Author | SHA1 | Date |
---|---|---|
Yves G. | 2c50b3398e | |
Yves G | e0087d54f0 | |
Yves G | 87936b77fd |
|
@ -0,0 +1,19 @@
|
|||
# EditorConfig is awesome: https://EditorConfig.org
|
||||
|
||||
# top-most EditorConfig file
|
||||
root = true
|
||||
|
||||
[*]
|
||||
indent_style = space
|
||||
indent_size = 2
|
||||
end_of_line = lf
|
||||
charset = utf-8
|
||||
trim_trailing_whitespace = true
|
||||
insert_final_newline = true
|
||||
|
||||
[Makefile]
|
||||
indent_style = tab
|
||||
tab_width = 2
|
||||
|
||||
[*.md]
|
||||
trim_trailing_whitespace = false
|
|
@ -0,0 +1 @@
|
|||
target
|
|
@ -1,6 +1,6 @@
|
|||
/////
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
/////
|
||||
|
||||
|
@ -132,6 +132,6 @@ $ ansible-playbook -i production site.yml
|
|||
[literal.small]
|
||||
.....
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
.....
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/////
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
/////
|
||||
|
||||
|
@ -74,8 +74,8 @@ Command (m for help): g
|
|||
Created a new GPT disklabel…
|
||||
|
||||
Command (m for help): n
|
||||
Partition number (1-128, default 1):
|
||||
First sector (…):
|
||||
Partition number (1-128, default 1):
|
||||
First sector (…):
|
||||
Last sector, +sectors or +size{K,M,G,T,P} (…): +128M
|
||||
|
||||
Created a new partition 1…
|
||||
|
@ -86,14 +86,14 @@ Hex code (type L to list all codes): 1
|
|||
Changed type of partition 'Linux filesystem' to 'EFI System'.
|
||||
|
||||
Command (m for help): n
|
||||
Partition number (2-128, default 2):
|
||||
First sector (…):
|
||||
Partition number (2-128, default 2):
|
||||
First sector (…):
|
||||
Last sector, +sectors or +size{K,M,G,T,P} (…):
|
||||
|
||||
Created a new partition 2…
|
||||
|
||||
Command (m for help): t
|
||||
Partition number (1,2, default 2):
|
||||
Partition number (1,2, default 2):
|
||||
Hex code (type L to list all codes): 31
|
||||
|
||||
Changed type of partition 'Linux filesystem' to 'Linux LVM'.
|
||||
|
@ -304,7 +304,7 @@ root@archiso ~ # arch-chroot /mnt
|
|||
[root@archiso /]# cat >/etc/systemd/network/bridge.network <<-"THEEND"
|
||||
> [Match]
|
||||
> Name=wire
|
||||
>
|
||||
>
|
||||
> [Network]
|
||||
> IPForward=yes
|
||||
> Address={back-ip}/{net-bits}
|
||||
|
@ -313,7 +313,7 @@ root@archiso ~ # arch-chroot /mnt
|
|||
[root@archiso /]# cat >/etc/systemd/network/wired.network <<-"THEEND"
|
||||
> [Match]
|
||||
> Name=en*
|
||||
>
|
||||
>
|
||||
> [Network]
|
||||
> Bridge=wire
|
||||
> THEEND
|
||||
|
@ -390,12 +390,12 @@ NOTE: Most values and paths here are examples, and shall be adapted.
|
|||
[subs="+attributes"]
|
||||
```bash
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop haproxy.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop nginx.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop openresty.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop php-fpm.service
|
||||
[root@{back-name} ~]# sudo -u postgres pg_restore -c -C -F c -d postgres \
|
||||
> </backup/dotclear.cdump
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start php-fpm.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start nginx.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start openresty.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start haproxy.service
|
||||
```
|
||||
|
||||
|
@ -404,7 +404,7 @@ NOTE: Most values and paths here are examples, and shall be adapted.
|
|||
[subs="+attributes"]
|
||||
```bash
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop haproxy.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop nginx.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop openresty.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop prosody.service
|
||||
[root@{back-name} ~]# sudo -u postgres pg_restore -c -C -F c -d postgres \
|
||||
> </backup/prosody.cdump
|
||||
|
@ -419,7 +419,7 @@ ALTER TABLE
|
|||
{prosody-db}=# \q
|
||||
[postgres@{back-name} ~]$ exit
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start prosody.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start nginx.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start openresty.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start haproxy.service
|
||||
```
|
||||
|
||||
|
@ -444,7 +444,7 @@ Stop Nextcloud and restore the data::
|
|||
[subs="+attributes"]
|
||||
```bash
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop haproxy.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop nginx.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} stop openresty.service
|
||||
[root@{back-name} ~]# systemctl stop nextcloud-maintenance.timer
|
||||
[root@{back-name} ~]# systemctl stop uwsgi@nextcloud.socket
|
||||
[root@{back-name} ~]# systemctl stop uwsgi@nextcloud.service
|
||||
|
@ -514,7 +514,7 @@ Restart Nextcloud::
|
|||
```bash
|
||||
[root@{back-name} ~]# systemctl start uwsgi@nextcloud.socket
|
||||
[root@{back-name} ~]# systemctl start nextcloud-maintenance.timer
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start nginx.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start openresty.service
|
||||
[root@{back-name} ~]# systemctl -M {front-name} start haproxy.service
|
||||
```
|
||||
|
||||
|
@ -538,6 +538,6 @@ I decided to do a clean import, especially since I configured Dovecot in a way
|
|||
[literal.small]
|
||||
.....
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
.....
|
||||
|
|
|
@ -1,27 +1,8 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
# Short personal nickname that will be mostly used as part of filenames under /etc.
|
||||
nickname: personal
|
||||
|
||||
# Hostname and IPv4 address of the DMZ.
|
||||
DMZ: dmz
|
||||
DMZ_IP: 192.168.1.254
|
||||
|
||||
# Hostname and IPv4 address of the back-end server (with all the data).
|
||||
SafeZone: home
|
||||
SafeZone_IP: 192.168.1.253
|
||||
|
||||
# Domain names that the certificate should cover.
|
||||
acme_domains: 'example.org www.example.org pubsub.example.org'
|
||||
|
||||
# Public key that Ansible will use to manage the server, and IP address of the controller PC.
|
||||
# The public key (`….pub` file) is generated as the result of running `ssh-keygen -t ed25519`.
|
||||
ansible_authorized_key: 'ssh-ed25519 AAAA0000bbbb1111CCCC2222dddd3333EEEE4444ffff5555GGGG6666hhhh7777IIII me@my-pc'
|
||||
ansible_master: 192.168.1.252
|
||||
|
||||
# System user that will build packages from AUR (https://aur.archlinux.org/).
|
||||
aur_user: git
|
||||
|
||||
|
@ -53,17 +34,17 @@ dotclear_master_key: 0123456789abcdefghijklmnopqrstuvwxyz
|
|||
dotclear_root: /srv/webapps/dotclear
|
||||
|
||||
# The default locale (https://wiki.archlinux.org/index.php/Locale).
|
||||
locales_default: 'en_US.UTF-8'
|
||||
locales_default: 'en_GB.UTF-8'
|
||||
|
||||
# All installed locales on the server.
|
||||
locales_enabled: 'en_US.UTF-8 fr_FR.UTF-8 fr_FR@euro'
|
||||
locales_enabled: 'en_US.UTF-8 en_GB.UTF-8'
|
||||
|
||||
# Enable DNSSEC in systemd-resolved (“yes” or “no”, as a character string); experimental!
|
||||
dns_sec: 'no'
|
||||
|
||||
# DNS servers to use on the server, for example:
|
||||
# FDN-1 (v4) FDN-2 (v4) FDN-1 (v6) FDN-2 (v6) OpenNIC-1 OpenNIC-2 Google
|
||||
dns_hosts: '80.67.169.12 80.67.169.40 2001:910:800::12 2001:910:800::40 87.98.175.85 5.135.183.146 8.8.8.8'
|
||||
# OpenNIC-1 OpenNIC-2 Cloudflare-1/-2
|
||||
dns_hosts: '51.158.108.203 51.77.149.139 1.1.1.1 1.0.0.1'
|
||||
|
||||
# Nearest NTP servers (https://www.ntppool.org/).
|
||||
ntp_hosts: '0.uk.pool.ntp.org 1.uk.pool.ntp.org 2.uk.pool.ntp.org 3.uk.pool.ntp.org'
|
||||
|
@ -79,9 +60,6 @@ fw_knock_timeout_min: 2
|
|||
# Port-knocking sequence. A port may appear multiple times, but not next to each-other.
|
||||
fw_portknock_seq: 1 22 333 4444 333 22 1
|
||||
|
||||
# The email address associated to root, for commits in the git repository that stores changes to /etc.
|
||||
git_contact_email: hostmaster@example.org
|
||||
|
||||
# Watch new repositories inside the already-watched perimeter by default.
|
||||
gitea_auto_watch_new_repos: 'true'
|
||||
|
||||
|
@ -208,7 +186,7 @@ http_pfx_privatebin: /paste
|
|||
http_pfx_prosody: /xmpp-
|
||||
|
||||
# URL prefix of SSOwat (SSO and web portal).
|
||||
http_pfx_ssowat: /start
|
||||
http_pfx_sso: /start
|
||||
|
||||
# URL prefix of Transmission (web UI for BitTorrent).
|
||||
http_pfx_transmission: /torrent
|
||||
|
@ -216,14 +194,11 @@ http_pfx_transmission: /torrent
|
|||
# URL prefix of Wallabag (social sharing of bookmarks).
|
||||
http_pfx_wallabag: /bookmarks
|
||||
|
||||
# Subdomain-name that will serve DNS packets for Iodine (DNS tunnel). Choose it short!
|
||||
iodine_domain: dt.example.org
|
||||
|
||||
# Network associated with the DNS tunnel (IP address of the server on this network, “/”, bits for the network-mask).
|
||||
iodine_net: '172.16.12.1/28'
|
||||
|
||||
# Password of the DNS tunnel.
|
||||
iodine_password: '_t_r___e@6358'
|
||||
iodine_password: 'dns-passwd'
|
||||
|
||||
# Location of Kodi state data (not the media contents).
|
||||
kodi_data: /var/lib/kodi
|
||||
|
@ -249,20 +224,9 @@ lam_passwordMustNotContainUser: 'true'
|
|||
# Title for LDAP-Account-Manager in the SSOwat portal.
|
||||
lam_sso_title: Directory
|
||||
|
||||
# Additional ACL for LDAP.
|
||||
# This is typically used to give extra powers to users, for example regarding aliases management.
|
||||
ldap_extra_acl: |
|
||||
access to dn.subtree="ou=Aliases,dc=example,dc=org"
|
||||
by dn.base="uid=me,ou=Users,dc=example,dc=org" write
|
||||
by self read
|
||||
by * read
|
||||
|
||||
# Organization-name for this home-server LDAP directory.
|
||||
ldap_o_name: 'Home'
|
||||
|
||||
# Root of the LDAP directory. Usually the domain-name with commas instead of dots, and “dc=” in front of each level.
|
||||
ldap_root: dc=example,dc=org
|
||||
|
||||
# Password of the root user (administrator) in OpenLDAP.
|
||||
ldap_rootpw: 'OE104995à6&o_zKR4'
|
||||
|
||||
|
@ -273,7 +237,7 @@ ldap_rootpw_sha: '{SSHA}Raa3TlvDPZTjdM44nKZQt+hDvQRvaMDC'
|
|||
# Custom system groups and memberships, declared in LDAP.
|
||||
# This is the right place to declare a group in which to put all real and system users, who will be allowed to read media contents.
|
||||
ldap_system_groups: '[
|
||||
{"cn": "registered", "gidNumber": 1200}
|
||||
{"cn": "registered", "gidNumber": 1200},
|
||||
{"cn": "media", "gidNumber": 1201}
|
||||
]'
|
||||
ldap_system_group_members: '[
|
||||
|
@ -339,30 +303,12 @@ loolwsd_lang: en
|
|||
# by all of the LibreOffice Online, after which we start cleaning up idle documents”.
|
||||
loolwsd_maxmem_asdouble: '80.0'
|
||||
|
||||
# Non-system mail aliases (stored in LDAP, in contrast to system aliases, which are stored in /etc/mail/aliases).
|
||||
# Each entry in the list contains:
|
||||
# — alias: a unique mail alias, either new or with existing associated recipients;
|
||||
# — member: the login name of the user to add as a recipient for the alias.
|
||||
mail_alias_memberships: '[
|
||||
{"alias": "shop", "member": "you"},
|
||||
{"alias": "throwable", "member": "me"},
|
||||
{"alias": "family", "member": "me"},
|
||||
{"alias": "family", "member": "you"}
|
||||
]'
|
||||
|
||||
# DKIM selector to use (see http://yalis.fr/cms/index.php/post/2014/01/31/Why-buy-a-domain-name-Secure-mail%2E).
|
||||
# See the “dmz_exim” role for the storage of the private and public keys.
|
||||
mail_dkim_selector: home
|
||||
|
||||
# Actual Linux user, that receives all system emails (for root, postmaster, hostmaster…).
|
||||
mail_forward_root_to: me
|
||||
|
||||
# IPv6 address of the ISP’s smarthost when the ISP does not handle SMTP on IPv6 (example: smtp.bbox.fr).
|
||||
mail_ignore_ip: '2001:860:e2ef::f503:0:2'
|
||||
|
||||
# All local mail destinations, which include managed domains, as well as host names.
|
||||
mail_local_domains: 'home dmz localhost example.org *.example.org *.local'
|
||||
|
||||
# Maximum number of SPAM-filter workers.
|
||||
mail_max_spam_workers: 5
|
||||
|
||||
|
@ -392,22 +338,6 @@ motion_cloud_password: password
|
|||
motion_cloud_id: app_id_xxxxx
|
||||
motion_cloud_key: xxxxxxxxxx…xxxxxxxxxx
|
||||
motion_email_recipient: hostmaster@localhost
|
||||
motion_cameras: '[
|
||||
{
|
||||
"id": 1, "name": "street door",
|
||||
"url": "rtsp://user:password@street.example.org:554/videoMain",
|
||||
"width": 640, "height": 360,
|
||||
"mask_file": "example_mask_640_360.pgm",
|
||||
"framerate": 5
|
||||
},
|
||||
{
|
||||
"id": 2, "name": "garden door",
|
||||
"url": "rtsp://user:password@garden.example.org:554/videoMain",
|
||||
"width": 640, "height": 360,
|
||||
"mask_file": null,
|
||||
"framerate": 5
|
||||
}
|
||||
]'
|
||||
motion_web_title: "Video surveillance"
|
||||
|
||||
# Name of the Movim database in PostgreSQL.
|
||||
|
@ -435,9 +365,6 @@ movim_private_port: 33333
|
|||
# — the web address for updating web applications…
|
||||
net_allowed_domains: 'checkip.dns.he.net dyn.dns.he.net freedns.afraid.org download.dotclear.org dotaddict.org api.movim.eu'
|
||||
|
||||
# Start Of Authority: the root domain name configured on the server.
|
||||
net_soa: example.org
|
||||
|
||||
# Subdomain for the XMPP multi-user chat component.
|
||||
net_subdom_muc: muc
|
||||
|
||||
|
@ -449,7 +376,7 @@ net_subdom_ssh: ssh
|
|||
|
||||
# Local networks from which network connections are trusted.
|
||||
# OpenSSH requires that the IP in front of the “/” character is the first IP of the range!
|
||||
net_trusted_ranges: '192.168.1.248/28 127.0.0.0/8 ::1'
|
||||
net_trusted_ranges: '192.168.1.240/28 127.0.0.0/8 ::1'
|
||||
|
||||
# Administrator for Nextcloud (not necessarily an LDAP user).
|
||||
nextcloud_admin_user: nextcloud_admin
|
||||
|
@ -539,13 +466,13 @@ prosody_db_password: prosody
|
|||
sane_drivers: epson2
|
||||
|
||||
# Space-separated list of pacman mirrors to use.
|
||||
software_mirrors: 'mirror.archlinux.ikoula.com archlinux.vi-di.fr'
|
||||
software_mirrors: 'mirror.cyberbits.eu archlinux.vi-di.fr'
|
||||
|
||||
# Software that will get removed if present, on next run of the playbook (JSON list).
|
||||
software_to_del: '["dhcpcd"]'
|
||||
|
||||
# Comma-separated list of software that pacman should not automatically upgrade.
|
||||
software_to_ignore: 'linux,linux-firmware,linux-headers'
|
||||
software_to_ignore: 'linux,linux-firmware,linux-headers,nginx-mainline'
|
||||
|
||||
# Environment variables that SSH may keep for remote connections.
|
||||
ssh_accept_env: 'LANG LC_*'
|
||||
|
@ -573,7 +500,7 @@ ssh_bastion_pwd_sha512: '$6$ZN4I.yIVUj0amxqe$5dBx1d34tNm9NMmmFV3UxZ0V2ecmOjefK5d
|
|||
ssh_clientalive_interval: 600
|
||||
|
||||
# Server’s timezone.
|
||||
timezone: Europe/Paris
|
||||
timezone: Europe/Dublin
|
||||
|
||||
# TLS ciphers to enable in TLS-terminating software (HAProxy, Nginx…).
|
||||
# See https://wiki.mozilla.org/Security/Server_Side_TLS.
|
||||
|
@ -598,6 +525,61 @@ transmission_real_todo_at: /mnt/share/p2p/iso.torrent
|
|||
transmission_nfs_done_at: share/p2p/iso
|
||||
transmission_nfs_todo_at: share/p2p/iso.torrent
|
||||
|
||||
# Name used in file-names to identify the VPN
|
||||
vpn_name: my_vpn
|
||||
|
||||
# IP/CIDR of DMZ’ no-VPN network namespace when VPN is setup
|
||||
vpn_avoiding_ip_cidr: 192.168.1.240/24
|
||||
|
||||
# OpenVPN credentials
|
||||
vpn_login: my-vpn-login
|
||||
vpn_password: my-vpn-password
|
||||
|
||||
# OpenVPN settings
|
||||
vpn_ca_certificate: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
-----END CERTIFICATE-----
|
||||
vpn_interface_type: tun # or tap
|
||||
vpn_protocol: udp6 # or udp, tcp, tcp6
|
||||
vpn_server_host: vpn.example.org
|
||||
vpn_server_port: 1194
|
||||
vpn_tls_auth_key: |
|
||||
-----BEGIN OpenVPN Static key V1-----
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
…
|
||||
-----END OpenVPN Static key V1-----
|
||||
|
||||
# Name of the Wallabag database in PostgreSQL.
|
||||
wallabag_db: wallabag
|
||||
|
||||
|
@ -607,9 +589,6 @@ wallabag_db_user: wallabag
|
|||
# Password for the PostgreSQL user who owns the Wallabag database.
|
||||
wallabag_db_password: wallabag
|
||||
|
||||
# Space-separated list of the XMPP accounts that are considered administrators of the XMPP service.
|
||||
xmpp_admins: 'me@example.org'
|
||||
|
||||
# Network hosts from which registration is possible (else it is forbidden).
|
||||
# Registration of hosted users is automatic.
|
||||
xmpp_registration_hosts: '127.0.0.1 192.168.1.254 192.168.1.253 192.168.1.252'
|
|
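Review bot: The new `vpn_login`, `vpn_password` and `vpn_tls_auth_key` values in the `@ -598,6 +525,61 @@` hunk are committed as plaintext alongside the existing `ldap_rootpw` and `ssh_bastion_pwd_sha512` entries in this shared group-vars file, so anyone with read access to the repository or a checkout holds the VPN credentials and the static TLS-auth key. Even if these are meant as examples (the `…` certificate body and `iodine_password: 'dns-passwd'` in the `@ -216,14 +194,11 @@` hunk suggest so), the file gives no hint that they must be replaced or vaulted, and a copy-paste deployment will ship them as-is. Consider storing the secret-bearing keys as `!vault` values produced by `ansible-vault encrypt_string`, or moving them to a separate vaulted file, and adding `# example value — replace and encrypt with ansible-vault` above `vpn_login`. The YAML block scalar for `vpn_ca_certificate` also needs its continuation lines indented relative to the key; the rendered page drops indentation, so please confirm the committed file has it.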
@ -0,0 +1 @@
|
|||
../../../00_common_all.yaml
|
|
@ -0,0 +1,67 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
env: dev
|
||||
|
||||
# Short personal nickname that will be mostly used as part of filenames under /etc.
|
||||
nickname: mydev
|
||||
|
||||
# Hostname and IPv4 address of the DMZ.
|
||||
DMZ: front-dev
|
||||
DMZ_IP: 10.0.2.4
|
||||
|
||||
# Hostname and IPv4 address of the back-end server (with all the data).
|
||||
SafeZone: back-dev
|
||||
SafeZone_IP: 10.0.2.3
|
||||
|
||||
# Domain names that the certificate should cover.
|
||||
acme_domains: 'mydev.uk muc.mydev.uk pubsub.mydev.uk ssh.mydev.uk'
|
||||
|
||||
# Public key that Ansible will use to manage the server, and IP address of the controller PC.
|
||||
# The public key (`….pub` file) is generated as the result of running `ssh-keygen -t ed25519`.
|
||||
ansible_authorized_key: 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsidHzJhnXXRdWo4NUVmkMORcNN9k9RYaU4eSYgZ3hW me@my-pc'
|
||||
ansible_master: 192.168.1.252
|
||||
|
||||
# The email address associated to root, for commits in the git repository that stores changes to /etc.
|
||||
git_contact_email: hostmaster@mydev.uk
|
||||
|
||||
# Subdomain-name that will serve DNS packets for Iodine (DNS tunnel). Choose it short!
|
||||
iodine_domain: dt.mydev.uk
|
||||
|
||||
# Additional ACL for LDAP.
|
||||
# This is typically used to give extra powers to users, for example regarding aliases management.
|
||||
ldap_extra_acl: |
|
||||
access to dn.subtree="ou=Aliases,dc=mydev,dc=uk"
|
||||
by dn.base="uid=me,ou=Users,dc=mydev,dc=uk" write
|
||||
by self read
|
||||
by * read
|
||||
|
||||
# Root of the LDAP directory. Usually the domain-name with commas instead of dots, and “dc=” in front of each level.
|
||||
ldap_root: dc=mydev,dc=uk
|
||||
|
||||
# Non-system mail aliases (stored in LDAP, in contrast to system aliases, which are stored in /etc/mail/aliases).
|
||||
# Each entry in the list contains:
|
||||
# — alias: a unique mail alias, either new or with existing associated recipients;
|
||||
# — member: the login name of the user to add as a recipient for the alias.
|
||||
mail_alias_memberships: '[
|
||||
{"alias": "us", "member": "me"},
|
||||
{"alias": "us", "member": "you"}
|
||||
]'
|
||||
|
||||
# DKIM selector to use (see http://yalis.uk/cms/index.php/post/2014/01/31/Why-buy-a-domain-name-Secure-mail%2E).
|
||||
# See the “dmz_exim” role for the storage of the private and public keys.
|
||||
mail_dkim_selector: back-dev
|
||||
|
||||
# All local mail destinations, which include managed domains, as well as host names.
|
||||
mail_local_domains: 'back-dev front-dev localhost mydev.uk *.mydev.uk *.local'
|
||||
|
||||
# Motion monitored cameras
|
||||
motion_cameras: '[
|
||||
]'
|
||||
|
||||
# Start Of Authority: the root domain name configured on the server.
|
||||
net_soa: mydev.uk
|
||||
|
||||
# Space-separated list of the XMPP accounts that are considered administrators of the XMPP service.
|
||||
xmpp_admins: 'me@mydev.uk you@mydev.uk'
|
|
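Review bot: `ansible_authorized_key` in this new dev vars file carries what looks like a real ed25519 public key (`AAAAC3NzaC1lZDI1NTE5…`), whereas the prod file and the shared example use an obviously fake `AAAA0000bbbb…` placeholder. A public key is not a secret, but committing a genuine one means anyone who deploys these vars unmodified authorises the holder of the matching private key as the Ansible management identity on their dev hosts, and it also leaks which key identifies the author's controller. Replace it with the same placeholder pattern used for prod, or add `# example only — replace with your own controller key` above it. The empty `motion_cameras: '[\n]'` list is fine as JSON but a one-line comment saying the dev environment has no cameras would make the intent clear.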
@ -0,0 +1,8 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
hostname: back-dev
|
||||
ssh_allowed_users: 'root me you'
|
||||
software_to_add: '[]'
|
|
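Review bot: `ssh_allowed_users: 'root me you'` lists `root` among the accounts permitted to log in over SSH on the dev back-end, and the two front-dev host files that follow do the same with `'root {{ssh_bastion_user}}'`. If `ssh_allowed_users` feeds sshd's `AllowUsers` (inferred from the name — please confirm in the role), this re-enables direct root login wherever the dev containers are reachable from outside the host. Unless the containers are only ever reached through the podman connection plugin declared in the dev inventory, consider dropping `root` and granting `me`/`you` sudo instead, or add a comment stating why root SSH is acceptable in dev, e.g. `# root allowed here only because dev containers are reachable solely via the podman connection`.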
@ -0,0 +1,8 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
hostname: front-dev
|
||||
ssh_allowed_users: 'root {{ssh_bastion_user}}'
|
||||
software_to_add: '[]'
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
hostname: front-dev
|
||||
chroot: "/var/lib/machines/{{DMZ}}"
|
||||
ssh_allowed_users: 'root {{ssh_bastion_user}}'
|
||||
software_to_add: '[]'
|
|
@ -0,0 +1,9 @@
|
|||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
[back]
|
||||
back-dev ansible_connection=containers.podman.podman
|
||||
|
||||
[front]
|
||||
front-dev ansible_connection=containers.podman.podman
|
|
@ -0,0 +1 @@
|
|||
../../../00_common_all.yaml
|
|
@ -0,0 +1,83 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
env: prod
|
||||
|
||||
# Short personal nickname that will be mostly used as part of filenames under /etc.
|
||||
nickname: personal
|
||||
|
||||
# Hostname and IPv4 address of the DMZ.
|
||||
DMZ: dmz
|
||||
DMZ_IP: 192.168.1.254
|
||||
|
||||
# Hostname and IPv4 address of the back-end server (with all the data).
|
||||
SafeZone: home
|
||||
SafeZone_IP: 192.168.1.253
|
||||
|
||||
# Domain names that the certificate should cover.
|
||||
acme_domains: 'example.org muc.example.org pubsub.example.org ssh.example.org'
|
||||
|
||||
# Public key that Ansible will use to manage the server, and IP address of the controller PC.
|
||||
# The public key (`….pub` file) is generated as the result of running `ssh-keygen -t ed25519`.
|
||||
ansible_authorized_key: 'ssh-ed25519 AAAA0000bbbb1111CCCC2222dddd3333EEEE4444ffff5555GGGG6666hhhh7777IIII me@my-pc'
|
||||
ansible_master: 192.168.1.252
|
||||
|
||||
# The email address associated to root, for commits in the git repository that stores changes to /etc.
|
||||
git_contact_email: hostmaster@example.org
|
||||
|
||||
# Subdomain-name that will serve DNS packets for Iodine (DNS tunnel). Choose it short!
|
||||
iodine_domain: dt.example.org
|
||||
|
||||
# Additional ACL for LDAP.
|
||||
# This is typically used to give extra powers to users, for example regarding aliases management.
|
||||
ldap_extra_acl: |
|
||||
access to dn.subtree="ou=Aliases,dc=example,dc=org"
|
||||
by dn.base="uid=me,ou=Users,dc=example,dc=org" write
|
||||
by self read
|
||||
by * read
|
||||
|
||||
# Root of the LDAP directory. Usually the domain-name with commas instead of dots, and “dc=” in front of each level.
|
||||
ldap_root: dc=example,dc=org
|
||||
|
||||
# Non-system mail aliases (stored in LDAP, in contrast to system aliases, which are stored in /etc/mail/aliases).
|
||||
# Each entry in the list contains:
|
||||
# — alias: a unique mail alias, either new or with existing associated recipients;
|
||||
# — member: the login name of the user to add as a recipient for the alias.
|
||||
mail_alias_memberships: '[
|
||||
{"alias": "shop", "member": "you"},
|
||||
{"alias": "throwable", "member": "me"},
|
||||
{"alias": "family", "member": "me"},
|
||||
{"alias": "family", "member": "you"}
|
||||
]'
|
||||
|
||||
# DKIM selector to use (see http://yalis.fr/cms/index.php/post/2014/01/31/Why-buy-a-domain-name-Secure-mail%2E).
|
||||
# See the “dmz_exim” role for the storage of the private and public keys.
|
||||
mail_dkim_selector: home
|
||||
|
||||
# All local mail destinations, which include managed domains, as well as host names.
|
||||
mail_local_domains: 'home dmz localhost example.org *.example.org *.local'
|
||||
|
||||
# Motion monitored cameras
|
||||
motion_cameras: '[
|
||||
{
|
||||
"id": 1, "name": "street door",
|
||||
"url": "rtsp://user:password@street.example.org:554/videoMain",
|
||||
"width": 640, "height": 360,
|
||||
"mask_file": "example_mask_640_360.pgm",
|
||||
"framerate": 5
|
||||
},
|
||||
{
|
||||
"id": 2, "name": "garden door",
|
||||
"url": "rtsp://user:password@garden.example.org:554/videoMain",
|
||||
"width": 640, "height": 360,
|
||||
"mask_file": null,
|
||||
"framerate": 5
|
||||
}
|
||||
]'
|
||||
|
||||
# Start Of Authority: the root domain name configured on the server.
|
||||
net_soa: example.org
|
||||
|
||||
# Space-separated list of the XMPP accounts that are considered administrators of the XMPP service.
|
||||
xmpp_admins: 'me@example.org'
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
hostname: home
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
hostname: dmz
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
hostname: dmz
|
|
@ -1,5 +1,5 @@
|
|||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
[back]
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: stop some services
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: stop again services that may got started by handlers
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
[Unit]
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart dehydrated.service
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
### UPSTREAM BEGIN ⇒ ###
|
||||
|
@ -10,6 +10,12 @@
|
|||
msg: ACME
|
||||
### ⇐ UPSTREAM BEGIN ###
|
||||
|
||||
- name: install software (dev)
|
||||
package:
|
||||
# for Ansible crypto
|
||||
name: python-cryptography
|
||||
when: (env == 'dev')
|
||||
|
||||
- name: install dehydrated (Let’s Encrypt)
|
||||
include_role:
|
||||
name: aur.inc
|
||||
|
@ -68,6 +74,7 @@
|
|||
src: files/dehydrated.timer
|
||||
dest: /etc/systemd/system/dehydrated.timer
|
||||
mode: 0644
|
||||
when: (env == 'prod')
|
||||
notify:
|
||||
- restart dehydrated.service
|
||||
|
||||
|
@ -76,6 +83,45 @@
|
|||
daemon_reload: true
|
||||
name: dehydrated.timer
|
||||
enabled: true
|
||||
when: (env == 'prod')
|
||||
|
||||
## DEV
|
||||
|
||||
#https://docs.ansible.com/ansible/latest/collections/community/crypto/docsite/guide_selfsigned.html
|
||||
|
||||
- name: create private key (dev)
|
||||
community.crypto.openssl_privatekey:
|
||||
path: /var/lib/acme/self-signed.key
|
||||
when: (env == 'dev')
|
||||
|
||||
- name: create CSR (dev)
|
||||
community.crypto.openssl_csr:
|
||||
path: /var/lib/acme/self-signed.csr
|
||||
privatekey_path: /var/lib/acme/self-signed.key
|
||||
common_name: "{{net_soa}}"
|
||||
organization_name: "{{nickname}}"
|
||||
subject_alt_name: "{{acme_domains | split | map('regex_replace','^','DNS:')}}"
|
||||
subject_alt_name_critical: true
|
||||
when: (env == 'dev')
|
||||
|
||||
- name: create self-signed certificate (dev)
|
||||
community.crypto.x509_certificate:
|
||||
path: /var/lib/acme/self-signed.pem
|
||||
privatekey_path: /var/lib/acme/self-signed.key
|
||||
csr_path: /var/lib/acme/self-signed.csr
|
||||
provider: selfsigned
|
||||
when: (env == 'dev')
|
||||
|
||||
- name: deploy self-signed certificate (dev)
|
||||
command: >
|
||||
/etc/dehydrated/{{nickname}}-hook.sh deploy_cert
|
||||
{{net_soa}}
|
||||
/var/lib/acme/self-signed.key
|
||||
/var/lib/acme/self-signed.pem
|
||||
/var/lib/acme/self-signed.pem
|
||||
/dev/null
|
||||
{{ansible_date_time.epoch}}
|
||||
when: (env == 'dev')
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
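Review bot: The `create private key (dev)` task leaves owner and mode of `/var/lib/acme/self-signed.key` to the module defaults, so depending on the community.crypto version and the umask of the user the task runs as, the dev key may end up readable by other local accounts; pinning `mode: 0600` (and `owner`/`group` matching whatever consumes it) on that task is cheap, and the CSR/PEM tasks can take the same treatment if only the hook should read them. The `deploy self-signed certificate (dev)` command task has neither `changed_when` nor `creates`, so it reports changed and re-runs the deploy hook on every play even when key and certificate are unchanged; `changed_when: false`, or a `when` on the x509 task's registered result, would keep the run idempotent. Passing `/dev/null` as the CHAINFILE argument is fine for a self-signed certificate, but a one-line comment above the command such as `# CHAINFILE is empty for a self-signed cert, so /dev/null is passed` would spare the next reader a check of the hook's argument order.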
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
#CA="https://acme-staging.api.letsencrypt.org/directory"
|
||||
|
|
|
@ -1,18 +1,21 @@
|
|||
#!/usr/bin/env bash
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
#
|
||||
# NOTE: on 1st run, DMZ software is NOT YET INSTALLED!
|
||||
set -e
|
||||
|
||||
RSH=/usr/local/bin/{{DMZ}}
|
||||
ETC_CHANGED_{{hostname}}=
|
||||
ETC_CHANGED_{{DMZ}}=
|
||||
ETC_CHANGED_{{hostname | regex_replace('-', '_')}}=
|
||||
ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}=
|
||||
|
||||
etckeeper_hook() {
|
||||
if [ -n "$ETC_CHANGED_{{hostname}}" ]; then
|
||||
etc_stop_local 'ACME update'
|
||||
fi
|
||||
if [ -n "$ETC_CHANGED_{{DMZ}}" ]; then
|
||||
$RSH "etc_stop_local 'ACME update'"
|
||||
$RSH "etc_stop_local 'ACME update' || true"
|
||||
fi
|
||||
}
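Review bot: The two tests inside etckeeper_hook still read `$ETC_CHANGED_{{hostname}}` and `$ETC_CHANGED_{{DMZ}}`, while the assignments above them and the `=1` lines in the deploy_exim, deploy_prosody and deploy_haproxy hunks now use the `regex_replace('-', '_')` names; as rendered those `if` lines look like unchanged context, so with a hyphenated host or DMZ name the shell expands `$ETC_CHANGED_my` followed by a literal `-host`, and `-n` is true on every run. The checks should use the same sanitised names: `if [ -n "$ETC_CHANGED_{{hostname | regex_replace('-', '_')}}" ]; then` and `if [ -n "$ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}" ]; then`. In the deploy_exim and deploy_prosody hunks (whose function bodies start before their hunks), the new `copy` snippet falls back to `chmod 444 $1` when the service account does not exist yet (the first-run case the header NOTE describes), which leaves the TLS private key passed as `$2` world-readable on the DMZ until something re-deploys it; if the goal is that the account can read the key once it exists, keeping `chmod 400` in both branches and repairing ownership on later runs (an `id`-guarded `chown` executed through `$RSH` before the `-mmin` early return) achieves that without the world-readable window, and writing `id exim >/dev/null 2>&1` also stops `id` from printing into the hook output. A `umask 077` at the start of each snippet would likewise close the gap between `cat >$1` and the `chmod`, including in the haproxy copy.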
|
||||
|
||||
|
@ -37,11 +40,11 @@ deploy_exim() {
|
|||
&& $RSH 'find /etc/mail/exim.{pem,crt} -mmin -$((1+($(date +%s)-${1})/60)) -printf . | grep -q ..' ${6%.*}; then
|
||||
return 0
|
||||
fi
|
||||
local copy='cat >$1; chown exim $1; chmod 400 $1; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
|
||||
local copy='[ -d /etc/mail ] || mkdir -p /etc/mail; cat >$1; if id exim 2>/dev/null; then chown exim $1; chmod 400 $1; else chmod 444 $1; fi; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
|
||||
$RSH "$copy" /etc/mail/exim.pem $6 <"$2"
|
||||
$RSH "$copy" /etc/mail/exim.crt $6 <"$4"
|
||||
systemctl -M {{DMZ}} reload exim.service
|
||||
ETC_CHANGED_{{DMZ}}=1
|
||||
$RSH 'systemctl reload exim.service || true'
|
||||
ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}=1
|
||||
}
|
||||
|
||||
# $1: force|test; $2: KEYFILE; $3: CERTFILE; $4: FULLCHAINFILE; $5: CHAINFILE; $6: TIMESTAMP
|
||||
|
@ -51,11 +54,11 @@ deploy_prosody() {
|
|||
&& $RSH 'find /etc/prosody/certs/{{net_soa}}.{key,crt} -mmin -$((1+($(date +%s)-${1})/60)) -printf . | grep -q ..' ${6%.*}; then
|
||||
return 0
|
||||
fi
|
||||
local copy='cat >$1; chown prosody $1; chmod 400 $1; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
|
||||
local copy='[ -d /etc/prosody/certs ] || mkdir -p /etc/prosody/certs; cat >$1; if id prosody 2>/dev/null; then chown prosody $1; chmod 400 $1; else chmod 444 $1; fi; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
|
||||
$RSH "$copy" /etc/prosody/certs/{{net_soa}}.key $6 <"$2"
|
||||
$RSH "$copy" /etc/prosody/certs/{{net_soa}}.crt $6 <"$4"
|
||||
systemctl -M {{DMZ}} reload prosody.service
|
||||
ETC_CHANGED_{{DMZ}}=1
|
||||
$RSH 'systemctl reload prosody.service || true'
|
||||
ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}=1
|
||||
}
|
||||
|
||||
# $1: force|test; $2: KEYFILE; $3: CERTFILE; $4: FULLCHAINFILE; $5: CHAINFILE; $6: TIMESTAMP
|
||||
|
@ -65,10 +68,10 @@ deploy_haproxy() {
|
|||
&& $RSH 'find /etc/haproxy/tls.pem -mmin -$((1+($(date +%s)-${1})/60)) -printf . | grep -q .' ${6%.*}; then
|
||||
return 0
|
||||
fi
|
||||
local copy='cat >$1; chmod 400 $1; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
|
||||
local copy='[ -d /etc/haproxy ] || mkdir -p /etc/haproxy; cat >$1; chmod 400 $1; touch -t $(date +%Y%m%d%H%M -d @$2) $1'
|
||||
cat "$4" "$2" | $RSH "$copy" /etc/haproxy/tls.pem $6
|
||||
systemctl -M {{DMZ}} reload haproxy.service
|
||||
ETC_CHANGED_{{DMZ}}=1
|
||||
$RSH 'systemctl reload haproxy.service || true'
|
||||
ETC_CHANGED_{{DMZ | regex_replace('-', '_')}}=1
|
||||
}
|
||||
|
||||
deploy_cert() {
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: ensure /srv/acme exists
|
||||
|
@ -20,7 +20,7 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
# mandatory parameters: pkg_name, pre_cmd, aur_user
|
||||
# mandatory parameters: pkg_name, pre_cmd, aur_name, aur_home
|
||||
|
||||
- name: AUR → {{pkg_name}} → read current version
|
||||
shell: |
|
||||
|
@ -14,7 +14,7 @@
|
|||
- name: AUR → {{pkg_name}} → get metadata from AurJson
|
||||
uri:
|
||||
url: https://aur.archlinux.org/rpc/?v=5&type=info&arg={{pkg_name | mandatory}}
|
||||
connection: local
|
||||
delegate_to: localhost
|
||||
register: aurjson
|
||||
changed_when: false
|
||||
|
||||
|
@ -22,7 +22,7 @@
|
|||
get_url:
|
||||
url: https://aur.archlinux.org{{aurjson.json.results[0].URLPath}}
|
||||
dest: /tmp/
|
||||
connection: local
|
||||
delegate_to: localhost
|
||||
when:
|
||||
- (aurjson.json.results[0].Version != (pacmanQi.stdout | default()))
|
||||
register: aur_recipe
|
||||
|
@ -41,10 +41,14 @@
|
|||
block:
|
||||
|
||||
- name: AUR → {{pkg_name}} → run custom pre-processing commands
|
||||
shell: "{{pre_cmd}}"
|
||||
shell: |
|
||||
set -x
|
||||
{{pre_cmd}}
|
||||
args:
|
||||
chdir: /var/tmp/{{aurjson.json.results[0].PackageBase}}
|
||||
when: pre_cmd
|
||||
environment:
|
||||
HOME: "{{aur_home}}"
|
||||
register: debugCustom
|
||||
|
||||
- name: AUR → {{pkg_name}} → see custom pre-processing commands’ result
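Review bot: With `set -x` prepended, every expanded command line from `pre_cmd` is written to stderr, and because the task registers `debugCustom` for the following "see custom pre-processing commands’ result" task, that trace ends up in the play output; that is handy for debugging, but anything sensitive an operator puts in `pre_cmd` (tokens, URLs with embedded credentials) is logged with it. A comment above the task, `# set -x: the trace is surfaced by the next task; keep secrets out of pre_cmd`, would make the trade-off explicit, and a `no_log` toggle is worth considering if `pre_cmd` can ever carry secrets. The enclosing `block:` starts before this hunk.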
|
||||
|
@ -86,6 +90,8 @@
|
|||
- (pacman_output.stdout is defined)
|
||||
- (pacman_output.stdout.find('there is nothing to do') == -1)
|
||||
|
||||
environment:
|
||||
HOME: "{{aur_home}}"
|
||||
when:
|
||||
- (realVersion.stdout != (pacmanQi.stdout | default()))
|
||||
|
||||
|
@ -97,7 +103,7 @@
|
|||
changed_when: false
|
||||
|
||||
become: true
|
||||
become_user: "{{aur_user}}"
|
||||
become_user: "{{aur_name}}"
|
||||
when:
|
||||
- (aurjson.json.results[0].Version != (pacmanQi.stdout | default()))
|
||||
|
||||
|
@ -106,6 +112,6 @@
|
|||
file:
|
||||
path: '{{aur_recipe.dest}}'
|
||||
state: absent
|
||||
connection: local
|
||||
delegate_to: localhost
|
||||
become: false
|
||||
changed_when: false
|
||||
|
|
|
@ -1,28 +1,61 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
# mandatory parameters:
|
||||
# - pkg_names (json-encoded list)
|
||||
# - aur_user
|
||||
|
||||
- name: AUR → base-devel needed while building
|
||||
become: false
|
||||
command: |
|
||||
pacman -S --noconfirm --noprogressbar --asdeps --needed base-devel
|
||||
- name: AUR → read (or create) requested HOME while running AUR tasks
|
||||
shell: |
|
||||
case "$aur_requested_home" in
|
||||
'') printf '%s' "$HOME" ;;
|
||||
'!mktemp') sudo -u "$aur_user_name" mktemp -d /tmp/AUR-TEMP-HOME-XXXX ;;
|
||||
*) printf '%s' "$aur_requested_home" ;;
|
||||
esac
|
||||
environment:
|
||||
aur_requested_home: "{{(aur_user is mapping) | ternary(aur_user.home, '')}}"
|
||||
aur_user_name: "{{(aur_user is mapping) | ternary(aur_user.name, aur_user)}}"
|
||||
register: requestedHome
|
||||
changed_when: false
|
||||
|
||||
- name: AUR → proceed with installation
|
||||
- name: AUR → run AUR tasks
|
||||
block:
|
||||
- name: AUR → installation
|
||||
include_tasks: install.yml
|
||||
vars:
|
||||
pkg_name: "{{(item is mapping) | ternary(item.pkg, item)}}"
|
||||
pre_cmd: "{{(item is mapping) | ternary(item.pre, '')}}"
|
||||
with_items: "{{packages}}"
|
||||
always:
|
||||
- name: AUR → remove base-devel and dependencies
|
||||
shell: |
|
||||
pacman -Rns --noconfirm --noprogressbar $(pacman -Qtdqg base-devel) || true
|
||||
|
||||
- name: AUR → see effective HOME
|
||||
debug:
|
||||
var: requestedHome
|
||||
changed_when: false
|
||||
|
||||
- name: AUR → base-devel needed while building
|
||||
become: false
|
||||
command: |
|
||||
pacman -S --noconfirm --noprogressbar --asdeps --needed base-devel
|
||||
changed_when: false
|
||||
|
||||
- name: AUR → proceed with installation
|
||||
block:
|
||||
- name: AUR → installation
|
||||
include_tasks: install.yml
|
||||
vars:
|
||||
aur_name: "{{(aur_user is mapping) | ternary(aur_user.name, aur_user)}}"
|
||||
aur_home: "{{requestedHome.stdout}}"
|
||||
pkg_name: "{{(item is mapping) | ternary(item.pkg, item)}}"
|
||||
pre_cmd: "{{(item is mapping) | ternary(item.pre, '')}}"
|
||||
with_items: "{{packages}}"
|
||||
always:
|
||||
- name: AUR → remove base-devel and dependencies
|
||||
shell: |
|
||||
pacman -Rns --noconfirm --noprogressbar base-devel || true
|
||||
changed_when: false
|
||||
|
||||
always:
|
||||
- name: AUR → remove temporary HOME
|
||||
file:
|
||||
path: "{{requestedHome.stdout}}"
|
||||
state: absent
|
||||
when:
|
||||
- (aur_user is mapping)
|
||||
- (aur_user.home == '!mktemp')
|
||||
changed_when: false
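Review bot: The `read (or create) requested HOME` task falls back to `printf '%s' "$HOME"` when `aur_user` is a plain name, which is the HOME of the account that shell task itself runs as, not the HOME of `$aur_user_name`; `install.yml` then exports that path as `HOME` for steps that, as far as the visible hunks show, run with `become_user: "{{aur_name}}"`, so the build user may be pointed at a directory it cannot write — if so, `getent passwd "$aur_user_name" | cut -d: -f6` in the `''` branch would resolve the right home. The `'!mktemp'` branch shells out to `sudo -u`, while the rest of the role relies on `become`; a `tempfile` task with `state: directory` and `become_user` set would avoid depending on sudo being present on the target, and a temporary-home name with more than four `X` characters costs nothing. Replacing `$(pacman -Qtdqg base-devel)` by a bare `pacman -Rns base-devel` is a behavioural change worth a comment: if base-devel is still a package group on the target, it removes every member, including packages the host had before the play, whereas the old form only removed orphaned members.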
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
### UPSTREAM BEGIN ⇒ ###
|
||||
|
@ -36,6 +36,10 @@
|
|||
- (update_result.stdout is defined)
|
||||
- (update_result.stdout.find('there is nothing to do') == -1)
|
||||
|
||||
- name: setup arch-chroot (dev)
|
||||
include_role: name=dev.inc allow_duplicates=true tasks_from=arch-chroot.yml
|
||||
when: (env == 'dev')
|
||||
|
||||
### UPSTREAM END ⇒ ###
|
||||
- name: merge upstream
|
||||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
### UPSTREAM BEGIN ⇒ ###
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart ddclient@fdns.service
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: initialize the ddclient software
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart ddclient@henet.service
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: initialize the ddclient software
|
||||
|
@ -46,7 +46,7 @@
|
|||
- name: post-update script for he.net
|
||||
copy:
|
||||
content: |
|
||||
#!/bin/bash
|
||||
#!/usr/bin/env bash
|
||||
# $1: new IP address
|
||||
if [ -f /etc/conf.d/iodined ]; then
|
||||
sed -i "s/^IODINE_EXT_IP=.*/IODINE_EXT_IP='$1'/" /etc/conf.d/iodined
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
- name: replace /usr/bin/arch-chroot in Podman
|
||||
copy:
|
||||
content: |
|
||||
#!/usr/bin/env bash
|
||||
args=()
|
||||
while [ $# -gt 1 ]; do shift; args+=("$(printf "%q" "$1")"); done
|
||||
[ -t 0 ] && t=-t || t=-T
|
||||
exec ssh -i ~/.ssh/id-chroot -o StrictHostKeyChecking=no $t -p 20022 -t 10.0.2.2 "${args[@]}"
|
||||
dest: /usr/bin/arch-chroot
|
||||
mode: 0755
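Review bot: `-o StrictHostKeyChecking=no` disables host-key verification for every call of the replacement arch-chroot, so a changed key on 10.0.2.2 is accepted silently; `-o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=~/.ssh/known_hosts.chroot` keeps the first-connection convenience while still refusing a key that later changes. The argument loop deliberately drops `$1`, the chroot path the callers pass, which deserves a comment such as `# $1 (the chroot directory) is discarded: the command runs on the host side of the container gateway`, and `-t` is passed once via `$t` and once literally. Unlike the other task files in this commit this one has no `---` and no licence header, and the task carries no `when: (env == 'dev')` of its own, so it relies entirely on the including `setup arch-chroot (dev)` task to gate it.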
|
|
@ -1,10 +1,10 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: make sure the path to dotclear exists
|
||||
|
@ -13,7 +13,7 @@
|
|||
get_url:
|
||||
url: 'http://download.dotclear.org/latest.tar.gz'
|
||||
dest: /tmp/
|
||||
connection: local
|
||||
delegate_to: localhost
|
||||
register: targz
|
||||
changed_when: false
|
||||
|
||||
|
@ -58,7 +58,7 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
<?php
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
if (!defined('DC_RC_PATH')) { return; }
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
<?php
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
# https://fr.dotclear.org/documentation/2.0/resources/authentication
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart spamassassin-update.timer
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
### UPSTREAM BEGIN ⇒ ###
|
||||
|
@ -193,22 +193,34 @@
|
|||
regexp: '^(?:#\s*)?root:'
|
||||
line: "root: {{mail_forward_root_to}}"
|
||||
|
||||
- name: send DKIM private key
|
||||
- name: send DKIM private key (prod)
|
||||
copy:
|
||||
src: files/{{net_soa}}_dkim.privk.pem
|
||||
dest: /etc/mail/{{net_soa}}_dkim.privk.pem
|
||||
owner: exim
|
||||
group: exim
|
||||
mode: 0400
|
||||
when: (env == 'prod')
|
||||
notify:
|
||||
- restart exim.service
|
||||
|
||||
- name: set smarthost name
|
||||
- name: create DKIM private key (dev)
|
||||
shell: |
|
||||
# https://dkimcore.org/specification.html
|
||||
openssl genrsa -out /etc/mail/{{net_soa}}_dkim.privk.pem 1024
|
||||
openssl rsa -in /etc/mail/{{net_soa}}_dkim.privk.pem -pubout >/etc/mail/{{net_soa}}_dkim.pubk.pem
|
||||
chown exim:exim /etc/mail/{{net_soa}}_dkim.*.pem
|
||||
chmod 0400 /etc/mail/{{net_soa}}_dkim.*.pem
|
||||
when: (env == 'dev')
|
||||
notify:
|
||||
- restart exim.service
|
||||
|
||||
- name: disable smarthost
|
||||
lineinfile:
|
||||
path: /etc/mail/exim.conf
|
||||
regexp: '^(?:#\s*)?ROUTER_SMARTHOST\s*='
|
||||
line: |
|
||||
ROUTER_SMARTHOST={{mail_smtp_smarthost}}
|
||||
regexp: '^(\s*ROUTER_SMARTHOST\s*=.*)'
|
||||
backrefs: true
|
||||
line: '#\\1'
|
||||
notify:
|
||||
- restart exim.service
|
||||
|
||||
|
@ -278,18 +290,11 @@
|
|||
notify:
|
||||
- restart exim.service
|
||||
|
||||
- name: set TLS parameters for OpenSSL (old)
|
||||
blockinfile:
|
||||
- name: set TLS parameters for OpenSSL
|
||||
replace:
|
||||
path: /etc/mail/exim.conf
|
||||
marker: '# {mark} OpenSSL parameters'
|
||||
block: |
|
||||
insertafter: '^tls_advertise_hosts\s*='
|
||||
|
||||
- name: set TLS parameters for OpenSSL (new)
|
||||
lineinfile:
|
||||
path: /etc/mail/exim.conf
|
||||
regexp: '^(?:#\s*)?tls_require_ciphers\s*='
|
||||
line: 'tls_require_ciphers = {{tls_ciphers}}'
|
||||
regexp: '(.ifdef\s+_HAVE_OPENSSL\s*\n\s*)#?(\s*)tls_require_ciphers\s*=.*$'
|
||||
replace: '\1\2tls_require_ciphers = {{tls_ciphers}}'
|
||||
notify:
|
||||
- restart exim.service
|
||||
|
||||
|
@ -365,14 +370,15 @@
|
|||
notify:
|
||||
- restart exim.service
|
||||
|
||||
# 2023-05-20: disabled because too many legitimate rejected emails coming from GMail
|
||||
- name: deny mail RCPT from SpamHaus SBL
|
||||
blockinfile:
|
||||
path: /etc/mail/exim.conf
|
||||
marker: ' # {mark} SpamHaus SBL ACL'
|
||||
block: |
|
||||
deny message = rejected because $sender_host_address is in a \
|
||||
black list at SpamHaus SBL
|
||||
dnslists = sbl.spamhaus.org
|
||||
# deny message = rejected because $sender_host_address is in a \
|
||||
# black list at SpamHaus SBL
|
||||
# dnslists = sbl.spamhaus.org
|
||||
insertbefore: '^\s*#\s*warn\s+dnslists\s*='
|
||||
notify:
|
||||
- restart exim.service
|
||||
|
@ -399,21 +405,19 @@
|
|||
|
||||
# TODO: https://github.com/Exim/exim/wiki/SimpleGreylisting (with SPAM≥1.0)
|
||||
|
||||
- name: use remote_smtp for smarthost delivery
|
||||
lineinfile:
|
||||
- name: set IP addresses to be ignored (base)
|
||||
replace:
|
||||
path: /etc/mail/exim.conf
|
||||
regexp: '^(\s*transport\s*=)'
|
||||
backrefs: true
|
||||
line: "\\1 remote_smtp"
|
||||
regexp: '^(\s*ignore_target_hosts\s*=)(?! <; 0\.0\.0\.0 ; 127\.0\.0\.0/8 ; ::1).*$'
|
||||
replace: "\1 <; 0.0.0.0 ; 127.0.0.0/8 ; ::1"
|
||||
notify:
|
||||
- restart exim.service
|
||||
|
||||
- name: set IP addresses to be ignored
|
||||
lineinfile:
|
||||
- name: set IP addresses to be ignored (addition)
|
||||
replace:
|
||||
path: /etc/mail/exim.conf
|
||||
regexp: '^(\s*ignore_target_hosts\s*=.*::1)(?! ; {{mail_ignore_ip | replace(" ", " ; ")}}$)'
|
||||
backrefs: true
|
||||
line: "\\1 ; {{mail_ignore_ip | replace(' ', ' ; ')}}"
|
||||
regexp: '^(\s*ignore_target_hosts\s*= <; 0\.0\.0\.0 ; 127\.0\.0\.0/8 ; ::1)$'
|
||||
replace: "\1 ; {{mail_ignore_ip | replace(' ', ' ; ')}}"
|
||||
when:
|
||||
- mail_ignore_ip != ""
|
||||
notify:
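Review bot: `replace: "\1 <; 0.0.0.0 ; 127.0.0.0/8 ; ::1"` and `replace: "\1 ; {{mail_ignore_ip | replace(' ', ' ; ')}}"` put `\1` inside a YAML double-quoted scalar, where `\1` is not a recognised escape and the loader rejects the whole file; the removed line had it right with `"\\1 remote_smtp"`. Either single-quote the first, `replace: '\1 <; 0.0.0.0 ; 127.0.0.0/8 ; ::1'`, or double the backslash in both, `"\\1 ; {{mail_ignore_ip | replace(' ', ' ; ')}}"` for the second, whose inner single quotes force double quoting. Two sibling hunks have related quoting slips: in `@ -193,22 +193,34 @@` the `disable smarthost` task uses `line: '#\\1'`, which a single-quoted scalar hands to lineinfile as `#\\1` and its backreference expansion turns into the literal text `#\1` instead of the commented-out original, so it should read `line: '#\1'`; and in `@ -498,24 +502,24 @@` the `configure remote SMTP` regexp `'^(remote_smtp:\s*\n\s*driver\s*=\s*smtp\s*)$(?!\n\s*dkim_canon =)` has no closing quote as rendered, so the scalar runs on into the following lines. The `.ifdef` in the TLS parameters regexp of `@ -278,18 +290,11 @@` should be `\.ifdef` to match the literal dot rather than any character.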
|
||||
|
@ -498,24 +502,24 @@
|
|||
marker: ' # {mark} LMTP transport'
|
||||
block: |
|
||||
lmtp_transport:
|
||||
driver = smtp
|
||||
protocol = lmtp
|
||||
rcpt_include_affixes
|
||||
port = 24
|
||||
driver = lmtp
|
||||
socket = /run/shared_sockets/lmtp
|
||||
timeout = 1m
|
||||
insertbefore: '^# This transport is used'
|
||||
notify:
|
||||
- restart exim.service
|
||||
|
||||
- name: enable DKIM on outgoing emails
|
||||
blockinfile:
|
||||
- name: configure remote SMTP for outgoing emails
|
||||
replace:
|
||||
path: /etc/mail/exim.conf
|
||||
marker: ' # {mark} outgoing DKIM signing'
|
||||
block: |
|
||||
regexp: '^(remote_smtp:\s*\n\s*driver\s*=\s*smtp\s*)$(?!\n\s*dkim_canon =)
|
||||
replace: |
|
||||
\1
|
||||
dkim_canon = relaxed
|
||||
dkim_domain = {{net_soa}}
|
||||
dkim_private_key = /etc/mail/{{net_soa}}_dkim.privk.pem
|
||||
dkim_selector = {{mail_dkim_selector}}
|
||||
insertafter: '^\s*driver\s*=\s*smtp\s*$'
|
||||
helo_data = {{net_soa}}
|
||||
notify:
|
||||
- restart exim.service
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart haproxy.service
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
### UPSTREAM BEGIN ⇒ ###
|
||||
|
@ -34,8 +34,8 @@
|
|||
copy:
|
||||
content: |
|
||||
[Unit]
|
||||
Wants=nginx.service
|
||||
After=nginx.service
|
||||
Wants=openresty.service
|
||||
After=openresty.service
|
||||
dest: /etc/systemd/system/haproxy.service.d/wants_nginx.conf
|
||||
mode: 0644
|
||||
notify:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
global
|
||||
|
@ -27,6 +27,7 @@ defaults
|
|||
|
||||
frontend imaps
|
||||
bind :993 ssl crt /etc/haproxy/tls.pem
|
||||
bind :::993 ssl crt /etc/haproxy/tls.pem
|
||||
default_backend imap
|
||||
|
||||
backend imap
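Review bot: `bind :::993` next to `bind :993` (and the same pairs for 80, 443 and 444 in the two following hunks) is only unambiguous if the IPv6 socket is v6-only: on Linux with `net.ipv6.bindv6only = 0` the `:::` listener is dual-stack and overlaps the IPv4 one, and which of the two accepts a given IPv4 connection is then decided by the kernel rather than by this file. Either add `v6only` to each `:::` line, or collapse each pair into one explicit dual-stack listener such as `bind :::993 v4v6 ssl crt /etc/haproxy/tls.pem`, so the address-family behaviour no longer depends on the host sysctl.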
|
||||
|
@ -34,10 +35,12 @@ backend imap
|
|||
|
||||
frontend text
|
||||
bind :80
|
||||
bind :::80
|
||||
default_backend http
|
||||
|
||||
frontend tls
|
||||
bind :443 ssl crt /etc/haproxy/tls.pem
|
||||
bind :::443 ssl crt /etc/haproxy/tls.pem
|
||||
|
||||
tcp-request inspect-delay 2s
|
||||
# check SNI for the SSH domain
|
||||
|
@ -57,6 +60,7 @@ frontend tls
|
|||
|
||||
frontend tls_plus
|
||||
bind :444 ssl crt /etc/haproxy/tls.pem
|
||||
bind :::444 ssl crt /etc/haproxy/tls.pem
|
||||
default_backend https_plus
|
||||
|
||||
backend ssh
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: configure nginx for Gitea
|
||||
|
@ -19,7 +19,30 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
- name: configure SSO
|
||||
copy:
|
||||
content: |
|
||||
{ "patterns": [{
|
||||
"lua_regex": [
|
||||
"^{{http_pfx_gitea}}/admin",
|
||||
"^{{http_pfx_gitea}}/repo/create",
|
||||
"^{{http_pfx_gitea}}/repo/migrate",
|
||||
"^{{http_pfx_gitea}}/org/create",
|
||||
"^{{http_pfx_gitea}}/.-/wiki/_new"
|
||||
],
|
||||
"allow": ["*"]
|
||||
},{
|
||||
"lua_regex": ["^{{http_pfx_gitea}}/"],
|
||||
"public": true,
|
||||
"portal": {"{{http_pfx_gitea}}/": "Git"}
|
||||
}]
|
||||
}
|
||||
dest: /etc/nginx/ssso/sites/git.json
|
||||
when: (is_sso_used is defined)
|
||||
notify:
|
||||
- restart openresty.service
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
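Review bot: The SSO rules protect only five explicit routes (`/admin`, `/repo/create`, `/repo/migrate`, `/org/create`, `/.-/wiki/_new`) and mark everything else under `{{http_pfx_gitea}}/` as public, so user settings, per-repository settings and the `/api/v1/` endpoints pass the SSO layer without it and rely on Gitea's own login; if that split is intentional, a comment above the `content` block saying that Gitea authenticates the public paths itself would stop the next reader from treating the short list as an omission. The prefix is spliced raw into Lua patterns, so a `-`, `.` or `%` in `http_pfx_gitea` would change their meaning; a comment stating that the prefix must consist of plain letters and `/`, or escaping those characters before templating, would make the assumption explicit. How precedence between the two rule objects is resolved is up to the ssso module and is not visible here.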
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
### UPSTREAM BEGIN ⇒ ###
|
||||
|
@ -171,7 +171,7 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: create a directory for the Motion web page
|
||||
|
@ -45,7 +45,7 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart movim.service
|
||||
|
@ -9,8 +9,8 @@
|
|||
name: movim.service
|
||||
state: restarted
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
### UPSTREAM BEGIN ⇒ ###
|
||||
|
@ -122,7 +122,7 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: configure Nginx for Nextcloud
|
||||
|
@ -11,7 +11,7 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
- name: configure Nginx for LibreOffice OnLine
|
||||
template:
|
||||
|
@ -21,7 +21,7 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
# Nextcloud BUG
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
# https://docs.nextcloud.com/server/12/admin_manual/installation/nginx.html
|
||||
|
|
|
@ -1,15 +1,15 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: create tmpfiles
|
||||
command: systemd-tmpfiles --create
|
||||
command: systemd-tmpfiles --create /etc/tmpfiles.d/run_http.conf
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
||||
|
||||
- name: restart php-fpm.service
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
### UPSTREAM BEGIN ⇒ ###
|
||||
|
@ -10,13 +10,71 @@
|
|||
msg: nginx
|
||||
### ⇐ UPSTREAM BEGIN ###
|
||||
|
||||
- name: install software
|
||||
- name: uninstall software
|
||||
package:
|
||||
name: "{{item}}"
|
||||
state: present
|
||||
state: absent
|
||||
with_items:
|
||||
# - nginx-mainline # nginx-mainline must now be built from official PKGBUILD :-(
|
||||
- php-fpm
|
||||
# 2023-05-20: removed
|
||||
- nginx-mainline
|
||||
|
||||
- name: install AUR software
|
||||
include_role:
|
||||
name: aur.inc
|
||||
allow_duplicates: true
|
||||
vars:
|
||||
packages:
|
||||
- pkg: openresty
|
||||
pre: |
|
||||
# harden the systemd service
|
||||
sed -ri '
|
||||
/\[Unit\]/ a\
|
||||
After=systemd-tmpfiles-setup.service\
|
||||
After=php-fpm.service
|
||||
/\[Service\]/ a\
|
||||
User=http\
|
||||
Group=http\
|
||||
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT\
|
||||
PrivateTmp=true\
|
||||
PrivateDevices=true\
|
||||
ProtectSystem=full\
|
||||
ProtectHome=true\
|
||||
ReadWritePaths=/var/log/nginx\
|
||||
NoNewPrivileges=true\
|
||||
ExecStartPre=-/usr/bin/find /var/log/nginx/ -type f -user root -delete\
|
||||
ExecStartPre=/usr/bin/sh -c '"'"'rm -f /run/shared_sockets/http*.pp'"'"'
|
||||
s|/run/openresty.pid|/run/http/nginx.pid|g
|
||||
' service
|
||||
# compute the hash of the new service file
|
||||
srvHash=$(sha256sum service | awk '{print $1}')
|
||||
# — choose /etc/nginx as Nginx configuration location
|
||||
# — choose /run/http/ for Nginx PID and lock files location
|
||||
# — choose /var/log/nginx/ as Nginx compiled-in logs location
|
||||
# — choose /var/tmp/ as Nginx runtime temporary folder
|
||||
# — replace the old service hash with the computed one
|
||||
# — remove signature source files as they make the build fail
|
||||
# — disable unused features of OpenResty/Nginx
|
||||
sed -ri "
|
||||
s#_cfgdir=.*#_cfgdir=/etc/nginx#
|
||||
/build\\(\\)/ i\\
|
||||
for ((_src=0; _src<\${{ '{#source[*]}' }}; _src++)); do if [ "\${source[\$_src]}" == service ]; then\\
|
||||
sha256sums[\$_src]='$srvHash'\\
|
||||
fi; done\\
|
||||
for ((_src=\${{ '{#source[*]}' }}-1; _src>=0; _src--)); do if [[ "\${source[\$_src]}" =~ \\\\.asc\$ ]]; then\\
|
||||
_last=\$((\${{ '{#source[*]}' }}-1))\\
|
||||
source[\$_src]=\"\${source[\$_last]}\"; unset source[\$_last]\\
|
||||
sha256sums[\$_src]=\"\${sha256sums[\$_last]}\"; unset sha256sums[\$_last]\\
|
||||
fi; done\\
|
||||
unset _last _src
|
||||
s/^( *)#( *--(without-.*redis|without-lua_rds|without-.*mysql|without-.*scgi))/\\1\\2/
|
||||
s|^( *)#( *--pid-path=).*|\\1\\2/run/http/nginx.pid \\\\|
|
||||
s|^( *)#( *--lock-path=).*|\\1\\2/run/http/nginx.lock \\\\|
|
||||
s|^( *)#( *--error-log-path=).*|\\1\\2/var/log/nginx/error.log \\\\|
|
||||
s|^( *)#( *--http-log-path=).*|\\1\\2/var/log/nginx/access.log \\\\|
|
||||
/^ *--with-mail|^ *#/d
|
||||
s| +#.*||
|
||||
" PKGBUILD
|
||||
cat PKGBUILD
|
||||
|
||||
### UPSTREAM END ⇒ ###
|
||||
- name: merge upstream
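Review bot: The `pre:` script removes every `.asc` source and its checksum slot from the PKGBUILD (the loop inserted before `build()`), which disables upstream signature verification of the openresty tarball; the build is then anchored only on the sha256sums left in the PKGBUILD, of which the `service` entry is itself overwritten with a locally computed hash. If the signature step fails only because the maintainer key is absent, importing that key (or verifying the tarball once out of band) keeps a supply-chain check the commit otherwise drops silently, and the comment `# — remove signature source files as they make the build fail` should at least name the error being worked around. Separately, `ExecStartPre=-/usr/bin/find /var/log/nginx/ -type f -user root -delete` deletes root-owned log files on every service start, which presumably clears logs left by the unhardened unit but may also remove files created by logrotate; a `chown` would preserve them. The enclosing task list continues below the hunk.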
|
||||
|
@ -25,11 +83,19 @@
|
|||
msg: nginx
|
||||
### ⇐ UPSTREAM END ###
|
||||
|
||||
- name: create a directory for the PID files
|
||||
- name: fix logrotate.d/openresty
|
||||
lineinfile:
|
||||
path: /etc/logrotate.d/openresty
|
||||
backrefs: true
|
||||
regexp: '^(\s*test -r )/run/'
|
||||
line: '\1/run/http/nginx.pid && kill -USR1 `cat /run/http/nginx.pid`'
|
||||
|
||||
- name: create Nginx working directories
|
||||
copy:
|
||||
content: |
|
||||
#Type Path Mode UID GID Age Argument
|
||||
d /run/http 775 http http - -
|
||||
#Type Path Mode UID GID Age Argument
|
||||
d /run/http 775 http http - -
|
||||
d /var/log/nginx 775 http http - -
|
||||
dest: /etc/tmpfiles.d/run_http.conf
|
||||
mode: 0644
|
||||
notify:
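Review bot: `fix logrotate.d/openresty` relies on `backrefs: true`, so if `^(\s*test -r )/run/` does not match the shipped postrotate line (a packaging change in the wording, for example) `lineinfile` silently leaves the file untouched and log rotation keeps signalling the old PID path; registering the result and asserting `changed or the file already contains /run/http/nginx.pid` would surface that. In the tmpfiles content, `d /var/log/nginx 775 http http` makes the log directory group-writable although the only writer visible here is the `User=http` service; `755` is sufficient unless another member of group http must write there, in which case a comment naming it would justify the mode.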
|
||||
|
@ -37,69 +103,15 @@
|
|||
|
||||
- meta: flush_handlers
|
||||
|
||||
- name: prepare to override systemd settings
|
||||
file:
|
||||
name: /etc/systemd/system/{{item}}.service.d
|
||||
state: directory
|
||||
mode: 0755
|
||||
- name: update already-installed OpenResty packages
|
||||
shell: /opt/openresty/bin/opm update
|
||||
|
||||
- name: OPM = install OpenResty packages (if necessary)
|
||||
include_tasks: opm.yaml
|
||||
vars:
|
||||
pkg_name: "{{item}}"
|
||||
with_items:
|
||||
- nginx
|
||||
- php-fpm
|
||||
|
||||
- name: secure systemd settings for php-fpm
|
||||
copy:
|
||||
content: |
|
||||
[Unit]
|
||||
After=systemd-tmpfiles-setup.service
|
||||
[Service]
|
||||
User=http
|
||||
Group=http
|
||||
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
|
||||
PrivateTmp=true
|
||||
PrivateDevices=true
|
||||
ProtectSystem=true
|
||||
ProtectHome=true
|
||||
NoNewPrivileges=true
|
||||
PIDFile=/run/http/php-fpm.pid
|
||||
dest: /etc/systemd/system/php-fpm.service.d/secure-{{nickname}}.conf
|
||||
mode: 0644
|
||||
notify:
|
||||
- restart php-fpm.service
|
||||
|
||||
- name: secure systemd settings for nginx
|
||||
copy:
|
||||
content: |
|
||||
[Unit]
|
||||
After=systemd-tmpfiles-setup.service
|
||||
After=php-fpm.service
|
||||
[Service]
|
||||
User=http
|
||||
Group=http
|
||||
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
|
||||
PrivateTmp=true
|
||||
PrivateDevices=true
|
||||
ProtectSystem=full
|
||||
ProtectHome=true
|
||||
NoNewPrivileges=true
|
||||
PIDFile=/run/http/nginx.pid
|
||||
ExecStartPre=/usr/bin/sh -c 'rm -f /run/shared_sockets/http*.pp'
|
||||
ExecStart=
|
||||
ExecStart=/usr/bin/nginx -g 'pid /run/http/nginx.pid; error_log stderr;'
|
||||
dest: /etc/systemd/system/nginx.service.d/secure-{{nickname}}.conf
|
||||
mode: 0644
|
||||
notify:
|
||||
- restart nginx.service
|
||||
|
||||
- name: set ownership of nginx’ working directories to nginx
|
||||
file:
|
||||
path: /var/{{item}}/nginx
|
||||
state: directory
|
||||
owner: http
|
||||
group: http
|
||||
recurse: true
|
||||
with_items:
|
||||
- lib
|
||||
- log
|
||||
- fffonion/lua-resty-openssl
|
||||
|
||||
- name: set the number of nginx worker processes
|
||||
lineinfile:
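Review bot: `update already-installed OpenResty packages` runs `opm update` through `shell:` on every play with no `changed_when`, so the task always reports changed and performs an unpinned network fetch from the OPM registry each run; that both breaks idempotence and means the installed Lua modules are whatever the registry serves that day. The command needs no shell features, so `command: /opt/openresty/bin/opm update` with `register: opm_upd` and `changed_when: false` (or a condition on its output, once the format is known) is more accurate, and pinning module versions, or a comment stating that updates are intentionally unpinned, would make the supply-chain exposure explicit. The surrounding task list starts above the hunk.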
|
||||
|
@ -107,7 +119,7 @@
|
|||
regexp: '^#?\s*worker_processes\s'
|
||||
line: "worker_processes auto;"
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
- name: log to systemd-journal
|
||||
lineinfile:
|
||||
|
@ -115,7 +127,7 @@
|
|||
regexp: '^#?\s*error_log\s'
|
||||
line: "error_log syslog:server=unix:/dev/log,nohostname {{nginx_loglevel}};"
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
- name: create directories for custom nginx configuration
|
||||
file:
|
||||
|
@ -136,7 +148,7 @@
|
|||
line: include /etc/nginx/main.inc.d/*.inc;
|
||||
insertbefore: BOF
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
- name: include custom nginx configuration
|
||||
lineinfile:
|
||||
|
@ -145,7 +157,7 @@
|
|||
line: include /etc/nginx/conf.d/*.conf;
|
||||
insertbefore: '^\s*#gzip\s'
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
- name: set custom nginx configuration
|
||||
template:
|
||||
|
@ -155,7 +167,7 @@
|
|||
group: http
|
||||
mode: 0640
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
- name: send included conf files
|
||||
template:
|
||||
|
@ -198,54 +210,33 @@
|
|||
when:
|
||||
- test_srv.changed
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
- name: set the php-fpm settings
|
||||
lineinfile:
|
||||
path: /etc/php/php-fpm.d/www.conf
|
||||
regexp: '^;*{{item.key}}\s*='
|
||||
line: '{{item.key}} = {{item.value}}'
|
||||
with_dict:
|
||||
listen: /run/shared_sockets/php-fpm
|
||||
pm: dynamic
|
||||
'pm.max_children': '{{php_max_workers}}'
|
||||
'pm.start_servers': 1
|
||||
'pm.min_spare_servers': 1
|
||||
'pm.max_spare_servers': '{{php_max_workers}}'
|
||||
'pm.max_requests': '{{php_worker_max_reqs}}'
|
||||
notify:
|
||||
- restart php-fpm.service
|
||||
|
||||
- name: disable useless user/group specs
|
||||
lineinfile:
|
||||
path: /etc/php/php-fpm.d/www.conf
|
||||
backrefs: true
|
||||
regexp: '^({{item}}\s*=.*)'
|
||||
line: ';\1'
|
||||
- name: create web files locations
|
||||
file:
|
||||
path: "{{item}}"
|
||||
state: directory
|
||||
with_items:
|
||||
- user
|
||||
- group
|
||||
- 'listen.group'
|
||||
|
||||
- name: set the PID file path for php-fpm
|
||||
lineinfile:
|
||||
path: /etc/php/php-fpm.conf
|
||||
regexp: '^;*pid\s*='
|
||||
line: 'pid = /run/http/php-fpm.pid'
|
||||
notify:
|
||||
- restart php-fpm.service
|
||||
- /srv/http
|
||||
- /srv/webapps
|
||||
|
||||
- name: enable php-fpm.service
|
||||
- name: enable openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: php-fpm.service
|
||||
name: openresty.service
|
||||
enabled: true
|
||||
|
||||
- name: enable nginx.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
enabled: true
|
||||
- name: HTML test-page in test environment
|
||||
copy:
|
||||
content: |
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head><title>TEST</title><meta charset="UTF-8"></head>
|
||||
<body><h1>HTML served by Nginx</h1><p>It works!</p></body>
|
||||
</html>
|
||||
dest: /srv/http/index.html
|
||||
mode: 0644
|
||||
when: (env == 'dev')
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
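Review bot: `create web files locations` creates `/srv/http` and `/srv/webapps` with no `mode`, `owner` or `group`, so their permissions come from the controller's umask and they stay root-owned, while the content tasks elsewhere in this role write `owner: http` / `group: http` with explicit modes; stating `mode: 0755` and the intended owner here keeps the directories reproducible and avoids a first run that differs from later ones. The dev-only `HTML test-page` task is correctly gated on `env == 'dev'`; a comment noting that the page is never shipped outside `dev` would make the intent obvious to readers of the production inventory.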
|
||||
|
|
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
# mandatory parameters: pkg_name
|
||||
|
||||
- name: OPM → check existence of {{pkg_name}}
|
||||
shell: /opt/openresty/bin/opm list | grep -q '^{{pkg_name}}[[:blank:]]'
|
||||
ignore_errors: true
|
||||
changed_when: false
|
||||
register: opm_check
|
||||
|
||||
- name: OPM → install {{pkg_name}}
|
||||
command: /opt/openresty/bin/opm get {{pkg_name}}
|
||||
when: opm_check is failed
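Review bot: `OPM → check existence` uses `ignore_errors: true` to turn the grep exit status into a condition, which still prints the task as failed on every run where the package is missing; `failed_when: false` together with `when: opm_check.rc != 0` on the install task expresses the intent without the red output. `{{pkg_name}}` is also interpolated into the grep regex and the `opm get` command line unescaped — harmless for `fffonion/lua-resty-openssl`, but a `.` in a name already widens the match, so `'^{{pkg_name | regex_escape}}[[:blank:]]'` is safer. Whether `opm list` prints the account prefix that `opm get` accepts is not visible here; if it does not, the check never matches and the package is re-fetched on every run, so that assumption deserves a comment under `# mandatory parameters: pkg_name`.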
|
|
@ -1,5 +1,5 @@
|
|||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
location / {
|
||||
|
|
|
@ -1,7 +1,12 @@
|
|||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
client_body_temp_path /var/tmp/client_body_temp;
|
||||
proxy_temp_path /var/tmp/proxy_temp;
|
||||
fastcgi_temp_path /var/tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /var/tmp/uwsgi_temp;
|
||||
#scgi_temp_path /var/tmp/scgi_temp;
|
||||
client_max_body_size {{http_max_upload}};
|
||||
gzip on;
|
||||
gzip_comp_level 6;
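Review bot: The new `*_temp_path /var/tmp/...` directives are only safe because the patched service file sets `PrivateTmp=true`; without it, /var/tmp is a shared world-writable tree and request bodies and upstream responses would be spooled next to other users' files, so a comment such as `# /var/tmp is private to the unit (PrivateTmp=true in the systemd service)` should tie the two together here. `#scgi_temp_path /var/tmp/scgi_temp;` is commented out without a reason; presumably the build disables the scgi module, which a short `# scgi module not built` would record instead of leaving the line as archaeology.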
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
location ~ (?i)(?<!{{http_pfx_dotclear}}/)admin|(?<!{{http_pfx_lam}}/templates/)login|(?<!{{http_pfx_dotclear}}/admin/)auth(?!or) {
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
# http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
# function /php...(doc_root /... prefix /... script /... pathinfo) {
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart prosody.service
|
||||
|
@ -9,8 +9,8 @@
|
|||
name: prosody.service
|
||||
state: restarted
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
### UPSTREAM BEGIN ⇒ ###
|
||||
|
@ -277,7 +277,7 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
- name: enable prosody
|
||||
systemd:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
<?php
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
/*
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
|
@ -1,9 +1,9 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
- role: cleanupdate
|
||||
- role: ldap
|
||||
- role: ssowat
|
||||
# - role: ssowat #FIXME
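Review bot: `# - role: ssowat #FIXME` leaves a commented-out dependency with no explanation of what is broken or when it can come back; a comment such as `# ssowat dependency disabled: <reason> — re-enable once <condition>` with the reason filled in keeps the FIXME actionable. If the `configure SSO` tasks added in this commit rely on `/etc/nginx/ssso/sites` being created by that role, dropping the dependency may mean they now run before the directory exists when `is_sso_used` is set — worth confirming.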
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
### UPSTREAM BEGIN ⇒ ###
|
||||
|
@ -34,9 +34,10 @@
|
|||
Requires=nslcd.service
|
||||
After=nslcd.service
|
||||
[Service]
|
||||
{% if is_vpn_used is not defined %}
|
||||
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT CAP_SYS_NICE
|
||||
{% endif %}
|
||||
PrivateDevices=yes
|
||||
PrivateTmp=yes
|
||||
ProtectHome=yes
|
||||
ProtectSystem=full
|
||||
LimitNOFILE=4096
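Review bot: When `is_vpn_used` is defined the template omits `CapabilityBoundingSet=` altogether, so the VPN variant of the unit keeps the full root capability set rather than a reduced one; the netns override added below runs `ip netns exec` and `sudo` as root, which presumably is why the restriction was dropped, but a bounding set listing only the capabilities those two steps need would keep the sandbox instead of removing it. A comment beside the `{% if %}` stating why the bounding set is incompatible with the netns override would help the next reader. The enclosing `copy` task starts above the hunk.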
|
||||
|
@ -44,6 +45,22 @@
|
|||
dest: /etc/systemd/system/transmission.service.d/secure-{{nickname}}.conf
|
||||
mode: 0644
|
||||
|
||||
- name: override network settings for transmission
|
||||
copy:
|
||||
content: |
|
||||
[Unit]
|
||||
Requires=no-vpn-network-namespace.service
|
||||
After=no-vpn-network-namespace.service
|
||||
[Service]
|
||||
Type=exec
|
||||
User=root
|
||||
Group=root
|
||||
ExecStart=
|
||||
ExecStart=/usr/bin/ip netns exec no-vpn /usr/bin/sudo -g {{media_group}} -u transmission -H -n /usr/bin/transmission-daemon -f --log-level=error
|
||||
dest: /etc/systemd/system/transmission.service.d/zz-no-vpn.conf
|
||||
mode: 0644
|
||||
when: (is_vpn_used is defined)
|
||||
|
||||
- name: ensure existence and mode of Transmission working directories
|
||||
file:
|
||||
path: /var/lib/transmission{{item}}
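Review bot: `override network settings for transmission` writes `zz-no-vpn.conf` with `User=root` only when `is_vpn_used` is defined, but nothing removes it when that variable is later unset, so a host that stops using the VPN keeps a root-running drop-in that the hardened `secure-{{nickname}}.conf` no longer expects. A matching `file: path: /etc/systemd/system/transmission.service.d/zz-no-vpn.conf` / `state: absent` / `when: (is_vpn_used is not defined)` task, notifying the same restart handler, keeps the unit definition a function of the inventory. The `sudo -g ... -u transmission` step also needs a sudoers policy that is not visible in this hunk; a comment naming where it is provisioned would help.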
|
||||
|
@ -104,6 +121,18 @@
|
|||
name: transmission.service
|
||||
state: stopped
|
||||
|
||||
- name: store DMZ IP (direct)
|
||||
set_fact:
|
||||
no_vpn_front_IP: "{{DMZ_IP}}"
|
||||
when:
|
||||
- (is_vpn_used is not defined)
|
||||
|
||||
- name: store DMZ IP (avoid VPN)
|
||||
set_fact:
|
||||
no_vpn_front_IP: "{{vpn_avoiding_ip_cidr | replace('/.*', '')}}"
|
||||
when:
|
||||
- (is_vpn_used is defined)
|
||||
|
||||
- name: put a JSON terminator to avoid a trailing comma
|
||||
lineinfile:
|
||||
path: /var/lib/transmission/.config/transmission-daemon/settings.json
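Review bot: `replace('/.*', '')` in `store DMZ IP (avoid VPN)` is Jinja's literal string `replace`, not a regex, so it only strips the three characters `/.*` and the CIDR suffix survives into `no_vpn_front_IP`, which then reaches `bind-address-ipv4` below; use `no_vpn_front_IP: "{{vpn_avoiding_ip_cidr | regex_replace('/.*$', '')}}"`. A comment on the variable, `# vpn_avoiding_ip_cidr is address/prefix; only the address is bindable`, would record why the split is needed.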
|
||||
|
@ -118,7 +147,7 @@
|
|||
line: ' "{{item.key}}": {{item.value}},'
|
||||
insertbefore: '"zzz"'
|
||||
with_dict:
|
||||
speed-limit-up: '50'
|
||||
speed-limit-up: '500'
|
||||
speed-limit-up-enabled: 'true'
|
||||
download-dir: '"/var/lib/transmission/Done"'
|
||||
incomplete-dir: '"/var/lib/transmission/Doing"'
|
||||
|
@ -130,13 +159,14 @@
|
|||
watch-dir-enabled: 'true'
|
||||
encryption: '2'
|
||||
message-level: '1'
|
||||
bind-address-ipv4: '"{{DMZ_IP}}"'
|
||||
bind-address-ipv4: '"{{no_vpn_front_IP}}"'
|
||||
peer-port: '{{transmission_bt_port}}'
|
||||
peer-port-random-on-start: 'false'
|
||||
port-forwarding-enabled: 'false'
|
||||
port-forwarding-enabled: '{{is_vpn_used is defined}}'
|
||||
queue-stalled-minutes: '5'
|
||||
rpc-authentication-required: 'false'
|
||||
rpc-bind-address: '"127.0.0.1"'
|
||||
rpc-bind-address: '"unix:/run/shared_sockets/transmission-rpc.sock"'
|
||||
rpc-socket-mode: '"0777"'
|
||||
rpc-port: '{{transmission_rpc_port}}'
|
||||
rpc-url: '"{{http_pfx_transmission}}/"'
|
||||
rpc-whitelist-enabled: 'false'
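Review bot: `port-forwarding-enabled: '{{is_vpn_used is defined}}'` renders the Jinja boolean as `True`/`False`, which is not valid JSON for the value the `lineinfile` line writes; `'{{(is_vpn_used is defined) | to_json}}'` yields `true`/`false`. The RPC socket is created with `rpc-socket-mode: '"0777"'` while `rpc-authentication-required` and `rpc-whitelist-enabled` are both `false`, so any local account that can reach `/run/shared_sockets` can drive the daemon; since only the openresty worker proxies to it, a group-restricted mode such as `"0660"`, with the socket's group being one that user http belongs to (the daemon runs under `-g {{media_group}}` in the VPN case, which may or may not include http), would be tighter. The `with_dict` begins outside the hunk.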
|
||||
|
@ -151,13 +181,13 @@
|
|||
copy:
|
||||
content: |
|
||||
location {{http_pfx_transmission}}/web {
|
||||
alias /usr/share/transmission/web;
|
||||
alias /usr/share/transmission/public_html;
|
||||
}
|
||||
location ~ ^{{http_pfx_transmission}}/?$ {
|
||||
return 307 https://{{net_soa}}{{http_pfx_transmission}}/web/;
|
||||
}
|
||||
location ~ ^{{http_pfx_transmission}}.*$(?<!\.css|\.js)$ {
|
||||
proxy_pass http://127.0.0.1:{{transmission_rpc_port}};
|
||||
proxy_pass http://unix:/run/shared_sockets/transmission-rpc.sock;
|
||||
proxy_pass_header X-Transmission-Session-Id;
|
||||
proxy_hide_header ETag;
|
||||
proxy_hide_header Cache-Control;
|
||||
|
@ -168,7 +198,7 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
- name: enable transmission.service
|
||||
systemd:
|
||||
|
@ -176,6 +206,20 @@
|
|||
name: transmission.service
|
||||
enabled: true
|
||||
|
||||
- name: configure SSO
|
||||
copy:
|
||||
content: |
|
||||
{ "patterns": [{
|
||||
"lua_regex": ["^{{http_pfx_transmission}}"],
|
||||
"allow": ["me"],
|
||||
"portal": {"{{http_pfx_transmission}}": "BitTorrent"}
|
||||
}]
|
||||
}
|
||||
dest: /etc/nginx/ssso/sites/transm.json
|
||||
when: (is_sso_used is defined)
|
||||
notify:
|
||||
- restart openresty.service
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
|
|
@ -1,10 +1,10 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart nginx.service
|
||||
- name: restart openresty.service
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
name: nginx.service
|
||||
name: openresty.service
|
||||
state: restarted
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
### UPSTREAM BEGIN ⇒ ###
|
||||
|
@ -88,7 +88,7 @@
|
|||
owner: http
|
||||
group: http
|
||||
notify:
|
||||
- restart nginx.service
|
||||
- restart openresty.service
|
||||
|
||||
### LOCAL COMMIT ⇒ ###
|
||||
- name: commit local changes
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: PostgreSQL user for dotClear
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: restart dovecot.service
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
dependencies:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
### UPSTREAM BEGIN ⇒ ###
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
# This file is opened as root, so it should be owned by root and mode 0600.
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
## Dovecot configuration file (/usr/share/doc/dovecot/example-config)
|
||||
|
@ -51,15 +51,15 @@ service imap-login {
|
|||
}
|
||||
}
|
||||
service lmtp {
|
||||
#unix_listener /run/shared_sockets/lmtp {
|
||||
# mode = 0666
|
||||
#}
|
||||
unix_listener /run/shared_sockets/lmtp {
|
||||
mode = 0666
|
||||
}
|
||||
# Create inet listener only if you can't use the above UNIX socket
|
||||
# https://yalis.fr/git/yves/home-server/issues/6
|
||||
inet_listener lmtp {
|
||||
address = {{SafeZone_IP}}
|
||||
port = 24
|
||||
}
|
||||
#inet_listener lmtp {
|
||||
# address = {{SafeZone_IP}}
|
||||
# port = 24
|
||||
#}
|
||||
}
|
||||
service imap {
|
||||
}
|
||||
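Review bot: The newly enabled `unix_listener /run/shared_sockets/lmtp` is created with `mode = 0666`, which makes the LMTP socket writable by every local account rather than only the MTA that is meant to hand mail over, so it widens who can inject messages into local delivery compared with the inet listener it replaces, which was bound to `{{SafeZone_IP}}`. Dovecot's unix_listener block also accepts `user =` and `group =` (the commented dict listener in the next hunk shows the same keys), so `mode = 0660` together with `group = <mta-group-placeholder>` would keep the socket reachable by the MTA alone. If world-writable is deliberate because the MTA runs under a different account or in another container, a one-line comment above the listener stating that would save the next reader from re-raising it. The commented-out inet_listener left below is already explained by the issue link, so that part reads fine.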
|
@ -75,8 +75,8 @@ service auth-worker {
|
|||
# # For example: mode=0660, group=vmail and global mail_access_groups=vmail
|
||||
# unix_listener dict {
|
||||
# #mode = 0600
|
||||
# #user =
|
||||
# #group =
|
||||
# #user =
|
||||
# #group =
|
||||
# }
|
||||
#}
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: install etckeeper
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: store /etc changes
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: switch Git to run
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# The home-server project produces a multi-purpose setup using Ansible.
|
||||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
|
||||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||||
|
||||
- name: switch Git to master
|
||||
|
|