From 112fd6053d57d8588aafb6ae8962bbdf03d859b8 Mon Sep 17 00:00:00 2001 From: Yves G Date: Thu, 6 May 2021 16:10:20 +0200 Subject: [PATCH] miscellaneous fixes --- README.adoc | 2 +- group_vars/all | 24 ++++----- roles/dmz_dotclear_front/tasks/main.yml | 2 +- roles/dmz_exim/tasks/main.yml | 6 +-- roles/dmz_nginx/templates/10.conf.j2 | 3 ++ roles/dovecot/tasks/main.yml | 6 +++ roles/init/tasks/main.yml | 14 +++--- roles/motion_back/handlers/main.yml | 4 +- roles/nextcloud_back/tasks/main.yml | 65 +++++++++++++++---------- roles/php/tasks/main.yml | 20 ++++++-- roles/slapd/tasks/main.yml | 11 ++--- roles/ssowat/meta.OK/main.yml | 1 + site.yml | 4 +- 13 files changed, 99 insertions(+), 63 deletions(-) diff --git a/README.adoc b/README.adoc index 5621839..9c86652 100644 --- a/README.adoc +++ b/README.adoc @@ -111,7 +111,7 @@ Last but not least, the machine that will run the Ansible playbook should: * have a version of Ansible greater than 2.2: ** module `include_role` runs dynamically (available since version 2.4), ** modules `ini_file`, `lineinfile`, `mount`, and `replace` use the `path` parameter (available since version 2.3), -** modules `ldap_attr` and `ldap_entry` are used (available since version 2.3), +** module `ldap_attrs` is used (available since version 3.4), ** module `lineinfile` uses the `firstmatch` parameter (available since version 2.5), ** module `user` uses the `create_home` parameter (available since version 2.5); diff --git a/group_vars/all b/group_vars/all index 90c3619..fc6ce97 100644 --- a/group_vars/all +++ b/group_vars/all 
@@ -317,22 +317,24 @@ ldap_virtual_user_gid: 65534 # These settings are enforced at each run. Examples: # — gecos: the full name that typically appears on the login screen; # — http://directory.fedoraproject.org/docs/389ds/design/shadow-account-support.html. -ldap_users_attrs: '[ - {"uid": "you", "attr": "gecos", "value": "Y-O. Udel"}, - {"uid": "you", "attr": "shadowLastChange", "value": "16000"}, - {"uid": "you", "attr": "shadowMax", "value": "99999"}, - {"uid": "you", "attr": "shadowWarning", "value": "7"}, - {"uid": "me", "attr": "gecos", "value": "M. Ellen"}, - {"uid": "me", "attr": "shadowLastChange", "value": "16000"}, - {"uid": "me", "attr": "shadowMax", "value": "99999"}, - {"uid": "me", "attr": "shadowWarning", "value": "7"} - ]' +ldap_users_attrs: + - {uid: "you", attr: "gecos", value: "Y-O. Udel"} + - {uid: "you", attr: "shadowLastChange", value: "16000"} + - {uid: "you", attr: "shadowMax", value: "99999"} + - {uid: "you", attr: "shadowWarning", value: "7"} + - {uid: "me", attr: "gecos", value: "M. Ellen"} + - {uid: "me", attr: "shadowLastChange", value: "16000"} + - {uid: "me", attr: "shadowMax", value: "99999"} + - {uid: "me", attr: "shadowWarning", value: "7"} # Login name and password of the LibreOffice OnLine web services’ administrator. # Usefulness not clear; it doesn’t hurt to use the same values as in “nextcloud_admin_user” and “nextcloud_admin_password”… loolwsd_admin_user: nextcloud_admin loolwsd_admin_password: nextcloud_admin +# Language used by LibreOffice OnLine (LOOL), either 2 or 5 characters, packaged with CollaboraOnline. +loolwsd_lang: en + # LibreOffice OnLine’s description: “The maximum percentage of system memory consumed # by all of the LibreOffice Online, after which we start cleaning up idle documents”. loolwsd_maxmem_asdouble: '80.0' 
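Review bot: `loolwsd_lang` is spliced verbatim into a sed replacement that rewrites the Collabora PKGBUILD (`s/^(_I18N_EREGEX=).*$/\1{{loolwsd_lang}}/` in roles/nextcloud_back, later in this patch), so a `/`, `&`, `\` or shell metacharacter in the value would corrupt or inject into a build script rather than select a language, and the comment here should say so. Suggested wording: `# Spliced unescaped into the PKGBUILD's _I18N_EREGEX assignment; keep it to a bare tag such as en or en-GB.` The name `_I18N_EREGEX` suggests the PKGBUILD treats the value as an extended regex, in which case `en` presumably also matches longer tags like `en-GB`; the PKGBUILD is not part of this patch, so confirm before relying on the "2 or 5 characters" description.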
@@ -537,7 +539,7 @@ prosody_db_password: prosody sane_drivers: epson2 # Space-separated list of pacman mirrors to use. -software_mirrors: 'archlinux.de-labrusse.fr mirror.archlinux.ikoula.com' +software_mirrors: 'mirror.archlinux.ikoula.com archlinux.vi-di.fr' # Software that will get removed if present, on next run of the playbook (JSON list). software_to_del: '["dhcpcd"]' diff --git a/roles/dmz_dotclear_front/tasks/main.yml b/roles/dmz_dotclear_front/tasks/main.yml index b93721b..0fb982b 100644 --- a/roles/dmz_dotclear_front/tasks/main.yml +++ b/roles/dmz_dotclear_front/tasks/main.yml @@ -46,7 +46,7 @@ copy: content: | location = / { - rewrite ^ $scheme://{{net_soa}}{{http_pfx_dotclear}} redirect; + rewrite ^ $proxy_scheme://{{net_soa}}{{http_pfx_dotclear}} redirect; } location {{http_pfx_dotclear}} { alias {{dotclear_root}}; diff --git a/roles/dmz_exim/tasks/main.yml b/roles/dmz_exim/tasks/main.yml index e08f0b3..a321a5e 100644 --- a/roles/dmz_exim/tasks/main.yml +++ b/roles/dmz_exim/tasks/main.yml @@ -171,13 +171,13 @@ with_items: "{{mail_alias_memberships}}" - name: declare existing aliases’ members - ldap_attr: + ldap_attrs: server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/ bind_dn: "cn=root,{{ldap_root}}" bind_pw: "{{ldap_rootpw}}" dn: "cn={{item.alias}},ou=Aliases,{{ldap_root}}" - name: rfc822MailMember - values: "{{item.member}}" + attributes: + rfc822MailMember: "{{item.member}}" state: present with_items: "{{mail_alias_memberships}}" diff --git a/roles/dmz_nginx/templates/10.conf.j2 b/roles/dmz_nginx/templates/10.conf.j2 index 0b3c5fb..e539224 100644 --- a/roles/dmz_nginx/templates/10.conf.j2 +++ b/roles/dmz_nginx/templates/10.conf.j2 @@ -19,6 +19,7 @@ server { access_log /var/log/nginx/http_access.log proxy_log; set_real_ip_from unix:; real_ip_header proxy_protocol; + set $proxy_scheme "http"; set $proxy_https "off"; set $proxy_port "80"; include inc.d/{{nickname}}_php-full.inc; 
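Review bot: The rewrite now depends on `$proxy_scheme`, a variable that exists only because roles/dmz_nginx's 10.conf.j2 `set`s it in each server block; if this snippet is ever included from a server block that does not, nginx rejects the configuration at load time with an unknown-variable error rather than falling back to anything. ssowat's meta gets a `dmz_nginx` dependency in this same patch, and dmz_dotclear_front looks like it needs the same (its meta is not in the patch, so I cannot tell whether it already has one): `dependencies: - role: dmz_nginx`. A comment above the `copy:` making the coupling explicit would also help: `# $proxy_scheme is defined by dmz_nginx's 10.conf.j2; this snippet must only be included from those server blocks`.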
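Review bot: `$proxy_scheme`, `$proxy_https` and `$proxy_port` now encode the same fact three times per server block, repeated across the three server blocks of this file, so a later edit can leave one of them inconsistent with the others and nginx will not complain. Deriving the scheme once at `http` level, `map $proxy_https $proxy_scheme { on https; default http; }`, and dropping the three added `set $proxy_scheme` lines keeps a single source of truth; `map` is evaluated lazily, so the per-block `set $proxy_https` still drives it at request time. This is a style point — as written the three blocks are consistent with each other.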
@@ -32,6 +33,7 @@ server { access_log /var/log/nginx/https_access.log proxy_log; set_real_ip_from unix:; real_ip_header proxy_protocol; + set $proxy_scheme "https"; set $proxy_https "on"; set $proxy_port "443"; include inc.d/{{nickname}}_php-full.inc; @@ -46,6 +48,7 @@ server { access_log /var/log/nginx/https_access.log proxy_log; set_real_ip_from unix:; real_ip_header proxy_protocol; + set $proxy_scheme "https"; set $proxy_https "on"; set $proxy_port "443"; include inc.d/{{nickname}}_php-full.inc; diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml index 978be59..0b5709b 100644 --- a/roles/dovecot/tasks/main.yml +++ b/roles/dovecot/tasks/main.yml @@ -51,6 +51,12 @@ notify: - restart dovecot.service +- name: create the configuration directory + file: + name: /etc/dovecot + state: directory + mode: 0755 + - name: main configuration template: src: templates/dovecot.conf.j2 diff --git a/roles/init/tasks/main.yml b/roles/init/tasks/main.yml index e7d121d..0e8cd7e 100644 --- a/roles/init/tasks/main.yml +++ b/roles/init/tasks/main.yml @@ -6,6 +6,13 @@ # WARNING: This file may be used inside a mounted chroot. # The running system should not be assumed to be the target system. +- name: set hostname (needed by etckeeper) + copy: + content: | + {{hostname}} + dest: "{{chroot}}/etc/hostname" + mode: 0644 + ### INIT ⇒ ### - name: init EtcKeeper include_role: name=etckeeper.inc allow_duplicates=true tasks_from=init.yml @@ -74,13 +81,6 @@ mode: 0644 # Host names -- name: set hostname - copy: - content: | - {{hostname}} - dest: "{{chroot}}/etc/hostname" - mode: 0644 - - name: set the hosts file copy: src: files/hosts diff --git a/roles/motion_back/handlers/main.yml b/roles/motion_back/handlers/main.yml index 757a8c1..a92a1dc 100644 --- a/roles/motion_back/handlers/main.yml +++ b/roles/motion_back/handlers/main.yml 
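Review bot: The new `file:` task in roles/dovecot addresses the directory through the `name:` alias while the other `file:` tasks in this patch (roles/nextcloud_back) use `path:`; `path: /etc/dovecot` means the same to Ansible and keeps the convention. A one-line comment on why the directory has to be created here rather than coming from the package would help the next reader, since the reason is not visible from the task itself — e.g. `# created explicitly because the main configuration is templated into it below`, or whatever the actual reason is.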
@@ -12,11 +12,11 @@ - name: restart socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\x3alocalhost\x3a1080.service systemd: daemon_reload: true - name: socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\\x3alocalhost\\x3a1080.service + name: socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\x3alocalhost\x3a1080.service state: restarted - name: restart socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\x3alocalhost\x3a1081.service systemd: daemon_reload: true - name: socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\\x3alocalhost\\x3a1081.service + name: socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\x3alocalhost\x3a1081.service state: restarted diff --git a/roles/nextcloud_back/tasks/main.yml b/roles/nextcloud_back/tasks/main.yml index dfffd15..4ba936c 100644 --- a/roles/nextcloud_back/tasks/main.yml +++ b/roles/nextcloud_back/tasks/main.yml @@ -27,7 +27,12 @@ allow_duplicates: true vars: packages: - - collabora-online-server-nodocker + - pkg: collabora-online-server-nodocker + pre: | + LANG=C sed -ri ' + s/^(_I18N_EREGEX=).*$/\1{{loolwsd_lang}}/ + ' PKGBUILD + cat PKGBUILD aur_user: git - name: create the nextcloud user @@ -87,8 +92,10 @@ with_dict: server_name: '{{net_soa}}:443' memproportion: '{{loolwsd_maxmem_asdouble}}' - 'enable\s[^>]*browser': 'false' + 'enable\s[^>]*SSL[^>]*between loolwsd and the network': 'false' termination: 'true' + 'as_scheme\s[^>]*SSL': 'false' + 'enable\s[^>]*SSL[^>]*between storage and loolwsd': 'false' username: '{{loolwsd_admin_user}}' password: '{{loolwsd_admin_password}}' notify: 
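Review bot: The fix relies on these unit names being plain YAML scalars, where `\x3a` is four literal characters; if someone later wraps them in double quotes, `\x3a` becomes a YAML escape for `:` and the `name:` parameter silently targets a different unit than the `- name:` line describes. A short comment above the handlers guards against that: `# keep these unquoted (or single-quoted): \x3a is systemd's escaped ':' and must reach systemctl verbatim`.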
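Review bot: The `pre:` hook edits a build script that makepkg then executes as `aur_user`, and the `.*$` in `s/^(_I18N_EREGEX=).*$/\1{{loolwsd_lang}}/` discards whatever quoting the original assignment carried, so the result is only valid bash while `loolwsd_lang` contains no whitespace, `/`, `&` or shell metacharacters — nothing enforces that. A guard before the include, `- assert: that: loolwsd_lang is match('^[A-Za-z]{2}(-[A-Za-z]{2})?$')` (widened if a regex-valued language list is meant to be allowed), turns a malformed value into a clear failure instead of a broken or subverted PKGBUILD. `cat PKGBUILD` dumps the whole file into the play output on every run; if it is there for debugging, make it conditional on verbosity or drop it. The `_I18N_EREGEX` line being rewritten lives in the upstream PKGBUILD, not in this patch, so its original quoting is inferred here.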
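Review bot: The two new `false` entries turn off TLS on both sides of loolwsd — between loolwsd and the network and, via `as_scheme` plus `enable`, between loolwsd and the storage (Nextcloud) — so WOPI requests carrying access tokens travel in cleartext unless both legs stay on-host behind the proxy that `termination: 'true'` implies. That is a reasonable setup here, but the hunk does not show where loolwsd listens or which URL Nextcloud is reached at, so a comment stating the assumption would stop someone from later pointing `server_name` or the storage URI at a remote host: `# TLS is terminated by the front proxy and loolwsd ↔ Nextcloud traffic stays on this host; revisit these SSL entries if either leg leaves the machine.` The task these keys belong to starts before this hunk, so I cannot see which module applies the regexes.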
@@ -103,33 +110,37 @@ notify: - restart loolwsd.service -- name: ensure ownership of the nextcloud home directory - file: - path: "{{nextcloud_data}}" - state: directory - owner: "{{nextcloud_user}}" - group: "{{nextcloud_user}}" - recurse: true +- name: ensure Nextcloud ownership + block: -- name: ensure ownership of the nextcloud configuration directory - file: - path: "{{nextcloud_conf}}" - state: directory - owner: "{{nextcloud_user}}" - group: "{{nextcloud_user}}" - mode: 0750 + - name: ensure Nextcloud ownership — prepare file + shell: > + sed -r ' + /%[CL]/ d; + s#%S/nextcloud#{{nextcloud_data}}#g; + s#%t#/var/tmp#g; + s/([[:blank:]]+nextcloud){2}$/ {{nextcloud_user}} {{nextcloud_user}}/ + ' + /tmp/nextcloud.conf + changed_when: false -- name: create extra directories - file: - path: "{{item}}" - state: directory - owner: "{{nextcloud_user}}" - group: "{{nextcloud_user}}" - mode: 0750 - with_items: - - /var/tmp/nextcloud - - "{{nextcloud_data}}/data" - - "{{nextcloud_data}}/apps" + - name: ensure Nextcloud ownership — install file + copy: + src: /tmp/nextcloud.conf + dest: /etc/tmpfiles.d/nextcloud.conf + remote_src: true + + always: + - name: ensure Nextcloud ownership — cleanup + file: + path: /tmp/nextcloud.conf + state: absent + changed_when: false + +- name: ensure Nextcloud ownership — apply + command: systemd-tmpfiles --create + changed_when: false - name: send initial configuration copy: diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 96d427b..c04e431 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml 
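Review bot: The prepare step writes the rendered tmpfiles entries to the fixed, predictable path `/tmp/nextcloud.conf`, and the install step then copies that file into `/etc/tmpfiles.d` as root, so any local user can pre-create `/tmp/nextcloud.conf` (or a symlink) and thereby choose the directories, owners and modes that `systemd-tmpfiles --create` will apply with root privileges. As rendered here the sed command also only reads `/tmp/nextcloud.conf` and writes to stdout, so either a source path or a `>` redirect was lost in this rendering or the copy installs whatever was already in /tmp — either way the temporary file is unnecessary: register the sed output and hand it to `copy` as `content:`, which removes the race, the cleanup block and the unset mode on the installed file. The old tasks also did `recurse: true` on `{{nextcloud_data}}`, whereas tmpfiles entries only fix up existing trees if the packaged file uses `Z`/`z` lines; that file is not in the patch, so confirm ownership of pre-existing data is still corrected. I assumed the packaged source is `/usr/lib/tmpfiles.d/nextcloud.conf`, the usual location for an Arch package; adjust if the role reads it from elsewhere.

```yaml
- name: ensure Nextcloud ownership — render tmpfiles entries
  command: >
    sed -r '
    /%[CL]/ d;
    s#%S/nextcloud#{{nextcloud_data}}#g;
    s#%t#/var/tmp#g;
    s/([[:blank:]]+nextcloud){2}$/ {{nextcloud_user}} {{nextcloud_user}}/
    ' /usr/lib/tmpfiles.d/nextcloud.conf
  register: nextcloud_tmpfiles
  changed_when: false

- name: ensure Nextcloud ownership — install file
  copy:
    content: "{{ nextcloud_tmpfiles.stdout }}\n"
    dest: /etc/tmpfiles.d/nextcloud.conf
    owner: root
    group: root
    mode: 0644

# … unchanged: apply step (systemd-tmpfiles --create) …
```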
@@ -33,12 +33,26 @@ msg: php ### ⇐ UPSTREAM END ### -- name: enable PHP extension imagick +- name: enable PHP extensions lineinfile: - path: /etc/php/conf.d/imagick.ini + path: /etc/php/conf.d/{{item}}.ini backrefs: true - regexp: '^;*(extension=imagick)\s*$' + regexp: '^;\s*(extension\s*=\s*{{item}}).*$' line: '\1' + with_items: + - apcu + - geoip + - imagick + +- name: alter PHP APCu configuration lines + lineinfile: + path: /etc/php/conf.d/apcu.ini + regexp: '^;*{{item.name}}\s*=' + line: '{{item.name}}={{item.value}}' + with_items: + - {name: 'apc.enable_cli', value: 1} + notify: + - restart php-fpm.service (front) - name: activate PHP extensions lineinfile: diff --git a/roles/slapd/tasks/main.yml b/roles/slapd/tasks/main.yml index 4e858a0..65ca322 100644 --- a/roles/slapd/tasks/main.yml +++ b/roles/slapd/tasks/main.yml @@ -226,13 +226,12 @@ with_items: "{{ldap_virtual_users}}" - name: all users’ properties LDIF - ldap_attr: + ldap_attrs: server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/ bind_dn: "cn=root,{{ldap_root}}" bind_pw: "{{ldap_rootpw}}" dn: "uid={{item.uid}},ou=Users,{{ldap_root}}" - name: "{{item.attr}}" - values: "{{item.value}}" + attributes: '{"{{item.attr}}": "{{item.value}}"}' state: exact with_items: "{{ldap_users_attrs}}" @@ -250,13 +249,13 @@ with_items: "{{ldap_system_groups}}" - name: declare existing groups’ members - ldap_attr: + ldap_attrs: server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/ bind_dn: "cn=root,{{ldap_root}}" bind_pw: "{{ldap_rootpw}}" dn: "cn={{item.group}},ou=Groups,{{ldap_root}}" - name: memberuid - values: "{{item.member}}" + attributes: + memberuid: "{{item.member}}" state: present with_items: "{{ldap_system_group_members}}" diff --git a/roles/ssowat/meta.OK/main.yml b/roles/ssowat/meta.OK/main.yml index 511dd25..d65c8b6 100644 --- a/roles/ssowat/meta.OK/main.yml +++ b/roles/ssowat/meta.OK/main.yml @@ -5,3 +5,4 @@ dependencies: - role: cleanupdate + - role: dmz_nginx 
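Review bot: The `enable PHP extensions` task has no `notify:`, unlike the APCu task right below it, so an extension that this run uncomments is not loaded until something else restarts php-fpm; add `notify: - restart php-fpm.service (front)` to it as well. The regexp `'^;\s*(extension\s*=\s*{{item}}).*$'` with `line: '\1'` also drops anything after the extension name, e.g. a `.so` suffix or a trailing comment, which differs from the old `\s*$` anchor; if a suffix is expected in any of these files, keep it by ending the group with `(\.so)?`. `{{item}}` is interpolated into the regex unescaped, which is fine for the three literal names here but deserves a comment such as `# item names are used as regex literals; escape them if a name with metacharacters is ever added`.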
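Review bot: `attributes: '{"{{item.attr}}": "{{item.value}}"}'` builds a JSON string by textual interpolation and relies on Ansible converting the templated string back into a dict; a value containing `"` or `\` (a gecos with a quoted nickname, say) breaks the JSON, so the task fails — or, worse, is mis-parsed without an error. A Jinja dict literal avoids the quoting problem and yields the mapping the module expects directly: `attributes: "{{ {item.attr: item.value} }}"`. The `state: exact` semantics are unchanged by that.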
diff --git a/site.yml b/site.yml index 1136c84..c25dee0 100644 --- a/site.yml +++ b/site.yml @@ -46,15 +46,15 @@ - init - cleanupdate - postinstall + - ldap - iodine - ddclient_HE_example - ddclient_FreeDNS_example + - dmz_nginx - ssowat - - ldap - php - ssh - transmission - - dmz_nginx - dmz_exim - dmz_haproxy - dmz_ihmgit_front