---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.

### UPSTREAM BEGIN ⇒ ###
# Hand over to the etckeeper.inc role (its upstream.yml task file) before
# any package is touched. Presumably this records the current state of
# /etc so that package-supplied changes can later be told apart from
# local edits — see the role itself for what it actually commits.
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    tasks_from: upstream.yml
    allow_duplicates: true
  vars:
    # Label handed to the role (used as the commit message, presumably).
    msg: movim
### ⇐ UPSTREAM BEGIN ###

# Build and install the AUR packages through the shared aur.inc role.
- name: install AUR software
  include_role:
    name: aur.inc
    allow_duplicates: true
  vars:
    # Unprivileged account under which the AUR build runs.
    aur_user: git
    # NOTE: this is a literal block scalar, so the role receives a *string*
    # holding a JSON array (with a trailing newline), not a YAML list.
    # Presumably the role parses it; keep whichever form the role expects.
    pkg_names: |
      [
        "php-zmq",
        "movim"
      ]
  # NOTE(review): `register` on an include_role — confirm the captured value
  # is actually populated and consumed somewhere.
  register: software

### UPSTREAM END ⇒ ###
# Counterpart of the UPSTREAM BEGIN step: etckeeper.inc/merge.yml,
# presumably committing the changes the packages just made to /etc.
- name: merge upstream
  include_role:
    name: etckeeper.inc
    tasks_from: merge.yml
    allow_duplicates: true
  vars:
    # Label handed to the role (used as the commit message, presumably).
    msg: movim
### ⇐ UPSTREAM END ###

# https://github.com/movim/movim_ynh/blob/master/scripts/install
# Movim's websocket client builds its URL as 'wss://' + BASE_HOST + '/ws/'.
# When the app is served under a sub-path, the prefix has to be spliced in
# between the host and '/ws/'; this patches that one line in place.
- name: make sure that Movim works in a subdir
  lineinfile:
    path: /usr/share/webapps/movim/app/assets/js/movim_websocket.js
    # Rewrite the matched line using the two capture groups; with backrefs
    # nothing is appended when the pattern does not match, so once the prefix
    # is in place a second run should leave the file untouched.
    backrefs: true
    # Same regexp as before, written single-quoted ('' is a literal quote, no
    # backslash doubling needed).
    regexp: '^(.*''wss://''\s*\+\s*BASE_HOST\s*\+\s*'')(/ws/''.*$)'
    line: "\\1{{http_pfx_movim}}\\2"
  notify: restart movim.service

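# Write the database section of Movim's PHP config one key at a time. Every
# managed line is a PHP array entry of the form  'key' => value,
# The string values carry their own single quotes (see with_dict); the port
# is deliberately left as a bare integer.
- name: configure movim
  lineinfile:
    path: /etc/webapps/movim/db.inc.php
    # Match an existing entry for this key (any leading whitespace) so the
    # line is replaced in place rather than appended a second time.
    regexp: "^\\s*'{{item.key}}'"
    line: " '{{item.key}}' => {{item.value}},"
  with_dict:
    type: "'pgsql'"
    username: "'{{movim_db_user}}'"
    password: "'{{movim_db_password}}'"
    host: "'/run/shared_sockets'"
    port: 5432
    database: "'{{movim_db}}'"
  # Each loop item — including movim_db_password — would otherwise be printed
  # in the task output and end up in any saved playbook log.
  no_log: true
  notify:
    - restart movim.service
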
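# Environment file read by movim.service: one KEY=value line per item,
# replaced in place when the key already exists, appended otherwise.
- name: configure movim launch
  lineinfile:
    path: /etc/default/movim
    regexp: "^{{item.key}}="
    line: "{{item.key}}={{item.value}}"
  with_dict:
    # Quoted so the templated value can never be misread by the YAML parser
    # (e.g. if it ever started with a flow indicator); the rendered text is
    # unchanged.
    MOVIM_URL: "https://{{net_soa}}{{http_pfx_movim}}"
    MOVIM_PORT: '{{movim_private_port}}'
    # The daemon only listens on loopback; nginx proxies /ws/ to it.
    MOVIM_INTERFACE: '127.0.0.1'
  notify:
    - restart movim.service
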
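# Drop-in directory for movim.service (systemd merges *.conf found here).
- name: prepare to override movim security
  file:
    path: /etc/systemd/system/movim.service.d
    state: directory
    # Quoted: a bare 0755 is octal under YAML 1.1 but decimal 755 under a
    # YAML 1.2 parser; the string form is interpreted by the module itself.
    mode: "0755"
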
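# Harden movim.service through a drop-in: run as http, drop capabilities,
# isolate /tmp and /dev, read-only /usr, no /home, no privilege escalation,
# and set the admin credentials before each start.
- name: override movim security with systemd
  copy:
    content: |
      [Service]
      User=http
      Group=http
      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_NET_BIND_SERVICE CAP_SYS_CHROOT
      PrivateTmp=true
      PrivateDevices=true
      ProtectSystem=true
      ProtectHome=true
      NoNewPrivileges=true
      ExecStartPre=/usr/bin/php mud.php config --username={{movim_admin_user}} --password={{movim_admin_password}}
    # NOTE(review): the relative `mud.php` relies on the packaged unit's
    # WorkingDirectory — confirm. The password is passed as a command-line
    # argument, so it is visible in the process list to other local users
    # while ExecStartPre runs (unless /proc is mounted with hidepid); TODO
    # confirm whether mud.php can take the credentials another way.
    dest: /etc/systemd/system/movim.service.d/secure-{{nickname}}.conf
    # Root-only: this file carries movim_admin_password in clear text, and
    # systemd (pid 1) reads drop-ins as root, so nobody else needs it.
    mode: "0600"
  # Keep the rendered content (and the password) out of task output / --diff.
  no_log: true
  notify:
    - restart movim.service
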
# Reload unit definitions (a new drop-in was just written) and enable the
# service at boot. Only `enabled` is managed here; starting/restarting is
# presumably left to the `restart movim.service` handler.
- name: enable movim.service
  systemd:
    name: movim.service
    enabled: true
    daemon_reload: true

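# nginx fragment for Movim, meant to be included from the site's HTTPS
# server block (the inc.d/ layout and {{nickname}}_php-fast.inc are project
# conventions not visible in this file).
# NOTE(review): `autoindex on` lets any client list directories of the web
# root that have no index; only log/ and config/ are denied by the regex
# location below. Consider `autoindex off` unless Movim needs the listing.
# NOTE(review): `alias` + an included PHP fastcgi block — confirm the include
# resolves scripts via $request_filename (not $document_root$fastcgi_script_name),
# otherwise aliased paths are mapped wrongly.
- name: configure nginx for movim
  copy:
    content: |
      location {{http_pfx_movim}} {
        alias /usr/share/webapps/movim;
        autoindex on;
        include inc.d/{{nickname}}_php-fast.inc;
      }
      location {{http_pfx_movim}}/ws/ {
        proxy_pass http://127.0.0.1:{{movim_private_port}}/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
      }
      location ~ ^{{http_pfx_movim}}/(?:log|config)/ {
        deny all;
      }
    dest: /etc/nginx/inc.d/movim.https.inc
    # Quoted so the mode is passed as a string and interpreted by the module
    # (a bare 0440 is octal only under a YAML 1.1 parser).
    mode: "0440"
    owner: http
    group: http
  notify:
    - restart nginx.service
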
### LOCAL COMMIT ⇒ ###
# Final etckeeper.inc step (local.yml): presumably commits the edits this
# task file made under /etc, labelled "movim".
- name: commit local changes
  include_role:
    name: etckeeper.inc
    tasks_from: local.yml
    allow_duplicates: true
  vars:
    msg: movim
### ⇐ LOCAL COMMIT ###

# Run the pending `restart ...` handlers now instead of at the end of the play.
- meta: flush_handlers