+  become: yes
+  package:
+    name: "{{ package }}"
+    state: present
+  loop: "{{ data_sync_packages[ansible_distribution|lower] }}"
+  loop_control:
+    loop_var: package
+- name: synchronize data dir
+  become: yes
+  synchronize:
+    src: "{{ playbook_dir }}/data/"
+    dest: "/"
+    owner: no
+    group: no
+    perms: yes
+    rsync_path: '{{ ansible_become_method }} -u root rsync'
+    copy_links: '{{ data_sync_copy_links }}'

data_sync/vars/main.yml

@@ -0,0 +1,3 @@
+data_sync_packages:
+    openbsd:
+        - rsync-3.2.3

dns_server/defaults/main.yml

@@ -0,0 +1,57 @@
+dns_zone_public: "mydomain.org"
+dns_zone_local: "mydomain.local"
+dns_server_public_ip: "{{ ansible_default_ipv4.address }}"
+dns_server_local_ip: "127.0.0.1"
+dns_zones:
+    - name: "{{ dns_zone_public }}"
+      role: "master"
+      reverse_zone: False
+      peers: ""
+      ttl: "2d"
+      slaves:
+        - 213.239.242.238
+        - 213.133.105.6
+        - 193.47.99.3
+      soa:
+        - ns: "ns.{{ dns_zone_public }}."
+          mail: "admin.{{ dns_zone_public }}."
+          serial: "2018122520"
+          refresh: "1d"
+          retry: "1d"
+          expire: "4w"
+          ttl: "1h"
+      nameservers:
+        - "ns.{{ dns_zone_public }}."
+      records:
+        - name: "ns"
+          type: "A"
+          value: "{{ dns_server_public_ip }}"
+        - name: "*"
+          type: "A"
+          value: "{{ dns_server_public_ip }}"
+        - name: "vmhost"
+          type: "CNAME"
+          value: "ns"
+    - name: "{{ dns_zone_local }}"
+      role: "master"
+      reverse_zone: True
+      ttl: "2d"
+      slaves:
+        - "{{ dns_server_local_ip }}"
+      soa:
+        - ns: "ns.{{ dns_zone_local }}."
+          mail: "admin.{{ dns_zone_public }}."
+          serial: "2018121520"
+          refresh: "1d"
+          retry: "1d"
+          expire: "4w"
+          ttl: "1h"
+      nameservers:
+        - "ns.{{ dns_zone_local }}"
+      records:
+        - name: "ns"
+          type: "A"
+          value: "{{ dns_server_local_ip }}"
+        - name: "git"
+          type: "A"
+          value: "10.1.0.10"

dns_server/handlers/main.yml

@@ -0,0 +1,19 @@
+- name: reload nsd
+  become: yes
+  service: 
+    name: nsd
+    state: reloaded
+    enabled: true
+- name: reload unbound
+  become: yes
+  service: 
+    name: nsd
+    state: reloaded
+    enabled: true
+- name: reload zonefiles
+  become: yes
+  command: nsd-control reload
+  notify: notify slaves
+- name: notify slaves
+  become: yes
+  command: nsd-control notify

dns_server/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+- name: OpenBSD dns
+  include_tasks: openbsd.yml
+  when: ansible_distribution|lower == 'openbsd'
+  vars:
+    ansible_become: yes

dns_server/tasks/openbsd.yml

@@ -0,0 +1,44 @@
+---
+- name: unbound.conf
+  template:
+    src: unbound.conf
+    dest: /var/unbound/etc/unbound.conf
+    owner: root
+    group: wheel
+    mode: 0644
+  notify: reload unbound
+- name: nsd.conf
+  template:
+    src: nsd.conf
+    dest: /var/nsd/etc/nsd.conf
+    owner: root
+    group: _nsd
+    mode: 0640
+  notify: reload nsd
+- name: forward zonefile(s)
+  template: 
+    src: zonefile.forward
+    dest: "/var/nsd/zones/{{ item.role }}/{{ item.name }}"
+    owner: root
+    group: _nsd
+    mode: 0640
+  loop: "{{ dns_zones }}"
+  notify: reload zonefiles
+
+- name: check zone files
+  shell: "nsd-checkzone {{ item.name }} /var/nsd/zones/{{ item.role }}/{{ item.name }}"
+  register: zone_check
+  failed_when: zone_check.rc != 0
+  changed_when: False
+  loop: "{{ dns_zones }}"
+  
+- name: nsd started and enabled
+  service:
+    name: nsd
+    state: started
+    enabled: true
+- name: unbound started and enabled
+  service:
+    name: unbound
+    state: started
+    enabled: true

dns_server/templates/nsd.conf

@@ -0,0 +1,39 @@
+# $OpenBSD: nsd.conf,v 1.13 2018/08/16 17:59:12 florian Exp $
+
+server:
+	hide-version: yes
+	verbosity: 1
+	database: "" # disable database
+
+remote-control:
+	control-enable: yes
+	control-interface: /var/run/nsd.sock
+
+## tsig key example
+#key:
+#	name: "tsig1.example.com."
+#	algorithm: hmac-sha256
+#	secret: "bWVrbWl0YXNkaWdvYXQ="
+
+{% for zone in dns_zones %}
+zone:
+    name: "{{ zone.name }}"
+    zonefile: "{{ zone.role }}/{{ zone.name }}"
+{% if zone.role == "master" %}
+{% for slave in zone.slaves %}
+	notify: {{ slave }} NOKEY
+	provide-xfr: {{ slave }} NOKEY
+{% endfor %}
+{% elif zone.role == "slave" %}
+#	allow-notify: 192.0.2.2 tsig1.example.com.
+#	request-xfr: 192.0.2.2 tsig1.example.com.
+{% endif %}
+{% endfor %}
+
+## slave zone example
+#zone:
+#	name: "example.net"
+#	zonefile: "slave/example.net"
+#	allow-notify: 192.0.2.2 tsig1.example.com.
+#	request-xfr: 192.0.2.2 tsig1.example.com.
+

dns_server/templates/unbound.conf

@@ -0,0 +1,46 @@
+# $OpenBSD: unbound.conf,v 1.8 2018/03/29 20:40:22 florian Exp $
+
+server:
+	interface: 127.0.0.1@5353	# listen on alternative port
+	interface: ::1@5353
+
+	access-control: 0.0.0.0/0 allow
+	access-control: 127.0.0.0/8 allow
+	access-control: ::0/0 refuse
+	access-control: ::1 allow
+
+	hide-identity: yes
+	hide-version: yes
+
+	auto-trust-anchor-file: "/var/unbound/db/root.key"
+{% for zone in dns_zones %}
+    domain-insecure: "{{ zone.name }}"
+{% endfor %}
+
+remote-control:
+	control-enable: yes
+	control-use-cert: no
+	control-interface: /var/run/unbound.sock
+
+
+{% for zone in dns_zones %}
+stub-zone:
+    name: "{{ zone.name }}"
+    stub-addr: "{{ dns_server_public_ip }}"
+{% endfor %}
+
+stub-zone:
+    name: "10.in-addr.arpa"
+    stub-addr: "{{ dns_server_public_ip }}"
+stub-zone:
+    name: "168.192.in-addr.arpa"
+    stub-addr: "{{ dns_server_public_ip }}"
+
+forward-zone:
+	name: "."				# use for ALL queries
+	forward-addr: 74.82.42.42		# he.net
+	forward-addr: 2001:470:20::2		# he.net v6
+	forward-addr: 8.8.8.8			# google.com
+	forward-addr: 2001:4860:4860::8888	# google.com v6
+	forward-addr: 208.67.222.222		# opendns.com
+	forward-first: yes			# try direct if forwarder fails

dns_server/templates/zonefile.forward

@@ -0,0 +1,21 @@
+$ORIGIN {{ item.name }}.
+$TTL {{ item.ttl }}
+@       IN      SOA     {{ item.soa.0.ns }}      {{ item.soa.0.mail }} (
+                        {{ item.soa.0.serial }}              ; serial
+                        {{ item.soa.0.refresh }}          ; refresh
+                        {{ item.soa.0.retry }}
+                        {{ item.soa.0.expire }} ; expire
+                        {{ item.soa.0.ttl }} ; ttl
+                        )
+; Name servers
+{% for ns in item.nameservers %}
+@                    IN      NS      {{ ns }}
+{% endfor %}
+
+{% for record in item.records %}
+{% if record.type == 'TXT' %}
+{{ record.name }}                 IN      {{ record.type }}       "{{ record.value }}"
+{% else %}
+{{ record.name }}                 IN      {{ record.type }}       {{ record.value }}
+{% endif %}
+{% endfor %}

dns_server/templates/zonefile.reverse

@@ -0,0 +1,17 @@
+$ORIGIN {{ item.name }}.
+$TTL {{ item.ttl }}
+@       IN      SOA     {{ item.soa.ns }}      {{ item.soa.mail }} (
+                        {{ date }}              ; serial
+                        {{ item.soa.refresh }}          ; refresh
+                        {{ item.soa.retry }}
+                        {{ item.soa.expire }} ; expire
+                        {{ item.soa.ttl }} ; ttl
+                        )
+; Name servers
+{% for ns in item.nameservers %}
+@                    IN      NS      {{ ns }}
+{% endfor %}
+
+{% for record in item.records %}
+{{ record.name }}                 IN      {{ record.type }}       {{ record.value }}
+{% endfor %}

firewall/defaults/main.yml

@@ -0,0 +1,13 @@
+firewall_tcp_services:
+    - 80
+    - 443
+firewall_udp_services:
+    - 53
+firewall_max_ssh_src_conn: "35"
+firewall_max_ssh_src_conn_rate: "25/5"
+firewall_max_tcp_src_conn: "150"
+firewall_max_tcp_src_conn_rate: "100/5"
+
+firewall_whitelist_enable: false
+firewall_whitelist:
+    - 127.0.0.1

firewall/files/facts.d-openbsd/tcp_services.fact

@@ -0,0 +1,15 @@
+#!/bin/ksh
+
+exposed_tcp_in=$(netstat -l -n -finet -ptcp |\
+  awk '$4 !~ /^127\.0\.0\.1.*$/ && $1 == "tcp" {print $4}')
+
+output=""
+if [ ! -z "$exposed_tcp_in" ]; then 
+    output=$output"[ "
+    for i in $exposed_tcp_in; do
+        port="${i##*.}"
+        output="$output\"$port\","
+    done
+    output=${output%?}" ]"
+fi
+echo $output

firewall/files/facts.d-openbsd/udp_services.fact

@@ -0,0 +1,15 @@
+#!/bin/ksh
+
+exposed_udp_in=$(netstat -l -n -finet -pudp |\
+  awk '$4 !~ /^127\.0\.0\.1.*$/ && $1 == "udp" {print $4}')
+
+output=""
+if [ ! -z "$exposed_udp_in" ]; then 
+    output=$output"[ "
+    for i in $exposed_udp_in; do
+        port="${i##*.}"
+        output="$output\"$port\","
+    done
+    output=${output%?}" ]"
+fi
+echo $output

firewall/files/tcp_services.fact

@@ -0,0 +1,17 @@
+#!/bin/ksh
+ports=$(netstat -lnptcp -finet | awk '{ print $4 }' |grep '\.' | sed 's/*./0.0.0.0./g' | grep -v '127\.0\.0\.1' | cut -f 5 -d '.' | sort | uniq)
+ports_len=$(echo $ports | awk '{ print NF - 1 }')
+
+echo "[ "
+
+i=0
+for port in $ports; do
+    if [[ $i -lt $ports_len ]]; then
+        echo "    \"$port\","
+    else
+        echo "    \"$port\""
+    fi
+    ((i=i+1))
+done
+
+echo " ]"

firewall/handlers/main.yml

@@ -0,0 +1,16 @@
+---
+- name: reload facts
+  setup:
+- name: reload pf for real
+  shell: pfctl -f /etc/pf.conf
+  become: yes
+- name: reload pf
+  shell: pfctl -nf /etc/pf.conf
+  notify: reload pf for real
+  become: yes
+- name: reload network 
+  shell: sh /etc/netstart
+  become: yes
+- name: iptables-save-ubuntu
+  command: netfilter-persistent save
+  become: yes

firewall/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+- name: OpenBSD pf 
+  include_tasks: openbsd.yml
+  when: ansible_distribution|lower == 'openbsd'
+  vars:
+    ansible_become: yes

firewall/tasks/openbsd.yml

@@ -0,0 +1,127 @@
+---
+- name: deploy custom facts 
+  copy:
+    src: "{{ item }}"
+    dest: /etc/ansible/facts.d/
+    mode: 0755
+  with_fileglob:
+    - facts.d-openbsd/*
+  notify: reload facts
+
+- name: update firewall whitelist
+  lineinfile:
+    line: '{{ item }}'
+    regexp: '^.*{{ item }}.*$'
+    path: /etc/pf.whitelist
+    create: yes
+  loop: "{{ firewall_whitelist }}"
+  when: firewall_whitelist_enable
+
+- meta: flush_handlers
+- name: anchor directory 
+  file:
+    path: "/etc/anchors"
+    state: "directory"
+- name: ansible pf anchor
+  copy:
+    dest: "/etc/anchors/ansible"
+    content: ""
+    force: no
+    owner: "root"
+    mode: "0600"
+- name: custom pf anchor
+  copy:
+    dest: "/etc/anchors/custom"
+    force: no
+    content: ""
+    owner: "root"
+    mode: "0600"
+- name: create pf-badhost user
+  user:
+    name: "{{ pfbadhost_user }}"
+    shell: /sbin/nologin
+    home: /var/empty
+    create_home: no
+- name: install ripgrep and mawk
+  community.general.openbsd_pkg:
+    name: [ "ripgrep", "mawk" ]
+    state: present
+    snapshot: "{{ force_openbsd_snapshot | default(false) }}"
+- name: download pf-badhost
+  get_url:
+    url: "{{ pfbadhost_url }}"
+    dest: "{{ pfbadhost_path }}"
+    owner: root
+    group: wheel
+    mode: "0755"
+  register: pfbadhost_installed
+
+- name: enable authlog scanning
+  lineinfile:
+    path: "{{ pfbadhost_path }}"
+    regexp: '^\s+_HAIL_MARY=[01].*$'
+    line: '_HAIL_MARY=1'
+  changed_when: false
+
+- name: set doas permissions for pf-badhost
+  lineinfile:
+    path: /etc/doas.conf
+    regexp: "^{{ doas_line }}$"
+    line: "{{ doas_line }}"
+  loop:
+    - "permit nopass {{ pfbadhost_user }} cmd /sbin/pfctl args -nf /etc/pf.conf"
+    - "permit nopass {{ pfbadhost_user }} cmd /sbin/pfctl args -t pfbadhost -T replace -f /etc/pf-badhost.txt"
+    - "permit nopass {{ pfbadhost_user }} cmd /usr/bin/zcat args -f /var/log/authlog /var/log/authlog.0.gz"
+  loop_control:
+    loop_var: doas_line
+- name: create pf-badhost log dir
+  file:
+    path: /var/log/pf-badhost
+    state: directory
+    owner: root
+    group: wheel
+    mode: "0755"
+- name: create required files for pf-badhost
+  copy:
+    content: ""
+    dest: "{{ pfbadhost_required_file }}"
+    owner: "{{ pfbadhost_user }}"
+    group: wheel
+    mode: "0640"
+    force: no
+  loop:
+    - /etc/pf-badhost.txt
+    - /var/log/pf-badhost/pf-badhost.log
+    - /var/log/pf-badhost/pf-badhost.log.0.gz
+  loop_control:
+    loop_var: pfbadhost_required_file
+- name: ensure permission for pf-badhost
+  file:
+    path: "{{ pfbadhost_required_file }}"
+    owner: "{{ pfbadhost_user }}"
+    group: wheel
+    mode: "0640"
+  loop:
+    - /etc/pf-badhost.txt
+    - /var/log/pf-badhost/pf-badhost.log
+    - /var/log/pf-badhost/pf-badhost.log.0.gz
+  loop_control:
+    loop_var: pfbadhost_required_file
+- name: setup pf-badhost cronjob
+  cron:
+    name: "update pf-badhosts"
+    user: "{{ pfbadhost_user }}"
+    job: "-s pf-badhost -O openbsd"
+    minute: "~"
+    hour: "0~1"
+- name: run pf badhosts
+  command: "doas -u {{ pfbadhost_user }} pf-badhost -O openbsd"
+  when: pfbadhost_installed.changed
+- name: pf.conf
+  template:
+    src: pf.conf
+    dest: /etc/pf.conf
+    owner: root
+    group: wheel
+    mode: '0600'
+  notify: reload pf

firewall/templates/pf.conf

@@ -0,0 +1,54 @@
+# Options
+set skip on lo
+
+# Macros and Tables
+table <abusive_hosts> persist
+{% if firewall_whitelist_enable %}
+table <whitelist> persist file "/etc/pf.whitelist"
+{% endif %}
+table <pfbadhost> persist file "/etc/pf-badhost.txt"
+{% if firewall_tcp_services|length > 1 %}
+tcp_in = "{ {% for port in firewall_tcp_services  %} {{ port }} {% endfor %} }"
+{% endif %}
+
+{% if firewall_udp_services|length > 1 %}
+udp_in = "{ {% for port in firewall_udp_services  %} {{ port }} {% endfor %} }"
+{% endif %}
+
+{% if firewall_whitelist_enable %}
+pass in quick from <whitelist>
+{% endif %}
+block in quick on egress from <pfbadhost>
+block out quick on egress to <pfbadhost>
+
+# Quick rules
+pass in quick proto tcp to port ssh flags S/SA keep state \
+    (max-src-conn {{ firewall_max_ssh_src_conn }}, \
+    max-src-conn-rate {{ firewall_max_ssh_src_conn_rate }}, \
+    overload <abusive_hosts> flush)
+    
+pass in quick inet proto icmp icmp-type echoreq
+
+# Ruleset
+block log
+pass out on egress
+block in quick log from <abusive_hosts> 
+
+{% if firewall_tcp_services|length > 1 %}
+pass in proto tcp to port $tcp_in flags S/SA keep state \
+    (max-src-conn {{ firewall_max_tcp_src_conn }}, \
+    max-src-conn-rate {{ firewall_max_tcp_src_conn_rate }}, \
+    overload <abusive_hosts> flush)
+{% endif %}
+
+{% if firewall_udp_services|length > 1 %}
+pass in proto udp to port $udp_in 
+{% endif %}
+
+# Ansible Ruleset
+anchor ansible
+load anchor ansible from "/etc/anchors/ansible"
+
+# Custom Rules
+anchor custom
+load anchor custom from "/etc/anchors/custom"

firewall/vars/main.yml

@@ -0,0 +1,3 @@
+pfbadhost_user: _pfbadhost
+pfbadhost_url: https://geoghegan.ca/pub/pf-badhost/0.5/pf-badhost.sh
+pfbadhost_path: /usr/local/bin/pf-badhost

gitea/defaults/main.yml

@@ -0,0 +1,8 @@
+gitea_fqdn: "{{ ansible_fqdn }}"
+gitea_httpd: True
+gitea_admins:
+    - name: gitea_admin
+      email: root@localhost
+      password: CHANGEME
+gitea_tls_cert: "{{ webserver_tls_cert|default(false) }}"
+gitea_tls_key: "{{ webserver_tls_key|default(false) }}"

gitea/handlers/main.yml

@@ -0,0 +1,10 @@
+- name: restart_gitea
+  service:
+    name: gitea
+    state: restarted
+  become: yes
+- name: restart_httpd
+  service:
+    name: httpd
+    state: restarted
+  become: yes

gitea/tasks/common.yml

@@ -0,0 +1,96 @@
+---
+- name: "install package: {{ package }}"
+  package:
+    name: "{{ package }}"
+    state: latest
+  loop: "{{ gitea_packages[ ansible_distribution|lower ] }}"
+  loop_control:
+    loop_var: package
+  when: ansible_distribution|lower != "openbsd"
+
+- name: "install package: {{ package }}"
+  community.general.openbsd_pkg:
+    name: "{{ package }}"
+    state: latest
+    snapshot: "{{ force_openbsd_snapshot|default(false) }}"
+  loop: "{{ gitea_packages[ ansible_distribution|lower ] }}"
+  loop_control:
+    loop_var: package
+  when: ansible_distribution|lower == "openbsd"
+
+- name: set groups
+  user:
+    name: "{{ user.user }}"
+    groups: "{{ user.groups }}"
+    append: yes
+  loop: "{{ gitea_groups[ ansible_distribution|lower ] }}"
+  loop_control:
+    loop_var: user
+
+- name: set gitea permission
+  file:
+    path: "{{ file.path }}"
+    mode: "{{ file.mode }}"
+    state: "{{ file.state }}"
+  loop: "{{ gitea_permissions[ ansible_distribution|lower ] }}"
+  loop_control:
+    loop_var: file
+
+- name: "edit ini files"
+  ini_file:
+    path: "{{ config.path }}"
+    section: "{{ config.section }}"
+    option: "{{ config.option }}"
+    value: "{{ config.value }}"
+  loop: "{{ gitea_ini_values[ ansible_distribution|lower ] }}"
+  loop_control:
+    loop_var: config
+  notify: restart_gitea
+- name: "ensure {{ cfg.line }} is in {{ cfg.path }}"
+  lineinfile:
+    path: "{{ cfg.path }}"
+    line: "{{ cfg.line }}"
+    regexp: "{{ cfg.regexp }}"
+  loop: "{{ gitea_config_insertions[ ansible_distribution|lower ] }}"
+  loop_control:
+    loop_var: cfg
+  notify: restart_gitea
+
+- name: "template {{ cfg.path }}"
+  template:
+    src: "{{ cfg.template }}"
+    dest: "{{ cfg.path }}"
+  loop: "{{ gitea_config_templates[ ansible_distribution|lower ] }}"
+  loop_control:
+    loop_var: cfg
+  notify: restart_httpd
+  when: gitea_httpd
+
+- name: create initialization lock file
+  copy:
+    dest: /etc/gitea/initialized
+    content: ""
+  register: gitea_init
+    
+- name: "initialize database"
+  shell: doas -u _gitea gitea migrate -c /etc/gitea/app.ini
+  environment: "{{ gitea_environment[ ansible_distribution|lower ] }}"
+  when: gitea_init.changed
+
+- name: "create admin users"
+  shell: "doas -u _gitea gitea admin user create -c /etc/gitea/app.ini --admin --username {{ user.name }} --email {{ user.email }} --password {{ user.password }}"
+  register: gitea_user_data
+  when: gitea_init.changed
+  notify: restart_gitea
+  loop: "{{ gitea_admins }}"
+  loop_control:
+    loop_var: user
+
+- name: "start and enable: {{ service }}"
+  service:
+    name: "{{ service }}"
+    enabled: True
+    state: started
+  loop: "{{ gitea_services[ ansible_distribution|lower ] }}"
+  loop_control:
+    loop_var: service 

gitea/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+- name: run common tasks
+  include_tasks: common.yml
+  vars:
+    ansible_become: yes
+

gitea/templates/dkim_signing.conf.j2

@@ -0,0 +1,8 @@
+allow_username_mismatch = true;
+
+domain {
+    {{ mailserver_domain }} {
+        path = "{{ mailserver_dkim.key }}";
+        selector = "{{ mailserver_dkim.selector }}";
+    }
+}

gitea/templates/httpd.conf.gitea.j2

@@ -0,0 +1,32 @@
+{% if gitea_tls_cert|default(false) %}
+server "{{ gitea_fqdn }}" {
+    listen on * port 80
+        location "/.well-known/acme-challenge/*" {
+                root "/acme"
+                request strip 2
+        }
+                location * {
+                block return 302 "https://$HTTP_HOST$REQUEST_URI"
+        }
+    }
+
+server "{{ gitea_fqdn }}" {
+        listen on * tls port 443
+        tls {
+                certificate "{{ gitea_tls_cert }}"
+                key "{{ gitea_tls_key }}"
+        }
+        connection { max requests 500, timeout 3600 }
+        location "*" {
+            fastcgi socket "/run/gitea.sock"
+        }
+}
+{% else %}
+server "{{ gitea_fqdn }}" {
+        listen on * port 80
+        connection { max requests 500, timeout 3600 }
+        location "*" {
+            fastcgi socket "/run/gitea.sock"
+        }
+}
+{% endif %}

gitea/templates/smtpd.conf.j2

@@ -0,0 +1,32 @@
+pki {{ mailserver_fqdn }} cert "{{ mailserver_tls_cert }}"
+pki {{ mailserver_fqdn }} key "{{ mailserver_tls_key }}"
+
+filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } \
+    disconnect "550 no residential connections"
+
+filter check_rdns phase connect match !rdns \
+    disconnect "550 no rDNS is so 80s"
+
+filter check_fcrdns phase connect match !fcrdns \
+    disconnect "550 no FCrDNS is so 80s"
+
+filter senderscore \
+    proc-exec "filter-senderscore -blockBelow {{ mailserver_senderscore_block }} -junkBelow {{ mailserver_senderscore_junk }} -slowFactor 5000"
+
+filter rspamd proc-exec "filter-rspamd"
+
+table aliases file:/etc/mail/aliases
+
+listen on all tls pki {{ mailserver_fqdn }} \
+    filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
+
+listen on all port submission tls-require pki {{ mailserver_fqdn }} auth filter rspamd
+
+action "local_mail" maildir junk alias <aliases>
+action "outbound" relay helo {{ mailserver_fqdn }}
+
+match from any for domain "{{ mailserver_domain }}" action "local_mail"
+match for local action "local_mail"
+
+match from any auth for any action "outbound"
+match for any action "outbound"

gitea/vars/main.yml

@@ -0,0 +1,62 @@
+gitea_http: "{{ 'http' if not gitea_tls_cert else 'https' }}"
+gitea_environment:
+    openbsd:
+        HOME: /var/gitea
+        GITEA_WORK_DIR: /usr/local/share/gitea
+        GITEA_CUSTOM: /var/gitea/custom
+        USER: _gitea
+gitea_groups:
+    openbsd:
+        - user: _gitea
+          groups: daemon
+gitea_permissions:
+    openbsd:
+        - path: /var/www/run
+          mode: "0775"
+          state: directory
+gitea_packages:
+    openbsd:
+        - gitea
+
+gitea_services:
+    openbsd:
+        - gitea
+        - gitdaemon
+
+gitea_ini_values:
+    openbsd:
+        - path: /etc/gitea/app.ini
+          section: security
+          option: INSTALL_LOCK
+          value: "true"
+        - path: /etc/gitea/app.ini
+          section: server
+          option: HTTP_ADDR
+          value: /var/www/run/gitea.sock
+        - path: /etc/gitea/app.ini
+          section: server
+          option: PROTOCOL
+          value: fcgi+unix
+        - path: /etc/gitea/app.ini
+          section: server
+          option: DOMAIN
+          value: "{{ gitea_fqdn }}"
+        - path: /etc/gitea/app.ini
+          section: server
+          option: ROOT_URL
+          value: "{{ gitea_http }}://{{ gitea_fqdn }}/"
+        - path: /etc/gitea/app.ini
+          section: server
+          option: LOCAL_ROOT_URL
+          value: "https://{{ gitea_fqdn }}/"
+gitea_config_insertions:
+    openbsd:
+        - path: /etc/httpd.conf
+          line: 'include "/etc/httpd.conf.gitea"'
+          regexp: '^.*include.*"/etc/httpd.conf.gitea".*$'
+
+
+gitea_config_templates:
+    openbsd:
+        - path: /etc/httpd.conf.gitea
+          template: httpd.conf.gitea.j2

icinga2/defaults/main.yml

@@ -0,0 +1,25 @@
+icinga2_admin_mail: root@localhost
+
+icinga2_features:
+  - api
+  - ido-mysql
+
+icinga2_mysql_auth:
+  host: 127.0.0.1
+  user: root
+  password: CHANGEME
+
+icinga2_mysql_db:
+  name: icinga2
+  user: icinga2
+  password: CHANGEME
+  schema: /usr/share/icinga2-ido-mysql/schema/mysql.sql
+  schema_openbsd: /usr/local/share/icinga2-ido-mysql/schema/mysql.sql
+
+icinga2_api_users:
+  - name: root
+    password: CHANGEME
+    permissions: '[ "*" ]'
+  - name: icingaweb2
+    password: CHANGEME
+    permissions: '[ "status/query", "actions/*", "objects/modify/*", "objects/query/*" ]'

icinga2/files/commands/openbsd.conf

@@ -0,0 +1,3 @@
+object CheckCommand "openbsd-services" {
+    command = [ PluginDir + "/check_services.sh" ]
+}

icinga2/files/downtimes.conf

@@ -0,0 +1,35 @@
+apply ScheduledDowntime "maintainance-downtime" to Host {
+  author = "icingaadmin"
+  comment = "Scheduled downtime for maintenance"
+
+  ranges = {
+    monday = host.vars.maintenance_downtime
+    tuesday = host.vars.maintenance_downtime
+    wednesday = host.vars.maintenance_downtime
+    thursday = host.vars.maintenance_downtime
+    friday = host.vars.maintenance_downtime
+    saturday = host.vars.maintenance_downtime
+    sunday = host.vars.maintenance_downtime
+  }
+
+  assign where host.vars.maintenance_downtime != ""
+
+}
+
+apply ScheduledDowntime "maintainance-downtime" to Service {
+  author = "icingaadmin"
+  comment = "Scheduled downtime for maintenance"
+
+  ranges = {
+    monday = host.vars.maintenance_downtime
+    tuesday = host.vars.maintenance_downtime
+    wednesday = host.vars.maintenance_downtime
+    thursday = host.vars.maintenance_downtime
+    friday = host.vars.maintenance_downtime
+    saturday = host.vars.maintenance_downtime
+    sunday = host.vars.maintenance_downtime
+  }
+
+  assign where host.vars.maintenance_downtime != ""
+
+}

icinga2/files/notifications.conf

@@ -0,0 +1,27 @@
+apply Notification "mail-icingaadmin" to Host {
+  import "mail-host-notification"
+  user_groups = host.vars.notification.mail.groups
+  users = host.vars.notification.mail.users
+
+  interval = 0
+
+  types = [ Custom, Acknowledgement, Problem, Recovery, FlappingStart, FlappingEnd ]
+
+  //vars.notification_logtosyslog = true
+
+  assign where host.vars.notification.mail
+}
+
+apply Notification "mail-icingaadmin" to Service {
+  import "mail-service-notification"
+  user_groups = host.vars.notification.mail.groups
+  users = host.vars.notification.mail.users
+
+  interval = 0
+
+  types = [ Custom, Acknowledgement, Problem, Recovery, FlappingStart, FlappingEnd ]
+
+  //vars.notification_logtosyslog = true
+
+  assign where host.vars.notification.mail
+}

icinga2/files/services/haproxy_services.conf

@@ -0,0 +1,8 @@
+apply Service "Haproxy Backends" {
+  import "generic-service"
+  check_command = "haproxy.pl"  
+  vars += host.vars.backends
+  vars.haproxy_url = "https://" + host.name + ":" + vars.haproxy_port + "/csv"
+  
+  assign where host.vars.os == "haproxy"
+}

icinga2/files/services/http_services.conf

@@ -0,0 +1,29 @@
+apply Service "Zertifikat: " for ( vhost => config in host.vars.vhosts ) to Host {
+  import "generic-service"
+
+  check_command = "http"
+
+  vars.http_link = true
+  vars.http_certificate = 80
+  vars.http_sni = true
+  vars.http_address = host.address
+
+  vars += config
+
+  assign where host.vars.vhosts[vhost]["http_ssl"]
+}
+
+apply Service "HTTP(S): " for ( vhost => config in host.vars.vhosts ) to Host {
+  import "generic-service"
+
+  check_command = "http"
+
+  vars.http_link = true
+
+  vars += config
+
+  vars.http_address = host.address
+
+  assign where host.vars.vhosts[vhost]["http_uri"] || host.vars.vhosts[vhost]["http_string"] || host.vars.vhosts[vhost]["http_pagesize"] 
+}
+

icinga2/files/services/tcp_services.conf

@@ -0,0 +1,7 @@
+apply Service "tcp port " for ( port in host.vars.tcp_ipv4 ) to Host {
+	check_command = "tcp"
+	vars.tcp_ipv4 = "true"
+	vars.tcp_port = port
+
+	assign where host.address
+}

icinga2/files/services/unix_services.conf

@@ -0,0 +1,44 @@
+apply Service "" for ( disk => config in host.vars.disks ) to Host {
+    check_command = "disk"
+    vars += config
+
+    import "byssh"
+
+    assign where host.vars.os == "Linux" || host.vars.os == "OpenBSD"
+}
+
+apply Service "process: " for ( proc => config in host.vars.procs ) to Host {
+    check_command = "procs"
+    vars += config
+
+    import "byssh"
+
+    assign where host.vars.os == "Linux" || host.vars.os == "OpenBSD"
+}
+
+apply Service "load" {
+    check_command = "load"
+    vars += host.vars.load
+
+    import "byssh"
+
+    assign where host.vars.os == "Linux" || host.vars.os == "OpenBSD"
+}
+
+apply Service "swap" {
+  check_command = "swap"
+  vars += host.vars.swap
+
+  import "byssh"
+
+  assign where host.vars.os == "Linux" || host.vars.os == "OpenBSD"
+}
+
+apply Service "services" {
+  check_command = "openbsd-services"
+
+  import "byssh"
+
+  assign where host.vars.os == "OpenBSD"
+}
+

icinga2/files/services/windows_services.conf

@@ -0,0 +1,53 @@
+apply Service "Windows Disk: " for ( disk => config in host.vars.disks ) to Host {
+    check_command = "disk-windows"
+    vars += config
+    assign where host.vars.os == "windows"
+}
+
+apply Service "Windows Process: " for ( proc => config in host.vars.procs ) to Host {
+    import "byagent"
+    check_command = "procs-windows"
+    vars += config
+    assign where host.vars.os == "windows"
+}
+
+apply Service "Windows Serivces: " for ( service => config in host.vars.services ) to Host {
+    import "byagent"
+    check_command = "service-windows"
+    vars += config
+    assign where host.vars.os == "windows"
+}
+
+apply Service "Windows CPU" {
+    import "byagent"
+    check_command = "load-windows"
+    vars += host.vars.load
+    assign where host.vars.os == "windows"
+}
+
+apply Service "Windows Memory" {
+    import "byagent"
+    check_command = "memory-windows"
+    vars += host.vars.mem
+    assign where host.vars.os == "windows"
+}
+
+apply Service "Windows Network" {
+    import "byagent"
+    check_command = "network-windows"
+#    vars += host.vars.net
+    assign where host.vars.os == "windows"
+}
+
+apply Service "Windows Swap" {
+    import "byagent"
+    check_command = "swap-windows"
+#    vars += host.vars.swap
+    assign where host.vars.os == "windows"
+}
+
+apply Service "Windows Update" {
+    import "byagent"
+    check_command = "update-windows"
+    assign where host.vars.os == "windows"
+}

icinga2/files/ssh_config

@@ -0,0 +1,2 @@
+Host *
+  StrictHostKeyChecking accept-new

icinga2/files/templates/byssh.conf

@@ -0,0 +1,12 @@
+template Service "byssh" {
+  import "generic-service"
+  vars.original_check_command = check_command
+  check_command = "by_ssh"
+  vars.by_ssh_port = 22
+  vars.by_ssh_logname = "_icinga2"
+  vars.by_ssh_identity = "/var/icinga/.ssh/id_rsa"
+
+  vars.by_ssh_command = {{ get_check_command(service.vars.original_check_command).command }}
+  vars.by_ssh_arguments = {{ get_check_command(service.vars.original_check_command).arguments }}
+
+}

icinga2/files/templates/common.conf

@@ -0,0 +1,7 @@
+template Host "common-host" {
+  import "generic-host"
+
+  vars.notification["mail"] = {
+    groups = [ "icingaadmins" ]
+  }
+}

icinga2/files/templates/linux.conf

@@ -0,0 +1,33 @@
+template Host "linux" {
+  import "common-host"
+
+  vars.os = "Linux"
+
+  vars.tcp_ipv4 += ["22"]
+  vars.load = {
+    load_percpu = true
+    load_wload1 = "0.9"
+    load_wload5 = "0.8"
+    load_wload15 = "0.7"
+    load_cload1 = "1.0"
+    load_cload5 = "0.9"
+    load_cload15 = "0.8"
+  }
+
+  vars.procs["cron"] = {
+    procs_warning = "1:1" # warn range
+    procs_critical = "1:1" # crit range
+    procs_command = "cron" # command name (without path)
+  }
+
+  vars.disks["/"] = {
+    disk_partition = "/"
+    disk_wfree = "20%" # warn free
+    disk_cfree = "10%" # crit free
+  }
+
+  vars.swap = {
+    swap_wfree = "99%"
+    swap_cfree = "20%"
+  }
+}

icinga2/files/templates/openbsd.conf

@@ -0,0 +1,30 @@
+template Host "openbsd" {
+  import "common-host"
+
+  vars.os = "OpenBSD"
+
+  vars.tcp_ipv4 += ["22"]
+  vars.load = {
+    load_percpu = true
+    load_wload1 = "2.9"
+    load_wload5 = "2.8"
+    load_wload15 = "2.7"
+    load_cload1 = "3.0"
+    load_cload5 = "2.9"
+    load_cload15 = "2.8"
+  }
+
+
+  vars.disks["disk"] = {
+    disk_wfree = "20%" # warn free
+    disk_cfree = "10%" # crit free
+  }
+
+
+  vars.swap = {
+    swap_wfree = "99%"
+    swap_cfree = "20%"
+  }
+
+  vars.maintenance_downtime = "01:00-04:00"
+}

icinga2/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart_icinga2
+  become: yes
+  service:
+    name: icinga2
+    state: restarted

icinga2/tasks/main.yml

@@ -0,0 +1,53 @@
+---
+- name: ubuntu install
+  include: "ubuntu.yml"
+  when: ansible_distribution == 'Ubuntu'
+  vars:
+    ansible_become: yes
+- name: openbsd install
+  include: "openbsd.yml"
+  when: ansible_distribution | lower == 'openbsd'
+  vars:
+    ansible_become: yes
+- name: copy templates
+  become: yes
+  copy:
+    src: templates/
+    dest: /etc/icinga2/conf.d/templates/
+  notify: restart_icinga2
+- name: copy services
+  become: yes
+  copy:
+    src: services/
+    dest: /etc/icinga2/conf.d/services/
+  notify: restart_icinga2
+- name: copy commands
+  become: yes
+  copy:
+    src: commands/
+    dest: /etc/icinga2/conf.d/commands/
+  notify: restart_icinga2
+- name: copy notification config
+  become: yes
+  copy:
+    src: notifications.conf
+    dest: /etc/icinga2/conf.d/notifications.conf
+- name: copy downtime config
+  become: yes
+  copy:
+    src: downtimes.conf
+    dest: /etc/icinga2/conf.d/downtimes.conf
+- name: template user config
+  become: yes
+  template:
+    src: users.conf
+    dest: /etc/icinga2/conf.d/users.conf
+  notify: restart_icinga2
+- name: delete default hosts and services
+  become: yes
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /etc/icinga2/conf.d/services.conf
+    - /etc/icinga2/conf.d/hosts.conf

icinga2/tasks/openbsd.yml

@@ -0,0 +1,98 @@
+---
+- name: install prequisities
+  package:
+    name: "{{ item }}"
+  loop: "{{ icinga2_packages_pre_openbsd }}"
+
+- name: reload facts
+  setup:
+
+- name: install packages
+  package:
+    name: "{{ item }}"
+  loop: "{{ icinga2_packages }}"
+
+- name: enable and start rc service
+  service:
+    name: "{{ item }}"
+    state: started
+    enabled: yes
+  loop: "{{ icinga2_systemd_services }}"
+
+- name: create mysql db
+  mysql_db:
+    login_host: "{{ icinga2_mysql_auth.host }}"
+    login_user: "{{ icinga2_mysql_auth.user }}"
+    login_password: "{{ icinga2_mysql_auth.password }}"
+    name: "{{ icinga2_mysql_db.name }}"
+    state: present
+    target: "{{ icinga2_mysql_db.schema_openbsd }}"
+  register: db_created
+
+- name: import mysql schema
+  mysql_db:
+    login_host: "{{ icinga2_mysql_auth.host }}"
+    login_user: "{{ icinga2_mysql_auth.user }}"
+    login_password: "{{ icinga2_mysql_auth.password }}"
+    name: "{{ icinga2_mysql_db.name }}"
+    state: import
+    target: "{{ icinga2_mysql_db.schema_openbsd }}"
+  when: db_created.changed
+
+- name: create mysql users
+  mysql_user:
+    login_host: "{{ icinga2_mysql_auth.host }}"
+    login_user: "{{ icinga2_mysql_auth.user }}"
+    login_password: "{{ icinga2_mysql_auth.password }}"
+    name: "{{ icinga2_mysql_db.user }}"
+    password: "{{ icinga2_mysql_db.password }}"
+    priv: "{{ icinga2_mysql_db.name }}.*:ALL"
+    state: present
+
+- name: deploy icinga2 ido-mysql config
+  template:
+    src: ido-mysql.conf
+    dest: /etc/icinga2/features-available/ido-mysql.conf
+
+- name: enable icinga2 features
+  command: "icinga2 feature enable {{ item }}"
+  loop: "{{ icinga2_features }}"
+  notify: restart_icinga2
+
+- name: setup icinga2 api
+  command: "icinga2 api setup"
+  when: '"api" in icinga2_features'
+
+- name: configure icinga2 api users
+  template:
+    src: api-users.conf
+    dest: /etc/icinga2/conf.d/api-users.conf
+  when: '"api" in icinga2_features'
+  notify: restart_icinga2
+
+- name: create icinga dirs
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: _icinga
+  loop:
+    - /var/icinga
+    - /var/icinga/.ssh
+
+- name: create ssh key
+  openssh_keypair:
+    path: /var/icinga/.ssh/id_rsa
+
+- name: set ssh key owner
+  file:
+    path: "{{ item }}"
+    owner: _icinga
+  loop:
+    - /var/icinga/.ssh/id_rsa
+    - /var/icinga/.ssh/id_rsa.pub
+
+- name: copy ssh config
+  copy:
+    src: ssh_config
+    dest: /var/icinga/.ssh/config
+    owner: _icinga

icinga2/tasks/ubuntu.yml

@@ -0,0 +1,82 @@
+---
+- name: install prequisities
+  package:
+    name: "{{ item }}"
+  loop: "{{ icinga2_packages_pre }}"
+
+- name: reload facts
+  setup:
+
+- name: add icinga2 repo key
+  apt_key:
+    url: "{{ icinga2_repo.key.url }}"
+    state: present
+  ignore_errors: yes
+
+- name: add icinga2 repo
+  apt_repository:
+    repo: "{{ icinga2_repo.repo }}"
+    state: present
+
+- name: install packages
+  package:
+    name: "{{ item }}"
+  loop: "{{ icinga2_packages }}"
+
+- name: enable and start systemd service
+  systemd:
+    name: "{{ item }}"
+    state: started
+    enabled: yes
+  loop: "{{ icinga2_systemd_services }}"
+
+- name: create mysql db
+  mysql_db:
+    login_host: "{{ icinga2_mysql_auth.host }}"
+    login_user: "{{ icinga2_mysql_auth.user }}"
+    login_password: "{{ icinga2_mysql_auth.password }}"
+    name: "{{ icinga2_mysql_db.name }}"
+    state: present
+    target: "{{ icinga2_mysql_db.schema }}"
+  register: db_created
+
+- name: import mysql schema
+  mysql_db:
+    login_host: "{{ icinga2_mysql_auth.host }}"
+    login_user: "{{ icinga2_mysql_auth.user }}"
+    login_password: "{{ icinga2_mysql_auth.password }}"
+    name: "{{ icinga2_mysql_db.name }}"
+    state: import
+    target: "{{ icinga2_mysql_db.schema }}"
+  when: db_created.changed
+
+- name: create mysql users
+  mysql_user:
+    login_host: "{{ icinga2_mysql_auth.host }}"
+    login_user: "{{ icinga2_mysql_auth.user }}"
+    login_password: "{{ icinga2_mysql_auth.password }}"
+    name: "{{ icinga2_mysql_db.user }}"
+    password: "{{ icinga2_mysql_db.password }}"
+    priv: "{{ icinga2_mysql_db.name }}.*:ALL"
+    state: present
+
+- name: deploy icinga2 ido-mysql config
+  template:
+    src: ido-mysql.conf
+    dest: /etc/icinga2/features-available/ido-mysql.conf
+
+- name: enable icinga2 features
+  command: "icinga2 feature enable {{ item }}"
+  loop: "{{ icinga2_features }}"
+  notify: restart_icinga2
+
+- name: setup icinga2 api
+  command: "icinga2 api setup"
+  when: '"api" in icinga2_features'
+
+- name: configure icinga2 api users
+  template:
+    src: api-users.conf
+    dest: /etc/icinga2/conf.d/api-users.conf
+  when: '"api" in icinga2_features'
+  notify: restart_icinga2

icinga2/templates/api-users.conf

@@ -0,0 +1,6 @@
+{% for user in icinga2_api_users %}
+object ApiUser "{{ user.name }}" {
+  password = "{{ user.password }}"
+  permissions = {{ user.permissions }}
+}
+{% endfor %}

icinga2/templates/ido-mysql.conf

@@ -0,0 +1,6 @@
+object IdoMysqlConnection "ido-mysql" {
+  user = "{{ icinga2_mysql_db.user }}"
+  password = "{{ icinga2_mysql_db.password }}"
+  host = "{{ icinga2_mysql_auth.host }}"
+  database = "{{ icinga2_mysql_db.name }}"
+}

icinga2/templates/users.conf

@@ -0,0 +1,13 @@
+object User "icingaadmin" {
+  import "generic-user"
+
+  display_name = "Icinga 2 Admin"
+  groups = [ "icingaadmins" ]
+
+  email = "{{ icinga2_admin_mail }}"
+}
+
+object UserGroup "icingaadmins" {
+  display_name = "Icinga 2 Admin Group"
+}
+

icinga2/vars/main.yml

@@ -0,0 +1,22 @@
+icinga2_repo:
+  name: icinga2-repo
+  key:
+    url: "https://packages.icinga.com:443/icinga.key"
+  repo: "deb https://packages.icinga.com/ubuntu icinga-bionic main"
+
+icinga2_packages_pre:
+  - ca-certificates
+  - wget
+  - python3-mysqldb
+
+icinga2_packages_pre_openbsd:
+  - wget
+  - py3-pymysql
+
+icinga2_packages:
+  - icinga2
+  - monitoring-plugins
+  - icinga2-ido-mysql
+
+icinga2_systemd_services:
+  - icinga2

icinga_director/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+director_mysql_auth:
+  host: "127.0.0.1"
+  user: "root"
+  password: "CHANGEME"
+
+director_password: CHANGEME
+

icinga_director/files/config.ini

@@ -0,0 +1,2 @@
+[db]
+resource = "director"

icinga_director/files/icinga-director.service

@@ -0,0 +1,21 @@
+[Unit]
+Description=Icinga Director - Monitoring Configuration
+Documentation=https://icinga.com/docs/director/latest/
+Wants=network.target
+
+[Service]
+EnvironmentFile=-/etc/default/icinga-director
+EnvironmentFile=-/etc/sysconfig/icinga-director
+ExecStart=/usr/bin/icingacli director daemon run
+ExecReload=/bin/kill -HUP ${MAINPID}
+User=icingadirector
+SyslogIdentifier=icingadirector
+Type=notify
+
+NotifyAccess=main
+WatchdogSec=10
+RestartSec=30
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

icinga_director/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+- name: ubuntu install
+  include: "ubuntu.yml"
+  when: ansible_distribution == 'Ubuntu'
+  vars:
+    ansible_become: yes
+- name: openbsd install
+  include: "openbsd.yml"
+  when: ansible_distribution | lower == 'openbsd'
+  vars:
+    ansible_become: yes

icinga_director/tasks/openbsd.yml

@@ -0,0 +1,84 @@
+---
+- name: Install dependencies
+  package:
+    name: "{{ item }}"
+    state: present
+  loop: "{{ director_packages_openbsd }}"
+
+- name: reload facts
+  setup:
+
+- name: Download modules from github
+  git:
+    repo: "https://github.com/Icinga/icingaweb2-module-{{ item.name }}.git"
+    dest: "{{ director_modules_dir_openbsd }}/{{ item.name }}"
+    update: no
+    version: "{{ item.version }}"
+  loop: "{{ director_modules }}"
+  ignore_errors: yes
+  tags: minimal
+
+- name: enable modules
+  shell: "icingacli module enable {{ item.name }}"
+  loop: "{{ director_modules }}"
+  tags: minimal
+
+- name: create mysql dbs
+  mysql_db:
+    login_host: "{{ director_mysql_auth.host }}"
+    login_user: "{{ director_mysql_auth.user }}"
+    login_password: "{{ director_mysql_auth.password }}"
+    name: "{{ item.name }}"
+    state: present
+    target: "{{ item.schema_openbsd }}"
+  loop: "{{ director_mysql_dbs }}"
+  register: dbs_created
+- name: import mysql schema
+  mysql_db:
+    login_host: "{{ director_mysql_auth.host }}"
+    login_user: "{{ director_mysql_auth.user }}"
+    login_password: "{{ director_mysql_auth.password }}"
+    name: "{{ item.name }}"
+    state: import
+    target: "{{ item.schema_openbsd }}"
+  loop: "{{ director_mysql_dbs }}"
+  when: dbs_created.changed
+
+- name: create mysql users
+  mysql_user:
+    login_host: "{{ director_mysql_auth.host }}"
+    login_user: "{{ director_mysql_auth.user }}"
+    login_password: "{{ director_mysql_auth.password }}"
+    name: "{{ item.user }}"
+    password: "{{ item.password }}"
+    priv: "{{ item.name }}.*:ALL"
+    state: present
+  loop: "{{ director_mysql_dbs }}"
+
+- name: create icingaweb2 resource
+  ini_file:
+    path: /var/www/etc/icingaweb2/resources.ini
+    section: "{{ item.name }}"
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+  loop: "{{ director_icingaweb_resources }}"
+
+- name: create icingadirector user
+  user:
+    name: "{{ director_user.name }}"
+    group: "{{ director_user.group }}"
+    home: "{{ director_user.home }}"
+    shell: "{{ director_user.shell }}"
+    create_home: yes
+
+- name: ensure icinga director config dir exists
+  file:
+    path: /var/www/etc/icingaweb2/modules/director
+    state: directory
+
+- name: copy icinga director config.ini
+  copy:
+    src: config.ini
+    dest: /var/www/etc/icingaweb2/modules/director/config.ini
+    owner: www-data
+    group: icingaweb2

icinga_director/tasks/ubuntu.yml

@@ -0,0 +1,98 @@
+---
+- name: Install dependencies
+  package:
+    name: "{{ item }}"
+    state: present
+  loop: "{{ director_packages }}"
+
+- name: reload facts
+  setup:
+
+- name: Download modules from github
+  git:
+    repo: "https://github.com/Icinga/icingaweb2-module-{{ item.name }}.git"
+    dest: "{{ director_modules_dir }}/{{ item.name }}"
+    update: no
+    version: "{{ item.version }}"
+  loop: "{{ director_modules }}"
+  ignore_errors: yes
+  tags: minimal
+
+- name: enable modules
+  shell: "icingacli module enable {{ item.name }}"
+  loop: "{{ director_modules }}"
+  tags: minimal
+
+- name: create mysql dbs
+  mysql_db:
+    login_host: "{{ director_mysql_auth.host }}"
+    login_user: "{{ director_mysql_auth.user }}"
+    login_password: "{{ director_mysql_auth.password }}"
+    name: "{{ item.name }}"
+    state: present
+    target: "{{ item.schema }}"
+  loop: "{{ director_mysql_dbs }}"
+  register: dbs_created
+- name: import mysql schema
+  mysql_db:
+    login_host: "{{ director_mysql_auth.host }}"
+    login_user: "{{ director_mysql_auth.user }}"
+    login_password: "{{ director_mysql_auth.password }}"
+    name: "{{ item.name }}"
+    state: import
+    target: "{{ item.schema }}"
+  loop: "{{ director_mysql_dbs }}"
+  when: dbs_created.changed
+
+- name: create mysql users
+  mysql_user:
+    login_host: "{{ director_mysql_auth.host }}"
+    login_user: "{{ director_mysql_auth.user }}"
+    login_password: "{{ director_mysql_auth.password }}"
+    name: "{{ item.user }}"
+    password: "{{ item.password }}"
+    priv: "{{ item.name }}.*:ALL"
+    state: present
+  loop: "{{ director_mysql_dbs }}"
+
+- name: create icingaweb2 resource
+  ini_file:
+    path: /etc/icingaweb2/resources.ini
+    section: "{{ item.name }}"
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+  loop: "{{ director_icingaweb_resources }}"
+
+- name: create icingadirector user
+  user:
+    name: "{{ director_user.name }}"
+    group: "{{ director_user.group }}"
+    home: "{{ director_user.home }}"
+    shell: "{{ director_user.shell }}"
+    create_home: yes
+
+- name: ensure icinga director config dir exists
+  file:
+    path: /etc/icingaweb2/modules/director
+    state: directory
+
+- name: copy icinga director config.ini
+  copy:
+    src: config.ini
+    dest: /etc/icingaweb2/modules/director/config.ini
+    owner: www-data
+    group: icingaweb2
+
+- name: copy systemd unit file
+  copy:
+    src: icinga-director.service
+    dest: /etc/systemd/system/icinga-director.service
+  register: unitfile
+
+- name: reload systemd
+  systemd:
+    name: icinga-director
+    enabled: yes
+    state: started
+    daemon_reload: yes
+  when: unitfile.changed

icinga_director/vars/main.yml

@@ -0,0 +1,64 @@
+director_user:
+  name: icingadirector
+  group: icingaweb2
+  home: /var/lib/icingadirector
+  shell: /bin/false
+
+director_modules_dir: "/usr/share/icingaweb2/modules"
+director_modules_dir_openbsd: "/var/www/icinga-web2/modules"
+
+director_modules:
+  - name: reactbundle
+    version: v0.9.0
+  - name: ipl
+    version: v0.5.0
+  - name: incubator
+    version: v0.6.0
+  - name: director
+    version: v1.8.0
+
+director_packages:
+  - git
+  - python3-mysqldb
+  - php-curl
+  - php-posix
+  - php-sockets
+
+director_packages_openbsd:
+  - git
+
+director_mysql_dbs:
+  - name: director
+    user: director 
+    password: "{{ director_password }}"
+    schema: "{{ director_modules_dir }}/director/schema/mysql.sql"
+    schema_openbsd: "{{ director_modules_dir_openbsd }}/director/schema/mysql.sql"
+
+director_icingaweb_resources:
+  - name: director
+    option: type
+    value: db
+  - name: director
+    option: db
+    value: mysql
+  - name: director
+    option: host
+    value: "127.0.0.1"
+  - name: director
+    option: port
+    value: ""
+  - name: director
+    option: dbname
+    value: director
+  - name: director
+    option: username
+    value: director
+  - name: director
+    option: password
+    value: "{{ director_password }}"
+  - name: director
+    option: charset
+    value: utf8
+  - name: director
+    option: use_ssl
+    value: "0"

icingaweb2-grafana/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: restart_grafana
+  become: yes
+  service:
+    name: grafana
+    state: restarted

icingaweb2-grafana/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+- name: ubuntu install
+  include: "ubuntu.yml"
+  when: ansible_distribution == 'Ubuntu'
+  vars:
+    ansible_become: yes
+
+- name: openbsd install
+  include: "openbsd.yml"
+  when: ansible_distribution | lower == 'openbsd'
+  vars:
+    ansible_become: yes

icingaweb2-grafana/tasks/openbsd.yml

@@ -0,0 +1,47 @@
+---
+- name: install packages
+  package:
+    name: "{{ grafana_packages_openbsd }}"
+
+- name: enable and start services
+  service:
+    name: "{{ item }}"
+    state: started
+    enabled: yes
+  loop: "{{ grafana_openbsd_services }}"
+
+- name: Download and install grafana icingaweb2 module
+  git:                                                                             
+    repo: "{{ grafana_icingaweb2_module.repo }}"
+    dest: "{{ grafana_icingaweb2_modules_dir_openbsd }}/{{ grafana_icingaweb2_module.name }}"
+    update: no
+    version: "{{ grafana_icingaweb2_module.version }}"
+  ignore_errors: yes
+
+- name: icinga2 influxdb config template
+  template:
+    src: influxdb.conf
+    dest: /etc/icinga2/features-available/influxdb.conf
+
+- name: enable modules
+  shell: "icingacli module enable {{ grafana_icingaweb2_module.name }}"
+
+- name: create influxdb
+  influxdb_database:
+    hostname: "{{ grafana_influxdb.bindaddr }}"
+    database_name: "{{ grafana_influxdb.database }}"
+    username: "{{ grafana_influxdb.username }}"
+
+- name: enable icinga2 influxdb feature
+  shell: "icinga2 feature enable influxdb"
+
+- name: configure grafana
+  ini_file:
+    path: "{{ grafana_config_file_openbsd }}"
+    section: "{{ item.section }}"
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+  loop: "{{ grafana_config_values }}"
+  notify: restart_grafana
+
+

icingaweb2-grafana/tasks/ubuntu.yml

@@ -0,0 +1,60 @@
+---
+- name: add repo keys
+  apt_key:
+    url: "{{ item.key.url }}"
+    state: present
+  loop: "{{ grafana_repos }}"
+
+- name: add repos
+  apt_repository:
+    repo: "{{ item.repo }}"
+    state: present
+  loop: "{{ grafana_repos }}"
+
+- name: install packages
+  package:
+    name: "{{ item }}"
+  loop: "{{ grafana_packages }}"
+
+- name: enable and start systemd services
+  systemd:
+    name: "{{ item }}"
+    state: started
+    daemon_reload: yes
+    enabled: yes
+  loop: "{{ grafana_systemd_services }}"
+
+- name: Download and install grafana icingaweb2 module
+  git:                                                                             
+    repo: "{{ grafana_icingaweb2_module.repo }}"
+    dest: "{{ grafana_icingaweb2_modules_dir }}/{{ grafana_icingaweb2_module.name }}"
+    update: no
+    version: "{{ grafana_icingaweb2_module.version }}"
+  ignore_errors: yes
+
+- name: icinga2 influxdb config template
+  template:
+    src: influxdb.conf
+    dest: /etc/icinga2/features-available/influxdb.conf
+
+- name: enable modules
+  shell: "icingacli module enable {{ grafana_icingaweb2_module.name }}"
+
+- name: create influxdb
+  influxdb_database:
+    hostname: "{{ grafana_influxdb.bindaddr }}"
+    database_name: "{{ grafana_influxdb.database }}"
+    username: "{{ grafana_influxdb.username }}"
+
+- name: enable icinga2 influxdb feature
+  shell: "icinga2 feature enable influxdb"
+
+- name: enable anonymous grafana auth
+  ini_file:
+    path: "{{ grafana_config_file }}"
+    section: "{{ item.section }}"
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+  loop: "{{ grafana_config_values }}"
+
+

icingaweb2-grafana/templates/influxdb.conf

@@ -0,0 +1,25 @@
+/**
+ * The InfluxdbWriter type writes check result metrics and
+ * performance data to an InfluxDB HTTP API
+ */
+
+object InfluxdbWriter "influxdb" {
+  host = "{{ grafana_influxdb.bindaddr }}"
+  port = "{{ grafana_influxdb.bindport }}"
+  database = "{{ grafana_influxdb.database }}"
+  flush_threshold = 1024
+  flush_interval = 10s
+  host_template = {
+    measurement = "$host.check_command$"
+    tags = {
+      hostname = "$host.name$"
+    }
+  }
+  service_template = {
+    measurement = "$service.check_command$"
+    tags = {
+      hostname = "$host.name$"
+      service = "$service.name$"
+    }
+  }
+}

icingaweb2-grafana/vars/main.yml

@@ -0,0 +1,80 @@
+grafana_icingaweb2_modules_dir: /usr/share/icingaweb2/modules
+grafana_icingaweb2_modules_dir_openbsd: /var/www/icinga-web2/modules/
+grafana_icingaweb2_module:
+  repo: https://github.com/Mikesch-mp/icingaweb2-module-grafana
+  version: v1.3.6
+  name: grafana
+
+grafana_packages:
+  - python3-apt
+  - python3-influxdb
+  - python3-requests
+  - grafana
+  - influxdb
+
+grafana_packages_openbsd:
+  - git
+  - influxdb
+  - py3-influxdb
+  - py3-requests
+  - grafana
+
+grafana_repos:
+  - name: grafana-repo
+    key:
+      url: https://packages.grafana.com/gpg.key
+    state: present
+    repo: "deb https://packages.grafana.com/oss/deb stable main"
+  - name: influxdb-repo
+    key:
+      url: https://repos.influxdata.com/influxdb.key
+    repo: "deb https://repos.influxdata.com/ubuntu bionic stable"
+    state: present
+
+grafana_systemd_services:
+  - influxdb
+  - grafana-server
+
+grafana_openbsd_services:
+  - influxdb
+  - grafana
+
+grafana_influxdb:
+  bindaddr: 127.0.0.1
+  bindport: 8086
+  database: icinga2
+  username: icinga2
+
+grafana_config_file: /etc/grafana/grafana.ini
+grafana_config_file_openbsd: /etc/grafana/config.ini
+grafana_config_values: 
+  - section: server
+    option: http_addr
+    value: 127.0.0.1
+  - section: server
+    option: http_port
+    value: 3000
+  - section: server
+    option: root_url
+    value: "%(protocol)s://%(domain)s:%(http_port)s/grafana-dashboards/"
+  - section: server
+    option: serve_from_sub_path
+    value: true
+  - section: database
+    option: type
+    value: sqlite3
+  - section: database
+    option: host
+    value: 127.0.0.1
+  - section: database
+    option: name
+    value: grafana
+  - section: database
+    option: user
+    value: grafana
+  - section: database
+    option: password
+    value: "{{ lookup('password', '/dev/null length=32') }}"
+  - section: auth.anonymous
+    option: enabled
+    value: true

icingaweb2-theme/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+theme_modules_dir: "/usr/share/icingaweb2/modules"
+
+theme_modules:
+  - name: company
+    version: v1.0.0

icingaweb2-theme/files/icinga-director.service

@@ -0,0 +1,21 @@
+[Unit]
+Description=Icinga Director - Monitoring Configuration
+Documentation=https://icinga.com/docs/director/latest/
+Wants=network.target
+
+[Service]
+EnvironmentFile=-/etc/default/icinga-director
+EnvironmentFile=-/etc/sysconfig/icinga-director
+ExecStart=/usr/bin/icingacli director daemon run
+ExecReload=/bin/kill -HUP ${MAINPID}
+User=icingadirector
+SyslogIdentifier=icingadirector
+Type=notify
+
+NotifyAccess=main
+WatchdogSec=10
+RestartSec=30
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

icingaweb2-theme/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+- name: ubuntu install
+  include: "ubuntu.yml"
+  when: ansible_distribution == 'Ubuntu'

icingaweb2-theme/tasks/ubuntu.yml

@@ -0,0 +1,15 @@
+---
+- name: Download theme modules from github
+  git:
+    repo: "https://github.com/Icinga/icingaweb2-theme-{{ item.name }}.git"
+    dest: "{{ theme_modules_dir }}/{{ item.name }}"
+    update: no
+    version: "{{ item.version }}"
+  loop: "{{ theme_modules }}"
+  ignore_errors: yes
+  tags: minimal
+
+- name: enable modules
+  shell: "icingacli module enable {{ item.name }}"
+  loop: "{{ theme_modules }}"
+  tags: minimal

icingaweb2/defaults/main.yml

@@ -0,0 +1,34 @@
+icingaweb2_vhost: "{{ ansible_fqdn }}"
+icingaweb2_mysql_auth:
+  host: 127.0.0.1
+  user: root
+  password: CHANGEME
+
+icingaweb2_tls_cert: "{{ webserver_tls_certificate | default(false) }}"
+icingaweb2_tls_key: "{{ webserver_tls_key | default(false) }}"
+
+icingaweb2_mysql_db:
+  name: icingaweb2
+  user: icingaweb2
+  password: CHANGEME
+  schema: /usr/share/icingaweb2/etc/schema/mysql.schema.sql
+  schema_openbsd: /var/www/icinga-web2/etc/schema/mysql.schema.sql
+
+icingaweb2_mysql_ido_db:
+  host: 127.0.0.1
+  name: icinga2
+  user: icinga2
+  password: CHANGEME
+
+icingaweb2_modules:
+  - monitoring
+
+icingaweb2_web_user:
+  name: icingaadmin
+  password: CHANGEME
+
+icingaweb2_api_transport:
+  user: icingaweb2
+  password: CHANGEME
+  host: localhost
+  port: 5665