caddy: Use firewalld

roles/automatic_updates/README.md

@@ -0,0 +1,2 @@
+This role enables automatic package updates.
+It currently supports Debian and Ubuntu.

roles/borgmatic/README.md

@@ -0,0 +1 @@
+Installs borgmatic

roles/borgmatic/tasks/target.yaml

@@ -2,6 +2,7 @@
 - name: Gather facts
   ansible.builtin.setup:
   delegate_facts: true
+  ignore_unreachable: true
   retries: 3
 
 - name: Add ssh key to authorized_keys

roles/borgmatic_config/README.md

@@ -0,0 +1 @@
+Creates a bormatic configuration in /etc/borgmatic.d/ and creates the repos

roles/borgmatic_config/handlers/main.yaml

@@ -1,4 +1,10 @@
 ---
+- name: Initialize borgmatic
+  ansible.builtin.command:
+    cmd: borgmatic init --encryption repokey
+  register: _borgmatic_init_out
+  changed_when: _borgmatic_init_out.stdout | length > 0
+
 - name: Restart borgmatic timer {{ borgmatic_config_name }}
   ansible.builtin.systemd_service:
     name: "borgmatic@{{ borgmatic_config_name }}.timer"

roles/borgmatic_config/tasks/main.yaml

@@ -18,6 +18,7 @@
     dest: /etc/borgmatic.d/{{ borgmatic_config_name }}.yaml
     mode: "0600"
   no_log: true
+  notify: Initialize borgmatic
 
 - name: Add systemd timer for borgmatic {{ borgmatic_config_name }}
   ansible.builtin.template:

roles/caddy/meta/main.yaml

@@ -4,6 +4,7 @@ dependencies:
     vars:
       compatcheck_supported_distributions:
         - name: debian
-          version_min: 11
+          version_min: 12
         - name: ubuntu
           version_min: 22
+  - role: uumas.general.firewalld

roles/caddy/tasks/main.yaml

@@ -41,3 +41,14 @@
     validate: 'caddy validate --config %s --adapter caddyfile'
     backup: true
   notify: Reload caddy
+
+- name: Open ports for caddy
+  ansible.posix.firewalld:
+    service: "{{ item }}"
+    state: enabled
+    permanent: true
+    immediate: true
+  loop:
+    - http
+    - https
+    - http3

roles/compatcheck/meta/argument_specs.yaml

@@ -22,6 +22,7 @@ argument_specs:
               - ubuntu
               - fedora
               - archlinux
+              - macosx
           version_min:
             description: Earliest supported major version. Allows any version if not specified.
             type: int
@@ -31,7 +32,9 @@ argument_specs:
             type: int
             required: false
           package_managers:
-            description: List of supported package managers. Defaults to apt for debian and ubuntu, dnf for fedora, pacman for archlinux
+            description: >-
+              List of supported package managers. Defaults to apt for debian and ubuntu,
+              dnf for fedora, pacman for archlinux, homebrew for macosx
             type: list
             required: false
             elements: str
@@ -40,3 +43,4 @@ argument_specs:
               - dnf
               - pacman
               - atomic_container
+              - homebrew

roles/compatcheck/vars/main.yaml

@@ -5,4 +5,5 @@ _compatcheck_default_package_managers:
   ubuntu: apt
   fedora: dnf
   archlinux: pacman
+  macosx: homebrew
 _compatcheck_default_package_manager: "{{ _compatcheck_default_package_managers[ansible_distribution | lower] }}"

roles/firewalld/README.md

@@ -0,0 +1 @@
+Installs firewalld

roles/firewalld/meta/argument_specs.yaml

@@ -0,0 +1,5 @@
+---
+argument_specs:
+  main:
+    description: Installs firewalld
+    options: {}

roles/firewalld/meta/main.yaml

@@ -0,0 +1,9 @@
+---
+dependencies:
+  - role: uumas.general.compatcheck
+    vars:
+      compatcheck_supported_distributions:
+        - name: debian
+          version_min: 12
+        - name: ubuntu
+          version_min: 22

roles/firewalld/tasks/main.yaml

@@ -0,0 +1,4 @@
+---
+- name: Install firewalld
+  ansible.builtin.apt:
+    name: firewalld

roles/prometheus_node_exporter/defaults/main.yaml

@@ -0,0 +1,2 @@
+---
+prometheus_node_exporter_local_network: ""

roles/prometheus_node_exporter/meta/argument_specs.yaml

@@ -6,5 +6,7 @@ argument_specs:
       prometheus_node_exporter_local_network:
         description: >-
           The local ipv4 network block, listen address is taken from this block.
+          If empty, listens on 0.0.0.0
         type: str
-        required: true
+        required: false
+        default: ""

roles/prometheus_node_exporter/meta/main.yaml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: uumas.general.firewalld

roles/prometheus_node_exporter/tasks/main.yaml

@@ -7,11 +7,12 @@
       - name: debian
         version_min: 11
       - name: ubuntu
-        version_min: 24
+        version_min: 22
 
 - name: Install prometheus node exporter
   ansible.builtin.apt:
     name: prometheus-node-exporter
+    install_recommends: false
 
 - name: Set prometheus options in /etc/default/prometheus-node-exporter
   ansible.builtin.template:

roles/prometheus_node_exporter/templates/prometheus-node-exporter.j2

@@ -1 +1 @@
-ARGS="--web.listen-address {{ (ansible_all_ipv4_addresses | ansible.utils.ipaddr(prometheus_node_exporter_local_network))[0] }}:9100 --collector.logind --collector.systemd --collector.processes"
+ARGS="--web.listen-address {{ (ansible_all_ipv4_addresses | ansible.utils.ipaddr(prometheus_node_exporter_local_network))[0] if prometheus_node_exporter_local_network | length > 0 else '0.0.0.0' }}:9100 --collector.logind --collector.systemd --collector.processes"