🚨: fix ansible-lint

.ansible-lint-ignore

@@ -0,0 +1 @@
+roles/nsd/tasks/zones.yml no-tabs

inventory/group_vars/all/global.yml

@@ -0,0 +1,3 @@
+---
+
+global_public_ip_address: 82.66.135.228

inventory/group_vars/nsdservers.yml

@@ -2,7 +2,6 @@
 
 zones:
   - name: giteu.be
-    parking: true
   - name: libertus.eu
   - name: mateu.be
   - name: monder.ch
@@ -13,7 +12,6 @@ zones:
     parking: true
   - name: pipoworld.fr
     parking: true
-  - name: sebicomics.com
 
 tsig_key: !vault |
           $ANSIBLE_VAULT;1.1;AES256

inventory/host_vars/bt.yml

@@ -6,6 +6,7 @@ web_hostname:
   - host: btf.mateu.be
     allowlistv4:
       - 88.175.123.77/32
+      - 109.9.84.47/32
     allowlistv6:
       - 2a01:e0a:9bd:2811::/64
       - 2a01:e0a:9bd:2810::/64
@@ -15,6 +16,7 @@ web_hostname:
       - 2001:910:13c8::/48
       - 2a01:e0a:bde:d350::/64
       - 2a01:cb00:f55:2d00::/64
+      - 2a01:cb00:89e3:2c00::/64
 nginx_extra_mods:
   - fancyindex
 

inventory/host_vars/dc1.yml

@@ -0,0 +1,4 @@
+---
+web_hostname:
+  - host: kck.test.mateu.be
+  - host: vlt.test.mateu.be

inventory/host_vars/dns1.yml

@@ -0,0 +1,3 @@
+---
+
+natted_ipv4: "{{ global_public_ip_address }}"

inventory/host_vars/jabber.yml

@@ -1,6 +1,7 @@
 ---
 web_hostname:
   - host: libertus.eu
+    acme_reload_cmd: "systemctl restart prosody.service"
   - host: upload.libertus.eu
   - host: xmpp.libertus.eu
 

inventory/host_vars/ks3370405.yml

@@ -1,6 +1,13 @@
 ---
 
-allowed_smtp_ips: ["82.66.135.228", "80.67.179.200"]
+web_hostname:
+  - host: mail-relay.mateu.be
+    acme_reload_cmd: "systemctl restart postfix.service"
+
+allowed_smtp_ips: "{{ [global_public_ip_address] + ['80.67.179.200'] }}"
 
 global_smtp_relay_allowed_ips: "{{ allowed_smtp_ips }}"
 ufw_allowed_smtp_ips: "{{ allowed_smtp_ips }}"
+
+nsd_master: true
+nsd_ansible_host: "nsd-master1.ext.mateu.be"

inventory/host_vars/mail.yml

@@ -1,4 +1,6 @@
 ---
 web_hostname:
   - host: imap.libertus.eu
+    acme_reload_cmd: "systemctl restart dovecot.service"
   - host: smtp.libertus.eu
+    acme_reload_cmd: "systemctl restart postfix.service"

inventory/host_vars/web1.yml

@@ -13,9 +13,10 @@ web_hostname:
     type: bac
   - host: mail.libertus.eu
     type: roundcube
-  - host: perso.nintendojo.fr
-  - host: perso.libertus.eu
   - host: r.mateu.be
+    san:
+      - perso.libertus.eu
+      - perso.nintendojo.fr
   - host: ff.libertus.eu
     type: firefly3
   - host: koi.libertus.eu

inventory/host_vars/web2.yml

@@ -2,13 +2,16 @@
 php_modules: ['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'xml', 'bcmath', 'curl', 'imagick']
 
 web_hostname:
-  - host: nintendojo.fr
   - host: www.nintendojo.fr
-  - host: wwwdev.nintendojo.fr
+    type: wordpress
+    san:
+      - nintendojo.fr
   - host: forum.nintendojo.fr
-  - host: nintendojofr.com
+    type: phpbb
   - host: www.nintendojofr.com
     type: retrodojo
+    san:
+      - nintendojofr.com
   - host: forum.nintendojofr.com
 
 mariadb_root_pass: !vault |
@@ -19,6 +22,16 @@ mariadb_root_pass: !vault |
           3437653064323138310a663363373736623931336432376466316666616234356133383263373136
           31343534663063663134306464306234366430323762656165653930333134326231
 
+phpbb_maria_database: "dojo_forum"
+phpbb_maria_user: "adm_forum"
+phpbb_maria_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          65306237643235363962653566336537303632386466646462656234333836396630306438336632
+          3334663566303963646135313265643235623538633463650a663637386436306538616266626232
+          36373332396338326437663832383237623836643137323432323435333231633363386432303830
+          3465306161666563630a356462363561653431303438653935346564343861303962363030323633
+          3632
+
 wordpress_maria_database: "dojo_wp"
 wordpress_maria_user: "adm_wp"
 wordpress_maria_password: !vault |
@@ -38,12 +51,3 @@ retrodojo_maria_password: !vault |
         65386530353032336161353330313863623231646632643861666562353764373066663337353063
         6364633734323732390a363539333537396164633965346637313532666366336362346663326661
         6663
-
-webapps_htpasswd_editeurs: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          63663638356139373663646639633762393761333536393331363066353039393266306638326336
-          3235353238666261373032363633626333646662343461330a393534633530353330323637386239
-          63336532646235663732623561333963643436353165633165663430313132626561363361333736
-          6662313535333063390a386532313335663836393562656564306633303933633234393139316131
-          61376332373961303961303963656565633639333130346565386361313338346235623434616239
-          6637613630333963363963646465633939663863356633373264

inventory/host_vars/web3.yml

@@ -2,16 +2,23 @@
 php_modules: ['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'xml', 'bcmath', 'curl', 'imagick']
 
 web_hostname:
-  - host: sebicomics.com
-  - host: www.sebicomics.com
+  - host: wwwdev.nintendojo.fr
+    type: wordpress
 
 mariadb_root_pass: !vault |
           $ANSIBLE_VAULT;1.1;AES256
-          66613630653961396639336136333837343866646263353135303233383336356166663466623438
-          6438653832313536363631336363306337366165616561370a316466353535313164623934626563
-          65343238333661333765636131323962316637613036393366343161343162393337376232633432
-          3233653232353534370a393962663766623237313166333638343561306134663062333230333635
-          63343339363833626136646134353365393734346561613262633531386135366634
+          65373663323065306532306235313032383331353337396131383766323535633831383062393632
+          3438613735613365333264356465336162346263666236300a306234336566303863346539343531
+          37313932653964366233393038306235353134356230653336306232373430386662306634616431
+          6332333837663064340a643535386465626636343436303263666333383461383730396135396666
+          3539
 
-# 283M of base memory + 20MB/connection -> 1267M of RAM max
-mariadb_max_connections: 50
+wordpress_maria_database: "dojo_wpdev"
+wordpress_maria_user: "adm_wpdev"
+wordpress_maria_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          66613837353166633536656166383232646232303535643931313531636230353265633638626231
+          6231323738656466333164326238666166383931633133380a633764366462323261376632666565
+          63646365636133363338383233653930663139343238313131313365646663393761656361333332
+          6634333736356438390a316237373836373132666334306661363863383665663139623935646437
+          6331

inventory/static.yml

@@ -25,6 +25,15 @@ physicalservers:
   hosts:
     frederica:
     serenor:
+    ks3370405:
+
+nsdservers:
+  hosts:
+    ks3370405:
+
+webservers:
+  hosts:
+    ks3370405:
 
 hypervisors:
   children:
@@ -65,6 +74,7 @@ resticservers:
 
 disabled_loadbalanced_webservers:
   hosts:
+    ks3370405:
 
 disabled_system:
   hosts:

playbooks/docker.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Install docker
+  hosts: dockerservers
+  roles:
+    - docker

playbooks/firewall.yml

@@ -1,7 +1,7 @@
 ---
 
-- name: Retrieve network info
-  hosts: all:!disabled_server_conf:!machinbox
+- name: Retrieve network info for physical machines
+  hosts: physicalservers
   gather_facts: true
   gather_subset:
     - network

playbooks/gitea.yml

@@ -10,5 +10,4 @@
   hosts: actrunnerservers
   diff: true
   roles:
-    - docker
     - act_runner

playbooks/global_smtprelay.yml

@@ -3,5 +3,4 @@
 - name: Install & configure the global SMTP relay
   hosts: ks3370405
   roles:
-    - ufw
     - global_smtp_relay

playbooks/loadbalancinghttp.yml

@@ -1,12 +1,5 @@
 ---
 
-- name: Retrieve network info
-  hosts: webservers:!disabled_loadbalanced_webservers
-  gather_facts: true
-  gather_subset:
-    - network
-  tasks: []
-
 - name: Deploy haproxy
   hosts: lbservers
   diff: true

playbooks/nsd.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Deploy NSD
+  hosts: nsdservers
+  diff: true
+  roles:
+    - nsd

playbooks/site.yml

@@ -18,8 +18,12 @@
   import_playbook: firewall.yml
 - name: Run mail playbook
   import_playbook: mail.yml
+- name: Run ufw plabook
+  import_playbook: ufw.yml
 - name: Run global_smtprelay playbook
   import_playbook: global_smtprelay.yml
+- name: Run nsd playbook
+  import_playbook: nsd.yml
 - name: Run xmpp playbook
   import_playbook: xmpp.yml
 - name: Run webservers playbook
@@ -50,6 +54,8 @@
   import_playbook: peertube.yml
 - name: Run elasticsearch playbook
   import_playbook: elasticsearch.yml
+- name: Run docker playbook
+  import_playbook: docker.yml
 - name: Run gitea playbook
   import_playbook: gitea.yml
 - name: Run vaultwarden playbook

playbooks/ufw.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Install & configure UFW
+  hosts: ks3370405
+  roles:
+    - ufw

playbooks/webapps.yml

@@ -23,5 +23,16 @@
   hosts: web2
   diff: true
   roles:
-    - wordpress
-    - retrodojo
+    - role: wordpress
+      tags: [never, wordpress]
+    - role: phpbb
+      tags: [never, phpbb]
+    - role: retrodojo
+      tags: [never, retrodojo]
+
+- name: Install dojo webapplications
+  hosts: web3
+  diff: true
+  roles:
+    - role: wordpress
+      tags: [never, wordpress]

playbooks/webservers.yml

@@ -1,12 +1,5 @@
 ---
 
-- name: Retrieve network info
-  hosts: lbservers
-  gather_facts: true
-  gather_subset:
-    - network
-  tasks: []
-
 - name: Deploy web servers
   hosts: webservers
   diff: true

roles/act_runner/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 
-act_runner_version: "0.2.11"
+act_runner_version: "0.2.12"
 act_runner_url: "https://gitea.com/gitea/act_runner/releases/download/v{{ act_runner_version }}/act_runner-{{ act_runner_version }}-linux-amd64"
 act_runner_home: "/var/lib/act_runner"
 act_runner_bin: "/usr/local/bin/act_runner"

roles/firefly3/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 
-firefly3_version: "6.2.10"
+firefly3_version: "6.2.21"
 firefly3_url: "https://github.com/firefly-iii/firefly-iii/releases/download/v{{ firefly3_version }}/FireflyIII-v{{ firefly3_version }}.tar.gz"
 
 firefly3_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'firefly3') | map(attribute='host') | first }}"

roles/firewall/templates/firewall.j2

@@ -120,7 +120,7 @@ config rule
 config rule
 	option name 'Allow-DMZ-Syslog'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['syslog']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['syslog'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
 	option dest_port '514'
 	list proto 'udp'
 	option target 'ACCEPT'
@@ -173,7 +173,7 @@ config redirect
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['haproxy']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['haproxy'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
 	option dest_port '80'
 	option target 'DNAT'
 
@@ -184,19 +184,19 @@ config redirect
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['haproxy']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['haproxy'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
 	option dest_port '443'
 	option target 'DNAT'
 
 # Allow Web traffic IN
-{% for host in groups['webservers'] | sort %}
+{% for host in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) | sort %}
 config rule
 	option name 'Allow-INPUT-{{ hostvars[host]['ansible_host'] }}-Web'
 	option src 'wan'
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
+	option dest_ip '{{ hostvars[host].ansible_default_ipv6.address | default(hostvars[host].proxmox_net0.ip6 | ansible.utils.ipaddr('address')) }}'
 	option dest_port '80 443'
 	option target 'ACCEPT'
 	option family 'ipv6'
@@ -207,7 +207,7 @@ config rule
 config rule
 	option name 'Allow-OUTPUT-BT'
 	option src 'dmz'
-	option src_ip '{{ hostvars['bt']['ansible_default_ipv4']['address'] }}'
+	option src_ip '{{ hostvars['bt'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'wan'
@@ -217,7 +217,7 @@ config rule
 config rule
 	option name 'Allow-OUTPUT-BT'
 	option src 'dmz'
-	option src_ip '{{ hostvars['bt']['ansible_default_ipv6']['address'] }}'
+	option src_ip '{{ hostvars['bt'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'wan'
@@ -230,7 +230,7 @@ config rule
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['bt']['ansible_default_ipv6']['address'] }}'
+	option dest_ip '{{ hostvars['bt'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
 	option dest_port '10010'
 	option target 'ACCEPT'
 	option family 'ipv6'
@@ -242,7 +242,7 @@ config redirect
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['bt']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['bt'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
 	option dest_port '10010'
 	option target 'DNAT'
 
@@ -253,7 +253,7 @@ config rule
 	option src 'wan'
 	list proto 'tcp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
+	option dest_ip '{{ hostvars[host].ansible_default_ipv6.address }}'
 	option dest_port '80 8006'
 	option target 'ACCEPT'
 	option family 'ipv6'
@@ -267,7 +267,7 @@ config redirect
 	option src_dport '8006'
 	list proto 'tcp'
 	option dest 'dmz'
-	option dest_ip '{{ first_hypervisor['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ first_hypervisor.ansible_default_ipv4.address }}'
 	option dest_port '8006'
 	option target 'DNAT'
 
@@ -275,7 +275,7 @@ config redirect
 config rule
 	option name 'Allow-OUTPUT-XMPP-s2s'
 	option src 'dmz'
-	option src_ip '{{ hostvars['jabber']['ansible_default_ipv4']['address']}}'
+	option src_ip '{{ hostvars['jabber'].proxmox_net0.ip | ansible.utils.ipaddr('address')}}'
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'wan'
@@ -286,7 +286,7 @@ config rule
 config rule
 	option name 'Allow-OUTPUT-XMPP-s2s'
 	option src 'dmz'
-	option src_ip '{{ hostvars['jabber']['ansible_default_ipv6']['address'] }}'
+	option src_ip '{{ hostvars['jabber'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'wan'
@@ -301,7 +301,7 @@ config redirect
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['jabber']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['jabber'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
 	option dest_port '5222'
 	option target 'DNAT'
 
@@ -312,7 +312,7 @@ config redirect
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['jabber']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['jabber'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
 	option dest_port '5269'
 	option target 'DNAT'
 
@@ -322,7 +322,7 @@ config rule
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['jabber']['ansible_default_ipv6']['address'] }}'
+	option dest_ip '{{ hostvars['jabber'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
 	option dest_port '5222 5269'
 	option target 'ACCEPT'
 	option family 'ipv6'
@@ -334,7 +334,7 @@ config rule
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['voice1']['ansible_default_ipv6']['address'] }}'
+	option dest_ip '{{ hostvars['voice1'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
 	option dest_port '64738'
 	option target 'ACCEPT'
 	option family 'ipv6'
@@ -346,15 +346,62 @@ config redirect
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['voice1']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['voice1'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
 	option dest_port '64738'
 	option target 'DNAT'
 
+# Allow DNS traffic
+config rule
+	option name 'Allow-INPUT-DNS'
+	option src 'wan'
+	list proto 'tcp'
+	list proto 'udp'
+	option dest 'dmz'
+	option dest_ip '{{ hostvars['dns1'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
+	option dest_port '53'
+	option target 'ACCEPT'
+	option family 'ipv6'
+
+config redirect
+	option name 'Allow-INPUT-DNS'
+	option src 'wan'
+	option src_dport '53'
+	list proto 'tcp'
+	list proto 'udp'
+	option dest 'dmz'
+	option dest_ip '{{ hostvars['dns1'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
+	option dest_port '53'
+	option target 'DNAT'
+
+config rule
+	option name 'Allow-OUTPUT-DNS'
+	option src 'dmz'
+	option src_ip '{{ hostvars['dns1'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
+	list proto 'tcp'
+	list proto 'udp'
+	option dest 'wan'
+	option dest_port '53'
+	option dest_ip '{{ hostvars['ks3370405'].ansible_default_ipv4.address }}'
+	option target 'ACCEPT'
+	option family 'ipv4'
+
+config rule
+	option name 'Allow-OUTPUT-DNS'
+	option src 'dmz'
+	option src_ip '{{ hostvars['dns1'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
+	list proto 'tcp'
+	list proto 'udp'
+	option dest 'wan'
+	option dest_port '53'
+	option dest_ip '{{ hostvars['ks3370405'].ansible_default_ipv6.address }}'
+	option target 'ACCEPT'
+	option family 'ipv6'
+
 # Allow mail traffic
 config rule
 	option name 'Allow-OUTPUT-SMTP'
 	option src 'dmz'
-	option src_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
+	option src_ip '{{ hostvars['mail'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
 	list proto 'tcp'
 	option dest 'wan'
 	option dest_port '25'
@@ -366,7 +413,7 @@ config rule
 	option src 'wan'
 	list proto 'tcp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['mail']['ansible_default_ipv6']['address'] }}'
+	option dest_ip '{{ hostvars['mail'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
 	option dest_port '25 465 587'
 	option target 'ACCEPT'
 	option family 'ipv6'
@@ -376,7 +423,7 @@ config rule
 	option src 'wan'
 	list proto 'tcp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['mail']['ansible_default_ipv6']['address'] }}'
+	option dest_ip '{{ hostvars['mail'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
 	option dest_port '143 993'
 	option target 'ACCEPT'
 	option family 'ipv6'
@@ -387,7 +434,7 @@ config redirect
 	option src_dport '25'
 	list proto 'tcp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['mail'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
 	option dest_port '25'
 	option target 'DNAT'
 
@@ -397,7 +444,7 @@ config redirect
 	option src_dport '465'
 	list proto 'tcp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['mail'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
 	option dest_port '465'
 	option target 'DNAT'
 
@@ -407,7 +454,7 @@ config redirect
 	option src_dport '587'
 	list proto 'tcp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['mail'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
 	option dest_port '587'
 	option target 'DNAT'
 
@@ -417,7 +464,7 @@ config redirect
 	option src_dport '143'
 	list proto 'tcp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['mail'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
 	option dest_port '143'
 	option target 'DNAT'
 
@@ -427,7 +474,7 @@ config redirect
 	option src_dport '993'
 	list proto 'tcp'
 	option dest 'lan'
-	option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['mail'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
 	option dest_port '993'
 	option target 'DNAT'
 
@@ -435,7 +482,7 @@ config redirect
 config rule
 	option name 'Allow-INPUT-Munin'
 	option src 'dmz'
-	option src_ip '{{ hostvars['munin']['ansible_default_ipv4']['address'] }}'
+	option src_ip '{{ hostvars['munin'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
 	list proto 'tcp'
 	option dest_port '4949'
 	option target 'ACCEPT'
@@ -444,7 +491,7 @@ config rule
 config rule
 	option name 'Allow-FORWARD-Munin-Mikrotik-Garregmach'
 	option src 'dmz'
-	option src_ip '{{ hostvars['munin']['ansible_default_ipv4']['address'] }}'
+	option src_ip '{{ hostvars['munin'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'lan'
@@ -456,7 +503,7 @@ config rule
 config rule
 	option name 'Allow-FORWARD-Munin-Mikrotik-Derdriu'
 	option src 'dmz'
-	option src_ip '{{ hostvars['munin']['ansible_default_ipv4']['address'] }}'
+	option src_ip '{{ hostvars['munin'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'lan'
@@ -465,6 +512,38 @@ config rule
 	option target 'ACCEPT'
 	option family 'ipv4'
 
+# Allow Home Assitant to OpenEVSE
+config rule
+	option name 'Allow-FORWARD-Home-Assistant-OpenEVSE'
+	option src 'iot'
+	option src_ip '{{ lookup('dig', 'evse.mateu.be') }}'
+	list proto 'tcp'
+	option dest 'dmz'
+	option dest_ip '{{ lookup('dig', 'ha.mateu.be') }}'
+	option dest_port '1883'
+	option target 'ACCEPT'
+	option family 'ipv4'
+
+config rule
+	option name 'Allow-FORWARD-Home-Assistant-Kodi'
+	option src 'dmz'
+	option src_ip '{{ lookup('dig', 'ha.mateu.be') }}'
+	list proto 'tcp'
+	option dest 'lan'
+	option dest_ip '{{ lookup('dig', 'libreelec.mateu.be') }}'
+	option dest_port '8080'
+	option target 'ACCEPT'
+	option family 'ipv4'
+
+config rule
+	option name 'Allow-FORWARD-Home-Assistant-RM4Pro'
+	option src 'dmz'
+	option src_ip '{{ lookup('dig', 'ha.mateu.be') }}'
+	option dest 'iot'
+	option dest_ip '{{ lookup('dig', 'rm4pro.mateu.be') }}'
+	option target 'ACCEPT'
+	option family 'ipv4'
+
 ### IoT Rules
 ## General Rules
 # ICMP
@@ -530,7 +609,7 @@ config rule
 	option src 'iot'
 	list proto 'tcp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['ftp']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['ftp'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
 	option dest_port '21 10100-10110'
 	option target 'ACCEPT'
 

roles/freshrss/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 
-freshrss_version: "1.26.1"
+freshrss_version: "1.26.3"
 freshrss_url: "https://github.com/FreshRSS/FreshRSS/archive/refs/tags/{{ freshrss_version }}.tar.gz"
 
 freshrss_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'freshrss') | map(attribute='host') | first }}"

roles/garage/templates/garage.toml.j2

@@ -10,7 +10,7 @@ db_engine = "lmdb"
 
 block_size = "{{ garage_block_size }}"
 
-replication_mode = "{{ garage_replication_mode }}"
+replication_factor = {{ garage_replication_mode }}
 
 compression_level = 2
 

roles/garage/vars/main.yml

@@ -2,5 +2,5 @@
 
 garage_url: "https://garagehq.deuxfleurs.fr/_releases/{{ garage_version }}/{{ garage_arch }}-unknown-linux-musl/garage"
 garage_bin: "/usr/local/bin/garage"
-garage_version: v1.1.0
+garage_version: v2.0.0
 garage_arch: x86_64

roles/gitea/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 
-gitea_version: "1.23.6"
+gitea_version: "1.24.3"
 gitea_url: "https://dl.gitea.com/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64"
 gitea_bin: "/usr/local/bin/gitea"
 gitea_path: "/srv/gitea"

roles/global_smtp_relay/handlers/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Restart postfix
-  ansible.bultin.service:
+  ansible.builtin.service:
     name: postfix
     state: restarted
-    enable: true
+    enabled: true

roles/global_smtp_relay/tasks/main.yml

@@ -8,7 +8,7 @@
 - name: Put configuration
   ansible.builtin.template:
     src: main.cf.j2
-    dest: /etc/postfix/main.cf.j2
+    dest: /etc/postfix/main.cf
     owner: root
     group: root
     mode: "0o640"

roles/global_smtp_relay/templates/main.cf.j2

@@ -1,30 +1,16 @@
 compatibility_level = 2
-queue_directory = /var/spool/postfix
-command_directory = /usr/bin
-daemon_directory = /usr/lib/postfix/bin
-data_directory = /var/lib/postfix
 mail_owner = postfix
 myhostname = mail-relay.mateu.be
 myorigin = $myhostname
 mydestination = $myhostname, localhost.$mydomain, localhost
 unknown_local_recipient_reject_code = 550
-mynetworks = 127.0.0.0/8, [::1]/128, 82.66.135.228, 80.67.179.200
-debugger_command =
-	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
-	 ddd $daemon_directory/$process_name $process_id & sleep 5
+mynetworks = 127.0.0.0/8, [::1]/128, {{ global_smtp_relay_allowed_ips | join(', ') }}
 sendmail_path = /usr/bin/sendmail
 newaliases_path = /usr/bin/newaliases
 mailq_path = /usr/bin/mailq
-setgid_group = postdrop
-html_directory = no
 mailbox_size_limit = 104857600
 message_size_limit = 104857600
-manpage_directory = /usr/share/man
-sample_directory = /etc/postfix
-readme_directory = /usr/share/doc/postfix
 inet_protocols = ipv4
-meta_directory = /etc/postfix
-shlib_directory = /usr/lib/postfix
 ## Référence de chiffrement TLS
 # serveur SMTP
 smtpd_tls_cert_file = /etc/x509/mail-relay.mateu.be/fullchain.cer

roles/haproxy/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+
+haproxy_backend_servers: "{{ groups['webservers']
+    | difference(groups['proxmox_all_stopped'])
+    | difference(groups['disabled_loadbalanced_webservers'])
+    | sort }}"

roles/haproxy/templates/haproxy.cfg.j2

@@ -41,11 +41,20 @@ frontend http
 	tcp-request inspect-delay 3s
 	acl letsencrypt path_beg /.well-known/acme-challenge
 	redirect scheme https code 301 if !letsencrypt
-{% for server in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) | sort %}
-{% for hostname in hostvars[server]['web_hostname'] | sort(attribute='host') %}
-	## {{ hostname.host }} configuration
-	acl host_{{ hostname.host }} hdr(host) -i {{ hostname.host }}
-	use_backend http_{{ hostvars[server].ansible_host }} if letsencrypt host_{{ hostname.host }}
+{% for server in haproxy_backend_servers %}
+{% for hostname in (
+        (hostvars[server].web_hostname
+        | map(attribute='host'))
+        +
+        (hostvars[server].web_hostname
+        | selectattr('san', 'defined')
+        | map(attribute='san')
+        | flatten)
+        ) | sort
+%}
+	## {{ hostname }} configuration
+	acl host_{{ hostname }} hdr(host) -i {{ hostname }}
+	use_backend http_{{ hostvars[server].ansible_host }} if letsencrypt host_{{ hostname }}
 
 {% endfor %}
 {% endfor %}
@@ -56,29 +65,41 @@ frontend https
 	bind *:443 name frontend-https
 	tcp-request inspect-delay 3s
 	tcp-request content accept if { req.ssl_hello_type 1 }
-{% for server in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) | sort %}
-{% for hostname in hostvars[server]['web_hostname'] | sort(attribute='host') %}
-	## {{ hostname.host }} configuration
-	acl host_{{ hostname.host }} req.ssl_sni -i {{ hostname.host }}
-{% if hostname.allowlistv4 is defined %}
-	acl network_allowed_{{ hostname.host }} src {% for addrv4 in hostname.allowlistv4 %}{{ addrv4 }}{% endfor %}
+{% for server in haproxy_backend_servers %}
+{% for hostname in (
+        (hostvars[server].web_hostname
+        | map(attribute='host'))
+        +
+        (hostvars[server].web_hostname
+        | selectattr('san', 'defined')
+        | map(attribute='san')
+        | flatten)
+        ) | sort
+%}
+	## {{ hostname }} configuration
+	acl host_{{ hostname }} req.ssl_sni -i {{ hostname }}
+{% set host = (hostvars[server].web_hostname | selectattr('host', '==', hostname))[0] %}
+{% if host.allowlistv4 is defined %}
+	acl network_allowed_{{ hostname }} src {% for addrv4 in host.allowlistv4 %} {{ addrv4 }}{% endfor %}
 
 {% endif %}
-	use_backend https_{{ hostvars[server].ansible_host }} if host_{{ hostname.host }}{% if hostname.allowlistv4 is defined %} network_allowed_{{ hostname.host }}{% endif %}
+	use_backend https_{{ hostvars[server].ansible_host }} if host_{{ hostname }}{% if host.allowlistv4 is defined %} network_allowed_{{ hostname }}{% endif %}
 
 
 {% endfor %}
 {% endfor %}
 
-{% for server in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) | sort %}
+{% for server in haproxy_backend_servers %}
 ## {{ hostvars[server].ansible_host }} configuration
 backend http_{{ hostvars[server].ansible_host }}
 	mode http
-	server host_{{ hostvars[server].ansible_host.split('.')|join('_') }} {{ hostvars[server]['ansible_default_ipv4']['address'] }}:80
+{% set hostname_slug = hostvars[server].ansible_host.split('.')|join('_') %}
+{% set hostname_ipaddr = hostvars[server]['ansible_default_ipv4']['address'] | default(hostvars[server].proxmox_net0.ip | ansible.utils.ipaddr('address')) %}
+	server host_{{ hostname_slug }} {{ hostname_ipaddr }}:80
 
 backend https_{{ hostvars[server].ansible_host }}
 	mode tcp
-	server host_{{ hostvars[server].ansible_host.split('.')|join('_') }} {{ hostvars[server]['ansible_default_ipv4']['address'] }}:443
+	server host_{{ hostname_slug }} {{ hostname_ipaddr }}:443
 
 {% endfor %}
 

roles/jackett/vars/main.yml

@@ -1,5 +1,5 @@
 ---
 
-jackett_version: "v0.22.1685"
+jackett_version: "v0.22.2162"
 jackett_download_url: "https://github.com/Jackett/Jackett/releases/download/{{ jackett_version }}/Jackett.Binaries.LinuxAMDx64.tar.gz"
 jackett_home: "/opt/Jackett"

roles/koillection/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 
-koillection_version: "1.6.12"
+koillection_version: "1.6.15"
 koillection_url: "https://giteu.be/koillection/koillection/releases/download/{{ koillection_version }}/koillection-{{ koillection_version }}.tar.gz"
 
 koillection_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'koillection') | map(attribute='host') | first }}"

roles/mariadb/tasks/main.yml

@@ -36,7 +36,7 @@
 - name: Check if .my.cnf file exists
   ansible.builtin.stat:
     path: /root/.my.cnf
-  register: dot_my_cnf
+  register: mariadb_dot_my_cnf
 
 - name: Set root password
   community.mysql.mysql_user:
@@ -44,7 +44,7 @@
     host: localhost
     name: root
     password: "{{ mariadb_root_pass }}"
-  when: not dot_my_cnf.stat.exists
+  when: not mariadb_dot_my_cnf.stat.exists
 
 - name: Put .my.cnf file
   ansible.builtin.template:

roles/mastodon/tasks/cron.yml

@@ -6,4 +6,4 @@
     name: Mastodon tootctl
     minute: "0"
     hour: "2"
-    job: "{{ mastodon_home }}/bin/remove_media.sh"
+    job: "{{ mastodon_home }}/bin/remove_media.sh > /dev/null"

roles/mastodon/tasks/main.yml

@@ -40,6 +40,7 @@
       - git-core
       - g++
       - libprotobuf-dev
+      - libvips-tools
       - protobuf-compiler
       - pkg-config
       - nodejs

roles/mastodon/tasks/mastodon.yml

@@ -6,6 +6,7 @@
     repo: "https://github.com/mastodon/mastodon.git"
     dest: "{{ mastodon_home }}/live"
     version: "v{{ mastodon_version }}"
+  notify: Restart mastodon
 
 - name: Exec bundle
   remote_user: mastodon

roles/mastodon/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 
-mastodon_version: "4.3.6"
+mastodon_version: "4.4.1"
 
 mastodon_nodejs_key_url: "https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
 mastodon_nodejs_key_path: "/usr/share/keyrings/nodesource.gpg"
@@ -8,7 +8,7 @@ mastodon_nodejs_key_path: "/usr/share/keyrings/nodesource.gpg"
 mastodon_yarn_key_url: "https://dl.yarnpkg.com/debian/pubkey.gpg"
 mastodon_yarn_key_path: "/usr/share/keyrings/yarnkey.gpg"
 
-mastodon_ruby_version: "3.3.5"
+mastodon_ruby_version: "3.4.4"
 
 mastodon_home: "/srv/mastodon"
 mastodon_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'mastodon') | map(attribute='host') | first }}"

roles/munin_client/files/garage_bucket

@@ -6,7 +6,7 @@ HEADER="Authorization: Bearer ${BEARER}"
 # Create associative array
 declare -A BUCKETS=()
 
-API_BUCKETS_JSON=$(curl -s -H "${HEADER}" "http://[::1]:3903/v1/bucket?list" | jq -r '.[] | .id + "," + (if (.globalAliases[0]|test("\\.")) then .globalAliases[1] else .globalAliases[0] end)')
+API_BUCKETS_JSON=$(curl -s -H "${HEADER}" "http://[::1]:3903/v2/ListBuckets" | jq -r '.[] | .id + "," + (if (.globalAliases[0]|test("\\.")) then .globalAliases[1] else .globalAliases[0] end)')
 
 # Populate associative array
 for bucket in ${API_BUCKETS_JSON}
@@ -59,7 +59,7 @@ declare -A REQUESTS
 
 for i in "${!BUCKETS[@]}"
 do
-	REQUESTS+=([${BUCKETS[${i}]}]=$(curl -s -H "${HEADER}" "http://[::1]:3903/v1/bucket?id=${i}"))
+	REQUESTS+=([${BUCKETS[${i}]}]=$(curl -s -H "${HEADER}" "http://[::1]:3903/v2/GetBucketInfo?id=${i}"))
 done
 
 echo "multigraph garage_bucket_unfinished"

roles/munin_client/files/nsd

@@ -0,0 +1,127 @@
+#!/bin/sh
+
+: << =cut
+
+=head1 NAME
+
+nsd - Plugin to monitor nsd DNS server
+
+=head1 CONFIGURATION
+
+No configuration
+
+=head1 AUTHOR
+
+Kim Heino <b@bbbs.net>
+
+=head1 LICENSE
+
+GPLv2
+
+=head1 MAGIC MARKERS
+
+ #%# family=auto
+ #%# capabilities=autoconf
+
+=cut
+
+if [ "$1" = "autoconf" ]; then
+	if [ -x /usr/sbin/nsd-control ]; then
+		echo "yes"
+		exit 0
+	else
+		echo "no (no /usr/sbin/nsd-control)"
+		exit 0
+	fi
+fi
+
+if [ "$1" = "config" ]; then
+	echo 'graph_title NSD queries'
+	echo 'graph_vlabel queries / second'
+	echo 'graph_category dns'
+	echo 'graph_info Queries per second, by query type'
+	echo 'a.label A'
+	echo 'a.type DERIVE'
+	echo 'a.min 0'
+	echo 'aaaa.label AAAA'
+	echo 'aaaa.type DERIVE'
+	echo 'aaaa.min 0'
+	echo 'ptr.label PTR'
+	echo 'ptr.type DERIVE'
+	echo 'ptr.min 0'
+	echo 'cname.label CNAME'
+	echo 'cname.type DERIVE'
+	echo 'cname.min 0'
+	echo 'mx.label MX'
+	echo 'mx.type DERIVE'
+	echo 'mx.min 0'
+	echo 'txt.label TXT'
+	echo 'txt.type DERIVE'
+	echo 'txt.min 0'
+	echo 'soa.label SOA'
+	echo 'soa.type DERIVE'
+	echo 'soa.min 0'
+	echo 'ns.label NS'
+	echo 'ns.type DERIVE'
+	echo 'ns.min 0'
+	echo 'srv.label SRV'
+	echo 'srv.type DERIVE'
+	echo 'srv.min 0'
+	echo 'dnskey.label DNSKEY'
+	echo 'dnskey.type DERIVE'
+	echo 'dnskey.min 0'
+	echo 'axfr.label AXFR'
+	echo 'axfr.type DERIVE'
+	echo 'axfr.min 0'
+	echo 'snxd.label NXDOMAIN'
+	echo 'snxd.type DERIVE'
+	echo 'snxd.min 0'
+	echo 'rq.label Total Successful'
+	echo 'rq.type DERIVE'
+	echo 'rq.min 0'
+	exit 0
+fi
+
+/usr/sbin/nsd-control stats_noreset | sed 's/=/ /; s/\.//g' | (
+	numtypeA=0
+	numtypeAAAA=0
+	numtypePTR=0
+	numtypeCNAME=0
+	numtypeMX=0
+	numtypeTXT=0
+	numtypeSOA=0
+	numtypeNS=0
+	numtypeSRV=0
+	numtypeDNSKEY=0
+	numraxfr=0
+	numrcodeNXDOMAIN=0
+	numqueries=0
+	while read -r key value rest; do
+		[ "${key}" = "numtypeA" ] && numtypeA=${value}
+		[ "${key}" = "numtypeAAAA" ] && numtypeAAAA=${value}
+		[ "${key}" = "numtypePTR" ] && numtypePTR=${value}
+		[ "${key}" = "numtypeCNAME" ] && numtypeCNAME=${value}
+		[ "${key}" = "numtypeMX" ] && numtypeMX=${value}
+		[ "${key}" = "numtypeTXT" ] && numtypeTXT=${value}
+		[ "${key}" = "numtypeSOA" ] && numtypeSOA=${value}
+		[ "${key}" = "numtypeNS" ] && numtypeNS=${value}
+		[ "${key}" = "numtypeSRV" ] && numtypeSRV=${value}
+		[ "${key}" = "numtypeDNSKEY" ] && numtypeDNSKEY=${value}
+		[ "${key}" = "numraxfr" ] && numraxfr=${value}
+		[ "${key}" = "numrcodeNXDOMAIN" ] && numrcodeNXDOMAIN=${value}
+		[ "${key}" = "numqueries" ] && numqueries=${value}
+	done
+	echo "a.value ${numtypeA}"
+	echo "aaaa.value ${numtypeAAAA}"
+	echo "ptr.value ${numtypePTR}"
+	echo "cname.value ${numtypeCNAME}"
+	echo "mx.value ${numtypeMX}"
+	echo "txt.value ${numtypeTXT}"
+	echo "soa.value ${numtypeSOA}"
+	echo "ns.value ${numtypeNS}"
+	echo "srv.value ${numtypeSRV}"
+	echo "dnskey.value ${numtypeDNSKEY}"
+	echo "axfr.value ${numraxfr}"
+	echo "snxd.value ${numrcodeNXDOMAIN}"
+	echo "rq.value ${numqueries}"
+)

roles/munin_client/tasks/main.yml

@@ -2,26 +2,25 @@
 
 - name: Set package fact
   ansible.builtin.set_fact:
-    muninpkgs:
+    munin_client_muninpkgs:
       - muninlite
-    munin_need_reconfigure: false
+    munin_client_munin_need_reconfigure: false
   when: ansible_facts['distribution'] == "LEDE" or ansible_facts['distribution'] == "OpenWRT" or ansible_facts['distribution'] == "OpenWrt"
 
 - name: Set other packages fact
   ansible.builtin.set_fact:
-    muninpkgs:
+    munin_client_muninpkgs:
       - munin-node
       - munin-plugins-core
       - munin-plugins-extra
-    munin_need_reconfigure: true
+    munin_client_munin_need_reconfigure: true
   when: ansible_facts['distribution'] == "Debian"
 
 - name: Install munin node packages
   ansible.builtin.package:
-    name: "{{ item }}"
+    name: "{{ munin_client_muninpkgs }}"
     state: present
     update_cache: true
-  loop: "{{ muninpkgs }}"
 
 - name: Put munin-node configuration file
   ansible.builtin.template:
@@ -30,7 +29,7 @@
     mode: "0o644"
   notify:
     - Restart munin-node
-  when: munin_need_reconfigure
+  when: munin_client_munin_need_reconfigure
 
 ## Adding modules for specific functions
 # for NginX webservers
@@ -99,14 +98,14 @@
   changed_when: true
   notify:
     - Restart munin-node
-  when: munin_need_reconfigure
+  when: munin_client_munin_need_reconfigure
 
 # Useless junks for everyone
 - name: Delete useless junks for everyone
   ansible.builtin.file:
     path: "/etc/munin/plugins/{{ item }}"
     state: absent
-  when: munin_need_reconfigure
+  when: munin_client_munin_need_reconfigure
   loop:
     - users
 
@@ -136,6 +135,11 @@
   ansible.builtin.include_tasks: garage.yml
   when: "'garageservers' in group_names"
 
+# Specific nsd commands
+- name: Execute specific nsd commands
+  ansible.builtin.include_tasks: nsd.yml
+  when: "'nsdservers' in group_names"
+
 # Specific restic commands
 - name: Execute specific restic commands
   ansible.builtin.include_tasks: restic.yml

roles/munin_client/tasks/nsd.yml

@@ -0,0 +1,21 @@
+---
+
+- name: Put nsd plugin configuration
+  ansible.builtin.template:
+    src: nsd.j2
+    dest: /etc/munin/plugin-conf.d/nsd
+    owner: root
+    group: root
+    mode: "0o640"
+  notify:
+    - Restart munin-node
+
+- name: Put nsd scripts
+  ansible.builtin.copy:
+    src: files/nsd
+    dest: /etc/munin/plugins/nsd
+    owner: root
+    group: root
+    mode: "0o755"
+  notify:
+    - Restart munin-node

roles/munin_client/templates/munin-node.conf.j2

@@ -41,7 +41,7 @@ host_name {{ ansible_host }}
 # network notation unless the perl module Net::CIDR is installed.  You
 # may repeat the allow line as many times as you'd like
 
-allow ^{{ hostvars['munin']['ansible_default_ipv4']['address'].split('.')|join('\.') }}
+allow ^{{ hostvars['munin']['proxmox_net0']['ip'] | ansible.utils.ipaddr('address') | split('.') |join('\.') }}
 allow ^127\.0\.0\.1$
 allow ^::1$
 

roles/munin_client/templates/nsd.j2

@@ -0,0 +1,2 @@
+[nsd]
+user root

roles/nextcloud/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 
-nextcloud_version: "31.0.2"
+nextcloud_version: "31.0.7"
 nextcloud_url: "https://download.nextcloud.com/server/releases/nextcloud-{{ nextcloud_version }}.tar.bz2"
 
 nextcloud_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'nextcloud') | map(attribute='host') | first }}"
@@ -19,6 +19,7 @@ nextcloud_userdata_app_dirs:
 # Supplementary modules
 nextcloud_modules:
   - name: calendar
+  - name: contacts
   - name: tasks
   - name: user_external
     force: true

roles/nginx/tasks/acme.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Issue certificate
+  ansible.builtin.command:
+    cmd: "/etc/x509/acme.sh --issue --domain {{ host.host }} {{ ['--domain'] | product(host.san | default([])) | map('join', ' ') | join(' ') }} --webroot {{ nginx_letsencrypt_dir }} --reloadcmd \"{{ acme_reload_cmd | default('systemctl reload nginx.service') }}\""
+    creates: "/etc/x509/{{ host.host }}*"
+  environment:
+    LE_WORKING_DIR: "/etc/x509"
+
+- name: Check if ecc dir
+  ansible.builtin.stat:
+    path: "/etc/x509/{{ host.host }}_ecc"
+  register: _nginx_x509_ecc_dir
+
+- name: Move dir if exists
+  when: _nginx_x509_ecc_dir.stat.exists
+  block:
+    - name: Copy ecc dir
+      ansible.builtin.copy:
+        remote_src: true
+        src: "/etc/x509/{{ host.host }}_ecc/"
+        dest: "/etc/x509/{{ host.host }}"
+        mode: "{{ _nginx_x509_ecc_dir.stat.mode }}"
+
+    - name: Remove ecc dir
+      ansible.builtin.file:
+        path: "/etc/x509/{{ host.host }}_ecc/"
+        state: absent

roles/nginx/tasks/main.yml

@@ -41,5 +41,14 @@
     mode: 'u+rwx,g+rs,o-rwx'
     state: directory
 
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers
+
+- name: Include acme auto cert
+  ansible.builtin.include_tasks: acme.yml
+  loop: "{{ web_hostname }}"
+  loop_control:
+    loop_var: "host"
+
 - name: Include vhosts
   ansible.builtin.include_tasks: vhosts.yml

roles/nginx/templates/header.conf.j2

@@ -3,13 +3,15 @@
 	
 	ssl_certificate /etc/x509/{{ item.host }}/fullchain.cer;
 	ssl_certificate_key /etc/x509/{{ item.host }}/{{ item.host }}.key;
-	server_name {{ item.host }};
+	server_name {{ item.host }}{{ ' ' ~ item.san | join(' ') if item.san is defined }};
 	access_log /var/log/nginx/{{ item.host }}.access.log combined;
 	access_log syslog:server=unix:/dev/log combined;
 	error_log /var/log/nginx/{{ item.host }}.error.log;
 	error_log syslog:server=unix:/dev/log;
 {% if item.allowlistv4 is defined %}
-	allow {{ hostvars['haproxy']['ansible_default_ipv4']['address'] }};
+{% for host in groups['lbservers'] %}
+	allow {{ hostvars[host].proxmox_net0.ip | ansible.utils.ipaddr('address') }};
+{% endfor %}
 {% endif %}
 {% if item.allowlistv6 is defined %}
 {% for addrv6 in item.allowlistv6 %}

roles/nginx/templates/nginx.ssl.conf.j2

@@ -3,7 +3,7 @@
 # ANY MODIFICATION IS LIKELY TO BE ERASED
 ##########
 	ssl_session_timeout 1d;
-	ssl_session_cache shared:SSL:50m;
+	ssl_session_cache shared:SSL:10m;
 	ssl_session_tickets off;
 
 	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
@@ -11,7 +11,7 @@
 
 	# intermediate configuration. tweak to your needs.
 	ssl_protocols TLSv1.2 TLSv1.3;
-	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 	ssl_prefer_server_ciphers off;
 
 	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)

roles/nginx/templates/vhosts/analyse.nintendojo.fr.conf.j2

@@ -1,33 +0,0 @@
-server {
-{% include './templates/header.conf.j2' %}
-	
-	root /srv/http/analyse.nintendojo.fr/;
-	index index.html index.htm index.php;
-	
-	location ~ ^/(status|ping|apc_info.php)$ {
-		access_log off;
-		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-		include fastcgi_params;
-		fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
-	}
-	
-	location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
-		expires 2w;
-		log_not_found off;
-	}
-	
-	location ~ \.htaccess$ {
-		deny all;
-	}
-	
-	location ~ ^/tmp {
-		deny all;
-	}
-	
-	location ~ \.php$ {
-		try_files $uri $uri/ =404;
-		fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
-		include fastcgi_params;
-	}
-}
-

roles/nginx/templates/vhosts/forum.nintendojo.fr.conf.j2

@@ -1,6 +1,6 @@
 server {
 {% include './templates/header.conf.j2' %}
-	root /srv/http/forum.nintendojo.fr/;
+	root /var/www/forum.nintendojo.fr/;
 	index index.html index.htm index.php;
 	
 	client_max_body_size 10M;

roles/nginx/templates/vhosts/forum.nintendojofr.com.conf.j2

@@ -1,6 +1,5 @@
 server {
 {% include './templates/header.conf.j2' %}
-	root /srv/http/forum.nintendojofr.com/;
 	index index.html index.htm index.php;
 	
 	location / {

roles/nginx/templates/vhosts/kck.test.mateu.be.conf.j2

@@ -0,0 +1,8 @@
+server {
+{% include './templates/header.conf.j2' %}
+	
+	location / {
+		proxy_pass http://localhost:8080;
+	}
+}
+

roles/nginx/templates/vhosts/r.mateu.be.conf.j2

@@ -1,15 +1,5 @@
 server {
-	listen *:443 ssl http2;
-	listen [::]:443 ssl http2;
-
-	server_name r.mateu.be perso.nintendojo.fr perso.libertus.eu;
-	access_log /var/log/nginx/r.mateu.be.access.log combined;
-	access_log syslog:server=unix:/dev/log combined;
-	error_log /var/log/nginx/r.mateu.be.error.log;
-	error_log syslog:server=unix:/dev/log;
-	ssl_certificate /etc/x509/r.mateu.be/fullchain.cer;
-	ssl_certificate_key /etc/x509/r.mateu.be/r.mateu.be.key;
-
+{% include './templates/header.conf.j2' %}
 	root /srv/www-data/r.mateu.be/;
 
 	location / {

roles/nginx/templates/vhosts/vlt.test.mateu.be.conf.j2

@@ -0,0 +1,8 @@
+server {
+{% include './templates/header.conf.j2' %}
+	
+	location / {
+		proxy_pass http://localhost:8200;
+	}
+}
+

roles/nginx/templates/vhosts/www.nintendojo.fr.conf.j2

@@ -1,16 +1,15 @@
 ## WP NintendojoFR
-server {
-	listen *:443 ssl http2;
-	listen [::]:443 ssl http2;
-	server_name nintendojo.fr www.nintendojo.fr;
-	access_log /var/log/nginx/nintendojo.fr.access.log combined;
-	access_log syslog:server=unix:/dev/log combined;
-	error_log /var/log/nginx/nintendojo.fr.error.log;
-	error_log syslog:server=unix:/dev/log;
-	ssl_certificate /etc/x509/www.nintendojo.fr/fullchain.cer;
-	ssl_certificate_key /etc/x509/www.nintendojo.fr/www.nintendojo.fr.key;
+fastcgi_cache_path
+	/dev/shm/nginx
+	levels=1:2
+	keys_zone=wpdojo:25m
+	inactive=1h
+	max_size=250m;
 
-	root /srv/http/www.nintendojo.fr/;
+server {
+{% include './templates/header.conf.j2' %}
+
+	root /var/www/www.nintendojo.fr/;
 	index index.html index.htm index.php;
 
 	client_max_body_size 2G;

roles/nginx/templates/vhosts/www.nintendojofr.com.conf.j2

@@ -1,15 +1,7 @@
 server {
-	listen *:443 ssl http2;
-	listen [::]:443 ssl http2;
-	server_name nintendojofr.com www.nintendojofr.com;
-	access_log /var/log/nginx/nintendojofr.com.access.log combined;
-	access_log syslog:server=unix:/dev/log combined;
-	error_log /var/log/nginx/nintendojofr.com.error.log;
-	error_log syslog:server=unix:/dev/log;
-	ssl_certificate /etc/x509/nintendojofr.com/fullchain.cer;
-	ssl_certificate_key /etc/x509/nintendojofr.com/nintendojofr.com.key;
+{% include './templates/header.conf.j2' %}
 
-	root /srv/http/www.nintendojofr.com/;
+	root /var/www/www.nintendojofr.com/;
 	index index.html index.htm index.php;
 
 	location ~ ^/forum/(.*)$ {

roles/nginx/templates/vhosts/www.sebicomics.com.conf.j2

@@ -1,54 +0,0 @@
-## WP Sebicomics
-server {
-	listen *:443 ssl http2;
-	listen [::]:443 ssl http2;
-	server_name sebicomics.com www.sebicomics.com;
-	access_log /var/log/nginx/www.sebicomics.com.access.log combined;
-	access_log syslog:server=unix:/dev/log combined;
-	error_log /var/log/nginx/www.sebicomics.com.error.log;
-	error_log syslog:server=unix:/dev/log;
-	ssl_certificate /etc/x509/www.sebicomics.com/fullchain.cer;
-	ssl_certificate_key /etc/x509/www.sebicomics.com/www.sebicomics.com.key;
-
-	root /srv/http/www.sebicomics.com/;
-	index index.html index.htm index.php;
-
-	client_max_body_size 512M;
-
-	# couper les fichiers cachés
-	location ~* /(?:uploads|files)/.*\.php$ {
-		deny all;
-	}
-
-	# couper les fichiers textes du captcha
-	location ~* /wp-content/uploads/wpcf7_captcha/.*\.txt$ {
-		deny all;
-	}
-
-	# Optimisation des images
-	location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
-		expires 1w;
-		log_not_found off;
-	}
-
-	# Interprétation PHP
-	location ~ ^/(index).php(/.*)+ {
-		fastcgi_split_path_info ^(.+\.php)(/.*)$;
-		try_files $fastcgi_script_name =404;
-		fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
-		fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
-		fastcgi_read_timeout 60;
-		include fastcgi_params;
-	}
-
-	location ~ \.php$ {
-		try_files $uri $uri/ =404;
-		fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
-		fastcgi_read_timeout 60;
-		include fastcgi_params;
-	}
-
-	location / {
-		try_files $uri $uri/ /index.php$uri?$args;
-	}
-}

roles/nginx/templates/vhosts/wwwdev.nintendojo.fr.conf.j2

@@ -1,11 +1,9 @@
-## WP NintendojoFR
+## WP dev NintendojoFR
 server {
 {% include './templates/header.conf.j2' %}
 
-	root /srv/http/wwwdev.nintendojo.fr/;
+	root /var/www/wwwdev.nintendojo.fr/;
 	index index.html index.htm index.php;
-	auth_basic "Restricted Area";
-	auth_basic_user_file /etc/nginx/wwwdev.htpasswd;
 
 	client_max_body_size 2G;
 
@@ -19,15 +17,17 @@ server {
 		deny all;
 	}
 
-	# redirige twitter
-	location /feed/twitter {
-		return 307 https://m.nintendojo.fr/@nintendojofr.rss;
+	# Optimisation des images
+	location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+		expires 1w;
+		log_not_found off;
 	}
 
 	# Interprétation PHP
 	location ~ ^/(index).php(/.*)+ {
 		fastcgi_split_path_info ^(.+\.php)(/.*)$;
 		try_files $fastcgi_script_name =404;
+		fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
 		fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
 		fastcgi_read_timeout 60;
 		include fastcgi_params;

roles/nsd/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+
+nsd_master: false

roles/nsd/handlers/main.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Restart nsd
+  ansible.builtin.service:
+    name: nsd
+    state: restarted
+
+- name: Restart systemd-resolved
+  ansible.builtin.service:
+    name: systemd-resolved
+    state: restarted

roles/nsd/tasks/cron.yml

@@ -0,0 +1,18 @@
+---
+
+- name: Install cron script
+  ansible.builtin.template:
+    src: resignall.sh.j2
+    dest: "{{ nsd_cron_script }}"
+    owner: root
+    group: root
+    mode: "0o750"
+
+- name: Install cron
+  ansible.builtin.cron:
+    name: "NSD zone resign"
+    hour: "3"
+    minute: "2"
+    weekday: "3"
+    job: "{{ nsd_cron_script }} &> /dev/null"
+    state: present

roles/nsd/tasks/main.yml

@@ -0,0 +1,68 @@
+---
+
+- name: Install & check prerequisites
+  ansible.builtin.include_tasks: prerequisites.yml
+
+- name: Create slave group
+  ansible.builtin.group_by:
+    key: slave_nsdservers
+  when: not nsd_master
+
+- name: Create master group
+  ansible.builtin.group_by:
+    key: master_nsdservers
+  when: nsd_master
+
+- name: Create zone dir
+  ansible.builtin.file:
+    path: "{{ nsd_default_etc_path }}zones"
+    owner: nsd
+    group: nsd
+    mode: "0o755"
+    state: directory
+
+- name: Create key dir
+  ansible.builtin.file:
+    path: "{{ nsd_default_etc_path }}keys"
+    owner: nsd
+    group: nsd
+    mode: "0o700"
+    state: directory
+
+- name: Create nsd.conf
+  ansible.builtin.template:
+    src: nsd.conf.j2
+    dest: "{{ nsd_default_etc_path }}nsd.conf"
+    owner: root
+    group: root
+    mode: "0o640"
+  notify:
+    - Restart nsd
+
+- name: Create each zone in NSD
+  ansible.builtin.template:
+    src: zone.j2
+    dest: "{{ nsd_default_etc_path }}nsd.conf.d/{{ item.name }}.conf"
+    owner: root
+    group: root
+    mode: "0o644"
+  loop: "{{ zones }}"
+  notify:
+    - Restart nsd
+
+- name: Force zone reload
+  ansible.builtin.meta: flush_handlers
+
+- name: Create zone and reload
+  ansible.builtin.include_tasks: zones.yml
+  loop: "{{ zones }}"
+  when: nsd_master
+
+- name: Install renew cron
+  ansible.builtin.include_tasks: cron.yml
+  when: nsd_master
+
+- name: Ensure nsd is started
+  ansible.builtin.service:
+    name: nsd
+    state: started

roles/nsd/tasks/prerequisites.yml

@@ -0,0 +1,30 @@
+---
+
+- name: Gather facts on listening ports
+  community.general.listen_ports_facts:
+
+- name: Detect systemd-resolve
+  ansible.builtin.set_fact:
+    nsd_systemd_resolve_enable: "{{ ansible_facts.udp_listen | selectattr('port', 'eq', 53) | selectattr('name', 'eq', 'systemd-resolve') | count > 0 }}"
+
+- name: Deactivate DNS stublistener
+  ansible.builtin.lineinfile:
+    path: /etc/systemd/resolved.conf
+    regex: '^#DNSStubListener=yes'
+    line: DNSStubListener=no
+  when: nsd_systemd_resolve_enable
+  notify:
+    - Restart systemd-resolved
+
+- name: Force restart for stub resolver
+  ansible.builtin.meta: flush_handlers
+
+- name: Install nsd & utilities
+  ansible.builtin.package:
+    name:
+      - nsd
+      - dnsutils
+      - ldnsutils
+      - cron
+    state: present
+    update_cache: true

roles/nsd/tasks/zones.yml

@@ -0,0 +1,71 @@
+---
+
+- name: Create zone file
+  ansible.builtin.template:
+    src: "{{ 'zones/parking.zone.j2' if item.parking | default(false) else 'zones/' ~ item.name ~ '.zone.j2' }}"
+    dest: "{{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
+    owner: nsd
+    group: nsd
+    mode: "0o644"
+  vars:
+    dns_serial: "{{ ansible_date_time.epoch }}"
+    web_hostname_block: |-
+      {% for webserver in groups['webservers'] | sort -%}
+      {% for web_hostname in (
+          (hostvars[webserver]['web_hostname']
+          | selectattr('host', 'match', '.*' ~ item.name)
+          | map(attribute='host')
+          +
+          (hostvars[webserver]['web_hostname']
+          | selectattr('san', 'defined')
+          | map(attribute='san')
+          | flatten
+          | select('match', '.*' ~ item.name)))
+        | sort) -%}
+      {% if web_hostname is match("(\S+\.){2}") %}
+      {{ web_hostname | regex_replace('\.' ~ item.name ~ '$', '') }}		IN CNAME {{ hostvars[webserver].ansible_host }}.
+      {% else %}
+      @		IN A {{ global_public_ip_address }}
+      @		IN AAAA {{ hostvars[webserver].proxmox_net0.ip6 | default(hostvars[webserver].ansible_default_ipv6.address) | ansible.utils.ipaddr('address') }}
+      {% endif %}
+      {% endfor %}
+      {% endfor %}
+
+- name: Create zone key dir
+  ansible.builtin.file:
+    path: "{{ nsd_default_etc_path }}keys/{{ item.name }}/"
+    owner: nsd
+    group: nsd
+    mode: "0o750"
+    state: directory
+
+- name: Create the associated keys
+  become: true
+  become_user: nsd
+  ansible.builtin.command:
+    cmd: "ldns-keygen -a ECDSAP256SHA256 -k -s {{ item.name }}"
+    chdir: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/"
+    creates: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/.ds"
+
+- name: Check zone file
+  ansible.builtin.command:
+    cmd: "nsd-checkzone {{ item.name }} {{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
+  changed_when: false
+
+- name: Stat associated keys
+  ansible.builtin.stat:
+    path: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/.ds"
+  register: nsd_stat_keys
+
+- name: Sign zone file
+  become: true
+  become_user: nsd
+  ansible.builtin.command:
+    chdir: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/"
+    cmd: "ldns-signzone -o {{ item.name }} -u {{ nsd_default_etc_path }}/zones/{{ item.name }}.zone {{ (nsd_stat_keys.stat.lnk_target | split('.'))[:-1] | join('.') }}"
+  changed_when: true
+
+- name: Reload zone
+  ansible.builtin.command:
+    cmd: "nsd-control reload {{ item.name }}"
+  changed_when: false

roles/nsd/templates/nsd.conf.j2

@@ -0,0 +1,11 @@
+key:
+	name: "{{ nsd_tsig_key_name }}"
+	algorithm: hmac-sha256
+	secret: "{{ tsig_key }}"
+
+server:
+	log-only-syslog: yes
+	hide-version: yes
+	zonesdir: "/etc/nsd/zones"
+
+include: "/etc/nsd/nsd.conf.d/*.conf"

roles/nsd/templates/resignall.sh.j2

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+for i in {{ nsd_default_etc_path }}keys/*/*.ds
+do
+	# Get the different names
+	FILENAME=${i##*/}
+	KEYNAME=${FILENAME/.ds/}
+	DIRPATH=${i/${FILENAME}/}
+	_ZONEFILEPATH=${DIRPATH/keys/zones}
+	ZONEFILEPATH=${_ZONEFILEPATH%/*}.zone
+	_ZONENAME=${_ZONEFILEPATH%/*}
+	ZONENAME=${_ZONENAME##*/}
+
+	cd $DIRPATH
+	sudo -u nsd /usr/bin/ldns-signzone -o ${ZONENAME} -u ${ZONEFILEPATH} ${KEYNAME}
+	/usr/sbin/nsd-control reload ${ZONENAME}
+done

roles/nsd/templates/zone.j2

@@ -0,0 +1,23 @@
+{% set other_server = groups['slave_nsdservers'] if nsd_master else (groups['master_nsdservers'] | first) -%}
+{% set default_ipv4 = hostvars[other_server].ansible_default_ipv4.address -%}
+{% set default_ipv6 = hostvars[other_server].ansible_default_ipv6.address -%}
+zone:
+    name: "{{ item.name }}"
+    zonefile: {{ item.name }}.zone.signed
+    {% if nsd_master -%}
+    {% for server in other_server -%}
+    {% set default_ipv4 = hostvars[server].natted_ipv4 | default(hostvars[server].ansible_default_ipv4.address) -%}
+    {% set default_ipv6 = hostvars[server].ansible_default_ipv6.address -%}
+    notify: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
+    provide-xfr: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
+    notify: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
+    provide-xfr: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
+    {% endfor -%}
+    {% else -%}
+    {% set default_ipv4 = hostvars[other_server].natted_ipv4 | default(hostvars[other_server].ansible_default_ipv4.address) -%}
+    {% set default_ipv6 = hostvars[other_server].ansible_default_ipv6.address -%}
+    allow-notify: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
+    request-xfr: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
+    allow-notify: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
+    request-xfr: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
+    {% endif -%}

roles/nsd/templates/zones/giteu.be.zone.j2

@@ -0,0 +1,21 @@
+$TTL 86400
+{% set firstserver = groups['master_nsdservers'] | first %}
+@		IN SOA {{ hostvars[firstserver].nsd_ansible_host | default(hostvars[firstserver].ansible_host) }}. tech.ovh.net. (
+				{{ dns_serial }}; timestamp serial number
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+@		IN NS {{ hostvars[server].nsd_ansible_host | default(hostvars[server].ansible_host) }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+@		IN CAA 0 issue "letsencrypt.org"
+@		IN MX 0 .
+@		IN TXT "v=spf1 -all"
+@		IN TXT "spf2.0/mfrom -all"
+_dmarc		IN TXT "v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;"
+{{ web_hostname_block }}

roles/nsd/templates/zones/libertus.eu.zone.j2

@@ -0,0 +1,32 @@
+$TTL 86400
+{% set firstserver = groups['master_nsdservers'] | first %}
+@		IN SOA {{ hostvars[firstserver].nsd_ansible_host | default(hostvars[firstserver].ansible_host) }}. tech.ovh.net. (
+				{{ dns_serial }}; timestamp serial number
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+@		IN NS {{ hostvars[server].nsd_ansible_host | default(hostvars[server].ansible_host) }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+@		IN CAA 0 issue "letsencrypt.org"
+@		IN MX 1 mail.dmz.mateu.be.
+@		3600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all"
+@		3600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
+_dmarc		3600 IN TXT "v=DMARC1; p=reject; rua=mailto:report@mateu.be; adkim=s; aspf=s"
+dkim._domainkey		3600 IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
+_jabber._tcp		IN SRV 0 0 5269 jabber.dmz.mateu.be.
+_xmpp-client._tcp		IN SRV 0 0 5222 jabber.dmz.mateu.be.
+_xmpp-server._tcp		IN SRV 0 0 5269 jabber.dmz.mateu.be.
+_xmppconnect		IN TXT "_xmpp-client-xbosh=https://xmpp.libertus.eu/http-bind"
+altsrv		IN CNAME ks3370405.kimsufi.com.
+p		IN MX 1 mail.dmz.mateu.be.
+p		3600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all"
+p		3600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
+_dmarc.p		3600 IN TXT "v=DMARC1; p=reject; rua=mailto:report@mateu.be; adkim=s; aspf=s"
+dkim._domainkey.p		3600 IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
+{{ web_hostname_block }}

roles/nsd/templates/zones/mateu.be.zone.j2

@@ -0,0 +1,65 @@
+$TTL 86400
+{% set firstserver = groups['master_nsdservers'] | first %}
+{% set current_firstserver = hostvars[firstserver].nsd_ansible_host | default(hostvars[firstserver].ansible_host) %}
+@		IN SOA {{ current_firstserver | regex_replace('^([a-z0-9-]+)\\.', '\\1-v4.') if current_firstserver.endswith('mateu.be') else current_firstserver }}. tech.ovh.net. (
+				{{ dns_serial }}; timestamp serial number
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+{% set current_host = hostvars[server].nsd_ansible_host | default(hostvars[server].ansible_host) %}
+@		IN NS {{ current_host | regex_replace('^([a-z0-9-]+)\\.', '\\1-v4.') if current_host.endswith('mateu.be') else current_host }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+@		IN CAA 0 issue "letsencrypt.org"
+@		IN MX 1 mail.dmz.mateu.be.
+@		3600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all"
+@		3600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
+_dmarc		3600 IN TXT "v=DMARC1; p=reject; rua=mailto:report@mateu.be; adkim=s; aspf=s"
+dkim._domainkey		3600 IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
+libertus.eu._report._dmarc		3600 IN TXT "v=DMARC1;"
+nintendojo.fr._report._dmarc		3600 IN TXT "v=DMARC1;"
+p.libertus.eu._report._dmarc		3600 IN TXT "v=DMARC1;"
+altsrv		IN CNAME ks3370405.kimsufi.com.
+backup		IN A 10.233.212.60
+baybay-ponay		IN AAAA 2a01:e0a:9bd:2810:9e6b:ff:fe13:ef88
+ciol		IN A 109.190.68.133
+derdriu		IN A 10.233.212.77
+enbarr.dmz		IN AAAA 2a01:e0a:9bd:2811::50
+evse		IN A 10.233.211.198
+fc		IN A 10.233.211.194
+frederica.dmz		IN A {{ global_public_ip_address }}
+frederica.dmz		IN AAAA 2a01:e0a:9bd:2811::60
+ftp		IN A 10.233.212.14
+garreg-mach		IN A 10.233.212.66
+haos.dmz		IN A {{ global_public_ip_address }}
+haos.dmz		IN AAAA 2a01:e0a:9bd:2811::51
+ha				IN A 10.233.212.51
+libreelec		IN A 10.233.212.91
+machinbox		IN A {{ global_public_ip_address }}
+machinbox		IN AAAA 2a01:e0a:9bd:2810::1
+mailalt		IN CNAME altsrv
+memcardprogc	IN A 10.233.211.199
+nfs		IN A 10.233.212.60
+nsd-master1.ext		IN A 37.187.5.75
+nsd-master1-v4.ext		IN A 37.187.5.75
+nsd-master1.ext		IN AAAA 2001:41d0:a:54b::1
+nsd-master1-v6.ext		IN AAAA 2001:41d0:a:54b::1
+rb		IN A 194.156.203.253
+rc		IN A 10.233.211.195
+rm4pro	IN A 10.233.211.200
+serenor.dmz		IN A {{ global_public_ip_address }}
+serenor.dmz		IN AAAA 2a01:e0a:9bd:2811::59
+{% for proxmox_host in groups['proxmox_all_lxc'] | sort %}
+{{ proxmox_host }}.dmz	IN A {{ global_public_ip_address }}
+{% if proxmox_host.startswith('dns') %}
+{{ proxmox_host }}-v4.dmz	IN A {{ global_public_ip_address }}
+{{ proxmox_host }}-v6.dmz	IN AAAA {{ hostvars[proxmox_host].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}
+{% endif %}
+{{ proxmox_host }}.dmz	IN AAAA {{ hostvars[proxmox_host].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}
+{% endfor %}
+{{ web_hostname_block }}

roles/nsd/templates/zones/nintendojo.fr.zone.j2

@@ -0,0 +1,24 @@
+$TTL 86400
+{% set firstserver = groups['master_nsdservers'] | first %}
+@		IN SOA {{ hostvars[firstserver].nsd_ansible_host | default(hostvars[firstserver].ansible_host) }}. tech.ovh.net. (
+				{{ dns_serial }}; timestamp serial number
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+@		IN NS {{ hostvars[server].nsd_ansible_host | default(hostvars[server].ansible_host) }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+@		IN CAA 0 issue "letsencrypt.org"
+@		IN MX 1 mail.dmz.mateu.be.
+@		3600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all"
+@		3600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
+@		3600 IN TXT "google-site-verification=rIe1fnrQnv-E1H8qsMtEIhM4XYUqCELshWH9pHkwPBI"
+_dmarc		3600 IN TXT "v=DMARC1; p=reject; rua=mailto:report@mateu.be; adkim=s; aspf=s"
+dkim._domainkey		3600 IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
+mumble		IN CNAME voice1.dmz.mateu.be.
+{{ web_hostname_block }}

roles/nsd/templates/zones/nintendojofr.com.zone.j2

@@ -0,0 +1,21 @@
+$TTL 86400
+{% set firstserver = groups['master_nsdservers'] | first %}
+@		IN SOA {{ hostvars[firstserver].nsd_ansible_host | default(hostvars[firstserver].ansible_host) }}. tech.ovh.net. (
+				{{ dns_serial }}; timestamp serial number
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+@		IN NS {{ hostvars[server].nsd_ansible_host | default(hostvars[server].ansible_host) }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+@		IN CAA 0 issue "letsencrypt.org"
+@		IN MX 0 .
+@		IN TXT "v=spf1 -all"
+@		IN TXT "spf2.0/mfrom -all"
+_dmarc		IN TXT "v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;"
+{{ web_hostname_block }}

roles/nsd/templates/zones/parking.zone.j2

@@ -0,0 +1,20 @@
+$TTL 86400
+{% set firstserver = groups['master_nsdservers'] | first %}
+@		IN SOA {{ hostvars[firstserver].nsd_ansible_host | default(hostvars[firstserver].ansible_host) }}. tech.ovh.net. (
+				{{ dns_serial }}; timestamp serial number
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+@		IN NS {{ hostvars[server].nsd_ansible_host | default(hostvars[server].ansible_host) }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+@		IN CAA 0 issue ";"
+@		IN MX 0 .
+@		IN TXT "v=spf1 -all"
+@		IN TXT "spf2.0/mfrom -all"
+_dmarc		IN TXT "v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;"

roles/nsd/vars/main.yml

@@ -0,0 +1,5 @@
+---
+
+nsd_default_etc_path: "/etc/nsd/"
+nsd_tsig_key_name: "tsig0"
+nsd_cron_script: /usr/local/bin/resignall.sh

roles/oolatoocs/vars/main.yml

@@ -2,5 +2,5 @@
 
 oolatoocs_db_dir: /var/lib/oolatoocs
 oolatoocs_url: https://r.mateu.be/oolatoocs/oolatoocs
-oolatoocs_version: v4.2.0
+oolatoocs_version: v4.3.0
 oolatoocs_local_bin_path: /usr/local/bin/oolatoocs

roles/peertube/vars/main.yml

@@ -1,6 +1,6 @@
 ---
 
-peertube_version: "7.1.0"
+peertube_version: "7.2.2"
 peertube_home: "/srv/peertube"
 peertube_url: "https://github.com/Chocobozzz/PeerTube/releases/download/v{{ peertube_version }}/peertube-v{{ peertube_version }}.zip"
 

roles/phpbb/files/dojopeertube.yml

@@ -0,0 +1,7 @@
+---
+name: DojoPeertube
+host: p.nintendojo.fr
+example: https://p.nintendojo.fr/videos/embed/19bc46e8-7640-4417-86a1-03aa2b439508
+extract: "!//p.nintendojo.fr/videos/embed/(?'id'[0-9a-fA-F]{8}\\b-[0-9a-fA-F]{4}\\b-[0-9a-fA-F]{4}\\b-[0-9a-fA-F]{4}\\b-[0-9a-fA-F]{12})!"
+iframe:
+    src: "https://p.nintendojo.fr/videos/embed/{@id}"

roles/phpbb/files/mastodon.yml

@@ -0,0 +1,18 @@
+---
+name: "Mastodon"
+host: m.nintendojo.fr
+example: https://mastodon.social/@HackerNewsBot/100181134752056592
+extract: "!//(?'host'[-.\\w]+)/@(?'name'\\w+)/(?'id'\\d+)!"
+oembed:
+    endpoint: https://m.nintendojo.fr/api/oembed
+    scheme: https://m.nintendojo.fr/@{@name}/{@id}
+scrape:
+    - extract: "!\"url\":\"https://(?'host'[-.\\w]+)/@(?'name'\\w+)/(?'id'\\d+)\"!"
+    - match: "!^(?'origin'https://[^/]+)/@\\w+@[-.\\w]+/(?'id'\\d+)!"
+    - url: "{@origin}/api/v1/statuses/{@id}"
+iframe:
+    data-s9e-livepreview-ignore-attrs: "style"
+    onload: "let c=new MessageChannel;c.port1.onmessage=e=>this.style.height=e.data+'px';this.contentWindow.postMessage('s9e:init','*',[c.port2])"
+    width: "550"
+    height: "300"
+    src: https://s9e.github.io/iframe/2/mastodon.min.html#<xsl:value-of select="@name"/><xsl:if test="@host and@host!='mastodon.social'">@<xsl:value-of select="@host"/></xsl:if>/<xsl:value-of select="@id"/>

roles/phpbb/tasks/db.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Create phpbb db user
+  community.mysql.mysql_user:
+    login_unix_socket: "/var/run/mysqld/mysqld.sock"
+    login_user: root
+    login_password: "{{ mariadb_root_pass }}"
+    name: "{{ phpbb_maria_user }}"
+    password: "{{ phpbb_maria_password }}"
+    priv: "{{ phpbb_maria_database }}.*:ALL"

roles/phpbb/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+
+- name: Init db
+  ansible.builtin.include_tasks: db.yml
+
+- name: Install phpbb
+  ansible.builtin.include_tasks: phpbb.yml
+
+- name: Install phpbb’s styles
+  ansible.builtin.include_tasks: phpbb_styles.yml
+  loop: "{{ phpbb_styles }}"
+
+- name: Install phpbb’s languages
+  ansible.builtin.include_tasks: phpbb_languages.yml
+  loop: "{{ phpbb_languages }}"
+
+- name: Install phpbb’s extensions
+  ansible.builtin.include_tasks: phpbb_exts.yml
+  loop: "{{ phpbb_exts }}"
+  loop_control:
+    loop_var: ext
+
+- name: Custom part
+  ansible.builtin.include_tasks: phpbb_customs.yml
+
+- name: Migrate db
+  ansible.builtin.include_tasks: migrate_db.yml

roles/phpbb/tasks/migrate_db.yml

@@ -0,0 +1,14 @@
+---
+
+- name: Migrate db
+  become: true
+  become_user: www-data
+  ansible.builtin.command:
+    cmd: "/usr/bin/php bin/phpbbcli.php db:migrate"
+    chdir: "{{ phpbb_app_home }}"
+  changed_when: false
+
+- name: Remove install directory
+  ansible.builtin.file:
+    dest: "{{ phpbb_app_home }}/install"
+    state: absent

roles/phpbb/tasks/phpbb.yml

@@ -0,0 +1,77 @@
+---
+
+- name: Remove phpbb previous version
+  ansible.builtin.file:
+    state: absent
+    dest: "{{ phpbb_app_home }}"
+
+## Handle app data
+- name: Create app home
+  ansible.builtin.file:
+    state: directory
+    dest: "{{ phpbb_app_home }}"
+    owner: root
+    group: www-data
+    mode: "0o750"
+
+- name: Install phpbb application
+  ansible.builtin.unarchive:
+    remote_src: true
+    src: "{{ phpbb_url }}"
+    dest: "{{ phpbb_app_home }}"
+    owner: root
+    group: www-data
+    mode: "a-rwx,u+rwX,g+rX"
+    extra_opts: ['--strip-components=1']
+    exclude: "{{ phpbb_userdata_app_dirs | map('regex_replace', '^^', 'phpBB' ~ phpbb_major_version ~ '/') }}"
+
+- name: Check writable dirs
+  ansible.builtin.file:
+    state: directory
+    dest: "{{ phpbb_app_home }}/{{ item }}"
+    owner: www-data
+    group: www-data
+    mode: "a-rwx,u+rwX,g+rX"
+    recurse: true
+  loop: "{{ phpbb_writable_app_dirs }}"
+
+## Handle user data
+- name: Create data home
+  ansible.builtin.file:
+    state: directory
+    path: "{{ phpbb_data_home }}"
+    owner: www-data
+    group: www-data
+    mode: "a-rwx,u+rwX,g+rX"
+
+- name: Get data dir
+  ansible.builtin.stat:
+    path: "{{ phpbb_data_home }}/{{ phpbb_userdata_app_dirs[0] }}"
+  register: _phpbb_userdata_dir_stat
+
+- name: Install phpbb data dir
+  ansible.builtin.unarchive:
+    remote_src: true
+    src: "{{ phpbb_url }}"
+    dest: "{{ phpbb_data_home }}"
+    owner: www-data
+    group: www-data
+    mode: "a-rwx,u+rwX,g+rX"
+    extra_opts: ['--strip-components=1']
+    include: "{{ phpbb_userdata_app_dirs | map('regex_replace', '^^', 'phpBB' ~ phpbb_major_version ~ '/') }}"
+  when: not _phpbb_userdata_dir_stat.stat.exists
+
+- name: Link phpbb userdata dirs
+  ansible.builtin.file:
+    state: link
+    src: "{{ phpbb_data_home }}/{{ item }}"
+    dest: "{{ phpbb_app_home }}/{{ item }}"
+  loop: "{{ phpbb_userdata_app_dirs }}"
+
+- name: Put phpbb config file
+  ansible.builtin.template:
+    src: config.php.j2
+    dest: "{{ phpbb_app_home }}/config.php"
+    owner: root
+    group: www-data
+    mode: "0o640"

roles/phpbb/tasks/phpbb_customs.yml

@@ -0,0 +1,27 @@
+---
+
+- name: Put logo file
+  ansible.builtin.copy:
+    src: files/ndfr_casual.png
+    dest: "{{ phpbb_app_home }}/styles/prosilver/theme/images/ndfr_casual.png"
+    owner: root
+    group: www-data
+    mode: "0o640"
+
+- name: Replace logo
+  ansible.builtin.lineinfile:
+    path: "{{ phpbb_app_home }}/styles/prosilver/theme/colours.css"
+    search_string: "background-image: url(\"./images/site_logo.svg\");"
+    line: "	background-image: url(\"./images/ndfr_casual.png\");"
+
+- name: Stretch logo (width)
+  ansible.builtin.lineinfile:
+    path: "{{ phpbb_app_home }}/styles/prosilver/theme/common.css"
+    search_string: "width: 149px;"
+    line: "	width: 200px;"
+
+- name: Stretch logo (height)
+  ansible.builtin.lineinfile:
+    path: "{{ phpbb_app_home }}/styles/prosilver/theme/common.css"
+    search_string: "height: 52px;"
+    line: "	height: 80px;"

roles/phpbb/tasks/phpbb_exts.yml

@@ -0,0 +1,29 @@
+---
+
+- name: Create phpbb ext path
+  ansible.builtin.file:
+    state: directory
+    dest: "{{ phpbb_app_home }}/ext/{{ ext.path }}"
+    owner: root
+    group: www-data
+    mode: "0o750"
+
+- name: Extract phpbb ext
+  ansible.builtin.unarchive:
+    remote_src: true
+    src: "{{ ext.url | replace('%VERSION%', ext.version) }}"
+    dest: "{{ phpbb_app_home }}/ext/{{ ext.path }}"
+    owner: root
+    group: www-data
+    mode: "a-rwx,u+rwX,g+rX"
+    extra_opts: ['--strip-components=1']
+
+- name: Put extra files
+  ansible.builtin.copy:
+    src: "{{ item.src }}"
+    dest: "{{ phpbb_app_home }}/ext/{{ ext.path }}/{{ item.dest }}"
+    owner: root
+    group: www-data
+    mode: "0o640"
+  loop: "{{ ext.extra_files }}"
+  when: ext.extra_files is defined

roles/phpbb/tasks/phpbb_languages.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Extract phpbb language
+  ansible.builtin.unarchive:
+    remote_src: true
+    src: "{{ item.url | replace('%VERSION%', item.version) }}"
+    dest: "{{ phpbb_app_home }}"
+    owner: root
+    group: www-data
+    mode: "a-rwx,u+rwX,g+rX"
+    extra_opts: ['--strip-components=1']

roles/phpbb/tasks/phpbb_styles.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Extract style
+  ansible.builtin.unarchive:
+    remote_src: true
+    src: "{{ item.url | replace('%VERSION%', item.version) }}"
+    dest: "{{ phpbb_app_home }}/styles/"
+    owner: root
+    group: www-data
+    mode: "a-rwx,u+rwX,g+rX"
+    extra_opts: ['--strip-components=1']

roles/phpbb/templates/config.php.j2

@@ -0,0 +1,19 @@
+<?php
+// phpBB 3.0.x auto-generated configuration file
+// Do not change anything in this file!
+$dbms = 'mysqli';
+$dbhost = 'localhost';
+$dbport = '';
+$dbname = '{{ phpbb_maria_database }}';
+$dbuser = '{{ phpbb_maria_user }}';
+$dbpasswd = '{{ phpbb_maria_password }}';
+$table_prefix = 'phpbb_';
+$acm_type = 'file';
+$load_extensions = '';
+
+libxml_disable_entity_loader(false);
+
+@define('PHPBB_INSTALLED', true);
+// @define('DEBUG', true);
+// @define('DEBUG_EXTRA', true);
+?>

roles/phpbb/vars/main.yml

@@ -0,0 +1,45 @@
+---
+
+phpbb_version: "3.3.15"
+phpbb_minor_version: "{{ phpbb_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
+phpbb_major_version: "{{ phpbb_version | regex_replace('^([0-9])\\..*', '\\1') }}"
+
+phpbb_url: "https://download.phpbb.com/pub/release/{{ phpbb_minor_version }}/{{ phpbb_version }}/phpBB-{{ phpbb_version }}.tar.bz2"
+phpbb_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'phpbb') | map(attribute='host') | first }}"
+
+# Access path
+phpbb_app_home: "/var/www/{{ phpbb_access_url }}"
+phpbb_data_home: "/srv/www-data/{{ phpbb_access_url }}"
+
+phpbb_writable_app_dirs:
+  - cache
+  - store
+phpbb_userdata_app_dirs:
+  - files
+  - images
+
+phpbb_styles:
+  - name: black
+    version: 3.3.12
+    url: "https://github.com/cabot/black/archive/refs/tags/v%VERSION%.tar.gz"
+
+
+phpbb_languages:
+  - name: fr
+    version: 4.15.0
+    url: "https://github.com/qiaeru/phpbb-language-fr/archive/refs/tags/v%VERSION%.tar.gz"
+
+phpbb_exts:
+  - name: externallink
+    path: martin/externallinkinnewwindow
+    version: 1.2.0
+    url: "https://github.com/Mar-tin-G/ExternalLinkInNewWindow/archive/refs/tags/%VERSION%.tar.gz"
+  - name: mediaembed
+    path: phpbb/mediaembed
+    version: 2.0.2
+    url: "https://github.com/phpbb-extensions/mediaembed/archive/refs/tags/%VERSION%.tar.gz"
+    extra_files:
+      - src: files/mastodon.yml
+        dest: collection/sites/mastodon.yml
+      - src: files/dojopeertube.yml
+        dest: collection/sites/dojopeertube.yml