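---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.

# Task list for deploying Movim from the AUR, pointing it at the shared
# PostgreSQL socket, exposing it behind nginx under {{http_pfx_movim}} and
# hardening its systemd unit. The etckeeper.inc includes bracket the
# upstream (package) and local (config) changes; presumably each one records
# an etckeeper commit tagged with `msg` — see that role for details.

### UPSTREAM BEGIN ⇒ ###
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: movim
### ⇐ UPSTREAM BEGIN ###

- name: install AUR software
  include_role:
    name: aur.inc
    allow_duplicates: true
  vars:
    packages:
      - php-zmq
      - movim
    aur_user: git
  register: software

### UPSTREAM END ⇒ ###
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: movim
### ⇐ UPSTREAM END ###

# https://github.com/movim/movim_ynh/blob/master/scripts/install
# Movim builds its websocket URL as 'wss://' + BASE_HOST + '/ws/'; the
# back-reference rewrite inserts the URL prefix so the websocket is reachable
# when Movim is served from a sub-directory.
- name: make sure that Movim works in a subdir
  lineinfile:
    path: /usr/share/webapps/movim/app/assets/js/movim_websocket.js
    backrefs: true
    regexp: "^(.*'wss://'\\s*\\+\\s*BASE_HOST\\s*\\+\\s*')(/ws/'.*$)"
    line: '\1{{http_pfx_movim}}\2'
  notify:
    - restart movim.service

# Each item becomes one "'key' => value," entry of the PHP config array; the
# values therefore carry their own PHP quoting (port stays a bare integer).
# The database password ends up in db.inc.php — that file's permissions are
# managed by the package, not here.
- name: configure movim
  lineinfile:
    path: /etc/webapps/movim/db.inc.php
    regexp: "^\\s*'{{item.key}}'"
    line: " '{{item.key}}' => {{item.value}},"
  with_dict:
    type: "'pgsql'"
    username: "'{{movim_db_user}}'"
    password: "'{{movim_db_password}}'"
    host: "'/run/shared_sockets'"
    port: 5432
    database: "'{{movim_db}}'"
  notify:
    - restart movim.service

# Environment for the daemon: the websocket backend listens on loopback only;
# nginx proxies to it (see the nginx task below). Templated values are quoted
# so YAML never retypes them.
- name: configure movim launch
  lineinfile:
    path: /etc/default/movim
    regexp: "^{{item.key}}="
    line: "{{item.key}}={{item.value}}"
  with_dict:
    MOVIM_URL: "https://{{net_soa}}{{http_pfx_movim}}"
    MOVIM_PORT: '{{movim_private_port}}'
    MOVIM_INTERFACE: '127.0.0.1'
  notify:
    - restart movim.service

# File modes are quoted strings so the YAML parser cannot reinterpret the
# leading zero (octal vs. decimal) before Ansible sees them.
- name: prepare to override movim security
  file:
    path: /etc/systemd/system/movim.service.d
    state: directory
    mode: "0755"

# NOTE(review): the drop-in embeds the admin password on the ExecStartPre
# command line, so it is written root-only (0600) rather than world-readable;
# systemd reads drop-ins as root, so nothing else needs access. The password
# is still exposed in the process list while mud.php runs — if Movim can read
# it from the environment, an EnvironmentFile would be the safer route.
- name: override movim security with systemd
  copy:
    content: |
      [Service]
      User=http
      Group=http
      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_NET_BIND_SERVICE CAP_SYS_CHROOT
      PrivateTmp=true
      PrivateDevices=true
      ProtectSystem=true
      ProtectHome=true
      NoNewPrivileges=true
      ExecStartPre=/usr/bin/php mud.php config --username={{movim_admin_user}} --password={{movim_admin_password}}
    dest: /etc/systemd/system/movim.service.d/secure-{{nickname}}.conf
    mode: "0600"
  notify:
    - restart movim.service

- name: enable movim.service
  systemd:
    daemon_reload: true
    name: movim.service
    enabled: true

# Static files are served by PHP-FPM via the shared php-fast include, the
# websocket path is proxied to the loopback daemon, and the log/config
# directories are denied. nginx evaluates regex locations ahead of plain
# prefix ones, so the deny block applies regardless of its position here.
# NOTE(review): `autoindex on` lists any directory lacking an index file;
# confirm that is intended for an application tree.
- name: configure nginx for movim
  copy:
    content: |
      location {{http_pfx_movim}} {
        alias /usr/share/webapps/movim;
        autoindex on;
        include inc.d/{{nickname}}_php-fast.inc;
      }
      location {{http_pfx_movim}}/ws/ {
        proxy_pass http://127.0.0.1:{{movim_private_port}}/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
      }
      location ~ ^{{http_pfx_movim}}/(?:log|config)/ {
        deny all;
      }
    dest: /etc/nginx/inc.d/movim.https.inc
    mode: "0440"
    owner: http
    group: http
  notify:
    - restart openresty.service

### LOCAL COMMIT ⇒ ###
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: movim
### ⇐ LOCAL COMMIT ###

# Run the queued restart handlers now rather than at the end of the play, so
# the services come up with the configuration written above.
- meta: flush_handlers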