updates/fixes + allow some performance tuning

group_vars/all

@@ -82,6 +82,9 @@ fw_portknock_seq: 1 22 333 4444 333 22 1
 # The email address associated to root, for commits in the git repository that stores changes to /etc.
 git_contact_email: hostmaster@example.org
 
+# Watch new repositories inside the already-watched perimeter by default.
+gitea_auto_watch_new_repos: 'true'
+
 # Name of the Gitea (web UI for Git) database in PostgreSQL.
 gitea_db: gitea
 
@@ -91,18 +94,83 @@ gitea_db_user: gitea
 # Password for the PostgreSQL user who owns the Gitea database.
 gitea_db_password: gitea
 
+# Disable Gravatar pictures.
+gitea_disable_gravatar: 'false'
+
+# Disable HTTP for Git access.
+gitea_disable_http_git: 'false'
+
+# Disable mirrors.
+gitea_disable_mirrors: 'true'
+
 # Disable creation of organisations in Gitea (“true” or “false”, as a character string).
 gitea_disable_org_creation: 'true'
 
 # Disable self-registration in Gitea (“true” or “false”, as a character string).
 gitea_disable_registration: 'false'
 
+# Disable logs by Gitea router.
+gitea_disable_router_log: 'false'
+
+# Enable API and Swagger UI.
+gitea_enable_api: 'true'
+
+# Enable caching for the web UI.
+gitea_enable_cache: 'true'
+
 # Enable email notifications in Gitea (“true” or “false”, as a character string).
 gitea_enable_notify_email: 'true'
 
+# Enable OAuth2 provider.
+gitea_enable_oauth2_provider: 'false'
+
+# Index repositories.
+gitea_enable_repo_indexer: 'true'
+
+# Enable user heat-map.
+gitea_enable_user_heatmap: 'true'
+
+# Enable the time-tracking feature.
+gitea_enable_timetracking: 'true'
+
+# Available languages.
+gitea_i18n: [
+    {"code": "en-US", "label": "English"},
+    {"code": "zh-CN", "label": "简体中文"},
+    {"code": "zh-HK", "label": "繁體中文（香港）"},
+    {"code": "zh-TW", "label": "繁體中文（台灣）"},
+    {"code": "de-DE", "label": "Deutsch"},
+    {"code": "fr-FR", "label": "français"},
+    {"code": "nl-NL", "label": "Nederlands"},
+    {"code": "lv-LV", "label": "latviešu"},
+    {"code": "ru-RU", "label": "русский"},
+    {"code": "uk-UA", "label": "Українська"},
+    {"code": "ja-JP", "label": "日本語"},
+    {"code": "es-ES", "label": "español"},
+    {"code": "pt-BR", "label": "português do Brasil"},
+    {"code": "pt-PT", "label": "Português de Portugal"},
+    {"code": "pl-PL", "label": "polski"},
+    {"code": "bg-BG", "label": "български"},
+    {"code": "it-IT", "label": "italiano"},
+    {"code": "fi-FI", "label": "suomi"},
+    {"code": "tr-TR", "label": "Türkçe"},
+    {"code": "cs-CZ", "label": "čeština"},
+    {"code": "sr-SP", "label": "српски"},
+    {"code": "sv-SE", "label": "svenska"},
+    {"code": "ko-KR", "label": "한국어"}
+  ]
+
+# JWT secret for OAuth2
+gitea_jwt_secret: az09ZA_az09ZA_az09ZA_az09ZA_az09ZA_az09ZA
+
 # Space-separated list of mime types to accept for attachments (“*/*” means: “anything”).
 gitea_mime_attach: 'image/jpeg image/png application/zip application/gzip'
 
+# Notifications refresh in seconds.
+gitea_notif_min_timeout: 10
+gitea_notif_max_timeout: 60
+gitea_notif_timeout_step: 10
+
 # A random salt-string for internal encryption (change it!).
 gitea_security_secret: '!#@FDEWREWR&*('
 
@@ -293,6 +361,9 @@ mail_ignore_ip: '2001:860:e2ef::f503:0:2'
 # All local mail destinations, which include managed domains, as well as host names.
 mail_local_domains: 'home dmz localhost example.org *.example.org *.local'
 
+# Maximum number of SPAM-filter workers.
+mail_max_spam_workers: 5
+
 # The ISP’s smarthost (which listens on port 25).
 mail_smtp_smarthost: smtp.bbox.fr
 
@@ -426,6 +497,12 @@ nginx_loglevel: info
 # Administrator password for PostgreSQL.
 pgpassword: PostgreSQL
 
+# Maximum number of PHP-handling processes.
+php_max_workers: 5
+
+# Maximum number of requests a PHP-handling process can handle before being reset (0: never reset).
+php_worker_max_reqs: 0
+
 # Maximum number of bytes in a Privatebin paste (or image).
 privatebin_bytes_limit: 10485760
 

roles/dmz_exim/tasks/main.yml

@@ -106,7 +106,7 @@
     content: |
       [Service]
       ExecStart=
-      ExecStart=/usr/bin/vendor_perl/spamd -x -u spamd -g spamd --listen=/run/shared_sockets/spamd
+      ExecStart=/usr/bin/vendor_perl/spamd -x -u spamd -g spamd --listen=/run/shared_sockets/spamd --max-children={{mail_max_spam_workers}}
       CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
       PrivateTmp=true
       PrivateDevices=true

roles/dmz_motion_front/tasks/main.yml

@@ -51,6 +51,6 @@
 - name: commit local changes
   include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
   vars:
-    msg: Gitea
+    msg: Motion
 ### ⇐ LOCAL COMMIT ###
 - meta: flush_handlers

roles/dmz_nginx/tasks/main.yml

@@ -200,15 +200,23 @@
   notify:
     - restart nginx.service
 
-- name: set the php-fpm socket path
+- name: set the php-fpm settings
   lineinfile:
     path: /etc/php/php-fpm.d/www.conf
-    regexp: '^;*listen\s*='
-    line: 'listen = /run/shared_sockets/php-fpm'
+    regexp: '^;*{{item.key}}\s*='
+    line: '{{item.key}} = {{item.value}}'
+  with_dict:
+    listen: /run/shared_sockets/php-fpm
+    pm: dynamic
+    'pm.max_children': '{{php_max_workers}}'
+    'pm.start_servers': 1
+    'pm.min_spare_servers': 1
+    'pm.max_spare_servers': '{{php_max_workers}}'
+    'pm.max_requests': '{{php_worker_max_reqs}}'
   notify:
     - restart php-fpm.service
 
-- name: remove useless user/group specs
+- name: disable useless user/group specs
   lineinfile:
     path: /etc/php/php-fpm.d/www.conf
     backrefs: true

roles/ihmgit_back/tasks/main.yml

@@ -48,6 +48,7 @@
     owner: '{{gitea_user}}'
     recurse: true
   with_items:
+    - /etc/gitea
     - /var/lib/gitea
     - /var/log/gitea
 
@@ -61,8 +62,15 @@
     - {s: null, o: RUN_USER, v: '{{gitea_user}}'}
     - {s: null, o: RUN_MODE, v: prod}
     - {s: repository, o: ROOT, v: /var/lib/gitea/repos}
+    - {s: repository, o: DISABLE_HTTP_GIT, v: '{{gitea_disable_http_git}}'}
+    - {s: repository, o: DISABLE_MIRRORS, v: '{{gitea_disable_mirrors}}'}
     - {s: repository.editor, o: LINE_WRAP_EXTENSIONS, v: '.txt,.md,.markdown,.mdown,.mkd,.adoc,.asciidoc,'}
     - {s: ui, o: SHOW_USER_EMAIL, v: 'false'}
+    - {s: ui, o: USE_SERVICE_WORKER, v: '{{gitea_enable_cache}}'}
+    - {s: ui.meta, o: MIN_TIMEOUT, v: '{{gitea_notif_min_timeout}}s'}
+    - {s: ui.meta, o: MAX_TIMEOUT, v: '{{gitea_notif_max_timeout}}s'}
+    - {s: ui.meta, o: TIMEOUT_STEP, v: '{{gitea_notif_timeout_step}}s'}
+    - {s: ui.meta, o: EVENT_SOURCE_UPDATE_TIME, v: '{{gitea_notif_min_timeout}}s'}
     - {s: server, o: PROTOCOL, v: unix}
     - {s: server, o: DOMAIN, v: '{{net_soa}}'}
     - {s: server, o: ROOT_URL, v: 'https://{{net_soa}}{{http_pfx_gitea}}/'}
@@ -73,6 +81,7 @@
     - {s: server, o: SSH_PORT, v: 2222}
     - {s: server, o: SSH_ROOT_PATH, v: /var/lib/gitea/.ssh}
     - {s: server, o: MINIMUM_KEY_SIZE_CHECK, v: 'true'}
+    - {s: server, o: DISABLE_ROUTER_LOG, v: '{{gitea_disable_router_log}}'}
     - {s: server, o: LFS_START_SERVER, v: 'false'}
     - {s: ssh.minimum_key_sizes, o: ECDSA, v: '-1'}
     - {s: ssh.minimum_key_sizes, o: DSA, v: '-1'}
@@ -82,7 +91,8 @@
     - {s: database, o: USER, v: '{{gitea_db_user}}'}
     - {s: database, o: PASSWD, v: '{{gitea_db_password}}'}
     - {s: database, o: LOG_SQL, v: 'false'}
-    - {s: indexer, o: REPO_INDEXER_ENABLED, v: 'true'}
+    - {s: indexer, o: ISSUE_INDEXER_TYPE, v: 'db'}
+    - {s: indexer, o: REPO_INDEXER_ENABLED, v: '{{gitea_enable_repo_indexer}}'}
     - {s: admin, o: DISABLE_REGULAR_ORG_CREATION, v: '{{gitea_disable_org_creation}}'}
     - {s: security, o: INSTALL_LOCK, v: 'true'}
     - {s: security, o: SECRET_KEY, v: '{{gitea_security_secret}}'}
@@ -93,19 +103,66 @@
     - {s: service, o: ENABLE_REVERSE_PROXY_AUTHENTICATION, v: 'true'}
     - {s: service, o: ENABLE_REVERSE_PROXY_AUTO_REGISTRATION, v: 'true'}
     - {s: service, o: DEFAULT_KEEP_EMAIL_PRIVATE, v: 'true'}
+    - {s: service, o: ENABLE_USER_HEATMAP, v: '{{gitea_enable_user_heatmap}}'}
+    - {s: service, o: ENABLE_TIMETRACKING, v: '{{gitea_enable_timetracking}}'}
     - {s: service, o: NO_REPLY_ADDRESS, v: masked.invalid}
+    - {s: service, o: AUTO_WATCH_NEW_REPOS, v: '{{gitea_auto_watch_new_repos}}'}
     - {s: mailer, o: ENABLED, v: 'true'}
     - {s: mailer, o: FROM, v: 'git@{{net_soa}}'}
-    - {s: mailer, o: USE_SENDMAIL, v: 'true'}
+    - {s: mailer, o: MAILER_TYPE, v: 'sendmail'}
+    - {s: cache, o: ENABLED, v: '{{gitea_enable_cache}}'}
+    - {s: cache.last_commit, o: ENABLED, v: '{{gitea_enable_cache}}'}
     - {s: session, o: PROVIDER, v: file}
     - {s: session, o: COOKIE_SECURE, v: 'true'}
+    - {s: picture, o: DISABLE_GRAVATAR, v: '{{gitea_disable_gravatar}}'}
     - {s: attachment, o: ALLOWED_TYPES, v: '{{gitea_mime_attach | replace(" ", "|")}}'}
     - {s: log, o: ROOT_PATH, v: /var/log/gitea/}
     - {s: log, o: MODE, v: console}
+    - {s: log, o: ROUTER_LOG_LEVEL, v: Warn}
     - {s: log, o: LEVEL, v: Warn}
     - {s: log.console, o: LEVEL, v: Warn}
+    - {s: cron, o: ENABLED, v: 'true'}
+    - {s: cron, o: RUN_AT_START, v: 'true'}
+    - {s: cron.update_mirrors, o: ENABLED, v: 'false'}
+    - {s: cron.update_mirrors, o: RUN_AT_START, v: 'true'}
+    - {s: cron.repo_health_check, o: ENABLED, v: 'false'}
+    - {s: cron.repo_health_check, o: RUN_AT_START, v: 'true'}
+    - {s: cron.repo_health_check, o: SCHEDULE, v: '@every 168h'}
+    - {s: cron.check_repo_stats, o: ENABLED, v: 'true'}
+    - {s: cron.check_repo_stats, o: RUN_AT_START, v: 'true'}
+    - {s: cron.check_repo_stats, o: SCHEDULE, v: '@every 168h'}
+    - {s: cron.archive_cleanup, o: ENABLED, v: 'false'}
+    - {s: cron.archive_cleanup, o: RUN_AT_START, v: 'true'}
+    - {s: cron.archive_cleanup, o: SCHEDULE, v: '@every 168h'}
+    - {s: cron.sync_external_users, o: ENABLED, v: 'false'}
+    - {s: cron.sync_external_users, o: RUN_AT_START, v: 'false'}
+    - {s: cron.deleted_branches_cleanup, o: ENABLED, v: 'false'}
+    - {s: cron.deleted_branches_cleanup, o: RUN_AT_START, v: 'true'}
+    - {s: cron.update_migration_poster_id, o: ENABLED, v: 'false'}
+    - {s: cron.update_migration_poster_id, o: RUN_AT_START, v: 'true'}
+    - {s: cron.delete_inactive_accounts, o: ENABLED, v: 'false'}
+    - {s: cron.delete_inactive_accounts, o: RUN_AT_START, v: 'false'}
+    - {s: cron.delete_repo_archives, o: ENABLED, v: 'false'}
+    - {s: cron.delete_repo_archives, o: RUN_AT_START, v: 'false'}
+    - {s: cron.git_gc_repos, o: ENABLED, v: 'false'}
+    - {s: cron.git_gc_repos, o: RUN_AT_START, v: 'true'}
+    - {s: cron.resync_all_sshkeys, o: ENABLED, v: 'false'}
+    - {s: cron.resync_all_sshkeys, o: RUN_AT_START, v: 'true'}
+    - {s: cron.resync_all_hooks, o: ENABLED, v: 'false'}
+    - {s: cron.resync_all_hooks, o: RUN_AT_START, v: 'false'}
+    - {s: cron.reinit_missing_repos, o: ENABLED, v: 'false'}
+    - {s: cron.reinit_missing_repos, o: RUN_AT_START, v: 'true'}
+    - {s: cron.delete_missing_repos, o: ENABLED, v: 'false'}
+    - {s: cron.delete_missing_repos, o: RUN_AT_START, v: 'true'}
+    - {s: cron.delete_generated_repository_avatars, o: ENABLED, v: 'false'}
+    - {s: cron.delete_generated_repository_avatars, o: RUN_AT_START, v: 'true'}
+    - {s: api, o: ENABLE_SWAGGER, v: '{{gitea_enable_api}}'}
+    - {s: oauth2, o: ENABLE, v: '{{gitea_enable_oauth2_provider}}'}
+    - {s: oauth2, o: JWT_SECRET, v: '{{gitea_jwt_secret}}'}
+    - {s: i18n, o: LANGS, v: '{{gitea_i18n | map(attribute="code") | join(",")}}'}
+    - {s: i18n, o: NAMES, v: '{{gitea_i18n | map(attribute="label") | join(",")}}'}
     - {s: markup.asciidoc, o: ENABLED, v: 'true'}
-    - {s: markup.asciidoc, o: RENDER_COMMAND, v: 'asciidoctor --out-file=- -'}
+    - {s: markup.asciidoc, o: RENDER_COMMAND, v: 'asciidoctor --backend=html5 --no-header-footer --attribute source-highlighter=highlightjs --out-file=- -'}
     - {s: other, o: SHOW_FOOTER_VERSION, v: 'false'}
     - {s: other, o: SHOW_FOOTER_TEMPLATE_LOAD_TIME, v: 'false'}
   notify:

roles/motion_back/handlers/main.yml

@@ -12,11 +12,11 @@
 - name: restart socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\x3alocalhost\x3a1080.service
   systemd:
     daemon_reload: true
-    name: socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\x3alocalhost\x3a1080.service
+    name: socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\\x3alocalhost\\x3a1080.service
     state: restarted
 
 - name: restart socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\x3alocalhost\x3a1081.service
   systemd:
     daemon_reload: true
-    name: socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\x3alocalhost\x3a1081.service
+    name: socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\\x3alocalhost\\x3a1081.service
     state: restarted

roles/nextcloud_back/tasks/main.yml

@@ -328,9 +328,12 @@
     dbpassword: "'{{nextcloud_db_password}}'"
     dbtype: "'pgsql'"
     dbuser: "'{{nextcloud_db_user}}'"
+    default_phone_region: "'{{locales_default | truncate(2, True, '', 0) | upper}}'"
     filelocking.enabled: 'false'
+    localstorage.allowsymlinks: 'true'
     log.condition: " array ( )"
     log_type: "'syslog'"
+    loglevel: 1
     mail_domain: "'{{net_soa}}'"
     mail_smtphost: "'{{DMZ}}'"
     mail_smtpmode: "'smtp'"

roles/printscan/tasks/main.yml

@@ -42,7 +42,7 @@
 - name: enable and start cups
   systemd:
     daemon_reload: true
-    name: org.cups.cupsd.service
+    name: cups.service
     enabled: true
     state: started