slfhst/ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

First commit

Browse Source
This commit is contained in:
VC
2019-09-04 09:06:55 +02:00
commit dded46ff64
144 changed files with 7495 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
roles/bittorrent/files/CACHEDIR.TAG Normal file
View File

@@ -0,0 +1 @@
Signature: 8a477f597d28d172789f06886806bc55

13
roles/bittorrent/files/sonarr.service Normal file
View File

@@ -0,0 +1,13 @@
[Unit]
Description=Sonarr Service
After=network.target
[Service]
User=debian-transmission
Group=debian-transmission
ExecStart=/usr/bin/mono /opt/NzbDrone/NzbDrone.exe -nobrowser
Type=simple
TimeoutStopSec=20
[Install]
WantedBy=multi-user.target

12
roles/bittorrent/handlers/main.yml Normal file
View File

@@ -0,0 +1,12 @@
- name: reload transmission
service:
name: transmission-daemon
state: reloaded
- name: restart sonarr
service:
name: sonarr
state: restarted
- name: export nfs
command: exportfs -a

14
roles/bittorrent/tasks/configdir.yml Normal file
View File

@@ -0,0 +1,14 @@
- name: create Series folder
file:
path: /var/lib/transmission-daemon/downloads/Series
recurse: True
owner: debian-transmission
group: debian-transmission
- name: create Movies folder
file:
path: /var/lib/transmission-daemon/downloads/Movies
recurse: True
owner: debian-transmission
group: debian-transmission

5
roles/bittorrent/tasks/main.yml Normal file
View File

@@ -0,0 +1,5 @@
- include_tasks: transmission.yml
- include_tasks: sonarr.yml
- include_tasks: subliminal.yml
- include_tasks: configdir.yml
- include_tasks: nfsserver.yml

15
roles/bittorrent/tasks/nfsserver.yml Normal file
View File

@@ -0,0 +1,15 @@
- getent:
database: passwd
key: debian-transmission
- name: install nfs server
package:
name: nfs-kernel-server
state: present
- name: copy exports file
template:
src: exports.j2
dest: /etc/exports
notify:
- export nfs

34
roles/bittorrent/tasks/sonarr.yml Normal file
View File

@@ -0,0 +1,34 @@
- name: install sonarr repokey
apt_key:
keyserver: keyserver.ubuntu.com
id: "0xa236c58f409091a18aca53cbebff6b99d9b78493"
- name: install sonarr repo
apt_repository:
repo: deb http://apt.sonarr.tv/ master main
state: present
- name: create sonarr conf dir
file:
path: /var/lib/transmission-daemon/.config/NzbDrone
recurse: True
owner: debian-transmission
group: debian-transmission
mode: "a-rwx,u+rwX,g+rX"
- name: install sonarr
package:
name: nzbdrone
state: present
- name: copy systemd file
copy:
src: files/sonarr.service
dest: /etc/systemd/system/sonarr.service
notify:
- restart sonarr
- name: enable sonarr service
service:
name: sonarr
enabled: True

17
roles/bittorrent/tasks/subliminal.yml Normal file
View File

@@ -0,0 +1,17 @@
- name: install pip3
package:
name: python3-pip
state: present
- name: install subliminal
pip:
name: subliminal
state: present
- name: install subliminal crontab
cron:
name: "Sub DL"
user: "debian-transmission"
minute: "15"
hour: "20"
job: "/usr/local/bin/subliminal download /var/lib/transmission-daemon/downloads/Series/ --language fr &> /dev/null"

26
roles/bittorrent/tasks/transmission.yml Normal file
View File

@@ -0,0 +1,26 @@
- name: install transmission
package:
name: "{{ item }}"
state: present
loop:
- transmission-daemon
- transmission-cli
- name: transmission config file
template:
src: settings.json.j2
dest: /etc/transmission-daemon/settings.json
owner: debian-transmission
group: debian-transmission
mode: "a-rwx,u+rw"
notify:
- reload transmission
- name: Add cachedir file
copy:
src: files/CACHEDIR.TAG
dest: /var/lib/transmission-daemon/downloads/CACHEDIR.TAG
owner: debian-transmission
group: debian-transmission
mode: '0755'

1
roles/bittorrent/templates/exports.j2 Normal file
View File

@@ -0,0 +1 @@
/var/lib/transmission-daemon/downloads 10.233.212.64/26(ro,async,no_subtree_check,all_squash,anonuid={{ getent_passwd['debian-transmission'][1] }},anongid={{ getent_passwd['debian-transmission'][2] }})

83
roles/bittorrent/templates/settings.json.j2 Normal file
View File

@@ -0,0 +1,83 @@
{
"alt-speed-down": 2000,
"alt-speed-enabled": false,
"alt-speed-time-begin": 450,
"alt-speed-time-day": 127,
"alt-speed-time-enabled": false,
"alt-speed-time-end": 1350,
"alt-speed-up": 2000,
"bind-address-ipv4": "0.0.0.0",
"bind-address-ipv6": "::",
"blocklist-enabled": true,
"blocklist-url": "http://list.iblocklist.com/?list=bt_level1&fileformat=p2p&archiveformat=gz",
"cache-size-mb": 8,
"dht-enabled": true,
"download-dir": "/var/lib/transmission-daemon/downloads/",
"download-limit": 100,
"download-limit-enabled": 0,
"download-queue-enabled": false,
"download-queue-size": 5,
"encryption": 0,
"idle-seeding-limit": 14400,
"idle-seeding-limit-enabled": true,
"incomplete-dir": "/root/Downloads",
"incomplete-dir-enabled": false,
"lazy-bitfield-enabled": true,
"lpd-enabled": true,
"max-peers-global": 200,
"max-peers-per-torrent": 200,
"message-level": 1,
"open-file-limit": 32,
"peer-congestion-algorithm": "",
"peer-id-ttl-hours": 6,
"peer-limit-global": 1000,
"peer-limit-per-torrent": 200,
"peer-port": 10010,
"peer-port-random-high": 65535,
"peer-port-random-low": 49152,
"peer-port-random-on-start": false,
"peer-socket-tos": "default",
"pex-enabled": true,
"port-forwarding-enabled": false,
"preallocation": 1,
"prefetch-enabled": true,
"proxy": "",
"proxy-auth-enabled": false,
"proxy-auth-password": "",
"proxy-auth-username": "",
"proxy-enabled": false,
"proxy-port": 80,
"proxy-type": 0,
"queue-stalled-enabled": false,
"queue-stalled-minutes": 30,
"ratio-limit": 5,
"ratio-limit-enabled": true,
"rename-partial-files": true,
"rpc-authentication-required": true,
"rpc-bind-address": "0.0.0.0",
"rpc-enabled": true,
"rpc-host-whitelist": "",
"rpc-host-whitelist-enabled": true,
"rpc-password": "{{ transmission_pass }}",
"rpc-port": 9091,
"rpc-url": "/transmission/",
"rpc-username": "{{ transmission_user }}",
"rpc-whitelist": "127.0.0.1",
"rpc-whitelist-enabled": true,
"scrape-paused-torrents-enabled": true,
"script-torrent-done-enabled": false,
"script-torrent-done-filename": "",
"seed-queue-enabled": false,
"seed-queue-size": 4,
"speed-limit-down": 4000,
"speed-limit-down-enabled": false,
"speed-limit-up": 4000,
"speed-limit-up-enabled": false,
"start-added-torrents": true,
"trash-original-torrent-files": false,
"umask": 18,
"upload-limit": 100,
"upload-limit-enabled": 0,
"upload-slots-per-torrent": 20,
"utp-enabled": true
}

11
roles/borg-client/defaults/main.yml Normal file
View File

@@ -0,0 +1,11 @@
borg_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
62333166623737363731663766353330633335306532306366356536376232396664376430613434
3966376539303238376461386262663066376338386537660a376365643761653463393539316232
30653130383761653432306136333733653062356635643662616133366663646132383136313530
3866343664393330610a623930316330626166343934623230313232626131386132393866373661
6336
borg_backup_path: ["/srv", "/home", "/etc"]
borg_backup_excluded_path: ["/srv/NOBACKUP"]
borg_backup_hour: 6
borg_backup_minute: 0

26
roles/borg-client/tasks/main.yml Normal file
View File

@@ -0,0 +1,26 @@
- name: create SSH key
openssh_keypair:
path: ~/.ssh/id_rsa
- name: get SSH pub key
command: cat ~/.ssh/id_rsa.pub
register: ssh_keys
- name: put backup script
template:
src: borgbackup.sh.j2
dest: /usr/local/bin/borgbackup.sh
owner: root
group: root
mode: '0750'
- name: cron the backup script
cron:
name: "borg backup script"
hour: "{{ borg_backup_hour }}"
minute: "{{ borg_backup_minute }}"
job: /usr/local/bin/borgbackup.sh
- name: warns about borg init
debug:
msg: "Borg has been installed. Dont forget to init with: \nborg init --encryption=repokey-blake2 backup@{{ hostvars[groups['borg_server'][0]]['ansible_fqdn'] }}:home"

20
roles/borg-client/templates/borgbackup.sh.j2 Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/sh
## Variable
export BORG_PASSPHRASE="{{ borg_pass }}"
## lancement de la sauvegarde
borg create --exclude-caches {% for f in borg_backup_excluded_path %}-e {{ f }} {% endfor %} -s backup@{{ hostvars[groups['borg_server'][0]]['ansible_fqdn'] }}:home::{now:%Y-%m-%d} {% for f in borg_backup_path %}{{ f }} {% endfor %}
## récupération de l'espace
borg prune -d 7 -w 4 -m 3 backup@{{ hostvars[groups['borg_server'][0]]['ansible_fqdn'] }}:home
{% if inventory_hostname == 'n0box2.mateu.be' %}
## la sauvegarde mais chez Holaf
borg create -s ssh://mortal@holaf.duckdns.org:22222/home/mortal/repos/n0box2.mateu.be/home::{now:%Y-%m-%d} /etc /home /srv
## la sauvegarde mais chez Holaf
borg prune -d 7 -w 4 -m 3 ssh://mortal@holaf.duckdns.org:22222/home/mortal/repos/n0box2.mateu.be/home
{% endif %}

34
roles/borg-server/tasks/main.yml Normal file
View File

@@ -0,0 +1,34 @@
- name: mount backup disk
mount:
path: /backup
src: LABEL=BACKUP
fstype: btrfs
opts: noatime
state: mounted
- name: create backup user
user:
name: backup
comment: Backup
create_home: yes
home: /backup
shell: /bin/bash
system: yes
state: present
- name: "create directory for borg clients"
file:
path: "/backup/repos/{{ hostvars[item]['ansible_fqdn'] }}"
state: directory
mode: '0750'
owner: backup
group: backup
loop: "{{ groups['borg_client'] }}"
- name: "set authorized_keys for borg clients"
authorized_key:
user: backup
key: "{{ hostvars[item]['ssh_keys']['stdout'] }}"
key_options: "command=\"cd /backup/repos/{{ hostvars[item]['ansible_fqdn'] }}; borg serve --restrict-to-path /backup/repos/{{ hostvars[item]['ansible_fqdn'] }}\""
state: present
loop: "{{ groups['borg_client'] }}"

10
roles/borgbackup/tasks/main.yml Normal file
View File

@@ -0,0 +1,10 @@
- set_fact:
borgbackup: borg
when: ansible_facts['distribution'] == "Archlinux"
- set_fact:
borgbackup: borgbackup
when: ansible_facts['distribution'] == "Debian"
- name: install borg package
package:
name: "{{ borgbackup }}"
state: present

1
roles/common/defaults/main.yml Normal file
View File

@@ -0,0 +1 @@
localtime: "Europe/Paris"

0
roles/common/handlers/main.yml Normal file
View File

26
roles/docker/tasks/main.yml Normal file
View File

@@ -0,0 +1,26 @@
- name: docker repo key
apt_key:
url: https://download.docker.com/linux/debian/gpg
state: present
- name: docker repo install
apt_repository:
repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_facts['distribution_release'] }} stable"
state: present
- name: install docker and docker-compose
package:
name: "{{ item }}"
state: present
loop:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-compose
- name: docker directory
file:
path: /srv/docker
owner: root
group: root
state: directory

4
roles/firewall/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
- name: reload firewall
openwrt_init:
name: firewall
state: reloaded

5
roles/firewall/tasks/main.yml Normal file
View File

@@ -0,0 +1,5 @@
- name: generate firewall file
template:
src: firewall.j2
dest: /etc/config/firewall
notify: reload firewall

506
roles/firewall/templates/firewall.j2 Normal file
View File

@@ -0,0 +1,506 @@
## General WAN Rules
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option src_ip 'fe80::/10'
option src_port '547'
option proto 'udp'
option dest_ip 'fe80::/10'
option dest_port '546'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option target 'ACCEPT'
option family 'ipv6'
option limit '1000/sec'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option target 'ACCEPT'
option family 'ipv6'
option limit '1000/sec'
## Deny IPv6 SMTP
config rule
option name 'Deny-SMTP'
option src 'lan'
option proto 'tcp'
option dest 'wan'
option dest_port '25'
option target 'REJECT'
option family 'ipv6'
## SSH from VINCI rules
config rule
option name 'Allow-Input-SSH-VINCI'
option src 'wan'
option src_ip '{{ vinci_ipv6_out }}'
option proto 'tcp'
option dest_port '22'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'Allow-SSH-VINCI'
option src 'wan'
option src_ip '{{ vinci_ipv6_out }}'
option proto 'tcp'
option dest 'lan'
option dest_port '22'
option target 'ACCEPT'
option family 'ipv6'
## Traffic for n0box2 server
config rule
option name 'n0box2-SMTP+SMTPS+SUBMISSION'
option src 'wan'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '25 465 587'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'n0box2-IMAP+IMAPS'
option src 'wan'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '143 993'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'n0box2-HTTP+HTTPS'
option src 'wan'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '80 443'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'n0box2-XMPP-c2s+s2s'
option src 'wan'
option proto 'tcpudp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '5222 5269'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'n0box2-TS-com+com2'
option src 'wan'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '10011 30033'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'n0box2-TS-signal'
option src 'wan'
option proto 'udp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '9987'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'n0box2-mumble'
option src 'wan'
option proto 'tcpudp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '64738'
option target 'ACCEPT'
option family 'ipv6'
config redirect
option name 'n0box2-SMTP'
option src 'wan'
option src_dport '25'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '25'
option target 'DNAT'
config redirect
option name 'n0box2-SMTPS'
option src 'wan'
option src_dport '465'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '465'
option target 'DNAT'
config redirect
option name 'n0box2-SUBMISSION'
option src 'wan'
option src_dport '587'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '587'
option target 'DNAT'
config redirect
option name 'n0box2-IMAP'
option src 'wan'
option src_dport '143'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '143'
option target 'DNAT'
config redirect
option name 'n0box2-IMAPS'
option src 'wan'
option src_dport '993'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '993'
option target 'DNAT'
config redirect
option name 'n0box2-XMPP-c2s'
option src 'wan'
option src_dport '5222'
option proto 'tcpudp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '5222'
option target 'DNAT'
config redirect
option name 'n0box2-XMPP-s2s'
option src 'wan'
option src_dport '5269'
option proto 'tcpudp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '5269'
option target 'DNAT'
config redirect
option name 'n0box2-TS-com'
option src 'wan'
option src_dport '10011'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '10011'
option target 'DNAT'
config redirect
option name 'n0box2-TS-com2'
option src 'wan'
option src_dport '30033'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '30033'
option target 'DNAT'
config redirect
option name 'n0box2-TS-signal'
option src 'wan'
option src_dport '9987'
option proto 'udp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '9987'
option target 'DNAT'
config redirect
option name 'n0box2-mumble'
option src 'wan'
option src_dport '64738'
option proto 'tcpudp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '64738'
option target 'DNAT'
### DMZ Rules
## General Rules
# ICMP
config rule
option name 'Allow-ICMP'
option dest 'dmz'
option proto 'icmp'
option target 'ACCEPT'
config rule
option name 'Allow-ICMP'
option src 'dmz'
option proto 'icmp'
option target 'ACCEPT'
config rule
option name 'Allow-ICMP'
option src 'dmz'
option proto 'icmp'
option dest '*'
option target 'ACCEPT'
# DHCP rules
config rule
option name 'Allow-DMZ-DHCP'
option dest 'dmz'
option dest_port '67-68'
option proto 'tcpudp'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-DMZ-DHCP'
option src 'dmz'
option proto 'tcpudp'
option dest_port '67-68'
option target 'ACCEPT'
option family 'ipv4'
# DNS Resolution
config rule
option name 'Allow-INPUT-DNS'
option src 'dmz'
option proto 'tcpudp'
option dest_port '53'
option target 'ACCEPT'
option family 'ipv4'
# NTP
config rule
option name 'Allow-OUTPUT-NTP'
option src 'dmz'
option proto 'udp'
option dest 'wan'
option dest_port '123'
option target 'ACCEPT'
# Web traffic OUT
config rule
option name 'Allow-OUTPUT-Web'
option src 'dmz'
option proto 'tcpudp'
option dest 'wan'
option dest_port '80 443'
option target 'ACCEPT'
# SSH traffic IN
config rule
option name 'Allow-INPUT-SSH'
option src 'wan'
option proto 'tcp'
option dest 'dmz'
option dest_port '22'
option target 'ACCEPT'
option family 'ipv6'
# Allow traffic to n0box2
config rule
option name 'Allow-OUTPUT-to-n0box2'
option src 'dmz'
option proto 'tcpudp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '25 80 443 465 587 143 993'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-OUTPUT-to-n0box2'
option src 'dmz'
option proto 'tcpudp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '25 80 443 465 587 143 993'
option target 'ACCEPT'
option family 'ipv6'
## Specific rules
# Allow IPv4 Web traffic IN
config redirect
option name 'Allow-INPUT-v4-HTTP'
option src 'wan'
option src_dport '80'
option proto 'tcpudp'
option dest 'dmz'
option dest_ip '{{ hostvars['haproxy.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '80'
option target 'DNAT'
config redirect
option name 'Allow-INPUT-v4-HTTPS'
option src 'wan'
option src_dport '443'
option proto 'tcpudp'
option dest 'dmz'
option dest_ip '{{ hostvars['haproxy.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '443'
option target 'DNAT'
# Allow Web traffic IN
{% for host in groups['webservers'] %}
config rule
option name 'Allow-INPUT-{{ host }}-Web'
option src 'wan'
option proto 'tcpudp'
option dest 'dmz'
option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
option dest_port '80 443'
option target 'ACCEPT'
option family 'ipv6'
{% endfor %}
# Allow traffic to and from bt.dmz.mateu.be
config rule
option name 'Allow-OUTPUT-BT'
option src 'dmz'
option src_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
option proto 'tcpudp'
option dest 'wan'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-OUTPUT-BT'
option src 'dmz'
option src_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
option proto 'tcpudp'
option dest 'wan'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'Allow-INPUT-BT'
option src 'wan'
option proto 'tcpudp'
option dest 'dmz'
option dest_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '10010'
option target 'ACCEPT'
option family 'ipv6'
config redirect
option name 'Allow-INPUT-BT'
option src 'wan'
option src_dport '10010'
option proto 'tcpudp'
option dest 'dmz'
option dest_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '10010'
option target 'DNAT'
# Allow traffic to Proxmox VE interface
{% for host in groups['hypervisors'] %}
config rule
option name 'Allow-INPUT-ProxmoxVE-{{ hostvars[host]['ansible_hostname'] }}'
option src 'wan'
option proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
option dest_port '8006'
option target 'ACCEPT'
option family 'ipv6'
{% endfor %}
## Default configuration
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
## Zone configuration
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'dmz'
option input 'REJECT'
option output 'REJECT'
option forward 'REJECT'
option network 'dmz'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option network 'vpn'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'dmz'
config include
option path '/etc/firewall.user'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'

1
roles/firewall/vars/main.yml Normal file
View File

@@ -0,0 +1 @@
vinci_ipv6_out: "2a02:2098:8711:920:740c:70c0:e153:55b6"

4
roles/haproxy/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
- name: restart haproxy
service:
name: haproxy
state: restarted

11
roles/haproxy/tasks/main.yml Normal file
View File

@@ -0,0 +1,11 @@
- name: install haproxy package
package:
name: haproxy
state: present
- name: haproxy config
template:
src: haproxy.cfg.j2
dest: /etc/haproxy/haproxy.cfg
notify:
- restart haproxy

97
roles/haproxy/templates/haproxy.cfg.j2 Normal file
View File

@@ -0,0 +1,97 @@
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend http
mode http
bind *:80 name frontend-http
tcp-request inspect-delay 3s
acl letsencrypt path_beg /.well-known/acme-challenge
redirect scheme https code 301 if !letsencrypt
{% for server in groups['webservers'] %}
{% for hostname in hostvars[server]['web_hostname'] %}
## {{ hostname }} configuration
acl host_{{ hostname }} hdr(host) -i {{ hostname }}
use_backend http_{{ server }} if letsencrypt host_{{ hostname }}
{% endfor %}
{% endfor %}
use_backend http_default
frontend https
mode tcp
option tcplog
bind *:443 name frontend-https
tcp-request inspect-delay 3s
tcp-request content accept if { req.ssl_hello_type 1 }
{% for server in groups['webservers'] %}
{% for hostname in hostvars[server]['web_hostname'] %}
## {{ hostname }} configuration
acl host_{{ hostname }} req.ssl_sni -i {{ hostname }}
use_backend https_{{ server }} if host_{{ hostname }}
{% endfor %}
{% endfor %}
use_backend https_default
{% for server in groups['webservers'] %}
## {{ server }} configuration
backend http_{{ server }}
mode http
server host_{{ server }} {{ server }}:80
backend https_{{ server }}
mode tcp
server host_{{ server }} {{ server }}:443
{% endfor %}
backend http_default
mode http
server host_n0box2 {{ lookup('dig', 'n0box2.mateu.be.', 'qtype=AAAA') }}:80
backend https_default
mode tcp
server host_n0box2 {{ lookup('dig', 'n0box2.mateu.be.', 'qtype=AAAA') }}:443
## Stats
listen stats
bind *:8080
mode http
log global
stats enable
stats uri /
stats hide-version

2
roles/mariadb/defaults/main.yml Normal file
View File

@@ -0,0 +1,2 @@
mariadb_backup_hour: 5
mariadb_backup_minute: 0

137
roles/mariadb/files/50-server.cnf Normal file
View File

@@ -0,0 +1,137 @@
#
# These groups are read by MariaDB server.
# Use it for options that only the server (but not clients) should see
#
# See the examples of server my.cnf files in /usr/share/mysql
# this is read by the standalone daemon and embedded servers
[server]
# this is only for the mysqld standalone daemon
[mysqld]
#
# * Basic Settings
#
user = mysql
pid-file = /run/mysqld/mysqld.pid
socket = /run/mysqld/mysqld.sock
#port = 3306
basedir = /usr
datadir = /srv/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
default-storage-engine = InnoDB
#skip-external-locking
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 127.0.0.1
#
# * Fine Tuning
#
key_buffer_size = 32M
max_allowed_packet = 64M
thread_stack = 256K
thread_cache_size = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
myisam_recover_options = BACKUP
#max_connections = 100
#table_cache = 64
#thread_concurrency = 10
#
# * Query Cache Configuration
#
query_cache_limit = 16M
query_cache_size = 64M
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime!
#general_log_file = /var/log/mysql/mysql.log
#general_log = 1
#
# Error log - should be very few entries.
#
log_error = /var/log/mysql/error.log
#
# Enable the slow query log to see queries with especially long duration
#slow_query_log_file = /var/log/mysql/mariadb-slow.log
#long_query_time = 10
#log_slow_rate_limit = 1000
#log_slow_verbosity = query_plan
#log-queries-not-using-indexes
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
# other settings you may need to change.
#server-id = 1
#log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
max_binlog_size = 100M
#binlog_do_db = include_database_name
#binlog_ignore_db = exclude_database_name
#
# * Security Features
#
# Read the manual, too, if you want chroot!
#chroot = /srv/mysql/
#
# For generating SSL certificates you can use for example the GUI tool "tinyca".
#
#ssl-ca = /etc/mysql/cacert.pem
#ssl-cert = /etc/mysql/server-cert.pem
#ssl-key = /etc/mysql/server-key.pem
#
# Accept only connections using the latest and most secure TLS protocol version.
# ..when MariaDB is compiled with OpenSSL:
#ssl-cipher = TLSv1.2
# ..when MariaDB is compiled with YaSSL (default in Debian):
#ssl = on
#
# * Character sets
#
# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
# utf8 4-byte character set. See also client.cnf
#
character-set-server = utf8mb4
collation-server = utf8mb4_general_ci
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /srv/mysql/.
# Read the manual for more InnoDB related options. There are many!
innodb_file_per_table
innodb_data_file_path=ibdata1:10M:autoextend
#
# * Unix socket authentication plugin is built-in since 10.0.22-6
#
# Needed so the root database user can authenticate without a password but
# only when running as the unix root user.
#
# Also available for other users if required.
# See https://mariadb.com/kb/en/unix_socket-authentication-plugin/
# this is only for embedded server
[embedded]
# This group is only read by MariaDB servers, not by MySQL.
# If you use the same .cnf file for MySQL and MariaDB,
# you can put MariaDB-only options here
[mariadb]
# This group is only read by MariaDB-10.3 servers.
# If you use the same .cnf file for MariaDB of different versions,
# use this group for options that older servers don't understand
[mariadb-10.3]

43
roles/mariadb/files/backup_mysql.sh Normal file
View File

@@ -0,0 +1,43 @@
#!/bin/bash
##########
# THIS FILE IS MANAGED BY ANSIBLE
# ANY MODIFICATION IS LIKELY TO BE ERASED
##########
##############################################
# Nom : backup_mysql.sh
# Objet : Dump les bases mysql
# listees dans $backup_db_list
# dans le dossier $backup_dump_path, un sous-dossier par base
###############################################
# Chemin de stockage des dump
backup_dump_path="/srv/backup/mysql/"
# Liste des bases a sauvegarder séparées par des espaces
backup_db_list=`echo -n 'show databases' | mysql | grep -v Database | grep -v _schema`
# Verifie que backup_dump_path existe, on crée sinon
if [ ! -d $backup_dump_path ] ; then mkdir -p $backup_dump_path ; fi
# On se deplace dans le dossier, et on purge les fichiers plus vieux que backup_max_age
cd $backup_dump_path
mysqlcheck --all-databases > /srv/mysql/check
# Pour chaque base a sauvegarder
for backup_db_name in $backup_db_list
do
# Verifie si un dossier existe pour cette base, on cree si non
if [ ! -d ./$backup_db_name ] ; then mkdir ./$backup_db_name ; fi
cd ./$backup_db_name
# On dump
mysqldump --events $backup_db_name | gzip > $backup_db_name.sql.gz
cd ..
done
# On s'assure que nimporte qui ne peut lire les dump
chmod a-rwx,u+rwX -R $backup_dump_path

4
roles/mariadb/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
- name: restart mariadb
service:
name: mariadb
state: restarted

87
roles/mariadb/tasks/main.yml Normal file
View File

@@ -0,0 +1,87 @@
- name: install mariadb
package:
name: mariadb-server
state: present
- name: create mysql directory
file:
path: /srv/mysql
owner: mysql
group: mysql
state: directory
- name: populate mysql directory
command: /usr/bin/mysql_install_db --datadir=/srv/mysql
args:
creates: /srv/mysql/ibdata1
notify: restart mariadb
- name: replace conffile
copy:
src: files/50-server.cnf
dest: /etc/mysql/mariadb.conf.d/50-server.cnf
notify: restart mariadb
- name: debian upgrade file conf
template:
src: debian.cnf.j2
dest: /etc/mysql/debian.cnf
owner: root
group: root
mode: '0600'
notify: restart mariadb
- name: force handlers
meta: flush_handlers
- name: install python-mysql
package:
name: "{{ item }}"
state: present
loop:
- python-pymysql
- python3-pymysql
- name: root password
mysql_user:
login_user: root
host: "{{ item }}"
name: root
password: "{{ mariadb_root_pass }}"
loop:
- "localhost"
- "127.0.0.1"
- "::1"
- name: put .my.cnf file
template:
src: dot.my.cnf.j2
dest: ~/.my.cnf
mode: '0600'
- name: scripted version of mysql_secure_installation
command: "{{ item }}"
args:
warn: false
creates: ~/mysql_secure_installation
loop:
- "mysql -e \"DELETE FROM mysql.user WHERE User='';\""
- "mysql -e \"DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');\""
- "mysql -e \"DROP DATABASE IF EXISTS test;\""
- "mysql -e \"DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';\""
- "mysql -e \"FLUSH PRIVILEGES;\""
- touch ~/mysql_secure_installation
- name: install backup script
copy:
src: files/backup_mysql.sh
dest: /usr/local/bin/backup_mysql.sh
mode: '0755'
- name: cron backup script
cron:
name: "MariaDB backup"
hour: "{{ mariadb_backup_hour }}"
minute: "{{ mariadb_backup_minute }}"
job: "/usr/local/bin/backup_mysql.sh"
state: present

12
roles/mariadb/templates/debian.cnf.j2 Normal file
View File

@@ -0,0 +1,12 @@
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = root
password = {{ mariadb_root_pass }}
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = root
password = {{ mariadb_root_pass }}
socket = /var/run/mysqld/mysqld.sock
basedir = /usr

3
roles/mariadb/templates/dot.my.cnf.j2 Normal file
View File

@@ -0,0 +1,3 @@
[client]
user = root
password = {{ mariadb_root_pass }}

4
roles/nginx/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
- name: restart nginx
service:
name: nginx
state: restarted

46
roles/nginx/tasks/main.yml Normal file
View File

@@ -0,0 +1,46 @@
- name: install nginx package
package:
name: nginx-full
state: present
- name: create dhparam
shell: /usr/bin/openssl dhparam -out /etc/nginx/dhparam.pem 2048
args:
creates: /etc/nginx/dhparam.pem
- name: service nginx
service:
name: nginx
enabled: True
state: started
- name: put configuration files
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
notify:
- restart nginx
loop:
- { src: nginx.conf.j2, dest: /etc/nginx/nginx.conf }
- { src: nginx.ssl.conf.j2, dest: /etc/nginx/nginx.ssl.conf }
- { src: fastcgi_params.j2, dest: /etc/nginx/fastcgi_params }
- { src: proxy_params.j2, dest: /etc/nginx/proxy_params }
- { src: default.j2, dest: /etc/nginx/sites-available/default }
- name: create base dir
file:
path: /srv/http
owner: root
group: www-data
mode: 'u+rwx,g+rs,o-rwx'
state: directory
- name: create letsencrypt dir
file:
path: /srv/http/common/letsencrypt
owner: root
group: www-data
mode: 'u+rwx,g+rs,o-rwx'
state: directory
- include_tasks: vhosts.yml

18
roles/nginx/tasks/vhosts.yml Normal file
View File

@@ -0,0 +1,18 @@
- name: symlink vhosts
file:
src: "/etc/nginx/sites-available/{{ item }}.conf"
dest: "/etc/nginx/sites-enabled/{{ item }}.conf"
force: True
follow: False
state: link
notify:
- restart nginx
loop: "{{ web_hostname }}"
- name: install vhosts
template:
src: "vhosts/{{ item }}.conf.j2"
dest: "/etc/nginx/sites-available/{{ item }}.conf"
notify:
- restart nginx
loop: "{{ web_hostname }}"

25
roles/nginx/templates/default.j2 Normal file
View File

@@ -0,0 +1,25 @@
server {
listen *:80;
listen [::]:80;
server_name localhost;
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
}
server {
listen *:80 default_server;
listen [::]:80 default_server;
location /.well-known/acme-challenge {
root /srv/http/common/letsencrypt/;
}
location / {
return 301 https://$host$request_uri;
}
}

31
roles/nginx/templates/fastcgi_params.j2 Normal file
View File

@@ -0,0 +1,31 @@
##########
# THIS FILE IS MANAGED BY ANSIBLE
# ANY MODIFICATION IS LIKELY TO BE ERASED
##########
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS $https;
# PHP only
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param REDIRECT_STATUS 200;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;

8
roles/nginx/templates/header.conf.j2 Normal file
View File

@@ -0,0 +1,8 @@
listen *:443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/x509/{{ item }}/fullchain.cer;
ssl_certificate_key /etc/x509/{{ item }}/{{ item }}.key;
server_name {{ item }};
access_log /var/log/nginx/{{ item }}.access.log combined_port;
error_log /var/log/nginx/{{ item }}.error.log;

67
roles/nginx/templates/nginx.conf.j2 Normal file
View File

@@ -0,0 +1,67 @@
##########
# THIS FILE IS MANAGED BY ANSIBLE
# ANY MODIFICATION IS LIKELY TO BE ERASED
##########
user www-data;
worker_processes 4;
pid /var/run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
log_format combined_port
'$remote_addr:$remote_port - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log combined_port;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
include nginx.ssl.conf;
##
# Virtual Host Configs
##
client_max_body_size 1G;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

26
roles/nginx/templates/nginx.ssl.conf.j2 Normal file
View File

@@ -0,0 +1,26 @@
##########
# THIS FILE IS MANAGED BY ANSIBLE
# ANY MODIFICATION IS LIKELY TO BE ERASED
##########
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/dhparam.pem;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

9
roles/nginx/templates/proxy_params.j2 Normal file
View File

@@ -0,0 +1,9 @@
##########
# THIS FILE IS HANDLED BY ANSIBLE
# ANY MODIFICATION IS LIKELY TO BE ERASED
##########
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header Strict-Transport-Security;

33
roles/nginx/templates/vhosts/analyse.nintendojo.fr.conf.j2 Normal file
View File

@@ -0,0 +1,33 @@
server {
{% include './templates/header.conf.j2' %}
root /srv/http/analyse.nintendojo.fr/;
index index.html index.htm index.php;
location ~ ^/(status|ping|apc_info.php)$ {
access_log off;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires 2w;
log_not_found off;
}
location ~ \.htaccess$ {
deny all;
}
location ~ ^/tmp {
deny all;
}
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
include fastcgi_params;
}
}

40
roles/nginx/templates/vhosts/blog.libertus.eu.conf.j2 Normal file
View File

@@ -0,0 +1,40 @@
server {
{% include './templates/header.conf.j2' %}
root /srv/http/blog.libertus.eu/;
index index.html index.htm index.php;
## Optimisation des images
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires 2w;
log_not_found off;
}
## blocage équivalent HTTPS
location ~ (\.htaccess|\.inc)$ {
deny all;
}
location ~ ^/(inc|plugins|db|cache)/ {
deny all;
}
## Inter PHP en path_info
location ~ ^/(index).php(/.*)+ {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
include fastcgi_params;
}
## Inter PHP brute
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
include fastcgi_params;
}
## redirection des zolies URLs vers index.php
location / {
try_files $uri $uri/ /index.php$uri?$args;
}
}

8
roles/nginx/templates/vhosts/bt.mateu.be.conf.j2 Normal file
View File

@@ -0,0 +1,8 @@
server {
{% include './templates/header.conf.j2' %}
location / {
proxy_pass http://127.0.0.1:9091;
}
}

12
roles/nginx/templates/vhosts/btf.mateu.be.conf.j2 Normal file
View File

@@ -0,0 +1,12 @@
server {
{% include './templates/header.conf.j2' %}
location / {
root /var/lib/transmission-daemon/downloads/;
autoindex on;
allow 2a01:cb0c:8516:7f00::/64;
allow 83.167.52.81;
allow 2001:1b48:2:103::/64;
allow 2001:bc8:26c1:101::/64;
deny all;
}
}

22
roles/nginx/templates/vhosts/coince.mateu.be.conf.j2 Normal file
View File

@@ -0,0 +1,22 @@
server {
{% include './templates/header.conf.j2' %}
root /srv/http/coince.mateu.be/;
index index.htm index.html index.php;
allow 2001:bc8:26c1:101:0:0:0:0/64;
allow 2001:bc8:26c1:105:0:0:0:0/64;
allow 2001:1b48:2:103::6d:2;
allow 83.167.52.81;
deny all;
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
include fastcgi_params;
}
location /var {
deny all;
}
}

22
roles/nginx/templates/vhosts/fav.libertus.eu.conf.j2 Normal file
View File

@@ -0,0 +1,22 @@
## Shaarli
server {
{% include './templates/header.conf.j2' %}
root /srv/http/fav.libertus.eu/;
index index.html index.htm index.php;
location ^/(cache|data)/ {
deny all;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires 2w;
log_not_found off;
}
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
include fastcgi_params;
}
}

38
roles/nginx/templates/vhosts/forum.nintendojo.fr.conf.j2 Normal file
View File

@@ -0,0 +1,38 @@
server {
{% include './templates/header.conf.j2' %}
root /srv/http/forum.nintendojo.fr/;
index index.html index.htm index.php;
client_max_body_size 10M;
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires 2w;
log_not_found off;
}
location ~ \.htaccess$ {
deny all;
}
location ~ ^/(files|store|cache|images/avatars/upload)/ {
deny all;
}
location ~ ^/(config|common)\.php$ {
deny all;
}
location ~ /(app).php(/.*)+ {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
fastcgi_read_timeout 60;
include fastcgi_params;
}
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
include fastcgi_params;
}
}

0
roles/nginx/templates/vhosts/intendo.fr.conf.j2 Normal file
View File

61
roles/nginx/templates/vhosts/m.nintendojo.fr.conf.j2 Normal file
View File

@@ -0,0 +1,61 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
{% include './templates/header.conf.j2' %}
keepalive_timeout 70;
sendfile on;
client_max_body_size 0;
large_client_header_buffers 4 32k;
# Referrer-Policy, même si Chrome ne comprendra pas
add_header Referrer-Policy "same-origin";
location / {
try_files $uri @proxy;
}
location @proxy {
proxy_pass http://localhost:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Proxy "";
proxy_pass_header Server;
proxy_buffering off;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
tcp_nodelay on;
}
location /api/v1/streaming {
proxy_pass http://localhost:4000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Proxy "";
proxy_buffering off;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
tcp_nodelay on;
}
}

40
roles/nginx/templates/vhosts/mail.libertus.eu.conf.j2 Normal file
View File

@@ -0,0 +1,40 @@
server {
{% include './templates/header.conf.j2' %}
root /srv/http/mail.libertus.eu/;
index index.html index.htm index.php;
client_max_body_size 512M;
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires 2w;
log_not_found off;
}
## Dossiers et fichiers interdits d'accès
location ~ (README|INSTALL|LICENSE|SQL|bin|CHANGELOG|\.htaccess|\.inc)$ {
deny all;
}
location ~ ^/(config|logs|temp) {
deny all;
}
location ~ ^/program/js {
#autorise le dossier program/js
}
location ~ ^/program/.*\.gif$ {
#autorise les gifs du dossier program
}
location ~ ^/program {
deny all;
}
location = /favicon.ico {
rewrite ^(.*)$ skins/default/images/favicon.ico;
}
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
include fastcgi_params;
}
}

0
roles/nginx/templates/vhosts/nintendojo.fr.conf.j2 Normal file
View File

82
roles/nginx/templates/vhosts/o.libertus.eu.conf.j2 Normal file
View File

@@ -0,0 +1,82 @@
server {
{% include './templates/header.conf.j2' %}
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
fastcgi_hide_header X-Powered-By;
root /srv/http/o.libertus.eu/;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
client_max_body_size 1000M;
fastcgi_buffers 64 4k;
# Avoid E-Tag error on text file
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location / {
rewrite ^ /index.php$request_uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm-oc.sock;
include fastcgi_params;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
location ~* \.(?:css|js|woff|svg|gif)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
access_log off;
}
location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$request_uri;
access_log off;
}
}

0
roles/nginx/templates/vhosts/perso.libertus.eu.conf.j2 Normal file
View File

0
roles/nginx/templates/vhosts/perso.nintendojo.fr.conf.j2 Normal file
View File

25
roles/nginx/templates/vhosts/r.mateu.be.conf.j2 Normal file
View File

@@ -0,0 +1,25 @@
server {
listen *:443 ssl http2;
listen [::]:443 ssl http2;
server_name r.mateu.be perso.nintendojo.fr perso.libertus.eu;
access_log /var/log/nginx/r.mateu.be.access.log combined_port;
error_log /var/log/nginx/r.mateu.be.error.log;
ssl_certificate /etc/x509/r.mateu.be/fullchain.cer;
ssl_certificate_key /etc/x509/r.mateu.be/r.mateu.be.key;
root /srv/http/r.mateu.be/;
location / {
autoindex on;
}
location ~ ^/~mortal/(.*)$ {
return 301 https://r.mateu.be/$1;
}
location ~ ^/~clement\.veret/(.*)$ {
return 301 https://r.mateu.be/$1;
}
}

20
roles/nginx/templates/vhosts/rss.libertus.eu.conf.j2 Normal file
View File

@@ -0,0 +1,20 @@
server {
{% include './templates/header.conf.j2' %}
root /srv/http/rss.libertus.eu/;
index index.html index.htm index.php;
location ~ \.(js|css|png|jpg|jpeg|gif|svg|svgz)$ {
expires 2w;
log_not_found off;
}
location ~ /\.git {
deny all;
}
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
include fastcgi_params;
}
}

8
roles/nginx/templates/vhosts/sonarr.mateu.be.conf.j2 Normal file
View File

@@ -0,0 +1,8 @@
server {
{% include './templates/header.conf.j2' %}
location / {
proxy_pass http://localhost:8989;
}
}

14
roles/nginx/templates/vhosts/www.intendo.fr.conf.j2 Normal file
View File

@@ -0,0 +1,14 @@
server {
listen *:443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/x509/intendo.fr/fullchain.cer;
ssl_certificate_key /etc/x509/intendo.fr/intendo.fr.key;
server_name intendo.fr www.intendo.fr;
access_log /var/log/intendo.fr.access.log combined_port;
error_log /var/log/intendo.fr.error.log;
location / {
return 302 https://www.nintendojo.fr$request_uri;
}
}

83
roles/nginx/templates/vhosts/www.nintendojo.fr.conf.j2 Normal file
View File

@@ -0,0 +1,83 @@
## WP NintendojoFR
server {
listen *:443 ssl http2;
listen [::]:443 ssl http2;
server_name nintendojo.fr www.nintendojo.fr;
access_log /var/log/nginx/nintendojo.fr.access.log combined_port;
error_log /var/log/nginx/nintendojo.fr.error.log;
ssl_certificate /etc/x509/www.nintendojo.fr/fullchain.cer;
ssl_certificate_key /etc/x509/www.nintendojo.fr/www.nintendojo.fr.key;
root /srv/http/www.nintendojo.fr/;
index index.html index.htm index.php;
client_max_body_size 2G;
# couper les fichiers cachés
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# couper les fichiers textes du captcha
location ~* /wp-content/uploads/wpcf7_captcha/.*\.txt$ {
deny all;
}
# Images de la v6
location ~ ^/images/(.*)$ {
expires 2w;
alias /srv/http/archives.nintendojo.fr/v6/images/$1;
}
# Images de la v6.7
location ~ ^/public/(.*)$ {
expires 2w;
alias /srv/http/archives.nintendojo.fr/$1;
}
# Zolie tweet
location /tweet {
rewrite ^/tweet/([0-9]+)$ /index.php/tweet/?id=$1 last;
rewrite ^/tweet/embed/([0-9]+)$ /index.php/tweetembed/?id=$1 last;
return 403;
}
# Zolie wallpapers
location /wallpapers {
rewrite ^/wallpapers$ /index.php/wallpapers last;
rewrite ^/wallpapers/([0-9]+) /index.php/wallpapers/?id=$1 last;
location ~ ^/wallpapers/files(.*)(/.*\.jpg)$ {
expires 1w;
alias /srv/http/www.nintendojo.fr/wp-content/plugins/dojomurpapier/files$2;
}
}
# Optimisation des images
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires 1w;
log_not_found off;
}
# Interprétation PHP
location ~ ^/(index).php(/.*)+ {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_cache wpdojo;
fastcgi_cache_key $request_method$host$request_uri;
fastcgi_cache_valid any 15m;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
fastcgi_read_timeout 60;
include fastcgi_params;
}
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
fastcgi_read_timeout 60;
include fastcgi_params;
}
location / {
try_files $uri $uri/ /index.php$uri?$args;
}
}

1
roles/nut-client/files/nut.conf Normal file
View File

@@ -0,0 +1 @@
MODE=netclient

4
roles/nut-client/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
- name: restart nut-client
service:
name: nut-client
state: restarted

19
roles/nut-client/tasks/main.yml Normal file
View File

@@ -0,0 +1,19 @@
- name: install nut client
package:
name: nut-client
state: present
- name: upsmon.conf file
template:
src: upsmon.conf.j2
dest: /etc/nut/upsmon.conf
mode: '0640'
notify: restart nut-client
- name: nut.conf file
copy:
src: files/nut.conf
dest: /etc/nut/nut.conf
mode: '0640'
when: inventory_hostname not in groups['nut_server']
notify: restart nut-client

15
roles/nut-client/templates/upsmon.conf.j2 Normal file
View File

@@ -0,0 +1,15 @@
MONITOR eaton3s@{{ hostvars[groups['nut_server'][0]]['ansible_default_ipv4']['address'] }}:3493 1 {% if inventory_hostname in groups['nut_server'] %}monuser {{ nut_pass }} master{% else %}slaveuser {{ nut_pass }} slave{% endif %}
MINSUPPLIES 1
SHUTDOWNCMD "/sbin/shutdown -h +0"
POLLFREQ 5
POLLFREQALERT 5
HOSTSYNC 15
DEADTIME 15
POWERDOWNFLAG /etc/killpower
NOTIFYFLAG ONBATT SYSLOG+WALL
NOTIFYFLAG ONLINE SYSLOG+WALL
RBWARNTIME 43200
NOCOMMWARNTIME 300
FINALDELAY 5

2
roles/nut-server/files/90-nut-ups.rules Normal file
View File

@@ -0,0 +1,2 @@
ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="0463", ATTR{idProduct}=="ffff", MODE="0660", GROUP="nut"

1
roles/nut-server/files/nut.conf Normal file
View File

@@ -0,0 +1 @@
MODE=standalone

5
roles/nut-server/files/ups.conf Normal file
View File

@@ -0,0 +1,5 @@
maxretry = 3
[eaton3s]
driver=usbhid-ups
port=auto
default.battery.charge.low=10

1
roles/nut-server/files/upsd.conf Normal file
View File

@@ -0,0 +1 @@
LISTEN * 3493

12
roles/nut-server/handlers/main.yml Normal file
View File

@@ -0,0 +1,12 @@
- name: restart nut-server
service:
name: nut-server
state: restarted
- name: udev
command: "udevadm control --reload-rules && udevadm trigger"
- name: restart nut-driver
service:
name: nut-driver
state: restarted

40
roles/nut-server/tasks/main.yml Normal file
View File

@@ -0,0 +1,40 @@
- name: install nut server
package:
name: nut-server
state: present
- name: udev conf file for nut
copy:
src: files/90-nut-ups.rules
dest: /etc/udev/rules.d/90-nut-ups.rules
notify:
- udev
- restart nut-driver
- name: nut.conf file
copy:
src: files/nut.conf
dest: /etc/nut/nut.conf
mode: '0640'
notify: restart nut-server
- name: ups.conf file
copy:
src: files/ups.conf
dest: /etc/nut/ups.conf
mode: '0640'
notify: restart nut-server
- name: upsd.conf file
copy:
src: files/upsd.conf
dest: /etc/nut/upsd.conf
mode: '0640'
notify: restart nut-server
- name: upsd.users file
template:
src: upsd.users.j2
dest: /etc/nut/upsd.users
mode: '0640'
notify: restart nut-server

7
roles/nut-server/templates/upsd.users.j2 Normal file
View File

@@ -0,0 +1,7 @@
[monuser]
password={{ nut_pass }}
upsmon master
[slaveuser]
password={{ nut_pass }}
upsmon slave

1
roles/php/defaults/main.yml Normal file
View File

@@ -0,0 +1 @@
php_modules: "['opcache', 'mysql', 'mbstring', 'gd']"

1944
roles/php/files/php.ini Normal file
View File

File diff suppressed because it is too large Load Diff

430
roles/php/files/www.conf Normal file
View File

@@ -0,0 +1,430 @@
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[www]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = www-data
group = www-data
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php/php7.3-fpm.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = www-data
listen.group = www-data
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
; or group is differrent than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 100
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 10
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 10
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 30
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/7.3/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Decorate worker output with prefix and suffix containing information about
; the child that writes to the log and if stdout or stderr is used as well as
; log level and time. This options is used only if catch_workers_output is yes.
; Settings to "no" will output data as written to the stdout or stderr.
; Default value: yes
;decorate_workers_output = no
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

4
roles/php/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
- name: restart php-fpm
service:
name: "php{{ php_version }}-fpm"
state: restarted

27
roles/php/tasks/main.yml Normal file
View File

@@ -0,0 +1,27 @@
- name: install php-fpm
package:
name: php-fpm
state: present
- name: configure php-fpm
copy:
src: ./files/www.conf
dest: /etc/php/{{ php_version }}/fpm/pool.d/www.conf
notify:
- restart php-fpm
- name: configure php
copy:
src: ./files/php.ini
dest: /etc/php/{{ php_version }}/fpm/php.ini
notify:
- restart php-fpm
- name: install lib for php
package:
name: "php-{{ item }}"
state: present
loop: "{{ php_modules }}"
notify:
- restart php-fpm

1
roles/postgres/defaults/main.yml Normal file
View File

@@ -0,0 +1 @@
pg_version: "{% if ansible_facts['os_family'] == 'Debian' and ansible_facts['distribution_major_version'] == '9' %}9.6{% elif ansible_facts['os_family'] == 'Debian' and ansible_facts['distribution_major_version'] == '10' %}11{% endif %}"

99
roles/postgres/files/pg_hba.conf Normal file
View File

@@ -0,0 +1,99 @@
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the "Client Authentication" section in the PostgreSQL
# documentation for a complete description of this file. A short
# synopsis follows.
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
# local DATABASE USER METHOD [OPTIONS]
# host DATABASE USER ADDRESS METHOD [OPTIONS]
# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
#
# (The uppercase items must be replaced by actual values.)
#
# The first field is the connection type: "local" is a Unix-domain
# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
# plain TCP/IP socket.
#
# DATABASE can be "all", "sameuser", "samerole", "replication", a
# database name, or a comma-separated list thereof. The "all"
# keyword does not match "replication". Access to replication
# must be enabled in a separate record (see example below).
#
# USER can be "all", a user name, a group name prefixed with "+", or a
# comma-separated list thereof. In both the DATABASE and USER fields
# you can also write a file name prefixed with "@" to include names
# from a separate file.
#
# ADDRESS specifies the set of hosts the record matches. It can be a
# host name, or it is made up of an IP address and a CIDR mask that is
# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
# specifies the number of significant bits in the mask. A host name
# that starts with a dot (.) matches a suffix of the actual host name.
# Alternatively, you can write an IP address and netmask in separate
# columns to specify the set of hosts. Instead of a CIDR-address, you
# can write "samehost" to match any of the server's own IP addresses,
# or "samenet" to match any address in any subnet that the server is
# directly connected to.
#
# METHOD can be "trust", "reject", "md5", "password", "gss", "sspi",
# "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
# "password" sends passwords in clear text; "md5" is preferred since
# it sends encrypted passwords.
#
# OPTIONS are a set of options for the authentication in the format
# NAME=VALUE. The available options depend on the different
# authentication methods -- refer to the "Client Authentication"
# section in the documentation for a list of which options are
# available for which authentication methods.
#
# Database and user names containing spaces, commas, quotes and other
# special characters must be quoted. Quoting one of the keywords
# "all", "sameuser", "samerole" or "replication" makes the name lose
# its special character, and just match a database or username with
# that name.
#
# This file is read on server startup and when the postmaster receives
# a SIGHUP signal. If you edit the file on a running system, you have
# to SIGHUP the postmaster for the changes to take effect. You can
# use "pg_ctl reload" to do that.
# Put your actual configuration here
# ----------------------------------
#
# If you want to allow non-local connections, you need to add more
# "host" records. In that case you will also need to make PostgreSQL
# listen on a non-local interface via the listen_addresses
# configuration parameter, or via the -i or -h command line switches.
# DO NOT DISABLE!
# If you change this first entry you will need to make sure that the
# database superuser can access the database using some other method.
# Noninteractive access to all databases is required during automatic
# maintenance (custom daily cronjobs, replication, and similar tasks).
#
# Database administrative login by Unix domain socket
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all md5
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local replication postgres peer
#host replication postgres 127.0.0.1/32 md5
#host replication postgres ::1/128 md5

690
roles/postgres/files/postgresql.conf Normal file
View File

@@ -0,0 +1,690 @@
# -----------------------------
# PostgreSQL configuration file
# -----------------------------
#
# This file consists of lines of the form:
#
# name = value
#
# (The "=" is optional.) Whitespace may be used. Comments are introduced with
# "#" anywhere on a line. The complete list of parameter names and allowed
# values can be found in the PostgreSQL documentation.
#
# The commented-out settings shown in this file represent the default values.
# Re-commenting a setting is NOT sufficient to revert it to the default value;
# you need to reload the server.
#
# This file is read on server startup and when the server receives a SIGHUP
# signal. If you edit the file on a running system, you have to SIGHUP the
# server for the changes to take effect, run "pg_ctl reload", or execute
# "SELECT pg_reload_conf()". Some parameters, which are marked below,
# require a server shutdown and restart to take effect.
#
# Any parameter can also be given as a command-line option to the server, e.g.,
# "postgres -c log_connections=on". Some parameters can be changed at run time
# with the "SET" SQL command.
#
# Memory units: kB = kilobytes Time units: ms = milliseconds
# MB = megabytes s = seconds
# GB = gigabytes min = minutes
# TB = terabytes h = hours
# d = days
#------------------------------------------------------------------------------
# FILE LOCATIONS
#------------------------------------------------------------------------------
# The default values of these variables are driven from the -D command-line
# option or PGDATA environment variable, represented here as ConfigDir.
data_directory = '/srv/postgresql' # use data in another directory
# (change requires restart)
hba_file = '/etc/postgresql/11/main/pg_hba.conf' # host-based authentication file
# (change requires restart)
ident_file = '/etc/postgresql/11/main/pg_ident.conf' # ident configuration file
# (change requires restart)
# If external_pid_file is not explicitly set, no extra PID file is written.
external_pid_file = '/var/run/postgresql/11-main.pid' # write an extra PID file
# (change requires restart)
#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------
# - Connection Settings -
#listen_addresses = 'localhost' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost'; use '*' for all
# (change requires restart)
port = 5432 # (change requires restart)
max_connections = 100 # (change requires restart)
#superuser_reserved_connections = 3 # (change requires restart)
unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories
# (change requires restart)
#unix_socket_group = '' # (change requires restart)
#unix_socket_permissions = 0777 # begin with 0 to use octal notation
# (change requires restart)
#bonjour = off # advertise server via Bonjour
# (change requires restart)
#bonjour_name = '' # defaults to the computer name
# (change requires restart)
# - TCP Keepalives -
# see "man 7 tcp" for details
#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
# 0 selects the system default
#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
# 0 selects the system default
#tcp_keepalives_count = 0 # TCP_KEEPCNT;
# 0 selects the system default
# - Authentication -
#authentication_timeout = 1min # 1s-600s
#password_encryption = md5 # md5 or scram-sha-256
#db_user_namespace = off
# GSSAPI using Kerberos
#krb_server_keyfile = ''
#krb_caseins_users = off
# - SSL -
ssl = on
#ssl_ca_file = ''
ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
#ssl_crl_file = ''
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off
#------------------------------------------------------------------------------
# RESOURCE USAGE (except WAL)
#------------------------------------------------------------------------------
# - Memory -
shared_buffers = 128MB # min 128kB
# (change requires restart)
#huge_pages = try # on, off, or try
# (change requires restart)
#temp_buffers = 8MB # min 800kB
#max_prepared_transactions = 0 # zero disables the feature
# (change requires restart)
# Caution: it is not advisable to set max_prepared_transactions nonzero unless
# you actively intend to use prepared transactions.
#work_mem = 4MB # min 64kB
#maintenance_work_mem = 64MB # min 1MB
#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem
#max_stack_depth = 2MB # min 100kB
dynamic_shared_memory_type = posix # the default is the first option
# supported by the operating system:
# posix
# sysv
# windows
# mmap
# use none to disable dynamic shared memory
# (change requires restart)
# - Disk -
#temp_file_limit = -1 # limits per-process temp file space
# in kB, or -1 for no limit
# - Kernel Resources -
#max_files_per_process = 1000 # min 25
# (change requires restart)
# - Cost-Based Vacuum Delay -
#vacuum_cost_delay = 0 # 0-100 milliseconds
#vacuum_cost_page_hit = 1 # 0-10000 credits
#vacuum_cost_page_miss = 10 # 0-10000 credits
#vacuum_cost_page_dirty = 20 # 0-10000 credits
#vacuum_cost_limit = 200 # 1-10000 credits
# - Background Writer -
#bgwriter_delay = 200ms # 10-10000ms between rounds
#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables
#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round
#bgwriter_flush_after = 512kB # measured in pages, 0 disables
# - Asynchronous Behavior -
#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching
#max_worker_processes = 8 # (change requires restart)
#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers
#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers
#parallel_leader_participation = on
#max_parallel_workers = 8 # maximum number of max_worker_processes that
# can be used in parallel operations
#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate
# (change requires restart)
#backend_flush_after = 0 # measured in pages, 0 disables
#------------------------------------------------------------------------------
# WRITE-AHEAD LOG
#------------------------------------------------------------------------------
# - Settings -
#wal_level = replica # minimal, replica, or logical
# (change requires restart)
#fsync = on # flush data to disk for crash safety
# (turning this off can cause
# unrecoverable data corruption)
#synchronous_commit = on # synchronization level;
# off, local, remote_write, remote_apply, or on
#wal_sync_method = fsync # the default is the first option
# supported by the operating system:
# open_datasync
# fdatasync (default on Linux)
# fsync
# fsync_writethrough
# open_sync
#full_page_writes = on # recover from partial page writes
#wal_compression = off # enable compression of full-page writes
#wal_log_hints = off # also do full page writes of non-critical updates
# (change requires restart)
#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
# (change requires restart)
#wal_writer_delay = 200ms # 1-10000 milliseconds
#wal_writer_flush_after = 1MB # measured in pages, 0 disables
#commit_delay = 0 # range 0-100000, in microseconds
#commit_siblings = 5 # range 1-1000
# - Checkpoints -
#checkpoint_timeout = 5min # range 30s-1d
max_wal_size = 1GB
min_wal_size = 80MB
#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0
#checkpoint_flush_after = 256kB # measured in pages, 0 disables
#checkpoint_warning = 30s # 0 disables
# - Archiving -
#archive_mode = off # enables archiving; off, on, or always
# (change requires restart)
#archive_command = '' # command to use to archive a logfile segment
# placeholders: %p = path of file to archive
# %f = file name only
# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
#archive_timeout = 0 # force a logfile segment switch after this
# number of seconds; 0 disables
#------------------------------------------------------------------------------
# REPLICATION
#------------------------------------------------------------------------------
# - Sending Servers -
# Set these on the master and on any standby that will send replication data.
#max_wal_senders = 10 # max number of walsender processes
# (change requires restart)
#wal_keep_segments = 0 # in logfile segments; 0 disables
#wal_sender_timeout = 60s # in milliseconds; 0 disables
#max_replication_slots = 10 # max number of replication slots
# (change requires restart)
#track_commit_timestamp = off # collect timestamp of transaction commit
# (change requires restart)
# - Master Server -
# These settings are ignored on a standby server.
#synchronous_standby_names = '' # standby servers that provide sync rep
# method to choose sync standbys, number of sync standbys,
# and comma-separated list of application_name
# from standby(s); '*' = all
#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
# - Standby Servers -
# These settings are ignored on a master server.
#hot_standby = on # "off" disallows queries during recovery
# (change requires restart)
#max_standby_archive_delay = 30s # max delay before canceling queries
# when reading WAL from archive;
# -1 allows indefinite delay
#max_standby_streaming_delay = 30s # max delay before canceling queries
# when reading streaming WAL;
# -1 allows indefinite delay
#wal_receiver_status_interval = 10s # send replies at least this often
# 0 disables
#hot_standby_feedback = off # send info from standby to prevent
# query conflicts
#wal_receiver_timeout = 60s # time that receiver waits for
# communication from master
# in milliseconds; 0 disables
#wal_retrieve_retry_interval = 5s # time to wait before retrying to
# retrieve WAL after a failed attempt
# - Subscribers -
# These settings are ignored on a publisher.
#max_logical_replication_workers = 4 # taken from max_worker_processes
# (change requires restart)
#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers
#------------------------------------------------------------------------------
# QUERY TUNING
#------------------------------------------------------------------------------
# - Planner Method Configuration -
#enable_bitmapscan = on
#enable_hashagg = on
#enable_hashjoin = on
#enable_indexscan = on
#enable_indexonlyscan = on
#enable_material = on
#enable_mergejoin = on
#enable_nestloop = on
#enable_parallel_append = on
#enable_seqscan = on
#enable_sort = on
#enable_tidscan = on
#enable_partitionwise_join = off
#enable_partitionwise_aggregate = off
#enable_parallel_hash = on
#enable_partition_pruning = on
# - Planner Cost Constants -
#seq_page_cost = 1.0 # measured on an arbitrary scale
#random_page_cost = 4.0 # same scale as above
#cpu_tuple_cost = 0.01 # same scale as above
#cpu_index_tuple_cost = 0.005 # same scale as above
#cpu_operator_cost = 0.0025 # same scale as above
#parallel_tuple_cost = 0.1 # same scale as above
#parallel_setup_cost = 1000.0 # same scale as above
#jit_above_cost = 100000 # perform JIT compilation if available
# and query more expensive than this;
# -1 disables
#jit_inline_above_cost = 500000 # inline small functions if query is
# more expensive than this; -1 disables
#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if
# query is more expensive than this;
# -1 disables
#min_parallel_table_scan_size = 8MB
#min_parallel_index_scan_size = 512kB
#effective_cache_size = 4GB
# - Genetic Query Optimizer -
#geqo = on
#geqo_threshold = 12
#geqo_effort = 5 # range 1-10
#geqo_pool_size = 0 # selects default based on effort
#geqo_generations = 0 # selects default based on effort
#geqo_selection_bias = 2.0 # range 1.5-2.0
#geqo_seed = 0.0 # range 0.0-1.0
# - Other Planner Options -
#default_statistics_target = 100 # range 1-10000
#constraint_exclusion = partition # on, off, or partition
#cursor_tuple_fraction = 0.1 # range 0.0-1.0
#from_collapse_limit = 8
#join_collapse_limit = 8 # 1 disables collapsing of explicit
# JOIN clauses
#force_parallel_mode = off
#jit = off # allow JIT compilation
#------------------------------------------------------------------------------
# REPORTING AND LOGGING
#------------------------------------------------------------------------------
# - Where to Log -
#log_destination = 'stderr' # Valid values are combinations of
# stderr, csvlog, syslog, and eventlog,
# depending on platform. csvlog
# requires logging_collector to be on.
# This is used when logging to stderr:
#logging_collector = off # Enable capturing of stderr and csvlog
# into log files. Required to be on for
# csvlogs.
# (change requires restart)
# These are only used if logging_collector is on:
#log_directory = 'log' # directory where log files are written,
# can be absolute or relative to PGDATA
#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern,
# can include strftime() escapes
#log_file_mode = 0600 # creation mode for log files,
# begin with 0 to use octal notation
#log_truncate_on_rotation = off # If on, an existing log file with the
# same name as the new log file will be
# truncated rather than appended to.
# But such truncation only occurs on
# time-driven rotation, not on restarts
# or size-driven rotation. Default is
# off, meaning append to existing files
# in all cases.
#log_rotation_age = 1d # Automatic rotation of logfiles will
# happen after that time. 0 disables.
#log_rotation_size = 10MB # Automatic rotation of logfiles will
# happen after that much log output.
# 0 disables.
# These are relevant when logging to syslog:
#syslog_facility = 'LOCAL0'
#syslog_ident = 'postgres'
#syslog_sequence_numbers = on
#syslog_split_messages = on
# This is only relevant when logging to eventlog (win32):
# (change requires restart)
#event_source = 'PostgreSQL'
# - When to Log -
#log_min_messages = warning # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic
#log_min_error_statement = error # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic (effectively off)
#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements
# and their durations, > 0 logs only
# statements running at least this number
# of milliseconds
# - What to Log -
#debug_print_parse = off
#debug_print_rewritten = off
#debug_print_plan = off
#debug_pretty_print = on
#log_checkpoints = off
#log_connections = off
#log_disconnections = off
#log_duration = off
#log_error_verbosity = default # terse, default, or verbose messages
#log_hostname = off
log_line_prefix = '%m [%p] %q%u@%d ' # special values:
# %a = application name
# %u = user name
# %d = database name
# %r = remote host and port
# %h = remote host
# %p = process ID
# %t = timestamp without milliseconds
# %m = timestamp with milliseconds
# %n = timestamp with milliseconds (as a Unix epoch)
# %i = command tag
# %e = SQL state
# %c = session ID
# %l = session line number
# %s = session start timestamp
# %v = virtual transaction ID
# %x = transaction ID (0 if none)
# %q = stop here in non-session
# processes
# %% = '%'
# e.g. '<%u%%%d> '
#log_lock_waits = off # log lock waits >= deadlock_timeout
#log_statement = 'none' # none, ddl, mod, all
#log_replication_commands = off
#log_temp_files = -1 # log temporary files equal or larger
# than the specified size in kilobytes;
# -1 disables, 0 logs all temp files
log_timezone = 'Europe/Paris'
#------------------------------------------------------------------------------
# PROCESS TITLE
#------------------------------------------------------------------------------
cluster_name = '11/main' # added to process titles if nonempty
# (change requires restart)
#update_process_title = on
#------------------------------------------------------------------------------
# STATISTICS
#------------------------------------------------------------------------------
# - Query and Index Statistics Collector -
#track_activities = on
#track_counts = on
#track_io_timing = off
#track_functions = none # none, pl, all
#track_activity_query_size = 1024 # (change requires restart)
stats_temp_directory = '/var/run/postgresql/11-main.pg_stat_tmp'
# - Monitoring -
#log_parser_stats = off
#log_planner_stats = off
#log_executor_stats = off
#log_statement_stats = off
#------------------------------------------------------------------------------
# AUTOVACUUM
#------------------------------------------------------------------------------
#autovacuum = on # Enable autovacuum subprocess? 'on'
# requires track_counts to also be on.
#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
# their durations, > 0 logs only
# actions running at least this number
# of milliseconds.
#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
# (change requires restart)
#autovacuum_naptime = 1min # time between autovacuum runs
#autovacuum_vacuum_threshold = 50 # min number of row updates before
# vacuum
#autovacuum_analyze_threshold = 50 # min number of row updates before
# analyze
#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
# (change requires restart)
#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age
# before forced vacuum
# (change requires restart)
#autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for
# autovacuum, in milliseconds;
# -1 means use vacuum_cost_delay
#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
# autovacuum, -1 means use
# vacuum_cost_limit
#------------------------------------------------------------------------------
# CLIENT CONNECTION DEFAULTS
#------------------------------------------------------------------------------
# - Statement Behavior -
#client_min_messages = notice # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# log
# notice
# warning
# error
#search_path = '"$user", public' # schema names
#row_security = on
#default_tablespace = '' # a tablespace name, '' uses the default
#temp_tablespaces = '' # a list of tablespace names, '' uses
# only default tablespace
#check_function_bodies = on
#default_transaction_isolation = 'read committed'
#default_transaction_read_only = off
#default_transaction_deferrable = off
#session_replication_role = 'origin'
#statement_timeout = 0 # in milliseconds, 0 is disabled
#lock_timeout = 0 # in milliseconds, 0 is disabled
#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled
#vacuum_freeze_min_age = 50000000
#vacuum_freeze_table_age = 150000000
#vacuum_multixact_freeze_min_age = 5000000
#vacuum_multixact_freeze_table_age = 150000000
#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples
# before index cleanup, 0 always performs
# index cleanup
#bytea_output = 'hex' # hex, escape
#xmlbinary = 'base64'
#xmloption = 'content'
#gin_fuzzy_search_limit = 0
#gin_pending_list_limit = 4MB
# - Locale and Formatting -
datestyle = 'iso, dmy'
#intervalstyle = 'postgres'
timezone = 'Europe/Paris'
#timezone_abbreviations = 'Default' # Select the set of available time zone
# abbreviations. Currently, there are
# Default
# Australia (historical usage)
# India
# You can create your own file in
# share/timezonesets/.
#extra_float_digits = 0 # min -15, max 3
#client_encoding = sql_ascii # actually, defaults to database
# encoding
# These settings are initialized by initdb, but they can be changed.
lc_messages = 'fr_FR.UTF-8' # locale for system error message
# strings
lc_monetary = 'fr_FR.UTF-8' # locale for monetary formatting
lc_numeric = 'fr_FR.UTF-8' # locale for number formatting
lc_time = 'fr_FR.UTF-8' # locale for time formatting
# default configuration for text search
default_text_search_config = 'pg_catalog.french'
# - Shared Library Preloading -
#shared_preload_libraries = '' # (change requires restart)
#local_preload_libraries = ''
#session_preload_libraries = ''
#jit_provider = 'llvmjit' # JIT library to use
# - Other Defaults -
#dynamic_library_path = '$libdir'
#------------------------------------------------------------------------------
# LOCK MANAGEMENT
#------------------------------------------------------------------------------
#deadlock_timeout = 1s
#max_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_relation = -2 # negative values mean
# (max_pred_locks_per_transaction
# / -max_pred_locks_per_relation) - 1
#max_pred_locks_per_page = 2 # min 0
#------------------------------------------------------------------------------
# VERSION AND PLATFORM COMPATIBILITY
#------------------------------------------------------------------------------
# - Previous PostgreSQL Versions -
#array_nulls = on
#backslash_quote = safe_encoding # on, off, or safe_encoding
#default_with_oids = off
#escape_string_warning = on
#lo_compat_privileges = off
#operator_precedence_warning = off
#quote_all_identifiers = off
#standard_conforming_strings = on
#synchronize_seqscans = on
# - Other Platforms and Clients -
#transform_null_equals = off
#------------------------------------------------------------------------------
# ERROR HANDLING
#------------------------------------------------------------------------------
#exit_on_error = off # terminate session on any error?
#restart_after_crash = on # reinitialize after backend crash?
#data_sync_retry = off # retry or panic on failure to fsync
# data?
# (change requires restart)
#------------------------------------------------------------------------------
# CONFIG FILE INCLUDES
#------------------------------------------------------------------------------
# These options allow settings to be loaded from files other than the
# default postgresql.conf.
include_dir = 'conf.d' # include files ending in '.conf' from
# a directory, e.g., 'conf.d'
#include_if_exists = '' # include file only if it exists
#include = '' # include file
#------------------------------------------------------------------------------
# CUSTOMIZED OPTIONS
#------------------------------------------------------------------------------
# Add settings for extensions here

4
roles/postgres/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
- name: restart postgres
service:
name: "postgresql@{{ pg_version }}-main"
state: restarted

46
roles/postgres/tasks/main.yml Normal file
View File

@@ -0,0 +1,46 @@
- name: install postgresql
package:
name: postgresql
state: present
- name: create pgsql directory
file:
path: /srv/postgresql
owner: postgres
group: postgres
state: directory
- name: populate postgresql directory
command: "/usr/lib/postgresql/{{ pg_version }}/bin/initdb -E UTF-8 /srv/postgresql/"
become: yes
become_user: postgres
args:
creates: /srv/postgresql/PG_VERSION
notify: restart postgres
- name: replace main conffile
copy:
src: files/postgresql.conf
dest: "/etc/postgresql/{{ pg_version }}/main/postgresql.conf"
notify: restart postgres
- name: replace pg_hba file
copy:
src: files/pg_hba.conf
dest: "/etc/postgresql/{{ pg_version }}/main/pg_hba.conf"
notify: restart postgres
- name: create backup dir
file:
path: /srv/backup/pgsql
owner: postgres
group: postgres
state: directory
- name: backup pg databases
cron:
user: postgres
minute: "0"
hour: "4"
name: PG Backup
job: "/usr/bin/pg_dumpall | gzip -c > /srv/backup/pgsql/all.dbs.gz"

1
roles/system/files/5-install Normal file
View File

@@ -0,0 +1 @@
dist-upgrade -y -o APT::Get::Show-Upgraded=true -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold

19
roles/system/files/dotbashrc Normal file
View File

@@ -0,0 +1,19 @@
# ~/.bashrc: executed by bash(1) for non-login shells.
# Note: PS1 and umask are already set in /etc/profile. You should not
# need this unless you want different defaults for root.
# PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
# umask 022
# You may uncomment the following lines if you want `ls' to be colorized:
export LS_OPTIONS='--color=auto'
eval "`dircolors`"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -l'
alias l='ls $LS_OPTIONS -lA'
#
# Some more alias to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
. "/etc/x509/acme.sh.env"

1
roles/system/files/ssh/home.id_rsa.pub Normal file
View File

@@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc1pahc4fTbyave6S4Y5co9yYKelnUbHjhHkA2yiHdgauwwvcMqHu+JbHSJyXjkyhDlVA0gXexa/rDE9XJyVw5KGKsz5l05K21YhiDC0btYyA1RBju3b6lEdl43MasWDhZPB+HU06jUTgGXqobfjiPkGy9CEhPSzNZd7fDy60BwqS7KNLE3PWQ46j3HTDmw6yJUGBmICIhu8wSmJ5qcnzAAF5tnBGAENBMuRrkhOFts/FPBnn6sUmXOO4X3DecTRPE8Fwchn+RlVHc/tKt+hUtak4enVIKfNsRRTAR1yZKwBJkqrpDI509tZRmvcmawP9/p25yAUD2PBi2Ft+nlqxz

1
roles/system/files/ssh/work.id_rsa.pub Normal file
View File

@@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzxdkNy1r7j79Lv9OdKHvpNr1LmHOz6np0w8JGH63kH/1y330aRu4p90mf4QZrnPsUx1nYUKWgaR5XNka3OOgh9/r8bskymteIPnx88oSG+c8bEowwNbevA8JURRh7FG/jWuclyngQW0nuplZgaCB6GuA68nYQSnFTw1xHg7Qbx7wukrsZz0dIDOTFUIcNRBabzjchP8vyDDB1jPw5ghK7VxTDSx8I6H+BhJydsCz1TJqvWvc8Z3X9yH5/OXp26rpSFkhCyDxV//9XXZvCsqjmz3KRvN0IwLMgQZZkDyDORunEg+OpSES++n0FN85tyf1BT6y8P5CcrJWMnS3fMJib

1117
roles/system/files/vim/colors/solarized.vim Normal file
View File

File diff suppressed because it is too large Load Diff

12
roles/system/files/vim/vimrc Normal file
View File

@@ -0,0 +1,12 @@
set nocompatible
set paste
set smartindent
set noexpandtab
set tabstop=4
set shiftwidth=4
set softtabstop=-1
syntax on
set background=dark
set list listchars=tab:»\ ,extends:,precedes:,nbsp,trail
colorscheme solarized
filetype plugin indent on

4
roles/system/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
- name: restart sshd
service:
name: sshd
state: restarted

4
roles/system/tasks/apt-transport-https.yml Normal file
View File

@@ -0,0 +1,4 @@
- name: install https transport for apt
package:
name: apt-transport-https
state: present

5
roles/system/tasks/aptitude.yml Normal file
View File

@@ -0,0 +1,5 @@
- name: install aptitude
package:
name: aptitude
state: present
when: ansible_facts['os_family'] == 'Debian'

6
roles/system/tasks/bashrc.yml Normal file
View File

@@ -0,0 +1,6 @@
- name: copy basic bashrc files
copy:
src: files/dotbashrc
dest: /root/.bashrc
owner: root
group: root

10
roles/system/tasks/cron-apt.yml Normal file
View File

@@ -0,0 +1,10 @@
- name: install cron-apt
package:
name: cron-apt
state: present
- name: default configuration file
copy:
src: files/5-install
dest: /etc/cron-apt/action.d/5-install

4
roles/system/tasks/cron.yml Normal file
View File

@@ -0,0 +1,4 @@
- name: install cron
package:
name: cron
state: present

4
roles/system/tasks/curl.yml Normal file
View File

@@ -0,0 +1,4 @@
- name: install curl
package:
name: curl
state: present

4
roles/system/tasks/gpg.yml Normal file
View File

@@ -0,0 +1,4 @@
- name: install gpg package
package:
name: gpg
state: present

22
roles/system/tasks/locales.yml Normal file
View File

@@ -0,0 +1,22 @@
- name: Set default locale to fr_FR.UTF-8
debconf:
name: locales
question: locales/default_environment_locale
value: fr_FR.UTF-8
vtype: select
- name: set to generate locales fr_FR/en_US
debconf:
name: locales
question: locales/locales_to_be_generated
value: en_US.UTF-8 UTF-8, fr_FR.UTF-8 UTF-8
vtype: multiselect
- name: delete original locale.gen
file:
path: /etc/locale.gen
state: absent
when: ansible_facts['env']['LANG'] != 'fr_FR.UTF-8'
- name: update original locale.gen
command: dpkg-reconfigure -f noninteractive locales
when: ansible_facts['env']['LANG'] != 'fr_FR.UTF-8'

4
roles/system/tasks/localtime.yml Normal file
View File

@@ -0,0 +1,4 @@
- file:
src: /usr/share/zoneinfo/Europe/Paris
dest: /etc/localtime
state: link

14
roles/system/tasks/main.yml Normal file
View File

@@ -0,0 +1,14 @@
- include_tasks: aptitude.yml
- include_tasks: localtime.yml
- include_tasks: locales.yml
- include_tasks: ping.yml
- include_tasks: telnet.yml
- include_tasks: bashrc.yml
- include_tasks: vimrc.yml
- include_tasks: sshd.yml
- include_tasks: curl.yml
- include_tasks: wget.yml
- include_tasks: cron.yml
- include_tasks: apt-transport-https.yml
- include_tasks: gpg.yml
- include_tasks: cron-apt.yml

4
roles/system/tasks/ping.yml Normal file
View File

@@ -0,0 +1,4 @@
- name: install ping utility
package:
name: iputils-ping
state: present

Some files were not shown because too many files have changed in this diff Show More