hosts: Add file0.p.b to burp-client

Adding *file0.pyrocufflink.blue* to enable automatic backups. The
`/home` and `/srv/cifs/Downloads` paths are backed up.

burp-client.yml

@@ -0,0 +1,3 @@
+- hosts: burp-client
+  roles:
+  - burp-client

burp-server.yml

@@ -0,0 +1,4 @@
+- hosts: burp-server
+  roles:
+  - postfix
+  - burp-server

group_vars/all.yml

@@ -1 +1,4 @@
 certbot_account_email: dustin@hatch.name
+smtp:
+  mode: relay
+  host: mail.pyrocufflink.blue

group_vars/burp-client.yml

@@ -0,0 +1,2 @@
+burp_server: burp0.pyrocufflink.blue
+burp_server_cn: burp.pyrocufflink.blue

group_vars/burp-server.yml

@@ -0,0 +1,2 @@
+burp_ca_server_name: burp.pyrocufflink.blue
+burp_notify: gyrfalcon@ebonfire.com

host_vars/file0.pyrocufflink.blue.yml

@@ -11,3 +11,6 @@ samba_shares:
 - name: Videos
   path: /srv/cifs/Videos
   guest_ok: true
+burp_backup:
+- include: /home
+- include: /srv/cifs/Downloads

hosts

@@ -4,6 +4,12 @@ ansible_python_interpreter=/usr/bin/python3
 [ansible]
 cm0.pyrocufflink.blue
 
+[burp-client]
+file0.pyrocufflink.blue
+
+[burp-server]
+burp0.pyrocufflink.blue
+
 [certbot]
 git0.pyrocufflink.blue
 web0.pyrocufflink.blue
@@ -43,6 +49,7 @@ zabbix-server
 web0.pyrocufflink.blue
 
 [pyrocufflink]
+burp0.pyrocufflink.blue
 cm0.pyrocufflink.blue
 dc0.pyrocufflink.blue
 dc1.pyrocufflink.blue

roles/burp-client/defaults/main.yml

@@ -0,0 +1,6 @@
+burp_server: localhost
+burp_password: abcdefgh
+burp_cname: '{{ ansible_fqdn }}'
+burp_backup: []
+burp_client_conf: {}
+burp_server_cn: '{{ burp_server }}'

roles/burp-client/files/burp-backup.cron

@@ -0,0 +1 @@
+18,48 * * * * root /usr/sbin/burp -a t

roles/burp-client/files/burp-backup.fcron

@@ -0,0 +1 @@
+@mail(no) 30 /usr/sbin/burp -a t

roles/burp-client/handlers/main.yml

@@ -0,0 +1,2 @@
+- name: reload system crontab
+  command: /usr/libexec/check_system_crontabs -v -i

roles/burp-client/tasks/main.yml

@@ -0,0 +1,54 @@
+- name: load distribution-specific variables
+  include_vars: '{{ item }}'
+  with_first_found:
+  - '{{ ansible_distribution }}.yml'
+  - '{{ ansible_os_family }}.yml'
+  - defaults.yml
+  tags:
+  - always
+- name: load burp secrets
+  include_vars: '{{ item }}'
+  with_fileglob: vault/burp/{{ ansible_fqdn }}
+  tags:
+  - always
+
+- name: ensure burp is installed
+  package:
+    name={{ burp_client_packages|join(',') }}
+    state=present
+  tags:
+  - install
+
+- name: ensure burp server is configured for client
+  template:
+    src=server-clientconf.j2
+    dest=/etc/burp/clientconfdir/{{ ansible_fqdn }}
+    mode=0400
+  delegate_to: '{{ burp_server }}'
+
+- name: ensure burp pre-backup script is installed
+  copy:
+    src=scripts/{{ inventory_hostname }}/{{ burp_backup_script_pre|basename }}
+    dest={{ burp_backup_script_pre }}
+    mode=0755
+  when: burp_backup_script_pre is defined
+- name: ensure burp post-backup script is installed
+  copy:
+    src=scripts/{{ inventory_hostname }}/{{ burp_backup_script_post|basename }}
+    dest={{ burp_backup_script_post }}
+    mode=0755
+  when: burp_backup_script_post is defined
+- name: ensure burp client is configured
+  template:
+    src=burp.conf.j2
+    dest=/etc/burp/burp.conf
+    mode=0600
+- name: ensure burp client certificate is available
+  command:
+    burp -c /etc/burp/burp.conf -g
+    creates=/etc/burp/ssl_cert-client.pem
+- name: ensure automatic backup is scheduled
+  copy:
+    src={{ burp_backup_crontab }}
+    dest=/etc/cron.d/burp-backup
+    mode=0644

roles/burp-client/templates/burp.conf.j2

@@ -0,0 +1,123 @@
+# This is an example config file for the burp client.
+
+mode = client
+port = 4971
+server = {{ burp_server }}
+password = {{ burp_password }}
+cname = {{ burp_cname }}
+pidfile = /var/run/burp.client.pid
+syslog = 1
+stdout = 0
+progress_counter = 0
+# Ratelimit throttles the send speed. Specified in Megabits per second (Mb/s).
+# ratelimit = 1.5
+# Network timeout defaults to 7200 seconds (2 hours).
+# network_timeout = 7200
+
+# Set server_can_restore to 0 if you do not want the server to be able to
+# initiate a restore.
+server_can_restore = 0
+
+# Set an encryption password if you do not trust the server with your data.
+# Note that this will mean that network deltas will not be possible. Each time
+# a file changes, the whole file will be transferred on the next backup.
+# encryption_password = My^$pAsswIrD%@
+
+# More configuration files can be read, using syntax like the following
+# (without the leading '# ').
+# . path/to/more/conf
+
+# Run as different user/group.
+# user=graham
+# group=nogroup
+
+#cross_filesystem=/home
+cross_all_filesystems=0
+
+# Uncomment the following lines to automatically generate a certificate signing
+# request and send it to the server.
+ca_burp_ca = /usr/sbin/burp_ca
+ca_csr_dir = /etc/burp/CA-client
+
+# SSL certificate authority - same file on both server and client
+ssl_cert_ca = /etc/burp/ssl_cert_ca.pem
+
+# Client SSL certificate
+ssl_cert = /etc/burp/ssl_cert-client.pem
+
+# Client SSL key
+ssl_key = /etc/burp/ssl_cert-client.key
+
+# Client SSL ciphers
+#ssl_ciphers = 
+
+# SSL key password
+#ssl_key_password = password
+
+# Common name in the certificate that the server gives us
+ssl_peer_cn = {{ burp_server_cn }}
+{% if burp_backup_script_pre is defined %}
+
+backup_script_pre = {{ burp_backup_script_pre }}
+{% if burp_backup_script_pre_args is defined %}
+{% for arg in burp_backup_script_pre_args %}
+backup_script_pre_arg = {{ arg }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% if burp_backup_script_post is defined %}
+
+backup_script_post = {{ burp_backup_script_post }}
+{% if burp_backup_script_post_args is defined %}
+{% for arg in burp_backup_script_post_args %}
+backup_script_post_arg = {{ arg }}
+{% endfor %}
+{% endif %}
+backup_script_post_run_on_fail = {{ burp_backup_script_post_run_on_fail|d(0) }}
+{% endif %}
+
+# The following options specify exactly what to backup.
+# The server will override them if there is at least one 'include=' line on
+# the server side.
+#include = /home
+#exclude = /home/graham/testdir/librsync-0.9.7/testsuite
+#include = /home/graham/testdir/librsync-0.9.7/testsuite/deep
+#include = /home/graham/xdir
+#exclude = /home/graham/testdir/libr
+# Exclude file names ending in '.vdi' or '.vmdk' (case insensitive)
+#exclude_ext = vdi
+#exclude_ext = vmd
+# Exlude file path matching a regular expression
+# (note that 'include_regex' is not yet implemented)
+#exclude_regex = \.cache
+# Exclude various temporary file systems. You may want to add devfs, devpts,
+# proc, ramfs, etc.
+exclude_fs = sysfs
+exclude_fs = tmpfs
+# Exclude files based on size. Defaults are 0, which means no limit.
+#min_file_size = 0 Mb
+#max_file_size = 0 Mb
+# The content of directories containing a filesystem entry named like this
+# will not be backed up.
+nobackup = .nobackup
+# By default, burp backups up the fifos themselves, rather than reading from
+# them. These two options let you choose a particular fifo to read, or read
+# from all fifos.
+#read_fifo=/path/to/a/fifo
+#read_all_fifos=0
+# The same for block device nodes.
+#read_blockdev=/path/to/a/blockdev
+#read_all_blockdevs=0
+# Exclude files from compression by extension.
+exclude_comp=bz2
+exclude_comp=gz
+# When backing up, whether to enable O_NOATIME when opening files and
+# directories. The default is atime=0, which enables O_NOATIME.
+# atime=1
+
+exclude_regex=lost\+_found
+{% for item in burp_backup %}
+{% for key, value in item|dictsort %}
+{{ key }} = {{ value }}
+{% endfor %}
+{% endfor %}

roles/burp-client/templates/server-clientconf.j2

@@ -0,0 +1,3 @@
+{% for key, value in default_burp_client_conf|combine(burp_client_conf)|dictsort %}
+{{ key }} = {{ value }}
+{% endfor %}

roles/burp-client/vars/RedHat.yml

@@ -0,0 +1,4 @@
+burp_client_packages:
+- burp
+- openssl
+burp_backup_crontab: burp-backup.cron

roles/burp-client/vars/defaults.yml

@@ -0,0 +1,3 @@
+burp_client_packages:
+- burp
+burp_backup_crontab: burp-backup.fcron

roles/burp-client/vars/main.yml

@@ -0,0 +1,2 @@
+default_burp_client_conf:
+  password: '{{ burp_password }}'

roles/burp-server/defaults/main.yml

@@ -0,0 +1,10 @@
+burp_keep: 7
+burp_client_conf: {}
+burp_notify_success: '{{ burp_notify is defined }}'
+burp_notify_failure: '{{ burp_notify is defined }}'
+burp_backup_interval: 20h
+burp_hardlinked_archive: false
+burp_ca_server_name: '{{ ansible_fqdn }}'
+burp_notify_script: '{{ burp_script_path }}/notify_script'
+burp_timer_script: '{{ burp_script_path }}/timer_script'
+burp_server_script_pre: '{{ burp_script_path }}/ssl_extra_checks_script'

roles/burp-server/files/burp.tmpfiles.conf

@@ -0,0 +1 @@
+d /run/burp 0755 burp burp -

roles/burp-server/handlers/main.yml

@@ -0,0 +1,8 @@
+- name: process tmpfiles
+  command: '{{ tmpfiles_cmd }} --create'
+- name: restart burp server
+  service:
+    name=burp
+    state=restarted
+- name: save firewalld configuration
+  command: firewall-cmd --runtime-to-permanent

roles/burp-server/library/burp_version

@@ -0,0 +1,23 @@
+# vim: set ft=python :
+
+def main():
+    module = AnsibleModule(
+        argument_spec={},
+        supports_check_mode=True,
+    )
+
+    burp = module.get_bin_path('burp', required=True)
+    rc, out, err = module.run_command([burp, '-v'], check_rc=True)
+    burp_version = out.strip().split('-')[1]
+
+    module.exit_json(
+        ansible_facts={
+            'burp_version': burp_version,
+        }
+    )
+
+
+from ansible.module_utils.basic import *
+
+if __name__ == '__main__':
+    main()

roles/burp-server/tasks/burp-defaults.yml

@@ -0,0 +1 @@
+burp_script_path: /usr/share/burp/scripts

roles/burp-server/tasks/burp1.yml

@@ -0,0 +1 @@
+burp_script_path: /etc/burp

roles/burp-server/tasks/ca.yml

@@ -0,0 +1,41 @@
+- name: ensure burp ca is configured
+  template:
+    src=CA.cnf.j2
+    dest=/etc/burp/CA.cnf
+    mode=0644
+- name: ensure burp ca is initialized
+  become: true
+  become_user: burp
+  command:
+    burp_ca --ca burpCA --dir {{ burp_ca_dir }}
+    --config /etc/burp/CA.cnf
+    --init
+    creates={{ burp_ca_dir }}/CA_burpCA.crt
+- name: ensure burp server private key exists
+  become: true
+  become_user: burp
+  command:
+    burp_ca --ca burpCA --dir {{ burp_ca_dir }}
+    --config /etc/burp/CA.cnf
+    --request --key --name {{ burp_ca_server_name }} --batch
+    creates={{ burp_ca_dir }}/{{ burp_ca_server_name }}.key
+- name: ensure burp server certificate exists
+  become: true
+  become_user: burp
+  command:
+    burp_ca --ca burpCA --dir {{ burp_ca_dir }}
+    --config /etc/burp/CA.cnf
+    --sign --name {{ burp_ca_server_name }} --batch
+    creates={{ burp_ca_dir }}/{{ burp_ca_server_name }}.crt
+- name: ensure burp certificate symlinks exist
+  file:
+    path=/etc/burp/{{ item.path }}
+    src={{ burp_ca_dir }}/{{ item.src }}
+    state=link
+  with_items:
+  - path: ssl_cert_ca.pem
+    src: CA_burpCA.crt
+  - path: ssl_cert-server.key
+    src: '{{ burp_ca_server_name }}.key'
+  - path: ssl_cert-server.pem
+    src: '{{ burp_ca_server_name }}.crt'

roles/burp-server/tasks/main.yml

@@ -0,0 +1,108 @@
+- name: load distribution-specific variables
+  include_vars: '{{ item }}'
+  with_first_found:
+  - '{{ ansible_distribution }}.yml'
+  - '{{ ansible_os_family }}.yml'
+  - defaults.yml
+  tags:
+  - always
+
+- name: ensure burp server is installed
+  package:
+    name={{ burp_server_package }}
+    state=present
+  tags:
+  - install
+- name: check burp version
+  burp_version:
+- debug: var=burp_version
+- name: load burp version-specific variables
+  include_vars: '{{ item }}'
+  with_first_found:
+  - burp{{ burp_version[0] }}.yml
+  - burp-defaults.yml
+
+- name: ensure burp user exists
+  user:
+    name=burp
+    system=yes
+    home=/dev/null
+    createhome=no
+    shell=/sbin/nologin
+  tags:
+  - user
+
+- name: ensure tmpfiles.d directory exists
+  file:
+    path=/etc/tmpfiles.d
+    mode=0755
+    state=directory
+- name: ensure burp tmpfiles are configured
+  copy:
+    src=burp.tmpfiles.conf
+    dest=/etc/tmpfiles.d/burp.conf
+    mode=0644
+  notify: process tmpfiles
+- meta: flush_handlers
+- name: ensure burp persistent state directory exists
+  file:
+    path=/var/lib/burp
+    owner=root
+    group=burp
+    mode=0770
+    state=directory
+- name: ensure burp volume is mounted
+  mount:
+    name=/var/spool/burp
+    src={{ burp_backup_volume }}
+    fstype={{ burp_backup_volume_fstype }}
+    opts=noatime
+    state=mounted
+  when: burp_backup_volume is defined
+- name: ensure burp directory permissions are correct
+  file:
+    path=/var/spool/burp
+    owner=root
+    group=burp
+    mode=0770
+    state=directory
+- name: ensure burp server is configured
+  template:
+    src=burp-server.conf.j2
+    dest=/etc/burp/burp-server.conf
+    owner=root
+    group=burp
+    mode=0640
+  notify: restart burp server
+- name: ensure burp dh params are set
+  command:
+    burp_ca --dhfile /etc/burp/dhfile.pem
+    creates=/etc/burp/dhfile.pem
+- name: ensure burp dh params file permissions are correct
+  file:
+    path=/etc/burp/dhfile.pem
+    mode=0600
+    owner=burp
+    group=burp
+
+- import_tasks: ca.yml
+
+- name: ensure burp server starts at boot
+  service:
+    name=burp
+    enabled=yes
+- meta: flush_handlers
+- name: ensure burp server is running
+  service:
+    name=burp
+    state=started
+
+- name: ensure burp is allowed through the firewall
+  firewalld:
+    port=4971/tcp
+    immediate=yes
+    permanent=no
+    state=enabled
+  notify: save firewalld configuration
+  tags:
+  - firewalld

roles/burp-server/templates/CA.cnf.j2

@@ -0,0 +1,33 @@
+# simple config for burp_ca
+
+RANDFILE                = /dev/urandom
+CA_DIR                  = {{ burp_ca_dir }}
+
+
+[ ca ]
+dir                     = $ENV::CA_DIR
+database                = $dir/index.txt
+serial                  = $dir/serial.txt
+certs                   = $dir/certs
+new_certs_dir           = $dir/newcerts
+crlnumber               = $dir/crlnumber.txt
+
+unique_subject          = no
+
+default_md              = sha256
+default_days            = 7300
+default_crl_days        = 7300
+
+#????
+name_opt                = ca_default
+cert_opt                = ca_default
+
+x509_extensions         = usr_cert
+copy_extensions         = copy
+policy                  = policy_anything
+
+[ usr_cert ]
+basicConstraints        = CA:FALSE
+
+[ policy_anything ]
+commonName              = supplied

roles/burp-server/templates/burp-server.conf.j2

@@ -0,0 +1,197 @@
+{% set is_burp2 = burp_version|version_compare('2.0', '>=') %}
+# This is an example config file for the burp server.
+
+mode = server
+{% if is_burp2 %}
+
+# The default addresses to listen on depend upon compile time options.
+# They may be overridden here.
+#address = 0.0.0.0
+{% endif %}
+port = 4971
+{% if is_burp2 %}
+# Think carefully before changing the status port address, as it can be used
+# to view the contents of backups.
+#status_address = 127.0.0.1
+# If you do not wish to run a status server at all, comment status_port out.
+{% endif %}
+status_port = 4972
+directory = /var/spool/burp
+{% if is_burp2 %}
+dedup_group = {{ burp_dedup_group|d('global') }}
+{% endif %}
+{% if is_burp2 %}
+# Choose the protocol to use.
+# 0 to decide automatically, 1 to force protocol1 mode (file level granularity
+# with a pseudo mirrored storage on the server and optional rsync). 2 forces
+# protocol2 mode (inline deduplication with variable length blocks).
+# Like many other settings, this can be set per client in the clientconfdir
+# files.
+# protocol = 0
+{% endif %}
+clientconfdir = /etc/burp/clientconfdir
+pidfile = /run/burp/server.pid
+hardlinked_archive = {{ burp_hardlinked_archive|bool|int }}
+{% if burp_librsync is defined %}
+librsync = {{ burp_librsync|bool|int }}
+{% endif %}
+working_dir_recovery_method = delete
+max_children = 5
+max_status_children = 5
+umask = 0022
+syslog = 1
+stdout = 0
+# The following options can restrict what the client can do.
+# Note that restore_clients will still be able to do all of these operations,
+# except for force_backup.
+client_can_delete = 1
+# Set client_can_force_backup to 0 to only allow timed backups.
+client_can_force_backup = 1
+client_can_list = 1
+# Set client_can_restore to 0 if you want restores to only be initialised by
+# the server.
+client_can_restore = 1
+client_can_verify = 1
+# Ratelimit throttles the send speed. Specified in Megabits per second (Mb/s).
+# ratelimit = 1.5
+# Network timeout defaults to 7200 seconds (2 hours).
+# network_timeout = 7200
+{% if is_burp2 %}
+
+# Server storage compression. Default is zlib9. Set to zlib0 to turn it off.
+#compression = zlib9
+{% endif %}
+
+# When the client version does not match the server version, log a warning.
+# Set to 0 to turn it off.
+version_warn = 1
+
+# More configuration files can be read, using syntax like the following
+# (without the leading '# ').
+# . path/to/more/conf
+
+# You can have as many 'keep' lines as you like.
+# For example, if running backups daily, setting 7, 4, 6 will keep
+# 7 daily backups, 4 weekly, and 6 four-weekly backups.
+{% if burp_keep is iterable and burp_keep is not string %}
+{% for k in burp_keep %}
+keep = {{ k }}
+{% endfor %}
+{% else %}
+keep = {{ burp_keep }}
+{% endif %}
+
+# Run as different user/group.
+user = burp
+group = burp
+
+# CA options.
+# If you want your server to be a certificate authority and generate its own
+# certificates, uncomment the following lines. If the directory specified in
+# ca_conf does not exist, the server will create, populate it, and the paths
+# indicated by ssl_cert_ca, ssl_cert, ssl_key and ssl_dhfile below will be
+# overwritten. See docs/burp_ca.txt for more information.
+ca_conf = /etc/burp/CA.cnf
+ca_name = burpCA
+ca_server_name = {{ burp_ca_server_name }}
+ca_burp_ca = /usr/sbin/burp_ca
+{% if is_burp2 %}
+
+# Check for revoked certificates in the certificate revocation list.
+# Turn this off if you use the old ssl_extra_checks_script server script.
+ca_crl_check = 1
+{% endif %}
+
+# SSL certificate authority - same file on both server and client
+ssl_cert_ca = /etc/burp/ssl_cert_ca.pem
+
+# Server SSL certificate
+ssl_cert = /etc/burp/ssl_cert-server.pem
+
+# Server SSL key
+ssl_key = /etc/burp/ssl_cert-server.key
+
+# Server SSL ciphers
+#ssl_ciphers = 
+{% if is_burp2 %}
+
+# Server SSL compression. Default is zlib5. Set to zlib0 to turn it off.
+#ssl_compression = zlib5
+{% endif %}
+
+# SSL key password
+#ssl_key_password = password
+
+# Server DH file.
+ssl_dhfile = /etc/burp/dhfile.pem
+
+timer_script = {{ burp_timer_script }}
+# Ensure that 20 hours elapse between backups
+# Available units:
+# s (seconds), m (minutes), h (hours), d (days), w (weeks), n (months)
+timer_arg = {{ burp_backup_interval }}
+{% if burp_timebands is defined %}
+{% for timeband in burp_timebands %}
+timer_arg = {{ timeband }}
+{% endfor %}
+{% else %}
+# Allow backups to start in the evenings and nights during weekdays
+timer_arg = Mon,Tue,Wed,Thu,Fri,00,01,02,03,04,05,19,20,21,22,23
+# Allow more hours at the weekend.
+timer_arg = Sat,Sun,00,01,02,03,04,05,06,07,08,17,18,19,20,21,22,23
+{% endif %}
+# Note that, if you specify no timebands, the default timer script will never
+# allow backups.
+
+# Uncomment the notify_success_* lines for email notifications of backups that
+# succeeded.
+# In the subject line, the following are substituted:
+# %b - "backup"/"restore"/"verify"
+# %c - client name
+# %w - number of warnings, if any
+{% if burp_notify_success|bool %}
+notify_success_script = {{ burp_notify_script }}
+notify_success_arg = sendmail -t
+notify_success_arg = To: {{ burp_notify }}
+notify_success_arg = From: burp
+notify_success_arg = Subject: %b succeeded: %c %w
+{% endif %}
+# Uncomment the following to have success notifications only if there were
+# warnings.
+#notify_success_warnings_only = 1
+# Uncomment the following to have success notifications only if there were
+# new or changed files.
+#notify_success_changes_only = 1
+
+# Uncomment the following for email notifications of backups that failed.
+{% if burp_notify_failure|bool %}
+notify_failure_script = {{ burp_notify_script }}
+notify_failure_arg = sendmail -t
+notify_failure_arg = To: {{ burp_notify }}
+notify_failure_arg = From: burp
+notify_failure_arg = Subject: %b failed: %c %w
+{% endif %}
+
+# The server can run scripts on each connection after authentication and before
+# disconnecting.
+#server_script_pre = {{ burp_server_script_pre }}
+#server_script_pre_arg = /etc/burp/crl
+#server_script_pre_arg = /etc/burp/burp-server.conf
+#server_script_pre_arg = /etc/burp/server-pre-script.local
+# Set server_script_pre_notify to 1 to have notifications on server_script_pre
+# returning non-zero. Most people will want to leave this off - it could
+# result in a lot of emails because clients normally connect once every 20
+# minutes. Requires notify_failure_script to be set above.
+#server_script_pre_notify = 0
+#server_script_post = 
+#server_script_post_arg = 
+#server_script_post_arg = 
+#server_script_post_run_on_fail=0
+# As for server_script_pre_notify, but for post.
+#server_script_post_notify = 0
+
+# Clients that are able to list and restore files belonging to any other
+# client. If this is too permissive, you may set a restore_client for
+# individual original clients in the individual clientconfdir files.
+# restore_client = someclient
+# restore_client = someotherclient

roles/burp-server/vars/RedHat.yml

@@ -0,0 +1,3 @@
+burp_server_package: burp-server
+burp_client_package: burp-client
+tmpfiles_cmd: systemd-tmpfiles

roles/burp-server/vars/defaults.yml

@@ -0,0 +1,3 @@
+burp_server_package: burp
+burp_client_package: burp
+tmpfiles_cmd: opentmpfiles

roles/burp-server/vars/main.yml

@@ -0,0 +1 @@
+burp_ca_dir: /var/lib/burp/CA

roles/cronie/tasks/main.yml

@@ -0,0 +1,15 @@
+- name: ensure cronie is installed
+  package:
+    name=cronie
+    state=present
+  tags:
+  - install
+
+- name: ensure cronie starts at boot
+  service:
+    name=crond
+    enabled=yes
+- name: ensure cronie is running
+  service:
+    name=crond
+    state=started

roles/dch-vpn-server/files/vpn.pyrocufflink.net.ipsec.conf

@@ -25,5 +25,5 @@ conn remote-access
 	right = %any
 	rightsourceip = 172.31.0.64/28
 	rightauth = pubkey
-	rightdns = 172.31.0.4,172.31.0.10
+	rightdns = 172.30.0.4
 	auto = add

roles/postfix/tasks/main.yml

@@ -1,3 +1,8 @@
+- name: load architecture-specific values
+  include_vars: '{{ item }}'
+  with_first_found:
+  - '{{ ansible_architecture }}.yml'
+  - default-architecture.yml
 - name: load distribution-specifc values
   include_vars: '{{ item }}'
   with_first_found:

roles/postfix/vars/default-architecture.yml

@@ -0,0 +1 @@
+arch_libdir: lib

roles/postfix/vars/defaults.yml

@@ -5,4 +5,4 @@ postfix_compatibility_level: 2
 postfix_sample_directory: /usr/share/doc/postfix/samples
 postfix_readme_directory: /usr/share/doc/postfix/README_FILES
 postfix_meta_directory: /etc/postfix
-postfix_shlib_directory: /usr/lib/postfix
+postfix_shlib_directory: /usr/{{ arch_libdir }}/postfix

roles/postfix/vars/x86_64.yml

@@ -0,0 +1 @@
+arch_libdir: lib64

vault/burp/file0.pyrocufflink.blue

@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+35333737626333633932663438313163643139303833393661393738653036306465353562626533
+3437643431356461383165363837636461356639333738370a656138636361386235396366313036
+36353635396230366337653566303435323565616438373161623936636130656331366462383536
+3162346339356431630a343539353862366162626562303836646532383637653639323265643564
+62633563303963383664356335363533356563643138663163383463386364303965373062643761
+63643366653862306363366430363735333365666161326462613464373364373065396166333363
+306161306335396232346239653163313061