diff --git a/files/rss2email.cfg b/files/rss2email.cfg index 9c2c570..58b9950 100644 --- a/files/rss2email.cfg +++ b/files/rss2email.cfg @@ -156,3 +156,6 @@ url = https://code.gouv.fr/feed/feed.xml [feed.krebsonsecurity] url = https://krebsonsecurity.com/ +[feed.ycombinator] +url = https://hnrss.org/newest?points=300 + diff --git a/inventory.yml b/inventory.yml index 88e410a..2900a59 100644 --- a/inventory.yml +++ b/inventory.yml @@ -12,12 +12,7 @@ all: mdk.fr: ansible_host: 51.15.187.166 online_server: sd-131717 - grid: + silence: hosts: - bar.local: - ada.local: - windhowl.local: - boole.local: - church.local: - alan.local: - shannon.local: + silence: + ansible_host: 192.168.1.210 diff --git a/rss2email.yml b/rss2email.yml index cf7f42f..c60e2e4 100644 --- a/rss2email.yml +++ b/rss2email.yml @@ -10,7 +10,7 @@ user: mdk name: "rss2email" minute: "0" - hour: "6,18" + hour: "6,12,18" job: "/usr/bin/r2e run" - name: Configure rss2email diff --git a/silence.yml b/silence.yml new file mode 100644 index 0000000..84a560e --- /dev/null +++ b/silence.yml 
@@ -0,0 +1,172 @@
+---
+
+- hosts: silence
+ tasks:
+ - name: requirements
+ apt:
+ name:
+ - smokeping
+ - infinoted
+ - nginx
+ - libnginx-mod-http-fancyindex
+ - go-sendxmpp
+ - syncthing
+ - rsync
+ - transmission-daemon
+
+ - name: Setup nftables
+ notify: restart nftables
+ copy:
+ dest: /etc/nftables.conf
+ content: |
+ #!/usr/sbin/nft -f
+
+ table inet filter
+ flush table inet filter
+
+ table inet filter {
+ chain input {
+ type filter hook input priority 0;
+ iif lo accept
+ ct state established,related accept
+ icmp type echo-request counter accept
+ icmpv6 type echo-request counter accept
+ ip saddr 192.168.1.0/24 accept
+ ip6 saddr 2a01:e0a:15:ac20::/64 accept
+
+ udp dport 51413 accept comment "transmission"
+ tcp dport 51413 accept comment "transmission"
+
+ # accept neighbour discovery otherwise ipv6 connectivity breaks:
+ icmpv6 type {nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert} accept
+
+ tcp dport {ssh, http, https} ct state new accept
+
+ counter drop
+ }
+ }
+
+
+ - name: Infinoted user
+ user:
+ name: infinoted
+ shell: /usr/bin/false
+
+ - name: Make infinoted files directory
+ file:
+ path: /home/infinoted/files/
+ state: directory
+ owner: infinoted
+ mode: 0700
+
+ - name: Setup infinoted
+ notify: restart infinoted
+ copy:
+ dest: /etc/xdg/infinoted.conf
+ content: |
+ [infinoted]
+ key-file=/home/infinoted/infinoted-key.pem
+ certificate-file=/home/infinoted/infinoted-cert.pem
+ security-policy=require-tls
+ plugins=note-text;autosave
+ root-directory=/home/infinoted/files/
+
+ [autosave]
+ interval=10
+
+ - name: Setup infinoted service
+ notify: restart infinoted
+ copy:
+ dest: /etc/systemd/system/infinoted.service
+ content: |
+ [Unit]
+ Description=Infinoted
+ Wants=network.target
+
+ [Service]
+ # Needs to run `infinoted --create-certificate --create-key` (and kill it) manually first.
+ ExecStart=/usr/bin/infinoted
+ Restart=always
+ RestartSec=60
+ User=infinoted
+ StartLimitIntervalSec=0
+
+ [Install]
+ WantedBy=multi-user.target
+
+ - name: Setup nginx
+ notify: reload nginx
+ copy:
+ dest: /etc/nginx/conf.d/silence.conf
+ content: |
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ upstream grafana {
+ server localhost:3000;
+ }
+
+ server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name silence;
+
+ location /c-dans-l-air/ {
+ alias /srv/www/c-dans-l-air/;
+ fancyindex on;
+ fancyindex_default_sort date_desc;
+ }
+
+ location /smokeping/smokeping.cgi {
+ fastcgi_intercept_errors on;
+ root /usr/lib;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/smokeping.cgi;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+
+ location ^~ /smokeping/ {
+ alias /usr/share/smokeping/www/;
+ index smokeping.cgi;
+ gzip off;
+ }
+
+ location /grafana/ {
+ proxy_set_header Host $http_host;
+ proxy_pass http://grafana;
+ }
+
+ location /api/live/ {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $http_host;
+ proxy_pass http://grafana;
+ }
+
+ location /transmission {
+ proxy_pass http://127.0.0.1:9091;
+ proxy_pass_header X-Transmission-Session-Id;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+ }
+
+ handlers:
+ - name: reload nginx
+ systemd:
+ name: nginx
+ state: reloaded
+
+ - name: restart nftables
+ systemd:
+ name: nftables
+ state: restarted
+
+ - name: restart infinoted
+ systemd:
+ name: infinoted
+ state: restarted
diff --git a/wcg.yml b/wcg.yml
deleted file mode 100644
index fdda0b4..0000000
--- /dev/null
+++ /dev/null
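Review bot: The `location /transmission` block proxies to the Transmission RPC on 127.0.0.1:9091 without any access restriction, while the nftables input chain accepts new `http` connections from every source (`tcp dport {ssh, http, https} ct state new accept`), not only from 192.168.1.0/24 and 2a01:e0a:15:ac20::/64. Requests arriving through nginx reach Transmission from loopback, so an address-based `rpc-whitelist` would no longer distinguish LAN clients from others; Transmission's settings are not managed in this playbook, so whether `rpc-authentication-required` is set cannot be told from here. I would add `allow 192.168.1.0/24; allow 2a01:e0a:15:ac20::/64; deny all;` to that location, and probably to `/grafana/` and `/api/live/` as well, or drop `http, https` from the nftables set if nothing on port 80 is meant to be reachable from outside the LAN. The server block also listens on port 80 only, so any credentials for these backends cross the network unencrypted.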
@@ -1,20 +0,0 @@ ---- - -- hosts: grid - tasks: - - name: Update and upgrade apt packages - apt: - upgrade: full - update_cache: yes - cache_valid_time: 86400 - - - name: Install boinc - apt: name=boinc-client state=present - - - name: Get client state - command: cat /var/lib/boinc-client/client_state.xml - register: client_state - - - name: Configure boinc - when: '"sizeof" not in client_state.stdout' - command: "boinccmd --project_attach http://www.worldcommunitygrid.org/ {{ wcg_auth }}"