diff --git a/group_vars/all b/group_vars/all index ba7b9dd..90c3619 100644 --- a/group_vars/all +++ b/group_vars/all @@ -82,6 +82,9 @@ fw_portknock_seq: 1 22 333 4444 333 22 1 # The email address associated to root, for commits in the git repository that stores changes to /etc. git_contact_email: hostmaster@example.org +# Watch new repositories inside the already-watched perimeter by default. +gitea_auto_watch_new_repos: 'true' + # Name of the Gitea (web UI for Git) database in PostgreSQL. gitea_db: gitea 
@@ -91,18 +94,83 @@ gitea_db_user: gitea # Password for the PostgreSQL user who owns the Gitea database. gitea_db_password: gitea +# Disable Gravatar pictures. +gitea_disable_gravatar: 'false' + +# Disable HTTP for Git access. +gitea_disable_http_git: 'false' + +# Disable mirrors. +gitea_disable_mirrors: 'true' + # Disable creation of organisations in Gitea (“true” or “false”, as a character string). gitea_disable_org_creation: 'true' # Disable self-registration in Gitea (“true” or “false”, as a character string). gitea_disable_registration: 'false' +# Disable logs by Gitea router. +gitea_disable_router_log: 'false' + +# Enable API and Swagger UI. +gitea_enable_api: 'true' + +# Enable caching for the web UI. +gitea_enable_cache: 'true' + # Enable email notifications in Gitea (“true” or “false”, as a character string). gitea_enable_notify_email: 'true' +# Enable OAuth2 provider. +gitea_enable_oauth2_provider: 'false' + +# Index repositories. +gitea_enable_repo_indexer: 'true' + +# Enable user heat-map. +gitea_enable_user_heatmap: 'true' + +# Enable the time-tracking feature. +gitea_enable_timetracking: 'true' + +# Available languages. 
+gitea_i18n: [ + {"code": "en-US", "label": "English"}, + {"code": "zh-CN", "label": "简体中文"}, + {"code": "zh-HK", "label": "繁體中文(香港)"}, + {"code": "zh-TW", "label": "繁體中文(台灣)"}, + {"code": "de-DE", "label": "Deutsch"}, + {"code": "fr-FR", "label": "français"}, + {"code": "nl-NL", "label": "Nederlands"}, + {"code": "lv-LV", "label": "latviešu"}, + {"code": "ru-RU", "label": "русский"}, + {"code": "uk-UA", "label": "Українська"}, + {"code": "ja-JP", "label": "日本語"}, + {"code": "es-ES", "label": "español"}, + {"code": "pt-BR", "label": "português do Brasil"}, + {"code": "pt-PT", "label": "Português de Portugal"}, + {"code": "pl-PL", "label": "polski"}, + {"code": "bg-BG", "label": "български"}, + {"code": "it-IT", "label": "italiano"}, + {"code": "fi-FI", "label": "suomi"}, + {"code": "tr-TR", "label": "Türkçe"}, + {"code": "cs-CZ", "label": "čeština"}, + {"code": "sr-SP", "label": "српски"}, + {"code": "sv-SE", "label": "svenska"}, + {"code": "ko-KR", "label": "한국어"} + ] + +# JWT secret for OAuth2 +gitea_jwt_secret: az09ZA_az09ZA_az09ZA_az09ZA_az09ZA_az09ZA + # Space-separated list of mime types to accept for attachments (“*/*” means: “anything”). gitea_mime_attach: 'image/jpeg image/png application/zip application/gzip' +# Notifications refresh in seconds. +gitea_notif_min_timeout: 10 +gitea_notif_max_timeout: 60 +gitea_notif_timeout_step: 10 + # A random salt-string for internal encryption (change it!). gitea_security_secret: '!#@FDEWREWR&*(' @@ -293,6 +361,9 @@ mail_ignore_ip: '2001:860:e2ef::f503:0:2' # All local mail destinations, which include managed domains, as well as host names. mail_local_domains: 'home dmz localhost example.org *.example.org *.local' +# Maximum number of SPAM-filter workers. +mail_max_spam_workers: 5 + # The ISP’s smarthost (which listens on port 25). mail_smtp_smarthost: smtp.bbox.fr 
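Review bot: `gitea_jwt_secret` is committed as a fixed, patterned placeholder (`az09ZA_` repeated) right next to `gitea_db_password: gitea`, and unlike `gitea_security_secret` two lines down its comment does not even say to change it. The ihmgit_back hunk writes it into app.ini unconditionally (`- {s: oauth2, o: JWT_SECRET, ...}` is not gated on `gitea_enable_oauth2_provider`), so anyone applying this repository as-is ends up with a guessable token-signing key the moment OAuth2 is switched on. Gitea, as I recall, expects a 43-character base64url value (32 random bytes), which is what `gitea generate secret JWT_SECRET` prints; keep the real value in an ansible-vault file and leave only a comment here, e.g. `# JWT secret for OAuth2 (change it! generate with: gitea generate secret JWT_SECRET)`. The same treatment is overdue for `gitea_security_secret` and `gitea_db_password`, which this hunk surrounds but does not touch.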
@@ -426,6 +497,12 @@ nginx_loglevel: info # Administrator password for PostgreSQL. pgpassword: PostgreSQL +# Maximum number of PHP-handling processes. +php_max_workers: 5 + +# Maximum number of requests a PHP-handling process can handle before being reset (0: never reset). +php_worker_max_reqs: 0 + # Maximum number of bytes in a Privatebin paste (or image). privatebin_bytes_limit: 10485760 diff --git a/roles/dmz_exim/tasks/main.yml b/roles/dmz_exim/tasks/main.yml index b90f112..e08f0b3 100644 --- a/roles/dmz_exim/tasks/main.yml +++ b/roles/dmz_exim/tasks/main.yml @@ -106,7 +106,7 @@ content: | [Service] ExecStart= - ExecStart=/usr/bin/vendor_perl/spamd -x -u spamd -g spamd --listen=/run/shared_sockets/spamd + ExecStart=/usr/bin/vendor_perl/spamd -x -u spamd -g spamd --listen=/run/shared_sockets/spamd --max-children={{mail_max_spam_workers}} CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT PrivateTmp=true PrivateDevices=true diff --git a/roles/dmz_motion_front/tasks/main.yml b/roles/dmz_motion_front/tasks/main.yml index 68ee7e8..26de783 100644 --- a/roles/dmz_motion_front/tasks/main.yml +++ b/roles/dmz_motion_front/tasks/main.yml @@ -51,6 +51,6 @@ - name: commit local changes include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml vars: - msg: Gitea + msg: Motion ### ⇐ LOCAL COMMIT ### - meta: flush_handlers diff --git a/roles/dmz_nginx/tasks/main.yml b/roles/dmz_nginx/tasks/main.yml index 0e51387..98dabb7 100644 --- a/roles/dmz_nginx/tasks/main.yml +++ b/roles/dmz_nginx/tasks/main.yml 
@@ -200,15 +200,23 @@ notify: - restart nginx.service -- name: set the php-fpm socket path +- name: set the php-fpm settings lineinfile: path: /etc/php/php-fpm.d/www.conf - regexp: '^;*listen\s*=' - line: 'listen = /run/shared_sockets/php-fpm' + regexp: '^;*{{item.key}}\s*=' + line: '{{item.key}} = {{item.value}}' + with_dict: + listen: /run/shared_sockets/php-fpm + pm: dynamic + 'pm.max_children': '{{php_max_workers}}' + 'pm.start_servers': 1 + 'pm.min_spare_servers': 1 + 'pm.max_spare_servers': '{{php_max_workers}}' + 'pm.max_requests': '{{php_worker_max_reqs}}' notify: - restart php-fpm.service -- name: remove useless user/group specs +- name: disable useless user/group specs lineinfile: path: /etc/php/php-fpm.d/www.conf backrefs: true diff --git a/roles/ihmgit_back/tasks/main.yml b/roles/ihmgit_back/tasks/main.yml index 6422707..4fa1d8c 100644 --- a/roles/ihmgit_back/tasks/main.yml +++ b/roles/ihmgit_back/tasks/main.yml @@ -48,6 +48,7 @@ owner: '{{gitea_user}}' recurse: true with_items: + - /etc/gitea - /var/lib/gitea - /var/log/gitea @@ -61,8 +62,15 @@ - {s: null, o: RUN_USER, v: '{{gitea_user}}'} - {s: null, o: RUN_MODE, v: prod} - {s: repository, o: ROOT, v: /var/lib/gitea/repos} + - {s: repository, o: DISABLE_HTTP_GIT, v: '{{gitea_disable_http_git}}'} + - {s: repository, o: DISABLE_MIRRORS, v: '{{gitea_disable_mirrors}}'} - {s: repository.editor, o: LINE_WRAP_EXTENSIONS, v: '.txt,.md,.markdown,.mdown,.mkd,.adoc,.asciidoc,'} - {s: ui, o: SHOW_USER_EMAIL, v: 'false'} + - {s: ui, o: USE_SERVICE_WORKER, v: '{{gitea_enable_cache}}'} + - {s: ui.meta, o: MIN_TIMEOUT, v: '{{gitea_notif_min_timeout}}s'} + - {s: ui.meta, o: MAX_TIMEOUT, v: '{{gitea_notif_max_timeout}}s'} + - {s: ui.meta, o: TIMEOUT_STEP, v: '{{gitea_notif_timeout_step}}s'} + - {s: ui.meta, o: EVENT_SOURCE_UPDATE_TIME, v: '{{gitea_notif_min_timeout}}s'} - {s: server, o: PROTOCOL, v: unix} - {s: server, o: DOMAIN, v: '{{net_soa}}'} - {s: server, o: ROOT_URL, v: 'https://{{net_soa}}{{http_pfx_gitea}}/'} 
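Review bot: The new `regexp: '^;*{{item.key}}\s*='` interpolates keys such as `pm.max_children` into a regular expression unescaped, so every `.` is a wildcard; nothing in www.conf collides today, but `lineinfile` rewrites only the last matching line, so a future key with regex metacharacters could silently edit the wrong directive. Escape the key at the point of use: `regexp: '^;*{{ item.key | regex_escape }}\s*='`. `pm.max_spare_servers` is set to the same `{{php_max_workers}}` as `pm.max_children`, which is valid but means the pool never shrinks below its maximum — a one-line comment on `php_max_workers` in `group_vars/all` saying this is intended would save the next reader a question. The renamed second task (`disable useless user/group specs`) continues past the end of the hunk.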
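Review bot: Adding `/etc/gitea` to this recursive `owner: '{{gitea_user}}'` loop gives the Gitea runtime user write access to its own app.ini, which this role fills with the database password, `SECRET_KEY` and `JWT_SECRET`; a compromised Gitea process could then rewrite its configuration (for example flip `INSTALL_LOCK` or the reverse-proxy authentication switches) and have the change survive restarts. Since `INSTALL_LOCK` is `'true'` and Ansible owns the file, Gitea only needs to read it: keep `/var/lib/gitea` and `/var/log/gitea` in this loop and manage `/etc/gitea` in a separate `file` task with `owner: root`, `group: '{{gitea_user}}'`, `mode: '0750'`, with app.ini at `'0640'` — as I recall this is also what Gitea's own install notes recommend once setup is done. The task's opening lines (its `path`/`state`/`mode` arguments) sit above the hunk, so the mode actually applied here is not visible.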
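Review bot: The four timeout keys are written under `[ui.meta]`, but as far as I know Gitea reads `MIN_TIMEOUT`, `MAX_TIMEOUT`, `TIMEOUT_STEP` and `EVENT_SOURCE_UPDATE_TIME` from `[ui.notification]` (`[ui.meta]` only holds `AUTHOR`/`DESCRIPTION`/`KEYWORDS`), so these values would be silently ignored and the built-in defaults used; change `s: ui.meta` to `s: ui.notification` on those four lines and confirm on the site-administration configuration page after deploy. `DISABLE_MIRRORS` defaulting to `'true'` is a sound choice, since mirror pulls let any repository owner make the server fetch arbitrary URLs; a comment on `gitea_disable_mirrors` in `group_vars/all` such as `# Disable mirrors (deliberate: mirror pulls let users make the server fetch arbitrary URLs).` would keep it from being flipped casually. The settings loop this hunk belongs to starts above the hunk.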
@@ -73,6 +81,7 @@
 - {s: server, o: SSH_PORT, v: 2222}
 - {s: server, o: SSH_ROOT_PATH, v: /var/lib/gitea/.ssh}
 - {s: server, o: MINIMUM_KEY_SIZE_CHECK, v: 'true'}
+ - {s: server, o: DISABLE_ROUTER_LOG, v: '{{gitea_disable_router_log}}'}
 - {s: server, o: LFS_START_SERVER, v: 'false'}
 - {s: ssh.minimum_key_sizes, o: ECDSA, v: '-1'}
 - {s: ssh.minimum_key_sizes, o: DSA, v: '-1'}
@@ -82,7 +91,8 @@
 - {s: database, o: USER, v: '{{gitea_db_user}}'}
 - {s: database, o: PASSWD, v: '{{gitea_db_password}}'}
 - {s: database, o: LOG_SQL, v: 'false'}
- - {s: indexer, o: REPO_INDEXER_ENABLED, v: 'true'}
+ - {s: indexer, o: ISSUE_INDEXER_TYPE, v: 'db'}
+ - {s: indexer, o: REPO_INDEXER_ENABLED, v: '{{gitea_enable_repo_indexer}}'}
 - {s: admin, o: DISABLE_REGULAR_ORG_CREATION, v: '{{gitea_disable_org_creation}}'}
 - {s: security, o: INSTALL_LOCK, v: 'true'}
 - {s: security, o: SECRET_KEY, v: '{{gitea_security_secret}}'}
@@ -93,19 +103,66 @@
 - {s: service, o: ENABLE_REVERSE_PROXY_AUTHENTICATION, v: 'true'}
 - {s: service, o: ENABLE_REVERSE_PROXY_AUTO_REGISTRATION, v: 'true'}
 - {s: service, o: DEFAULT_KEEP_EMAIL_PRIVATE, v: 'true'}
+ - {s: service, o: ENABLE_USER_HEATMAP, v: '{{gitea_enable_user_heatmap}}'}
+ - {s: service, o: ENABLE_TIMETRACKING, v: '{{gitea_enable_timetracking}}'}
 - {s: service, o: NO_REPLY_ADDRESS, v: masked.invalid}
+ - {s: service, o: AUTO_WATCH_NEW_REPOS, v: '{{gitea_auto_watch_new_repos}}'}
 - {s: mailer, o: ENABLED, v: 'true'}
 - {s: mailer, o: FROM, v: 'git@{{net_soa}}'}
- - {s: mailer, o: USE_SENDMAIL, v: 'true'}
+ - {s: mailer, o: MAILER_TYPE, v: 'sendmail'}
+ - {s: cache, o: ENABLED, v: '{{gitea_enable_cache}}'}
+ - {s: cache.last_commit, o: ENABLED, v: '{{gitea_enable_cache}}'}
 - {s: session, o: PROVIDER, v: file}
 - {s: session, o: COOKIE_SECURE, v: 'true'}
+ - {s: picture, o: DISABLE_GRAVATAR, v: '{{gitea_disable_gravatar}}'}
 - {s: attachment, o: ALLOWED_TYPES, v: '{{gitea_mime_attach | replace(" ", "|")}}'}
 - {s: log, o: ROOT_PATH, v: /var/log/gitea/}
 - {s: log, o: MODE, v: console}
+ - {s: log, o: ROUTER_LOG_LEVEL, v: Warn}
 - {s: log, o: LEVEL, v: Warn}
 - {s: log.console, o: LEVEL, v: Warn}
+ - {s: cron, o: ENABLED, v: 'true'}
+ - {s: cron, o: RUN_AT_START, v: 'true'}
+ - {s: cron.update_mirrors, o: ENABLED, v: 'false'}
+ - {s: cron.update_mirrors, o: RUN_AT_START, v: 'true'}
+ - {s: cron.repo_health_check, o: ENABLED, v: 'false'}
+ - {s: cron.repo_health_check, o: RUN_AT_START, v: 'true'}
+ - {s: cron.repo_health_check, o: SCHEDULE, v: '@every 168h'}
+ - {s: cron.check_repo_stats, o: ENABLED, v: 'true'}
+ - {s: cron.check_repo_stats, o: RUN_AT_START, v: 'true'}
+ - {s: cron.check_repo_stats, o: SCHEDULE, v: '@every 168h'}
+ - {s: cron.archive_cleanup, o: ENABLED, v: 'false'}
+ - {s: cron.archive_cleanup, o: RUN_AT_START, v: 'true'}
+ - {s: cron.archive_cleanup, o: SCHEDULE, v: '@every 168h'}
+ - {s: cron.sync_external_users, o: ENABLED, v: 'false'}
+ - {s: cron.sync_external_users, o: RUN_AT_START, v: 'false'}
+ - {s: cron.deleted_branches_cleanup, o: ENABLED, v: 'false'}
+ - {s: cron.deleted_branches_cleanup, o: RUN_AT_START, v: 'true'}
+ - {s: cron.update_migration_poster_id, o: ENABLED, v: 'false'}
+ - {s: cron.update_migration_poster_id, o: RUN_AT_START, v: 'true'}
+ - {s: cron.delete_inactive_accounts, o: ENABLED, v: 'false'}
+ - {s: cron.delete_inactive_accounts, o: RUN_AT_START, v: 'false'}
+ - {s: cron.delete_repo_archives, o: ENABLED, v: 'false'}
+ - {s: cron.delete_repo_archives, o: RUN_AT_START, v: 'false'}
+ - {s: cron.git_gc_repos, o: ENABLED, v: 'false'}
+ - {s: cron.git_gc_repos, o: RUN_AT_START, v: 'true'}
+ - {s: cron.resync_all_sshkeys, o: ENABLED, v: 'false'}
+ - {s: cron.resync_all_sshkeys, o: RUN_AT_START, v: 'true'}
+ - {s: cron.resync_all_hooks, o: ENABLED, v: 'false'}
+ - {s: cron.resync_all_hooks, o: RUN_AT_START, v: 'false'}
+ - {s: cron.reinit_missing_repos, o: ENABLED, v: 'false'}
+ - {s: cron.reinit_missing_repos, o: RUN_AT_START, v: 'true'}
+ - {s: cron.delete_missing_repos, o: ENABLED, v: 'false'}
+ - {s: cron.delete_missing_repos, o: RUN_AT_START, v: 'true'}
+ - {s: cron.delete_generated_repository_avatars, o: ENABLED, v: 'false'}
+ - {s: cron.delete_generated_repository_avatars, o: RUN_AT_START, v: 'true'}
+ - {s: api, o: ENABLE_SWAGGER, v: '{{gitea_enable_api}}'}
+ - {s: oauth2, o: ENABLE, v: '{{gitea_enable_oauth2_provider}}'}
+ - {s: oauth2, o: JWT_SECRET, v: '{{gitea_jwt_secret}}'}
+ - {s: i18n, o: LANGS, v: '{{gitea_i18n | map(attribute="code") | join(",")}}'}
+ - {s: i18n, o: NAMES, v: '{{gitea_i18n | map(attribute="label") | join(",")}}'}
 - {s: markup.asciidoc, o: ENABLED, v: 'true'}
- - {s: markup.asciidoc, o: RENDER_COMMAND, v: 'asciidoctor --out-file=- -'}
+ - {s: markup.asciidoc, o: RENDER_COMMAND, v: 'asciidoctor --backend=html5 --no-header-footer --attribute source-highlighter=highlightjs --out-file=- -'}
 - {s: other, o: SHOW_FOOTER_VERSION, v: 'false'}
 - {s: other, o: SHOW_FOOTER_TEMPLATE_LOAD_TIME, v: 'false'}
 notify:
diff --git a/roles/motion_back/handlers/main.yml b/roles/motion_back/handlers/main.yml
index a92a1dc..757a8c1 100644
--- a/roles/motion_back/handlers/main.yml
+++ b/roles/motion_back/handlers/main.yml
@@ -12,11 +12,11 @@
 - name: restart socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\x3alocalhost\x3a1080.service
 systemd:
 daemon_reload: true
- name: socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\x3alocalhost\x3a1080.service
+ name: socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\\x3alocalhost\\x3a1080.service
 state: restarted
 - name: restart socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\x3alocalhost\x3a1081.service
 systemd:
 daemon_reload: true
- name: socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\x3alocalhost\x3a1081.service
+ name: socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\\x3alocalhost\\x3a1081.service
 state: restarted
diff --git a/roles/nextcloud_back/tasks/main.yml b/roles/nextcloud_back/tasks/main.yml
index 72908d5..f04bf4b 100644
--- a/roles/nextcloud_back/tasks/main.yml
+++ b/roles/nextcloud_back/tasks/main.yml
@@ -328,9 +328,12 @@
 dbpassword: "'{{nextcloud_db_password}}'"
 dbtype: "'pgsql'"
 dbuser: "'{{nextcloud_db_user}}'"
+ default_phone_region: "'{{locales_default | truncate(2, True, '', 0) | upper}}'"
 filelocking.enabled: 'false'
+ localstorage.allowsymlinks: 'true'
 log.condition: " array ( )"
 log_type: "'syslog'"
+ loglevel: 1
 mail_domain: "'{{net_soa}}'"
 mail_smtphost: "'{{DMZ}}'"
 mail_smtpmode: "'smtp'"
diff --git a/roles/printscan/tasks/main.yml b/roles/printscan/tasks/main.yml
index e69e9ee..5efbca0 100644
--- a/roles/printscan/tasks/main.yml
+++ b/roles/printscan/tasks/main.yml
@@ -42,7 +42,7 @@
 - name: enable and start cups
 systemd:
 daemon_reload: true
- name: org.cups.cupsd.service
+ name: cups.service
 enabled: true
 state: started
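Review bot: The rewritten `RENDER_COMMAND` still runs `asciidoctor` without `--safe-mode`, and as I recall the asciidoctor CLI defaults to `unsafe` (only the Ruby API defaults to `secure`), so repository content — which anyone with push access controls — is rendered with `include::` fully enabled and a crafted `.adoc` can pull any file readable by `{{gitea_user}}`, such as the `/etc/gitea/app.ini` this role writes with the database password, `SECRET_KEY` and `JWT_SECRET`, into the rendered page. Change the line to `- {s: markup.asciidoc, o: RENDER_COMMAND, v: 'asciidoctor --safe-mode=secure --backend=html5 --no-header-footer --attribute source-highlighter=highlightjs --out-file=- -'}`. Two smaller points in the same hunk: `JWT_SECRET` is written even when `oauth2` `ENABLE` is `'false'`, which is only harmless if the variable holds a real secret, and `gitea_enable_api` gates `ENABLE_SWAGGER` alone — the REST API itself stays on — so the variable's comment ("Enable API and Swagger UI") overpromises and should read `# Enable the Swagger UI for the API (the API itself is always on).`. The settings loop starts above the hunk; the `notify:` that closes it is the hunk's last line.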
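Review bot: The doubled backslashes in `name: …\\x3alocalhost\\x3a1080.service` look deliberate (the handler's own `- name:` key keeps the single-backslash form), but nothing records why the unit name handed to the `systemd` module needs `\\x3a` while the same unit is spelled with `\x3a` one line above; the next person to touch this will see two spellings of one unit and "fix" the wrong one. Add a comment above each `systemd:` block, e.g. `# systemd escapes ':' in instance names as \x3a; the systemd module needs the backslash doubled to address the unit — do not "fix" to a single backslash`, with the actual mechanism confirmed against `systemctl list-units` rather than my guess. Both handlers are fully inside the hunk.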
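Review bot: `localstorage.allowsymlinks: 'true'` (rendered as PHP `true`, judging by the neighbouring `filelocking.enabled: 'false'`) lets external local-storage mounts follow symlinks out of their configured root; Nextcloud keeps this off by default because a symlink dropped into a mounted directory — by another local service, a sync client, or anyone with shell access — exposes whatever the web-server user can read, so this line deliberately widens the file-access boundary and needs a justification next to it. If a specific mount requires it, add a comment such as `# needed so the <mount> external storage can follow symlinks into <path>; widens local-storage access — review before adding other local mounts`, otherwise drop the line. `loglevel: 1` (info) is more verbose than Nextcloud's default warning level and will send more user activity to syslog; if it is a debugging leftover, say so or revert it. The `config.php` mapping this hunk edits starts and ends outside the hunk.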