---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
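### UPSTREAM BEGIN ⇒ ###
# Hand off to the etckeeper.inc role before upstream packages land
# (presumably to snapshot /etc; confirm in roles/etckeeper.inc/tasks/upstream.yml).
# Module arguments are given as native YAML rather than a `key=value` string.
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: movim
### ⇐ UPSTREAM BEGIN ###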
# Build and install the Movim package set through the local aur.inc role.
# The include result is registered as `software`; it is not referenced
# again within this tasks file.
- name: install AUR software
  register: software
  include_role:
    allow_duplicates: true
    name: aur.inc
  vars:
    aur_user: git
    packages:
      - php-zmq
      - movim
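### UPSTREAM END ⇒ ###
# Close the upstream bracket in etckeeper.inc (merge.yml) once packages are in.
# Module arguments are given as native YAML rather than a `key=value` string.
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: movim
### ⇐ UPSTREAM END ###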
# https://github.com/movim/movim_ynh/blob/master/scripts/install
# Patch the shipped websocket client so the wss:// URL carries the
# sub-directory prefix: the captured prefix (\1) is kept, {{http_pfx_movim}}
# is spliced in, and the captured `/ws/...` tail (\2) follows.
# With backrefs enabled, lineinfile leaves the file untouched when the
# pattern does not match, so an upstream rewrite of this line would make
# the task a silent no-op.
- name: make sure that Movim works in a subdir
  lineinfile:
    path: /usr/share/webapps/movim/app/assets/js/movim_websocket.js
    regexp: '^(.*''wss://''\s*\+\s*BASE_HOST\s*\+\s*'')(/ws/''.*$)'
    line: '\1{{http_pfx_movim}}\2'
    backrefs: true
  notify:
    - restart movim.service
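# Rewrite the matching `'key' => value,` entries in Movim's PHP DB config.
# Values are inserted verbatim: string settings carry their own PHP quotes,
# `port` stays a bare integer.
# NOTE(review): assumes every key already exists in db.inc.php — lineinfile
# appends the line at end of file when the regexp misses; confirm.
- name: configure movim
  lineinfile:
    path: /etc/webapps/movim/db.inc.php
    regexp: "^\\s*'{{item.key}}'"
    line: " '{{item.key}}' => {{item.value}},"
  with_dict:
    type: "'pgsql'"
    username: "'{{movim_db_user}}'"
    password: "'{{movim_db_password}}'"
    host: "'/run/shared_sockets'"
    port: 5432
    database: "'{{movim_db}}'"
  # The loop items include the database password; without no_log each item
  # (and any --diff output) is echoed into the play output and log.
  no_log: true
  notify:
    - restart movim.service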
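# Set the daemon's environment in /etc/default/movim (KEY=value lines).
# All three values are quoted: MOVIM_URL contains Jinja and was the only
# unquoted one, which invited the plain-scalar parsing surprises the other
# two already guard against.
- name: configure movim launch
  lineinfile:
    path: /etc/default/movim
    regexp: "^{{item.key}}="
    line: "{{item.key}}={{item.value}}"
  with_dict:
    MOVIM_URL: 'https://{{net_soa}}{{http_pfx_movim}}'
    MOVIM_PORT: '{{movim_private_port}}'
    MOVIM_INTERFACE: '127.0.0.1'
  notify:
    - restart movim.service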
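# Create the systemd drop-in directory for movim.service.
# The mode is a quoted string: an unquoted 0755 is an octal int under
# YAML 1.1 and a decimal 755 under YAML 1.2, so quoting removes the ambiguity.
- name: prepare to override movim security
  file:
    path: /etc/systemd/system/movim.service.d
    state: directory
    mode: "0755"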
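# Drop-in hardening for the packaged movim.service. The rendered file
# contains the admin credentials, hence the 0600 mode (systemd reads unit
# files as root, so nothing else needs access) and no_log on the task.
# NOTE(review): ExecStartPre still passes the password on the command line,
# where it is visible to `ps` while it runs and in `systemctl show`; if
# Movim offers a file- or environment-based way to set it, prefer that.
# NOTE(review): assumes the base unit sets WorkingDirectory so that the
# relative `mud.php` resolves — confirm.
- name: override movim security with systemd
  copy:
    content: |
      [Service]
      User=http
      Group=http
      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_NET_BIND_SERVICE CAP_SYS_CHROOT
      PrivateTmp=true
      PrivateDevices=true
      ProtectSystem=true
      ProtectHome=true
      NoNewPrivileges=true
      ExecStartPre=/usr/bin/php mud.php config --username={{movim_admin_user}} --password={{movim_admin_password}}
    dest: /etc/systemd/system/movim.service.d/secure-{{nickname}}.conf
    mode: "0600"
  no_log: true
  notify:
    - restart movim.service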
# Reload unit definitions so the drop-in above is seen, then enable the
# service. No `state` is given, so this enables without starting it.
- name: enable movim.service
  systemd:
    name: movim.service
    enabled: true
    daemon_reload: true
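# nginx include for the Movim sub-directory, websocket proxy and the
# denied log/config paths.
# The app location now ends in `/` and so does its `alias`: a prefix location
# without a trailing slash combined with `alias` maps any URI that merely
# continues the prefix (`{{http_pfx_movim}}foo`) onto
# `/usr/share/webapps/movimfoo`, exposing every sibling of the Movim tree
# whose name starts with `movim`. The exact-match location keeps the
# slash-less URL advertised in MOVIM_URL reachable (nginx previously
# reached the same 301 through its directory redirect).
# NOTE(review): `autoindex on` publishes directory listings of the app tree;
# confirm Movim actually needs it.
# The file mode is quoted to avoid the YAML 1.1/1.2 octal ambiguity.
- name: configure nginx for movim
  copy:
    content: |
      location = {{http_pfx_movim}} {
          return 301 {{http_pfx_movim}}/;
      }
      location {{http_pfx_movim}}/ {
          alias /usr/share/webapps/movim/;
          autoindex on;
          include inc.d/{{nickname}}_php-fast.inc;
      }
      location {{http_pfx_movim}}/ws/ {
          proxy_pass http://127.0.0.1:{{movim_private_port}}/;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "Upgrade";
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto https;
          proxy_redirect off;
      }
      location ~ ^{{http_pfx_movim}}/(?:log|config)/ {
          deny all;
      }
    dest: /etc/nginx/inc.d/movim.https.inc
    mode: "0440"
    owner: http
    group: http
  notify:
    - restart openresty.service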
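### LOCAL COMMIT ⇒ ###
# Record the local configuration changes through etckeeper.inc (local.yml).
# Module arguments are given as native YAML rather than a `key=value` string.
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: movim
### ⇐ LOCAL COMMIT ###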
- meta: flush_handlers