First commit

This commit is contained in:
VC
2019-09-04 09:06:55 +02:00
commit dded46ff64
144 changed files with 7495 additions and 0 deletions

3
bittorrent.yml Normal file

@@ -0,0 +1,3 @@
- hosts: transmission
roles:
- bittorrent

9
borgbackup.yml Normal file

@@ -0,0 +1,9 @@
- hosts: borgbackup
roles:
- borgbackup
- hosts: borg_client
roles:
- borg-client
- hosts: borg_server
roles:
- borg-server

3
docker.yml Normal file

@@ -0,0 +1,3 @@
- hosts: dockerservers
roles:
- docker

3
firewall.yml Normal file

@@ -0,0 +1,3 @@
- hosts: router
roles:
- firewall


@@ -0,0 +1,3 @@
- hosts: hypervisors
roles:
- prerequisites


@@ -0,0 +1,3 @@
- hosts: hypervisors
roles:
- proxmox6_installation


@@ -0,0 +1,3 @@
- hosts: hypervisors
roles:
- proxmox6_prerequisite


@@ -0,0 +1,16 @@
- name: "Check if the distribution is Debian"
assert:
msg: "Proxmox VE 6 can only be installed properly on Debian Buster. You distribution: {{ ansible_os_family }}"
that:
- ansible_os_family == 'Debian'
- name: "Check if the version is Buster"
assert:
msg: "Proxmox VE 6 can only be installed properly on Debian Buster. Your version: {{ ansible_distribution_release }}"
that:
- ansible_distribution_release == 'buster'
- name: "Install Aptitude"
apt:
name: aptitude
state: present
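Review bot: The message on the first assertion reads `You distribution` while the second one says `Your version`; the line should be `msg: "Proxmox VE 6 can only be installed properly on Debian Buster. Your distribution: {{ ansible_os_family }}"`. Both assertions depend on gathered facts, so they only work while the calling play keeps fact gathering enabled, which the `- hosts: hypervisors` playbooks in this commit do by default. `ansible_os_family == 'Debian'` is also true on Ubuntu, but the `buster` release check right after it closes that gap; a one-line comment above the first task saying so would save the next reader the same thought.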


@@ -0,0 +1,2 @@
overlay
aufs


@@ -0,0 +1,34 @@
- name: "Add Proxmox VE 6 recommended packages"
apt:
name: "{{ item }}"
state: present
loop:
- proxmox-ve
- postfix
- open-iscsi
- zfsutils-linux
- name: "Remove Proxmox VE 6 recommended packages"
apt:
name: "{{ item }}"
state: absent
loop:
- os-prober
- name: add missing modules for docker
modprobe:
name: "{{ item }}"
state: present
loop:
- overlay
- aufs
- name: add missing modules to boot
copy:
src: ./files/nested_docker.conf
dest: /etc/modules-load.d/nested_docker.conf
- name: "Reboot after first Install"
shell: "/sbin/shutdown -r -t 1 > /root/first_install_ok"
args:
creates: /root/first_install_ok
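Review bot: The `Reboot after first Install` task writes its marker before any reboot happens: the shell sets up `> /root/first_install_ok` before `/sbin/shutdown` runs, so a failed or missing shutdown still leaves the marker and the reboot is never retried, and because systemd's `shutdown` ignores `-t` the reboot is deferred by the default one minute while the play carries on without waiting. The `reboot` module (Ansible 2.7+, which the `openssh_keypair` task elsewhere in this commit already implies) with a stat-guarded marker written only after the host is back covers both. The task name `Remove Proxmox VE 6 recommended packages` is also misleading since it removes `os-prober`; `Remove packages Proxmox VE 6 recommends removing` says what it does.
```yaml
# … unchanged: package, modprobe and modules-load tasks …
- name: check for the first-install marker
  stat:
    path: /root/first_install_ok
  register: first_install_marker

- name: "Reboot after first Install"
  reboot:
  when: not first_install_marker.stat.exists

- name: record that the first-install reboot has happened
  file:
    path: /root/first_install_ok
    state: touch
  when: not first_install_marker.stat.exists
```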


@@ -0,0 +1,15 @@
- name: "Add hosts Proxmox style"
template:
src: hosts.j2
dest: /etc/hosts
- name: "Add Proxmox VE 6 GPG key"
apt_key:
url: http://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg
state: present
- name: "Add Proxmox VE 6 Repo"
apt_repository:
repo: "deb http://download.proxmox.com/debian/pve buster pve-no-subscription"
state: present
- name: "Apt upgrade"
apt:
upgrade: dist
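Review bot: The Proxmox release key in the `apt_key` task is fetched over plain `http://` with no `id:` fingerprint, so whatever a network intermediary serves becomes a trusted apt signing key on the host, and the repository added right after it is only as trustworthy as that key. Use `url: https://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg` and pin it with `id: "<PROXMOX-VE-6-RELEASE-KEY-FINGERPRINT>"` (placeholder for the published fingerprint) so a substituted key is rejected rather than installed. The docker role's `docker repo key` task further down already uses https but also lacks `id:`; the sonarr role's keyserver task shows the pinned form.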


@@ -0,0 +1,11 @@
# Default hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# Proxmox specific
{% for host in groups['hypervisors'] %}
{{ hostvars[host]['ansible_default_ipv4']['address'] }} {{ host }} {{ hostvars[host]['ansible_hostname'] }}
{{ hostvars[host]['ansible_default_ipv6']['address'] }} {{ host }} {{ hostvars[host]['ansible_hostname'] }}
{% endfor %}
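Review bot: `hostvars[host]['ansible_default_ipv6']['address']` on the IPv6 line is undefined for any hypervisor whose `ansible_default_ipv6` fact is empty (Ansible reports `{}` when the host has no default IPv6 route), and one such host makes the whole `/etc/hosts` template fail for every target in the play. Guard that line with `{% if hostvars[host]['ansible_default_ipv6']['address'] is defined %}` before it and `{% endif %}` after it. The loop also needs facts for every member of `groups['hypervisors']` to exist in the current run, which holds as long as the play keeps targeting the full group.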

3
loadbalancinghttp.yml Normal file

@@ -0,0 +1,3 @@
- hosts: loadbalancers
roles:
- haproxy

3
mariadb.yml Normal file

@@ -0,0 +1,3 @@
- hosts: mariadbservers
roles:
- mariadb

6
nut.yml Normal file

@@ -0,0 +1,6 @@
- hosts: nut_client
roles:
- nut-client
- hosts: nut_server
roles:
- nut-server

3
pgsql.yml Normal file

@@ -0,0 +1,3 @@
- hosts: pgsqlservers
roles:
- postgres

3
php.yml Normal file

@@ -0,0 +1,3 @@
- hosts: phpservers
roles:
- php


@@ -0,0 +1,8 @@
nut_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
64313965633338626466633664393139313833623763363964666633666335393331643239343933
6463336166376161306539353335366630613363623734380a353935656234313032393862323063
65376235613531306163313730363262313061346338353635626335333961646330316562343038
6238386332613761610a393739366561646336343030336363613365623336383735353838623266
3862


@@ -0,0 +1 @@
php_version: "{% if ansible_facts['os_family'] == 'Debian' and ansible_facts['distribution_major_version'] == '9' %}7.0{% elif ansible_facts['os_family'] == 'Debian' and ansible_facts['distribution_major_version'] == '10' %}7.3{% endif %}"
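Review bot: `php_version` has no `{% else %}` branch, so on any distribution other than Debian 9 or 10 it renders as the empty string instead of failing, and anything that composes package names or paths from it (not visible in this commit) would silently misbehave. An early `assert` task in the php role checking `php_version | length > 0`, or a final `{% else %}unsupported{% endif %}` that later tasks test for, turns that into a clear error. A mapping keyed on `ansible_facts['distribution_major_version']` would also read better than the one-line conditional.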


@@ -0,0 +1,31 @@
sub_login: !vault |
$ANSIBLE_VAULT;1.1;AES256
62323733666661326134366639353164613864383832613735366530343764663164616364363865
3039313232613362323162313733366637343164336464650a303935313836393433326437363565
66623139353638616535646365336339646266356437623633383839323162623266386532313337
3434323032323933640a313339376535386361616261343530666237353061386533356636613661
6532
sub_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
36306330313565303162303662626361356536313630396635346437353231666562303533636339
3336323233383639376330383439623135633735623537630a623233306362666537373866643836
36383637613033666666313239353536383236343566333539643730393631633161303365303233
6230383465336132370a626162353839336139336232656631666539653131623766353030356465
3762
transmission_user: !vault |
$ANSIBLE_VAULT;1.1;AES256
62636132623037373065646530633937316131303534653734373635313564623430316662383934
3333643265343962653862346432353063323666633964640a393537376666656237333132326539
32343832386139633235363737353163623838643463333131666336396235346464396233643431
6663383134396266310a373564303863326239613062613561636530363866646264363637316263
6362
transmission_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
35306537653235346630633431353833623638393737333034326263643239306539383564616534
3563356664356661303435393138386666363537393863610a653837303238616330343462303166
30656364383861353163613335313239643836626334633934626263656561656137373566363861
6133323664393234640a623930386631376235333032616266643833613661323635643333633035
33323264343234643965663135306536626539373132356464326133386538653637306237623832
65373035613934383166313436383866623430343130633539313936346662663531353662646165
613864373639386632313564626666346338


@@ -0,0 +1,8 @@
mariadb_root_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
66643966366639636466333561363734623563323936613063623133323466393630393135636238
3663396465366630333630353563653166623461623935390a613362376538333239343532386231
61363465343165366430323033373730356636356462623332616364323265613934383664393461
6266393162633761340a613835393138353438656136643132353966646536316563646439336534
3064


@@ -0,0 +1,8 @@
mariadb_root_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
31613236623530306638633935303936393634313565333932373831626161316438626439303165
3135326262613532356330373166353439373738336337320a383561613432313763616563366537
39396636346563346135313431373630643536363838333964353636373437653166633761363664
3437653064323138310a663363373736623931336432376466316666616234356133383263373136
31343534663063663134306464306234366430323762656165653930333134326231

71
production/hosts Normal file

@@ -0,0 +1,71 @@
[all:vars]
ansible_python_interpreter=/usr/bin/python3
[router]
machinbox.mateu.be
[hypervisors]
claude.dmz.mateu.be
dimitri.dmz.mateu.be
edelgard.dmz.mateu.be
[borgbackup:children]
borg_server
borg_client
[borg_server]
edelgard.dmz.mateu.be
[borg_client]
n0box2.mateu.be
baybay-ponay.mateu.be borg_backup_path="['/home', '/etc']" borg_backup_excluded_path="['/home/.snapshots']" borg_backup_hour=19 borg_backup_minute=30
bt.dmz.mateu.be borg_backup_path="['/etc', '/var/lib/transmission-daemon']"
web1.dmz.mateu.be
web2.dmz.mateu.be
mail.dmz.mateu.be
jabber.dmz.mateu.be borg_backup_path="['/etc', '/var/lib/prosody']"
ror.dmz.mateu.be
[nut:children]
nut_server
nut_client
[nut_server]
edelgard.dmz.mateu.be
[nut_client]
n0box2.mateu.be
claude.dmz.mateu.be
dimitri.dmz.mateu.be
edelgard.dmz.mateu.be
[webservers]
bt.dmz.mateu.be web_hostname="['sonarr.mateu.be','bt.mateu.be','btf.mateu.be']"
web1.dmz.mateu.be web_hostname="['fav.libertus.eu', 'rss.libertus.eu', 'o.libertus.eu', 'blog.libertus.eu', 'mail.libertus.eu', 'perso.nintendojo.fr', 'perso.libertus.eu', 'r.mateu.be','coince.mateu.be']"
web2.dmz.mateu.be web_hostname="['analyse.nintendojo.fr', 'nintendojo.fr', 'www.nintendojo.fr', 'forum.nintendojo.fr', 'intendo.fr', 'www.intendo.fr']"
ror.dmz.mateu.be web_hostname="['m.nintendojo.fr']"
#mail.dmz.mateu.be
[phpservers]
web1.dmz.mateu.be php_modules="['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'curl', 'gettext', 'imap', 'zip', 'apcu']"
web2.dmz.mateu.be php_modules="['opcache', 'mysql', 'mbstring', 'gd', 'xml', 'bcmath', 'curl', 'imagick']"
[dockerservers]
ror.dmz.mateu.be
[mariadbservers]
web1.dmz.mateu.be
web2.dmz.mateu.be
[pgsqlservers]
ror.dmz.mateu.be
[mailservers]
mail.dmz.mateu.be
[loadbalancers]
haproxy.dmz.mateu.be
[transmission]
bt.dmz.mateu.be

3
proxmox.yml Normal file

@@ -0,0 +1,3 @@
- import_playbook: hypervisors/prerequisites.yml
- import_playbook: hypervisors/proxmox6_prerequisite.yml
- import_playbook: hypervisors/proxmox6_installation.yml


@@ -0,0 +1 @@
Signature: 8a477f597d28d172789f06886806bc55


@@ -0,0 +1,13 @@
[Unit]
Description=Sonarr Service
After=network.target
[Service]
User=debian-transmission
Group=debian-transmission
ExecStart=/usr/bin/mono /opt/NzbDrone/NzbDrone.exe -nobrowser
Type=simple
TimeoutStopSec=20
[Install]
WantedBy=multi-user.target
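Review bot: The unit runs Sonarr as `debian-transmission` but carries no sandboxing in `[Service]`, so a compromised Sonarr process (it parses remote feeds and talks to trackers) keeps every path that user can write; the usual hardening directives fit here because its state lives under `/var/lib/transmission-daemon/.config/NzbDrone` (created in sonarr.yml), not under `/etc` or `/usr`. `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` are safe starting points, plus `Restart=on-failure` so a crash does not leave the service down; `ProtectHome=true` fits too unless a media path lives under `/home`, which I cannot see from here.
```ini
; … unchanged: [Unit] section …
[Service]
User=debian-transmission
Group=debian-transmission
ExecStart=/usr/bin/mono /opt/NzbDrone/NzbDrone.exe -nobrowser
Type=simple
TimeoutStopSec=20
Restart=on-failure
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
; … unchanged: [Install] section …
```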


@@ -0,0 +1,12 @@
- name: reload transmission
service:
name: transmission-daemon
state: reloaded
- name: restart sonarr
service:
name: sonarr
state: restarted
- name: export nfs
command: exportfs -a
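Review bot: `restart sonarr` restarts the unit without a daemon-reload, yet the task that notifies it (`copy systemd file` in sonarr.yml) is the one that rewrites `/etc/systemd/system/sonarr.service`, so after a unit-file change systemd may restart the previously loaded definition; as far as I can tell the `service` module does not reload unit files on its own. Write this handler with the `systemd` module and add `daemon_reload: yes` next to `name: sonarr` and `state: restarted`. `reload transmission` and `export nfs` are fine as written.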


@@ -0,0 +1,14 @@
- name: create Series folder
file:
path: /var/lib/transmission-daemon/downloads/Series
recurse: True
owner: debian-transmission
group: debian-transmission
- name: create Movies folder
file:
path: /var/lib/transmission-daemon/downloads/Movies
recurse: True
owner: debian-transmission
group: debian-transmission
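Review bot: Both `file` tasks set `recurse: True` without `state: directory`; the file module rejects that combination (`recurse option requires state to be 'directory'`), and with the default state the path would never be created anyway. Add `state: directory` under `file:` in each task; the same applies to `create sonarr conf dir` in sonarr.yml. `recurse` then only matters for re-owning content that already exists, and `true` rather than `True` follows the yamllint truthy rule.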


@@ -0,0 +1,5 @@
- include_tasks: transmission.yml
- include_tasks: sonarr.yml
- include_tasks: subliminal.yml
- include_tasks: configdir.yml
- include_tasks: nfsserver.yml


@@ -0,0 +1,15 @@
- getent:
database: passwd
key: debian-transmission
- name: install nfs server
package:
name: nfs-kernel-server
state: present
- name: copy exports file
template:
src: exports.j2
dest: /etc/exports
notify:
- export nfs


@@ -0,0 +1,34 @@
- name: install sonarr repokey
apt_key:
keyserver: keyserver.ubuntu.com
id: "0xa236c58f409091a18aca53cbebff6b99d9b78493"
- name: install sonarr repo
apt_repository:
repo: deb http://apt.sonarr.tv/ master main
state: present
- name: create sonarr conf dir
file:
path: /var/lib/transmission-daemon/.config/NzbDrone
recurse: True
owner: debian-transmission
group: debian-transmission
mode: "a-rwx,u+rwX,g+rX"
- name: install sonarr
package:
name: nzbdrone
state: present
- name: copy systemd file
copy:
src: files/sonarr.service
dest: /etc/systemd/system/sonarr.service
notify:
- restart sonarr
- name: enable sonarr service
service:
name: sonarr
enabled: True


@@ -0,0 +1,17 @@
- name: install pip3
package:
name: python3-pip
state: present
- name: install subliminal
pip:
name: subliminal
state: present
- name: install subliminal crontab
cron:
name: "Sub DL"
user: "debian-transmission"
minute: "15"
hour: "20"
job: "/usr/local/bin/subliminal download /var/lib/transmission-daemon/downloads/Series/ --language fr &> /dev/null"
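Review bot: The cron job string ends in `&> /dev/null`, a bash-only redirection; crontab entries run under `/bin/sh`, where `&>` parses as `… &` followed by `> /dev/null`, so the job is backgrounded and its output is not discarded at all (it ends up as cron mail). Use `job: "/usr/local/bin/subliminal download /var/lib/transmission-daemon/downloads/Series/ --language fr > /dev/null 2>&1"`. The `pip` task installs an unpinned package from PyPI system-wide as root; a `version:` pin makes what runs on the host reproducible and reviewable.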


@@ -0,0 +1,26 @@
- name: install transmission
package:
name: "{{ item }}"
state: present
loop:
- transmission-daemon
- transmission-cli
- name: transmission config file
template:
src: settings.json.j2
dest: /etc/transmission-daemon/settings.json
owner: debian-transmission
group: debian-transmission
mode: "a-rwx,u+rw"
notify:
- reload transmission
- name: Add cachedir file
copy:
src: files/CACHEDIR.TAG
dest: /var/lib/transmission-daemon/downloads/CACHEDIR.TAG
owner: debian-transmission
group: debian-transmission
mode: '0755'
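Review bot: `CACHEDIR.TAG` is a plain marker file, yet the copy task sets `mode: '0755'`; it needs no execute bit, so `mode: '0644'` is enough (the settings.json task above already uses a tighter mode, rightly, since that file carries `{{ transmission_pass }}`). Separately, transmission-daemon rewrites settings.json on shutdown (it stores `rpc-password` hashed, for one), so on later runs the template task may report a change and fire `reload transmission` every time; worth checking after a second run.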


@@ -0,0 +1 @@
/var/lib/transmission-daemon/downloads 10.233.212.64/26(ro,async,no_subtree_check,all_squash,anonuid={{ getent_passwd['debian-transmission'][1] }},anongid={{ getent_passwd['debian-transmission'][2] }})


@@ -0,0 +1,83 @@
{
"alt-speed-down": 2000,
"alt-speed-enabled": false,
"alt-speed-time-begin": 450,
"alt-speed-time-day": 127,
"alt-speed-time-enabled": false,
"alt-speed-time-end": 1350,
"alt-speed-up": 2000,
"bind-address-ipv4": "0.0.0.0",
"bind-address-ipv6": "::",
"blocklist-enabled": true,
"blocklist-url": "http://list.iblocklist.com/?list=bt_level1&fileformat=p2p&archiveformat=gz",
"cache-size-mb": 8,
"dht-enabled": true,
"download-dir": "/var/lib/transmission-daemon/downloads/",
"download-limit": 100,
"download-limit-enabled": 0,
"download-queue-enabled": false,
"download-queue-size": 5,
"encryption": 0,
"idle-seeding-limit": 14400,
"idle-seeding-limit-enabled": true,
"incomplete-dir": "/root/Downloads",
"incomplete-dir-enabled": false,
"lazy-bitfield-enabled": true,
"lpd-enabled": true,
"max-peers-global": 200,
"max-peers-per-torrent": 200,
"message-level": 1,
"open-file-limit": 32,
"peer-congestion-algorithm": "",
"peer-id-ttl-hours": 6,
"peer-limit-global": 1000,
"peer-limit-per-torrent": 200,
"peer-port": 10010,
"peer-port-random-high": 65535,
"peer-port-random-low": 49152,
"peer-port-random-on-start": false,
"peer-socket-tos": "default",
"pex-enabled": true,
"port-forwarding-enabled": false,
"preallocation": 1,
"prefetch-enabled": true,
"proxy": "",
"proxy-auth-enabled": false,
"proxy-auth-password": "",
"proxy-auth-username": "",
"proxy-enabled": false,
"proxy-port": 80,
"proxy-type": 0,
"queue-stalled-enabled": false,
"queue-stalled-minutes": 30,
"ratio-limit": 5,
"ratio-limit-enabled": true,
"rename-partial-files": true,
"rpc-authentication-required": true,
"rpc-bind-address": "0.0.0.0",
"rpc-enabled": true,
"rpc-host-whitelist": "",
"rpc-host-whitelist-enabled": true,
"rpc-password": "{{ transmission_pass }}",
"rpc-port": 9091,
"rpc-url": "/transmission/",
"rpc-username": "{{ transmission_user }}",
"rpc-whitelist": "127.0.0.1",
"rpc-whitelist-enabled": true,
"scrape-paused-torrents-enabled": true,
"script-torrent-done-enabled": false,
"script-torrent-done-filename": "",
"seed-queue-enabled": false,
"seed-queue-size": 4,
"speed-limit-down": 4000,
"speed-limit-down-enabled": false,
"speed-limit-up": 4000,
"speed-limit-up-enabled": false,
"start-added-torrents": true,
"trash-original-torrent-files": false,
"umask": 18,
"upload-limit": 100,
"upload-limit-enabled": 0,
"upload-slots-per-torrent": 20,
"utp-enabled": true
}
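Review bot: `"encryption": 0` makes Transmission prefer unencrypted peer connections; `1` (prefer encrypted) or `2` (require) is the usual choice and changes nothing else here. `"rpc-bind-address": "0.0.0.0"` combined with `rpc-whitelist` of `127.0.0.1` only ever admits loopback clients, so `"rpc-bind-address": "127.0.0.1"` is the equivalent, defence-in-depth setting (the `bt.mateu.be`/`btf.mateu.be` names in the inventory presumably reach it through a local reverse proxy, which loopback still serves). Being JSON the template cannot carry comments, so the reasoning behind `rpc-host-whitelist-enabled` with an empty list belongs in the role's README.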


@@ -0,0 +1,11 @@
borg_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
62333166623737363731663766353330633335306532306366356536376232396664376430613434
3966376539303238376461386262663066376338386537660a376365643761653463393539316232
30653130383761653432306136333733653062356635643662616133366663646132383136313530
3866343664393330610a623930316330626166343934623230313232626131386132393866373661
6336
borg_backup_path: ["/srv", "/home", "/etc"]
borg_backup_excluded_path: ["/srv/NOBACKUP"]
borg_backup_hour: 6
borg_backup_minute: 0


@@ -0,0 +1,26 @@
- name: create SSH key
openssh_keypair:
path: ~/.ssh/id_rsa
- name: get SSH pub key
command: cat ~/.ssh/id_rsa.pub
register: ssh_keys
- name: put backup script
template:
src: borgbackup.sh.j2
dest: /usr/local/bin/borgbackup.sh
owner: root
group: root
mode: '0750'
- name: cron the backup script
cron:
name: "borg backup script"
hour: "{{ borg_backup_hour }}"
minute: "{{ borg_backup_minute }}"
job: /usr/local/bin/borgbackup.sh
- name: warns about borg init
debug:
msg: "Borg has been installed. Dont forget to init with: \nborg init --encryption=repokey-blake2 backup@{{ hostvars[groups['borg_server'][0]]['ansible_fqdn'] }}:home"
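Review bot: `get SSH pub key` runs `cat` and reports `changed` on every run; add `changed_when: false`, or drop the task and register the `create SSH key` task instead, since `openssh_keypair` returns `public_key` and that is the value the server role reads through `hostvars[...]['ssh_keys']['stdout']`. The key enrolled under the server's forced `borg serve` command is root's default `~/.ssh/id_rsa`, i.e. root's general SSH identity; a dedicated key (for example `~/.ssh/borg_backup`, passed via `BORG_RSH` in the backup script) keeps the backup credential separate from whatever else root uses that key for. The debug message has `Dont` for `Don't`.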


@@ -0,0 +1,20 @@
#!/bin/sh
## Variable
export BORG_PASSPHRASE="{{ borg_pass }}"
## lancement de la sauvegarde
borg create --exclude-caches {% for f in borg_backup_excluded_path %}-e {{ f }} {% endfor %} -s backup@{{ hostvars[groups['borg_server'][0]]['ansible_fqdn'] }}:home::{now:%Y-%m-%d} {% for f in borg_backup_path %}{{ f }} {% endfor %}
## récupération de l'espace
borg prune -d 7 -w 4 -m 3 backup@{{ hostvars[groups['borg_server'][0]]['ansible_fqdn'] }}:home
{% if inventory_hostname == 'n0box2.mateu.be' %}
## la sauvegarde mais chez Holaf
borg create -s ssh://mortal@holaf.duckdns.org:22222/home/mortal/repos/n0box2.mateu.be/home::{now:%Y-%m-%d} /etc /home /srv
## la sauvegarde mais chez Holaf
borg prune -d 7 -w 4 -m 3 ssh://mortal@holaf.duckdns.org:22222/home/mortal/repos/n0box2.mateu.be/home
{% endif %}
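Review bot: `borg prune` runs unconditionally after `borg create`, so when the create fails (lock held, repository unreachable, passphrase mismatch) the prune still runs and expires old archives although no new one exists; the second remote's pair has the same shape. A plain `set -e` is too blunt, because borg exits 1 for warnings such as files changing during the backup, so check the status explicitly and prune only below 2. Quoting the expanded paths (`-e "{{ f }}"`, `"{{ f }}"`) also survives spaces, and the French comments would be easier on other readers in English like the rest of the repository.
```sh
# … unchanged: shebang and BORG_PASSPHRASE export …
## run the backup; borg exits 1 on warnings, 2 on errors
borg create --exclude-caches {% for f in borg_backup_excluded_path %}-e "{{ f }}" {% endfor %} -s backup@{{ hostvars[groups['borg_server'][0]]['ansible_fqdn'] }}:home::{now:%Y-%m-%d} {% for f in borg_backup_path %}"{{ f }}" {% endfor %}
rc=$?
if [ "$rc" -ge 2 ]; then
    echo "borg create failed with status $rc, skipping prune" >&2
    exit "$rc"
fi
## reclaim space
borg prune -d 7 -w 4 -m 3 backup@{{ hostvars[groups['borg_server'][0]]['ansible_fqdn'] }}:home
# … unchanged: the n0box2-only second remote, to be guarded the same way …
```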


@@ -0,0 +1,34 @@
- name: mount backup disk
mount:
path: /backup
src: LABEL=BACKUP
fstype: btrfs
opts: noatime
state: mounted
- name: create backup user
user:
name: backup
comment: Backup
create_home: yes
home: /backup
shell: /bin/bash
system: yes
state: present
- name: "create directory for borg clients"
file:
path: "/backup/repos/{{ hostvars[item]['ansible_fqdn'] }}"
state: directory
mode: '0750'
owner: backup
group: backup
loop: "{{ groups['borg_client'] }}"
- name: "set authorized_keys for borg clients"
authorized_key:
user: backup
key: "{{ hostvars[item]['ssh_keys']['stdout'] }}"
key_options: "command=\"cd /backup/repos/{{ hostvars[item]['ansible_fqdn'] }}; borg serve --restrict-to-path /backup/repos/{{ hostvars[item]['ansible_fqdn'] }}\""
state: present
loop: "{{ groups['borg_client'] }}"
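Review bot: The forced command in `set authorized_keys for borg clients` limits what `borg serve` may touch but leaves port, agent and X11 forwarding and pty allocation available to that key; prefix the options with `restrict` (OpenSSH 7.2 and later), giving `key_options: "restrict,command=\"cd /backup/repos/{{ hostvars[item]['ansible_fqdn'] }} && borg serve --restrict-to-path /backup/repos/{{ hostvars[item]['ansible_fqdn'] }}\""`. `&&` instead of `;` also means a failed `cd` does not fall through to serving from the home directory. Since each client holds a key that can delete its own archives, `borg serve --append-only` for client keys, with pruning done on the server side, is what protects the backups from a compromised client. `create_home: yes` and `system: yes` would be `true` under yamllint's truthy rule.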


@@ -0,0 +1,10 @@
- set_fact:
borgbackup: borg
when: ansible_facts['distribution'] == "Archlinux"
- set_fact:
borgbackup: borgbackup
when: ansible_facts['distribution'] == "Debian"
- name: install borg package
package:
name: "{{ borgbackup }}"
state: present


@@ -0,0 +1 @@
localtime: "Europe/Paris"


@@ -0,0 +1,26 @@
- name: docker repo key
apt_key:
url: https://download.docker.com/linux/debian/gpg
state: present
- name: docker repo install
apt_repository:
repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_facts['distribution_release'] }} stable"
state: present
- name: install docker and docker-compose
package:
name: "{{ item }}"
state: present
loop:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-compose
- name: docker directory
file:
path: /srv/docker
owner: root
group: root
state: directory


@@ -0,0 +1,4 @@
- name: reload firewall
openwrt_init:
name: firewall
state: reloaded


@@ -0,0 +1,5 @@
- name: generate firewall file
template:
src: firewall.j2
dest: /etc/config/firewall
notify: reload firewall


@@ -0,0 +1,506 @@
## General WAN Rules
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option src_ip 'fe80::/10'
option src_port '547'
option proto 'udp'
option dest_ip 'fe80::/10'
option dest_port '546'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option target 'ACCEPT'
option family 'ipv6'
option limit '1000/sec'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option target 'ACCEPT'
option family 'ipv6'
option limit '1000/sec'
## Deny IPv6 SMTP
config rule
option name 'Deny-SMTP'
option src 'lan'
option proto 'tcp'
option dest 'wan'
option dest_port '25'
option target 'REJECT'
option family 'ipv6'
## SSH from VINCI rules
config rule
option name 'Allow-Input-SSH-VINCI'
option src 'wan'
option src_ip '{{ vinci_ipv6_out }}'
option proto 'tcp'
option dest_port '22'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'Allow-SSH-VINCI'
option src 'wan'
option src_ip '{{ vinci_ipv6_out }}'
option proto 'tcp'
option dest 'lan'
option dest_port '22'
option target 'ACCEPT'
option family 'ipv6'
## Traffic for n0box2 server
config rule
option name 'n0box2-SMTP+SMTPS+SUBMISSION'
option src 'wan'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '25 465 587'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'n0box2-IMAP+IMAPS'
option src 'wan'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '143 993'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'n0box2-HTTP+HTTPS'
option src 'wan'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '80 443'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'n0box2-XMPP-c2s+s2s'
option src 'wan'
option proto 'tcpudp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '5222 5269'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'n0box2-TS-com+com2'
option src 'wan'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '10011 30033'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'n0box2-TS-signal'
option src 'wan'
option proto 'udp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '9987'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'n0box2-mumble'
option src 'wan'
option proto 'tcpudp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '64738'
option target 'ACCEPT'
option family 'ipv6'
config redirect
option name 'n0box2-SMTP'
option src 'wan'
option src_dport '25'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '25'
option target 'DNAT'
config redirect
option name 'n0box2-SMTPS'
option src 'wan'
option src_dport '465'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '465'
option target 'DNAT'
config redirect
option name 'n0box2-SUBMISSION'
option src 'wan'
option src_dport '587'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '587'
option target 'DNAT'
config redirect
option name 'n0box2-IMAP'
option src 'wan'
option src_dport '143'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '143'
option target 'DNAT'
config redirect
option name 'n0box2-IMAPS'
option src 'wan'
option src_dport '993'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '993'
option target 'DNAT'
config redirect
option name 'n0box2-XMPP-c2s'
option src 'wan'
option src_dport '5222'
option proto 'tcpudp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '5222'
option target 'DNAT'
config redirect
option name 'n0box2-XMPP-s2s'
option src 'wan'
option src_dport '5269'
option proto 'tcpudp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '5269'
option target 'DNAT'
config redirect
option name 'n0box2-TS-com'
option src 'wan'
option src_dport '10011'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '10011'
option target 'DNAT'
config redirect
option name 'n0box2-TS-com2'
option src 'wan'
option src_dport '30033'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '30033'
option target 'DNAT'
config redirect
option name 'n0box2-TS-signal'
option src 'wan'
option src_dport '9987'
option proto 'udp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '9987'
option target 'DNAT'
config redirect
option name 'n0box2-mumble'
option src 'wan'
option src_dport '64738'
option proto 'tcpudp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '64738'
option target 'DNAT'
### DMZ Rules
## General Rules
# ICMP
config rule
option name 'Allow-ICMP'
option dest 'dmz'
option proto 'icmp'
option target 'ACCEPT'
config rule
option name 'Allow-ICMP'
option src 'dmz'
option proto 'icmp'
option target 'ACCEPT'
config rule
option name 'Allow-ICMP'
option src 'dmz'
option proto 'icmp'
option dest '*'
option target 'ACCEPT'
# DHCP rules
config rule
option name 'Allow-DMZ-DHCP'
option dest 'dmz'
option dest_port '67-68'
option proto 'tcpudp'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-DMZ-DHCP'
option src 'dmz'
option proto 'tcpudp'
option dest_port '67-68'
option target 'ACCEPT'
option family 'ipv4'
# DNS Resolution
config rule
option name 'Allow-INPUT-DNS'
option src 'dmz'
option proto 'tcpudp'
option dest_port '53'
option target 'ACCEPT'
option family 'ipv4'
# NTP
config rule
option name 'Allow-OUTPUT-NTP'
option src 'dmz'
option proto 'udp'
option dest 'wan'
option dest_port '123'
option target 'ACCEPT'
# Web traffic OUT
config rule
option name 'Allow-OUTPUT-Web'
option src 'dmz'
option proto 'tcpudp'
option dest 'wan'
option dest_port '80 443'
option target 'ACCEPT'
# SSH traffic IN
config rule
option name 'Allow-INPUT-SSH'
option src 'wan'
option proto 'tcp'
option dest 'dmz'
option dest_port '22'
option target 'ACCEPT'
option family 'ipv6'
# Allow traffic to n0box2
config rule
option name 'Allow-OUTPUT-to-n0box2'
option src 'dmz'
option proto 'tcpudp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '25 80 443 465 587 143 993'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-OUTPUT-to-n0box2'
option src 'dmz'
option proto 'tcpudp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '25 80 443 465 587 143 993'
option target 'ACCEPT'
option family 'ipv6'
## Specific rules
# Allow IPv4 Web traffic IN
config redirect
option name 'Allow-INPUT-v4-HTTP'
option src 'wan'
option src_dport '80'
option proto 'tcpudp'
option dest 'dmz'
option dest_ip '{{ hostvars['haproxy.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '80'
option target 'DNAT'
config redirect
option name 'Allow-INPUT-v4-HTTPS'
option src 'wan'
option src_dport '443'
option proto 'tcpudp'
option dest 'dmz'
option dest_ip '{{ hostvars['haproxy.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '443'
option target 'DNAT'
# Allow Web traffic IN
{% for host in groups['webservers'] %}
config rule
option name 'Allow-INPUT-{{ host }}-Web'
option src 'wan'
option proto 'tcpudp'
option dest 'dmz'
option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
option dest_port '80 443'
option target 'ACCEPT'
option family 'ipv6'
{% endfor %}
# Allow traffic to and from bt.dmz.mateu.be
config rule
option name 'Allow-OUTPUT-BT'
option src 'dmz'
option src_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
option proto 'tcpudp'
option dest 'wan'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-OUTPUT-BT'
option src 'dmz'
option src_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
option proto 'tcpudp'
option dest 'wan'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'Allow-INPUT-BT'
option src 'wan'
option proto 'tcpudp'
option dest 'dmz'
option dest_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '10010'
option target 'ACCEPT'
option family 'ipv6'
config redirect
option name 'Allow-INPUT-BT'
option src 'wan'
option src_dport '10010'
option proto 'tcpudp'
option dest 'dmz'
option dest_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '10010'
option target 'DNAT'
# Allow traffic to Proxmox VE interface
{% for host in groups['hypervisors'] %}
config rule
option name 'Allow-INPUT-ProxmoxVE-{{ hostvars[host]['ansible_hostname'] }}'
option src 'wan'
option proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
option dest_port '8006'
option target 'ACCEPT'
option family 'ipv6'
{% endfor %}
## Default configuration
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
## Zone configuration
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'dmz'
option input 'REJECT'
option output 'REJECT'
option forward 'REJECT'
option network 'dmz'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option network 'vpn'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'dmz'
config include
option path '/etc/firewall.user'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
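Review bot: The `Allow-INPUT-ProxmoxVE-*` loop and the `Allow-INPUT-SSH` rule accept TCP 8006 and 22 from any IPv6 source into the DMZ, whereas the two SSH rules for the LAN zone earlier in the file restrict `src_ip` to `{{ vinci_ipv6_out }}`; the hypervisor web UI and SSH are management surfaces and deserve the same restriction unless the wide exposure is deliberate, in which case a comment should say so. Adding `option src_ip '{{ vinci_ipv6_out }}'` to both rules keeps the file consistent with the LAN rules. Separately, several rules share a name (`Allow-ICMP` three times, `Allow-DMZ-DHCP`, `Allow-OUTPUT-to-n0box2`, `Allow-OUTPUT-BT`, `Allow-INPUT-BT`); fw3 does not, as far as I know, require unique names, but distinct ones such as `Allow-ICMP-to-dmz` / `Allow-ICMP-from-dmz` make the generated chains auditable.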


@@ -0,0 +1 @@
vinci_ipv6_out: "2a02:2098:8711:920:740c:70c0:e153:55b6"


@@ -0,0 +1,4 @@
- name: restart haproxy
service:
name: haproxy
state: restarted


@@ -0,0 +1,11 @@
- name: install haproxy package
package:
name: haproxy
state: present
- name: haproxy config
template:
src: haproxy.cfg.j2
dest: /etc/haproxy/haproxy.cfg
notify:
- restart haproxy
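Review bot: The `haproxy config` task writes `/etc/haproxy/haproxy.cfg` without validating it, so a template mistake is only discovered when the `restart haproxy` handler takes the load balancer down. Add `validate: 'haproxy -c -f %s'` to the template task so the rendered file is checked before it replaces the old one. Having the handler use `state: reloaded` rather than `restarted` would also keep existing connections during config pushes, though that is a change to the handler file.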


@@ -0,0 +1,97 @@
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend http
mode http
bind *:80 name frontend-http
tcp-request inspect-delay 3s
acl letsencrypt path_beg /.well-known/acme-challenge
redirect scheme https code 301 if !letsencrypt
{% for server in groups['webservers'] %}
{% for hostname in hostvars[server]['web_hostname'] %}
## {{ hostname }} configuration
acl host_{{ hostname }} hdr(host) -i {{ hostname }}
use_backend http_{{ server }} if letsencrypt host_{{ hostname }}
{% endfor %}
{% endfor %}
use_backend http_default
frontend https
mode tcp
option tcplog
bind *:443 name frontend-https
tcp-request inspect-delay 3s
tcp-request content accept if { req.ssl_hello_type 1 }
{% for server in groups['webservers'] %}
{% for hostname in hostvars[server]['web_hostname'] %}
## {{ hostname }} configuration
acl host_{{ hostname }} req.ssl_sni -i {{ hostname }}
use_backend https_{{ server }} if host_{{ hostname }}
{% endfor %}
{% endfor %}
use_backend https_default
{% for server in groups['webservers'] %}
## {{ server }} configuration
backend http_{{ server }}
mode http
server host_{{ server }} {{ server }}:80
backend https_{{ server }}
mode tcp
server host_{{ server }} {{ server }}:443
{% endfor %}
backend http_default
mode http
server host_n0box2 {{ lookup('dig', 'n0box2.mateu.be.', 'qtype=AAAA') }}:80
backend https_default
mode tcp
server host_n0box2 {{ lookup('dig', 'n0box2.mateu.be.', 'qtype=AAAA') }}:443
## Stats
listen stats
bind *:8080
mode http
log global
stats enable
stats uri /
stats hide-version
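Review bot: The `listen stats` section binds `*:8080` with no `stats auth` and no source ACL, so anything that can reach the load balancer on 8080 (the LAN can, per the router's lan-to-dmz forwarding) gets the full stats page; `stats hide-version` hides the version but not backend names, server addresses and health state. Either bind it to loopback, `bind 127.0.0.1:8080`, or add `stats auth <user>:<password>` fed from a vaulted variable. A short comment above the section stating who is meant to consume it would make the choice reviewable.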


@@ -0,0 +1,2 @@
mariadb_backup_hour: 5
mariadb_backup_minute: 0


@@ -0,0 +1,137 @@
#
# These groups are read by MariaDB server.
# Use it for options that only the server (but not clients) should see
#
# See the examples of server my.cnf files in /usr/share/mysql
# this is read by the standalone daemon and embedded servers
[server]
# this is only for the mysqld standalone daemon
[mysqld]
#
# * Basic Settings
#
user = mysql
pid-file = /run/mysqld/mysqld.pid
socket = /run/mysqld/mysqld.sock
#port = 3306
basedir = /usr
datadir = /srv/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
default-storage-engine = InnoDB
#skip-external-locking
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 127.0.0.1
#
# * Fine Tuning
#
key_buffer_size = 32M
max_allowed_packet = 64M
thread_stack = 256K
thread_cache_size = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
myisam_recover_options = BACKUP
#max_connections = 100
#table_cache = 64
#thread_concurrency = 10
#
# * Query Cache Configuration
#
query_cache_limit = 16M
query_cache_size = 64M
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime!
#general_log_file = /var/log/mysql/mysql.log
#general_log = 1
#
# Error log - should be very few entries.
#
log_error = /var/log/mysql/error.log
#
# Enable the slow query log to see queries with especially long duration
#slow_query_log_file = /var/log/mysql/mariadb-slow.log
#long_query_time = 10
#log_slow_rate_limit = 1000
#log_slow_verbosity = query_plan
#log-queries-not-using-indexes
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
# other settings you may need to change.
#server-id = 1
#log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
max_binlog_size = 100M
#binlog_do_db = include_database_name
#binlog_ignore_db = exclude_database_name
#
# * Security Features
#
# Read the manual, too, if you want chroot!
#chroot = /srv/mysql/
#
# For generating SSL certificates you can use for example the GUI tool "tinyca".
#
#ssl-ca = /etc/mysql/cacert.pem
#ssl-cert = /etc/mysql/server-cert.pem
#ssl-key = /etc/mysql/server-key.pem
#
# Accept only connections using the latest and most secure TLS protocol version.
# ..when MariaDB is compiled with OpenSSL:
#ssl-cipher = TLSv1.2
# ..when MariaDB is compiled with YaSSL (default in Debian):
#ssl = on
#
# * Character sets
#
# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
# utf8 4-byte character set. See also client.cnf
#
character-set-server = utf8mb4
collation-server = utf8mb4_general_ci
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /srv/mysql/.
# Read the manual for more InnoDB related options. There are many!
innodb_file_per_table
innodb_data_file_path=ibdata1:10M:autoextend
#
# * Unix socket authentication plugin is built-in since 10.0.22-6
#
# Needed so the root database user can authenticate without a password but
# only when running as the unix root user.
#
# Also available for other users if required.
# See https://mariadb.com/kb/en/unix_socket-authentication-plugin/
# this is only for embedded server
[embedded]
# This group is only read by MariaDB servers, not by MySQL.
# If you use the same .cnf file for MySQL and MariaDB,
# you can put MariaDB-only options here
[mariadb]
# This group is only read by MariaDB-10.3 servers.
# If you use the same .cnf file for MariaDB of different versions,
# use this group for options that older servers don't understand
[mariadb-10.3]


@@ -0,0 +1,43 @@
#!/bin/bash
##########
# THIS FILE IS MANAGED BY ANSIBLE
# ANY MODIFICATION IS LIKELY TO BE ERASED
##########
##############################################
# Nom : backup_mysql.sh
# Objet : Dump les bases mysql
# listees dans $backup_db_list
# dans le dossier $backup_dump_path, un sous-dossier par base
###############################################
# Chemin de stockage des dump
backup_dump_path="/srv/backup/mysql/"
# Liste des bases a sauvegarder séparées par des espaces
backup_db_list=`echo -n 'show databases' | mysql | grep -v Database | grep -v _schema`
# Verifie que backup_dump_path existe, on crée sinon
if [ ! -d $backup_dump_path ] ; then mkdir -p $backup_dump_path ; fi
# On se deplace dans le dossier, et on purge les fichiers plus vieux que backup_max_age
cd $backup_dump_path
mysqlcheck --all-databases > /srv/mysql/check
# Pour chaque base a sauvegarder
for backup_db_name in $backup_db_list
do
# Verifie si un dossier existe pour cette base, on cree si non
if [ ! -d ./$backup_db_name ] ; then mkdir ./$backup_db_name ; fi
cd ./$backup_db_name
# On dump
mysqldump --events $backup_db_name | gzip > $backup_db_name.sql.gz
cd ..
done
# On s'assure que nimporte qui ne peut lire les dump
chmod a-rwx,u+rwX -R $backup_dump_path
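Review bot: Each dump is created with the process's default umask by `mysqldump --events $backup_db_name | gzip > $backup_db_name.sql.gz` and is only locked down by the final `chmod a-rwx,u+rwX -R` after every database has been written, so a complete dump is readable by any local user for the whole duration of the run; setting `umask 077` at the top closes that window for the first file onward. The script also continues after a failed `cd $backup_dump_path` or `cd ./$backup_db_name`, which would write the next dump into the wrong directory, and `$backup_db_name` is expanded unquoted, so a database name with a space or glob character breaks the loop. The shipped 50-server.cnf sets `default-storage-engine = InnoDB`, so `--single-transaction` would give a consistent snapshot without locking tables; `mysqlcheck` output going into `/srv/mysql/check`, i.e. inside the datadir, is presumably unintended and belongs under `$backup_dump_path`.
```shell
#!/bin/bash
umask 077   # dumps are sensitive from the moment they are created
# … unchanged: header comments, backup_dump_path, backup_db_list …
cd "$backup_dump_path" || exit 1
# … unchanged: mysqlcheck, loop header, per-database mkdir …
cd "./$backup_db_name" || exit 1
mysqldump --single-transaction --events "$backup_db_name" | gzip > "$backup_db_name.sql.gz"
# … unchanged: cd .., done, final chmod …
```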


@@ -0,0 +1,4 @@
- name: restart mariadb
service:
name: mariadb
state: restarted


@@ -0,0 +1,87 @@
- name: install mariadb
package:
name: mariadb-server
state: present
- name: create mysql directory
file:
path: /srv/mysql
owner: mysql
group: mysql
state: directory
- name: populate mysql directory
command: /usr/bin/mysql_install_db --datadir=/srv/mysql
args:
creates: /srv/mysql/ibdata1
notify: restart mariadb
- name: replace conffile
copy:
src: files/50-server.cnf
dest: /etc/mysql/mariadb.conf.d/50-server.cnf
notify: restart mariadb
- name: debian upgrade file conf
template:
src: debian.cnf.j2
dest: /etc/mysql/debian.cnf
owner: root
group: root
mode: '0600'
notify: restart mariadb
- name: force handlers
meta: flush_handlers
- name: install python-mysql
package:
name: "{{ item }}"
state: present
loop:
- python-pymysql
- python3-pymysql
- name: root password
mysql_user:
login_user: root
host: "{{ item }}"
name: root
password: "{{ mariadb_root_pass }}"
loop:
- "localhost"
- "127.0.0.1"
- "::1"
- name: put .my.cnf file
template:
src: dot.my.cnf.j2
dest: ~/.my.cnf
mode: '0600'
- name: scripted version of mysql_secure_installation
command: "{{ item }}"
args:
warn: false
creates: ~/mysql_secure_installation
loop:
- "mysql -e \"DELETE FROM mysql.user WHERE User='';\""
- "mysql -e \"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');\""
- "mysql -e \"DROP DATABASE IF EXISTS test;\""
- "mysql -e \"DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';\""
- "mysql -e \"FLUSH PRIVILEGES;\""
- touch ~/mysql_secure_installation
- name: install backup script
copy:
src: files/backup_mysql.sh
dest: /usr/local/bin/backup_mysql.sh
mode: '0755'
- name: cron backup script
cron:
name: "MariaDB backup"
hour: "{{ mariadb_backup_hour }}"
minute: "{{ mariadb_backup_minute }}"
job: "/usr/local/bin/backup_mysql.sh"
state: present
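Review bot: `scripted version of mysql_secure_installation` drives five `mysql -e` statements through `command` and keys idempotence on the `~/mysql_secure_installation` marker file, so once the marker exists the anonymous accounts and the `test` database are never re-checked, even if the grant tables are later restored from a backup or recreated by an upgrade. The `mysql_user`/`mysql_db` modules this role already depends on (see `install python-mysql`) cover most of it idempotently: `mysql_user: name='' host_all=true state=absent` for the anonymous users and `mysql_db: name=test state=absent` for the test database, leaving only the `mysql.db` grant rows and the non-local root accounts to raw SQL. Both `creates: ~/mysql_secure_installation` and `dest: ~/.my.cnf` expand `~` for whatever user Ansible connects as, so the role silently assumes it runs as root; a comment such as `# must run as root: the root .my.cnf and marker file live in /root` would make that explicit.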


@@ -0,0 +1,12 @@
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = root
password = {{ mariadb_root_pass }}
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = root
password = {{ mariadb_root_pass }}
socket = /var/run/mysqld/mysqld.sock
basedir = /usr
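Review bot: `password = {{ mariadb_root_pass }}` is written into an option file unquoted, and MySQL/MariaDB option-file parsing treats `#` as the start of a comment even in the middle of a line and trims surrounding whitespace, so a generated password containing `#` or ending in a space is silently truncated here and the maintenance scripts lose access while the real account keeps the full value. Quote it, `password = "{{ mariadb_root_pass }}"` (both quote styles are accepted in option files), and do the same in the `.my.cnf` template shipped alongside. This file also duplicates the root credential into a second location; a comment stating why root rather than a dedicated maintenance account is used here would help the next reader.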


@@ -0,0 +1,3 @@
[client]
user = root
password = {{ mariadb_root_pass }}


@@ -0,0 +1,4 @@
- name: restart nginx
service:
name: nginx
state: restarted


@@ -0,0 +1,46 @@
- name: install nginx package
package:
name: nginx-full
state: present
- name: create dhparam
shell: /usr/bin/openssl dhparam -out /etc/nginx/dhparam.pem 2048
args:
creates: /etc/nginx/dhparam.pem
- name: service nginx
service:
name: nginx
enabled: True
state: started
- name: put configuration files
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
notify:
- restart nginx
loop:
- { src: nginx.conf.j2, dest: /etc/nginx/nginx.conf }
- { src: nginx.ssl.conf.j2, dest: /etc/nginx/nginx.ssl.conf }
- { src: fastcgi_params.j2, dest: /etc/nginx/fastcgi_params }
- { src: proxy_params.j2, dest: /etc/nginx/proxy_params }
- { src: default.j2, dest: /etc/nginx/sites-available/default }
- name: create base dir
file:
path: /srv/http
owner: root
group: www-data
mode: 'u+rwx,g+rs,o-rwx'
state: directory
- name: create letsencrypt dir
file:
path: /srv/http/common/letsencrypt
owner: root
group: www-data
mode: 'u+rwx,g+rs,o-rwx'
state: directory
- include_tasks: vhosts.yml
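Review bot: `create dhparam` uses `shell:` for a command line that needs no shell features; `command: /usr/bin/openssl dhparam -out /etc/nginx/dhparam.pem 2048` with the same `creates:` guard is the idiomatic form and avoids the lint warning about unnecessary shells. The `service nginx … started` task runs before `put configuration files`, so on a fresh host nginx first comes up with the package defaults and only adopts this configuration when the restart handler fires; that works, but a one-line comment on the service task would stop someone from "fixing" the order. Consider `validate: /usr/sbin/nginx -t -c %s` on the `nginx.conf.j2` entry so a broken template never reaches the restart handler (the relative `include nginx.ssl.conf;` resolves against nginx's prefix, so this should work — verify on one host).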


@@ -0,0 +1,18 @@
- name: symlink vhosts
file:
src: "/etc/nginx/sites-available/{{ item }}.conf"
dest: "/etc/nginx/sites-enabled/{{ item }}.conf"
force: True
follow: False
state: link
notify:
- restart nginx
loop: "{{ web_hostname }}"
- name: install vhosts
template:
src: "vhosts/{{ item }}.conf.j2"
dest: "/etc/nginx/sites-available/{{ item }}.conf"
notify:
- restart nginx
loop: "{{ web_hostname }}"
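Review bot: `symlink vhosts` runs before `install vhosts`, so on a first run every link in `sites-enabled` is created pointing at a file that does not exist yet (`force: True` makes the `file` module create it anyway), and between the two tasks `sites-enabled` is inconsistent. Swapping the two tasks — render the template into `sites-available`, then link it — keeps the enabled set valid at every step with no other change. The template name is derived from `web_hostname`, which comes from inventory, so a missing `vhosts/<name>.conf.j2` fails loudly; a comment saying that this is intended (`# every hostname in web_hostname must have a matching vhosts/<name>.conf.j2`) would be useful.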


@@ -0,0 +1,25 @@
server {
listen *:80;
listen [::]:80;
server_name localhost;
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
}
server {
listen *:80 default_server;
listen [::]:80 default_server;
location /.well-known/acme-challenge {
root /srv/http/common/letsencrypt/;
}
location / {
return 301 https://$host$request_uri;
}
}
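Review bot: The `/nginx_status` location allows only `127.0.0.1`, but the server also listens on `[::]:80`, so a local monitoring client that connects over `::1` is denied; add `allow ::1;` next to `allow 127.0.0.1;`. Because this block is keyed on `server_name localhost` while the redirect block is the `default_server`, the status page is only reachable with a `Host: localhost` request from the loopback, which is the right shape — a short comment stating that would save the next reader a check.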


@@ -0,0 +1,31 @@
##########
# THIS FILE IS MANAGED BY ANSIBLE
# ANY MODIFICATION IS LIKELY TO BE ERASED
##########
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS $https;
# PHP only
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param REDIRECT_STATUS 200;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;


@@ -0,0 +1,8 @@
listen *:443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/x509/{{ item }}/fullchain.cer;
ssl_certificate_key /etc/x509/{{ item }}/{{ item }}.key;
server_name {{ item }};
access_log /var/log/nginx/{{ item }}.access.log combined_port;
error_log /var/log/nginx/{{ item }}.error.log;


@@ -0,0 +1,67 @@
##########
# THIS FILE IS MANAGED BY ANSIBLE
# ANY MODIFICATION IS LIKELY TO BE ERASED
##########
user www-data;
worker_processes 4;
pid /var/run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
log_format combined_port
'$remote_addr:$remote_port - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log combined_port;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
include nginx.ssl.conf;
##
# Virtual Host Configs
##
client_max_body_size 1G;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
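Review bot: `gzip on` at the http level, with `application/json` and `text/xml` in `gzip_types` (and `text/html` always compressed), applies to dynamic, per-user responses over TLS for every vhost that includes this file, which is the precondition for the BREACH compression side-channel when a response reflects attacker-controlled input alongside a secret such as a CSRF token. Many sites accept that trade-off, but it deserves a comment here, and the proxied applications (the `3000`/`4000` and `8989` upstreams) are the ones where per-user content is most likely; limiting compression to static types (`text/css application/javascript image/svg+xml`) in those vhosts is the usual mitigation. `worker_processes 4` is hard-coded; `worker_processes auto;` tracks the VM's CPU count.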


@@ -0,0 +1,26 @@
##########
# THIS FILE IS MANAGED BY ANSIBLE
# ANY MODIFICATION IS LIKELY TO BE ERASED
##########
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/dhparam.pem;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
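Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` still enables TLS 1.0 and 1.1, and the cipher list ends with 3DES (`DES-CBC3-SHA`) and non-forward-secret `AES*-SHA*` suites; Debian buster's nginx and OpenSSL 1.1.1 support `ssl_protocols TLSv1.2 TLSv1.3;`, and dropping the 3DES and plain-RSA entries leaves only ECDHE/DHE AEAD and SHA-2 suites, which every current client negotiates. Separately, `add_header Strict-Transport-Security` defined here is only inherited by server or location blocks that declare no `add_header` of their own — nginx replaces the set at the nearer level rather than merging — so the vhosts in this commit that add `Referrer-Policy` or the `X-*` headers silently lose HSTS; repeat the header wherever `add_header` appears, and say so in a comment above this line, e.g. `# NOTE: any add_header in a server/location block replaces this set; repeat HSTS there`.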


@@ -0,0 +1,9 @@
##########
# THIS FILE IS HANDLED BY ANSIBLE
# ANY MODIFICATION IS LIKELY TO BE ERASED
##########
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header Strict-Transport-Security;


@@ -0,0 +1,33 @@
server {
{% include './templates/header.conf.j2' %}
root /srv/http/analyse.nintendojo.fr/;
index index.html index.htm index.php;
location ~ ^/(status|ping|apc_info.php)$ {
access_log off;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires 2w;
log_not_found off;
}
location ~ \.htaccess$ {
deny all;
}
location ~ ^/tmp {
deny all;
}
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
include fastcgi_params;
}
}
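Review bot: `location ~ ^/(status|ping|apc_info.php)$` hands `/status` and `/ping` straight to PHP-FPM with `access_log off` and no source restriction, so if the pool enables `pm.status_path`/`ping.path` the FPM status page (process list, request URIs, script paths) is readable by anyone on the internet, and `apc_info.php` exposes the opcode cache in the same way. Add `allow 127.0.0.1; allow ::1; deny all;` inside that location (or remove it until it is needed) and escape the dot: `apc_info\.php`. Unlike the `\.php$` handler below, this location has no `try_files $uri =404` guard, which is one more reason to keep it restricted.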


@@ -0,0 +1,40 @@
server {
{% include './templates/header.conf.j2' %}
root /srv/http/blog.libertus.eu/;
index index.html index.htm index.php;
## Optimisation des images
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires 2w;
log_not_found off;
}
## blocage équivalent HTTPS
location ~ (\.htaccess|\.inc)$ {
deny all;
}
location ~ ^/(inc|plugins|db|cache)/ {
deny all;
}
## Inter PHP en path_info
location ~ ^/(index).php(/.*)+ {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
include fastcgi_params;
}
## Inter PHP brute
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
include fastcgi_params;
}
## redirection des zolies URLs vers index.php
location / {
try_files $uri $uri/ /index.php$uri?$args;
}
}


@@ -0,0 +1,8 @@
server {
{% include './templates/header.conf.j2' %}
location / {
proxy_pass http://127.0.0.1:9091;
}
}
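Review bot: This vhost proxies everything to the Transmission daemon on `127.0.0.1:9091` with no `allow`/`deny`, no `auth_basic` and no `include proxy_params`, so the RPC interface is exposed to the internet under TLS and the only defence is whatever `rpc-authentication-required`/`rpc-whitelist` the daemon itself is configured with, which this commit does not show. The download vhost next to it already carries an address allowlist; reuse it here (or put `auth_basic` in front), and add `include proxy_params;` so the daemon's logs and host checks see the real `Host` and client address. If this host is one of the `webservers` the TCP-mode HAProxy front-end in this commit forwards to, `$remote_addr` is HAProxy's address until PROXY protocol is enabled, so an allowlist alone is not yet an end-to-end control.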


@@ -0,0 +1,12 @@
server {
{% include './templates/header.conf.j2' %}
location / {
root /var/lib/transmission-daemon/downloads/;
autoindex on;
allow 2a01:cb0c:8516:7f00::/64;
allow 83.167.52.81;
allow 2001:1b48:2:103::/64;
allow 2001:bc8:26c1:101::/64;
deny all;
}
}
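Review bot: The `allow`/`deny` list in `location /` keys on `$remote_addr`, but the HAProxy template in this commit forwards port 443 to the web hosts in `mode tcp` with plain `server … :443` lines and no `send-proxy`, so if this host is one of those `webservers`, nginx sees HAProxy's own source address for every external client and the allowlist either blocks everyone or — if HAProxy's address falls inside one of the allowed /64 prefixes — admits everyone. To make the list meaningful end-to-end, enable PROXY protocol: `send-proxy-v2` on the HAProxy backend servers, `proxy_protocol` on the `listen` lines in `header.conf.j2`, and `set_real_ip_from <haproxy address>; real_ip_header proxy_protocol;` so `$remote_addr` becomes the original client. Until then, a comment on the allowlist saying which hop it actually filters would avoid a false sense of security, and `autoindex on` over the whole download tree is exactly what it is supposed to protect.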


@@ -0,0 +1,22 @@
server {
{% include './templates/header.conf.j2' %}
root /srv/http/coince.mateu.be/;
index index.htm index.html index.php;
allow 2001:bc8:26c1:101:0:0:0:0/64;
allow 2001:bc8:26c1:105:0:0:0:0/64;
allow 2001:1b48:2:103::6d:2;
allow 83.167.52.81;
deny all;
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
include fastcgi_params;
}
location /var {
deny all;
}
}
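Review bot: `location /var { deny all; }` is a plain prefix location, and nginx lets a matching regex location (`location ~ \.php$` above) take precedence over plain prefixes, so `/var/anything.php` is still executed by PHP-FPM while only non-PHP files under `/var` are denied. Use `location ^~ /var { deny all; }` — the `^~` modifier stops regex evaluation — or write it as a regex placed before the PHP handler, as `location ~ ^/tmp` does in the `analyse` vhost. The `allow`/`deny` list at server level has the same caveat as the download vhost: if this host sits behind the TCP-mode HAProxy front-end in this commit, `$remote_addr` is HAProxy's address, not the client's.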


@@ -0,0 +1,22 @@
## Shaarli
server {
{% include './templates/header.conf.j2' %}
root /srv/http/fav.libertus.eu/;
index index.html index.htm index.php;
location ^/(cache|data)/ {
deny all;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires 2w;
log_not_found off;
}
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
include fastcgi_params;
}
}
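Review bot: `location ^/(cache|data)/ { deny all; }` is missing the `~` modifier, so nginx treats `^/(cache|data)/` as a literal prefix that no URI ever starts with and the block is dead; `cache/` and `data/` — which for Shaarli is where the configuration and datastore live — are therefore served by the static and PHP handlers below. Write it as `location ~ ^/(cache|data)/ { deny all; }` (it already precedes the `\.php$` regex, so it wins by order), or as `location ^~ /data/ { deny all; }` plus the same for `/cache/` so the protection does not depend on ordering.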


@@ -0,0 +1,38 @@
server {
{% include './templates/header.conf.j2' %}
root /srv/http/forum.nintendojo.fr/;
index index.html index.htm index.php;
client_max_body_size 10M;
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires 2w;
log_not_found off;
}
location ~ \.htaccess$ {
deny all;
}
location ~ ^/(files|store|cache|images/avatars/upload)/ {
deny all;
}
location ~ ^/(config|common)\.php$ {
deny all;
}
location ~ /(app).php(/.*)+ {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
fastcgi_read_timeout 60;
include fastcgi_params;
}
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
include fastcgi_params;
}
}


@@ -0,0 +1,61 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
{% include './templates/header.conf.j2' %}
keepalive_timeout 70;
sendfile on;
client_max_body_size 0;
large_client_header_buffers 4 32k;
# Referrer-Policy, même si Chrome ne comprendra pas
add_header Referrer-Policy "same-origin";
location / {
try_files $uri @proxy;
}
location @proxy {
proxy_pass http://localhost:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Proxy "";
proxy_pass_header Server;
proxy_buffering off;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
tcp_nodelay on;
}
location /api/v1/streaming {
proxy_pass http://localhost:4000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Proxy "";
proxy_buffering off;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
tcp_nodelay on;
}
}
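Review bot: `add_header Referrer-Policy "same-origin";` at server level replaces the inherited `add_header` set from `nginx.ssl.conf`, so this vhost sends no `Strict-Transport-Security` header at all — nginx only inherits `add_header` when the current level defines none. Add `add_header Strict-Transport-Security max-age=15768000;` right next to it. `client_max_body_size 0` deliberately disables the 1G limit set in `nginx.conf`; a comment stating that the upload limit is intentionally delegated elsewhere would keep someone from reinstating it.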


@@ -0,0 +1,40 @@
server {
{% include './templates/header.conf.j2' %}
root /srv/http/mail.libertus.eu/;
index index.html index.htm index.php;
client_max_body_size 512M;
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires 2w;
log_not_found off;
}
## Dossiers et fichiers interdits d'accès
location ~ (README|INSTALL|LICENSE|SQL|bin|CHANGELOG|\.htaccess|\.inc)$ {
deny all;
}
location ~ ^/(config|logs|temp) {
deny all;
}
location ~ ^/program/js {
#autorise le dossier program/js
}
location ~ ^/program/.*\.gif$ {
#autorise les gifs du dossier program
}
location ~ ^/program {
deny all;
}
location = /favicon.ico {
rewrite ^(.*)$ skins/default/images/favicon.ico;
}
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
include fastcgi_params;
}
}


@@ -0,0 +1,82 @@
server {
{% include './templates/header.conf.j2' %}
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
fastcgi_hide_header X-Powered-By;
root /srv/http/o.libertus.eu/;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
client_max_body_size 1000M;
fastcgi_buffers 64 4k;
# Avoid E-Tag error on text file
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location / {
rewrite ^ /index.php$request_uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm-oc.sock;
include fastcgi_params;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
location ~* \.(?:css|js|woff|svg|gif)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
access_log off;
}
location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$request_uri;
access_log off;
}
}
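Review bot: The server-level `add_header` set (`X-Content-Type-Options`, `X-XSS-Protection`, `X-Robots-Tag`, …) and the one repeated inside the `css|js|woff|svg|gif` location both drop the inherited `Strict-Transport-Security` from `nginx.ssl.conf`, because nginx replaces rather than merges `add_header` sets at the nearer level; this vhost is therefore served without HSTS. Add `add_header Strict-Transport-Security max-age=15768000;` to both lists. A comment above the server-level list, `# add_header here replaces the set inherited from nginx.ssl.conf; keep HSTS in sync`, would prevent the same regression the next time a header is added.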


@@ -0,0 +1,25 @@
server {
listen *:443 ssl http2;
listen [::]:443 ssl http2;
server_name r.mateu.be perso.nintendojo.fr perso.libertus.eu;
access_log /var/log/nginx/r.mateu.be.access.log combined_port;
error_log /var/log/nginx/r.mateu.be.error.log;
ssl_certificate /etc/x509/r.mateu.be/fullchain.cer;
ssl_certificate_key /etc/x509/r.mateu.be/r.mateu.be.key;
root /srv/http/r.mateu.be/;
location / {
autoindex on;
}
location ~ ^/~mortal/(.*)$ {
return 301 https://r.mateu.be/$1;
}
location ~ ^/~clement\.veret/(.*)$ {
return 301 https://r.mateu.be/$1;
}
}


@@ -0,0 +1,20 @@
server {
{% include './templates/header.conf.j2' %}
root /srv/http/rss.libertus.eu/;
index index.html index.htm index.php;
location ~ \.(js|css|png|jpg|jpeg|gif|svg|svgz)$ {
expires 2w;
log_not_found off;
}
location ~ /\.git {
deny all;
}
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
include fastcgi_params;
}
}
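Review bot: `location ~ /\.git { deny all; }` only hides the git metadata; any other dotfile under the web root (`.env`, `.htaccess`, editor backups such as `.config.php.swp`) is still served as a static file by the default handler. The broader rule `location ~ /\.(?!well-known) { deny all; }` covers them while keeping `/.well-known/` reachable; since the port-80 redirect vhost in this commit serves the ACME challenges, the exclusion is probably unnecessary on 443 but it is harmless.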


@@ -0,0 +1,8 @@
server {
{% include './templates/header.conf.j2' %}
location / {
proxy_pass http://localhost:8989;
}
}
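Review bot: Everything on this vhost is proxied to `localhost:8989` with no `allow`/`deny` or `auth_basic` in front and without `include proxy_params`, so the upstream's own login, which this commit does not show, is the only access control, and it never learns the client address or the original `Host`. If the service behind 8989 is meant for the same small set of addresses as the download vhost, reuse that allowlist here; in any case add `include proxy_params;` so its logs and any host-based checks see real values.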


@@ -0,0 +1,14 @@
server {
listen *:443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/x509/intendo.fr/fullchain.cer;
ssl_certificate_key /etc/x509/intendo.fr/intendo.fr.key;
server_name intendo.fr www.intendo.fr;
access_log /var/log/intendo.fr.access.log combined_port;
error_log /var/log/intendo.fr.error.log;
location / {
return 302 https://www.nintendojo.fr$request_uri;
}
}
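Review bot: `access_log /var/log/intendo.fr.access.log` and `error_log /var/log/intendo.fr.error.log` write directly under `/var/log` instead of `/var/log/nginx/` like every other vhost in this commit, so these two files fall outside the packaged logrotate rule for `/var/log/nginx/*.log` and grow unbounded. Change them to `/var/log/nginx/intendo.fr.access.log` and `/var/log/nginx/intendo.fr.error.log`.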


@@ -0,0 +1,83 @@
## WP NintendojoFR
server {
listen *:443 ssl http2;
listen [::]:443 ssl http2;
server_name nintendojo.fr www.nintendojo.fr;
access_log /var/log/nginx/nintendojo.fr.access.log combined_port;
error_log /var/log/nginx/nintendojo.fr.error.log;
ssl_certificate /etc/x509/www.nintendojo.fr/fullchain.cer;
ssl_certificate_key /etc/x509/www.nintendojo.fr/www.nintendojo.fr.key;
root /srv/http/www.nintendojo.fr/;
index index.html index.htm index.php;
client_max_body_size 2G;
# couper les fichiers cachés
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# couper les fichiers textes du captcha
location ~* /wp-content/uploads/wpcf7_captcha/.*\.txt$ {
deny all;
}
# Images de la v6
location ~ ^/images/(.*)$ {
expires 2w;
alias /srv/http/archives.nintendojo.fr/v6/images/$1;
}
# Images de la v6.7
location ~ ^/public/(.*)$ {
expires 2w;
alias /srv/http/archives.nintendojo.fr/$1;
}
# Zolie tweet
location /tweet {
rewrite ^/tweet/([0-9]+)$ /index.php/tweet/?id=$1 last;
rewrite ^/tweet/embed/([0-9]+)$ /index.php/tweetembed/?id=$1 last;
return 403;
}
# Zolie wallpapers
location /wallpapers {
rewrite ^/wallpapers$ /index.php/wallpapers last;
rewrite ^/wallpapers/([0-9]+) /index.php/wallpapers/?id=$1 last;
location ~ ^/wallpapers/files(.*)(/.*\.jpg)$ {
expires 1w;
alias /srv/http/www.nintendojo.fr/wp-content/plugins/dojomurpapier/files$2;
}
}
# Optimisation des images
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires 1w;
log_not_found off;
}
# Interprétation PHP
location ~ ^/(index).php(/.*)+ {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_cache wpdojo;
fastcgi_cache_key $request_method$host$request_uri;
fastcgi_cache_valid any 15m;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
fastcgi_read_timeout 60;
include fastcgi_params;
}
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
fastcgi_read_timeout 60;
include fastcgi_params;
}
location / {
try_files $uri $uri/ /index.php$uri?$args;
}
}
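Review bot: The `fastcgi_cache wpdojo` block for `/index.php/…` keys on `$request_method$host$request_uri` and sets `fastcgi_ignore_headers Cache-Control Expires Set-Cookie` with no `fastcgi_cache_bypass`/`fastcgi_no_cache`, so for this WordPress site a page rendered for a logged-in user (admin bar, edit links, nonces) is stored and served to anonymous visitors for up to 15 minutes, and logged-in users receive the anonymous copy; `fastcgi_cache_valid any 15m` additionally caches error responses. The standard fix is to skip the cache whenever a WordPress login, post-password or comment cookie is present or the request is not a GET, as below. The `wpdojo` zone is not declared in `nginx.conf.j2` and presumably comes from `conf.d/`; a comment on the `fastcgi_cache` line naming where `fastcgi_cache_path … keys_zone=wpdojo` lives would help.
```nginx
# skip the page cache for logged-in users, commenters and non-GET requests
set $skip_cache 0;
if ($request_method != GET) { set $skip_cache 1; }
if ($http_cookie ~* "wordpress_logged_in_|wp-postpass_|comment_author_") { set $skip_cache 1; }
# … unchanged: the ^/(index).php(/.*)+ location header, fastcgi_split_path_info, fastcgi_cache, fastcgi_cache_key …
    fastcgi_cache_bypass $skip_cache;
    fastcgi_no_cache $skip_cache;
# … unchanged: fastcgi_cache_valid, fastcgi_ignore_headers, fastcgi_pass, fastcgi_read_timeout, include fastcgi_params …
```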


@@ -0,0 +1 @@
MODE=netclient


@@ -0,0 +1,4 @@
- name: restart nut-client
service:
name: nut-client
state: restarted


@@ -0,0 +1,19 @@
- name: install nut client
package:
name: nut-client
state: present
- name: upsmon.conf file
template:
src: upsmon.conf.j2
dest: /etc/nut/upsmon.conf
mode: '0640'
notify: restart nut-client
- name: nut.conf file
copy:
src: files/nut.conf
dest: /etc/nut/nut.conf
mode: '0640'
when: inventory_hostname not in groups['nut_server']
notify: restart nut-client


@@ -0,0 +1,15 @@
MONITOR eaton3s@{{ hostvars[groups['nut_server'][0]]['ansible_default_ipv4']['address'] }}:3493 1 {% if inventory_hostname in groups['nut_server'] %}monuser {{ nut_pass }} master{% else %}slaveuser {{ nut_pass }} slave{% endif %}
MINSUPPLIES 1
SHUTDOWNCMD "/sbin/shutdown -h +0"
POLLFREQ 5
POLLFREQALERT 5
HOSTSYNC 15
DEADTIME 15
POWERDOWNFLAG /etc/killpower
NOTIFYFLAG ONBATT SYSLOG+WALL
NOTIFYFLAG ONLINE SYSLOG+WALL
RBWARNTIME 43200
NOCOMMWARNTIME 300
FINALDELAY 5
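Review bot: The `MONITOR` line resolves the server address through `hostvars[groups['nut_server'][0]]['ansible_default_ipv4']['address']`, which only exists if facts were gathered for that host in the same run (or are cached), so running the client role against a client host alone fails with an undefined-variable error instead of rendering. Pinning the address in a group variable (e.g. `nut_server_addr`) makes the template self-contained and also stops the clients from depending on whichever interface `ansible_default_ipv4` happened to pick on the server. The inline `{% if %}…{% endif %}` on a single `MONITOR` directive is hard to read; a comment above it, `# hosts in nut_server monitor as master, everyone else as slave`, would explain the two credentials at a glance.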


@@ -0,0 +1,2 @@
ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="0463", ATTR{idProduct}=="ffff", MODE="0660", GROUP="nut"


@@ -0,0 +1 @@
MODE=standalone


@@ -0,0 +1,5 @@
maxretry = 3
[eaton3s]
driver=usbhid-ups
port=auto
default.battery.charge.low=10


@@ -0,0 +1 @@
LISTEN * 3493
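Review bot: `LISTEN * 3493` binds upsd to every interface, IPv4 and IPv6, so with the password-only authentication in `upsd.users` the UPS daemon is reachable from anywhere the host is, not only from the clients that need it. NUT accepts one `LISTEN` per address, so restrict it to the address the clients actually connect to (`LISTEN <server address> 3493`, with the value coming from the same inventory variable the client template uses), or add a comment stating that the firewall role is what limits port 3493.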


@@ -0,0 +1,12 @@
- name: restart nut-server
service:
name: nut-server
state: restarted
- name: udev
command: "udevadm control --reload-rules && udevadm trigger"
- name: restart nut-driver
service:
name: nut-driver
state: restarted
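Review bot: The `udev` handler runs `udevadm control --reload-rules && udevadm trigger` through the `command` module, which does not go through a shell, so `&&`, `udevadm` and `trigger` are passed as literal arguments to `udevadm control` and the handler fails (or at best never triggers). Either use `shell:` for that line or, better, split it into two handlers: `command: udevadm control --reload-rules` followed by `command: udevadm trigger --subsystem-match=usb`. Handlers run in the order they are defined here, so `udev` does precede `restart nut-driver` as intended; a comment saying the order matters would keep it that way.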


@@ -0,0 +1,40 @@
- name: install nut server
package:
name: nut-server
state: present
- name: udev conf file for nut
copy:
src: files/90-nut-ups.rules
dest: /etc/udev/rules.d/90-nut-ups.rules
notify:
- udev
- restart nut-driver
- name: nut.conf file
copy:
src: files/nut.conf
dest: /etc/nut/nut.conf
mode: '0640'
notify: restart nut-server
- name: ups.conf file
copy:
src: files/ups.conf
dest: /etc/nut/ups.conf
mode: '0640'
notify: restart nut-server
- name: upsd.conf file
copy:
src: files/upsd.conf
dest: /etc/nut/upsd.conf
mode: '0640'
notify: restart nut-server
- name: upsd.users file
template:
src: upsd.users.j2
dest: /etc/nut/upsd.users
mode: '0640'
notify: restart nut-server
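Review bot: `nut.conf`, `ups.conf`, `upsd.conf` and `upsd.users` are written with `mode: '0640'` but no `owner`/`group`, and on Debian upsd and the driver run as the `nut` user, so they appear to stay readable only because the package-installed files are `root:nut` and Ansible keeps the existing ownership when rewriting them; on a freshly created file, or if a package upgrade ever replaces them, the daemon would be unable to read its own configuration. Add `owner: root` and `group: nut` to each of those tasks so the intent is explicit. `upsd.users` carries the password and is the one where `0640` with the right group matters most.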


@@ -0,0 +1,7 @@
[monuser]
password={{ nut_pass }}
upsmon master
[slaveuser]
password={{ nut_pass }}
upsmon slave
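Review bot: `[monuser]` and `[slaveuser]` share the same `{{ nut_pass }}`, so every client host that is given the slave credential for its `upsmon.conf` also holds the master credential and can issue the forced-shutdown command to the server; the master/slave split in `upsd.users` exists precisely so that clients cannot do that. Give the slave role its own variable, `password={{ nut_slave_pass }}`, and use the matching value in the client template. upsd cannot tie a user to a source host, so the `LISTEN` address and the firewall are the other half of keeping the master credential local.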


@@ -0,0 +1 @@
php_modules: "['opcache', 'mysql', 'mbstring', 'gd']"
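Review bot: `php_modules: "['opcache', 'mysql', 'mbstring', 'gd']"` is a string containing a Python-style list literal rather than a YAML list; it only works because Ansible's templating converts string results that look like lists back into lists, which is fragile (it breaks under `jinja2_native` and in `when:` comparisons against a real list). Write it as a real YAML list — `php_modules:` followed by `- opcache`, `- mysql`, `- mbstring`, `- gd` — so every consumer sees a list without relying on that conversion.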

1944
roles/php/files/php.ini Normal file


430
roles/php/files/www.conf Normal file

@@ -0,0 +1,430 @@
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[www]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = www-data
group = www-data
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php/php7.3-fpm.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = www-data
listen.group = www-data
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
; or group is differrent than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 100
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 10
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 10
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 30
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/7.3/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Decorate worker output with prefix and suffix containing information about
; the child that writes to the log and if stdout or stderr is used as well as
; log level and time. This options is used only if catch_workers_output is yes.
; Settings to "no" will output data as written to the stdout or stderr.
; Default value: yes
;decorate_workers_output = no
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M
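Review bot: `listen = /run/php/php7.3-fpm.sock` near the top of the pool hard-codes the PHP version, while the restart handler in this commit uses `php{{ php_version }}-fpm`, so bumping `php_version` restarts a service whose socket path no longer matches this file. If www.conf is deployed with `copy` (the task is not in this chunk), consider turning it into a template with `listen = /run/php/php{{ php_version }}-fpm.sock`; the `/usr/share/php/7.3/fpm/status.html` mention is only a comment and can stay. The `pm.max_children = 100`, `pm.start_servers = 10`, `pm.min_spare_servers = 10` and `pm.max_spare_servers = 30` values are the only departures from the Debian defaults and deserve a comment recording the memory budget they were sized for.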


@@ -0,0 +1,4 @@
- name: restart php-fpm
service:
name: "php{{ php_version }}-fpm"
state: restarted
