


VC
ed61026b45 : add smtp global relay
Some checks failed
ansible-lint / lint-everything (push) Failing after 1m22s
2025-03-29 11:44:21 +01:00
144 changed files with 411 additions and 3316 deletions


@@ -1 +0,0 @@
roles/nsd/tasks/zones.yml no-tabs


@@ -2,5 +2,5 @@
nocows = 1
callbacks_enabled = profile_tasks
roles_path = roles
result_format = yaml
stdout_callback = yaml
vault_password_file = ~/.ansible-vault
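Review bot: `result_format = yaml` and `stdout_callback = yaml` are not interchangeable, and one of them is the line this hunk swaps: `stdout_callback = yaml` selects the `community.general.yaml` callback plugin, which that collection has deprecated, while `result_format = yaml` is the ansible-core (2.13+) option on the default callback that gives the same output without the extra collection. If the `stdout_callback` form is the side kept, expect a deprecation warning and eventual breakage when the collection drops the plugin. The `+`/`-` markers are not rendered, so which line is new cannot be confirmed here.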


@@ -1,3 +0,0 @@
---
global_public_ip_address: 82.66.135.228


@@ -2,14 +2,18 @@
zones:
- name: giteu.be
parking: true
- name: libertus.eu
- name: mateu.be
- name: monder.ch
parking: true
- name: nintendojo.fr
- name: nintendojofr.com
- name: nouvelempire.net
parking: true
- name: pipoworld.fr
parking: true
- name: sebicomics.com
tsig_key: !vault |
$ANSIBLE_VAULT;1.1;AES256


@@ -6,7 +6,6 @@ web_hostname:
- host: btf.mateu.be
allowlistv4:
- 88.175.123.77/32
- 109.9.84.47/32
allowlistv6:
- 2a01:e0a:9bd:2811::/64
- 2a01:e0a:9bd:2810::/64
@@ -16,7 +15,6 @@ web_hostname:
- 2001:910:13c8::/48
- 2a01:e0a:bde:d350::/64
- 2a01:cb00:f55:2d00::/64
- 2a01:cb00:89e3:2c00::/64
nginx_extra_mods:
- fancyindex


@@ -1,3 +0,0 @@
---
natted_ipv4: "{{ global_public_ip_address }}"


@@ -1,7 +1,6 @@
---
web_hostname:
- host: garage.mateu.be
- host: admin.garage.mateu.be
- host: mastodon-ndfr.garage.mateu.be
- host: medias.m.nintendojo.fr
- host: nextcloud-libertus.garage.mateu.be


@@ -1,7 +1,6 @@
---
web_hostname:
- host: libertus.eu
acme_reload_cmd: "systemctl restart prosody.service"
- host: upload.libertus.eu
- host: xmpp.libertus.eu


@@ -1,13 +1,6 @@
---
web_hostname:
- host: mail-relay.mateu.be
acme_reload_cmd: "systemctl restart postfix.service"
allowed_smtp_ips: "{{ [global_public_ip_address] + ['80.67.179.200'] }}"
allowed_smtp_ips: ["82.66.135.228", "80.67.179.200"]
global_smtp_relay_allowed_ips: "{{ allowed_smtp_ips }}"
ufw_allowed_smtp_ips: "{{ allowed_smtp_ips }}"
nsd_master: true
nsd_ansible_host: "nsd-master1.ext.mateu.be"
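Review bot: `allowed_smtp_ips` is the relay's trust list, and the literal form `allowed_smtp_ips: ["82.66.135.228", "80.67.179.200"]` repeats the same addresses that appear verbatim in the postfix `mynetworks` line of main.cf.j2 elsewhere in this compare; whichever side is current, keep a single source so the firewall allowlist (`ufw_allowed_smtp_ips`) and postfix's relay trust cannot drift apart. The templated form `{{ [global_public_ip_address] + ['80.67.179.200'] }}` depends on `global_public_ip_address`, which this compare also deletes from a group_vars file (`@@ -1,3 +0,0 @@`), so the two files have to move together. The file header and `+`/`-` markers are not rendered, so which form survives cannot be confirmed from the page.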


@@ -1,6 +1,4 @@
---
web_hostname:
- host: imap.libertus.eu
acme_reload_cmd: "systemctl restart dovecot.service"
- host: smtp.libertus.eu
acme_reload_cmd: "systemctl restart postfix.service"


@@ -13,10 +13,9 @@ web_hostname:
type: bac
- host: mail.libertus.eu
type: roundcube
- host: perso.nintendojo.fr
- host: perso.libertus.eu
- host: r.mateu.be
san:
- perso.libertus.eu
- perso.nintendojo.fr
- host: ff.libertus.eu
type: firefly3
- host: koi.libertus.eu


@@ -2,16 +2,13 @@
php_modules: ['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'xml', 'bcmath', 'curl', 'imagick']
web_hostname:
- host: nintendojo.fr
- host: www.nintendojo.fr
type: wordpress
san:
- nintendojo.fr
- host: wwwdev.nintendojo.fr
- host: forum.nintendojo.fr
type: phpbb
- host: nintendojofr.com
- host: www.nintendojofr.com
type: retrodojo
san:
- nintendojofr.com
- host: forum.nintendojofr.com
mariadb_root_pass: !vault |
@@ -22,16 +19,6 @@ mariadb_root_pass: !vault |
3437653064323138310a663363373736623931336432376466316666616234356133383263373136
31343534663063663134306464306234366430323762656165653930333134326231
phpbb_maria_database: "dojo_forum"
phpbb_maria_user: "adm_forum"
phpbb_maria_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
65306237643235363962653566336537303632386466646462656234333836396630306438336632
3334663566303963646135313265643235623538633463650a663637386436306538616266626232
36373332396338326437663832383237623836643137323432323435333231633363386432303830
3465306161666563630a356462363561653431303438653935346564343861303962363030323633
3632
wordpress_maria_database: "dojo_wp"
wordpress_maria_user: "adm_wp"
wordpress_maria_password: !vault |
@@ -51,3 +38,12 @@ retrodojo_maria_password: !vault |
65386530353032336161353330313863623231646632643861666562353764373066663337353063
6364633734323732390a363539333537396164633965346637313532666366336362346663326661
6663
webapps_htpasswd_editeurs: !vault |
$ANSIBLE_VAULT;1.1;AES256
63663638356139373663646639633762393761333536393331363066353039393266306638326336
3235353238666261373032363633626333646662343461330a393534633530353330323637386239
63336532646235663732623561333963643436353165633165663430313132626561363361333736
6662313535333063390a386532313335663836393562656564306633303933633234393139316131
61376332373961303961303963656565633639333130346565386361313338346235623434616239
6637613630333963363963646465633939663863356633373264


@@ -2,23 +2,16 @@
php_modules: ['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'xml', 'bcmath', 'curl', 'imagick']
web_hostname:
- host: wwwdev.nintendojo.fr
type: wordpress
- host: sebicomics.com
- host: www.sebicomics.com
mariadb_root_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
65373663323065306532306235313032383331353337396131383766323535633831383062393632
3438613735613365333264356465336162346263666236300a306234336566303863346539343531
37313932653964366233393038306235353134356230653336306232373430386662306634616431
6332333837663064340a643535386465626636343436303263666333383461383730396135396666
3539
66613630653961396639336136333837343866646263353135303233383336356166663466623438
6438653832313536363631336363306337366165616561370a316466353535313164623934626563
65343238333661333765636131323962316637613036393366343161343162393337376232633432
3233653232353534370a393962663766623237313166333638343561306134663062333230333635
63343339363833626136646134353365393734346561613262633531386135366634
wordpress_maria_database: "dojo_wpdev"
wordpress_maria_user: "adm_wpdev"
wordpress_maria_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
66613837353166633536656166383232646232303535643931313531636230353265633638626231
6231323738656466333164326238666166383931633133380a633764366462323261376632666565
63646365636133363338383233653930663139343238313131313365646663393761656361333332
6634333736356438390a316237373836373132666334306661363863383665663139623935646437
6331
# 283M of base memory + 20MB/connection -> 1267M of RAM max
mariadb_max_connections: 50


@@ -1,48 +0,0 @@
---
php_modules: ['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'xml', 'curl']
web_hostname:
- host: amp.mateu.be
type: ampache
mariadb_root_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
31383364656638313430656537323233316335356361303262623138313364383066343536643961
6332343162326361313039623132373334366436393565340a373137643666333937353339616639
62313461306232383261323363656636623961373462316236396161376466386237376434663165
3739333432313636390a343366626138663361653936306134323539393034316332666431633739
38633832326663623061396131316636336233373939393061363565653233636164
ampache_maria_user: "adm_ampache"
ampache_maria_database: "libertus_ampache"
ampache_maria_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
34313061393731613038613462303864626137623631313965356638316465643035373964373765
6633666431663139653832323836306162636465626335610a386535653238333836666162303637
33616535383332626461643634343065653432613063346263363366363733363165343230663436
3231333639313666350a373561613938326631336430346135323438626265666639333234396161
63316432353261653163336638613538383537656635636463393665336332653231
ampache_secret_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
37353866623062613737313866323261363334633965313064366366333839653862376538363463
3330386361393362306437663163326330373635313063650a633866633032343162393231326266
63393565306465386361373236363135376666323663393966653564393066653039336137663265
6634356164636436610a626362646239343432663037623934393030356131663434303763663337
37323230613639376363346230346261323962616633636632623139656435363838
ampache_musicbrainz_username: !vault |
$ANSIBLE_VAULT;1.1;AES256
39363439306662643164353238343131303764316238663366633737626338306431666133363161
3632346334666466663935323638393065383030353338620a646265326135663266643235376235
36343831376137323661363535366535376430616230316562323131326634633636393432326462
3738303732366366620a633464616266666330386563393133613063333863663037373861366336
65623863393766376365643537636361636332373535393633636465616566366432333636643363
6236653638303435303134626630383634343132336463313565
ampache_musicbrainz_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
37363533353764366533343334383663356431646530633034333036306630376136346238653937
6165353865386239386433323263343636356635646134640a363734336266663833636431353634
61306165376364393563306666306630623538316632633666653732363830626662333336653135
6634656263326230360a323932396639666464353463333063613732363334333763613832366139
33633432346164373164613832326264646463336134336436623765313535376662303063306164
3164363264383832363135646331656537663262323463396137


@@ -1,6 +1,6 @@
---
plugin: community.proxmox.proxmox
plugin: community.general.proxmox
url: https://serenor.dmz.mateu.be:8006
user: !vault |
$ANSIBLE_VAULT;1.1;AES256


@@ -25,15 +25,6 @@ physicalservers:
hosts:
frederica:
serenor:
ks3370405:
nsdservers:
hosts:
ks3370405:
webservers:
hosts:
ks3370405:
hypervisors:
children:
@@ -74,7 +65,6 @@ resticservers:
disabled_loadbalanced_webservers:
hosts:
ks3370405:
disabled_system:
hosts:
@@ -89,7 +79,6 @@ disabled_munin:
muse-HP-EliteBook-820-G2:
pinkypie:
ks3370405:
haos:
disabled_syslog:
hosts:
@@ -98,7 +87,6 @@ disabled_syslog:
muse-HP-EliteBook-820-G2:
pinkypie:
ks3370405:
haos:
# Those are not servers and should not be configured as such
disabled_server_conf:


@@ -1,7 +1,7 @@
---
- name: Retrieve network info for physical machines
hosts: physicalservers
- name: Retrieve network info
hosts: all:!disabled_server_conf:!machinbox
gather_facts: true
gather_subset:
- network


@@ -10,4 +10,5 @@
hosts: actrunnerservers
diff: true
roles:
- docker
- act_runner


@@ -3,4 +3,5 @@
- name: Install & configure the global SMTP relay
hosts: ks3370405
roles:
- ufw
- global_smtp_relay


@@ -1,5 +1,12 @@
---
- name: Retrieve network info
hosts: webservers:!disabled_loadbalanced_webservers
gather_facts: true
gather_subset:
- network
tasks: []
- name: Deploy haproxy
hosts: lbservers
diff: true


@@ -1,7 +0,0 @@
---
- name: Deploy NSD
hosts: nsdservers
diff: true
roles:
- nsd


@@ -1,6 +0,0 @@
---
- name: Install podman
hosts: podmanservers
roles:
- podman


@@ -18,12 +18,8 @@
import_playbook: firewall.yml
- name: Run mail playbook
import_playbook: mail.yml
- name: Run ufw plabook
import_playbook: ufw.yml
- name: Run global_smtprelay playbook
import_playbook: global_smtprelay.yml
- name: Run nsd playbook
import_playbook: nsd.yml
- name: Run xmpp playbook
import_playbook: xmpp.yml
- name: Run webservers playbook
@@ -54,8 +50,6 @@
import_playbook: peertube.yml
- name: Run elasticsearch playbook
import_playbook: elasticsearch.yml
- name: Run podman playbook
import_playbook: podman.yml
- name: Run gitea playbook
import_playbook: gitea.yml
- name: Run vaultwarden playbook


@@ -1,6 +0,0 @@
---
- name: Install & configure UFW
hosts: ks3370405
roles:
- ufw


@@ -23,23 +23,5 @@
hosts: web2
diff: true
roles:
- role: wordpress
tags: [never, wordpress]
- role: phpbb
tags: [never, phpbb]
- role: retrodojo
tags: [never, retrodojo]
- name: Install dojo webapplications
hosts: web3
diff: true
roles:
- role: wordpress
tags: [never, wordpress]
- name: Install libertus webapplications
hosts: web4
diff: true
roles:
- role: ampache
tags: [never, ampache]
- wordpress
- retrodojo


@@ -1,5 +1,12 @@
---
- name: Retrieve network info
hosts: lbservers
gather_facts: true
gather_subset:
- network
tasks: []
- name: Deploy web servers
hosts: webservers
diff: true


@@ -1,7 +1,14 @@
---
- name: Configure act_runner user
ansible.builtin.include_tasks: user.yml
- name: Create act_runner user
ansible.builtin.user:
name: "{{ act_runner_user }}"
state: present
system: true
create_home: true
home: "{{ act_runner_home }}"
groups:
- docker
- name: Download act_runner executable
ansible.builtin.get_url:
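Review bot: Creating the act_runner user with `groups: - docker` makes the runner root-equivalent on the host, because anything that can talk to the Docker socket can mount the host filesystem and escalate, and this user executes CI jobs defined by repository content; the rootless-podman setup it replaces (subuid/subgid ranges, `loginctl enable-linger`, a per-user `podman.socket` in the deleted user.yml) did not have that property. If rootful Docker is required, restrict which repositories may dispatch jobs to this runner and treat the host as disposable; otherwise Docker's rootless mode or the podman path keeps the isolation. user.yml itself is removed outright in this compare (`@@ -1,33 +0,0 @@`), so if the `ansible.builtin.include_tasks: user.yml` line were the surviving one the role would fail on a missing file. The `Download act_runner executable` task continues outside the hunk.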


@@ -1,33 +0,0 @@
---
- name: Create act_runner user
ansible.builtin.user:
name: "{{ act_runner_user }}"
state: present
system: true
create_home: true
home: "{{ act_runner_home }}"
register: _act_runner_user
- name: Configure subuid/subgid
ansible.builtin.lineinfile:
path: "/etc/{{ item }}"
state: present
line: "{{ act_runner_user }}:100000:65536"
loop:
- subuid
- subgid
- name: Enable linger
ansible.builtin.command:
cmd: "/usr/bin/loginctl enable-linger {{ act_runner_user }}"
creates: "/var/lib/systemd/linger/{{ act_runner_user }}"
- name: Ensure podman is started
ansible.builtin.systemd_service:
name: podman.socket
state: started
enabled: true
scope: user
become: true
become_user: "{{ act_runner_user }}"


@@ -11,7 +11,6 @@ TimeoutSec=0
RestartSec=10
Restart=always
User={{ act_runner_user }}
Environment=DOCKER_HOST="unix:///run/user/{{ _act_runner_user.uid }}/podman/podman.sock"
[Install]
WantedBy=multi-user.target


@@ -1,8 +1,8 @@
---
act_runner_version: "0.2.13"
act_runner_version: "0.2.11"
act_runner_url: "https://gitea.com/gitea/act_runner/releases/download/v{{ act_runner_version }}/act_runner-{{ act_runner_version }}-linux-amd64"
act_runner_home: "/srv/act_runner"
act_runner_home: "/var/lib/act_runner"
act_runner_bin: "/usr/local/bin/act_runner"
act_runner_user: "act_runner"


@@ -1,42 +0,0 @@
---
## Remove the previous app & install the new version
- name: Remove Ampache previous version
ansible.builtin.file:
state: absent
dest: "{{ ampache_app_home }}"
- name: Create app home
ansible.builtin.file:
state: directory
dest: "{{ ampache_app_home }}"
owner: root
group: www-data
mode: "0o750"
- name: Install ampache application
ansible.builtin.unarchive:
remote_src: true
src: "{{ ampache_url }}"
dest: "{{ ampache_app_home }}"
owner: root
group: www-data
mode: "a-rwx,u+rwX,g+rX"
# exclude: "{{ firefly3_userdata_app_dirs | map('regex_replace', '^', './') }}"
- name: Put config file
ansible.builtin.template:
src: "ampache.cfg.php.j2"
dest: "{{ ampache_app_home }}/config/ampache.cfg.php"
owner: root
group: www-data
mode: "0o640"
## Ensure the data dirs exists, populate them if not
- name: Create data home
ansible.builtin.file:
state: directory
path: "{{ ampache_data_home }}"
owner: www-data
group: www-data
mode: "0o750"


@@ -1,20 +0,0 @@
---
- name: Create ampache db
community.mysql.mysql_db:
login_unix_socket: "/var/run/mysqld/mysqld.sock"
login_user: root
login_password: "{{ mariadb_root_pass }}"
name: "{{ ampache_maria_database }}"
state: present
encoding: utf8mb4
collation: utf8mb4_general_ci
- name: Create ampache db read/write user
community.mysql.mysql_user:
login_unix_socket: "/var/run/mysqld/mysqld.sock"
login_user: root
login_password: "{{ mariadb_root_pass }}"
name: "{{ ampache_maria_user }}"
password: "{{ ampache_maria_password }}"
priv: "{{ ampache_maria_database }}.*:ALL"


@@ -1,7 +0,0 @@
---
- name: Init db
ansible.builtin.include_tasks: db.yml
- name: Install ampache
ansible.builtin.include_tasks: ampache.yml



@@ -1,10 +0,0 @@
---
ampache_version: "7.7.2"
ampache_url: "https://github.com/ampache/ampache/releases/download/{{ ampache_version }}/ampache-{{ ampache_version }}_all_php{{ php_version }}.zip"
ampache_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'ampache') | map(attribute='host') | first }}"
# Access path
ampache_app_home: "/var/www/{{ ampache_access_url }}"
ampache_data_home: "/srv/www-data/{{ ampache_access_url }}"


@@ -0,0 +1,39 @@
---
- name: Install prerequired packages
ansible.builtin.package:
name: fuse-overlayfs
state: present
update_cache: true
- name: Download gpg key
ansible.builtin.get_url:
url: "{{ docker_key_url }}"
dest: "{{ docker_key_path }}"
owner: root
group: root
mode: "0o644"
- name: Set docker source repo
ansible.builtin.copy:
content: "deb [arch=amd64 signed-by={{ docker_key_path }}] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
dest: /etc/apt/sources.list.d/docker.list
mode: "0o644"
- name: Install docker packages
ansible.builtin.package:
name:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-buildx-plugin
- docker-compose-plugin
state: present
update_cache: true
- name: Ensure docker is started
ansible.builtin.systemd:
name: docker
state: started
enabled: true
daemon_reload: true
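Review bot: The `Download gpg key` task fetches the apt signing key with no `checksum:`, so the only thing authenticating the key that every later `docker-ce` install will trust is the TLS connection to download.docker.com at run time; pin it, e.g. `checksum: "sha256:<digest of the expected key>"` (placeholder), so a substituted key fails the play instead of being written to `/etc/apt/keyrings/docker.asc`. The `[arch=amd64 signed-by={{ docker_key_path }}]` scoping on the sources line is the right shape. The package list in `Install docker packages` is unpinned, so each run installs whatever the repo currently publishes; acceptable for a runner host, but worth a one-line comment saying so.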


@@ -0,0 +1,4 @@
---
docker_key_url: "https://download.docker.com/linux/debian/gpg"
docker_key_path: "/etc/apt/keyrings/docker.asc"


@@ -1,72 +1,62 @@
dovecot_config_version = "2.4.1"
dovecot_storage_version = "2.4.1"
# 2.2.13: /etc/dovecot/dovecot.conf
# ajout de lmtp (service pour déterminer la socket, protocol pour récupérer les mêmes fonctions que le LDA)
# ajout de auth_username_format = %Ln pour vérifier que l'utilisateur est bien dans la base locale en passant par son nom et non par autre chose…
# 2018-08-20 mortal réintégration du fichier séparé 15-mailbox.conf + nettoyage/réorganisation + réécriture sieve globale
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.0
listen = *,[::]
protocols = imap lmtp
ssl = required
ssl_server_cert_file = /etc/x509/imap.libertus.eu/fullchain.cer
ssl_server_key_file = /etc/x509/imap.libertus.eu/imap.libertus.eu.key
ssl_cert = </etc/x509/imap.libertus.eu/fullchain.cer
ssl_key = </etc/x509/imap.libertus.eu/imap.libertus.eu.key
#auth_debug=yes
#auth_debug_passwords=yes
auth_username_format = %{ user | username | lower }
auth_username_format = %Ln
mail_driver = maildir
mail_path = %{home}/Maildir
passdb pam {
passdb {
driver = pam
}
userdb passwd {
userdb {
driver = passwd
}
sieve_script personal {
path = ~/sieve
active_path = ~/sieve/default.sieve
plugin {
sieve = ~/sieve/default.sieve
sieve_dir = ~/sieve
sieve_before = /etc/dovecot/before.sieve
}
sieve_script before {
type = before
path = /etc/dovecot/before.sieve
bin_path = ~/sieve
}
service auth {
inet_listener auth {
inet_listener {
address = * [::]
port = 26
}
}
protocol sieve {
mail_location = maildir:~/Maildir
}
service lmtp {
inet_listener ltmp {
address = 127.0.0.1 ::1
port = 24
}
}
protocol sieve {
}
protocol imap {
mail_plugins {
imap_sieve = yes
}
}
protocol lmtp {
mail_plugins {
sieve = yes
}
mail_location = maildir:~/Maildir
mail_plugins = sieve
}
protocol lda {
mail_plugins {
sieve = yes
}
mail_location = maildir:~/Maildir
mail_plugins = sieve
postmaster_address = postmaster@example.com
}
@@ -93,3 +83,4 @@ namespace inbox {
special_use = \Sent
}
}
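Review bot: `service auth` keeps an `inet_listener` on `address = * [::]` / `port = 26`, which is the unauthenticated password-verification socket postfix uses for SASL; bound to every address it lets any peer that can reach port 26 test credentials against the local passdb, so bind it to the address the relay connects from (or use a unix socket) and confirm the firewall keeps it off the WAN. That listener is unchanged context in this hunk, so the exposure predates the commit. `postmaster_address = postmaster@example.com` in `protocol lda` is still the placeholder value, and `inet_listener ltmp` is a typo for lmtp (cosmetic, it is only a listener name). The `namespace inbox` block in the second hunk starts outside the hunk.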


@@ -15,7 +15,7 @@
- name: Set elasticsearch source repo
ansible.builtin.copy:
content: "deb [signed-by={{ elasticsearch_key_path }}] https://artifacts.elastic.co/packages/8.x/apt stable main"
content: "deb [signed-by={{ elasticsearch_key_path }}] https://artifacts.elastic.co/packages/7.x/apt stable main"
dest: /etc/apt/sources.list.d/elasticsearch.list
mode: "0o644"


@@ -1,6 +1,6 @@
---
firefly3_version: "6.4.9"
firefly3_version: "6.2.10"
firefly3_url: "https://github.com/firefly-iii/firefly-iii/releases/download/v{{ firefly3_version }}/FireflyIII-v{{ firefly3_version }}.tar.gz"
firefly3_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'firefly3') | map(attribute='host') | first }}"


@@ -120,7 +120,7 @@ config rule
config rule
option name 'Allow-DMZ-Syslog'
option dest 'dmz'
option dest_ip '{{ hostvars['syslog'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['syslog']['ansible_default_ipv4']['address'] }}'
option dest_port '514'
list proto 'udp'
option target 'ACCEPT'
@@ -173,7 +173,7 @@ config redirect
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['haproxy'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['haproxy']['ansible_default_ipv4']['address'] }}'
option dest_port '80'
option target 'DNAT'
@@ -184,19 +184,19 @@ config redirect
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['haproxy'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['haproxy']['ansible_default_ipv4']['address'] }}'
option dest_port '443'
option target 'DNAT'
# Allow Web traffic IN
{% for host in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) | sort %}
{% for host in groups['webservers'] | sort %}
config rule
option name 'Allow-INPUT-{{ hostvars[host]['ansible_host'] }}-Web'
option src 'wan'
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars[host].ansible_default_ipv6.address | default(hostvars[host].proxmox_net0.ip6 | ansible.utils.ipaddr('address')) }}'
option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
option dest_port '80 443'
option target 'ACCEPT'
option family 'ipv6'
@@ -207,7 +207,7 @@ config rule
config rule
option name 'Allow-OUTPUT-BT'
option src 'dmz'
option src_ip '{{ hostvars['bt'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option src_ip '{{ hostvars['bt']['ansible_default_ipv4']['address'] }}'
list proto 'tcp'
list proto 'udp'
option dest 'wan'
@@ -217,7 +217,7 @@ config rule
config rule
option name 'Allow-OUTPUT-BT'
option src 'dmz'
option src_ip '{{ hostvars['bt'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
option src_ip '{{ hostvars['bt']['ansible_default_ipv6']['address'] }}'
list proto 'tcp'
list proto 'udp'
option dest 'wan'
@@ -230,7 +230,7 @@ config rule
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['bt'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['bt']['ansible_default_ipv6']['address'] }}'
option dest_port '10010'
option target 'ACCEPT'
option family 'ipv6'
@@ -242,7 +242,7 @@ config redirect
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['bt'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['bt']['ansible_default_ipv4']['address'] }}'
option dest_port '10010'
option target 'DNAT'
@@ -253,7 +253,7 @@ config rule
option src 'wan'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars[host].ansible_default_ipv6.address }}'
option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
option dest_port '80 8006'
option target 'ACCEPT'
option family 'ipv6'
@@ -267,7 +267,7 @@ config redirect
option src_dport '8006'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ first_hypervisor.ansible_default_ipv4.address }}'
option dest_ip '{{ first_hypervisor['ansible_default_ipv4']['address'] }}'
option dest_port '8006'
option target 'DNAT'
@@ -275,7 +275,7 @@ config redirect
config rule
option name 'Allow-OUTPUT-XMPP-s2s'
option src 'dmz'
option src_ip '{{ hostvars['jabber'].proxmox_net0.ip | ansible.utils.ipaddr('address')}}'
option src_ip '{{ hostvars['jabber']['ansible_default_ipv4']['address']}}'
list proto 'tcp'
list proto 'udp'
option dest 'wan'
@@ -286,7 +286,7 @@ config rule
config rule
option name 'Allow-OUTPUT-XMPP-s2s'
option src 'dmz'
option src_ip '{{ hostvars['jabber'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
option src_ip '{{ hostvars['jabber']['ansible_default_ipv6']['address'] }}'
list proto 'tcp'
list proto 'udp'
option dest 'wan'
@@ -301,7 +301,7 @@ config redirect
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['jabber'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['jabber']['ansible_default_ipv4']['address'] }}'
option dest_port '5222'
option target 'DNAT'
@@ -312,7 +312,7 @@ config redirect
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['jabber'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['jabber']['ansible_default_ipv4']['address'] }}'
option dest_port '5269'
option target 'DNAT'
@@ -322,7 +322,7 @@ config rule
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['jabber'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['jabber']['ansible_default_ipv6']['address'] }}'
option dest_port '5222 5269'
option target 'ACCEPT'
option family 'ipv6'
@@ -334,7 +334,7 @@ config rule
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['voice1'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['voice1']['ansible_default_ipv6']['address'] }}'
option dest_port '64738'
option target 'ACCEPT'
option family 'ipv6'
@@ -346,62 +346,15 @@ config redirect
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['voice1'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['voice1']['ansible_default_ipv4']['address'] }}'
option dest_port '64738'
option target 'DNAT'
# Allow DNS traffic
config rule
option name 'Allow-INPUT-DNS'
option src 'wan'
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['dns1'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
option dest_port '53'
option target 'ACCEPT'
option family 'ipv6'
config redirect
option name 'Allow-INPUT-DNS'
option src 'wan'
option src_dport '53'
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['dns1'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_port '53'
option target 'DNAT'
config rule
option name 'Allow-OUTPUT-DNS'
option src 'dmz'
option src_ip '{{ hostvars['dns1'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
list proto 'tcp'
list proto 'udp'
option dest 'wan'
option dest_port '53'
option dest_ip '{{ hostvars['ks3370405'].ansible_default_ipv4.address }}'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-OUTPUT-DNS'
option src 'dmz'
option src_ip '{{ hostvars['dns1'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
list proto 'tcp'
list proto 'udp'
option dest 'wan'
option dest_port '53'
option dest_ip '{{ hostvars['ks3370405'].ansible_default_ipv6.address }}'
option target 'ACCEPT'
option family 'ipv6'
# Allow mail traffic
config rule
option name 'Allow-OUTPUT-SMTP'
option src 'dmz'
option src_ip '{{ hostvars['mail'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option src_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
list proto 'tcp'
option dest 'wan'
option dest_port '25'
@@ -413,7 +366,7 @@ config rule
option src 'wan'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['mail']['ansible_default_ipv6']['address'] }}'
option dest_port '25 465 587'
option target 'ACCEPT'
option family 'ipv6'
@@ -423,7 +376,7 @@ config rule
option src 'wan'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['mail']['ansible_default_ipv6']['address'] }}'
option dest_port '143 993'
option target 'ACCEPT'
option family 'ipv6'
@@ -434,7 +387,7 @@ config redirect
option src_dport '25'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
option dest_port '25'
option target 'DNAT'
@@ -444,7 +397,7 @@ config redirect
option src_dport '465'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
option dest_port '465'
option target 'DNAT'
@@ -454,7 +407,7 @@ config redirect
option src_dport '587'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
option dest_port '587'
option target 'DNAT'
@@ -464,7 +417,7 @@ config redirect
option src_dport '143'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
option dest_port '143'
option target 'DNAT'
@@ -474,7 +427,7 @@ config redirect
option src_dport '993'
list proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['mail'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
option dest_port '993'
option target 'DNAT'
@@ -482,7 +435,7 @@ config redirect
config rule
option name 'Allow-INPUT-Munin'
option src 'dmz'
option src_ip '{{ hostvars['munin'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option src_ip '{{ hostvars['munin']['ansible_default_ipv4']['address'] }}'
list proto 'tcp'
option dest_port '4949'
option target 'ACCEPT'
@@ -491,7 +444,7 @@ config rule
config rule
option name 'Allow-FORWARD-Munin-Mikrotik-Garregmach'
option src 'dmz'
option src_ip '{{ hostvars['munin'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option src_ip '{{ hostvars['munin']['ansible_default_ipv4']['address'] }}'
list proto 'tcp'
list proto 'udp'
option dest 'lan'
@@ -503,7 +456,7 @@ config rule
config rule
option name 'Allow-FORWARD-Munin-Mikrotik-Derdriu'
option src 'dmz'
option src_ip '{{ hostvars['munin'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option src_ip '{{ hostvars['munin']['ansible_default_ipv4']['address'] }}'
list proto 'tcp'
list proto 'udp'
option dest 'lan'
@@ -512,36 +465,6 @@ config rule
option target 'ACCEPT'
option family 'ipv4'
# Allow Home Assitant to OpenEVSE
config rule
option name 'Allow-FORWARD-Home-Assistant-OpenEVSE'
option src 'iot'
option src_ip '{{ lookup('dig', 'evse.mateu.be') }}'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ lookup('dig', 'ha.mateu.be') }}'
option dest_port '1883'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-FORWARD-Home-Assistant-RM4Pro'
option src 'dmz'
option src_ip '{{ lookup('dig', 'ha.mateu.be') }}'
option dest 'iot'
option dest_ip '{{ lookup('dig', 'rm4pro.mateu.be') }}'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-FORWARD-esp32cc-Home-Assistant'
option src 'dmz'
option src_ip '{{ lookup('dig', 'ha.mateu.be') }}'
option dest 'iot'
option dest_ip '{{ lookup('dig', 'esp32cc.mateu.be') }}'
option target 'ACCEPT'
option family 'ipv4'
### IoT Rules
## General Rules
# ICMP
@@ -607,7 +530,7 @@ config rule
option src 'iot'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['ftp'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['ftp']['ansible_default_ipv4']['address'] }}'
option dest_port '21 10100-10110'
option target 'ACCEPT'
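Review bot: In the `Allow Web traffic IN` loop, the variant `{% for host in groups['webservers'] | sort %}` opens 80/443 inbound to every member of `webservers`, including hosts listed in `disabled_loadbalanced_webservers`, whereas the other variant subtracts that group; if the plain form is the side kept, hosts meant to be out of rotation stay reachable from the WAN. Across all hunks here the address lookups switch between `hostvars[...]['ansible_default_ipv4']['address']` and `hostvars[...].proxmox_net0.ip | ansible.utils.ipaddr('address')`: the former exists only for hosts whose facts were gathered in the same run (the `Retrieve network info` play is also changed in this compare), so an unreachable `mail` or `jabber` host makes the whole firewall template fail to render, while the `proxmox_net0` form appears to read the configured address from inventory. The `ansible_default_ipv6.address | default(hostvars[host].proxmox_net0.ip6 | ansible.utils.ipaddr('address'))` fallback used in one variant of the web loop is the safer shape for both lookups. The surrounding `config rule` / `config redirect` stanzas start and end outside the hunks.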


@@ -1,6 +1,6 @@
---
freshrss_version: "1.27.1"
freshrss_version: "1.26.1"
freshrss_url: "https://github.com/FreshRSS/FreshRSS/archive/refs/tags/{{ freshrss_version }}.tar.gz"
freshrss_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'freshrss') | map(attribute='host') | first }}"


@@ -10,7 +10,7 @@ db_engine = "lmdb"
block_size = "{{ garage_block_size }}"
replication_factor = {{ garage_replication_mode }}
replication_mode = "{{ garage_replication_mode }}"
compression_level = 2
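Review bot: `replication_factor = {{ garage_replication_mode }}` reuses a variable named for the old `replication_mode` string as the integer `replication_factor`, so a value such as `3` renders unquoted and works while a leftover mode string like `none` or `2-dangerous` renders as a bare word and fails to parse; rename it (`garage_replication_factor`) and add the `consistency_mode` key that took over the mode string's safety suffix. Garage 1.0 deprecated `replication_mode` in favour of `replication_factor` plus `consistency_mode`, so this key has to stay in step with the `garage_version` pin that this compare also flips between v2.1.0 and v1.1.0 in the role defaults. Which side is current is not recoverable from the page; check the rendered garage.toml against the binary that is actually deployed.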


@@ -2,5 +2,5 @@
garage_url: "https://garagehq.deuxfleurs.fr/_releases/{{ garage_version }}/{{ garage_arch }}-unknown-linux-musl/garage"
garage_bin: "/usr/local/bin/garage"
garage_version: v2.1.0
garage_version: v1.1.0
garage_arch: x86_64


@@ -1,6 +1,6 @@
---
gitea_version: "1.25.2"
gitea_version: "1.23.6"
gitea_url: "https://dl.gitea.com/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64"
gitea_bin: "/usr/local/bin/gitea"
gitea_path: "/srv/gitea"


@@ -1,6 +1,6 @@
---
- name: Restart postfix
ansible.builtin.service:
ansible.bultin.service:
name: postfix
state: restarted
enabled: true
enable: true
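Review bot: One side of this pair has `ansible.bultin.service:` and `enable: true`, and neither is valid: the FQCN is misspelled (`ansible.builtin.service`) and the parameter is `enabled`, so the `Restart postfix` handler errors instead of restarting the daemon, which means a main.cf or certificate change notified from the role is never applied until someone restarts postfix by hand. This is very likely what the failing `ansible-lint / lint-everything` check on this commit is reporting. If the misspelled form is the side kept by this compare, the two lines should read `ansible.builtin.service:` and `enabled: true`.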


@@ -8,7 +8,7 @@
- name: Put configuration
ansible.builtin.template:
src: main.cf.j2
dest: /etc/postfix/main.cf
dest: /etc/postfix/main.cf.j2
owner: root
group: root
mode: "0o640"


@@ -1,16 +1,30 @@
compatibility_level = 2
queue_directory = /var/spool/postfix
command_directory = /usr/bin
daemon_directory = /usr/lib/postfix/bin
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail-relay.mateu.be
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8, [::1]/128, {{ global_smtp_relay_allowed_ips | join(', ') }}
mynetworks = 127.0.0.0/8, [::1]/128, 82.66.135.228, 80.67.179.200
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/bin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
mailbox_size_limit = 104857600
message_size_limit = 104857600
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix
inet_protocols = ipv4
meta_directory = /etc/postfix
shlib_directory = /usr/lib/postfix
## Référence de chiffrement TLS
# serveur SMTP
smtpd_tls_cert_file = /etc/x509/mail-relay.mateu.be/fullchain.cer
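Review bot: `mynetworks = 127.0.0.0/8, [::1]/128, 82.66.135.228, 80.67.179.200` grants unauthenticated relaying on source address alone, and the two literal addresses carry no hint of which hosts they are or why they are trusted; if `82.66.135.228` is a NAT address shared by a whole site, as the home-router firewall hunks in this diff suggest, every device behind it can relay. Add a comment above the line such as `# Relay trust is IP-only: every host behind these addresses may send unauthenticated; keep in sync with the firewall allowlist` and name the owner of each address. `smtpd_relay_restrictions` is not set in the visible part of the template; since Postfix 2.10 its default ends in `defer_unauth_destination`, but pinning `smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination` makes the relay policy explicit rather than inherited. The rest of the template continues past the hunk.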


@@ -1,6 +0,0 @@
---
haproxy_backend_servers: "{{ groups['webservers']
| difference(groups['proxmox_all_stopped'])
| difference(groups['disabled_loadbalanced_webservers'])
| sort }}"


@@ -41,20 +41,11 @@ frontend http
tcp-request inspect-delay 3s
acl letsencrypt path_beg /.well-known/acme-challenge
redirect scheme https code 301 if !letsencrypt
{% for server in haproxy_backend_servers %}
{% for hostname in (
(hostvars[server].web_hostname
| map(attribute='host'))
+
(hostvars[server].web_hostname
| selectattr('san', 'defined')
| map(attribute='san')
| flatten)
) | sort
%}
## {{ hostname }} configuration
acl host_{{ hostname }} hdr(host) -i {{ hostname }}
use_backend http_{{ hostvars[server].ansible_host }} if letsencrypt host_{{ hostname }}
{% for server in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) | sort %}
{% for hostname in hostvars[server]['web_hostname'] | sort(attribute='host') %}
## {{ hostname.host }} configuration
acl host_{{ hostname.host }} hdr(host) -i {{ hostname.host }}
use_backend http_{{ hostvars[server].ansible_host }} if letsencrypt host_{{ hostname.host }}
{% endfor %}
{% endfor %}
@@ -65,41 +56,29 @@ frontend https
bind *:443 name frontend-https
tcp-request inspect-delay 3s
tcp-request content accept if { req.ssl_hello_type 1 }
{% for server in haproxy_backend_servers %}
{% for hostname in (
(hostvars[server].web_hostname
| map(attribute='host'))
+
(hostvars[server].web_hostname
| selectattr('san', 'defined')
| map(attribute='san')
| flatten)
) | sort
%}
## {{ hostname }} configuration
acl host_{{ hostname }} req.ssl_sni -i {{ hostname }}
{% set host = (hostvars[server].web_hostname | selectattr('host', '==', hostname))[0] %}
{% if host.allowlistv4 is defined %}
acl network_allowed_{{ hostname }} src {% for addrv4 in host.allowlistv4 %} {{ addrv4 }}{% endfor %}
{% for server in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) | sort %}
{% for hostname in hostvars[server]['web_hostname'] | sort(attribute='host') %}
## {{ hostname.host }} configuration
acl host_{{ hostname.host }} req.ssl_sni -i {{ hostname.host }}
{% if hostname.allowlistv4 is defined %}
acl network_allowed_{{ hostname.host }} src {% for addrv4 in hostname.allowlistv4 %}{{ addrv4 }}{% endfor %}
{% endif %}
use_backend https_{{ hostvars[server].ansible_host }} if host_{{ hostname }}{% if host.allowlistv4 is defined %} network_allowed_{{ hostname }}{% endif %}
use_backend https_{{ hostvars[server].ansible_host }} if host_{{ hostname.host }}{% if hostname.allowlistv4 is defined %} network_allowed_{{ hostname.host }}{% endif %}
{% endfor %}
{% endfor %}
{% for server in haproxy_backend_servers %}
{% for server in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) | sort %}
## {{ hostvars[server].ansible_host }} configuration
backend http_{{ hostvars[server].ansible_host }}
mode http
{% set hostname_slug = hostvars[server].ansible_host.split('.')|join('_') %}
{% set hostname_ipaddr = hostvars[server]['ansible_default_ipv4']['address'] | default(hostvars[server].proxmox_net0.ip | ansible.utils.ipaddr('address')) %}
server host_{{ hostname_slug }} {{ hostname_ipaddr }}:80
server host_{{ hostvars[server].ansible_host.split('.')|join('_') }} {{ hostvars[server]['ansible_default_ipv4']['address'] }}:80
backend https_{{ hostvars[server].ansible_host }}
mode tcp
server host_{{ hostname_slug }} {{ hostname_ipaddr }}:443
server host_{{ hostvars[server].ansible_host.split('.')|join('_') }} {{ hostvars[server]['ansible_default_ipv4']['address'] }}:443
{% endfor %}
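Review bot: In the https frontend, `acl network_allowed_{{ hostname.host }} src {% for addrv4 in hostname.allowlistv4 %}{{ addrv4 }}{% endfor %}` emits the allowlisted addresses with no separator, so a host with two or more `allowlistv4` entries renders as e.g. `src 10.0.0.1/3210.0.0.2/32`, which haproxy rejects at config check — and since the backends are reached in `mode tcp`, this ACL is the only IPv4 gate for the restricted vhosts at the edge. Move the space inside the loop: `acl network_allowed_{{ hostname.host }} src{% for addrv4 in hostname.allowlistv4 %} {{ addrv4 }}{% endfor %}`. The SNI-based routing is also worth a one-line comment noting that a non-allowlisted source simply matches no `use_backend` (assuming no `default_backend` follows outside the hunk), so a future catch-all backend would bypass the allowlist.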


@@ -1,5 +1,5 @@
---
jackett_version: "v0.24.387"
jackett_version: "v0.22.1685"
jackett_download_url: "https://github.com/Jackett/Jackett/releases/download/{{ jackett_version }}/Jackett.Binaries.LinuxAMDx64.tar.gz"
jackett_home: "/opt/Jackett"


@@ -1,9 +0,0 @@
---
- name: Run DB migration
become: true
become_user: www-data
ansible.builtin.command:
cmd: "php bin/console doctrine:migrations:migrate -n -q"
chdir: "{{ koillection_app_home }}"
changed_when: false


@@ -81,6 +81,3 @@
- name: Include API activation task
ansible.builtin.include_tasks: api.yml
- name: Include DB migration task
ansible.builtin.include_tasks: db_migration.yml


@@ -1,6 +1,6 @@
---
koillection_version: "1.7.0"
koillection_version: "1.6.12"
koillection_url: "https://giteu.be/koillection/koillection/releases/download/{{ koillection_version }}/koillection-{{ koillection_version }}.tar.gz"
koillection_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'koillection') | map(attribute='host') | first }}"


@@ -22,7 +22,7 @@ if [ ! -d $backup_dump_path ] ; then mkdir -p $backup_dump_path ; fi
# On se deplace dans le dossier, et on purge les fichiers plus vieux que backup_max_age
cd $backup_dump_path
mariadb-check --all-databases > /var/lib/mysql/check
mysqlcheck --all-databases > /var/lib/mysql/check
# Pour chaque base a sauvegarder
for backup_db_name in $backup_db_list
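Review bot: `cd $backup_dump_path`, two lines above the changed `mysqlcheck` call, is unquoted and unchecked, and the comment says the script then purges files older than `backup_max_age`; if the variable is empty or the directory is unreadable, `cd` fails (or goes to `$HOME`) and the purge runs somewhere else. Use `cd "$backup_dump_path" || exit 1`. The `mysqlcheck` exit status is also discarded after being redirected to `/var/lib/mysql/check`; either add `|| exit 1` if a corrupt table should block the backup, or say in a comment that the check is informational. The for loop body continues outside the hunk.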


@@ -36,7 +36,7 @@
- name: Check if .my.cnf file exists
ansible.builtin.stat:
path: /root/.my.cnf
register: mariadb_dot_my_cnf
register: dot_my_cnf
- name: Set root password
community.mysql.mysql_user:
@@ -44,7 +44,7 @@
host: localhost
name: root
password: "{{ mariadb_root_pass }}"
when: not mariadb_dot_my_cnf.stat.exists
when: not dot_my_cnf.stat.exists
- name: Put .my.cnf file
ansible.builtin.template:


@@ -6,4 +6,4 @@
name: Mastodon tootctl
minute: "0"
hour: "2"
job: "{{ mastodon_home }}/bin/remove_media.sh > /dev/null"
job: "{{ mastodon_home }}/bin/remove_media.sh"


@@ -40,7 +40,6 @@
- git-core
- g++
- libprotobuf-dev
- libvips-tools
- protobuf-compiler
- pkg-config
- nodejs


@@ -6,7 +6,6 @@
repo: "https://github.com/mastodon/mastodon.git"
dest: "{{ mastodon_home }}/live"
version: "v{{ mastodon_version }}"
notify: Restart mastodon
- name: Exec bundle
remote_user: mastodon
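Review bot: The checkout pins `version: "v{{ mastodon_version }}"`, a git tag, with no integrity check; tags are mutable refs, so whoever can move the tag upstream, or intercept the clone, gets code run as the `mastodon` user by the `Exec bundle` step that follows. Either record the expected commit SHA next to the version and check that out, or, if upstream signs its release tags, verify the signature in a preceding step (`git verify-tag`) before `bundle` runs. The new side also no longer notifies a restart after the checkout, so confirm another task restarts the Mastodon services, otherwise the running processes keep executing the old tree after an upgrade. The `ansible.builtin.git` task header is above the hunk.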


@@ -1,6 +1,6 @@
---
mastodon_version: "4.5.2"
mastodon_version: "4.3.6"
mastodon_nodejs_key_url: "https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
mastodon_nodejs_key_path: "/usr/share/keyrings/nodesource.gpg"
@@ -8,7 +8,7 @@ mastodon_nodejs_key_path: "/usr/share/keyrings/nodesource.gpg"
mastodon_yarn_key_url: "https://dl.yarnpkg.com/debian/pubkey.gpg"
mastodon_yarn_key_path: "/usr/share/keyrings/yarnkey.gpg"
mastodon_ruby_version: "3.4.7"
mastodon_ruby_version: "3.3.5"
mastodon_home: "/srv/mastodon"
mastodon_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'mastodon') | map(attribute='host') | first }}"


@@ -6,7 +6,7 @@ HEADER="Authorization: Bearer ${BEARER}"
# Create associative array
declare -A BUCKETS=()
API_BUCKETS_JSON=$(curl -s -H "${HEADER}" "http://[::1]:3903/v2/ListBuckets" | jq -r '.[] | .id + "," + (if (.globalAliases[0]|test("\\.")) then .globalAliases[1] else .globalAliases[0] end)')
API_BUCKETS_JSON=$(curl -s -H "${HEADER}" "http://[::1]:3903/v1/bucket?list" | jq -r '.[] | .id + "," + (if (.globalAliases[0]|test("\\.")) then .globalAliases[1] else .globalAliases[0] end)')
# Populate associative array
for bucket in ${API_BUCKETS_JSON}
@@ -59,7 +59,7 @@ declare -A REQUESTS
for i in "${!BUCKETS[@]}"
do
REQUESTS+=([${BUCKETS[${i}]}]=$(curl -s -H "${HEADER}" "http://[::1]:3903/v2/GetBucketInfo?id=${i}"))
REQUESTS+=([${BUCKETS[${i}]}]=$(curl -s -H "${HEADER}" "http://[::1]:3903/v1/bucket?id=${i}"))
done
echo "multigraph garage_bucket_unfinished"


@@ -1,127 +0,0 @@
#!/bin/sh
: << =cut
=head1 NAME
nsd - Plugin to monitor nsd DNS server
=head1 CONFIGURATION
No configuration
=head1 AUTHOR
Kim Heino <b@bbbs.net>
=head1 LICENSE
GPLv2
=head1 MAGIC MARKERS
#%# family=auto
#%# capabilities=autoconf
=cut
if [ "$1" = "autoconf" ]; then
if [ -x /usr/sbin/nsd-control ]; then
echo "yes"
exit 0
else
echo "no (no /usr/sbin/nsd-control)"
exit 0
fi
fi
if [ "$1" = "config" ]; then
echo 'graph_title NSD queries'
echo 'graph_vlabel queries / second'
echo 'graph_category dns'
echo 'graph_info Queries per second, by query type'
echo 'a.label A'
echo 'a.type DERIVE'
echo 'a.min 0'
echo 'aaaa.label AAAA'
echo 'aaaa.type DERIVE'
echo 'aaaa.min 0'
echo 'ptr.label PTR'
echo 'ptr.type DERIVE'
echo 'ptr.min 0'
echo 'cname.label CNAME'
echo 'cname.type DERIVE'
echo 'cname.min 0'
echo 'mx.label MX'
echo 'mx.type DERIVE'
echo 'mx.min 0'
echo 'txt.label TXT'
echo 'txt.type DERIVE'
echo 'txt.min 0'
echo 'soa.label SOA'
echo 'soa.type DERIVE'
echo 'soa.min 0'
echo 'ns.label NS'
echo 'ns.type DERIVE'
echo 'ns.min 0'
echo 'srv.label SRV'
echo 'srv.type DERIVE'
echo 'srv.min 0'
echo 'dnskey.label DNSKEY'
echo 'dnskey.type DERIVE'
echo 'dnskey.min 0'
echo 'axfr.label AXFR'
echo 'axfr.type DERIVE'
echo 'axfr.min 0'
echo 'snxd.label NXDOMAIN'
echo 'snxd.type DERIVE'
echo 'snxd.min 0'
echo 'rq.label Total Successful'
echo 'rq.type DERIVE'
echo 'rq.min 0'
exit 0
fi
/usr/sbin/nsd-control stats_noreset | sed 's/=/ /; s/\.//g' | (
numtypeA=0
numtypeAAAA=0
numtypePTR=0
numtypeCNAME=0
numtypeMX=0
numtypeTXT=0
numtypeSOA=0
numtypeNS=0
numtypeSRV=0
numtypeDNSKEY=0
numraxfr=0
numrcodeNXDOMAIN=0
numqueries=0
while read -r key value rest; do
[ "${key}" = "numtypeA" ] && numtypeA=${value}
[ "${key}" = "numtypeAAAA" ] && numtypeAAAA=${value}
[ "${key}" = "numtypePTR" ] && numtypePTR=${value}
[ "${key}" = "numtypeCNAME" ] && numtypeCNAME=${value}
[ "${key}" = "numtypeMX" ] && numtypeMX=${value}
[ "${key}" = "numtypeTXT" ] && numtypeTXT=${value}
[ "${key}" = "numtypeSOA" ] && numtypeSOA=${value}
[ "${key}" = "numtypeNS" ] && numtypeNS=${value}
[ "${key}" = "numtypeSRV" ] && numtypeSRV=${value}
[ "${key}" = "numtypeDNSKEY" ] && numtypeDNSKEY=${value}
[ "${key}" = "numraxfr" ] && numraxfr=${value}
[ "${key}" = "numrcodeNXDOMAIN" ] && numrcodeNXDOMAIN=${value}
[ "${key}" = "numqueries" ] && numqueries=${value}
done
echo "a.value ${numtypeA}"
echo "aaaa.value ${numtypeAAAA}"
echo "ptr.value ${numtypePTR}"
echo "cname.value ${numtypeCNAME}"
echo "mx.value ${numtypeMX}"
echo "txt.value ${numtypeTXT}"
echo "soa.value ${numtypeSOA}"
echo "ns.value ${numtypeNS}"
echo "srv.value ${numtypeSRV}"
echo "dnskey.value ${numtypeDNSKEY}"
echo "axfr.value ${numraxfr}"
echo "snxd.value ${numrcodeNXDOMAIN}"
echo "rq.value ${numqueries}"
)


@@ -2,25 +2,26 @@
- name: Set package fact
ansible.builtin.set_fact:
munin_client_muninpkgs:
muninpkgs:
- muninlite
munin_client_munin_need_reconfigure: false
munin_need_reconfigure: false
when: ansible_facts['distribution'] == "LEDE" or ansible_facts['distribution'] == "OpenWRT" or ansible_facts['distribution'] == "OpenWrt"
- name: Set other packages fact
ansible.builtin.set_fact:
munin_client_muninpkgs:
muninpkgs:
- munin-node
- munin-plugins-core
- munin-plugins-extra
munin_client_munin_need_reconfigure: true
munin_need_reconfigure: true
when: ansible_facts['distribution'] == "Debian"
- name: Install munin node packages
ansible.builtin.package:
name: "{{ munin_client_muninpkgs }}"
name: "{{ item }}"
state: present
update_cache: true
loop: "{{ muninpkgs }}"
- name: Put munin-node configuration file
ansible.builtin.template:
@@ -29,7 +30,7 @@
mode: "0o644"
notify:
- Restart munin-node
when: munin_client_munin_need_reconfigure
when: munin_need_reconfigure
## Adding modules for specific functions
# for NginX webservers
@@ -98,14 +99,14 @@
changed_when: true
notify:
- Restart munin-node
when: munin_client_munin_need_reconfigure
when: munin_need_reconfigure
# Useless junks for everyone
- name: Delete useless junks for everyone
ansible.builtin.file:
path: "/etc/munin/plugins/{{ item }}"
state: absent
when: munin_client_munin_need_reconfigure
when: munin_need_reconfigure
loop:
- users
@@ -135,11 +136,6 @@
ansible.builtin.include_tasks: garage.yml
when: "'garageservers' in group_names"
# Specific nsd commands
- name: Execute specific nsd commands
ansible.builtin.include_tasks: nsd.yml
when: "'nsdservers' in group_names"
# Specific restic commands
- name: Execute specific restic commands
ansible.builtin.include_tasks: restic.yml
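Review bot: `name: "{{ item }}"` with `loop: "{{ muninpkgs }}"` relies on a variable set only by the two distribution-guarded `set_fact` tasks above it, so on any other distribution the role aborts with an undefined-variable error instead of a clear message, and `munin_need_reconfigure` is equally undefined for the later `when:` checks. Add a guard between the facts and the install, e.g. `- name: Ensure distribution is supported` / `ansible.builtin.assert:` / `that: muninpkgs is defined and munin_need_reconfigure is defined`. `update_cache: true` inside the loop also refreshes the package index once per package; moving it to its own task or passing the whole list to `name:` avoids the repeated work.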


@@ -1,21 +0,0 @@
---
- name: Put nsd plugin configuration
ansible.builtin.template:
src: nsd.j2
dest: /etc/munin/plugin-conf.d/nsd
owner: root
group: root
mode: "0o640"
notify:
- Restart munin-node
- name: Put nsd scripts
ansible.builtin.copy:
src: files/nsd
dest: /etc/munin/plugins/nsd
owner: root
group: root
mode: "0o755"
notify:
- Restart munin-node


@@ -41,7 +41,7 @@ host_name {{ ansible_host }}
# network notation unless the perl module Net::CIDR is installed. You
# may repeat the allow line as many times as you'd like
allow ^{{ hostvars['munin']['proxmox_net0']['ip'] | ansible.utils.ipaddr('address') | split('.') |join('\.') }}
allow ^{{ hostvars['munin']['ansible_default_ipv4']['address'].split('.')|join('\.') }}
allow ^127\.0\.0\.1$
allow ^::1$
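Review bot: `allow ^{{ hostvars['munin']['ansible_default_ipv4']['address'].split('.')|join('\.') }}` anchors the regex only at the start, so a master at 10.0.0.1 also admits 10.0.0.10–10.0.0.19 and 10.0.0.100–10.0.0.199; munin-node matches `allow` as a regex against the peer address, and the two lines below show the intended `$` anchoring. Append `$`: `allow ^{{ hostvars['munin']['ansible_default_ipv4']['address'].split('.')|join('\.') }}$`. If the master can also reach the node over IPv6 there is no `allow` for its v6 address, so such connections would be refused; add one built from `ansible_default_ipv6` if that path is used.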


@@ -1,2 +0,0 @@
[nsd]
user root


@@ -1,6 +1,6 @@
---
nextcloud_version: "31.0.11"
nextcloud_version: "31.0.2"
nextcloud_url: "https://download.nextcloud.com/server/releases/nextcloud-{{ nextcloud_version }}.tar.bz2"
nextcloud_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'nextcloud') | map(attribute='host') | first }}"
@@ -19,7 +19,6 @@ nextcloud_userdata_app_dirs:
# Supplementary modules
nextcloud_modules:
- name: calendar
- name: contacts
- name: tasks
- name: user_external
force: true


@@ -1,28 +0,0 @@
---
- name: Issue certificate
ansible.builtin.command:
cmd: "/etc/x509/acme.sh --issue --domain {{ host.host }} {{ ['--domain'] | product(host.san | default([])) | map('join', ' ') | join(' ') }} --webroot {{ nginx_letsencrypt_dir }} --reloadcmd \"{{ acme_reload_cmd | default('systemctl reload nginx.service') }}\""
creates: "/etc/x509/{{ host.host }}*"
environment:
LE_WORKING_DIR: "/etc/x509"
- name: Check if ecc dir
ansible.builtin.stat:
path: "/etc/x509/{{ host.host }}_ecc"
register: _nginx_x509_ecc_dir
- name: Move dir if exists
when: _nginx_x509_ecc_dir.stat.exists
block:
- name: Copy ecc dir
ansible.builtin.copy:
remote_src: true
src: "/etc/x509/{{ host.host }}_ecc/"
dest: "/etc/x509/{{ host.host }}"
mode: "{{ _nginx_x509_ecc_dir.stat.mode }}"
- name: Remove ecc dir
ansible.builtin.file:
path: "/etc/x509/{{ host.host }}_ecc/"
state: absent


@@ -41,14 +41,5 @@
mode: 'u+rwx,g+rs,o-rwx'
state: directory
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Include acme auto cert
ansible.builtin.include_tasks: acme.yml
loop: "{{ web_hostname }}"
loop_control:
loop_var: "host"
- name: Include vhosts
ansible.builtin.include_tasks: vhosts.yml


@@ -3,15 +3,13 @@
ssl_certificate /etc/x509/{{ item.host }}/fullchain.cer;
ssl_certificate_key /etc/x509/{{ item.host }}/{{ item.host }}.key;
server_name {{ item.host }}{{ ' ' ~ item.san | join(' ') if item.san is defined }};
server_name {{ item.host }};
access_log /var/log/nginx/{{ item.host }}.access.log combined;
access_log syslog:server=unix:/dev/log combined;
error_log /var/log/nginx/{{ item.host }}.error.log;
error_log syslog:server=unix:/dev/log;
{% if item.allowlistv4 is defined %}
{% for host in groups['lbservers'] %}
allow {{ hostvars[host].proxmox_net0.ip | ansible.utils.ipaddr('address') }};
{% endfor %}
allow {{ hostvars['haproxy']['ansible_default_ipv4']['address'] }};
{% endif %}
{% if item.allowlistv6 is defined %}
{% for addrv6 in item.allowlistv6 %}
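Review bot: When `item.allowlistv4` is defined the include emits `allow {{ hostvars['haproxy']['ansible_default_ipv4']['address'] }};`, i.e. nginx trusts the load balancer rather than the client; because the haproxy template in this diff forwards 443 in `mode tcp` with no PROXY protocol, nginx never sees the client's IPv4 address, so the per-host allowlist is enforced only at haproxy and `access_log ... combined` records the LB address for every IPv4 request. State that on the line: `# IPv4 allowlist is enforced by haproxy (TCP passthrough); nginx only ever sees the LB address`. For defence in depth and usable logs, add `send-proxy-v2` to the haproxy `server` lines, `proxy_protocol` on the `listen` here with `set_real_ip_from <lb>` and `real_ip_header proxy_protocol`, and then allow the real client ranges directly. The `listen` and `deny` lines of this include are outside the hunk.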


@@ -3,7 +3,7 @@
# ANY MODIFICATION IS LIKELY TO BE ERASED
##########
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
@@ -11,7 +11,7 @@
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)


@@ -1,9 +0,0 @@
server {
{% include './templates/header.conf.j2' %}
location / {
proxy_pass http://[::1]:3903;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
}
}


@@ -1,82 +0,0 @@
server {
{% include './templates/header.conf.j2' %}
root /var/www/amp.mateu.be/public/;
index index.php;
# Somebody said this helps, in my setup it doesn't prevent temporary saving in files
proxy_max_temp_file_size 0;
# Rewrite rule for Subsonic backend
if ( !-d $request_filename ) {
rewrite ^/rest/(.*).view$ /rest/index.php?action=$1 last;
rewrite ^/rest/fake/(.+)$ /play/$1 last;
}
# Rewrite rule for Channels
if (!-d $request_filename){
rewrite ^/channel/([0-9]+)/(.*)$ /channel/index.php?channel=$1&target=$2 last;
}
# Beautiful URL Rewriting
rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&name=$5 last;
rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/client/(\w+)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&name=$6 last;
rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/client/(\w+)/player/(.*)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&player=$6&name=$7 last;
rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/client/(\w+)/bitrate/([0-9]+)/player/(.*)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&bitrate=$6&player=$7&name=$8 last;
rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/client/(\w+)/transcode_to/(w+)/bitrate/([0-9]+)/player/(.*)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&transcode_to=$6&bitrate=$7&player=$8&name=$9 last;
rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/client/(\w+)/noscrobble/([0-1])/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&noscrobble=$6&name=$7 last;
rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/client/(\w+)/noscrobble/([0-1])/player/(.*)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&noscrobble=$6&player=$7&name=$8 last;
rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/client/(\w+)/noscrobble/([0-1])/bitrate/([0-9]+)/player/(.*)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&noscrobble=$6&bitrate=$7&player=$8&name=$9 last;
rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/client/(\w+)/noscrobble/([0-1])/transcode_to/(w+)/bitrate/([0-9]+)/player/(.*)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&noscrobble=$6&transcode_to=$7&bitrate=$8&player=$9&name=$10 last;
# the following line was needed for me to get downloads of single songs to work
rewrite ^/play/ssid/(.*)/type/(.*)/oid/([0-9]+)/uid/([0-9]+)/action/(.*)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4action=$5&name=$6 last;
location /play {
if (!-e $request_filename) {
rewrite ^/play/art/([^/]+)/([^/]+)/([0-9]+)/thumb([0-9]*)\.([a-z]+)$ /image.php?object_type=$2&object_id=$3&auth=$1 last;
}
rewrite ^/([^/]+)/([^/]+)(/.*)?$ /play/$3?$1=$2;
rewrite ^/(/[^/]+|[^/]+/|/?)$ /play/index.php last;
break;
}
location /rest {
limit_except GET POST {
deny all;
}
}
location ^~ /bin/ {
deny all;
return 403;
}
location ^~ /config/ {
deny all;
return 403;
}
location / {
limit_except GET POST HEAD{
deny all;
}
}
location ~ ^/.*.php {
fastcgi_index index.php;
fastcgi_read_timeout 600s;
include fastcgi_params;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_pass unix:/run/php/php{{ php_version }}-fpm.sock;
}
# Rewrite rule for WebSocket
location /ws {
rewrite ^/ws/(.*) /$1 break;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8100/;
}
}


@@ -0,0 +1,33 @@
server {
{% include './templates/header.conf.j2' %}
root /srv/http/analyse.nintendojo.fr/;
index index.html index.htm index.php;
location ~ ^/(status|ping|apc_info.php)$ {
access_log off;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires 2w;
log_not_found off;
}
location ~ \.htaccess$ {
deny all;
}
location ~ ^/tmp {
deny all;
}
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
include fastcgi_params;
}
}
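Review bot: `location ~ ^/(status|ping|apc_info.php)$` exposes PHP-FPM's status/ping endpoints and an APC info page to the internet with `access_log off`, so they are neither restricted nor logged; `/status?full` reveals in-flight request URIs and script paths, and APC info reveals cache keys and config. Restrict the block to the monitoring source, e.g. `allow 127.0.0.1;` / `allow ::1;` / `deny all;` at its top, or remove it if `pm.status_path` is not configured in the pool. Minor: the `.` in `apc_info.php` is unescaped, and `~ ^/tmp` also matches `/tmpfoo`; `^/tmp/` is what the name suggests.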


@@ -1,6 +1,6 @@
server {
{% include './templates/header.conf.j2' %}
root /var/www/forum.nintendojo.fr/;
root /srv/http/forum.nintendojo.fr/;
index index.html index.htm index.php;
client_max_body_size 10M;


@@ -1,5 +1,6 @@
server {
{% include './templates/header.conf.j2' %}
root /srv/http/forum.nintendojofr.com/;
index index.html index.htm index.php;
location / {


@@ -1,8 +0,0 @@
server {
{% include './templates/header.conf.j2' %}
location / {
proxy_pass http://localhost:8080;
}
}


@@ -1,5 +1,15 @@
server {
{% include './templates/header.conf.j2' %}
listen *:443 ssl http2;
listen [::]:443 ssl http2;
server_name r.mateu.be perso.nintendojo.fr perso.libertus.eu;
access_log /var/log/nginx/r.mateu.be.access.log combined;
access_log syslog:server=unix:/dev/log combined;
error_log /var/log/nginx/r.mateu.be.error.log;
error_log syslog:server=unix:/dev/log;
ssl_certificate /etc/x509/r.mateu.be/fullchain.cer;
ssl_certificate_key /etc/x509/r.mateu.be/r.mateu.be.key;
root /srv/www-data/r.mateu.be/;
location / {
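Review bot: The new side serves `server_name r.mateu.be perso.nintendojo.fr perso.libertus.eu` from a single certificate at `/etc/x509/r.mateu.be/`, so that certificate must carry SANs for all three names or the two `perso.` hosts get a name-mismatch error; add a comment on the `ssl_certificate` line stating which SANs it is issued with. Writing `listen`, `ssl_*` and log directives inline also means this vhost no longer receives whatever the shared `header.conf.j2` include provides (allow/deny handling, log and TLS changes), so hardening applied there silently skips this site; if that is deliberate, say why in a comment. `listen ... ssl http2` is the pre-1.25.1 form; current nginx expects a separate `http2 on;`. The `location / {` body continues outside the hunk.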


@@ -1,8 +0,0 @@
server {
{% include './templates/header.conf.j2' %}
location / {
proxy_pass http://localhost:8200;
}
}


@@ -1,15 +1,16 @@
## WP NintendojoFR
fastcgi_cache_path
/dev/shm/nginx
levels=1:2
keys_zone=wpdojo:25m
inactive=1h
max_size=250m;
server {
{% include './templates/header.conf.j2' %}
listen *:443 ssl http2;
listen [::]:443 ssl http2;
server_name nintendojo.fr www.nintendojo.fr;
access_log /var/log/nginx/nintendojo.fr.access.log combined;
access_log syslog:server=unix:/dev/log combined;
error_log /var/log/nginx/nintendojo.fr.error.log;
error_log syslog:server=unix:/dev/log;
ssl_certificate /etc/x509/www.nintendojo.fr/fullchain.cer;
ssl_certificate_key /etc/x509/www.nintendojo.fr/www.nintendojo.fr.key;
root /var/www/www.nintendojo.fr/;
root /srv/http/www.nintendojo.fr/;
index index.html index.htm index.php;
client_max_body_size 2G;


@@ -1,7 +1,15 @@
server {
{% include './templates/header.conf.j2' %}
listen *:443 ssl http2;
listen [::]:443 ssl http2;
server_name nintendojofr.com www.nintendojofr.com;
access_log /var/log/nginx/nintendojofr.com.access.log combined;
access_log syslog:server=unix:/dev/log combined;
error_log /var/log/nginx/nintendojofr.com.error.log;
error_log syslog:server=unix:/dev/log;
ssl_certificate /etc/x509/nintendojofr.com/fullchain.cer;
ssl_certificate_key /etc/x509/nintendojofr.com/nintendojofr.com.key;
root /var/www/www.nintendojofr.com/;
root /srv/http/www.nintendojofr.com/;
index index.html index.htm index.php;
location ~ ^/forum/(.*)$ {


@@ -0,0 +1,54 @@
## WP Sebicomics
server {
listen *:443 ssl http2;
listen [::]:443 ssl http2;
server_name sebicomics.com www.sebicomics.com;
access_log /var/log/nginx/www.sebicomics.com.access.log combined;
access_log syslog:server=unix:/dev/log combined;
error_log /var/log/nginx/www.sebicomics.com.error.log;
error_log syslog:server=unix:/dev/log;
ssl_certificate /etc/x509/www.sebicomics.com/fullchain.cer;
ssl_certificate_key /etc/x509/www.sebicomics.com/www.sebicomics.com.key;
root /srv/http/www.sebicomics.com/;
index index.html index.htm index.php;
client_max_body_size 512M;
# couper les fichiers cachés
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# couper les fichiers textes du captcha
location ~* /wp-content/uploads/wpcf7_captcha/.*\.txt$ {
deny all;
}
# Optimisation des images
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires 1w;
log_not_found off;
}
# Interprétation PHP
location ~ ^/(index).php(/.*)+ {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
try_files $fastcgi_script_name =404;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
fastcgi_read_timeout 60;
include fastcgi_params;
}
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
fastcgi_read_timeout 60;
include fastcgi_params;
}
location / {
try_files $uri $uri/ /index.php$uri?$args;
}
}
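Review bot: `fastcgi_ignore_headers Cache-Control Expires Set-Cookie` in the `index.php` location is inert today (no `fastcgi_cache` directive is visible in this server block) but is a trap: once a cache is switched on here — a `fastcgi_cache_path` zone is already defined in a sibling vhost in this diff — responses carrying `Set-Cookie` (logins, wp-admin, comment-author data) become cacheable and can be served to other visitors unless `fastcgi_no_cache`/`fastcgi_cache_bypass` rules on cookies and admin paths land in the same change. Either drop the directive until a cache exists or put a comment above it saying exactly that. The block also lacks the usual dotfile guard; `location ~ /\.(?!well-known) { deny all; }` keeps `.git`, `.env` and `.htaccess` out of reach (only the uploads-PHP and captcha rules are present).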


@@ -1,9 +1,11 @@
## WP dev NintendojoFR
## WP NintendojoFR
server {
{% include './templates/header.conf.j2' %}
root /var/www/wwwdev.nintendojo.fr/;
root /srv/http/wwwdev.nintendojo.fr/;
index index.html index.htm index.php;
auth_basic "Restricted Area";
auth_basic_user_file /etc/nginx/wwwdev.htpasswd;
client_max_body_size 2G;
@@ -17,17 +19,15 @@ server {
deny all;
}
# Optimisation des images
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires 1w;
log_not_found off;
# redirige twitter
location /feed/twitter {
return 307 https://m.nintendojo.fr/@nintendojofr.rss;
}
# Interprétation PHP
location ~ ^/(index).php(/.*)+ {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
try_files $fastcgi_script_name =404;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
fastcgi_read_timeout 60;
include fastcgi_params;


@@ -1,3 +0,0 @@
---
nsd_master: false


@@ -1,11 +0,0 @@
---
- name: Restart nsd
ansible.builtin.service:
name: nsd
state: restarted
- name: Restart systemd-resolved
ansible.builtin.service:
name: systemd-resolved
state: restarted


@@ -1,18 +0,0 @@
---
- name: Install cron script
ansible.builtin.template:
src: resignall.sh.j2
dest: "{{ nsd_cron_script }}"
owner: root
group: root
mode: "0o750"
- name: Install cron
ansible.builtin.cron:
name: "NSD zone resign"
hour: "3"
minute: "2"
weekday: "3"
job: "{{ nsd_cron_script }} &> /dev/null"
state: present


@@ -1,68 +0,0 @@
---
- name: Install & check prerequisites
ansible.builtin.include_tasks: prerequisites.yml
- name: Create slave group
ansible.builtin.group_by:
key: slave_nsdservers
when: not nsd_master
- name: Create master group
ansible.builtin.group_by:
key: master_nsdservers
when: nsd_master
- name: Create zone dir
ansible.builtin.file:
path: "{{ nsd_default_etc_path }}zones"
owner: nsd
group: nsd
mode: "0o755"
state: directory
- name: Create key dir
ansible.builtin.file:
path: "{{ nsd_default_etc_path }}keys"
owner: nsd
group: nsd
mode: "0o700"
state: directory
- name: Create nsd.conf
ansible.builtin.template:
src: nsd.conf.j2
dest: "{{ nsd_default_etc_path }}nsd.conf"
owner: root
group: root
mode: "0o640"
notify:
- Restart nsd
- name: Create each zone in NSD
ansible.builtin.template:
src: zone.j2
dest: "{{ nsd_default_etc_path }}nsd.conf.d/{{ item.name }}.conf"
owner: root
group: root
mode: "0o644"
loop: "{{ zones }}"
notify:
- Restart nsd
- name: Force zone reload
ansible.builtin.meta: flush_handlers
- name: Create zone and reload
ansible.builtin.include_tasks: zones.yml
loop: "{{ zones }}"
when: nsd_master
- name: Install renew cron
ansible.builtin.include_tasks: cron.yml
when: nsd_master
- name: Ensure nsd is started
ansible.builtin.service:
name: nsd
state: started


@@ -1,30 +0,0 @@
---
- name: Gather facts on listening ports
community.general.listen_ports_facts:
- name: Detect systemd-resolve
ansible.builtin.set_fact:
nsd_systemd_resolve_enable: "{{ ansible_facts.udp_listen | selectattr('port', 'eq', 53) | selectattr('name', 'eq', 'systemd-resolve') | count > 0 }}"
- name: Deactivate DNS stublistener
ansible.builtin.lineinfile:
path: /etc/systemd/resolved.conf
regex: '^#DNSStubListener=yes'
line: DNSStubListener=no
when: nsd_systemd_resolve_enable
notify:
- Restart systemd-resolved
- name: Force restart for stub resolver
ansible.builtin.meta: flush_handlers
- name: Install nsd & utilities
ansible.builtin.package:
name:
- nsd
- dnsutils
- ldnsutils
- cron
state: present
update_cache: true


@@ -1,71 +0,0 @@
---
- name: Create zone file
ansible.builtin.template:
src: "{{ 'zones/parking.zone.j2' if item.parking | default(false) else 'zones/' ~ item.name ~ '.zone.j2' }}"
dest: "{{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
owner: nsd
group: nsd
mode: "0o644"
vars:
dns_serial: "{{ ansible_date_time.epoch }}"
web_hostname_block: |-
{% for webserver in groups['webservers'] | sort -%}
{% for web_hostname in (
(hostvars[webserver]['web_hostname']
| selectattr('host', 'match', '.*' ~ item.name)
| map(attribute='host')
+
(hostvars[webserver]['web_hostname']
| selectattr('san', 'defined')
| map(attribute='san')
| flatten
| select('match', '.*' ~ item.name)))
| sort) -%}
{% if web_hostname is match("(\S+\.){2}") %}
{{ web_hostname | regex_replace('\.' ~ item.name ~ '$', '') }} IN CNAME {{ hostvars[webserver].ansible_host }}.
{% else %}
@ IN A {{ global_public_ip_address }}
@ IN AAAA {{ hostvars[webserver].proxmox_net0.ip6 | default(hostvars[webserver].ansible_default_ipv6.address) | ansible.utils.ipaddr('address') }}
{% endif %}
{% endfor %}
{% endfor %}
- name: Create zone key dir
ansible.builtin.file:
path: "{{ nsd_default_etc_path }}keys/{{ item.name }}/"
owner: nsd
group: nsd
mode: "0o750"
state: directory
- name: Create the associated keys
become: true
become_user: nsd
ansible.builtin.command:
cmd: "ldns-keygen -a ECDSAP256SHA256 -k -s {{ item.name }}"
chdir: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/"
creates: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/.ds"
- name: Check zone file
ansible.builtin.command:
cmd: "nsd-checkzone {{ item.name }} {{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
changed_when: false
- name: Stat associated keys
ansible.builtin.stat:
path: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/.ds"
register: nsd_stat_keys
- name: Sign zone file
become: true
become_user: nsd
ansible.builtin.command:
chdir: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/"
cmd: "ldns-signzone -o {{ item.name }} -u {{ nsd_default_etc_path }}/zones/{{ item.name }}.zone {{ (nsd_stat_keys.stat.lnk_target | split('.'))[:-1] | join('.') }}"
changed_when: true
- name: Reload zone
ansible.builtin.command:
cmd: "nsd-control reload {{ item.name }}"
changed_when: false


@@ -1,11 +0,0 @@
key:
name: "{{ nsd_tsig_key_name }}"
algorithm: hmac-sha256
secret: "{{ tsig_key }}"
server:
log-only-syslog: yes
hide-version: yes
zonesdir: "/etc/nsd/zones"
include: "/etc/nsd/nsd.conf.d/*.conf"


@@ -1,17 +0,0 @@
#!/bin/bash
for i in {{ nsd_default_etc_path }}keys/*/*.ds
do
# Get the different names
FILENAME=${i##*/}
KEYNAME=${FILENAME/.ds/}
DIRPATH=${i/${FILENAME}/}
_ZONEFILEPATH=${DIRPATH/keys/zones}
ZONEFILEPATH=${_ZONEFILEPATH%/*}.zone
_ZONENAME=${_ZONEFILEPATH%/*}
ZONENAME=${_ZONENAME##*/}
cd $DIRPATH
sudo -u nsd /usr/bin/ldns-signzone -o ${ZONENAME} -u ${ZONEFILEPATH} ${KEYNAME}
/usr/sbin/nsd-control reload ${ZONENAME}
done


@@ -1,23 +0,0 @@
{% set other_server = groups['slave_nsdservers'] if nsd_master else (groups['master_nsdservers'] | first) -%}
{% set default_ipv4 = hostvars[other_server].ansible_default_ipv4.address -%}
{% set default_ipv6 = hostvars[other_server].ansible_default_ipv6.address -%}
zone:
name: "{{ item.name }}"
zonefile: {{ item.name }}.zone.signed
{% if nsd_master -%}
{% for server in other_server -%}
{% set default_ipv4 = hostvars[server].natted_ipv4 | default(hostvars[server].ansible_default_ipv4.address) -%}
{% set default_ipv6 = hostvars[server].ansible_default_ipv6.address -%}
notify: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
provide-xfr: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
notify: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
provide-xfr: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
{% endfor -%}
{% else -%}
{% set default_ipv4 = hostvars[other_server].natted_ipv4 | default(hostvars[other_server].ansible_default_ipv4.address) -%}
{% set default_ipv6 = hostvars[other_server].ansible_default_ipv6.address -%}
allow-notify: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
request-xfr: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
allow-notify: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
request-xfr: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
{% endif -%}


@@ -1,21 +0,0 @@
$TTL 86400
{% set firstserver = groups['master_nsdservers'] | first %}
@ IN SOA {{ hostvars[firstserver].nsd_ansible_host | default(hostvars[firstserver].ansible_host) }}. tech.ovh.net. (
{{ dns_serial }}; timestamp serial number
28800; Refresh
7200; Retry
864000; Expire
86400; Min TTL
)
{% for server in groups['nsdservers'] %}
@ IN NS {{ hostvars[server].nsd_ansible_host | default(hostvars[server].ansible_host) }}.
{% endfor %}
$ORIGIN {{ item.name }}.
@ IN CAA 0 issue "letsencrypt.org"
@ IN MX 0 .
@ IN TXT "v=spf1 -all"
@ IN TXT "spf2.0/mfrom -all"
_dmarc IN TXT "v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;"
{{ web_hostname_block }}


@@ -1,32 +0,0 @@
$TTL 86400
{% set firstserver = groups['master_nsdservers'] | first %}
@ IN SOA {{ hostvars[firstserver].nsd_ansible_host | default(hostvars[firstserver].ansible_host) }}. tech.ovh.net. (
{{ dns_serial }}; timestamp serial number
28800; Refresh
7200; Retry
864000; Expire
86400; Min TTL
)
{% for server in groups['nsdservers'] %}
@ IN NS {{ hostvars[server].nsd_ansible_host | default(hostvars[server].ansible_host) }}.
{% endfor %}
$ORIGIN {{ item.name }}.
@ IN CAA 0 issue "letsencrypt.org"
@ IN MX 1 mail.dmz.mateu.be.
@ 3600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all"
@ 3600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
_dmarc 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:report@mateu.be; adkim=s; aspf=s"
dkim._domainkey 3600 IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
_jabber._tcp IN SRV 0 0 5269 jabber.dmz.mateu.be.
_xmpp-client._tcp IN SRV 0 0 5222 jabber.dmz.mateu.be.
_xmpp-server._tcp IN SRV 0 0 5269 jabber.dmz.mateu.be.
_xmppconnect IN TXT "_xmpp-client-xbosh=https://xmpp.libertus.eu/http-bind"
altsrv IN CNAME ks3370405.kimsufi.com.
p IN MX 1 mail.dmz.mateu.be.
p 3600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all"
p 3600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
_dmarc.p 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:report@mateu.be; adkim=s; aspf=s"
dkim._domainkey.p 3600 IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
{{ web_hostname_block }}
