fd86da0db5
...
112fd6053d
Author | SHA1 | Date |
---|---|---|
Yves G | 112fd6053d |
|
@ -111,7 +111,7 @@ Last but not least, the machine that will run the Ansible playbook should:
|
||||||
* have a version of Ansible greater than 2.2:
|
* have a version of Ansible greater than 2.2:
|
||||||
** module `include_role` runs dynamically (available since version 2.4),
|
** module `include_role` runs dynamically (available since version 2.4),
|
||||||
** modules `ini_file`, `lineinfile`, `mount`, and `replace` use the `path` parameter (available since version 2.3),
|
** modules `ini_file`, `lineinfile`, `mount`, and `replace` use the `path` parameter (available since version 2.3),
|
||||||
** modules `ldap_attr` and `ldap_entry` are used (available since version 2.3),
|
** module `ldap_attrs` is used (available since version 3.4),
|
||||||
** module `lineinfile` uses the `firstmatch` parameter (available since version 2.5),
|
** module `lineinfile` uses the `firstmatch` parameter (available since version 2.5),
|
||||||
** module `user` uses the `create_home` parameter (available since version 2.5);
|
** module `user` uses the `create_home` parameter (available since version 2.5);
|
||||||
|
|
||||||
|
|
|
@ -317,22 +317,24 @@ ldap_virtual_user_gid: 65534
|
||||||
# These settings are enforced at each run. Examples:
|
# These settings are enforced at each run. Examples:
|
||||||
# — gecos: the full name that typically appears on the login screen;
|
# — gecos: the full name that typically appears on the login screen;
|
||||||
# — http://directory.fedoraproject.org/docs/389ds/design/shadow-account-support.html.
|
# — http://directory.fedoraproject.org/docs/389ds/design/shadow-account-support.html.
|
||||||
ldap_users_attrs: '[
|
ldap_users_attrs:
|
||||||
{"uid": "you", "attr": "gecos", "value": "Y-O. Udel"},
|
- {uid: "you", attr: "gecos", value: "Y-O. Udel"}
|
||||||
{"uid": "you", "attr": "shadowLastChange", "value": "16000"},
|
- {uid: "you", attr: "shadowLastChange", value: "16000"}
|
||||||
{"uid": "you", "attr": "shadowMax", "value": "99999"},
|
- {uid: "you", attr: "shadowMax", value: "99999"}
|
||||||
{"uid": "you", "attr": "shadowWarning", "value": "7"},
|
- {uid: "you", attr: "shadowWarning", value: "7"}
|
||||||
{"uid": "me", "attr": "gecos", "value": "M. Ellen"},
|
- {uid: "me", attr: "gecos", value: "M. Ellen"}
|
||||||
{"uid": "me", "attr": "shadowLastChange", "value": "16000"},
|
- {uid: "me", attr: "shadowLastChange", value: "16000"}
|
||||||
{"uid": "me", "attr": "shadowMax", "value": "99999"},
|
- {uid: "me", attr: "shadowMax", value: "99999"}
|
||||||
{"uid": "me", "attr": "shadowWarning", "value": "7"}
|
- {uid: "me", attr: "shadowWarning", value: "7"}
|
||||||
]'
|
|
||||||
|
|
||||||
# Login name and password of the LibreOffice OnLine web services’ administrator.
|
# Login name and password of the LibreOffice OnLine web services’ administrator.
|
||||||
# Usefulness not clear; it doesn’t hurt to use the same values as in “nextcloud_admin_user” and “nextcloud_admin_password”…
|
# Usefulness not clear; it doesn’t hurt to use the same values as in “nextcloud_admin_user” and “nextcloud_admin_password”…
|
||||||
loolwsd_admin_user: nextcloud_admin
|
loolwsd_admin_user: nextcloud_admin
|
||||||
loolwsd_admin_password: nextcloud_admin
|
loolwsd_admin_password: nextcloud_admin
|
||||||
|
|
||||||
|
# Language used by LibreOffice OnLine (LOOL), either 2 or 5 characters, packaged with CollaboraOnline.
|
||||||
|
loolwsd_lang: en
|
||||||
|
|
||||||
# LibreOffice OnLine’s description: “The maximum percentage of system memory consumed
|
# LibreOffice OnLine’s description: “The maximum percentage of system memory consumed
|
||||||
# by all of the LibreOffice Online, after which we start cleaning up idle documents”.
|
# by all of the LibreOffice Online, after which we start cleaning up idle documents”.
|
||||||
loolwsd_maxmem_asdouble: '80.0'
|
loolwsd_maxmem_asdouble: '80.0'
|
||||||
|
@ -537,7 +539,7 @@ prosody_db_password: prosody
|
||||||
sane_drivers: epson2
|
sane_drivers: epson2
|
||||||
|
|
||||||
# Space-separated list of pacman mirrors to use.
|
# Space-separated list of pacman mirrors to use.
|
||||||
software_mirrors: 'archlinux.de-labrusse.fr mirror.archlinux.ikoula.com'
|
software_mirrors: 'mirror.archlinux.ikoula.com archlinux.vi-di.fr'
|
||||||
|
|
||||||
# Software that will get removed if present, on next run of the playbook (JSON list).
|
# Software that will get removed if present, on next run of the playbook (JSON list).
|
||||||
software_to_del: '["dhcpcd"]'
|
software_to_del: '["dhcpcd"]'
|
||||||
|
|
|
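Review bot: The new `loolwsd_lang` comment says what the value looks like but not what it is used for, and the use is not harmless: the nextcloud role pastes it verbatim into the PKGBUILD's `_I18N_EREGEX` through a sed substitution, so anything but a plain language tag corrupts either the sed script or the resulting regex. Suggest spelling that constraint out next to the default: `# Language kept when building CollaboraOnline, 2 or 5 characters (e.g. en, en_GB). The value is substituted unescaped into the PKGBUILD's _I18N_EREGEX (an ERE) via sed, so it must not contain regex or sed metacharacters such as / & \ . * |`. That keeps the operator from putting a `de|fr` style alternation here without knowing what it does to the build.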
@ -46,7 +46,7 @@
|
||||||
copy:
|
copy:
|
||||||
content: |
|
content: |
|
||||||
location = / {
|
location = / {
|
||||||
rewrite ^ $scheme://{{net_soa}}{{http_pfx_dotclear}} redirect;
|
rewrite ^ $proxy_scheme://{{net_soa}}{{http_pfx_dotclear}} redirect;
|
||||||
}
|
}
|
||||||
location {{http_pfx_dotclear}} {
|
location {{http_pfx_dotclear}} {
|
||||||
alias {{dotclear_root}};
|
alias {{dotclear_root}};
|
||||||
|
|
|
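Review bot: The rewrite now depends on `$proxy_scheme`, which this include cannot guarantee is set: nginx evaluates an uninitialized variable as an empty string (logging a warning), so a server block that includes this file without a matching `set $proxy_scheme` would answer `Location: ://host/…`. A comment above the rewrite would make the contract explicit, e.g. `# $proxy_scheme must be set by the enclosing server block (dmz_nginx server template); nginx's own $scheme is not usable here because TLS is apparently terminated upstream (proxy_protocol)`. The `copy: content:` block starts and ends outside the hunk.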
@ -171,13 +171,13 @@
|
||||||
with_items: "{{mail_alias_memberships}}"
|
with_items: "{{mail_alias_memberships}}"
|
||||||
|
|
||||||
- name: declare existing aliases’ members
|
- name: declare existing aliases’ members
|
||||||
ldap_attr:
|
ldap_attrs:
|
||||||
server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
|
server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
|
||||||
bind_dn: "cn=root,{{ldap_root}}"
|
bind_dn: "cn=root,{{ldap_root}}"
|
||||||
bind_pw: "{{ldap_rootpw}}"
|
bind_pw: "{{ldap_rootpw}}"
|
||||||
dn: "cn={{item.alias}},ou=Aliases,{{ldap_root}}"
|
dn: "cn={{item.alias}},ou=Aliases,{{ldap_root}}"
|
||||||
name: rfc822MailMember
|
attributes:
|
||||||
values: "{{item.member}}"
|
rfc822MailMember: "{{item.member}}"
|
||||||
state: present
|
state: present
|
||||||
with_items: "{{mail_alias_memberships}}"
|
with_items: "{{mail_alias_memberships}}"
|
||||||
|
|
||||||
|
|
|
@ -19,6 +19,7 @@ server {
|
||||||
access_log /var/log/nginx/http_access.log proxy_log;
|
access_log /var/log/nginx/http_access.log proxy_log;
|
||||||
set_real_ip_from unix:;
|
set_real_ip_from unix:;
|
||||||
real_ip_header proxy_protocol;
|
real_ip_header proxy_protocol;
|
||||||
|
set $proxy_scheme "http";
|
||||||
set $proxy_https "off";
|
set $proxy_https "off";
|
||||||
set $proxy_port "80";
|
set $proxy_port "80";
|
||||||
include inc.d/{{nickname}}_php-full.inc;
|
include inc.d/{{nickname}}_php-full.inc;
|
||||||
|
@ -32,6 +33,7 @@ server {
|
||||||
access_log /var/log/nginx/https_access.log proxy_log;
|
access_log /var/log/nginx/https_access.log proxy_log;
|
||||||
set_real_ip_from unix:;
|
set_real_ip_from unix:;
|
||||||
real_ip_header proxy_protocol;
|
real_ip_header proxy_protocol;
|
||||||
|
set $proxy_scheme "https";
|
||||||
set $proxy_https "on";
|
set $proxy_https "on";
|
||||||
set $proxy_port "443";
|
set $proxy_port "443";
|
||||||
include inc.d/{{nickname}}_php-full.inc;
|
include inc.d/{{nickname}}_php-full.inc;
|
||||||
|
@ -46,6 +48,7 @@ server {
|
||||||
access_log /var/log/nginx/https_access.log proxy_log;
|
access_log /var/log/nginx/https_access.log proxy_log;
|
||||||
set_real_ip_from unix:;
|
set_real_ip_from unix:;
|
||||||
real_ip_header proxy_protocol;
|
real_ip_header proxy_protocol;
|
||||||
|
set $proxy_scheme "https";
|
||||||
set $proxy_https "on";
|
set $proxy_https "on";
|
||||||
set $proxy_port "443";
|
set $proxy_port "443";
|
||||||
include inc.d/{{nickname}}_php-full.inc;
|
include inc.d/{{nickname}}_php-full.inc;
|
||||||
|
|
|
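Review bot: The added `set $proxy_scheme` is a third parallel per-server constant next to `$proxy_https` and `$proxy_port`, repeated in three blocks with nothing explaining why nginx's own `$scheme` is not used, which invites a "cleanup" that reintroduces the bug this commit fixes. Suggest a comment before the first `set` of each block, e.g. `# Client-facing connection as reported by the upstream proxy; nginx's $scheme/$server_port describe the local unix socket (proxy_protocol) and are useless here — keep the three values consistent`. If the enclosing `http` context is templated by this role too, a single `map $proxy_scheme $proxy_https { default off; https on; }` (and one for the port) would remove the duplication, but that context is not visible in this template.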
@ -51,6 +51,12 @@
|
||||||
notify:
|
notify:
|
||||||
- restart dovecot.service
|
- restart dovecot.service
|
||||||
|
|
||||||
|
- name: create the configuration directory
|
||||||
|
file:
|
||||||
|
name: /etc/dovecot
|
||||||
|
state: directory
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
- name: main configuration
|
- name: main configuration
|
||||||
template:
|
template:
|
||||||
src: templates/dovecot.conf.j2
|
src: templates/dovecot.conf.j2
|
||||||
|
|
|
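Review bot: `mode: 0755` in the new task relies on PyYAML's YAML 1.1 octal parse (it reaches Ansible as the integer 493, accepted only thanks to the leading zero); the Ansible docs recommend quoting modes, `mode: "0755"`, so a later edit to `755` cannot silently become decimal 755. The existing `mode: 0644` lines in this file use the same unquoted form, so either quote them all or leave them all, but do not mix. The task also leaves owner/group to the connecting user; if the play runs as root that is the intended `root:root`, but `owner: root` / `group: root` would state it.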
@ -6,6 +6,13 @@
|
||||||
# WARNING: This file may be used inside a mounted chroot.
|
# WARNING: This file may be used inside a mounted chroot.
|
||||||
# The running system should not be assumed to be the target system.
|
# The running system should not be assumed to be the target system.
|
||||||
|
|
||||||
|
- name: set hostname (needed by etckeeper)
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
{{hostname}}
|
||||||
|
dest: "{{chroot}}/etc/hostname"
|
||||||
|
mode: 0644
|
||||||
|
|
||||||
### INIT ⇒ ###
|
### INIT ⇒ ###
|
||||||
- name: init EtcKeeper
|
- name: init EtcKeeper
|
||||||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=init.yml
|
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=init.yml
|
||||||
|
@ -74,13 +81,6 @@
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
# Host names
|
# Host names
|
||||||
- name: set hostname
|
|
||||||
copy:
|
|
||||||
content: |
|
|
||||||
{{hostname}}
|
|
||||||
dest: "{{chroot}}/etc/hostname"
|
|
||||||
mode: 0644
|
|
||||||
|
|
||||||
- name: set the hosts file
|
- name: set the hosts file
|
||||||
copy:
|
copy:
|
||||||
src: files/hosts
|
src: files/hosts
|
||||||
|
|
|
@ -12,11 +12,11 @@
|
||||||
- name: restart socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\x3alocalhost\x3a1080.service
|
- name: restart socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\x3alocalhost\x3a1080.service
|
||||||
systemd:
|
systemd:
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
name: socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\\x3alocalhost\\x3a1080.service
|
name: socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\x3alocalhost\x3a1080.service
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
- name: restart socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\x3alocalhost\x3a1081.service
|
- name: restart socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\x3alocalhost\x3a1081.service
|
||||||
systemd:
|
systemd:
|
||||||
daemon_reload: true
|
daemon_reload: true
|
||||||
name: socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\\x3alocalhost\\x3a1081.service
|
name: socat-unix-to-tcp4@-run-shared_sockets-motion_stream.socket\x3alocalhost\x3a1081.service
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
|
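Review bot: The corrected unit name `…motion_control.socket\x3alocalhost\x3a1080.service` is only literal because the scalar is unquoted; in a double-quoted YAML scalar `\x3a` would be decoded to `:` and the handler would restart a unit that does not exist. Single-quoting the two `name:` values (and the matching handler names above them) pins the escape: `name: 'socat-unix-to-tcp4@-run-shared_sockets-motion_control.socket\x3alocalhost\x3a1080.service'`. A comment such as `# \x3a is systemd-escape's encoding of ':' in the instance name; keep one backslash` would stop the next editor from reintroducing the doubled backslash this commit removes.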
@ -27,7 +27,12 @@
|
||||||
allow_duplicates: true
|
allow_duplicates: true
|
||||||
vars:
|
vars:
|
||||||
packages:
|
packages:
|
||||||
- collabora-online-server-nodocker
|
- pkg: collabora-online-server-nodocker
|
||||||
|
pre: |
|
||||||
|
LANG=C sed -ri '
|
||||||
|
s/^(_I18N_EREGEX=).*$/\1{{loolwsd_lang}}/
|
||||||
|
' PKGBUILD
|
||||||
|
cat PKGBUILD
|
||||||
aur_user: git
|
aur_user: git
|
||||||
|
|
||||||
- name: create the nextcloud user
|
- name: create the nextcloud user
|
||||||
|
@ -87,8 +92,10 @@
|
||||||
with_dict:
|
with_dict:
|
||||||
server_name: '{{net_soa}}:443'
|
server_name: '{{net_soa}}:443'
|
||||||
memproportion: '{{loolwsd_maxmem_asdouble}}'
|
memproportion: '{{loolwsd_maxmem_asdouble}}'
|
||||||
'enable\s[^>]*browser': 'false'
|
'enable\s[^>]*SSL[^>]*between loolwsd and the network': 'false'
|
||||||
termination: 'true'
|
termination: 'true'
|
||||||
|
'as_scheme\s[^>]*SSL': 'false'
|
||||||
|
'enable\s[^>]*SSL[^>]*between storage and loolwsd': 'false'
|
||||||
username: '{{loolwsd_admin_user}}'
|
username: '{{loolwsd_admin_user}}'
|
||||||
password: '{{loolwsd_admin_password}}'
|
password: '{{loolwsd_admin_password}}'
|
||||||
notify:
|
notify:
|
||||||
|
@ -103,33 +110,37 @@
|
||||||
notify:
|
notify:
|
||||||
- restart loolwsd.service
|
- restart loolwsd.service
|
||||||
|
|
||||||
- name: ensure ownership of the nextcloud home directory
|
- name: ensure Nextcloud ownership
|
||||||
file:
|
block:
|
||||||
path: "{{nextcloud_data}}"
|
|
||||||
state: directory
|
|
||||||
owner: "{{nextcloud_user}}"
|
|
||||||
group: "{{nextcloud_user}}"
|
|
||||||
recurse: true
|
|
||||||
|
|
||||||
- name: ensure ownership of the nextcloud configuration directory
|
- name: ensure Nextcloud ownership — prepare file
|
||||||
file:
|
shell: >
|
||||||
path: "{{nextcloud_conf}}"
|
sed -r '
|
||||||
state: directory
|
/%[CL]/ d;
|
||||||
owner: "{{nextcloud_user}}"
|
s#%S/nextcloud#{{nextcloud_data}}#g;
|
||||||
group: "{{nextcloud_user}}"
|
s#%t#/var/tmp#g;
|
||||||
mode: 0750
|
s/([[:blank:]]+nextcloud){2}$/ {{nextcloud_user}} {{nextcloud_user}}/
|
||||||
|
'
|
||||||
|
</usr/lib/tmpfiles.d/nextcloud.conf
|
||||||
|
>/tmp/nextcloud.conf
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
- name: create extra directories
|
- name: ensure Nextcloud ownership — install file
|
||||||
file:
|
copy:
|
||||||
path: "{{item}}"
|
src: /tmp/nextcloud.conf
|
||||||
state: directory
|
dest: /etc/tmpfiles.d/nextcloud.conf
|
||||||
owner: "{{nextcloud_user}}"
|
remote_src: true
|
||||||
group: "{{nextcloud_user}}"
|
|
||||||
mode: 0750
|
always:
|
||||||
with_items:
|
- name: ensure Nextcloud ownership — cleanup
|
||||||
- /var/tmp/nextcloud
|
file:
|
||||||
- "{{nextcloud_data}}/data"
|
path: /tmp/nextcloud.conf
|
||||||
- "{{nextcloud_data}}/apps"
|
state: absent
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
|
- name: ensure Nextcloud ownership — apply
|
||||||
|
command: systemd-tmpfiles --create
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
- name: send initial configuration
|
- name: send initial configuration
|
||||||
copy:
|
copy:
|
||||||
|
|
|
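Review bot: The new "prepare file" step writes the rendered tmpfiles config to the fixed, predictable path `/tmp/nextcloud.conf` through a shell redirection, and "install file" then copies that path into `/etc/tmpfiles.d/`, which `systemd-tmpfiles --create` applies as root; any local user who pre-creates `/tmp/nextcloud.conf` (or a symlink there) can have the playbook install their ownership/mode rules, or at least make the run fail. The temp file is not needed: register the sed output and write it with `copy: content:`, which removes the race, the `always:` cleanup and the `remote_src` copy. The `changed_when: false` on the final `systemd-tmpfiles --create` is kept, as it is.

```yaml
- name: ensure Nextcloud ownership — render tmpfiles config
  shell: >
    sed -r '
    /%[CL]/ d;
    s#%S/nextcloud#{{nextcloud_data}}#g;
    s#%t#/var/tmp#g;
    s/([[:blank:]]+nextcloud){2}$/ {{nextcloud_user}} {{nextcloud_user}}/
    '
    </usr/lib/tmpfiles.d/nextcloud.conf
  register: nextcloud_tmpfiles
  changed_when: false

- name: ensure Nextcloud ownership — install file
  copy:
    content: "{{ nextcloud_tmpfiles.stdout }}\n"
    dest: /etc/tmpfiles.d/nextcloud.conf
    mode: 0644

# … unchanged: "ensure Nextcloud ownership — apply" task …
```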
@ -33,12 +33,26 @@
|
||||||
msg: php
|
msg: php
|
||||||
### ⇐ UPSTREAM END ###
|
### ⇐ UPSTREAM END ###
|
||||||
|
|
||||||
- name: enable PHP extension imagick
|
- name: enable PHP extensions
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/php/conf.d/imagick.ini
|
path: /etc/php/conf.d/{{item}}.ini
|
||||||
backrefs: true
|
backrefs: true
|
||||||
regexp: '^;*(extension=imagick)\s*$'
|
regexp: '^;\s*(extension\s*=\s*{{item}}).*$'
|
||||||
line: '\1'
|
line: '\1'
|
||||||
|
with_items:
|
||||||
|
- apcu
|
||||||
|
- geoip
|
||||||
|
- imagick
|
||||||
|
|
||||||
|
- name: alter PHP APCu configuration lines
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/php/conf.d/apcu.ini
|
||||||
|
regexp: '^;*{{item.name}}\s*='
|
||||||
|
line: '{{item.name}}={{item.value}}'
|
||||||
|
with_items:
|
||||||
|
- {name: 'apc.enable_cli', value: 1}
|
||||||
|
notify:
|
||||||
|
- restart php-fpm.service (front)
|
||||||
|
|
||||||
- name: activate PHP extensions
|
- name: activate PHP extensions
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
|
|
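Review bot: In the new APCu task the regexp `'^;*{{item.name}}\s*='` inserts `apc.enable_cli` unescaped, so the `.` is a wildcard; harmless for this one key, but the loop invites more entries and escaping costs nothing: `regexp: '^;*{{item.name | regex_escape}}\s*='`. The "enable PHP extensions" regexp `'^;\s*(extension\s*=\s*{{item}}).*$'` has the same unescaped interpolation, and its trailing `.*$` silently drops whatever followed the name (a `.so` suffix or a comment) when `\1` is written back — fine only if each `/etc/php/conf.d/<name>.ini` holds that single line, which the hunk does not show. Neither lineinfile task notifies `restart php-fpm.service (front)`, so a newly enabled extension takes effect only when the APCu line happens to change; unless the "activate PHP extensions" task below (cut off by the hunk) covers it, add the same `notify` to the first task.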
@ -226,13 +226,12 @@
|
||||||
with_items: "{{ldap_virtual_users}}"
|
with_items: "{{ldap_virtual_users}}"
|
||||||
|
|
||||||
- name: all users’ properties LDIF
|
- name: all users’ properties LDIF
|
||||||
ldap_attr:
|
ldap_attrs:
|
||||||
server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
|
server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
|
||||||
bind_dn: "cn=root,{{ldap_root}}"
|
bind_dn: "cn=root,{{ldap_root}}"
|
||||||
bind_pw: "{{ldap_rootpw}}"
|
bind_pw: "{{ldap_rootpw}}"
|
||||||
dn: "uid={{item.uid}},ou=Users,{{ldap_root}}"
|
dn: "uid={{item.uid}},ou=Users,{{ldap_root}}"
|
||||||
name: "{{item.attr}}"
|
attributes: '{"{{item.attr}}": "{{item.value}}"}'
|
||||||
values: "{{item.value}}"
|
|
||||||
state: exact
|
state: exact
|
||||||
with_items: "{{ldap_users_attrs}}"
|
with_items: "{{ldap_users_attrs}}"
|
||||||
|
|
||||||
|
@ -250,13 +249,13 @@
|
||||||
with_items: "{{ldap_system_groups}}"
|
with_items: "{{ldap_system_groups}}"
|
||||||
|
|
||||||
- name: declare existing groups’ members
|
- name: declare existing groups’ members
|
||||||
ldap_attr:
|
ldap_attrs:
|
||||||
server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
|
server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
|
||||||
bind_dn: "cn=root,{{ldap_root}}"
|
bind_dn: "cn=root,{{ldap_root}}"
|
||||||
bind_pw: "{{ldap_rootpw}}"
|
bind_pw: "{{ldap_rootpw}}"
|
||||||
dn: "cn={{item.group}},ou=Groups,{{ldap_root}}"
|
dn: "cn={{item.group}},ou=Groups,{{ldap_root}}"
|
||||||
name: memberuid
|
attributes:
|
||||||
values: "{{item.member}}"
|
memberuid: "{{item.member}}"
|
||||||
state: present
|
state: present
|
||||||
with_items: "{{ldap_system_group_members}}"
|
with_items: "{{ldap_system_group_members}}"
|
||||||
|
|
||||||
|
|
|
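Review bot: `attributes: '{"{{item.attr}}": "{{item.value}}"}'` builds the dict by string interpolation and relies on Ansible re-parsing the result as JSON; a value containing `"` or `\` (a gecos with a quote, say) produces an unparsable string and the task fails, and the attribute name is not validated at all. A native dict expression avoids the re-parse entirely: `attributes: "{{ {item.attr: item.value} }}"`. Since `state: exact` replaces the attribute's whole value set with the single `item.value` on every run, a task comment such as `# exact: any other values of item.attr on the entry are removed` would make that side effect visible next to the code rather than only in the vars file.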
@ -5,3 +5,4 @@
|
||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
- role: cleanupdate
|
- role: cleanupdate
|
||||||
|
- role: dmz_nginx
|
||||||
|
|
4
site.yml
4
site.yml
|
@ -46,15 +46,15 @@
|
||||||
- init
|
- init
|
||||||
- cleanupdate
|
- cleanupdate
|
||||||
- postinstall
|
- postinstall
|
||||||
|
- ldap
|
||||||
- iodine
|
- iodine
|
||||||
- ddclient_HE_example
|
- ddclient_HE_example
|
||||||
- ddclient_FreeDNS_example
|
- ddclient_FreeDNS_example
|
||||||
|
- dmz_nginx
|
||||||
- ssowat
|
- ssowat
|
||||||
- ldap
|
|
||||||
- php
|
- php
|
||||||
- ssh
|
- ssh
|
||||||
- transmission
|
- transmission
|
||||||
- dmz_nginx
|
|
||||||
- dmz_exim
|
- dmz_exim
|
||||||
- dmz_haproxy
|
- dmz_haproxy
|
||||||
- dmz_ihmgit_front
|
- dmz_ihmgit_front
|
||||||
|
|