Minor changes

Reviewed-on: #1

.gitea/workflows/ansible-deploy.yml

@@ -9,10 +9,8 @@ jobs:
     strategy:
       matrix:
         playbook:
-          - Ansible/openssh.yml
-          - Ansible/cloudflare-dns.yml
-          - Ansible/heartbeat.yml
-          - Ansible/debian.yml
+          - ansible/playbooks/debian.yml
+          - ansible/playbooks/proxmox.yml
     steps:
       - name: Copy SSH Key
         run: | 
@@ -26,6 +24,11 @@ jobs:
         with:
           submodules: recursive
 
+      - name: Install Pip
+        run: |
+          apt update -y
+          apt install python3-pip -y
+
       - name: "Cache python packages"
         uses: actions/cache@v3
         with:
@@ -34,13 +37,11 @@ jobs:
 
       - name: Install Ansible
         run: |
-          apt update -y
-          apt install python3-pip -y
           python3 -m pip install ansible==${{ env.ANSIBLE_VERSION }}
 
-      #- name: Install Ansible Galaxy requirements
-      #  run: |
-      #    ansible-galaxy install -r requirements.yaml
+      - name: Install Ansible Galaxy requirements
+        run: |
+          ansible-galaxy install -r ./ansible/requirements.yaml
 
       - name: Run playbook
         uses: dawidd6/action-ansible-playbook@v2
@@ -53,5 +54,5 @@ jobs:
           # requirements: requirements.yaml
 
           options: |
-            --inventory Ansible/inventory.ini
-            --extra-vars "@Ansible/homelab-vault/secrets.yml"
+            --inventory ansible/inventory/homelab.ini
+            --extra-vars "@ansible/homelab-vault/secrets.yml"

.gitea/workflows/ansible-lint.yml

@@ -4,15 +4,19 @@ on: [push]
 jobs:
   build:
     runs-on: ubuntu-latest
+    env:
+      RUNNER_TOOL_CACHE: /toolcache
     steps:
       - name: Install Ansible-Lint
         run: |
           apt update -y
-          apt install python3-pip -y
-          python3 -m pip install ansible
+          apt install python3-pip ansible -y
           python3 -m pip install ansible-lint
       - name: Checkout
         uses: actions/checkout@v3
+      - name: Install Ansible Galaxy requirements
+        run: |
+          ansible-galaxy install -r ./ansible/requirements.yaml
       - name: Ansible-Lint
         run: |
-          ansible-lint ./Ansible     
+          ansible-lint ./ansible     

.gitignore

@@ -1,3 +1,4 @@
 .vscode/
 *.log
-nmap.xml
+nmap.xml
+.DS_Store

.gitmodules

@@ -2,5 +2,8 @@
 	path = Configs/elk-stack/docker-elk
 	url = https://github.com/deviantony/docker-elk.git
 [submodule "Ansible/homelab-vault"]
-	path = Ansible/homelab-vault
+	path = ansible/homelab-vault
 	url = gitea@10.0.0.8:BenHays42/homelab-vault.git
+[submodule "ansible/thirdparty/mac-dev-playbook"]
+	path = ansible/thirdparty/mac-dev-playbook
+	url = https://github.com/geerlingguy/mac-dev-playbook.git

Ansible/cloudflare-dns.yml

@@ -1,36 +0,0 @@
----
-- name: Cloudflare Dynamic DNS Script
-  hosts: linux
-  remote_user: bhays
-  become: true
-  become_user: root
-  vars_files:
-    - homelab-vault/secrets.yml
-  tasks:
-    - name: Copy Cloudflare IPAM Script
-      ansible.builtin.copy:
-        owner: bhays
-        mode: "0700"
-        src: ../Bash/cloudflare-dns.sh
-        dest: /opt/cloudflare-dns.sh
-    - name: Insert API Token
-      ansible.builtin.replace:
-        path: "/opt/cloudflare-dns.sh"
-        regexp: "^cloudflare_zone_api_token=''"
-        replace: "cloudflare_zone_api_token='{{ CF_API_TOKEN }}'"
-    - name: Insert Zone ID
-      ansible.builtin.replace:
-        path: "/opt/cloudflare-dns.sh"
-        regexp: "^zoneid=''"
-        replace: "zoneid='{{ CF_ZONE_ID }}'"
-    - name: Insert Zone ID
-      ansible.builtin.replace:
-        path: "/opt/cloudflare-dns.sh"
-        regexp: "^dns_record=''"
-        replace: "dns_record='{{ inventory_hostname }}'"
-    - name: Add Cronjob for IPAM Script
-      ansible.builtin.cron:
-        name: "Cloudflare IPAM Script"
-        job: "/opt/cloudflare-dns.sh"
-        special_time: hourly
-        user: bhays

Ansible/debian.yml

@@ -1,20 +0,0 @@
----
-- name: Debian Hardening
-  hosts: linux
-  remote_user: bhays
-  become: true
-  become_user: root
-  vars_files:
-    - homelab-vault/secrets.yml
-  tasks:
-    - name: Update/install Debian Utilities
-      ansible.builtin.apt:
-        name:
-          - "apt-listchanges"
-          - "needrestart"
-          - "libpam-tmpdir"
-          - "debsums"
-          - "apt-show-versions"
-        state: latest
-        update_cache: true
-    # TODO: Harden /etc/protocols, PAM configuration, /etc/login.defs, pam_cracklib, auto upgrades, banner to /etc/issue, auditd/sysstat, chkrootkit

Ansible/fail2ban.yml

@@ -1,26 +0,0 @@
----
-- name: Fail2ban Configuration
-  hosts: linux
-  remote_user: bhays
-  become: true
-  become_user: root
-  tasks:
-    - name: Update/install Fail2Ban
-      ansible.builtin.apt:
-        name: fail2ban
-        state: latest
-        update_cache: true
-    - name: Copy Secure Configuration File
-      ansible.builtin.copy:
-        mode: "0664"
-        src: ../Configs/jail.local
-        dest: /etc/fail2ban/jail.local
-    - name: Restart Fail2Ban
-      ansible.builtin.systemd:
-        name: fail2ban
-        state: restarted
-    - name: Disable Postfix
-      ansible.builtin.systemd:
-        name: postfix
-        state: stopped
-        enabled: false

Ansible/heartbeat.yml

@@ -1,15 +0,0 @@
----
-- name: Betterstack Heartbeat Cronjob
-  hosts: linux
-  remote_user: bhays
-  become: true
-  become_user: root
-  vars_files:
-    - homelab-vault/secrets.yml
-  tasks:
-    - name: Add Cronjob
-      ansible.builtin.cron:
-        name: "Betterstack Heartbeat"
-        job: "curl {{ heartbeat_url }}"
-        special_time: hourly
-        user: bhays

Ansible/homelab-vault

@@ -1 +0,0 @@
-Subproject commit e95c8ff2aef2e919e5bf0fc8133aaec69ea8dc08

Ansible/inventory.ini

@@ -1,10 +0,0 @@
-[proxmox]
-proxmox.benhays.cloud
-
-[linux]
-devops.benhays.cloud heartbeat_url="https://uptime.betterstack.com/api/v1/heartbeat/xVM4MLbQARNndNDcSA5bsnpR"
-web.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/cyWGjSGDk1VFJNtabDB8tchU'
-tailscale.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/Sp7CXapJDwtjQmCMVdjeQsMy'
-bitwarden.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/YUBUtgJjBDJKEqM1qUXroj1v'
-nextcloud.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/oijvrZGFtc9Dev2AefP8iTfB'
-

Ansible/openssh.yml

@@ -1,51 +0,0 @@
-- name: OpenSSH Configuration Playbook
-  hosts: linux
-  remote_user: bhays
-  become: true
-  become_user: root
-  tasks:
-    - name: Update/install OpenSSH
-      ansible.builtin.apt:
-        name: openssh-server
-        state: latest
-        update_cache: true
-    - name: Add 'bhays' user
-      ansible.builtin.user:
-        name: bhays
-        groups: sudo,adm
-        append: true
-        shell: /bin/bash
-        comment: Benjamin Hays
-    - name: Update/install Sudo
-      ansible.builtin.apt:
-        name: sudo
-        state: latest
-    - name: Ensure .ssh user folder exists
-      ansible.builtin.file:
-        path: "/home/bhays/.ssh/"
-        owner: bhays
-        group: bhays
-        mode: "0770"
-        state: directory
-    - name: Copy public key
-      ansible.builtin.copy:
-        owner: bhays
-        mode: "0600"
-        src: ../Configs/authorized_keys
-        dest: /home/bhays/.ssh/authorized_keys
-    - name: Copy secure login banner
-      ansible.builtin.copy:
-        owner: root
-        mode: "0644"
-        src: ../Configs/login_banner
-        dest: /etc/login_banner
-    - name: Copy Secure Configuration File
-      ansible.builtin.copy:
-        owner: bhays
-        mode: "0600"
-        src: ../Configs/sshd_config
-        dest: /etc/ssh/sshd_config
-    - name: Restart OpenSSH
-      ansible.builtin.systemd:
-        name: sshd
-        state: restarted

PowerShell/Find-RDP.ps1

@@ -1,11 +0,0 @@
-# Find-RDP.ps1
-# (c) Ben Hays, 2023
-# Description: Find all the computers joined to an AD domain that are running RDP
-
-$computers = Get-ADComputer -Filter *
-foreach ($Name in $computers.DNSHostName) {
-    $rdpSuccess = Test-Connection -TargetName $Name -TimeoutSeconds 2 -TcpPort 3389 -Quiet
-    if ($rdpSuccess) {
-        Write-Output $Name
-    }
-}

PowerShell/Get-Programs.ps1

@@ -1,15 +0,0 @@
-# Get-Programs.ps1
-# (c) Ben Hays, 2023
-# Description: Get a list of installed programs for backup purposes
-
-$FinalList = @()
-
-# Grab list from common directories
-$ProgramDirs = "C:\Program Files", "C:\Program Files (x86)"
-$FinalList += Get-ChildItem $ProgramDirs | Where-Object { $_.PSIsContainer } | Select-Object -ExpandProperty Name -Unique | Sort-Object
-
-# Grab list from Windows Registry
-$FinalList += Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | Where-Object { $_.DisplayName } | Select-Object -ExpandProperty DisplayName -Unique
-$FinalList += Get-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | Where-Object { $_.DisplayName } | Select-Object -ExpandProperty DisplayName -Unique
-
-Write-Output $FinalList

ansible.cfg

@@ -1,7 +1,8 @@
 [defaults]
 nocows = 1
 host_key_checking = False
-inventory = ./Ansible/inventory.ini
+inventory = ./ansible/inventory/homelab.ini
+interpreter_python=auto_silent  
 
 [privilege_escalation]
 #become_ask_pass = True

ansible/ansible.cfg

@@ -1,7 +1,8 @@
 [defaults]
 nocows = 1
 host_key_checking = False
-inventory = ./inventory.ini
+inventory = ./inventory/homelab.ini
+interpreter_python=auto_silent  
 
 [privilege_escalation]
 #become_ask_pass = True

ansible/homelab-vault

@@ -0,0 +1 @@
+Subproject commit db990959c89083a71a90bb7f9ee99890d3e6ce0e

ansible/inventory/homelab.ini

@@ -0,0 +1,12 @@
+[proxmox]
+proxmox.benhays.cloud
+
+[debian_servers]
+web.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/cyWGjSGDk1VFJNtabDB8tchU' # <--- Debian 12
+devops.benhays.cloud heartbeat_url="https://uptime.betterstack.com/api/v1/heartbeat/xVM4MLbQARNndNDcSA5bsnpR"    # <---
+tailscale.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/Sp7CXapJDwtjQmCMVdjeQsMy' # <--- All the rest are Ubuntu 22.04
+bitwarden.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/YUBUtgJjBDJKEqM1qUXroj1v' # <---
+#nextcloud.benhays.cloud heartbeat_url='https://uptime.betterstack.com/api/v1/heartbeat/oijvrZGFtc9Dev2AefP8iTfB' # <---
+#irc.benhays.cloud
+dns01.benhays.cloud
+dns02.benhays.cloud

ansible/playbooks/debian.yml

@@ -0,0 +1,23 @@
+---
+- name: Debian Server Hardening
+  hosts: debian_servers
+  remote_user: bhays
+  become: true
+  become_user: root
+  vars_files:
+    - ../homelab-vault/secrets.yml
+  pre_tasks:
+    - name: Update apt cache if needed.
+      ansible.builtin.apt:
+        update_cache: true
+        cache_valid_time: 3600
+  tasks:
+    # - name: Cloudflare DDNS Cronjob
+    #  ansible.builtin.import_tasks: ../roles/cloudflare-dns.yml
+    - name: Heartbeat Cronjob for Betterstack
+      ansible.builtin.import_tasks: ../roles/heartbeat.yml
+      when: heartbeat_url is defined
+    - name: OpenSSH Hardening
+      ansible.builtin.import_tasks: ../roles/openssh.yml
+    - name: Generic Debian Hardening
+      ansible.builtin.import_tasks: ../roles/debian.yml

ansible/playbooks/desktop.yml

@@ -0,0 +1,45 @@
+- name: Desktop Configuration
+  hosts: localhost
+  gather_facts: true
+  become: true
+  become_method: ansible.builtin.sudo
+  become_user: root
+  vars_files:
+    - ../homelab-vault/secrets.yml
+  tasks:
+    - name: OpenSSH Hardening
+      ansible.builtin.import_tasks: ../roles/openssh.yml
+    - name: Install Homebrew
+      when: ansible_os_family == "Darwin"
+      changed_when: false
+      ansible.builtin.shell:
+        cmd: /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+        args:
+          executable: /bin/bash
+    - name: Install Homebrew Packages
+      when: ansible_os_family == "Darwin"
+      community.general.homebrew:
+        name: "{{ item }}"
+        state: latest
+      loop:
+        - git
+        - wget
+        - python3
+        - ansible
+        - neovim
+        - bash-completion
+        - ssh-copy-id
+        - gpg
+    - name: Install Homebrew Cask Apps
+      when: ansible_os_family == "Darwin"
+      community.general.homebrew_cask:
+        name: "{{ item }}"
+        state: present
+      loop:
+        - iterm2
+        - google-chrome
+        - google-drive
+        - visual-studio-code
+        - obsidian
+        - nextcloud
+        - gnucash

ansible/playbooks/pki.yml

@@ -0,0 +1,47 @@
+---
+- name: Public Key Infrastructure
+  hosts: debian_servers
+  remote_user: bhays
+  become: true
+  become_user: root
+  vars_files:
+    - ../homelab-vault/secrets.yml
+  vars:
+    certbot_auto_renew: true
+    certbot_auto_renew_user: root
+    certbot_email: "ben@benhays.org"
+    certbot_cloudflare_api_token: "{{ CF_API_TOKEN }}"
+  roles:
+    - geerlingguy.certbot
+  pre_tasks:
+    - name: Update apt cache if needed.
+      ansible.builtin.apt:
+        update_cache: true
+        cache_valid_time: 3600
+  tasks:
+    - name: Update/install Certbot
+      ansible.builtin.apt:
+        name:
+          - python3-certbot-dns-cloudflare
+        state: latest
+    - name: Create Certbot folder - /etc/letsencrypt
+      ansible.builtin.file:
+        path: /etc/letsencrypt
+        state: directory
+        owner: root
+        group: root
+        mode: "0700"
+    - name: Certbot Template
+      ansible.builtin.template:
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+        owner: root
+        group: root
+        mode: "0600"
+      with_items:
+        - { src: '../templates/dnscloudflare.ini.j2', dest: '/etc/letsencrypt/dnscloudflare.ini' }
+    - name: Generate Certificate
+      # yamllint disable rule:line-length
+      ansible.builtin.command: certbot certonly --non-interactive --agree-tos --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini --dns-cloudflare-propagation-seconds 60 -m {{ certbot_email }} -d {{ ansible_host }}
+      args:
+        creates: /etc/letsencrypt/renewal/{{ ansible_host }}.conf

ansible/playbooks/proxmox.yml

@@ -6,7 +6,7 @@
     - name: Adding ansible SSH Pubkey as authorized
       ansible.builtin.copy:
         mode: "0600"
-        src: ~/.ssh/authorized_keys
+        src: ../../configs/authorized_keys
         dest: /root/.ssh/authorized_keys
     - name: Adding PVE-no-subscription repo
       ansible.builtin.blockinfile:
@@ -15,10 +15,10 @@
         block: |
           # PVE pve-no-subscription repository provided by proxmox.com,
           # NOT recommended for production use
-          deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription
+          deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
     - name: Upgrading system
       ansible.builtin.apt:
-        upgrade: full
+        upgrade: safe
         update_cache: true
         cache_valid_time: 7200
     - name: Installing sudo

ansible/requirements.yaml

@@ -0,0 +1,9 @@
+---
+roles:
+  - name: geerlingguy.certbot
+  - name: elliotweiser.osx-command-line-tools
+  - name: geerlingguy.dotfiles
+
+collections:
+  - name: geerlingguy.mac
+  - name: community.general

ansible/roles/cloudflare-dns.yml

@@ -0,0 +1,32 @@
+---
+- name: Copy Cloudflare IPAM Script
+  ansible.builtin.copy:
+    owner: bhays
+    mode: "0700"
+    src: ../../scripts/cloudflare-dns.sh
+    dest: /opt/cloudflare-dns.sh
+  changed_when: false
+- name: Insert API Token
+  ansible.builtin.replace:
+    path: "/opt/cloudflare-dns.sh"
+    regexp: "^cloudflare_zone_api_token=''"
+    replace: "cloudflare_zone_api_token='{{ CF_API_TOKEN }}'"
+  changed_when: false
+- name: Insert Zone ID
+  ansible.builtin.replace:
+    path: "/opt/cloudflare-dns.sh"
+    regexp: "^zoneid=''"
+    replace: "zoneid='{{ CF_ZONE_ID }}'"
+  changed_when: false
+- name: Insert DNS Record
+  ansible.builtin.replace:
+    path: "/opt/cloudflare-dns.sh"
+    regexp: "^dns_record=''"
+    replace: "dns_record='{{ inventory_hostname }}'"
+  changed_when: false
+- name: Add Cronjob for IPAM Script
+  ansible.builtin.cron:
+    name: "Cloudflare IPAM Script"
+    job: "/opt/cloudflare-dns.sh"
+    special_time: hourly
+    user: bhays

ansible/roles/debian.yml

@@ -0,0 +1,11 @@
+---
+- name: Update/install Debian Utilities
+  ansible.builtin.apt:
+    name:
+      - "apt-listchanges"
+      - "needrestart"
+      - "libpam-tmpdir"
+      - "debsums"
+      - "apt-show-versions"
+    state: latest
+# TODO: Harden /etc/protocols, PAM configuration, /etc/login.defs, pam_cracklib, auto upgrades, banner to /etc/issue, auditd/sysstat, chkrootkit

ansible/roles/fail2ban.yml

@@ -0,0 +1,19 @@
+---
+- name: Update/install Fail2Ban
+  ansible.builtin.apt:
+    name: fail2ban
+    state: latest
+- name: Copy Secure Configuration File
+  ansible.builtin.copy:
+    mode: "0664"
+    src: ../../configs/jail.local
+    dest: /etc/fail2ban/jail.local
+- name: Restart Fail2Ban
+  ansible.builtin.systemd:
+    name: fail2ban
+    state: restarted
+- name: Disable Postfix
+  ansible.builtin.systemd:
+    name: postfix
+    state: stopped
+    enabled: false

ansible/roles/heartbeat.yml

@@ -0,0 +1,7 @@
+---
+- name: Add Cronjob
+  ansible.builtin.cron:
+    name: "Betterstack Heartbeat"
+    job: "curl {{ heartbeat_url }}"
+    special_time: hourly
+    user: bhays

ansible/roles/openssh.yml

@@ -0,0 +1,64 @@
+- name: Update/install OpenSSH via apt
+  when: ansible_os_family == "Debian"
+  ansible.builtin.apt:
+    name: openssh-server
+    state: latest
+- name: Add 'bhays' user
+  when: ansible_os_family == "Debian"
+  ansible.builtin.user:
+    name: bhays
+    groups: sudo,adm
+    append: true
+    shell: /bin/bash
+    comment: Benjamin Hays
+- name: Update/install Sudo
+  when: ansible_os_family == "Debian"
+  ansible.builtin.apt:
+    name: sudo
+    state: latest
+- name: Ensure .ssh user folder exists
+  when: ansible_os_family == "Debian"
+  ansible.builtin.file:
+    path: "/home/bhays/.ssh/"
+    owner: bhays
+    mode: "0770"
+    state: directory
+- name: Ensure .ssh user folder exists (macOS)
+  when: ansible_os_family == "Darwin"
+  ansible.builtin.file:
+    path: "/Users/bhays/.ssh/"
+    owner: bhays
+    mode: "0770"
+    state: directory
+- name: Copy public key
+  when: ansible_os_family == "Debian"
+  ansible.builtin.copy:
+    owner: bhays
+    mode: "0600"
+    src: ../../config/ssh/authorized_keys
+    dest: /home/bhays/.ssh/authorized_keys
+- name: Copy public key (macOS)
+  when: ansible_os_family == "Darwin"
+  ansible.builtin.copy:
+    owner: bhays
+    mode: "0600"
+    src: ../../config/ssh/authorized_keys
+    dest: /Users/bhays/.ssh/authorized_keys
+- name: Copy secure login banner
+  ansible.builtin.copy:
+    owner: root
+    mode: "0644"
+    src: ../../config/ssh/login_banner
+    dest: /etc/login_banner
+- name: Copy Secure Configuration File
+  ansible.builtin.copy:
+    owner: bhays
+    mode: "0600"
+    src: ../../config/ssh/sshd_config
+    dest: /etc/ssh/sshd_config
+- name: Restart OpenSSH
+  when: ansible_os_family == "Debian"
+  ansible.builtin.systemd:
+    name: ssh
+    state: restarted
+  changed_when: false

ansible/roles/rss2email.yml

@@ -0,0 +1,52 @@
+---
+- name: RSS2Email
+  hosts: devops.benhays.cloud
+  remote_user: bhays
+  become: true
+  become_user: root
+  vars_files:
+    - ../homelab-vault/secrets.yml
+  vars:
+    smtp_server: "smtp.mailbox.org"
+    smtp_port: 465   # for SSL/TLS
+    # smtp_port: 587 # for STARTTLS
+    smtp_username: "ben@benhays.org"
+    smtp_password: "{{ SMTP_PASSWORD }}"
+    to_email: "ben@benhays.org"
+    from_email: "ben@benhays.org"
+  pre_tasks:
+    - name: Update apt cache if needed.
+      ansible.builtin.apt:
+        update_cache: true
+        cache_valid_time: 3600
+  tasks:
+    - name: Update/install RSS2Email
+      ansible.builtin.apt:
+        name:
+          - rss2email
+        state: latest
+    - name: Create XDG_CONFIG folder
+      ansible.builtin.file:
+        path: /home/bhays/.config/
+        state: directory
+        owner: bhays
+        group: bhays
+        mode: "0770"
+    - name: Upload Config Template
+      ansible.builtin.template:
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+        owner: bhays
+        group: bhays
+        mode: "0600"
+      with_items:
+        - { src: '../templates/rss2email.cfg.j2', dest: '/home/bhays/.config/rss2email.cfg' }
+    - name: Run r2e for the first time to cache articles
+      ansible.builtin.command: r2e run --no-send
+      changed_when: true
+    - name: Add Cronjob
+      ansible.builtin.cron:
+        name: "RSS2Email"
+        job: "r2e run"
+        special_time: hourly
+        user: bhays

ansible/templates/dnscloudflare.ini.j2

@@ -0,0 +1 @@
+dns_cloudflare_api_token = {{certbot_cloudflare_api_token}}

ansible/templates/rss2email.cfg.j2

@@ -0,0 +1,100 @@
+[DEFAULT]
+from = {{ from_email }}
+user-agent = rss2email/__VERSION__ (__URL__)
+use-8bit = False
+force-from = False
+use-publisher-email = False
+name-format = {feed-title}: {author}
+to = {{ to_email }}
+proxy = 
+feed-timeout = 60
+same-server-fetch-interval = 0
+active = True
+digest = False
+date-header = False
+date-header-order = modified, issued, created, expired
+bonus-header = 
+trust-guid = True
+trust-link = False
+reply-changes = False
+encodings = US-ASCII, ISO-8859-1, UTF-8, BIG5, ISO-2022-JP
+post-process =
+digest-post-process = 
+html-mail = False
+multipart-html = False
+use-css = False
+css = h1 {
+          font: 18pt Georgia, "Times New Roman";
+        }
+        body {
+          font: 12pt Arial;
+        }
+        a:link {
+          font: 12pt Arial;
+          font-weight: bold;
+          color: #0000cc;
+        }
+        blockquote {
+          font-family: monospace;
+        }
+        .header {
+          background: #e0ecff;
+          border-bottom: solid 4px #c3d9ff;
+          padding: 5px;
+          margin-top: 0px;
+          color: red;
+        }
+        .header a {
+          font-size: 20px;
+          text-decoration: none;
+        }
+        .footer {
+          background: #c3d9ff;
+          border-top: solid 4px #c3d9ff;
+          padding: 5px;
+          margin-bottom: 0px;
+        }
+        #entry {
+          border: solid 4px #c3d9ff;
+        }
+        #body {
+          margin-left: 5px;
+          margin-right: 5px;
+        }
+
+unicode-snob = False
+links-after-each-paragraph = False
+inline-links = True
+wrap-links = True
+body-width = 0
+email-protocol = smtp
+sendmail = /usr/sbin/sendmail
+sendmail_config = 
+smtp-auth = True
+smtp-username = {{ smtp_username }}
+smtp-password = {{ smtp_password }}
+smtp-server = {{ smtp_server }}
+smtp-port = {{ smtp_port }}
+smtp-ssl = True
+imap-auth = False
+imap-username = username
+imap-password = password
+imap-server = imap.example.net
+imap-port = 143
+imap-ssl = False
+imap-mailbox = INBOX
+maildir-path = ~/Maildir
+maildir-mailbox = INBOX
+verbose = info
+
+[feed.eff]
+url = https://www.eff.org/rss/updates.xml
+
+[feed.lwn-features]
+url = https://benhays.org/lwn-features.xml
+
+[feed.lwn-all]
+url = https://benhays.org/lwn-all.xml
+
+[feed.phoronix]
+url = https://www.phoronix.com/rss.php

config/desktops/geerling-config.yml

@@ -0,0 +1,114 @@
+---
+configure_dotfiles: false
+configure_terminal: true
+configure_osx: false
+
+# Set to 'true' to configure the Dock via dockutil.
+configure_dock: false
+dockitems_remove: []
+# - Launchpad
+# - TV
+# - Podcasts
+# - 'App Store'
+dockitems_persist: []
+# - name: "Sublime Text"
+#   path: "/Applications/Sublime Text.app/"
+#   pos: 5
+
+configure_sudoers: false
+sudoers_custom_config: ""
+# Example:
+# sudoers_custom_config: |
+#   # Allow users in admin group to use sudo with no password.
+#   %admin ALL=(ALL) NOPASSWD: ALL
+
+dotfiles_repo: https://github.com/geerlingguy/dotfiles.git
+dotfiles_repo_accept_hostkey: true
+dotfiles_repo_local_destination: ~/Development/GitHub/dotfiles
+dotfiles_repo_version: master # Replace with your default branch
+dotfiles_files:
+  - .zshrc
+  - .gitignore
+  - .inputrc
+  - .osx
+  - .vimrc
+
+homebrew_installed_packages:
+  # - ansible # Installed via Pip.
+  - autoconf
+  - bash-completion
+  - doxygen
+  - gettext
+  - git
+  - gpg
+  - iperf
+  - libevent
+  - sqlite
+  - nmap
+  - node
+  - nvm
+  - ssh-copy-id
+  - readline
+  - openssl
+  - wget
+  - zsh-history-substring-search
+
+homebrew_taps: []
+
+homebrew_cask_appdir: /Applications
+homebrew_cask_apps:
+  - iterm2
+  - google-chrome
+  - google-drive
+  - nextcloud
+  - gnucash
+  - visual-studio-code
+  - obsidian
+
+# See `geerlingguy.mac.mas` role documentation for usage instructions.
+mas_installed_apps: []
+mas_email: ""
+mas_password: ""
+
+osx_script: "~/.osx --no-restart"
+
+# Install packages from other package managers.
+# Note: You are responsible for making sure the required package managers are
+# installed, eg. through homebrew.
+composer_packages: []
+# - name: drush
+#   state: present # present/absent, default: present
+#   version: "^8.1" # default: N/A
+gem_packages: []
+# - name: bundler
+#   state: present # present/absent/latest, default: present
+#   version: "~> 1.15.1" # default: N/A
+npm_packages: []
+# - name: webpack
+#   state: present # present/absent/latest, default: present
+#   version: "^2.6" # default: N/A
+pip_packages: []
+# - name: mkdocs
+#   state: present # present/absent/latest, default: present
+#   version: "0.16.3" # default: N/A
+
+# Set to 'true' to configure Sublime Text.
+configure_sublime: false
+sublime_base_path: "~/Library/Application Support/Sublime Text"
+sublime_config_path: "Packages/User"
+sublime_package_control:
+  - "DocBlockr"
+  - "Dockerfile Syntax Highlighting"
+  - "FileDiffs"
+  - "GitHub Flavored Markdown Preview"
+  - "Jinja2"
+  - "Package Control"
+  - "Pretty JSON"
+  - "SublimeLinter"
+  - "SublimeLinter-contrib-yamllint"
+  - "Theme - Cobalt2"
+  - "TrailingSpaces"
+  - "WordingStatus"
+
+# Glob pattern to ansible task files to run after all other tasks are finished.
+post_provision_tasks: []

config/ssh/ssh_config

@@ -0,0 +1,2 @@
+Host *.benhays.cloud
+    StrictHostKeyChecking no

config/ssh/sshd_config

@@ -16,7 +16,7 @@ LogLevel VERBOSE
 AuthenticationMethods publickey
 
 MaxAuthTries 3
-MaxSessions 2
+MaxSessions 6
 
 Compression no
 TCPKeepAlive no

scripts/compliance-list.txt

@@ -1,4 +1,5 @@
 devops.benhays.cloud
-wiki.benhays.cloud
 tailscale.benhays.cloud
 web.benhays.cloud
+nextcloud.benhays.cloud
+bitwarden.benhays.cloud