diff --git a/ffmwu-build.yml b/ffmwu-build.yml
new file mode 100755
index 0000000..1651e02
--- /dev/null
+++ b/ffmwu-build.yml
@@ -0,0 +1,8 @@
+#!/usr/bin/ansible-playbook
+---
+- hosts: build-servers
+ remote_user: admin
+ strategy: linear
+
+ roles:
+ - ffmwu-build
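Review bot: `remote_user: admin` (L10) presumes the `admin` account already exists on every `build-servers` host, yet creating that user is one of the tasks this commit adds to the `ffmwu-server` role this role depends on, so a fresh host cannot be bootstrapped by this play alone; either document the manual bootstrap or note that the first run needs a different connection user (`-u <bootstrap-user>`). `strategy: linear` is Ansible's default and can be dropped. The play sets no `become`, so every task must carry its own `become: true` — worth a one-line comment here so new tasks are not added without it.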
diff --git a/inventory/host_vars/milchreis.freifunk-mwu.de b/inventory/host_vars/milchreis.freifunk-mwu.de
new file mode 100644
index 0000000..96d25ca
--- /dev/null
+++ b/inventory/host_vars/milchreis.freifunk-mwu.de
@@ -0,0 +1,4 @@
+---
+
+h_v_add_auth_keys: |
+ ssh-rsa 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 maesto@GLaDOS
diff --git a/inventory/hosts b/inventory/hosts
index b91bf82..c45174c 100644
--- a/inventory/hosts
+++ b/inventory/hosts
@@ -27,7 +27,9 @@ simple-ff-servers
[simple-ff-servers] # not meshing
linse.freifunk-mwu.de # ext. DNS-master
-#pudding.freifunk-mwu.de #
+
+[build-servers]
+milchreis.freifunk-mwu.de
[test-vms]
local-test-vm.ffmwu.local ansible_host=192.168.137.7 require_dns=False
diff --git a/roles/ffmwu-build/files/rsync.service b/roles/ffmwu-build/files/rsync.service
new file mode 100644
index 0000000..1ab82ee
--- /dev/null
+++ b/roles/ffmwu-build/files/rsync.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=fast remote file copy program daemon
+ConditionPathExists=/etc/rsyncd.conf
+
+[Service]
+ExecStart=/usr/bin/rsync --daemon -6 --no-detach
+
+[Install]
+WantedBy=multi-user.target
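Review bot: The daemon runs as root (needed for `use chroot = true` in rsyncd.conf) with no systemd sandboxing at all; `PrivateTmp=yes`, `ProtectHome=yes` and `ProtectSystem=full` under `[Service]` are the usual starting set — verify the chroot/setuid path still works with them before committing. `-6` makes the listener IPv6-only, which may well be intended but is not obvious; a comment such as `# IPv6-only listener: <reason>` saves the next reader a trip to the man page. A `Documentation=man:rsync(1) man:rsyncd.conf(5)` line in `[Unit]` would also help.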
diff --git a/roles/ffmwu-build/files/rsyncd.conf b/roles/ffmwu-build/files/rsyncd.conf
new file mode 100644
index 0000000..ec2c0f2
--- /dev/null
+++ b/roles/ffmwu-build/files/rsyncd.conf
@@ -0,0 +1,17 @@
+use chroot = true
+
+max connections = 10
+timeout = 300
+
+transfer logging = false
+log file = /var/log/rsyncd.log
+
+[firmware]
+comment = gluon firmware builds
+path = /var/www/html/firmware
+read only = yes
+list = yes
+uid = nobody
+gid = nogroup
+strict modes = yes
+ignore nonreadable = yes
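Review bot: There is no `hosts allow` (or `address`) setting, so the `firmware` module is listable and readable by any peer that can reach the port; `read only = yes` plus the chroot bounds the exposure, but if the mirrors pulling from this host are a known set, a `hosts allow = <mirror addresses>` line would narrow it. `strict modes = yes` only matters together with a `secrets file`, which this config does not define, so it can be dropped or commented as intentional. `timeout = 300` and `max connections = 10` look reasonable for a public read-only share.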
diff --git a/roles/ffmwu-build/handlers/main.yml b/roles/ffmwu-build/handlers/main.yml
new file mode 100644
index 0000000..6df1caf
--- /dev/null
+++ b/roles/ffmwu-build/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+- name: check apache syntax
+ shell: apachectl -t
+ become: true
+
+- name: restart systemd unit apache2
+ systemd: name=apache2 state=restarted
+ become: true
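Review bot: `shell: apachectl -t` needs no shell; `command: apachectl -t` is the idiomatic form and avoids word-splitting surprises. The restart handler could use `state=reloaded`, since Apache's reload is graceful and does not abort in-flight firmware downloads the way a full restart does — keep `restarted` only if enabling modules is known to require it on this Apache version. Handler ordering (syntax check, then restart) is correct because handlers run in definition order.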
diff --git a/roles/ffmwu-build/meta/main.yml b/roles/ffmwu-build/meta/main.yml
new file mode 100644
index 0000000..6743d80
--- /dev/null
+++ b/roles/ffmwu-build/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+- ffmwu-server
diff --git a/roles/ffmwu-build/tasks/ecdsautils.yml b/roles/ffmwu-build/tasks/ecdsautils.yml
new file mode 100644
index 0000000..59ab9b9
--- /dev/null
+++ b/roles/ffmwu-build/tasks/ecdsautils.yml
@@ -0,0 +1,28 @@
+---
+- name: checkout ecdsautils repo
+ git: repo=https://github.com/tcatm/ecdsautils.git
+ dest=/home/admin/clones/ecdsautils
+ version=v0.3.2
+
+- name: create build directory
+ file: path=/home/admin/clones/ecdsautils/build state=directory
+
+- name: build ecdsautils
+ shell: "{{ item }}"
+ args:
+ chdir: /home/admin/clones/ecdsautils/build
+ with_items:
+ - cmake ..
+ - make
+
+- name: install ecdsautils to /usr/local/bin
+ copy:
+ src: "{{ item }}"
+ dest: /usr/local/bin/
+ mode: 0755
+ remote_src: True
+ with_items:
+ - /home/admin/clones/ecdsautils/build/src/ecdsakeygen
+ - /home/admin/clones/ecdsautils/build/src/ecdsaverify
+ - /home/admin/clones/ecdsautils/build/src/ecdsasign
+ become: true
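Review bot: `version=v0.3.2` pins a tag, and tags can be moved or re-pushed; for a tool that will sign firmware, pin the commit the tag resolves to (`version=<commit-sha-of-v0.3.2>`) and keep the tag name in a comment for readability. The `cmake ..`/`make` task is not idempotent and reports changed on every run; adding `creates: /home/admin/clones/ecdsautils/build/src/ecdsasign` under `args:` skips it once built, at the cost of not rebuilding after a version bump unless the build directory is cleaned. `mode: 0755` relies on YAML 1.1 octal parsing — `mode: "0755"` is the portable spelling — and `remote_src: True` should be `remote_src: true`.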
diff --git a/roles/ffmwu-build/tasks/main.yml b/roles/ffmwu-build/tasks/main.yml
new file mode 100644
index 0000000..0b92c72
--- /dev/null
+++ b/roles/ffmwu-build/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- include: tasks/packages.yml
+- include: tasks/ecdsautils.yml
+- include: tasks/repos.yml
+- include: tasks/rsync.yml
+- include: tasks/web.yml
diff --git a/roles/ffmwu-build/tasks/packages.yml b/roles/ffmwu-build/tasks/packages.yml
new file mode 100644
index 0000000..9609f7c
--- /dev/null
+++ b/roles/ffmwu-build/tasks/packages.yml
@@ -0,0 +1,31 @@
+---
+- name: add apt repository of neoraider
+ apt_repository: repo='deb https://repo.universe-factory.net/debian/ sid main' state=present filename='neoraider'
+ become: true
+
+- name: add apt-key of neoraider
+ apt_key: keyserver=keyserver.ubuntu.com id=16EF3F64CB201D9C state=present
+ become: true
+
+- name: install needed packages for build-server
+ apt:
+ state: present
+ name: "{{ item }}"
+ update_cache: yes
+ cache_valid_time: 21600
+ with_items:
+ - apache2
+ - apache2-utils
+ - build-essential
+ - cmake
+ - gawk
+ - git
+ - haveged
+ - libncurses5-dev
+ - libssl-dev
+ - libuecc-dev
+ - pkg-config
+ - subversion
+ - unzip
+ - zlib1g-dev
+ become: true
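Review bot: The repository task (L153) runs before the key task (L157), and `apt_repository` refreshes the apt cache by default, so on a fresh host the first `apt-get update` sees a `sid` source whose signature it cannot verify; swapping the two tasks (key first, then repository) removes that failure mode. Adding a `sid` suite to a stable system without an apt preferences pin can pull unrelated packages from unstable on upgrade — a pin restricting `repo.universe-factory.net` to the packages actually wanted from it (`libuecc-dev` appears to be the candidate) would contain that. `update_cache: yes` should be `update_cache: true`.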
diff --git a/roles/ffmwu-build/tasks/repos.yml b/roles/ffmwu-build/tasks/repos.yml
new file mode 100644
index 0000000..65e331b
--- /dev/null
+++ b/roles/ffmwu-build/tasks/repos.yml
@@ -0,0 +1,4 @@
+---
+- name: checkout sites-ffmwu repo
+ git: repo=https://github.com/freifunk-mwu/sites-ffmwu.git
+ dest=/home/admin/clones/sites-ffmwu
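Review bot: The `git` task has no `version=`, so every run fast-forwards the clone to the remote default branch HEAD and firmware builds follow whatever lands upstream; if that is intended, say so in a comment, otherwise pin `version=` to a branch, tag or commit as ecdsautils.yml does. Because `update` defaults to yes, local modifications in `/home/admin/clones/sites-ffmwu` make the task fail rather than being overwritten — worth a note for whoever works on that box. The task also lacks the leading `---` consistency issue's counterpart: it has `---` but no trailing blank line, minor.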
diff --git a/roles/ffmwu-build/tasks/rsync.yml b/roles/ffmwu-build/tasks/rsync.yml
new file mode 100644
index 0000000..b48cf2a
--- /dev/null
+++ b/roles/ffmwu-build/tasks/rsync.yml
@@ -0,0 +1,15 @@
+---
+- name: install rsnycd configuration file
+ copy: src=rsyncd.conf dest=/etc/rsyncd.conf mode=640
+ become: true
+
+- name: install rsnyc systemd unit
+ copy: src=rsync.service dest=/etc/systemd/system/ mode=644
+ become: true
+
+- name: ensure rsync is started on boot as a daemon
+ systemd:
+ name: rsync
+ state: started
+ enabled: True
+ become: true
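Review bot: A new unit is copied into `/etc/systemd/system/`, but the `systemd` task does not pass `daemon_reload: true`, so on the first run systemd may not know the unit (or may still hold an older copy) when `state: started` is applied. Nothing in this role installs the `rsync` package and it is absent from packages.yml, so `/usr/bin/rsync` referenced by the unit is only present if another role provides it — hedged, since ffmwu-server might. Task names have `rsnycd`/`rsnyc` transposed; `mode=640`/`mode=644` are strings in key=value form and parse correctly, but `mode: "0640"` would match the rest of the role. `enabled: True` should be `enabled: true`.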
diff --git a/roles/ffmwu-build/tasks/web.yml b/roles/ffmwu-build/tasks/web.yml
new file mode 100644
index 0000000..4fca1f1
--- /dev/null
+++ b/roles/ffmwu-build/tasks/web.yml
@@ -0,0 +1,90 @@
+---
+- name: ensure webroot owns by user/group admin
+ file: dest=/var/www/html owner=admin group=admin recurse=yes
+ become: true
+
+- name: enable apache module ssl
+ apache2_module: state=present name=ssl
+ become: true
+ notify:
+ - check apache syntax
+ - restart systemd unit apache2
+
+- name: disable default apache sites and unwanted default configs
+ shell: a2dissite "{{ item }}"
+ with_items:
+ - 000-default
+ - default-ssl
+ become: true
+ notify:
+ - check apache syntax
+ - restart systemd unit apache2
+
+- shell: a2disconf "{{ item }}"
+ with_items:
+ - other-vhosts-access-log.conf
+ become: true
+ notify:
+ - check apache syntax
+ - restart systemd unit apache2
+
+- name: configure apache ssl module settings
+ lineinfile: dest=/etc/apache2/mods-enabled/ssl.conf
+ regexp="^([\s\t]+)?SSLCipherSuite"
+ line="SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
+ state=present
+ become: true
+ notify:
+ - check apache syntax
+ - restart systemd unit apache2
+
+- lineinfile: dest=/etc/apache2/mods-available/ssl.conf
+ regexp="^([\s\t]+)?SSLProtocol"
+ line="SSLProtocol all -SSLv2 -SSLv3"
+ state=present
+ become: true
+ notify:
+ - check apache syntax
+ - restart systemd unit apache2
+
+- name: configure apache security settings
+ lineinfile: dest=/etc/apache2/conf-available/security.conf
+ regexp="^ServerTokens"
+ line="ServerTokens Prod"
+ state=present
+ become: true
+ notify:
+ - check apache syntax
+ - restart systemd unit apache2
+
+- lineinfile: dest=/etc/apache2/conf-available/security.conf
+ regexp="^ServerSignature"
+ line="ServerSignature EMail"
+ state=present
+ become: true
+ notify:
+ - check apache syntax
+ - restart systemd unit apache2
+
+- name: write ffmwu apache sites
+ template: src=ffmwu-default-http.conf.j2 dest=/etc/apache2/sites-available/ffmwu-default-http.conf
+ become: true
+ notify:
+ - check apache syntax
+ - restart systemd unit apache2
+
+- template: src=ffmwu-default-https.conf.j2 dest=/etc/apache2/sites-available/ffmwu-default-https.conf
+ become: true
+ notify:
+ - check apache syntax
+ - restart systemd unit apache2
+
+- name: enable ffmwu apache sites
+ shell: a2ensite "{{ item }}"
+ with_items:
+ - ffmwu-default-http
+ - ffmwu-default-https
+ become: true
+ notify:
+ - check apache syntax
+ - restart systemd unit apache2
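Review bot: The `a2dissite`, `a2disconf` and `a2ensite` shell tasks (L232, L241, L301) report changed on every run and therefore fire the apache2 restart handler every time the play runs; `creates`/`removes` guards keyed on the `sites-enabled`/`conf-enabled` symlinks make them idempotent, as in the fence below. The long `SSLCipherSuite` list (L252) only governs negotiation if `SSLHonorCipherOrder on` is also set, which this file does not ensure, and its tail still admits 3DES (`DES-CBC3-SHA`) — drop that unless legacy clients are a requirement. L250 edits `mods-enabled/ssl.conf` while L259 edits `mods-available/ssl.conf`; both resolve to the same file through the symlink, but one path should be used consistently. The tasks at L241, L259, L278 and L294 have no `name:`, which makes play output and handler attribution harder to read.
```yaml
- name: disable default apache sites
  command: a2dissite "{{ item }}"
  args:
    removes: /etc/apache2/sites-enabled/{{ item }}.conf
  with_items:
    - 000-default
    - default-ssl
  become: true
  notify:
    - check apache syntax
    - restart systemd unit apache2

- name: disable unwanted default configs
  command: a2disconf "{{ item }}"
  args:
    removes: /etc/apache2/conf-enabled/{{ item }}
  with_items:
    - other-vhosts-access-log.conf
  # … unchanged: become/notify as above …

# … unchanged: ssl module settings, security settings, site templates …

- name: enable ffmwu apache sites
  command: a2ensite "{{ item }}"
  args:
    creates: /etc/apache2/sites-enabled/{{ item }}.conf
  with_items:
    - ffmwu-default-http
    - ffmwu-default-https
  # … unchanged: become/notify as above …
```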
diff --git a/roles/ffmwu-build/templates/ffmwu-default-http.conf.j2 b/roles/ffmwu-build/templates/ffmwu-default-http.conf.j2
new file mode 100644
index 0000000..a48beee
--- /dev/null
+++ b/roles/ffmwu-build/templates/ffmwu-default-http.conf.j2
@@ -0,0 +1,16 @@
+
+ ServerName {{ inventory_hostname }}
+ ServerAdmin webmaster@freifunk-mwu.de
+
+ DocumentRoot /var/www/html/firmware
+
+
+ Options +Indexes +FollowSymlinks
+ IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=*
+ AllowOverride None
+ Order allow,deny
+ allow from all
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
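Review bot: The `<VirtualHost>` and `<Directory>` container lines that must enclose these directives do not appear in this rendering (L315, L321, L327-L329 are empty), so either the template is missing them or they were lost in extraction — confirm the rendered file passes `apachectl -t`. `Order allow,deny` / `allow from all` is Apache 2.2 syntax that works on 2.4 only through mod_access_compat; `Require all granted` is the native 2.4 form, and the same applies to the https template. `+FollowSymlinks` together with `+Indexes` on a tree that L221 makes writable by `admin` means any symlink placed in the webroot is followed and listed; `+SymLinksIfOwnerMatch` is the narrower option if symlinks are needed at all.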
diff --git a/roles/ffmwu-build/templates/ffmwu-default-https.conf.j2 b/roles/ffmwu-build/templates/ffmwu-default-https.conf.j2
new file mode 100644
index 0000000..0f83aaf
--- /dev/null
+++ b/roles/ffmwu-build/templates/ffmwu-default-https.conf.j2
@@ -0,0 +1,36 @@
+
+
+ ServerAdmin webmaster@freifunk-mwu.de
+ ServerName {{ inventory_hostname }}
+
+ DocumentRoot /var/www/html/firmware
+
+
+ Options +Indexes +FollowSymlinks
+ IndexOptions FancyIndexing +FoldersFirst +HTMLTable +NameWidth=*
+ AllowOverride None
+ Order allow,deny
+ allow from all
+
+
+ SSLEngine on
+ SSLCertificateFile /etc/webcerts/{{ inventory_hostname }}/cert.pem
+ SSLCertificateKeyFile /etc/webcerts/{{ inventory_hostname }}/privkey.pem
+ SSLCertificateChainFile /etc/webcerts/{{ inventory_hostname }}/fullchain.pem
+
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+ BrowserMatch "MSIE [2-6]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+ # MSIE 7 and newer should be able to use keepalive
+ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
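Review bot: `SSLCertificateChainFile` points at `fullchain.pem`, which in the usual Let's Encrypt layout already contains the leaf certificate, so the server would send the leaf twice; use `chain.pem` there, or on Apache 2.4.8+ point `SSLCertificateFile` at `fullchain.pem` and drop the deprecated `SSLCertificateChainFile` — confirm which layout `/etc/webcerts/` actually holds. The `BrowserMatch "MSIE [2-6]"` / `"MSIE [17-9]"` block looks copied from the default-ssl site and only matters for IE ≤ 8 compatibility; it can go if those clients are out of scope. No `Strict-Transport-Security` header is set; since the plain-HTTP vhost is kept for downloads that may be deliberate, but a comment stating so would help.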
diff --git a/roles/ffmwu-server/tasks/main.yml b/roles/ffmwu-server/tasks/main.yml
index 21bc53a..b94e000 100644
--- a/roles/ffmwu-server/tasks/main.yml
+++ b/roles/ffmwu-server/tasks/main.yml
@@ -3,6 +3,9 @@
#- name: test key concatenation
# debug: msg=" would/will set keys; {{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }}"
+- name: ensure needed system users are present
+ user: name=admin comment="Freifunk MWU Admin" shell=/bin/bash state=present
+
- name: ensure all wanted ssh keys exclusively
authorized_key: exclusive=True state=present user=admin
key={{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }}
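Review bot: The new `user:` task (L380-L381) has no `become: true`, while the play connects as `remote_user: admin` and the surrounding tasks in this file escalate per task (L389), so creating a system user will fail with a permission error; add `become: true` under it. The same applies to the `alternatives:` task added in the second hunk of this file (L391-L392). Creating `admin` from a play that already logs in as `admin` can only be a no-op on an existing host; if the intent is bootstrapping, the first run needs a different connection user, which should be documented.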
@@ -27,3 +30,10 @@
loop_control:
loop_var: mwu_s_item
become: True
+
+- name: ensure vim is default editor
+ alternatives: name=editor path=/usr/bin/vim.basic
+
+# enable with ansible version 2.2
+#- name: set timezone to Europe/Berlin
+# timezone: name=Europe/Berlin