

3 Commits

Author SHA1 Message Date
Yves G. 2c50b3398e WIP 2023-12-30 16:32:52 +01:00
Yves G e0087d54f0 env-management (dev/prod) + podman 2023-07-30 19:38:12 +02:00
Yves G 87936b77fd fixes - temporary, now incomplete! 2023-07-30 19:38:12 +02:00
231 changed files with 2151 additions and 723 deletions

19
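--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,19 @@
+# EditorConfig is awesome: https://EditorConfig.org
+# top-most EditorConfig file
+root = true
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+[Makefile]
+indent_style = tab
+tab_width = 2
+[*.md]
+trim_trailing_whitespace = false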

1
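--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+target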


@ -1,6 +1,6 @@
/////
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
/////
@ -132,6 +132,6 @@ $ ansible-playbook -i production site.yml
[literal.small]
.....
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
.....


@ -1,6 +1,6 @@
/////
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
/////
@ -74,8 +74,8 @@ Command (m for help): g
Created a new GPT disklabel…
Command (m for help): n
Partition number (1-128, default 1):
First sector (…):
Partition number (1-128, default 1):
First sector (…):
Last sector, +sectors or +size{K,M,G,T,P} (…): +128M
Created a new partition 1…
@ -86,14 +86,14 @@ Hex code (type L to list all codes): 1
Changed type of partition 'Linux filesystem' to 'EFI System'.
Command (m for help): n
Partition number (2-128, default 2):
First sector (…):
Partition number (2-128, default 2):
First sector (…):
Last sector, +sectors or +size{K,M,G,T,P} (…):
Created a new partition 2…
Command (m for help): t
Partition number (1,2, default 2):
Partition number (1,2, default 2):
Hex code (type L to list all codes): 31
Changed type of partition 'Linux filesystem' to 'Linux LVM'.
@ -304,7 +304,7 @@ root@archiso ~ # arch-chroot /mnt
[root@archiso /]# cat >/etc/systemd/network/bridge.network <<-"THEEND"
> [Match]
> Name=wire
>
>
> [Network]
> IPForward=yes
> Address={back-ip}/{net-bits}
@ -313,7 +313,7 @@ root@archiso ~ # arch-chroot /mnt
[root@archiso /]# cat >/etc/systemd/network/wired.network <<-"THEEND"
> [Match]
> Name=en*
>
>
> [Network]
> Bridge=wire
> THEEND
@ -390,12 +390,12 @@ NOTE: Most values and paths here are examples, and shall be adapted.
[subs="+attributes"]
```bash
[root@{back-name} ~]# systemctl -M {front-name} stop haproxy.service
[root@{back-name} ~]# systemctl -M {front-name} stop nginx.service
[root@{back-name} ~]# systemctl -M {front-name} stop openresty.service
[root@{back-name} ~]# systemctl -M {front-name} stop php-fpm.service
[root@{back-name} ~]# sudo -u postgres pg_restore -c -C -F c -d postgres \
> </backup/dotclear.cdump
[root@{back-name} ~]# systemctl -M {front-name} start php-fpm.service
[root@{back-name} ~]# systemctl -M {front-name} start nginx.service
[root@{back-name} ~]# systemctl -M {front-name} start openresty.service
[root@{back-name} ~]# systemctl -M {front-name} start haproxy.service
```
@ -404,7 +404,7 @@ NOTE: Most values and paths here are examples, and shall be adapted.
[subs="+attributes"]
```bash
[root@{back-name} ~]# systemctl -M {front-name} stop haproxy.service
[root@{back-name} ~]# systemctl -M {front-name} stop nginx.service
[root@{back-name} ~]# systemctl -M {front-name} stop openresty.service
[root@{back-name} ~]# systemctl -M {front-name} stop prosody.service
[root@{back-name} ~]# sudo -u postgres pg_restore -c -C -F c -d postgres \
> </backup/prosody.cdump
@ -419,7 +419,7 @@ ALTER TABLE
{prosody-db}=# \q
[postgres@{back-name} ~]$ exit
[root@{back-name} ~]# systemctl -M {front-name} start prosody.service
[root@{back-name} ~]# systemctl -M {front-name} start nginx.service
[root@{back-name} ~]# systemctl -M {front-name} start openresty.service
[root@{back-name} ~]# systemctl -M {front-name} start haproxy.service
```
@ -444,7 +444,7 @@ Stop Nextcloud and restore the data::
[subs="+attributes"]
```bash
[root@{back-name} ~]# systemctl -M {front-name} stop haproxy.service
[root@{back-name} ~]# systemctl -M {front-name} stop nginx.service
[root@{back-name} ~]# systemctl -M {front-name} stop openresty.service
[root@{back-name} ~]# systemctl stop nextcloud-maintenance.timer
[root@{back-name} ~]# systemctl stop uwsgi@nextcloud.socket
[root@{back-name} ~]# systemctl stop uwsgi@nextcloud.service
@ -514,7 +514,7 @@ Restart Nextcloud::
```bash
[root@{back-name} ~]# systemctl start uwsgi@nextcloud.socket
[root@{back-name} ~]# systemctl start nextcloud-maintenance.timer
[root@{back-name} ~]# systemctl -M {front-name} start nginx.service
[root@{back-name} ~]# systemctl -M {front-name} start openresty.service
[root@{back-name} ~]# systemctl -M {front-name} start haproxy.service
```
@ -538,6 +538,6 @@ I decided to do a clean import, especially since I configured Dovecot in a way
[literal.small]
.....
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
.....


@ -1,27 +1,8 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
# Short personal nickname that will be mostly used as part of filenames under /etc.
nickname: personal
# Hostname and IPv4 address of the DMZ.
DMZ: dmz
DMZ_IP: 192.168.1.254
# Hostname and IPv4 address of the back-end server (with all the data).
SafeZone: home
SafeZone_IP: 192.168.1.253
# Domain names that the certificate should cover.
acme_domains: 'example.org www.example.org pubsub.example.org'
# Public key that Ansible will use to manage the server, and IP address of the controller PC.
# The public key (`….pub` file) is generated as the result of running `ssh-keygen -t ed25519`.
ansible_authorized_key: 'ssh-ed25519 AAAA0000bbbb1111CCCC2222dddd3333EEEE4444ffff5555GGGG6666hhhh7777IIII me@my-pc'
ansible_master: 192.168.1.252
# System user that will build packages from AUR (https://aur.archlinux.org/).
aur_user: git
@ -53,17 +34,17 @@ dotclear_master_key: 0123456789abcdefghijklmnopqrstuvwxyz
dotclear_root: /srv/webapps/dotclear
# The default locale (https://wiki.archlinux.org/index.php/Locale).
locales_default: 'en_US.UTF-8'
locales_default: 'en_GB.UTF-8'
# All installed locales on the server.
locales_enabled: 'en_US.UTF-8 fr_FR.UTF-8 fr_FR@euro'
locales_enabled: 'en_US.UTF-8 en_GB.UTF-8'
# Enable DNSSEC in systemd-resolved (“yes” or “no”, as a character string); experimental!
dns_sec: 'no'
# DNS servers to use on the server, for example:
# FDN-1 (v4) FDN-2 (v4) FDN-1 (v6) FDN-2 (v6) OpenNIC-1 OpenNIC-2 Google
dns_hosts: '80.67.169.12 80.67.169.40 2001:910:800::12 2001:910:800::40 87.98.175.85 5.135.183.146 8.8.8.8'
# OpenNIC-1 OpenNIC-2 Cloudflare-1/-2
dns_hosts: '51.158.108.203 51.77.149.139 1.1.1.1 1.0.0.1'
# Nearest NTP servers (https://www.ntppool.org/).
ntp_hosts: '0.uk.pool.ntp.org 1.uk.pool.ntp.org 2.uk.pool.ntp.org 3.uk.pool.ntp.org'
@ -79,9 +60,6 @@ fw_knock_timeout_min: 2
# Port-knocking sequence. A port may appear multiple times, but not next to each-other.
fw_portknock_seq: 1 22 333 4444 333 22 1
# The email address associated to root, for commits in the git repository that stores changes to /etc.
git_contact_email: hostmaster@example.org
# Watch new repositories inside the already-watched perimeter by default.
gitea_auto_watch_new_repos: 'true'
@ -208,7 +186,7 @@ http_pfx_privatebin: /paste
http_pfx_prosody: /xmpp-
# URL prefix of SSOwat (SSO and web portal).
http_pfx_ssowat: /start
http_pfx_sso: /start
# URL prefix of Transmission (web UI for BitTorrent).
http_pfx_transmission: /torrent
@ -216,14 +194,11 @@ http_pfx_transmission: /torrent
# URL prefix of Wallabag (social sharing of bookmarks).
http_pfx_wallabag: /bookmarks
# Subdomain-name that will serve DNS packets for Iodine (DNS tunnel). Choose it short!
iodine_domain: dt.example.org
# Network associated with the DNS tunnel (IP address of the server on this network, “/”, bits for the network-mask).
iodine_net: '172.16.12.1/28'
# Password of the DNS tunnel.
iodine_password: '_t_r___e@6358'
iodine_password: 'dns-passwd'
# Location of Kodi state data (not the media contents).
kodi_data: /var/lib/kodi
@ -249,20 +224,9 @@ lam_passwordMustNotContainUser: 'true'
# Title for LDAP-Account-Manager in the SSOwat portal.
lam_sso_title: Directory
# Additional ACL for LDAP.
# This is typically used to give extra powers to users, for example regarding aliases management.
ldap_extra_acl: |
access to dn.subtree="ou=Aliases,dc=example,dc=org"
by dn.base="uid=me,ou=Users,dc=example,dc=org" write
by self read
by * read
# Organization-name for this home-server LDAP directory.
ldap_o_name: 'Home'
# Root of the LDAP directory. Usually the domain-name with commas instead of dots, and “dc=” in front of each level.
ldap_root: dc=example,dc=org
# Password of the root user (administrator) in OpenLDAP.
ldap_rootpw: 'OE104995à6&o_zKR4'
@ -273,7 +237,7 @@ ldap_rootpw_sha: '{SSHA}Raa3TlvDPZTjdM44nKZQt+hDvQRvaMDC'
# Custom system groups and memberships, declared in LDAP.
# This is the right place to declare a group in which to put all real and system users, who will be allowed to read media contents.
ldap_system_groups: '[
{"cn": "registered", "gidNumber": 1200}
{"cn": "registered", "gidNumber": 1200},
{"cn": "media", "gidNumber": 1201}
]'
ldap_system_group_members: '[
@ -339,30 +303,12 @@ loolwsd_lang: en
# by all of the LibreOffice Online, after which we start cleaning up idle documents”.
loolwsd_maxmem_asdouble: '80.0'
# Non-system mail aliases (stored in LDAP, in contrast to system aliases, which are stored in /etc/mail/aliases).
# Each entry in the list contains:
# — alias: a unique mail alias, either new or with existing associated recipients;
# — member: the login name of the user to add as a recipient for the alias.
mail_alias_memberships: '[
{"alias": "shop", "member": "you"},
{"alias": "throwable", "member": "me"},
{"alias": "family", "member": "me"},
{"alias": "family", "member": "you"}
]'
# DKIM selector to use (see http://yalis.fr/cms/index.php/post/2014/01/31/Why-buy-a-domain-name-Secure-mail%2E).
# See the “dmz_exim” role for the storage of the private and public keys.
mail_dkim_selector: home
# Actual Linux user, that receives all system emails (for root, postmaster, hostmaster…).
mail_forward_root_to: me
# IPv6 address of the ISPs smarthost when the ISP does not handle SMTP on IPv6 (example: smtp.bbox.fr).
mail_ignore_ip: '2001:860:e2ef::f503:0:2'
# All local mail destinations, which include managed domains, as well as host names.
mail_local_domains: 'home dmz localhost example.org *.example.org *.local'
# Maximum number of SPAM-filter workers.
mail_max_spam_workers: 5
@ -392,22 +338,6 @@ motion_cloud_password: password
motion_cloud_id: app_id_xxxxx
motion_cloud_key: xxxxxxxxxx…xxxxxxxxxx
motion_email_recipient: hostmaster@localhost
motion_cameras: '[
{
"id": 1, "name": "street door",
"url": "rtsp://user:password@street.example.org:554/videoMain",
"width": 640, "height": 360,
"mask_file": "example_mask_640_360.pgm",
"framerate": 5
},
{
"id": 2, "name": "garden door",
"url": "rtsp://user:password@garden.example.org:554/videoMain",
"width": 640, "height": 360,
"mask_file": null,
"framerate": 5
}
]'
motion_web_title: "Video surveillance"
# Name of the Movim database in PostgreSQL.
@ -435,9 +365,6 @@ movim_private_port: 33333
# — the web address for updating web applications…
net_allowed_domains: 'checkip.dns.he.net dyn.dns.he.net freedns.afraid.org download.dotclear.org dotaddict.org api.movim.eu'
# Start Of Authority: the root domain name configured on the server.
net_soa: example.org
# Subdomain for the XMPP multi-user chat component.
net_subdom_muc: muc
@ -449,7 +376,7 @@ net_subdom_ssh: ssh
# Local networks from which network connections are trusted.
# OpenSSH requires that the IP in front of the “/” character is the first IP of the range!
net_trusted_ranges: '192.168.1.248/28 127.0.0.0/8 ::1'
net_trusted_ranges: '192.168.1.240/28 127.0.0.0/8 ::1'
# Administrator for Nextcloud (not necessarily an LDAP user).
nextcloud_admin_user: nextcloud_admin
@ -539,13 +466,13 @@ prosody_db_password: prosody
sane_drivers: epson2
# Space-separated list of pacman mirrors to use.
software_mirrors: 'mirror.archlinux.ikoula.com archlinux.vi-di.fr'
software_mirrors: 'mirror.cyberbits.eu archlinux.vi-di.fr'
# Software that will get removed if present, on next run of the playbook (JSON list).
software_to_del: '["dhcpcd"]'
# Comma-separated list of software that pacman should not automatically upgrade.
software_to_ignore: 'linux,linux-firmware,linux-headers'
software_to_ignore: 'linux,linux-firmware,linux-headers,nginx-mainline'
# Environment variables that SSH may keep for remote connections.
ssh_accept_env: 'LANG LC_*'
@ -573,7 +500,7 @@ ssh_bastion_pwd_sha512: '$6$ZN4I.yIVUj0amxqe$5dBx1d34tNm9NMmmFV3UxZ0V2ecmOjefK5d
ssh_clientalive_interval: 600
# Servers timezone.
timezone: Europe/Paris
timezone: Europe/Dublin
# TLS ciphers to enable in TLS-terminating software (HAProxy, Nginx…).
# See https://wiki.mozilla.org/Security/Server_Side_TLS.
@ -598,6 +525,61 @@ transmission_real_todo_at: /mnt/share/p2p/iso.torrent
transmission_nfs_done_at: share/p2p/iso
transmission_nfs_todo_at: share/p2p/iso.torrent
# Name used in file-names to identify the VPN
vpn_name: my_vpn
# IP/CIDR of DMZ no-VPN network namespace when VPN is setup
vpn_avoiding_ip_cidr: 192.168.1.240/24
# OpenVPN credentials
vpn_login: my-vpn-login
vpn_password: my-vpn-password
# OpenVPN settings
vpn_ca_certificate: |
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
vpn_interface_type: tun # or tap
vpn_protocol: udp6 # or udp, tcp, tcp6
vpn_server_host: vpn.example.org
vpn_server_port: 1194
vpn_tls_auth_key: |
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
# Name of the Wallabag database in PostgreSQL.
wallabag_db: wallabag
@ -607,9 +589,6 @@ wallabag_db_user: wallabag
# Password for the PostgreSQL user who owns the Wallabag database.
wallabag_db_password: wallabag
# Space-separated list of the XMPP accounts that are considered administrators of the XMPP service.
xmpp_admins: 'me@example.org'
# Network hosts from which registration is possible (else it is forbidden).
# Registration of hosted users is automatic.
xmpp_registration_hosts: '127.0.0.1 192.168.1.254 192.168.1.253 192.168.1.252'
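Review bot: The new `vpn_login`, `vpn_password`, `vpn_ca_certificate` and `vpn_tls_auth_key` entries in the `@ -598,6 +525,61 @@` hunk are added to the shared common file with placeholder values, and neither the new `env/dev` nor `env/prod` `all.yaml` in this compare appears to override them, so the real credentials and the static key would have to be written into the file that every environment includes. I would add a comment above `vpn_login` such as `# Override per environment (env/<name>/group_vars/all/), ideally in an ansible-vault encrypted file; do not fill in here.`, and the same applies to `iodine_password`, which this section also rewrites as a plain-text placeholder. Separately, `software_to_ignore` now pins `nginx-mainline` while the rest of the compare moves handlers and notifications to `openresty.service`; if the package is being replaced it belongs in `software_to_del` rather than in the ignore list, since holding it back also blocks its security updates.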


@ -0,0 +1 @@
../../../00_common_all.yaml

67
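--- a/env/dev/group_vars/all/all.yaml
+++ b/env/dev/group_vars/all/all.yaml
@@ -0,0 +1,67 @@
+---
+# The home-server project produces a multi-purpose setup using Ansible.
+# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
+# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
+env: dev
+# Short personal nickname that will be mostly used as part of filenames under /etc.
+nickname: mydev
+# Hostname and IPv4 address of the DMZ.
+DMZ: front-dev
+DMZ_IP: 10.0.2.4
+# Hostname and IPv4 address of the back-end server (with all the data).
+SafeZone: back-dev
+SafeZone_IP: 10.0.2.3
+# Domain names that the certificate should cover.
+acme_domains: 'mydev.uk muc.mydev.uk pubsub.mydev.uk ssh.mydev.uk'
+# Public key that Ansible will use to manage the server, and IP address of the controller PC.
+# The public key (`….pub` file) is generated as the result of running `ssh-keygen -t ed25519`.
+ansible_authorized_key: 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsidHzJhnXXRdWo4NUVmkMORcNN9k9RYaU4eSYgZ3hW me@my-pc'
+ansible_master: 192.168.1.252
+# The email address associated to root, for commits in the git repository that stores changes to /etc.
+git_contact_email: hostmaster@mydev.uk
+# Subdomain-name that will serve DNS packets for Iodine (DNS tunnel). Choose it short!
+iodine_domain: dt.mydev.uk
+# Additional ACL for LDAP.
+# This is typically used to give extra powers to users, for example regarding aliases management.
+ldap_extra_acl: |
+access to dn.subtree="ou=Aliases,dc=mydev,dc=uk"
+by dn.base="uid=me,ou=Users,dc=mydev,dc=uk" write
+by self read
+by * read
+# Root of the LDAP directory. Usually the domain-name with commas instead of dots, and “dc=” in front of each level.
+ldap_root: dc=mydev,dc=uk
+# Non-system mail aliases (stored in LDAP, in contrast to system aliases, which are stored in /etc/mail/aliases).
+# Each entry in the list contains:
+# — alias: a unique mail alias, either new or with existing associated recipients;
+# — member: the login name of the user to add as a recipient for the alias.
+mail_alias_memberships: '[
+{"alias": "us", "member": "me"},
+{"alias": "us", "member": "you"}
+]'
+# DKIM selector to use (see http://yalis.uk/cms/index.php/post/2014/01/31/Why-buy-a-domain-name-Secure-mail%2E).
+# See the “dmz_exim” role for the storage of the private and public keys.
+mail_dkim_selector: back-dev
+# All local mail destinations, which include managed domains, as well as host names.
+mail_local_domains: 'back-dev front-dev localhost mydev.uk *.mydev.uk *.local'
+# Motion monitored cameras
+motion_cameras: '[
+]'
+# Start Of Authority: the root domain name configured on the server.
+net_soa: mydev.uk
+# Space-separated list of the XMPP accounts that are considered administrators of the XMPP service.
+xmpp_admins: 'me@mydev.uk you@mydev.uk'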
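Review bot: The comment above `mail_dkim_selector` links to `http://yalis.uk/cms/...`, whereas the same comment in `env/prod/group_vars/all/all.yaml` and in `00_common_all.yaml` reads `http://yalis.fr/cms/...`; this looks like a blanket `.fr` to `.uk` substitution that also hit the documentation URL, so the line should keep `# DKIM selector to use (see http://yalis.fr/cms/index.php/post/2014/01/31/Why-buy-a-domain-name-Secure-mail%2E).`. Also `ansible_authorized_key` here carries what appears to be a real ed25519 public key while the prod file keeps the obviously dummy `AAAA0000bbbb…` pattern; if this file is meant as a template for others, the placeholder form is preferable.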

8
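--- a/env/dev/group_vars/back.yaml
+++ b/env/dev/group_vars/back.yaml
@@ -0,0 +1,8 @@
+---
+# The home-server project produces a multi-purpose setup using Ansible.
+# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
+# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
+hostname: back-dev
+ssh_allowed_users: 'root me you'
+software_to_add: '[]'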

8
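--- a/env/dev/group_vars/front.yaml
+++ b/env/dev/group_vars/front.yaml
@@ -0,0 +1,8 @@
+---
+# The home-server project produces a multi-purpose setup using Ansible.
+# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
+# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
+hostname: front-dev
+ssh_allowed_users: 'root {{ssh_bastion_user}}'
+software_to_add: '[]'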

9
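--- a/env/dev/group_vars/front_chroot.yaml
+++ b/env/dev/group_vars/front_chroot.yaml
@@ -0,0 +1,9 @@
+---
+# The home-server project produces a multi-purpose setup using Ansible.
+# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
+# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
+hostname: front-dev
+chroot: "/var/lib/machines/{{DMZ}}"
+ssh_allowed_users: 'root {{ssh_bastion_user}}'
+software_to_add: '[]'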

9
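--- a/env/dev/hosts
+++ b/env/dev/hosts
@@ -0,0 +1,9 @@
+# The home-server project produces a multi-purpose setup using Ansible.
+# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
+# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
+[back]
+back-dev ansible_connection=containers.podman.podman
+[front]
+front-dev ansible_connection=containers.podman.podman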


@ -0,0 +1 @@
../../../00_common_all.yaml

83
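--- a/env/prod/group_vars/all/all.yaml
+++ b/env/prod/group_vars/all/all.yaml
@@ -0,0 +1,83 @@
+---
+# The home-server project produces a multi-purpose setup using Ansible.
+# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
+# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
+env: prod
+# Short personal nickname that will be mostly used as part of filenames under /etc.
+nickname: personal
+# Hostname and IPv4 address of the DMZ.
+DMZ: dmz
+DMZ_IP: 192.168.1.254
+# Hostname and IPv4 address of the back-end server (with all the data).
+SafeZone: home
+SafeZone_IP: 192.168.1.253
+# Domain names that the certificate should cover.
+acme_domains: 'example.org muc.example.org pubsub.example.org ssh.example.org'
+# Public key that Ansible will use to manage the server, and IP address of the controller PC.
+# The public key (`….pub` file) is generated as the result of running `ssh-keygen -t ed25519`.
+ansible_authorized_key: 'ssh-ed25519 AAAA0000bbbb1111CCCC2222dddd3333EEEE4444ffff5555GGGG6666hhhh7777IIII me@my-pc'
+ansible_master: 192.168.1.252
+# The email address associated to root, for commits in the git repository that stores changes to /etc.
+git_contact_email: hostmaster@example.org
+# Subdomain-name that will serve DNS packets for Iodine (DNS tunnel). Choose it short!
+iodine_domain: dt.example.org
+# Additional ACL for LDAP.
+# This is typically used to give extra powers to users, for example regarding aliases management.
+ldap_extra_acl: |
+access to dn.subtree="ou=Aliases,dc=example,dc=org"
+by dn.base="uid=me,ou=Users,dc=example,dc=org" write
+by self read
+by * read
+# Root of the LDAP directory. Usually the domain-name with commas instead of dots, and “dc=” in front of each level.
+ldap_root: dc=example,dc=org
+# Non-system mail aliases (stored in LDAP, in contrast to system aliases, which are stored in /etc/mail/aliases).
+# Each entry in the list contains:
+# — alias: a unique mail alias, either new or with existing associated recipients;
+# — member: the login name of the user to add as a recipient for the alias.
+mail_alias_memberships: '[
+{"alias": "shop", "member": "you"},
+{"alias": "throwable", "member": "me"},
+{"alias": "family", "member": "me"},
+{"alias": "family", "member": "you"}
+]'
+# DKIM selector to use (see http://yalis.fr/cms/index.php/post/2014/01/31/Why-buy-a-domain-name-Secure-mail%2E).
+# See the “dmz_exim” role for the storage of the private and public keys.
+mail_dkim_selector: home
+# All local mail destinations, which include managed domains, as well as host names.
+mail_local_domains: 'home dmz localhost example.org *.example.org *.local'
+# Motion monitored cameras
+motion_cameras: '[
+{
+"id": 1, "name": "street door",
+"url": "rtsp://user:password@street.example.org:554/videoMain",
+"width": 640, "height": 360,
+"mask_file": "example_mask_640_360.pgm",
+"framerate": 5
+},
+{
+"id": 2, "name": "garden door",
+"url": "rtsp://user:password@garden.example.org:554/videoMain",
+"width": 640, "height": 360,
+"mask_file": null,
+"framerate": 5
+}
+]'
+# Start Of Authority: the root domain name configured on the server.
+net_soa: example.org
+# Space-separated list of the XMPP accounts that are considered administrators of the XMPP service.
+xmpp_admins: 'me@example.org'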


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
hostname: home


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
hostname: dmz


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
hostname: dmz


@ -1,5 +1,5 @@
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
[back]


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: stop some services


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: stop again services that may got started by handlers


@ -1,5 +1,5 @@
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
[Unit]


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart dehydrated.service


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###
@ -10,6 +10,12 @@
msg: ACME
### ⇐ UPSTREAM BEGIN ###
- name: install software (dev)
package:
# for Ansible crypto
name: python-cryptography
when: (env == 'dev')
- name: install dehydrated (Lets Encrypt)
include_role:
name: aur.inc
@ -68,6 +74,7 @@
src: files/dehydrated.timer
dest: /etc/systemd/system/dehydrated.timer
mode: 0644
when: (env == 'prod')
notify:
- restart dehydrated.service
@ -76,6 +83,45 @@
daemon_reload: true
name: dehydrated.timer
enabled: true
when: (env == 'prod')
## DEV
#https://docs.ansible.com/ansible/latest/collections/community/crypto/docsite/guide_selfsigned.html
- name: create private key (dev)
community.crypto.openssl_privatekey:
path: /var/lib/acme/self-signed.key
when: (env == 'dev')
- name: create CSR (dev)
community.crypto.openssl_csr:
path: /var/lib/acme/self-signed.csr
privatekey_path: /var/lib/acme/self-signed.key
common_name: "{{net_soa}}"
organization_name: "{{nickname}}"
subject_alt_name: "{{acme_domains | split | map('regex_replace','^','DNS:')}}"
subject_alt_name_critical: true
when: (env == 'dev')
- name: create self-signed certificate (dev)
community.crypto.x509_certificate:
path: /var/lib/acme/self-signed.pem
privatekey_path: /var/lib/acme/self-signed.key
csr_path: /var/lib/acme/self-signed.csr
provider: selfsigned
when: (env == 'dev')
- name: deploy self-signed certificate (dev)
command: >
/etc/dehydrated/{{nickname}}-hook.sh deploy_cert
{{net_soa}}
/var/lib/acme/self-signed.key
/var/lib/acme/self-signed.pem
/var/lib/acme/self-signed.pem
/dev/null
{{ansible_date_time.epoch}}
when: (env == 'dev')
### LOCAL COMMIT ⇒ ###
- name: commit local changes
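Review bot: In the `create CSR (dev)` task, `subject_alt_name: "{{acme_domains | split | map('regex_replace','^','DNS:')}}"` uses `map` without a trailing `| list`; the object `map` returns is a generator, which Ansible does not reliably render as a list when the expression is the whole value, so the SAN entries may not reach the CSR as intended — the line should read `subject_alt_name: "{{ acme_domains | split | map('regex_replace', '^', 'DNS:') | list }}"`. The `deploy self-signed certificate (dev)` task is a bare `command:` with neither `changed_when:` nor a `creates:`/guard, so every dev run re-deploys the certificate and reports the play as changed; if re-running the hook on each run is intended, `changed_when: false` documents that, otherwise guard it on the deployed file. A one-line comment at the `## DEV` marker saying that the `community.crypto` tasks below rely on the `python-cryptography` package installed in the `install software (dev)` task would make the coupling between those two `when: (env == 'dev')` groups explicit.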


@ -1,5 +1,5 @@
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
#CA="https://acme-staging.api.letsencrypt.org/directory"


@ -1,18 +1,21 @@
#!/usr/bin/env bash
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
#
# NOTE: on 1st run, DMZ software is NOT YET INSTALLED!
set -e
RSH=/usr/local/bin/{{DMZ}}
ETC_CHANGED_{{hostname}}=
ETC_CHANGED_{{DMZ}}=
ETC_CHANGED_{{hostname | regex_replace('-', '_')}}=
ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}=
etckeeper_hook() {
if [ -n "$ETC_CHANGED_{{hostname}}" ]; then
etc_stop_local 'ACME update'
fi
if [ -n "$ETC_CHANGED_{{DMZ}}" ]; then
$RSH "etc_stop_local 'ACME update'"
$RSH "etc_stop_local 'ACME update' || true"
fi
}
@ -37,11 +40,11 @@ deploy_exim() {
&& $RSH 'find /etc/mail/exim.{pem,crt} -mmin -$((1+($(date +%s)-${1})/60)) -printf . | grep -q ..' ${6%.*}; then
return 0
fi
local copy='cat >$1; chown exim $1; chmod 400 $1; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
local copy='[ -d /etc/mail ] || mkdir -p /etc/mail; cat >$1; if id exim 2>/dev/null; then chown exim $1; chmod 400 $1; else chmod 444 $1; fi; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
$RSH "$copy" /etc/mail/exim.pem $6 <"$2"
$RSH "$copy" /etc/mail/exim.crt $6 <"$4"
systemctl -M {{DMZ}} reload exim.service
ETC_CHANGED_{{DMZ}}=1
$RSH 'systemctl reload exim.service || true'
ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}=1
}
# $1: force|test; $2: KEYFILE; $3: CERTFILE; $4: FULLCHAINFILE; $5: CHAINFILE; $6: TIMESTAMP
@ -51,11 +54,11 @@ deploy_prosody() {
&& $RSH 'find /etc/prosody/certs/{{net_soa}}.{key,crt} -mmin -$((1+($(date +%s)-${1})/60)) -printf . | grep -q ..' ${6%.*}; then
return 0
fi
local copy='cat >$1; chown prosody $1; chmod 400 $1; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
local copy='[ -d /etc/prosody/certs ] || mkdir -p /etc/prosody/certs; cat >$1; if id prosody 2>/dev/null; then chown prosody $1; chmod 400 $1; else chmod 444 $1; fi; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
$RSH "$copy" /etc/prosody/certs/{{net_soa}}.key $6 <"$2"
$RSH "$copy" /etc/prosody/certs/{{net_soa}}.crt $6 <"$4"
systemctl -M {{DMZ}} reload prosody.service
ETC_CHANGED_{{DMZ}}=1
$RSH 'systemctl reload prosody.service || true'
ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}=1
}
# $1: force|test; $2: KEYFILE; $3: CERTFILE; $4: FULLCHAINFILE; $5: CHAINFILE; $6: TIMESTAMP
@ -65,10 +68,10 @@ deploy_haproxy() {
&& $RSH 'find /etc/haproxy/tls.pem -mmin -$((1+($(date +%s)-${1})/60)) -printf . | grep -q .' ${6%.*}; then
return 0
fi
local copy='cat >$1; chmod 400 $1; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
local copy='[ -d /etc/haproxy ] || mkdir -p /etc/haproxy; cat >$1; chmod 400 $1; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
cat "$4" "$2" | $RSH "$copy" /etc/haproxy/tls.pem $6
systemctl -M {{DMZ}} reload haproxy.service
ETC_CHANGED_{{DMZ}}=1
$RSH 'systemctl reload haproxy.service || true'
ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}=1
}
deploy_cert() {
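Review bot: The new `copy` strings in `deploy_exim` and `deploy_prosody` fall back to `chmod 444 $1` when the service user does not exist yet, which leaves the freshly written private key (`/etc/mail/exim.pem`, `/etc/prosody/certs/{{net_soa}}.key`) world-readable on the DMZ; a root-owned 0400 file is enough until a later deploy takes the `chown` branch, so the fallback should be `else chmod 400 $1; fi` (the `deploy_haproxy` variant already keeps 0400). The top-level assignments and the `ETC_CHANGED_…=1` lines now use `{{hostname | regex_replace('-', '_')}}` / `{{DMZ | regex_replace('-', '_')}}`, but `etckeeper_hook` still tests `$ETC_CHANGED_{{hostname}}` and `$ETC_CHANGED_{{DMZ}}`; with a hyphenated host such as `front-dev`, bash expands `$ETC_CHANGED_front-dev` as `$ETC_CHANGED_front` followed by a literal `-dev`, so `-n` is always true and `etc_stop_local` runs on every hook invocation. Both tests should use the same filtered names, e.g. `if [ -n "$ETC_CHANGED_{{hostname | regex_replace('-', '_')}}" ]; then` and `if [ -n "$ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}" ]; then`. Minor: `id exim 2>/dev/null` still prints the `id` output to stdout when the user exists; `id exim >/dev/null 2>&1` keeps the hook output clean.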


@ -1,10 +1,10 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: ensure /srv/acme exists
@ -20,7 +20,7 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
### LOCAL COMMIT ⇒ ###
- name: commit local changes


@ -1,9 +1,9 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
# mandatory parameters: pkg_name, pre_cmd, aur_user
# mandatory parameters: pkg_name, pre_cmd, aur_name, aur_home
- name: AUR → {{pkg_name}} → read current version
shell: |
@ -14,7 +14,7 @@
- name: AUR → {{pkg_name}} → get metadata from AurJson
uri:
url: https://aur.archlinux.org/rpc/?v=5&type=info&arg={{pkg_name | mandatory}}
connection: local
delegate_to: localhost
register: aurjson
changed_when: false
@ -22,7 +22,7 @@
get_url:
url: https://aur.archlinux.org{{aurjson.json.results[0].URLPath}}
dest: /tmp/
connection: local
delegate_to: localhost
when:
- (aurjson.json.results[0].Version != (pacmanQi.stdout | default()))
register: aur_recipe
@ -41,10 +41,14 @@
block:
- name: AUR → {{pkg_name}} → run custom pre-processing commands
shell: "{{pre_cmd}}"
shell: |
set -x
{{pre_cmd}}
args:
chdir: /var/tmp/{{aurjson.json.results[0].PackageBase}}
when: pre_cmd
environment:
HOME: "{{aur_home}}"
register: debugCustom
- name: AUR → {{pkg_name}} → see custom pre-processing commands result
@ -86,6 +90,8 @@
- (pacman_output.stdout is defined)
- (pacman_output.stdout.find('there is nothing to do') == -1)
environment:
HOME: "{{aur_home}}"
when:
- (realVersion.stdout != (pacmanQi.stdout | default()))
@ -97,7 +103,7 @@
changed_when: false
become: true
become_user: "{{aur_user}}"
become_user: "{{aur_name}}"
when:
- (aurjson.json.results[0].Version != (pacmanQi.stdout | default()))
@ -106,6 +112,6 @@
file:
path: '{{aur_recipe.dest}}'
state: absent
connection: local
delegate_to: localhost
become: false
changed_when: false
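Review bot: The two tasks switched to `delegate_to: localhost` (the AurJson `uri` call and the tarball `get_url` into `/tmp/`) still inherit whatever `become` the play sets, whereas the clean-up task at the end of this file explicitly adds `become: false`; if the play runs with `become: true`, a plain HTTPS download now requires `sudo` on the controller and leaves a root-owned file in the shared `/tmp`. Add `become: false` next to both new `delegate_to: localhost` lines so they match the deletion task. The `set -x` added to the pre-processing `shell` also traces every expanded command of `pre_cmd` into the registered output and play log, which is fine for the PKGBUILD edits this change set uses it for but deserves a guard comment such as `# set -x: pre_cmd is trace-logged, never pass credentials through it`.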


@ -1,28 +1,61 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
# mandatory parameters:
# - pkg_names (json-encoded list)
# - aur_user
- name: AUR → base-devel needed while building
become: false
command: |
pacman -S --noconfirm --noprogressbar --asdeps --needed base-devel
- name: AUR → read (or create) requested HOME while running AUR tasks
shell: |
case "$aur_requested_home" in
'') printf '%s' "$HOME" ;;
'!mktemp') sudo -u "$aur_user_name" mktemp -d /tmp/AUR-TEMP-HOME-XXXX ;;
*) printf '%s' "$aur_requested_home" ;;
esac
environment:
aur_requested_home: "{{(aur_user is mapping) | ternary(aur_user.home, '')}}"
aur_user_name: "{{(aur_user is mapping) | ternary(aur_user.name, aur_user)}}"
register: requestedHome
changed_when: false
- name: AUR → proceed with installation
- name: AUR → run AUR tasks
block:
- name: AUR → installation
include_tasks: install.yml
vars:
pkg_name: "{{(item is mapping) | ternary(item.pkg, item)}}"
pre_cmd: "{{(item is mapping) | ternary(item.pre, '')}}"
with_items: "{{packages}}"
always:
- name: AUR → remove base-devel and dependencies
shell: |
pacman -Rns --noconfirm --noprogressbar $(pacman -Qtdqg base-devel) || true
- name: AUR → see effective HOME
debug:
var: requestedHome
changed_when: false
- name: AUR → base-devel needed while building
become: false
command: |
pacman -S --noconfirm --noprogressbar --asdeps --needed base-devel
changed_when: false
- name: AUR → proceed with installation
block:
- name: AUR → installation
include_tasks: install.yml
vars:
aur_name: "{{(aur_user is mapping) | ternary(aur_user.name, aur_user)}}"
aur_home: "{{requestedHome.stdout}}"
pkg_name: "{{(item is mapping) | ternary(item.pkg, item)}}"
pre_cmd: "{{(item is mapping) | ternary(item.pre, '')}}"
with_items: "{{packages}}"
always:
- name: AUR → remove base-devel and dependencies
shell: |
pacman -Rns --noconfirm --noprogressbar base-devel || true
changed_when: false
always:
- name: AUR → remove temporary HOME
file:
path: "{{requestedHome.stdout}}"
state: absent
when:
- (aur_user is mapping)
- (aur_user.home == '!mktemp')
changed_when: false
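Review bot: In the `'')` branch of the new HOME-selection task, `$HOME` is the home of the connecting account (root, if the play escalates), yet that value is then passed to install.yml as `aur_home` and, judging by the `environment: HOME:` hunks there, exported for steps that run as `aur_name`, so by default the unprivileged build user is handed a home directory it does not own — a permission failure at best, root-owned build artefacts in the wrong place at worst. Derive the default from the build user instead, e.g. `'') getent passwd "$aur_user_name" | cut -d: -f6 ;;`, and fail the task when the result is empty. The `*)` branch likewise echoes the requested path without checking that it exists or is owned by `$aur_user_name`, although the task name says "read (or create)"; a `test -d` there would surface a misconfiguration before `makepkg` does.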


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###
@ -36,6 +36,10 @@
- (update_result.stdout is defined)
- (update_result.stdout.find('there is nothing to do') == -1)
- name: setup arch-chroot (dev)
include_role: name=dev.inc allow_duplicates=true tasks_from=arch-chroot.yml
when: (env == 'dev')
### UPSTREAM END ⇒ ###
- name: merge upstream
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml

View File

@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart ddclient@fdns.service


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: initialize the ddclient software


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart ddclient@henet.service


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: initialize the ddclient software
@ -46,7 +46,7 @@
- name: post-update script for he.net
copy:
content: |
#!/bin/bash
#!/usr/bin/env bash
# $1: new IP address
if [ -f /etc/conf.d/iodined ]; then
sed -i "s/^IODINE_EXT_IP=.*/IODINE_EXT_IP='$1'/" /etc/conf.d/iodined
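Review bot: The new `#!/usr/bin/env bash` resolves the interpreter through `PATH` at run time; for a hook that ddclient invokes with its own (presumably root) privileges and that rewrites `/etc/conf.d/iodined`, an absolute shebang such as `#!/usr/bin/bash` (on Arch `/bin` is a symlink to `/usr/bin`, so the old `#!/bin/bash` was equally fine) keeps the interpreter choice out of the caller's environment. If the `env` form is kept deliberately for portability, add a one-line comment saying so, e.g. `# env shebang kept for portability; PATH is set by ddclient's unit`.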


@ -0,0 +1,10 @@
- name: replace /usr/bin/arch-chroot in Podman
copy:
content: |
#!/usr/bin/env bash
args=()
while [ $# -gt 1 ]; do shift; args+=("$(printf "%q" "$1")"); done
[ -t 0 ] && t=-t || t=-T
exec ssh -i ~/.ssh/id-chroot -o StrictHostKeyChecking=no $t -p 20022 -t 10.0.2.2 "${args[@]}"
dest: /usr/bin/arch-chroot
mode: 0755
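Review bot: The replacement `arch-chroot` wrapper disables host-key verification with `-o StrictHostKeyChecking=no`, so the commands it forwards, and the key `~/.ssh/id-chroot` authenticates with, can be intercepted by anything that answers on `10.0.2.2:20022`; even for a Podman development setup, pin the peer with a dedicated file, `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=~/.ssh/known_hosts-chroot` (or `accept-new` for first use). The trailing `-t` after `-p 20022` forces a pty regardless of the `$t` computed on the line before, so the `[ -t 0 ]` test is dead code — drop one of the two. This task also overwrites a presumably package-owned `/usr/bin/arch-chroot` with no backup, and nothing in the file records that it is only meant for `env == 'dev'` (the guard lives in the caller in base's main.yml); a header comment such as `# dev only: replaces arch-chroot with an SSH forwarder to the Podman host (10.0.2.2)` would prevent it being included elsewhere.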


@ -1,10 +1,10 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: make sure the path to dotclear exists
@ -13,7 +13,7 @@
get_url:
url: 'http://download.dotclear.org/latest.tar.gz'
dest: /tmp/
connection: local
delegate_to: localhost
register: targz
changed_when: false
@ -58,7 +58,7 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
### LOCAL COMMIT ⇒ ###
- name: commit local changes
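Review bot: The `get_url` now delegated to `localhost` inherits the play's `become`, so if the play escalates, a tarball download runs under `sudo` on the controller; add `become: false` next to `delegate_to: localhost` (the AUR role's delegated clean-up task in this change set does exactly that). While this task is being touched: the source URL is plain `http://download.dotclear.org/latest.tar.gz` and there is no `checksum:`, so the CMS code being installed is fetched with no integrity protection at all — switch to `https://`, and pin `checksum: sha256:…` once a release is chosen rather than tracking `latest`.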


@ -1,6 +1,6 @@
<?php
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
if (!defined('DC_RC_PATH')) { return; }


@ -1,6 +1,6 @@
<?php
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
# https://fr.dotclear.org/documentation/2.0/resources/authentication


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart spamassassin-update.timer


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###
@ -193,22 +193,34 @@
regexp: '^(?:#\s*)?root:'
line: "root: {{mail_forward_root_to}}"
- name: send DKIM private key
- name: send DKIM private key (prod)
copy:
src: files/{{net_soa}}_dkim.privk.pem
dest: /etc/mail/{{net_soa}}_dkim.privk.pem
owner: exim
group: exim
mode: 0400
when: (env == 'prod')
notify:
- restart exim.service
- name: set smarthost name
- name: create DKIM private key (dev)
shell: |
# https://dkimcore.org/specification.html
openssl genrsa -out /etc/mail/{{net_soa}}_dkim.privk.pem 1024
openssl rsa -in /etc/mail/{{net_soa}}_dkim.privk.pem -pubout >/etc/mail/{{net_soa}}_dkim.pubk.pem
chown exim:exim /etc/mail/{{net_soa}}_dkim.*.pem
chmod 0400 /etc/mail/{{net_soa}}_dkim.*.pem
when: (env == 'dev')
notify:
- restart exim.service
- name: disable smarthost
lineinfile:
path: /etc/mail/exim.conf
regexp: '^(?:#\s*)?ROUTER_SMARTHOST\s*='
line: |
ROUTER_SMARTHOST={{mail_smtp_smarthost}}
regexp: '^(\s*ROUTER_SMARTHOST\s*=.*)'
backrefs: true
line: '#\\1'
notify:
- restart exim.service
@ -278,18 +290,11 @@
notify:
- restart exim.service
- name: set TLS parameters for OpenSSL (old)
blockinfile:
- name: set TLS parameters for OpenSSL
replace:
path: /etc/mail/exim.conf
marker: '# {mark} OpenSSL parameters'
block: |
insertafter: '^tls_advertise_hosts\s*='
- name: set TLS parameters for OpenSSL (new)
lineinfile:
path: /etc/mail/exim.conf
regexp: '^(?:#\s*)?tls_require_ciphers\s*='
line: 'tls_require_ciphers = {{tls_ciphers}}'
regexp: '(.ifdef\s+_HAVE_OPENSSL\s*\n\s*)#?(\s*)tls_require_ciphers\s*=.*$'
replace: '\1\2tls_require_ciphers = {{tls_ciphers}}'
notify:
- restart exim.service
@ -365,14 +370,15 @@
notify:
- restart exim.service
# 2023-05-20: disabled because too many legitimate rejected emails coming from GMail
- name: deny mail RCPT from SpamHaus SBL
blockinfile:
path: /etc/mail/exim.conf
marker: ' # {mark} SpamHaus SBL ACL'
block: |
deny message = rejected because $sender_host_address is in a \
black list at SpamHaus SBL
dnslists = sbl.spamhaus.org
# deny message = rejected because $sender_host_address is in a \
# black list at SpamHaus SBL
# dnslists = sbl.spamhaus.org
insertbefore: '^\s*#\s*warn\s+dnslists\s*='
notify:
- restart exim.service
@ -399,21 +405,19 @@
# TODO: https://github.com/Exim/exim/wiki/SimpleGreylisting (with SPAM≥1.0)
- name: use remote_smtp for smarthost delivery
lineinfile:
- name: set IP addresses to be ignored (base)
replace:
path: /etc/mail/exim.conf
regexp: '^(\s*transport\s*=)'
backrefs: true
line: "\\1 remote_smtp"
regexp: '^(\s*ignore_target_hosts\s*=)(?! <; 0\.0\.0\.0 ; 127\.0\.0\.0/8 ; ::1).*$'
replace: "\1 <; 0.0.0.0 ; 127.0.0.0/8 ; ::1"
notify:
- restart exim.service
- name: set IP addresses to be ignored
lineinfile:
- name: set IP addresses to be ignored (addition)
replace:
path: /etc/mail/exim.conf
regexp: '^(\s*ignore_target_hosts\s*=.*::1)(?! ; {{mail_ignore_ip | replace(" ", " ; ")}}$)'
backrefs: true
line: "\\1 ; {{mail_ignore_ip | replace(' ', ' ; ')}}"
regexp: '^(\s*ignore_target_hosts\s*= <; 0\.0\.0\.0 ; 127\.0\.0\.0/8 ; ::1)$'
replace: "\1 ; {{mail_ignore_ip | replace(' ', ' ; ')}}"
when:
- mail_ignore_ip != ""
notify:
@ -498,24 +502,24 @@
marker: ' # {mark} LMTP transport'
block: |
lmtp_transport:
driver = smtp
protocol = lmtp
rcpt_include_affixes
port = 24
driver = lmtp
socket = /run/shared_sockets/lmtp
timeout = 1m
insertbefore: '^# This transport is used'
notify:
- restart exim.service
- name: enable DKIM on outgoing emails
blockinfile:
- name: configure remote SMTP for outgoing emails
replace:
path: /etc/mail/exim.conf
marker: ' # {mark} outgoing DKIM signing'
block: |
regexp: '^(remote_smtp:\s*\n\s*driver\s*=\s*smtp\s*)$(?!\n\s*dkim_canon =)
replace: |
\1
dkim_canon = relaxed
dkim_domain = {{net_soa}}
dkim_private_key = /etc/mail/{{net_soa}}_dkim.privk.pem
dkim_selector = {{mail_dkim_selector}}
insertafter: '^\s*driver\s*=\s*smtp\s*$'
helo_data = {{net_soa}}
notify:
- restart exim.service
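Review bot: Several of the new `replace`/`lineinfile` tasks will not load, or will not write what they say: both `ignore_target_hosts` tasks use `replace: "\1 <; 0.0.0.0 …"` — `\1` is not a valid escape inside a YAML double-quoted scalar and should make the file fail to parse, so write `"\\1 <; …"` exactly as the removed `remote_smtp` task did; the `regexp: '^(remote_smtp:\s*\n…dkim_canon =)` of the outgoing-SMTP task has no closing `'`; and the `disable smarthost` task's `line: '#\\1'` is single-quoted, so both backslashes reach `lineinfile` and the written line is most likely the literal `#\1` rather than the commented-out `ROUTER_SMARTHOST` line — use `line: '#\1'`. On the dev DKIM task, `openssl genrsa … 1024` produces a key below the 2048 bits that RFC 8301 recommends signers use, the `shell` task regenerates the key on every run because it has no `args: creates: /etc/mail/{{net_soa}}_dkim.privk.pem`, and the key sits with the default umask until the later `chmod 0400`; use 2048 bits, add `creates:`, and start the script with `umask 077`.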


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart haproxy.service


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###
@ -34,8 +34,8 @@
copy:
content: |
[Unit]
Wants=nginx.service
After=nginx.service
Wants=openresty.service
After=openresty.service
dest: /etc/systemd/system/haproxy.service.d/wants_nginx.conf
mode: 0644
notify:


@ -1,5 +1,5 @@
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
global
@ -27,6 +27,7 @@ defaults
frontend imaps
bind :993 ssl crt /etc/haproxy/tls.pem
bind :::993 ssl crt /etc/haproxy/tls.pem
default_backend imap
backend imap
@ -34,10 +35,12 @@ backend imap
frontend text
bind :80
bind :::80
default_backend http
frontend tls
bind :443 ssl crt /etc/haproxy/tls.pem
bind :::443 ssl crt /etc/haproxy/tls.pem
tcp-request inspect-delay 2s
# check SNI for the SSH domain
@ -57,6 +60,7 @@ frontend tls
frontend tls_plus
bind :444 ssl crt /etc/haproxy/tls.pem
bind :::444 ssl crt /etc/haproxy/tls.pem
default_backend https_plus
backend ssh
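Review bot: The new `bind :::993`, `:::80`, `:::443` and `:::444` lines expose every frontend on IPv6 as well, and the host firewall is not part of this change, so the v6 ruleset (nftables/ip6tables, whichever this project uses) must be confirmed to mirror the v4 one or the reachable surface has just widened silently. A comment above the first v6 bind, e.g. `# IPv6 listeners: keep in sync with the v6 firewall rules`, would make that coupling explicit. Alternatively a single `bind [::]:993 v4v6 ssl crt /etc/haproxy/tls.pem` per frontend avoids duplicating the TLS options across two bind lines that must stay identical.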


@ -1,10 +1,10 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: configure nginx for Gitea
@ -19,7 +19,30 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
- name: configure SSO
copy:
content: |
{ "patterns": [{
"lua_regex": [
"^{{http_pfx_gitea}}/admin",
"^{{http_pfx_gitea}}/repo/create",
"^{{http_pfx_gitea}}/repo/migrate",
"^{{http_pfx_gitea}}/org/create",
"^{{http_pfx_gitea}}/.-/wiki/_new"
],
"allow": ["*"]
},{
"lua_regex": ["^{{http_pfx_gitea}}/"],
"public": true,
"portal": {"{{http_pfx_gitea}}/": "Git"}
}]
}
dest: /etc/nginx/ssso/sites/git.json
when: (is_sso_used is defined)
notify:
- restart openresty.service
### LOCAL COMMIT ⇒ ###
- name: commit local changes
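Review bot: `{{http_pfx_gitea}}` is substituted unescaped into Lua patterns (`lua_regex`), so a prefix containing any Lua magic character — `-`, the most likely one in a path segment, is a lazy quantifier — changes the meaning of the restricted patterns, and they may stop matching while the `^{{http_pfx_gitea}}/` public catch-all still does; escape the prefix before interpolation (a `regex_replace` that prefixes `%` to each of `^$()%.[]*+-?`). The restricted list also covers only HTML routes (`/admin`, `/repo/create`, `/repo/migrate`, `/org/create`, wiki `_new`), so `/api/v1/` (including admin and repository-creation endpoints) and `/user/settings` fall under the `public` rule; that may be intended since Gitea still authenticates them, but a comment stating it would save the next reader the question. Finally the `copy` task sets no `mode:`/`owner:` for `/etc/nginx/ssso/sites/git.json`, unlike the neighbouring nginx config task (`owner: http`, `group: http`).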


@ -1,10 +1,10 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###
@ -171,7 +171,7 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
### LOCAL COMMIT ⇒ ###
- name: commit local changes


@ -1,10 +1,10 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: create a directory for the Motion web page
@ -45,7 +45,7 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
### LOCAL COMMIT ⇒ ###
- name: commit local changes


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart movim.service
@ -9,8 +9,8 @@
name: movim.service
state: restarted
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###
@ -122,7 +122,7 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
### LOCAL COMMIT ⇒ ###
- name: commit local changes


@ -1,10 +1,10 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: configure Nginx for Nextcloud
@ -11,7 +11,7 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
- name: configure Nginx for LibreOffice OnLine
template:
@ -21,7 +21,7 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
### LOCAL COMMIT ⇒ ###
- name: commit local changes


@ -1,5 +1,5 @@
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
# Nextcloud BUG


@ -1,5 +1,5 @@
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
# https://docs.nextcloud.com/server/12/admin_manual/installation/nginx.html


@ -1,15 +1,15 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: create tmpfiles
command: systemd-tmpfiles --create
command: systemd-tmpfiles --create /etc/tmpfiles.d/run_http.conf
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted
- name: restart php-fpm.service


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###
@ -10,13 +10,71 @@
msg: nginx
### ⇐ UPSTREAM BEGIN ###
- name: install software
- name: uninstall software
package:
name: "{{item}}"
state: present
state: absent
with_items:
# - nginx-mainline # nginx-mainline must now be built from official PKGBUILD :-(
- php-fpm
# 2023-05-20: removed
- nginx-mainline
- name: install AUR software
include_role:
name: aur.inc
allow_duplicates: true
vars:
packages:
- pkg: openresty
pre: |
# harden the systemd service
sed -ri '
/\[Unit\]/ a\
After=systemd-tmpfiles-setup.service\
After=php-fpm.service
/\[Service\]/ a\
User=http\
Group=http\
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT\
PrivateTmp=true\
PrivateDevices=true\
ProtectSystem=full\
ProtectHome=true\
ReadWritePaths=/var/log/nginx\
NoNewPrivileges=true\
ExecStartPre=-/usr/bin/find /var/log/nginx/ -type f -user root -delete\
ExecStartPre=/usr/bin/sh -c '"'"'rm -f /run/shared_sockets/http*.pp'"'"'
s|/run/openresty.pid|/run/http/nginx.pid|g
' service
# compute the hash of the new service file
srvHash=$(sha256sum service | awk '{print $1}')
# — choose /etc/nginx as Nginx configuration location
# — choose /run/http/ for Nginx PID and lock files location
# — choose /var/log/nginx/ as Nginx compiled-in logs location
# — choose /var/tmp/ as Nginx runtime temporary folder
# — replace the old service hash with the computed one
# — remove signature source files as they make the build fail
# — disable unused features of OpenResty/Nginx
sed -ri "
s#_cfgdir=.*#_cfgdir=/etc/nginx#
/build\\(\\)/ i\\
for ((_src=0; _src<\${{ '{#source[*]}' }}; _src++)); do if [ "\${source[\$_src]}" == service ]; then\\
sha256sums[\$_src]='$srvHash'\\
fi; done\\
for ((_src=\${{ '{#source[*]}' }}-1; _src>=0; _src--)); do if [[ "\${source[\$_src]}" =~ \\\\.asc\$ ]]; then\\
_last=\$((\${{ '{#source[*]}' }}-1))\\
source[\$_src]=\"\${source[\$_last]}\"; unset source[\$_last]\\
sha256sums[\$_src]=\"\${sha256sums[\$_last]}\"; unset sha256sums[\$_last]\\
fi; done\\
unset _last _src
s/^( *)#( *--(without-.*redis|without-lua_rds|without-.*mysql|without-.*scgi))/\\1\\2/
s|^( *)#( *--pid-path=).*|\\1\\2/run/http/nginx.pid \\\\|
s|^( *)#( *--lock-path=).*|\\1\\2/run/http/nginx.lock \\\\|
s|^( *)#( *--error-log-path=).*|\\1\\2/var/log/nginx/error.log \\\\|
s|^( *)#( *--http-log-path=).*|\\1\\2/var/log/nginx/access.log \\\\|
/^ *--with-mail|^ *#/d
s| +#.*||
" PKGBUILD
cat PKGBUILD
### UPSTREAM END ⇒ ###
- name: merge upstream
@ -25,11 +83,19 @@
msg: nginx
### ⇐ UPSTREAM END ###
- name: create a directory for the PID files
- name: fix logrotate.d/openresty
lineinfile:
path: /etc/logrotate.d/openresty
backrefs: true
regexp: '^(\s*test -r )/run/'
line: '\1/run/http/nginx.pid && kill -USR1 `cat /run/http/nginx.pid`'
- name: create Nginx working directories
copy:
content: |
#Type Path Mode UID GID Age Argument
d /run/http 775 http http - -
#Type Path Mode UID GID Age Argument
d /run/http 775 http http - -
d /var/log/nginx 775 http http - -
dest: /etc/tmpfiles.d/run_http.conf
mode: 0644
notify:
@ -37,69 +103,15 @@
- meta: flush_handlers
- name: prepare to override systemd settings
file:
name: /etc/systemd/system/{{item}}.service.d
state: directory
mode: 0755
- name: update already-installed OpenResty packages
shell: /opt/openresty/bin/opm update
- name: OPM = install OpenResty packages (if necessary)
include_tasks: opm.yaml
vars:
pkg_name: "{{item}}"
with_items:
- nginx
- php-fpm
- name: secure systemd settings for php-fpm
copy:
content: |
[Unit]
After=systemd-tmpfiles-setup.service
[Service]
User=http
Group=http
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
PrivateTmp=true
PrivateDevices=true
ProtectSystem=true
ProtectHome=true
NoNewPrivileges=true
PIDFile=/run/http/php-fpm.pid
dest: /etc/systemd/system/php-fpm.service.d/secure-{{nickname}}.conf
mode: 0644
notify:
- restart php-fpm.service
- name: secure systemd settings for nginx
copy:
content: |
[Unit]
After=systemd-tmpfiles-setup.service
After=php-fpm.service
[Service]
User=http
Group=http
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
PrivateTmp=true
PrivateDevices=true
ProtectSystem=full
ProtectHome=true
NoNewPrivileges=true
PIDFile=/run/http/nginx.pid
ExecStartPre=/usr/bin/sh -c 'rm -f /run/shared_sockets/http*.pp'
ExecStart=
ExecStart=/usr/bin/nginx -g 'pid /run/http/nginx.pid; error_log stderr;'
dest: /etc/systemd/system/nginx.service.d/secure-{{nickname}}.conf
mode: 0644
notify:
- restart nginx.service
- name: set ownership of nginx working directories to nginx
file:
path: /var/{{item}}/nginx
state: directory
owner: http
group: http
recurse: true
with_items:
- lib
- log
- fffonion/lua-resty-openssl
- name: set the number of nginx worker processes
lineinfile:
@ -107,7 +119,7 @@
regexp: '^#?\s*worker_processes\s'
line: "worker_processes auto;"
notify:
- restart nginx.service
- restart openresty.service
- name: log to systemd-journal
lineinfile:
@ -115,7 +127,7 @@
regexp: '^#?\s*error_log\s'
line: "error_log syslog:server=unix:/dev/log,nohostname {{nginx_loglevel}};"
notify:
- restart nginx.service
- restart openresty.service
- name: create directories for custom nginx configuration
file:
@ -136,7 +148,7 @@
line: include /etc/nginx/main.inc.d/*.inc;
insertbefore: BOF
notify:
- restart nginx.service
- restart openresty.service
- name: include custom nginx configuration
lineinfile:
@ -145,7 +157,7 @@
line: include /etc/nginx/conf.d/*.conf;
insertbefore: '^\s*#gzip\s'
notify:
- restart nginx.service
- restart openresty.service
- name: set custom nginx configuration
template:
@ -155,7 +167,7 @@
group: http
mode: 0640
notify:
- restart nginx.service
- restart openresty.service
- name: send included conf files
template:
@ -198,54 +210,33 @@
when:
- test_srv.changed
notify:
- restart nginx.service
- restart openresty.service
- name: set the php-fpm settings
lineinfile:
path: /etc/php/php-fpm.d/www.conf
regexp: '^;*{{item.key}}\s*='
line: '{{item.key}} = {{item.value}}'
with_dict:
listen: /run/shared_sockets/php-fpm
pm: dynamic
'pm.max_children': '{{php_max_workers}}'
'pm.start_servers': 1
'pm.min_spare_servers': 1
'pm.max_spare_servers': '{{php_max_workers}}'
'pm.max_requests': '{{php_worker_max_reqs}}'
notify:
- restart php-fpm.service
- name: disable useless user/group specs
lineinfile:
path: /etc/php/php-fpm.d/www.conf
backrefs: true
regexp: '^({{item}}\s*=.*)'
line: ';\1'
- name: create web files locations
file:
path: "{{item}}"
state: directory
with_items:
- user
- group
- 'listen.group'
- name: set the PID file path for php-fpm
lineinfile:
path: /etc/php/php-fpm.conf
regexp: '^;*pid\s*='
line: 'pid = /run/http/php-fpm.pid'
notify:
- restart php-fpm.service
- /srv/http
- /srv/webapps
- name: enable php-fpm.service
- name: enable openresty.service
systemd:
daemon_reload: true
name: php-fpm.service
name: openresty.service
enabled: true
- name: enable nginx.service
systemd:
daemon_reload: true
name: nginx.service
enabled: true
- name: HTML test-page in test environment
copy:
content: |
<!DOCTYPE html>
<html lang="en">
<head><title>TEST</title><meta charset="UTF-8"></head>
<body><h1>HTML served by Nginx</h1><p>It works!</p></body>
</html>
dest: /srv/http/index.html
mode: 0644
when: (env == 'dev')
### LOCAL COMMIT ⇒ ###
- name: commit local changes


@ -0,0 +1,16 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
# mandatory parameters: pkg_name
- name: OPM → check existence of {{pkg_name}}
shell: /opt/openresty/bin/opm list | grep -q '^{{pkg_name}}[[:blank:]]'
ignore_errors: true
changed_when: false
register: opm_check
- name: OPM → install {{pkg_name}}
command: /opt/openresty/bin/opm get {{pkg_name}}
when: opm_check is failed
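Review bot: `pkg_name` is spliced unescaped into both the grep pattern of the `check existence` task and the argument of the `install` task, so a name carrying regex or shell metacharacters changes what is matched or what is run; `grep -q '^{{pkg_name | regex_escape}}[[:blank:]]'` and `command: /opt/openresty/bin/opm get {{pkg_name | quote}}` keep the value literal. `ignore_errors: true` also paints the probe as a failed task on every run where the package is absent; `failed_when: false` on the check plus `when: opm_check.rc != 0` on the install task expresses the same logic without the spurious failure. `opm get` installs whatever the registry serves at run time with no version pin, so the Lua code pulled in (for instance `fffonion/lua-resty-openssl` from the nginx tasks above) is not reproducible between `dev` and `prod` runs; recording the validated release in a variable, or passing it to `opm get` if the installed opm accepts a `name=version` form (worth confirming), would make the dependency auditable.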


@ -1,5 +1,5 @@
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
location / {


@ -1,7 +1,12 @@
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
client_body_temp_path /var/tmp/client_body_temp;
proxy_temp_path /var/tmp/proxy_temp;
fastcgi_temp_path /var/tmp/fastcgi_temp;
uwsgi_temp_path /var/tmp/uwsgi_temp;
#scgi_temp_path /var/tmp/scgi_temp;
client_max_body_size {{http_max_upload}};
gzip on;
gzip_comp_level 6;
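Review bot: The four `*_temp_path` directives use fixed names directly under `/var/tmp`, a sticky world-writable directory, so wherever the service does not get a private /tmp another local account can pre-create or symlink `/var/tmp/client_body_temp` and friends before the worker does; the hardened unit in the first section of this compare sets `PrivateTmp=true`, which would remove that window, but this conf file carries no trace of that assumption. Grouping them under one service-owned directory keeps the conf self-sufficient: `client_body_temp_path /var/tmp/nginx/client_body_temp;` (and likewise for proxy, fastcgi and uwsgi) with a `d /var/tmp/nginx 0700 http http - -` line next to the existing tmpfiles entries for `/run/http` and `/var/log/nginx`.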


@ -1,5 +1,5 @@
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
location ~ (?i)(?<!{{http_pfx_dotclear}}/)admin|(?<!{{http_pfx_lam}}/templates/)login|(?<!{{http_pfx_dotclear}}/admin/)auth(?!or) {


@ -1,5 +1,5 @@
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
# http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP


@ -1,5 +1,5 @@
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
# function /php...(doc_root /... prefix /... script /... pathinfo) {


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart prosody.service
@ -9,8 +9,8 @@
name: prosody.service
state: restarted
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###
@ -277,7 +277,7 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
- name: enable prosody
systemd:


@ -1,6 +1,6 @@
<?php
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
/*


@ -1,10 +1,10 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted


@ -1,9 +1,9 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:
- role: cleanupdate
- role: ldap
- role: ssowat
# - role: ssowat #FIXME
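Review bot: Commenting out `- role: ssowat` with a bare `#FIXME` leaves no record of what the SSO role used to provide, yet the tasks file that follows (this meta appears to belong to the same transmission role) still writes `/etc/nginx/ssso/sites/transm.json` when `is_sso_used` is defined; unless another role creates that directory first, the `configure SSO` copy now fails on an SSO-enabled host. Either keep the dependency conditional, `- { role: ssowat, when: is_sso_used is defined }`, or extend the comment to say why it is disabled and what must replace it before SSO is turned back on.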


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###
@ -34,9 +34,10 @@
Requires=nslcd.service
After=nslcd.service
[Service]
{% if is_vpn_used is not defined %}
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT CAP_SYS_NICE
{% endif %}
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
LimitNOFILE=4096
@ -44,6 +45,22 @@
dest: /etc/systemd/system/transmission.service.d/secure-{{nickname}}.conf
mode: 0644
- name: override network settings for transmission
copy:
content: |
[Unit]
Requires=no-vpn-network-namespace.service
After=no-vpn-network-namespace.service
[Service]
Type=exec
User=root
Group=root
ExecStart=
ExecStart=/usr/bin/ip netns exec no-vpn /usr/bin/sudo -g {{media_group}} -u transmission -H -n /usr/bin/transmission-daemon -f --log-level=error
dest: /etc/systemd/system/transmission.service.d/zz-no-vpn.conf
mode: 0644
when: (is_vpn_used is defined)
- name: ensure existence and mode of Transmission working directories
file:
path: /var/lib/transmission{{item}}
@ -104,6 +121,18 @@
name: transmission.service
state: stopped
- name: store DMZ IP (direct)
set_fact:
no_vpn_front_IP: "{{DMZ_IP}}"
when:
- (is_vpn_used is not defined)
- name: store DMZ IP (avoid VPN)
set_fact:
no_vpn_front_IP: "{{vpn_avoiding_ip_cidr | replace('/.*', '')}}"
when:
- (is_vpn_used is defined)
- name: put a JSON terminator to avoid a trailing comma
lineinfile:
path: /var/lib/transmission/.config/transmission-daemon/settings.json
@ -118,7 +147,7 @@
line: ' "{{item.key}}": {{item.value}},'
insertbefore: '"zzz"'
with_dict:
speed-limit-up: '50'
speed-limit-up: '500'
speed-limit-up-enabled: 'true'
download-dir: '"/var/lib/transmission/Done"'
incomplete-dir: '"/var/lib/transmission/Doing"'
@ -130,13 +159,14 @@
watch-dir-enabled: 'true'
encryption: '2'
message-level: '1'
bind-address-ipv4: '"{{DMZ_IP}}"'
bind-address-ipv4: '"{{no_vpn_front_IP}}"'
peer-port: '{{transmission_bt_port}}'
peer-port-random-on-start: 'false'
port-forwarding-enabled: 'false'
port-forwarding-enabled: '{{is_vpn_used is defined}}'
queue-stalled-minutes: '5'
rpc-authentication-required: 'false'
rpc-bind-address: '"127.0.0.1"'
rpc-bind-address: '"unix:/run/shared_sockets/transmission-rpc.sock"'
rpc-socket-mode: '"0777"'
rpc-port: '{{transmission_rpc_port}}'
rpc-url: '"{{http_pfx_transmission}}/"'
rpc-whitelist-enabled: 'false'
@ -151,13 +181,13 @@
copy:
content: |
location {{http_pfx_transmission}}/web {
alias /usr/share/transmission/web;
alias /usr/share/transmission/public_html;
}
location ~ ^{{http_pfx_transmission}}/?$ {
return 307 https://{{net_soa}}{{http_pfx_transmission}}/web/;
}
location ~ ^{{http_pfx_transmission}}.*$(?<!\.css|\.js)$ {
proxy_pass http://127.0.0.1:{{transmission_rpc_port}};
proxy_pass http://unix:/run/shared_sockets/transmission-rpc.sock;
proxy_pass_header X-Transmission-Session-Id;
proxy_hide_header ETag;
proxy_hide_header Cache-Control;
@ -168,7 +198,7 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
- name: enable transmission.service
systemd:
@ -176,6 +206,20 @@
name: transmission.service
enabled: true
- name: configure SSO
copy:
content: |
{ "patterns": [{
"lua_regex": ["^{{http_pfx_transmission}}"],
"allow": ["me"],
"portal": {"{{http_pfx_transmission}}": "BitTorrent"}
}]
}
dest: /etc/nginx/ssso/sites/transm.json
when: (is_sso_used is defined)
notify:
- restart openresty.service
### LOCAL COMMIT ⇒ ###
- name: commit local changes
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
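Review bot: `replace('/.*', '')` in the `store DMZ IP (avoid VPN)` task is Jinja's literal string replacement, not a regex, so `no_vpn_front_IP` keeps its `/nn` prefix length and the `bind-address-ipv4` entry below is written as a CIDR; `no_vpn_front_IP: "{{vpn_avoiding_ip_cidr | regex_replace('/.*', '')}}"` does what the expression intends. In the same `with_dict`, `port-forwarding-enabled: '{{is_vpn_used is defined}}'` renders as Python `True`/`False`, which is not valid JSON for settings.json; `'{{ (is_vpn_used is defined) | to_json }}'` yields lowercase `true`/`false`. The new RPC socket is created with `rpc-socket-mode: '"0777"'` while `rpc-authentication-required` and `rpc-whitelist-enabled` stay `false`, so every local account can drive the daemon through it, whereas only the proxying nginx user needs access — `'"0660"'` with that user in the socket's group is the narrower setting (under the no-vpn override the daemon's group is `{{media_group}}`; the non-VPN unit's group is outside this hunk). The `zz-no-vpn.conf` drop-in also runs the unit as root with the bounding set removed (the `is_vpn_used is not defined` guard on `CapabilityBoundingSet`) solely to enter the namespace before `sudo` drops privileges; if the namespace is created with `ip netns add no-vpn`, `NetworkNamespacePath=/run/netns/no-vpn` in `[Service]` lets systemd join it while keeping `User=transmission` and the capability bounds, and the `sudo` hop goes away.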


@ -1,10 +1,10 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart nginx.service
- name: restart openresty.service
systemd:
daemon_reload: true
name: nginx.service
name: openresty.service
state: restarted


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###
@ -88,7 +88,7 @@
owner: http
group: http
notify:
- restart nginx.service
- restart openresty.service
### LOCAL COMMIT ⇒ ###
- name: commit local changes


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: PostgreSQL user for dotClear


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: restart dovecot.service


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
dependencies:


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###


@ -1,5 +1,5 @@
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
# This file is opened as root, so it should be owned by root and mode 0600.


@ -1,5 +1,5 @@
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
## Dovecot configuration file (/usr/share/doc/dovecot/example-config)
@ -51,15 +51,15 @@ service imap-login {
}
}
service lmtp {
#unix_listener /run/shared_sockets/lmtp {
# mode = 0666
#}
unix_listener /run/shared_sockets/lmtp {
mode = 0666
}
# Create inet listener only if you can't use the above UNIX socket
# https://yalis.fr/git/yves/home-server/issues/6
inet_listener lmtp {
address = {{SafeZone_IP}}
port = 24
}
#inet_listener lmtp {
# address = {{SafeZone_IP}}
# port = 24
#}
}
service imap {
}
@ -75,8 +75,8 @@ service auth-worker {
# # For example: mode=0660, group=vmail and global mail_access_groups=vmail
# unix_listener dict {
# #mode = 0600
# #user =
# #group =
# #user =
# #group =
# }
#}
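Review bot: The new `unix_listener /run/shared_sockets/lmtp` is created with `mode = 0666`, so any local account — not only the MTA — can hand messages straight to LMTP delivery and bypass whatever the MTA applies in front of it, whereas the inet listener it replaces was at least bound to `{{SafeZone_IP}}`. A `unix_listener` block takes the same `user`/`group` keys that appear commented out further down in this file, so `mode = 0660` together with `group = <MTA-GROUP, placeholder>` limits the socket to the one peer that needs it. The permissions of `/run/shared_sockets` itself also bound what this mode can protect and are not visible in this hunk.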


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: install etckeeper


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: store /etc changes


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: switch Git to run


@ -1,6 +1,6 @@
---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Copyright © 20182023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
- name: switch Git to master
