🚨: fix ansible-lint

inventory/host_vars/bt.yml

@@ -6,6 +6,7 @@ web_hostname:
   - host: btf.mateu.be
     allowlistv4:
       - 88.175.123.77/32
+      - 109.9.84.47/32
     allowlistv6:
       - 2a01:e0a:9bd:2811::/64
       - 2a01:e0a:9bd:2810::/64
@@ -15,6 +16,7 @@ web_hostname:
       - 2001:910:13c8::/48
       - 2a01:e0a:bde:d350::/64
       - 2a01:cb00:f55:2d00::/64
+      - 2a01:cb00:89e3:2c00::/64
 nginx_extra_mods:
   - fancyindex
 

inventory/host_vars/dc1.yml

@@ -0,0 +1,4 @@
+---
+web_hostname:
+  - host: kck.test.mateu.be
+  - host: vlt.test.mateu.be

inventory/host_vars/web1.yml

@@ -13,11 +13,10 @@ web_hostname:
     type: bac
   - host: mail.libertus.eu
     type: roundcube
-  - host: perso.nintendojo.fr
-    acme_unmanaged: true
-  - host: perso.libertus.eu
-    acme_unmanaged: true
   - host: r.mateu.be
+    san:
+      - perso.libertus.eu
+      - perso.nintendojo.fr
   - host: ff.libertus.eu
     type: firefly3
   - host: koi.libertus.eu

inventory/host_vars/web2.yml

@@ -2,15 +2,16 @@
 php_modules: ['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'xml', 'bcmath', 'curl', 'imagick']
 
 web_hostname:
-  - host: nintendojo.fr
-    acme_unmanaged: true
   - host: www.nintendojo.fr
+    type: wordpress
+    san:
+      - nintendojo.fr
   - host: forum.nintendojo.fr
     type: phpbb
-  - host: nintendojofr.com
-    acme_unmanaged: true
   - host: www.nintendojofr.com
     type: retrodojo
+    san:
+      - nintendojofr.com
   - host: forum.nintendojofr.com
 
 mariadb_root_pass: !vault |
@@ -50,12 +51,3 @@ retrodojo_maria_password: !vault |
         65386530353032336161353330313863623231646632643861666562353764373066663337353063
         6364633734323732390a363539333537396164633965346637313532666366336362346663326661
         6663
-
-webapps_htpasswd_editeurs: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          63663638356139373663646639633762393761333536393331363066353039393266306638326336
-          3235353238666261373032363633626333646662343461330a393534633530353330323637386239
-          63336532646235663732623561333963643436353165633165663430313132626561363361333736
-          6662313535333063390a386532313335663836393562656564306633303933633234393139316131
-          61376332373961303961303963656565633639333130346565386361313338346235623434616239
-          6637613630333963363963646465633939663863356633373264

inventory/host_vars/web3.yml

@@ -0,0 +1,24 @@
+---
+php_modules: ['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'xml', 'bcmath', 'curl', 'imagick']
+
+web_hostname:
+  - host: wwwdev.nintendojo.fr
+    type: wordpress
+
+mariadb_root_pass: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          65373663323065306532306235313032383331353337396131383766323535633831383062393632
+          3438613735613365333264356465336162346263666236300a306234336566303863346539343531
+          37313932653964366233393038306235353134356230653336306232373430386662306634616431
+          6332333837663064340a643535386465626636343436303263666333383461383730396135396666
+          3539
+
+wordpress_maria_database: "dojo_wpdev"
+wordpress_maria_user: "adm_wpdev"
+wordpress_maria_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          66613837353166633536656166383232646232303535643931313531636230353265633638626231
+          6231323738656466333164326238666166383931633133380a633764366462323261376632666565
+          63646365636133363338383233653930663139343238313131313365646663393761656361333332
+          6634333736356438390a316237373836373132666334306661363863383665663139623935646437
+          6331

playbooks/docker.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Install docker
+  hosts: dockerservers
+  roles:
+    - docker

playbooks/gitea.yml

@@ -10,5 +10,4 @@
   hosts: actrunnerservers
   diff: true
   roles:
-    - docker
     - act_runner

playbooks/site.yml

@@ -54,6 +54,8 @@
   import_playbook: peertube.yml
 - name: Run elasticsearch playbook
   import_playbook: elasticsearch.yml
+- name: Run docker playbook
+  import_playbook: docker.yml
 - name: Run gitea playbook
   import_playbook: gitea.yml
 - name: Run vaultwarden playbook

playbooks/webapps.yml

@@ -29,3 +29,10 @@
       tags: [never, phpbb]
     - role: retrodojo
       tags: [never, retrodojo]
+
+- name: Install dojo webapplications
+  hosts: web3
+  diff: true
+  roles:
+    - role: wordpress
+      tags: [never, wordpress]

roles/act_runner/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 
-act_runner_version: "0.2.11"
+act_runner_version: "0.2.12"
 act_runner_url: "https://gitea.com/gitea/act_runner/releases/download/v{{ act_runner_version }}/act_runner-{{ act_runner_version }}-linux-amd64"
 act_runner_home: "/var/lib/act_runner"
 act_runner_bin: "/usr/local/bin/act_runner"

roles/firefly3/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 
-firefly3_version: "6.2.10"
+firefly3_version: "6.2.21"
 firefly3_url: "https://github.com/firefly-iii/firefly-iii/releases/download/v{{ firefly3_version }}/FireflyIII-v{{ firefly3_version }}.tar.gz"
 
 firefly3_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'firefly3') | map(attribute='host') | first }}"

roles/firewall/templates/firewall.j2

@@ -512,6 +512,38 @@ config rule
 	option target 'ACCEPT'
 	option family 'ipv4'
 
+# Allow Home Assitant to OpenEVSE
+config rule
+	option name 'Allow-FORWARD-Home-Assistant-OpenEVSE'
+	option src 'iot'
+	option src_ip '{{ lookup('dig', 'evse.mateu.be') }}'
+	list proto 'tcp'
+	option dest 'dmz'
+	option dest_ip '{{ lookup('dig', 'ha.mateu.be') }}'
+	option dest_port '1883'
+	option target 'ACCEPT'
+	option family 'ipv4'
+
+config rule
+	option name 'Allow-FORWARD-Home-Assistant-Kodi'
+	option src 'dmz'
+	option src_ip '{{ lookup('dig', 'ha.mateu.be') }}'
+	list proto 'tcp'
+	option dest 'lan'
+	option dest_ip '{{ lookup('dig', 'libreelec.mateu.be') }}'
+	option dest_port '8080'
+	option target 'ACCEPT'
+	option family 'ipv4'
+
+config rule
+	option name 'Allow-FORWARD-Home-Assistant-RM4Pro'
+	option src 'dmz'
+	option src_ip '{{ lookup('dig', 'ha.mateu.be') }}'
+	option dest 'iot'
+	option dest_ip '{{ lookup('dig', 'rm4pro.mateu.be') }}'
+	option target 'ACCEPT'
+	option family 'ipv4'
+
 ### IoT Rules
 ## General Rules
 # ICMP

roles/freshrss/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 
-freshrss_version: "1.26.1"
+freshrss_version: "1.26.3"
 freshrss_url: "https://github.com/FreshRSS/FreshRSS/archive/refs/tags/{{ freshrss_version }}.tar.gz"
 
 freshrss_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'freshrss') | map(attribute='host') | first }}"

roles/garage/templates/garage.toml.j2

@@ -10,7 +10,7 @@ db_engine = "lmdb"
 
 block_size = "{{ garage_block_size }}"
 
-replication_mode = "{{ garage_replication_mode }}"
+replication_factor = {{ garage_replication_mode }}
 
 compression_level = 2
 

roles/garage/vars/main.yml

@@ -2,5 +2,5 @@
 
 garage_url: "https://garagehq.deuxfleurs.fr/_releases/{{ garage_version }}/{{ garage_arch }}-unknown-linux-musl/garage"
 garage_bin: "/usr/local/bin/garage"
-garage_version: v1.1.0
+garage_version: v2.0.0
 garage_arch: x86_64

roles/gitea/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 
-gitea_version: "1.23.7"
+gitea_version: "1.24.3"
 gitea_url: "https://dl.gitea.com/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64"
 gitea_bin: "/usr/local/bin/gitea"
 gitea_path: "/srv/gitea"

roles/haproxy/templates/haproxy.cfg.j2

@@ -42,10 +42,19 @@ frontend http
 	acl letsencrypt path_beg /.well-known/acme-challenge
 	redirect scheme https code 301 if !letsencrypt
 {% for server in haproxy_backend_servers %}
-{% for hostname in hostvars[server]['web_hostname'] | sort(attribute='host') %}
-	## {{ hostname.host }} configuration
-	acl host_{{ hostname.host }} hdr(host) -i {{ hostname.host }}
-	use_backend http_{{ hostvars[server].ansible_host }} if letsencrypt host_{{ hostname.host }}
+{% for hostname in (
+        (hostvars[server].web_hostname
+        | map(attribute='host'))
+        +
+        (hostvars[server].web_hostname
+        | selectattr('san', 'defined')
+        | map(attribute='san')
+        | flatten)
+        ) | sort
+%}
+	## {{ hostname }} configuration
+	acl host_{{ hostname }} hdr(host) -i {{ hostname }}
+	use_backend http_{{ hostvars[server].ansible_host }} if letsencrypt host_{{ hostname }}
 
 {% endfor %}
 {% endfor %}
@@ -57,14 +66,24 @@ frontend https
 	tcp-request inspect-delay 3s
 	tcp-request content accept if { req.ssl_hello_type 1 }
 {% for server in haproxy_backend_servers %}
-{% for hostname in hostvars[server]['web_hostname'] | sort(attribute='host') %}
-	## {{ hostname.host }} configuration
-	acl host_{{ hostname.host }} req.ssl_sni -i {{ hostname.host }}
-{% if hostname.allowlistv4 is defined %}
-	acl network_allowed_{{ hostname.host }} src {% for addrv4 in hostname.allowlistv4 %}{{ addrv4 }}{% endfor %}
+{% for hostname in (
+        (hostvars[server].web_hostname
+        | map(attribute='host'))
+        +
+        (hostvars[server].web_hostname
+        | selectattr('san', 'defined')
+        | map(attribute='san')
+        | flatten)
+        ) | sort
+%}
+	## {{ hostname }} configuration
+	acl host_{{ hostname }} req.ssl_sni -i {{ hostname }}
+{% set host = (hostvars[server].web_hostname | selectattr('host', '==', hostname))[0] %}
+{% if host.allowlistv4 is defined %}
+	acl network_allowed_{{ hostname }} src {% for addrv4 in host.allowlistv4 %} {{ addrv4 }}{% endfor %}
 
 {% endif %}
-	use_backend https_{{ hostvars[server].ansible_host }} if host_{{ hostname.host }}{% if hostname.allowlistv4 is defined %} network_allowed_{{ hostname.host }}{% endif %}
+	use_backend https_{{ hostvars[server].ansible_host }} if host_{{ hostname }}{% if host.allowlistv4 is defined %} network_allowed_{{ hostname }}{% endif %}
 
 
 {% endfor %}

roles/jackett/vars/main.yml

@@ -1,5 +1,5 @@
 ---
 
-jackett_version: "v0.22.1685"
+jackett_version: "v0.22.2162"
 jackett_download_url: "https://github.com/Jackett/Jackett/releases/download/{{ jackett_version }}/Jackett.Binaries.LinuxAMDx64.tar.gz"
 jackett_home: "/opt/Jackett"

roles/koillection/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 
-koillection_version: "1.6.12"
+koillection_version: "1.6.15"
 koillection_url: "https://giteu.be/koillection/koillection/releases/download/{{ koillection_version }}/koillection-{{ koillection_version }}.tar.gz"
 
 koillection_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'koillection') | map(attribute='host') | first }}"

roles/mariadb/tasks/main.yml

@@ -36,7 +36,7 @@
 - name: Check if .my.cnf file exists
   ansible.builtin.stat:
     path: /root/.my.cnf
-  register: dot_my_cnf
+  register: mariadb_dot_my_cnf
 
 - name: Set root password
   community.mysql.mysql_user:
@@ -44,7 +44,7 @@
     host: localhost
     name: root
     password: "{{ mariadb_root_pass }}"
-  when: not dot_my_cnf.stat.exists
+  when: not mariadb_dot_my_cnf.stat.exists
 
 - name: Put .my.cnf file
   ansible.builtin.template:

roles/mastodon/tasks/main.yml

@@ -40,6 +40,7 @@
       - git-core
       - g++
       - libprotobuf-dev
+      - libvips-tools
       - protobuf-compiler
       - pkg-config
       - nodejs

roles/mastodon/tasks/mastodon.yml

@@ -6,6 +6,7 @@
     repo: "https://github.com/mastodon/mastodon.git"
     dest: "{{ mastodon_home }}/live"
     version: "v{{ mastodon_version }}"
+  notify: Restart mastodon
 
 - name: Exec bundle
   remote_user: mastodon

roles/mastodon/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 
-mastodon_version: "4.3.7"
+mastodon_version: "4.4.1"
 
 mastodon_nodejs_key_url: "https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
 mastodon_nodejs_key_path: "/usr/share/keyrings/nodesource.gpg"
@@ -8,7 +8,7 @@ mastodon_nodejs_key_path: "/usr/share/keyrings/nodesource.gpg"
 mastodon_yarn_key_url: "https://dl.yarnpkg.com/debian/pubkey.gpg"
 mastodon_yarn_key_path: "/usr/share/keyrings/yarnkey.gpg"
 
-mastodon_ruby_version: "3.3.5"
+mastodon_ruby_version: "3.4.4"
 
 mastodon_home: "/srv/mastodon"
 mastodon_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'mastodon') | map(attribute='host') | first }}"

roles/munin_client/files/garage_bucket

@@ -6,7 +6,7 @@ HEADER="Authorization: Bearer ${BEARER}"
 # Create associative array
 declare -A BUCKETS=()
 
-API_BUCKETS_JSON=$(curl -s -H "${HEADER}" "http://[::1]:3903/v1/bucket?list" | jq -r '.[] | .id + "," + (if (.globalAliases[0]|test("\\.")) then .globalAliases[1] else .globalAliases[0] end)')
+API_BUCKETS_JSON=$(curl -s -H "${HEADER}" "http://[::1]:3903/v2/ListBuckets" | jq -r '.[] | .id + "," + (if (.globalAliases[0]|test("\\.")) then .globalAliases[1] else .globalAliases[0] end)')
 
 # Populate associative array
 for bucket in ${API_BUCKETS_JSON}
@@ -59,7 +59,7 @@ declare -A REQUESTS
 
 for i in "${!BUCKETS[@]}"
 do
-	REQUESTS+=([${BUCKETS[${i}]}]=$(curl -s -H "${HEADER}" "http://[::1]:3903/v1/bucket?id=${i}"))
+	REQUESTS+=([${BUCKETS[${i}]}]=$(curl -s -H "${HEADER}" "http://[::1]:3903/v2/GetBucketInfo?id=${i}"))
 done
 
 echo "multigraph garage_bucket_unfinished"

roles/munin_client/tasks/main.yml

@@ -2,26 +2,25 @@
 
 - name: Set package fact
   ansible.builtin.set_fact:
-    muninpkgs:
+    munin_client_muninpkgs:
       - muninlite
-    munin_need_reconfigure: false
+    munin_client_munin_need_reconfigure: false
   when: ansible_facts['distribution'] == "LEDE" or ansible_facts['distribution'] == "OpenWRT" or ansible_facts['distribution'] == "OpenWrt"
 
 - name: Set other packages fact
   ansible.builtin.set_fact:
-    muninpkgs:
+    munin_client_muninpkgs:
       - munin-node
       - munin-plugins-core
       - munin-plugins-extra
-    munin_need_reconfigure: true
+    munin_client_munin_need_reconfigure: true
   when: ansible_facts['distribution'] == "Debian"
 
 - name: Install munin node packages
   ansible.builtin.package:
-    name: "{{ item }}"
+    name: "{{ munin_client_muninpkgs }}"
     state: present
     update_cache: true
-  loop: "{{ muninpkgs }}"
 
 - name: Put munin-node configuration file
   ansible.builtin.template:
@@ -30,7 +29,7 @@
     mode: "0o644"
   notify:
     - Restart munin-node
-  when: munin_need_reconfigure
+  when: munin_client_munin_need_reconfigure
 
 ## Adding modules for specific functions
 # for NginX webservers
@@ -99,14 +98,14 @@
   changed_when: true
   notify:
     - Restart munin-node
-  when: munin_need_reconfigure
+  when: munin_client_munin_need_reconfigure
 
 # Useless junks for everyone
 - name: Delete useless junks for everyone
   ansible.builtin.file:
     path: "/etc/munin/plugins/{{ item }}"
     state: absent
-  when: munin_need_reconfigure
+  when: munin_client_munin_need_reconfigure
   loop:
     - users
 

roles/munin_client/templates/munin-node.conf.j2

@@ -41,7 +41,7 @@ host_name {{ ansible_host }}
 # network notation unless the perl module Net::CIDR is installed.  You
 # may repeat the allow line as many times as you'd like
 
-allow ^{{ hostvars['munin']['ansible_default_ipv4']['address'].split('.')|join('\.') }}
+allow ^{{ hostvars['munin']['proxmox_net0']['ip'] | ansible.utils.ipaddr('address') | split('.') |join('\.') }}
 allow ^127\.0\.0\.1$
 allow ^::1$
 

roles/nextcloud/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 
-nextcloud_version: "31.0.2"
+nextcloud_version: "31.0.7"
 nextcloud_url: "https://download.nextcloud.com/server/releases/nextcloud-{{ nextcloud_version }}.tar.bz2"
 
 nextcloud_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'nextcloud') | map(attribute='host') | first }}"
@@ -19,6 +19,7 @@ nextcloud_userdata_app_dirs:
 # Supplementary modules
 nextcloud_modules:
   - name: calendar
+  - name: contacts
   - name: tasks
   - name: user_external
     force: true

roles/nginx/tasks/acme.yml

@@ -2,7 +2,7 @@
 
 - name: Issue certificate
   ansible.builtin.command:
-    cmd: "/etc/x509/acme.sh --issue --domain {{ host.host }} --webroot {{ nginx_letsencrypt_dir }} --reloadcmd \"{{ acme_reload_cmd | default('systemctl reload nginx.service') }}\""
+    cmd: "/etc/x509/acme.sh --issue --domain {{ host.host }} {{ ['--domain'] | product(host.san | default([])) | map('join', ' ') | join(' ') }} --webroot {{ nginx_letsencrypt_dir }} --reloadcmd \"{{ acme_reload_cmd | default('systemctl reload nginx.service') }}\""
     creates: "/etc/x509/{{ host.host }}*"
   environment:
     LE_WORKING_DIR: "/etc/x509"
@@ -13,15 +13,16 @@
   register: _nginx_x509_ecc_dir
 
 - name: Move dir if exists
+  when: _nginx_x509_ecc_dir.stat.exists
   block:
     - name: Copy ecc dir
       ansible.builtin.copy:
         remote_src: true
         src: "/etc/x509/{{ host.host }}_ecc/"
         dest: "/etc/x509/{{ host.host }}"
+        mode: "{{ _nginx_x509_ecc_dir.stat.mode }}"
 
     - name: Remove ecc dir
       ansible.builtin.file:
         path: "/etc/x509/{{ host.host }}_ecc/"
         state: absent
-  when: _nginx_x509_ecc_dir.stat.exists

roles/nginx/tasks/main.yml

@@ -46,7 +46,7 @@
 
 - name: Include acme auto cert
   ansible.builtin.include_tasks: acme.yml
-  loop: "{{ web_hostname | rejectattr('acme_unmanaged', 'defined') }}"
+  loop: "{{ web_hostname }}"
   loop_control:
     loop_var: "host"
 

roles/nginx/templates/header.conf.j2

@@ -3,7 +3,7 @@
 	
 	ssl_certificate /etc/x509/{{ item.host }}/fullchain.cer;
 	ssl_certificate_key /etc/x509/{{ item.host }}/{{ item.host }}.key;
-	server_name {{ item.host }};
+	server_name {{ item.host }}{{ ' ' ~ item.san | join(' ') if item.san is defined }};
 	access_log /var/log/nginx/{{ item.host }}.access.log combined;
 	access_log syslog:server=unix:/dev/log combined;
 	error_log /var/log/nginx/{{ item.host }}.error.log;

roles/nginx/templates/nginx.ssl.conf.j2

@@ -3,7 +3,7 @@
 # ANY MODIFICATION IS LIKELY TO BE ERASED
 ##########
 	ssl_session_timeout 1d;
-	ssl_session_cache shared:SSL:50m;
+	ssl_session_cache shared:SSL:10m;
 	ssl_session_tickets off;
 
 	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
@@ -11,7 +11,7 @@
 
 	# intermediate configuration. tweak to your needs.
 	ssl_protocols TLSv1.2 TLSv1.3;
-	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 	ssl_prefer_server_ciphers off;
 
 	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)

roles/nginx/templates/vhosts/kck.test.mateu.be.conf.j2

@@ -0,0 +1,8 @@
+server {
+{% include './templates/header.conf.j2' %}
+	
+	location / {
+		proxy_pass http://localhost:8080;
+	}
+}
+

roles/nginx/templates/vhosts/r.mateu.be.conf.j2

@@ -1,15 +1,5 @@
 server {
-	listen *:443 ssl http2;
-	listen [::]:443 ssl http2;
-
-	server_name r.mateu.be perso.nintendojo.fr perso.libertus.eu;
-	access_log /var/log/nginx/r.mateu.be.access.log combined;
-	access_log syslog:server=unix:/dev/log combined;
-	error_log /var/log/nginx/r.mateu.be.error.log;
-	error_log syslog:server=unix:/dev/log;
-	ssl_certificate /etc/x509/r.mateu.be/fullchain.cer;
-	ssl_certificate_key /etc/x509/r.mateu.be/r.mateu.be.key;
-
+{% include './templates/header.conf.j2' %}
 	root /srv/www-data/r.mateu.be/;
 
 	location / {

roles/nginx/templates/vhosts/vlt.test.mateu.be.conf.j2

@@ -0,0 +1,8 @@
+server {
+{% include './templates/header.conf.j2' %}
+	
+	location / {
+		proxy_pass http://localhost:8200;
+	}
+}
+

roles/nginx/templates/vhosts/www.nintendojo.fr.conf.j2

@@ -1,16 +1,15 @@
 ## WP NintendojoFR
-server {
-	listen *:443 ssl http2;
-	listen [::]:443 ssl http2;
-	server_name nintendojo.fr www.nintendojo.fr;
-	access_log /var/log/nginx/nintendojo.fr.access.log combined;
-	access_log syslog:server=unix:/dev/log combined;
-	error_log /var/log/nginx/nintendojo.fr.error.log;
-	error_log syslog:server=unix:/dev/log;
-	ssl_certificate /etc/x509/www.nintendojo.fr/fullchain.cer;
-	ssl_certificate_key /etc/x509/www.nintendojo.fr/www.nintendojo.fr.key;
+fastcgi_cache_path
+	/dev/shm/nginx
+	levels=1:2
+	keys_zone=wpdojo:25m
+	inactive=1h
+	max_size=250m;
 
-	root /srv/http/www.nintendojo.fr/;
+server {
+{% include './templates/header.conf.j2' %}
+
+	root /var/www/www.nintendojo.fr/;
 	index index.html index.htm index.php;
 
 	client_max_body_size 2G;

roles/nginx/templates/vhosts/www.nintendojofr.com.conf.j2

@@ -1,13 +1,5 @@
 server {
-	listen *:443 ssl http2;
-	listen [::]:443 ssl http2;
-	server_name www.nintendojofr.com nintendojofr.com;
-	access_log /var/log/nginx/nintendojofr.com.access.log combined;
-	access_log syslog:server=unix:/dev/log combined;
-	error_log /var/log/nginx/nintendojofr.com.error.log;
-	error_log syslog:server=unix:/dev/log;
-	ssl_certificate /etc/x509/www.nintendojofr.com/fullchain.cer;
-	ssl_certificate_key /etc/x509/www.nintendojofr.com/www.nintendojofr.com.key;
+{% include './templates/header.conf.j2' %}
 
 	root /var/www/www.nintendojofr.com/;
 	index index.html index.htm index.php;

roles/nginx/templates/vhosts/wwwdev.nintendojo.fr.conf.j2

@@ -0,0 +1,46 @@
+## WP dev NintendojoFR
+server {
+{% include './templates/header.conf.j2' %}
+
+	root /var/www/wwwdev.nintendojo.fr/;
+	index index.html index.htm index.php;
+
+	client_max_body_size 2G;
+
+	# couper les fichiers cachés
+	location ~* /(?:uploads|files)/.*\.php$ {
+		deny all;
+	}
+
+	# couper les fichiers textes du captcha
+	location ~* /wp-content/uploads/wpcf7_captcha/.*\.txt$ {
+		deny all;
+	}
+
+	# Optimisation des images
+	location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+		expires 1w;
+		log_not_found off;
+	}
+
+	# Interprétation PHP
+	location ~ ^/(index).php(/.*)+ {
+		fastcgi_split_path_info ^(.+\.php)(/.*)$;
+		try_files $fastcgi_script_name =404;
+		fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
+		fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
+		fastcgi_read_timeout 60;
+		include fastcgi_params;
+	}
+
+	location ~ \.php$ {
+		try_files $uri $uri/ =404;
+		fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
+		fastcgi_read_timeout 60;
+		include fastcgi_params;
+	}
+
+	location / {
+		try_files $uri $uri/ /index.php$uri?$args;
+	}
+}

roles/nsd/tasks/prerequisites.yml

@@ -5,14 +5,14 @@
 
 - name: Detect systemd-resolve
   ansible.builtin.set_fact:
-    _systemd_resolve_enable: "{{ ansible_facts.udp_listen | selectattr('port', 'eq', 53) | selectattr('name', 'eq', 'systemd-resolve') | count > 0 }}"
+    nsd_systemd_resolve_enable: "{{ ansible_facts.udp_listen | selectattr('port', 'eq', 53) | selectattr('name', 'eq', 'systemd-resolve') | count > 0 }}"
 
 - name: Deactivate DNS stublistener
   ansible.builtin.lineinfile:
     path: /etc/systemd/resolved.conf
     regex: '^#DNSStubListener=yes'
     line: DNSStubListener=no
-  when: _systemd_resolve_enable
+  when: nsd_systemd_resolve_enable
   notify:
     - Restart systemd-resolved
 

roles/nsd/tasks/zones.yml

@@ -11,7 +11,17 @@
     dns_serial: "{{ ansible_date_time.epoch }}"
     web_hostname_block: |-
       {% for webserver in groups['webservers'] | sort -%}
-      {% for web_hostname in (hostvars[webserver]['web_hostname'] | selectattr('host', 'match', '.*' ~ item.name) | map(attribute='host') | sort) -%}
+      {% for web_hostname in (
+          (hostvars[webserver]['web_hostname']
+          | selectattr('host', 'match', '.*' ~ item.name)
+          | map(attribute='host')
+          +
+          (hostvars[webserver]['web_hostname']
+          | selectattr('san', 'defined')
+          | map(attribute='san')
+          | flatten
+          | select('match', '.*' ~ item.name)))
+        | sort) -%}
       {% if web_hostname is match("(\S+\.){2}") %}
       {{ web_hostname | regex_replace('\.' ~ item.name ~ '$', '') }}		IN CNAME {{ hostvars[webserver].ansible_host }}.
       {% else %}
@@ -45,14 +55,14 @@
 - name: Stat associated keys
   ansible.builtin.stat:
     path: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/.ds"
-  register: _stat_keys
+  register: nsd_stat_keys
 
 - name: Sign zone file
   become: true
   become_user: nsd
   ansible.builtin.command:
     chdir: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/"
-    cmd: "ldns-signzone -o {{ item.name }} -u {{ nsd_default_etc_path }}/zones/{{ item.name }}.zone {{ (_stat_keys.stat.lnk_target | split('.'))[:-1] | join('.') }}"
+    cmd: "ldns-signzone -o {{ item.name }} -u {{ nsd_default_etc_path }}/zones/{{ item.name }}.zone {{ (nsd_stat_keys.stat.lnk_target | split('.'))[:-1] | join('.') }}"
   changed_when: true
 
 - name: Reload zone

roles/nsd/templates/zones/mateu.be.zone.j2

@@ -29,7 +29,6 @@ backup		IN A 10.233.212.60
 baybay-ponay		IN AAAA 2a01:e0a:9bd:2810:9e6b:ff:fe13:ef88
 ciol		IN A 109.190.68.133
 derdriu		IN A 10.233.212.77
-dom		IN A 10.233.212.15
 enbarr.dmz		IN AAAA 2a01:e0a:9bd:2811::50
 evse		IN A 10.233.211.198
 fc		IN A 10.233.211.194
@@ -37,7 +36,10 @@ frederica.dmz		IN A {{ global_public_ip_address }}
 frederica.dmz		IN AAAA 2a01:e0a:9bd:2811::60
 ftp		IN A 10.233.212.14
 garreg-mach		IN A 10.233.212.66
-imprimante		IN A 10.233.212.94
+haos.dmz		IN A {{ global_public_ip_address }}
+haos.dmz		IN AAAA 2a01:e0a:9bd:2811::51
+ha				IN A 10.233.212.51
+libreelec		IN A 10.233.212.91
 machinbox		IN A {{ global_public_ip_address }}
 machinbox		IN AAAA 2a01:e0a:9bd:2810::1
 mailalt		IN CNAME altsrv
@@ -49,9 +51,10 @@ nsd-master1.ext		IN AAAA 2001:41d0:a:54b::1
 nsd-master1-v6.ext		IN AAAA 2001:41d0:a:54b::1
 rb		IN A 194.156.203.253
 rc		IN A 10.233.211.195
+rm4pro	IN A 10.233.211.200
 serenor.dmz		IN A {{ global_public_ip_address }}
 serenor.dmz		IN AAAA 2a01:e0a:9bd:2811::59
-{% for proxmox_host in (groups['proxmox_all_lxc'] + groups['proxmox_all_qemu']) | sort %}
+{% for proxmox_host in groups['proxmox_all_lxc'] | sort %}
 {{ proxmox_host }}.dmz	IN A {{ global_public_ip_address }}
 {% if proxmox_host.startswith('dns') %}
 {{ proxmox_host }}-v4.dmz	IN A {{ global_public_ip_address }}

roles/oolatoocs/vars/main.yml

@@ -2,5 +2,5 @@
 
 oolatoocs_db_dir: /var/lib/oolatoocs
 oolatoocs_url: https://r.mateu.be/oolatoocs/oolatoocs
-oolatoocs_version: v4.2.0
+oolatoocs_version: v4.3.0
 oolatoocs_local_bin_path: /usr/local/bin/oolatoocs

roles/peertube/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 
-peertube_version: "7.1.1"
+peertube_version: "7.2.2"
 peertube_home: "/srv/peertube"
 peertube_url: "https://github.com/Chocobozzz/PeerTube/releases/download/v{{ peertube_version }}/peertube-v{{ peertube_version }}.zip"
 

roles/roundcube/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 
-roundcube_version: "1.6.10"
+roundcube_version: "1.6.11"
 roundcube_url: "https://github.com/roundcube/roundcubemail/releases/download/{{ roundcube_version }}/roundcubemail-{{ roundcube_version }}-complete.tar.gz"
 
 # calculate the roundcube access URL given the `web_hostname` list

roles/sonarr/vars/main.yml

@@ -1,5 +1,5 @@
 ---
 
-sonarr_version: "4.0.14.2939"
+sonarr_version: "4.0.15.2941"
 sonarr_download_url: "https://github.com/Sonarr/Sonarr/releases/download/v{{ sonarr_version }}/Sonarr.main.{{ sonarr_version }}.linux-x64.tar.gz"
 sonarr_home: "/opt/Sonarr"

roles/spamassassin/files/local.cf

@@ -7,6 +7,9 @@ ok_locales      fr
 score   UNWANTED_LANGUAGE_BODY  5
 score	HTML_IMAGE_RATIO_02		3
 
+rawbody		LOCAL_ryoko				/ryoko/i
+score		LOCAL_ryoko				20.0
+
 rawbody		LOCAL_Enhancement_Gummies /Enhancement Gummies/i
 score		LOCAL_Enhancement_Gummies 20.0
 
@@ -240,6 +243,15 @@ whitelist_from *@reichelt.de
 whitelist_from *@amazon.de
 
 # Blacklist manuel
+blacklist_from *@startkomto.com
+blacklist_from *@todeliv.cloud
+blacklist_from *@*.science
+blacklist_from *@comaxe.cloud
+blacklist_from *@everlustinglife.com
+blacklist_from *@*.cash
+blacklist_from *@folowaunt.de
+blacklist_from *@instarte.online
+blacklist_from *@*.org.rs
 blacklist_from *@domainadmin.com
 blacklist_from *@werstalli.eu
 blacklist_from *@moneyempiregroup.com

roles/vaultwarden/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 
-vaultwarden_version: "1.33.2-0"
+vaultwarden_version: "1.34.1-1"
 vaultwarden_url: "https://github.com/dionysius/vaultwarden-deb/releases/download/debian/{{ vaultwarden_version }}/vaultwarden_{{ vaultwarden_version }}.{{ ansible_distribution_release }}_amd64.deb"
-vaultwarden_web_version: "2025.1.1-2"
+vaultwarden_web_version: "2025.5.0.0-3"
 vaultwarden_web_url: "https://github.com/dionysius/vaultwarden-web-vault-deb/releases/download/debian/{{ vaultwarden_web_version }}/vaultwarden-web-vault_{{ vaultwarden_web_version }}.bookworm_all.deb"

roles/wordpress/files/fastcgi_cache.conf

@@ -1,7 +0,0 @@
-fastcgi_cache_path
-	/dev/shm/nginx
-	levels=1:2
-	keys_zone=wpdojo:25m
-	inactive=1h
-	max_size=250m;
-

roles/wordpress/handlers/main.yml

@@ -1,6 +0,0 @@
----
-
-- name: Restart nginx
-  ansible.builtin.service:
-    name: nginx
-    state: restarted

roles/wordpress/tasks/main.yml

@@ -2,5 +2,5 @@
 
 - name: Init DB
   ansible.builtin.include_tasks: db.yml
-- name: WP for NintendojoFR
-  ansible.builtin.include_tasks: wp_dojo.yml
+- name: Install wordpress
+  ansible.builtin.include_tasks: wordpress.yml

roles/wordpress/tasks/wordpress.yml

@@ -0,0 +1,104 @@
+---
+
+## Remove the previous app & install the new version
+- name: Remove wordpress previous version
+  ansible.builtin.file:
+    state: absent
+    dest: "{{ wordpress_app_home }}"
+
+- name: Create app home
+  ansible.builtin.file:
+    state: directory
+    dest: "{{ wordpress_app_home }}"
+    owner: root
+    group: www-data
+    mode: "0o750"
+
+- name: Install wordpress application
+  ansible.builtin.unarchive:
+    remote_src: true
+    src: "{{ wordpress_url }}"
+    dest: "{{ wordpress_app_home }}"
+    owner: root
+    group: www-data
+    mode: "a-rwx,u+rwX,g+rX"
+    extra_opts: ['--strip-components=1']
+    exclude: "{{ wordpress_userdata_app_dirs | map('regex_replace', '^', 'wordpress/') }}"
+
+## Ensure the data dirs exist, populate them if not
+- name: Create data home
+  ansible.builtin.file:
+    state: directory
+    path: "{{ wordpress_data_home }}"
+    owner: www-data
+    group: www-data
+    mode: "a-rwx,u+rwX,g+rX"
+
+# If the first data dir exists, other should exist too
+- name: Get data dir
+  ansible.builtin.stat:
+    path: "{{ wordpress_data_home }}/{{ wordpress_userdata_app_dirs[0] }}"
+  register: _wordpress_userdata_dir_stat
+
+- name: Install wordpress data dir
+  when: not _wordpress_userdata_dir_stat.stat.exists
+  block:
+    - name: Unarchive wp-content
+      ansible.builtin.unarchive:
+        remote_src: true
+        src: "{{ wordpress_url }}"
+        dest: "{{ wordpress_data_home }}"
+        owner: www-data
+        group: www-data
+        mode: "a-rwx,u+rwX,g+rX"
+        extra_opts: ['--strip-components=1']
+        include: "{{ wordpress_userdata_app_dirs | map('regex_replace', '^', 'wordpress/') | first }}"
+      ## no-wp doesn’t exist by default, creating it
+    - name: Create no-wp
+      ansible.builtin.file:
+        state: directory
+        dest: "{{ wordpress_data_home }}/no-wp"
+        owner: www-data
+        group: www-data
+        mode: "0o750"
+
+- name: Link wordpress userdata dirs
+  ansible.builtin.file:
+    state: link
+    src: "{{ wordpress_data_home }}/{{ item }}"
+    dest: "{{ wordpress_app_home }}/{{ item }}"
+  loop: "{{ wordpress_userdata_app_dirs }}"
+
+# Put config file
+- name: Get secret-key salt
+  ansible.builtin.uri:
+    url: "https://api.wordpress.org/secret-key/1.1/salt/"
+    return_content: true
+  register: _wordpress_secret_salt
+
+- name: Put wordpress configuration file
+  ansible.builtin.template:
+    src: wp-config.php.j2
+    dest: "{{ wordpress_config_path }}"
+    owner: root
+    group: www-data
+    mode: "0o640"
+  vars:
+    salt_block: "{{ _wordpress_secret_salt.content }}"
+
+# Handle languages
+- name: Find & delete default language files inside wp-content
+  ansible.builtin.command:
+    cmd: "find {{ wordpress_data_home }}/wp-content/languages/ -type f -maxdepth 1 -delete"
+  changed_when: true
+
+- name: Reextract language files
+  ansible.builtin.unarchive:
+    remote_src: true
+    src: "{{ wordpress_url }}"
+    dest: "{{ wordpress_data_home }}"
+    owner: www-data
+    group: www-data
+    mode: "a-rwx,u+rwX,g+rX"
+    extra_opts: ['--strip-components=1']
+    include: "wordpress/wp-content/languages/"

roles/wordpress/tasks/wp_dojo.yml

@@ -1,16 +0,0 @@
----
-
-- name: Put nginx cache configuration file
-  ansible.builtin.copy:
-    src: files/fastcgi_cache.conf
-    dest: /etc/nginx/conf.d/fastcgi_cache.conf
-    mode: "0o644"
-  notify:
-    - Restart nginx
-
-- name: Cron for wordpress
-  ansible.builtin.cron:
-    name: "WP Twitter refresh"
-    user: www-data
-    minute: "*/2"
-    job: "/usr/bin/wget -q -O - https://www.nintendojo.fr/wp-cron.php &> /dev/null"

roles/wordpress/templates/wp-config.php.j2

@@ -0,0 +1,98 @@
+<?php
+
+/**
+ * La configuration de base de votre installation WordPress.
+ *
+ * Ce fichier contient les réglages de configuration suivants : réglages MySQL,
+ * préfixe de table, clefs secrètes, langue utilisée, et ABSPATH.
+ * Vous pouvez en savoir plus à leur sujet en allant sur 
+ * {@link http://codex.wordpress.org/Editing_wp-config.php Modifier
+ * wp-config.php} (en anglais). C'est votre hébergeur qui doit vous donner vos
+ * codes MySQL.
+ *
+ * Ce fichier est utilisé par le script de création de wp-config.php pendant
+ * le processus d'installation. Vous n'avez pas à utiliser le site web, vous
+ * pouvez simplement renommer ce fichier en "wp-config.php" et remplir les
+ * valeurs.
+ *
+ * @package WordPress
+ */
+
+// ** Réglages MySQL - Votre hébergeur doit vous fournir ces informations. ** //
+/** Nom de la base de données de WordPress. */
+define('DB_NAME', '{{ wordpress_maria_database }}');
+
+/** Utilisateur de la base de données MySQL. */
+define('DB_USER', '{{ wordpress_maria_user }}');
+
+/** Mot de passe de la base de données MySQL. */
+define('DB_PASSWORD', '{{ wordpress_maria_password }}');
+
+/** Adresse de l'hébergement MySQL. */
+define('DB_HOST', 'localhost');
+
+/** Jeu de caractères à utiliser par la base de données lors de la création des tables. */
+define('DB_CHARSET', 'utf8');
+
+/** Type de collation de la base de données. 
+  * N'y touchez que si vous savez ce que vous faites. 
+  */
+define('DB_COLLATE', '');
+
+/**
+  * Allows direct update of extensions
+  */
+define('FS_METHOD', 'direct');
+
+/**#@+
+ * Clefs uniques d'authentification et salage.
+ *
+ * Remplacez les valeurs par défaut par des phrases uniques !
+ * Vous pouvez générer des phrases aléatoires en utilisant 
+ * {@link https://api.wordpress.org/secret-key/1.1/salt/ le service de clefs secrètes de WordPress.org}.
+ * Vous pouvez modifier ces phrases à n'importe quel moment, afin d'invalider tous les cookies existants.
+ * Cela forcera également tous les utilisateurs à se reconnecter.
+ *
+ * @since 2.6.0
+ */
+{{ salt_block }}
+/**#@-*/
+
+/**
+ * Préfixe de base de données pour les tables de WordPress.
+ *
+ * Vous pouvez installer plusieurs WordPress sur une seule base de données
+ * si vous leur donnez chacune un préfixe unique. 
+ * N'utilisez que des chiffres, des lettres non-accentuées, et des caractères soulignés!
+ */
+$table_prefix  = 'wp_';
+
+/**
+ * Langue de localisation de WordPress, par défaut en Anglais.
+ *
+ * Modifiez cette valeur pour localiser WordPress. Un fichier MO correspondant
+ * au langage choisi doit être installé dans le dossier wp-content/languages.
+ * Par exemple, pour mettre en place une traduction française, mettez le fichier
+ * fr_FR.mo dans wp-content/languages, et réglez l'option ci-dessous à "fr_FR".
+ */
+define('WPLANG', 'fr_FR');
+
+/** 
+ * Pour les développeurs : le mode deboguage de WordPress.
+ * 
+ * En passant la valeur suivante à "true", vous activez l'affichage des
+ * notifications d'erreurs pendant votre essais.
+ * Il est fortemment recommandé que les développeurs d'extensions et
+ * de thèmes se servent de WP_DEBUG dans leur environnement de 
+ * développement.
+ */ 
+define('WP_DEBUG', false); 
+
+/* C'est tout, ne touchez pas à ce qui suit ! Bon blogging ! */
+
+/** Chemin absolu vers le dossier de WordPress. */
+if ( !defined('ABSPATH') )
+	define('ABSPATH', dirname(__FILE__) . '/');
+
+/** Réglage des variables de WordPress et de ses fichiers inclus. */
+require_once(ABSPATH . 'wp-settings.php');

roles/wordpress/vars/main.yml

@@ -0,0 +1,17 @@
+---
+
+wordpress_version: "6.8.2"
+wordpress_url: "https://fr.wordpress.org/wordpress-{{ wordpress_version }}-fr_FR.tar.gz"
+
+wordpress_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'wordpress') | map(attribute='host') | first }}"
+
+# Access path
+wordpress_app_home: "/var/www/{{ wordpress_access_url }}"
+wordpress_data_home: "/srv/www-data/{{ wordpress_access_url }}"
+
+# App dirs
+wordpress_userdata_app_dirs:
+  - wp-content
+  - no-wp
+
+wordpress_config_path: "{{ wordpress_app_home }}/wp-config.php"

roles/x509/tasks/main.yml

@@ -10,5 +10,5 @@
 
 - name: Set default CA
   ansible.builtin.command: /etc/x509/acme.sh --set-default-ca  --server  letsencrypt
-  register: acme_output
-  changed_when: acme_output.rc != 0
+  register: x509_acme_output
+  changed_when: x509_acme_output.rc != 0