Optimized .mds and meta/main.yml for postfix,python-pip,restart-docker & sshd

2025-03-31 14:24:16 +02:00 · 2025-03-14 13:33:28 +01:00 · 2025-03-14 13:33:28 +01:00 · 26abfd441a
commit 26abfd441a
parent efa139705a
8 changed files with 185 additions and 46 deletions
--- a/roles/postfix/README.md
+++ b/roles/postfix/README.md
@ -0,0 +1,22 @@
+# Postfix
+
+## Description
+
+This role installs and configures [Postfix](https://en.wikipedia.org/wiki/Postfix_(software)) – a mail transfer agent – on the target system. It deploys a preconfigured aliases file (using a Jinja2 template) that defines mail redirections and standard aliases for local mail delivery.
+
+## Overview
+
+Optimized for secure and reliable mail delivery, this role:
+- Installs Postfix via [pacman](https://wiki.archlinux.org/title/Pacman).
+- Provides a default aliases file to route system mail appropriately.
+- Configures essential Postfix parameters via a templated main configuration file (if needed).
+
+## Purpose
+
+The primary purpose of this role is to set up a robust mail transfer agent configuration for local mail delivery. It ensures that system-generated mail (such as error messages) is delivered to the correct administrative address.
+
+## Features
+
+- **Postfix Installation:** Ensures the [Postfix](https://en.wikipedia.org/wiki/Postfix_(software)) package is installed.
+- **Aliases Configuration:** Deploys a default aliases file to direct system mail.
+- **System Integration:** Works in conjunction with the administrator user role for secure mail routing.
--- a/roles/postfix/meta/main.yml
+++ b/roles/postfix/meta/main.yml
@ -1,2 +1,26 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Installs and configures Postfix to provide a robust mail transfer agent setup with a preconfigured aliases file for local mail delivery."
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - postfix
+    - mail
+    - aliases
+    - configuration
+    - security
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"
 dependencies:
- user-administrator
+  - user-administrator
--- a/roles/python-pip/README.md
+++ b/roles/python-pip/README.md
@ -0,0 +1,20 @@
+# Python-Pip
+
+## Description
+
+This role installs the [python-pip](https://en.wikipedia.org/wiki/Pip_(package_manager)) package on the target system. It ensures that the pip package manager is available for installing Python packages.
+
+## Overview
+
+Optimized for simplicity and idempotency, this role:
+- Installs the python-pip package using [pacman](https://wiki.archlinux.org/title/Pacman).
+- Sets a flag to ensure the installation tasks run only once.
+
+## Purpose
+
+The primary purpose of this role is to provide a reliable installation of the Python package manager, pip, ensuring that subsequent Python package installations can proceed without issues.
+
+## Features
+
+- **Pip Installation:** Installs python-pip if not already present.
+- **Idempotency:** Ensures tasks are executed only once.
--- a/roles/python-pip/meta/main.yml
+++ b/roles/python-pip/meta/main.yml
@ -0,0 +1,25 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Installs the python-pip package to provide the Python package manager, ensuring that Python packages can be installed reliably on the target system."
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - python
+    - pip
+    - package
+    - installation
+    - automation
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"
+dependencies: []
--- a/roles/restart-docker/README.md
+++ b/roles/restart-docker/README.md
@ -1,47 +1,30 @@
 # Docker Auto Restart
+## Description

-This role was implemented to address the classic issue: ["Have you tried turning it off and on again?"](https://www.youtube.com/watch?v=rksCTVFtjM4). The problem initially arose with the `fetchmail` container in [Mailu](../roles/docker/mailu), which fails if only some containers, and not the full docker-compose composition, are restarted.
+This role automates the restart process for Docker Compose instances within a specified directory. It deploys a Python script that checks for the presence of docker-compose.yml files and restarts the associated services—using a hard restart for certain directories if needed.

 ## Overview

-This role automates the restart process for all `docker-compose` instances within a specified directory. It ensures consistent restarts of services while avoiding issues caused by partial restarts.
+Optimized for containerized environments, this role:
+- Sets up the necessary directories and scripts for restarting Docker Compose instances.
+- Configures a systemd service (and optionally a timer) to execute the restart script.
+- Handles both standard restarts and hard restarts for specific containers (e.g., for Mailu).
+
+## Purpose
+
+The primary purpose of this role is to ensure that all Docker Compose services are restarted consistently, resolving issues that may arise from partial restarts. This helps maintain overall service stability and minimizes downtime.

 ## Features
- Automatically detects and restarts `docker-compose` instances in the given directory.
- Uses a Python script to perform service restarts with `docker-compose restart`.
- Integrates with `systemd` for scheduled or manual execution.
- Designed for idempotency and ease of integration.

-## Requirements
- `docker-compose` must be installed on the target system.
- Python 3.x is required to execute the provided script.
- This role depends on the `system-maintenance-lock` role for handling system-wide locking during restarts.
+- **Automated Detection:** Scans a specified parent directory for docker-compose.yml files.
+- **Service Restart:** Executes a Python script to restart Docker services via docker-compose.
+- **Conditional Hard Restart:** Applies a hard restart procedure for specific directories (e.g., Mailu).
+- **Systemd Integration:** Configures a systemd service and optionally a timer for scheduled restarts.

-## Installation
-1. Clone or include this role in your Ansible project.
-2. Define the required variables in your playbook or inventory:
-   ```yaml
-   path_administrator_scripts: "/path/to/administrator/scripts/"
-   restart_docker_folder: "/path/to/restart/volumes/"
-   on_calendar_restart_dockers: "daily"
-   ```

-## Usage
-Include this role in your playbook:
-```yaml
- hosts: all
-  roles:
-    - docker-auto-restart
-```

-The role will:
-1. Set up the necessary directories and scripts.
-2. Configure a `systemd` service to restart docker-compose instances.
-3. Optionally schedule restarts via a systemd timer.
+# Context
+This role was implemented to address the classic issue: ["Have you tried turning it off and on again?"](https://www.youtube.com/watch?v=rksCTVFtjM4). The problem initially arose with the `fetchmail` container in [Mailu](../roles/docker/mailu), which fails if only some containers, and not the full docker-compose composition, are restarted.

-## Acknowledgments
-This role was developed with the assistance of [ChatGPT](https://openai.com/chatgpt), including insights and optimizations from this [conversation](https://chatgpt.com/share/674c6870-fcc4-800f-a19e-b20621b24317). Special thanks for providing guidance on error handling, Ansible best practices, and Python integration.
-
---
-
-Feel free to contribute or provide feedback via the [repository issues page](https://github.com/kevinveenbirkenbach/cymais/issues).
+## Credits
+This role was developed with the assistance of [ChatGPT](https://openai.com/chatgpt), including insights and optimizations from this [conversation](https://chatgpt.com/share/674c6870-fcc4-800f-a19e-b20621b24317). Special thanks for providing guidance on error handling, Ansible best practices, and Python integration.
--- a/roles/restart-docker/meta/main.yml
+++ b/roles/restart-docker/meta/main.yml
@ -1,2 +1,29 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Automates the restart of Docker Compose instances by detecting docker-compose.yml files and executing a restart script, ensuring consistent service availability."
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+    - name: Ubuntu
+      versions:
+        - all
+  galaxy_tags:
+    - docker
+    - restart
+    - update
+    - systemd
+    - automation
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"
 dependencies:
-  - system-maintenance-lock
+  - system-maintenance-lock
--- a/roles/sshd/README.md
+++ b/roles/sshd/README.md
@ -1,11 +1,26 @@
-# role sshd
-## dependencies
-This role depends on that a well configured user administrator exist.
-For this reason this role depends on the role user-administrator.
-A wrong configuration of this role can lead to an lockout of the system which just will be reversal via chroot.  
+# SSHD

-## PAM
+## Description
+
+This role configures the SSH daemon ([sshd](https://man7.org/linux/man-pages/man5/sshd_config.5.html)) on the target system by deploying a templated configuration file. It ensures that secure and proper SSH settings are applied, reducing the risk of misconfiguration and potential lockout.
+
+## Overview
+
+Optimized for secure remote access, this role:
+- Generates an SSH daemon configuration file from a Jinja2 template.
+- Sets appropriate ownership and permissions on the configuration file.
+- Notifies systemd to restart the SSH daemon when changes are made.
+
+## Purpose
+
+The primary purpose of this role is to establish a secure SSH environment by deploying a well-configured sshd_config file. This helps prevent unauthorized access and potential system lockouts, while ensuring that the SSH service runs smoothly.
+
+## Features
+
+- **SSH Configuration Deployment:** Creates an sshd_config file with best-practice settings.
+- **Systemd Integration:** Automatically restarts the SSH service upon configuration changes.
+- **Security Enhancements:** Enforces secure defaults such as disabled root login and public key authentication.
+
+## Further Information
 - https://www.google.com/search?client=firefox-b-d&q=sshd+why+to+deactivate+pam
-
-# see
 - https://man7.org/linux/man-pages/man5/sshd_config.5.html
--- a/roles/sshd/meta/main.yml
+++ b/roles/sshd/meta/main.yml
@ -1,2 +1,25 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Configures a secure SSH daemon environment by deploying a templated sshd_config file and restarting the SSH service as needed."
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Linux
+      versions:
+        - all
+  galaxy_tags:
+    - sshd
+    - ssh
+    - security
+    - configuration
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"
 dependencies:
- user-administrator
+  - user-administrator