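---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
#
# Tasks for Movim (XMPP web client): install from the AUR, point the client at
# its sub-path and database, harden the systemd unit, and publish it through
# nginx under {{http_pfx_movim}}.  Changes to /etc are bracketed by the
# etckeeper "upstream" / "merge" / "local" commits.

### UPSTREAM BEGIN ⇒ ###
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: movim
### ⇐ UPSTREAM BEGIN ###

- name: install AUR software
  include_role:
    name: aur.inc
    allow_duplicates: true
  vars:
    packages:
      - php-zmq
      - movim
    aur_user: git
  register: software

### UPSTREAM END ⇒ ###
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: movim
### ⇐ UPSTREAM END ###

# https://github.com/movim/movim_ynh/blob/master/scripts/install
# The shipped JS hard-codes the websocket path at the host root; prefix it
# with the sub-path so it matches the nginx "/ws/" location below.
- name: make sure that Movim works in a subdir
  lineinfile:
    path: /usr/share/webapps/movim/app/assets/js/movim_websocket.js
    backrefs: true
    regexp: "^(.*'wss://'\\s*\\+\\s*BASE_HOST\\s*\\+\\s*')(/ws/'.*$)"
    line: '\1{{http_pfx_movim}}\2'
  notify:
    - restart movim.service

# Rewrite one "'key' => value," entry per dict item in the PHP DB config.
# Values are PHP literals, hence the inner single quotes for strings.
# NOTE(review): db.inc.php ends up holding movim_db_password; its mode/owner
# are whatever the package shipped — confirm it is not world-readable.
- name: configure movim
  lineinfile:
    path: /etc/webapps/movim/db.inc.php
    regexp: "^\\s*'{{item.key}}'"
    line: " '{{item.key}}' => {{item.value}},"
  with_dict:
    type: "'pgsql'"
    username: "'{{movim_db_user}}'"
    password: "'{{movim_db_password}}'"
    host: "'/run/shared_sockets'"
    port: 5432
    database: "'{{movim_db}}'"
  notify:
    - restart movim.service

# Daemon bind address/port and public URL; the daemon only listens on
# loopback and is reached through the nginx websocket proxy below.
- name: configure movim launch
  lineinfile:
    path: /etc/default/movim
    regexp: "^{{item.key}}="
    line: "{{item.key}}={{item.value}}"
  with_dict:
    MOVIM_URL: 'https://{{net_soa}}{{http_pfx_movim}}'
    MOVIM_PORT: '{{movim_private_port}}'
    MOVIM_INTERFACE: '127.0.0.1'
  notify:
    - restart movim.service

- name: prepare to override movim security
  file:
    path: /etc/systemd/system/movim.service.d
    state: directory
    # Quoted so Ansible gets the octal string, not YAML 1.1's decimal 493.
    mode: "0755"

# Drop-in that runs the daemon unprivileged with a reduced sandbox and
# (re)applies the admin credentials on every start.
- name: override movim security with systemd
  copy:
    content: |
      [Service]
      User=http
      Group=http
      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_NET_BIND_SERVICE CAP_SYS_CHROOT
      PrivateTmp=true
      PrivateDevices=true
      ProtectSystem=true
      ProtectHome=true
      NoNewPrivileges=true
      ExecStartPre=/usr/bin/php mud.php config --username={{movim_admin_user}} --password={{movim_admin_password}}
    dest: /etc/systemd/system/movim.service.d/secure-{{nickname}}.conf
    # The drop-in embeds movim_admin_password on the ExecStartPre line, so it
    # must not be world-readable; systemd (PID 1) reads it as root, 0600 suffices.
    # NOTE(review): the argument is still visible to local users while
    # ExecStartPre runs and through unit introspection (e.g. systemctl show);
    # moving the secret out of the command line would need support from
    # mud.php — confirm before changing the invocation.
    mode: "0600"
  notify:
    - restart movim.service

- name: enable movim.service
  systemd:
    daemon_reload: true
    name: movim.service
    enabled: true

# nginx fragment included by the site's https server block: PHP front-end,
# websocket proxy to the loopback daemon, and a deny rule for the
# log/ and config/ directories that live under the web root.
# NOTE(review): "autoindex on" lists directories under the web root;
# confirm that listing is wanted. Also, the location prefix and the alias
# both lack a trailing "/": nginx recommends matching trailing slashes on
# both so the prefix is never treated as a partial path component —
# verify the value of http_pfx_movim and adjust both together if needed.
- name: configure nginx for movim
  copy:
    content: |
      location {{http_pfx_movim}} {
        alias /usr/share/webapps/movim;
        autoindex on;
        include inc.d/{{nickname}}_php-fast.inc;
      }
      location {{http_pfx_movim}}/ws/ {
        proxy_pass http://127.0.0.1:{{movim_private_port}}/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
      }
      location ~ ^{{http_pfx_movim}}/(?:log|config)/ {
        deny all;
      }
    dest: /etc/nginx/inc.d/movim.https.inc
    mode: "0440"
    owner: http
    group: http
  notify:
    - restart nginx.service

### LOCAL COMMIT ⇒ ###
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: movim
### ⇐ LOCAL COMMIT ###

# Run the queued restarts now so later plays see Movim and nginx up to date.
- meta: flush_handlers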