Add roles for nginx, various fixes

ansible.cfg

@@ -1,9 +1,9 @@
 [defaults]
 inventory=inventories/ffdo/hosts
-vault_password_file=.vault-password
+#vault_password_file=.vault-password
 
-[privilege_escalation]
-become=True
+#[privilege_escalation]
+#become=True
 
 [ssh_connection]
 pipelining=True

roles/common-system/files/rc.local

@@ -0,0 +1,14 @@
+#!/bin/sh -e
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+#
+# In order to enable or disable this script just change the execution
+# bits.
+#
+# By default this script does nothing.
+
+exit 0

roles/common-system/tasks/main.yml

@@ -1,5 +1,6 @@
 ---
 
+- include: rclocal.yml
 - include: sysctl.yml
 - include: crypto.yml
 - include: time.yml

roles/common-system/tasks/rclocal.yml

@@ -0,0 +1,4 @@
+---
+
+- name: Install vanilla rc.local
+  copy: src=rc.local dest=/etc/rc.local

roles/common-system/tasks/tools.yml

@@ -14,6 +14,8 @@
     - aptitude
     - iperf
     - pv
+    - bwm-ng
+    - rsync
 
 - name: Ensure vim is default editor
   alternatives: name=editor path=/usr/bin/vim.basic

roles/mesh-batman/templates/batman-tunnel.cfg.j2

@@ -1,4 +1,4 @@
-{% for host in groups['supernodes'] %}
+{% for host in groups['batman'] %}
 {% if hostvars[host]['inventory_hostname'] != inventory_hostname %}
 auto batman-{{hostvars[host]['inventory_hostname_short']}}
 iface batman-{{hostvars[host]['inventory_hostname_short']}} inet manual

roles/mesh-batman/templates/batman.cfg.j2

@@ -20,7 +20,9 @@ iface bat0 inet static
     pre-up ip rule add to {{batman_mesh_ipv4}} table 42
     pre-up batctl it 5000
     pre-up batctl bl 0
+{% if batman_gateway %}
     pre-up batctl gw server 48mbit/48mbit
+{% endif %}
     pre-up echo 120 > /sys/class/net/$IFACE/mesh/hop_penalty
     post-down ip rule del from {{batman_mesh_ipv4}} table 42
     post-down ip rule del to {{batman_mesh_ipv4}} table 42

roles/service-nginx/files/acmetool.gpg

@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQINBFaIhV4BEAChPlb7ZvbMixecLVkpjp5/QAdkOe72XhzPlCND+k+1nQijKJSF
+VQUMMiKI0sWijV+sC0+a3mOQo9kfz/Gya6yg+lNQ8Skg+b8Jd4XWdSEqSwQiuwPF
+2oA9J4Ro3mS/3pEGl7FZOPdpk2AhSFzNDWyhiCN1dgenl4l7VIkO5ZDV1AAwcHrM
+xY6NRgPuonHAV8X1FL0JPM2s/ww4YI8xQc9G+anVNBtcCSOJZX/a4VH510KD20sB
+pB+A3Z6K8Xrf5+xeHc+PfygaiS0ZNmSyXyHGuwWJmOakfvK2SKG5D5pBoAVxNtZY
+UZbGkYHUSgt4lkXUpugxZSVyY5fT8tjgomg3zDz1LQLRcE0mqS9yWB/cWyXbgV6s
+X9oRXrodF0zZm62sQEYvd0+Tpsq4+KUcfayz3XtOJxLpLUfpJDD4aInc4aHlTRhl
++bMUBYG6i+hr4dAoJxb3s3VXDXFbSGblvcENgd7rgOxeg6ij+FJ0SJ0+Nad4k5ZA
+6YqovzNIDKFoQbg50eYpen0ugrFPDuXoKrVsfbsqlu2QXNEFSPmtmOPDo6yVal2f
+o+l9hxexj2IMdKGVmg6mEJFEDLsebKgU2jZdkCrPfIvhyveQMcdL+qN6NgABtOiS
+nkJ0Q6ANgkXhnZQ8njaW0dHt1G8rsCuLwgmCzV2+N3LLhvnTf7Fd2R475wARAQAB
+tB1MYXVuY2hwYWQgUFBBIGZvciBIdWdvIExhbmRhdYkCOAQTAQIAIgUCVoiFXgIb
+AwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ9ayWUe21jfqO7RAAlSn3Qqev
+xrsm9LbCkKWvus6MSnmEhx1Jmq1z9r96IFPOZha6HzfHkvJWVgKXcBGTr/eCPpsq
+oAdQbb7cZnW9Pd+VUZXmM+QijCzZxfpvzhW9uxWnkxHWhTfU460+zCQOyFm3GsnC
+XKhd6gQdGb4R6twyK4U3NkvK2PMRfe62fkwqgieQeQN+ZlOdyxcz2HtGSl4KZe6l
+MBuWUaxpx0BsC84FiPqticyFJ9JBaN9sCMk4YWyBeFAkFYCZ+uTiF3WyJRjJ7sgg
+ebwGmMeUf2wAoKSy/oAuD8nZtzb+wStE5Kfhk6lgPAowKgntpVLt6RimI1IJB6AY
+MAJNwYVThSnFcieonoSL5cVajQY1mGirzAkYfvaOELIwZQIWVBvt2S4UgiLDuhm9
+Cv4cNfluAKPzVYMrpaDaEKn/FVoYGr55u070pNXcavwdMEd0ROxtFXm8xttmZ9ky
+NJd/E4ICZU3ZyLsLyjDEviwVmrxwR2NY/Oit+CIXK+29tpg7Td5mnsXRtciOyAQh
+/BxjlhhkN8GuoBU17Cz8KPujY3Cy4D9yKVxACnNOjVQLtXQswUMOrgC4FxoMeuJQ
+iHA5w8bNyBqgWlNGgSTFjvcq6MDCdhzmnLRiJGZyz0i66mauB7sUuWcQXDMJbkPG
+deKlHQ7fRfRA7ORO76MsSkNr7ZZ9x6OqnW4=
+=c52Q
+-----END PGP PUBLIC KEY BLOCK-----
+

roles/service-nginx/tasks/acmetool.yml

@@ -0,0 +1,11 @@
+---
+- name: ensure acmetool repository key is installed
+  apt_key:
+    id: EDB58DFA
+    data: "{{ lookup('file', 'acmetool.gpg') }}"
+
+- name: ensure acmetool apt repository is installed
+  apt_repository: repo='deb http://ppa.launchpad.net/hlandau/rhea/ubuntu xenial main'
+
+- name: ensure acmetool is installed
+  apt: name=acmetool install_recommends=no

roles/service-nginx/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+- include: nginx.yml
+- include: acmetool.yml

roles/service-nginx/tasks/nginx.yml

@@ -0,0 +1,11 @@
+---
+- name: ensure nginx is installed
+  apt: name=nginx-full state=latest default_release={{ ansible_distribution_release }}-backports install_recommends=no
+
+- name: ensure nginx default configuration is disabled
+  file: name=/etc/nginx/sites-enabled/default state=absent
+  notify: reload nginx
+
+- name: ensure nginx ssl parameters are installed
+  copy: src=ssl.conf dest=/etc/nginx/ssl.conf
+  notify: reload nginx

site.yml

@@ -12,22 +12,35 @@
     - mesh-routing
     - mesh-interfaces
 
+- hosts: batman
+  roles:
+    - mesh-batman
+
 - hosts: supernodes
   roles:
     - gateway-peering
     - gateway-nat
     - gateway-iptables
-    - mesh-batman
     - mesh-vpn-fastd
     - service-ntp
     - service-dns
     - service-dhcp
 
-# - hosts: mapservers
-#   roles:
-#     - common-ntpclient
-#     - service-nginx
-#     - service-map
-#     - service-wiki
-#     - service-gitolite
-#     - service-images
+- hosts: mapservers
+  roles:
+    - common-ntpclient
+    - service-nginx
+    # - service-map
+    # - service-wiki
+    # - service-gitolite
+
+- hosts: imageservers
+  roles:
+    - common-ntpclient
+    - service-nginx
+    # - service-images
+
+- hosts: buildservers
+  roles:
+    - common-ntpclient
+    # - common-docker