podman
Yves G. 2023-12-30 16:32:52 +01:00
parent e0087d54f0
commit 2c50b3398e
69 changed files with 1298 additions and 320 deletions


@ -74,8 +74,8 @@ Command (m for help): g
Created a new GPT disklabel…
Command (m for help): n
Partition number (1-128, default 1):
First sector (…):
Partition number (1-128, default 1):
First sector (…):
Last sector, +sectors or +size{K,M,G,T,P} (…): +128M
Created a new partition 1…
@ -86,14 +86,14 @@ Hex code (type L to list all codes): 1
Changed type of partition 'Linux filesystem' to 'EFI System'.
Command (m for help): n
Partition number (2-128, default 2):
First sector (…):
Partition number (2-128, default 2):
First sector (…):
Last sector, +sectors or +size{K,M,G,T,P} (…):
Created a new partition 2…
Command (m for help): t
Partition number (1,2, default 2):
Partition number (1,2, default 2):
Hex code (type L to list all codes): 31
Changed type of partition 'Linux filesystem' to 'Linux LVM'.
@ -304,7 +304,7 @@ root@archiso ~ # arch-chroot /mnt
[root@archiso /]# cat >/etc/systemd/network/bridge.network <<-"THEEND"
> [Match]
> Name=wire
>
>
> [Network]
> IPForward=yes
> Address={back-ip}/{net-bits}
@ -313,7 +313,7 @@ root@archiso ~ # arch-chroot /mnt
[root@archiso /]# cat >/etc/systemd/network/wired.network <<-"THEEND"
> [Match]
> Name=en*
>
>
> [Network]
> Bridge=wire
> THEEND
@ -390,12 +390,12 @@ NOTE: Most values and paths here are examples, and shall be adapted.
[subs="+attributes"]
```bash
[root@{back-name} ~]# systemctl -M {front-name} stop haproxy.service
[root@{back-name} ~]# systemctl -M {front-name} stop nginx.service
[root@{back-name} ~]# systemctl -M {front-name} stop openresty.service
[root@{back-name} ~]# systemctl -M {front-name} stop php-fpm.service
[root@{back-name} ~]# sudo -u postgres pg_restore -c -C -F c -d postgres \
> </backup/dotclear.cdump
[root@{back-name} ~]# systemctl -M {front-name} start php-fpm.service
[root@{back-name} ~]# systemctl -M {front-name} start nginx.service
[root@{back-name} ~]# systemctl -M {front-name} start openresty.service
[root@{back-name} ~]# systemctl -M {front-name} start haproxy.service
```
@ -404,7 +404,7 @@ NOTE: Most values and paths here are examples, and shall be adapted.
[subs="+attributes"]
```bash
[root@{back-name} ~]# systemctl -M {front-name} stop haproxy.service
[root@{back-name} ~]# systemctl -M {front-name} stop nginx.service
[root@{back-name} ~]# systemctl -M {front-name} stop openresty.service
[root@{back-name} ~]# systemctl -M {front-name} stop prosody.service
[root@{back-name} ~]# sudo -u postgres pg_restore -c -C -F c -d postgres \
> </backup/prosody.cdump
@ -419,7 +419,7 @@ ALTER TABLE
{prosody-db}=# \q
[postgres@{back-name} ~]$ exit
[root@{back-name} ~]# systemctl -M {front-name} start prosody.service
[root@{back-name} ~]# systemctl -M {front-name} start nginx.service
[root@{back-name} ~]# systemctl -M {front-name} start openresty.service
[root@{back-name} ~]# systemctl -M {front-name} start haproxy.service
```
@ -444,7 +444,7 @@ Stop Nextcloud and restore the data::
[subs="+attributes"]
```bash
[root@{back-name} ~]# systemctl -M {front-name} stop haproxy.service
[root@{back-name} ~]# systemctl -M {front-name} stop nginx.service
[root@{back-name} ~]# systemctl -M {front-name} stop openresty.service
[root@{back-name} ~]# systemctl stop nextcloud-maintenance.timer
[root@{back-name} ~]# systemctl stop uwsgi@nextcloud.socket
[root@{back-name} ~]# systemctl stop uwsgi@nextcloud.service
@ -514,7 +514,7 @@ Restart Nextcloud::
```bash
[root@{back-name} ~]# systemctl start uwsgi@nextcloud.socket
[root@{back-name} ~]# systemctl start nextcloud-maintenance.timer
[root@{back-name} ~]# systemctl -M {front-name} start nginx.service
[root@{back-name} ~]# systemctl -M {front-name} start openresty.service
[root@{back-name} ~]# systemctl -M {front-name} start haproxy.service
```


@ -43,8 +43,8 @@ locales_enabled: 'en_US.UTF-8 en_GB.UTF-8'
dns_sec: 'no'
# DNS servers to use on the server, for example:
# OpenNIC-1 OpenNIC-2 Google
dns_hosts: '87.98.175.85 5.135.183.146 8.8.8.8'
# OpenNIC-1 OpenNIC-2 Cloudflare-1/-2
dns_hosts: '51.158.108.203 51.77.149.139 1.1.1.1 1.0.0.1'
# Nearest NTP servers (https://www.ntppool.org/).
ntp_hosts: '0.uk.pool.ntp.org 1.uk.pool.ntp.org 2.uk.pool.ntp.org 3.uk.pool.ntp.org'
@ -186,7 +186,7 @@ http_pfx_privatebin: /paste
http_pfx_prosody: /xmpp-
# URL prefix of SSOwat (SSO and web portal).
http_pfx_ssowat: /start
http_pfx_sso: /start
# URL prefix of Transmission (web UI for BitTorrent).
http_pfx_transmission: /torrent
@ -376,7 +376,7 @@ net_subdom_ssh: ssh
# Local networks from which network connections are trusted.
# OpenSSH requires that the IP in front of the “/” character is the first IP of the range!
net_trusted_ranges: '192.168.1.248/28 127.0.0.0/8 ::1'
net_trusted_ranges: '192.168.1.240/28 127.0.0.0/8 ::1'
# Administrator for Nextcloud (not necessarily an LDAP user).
nextcloud_admin_user: nextcloud_admin
@ -525,6 +525,61 @@ transmission_real_todo_at: /mnt/share/p2p/iso.torrent
transmission_nfs_done_at: share/p2p/iso
transmission_nfs_todo_at: share/p2p/iso.torrent
# Name used in file-names to identify the VPN
vpn_name: my_vpn
# IP/CIDR of DMZ no-VPN network namespace when VPN is setup
vpn_avoiding_ip_cidr: 192.168.1.240/24
# OpenVPN credentials
vpn_login: my-vpn-login
vpn_password: my-vpn-password
# OpenVPN settings
vpn_ca_certificate: |
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
vpn_interface_type: tun # or tap
vpn_protocol: udp6 # or udp, tcp, tcp6
vpn_server_host: vpn.example.org
vpn_server_port: 1194
vpn_tls_auth_key: |
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
# Name of the Wallabag database in PostgreSQL.
wallabag_db: wallabag
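Review bot: The new `vpn_login`, `vpn_password` and `vpn_tls_auth_key` entries put live OpenVPN credentials and the tls-auth static key into the same plain-text vars file as public settings such as DNS servers and URL prefixes, so a filled-in copy of this file will be committed or backed up together with them. Keep those three in a separate vault-encrypted vars file, or wrap each value as `vpn_password: !vault |` … and leave only the placeholder name here, as is done for the certificate block. The comment above `vpn_avoiding_ip_cidr` could also say whether the value is the namespace's own address or the network it sits in, since `192.168.1.240/24` is a host address carrying a /24 mask and a reader cannot tell which half a consumer is expected to use.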


@ -10,6 +10,12 @@
msg: ACME
### ⇐ UPSTREAM BEGIN ###
- name: install software (dev)
package:
# for Ansible crypto
name: python-cryptography
when: (env == 'dev')
- name: install dehydrated (Lets Encrypt)
include_role:
name: aur.inc
@ -68,6 +74,7 @@
src: files/dehydrated.timer
dest: /etc/systemd/system/dehydrated.timer
mode: 0644
when: (env == 'prod')
notify:
- restart dehydrated.service
@ -76,6 +83,45 @@
daemon_reload: true
name: dehydrated.timer
enabled: true
when: (env == 'prod')
## DEV
#https://docs.ansible.com/ansible/latest/collections/community/crypto/docsite/guide_selfsigned.html
- name: create private key (dev)
community.crypto.openssl_privatekey:
path: /var/lib/acme/self-signed.key
when: (env == 'dev')
- name: create CSR (dev)
community.crypto.openssl_csr:
path: /var/lib/acme/self-signed.csr
privatekey_path: /var/lib/acme/self-signed.key
common_name: "{{net_soa}}"
organization_name: "{{nickname}}"
subject_alt_name: "{{acme_domains | split | map('regex_replace','^','DNS:')}}"
subject_alt_name_critical: true
when: (env == 'dev')
- name: create self-signed certificate (dev)
community.crypto.x509_certificate:
path: /var/lib/acme/self-signed.pem
privatekey_path: /var/lib/acme/self-signed.key
csr_path: /var/lib/acme/self-signed.csr
provider: selfsigned
when: (env == 'dev')
- name: deploy self-signed certificate (dev)
command: >
/etc/dehydrated/{{nickname}}-hook.sh deploy_cert
{{net_soa}}
/var/lib/acme/self-signed.key
/var/lib/acme/self-signed.pem
/var/lib/acme/self-signed.pem
/dev/null
{{ansible_date_time.epoch}}
when: (env == 'dev')
### LOCAL COMMIT ⇒ ###
- name: commit local changes
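Review bot: The `deploy self-signed certificate (dev)` task is a bare `command:` with neither `creates:` nor `changed_when`, so it re-runs the deploy hook with a fresh `ansible_date_time.epoch` on every play, which re-copies the key to each DMZ service and fires the reloads each time even though `openssl_csr` and `x509_certificate` above it are idempotent. Add `register: selfsigned_cert` to the certificate task and gate the deploy on `when: (env == 'dev') and (selfsigned_cert is changed)`. The dev private key is also left with the module's default owner and mode; an explicit `mode: '0600'` on `openssl_privatekey` documents the intent, given that the hook goes on to push this key to other hosts.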


@ -2,17 +2,20 @@
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
#
# NOTE: on 1st run, DMZ software is NOT YET INSTALLED!
set -e
RSH=/usr/local/bin/{{DMZ}}
ETC_CHANGED_{{hostname}}=
ETC_CHANGED_{{DMZ}}=
ETC_CHANGED_{{hostname | regex_replace('-', '_')}}=
ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}=
etckeeper_hook() {
if [ -n "$ETC_CHANGED_{{hostname}}" ]; then
etc_stop_local 'ACME update'
fi
if [ -n "$ETC_CHANGED_{{DMZ}}" ]; then
$RSH "etc_stop_local 'ACME update'"
$RSH "etc_stop_local 'ACME update' || true"
fi
}
@ -37,11 +40,11 @@ deploy_exim() {
&& $RSH 'find /etc/mail/exim.{pem,crt} -mmin -$((1+($(date +%s)-${1})/60)) -printf . | grep -q ..' ${6%.*}; then
return 0
fi
local copy='cat >$1; chown exim $1; chmod 400 $1; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
local copy='[ -d /etc/mail ] || mkdir -p /etc/mail; cat >$1; if id exim 2>/dev/null; then chown exim $1; chmod 400 $1; else chmod 444 $1; fi; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
$RSH "$copy" /etc/mail/exim.pem $6 <"$2"
$RSH "$copy" /etc/mail/exim.crt $6 <"$4"
systemctl -M {{DMZ}} reload exim.service
ETC_CHANGED_{{DMZ}}=1
$RSH 'systemctl reload exim.service || true'
ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}=1
}
# $1: force|test; $2: KEYFILE; $3: CERTFILE; $4: FULLCHAINFILE; $5: CHAINFILE; $6: TIMESTAMP
@ -51,11 +54,11 @@ deploy_prosody() {
&& $RSH 'find /etc/prosody/certs/{{net_soa}}.{key,crt} -mmin -$((1+($(date +%s)-${1})/60)) -printf . | grep -q ..' ${6%.*}; then
return 0
fi
local copy='cat >$1; chown prosody $1; chmod 400 $1; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
local copy='[ -d /etc/prosody/certs ] || mkdir -p /etc/prosody/certs; cat >$1; if id prosody 2>/dev/null; then chown prosody $1; chmod 400 $1; else chmod 444 $1; fi; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
$RSH "$copy" /etc/prosody/certs/{{net_soa}}.key $6 <"$2"
$RSH "$copy" /etc/prosody/certs/{{net_soa}}.crt $6 <"$4"
systemctl -M {{DMZ}} reload prosody.service
ETC_CHANGED_{{DMZ}}=1
$RSH 'systemctl reload prosody.service || true'
ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}=1
}
# $1: force|test; $2: KEYFILE; $3: CERTFILE; $4: FULLCHAINFILE; $5: CHAINFILE; $6: TIMESTAMP
@ -65,10 +68,10 @@ deploy_haproxy() {
&& $RSH 'find /etc/haproxy/tls.pem -mmin -$((1+($(date +%s)-${1})/60)) -printf . | grep -q .' ${6%.*}; then
return 0
fi
local copy='cat >$1; chmod 400 $1; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
local copy='[ -d /etc/haproxy ] || mkdir -p /etc/haproxy; cat >$1; chmod 400 $1; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
cat "$4" "$2" | $RSH "$copy" /etc/haproxy/tls.pem $6
systemctl -M {{DMZ}} reload haproxy.service
ETC_CHANGED_{{DMZ}}=1
$RSH 'systemctl reload haproxy.service || true'
ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}=1
}
deploy_cert() {
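Review bot: In `deploy_exim` and `deploy_prosody` the new `copy` snippet falls back to `chmod 444 $1` whenever the service account does not exist yet, which leaves the TLS private key (`/etc/mail/exim.pem`, `/etc/prosody/certs/{{net_soa}}.key`) world-readable on the DMZ until the next deploy — and the note at the top of the file says a fresh DMZ is exactly in that state. Write the key 0400 root-owned unconditionally and only change ownership when the user exists, `if id exim 2>/dev/null; then chown exim $1; fi; chmod 400 $1`, since the service cannot run before its user exists anyway. A second mismatch sits in `etckeeper_hook`: the flags are declared and set as `ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}`, but the two `if [ -n ... ]` tests still expand `$ETC_CHANGED_{{DMZ}}` and `$ETC_CHANGED_{{hostname}}`, so for a hyphenated name the test reads a different variable and the literal `-suffix` makes it always non-empty. `deploy_exim`, `deploy_prosody` and `deploy_haproxy` all begin outside their hunks, and `deploy_cert` continues past this one.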


@ -3,8 +3,8 @@
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted


@ -20,7 +20,7 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
### LOCAL COMMIT ⇒ ###
- name: commit local changes


@ -41,7 +41,9 @@
block:
- name: AUR → {{pkg_name}} → run custom pre-processing commands
shell: "{{pre_cmd}}"
shell: |
set -x
{{pre_cmd}}
args:
chdir: /var/tmp/{{aurjson.json.results[0].PackageBase}}
when: pre_cmd


@ -46,7 +46,7 @@
- name: post-update script for he.net
copy:
content: |
#!/bin/bash
#!/usr/bin/env bash
# $1: new IP address
if [ -f /etc/conf.d/iodined ]; then
sed -i "s/^IODINE_EXT_IP=.*/IODINE_EXT_IP='$1'/" /etc/conf.d/iodined


@ -1,7 +1,7 @@
- name: replace /usr/bin/arch-chroot in Podman
copy:
content: |
#!/bin/bash
#!/usr/bin/env bash
args=()
while [ $# -gt 1 ]; do shift; args+=("$(printf "%q" "$1")"); done
[ -t 0 ] && t=-t || t=-T


@ -3,8 +3,8 @@
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted


@ -58,7 +58,7 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
### LOCAL COMMIT ⇒ ###
- name: commit local changes


@ -193,22 +193,34 @@
regexp: '^(?:#\s*)?root:'
line: "root: {{mail_forward_root_to}}"
- name: send DKIM private key
- name: send DKIM private key (prod)
copy:
src: files/{{net_soa}}_dkim.privk.pem
dest: /etc/mail/{{net_soa}}_dkim.privk.pem
owner: exim
group: exim
mode: 0400
when: (env == 'prod')
notify:
- restart exim.service
- name: set smarthost name
- name: create DKIM private key (dev)
shell: |
# https://dkimcore.org/specification.html
openssl genrsa -out /etc/mail/{{net_soa}}_dkim.privk.pem 1024
openssl rsa -in /etc/mail/{{net_soa}}_dkim.privk.pem -pubout >/etc/mail/{{net_soa}}_dkim.pubk.pem
chown exim:exim /etc/mail/{{net_soa}}_dkim.*.pem
chmod 0400 /etc/mail/{{net_soa}}_dkim.*.pem
when: (env == 'dev')
notify:
- restart exim.service
- name: disable smarthost
lineinfile:
path: /etc/mail/exim.conf
regexp: '^(?:#\s*)?ROUTER_SMARTHOST\s*='
line: |
ROUTER_SMARTHOST={{mail_smtp_smarthost}}
regexp: '^(\s*ROUTER_SMARTHOST\s*=.*)'
backrefs: true
line: '#\\1'
notify:
- restart exim.service
@ -278,18 +290,11 @@
notify:
- restart exim.service
- name: set TLS parameters for OpenSSL (old)
blockinfile:
- name: set TLS parameters for OpenSSL
replace:
path: /etc/mail/exim.conf
marker: '# {mark} OpenSSL parameters'
block: |
insertafter: '^tls_advertise_hosts\s*='
- name: set TLS parameters for OpenSSL (new)
lineinfile:
path: /etc/mail/exim.conf
regexp: '^(?:#\s*)?tls_require_ciphers\s*='
line: 'tls_require_ciphers = {{tls_ciphers}}'
regexp: '(.ifdef\s+_HAVE_OPENSSL\s*\n\s*)#?(\s*)tls_require_ciphers\s*=.*$'
replace: '\1\2tls_require_ciphers = {{tls_ciphers}}'
notify:
- restart exim.service
@ -365,14 +370,15 @@
notify:
- restart exim.service
# 2023-05-20: disabled because too many legitimate rejected emails coming from GMail
- name: deny mail RCPT from SpamHaus SBL
blockinfile:
path: /etc/mail/exim.conf
marker: ' # {mark} SpamHaus SBL ACL'
block: |
deny message = rejected because $sender_host_address is in a \
black list at SpamHaus SBL
dnslists = sbl.spamhaus.org
# deny message = rejected because $sender_host_address is in a \
# black list at SpamHaus SBL
# dnslists = sbl.spamhaus.org
insertbefore: '^\s*#\s*warn\s+dnslists\s*='
notify:
- restart exim.service
@ -399,21 +405,19 @@
# TODO: https://github.com/Exim/exim/wiki/SimpleGreylisting (with SPAM≥1.0)
- name: use remote_smtp for smarthost delivery
lineinfile:
- name: set IP addresses to be ignored (base)
replace:
path: /etc/mail/exim.conf
regexp: '^(\s*transport\s*=)'
backrefs: true
line: "\\1 remote_smtp"
regexp: '^(\s*ignore_target_hosts\s*=)(?! <; 0\.0\.0\.0 ; 127\.0\.0\.0/8 ; ::1).*$'
replace: "\1 <; 0.0.0.0 ; 127.0.0.0/8 ; ::1"
notify:
- restart exim.service
- name: set IP addresses to be ignored
lineinfile:
- name: set IP addresses to be ignored (addition)
replace:
path: /etc/mail/exim.conf
regexp: '^(\s*ignore_target_hosts\s*=.*::1)(?! ; {{mail_ignore_ip | replace(" ", " ; ")}}$)'
backrefs: true
line: "\\1 ; {{mail_ignore_ip | replace(' ', ' ; ')}}"
regexp: '^(\s*ignore_target_hosts\s*= <; 0\.0\.0\.0 ; 127\.0\.0\.0/8 ; ::1)$'
replace: "\1 ; {{mail_ignore_ip | replace(' ', ' ; ')}}"
when:
- mail_ignore_ip != ""
notify:
@ -505,16 +509,17 @@
notify:
- restart exim.service
- name: enable DKIM on outgoing emails
blockinfile:
- name: configure remote SMTP for outgoing emails
replace:
path: /etc/mail/exim.conf
marker: ' # {mark} outgoing DKIM signing'
block: |
regexp: '^(remote_smtp:\s*\n\s*driver\s*=\s*smtp\s*)$(?!\n\s*dkim_canon =)
replace: |
\1
dkim_canon = relaxed
dkim_domain = {{net_soa}}
dkim_private_key = /etc/mail/{{net_soa}}_dkim.privk.pem
dkim_selector = {{mail_dkim_selector}}
insertafter: '^\s*driver\s*=\s*smtp\s*$'
helo_data = {{net_soa}}
notify:
- restart exim.service
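Review bot: Both `ignore_target_hosts` tasks now write `replace: "\1 <; 0.0.0.0 ; …"` in YAML double quotes, where `\1` is not a recognised escape and the file will fail to parse; the removed `lineinfile` versions used `"\\1"` for that reason. Switch to single quotes, `replace: '\1 <; 0.0.0.0 ; 127.0.0.0/8 ; ::1'` and `replace: '\1 ; {{mail_ignore_ip | replace(" ", " ; ")}}'`. The `create DKIM private key (dev)` shell task has no `creates:` guard, so it regenerates the key and restarts exim on every run, and 1024-bit RSA is the floor RFC 8301 allows; `args: creates: /etc/mail/{{net_soa}}_dkim.privk.pem` together with `genrsa ... 2048` would fix both. In `disable smarthost`, `line: '#\\1'` is single-quoted, so two backslashes reach `expand()` and, as far as I can tell, the result is the literal line `#\1` rather than the commented-out original; `line: '#\1'` is the form the `fix logrotate.d/openresty` task uses. The closing quote of the `regexp` in `configure remote SMTP for outgoing emails` is not visible on this page; if it is really missing in the file, that task fails to parse as well.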


@ -34,8 +34,8 @@
copy:
content: |
[Unit]
Wants=nginx.service
After=nginx.service
Wants=openresty.service
After=openresty.service
dest: /etc/systemd/system/haproxy.service.d/wants_nginx.conf
mode: 0644
notify:


@ -27,6 +27,7 @@ defaults
frontend imaps
bind :993 ssl crt /etc/haproxy/tls.pem
bind :::993 ssl crt /etc/haproxy/tls.pem
default_backend imap
backend imap
@ -34,10 +35,12 @@ backend imap
frontend text
bind :80
bind :::80
default_backend http
frontend tls
bind :443 ssl crt /etc/haproxy/tls.pem
bind :::443 ssl crt /etc/haproxy/tls.pem
tcp-request inspect-delay 2s
# check SNI for the SSH domain
@ -57,6 +60,7 @@ frontend tls
frontend tls_plus
bind :444 ssl crt /etc/haproxy/tls.pem
bind :::444 ssl crt /etc/haproxy/tls.pem
default_backend https_plus
backend ssh
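Review bot: Each added `bind :::PORT` line repeats the `ssl crt /etc/haproxy/tls.pem` of the IPv4 line above it, so the TLS settings now live in two places per frontend; HAProxy's `v4v6` bind option serves both families from one socket, e.g. `bind :::443 v4v6 ssl crt /etc/haproxy/tls.pem`, and keeps future changes (ciphers, ALPN, a second certificate) in one line. The pairs are correct as written, since HAProxy binds `::` sockets IPv6-only by default on Linux, so this is a maintainability point rather than a defect.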


@ -3,8 +3,8 @@
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted

View File

@ -19,7 +19,30 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
- name: configure SSO
copy:
content: |
{ "patterns": [{
"lua_regex": [
"^{{http_pfx_gitea}}/admin",
"^{{http_pfx_gitea}}/repo/create",
"^{{http_pfx_gitea}}/repo/migrate",
"^{{http_pfx_gitea}}/org/create",
"^{{http_pfx_gitea}}/.-/wiki/_new"
],
"allow": ["*"]
},{
"lua_regex": ["^{{http_pfx_gitea}}/"],
"public": true,
"portal": {"{{http_pfx_gitea}}/": "Git"}
}]
}
dest: /etc/nginx/ssso/sites/git.json
when: (is_sso_used is defined)
notify:
- restart openresty.service
### LOCAL COMMIT ⇒ ###
- name: commit local changes
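Review bot: The restricted `lua_regex` list in `git.json` gates only the web-UI paths (`/admin`, `/repo/create`, `/repo/migrate`, `/org/create`, wiki `_new`) while the second rule then declares everything under `{{http_pfx_gitea}}/` public, so whatever the first rule is meant to hold back is presumably still reachable through Gitea's REST API (`{{http_pfx_gitea}}/api/v1/admin/…`, `…/api/v1/user/repos`) — confirm how the SSO module evaluates `"allow": ["*"]` and whether those API prefixes need the same treatment, or whether Gitea's own authorization is what is relied on. The prefixes are also open-ended on the right, so `^…/admin` matches `/admin-anything`; `^{{http_pfx_gitea}}/admin(/|$)` says what is meant. A one-line comment in the task stating the rule-ordering semantics (first match wins or most specific wins) would help, since nothing in this role shows how the file is interpreted.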


@ -3,8 +3,8 @@
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted


@ -171,7 +171,7 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
### LOCAL COMMIT ⇒ ###
- name: commit local changes


@ -3,8 +3,8 @@
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted


@ -45,7 +45,7 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
### LOCAL COMMIT ⇒ ###
- name: commit local changes


@ -9,8 +9,8 @@
name: movim.service
state: restarted
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted


@ -122,7 +122,7 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
### LOCAL COMMIT ⇒ ###
- name: commit local changes


@ -3,8 +3,8 @@
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted


@ -11,7 +11,7 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
- name: configure Nginx for LibreOffice OnLine
template:
@ -21,7 +21,7 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
### LOCAL COMMIT ⇒ ###
- name: commit local changes


@ -6,10 +6,10 @@
- name: create tmpfiles
command: systemd-tmpfiles --create /etc/tmpfiles.d/run_http.conf
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted
- name: restart php-fpm.service


@ -10,13 +10,71 @@
msg: nginx
### ⇐ UPSTREAM BEGIN ###
#- name: install software
# package:
# name: "{{item}}"
# state: present
# with_items:
# - nginx-mainline # nginx-mainline must now be built from official PKGBUILD :-(
# - php-fpm
- name: uninstall software
package:
name: "{{item}}"
state: absent
with_items:
# 2023-05-20: removed
- nginx-mainline
- name: install AUR software
include_role:
name: aur.inc
allow_duplicates: true
vars:
packages:
- pkg: openresty
pre: |
# harden the systemd service
sed -ri '
/\[Unit\]/ a\
After=systemd-tmpfiles-setup.service\
After=php-fpm.service
/\[Service\]/ a\
User=http\
Group=http\
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT\
PrivateTmp=true\
PrivateDevices=true\
ProtectSystem=full\
ProtectHome=true\
ReadWritePaths=/var/log/nginx\
NoNewPrivileges=true\
ExecStartPre=-/usr/bin/find /var/log/nginx/ -type f -user root -delete\
ExecStartPre=/usr/bin/sh -c '"'"'rm -f /run/shared_sockets/http*.pp'"'"'
s|/run/openresty.pid|/run/http/nginx.pid|g
' service
# compute the hash of the new service file
srvHash=$(sha256sum service | awk '{print $1}')
# — choose /etc/nginx as Nginx configuration location
# — choose /run/http/ for Nginx PID and lock files location
# — choose /var/log/nginx/ as Nginx compiled-in logs location
# — choose /var/tmp/ as Nginx runtime temporary folder
# — replace the old service hash with the computed one
# — remove signature source files as they make the build fail
# — disable unused features of OpenResty/Nginx
sed -ri "
s#_cfgdir=.*#_cfgdir=/etc/nginx#
/build\\(\\)/ i\\
for ((_src=0; _src<\${{ '{#source[*]}' }}; _src++)); do if [ "\${source[\$_src]}" == service ]; then\\
sha256sums[\$_src]='$srvHash'\\
fi; done\\
for ((_src=\${{ '{#source[*]}' }}-1; _src>=0; _src--)); do if [[ "\${source[\$_src]}" =~ \\\\.asc\$ ]]; then\\
_last=\$((\${{ '{#source[*]}' }}-1))\\
source[\$_src]=\"\${source[\$_last]}\"; unset source[\$_last]\\
sha256sums[\$_src]=\"\${sha256sums[\$_last]}\"; unset sha256sums[\$_last]\\
fi; done\\
unset _last _src
s/^( *)#( *--(without-.*redis|without-lua_rds|without-.*mysql|without-.*scgi))/\\1\\2/
s|^( *)#( *--pid-path=).*|\\1\\2/run/http/nginx.pid \\\\|
s|^( *)#( *--lock-path=).*|\\1\\2/run/http/nginx.lock \\\\|
s|^( *)#( *--error-log-path=).*|\\1\\2/var/log/nginx/error.log \\\\|
s|^( *)#( *--http-log-path=).*|\\1\\2/var/log/nginx/access.log \\\\|
/^ *--with-mail|^ *#/d
s| +#.*||
" PKGBUILD
cat PKGBUILD
### UPSTREAM END ⇒ ###
- name: merge upstream
@ -25,11 +83,19 @@
msg: nginx
### ⇐ UPSTREAM END ###
- name: create a directory for the PID files
- name: fix logrotate.d/openresty
lineinfile:
path: /etc/logrotate.d/openresty
backrefs: true
regexp: '^(\s*test -r )/run/'
line: '\1/run/http/nginx.pid && kill -USR1 `cat /run/http/nginx.pid`'
- name: create Nginx working directories
copy:
content: |
#Type Path Mode UID GID Age Argument
d /run/http 775 http http - -
#Type Path Mode UID GID Age Argument
d /run/http 775 http http - -
d /var/log/nginx 775 http http - -
dest: /etc/tmpfiles.d/run_http.conf
mode: 0644
notify:
@ -37,69 +103,15 @@
- meta: flush_handlers
- name: prepare to override systemd settings
file:
name: /etc/systemd/system/{{item}}.service.d
state: directory
mode: 0755
- name: update already-installed OpenResty packages
shell: /opt/openresty/bin/opm update
- name: OPM = install OpenResty packages (if necessary)
include_tasks: opm.yaml
vars:
pkg_name: "{{item}}"
with_items:
- nginx
- php-fpm
- name: secure systemd settings for php-fpm
copy:
content: |
[Unit]
After=systemd-tmpfiles-setup.service
[Service]
User=http
Group=http
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
PrivateTmp=true
PrivateDevices=true
ProtectSystem=true
ProtectHome=true
NoNewPrivileges=true
PIDFile=/run/http/php-fpm.pid
dest: /etc/systemd/system/php-fpm.service.d/secure-{{nickname}}.conf
mode: 0644
notify:
- restart php-fpm.service
- name: secure systemd settings for nginx
copy:
content: |
[Unit]
After=systemd-tmpfiles-setup.service
After=php-fpm.service
[Service]
User=http
Group=http
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
PrivateTmp=true
PrivateDevices=true
ProtectSystem=full
ProtectHome=true
NoNewPrivileges=true
PIDFile=/run/http/nginx.pid
ExecStartPre=/usr/bin/sh -c 'rm -f /run/shared_sockets/http*.pp'
ExecStart=
ExecStart=/usr/bin/nginx -g 'pid /run/http/nginx.pid; error_log stderr;'
dest: /etc/systemd/system/nginx.service.d/secure-{{nickname}}.conf
mode: 0644
notify:
- restart nginx.service
- name: set ownership of nginx working directories to nginx
file:
path: /var/{{item}}/nginx
state: directory
owner: http
group: http
recurse: true
with_items:
- lib
- log
- fffonion/lua-resty-openssl
- name: set the number of nginx worker processes
lineinfile:
@ -107,7 +119,7 @@
regexp: '^#?\s*worker_processes\s'
line: "worker_processes auto;"
notify:
- restart nginx.service
- restart openresty.service
- name: log to systemd-journal
lineinfile:
@ -115,7 +127,7 @@
regexp: '^#?\s*error_log\s'
line: "error_log syslog:server=unix:/dev/log,nohostname {{nginx_loglevel}};"
notify:
- restart nginx.service
- restart openresty.service
- name: create directories for custom nginx configuration
file:
@ -136,7 +148,7 @@
line: include /etc/nginx/main.inc.d/*.inc;
insertbefore: BOF
notify:
- restart nginx.service
- restart openresty.service
- name: include custom nginx configuration
lineinfile:
@ -145,7 +157,7 @@
line: include /etc/nginx/conf.d/*.conf;
insertbefore: '^\s*#gzip\s'
notify:
- restart nginx.service
- restart openresty.service
- name: set custom nginx configuration
template:
@ -155,7 +167,7 @@
group: http
mode: 0640
notify:
- restart nginx.service
- restart openresty.service
- name: send included conf files
template:
@ -198,54 +210,33 @@
when:
- test_srv.changed
notify:
- restart nginx.service
- restart openresty.service
- name: set the php-fpm settings
lineinfile:
path: /etc/php/php-fpm.d/www.conf
regexp: '^;*{{item.key}}\s*='
line: '{{item.key}} = {{item.value}}'
with_dict:
listen: /run/shared_sockets/php-fpm
pm: dynamic
'pm.max_children': '{{php_max_workers}}'
'pm.start_servers': 1
'pm.min_spare_servers': 1
'pm.max_spare_servers': '{{php_max_workers}}'
'pm.max_requests': '{{php_worker_max_reqs}}'
notify:
- restart php-fpm.service
- name: disable useless user/group specs
lineinfile:
path: /etc/php/php-fpm.d/www.conf
backrefs: true
regexp: '^({{item}}\s*=.*)'
line: ';\1'
- name: create web files locations
file:
path: "{{item}}"
state: directory
with_items:
- user
- group
- 'listen.group'
- /srv/http
- /srv/webapps
- name: set the PID file path for php-fpm
lineinfile:
path: /etc/php/php-fpm.conf
regexp: '^;*pid\s*='
line: 'pid = /run/http/php-fpm.pid'
notify:
- restart php-fpm.service
- name: enable php-fpm.service
- name: enable openresty.service
systemd:
daemon_reload: true
name: php-fpm.service
name: openresty.service
enabled: true
- name: enable nginx.service
systemd:
daemon_reload: true
name: nginx.service
enabled: true
- name: HTML test-page in test environment
copy:
content: |
<!DOCTYPE html>
<html lang="en">
<head><title>TEST</title><meta charset="UTF-8"></head>
<body><h1>HTML served by Nginx</h1><p>It works!</p></body>
</html>
dest: /srv/http/index.html
mode: 0644
when: (env == 'dev')
### LOCAL COMMIT ⇒ ###
- name: commit local changes
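Review bot: The PKGBUILD rewrite in the `pre:` script drops every `.asc` entry from `source` (the comment says they make the build fail), which removes the upstream GPG verification of the OpenResty tarball; after this only the AUR maintainer's `sha256sums` pin the archive, and because the same script also rewrites `sha256sums` for the service file, a reader cannot tell from the play which inputs are still verified. Prefer importing the upstream signing key so the signatures verify (`validpgpkeys` in the PKGBUILD), or at minimum add `# NOTE: upstream .asc signatures are dropped; archive integrity rests on the AUR sha256sums` next to the `unset _last _src` line. The trailing `s| +#.*||` substitution also strips everything after ` #` on every PKGBUILD line, including inside quoted strings — hedged, but worth a `diff` against the pristine PKGBUILD before trusting the `cat PKGBUILD` output. The `update already-installed OpenResty packages` task is a bare `shell:` that reports changed on every run; `register` it and set `changed_when` from its output, or use `changed_when: false`, so the play's change report stays honest.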


@ -0,0 +1,16 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
# mandatory parameters: pkg_name
- name: OPM → check existence of {{pkg_name}}
shell: /opt/openresty/bin/opm list | grep -q '^{{pkg_name}}[[:blank:]]'
ignore_errors: true
changed_when: false
register: opm_check
- name: OPM → install {{pkg_name}}
command: /opt/openresty/bin/opm get {{pkg_name}}
when: opm_check is failed
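Review bot: `ignore_errors: true` on the existence check prints a red "...ignoring" for every package not yet installed and also masks real failures such as `/opt/openresty/bin/opm` being absent, in which case the install step runs and fails for an unrelated reason. Use `failed_when: false` on the check and gate the install on `when: opm_check.rc != 0`, which keeps the output clean and makes the intent explicit. The grep pattern `'^{{pkg_name}}[[:blank:]]'` also assumes `opm list` prints `account/name` at the start of each line; if the format differs, the package is reinstalled on every run, so a comment citing the expected line shape would help the next reader.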


@ -2,6 +2,11 @@
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
client_body_temp_path /var/tmp/client_body_temp;
proxy_temp_path /var/tmp/proxy_temp;
fastcgi_temp_path /var/tmp/fastcgi_temp;
uwsgi_temp_path /var/tmp/uwsgi_temp;
#scgi_temp_path /var/tmp/scgi_temp;
client_max_body_size {{http_max_upload}};
gzip on;
gzip_comp_level 6;
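Review bot: The four `*_temp_path` directives send request bodies and proxy/fastcgi/uwsgi buffers to the shared `/var/tmp`, which is only safe because the rewritten openresty unit sets `PrivateTmp=true`; started outside that unit (`nginx -t` as root, a manual run in a chroot) the buffers land in the world-writable directory. State the dependency in the file, e.g. `# /var/tmp is private to openresty.service (PrivateTmp=true); not safe for a manual start`, or point these at a dedicated directory such as `/var/lib/nginx/tmp` owned by `http` and created from the same tmpfiles entry.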


@ -9,8 +9,8 @@
name: prosody.service
state: restarted
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted


@ -277,7 +277,7 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
- name: enable prosody
systemd:


@ -3,8 +3,8 @@
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted


@ -6,4 +6,4 @@
dependencies:
- role: cleanupdate
- role: ldap
- role: ssowat
# - role: ssowat #FIXME


@ -34,9 +34,10 @@
Requires=nslcd.service
After=nslcd.service
[Service]
{% if is_vpn_used is not defined %}
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT CAP_SYS_NICE
{% endif %}
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
LimitNOFILE=4096
@ -44,6 +45,22 @@
dest: /etc/systemd/system/transmission.service.d/secure-{{nickname}}.conf
mode: 0644
- name: override network settings for transmission
copy:
content: |
[Unit]
Requires=no-vpn-network-namespace.service
After=no-vpn-network-namespace.service
[Service]
Type=exec
User=root
Group=root
ExecStart=
ExecStart=/usr/bin/ip netns exec no-vpn /usr/bin/sudo -g {{media_group}} -u transmission -H -n /usr/bin/transmission-daemon -f --log-level=error
dest: /etc/systemd/system/transmission.service.d/zz-no-vpn.conf
mode: 0644
when: (is_vpn_used is defined)
- name: ensure existence and mode of Transmission working directories
file:
path: /var/lib/transmission{{item}}
@ -104,6 +121,18 @@
name: transmission.service
state: stopped
- name: store DMZ IP (direct)
set_fact:
no_vpn_front_IP: "{{DMZ_IP}}"
when:
- (is_vpn_used is not defined)
- name: store DMZ IP (avoid VPN)
set_fact:
no_vpn_front_IP: "{{vpn_avoiding_ip_cidr | replace('/.*', '')}}"
when:
- (is_vpn_used is defined)
- name: put a JSON terminator to avoid a trailing comma
lineinfile:
path: /var/lib/transmission/.config/transmission-daemon/settings.json
@ -118,7 +147,7 @@
line: ' "{{item.key}}": {{item.value}},'
insertbefore: '"zzz"'
with_dict:
speed-limit-up: '50'
speed-limit-up: '500'
speed-limit-up-enabled: 'true'
download-dir: '"/var/lib/transmission/Done"'
incomplete-dir: '"/var/lib/transmission/Doing"'
@ -130,13 +159,14 @@
watch-dir-enabled: 'true'
encryption: '2'
message-level: '1'
bind-address-ipv4: '"{{DMZ_IP}}"'
bind-address-ipv4: '"{{no_vpn_front_IP}}"'
peer-port: '{{transmission_bt_port}}'
peer-port-random-on-start: 'false'
port-forwarding-enabled: 'false'
port-forwarding-enabled: '{{is_vpn_used is defined}}'
queue-stalled-minutes: '5'
rpc-authentication-required: 'false'
rpc-bind-address: '"127.0.0.1"'
rpc-bind-address: '"unix:/run/shared_sockets/transmission-rpc.sock"'
rpc-socket-mode: '"0777"'
rpc-port: '{{transmission_rpc_port}}'
rpc-url: '"{{http_pfx_transmission}}/"'
rpc-whitelist-enabled: 'false'
@ -151,13 +181,13 @@
copy:
content: |
location {{http_pfx_transmission}}/web {
alias /usr/share/transmission/web;
alias /usr/share/transmission/public_html;
}
location ~ ^{{http_pfx_transmission}}/?$ {
return 307 https://{{net_soa}}{{http_pfx_transmission}}/web/;
}
location ~ ^{{http_pfx_transmission}}.*$(?<!\.css|\.js)$ {
proxy_pass http://127.0.0.1:{{transmission_rpc_port}};
proxy_pass http://unix:/run/shared_sockets/transmission-rpc.sock;
proxy_pass_header X-Transmission-Session-Id;
proxy_hide_header ETag;
proxy_hide_header Cache-Control;
@ -168,7 +198,7 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
- name: enable transmission.service
systemd:
@ -176,6 +206,20 @@
name: transmission.service
enabled: true
- name: configure SSO
copy:
content: |
{ "patterns": [{
"lua_regex": ["^{{http_pfx_transmission}}"],
"allow": ["me"],
"portal": {"{{http_pfx_transmission}}": "BitTorrent"}
}]
}
dest: /etc/nginx/ssso/sites/transm.json
when: (is_sso_used is defined)
notify:
- restart openresty.service
### LOCAL COMMIT ⇒ ###
- name: commit local changes
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
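Review bot: The new `configure SSO` task is the only access control left in front of the Transmission RPC (authentication and the whitelist are disabled in this role), yet it is gated on `is_sso_used`, a `set_fact` value that only exists when the `sso` role ran earlier in the same play; any run that skips that role (tags, limits, a reordered `site.yaml`) silently leaves the RPC unauthenticated behind the proxy. Consider driving both this task and the `rpc-authentication-required` value from one inventory variable, or adding a `fail:` task when neither protection is configured. The `copy` also omits `group: http` / `mode: 0640`, which the SSO role applies to its other files under `/etc/nginx/ssso`, so `transm.json` is created with the default umask.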

@ -3,8 +3,8 @@
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted

@ -88,7 +88,7 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
### LOCAL COMMIT ⇒ ###
- name: commit local changes

@ -24,7 +24,7 @@
- name: send a remote-exec script to the host
template:
src: templates/DMZ.j2
src: templates/DMZ.{{env}}.j2
dest: "/usr/local/bin/{{DMZ}}"
mode: 0755

@ -0,0 +1,11 @@
#!/usr/bin/env bash
# $1: bash script; $2…: arguments (bash -c "…script…" 'bash' …arguments…)
#
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
cmd="$(printf "%q" "$1")"; shift
args=()
while [ $# -gt 0 ]; do args+=("$(printf "%q" "$1")"); shift; done
exec ssh -i ~/.ssh/id-chroot -o StrictHostKeyChecking=no -p 20022 -T 10.0.2.2 bash -c "$cmd" bash "${args[@]}"
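Review bot: `-o StrictHostKeyChecking=no` on the `exec ssh` line disables host-key verification entirely, so the script keeps connecting even when the key presented by `10.0.2.2:20022` changes; for a throw-away development container `-o StrictHostKeyChecking=accept-new` (or a dedicated `-o UserKnownHostsFile=` populated when the image is built) gives the same first-connect convenience while still detecting a key change. This looks like the `dev` variant of the `DMZ.{{env}}.j2` template selected at L1195; the file path itself is not visible in this view.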

@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
# $1: bash script; $2…: arguments (bash -c "…script…" 'bash' …arguments…)
#
# The home-server project produces a multi-purpose setup using Ansible.
@ -7,4 +7,4 @@
cmd="$1"; shift
nsenter -t $(machinectl status {{DMZ}} | awk '$1=="Leader:"{print $2;exit}') \
-a -F /usr/bin/bash -c "$cmd" bash "$@"
-a -F /usr/usr/bin/env bash -c "$cmd" bash "$@"
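Review bot: `/usr/usr/bin/env bash` on the `nsenter` line is not a real path: the `/usr/bin/bash` → `/usr/bin/env bash` substitution was applied to a string that already started with `/usr/`, so the remote exec will fail with "no such file". The same doubled prefix appears in the `ExecStopPost=` line of the lxdm drop-in at L1270, where systemd also requires an existing absolute path. Both should read `/usr/bin/env bash` (or simply `/usr/bin/bash` as before, since `env` adds nothing to an absolute invocation).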

@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.

@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.

@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.

@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.

@ -154,7 +154,7 @@
ProtectSystem=full
ReadWriteDirectories={{kodi_data}}
# the client has 10 seconds to stop sending network packets to the socket
ExecStopPost=/usr/bin/bash -c "/usr/bin/sleep 10s; exec /usr/bin/systemctl --no-block start lxdm.socket"
ExecStopPost=/usr/usr/bin/env bash -c "/usr/bin/sleep 10s; exec /usr/bin/systemctl --no-block start lxdm.socket"
Restart=no
dest: /etc/systemd/system/lxdm.service.d/{{nickname}}.conf
mode: 0644

@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
# $1: camera
# $2: event number
# $3: ISO date

@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
# $1: file to upload
BASE_URL=https://www.mediafire.com/api

@ -5,6 +5,23 @@
flush ruleset
table arp RateLimiter {
chain ArpIn {
type filter hook input priority 0
policy accept
{% if is_vpn_used is defined %}
meta iif tun0 limit rate 2/second burst 10 packets accept
{% else %}
meta iif host0 limit rate 2/second burst 10 packets accept
{% endif %}
}
chain ArpOut {
type filter hook output priority 0
policy accept
}
}
{% for V in ['4', '6'] %}
{% set v = V | replace('4', '') %}
{% macro trust(list) %}
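Review bot: The new `RateLimiter` table does not limit anything: `ArpIn` has `policy accept`, and `limit rate 2/second burst 10 packets accept` only matches packets within the budget, so the excess falls through to the chain policy and is accepted just the same. Either append a drop after it (`meta iif host0 drop`) or invert the match, `meta iif host0 limit rate over 2/second burst 10 packets drop`; the same construction is in the no-VPN namespace template at L1585. Also, a `tun` device carries no ARP, so the `tun0` branch is a no-op while the VPN is up and `host0` loses even the intended rule.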
@ -115,22 +132,30 @@ table ip{{v}} Inet{{V}} {
type filter hook input priority 0
policy drop
# allow established/related connections
ct state {established, related} accept
# early drop of invalid connections
ct state invalid drop
# allow from loopback
meta iif lo accept
# allow icmp
{% if V == '4' %}
ip protocol icmp accept
icmp type { echo-reply, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
icmp type { source-quench, redirect, info-request, info-reply, address-mask-request, address-mask-reply } drop
meta l4proto icmp limit rate 2/second burst 4 packets accept
{% else %}
ip6 nexthdr icmpv6 accept
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
meta l4proto ipv6-icmp limit rate 2/second burst 4 packets accept
{% endif %}
# allow established/related connections
ct state {established, related} accept
# allow from loopback
{% if V == '4' %}
meta iif lo ip saddr != 127.0.0.0/8 drop
{% else %}
meta iif lo ip6 saddr != ::1/128 drop
{% endif %}
meta iif lo accept
# allow iodine
meta iifname dns0 accept
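Review bot: `meta iif lo ip saddr != 127.0.0.0/8 drop` (and its `::1/128` twin) also drops legitimate locally generated traffic: a connection from this host to one of its own non-loopback addresses is routed over `lo` with that address as source, so it never matches `127.0.0.0/8` and is discarded before the `meta iif lo accept` line. `meta iif lo fib saddr type != local drop` expresses the intended anti-spoofing check without that side effect and works for both families. The `FilterIn` chain continues past the end of this hunk.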
@ -181,7 +206,7 @@ table ip{{v}} Inet{{V}} {
{% call(net) trust(net_trusted_ranges) %}
udp dport 5353 ip{{v}} saddr {{net}} accept
{% endcall %}
# remote-help ssh
tcp dport 22000 accept
{% call(net) trust(net_trusted_ranges) %}
@ -196,6 +221,14 @@ table ip{{v}} Inet{{V}} {
chain FilterOut {
type filter hook output priority 0
policy drop
{% if V == '4' %}
icmp type { echo-reply, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
icmp type { source-quench, redirect, info-request, info-reply, address-mask-request, address-mask-reply } drop
meta l4proto icmp limit rate 2/second burst 4 packets accept
{% else %}
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept
meta l4proto ipv6-icmp limit rate 2/second burst 4 packets accept
{% endif %}
ct state {established, related} accept
meta oif lo accept
{% call(net) trust(SafeZone_IP + ' ' + dns_hosts + ' ' + allowed_domains_ip + ' ' + ntp_hosts) %}

@ -0,0 +1,16 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart openvpn-client.service
systemd:
daemon_reload: true
name: openvpn-client@{{vpn_name}}.service
state: restarted
- name: restart no-vpn network namespace
systemd:
daemon_reload: true
name: no-vpn-network-namespace.service
state: restarted

@ -0,0 +1,7 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:
- role: cleanupdate

@ -0,0 +1,195 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###
- name: pull prerequisites from upstream
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=upstream.yml
vars:
msg: OpenVPN
### ⇐ UPSTREAM BEGIN ###
- name: install software
package:
name: {{item}}
with_items:
- iproute2
- openvpn
# jq is needed by no-VPN network-namespace script
- jq
### UPSTREAM END ⇒ ###
- name: merge upstream
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
vars:
msg: OpenVPN
### ⇐ UPSTREAM END ###
- name: VPN configuration
template:
src: templates/vpn.conf.j2
dest: /etc/openvpn/client/{{vpn_name}}.conf
owner: openvpn
group: network
mode: 0600
notify:
- restart openvpn-client.service
- name: VPN TLS auth key
copy:
content: |
{{vpn_tls_auth_key}}
dest: /etc/openvpn/client/{{vpn_name}}-ta.key
owner: openvpn
group: network
mode: 0600
notify:
- restart openvpn-client.service
- name: VPN credentials
copy:
content: |
{{vpn_login}}
{{vpn_password}}
dest: /etc/openvpn/client/{{vpn_name}}.userpass
owner: openvpn
group: network
mode: 0400
notify:
- restart openvpn-client.service
- name: prepare to override OpenVPN security
file:
path: /etc/systemd/system/openvpn-client@{{vpn_name}}.service.d
state: directory
mode: 0755
notify:
- restart openvpn-client.service
- name: override OpenVPN security with systemd
copy:
content: |
[Service]
ExecStart=
ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config %i.conf --auth-user-pass /etc/openvpn/client/%i.userpass
dest: /etc/systemd/system/openvpn-client@{{vpn_name}}.service.d/auth-user-pass.conf
mode: 0644
notify:
- restart openvpn-client.service
- name: store DMZ IP (front)
set_fact:
current_IP: "{{DMZ_IP}}"
when:
- (inventory_hostname in groups['front'])
- name: store SafeZone IP (back)
set_fact:
current_IP: "{{SafeZone_IP}}"
when:
- (inventory_hostname in groups['back'])
- name: creation script for no-VPN network namespace
copy:
content: |
#!/bin/bash
# https://www.baeldung.com/linux/different-network-interfaces-processes
set -e
# find network settings associated with known IP address
host_if=$(ip -j -4 address | jq -r '.[] | select(any(.addr_info[]; .local == "{{current_IP}}")) | .ifname')
gateway=$(ip -j -4 route | jq -r '.[] | select(.dst == "default") | .gateway')
# create namespace if it does not exist
if ! ip netns list | grep -Fxq no-vpn; then
ip netns add no-vpn
fi
# configure namespace if not done
# $1: interface name; $2: CIDR
function setup() {
if ! ip -n no-vpn link show up dev $1 | grep -q .; then
ip -n no-vpn link set $1 up
fi
if [ -z "$(ip -n no-vpn -4 address show dev $1)" ]; then
ip -n no-vpn address add $2 dev $1
fi
}
if ! ip -n no-vpn link show dev if_isp &>/dev/null; then
ip link add link $host_if if_isp netns no-vpn type ipvlan mode l2
fi
setup if_isp {{vpn_avoiding_ip_cidr}}
setup lo 127.0.0.1/8
# set gateway if not set
if ! ip -n no-vpn -4 route | grep -q ^default; then
ip -n no-vpn route add default via $gateway dev if_isp
fi
dest: /usr/local/bin/create-no-vpn-namespace.sh
mode: 0700
notify:
- restart no-vpn network namespace
- name: removal script for no-VPN network namespace
copy:
content: |
#!/bin/sh
ip netns delete no-vpn
dest: /usr/local/bin/delete-no-vpn-namespace.sh
mode: 0700
notify:
- restart no-vpn network namespace
- name: no-VPN network namespace firewall
template:
src: templates/nftables.conf.j2
dest: /etc/netns/no-vpn/nftables.conf
mode: 0600
notify:
- restart no-vpn network namespace
# https://github.com/mqus/nft-rules/blob/master/files/SSDP_client.md
- name: systemctl service for no-VPN network namespace
copy:
content: |
[Unit]
Description=No-VPN network namespace
After=network-online.target openvpn.service
Wants=network-online.target openvpn.service
[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/usr/local/bin/create-no-vpn-namespace.sh
ExecStartPost=/usr/bin/ip netns exec no-vpn /usr/bin/nft -f /etc/nftables.conf
ExecStop=/usr/local/bin/delete-no-vpn-namespace.sh
[Install]
WantedBy=multi-user.target
dest: /etc/systemd/system/no-vpn-network-namespace.service
mode: 0644
notify:
- restart no-vpn network namespace
- name: enable service for no-VPN network namespace
systemd:
daemon_reload: true
name: no-vpn-network-namespace.service
enabled: true
- name: enable OpenVPN client service
systemd:
daemon_reload: true
name: openvpn-client@{{vpn_name}}.service
enabled: true
- name: register the fact that a VPN is enabled
set_fact:
is_vpn_used: true
### LOCAL COMMIT ⇒ ###
- name: commit local changes
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
vars:
msg: OpenVPN
### ⇐ LOCAL COMMIT ###
- meta: flush_handlers
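Review bot: `name: {{item}}` in the `install software` task is unquoted, so YAML reads `{{item}}` as a flow mapping and the play fails at parse time; the other roles in this commit quote it (`name: "{{item}}"`, as at L1773). Two smaller points in the same file: the no-VPN namespace unit orders itself `After=` / `Wants=` `openvpn.service`, while the unit this role actually enables is `openvpn-client@{{vpn_name}}.service`, so the namespace is probably created without waiting for the tunnel; and the embedded creation script keeps `#!/bin/bash` although the rest of the commit switches to `#!/usr/bin/env bash`.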

@ -0,0 +1,105 @@
#!/usr/bin/env nft -f
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
flush ruleset
table arp RateLimiter {
chain ArpIn {
type filter hook input priority 0
policy accept
meta iif if_isp limit rate 2/second burst 10 packets accept
}
chain ArpOut {
type filter hook output priority 0
policy accept
}
}
{% for V in ['4', '6'] %}
{% set v = V | replace('4', '') %}
{% macro trust(list) %}
{% for net in list.split(' ') %}
{% if not net is match('127(?:\.\d{1,3}){3}(?:/\d+)?|::1|^$') %}
{% if (net is match('\d{1,3}(?:\.\d{1,3}){3}(?:/\d+)?')
and V == '4') or (net is search(':') and V == '6') %}
{{caller(net)}}
{% endif %}
{% endif %}
{% endfor %}
{% endmacro %}
table ip{{v}} Inet{{V}} {
set ssdp_out {
type inet_service
timeout 5s
}
chain FilterIn {
type filter hook input priority 0
policy drop
# early drop of invalid connections
ct state invalid drop
# allow icmp
{% if V == '4' %}
icmp type { echo-reply, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
icmp type { source-quench, redirect, info-request, info-reply, address-mask-request, address-mask-reply } drop
meta l4proto icmp limit rate 2/second burst 4 packets accept
{% else %}
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
meta l4proto ipv6-icmp limit rate 2/second burst 4 packets accept
{% endif %}
# allow established/related connections
ct state {established, related} accept
# allow from loopback
{% if V == '4' %}
meta iif lo ip saddr != 127.0.0.0/8 drop
{% else %}
meta iif lo ip6 saddr != ::1/128 drop
{% endif %}
meta iif lo accept
# allow ssdp replies
udp dport @ssdp_out accept
# zeroconf
{% call(net) trust(net_trusted_ranges) %}
udp dport 5353 ip{{v}} saddr {{net}} accept
{% endcall %}
# transmission
tcp dport {{transmission_bt_port}} accept
udp dport {{transmission_bt_port}} accept
}
chain FilterOut {
type filter hook output priority 0
policy drop
{% if V == '4' %}
icmp type { echo-reply, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
icmp type { source-quench, redirect, info-request, info-reply, address-mask-request, address-mask-reply } drop
meta l4proto icmp limit rate 2/second burst 4 packets accept
{% else %}
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept
meta l4proto ipv6-icmp limit rate 2/second burst 4 packets accept
{% endif %}
ct state {established, related} accept
meta oif lo accept
meta oif if_isp udp dport 1900 set add udp sport @ssdp_out accept
{% call(net) trust(SafeZone_IP + ' ' + dns_hosts + ' ' + allowed_domains_ip + ' ' + ntp_hosts) %}
ip{{v}} daddr {{net}} accept
{% endcall %}
meta skuid transmission tcp dport 443 accept
meta skuid transmission udp dport 443 accept
meta skuid transmission tcp dport > 1024 accept
meta skuid transmission udp dport > 1024 accept
}
}
{% endfor %}

@ -0,0 +1,104 @@
# Specify that we are a client and that we will be pulling certain config file
# directives from the server.
client
# Use the same setting as you are using on the server.
# On most systems, the VPN will not function unless you partially or fully
# disable the firewall for the TUN/TAP interface.
dev {{vpn_interface_type}}
# Are we connecting to a TCP or UDP server?
# Use the same setting as on the server.
proto {{vpn_protocol}}
port {{vpn_server_port}}
# The hostname/IP and port of the server.
# You can have multiple remote entries to load balance between the servers.
remote {{vpn_server_host}} {{vpn_server_port}}
# Choose a random host from the remote list for load-balancing.
# Otherwise try hosts in the order specified.
remote-random
# Keep trying indefinitely to resolve the host name of the OpenVPN server.
# Very useful on machines which are not permanently connected to the internet
# such as laptops.
resolv-retry infinite
route-delay 2
# Use the VPN as the default network connection
redirect-gateway def1 bypass-dhcp # IPv4
route-ipv6 2000::/3 # IPv6
# Most clients don't need to bind to a specific local port number.
nobind
# Downgrade privileges after initialization.
;user openvpn
;group openvpn
# Try to preserve some state across restarts.
persist-key
persist-tun
# Try and avoid fragmentation issues.
fragment 1300
mssfix 1300
# If you are connecting through an HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and port number here.
# See the man page if your proxy server requires authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot of duplicate packets.
# Set this flag to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more description.
# It's best to use a separate .crt/.key file pair for each client.
# A single ca file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key
# Verify server certificate by checking that the certificate has the correct
# key usage set.
# This is an important precaution to protect against a potential attack
# discussed here: http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate your server certificates with
# the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server
# If a tls-auth key is used on the server then every client must also have the
# key.
tls-auth {{vpn_name}}-ta.key 1
auth-user-pass
# Select a cryptographic cipher.
# If the cipher option is used on the server then you must also specify it
# here.
# Note that v2.4 client/server will automatically negotiate AES-256-GCM in TLS
# mode.
# See also the data-ciphers option in the manpage
cipher AES-256-CBC
# Enable compression on the VPN link.
# Don't enable this unless it is also enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
<ca>
{{vpn_ca_certificate}}
</ca>
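Review bot: `user openvpn` and `group openvpn` are left commented out (`;user openvpn`), so after initialisation the client keeps whatever privileges the service unit started it with unless that unit drops them itself; either uncomment them (with `group network`, matching the ownership this role gives the config files) or confirm the unit sets `User=`. `comp-lzo` and `cipher AES-256-CBC` are both deprecated in OpenVPN 2.5+: compression on an encrypted link is discouraged and may be refused by the server, and the data cipher should be negotiated through `data-ciphers`; whether the provider's server still requires them is not visible here.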

@ -3,6 +3,9 @@
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: create php-fpm tmpfiles
command: systemd-tmpfiles --create /etc/tmpfiles.d/run_php.conf
- name: restart php-fpm.service (front)
systemd:
daemon_reload: true

@ -26,6 +26,15 @@
- php-geoip
- geoip-database-extra
- name: install front software
package:
name: "{{item}}"
state: present
with_items:
- php-fpm
when:
- (inventory_hostname in groups['front'])
### UPSTREAM END ⇒ ###
- name: merge upstream
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
@ -115,6 +124,100 @@
notify:
- restart php-fpm.service (front)
- name: configure php-fpm
block:
- name: create php-fpm working directories
copy:
content: |
#Type Path Mode UID GID Age Argument
d /run/php-fpm 775 http http - -
dest: /etc/tmpfiles.d/run_php.conf
mode: 0644
notify:
- create php-fpm tmpfiles
- name: prepare to override systemd settings
file:
name: /etc/systemd/system/{{item}}.service.d
state: directory
mode: 0755
with_items:
- php-fpm
- name: secure systemd settings for php-fpm
copy:
content: |
[Unit]
After=systemd-tmpfiles-setup.service
[Service]
User=http
Group=http
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
PrivateTmp=true
PrivateDevices=true
ProtectSystem=true
ProtectHome=true
NoNewPrivileges=true
PIDFile=/run/php-fpm/php-fpm.pid
dest: /etc/systemd/system/php-fpm.service.d/secure-{{nickname}}.conf
mode: 0644
notify:
- restart php-fpm.service (front)
- name: set the php-fpm settings
lineinfile:
path: /etc/php/php-fpm.d/www.conf
regexp: '^;*{{item.key}}\s*='
line: '{{item.key}} = {{item.value}}'
with_dict:
listen: /run/shared_sockets/php-fpm
pm: dynamic
'pm.max_children': '{{php_max_workers}}'
'pm.start_servers': 1
'pm.min_spare_servers': 1
'pm.max_spare_servers': '{{php_max_workers}}'
'pm.max_requests': '{{php_worker_max_reqs}}'
notify:
- restart php-fpm.service (front)
- name: disable useless user/group specs
lineinfile:
path: /etc/php/php-fpm.d/www.conf
backrefs: true
regexp: '^({{item}}\s*=.*)'
line: ';\1'
with_items:
- user
- group
- 'listen.group'
notify:
- restart php-fpm.service (front)
- name: set the PID file path for php-fpm
lineinfile:
path: /etc/php/php-fpm.conf
regexp: '^;*pid\s*='
line: 'pid = /run/php-fpm/php-fpm.pid'
notify:
- restart php-fpm.service (front)
- name: enable php-fpm.service
systemd:
daemon_reload: true
name: php-fpm.service
enabled: true
- name: PHP test-page in test environment
copy:
content: <?php phpinfo();
dest: /srv/http/index.php
mode: 0644
when: (env == 'dev')
when:
- (inventory_hostname in groups['front'])
### LOCAL COMMIT ⇒ ###
- name: commit local changes
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
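Review bot: `ProtectSystem=true` in the `secure systemd settings for php-fpm` drop-in only makes `/usr` and the boot directories read-only; `/etc`, which holds the php-fpm configuration this very task list edits, stays writable for the `http` user. The kodi drop-in touched by this commit already uses `ProtectSystem=full` (L1266), so `ProtectSystem=full` here (or `strict` plus `ReadWritePaths=/run/php-fpm /run/shared_sockets`) would be the consistent choice. The `block:` header at L1785 is inside the hunk while the surrounding task list continues outside it.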

@ -3,8 +3,8 @@
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted

@ -53,7 +53,7 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
### LOCAL COMMIT ⇒ ###
- name: commit local changes

@ -45,7 +45,7 @@
- name: send Ansibles forced-command
copy:
content: |
#!/bin/bash
#!/usr/bin/env bash
eval $SSH_ORIGINAL_COMMAND
dest: "{{chroot}}/root/.ssh/force_ansible.sh"
mode: 0700

@ -0,0 +1,10 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart openresty.service
systemd:
daemon_reload: true
name: openresty.service
state: restarted

@ -0,0 +1,8 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:
- role: cleanupdate
- role: dmz_nginx

93
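--- /dev/null
+++ b/roles/sso/tasks/main.yml
@@ -0,0 +1,93 @@
+---
+# The home-server project produces a multi-purpose setup using Ansible.
+# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
+# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
+### UPSTREAM BEGIN ⇒ ###
+- name: pull prerequisites from upstream
+  include_role: name=etckeeper.inc allow_duplicates=true tasks_from=upstream.yml
+  vars:
+    msg: SSO
+### ⇐ UPSTREAM BEGIN ###
+- name: (SSOwat) uninstall software
+  package:
+    name: "{{item}}"
+    state: absent
+  with_items:
+  # 2023-05-20: removed
+  - ssowat-git
+  - nginx-mainline-mod-lua
+  - nginx-mainline-mod-ndk
+  - lua51-lualdap-git
+- name: install AUR software
+  include_role:
+    name: aur.inc
+    allow_duplicates: true
+  vars:
+    packages:
+    - simple-sso-git
+### UPSTREAM END ⇒ ###
+- name: merge upstream
+  include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
+  vars:
+    msg: SSO
+### ⇐ UPSTREAM END ###
+# 2023-05-20: removed
+- name: (SSOwat) remove SSOwat configuration
+  file:
+    path: /etc/ssowat
+    state: absent
+  notify:
+  - restart openresty.service
+# 2023-05-20: removed
+- name: (SSOwat) remove external LUA module from Nginx
+  file:
+    path: /etc/nginx/main.inc.d/ndk+lua.inc
+    state: absent
+  notify:
+  - restart openresty.service
+- name: init the SSO code in Nginx
+  copy:
+    content: |
+      lua_shared_dict cache 10m;
+      init_by_lua_file /etc/nginx/ssso/do_init.lua;
+    dest: /etc/nginx/conf.d/00_sso.conf
+    group: http
+    mode: 0640
+  notify:
+  - restart openresty.service
+- name: enforce SSO checking for each request
+  copy:
+    content: |
+      access_by_lua_file /etc/nginx/ssso/do_access.lua;
+    dest: /etc/nginx/inc.d/00_sso.https.inc
+    group: http
+    mode: 0640
+  notify:
+  - restart openresty.service
+- name: send the custom SSO configuration
+  template:
+    src: templates/conf.json.j2
+    dest: /etc/nginx/ssso/global.json
+    group: http
+    mode: 0640
+- name: register the fact that SSO is installed
+  set_fact:
+    is_sso_used: true
+### LOCAL COMMIT ⇒ ###
+- name: commit local changes
+  include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
+  vars:
+    msg: SSO
+### ⇐ LOCAL COMMIT ###
+- meta: flush_handlers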
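Review bot: The `send the custom SSO configuration` task writes `/etc/nginx/ssso/global.json` but, unlike the two `copy` tasks before it, has no `notify: - restart openresty.service`; since `init_by_lua_file` runs at worker start, a changed auth command or `session_seconds` will not take effect until something else restarts the server, unless `do_init.lua` re-reads the file per request, which is not visible here. Adding the same `notify` keeps the three SSO files consistent. `is_sso_used` is a `set_fact` that other roles test later in the play (e.g. the Transmission SSO task), so those roles silently skip their SSO wiring whenever this role is not run.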

@ -0,0 +1,8 @@
{
"auth": {
"check": "/usr/bin/ldapsearch -x -D \"uid=\ru.,ou=users,dc=example,dc=org\" -w \"\rp.\" -b 'ou=users,dc=example,dc=org' -s one -LLL -l 1 -z 1 \"(uid=\ru.)\" cn mail | /usr/bin/gawk '/^cn/{n=gensub(/cn: */,\"\",1)};/^mail/{m=gensub(/mail: */,\"\",1)};END{printf(\"%s\\n%s\\n\",n,m)}'"
},
"session_seconds": 300,
"sso_host": "{{net_soa}}",
"sso_prefix": "{{http_pfx_sso}}"
}
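Review bot: The `check` command interpolates the submitted login (`\ru.`) and password (`\rp.`) into a shell command line: the password is passed with `-w`, which exposes it in the process list to every local user while `ldapsearch` runs, and both values sit inside double quotes, so unless simple-sso shell-escapes them a value containing `"`, `$` or a backtick changes the command, and a login containing `*` or `)` changes the LDAP filter `(uid=\ru.)`. `ldapsearch -y <password-file>` keeps the secret off the command line; the escaping behaviour of the placeholders should be confirmed against the simple-sso documentation before the scheme is relied on, and the `dc=example,dc=org` base should be checked against the real directory.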

134
site.yaml
@ -3,77 +3,77 @@
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- hosts: back
remote_user: root
roles:
- _maintenance_start
- init
- transmission_back
- ntp
- cleanupdate
- printscan
- sockets
- front
- postinstall
- msmtp
- role: nfs
when: (env == 'prod')
- role: transmission_nfs
when: (env == 'prod')
- pyruse
- nftables_back
- postgresql
- slapd
- php
- ldap
# - wallabag_back
- dotclear_back
# - movim_back
- prosody_back
- ihmgit_back
- nextcloud_back
- ssh
- dovecot
- mediaplayer
- motion_back
- role: front_run
when: (env == 'prod')
- role: acme_back
when: (env == 'prod')
- nextcloud_davfs
- _maintenance_stop
#- hosts: back
# remote_user: root
# roles:
# - _maintenance_start
# - init
# - transmission_back
# - ntp
# - cleanupdate
# - printscan
# - sockets
# - front
# - postinstall
# - msmtp
# - role: nfs
# when: (env == 'prod')
# - role: transmission_nfs
# when: (env == 'prod')
## - pyruse
# - nftables_back
# - postgresql
# - slapd
# - php
# - ldap
## - wallabag_back
# - dotclear_back
## - movim_back
# - prosody_back
# - ihmgit_back
# - nextcloud_back
# - ssh
# - dovecot
## - mediaplayer
## - motion_back
# - role: front_run
# when: (env == 'prod')
# - acme_back
# - nextcloud_davfs
# - _maintenance_stop
- hosts: front
remote_user: root
roles:
- _maintenance_start
- init
- cleanupdate
- postinstall
- ldap
- iodine
- role: ddclient.inc
when: (env == 'dev')
- role: ddclient_HE_example
when: (env == 'prod')
- role: ddclient_FreeDNS_example
when: (env == 'prod')
- dmz_nginx
- ssowat
- php
- ssh
# - init
# - cleanupdate
# - postinstall
# - ldap
- openvpn
# - iodine
# - role: ddclient.inc
# when: (env == 'dev')
# - role: ddclient_HE_example
# when: (env == 'prod')
# - role: ddclient_FreeDNS_example
# when: (env == 'prod')
# - dmz_nginx
- sso
# - php
# - ssh
- transmission
- dmz_exim
- dmz_haproxy
# - dmz_exim
# - dmz_haproxy
- dmz_ihmgit_front
- dmz_nextcloud_front
- dmz_dotclear_front
- dmz_ihmldap
- dmz_prosody_front
- dmz_motion_front
# - dmz_wallabag_front
- acme_front
- privatebin
# - dmz_movim_front
- nftables_front
- _maintenance_stop
# - dmz_nextcloud_front
# - dmz_dotclear_front
# - dmz_ihmldap
# - dmz_prosody_front
# - dmz_motion_front
## - dmz_wallabag_front
# - acme_front
# - privatebin
## - dmz_movim_front
# - nftables_front
# - _maintenance_stop
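Review bot: The surviving `#` markers suggest the new side of this hunk comments out the whole `back` play and most of the `front` roles — including `nftables_front`, `acme_front`, `dmz_haproxy` and `dmz_exim` — leaving only `openvpn`, `sso`, `transmission` and a few `dmz_*` roles active; if that reading is right, this is a development short-cut committed into the production playbook, since a `make ansible` run against the `prod` inventory would deploy the new VPN and BitTorrent pieces without the firewall role. If the narrowing is intentional, a separate dev playbook or `--tags` would keep `site.yaml` complete. The old and new sides cannot be told apart with certainty from this rendering.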

@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.

@ -1,4 +1,10 @@
SHELL := /bin/bash
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
# REQUIRED: make, root-less podman, jq, ssh-keygen
SHELL := /usr/bin/env bash
# https://stackoverflow.com/a/23324703
ROOT_DIR := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
@ -32,7 +38,7 @@ clean: rmi
podman rmi archlinux; true
ansible: back-dev
cd "${ROOT_DIR}/../.." && ansible-playbook -i env/dev -vvv site.yaml
cd "${ROOT_DIR}/../.." && ansible-playbook -i env/dev -v site.yaml
front-img: Makefile front.Dockerfile id-dev.pub id-chroot.pub
ds=$$(find $^ -maxdepth 0 -printf %T@ | sort -t. -rn | awk -F. 'NR==1{print $$1}'); \

7
tools/podman/id-chroot Normal file
@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBDBWwJdAOKQELMTT819qi+FkFk3IEGNrMrfNJPbr9eTAAAAJCeYYR6nmGE
egAAAAtzc2gtZWQyNTUxOQAAACBDBWwJdAOKQELMTT819qi+FkFk3IEGNrMrfNJPbr9eTA
AAAECHIS9x8FuevOopTggeY1jUNXQ8BSDHbqKXY8iC/UnDYkMFbAl0A4pAQsxNPzX2qL4W
QWTcgQY2syt80k9uv15MAAAAC3l2ZXNAanVuaW9yAQI=
-----END OPENSSH PRIVATE KEY-----
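Review bot: `tools/podman/id-chroot` is an unencrypted OpenSSH private key checked into the repository, as are `tools/podman/id-dev` (L2228) and `yalis.fr.key` (L2248); once pushed, a key in history has to be treated as disclosed, even if the first two only open the development container reached from the `DMZ.dev` script (L1211). The Makefile already lists `ssh-keygen` as a requirement (L2197) and `front-img` depends only on the `.pub` halves (L2206), so generating the key pairs locally and adding the private files to `.gitignore` fits the existing build. The `yalis.fr.key` / `.pubkey` pair has no visible consumer in this commit and should be rotated and purged from history regardless of its purpose.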

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMFbAl0A4pAQsxNPzX2qL4WQWTcgQY2syt80k9uv15M yves@junior

7
tools/podman/id-dev Normal file
@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACD7InR8yYZ110XVqODVFZpDDkXDTfZPUWGlOHkmIGd4VgAAAJiDMF+FgzBf
hQAAAAtzc2gtZWQyNTUxOQAAACD7InR8yYZ110XVqODVFZpDDkXDTfZPUWGlOHkmIGd4Vg
AAAEDnXKRHTmIe8L7QuI7ROmmTNSHvAhAtcBguX68/9E9c5fsidHzJhnXXRdWo4NUVmkMO
RcNN9k9RYaU4eSYgZ3hWAAAAD3l2ZXNAc2VkZW50YWlyZQECAwQFBg==
-----END OPENSSH PRIVATE KEY-----

1
tools/podman/id-dev.pub Normal file
@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsidHzJhnXXRdWo4NUVmkMORcNN9k9RYaU4eSYgZ3hW me@my-pc

52
yalis.fr.key Normal file
@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

14
yalis.fr.pubkey Normal file
@ -0,0 +1,14 @@
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuNMWZS3E+JhPf+4sDAut
vBQkRJI/G1+FAh1L3NaXMoS4DmRv8Jf90ZN+wamtsJ6p0UCnxhy6GikOyGbQZTDx
skCB8x0i2ExaWoFAviHS40NsfU39NYKgUYkV8ieDUbZLqTldnKTkKGMBRHzkzlEc
gPoXbuA9YFPSJkymPqkuOV7xIoZluDIHCJVSYFTy/UzrQqrYUhsSVSf8QXnKRovd
duW05ADSl8lvuxNJRq1ofQEPw2lTog7LfcHsGVcJU9pPO3K+3HQOCKcC8YchzKvp
siUtoFW9eITYMu2nyfBAsouVX6B9o+j5hK0+w8VDTTSALE4+fdWMhs1vq61GtE1E
WYwGpbKzBLLUuuZg5wtdJuqVQl/elQ4nMiMpn2tAjpwdGcVUFJoHzJfg7XEeO7l2
iT2a26UcylPjtOUScwNcMrEYhCG8IfW0jDkgpKQO0rVGe86iHZpZvHE20AwlAjEy
yHyNU8K2brDNmupjFy0LLANoD8uyZElGbyIOZlz3O+4zIXTDY880Dmi29ZLj+iYD
mU5+JjLB8wONT5pzuiv4lWq2Gg8RIOgPz3SfxLeIS8ac9fGn+13MVTJOVkv5XtmG
JTk04njA1cz7KnHwW+SrLOzDRKCHzM6kJjyCc+3dttJ8Z8doCxfMAjXPtCo79tvt
teMSN1wINmWThhTF3v9Hz4kCAwEAAQ==
-----END PUBLIC KEY-----