commit dded46ff64f56b13e9eba08845c4155669fd7f1f Author: VC Date: Wed Sep 4 09:06:55 2019 +0200 First commit diff --git a/bittorrent.yml b/bittorrent.yml new file mode 100644 index 0000000..cafd17a --- /dev/null +++ b/bittorrent.yml @@ -0,0 +1,3 @@ +- hosts: transmission + roles: + - bittorrent diff --git a/borgbackup.yml b/borgbackup.yml new file mode 100644 index 0000000..4ae3c4c --- /dev/null +++ b/borgbackup.yml @@ -0,0 +1,9 @@ +- hosts: borgbackup + roles: + - borgbackup +- hosts: borg_client + roles: + - borg-client +- hosts: borg_server + roles: + - borg-server diff --git a/docker.yml b/docker.yml new file mode 100644 index 0000000..f320eb2 --- /dev/null +++ b/docker.yml @@ -0,0 +1,3 @@ +- hosts: dockerservers + roles: + - docker diff --git a/firewall.yml b/firewall.yml new file mode 100644 index 0000000..82ee02d --- /dev/null +++ b/firewall.yml @@ -0,0 +1,3 @@ +- hosts: router + roles: + - firewall diff --git a/hypervisors/prerequisites.yml b/hypervisors/prerequisites.yml new file mode 100644 index 0000000..1a81552 --- /dev/null +++ b/hypervisors/prerequisites.yml @@ -0,0 +1,3 @@ +- hosts: hypervisors + roles: + - prerequisites diff --git a/hypervisors/proxmox6_installation.yml b/hypervisors/proxmox6_installation.yml new file mode 100644 index 0000000..692ff1e --- /dev/null +++ b/hypervisors/proxmox6_installation.yml @@ -0,0 +1,3 @@ +- hosts: hypervisors + roles: + - proxmox6_installation diff --git a/hypervisors/proxmox6_prerequisite.yml b/hypervisors/proxmox6_prerequisite.yml new file mode 100644 index 0000000..2d1874f --- /dev/null +++ b/hypervisors/proxmox6_prerequisite.yml @@ -0,0 +1,3 @@ +- hosts: hypervisors + roles: + - proxmox6_prerequisite diff --git a/hypervisors/roles/prerequisites/tasks/main.yml b/hypervisors/roles/prerequisites/tasks/main.yml new file mode 100644 index 0000000..534441c --- /dev/null +++ b/hypervisors/roles/prerequisites/tasks/main.yml 
@@ -0,0 +1,16 @@
+- name: "Check if the distribution is Debian"
+ assert:
+ msg: "Proxmox VE 6 can only be installed properly on Debian Buster. You distribution: {{ ansible_os_family }}"
+ that:
+ - ansible_os_family == 'Debian'
+
+- name: "Check if the version is Buster"
+ assert:
+ msg: "Proxmox VE 6 can only be installed properly on Debian Buster. Your version: {{ ansible_distribution_release }}"
+ that:
+ - ansible_distribution_release == 'buster'
+
+- name: "Install Aptitude"
+ apt:
+ name: aptitude
+ state: present
diff --git a/hypervisors/roles/proxmox6_installation/files/nested_docker.conf b/hypervisors/roles/proxmox6_installation/files/nested_docker.conf
new file mode 100644
index 0000000..9668906
--- /dev/null
+++ b/hypervisors/roles/proxmox6_installation/files/nested_docker.conf
@@ -0,0 +1,2 @@
+overlay
+aufs
diff --git a/hypervisors/roles/proxmox6_installation/tasks/main.yml b/hypervisors/roles/proxmox6_installation/tasks/main.yml
new file mode 100644
index 0000000..9bd3d42
--- /dev/null
+++ b/hypervisors/roles/proxmox6_installation/tasks/main.yml
@@ -0,0 +1,34 @@
+- name: "Add Proxmox VE 6 recommended packages"
+ apt:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - proxmox-ve
+ - postfix
+ - open-iscsi
+ - zfsutils-linux
+
+- name: "Remove Proxmox VE 6 recommended packages"
+ apt:
+ name: "{{ item }}"
+ state: absent
+ loop:
+ - os-prober
+
+- name: add missing modules for docker
+ modprobe:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - overlay
+ - aufs
+
+- name: add missing modules to boot
+ copy:
+ src: ./files/nested_docker.conf
+ dest: /etc/modules-load.d/nested_docker.conf
+
+- name: "Reboot after first Install"
+ shell: "/sbin/shutdown -r -t 1 > /root/first_install_ok"
+ args:
+ creates: /root/first_install_ok
diff --git a/hypervisors/roles/proxmox6_prerequisite/tasks/main.yml b/hypervisors/roles/proxmox6_prerequisite/tasks/main.yml
new file mode 100644
index 0000000..f129a45
--- /dev/null
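Review bot: The reboot task's `creates` marker is created by the shell redirection before `shutdown` runs at all, so a `shutdown` that fails still leaves `/root/first_install_ok` behind and the task is never retried, while the rest of the play keeps executing on a host that is about to go down. The `reboot` module needs no marker and waits for the host to come back; replacing the task with `reboot:` and a `reboot_timeout: <SECONDS>` (placeholder) is the straightforward fix. Two smaller points in the same hunk: `src: ./files/nested_docker.conf` only resolves through the role-directory fallback of the file search path, and the conventional form is `src: nested_docker.conf`; and if the running kernel ships no `aufs` module the `modprobe` loop aborts the role, which may be fine but deserves a comment (hedged — kernel contents are not visible here).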
+++ b/hypervisors/roles/proxmox6_prerequisite/tasks/main.yml
@@ -0,0 +1,15 @@
+- name: "Add hosts Proxmox style"
+ template:
+ src: hosts.j2
+ dest: /etc/hosts
+- name: "Add Proxmox VE 6 GPG key"
+ apt_key:
+ url: http://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg
+ state: present
+- name: "Add Proxmox VE 6 Repo"
+ apt_repository:
+ repo: "deb http://download.proxmox.com/debian/pve buster pve-no-subscription"
+ state: present
+- name: "Apt upgrade"
+ apt:
+ upgrade: dist
diff --git a/hypervisors/roles/proxmox6_prerequisite/templates/hosts.j2 b/hypervisors/roles/proxmox6_prerequisite/templates/hosts.j2
new file mode 100644
index 0000000..53603ef
--- /dev/null
+++ b/hypervisors/roles/proxmox6_prerequisite/templates/hosts.j2
@@ -0,0 +1,11 @@
+# Default hosts
+127.0.0.1 localhost.localdomain localhost
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+
+# Proxmox specific
+{% for host in groups['hypervisors'] %}
+{{ hostvars[host]['ansible_default_ipv4']['address'] }} {{ host }} {{ hostvars[host]['ansible_hostname'] }}
+{{ hostvars[host]['ansible_default_ipv6']['address'] }} {{ host }} {{ hostvars[host]['ansible_hostname'] }}
+{% endfor %}
diff --git a/loadbalancinghttp.yml b/loadbalancinghttp.yml
new file mode 100644
index 0000000..6c95cde
--- /dev/null
+++ b/loadbalancinghttp.yml
@@ -0,0 +1,3 @@
+- hosts: loadbalancers
+ roles:
+ - haproxy
diff --git a/mariadb.yml b/mariadb.yml
new file mode 100644
index 0000000..797f82c
--- /dev/null
+++ b/mariadb.yml
@@ -0,0 +1,3 @@
+- hosts: mariadbservers
+ roles:
+ - mariadb
diff --git a/nut.yml b/nut.yml
new file mode 100644
index 0000000..36d9e3d
--- /dev/null
+++ b/nut.yml
@@ -0,0 +1,6 @@
+- hosts: nut_client
+ roles:
+ - nut-client
+- hosts: nut_server
+ roles:
+ - nut-server
diff --git a/pgsql.yml b/pgsql.yml
new file mode 100644
index 0000000..6b8e843
--- /dev/null
+++ b/pgsql.yml
@@ -0,0 +1,3 @@
+- hosts: pgsqlservers
+ roles:
+ - postgres
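Review bot: The Proxmox signing key is fetched over plain `http://` and the `apt_key` task carries no `id:`, so nothing verifies which key ends up in the trusted keyring, and that key then authenticates every package the following `apt` tasks install. Use `url: https://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg` and pin `id: "<PROXMOX_VE_6_KEY_FINGERPRINT>"` (placeholder — take the value from Proxmox's published documentation), and move the `apt_repository` URL to `https://` as well. `upgrade: dist` right after adding the repository will also replace the kernel and other core packages unattended; if that is intended, say so in the task `name:`.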
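Review bot: `hostvars[host]['ansible_default_ipv6']['address']` is an undefined-variable error for any hypervisor without a default IPv6 route, which aborts the template and leaves `/etc/hosts` unchanged on every host in the play. Guard the IPv6 line with `{% if hostvars[host]['ansible_default_ipv6']['address'] is defined %}` … `{% endif %}`. The loop also only sees facts for hypervisors gathered in the same run, so a partial run (`--limit`) renders a partial hosts file unless fact caching is enabled — worth a comment at the top of the template.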
diff --git a/php.yml b/php.yml new file mode 100644 index 0000000..c176bef --- /dev/null +++ b/php.yml @@ -0,0 +1,3 @@ +- hosts: phpservers + roles: + - php diff --git a/production/group_vars/nut.yml b/production/group_vars/nut.yml new file mode 100644 index 0000000..76b35b7 --- /dev/null +++ b/production/group_vars/nut.yml @@ -0,0 +1,8 @@ +nut_pass: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 64313965633338626466633664393139313833623763363964666633666335393331643239343933 + 6463336166376161306539353335366630613363623734380a353935656234313032393862323063 + 65376235613531306163313730363262313061346338353635626335333961646330316562343038 + 6238386332613761610a393739366561646336343030336363613365623336383735353838623266 + 3862 + diff --git a/production/group_vars/phpservers.yml b/production/group_vars/phpservers.yml new file mode 100644 index 0000000..1b3f52b --- /dev/null +++ b/production/group_vars/phpservers.yml @@ -0,0 +1 @@ +php_version: "{% if ansible_facts['os_family'] == 'Debian' and ansible_facts['distribution_major_version'] == '9' %}7.0{% elif ansible_facts['os_family'] == 'Debian' and ansible_facts['distribution_major_version'] == '10' %}7.3{% endif %}" diff --git a/production/host_vars/bt.dmz.mateu.be.yml b/production/host_vars/bt.dmz.mateu.be.yml new file mode 100644 index 0000000..5f86dd8 --- /dev/null +++ b/production/host_vars/bt.dmz.mateu.be.yml 
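Review bot: The `php_version` expression has no `{% else %}` branch, so on any release other than Debian 9 or 10 it renders as an empty string and whatever derives package names from it fails later with a confusing error instead of at the point of definition. Add a terminal branch that fails fast, e.g. `{% else %}{{ undef('unsupported Debian release for php_version') }}{% endif %}` if the Ansible version in use supports `undef`, or otherwise an `assert` on `php_version | length > 0` at the start of the php role.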
@@ -0,0 +1,31 @@ +sub_login: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 62323733666661326134366639353164613864383832613735366530343764663164616364363865 + 3039313232613362323162313733366637343164336464650a303935313836393433326437363565 + 66623139353638616535646365336339646266356437623633383839323162623266386532313337 + 3434323032323933640a313339376535386361616261343530666237353061386533356636613661 + 6532 +sub_pass: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 36306330313565303162303662626361356536313630396635346437353231666562303533636339 + 3336323233383639376330383439623135633735623537630a623233306362666537373866643836 + 36383637613033666666313239353536383236343566333539643730393631633161303365303233 + 6230383465336132370a626162353839336139336232656631666539653131623766353030356465 + 3762 +transmission_user: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 62636132623037373065646530633937316131303534653734373635313564623430316662383934 + 3333643265343962653862346432353063323666633964640a393537376666656237333132326539 + 32343832386139633235363737353163623838643463333131666336396235346464396233643431 + 6663383134396266310a373564303863326239613062613561636530363866646264363637316263 + 6362 +transmission_pass: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 35306537653235346630633431353833623638393737333034326263643239306539383564616534 + 3563356664356661303435393138386666363537393863610a653837303238616330343462303166 + 30656364383861353163613335313239643836626334633934626263656561656137373566363861 + 6133323664393234640a623930386631376235333032616266643833613661323635643333633035 + 33323264343234643965663135306536626539373132356464326133386538653637306237623832 + 65373035613934383166313436383866623430343130633539313936346662663531353662646165 + 613864373639386632313564626666346338 + diff --git a/production/host_vars/web1.dmz.mateu.be.yml b/production/host_vars/web1.dmz.mateu.be.yml new file mode 100644 index 0000000..4c407ff --- /dev/null +++ b/production/host_vars/web1.dmz.mateu.be.yml 
@@ -0,0 +1,8 @@ +mariadb_root_pass: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 66643966366639636466333561363734623563323936613063623133323466393630393135636238 + 3663396465366630333630353563653166623461623935390a613362376538333239343532386231 + 61363465343165366430323033373730356636356462623332616364323265613934383664393461 + 6266393162633761340a613835393138353438656136643132353966646536316563646439336534 + 3064 + diff --git a/production/host_vars/web2.dmz.mateu.be.yml b/production/host_vars/web2.dmz.mateu.be.yml new file mode 100644 index 0000000..edc6539 --- /dev/null +++ b/production/host_vars/web2.dmz.mateu.be.yml @@ -0,0 +1,8 @@ +mariadb_root_pass: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 31613236623530306638633935303936393634313565333932373831626161316438626439303165 + 3135326262613532356330373166353439373738336337320a383561613432313763616563366537 + 39396636346563346135313431373630643536363838333964353636373437653166633761363664 + 3437653064323138310a663363373736623931336432376466316666616234356133383263373136 + 31343534663063663134306464306234366430323762656165653930333134326231 + diff --git a/production/hosts b/production/hosts new file mode 100644 index 0000000..30d99a7 --- /dev/null +++ b/production/hosts 
@@ -0,0 +1,71 @@ +[all:vars] +ansible_python_interpreter=/usr/bin/python3 + +[router] +machinbox.mateu.be + +[hypervisors] +claude.dmz.mateu.be +dimitri.dmz.mateu.be +edelgard.dmz.mateu.be + +[borgbackup:children] +borg_server +borg_client + +[borg_server] +edelgard.dmz.mateu.be + +[borg_client] +n0box2.mateu.be +baybay-ponay.mateu.be borg_backup_path="['/home', '/etc']" borg_backup_excluded_path="['/home/.snapshots']" borg_backup_hour=19 borg_backup_minute=30 +bt.dmz.mateu.be borg_backup_path="['/etc', '/var/lib/transmission-daemon']" +web1.dmz.mateu.be +web2.dmz.mateu.be +mail.dmz.mateu.be +jabber.dmz.mateu.be borg_backup_path="['/etc', '/var/lib/prosody']" +ror.dmz.mateu.be + +[nut:children] +nut_server +nut_client + +[nut_server] +edelgard.dmz.mateu.be + +[nut_client] +n0box2.mateu.be +claude.dmz.mateu.be +dimitri.dmz.mateu.be +edelgard.dmz.mateu.be + +[webservers] +bt.dmz.mateu.be web_hostname="['sonarr.mateu.be','bt.mateu.be','btf.mateu.be']" +web1.dmz.mateu.be web_hostname="['fav.libertus.eu', 'rss.libertus.eu', 'o.libertus.eu', 'blog.libertus.eu', 'mail.libertus.eu', 'perso.nintendojo.fr', 'perso.libertus.eu', 'r.mateu.be','coince.mateu.be']" +web2.dmz.mateu.be web_hostname="['analyse.nintendojo.fr', 'nintendojo.fr', 'www.nintendojo.fr', 'forum.nintendojo.fr', 'intendo.fr', 'www.intendo.fr']" +ror.dmz.mateu.be web_hostname="['m.nintendojo.fr']" +#mail.dmz.mateu.be + +[phpservers] +web1.dmz.mateu.be php_modules="['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'curl', 'gettext', 'imap', 'zip', 'apcu']" +web2.dmz.mateu.be php_modules="['opcache', 'mysql', 'mbstring', 'gd', 'xml', 'bcmath', 'curl', 'imagick']" + +[dockerservers] +ror.dmz.mateu.be + +[mariadbservers] +web1.dmz.mateu.be +web2.dmz.mateu.be + +[pgsqlservers] +ror.dmz.mateu.be + +[mailservers] +mail.dmz.mateu.be + +[loadbalancers] +haproxy.dmz.mateu.be + +[transmission] +bt.dmz.mateu.be + diff --git a/proxmox.yml b/proxmox.yml new file mode 100644 index 0000000..781b1b5 --- /dev/null 
+++ b/proxmox.yml
@@ -0,0 +1,3 @@
+- import_playbook: hypervisors/prerequisites.yml
+- import_playbook: hypervisors/proxmox6_prerequisite.yml
+- import_playbook: hypervisors/proxmox6_installation.yml
diff --git a/roles/bittorrent/files/CACHEDIR.TAG b/roles/bittorrent/files/CACHEDIR.TAG
new file mode 100644
index 0000000..16ed6b4
--- /dev/null
+++ b/roles/bittorrent/files/CACHEDIR.TAG
@@ -0,0 +1 @@
+Signature: 8a477f597d28d172789f06886806bc55
diff --git a/roles/bittorrent/files/sonarr.service b/roles/bittorrent/files/sonarr.service
new file mode 100644
index 0000000..b0a4522
--- /dev/null
+++ b/roles/bittorrent/files/sonarr.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Sonarr Service
+After=network.target
+
+[Service]
+User=debian-transmission
+Group=debian-transmission
+ExecStart=/usr/bin/mono /opt/NzbDrone/NzbDrone.exe -nobrowser
+Type=simple
+TimeoutStopSec=20
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/bittorrent/handlers/main.yml b/roles/bittorrent/handlers/main.yml
new file mode 100644
index 0000000..5ddd356
--- /dev/null
+++ b/roles/bittorrent/handlers/main.yml
@@ -0,0 +1,12 @@
+- name: reload transmission
+ service:
+ name: transmission-daemon
+ state: reloaded
+
+- name: restart sonarr
+ service:
+ name: sonarr
+ state: restarted
+
+- name: export nfs
+ command: exportfs -a
diff --git a/roles/bittorrent/tasks/configdir.yml b/roles/bittorrent/tasks/configdir.yml
new file mode 100644
index 0000000..5fc3dc4
--- /dev/null
+++ b/roles/bittorrent/tasks/configdir.yml
@@ -0,0 +1,14 @@
+- name: create Series folder
+ file:
+ path: /var/lib/transmission-daemon/downloads/Series
+ recurse: True
+ owner: debian-transmission
+ group: debian-transmission
+
+- name: create Movies folder
+ file:
+ path: /var/lib/transmission-daemon/downloads/Movies
+ recurse: True
+ owner: debian-transmission
+ group: debian-transmission
+
diff --git a/roles/bittorrent/tasks/main.yml b/roles/bittorrent/tasks/main.yml
new file mode 100644
index 0000000..e5c5701
--- /dev/null
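Review bot: The unit drops to `debian-transmission` but applies none of systemd's sandboxing, so the process behind the Sonarr web UI keeps write access to everything that account can reach and can still escalate through setuid binaries. Adding `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` under `[Service]` is cheap for a mono application whose writable state, per sonarr.yml, lives under `/var/lib/transmission-daemon/.config/NzbDrone` and the download tree (hedged — confirm Sonarr needs nothing under `/etc` or `/usr` writable before enabling `ProtectSystem`). A `Restart=on-failure` line would also be in keeping with a daemon that is restarted by a handler rather than watched by anything.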
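Review bot: Both `file` tasks set `recurse: True` without `state: directory`; the `file` module refuses `recurse` unless the state is `directory`, so the role fails here before either folder is created (the `create sonarr conf dir` task in roles/bittorrent/tasks/sonarr.yml has the same combination). Add `state: directory` to each task. With `recurse` the ownership is also re-applied to every existing file under `downloads/Series` and `downloads/Movies` on each run, which is probably intended but deserves a comment since it can touch a large tree.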
+++ b/roles/bittorrent/tasks/main.yml
@@ -0,0 +1,5 @@
+- include_tasks: transmission.yml
+- include_tasks: sonarr.yml
+- include_tasks: subliminal.yml
+- include_tasks: configdir.yml
+- include_tasks: nfsserver.yml
diff --git a/roles/bittorrent/tasks/nfsserver.yml b/roles/bittorrent/tasks/nfsserver.yml
new file mode 100644
index 0000000..aab8e75
--- /dev/null
+++ b/roles/bittorrent/tasks/nfsserver.yml
@@ -0,0 +1,15 @@
+- getent:
+ database: passwd
+ key: debian-transmission
+
+- name: install nfs server
+ package:
+ name: nfs-kernel-server
+ state: present
+
+- name: copy exports file
+ template:
+ src: exports.j2
+ dest: /etc/exports
+ notify:
+ - export nfs
diff --git a/roles/bittorrent/tasks/sonarr.yml b/roles/bittorrent/tasks/sonarr.yml
new file mode 100644
index 0000000..db571d8
--- /dev/null
+++ b/roles/bittorrent/tasks/sonarr.yml
@@ -0,0 +1,34 @@
+- name: install sonarr repokey
+ apt_key:
+ keyserver: keyserver.ubuntu.com
+ id: "0xa236c58f409091a18aca53cbebff6b99d9b78493"
+
+- name: install sonarr repo
+ apt_repository:
+ repo: deb http://apt.sonarr.tv/ master main
+ state: present
+
+- name: create sonarr conf dir
+ file:
+ path: /var/lib/transmission-daemon/.config/NzbDrone
+ recurse: True
+ owner: debian-transmission
+ group: debian-transmission
+ mode: "a-rwx,u+rwX,g+rX"
+
+- name: install sonarr
+ package:
+ name: nzbdrone
+ state: present
+
+- name: copy systemd file
+ copy:
+ src: files/sonarr.service
+ dest: /etc/systemd/system/sonarr.service
+ notify:
+ - restart sonarr
+
+- name: enable sonarr service
+ service:
+ name: sonarr
+ enabled: True
diff --git a/roles/bittorrent/tasks/subliminal.yml b/roles/bittorrent/tasks/subliminal.yml
new file mode 100644
index 0000000..fe888b8
--- /dev/null
+++ b/roles/bittorrent/tasks/subliminal.yml
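Review bot: The `copy systemd file` task installs the unit with no `owner:`/`mode:`, so the permissions of `/etc/systemd/system/sonarr.service` depend on the remote umask rather than being pinned; add `owner: root`, `group: root` and `mode: '0644'` as the transmission tasks in this role do. `src: files/sonarr.service` also resolves only through the role-directory fallback of the search path — the conventional `src: sonarr.service` is found in the role's `files/` first (transmission.yml carries the same `files/` prefix). Since the unit is brand new on first run, enabling it through the `systemd` module with `daemon_reload: true` instead of `service` avoids relying on systemd noticing the file on its own (hedged — recent systemd usually does).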
@@ -0,0 +1,17 @@
+- name: install pip3
+ package:
+ name: python3-pip
+ state: present
+
+- name: install subliminal
+ pip:
+ name: subliminal
+ state: present
+
+- name: install subliminal crontab
+ cron:
+ name: "Sub DL"
+ user: "debian-transmission"
+ minute: "15"
+ hour: "20"
+ job: "/usr/local/bin/subliminal download /var/lib/transmission-daemon/downloads/Series/ --language fr &> /dev/null"
diff --git a/roles/bittorrent/tasks/transmission.yml b/roles/bittorrent/tasks/transmission.yml
new file mode 100644
index 0000000..4d57d3a
--- /dev/null
+++ b/roles/bittorrent/tasks/transmission.yml
@@ -0,0 +1,26 @@
+- name: install transmission
+ package:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - transmission-daemon
+ - transmission-cli
+
+- name: transmission config file
+ template:
+ src: settings.json.j2
+ dest: /etc/transmission-daemon/settings.json
+ owner: debian-transmission
+ group: debian-transmission
+ mode: "a-rwx,u+rw"
+ notify:
+ - reload transmission
+
+- name: Add cachedir file
+ copy:
+ src: files/CACHEDIR.TAG
+ dest: /var/lib/transmission-daemon/downloads/CACHEDIR.TAG
+ owner: debian-transmission
+ group: debian-transmission
+ mode: '0755'
+
diff --git a/roles/bittorrent/templates/exports.j2 b/roles/bittorrent/templates/exports.j2
new file mode 100644
index 0000000..c834d53
--- /dev/null
+++ b/roles/bittorrent/templates/exports.j2
@@ -0,0 +1 @@
+/var/lib/transmission-daemon/downloads 10.233.212.64/26(ro,async,no_subtree_check,all_squash,anonuid={{ getent_passwd['debian-transmission'][1] }},anongid={{ getent_passwd['debian-transmission'][2] }})
diff --git a/roles/bittorrent/templates/settings.json.j2 b/roles/bittorrent/templates/settings.json.j2
new file mode 100644
index 0000000..1f7ac37
--- /dev/null
+++ b/roles/bittorrent/templates/settings.json.j2
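Review bot: The cron `job` ends in `&> /dev/null`, a bash-only redirection; cron runs jobs under `/bin/sh` (dash on Debian), where it parses as `… &` followed by an empty `> /dev/null` command, so subliminal is backgrounded with its output not redirected and every run's output is mailed to `debian-transmission`. Write `> /dev/null 2>&1` instead. `pip: name: subliminal` also installs an unpinned package from PyPI as root into `/usr/local`, so two hosts provisioned a month apart get different code; pin it (`name: subliminal==<VERSION>`, placeholder) and let upgrades be deliberate.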
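Review bot: `mode: '0755'` on `CACHEDIR.TAG` makes a plain marker file executable for everyone; `mode: '0644'` is enough for the only consumer visible in this commit (`borg create --exclude-caches` in borg-client's script just reads it). The settings task rightly restricts `settings.json` to the owner since it carries the RPC credentials; `mode: '0600'` expresses the same thing in the numeric form used elsewhere in the role. A short comment on that task saying the file holds `rpc-password` would stop a later edit from loosening it.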
@@ -0,0 +1,83 @@ +{ + "alt-speed-down": 2000, + "alt-speed-enabled": false, + "alt-speed-time-begin": 450, + "alt-speed-time-day": 127, + "alt-speed-time-enabled": false, + "alt-speed-time-end": 1350, + "alt-speed-up": 2000, + "bind-address-ipv4": "0.0.0.0", + "bind-address-ipv6": "::", + "blocklist-enabled": true, + "blocklist-url": "http://list.iblocklist.com/?list=bt_level1&fileformat=p2p&archiveformat=gz", + "cache-size-mb": 8, + "dht-enabled": true, + "download-dir": "/var/lib/transmission-daemon/downloads/", + "download-limit": 100, + "download-limit-enabled": 0, + "download-queue-enabled": false, + "download-queue-size": 5, + "encryption": 0, + "idle-seeding-limit": 14400, + "idle-seeding-limit-enabled": true, + "incomplete-dir": "/root/Downloads", + "incomplete-dir-enabled": false, + "lazy-bitfield-enabled": true, + "lpd-enabled": true, + "max-peers-global": 200, + "max-peers-per-torrent": 200, + "message-level": 1, + "open-file-limit": 32, + "peer-congestion-algorithm": "", + "peer-id-ttl-hours": 6, + "peer-limit-global": 1000, + "peer-limit-per-torrent": 200, + "peer-port": 10010, + "peer-port-random-high": 65535, + "peer-port-random-low": 49152, + "peer-port-random-on-start": false, + "peer-socket-tos": "default", + "pex-enabled": true, + "port-forwarding-enabled": false, + "preallocation": 1, + "prefetch-enabled": true, + "proxy": "", + "proxy-auth-enabled": false, + "proxy-auth-password": "", + "proxy-auth-username": "", + "proxy-enabled": false, + "proxy-port": 80, + "proxy-type": 0, + "queue-stalled-enabled": false, + "queue-stalled-minutes": 30, + "ratio-limit": 5, + "ratio-limit-enabled": true, + "rename-partial-files": true, + "rpc-authentication-required": true, + "rpc-bind-address": "0.0.0.0", + "rpc-enabled": true, + "rpc-host-whitelist": "", + "rpc-host-whitelist-enabled": true, + "rpc-password": "{{ transmission_pass }}", + "rpc-port": 9091, + "rpc-url": "/transmission/", + "rpc-username": "{{ transmission_user }}", + "rpc-whitelist": 
"127.0.0.1", + "rpc-whitelist-enabled": true, + "scrape-paused-torrents-enabled": true, + "script-torrent-done-enabled": false, + "script-torrent-done-filename": "", + "seed-queue-enabled": false, + "seed-queue-size": 4, + "speed-limit-down": 4000, + "speed-limit-down-enabled": false, + "speed-limit-up": 4000, + "speed-limit-up-enabled": false, + "start-added-torrents": true, + "trash-original-torrent-files": false, + "umask": 18, + "upload-limit": 100, + "upload-limit-enabled": 0, + "upload-slots-per-torrent": 20, + "utp-enabled": true +} diff --git a/roles/borg-client/defaults/main.yml b/roles/borg-client/defaults/main.yml new file mode 100644 index 0000000..7ed694e --- /dev/null +++ b/roles/borg-client/defaults/main.yml @@ -0,0 +1,11 @@ +borg_pass: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 62333166623737363731663766353330633335306532306366356536376232396664376430613434 + 3966376539303238376461386262663066376338386537660a376365643761653463393539316232 + 30653130383761653432306136333733653062356635643662616133366663646132383136313530 + 3866343664393330610a623930316330626166343934623230313232626131386132393866373661 + 6336 +borg_backup_path: ["/srv", "/home", "/etc"] +borg_backup_excluded_path: ["/srv/NOBACKUP"] +borg_backup_hour: 6 +borg_backup_minute: 0 diff --git a/roles/borg-client/tasks/main.yml b/roles/borg-client/tasks/main.yml new file mode 100644 index 0000000..55a3472 --- /dev/null +++ b/roles/borg-client/tasks/main.yml 
@@ -0,0 +1,26 @@
+- name: create SSH key
+ openssh_keypair:
+ path: ~/.ssh/id_rsa
+
+- name: get SSH pub key
+ command: cat ~/.ssh/id_rsa.pub
+ register: ssh_keys
+
+- name: put backup script
+ template:
+ src: borgbackup.sh.j2
+ dest: /usr/local/bin/borgbackup.sh
+ owner: root
+ group: root
+ mode: '0750'
+
+- name: cron the backup script
+ cron:
+ name: "borg backup script"
+ hour: "{{ borg_backup_hour }}"
+ minute: "{{ borg_backup_minute }}"
+ job: /usr/local/bin/borgbackup.sh
+
+- name: warns about borg init
+ debug:
+ msg: "Borg has been installed. Don’t forget to init with: \nborg init --encryption=repokey-blake2 backup@{{ hostvars[groups['borg_server'][0]]['ansible_fqdn'] }}:home"
diff --git a/roles/borg-client/templates/borgbackup.sh.j2 b/roles/borg-client/templates/borgbackup.sh.j2
new file mode 100644
index 0000000..ae92c22
--- /dev/null
+++ b/roles/borg-client/templates/borgbackup.sh.j2
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+## Variable
+export BORG_PASSPHRASE="{{ borg_pass }}"
+
+## lancement de la sauvegarde
+borg create --exclude-caches {% for f in borg_backup_excluded_path %}-e {{ f }} {% endfor %} -s backup@{{ hostvars[groups['borg_server'][0]]['ansible_fqdn'] }}:home::{now:%Y-%m-%d} {% for f in borg_backup_path %}{{ f }} {% endfor %}
+
+
+## récupération de l'espace
+borg prune -d 7 -w 4 -m 3 backup@{{ hostvars[groups['borg_server'][0]]['ansible_fqdn'] }}:home
+
+{% if inventory_hostname == 'n0box2.mateu.be' %}
+## la sauvegarde mais chez Holaf
+borg create -s ssh://mortal@holaf.duckdns.org:22222/home/mortal/repos/n0box2.mateu.be/home::{now:%Y-%m-%d} /etc /home /srv
+
+## la sauvegarde mais chez Holaf
+borg prune -d 7 -w 4 -m 3 ssh://mortal@holaf.duckdns.org:22222/home/mortal/repos/n0box2.mateu.be/home
+
+{% endif %}
diff --git a/roles/borg-server/tasks/main.yml b/roles/borg-server/tasks/main.yml
new file mode 100644
index 0000000..dd4629e
--- /dev/null
+++ b/roles/borg-server/tasks/main.yml
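Review bot: `command: cat ~/.ssh/id_rsa.pub` reports changed on every run and re-reads what the preceding task already returns: `openssh_keypair` exposes `public_key`, so registering that task as `ssh_keys` and using `hostvars[item]['ssh_keys']['public_key']` on the server side removes the command, or at minimum add `changed_when: false`. `path: ~/.ssh/id_rsa` is relative to whichever user the play connects or becomes as, so the key borg-server authorizes depends on `become`; `path: /root/.ssh/id_rsa` pins it to the account the cron job runs under. The key size and type are the module defaults, which is fine, but a `comment:` naming the host makes the authorized_keys file on the server auditable.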
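Review bot: The entries from `borg_backup_path` and `borg_backup_excluded_path` are expanded unquoted into the `borg create` line, so any path with a space or glob character is split by `sh`; emit them as `-e "{{ f }}"` and `"{{ f }}"`. The script also has no `set -eu`, so the `prune` steps run whether or not the preceding `create` succeeded and cron only sees the exit status of the last command; if a failed backup should stop the script and be reported, start it with `set -eu` (hedged — that also skips the off-site `create` for n0box2 after a local failure, which may or may not be wanted). The exported `BORG_PASSPHRASE` is protected only by the script's `0750` root ownership, which is acceptable here but worth a one-line comment so nobody relaxes that mode.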
@@ -0,0 +1,34 @@
+- name: mount backup disk
+ mount:
+ path: /backup
+ src: LABEL=BACKUP
+ fstype: btrfs
+ opts: noatime
+ state: mounted
+
+- name: create backup user
+ user:
+ name: backup
+ comment: Backup
+ create_home: yes
+ home: /backup
+ shell: /bin/bash
+ system: yes
+ state: present
+
+- name: "create directory for borg clients"
+ file:
+ path: "/backup/repos/{{ hostvars[item]['ansible_fqdn'] }}"
+ state: directory
+ mode: '0750'
+ owner: backup
+ group: backup
+ loop: "{{ groups['borg_client'] }}"
+
+- name: "set authorized_keys for borg clients"
+ authorized_key:
+ user: backup
+ key: "{{ hostvars[item]['ssh_keys']['stdout'] }}"
+ key_options: "command=\"cd /backup/repos/{{ hostvars[item]['ansible_fqdn'] }}; borg serve --restrict-to-path /backup/repos/{{ hostvars[item]['ansible_fqdn'] }}\""
+ state: present
+ loop: "{{ groups['borg_client'] }}"
diff --git a/roles/borgbackup/tasks/main.yml b/roles/borgbackup/tasks/main.yml
new file mode 100644
index 0000000..50f8821
--- /dev/null
+++ b/roles/borgbackup/tasks/main.yml
@@ -0,0 +1,10 @@
+- set_fact:
+ borgbackup: borg
+ when: ansible_facts['distribution'] == "Archlinux"
+- set_fact:
+ borgbackup: borgbackup
+ when: ansible_facts['distribution'] == "Debian"
+- name: install borg package
+ package:
+ name: "{{ borgbackup }}"
+ state: present
diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
new file mode 100644
index 0000000..a28fc19
--- /dev/null
+++ b/roles/common/defaults/main.yml
@@ -0,0 +1 @@
+localtime: "Europe/Paris"
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
new file mode 100644
index 0000000..acc48d2
--- /dev/null
+++ b/roles/docker/tasks/main.yml
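Review bot: The forced `command=` in `key_options` limits what each client key can run but leaves the other SSH channels (port and agent forwarding, pty, X11) open on the `backup` account; append `restrict` so the key is good for `borg serve` only: `key_options: "command=\"…\",restrict"` (the older spelled-out `no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding` works on pre-7.2 sshd). Consider `--append-only` on `borg serve` too, because without it a client that is compromised or mis-scripted can delete its own archives on the server; the client-side `borg prune` in borgbackup.sh.j2 would then have to move to the server. `key:` reads `ssh_keys.stdout`, so this play only works when the borg_client play ran earlier in the same invocation (borgbackup.yml does order them that way) — a comment on the task saying so would save the next person a confusing undefined-variable error.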
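Review bot: `borgbackup` is only set for Archlinux and Debian, so on any other distribution the `package` task fails with an undefined-variable error rather than a message naming the supported systems. Either seed `borgbackup: borgbackup` in a `defaults/main.yml` for the role or add an `assert` with `that: borgbackup is defined` and a clear `msg:` before the install task. The two `set_fact` tasks also have no `name:`, which makes the play log hard to read; `name: select borg package name (Archlinux)` / `(Debian)` is enough.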
@@ -0,0 +1,26 @@
+- name: docker repo key
+ apt_key:
+ url: https://download.docker.com/linux/debian/gpg
+ state: present
+
+- name: docker repo install
+ apt_repository:
+ repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_facts['distribution_release'] }} stable"
+ state: present
+
+- name: install docker and docker-compose
+ package:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+ - docker-compose
+
+- name: docker directory
+ file:
+ path: /srv/docker
+ owner: root
+ group: root
+ state: directory
diff --git a/roles/firewall/handlers/main.yml b/roles/firewall/handlers/main.yml
new file mode 100644
index 0000000..45a421b
--- /dev/null
+++ b/roles/firewall/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: reload firewall
+ openwrt_init:
+ name: firewall
+ state: reloaded
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
new file mode 100644
index 0000000..0132c4a
--- /dev/null
+++ b/roles/firewall/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: generate firewall file
+ template:
+ src: firewall.j2
+ dest: /etc/config/firewall
+ notify: reload firewall
diff --git a/roles/firewall/templates/firewall.j2 b/roles/firewall/templates/firewall.j2
new file mode 100644
index 0000000..1f7815c
--- /dev/null
+++ b/roles/firewall/templates/firewall.j2
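Review bot: The Docker signing key is added by `url:` alone; `apt_key` then trusts whatever the download returns, whereas pinning `id: "<DOCKER_GPG_FINGERPRINT>"` (placeholder — copy it from Docker's install documentation) makes the task fail if the key ever differs from the one that was reviewed. The `/srv/docker` task sets owner and group but no `mode`, so the directory inherits the remote umask; `mode: '0750'` keeps compose files, which commonly embed credentials, from being world-readable. `docker-compose` here comes from the Debian archive while the engine comes from Docker's repo, which is fine but worth a comment since the two are versioned independently.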
@@ -0,0 +1,506 @@ +## General WAN Rules +config rule + option name 'Allow-DHCP-Renew' + option src 'wan' + option proto 'udp' + option dest_port '68' + option target 'ACCEPT' + option family 'ipv4' + +config rule + option name 'Allow-Ping' + option src 'wan' + option proto 'icmp' + option icmp_type 'echo-request' + option target 'ACCEPT' + option family 'ipv4' + +config rule + option name 'Allow-DHCPv6' + option src 'wan' + option src_ip 'fe80::/10' + option src_port '547' + option proto 'udp' + option dest_ip 'fe80::/10' + option dest_port '546' + option target 'ACCEPT' + option family 'ipv6' + +config rule + option name 'Allow-ICMPv6-Input' + option src 'wan' + option proto 'icmp' + list icmp_type 'echo-request' + list icmp_type 'echo-reply' + list icmp_type 'destination-unreachable' + list icmp_type 'packet-too-big' + list icmp_type 'time-exceeded' + list icmp_type 'bad-header' + list icmp_type 'unknown-header-type' + list icmp_type 'router-solicitation' + list icmp_type 'neighbour-solicitation' + list icmp_type 'router-advertisement' + list icmp_type 'neighbour-advertisement' + option target 'ACCEPT' + option family 'ipv6' + option limit '1000/sec' + +config rule + option name 'Allow-ICMPv6-Forward' + option src 'wan' + option dest '*' + option proto 'icmp' + list icmp_type 'echo-request' + list icmp_type 'echo-reply' + list icmp_type 'destination-unreachable' + list icmp_type 'packet-too-big' + list icmp_type 'time-exceeded' + list icmp_type 'bad-header' + list icmp_type 'unknown-header-type' + option target 'ACCEPT' + option family 'ipv6' + option limit '1000/sec' + +## Deny IPv6 SMTP +config rule + option name 'Deny-SMTP' + option src 'lan' + option proto 'tcp' + option dest 'wan' + option dest_port '25' + option target 'REJECT' + option family 'ipv6' + +## SSH from VINCI rules +config rule + option name 'Allow-Input-SSH-VINCI' + option src 'wan' + option src_ip '{{ vinci_ipv6_out }}' + option proto 'tcp' + option dest_port '22' + option target 'ACCEPT' + 
option family 'ipv6' + +config rule + option name 'Allow-SSH-VINCI' + option src 'wan' + option src_ip '{{ vinci_ipv6_out }}' + option proto 'tcp' + option dest 'lan' + option dest_port '22' + option target 'ACCEPT' + option family 'ipv6' + +## Traffic for n0box2 server +config rule + option name 'n0box2-SMTP+SMTPS+SUBMISSION' + option src 'wan' + option proto 'tcp' + option dest 'lan' + option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}' + option dest_port '25 465 587' + option target 'ACCEPT' + option family 'ipv6' + +config rule + option name 'n0box2-IMAP+IMAPS' + option src 'wan' + option proto 'tcp' + option dest 'lan' + option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}' + option dest_port '143 993' + option target 'ACCEPT' + option family 'ipv6' + +config rule + option name 'n0box2-HTTP+HTTPS' + option src 'wan' + option proto 'tcp' + option dest 'lan' + option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}' + option dest_port '80 443' + option target 'ACCEPT' + option family 'ipv6' + +config rule + option name 'n0box2-XMPP-c2s+s2s' + option src 'wan' + option proto 'tcpudp' + option dest 'lan' + option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}' + option dest_port '5222 5269' + option target 'ACCEPT' + option family 'ipv6' + +config rule + option name 'n0box2-TS-com+com2' + option src 'wan' + option proto 'tcp' + option dest 'lan' + option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}' + option dest_port '10011 30033' + option target 'ACCEPT' + option family 'ipv6' + +config rule + option name 'n0box2-TS-signal' + option src 'wan' + option proto 'udp' + option dest 'lan' + option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}' + option dest_port '9987' + option target 'ACCEPT' + option family 'ipv6' + +config rule + option name 'n0box2-mumble' + option src 'wan' + 
option proto 'tcpudp' + option dest 'lan' + option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}' + option dest_port '64738' + option target 'ACCEPT' + option family 'ipv6' + +config redirect + option name 'n0box2-SMTP' + option src 'wan' + option src_dport '25' + option proto 'tcp' + option dest 'lan' + option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}' + option dest_port '25' + option target 'DNAT' + +config redirect + option name 'n0box2-SMTPS' + option src 'wan' + option src_dport '465' + option proto 'tcp' + option dest 'lan' + option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}' + option dest_port '465' + option target 'DNAT' + +config redirect + option name 'n0box2-SUBMISSION' + option src 'wan' + option src_dport '587' + option proto 'tcp' + option dest 'lan' + option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}' + option dest_port '587' + option target 'DNAT' + +config redirect + option name 'n0box2-IMAP' + option src 'wan' + option src_dport '143' + option proto 'tcp' + option dest 'lan' + option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}' + option dest_port '143' + option target 'DNAT' + +config redirect + option name 'n0box2-IMAPS' + option src 'wan' + option src_dport '993' + option proto 'tcp' + option dest 'lan' + option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}' + option dest_port '993' + option target 'DNAT' + +config redirect + option name 'n0box2-XMPP-c2s' + option src 'wan' + option src_dport '5222' + option proto 'tcpudp' + option dest 'lan' + option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}' + option dest_port '5222' + option target 'DNAT' + +config redirect + option name 'n0box2-XMPP-s2s' + option src 'wan' + option src_dport '5269' + option proto 'tcpudp' + option dest 'lan' + option dest_ip '{{ 
hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}' + option dest_port '5269' + option target 'DNAT' + +config redirect + option name 'n0box2-TS-com' + option src 'wan' + option src_dport '10011' + option proto 'tcp' + option dest 'lan' + option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}' + option dest_port '10011' + option target 'DNAT' + +config redirect + option name 'n0box2-TS-com2' + option src 'wan' + option src_dport '30033' + option proto 'tcp' + option dest 'lan' + option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}' + option dest_port '30033' + option target 'DNAT' + +config redirect + option name 'n0box2-TS-signal' + option src 'wan' + option src_dport '9987' + option proto 'udp' + option dest 'lan' + option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}' + option dest_port '9987' + option target 'DNAT' + +config redirect + option name 'n0box2-mumble' + option src 'wan' + option src_dport '64738' + option proto 'tcpudp' + option dest 'lan' + option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}' + option dest_port '64738' + option target 'DNAT' + +### DMZ Rules +## General Rules +# ICMP +config rule + option name 'Allow-ICMP' + option dest 'dmz' + option proto 'icmp' + option target 'ACCEPT' + +config rule + option name 'Allow-ICMP' + option src 'dmz' + option proto 'icmp' + option target 'ACCEPT' + +config rule + option name 'Allow-ICMP' + option src 'dmz' + option proto 'icmp' + option dest '*' + option target 'ACCEPT' + +# DHCP rules +config rule + option name 'Allow-DMZ-DHCP' + option dest 'dmz' + option dest_port '67-68' + option proto 'tcpudp' + option target 'ACCEPT' + option family 'ipv4' + +config rule + option name 'Allow-DMZ-DHCP' + option src 'dmz' + option proto 'tcpudp' + option dest_port '67-68' + option target 'ACCEPT' + option family 'ipv4' + +# DNS Resolution +config rule + option name 
'Allow-INPUT-DNS' + option src 'dmz' + option proto 'tcpudp' + option dest_port '53' + option target 'ACCEPT' + option family 'ipv4' + +# NTP +config rule + option name 'Allow-OUTPUT-NTP' + option src 'dmz' + option proto 'udp' + option dest 'wan' + option dest_port '123' + option target 'ACCEPT' + +# Web traffic OUT +config rule + option name 'Allow-OUTPUT-Web' + option src 'dmz' + option proto 'tcpudp' + option dest 'wan' + option dest_port '80 443' + option target 'ACCEPT' + +# SSH traffic IN +config rule + option name 'Allow-INPUT-SSH' + option src 'wan' + option proto 'tcp' + option dest 'dmz' + option dest_port '22' + option target 'ACCEPT' + option family 'ipv6' + +# Allow traffic to n0box2 +config rule + option name 'Allow-OUTPUT-to-n0box2' + option src 'dmz' + option proto 'tcpudp' + option dest 'lan' + option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}' + option dest_port '25 80 443 465 587 143 993' + option target 'ACCEPT' + option family 'ipv4' + +config rule + option name 'Allow-OUTPUT-to-n0box2' + option src 'dmz' + option proto 'tcpudp' + option dest 'lan' + option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}' + option dest_port '25 80 443 465 587 143 993' + option target 'ACCEPT' + option family 'ipv6' + +## Specific rules +# Allow IPv4 Web traffic IN +config redirect + option name 'Allow-INPUT-v4-HTTP' + option src 'wan' + option src_dport '80' + option proto 'tcpudp' + option dest 'dmz' + option dest_ip '{{ hostvars['haproxy.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' + option dest_port '80' + option target 'DNAT' + +config redirect + option name 'Allow-INPUT-v4-HTTPS' + option src 'wan' + option src_dport '443' + option proto 'tcpudp' + option dest 'dmz' + option dest_ip '{{ hostvars['haproxy.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' + option dest_port '443' + option target 'DNAT' + +# Allow Web traffic IN +{% for host in groups['webservers'] %} +config rule 
+ option name 'Allow-INPUT-{{ host }}-Web' + option src 'wan' + option proto 'tcpudp' + option dest 'dmz' + option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}' + option dest_port '80 443' + option target 'ACCEPT' + option family 'ipv6' +{% endfor %} + +# Allow traffic to and from bt.dmz.mateu.be +config rule + option name 'Allow-OUTPUT-BT' + option src 'dmz' + option src_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' + option proto 'tcpudp' + option dest 'wan' + option target 'ACCEPT' + option family 'ipv4' + +config rule + option name 'Allow-OUTPUT-BT' + option src 'dmz' + option src_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv6']['address'] }}' + option proto 'tcpudp' + option dest 'wan' + option target 'ACCEPT' + option family 'ipv6' + +config rule + option name 'Allow-INPUT-BT' + option src 'wan' + option proto 'tcpudp' + option dest 'dmz' + option dest_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv6']['address'] }}' + option dest_port '10010' + option target 'ACCEPT' + option family 'ipv6' + +config redirect + option name 'Allow-INPUT-BT' + option src 'wan' + option src_dport '10010' + option proto 'tcpudp' + option dest 'dmz' + option dest_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' + option dest_port '10010' + option target 'DNAT' + +# Allow traffic to Proxmox VE interface +{% for host in groups['hypervisors'] %} +config rule + option name 'Allow-INPUT-ProxmoxVE-{{ hostvars[host]['ansible_hostname'] }}' + option src 'wan' + option proto 'tcp' + option dest 'dmz' + option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}' + option dest_port '8006' + option target 'ACCEPT' + option family 'ipv6' +{% endfor %} + +## Default configuration +config defaults + option syn_flood '1' + option input 'ACCEPT' + option output 'ACCEPT' + option forward 'REJECT' + +## Zone configuration +config zone + option name 'lan' + option input 'ACCEPT' + option output 
'ACCEPT' + option forward 'ACCEPT' + option network 'lan' + +config zone + option name 'dmz' + option input 'REJECT' + option output 'REJECT' + option forward 'REJECT' + option network 'dmz' + +config zone + option name 'wan' + option input 'REJECT' + option output 'ACCEPT' + option forward 'REJECT' + option network 'vpn' + option masq '1' + option mtu_fix '1' + +config forwarding + option src 'lan' + option dest 'wan' + +config forwarding + option src 'lan' + option dest 'dmz' + +config include + option path '/etc/firewall.user' + +config include 'miniupnpd' + option type 'script' + option path '/usr/share/miniupnpd/firewall.include' + option family 'any' + option reload '1' + diff --git a/roles/firewall/vars/main.yml b/roles/firewall/vars/main.yml new file mode 100644 index 0000000..4c46486 --- /dev/null +++ b/roles/firewall/vars/main.yml @@ -0,0 +1 @@ +vinci_ipv6_out: "2a02:2098:8711:920:740c:70c0:e153:55b6" diff --git a/roles/haproxy/handlers/main.yml b/roles/haproxy/handlers/main.yml new file mode 100644 index 0000000..20f905d --- /dev/null +++ b/roles/haproxy/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart haproxy + service: + name: haproxy + state: restarted diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml new file mode 100644 index 0000000..b8b0d68 --- /dev/null +++ b/roles/haproxy/tasks/main.yml @@ -0,0 +1,11 @@ +- name: install haproxy package + package: + name: haproxy + state: present + +- name: haproxy config + template: + src: haproxy.cfg.j2 + dest: /etc/haproxy/haproxy.cfg + notify: + - restart haproxy diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2 new file mode 100644 index 0000000..fd950b6 --- /dev/null +++ b/roles/haproxy/templates/haproxy.cfg.j2 
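Review bot: `Allow-INPUT-SSH` and the per-hypervisor `Allow-INPUT-ProxmoxVE-*` rules accept TCP 22 and 8006 from `wan` to every `dmz` host over IPv6 with no `src_ip`, which exposes SSH on all DMZ hosts and the Proxmox management interface to the entire IPv6 internet; the `Allow-SSH-VINCI` rules earlier in the same file show the intended pattern, so add `option src_ip '{{ vinci_ipv6_out }}'` (or a short list of trusted prefixes) to both, or reach those services through the VPN network rather than a WAN rule. The three consecutive `Allow-ICMP` stanzas share one name, which makes rule listings and log lines ambiguous; name them by direction (`Allow-ICMP-out`, `Allow-ICMP-in`, `Allow-ICMP-fwd`). `Allow-DMZ-DHCP` uses `proto 'tcpudp'` although DHCP is UDP only. The `wan` zone lists only `network 'vpn'`; if the physical uplink belongs to another zone that is intentional, otherwise it is missing from the list.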
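Review bot: The `haproxy config` task writes the rendered template and then restarts the service without checking the result, so a template error takes the DMZ entry point down until the next run; add `validate: 'haproxy -c -f %s'` to the `template` task so a broken render is rejected before it replaces `/etc/haproxy/haproxy.cfg`. A handler using `state: reloaded` instead of `restarted` would also apply config changes without dropping in-flight connections.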
@@ -0,0 +1,97 @@ +global + log /dev/log local0 + log /dev/log local1 notice + chroot /var/lib/haproxy + stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners + stats timeout 30s + user haproxy + group haproxy + daemon + + # Default SSL material locations + ca-base /etc/ssl/certs + crt-base /etc/ssl/private + + # Default ciphers to use on SSL-enabled listening sockets. + # For more information, see ciphers(1SSL). This list is from: + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ + # An alternative list with additional directives can be obtained from + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy + ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS + ssl-default-bind-options no-sslv3 + +defaults + log global + option httplog + option dontlognull + timeout connect 5000 + timeout client 50000 + timeout server 50000 + errorfile 400 /etc/haproxy/errors/400.http + errorfile 403 /etc/haproxy/errors/403.http + errorfile 408 /etc/haproxy/errors/408.http + errorfile 500 /etc/haproxy/errors/500.http + errorfile 502 /etc/haproxy/errors/502.http + errorfile 503 /etc/haproxy/errors/503.http + errorfile 504 /etc/haproxy/errors/504.http + +frontend http + mode http + bind *:80 name frontend-http + tcp-request inspect-delay 3s + acl letsencrypt path_beg /.well-known/acme-challenge + redirect scheme https code 301 if !letsencrypt +{% for server in groups['webservers'] %} +{% for hostname in hostvars[server]['web_hostname'] %} + ## {{ hostname }} configuration + acl host_{{ hostname }} hdr(host) -i {{ hostname }} + use_backend http_{{ server }} if letsencrypt host_{{ hostname }} + +{% endfor %} +{% endfor %} + use_backend http_default + +frontend https + mode tcp + option tcplog + bind *:443 name frontend-https + tcp-request inspect-delay 3s + tcp-request content accept if { req.ssl_hello_type 1 } +{% for server in 
groups['webservers'] %} +{% for hostname in hostvars[server]['web_hostname'] %} + ## {{ hostname }} configuration + acl host_{{ hostname }} req.ssl_sni -i {{ hostname }} + use_backend https_{{ server }} if host_{{ hostname }} +{% endfor %} +{% endfor %} + use_backend https_default + + +{% for server in groups['webservers'] %} +## {{ server }} configuration +backend http_{{ server }} + mode http + server host_{{ server }} {{ server }}:80 + +backend https_{{ server }} + mode tcp + server host_{{ server }} {{ server }}:443 + +{% endfor %} + +backend http_default + mode http + server host_n0box2 {{ lookup('dig', 'n0box2.mateu.be.', 'qtype=AAAA') }}:80 + +backend https_default + mode tcp + server host_n0box2 {{ lookup('dig', 'n0box2.mateu.be.', 'qtype=AAAA') }}:443 + +## Stats +listen stats + bind *:8080 + mode http + log global + stats enable + stats uri / + stats hide-version diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml new file mode 100644 index 0000000..5e0276c --- /dev/null +++ b/roles/mariadb/defaults/main.yml @@ -0,0 +1,2 @@ +mariadb_backup_hour: 5 +mariadb_backup_minute: 0 diff --git a/roles/mariadb/files/50-server.cnf b/roles/mariadb/files/50-server.cnf new file mode 100644 index 0000000..3b50076 --- /dev/null +++ b/roles/mariadb/files/50-server.cnf 
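Review bot: The `listen stats` block binds `*:8080` with `stats enable` but neither `stats auth` nor a bind restriction, so backend names, server addresses and health state are readable by anything that can reach port 8080 on the proxy host; restrict it with `bind 127.0.0.1:8080` or add `stats auth <user>:<password-from-vault>` (placeholders). The firewall template in this commit forwards only 22, 80 and 443 into the DMZ, so WAN exposure depends on that staying true, while other DMZ hosts reach it regardless. The global `ssl-default-bind-*` directives have no effect here because `frontend https` is `mode tcp` SNI passthrough and terminates no TLS; a one-line comment saying so would stop a reader from assuming TLS policy is enforced at the proxy.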
@@ -0,0 +1,137 @@ +# +# These groups are read by MariaDB server. +# Use it for options that only the server (but not clients) should see +# +# See the examples of server my.cnf files in /usr/share/mysql + +# this is read by the standalone daemon and embedded servers +[server] + +# this is only for the mysqld standalone daemon +[mysqld] + +# +# * Basic Settings +# +user = mysql +pid-file = /run/mysqld/mysqld.pid +socket = /run/mysqld/mysqld.sock +#port = 3306 +basedir = /usr +datadir = /srv/mysql +tmpdir = /tmp +lc-messages-dir = /usr/share/mysql +default-storage-engine = InnoDB +#skip-external-locking + +# Instead of skip-networking the default is now to listen only on +# localhost which is more compatible and is not less secure. +bind-address = 127.0.0.1 + +# +# * Fine Tuning +# +key_buffer_size = 32M +max_allowed_packet = 64M +thread_stack = 256K +thread_cache_size = 8 +# This replaces the startup script and checks MyISAM tables if needed +# the first time they are touched +myisam_recover_options = BACKUP +#max_connections = 100 +#table_cache = 64 +#thread_concurrency = 10 + +# +# * Query Cache Configuration +# +query_cache_limit = 16M +query_cache_size = 64M + +# +# * Logging and Replication +# +# Both location gets rotated by the cronjob. +# Be aware that this log type is a performance killer. +# As of 5.1 you can enable the log at runtime! +#general_log_file = /var/log/mysql/mysql.log +#general_log = 1 +# +# Error log - should be very few entries. +# +log_error = /var/log/mysql/error.log +# +# Enable the slow query log to see queries with especially long duration +#slow_query_log_file = /var/log/mysql/mariadb-slow.log +#long_query_time = 10 +#log_slow_rate_limit = 1000 +#log_slow_verbosity = query_plan +#log-queries-not-using-indexes +# +# The following can be used as easy to replay backup logs or for replication. +# note: if you are setting up a replication slave, see README.Debian about +# other settings you may need to change. 
+#server-id = 1 +#log_bin = /var/log/mysql/mysql-bin.log +expire_logs_days = 10 +max_binlog_size = 100M +#binlog_do_db = include_database_name +#binlog_ignore_db = exclude_database_name + +# +# * Security Features +# +# Read the manual, too, if you want chroot! +#chroot = /srv/mysql/ +# +# For generating SSL certificates you can use for example the GUI tool "tinyca". +# +#ssl-ca = /etc/mysql/cacert.pem +#ssl-cert = /etc/mysql/server-cert.pem +#ssl-key = /etc/mysql/server-key.pem +# +# Accept only connections using the latest and most secure TLS protocol version. +# ..when MariaDB is compiled with OpenSSL: +#ssl-cipher = TLSv1.2 +# ..when MariaDB is compiled with YaSSL (default in Debian): +#ssl = on + +# +# * Character sets +# +# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full +# utf8 4-byte character set. See also client.cnf +# +character-set-server = utf8mb4 +collation-server = utf8mb4_general_ci + +# +# * InnoDB +# +# InnoDB is enabled by default with a 10MB datafile in /srv/mysql/. +# Read the manual for more InnoDB related options. There are many! + +innodb_file_per_table +innodb_data_file_path=ibdata1:10M:autoextend + +# +# * Unix socket authentication plugin is built-in since 10.0.22-6 +# +# Needed so the root database user can authenticate without a password but +# only when running as the unix root user. +# +# Also available for other users if required. +# See https://mariadb.com/kb/en/unix_socket-authentication-plugin/ + +# this is only for embedded server +[embedded] + +# This group is only read by MariaDB servers, not by MySQL. +# If you use the same .cnf file for MySQL and MariaDB, +# you can put MariaDB-only options here +[mariadb] + +# This group is only read by MariaDB-10.3 servers. +# If you use the same .cnf file for MariaDB of different versions, +# use this group for options that older servers don't understand +[mariadb-10.3] 
diff --git a/roles/mariadb/files/backup_mysql.sh b/roles/mariadb/files/backup_mysql.sh new file mode 100644 index 0000000..3f14faa --- /dev/null +++ b/roles/mariadb/files/backup_mysql.sh @@ -0,0 +1,43 @@ +#!/bin/bash +########## +# THIS FILE IS MANAGED BY ANSIBLE +# ANY MODIFICATION IS LIKELY TO BE ERASED +########## +############################################## +# Nom : backup_mysql.sh +# Objet : Dump les bases mysql +# listees dans $backup_db_list +# dans le dossier $backup_dump_path, un sous-dossier par base +############################################### + +# Chemin de stockage des dump +backup_dump_path="/srv/backup/mysql/" + +# Liste des bases a sauvegarder séparées par des espaces +backup_db_list=`echo -n 'show databases' | mysql | grep -v Database | grep -v _schema` + +# Verifie que backup_dump_path existe, on crée sinon +if [ ! -d $backup_dump_path ] ; then mkdir -p $backup_dump_path ; fi + +# On se deplace dans le dossier, et on purge les fichiers plus vieux que backup_max_age +cd $backup_dump_path + +mysqlcheck --all-databases > /srv/mysql/check + +# Pour chaque base a sauvegarder +for backup_db_name in $backup_db_list +do + # Verifie si un dossier existe pour cette base, on cree si non + if [ ! -d ./$backup_db_name ] ; then mkdir ./$backup_db_name ; fi + + cd ./$backup_db_name + + # On dump + mysqldump --events $backup_db_name | gzip > $backup_db_name.sql.gz + + cd .. +done + +# On s'assure que nimporte qui ne peut lire les dump +chmod a-rwx,u+rwX -R $backup_dump_path + diff --git a/roles/mariadb/handlers/main.yml b/roles/mariadb/handlers/main.yml new file mode 100644 index 0000000..97d8b02 --- /dev/null +++ b/roles/mariadb/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart mariadb + service: + name: mariadb + state: restarted diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml new file mode 100644 index 0000000..736ae88 --- /dev/null +++ b/roles/mariadb/tasks/main.yml 
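Review bot: A failed `mysqldump` inside the loop silently replaces the previous good dump with an empty `.sql.gz`, because the script has no `set -e`/`pipefail` and the pipeline writes straight to the final filename; the `cd ./$backup_db_name` / `cd ..` pair also drifts up one directory on any iteration where the first `cd` fails, so later dumps land in the wrong place. Write each dump to a temporary file under an absolute path and rename it only on success, as below. The header comment promises a purge of files older than `backup_max_age`, but no such variable or purge exists, so either implement the retention or drop that sentence. `--single-transaction` gives a consistent snapshot without locking for InnoDB tables, which the `50-server.cnf` in this commit makes the default engine; tables in other engines do not benefit.
```shell
set -euo pipefail
# … unchanged: backup_dump_path, backup_db_list, mkdir -p, mysqlcheck …
for backup_db_name in $backup_db_list
do
    db_dir="$backup_dump_path/$backup_db_name"
    mkdir -p "$db_dir"
    # dump to a temp file first so a failed mysqldump never overwrites the last good archive
    mysqldump --events --single-transaction "$backup_db_name" | gzip > "$db_dir/$backup_db_name.sql.gz.tmp"
    mv "$db_dir/$backup_db_name.sql.gz.tmp" "$db_dir/$backup_db_name.sql.gz"
done
# … unchanged: chmod …
```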
@@ -0,0 +1,87 @@ +- name: install mariadb + package: + name: mariadb-server + state: present + +- name: create mysql directory + file: + path: /srv/mysql + owner: mysql + group: mysql + state: directory + +- name: populate mysql directory + command: /usr/bin/mysql_install_db --datadir=/srv/mysql + args: + creates: /srv/mysql/ibdata1 + notify: restart mariadb + +- name: replace conffile + copy: + src: files/50-server.cnf + dest: /etc/mysql/mariadb.conf.d/50-server.cnf + notify: restart mariadb + +- name: debian upgrade file conf + template: + src: debian.cnf.j2 + dest: /etc/mysql/debian.cnf + owner: root + group: root + mode: '0600' + notify: restart mariadb + +- name: force handlers + meta: flush_handlers + +- name: install python-mysql + package: + name: "{{ item }}" + state: present + loop: + - python-pymysql + - python3-pymysql + +- name: root password + mysql_user: + login_user: root + host: "{{ item }}" + name: root + password: "{{ mariadb_root_pass }}" + loop: + - "localhost" + - "127.0.0.1" + - "::1" + +- name: put .my.cnf file + template: + src: dot.my.cnf.j2 + dest: ~/.my.cnf + mode: '0600' + +- name: scripted version of mysql_secure_installation + command: "{{ item }}" + args: + warn: false + creates: ~/mysql_secure_installation + loop: + - "mysql -e \"DELETE FROM mysql.user WHERE User='';\"" + - "mysql -e \"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');\"" + - "mysql -e \"DROP DATABASE IF EXISTS test;\"" + - "mysql -e \"DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';\"" + - "mysql -e \"FLUSH PRIVILEGES;\"" + - touch ~/mysql_secure_installation + +- name: install backup script + copy: + src: files/backup_mysql.sh + dest: /usr/local/bin/backup_mysql.sh + mode: '0755' + +- name: cron backup script + cron: + name: "MariaDB backup" + hour: "{{ mariadb_backup_hour }}" + minute: "{{ mariadb_backup_minute }}" + job: "/usr/local/bin/backup_mysql.sh" + state: present 
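Review bot: The `root password` task connects as `login_user: root` with no `login_unix_socket`, and on a fresh Debian install the only root account authenticates through the unix socket, so the first run most likely cannot log in before `~/.my.cnf` exists; adding `login_unix_socket: /run/mysqld/mysqld.sock` (the socket path set in `50-server.cnf` in this commit) makes the bootstrap independent of `.my.cnf`. `create mysql directory` sets no `mode`, so `/srv/mysql` gets the umask default; give the data directory `mode: '0700'` so other local users cannot list or read table files. The `warn: false` argument on the `scripted version of mysql_secure_installation` task has been removed in newer ansible-core releases and will fail the play there. Whether `mariadb_root_pass` lives in a vaulted file is not visible in the diff.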
diff --git a/roles/mariadb/templates/debian.cnf.j2 b/roles/mariadb/templates/debian.cnf.j2 new file mode 100644 index 0000000..9b9605b --- /dev/null +++ b/roles/mariadb/templates/debian.cnf.j2 @@ -0,0 +1,12 @@ +# Automatically generated for Debian scripts. DO NOT TOUCH! +[client] +host = localhost +user = root +password = {{ mariadb_root_pass }} +socket = /var/run/mysqld/mysqld.sock +[mysql_upgrade] +host = localhost +user = root +password = {{ mariadb_root_pass }} +socket = /var/run/mysqld/mysqld.sock +basedir = /usr diff --git a/roles/mariadb/templates/dot.my.cnf.j2 b/roles/mariadb/templates/dot.my.cnf.j2 new file mode 100644 index 0000000..bfd5332 --- /dev/null +++ b/roles/mariadb/templates/dot.my.cnf.j2 @@ -0,0 +1,3 @@ +[client] +user = root +password = {{ mariadb_root_pass }} diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml new file mode 100644 index 0000000..5463835 --- /dev/null +++ b/roles/nginx/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart nginx + service: + name: nginx + state: restarted diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml new file mode 100644 index 0000000..81b9dd8 --- /dev/null +++ b/roles/nginx/tasks/main.yml 
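Review bot: The first line of `debian.cnf.j2` still reads "Automatically generated for Debian scripts. DO NOT TOUCH!", while the file is now rendered by Ansible and overwritten on every run; replace it with the `THIS FILE IS MANAGED BY ANSIBLE` banner the other templates in this commit carry, since this file holds the root password and that comment is what an admin reads before editing it. The socket path here is `/var/run/mysqld/mysqld.sock` whereas `50-server.cnf` uses `/run/mysqld/mysqld.sock`; presumably equivalent through the `/var/run` symlink, but a single spelling is easier to grep.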
@@ -0,0 +1,46 @@ +- name: install nginx package + package: + name: nginx-full + state: present + +- name: create dhparam + shell: /usr/bin/openssl dhparam -out /etc/nginx/dhparam.pem 2048 + args: + creates: /etc/nginx/dhparam.pem + +- name: service nginx + service: + name: nginx + enabled: True + state: started + +- name: put configuration files + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + notify: + - restart nginx + loop: + - { src: nginx.conf.j2, dest: /etc/nginx/nginx.conf } + - { src: nginx.ssl.conf.j2, dest: /etc/nginx/nginx.ssl.conf } + - { src: fastcgi_params.j2, dest: /etc/nginx/fastcgi_params } + - { src: proxy_params.j2, dest: /etc/nginx/proxy_params } + - { src: default.j2, dest: /etc/nginx/sites-available/default } + +- name: create base dir + file: + path: /srv/http + owner: root + group: www-data + mode: 'u+rwx,g+rs,o-rwx' + state: directory + +- name: create letsencrypt dir + file: + path: /srv/http/common/letsencrypt + owner: root + group: www-data + mode: 'u+rwx,g+rs,o-rwx' + state: directory + +- include_tasks: vhosts.yml diff --git a/roles/nginx/tasks/vhosts.yml b/roles/nginx/tasks/vhosts.yml new file mode 100644 index 0000000..2efaadd --- /dev/null +++ b/roles/nginx/tasks/vhosts.yml @@ -0,0 +1,18 @@ +- name: symlink vhosts + file: + src: "/etc/nginx/sites-available/{{ item }}.conf" + dest: "/etc/nginx/sites-enabled/{{ item }}.conf" + force: True + follow: False + state: link + notify: + - restart nginx + loop: "{{ web_hostname }}" + +- name: install vhosts + template: + src: "vhosts/{{ item }}.conf.j2" + dest: "/etc/nginx/sites-available/{{ item }}.conf" + notify: + - restart nginx + loop: "{{ web_hostname }}" diff --git a/roles/nginx/templates/default.j2 b/roles/nginx/templates/default.j2 new file mode 100644 index 0000000..7e5de81 --- /dev/null +++ b/roles/nginx/templates/default.j2 
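Review bot: `enabled: True` on the `service nginx` task is a YAML 1.1-style truthy spelling that yamllint's `truthy` rule flags; the rest of the commit uses lowercase, so write `enabled: true`. The service is started before any configuration is written and then restarted by the handler once per changed template; moving the `service nginx` task after `put configuration files` with a `meta: flush_handlers` in between would start nginx once with the intended configuration instead of first with the stock one.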
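Review bot: `symlink vhosts` runs before `install vhosts`, so on a first run each link in `sites-enabled` is created while its target in `sites-available` does not exist yet; it only works because `force: True` tolerates a dangling link and the template task fills the target a moment later. Swap the two tasks so the file exists before it is linked, and spell `force: true` / `follow: false` in lowercase like the booleans elsewhere in the commit. Both tasks notify `restart nginx`; a `reload` handler would apply vhost changes without dropping connections.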
@@ -0,0 +1,25 @@ +server { + listen *:80; + listen [::]:80; + server_name localhost; + location /nginx_status { + stub_status on; + access_log off; + allow 127.0.0.1; + deny all; + } +} + +server { + listen *:80 default_server; + listen [::]:80 default_server; + + location /.well-known/acme-challenge { + root /srv/http/common/letsencrypt/; + } + + location / { + return 301 https://$host$request_uri; + } +} + diff --git a/roles/nginx/templates/fastcgi_params.j2 b/roles/nginx/templates/fastcgi_params.j2 new file mode 100644 index 0000000..75f5a48 --- /dev/null +++ b/roles/nginx/templates/fastcgi_params.j2 @@ -0,0 +1,31 @@ +########## +# THIS FILE IS MANAGED BY ANSIBLE +# ANY MODIFICATION IS LIKELY TO BE ERASED +########## +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; + +fastcgi_param HTTPS $https; + +# PHP only +fastcgi_param SCRIPT_FILENAME $request_filename; +fastcgi_param REDIRECT_STATUS 200; +fastcgi_param PATH_INFO $fastcgi_path_info; +fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; diff --git a/roles/nginx/templates/header.conf.j2 b/roles/nginx/templates/header.conf.j2 new file mode 100644 index 0000000..3483e7b --- /dev/null +++ b/roles/nginx/templates/header.conf.j2 
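Review bot: The `/nginx_status` location allows only `127.0.0.1`, but the same server block also listens on `[::]:80`, so a local monitoring agent that resolves `localhost` to `::1` is denied; add `allow ::1;` before `deny all;`. The ACME location serves via `root /srv/http/common/letsencrypt/`, so challenge files must sit under `.well-known/acme-challenge/` inside that directory; a short comment stating that would save the next person a failed renewal, since the nginx role only creates the top-level directory.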
@@ -0,0 +1,8 @@ + listen *:443 ssl http2; + listen [::]:443 ssl http2; + + ssl_certificate /etc/x509/{{ item }}/fullchain.cer; + ssl_certificate_key /etc/x509/{{ item }}/{{ item }}.key; + server_name {{ item }}; + access_log /var/log/nginx/{{ item }}.access.log combined_port; + error_log /var/log/nginx/{{ item }}.error.log; diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 new file mode 100644 index 0000000..47774b4 --- /dev/null +++ b/roles/nginx/templates/nginx.conf.j2 @@ -0,0 +1,67 @@ +########## +# THIS FILE IS MANAGED BY ANSIBLE +# ANY MODIFICATION IS LIKELY TO BE ERASED +########## +user www-data; +worker_processes 4; +pid /var/run/nginx.pid; + +events { + worker_connections 768; + # multi_accept on; +} + +http { + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # Logging Settings + ## + log_format combined_port + '$remote_addr:$remote_port - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + access_log /var/log/nginx/access.log combined_port; + error_log /var/log/nginx/error.log; + + ## + # Gzip Settings + ## + + gzip on; + gzip_disable "msie6"; + + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml; + + include nginx.ssl.conf; + + ## + # Virtual Host Configs + ## + + client_max_body_size 1G; + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} + 
diff --git a/roles/nginx/templates/nginx.ssl.conf.j2 b/roles/nginx/templates/nginx.ssl.conf.j2 new file mode 100644 index 0000000..6d50946 --- /dev/null +++ b/roles/nginx/templates/nginx.ssl.conf.j2 @@ -0,0 +1,26 @@ +########## +# THIS FILE IS MANAGED BY ANSIBLE +# ANY MODIFICATION IS LIKELY TO BE ERASED +########## + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + + # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits + ssl_dhparam /etc/nginx/dhparam.pem; + + # intermediate configuration. tweak to your needs. + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; + ssl_prefer_server_ciphers on; + + # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) + add_header Strict-Transport-Security max-age=15768000; + + # OCSP Stapling --- + # fetch OCSP records from URL in ssl_certificate and cache them + ssl_stapling on; + ssl_stapling_verify on; + + ## verify chain of trust of OCSP response using Root CA and Intermediate certs + ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; diff --git a/roles/nginx/templates/proxy_params.j2 b/roles/nginx/templates/proxy_params.j2 new file mode 100644 index 0000000..d07ddff --- /dev/null +++ b/roles/nginx/templates/proxy_params.j2 
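Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1, and the cipher list ends with 3DES suites (`DES-CBC3-SHA` and the `ECDHE-*-DES-CBC3-SHA` entries) plus non-forward-secret RSA suites; both protocol versions are deprecated and the 3DES suites are the ones SWEET32 targets, so trim to `ssl_protocols TLSv1.2 TLSv1.3;` (TLS 1.3 needs nginx built against OpenSSL 1.1.1, which Buster ships) and drop every `*DES-CBC3*` entry. `ssl_session_tickets off` and stapling with `ssl_stapling_verify on` are good choices. The HSTS header carries no `includeSubDomains`; whether that is wanted depends on the hosts served, so leave a comment recording the decision either way.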
@@ -0,0 +1,9 @@
+##########
+# THIS FILE IS HANDLED BY ANSIBLE
+# ANY MODIFICATION IS LIKELY TO BE ERASED
+##########
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_hide_header Strict-Transport-Security;
diff --git a/roles/nginx/templates/vhosts/analyse.nintendojo.fr.conf.j2 b/roles/nginx/templates/vhosts/analyse.nintendojo.fr.conf.j2
new file mode 100644
index 0000000..46f715b
--- /dev/null
+++ b/roles/nginx/templates/vhosts/analyse.nintendojo.fr.conf.j2
@@ -0,0 +1,33 @@
+server {
+{% include './templates/header.conf.j2' %}
+
+ root /srv/http/analyse.nintendojo.fr/;
+ index index.html index.htm index.php;
+
+ location ~ ^/(status|ping|apc_info.php)$ {
+ access_log off;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
+ }
+
+ location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+ expires 2w;
+ log_not_found off;
+ }
+
+ location ~ \.htaccess$ {
+ deny all;
+ }
+
+ location ~ ^/tmp {
+ deny all;
+ }
+
+ location ~ \.php$ {
+ try_files $uri $uri/ =404;
+ fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
+ include fastcgi_params;
+ }
+}
+
diff --git a/roles/nginx/templates/vhosts/blog.libertus.eu.conf.j2 b/roles/nginx/templates/vhosts/blog.libertus.eu.conf.j2
new file mode 100644
index 0000000..68416cb
--- /dev/null
+++ b/roles/nginx/templates/vhosts/blog.libertus.eu.conf.j2
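Review bot: Nothing visible in the commit includes this file: bt.mateu.be (`proxy_pass http://127.0.0.1:9091;`) and sonarr.mateu.be (`proxy_pass http://localhost:8989;`) proxy with no proxy_set_header at all, so the upstream sees Host as the upstream address and gets no X-Real-IP/X-Forwarded-For, which breaks the application's own client-address logging and any address-based throttling it does, while m.nintendojo.fr repeats the same four headers inline. If this template is deployed as /etc/nginx/proxy_params, each of those locations can simply take `include proxy_params;`. `proxy_hide_header Strict-Transport-Security;` also deserves a one-line comment saying that nginx is the HSTS authority here so nobody removes it as redundant.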
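Review bot: `location ~ ^/(status|ping|apc_info.php)$` hands the PHP-FPM status/ping endpoints and an APC info page to any client with no `allow`/`deny`, and `access_log off;` means requests to them are not even recorded; these pages can expose pool internals (process counts, request URIs in full mode, cache contents). Restrict them the way btf.mateu.be does, e.g. `allow 127.0.0.1;` and `deny all;` ahead of the fastcgi_pass, or limit them to the monitoring host's address. The unescaped `.` in `apc_info.php` is a minor nit while you are there (`apc_info\.php`).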
@@ -0,0 +1,40 @@ +server { +{% include './templates/header.conf.j2' %} + root /srv/http/blog.libertus.eu/; + index index.html index.htm index.php; + + ## Optimisation des images + location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { + expires 2w; + log_not_found off; + } + + ## blocage équivalent HTTPS + location ~ (\.htaccess|\.inc)$ { + deny all; + } + + location ~ ^/(inc|plugins|db|cache)/ { + deny all; + } + + ## Inter PHP en path_info + location ~ ^/(index).php(/.*)+ { + fastcgi_split_path_info ^(.+\.php)(/.*)$; + fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock; + include fastcgi_params; + } + + ## Inter PHP brute + location ~ \.php$ { + try_files $uri $uri/ =404; + fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock; + include fastcgi_params; + } + + ## redirection des zolies URLs vers index.php + location / { + try_files $uri $uri/ /index.php$uri?$args; + } +} + diff --git a/roles/nginx/templates/vhosts/bt.mateu.be.conf.j2 b/roles/nginx/templates/vhosts/bt.mateu.be.conf.j2 new file mode 100644 index 0000000..ed68738 --- /dev/null +++ b/roles/nginx/templates/vhosts/bt.mateu.be.conf.j2 @@ -0,0 +1,8 @@ +server { +{% include './templates/header.conf.j2' %} + + location / { + proxy_pass http://127.0.0.1:9091; + } +} + diff --git a/roles/nginx/templates/vhosts/btf.mateu.be.conf.j2 b/roles/nginx/templates/vhosts/btf.mateu.be.conf.j2 new file mode 100644 index 0000000..51e55cd --- /dev/null +++ b/roles/nginx/templates/vhosts/btf.mateu.be.conf.j2 @@ -0,0 +1,12 @@ +server { +{% include './templates/header.conf.j2' %} + location / { + root /var/lib/transmission-daemon/downloads/; + autoindex on; + allow 2a01:cb0c:8516:7f00::/64; + allow 83.167.52.81; + allow 2001:1b48:2:103::/64; + allow 2001:bc8:26c1:101::/64; + deny all; + } +} diff --git a/roles/nginx/templates/vhosts/coince.mateu.be.conf.j2 b/roles/nginx/templates/vhosts/coince.mateu.be.conf.j2 new file mode 100644 index 0000000..ef373b6 --- /dev/null 
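Review bot: In `location ~ ^/(index).php(/.*)+` the `fastcgi_split_path_info` computes `$fastcgi_path_info` but nothing forwards it: unless the included fastcgi_params sets PATH_INFO (Debian's stock file does not, as far as I know), PHP never receives the path info and only REQUEST_URI remains for routing. Add `fastcgi_param PATH_INFO $fastcgi_path_info;` right after the split. The same pattern appears in forum.nintendojo.fr (`location ~ /(app).php(/.*)+`) and www.nintendojo.fr (`location ~ ^/(index).php(/.*)+`), and o.libertus.eu's Nextcloud block also splits without passing PATH_INFO; in all of them the `.` before `php` is unescaped and should be `\.php`.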
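Review bot: The four `allow` lines hard-code operator addresses into a vhost template, and coince.mateu.be carries a second, diverging copy (`2001:bc8:26c1:101:0:0:0:0/64` there versus `2001:bc8:26c1:101::/64` here, plus entries the other file lacks), so the two allow-lists will drift and a changed prefix has to be hunted down per file. Hold them in one group variable (constructed name) and render `{% for net in trusted_networks %}`, `allow {{ net }};`, `{% endfor %}` before `deny all;` in both templates. `autoindex on;` over the transmission download directory is presumably intended for the listed hosts only, but a comment saying so would help the next reader.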
+++ b/roles/nginx/templates/vhosts/coince.mateu.be.conf.j2
@@ -0,0 +1,22 @@
+server {
+{% include './templates/header.conf.j2' %}
+ root /srv/http/coince.mateu.be/;
+ index index.htm index.html index.php;
+
+ allow 2001:bc8:26c1:101:0:0:0:0/64;
+ allow 2001:bc8:26c1:105:0:0:0:0/64;
+ allow 2001:1b48:2:103::6d:2;
+ allow 83.167.52.81;
+ deny all;
+
+ location ~ \.php$ {
+ try_files $uri $uri/ =404;
+ fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
+ include fastcgi_params;
+ }
+
+ location /var {
+ deny all;
+ }
+}
+
diff --git a/roles/nginx/templates/vhosts/fav.libertus.eu.conf.j2 b/roles/nginx/templates/vhosts/fav.libertus.eu.conf.j2
new file mode 100644
index 0000000..47515eb
--- /dev/null
+++ b/roles/nginx/templates/vhosts/fav.libertus.eu.conf.j2
@@ -0,0 +1,22 @@
+## Shaarli
+server {
+{% include './templates/header.conf.j2' %}
+ root /srv/http/fav.libertus.eu/;
+ index index.html index.htm index.php;
+
+ location ^/(cache|data)/ {
+ deny all;
+ }
+
+ location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+ expires 2w;
+ log_not_found off;
+ }
+
+ location ~ \.php$ {
+ try_files $uri $uri/ =404;
+ fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
+ include fastcgi_params;
+ }
+}
+
diff --git a/roles/nginx/templates/vhosts/forum.nintendojo.fr.conf.j2 b/roles/nginx/templates/vhosts/forum.nintendojo.fr.conf.j2
new file mode 100644
index 0000000..b72430a
--- /dev/null
+++ b/roles/nginx/templates/vhosts/forum.nintendojo.fr.conf.j2
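Review bot: `location /var { deny all; }` is a plain prefix location, and nginx evaluates regex locations after prefixes, so a request for `/var/anything.php` matches `location ~ \.php$` and is executed by PHP-FPM instead of being denied; only the `^~` modifier stops the regex pass. Change it to `location ^~ /var/ { deny all; }` (the trailing slash also stops it from matching `/variants`). The server-level allow-list limits who can reach this vhost, but the deny should hold on its own.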
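Review bot: `location ^/(cache|data)/ {` is missing the `~` modifier, so nginx treats `^/(cache|data)/` as a literal prefix string that no URI can ever begin with and the deny never fires; Shaarli keeps its link store and configuration under data/, so those files stay reachable. The fix is `location ~ ^/(cache|data)/ {`. Since regex locations are matched in order, keep it above the `\.php$` block as it is now.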
@@ -0,0 +1,38 @@ +server { +{% include './templates/header.conf.j2' %} + root /srv/http/forum.nintendojo.fr/; + index index.html index.htm index.php; + + client_max_body_size 10M; + + location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { + expires 2w; + log_not_found off; + } + + location ~ \.htaccess$ { + deny all; + } + + location ~ ^/(files|store|cache|images/avatars/upload)/ { + deny all; + } + + location ~ ^/(config|common)\.php$ { + deny all; + } + + location ~ /(app).php(/.*)+ { + fastcgi_split_path_info ^(.+\.php)(/.*)$; + fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock; + fastcgi_read_timeout 60; + include fastcgi_params; + } + + location ~ \.php$ { + try_files $uri $uri/ =404; + fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock; + include fastcgi_params; + } +} + diff --git a/roles/nginx/templates/vhosts/intendo.fr.conf.j2 b/roles/nginx/templates/vhosts/intendo.fr.conf.j2 new file mode 100644 index 0000000..e69de29 diff --git a/roles/nginx/templates/vhosts/m.nintendojo.fr.conf.j2 b/roles/nginx/templates/vhosts/m.nintendojo.fr.conf.j2 new file mode 100644 index 0000000..c214072 --- /dev/null +++ b/roles/nginx/templates/vhosts/m.nintendojo.fr.conf.j2 
@@ -0,0 +1,61 @@ +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +server { +{% include './templates/header.conf.j2' %} + keepalive_timeout 70; + sendfile on; + client_max_body_size 0; + large_client_header_buffers 4 32k; + + # Referrer-Policy, même si Chrome ne comprendra pas + add_header Referrer-Policy "same-origin"; + + location / { + try_files $uri @proxy; + } + + location @proxy { + proxy_pass http://localhost:3000; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + + proxy_set_header Proxy ""; + proxy_pass_header Server; + + proxy_buffering off; + proxy_redirect off; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + tcp_nodelay on; + } + + location /api/v1/streaming { + proxy_pass http://localhost:4000; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + + proxy_set_header Proxy ""; + + proxy_buffering off; + proxy_redirect off; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + tcp_nodelay on; + } +} + diff --git a/roles/nginx/templates/vhosts/mail.libertus.eu.conf.j2 b/roles/nginx/templates/vhosts/mail.libertus.eu.conf.j2 new file mode 100644 index 0000000..7fd011b --- /dev/null +++ b/roles/nginx/templates/vhosts/mail.libertus.eu.conf.j2 
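Review bot: `add_header Referrer-Policy "same-origin";` at server level switches off header inheritance for this vhost: nginx only inherits `add_header` directives from the enclosing level when the current level defines none, so the Strict-Transport-Security header set in the http context via nginx.ssl.conf is not sent by m.nintendojo.fr at all. o.libertus.eu has the same problem with its server-level X-Content-Type-Options block, and its `\.(?:css|js|woff|svg|gif)$` location drops the server-level set once more. Either repeat `add_header Strict-Transport-Security max-age=15768000 always;` in every server/location that adds headers, or move all security headers into one include file that is pulled in at each such level. `client_max_body_size 0;` disables the body limit entirely; if the application behind ports 3000/4000 enforces its own media limits, a comment saying so would justify it.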
@@ -0,0 +1,40 @@ +server { +{% include './templates/header.conf.j2' %} + root /srv/http/mail.libertus.eu/; + index index.html index.htm index.php; + + client_max_body_size 512M; + + location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { + expires 2w; + log_not_found off; + } + + ## Dossiers et fichiers interdits d'accès + location ~ (README|INSTALL|LICENSE|SQL|bin|CHANGELOG|\.htaccess|\.inc)$ { + deny all; + } + location ~ ^/(config|logs|temp) { + deny all; + } + location ~ ^/program/js { + #autorise le dossier program/js + } + location ~ ^/program/.*\.gif$ { + #autorise les gifs du dossier program + } + location ~ ^/program { + deny all; + } + + location = /favicon.ico { + rewrite ^(.*)$ skins/default/images/favicon.ico; + } + + location ~ \.php$ { + try_files $uri $uri/ =404; + fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock; + include fastcgi_params; + } +} + diff --git a/roles/nginx/templates/vhosts/nintendojo.fr.conf.j2 b/roles/nginx/templates/vhosts/nintendojo.fr.conf.j2 new file mode 100644 index 0000000..e69de29 diff --git a/roles/nginx/templates/vhosts/o.libertus.eu.conf.j2 b/roles/nginx/templates/vhosts/o.libertus.eu.conf.j2 new file mode 100644 index 0000000..1f5fc7c --- /dev/null +++ b/roles/nginx/templates/vhosts/o.libertus.eu.conf.j2 
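Review bot: `rewrite ^(.*)$ skins/default/images/favicon.ico;` has no leading `/`, so the rewritten URI is relative and, as far as I can tell, never resolves to the file under the document root; `rewrite ^ /skins/default/images/favicon.ico last;` is the intended form. The empty `location ~ ^/program/js {` and `location ~ ^/program/.*\.gif$ {` blocks allow those paths by matching first, but a block with no handler serves files statically, so a `.php` file under program/js would be delivered as source rather than executed — acceptable only if that tree holds no PHP, which a comment should state. The deny regex `(README|INSTALL|LICENSE|SQL|bin|CHANGELOG|\.htaccess|\.inc)$` is unanchored at the front and therefore also blocks legitimate paths that merely end in `bin` or `SQL`.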
@@ -0,0 +1,82 @@ +server { +{% include './templates/header.conf.j2' %} + + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + + fastcgi_hide_header X-Powered-By; + + root /srv/http/o.libertus.eu/; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location = /.well-known/carddav { + return 301 $scheme://$host/remote.php/dav; + } + + location /.well-known/caldav { + return 301 $scheme://$host/remote.php/dav; + } + + client_max_body_size 1000M; + fastcgi_buffers 64 4k; + + # Avoid E-Tag error on text file + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + location / { + rewrite ^ /index.php$request_uri; + } + + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { + deny all; + } + + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm-oc.sock; + include fastcgi_params; + } + + location ~ 
^/(?:updater|ocs-provider)(?:$|/) { + try_files $uri/ =404; + index index.php; + } + + location ~* \.(?:css|js|woff|svg|gif)$ { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + access_log off; + } + + location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ { + try_files $uri /index.php$request_uri; + access_log off; + } +} + diff --git a/roles/nginx/templates/vhosts/perso.libertus.eu.conf.j2 b/roles/nginx/templates/vhosts/perso.libertus.eu.conf.j2 new file mode 100644 index 0000000..e69de29 diff --git a/roles/nginx/templates/vhosts/perso.nintendojo.fr.conf.j2 b/roles/nginx/templates/vhosts/perso.nintendojo.fr.conf.j2 new file mode 100644 index 0000000..e69de29 diff --git a/roles/nginx/templates/vhosts/r.mateu.be.conf.j2 b/roles/nginx/templates/vhosts/r.mateu.be.conf.j2 new file mode 100644 index 0000000..1c7ef71 --- /dev/null +++ b/roles/nginx/templates/vhosts/r.mateu.be.conf.j2 @@ -0,0 +1,25 @@ +server { + listen *:443 ssl http2; + listen [::]:443 ssl http2; + + server_name r.mateu.be perso.nintendojo.fr perso.libertus.eu; + access_log /var/log/nginx/r.mateu.be.access.log combined_port; + error_log /var/log/nginx/r.mateu.be.error.log; + ssl_certificate /etc/x509/r.mateu.be/fullchain.cer; + ssl_certificate_key /etc/x509/r.mateu.be/r.mateu.be.key; + + root /srv/http/r.mateu.be/; + + location / { + autoindex on; + } + + location ~ ^/~mortal/(.*)$ { + return 301 https://r.mateu.be/$1; + } + + location ~ ^/~clement\.veret/(.*)$ { + return 301 https://r.mateu.be/$1; + } +} + diff --git a/roles/nginx/templates/vhosts/rss.libertus.eu.conf.j2 b/roles/nginx/templates/vhosts/rss.libertus.eu.conf.j2 new file mode 100644 index 0000000..edf474f --- /dev/null +++ b/roles/nginx/templates/vhosts/rss.libertus.eu.conf.j2 
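Review bot: `location /.well-known/caldav {` is a prefix location without `=` or `^~`, so the later `location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {` matches `/.well-known/caldav` first and the request is denied with 403 instead of redirected; the carddav line just above it works only because it uses `=`. Make it `location = /.well-known/caldav {`. The PHP block's `fastcgi_split_path_info` also never forwards PATH_INFO to the `-fpm-oc.sock` pool; Nextcloud's reference configuration sets `fastcgi_param PATH_INFO $fastcgi_path_info;` explicitly.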
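Review bot: `server_name r.mateu.be perso.nintendojo.fr perso.libertus.eu;` is served with `/etc/x509/r.mateu.be/fullchain.cer`, so the two perso.* names only validate if that certificate carries them as SANs — nothing in the commit shows how /etc/x509 is populated, so a comment stating that requirement belongs next to the ssl_certificate line. This vhost, www.intendo.fr and www.nintendojo.fr repeat the listen/ssl/log lines instead of including header.conf.j2, presumably because that fragment can only express a single name; if so, say so in a comment so nobody "fixes" it. `autoindex on;` at `/` publishes a listing of /srv/http/r.mateu.be/ to everyone, which is fine for a public share but worth a comment.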
@@ -0,0 +1,20 @@ +server { +{% include './templates/header.conf.j2' %} + root /srv/http/rss.libertus.eu/; + index index.html index.htm index.php; + + location ~ \.(js|css|png|jpg|jpeg|gif|svg|svgz)$ { + expires 2w; + log_not_found off; + } + + location ~ /\.git { + deny all; + } + + location ~ \.php$ { + try_files $uri $uri/ =404; + fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock; + include fastcgi_params; + } +} diff --git a/roles/nginx/templates/vhosts/sonarr.mateu.be.conf.j2 b/roles/nginx/templates/vhosts/sonarr.mateu.be.conf.j2 new file mode 100644 index 0000000..98ce0c9 --- /dev/null +++ b/roles/nginx/templates/vhosts/sonarr.mateu.be.conf.j2 @@ -0,0 +1,8 @@ +server { +{% include './templates/header.conf.j2' %} + + location / { + proxy_pass http://localhost:8989; + } +} + diff --git a/roles/nginx/templates/vhosts/www.intendo.fr.conf.j2 b/roles/nginx/templates/vhosts/www.intendo.fr.conf.j2 new file mode 100644 index 0000000..58aa829 --- /dev/null +++ b/roles/nginx/templates/vhosts/www.intendo.fr.conf.j2 @@ -0,0 +1,14 @@ +server { + listen *:443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/x509/intendo.fr/fullchain.cer; + ssl_certificate_key /etc/x509/intendo.fr/intendo.fr.key; + server_name intendo.fr www.intendo.fr; + access_log /var/log/intendo.fr.access.log combined_port; + error_log /var/log/intendo.fr.error.log; + + location / { + return 302 https://www.nintendojo.fr$request_uri; + } +} + diff --git a/roles/nginx/templates/vhosts/www.nintendojo.fr.conf.j2 b/roles/nginx/templates/vhosts/www.nintendojo.fr.conf.j2 new file mode 100644 index 0000000..f0f689f --- /dev/null +++ b/roles/nginx/templates/vhosts/www.nintendojo.fr.conf.j2 
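Review bot: `access_log /var/log/intendo.fr.access.log combined_port;` and `error_log /var/log/intendo.fr.error.log;` write directly under /var/log instead of /var/log/nginx/ like every other vhost, which puts them outside the nginx logrotate rule and any log shipping that watches that directory; change both to `/var/log/nginx/intendo.fr.access.log` and `/var/log/nginx/intendo.fr.error.log`. `return 302` marks a temporary move; if the intendo.fr to www.nintendojo.fr consolidation is permanent, `return 301` lets clients and crawlers cache it.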
@@ -0,0 +1,83 @@ +## WP NintendojoFR +server { + listen *:443 ssl http2; + listen [::]:443 ssl http2; + server_name nintendojo.fr www.nintendojo.fr; + access_log /var/log/nginx/nintendojo.fr.access.log combined_port; + error_log /var/log/nginx/nintendojo.fr.error.log; + ssl_certificate /etc/x509/www.nintendojo.fr/fullchain.cer; + ssl_certificate_key /etc/x509/www.nintendojo.fr/www.nintendojo.fr.key; + + root /srv/http/www.nintendojo.fr/; + index index.html index.htm index.php; + + client_max_body_size 2G; + + # couper les fichiers cachés + location ~* /(?:uploads|files)/.*\.php$ { + deny all; + } + + # couper les fichiers textes du captcha + location ~* /wp-content/uploads/wpcf7_captcha/.*\.txt$ { + deny all; + } + + # Images de la v6 + location ~ ^/images/(.*)$ { + expires 2w; + alias /srv/http/archives.nintendojo.fr/v6/images/$1; + } + + # Images de la v6.7 + location ~ ^/public/(.*)$ { + expires 2w; + alias /srv/http/archives.nintendojo.fr/$1; + } + + # Zolie tweet + location /tweet { + rewrite ^/tweet/([0-9]+)$ /index.php/tweet/?id=$1 last; + rewrite ^/tweet/embed/([0-9]+)$ /index.php/tweetembed/?id=$1 last; + return 403; + } + + # Zolie wallpapers + location /wallpapers { + rewrite ^/wallpapers$ /index.php/wallpapers last; + rewrite ^/wallpapers/([0-9]+) /index.php/wallpapers/?id=$1 last; + location ~ ^/wallpapers/files(.*)(/.*\.jpg)$ { + expires 1w; + alias /srv/http/www.nintendojo.fr/wp-content/plugins/dojomurpapier/files$2; + } + } + + # Optimisation des images + location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { + expires 1w; + log_not_found off; + } + + # Interprétation PHP + location ~ ^/(index).php(/.*)+ { + fastcgi_split_path_info ^(.+\.php)(/.*)$; + fastcgi_cache wpdojo; + fastcgi_cache_key $request_method$host$request_uri; + fastcgi_cache_valid any 15m; + fastcgi_ignore_headers Cache-Control Expires Set-Cookie; + fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock; + fastcgi_read_timeout 60; + include fastcgi_params; + } + + location ~ 
\.php$ { + try_files $uri $uri/ =404; + fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock; + fastcgi_read_timeout 60; + include fastcgi_params; + } + + location / { + try_files $uri $uri/ /index.php$uri?$args; + } +} diff --git a/roles/nut-client/files/nut.conf b/roles/nut-client/files/nut.conf new file mode 100644 index 0000000..568ed25 --- /dev/null +++ b/roles/nut-client/files/nut.conf @@ -0,0 +1 @@ +MODE=netclient diff --git a/roles/nut-client/handlers/main.yml b/roles/nut-client/handlers/main.yml new file mode 100644 index 0000000..7afff8c --- /dev/null +++ b/roles/nut-client/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart nut-client + service: + name: nut-client + state: restarted diff --git a/roles/nut-client/tasks/main.yml b/roles/nut-client/tasks/main.yml new file mode 100644 index 0000000..75ae6f0 --- /dev/null +++ b/roles/nut-client/tasks/main.yml @@ -0,0 +1,19 @@ +- name: install nut client + package: + name: nut-client + state: present + +- name: upsmon.conf file + template: + src: upsmon.conf.j2 + dest: /etc/nut/upsmon.conf + mode: '0640' + notify: restart nut-client + +- name: nut.conf file + copy: + src: files/nut.conf + dest: /etc/nut/nut.conf + mode: '0640' + when: inventory_hostname not in groups['nut_server'] + notify: restart nut-client diff --git a/roles/nut-client/templates/upsmon.conf.j2 b/roles/nut-client/templates/upsmon.conf.j2 new file mode 100644 index 0000000..68d735f --- /dev/null +++ b/roles/nut-client/templates/upsmon.conf.j2 @@ -0,0 +1,15 @@ +MONITOR eaton3s@{{ hostvars[groups['nut_server'][0]]['ansible_default_ipv4']['address'] }}:3493 1 {% if inventory_hostname in groups['nut_server'] %}monuser {{ nut_pass }} master{% else %}slaveuser {{ nut_pass }} slave{% endif %} + +MINSUPPLIES 1 +SHUTDOWNCMD "/sbin/shutdown -h +0" +POLLFREQ 5 +POLLFREQALERT 5 +HOSTSYNC 15 +DEADTIME 15 +POWERDOWNFLAG /etc/killpower +NOTIFYFLAG ONBATT SYSLOG+WALL +NOTIFYFLAG ONLINE SYSLOG+WALL +RBWARNTIME 43200 +NOCOMMWARNTIME 300 +FINALDELAY 5 + 
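Review bot: The `fastcgi_cache wpdojo;` block in `location ~ ^/(index).php(/.*)+` (that location opens in the previous part of this hunk) caches with `fastcgi_cache_valid any 15m` and `fastcgi_ignore_headers Cache-Control Expires Set-Cookie` under a key of only `$request_method$host$request_uri`, so a page rendered for a logged-in WordPress user, Set-Cookie included, can be stored and served to the next anonymous visitor of the same URI for up to 15 minutes — honouring Set-Cookie is exactly what normally stops nginx from caching such responses. At minimum add `fastcgi_no_cache $http_cookie;` and `fastcgi_cache_bypass $http_cookie;` so requests carrying cookies are neither served from nor written to the cache, and narrow `any` to `200 301 302`. The `wpdojo` zone also needs a `fastcgi_cache_path ... keys_zone=wpdojo:...` in http context; nginx.conf.j2 in this commit does not define one, so unless conf.d provides it nginx will reject the configuration.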
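Review bot: The `template` and `copy` tasks set `mode: '0640'` but no `owner`/`group`, and upsmon.conf carries `{{ nut_pass }}`; whether the nut daemons can read the result then depends on the group the file already had from the package (Ansible keeps an existing destination's ownership, as far as I recall), and a freshly created file ends up root:root. Pin it with `owner: root` and `group: nut` on each of these tasks, and likewise in roles/nut-server/tasks/main.yml for ups.conf, upsd.conf and upsd.users, which hold the same secret. The `nut` group is the one the udev rule in this commit already relies on.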
diff --git a/roles/nut-server/files/90-nut-ups.rules b/roles/nut-server/files/90-nut-ups.rules new file mode 100644 index 0000000..d7464cf --- /dev/null +++ b/roles/nut-server/files/90-nut-ups.rules @@ -0,0 +1,2 @@ +ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="0463", ATTR{idProduct}=="ffff", MODE="0660", GROUP="nut" + diff --git a/roles/nut-server/files/nut.conf b/roles/nut-server/files/nut.conf new file mode 100644 index 0000000..6529f5e --- /dev/null +++ b/roles/nut-server/files/nut.conf @@ -0,0 +1 @@ +MODE=standalone diff --git a/roles/nut-server/files/ups.conf b/roles/nut-server/files/ups.conf new file mode 100644 index 0000000..cfffe43 --- /dev/null +++ b/roles/nut-server/files/ups.conf @@ -0,0 +1,5 @@ +maxretry = 3 +[eaton3s] +driver=usbhid-ups +port=auto +default.battery.charge.low=10 diff --git a/roles/nut-server/files/upsd.conf b/roles/nut-server/files/upsd.conf new file mode 100644 index 0000000..80fe475 --- /dev/null +++ b/roles/nut-server/files/upsd.conf @@ -0,0 +1 @@ +LISTEN * 3493 diff --git a/roles/nut-server/handlers/main.yml b/roles/nut-server/handlers/main.yml new file mode 100644 index 0000000..c3aab9c --- /dev/null +++ b/roles/nut-server/handlers/main.yml @@ -0,0 +1,12 @@ +- name: restart nut-server + service: + name: nut-server + state: restarted + +- name: udev + command: "udevadm control --reload-rules && udevadm trigger" + +- name: restart nut-driver + service: + name: nut-driver + state: restarted diff --git a/roles/nut-server/tasks/main.yml b/roles/nut-server/tasks/main.yml new file mode 100644 index 0000000..44d4315 --- /dev/null +++ b/roles/nut-server/tasks/main.yml 
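Review bot: `command: "udevadm control --reload-rules && udevadm trigger"` will not do what it says: the `command` module does not go through a shell, so `&&` and `udevadm trigger` are passed to `udevadm control` as literal arguments and the handler fails or, at best, never triggers. Either use `shell: "udevadm control --reload-rules && udevadm trigger"` or split it into two `command` handlers. The handler name `udev` is also generic; `reload udev rules` reads better next to the two restart handlers.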
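Review bot: `LISTEN * 3493` binds upsd on every interface, while the clients (upsmon.conf.j2) reach the server only through its `ansible_default_ipv4` address; together with the shared-password upsd.users this exposes the NUT protocol to anything that can reach the host. Bind to the addresses actually used, e.g. `LISTEN 127.0.0.1 3493` plus one `LISTEN <server address> 3493` line (address taken from inventory, not hard-coded), or add a comment stating that the firewall role restricts port 3493 to the client hosts.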
@@ -0,0 +1,40 @@ +- name: install nut server + package: + name: nut-server + state: present + +- name: udev conf file for nut + copy: + src: files/90-nut-ups.rules + dest: /etc/udev/rules.d/90-nut-ups.rules + notify: + - udev + - restart nut-driver + +- name: nut.conf file + copy: + src: files/nut.conf + dest: /etc/nut/nut.conf + mode: '0640' + notify: restart nut-server + +- name: ups.conf file + copy: + src: files/ups.conf + dest: /etc/nut/ups.conf + mode: '0640' + notify: restart nut-server + +- name: upsd.conf file + copy: + src: files/upsd.conf + dest: /etc/nut/upsd.conf + mode: '0640' + notify: restart nut-server + +- name: upsd.users file + template: + src: upsd.users.j2 + dest: /etc/nut/upsd.users + mode: '0640' + notify: restart nut-server diff --git a/roles/nut-server/templates/upsd.users.j2 b/roles/nut-server/templates/upsd.users.j2 new file mode 100644 index 0000000..a280982 --- /dev/null +++ b/roles/nut-server/templates/upsd.users.j2 @@ -0,0 +1,7 @@ +[monuser] +password={{ nut_pass }} +upsmon master + +[slaveuser] +password={{ nut_pass }} +upsmon slave diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml new file mode 100644 index 0000000..6027867 --- /dev/null +++ b/roles/php/defaults/main.yml @@ -0,0 +1 @@ +php_modules: "['opcache', 'mysql', 'mbstring', 'gd']" diff --git a/roles/php/files/php.ini b/roles/php/files/php.ini new file mode 100644 index 0000000..29694a0 --- /dev/null +++ b/roles/php/files/php.ini 
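Review bot: `[monuser]` and `[slaveuser]` are both given `password={{ nut_pass }}`, so the master account and the slave account share one secret, and upsmon.conf.j2 hands that same value to every client; a compromised client host can therefore authenticate as the master. Use two variables (constructed names: `nut_master_pass` for `[monuser]`, `nut_slave_pass` for `[slaveuser]`) and select the matching one in the `{% if inventory_hostname in groups['nut_server'] %}` branch of upsmon.conf.j2. A header comment that this file holds credentials and must stay 0640 root:nut would also help, since the copying tasks set only the mode.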
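Review bot: `php_modules: "['opcache', 'mysql', 'mbstring', 'gd']"` is a string containing a list literal, not a list, so a task that loops over it either iterates characters or relies on Ansible's version-dependent literal evaluation of templated strings. Declare it as a real YAML list: `php_modules: ['opcache', 'mysql', 'mbstring', 'gd']`, or the block form with one `- ` entry per module.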
@@ -0,0 +1,1944 @@ +[PHP] + +;;;;;;;;;;;;;;;;;;; +; About php.ini ; +;;;;;;;;;;;;;;;;;;; +; PHP's initialization file, generally called php.ini, is responsible for +; configuring many of the aspects of PHP's behavior. + +; PHP attempts to find and load this configuration from a number of locations. +; The following is a summary of its search order: +; 1. SAPI module specific location. +; 2. The PHPRC environment variable. (As of PHP 5.2.0) +; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0) +; 4. Current working directory (except CLI) +; 5. The web server's directory (for SAPI modules), or directory of PHP +; (otherwise in Windows) +; 6. The directory from the --with-config-file-path compile time option, or the +; Windows directory (usually C:\windows) +; See the PHP docs for more specific information. +; http://php.net/configuration.file + +; The syntax of the file is extremely simple. Whitespace and lines +; beginning with a semicolon are silently ignored (as you probably guessed). +; Section headers (e.g. [Foo]) are also silently ignored, even though +; they might mean something in the future. + +; Directives following the section heading [PATH=/www/mysite] only +; apply to PHP files in the /www/mysite directory. Directives +; following the section heading [HOST=www.example.com] only apply to +; PHP files served from www.example.com. Directives set in these +; special sections cannot be overridden by user-defined INI files or +; at runtime. Currently, [PATH=] and [HOST=] sections only work under +; CGI/FastCGI. +; http://php.net/ini.sections + +; Directives are specified using the following syntax: +; directive = value +; Directive names are *case sensitive* - foo=bar is different from FOO=bar. +; Directives are variables used to configure PHP or PHP extensions. +; There is no name validation. If PHP can't find an expected +; directive because it is not set or is mistyped, a default value will be used. 
+ +; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one +; of the INI constants (On, Off, True, False, Yes, No and None) or an expression +; (e.g. E_ALL & ~E_NOTICE), a quoted string ("bar"), or a reference to a +; previously set variable or directive (e.g. ${foo}) + +; Expressions in the INI file are limited to bitwise operators and parentheses: +; | bitwise OR +; ^ bitwise XOR +; & bitwise AND +; ~ bitwise NOT +; ! boolean NOT + +; Boolean flags can be turned on using the values 1, On, True or Yes. +; They can be turned off using the values 0, Off, False or No. + +; An empty string can be denoted by simply not writing anything after the equal +; sign, or by using the None keyword: + +; foo = ; sets foo to an empty string +; foo = None ; sets foo to an empty string +; foo = "None" ; sets foo to the string 'None' + +; If you use constants in your value, and these constants belong to a +; dynamically loaded extension (either a PHP extension or a Zend extension), +; you may only use these constants *after* the line that loads the extension. + +;;;;;;;;;;;;;;;;;;; +; About this file ; +;;;;;;;;;;;;;;;;;;; +; PHP comes packaged with two INI files. One that is recommended to be used +; in production environments and one that is recommended to be used in +; development environments. + +; php.ini-production contains settings which hold security, performance and +; best practices at its core. But please be aware, these settings may break +; compatibility with older or less security conscience applications. We +; recommending using the production ini in production and testing environments. + +; php.ini-development is very similar to its production variant, except it is +; much more verbose when it comes to errors. We recommend using the +; development version only in development environments, as errors shown to +; application users can inadvertently leak otherwise secure information. + +; This is the php.ini-production INI file. 
+ +;;;;;;;;;;;;;;;;;;; +; Quick Reference ; +;;;;;;;;;;;;;;;;;;; +; The following are all the settings which are different in either the production +; or development versions of the INIs with respect to PHP's default behavior. +; Please see the actual settings later in the document for more details as to why +; we recommend these changes in PHP's behavior. + +; display_errors +; Default Value: On +; Development Value: On +; Production Value: Off + +; display_startup_errors +; Default Value: Off +; Development Value: On +; Production Value: Off + +; error_reporting +; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED +; Development Value: E_ALL +; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT + +; html_errors +; Default Value: On +; Development Value: On +; Production value: On + +; log_errors +; Default Value: Off +; Development Value: On +; Production Value: On + +; max_input_time +; Default Value: -1 (Unlimited) +; Development Value: 60 (60 seconds) +; Production Value: 60 (60 seconds) + +; output_buffering +; Default Value: Off +; Development Value: 4096 +; Production Value: 4096 + +; register_argc_argv +; Default Value: On +; Development Value: Off +; Production Value: Off + +; request_order +; Default Value: None +; Development Value: "GP" +; Production Value: "GP" + +; session.gc_divisor +; Default Value: 100 +; Development Value: 1000 +; Production Value: 1000 + +; session.sid_bits_per_character +; Default Value: 4 +; Development Value: 5 +; Production Value: 5 + +; short_open_tag +; Default Value: On +; Development Value: Off +; Production Value: Off + +; track_errors +; Default Value: Off +; Development Value: On +; Production Value: Off + +; variables_order +; Default Value: "EGPCS" +; Development Value: "GPCS" +; Production Value: "GPCS" + +;;;;;;;;;;;;;;;;;;;; +; php.ini Options ; +;;;;;;;;;;;;;;;;;;;; +; Name for user-defined php.ini (.htaccess) files. 
Default is ".user.ini" +;user_ini.filename = ".user.ini" + +; To disable this feature set this option to an empty value +;user_ini.filename = + +; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes) +;user_ini.cache_ttl = 300 + +;;;;;;;;;;;;;;;;;;;; +; Language Options ; +;;;;;;;;;;;;;;;;;;;; + +; Enable the PHP scripting language engine under Apache. +; http://php.net/engine +engine = On + +; This directive determines whether or not PHP will recognize code between +; tags as PHP source which should be processed as such. It is +; generally recommended that should be used and that this feature +; should be disabled, as enabling it may result in issues when generating XML +; documents, however this remains supported for backward compatibility reasons. +; Note that this directive does not control the would work. +; http://php.net/syntax-highlighting +;highlight.string = #DD0000 +;highlight.comment = #FF9900 +;highlight.keyword = #007700 +;highlight.default = #0000BB +;highlight.html = #000000 + +; If enabled, the request will be allowed to complete even if the user aborts +; the request. Consider enabling it if executing long requests, which may end up +; being interrupted by the user or a browser timing out. PHP's default behavior +; is to disable this feature. +; http://php.net/ignore-user-abort +;ignore_user_abort = On + +; Determines the size of the realpath cache to be used by PHP. This value should +; be increased on systems where PHP opens many files to reflect the quantity of +; the file operations performed. +; Note: if open_basedir is set, the cache is disabled +; http://php.net/realpath-cache-size +;realpath_cache_size = 4096k + +; Duration of time, in seconds for which to cache realpath information for a given +; file or directory. For systems with rarely changing files, consider increasing this +; value. 
+; http://php.net/realpath-cache-ttl +;realpath_cache_ttl = 120 + +; Enables or disables the circular reference collector. +; http://php.net/zend.enable-gc +zend.enable_gc = On + +; If enabled, scripts may be written in encodings that are incompatible with +; the scanner. CP936, Big5, CP949 and Shift_JIS are the examples of such +; encodings. To use this feature, mbstring extension must be enabled. +; Default: Off +;zend.multibyte = Off + +; Allows to set the default encoding for the scripts. This value will be used +; unless "declare(encoding=...)" directive appears at the top of the script. +; Only affects if zend.multibyte is set. +; Default: "" +;zend.script_encoding = + +;;;;;;;;;;;;;;;;; +; Miscellaneous ; +;;;;;;;;;;;;;;;;; + +; Decides whether PHP may expose the fact that it is installed on the server +; (e.g. by adding its signature to the Web server header). It is no security +; threat in any way, but it makes it possible to determine whether you use PHP +; on your server or not. +; http://php.net/expose-php +expose_php = Off + +;;;;;;;;;;;;;;;;;;; +; Resource Limits ; +;;;;;;;;;;;;;;;;;;; + +; Maximum execution time of each script, in seconds +; http://php.net/max-execution-time +; Note: This directive is hardcoded to 0 for the CLI SAPI +max_execution_time = 30 + +; Maximum amount of time each script may spend parsing request data. It's a good +; idea to limit this time on productions servers in order to eliminate unexpectedly +; long running scripts. 
+; Note: This directive is hardcoded to -1 for the CLI SAPI +; Default Value: -1 (Unlimited) +; Development Value: 60 (60 seconds) +; Production Value: 60 (60 seconds) +; http://php.net/max-input-time +max_input_time = 60 + +; Maximum input variable nesting level +; http://php.net/max-input-nesting-level +;max_input_nesting_level = 64 + +; How many GET/POST/COOKIE input variables may be accepted +;max_input_vars = 1000 + +; Maximum amount of memory a script may consume (128MB) +; http://php.net/memory-limit +memory_limit = 128M + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +; Error handling and logging ; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +; This directive informs PHP of which errors, warnings and notices you would like +; it to take action for. The recommended way of setting values for this +; directive is through the use of the error level constants and bitwise +; operators. The error level constants are below here for convenience as well as +; some common settings and their meanings. +; By default, PHP is set to take action on all errors, notices and warnings EXCEPT +; those related to E_NOTICE and E_STRICT, which together cover best practices and +; recommended coding standards in PHP. For performance reasons, this is the +; recommend error reporting setting. Your production server shouldn't be wasting +; resources complaining about best practices and coding standards. That's what +; development servers and development settings are for. +; Note: The php.ini-development file has this setting as E_ALL. This +; means it pretty much reports everything which is exactly what you want during +; development and early testing. 
+;
+; Error Level Constants:
+; E_ALL - All errors and warnings (includes E_STRICT as of PHP 5.4.0)
+; E_ERROR - fatal run-time errors
+; E_RECOVERABLE_ERROR - almost fatal run-time errors
+; E_WARNING - run-time warnings (non-fatal errors)
+; E_PARSE - compile-time parse errors
+; E_NOTICE - run-time notices (these are warnings which often result
+; from a bug in your code, but it's possible that it was
+; intentional (e.g., using an uninitialized variable and
+; relying on the fact it is automatically initialized to an
+; empty string)
+; E_STRICT - run-time notices, enable to have PHP suggest changes
+; to your code which will ensure the best interoperability
+; and forward compatibility of your code
+; E_CORE_ERROR - fatal errors that occur during PHP's initial startup
+; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's
+; initial startup
+; E_COMPILE_ERROR - fatal compile-time errors
+; E_COMPILE_WARNING - compile-time warnings (non-fatal errors)
+; E_USER_ERROR - user-generated error message
+; E_USER_WARNING - user-generated warning message
+; E_USER_NOTICE - user-generated notice message
+; E_DEPRECATED - warn about code that will not work in future versions
+; of PHP
+; E_USER_DEPRECATED - user-generated deprecation warnings
+;
+; Common Values:
+; E_ALL (Show all errors, warnings and notices including coding standards.)
+; E_ALL & ~E_NOTICE (Show all errors, except for notices)
+; E_ALL & ~E_NOTICE & ~E_STRICT (Show all errors, except for notices and coding standards warnings.)
+; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors)
+; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
+; Development Value: E_ALL
+; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
+; http://php.net/error-reporting
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+
+; This directive controls whether or not and where PHP will output errors,
+; notices and warnings too. Error output is very useful during development, but
+; it could be very dangerous in production environments. Depending on the code
+; which is triggering the error, sensitive information could potentially leak
+; out of your application such as database usernames and passwords or worse.
+; For production environments, we recommend logging errors rather than
+; sending them to STDOUT.
+; Possible Values:
+; Off = Do not display any errors
+; stderr = Display errors to STDERR (affects only CGI/CLI binaries!)
+; On or stdout = Display errors to STDOUT
+; Default Value: On
+; Development Value: On
+; Production Value: Off
+; http://php.net/display-errors
+display_errors = Off
+
+; The display of errors which occur during PHP's startup sequence are handled
+; separately from display_errors. PHP's default behavior is to suppress those
+; errors from clients. Turning the display of startup errors on can be useful in
+; debugging configuration problems. We strongly recommend you
+; set this to 'off' for production servers.
+; Default Value: Off
+; Development Value: On
+; Production Value: Off
+; http://php.net/display-startup-errors
+display_startup_errors = Off
+
+; Besides displaying errors, PHP can also log errors to locations such as a
+; server-specific log, STDERR, or a location specified by the error_log
+; directive found below. While errors should not be displayed on productions
+; servers they should still be monitored and logging is a great way to do that.
+; Default Value: Off
+; Development Value: On
+; Production Value: On
+; http://php.net/log-errors
+log_errors = On
+
+; Set maximum length of log_errors. In error_log information about the source is
+; added. The default is 1024 and 0 allows to not apply any maximum length at all.
+; http://php.net/log-errors-max-len
+log_errors_max_len = 1024
+
+; Do not log repeated messages. Repeated errors must occur in same file on same
+; line unless ignore_repeated_source is set true.
+; http://php.net/ignore-repeated-errors
+ignore_repeated_errors = Off
+
+; Ignore source of message when ignoring repeated messages. When this setting
+; is On you will not log errors with repeated messages from different files or
+; source lines.
+; http://php.net/ignore-repeated-source
+ignore_repeated_source = Off
+
+; If this parameter is set to Off, then memory leaks will not be shown (on
+; stdout or in the log). This has only effect in a debug compile, and if
+; error reporting includes E_WARNING in the allowed list
+; http://php.net/report-memleaks
+report_memleaks = On
+
+; This setting is on by default.
+;report_zend_debug = 0
+
+; Store the last error/warning message in $php_errormsg (boolean). Setting this value
+; to On can assist in debugging and is appropriate for development servers. It should
+; however be disabled on production servers.
+; This directive is DEPRECATED.
+; Default Value: Off
+; Development Value: Off
+; Production Value: Off
+; http://php.net/track-errors
+;track_errors = Off
+
+; Turn off normal error reporting and emit XML-RPC error XML
+; http://php.net/xmlrpc-errors
+;xmlrpc_errors = 0
+
+; An XML-RPC faultCode
+;xmlrpc_error_number = 0
+
+; When PHP displays or logs an error, it has the capability of formatting the
+; error message as HTML for easier reading. This directive controls whether
+; the error message is formatted as HTML or not.
+; Note: This directive is hardcoded to Off for the CLI SAPI
+; Default Value: On
+; Development Value: On
+; Production value: On
+; http://php.net/html-errors
+html_errors = On
+
+; If html_errors is set to On *and* docref_root is not empty, then PHP
+; produces clickable error messages that direct to a page describing the error
+; or function causing the error in detail.
+; You can download a copy of the PHP manual from http://php.net/docs
+; and change docref_root to the base URL of your local copy including the
+; leading '/'. You must also specify the file extension being used including
+; the dot. PHP's default behavior is to leave these settings empty, in which
+; case no links to documentation are generated.
+; Note: Never use this feature for production boxes.
+; http://php.net/docref-root
+; Examples
+;docref_root = "/phpmanual/"
+
+; http://php.net/docref-ext
+;docref_ext = .html
+
+; String to output before an error message. PHP's default behavior is to leave
+; this setting blank.
+; http://php.net/error-prepend-string
+; Example:
+;error_prepend_string = ""
+
+; String to output after an error message. PHP's default behavior is to leave
+; this setting blank.
+; http://php.net/error-append-string
+; Example:
+;error_append_string = ""
+
+; Log errors to specified file. PHP's default behavior is to leave this value
+; empty.
+; http://php.net/error-log
+; Example:
+;error_log = php_errors.log
+; Log errors to syslog (Event Log on Windows).
+;error_log = syslog
+
+; The syslog ident is a string which is prepended to every message logged
+; to syslog. Only used when error_log is set to syslog.
+;syslog.ident = php
+
+; The syslog facility is used to specify what type of program is logging
+; the message. Only used when error_log is set to syslog.
+;syslog.facility = user
+
+; Set this to disable filtering control characters (the default).
+; Some loggers only accept NVT-ASCII, others accept anything that's not
+; control characters. If your logger accepts everything, then no filtering
+; is needed at all.
+; Allowed values are:
+; ascii (all printable ASCII characters and NL)
+; no-ctrl (all characters except control characters)
+; all (all characters)
+; http://php.net/syslog.filter
+;syslog.filter = ascii
+
+;windows.show_crt_warning
+; Default value: 0
+; Development value: 0
+; Production value: 0
+
+;;;;;;;;;;;;;;;;;
+; Data Handling ;
+;;;;;;;;;;;;;;;;;
+
+; The separator used in PHP generated URLs to separate arguments.
+; PHP's default setting is "&".
+; http://php.net/arg-separator.output
+; Example:
+;arg_separator.output = "&"
+
+; List of separator(s) used by PHP to parse input URLs into variables.
+; PHP's default setting is "&".
+; NOTE: Every character in this directive is considered as separator!
+; http://php.net/arg-separator.input
+; Example:
+;arg_separator.input = ";&"
+
+; This directive determines which super global arrays are registered when PHP
+; starts up. G,P,C,E & S are abbreviations for the following respective super
+; globals: GET, POST, COOKIE, ENV and SERVER. There is a performance penalty
+; paid for the registration of these arrays and because ENV is not as commonly
+; used as the others, ENV is not recommended on productions servers. You
+; can still get access to the environment variables through getenv() should you
+; need to.
+; Default Value: "EGPCS"
+; Development Value: "GPCS"
+; Production Value: "GPCS";
+; http://php.net/variables-order
+variables_order = "GPCS"
+
+; This directive determines which super global data (G,P & C) should be
+; registered into the super global array REQUEST. If so, it also determines
+; the order in which that data is registered. The values for this directive
+; are specified in the same manner as the variables_order directive,
+; EXCEPT one. Leaving this value empty will cause PHP to use the value set
+; in the variables_order directive. It does not mean it will leave the super
+; globals array REQUEST empty.
+; Default Value: None
+; Development Value: "GP"
+; Production Value: "GP"
+; http://php.net/request-order
+request_order = "GP"
+
+; This directive determines whether PHP registers $argv & $argc each time it
+; runs. $argv contains an array of all the arguments passed to PHP when a script
+; is invoked. $argc contains an integer representing the number of arguments
+; that were passed when the script was invoked. These arrays are extremely
+; useful when running scripts from the command line. When this directive is
+; enabled, registering these variables consumes CPU cycles and memory each time
+; a script is executed. For performance reasons, this feature should be disabled
+; on production servers.
+; Note: This directive is hardcoded to On for the CLI SAPI
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+; http://php.net/register-argc-argv
+register_argc_argv = Off
+
+; When enabled, the ENV, REQUEST and SERVER variables are created when they're
+; first used (Just In Time) instead of when the script starts. If these
+; variables are not used within a script, having this directive on will result
+; in a performance gain. The PHP directive register_argc_argv must be disabled
+; for this directive to have any affect.
+; http://php.net/auto-globals-jit
+auto_globals_jit = On
+
+; Whether PHP will read the POST data.
+; This option is enabled by default.
+; Most likely, you won't want to disable this option globally. It causes $_POST
+; and $_FILES to always be empty; the only way you will be able to read the
+; POST data will be through the php://input stream wrapper. This can be useful
+; to proxy requests or to process the POST data in a memory efficient fashion.
+; http://php.net/enable-post-data-reading
+;enable_post_data_reading = Off
+
+; Maximum size of POST data that PHP will accept.
+; Its value may be 0 to disable the limit. It is ignored if POST data reading
+; is disabled through enable_post_data_reading.
+; http://php.net/post-max-size
+post_max_size = 1G
+
+; Automatically add files before PHP document.
+; http://php.net/auto-prepend-file
+auto_prepend_file =
+
+; Automatically add files after PHP document.
+; http://php.net/auto-append-file
+auto_append_file =
+
+; By default, PHP will output a media type using the Content-Type header. To
+; disable this, simply set it to be empty.
+;
+; PHP's built-in default media type is set to text/html.
+; http://php.net/default-mimetype
+default_mimetype = "text/html"
+
+; PHP's default character set is set to UTF-8.
+; http://php.net/default-charset
+default_charset = "UTF-8"
+
+; PHP internal character encoding is set to empty.
+; If empty, default_charset is used.
+; http://php.net/internal-encoding
+;internal_encoding =
+
+; PHP input character encoding is set to empty.
+; If empty, default_charset is used.
+; http://php.net/input-encoding
+;input_encoding =
+
+; PHP output character encoding is set to empty.
+; If empty, default_charset is used.
+; See also output_buffer.
+; http://php.net/output-encoding
+;output_encoding =
+
+;;;;;;;;;;;;;;;;;;;;;;;;;
+; Paths and Directories ;
+;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; UNIX: "/path1:/path2"
+;include_path = ".:/usr/share/php"
+;
+; Windows: "\path1;\path2"
+;include_path = ".;c:\php\includes"
+;
+; PHP's default setting for include_path is ".;/path/to/php/pear"
+; http://php.net/include-path
+
+; The root of the PHP pages, used only if nonempty.
+; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root
+; if you are running php as a CGI under any web server (other than IIS)
+; see documentation for security issues. The alternate is to use the
+; cgi.force_redirect configuration below
+; http://php.net/doc-root
+doc_root =
+
+; The directory under which PHP opens the script using /~username used only
+; if nonempty.
+; http://php.net/user-dir
+user_dir =
+
+; Directory in which the loadable extensions (modules) reside.
+; http://php.net/extension-dir
+;extension_dir = "./"
+; On windows:
+;extension_dir = "ext"
+
+; Directory where the temporary files should be placed.
+; Defaults to the system default (see sys_get_temp_dir)
+;sys_temp_dir = "/tmp"
+
+; Whether or not to enable the dl() function. The dl() function does NOT work
+; properly in multithreaded servers, such as IIS or Zeus, and is automatically
+; disabled on them.
+; http://php.net/enable-dl
+enable_dl = Off
+
+; cgi.force_redirect is necessary to provide security running PHP as a CGI under
+; most web servers. Left undefined, PHP turns this on by default. You can
+; turn it off here AT YOUR OWN RISK
+; **You CAN safely turn this off for IIS, in fact, you MUST.**
+; http://php.net/cgi.force-redirect
+;cgi.force_redirect = 1
+
+; if cgi.nph is enabled it will force cgi to always sent Status: 200 with
+; every request. PHP's default behavior is to disable this feature.
+;cgi.nph = 1
+
+; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape
+; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
+; will look for to know it is OK to continue execution. Setting this variable MAY
+; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
+; http://php.net/cgi.redirect-status-env
+;cgi.redirect_status_env =
+
+; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
+; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
+; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
+; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting
+; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
+; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
+; http://php.net/cgi.fix-pathinfo
+;cgi.fix_pathinfo=1
+
+; if cgi.discard_path is enabled, the PHP CGI binary can safely be placed outside
+; of the web tree and people will not be able to circumvent .htaccess security.
+;cgi.discard_path=1
+
+; FastCGI under IIS supports the ability to impersonate
+; security tokens of the calling client. This allows IIS to define the
+; security context that the request runs under. mod_fastcgi under Apache
+; does not currently support this feature (03/17/2002)
+; Set to 1 if running under IIS. Default is zero.
+; http://php.net/fastcgi.impersonate
+;fastcgi.impersonate = 1
+
+; Disable logging through FastCGI connection. PHP's default behavior is to enable
+; this feature.
+;fastcgi.logging = 0
+
+; cgi.rfc2616_headers configuration option tells PHP what type of headers to
+; use when sending HTTP response code. If set to 0, PHP sends Status: header that
+; is supported by Apache. When this option is set to 1, PHP will send
+; RFC2616 compliant header.
+; Default is zero.
+; http://php.net/cgi.rfc2616-headers
+;cgi.rfc2616_headers = 0
+
+; cgi.check_shebang_line controls whether CGI PHP checks for line starting with #!
+; (shebang) at the top of the running script. This line might be needed if the
+; script support running both as stand-alone script and via PHP CGI<. PHP in CGI
+; mode skips this line and ignores its content if this directive is turned on.
+; http://php.net/cgi.check-shebang-line
+;cgi.check_shebang_line=1
+
+;;;;;;;;;;;;;;;;
+; File Uploads ;
+;;;;;;;;;;;;;;;;
+
+; Whether to allow HTTP file uploads.
+; http://php.net/file-uploads
+file_uploads = On
+
+; Temporary directory for HTTP uploaded files (will use system default if not
+; specified).
+; http://php.net/upload-tmp-dir
+;upload_tmp_dir =
+
+; Maximum allowed size for uploaded files.
+; http://php.net/upload-max-filesize
+upload_max_filesize = 1G
+
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 20
+
+;;;;;;;;;;;;;;;;;;
+; Fopen wrappers ;
+;;;;;;;;;;;;;;;;;;
+
+; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
+; http://php.net/allow-url-fopen
+allow_url_fopen = On
+
+; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
+; http://php.net/allow-url-include
+allow_url_include = Off
+
+; Define the anonymous ftp password (your email address). PHP's default setting
+; for this is empty.
+; http://php.net/from
+;from="john@doe.com"
+
+; Define the User-Agent string. PHP's default setting for this is empty.
+; http://php.net/user-agent
+;user_agent="PHP"
+
+; Default timeout for socket based streams (seconds)
+; http://php.net/default-socket-timeout
+default_socket_timeout = 60
+
+; If your scripts have to deal with files from Macintosh systems,
+; or you are running on a Mac and need to deal with files from
+; unix or win32 systems, setting this flag will cause PHP to
+; automatically detect the EOL character in those files so that
+; fgets() and file() will work regardless of the source of the file.
+; http://php.net/auto-detect-line-endings
+;auto_detect_line_endings = Off
+
+;;;;;;;;;;;;;;;;;;;;;;
+; Dynamic Extensions ;
+;;;;;;;;;;;;;;;;;;;;;;
+
+; If you wish to have an extension loaded automatically, use the following
+; syntax:
+;
+; extension=modulename
+;
+; For example:
+;
+; extension=mysqli
+;
+; When the extension library to load is not located in the default extension
+; directory, You may specify an absolute path to the library file:
+;
+; extension=/path/to/extension/mysqli.so
+;
+; Note : The syntax used in previous PHP versions ('extension=.so' and
+; 'extension='php_.dll') is supported for legacy reasons and may be
+; deprecated in a future PHP major version. So, when it is possible, please
+; move to the new ('extension=) syntax.
+;
+; Notes for Windows environments :
+;
+; - Many DLL files are located in the extensions/ (PHP 4) or ext/ (PHP 5+)
+; extension folders as well as the separate PECL DLL download (PHP 5+).
+; Be sure to appropriately set the extension_dir directive.
+;
+;extension=bz2
+;extension=curl
+;extension=fileinfo
+;extension=gd2
+;extension=gettext
+;extension=gmp
+;extension=intl
+;extension=imap
+;extension=interbase
+;extension=ldap
+;extension=mbstring
+;extension=exif ; Must be after mbstring as it depends on it
+;extension=mysqli
+;extension=oci8_12c ; Use with Oracle Database 12c Instant Client
+;extension=odbc
+;extension=openssl
+;extension=pdo_firebird
+;extension=pdo_mysql
+;extension=pdo_oci
+;extension=pdo_odbc
+;extension=pdo_pgsql
+;extension=pdo_sqlite
+;extension=pgsql
+;extension=shmop
+
+; The MIBS data available in the PHP distribution must be installed.
+; See http://www.php.net/manual/en/snmp.installation.php
+;extension=snmp
+
+;extension=soap
+;extension=sockets
+;extension=sodium
+;extension=sqlite3
+;extension=tidy
+;extension=xmlrpc
+;extension=xsl
+
+;;;;;;;;;;;;;;;;;;;
+; Module Settings ;
+;;;;;;;;;;;;;;;;;;;
+
+[CLI Server]
+; Whether the CLI web server uses ANSI color coding in its terminal output.
+cli_server.color = On
+
+[Date]
+; Defines the default timezone used by the date functions
+; http://php.net/date.timezone
+;date.timezone =
+
+; http://php.net/date.default-latitude
+;date.default_latitude = 31.7667
+
+; http://php.net/date.default-longitude
+;date.default_longitude = 35.2333
+
+; http://php.net/date.sunrise-zenith
+;date.sunrise_zenith = 90.583333
+
+; http://php.net/date.sunset-zenith
+;date.sunset_zenith = 90.583333
+
+[filter]
+; http://php.net/filter.default
+;filter.default = unsafe_raw
+
+; http://php.net/filter.default-flags
+;filter.default_flags =
+
+[iconv]
+; Use of this INI entry is deprecated, use global input_encoding instead.
+; If empty, default_charset or input_encoding or iconv.input_encoding is used.
+; The precedence is: default_charset < input_encoding < iconv.input_encoding
+;iconv.input_encoding =
+
+; Use of this INI entry is deprecated, use global internal_encoding instead.
+; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
+; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
+;iconv.internal_encoding =
+
+; Use of this INI entry is deprecated, use global output_encoding instead.
+; If empty, default_charset or output_encoding or iconv.output_encoding is used.
+; The precedence is: default_charset < output_encoding < iconv.output_encoding
+; To use an output encoding conversion, iconv's output handler must be set
+; otherwise output encoding conversion cannot be performed.
+;iconv.output_encoding =
+
+[imap]
+; rsh/ssh logins are disabled by default. Use this INI entry if you want to
+; enable them. Note that the IMAP library does not filter mailbox names before
+; passing them to rsh/ssh command, thus passing untrusted data to this function
+; with rsh/ssh enabled is insecure.
+;imap.enable_insecure_rsh=0
+
+[intl]
+;intl.default_locale =
+; This directive allows you to produce PHP errors when some error
+; happens within intl functions. The value is the level of the error produced.
+; Default is 0, which does not produce any errors.
+;intl.error_level = E_WARNING
+;intl.use_exceptions = 0
+
+[sqlite3]
+; Directory pointing to SQLite3 extensions
+; http://php.net/sqlite3.extension-dir
+;sqlite3.extension_dir =
+
+; SQLite defensive mode flag (only available from SQLite 3.26+)
+; When the defensive flag is enabled, language features that allow ordinary
+; SQL to deliberately corrupt the database file are disabled. This forbids
+; writing directly to the schema, shadow tables (eg. FTS data tables), or
+; the sqlite_dbpage virtual table.
+; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
+; (for older SQLite versions, this flag has no use)
+sqlite3.defensive = 1
+
+[Pcre]
+; PCRE library backtracking limit.
+; http://php.net/pcre.backtrack-limit
+;pcre.backtrack_limit=100000
+
+; PCRE library recursion limit.
+; Please note that if you set this value to a high number you may consume all
+; the available process stack and eventually crash PHP (due to reaching the
+; stack size limit imposed by the Operating System).
+; http://php.net/pcre.recursion-limit
+;pcre.recursion_limit=100000
+
+; Enables or disables JIT compilation of patterns. This requires the PCRE
+; library to be compiled with JIT support.
+;pcre.jit=1
+
+[Pdo]
+; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off"
+; http://php.net/pdo-odbc.connection-pooling
+;pdo_odbc.connection_pooling=strict
+
+;pdo_odbc.db2_instance_name
+
+[Pdo_mysql]
+; Default socket name for local MySQL connects. If empty, uses the built-in
+; MySQL defaults.
+pdo_mysql.default_socket=
+
+[Phar]
+; http://php.net/phar.readonly
+;phar.readonly = On
+
+; http://php.net/phar.require-hash
+;phar.require_hash = On
+
+;phar.cache_list =
+
+[mail function]
+; For Win32 only.
+; http://php.net/smtp
+SMTP = localhost
+; http://php.net/smtp-port
+smtp_port = 25
+
+; For Win32 only.
+; http://php.net/sendmail-from
+;sendmail_from = me@example.com
+
+; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
+; http://php.net/sendmail-path
+;sendmail_path =
+
+; Force the addition of the specified parameters to be passed as extra parameters
+; to the sendmail binary. These parameters will always replace the value of
+; the 5th parameter to mail().
+;mail.force_extra_parameters =
+
+; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
+mail.add_x_header = Off
+
+; The path to a log file that will log all mail() calls. Log entries include
+; the full path of the script, line number, To address and headers.
+;mail.log =
+; Log mail to syslog (Event Log on Windows).
+;mail.log = syslog
+
+[ODBC]
+; http://php.net/odbc.default-db
+;odbc.default_db = Not yet implemented
+
+; http://php.net/odbc.default-user
+;odbc.default_user = Not yet implemented
+
+; http://php.net/odbc.default-pw
+;odbc.default_pw = Not yet implemented
+
+; Controls the ODBC cursor model.
+; Default: SQL_CURSOR_STATIC (default).
+;odbc.default_cursortype
+
+; Allow or prevent persistent links.
+; http://php.net/odbc.allow-persistent
+odbc.allow_persistent = On
+
+; Check that a connection is still valid before reuse.
+; http://php.net/odbc.check-persistent
+odbc.check_persistent = On
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/odbc.max-persistent
+odbc.max_persistent = -1
+
+; Maximum number of links (persistent + non-persistent). -1 means no limit.
+; http://php.net/odbc.max-links
+odbc.max_links = -1
+
+; Handling of LONG fields. Returns number of bytes to variables. 0 means
+; passthru.
+; http://php.net/odbc.defaultlrl
+odbc.defaultlrl = 4096
+
+; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char.
+; See the documentation on odbc_binmode and odbc_longreadlen for an explanation
+; of odbc.defaultlrl and odbc.defaultbinmode
+; http://php.net/odbc.defaultbinmode
+odbc.defaultbinmode = 1
+
+[Interbase]
+; Allow or prevent persistent links.
+ibase.allow_persistent = 1
+
+; Maximum number of persistent links. -1 means no limit.
+ibase.max_persistent = -1
+
+; Maximum number of links (persistent + non-persistent). -1 means no limit.
+ibase.max_links = -1
+
+; Default database name for ibase_connect().
+;ibase.default_db =
+
+; Default username for ibase_connect().
+;ibase.default_user =
+
+; Default password for ibase_connect().
+;ibase.default_password =
+
+; Default charset for ibase_connect().
+;ibase.default_charset =
+
+; Default timestamp format.
+ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
+
+; Default date format.
+ibase.dateformat = "%Y-%m-%d"
+
+; Default time format.
+ibase.timeformat = "%H:%M:%S"
+
+[MySQLi]
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/mysqli.max-persistent
+mysqli.max_persistent = -1
+
+; Allow accessing, from PHP's perspective, local files with LOAD DATA statements
+; http://php.net/mysqli.allow_local_infile
+;mysqli.allow_local_infile = On
+
+; Allow or prevent persistent links.
+; http://php.net/mysqli.allow-persistent
+mysqli.allow_persistent = On
+
+; Maximum number of links. -1 means no limit.
+; http://php.net/mysqli.max-links
+mysqli.max_links = -1
+
+; Default port number for mysqli_connect(). If unset, mysqli_connect() will use
+; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
+; compile-time value defined MYSQL_PORT (in that order). Win32 will only look
+; at MYSQL_PORT.
+; http://php.net/mysqli.default-port
+mysqli.default_port = 3306
+
+; Default socket name for local MySQL connects. If empty, uses the built-in
+; MySQL defaults.
+; http://php.net/mysqli.default-socket
+mysqli.default_socket =
+
+; Default host for mysql_connect() (doesn't apply in safe mode).
+; http://php.net/mysqli.default-host
+mysqli.default_host =
+
+; Default user for mysql_connect() (doesn't apply in safe mode).
+; http://php.net/mysqli.default-user
+mysqli.default_user =
+
+; Default password for mysqli_connect() (doesn't apply in safe mode).
+; Note that this is generally a *bad* idea to store passwords in this file.
+; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw")
+; and reveal this password! And of course, any users with read access to this
+; file will be able to reveal the password as well.
+; http://php.net/mysqli.default-pw
+mysqli.default_pw =
+
+; Allow or prevent reconnect
+mysqli.reconnect = Off
+
+[mysqlnd]
+; Enable / Disable collection of general statistics by mysqlnd which can be
+; used to tune and monitor MySQL operations.
+mysqlnd.collect_statistics = On
+
+; Enable / Disable collection of memory usage statistics by mysqlnd which can be
+; used to tune and monitor MySQL operations.
+mysqlnd.collect_memory_statistics = Off
+
+; Records communication from all extensions using mysqlnd to the specified log
+; file.
+; http://php.net/mysqlnd.debug
+;mysqlnd.debug =
+
+; Defines which queries will be logged.
+;mysqlnd.log_mask = 0
+
+; Default size of the mysqlnd memory pool, which is used by result sets.
+;mysqlnd.mempool_default_size = 16000
+
+; Size of a pre-allocated buffer used when sending commands to MySQL in bytes.
+;mysqlnd.net_cmd_buffer_size = 2048
+
+; Size of a pre-allocated buffer used for reading data sent by the server in
+; bytes.
+;mysqlnd.net_read_buffer_size = 32768
+
+; Timeout for network requests in seconds.
+;mysqlnd.net_read_timeout = 31536000
+
+; SHA-256 Authentication Plugin related. File with the MySQL server public RSA
+; key.
+;mysqlnd.sha256_server_public_key =
+
+[OCI8]
+
+; Connection: Enables privileged connections using external
+; credentials (OCI_SYSOPER, OCI_SYSDBA)
+; http://php.net/oci8.privileged-connect
+;oci8.privileged_connect = Off
+
+; Connection: The maximum number of persistent OCI8 connections per
+; process. Using -1 means no limit.
+; http://php.net/oci8.max-persistent
+;oci8.max_persistent = -1
+
+; Connection: The maximum number of seconds a process is allowed to
+; maintain an idle persistent connection. Using -1 means idle
+; persistent connections will be maintained forever.
+; http://php.net/oci8.persistent-timeout
+;oci8.persistent_timeout = -1
+
+; Connection: The number of seconds that must pass before issuing a
+; ping during oci_pconnect() to check the connection validity. When
+; set to 0, each oci_pconnect() will cause a ping. Using -1 disables
+; pings completely.
+; http://php.net/oci8.ping-interval
+;oci8.ping_interval = 60
+
+; Connection: Set this to a user chosen connection class to be used
+; for all pooled server requests with Oracle 11g Database Resident
+; Connection Pooling (DRCP). To use DRCP, this value should be set to
+; the same string for all web servers running the same application,
+; the database pool must be configured, and the connection string must
+; specify to use a pooled server.
+;oci8.connection_class =
+
+; High Availability: Using On lets PHP receive Fast Application
+; Notification (FAN) events generated when a database node fails. The
+; database must also be configured to post FAN events.
+;oci8.events = Off
+
+; Tuning: This option enables statement caching, and specifies how
+; many statements to cache. Using 0 disables statement caching.
+; http://php.net/oci8.statement-cache-size
+;oci8.statement_cache_size = 20
+
+; Tuning: Enables statement prefetching and sets the default number of
+; rows that will be fetched automatically after statement execution.
+; http://php.net/oci8.default-prefetch
+;oci8.default_prefetch = 100
+
+; Compatibility. Using On means oci_close() will not close
+; oci_connect() and oci_new_connect() connections.
+; http://php.net/oci8.old-oci-close-semantics
+;oci8.old_oci_close_semantics = Off
+
+[PostgreSQL]
+; Allow or prevent persistent links.
+; http://php.net/pgsql.allow-persistent
+pgsql.allow_persistent = On
+
+; Detect broken persistent links always with pg_pconnect().
+; Auto reset feature requires a little overheads.
+; http://php.net/pgsql.auto-reset-persistent
+pgsql.auto_reset_persistent = Off
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/pgsql.max-persistent
+pgsql.max_persistent = -1
+
+; Maximum number of links (persistent+non persistent). -1 means no limit.
+; http://php.net/pgsql.max-links
+pgsql.max_links = -1
+
+; Ignore PostgreSQL backends Notice message or not.
+; Notice message logging require a little overheads.
+; http://php.net/pgsql.ignore-notice
+pgsql.ignore_notice = 0
+
+; Log PostgreSQL backends Notice message or not.
+; Unless pgsql.ignore_notice=0, module cannot log notice message.
+; http://php.net/pgsql.log-notice
+pgsql.log_notice = 0
+
+[bcmath]
+; Number of decimal digits for all bcmath functions.
+; http://php.net/bcmath.scale
+bcmath.scale = 0
+
+[browscap]
+; http://php.net/browscap
+;browscap = extra/browscap.ini
+
+[Session]
+; Handler used to store/retrieve data.
+; http://php.net/session.save-handler
+session.save_handler = files
+
+; Argument passed to save_handler. In the case of files, this is the path
+; where data files are stored. Note: Windows users have to change this
+; variable in order to use PHP's session functions.
+;
+; The path can be defined as:
+;
+; session.save_path = "N;/path"
+;
+; where N is an integer. Instead of storing all the session files in
+; /path, what this will do is use subdirectories N-levels deep, and
+; store the session data in those directories. This is useful if
+; your OS has problems with many files in one directory, and is
+; a more efficient layout for servers that handle many sessions.
+;
+; NOTE 1: PHP will not create this directory structure automatically.
+; You can use the script in the ext/session dir for that purpose.
+; NOTE 2: See the section on garbage collection below if you choose to
+; use subdirectories for session storage
+;
+; The file storage module creates files using mode 600 by default.
+; You can change that by using
+;
+; session.save_path = "N;MODE;/path"
+;
+; where MODE is the octal representation of the mode. Note that this
+; does not overwrite the process's umask.
+; http://php.net/session.save-path
+;session.save_path = "/var/lib/php/sessions"
+
+; Whether to use strict session mode.
+; Strict session mode does not accept an uninitialized session ID, and
+; regenerates the session ID if the browser sends an uninitialized session ID.
+; Strict mode protects applications from session fixation via a session adoption
+; vulnerability. It is disabled by default for maximum compatibility, but
+; enabling it is encouraged.
+; https://wiki.php.net/rfc/strict_sessions
+session.use_strict_mode = 0
+
+; Whether to use cookies.
+; http://php.net/session.use-cookies
+session.use_cookies = 1
+
+; http://php.net/session.cookie-secure
+;session.cookie_secure =
+
+; This option forces PHP to fetch and use a cookie for storing and maintaining
+; the session id. We encourage this operation as it's very helpful in combating
+; session hijacking when not specifying and managing your own session id. It is
+; not the be-all and end-all of session hijacking defense, but it's a good start.
+; http://php.net/session.use-only-cookies
+session.use_only_cookies = 1
+
+; Name of the session (used as cookie name).
+; http://php.net/session.name
+session.name = PHPSESSID
+
+; Initialize session on request startup.
+; http://php.net/session.auto-start
+session.auto_start = 0
+
+; Lifetime in seconds of cookie or, if 0, until browser is restarted.
+; http://php.net/session.cookie-lifetime
+session.cookie_lifetime = 0
+
+; The path for which the cookie is valid.
+; http://php.net/session.cookie-path
+session.cookie_path = /
+
+; The domain for which the cookie is valid.
+; http://php.net/session.cookie-domain
+session.cookie_domain =
+
+; Whether or not to add the httpOnly flag to the cookie, which makes it
+; inaccessible to browser scripting languages such as JavaScript.
+; http://php.net/session.cookie-httponly
+session.cookie_httponly =
+
+; Add SameSite attribute to cookie to help mitigate Cross-Site Request Forgery (CSRF/XSRF)
+; Current valid values are "Lax" or "Strict"
+; https://tools.ietf.org/html/draft-west-first-party-cookies-07
+session.cookie_samesite =
+
+; Handler used to serialize data. php is the standard serializer of PHP.
+; http://php.net/session.serialize-handler
+session.serialize_handler = php
+
+; Defines the probability that the 'garbage collection' process is started
+; on every session initialization. The probability is calculated by using
+; gc_probability/gc_divisor. Where session.gc_probability is the numerator
+; and gc_divisor is the denominator in the equation. Setting this value to 1
+; when the session.gc_divisor value is 100 will give you approximately a 1% chance
+; the gc will run on any given request.
+; Default Value: 1
+; Development Value: 1
+; Production Value: 1
+; http://php.net/session.gc-probability
+session.gc_probability = 0
+
+; Defines the probability that the 'garbage collection' process is started on every
+; session initialization. The probability is calculated by using the following equation:
+; gc_probability/gc_divisor. Where session.gc_probability is the numerator and
+; session.gc_divisor is the denominator in the equation. Setting this value to 100
+; when the session.gc_probability value is 1 will give you approximately a 1% chance
+; the gc will run on any given request. Increasing this value to 1000 will give you
+; a 0.1% chance the gc will run on any given request. For high volume production servers,
+; this is a more efficient approach.
+; Default Value: 100
+; Development Value: 1000
+; Production Value: 1000
+; http://php.net/session.gc-divisor
+session.gc_divisor = 1000
+
+; After this number of seconds, stored data will be seen as 'garbage' and
+; cleaned up by the garbage collection process.
+; http://php.net/session.gc-maxlifetime
+session.gc_maxlifetime = 1440
+
+; NOTE: If you are using the subdirectory option for storing session files
+; (see session.save_path above), then garbage collection does *not*
+; happen automatically. You will need to do your own garbage
+; collection through a shell script, cron entry, or some other method.
+; For example, the following script would is the equivalent of
+; setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
+; find /path/to/sessions -cmin +24 -type f | xargs rm
+
+; Check HTTP Referer to invalidate externally stored URLs containing ids.
+; HTTP_REFERER has to contain this substring for the session to be
+; considered as valid.
+; http://php.net/session.referer-check
+session.referer_check =
+
+; Set to {nocache,private,public,} to determine HTTP caching aspects
+; or leave this empty to avoid sending anti-caching headers.
+; http://php.net/session.cache-limiter
+session.cache_limiter = nocache
+
+; Document expires after n minutes.
+; http://php.net/session.cache-expire
+session.cache_expire = 180
+
+; trans sid support is disabled by default.
+; Use of trans sid may risk your users' security.
+; Use this option with caution.
+; - User may send URL contains active session ID
+; to other person via. email/irc/etc.
+; - URL that contains active session ID may be stored
+; in publicly accessible computer.
+; - User may access your site with the same session ID
+; always using URL stored in browser's history or bookmarks.
+; http://php.net/session.use-trans-sid
+session.use_trans_sid = 0
+
+; Set session ID character length. This value could be between 22 to 256.
+; Shorter length than default is supported only for compatibility reason.
+; Users should use 32 or more chars.
+; http://php.net/session.sid-length
+; Default Value: 32
+; Development Value: 26
+; Production Value: 26
+session.sid_length = 26
+
+; The URL rewriter will look for URLs in a defined set of HTML tags.
+;
is special; if you include them here, the rewriter will
+; add a hidden field with the info which is otherwise appended
+; to URLs. tag's action attribute URL will not be modified
+; unless it is specified.
+; Note that all valid entries require a "=", even if no value follows.
+; Default Value: "a=href,area=href,frame=src,form="
+; Development Value: "a=href,area=href,frame=src,form="
+; Production Value: "a=href,area=href,frame=src,form="
+; http://php.net/url-rewriter.tags
+session.trans_sid_tags = "a=href,area=href,frame=src,form="
+
+; URL rewriter does not rewrite absolute URLs by default.
+; To enable rewrites for absolute paths, target hosts must be specified
+; at RUNTIME. i.e. use ini_set()
+; tags is special. PHP will check action attribute's URL regardless
+; of session.trans_sid_tags setting.
+; If no host is defined, HTTP_HOST will be used for allowed host.
+; Example value: php.net,www.php.net,wiki.php.net
+; Use "," for multiple hosts. No spaces are allowed.
+; Default Value: ""
+; Development Value: ""
+; Production Value: ""
+;session.trans_sid_hosts=""
+
+; Define how many bits are stored in each character when converting
+; the binary hash data to something readable.
+; Possible values:
+; 4 (4 bits: 0-9, a-f)
+; 5 (5 bits: 0-9, a-v)
+; 6 (6 bits: 0-9, a-z, A-Z, "-", ",")
+; Default Value: 4
+; Development Value: 5
+; Production Value: 5
+; http://php.net/session.hash-bits-per-character
+session.sid_bits_per_character = 5
+
+; Enable upload progress tracking in $_SESSION
+; Default Value: On
+; Development Value: On
+; Production Value: On
+; http://php.net/session.upload-progress.enabled
+;session.upload_progress.enabled = On
+
+; Cleanup the progress information as soon as all POST data has been read
+; (i.e. upload completed).
+; Default Value: On
+; Development Value: On
+; Production Value: On
+; http://php.net/session.upload-progress.cleanup
+;session.upload_progress.cleanup = On
+
+; A prefix used for the upload progress key in $_SESSION
+; Default Value: "upload_progress_"
+; Development Value: "upload_progress_"
+; Production Value: "upload_progress_"
+; http://php.net/session.upload-progress.prefix
+;session.upload_progress.prefix = "upload_progress_"
+
+; The index name (concatenated with the prefix) in $_SESSION
+; containing the upload progress information
+; Default Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; Development Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; Production Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; http://php.net/session.upload-progress.name
+;session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS"
+
+; How frequently the upload progress should be updated.
+; Given either in percentages (per-file), or in bytes
+; Default Value: "1%"
+; Development Value: "1%"
+; Production Value: "1%"
+; http://php.net/session.upload-progress.freq
+;session.upload_progress.freq = "1%"
+
+; The minimum delay between updates, in seconds
+; Default Value: 1
+; Development Value: 1
+; Production Value: 1
+; http://php.net/session.upload-progress.min-freq
+;session.upload_progress.min_freq = "1"
+
+; Only write session data when session data is changed. Enabled by default.
+; http://php.net/session.lazy-write
+;session.lazy_write = On
+
+[Assertion]
+; Switch whether to compile assertions at all (to have no overhead at run-time)
+; -1: Do not compile at all
+; 0: Jump over assertion at run-time
+; 1: Execute assertions
+; Changing from or to a negative value is only possible in php.ini! (For turning assertions on and off at run-time, see assert.active, when zend.assertions = 1)
+; Default Value: 1
+; Development Value: 1
+; Production Value: -1
+; http://php.net/zend.assertions
+zend.assertions = -1
+
+; Assert(expr); active by default.
+; http://php.net/assert.active
+;assert.active = On
+
+; Throw an AssertionError on failed assertions
+; http://php.net/assert.exception
+;assert.exception = On
+
+; Issue a PHP warning for each failed assertion. (Overridden by assert.exception if active)
+; http://php.net/assert.warning
+;assert.warning = On
+
+; Don't bail out by default.
+; http://php.net/assert.bail
+;assert.bail = Off
+
+; User-function to be called if an assertion fails.
+; http://php.net/assert.callback
+;assert.callback = 0
+
+; Eval the expression with current error_reporting(). Set to true if you want
+; error_reporting(0) around the eval().
+; http://php.net/assert.quiet-eval
+;assert.quiet_eval = 0
+
+[COM]
+; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs
+; http://php.net/com.typelib-file
+;com.typelib_file =
+
+; allow Distributed-COM calls
+; http://php.net/com.allow-dcom
+;com.allow_dcom = true
+
+; autoregister constants of a component's typlib on com_load()
+; http://php.net/com.autoregister-typelib
+;com.autoregister_typelib = true
+
+; register constants casesensitive
+; http://php.net/com.autoregister-casesensitive
+;com.autoregister_casesensitive = false
+
+; show warnings on duplicate constant registrations
+; http://php.net/com.autoregister-verbose
+;com.autoregister_verbose = true
+
+; The default character set code-page to use when passing strings to and from COM objects.
+; Default: system ANSI code page
+;com.code_page=
+
+[mbstring]
+; language for internal character representation.
+; This affects mb_send_mail() and mbstring.detect_order.
+; http://php.net/mbstring.language
+;mbstring.language = Japanese
+
+; Use of this INI entry is deprecated, use global internal_encoding instead.
+; internal/script encoding.
+; Some encoding cannot work as internal encoding. (e.g. SJIS, BIG5, ISO-2022-*)
+; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
+; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
+;mbstring.internal_encoding =
+
+; Use of this INI entry is deprecated, use global input_encoding instead.
+; http input encoding.
+; mbstring.encoding_translation = On is needed to use this setting.
+; If empty, default_charset or input_encoding or mbstring.input is used.
+; The precedence is: default_charset < input_encoding < mbsting.http_input
+; http://php.net/mbstring.http-input
+;mbstring.http_input =
+
+; Use of this INI entry is deprecated, use global output_encoding instead.
+; http output encoding.
+; mb_output_handler must be registered as output buffer to function.
+; If empty, default_charset or output_encoding or mbstring.http_output is used.
+; The precedence is: default_charset < output_encoding < mbstring.http_output
+; To use an output encoding conversion, mbstring's output handler must be set
+; otherwise output encoding conversion cannot be performed.
+; http://php.net/mbstring.http-output
+;mbstring.http_output =
+
+; enable automatic encoding translation according to
+; mbstring.internal_encoding setting. Input chars are
+; converted to internal encoding by setting this to On.
+; Note: Do _not_ use automatic encoding translation for
+; portable libs/applications.
+; http://php.net/mbstring.encoding-translation
+;mbstring.encoding_translation = Off
+
+; automatic encoding detection order.
+; "auto" detect order is changed according to mbstring.language
+; http://php.net/mbstring.detect-order
+;mbstring.detect_order = auto
+
+; substitute_character used when character cannot be converted
+; one from another
+; http://php.net/mbstring.substitute-character
+;mbstring.substitute_character = none
+
+; overload(replace) single byte functions by mbstring functions.
+; mail(), ereg(), etc are overloaded by mb_send_mail(), mb_ereg(),
+; etc. Possible values are 0,1,2,4 or combination of them.
+; For example, 7 for overload everything.
+; 0: No overload
+; 1: Overload mail() function
+; 2: Overload str*() functions
+; 4: Overload ereg*() functions
+; http://php.net/mbstring.func-overload
+;mbstring.func_overload = 0
+
+; enable strict encoding detection.
+; Default: Off
+;mbstring.strict_detection = On
+
+; This directive specifies the regex pattern of content types for which mb_output_handler()
+; is activated.
+; Default: mbstring.http_output_conv_mimetype=^(text/|application/xhtml\+xml)
+;mbstring.http_output_conv_mimetype=
+
+[gd]
+; Tell the jpeg decode to ignore warnings and try to create
+; a gd image. The warning will then be displayed as notices
+; disabled by default
+; http://php.net/gd.jpeg-ignore-warning
+;gd.jpeg_ignore_warning = 1
+
+[exif]
+; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS.
+; With mbstring support this will automatically be converted into the encoding
+; given by corresponding encode setting. When empty mbstring.internal_encoding
+; is used. For the decode settings you can distinguish between motorola and
+; intel byte order. A decode setting cannot be empty.
+; http://php.net/exif.encode-unicode
+;exif.encode_unicode = ISO-8859-15
+
+; http://php.net/exif.decode-unicode-motorola
+;exif.decode_unicode_motorola = UCS-2BE
+
+; http://php.net/exif.decode-unicode-intel
+;exif.decode_unicode_intel = UCS-2LE
+
+; http://php.net/exif.encode-jis
+;exif.encode_jis =
+
+; http://php.net/exif.decode-jis-motorola
+;exif.decode_jis_motorola = JIS
+
+; http://php.net/exif.decode-jis-intel
+;exif.decode_jis_intel = JIS
+
+[Tidy]
+; The path to a default tidy configuration file to use when using tidy
+; http://php.net/tidy.default-config
+;tidy.default_config = /usr/local/lib/php/default.tcfg
+
+; Should tidy clean and repair output automatically?
+; WARNING: Do not use this option if you are generating non-html content
+; such as dynamic images
+; http://php.net/tidy.clean-output
+tidy.clean_output = Off
+
+[soap]
+; Enables or disables WSDL caching feature.
+; http://php.net/soap.wsdl-cache-enabled
+soap.wsdl_cache_enabled=1
+
+; Sets the directory name where SOAP extension will put cache files.
+; http://php.net/soap.wsdl-cache-dir
+soap.wsdl_cache_dir="/tmp"
+
+; (time to live) Sets the number of second while cached file will be used
+; instead of original one.
+; http://php.net/soap.wsdl-cache-ttl
+soap.wsdl_cache_ttl=86400
+
+; Sets the size of the cache limit. (Max. number of WSDL files to cache)
+soap.wsdl_cache_limit = 5
+
+[sysvshm]
+; A default size of the shared memory segment
+;sysvshm.init_mem = 10000
+
+[ldap]
+; Sets the maximum number of open links or -1 for unlimited.
+ldap.max_links = -1
+
+[dba]
+;dba.default_handler=
+
+[opcache]
+; Determines if Zend OPCache is enabled
+;opcache.enable=1
+
+; Determines if Zend OPCache is enabled for the CLI version of PHP
+;opcache.enable_cli=0
+
+; The OPcache shared memory storage size.
+;opcache.memory_consumption=128
+
+; The amount of memory for interned strings in Mbytes.
+;opcache.interned_strings_buffer=8
+
+; The maximum number of keys (scripts) in the OPcache hash table.
+; Only numbers between 200 and 1000000 are allowed.
+;opcache.max_accelerated_files=10000
+
+; The maximum percentage of "wasted" memory until a restart is scheduled.
+;opcache.max_wasted_percentage=5
+
+; When this directive is enabled, the OPcache appends the current working
+; directory to the script key, thus eliminating possible collisions between
+; files with the same name (basename). Disabling the directive improves
+; performance, but may break existing applications.
+;opcache.use_cwd=1
+
+; When disabled, you must reset the OPcache manually or restart the
+; webserver for changes to the filesystem to take effect.
+;opcache.validate_timestamps=1
+
+; How often (in seconds) to check file timestamps for changes to the shared
+; memory storage allocation. ("1" means validate once per second, but only
+; once per request. "0" means always validate)
+;opcache.revalidate_freq=2
+
+; Enables or disables file search in include_path optimization
+;opcache.revalidate_path=0
+
+; If disabled, all PHPDoc comments are dropped from the code to reduce the
+; size of the optimized code.
+;opcache.save_comments=1
+
+; Allow file existence override (file_exists, etc.) performance feature.
+;opcache.enable_file_override=0
+
+; A bitmask, where each bit enables or disables the appropriate OPcache
+; passes
+;opcache.optimization_level=0x7FFFBFFF
+
+;opcache.dups_fix=0
+
+; The location of the OPcache blacklist file (wildcards allowed).
+; Each OPcache blacklist file is a text file that holds the names of files
+; that should not be accelerated. The file format is to add each filename
+; to a new line. The filename may be a full path or just a file prefix
+; (i.e., /var/www/x blacklists all the files and directories in /var/www
+; that start with 'x'). Line starting with a ; are ignored (comments).
+;opcache.blacklist_filename=
+
+; Allows exclusion of large files from being cached. By default all files
+; are cached.
+;opcache.max_file_size=0
+
+; Check the cache checksum each N requests.
+; The default value of "0" means that the checks are disabled.
+;opcache.consistency_checks=0
+
+; How long to wait (in seconds) for a scheduled restart to begin if the cache
+; is not being accessed.
+;opcache.force_restart_timeout=180
+
+; OPcache error_log file name. Empty string assumes "stderr".
+;opcache.error_log=
+
+; All OPcache errors go to the Web server log.
+; By default, only fatal errors (level 0) or errors (level 1) are logged.
+; You can also enable warnings (level 2), info messages (level 3) or
+; debug messages (level 4).
+;opcache.log_verbosity_level=1
+
+; Preferred Shared Memory back-end. Leave empty and let the system decide.
+;opcache.preferred_memory_model=
+
+; Protect the shared memory from unexpected writing during script execution.
+; Useful for internal debugging only.
+;opcache.protect_memory=0
+
+; Allows calling OPcache API functions only from PHP scripts which path is
+; started from specified string. The default "" means no restriction
+;opcache.restrict_api=
+
+; Mapping base of shared memory segments (for Windows only). All the PHP
+; processes have to map shared memory into the same address space. This
+; directive allows to manually fix the "Unable to reattach to base address"
+; errors.
+;opcache.mmap_base=
+
+; Enables and sets the second level cache directory.
+; It should improve performance when SHM memory is full, at server restart or
+; SHM reset. The default "" disables file based caching.
+;opcache.file_cache=
+
+; Enables or disables opcode caching in shared memory.
+;opcache.file_cache_only=0
+
+; Enables or disables checksum validation when script loaded from file cache.
+;opcache.file_cache_consistency_checks=1
+
+; Implies opcache.file_cache_only=1 for a certain process that failed to
+; reattach to the shared memory (for Windows only). Explicitly enabled file
+; cache is required.
+;opcache.file_cache_fallback=1
+
+; Enables or disables copying of PHP code (text segment) into HUGE PAGES.
+; This should improve performance, but requires appropriate OS configuration.
+;opcache.huge_code_pages=1
+
+; Validate cached file permissions.
+;opcache.validate_permission=0
+
+; Prevent name collisions in chroot'ed environment.
+;opcache.validate_root=0
+
+; If specified, it produces opcode dumps for debugging different stages of
+; optimizations.
+;opcache.opt_debug_level=0
+
+[curl]
+; A default value for the CURLOPT_CAINFO option. This is required to be an
+; absolute path.
+;curl.cainfo =
+
+[openssl]
+; The location of a Certificate Authority (CA) file on the local filesystem
+; to use when verifying the identity of SSL/TLS peers. Most users should
+; not specify a value for this directive as PHP will attempt to use the
+; OS-managed cert stores in its absence. If specified, this value may still
+; be overridden on a per-stream basis via the "cafile" SSL stream context
+; option.
+;openssl.cafile=
+
+; If openssl.cafile is not specified or if the CA file is not found, the
+; directory pointed to by openssl.capath is searched for a suitable
+; certificate. This value must be a correctly hashed certificate directory.
+; Most users should not specify a value for this directive as PHP will
+; attempt to use the OS-managed cert stores in its absence. If specified,
+; this value may still be overridden on a per-stream basis via the "capath"
+; SSL stream context option.
+;openssl.capath=
+
+; Local Variables:
+; tab-width: 4
+; End:
diff --git a/roles/php/files/www.conf b/roles/php/files/www.conf
new file mode 100644
index 0000000..62bbb4b
--- /dev/null
+++ b/roles/php/files/www.conf
@@ -0,0 +1,430 @@
+; Start a new pool named 'www'.
+; the variable $pool can be used in any directive and will be replaced by the
+; pool name ('www' here)
+[www]
+
+; Per pool prefix
+; It only applies on the following directives:
+; - 'access.log'
+; - 'slowlog'
+; - 'listen' (unixsocket)
+; - 'chroot'
+; - 'chdir'
+; - 'php_values'
+; - 'php_admin_values'
+; When not set, the global prefix (or /usr) applies instead.
+; Note: This directive can also be relative to the global prefix.
+; Default Value: none
+;prefix = /path/to/pools/$pool
+
+; Unix user/group of processes
+; Note: The user is mandatory. If the group is not set, the default user's group
+; will be used.
+user = www-data
+group = www-data
+
+; The address on which to accept FastCGI requests.
+; Valid syntaxes are:
+; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
+; a specific port;
+; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+; a specific port;
+; 'port' - to listen on a TCP socket to all addresses
+; (IPv6 and IPv4-mapped) on a specific port;
+; '/path/to/unix/socket' - to listen on a unix socket.
+; Note: This value is mandatory.
+listen = /run/php/php7.3-fpm.sock
+
+; Set listen(2) backlog.
+; Default Value: 511 (-1 on FreeBSD and OpenBSD)
+;listen.backlog = 511
+
+; Set permissions for unix socket, if one is used. In Linux, read/write
+; permissions must be set in order to allow connections from a web server. Many
+; BSD-derived systems allow connections regardless of permissions.
+; Default Values: user and group are set as the running user
+; mode is set to 0660
+listen.owner = www-data
+listen.group = www-data
+;listen.mode = 0660
+; When POSIX Access Control Lists are supported you can set them using
+; these options, value is a comma separated list of user/group names.
+; When set, listen.owner and listen.group are ignored
+;listen.acl_users =
+;listen.acl_groups =
+
+; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
+; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
+; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
+; must be separated by a comma. If this value is left blank, connections will be
+; accepted from any ip address.
+; Default Value: any
+;listen.allowed_clients = 127.0.0.1
+
+; Specify the nice(2) priority to apply to the pool processes (only if set)
+; The value can vary from -19 (highest priority) to 20 (lower priority)
+; Note: - It will only work if the FPM master process is launched as root
+; - The pool processes will inherit the master process priority
+; unless it specified otherwise
+; Default Value: no set
+; process.priority = -19
+
+; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
+; or group is differrent than the master process user. It allows to create process
+; core dump and ptrace the process for the pool user.
+; Default Value: no
+; process.dumpable = yes
+
+; Choose how the process manager will control the number of child processes.
+; Possible Values:
+; static - a fixed number (pm.max_children) of child processes;
+; dynamic - the number of child processes are set dynamically based on the
+; following directives. With this process management, there will be
+; always at least 1 children.
+; pm.max_children - the maximum number of children that can
+; be alive at the same time.
+; pm.start_servers - the number of children created on startup.
+; pm.min_spare_servers - the minimum number of children in 'idle'
+; state (waiting to process). If the number
+; of 'idle' processes is less than this
+; number then some children will be created.
+; pm.max_spare_servers - the maximum number of children in 'idle'
+; state (waiting to process).
If the number
+; of 'idle' processes is greater than this
+; number then some children will be killed.
+; ondemand - no children are created at startup. Children will be forked when
+; new requests will connect. The following parameter are used:
+; pm.max_children - the maximum number of children that
+; can be alive at the same time.
+; pm.process_idle_timeout - The number of seconds after which
+; an idle process will be killed.
+; Note: This value is mandatory.
+pm = dynamic
+
+; The number of child processes to be created when pm is set to 'static' and the
+; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
+; This value sets the limit on the number of simultaneous requests that will be
+; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
+; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
+; CGI. The below defaults are based on a server without much resources. Don't
+; forget to tweak pm.* to fit your needs.
+; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
+; Note: This value is mandatory.
+pm.max_children = 100
+
+; The number of child processes created on startup.
+; Note: Used only when pm is set to 'dynamic'
+; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
+pm.start_servers = 10
+
+; The desired minimum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.min_spare_servers = 10
+
+; The desired maximum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.max_spare_servers = 30
+
+; The number of seconds after which an idle process will be killed.
+; Note: Used only when pm is set to 'ondemand'
+; Default Value: 10s
+;pm.process_idle_timeout = 10s;
+
+; The number of requests each child process should execute before respawning.
+; This can be useful to work around memory leaks in 3rd party libraries. For
+; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
+; Default Value: 0
+;pm.max_requests = 500
+
+; The URI to view the FPM status page. If this value is not set, no URI will be
+; recognized as a status page. It shows the following informations:
+; pool - the name of the pool;
+; process manager - static, dynamic or ondemand;
+; start time - the date and time FPM has started;
+; start since - number of seconds since FPM has started;
+; accepted conn - the number of request accepted by the pool;
+; listen queue - the number of request in the queue of pending
+; connections (see backlog in listen(2));
+; max listen queue - the maximum number of requests in the queue
+; of pending connections since FPM has started;
+; listen queue len - the size of the socket queue of pending connections;
+; idle processes - the number of idle processes;
+; active processes - the number of active processes;
+; total processes - the number of idle + active processes;
+; max active processes - the maximum number of active processes since FPM
+; has started;
+; max children reached - number of times, the process limit has been reached,
+; when pm tries to start more children (works only for
+; pm 'dynamic' and 'ondemand');
+; Value are updated in real time.
+; Example output:
+; pool: www
+; process manager: static
+; start time: 01/Jul/2011:17:53:49 +0200
+; start since: 62636
+; accepted conn: 190460
+; listen queue: 0
+; max listen queue: 1
+; listen queue len: 42
+; idle processes: 4
+; active processes: 11
+; total processes: 15
+; max active processes: 12
+; max children reached: 0
+;
+; By default the status page output is formatted as text/plain. Passing either
+; 'html', 'xml' or 'json' in the query string will return the corresponding
+; output syntax.
Example:
+; http://www.foo.bar/status
+; http://www.foo.bar/status?json
+; http://www.foo.bar/status?html
+; http://www.foo.bar/status?xml
+;
+; By default the status page only outputs short status. Passing 'full' in the
+; query string will also return status for each pool process.
+; Example:
+; http://www.foo.bar/status?full
+; http://www.foo.bar/status?json&full
+; http://www.foo.bar/status?html&full
+; http://www.foo.bar/status?xml&full
+; The Full status returns for each process:
+; pid - the PID of the process;
+; state - the state of the process (Idle, Running, ...);
+; start time - the date and time the process has started;
+; start since - the number of seconds since the process has started;
+; requests - the number of requests the process has served;
+; request duration - the duration in µs of the requests;
+; request method - the request method (GET, POST, ...);
+; request URI - the request URI with the query string;
+; content length - the content length of the request (only with POST);
+; user - the user (PHP_AUTH_USER) (or '-' if not set);
+; script - the main script called (or '-' if not set);
+; last request cpu - the %cpu the last request consumed
+; it's always 0 if the process is not in Idle state
+; because CPU calculation is done when the request
+; processing has terminated;
+; last request memory - the max amount of memory the last request consumed
+; it's always 0 if the process is not in Idle state
+; because memory calculation is done when the request
+; processing has terminated;
+; If the process is in Idle state, then informations are related to the
+; last request the process has served. Otherwise informations are related to
+; the current request being served.
+; Example output: +; ************************ +; pid: 31330 +; state: Running +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 63087 +; requests: 12808 +; request duration: 1250261 +; request method: GET +; request URI: /test_mem.php?N=10000 +; content length: 0 +; user: - +; script: /home/fat/web/docs/php/test_mem.php +; last request cpu: 0.00 +; last request memory: 0 +; +; Note: There is a real-time FPM status monitoring sample web page available +; It's available in: /usr/share/php/7.3/fpm/status.html +; +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;pm.status_path = /status + +; The ping URI to call the monitoring page of FPM. If this value is not set, no +; URI will be recognized as a ping page. This could be used to test from outside +; that FPM is alive and responding, or to +; - create a graph of FPM availability (rrd or such); +; - remove a server from a group if it is not responding (load balancing); +; - trigger alerts for the operating team (24/7). +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;ping.path = /ping + +; This directive may be used to customize the response of a ping request. The +; response is formatted as text/plain with a 200 response code. +; Default Value: pong +;ping.response = pong + +; The access log file +; Default: not set +;access.log = log/$pool.access.log + +; The access log format. 
+; The following syntax is allowed
+; %%: the '%' character
+; %C: %CPU used by the request
+; it can accept the following format:
+; - %{user}C for user CPU only
+; - %{system}C for system CPU only
+; - %{total}C for user + system CPU (default)
+; %d: time taken to serve the request
+; it can accept the following format:
+; - %{seconds}d (default)
+; - %{miliseconds}d
+; - %{mili}d
+; - %{microseconds}d
+; - %{micro}d
+; %e: an environment variable (same as $_ENV or $_SERVER)
+; it must be associated with embraces to specify the name of the env
+; variable. Some exemples:
+; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
+; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
+; %f: script filename
+; %l: content-length of the request (for POST request only)
+; %m: request method
+; %M: peak of memory allocated by PHP
+; it can accept the following format:
+; - %{bytes}M (default)
+; - %{kilobytes}M
+; - %{kilo}M
+; - %{megabytes}M
+; - %{mega}M
+; %n: pool name
+; %o: output header
+; it must be associated with embraces to specify the name of the header:
+; - %{Content-Type}o
+; - %{X-Powered-By}o
+; - %{Transfert-Encoding}o
+; - ....
+; %p: PID of the child that serviced the request
+; %P: PID of the parent of the child that serviced the request
+; %q: the query string
+; %Q: the '?' character if query string exists
+; %r: the request URI (without the query string, see %q and %Q)
+; %R: remote IP address
+; %s: status (response code)
+; %t: server time the request was received
+; it can accept a strftime(3) format:
+; %d/%b/%Y:%H:%M:%S %z (default)
+; The strftime(3) format must be encapsuled in a %{}t tag
+; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+; %T: time the log has been written (the request has finished)
+; it can accept a strftime(3) format:
+; %d/%b/%Y:%H:%M:%S %z (default)
+; The strftime(3) format must be encapsuled in a %{}t tag
+; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+; %u: remote user
+;
+; Default: "%R - %u %t \"%m %r\" %s"
+;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
+
+; The log file for slow requests
+; Default Value: not set
+; Note: slowlog is mandatory if request_slowlog_timeout is set
+;slowlog = log/$pool.log.slow
+
+; The timeout for serving a single request after which a PHP backtrace will be
+; dumped to the 'slowlog' file. A value of '0s' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_slowlog_timeout = 0
+
+; Depth of slow log stack trace.
+; Default Value: 20
+;request_slowlog_trace_depth = 20
+
+; The timeout for serving a single request after which the worker process will
+; be killed. This option should be used when the 'max_execution_time' ini option
+; does not stop script execution for some reason. A value of '0' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_terminate_timeout = 0
+
+; Set open file descriptor rlimit.
+; Default Value: system defined value
+;rlimit_files = 1024
+
+; Set max core size rlimit.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+;rlimit_core = 0
+
+; Chroot to this directory at the start. This value must be defined as an
+; absolute path. When this value is not set, chroot is not used.
+; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
+; of its subdirectories. If the pool prefix is not set, the global prefix
+; will be used instead.
+; Note: chrooting is a great security feature and should be used whenever
+; possible. However, all PHP paths will be relative to the chroot
+; (error_log, sessions.save_path, ...).
+; Default Value: not set
+;chroot =
+
+; Chdir to this directory at the start.
+; Note: relative path can be used.
+; Default Value: current directory or / when chroot
+;chdir = /var/www
+
+; Redirect worker stdout and stderr into main error log. If not set, stdout and
+; stderr will be redirected to /dev/null according to FastCGI specs.
+; Note: on highloaded environement, this can cause some delay in the page
+; process time (several ms).
+; Default Value: no
+;catch_workers_output = yes
+
+; Decorate worker output with prefix and suffix containing information about
+; the child that writes to the log and if stdout or stderr is used as well as
+; log level and time. This options is used only if catch_workers_output is yes.
+; Settings to "no" will output data as written to the stdout or stderr.
+; Default value: yes
+;decorate_workers_output = no
+
+; Clear environment in FPM workers
+; Prevents arbitrary environment variables from reaching FPM worker processes
+; by clearing the environment in workers before env vars specified in this
+; pool configuration are added.
+; Setting to "no" will make all environment variables available to PHP code
+; via getenv(), $_ENV and $_SERVER.
+; Default Value: yes
+;clear_env = no
+
+; Limits the extensions of the main script FPM will allow to parse. This can
+; prevent configuration mistakes on the web server side. You should only limit
+; FPM to .php extensions to prevent malicious users to use other extensions to
+; execute php code.
+; Note: set an empty value to allow all extensions.
+; Default Value: .php
+;security.limit_extensions = .php .php3 .php4 .php5 .php7
+
+; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
+; the current environment.
+; Default Value: clean env
+;env[HOSTNAME] = $HOSTNAME
+;env[PATH] = /usr/local/bin:/usr/bin:/bin
+;env[TMP] = /tmp
+;env[TMPDIR] = /tmp
+;env[TEMP] = /tmp
+
+; Additional php.ini defines, specific to this pool of workers. These settings
+; overwrite the values previously defined in the php.ini. The directives are the
+; same as the PHP SAPI:
+; php_value/php_flag - you can set classic ini defines which can
+; be overwritten from PHP call 'ini_set'.
+; php_admin_value/php_admin_flag - these directives won't be overwritten by
+; PHP call 'ini_set'
+; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
+
+; Defining 'extension' will load the corresponding shared extension from
+; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
+; overwrite previously defined php.ini values, but will append the new value
+; instead.
+
+; Note: path INI options can be relative and will be expanded with the prefix
+; (pool, global or /usr)
+
+; Default Value: nothing is defined by default except the values in php.ini and
+; specified at startup with the -d argument
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
+;php_flag[display_errors] = off
+;php_admin_value[error_log] = /var/log/fpm-php.www.log
+;php_admin_flag[log_errors] = on
+;php_admin_value[memory_limit] = 32M
diff --git a/roles/php/handlers/main.yml b/roles/php/handlers/main.yml
new file mode 100644
index 0000000..bf892e3
--- /dev/null
+++ b/roles/php/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart php-fpm
+ service:
+ name: "php{{ php_version }}-fpm"
+ state: restarted
diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml
new file mode 100644
index 0000000..246e979
--- /dev/null
+++ b/roles/php/tasks/main.yml
@@ -0,0 +1,27 @@
+- name: install php-fpm
+ package:
+ name: php-fpm
+ state: present
+
+- name: configure php-fpm
+ copy:
+ src: ./files/www.conf
+ dest: /etc/php/{{ php_version }}/fpm/pool.d/www.conf
+ notify:
+ - restart php-fpm
+
+- name: configure php
+ copy:
+ src: ./files/php.ini
+ dest: /etc/php/{{ php_version }}/fpm/php.ini
+ notify:
+ - restart php-fpm
+
+- name: install lib for php
+ package:
+ name: "php-{{ item }}"
+ state: present
+ loop: "{{ php_modules }}"
+ notify:
+ - restart php-fpm
+
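Review bot: In roles/php/tasks/main.yml the first task installs the unversioned `php-fpm` meta-package, while both copy tasks write under `/etc/php/{{ php_version }}/fpm/...` and the handler restarts `php{{ php_version }}-fpm`; nothing ties `php_version` to the version the meta-package actually pulls in, so if they diverge the copy fails on a missing directory or, worse, a pool file is written that the running FPM never loads. Installing the versioned package keeps all three in agreement: `name: "php{{ php_version }}-fpm"`. I also do not see a `defaults/main.yml` for this role in the visible part of the diff; if `php_version` and `php_modules` have no defaults, the role fails on an undefined variable the first time it runs on a host that does not set them explicitly.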
diff --git a/roles/postgres/defaults/main.yml b/roles/postgres/defaults/main.yml
new file mode 100644
index 0000000..1706527
--- /dev/null
+++ b/roles/postgres/defaults/main.yml
@@ -0,0 +1 @@
+pg_version: "{% if ansible_facts['os_family'] == 'Debian' and ansible_facts['distribution_major_version'] == '9' %}9.6{% elif ansible_facts['os_family'] == 'Debian' and ansible_facts['distribution_major_version'] == '10' %}11{% endif %}"
diff --git a/roles/postgres/files/pg_hba.conf b/roles/postgres/files/pg_hba.conf
new file mode 100644
index 0000000..6b80da8
--- /dev/null
+++ b/roles/postgres/files/pg_hba.conf
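Review bot: The `pg_version` expression silently evaluates to an empty string on any host that is not Debian 9 or 10 (Ubuntu, for example, reports `os_family == 'Debian'` with its own major version), and every path later built from it degrades to `/etc/postgresql//main/...` instead of failing early. A guard task at the top of the role makes the unsupported case explicit: `- assert: { that: "pg_version | length > 0", msg: "postgres role: unsupported distribution" }`. Note also that the `postgresql.conf` shipped in this same commit hardcodes `hba_file`/`ident_file` under `/etc/postgresql/11/main/` and `cluster_name = '11/main'`, so the 9.6 branch of this default is inconsistent with the configuration the role actually installs on a Debian 9 host.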
@@ -0,0 +1,99 @@
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the PostgreSQL
+# documentation for a complete description of this file. A short
+# synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access. Records take one of these forms:
+#
+# local DATABASE USER METHOD [OPTIONS]
+# host DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
+# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
+#
+# (The uppercase items must be replaced by actual values.)
+#
+# The first field is the connection type: "local" is a Unix-domain
+# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
+# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
+# plain TCP/IP socket.
+#
+# DATABASE can be "all", "sameuser", "samerole", "replication", a
+# database name, or a comma-separated list thereof. The "all"
+# keyword does not match "replication". Access to replication
+# must be enabled in a separate record (see example below).
+#
+# USER can be "all", a user name, a group name prefixed with "+", or a
+# comma-separated list thereof. In both the DATABASE and USER fields
+# you can also write a file name prefixed with "@" to include names
+# from a separate file.
+#
+# ADDRESS specifies the set of hosts the record matches. It can be a
+# host name, or it is made up of an IP address and a CIDR mask that is
+# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
+# specifies the number of significant bits in the mask. A host name
+# that starts with a dot (.) matches a suffix of the actual host name.
+# Alternatively, you can write an IP address and netmask in separate
+# columns to specify the set of hosts. Instead of a CIDR-address, you
+# can write "samehost" to match any of the server's own IP addresses,
+# or "samenet" to match any address in any subnet that the server is
+# directly connected to.
+#
+# METHOD can be "trust", "reject", "md5", "password", "gss", "sspi",
+# "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
+# "password" sends passwords in clear text; "md5" is preferred since
+# it sends encrypted passwords.
+#
+# OPTIONS are a set of options for the authentication in the format
+# NAME=VALUE. The available options depend on the different
+# authentication methods -- refer to the "Client Authentication"
+# section in the documentation for a list of which options are
+# available for which authentication methods.
+#
+# Database and user names containing spaces, commas, quotes and other
+# special characters must be quoted. Quoting one of the keywords
+# "all", "sameuser", "samerole" or "replication" makes the name lose
+# its special character, and just match a database or username with
+# that name.
+#
+# This file is read on server startup and when the postmaster receives
+# a SIGHUP signal. If you edit the file on a running system, you have
+# to SIGHUP the postmaster for the changes to take effect. You can
+# use "pg_ctl reload" to do that.
+
+# Put your actual configuration here
+# ----------------------------------
+#
+# If you want to allow non-local connections, you need to add more
+# "host" records. In that case you will also need to make PostgreSQL
+# listen on a non-local interface via the listen_addresses
+# configuration parameter, or via the -i or -h command line switches.
+
+
+
+
+# DO NOT DISABLE!
+# If you change this first entry you will need to make sure that the
+# database superuser can access the database using some other method.
+# Noninteractive access to all databases is required during automatic
+# maintenance (custom daily cronjobs, replication, and similar tasks).
+#
+# Database administrative login by Unix domain socket
+local all postgres peer
+
+# TYPE DATABASE USER ADDRESS METHOD
+
+# "local" is for Unix domain socket connections only
+local all all md5
+# IPv4 local connections:
+host all all 127.0.0.1/32 md5
+# IPv6 local connections:
+host all all ::1/128 md5
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+#local replication postgres peer
+#host replication postgres 127.0.0.1/32 md5
+#host replication postgres ::1/128 md5
diff --git a/roles/postgres/files/postgresql.conf b/roles/postgres/files/postgresql.conf
new file mode 100644
index 0000000..8cc90a8
--- /dev/null
+++ b/roles/postgres/files/postgresql.conf
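Review bot: The three active records at the end of pg_hba.conf (`local all all md5` and the two loopback `host` entries) use `md5`, whereas the postgresql.conf shipped next to it targets PostgreSQL 11, where `scram-sha-256` is available and strictly better: with `md5` the stored hash is itself sufficient to authenticate, so a leaked `pg_authid` dump or a captured hash is as good as the password. Switch the three lines to `local all all scram-sha-256`, `host all all 127.0.0.1/32 scram-sha-256` and `host all all ::1/128 scram-sha-256`, and set `password_encryption = scram-sha-256` in postgresql.conf (it is left commented at its `md5` default there) so newly set passwords are stored in SCRAM form. Passwords already stored as md5 hashes will stop working once the method changes, so they must be reset first. The role's `pg_version` default also admits 9.6, which has no SCRAM support; since this file is copied verbatim, it would need to become a template keyed on `pg_version` or the role restricted to 11.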
@@ -0,0 +1,690 @@
+# -----------------------------
+# PostgreSQL configuration file
+# -----------------------------
+#
+# This file consists of lines of the form:
+#
+# name = value
+#
+# (The "=" is optional.) Whitespace may be used. Comments are introduced with
+# "#" anywhere on a line. The complete list of parameter names and allowed
+# values can be found in the PostgreSQL documentation.
+#
+# The commented-out settings shown in this file represent the default values.
+# Re-commenting a setting is NOT sufficient to revert it to the default value;
+# you need to reload the server.
+#
+# This file is read on server startup and when the server receives a SIGHUP
+# signal. If you edit the file on a running system, you have to SIGHUP the
+# server for the changes to take effect, run "pg_ctl reload", or execute
+# "SELECT pg_reload_conf()". Some parameters, which are marked below,
+# require a server shutdown and restart to take effect.
+#
+# Any parameter can also be given as a command-line option to the server, e.g.,
+# "postgres -c log_connections=on". Some parameters can be changed at run time
+# with the "SET" SQL command.
+#
+# Memory units: kB = kilobytes Time units: ms = milliseconds
+# MB = megabytes s = seconds
+# GB = gigabytes min = minutes
+# TB = terabytes h = hours
+# d = days
+
+
+#------------------------------------------------------------------------------
+# FILE LOCATIONS
+#------------------------------------------------------------------------------
+
+# The default values of these variables are driven from the -D command-line
+# option or PGDATA environment variable, represented here as ConfigDir.
+
+data_directory = '/srv/postgresql' # use data in another directory
+ # (change requires restart)
+hba_file = '/etc/postgresql/11/main/pg_hba.conf' # host-based authentication file
+ # (change requires restart)
+ident_file = '/etc/postgresql/11/main/pg_ident.conf' # ident configuration file
+ # (change requires restart)
+
+# If external_pid_file is not explicitly set, no extra PID file is written.
+external_pid_file = '/var/run/postgresql/11-main.pid' # write an extra PID file
+ # (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONNECTIONS AND AUTHENTICATION
+#------------------------------------------------------------------------------
+
+# - Connection Settings -
+
+#listen_addresses = 'localhost' # what IP address(es) to listen on;
+ # comma-separated list of addresses;
+ # defaults to 'localhost'; use '*' for all
+ # (change requires restart)
+port = 5432 # (change requires restart)
+max_connections = 100 # (change requires restart)
+#superuser_reserved_connections = 3 # (change requires restart)
+unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories
+ # (change requires restart)
+#unix_socket_group = '' # (change requires restart)
+#unix_socket_permissions = 0777 # begin with 0 to use octal notation
+ # (change requires restart)
+#bonjour = off # advertise server via Bonjour
+ # (change requires restart)
+#bonjour_name = '' # defaults to the computer name
+ # (change requires restart)
+
+# - TCP Keepalives -
+# see "man 7 tcp" for details
+
+#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
+ # 0 selects the system default
+#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
+ # 0 selects the system default
+#tcp_keepalives_count = 0 # TCP_KEEPCNT;
+ # 0 selects the system default
+
+# - Authentication -
+
+#authentication_timeout = 1min # 1s-600s
+#password_encryption = md5 # md5 or scram-sha-256
+#db_user_namespace = off
+
+# GSSAPI using Kerberos
+#krb_server_keyfile = ''
+#krb_caseins_users = off
+
+# - SSL -
+
+ssl = on
+#ssl_ca_file = ''
+ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+#ssl_crl_file = ''
+ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
+#ssl_prefer_server_ciphers = on
+#ssl_ecdh_curve = 'prime256v1'
+#ssl_dh_params_file = ''
+#ssl_passphrase_command = ''
+#ssl_passphrase_command_supports_reload = off
+
+
+#------------------------------------------------------------------------------
+# RESOURCE USAGE (except WAL)
+#------------------------------------------------------------------------------
+
+# - Memory -
+
+shared_buffers = 128MB # min 128kB
+ # (change requires restart)
+#huge_pages = try # on, off, or try
+ # (change requires restart)
+#temp_buffers = 8MB # min 800kB
+#max_prepared_transactions = 0 # zero disables the feature
+ # (change requires restart)
+# Caution: it is not advisable to set max_prepared_transactions nonzero unless
+# you actively intend to use prepared transactions.
+#work_mem = 4MB # min 64kB +#maintenance_work_mem = 64MB # min 1MB +#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem +#max_stack_depth = 2MB # min 100kB +dynamic_shared_memory_type = posix # the default is the first option + # supported by the operating system: + # posix + # sysv + # windows + # mmap + # use none to disable dynamic shared memory + # (change requires restart) + +# - Disk - + +#temp_file_limit = -1 # limits per-process temp file space + # in kB, or -1 for no limit + +# - Kernel Resources - + +#max_files_per_process = 1000 # min 25 + # (change requires restart) + +# - Cost-Based Vacuum Delay - + +#vacuum_cost_delay = 0 # 0-100 milliseconds +#vacuum_cost_page_hit = 1 # 0-10000 credits +#vacuum_cost_page_miss = 10 # 0-10000 credits +#vacuum_cost_page_dirty = 20 # 0-10000 credits +#vacuum_cost_limit = 200 # 1-10000 credits + +# - Background Writer - + +#bgwriter_delay = 200ms # 10-10000ms between rounds +#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables +#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round +#bgwriter_flush_after = 512kB # measured in pages, 0 disables + +# - Asynchronous Behavior - + +#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching +#max_worker_processes = 8 # (change requires restart) +#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers +#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers +#parallel_leader_participation = on +#max_parallel_workers = 8 # maximum number of max_worker_processes that + # can be used in parallel operations +#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate + # (change requires restart) +#backend_flush_after = 0 # measured in pages, 0 disables + + +#------------------------------------------------------------------------------ +# WRITE-AHEAD LOG +#------------------------------------------------------------------------------ + +# - Settings - + +#wal_level = replica # 
minimal, replica, or logical + # (change requires restart) +#fsync = on # flush data to disk for crash safety + # (turning this off can cause + # unrecoverable data corruption) +#synchronous_commit = on # synchronization level; + # off, local, remote_write, remote_apply, or on +#wal_sync_method = fsync # the default is the first option + # supported by the operating system: + # open_datasync + # fdatasync (default on Linux) + # fsync + # fsync_writethrough + # open_sync +#full_page_writes = on # recover from partial page writes +#wal_compression = off # enable compression of full-page writes +#wal_log_hints = off # also do full page writes of non-critical updates + # (change requires restart) +#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers + # (change requires restart) +#wal_writer_delay = 200ms # 1-10000 milliseconds +#wal_writer_flush_after = 1MB # measured in pages, 0 disables + +#commit_delay = 0 # range 0-100000, in microseconds +#commit_siblings = 5 # range 1-1000 + +# - Checkpoints - + +#checkpoint_timeout = 5min # range 30s-1d +max_wal_size = 1GB +min_wal_size = 80MB +#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0 +#checkpoint_flush_after = 256kB # measured in pages, 0 disables +#checkpoint_warning = 30s # 0 disables + +# - Archiving - + +#archive_mode = off # enables archiving; off, on, or always + # (change requires restart) +#archive_command = '' # command to use to archive a logfile segment + # placeholders: %p = path of file to archive + # %f = file name only + # e.g. 'test ! 
-f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f' +#archive_timeout = 0 # force a logfile segment switch after this + # number of seconds; 0 disables + + +#------------------------------------------------------------------------------ +# REPLICATION +#------------------------------------------------------------------------------ + +# - Sending Servers - + +# Set these on the master and on any standby that will send replication data. + +#max_wal_senders = 10 # max number of walsender processes + # (change requires restart) +#wal_keep_segments = 0 # in logfile segments; 0 disables +#wal_sender_timeout = 60s # in milliseconds; 0 disables + +#max_replication_slots = 10 # max number of replication slots + # (change requires restart) +#track_commit_timestamp = off # collect timestamp of transaction commit + # (change requires restart) + +# - Master Server - + +# These settings are ignored on a standby server. + +#synchronous_standby_names = '' # standby servers that provide sync rep + # method to choose sync standbys, number of sync standbys, + # and comma-separated list of application_name + # from standby(s); '*' = all +#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed + +# - Standby Servers - + +# These settings are ignored on a master server. 
+ +#hot_standby = on # "off" disallows queries during recovery + # (change requires restart) +#max_standby_archive_delay = 30s # max delay before canceling queries + # when reading WAL from archive; + # -1 allows indefinite delay +#max_standby_streaming_delay = 30s # max delay before canceling queries + # when reading streaming WAL; + # -1 allows indefinite delay +#wal_receiver_status_interval = 10s # send replies at least this often + # 0 disables +#hot_standby_feedback = off # send info from standby to prevent + # query conflicts +#wal_receiver_timeout = 60s # time that receiver waits for + # communication from master + # in milliseconds; 0 disables +#wal_retrieve_retry_interval = 5s # time to wait before retrying to + # retrieve WAL after a failed attempt + +# - Subscribers - + +# These settings are ignored on a publisher. + +#max_logical_replication_workers = 4 # taken from max_worker_processes + # (change requires restart) +#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers + + +#------------------------------------------------------------------------------ +# QUERY TUNING +#------------------------------------------------------------------------------ + +# - Planner Method Configuration - + +#enable_bitmapscan = on +#enable_hashagg = on +#enable_hashjoin = on +#enable_indexscan = on +#enable_indexonlyscan = on +#enable_material = on +#enable_mergejoin = on +#enable_nestloop = on +#enable_parallel_append = on +#enable_seqscan = on +#enable_sort = on +#enable_tidscan = on +#enable_partitionwise_join = off +#enable_partitionwise_aggregate = off +#enable_parallel_hash = on +#enable_partition_pruning = on + +# - Planner Cost Constants - + +#seq_page_cost = 1.0 # measured on an arbitrary scale +#random_page_cost = 4.0 # same scale as above +#cpu_tuple_cost = 0.01 # same scale as above +#cpu_index_tuple_cost = 0.005 # same scale as above +#cpu_operator_cost = 0.0025 # same scale as above +#parallel_tuple_cost = 0.1 # same scale as 
above +#parallel_setup_cost = 1000.0 # same scale as above + +#jit_above_cost = 100000 # perform JIT compilation if available + # and query more expensive than this; + # -1 disables +#jit_inline_above_cost = 500000 # inline small functions if query is + # more expensive than this; -1 disables +#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if + # query is more expensive than this; + # -1 disables + +#min_parallel_table_scan_size = 8MB +#min_parallel_index_scan_size = 512kB +#effective_cache_size = 4GB + +# - Genetic Query Optimizer - + +#geqo = on +#geqo_threshold = 12 +#geqo_effort = 5 # range 1-10 +#geqo_pool_size = 0 # selects default based on effort +#geqo_generations = 0 # selects default based on effort +#geqo_selection_bias = 2.0 # range 1.5-2.0 +#geqo_seed = 0.0 # range 0.0-1.0 + +# - Other Planner Options - + +#default_statistics_target = 100 # range 1-10000 +#constraint_exclusion = partition # on, off, or partition +#cursor_tuple_fraction = 0.1 # range 0.0-1.0 +#from_collapse_limit = 8 +#join_collapse_limit = 8 # 1 disables collapsing of explicit + # JOIN clauses +#force_parallel_mode = off +#jit = off # allow JIT compilation + + +#------------------------------------------------------------------------------ +# REPORTING AND LOGGING +#------------------------------------------------------------------------------ + +# - Where to Log - + +#log_destination = 'stderr' # Valid values are combinations of + # stderr, csvlog, syslog, and eventlog, + # depending on platform. csvlog + # requires logging_collector to be on. + +# This is used when logging to stderr: +#logging_collector = off # Enable capturing of stderr and csvlog + # into log files. Required to be on for + # csvlogs. 
+ # (change requires restart) + +# These are only used if logging_collector is on: +#log_directory = 'log' # directory where log files are written, + # can be absolute or relative to PGDATA +#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern, + # can include strftime() escapes +#log_file_mode = 0600 # creation mode for log files, + # begin with 0 to use octal notation +#log_truncate_on_rotation = off # If on, an existing log file with the + # same name as the new log file will be + # truncated rather than appended to. + # But such truncation only occurs on + # time-driven rotation, not on restarts + # or size-driven rotation. Default is + # off, meaning append to existing files + # in all cases. +#log_rotation_age = 1d # Automatic rotation of logfiles will + # happen after that time. 0 disables. +#log_rotation_size = 10MB # Automatic rotation of logfiles will + # happen after that much log output. + # 0 disables. + +# These are relevant when logging to syslog: +#syslog_facility = 'LOCAL0' +#syslog_ident = 'postgres' +#syslog_sequence_numbers = on +#syslog_split_messages = on + +# This is only relevant when logging to eventlog (win32): +# (change requires restart) +#event_source = 'PostgreSQL' + +# - When to Log - + +#log_min_messages = warning # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic + +#log_min_error_statement = error # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic (effectively off) + +#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements + # and their durations, > 0 logs only + # statements running at least this number + # of milliseconds + + +# - What to Log - + +#debug_print_parse = off +#debug_print_rewritten = off +#debug_print_plan = off +#debug_pretty_print = on +#log_checkpoints 
= off +#log_connections = off +#log_disconnections = off +#log_duration = off +#log_error_verbosity = default # terse, default, or verbose messages +#log_hostname = off +log_line_prefix = '%m [%p] %q%u@%d ' # special values: + # %a = application name + # %u = user name + # %d = database name + # %r = remote host and port + # %h = remote host + # %p = process ID + # %t = timestamp without milliseconds + # %m = timestamp with milliseconds + # %n = timestamp with milliseconds (as a Unix epoch) + # %i = command tag + # %e = SQL state + # %c = session ID + # %l = session line number + # %s = session start timestamp + # %v = virtual transaction ID + # %x = transaction ID (0 if none) + # %q = stop here in non-session + # processes + # %% = '%' + # e.g. '<%u%%%d> ' +#log_lock_waits = off # log lock waits >= deadlock_timeout +#log_statement = 'none' # none, ddl, mod, all +#log_replication_commands = off +#log_temp_files = -1 # log temporary files equal or larger + # than the specified size in kilobytes; + # -1 disables, 0 logs all temp files +log_timezone = 'Europe/Paris' + +#------------------------------------------------------------------------------ +# PROCESS TITLE +#------------------------------------------------------------------------------ + +cluster_name = '11/main' # added to process titles if nonempty + # (change requires restart) +#update_process_title = on + + +#------------------------------------------------------------------------------ +# STATISTICS +#------------------------------------------------------------------------------ + +# - Query and Index Statistics Collector - + +#track_activities = on +#track_counts = on +#track_io_timing = off +#track_functions = none # none, pl, all +#track_activity_query_size = 1024 # (change requires restart) +stats_temp_directory = '/var/run/postgresql/11-main.pg_stat_tmp' + + +# - Monitoring - + +#log_parser_stats = off +#log_planner_stats = off +#log_executor_stats = off +#log_statement_stats = off + + 
+#------------------------------------------------------------------------------ +# AUTOVACUUM +#------------------------------------------------------------------------------ + +#autovacuum = on # Enable autovacuum subprocess? 'on' + # requires track_counts to also be on. +#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and + # their durations, > 0 logs only + # actions running at least this number + # of milliseconds. +#autovacuum_max_workers = 3 # max number of autovacuum subprocesses + # (change requires restart) +#autovacuum_naptime = 1min # time between autovacuum runs +#autovacuum_vacuum_threshold = 50 # min number of row updates before + # vacuum +#autovacuum_analyze_threshold = 50 # min number of row updates before + # analyze +#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum +#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze +#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum + # (change requires restart) +#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age + # before forced vacuum + # (change requires restart) +#autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for + # autovacuum, in milliseconds; + # -1 means use vacuum_cost_delay +#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for + # autovacuum, -1 means use + # vacuum_cost_limit + + +#------------------------------------------------------------------------------ +# CLIENT CONNECTION DEFAULTS +#------------------------------------------------------------------------------ + +# - Statement Behavior - + +#client_min_messages = notice # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # log + # notice + # warning + # error +#search_path = '"$user", public' # schema names +#row_security = on +#default_tablespace = '' # a tablespace name, '' uses the default +#temp_tablespaces = '' # a list of tablespace 
names, '' uses
+ # only default tablespace
+#check_function_bodies = on
+#default_transaction_isolation = 'read committed'
+#default_transaction_read_only = off
+#default_transaction_deferrable = off
+#session_replication_role = 'origin'
+#statement_timeout = 0 # in milliseconds, 0 is disabled
+#lock_timeout = 0 # in milliseconds, 0 is disabled
+#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled
+#vacuum_freeze_min_age = 50000000
+#vacuum_freeze_table_age = 150000000
+#vacuum_multixact_freeze_min_age = 5000000
+#vacuum_multixact_freeze_table_age = 150000000
+#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples
+ # before index cleanup, 0 always performs
+ # index cleanup
+#bytea_output = 'hex' # hex, escape
+#xmlbinary = 'base64'
+#xmloption = 'content'
+#gin_fuzzy_search_limit = 0
+#gin_pending_list_limit = 4MB
+
+# - Locale and Formatting -
+
+datestyle = 'iso, dmy'
+#intervalstyle = 'postgres'
+timezone = 'Europe/Paris'
+#timezone_abbreviations = 'Default' # Select the set of available time zone
+ # abbreviations. Currently, there are
+ # Default
+ # Australia (historical usage)
+ # India
+ # You can create your own file in
+ # share/timezonesets/.
+#extra_float_digits = 0 # min -15, max 3
+#client_encoding = sql_ascii # actually, defaults to database
+ # encoding
+
+# These settings are initialized by initdb, but they can be changed.
+lc_messages = 'fr_FR.UTF-8' # locale for system error message
+ # strings
+lc_monetary = 'fr_FR.UTF-8' # locale for monetary formatting
+lc_numeric = 'fr_FR.UTF-8' # locale for number formatting
+lc_time = 'fr_FR.UTF-8' # locale for time formatting
+
+# default configuration for text search
+default_text_search_config = 'pg_catalog.french'
+
+# - Shared Library Preloading -
+
+#shared_preload_libraries = '' # (change requires restart)
+#local_preload_libraries = ''
+#session_preload_libraries = ''
+#jit_provider = 'llvmjit' # JIT library to use
+
+# - Other Defaults -
+
+#dynamic_library_path = '$libdir'
+
+
+#------------------------------------------------------------------------------
+# LOCK MANAGEMENT
+#------------------------------------------------------------------------------
+
+#deadlock_timeout = 1s
+#max_locks_per_transaction = 64 # min 10
+ # (change requires restart)
+#max_pred_locks_per_transaction = 64 # min 10
+ # (change requires restart)
+#max_pred_locks_per_relation = -2 # negative values mean
+ # (max_pred_locks_per_transaction
+ # / -max_pred_locks_per_relation) - 1
+#max_pred_locks_per_page = 2 # min 0
+
+
+#------------------------------------------------------------------------------
+# VERSION AND PLATFORM COMPATIBILITY
+#------------------------------------------------------------------------------
+
+# - Previous PostgreSQL Versions -
+
+#array_nulls = on
+#backslash_quote = safe_encoding # on, off, or safe_encoding
+#default_with_oids = off
+#escape_string_warning = on
+#lo_compat_privileges = off
+#operator_precedence_warning = off
+#quote_all_identifiers = off
+#standard_conforming_strings = on
+#synchronize_seqscans = on
+
+# - Other Platforms and Clients -
+
+#transform_null_equals = off
+
+
+#------------------------------------------------------------------------------
+# ERROR HANDLING
+#------------------------------------------------------------------------------
+
+#exit_on_error = off # terminate session on any error?
+#restart_after_crash = on # reinitialize after backend crash?
+#data_sync_retry = off # retry or panic on failure to fsync
+ # data?
+ # (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONFIG FILE INCLUDES
+#------------------------------------------------------------------------------
+
+# These options allow settings to be loaded from files other than the
+# default postgresql.conf.
+
+include_dir = 'conf.d' # include files ending in '.conf' from
+ # a directory, e.g., 'conf.d'
+#include_if_exists = '' # include file only if it exists
+#include = '' # include file
+
+
+#------------------------------------------------------------------------------
+# CUSTOMIZED OPTIONS
+#------------------------------------------------------------------------------
+
+# Add settings for extensions here
diff --git a/roles/postgres/handlers/main.yml b/roles/postgres/handlers/main.yml
new file mode 100644
index 0000000..b5ed6e7
--- /dev/null
+++ b/roles/postgres/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart postgres
+ service:
+ name: "postgresql@{{ pg_version }}-main"
+ state: restarted
diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml
new file mode 100644
index 0000000..8bfaa0d
--- /dev/null
+++ b/roles/postgres/tasks/main.yml
@@ -0,0 +1,46 @@
+- name: install postgresql
+ package:
+ name: postgresql
+ state: present
+
+- name: create pgsql directory
+ file:
+ path: /srv/postgresql
+ owner: postgres
+ group: postgres
+ state: directory
+
+- name: populate postgresql directory
+ command: "/usr/lib/postgresql/{{ pg_version }}/bin/initdb -E UTF-8 /srv/postgresql/"
+ become: yes
+ become_user: postgres
+ args:
+ creates: /srv/postgresql/PG_VERSION
+ notify: restart postgres
+
+- name: replace main conffile
+ copy:
+ src: files/postgresql.conf
+ dest: "/etc/postgresql/{{ pg_version }}/main/postgresql.conf"
+ notify: restart postgres
+
+- name: replace pg_hba file
+ copy:
+ src: files/pg_hba.conf
+ dest: "/etc/postgresql/{{ pg_version }}/main/pg_hba.conf"
+ notify: restart postgres
+
+- name: create backup dir
+ file:
+ path: /srv/backup/pgsql
+ owner: postgres
+ group: postgres
+ state: directory
+
+- name: backup pg databases
+ cron:
+ user: postgres
+ minute: "0"
+ hour: "4"
+ name: PG Backup
+ job: "/usr/bin/pg_dumpall | gzip -c > /srv/backup/pgsql/all.dbs.gz"
diff --git a/roles/system/files/5-install b/roles/system/files/5-install
new file mode 100644
index 0000000..0b2693f
--- /dev/null
+++ b/roles/system/files/5-install
@@ -0,0 +1 @@
+dist-upgrade -y -o APT::Get::Show-Upgraded=true -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold
diff --git a/roles/system/files/dotbashrc b/roles/system/files/dotbashrc
new file mode 100644
index 0000000..a1044f7
--- /dev/null
+++ b/roles/system/files/dotbashrc
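Review bot: The cron job at the end of the hunk overwrites `/srv/backup/pgsql/all.dbs.gz` even when `pg_dumpall` fails, because the redirect truncates the file before the pipeline runs and the pipeline's exit status is gzip's, so a failed dump silently replaces the only good backup with an empty archive. Dump to a temporary file and compress it into place only on success, e.g. `job: "/usr/bin/pg_dumpall -f /srv/backup/pgsql/all.dbs.tmp && gzip -c /srv/backup/pgsql/all.dbs.tmp > /srv/backup/pgsql/all.dbs.gz && rm /srv/backup/pgsql/all.dbs.tmp"`. Since that dump holds every database plus role password hashes, the `create backup dir` task should also pin `mode: "0700"` so only the postgres user can read it, and the two `copy` tasks should set `owner`/`group`/`mode` on the config files rather than leaving them to the connection user's umask. `become: yes` in the initdb task should be `become: true` (yamllint `truthy`), and `pg_version` is not defined anywhere in view, so make sure a role default provides it.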
@@ -0,0 +1,19 @@
+# ~/.bashrc: executed by bash(1) for non-login shells.
+
+# Note: PS1 and umask are already set in /etc/profile. You should not
+# need this unless you want different defaults for root.
+# PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
+# umask 022
+
+# You may uncomment the following lines if you want `ls' to be colorized:
+export LS_OPTIONS='--color=auto'
+eval "`dircolors`"
+alias ls='ls $LS_OPTIONS'
+alias ll='ls $LS_OPTIONS -l'
+alias l='ls $LS_OPTIONS -lA'
+#
+# Some more alias to avoid making mistakes:
+alias rm='rm -i'
+alias cp='cp -i'
+alias mv='mv -i'
+. "/etc/x509/acme.sh.env"
diff --git a/roles/system/files/ssh/home.id_rsa.pub b/roles/system/files/ssh/home.id_rsa.pub
new file mode 100644
index 0000000..7ff0bb0
--- /dev/null
+++ b/roles/system/files/ssh/home.id_rsa.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc1pahc4fTbyave6S4Y5co9yYKelnUbHjhHkA2yiHdgauwwvcMqHu+JbHSJyXjkyhDlVA0gXexa/rDE9XJyVw5KGKsz5l05K21YhiDC0btYyA1RBju3b6lEdl43MasWDhZPB+HU06jUTgGXqobfjiPkGy9CEhPSzNZd7fDy60BwqS7KNLE3PWQ46j3HTDmw6yJUGBmICIhu8wSmJ5qcnzAAF5tnBGAENBMuRrkhOFts/FPBnn6sUmXOO4X3DecTRPE8Fwchn+RlVHc/tKt+hUtak4enVIKfNsRRTAR1yZKwBJkqrpDI509tZRmvcmawP9/p25yAUD2PBi2Ft+nlqxz
diff --git a/roles/system/files/ssh/work.id_rsa.pub b/roles/system/files/ssh/work.id_rsa.pub
new file mode 100644
index 0000000..9e4687b
--- /dev/null
+++ b/roles/system/files/ssh/work.id_rsa.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzxdkNy1r7j79Lv9OdKHvpNr1LmHOz6np0w8JGH63kH/1y330aRu4p90mf4QZrnPsUx1nYUKWgaR5XNka3OOgh9/r8bskymteIPnx88oSG+c8bEowwNbevA8JURRh7FG/jWuclyngQW0nuplZgaCB6GuA68nYQSnFTw1xHg7Qbx7wukrsZz0dIDOTFUIcNRBabzjchP8vyDDB1jPw5ghK7VxTDSx8I6H+BhJydsCz1TJqvWvc8Z3X9yH5/OXp26rpSFkhCyDxV//9XXZvCsqjmz3KRvN0IwLMgQZZkDyDORunEg+OpSES++n0FN85tyf1BT6y8P5CcrJWMnS3fMJib
diff --git a/roles/system/files/vim/colors/solarized.vim b/roles/system/files/vim/colors/solarized.vim
new file mode 100644
index 0000000..70f5223
--- /dev/null
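Review bot: The last line of the dotbashrc hunk sources `/etc/x509/acme.sh.env` unconditionally, so every interactive root shell prints an error when that file is absent, and no task in view creates it. Guard the include, `[ -r /etc/x509/acme.sh.env ] && . /etc/x509/acme.sh.env`, and have the task that installs the file pin `owner: root` and a mode without group/world write, since anything written there is executed in root's shell on every login. The rest of the file appears to be the stock Debian root `.bashrc`, which is fine as is.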
+++ b/roles/system/files/vim/colors/solarized.vim 
@@ -0,0 +1,1117 @@ +" Name: Solarized vim colorscheme +" Author: Ethan Schoonover +" URL: http://ethanschoonover.com/solarized +" (see this url for latest release & screenshots) +" License: OSI approved MIT license (see end of this file) +" Created: In the middle of the night +" Modified: 2011 May 05 +" +" Usage "{{{ +" +" --------------------------------------------------------------------- +" ABOUT: +" --------------------------------------------------------------------- +" Solarized is a carefully designed selective contrast colorscheme with dual +" light and dark modes that runs in both GUI, 256 and 16 color modes. +" +" See the homepage above for screenshots and details. +" +" --------------------------------------------------------------------- +" OPTIONS: +" --------------------------------------------------------------------- +" See the "solarized.txt" help file included with this colorscheme (in the +" "doc" subdirectory) for information on options, usage, the Toggle Background +" function and more. If you have already installed Solarized, this is available +" from the Solarized menu and command line as ":help solarized" +" +" --------------------------------------------------------------------- +" INSTALLATION: +" --------------------------------------------------------------------- +" Two options for installation: manual or pathogen +" +" MANUAL INSTALLATION OPTION: +" --------------------------------------------------------------------- +" +" 1. Download the solarized distribution (available on the homepage above) +" and unarchive the file. +" 2. Move `solarized.vim` to your `.vim/colors` directory. +" 3. Move each of the files in each subdirectories to the corresponding .vim +" subdirectory (e.g. autoload/togglebg.vim goes into your .vim/autoload +" directory as .vim/autoload/togglebg.vim). +" +" RECOMMENDED PATHOGEN INSTALLATION OPTION: +" --------------------------------------------------------------------- +" +" 1. 
Download and install Tim Pope's Pathogen from: +" https://github.com/tpope/vim-pathogen +" +" 2. Next, move or clone the `vim-colors-solarized` directory so that it is +" a subdirectory of the `.vim/bundle` directory. +" +" a. **clone with git:** +" +" $ cd ~/.vim/bundle +" $ git clone git://github.com/altercation/vim-colors-solarized.git +" +" b. **or move manually into the pathogen bundle directory:** +" In the parent directory of vim-colors-solarized: +" +" $ mv vim-colors-solarized ~/.vim/bundle/ +" +" MODIFY VIMRC: +" +" After either Option 1 or Option 2 above, put the following two lines in your +" .vimrc: +" +" syntax enable +" set background=dark +" colorscheme solarized +" +" or, for the light background mode of Solarized: +" +" syntax enable +" set background=light +" colorscheme solarized +" +" I like to have a different background in GUI and terminal modes, so I can use +" the following if-then. However, I find vim's background autodetection to be +" pretty good and, at least with MacVim, I can leave this background value +" assignment out entirely and get the same results. +" +" if has('gui_running') +" set background=light +" else +" set background=dark +" endif +" +" See the Solarized homepage at http://ethanschoonover.com/solarized for +" screenshots which will help you select either the light or dark background. +" +" --------------------------------------------------------------------- +" COLOR VALUES +" --------------------------------------------------------------------- +" Download palettes and files from: http://ethanschoonover.com/solarized +" +" L\*a\*b values are canonical (White D65, Reference D50), other values are +" matched in sRGB space. 
+" +" SOLARIZED HEX 16/8 TERMCOL XTERM/HEX L*A*B sRGB HSB +" --------- ------- ---- ------- ----------- ---------- ----------- ----------- +" base03 #002b36 8/4 brblack 234 #1c1c1c 15 -12 -12 0 43 54 193 100 21 +" base02 #073642 0/4 black 235 #262626 20 -12 -12 7 54 66 192 90 26 +" base01 #586e75 10/7 brgreen 240 #4e4e4e 45 -07 -07 88 110 117 194 25 46 +" base00 #657b83 11/7 bryellow 241 #585858 50 -07 -07 101 123 131 195 23 51 +" base0 #839496 12/6 brblue 244 #808080 60 -06 -03 131 148 150 186 13 59 +" base1 #93a1a1 14/4 brcyan 245 #8a8a8a 65 -05 -02 147 161 161 180 9 63 +" base2 #eee8d5 7/7 white 254 #d7d7af 92 -00 10 238 232 213 44 11 93 +" base3 #fdf6e3 15/7 brwhite 230 #ffffd7 97 00 10 253 246 227 44 10 99 +" yellow #b58900 3/3 yellow 136 #af8700 60 10 65 181 137 0 45 100 71 +" orange #cb4b16 9/3 brred 166 #d75f00 50 50 55 203 75 22 18 89 80 +" red #dc322f 1/1 red 160 #d70000 50 65 45 220 50 47 1 79 86 +" magenta #d33682 5/5 magenta 125 #af005f 50 65 -05 211 54 130 331 74 83 +" violet #6c71c4 13/5 brmagenta 61 #5f5faf 50 15 -45 108 113 196 237 45 77 +" blue #268bd2 4/4 blue 33 #0087ff 55 -10 -45 38 139 210 205 82 82 +" cyan #2aa198 6/6 cyan 37 #00afaf 60 -35 -05 42 161 152 175 74 63 +" green #859900 2/2 green 64 #5f8700 60 -20 65 133 153 0 68 100 60 +" +" --------------------------------------------------------------------- +" COLORSCHEME HACKING +" --------------------------------------------------------------------- +" +" Useful commands for testing colorschemes: +" :source $VIMRUNTIME/syntax/hitest.vim +" :help highlight-groups +" :help cterm-colors +" :help group-name +" +" Useful links for developing colorschemes: +" http://www.vim.org/scripts/script.php?script_id=2937 +" http://vimcasts.org/episodes/creating-colorschemes-for-vim/ +" http://www.frexx.de/xterm-256-notes/" +" +" }}} +" Environment Specific Overrides "{{{ +" Allow or disallow certain features based on current terminal emulator or +" environment. 
+ +" Terminals that support italics +let s:terms_italic=[ + \"rxvt", + \"gnome-terminal" + \] +" For reference only, terminals are known to be incomptible. +" Terminals that are in neither list need to be tested. +let s:terms_noitalic=[ + \"iTerm.app", + \"Apple_Terminal" + \] +if has("gui_running") + let s:terminal_italic=1 " TODO: could refactor to not require this at all +else + let s:terminal_italic=0 " terminals will be guilty until proven compatible + for term in s:terms_italic + if $TERM_PROGRAM =~ term + let s:terminal_italic=1 + endif + endfor +endif + +" }}} +" Default option values"{{{ +" --------------------------------------------------------------------- +" s:options_list is used to autogenerate a list of all non-default options +" using "call SolarizedOptions()" or with the "Generate .vimrc commands" +" Solarized menu option. See the "Menus" section below for the function itself. +let s:options_list=[ + \'" this block of commands has been autogenerated by solarized.vim and', + \'" includes the current, non-default Solarized option values.', + \'" To use, place these commands in your .vimrc file (replacing any', + \'" existing colorscheme commands). See also ":help solarized"', + \'', + \'" ------------------------------------------------------------------', + \'" Solarized Colorscheme Config', + \'" ------------------------------------------------------------------', + \] +let s:colorscheme_list=[ + \'syntax enable', + \'set background='.&background, + \'colorscheme solarized', + \] +let s:defaults_list=[ + \'" ------------------------------------------------------------------', + \'', + \'" The following items are available options, but do not need to be', + \'" included in your .vimrc as they are currently set to their defaults.', + \'' + \] +let s:lazycat_list=[ + \'" lazy method of appending this onto your .vimrc ":w! >> ~/.vimrc"', + \'" ------------------------------------------------------------------', + \] + +function! 
s:SetOption(name,default) + if type(a:default) == type(0) + let l:wrap='' + let l:ewrap='' + else + let l:wrap='"' + let l:ewrap='\"' + endif + if !exists("g:solarized_".a:name) || g:solarized_{a:name}==a:default + exe 'let g:solarized_'.a:name.'='.l:wrap.a:default.l:wrap.'"' + exe 'call add(s:defaults_list, "\" let g:solarized_'.a:name.'='.l:ewrap.g:solarized_{a:name}.l:ewrap.'")' + else + exe 'call add(s:options_list, "let g:solarized_'.a:name.'='.l:ewrap.g:solarized_{a:name}.l:ewrap.' \"default value is '.a:default.'")' + endif +endfunction + +if ($TERM_PROGRAM ==? "apple_terminal" && &t_Co < 256) + let s:solarized_termtrans_default = 1 +else + let s:solarized_termtrans_default = 0 +endif +call s:SetOption("termtrans",s:solarized_termtrans_default) +call s:SetOption("degrade",0) +call s:SetOption("bold",1) +call s:SetOption("underline",1) +call s:SetOption("italic",1) " note that we need to override this later if the terminal doesn't support +call s:SetOption("termcolors",16) +call s:SetOption("contrast","normal") +call s:SetOption("visibility","normal") +call s:SetOption("diffmode","normal") +call s:SetOption("hitrail",0) +call s:SetOption("menu",1) + +"}}} +" Colorscheme initialization "{{{ +" --------------------------------------------------------------------- +hi clear +if exists("syntax_on") + syntax reset +endif +let colors_name = "solarized" + +"}}} +" GUI & CSApprox hexadecimal palettes"{{{ +" --------------------------------------------------------------------- +" +" Set both gui and terminal color values in separate conditional statements +" Due to possibility that CSApprox is running (though I suppose we could just +" leave the hex values out entirely in that case and include only cterm colors) +" We also check to see if user has set solarized (force use of the +" neutral gray monotone palette component) +if (has("gui_running") && g:solarized_degrade == 0) + let s:vmode = "gui" + let s:base03 = "#002b36" + let s:base02 = "#073642" + let s:base01 = 
"#586e75" + let s:base00 = "#657b83" + let s:base0 = "#839496" + let s:base1 = "#93a1a1" + let s:base2 = "#eee8d5" + let s:base3 = "#fdf6e3" + let s:yellow = "#b58900" + let s:orange = "#cb4b16" + let s:red = "#dc322f" + let s:magenta = "#d33682" + let s:violet = "#6c71c4" + let s:blue = "#268bd2" + let s:cyan = "#2aa198" + "let s:green = "#859900" "original + let s:green = "#719e07" "experimental +elseif (has("gui_running") && g:solarized_degrade == 1) + " These colors are identical to the 256 color mode. They may be viewed + " while in gui mode via "let g:solarized_degrade=1", though this is not + " recommened and is for testing only. + let s:vmode = "gui" + let s:base03 = "#1c1c1c" + let s:base02 = "#262626" + let s:base01 = "#4e4e4e" + let s:base00 = "#585858" + let s:base0 = "#808080" + let s:base1 = "#8a8a8a" + let s:base2 = "#d7d7af" + let s:base3 = "#ffffd7" + let s:yellow = "#af8700" + let s:orange = "#d75f00" + let s:red = "#af0000" + let s:magenta = "#af005f" + let s:violet = "#5f5faf" + let s:blue = "#0087ff" + let s:cyan = "#00afaf" + let s:green = "#5f8700" +elseif g:solarized_termcolors != 256 && &t_Co >= 16 + let s:vmode = "cterm" + let s:base03 = "8" + let s:base02 = "0" + let s:base01 = "10" + let s:base00 = "11" + let s:base0 = "12" + let s:base1 = "14" + let s:base2 = "7" + let s:base3 = "15" + let s:yellow = "3" + let s:orange = "9" + let s:red = "1" + let s:magenta = "5" + let s:violet = "13" + let s:blue = "4" + let s:cyan = "6" + let s:green = "2" +elseif g:solarized_termcolors == 256 + let s:vmode = "cterm" + let s:base03 = "234" + let s:base02 = "235" + let s:base01 = "239" + let s:base00 = "240" + let s:base0 = "244" + let s:base1 = "245" + let s:base2 = "187" + let s:base3 = "230" + let s:yellow = "136" + let s:orange = "166" + let s:red = "124" + let s:magenta = "125" + let s:violet = "61" + let s:blue = "33" + let s:cyan = "37" + let s:green = "64" +else + let s:vmode = "cterm" + let s:bright = "* term=bold cterm=bold" +" let s:base03 
= "0".s:bright +" let s:base02 = "0" +" let s:base01 = "2".s:bright +" let s:base00 = "3".s:bright +" let s:base0 = "4".s:bright +" let s:base1 = "6".s:bright +" let s:base2 = "7" +" let s:base3 = "7".s:bright +" let s:yellow = "3" +" let s:orange = "1".s:bright +" let s:red = "1" +" let s:magenta = "5" +" let s:violet = "5".s:bright +" let s:blue = "4" +" let s:cyan = "6" +" let s:green = "2" + let s:base03 = "DarkGray" " 0* + let s:base02 = "Black" " 0 + let s:base01 = "LightGreen" " 2* + let s:base00 = "LightYellow" " 3* + let s:base0 = "LightBlue" " 4* + let s:base1 = "LightCyan" " 6* + let s:base2 = "LightGray" " 7 + let s:base3 = "White" " 7* + let s:yellow = "DarkYellow" " 3 + let s:orange = "LightRed" " 1* + let s:red = "DarkRed" " 1 + let s:magenta = "DarkMagenta" " 5 + let s:violet = "LightMagenta" " 5* + let s:blue = "DarkBlue" " 4 + let s:cyan = "DarkCyan" " 6 + let s:green = "DarkGreen" " 2 + +endif +"}}} +" Formatting options and null values for passthrough effect "{{{ +" --------------------------------------------------------------------- + let s:none = "NONE" + let s:none = "NONE" + let s:t_none = "NONE" + let s:n = "NONE" + let s:c = ",undercurl" + let s:r = ",reverse" + let s:s = ",standout" + let s:ou = "" + let s:ob = "" +"}}} +" Background value based on termtrans setting "{{{ +" --------------------------------------------------------------------- +if (has("gui_running") || g:solarized_termtrans == 0) + let s:back = s:base03 +else + let s:back = "NONE" +endif +"}}} +" Alternate light scheme "{{{ +" --------------------------------------------------------------------- +if &background == "light" + let s:temp03 = s:base03 + let s:temp02 = s:base02 + let s:temp01 = s:base01 + let s:temp00 = s:base00 + let s:base03 = s:base3 + let s:base02 = s:base2 + let s:base01 = s:base1 + let s:base00 = s:base0 + let s:base0 = s:temp00 + let s:base1 = s:temp01 + let s:base2 = s:temp02 + let s:base3 = s:temp03 + if (s:back != "NONE") + let s:back = s:base03 + 
endif +endif +"}}} +" Optional contrast schemes "{{{ +" --------------------------------------------------------------------- +if g:solarized_contrast == "high" + let s:base01 = s:base00 + let s:base00 = s:base0 + let s:base0 = s:base1 + let s:base1 = s:base2 + let s:base2 = s:base3 + let s:back = s:back +endif +if g:solarized_contrast == "low" + let s:back = s:base02 + let s:ou = ",underline" +endif +"}}} +" Overrides dependent on user specified values and environment "{{{ +" --------------------------------------------------------------------- +if (g:solarized_bold == 0 || &t_Co == 8 ) + let s:b = "" + let s:bb = ",bold" +else + let s:b = ",bold" + let s:bb = "" +endif + +if g:solarized_underline == 0 + let s:u = "" +else + let s:u = ",underline" +endif + +if g:solarized_italic == 0 || s:terminal_italic == 0 + let s:i = "" +else + let s:i = ",italic" +endif +"}}} +" Highlighting primitives"{{{ +" --------------------------------------------------------------------- + +exe "let s:bg_none = ' ".s:vmode."bg=".s:none ."'" +exe "let s:bg_back = ' ".s:vmode."bg=".s:back ."'" +exe "let s:bg_base03 = ' ".s:vmode."bg=".s:base03 ."'" +exe "let s:bg_base02 = ' ".s:vmode."bg=".s:base02 ."'" +exe "let s:bg_base01 = ' ".s:vmode."bg=".s:base01 ."'" +exe "let s:bg_base00 = ' ".s:vmode."bg=".s:base00 ."'" +exe "let s:bg_base0 = ' ".s:vmode."bg=".s:base0 ."'" +exe "let s:bg_base1 = ' ".s:vmode."bg=".s:base1 ."'" +exe "let s:bg_base2 = ' ".s:vmode."bg=".s:base2 ."'" +exe "let s:bg_base3 = ' ".s:vmode."bg=".s:base3 ."'" +exe "let s:bg_green = ' ".s:vmode."bg=".s:green ."'" +exe "let s:bg_yellow = ' ".s:vmode."bg=".s:yellow ."'" +exe "let s:bg_orange = ' ".s:vmode."bg=".s:orange ."'" +exe "let s:bg_red = ' ".s:vmode."bg=".s:red ."'" +exe "let s:bg_magenta = ' ".s:vmode."bg=".s:magenta."'" +exe "let s:bg_violet = ' ".s:vmode."bg=".s:violet ."'" +exe "let s:bg_blue = ' ".s:vmode."bg=".s:blue ."'" +exe "let s:bg_cyan = ' ".s:vmode."bg=".s:cyan ."'" + +exe "let s:fg_none = ' 
".s:vmode."fg=".s:none ."'" +exe "let s:fg_back = ' ".s:vmode."fg=".s:back ."'" +exe "let s:fg_base03 = ' ".s:vmode."fg=".s:base03 ."'" +exe "let s:fg_base02 = ' ".s:vmode."fg=".s:base02 ."'" +exe "let s:fg_base01 = ' ".s:vmode."fg=".s:base01 ."'" +exe "let s:fg_base00 = ' ".s:vmode."fg=".s:base00 ."'" +exe "let s:fg_base0 = ' ".s:vmode."fg=".s:base0 ."'" +exe "let s:fg_base1 = ' ".s:vmode."fg=".s:base1 ."'" +exe "let s:fg_base2 = ' ".s:vmode."fg=".s:base2 ."'" +exe "let s:fg_base3 = ' ".s:vmode."fg=".s:base3 ."'" +exe "let s:fg_green = ' ".s:vmode."fg=".s:green ."'" +exe "let s:fg_yellow = ' ".s:vmode."fg=".s:yellow ."'" +exe "let s:fg_orange = ' ".s:vmode."fg=".s:orange ."'" +exe "let s:fg_red = ' ".s:vmode."fg=".s:red ."'" +exe "let s:fg_magenta = ' ".s:vmode."fg=".s:magenta."'" +exe "let s:fg_violet = ' ".s:vmode."fg=".s:violet ."'" +exe "let s:fg_blue = ' ".s:vmode."fg=".s:blue ."'" +exe "let s:fg_cyan = ' ".s:vmode."fg=".s:cyan ."'" + +exe "let s:fmt_none = ' ".s:vmode."=NONE". " term=NONE". "'" +exe "let s:fmt_bold = ' ".s:vmode."=NONE".s:b. " term=NONE".s:b."'" +exe "let s:fmt_bldi = ' ".s:vmode."=NONE".s:b. " term=NONE".s:b."'" +exe "let s:fmt_undr = ' ".s:vmode."=NONE".s:u. " term=NONE".s:u."'" +exe "let s:fmt_undb = ' ".s:vmode."=NONE".s:u.s:b. " term=NONE".s:u.s:b."'" +exe "let s:fmt_undi = ' ".s:vmode."=NONE".s:u. " term=NONE".s:u."'" +exe "let s:fmt_uopt = ' ".s:vmode."=NONE".s:ou. " term=NONE".s:ou."'" +exe "let s:fmt_curl = ' ".s:vmode."=NONE".s:c. " term=NONE".s:c."'" +exe "let s:fmt_ital = ' ".s:vmode."=NONE".s:i. " term=NONE".s:i."'" +exe "let s:fmt_stnd = ' ".s:vmode."=NONE".s:s. " term=NONE".s:s."'" +exe "let s:fmt_revr = ' ".s:vmode."=NONE".s:r. " term=NONE".s:r."'" +exe "let s:fmt_revb = ' ".s:vmode."=NONE".s:r.s:b. " term=NONE".s:r.s:b."'" +" revbb (reverse bold for bright colors) is only set to actual bold in low +" color terminals (t_co=8, such as OS X Terminal.app) and should only be used +" with colors 8-15. 
+exe "let s:fmt_revbb = ' ".s:vmode."=NONE".s:r.s:bb. " term=NONE".s:r.s:bb."'" +exe "let s:fmt_revbbu = ' ".s:vmode."=NONE".s:r.s:bb.s:u." term=NONE".s:r.s:bb.s:u."'" + +if has("gui_running") + exe "let s:sp_none = ' guisp=".s:none ."'" + exe "let s:sp_back = ' guisp=".s:back ."'" + exe "let s:sp_base03 = ' guisp=".s:base03 ."'" + exe "let s:sp_base02 = ' guisp=".s:base02 ."'" + exe "let s:sp_base01 = ' guisp=".s:base01 ."'" + exe "let s:sp_base00 = ' guisp=".s:base00 ."'" + exe "let s:sp_base0 = ' guisp=".s:base0 ."'" + exe "let s:sp_base1 = ' guisp=".s:base1 ."'" + exe "let s:sp_base2 = ' guisp=".s:base2 ."'" + exe "let s:sp_base3 = ' guisp=".s:base3 ."'" + exe "let s:sp_green = ' guisp=".s:green ."'" + exe "let s:sp_yellow = ' guisp=".s:yellow ."'" + exe "let s:sp_orange = ' guisp=".s:orange ."'" + exe "let s:sp_red = ' guisp=".s:red ."'" + exe "let s:sp_magenta = ' guisp=".s:magenta."'" + exe "let s:sp_violet = ' guisp=".s:violet ."'" + exe "let s:sp_blue = ' guisp=".s:blue ."'" + exe "let s:sp_cyan = ' guisp=".s:cyan ."'" +else + let s:sp_none = "" + let s:sp_back = "" + let s:sp_base03 = "" + let s:sp_base02 = "" + let s:sp_base01 = "" + let s:sp_base00 = "" + let s:sp_base0 = "" + let s:sp_base1 = "" + let s:sp_base2 = "" + let s:sp_base3 = "" + let s:sp_green = "" + let s:sp_yellow = "" + let s:sp_orange = "" + let s:sp_red = "" + let s:sp_magenta = "" + let s:sp_violet = "" + let s:sp_blue = "" + let s:sp_cyan = "" +endif + +"}}} +" Basic highlighting"{{{ +" --------------------------------------------------------------------- +" note that link syntax to avoid duplicate configuration doesn't work with the +" exe compiled formats + +exe "hi! Normal" .s:fmt_none .s:fg_base0 .s:bg_back + +exe "hi! Comment" .s:fmt_ital .s:fg_base01 .s:bg_none +" *Comment any comment + +exe "hi! 
Constant" .s:fmt_none .s:fg_cyan .s:bg_none +" *Constant any constant +" String a string constant: "this is a string" +" Character a character constant: 'c', '\n' +" Number a number constant: 234, 0xff +" Boolean a boolean constant: TRUE, false +" Float a floating point constant: 2.3e10 + +exe "hi! Identifier" .s:fmt_none .s:fg_blue .s:bg_none +" *Identifier any variable name +" Function function name (also: methods for classes) +" +exe "hi! Statement" .s:fmt_none .s:fg_green .s:bg_none +" *Statement any statement +" Conditional if, then, else, endif, switch, etc. +" Repeat for, do, while, etc. +" Label case, default, etc. +" Operator "sizeof", "+", "*", etc. +" Keyword any other keyword +" Exception try, catch, throw + +exe "hi! PreProc" .s:fmt_none .s:fg_orange .s:bg_none +" *PreProc generic Preprocessor +" Include preprocessor #include +" Define preprocessor #define +" Macro same as Define +" PreCondit preprocessor #if, #else, #endif, etc. + +exe "hi! Type" .s:fmt_none .s:fg_yellow .s:bg_none +" *Type int, long, char, etc. +" StorageClass static, register, volatile, etc. +" Structure struct, union, enum, etc. +" Typedef A typedef + +exe "hi! Special" .s:fmt_none .s:fg_red .s:bg_none +" *Special any special symbol +" SpecialChar special character in a constant +" Tag you can use CTRL-] on this +" Delimiter character that needs attention +" SpecialComment special things inside a comment +" Debug debugging statements + +exe "hi! Underlined" .s:fmt_none .s:fg_violet .s:bg_none +" *Underlined text that stands out, HTML links + +exe "hi! Ignore" .s:fmt_none .s:fg_none .s:bg_none +" *Ignore left blank, hidden |hl-Ignore| + +exe "hi! Error" .s:fmt_bold .s:fg_red .s:bg_none +" *Error any erroneous construct + +exe "hi! 
Todo" .s:fmt_bold .s:fg_magenta.s:bg_none +" *Todo anything that needs extra attention; mostly the +" keywords TODO FIXME and XXX +" +"}}} +" Extended highlighting "{{{ +" --------------------------------------------------------------------- +if (g:solarized_visibility=="high") + exe "hi! SpecialKey" .s:fmt_revr .s:fg_red .s:bg_none + exe "hi! NonText" .s:fmt_bold .s:fg_red .s:bg_none +elseif (g:solarized_visibility=="low") + exe "hi! SpecialKey" .s:fmt_bold .s:fg_base02 .s:bg_none + exe "hi! NonText" .s:fmt_bold .s:fg_base02 .s:bg_none +else + exe "hi! SpecialKey" .s:fmt_bold .s:fg_base00 .s:bg_base02 + exe "hi! NonText" .s:fmt_bold .s:fg_base00 .s:bg_none +endif +exe "hi! StatusLine" .s:fmt_none .s:fg_base1 .s:bg_base02 .s:fmt_revbb +exe "hi! StatusLineNC" .s:fmt_none .s:fg_base00 .s:bg_base02 .s:fmt_revbb +exe "hi! Visual" .s:fmt_none .s:fg_base01 .s:bg_base03 .s:fmt_revbb +exe "hi! Directory" .s:fmt_none .s:fg_blue .s:bg_none +exe "hi! ErrorMsg" .s:fmt_revr .s:fg_red .s:bg_none +exe "hi! IncSearch" .s:fmt_stnd .s:fg_orange .s:bg_none +exe "hi! Search" .s:fmt_revr .s:fg_yellow .s:bg_none +exe "hi! MoreMsg" .s:fmt_none .s:fg_blue .s:bg_none +exe "hi! ModeMsg" .s:fmt_none .s:fg_blue .s:bg_none +exe "hi! LineNr" .s:fmt_none .s:fg_base01 .s:bg_base02 +exe "hi! Question" .s:fmt_bold .s:fg_cyan .s:bg_none +if ( has("gui_running") || &t_Co > 8 ) + exe "hi! VertSplit" .s:fmt_none .s:fg_base00 .s:bg_base00 +else + exe "hi! VertSplit" .s:fmt_revbb .s:fg_base00 .s:bg_base02 +endif +exe "hi! Title" .s:fmt_bold .s:fg_orange .s:bg_none +exe "hi! VisualNOS" .s:fmt_stnd .s:fg_none .s:bg_base02 .s:fmt_revbb +exe "hi! WarningMsg" .s:fmt_bold .s:fg_red .s:bg_none +exe "hi! WildMenu" .s:fmt_none .s:fg_base2 .s:bg_base02 .s:fmt_revbb +exe "hi! Folded" .s:fmt_undb .s:fg_base0 .s:bg_base02 .s:sp_base03 +exe "hi! FoldColumn" .s:fmt_none .s:fg_base0 .s:bg_base02 +if (g:solarized_diffmode=="high") +exe "hi! DiffAdd" .s:fmt_revr .s:fg_green .s:bg_none +exe "hi! 
DiffChange" .s:fmt_revr .s:fg_yellow .s:bg_none +exe "hi! DiffDelete" .s:fmt_revr .s:fg_red .s:bg_none +exe "hi! DiffText" .s:fmt_revr .s:fg_blue .s:bg_none +elseif (g:solarized_diffmode=="low") +exe "hi! DiffAdd" .s:fmt_undr .s:fg_green .s:bg_none .s:sp_green +exe "hi! DiffChange" .s:fmt_undr .s:fg_yellow .s:bg_none .s:sp_yellow +exe "hi! DiffDelete" .s:fmt_bold .s:fg_red .s:bg_none +exe "hi! DiffText" .s:fmt_undr .s:fg_blue .s:bg_none .s:sp_blue +else " normal + if has("gui_running") +exe "hi! DiffAdd" .s:fmt_bold .s:fg_green .s:bg_base02 .s:sp_green +exe "hi! DiffChange" .s:fmt_bold .s:fg_yellow .s:bg_base02 .s:sp_yellow +exe "hi! DiffDelete" .s:fmt_bold .s:fg_red .s:bg_base02 +exe "hi! DiffText" .s:fmt_bold .s:fg_blue .s:bg_base02 .s:sp_blue + else +exe "hi! DiffAdd" .s:fmt_none .s:fg_green .s:bg_base02 .s:sp_green +exe "hi! DiffChange" .s:fmt_none .s:fg_yellow .s:bg_base02 .s:sp_yellow +exe "hi! DiffDelete" .s:fmt_none .s:fg_red .s:bg_base02 +exe "hi! DiffText" .s:fmt_none .s:fg_blue .s:bg_base02 .s:sp_blue + endif +endif +exe "hi! SignColumn" .s:fmt_none .s:fg_base0 +exe "hi! Conceal" .s:fmt_none .s:fg_blue .s:bg_none +exe "hi! SpellBad" .s:fmt_curl .s:fg_none .s:bg_none .s:sp_red +exe "hi! SpellCap" .s:fmt_curl .s:fg_none .s:bg_none .s:sp_violet +exe "hi! SpellRare" .s:fmt_curl .s:fg_none .s:bg_none .s:sp_cyan +exe "hi! SpellLocal" .s:fmt_curl .s:fg_none .s:bg_none .s:sp_yellow +exe "hi! Pmenu" .s:fmt_none .s:fg_base0 .s:bg_base02 .s:fmt_revbb +exe "hi! PmenuSel" .s:fmt_none .s:fg_base01 .s:bg_base2 .s:fmt_revbb +exe "hi! PmenuSbar" .s:fmt_none .s:fg_base2 .s:bg_base0 .s:fmt_revbb +exe "hi! PmenuThumb" .s:fmt_none .s:fg_base0 .s:bg_base03 .s:fmt_revbb +exe "hi! TabLine" .s:fmt_undr .s:fg_base0 .s:bg_base02 .s:sp_base0 +exe "hi! TabLineFill" .s:fmt_undr .s:fg_base0 .s:bg_base02 .s:sp_base0 +exe "hi! TabLineSel" .s:fmt_undr .s:fg_base01 .s:bg_base2 .s:sp_base0 .s:fmt_revbbu +exe "hi! CursorColumn" .s:fmt_none .s:fg_none .s:bg_base02 +exe "hi! 
CursorLine" .s:fmt_uopt .s:fg_none .s:bg_base02 .s:sp_base1 +exe "hi! ColorColumn" .s:fmt_none .s:fg_none .s:bg_base02 +exe "hi! Cursor" .s:fmt_none .s:fg_base03 .s:bg_base0 +hi! link lCursor Cursor +exe "hi! MatchParen" .s:fmt_bold .s:fg_red .s:bg_base01 + +"}}} +" vim syntax highlighting "{{{ +" --------------------------------------------------------------------- +"exe "hi! vimLineComment" . s:fg_base01 .s:bg_none .s:fmt_ital +"hi! link vimComment Comment +"hi! link vimLineComment Comment +hi! link vimVar Identifier +hi! link vimFunc Function +hi! link vimUserFunc Function +hi! link helpSpecial Special +hi! link vimSet Normal +hi! link vimSetEqual Normal +exe "hi! vimCommentString" .s:fmt_none .s:fg_violet .s:bg_none +exe "hi! vimCommand" .s:fmt_none .s:fg_yellow .s:bg_none +exe "hi! vimCmdSep" .s:fmt_bold .s:fg_blue .s:bg_none +exe "hi! helpExample" .s:fmt_none .s:fg_base1 .s:bg_none +exe "hi! helpOption" .s:fmt_none .s:fg_cyan .s:bg_none +exe "hi! helpNote" .s:fmt_none .s:fg_magenta.s:bg_none +exe "hi! helpVim" .s:fmt_none .s:fg_magenta.s:bg_none +exe "hi! helpHyperTextJump" .s:fmt_undr .s:fg_blue .s:bg_none +exe "hi! helpHyperTextEntry".s:fmt_none .s:fg_green .s:bg_none +exe "hi! vimIsCommand" .s:fmt_none .s:fg_base00 .s:bg_none +exe "hi! vimSynMtchOpt" .s:fmt_none .s:fg_yellow .s:bg_none +exe "hi! vimSynType" .s:fmt_none .s:fg_cyan .s:bg_none +exe "hi! vimHiLink" .s:fmt_none .s:fg_blue .s:bg_none +exe "hi! vimHiGroup" .s:fmt_none .s:fg_blue .s:bg_none +exe "hi! vimGroup" .s:fmt_undb .s:fg_blue .s:bg_none +"}}} +" diff highlighting "{{{ +" --------------------------------------------------------------------- +hi! link diffAdded Statement +hi! link diffLine Identifier +"}}} +" git & gitcommit highlighting "{{{ +"git +"exe "hi! gitDateHeader" +"exe "hi! gitIdentityHeader" +"exe "hi! gitIdentityKeyword" +"exe "hi! gitNotesHeader" +"exe "hi! gitReflogHeader" +"exe "hi! gitKeyword" +"exe "hi! gitIdentity" +"exe "hi! gitEmailDelimiter" +"exe "hi! 
gitEmail" +"exe "hi! gitDate" +"exe "hi! gitMode" +"exe "hi! gitHashAbbrev" +"exe "hi! gitHash" +"exe "hi! gitReflogMiddle" +"exe "hi! gitReference" +"exe "hi! gitStage" +"exe "hi! gitType" +"exe "hi! gitDiffAdded" +"exe "hi! gitDiffRemoved" +"gitcommit +"exe "hi! gitcommitSummary" +exe "hi! gitcommitComment" .s:fmt_ital .s:fg_base01 .s:bg_none +hi! link gitcommitUntracked gitcommitComment +hi! link gitcommitDiscarded gitcommitComment +hi! link gitcommitSelected gitcommitComment +exe "hi! gitcommitUnmerged" .s:fmt_bold .s:fg_green .s:bg_none +exe "hi! gitcommitOnBranch" .s:fmt_bold .s:fg_base01 .s:bg_none +exe "hi! gitcommitBranch" .s:fmt_bold .s:fg_magenta .s:bg_none +hi! link gitcommitNoBranch gitcommitBranch +exe "hi! gitcommitDiscardedType".s:fmt_none .s:fg_red .s:bg_none +exe "hi! gitcommitSelectedType" .s:fmt_none .s:fg_green .s:bg_none +"exe "hi! gitcommitUnmergedType" +"exe "hi! gitcommitType" +"exe "hi! gitcommitNoChanges" +"exe "hi! gitcommitHeader" +exe "hi! gitcommitHeader" .s:fmt_none .s:fg_base01 .s:bg_none +exe "hi! gitcommitUntrackedFile".s:fmt_bold .s:fg_cyan .s:bg_none +exe "hi! gitcommitDiscardedFile".s:fmt_bold .s:fg_red .s:bg_none +exe "hi! gitcommitSelectedFile" .s:fmt_bold .s:fg_green .s:bg_none +exe "hi! gitcommitUnmergedFile" .s:fmt_bold .s:fg_yellow .s:bg_none +exe "hi! gitcommitFile" .s:fmt_bold .s:fg_base0 .s:bg_none +hi! link gitcommitDiscardedArrow gitcommitDiscardedFile +hi! link gitcommitSelectedArrow gitcommitSelectedFile +hi! link gitcommitUnmergedArrow gitcommitUnmergedFile +"exe "hi! gitcommitArrow" +"exe "hi! gitcommitOverflow" +"exe "hi! gitcommitBlank" +" }}} +" html highlighting "{{{ +" --------------------------------------------------------------------- +exe "hi! htmlTag" .s:fmt_none .s:fg_base01 .s:bg_none +exe "hi! htmlEndTag" .s:fmt_none .s:fg_base01 .s:bg_none +exe "hi! htmlTagN" .s:fmt_bold .s:fg_base1 .s:bg_none +exe "hi! htmlTagName" .s:fmt_bold .s:fg_blue .s:bg_none +exe "hi! 
htmlSpecialTagName".s:fmt_ital .s:fg_blue .s:bg_none +exe "hi! htmlArg" .s:fmt_none .s:fg_base00 .s:bg_none +exe "hi! javaScript" .s:fmt_none .s:fg_yellow .s:bg_none +"}}} +" perl highlighting "{{{ +" --------------------------------------------------------------------- +exe "hi! perlHereDoc" . s:fg_base1 .s:bg_back .s:fmt_none +exe "hi! perlVarPlain" . s:fg_yellow .s:bg_back .s:fmt_none +exe "hi! perlStatementFileDesc". s:fg_cyan.s:bg_back.s:fmt_none + +"}}} +" tex highlighting "{{{ +" --------------------------------------------------------------------- +exe "hi! texStatement" . s:fg_cyan .s:bg_back .s:fmt_none +exe "hi! texMathZoneX" . s:fg_yellow .s:bg_back .s:fmt_none +exe "hi! texMathMatcher" . s:fg_yellow .s:bg_back .s:fmt_none +exe "hi! texMathMatcher" . s:fg_yellow .s:bg_back .s:fmt_none +exe "hi! texRefLabel" . s:fg_yellow .s:bg_back .s:fmt_none +"}}} +" ruby highlighting "{{{ +" --------------------------------------------------------------------- +exe "hi! rubyDefine" . s:fg_base1 .s:bg_back .s:fmt_bold +"rubyInclude +"rubySharpBang +"rubyAccess +"rubyPredefinedVariable +"rubyBoolean +"rubyClassVariable +"rubyBeginEnd +"rubyRepeatModifier +"hi! link rubyArrayDelimiter Special " [ , , ] +"rubyCurlyBlock { , , } + +"hi! link rubyClass Keyword +"hi! link rubyModule Keyword +"hi! link rubyKeyword Keyword +"hi! link rubyOperator Operator +"hi! link rubyIdentifier Identifier +"hi! link rubyInstanceVariable Identifier +"hi! link rubyGlobalVariable Identifier +"hi! link rubyClassVariable Identifier +"hi! 
link rubyConstant Type +"}}} +" haskell syntax highlighting"{{{ +" --------------------------------------------------------------------- +" For use with syntax/haskell.vim : Haskell Syntax File +" http://www.vim.org/scripts/script.php?script_id=3034 +" See also Steffen Siering's github repository: +" http://github.com/urso/dotrc/blob/master/vim/syntax/haskell.vim +" --------------------------------------------------------------------- +" +" Treat True and False specially, see the plugin referenced above +let hs_highlight_boolean=1 +" highlight delims, see the plugin referenced above +let hs_highlight_delimiters=1 + +exe "hi! cPreCondit". s:fg_orange.s:bg_none .s:fmt_none + +exe "hi! VarId" . s:fg_blue .s:bg_none .s:fmt_none +exe "hi! ConId" . s:fg_yellow .s:bg_none .s:fmt_none +exe "hi! hsImport" . s:fg_magenta.s:bg_none .s:fmt_none +exe "hi! hsString" . s:fg_base00 .s:bg_none .s:fmt_none + +exe "hi! hsStructure" . s:fg_cyan .s:bg_none .s:fmt_none +exe "hi! hs_hlFunctionName" . s:fg_blue .s:bg_none +exe "hi! hsStatement" . s:fg_cyan .s:bg_none .s:fmt_none +exe "hi! hsImportLabel" . s:fg_cyan .s:bg_none .s:fmt_none +exe "hi! hs_OpFunctionName" . s:fg_yellow .s:bg_none .s:fmt_none +exe "hi! hs_DeclareFunction" . s:fg_orange .s:bg_none .s:fmt_none +exe "hi! hsVarSym" . s:fg_cyan .s:bg_none .s:fmt_none +exe "hi! hsType" . s:fg_yellow .s:bg_none .s:fmt_none +exe "hi! hsTypedef" . s:fg_cyan .s:bg_none .s:fmt_none +exe "hi! hsModuleName" . s:fg_green .s:bg_none .s:fmt_undr +exe "hi! hsModuleStartLabel" . s:fg_magenta.s:bg_none .s:fmt_none +hi! link hsImportParams Delimiter +hi! link hsDelimTypeExport Delimiter +hi! link hsModuleStartLabel hsStructure +hi! link hsModuleWhereLabel hsModuleStartLabel + +" following is for the haskell-conceal plugin +" the first two items don't have an impact, but better safe +exe "hi! hsNiceOperator" . s:fg_cyan .s:bg_none .s:fmt_none +exe "hi! hsniceoperator" . 
s:fg_cyan .s:bg_none .s:fmt_none + +"}}} +" pandoc markdown syntax highlighting "{{{ +" --------------------------------------------------------------------- + +"PandocHiLink pandocNormalBlock +exe "hi! pandocTitleBlock" .s:fg_blue .s:bg_none .s:fmt_none +exe "hi! pandocTitleBlockTitle" .s:fg_blue .s:bg_none .s:fmt_bold +exe "hi! pandocTitleComment" .s:fg_blue .s:bg_none .s:fmt_bold +exe "hi! pandocComment" .s:fg_base01 .s:bg_none .s:fmt_ital +exe "hi! pandocVerbatimBlock" .s:fg_yellow .s:bg_none .s:fmt_none +hi! link pandocVerbatimBlockDeep pandocVerbatimBlock +hi! link pandocCodeBlock pandocVerbatimBlock +hi! link pandocCodeBlockDelim pandocVerbatimBlock +exe "hi! pandocBlockQuote" .s:fg_blue .s:bg_none .s:fmt_none +exe "hi! pandocBlockQuoteLeader1" .s:fg_blue .s:bg_none .s:fmt_none +exe "hi! pandocBlockQuoteLeader2" .s:fg_cyan .s:bg_none .s:fmt_none +exe "hi! pandocBlockQuoteLeader3" .s:fg_yellow .s:bg_none .s:fmt_none +exe "hi! pandocBlockQuoteLeader4" .s:fg_red .s:bg_none .s:fmt_none +exe "hi! pandocBlockQuoteLeader5" .s:fg_base0 .s:bg_none .s:fmt_none +exe "hi! pandocBlockQuoteLeader6" .s:fg_base01 .s:bg_none .s:fmt_none +exe "hi! pandocListMarker" .s:fg_magenta.s:bg_none .s:fmt_none +exe "hi! pandocListReference" .s:fg_magenta.s:bg_none .s:fmt_undr + +" Definitions +" --------------------------------------------------------------------- +let s:fg_pdef = s:fg_violet +exe "hi! pandocDefinitionBlock" .s:fg_pdef .s:bg_none .s:fmt_none +exe "hi! pandocDefinitionTerm" .s:fg_pdef .s:bg_none .s:fmt_stnd +exe "hi! pandocDefinitionIndctr" .s:fg_pdef .s:bg_none .s:fmt_bold +exe "hi! pandocEmphasisDefinition" .s:fg_pdef .s:bg_none .s:fmt_ital +exe "hi! pandocEmphasisNestedDefinition" .s:fg_pdef .s:bg_none .s:fmt_bldi +exe "hi! pandocStrongEmphasisDefinition" .s:fg_pdef .s:bg_none .s:fmt_bold +exe "hi! pandocStrongEmphasisNestedDefinition" .s:fg_pdef.s:bg_none.s:fmt_bldi +exe "hi! pandocStrongEmphasisEmphasisDefinition" .s:fg_pdef.s:bg_none.s:fmt_bldi +exe "hi! 
pandocStrikeoutDefinition" .s:fg_pdef .s:bg_none .s:fmt_revr +exe "hi! pandocVerbatimInlineDefinition" .s:fg_pdef .s:bg_none .s:fmt_none +exe "hi! pandocSuperscriptDefinition" .s:fg_pdef .s:bg_none .s:fmt_none +exe "hi! pandocSubscriptDefinition" .s:fg_pdef .s:bg_none .s:fmt_none + +" Tables +" --------------------------------------------------------------------- +let s:fg_ptable = s:fg_blue +exe "hi! pandocTable" .s:fg_ptable.s:bg_none .s:fmt_none +exe "hi! pandocTableStructure" .s:fg_ptable.s:bg_none .s:fmt_none +hi! link pandocTableStructureTop pandocTableStructre +hi! link pandocTableStructureEnd pandocTableStructre +exe "hi! pandocTableZebraLight" .s:fg_ptable.s:bg_base03.s:fmt_none +exe "hi! pandocTableZebraDark" .s:fg_ptable.s:bg_base02.s:fmt_none +exe "hi! pandocEmphasisTable" .s:fg_ptable.s:bg_none .s:fmt_ital +exe "hi! pandocEmphasisNestedTable" .s:fg_ptable.s:bg_none .s:fmt_bldi +exe "hi! pandocStrongEmphasisTable" .s:fg_ptable.s:bg_none .s:fmt_bold +exe "hi! pandocStrongEmphasisNestedTable" .s:fg_ptable.s:bg_none .s:fmt_bldi +exe "hi! pandocStrongEmphasisEmphasisTable" .s:fg_ptable.s:bg_none .s:fmt_bldi +exe "hi! pandocStrikeoutTable" .s:fg_ptable.s:bg_none .s:fmt_revr +exe "hi! pandocVerbatimInlineTable" .s:fg_ptable.s:bg_none .s:fmt_none +exe "hi! pandocSuperscriptTable" .s:fg_ptable.s:bg_none .s:fmt_none +exe "hi! pandocSubscriptTable" .s:fg_ptable.s:bg_none .s:fmt_none + +" Headings +" --------------------------------------------------------------------- +let s:fg_phead = s:fg_orange +exe "hi! pandocHeading" .s:fg_phead .s:bg_none.s:fmt_bold +exe "hi! pandocHeadingMarker" .s:fg_yellow.s:bg_none.s:fmt_bold +exe "hi! pandocEmphasisHeading" .s:fg_phead .s:bg_none.s:fmt_bldi +exe "hi! pandocEmphasisNestedHeading" .s:fg_phead .s:bg_none.s:fmt_bldi +exe "hi! pandocStrongEmphasisHeading" .s:fg_phead .s:bg_none.s:fmt_bold +exe "hi! pandocStrongEmphasisNestedHeading" .s:fg_phead .s:bg_none.s:fmt_bldi +exe "hi! 
pandocStrongEmphasisEmphasisHeading".s:fg_phead .s:bg_none.s:fmt_bldi +exe "hi! pandocStrikeoutHeading" .s:fg_phead .s:bg_none.s:fmt_revr +exe "hi! pandocVerbatimInlineHeading" .s:fg_phead .s:bg_none.s:fmt_bold +exe "hi! pandocSuperscriptHeading" .s:fg_phead .s:bg_none.s:fmt_bold +exe "hi! pandocSubscriptHeading" .s:fg_phead .s:bg_none.s:fmt_bold + +" Links +" --------------------------------------------------------------------- +exe "hi! pandocLinkDelim" .s:fg_base01 .s:bg_none .s:fmt_none +exe "hi! pandocLinkLabel" .s:fg_blue .s:bg_none .s:fmt_undr +exe "hi! pandocLinkText" .s:fg_blue .s:bg_none .s:fmt_undb +exe "hi! pandocLinkURL" .s:fg_base00 .s:bg_none .s:fmt_undr +exe "hi! pandocLinkTitle" .s:fg_base00 .s:bg_none .s:fmt_undi +exe "hi! pandocLinkTitleDelim" .s:fg_base01 .s:bg_none .s:fmt_undi .s:sp_base00 +exe "hi! pandocLinkDefinition" .s:fg_cyan .s:bg_none .s:fmt_undr .s:sp_base00 +exe "hi! pandocLinkDefinitionID" .s:fg_blue .s:bg_none .s:fmt_bold +exe "hi! pandocImageCaption" .s:fg_violet .s:bg_none .s:fmt_undb +exe "hi! pandocFootnoteLink" .s:fg_green .s:bg_none .s:fmt_undr +exe "hi! pandocFootnoteDefLink" .s:fg_green .s:bg_none .s:fmt_bold +exe "hi! pandocFootnoteInline" .s:fg_green .s:bg_none .s:fmt_undb +exe "hi! pandocFootnote" .s:fg_green .s:bg_none .s:fmt_none +exe "hi! pandocCitationDelim" .s:fg_magenta.s:bg_none .s:fmt_none +exe "hi! pandocCitation" .s:fg_magenta.s:bg_none .s:fmt_none +exe "hi! pandocCitationID" .s:fg_magenta.s:bg_none .s:fmt_undr +exe "hi! pandocCitationRef" .s:fg_magenta.s:bg_none .s:fmt_none + +" Main Styles +" --------------------------------------------------------------------- +exe "hi! pandocStyleDelim" .s:fg_base01 .s:bg_none .s:fmt_none +exe "hi! pandocEmphasis" .s:fg_base0 .s:bg_none .s:fmt_ital +exe "hi! pandocEmphasisNested" .s:fg_base0 .s:bg_none .s:fmt_bldi +exe "hi! pandocStrongEmphasis" .s:fg_base0 .s:bg_none .s:fmt_bold +exe "hi! pandocStrongEmphasisNested" .s:fg_base0 .s:bg_none .s:fmt_bldi +exe "hi! 
pandocStrongEmphasisEmphasis" .s:fg_base0 .s:bg_none .s:fmt_bldi +exe "hi! pandocStrikeout" .s:fg_base01 .s:bg_none .s:fmt_revr +exe "hi! pandocVerbatimInline" .s:fg_yellow .s:bg_none .s:fmt_none +exe "hi! pandocSuperscript" .s:fg_violet .s:bg_none .s:fmt_none +exe "hi! pandocSubscript" .s:fg_violet .s:bg_none .s:fmt_none + +exe "hi! pandocRule" .s:fg_blue .s:bg_none .s:fmt_bold +exe "hi! pandocRuleLine" .s:fg_blue .s:bg_none .s:fmt_bold +exe "hi! pandocEscapePair" .s:fg_red .s:bg_none .s:fmt_bold +exe "hi! pandocCitationRef" .s:fg_magenta.s:bg_none .s:fmt_none +exe "hi! pandocNonBreakingSpace" . s:fg_red .s:bg_none .s:fmt_revr +hi! link pandocEscapedCharacter pandocEscapePair +hi! link pandocLineBreak pandocEscapePair + +" Embedded Code +" --------------------------------------------------------------------- +exe "hi! pandocMetadataDelim" .s:fg_base01 .s:bg_none .s:fmt_none +exe "hi! pandocMetadata" .s:fg_blue .s:bg_none .s:fmt_none +exe "hi! pandocMetadataKey" .s:fg_blue .s:bg_none .s:fmt_none +exe "hi! pandocMetadata" .s:fg_blue .s:bg_none .s:fmt_bold +hi! link pandocMetadataTitle pandocMetadata + +"}}} +" Utility autocommand "{{{ +" --------------------------------------------------------------------- +" In cases where Solarized is initialized inside a terminal vim session and +" then transferred to a gui session via the command `:gui`, the gui vim process +" does not re-read the colorscheme (or .vimrc for that matter) so any `has_gui` +" related code that sets gui specific values isn't executed. +" +" Currently, Solarized sets only the cterm or gui values for the colorscheme +" depending on gui or terminal mode. It's possible that, if the following +" autocommand method is deemed excessively poor form, that approach will be +" used again and the autocommand below will be dropped. +" +" However it seems relatively benign in this case to include the autocommand +" here. 
It fires only in cases where vim is transferring from terminal to gui +" mode (detected with the script scope s:vmode variable). It also allows for +" other potential terminal customizations that might make gui mode suboptimal. +" +autocmd GUIEnter * if (s:vmode != "gui") | exe "colorscheme " . g:colors_name | endif +"}}} +" Highlight Trailing Space {{{ +" Experimental: Different highlight when on cursorline +function! s:SolarizedHiTrail() + if g:solarized_hitrail==0 + hi! clear solarizedTrailingSpace + else + syn match solarizedTrailingSpace "\s*$" + exe "hi! solarizedTrailingSpace " .s:fmt_undr .s:fg_red .s:bg_none .s:sp_red + endif +endfunction +augroup SolarizedHiTrail + autocmd! + if g:solarized_hitrail==1 + autocmd! Syntax * call s:SolarizedHiTrail() + autocmd! ColorScheme * if g:colors_name == "solarized" | call s:SolarizedHiTrail() | else | augroup! s:SolarizedHiTrail | endif + endif +augroup END +" }}} +" Menus "{{{ +" --------------------------------------------------------------------- +" Turn off Solarized menu by including the following assignment in your .vimrc: +" +" let g:solarized_menu=0 + +function! s:SolarizedOptions() + new "new buffer + setf vim "vim filetype + let failed = append(0, s:defaults_list) + let failed = append(0, s:colorscheme_list) + let failed = append(0, s:options_list) + let failed = append(0, s:lazycat_list) + 0 "jump back to the top +endfunction +if !exists(":SolarizedOptions") + command SolarizedOptions :call s:SolarizedOptions() +endif + +function! SolarizedMenu() + if exists("g:loaded_solarized_menu") + try + silent! 
aunmenu Solarized + endtry + endif + let g:loaded_solarized_menu = 1 + + if g:colors_name == "solarized" && g:solarized_menu != 0 + + amenu &Solarized.&Contrast.&Low\ Contrast :let g:solarized_contrast="low" \| colorscheme solarized + amenu &Solarized.&Contrast.&Normal\ Contrast :let g:solarized_contrast="normal" \| colorscheme solarized + amenu &Solarized.&Contrast.&High\ Contrast :let g:solarized_contrast="high" \| colorscheme solarized + an &Solarized.&Contrast.-sep- + amenu &Solarized.&Contrast.&Help:\ Contrast :help 'solarized_contrast' + + amenu &Solarized.&Visibility.&Low\ Visibility :let g:solarized_visibility="low" \| colorscheme solarized + amenu &Solarized.&Visibility.&Normal\ Visibility :let g:solarized_visibility="normal" \| colorscheme solarized + amenu &Solarized.&Visibility.&High\ Visibility :let g:solarized_visibility="high" \| colorscheme solarized + an &Solarized.&Visibility.-sep- + amenu &Solarized.&Visibility.&Help:\ Visibility :help 'solarized_visibility' + + amenu &Solarized.&Background.&Toggle\ Background :ToggleBG + amenu &Solarized.&Background.&Dark\ Background :set background=dark \| colorscheme solarized + amenu &Solarized.&Background.&Light\ Background :set background=light \| colorscheme solarized + an &Solarized.&Background.-sep- + amenu &Solarized.&Background.&Help:\ ToggleBG :help togglebg + + if g:solarized_bold==0 | let l:boldswitch="On" | else | let l:boldswitch="Off" | endif + exe "amenu &Solarized.&Styling.&Turn\\ Bold\\ ".l:boldswitch." :let g:solarized_bold=(abs(g:solarized_bold-1)) \\| colorscheme solarized" + if g:solarized_italic==0 | let l:italicswitch="On" | else | let l:italicswitch="Off" | endif + exe "amenu &Solarized.&Styling.&Turn\\ Italic\\ ".l:italicswitch." :let g:solarized_italic=(abs(g:solarized_italic-1)) \\| colorscheme solarized" + if g:solarized_underline==0 | let l:underlineswitch="On" | else | let l:underlineswitch="Off" | endif + exe "amenu &Solarized.&Styling.&Turn\\ Underline\\ ".l:underlineswitch." 
:let g:solarized_underline=(abs(g:solarized_underline-1)) \\| colorscheme solarized" + + amenu &Solarized.&Diff\ Mode.&Low\ Diff\ Mode :let g:solarized_diffmode="low" \| colorscheme solarized + amenu &Solarized.&Diff\ Mode.&Normal\ Diff\ Mode :let g:solarized_diffmode="normal" \| colorscheme solarized + amenu &Solarized.&Diff\ Mode.&High\ Diff\ Mode :let g:solarized_diffmode="high" \| colorscheme solarized + + if g:solarized_hitrail==0 | let l:hitrailswitch="On" | else | let l:hitrailswitch="Off" | endif + exe "amenu &Solarized.&Experimental.&Turn\\ Highlight\\ Trailing\\ Spaces\\ ".l:hitrailswitch." :let g:solarized_hitrail=(abs(g:solarized_hitrail-1)) \\| colorscheme solarized" + an &Solarized.&Experimental.-sep- + amenu &Solarized.&Experimental.&Help:\ HiTrail :help 'solarized_hitrail' + + an &Solarized.-sep1- + + amenu &Solarized.&Autogenerate\ options :SolarizedOptions + + an &Solarized.-sep2- + + amenu &Solarized.&Help.&Solarized\ Help :help solarized + amenu &Solarized.&Help.&Toggle\ Background\ Help :help togglebg + amenu &Solarized.&Help.&Removing\ This\ Menu :help solarized-menu + + an 9999.77 &Help.&Solarized\ Colorscheme :help solarized + an 9999.78 &Help.&Toggle\ Background :help togglebg + an 9999.79 &Help.-sep3- + + endif +endfunction + +autocmd ColorScheme * if g:colors_name != "solarized" | silent! 
aunmenu Solarized | else | call SolarizedMenu() | endif
+
+"}}}
+" License "{{{
+" ---------------------------------------------------------------------
+"
+" Copyright (c) 2011 Ethan Schoonover
+"
+" Permission is hereby granted, free of charge, to any person obtaining a copy
+" of this software and associated documentation files (the "Software"), to deal
+" in the Software without restriction, including without limitation the rights
+" to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+" copies of the Software, and to permit persons to whom the Software is
+" furnished to do so, subject to the following conditions:
+"
+" The above copyright notice and this permission notice shall be included in
+" all copies or substantial portions of the Software.
+"
+" THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+" IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+" FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+" AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+" LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+" OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+" THE SOFTWARE.
+"
+" vim:foldmethod=marker:foldlevel=0
+"}}}
diff --git a/roles/system/files/vim/vimrc b/roles/system/files/vim/vimrc
new file mode 100644
index 0000000..b1cf145
--- /dev/null
+++ b/roles/system/files/vim/vimrc
@@ -0,0 +1,12 @@
+set nocompatible
+set paste
+set smartindent
+set noexpandtab
+set tabstop=4
+set shiftwidth=4
+set softtabstop=-1
+syntax on
+set background=dark
+set list listchars=tab:»\ ,extends:›,precedes:‹,nbsp:·,trail:·
+colorscheme solarized
+filetype plugin indent on
diff --git a/roles/system/handlers/main.yml b/roles/system/handlers/main.yml
new file mode 100644
index 0000000..0105595
--- /dev/null
+++ b/roles/system/handlers/main.yml
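Review bot: `set paste` in vimrc makes the two indentation lines that follow it ineffective: while 'paste' is set, Vim resets 'smartindent' and forces 'softtabstop' to 0, so `set smartindent` and `set softtabstop=-1` only take effect again after `:set nopaste`. If the goal is safe pasting from a terminal, keep the indent options and bind a toggle instead, e.g. `set pastetoggle=<F2>`, or drop `set paste` altogether. The remaining lines (listchars, colorscheme, filetype) are unaffected by this.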
@@ -0,0 +1,4 @@
+- name: restart sshd
+ service:
+ name: sshd
+ state: restarted
diff --git a/roles/system/tasks/apt-transport-https.yml b/roles/system/tasks/apt-transport-https.yml
new file mode 100644
index 0000000..a8220c3
--- /dev/null
+++ b/roles/system/tasks/apt-transport-https.yml
@@ -0,0 +1,4 @@
+- name: install https transport for apt
+ package:
+ name: apt-transport-https
+ state: present
diff --git a/roles/system/tasks/aptitude.yml b/roles/system/tasks/aptitude.yml
new file mode 100644
index 0000000..27f4c74
--- /dev/null
+++ b/roles/system/tasks/aptitude.yml
@@ -0,0 +1,5 @@
+- name: install aptitude
+ package:
+ name: aptitude
+ state: present
+ when: ansible_facts['os_family'] == 'Debian'
diff --git a/roles/system/tasks/bashrc.yml b/roles/system/tasks/bashrc.yml
new file mode 100644
index 0000000..21d153a
--- /dev/null
+++ b/roles/system/tasks/bashrc.yml
@@ -0,0 +1,6 @@
+- name: copy basic bashrc files
+ copy:
+ src: files/dotbashrc
+ dest: /root/.bashrc
+ owner: root
+ group: root
diff --git a/roles/system/tasks/cron-apt.yml b/roles/system/tasks/cron-apt.yml
new file mode 100644
index 0000000..7019eb3
--- /dev/null
+++ b/roles/system/tasks/cron-apt.yml
@@ -0,0 +1,10 @@
+- name: install cron-apt
+ package:
+ name: cron-apt
+ state: present
+
+- name: default configuration file
+ copy:
+ src: files/5-install
+ dest: /etc/cron-apt/action.d/5-install
+
diff --git a/roles/system/tasks/cron.yml b/roles/system/tasks/cron.yml
new file mode 100644
index 0000000..7420bb6
--- /dev/null
+++ b/roles/system/tasks/cron.yml
@@ -0,0 +1,4 @@
+- name: install cron
+ package:
+ name: cron
+ state: present
diff --git a/roles/system/tasks/curl.yml b/roles/system/tasks/curl.yml
new file mode 100644
index 0000000..e5fb8ee
--- /dev/null
+++ b/roles/system/tasks/curl.yml
@@ -0,0 +1,4 @@
+- name: install curl
+ package:
+ name: curl
+ state: present
diff --git a/roles/system/tasks/gpg.yml b/roles/system/tasks/gpg.yml
new file mode 100644
index 0000000..73de00e
--- /dev/null
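Review bot: The `copy` tasks in bashrc.yml and cron-apt.yml set no `mode`, so the permissions of `/root/.bashrc` and `/etc/cron-apt/action.d/5-install` are left to the remote umask when the file is first created and kept as-is on later runs; the `files/vim/` copy in vimrc.yml has the same gap. Add `mode: "0644"` (quoted, so YAML does not read the leading zero as an octal integer) to each of them, and `owner: root` / `group: root` to the cron-apt task for consistency with bashrc.yml. The contents of `files/5-install` are not part of this diff, so what cron-apt will run unattended cannot be reviewed here.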
+++ b/roles/system/tasks/gpg.yml
@@ -0,0 +1,4 @@
+- name: install gpg package
+ package:
+ name: gpg
+ state: present
diff --git a/roles/system/tasks/locales.yml b/roles/system/tasks/locales.yml
new file mode 100644
index 0000000..0b2d0a5
--- /dev/null
+++ b/roles/system/tasks/locales.yml
@@ -0,0 +1,22 @@
+- name: Set default locale to fr_FR.UTF-8
+ debconf:
+ name: locales
+ question: locales/default_environment_locale
+ value: fr_FR.UTF-8
+ vtype: select
+
+- name: set to generate locales fr_FR/en_US
+ debconf:
+ name: locales
+ question: locales/locales_to_be_generated
+ value: en_US.UTF-8 UTF-8, fr_FR.UTF-8 UTF-8
+ vtype: multiselect
+- name: delete original locale.gen
+ file:
+ path: /etc/locale.gen
+ state: absent
+ when: ansible_facts['env']['LANG'] != 'fr_FR.UTF-8'
+
+- name: update original locale.gen
+ command: dpkg-reconfigure -f noninteractive locales
+ when: ansible_facts['env']['LANG'] != 'fr_FR.UTF-8'
diff --git a/roles/system/tasks/localtime.yml b/roles/system/tasks/localtime.yml
new file mode 100644
index 0000000..e421454
--- /dev/null
+++ b/roles/system/tasks/localtime.yml
@@ -0,0 +1,4 @@
+- file:
+ src: /usr/share/zoneinfo/Europe/Paris
+ dest: /etc/localtime
+ state: link
diff --git a/roles/system/tasks/main.yml b/roles/system/tasks/main.yml
new file mode 100644
index 0000000..04449aa
--- /dev/null
+++ b/roles/system/tasks/main.yml
@@ -0,0 +1,14 @@
+- include_tasks: aptitude.yml
+- include_tasks: localtime.yml
+- include_tasks: locales.yml
+- include_tasks: ping.yml
+- include_tasks: telnet.yml
+- include_tasks: bashrc.yml
+- include_tasks: vimrc.yml
+- include_tasks: sshd.yml
+- include_tasks: curl.yml
+- include_tasks: wget.yml
+- include_tasks: cron.yml
+- include_tasks: apt-transport-https.yml
+- include_tasks: gpg.yml
+- include_tasks: cron-apt.yml
diff --git a/roles/system/tasks/ping.yml b/roles/system/tasks/ping.yml
new file mode 100644
index 0000000..a744efb
--- /dev/null
+++ b/roles/system/tasks/ping.yml
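Review bot: The `when` guards in locales.yml compare `ansible_facts['env']['LANG']` with the wanted locale, but that fact is the environment of the SSH session Ansible opened; with `AcceptEnv LANG` in the sshd template of this same commit, it is whatever the controller's ssh client sent, not the locale configured on the target, so the `locale.gen` deletion and `dpkg-reconfigure` run or are skipped depending on the controller's locale. Register the two `debconf` tasks instead and drive the regeneration from them, e.g. `register: locale_default` on the first and `register: locale_gen` on the second, then `when: locale_default is changed or locale_gen is changed` on the `command` task, which also stops the non-idempotent `command` from reporting `changed` on every run. The `file` task in localtime.yml has no `name` and no `force: true`, so on a host where `/etc/localtime` is a regular file rather than a symlink the `state: link` task fails.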
@@ -0,0 +1,4 @@
+- name: install ping utility
+ package:
+ name: iputils-ping
+ state: present
diff --git a/roles/system/tasks/sshd.yml b/roles/system/tasks/sshd.yml
new file mode 100644
index 0000000..10e3aae
--- /dev/null
+++ b/roles/system/tasks/sshd.yml
@@ -0,0 +1,18 @@
+- name: ssh configuration file
+ template:
+ src: sshd_config.j2
+ dest: /etc/ssh/sshd_config
+ notify:
+ - restart sshd
+
+- name: ssh keys home
+ authorized_key:
+ user: root
+ state: present
+ key: "{{ lookup('file', 'ssh/home.id_rsa.pub') }}"
+
+- name: ssh keys work
+ authorized_key:
+ user: root
+ state: present
+ key: "{{ lookup('file', 'ssh/work.id_rsa.pub') }}"
diff --git a/roles/system/tasks/telnet.yml b/roles/system/tasks/telnet.yml
new file mode 100644
index 0000000..b3907f2
--- /dev/null
+++ b/roles/system/tasks/telnet.yml
@@ -0,0 +1,4 @@
+- name: install telnet
+ package:
+ name: telnet
+ state: present
diff --git a/roles/system/tasks/vimrc.yml b/roles/system/tasks/vimrc.yml
new file mode 100644
index 0000000..c69ef03
--- /dev/null
+++ b/roles/system/tasks/vimrc.yml
@@ -0,0 +1,11 @@
+- name: install vim package
+ package:
+ name: vim
+ state: present
+
+- name: copy vimrc config file
+ copy:
+ src: files/vim/
+ dest: /root/.vim
+ owner: root
+ group: root
diff --git a/roles/system/tasks/wget.yml b/roles/system/tasks/wget.yml
new file mode 100644
index 0000000..674a1ac
--- /dev/null
+++ b/roles/system/tasks/wget.yml
@@ -0,0 +1,4 @@
+- name: install wget package
+ package:
+ name: wget
+ state: present
diff --git a/roles/system/templates/sshd_config.j2 b/roles/system/templates/sshd_config.j2
new file mode 100644
index 0000000..eddee6d
--- /dev/null
+++ b/roles/system/templates/sshd_config.j2
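Review bot: The `template` task in sshd.yml writes `/etc/ssh/sshd_config` with no `validate`, and its handler restarts sshd, so a typo in the template is installed as-is and can lock you out of every host in the play until the file is repaired through another channel. Add `validate: /usr/sbin/sshd -t -f %s` to the template task so a rendering that fails `sshd -t` is never put in place and the handler is never notified for it. Minor: the two `authorized_key` tasks differ only in the key file and could be a single task with `loop: ['ssh/home.id_rsa.pub', 'ssh/work.id_rsa.pub']` and `key: "{{ lookup('file', item) }}"`.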
@@ -0,0 +1,36 @@
+##########
+# THIS FILE IS MANAGED BY ANSIBLE
+# ANY MODIFICATION IS LIKELY TO BE ERASED
+##########
+# Host key pour les différents protocoles possibles
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Algorithmes de chiffrement utilisés
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+
+# Log
+SyslogFacility AUTHPRIV
+LogLevel VERBOSE
+# Log SFTP
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+
+# Autorisation et authentification
+PasswordAuthentication yes
+ChallengeResponseAuthentication no
+PermitRootLogin without-password
+GSSAPIAuthentication yes
+UsePAM yes
+X11Forwarding yes
+
+# Privilège attribué
+UsePrivilegeSeparation sandbox # Default for new installations.
+
+# Variable d'environnement
+AcceptEnv LANG LANGUAGE LC_*
+AcceptEnv USER_LS_COLORS LS_COLORS
+AcceptEnv XMODIFIERS
+
diff --git a/roles/webapps/files/fastcgi_cache.conf b/roles/webapps/files/fastcgi_cache.conf
new file mode 100644
index 0000000..394769b
--- /dev/null
+++ b/roles/webapps/files/fastcgi_cache.conf
@@ -0,0 +1,7 @@
+fastcgi_cache_path
+ /dev/shm/nginx
+ levels=1:2
+ keys_zone=wpdojo:25m
+ inactive=1h
+ max_size=250m;
+
diff --git a/roles/webapps/files/oc.conf b/roles/webapps/files/oc.conf
new file mode 100644
index 0000000..759961a
--- /dev/null
+++ b/roles/webapps/files/oc.conf
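Review bot: `PasswordAuthentication yes` in sshd_config.j2 keeps password logins open for every non-root account, while the rest of the file and sshd.yml set root up for key-only access (`PermitRootLogin without-password` plus the pushed `authorized_key`s); unless some host still depends on password logins, `PasswordAuthentication no` is the consistent choice, and `GSSAPIAuthentication no` / `X11Forwarding no` likewise, since nothing in this commit uses either. The `UsePrivilegeSeparation sandbox` line has been a deprecated option since OpenSSH 7.5, so on current Debian releases (Buster ships 7.9) sshd only logs a deprecation warning and ignores it; drop the line rather than carry a no-op with a trailing comment. Note also that the template contains no Jinja expressions, so every host receives the identical file — acceptable for a first commit, but the `.j2` extension suggests per-host values were intended.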
@@ -0,0 +1,431 @@ +; Start a new pool named 'www'. +; the variable $pool can be used in any directive and will be replaced by the +; pool name ('www' here) +[oc] + +; Per pool prefix +; It only applies on the following directives: +; - 'access.log' +; - 'slowlog' +; - 'listen' (unixsocket) +; - 'chroot' +; - 'chdir' +; - 'php_values' +; - 'php_admin_values' +; When not set, the global prefix (or /usr) applies instead. +; Note: This directive can also be relative to the global prefix. +; Default Value: none +;prefix = /path/to/pools/$pool + +; Unix user/group of processes +; Note: The user is mandatory. If the group is not set, the default user's group +; will be used. +user = www-data +group = www-data + +; The address on which to accept FastCGI requests. +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on +; a specific port; +; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses +; (IPv6 and IPv4-mapped) on a specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Note: This value is mandatory. +listen = /run/php/php7.3-fpm-oc.sock + +; Set listen(2) backlog. +; Default Value: 511 (-1 on FreeBSD and OpenBSD) +;listen.backlog = 511 + +; Set permissions for unix socket, if one is used. In Linux, read/write +; permissions must be set in order to allow connections from a web server. Many +; BSD-derived systems allow connections regardless of permissions. +; Default Values: user and group are set as the running user +; mode is set to 0660 +listen.owner = www-data +listen.group = www-data +;listen.mode = 0660 +; When POSIX Access Control Lists are supported you can set them using +; these options, value is a comma separated list of user/group names. 
+; When set, listen.owner and listen.group are ignored +;listen.acl_users = +;listen.acl_groups = + +; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. +; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original +; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address +; must be separated by a comma. If this value is left blank, connections will be +; accepted from any ip address. +; Default Value: any +;listen.allowed_clients = 127.0.0.1 + +; Specify the nice(2) priority to apply to the pool processes (only if set) +; The value can vary from -19 (highest priority) to 20 (lower priority) +; Note: - It will only work if the FPM master process is launched as root +; - The pool processes will inherit the master process priority +; unless it specified otherwise +; Default Value: no set +; process.priority = -19 + +; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user +; or group is differrent than the master process user. It allows to create process +; core dump and ptrace the process for the pool user. +; Default Value: no +; process.dumpable = yes + +; Choose how the process manager will control the number of child processes. +; Possible Values: +; static - a fixed number (pm.max_children) of child processes; +; dynamic - the number of child processes are set dynamically based on the +; following directives. With this process management, there will be +; always at least 1 children. +; pm.max_children - the maximum number of children that can +; be alive at the same time. +; pm.start_servers - the number of children created on startup. +; pm.min_spare_servers - the minimum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is less than this +; number then some children will be created. +; pm.max_spare_servers - the maximum number of children in 'idle' +; state (waiting to process). 
If the number +; of 'idle' processes is greater than this +; number then some children will be killed. +; ondemand - no children are created at startup. Children will be forked when +; new requests will connect. The following parameter are used: +; pm.max_children - the maximum number of children that +; can be alive at the same time. +; pm.process_idle_timeout - The number of seconds after which +; an idle process will be killed. +; Note: This value is mandatory. +pm = dynamic + +; The number of child processes to be created when pm is set to 'static' and the +; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. +; This value sets the limit on the number of simultaneous requests that will be +; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. +; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP +; CGI. The below defaults are based on a server without much resources. Don't +; forget to tweak pm.* to fit your needs. +; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' +; Note: This value is mandatory. +pm.max_children = 50 + +; The number of child processes created on startup. +; Note: Used only when pm is set to 'dynamic' +; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 +pm.start_servers = 5 + +; The desired minimum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.min_spare_servers = 5 + +; The desired maximum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.max_spare_servers = 15 + +; The number of seconds after which an idle process will be killed. +; Note: Used only when pm is set to 'ondemand' +; Default Value: 10s +;pm.process_idle_timeout = 10s; + +; The number of requests each child process should execute before respawning. 
+; This can be useful to work around memory leaks in 3rd party libraries. For +; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. +; Default Value: 0 +;pm.max_requests = 500 + +; The URI to view the FPM status page. If this value is not set, no URI will be +; recognized as a status page. It shows the following informations: +; pool - the name of the pool; +; process manager - static, dynamic or ondemand; +; start time - the date and time FPM has started; +; start since - number of seconds since FPM has started; +; accepted conn - the number of request accepted by the pool; +; listen queue - the number of request in the queue of pending +; connections (see backlog in listen(2)); +; max listen queue - the maximum number of requests in the queue +; of pending connections since FPM has started; +; listen queue len - the size of the socket queue of pending connections; +; idle processes - the number of idle processes; +; active processes - the number of active processes; +; total processes - the number of idle + active processes; +; max active processes - the maximum number of active processes since FPM +; has started; +; max children reached - number of times, the process limit has been reached, +; when pm tries to start more children (works only for +; pm 'dynamic' and 'ondemand'); +; Value are updated in real time. +; Example output: +; pool: www +; process manager: static +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 62636 +; accepted conn: 190460 +; listen queue: 0 +; max listen queue: 1 +; listen queue len: 42 +; idle processes: 4 +; active processes: 11 +; total processes: 15 +; max active processes: 12 +; max children reached: 0 +; +; By default the status page output is formatted as text/plain. Passing either +; 'html', 'xml' or 'json' in the query string will return the corresponding +; output syntax. 
Example: +; http://www.foo.bar/status +; http://www.foo.bar/status?json +; http://www.foo.bar/status?html +; http://www.foo.bar/status?xml +; +; By default the status page only outputs short status. Passing 'full' in the +; query string will also return status for each pool process. +; Example: +; http://www.foo.bar/status?full +; http://www.foo.bar/status?json&full +; http://www.foo.bar/status?html&full +; http://www.foo.bar/status?xml&full +; The Full status returns for each process: +; pid - the PID of the process; +; state - the state of the process (Idle, Running, ...); +; start time - the date and time the process has started; +; start since - the number of seconds since the process has started; +; requests - the number of requests the process has served; +; request duration - the duration in µs of the requests; +; request method - the request method (GET, POST, ...); +; request URI - the request URI with the query string; +; content length - the content length of the request (only with POST); +; user - the user (PHP_AUTH_USER) (or '-' if not set); +; script - the main script called (or '-' if not set); +; last request cpu - the %cpu the last request consumed +; it's always 0 if the process is not in Idle state +; because CPU calculation is done when the request +; processing has terminated; +; last request memory - the max amount of memory the last request consumed +; it's always 0 if the process is not in Idle state +; because memory calculation is done when the request +; processing has terminated; +; If the process is in Idle state, then informations are related to the +; last request the process has served. Otherwise informations are related to +; the current request being served. 
+; Example output: +; ************************ +; pid: 31330 +; state: Running +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 63087 +; requests: 12808 +; request duration: 1250261 +; request method: GET +; request URI: /test_mem.php?N=10000 +; content length: 0 +; user: - +; script: /home/fat/web/docs/php/test_mem.php +; last request cpu: 0.00 +; last request memory: 0 +; +; Note: There is a real-time FPM status monitoring sample web page available +; It's available in: /usr/share/php/7.3/fpm/status.html +; +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;pm.status_path = /status + +; The ping URI to call the monitoring page of FPM. If this value is not set, no +; URI will be recognized as a ping page. This could be used to test from outside +; that FPM is alive and responding, or to +; - create a graph of FPM availability (rrd or such); +; - remove a server from a group if it is not responding (load balancing); +; - trigger alerts for the operating team (24/7). +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;ping.path = /ping + +; This directive may be used to customize the response of a ping request. The +; response is formatted as text/plain with a 200 response code. +; Default Value: pong +;ping.response = pong + +; The access log file +; Default: not set +;access.log = log/$pool.access.log + +; The access log format. 
+; The following syntax is allowed +; %%: the '%' character +; %C: %CPU used by the request +; it can accept the following format: +; - %{user}C for user CPU only +; - %{system}C for system CPU only +; - %{total}C for user + system CPU (default) +; %d: time taken to serve the request +; it can accept the following format: +; - %{seconds}d (default) +; - %{miliseconds}d +; - %{mili}d +; - %{microseconds}d +; - %{micro}d +; %e: an environment variable (same as $_ENV or $_SERVER) +; it must be associated with embraces to specify the name of the env +; variable. Some exemples: +; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e +; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e +; %f: script filename +; %l: content-length of the request (for POST request only) +; %m: request method +; %M: peak of memory allocated by PHP +; it can accept the following format: +; - %{bytes}M (default) +; - %{kilobytes}M +; - %{kilo}M +; - %{megabytes}M +; - %{mega}M +; %n: pool name +; %o: output header +; it must be associated with embraces to specify the name of the header: +; - %{Content-Type}o +; - %{X-Powered-By}o +; - %{Transfert-Encoding}o +; - .... +; %p: PID of the child that serviced the request +; %P: PID of the parent of the child that serviced the request +; %q: the query string +; %Q: the '?' character if query string exists +; %r: the request URI (without the query string, see %q and %Q) +; %R: remote IP address +; %s: status (response code) +; %t: server time the request was received +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsuled in a %{}t tag +; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %T: time the log has been written (the request has finished) +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsuled in a %{}t tag +; e.g. 
for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %u: remote user +; +; Default: "%R - %u %t \"%m %r\" %s" +;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" + +; The log file for slow requests +; Default Value: not set +; Note: slowlog is mandatory if request_slowlog_timeout is set +;slowlog = log/$pool.log.slow + +; The timeout for serving a single request after which a PHP backtrace will be +; dumped to the 'slowlog' file. A value of '0s' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_slowlog_timeout = 0 + +; Depth of slow log stack trace. +; Default Value: 20 +;request_slowlog_trace_depth = 20 + +; The timeout for serving a single request after which the worker process will +; be killed. This option should be used when the 'max_execution_time' ini option +; does not stop script execution for some reason. A value of '0' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_terminate_timeout = 0 + +; Set open file descriptor rlimit. +; Default Value: system defined value +;rlimit_files = 1024 + +; Set max core size rlimit. +; Possible Values: 'unlimited' or an integer greater or equal to 0 +; Default Value: system defined value +;rlimit_core = 0 + +; Chroot to this directory at the start. This value must be defined as an +; absolute path. When this value is not set, chroot is not used. +; Note: you can prefix with '$prefix' to chroot to the pool prefix or one +; of its subdirectories. If the pool prefix is not set, the global prefix +; will be used instead. +; Note: chrooting is a great security feature and should be used whenever +; possible. However, all PHP paths will be relative to the chroot +; (error_log, sessions.save_path, ...). +; Default Value: not set +;chroot = + +; Chdir to this directory at the start. +; Note: relative path can be used. 
+; Default Value: current directory or / when chroot +;chdir = /var/www + +; Redirect worker stdout and stderr into main error log. If not set, stdout and +; stderr will be redirected to /dev/null according to FastCGI specs. +; Note: on highloaded environement, this can cause some delay in the page +; process time (several ms). +; Default Value: no +;catch_workers_output = yes + +; Decorate worker output with prefix and suffix containing information about +; the child that writes to the log and if stdout or stderr is used as well as +; log level and time. This options is used only if catch_workers_output is yes. +; Settings to "no" will output data as written to the stdout or stderr. +; Default value: yes +;decorate_workers_output = no + +; Clear environment in FPM workers +; Prevents arbitrary environment variables from reaching FPM worker processes +; by clearing the environment in workers before env vars specified in this +; pool configuration are added. +; Setting to "no" will make all environment variables available to PHP code +; via getenv(), $_ENV and $_SERVER. +; Default Value: yes +;clear_env = no + +; Limits the extensions of the main script FPM will allow to parse. This can +; prevent configuration mistakes on the web server side. You should only limit +; FPM to .php extensions to prevent malicious users to use other extensions to +; execute php code. +; Note: set an empty value to allow all extensions. +; Default Value: .php +;security.limit_extensions = .php .php3 .php4 .php5 .php7 + +; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from +; the current environment. +; Default Value: clean env +;env[HOSTNAME] = $HOSTNAME +;env[PATH] = /usr/local/bin:/usr/bin:/bin +;env[TMP] = /tmp +;env[TMPDIR] = /tmp +;env[TEMP] = /tmp + +; Additional php.ini defines, specific to this pool of workers. These settings +; overwrite the values previously defined in the php.ini. 
The directives are the
+; same as the PHP SAPI:
+; php_value/php_flag - you can set classic ini defines which can
+; be overwritten from PHP call 'ini_set'.
+; php_admin_value/php_admin_flag - these directives won't be overwritten by
+; PHP call 'ini_set'
+; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
+
+; Defining 'extension' will load the corresponding shared extension from
+; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
+; overwrite previously defined php.ini values, but will append the new value
+; instead.
+
+; Note: path INI options can be relative and will be expanded with the prefix
+; (pool, global or /usr)
+
+; Default Value: nothing is defined by default except the values in php.ini and
+; specified at startup with the -d argument
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
+;php_flag[display_errors] = off
+;php_admin_value[error_log] = /var/log/fpm-php.www.log
+;php_admin_flag[log_errors] = on
+;php_admin_value[memory_limit] = 32M
+php_flag[zlib.output_compression] = Off
diff --git a/roles/webapps/files/ttrss_backend.service b/roles/webapps/files/ttrss_backend.service
new file mode 100644
index 0000000..2d76723
--- /dev/null
+++ b/roles/webapps/files/ttrss_backend.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=ttrss_backend
+After=network.target mysql.service postgresql.service
+
+[Service]
+User=www-data
+ExecStart=/srv/http/rss.libertus.eu/update_daemon2.php
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/roles/webapps/handlers/main.yml b/roles/webapps/handlers/main.yml
new file mode 100644
index 0000000..5dd7aca
--- /dev/null
+++ b/roles/webapps/handlers/main.yml
@@ -0,0 +1,9 @@
+- name: restart nginx
+ service:
+ name: nginx
+ state: restarted
+
+- name: restart php-fpm
+ service:
+ name: "php{{ php_version }}-fpm"
+ state: restarted
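Review bot: The pool runs as `user = www-data` / `group = www-data` and its socket is owned by the same account (`listen.owner = www-data`, `listen.group = www-data`), which is presumably also the nginx worker user, so PHP code executed by this pool can modify anything the web server can read and any process running as www-data can talk to the socket. A dedicated pool account (`user = nextcloud`, `group = nextcloud`) with `listen.owner`/`listen.group` left on the nginx user and `listen.mode = 0660` keeps the interpreter and the web server apart; Nextcloud only needs write access to its own config, apps and data directories. The pool also sets `pm.max_children = 50` while `php_admin_value[memory_limit]` and `request_terminate_timeout` stay commented out, so unless php.ini for the FPM SAPI caps them, one bad request can hold a worker for as long as it likes — worth pinning here since this file is the per-pool override.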
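Review bot: The unit runs `update_daemon2.php` straight from the document root as `User=www-data` with no restart policy and no sandboxing, so it depends on the script's shebang and executable bit, and after a crash it simply stays down. Add `Restart=on-failure` plus the usual hardening (`NoNewPrivileges=true`, `PrivateTmp=true`, `ProtectSystem=full`, `ProtectHome=true`) and call the interpreter explicitly so the web root needs no executable files. `After=network.target mysql.service postgresql.service` only orders startup; if the daemon cannot tolerate the database being absent, a matching `Wants=` or a retry loop in the script is still needed — I can't tell which from the unit alone.
```ini
[Service]
User=www-data
ExecStart=/usr/bin/php /srv/http/rss.libertus.eu/update_daemon2.php
Restart=on-failure
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
# … unchanged: [Unit] and [Install] sections …
```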
diff --git a/roles/webapps/tasks/feed2toot.yml b/roles/webapps/tasks/feed2toot.yml
new file mode 100644
index 0000000..acc1736
--- /dev/null
+++ b/roles/webapps/tasks/feed2toot.yml
@@ -0,0 +1,23 @@
+- name: install pip3
+ package:
+ name: python3-pip
+ state: present
+
+- name: install feed2toot
+ pip:
+ name: feed2toot
+ state: present
+
+- name: cron for feed2toot
+ cron:
+ name: F2T Dojo
+ user: www-data
+ minute: "*/15"
+ job: "/usr/local/bin/feed2toot -c /srv/docker/m.nintendojo.fr/feed2toot/feed2toot.ini"
+
+- name: config dir for feed2toot
+ file:
+ path: /var/www/.config
+ owner: www-data
+ group: www-data
+ state: directory
diff --git a/roles/webapps/tasks/main.yml b/roles/webapps/tasks/main.yml
new file mode 100644
index 0000000..36a39c1
--- /dev/null
+++ b/roles/webapps/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: include ttrss for web1
+ include_tasks: ttrss.yml
+ when: inventory_hostname == 'web1.dmz.mateu.be'
+- name: include php flag for NextCloud
+ include_tasks: nextcloud.yml
+ when: inventory_hostname == 'web1.dmz.mateu.be'
+- name: include matomo for web2
+ include_tasks: matomo.yml
+ when: inventory_hostname == 'web2.dmz.mateu.be'
+- name: WP for NintendojoFR
+ include_tasks: wp_dojo.yml
+ when: inventory_hostname == 'web2.dmz.mateu.be'
+- name: feed2toot for Mastodon
+ include_tasks: feed2toot.yml
+ when: inventory_hostname == 'ror.dmz.mateu.be'
+- name: tootctl for mastodon
+ include_tasks: tootctl.yml
+ when: inventory_hostname == 'ror.dmz.mateu.be'
diff --git a/roles/webapps/tasks/matomo.yml b/roles/webapps/tasks/matomo.yml
new file mode 100644
index 0000000..9a06e09
--- /dev/null
+++ b/roles/webapps/tasks/matomo.yml
@@ -0,0 +1,6 @@
+- name: crontab for matomo
+ cron:
+ name: Matomo reports
+ user: www-data
+ minute: "5"
+ job: "/usr/bin/php /srv/nginx/nintendojo.fr/analyse/console core:archive > /dev/null"
diff --git a/roles/webapps/tasks/nextcloud.yml b/roles/webapps/tasks/nextcloud.yml
new file mode 100644
index 0000000..2b02d9f
--- /dev/null
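Review bot: `pip: name: feed2toot` with `state: present` and no `version:` installs whatever PyPI serves at run time, system-wide and presumably as root, so each playbook run can silently pull in a different or tampered release and its whole dependency tree into the system Python. Pin it (`version: "x.y.z"`, or a requirements file with `--hash` entries) and put it in its own environment (`virtualenv: /opt/feed2toot`, with the cron job pointing at `/opt/feed2toot/bin/feed2toot`), which also stops the tool from fighting Debian's packaged Python modules. The cron job has no output redirection, so any output every 15 minutes is mailed to www-data; append `>> /var/log/feed2toot.log 2>&1` (or `> /dev/null 2>&1`) so failures are logged rather than queued in local mail. The ini file it reads lives under /srv/docker and presumably holds the Mastodon token; a `file` task setting its owner and `mode: "0600"` would belong in this same task file.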
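Review bot: Every include in main.yml is gated on a literal FQDN (`when: inventory_hostname == 'web1.dmz.mateu.be'`), so renaming a host or adding a second web node means editing role code instead of inventory, and the role cannot be exercised against a staging copy at all. Style point: express the selection as inventory data — a group per app (`when: inventory_hostname in groups['ttrss']`) or a host var such as `webapps: [ttrss, nextcloud]` with `when: "'ttrss' in webapps"` — and keep this file free of site-specific names. The conditions that pair off (ttrss/nextcloud, matomo/wp_dojo, feed2toot/tootctl) could then also be collapsed into a single `include_tasks: "{{ item }}.yml"` loop over that list.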
+++ b/roles/webapps/tasks/nextcloud.yml
@@ -0,0 +1,6 @@
+- name: php-fpm nextcloud specific configuration
+ copy:
+ src: files/oc.conf
+ dest: "/etc/php/{{ php_version }}/fpm/pool.d/oc.conf"
+ notify:
+ - restart php-fpm
diff --git a/roles/webapps/tasks/tootctl.yml b/roles/webapps/tasks/tootctl.yml
new file mode 100644
index 0000000..7ae2d1c
--- /dev/null
+++ b/roles/webapps/tasks/tootctl.yml
@@ -0,0 +1,7 @@
+- name: cron for tootctl
+ cron:
+ name: Mastodon tootctl
+ minute: "0"
+ hour: "19"
+ weekday: "5"
+ job: "docker-compose -f /srv/docker/m.nintendojo.fr/docker-compose.yml run --rm web bin/tootctl media remove"
diff --git a/roles/webapps/tasks/ttrss.yml b/roles/webapps/tasks/ttrss.yml
new file mode 100644
index 0000000..8a34898
--- /dev/null
+++ b/roles/webapps/tasks/ttrss.yml
@@ -0,0 +1,16 @@
+- name: systemd file for backend
+ copy:
+ src: files/ttrss_backend.service
+ dest: /etc/systemd/system/ttrss_backend.service
+
+- name: enable and start service ttrss_backend
+ service:
+ name: ttrss_backend
+ enabled: true
+ state: started
+
+- name: install git
+ package:
+ name: git
+ state: present
+
diff --git a/roles/webapps/tasks/wp_dojo.yml b/roles/webapps/tasks/wp_dojo.yml
new file mode 100644
index 0000000..bac828f
--- /dev/null
+++ b/roles/webapps/tasks/wp_dojo.yml
@@ -0,0 +1,13 @@
+- name: nginx cache
+ copy:
+ src: files/fastcgi_cache.conf
+ dest: /etc/nginx/conf.d/fastcgi_cache.conf
+ notify:
+ - restart nginx
+
+- name: wordpress cron
+ cron:
+ name: "WP Twitter refresh"
+ user: www-data
+ minute: "*/2"
+ job: "/usr/bin/wget -q -O - https://www.nintendojo.fr/wp-cron.php &> /dev/null"
diff --git a/roles/x509/tasks/main.yml b/roles/x509/tasks/main.yml
new file mode 100644
index 0000000..123aa20
--- /dev/null
+++ b/roles/x509/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: install acme.sh
+ shell: curl https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh | INSTALLONLINE=1 LE_WORKING_DIR=/etc/x509 sh
+ args:
+ creates: /etc/x509
+
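Review bot: ttrss.yml copies a unit file into /etc/systemd/system but nothing issues `systemctl daemon-reload`, so after the first run any later change to ttrss_backend.service is written to disk and never loaded — the following `service` task keeps acting on the stale definition, and systemd only warns about it. Replace the `service` task with the `systemd` module and set `daemon_reload: true`, or register the `copy` result and notify a daemon-reload handler; the copy itself should also carry `owner: root`, `group: root`, `mode: "0644"` so the unit is not left with whatever umask the controller had. Installing `git` after the service has been enabled is harmless but reads backwards; if the checkout in /srv/http depends on it, move that task first.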
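Review bot: The wp_dojo cron line ends in `&> /dev/null`, which is a bash-ism; cron runs jobs under `/bin/sh` (dash on Debian), where `&>` is read as `&` followed by `> /dev/null` — wget is backgrounded, its `-O -` page body still goes to cron's stdout, and www-data receives a mail every two minutes instead of silence. Use POSIX redirection: `job: "/usr/bin/wget -q -O - https://www.nintendojo.fr/wp-cron.php > /dev/null 2>&1"` (or simply `-O /dev/null`). Fetching the public URL also makes the job depend on DNS, the certificate and any front-end in the path; running `wp cron event run --due-now` from the site root, or fetching over loopback with an explicit `Host:` header, would keep it local, though that is optional.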
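Review bot: `shell: curl https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh | INSTALLONLINE=1 LE_WORKING_DIR=/etc/x509 sh` pipes an unpinned moving branch into a root shell on every host system.yml touches, with no `-f`/`-sS` on curl (a GitHub error page would be executed just the same) and no digest check — the one non-declarative, unverifiable step in an otherwise reproducible repo. Pin a release tag and verify its checksum before anything runs: fetch with `get_url` and `checksum:` into a versioned staging path, then run it with a `command` task guarded by the same `creates:`; acme.sh's `--install --home /etc/x509` should reproduce what `INSTALLONLINE=1 LE_WORKING_DIR=/etc/x509` does, but confirm against the docs of the pinned version. `creates: /etc/x509` also means the task never re-runs, so upgrades have to come from acme.sh's own `--upgrade` or from bumping the pinned version (and the staging path) here. `acme_sh_version` and `acme_sh_sha256` below would be role defaults.
```yaml
- name: download pinned acme.sh release
  get_url:
    url: "https://raw.githubusercontent.com/Neilpang/acme.sh/{{ acme_sh_version }}/acme.sh"
    dest: "/usr/local/src/acme.sh-{{ acme_sh_version }}"
    checksum: "sha256:{{ acme_sh_sha256 }}"
    mode: "0755"

- name: install acme.sh
  command: "/usr/local/src/acme.sh-{{ acme_sh_version }} --install --home /etc/x509"
  args:
    creates: /etc/x509
```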
diff --git a/site.yml b/site.yml
new file mode 100644
index 0000000..0dd5d75
--- /dev/null
+++ b/site.yml
@@ -0,0 +1,12 @@
+- import_playbook: system.yml
+- import_playbook: proxmox.yml
+- import_playbook: borgbackup.yml
+- import_playbook: nut.yml
+- import_playbook: firewall.yml
+- import_playbook: webservers.yml
+- import_playbook: loadbalancinghttp.yml
+- import_playbook: docker.yml
+- import_playbook: php.yml
+- import_playbook: mariadb.yml
+- import_playbook: pgsql.yml
+- import_playbook: bittorrent.yml
diff --git a/system.yml b/system.yml
new file mode 100644
index 0000000..11d81e5
--- /dev/null
+++ b/system.yml
@@ -0,0 +1,5 @@
+- hosts: all:!baybay-ponay.mateu.be:!n0box2.mateu.be:!machinbox.mateu.be
+ roles:
+ - common
+ - system
+ - x509
diff --git a/webservers.yml b/webservers.yml
new file mode 100644
index 0000000..2399ee0
--- /dev/null
+++ b/webservers.yml
@@ -0,0 +1,4 @@
+- hosts: webservers
+ roles:
+ - nginx
+ - webapps
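Review bot: site.yml imports `proxmox.yml`, `nut.yml`, `loadbalancinghttp.yml`, `php.yml`, `mariadb.yml` and `pgsql.yml`, none of which appear among the files this commit adds as shown on this page (the new playbooks visible are bittorrent, borgbackup, docker, firewall, system and webservers). `import_playbook` resolves at parse time, so if those files are really absent `ansible-playbook site.yml` fails before running a single task; if the page is merely truncated, ignore this. Either way, the order matters here: `system.yml` runs the `x509` role on everything first, so any later playbook can assume acme.sh is present — worth a one-line comment above the first import saying so.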
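Review bot: `hosts: all:!baybay-ponay.mateu.be:!n0box2.mateu.be:!machinbox.mateu.be` embeds three exclusions by literal hostname in the playbook, so the pattern silently stops excluding them the day one is renamed, and the `x509` role (with its curl-pipe-sh installer) is applied to every remaining host whether or not it terminates TLS. Style point: move the exception into inventory — a group such as `unmanaged` and `hosts: all:!unmanaged` — so the list lives next to the hosts it describes, and apply `x509` only to a group of hosts that actually hold certificates, e.g. a second play `- hosts: tls_endpoints` with `roles: [x509]`.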