WIP
parent
e0087d54f0
commit
2c50b3398e
@ -74,8 +74,8 @@ Command (m for help): g
|
||||||
Created a new GPT disklabel…
|
Created a new GPT disklabel…
|
||||||
|
|
||||||
Command (m for help): n
|
Command (m for help): n
|
||||||
Partition number (1-128, default 1):
|
Partition number (1-128, default 1):
|
||||||
First sector (…):
|
First sector (…):
|
||||||
Last sector, +sectors or +size{K,M,G,T,P} (…): +128M
|
Last sector, +sectors or +size{K,M,G,T,P} (…): +128M
|
||||||
|
|
||||||
Created a new partition 1…
|
Created a new partition 1…
|
||||||
|
@ -86,14 +86,14 @@ Hex code (type L to list all codes): 1
|
||||||
Changed type of partition 'Linux filesystem' to 'EFI System'.
|
Changed type of partition 'Linux filesystem' to 'EFI System'.
|
||||||
|
|
||||||
Command (m for help): n
|
Command (m for help): n
|
||||||
Partition number (2-128, default 2):
|
Partition number (2-128, default 2):
|
||||||
First sector (…):
|
First sector (…):
|
||||||
Last sector, +sectors or +size{K,M,G,T,P} (…):
|
Last sector, +sectors or +size{K,M,G,T,P} (…):
|
||||||
|
|
||||||
Created a new partition 2…
|
Created a new partition 2…
|
||||||
|
|
||||||
Command (m for help): t
|
Command (m for help): t
|
||||||
Partition number (1,2, default 2):
|
Partition number (1,2, default 2):
|
||||||
Hex code (type L to list all codes): 31
|
Hex code (type L to list all codes): 31
|
||||||
|
|
||||||
Changed type of partition 'Linux filesystem' to 'Linux LVM'.
|
Changed type of partition 'Linux filesystem' to 'Linux LVM'.
|
||||||
|
@ -304,7 +304,7 @@ root@archiso ~ # arch-chroot /mnt
|
||||||
[root@archiso /]# cat >/etc/systemd/network/bridge.network <<-"THEEND"
|
[root@archiso /]# cat >/etc/systemd/network/bridge.network <<-"THEEND"
|
||||||
> [Match]
|
> [Match]
|
||||||
> Name=wire
|
> Name=wire
|
||||||
>
|
>
|
||||||
> [Network]
|
> [Network]
|
||||||
> IPForward=yes
|
> IPForward=yes
|
||||||
> Address={back-ip}/{net-bits}
|
> Address={back-ip}/{net-bits}
|
||||||
|
@ -313,7 +313,7 @@ root@archiso ~ # arch-chroot /mnt
|
||||||
[root@archiso /]# cat >/etc/systemd/network/wired.network <<-"THEEND"
|
[root@archiso /]# cat >/etc/systemd/network/wired.network <<-"THEEND"
|
||||||
> [Match]
|
> [Match]
|
||||||
> Name=en*
|
> Name=en*
|
||||||
>
|
>
|
||||||
> [Network]
|
> [Network]
|
||||||
> Bridge=wire
|
> Bridge=wire
|
||||||
> THEEND
|
> THEEND
|
||||||
|
@ -390,12 +390,12 @@ NOTE: Most values and paths here are examples, and shall be adapted.
|
||||||
[subs="+attributes"]
|
[subs="+attributes"]
|
||||||
```bash
|
```bash
|
||||||
[root@{back-name} ~]# systemctl -M {front-name} stop haproxy.service
|
[root@{back-name} ~]# systemctl -M {front-name} stop haproxy.service
|
||||||
[root@{back-name} ~]# systemctl -M {front-name} stop nginx.service
|
[root@{back-name} ~]# systemctl -M {front-name} stop openresty.service
|
||||||
[root@{back-name} ~]# systemctl -M {front-name} stop php-fpm.service
|
[root@{back-name} ~]# systemctl -M {front-name} stop php-fpm.service
|
||||||
[root@{back-name} ~]# sudo -u postgres pg_restore -c -C -F c -d postgres \
|
[root@{back-name} ~]# sudo -u postgres pg_restore -c -C -F c -d postgres \
|
||||||
> </backup/dotclear.cdump
|
> </backup/dotclear.cdump
|
||||||
[root@{back-name} ~]# systemctl -M {front-name} start php-fpm.service
|
[root@{back-name} ~]# systemctl -M {front-name} start php-fpm.service
|
||||||
[root@{back-name} ~]# systemctl -M {front-name} start nginx.service
|
[root@{back-name} ~]# systemctl -M {front-name} start openresty.service
|
||||||
[root@{back-name} ~]# systemctl -M {front-name} start haproxy.service
|
[root@{back-name} ~]# systemctl -M {front-name} start haproxy.service
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -404,7 +404,7 @@ NOTE: Most values and paths here are examples, and shall be adapted.
|
||||||
[subs="+attributes"]
|
[subs="+attributes"]
|
||||||
```bash
|
```bash
|
||||||
[root@{back-name} ~]# systemctl -M {front-name} stop haproxy.service
|
[root@{back-name} ~]# systemctl -M {front-name} stop haproxy.service
|
||||||
[root@{back-name} ~]# systemctl -M {front-name} stop nginx.service
|
[root@{back-name} ~]# systemctl -M {front-name} stop openresty.service
|
||||||
[root@{back-name} ~]# systemctl -M {front-name} stop prosody.service
|
[root@{back-name} ~]# systemctl -M {front-name} stop prosody.service
|
||||||
[root@{back-name} ~]# sudo -u postgres pg_restore -c -C -F c -d postgres \
|
[root@{back-name} ~]# sudo -u postgres pg_restore -c -C -F c -d postgres \
|
||||||
> </backup/prosody.cdump
|
> </backup/prosody.cdump
|
||||||
|
@ -419,7 +419,7 @@ ALTER TABLE
|
||||||
{prosody-db}=# \q
|
{prosody-db}=# \q
|
||||||
[postgres@{back-name} ~]$ exit
|
[postgres@{back-name} ~]$ exit
|
||||||
[root@{back-name} ~]# systemctl -M {front-name} start prosody.service
|
[root@{back-name} ~]# systemctl -M {front-name} start prosody.service
|
||||||
[root@{back-name} ~]# systemctl -M {front-name} start nginx.service
|
[root@{back-name} ~]# systemctl -M {front-name} start openresty.service
|
||||||
[root@{back-name} ~]# systemctl -M {front-name} start haproxy.service
|
[root@{back-name} ~]# systemctl -M {front-name} start haproxy.service
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -444,7 +444,7 @@ Stop Nextcloud and restore the data::
|
||||||
[subs="+attributes"]
|
[subs="+attributes"]
|
||||||
```bash
|
```bash
|
||||||
[root@{back-name} ~]# systemctl -M {front-name} stop haproxy.service
|
[root@{back-name} ~]# systemctl -M {front-name} stop haproxy.service
|
||||||
[root@{back-name} ~]# systemctl -M {front-name} stop nginx.service
|
[root@{back-name} ~]# systemctl -M {front-name} stop openresty.service
|
||||||
[root@{back-name} ~]# systemctl stop nextcloud-maintenance.timer
|
[root@{back-name} ~]# systemctl stop nextcloud-maintenance.timer
|
||||||
[root@{back-name} ~]# systemctl stop uwsgi@nextcloud.socket
|
[root@{back-name} ~]# systemctl stop uwsgi@nextcloud.socket
|
||||||
[root@{back-name} ~]# systemctl stop uwsgi@nextcloud.service
|
[root@{back-name} ~]# systemctl stop uwsgi@nextcloud.service
|
||||||
|
@ -514,7 +514,7 @@ Restart Nextcloud::
|
||||||
```bash
|
```bash
|
||||||
[root@{back-name} ~]# systemctl start uwsgi@nextcloud.socket
|
[root@{back-name} ~]# systemctl start uwsgi@nextcloud.socket
|
||||||
[root@{back-name} ~]# systemctl start nextcloud-maintenance.timer
|
[root@{back-name} ~]# systemctl start nextcloud-maintenance.timer
|
||||||
[root@{back-name} ~]# systemctl -M {front-name} start nginx.service
|
[root@{back-name} ~]# systemctl -M {front-name} start openresty.service
|
||||||
[root@{back-name} ~]# systemctl -M {front-name} start haproxy.service
|
[root@{back-name} ~]# systemctl -M {front-name} start haproxy.service
|
||||||
```
|
```
|
||||||
|
|
@ -43,8 +43,8 @@ locales_enabled: 'en_US.UTF-8 en_GB.UTF-8'
|
||||||
dns_sec: 'no'
|
dns_sec: 'no'
|
||||||
|
|
||||||
# DNS servers to use on the server, for example:
|
# DNS servers to use on the server, for example:
|
||||||
# OpenNIC-1 OpenNIC-2 Google
|
# OpenNIC-1 OpenNIC-2 Cloudflare-1/-2
|
||||||
dns_hosts: '87.98.175.85 5.135.183.146 8.8.8.8'
|
dns_hosts: '51.158.108.203 51.77.149.139 1.1.1.1 1.0.0.1'
|
||||||
|
|
||||||
# Nearest NTP servers (https://www.ntppool.org/).
|
# Nearest NTP servers (https://www.ntppool.org/).
|
||||||
ntp_hosts: '0.uk.pool.ntp.org 1.uk.pool.ntp.org 2.uk.pool.ntp.org 3.uk.pool.ntp.org'
|
ntp_hosts: '0.uk.pool.ntp.org 1.uk.pool.ntp.org 2.uk.pool.ntp.org 3.uk.pool.ntp.org'
|
||||||
|
@ -186,7 +186,7 @@ http_pfx_privatebin: /paste
|
||||||
http_pfx_prosody: /xmpp-
|
http_pfx_prosody: /xmpp-
|
||||||
|
|
||||||
# URL prefix of SSOwat (SSO and web portal).
|
# URL prefix of SSOwat (SSO and web portal).
|
||||||
http_pfx_ssowat: /start
|
http_pfx_sso: /start
|
||||||
|
|
||||||
# URL prefix of Transmission (web UI for BitTorrent).
|
# URL prefix of Transmission (web UI for BitTorrent).
|
||||||
http_pfx_transmission: /torrent
|
http_pfx_transmission: /torrent
|
||||||
|
@ -376,7 +376,7 @@ net_subdom_ssh: ssh
|
||||||
|
|
||||||
# Local networks from which network connections are trusted.
|
# Local networks from which network connections are trusted.
|
||||||
# OpenSSH requires that the IP in front of the “/” character is the first IP of the range!
|
# OpenSSH requires that the IP in front of the “/” character is the first IP of the range!
|
||||||
net_trusted_ranges: '192.168.1.248/28 127.0.0.0/8 ::1'
|
net_trusted_ranges: '192.168.1.240/28 127.0.0.0/8 ::1'
|
||||||
|
|
||||||
# Administrator for Nextcloud (not necessarily an LDAP user).
|
# Administrator for Nextcloud (not necessarily an LDAP user).
|
||||||
nextcloud_admin_user: nextcloud_admin
|
nextcloud_admin_user: nextcloud_admin
|
||||||
|
@ -525,6 +525,61 @@ transmission_real_todo_at: /mnt/share/p2p/iso.torrent
|
||||||
transmission_nfs_done_at: share/p2p/iso
|
transmission_nfs_done_at: share/p2p/iso
|
||||||
transmission_nfs_todo_at: share/p2p/iso.torrent
|
transmission_nfs_todo_at: share/p2p/iso.torrent
|
||||||
|
|
||||||
|
# Name used in file-names to identify the VPN
|
||||||
|
vpn_name: my_vpn
|
||||||
|
|
||||||
|
# IP/CIDR of DMZ’ no-VPN network namespace when VPN is setup
|
||||||
|
vpn_avoiding_ip_cidr: 192.168.1.240/24
|
||||||
|
|
||||||
|
# OpenVPN credentials
|
||||||
|
vpn_login: my-vpn-login
|
||||||
|
vpn_password: my-vpn-password
|
||||||
|
|
||||||
|
# OpenVPN settings
|
||||||
|
vpn_ca_certificate: |
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
vpn_interface_type: tun # or tap
|
||||||
|
vpn_protocol: udp6 # or udp, tcp, tcp6
|
||||||
|
vpn_server_host: vpn.example.org
|
||||||
|
vpn_server_port: 1194
|
||||||
|
vpn_tls_auth_key: |
|
||||||
|
-----BEGIN OpenVPN Static key V1-----
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
…
|
||||||
|
-----END OpenVPN Static key V1-----
|
||||||
|
|
||||||
# Name of the Wallabag database in PostgreSQL.
|
# Name of the Wallabag database in PostgreSQL.
|
||||||
wallabag_db: wallabag
|
wallabag_db: wallabag
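Review bot: The new VPN block puts live credentials (`vpn_login`, `vpn_password`) and the `vpn_tls_auth_key` material in plaintext in this vars file; unless the file is already vault-encrypted, move them into a vault-encrypted vars file or use `!vault` inline values so they never sit in the repository in clear (the CA certificate is public and can stay as it is). The comment on `vpn_avoiding_ip_cidr` says "IP/CIDR" but the sample `192.168.1.240/24` is a host address with a /24 mask, whereas `net_trusted_ranges` in the hunk above uses `192.168.1.240/28`; if the value is meant as a network it should read `192.168.1.240/28` (or `192.168.1.0/24`), and the comment should say which form the consumer expects. The `http_pfx_ssowat` → `http_pfx_sso` rename is only visible here; any template or task still reading `http_pfx_ssowat` would now render empty, so it is worth grepping for the old name.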
|
||||||
|
|
@ -10,6 +10,12 @@
|
||||||
msg: ACME
|
msg: ACME
|
||||||
### ⇐ UPSTREAM BEGIN ###
|
### ⇐ UPSTREAM BEGIN ###
|
||||||
|
|
||||||
|
- name: install software (dev)
|
||||||
|
package:
|
||||||
|
# for Ansible crypto
|
||||||
|
name: python-cryptography
|
||||||
|
when: (env == 'dev')
|
||||||
|
|
||||||
- name: install dehydrated (Let’s Encrypt)
|
- name: install dehydrated (Let’s Encrypt)
|
||||||
include_role:
|
include_role:
|
||||||
name: aur.inc
|
name: aur.inc
|
||||||
|
@ -68,6 +74,7 @@
|
||||||
src: files/dehydrated.timer
|
src: files/dehydrated.timer
|
||||||
dest: /etc/systemd/system/dehydrated.timer
|
dest: /etc/systemd/system/dehydrated.timer
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
when: (env == 'prod')
|
||||||
notify:
|
notify:
|
||||||
- restart dehydrated.service
|
- restart dehydrated.service
|
||||||
|
|
||||||
|
@ -76,6 +83,45 @@
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
name: dehydrated.timer
|
name: dehydrated.timer
|
||||||
enabled: true
|
enabled: true
|
||||||
|
when: (env == 'prod')
|
||||||
|
|
||||||
|
## DEV
|
||||||
|
|
||||||
|
#https://docs.ansible.com/ansible/latest/collections/community/crypto/docsite/guide_selfsigned.html
|
||||||
|
|
||||||
|
- name: create private key (dev)
|
||||||
|
community.crypto.openssl_privatekey:
|
||||||
|
path: /var/lib/acme/self-signed.key
|
||||||
|
when: (env == 'dev')
|
||||||
|
|
||||||
|
- name: create CSR (dev)
|
||||||
|
community.crypto.openssl_csr:
|
||||||
|
path: /var/lib/acme/self-signed.csr
|
||||||
|
privatekey_path: /var/lib/acme/self-signed.key
|
||||||
|
common_name: "{{net_soa}}"
|
||||||
|
organization_name: "{{nickname}}"
|
||||||
|
subject_alt_name: "{{acme_domains | split | map('regex_replace','^','DNS:')}}"
|
||||||
|
subject_alt_name_critical: true
|
||||||
|
when: (env == 'dev')
|
||||||
|
|
||||||
|
- name: create self-signed certificate (dev)
|
||||||
|
community.crypto.x509_certificate:
|
||||||
|
path: /var/lib/acme/self-signed.pem
|
||||||
|
privatekey_path: /var/lib/acme/self-signed.key
|
||||||
|
csr_path: /var/lib/acme/self-signed.csr
|
||||||
|
provider: selfsigned
|
||||||
|
when: (env == 'dev')
|
||||||
|
|
||||||
|
- name: deploy self-signed certificate (dev)
|
||||||
|
command: >
|
||||||
|
/etc/dehydrated/{{nickname}}-hook.sh deploy_cert
|
||||||
|
{{net_soa}}
|
||||||
|
/var/lib/acme/self-signed.key
|
||||||
|
/var/lib/acme/self-signed.pem
|
||||||
|
/var/lib/acme/self-signed.pem
|
||||||
|
/dev/null
|
||||||
|
{{ansible_date_time.epoch}}
|
||||||
|
when: (env == 'dev')
|
||||||
|
|
||||||
### LOCAL COMMIT ⇒ ###
|
### LOCAL COMMIT ⇒ ###
|
||||||
- name: commit local changes
|
- name: commit local changes
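Review bot: The `deploy self-signed certificate (dev)` task is an unconditional `command`, so every dev run re-invokes the hook, re-copies the key and certificate and reloads the services, and the task always reports changed. Register the result of `create self-signed certificate (dev)` (`register: self_signed_cert`) and gate the deploy on it: `when: (env == 'dev') and (self_signed_cert is changed)`; `changed_when` would be the alternative if a forced redeploy is the intent. `openssl_privatekey` is given only `path`, so the mode of `/var/lib/acme/self-signed.key` rests on the module defaults; stating `mode: 0400` explicitly documents the intent. The play these tasks belong to starts before the first hunk.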
|
@ -2,17 +2,20 @@
|
||||||
# The home-server project produces a multi-purpose setup using Ansible.
|
# The home-server project produces a multi-purpose setup using Ansible.
|
||||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
#
|
||||||
|
# NOTE: on 1st run, DMZ software is NOT YET INSTALLED!
|
||||||
|
set -e
|
||||||
|
|
||||||
RSH=/usr/local/bin/{{DMZ}}
|
RSH=/usr/local/bin/{{DMZ}}
|
||||||
ETC_CHANGED_{{hostname}}=
|
ETC_CHANGED_{{hostname | regex_replace('-', '_')}}=
|
||||||
ETC_CHANGED_{{DMZ}}=
|
ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}=
|
||||||
|
|
||||||
etckeeper_hook() {
|
etckeeper_hook() {
|
||||||
if [ -n "$ETC_CHANGED_{{hostname}}" ]; then
|
if [ -n "$ETC_CHANGED_{{hostname}}" ]; then
|
||||||
etc_stop_local 'ACME update'
|
etc_stop_local 'ACME update'
|
||||||
fi
|
fi
|
||||||
if [ -n "$ETC_CHANGED_{{DMZ}}" ]; then
|
if [ -n "$ETC_CHANGED_{{DMZ}}" ]; then
|
||||||
$RSH "etc_stop_local 'ACME update'"
|
$RSH "etc_stop_local 'ACME update' || true"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -37,11 +40,11 @@ deploy_exim() {
|
||||||
&& $RSH 'find /etc/mail/exim.{pem,crt} -mmin -$((1+($(date +%s)-${1})/60)) -printf . | grep -q ..' ${6%.*}; then
|
&& $RSH 'find /etc/mail/exim.{pem,crt} -mmin -$((1+($(date +%s)-${1})/60)) -printf . | grep -q ..' ${6%.*}; then
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
local copy='cat >$1; chown exim $1; chmod 400 $1; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
|
local copy='[ -d /etc/mail ] || mkdir -p /etc/mail; cat >$1; if id exim 2>/dev/null; then chown exim $1; chmod 400 $1; else chmod 444 $1; fi; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
|
||||||
$RSH "$copy" /etc/mail/exim.pem $6 <"$2"
|
$RSH "$copy" /etc/mail/exim.pem $6 <"$2"
|
||||||
$RSH "$copy" /etc/mail/exim.crt $6 <"$4"
|
$RSH "$copy" /etc/mail/exim.crt $6 <"$4"
|
||||||
systemctl -M {{DMZ}} reload exim.service
|
$RSH 'systemctl reload exim.service || true'
|
||||||
ETC_CHANGED_{{DMZ}}=1
|
ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}=1
|
||||||
}
|
}
|
||||||
|
|
||||||
# $1: force|test; $2: KEYFILE; $3: CERTFILE; $4: FULLCHAINFILE; $5: CHAINFILE; $6: TIMESTAMP
|
# $1: force|test; $2: KEYFILE; $3: CERTFILE; $4: FULLCHAINFILE; $5: CHAINFILE; $6: TIMESTAMP
|
||||||
|
@ -51,11 +54,11 @@ deploy_prosody() {
|
||||||
&& $RSH 'find /etc/prosody/certs/{{net_soa}}.{key,crt} -mmin -$((1+($(date +%s)-${1})/60)) -printf . | grep -q ..' ${6%.*}; then
|
&& $RSH 'find /etc/prosody/certs/{{net_soa}}.{key,crt} -mmin -$((1+($(date +%s)-${1})/60)) -printf . | grep -q ..' ${6%.*}; then
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
local copy='cat >$1; chown prosody $1; chmod 400 $1; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
|
local copy='[ -d /etc/prosody/certs ] || mkdir -p /etc/prosody/certs; cat >$1; if id prosody 2>/dev/null; then chown prosody $1; chmod 400 $1; else chmod 444 $1; fi; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
|
||||||
$RSH "$copy" /etc/prosody/certs/{{net_soa}}.key $6 <"$2"
|
$RSH "$copy" /etc/prosody/certs/{{net_soa}}.key $6 <"$2"
|
||||||
$RSH "$copy" /etc/prosody/certs/{{net_soa}}.crt $6 <"$4"
|
$RSH "$copy" /etc/prosody/certs/{{net_soa}}.crt $6 <"$4"
|
||||||
systemctl -M {{DMZ}} reload prosody.service
|
$RSH 'systemctl reload prosody.service || true'
|
||||||
ETC_CHANGED_{{DMZ}}=1
|
ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}=1
|
||||||
}
|
}
|
||||||
|
|
||||||
# $1: force|test; $2: KEYFILE; $3: CERTFILE; $4: FULLCHAINFILE; $5: CHAINFILE; $6: TIMESTAMP
|
# $1: force|test; $2: KEYFILE; $3: CERTFILE; $4: FULLCHAINFILE; $5: CHAINFILE; $6: TIMESTAMP
|
||||||
|
@ -65,10 +68,10 @@ deploy_haproxy() {
|
||||||
&& $RSH 'find /etc/haproxy/tls.pem -mmin -$((1+($(date +%s)-${1})/60)) -printf . | grep -q .' ${6%.*}; then
|
&& $RSH 'find /etc/haproxy/tls.pem -mmin -$((1+($(date +%s)-${1})/60)) -printf . | grep -q .' ${6%.*}; then
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
local copy='cat >$1; chmod 400 $1; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
|
local copy='[ -d /etc/haproxy ] || mkdir -p /etc/haproxy; cat >$1; chmod 400 $1; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
|
||||||
cat "$4" "$2" | $RSH "$copy" /etc/haproxy/tls.pem $6
|
cat "$4" "$2" | $RSH "$copy" /etc/haproxy/tls.pem $6
|
||||||
systemctl -M {{DMZ}} reload haproxy.service
|
$RSH 'systemctl reload haproxy.service || true'
|
||||||
ETC_CHANGED_{{DMZ}}=1
|
ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}=1
|
||||||
}
|
}
|
||||||
|
|
||||||
deploy_cert() {
|
deploy_cert() {
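Review bot: The sanitised variable names are applied only to the assignments (`ETC_CHANGED_{{hostname | regex_replace('-', '_')}}=` and the `=1` lines in deploy_exim, deploy_prosody and deploy_haproxy) while the reads in etckeeper_hook still say `$ETC_CHANGED_{{hostname}}` and `$ETC_CHANGED_{{DMZ}}`; with a hyphenated name the test becomes `[ -n "$ETC_CHANGED_foo-bar" ]`, which expands to the literal `-bar` suffix and is always true, so `etc_stop_local` runs regardless of whether anything changed. Apply the same `| regex_replace('-', '_')` filter to both `if` lines. In the new `copy` snippets for exim and prosody the fallback branch does `chmod 444 $1`, but `$1` is the private key for the `.pem`/`.key` copies (`<"$2"` is KEYFILE), so a missing service user leaves the key world-readable; use `chmod 400 $1` in the fallback as well, and start the snippet with `umask 077;` so `cat >$1` never creates the file with the default mode before `chmod` runs. `id exim 2>/dev/null` also prints the id line to stdout on success; `id exim >/dev/null 2>&1` keeps the remote output clean. deploy_cert, whose header is the last line of the section, continues outside the hunk.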
|
@ -3,8 +3,8 @@
|
||||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
||||||
- name: restart nginx.service
|
- name: restart openresty.service
|
||||||
systemd:
|
systemd:
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
name: nginx.service
|
name: openresty.service
|
||||||
state: restarted
|
state: restarted
|
@ -20,7 +20,7 @@
|
||||||
owner: http
|
owner: http
|
||||||
group: http
|
group: http
|
||||||
notify:
|
notify:
|
||||||
- restart nginx.service
|
- restart openresty.service
|
||||||
|
|
||||||
### LOCAL COMMIT ⇒ ###
|
### LOCAL COMMIT ⇒ ###
|
||||||
- name: commit local changes
|
- name: commit local changes
|
@ -41,7 +41,9 @@
|
||||||
block:
|
block:
|
||||||
|
|
||||||
- name: AUR → {{pkg_name}} → run custom pre-processing commands
|
- name: AUR → {{pkg_name}} → run custom pre-processing commands
|
||||||
shell: "{{pre_cmd}}"
|
shell: |
|
||||||
|
set -x
|
||||||
|
{{pre_cmd}}
|
||||||
args:
|
args:
|
||||||
chdir: /var/tmp/{{aurjson.json.results[0].PackageBase}}
|
chdir: /var/tmp/{{aurjson.json.results[0].PackageBase}}
|
||||||
when: pre_cmd
|
when: pre_cmd
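Review bot: `set -x` alone traces `{{pre_cmd}}` but does not make the multi-line script stop at the first failing command, so a failed pre-processing step is only reported if its last line fails; `set -ex` (or `set -eux`) keeps the trace and fails the task properly. The trace is captured in the task's stderr and so ends up in the Ansible output; if a `pre_cmd` ever carries a secret it will be logged verbatim, so either keep secrets out of `pre_cmd` or set `no_log: true` on the task. The enclosing `block:` starts before the hunk.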
|
@ -46,7 +46,7 @@
|
||||||
- name: post-update script for he.net
|
- name: post-update script for he.net
|
||||||
copy:
|
copy:
|
||||||
content: |
|
content: |
|
||||||
#!/bin/bash
|
#!/usr/bin/env bash
|
||||||
# $1: new IP address
|
# $1: new IP address
|
||||||
if [ -f /etc/conf.d/iodined ]; then
|
if [ -f /etc/conf.d/iodined ]; then
|
||||||
sed -i "s/^IODINE_EXT_IP=.*/IODINE_EXT_IP='$1'/" /etc/conf.d/iodined
|
sed -i "s/^IODINE_EXT_IP=.*/IODINE_EXT_IP='$1'/" /etc/conf.d/iodined
|
@ -1,7 +1,7 @@
|
||||||
- name: replace /usr/bin/arch-chroot in Podman
|
- name: replace /usr/bin/arch-chroot in Podman
|
||||||
copy:
|
copy:
|
||||||
content: |
|
content: |
|
||||||
#!/bin/bash
|
#!/usr/bin/env bash
|
||||||
args=()
|
args=()
|
||||||
while [ $# -gt 1 ]; do shift; args+=("$(printf "%q" "$1")"); done
|
while [ $# -gt 1 ]; do shift; args+=("$(printf "%q" "$1")"); done
|
||||||
[ -t 0 ] && t=-t || t=-T
|
[ -t 0 ] && t=-t || t=-T
|
@ -3,8 +3,8 @@
|
||||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
||||||
- name: restart nginx.service
|
- name: restart openresty.service
|
||||||
systemd:
|
systemd:
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
name: nginx.service
|
name: openresty.service
|
||||||
state: restarted
|
state: restarted
|
@ -58,7 +58,7 @@
|
||||||
owner: http
|
owner: http
|
||||||
group: http
|
group: http
|
||||||
notify:
|
notify:
|
||||||
- restart nginx.service
|
- restart openresty.service
|
||||||
|
|
||||||
### LOCAL COMMIT ⇒ ###
|
### LOCAL COMMIT ⇒ ###
|
||||||
- name: commit local changes
|
- name: commit local changes
|
@ -193,22 +193,34 @@
|
||||||
regexp: '^(?:#\s*)?root:'
|
regexp: '^(?:#\s*)?root:'
|
||||||
line: "root: {{mail_forward_root_to}}"
|
line: "root: {{mail_forward_root_to}}"
|
||||||
|
|
||||||
- name: send DKIM private key
|
- name: send DKIM private key (prod)
|
||||||
copy:
|
copy:
|
||||||
src: files/{{net_soa}}_dkim.privk.pem
|
src: files/{{net_soa}}_dkim.privk.pem
|
||||||
dest: /etc/mail/{{net_soa}}_dkim.privk.pem
|
dest: /etc/mail/{{net_soa}}_dkim.privk.pem
|
||||||
owner: exim
|
owner: exim
|
||||||
group: exim
|
group: exim
|
||||||
mode: 0400
|
mode: 0400
|
||||||
|
when: (env == 'prod')
|
||||||
notify:
|
notify:
|
||||||
- restart exim.service
|
- restart exim.service
|
||||||
|
|
||||||
- name: set smarthost name
|
- name: create DKIM private key (dev)
|
||||||
|
shell: |
|
||||||
|
# https://dkimcore.org/specification.html
|
||||||
|
openssl genrsa -out /etc/mail/{{net_soa}}_dkim.privk.pem 1024
|
||||||
|
openssl rsa -in /etc/mail/{{net_soa}}_dkim.privk.pem -pubout >/etc/mail/{{net_soa}}_dkim.pubk.pem
|
||||||
|
chown exim:exim /etc/mail/{{net_soa}}_dkim.*.pem
|
||||||
|
chmod 0400 /etc/mail/{{net_soa}}_dkim.*.pem
|
||||||
|
when: (env == 'dev')
|
||||||
|
notify:
|
||||||
|
- restart exim.service
|
||||||
|
|
||||||
|
- name: disable smarthost
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/mail/exim.conf
|
path: /etc/mail/exim.conf
|
||||||
regexp: '^(?:#\s*)?ROUTER_SMARTHOST\s*='
|
regexp: '^(\s*ROUTER_SMARTHOST\s*=.*)'
|
||||||
line: |
|
backrefs: true
|
||||||
ROUTER_SMARTHOST={{mail_smtp_smarthost}}
|
line: '#\\1'
|
||||||
notify:
|
notify:
|
||||||
- restart exim.service
|
- restart exim.service
|
||||||
|
|
||||||
|
@ -278,18 +290,11 @@
|
||||||
notify:
|
notify:
|
||||||
- restart exim.service
|
- restart exim.service
|
||||||
|
|
||||||
- name: set TLS parameters for OpenSSL (old)
|
- name: set TLS parameters for OpenSSL
|
||||||
blockinfile:
|
replace:
|
||||||
path: /etc/mail/exim.conf
|
path: /etc/mail/exim.conf
|
||||||
marker: '# {mark} OpenSSL parameters'
|
regexp: '(.ifdef\s+_HAVE_OPENSSL\s*\n\s*)#?(\s*)tls_require_ciphers\s*=.*$'
|
||||||
block: |
|
replace: '\1\2tls_require_ciphers = {{tls_ciphers}}'
|
||||||
insertafter: '^tls_advertise_hosts\s*='
|
|
||||||
|
|
||||||
- name: set TLS parameters for OpenSSL (new)
|
|
||||||
lineinfile:
|
|
||||||
path: /etc/mail/exim.conf
|
|
||||||
regexp: '^(?:#\s*)?tls_require_ciphers\s*='
|
|
||||||
line: 'tls_require_ciphers = {{tls_ciphers}}'
|
|
||||||
notify:
|
notify:
|
||||||
- restart exim.service
|
- restart exim.service
|
||||||
|
|
||||||
|
@ -365,14 +370,15 @@
|
||||||
notify:
|
notify:
|
||||||
- restart exim.service
|
- restart exim.service
|
||||||
|
|
||||||
|
# 2023-05-20: disabled because too many legitimate rejected emails coming from GMail
|
||||||
- name: deny mail RCPT from SpamHaus SBL
|
- name: deny mail RCPT from SpamHaus SBL
|
||||||
blockinfile:
|
blockinfile:
|
||||||
path: /etc/mail/exim.conf
|
path: /etc/mail/exim.conf
|
||||||
marker: ' # {mark} SpamHaus SBL ACL'
|
marker: ' # {mark} SpamHaus SBL ACL'
|
||||||
block: |
|
block: |
|
||||||
deny message = rejected because $sender_host_address is in a \
|
# deny message = rejected because $sender_host_address is in a \
|
||||||
black list at SpamHaus SBL
|
# black list at SpamHaus SBL
|
||||||
dnslists = sbl.spamhaus.org
|
# dnslists = sbl.spamhaus.org
|
||||||
insertbefore: '^\s*#\s*warn\s+dnslists\s*='
|
insertbefore: '^\s*#\s*warn\s+dnslists\s*='
|
||||||
notify:
|
notify:
|
||||||
- restart exim.service
|
- restart exim.service
|
||||||
|
@ -399,21 +405,19 @@
|
||||||
|
|
||||||
# TODO: https://github.com/Exim/exim/wiki/SimpleGreylisting (with SPAM≥1.0)
|
# TODO: https://github.com/Exim/exim/wiki/SimpleGreylisting (with SPAM≥1.0)
|
||||||
|
|
||||||
- name: use remote_smtp for smarthost delivery
|
- name: set IP addresses to be ignored (base)
|
||||||
lineinfile:
|
replace:
|
||||||
path: /etc/mail/exim.conf
|
path: /etc/mail/exim.conf
|
||||||
regexp: '^(\s*transport\s*=)'
|
regexp: '^(\s*ignore_target_hosts\s*=)(?! <; 0\.0\.0\.0 ; 127\.0\.0\.0/8 ; ::1).*$'
|
||||||
backrefs: true
|
replace: "\1 <; 0.0.0.0 ; 127.0.0.0/8 ; ::1"
|
||||||
line: "\\1 remote_smtp"
|
|
||||||
notify:
|
notify:
|
||||||
- restart exim.service
|
- restart exim.service
|
||||||
|
|
||||||
- name: set IP addresses to be ignored
|
- name: set IP addresses to be ignored (addition)
|
||||||
lineinfile:
|
replace:
|
||||||
path: /etc/mail/exim.conf
|
path: /etc/mail/exim.conf
|
||||||
regexp: '^(\s*ignore_target_hosts\s*=.*::1)(?! ; {{mail_ignore_ip | replace(" ", " ; ")}}$)'
|
regexp: '^(\s*ignore_target_hosts\s*= <; 0\.0\.0\.0 ; 127\.0\.0\.0/8 ; ::1)$'
|
||||||
backrefs: true
|
replace: "\1 ; {{mail_ignore_ip | replace(' ', ' ; ')}}"
|
||||||
line: "\\1 ; {{mail_ignore_ip | replace(' ', ' ; ')}}"
|
|
||||||
when:
|
when:
|
||||||
- mail_ignore_ip != ""
|
- mail_ignore_ip != ""
|
||||||
notify:
|
notify:
|
||||||
|
@ -505,16 +509,17 @@
|
||||||
notify:
|
notify:
|
||||||
- restart exim.service
|
- restart exim.service
|
||||||
|
|
||||||
- name: enable DKIM on outgoing emails
|
- name: configure remote SMTP for outgoing emails
|
||||||
blockinfile:
|
replace:
|
||||||
path: /etc/mail/exim.conf
|
path: /etc/mail/exim.conf
|
||||||
marker: ' # {mark} outgoing DKIM signing'
|
regexp: '^(remote_smtp:\s*\n\s*driver\s*=\s*smtp\s*)$(?!\n\s*dkim_canon =)
|
||||||
block: |
|
replace: |
|
||||||
|
\1
|
||||||
dkim_canon = relaxed
|
dkim_canon = relaxed
|
||||||
dkim_domain = {{net_soa}}
|
dkim_domain = {{net_soa}}
|
||||||
dkim_private_key = /etc/mail/{{net_soa}}_dkim.privk.pem
|
dkim_private_key = /etc/mail/{{net_soa}}_dkim.privk.pem
|
||||||
dkim_selector = {{mail_dkim_selector}}
|
dkim_selector = {{mail_dkim_selector}}
|
||||||
insertafter: '^\s*driver\s*=\s*smtp\s*$'
|
helo_data = {{net_soa}}
|
||||||
notify:
|
notify:
|
||||||
- restart exim.service
|
- restart exim.service
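Review bot: Several of the new backreferences are quoted the wrong way round. In `disable smarthost`, `line: '#\\1'` is single-quoted, so lineinfile's `backrefs` expansion receives a literal `\\1` and writes `#\1` into exim.conf instead of the commented-out `ROUTER_SMARTHOST` line; it should be `line: '#\1'`. Conversely `replace: "\1 <; 0.0.0.0 ; 127.0.0.0/8 ; ::1"` and `replace: "\1 ; {{mail_ignore_ip | replace(' ', ' ; ')}}"` are double-quoted, where `\1` is not a valid YAML escape and the file fails to parse; single-quote them as the TLS task (`'\1\2tls_require_ciphers = …'`) already does, unless the page dropped a backslash, and note that the `regexp:` of `configure remote SMTP for outgoing emails` has no closing quote as shown here. The `create DKIM private key (dev)` shell task is not idempotent (a fresh key, a `changed` result and an exim restart on every run) and generates a 1024-bit key; add `args: { creates: /etc/mail/{{net_soa}}_dkim.privk.pem }`, use 2048 bits, and consider `community.crypto.openssl_privatekey`, which the ACME role in this commit already relies on. The play continues past the last hunk.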
|
||||||
|
|
@ -34,8 +34,8 @@
|
||||||
copy:
|
copy:
|
||||||
content: |
|
content: |
|
||||||
[Unit]
|
[Unit]
|
||||||
Wants=nginx.service
|
Wants=openresty.service
|
||||||
After=nginx.service
|
After=openresty.service
|
||||||
dest: /etc/systemd/system/haproxy.service.d/wants_nginx.conf
|
dest: /etc/systemd/system/haproxy.service.d/wants_nginx.conf
|
||||||
mode: 0644
|
mode: 0644
|
||||||
notify:
|
notify:
|
@ -27,6 +27,7 @@ defaults
|
||||||
|
|
||||||
frontend imaps
|
frontend imaps
|
||||||
bind :993 ssl crt /etc/haproxy/tls.pem
|
bind :993 ssl crt /etc/haproxy/tls.pem
|
||||||
|
bind :::993 ssl crt /etc/haproxy/tls.pem
|
||||||
default_backend imap
|
default_backend imap
|
||||||
|
|
||||||
backend imap
|
backend imap
|
||||||
|
@ -34,10 +35,12 @@ backend imap
|
||||||
|
|
||||||
frontend text
|
frontend text
|
||||||
bind :80
|
bind :80
|
||||||
|
bind :::80
|
||||||
default_backend http
|
default_backend http
|
||||||
|
|
||||||
frontend tls
|
frontend tls
|
||||||
bind :443 ssl crt /etc/haproxy/tls.pem
|
bind :443 ssl crt /etc/haproxy/tls.pem
|
||||||
|
bind :::443 ssl crt /etc/haproxy/tls.pem
|
||||||
|
|
||||||
tcp-request inspect-delay 2s
|
tcp-request inspect-delay 2s
|
||||||
# check SNI for the SSH domain
|
# check SNI for the SSH domain
|
||||||
|
@ -57,6 +60,7 @@ frontend tls
|
||||||
|
|
||||||
frontend tls_plus
|
frontend tls_plus
|
||||||
bind :444 ssl crt /etc/haproxy/tls.pem
|
bind :444 ssl crt /etc/haproxy/tls.pem
|
||||||
|
bind :::444 ssl crt /etc/haproxy/tls.pem
|
||||||
default_backend https_plus
|
default_backend https_plus
|
||||||
|
|
||||||
backend ssh
|
backend ssh
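Review bot: The new `bind :::993`, `:::80`, `:::443` and `:::444` lines sit next to the existing IPv4-only `bind :993` and so on. On Linux with the default `net.ipv6.bindv6only=0` a `::` socket is dual-stack and the second bind on the same port can fail with address-in-use at startup, so either add `v6only` to each new line (`bind :::993 v6only ssl crt /etc/haproxy/tls.pem`) or drop the IPv4 lines and use a single `bind :::993 v4v6 ssl crt /etc/haproxy/tls.pem` per frontend; which form is right depends on the host's sysctl, which is not visible here. `frontend tls` continues past its hunk.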
|
@ -3,8 +3,8 @@
|
||||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
||||||
- name: restart nginx.service
|
- name: restart openresty.service
|
||||||
systemd:
|
systemd:
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
name: nginx.service
|
name: openresty.service
|
||||||
state: restarted
|
state: restarted
|
@ -19,7 +19,30 @@
|
||||||
owner: http
|
owner: http
|
||||||
group: http
|
group: http
|
||||||
notify:
|
notify:
|
||||||
- restart nginx.service
|
- restart openresty.service
|
||||||
|
|
||||||
|
- name: configure SSO
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
{ "patterns": [{
|
||||||
|
"lua_regex": [
|
||||||
|
"^{{http_pfx_gitea}}/admin",
|
||||||
|
"^{{http_pfx_gitea}}/repo/create",
|
||||||
|
"^{{http_pfx_gitea}}/repo/migrate",
|
||||||
|
"^{{http_pfx_gitea}}/org/create",
|
||||||
|
"^{{http_pfx_gitea}}/.-/wiki/_new"
|
||||||
|
],
|
||||||
|
"allow": ["*"]
|
||||||
|
},{
|
||||||
|
"lua_regex": ["^{{http_pfx_gitea}}/"],
|
||||||
|
"public": true,
|
||||||
|
"portal": {"{{http_pfx_gitea}}/": "Git"}
|
||||||
|
}]
|
||||||
|
}
|
||||||
|
dest: /etc/nginx/ssso/sites/git.json
|
||||||
|
when: (is_sso_used is defined)
|
||||||
|
notify:
|
||||||
|
- restart openresty.service
|
||||||
|
|
||||||
### LOCAL COMMIT ⇒ ###
|
### LOCAL COMMIT ⇒ ###
|
||||||
- name: commit local changes
|
- name: commit local changes
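Review bot: `{{http_pfx_gitea}}` is interpolated unescaped into the `lua_regex` patterns (`"^{{http_pfx_gitea}}/admin"` and the others), and `-`, `.`, `%`, `(` and `[` are metacharacters in Lua patterns, so a prefix containing one of them (compare the `/xmpp-` prefix used for Prosody in this repository) would silently match something else, `-` being a lazy quantifier. Either escape the prefix when rendering (a `%` before each metacharacter) or add a comment above the task stating that `http_pfx_gitea` must contain only pattern-safe characters. The `copy` for `/etc/nginx/ssso/sites/git.json` sets no `owner`, `group` or `mode`, unlike the copy task just above it that sets `owner: http` and `group: http`; stating them explicitly avoids depending on the module defaults.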
|
@ -3,8 +3,8 @@
|
||||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
||||||
- name: restart nginx.service
|
- name: restart openresty.service
|
||||||
systemd:
|
systemd:
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
name: nginx.service
|
name: openresty.service
|
||||||
state: restarted
|
state: restarted
|
@ -171,7 +171,7 @@
|
||||||
owner: http
|
owner: http
|
||||||
group: http
|
group: http
|
||||||
notify:
|
notify:
|
||||||
- restart nginx.service
|
- restart openresty.service
|
||||||
|
|
||||||
### LOCAL COMMIT ⇒ ###
|
### LOCAL COMMIT ⇒ ###
|
||||||
- name: commit local changes
|
- name: commit local changes
|
@ -3,8 +3,8 @@
|
||||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
||||||
- name: restart nginx.service
|
- name: restart openresty.service
|
||||||
systemd:
|
systemd:
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
name: nginx.service
|
name: openresty.service
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
|
@ -45,7 +45,7 @@
|
||||||
owner: http
|
owner: http
|
||||||
group: http
|
group: http
|
||||||
notify:
|
notify:
|
||||||
- restart nginx.service
|
- restart openresty.service
|
||||||
|
|
||||||
### LOCAL COMMIT ⇒ ###
|
### LOCAL COMMIT ⇒ ###
|
||||||
- name: commit local changes
|
- name: commit local changes
|
||||||
|
|
|
@ -9,8 +9,8 @@
|
||||||
name: movim.service
|
name: movim.service
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
- name: restart nginx.service
|
- name: restart openresty.service
|
||||||
systemd:
|
systemd:
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
name: nginx.service
|
name: openresty.service
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
|
@ -122,7 +122,7 @@
|
||||||
owner: http
|
owner: http
|
||||||
group: http
|
group: http
|
||||||
notify:
|
notify:
|
||||||
- restart nginx.service
|
- restart openresty.service
|
||||||
|
|
||||||
### LOCAL COMMIT ⇒ ###
|
### LOCAL COMMIT ⇒ ###
|
||||||
- name: commit local changes
|
- name: commit local changes
|
||||||
|
|
|
@ -3,8 +3,8 @@
|
||||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
||||||
- name: restart nginx.service
|
- name: restart openresty.service
|
||||||
systemd:
|
systemd:
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
name: nginx.service
|
name: openresty.service
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
owner: http
|
owner: http
|
||||||
group: http
|
group: http
|
||||||
notify:
|
notify:
|
||||||
- restart nginx.service
|
- restart openresty.service
|
||||||
|
|
||||||
- name: configure Nginx for LibreOffice OnLine
|
- name: configure Nginx for LibreOffice OnLine
|
||||||
template:
|
template:
|
||||||
|
@ -21,7 +21,7 @@
|
||||||
owner: http
|
owner: http
|
||||||
group: http
|
group: http
|
||||||
notify:
|
notify:
|
||||||
- restart nginx.service
|
- restart openresty.service
|
||||||
|
|
||||||
### LOCAL COMMIT ⇒ ###
|
### LOCAL COMMIT ⇒ ###
|
||||||
- name: commit local changes
|
- name: commit local changes
|
||||||
|
|
|
@ -6,10 +6,10 @@
|
||||||
- name: create tmpfiles
|
- name: create tmpfiles
|
||||||
command: systemd-tmpfiles --create /etc/tmpfiles.d/run_http.conf
|
command: systemd-tmpfiles --create /etc/tmpfiles.d/run_http.conf
|
||||||
|
|
||||||
- name: restart nginx.service
|
- name: restart openresty.service
|
||||||
systemd:
|
systemd:
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
name: nginx.service
|
name: openresty.service
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
- name: restart php-fpm.service
|
- name: restart php-fpm.service
|
||||||
|
|
|
@ -10,13 +10,71 @@
|
||||||
msg: nginx
|
msg: nginx
|
||||||
### ⇐ UPSTREAM BEGIN ###
|
### ⇐ UPSTREAM BEGIN ###
|
||||||
|
|
||||||
#- name: install software
|
- name: uninstall software
|
||||||
# package:
|
package:
|
||||||
# name: "{{item}}"
|
name: "{{item}}"
|
||||||
# state: present
|
state: absent
|
||||||
# with_items:
|
with_items:
|
||||||
# - nginx-mainline # nginx-mainline must now be built from official PKGBUILD :-(
|
# 2023-05-20: removed
|
||||||
# - php-fpm
|
- nginx-mainline
|
||||||
|
|
||||||
|
- name: install AUR software
|
||||||
|
include_role:
|
||||||
|
name: aur.inc
|
||||||
|
allow_duplicates: true
|
||||||
|
vars:
|
||||||
|
packages:
|
||||||
|
- pkg: openresty
|
||||||
|
pre: |
|
||||||
|
# harden the systemd service
|
||||||
|
sed -ri '
|
||||||
|
/\[Unit\]/ a\
|
||||||
|
After=systemd-tmpfiles-setup.service\
|
||||||
|
After=php-fpm.service
|
||||||
|
/\[Service\]/ a\
|
||||||
|
User=http\
|
||||||
|
Group=http\
|
||||||
|
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT\
|
||||||
|
PrivateTmp=true\
|
||||||
|
PrivateDevices=true\
|
||||||
|
ProtectSystem=full\
|
||||||
|
ProtectHome=true\
|
||||||
|
ReadWritePaths=/var/log/nginx\
|
||||||
|
NoNewPrivileges=true\
|
||||||
|
ExecStartPre=-/usr/bin/find /var/log/nginx/ -type f -user root -delete\
|
||||||
|
ExecStartPre=/usr/bin/sh -c '"'"'rm -f /run/shared_sockets/http*.pp'"'"'
|
||||||
|
s|/run/openresty.pid|/run/http/nginx.pid|g
|
||||||
|
' service
|
||||||
|
# compute the hash of the new service file
|
||||||
|
srvHash=$(sha256sum service | awk '{print $1}')
|
||||||
|
# — choose /etc/nginx as Nginx configuration location
|
||||||
|
# — choose /run/http/ for Nginx PID and lock files location
|
||||||
|
# — choose /var/log/nginx/ as Nginx compiled-in logs location
|
||||||
|
# — choose /var/tmp/ as Nginx runtime temporary folder
|
||||||
|
# — replace the old service hash with the computed one
|
||||||
|
# — remove signature source files as they make the build fail
|
||||||
|
# — disable unused features of OpenResty/Nginx
|
||||||
|
sed -ri "
|
||||||
|
s#_cfgdir=.*#_cfgdir=/etc/nginx#
|
||||||
|
/build\\(\\)/ i\\
|
||||||
|
for ((_src=0; _src<\${{ '{#source[*]}' }}; _src++)); do if [ "\${source[\$_src]}" == service ]; then\\
|
||||||
|
sha256sums[\$_src]='$srvHash'\\
|
||||||
|
fi; done\\
|
||||||
|
for ((_src=\${{ '{#source[*]}' }}-1; _src>=0; _src--)); do if [[ "\${source[\$_src]}" =~ \\\\.asc\$ ]]; then\\
|
||||||
|
_last=\$((\${{ '{#source[*]}' }}-1))\\
|
||||||
|
source[\$_src]=\"\${source[\$_last]}\"; unset source[\$_last]\\
|
||||||
|
sha256sums[\$_src]=\"\${sha256sums[\$_last]}\"; unset sha256sums[\$_last]\\
|
||||||
|
fi; done\\
|
||||||
|
unset _last _src
|
||||||
|
s/^( *)#( *--(without-.*redis|without-lua_rds|without-.*mysql|without-.*scgi))/\\1\\2/
|
||||||
|
s|^( *)#( *--pid-path=).*|\\1\\2/run/http/nginx.pid \\\\|
|
||||||
|
s|^( *)#( *--lock-path=).*|\\1\\2/run/http/nginx.lock \\\\|
|
||||||
|
s|^( *)#( *--error-log-path=).*|\\1\\2/var/log/nginx/error.log \\\\|
|
||||||
|
s|^( *)#( *--http-log-path=).*|\\1\\2/var/log/nginx/access.log \\\\|
|
||||||
|
/^ *--with-mail|^ *#/d
|
||||||
|
s| +#.*||
|
||||||
|
" PKGBUILD
|
||||||
|
cat PKGBUILD
|
||||||
|
|
||||||
### UPSTREAM END ⇒ ###
|
### UPSTREAM END ⇒ ###
|
||||||
- name: merge upstream
|
- name: merge upstream
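Review bot: The `sed -ri` edits of `service` and `PKGBUILD` in the `pre:` hook fail open — if the upstream unit or PKGBUILD changes layout (no `[Service]` line, `--pid-path` no longer commented out), none of `User=http`, `NoNewPrivileges=true` or the capability bounding set ends up in the built package and the build still succeeds. Assert the result before the hash is computed, e.g. `grep -q '^User=http$' service && grep -q '^NoNewPrivileges=true$' service || exit 1` (whatever the aur.inc pre-hook treats as failure). The loop that drops the `.asc` sources also drops makepkg's PGP verification of the upstream tarball, which is only still pinned by its `sha256sums` entry; say so in the comment, e.g. `# — remove signature source files as they make the build fail (tarball stays pinned by its sha256sums entry; the PGP check is lost)`. The trailing `cat PKGBUILD` dumps the whole edited file into the play output on every run, which looks like leftover debugging.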
|
||||||
|
@ -25,11 +83,19 @@
|
||||||
msg: nginx
|
msg: nginx
|
||||||
### ⇐ UPSTREAM END ###
|
### ⇐ UPSTREAM END ###
|
||||||
|
|
||||||
- name: create a directory for the PID files
|
- name: fix logrotate.d/openresty
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/logrotate.d/openresty
|
||||||
|
backrefs: true
|
||||||
|
regexp: '^(\s*test -r )/run/'
|
||||||
|
line: '\1/run/http/nginx.pid && kill -USR1 `cat /run/http/nginx.pid`'
|
||||||
|
|
||||||
|
- name: create Nginx working directories
|
||||||
copy:
|
copy:
|
||||||
content: |
|
content: |
|
||||||
#Type Path Mode UID GID Age Argument
|
#Type Path Mode UID GID Age Argument
|
||||||
d /run/http 775 http http - -
|
d /run/http 775 http http - -
|
||||||
|
d /var/log/nginx 775 http http - -
|
||||||
dest: /etc/tmpfiles.d/run_http.conf
|
dest: /etc/tmpfiles.d/run_http.conf
|
||||||
mode: 0644
|
mode: 0644
|
||||||
notify:
|
notify:
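Review bot: The logrotate line `kill -USR1 \`cat /run/http/nginx.pid\`` runs as root and trusts a PID file under `/run/http`, which the tmpfiles entry in this hunk creates as `775 http http`, i.e. writable by the unprivileged `http` user nginx runs as; a compromised worker can write any PID there and have root signal an arbitrary process. Send the signal through the unit instead, which needs no PID file: `line: '\1/run/http/nginx.pid && systemctl kill -s USR1 openresty.service'`. The same consideration applies to `d /var/log/nginx 775 http http` — group write on the log directory is only needed if something other than the `http` user writes there.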
|
||||||
|
@ -37,69 +103,15 @@
|
||||||
|
|
||||||
- meta: flush_handlers
|
- meta: flush_handlers
|
||||||
|
|
||||||
- name: prepare to override systemd settings
|
- name: update already-installed OpenResty packages
|
||||||
file:
|
shell: /opt/openresty/bin/opm update
|
||||||
name: /etc/systemd/system/{{item}}.service.d
|
|
||||||
state: directory
|
- name: OPM = install OpenResty packages (if necessary)
|
||||||
mode: 0755
|
include_tasks: opm.yaml
|
||||||
|
vars:
|
||||||
|
pkg_name: "{{item}}"
|
||||||
with_items:
|
with_items:
|
||||||
- nginx
|
- fffonion/lua-resty-openssl
|
||||||
- php-fpm
|
|
||||||
|
|
||||||
- name: secure systemd settings for php-fpm
|
|
||||||
copy:
|
|
||||||
content: |
|
|
||||||
[Unit]
|
|
||||||
After=systemd-tmpfiles-setup.service
|
|
||||||
[Service]
|
|
||||||
User=http
|
|
||||||
Group=http
|
|
||||||
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
|
|
||||||
PrivateTmp=true
|
|
||||||
PrivateDevices=true
|
|
||||||
ProtectSystem=true
|
|
||||||
ProtectHome=true
|
|
||||||
NoNewPrivileges=true
|
|
||||||
PIDFile=/run/http/php-fpm.pid
|
|
||||||
dest: /etc/systemd/system/php-fpm.service.d/secure-{{nickname}}.conf
|
|
||||||
mode: 0644
|
|
||||||
notify:
|
|
||||||
- restart php-fpm.service
|
|
||||||
|
|
||||||
- name: secure systemd settings for nginx
|
|
||||||
copy:
|
|
||||||
content: |
|
|
||||||
[Unit]
|
|
||||||
After=systemd-tmpfiles-setup.service
|
|
||||||
After=php-fpm.service
|
|
||||||
[Service]
|
|
||||||
User=http
|
|
||||||
Group=http
|
|
||||||
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
|
|
||||||
PrivateTmp=true
|
|
||||||
PrivateDevices=true
|
|
||||||
ProtectSystem=full
|
|
||||||
ProtectHome=true
|
|
||||||
NoNewPrivileges=true
|
|
||||||
PIDFile=/run/http/nginx.pid
|
|
||||||
ExecStartPre=/usr/bin/sh -c 'rm -f /run/shared_sockets/http*.pp'
|
|
||||||
ExecStart=
|
|
||||||
ExecStart=/usr/bin/nginx -g 'pid /run/http/nginx.pid; error_log stderr;'
|
|
||||||
dest: /etc/systemd/system/nginx.service.d/secure-{{nickname}}.conf
|
|
||||||
mode: 0644
|
|
||||||
notify:
|
|
||||||
- restart nginx.service
|
|
||||||
|
|
||||||
- name: set ownership of nginx’ working directories to nginx
|
|
||||||
file:
|
|
||||||
path: /var/{{item}}/nginx
|
|
||||||
state: directory
|
|
||||||
owner: http
|
|
||||||
group: http
|
|
||||||
recurse: true
|
|
||||||
with_items:
|
|
||||||
- lib
|
|
||||||
- log
|
|
||||||
|
|
||||||
- name: set the number of nginx worker processes
|
- name: set the number of nginx worker processes
|
||||||
lineinfile:
|
lineinfile:
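Review bot: `shell: /opt/openresty/bin/opm update` uses no shell features and has no `changed_when`, so it reports "changed" on every play and, more importantly, upgrades every installed OPM package from the network on every run, which is an unreviewed update path; `command:` is the safer module, and `changed_when: false` (or registering the output and matching it) keeps the play idempotent if the update is really meant to be routine. The hunk also deletes the "secure systemd settings for php-fpm" drop-in (User/Group, bounding set, PrivateTmp, NoNewPrivileges) without a replacement, while `After=php-fpm.service` in the patched unit and the `restart php-fpm.service` handler stay; if php-fpm is still deployed by another role, it now runs with the package defaults, so either move that drop-in or note why it is no longer needed.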
|
||||||
|
@ -107,7 +119,7 @@
|
||||||
regexp: '^#?\s*worker_processes\s'
|
regexp: '^#?\s*worker_processes\s'
|
||||||
line: "worker_processes auto;"
|
line: "worker_processes auto;"
|
||||||
notify:
|
notify:
|
||||||
- restart nginx.service
|
- restart openresty.service
|
||||||
|
|
||||||
- name: log to systemd-journal
|
- name: log to systemd-journal
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
@ -115,7 +127,7 @@
|
||||||
regexp: '^#?\s*error_log\s'
|
regexp: '^#?\s*error_log\s'
|
||||||
line: "error_log syslog:server=unix:/dev/log,nohostname {{nginx_loglevel}};"
|
line: "error_log syslog:server=unix:/dev/log,nohostname {{nginx_loglevel}};"
|
||||||
notify:
|
notify:
|
||||||
- restart nginx.service
|
- restart openresty.service
|
||||||
|
|
||||||
- name: create directories for custom nginx configuration
|
- name: create directories for custom nginx configuration
|
||||||
file:
|
file:
|
||||||
|
@ -136,7 +148,7 @@
|
||||||
line: include /etc/nginx/main.inc.d/*.inc;
|
line: include /etc/nginx/main.inc.d/*.inc;
|
||||||
insertbefore: BOF
|
insertbefore: BOF
|
||||||
notify:
|
notify:
|
||||||
- restart nginx.service
|
- restart openresty.service
|
||||||
|
|
||||||
- name: include custom nginx configuration
|
- name: include custom nginx configuration
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
@ -145,7 +157,7 @@
|
||||||
line: include /etc/nginx/conf.d/*.conf;
|
line: include /etc/nginx/conf.d/*.conf;
|
||||||
insertbefore: '^\s*#gzip\s'
|
insertbefore: '^\s*#gzip\s'
|
||||||
notify:
|
notify:
|
||||||
- restart nginx.service
|
- restart openresty.service
|
||||||
|
|
||||||
- name: set custom nginx configuration
|
- name: set custom nginx configuration
|
||||||
template:
|
template:
|
||||||
|
@ -155,7 +167,7 @@
|
||||||
group: http
|
group: http
|
||||||
mode: 0640
|
mode: 0640
|
||||||
notify:
|
notify:
|
||||||
- restart nginx.service
|
- restart openresty.service
|
||||||
|
|
||||||
- name: send included conf files
|
- name: send included conf files
|
||||||
template:
|
template:
|
||||||
|
@ -198,54 +210,33 @@
|
||||||
when:
|
when:
|
||||||
- test_srv.changed
|
- test_srv.changed
|
||||||
notify:
|
notify:
|
||||||
- restart nginx.service
|
- restart openresty.service
|
||||||
|
|
||||||
- name: set the php-fpm settings
|
- name: create web files locations
|
||||||
lineinfile:
|
file:
|
||||||
path: /etc/php/php-fpm.d/www.conf
|
path: "{{item}}"
|
||||||
regexp: '^;*{{item.key}}\s*='
|
state: directory
|
||||||
line: '{{item.key}} = {{item.value}}'
|
|
||||||
with_dict:
|
|
||||||
listen: /run/shared_sockets/php-fpm
|
|
||||||
pm: dynamic
|
|
||||||
'pm.max_children': '{{php_max_workers}}'
|
|
||||||
'pm.start_servers': 1
|
|
||||||
'pm.min_spare_servers': 1
|
|
||||||
'pm.max_spare_servers': '{{php_max_workers}}'
|
|
||||||
'pm.max_requests': '{{php_worker_max_reqs}}'
|
|
||||||
notify:
|
|
||||||
- restart php-fpm.service
|
|
||||||
|
|
||||||
- name: disable useless user/group specs
|
|
||||||
lineinfile:
|
|
||||||
path: /etc/php/php-fpm.d/www.conf
|
|
||||||
backrefs: true
|
|
||||||
regexp: '^({{item}}\s*=.*)'
|
|
||||||
line: ';\1'
|
|
||||||
with_items:
|
with_items:
|
||||||
- user
|
- /srv/http
|
||||||
- group
|
- /srv/webapps
|
||||||
- 'listen.group'
|
|
||||||
|
|
||||||
- name: set the PID file path for php-fpm
|
- name: enable openresty.service
|
||||||
lineinfile:
|
|
||||||
path: /etc/php/php-fpm.conf
|
|
||||||
regexp: '^;*pid\s*='
|
|
||||||
line: 'pid = /run/http/php-fpm.pid'
|
|
||||||
notify:
|
|
||||||
- restart php-fpm.service
|
|
||||||
|
|
||||||
- name: enable php-fpm.service
|
|
||||||
systemd:
|
systemd:
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
name: php-fpm.service
|
name: openresty.service
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|
||||||
- name: enable nginx.service
|
- name: HTML test-page in test environment
|
||||||
systemd:
|
copy:
|
||||||
daemon_reload: true
|
content: |
|
||||||
name: nginx.service
|
<!DOCTYPE html>
|
||||||
enabled: true
|
<html lang="en">
|
||||||
|
<head><title>TEST</title><meta charset="UTF-8"></head>
|
||||||
|
<body><h1>HTML served by Nginx</h1><p>It works!</p></body>
|
||||||
|
</html>
|
||||||
|
dest: /srv/http/index.html
|
||||||
|
mode: 0644
|
||||||
|
when: (env == 'dev')
|
||||||
|
|
||||||
### LOCAL COMMIT ⇒ ###
|
### LOCAL COMMIT ⇒ ###
|
||||||
- name: commit local changes
|
- name: commit local changes
|
||||||
|
|
|
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
# The home-server project produces a multi-purpose setup using Ansible.
|
||||||
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
||||||
|
# mandatory parameters: pkg_name
|
||||||
|
|
||||||
|
- name: OPM → check existence of {{pkg_name}}
|
||||||
|
shell: /opt/openresty/bin/opm list | grep -q '^{{pkg_name}}[[:blank:]]'
|
||||||
|
ignore_errors: true
|
||||||
|
changed_when: false
|
||||||
|
register: opm_check
|
||||||
|
|
||||||
|
- name: OPM → install {{pkg_name}}
|
||||||
|
command: /opt/openresty/bin/opm get {{pkg_name}}
|
||||||
|
when: opm_check is failed
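Review bot: `pkg_name` is interpolated unquoted and unescaped into both a shell pipeline and a grep regex, and `ignore_errors: true` makes a missing package show up as a red "failed…ignoring" on every run. Escape and quote it, and turn the non-zero exit into data instead of a failure: `shell: /opt/openresty/bin/opm list | grep -q -- '^{{ pkg_name | regex_escape }}[[:blank:]]'`, `failed_when: false`, then `when: opm_check.rc != 0`; the install line can likewise become `command: /opt/openresty/bin/opm get "{{pkg_name}}"`. `opm get` installs whatever version the registry serves at run time, so if opm's syntax allows pinning a version for the packages listed in the caller, that would make the role reproducible.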
|
|
@ -2,6 +2,11 @@
|
||||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
||||||
|
client_body_temp_path /var/tmp/client_body_temp;
|
||||||
|
proxy_temp_path /var/tmp/proxy_temp;
|
||||||
|
fastcgi_temp_path /var/tmp/fastcgi_temp;
|
||||||
|
uwsgi_temp_path /var/tmp/uwsgi_temp;
|
||||||
|
#scgi_temp_path /var/tmp/scgi_temp;
|
||||||
client_max_body_size {{http_max_upload}};
|
client_max_body_size {{http_max_upload}};
|
||||||
gzip on;
|
gzip on;
|
||||||
gzip_comp_level 6;
|
gzip_comp_level 6;
|
||||||
|
|
|
@ -9,8 +9,8 @@
|
||||||
name: prosody.service
|
name: prosody.service
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
- name: restart nginx.service
|
- name: restart openresty.service
|
||||||
systemd:
|
systemd:
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
name: nginx.service
|
name: openresty.service
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
|
@ -277,7 +277,7 @@
|
||||||
owner: http
|
owner: http
|
||||||
group: http
|
group: http
|
||||||
notify:
|
notify:
|
||||||
- restart nginx.service
|
- restart openresty.service
|
||||||
|
|
||||||
- name: enable prosody
|
- name: enable prosody
|
||||||
systemd:
|
systemd:
|
||||||
|
|
|
@ -3,8 +3,8 @@
|
||||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
||||||
- name: restart nginx.service
|
- name: restart openresty.service
|
||||||
systemd:
|
systemd:
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
name: nginx.service
|
name: openresty.service
|
||||||
state: restarted
|
state: restarted
|
|
@ -6,4 +6,4 @@
|
||||||
dependencies:
|
dependencies:
|
||||||
- role: cleanupdate
|
- role: cleanupdate
|
||||||
- role: ldap
|
- role: ldap
|
||||||
- role: ssowat
|
# - role: ssowat #FIXME
|
|
@ -34,9 +34,10 @@
|
||||||
Requires=nslcd.service
|
Requires=nslcd.service
|
||||||
After=nslcd.service
|
After=nslcd.service
|
||||||
[Service]
|
[Service]
|
||||||
|
{% if is_vpn_used is not defined %}
|
||||||
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT CAP_SYS_NICE
|
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT CAP_SYS_NICE
|
||||||
|
{% endif %}
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
PrivateTmp=yes
|
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
ProtectSystem=full
|
ProtectSystem=full
|
||||||
LimitNOFILE=4096
|
LimitNOFILE=4096
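Review bot: `PrivateTmp=yes` is removed from the transmission drop-in for both the VPN and non-VPN variants, and when `is_vpn_used` is defined the unit now gets no `CapabilityBoundingSet` at all; nothing in the hunk explains why either is necessary. If the reason is the root-run `ExecStart` added in the `zz-no-vpn.conf` override, a bounding set limited to what `setns()` and the `sudo` privilege drop need would still be better than none, and a template comment such as `# PrivateTmp dropped: <reason>` should record the trade-off.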
|
||||||
|
@ -44,6 +45,22 @@
|
||||||
dest: /etc/systemd/system/transmission.service.d/secure-{{nickname}}.conf
|
dest: /etc/systemd/system/transmission.service.d/secure-{{nickname}}.conf
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
|
- name: override network settings for transmission
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
[Unit]
|
||||||
|
Requires=no-vpn-network-namespace.service
|
||||||
|
After=no-vpn-network-namespace.service
|
||||||
|
[Service]
|
||||||
|
Type=exec
|
||||||
|
User=root
|
||||||
|
Group=root
|
||||||
|
ExecStart=
|
||||||
|
ExecStart=/usr/bin/ip netns exec no-vpn /usr/bin/sudo -g {{media_group}} -u transmission -H -n /usr/bin/transmission-daemon -f --log-level=error
|
||||||
|
dest: /etc/systemd/system/transmission.service.d/zz-no-vpn.conf
|
||||||
|
mode: 0644
|
||||||
|
when: (is_vpn_used is defined)
|
||||||
|
|
||||||
- name: ensure existence and mode of Transmission working directories
|
- name: ensure existence and mode of Transmission working directories
|
||||||
file:
|
file:
|
||||||
path: /var/lib/transmission{{item}}
|
path: /var/lib/transmission{{item}}
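Review bot: The `zz-no-vpn.conf` override runs the unit as `User=root` and only drops to `transmission` inside `ip netns exec … sudo -g … -u transmission`, so the service has full root until sudo runs and the hardening from `secure-{{nickname}}.conf` now applies to a root process. systemd's `NetworkNamespacePath=` (systemd ≥ 242) joins the namespace before `User=`/`Group=` are applied, so the daemon can stay unprivileged, keep its capability bounding set and lose the `sudo` hop; the sketch below assumes `no-vpn-network-namespace.service` creates the namespace with `ip netns add no-vpn`, which is where `/run/netns/no-vpn` comes from. `User=` stays inherited from the base unit and `Group={{media_group}}` mirrors the `-g {{media_group}}` the sudo call used.
```yaml
    content: |
      [Unit]
      Requires=no-vpn-network-namespace.service
      After=no-vpn-network-namespace.service
      [Service]
      NetworkNamespacePath=/run/netns/no-vpn
      Group={{media_group}}
      ExecStart=
      ExecStart=/usr/bin/transmission-daemon -f --log-level=error
    # … unchanged: dest, mode, when …
```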
|
||||||
|
@ -104,6 +121,18 @@
|
||||||
name: transmission.service
|
name: transmission.service
|
||||||
state: stopped
|
state: stopped
|
||||||
|
|
||||||
|
- name: store DMZ IP (direct)
|
||||||
|
set_fact:
|
||||||
|
no_vpn_front_IP: "{{DMZ_IP}}"
|
||||||
|
when:
|
||||||
|
- (is_vpn_used is not defined)
|
||||||
|
|
||||||
|
- name: store DMZ IP (avoid VPN)
|
||||||
|
set_fact:
|
||||||
|
no_vpn_front_IP: "{{vpn_avoiding_ip_cidr | replace('/.*', '')}}"
|
||||||
|
when:
|
||||||
|
- (is_vpn_used is defined)
|
||||||
|
|
||||||
- name: put a JSON terminator to avoid a trailing comma
|
- name: put a JSON terminator to avoid a trailing comma
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /var/lib/transmission/.config/transmission-daemon/settings.json
|
path: /var/lib/transmission/.config/transmission-daemon/settings.json
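Review bot: `vpn_avoiding_ip_cidr | replace('/.*', '')` is Jinja's literal string replace, not a regex, so it only strips the exact text `/.*` and `no_vpn_front_IP` keeps the prefix length; `bind-address-ipv4` in settings.json then receives something like `"10.0.0.5/24"` (constructed example), which transmission will not bind. Use `no_vpn_front_IP: "{{ vpn_avoiding_ip_cidr | regex_replace('/.*$', '') }}"`.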
|
||||||
|
@ -118,7 +147,7 @@
|
||||||
line: ' "{{item.key}}": {{item.value}},'
|
line: ' "{{item.key}}": {{item.value}},'
|
||||||
insertbefore: '"zzz"'
|
insertbefore: '"zzz"'
|
||||||
with_dict:
|
with_dict:
|
||||||
speed-limit-up: '50'
|
speed-limit-up: '500'
|
||||||
speed-limit-up-enabled: 'true'
|
speed-limit-up-enabled: 'true'
|
||||||
download-dir: '"/var/lib/transmission/Done"'
|
download-dir: '"/var/lib/transmission/Done"'
|
||||||
incomplete-dir: '"/var/lib/transmission/Doing"'
|
incomplete-dir: '"/var/lib/transmission/Doing"'
|
||||||
|
@ -130,13 +159,14 @@
|
||||||
watch-dir-enabled: 'true'
|
watch-dir-enabled: 'true'
|
||||||
encryption: '2'
|
encryption: '2'
|
||||||
message-level: '1'
|
message-level: '1'
|
||||||
bind-address-ipv4: '"{{DMZ_IP}}"'
|
bind-address-ipv4: '"{{no_vpn_front_IP}}"'
|
||||||
peer-port: '{{transmission_bt_port}}'
|
peer-port: '{{transmission_bt_port}}'
|
||||||
peer-port-random-on-start: 'false'
|
peer-port-random-on-start: 'false'
|
||||||
port-forwarding-enabled: 'false'
|
port-forwarding-enabled: '{{is_vpn_used is defined}}'
|
||||||
queue-stalled-minutes: '5'
|
queue-stalled-minutes: '5'
|
||||||
rpc-authentication-required: 'false'
|
rpc-authentication-required: 'false'
|
||||||
rpc-bind-address: '"127.0.0.1"'
|
rpc-bind-address: '"unix:/run/shared_sockets/transmission-rpc.sock"'
|
||||||
|
rpc-socket-mode: '"0777"'
|
||||||
rpc-port: '{{transmission_rpc_port}}'
|
rpc-port: '{{transmission_rpc_port}}'
|
||||||
rpc-url: '"{{http_pfx_transmission}}/"'
|
rpc-url: '"{{http_pfx_transmission}}/"'
|
||||||
rpc-whitelist-enabled: 'false'
|
rpc-whitelist-enabled: 'false'
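Review bot: `port-forwarding-enabled: '{{is_vpn_used is defined}}'` renders as Python `True`/`False`, which is not a JSON literal, while every neighbouring boolean in this dict is lowercase; use `'{{ (is_vpn_used is defined) | lower }}'`. Separately, `rpc-socket-mode: '"0777"'` together with `rpc-authentication-required: 'false'` and `rpc-whitelist-enabled: 'false'` means any local account or service can connect to the RPC socket and control the daemon, whereas the old `127.0.0.1` bind at least limited it to the host; `'"0660"'` with the socket's group shared with the `http` user (the daemon's group is set via `-g {{media_group}}` in the override, so adding `http` to that group, if acceptable, keeps the nginx proxy working) closes that.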
|
||||||
|
@ -151,13 +181,13 @@
|
||||||
copy:
|
copy:
|
||||||
content: |
|
content: |
|
||||||
location {{http_pfx_transmission}}/web {
|
location {{http_pfx_transmission}}/web {
|
||||||
alias /usr/share/transmission/web;
|
alias /usr/share/transmission/public_html;
|
||||||
}
|
}
|
||||||
location ~ ^{{http_pfx_transmission}}/?$ {
|
location ~ ^{{http_pfx_transmission}}/?$ {
|
||||||
return 307 https://{{net_soa}}{{http_pfx_transmission}}/web/;
|
return 307 https://{{net_soa}}{{http_pfx_transmission}}/web/;
|
||||||
}
|
}
|
||||||
location ~ ^{{http_pfx_transmission}}.*$(?<!\.css|\.js)$ {
|
location ~ ^{{http_pfx_transmission}}.*$(?<!\.css|\.js)$ {
|
||||||
proxy_pass http://127.0.0.1:{{transmission_rpc_port}};
|
proxy_pass http://unix:/run/shared_sockets/transmission-rpc.sock;
|
||||||
proxy_pass_header X-Transmission-Session-Id;
|
proxy_pass_header X-Transmission-Session-Id;
|
||||||
proxy_hide_header ETag;
|
proxy_hide_header ETag;
|
||||||
proxy_hide_header Cache-Control;
|
proxy_hide_header Cache-Control;
|
||||||
|
@ -168,7 +198,7 @@
|
||||||
owner: http
|
owner: http
|
||||||
group: http
|
group: http
|
||||||
notify:
|
notify:
|
||||||
- restart nginx.service
|
- restart openresty.service
|
||||||
|
|
||||||
- name: enable transmission.service
|
- name: enable transmission.service
|
||||||
systemd:
|
systemd:
|
||||||
|
@ -176,6 +206,20 @@
|
||||||
name: transmission.service
|
name: transmission.service
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|
||||||
|
- name: configure SSO
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
{ "patterns": [{
|
||||||
|
"lua_regex": ["^{{http_pfx_transmission}}"],
|
||||||
|
"allow": ["me"],
|
||||||
|
"portal": {"{{http_pfx_transmission}}": "BitTorrent"}
|
||||||
|
}]
|
||||||
|
}
|
||||||
|
dest: /etc/nginx/ssso/sites/transm.json
|
||||||
|
when: (is_sso_used is defined)
|
||||||
|
notify:
|
||||||
|
- restart openresty.service
|
||||||
|
|
||||||
### LOCAL COMMIT ⇒ ###
|
### LOCAL COMMIT ⇒ ###
|
||||||
- name: commit local changes
|
- name: commit local changes
|
||||||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
|
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
|
|
@ -3,8 +3,8 @@
|
||||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
||||||
- name: restart nginx.service
|
- name: restart openresty.service
|
||||||
systemd:
|
systemd:
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
name: nginx.service
|
name: openresty.service
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
|
@ -88,7 +88,7 @@
|
||||||
owner: http
|
owner: http
|
||||||
group: http
|
group: http
|
||||||
notify:
|
notify:
|
||||||
- restart nginx.service
|
- restart openresty.service
|
||||||
|
|
||||||
### LOCAL COMMIT ⇒ ###
|
### LOCAL COMMIT ⇒ ###
|
||||||
- name: commit local changes
|
- name: commit local changes
|
||||||
|
|
|
@ -24,7 +24,7 @@
|
||||||
|
|
||||||
- name: send a remote-exec script to the host
|
- name: send a remote-exec script to the host
|
||||||
template:
|
template:
|
||||||
src: templates/DMZ.j2
|
src: templates/DMZ.{{env}}.j2
|
||||||
dest: "/usr/local/bin/{{DMZ}}"
|
dest: "/usr/local/bin/{{DMZ}}"
|
||||||
mode: 0755
|
mode: 0755
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,11 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
# $1: bash script; $2…: arguments (bash -c "…script…" 'bash' …arguments…)
|
||||||
|
#
|
||||||
|
# The home-server project produces a multi-purpose setup using Ansible.
|
||||||
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
||||||
|
cmd="$(printf "%q" "$1")"; shift
|
||||||
|
args=()
|
||||||
|
while [ $# -gt 0 ]; do args+=("$(printf "%q" "$1")"); shift; done
|
||||||
|
exec ssh -i ~/.ssh/id-chroot -o StrictHostKeyChecking=no -p 20022 -T 10.0.2.2 bash -c "$cmd" bash "${args[@]}"
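Review bot: `-o StrictHostKeyChecking=no` accepts any host key for 10.0.2.2, including a changed one, so the dev remote-exec path has no host authentication at all; `-o StrictHostKeyChecking=accept-new` (OpenSSH ≥ 7.6) records the key on first contact and refuses a later change, which is the behaviour wanted for a throwaway VM as well. The script also runs without `set -euo pipefail`, so a failing `printf %q` or an empty `$1` silently produces an empty command. The `%q` escaping of `cmd` and `args` is correct for ssh's argument re-joining and does not need changing.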
|
|
@ -1,4 +1,4 @@
|
||||||
#!/bin/bash
|
#!/usr/bin/env bash
|
||||||
# $1: bash script; $2…: arguments (bash -c "…script…" 'bash' …arguments…)
|
# $1: bash script; $2…: arguments (bash -c "…script…" 'bash' …arguments…)
|
||||||
#
|
#
|
||||||
# The home-server project produces a multi-purpose setup using Ansible.
|
# The home-server project produces a multi-purpose setup using Ansible.
|
||||||
|
@ -7,4 +7,4 @@
|
||||||
|
|
||||||
cmd="$1"; shift
|
cmd="$1"; shift
|
||||||
nsenter -t $(machinectl status {{DMZ}} | awk '$1=="Leader:"{print $2;exit}') \
|
nsenter -t $(machinectl status {{DMZ}} | awk '$1=="Leader:"{print $2;exit}') \
|
||||||
-a -F /usr/bin/bash -c "$cmd" bash "$@"
|
-a -F /usr/usr/bin/env bash -c "$cmd" bash "$@"
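Review bot: `/usr/usr/bin/env bash` is not a path that exists — the `/bin/bash` → `/usr/bin/env bash` substitution was applied to a path already under `/usr/`, so `nsenter` fails with "No such file or directory" and the production remote-exec script is broken. The same mistake is in the lxdm `ExecStopPost=` line in the later hunk, where systemd additionally requires an absolute executable, so `lxdm.socket` is never restarted after a stop. Fix both to `/usr/bin/env bash` (or simply keep `/usr/bin/bash`, which a unit file or a `-F` nsenter call has no reason to look up via env): `-a -F /usr/bin/env bash -c "$cmd" bash "$@"`. While here, quote the substitution: `nsenter -t "$(machinectl status {{DMZ}} | awk '$1=="Leader:"{print $2;exit}')" \`.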
|
|
@ -1,4 +1,4 @@
|
||||||
#!/bin/bash
|
#!/usr/bin/env bash
|
||||||
# The home-server project produces a multi-purpose setup using Ansible.
|
# The home-server project produces a multi-purpose setup using Ansible.
|
||||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
#!/bin/bash
|
#!/usr/bin/env bash
|
||||||
# The home-server project produces a multi-purpose setup using Ansible.
|
# The home-server project produces a multi-purpose setup using Ansible.
|
||||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
#!/bin/bash
|
#!/usr/bin/env bash
|
||||||
# The home-server project produces a multi-purpose setup using Ansible.
|
# The home-server project produces a multi-purpose setup using Ansible.
|
||||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
#!/bin/bash
|
#!/usr/bin/env bash
|
||||||
# The home-server project produces a multi-purpose setup using Ansible.
|
# The home-server project produces a multi-purpose setup using Ansible.
|
||||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
|
@ -154,7 +154,7 @@
|
||||||
ProtectSystem=full
|
ProtectSystem=full
|
||||||
ReadWriteDirectories={{kodi_data}}
|
ReadWriteDirectories={{kodi_data}}
|
||||||
# the client has 10 seconds to stop sending network packets to the socket
|
# the client has 10 seconds to stop sending network packets to the socket
|
||||||
ExecStopPost=/usr/bin/bash -c "/usr/bin/sleep 10s; exec /usr/bin/systemctl --no-block start lxdm.socket"
|
ExecStopPost=/usr/usr/bin/env bash -c "/usr/bin/sleep 10s; exec /usr/bin/systemctl --no-block start lxdm.socket"
|
||||||
Restart=no
|
Restart=no
|
||||||
dest: /etc/systemd/system/lxdm.service.d/{{nickname}}.conf
|
dest: /etc/systemd/system/lxdm.service.d/{{nickname}}.conf
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
#!/bin/bash
|
#!/usr/bin/env bash
|
||||||
# $1: camera
|
# $1: camera
|
||||||
# $2: event number
|
# $2: event number
|
||||||
# $3: ISO date
|
# $3: ISO date
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
#!/bin/bash
|
#!/usr/bin/env bash
|
||||||
# $1: file to upload
|
# $1: file to upload
|
||||||
|
|
||||||
BASE_URL=https://www.mediafire.com/api
|
BASE_URL=https://www.mediafire.com/api
|
||||||
|
|
|
@ -5,6 +5,23 @@
|
||||||
|
|
||||||
flush ruleset
|
flush ruleset
|
||||||
|
|
||||||
|
table arp RateLimiter {
|
||||||
|
chain ArpIn {
|
||||||
|
type filter hook input priority 0
|
||||||
|
policy accept
|
||||||
|
{% if is_vpn_used is defined %}
|
||||||
|
meta iif tun0 limit rate 2/second burst 10 packets accept
|
||||||
|
{% else %}
|
||||||
|
meta iif host0 limit rate 2/second burst 10 packets accept
|
||||||
|
{% endif %}
|
||||||
|
}
|
||||||
|
|
||||||
|
chain ArpOut {
|
||||||
|
type filter hook output priority 0
|
||||||
|
policy accept
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
{% for V in ['4', '6'] %}
|
{% for V in ['4', '6'] %}
|
||||||
{% set v = V | replace('4', '') %}
|
{% set v = V | replace('4', '') %}
|
||||||
{% macro trust(list) %}
|
{% macro trust(list) %}
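Review bot: `chain ArpIn` has `policy accept`, so ARP frames exceeding `limit rate 2/second burst 10 packets` fall past the `accept` rule and are accepted by the chain policy anyway — the limiter is a no-op as written. Add a terminal drop after the limit rule, `meta iif host0 drop` (and the same for the `tun0` branch), or set `policy drop` with the limit rule as the only accept. Also, `meta iif tun0` resolves the interface index when the ruleset is loaded, and a tun device usually does not exist yet when nftables starts at boot, which makes the entire ruleset load fail; the iodine rule lower in this file already uses `meta iifname dns0` for that reason, so use `iifname` here too.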
|
||||||
|
@ -115,22 +132,30 @@ table ip{{v}} Inet{{V}} {
|
||||||
type filter hook input priority 0
|
type filter hook input priority 0
|
||||||
policy drop
|
policy drop
|
||||||
|
|
||||||
# allow established/related connections
|
|
||||||
ct state {established, related} accept
|
|
||||||
|
|
||||||
# early drop of invalid connections
|
# early drop of invalid connections
|
||||||
ct state invalid drop
|
ct state invalid drop
|
||||||
|
|
||||||
# allow from loopback
|
|
||||||
meta iif lo accept
|
|
||||||
|
|
||||||
# allow icmp
|
# allow icmp
|
||||||
{% if V == '4' %}
|
{% if V == '4' %}
|
||||||
ip protocol icmp accept
|
icmp type { echo-reply, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
|
||||||
|
icmp type { source-quench, redirect, info-request, info-reply, address-mask-request, address-mask-reply } drop
|
||||||
|
meta l4proto icmp limit rate 2/second burst 4 packets accept
|
||||||
{% else %}
|
{% else %}
|
||||||
ip6 nexthdr icmpv6 accept
|
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
|
||||||
|
meta l4proto ipv6-icmp limit rate 2/second burst 4 packets accept
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
# allow established/related connections
|
||||||
|
ct state {established, related} accept
|
||||||
|
|
||||||
|
# allow from loopback
|
||||||
|
{% if V == '4' %}
|
||||||
|
meta iif lo ip saddr != 127.0.0.0/8 drop
|
||||||
|
{% else %}
|
||||||
|
meta iif lo ip6 saddr != ::1/128 drop
|
||||||
|
{% endif %}
|
||||||
|
meta iif lo accept
|
||||||
|
|
||||||
# allow iodine
|
# allow iodine
|
||||||
meta iifname dns0 accept
|
meta iifname dns0 accept
|
||||||
|
|
||||||
|
@ -181,7 +206,7 @@ table ip{{v}} Inet{{V}} {
|
||||||
{% call(net) trust(net_trusted_ranges) %}
|
{% call(net) trust(net_trusted_ranges) %}
|
||||||
udp dport 5353 ip{{v}} saddr {{net}} accept
|
udp dport 5353 ip{{v}} saddr {{net}} accept
|
||||||
{% endcall %}
|
{% endcall %}
|
||||||
|
|
||||||
# remote-help ssh
|
# remote-help ssh
|
||||||
tcp dport 22000 accept
|
tcp dport 22000 accept
|
||||||
{% call(net) trust(net_trusted_ranges) %}
|
{% call(net) trust(net_trusted_ranges) %}
|
||||||
|
@ -196,6 +221,14 @@ table ip{{v}} Inet{{V}} {
|
||||||
chain FilterOut {
|
chain FilterOut {
|
||||||
type filter hook output priority 0
|
type filter hook output priority 0
|
||||||
policy drop
|
policy drop
|
||||||
|
{% if V == '4' %}
|
||||||
|
icmp type { echo-reply, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
|
||||||
|
icmp type { source-quench, redirect, info-request, info-reply, address-mask-request, address-mask-reply } drop
|
||||||
|
meta l4proto icmp limit rate 2/second burst 4 packets accept
|
||||||
|
{% else %}
|
||||||
|
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept
|
||||||
|
meta l4proto ipv6-icmp limit rate 2/second burst 4 packets accept
|
||||||
|
{% endif %}
|
||||||
ct state {established, related} accept
|
ct state {established, related} accept
|
||||||
meta oif lo accept
|
meta oif lo accept
|
||||||
{% call(net) trust(SafeZone_IP + ' ' + dns_hosts + ' ' + allowed_domains_ip + ' ' + ntp_hosts) %}
|
{% call(net) trust(SafeZone_IP + ' ' + dns_hosts + ' ' + allowed_domains_ip + ' ' + ntp_hosts) %}
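Review bot: The new loopback rules in FilterIn are inverted: `meta iif lo ip saddr != 127.0.0.0/8 drop` (and its `::1/128` twin) drops the host's own traffic to its non-loopback addresses, because locally delivered packets to any local address arrive on `lo` carrying the real source address, while a packet spoofed from 127/8 that arrives on a physical interface is untouched and is still accepted by an unconditional rule such as `tcp dport 22000 accept` further down. The anti-spoofing form is `meta iif != lo ip saddr 127.0.0.0/8 drop` and `meta iif != lo ip6 saddr ::1/128 drop`, followed by the plain `meta iif lo accept`. Separately, the new `table arp RateLimiter` has `policy accept` and only an accepting `limit rate` rule, so over-limit packets fall through to the policy and nothing is limited; `limit rate over 2/second burst 10 packets drop` is the form that limits, and since ARP never traverses a layer-3 `tun0` device the VPN branch leaves the real NIC unlimited anyway. The chain definitions continue outside the hunks shown.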
|
||||||
|
|
|
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
# The home-server project produces a multi-purpose setup using Ansible.
|
||||||
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
||||||
|
- name: restart openvpn-client.service
|
||||||
|
systemd:
|
||||||
|
daemon_reload: true
|
||||||
|
name: openvpn-client@{{vpn_name}}.service
|
||||||
|
state: restarted
|
||||||
|
|
||||||
|
- name: restart no-vpn network namespace
|
||||||
|
systemd:
|
||||||
|
daemon_reload: true
|
||||||
|
name: no-vpn-network-namespace.service
|
||||||
|
state: restarted
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
# The home-server project produces a multi-purpose setup using Ansible.
|
||||||
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
||||||
|
dependencies:
|
||||||
|
- role: cleanupdate
|
|
@ -0,0 +1,195 @@
|
||||||
|
---
|
||||||
|
# The home-server project produces a multi-purpose setup using Ansible.
|
||||||
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
||||||
|
### UPSTREAM BEGIN ⇒ ###
|
||||||
|
- name: pull prerequisites from upstream
|
||||||
|
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=upstream.yml
|
||||||
|
vars:
|
||||||
|
msg: OpenVPN
|
||||||
|
### ⇐ UPSTREAM BEGIN ###
|
||||||
|
|
||||||
|
- name: install software
|
||||||
|
package:
|
||||||
|
name: {{item}}
|
||||||
|
with_items:
|
||||||
|
- iproute2
|
||||||
|
- openvpn
|
||||||
|
# jq is needed by no-VPN network-namespace script
|
||||||
|
- jq
|
||||||
|
|
||||||
|
### UPSTREAM END ⇒ ###
|
||||||
|
- name: merge upstream
|
||||||
|
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
|
||||||
|
vars:
|
||||||
|
msg: OpenVPN
|
||||||
|
### ⇐ UPSTREAM END ###
|
||||||
|
|
||||||
|
- name: VPN configuration
|
||||||
|
template:
|
||||||
|
src: templates/vpn.conf.j2
|
||||||
|
dest: /etc/openvpn/client/{{vpn_name}}.conf
|
||||||
|
owner: openvpn
|
||||||
|
group: network
|
||||||
|
mode: 0600
|
||||||
|
notify:
|
||||||
|
- restart openvpn-client.service
|
||||||
|
|
||||||
|
- name: VPN TLS auth key
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
{{vpn_tls_auth_key}}
|
||||||
|
dest: /etc/openvpn/client/{{vpn_name}}-ta.key
|
||||||
|
owner: openvpn
|
||||||
|
group: network
|
||||||
|
mode: 0600
|
||||||
|
notify:
|
||||||
|
- restart openvpn-client.service
|
||||||
|
|
||||||
|
- name: VPN credentials
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
{{vpn_login}}
|
||||||
|
{{vpn_password}}
|
||||||
|
dest: /etc/openvpn/client/{{vpn_name}}.userpass
|
||||||
|
owner: openvpn
|
||||||
|
group: network
|
||||||
|
mode: 0400
|
||||||
|
notify:
|
||||||
|
- restart openvpn-client.service
|
||||||
|
|
||||||
|
- name: prepare to override OpenVPN security
|
||||||
|
file:
|
||||||
|
path: /etc/systemd/system/openvpn-client@{{vpn_name}}.service.d
|
||||||
|
state: directory
|
||||||
|
mode: 0755
|
||||||
|
notify:
|
||||||
|
- restart openvpn-client.service
|
||||||
|
|
||||||
|
- name: override OpenVPN security with systemd
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
[Service]
|
||||||
|
ExecStart=
|
||||||
|
ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config %i.conf --auth-user-pass /etc/openvpn/client/%i.userpass
|
||||||
|
dest: /etc/systemd/system/openvpn-client@{{vpn_name}}.service.d/auth-user-pass.conf
|
||||||
|
mode: 0644
|
||||||
|
notify:
|
||||||
|
- restart openvpn-client.service
|
||||||
|
|
||||||
|
- name: store DMZ IP (front)
|
||||||
|
set_fact:
|
||||||
|
current_IP: "{{DMZ_IP}}"
|
||||||
|
when:
|
||||||
|
- (inventory_hostname in groups['front'])
|
||||||
|
|
||||||
|
- name: store SafeZone IP (back)
|
||||||
|
set_fact:
|
||||||
|
current_IP: "{{SafeZone_IP}}"
|
||||||
|
when:
|
||||||
|
- (inventory_hostname in groups['back'])
|
||||||
|
|
||||||
|
- name: creation script for no-VPN network namespace
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
#!/bin/bash
|
||||||
|
# https://www.baeldung.com/linux/different-network-interfaces-processes
|
||||||
|
set -e
|
||||||
|
|
||||||
|
# find network settings associated with known IP address
|
||||||
|
host_if=$(ip -j -4 address | jq -r '.[] | select(any(.addr_info[]; .local == "{{current_IP}}")) | .ifname')
|
||||||
|
gateway=$(ip -j -4 route | jq -r '.[] | select(.dst == "default") | .gateway')
|
||||||
|
|
||||||
|
# create namespace if it does not exist
|
||||||
|
if ! ip netns list | grep -Fxq no-vpn; then
|
||||||
|
ip netns add no-vpn
|
||||||
|
fi
|
||||||
|
|
||||||
|
# configure namespace if not done
|
||||||
|
# $1: interface name; $2: CIDR
|
||||||
|
function setup() {
|
||||||
|
if ! ip -n no-vpn link show up dev $1 | grep -q .; then
|
||||||
|
ip -n no-vpn link set $1 up
|
||||||
|
fi
|
||||||
|
if [ -z "$(ip -n no-vpn -4 address show dev $1)" ]; then
|
||||||
|
ip -n no-vpn address add $2 dev $1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
if ! ip -n no-vpn link show dev if_isp &>/dev/null; then
|
||||||
|
ip link add link $host_if if_isp netns no-vpn type ipvlan mode l2
|
||||||
|
fi
|
||||||
|
setup if_isp {{vpn_avoiding_ip_cidr}}
|
||||||
|
setup lo 127.0.0.1/8
|
||||||
|
|
||||||
|
# set gateway if not set
|
||||||
|
if ! ip -n no-vpn -4 route | grep -q ^default; then
|
||||||
|
ip -n no-vpn route add default via $gateway dev if_isp
|
||||||
|
fi
|
||||||
|
dest: /usr/local/bin/create-no-vpn-namespace.sh
|
||||||
|
mode: 0700
|
||||||
|
notify:
|
||||||
|
- restart no-vpn network namespace
|
||||||
|
|
||||||
|
- name: removal script for no-VPN network namespace
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
#!/bin/sh
|
||||||
|
ip netns delete no-vpn
|
||||||
|
dest: /usr/local/bin/delete-no-vpn-namespace.sh
|
||||||
|
mode: 0700
|
||||||
|
notify:
|
||||||
|
- restart no-vpn network namespace
|
||||||
|
|
||||||
|
- name: no-VPN network namespace firewall
|
||||||
|
template:
|
||||||
|
src: templates/nftables.conf.j2
|
||||||
|
dest: /etc/netns/no-vpn/nftables.conf
|
||||||
|
mode: 0600
|
||||||
|
notify:
|
||||||
|
- restart no-vpn network namespace
|
||||||
|
|
||||||
|
# https://github.com/mqus/nft-rules/blob/master/files/SSDP_client.md
|
||||||
|
- name: systemctl service for no-VPN network namespace
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
[Unit]
|
||||||
|
Description=No-VPN network namespace
|
||||||
|
After=network-online.target openvpn.service
|
||||||
|
Wants=network-online.target openvpn.service
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
RemainAfterExit=true
|
||||||
|
ExecStart=/usr/local/bin/create-no-vpn-namespace.sh
|
||||||
|
ExecStartPost=/usr/bin/ip netns exec no-vpn /usr/bin/nft -f /etc/nftables.conf
|
||||||
|
ExecStop=/usr/local/bin/delete-no-vpn-namespace.sh
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
dest: /etc/systemd/system/no-vpn-network-namespace.service
|
||||||
|
mode: 0644
|
||||||
|
notify:
|
||||||
|
- restart no-vpn network namespace
|
||||||
|
|
||||||
|
- name: enable service for no-VPN network namespace
|
||||||
|
systemd:
|
||||||
|
daemon_reload: true
|
||||||
|
name: no-vpn-network-namespace.service
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
- name: enable OpenVPN client service
|
||||||
|
systemd:
|
||||||
|
daemon_reload: true
|
||||||
|
name: openvpn-client@{{vpn_name}}.service
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
- name: register the fact that a VPN is enabled
|
||||||
|
set_fact:
|
||||||
|
is_vpn_used: true
|
||||||
|
|
||||||
|
### LOCAL COMMIT ⇒ ###
|
||||||
|
- name: commit local changes
|
||||||
|
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
|
||||||
|
vars:
|
||||||
|
msg: OpenVPN
|
||||||
|
### ⇐ LOCAL COMMIT ###
|
||||||
|
- meta: flush_handlers
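Review bot: `name: {{item}}` in the "install software" task is unquoted, so YAML parses the value as a flow mapping and the play fails before anything is installed; it should be `name: "{{item}}"` as the other roles in this commit write it. The tasks that write `{{vpn_tls_auth_key}}`, `{{vpn_login}}` and `{{vpn_password}}` through `copy: content:` should carry `no_log: true`, otherwise the secret material is printed in `--diff`/verbose output and any callback log. The no-VPN namespace unit orders itself with `After=`/`Wants=network-online.target openvpn.service`, but the unit this role enables is `openvpn-client@{{vpn_name}}.service`, so the dependency points at a name that is never created; it should reference the templated instance. Finally, the embedded create script leaves `$1`, `$2`, `$host_if` and `$gateway` unquoted and takes every `.gateway` matching `dst == "default"`, which can expand to several lines once more than one default route exists — worth a quoting pass and a `first` on the jq selection.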
|
|
@ -0,0 +1,105 @@
|
||||||
|
#!/usr/bin/env nft -f
|
||||||
|
# The home-server project produces a multi-purpose setup using Ansible.
|
||||||
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
||||||
|
flush ruleset
|
||||||
|
|
||||||
|
|
||||||
|
table arp RateLimiter {
|
||||||
|
chain ArpIn {
|
||||||
|
type filter hook input priority 0
|
||||||
|
policy accept
|
||||||
|
meta iif if_isp limit rate 2/second burst 10 packets accept
|
||||||
|
}
|
||||||
|
|
||||||
|
chain ArpOut {
|
||||||
|
type filter hook output priority 0
|
||||||
|
policy accept
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
{% for V in ['4', '6'] %}
|
||||||
|
{% set v = V | replace('4', '') %}
|
||||||
|
{% macro trust(list) %}
|
||||||
|
{% for net in list.split(' ') %}
|
||||||
|
{% if not net is match('127(?:\.\d{1,3}){3}(?:/\d+)?|::1|^$') %}
|
||||||
|
{% if (net is match('\d{1,3}(?:\.\d{1,3}){3}(?:/\d+)?')
|
||||||
|
and V == '4') or (net is search(':') and V == '6') %}
|
||||||
|
{{caller(net)}}
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
{% endmacro %}
|
||||||
|
|
||||||
|
table ip{{v}} Inet{{V}} {
|
||||||
|
set ssdp_out {
|
||||||
|
type inet_service
|
||||||
|
timeout 5s
|
||||||
|
}
|
||||||
|
|
||||||
|
chain FilterIn {
|
||||||
|
type filter hook input priority 0
|
||||||
|
policy drop
|
||||||
|
|
||||||
|
# early drop of invalid connections
|
||||||
|
ct state invalid drop
|
||||||
|
|
||||||
|
# allow icmp
|
||||||
|
{% if V == '4' %}
|
||||||
|
icmp type { echo-reply, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
|
||||||
|
icmp type { source-quench, redirect, info-request, info-reply, address-mask-request, address-mask-reply } drop
|
||||||
|
meta l4proto icmp limit rate 2/second burst 4 packets accept
|
||||||
|
{% else %}
|
||||||
|
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
|
||||||
|
meta l4proto ipv6-icmp limit rate 2/second burst 4 packets accept
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
# allow established/related connections
|
||||||
|
ct state {established, related} accept
|
||||||
|
|
||||||
|
# allow from loopback
|
||||||
|
{% if V == '4' %}
|
||||||
|
meta iif lo ip saddr != 127.0.0.0/8 drop
|
||||||
|
{% else %}
|
||||||
|
meta iif lo ip6 saddr != ::1/128 drop
|
||||||
|
{% endif %}
|
||||||
|
meta iif lo accept
|
||||||
|
|
||||||
|
# allow ssdp replies
|
||||||
|
udp dport @ssdp_out accept
|
||||||
|
|
||||||
|
# zeroconf
|
||||||
|
{% call(net) trust(net_trusted_ranges) %}
|
||||||
|
udp dport 5353 ip{{v}} saddr {{net}} accept
|
||||||
|
{% endcall %}
|
||||||
|
|
||||||
|
# transmission
|
||||||
|
tcp dport {{transmission_bt_port}} accept
|
||||||
|
udp dport {{transmission_bt_port}} accept
|
||||||
|
}
|
||||||
|
|
||||||
|
chain FilterOut {
|
||||||
|
type filter hook output priority 0
|
||||||
|
policy drop
|
||||||
|
{% if V == '4' %}
|
||||||
|
icmp type { echo-reply, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
|
||||||
|
icmp type { source-quench, redirect, info-request, info-reply, address-mask-request, address-mask-reply } drop
|
||||||
|
meta l4proto icmp limit rate 2/second burst 4 packets accept
|
||||||
|
{% else %}
|
||||||
|
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept
|
||||||
|
meta l4proto ipv6-icmp limit rate 2/second burst 4 packets accept
|
||||||
|
{% endif %}
|
||||||
|
ct state {established, related} accept
|
||||||
|
meta oif lo accept
|
||||||
|
meta oif if_isp udp dport 1900 set add udp sport @ssdp_out accept
|
||||||
|
{% call(net) trust(SafeZone_IP + ' ' + dns_hosts + ' ' + allowed_domains_ip + ' ' + ntp_hosts) %}
|
||||||
|
ip{{v}} daddr {{net}} accept
|
||||||
|
{% endcall %}
|
||||||
|
meta skuid transmission tcp dport 443 accept
|
||||||
|
meta skuid transmission udp dport 443 accept
|
||||||
|
meta skuid transmission tcp dport > 1024 accept
|
||||||
|
meta skuid transmission udp dport > 1024 accept
|
||||||
|
}
|
||||||
|
}
|
||||||
|
{% endfor %}
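Review bot: The loopback rules in this template's FilterIn are inverted: `meta iif lo ip saddr != 127.0.0.0/8 drop` drops the namespace's own connections to its `if_isp` address (local delivery goes over `lo` with the real source address) while doing nothing against 127/8-sourced packets arriving on `if_isp`. The anti-spoofing form is `meta iif != lo ip saddr 127.0.0.0/8 drop` and `meta iif != lo ip6 saddr ::1/128 drop`, placed before the plain `meta iif lo accept`. The `table arp RateLimiter` here likewise pairs `policy accept` with only an accepting `limit rate` rule, so over-limit ARP falls through to accept; `meta iif if_isp limit rate over 2/second burst 10 packets drop` is what actually limits.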
|
|
@ -0,0 +1,104 @@
|
||||||
|
# Specify that we are a client and that we will be pulling certain config file
|
||||||
|
# directives from the server.
|
||||||
|
client
|
||||||
|
|
||||||
|
# Use the same setting as you are using on the server.
|
||||||
|
# On most systems, the VPN will not function unless you partially or fully
|
||||||
|
# disable the firewall for the TUN/TAP interface.
|
||||||
|
dev {{vpn_interface_type}}
|
||||||
|
|
||||||
|
# Are we connecting to a TCP or UDP server?
|
||||||
|
# Use the same setting as on the server.
|
||||||
|
proto {{vpn_protocol}}
|
||||||
|
port {{vpn_server_port}}
|
||||||
|
|
||||||
|
# The hostname/IP and port of the server.
|
||||||
|
# You can have multiple remote entries to load balance between the servers.
|
||||||
|
remote {{vpn_server_host}} {{vpn_server_port}}
|
||||||
|
|
||||||
|
# Choose a random host from the remote list for load-balancing.
|
||||||
|
# Otherwise try hosts in the order specified.
|
||||||
|
remote-random
|
||||||
|
|
||||||
|
# Keep trying indefinitely to resolve the host name of the OpenVPN server.
|
||||||
|
# Very useful on machines which are not permanently connected to the internet
|
||||||
|
# such as laptops.
|
||||||
|
resolv-retry infinite
|
||||||
|
route-delay 2
|
||||||
|
|
||||||
|
# Use the VPN as the default network connection
|
||||||
|
redirect-gateway def1 bypass-dhcp # IPv4
|
||||||
|
route-ipv6 2000::/3 # IPv6
|
||||||
|
|
||||||
|
# Most clients don't need to bind to a specific local port number.
|
||||||
|
nobind
|
||||||
|
|
||||||
|
# Downgrade privileges after initialization.
|
||||||
|
;user openvpn
|
||||||
|
;group openvpn
|
||||||
|
|
||||||
|
# Try to preserve some state across restarts.
|
||||||
|
persist-key
|
||||||
|
persist-tun
|
||||||
|
|
||||||
|
# Try and avoid fragmentation issues.
|
||||||
|
fragment 1300
|
||||||
|
mssfix 1300
|
||||||
|
|
||||||
|
# If you are connecting through an HTTP proxy to reach the actual OpenVPN
|
||||||
|
# server, put the proxy server/IP and port number here.
|
||||||
|
# See the man page if your proxy server requires authentication.
|
||||||
|
;http-proxy-retry # retry on connection failures
|
||||||
|
;http-proxy [proxy server] [proxy port #]
|
||||||
|
|
||||||
|
# Wireless networks often produce a lot of duplicate packets.
|
||||||
|
# Set this flag to silence duplicate packet warnings.
|
||||||
|
;mute-replay-warnings
|
||||||
|
|
||||||
|
# SSL/TLS parms.
|
||||||
|
# See the server config file for more description.
|
||||||
|
# It's best to use a separate .crt/.key file pair for each client.
|
||||||
|
# A single ca file can be used for all clients.
|
||||||
|
#ca ca.crt
|
||||||
|
#cert client.crt
|
||||||
|
#key client.key
|
||||||
|
|
||||||
|
# Verify server certificate by checking that the certificate has the correct
|
||||||
|
# key usage set.
|
||||||
|
# This is an important precaution to protect against a potential attack
|
||||||
|
# discussed here: http://openvpn.net/howto.html#mitm
|
||||||
|
#
|
||||||
|
# To use this feature, you will need to generate your server certificates with
|
||||||
|
# the keyUsage set to
|
||||||
|
# digitalSignature, keyEncipherment
|
||||||
|
# and the extendedKeyUsage to
|
||||||
|
# serverAuth
|
||||||
|
# EasyRSA can do this for you.
|
||||||
|
remote-cert-tls server
|
||||||
|
|
||||||
|
# If a tls-auth key is used on the server then every client must also have the
|
||||||
|
# key.
|
||||||
|
tls-auth {{vpn_name}}-ta.key 1
|
||||||
|
auth-user-pass
|
||||||
|
|
||||||
|
# Select a cryptographic cipher.
|
||||||
|
# If the cipher option is used on the server then you must also specify it
|
||||||
|
# here.
|
||||||
|
# Note that v2.4 client/server will automatically negotiate AES-256-GCM in TLS
|
||||||
|
# mode.
|
||||||
|
# See also the data-ciphers option in the manpage
|
||||||
|
cipher AES-256-CBC
|
||||||
|
|
||||||
|
# Enable compression on the VPN link.
|
||||||
|
# Don't enable this unless it is also enabled in the server config file.
|
||||||
|
comp-lzo
|
||||||
|
|
||||||
|
# Set log file verbosity.
|
||||||
|
verb 3
|
||||||
|
|
||||||
|
# Silence repeating messages
|
||||||
|
;mute 20
|
||||||
|
|
||||||
|
<ca>
|
||||||
|
{{vpn_ca_certificate}}
|
||||||
|
</ca>
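Review bot: `comp-lzo` enables link compression, which OpenVPN has deprecated because compressing attacker-influenced plaintext leaks secrets (VORACLE-class oracles); unless the provider refuses uncompressed sessions, replace it with `comp-lzo no` (or drop it and set `allow-compression no` on 2.5+). `fragment 1300` is only accepted with UDP, so OpenVPN refuses to start on any host whose `vpn_protocol` is `tcp` — guard it with `{% if vpn_protocol == 'udp' %}`. `cipher AES-256-CBC` is the pre-2.4 way to pin a cipher; on a 2.4+ client `data-ciphers AES-256-GCM:AES-256-CBC` lets negotiation pick an AEAD cipher while keeping the CBC fallback the comment mentions. Note also that `;user openvpn` / `;group openvpn` are commented out, so the daemon keeps root for its whole lifetime, and the systemd drop-in elsewhere in this commit adds no `User=` either — worth confirming that is intended and saying so in the comment.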
|
|
@ -3,6 +3,9 @@
|
||||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
||||||
|
- name: create php-fpm tmpfiles
|
||||||
|
command: systemd-tmpfiles --create /etc/tmpfiles.d/run_php.conf
|
||||||
|
|
||||||
- name: restart php-fpm.service (front)
|
- name: restart php-fpm.service (front)
|
||||||
systemd:
|
systemd:
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
|
|
|
@ -26,6 +26,15 @@
|
||||||
- php-geoip
|
- php-geoip
|
||||||
- geoip-database-extra
|
- geoip-database-extra
|
||||||
|
|
||||||
|
- name: install front software
|
||||||
|
package:
|
||||||
|
name: "{{item}}"
|
||||||
|
state: present
|
||||||
|
with_items:
|
||||||
|
- php-fpm
|
||||||
|
when:
|
||||||
|
- (inventory_hostname in groups['front'])
|
||||||
|
|
||||||
### UPSTREAM END ⇒ ###
|
### UPSTREAM END ⇒ ###
|
||||||
- name: merge upstream
|
- name: merge upstream
|
||||||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
|
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
|
||||||
|
@ -115,6 +124,100 @@
|
||||||
notify:
|
notify:
|
||||||
- restart php-fpm.service (front)
|
- restart php-fpm.service (front)
|
||||||
|
|
||||||
|
- name: configure php-fpm
|
||||||
|
block:
|
||||||
|
|
||||||
|
- name: create php-fpm working directories
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
#Type Path Mode UID GID Age Argument
|
||||||
|
d /run/php-fpm 775 http http - -
|
||||||
|
dest: /etc/tmpfiles.d/run_php.conf
|
||||||
|
mode: 0644
|
||||||
|
notify:
|
||||||
|
- create php-fpm tmpfiles
|
||||||
|
|
||||||
|
- name: prepare to override systemd settings
|
||||||
|
file:
|
||||||
|
name: /etc/systemd/system/{{item}}.service.d
|
||||||
|
state: directory
|
||||||
|
mode: 0755
|
||||||
|
with_items:
|
||||||
|
- php-fpm
|
||||||
|
|
||||||
|
- name: secure systemd settings for php-fpm
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
[Unit]
|
||||||
|
After=systemd-tmpfiles-setup.service
|
||||||
|
[Service]
|
||||||
|
User=http
|
||||||
|
Group=http
|
||||||
|
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
|
||||||
|
PrivateTmp=true
|
||||||
|
PrivateDevices=true
|
||||||
|
ProtectSystem=true
|
||||||
|
ProtectHome=true
|
||||||
|
NoNewPrivileges=true
|
||||||
|
PIDFile=/run/php-fpm/php-fpm.pid
|
||||||
|
dest: /etc/systemd/system/php-fpm.service.d/secure-{{nickname}}.conf
|
||||||
|
mode: 0644
|
||||||
|
notify:
|
||||||
|
- restart php-fpm.service (front)
|
||||||
|
|
||||||
|
- name: set the php-fpm settings
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/php/php-fpm.d/www.conf
|
||||||
|
regexp: '^;*{{item.key}}\s*='
|
||||||
|
line: '{{item.key}} = {{item.value}}'
|
||||||
|
with_dict:
|
||||||
|
listen: /run/shared_sockets/php-fpm
|
||||||
|
pm: dynamic
|
||||||
|
'pm.max_children': '{{php_max_workers}}'
|
||||||
|
'pm.start_servers': 1
|
||||||
|
'pm.min_spare_servers': 1
|
||||||
|
'pm.max_spare_servers': '{{php_max_workers}}'
|
||||||
|
'pm.max_requests': '{{php_worker_max_reqs}}'
|
||||||
|
notify:
|
||||||
|
- restart php-fpm.service (front)
|
||||||
|
|
||||||
|
- name: disable useless user/group specs
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/php/php-fpm.d/www.conf
|
||||||
|
backrefs: true
|
||||||
|
regexp: '^({{item}}\s*=.*)'
|
||||||
|
line: ';\1'
|
||||||
|
with_items:
|
||||||
|
- user
|
||||||
|
- group
|
||||||
|
- 'listen.group'
|
||||||
|
notify:
|
||||||
|
- restart php-fpm.service (front)
|
||||||
|
|
||||||
|
- name: set the PID file path for php-fpm
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/php/php-fpm.conf
|
||||||
|
regexp: '^;*pid\s*='
|
||||||
|
line: 'pid = /run/php-fpm/php-fpm.pid'
|
||||||
|
notify:
|
||||||
|
- restart php-fpm.service (front)
|
||||||
|
|
||||||
|
- name: enable php-fpm.service
|
||||||
|
systemd:
|
||||||
|
daemon_reload: true
|
||||||
|
name: php-fpm.service
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
- name: PHP test-page in test environment
|
||||||
|
copy:
|
||||||
|
content: <?php phpinfo();
|
||||||
|
dest: /srv/http/index.php
|
||||||
|
mode: 0644
|
||||||
|
when: (env == 'dev')
|
||||||
|
|
||||||
|
when:
|
||||||
|
- (inventory_hostname in groups['front'])
|
||||||
|
|
||||||
### LOCAL COMMIT ⇒ ###
|
### LOCAL COMMIT ⇒ ###
|
||||||
- name: commit local changes
|
- name: commit local changes
|
||||||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
|
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
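Review bot: The php-fpm drop-in runs the service as `http` but only sets `ProtectSystem=true`, which leaves `/etc` writable to a compromised worker; since the daemon needs nothing beyond `/run/php-fpm` and the socket directory, `ProtectSystem=strict` with `ReadWritePaths=/run/php-fpm /run/shared_sockets` (or at least `ProtectSystem=full`) is the stronger setting. With `User=http`, `CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT` does not grant those capabilities to the unprivileged process, so the line is probably harmless but misleading — a short comment on why they are listed, or dropping it, would help. The dev-only `<?php phpinfo();` page is written when `env == 'dev'` but never removed otherwise, so a host that was once `dev` keeps serving `phpinfo()` after promotion; pair it with a `file: state: absent` task for the other environments.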
|
||||||
|
|
|
@ -3,8 +3,8 @@
|
||||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
||||||
- name: restart nginx.service
|
- name: restart openresty.service
|
||||||
systemd:
|
systemd:
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
name: nginx.service
|
name: openresty.service
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
|
@ -53,7 +53,7 @@
|
||||||
owner: http
|
owner: http
|
||||||
group: http
|
group: http
|
||||||
notify:
|
notify:
|
||||||
- restart nginx.service
|
- restart openresty.service
|
||||||
|
|
||||||
### LOCAL COMMIT ⇒ ###
|
### LOCAL COMMIT ⇒ ###
|
||||||
- name: commit local changes
|
- name: commit local changes
|
||||||
|
|
|
@ -45,7 +45,7 @@
|
||||||
- name: send Ansible’s forced-command
|
- name: send Ansible’s forced-command
|
||||||
copy:
|
copy:
|
||||||
content: |
|
content: |
|
||||||
#!/bin/bash
|
#!/usr/bin/env bash
|
||||||
eval $SSH_ORIGINAL_COMMAND
|
eval $SSH_ORIGINAL_COMMAND
|
||||||
dest: "{{chroot}}/root/.ssh/force_ansible.sh"
|
dest: "{{chroot}}/root/.ssh/force_ansible.sh"
|
||||||
mode: 0700
|
mode: 0700
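Review bot: The changed line is only the shebang, but the script it heads is the SSH forced command and its body is `eval $SSH_ORIGINAL_COMMAND`, which executes whatever the client sends and therefore restricts nothing — the `command=` option then only pins the interpreter. If the intent is to confine the Ansible key to Ansible, match the original command against the interpreter invocations Ansible actually issues before executing it and reject everything else; if it is intentionally unrestricted, say so in a comment above the `eval`. In either case quote the expansion, `eval "$SSH_ORIGINAL_COMMAND"`, so the unquoted value is not word-split and glob-expanded before `eval` sees it.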
|
||||||
|
|
|
@ -0,0 +1,10 @@
|
||||||
|
---
|
||||||
|
# The home-server project produces a multi-purpose setup using Ansible.
|
||||||
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
||||||
|
- name: restart openresty.service
|
||||||
|
systemd:
|
||||||
|
daemon_reload: true
|
||||||
|
name: openresty.service
|
||||||
|
state: restarted
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
# The home-server project produces a multi-purpose setup using Ansible.
|
||||||
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
||||||
|
dependencies:
|
||||||
|
- role: cleanupdate
|
||||||
|
- role: dmz_nginx
|
|
@ -0,0 +1,93 @@
|
||||||
|
---
|
||||||
|
# The home-server project produces a multi-purpose setup using Ansible.
|
||||||
|
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||||
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||||
|
|
||||||
|
### UPSTREAM BEGIN ⇒ ###
|
||||||
|
- name: pull prerequisites from upstream
|
||||||
|
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=upstream.yml
|
||||||
|
vars:
|
||||||
|
msg: SSO
|
||||||
|
### ⇐ UPSTREAM BEGIN ###
|
||||||
|
|
||||||
|
- name: (SSOwat) uninstall software
|
||||||
|
package:
|
||||||
|
name: "{{item}}"
|
||||||
|
state: absent
|
||||||
|
with_items:
|
||||||
|
# 2023-05-20: removed
|
||||||
|
- ssowat-git
|
||||||
|
- nginx-mainline-mod-lua
|
||||||
|
- nginx-mainline-mod-ndk
|
||||||
|
- lua51-lualdap-git
|
||||||
|
|
||||||
|
- name: install AUR software
|
||||||
|
include_role:
|
||||||
|
name: aur.inc
|
||||||
|
allow_duplicates: true
|
||||||
|
vars:
|
||||||
|
packages:
|
||||||
|
- simple-sso-git
|
||||||
|
|
||||||
|
### UPSTREAM END ⇒ ###
|
||||||
|
- name: merge upstream
|
||||||
|
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
|
||||||
|
vars:
|
||||||
|
msg: SSO
|
||||||
|
### ⇐ UPSTREAM END ###
|
||||||
|
|
||||||
|
# 2023-05-20: removed
|
||||||
|
- name: (SSOwat) remove SSOwat configuration
|
||||||
|
file:
|
||||||
|
path: /etc/ssowat
|
||||||
|
state: absent
|
||||||
|
notify:
|
||||||
|
- restart openresty.service
|
||||||
|
|
||||||
|
# 2023-05-20: removed
|
||||||
|
- name: (SSOwat) remove external LUA module from Nginx
|
||||||
|
file:
|
||||||
|
path: /etc/nginx/main.inc.d/ndk+lua.inc
|
||||||
|
state: absent
|
||||||
|
notify:
|
||||||
|
- restart openresty.service
|
||||||
|
|
||||||
|
- name: init the SSO code in Nginx
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
lua_shared_dict cache 10m;
|
||||||
|
init_by_lua_file /etc/nginx/ssso/do_init.lua;
|
||||||
|
dest: /etc/nginx/conf.d/00_sso.conf
|
||||||
|
group: http
|
||||||
|
mode: 0640
|
||||||
|
notify:
|
||||||
|
- restart openresty.service
|
||||||
|
|
||||||
|
- name: enforce SSO checking for each request
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
access_by_lua_file /etc/nginx/ssso/do_access.lua;
|
||||||
|
dest: /etc/nginx/inc.d/00_sso.https.inc
|
||||||
|
group: http
|
||||||
|
mode: 0640
|
||||||
|
notify:
|
||||||
|
- restart openresty.service
|
||||||
|
|
||||||
|
- name: send the custom SSO configuration
|
||||||
|
template:
|
||||||
|
src: templates/conf.json.j2
|
||||||
|
dest: /etc/nginx/ssso/global.json
|
||||||
|
group: http
|
||||||
|
mode: 0640
|
||||||
|
|
||||||
|
- name: register the fact that SSO is installed
|
||||||
|
set_fact:
|
||||||
|
is_sso_used: true
|
||||||
|
|
||||||
|
### LOCAL COMMIT ⇒ ###
|
||||||
|
- name: commit local changes
|
||||||
|
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
|
||||||
|
vars:
|
||||||
|
msg: SSO
|
||||||
|
### ⇐ LOCAL COMMIT ###
|
||||||
|
- meta: flush_handlers
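Review bot: The "send the custom SSO configuration" task writes `/etc/nginx/ssso/global.json` without a `notify`, while the two sibling tasks that touch the SSO nginx snippets restart openresty; since the module is wired through `init_by_lua_file`, a changed `global.json` most likely stays unread until something else restarts the server — add `notify: - restart openresty.service` as on the other tasks, or a comment saying the module re-reads the file at runtime if it does. The role also installs `simple-sso-git` from the AUR, an unpinned VCS build of the code that gates every HTTPS request; recording the commit it was reviewed at (or a checksum) is worth it for a component in this position.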
|
|
@ -0,0 +1,8 @@
|
||||||
|
{
|
||||||
|
"auth": {
|
||||||
|
"check": "/usr/bin/ldapsearch -x -D \"uid=\ru.,ou=users,dc=example,dc=org\" -w \"\rp.\" -b 'ou=users,dc=example,dc=org' -s one -LLL -l 1 -z 1 \"(uid=\ru.)\" cn mail | /usr/bin/gawk '/^cn/{n=gensub(/cn: */,\"\",1)};/^mail/{m=gensub(/mail: */,\"\",1)};END{printf(\"%s\\n%s\\n\",n,m)}'"
|
||||||
|
},
|
||||||
|
"session_seconds": 300,
|
||||||
|
"sso_host": "{{net_soa}}",
|
||||||
|
"sso_prefix": "{{http_pfx_sso}}"
|
||||||
|
}
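Review bot: The `auth.check` command splices the `\ru.` and `\rp.` placeholders straight into a shell command line that runs `ldapsearch` and `gawk`; unless simple-sso shell-escapes the substituted username and password, a login such as `" ; id ; "` becomes command injection on the SSO host — confirm the escaping it applies, and if it applies none, pass the values without re-parsing them as shell (for example `-y` with a credentials file). `-w "\rp."` also places the user's password on the `ldapsearch` argv, where it is readable through `ps`/`/proc` for the duration of the bind; `-y <file>` avoids that. The username is interpolated unescaped into both the bind DN and the `(uid=…)` filter as well, so LDAP special characters (`,`, `*`, `(`) reach the directory — worth the same escaping check.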
|
134
site.yaml
134
site.yaml
|
@ -3,77 +3,77 @@
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- hosts: back
#- hosts: back
remote_user: root
# remote_user: root
roles:
# roles:
- _maintenance_start
# - _maintenance_start
- init
# - init
- transmission_back
# - transmission_back
- ntp
# - ntp
- cleanupdate
# - cleanupdate
- printscan
# - printscan
- sockets
# - sockets
- front
# - front
- postinstall
# - postinstall
- msmtp
# - msmtp
- role: nfs
# - role: nfs
when: (env == 'prod')
# when: (env == 'prod')
- role: transmission_nfs
# - role: transmission_nfs
when: (env == 'prod')
# when: (env == 'prod')
- pyruse
## - pyruse
- nftables_back
# - nftables_back
- postgresql
# - postgresql
- slapd
# - slapd
- php
# - php
- ldap
# - ldap
# - wallabag_back
## - wallabag_back
- dotclear_back
# - dotclear_back
# - movim_back
## - movim_back
- prosody_back
# - prosody_back
- ihmgit_back
# - ihmgit_back
- nextcloud_back
# - nextcloud_back
- ssh
# - ssh
- dovecot
# - dovecot
- mediaplayer
## - mediaplayer
- motion_back
## - motion_back
- role: front_run
# - role: front_run
when: (env == 'prod')
# when: (env == 'prod')
- role: acme_back
# - acme_back
when: (env == 'prod')
# - nextcloud_davfs
- nextcloud_davfs
# - _maintenance_stop
- _maintenance_stop
- hosts: front
- hosts: front
remote_user: root
remote_user: root
roles:
roles:
- _maintenance_start
- _maintenance_start
- init
# - init
- cleanupdate
# - cleanupdate
- postinstall
# - postinstall
- ldap
# - ldap
- iodine
- openvpn
- role: ddclient.inc
# - iodine
when: (env == 'dev')
# - role: ddclient.inc
- role: ddclient_HE_example
# when: (env == 'dev')
when: (env == 'prod')
# - role: ddclient_HE_example
- role: ddclient_FreeDNS_example
# when: (env == 'prod')
when: (env == 'prod')
# - role: ddclient_FreeDNS_example
- dmz_nginx
# when: (env == 'prod')
- ssowat
# - dmz_nginx
- php
- sso
- ssh
# - php
# - ssh
- transmission
- transmission
- dmz_exim
# - dmz_exim
- dmz_haproxy
# - dmz_haproxy
- dmz_ihmgit_front
- dmz_ihmgit_front
- dmz_nextcloud_front
# - dmz_nextcloud_front
- dmz_dotclear_front
# - dmz_dotclear_front
- dmz_ihmldap
# - dmz_ihmldap
- dmz_prosody_front
# - dmz_prosody_front
- dmz_motion_front
# - dmz_motion_front
# - dmz_wallabag_front
## - dmz_wallabag_front
- acme_front
# - acme_front
- privatebin
# - privatebin
# - dmz_movim_front
## - dmz_movim_front
- nftables_front
# - nftables_front
- _maintenance_stop
# - _maintenance_stop
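Review bot: In the `back` play the old pair `- role: acme_back` / `when: (env == 'prod')` appears to become the single commented line `# - acme_back`, so the prod-only guard is silently dropped and will stay dropped if that line is later uncommented as-is; keeping `# - role: acme_back` and `#   when: (env == 'prod')` preserves it (the neighbouring `front_run` entry keeps its `when`, which suggests the omission is accidental). If the whole `back` play is intended to stay disabled while this is WIP, a one-line comment above `#- hosts: back` saying so, and that `front` is the only active play, would spare the next reader from diffing the two columns. I am reading the side-by-side rendering as old on the left and new on the right, so please double-check against the raw diff.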
@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
# The home-server project produces a multi-purpose setup using Ansible.
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
@ -1,4 +1,10 @@
SHELL := /bin/bash
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
# REQUIRED: make, root-less podman, jq, ssh-keygen
SHELL := /usr/bin/env bash
# https://stackoverflow.com/a/23324703
# https://stackoverflow.com/a/23324703
ROOT_DIR := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
ROOT_DIR := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
@ -32,7 +38,7 @@ clean: rmi
podman rmi archlinux; true
podman rmi archlinux; true
ansible: back-dev
ansible: back-dev
cd "${ROOT_DIR}/../.." && ansible-playbook -i env/dev -vvv site.yaml
cd "${ROOT_DIR}/../.." && ansible-playbook -i env/dev -v site.yaml
front-img: Makefile front.Dockerfile id-dev.pub id-chroot.pub
front-img: Makefile front.Dockerfile id-dev.pub id-chroot.pub
ds=$$(find $^ -maxdepth 0 -printf %T@ | sort -t. -rn | awk -F. 'NR==1{print $$1}'); \
ds=$$(find $^ -maxdepth 0 -printf %T@ | sort -t. -rn | awk -F. 'NR==1{print $$1}'); \
@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBDBWwJdAOKQELMTT819qi+FkFk3IEGNrMrfNJPbr9eTAAAAJCeYYR6nmGE
egAAAAtzc2gtZWQyNTUxOQAAACBDBWwJdAOKQELMTT819qi+FkFk3IEGNrMrfNJPbr9eTA
AAAECHIS9x8FuevOopTggeY1jUNXQ8BSDHbqKXY8iC/UnDYkMFbAl0A4pAQsxNPzX2qL4W
QWTcgQY2syt80k9uv15MAAAAC3l2ZXNAanVuaW9yAQI=
-----END OPENSSH PRIVATE KEY-----
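Review bot: This hunk adds an unencrypted OpenSSH private key to the repository, and the same applies to the second OpenSSH private key and the RSA `-----BEGIN PRIVATE KEY-----` block added further down in this commit. The Makefile change in the same commit lists `ssh-keygen` as a requirement and makes `front-img` depend on `id-dev.pub` and `id-chroot.pub`, which suggests these key pairs are meant to be generated locally (presumably dev-only); generating them from a make rule and listing them in `.gitignore` keeps them out of history. Because the private halves are now in the commit, they should be treated as disclosed: regenerate them and replace the corresponding public keys wherever they were installed.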
@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMFbAl0A4pAQsxNPzX2qL4WQWTcgQY2syt80k9uv15M yves@junior
@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACD7InR8yYZ110XVqODVFZpDDkXDTfZPUWGlOHkmIGd4VgAAAJiDMF+FgzBf
hQAAAAtzc2gtZWQyNTUxOQAAACD7InR8yYZ110XVqODVFZpDDkXDTfZPUWGlOHkmIGd4Vg
AAAEDnXKRHTmIe8L7QuI7ROmmTNSHvAhAtcBguX68/9E9c5fsidHzJhnXXRdWo4NUVmkMO
RcNN9k9RYaU4eSYgZ3hWAAAAD3l2ZXNAc2VkZW50YWlyZQECAwQFBg==
-----END OPENSSH PRIVATE KEY-----
@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsidHzJhnXXRdWo4NUVmkMORcNN9k9RYaU4eSYgZ3hW me@my-pc
@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC40xZlLcT4mE9/
7iwMC628FCREkj8bX4UCHUvc1pcyhLgOZG/wl/3Rk37Bqa2wnqnRQKfGHLoaKQ7I
ZtBlMPGyQIHzHSLYTFpagUC+IdLjQ2x9Tf01gqBRiRXyJ4NRtkupOV2cpOQoYwFE
fOTOURyA+hdu4D1gU9ImTKY+qS45XvEihmW4MgcIlVJgVPL9TOtCqthSGxJVJ/xB
ecpGi9125bTkANKXyW+7E0lGrWh9AQ/DaVOiDst9wewZVwlT2k87cr7cdA4IpwLx
hyHMq+myJS2gVb14hNgy7afJ8ECyi5VfoH2j6PmErT7DxUNNNIAsTj591YyGzW+r
rUa0TURZjAalsrMEstS65mDnC10m6pVCX96VDicyIymfa0COnB0ZxVQUmgfMl+Dt
cR47uXaJPZrbpRzKU+O05RJzA1wysRiEIbwh9bSMOSCkpA7StUZ7zqIdmlm8cTbQ
DCUCMTLIfI1TwrZusM2a6mMXLQssA2gPy7JkSUZvIg5mXPc77jMhdMNjzzQOaLb1
kuP6JgOZTn4mMsHzA41PmnO6K/iVarYaDxEg6A/PdJ/Et4hLxpz18af7XcxVMk5W
S/le2YYlOTTieMDVzPsqcfBb5Kss7MNEoIfMzqQmPIJz7d220nxnx2gLF8wCNc+0
Kjv22+214xI3XAg2ZZOGFMXe/0fPiQIDAQABAoICAAHIq3OfzCyZkhKHfBZELRcO
qzXHDb6gBAQWlWHnkidEdmnQ0Jnwqkbx7rQ5ZOdP4A6jL6ixpDQGhNbh6NLsig1T
l9Apbh8KvUhYbRrAr7zuN0ojfO/dp5o4hwqSqiREDLQmDSLK88xLff/ubtS/yJUv
72wMVESoHnQXQzdW3EQ6Z+b9R4FOU04jByaN9K1FnH4vhl25gZUVPmyBMPbQGLES
IRYzx1SRdvImFXaYtnSBadNpInZi60DMGhEkYMnLRpPpxOY9ZQQdR4xzpqZSRkkd
bdSutdYnqGtfwEHf1KIHMfKDCtS7NeBQ0z/3Y7xHUdGLp55WN7BhOSRogbE8ZIOE
CxZ1+wHNh45iCjB77gCuk8trWqmfJUeBeIgqj+I25CwuFxsosNnbz1NWFwPVCgru
JBTrnnIyUSp5fgx3vJ/nUtpr+2OPg/xrGH8qbBvgtQ2+J7u+LIqe/i+TQ6HYVzYx
RVEUNSurGladAK9ZFOLffbD72lwfFg7R+j/Q3clv8qD7Kfv1Z/qLRSMMoV0S4yEs
rkV/ed4NCn/btpLys+Di79kgFC3BWcuxeoRXEssTaJpFXR7dCgyMMO71PSQjbg0J
waTGHXY9U3vjlQ2AVJCzXUF5em/5XuXfnQHXxsCFVh4YNrravX4JyEQ8pKDAWBP5
8n0Q6eIVhRLFT/f5ZvdhAoIBAQDhS9aZchRi+54jycPMjhMlM5R6uMbPUJ0vOvm9
0JAlDFxHzyehjVTbP7v+PB+6ZoWFaXWHCd/WWo/4w9aFL4LNTm17EBKThTIJjwlc
+cQQ+Eudhuti2tSLVg6QcBTi7n2adFoyS1c8qSO9GLsM8uv1DWuUd9Ci9lKGY6da
tLS/p54JVzxJl66tQ7ktQ8T430DiIdy7s3kzkQSy4YhbcW7C3NZ+99gGhYKLsizY
t3Tn22fmwG9CgetE+CWLT9IGkXR3NcPZzw4IsTOqqDdzF846sgrQnGTTnbufDwok
TwuMgwNjp1V28k7BdyU8IuOg0EZwqWL7sfaKLhjgONSiCr0hAoIBAQDSA0S1ZyMf
bGn4tXKwsPtav47XIotCGWITmlfd0Iq5FHR3r9NwCMozPPvKZVpz1xR1MNFNkGbz
xMFvBWQA8eVRAm4i8jGWRfnHl0074AkztDbAWg2CZ6rBR1c2/VgG5Unt2PShVRFf
mbH5yaLcF4bQJ0lSdWw6gGDbHKOtadB+BzMq0RkulqTN6Nhsz6Dy2ROub3jvmTcW
kj9AGLKSL//tni8R6BPeOzYM6dJh/bgl5adZ2eoJjWSV4ADkgc17gtOKSpZC+nke
TGgJ3UfAfDzp1amwYydwQlVuKgaIrhDn2vcVU1/sw1QzhL+8Jz/LdycX+DY9P5HE
XWZwVdDLg51pAoIBAFKzXQYcq0EebhFjCf23lW2Nfo6B73DAfcKNmolD2vXOkL1H
XJvf3mtQ/Pg5J8hrw82SRbMZO9JakgjWEpP3OcOVa3jGEJuYRCLgH6bChGdaTZ94
nEVAYM74+wWoLvKSawbceROHNnGtANJ0Fo2NSnI8x+XLCYoYc3ijchZIySSlKczx
+c5l4Jf3iS0FeHOGuDGKDpXULsRwElJ7mWs/u1HKcO5QmjrinWYcNHwk88P8dSpu
LykxuaQqltWJqmYA1MjBsq/sYpFsQrP9ZcVY0roXCwNCtXw8pVeg1K85WNruaLsW
/LdaAPDhhIiLohUw/vpyI0STMhXNEBKWqe8FlCECggEAA+mlrQ+H2v0FGGohAeO6
Ox2Yhq+REqEwb5cPjgVloD8eUGCJOuwfAEdhlYq/3aqjKe/H5n8LO/1tcSkTjOT0
1caK0MHcZKVXGv3ZpYTuBvWTk4/Z8pUF3GX83PxpWG+LKhBBtoPEOBi/9RxpmVoi
29vvhMbFRm2/4DUvY3q2NLLjpCeTJYgO9/sflR9lK0EaGcTf5u7e1N/Sp9oN8aVN
SlsJG3dMb3aA8kqk7chxVttpe8YQky78McKjoZ49etCcKlZraEIMYaEgyxZBUPe/
lsexSqT+RhwmRVApIQDFNdyhf9c20U1uUytk+xdsG9lTdCHeuNNnXtYyo2Ml6bTB
CQKCAQEAgW3ap6sAdLdYPuBj9B1QJfbI55o2Jl6P3p/D+c25J4HbHzrTPFu6Z1+6
N8g87eM+Hjl5mg5oDRFI0MGf5pIxRmoQAg925W2xX3OnG8ZPyh8hIrCLTduTpY3w
YsNu7Fcj9J/n6FDdf6AAwDkdGM0pwrPR5kI++wi5BtsCnlsSmdO0lEsBzNhArFPL
S0361/uY81R5MrqHL9WIjgxVlqjiorOZ1zwrZap80mh5LBn84kcGgnJczeQGkmom
f6RcHGNMAX9ibQ1coZX5b0ywcjvDnjMs7G6Cp4A4UiIsFtEgIXHR1NdY2yx2iJO/
EKAnoi5XmjOVCSJKOAlB/yOzNJWC7A==
-----END PRIVATE KEY-----
@ -0,0 +1,14 @@
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuNMWZS3E+JhPf+4sDAut
vBQkRJI/G1+FAh1L3NaXMoS4DmRv8Jf90ZN+wamtsJ6p0UCnxhy6GikOyGbQZTDx
skCB8x0i2ExaWoFAviHS40NsfU39NYKgUYkV8ieDUbZLqTldnKTkKGMBRHzkzlEc
gPoXbuA9YFPSJkymPqkuOV7xIoZluDIHCJVSYFTy/UzrQqrYUhsSVSf8QXnKRovd
duW05ADSl8lvuxNJRq1ofQEPw2lTog7LfcHsGVcJU9pPO3K+3HQOCKcC8YchzKvp
siUtoFW9eITYMu2nyfBAsouVX6B9o+j5hK0+w8VDTTSALE4+fdWMhs1vq61GtE1E
WYwGpbKzBLLUuuZg5wtdJuqVQl/elQ4nMiMpn2tAjpwdGcVUFJoHzJfg7XEeO7l2
iT2a26UcylPjtOUScwNcMrEYhCG8IfW0jDkgpKQO0rVGe86iHZpZvHE20AwlAjEy
yHyNU8K2brDNmupjFy0LLANoD8uyZElGbyIOZlz3O+4zIXTDY880Dmi29ZLj+iYD
mU5+JjLB8wONT5pzuiv4lWq2Gg8RIOgPz3SfxLeIS8ac9fGn+13MVTJOVkv5XtmG
JTk04njA1cz7KnHwW+SrLOzDRKCHzM6kJjyCc+3dttJ8Z8doCxfMAjXPtCo79tvt
teMSN1wINmWThhTF3v9Hz4kCAwEAAQ==
-----END PUBLIC KEY-----