WIP
parent
e0087d54f0
commit
2c50b3398e
|
@ -74,8 +74,8 @@ Command (m for help): g
|
|||
Created a new GPT disklabel…
|
||||
|
||||
Command (m for help): n
|
||||
Partition number (1-128, default 1):
|
||||
First sector (…):
|
||||
Partition number (1-128, default 1):
|
||||
First sector (…):
|
||||
Last sector, +sectors or +size{K,M,G,T,P} (…): +128M
|
||||
|
||||
Created a new partition 1…
|
||||
|
@ -86,14 +86,14 @@ Hex code (type L to list all codes): 1
|
|||
Changed type of partition 'Linux filesystem' to 'EFI System'.
|
||||
|
||||
Command (m for help): n
|
||||
Partition number (2-128, default 2):
|
||||
First sector (…):
|
||||
Partition number (2-128, default 2):
|
||||
First sector (…):
|
||||
Last sector, +sectors or +size{K,M,G,T,P} (…):
|
||||
|
||||
Created a new partition 2…
|
||||
|
||||
Command (m for help): t
|
||||
Partition number (1,2, default 2):
|
||||
Partition number (1,2, default 2):
|
||||
Hex code (type L to list all codes): 31
|
||||
|
||||
Changed type of partition 'Linux filesystem' to 'Linux LVM'.
|
||||
|
@ -304,7 +304,7 @@ root@archiso ~ # arch-chroot /mnt
|
|||
[root@archiso /]# cat >/etc/systemd/network/bridge.network <<-"THEEND"
|
||||
> [Match]
|
||||
> Name=wire
|
||||
>
|
||||
>
|
||||
> [Network]
|
||||
> IPForward=yes
|
||||
> Address={back-ip}/{net-bits}
|
||||
|
@ -313,7 +313,7 @@ root@archiso ~ # arch-chroot /mnt
|
|||
[root@archiso /]# cat >/etc/systemd/network/wired.network <<-"THEEND"
|
||||
> [Match]
|
||||
> Name=en*
|
||||
>
|
||||
>
|
||||
> [Network]
|
||||
> Bridge=wire
|
||||
> THEEND
|
||||
|
@ -390,12 +390,12 @@ NOTE: Most values and paths here are examples, and shall be adapted.
|
|||
[subs="+attributes"]
|
||||
```bash
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop haproxy.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop nginx.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop openresty.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop php-fpm.service
|
||||
[root@{back-name} ~]# sudo -u postgres pg_restore -c -C -F c -d postgres \
|
||||
> </backup/dotclear.cdump
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start php-fpm.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start nginx.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start openresty.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start haproxy.service
|
||||
```
|
||||
|
||||
|
@ -404,7 +404,7 @@ NOTE: Most values and paths here are examples, and shall be adapted.
|
|||
[subs="+attributes"]
|
||||
```bash
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop haproxy.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop nginx.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop openresty.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop prosody.service
|
||||
[root@{back-name} ~]# sudo -u postgres pg_restore -c -C -F c -d postgres \
|
||||
> </backup/prosody.cdump
|
||||
|
@ -419,7 +419,7 @@ ALTER TABLE
|
|||
{prosody-db}=# \q
|
||||
[postgres@{back-name} ~]$ exit
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start prosody.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start nginx.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start openresty.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start haproxy.service
|
||||
```
|
||||
|
||||
|
@ -444,7 +444,7 @@ Stop Nextcloud and restore the data::
|
|||
[subs="+attributes"]
|
||||
```bash
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop haproxy.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop nginx.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop openresty.service
|
||||
[root@{back-name} ~]# systemctl stop nextcloud-maintenance.timer
|
||||
[root@{back-name} ~]# systemctl stop uwsgi@nextcloud.socket
|
||||
[root@{back-name} ~]# systemctl stop uwsgi@nextcloud.service
|
||||
|
@ -514,7 +514,7 @@ Restart Nextcloud::
|
|||
```bash
|
||||
[root@{back-name} ~]# systemctl start uwsgi@nextcloud.socket
|
||||
[root@{back-name} ~]# systemctl start nextcloud-maintenance.timer
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start nginx.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start openresty.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start haproxy.service
|
||||
```
|
||||
|
||||
|
|
|
@ -43,8 +43,8 @@ locales_enabled: 'en_US.UTF-8 en_GB.UTF-8'
|
|||
dns_sec: 'no'
|
||||
|
||||
# DNS servers to use on the server, for example:
|
||||
# OpenNIC-1 OpenNIC-2 Google
|
||||
dns_hosts: '87.98.175.85 5.135.183.146 8.8.8.8'
|
||||
# OpenNIC-1 OpenNIC-2 Cloudflare-1/-2
|
||||
dns_hosts: '51.158.108.203 51.77.149.139 1.1.1.1 1.0.0.1'
|
||||
|
||||
# Nearest NTP servers (https://www.ntppool.org/).
|
||||
ntp_hosts: '0.uk.pool.ntp.org 1.uk.pool.ntp.org 2.uk.pool.ntp.org 3.uk.pool.ntp.org'
|
||||
|
@ -186,7 +186,7 @@ http_pfx_privatebin: /paste
|
|||
http_pfx_prosody: /xmpp-
|
||||
|
||||
# URL prefix of SSOwat (SSO and web portal).
|
||||
http_pfx_ssowat: /start
|
||||
http_pfx_sso: /start
|
||||
|
||||
# URL prefix of Transmission (web UI for BitTorrent).
|
||||
http_pfx_transmission: /torrent
|
||||
|
@ -376,7 +376,7 @@ net_subdom_ssh: ssh
|
|||
|
||||
# Local networks from which network connections are trusted.
|
||||
# OpenSSH requires that the IP in front of the “/” character is the first IP of the range!
|
||||
net_trusted_ranges: '192.168.1.248/28 127.0.0.0/8 ::1'
|
||||
net_trusted_ranges: '192.168.1.240/28 127.0.0.0/8 ::1'
|
||||
|
||||
# Administrator for Nextcloud (not necessarily an LDAP user).
|
||||
nextcloud_admin_user: nextcloud_admin
|
||||
|
@ -525,6 +525,61 @@ transmission_real_todo_at: /mnt/share/p2p/iso.torrent
|
|||
transmission_nfs_done_at: share/p2p/iso
|
||||
transmission_nfs_todo_at: share/p2p/iso.torrent
|
||||
|
||||
# Name used in file-names to identify the VPN
|
||||
vpn_name: my_vpn
|
||||
|
||||
# IP/CIDR of DMZ’ no-VPN network namespace when VPN is setup
|
||||
vpn_avoiding_ip_cidr: 192.168.1.240/24
|
||||
|
||||
# OpenVPN credentials
|
||||
vpn_login: my-vpn-login
|
||||
vpn_password: my-vpn-password
|
||||
|
||||
# OpenVPN settings
|
||||
vpn_ca_certificate: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
-----END CERTIFICATE-----
|
||||
vpn_interface_type: tun # or tap
|
||||
vpn_protocol: udp6 # or udp, tcp, tcp6
|
||||
vpn_server_host: vpn.example.org
|
||||
vpn_server_port: 1194
|
||||
vpn_tls_auth_key: |
|
||||
-----BEGIN OpenVPN Static key V1-----
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
-----END OpenVPN Static key V1-----
|
||||
|
||||
# Name of the Wallabag database in PostgreSQL.
|
||||
wallabag_db: wallabag
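Review bot: `vpn_password` and `vpn_tls_auth_key` are secrets, and the hunk adds them to the same plain vars file as the public settings (`vpn_ca_certificate`, `vpn_server_host`, the port and protocol are fine in the clear). Even as placeholder examples, the real values will end up in git history next to `vpn_login` unless they live in a vault-encrypted file and are only referenced from here, e.g. `vpn_password: "{{ vault_vpn_password }}"` and `vpn_tls_auth_key: "{{ vault_vpn_tls_auth_key }}"`. The tls-auth static key is a pre-shared secret that gates the OpenVPN control channel, so it deserves the same handling as the password; a one-line comment above the block saying which keys are expected to come from the vault would make that explicit.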
|
||||
|
||||
|
|
|
@ -10,6 +10,12 @@
|
|||
msg: ACME
|
||||
### ⇐ UPSTREAM BEGIN ###
|
||||
|
||||
- name: install software (dev)
|
||||
package:
|
||||
# for Ansible crypto
|
||||
name: python-cryptography
|
||||
when: (env == 'dev')
|
||||
|
||||
- name: install dehydrated (Let’s Encrypt)
|
||||
include_role:
|
||||
name: aur.inc
|
||||
|
@ -68,6 +74,7 @@
|
|||
src: files/dehydrated.timer
|
||||
dest: /etc/systemd/system/dehydrated.timer
|
||||
mode: 0644
|
||||
when: (env == 'prod')
|
||||
notify:
|
||||
- restart dehydrated.service
|
||||
|
||||
|
@ -76,6 +83,45 @@
|
|||
daemon_reload: true
|
||||
name: dehydrated.timer
|
||||
enabled: true
|
||||
when: (env == 'prod')
|
||||
|
||||
## DEV
|
||||
|
||||
#https://docs.ansible.com/ansible/latest/collections/community/crypto/docsite/guide_selfsigned.html
|
||||
|
||||
- name: create private key (dev)
|
||||
community.crypto.openssl_privatekey:
|
||||
path: /var/lib/acme/self-signed.key
|
||||
when: (env == 'dev')
|
||||
|
||||
- name: create CSR (dev)
|
||||
community.crypto.openssl_csr:
|
||||
path: /var/lib/acme/self-signed.csr
|
||||
privatekey_path: /var/lib/acme/self-signed.key
|
||||
common_name: "{{net_soa}}"
|
||||
organization_name: "{{nickname}}"
|
||||
subject_alt_name: "{{acme_domains | split | map('regex_replace','^','DNS:')}}"
|
||||
subject_alt_name_critical: true
|
||||
when: (env == 'dev')
|
||||
|
||||
- name: create self-signed certificate (dev)
|
||||
community.crypto.x509_certificate:
|
||||
path: /var/lib/acme/self-signed.pem
|
||||
privatekey_path: /var/lib/acme/self-signed.key
|
||||
csr_path: /var/lib/acme/self-signed.csr
|
||||
provider: selfsigned
|
||||
when: (env == 'dev')
|
||||
|
||||
- name: deploy self-signed certificate (dev)
|
||||
command: >
|
||||
/etc/dehydrated/{{nickname}}-hook.sh deploy_cert
|
||||
{{net_soa}}
|
||||
/var/lib/acme/self-signed.key
|
||||
/var/lib/acme/self-signed.pem
|
||||
/var/lib/acme/self-signed.pem
|
||||
/dev/null
|
||||
{{ansible_date_time.epoch}}
|
||||
when: (env == 'dev')
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
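Review bot: The `deploy self-signed certificate (dev)` task at the end of the hunk runs on every play: the `command:` has no `creates:` or `changed_when:`, so it is re-executed and reported changed even when the `openssl_privatekey`/`openssl_csr`/`x509_certificate` tasks above were idempotent no-ops, and passing `{{ansible_date_time.epoch}}` as the timestamp makes each run look like a fresh issuance to the hook. Register the certificate task (`register: selfsigned_cert`) and gate the deploy with `when: (env == 'dev') and (selfsigned_cert is changed)`. The private key is also created without an explicit `mode`/`owner`; stating `mode: 0600` rather than relying on the module default documents what the hook that later copies it expects.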
|
||||
|
|
|
@ -2,17 +2,20 @@
|
|||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
#
|
||||
# NOTE: on 1st run, DMZ software is NOT YET INSTALLED!
|
||||
set -e
|
||||
|
||||
RSH=/usr/local/bin/{{DMZ}}
|
||||
ETC_CHANGED_{{hostname}}=
|
||||
ETC_CHANGED_{{DMZ}}=
|
||||
ETC_CHANGED_{{hostname | regex_replace('-', '_')}}=
|
||||
ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}=
|
||||
|
||||
etckeeper_hook() {
|
||||
if [ -n "$ETC_CHANGED_{{hostname}}" ]; then
|
||||
etc_stop_local 'ACME update'
|
||||
fi
|
||||
if [ -n "$ETC_CHANGED_{{DMZ}}" ]; then
|
||||
$RSH "etc_stop_local 'ACME update'"
|
||||
$RSH "etc_stop_local 'ACME update' || true"
|
||||
fi
|
||||
}
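Review bot: The reads in `etckeeper_hook` still expand `$ETC_CHANGED_{{hostname}}` and `$ETC_CHANGED_{{DMZ}}` while the assignments were changed to `ETC_CHANGED_{{hostname | regex_replace('-', '_')}}=` and `ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}=`; if those two `if [ -n ... ]` lines are unchanged context and the names contain a hyphen, the shell expands `$ETC_CHANGED_my` (empty) followed by the literal `-host`, which is never empty, so `etc_stop_local` fires on every invocation. Rename the reads the same way: `if [ -n "$ETC_CHANGED_{{hostname | regex_replace('-', '_')}}" ]; then` and `if [ -n "$ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}" ]; then`. A hostname without a hyphen hides the problem, which is presumably why it did not show up in dev.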
|
||||
|
||||
|
@ -37,11 +40,11 @@ deploy_exim() {
|
|||
&& $RSH 'find /etc/mail/exim.{pem,crt} -mmin -$((1+($(date +%s)-${1})/60)) -printf . | grep -q ..' ${6%.*}; then
|
||||
return 0
|
||||
fi
|
||||
local copy='cat >$1; chown exim $1; chmod 400 $1; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
|
||||
local copy='[ -d /etc/mail ] || mkdir -p /etc/mail; cat >$1; if id exim 2>/dev/null; then chown exim $1; chmod 400 $1; else chmod 444 $1; fi; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
|
||||
$RSH "$copy" /etc/mail/exim.pem $6 <"$2"
|
||||
$RSH "$copy" /etc/mail/exim.crt $6 <"$4"
|
||||
systemctl -M {{DMZ}} reload exim.service
|
||||
ETC_CHANGED_{{DMZ}}=1
|
||||
$RSH 'systemctl reload exim.service || true'
|
||||
ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}=1
|
||||
}
|
||||
|
||||
# $1: force|test; $2: KEYFILE; $3: CERTFILE; $4: FULLCHAINFILE; $5: CHAINFILE; $6: TIMESTAMP
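Review bot: The new `copy` fallback writes the private key world-readable: `$2` is KEYFILE (per the `# $1: force|test; $2: KEYFILE …` comment) and is streamed into `/etc/mail/exim.pem`, so on a first run where the `exim` user does not exist yet (the script header notes DMZ software is not installed on the first run) the `else chmod 444 $1` branch leaves the TLS key readable by every local user. The early `return 0` above (the `if` begins before the hunk) compares only mtimes, so a later run with the same certificate will not revisit ownership or mode either. Keep the file root-only until the owner exists — `umask 077; cat >$1; if id exim >/dev/null 2>&1; then chown exim $1; fi; chmod 400 $1` — and repair ownership on every call ahead of the early return, e.g. `$RSH 'id exim >/dev/null 2>&1 && chown exim /etc/mail/exim.pem /etc/mail/exim.crt || true'` as the function's first statement. `>/dev/null` also stops `id` from printing its uid/gid line into the command output. The same pattern is in `deploy_prosody` in the next hunk (`/etc/prosody/certs/{{net_soa}}.key`).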
|
||||
|
@ -51,11 +54,11 @@ deploy_prosody() {
|
|||
&& $RSH 'find /etc/prosody/certs/{{net_soa}}.{key,crt} -mmin -$((1+($(date +%s)-${1})/60)) -printf . | grep -q ..' ${6%.*}; then
|
||||
return 0
|
||||
fi
|
||||
local copy='cat >$1; chown prosody $1; chmod 400 $1; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
|
||||
local copy='[ -d /etc/prosody/certs ] || mkdir -p /etc/prosody/certs; cat >$1; if id prosody 2>/dev/null; then chown prosody $1; chmod 400 $1; else chmod 444 $1; fi; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
|
||||
$RSH "$copy" /etc/prosody/certs/{{net_soa}}.key $6 <"$2"
|
||||
$RSH "$copy" /etc/prosody/certs/{{net_soa}}.crt $6 <"$4"
|
||||
systemctl -M {{DMZ}} reload prosody.service
|
||||
ETC_CHANGED_{{DMZ}}=1
|
||||
$RSH 'systemctl reload prosody.service || true'
|
||||
ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}=1
|
||||
}
|
||||
|
||||
# $1: force|test; $2: KEYFILE; $3: CERTFILE; $4: FULLCHAINFILE; $5: CHAINFILE; $6: TIMESTAMP
|
||||
|
@ -65,10 +68,10 @@ deploy_haproxy() {
|
|||
&& $RSH 'find /etc/haproxy/tls.pem -mmin -$((1+($(date +%s)-${1})/60)) -printf . | grep -q .' ${6%.*}; then
|
||||
return 0
|
||||
fi
|
||||
local copy='cat >$1; chmod 400 $1; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
|
||||
local copy='[ -d /etc/haproxy ] || mkdir -p /etc/haproxy; cat >$1; chmod 400 $1; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
|
||||
cat "$4" "$2" | $RSH "$copy" /etc/haproxy/tls.pem $6
|
||||
systemctl -M {{DMZ}} reload haproxy.service
|
||||
ETC_CHANGED_{{DMZ}}=1
|
||||
$RSH 'systemctl reload haproxy.service || true'
|
||||
ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}=1
|
||||
}
|
||||
|
||||
deploy_cert() {
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
||||
|
|
|
@ -20,7 +20,7 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
|
|
|
@ -41,7 +41,9 @@
|
|||
block:
|
||||
|
||||
- name: AUR → {{pkg_name}} → run custom pre-processing commands
|
||||
shell: "{{pre_cmd}}"
|
||||
shell: |
|
||||
set -x
|
||||
{{pre_cmd}}
|
||||
args:
|
||||
chdir: /var/tmp/{{aurjson.json.results[0].PackageBase}}
|
||||
when: pre_cmd
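Review bot: `set -x` only traces; without `set -e` a failing line in the middle of `{{pre_cmd}}` (the multi-step PKGBUILD patching in the openresty role is the obvious consumer) is ignored and the task still succeeds, because the shell module reports only the last command's status. Use `set -ex` (or `set -eux`) on the added line. Be aware that the trace goes into the Ansible output and logs, so anything sensitive in a pre-processing command would be logged with it.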
|
||||
|
|
|
@ -46,7 +46,7 @@
|
|||
- name: post-update script for he.net
|
||||
copy:
|
||||
content: |
|
||||
#!/bin/bash
|
||||
#!/usr/bin/env bash
|
||||
# $1: new IP address
|
||||
if [ -f /etc/conf.d/iodined ]; then
|
||||
sed -i "s/^IODINE_EXT_IP=.*/IODINE_EXT_IP='$1'/" /etc/conf.d/iodined
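Review bot: `#!/usr/bin/env bash` makes the interpreter lookup depend on the caller's PATH; for a post-update hook that a daemon runs as root, a fixed `#!/usr/bin/bash` is the more predictable choice on an Arch host (where `/bin` is a symlink to `/usr/bin`, so the old `#!/bin/bash` was already valid), and the same applies to the arch-chroot replacement in the next hunk. If portability to other distributions was the motivation, a one-line comment above the shebang saying so would stop the next reader from reverting it.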
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
- name: replace /usr/bin/arch-chroot in Podman
|
||||
copy:
|
||||
content: |
|
||||
#!/bin/bash
|
||||
#!/usr/bin/env bash
|
||||
args=()
|
||||
while [ $# -gt 1 ]; do shift; args+=("$(printf "%q" "$1")"); done
|
||||
[ -t 0 ] && t=-t || t=-T
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
||||
|
|
|
@ -58,7 +58,7 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
|
|
|
@ -193,22 +193,34 @@
|
|||
regexp: '^(?:#\s*)?root:'
|
||||
line: "root: {{mail_forward_root_to}}"
|
||||
|
||||
- name: send DKIM private key
|
||||
- name: send DKIM private key (prod)
|
||||
copy:
|
||||
src: files/{{net_soa}}_dkim.privk.pem
|
||||
dest: /etc/mail/{{net_soa}}_dkim.privk.pem
|
||||
owner: exim
|
||||
group: exim
|
||||
mode: 0400
|
||||
when: (env == 'prod')
|
||||
notify:
|
||||
- restart exim.service
|
||||
|
||||
- name: set smarthost name
|
||||
- name: create DKIM private key (dev)
|
||||
shell: |
|
||||
# https://dkimcore.org/specification.html
|
||||
openssl genrsa -out /etc/mail/{{net_soa}}_dkim.privk.pem 1024
|
||||
openssl rsa -in /etc/mail/{{net_soa}}_dkim.privk.pem -pubout >/etc/mail/{{net_soa}}_dkim.pubk.pem
|
||||
chown exim:exim /etc/mail/{{net_soa}}_dkim.*.pem
|
||||
chmod 0400 /etc/mail/{{net_soa}}_dkim.*.pem
|
||||
when: (env == 'dev')
|
||||
notify:
|
||||
- restart exim.service
|
||||
|
||||
- name: disable smarthost
|
||||
lineinfile:
|
||||
path: /etc/mail/exim.conf
|
||||
regexp: '^(?:#\s*)?ROUTER_SMARTHOST\s*='
|
||||
line: |
|
||||
ROUTER_SMARTHOST={{mail_smtp_smarthost}}
|
||||
regexp: '^(\s*ROUTER_SMARTHOST\s*=.*)'
|
||||
backrefs: true
|
||||
line: '#\\1'
|
||||
notify:
|
||||
- restart exim.service
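Review bot: `openssl genrsa … 1024` generates a 1024-bit DKIM key; RFC 8301 sets 1024 bits as the minimum and recommends 2048, and some verifiers already treat 1024 as weak, so even the dev key should be `openssl genrsa -out /etc/mail/{{net_soa}}_dkim.privk.pem 2048` to mirror what prod is expected to run. The `shell:` task also has no `args: creates: /etc/mail/{{net_soa}}_dkim.privk.pem`, so every play regenerates the key pair and restarts exim. Separately, in the `disable smarthost` task `line: '#\\1'` is single-quoted, so YAML keeps both backslashes and the backref expansion most likely produces a literal `#\1` rather than the commented-out line; `line: '#\1'` (equivalent to the old `"\\1 remote_smtp"` form, which did resolve to `\1`) is what was intended.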
|
||||
|
||||
|
@ -278,18 +290,11 @@
|
|||
notify:
|
||||
- restart exim.service
|
||||
|
||||
- name: set TLS parameters for OpenSSL (old)
|
||||
blockinfile:
|
||||
- name: set TLS parameters for OpenSSL
|
||||
replace:
|
||||
path: /etc/mail/exim.conf
|
||||
marker: '# {mark} OpenSSL parameters'
|
||||
block: |
|
||||
insertafter: '^tls_advertise_hosts\s*='
|
||||
|
||||
- name: set TLS parameters for OpenSSL (new)
|
||||
lineinfile:
|
||||
path: /etc/mail/exim.conf
|
||||
regexp: '^(?:#\s*)?tls_require_ciphers\s*='
|
||||
line: 'tls_require_ciphers = {{tls_ciphers}}'
|
||||
regexp: '(.ifdef\s+_HAVE_OPENSSL\s*\n\s*)#?(\s*)tls_require_ciphers\s*=.*$'
|
||||
replace: '\1\2tls_require_ciphers = {{tls_ciphers}}'
|
||||
notify:
|
||||
- restart exim.service
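Review bot: In the new `regexp` the leading `.ifdef` uses an unescaped `.`, so it matches any character before `ifdef` instead of the literal Exim `.ifdef` directive; it works by accident today, but `regexp: '(\.ifdef\s+_HAVE_OPENSSL\s*\n\s*)#?(\s*)tls_require_ciphers\s*=.*$'` states the intent. The pattern only rewrites a `tls_require_ciphers` line that already sits directly under `.ifdef _HAVE_OPENSSL`; if the packaged configuration ever moves or drops that line the task silently matches nothing and the cipher policy is not applied, so registering the result and asserting on `changed`/a follow-up `grep` would make that drift visible.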
|
||||
|
||||
|
@ -365,14 +370,15 @@
|
|||
notify:
|
||||
- restart exim.service
|
||||
|
||||
# 2023-05-20: disabled because too many legitimate rejected emails coming from GMail
|
||||
- name: deny mail RCPT from SpamHaus SBL
|
||||
blockinfile:
|
||||
path: /etc/mail/exim.conf
|
||||
marker: ' # {mark} SpamHaus SBL ACL'
|
||||
block: |
|
||||
deny message = rejected because $sender_host_address is in a \
|
||||
black list at SpamHaus SBL
|
||||
dnslists = sbl.spamhaus.org
|
||||
# deny message = rejected because $sender_host_address is in a \
|
||||
# black list at SpamHaus SBL
|
||||
# dnslists = sbl.spamhaus.org
|
||||
insertbefore: '^\s*#\s*warn\s+dnslists\s*='
|
||||
notify:
|
||||
- restart exim.service
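Review bot: The rejections that led to commenting out the SBL check are most likely not real listings but Spamhaus error answers: queries that reach Spamhaus through public resolvers (the vars hunk earlier in this commit puts `8.8.8.8` and `1.1.1.1`/`1.0.0.1` in `dns_hosts`) are answered with 127.255.255.x codes, and an unrestricted `dnslists = sbl.spamhaus.org` treats any A record as a listing, so every sender looks black-listed. Rather than keeping the block as commented-out archaeology, restrict the match to genuine listing codes, `dnslists = sbl.spamhaus.org=127.0.0.2,127.0.0.3,127.0.0.9`, and point the server at a non-public resolver, after which the `deny` can be re-enabled. The 2023-05-20 comment should record the cause once confirmed, so the next maintainer does not re-enable it unchanged.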
|
||||
|
@ -399,21 +405,19 @@
|
|||
|
||||
# TODO: https://github.com/Exim/exim/wiki/SimpleGreylisting (with SPAM≥1.0)
|
||||
|
||||
- name: use remote_smtp for smarthost delivery
|
||||
lineinfile:
|
||||
- name: set IP addresses to be ignored (base)
|
||||
replace:
|
||||
path: /etc/mail/exim.conf
|
||||
regexp: '^(\s*transport\s*=)'
|
||||
backrefs: true
|
||||
line: "\\1 remote_smtp"
|
||||
regexp: '^(\s*ignore_target_hosts\s*=)(?! <; 0\.0\.0\.0 ; 127\.0\.0\.0/8 ; ::1).*$'
|
||||
replace: "\1 <; 0.0.0.0 ; 127.0.0.0/8 ; ::1"
|
||||
notify:
|
||||
- restart exim.service
|
||||
|
||||
- name: set IP addresses to be ignored
|
||||
lineinfile:
|
||||
- name: set IP addresses to be ignored (addition)
|
||||
replace:
|
||||
path: /etc/mail/exim.conf
|
||||
regexp: '^(\s*ignore_target_hosts\s*=.*::1)(?! ; {{mail_ignore_ip | replace(" ", " ; ")}}$)'
|
||||
backrefs: true
|
||||
line: "\\1 ; {{mail_ignore_ip | replace(' ', ' ; ')}}"
|
||||
regexp: '^(\s*ignore_target_hosts\s*= <; 0\.0\.0\.0 ; 127\.0\.0\.0/8 ; ::1)$'
|
||||
replace: "\1 ; {{mail_ignore_ip | replace(' ', ' ; ')}}"
|
||||
when:
|
||||
- mail_ignore_ip != ""
|
||||
notify:
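Review bot: The two new `replace:` values are double-quoted YAML with a bare `\1` (`replace: "\1 <; 0.0.0.0 ; 127.0.0.0/8 ; ::1"` and `replace: "\1 ; {{mail_ignore_ip | replace(' ', ' ; ')}}"`); `\1` is not a valid escape in a double-quoted scalar, so the YAML loader rejects the file — the removed lines are shown with their `"\\1 …"` intact, so this does not look like a rendering artefact. Switch to single quotes, where backslashes are literal: `replace: '\1 <; 0.0.0.0 ; 127.0.0.0/8 ; ::1'` and `replace: '\1 ; {{mail_ignore_ip | replace(" ", " ; ")}}'` (inner quotes flipped, as the `regexp` line above it already does). The `replace: |` block scalar in the remote_smtp hunk further down is not affected, since block scalars keep backslashes as-is.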
|
||||
|
@ -505,16 +509,17 @@
|
|||
notify:
|
||||
- restart exim.service
|
||||
|
||||
- name: enable DKIM on outgoing emails
|
||||
blockinfile:
|
||||
- name: configure remote SMTP for outgoing emails
|
||||
replace:
|
||||
path: /etc/mail/exim.conf
|
||||
marker: ' # {mark} outgoing DKIM signing'
|
||||
block: |
|
||||
regexp: '^(remote_smtp:\s*\n\s*driver\s*=\s*smtp\s*)$(?!\n\s*dkim_canon =)
|
||||
replace: |
|
||||
\1
|
||||
dkim_canon = relaxed
|
||||
dkim_domain = {{net_soa}}
|
||||
dkim_private_key = /etc/mail/{{net_soa}}_dkim.privk.pem
|
||||
dkim_selector = {{mail_dkim_selector}}
|
||||
insertafter: '^\s*driver\s*=\s*smtp\s*$'
|
||||
helo_data = {{net_soa}}
|
||||
notify:
|
||||
- restart exim.service
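Review bot: The `regexp:` line of the new task is not terminated: `regexp: '^(remote_smtp:\s*\n\s*driver\s*=\s*smtp\s*)$(?!\n\s*dkim_canon =)` opens a single-quoted scalar and no closing `'` follows, so YAML either swallows the following `replace: |` block into the regexp or fails to parse; the fix is the closing quote, `regexp: '^(remote_smtp:\s*\n\s*driver\s*=\s*smtp\s*)$(?!\n\s*dkim_canon =)'`. Assuming the page preserved the line faithfully, an `ansible-playbook --syntax-check` before merge is worthwhile since the whole exim task file would fail to load. The negative lookahead on `dkim_canon` is what keeps the replace idempotent, so keep it when fixing the quote.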
|
||||
|
||||
|
|
|
@ -34,8 +34,8 @@
|
|||
copy:
|
||||
content: |
|
||||
[Unit]
|
||||
Wants=nginx.service
|
||||
After=nginx.service
|
||||
Wants=openresty.service
|
||||
After=openresty.service
|
||||
dest: /etc/systemd/system/haproxy.service.d/wants_nginx.conf
|
||||
mode: 0644
|
||||
notify:
|
||||
|
|
|
@ -27,6 +27,7 @@ defaults
|
|||
|
||||
frontend imaps
|
||||
bind :993 ssl crt /etc/haproxy/tls.pem
|
||||
bind :::993 ssl crt /etc/haproxy/tls.pem
|
||||
default_backend imap
|
||||
|
||||
backend imap
|
||||
|
@ -34,10 +35,12 @@ backend imap
|
|||
|
||||
frontend text
|
||||
bind :80
|
||||
bind :::80
|
||||
default_backend http
|
||||
|
||||
frontend tls
|
||||
bind :443 ssl crt /etc/haproxy/tls.pem
|
||||
bind :::443 ssl crt /etc/haproxy/tls.pem
|
||||
|
||||
tcp-request inspect-delay 2s
|
||||
# check SNI for the SSH domain
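Review bot: Each frontend now binds the same port twice, `bind :80` (IPv4 any) and `bind :::80` (IPv6 any); on Linux an `::` socket also accepts IPv4 unless it is v6-only, and whether HAProxy sets IPV6_V6ONLY depends on the `v4v6`/`v6only` keywords and the kernel's `net.ipv6.bindv6only` default, so the pair can fail with an address-in-use error on the second bind. Either keep a single dual-stack line, `bind :::80 v4v6`, or make the IPv6 one explicit, `bind :::80 v6only`, and do the same for 993, 443 and 444 in the neighbouring hunks. Verify with `haproxy -c -f /etc/haproxy/haproxy.cfg` on a dual-stack host; the `global`/`defaults` sections that could influence this are outside the hunk.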
|
||||
|
@ -57,6 +60,7 @@ frontend tls
|
|||
|
||||
frontend tls_plus
|
||||
bind :444 ssl crt /etc/haproxy/tls.pem
|
||||
bind :::444 ssl crt /etc/haproxy/tls.pem
|
||||
default_backend https_plus
|
||||
|
||||
backend ssh
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
||||
|
|
|
@ -19,7 +19,30 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
- name: configure SSO
|
||||
copy:
|
||||
content: |
|
||||
{ "patterns": [{
|
||||
"lua_regex": [
|
||||
"^{{http_pfx_gitea}}/admin",
|
||||
"^{{http_pfx_gitea}}/repo/create",
|
||||
"^{{http_pfx_gitea}}/repo/migrate",
|
||||
"^{{http_pfx_gitea}}/org/create",
|
||||
"^{{http_pfx_gitea}}/.-/wiki/_new"
|
||||
],
|
||||
"allow": ["*"]
|
||||
},{
|
||||
"lua_regex": ["^{{http_pfx_gitea}}/"],
|
||||
"public": true,
|
||||
"portal": {"{{http_pfx_gitea}}/": "Git"}
|
||||
}]
|
||||
}
|
||||
dest: /etc/nginx/ssso/sites/git.json
|
||||
when: (is_sso_used is defined)
|
||||
notify:
|
||||
- restart openresty.service
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
||||
|
|
|
@ -171,7 +171,7 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
||||
|
|
|
@ -45,7 +45,7 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
|
|
|
@ -9,8 +9,8 @@
|
|||
name: movim.service
|
||||
state: restarted
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
||||
|
|
|
@ -122,7 +122,7 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
- name: configure Nginx for LibreOffice OnLine
|
||||
template:
|
||||
|
@ -21,7 +21,7 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
|
|
|
@ -6,10 +6,10 @@
|
|||
- name: create tmpfiles
|
||||
command: systemd-tmpfiles --create /etc/tmpfiles.d/run_http.conf
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
||||
|
||||
- name: restart php-fpm.service
|
||||
|
|
|
@ -10,13 +10,71 @@
|
|||
msg: nginx
|
||||
### ⇐ UPSTREAM BEGIN ###
|
||||
|
||||
#- name: install software
|
||||
# package:
|
||||
# name: "{{item}}"
|
||||
# state: present
|
||||
# with_items:
|
||||
# - nginx-mainline # nginx-mainline must now be built from official PKGBUILD :-(
|
||||
# - php-fpm
|
||||
- name: uninstall software
|
||||
package:
|
||||
name: "{{item}}"
|
||||
state: absent
|
||||
with_items:
|
||||
# 2023-05-20: removed
|
||||
- nginx-mainline
|
||||
|
||||
- name: install AUR software
|
||||
include_role:
|
||||
name: aur.inc
|
||||
allow_duplicates: true
|
||||
vars:
|
||||
packages:
|
||||
- pkg: openresty
|
||||
pre: |
|
||||
# harden the systemd service
|
||||
sed -ri '
|
||||
/\[Unit\]/ a\
|
||||
After=systemd-tmpfiles-setup.service\
|
||||
After=php-fpm.service
|
||||
/\[Service\]/ a\
|
||||
User=http\
|
||||
Group=http\
|
||||
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT\
|
||||
PrivateTmp=true\
|
||||
PrivateDevices=true\
|
||||
ProtectSystem=full\
|
||||
ProtectHome=true\
|
||||
ReadWritePaths=/var/log/nginx\
|
||||
NoNewPrivileges=true\
|
||||
ExecStartPre=-/usr/bin/find /var/log/nginx/ -type f -user root -delete\
|
||||
ExecStartPre=/usr/bin/sh -c '"'"'rm -f /run/shared_sockets/http*.pp'"'"'
|
||||
s|/run/openresty.pid|/run/http/nginx.pid|g
|
||||
' service
|
||||
# compute the hash of the new service file
|
||||
srvHash=$(sha256sum service | awk '{print $1}')
|
||||
# — choose /etc/nginx as Nginx configuration location
|
||||
# — choose /run/http/ for Nginx PID and lock files location
|
||||
# — choose /var/log/nginx/ as Nginx compiled-in logs location
|
||||
# — choose /var/tmp/ as Nginx runtime temporary folder
|
||||
# — replace the old service hash with the computed one
|
||||
# — remove signature source files as they make the build fail
|
||||
# — disable unused features of OpenResty/Nginx
|
||||
sed -ri "
|
||||
s#_cfgdir=.*#_cfgdir=/etc/nginx#
|
||||
/build\\(\\)/ i\\
|
||||
for ((_src=0; _src<\${{ '{#source[*]}' }}; _src++)); do if [ "\${source[\$_src]}" == service ]; then\\
|
||||
sha256sums[\$_src]='$srvHash'\\
|
||||
fi; done\\
|
||||
for ((_src=\${{ '{#source[*]}' }}-1; _src>=0; _src--)); do if [[ "\${source[\$_src]}" =~ \\\\.asc\$ ]]; then\\
|
||||
_last=\$((\${{ '{#source[*]}' }}-1))\\
|
||||
source[\$_src]=\"\${source[\$_last]}\"; unset source[\$_last]\\
|
||||
sha256sums[\$_src]=\"\${sha256sums[\$_last]}\"; unset sha256sums[\$_last]\\
|
||||
fi; done\\
|
||||
unset _last _src
|
||||
s/^( *)#( *--(without-.*redis|without-lua_rds|without-.*mysql|without-.*scgi))/\\1\\2/
|
||||
s|^( *)#( *--pid-path=).*|\\1\\2/run/http/nginx.pid \\\\|
|
||||
s|^( *)#( *--lock-path=).*|\\1\\2/run/http/nginx.lock \\\\|
|
||||
s|^( *)#( *--error-log-path=).*|\\1\\2/var/log/nginx/error.log \\\\|
|
||||
s|^( *)#( *--http-log-path=).*|\\1\\2/var/log/nginx/access.log \\\\|
|
||||
/^ *--with-mail|^ *#/d
|
||||
s| +#.*||
|
||||
" PKGBUILD
|
||||
cat PKGBUILD
|
||||
|
||||
### UPSTREAM END ⇒ ###
|
||||
- name: merge upstream
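Review bot: The PKGBUILD rewrite is a long chain of `sed` substitutions against a third-party file with nothing that checks the outcome: if upstream renames `service`, drops the commented `--pid-path`/`--lock-path`/`--error-log-path` lines or changes `_cfgdir`, the expressions match nothing and the build proceeds with the old paths and an unhardened unit, and since aur.inc runs `pre` under `set -x` without `set -e` a failing step would not stop the play either. Add post-conditions at the end of `pre`, e.g. `grep -q -- '--pid-path=/run/http/nginx.pid' PKGBUILD` and `grep -q '^User=http$' service`, so silent drift fails the task. Removing the `.asc` sources also removes upstream signature verification of the tarball; the AUR `sha256sums` still pin it, which is a defensible trade-off, but a comment next to the loop should say that this is deliberate. `cat PKGBUILD` dumps the whole patched file into the log on every run and is better left as a debug aid behind a variable.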
|
||||
|
@ -25,11 +83,19 @@
|
|||
msg: nginx
|
||||
### ⇐ UPSTREAM END ###
|
||||
|
||||
- name: create a directory for the PID files
|
||||
- name: fix logrotate.d/openresty
|
||||
lineinfile:
|
||||
path: /etc/logrotate.d/openresty
|
||||
backrefs: true
|
||||
regexp: '^(\s*test -r )/run/'
|
||||
line: '\1/run/http/nginx.pid && kill -USR1 `cat /run/http/nginx.pid`'
|
||||
|
||||
- name: create Nginx working directories
|
||||
copy:
|
||||
content: |
|
||||
#Type Path Mode UID GID Age Argument
|
||||
d /run/http 775 http http - -
|
||||
#Type Path Mode UID GID Age Argument
|
||||
d /run/http 775 http http - -
|
||||
d /var/log/nginx 775 http http - -
|
||||
dest: /etc/tmpfiles.d/run_http.conf
|
||||
mode: 0644
|
||||
notify:
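Review bot: The new logrotate postrotate line runs `kill -USR1 \`cat /run/http/nginx.pid\`` as root, while `/run/http` is created `775 http http` by the tmpfiles entry in the same hunk and the pid file is written by the unprivileged `http` user; root therefore signals whatever PID that user-writable file contains. Let systemd address the service instead: `line: '\1/run/http/nginx.pid && systemctl kill -s USR1 openresty.service'`, or drop the `test -r` guard and use `systemctl kill` unconditionally. The `d /var/log/nginx 775 http http` entry is consistent with `ReadWritePaths=/var/log/nginx` in the unit hardening added earlier in this file.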
|
||||
|
@ -37,69 +103,15 @@
|
|||
|
||||
- meta: flush_handlers
|
||||
|
||||
- name: prepare to override systemd settings
|
||||
file:
|
||||
name: /etc/systemd/system/{{item}}.service.d
|
||||
state: directory
|
||||
mode: 0755
|
||||
- name: update already-installed OpenResty packages
|
||||
shell: /opt/openresty/bin/opm update
|
||||
|
||||
- name: OPM = install OpenResty packages (if necessary)
|
||||
include_tasks: opm.yaml
|
||||
vars:
|
||||
pkg_name: "{{item}}"
|
||||
with_items:
|
||||
- nginx
|
||||
- php-fpm
|
||||
|
||||
- name: secure systemd settings for php-fpm
|
||||
copy:
|
||||
content: |
|
||||
[Unit]
|
||||
After=systemd-tmpfiles-setup.service
|
||||
[Service]
|
||||
User=http
|
||||
Group=http
|
||||
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
|
||||
PrivateTmp=true
|
||||
PrivateDevices=true
|
||||
ProtectSystem=true
|
||||
ProtectHome=true
|
||||
NoNewPrivileges=true
|
||||
PIDFile=/run/http/php-fpm.pid
|
||||
dest: /etc/systemd/system/php-fpm.service.d/secure-{{nickname}}.conf
|
||||
mode: 0644
|
||||
notify:
|
||||
- restart php-fpm.service
|
||||
|
||||
- name: secure systemd settings for nginx
|
||||
copy:
|
||||
content: |
|
||||
[Unit]
|
||||
After=systemd-tmpfiles-setup.service
|
||||
After=php-fpm.service
|
||||
[Service]
|
||||
User=http
|
||||
Group=http
|
||||
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
|
||||
PrivateTmp=true
|
||||
PrivateDevices=true
|
||||
ProtectSystem=full
|
||||
ProtectHome=true
|
||||
NoNewPrivileges=true
|
||||
PIDFile=/run/http/nginx.pid
|
||||
ExecStartPre=/usr/bin/sh -c 'rm -f /run/shared_sockets/http*.pp'
|
||||
ExecStart=
|
||||
ExecStart=/usr/bin/nginx -g 'pid /run/http/nginx.pid; error_log stderr;'
|
||||
dest: /etc/systemd/system/nginx.service.d/secure-{{nickname}}.conf
|
||||
mode: 0644
|
||||
notify:
|
||||
- restart nginx.service
|
||||
|
||||
- name: set ownership of nginx’ working directories to nginx
|
||||
file:
|
||||
path: /var/{{item}}/nginx
|
||||
state: directory
|
||||
owner: http
|
||||
group: http
|
||||
recurse: true
|
||||
with_items:
|
||||
- lib
|
||||
- log
|
||||
- fffonion/lua-resty-openssl
|
||||
|
||||
- name: set the number of nginx worker processes
|
||||
lineinfile:
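Review bot: `shell: /opt/openresty/bin/opm update` upgrades every installed OPM module to whatever the registry serves at play time, with no version pin or checksum, and reports changed on every run; the following `include_tasks: opm.yaml` loop (`- fffonion/lua-resty-openssl`, list continuing below the hunk) installs unpinned as well. For a reproducible and auditable deploy, carry a version per item and pass it through to opm's `name=version` spec in opm.yaml, and give the update task `changed_when: false` or a `register`-based check on its output so it is not a permanent "changed". A `creates:`-style guard is not applicable here, so the change detection has to come from the command output.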
|
||||
|
@ -107,7 +119,7 @@
|
|||
regexp: '^#?\s*worker_processes\s'
|
||||
line: "worker_processes auto;"
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
- name: log to systemd-journal
|
||||
lineinfile:
|
||||
|
@ -115,7 +127,7 @@
|
|||
regexp: '^#?\s*error_log\s'
|
||||
line: "error_log syslog:server=unix:/dev/log,nohostname {{nginx_loglevel}};"
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
- name: create directories for custom nginx configuration
|
||||
file:
|
||||
|
@ -136,7 +148,7 @@
|
|||
line: include /etc/nginx/main.inc.d/*.inc;
|
||||
insertbefore: BOF
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
- name: include custom nginx configuration
|
||||
lineinfile:
|
||||
|
@ -145,7 +157,7 @@
|
|||
line: include /etc/nginx/conf.d/*.conf;
|
||||
insertbefore: '^\s*#gzip\s'
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
- name: set custom nginx configuration
|
||||
template:
|
||||
|
@ -155,7 +167,7 @@
|
|||
group: http
|
||||
mode: 0640
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
- name: send included conf files
|
||||
template:
|
||||
|
@ -198,54 +210,33 @@
|
|||
when:
|
||||
- test_srv.changed
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
- name: set the php-fpm settings
|
||||
lineinfile:
|
||||
path: /etc/php/php-fpm.d/www.conf
|
||||
regexp: '^;*{{item.key}}\s*='
|
||||
line: '{{item.key}} = {{item.value}}'
|
||||
with_dict:
|
||||
listen: /run/shared_sockets/php-fpm
|
||||
pm: dynamic
|
||||
'pm.max_children': '{{php_max_workers}}'
|
||||
'pm.start_servers': 1
|
||||
'pm.min_spare_servers': 1
|
||||
'pm.max_spare_servers': '{{php_max_workers}}'
|
||||
'pm.max_requests': '{{php_worker_max_reqs}}'
|
||||
notify:
|
||||
- restart php-fpm.service
|
||||
|
||||
- name: disable useless user/group specs
|
||||
lineinfile:
|
||||
path: /etc/php/php-fpm.d/www.conf
|
||||
backrefs: true
|
||||
regexp: '^({{item}}\s*=.*)'
|
||||
line: ';\1'
|
||||
- name: create web files locations
|
||||
file:
|
||||
path: "{{item}}"
|
||||
state: directory
|
||||
with_items:
|
||||
- user
|
||||
- group
|
||||
- 'listen.group'
|
||||
- /srv/http
|
||||
- /srv/webapps
|
||||
|
||||
- name: set the PID file path for php-fpm
|
||||
lineinfile:
|
||||
path: /etc/php/php-fpm.conf
|
||||
regexp: '^;*pid\s*='
|
||||
line: 'pid = /run/http/php-fpm.pid'
|
||||
notify:
|
||||
- restart php-fpm.service
|
||||
|
||||
- name: enable php-fpm.service
|
||||
- name: enable openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: php-fpm.service
|
||||
name: openresty.service
|
||||
enabled: true
|
||||
|
||||
- name: enable nginx.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
enabled: true
|
||||
- name: HTML test-page in test environment
|
||||
copy:
|
||||
content: |
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head><title>TEST</title><meta charset="UTF-8"></head>
|
||||
<body><h1>HTML served by Nginx</h1><p>It works!</p></body>
|
||||
</html>
|
||||
dest: /srv/http/index.html
|
||||
mode: 0644
|
||||
when: (env == 'dev')
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
|
|
|
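Review bot: The new `create web files locations` task creates `/srv/http` and `/srv/webapps` with no `owner`, `group` or `mode`, so the directories end up root-owned with a umask-derived mode, while the test page right below does pin `mode: 0644`; the worker user is `http` elsewhere in this commit, so state the intended ownership explicitly, e.g. `owner: root`, `group: http`, `mode: 0755` (or `http` as owner if the role is expected to write there). It is not visible from this hunk whether `enable nginx.service` is retired alongside the new `enable openresty.service`; if both units stay enabled they would presumably contend for the same listeners, so worth confirming. The php-fpm tasks removed here reappear in the php role later in this commit, so that move needs no further comment.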
@ -0,0 +1,16 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
# mandatory parameters: pkg_name
|
||||
|
||||
- name: OPM → check existence of {{pkg_name}}
|
||||
shell: /opt/openresty/bin/opm list | grep -q '^{{pkg_name}}[[:blank:]]'
|
||||
ignore_errors: true
|
||||
changed_when: false
|
||||
register: opm_check
|
||||
|
||||
- name: OPM → install {{pkg_name}}
|
||||
command: /opt/openresty/bin/opm get {{pkg_name}}
|
||||
when: opm_check is failed
|
|
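Review bot: `opm get {{pkg_name}}` installs whatever version is current at run time, so two runs of the role can put different Lua code on the front host; pin the version next to the name (a second mandatory parameter passed the same way as `pkg_name`) if the opm version in use supports it, and list it in the `# mandatory parameters` header. The check task would read more cleanly with `failed_when: false` instead of `ignore_errors: true`, so the expected "not installed" outcome does not surface as an ignored failure in the play output, with the install task then keyed on `when: opm_check.rc != 0`. `pkg_name` is also spliced unquoted into a shell pipeline and a grep pattern; that is acceptable while it only ever comes from the role's own task lists (e.g. `fffonion/lua-resty-openssl`), and the header should say so.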
@ -2,6 +2,11 @@
|
|||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
client_body_temp_path /var/tmp/client_body_temp;
|
||||
proxy_temp_path /var/tmp/proxy_temp;
|
||||
fastcgi_temp_path /var/tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /var/tmp/uwsgi_temp;
|
||||
#scgi_temp_path /var/tmp/scgi_temp;
|
||||
client_max_body_size {{http_max_upload}};
|
||||
gzip on;
|
||||
gzip_comp_level 6;
|
||||
|
|
|
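Review bot: The four added `*_temp_path` directives place nginx's request-body and upstream buffers under `/var/tmp`, a shared sticky directory in which any local account can pre-create `/var/tmp/proxy_temp` and friends before the worker does; unless the nginx unit override also sets `PrivateTmp=` (only `NoNewPrivileges` and `PIDFile` are visible in this commit, though the php-fpm override later does set it), a directory the role already owns is the safer choice, e.g. `client_body_temp_path /var/lib/nginx/client_body_temp;` and likewise for the other three. `#scgi_temp_path /var/tmp/scgi_temp;` is left commented out with no reason; either drop it or add a comment stating why scgi keeps the default.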
@ -9,8 +9,8 @@
|
|||
name: prosody.service
|
||||
state: restarted
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
||||
|
|
|
@ -277,7 +277,7 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
- name: enable prosody
|
||||
systemd:
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
|
@ -6,4 +6,4 @@
|
|||
dependencies:
|
||||
- role: cleanupdate
|
||||
- role: ldap
|
||||
- role: ssowat
|
||||
# - role: ssowat #FIXME
|
|
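Review bot: `# - role: ssowat #FIXME` removes the ssowat dependency with a bare FIXME, so it is unclear whether the role is temporarily broken, being replaced, or no longer needed; say which, e.g. `# - role: ssowat  # FIXME: <reason>, re-enable when <condition>`. The transmission tasks later in this commit still write an SSO policy under `/etc/nginx/ssso/` when `is_sso_used` is defined, so without the dependency nothing guarantees that role has run first.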
@ -34,9 +34,10 @@
|
|||
Requires=nslcd.service
|
||||
After=nslcd.service
|
||||
[Service]
|
||||
{% if is_vpn_used is not defined %}
|
||||
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT CAP_SYS_NICE
|
||||
{% endif %}
|
||||
PrivateDevices=yes
|
||||
PrivateTmp=yes
|
||||
ProtectHome=yes
|
||||
ProtectSystem=full
|
||||
LimitNOFILE=4096
|
||||
|
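Review bot: Wrapping `CapabilityBoundingSet=` in `{% if is_vpn_used is not defined %}` removes the restriction entirely in VPN mode instead of widening it to what the namespace wrapper needs, so transmission.service then runs with the full bounding set; the `zz-no-vpn.conf` drop-in in the next hunk compounds this by running `ip netns exec` as root and `sudo`-ing down to `transmission`. systemd can join an `ip netns add`-created namespace directly with `NetworkNamespacePath=/run/netns/no-vpn`, which keeps `User=`, the bounding set and the other hardening identical to the non-VPN case; if the wrapper is kept, list the capabilities it actually needs instead of dropping the line. The template's `[Unit]` section starts before this hunk.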
@ -44,6 +45,22 @@
|
|||
dest: /etc/systemd/system/transmission.service.d/secure-{{nickname}}.conf
|
||||
mode: 0644
|
||||
|
||||
- name: override network settings for transmission
|
||||
copy:
|
||||
content: |
|
||||
[Unit]
|
||||
Requires=no-vpn-network-namespace.service
|
||||
After=no-vpn-network-namespace.service
|
||||
[Service]
|
||||
Type=exec
|
||||
User=root
|
||||
Group=root
|
||||
ExecStart=
|
||||
ExecStart=/usr/bin/ip netns exec no-vpn /usr/bin/sudo -g {{media_group}} -u transmission -H -n /usr/bin/transmission-daemon -f --log-level=error
|
||||
dest: /etc/systemd/system/transmission.service.d/zz-no-vpn.conf
|
||||
mode: 0644
|
||||
when: (is_vpn_used is defined)
|
||||
|
||||
- name: ensure existence and mode of Transmission working directories
|
||||
file:
|
||||
path: /var/lib/transmission{{item}}
|
||||
|
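Review bot: The `override network settings for transmission` task is only ever applied, never reverted: when `is_vpn_used` is undefined it is skipped, so a `zz-no-vpn.conf` left behind by an earlier VPN-enabled run keeps forcing root plus the namespace wrapper. Add the counterpart `- file: {path: /etc/systemd/system/transmission.service.d/zz-no-vpn.conf, state: absent}` with `when: (is_vpn_used is not defined)`, and give both tasks the daemon-reload/restart `notify` the secure override above has, since as written an edited drop-in is not picked up until something else restarts the unit. `is_vpn_used` is a fact set by the openvpn role at the end of this commit, so the play must order that role before this one; nothing in the transmission meta dependencies expresses that.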
@ -104,6 +121,18 @@
|
|||
name: transmission.service
|
||||
state: stopped
|
||||
|
||||
- name: store DMZ IP (direct)
|
||||
set_fact:
|
||||
no_vpn_front_IP: "{{DMZ_IP}}"
|
||||
when:
|
||||
- (is_vpn_used is not defined)
|
||||
|
||||
- name: store DMZ IP (avoid VPN)
|
||||
set_fact:
|
||||
no_vpn_front_IP: "{{vpn_avoiding_ip_cidr | replace('/.*', '')}}"
|
||||
when:
|
||||
- (is_vpn_used is defined)
|
||||
|
||||
- name: put a JSON terminator to avoid a trailing comma
|
||||
lineinfile:
|
||||
path: /var/lib/transmission/.config/transmission-daemon/settings.json
|
||||
|
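Review bot: `vpn_avoiding_ip_cidr | replace('/.*', '')` does not strip the prefix length: Jinja's `replace` is a literal substring replacement, not a regex, so `no_vpn_front_IP` keeps its `/NN` suffix and the `bind-address-ipv4` value derived from it later in this file becomes an invalid address. Use `no_vpn_front_IP: "{{vpn_avoiding_ip_cidr | regex_replace('/.*$', '')}}"` (or `| ipaddr('address')` if netaddr is available on the controller).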
@ -118,7 +147,7 @@
|
|||
line: ' "{{item.key}}": {{item.value}},'
|
||||
insertbefore: '"zzz"'
|
||||
with_dict:
|
||||
speed-limit-up: '50'
|
||||
speed-limit-up: '500'
|
||||
speed-limit-up-enabled: 'true'
|
||||
download-dir: '"/var/lib/transmission/Done"'
|
||||
incomplete-dir: '"/var/lib/transmission/Doing"'
|
||||
|
@ -130,13 +159,14 @@
|
|||
watch-dir-enabled: 'true'
|
||||
encryption: '2'
|
||||
message-level: '1'
|
||||
bind-address-ipv4: '"{{DMZ_IP}}"'
|
||||
bind-address-ipv4: '"{{no_vpn_front_IP}}"'
|
||||
peer-port: '{{transmission_bt_port}}'
|
||||
peer-port-random-on-start: 'false'
|
||||
port-forwarding-enabled: 'false'
|
||||
port-forwarding-enabled: '{{is_vpn_used is defined}}'
|
||||
queue-stalled-minutes: '5'
|
||||
rpc-authentication-required: 'false'
|
||||
rpc-bind-address: '"127.0.0.1"'
|
||||
rpc-bind-address: '"unix:/run/shared_sockets/transmission-rpc.sock"'
|
||||
rpc-socket-mode: '"0777"'
|
||||
rpc-port: '{{transmission_rpc_port}}'
|
||||
rpc-url: '"{{http_pfx_transmission}}/"'
|
||||
rpc-whitelist-enabled: 'false'
|
||||
|
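Review bot: `port-forwarding-enabled: '{{is_vpn_used is defined}}'` renders as `True`/`False`, which the `line:` template then writes into settings.json as an unquoted Python literal rather than the JSON `true`/`false` the neighbouring entries use; write it as `port-forwarding-enabled: '{{(is_vpn_used is defined) | to_json}}'` (or `| lower`). Separately, `rpc-socket-mode: '"0777"'` combined with `rpc-authentication-required: 'false'` lets any local account drive the daemon over the new unix socket; `"0660"` with the proxy's worker user placed in the socket's group is enough for nginx/openresty, which is the only client this hunk shows.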
@ -151,13 +181,13 @@
|
|||
copy:
|
||||
content: |
|
||||
location {{http_pfx_transmission}}/web {
|
||||
alias /usr/share/transmission/web;
|
||||
alias /usr/share/transmission/public_html;
|
||||
}
|
||||
location ~ ^{{http_pfx_transmission}}/?$ {
|
||||
return 307 https://{{net_soa}}{{http_pfx_transmission}}/web/;
|
||||
}
|
||||
location ~ ^{{http_pfx_transmission}}.*$(?<!\.css|\.js)$ {
|
||||
proxy_pass http://127.0.0.1:{{transmission_rpc_port}};
|
||||
proxy_pass http://unix:/run/shared_sockets/transmission-rpc.sock;
|
||||
proxy_pass_header X-Transmission-Session-Id;
|
||||
proxy_hide_header ETag;
|
||||
proxy_hide_header Cache-Control;
|
||||
|
@ -168,7 +198,7 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
- name: enable transmission.service
|
||||
systemd:
|
||||
|
@ -176,6 +206,20 @@
|
|||
name: transmission.service
|
||||
enabled: true
|
||||
|
||||
- name: configure SSO
|
||||
copy:
|
||||
content: |
|
||||
{ "patterns": [{
|
||||
"lua_regex": ["^{{http_pfx_transmission}}"],
|
||||
"allow": ["me"],
|
||||
"portal": {"{{http_pfx_transmission}}": "BitTorrent"}
|
||||
}]
|
||||
}
|
||||
dest: /etc/nginx/ssso/sites/transm.json
|
||||
when: (is_sso_used is defined)
|
||||
notify:
|
||||
- restart openresty.service
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
|
|
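Review bot: The `configure SSO` copy has no `mode` (nor `owner`/`group`), unlike every other file written by this task list, so `/etc/nginx/ssso/sites/transm.json` inherits whatever umask the play runs under; add `mode: 0644` (or `0640` with `group: http` if the policy should not be world-readable). `"allow": ["me"]` reads like a placeholder for the real principal and should come from a variable, and `"lua_regex": ["^{{http_pfx_transmission}}"]` treats the prefix as a regex, so any `.` in it matches more than intended unless it is escaped.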
@ -3,8 +3,8 @@
|
|||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
||||
|
|
|
@ -88,7 +88,7 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
|
||||
- name: send a remote-exec script to the host
|
||||
template:
|
||||
src: templates/DMZ.j2
|
||||
src: templates/DMZ.{{env}}.j2
|
||||
dest: "/usr/local/bin/{{DMZ}}"
|
||||
mode: 0755
|
||||
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
#!/usr/bin/env bash
|
||||
# $1: bash script; $2…: arguments (bash -c "…script…" 'bash' …arguments…)
|
||||
#
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
cmd="$(printf "%q" "$1")"; shift
|
||||
args=()
|
||||
while [ $# -gt 0 ]; do args+=("$(printf "%q" "$1")"); shift; done
|
||||
exec ssh -i ~/.ssh/id-chroot -o StrictHostKeyChecking=no -p 20022 -T 10.0.2.2 bash -c "$cmd" bash "${args[@]}"
|
|
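Review bot: `-o StrictHostKeyChecking=no` turns off host-key verification for every invocation, so the key in `~/.ssh/id-chroot` and the forwarded script are handed to whatever answers on 10.0.2.2:20022; `-o StrictHostKeyChecking=accept-new` (with a dedicated `-o UserKnownHostsFile=` if the default file is unwanted) pins the key on first contact and still refuses a changed one. 10.0.2.2 looks like QEMU's user-mode host address, which fits a dev-only template selected by `{{env}}`; a header comment saying so would save the next reader from wondering why the address and port are hard-coded.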
@ -1,4 +1,4 @@
|
|||
#!/bin/bash
|
||||
#!/usr/bin/env bash
|
||||
# $1: bash script; $2…: arguments (bash -c "…script…" 'bash' …arguments…)
|
||||
#
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
|
@ -7,4 +7,4 @@
|
|||
|
||||
cmd="$1"; shift
|
||||
nsenter -t $(machinectl status {{DMZ}} | awk '$1=="Leader:"{print $2;exit}') \
|
||||
-a -F /usr/bin/bash -c "$cmd" bash "$@"
|
||||
-a -F /usr/usr/bin/env bash -c "$cmd" bash "$@"
|
|
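Review bot: `-a -F /usr/usr/bin/env bash -c "$cmd" bash "$@"` names a path that does not exist, evidently a search-and-replace of `/usr/bin/bash` to `/usr/bin/env bash` applied on top of the existing `/usr/` prefix, so `nsenter` will fail with no such file. Use `-a -F /usr/bin/env bash -c "$cmd" bash "$@"`, or keep `/usr/bin/bash`, since with `-a` the path is resolved inside the target's mount namespace anyway. The lxdm override hunk further down (`ExecStopPost=/usr/usr/bin/env bash -c …`) has the same doubled prefix, and systemd needs an existing absolute path there.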
@ -1,4 +1,4 @@
|
|||
#!/bin/bash
|
||||
#!/usr/bin/env bash
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
#!/bin/bash
|
||||
#!/usr/bin/env bash
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
#!/bin/bash
|
||||
#!/usr/bin/env bash
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
#!/bin/bash
|
||||
#!/usr/bin/env bash
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
|
|
@ -154,7 +154,7 @@
|
|||
ProtectSystem=full
|
||||
ReadWriteDirectories={{kodi_data}}
|
||||
# the client has 10 seconds to stop sending network packets to the socket
|
||||
ExecStopPost=/usr/bin/bash -c "/usr/bin/sleep 10s; exec /usr/bin/systemctl --no-block start lxdm.socket"
|
||||
ExecStopPost=/usr/usr/bin/env bash -c "/usr/bin/sleep 10s; exec /usr/bin/systemctl --no-block start lxdm.socket"
|
||||
Restart=no
|
||||
dest: /etc/systemd/system/lxdm.service.d/{{nickname}}.conf
|
||||
mode: 0644
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
#!/bin/bash
|
||||
#!/usr/bin/env bash
|
||||
# $1: camera
|
||||
# $2: event number
|
||||
# $3: ISO date
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
#!/bin/bash
|
||||
#!/usr/bin/env bash
|
||||
# $1: file to upload
|
||||
|
||||
BASE_URL=https://www.mediafire.com/api
|
||||
|
|
|
@ -5,6 +5,23 @@
|
|||
|
||||
flush ruleset
|
||||
|
||||
table arp RateLimiter {
|
||||
chain ArpIn {
|
||||
type filter hook input priority 0
|
||||
policy accept
|
||||
{% if is_vpn_used is defined %}
|
||||
meta iif tun0 limit rate 2/second burst 10 packets accept
|
||||
{% else %}
|
||||
meta iif host0 limit rate 2/second burst 10 packets accept
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
chain ArpOut {
|
||||
type filter hook output priority 0
|
||||
policy accept
|
||||
}
|
||||
}
|
||||
|
||||
{% for V in ['4', '6'] %}
|
||||
{% set v = V | replace('4', '') %}
|
||||
{% macro trust(list) %}
|
||||
|
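Review bot: `meta iif tun0` resolves the interface name to an index when the ruleset is loaded and errors out if tun0 does not exist yet, which is the normal state at boot before the VPN client has connected, so the whole ruleset would fail to load in VPN mode; the file already uses `meta iifname dns0` for the equally dynamic iodine interface, so use `meta iifname tun0 limit rate 2/second burst 10 packets accept` here. A `tun` interface also carries no link layer, so no ARP ever arrives on it and the VPN branch presumably wants the physical interface instead — worth confirming. Independently, both ArpIn chains have `policy accept` and no rule after the limit, so packets over the rate simply fall through to the policy and nothing is limited; a trailing `meta iif host0 drop` (resp. `meta iifname tun0 drop`) is needed for the limit to mean anything. The `ArpIn` chain of the new no-VPN namespace template later in this commit has the same no-op limit on `if_isp`.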
@ -115,22 +132,30 @@ table ip{{v}} Inet{{V}} {
|
|||
type filter hook input priority 0
|
||||
policy drop
|
||||
|
||||
# allow established/related connections
|
||||
ct state {established, related} accept
|
||||
|
||||
# early drop of invalid connections
|
||||
ct state invalid drop
|
||||
|
||||
# allow from loopback
|
||||
meta iif lo accept
|
||||
|
||||
# allow icmp
|
||||
{% if V == '4' %}
|
||||
ip protocol icmp accept
|
||||
icmp type { echo-reply, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
|
||||
icmp type { source-quench, redirect, info-request, info-reply, address-mask-request, address-mask-reply } drop
|
||||
meta l4proto icmp limit rate 2/second burst 4 packets accept
|
||||
{% else %}
|
||||
ip6 nexthdr icmpv6 accept
|
||||
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
|
||||
meta l4proto ipv6-icmp limit rate 2/second burst 4 packets accept
|
||||
{% endif %}
|
||||
|
||||
# allow established/related connections
|
||||
ct state {established, related} accept
|
||||
|
||||
# allow from loopback
|
||||
{% if V == '4' %}
|
||||
meta iif lo ip saddr != 127.0.0.0/8 drop
|
||||
{% else %}
|
||||
meta iif lo ip6 saddr != ::1/128 drop
|
||||
{% endif %}
|
||||
meta iif lo accept
|
||||
|
||||
# allow iodine
|
||||
meta iifname dns0 accept
|
||||
|
||||
|
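Review bot: `meta iif lo ip saddr != 127.0.0.0/8 drop` (and its `::1/128` twin) drops legitimate traffic: Linux routes packets addressed to any of the host's own addresses over `lo` with the source set to that address, so a local connection to the host's own DMZ or SafeZone IP now hits this rule before `meta iif lo accept`. The usual anti-spoofing form is the inverse, rejecting loopback sources on non-loopback interfaces: `meta iif != lo ip saddr 127.0.0.0/8 drop` and `meta iif != lo ip6 saddr ::1/128 drop`, with `meta iif lo accept` kept as is. The new no-VPN namespace template later in this commit carries the same pair of rules and needs the same change.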
@ -181,7 +206,7 @@ table ip{{v}} Inet{{V}} {
|
|||
{% call(net) trust(net_trusted_ranges) %}
|
||||
udp dport 5353 ip{{v}} saddr {{net}} accept
|
||||
{% endcall %}
|
||||
|
||||
|
||||
# remote-help ssh
|
||||
tcp dport 22000 accept
|
||||
{% call(net) trust(net_trusted_ranges) %}
|
||||
|
@ -196,6 +221,14 @@ table ip{{v}} Inet{{V}} {
|
|||
chain FilterOut {
|
||||
type filter hook output priority 0
|
||||
policy drop
|
||||
{% if V == '4' %}
|
||||
icmp type { echo-reply, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
|
||||
icmp type { source-quench, redirect, info-request, info-reply, address-mask-request, address-mask-reply } drop
|
||||
meta l4proto icmp limit rate 2/second burst 4 packets accept
|
||||
{% else %}
|
||||
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept
|
||||
meta l4proto ipv6-icmp limit rate 2/second burst 4 packets accept
|
||||
{% endif %}
|
||||
ct state {established, related} accept
|
||||
meta oif lo accept
|
||||
{% call(net) trust(SafeZone_IP + ' ' + dns_hosts + ' ' + allowed_domains_ip + ' ' + ntp_hosts) %}
|
||||
|
|
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart openvpn-client.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: openvpn-client@{{vpn_name}}.service
|
||||
state: restarted
|
||||
|
||||
- name: restart no-vpn network namespace
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: no-vpn-network-namespace.service
|
||||
state: restarted
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
- role: cleanupdate
|
|
@ -0,0 +1,195 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
### UPSTREAM BEGIN ⇒ ###
|
||||
- name: pull prerequisites from upstream
|
||||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=upstream.yml
|
||||
vars:
|
||||
msg: OpenVPN
|
||||
### ⇐ UPSTREAM BEGIN ###
|
||||
|
||||
- name: install software
|
||||
package:
|
||||
name: {{item}}
|
||||
with_items:
|
||||
- iproute2
|
||||
- openvpn
|
||||
# jq is needed by no-VPN network-namespace script
|
||||
- jq
|
||||
|
||||
### UPSTREAM END ⇒ ###
|
||||
- name: merge upstream
|
||||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
|
||||
vars:
|
||||
msg: OpenVPN
|
||||
### ⇐ UPSTREAM END ###
|
||||
|
||||
- name: VPN configuration
|
||||
template:
|
||||
src: templates/vpn.conf.j2
|
||||
dest: /etc/openvpn/client/{{vpn_name}}.conf
|
||||
owner: openvpn
|
||||
group: network
|
||||
mode: 0600
|
||||
notify:
|
||||
- restart openvpn-client.service
|
||||
|
||||
- name: VPN TLS auth key
|
||||
copy:
|
||||
content: |
|
||||
{{vpn_tls_auth_key}}
|
||||
dest: /etc/openvpn/client/{{vpn_name}}-ta.key
|
||||
owner: openvpn
|
||||
group: network
|
||||
mode: 0600
|
||||
notify:
|
||||
- restart openvpn-client.service
|
||||
|
||||
- name: VPN credentials
|
||||
copy:
|
||||
content: |
|
||||
{{vpn_login}}
|
||||
{{vpn_password}}
|
||||
dest: /etc/openvpn/client/{{vpn_name}}.userpass
|
||||
owner: openvpn
|
||||
group: network
|
||||
mode: 0400
|
||||
notify:
|
||||
- restart openvpn-client.service
|
||||
|
||||
- name: prepare to override OpenVPN security
|
||||
file:
|
||||
path: /etc/systemd/system/openvpn-client@{{vpn_name}}.service.d
|
||||
state: directory
|
||||
mode: 0755
|
||||
notify:
|
||||
- restart openvpn-client.service
|
||||
|
||||
- name: override OpenVPN security with systemd
|
||||
copy:
|
||||
content: |
|
||||
[Service]
|
||||
ExecStart=
|
||||
ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config %i.conf --auth-user-pass /etc/openvpn/client/%i.userpass
|
||||
dest: /etc/systemd/system/openvpn-client@{{vpn_name}}.service.d/auth-user-pass.conf
|
||||
mode: 0644
|
||||
notify:
|
||||
- restart openvpn-client.service
|
||||
|
||||
- name: store DMZ IP (front)
|
||||
set_fact:
|
||||
current_IP: "{{DMZ_IP}}"
|
||||
when:
|
||||
- (inventory_hostname in groups['front'])
|
||||
|
||||
- name: store SafeZone IP (back)
|
||||
set_fact:
|
||||
current_IP: "{{SafeZone_IP}}"
|
||||
when:
|
||||
- (inventory_hostname in groups['back'])
|
||||
|
||||
- name: creation script for no-VPN network namespace
|
||||
copy:
|
||||
content: |
|
||||
#!/bin/bash
|
||||
# https://www.baeldung.com/linux/different-network-interfaces-processes
|
||||
set -e
|
||||
|
||||
# find network settings associated with known IP address
|
||||
host_if=$(ip -j -4 address | jq -r '.[] | select(any(.addr_info[]; .local == "{{current_IP}}")) | .ifname')
|
||||
gateway=$(ip -j -4 route | jq -r '.[] | select(.dst == "default") | .gateway')
|
||||
|
||||
# create namespace if it does not exist
|
||||
if ! ip netns list | grep -Fxq no-vpn; then
|
||||
ip netns add no-vpn
|
||||
fi
|
||||
|
||||
# configure namespace if not done
|
||||
# $1: interface name; $2: CIDR
|
||||
function setup() {
|
||||
if ! ip -n no-vpn link show up dev $1 | grep -q .; then
|
||||
ip -n no-vpn link set $1 up
|
||||
fi
|
||||
if [ -z "$(ip -n no-vpn -4 address show dev $1)" ]; then
|
||||
ip -n no-vpn address add $2 dev $1
|
||||
fi
|
||||
}
|
||||
if ! ip -n no-vpn link show dev if_isp &>/dev/null; then
|
||||
ip link add link $host_if if_isp netns no-vpn type ipvlan mode l2
|
||||
fi
|
||||
setup if_isp {{vpn_avoiding_ip_cidr}}
|
||||
setup lo 127.0.0.1/8
|
||||
|
||||
# set gateway if not set
|
||||
if ! ip -n no-vpn -4 route | grep -q ^default; then
|
||||
ip -n no-vpn route add default via $gateway dev if_isp
|
||||
fi
|
||||
dest: /usr/local/bin/create-no-vpn-namespace.sh
|
||||
mode: 0700
|
||||
notify:
|
||||
- restart no-vpn network namespace
|
||||
|
||||
- name: removal script for no-VPN network namespace
|
||||
copy:
|
||||
content: |
|
||||
#!/bin/sh
|
||||
ip netns delete no-vpn
|
||||
dest: /usr/local/bin/delete-no-vpn-namespace.sh
|
||||
mode: 0700
|
||||
notify:
|
||||
- restart no-vpn network namespace
|
||||
|
||||
- name: no-VPN network namespace firewall
|
||||
template:
|
||||
src: templates/nftables.conf.j2
|
||||
dest: /etc/netns/no-vpn/nftables.conf
|
||||
mode: 0600
|
||||
notify:
|
||||
- restart no-vpn network namespace
|
||||
|
||||
# https://github.com/mqus/nft-rules/blob/master/files/SSDP_client.md
|
||||
- name: systemctl service for no-VPN network namespace
|
||||
copy:
|
||||
content: |
|
||||
[Unit]
|
||||
Description=No-VPN network namespace
|
||||
After=network-online.target openvpn.service
|
||||
Wants=network-online.target openvpn.service
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=true
|
||||
ExecStart=/usr/local/bin/create-no-vpn-namespace.sh
|
||||
ExecStartPost=/usr/bin/ip netns exec no-vpn /usr/bin/nft -f /etc/nftables.conf
|
||||
ExecStop=/usr/local/bin/delete-no-vpn-namespace.sh
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
dest: /etc/systemd/system/no-vpn-network-namespace.service
|
||||
mode: 0644
|
||||
notify:
|
||||
- restart no-vpn network namespace
|
||||
|
||||
- name: enable service for no-VPN network namespace
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: no-vpn-network-namespace.service
|
||||
enabled: true
|
||||
|
||||
- name: enable OpenVPN client service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: openvpn-client@{{vpn_name}}.service
|
||||
enabled: true
|
||||
|
||||
- name: register the fact that a VPN is enabled
|
||||
set_fact:
|
||||
is_vpn_used: true
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
|
||||
vars:
|
||||
msg: OpenVPN
|
||||
### ⇐ LOCAL COMMIT ###
|
||||
- meta: flush_handlers
|
|
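Review bot: `name: {{item}}` in the `install software` task is unquoted, so YAML parses the value as a flow mapping and the whole task file fails to load; write `name: "{{item}}"` as the php role does in this same commit. The `VPN credentials` and `VPN TLS auth key` tasks template `{{vpn_password}}` and the tls-auth key straight into `content:` without `no_log: true`, so a `--diff` or `-v` run prints them to the controller's output and logs; add `no_log: true` to both (and keep the values vaulted). The no-VPN namespace unit orders itself `After=network-online.target openvpn.service`, but the unit this role enables is `openvpn-client@{{vpn_name}}.service` and nothing in this commit creates an `openvpn.service`, so use `After=network-online.target openvpn-client@{{vpn_name}}.service` and the same in `Wants=`. `ExecStartPost=… nft -f /etc/nftables.conf` relies on `ip netns exec` bind-mounting `/etc/netns/no-vpn/nftables.conf` over `/etc/nftables.conf`, which deserves a comment next to the firewall task's `dest:` since the two paths do not match on the host.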
@ -0,0 +1,105 @@
|
|||
#!/usr/bin/env nft -f
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
flush ruleset
|
||||
|
||||
|
||||
table arp RateLimiter {
|
||||
chain ArpIn {
|
||||
type filter hook input priority 0
|
||||
policy accept
|
||||
meta iif if_isp limit rate 2/second burst 10 packets accept
|
||||
}
|
||||
|
||||
chain ArpOut {
|
||||
type filter hook output priority 0
|
||||
policy accept
|
||||
}
|
||||
}
|
||||
|
||||
{% for V in ['4', '6'] %}
|
||||
{% set v = V | replace('4', '') %}
|
||||
{% macro trust(list) %}
|
||||
{% for net in list.split(' ') %}
|
||||
{% if not net is match('127(?:\.\d{1,3}){3}(?:/\d+)?|::1|^$') %}
|
||||
{% if (net is match('\d{1,3}(?:\.\d{1,3}){3}(?:/\d+)?')
|
||||
and V == '4') or (net is search(':') and V == '6') %}
|
||||
{{caller(net)}}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endmacro %}
|
||||
|
||||
table ip{{v}} Inet{{V}} {
|
||||
set ssdp_out {
|
||||
type inet_service
|
||||
timeout 5s
|
||||
}
|
||||
|
||||
chain FilterIn {
|
||||
type filter hook input priority 0
|
||||
policy drop
|
||||
|
||||
# early drop of invalid connections
|
||||
ct state invalid drop
|
||||
|
||||
# allow icmp
|
||||
{% if V == '4' %}
|
||||
icmp type { echo-reply, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
|
||||
icmp type { source-quench, redirect, info-request, info-reply, address-mask-request, address-mask-reply } drop
|
||||
meta l4proto icmp limit rate 2/second burst 4 packets accept
|
||||
{% else %}
|
||||
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
|
||||
meta l4proto ipv6-icmp limit rate 2/second burst 4 packets accept
|
||||
{% endif %}
|
||||
|
||||
# allow established/related connections
|
||||
ct state {established, related} accept
|
||||
|
||||
# allow from loopback
|
||||
{% if V == '4' %}
|
||||
meta iif lo ip saddr != 127.0.0.0/8 drop
|
||||
{% else %}
|
||||
meta iif lo ip6 saddr != ::1/128 drop
|
||||
{% endif %}
|
||||
meta iif lo accept
|
||||
|
||||
# allow ssdp replies
|
||||
udp dport @ssdp_out accept
|
||||
|
||||
# zeroconf
|
||||
{% call(net) trust(net_trusted_ranges) %}
|
||||
udp dport 5353 ip{{v}} saddr {{net}} accept
|
||||
{% endcall %}
|
||||
|
||||
# transmission
|
||||
tcp dport {{transmission_bt_port}} accept
|
||||
udp dport {{transmission_bt_port}} accept
|
||||
}
|
||||
|
||||
chain FilterOut {
|
||||
type filter hook output priority 0
|
||||
policy drop
|
||||
{% if V == '4' %}
|
||||
icmp type { echo-reply, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
|
||||
icmp type { source-quench, redirect, info-request, info-reply, address-mask-request, address-mask-reply } drop
|
||||
meta l4proto icmp limit rate 2/second burst 4 packets accept
|
||||
{% else %}
|
||||
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept
|
||||
meta l4proto ipv6-icmp limit rate 2/second burst 4 packets accept
|
||||
{% endif %}
|
||||
ct state {established, related} accept
|
||||
meta oif lo accept
|
||||
meta oif if_isp udp dport 1900 set add udp sport @ssdp_out accept
|
||||
{% call(net) trust(SafeZone_IP + ' ' + dns_hosts + ' ' + allowed_domains_ip + ' ' + ntp_hosts) %}
|
||||
ip{{v}} daddr {{net}} accept
|
||||
{% endcall %}
|
||||
meta skuid transmission tcp dport 443 accept
|
||||
meta skuid transmission udp dport 443 accept
|
||||
meta skuid transmission tcp dport > 1024 accept
|
||||
meta skuid transmission udp dport > 1024 accept
|
||||
}
|
||||
}
|
||||
{% endfor %}
|
|
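Review bot: The `FilterOut` rules for the transmission uid (`tcp dport 443`, `udp dport 443`, `tcp dport > 1024`, `udp dport > 1024`) are keyed on user and port only, so from inside the namespace the daemon can reach every host on the segment `if_isp` is attached to — the ipvlan sits on the interface carrying `{{current_IP}}`, i.e. the DMZ or SafeZone network — on any high port, which is more than BitTorrent peering needs if trusted machines share that segment. A `meta skuid transmission` drop for the trusted ranges placed before those accepts (the `trust` macro already iterates `net_trusted_ranges`) would confine peer traffic to the Internet-facing side. `ssdp_out` is updated from the packet path by `set add udp sport @ssdp_out`; depending on the nft version in use that set may need `flags dynamic`, worth checking when the namespace unit's `ExecStartPost` first runs `nft -f`.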
@ -0,0 +1,104 @@
|
|||
# Specify that we are a client and that we will be pulling certain config file
|
||||
# directives from the server.
|
||||
client
|
||||
|
||||
# Use the same setting as you are using on the server.
|
||||
# On most systems, the VPN will not function unless you partially or fully
|
||||
# disable the firewall for the TUN/TAP interface.
|
||||
dev {{vpn_interface_type}}
|
||||
|
||||
# Are we connecting to a TCP or UDP server?
|
||||
# Use the same setting as on the server.
|
||||
proto {{vpn_protocol}}
|
||||
port {{vpn_server_port}}
|
||||
|
||||
# The hostname/IP and port of the server.
|
||||
# You can have multiple remote entries to load balance between the servers.
|
||||
remote {{vpn_server_host}} {{vpn_server_port}}
|
||||
|
||||
# Choose a random host from the remote list for load-balancing.
|
||||
# Otherwise try hosts in the order specified.
|
||||
remote-random
|
||||
|
||||
# Keep trying indefinitely to resolve the host name of the OpenVPN server.
|
||||
# Very useful on machines which are not permanently connected to the internet
|
||||
# such as laptops.
|
||||
resolv-retry infinite
|
||||
route-delay 2
|
||||
|
||||
# Use the VPN as the default network connection
|
||||
redirect-gateway def1 bypass-dhcp # IPv4
|
||||
route-ipv6 2000::/3 # IPv6
|
||||
|
||||
# Most clients don't need to bind to a specific local port number.
|
||||
nobind
|
||||
|
||||
# Downgrade privileges after initialization.
|
||||
;user openvpn
|
||||
;group openvpn
|
||||
|
||||
# Try to preserve some state across restarts.
|
||||
persist-key
|
||||
persist-tun
|
||||
|
||||
# Try and avoid fragmentation issues.
|
||||
fragment 1300
|
||||
mssfix 1300
|
||||
|
||||
# If you are connecting through an HTTP proxy to reach the actual OpenVPN
|
||||
# server, put the proxy server/IP and port number here.
|
||||
# See the man page if your proxy server requires authentication.
|
||||
;http-proxy-retry # retry on connection failures
|
||||
;http-proxy [proxy server] [proxy port #]
|
||||
|
||||
# Wireless networks often produce a lot of duplicate packets.
|
||||
# Set this flag to silence duplicate packet warnings.
|
||||
;mute-replay-warnings
|
||||
|
||||
# SSL/TLS parms.
|
||||
# See the server config file for more description.
|
||||
# It's best to use a separate .crt/.key file pair for each client.
|
||||
# A single ca file can be used for all clients.
|
||||
#ca ca.crt
|
||||
#cert client.crt
|
||||
#key client.key
|
||||
|
||||
# Verify server certificate by checking that the certificate has the correct
|
||||
# key usage set.
|
||||
# This is an important precaution to protect against a potential attack
|
||||
# discussed here: http://openvpn.net/howto.html#mitm
|
||||
#
|
||||
# To use this feature, you will need to generate your server certificates with
|
||||
# the keyUsage set to
|
||||
# digitalSignature, keyEncipherment
|
||||
# and the extendedKeyUsage to
|
||||
# serverAuth
|
||||
# EasyRSA can do this for you.
|
||||
remote-cert-tls server
|
||||
|
||||
# If a tls-auth key is used on the server then every client must also have the
|
||||
# key.
|
||||
tls-auth {{vpn_name}}-ta.key 1
|
||||
auth-user-pass
|
||||
|
||||
# Select a cryptographic cipher.
|
||||
# If the cipher option is used on the server then you must also specify it
|
||||
# here.
|
||||
# Note that v2.4 client/server will automatically negotiate AES-256-GCM in TLS
|
||||
# mode.
|
||||
# See also the data-ciphers option in the manpage
|
||||
cipher AES-256-CBC
|
||||
|
||||
# Enable compression on the VPN link.
|
||||
# Don't enable this unless it is also enabled in the server config file.
|
||||
comp-lzo
|
||||
|
||||
# Set log file verbosity.
|
||||
verb 3
|
||||
|
||||
# Silence repeating messages
|
||||
;mute 20
|
||||
|
||||
<ca>
|
||||
{{vpn_ca_certificate}}
|
||||
</ca>
|
|
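Review bot: `comp-lzo` and `cipher AES-256-CBC` are the two settings in this template a 2.4+ client can do without: link compression exposes the tunnel to compression-oracle attacks on attacker-influenced plaintext, and CBC relies on the separate `auth` HMAC rather than an AEAD construction; if the provider permits it, replace them with `data-ciphers AES-256-GCM:AES-128-GCM` and drop compression, and otherwise leave a comment stating the provider requires them. `;user openvpn` / `;group openvpn` are commented out although the config, key and credential files are owned by `openvpn:network` and the stock `openvpn-client@` unit is kept apart from `ExecStart=`; a one-line comment on why privilege dropping is disabled (or re-enabling it) would help, since `persist-key`/`persist-tun` right below exist precisely to make it work across restarts. The trailing `# IPv4` / `# IPv6` after `redirect-gateway` and `route-ipv6` are the only inline comments in the file; moving them onto their own lines avoids depending on the tokenizer treating a mid-line `#` as a comment.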
@ -3,6 +3,9 @@
|
|||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: create php-fpm tmpfiles
|
||||
command: systemd-tmpfiles --create /etc/tmpfiles.d/run_php.conf
|
||||
|
||||
- name: restart php-fpm.service (front)
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
|
|
|
@ -26,6 +26,15 @@
|
|||
- php-geoip
|
||||
- geoip-database-extra
|
||||
|
||||
- name: install front software
|
||||
package:
|
||||
name: "{{item}}"
|
||||
state: present
|
||||
with_items:
|
||||
- php-fpm
|
||||
when:
|
||||
- (inventory_hostname in groups['front'])
|
||||
|
||||
### UPSTREAM END ⇒ ###
|
||||
- name: merge upstream
|
||||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
|
||||
|
@ -115,6 +124,100 @@
|
|||
notify:
|
||||
- restart php-fpm.service (front)
|
||||
|
||||
- name: configure php-fpm
|
||||
block:
|
||||
|
||||
- name: create php-fpm working directories
|
||||
copy:
|
||||
content: |
|
||||
#Type Path Mode UID GID Age Argument
|
||||
d /run/php-fpm 775 http http - -
|
||||
dest: /etc/tmpfiles.d/run_php.conf
|
||||
mode: 0644
|
||||
notify:
|
||||
- create php-fpm tmpfiles
|
||||
|
||||
- name: prepare to override systemd settings
|
||||
file:
|
||||
name: /etc/systemd/system/{{item}}.service.d
|
||||
state: directory
|
||||
mode: 0755
|
||||
with_items:
|
||||
- php-fpm
|
||||
|
||||
- name: secure systemd settings for php-fpm
|
||||
copy:
|
||||
content: |
|
||||
[Unit]
|
||||
After=systemd-tmpfiles-setup.service
|
||||
[Service]
|
||||
User=http
|
||||
Group=http
|
||||
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
|
||||
PrivateTmp=true
|
||||
PrivateDevices=true
|
||||
ProtectSystem=true
|
||||
ProtectHome=true
|
||||
NoNewPrivileges=true
|
||||
PIDFile=/run/php-fpm/php-fpm.pid
|
||||
dest: /etc/systemd/system/php-fpm.service.d/secure-{{nickname}}.conf
|
||||
mode: 0644
|
||||
notify:
|
||||
- restart php-fpm.service (front)
|
||||
|
||||
- name: set the php-fpm settings
|
||||
lineinfile:
|
||||
path: /etc/php/php-fpm.d/www.conf
|
||||
regexp: '^;*{{item.key}}\s*='
|
||||
line: '{{item.key}} = {{item.value}}'
|
||||
with_dict:
|
||||
listen: /run/shared_sockets/php-fpm
|
||||
pm: dynamic
|
||||
'pm.max_children': '{{php_max_workers}}'
|
||||
'pm.start_servers': 1
|
||||
'pm.min_spare_servers': 1
|
||||
'pm.max_spare_servers': '{{php_max_workers}}'
|
||||
'pm.max_requests': '{{php_worker_max_reqs}}'
|
||||
notify:
|
||||
- restart php-fpm.service (front)
|
||||
|
||||
- name: disable useless user/group specs
|
||||
lineinfile:
|
||||
path: /etc/php/php-fpm.d/www.conf
|
||||
backrefs: true
|
||||
regexp: '^({{item}}\s*=.*)'
|
||||
line: ';\1'
|
||||
with_items:
|
||||
- user
|
||||
- group
|
||||
- 'listen.group'
|
||||
notify:
|
||||
- restart php-fpm.service (front)
|
||||
|
||||
- name: set the PID file path for php-fpm
|
||||
lineinfile:
|
||||
path: /etc/php/php-fpm.conf
|
||||
regexp: '^;*pid\s*='
|
||||
line: 'pid = /run/php-fpm/php-fpm.pid'
|
||||
notify:
|
||||
- restart php-fpm.service (front)
|
||||
|
||||
- name: enable php-fpm.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: php-fpm.service
|
||||
enabled: true
|
||||
|
||||
- name: PHP test-page in test environment
|
||||
copy:
|
||||
content: <?php phpinfo();
|
||||
dest: /srv/http/index.php
|
||||
mode: 0644
|
||||
when: (env == 'dev')
|
||||
|
||||
when:
|
||||
- (inventory_hostname in groups['front'])
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
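Review bot: `ProtectSystem=true` in the `secure systemd settings for php-fpm` drop-in makes only /usr and /boot read-only, so /etc — including php-fpm's own configuration under /etc/php — stays writable to the `http` workers; `ProtectSystem=full` closes that without any other change visible here, and `ProtectSystem=strict` with `ReadWritePaths=/run/php-fpm /run/shared_sockets` would be tighter still but needs checking against whatever the PHP applications write. `CapabilityBoundingSet=` is only an upper bound: with `User=http` and no `AmbientCapabilities=`, CAP_SYS_CHROOT and the other listed capabilities are never actually held, which is fine but deserves a comment so nobody reads the line as a grant. Separately, in `set the php-fpm settings` the `.` in keys such as `pm.max_children` is an unescaped regex metacharacter inside `regexp: '^;*{{item.key}}\s*='`; `regexp: '^;*{{item.key | regex_escape}}\s*='` keeps the match exact.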
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
||||
|
|
|
@ -53,7 +53,7 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
|
|
|
@ -45,7 +45,7 @@
|
|||
- name: send Ansible’s forced-command
|
||||
copy:
|
||||
content: |
|
||||
#!/bin/bash
|
||||
#!/usr/bin/env bash
|
||||
eval $SSH_ORIGINAL_COMMAND
|
||||
dest: "{{chroot}}/root/.ssh/force_ansible.sh"
|
||||
mode: 0700
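Review bot: `eval $SSH_ORIGINAL_COMMAND` executes whatever the client sends, so this forced command confines nothing by itself; if that is deliberate (Ansible needs arbitrary python and shell invocations, and the restriction is meant to come from the key's `command=` option plus the chroot), state it in the script: `# Ansible needs arbitrary commands; confinement comes from the chroot and key options, not from this script`. Unquoted, the variable is word-split and glob-expanded before eval re-parses it, so `eval "$SSH_ORIGINAL_COMMAND"` is the safer spelling. The new `#!/usr/bin/env bash` shebang resolves bash through the PATH that sshd hands to the forced command, which inside `{{chroot}}` may differ from an interactive PATH; this is presumably tested, but an absolute interpreter path is the conventional choice for a forced command.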
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: openresty.service
|
||||
state: restarted
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
- role: cleanupdate
|
||||
- role: dmz_nginx
|
|
@ -0,0 +1,93 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
### UPSTREAM BEGIN ⇒ ###
|
||||
- name: pull prerequisites from upstream
|
||||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=upstream.yml
|
||||
vars:
|
||||
msg: SSO
|
||||
### ⇐ UPSTREAM BEGIN ###
|
||||
|
||||
- name: (SSOwat) uninstall software
|
||||
package:
|
||||
name: "{{item}}"
|
||||
state: absent
|
||||
with_items:
|
||||
# 2023-05-20: removed
|
||||
- ssowat-git
|
||||
- nginx-mainline-mod-lua
|
||||
- nginx-mainline-mod-ndk
|
||||
- lua51-lualdap-git
|
||||
|
||||
- name: install AUR software
|
||||
include_role:
|
||||
name: aur.inc
|
||||
allow_duplicates: true
|
||||
vars:
|
||||
packages:
|
||||
- simple-sso-git
|
||||
|
||||
### UPSTREAM END ⇒ ###
|
||||
- name: merge upstream
|
||||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
|
||||
vars:
|
||||
msg: SSO
|
||||
### ⇐ UPSTREAM END ###
|
||||
|
||||
# 2023-05-20: removed
|
||||
- name: (SSOwat) remove SSOwat configuration
|
||||
file:
|
||||
path: /etc/ssowat
|
||||
state: absent
|
||||
notify:
|
||||
- restart openresty.service
|
||||
|
||||
# 2023-05-20: removed
|
||||
- name: (SSOwat) remove external LUA module from Nginx
|
||||
file:
|
||||
path: /etc/nginx/main.inc.d/ndk+lua.inc
|
||||
state: absent
|
||||
notify:
|
||||
- restart openresty.service
|
||||
|
||||
- name: init the SSO code in Nginx
|
||||
copy:
|
||||
content: |
|
||||
lua_shared_dict cache 10m;
|
||||
init_by_lua_file /etc/nginx/ssso/do_init.lua;
|
||||
dest: /etc/nginx/conf.d/00_sso.conf
|
||||
group: http
|
||||
mode: 0640
|
||||
notify:
|
||||
- restart openresty.service
|
||||
|
||||
- name: enforce SSO checking for each request
|
||||
copy:
|
||||
content: |
|
||||
access_by_lua_file /etc/nginx/ssso/do_access.lua;
|
||||
dest: /etc/nginx/inc.d/00_sso.https.inc
|
||||
group: http
|
||||
mode: 0640
|
||||
notify:
|
||||
- restart openresty.service
|
||||
|
||||
- name: send the custom SSO configuration
|
||||
template:
|
||||
src: templates/conf.json.j2
|
||||
dest: /etc/nginx/ssso/global.json
|
||||
group: http
|
||||
mode: 0640
|
||||
|
||||
- name: register the fact that SSO is installed
|
||||
set_fact:
|
||||
is_sso_used: true
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
|
||||
vars:
|
||||
msg: SSO
|
||||
### ⇐ LOCAL COMMIT ###
|
||||
- meta: flush_handlers
|
|
@ -0,0 +1,8 @@
|
|||
{
|
||||
"auth": {
|
||||
"check": "/usr/bin/ldapsearch -x -D \"uid=\ru.,ou=users,dc=example,dc=org\" -w \"\rp.\" -b 'ou=users,dc=example,dc=org' -s one -LLL -l 1 -z 1 \"(uid=\ru.)\" cn mail | /usr/bin/gawk '/^cn/{n=gensub(/cn: */,\"\",1)};/^mail/{m=gensub(/mail: */,\"\",1)};END{printf(\"%s\\n%s\\n\",n,m)}'"
|
||||
},
|
||||
"session_seconds": 300,
|
||||
"sso_host": "{{net_soa}}",
|
||||
"sso_prefix": "{{http_pfx_sso}}"
|
||||
}
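Review bot: `auth.check` is a shell command line into which simple-sso presumably substitutes the submitted user name (`\ru.`) and password (`\rp.`); unless that substitution shell-escapes the values, a password containing `"`, `$`, a backtick or `;` escapes the double quotes and runs with the privileges of whatever process evaluates the check. That can only be confirmed by reading simple-sso's substitution code, so record the assumption where it can be seen — JSON has no comments, so in the task that ships this template or in the role's README. `-w "\rp."` also places the password on ldapsearch's command line, where it is visible in the process list for the duration of the bind; `-y` reading from a file is the usual mitigation if the SSO can provide one. The `dc=example,dc=org` base is hard-coded while `sso_host` and `sso_prefix` are templated; if the base DN is meant to be adapted per deployment, it should be a variable like the others.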
|
134
site.yaml
134
site.yaml
|
@ -3,77 +3,77 @@
|
|||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- hosts: back
|
||||
remote_user: root
|
||||
roles:
|
||||
- _maintenance_start
|
||||
- init
|
||||
- transmission_back
|
||||
- ntp
|
||||
- cleanupdate
|
||||
- printscan
|
||||
- sockets
|
||||
- front
|
||||
- postinstall
|
||||
- msmtp
|
||||
- role: nfs
|
||||
when: (env == 'prod')
|
||||
- role: transmission_nfs
|
||||
when: (env == 'prod')
|
||||
- pyruse
|
||||
- nftables_back
|
||||
- postgresql
|
||||
- slapd
|
||||
- php
|
||||
- ldap
|
||||
# - wallabag_back
|
||||
- dotclear_back
|
||||
# - movim_back
|
||||
- prosody_back
|
||||
- ihmgit_back
|
||||
- nextcloud_back
|
||||
- ssh
|
||||
- dovecot
|
||||
- mediaplayer
|
||||
- motion_back
|
||||
- role: front_run
|
||||
when: (env == 'prod')
|
||||
- role: acme_back
|
||||
when: (env == 'prod')
|
||||
- nextcloud_davfs
|
||||
- _maintenance_stop
|
||||
#- hosts: back
|
||||
# remote_user: root
|
||||
# roles:
|
||||
# - _maintenance_start
|
||||
# - init
|
||||
# - transmission_back
|
||||
# - ntp
|
||||
# - cleanupdate
|
||||
# - printscan
|
||||
# - sockets
|
||||
# - front
|
||||
# - postinstall
|
||||
# - msmtp
|
||||
# - role: nfs
|
||||
# when: (env == 'prod')
|
||||
# - role: transmission_nfs
|
||||
# when: (env == 'prod')
|
||||
## - pyruse
|
||||
# - nftables_back
|
||||
# - postgresql
|
||||
# - slapd
|
||||
# - php
|
||||
# - ldap
|
||||
## - wallabag_back
|
||||
# - dotclear_back
|
||||
## - movim_back
|
||||
# - prosody_back
|
||||
# - ihmgit_back
|
||||
# - nextcloud_back
|
||||
# - ssh
|
||||
# - dovecot
|
||||
## - mediaplayer
|
||||
## - motion_back
|
||||
# - role: front_run
|
||||
# when: (env == 'prod')
|
||||
# - acme_back
|
||||
# - nextcloud_davfs
|
||||
# - _maintenance_stop
|
||||
|
||||
- hosts: front
|
||||
remote_user: root
|
||||
roles:
|
||||
- _maintenance_start
|
||||
- init
|
||||
- cleanupdate
|
||||
- postinstall
|
||||
- ldap
|
||||
- iodine
|
||||
- role: ddclient.inc
|
||||
when: (env == 'dev')
|
||||
- role: ddclient_HE_example
|
||||
when: (env == 'prod')
|
||||
- role: ddclient_FreeDNS_example
|
||||
when: (env == 'prod')
|
||||
- dmz_nginx
|
||||
- ssowat
|
||||
- php
|
||||
- ssh
|
||||
# - init
|
||||
# - cleanupdate
|
||||
# - postinstall
|
||||
# - ldap
|
||||
- openvpn
|
||||
# - iodine
|
||||
# - role: ddclient.inc
|
||||
# when: (env == 'dev')
|
||||
# - role: ddclient_HE_example
|
||||
# when: (env == 'prod')
|
||||
# - role: ddclient_FreeDNS_example
|
||||
# when: (env == 'prod')
|
||||
# - dmz_nginx
|
||||
- sso
|
||||
# - php
|
||||
# - ssh
|
||||
- transmission
|
||||
- dmz_exim
|
||||
- dmz_haproxy
|
||||
# - dmz_exim
|
||||
# - dmz_haproxy
|
||||
- dmz_ihmgit_front
|
||||
- dmz_nextcloud_front
|
||||
- dmz_dotclear_front
|
||||
- dmz_ihmldap
|
||||
- dmz_prosody_front
|
||||
- dmz_motion_front
|
||||
# - dmz_wallabag_front
|
||||
- acme_front
|
||||
- privatebin
|
||||
# - dmz_movim_front
|
||||
- nftables_front
|
||||
- _maintenance_stop
|
||||
# - dmz_nextcloud_front
|
||||
# - dmz_dotclear_front
|
||||
# - dmz_ihmldap
|
||||
# - dmz_prosody_front
|
||||
# - dmz_motion_front
|
||||
## - dmz_wallabag_front
|
||||
# - acme_front
|
||||
# - privatebin
|
||||
## - dmz_movim_front
|
||||
# - nftables_front
|
||||
# - _maintenance_stop
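Review bot: The `roles:` lists on the new side appear to interleave live entries with a fully commented-out copy of the previous list (`# - init`, `# - cleanupdate`, …), which the rendered view cannot separate with certainty; for a WIP commit that is expected, but a one-line comment above each disabled block, such as `# WIP: roles below are disabled while the front host is reworked around openvpn/sso`, makes the intent auditable. Note also that `# - acme_back` has lost the `when: (env == 'prod')` guard that the live `- role: acme_back` entry carries, so re-enabling it by uncommenting would run it in every environment.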
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
#!/bin/bash
|
||||
#!/usr/bin/env bash
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
|
|
@ -1,4 +1,10 @@
|
|||
SHELL := /bin/bash
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
# REQUIRED: make, root-less podman, jq, ssh-keygen
|
||||
|
||||
SHELL := /usr/bin/env bash
|
||||
|
||||
# https://stackoverflow.com/a/23324703
|
||||
ROOT_DIR := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
|
||||
|
@ -32,7 +38,7 @@ clean: rmi
|
|||
podman rmi archlinux; true
|
||||
|
||||
ansible: back-dev
|
||||
cd "${ROOT_DIR}/../.." && ansible-playbook -i env/dev -vvv site.yaml
|
||||
cd "${ROOT_DIR}/../.." && ansible-playbook -i env/dev -v site.yaml
|
||||
|
||||
front-img: Makefile front.Dockerfile id-dev.pub id-chroot.pub
|
||||
ds=$$(find $^ -maxdepth 0 -printf %T@ | sort -t. -rn | awk -F. 'NR==1{print $$1}'); \
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
-----BEGIN OPENSSH PRIVATE KEY-----
|
||||
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
|
||||
QyNTUxOQAAACBDBWwJdAOKQELMTT819qi+FkFk3IEGNrMrfNJPbr9eTAAAAJCeYYR6nmGE
|
||||
egAAAAtzc2gtZWQyNTUxOQAAACBDBWwJdAOKQELMTT819qi+FkFk3IEGNrMrfNJPbr9eTA
|
||||
AAAECHIS9x8FuevOopTggeY1jUNXQ8BSDHbqKXY8iC/UnDYkMFbAl0A4pAQsxNPzX2qL4W
|
||||
QWTcgQY2syt80k9uv15MAAAAC3l2ZXNAanVuaW9yAQI=
|
||||
-----END OPENSSH PRIVATE KEY-----
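Review bot: This adds an OpenSSH private key to the repository, as do the second `BEGIN OPENSSH PRIVATE KEY` block and the PKCS#8 `BEGIN PRIVATE KEY` block that follow; the Makefile in this same commit lists `ssh-keygen` among its requirements and names `id-dev.pub` / `id-chroot.pub` as build inputs, which suggests these are throwaway fixtures for the podman dev images, but nothing in the diff says so. If they are fixtures, generate them at build time (or at least `.gitignore` the private halves) instead of committing them, and add a comment in the Makefile stating they are dev-only and must never be reused. Any key that has been pushed should be treated as public, so if either SSH key or the PEM key was ever used outside the local test environment it needs replacing. A pre-commit or CI secret scan would have flagged these files before push.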
|
|
@ -0,0 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMFbAl0A4pAQsxNPzX2qL4WQWTcgQY2syt80k9uv15M yves@junior
|
|
@ -0,0 +1,7 @@
|
|||
-----BEGIN OPENSSH PRIVATE KEY-----
|
||||
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
|
||||
QyNTUxOQAAACD7InR8yYZ110XVqODVFZpDDkXDTfZPUWGlOHkmIGd4VgAAAJiDMF+FgzBf
|
||||
hQAAAAtzc2gtZWQyNTUxOQAAACD7InR8yYZ110XVqODVFZpDDkXDTfZPUWGlOHkmIGd4Vg
|
||||
AAAEDnXKRHTmIe8L7QuI7ROmmTNSHvAhAtcBguX68/9E9c5fsidHzJhnXXRdWo4NUVmkMO
|
||||
RcNN9k9RYaU4eSYgZ3hWAAAAD3l2ZXNAc2VkZW50YWlyZQECAwQFBg==
|
||||
-----END OPENSSH PRIVATE KEY-----
|
|
@ -0,0 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsidHzJhnXXRdWo4NUVmkMORcNN9k9RYaU4eSYgZ3hW me@my-pc
|
|
@ -0,0 +1,52 @@
|
|||
-----BEGIN PRIVATE KEY-----
|
||||
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC40xZlLcT4mE9/
|
||||
7iwMC628FCREkj8bX4UCHUvc1pcyhLgOZG/wl/3Rk37Bqa2wnqnRQKfGHLoaKQ7I
|
||||
ZtBlMPGyQIHzHSLYTFpagUC+IdLjQ2x9Tf01gqBRiRXyJ4NRtkupOV2cpOQoYwFE
|
||||
fOTOURyA+hdu4D1gU9ImTKY+qS45XvEihmW4MgcIlVJgVPL9TOtCqthSGxJVJ/xB
|
||||
ecpGi9125bTkANKXyW+7E0lGrWh9AQ/DaVOiDst9wewZVwlT2k87cr7cdA4IpwLx
|
||||
hyHMq+myJS2gVb14hNgy7afJ8ECyi5VfoH2j6PmErT7DxUNNNIAsTj591YyGzW+r
|
||||
rUa0TURZjAalsrMEstS65mDnC10m6pVCX96VDicyIymfa0COnB0ZxVQUmgfMl+Dt
|
||||
cR47uXaJPZrbpRzKU+O05RJzA1wysRiEIbwh9bSMOSCkpA7StUZ7zqIdmlm8cTbQ
|
||||
DCUCMTLIfI1TwrZusM2a6mMXLQssA2gPy7JkSUZvIg5mXPc77jMhdMNjzzQOaLb1
|
||||
kuP6JgOZTn4mMsHzA41PmnO6K/iVarYaDxEg6A/PdJ/Et4hLxpz18af7XcxVMk5W
|
||||
S/le2YYlOTTieMDVzPsqcfBb5Kss7MNEoIfMzqQmPIJz7d220nxnx2gLF8wCNc+0
|
||||
Kjv22+214xI3XAg2ZZOGFMXe/0fPiQIDAQABAoICAAHIq3OfzCyZkhKHfBZELRcO
|
||||
qzXHDb6gBAQWlWHnkidEdmnQ0Jnwqkbx7rQ5ZOdP4A6jL6ixpDQGhNbh6NLsig1T
|
||||
l9Apbh8KvUhYbRrAr7zuN0ojfO/dp5o4hwqSqiREDLQmDSLK88xLff/ubtS/yJUv
|
||||
72wMVESoHnQXQzdW3EQ6Z+b9R4FOU04jByaN9K1FnH4vhl25gZUVPmyBMPbQGLES
|
||||
IRYzx1SRdvImFXaYtnSBadNpInZi60DMGhEkYMnLRpPpxOY9ZQQdR4xzpqZSRkkd
|
||||
bdSutdYnqGtfwEHf1KIHMfKDCtS7NeBQ0z/3Y7xHUdGLp55WN7BhOSRogbE8ZIOE
|
||||
CxZ1+wHNh45iCjB77gCuk8trWqmfJUeBeIgqj+I25CwuFxsosNnbz1NWFwPVCgru
|
||||
JBTrnnIyUSp5fgx3vJ/nUtpr+2OPg/xrGH8qbBvgtQ2+J7u+LIqe/i+TQ6HYVzYx
|
||||
RVEUNSurGladAK9ZFOLffbD72lwfFg7R+j/Q3clv8qD7Kfv1Z/qLRSMMoV0S4yEs
|
||||
rkV/ed4NCn/btpLys+Di79kgFC3BWcuxeoRXEssTaJpFXR7dCgyMMO71PSQjbg0J
|
||||
waTGHXY9U3vjlQ2AVJCzXUF5em/5XuXfnQHXxsCFVh4YNrravX4JyEQ8pKDAWBP5
|
||||
8n0Q6eIVhRLFT/f5ZvdhAoIBAQDhS9aZchRi+54jycPMjhMlM5R6uMbPUJ0vOvm9
|
||||
0JAlDFxHzyehjVTbP7v+PB+6ZoWFaXWHCd/WWo/4w9aFL4LNTm17EBKThTIJjwlc
|
||||
+cQQ+Eudhuti2tSLVg6QcBTi7n2adFoyS1c8qSO9GLsM8uv1DWuUd9Ci9lKGY6da
|
||||
tLS/p54JVzxJl66tQ7ktQ8T430DiIdy7s3kzkQSy4YhbcW7C3NZ+99gGhYKLsizY
|
||||
t3Tn22fmwG9CgetE+CWLT9IGkXR3NcPZzw4IsTOqqDdzF846sgrQnGTTnbufDwok
|
||||
TwuMgwNjp1V28k7BdyU8IuOg0EZwqWL7sfaKLhjgONSiCr0hAoIBAQDSA0S1ZyMf
|
||||
bGn4tXKwsPtav47XIotCGWITmlfd0Iq5FHR3r9NwCMozPPvKZVpz1xR1MNFNkGbz
|
||||
xMFvBWQA8eVRAm4i8jGWRfnHl0074AkztDbAWg2CZ6rBR1c2/VgG5Unt2PShVRFf
|
||||
mbH5yaLcF4bQJ0lSdWw6gGDbHKOtadB+BzMq0RkulqTN6Nhsz6Dy2ROub3jvmTcW
|
||||
kj9AGLKSL//tni8R6BPeOzYM6dJh/bgl5adZ2eoJjWSV4ADkgc17gtOKSpZC+nke
|
||||
TGgJ3UfAfDzp1amwYydwQlVuKgaIrhDn2vcVU1/sw1QzhL+8Jz/LdycX+DY9P5HE
|
||||
XWZwVdDLg51pAoIBAFKzXQYcq0EebhFjCf23lW2Nfo6B73DAfcKNmolD2vXOkL1H
|
||||
XJvf3mtQ/Pg5J8hrw82SRbMZO9JakgjWEpP3OcOVa3jGEJuYRCLgH6bChGdaTZ94
|
||||
nEVAYM74+wWoLvKSawbceROHNnGtANJ0Fo2NSnI8x+XLCYoYc3ijchZIySSlKczx
|
||||
+c5l4Jf3iS0FeHOGuDGKDpXULsRwElJ7mWs/u1HKcO5QmjrinWYcNHwk88P8dSpu
|
||||
LykxuaQqltWJqmYA1MjBsq/sYpFsQrP9ZcVY0roXCwNCtXw8pVeg1K85WNruaLsW
|
||||
/LdaAPDhhIiLohUw/vpyI0STMhXNEBKWqe8FlCECggEAA+mlrQ+H2v0FGGohAeO6
|
||||
Ox2Yhq+REqEwb5cPjgVloD8eUGCJOuwfAEdhlYq/3aqjKe/H5n8LO/1tcSkTjOT0
|
||||
1caK0MHcZKVXGv3ZpYTuBvWTk4/Z8pUF3GX83PxpWG+LKhBBtoPEOBi/9RxpmVoi
|
||||
29vvhMbFRm2/4DUvY3q2NLLjpCeTJYgO9/sflR9lK0EaGcTf5u7e1N/Sp9oN8aVN
|
||||
SlsJG3dMb3aA8kqk7chxVttpe8YQky78McKjoZ49etCcKlZraEIMYaEgyxZBUPe/
|
||||
lsexSqT+RhwmRVApIQDFNdyhf9c20U1uUytk+xdsG9lTdCHeuNNnXtYyo2Ml6bTB
|
||||
CQKCAQEAgW3ap6sAdLdYPuBj9B1QJfbI55o2Jl6P3p/D+c25J4HbHzrTPFu6Z1+6
|
||||
N8g87eM+Hjl5mg5oDRFI0MGf5pIxRmoQAg925W2xX3OnG8ZPyh8hIrCLTduTpY3w
|
||||
YsNu7Fcj9J/n6FDdf6AAwDkdGM0pwrPR5kI++wi5BtsCnlsSmdO0lEsBzNhArFPL
|
||||
S0361/uY81R5MrqHL9WIjgxVlqjiorOZ1zwrZap80mh5LBn84kcGgnJczeQGkmom
|
||||
f6RcHGNMAX9ibQ1coZX5b0ywcjvDnjMs7G6Cp4A4UiIsFtEgIXHR1NdY2yx2iJO/
|
||||
EKAnoi5XmjOVCSJKOAlB/yOzNJWC7A==
|
||||
-----END PRIVATE KEY-----
|
|
@ -0,0 +1,14 @@
|
|||
-----BEGIN PUBLIC KEY-----
|
||||
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuNMWZS3E+JhPf+4sDAut
|
||||
vBQkRJI/G1+FAh1L3NaXMoS4DmRv8Jf90ZN+wamtsJ6p0UCnxhy6GikOyGbQZTDx
|
||||
skCB8x0i2ExaWoFAviHS40NsfU39NYKgUYkV8ieDUbZLqTldnKTkKGMBRHzkzlEc
|
||||
gPoXbuA9YFPSJkymPqkuOV7xIoZluDIHCJVSYFTy/UzrQqrYUhsSVSf8QXnKRovd
|
||||
duW05ADSl8lvuxNJRq1ofQEPw2lTog7LfcHsGVcJU9pPO3K+3HQOCKcC8YchzKvp
|
||||
siUtoFW9eITYMu2nyfBAsouVX6B9o+j5hK0+w8VDTTSALE4+fdWMhs1vq61GtE1E
|
||||
WYwGpbKzBLLUuuZg5wtdJuqVQl/elQ4nMiMpn2tAjpwdGcVUFJoHzJfg7XEeO7l2
|
||||
iT2a26UcylPjtOUScwNcMrEYhCG8IfW0jDkgpKQO0rVGe86iHZpZvHE20AwlAjEy
|
||||
yHyNU8K2brDNmupjFy0LLANoD8uyZElGbyIOZlz3O+4zIXTDY880Dmi29ZLj+iYD
|
||||
mU5+JjLB8wONT5pzuiv4lWq2Gg8RIOgPz3SfxLeIS8ac9fGn+13MVTJOVkv5XtmG
|
||||
JTk04njA1cz7KnHwW+SrLOzDRKCHzM6kJjyCc+3dttJ8Z8doCxfMAjXPtCo79tvt
|
||||
teMSN1wINmWThhTF3v9Hz4kCAwEAAQ==
|
||||
-----END PUBLIC KEY-----
|