miscellaneous fixes

2021-11-05 08:55:44 +01:00
13 changed files with 99 additions and 63 deletions
--- a/README.adoc
+++ b/README.adoc
@ -111,7 +111,7 @@ Last but not least, the machine that will run the Ansible playbook should:
 * have a version of Ansible greater than 2.2:
 ** module `include_role` runs dynamically (available since version 2.4),
 ** modules `ini_file`, `lineinfile`, `mount`, and `replace` use the `path` parameter (available since version 2.3),
-** modules `ldap_attr` and `ldap_entry` are used (available since version 2.3),
+** module `ldap_attrs` is used (available since version 3.4),
 ** module `lineinfile` uses the `firstmatch` parameter (available since version 2.5),
 ** module `user` uses the `create_home` parameter (available since version 2.5);

--- a/group_vars/all
+++ b/group_vars/all
@ -317,22 +317,24 @@ ldap_virtual_user_gid: 65534
 # These settings are enforced at each run. Examples:
 # — gecos: the full name that typically appears on the login screen;
 # — http://directory.fedoraproject.org/docs/389ds/design/shadow-account-support.html.
-ldap_users_attrs: '[
-    {"uid": "you", "attr": "gecos", "value": "Y-O. Udel"},
-    {"uid": "you", "attr": "shadowLastChange", "value": "16000"},
-    {"uid": "you", "attr": "shadowMax", "value": "99999"},
-    {"uid": "you", "attr": "shadowWarning", "value": "7"},
-    {"uid": "me", "attr": "gecos", "value": "M. Ellen"},
-    {"uid": "me", "attr": "shadowLastChange", "value": "16000"},
-    {"uid": "me", "attr": "shadowMax", "value": "99999"},
-    {"uid": "me", "attr": "shadowWarning", "value": "7"}
-  ]'
+ldap_users_attrs:
+  - {uid: "you", attr: "gecos", value: "Y-O. Udel"}
+  - {uid: "you", attr: "shadowLastChange", value: "16000"}
+  - {uid: "you", attr: "shadowMax", value: "99999"}
+  - {uid: "you", attr: "shadowWarning", value: "7"}
+  - {uid: "me", attr: "gecos", value: "M. Ellen"}
+  - {uid: "me", attr: "shadowLastChange", value: "16000"}
+  - {uid: "me", attr: "shadowMax", value: "99999"}
+  - {uid: "me", attr: "shadowWarning", value: "7"}

 # Login name and password of the LibreOffice OnLine web services’ administrator.
 # Usefulness not clear; it doesn’t hurt to use the same values as in “nextcloud_admin_user” and “nextcloud_admin_password”…
 loolwsd_admin_user: nextcloud_admin
 loolwsd_admin_password: nextcloud_admin

+# Language used by LibreOffice OnLine (LOOL), either 2 or 5 characters, packaged with CollaboraOnline.
+loolwsd_lang: en
+
 # LibreOffice OnLine’s description: “The maximum percentage of system memory consumed
 # by all of the LibreOffice Online, after which we start cleaning up idle documents”.
 loolwsd_maxmem_asdouble: '80.0'
@ -537,7 +539,7 @@ prosody_db_password: prosody
 sane_drivers: epson2

 # Space-separated list of pacman mirrors to use.
-software_mirrors: 'archlinux.de-labrusse.fr mirror.archlinux.ikoula.com'
+software_mirrors: 'mirror.archlinux.ikoula.com archlinux.vi-di.fr'

 # Software that will get removed if present, on next run of the playbook (JSON list).
 software_to_del: '["dhcpcd"]'
--- a/roles/dmz_dotclear_front/tasks/main.yml
+++ b/roles/dmz_dotclear_front/tasks/main.yml
@ -46,7 +46,7 @@
  copy:
    content: |
      location = / {
-        rewrite ^ $scheme://{{net_soa}}{{http_pfx_dotclear}} redirect;
+        rewrite ^ $proxy_scheme://{{net_soa}}{{http_pfx_dotclear}} redirect;
      }
      location {{http_pfx_dotclear}} {
        alias {{dotclear_root}};
--- a/roles/dmz_exim/tasks/main.yml
+++ b/roles/dmz_exim/tasks/main.yml
@ -171,13 +171,13 @@
  with_items: "{{mail_alias_memberships}}"

 - name: declare existing aliases’ members
-  ldap_attr:
+  ldap_attrs:
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
    dn: "cn={{item.alias}},ou=Aliases,{{ldap_root}}"
-    name: rfc822MailMember
-    values: "{{item.member}}"
+    attributes:
+      rfc822MailMember: "{{item.member}}"
    state: present
  with_items: "{{mail_alias_memberships}}"

--- a/roles/dmz_nginx/templates/10.conf.j2
+++ b/roles/dmz_nginx/templates/10.conf.j2
@ -19,6 +19,7 @@ server {
 	access_log /var/log/nginx/http_access.log proxy_log;
 	set_real_ip_from unix:;
 	real_ip_header proxy_protocol;
+	set $proxy_scheme "http";
 	set $proxy_https "off";
 	set $proxy_port "80";
 	include inc.d/{{nickname}}_php-full.inc;
@ -32,6 +33,7 @@ server {
 	access_log /var/log/nginx/https_access.log proxy_log;
 	set_real_ip_from unix:;
 	real_ip_header proxy_protocol;
+	set $proxy_scheme "https";
 	set $proxy_https "on";
 	set $proxy_port "443";
 	include inc.d/{{nickname}}_php-full.inc;
@ -46,6 +48,7 @@ server {
 	access_log /var/log/nginx/https_access.log proxy_log;
 	set_real_ip_from unix:;
 	real_ip_header proxy_protocol;
+	set $proxy_scheme "https";
 	set $proxy_https "on";
 	set $proxy_port "443";
 	include inc.d/{{nickname}}_php-full.inc;
--- a/roles/dovecot/tasks/main.yml
+++ b/roles/dovecot/tasks/main.yml
@ -51,6 +51,12 @@
  notify:
    - restart dovecot.service

+- name: create the configuration directory
+  file:
+    name: /etc/dovecot
+    state: directory
+    mode: 0755
+
 - name: main configuration
  template:
    src: templates/dovecot.conf.j2
--- a/roles/init/tasks/main.yml
+++ b/roles/init/tasks/main.yml
@ -6,6 +6,13 @@
 # WARNING: This file may be used inside a mounted chroot.
 # The running system should not be assumed to be the target system.

+- name: set hostname (needed by etckeeper)
+  copy:
+    content: |
+      {{hostname}}
+    dest: "{{chroot}}/etc/hostname"
+    mode: 0644
+
 ### INIT ⇒ ###
 - name: init EtcKeeper
  include_role: name=etckeeper.inc allow_duplicates=true tasks_from=init.yml
@ -74,13 +81,6 @@
    mode: 0644

 # Host names
- name: set hostname
-  copy:
-    content: |
-      {{hostname}}
-    dest: "{{chroot}}/etc/hostname"
-    mode: 0644
-
 - name: set the hosts file
  copy:
    src: files/hosts
--- a/roles/motion_back/handlers/main.yml
+++ b/roles/motion_back/handlers/main.yml
@ -12,11 +12,11 @@
 - name: restart socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\x3alocalhost\x3a1080.service
  systemd:
    daemon_reload: true
-    name: socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\\x3alocalhost\\x3a1080.service
+    name: socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\x3alocalhost\x3a1080.service
    state: restarted

 - name: restart socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\x3alocalhost\x3a1081.service
  systemd:
    daemon_reload: true
-    name: socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\\x3alocalhost\\x3a1081.service
+    name: socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\x3alocalhost\x3a1081.service
    state: restarted
--- a/roles/nextcloud_back/tasks/main.yml
+++ b/roles/nextcloud_back/tasks/main.yml
@ -27,7 +27,12 @@
    allow_duplicates: true
  vars:
    packages:
-      - collabora-online-server-nodocker
+      - pkg: collabora-online-server-nodocker
+        pre: |
+          LANG=C sed -ri '
+            s/^(_I18N_EREGEX=).*$/\1{{loolwsd_lang}}/
+          ' PKGBUILD
+          cat PKGBUILD
    aur_user: git

 - name: create the nextcloud user
@ -87,8 +92,10 @@
  with_dict:
    server_name: '{{net_soa}}:443'
    memproportion: '{{loolwsd_maxmem_asdouble}}'
-    'enable\s[^>]*browser': 'false'
+    'enable\s[^>]*SSL[^>]*between loolwsd and the network': 'false'
    termination: 'true'
+    'as_scheme\s[^>]*SSL': 'false'
+    'enable\s[^>]*SSL[^>]*between storage and loolwsd': 'false'
    username: '{{loolwsd_admin_user}}'
    password: '{{loolwsd_admin_password}}'
  notify:
@ -103,33 +110,37 @@
  notify:
    - restart loolwsd.service

- name: ensure ownership of the nextcloud home directory
-  file:
-    path: "{{nextcloud_data}}"
-    state: directory
-    owner: "{{nextcloud_user}}"
-    group: "{{nextcloud_user}}"
-    recurse: true
+- name: ensure Nextcloud ownership
+  block:

- name: ensure ownership of the nextcloud configuration directory
-  file:
-    path: "{{nextcloud_conf}}"
-    state: directory
-    owner: "{{nextcloud_user}}"
-    group: "{{nextcloud_user}}"
-    mode: 0750
+    - name: ensure Nextcloud ownership — prepare file
+      shell: >
+        sed -r '
+          /%[CL]/ d;
+          s#%S/nextcloud#{{nextcloud_data}}#g;
+          s#%t#/var/tmp#g;
+          s/([[:blank:]]+nextcloud){2}$/ {{nextcloud_user}} {{nextcloud_user}}/
+        '
+        </usr/lib/tmpfiles.d/nextcloud.conf
+        >/tmp/nextcloud.conf
+      changed_when: false

- name: create extra directories
-  file:
-    path: "{{item}}"
-    state: directory
-    owner: "{{nextcloud_user}}"
-    group: "{{nextcloud_user}}"
-    mode: 0750
-  with_items:
-    - /var/tmp/nextcloud
-    - "{{nextcloud_data}}/data"
-    - "{{nextcloud_data}}/apps"
+    - name: ensure Nextcloud ownership — install file
+      copy:
+        src: /tmp/nextcloud.conf
+        dest: /etc/tmpfiles.d/nextcloud.conf
+        remote_src: true
+
+  always:
+    - name: ensure Nextcloud ownership — cleanup
+      file:
+        path: /tmp/nextcloud.conf
+        state: absent
+      changed_when: false
+
+- name: ensure Nextcloud ownership — apply
+  command: systemd-tmpfiles --create
+  changed_when: false

 - name: send initial configuration
  copy:
--- a/roles/php/tasks/main.yml
+++ b/roles/php/tasks/main.yml
@ -33,12 +33,26 @@
    msg: php
 ### ⇐ UPSTREAM END ###

- name: enable PHP extension imagick
+- name: enable PHP extensions
  lineinfile:
-    path: /etc/php/conf.d/imagick.ini
+    path: /etc/php/conf.d/{{item}}.ini
    backrefs: true
-    regexp: '^;*(extension=imagick)\s*$'
+    regexp: '^;\s*(extension\s*=\s*{{item}}).*$'
    line: '\1'
+  with_items:
+    - apcu
+    - geoip
+    - imagick
+
+- name: alter PHP APCu configuration lines
+  lineinfile:
+    path: /etc/php/conf.d/apcu.ini
+    regexp: '^;*{{item.name}}\s*='
+    line: '{{item.name}}={{item.value}}'
+  with_items:
+    - {name: 'apc.enable_cli', value: 1}
+  notify:
+    - restart php-fpm.service (front)

 - name: activate PHP extensions
  lineinfile:
--- a/roles/slapd/tasks/main.yml
+++ b/roles/slapd/tasks/main.yml
@ -226,13 +226,12 @@
  with_items: "{{ldap_virtual_users}}"

 - name: all users’ properties LDIF
-  ldap_attr:
+  ldap_attrs:
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
    dn: "uid={{item.uid}},ou=Users,{{ldap_root}}"
-    name: "{{item.attr}}"
-    values: "{{item.value}}"
+    attributes: '{"{{item.attr}}": "{{item.value}}"}'
    state: exact
  with_items: "{{ldap_users_attrs}}"

@ -250,13 +249,13 @@
  with_items: "{{ldap_system_groups}}"

 - name: declare existing groups’ members
-  ldap_attr:
+  ldap_attrs:
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
    dn: "cn={{item.group}},ou=Groups,{{ldap_root}}"
-    name: memberuid
-    values: "{{item.member}}"
+    attributes:
+      memberuid: "{{item.member}}"
    state: present
  with_items: "{{ldap_system_group_members}}"

--- a/roles/ssowat/meta.OK/main.yml
+++ b/roles/ssowat/meta.OK/main.yml
@ -5,3 +5,4 @@

 dependencies:
  - role: cleanupdate
+  - role: dmz_nginx
--- a/site.yml
+++ b/site.yml
@ -46,15 +46,15 @@
    - init
    - cleanupdate
    - postinstall
+    - ldap
    - iodine
    - ddclient_HE_example
    - ddclient_FreeDNS_example
+    - dmz_nginx
    - ssowat
-    - ldap
    - php
    - ssh
    - transmission
-    - dmz_nginx
    - dmz_exim
    - dmz_haproxy
    - dmz_ihmgit_front