
VC
0a47e8e602 🚨: lint properly acme.yml
2025-04-10 13:31:11 +02:00
89 changed files with 232 additions and 2285 deletions


@@ -2,5 +2,5 @@
nocows = 1 nocows = 1
callbacks_enabled = profile_tasks callbacks_enabled = profile_tasks
roles_path = roles roles_path = roles
result_format = yaml stdout_callback = yaml
vault_password_file = ~/.ansible-vault vault_password_file = ~/.ansible-vault


@@ -8,6 +8,8 @@ zones:
parking: true parking: true
- name: nintendojo.fr - name: nintendojo.fr
- name: nintendojofr.com - name: nintendojofr.com
- name: nouvelempire.net
parking: true
- name: pipoworld.fr - name: pipoworld.fr
parking: true parking: true


@@ -6,7 +6,6 @@ web_hostname:
- host: btf.mateu.be - host: btf.mateu.be
allowlistv4: allowlistv4:
- 88.175.123.77/32 - 88.175.123.77/32
- 109.9.84.47/32
allowlistv6: allowlistv6:
- 2a01:e0a:9bd:2811::/64 - 2a01:e0a:9bd:2811::/64
- 2a01:e0a:9bd:2810::/64 - 2a01:e0a:9bd:2810::/64
@@ -16,7 +15,6 @@ web_hostname:
- 2001:910:13c8::/48 - 2001:910:13c8::/48
- 2a01:e0a:bde:d350::/64 - 2a01:e0a:bde:d350::/64
- 2a01:cb00:f55:2d00::/64 - 2a01:cb00:f55:2d00::/64
- 2a01:cb00:89e3:2c00::/64
nginx_extra_mods: nginx_extra_mods:
- fancyindex - fancyindex


@@ -1,7 +1,6 @@
--- ---
web_hostname: web_hostname:
- host: garage.mateu.be - host: garage.mateu.be
- host: admin.garage.mateu.be
- host: mastodon-ndfr.garage.mateu.be - host: mastodon-ndfr.garage.mateu.be
- host: medias.m.nintendojo.fr - host: medias.m.nintendojo.fr
- host: nextcloud-libertus.garage.mateu.be - host: nextcloud-libertus.garage.mateu.be


@@ -13,10 +13,11 @@ web_hostname:
type: bac type: bac
- host: mail.libertus.eu - host: mail.libertus.eu
type: roundcube type: roundcube
- host: perso.nintendojo.fr
acme_unmanaged: true
- host: perso.libertus.eu
acme_unmanaged: true
- host: r.mateu.be - host: r.mateu.be
san:
- perso.libertus.eu
- perso.nintendojo.fr
- host: ff.libertus.eu - host: ff.libertus.eu
type: firefly3 type: firefly3
- host: koi.libertus.eu - host: koi.libertus.eu
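Review bot: `acme_unmanaged: true` on `perso.nintendojo.fr` and `perso.libertus.eu` only suppresses issuance, as far as this page shows (the nginx role feeds `web_hostname | rejectattr('acme_unmanaged', 'defined')` into acme.yml), while the vhost template still points `ssl_certificate` at `/etc/x509/{{ item.host }}/fullchain.cer`, and nothing records where those two certificates are supposed to come from. A missing file there makes nginx refuse to reload and takes every vhost on the box with it, so the out-of-band source belongs next to the flag, e.g. `# acme_unmanaged: cert is provisioned outside this role; acme.sh must not issue or renew it`. Worth adding to the same comment that the filter is presence-based: a host with `acme_unmanaged: false` is skipped exactly like one with `true`.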


@@ -2,16 +2,15 @@
php_modules: ['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'xml', 'bcmath', 'curl', 'imagick'] php_modules: ['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'xml', 'bcmath', 'curl', 'imagick']
web_hostname: web_hostname:
- host: nintendojo.fr
acme_unmanaged: true
- host: www.nintendojo.fr - host: www.nintendojo.fr
type: wordpress
san:
- nintendojo.fr
- host: forum.nintendojo.fr - host: forum.nintendojo.fr
type: phpbb type: phpbb
- host: nintendojofr.com
acme_unmanaged: true
- host: www.nintendojofr.com - host: www.nintendojofr.com
type: retrodojo type: retrodojo
san:
- nintendojofr.com
- host: forum.nintendojofr.com - host: forum.nintendojofr.com
mariadb_root_pass: !vault | mariadb_root_pass: !vault |
@@ -51,3 +50,12 @@ retrodojo_maria_password: !vault |
65386530353032336161353330313863623231646632643861666562353764373066663337353063 65386530353032336161353330313863623231646632643861666562353764373066663337353063
6364633734323732390a363539333537396164633965346637313532666366336362346663326661 6364633734323732390a363539333537396164633965346637313532666366336362346663326661
6663 6663
webapps_htpasswd_editeurs: !vault |
$ANSIBLE_VAULT;1.1;AES256
63663638356139373663646639633762393761333536393331363066353039393266306638326336
3235353238666261373032363633626333646662343461330a393534633530353330323637386239
63336532646235663732623561333963643436353165633165663430313132626561363361333736
6662313535333063390a386532313335663836393562656564306633303933633234393139316131
61376332373961303961303963656565633639333130346565386361313338346235623434616239
6637613630333963363963646465633939663863356633373264


@@ -1,24 +0,0 @@
---
php_modules: ['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'xml', 'bcmath', 'curl', 'imagick']
web_hostname:
- host: wwwdev.nintendojo.fr
type: wordpress
mariadb_root_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
65373663323065306532306235313032383331353337396131383766323535633831383062393632
3438613735613365333264356465336162346263666236300a306234336566303863346539343531
37313932653964366233393038306235353134356230653336306232373430386662306634616431
6332333837663064340a643535386465626636343436303263666333383461383730396135396666
3539
wordpress_maria_database: "dojo_wpdev"
wordpress_maria_user: "adm_wpdev"
wordpress_maria_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
66613837353166633536656166383232646232303535643931313531636230353265633638626231
6231323738656466333164326238666166383931633133380a633764366462323261376632666565
63646365636133363338383233653930663139343238313131313365646663393761656361333332
6634333736356438390a316237373836373132666334306661363863383665663139623935646437
6331


@@ -1,48 +0,0 @@
---
php_modules: ['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'xml', 'curl']
web_hostname:
- host: amp.mateu.be
type: ampache
mariadb_root_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
31383364656638313430656537323233316335356361303262623138313364383066343536643961
6332343162326361313039623132373334366436393565340a373137643666333937353339616639
62313461306232383261323363656636623961373462316236396161376466386237376434663165
3739333432313636390a343366626138663361653936306134323539393034316332666431633739
38633832326663623061396131316636336233373939393061363565653233636164
ampache_maria_user: "adm_ampache"
ampache_maria_database: "libertus_ampache"
ampache_maria_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
34313061393731613038613462303864626137623631313965356638316465643035373964373765
6633666431663139653832323836306162636465626335610a386535653238333836666162303637
33616535383332626461643634343065653432613063346263363366363733363165343230663436
3231333639313666350a373561613938326631336430346135323438626265666639333234396161
63316432353261653163336638613538383537656635636463393665336332653231
ampache_secret_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
37353866623062613737313866323261363334633965313064366366333839653862376538363463
3330386361393362306437663163326330373635313063650a633866633032343162393231326266
63393565306465386361373236363135376666323663393966653564393066653039336137663265
6634356164636436610a626362646239343432663037623934393030356131663434303763663337
37323230613639376363346230346261323962616633636632623139656435363838
ampache_musicbrainz_username: !vault |
$ANSIBLE_VAULT;1.1;AES256
39363439306662643164353238343131303764316238663366633737626338306431666133363161
3632346334666466663935323638393065383030353338620a646265326135663266643235376235
36343831376137323661363535366535376430616230316562323131326634633636393432326462
3738303732366366620a633464616266666330386563393133613063333863663037373861366336
65623863393766376365643537636361636332373535393633636465616566366432333636643363
6236653638303435303134626630383634343132336463313565
ampache_musicbrainz_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
37363533353764366533343334383663356431646530633034333036306630376136346238653937
6165353865386239386433323263343636356635646134640a363734336266663833636431353634
61306165376364393563306666306630623538316632633666653732363830626662333336653135
6634656263326230360a323932396639666464353463333063613732363334333763613832366139
33633432346164373164613832326264646463336134336436623765313535376662303063306164
3164363264383832363135646331656537663262323463396137


@@ -1,6 +1,6 @@
--- ---
plugin: community.proxmox.proxmox plugin: community.general.proxmox
url: https://serenor.dmz.mateu.be:8006 url: https://serenor.dmz.mateu.be:8006
user: !vault | user: !vault |
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256


@@ -89,7 +89,6 @@ disabled_munin:
muse-HP-EliteBook-820-G2: muse-HP-EliteBook-820-G2:
pinkypie: pinkypie:
ks3370405: ks3370405:
haos:
disabled_syslog: disabled_syslog:
hosts: hosts:
@@ -98,7 +97,6 @@ disabled_syslog:
muse-HP-EliteBook-820-G2: muse-HP-EliteBook-820-G2:
pinkypie: pinkypie:
ks3370405: ks3370405:
haos:
# Those are not servers and should not be configured as such # Those are not servers and should not be configured as such
disabled_server_conf: disabled_server_conf:


@@ -10,4 +10,5 @@
hosts: actrunnerservers hosts: actrunnerservers
diff: true diff: true
roles: roles:
- docker
- act_runner - act_runner


@@ -1,6 +0,0 @@
---
- name: Install podman
hosts: podmanservers
roles:
- podman


@@ -54,8 +54,6 @@
import_playbook: peertube.yml import_playbook: peertube.yml
- name: Run elasticsearch playbook - name: Run elasticsearch playbook
import_playbook: elasticsearch.yml import_playbook: elasticsearch.yml
- name: Run podman playbook
import_playbook: podman.yml
- name: Run gitea playbook - name: Run gitea playbook
import_playbook: gitea.yml import_playbook: gitea.yml
- name: Run vaultwarden playbook - name: Run vaultwarden playbook


@@ -29,17 +29,3 @@
tags: [never, phpbb] tags: [never, phpbb]
- role: retrodojo - role: retrodojo
tags: [never, retrodojo] tags: [never, retrodojo]
- name: Install dojo webapplications
hosts: web3
diff: true
roles:
- role: wordpress
tags: [never, wordpress]
- name: Install libertus webapplications
hosts: web4
diff: true
roles:
- role: ampache
tags: [never, ampache]


@@ -1,7 +1,14 @@
--- ---
- name: Configure act_runner user - name: Create act_runner user
ansible.builtin.include_tasks: user.yml ansible.builtin.user:
name: "{{ act_runner_user }}"
state: present
system: true
create_home: true
home: "{{ act_runner_home }}"
groups:
- docker
- name: Download act_runner executable - name: Download act_runner executable
ansible.builtin.get_url: ansible.builtin.get_url:
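Review bot: The new `Create act_runner user` task adds the account to `groups: - docker` without `append: true`, so `ansible.builtin.user` replaces whatever supplementary groups the account already has, and `docker` membership itself is passwordless control of the daemon, which is root on the host: any CI job the runner picks up can bind-mount `/` or start a privileged container. The socket-per-user setup this replaces kept jobs inside the runner's own uid, so if the move to the shared daemon is deliberate it should be stated above the task, e.g. `# NOTE: docker group == root-equivalent; only trusted repositories may target this runner`, and runner labels/registration restricted accordingly. At minimum add `append: true` beside `groups:` so unrelated memberships are not stripped on every run. The task list continues past the hunk.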


@@ -1,33 +0,0 @@
---
- name: Create act_runner user
ansible.builtin.user:
name: "{{ act_runner_user }}"
state: present
system: true
create_home: true
home: "{{ act_runner_home }}"
register: _act_runner_user
- name: Configure subuid/subgid
ansible.builtin.lineinfile:
path: "/etc/{{ item }}"
state: present
line: "{{ act_runner_user }}:100000:65536"
loop:
- subuid
- subgid
- name: Enable linger
ansible.builtin.command:
cmd: "/usr/bin/loginctl enable-linger {{ act_runner_user }}"
creates: "/var/lib/systemd/linger/{{ act_runner_user }}"
- name: Ensure podman is started
ansible.builtin.systemd_service:
name: podman.socket
state: started
enabled: true
scope: user
become: true
become_user: "{{ act_runner_user }}"


@@ -11,7 +11,6 @@ TimeoutSec=0
RestartSec=10 RestartSec=10
Restart=always Restart=always
User={{ act_runner_user }} User={{ act_runner_user }}
Environment=DOCKER_HOST="unix:///run/user/{{ _act_runner_user.uid }}/podman/podman.sock"
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target


@@ -1,8 +1,8 @@
--- ---
act_runner_version: "0.2.13" act_runner_version: "0.2.11"
act_runner_url: "https://gitea.com/gitea/act_runner/releases/download/v{{ act_runner_version }}/act_runner-{{ act_runner_version }}-linux-amd64" act_runner_url: "https://gitea.com/gitea/act_runner/releases/download/v{{ act_runner_version }}/act_runner-{{ act_runner_version }}-linux-amd64"
act_runner_home: "/srv/act_runner" act_runner_home: "/var/lib/act_runner"
act_runner_bin: "/usr/local/bin/act_runner" act_runner_bin: "/usr/local/bin/act_runner"
act_runner_user: "act_runner" act_runner_user: "act_runner"


@@ -1,42 +0,0 @@
---
## Remove the previous app & install the new version
- name: Remove Ampache previous version
ansible.builtin.file:
state: absent
dest: "{{ ampache_app_home }}"
- name: Create app home
ansible.builtin.file:
state: directory
dest: "{{ ampache_app_home }}"
owner: root
group: www-data
mode: "0o750"
- name: Install ampache application
ansible.builtin.unarchive:
remote_src: true
src: "{{ ampache_url }}"
dest: "{{ ampache_app_home }}"
owner: root
group: www-data
mode: "a-rwx,u+rwX,g+rX"
# exclude: "{{ firefly3_userdata_app_dirs | map('regex_replace', '^', './') }}"
- name: Put config file
ansible.builtin.template:
src: "ampache.cfg.php.j2"
dest: "{{ ampache_app_home }}/config/ampache.cfg.php"
owner: root
group: www-data
mode: "0o640"
## Ensure the data dirs exists, populate them if not
- name: Create data home
ansible.builtin.file:
state: directory
path: "{{ ampache_data_home }}"
owner: www-data
group: www-data
mode: "0o750"


@@ -1,20 +0,0 @@
---
- name: Create ampache db
community.mysql.mysql_db:
login_unix_socket: "/var/run/mysqld/mysqld.sock"
login_user: root
login_password: "{{ mariadb_root_pass }}"
name: "{{ ampache_maria_database }}"
state: present
encoding: utf8mb4
collation: utf8mb4_general_ci
- name: Create ampache db read/write user
community.mysql.mysql_user:
login_unix_socket: "/var/run/mysqld/mysqld.sock"
login_user: root
login_password: "{{ mariadb_root_pass }}"
name: "{{ ampache_maria_user }}"
password: "{{ ampache_maria_password }}"
priv: "{{ ampache_maria_database }}.*:ALL"


@@ -1,7 +0,0 @@
---
- name: Init db
ansible.builtin.include_tasks: db.yml
- name: Install ampache
ansible.builtin.include_tasks: ampache.yml



@@ -1,10 +0,0 @@
---
ampache_version: "7.7.2"
ampache_url: "https://github.com/ampache/ampache/releases/download/{{ ampache_version }}/ampache-{{ ampache_version }}_all_php{{ php_version }}.zip"
ampache_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'ampache') | map(attribute='host') | first }}"
# Access path
ampache_app_home: "/var/www/{{ ampache_access_url }}"
ampache_data_home: "/srv/www-data/{{ ampache_access_url }}"


@@ -0,0 +1,39 @@
---
- name: Install prerequired packages
ansible.builtin.package:
name: fuse-overlayfs
state: present
update_cache: true
- name: Download gpg key
ansible.builtin.get_url:
url: "{{ docker_key_url }}"
dest: "{{ docker_key_path }}"
owner: root
group: root
mode: "0o644"
- name: Set docker source repo
ansible.builtin.copy:
content: "deb [arch=amd64 signed-by={{ docker_key_path }}] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
dest: /etc/apt/sources.list.d/docker.list
mode: "0o644"
- name: Install docker packages
ansible.builtin.package:
name:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-buildx-plugin
- docker-compose-plugin
state: present
update_cache: true
- name: Ensure docker is started
ansible.builtin.systemd:
name: docker
state: started
enabled: true
daemon_reload: true
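Review bot: `Download gpg key` writes whatever `download.docker.com` returns straight into the apt keyring with no `checksum:`, so the first fetch becomes the trust anchor for every later `docker-ce` install and a changed or substituted key is accepted silently; pin it with `checksum: "sha256:<digest of the published key>"` (or verify the fingerprint after download) so a mismatch fails the play. `get_url` does not create parent directories and `/etc/apt/keyrings` is not present on Debian releases before bookworm, so an `ansible.builtin.file` task creating that directory (`state: directory`, `mode: "0o755"`) should precede the download if older targets are possible. The `Set docker source repo` line hard-codes `arch=amd64`; that is a portability point only, but a comment saying the role is amd64-only would save the next reader a surprise.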


@@ -0,0 +1,4 @@
---
docker_key_url: "https://download.docker.com/linux/debian/gpg"
docker_key_path: "/etc/apt/keyrings/docker.asc"


@@ -1,72 +1,62 @@
dovecot_config_version = "2.4.1" # 2.2.13: /etc/dovecot/dovecot.conf
dovecot_storage_version = "2.4.1" # ajout de lmtp (service pour déterminer la socket, protocol pour récupérer les mêmes fonctions que le LDA)
# ajout de auth_username_format = %Ln pour vérifier que l'utilisateur est bien dans la base locale en passant par son nom et non par autre chose…
# 2018-08-20 mortal réintégration du fichier séparé 15-mailbox.conf + nettoyage/réorganisation + réécriture sieve globale
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.0
listen = *,[::] listen = *,[::]
protocols = imap lmtp protocols = imap lmtp
ssl = required ssl_cert = </etc/x509/imap.libertus.eu/fullchain.cer
ssl_server_cert_file = /etc/x509/imap.libertus.eu/fullchain.cer ssl_key = </etc/x509/imap.libertus.eu/imap.libertus.eu.key
ssl_server_key_file = /etc/x509/imap.libertus.eu/imap.libertus.eu.key
#auth_debug=yes #auth_debug=yes
#auth_debug_passwords=yes #auth_debug_passwords=yes
auth_username_format = %{ user | username | lower } auth_username_format = %Ln
mail_driver = maildir passdb {
mail_path = %{home}/Maildir
passdb pam {
driver = pam driver = pam
} }
userdb passwd { userdb {
driver = passwd driver = passwd
} }
sieve_script personal { plugin {
path = ~/sieve sieve = ~/sieve/default.sieve
active_path = ~/sieve/default.sieve sieve_dir = ~/sieve
sieve_before = /etc/dovecot/before.sieve
} }
sieve_script before {
type = before
path = /etc/dovecot/before.sieve
bin_path = ~/sieve
}
service auth { service auth {
inet_listener auth { inet_listener {
address = * [::]
port = 26 port = 26
} }
} }
protocol sieve {
mail_location = maildir:~/Maildir
}
service lmtp { service lmtp {
inet_listener ltmp { inet_listener ltmp {
address = 127.0.0.1 ::1
port = 24 port = 24
} }
} }
protocol sieve {
}
protocol imap {
mail_plugins {
imap_sieve = yes
}
}
protocol lmtp { protocol lmtp {
mail_plugins { mail_location = maildir:~/Maildir
sieve = yes mail_plugins = sieve
}
} }
protocol lda { protocol lda {
mail_plugins { mail_location = maildir:~/Maildir
sieve = yes mail_plugins = sieve
}
postmaster_address = postmaster@example.com postmaster_address = postmaster@example.com
} }
@@ -93,3 +83,4 @@ namespace inbox {
special_use = \Sent special_use = \Sent
} }
} }
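Review bot: The new-side `service lmtp { inet_listener ltmp { port = 24 } }` carries no `address`, so with `listen = *,[::]` at the top of the file the LMTP port binds on every interface and anything that can reach TCP/24 can deliver into mailboxes directly, bypassing whatever MTA filtering sits in front; pin it to loopback with `address = 127.0.0.1 ::1` unless a host firewall is relied on. The `service auth` listener on port 26 falls back to the same global `listen`; if only a local Postfix needs it, a `unix_listener` is the safer shape, and if a remote one does, the comment should say which host. The 2.2-syntax side shows `ssl_cert`/`ssl_key` but no `ssl = required`; unless it is set in a part of the file not shown here, the default leaves STARTTLS optional on IMAP, which is worth stating explicitly rather than relying on the default. The listener name `ltmp` (for `lmtp`) is cosmetic but confuses grepping.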


@@ -15,7 +15,7 @@
- name: Set elasticsearch source repo - name: Set elasticsearch source repo
ansible.builtin.copy: ansible.builtin.copy:
content: "deb [signed-by={{ elasticsearch_key_path }}] https://artifacts.elastic.co/packages/8.x/apt stable main" content: "deb [signed-by={{ elasticsearch_key_path }}] https://artifacts.elastic.co/packages/7.x/apt stable main"
dest: /etc/apt/sources.list.d/elasticsearch.list dest: /etc/apt/sources.list.d/elasticsearch.list
mode: "0o644" mode: "0o644"


@@ -1,6 +1,6 @@
--- ---
firefly3_version: "6.4.9" firefly3_version: "6.2.10"
firefly3_url: "https://github.com/firefly-iii/firefly-iii/releases/download/v{{ firefly3_version }}/FireflyIII-v{{ firefly3_version }}.tar.gz" firefly3_url: "https://github.com/firefly-iii/firefly-iii/releases/download/v{{ firefly3_version }}/FireflyIII-v{{ firefly3_version }}.tar.gz"
firefly3_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'firefly3') | map(attribute='host') | first }}" firefly3_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'firefly3') | map(attribute='host') | first }}"


@@ -512,36 +512,6 @@ config rule
option target 'ACCEPT' option target 'ACCEPT'
option family 'ipv4' option family 'ipv4'
# Allow Home Assitant to OpenEVSE
config rule
option name 'Allow-FORWARD-Home-Assistant-OpenEVSE'
option src 'iot'
option src_ip '{{ lookup('dig', 'evse.mateu.be') }}'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ lookup('dig', 'ha.mateu.be') }}'
option dest_port '1883'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-FORWARD-Home-Assistant-RM4Pro'
option src 'dmz'
option src_ip '{{ lookup('dig', 'ha.mateu.be') }}'
option dest 'iot'
option dest_ip '{{ lookup('dig', 'rm4pro.mateu.be') }}'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-FORWARD-esp32cc-Home-Assistant'
option src 'dmz'
option src_ip '{{ lookup('dig', 'ha.mateu.be') }}'
option dest 'iot'
option dest_ip '{{ lookup('dig', 'esp32cc.mateu.be') }}'
option target 'ACCEPT'
option family 'ipv4'
### IoT Rules ### IoT Rules
## General Rules ## General Rules
# ICMP # ICMP


@@ -1,6 +1,6 @@
--- ---
freshrss_version: "1.27.1" freshrss_version: "1.26.1"
freshrss_url: "https://github.com/FreshRSS/FreshRSS/archive/refs/tags/{{ freshrss_version }}.tar.gz" freshrss_url: "https://github.com/FreshRSS/FreshRSS/archive/refs/tags/{{ freshrss_version }}.tar.gz"
freshrss_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'freshrss') | map(attribute='host') | first }}" freshrss_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'freshrss') | map(attribute='host') | first }}"


@@ -10,7 +10,7 @@ db_engine = "lmdb"
block_size = "{{ garage_block_size }}" block_size = "{{ garage_block_size }}"
replication_factor = {{ garage_replication_mode }} replication_mode = "{{ garage_replication_mode }}"
compression_level = 2 compression_level = 2


@@ -2,5 +2,5 @@
garage_url: "https://garagehq.deuxfleurs.fr/_releases/{{ garage_version }}/{{ garage_arch }}-unknown-linux-musl/garage" garage_url: "https://garagehq.deuxfleurs.fr/_releases/{{ garage_version }}/{{ garage_arch }}-unknown-linux-musl/garage"
garage_bin: "/usr/local/bin/garage" garage_bin: "/usr/local/bin/garage"
garage_version: v2.1.0 garage_version: v1.1.0
garage_arch: x86_64 garage_arch: x86_64


@@ -1,6 +1,6 @@
--- ---
gitea_version: "1.25.2" gitea_version: "1.23.7"
gitea_url: "https://dl.gitea.com/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64" gitea_url: "https://dl.gitea.com/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64"
gitea_bin: "/usr/local/bin/gitea" gitea_bin: "/usr/local/bin/gitea"
gitea_path: "/srv/gitea" gitea_path: "/srv/gitea"


@@ -42,19 +42,10 @@ frontend http
acl letsencrypt path_beg /.well-known/acme-challenge acl letsencrypt path_beg /.well-known/acme-challenge
redirect scheme https code 301 if !letsencrypt redirect scheme https code 301 if !letsencrypt
{% for server in haproxy_backend_servers %} {% for server in haproxy_backend_servers %}
{% for hostname in ( {% for hostname in hostvars[server]['web_hostname'] | sort(attribute='host') %}
(hostvars[server].web_hostname ## {{ hostname.host }} configuration
| map(attribute='host')) acl host_{{ hostname.host }} hdr(host) -i {{ hostname.host }}
+ use_backend http_{{ hostvars[server].ansible_host }} if letsencrypt host_{{ hostname.host }}
(hostvars[server].web_hostname
| selectattr('san', 'defined')
| map(attribute='san')
| flatten)
) | sort
%}
## {{ hostname }} configuration
acl host_{{ hostname }} hdr(host) -i {{ hostname }}
use_backend http_{{ hostvars[server].ansible_host }} if letsencrypt host_{{ hostname }}
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
@@ -66,24 +57,14 @@ frontend https
tcp-request inspect-delay 3s tcp-request inspect-delay 3s
tcp-request content accept if { req.ssl_hello_type 1 } tcp-request content accept if { req.ssl_hello_type 1 }
{% for server in haproxy_backend_servers %} {% for server in haproxy_backend_servers %}
{% for hostname in ( {% for hostname in hostvars[server]['web_hostname'] | sort(attribute='host') %}
(hostvars[server].web_hostname ## {{ hostname.host }} configuration
| map(attribute='host')) acl host_{{ hostname.host }} req.ssl_sni -i {{ hostname.host }}
+ {% if hostname.allowlistv4 is defined %}
(hostvars[server].web_hostname acl network_allowed_{{ hostname.host }} src {% for addrv4 in hostname.allowlistv4 %}{{ addrv4 }}{% endfor %}
| selectattr('san', 'defined')
| map(attribute='san')
| flatten)
) | sort
%}
## {{ hostname }} configuration
acl host_{{ hostname }} req.ssl_sni -i {{ hostname }}
{% set host = (hostvars[server].web_hostname | selectattr('host', '==', hostname))[0] %}
{% if host.allowlistv4 is defined %}
acl network_allowed_{{ hostname }} src {% for addrv4 in host.allowlistv4 %} {{ addrv4 }}{% endfor %}
{% endif %} {% endif %}
use_backend https_{{ hostvars[server].ansible_host }} if host_{{ hostname }}{% if host.allowlistv4 is defined %} network_allowed_{{ hostname }}{% endif %} use_backend https_{{ hostvars[server].ansible_host }} if host_{{ hostname.host }}{% if hostname.allowlistv4 is defined %} network_allowed_{{ hostname.host }}{% endif %}
{% endfor %} {% endfor %}
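Review bot: In the https frontend, `acl network_allowed_{{ hostname.host }} src {% for addrv4 in hostname.allowlistv4 %}{{ addrv4 }}{% endfor %}` emits the allowlist entries with nothing between them (unless the rendering dropped a space), so a host with several entries, as `btf.mateu.be` has in the inventory, renders as one run such as `88.175.123.77/32109.9.84.47/32`, which HAProxy rejects at config check, or if it ever parsed would not match the networks intended. Put the separator inside the loop, `{% for addrv4 in hostname.allowlistv4 %} {{ addrv4 }}{% endfor %}`, or simpler `src {{ hostname.allowlistv4 | join(' ') }}`. Separately, only `allowlistv4` is consulted although the inventory also defines `allowlistv6`; an IPv6 client to such a host never matches `network_allowed_*` and falls through to whatever default the frontend has, which is fail-closed but deserves a comment if intentional.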


@@ -1,5 +1,5 @@
--- ---
jackett_version: "v0.24.387" jackett_version: "v0.22.1685"
jackett_download_url: "https://github.com/Jackett/Jackett/releases/download/{{ jackett_version }}/Jackett.Binaries.LinuxAMDx64.tar.gz" jackett_download_url: "https://github.com/Jackett/Jackett/releases/download/{{ jackett_version }}/Jackett.Binaries.LinuxAMDx64.tar.gz"
jackett_home: "/opt/Jackett" jackett_home: "/opt/Jackett"


@@ -1,9 +0,0 @@
---
- name: Run DB migration
become: true
become_user: www-data
ansible.builtin.command:
cmd: "php bin/console doctrine:migrations:migrate -n -q"
chdir: "{{ koillection_app_home }}"
changed_when: false


@@ -81,6 +81,3 @@
- name: Include API activation task - name: Include API activation task
ansible.builtin.include_tasks: api.yml ansible.builtin.include_tasks: api.yml
- name: Include DB migration task
ansible.builtin.include_tasks: db_migration.yml


@@ -1,6 +1,6 @@
--- ---
koillection_version: "1.7.0" koillection_version: "1.6.12"
koillection_url: "https://giteu.be/koillection/koillection/releases/download/{{ koillection_version }}/koillection-{{ koillection_version }}.tar.gz" koillection_url: "https://giteu.be/koillection/koillection/releases/download/{{ koillection_version }}/koillection-{{ koillection_version }}.tar.gz"
koillection_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'koillection') | map(attribute='host') | first }}" koillection_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'koillection') | map(attribute='host') | first }}"


@@ -22,7 +22,7 @@ if [ ! -d $backup_dump_path ] ; then mkdir -p $backup_dump_path ; fi
# On se deplace dans le dossier, et on purge les fichiers plus vieux que backup_max_age # On se deplace dans le dossier, et on purge les fichiers plus vieux que backup_max_age
cd $backup_dump_path cd $backup_dump_path
mariadb-check --all-databases > /var/lib/mysql/check mysqlcheck --all-databases > /var/lib/mysql/check
# Pour chaque base a sauvegarder # Pour chaque base a sauvegarder
for backup_db_name in $backup_db_list for backup_db_name in $backup_db_list


@@ -36,7 +36,7 @@
- name: Check if .my.cnf file exists - name: Check if .my.cnf file exists
ansible.builtin.stat: ansible.builtin.stat:
path: /root/.my.cnf path: /root/.my.cnf
register: mariadb_dot_my_cnf register: dot_my_cnf
- name: Set root password - name: Set root password
community.mysql.mysql_user: community.mysql.mysql_user:
@@ -44,7 +44,7 @@
host: localhost host: localhost
name: root name: root
password: "{{ mariadb_root_pass }}" password: "{{ mariadb_root_pass }}"
when: not mariadb_dot_my_cnf.stat.exists when: not dot_my_cnf.stat.exists
- name: Put .my.cnf file - name: Put .my.cnf file
ansible.builtin.template: ansible.builtin.template:


@@ -40,7 +40,6 @@
- git-core - git-core
- g++ - g++
- libprotobuf-dev - libprotobuf-dev
- libvips-tools
- protobuf-compiler - protobuf-compiler
- pkg-config - pkg-config
- nodejs - nodejs


@@ -6,7 +6,6 @@
repo: "https://github.com/mastodon/mastodon.git" repo: "https://github.com/mastodon/mastodon.git"
dest: "{{ mastodon_home }}/live" dest: "{{ mastodon_home }}/live"
version: "v{{ mastodon_version }}" version: "v{{ mastodon_version }}"
notify: Restart mastodon
- name: Exec bundle - name: Exec bundle
remote_user: mastodon remote_user: mastodon


@@ -1,6 +1,6 @@
--- ---
mastodon_version: "4.5.2" mastodon_version: "4.3.7"
mastodon_nodejs_key_url: "https://deb.nodesource.com/gpgkey/nodesource.gpg.key" mastodon_nodejs_key_url: "https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
mastodon_nodejs_key_path: "/usr/share/keyrings/nodesource.gpg" mastodon_nodejs_key_path: "/usr/share/keyrings/nodesource.gpg"
@@ -8,7 +8,7 @@ mastodon_nodejs_key_path: "/usr/share/keyrings/nodesource.gpg"
mastodon_yarn_key_url: "https://dl.yarnpkg.com/debian/pubkey.gpg" mastodon_yarn_key_url: "https://dl.yarnpkg.com/debian/pubkey.gpg"
mastodon_yarn_key_path: "/usr/share/keyrings/yarnkey.gpg" mastodon_yarn_key_path: "/usr/share/keyrings/yarnkey.gpg"
mastodon_ruby_version: "3.4.7" mastodon_ruby_version: "3.3.5"
mastodon_home: "/srv/mastodon" mastodon_home: "/srv/mastodon"
mastodon_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'mastodon') | map(attribute='host') | first }}" mastodon_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'mastodon') | map(attribute='host') | first }}"


@@ -6,7 +6,7 @@ HEADER="Authorization: Bearer ${BEARER}"
# Create associative array # Create associative array
declare -A BUCKETS=() declare -A BUCKETS=()
API_BUCKETS_JSON=$(curl -s -H "${HEADER}" "http://[::1]:3903/v2/ListBuckets" | jq -r '.[] | .id + "," + (if (.globalAliases[0]|test("\\.")) then .globalAliases[1] else .globalAliases[0] end)') API_BUCKETS_JSON=$(curl -s -H "${HEADER}" "http://[::1]:3903/v1/bucket?list" | jq -r '.[] | .id + "," + (if (.globalAliases[0]|test("\\.")) then .globalAliases[1] else .globalAliases[0] end)')
# Populate associative array # Populate associative array
for bucket in ${API_BUCKETS_JSON} for bucket in ${API_BUCKETS_JSON}
@@ -59,7 +59,7 @@ declare -A REQUESTS
for i in "${!BUCKETS[@]}" for i in "${!BUCKETS[@]}"
do do
REQUESTS+=([${BUCKETS[${i}]}]=$(curl -s -H "${HEADER}" "http://[::1]:3903/v2/GetBucketInfo?id=${i}")) REQUESTS+=([${BUCKETS[${i}]}]=$(curl -s -H "${HEADER}" "http://[::1]:3903/v1/bucket?id=${i}"))
done done
echo "multigraph garage_bucket_unfinished" echo "multigraph garage_bucket_unfinished"


@@ -2,25 +2,26 @@
- name: Set package fact - name: Set package fact
ansible.builtin.set_fact: ansible.builtin.set_fact:
munin_client_muninpkgs: muninpkgs:
- muninlite - muninlite
munin_client_munin_need_reconfigure: false munin_need_reconfigure: false
when: ansible_facts['distribution'] == "LEDE" or ansible_facts['distribution'] == "OpenWRT" or ansible_facts['distribution'] == "OpenWrt" when: ansible_facts['distribution'] == "LEDE" or ansible_facts['distribution'] == "OpenWRT" or ansible_facts['distribution'] == "OpenWrt"
- name: Set other packages fact - name: Set other packages fact
ansible.builtin.set_fact: ansible.builtin.set_fact:
munin_client_muninpkgs: muninpkgs:
- munin-node - munin-node
- munin-plugins-core - munin-plugins-core
- munin-plugins-extra - munin-plugins-extra
munin_client_munin_need_reconfigure: true munin_need_reconfigure: true
when: ansible_facts['distribution'] == "Debian" when: ansible_facts['distribution'] == "Debian"
- name: Install munin node packages - name: Install munin node packages
ansible.builtin.package: ansible.builtin.package:
name: "{{ munin_client_muninpkgs }}" name: "{{ item }}"
state: present state: present
update_cache: true update_cache: true
loop: "{{ muninpkgs }}"
- name: Put munin-node configuration file - name: Put munin-node configuration file
ansible.builtin.template: ansible.builtin.template:
@@ -29,7 +30,7 @@
mode: "0o644" mode: "0o644"
notify: notify:
- Restart munin-node - Restart munin-node
when: munin_client_munin_need_reconfigure when: munin_need_reconfigure
## Adding modules for specific functions ## Adding modules for specific functions
# for NginX webservers # for NginX webservers
@@ -98,14 +99,14 @@
changed_when: true changed_when: true
notify: notify:
- Restart munin-node - Restart munin-node
when: munin_client_munin_need_reconfigure when: munin_need_reconfigure
# Useless junks for everyone # Useless junks for everyone
- name: Delete useless junks for everyone - name: Delete useless junks for everyone
ansible.builtin.file: ansible.builtin.file:
path: "/etc/munin/plugins/{{ item }}" path: "/etc/munin/plugins/{{ item }}"
state: absent state: absent
when: munin_client_munin_need_reconfigure when: munin_need_reconfigure
loop: loop:
- users - users


@@ -41,7 +41,7 @@ host_name {{ ansible_host }}
# network notation unless the perl module Net::CIDR is installed. You # network notation unless the perl module Net::CIDR is installed. You
# may repeat the allow line as many times as you'd like # may repeat the allow line as many times as you'd like
allow ^{{ hostvars['munin']['proxmox_net0']['ip'] | ansible.utils.ipaddr('address') | split('.') |join('\.') }} allow ^{{ hostvars['munin']['ansible_default_ipv4']['address'].split('.')|join('\.') }}
allow ^127\.0\.0\.1$ allow ^127\.0\.0\.1$
allow ^::1$ allow ^::1$
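Review bot: The templated `allow ^{{ hostvars['munin']['ansible_default_ipv4']['address'].split('.')|join('\.') }}` line is a regex anchored only at the start, and munin-node's own comment above says `allow` is matched as a regex, so an address `A.B.C.D` also admits `A.B.C.D0`–`A.B.C.D9` and every longer suffix: other hosts in the same range can pull this node's data. Close it like the `^127\.0\.0\.1$` line right below: `allow ^{{ ... | join('\.') }}$`. This is not introduced by the hunk (both sides lack the `$`), but it is the line being touched. The `hostvars['munin'][...]` lookup also presumes facts for the munin host were gathered or cached in the same run; a one-line comment saying so would explain the otherwise opaque templating failure when they are not.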


@@ -1,6 +1,6 @@
--- ---
nextcloud_version: "31.0.11" nextcloud_version: "31.0.2"
nextcloud_url: "https://download.nextcloud.com/server/releases/nextcloud-{{ nextcloud_version }}.tar.bz2" nextcloud_url: "https://download.nextcloud.com/server/releases/nextcloud-{{ nextcloud_version }}.tar.bz2"
nextcloud_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'nextcloud') | map(attribute='host') | first }}" nextcloud_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'nextcloud') | map(attribute='host') | first }}"
@@ -19,7 +19,6 @@ nextcloud_userdata_app_dirs:
# Supplementary modules # Supplementary modules
nextcloud_modules: nextcloud_modules:
- name: calendar - name: calendar
- name: contacts
- name: tasks - name: tasks
- name: user_external - name: user_external
force: true force: true


@@ -2,7 +2,7 @@
- name: Issue certificate - name: Issue certificate
ansible.builtin.command: ansible.builtin.command:
cmd: "/etc/x509/acme.sh --issue --domain {{ host.host }} {{ ['--domain'] | product(host.san | default([])) | map('join', ' ') | join(' ') }} --webroot {{ nginx_letsencrypt_dir }} --reloadcmd \"{{ acme_reload_cmd | default('systemctl reload nginx.service') }}\"" cmd: "/etc/x509/acme.sh --issue --domain {{ host.host }} --webroot {{ nginx_letsencrypt_dir }} --reloadcmd \"{{ acme_reload_cmd | default('systemctl reload nginx.service') }}\""
creates: "/etc/x509/{{ host.host }}*" creates: "/etc/x509/{{ host.host }}*"
environment: environment:
LE_WORKING_DIR: "/etc/x509" LE_WORKING_DIR: "/etc/x509"
@@ -20,7 +20,7 @@
remote_src: true remote_src: true
src: "/etc/x509/{{ host.host }}_ecc/" src: "/etc/x509/{{ host.host }}_ecc/"
dest: "/etc/x509/{{ host.host }}" dest: "/etc/x509/{{ host.host }}"
mode: "{{ _nginx_x509_ecc_dir.stat.mode }}" mode: _nginx_x509_ecc_dir.stat.mode
- name: Remove ecc dir - name: Remove ecc dir
ansible.builtin.file: ansible.builtin.file:
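Review bot: `mode: _nginx_x509_ecc_dir.stat.mode` in the copy task is a bare string, not a Jinja expression, so the module receives the literal text `_nginx_x509_ecc_dir.stat.mode` as the mode and the task should fail with a mode-parsing error instead of preserving the permissions of the directory that holds `{{ host.host }}.key`. It has to be templated and quoted: `mode: "{{ _nginx_x509_ecc_dir.stat.mode }}"`. A one-line comment above the `--issue` command noting that `acme_reload_cmd` is executed as root by acme.sh on every renewal would also help whoever next edits the inventory. The `Remove ecc dir` task continues outside the hunk.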


@@ -46,7 +46,7 @@
- name: Include acme auto cert - name: Include acme auto cert
ansible.builtin.include_tasks: acme.yml ansible.builtin.include_tasks: acme.yml
loop: "{{ web_hostname }}" loop: "{{ web_hostname | rejectattr('acme_unmanaged', 'defined') }}"
loop_control: loop_control:
loop_var: "host" loop_var: "host"
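Review bot: `rejectattr('acme_unmanaged', 'defined')` skips any entry that merely carries the key, so a host written as `acme_unmanaged: false` silently gets no certificate. If presence rather than value is the intended contract, say so next to the loop: `# acme.yml is skipped for every host that has an acme_unmanaged key; its value is not checked`. Otherwise filter on the value as well, or document in the role README how the flag is expected to be written.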


@@ -3,7 +3,7 @@
ssl_certificate /etc/x509/{{ item.host }}/fullchain.cer; ssl_certificate /etc/x509/{{ item.host }}/fullchain.cer;
ssl_certificate_key /etc/x509/{{ item.host }}/{{ item.host }}.key; ssl_certificate_key /etc/x509/{{ item.host }}/{{ item.host }}.key;
server_name {{ item.host }}{{ ' ' ~ item.san | join(' ') if item.san is defined }}; server_name {{ item.host }};
access_log /var/log/nginx/{{ item.host }}.access.log combined; access_log /var/log/nginx/{{ item.host }}.access.log combined;
access_log syslog:server=unix:/dev/log combined; access_log syslog:server=unix:/dev/log combined;
error_log /var/log/nginx/{{ item.host }}.error.log; error_log /var/log/nginx/{{ item.host }}.error.log;


@@ -3,7 +3,7 @@
# ANY MODIFICATION IS LIKELY TO BE ERASED # ANY MODIFICATION IS LIKELY TO BE ERASED
########## ##########
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:50m;
ssl_session_tickets off; ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
@@ -11,7 +11,7 @@
# intermediate configuration. tweak to your needs. # intermediate configuration. tweak to your needs.
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)


@@ -1,9 +0,0 @@
server {
{% include './templates/header.conf.j2' %}
location / {
proxy_pass http://[::1]:3903;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
}
}


@@ -1,82 +0,0 @@
server {
{% include './templates/header.conf.j2' %}
root /var/www/amp.mateu.be/public/;
index index.php;
# Somebody said this helps, in my setup it doesn't prevent temporary saving in files
proxy_max_temp_file_size 0;
# Rewrite rule for Subsonic backend
if ( !-d $request_filename ) {
rewrite ^/rest/(.*).view$ /rest/index.php?action=$1 last;
rewrite ^/rest/fake/(.+)$ /play/$1 last;
}
# Rewrite rule for Channels
if (!-d $request_filename){
rewrite ^/channel/([0-9]+)/(.*)$ /channel/index.php?channel=$1&target=$2 last;
}
# Beautiful URL Rewriting
rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&name=$5 last;
rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/client/(\w+)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&name=$6 last;
rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/client/(\w+)/player/(.*)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&player=$6&name=$7 last;
rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/client/(\w+)/bitrate/([0-9]+)/player/(.*)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&bitrate=$6&player=$7&name=$8 last;
rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/client/(\w+)/transcode_to/(w+)/bitrate/([0-9]+)/player/(.*)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&transcode_to=$6&bitrate=$7&player=$8&name=$9 last;
rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/client/(\w+)/noscrobble/([0-1])/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&noscrobble=$6&name=$7 last;
rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/client/(\w+)/noscrobble/([0-1])/player/(.*)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&noscrobble=$6&player=$7&name=$8 last;
rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/client/(\w+)/noscrobble/([0-1])/bitrate/([0-9]+)/player/(.*)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&noscrobble=$6&bitrate=$7&player=$8&name=$9 last;
rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/client/(\w+)/noscrobble/([0-1])/transcode_to/(w+)/bitrate/([0-9]+)/player/(.*)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&noscrobble=$6&transcode_to=$7&bitrate=$8&player=$9&name=$10 last;
# the following line was needed for me to get downloads of single songs to work
rewrite ^/play/ssid/(.*)/type/(.*)/oid/([0-9]+)/uid/([0-9]+)/action/(.*)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4action=$5&name=$6 last;
location /play {
if (!-e $request_filename) {
rewrite ^/play/art/([^/]+)/([^/]+)/([0-9]+)/thumb([0-9]*)\.([a-z]+)$ /image.php?object_type=$2&object_id=$3&auth=$1 last;
}
rewrite ^/([^/]+)/([^/]+)(/.*)?$ /play/$3?$1=$2;
rewrite ^/(/[^/]+|[^/]+/|/?)$ /play/index.php last;
break;
}
location /rest {
limit_except GET POST {
deny all;
}
}
location ^~ /bin/ {
deny all;
return 403;
}
location ^~ /config/ {
deny all;
return 403;
}
location / {
limit_except GET POST HEAD{
deny all;
}
}
location ~ ^/.*.php {
fastcgi_index index.php;
fastcgi_read_timeout 600s;
include fastcgi_params;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_pass unix:/run/php/php{{ php_version }}-fpm.sock;
}
# Rewrite rule for WebSocket
location /ws {
rewrite ^/ws/(.*) /$1 break;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8100/;
}
}


@@ -1,8 +0,0 @@
server {
{% include './templates/header.conf.j2' %}
location / {
proxy_pass http://localhost:8080;
}
}


@@ -1,5 +1,15 @@
server { server {
{% include './templates/header.conf.j2' %} listen *:443 ssl http2;
listen [::]:443 ssl http2;
server_name r.mateu.be perso.nintendojo.fr perso.libertus.eu;
access_log /var/log/nginx/r.mateu.be.access.log combined;
access_log syslog:server=unix:/dev/log combined;
error_log /var/log/nginx/r.mateu.be.error.log;
error_log syslog:server=unix:/dev/log;
ssl_certificate /etc/x509/r.mateu.be/fullchain.cer;
ssl_certificate_key /etc/x509/r.mateu.be/r.mateu.be.key;
root /srv/www-data/r.mateu.be/; root /srv/www-data/r.mateu.be/;
location / { location / {
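Review bot: `server_name r.mateu.be perso.nintendojo.fr perso.libertus.eu;` is served with `/etc/x509/r.mateu.be/fullchain.cer`, but the acme task in this same diff issues only `--domain {{ host.host }}` with no SAN option, so unless that certificate was obtained with the two perso.* names as SANs outside this role, clients reaching them will see a hostname mismatch. Either add the SANs to issuance or give those names their own server blocks and certificates, and put a comment above `ssl_certificate` stating which names the file is expected to cover. `listen … http2;` is also deprecated in nginx 1.25.1+ in favour of a separate `http2 on;` — harmless today, worth a TODO if the packaged nginx is newer. The server block continues outside the hunk.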


@@ -1,8 +0,0 @@
server {
{% include './templates/header.conf.j2' %}
location / {
proxy_pass http://localhost:8200;
}
}


@@ -1,15 +1,16 @@
## WP NintendojoFR ## WP NintendojoFR
fastcgi_cache_path
/dev/shm/nginx
levels=1:2
keys_zone=wpdojo:25m
inactive=1h
max_size=250m;
server { server {
{% include './templates/header.conf.j2' %} listen *:443 ssl http2;
listen [::]:443 ssl http2;
server_name nintendojo.fr www.nintendojo.fr;
access_log /var/log/nginx/nintendojo.fr.access.log combined;
access_log syslog:server=unix:/dev/log combined;
error_log /var/log/nginx/nintendojo.fr.error.log;
error_log syslog:server=unix:/dev/log;
ssl_certificate /etc/x509/www.nintendojo.fr/fullchain.cer;
ssl_certificate_key /etc/x509/www.nintendojo.fr/www.nintendojo.fr.key;
root /var/www/www.nintendojo.fr/; root /srv/http/www.nintendojo.fr/;
index index.html index.htm index.php; index index.html index.htm index.php;
client_max_body_size 2G; client_max_body_size 2G;


@@ -1,5 +1,13 @@
server { server {
{% include './templates/header.conf.j2' %} listen *:443 ssl http2;
listen [::]:443 ssl http2;
server_name www.nintendojofr.com nintendojofr.com;
access_log /var/log/nginx/nintendojofr.com.access.log combined;
access_log syslog:server=unix:/dev/log combined;
error_log /var/log/nginx/nintendojofr.com.error.log;
error_log syslog:server=unix:/dev/log;
ssl_certificate /etc/x509/www.nintendojofr.com/fullchain.cer;
ssl_certificate_key /etc/x509/www.nintendojofr.com/www.nintendojofr.com.key;
root /var/www/www.nintendojofr.com/; root /var/www/www.nintendojofr.com/;
index index.html index.htm index.php; index index.html index.htm index.php;


@@ -1,46 +0,0 @@
## WP dev NintendojoFR
server {
{% include './templates/header.conf.j2' %}
root /var/www/wwwdev.nintendojo.fr/;
index index.html index.htm index.php;
client_max_body_size 2G;
# couper les fichiers cachés
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# couper les fichiers textes du captcha
location ~* /wp-content/uploads/wpcf7_captcha/.*\.txt$ {
deny all;
}
# Optimisation des images
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires 1w;
log_not_found off;
}
# Interprétation PHP
location ~ ^/(index).php(/.*)+ {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
try_files $fastcgi_script_name =404;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
fastcgi_read_timeout 60;
include fastcgi_params;
}
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
fastcgi_read_timeout 60;
include fastcgi_params;
}
location / {
try_files $uri $uri/ /index.php$uri?$args;
}
}


@@ -5,14 +5,14 @@
- name: Detect systemd-resolve - name: Detect systemd-resolve
ansible.builtin.set_fact: ansible.builtin.set_fact:
nsd_systemd_resolve_enable: "{{ ansible_facts.udp_listen | selectattr('port', 'eq', 53) | selectattr('name', 'eq', 'systemd-resolve') | count > 0 }}" _systemd_resolve_enable: "{{ ansible_facts.udp_listen | selectattr('port', 'eq', 53) | selectattr('name', 'eq', 'systemd-resolve') | count > 0 }}"
- name: Deactivate DNS stublistener - name: Deactivate DNS stublistener
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/systemd/resolved.conf path: /etc/systemd/resolved.conf
regex: '^#DNSStubListener=yes' regex: '^#DNSStubListener=yes'
line: DNSStubListener=no line: DNSStubListener=no
when: nsd_systemd_resolve_enable when: _systemd_resolve_enable
notify: notify:
- Restart systemd-resolved - Restart systemd-resolved
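Review bot: The `lineinfile` regex `^#DNSStubListener=yes` only matches the shipped commented default; on a host where the line is already `DNSStubListener=yes` (or `=udp`), nothing matches and Ansible appends `DNSStubListener=no` at end of file, leaving two directives and, if the file has other sections, possibly placing the new one outside `[Resolve]` so the stub listener stays on port 53. Match every form of the key and pin the section: `regex: '^#?DNSStubListener='` together with `insertafter: '^\[Resolve\]'`. A short comment that `_systemd_resolve_enable` is an intentionally internal, per-run fact (hence the underscore) would also help readers of the role.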


@@ -11,17 +11,7 @@
dns_serial: "{{ ansible_date_time.epoch }}" dns_serial: "{{ ansible_date_time.epoch }}"
web_hostname_block: |- web_hostname_block: |-
{% for webserver in groups['webservers'] | sort -%} {% for webserver in groups['webservers'] | sort -%}
{% for web_hostname in ( {% for web_hostname in (hostvars[webserver]['web_hostname'] | selectattr('host', 'match', '.*' ~ item.name) | map(attribute='host') | sort) -%}
(hostvars[webserver]['web_hostname']
| selectattr('host', 'match', '.*' ~ item.name)
| map(attribute='host')
+
(hostvars[webserver]['web_hostname']
| selectattr('san', 'defined')
| map(attribute='san')
| flatten
| select('match', '.*' ~ item.name)))
| sort) -%}
{% if web_hostname is match("(\S+\.){2}") %} {% if web_hostname is match("(\S+\.){2}") %}
{{ web_hostname | regex_replace('\.' ~ item.name ~ '$', '') }} IN CNAME {{ hostvars[webserver].ansible_host }}. {{ web_hostname | regex_replace('\.' ~ item.name ~ '$', '') }} IN CNAME {{ hostvars[webserver].ansible_host }}.
{% else %} {% else %}
@@ -55,14 +45,14 @@
- name: Stat associated keys - name: Stat associated keys
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/.ds" path: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/.ds"
register: nsd_stat_keys register: _stat_keys
- name: Sign zone file - name: Sign zone file
become: true become: true
become_user: nsd become_user: nsd
ansible.builtin.command: ansible.builtin.command:
chdir: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/" chdir: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/"
cmd: "ldns-signzone -o {{ item.name }} -u {{ nsd_default_etc_path }}/zones/{{ item.name }}.zone {{ (nsd_stat_keys.stat.lnk_target | split('.'))[:-1] | join('.') }}" cmd: "ldns-signzone -o {{ item.name }} -u {{ nsd_default_etc_path }}/zones/{{ item.name }}.zone {{ (_stat_keys.stat.lnk_target | split('.'))[:-1] | join('.') }}"
changed_when: true changed_when: true
- name: Reload zone - name: Reload zone
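Review bot: `selectattr('host', 'match', '.*' ~ item.name)` uses the zone name as an unescaped, unterminated regex, so `.*mateu.be` also matches a `web_hostname` such as `mateu.be.example.org` or `xmateuXbe`, and those hosts would be emitted as records into the wrong zone. Escape and anchor it: `selectattr('host', 'match', '(.*\.)?' ~ (item.name | regex_escape) ~ '$')`. The `Sign zone file` step later in the hunk dereferences `_stat_keys.stat.lnk_target` unconditionally; when the `.ds` symlink is missing this dies with an opaque undefined-variable error, so a `when: _stat_keys.stat.exists` (or an assert naming the missing key) would make the failure mode clear.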


@@ -29,18 +29,15 @@ backup IN A 10.233.212.60
baybay-ponay IN AAAA 2a01:e0a:9bd:2810:9e6b:ff:fe13:ef88 baybay-ponay IN AAAA 2a01:e0a:9bd:2810:9e6b:ff:fe13:ef88
ciol IN A 109.190.68.133 ciol IN A 109.190.68.133
derdriu IN A 10.233.212.77 derdriu IN A 10.233.212.77
dom IN A 10.233.212.15
enbarr.dmz IN AAAA 2a01:e0a:9bd:2811::50 enbarr.dmz IN AAAA 2a01:e0a:9bd:2811::50
esp32cc IN A 10.233.211.201
evse IN A 10.233.211.198 evse IN A 10.233.211.198
fc IN A 10.233.211.194 fc IN A 10.233.211.194
frederica.dmz IN A {{ global_public_ip_address }} frederica.dmz IN A {{ global_public_ip_address }}
frederica.dmz IN AAAA 2a01:e0a:9bd:2811::60 frederica.dmz IN AAAA 2a01:e0a:9bd:2811::60
ftp IN A 10.233.212.14 ftp IN A 10.233.212.14
garreg-mach IN A 10.233.212.66 garreg-mach IN A 10.233.212.66
haos.dmz IN A {{ global_public_ip_address }} imprimante IN A 10.233.212.94
haos.dmz IN AAAA 2a01:e0a:9bd:2811::51
ha IN A 10.233.212.51
libreelec IN A 10.233.212.91
machinbox IN A {{ global_public_ip_address }} machinbox IN A {{ global_public_ip_address }}
machinbox IN AAAA 2a01:e0a:9bd:2810::1 machinbox IN AAAA 2a01:e0a:9bd:2810::1
mailalt IN CNAME altsrv mailalt IN CNAME altsrv
@@ -52,10 +49,9 @@ nsd-master1.ext IN AAAA 2001:41d0:a:54b::1
nsd-master1-v6.ext IN AAAA 2001:41d0:a:54b::1 nsd-master1-v6.ext IN AAAA 2001:41d0:a:54b::1
rb IN A 194.156.203.253 rb IN A 194.156.203.253
rc IN A 10.233.211.195 rc IN A 10.233.211.195
rm4pro IN A 10.233.211.200
serenor.dmz IN A {{ global_public_ip_address }} serenor.dmz IN A {{ global_public_ip_address }}
serenor.dmz IN AAAA 2a01:e0a:9bd:2811::59 serenor.dmz IN AAAA 2a01:e0a:9bd:2811::59
{% for proxmox_host in groups['proxmox_all_lxc'] | sort %} {% for proxmox_host in (groups['proxmox_all_lxc'] + groups['proxmox_all_qemu']) | sort %}
{{ proxmox_host }}.dmz IN A {{ global_public_ip_address }} {{ proxmox_host }}.dmz IN A {{ global_public_ip_address }}
{% if proxmox_host.startswith('dns') %} {% if proxmox_host.startswith('dns') %}
{{ proxmox_host }}-v4.dmz IN A {{ global_public_ip_address }} {{ proxmox_host }}-v4.dmz IN A {{ global_public_ip_address }}
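Review bot: `groups['proxmox_all_lxc'] + groups['proxmox_all_qemu']` makes the whole zone fail to render with an undefined-key error the first time an inventory has no QEMU guests (or the group is renamed), whereas the previous expression depended on a single group. Default both to an empty list: `{% for proxmox_host in ((groups['proxmox_all_lxc'] | default([])) + (groups['proxmox_all_qemu'] | default([]))) | sort %}`. Because every guest becomes `<name>.dmz IN A {{ global_public_ip_address }}`, this loop also decides which internal guest names are published in the zone; if the zone is served publicly, a comment stating that enumerating all guests is intentional would stop a future reviewer from reading it as a leak.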


@@ -10,7 +10,7 @@
- name: Download oolatoocs exec - name: Download oolatoocs exec
ansible.builtin.get_url: ansible.builtin.get_url:
url: "{{ oolatoocs_url }}" url: "{{ oolatoocs_url }}.{{ oolatoocs_version }}"
dest: "{{ oolatoocs_local_bin_path }}" dest: "{{ oolatoocs_local_bin_path }}"
owner: root owner: root
group: root group: root
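Review bot: The `get_url` task installs a root-owned executable into `{{ oolatoocs_local_bin_path }}` straight from `{{ oolatoocs_url }}.{{ oolatoocs_version }}` with no integrity check, so whoever controls that web host, or the TLS path to it, controls a binary on every target. Pin a per-version digest next to the version variable and verify it: `checksum: "sha256:{{ oolatoocs_sha256 }}"` (get_url also accepts `checksum: sha256:<url-to-SHA256SUMS>` if the release publishes one). The bare `.v4.2.0` suffix is unusual enough to deserve a comment on the URL variable describing the layout on the download host. The task's remaining parameters are outside the hunk.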


@@ -1,6 +1,6 @@
--- ---
oolatoocs_db_dir: /var/lib/oolatoocs oolatoocs_db_dir: /var/lib/oolatoocs
oolatoocs_version: v4.5.3 oolatoocs_url: https://r.mateu.be/oolatoocs/oolatoocs
oolatoocs_url: "https://giteu.be/dojo/oolatoocs/releases/download/{{ oolatoocs_version }}/oolatoocs" oolatoocs_version: v4.2.0
oolatoocs_local_bin_path: /usr/local/bin/oolatoocs oolatoocs_local_bin_path: /usr/local/bin/oolatoocs


@@ -1,6 +1,6 @@
--- ---
peertube_version: "7.3.0" peertube_version: "7.1.1"
peertube_home: "/srv/peertube" peertube_home: "/srv/peertube"
peertube_url: "https://github.com/Chocobozzz/PeerTube/releases/download/v{{ peertube_version }}/peertube-v{{ peertube_version }}.zip" peertube_url: "https://github.com/Chocobozzz/PeerTube/releases/download/v{{ peertube_version }}/peertube-v{{ peertube_version }}.zip"


@@ -1,7 +1,7 @@
--- ---
name: DojoPeertube name: DojoPeertube
host: p.nintendojo.fr host: p.nintendojo.fr
example: https://p.nintendojo.fr/w/ijQXcNFiuEiDi9Dgzr3Xnr example: https://p.nintendojo.fr/videos/embed/19bc46e8-7640-4417-86a1-03aa2b439508
extract: "!//p.nintendojo.fr/w/(?'id'[a-zA-Z0-9_]+)!" extract: "!//p.nintendojo.fr/videos/embed/(?'id'[0-9a-fA-F]{8}\\b-[0-9a-fA-F]{4}\\b-[0-9a-fA-F]{4}\\b-[0-9a-fA-F]{4}\\b-[0-9a-fA-F]{12})!"
iframe: iframe:
src: "https://p.nintendojo.fr/videos/embed/{@id}" src: "https://p.nintendojo.fr/videos/embed/{@id}"
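Review bot: The `extract` pattern leaves the dots in `p.nintendojo.fr` unescaped, so it also matches look-alike hosts such as `//pxnintendojoxfr/videos/embed/<uuid>`; impact is limited because only the strictly validated UUID reaches the fixed `src`, but a link to a foreign host then renders as an embed of whatever that UUID is on p.nintendojo.fr. Escape them in the same style the file already uses for `\\b`: `extract: "!//p\\.nintendojo\\.fr/videos/embed/(?'id'[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})!"`.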


@@ -36,7 +36,7 @@ phpbb_exts:
url: "https://github.com/Mar-tin-G/ExternalLinkInNewWindow/archive/refs/tags/%VERSION%.tar.gz" url: "https://github.com/Mar-tin-G/ExternalLinkInNewWindow/archive/refs/tags/%VERSION%.tar.gz"
- name: mediaembed - name: mediaembed
path: phpbb/mediaembed path: phpbb/mediaembed
version: 2.0.3 version: 2.0.2
url: "https://github.com/phpbb-extensions/mediaembed/archive/refs/tags/%VERSION%.tar.gz" url: "https://github.com/phpbb-extensions/mediaembed/archive/refs/tags/%VERSION%.tar.gz"
extra_files: extra_files:
- src: files/mastodon.yml - src: files/mastodon.yml


@@ -1,9 +0,0 @@
---
- name: Install podman
ansible.builtin.package:
name:
- podman
- podman-docker
- podman-compose
state: present


@@ -1,7 +1,7 @@
--- ---
restic_path: "/usr/local/bin/restic" restic_path: "/usr/local/bin/restic"
restic_script_path: "/usr/local/bin/resticbackup.sh" restic_script_path: "/usr/local/bin/resticbackup.sh"
restic_version: "0.18.1" restic_version: "0.18.0"
restic_architecture: "amd64" restic_architecture: "amd64"
restic_system: "{{ ansible_facts['system'] | lower }}" restic_system: "{{ ansible_facts['system'] | lower }}"
restic_download_url: "https://github.com/restic/restic/releases/download/v{{ restic_version }}/restic_{{ restic_version }}_{{ restic_system }}_{{ restic_architecture }}.bz2" restic_download_url: "https://github.com/restic/restic/releases/download/v{{ restic_version }}/restic_{{ restic_version }}_{{ restic_system }}_{{ restic_architecture }}.bz2"


@@ -1,6 +1,6 @@
--- ---
roundcube_version: "1.6.11" roundcube_version: "1.6.10"
roundcube_url: "https://github.com/roundcube/roundcubemail/releases/download/{{ roundcube_version }}/roundcubemail-{{ roundcube_version }}-complete.tar.gz" roundcube_url: "https://github.com/roundcube/roundcubemail/releases/download/{{ roundcube_version }}/roundcubemail-{{ roundcube_version }}-complete.tar.gz"
# calculate the roundcube access URL given the `web_hostname` list # calculate the roundcube access URL given the `web_hostname` list
@@ -16,6 +16,6 @@ roundcube_writable_app_dirs:
- temp - temp
# CardDAV extension # CardDAV extension
roundcube_carddav_version: "5.1.2" roundcube_carddav_version: "5.1.0"
roundcube_carddav_url: "https://github.com/mstilkerich/rcmcarddav/releases/download/v{{ roundcube_carddav_version }}/carddav-v{{ roundcube_carddav_version }}.tar.gz" roundcube_carddav_url: "https://github.com/mstilkerich/rcmcarddav/releases/download/v{{ roundcube_carddav_version }}/carddav-v{{ roundcube_carddav_version }}.tar.gz"
roundcube_carddav_discovery_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'nextcloud') | map(attribute='host') | first }}" roundcube_carddav_discovery_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'nextcloud') | map(attribute='host') | first }}"


@@ -1,2 +1 @@
## Send everything to central
*.* @syslog.dmz.mateu.be *.* @syslog.dmz.mateu.be


@@ -1,7 +1,7 @@
template(name="RemoteHost" type="string" string="/srv/log/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log.gz") template(name="RemoteHost" type="string" string="/srv/log/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log.gz")
## Loads UDP ## Loads UDP
module(load="imudp") module(load="imudp" port="514")
ruleset(name="remote") { ruleset(name="remote") {
action(type="omfile" DynaFile="RemoteHost" zipLevel="5") action(type="omfile" DynaFile="RemoteHost" zipLevel="5")
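Review bot: The `RemoteHost` template builds the on-disk path from `%HOSTNAME%`, which for UDP syslog is taken verbatim from the sender's packet, so any host that can reach port 514 can send a hostname containing `/` or `..` and steer the DynaFile write outside `/srv/log/` — rsyslog does not sanitise the property unless asked. Use the secure-path replacer: `template(name="RemoteHost" type="string" string="/srv/log/%HOSTNAME:::secpath-replace%/%$YEAR%-%$MONTH%-%$DAY%.log.gz")`. Separately, `port` is a parameter of `input(type="imudp" …)`, not of `module(load="imudp")`, so `module(load="imudp" port="514")` is likely to be warned about and ignored; unless an `input(… ruleset="remote")` exists elsewhere in the file, nothing actually listens.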


@@ -1,6 +1,6 @@
--- ---
shaarli_version: "0.15.0" shaarli_version: "0.14.0"
shaarli_url: "https://github.com/shaarli/Shaarli/releases/download/v{{ shaarli_version }}/shaarli-v{{ shaarli_version }}-full.tar.gz" shaarli_url: "https://github.com/shaarli/Shaarli/releases/download/v{{ shaarli_version }}/shaarli-v{{ shaarli_version }}-full.tar.gz"
# Access URL # Access URL


@@ -1,5 +1,5 @@
--- ---
sonarr_version: "4.0.16.2944" sonarr_version: "4.0.14.2939"
sonarr_download_url: "https://github.com/Sonarr/Sonarr/releases/download/v{{ sonarr_version }}/Sonarr.main.{{ sonarr_version }}.linux-x64.tar.gz" sonarr_download_url: "https://github.com/Sonarr/Sonarr/releases/download/v{{ sonarr_version }}/Sonarr.main.{{ sonarr_version }}.linux-x64.tar.gz"
sonarr_home: "/opt/Sonarr" sonarr_home: "/opt/Sonarr"


@@ -7,9 +7,6 @@ ok_locales fr
score UNWANTED_LANGUAGE_BODY 5 score UNWANTED_LANGUAGE_BODY 5
score HTML_IMAGE_RATIO_02 3 score HTML_IMAGE_RATIO_02 3
rawbody LOCAL_ryoko /ryoko/i
score LOCAL_ryoko 20.0
rawbody LOCAL_Enhancement_Gummies /Enhancement Gummies/i rawbody LOCAL_Enhancement_Gummies /Enhancement Gummies/i
score LOCAL_Enhancement_Gummies 20.0 score LOCAL_Enhancement_Gummies 20.0
@@ -243,21 +240,6 @@ whitelist_from *@reichelt.de
whitelist_from *@amazon.de whitelist_from *@amazon.de
# Blacklist manuel # Blacklist manuel
blacklist_from *@filstion.nl
blacklist_from *@*.shop
blacklist_from *@*.makeup
blacklist_from *@*.qpon
blacklist_from *@axellseling.eu
blacklist_from *@*.motorcycles
blacklist_from *@startkomto.com
blacklist_from *@todeliv.cloud
blacklist_from *@*.science
blacklist_from *@comaxe.cloud
blacklist_from *@everlustinglife.com
blacklist_from *@*.cash
blacklist_from *@folowaunt.de
blacklist_from *@instarte.online
blacklist_from *@*.org.rs
blacklist_from *@domainadmin.com blacklist_from *@domainadmin.com
blacklist_from *@werstalli.eu blacklist_from *@werstalli.eu
blacklist_from *@moneyempiregroup.com blacklist_from *@moneyempiregroup.com
@@ -333,6 +315,7 @@ blacklist_from *@autosuggest-business.info
blacklist_from *@*.cc blacklist_from *@*.cc
blacklist_from *@maine-edu.us blacklist_from *@maine-edu.us
blacklist_from *@netepase.pl blacklist_from *@netepase.pl
blacklist_from *@pfei.shop
blacklist_from Mike.McDermott@pfizer-group.com blacklist_from Mike.McDermott@pfizer-group.com
blacklist_from *@*.su blacklist_from *@*.su
blacklist_from *@*apoll23-buiss-nl.it blacklist_from *@*apoll23-buiss-nl.it
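Review bot: The `whitelist_from *@amazon.de` entries (and the rest of that block) compare only the From: header, which is trivially forged, so a phisher sending as `anything@amazon.de` collects the whitelist bonus regardless of SPF or DKIM; the `blacklist_from` list below is the inverse direction and is not affected. Switch the allow side to the authenticated form, e.g. `whitelist_from_auth *@amazon.de`, which only applies when the domain passes SPF or DKIM. If the installed SpamAssassin is 4.x, the current spellings are `welcomelist_from_auth` / `blocklist_from` with the old names kept as aliases — a header comment naming the targeted version would avoid confusion.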


@@ -17,7 +17,6 @@
- vim - vim
- wget - wget
- ncdu - ncdu
- unzip
state: present state: present
update_cache: true update_cache: true


@@ -1,6 +1,6 @@
--- ---
vaultwarden_version: "1.34.3-2" vaultwarden_version: "1.33.2-0"
vaultwarden_url: "https://github.com/dionysius/vaultwarden-deb/releases/download/debian/{{ vaultwarden_version }}/vaultwarden_{{ vaultwarden_version }}.{{ ansible_distribution_release }}_amd64.deb" vaultwarden_url: "https://github.com/dionysius/vaultwarden-deb/releases/download/debian/{{ vaultwarden_version }}/vaultwarden_{{ vaultwarden_version }}.{{ ansible_distribution_release }}_amd64.deb"
vaultwarden_web_version: "2025.8.0.0-1" vaultwarden_web_version: "2025.1.1-2"
vaultwarden_web_url: "https://github.com/dionysius/vaultwarden-web-vault-deb/releases/download/debian/{{ vaultwarden_web_version }}/vaultwarden-web-vault_{{ vaultwarden_web_version }}.{{ ansible_distribution_release }}_all.deb" vaultwarden_web_url: "https://github.com/dionysius/vaultwarden-web-vault-deb/releases/download/debian/{{ vaultwarden_web_version }}/vaultwarden-web-vault_{{ vaultwarden_web_version }}.bookworm_all.deb"
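Review bot: `vaultwarden_web_url` now hard-codes `.bookworm_all.deb` while `vaultwarden_url` two lines above still derives the suite from `{{ ansible_distribution_release }}`, so on any non-bookworm host the two packages are fetched for different releases and the web-vault URL may simply 404. Use the same variable in both: `…/vaultwarden-web-vault_{{ vaultwarden_web_version }}.{{ ansible_distribution_release }}_all.deb`. Both .debs come from a third-party GitHub release and are presumably installed as root by a task outside this file; if that task verifies no digest or signature, a `vaultwarden_sha256` / `vaultwarden_web_sha256` pair kept next to these versions would give it something to check.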


@@ -0,0 +1,7 @@
fastcgi_cache_path
/dev/shm/nginx
levels=1:2
keys_zone=wpdojo:25m
inactive=1h
max_size=250m;


@@ -0,0 +1,6 @@
---
- name: Restart nginx
ansible.builtin.service:
name: nginx
state: restarted
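Review bot: `state: restarted` on this handler drops every open connection (including in-flight uploads, relevant given the 2G `client_max_body_size` in this role's vhosts) for what the only notifier — a cache config copy — is a pure configuration change. nginx picks up configuration with `reloaded`, and a reload of an invalid config is reported as a failed handler rather than a downed service; change the line to `state: reloaded` but keep the handler name so the existing `notify: Restart nginx` still matches, or add a comment explaining why a full restart is required if it is.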


@@ -2,5 +2,5 @@
- name: Init DB - name: Init DB
ansible.builtin.include_tasks: db.yml ansible.builtin.include_tasks: db.yml
- name: Install wordpress - name: WP for NintendojoFR
ansible.builtin.include_tasks: wordpress.yml ansible.builtin.include_tasks: wp_dojo.yml


@@ -1,104 +0,0 @@
---
## Remove the previous app & install the new version
- name: Remove wordpress previous version
ansible.builtin.file:
state: absent
dest: "{{ wordpress_app_home }}"
- name: Create app home
ansible.builtin.file:
state: directory
dest: "{{ wordpress_app_home }}"
owner: root
group: www-data
mode: "0o750"
- name: Install wordpress application
ansible.builtin.unarchive:
remote_src: true
src: "{{ wordpress_url }}"
dest: "{{ wordpress_app_home }}"
owner: root
group: www-data
mode: "a-rwx,u+rwX,g+rX"
extra_opts: ['--strip-components=1']
exclude: "{{ wordpress_userdata_app_dirs | map('regex_replace', '^', 'wordpress/') }}"
## Ensure the data dirs exist, populate them if not
- name: Create data home
ansible.builtin.file:
state: directory
path: "{{ wordpress_data_home }}"
owner: www-data
group: www-data
mode: "a-rwx,u+rwX,g+rX"
# If the first data dir exists, other should exist too
- name: Get data dir
ansible.builtin.stat:
path: "{{ wordpress_data_home }}/{{ wordpress_userdata_app_dirs[0] }}"
register: _wordpress_userdata_dir_stat
- name: Install wordpress data dir
when: not _wordpress_userdata_dir_stat.stat.exists
block:
- name: Unarchive wp-content
ansible.builtin.unarchive:
remote_src: true
src: "{{ wordpress_url }}"
dest: "{{ wordpress_data_home }}"
owner: www-data
group: www-data
mode: "a-rwx,u+rwX,g+rX"
extra_opts: ['--strip-components=1']
include: "{{ wordpress_userdata_app_dirs | map('regex_replace', '^', 'wordpress/') | first }}"
## no-wp doesnt exist by default, creating it
- name: Create no-wp
ansible.builtin.file:
state: directory
dest: "{{ wordpress_data_home }}/no-wp"
owner: www-data
group: www-data
mode: "0o750"
- name: Link wordpress userdata dirs
ansible.builtin.file:
state: link
src: "{{ wordpress_data_home }}/{{ item }}"
dest: "{{ wordpress_app_home }}/{{ item }}"
loop: "{{ wordpress_userdata_app_dirs }}"
# Put config file
- name: Get secret-key salt
ansible.builtin.uri:
url: "https://api.wordpress.org/secret-key/1.1/salt/"
return_content: true
register: _wordpress_secret_salt
- name: Put wordpress configuration file
ansible.builtin.template:
src: wp-config.php.j2
dest: "{{ wordpress_config_path }}"
owner: root
group: www-data
mode: "0o640"
vars:
salt_block: "{{ _wordpress_secret_salt.content }}"
# Handle languages
- name: Find & delete default language files inside wp-content
ansible.builtin.command:
cmd: "find {{ wordpress_data_home }}/wp-content/languages/ -type f -maxdepth 1 -delete"
changed_when: true
- name: Reextract language files
ansible.builtin.unarchive:
remote_src: true
src: "{{ wordpress_url }}"
dest: "{{ wordpress_data_home }}"
owner: www-data
group: www-data
mode: "a-rwx,u+rwX,g+rX"
extra_opts: ['--strip-components=1']
include: "wordpress/wp-content/languages/"


@@ -0,0 +1,16 @@
---
- name: Put nginx cache configuration file
ansible.builtin.copy:
src: files/fastcgi_cache.conf
dest: /etc/nginx/conf.d/fastcgi_cache.conf
mode: "0o644"
notify:
- Restart nginx
- name: Cron for wordpress
ansible.builtin.cron:
name: "WP Twitter refresh"
user: www-data
minute: "*/2"
job: "/usr/bin/wget -q -O - https://www.nintendojo.fr/wp-cron.php &> /dev/null"
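Review bot: The cron job `wget -q -O - https://www.nintendojo.fr/wp-cron.php &> /dev/null` uses the bash-only `&>` redirection, but cron runs jobs under `/bin/sh` (dash on Debian) unless `SHELL` is set, which parses it as `wget … &` followed by a bare `> /dev/null`: wget is backgrounded with its stdout still attached to cron, so the page body is mailed to www-data every two minutes. Write it portably: `job: "/usr/bin/wget -q -O /dev/null https://www.nintendojo.fr/wp-cron.php > /dev/null 2>&1"`. The copy task's `mode: "0o644"` does parse, but `"0644"` is what readers of Ansible roles expect, and a comment that `fastcgi_cache_path` is an http-level directive that must appear exactly once would explain why it lives in `conf.d` rather than the vhost.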


@@ -1,98 +0,0 @@
<?php
/**
* La configuration de base de votre installation WordPress.
*
* Ce fichier contient les réglages de configuration suivants : réglages MySQL,
* préfixe de table, clefs secrètes, langue utilisée, et ABSPATH.
* Vous pouvez en savoir plus à leur sujet en allant sur
* {@link http://codex.wordpress.org/Editing_wp-config.php Modifier
* wp-config.php} (en anglais). C'est votre hébergeur qui doit vous donner vos
* codes MySQL.
*
* Ce fichier est utilisé par le script de création de wp-config.php pendant
* le processus d'installation. Vous n'avez pas à utiliser le site web, vous
* pouvez simplement renommer ce fichier en "wp-config.php" et remplir les
* valeurs.
*
* @package WordPress
*/
// ** Réglages MySQL - Votre hébergeur doit vous fournir ces informations. ** //
/** Nom de la base de données de WordPress. */
define('DB_NAME', '{{ wordpress_maria_database }}');
/** Utilisateur de la base de données MySQL. */
define('DB_USER', '{{ wordpress_maria_user }}');
/** Mot de passe de la base de données MySQL. */
define('DB_PASSWORD', '{{ wordpress_maria_password }}');
/** Adresse de l'hébergement MySQL. */
define('DB_HOST', 'localhost');
/** Jeu de caractères à utiliser par la base de données lors de la création des tables. */
define('DB_CHARSET', 'utf8');
/** Type de collation de la base de données.
* N'y touchez que si vous savez ce que vous faites.
*/
define('DB_COLLATE', '');
/**
* Allows direct update of extensions
*/
define('FS_METHOD', 'direct');
/**#@+
* Clefs uniques d'authentification et salage.
*
* Remplacez les valeurs par défaut par des phrases uniques !
* Vous pouvez générer des phrases aléatoires en utilisant
* {@link https://api.wordpress.org/secret-key/1.1/salt/ le service de clefs secrètes de WordPress.org}.
* Vous pouvez modifier ces phrases à n'importe quel moment, afin d'invalider tous les cookies existants.
* Cela forcera également tous les utilisateurs à se reconnecter.
*
* @since 2.6.0
*/
{{ salt_block }}
/**#@-*/
/**
* Préfixe de base de données pour les tables de WordPress.
*
* Vous pouvez installer plusieurs WordPress sur une seule base de données
* si vous leur donnez chacune un préfixe unique.
* N'utilisez que des chiffres, des lettres non-accentuées, et des caractères soulignés!
*/
$table_prefix = 'wp_';
/**
* Langue de localisation de WordPress, par défaut en Anglais.
*
* Modifiez cette valeur pour localiser WordPress. Un fichier MO correspondant
* au langage choisi doit être installé dans le dossier wp-content/languages.
* Par exemple, pour mettre en place une traduction française, mettez le fichier
* fr_FR.mo dans wp-content/languages, et réglez l'option ci-dessous à "fr_FR".
*/
define('WPLANG', 'fr_FR');
/**
* Pour les développeurs : le mode deboguage de WordPress.
*
* En passant la valeur suivante à "true", vous activez l'affichage des
* notifications d'erreurs pendant votre essais.
* Il est fortemment recommandé que les développeurs d'extensions et
* de thèmes se servent de WP_DEBUG dans leur environnement de
* développement.
*/
define('WP_DEBUG', false);
/* C'est tout, ne touchez pas à ce qui suit ! Bon blogging ! */
/** Chemin absolu vers le dossier de WordPress. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');
/** Réglage des variables de WordPress et de ses fichiers inclus. */
require_once(ABSPATH . 'wp-settings.php');


@@ -1,17 +0,0 @@
---
wordpress_version: "6.9"
wordpress_url: "https://fr.wordpress.org/wordpress-{{ wordpress_version }}-fr_FR.tar.gz"
wordpress_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'wordpress') | map(attribute='host') | first }}"
# Access path
wordpress_app_home: "/var/www/{{ wordpress_access_url }}"
wordpress_data_home: "/srv/www-data/{{ wordpress_access_url }}"
# App dirs
wordpress_userdata_app_dirs:
- wp-content
- no-wp
wordpress_config_path: "{{ wordpress_app_home }}/wp-config.php"


@@ -10,5 +10,5 @@
- name: Set default CA - name: Set default CA
ansible.builtin.command: /etc/x509/acme.sh --set-default-ca --server letsencrypt ansible.builtin.command: /etc/x509/acme.sh --set-default-ca --server letsencrypt
register: x509_acme_output register: acme_output
changed_when: x509_acme_output.rc != 0 changed_when: acme_output.rc != 0