


ed61026b45 : add smtp global relay
2025-03-29 11:44:21 +01:00
117 changed files with 318 additions and 1516 deletions


@@ -1 +0,0 @@
roles/nsd/tasks/zones.yml no-tabs


@@ -1,3 +0,0 @@
---
global_public_ip_address: 82.66.135.228


@@ -2,6 +2,7 @@
zones:
- name: giteu.be
parking: true
- name: libertus.eu
- name: mateu.be
- name: monder.ch
@@ -12,6 +13,7 @@ zones:
parking: true
- name: pipoworld.fr
parking: true
- name: sebicomics.com
tsig_key: !vault |
$ANSIBLE_VAULT;1.1;AES256


@@ -6,7 +6,6 @@ web_hostname:
- host: btf.mateu.be
allowlistv4:
- 88.175.123.77/32
- 109.9.84.47/32
allowlistv6:
- 2a01:e0a:9bd:2811::/64
- 2a01:e0a:9bd:2810::/64
@@ -16,7 +15,6 @@ web_hostname:
- 2001:910:13c8::/48
- 2a01:e0a:bde:d350::/64
- 2a01:cb00:f55:2d00::/64
- 2a01:cb00:89e3:2c00::/64
nginx_extra_mods:
- fancyindex


@@ -1,4 +0,0 @@
---
web_hostname:
- host: kck.test.mateu.be
- host: vlt.test.mateu.be


@@ -1,3 +0,0 @@
---
natted_ipv4: "{{ global_public_ip_address }}"


@@ -1,7 +1,6 @@
---
web_hostname:
- host: libertus.eu
acme_reload_cmd: "systemctl restart prosody.service"
- host: upload.libertus.eu
- host: xmpp.libertus.eu


@@ -1,13 +1,6 @@
---
web_hostname:
- host: mail-relay.mateu.be
acme_reload_cmd: "systemctl restart postfix.service"
allowed_smtp_ips: "{{ [global_public_ip_address] + ['80.67.179.200'] }}"
allowed_smtp_ips: ["82.66.135.228", "80.67.179.200"]
global_smtp_relay_allowed_ips: "{{ allowed_smtp_ips }}"
ufw_allowed_smtp_ips: "{{ allowed_smtp_ips }}"
nsd_master: true
nsd_ansible_host: "nsd-master1.ext.mateu.be"
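Review bot: `allowed_smtp_ips` is now a hard-coded list, and the same two addresses are typed out again in the postfix `mynetworks` template elsewhere in this commit, so the relay trust list lives in two places that can silently drift; keep this variable as the single source and derive the others from it, e.g. `global_smtp_relay_allowed_ips: "{{ allowed_smtp_ips }}"` and `ufw_allowed_smtp_ips: "{{ allowed_smtp_ips }}"`. The new side of this hunk is only six lines, so the page does not show whether `ufw_allowed_smtp_ips` survives; if it does not, the ufw role pulled into the global_smtprelay playbook has nothing to scope port 25 to, and the only thing between this host and an open relay is postfix's own relay restrictions, which are not visible in this diff either. Worth confirming both together.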


@@ -1,6 +1,4 @@
---
web_hostname:
- host: imap.libertus.eu
acme_reload_cmd: "systemctl restart dovecot.service"
- host: smtp.libertus.eu
acme_reload_cmd: "systemctl restart postfix.service"


@@ -13,10 +13,9 @@ web_hostname:
type: bac
- host: mail.libertus.eu
type: roundcube
- host: perso.nintendojo.fr
- host: perso.libertus.eu
- host: r.mateu.be
san:
- perso.libertus.eu
- perso.nintendojo.fr
- host: ff.libertus.eu
type: firefly3
- host: koi.libertus.eu


@@ -2,16 +2,13 @@
php_modules: ['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'xml', 'bcmath', 'curl', 'imagick']
web_hostname:
- host: nintendojo.fr
- host: www.nintendojo.fr
type: wordpress
san:
- nintendojo.fr
- host: wwwdev.nintendojo.fr
- host: forum.nintendojo.fr
type: phpbb
- host: nintendojofr.com
- host: www.nintendojofr.com
type: retrodojo
san:
- nintendojofr.com
- host: forum.nintendojofr.com
mariadb_root_pass: !vault |
@@ -22,16 +19,6 @@ mariadb_root_pass: !vault |
3437653064323138310a663363373736623931336432376466316666616234356133383263373136
31343534663063663134306464306234366430323762656165653930333134326231
phpbb_maria_database: "dojo_forum"
phpbb_maria_user: "adm_forum"
phpbb_maria_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
65306237643235363962653566336537303632386466646462656234333836396630306438336632
3334663566303963646135313265643235623538633463650a663637386436306538616266626232
36373332396338326437663832383237623836643137323432323435333231633363386432303830
3465306161666563630a356462363561653431303438653935346564343861303962363030323633
3632
wordpress_maria_database: "dojo_wp"
wordpress_maria_user: "adm_wp"
wordpress_maria_password: !vault |
@@ -51,3 +38,12 @@ retrodojo_maria_password: !vault |
65386530353032336161353330313863623231646632643861666562353764373066663337353063
6364633734323732390a363539333537396164633965346637313532666366336362346663326661
6663
webapps_htpasswd_editeurs: !vault |
$ANSIBLE_VAULT;1.1;AES256
63663638356139373663646639633762393761333536393331363066353039393266306638326336
3235353238666261373032363633626333646662343461330a393534633530353330323637386239
63336532646235663732623561333963643436353165633165663430313132626561363361333736
6662313535333063390a386532313335663836393562656564306633303933633234393139316131
61376332373961303961303963656565633639333130346565386361313338346235623434616239
6637613630333963363963646465633939663863356633373264


@@ -2,23 +2,16 @@
php_modules: ['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'xml', 'bcmath', 'curl', 'imagick']
web_hostname:
- host: wwwdev.nintendojo.fr
type: wordpress
- host: sebicomics.com
- host: www.sebicomics.com
mariadb_root_pass: !vault |
$ANSIBLE_VAULT;1.1;AES256
65373663323065306532306235313032383331353337396131383766323535633831383062393632
3438613735613365333264356465336162346263666236300a306234336566303863346539343531
37313932653964366233393038306235353134356230653336306232373430386662306634616431
6332333837663064340a643535386465626636343436303263666333383461383730396135396666
3539
66613630653961396639336136333837343866646263353135303233383336356166663466623438
6438653832313536363631336363306337366165616561370a316466353535313164623934626563
65343238333661333765636131323962316637613036393366343161343162393337376232633432
3233653232353534370a393962663766623237313166333638343561306134663062333230333635
63343339363833626136646134353365393734346561613262633531386135366634
wordpress_maria_database: "dojo_wpdev"
wordpress_maria_user: "adm_wpdev"
wordpress_maria_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
66613837353166633536656166383232646232303535643931313531636230353265633638626231
6231323738656466333164326238666166383931633133380a633764366462323261376632666565
63646365636133363338383233653930663139343238313131313365646663393761656361333332
6634333736356438390a316237373836373132666334306661363863383665663139623935646437
6331
# 283M of base memory + 20MB/connection -> 1267M of RAM max
mariadb_max_connections: 50


@@ -25,15 +25,6 @@ physicalservers:
hosts:
frederica:
serenor:
ks3370405:
nsdservers:
hosts:
ks3370405:
webservers:
hosts:
ks3370405:
hypervisors:
children:
@@ -74,7 +65,6 @@ resticservers:
disabled_loadbalanced_webservers:
hosts:
ks3370405:
disabled_system:
hosts:


@@ -1,6 +0,0 @@
---
- name: Install docker
hosts: dockerservers
roles:
- docker


@@ -1,7 +1,7 @@
---
- name: Retrieve network info for physical machines
hosts: physicalservers
- name: Retrieve network info
hosts: all:!disabled_server_conf:!machinbox
gather_facts: true
gather_subset:
- network


@@ -10,4 +10,5 @@
hosts: actrunnerservers
diff: true
roles:
- docker
- act_runner


@@ -3,4 +3,5 @@
- name: Install & configure the global SMTP relay
hosts: ks3370405
roles:
- ufw
- global_smtp_relay


@@ -1,5 +1,12 @@
---
- name: Retrieve network info
hosts: webservers:!disabled_loadbalanced_webservers
gather_facts: true
gather_subset:
- network
tasks: []
- name: Deploy haproxy
hosts: lbservers
diff: true


@@ -1,7 +0,0 @@
---
- name: Deploy NSD
hosts: nsdservers
diff: true
roles:
- nsd


@@ -18,12 +18,8 @@
import_playbook: firewall.yml
- name: Run mail playbook
import_playbook: mail.yml
- name: Run ufw plabook
import_playbook: ufw.yml
- name: Run global_smtprelay playbook
import_playbook: global_smtprelay.yml
- name: Run nsd playbook
import_playbook: nsd.yml
- name: Run xmpp playbook
import_playbook: xmpp.yml
- name: Run webservers playbook
@@ -54,8 +50,6 @@
import_playbook: peertube.yml
- name: Run elasticsearch playbook
import_playbook: elasticsearch.yml
- name: Run docker playbook
import_playbook: docker.yml
- name: Run gitea playbook
import_playbook: gitea.yml
- name: Run vaultwarden playbook


@@ -1,6 +0,0 @@
---
- name: Install & configure UFW
hosts: ks3370405
roles:
- ufw


@@ -23,16 +23,5 @@
hosts: web2
diff: true
roles:
- role: wordpress
tags: [never, wordpress]
- role: phpbb
tags: [never, phpbb]
- role: retrodojo
tags: [never, retrodojo]
- name: Install dojo webapplications
hosts: web3
diff: true
roles:
- role: wordpress
tags: [never, wordpress]
- wordpress
- retrodojo


@@ -1,5 +1,12 @@
---
- name: Retrieve network info
hosts: lbservers
gather_facts: true
gather_subset:
- network
tasks: []
- name: Deploy web servers
hosts: webservers
diff: true


@@ -1,6 +1,6 @@
---
act_runner_version: "0.2.12"
act_runner_version: "0.2.11"
act_runner_url: "https://gitea.com/gitea/act_runner/releases/download/v{{ act_runner_version }}/act_runner-{{ act_runner_version }}-linux-amd64"
act_runner_home: "/var/lib/act_runner"
act_runner_bin: "/usr/local/bin/act_runner"


@@ -1,6 +1,6 @@
---
firefly3_version: "6.2.21"
firefly3_version: "6.2.10"
firefly3_url: "https://github.com/firefly-iii/firefly-iii/releases/download/v{{ firefly3_version }}/FireflyIII-v{{ firefly3_version }}.tar.gz"
firefly3_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'firefly3') | map(attribute='host') | first }}"


@@ -120,7 +120,7 @@ config rule
config rule
option name 'Allow-DMZ-Syslog'
option dest 'dmz'
option dest_ip '{{ hostvars['syslog'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['syslog']['ansible_default_ipv4']['address'] }}'
option dest_port '514'
list proto 'udp'
option target 'ACCEPT'
@@ -173,7 +173,7 @@ config redirect
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['haproxy'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['haproxy']['ansible_default_ipv4']['address'] }}'
option dest_port '80'
option target 'DNAT'
@@ -184,19 +184,19 @@ config redirect
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['haproxy'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['haproxy']['ansible_default_ipv4']['address'] }}'
option dest_port '443'
option target 'DNAT'
# Allow Web traffic IN
{% for host in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) | sort %}
{% for host in groups['webservers'] | sort %}
config rule
option name 'Allow-INPUT-{{ hostvars[host]['ansible_host'] }}-Web'
option src 'wan'
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars[host].ansible_default_ipv6.address | default(hostvars[host].proxmox_net0.ip6 | ansible.utils.ipaddr('address')) }}'
option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
option dest_port '80 443'
option target 'ACCEPT'
option family 'ipv6'
@@ -207,7 +207,7 @@ config rule
config rule
option name 'Allow-OUTPUT-BT'
option src 'dmz'
option src_ip '{{ hostvars['bt'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option src_ip '{{ hostvars['bt']['ansible_default_ipv4']['address'] }}'
list proto 'tcp'
list proto 'udp'
option dest 'wan'
@@ -217,7 +217,7 @@ config rule
config rule
option name 'Allow-OUTPUT-BT'
option src 'dmz'
option src_ip '{{ hostvars['bt'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
option src_ip '{{ hostvars['bt']['ansible_default_ipv6']['address'] }}'
list proto 'tcp'
list proto 'udp'
option dest 'wan'
@@ -230,7 +230,7 @@ config rule
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['bt'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['bt']['ansible_default_ipv6']['address'] }}'
option dest_port '10010'
option target 'ACCEPT'
option family 'ipv6'
@@ -242,7 +242,7 @@ config redirect
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['bt'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['bt']['ansible_default_ipv4']['address'] }}'
option dest_port '10010'
option target 'DNAT'
@@ -253,7 +253,7 @@ config rule
option src 'wan'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars[host].ansible_default_ipv6.address }}'
option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
option dest_port '80 8006'
option target 'ACCEPT'
option family 'ipv6'
@@ -267,7 +267,7 @@ config redirect
option src_dport '8006'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ first_hypervisor.ansible_default_ipv4.address }}'
option dest_ip '{{ first_hypervisor['ansible_default_ipv4']['address'] }}'
option dest_port '8006'
option target 'DNAT'
@@ -275,7 +275,7 @@ config redirect
config rule
option name 'Allow-OUTPUT-XMPP-s2s'
option src 'dmz'
option src_ip '{{ hostvars['jabber'].proxmox_net0.ip | ansible.utils.ipaddr('address')}}'
option src_ip '{{ hostvars['jabber']['ansible_default_ipv4']['address']}}'
list proto 'tcp'
list proto 'udp'
option dest 'wan'
@@ -286,7 +286,7 @@ config rule
config rule
option name 'Allow-OUTPUT-XMPP-s2s'
option src 'dmz'
option src_ip '{{ hostvars['jabber'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
option src_ip '{{ hostvars['jabber']['ansible_default_ipv6']['address'] }}'
list proto 'tcp'
list proto 'udp'
option dest 'wan'
@@ -301,7 +301,7 @@ config redirect
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['jabber'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['jabber']['ansible_default_ipv4']['address'] }}'
option dest_port '5222'
option target 'DNAT'
@@ -312,7 +312,7 @@ config redirect
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['jabber'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['jabber']['ansible_default_ipv4']['address'] }}'
option dest_port '5269'
option target 'DNAT'
@@ -322,7 +322,7 @@ config rule
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['jabber'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['jabber']['ansible_default_ipv6']['address'] }}'
option dest_port '5222 5269'
option target 'ACCEPT'
option family 'ipv6'
@@ -334,7 +334,7 @@ config rule
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['voice1'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['voice1']['ansible_default_ipv6']['address'] }}'
option dest_port '64738'
option target 'ACCEPT'
option family 'ipv6'
@@ -346,62 +346,15 @@ config redirect
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['voice1'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['voice1']['ansible_default_ipv4']['address'] }}'
option dest_port '64738'
option target 'DNAT'
# Allow DNS traffic
config rule
option name 'Allow-INPUT-DNS'
option src 'wan'
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['dns1'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
option dest_port '53'
option target 'ACCEPT'
option family 'ipv6'
config redirect
option name 'Allow-INPUT-DNS'
option src 'wan'
option src_dport '53'
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['dns1'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_port '53'
option target 'DNAT'
config rule
option name 'Allow-OUTPUT-DNS'
option src 'dmz'
option src_ip '{{ hostvars['dns1'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
list proto 'tcp'
list proto 'udp'
option dest 'wan'
option dest_port '53'
option dest_ip '{{ hostvars['ks3370405'].ansible_default_ipv4.address }}'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-OUTPUT-DNS'
option src 'dmz'
option src_ip '{{ hostvars['dns1'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
list proto 'tcp'
list proto 'udp'
option dest 'wan'
option dest_port '53'
option dest_ip '{{ hostvars['ks3370405'].ansible_default_ipv6.address }}'
option target 'ACCEPT'
option family 'ipv6'
# Allow mail traffic
config rule
option name 'Allow-OUTPUT-SMTP'
option src 'dmz'
option src_ip '{{ hostvars['mail'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option src_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
list proto 'tcp'
option dest 'wan'
option dest_port '25'
@@ -413,7 +366,7 @@ config rule
option src 'wan'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['mail']['ansible_default_ipv6']['address'] }}'
option dest_port '25 465 587'
option target 'ACCEPT'
option family 'ipv6'
@@ -423,7 +376,7 @@ config rule
option src 'wan'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['mail']['ansible_default_ipv6']['address'] }}'
option dest_port '143 993'
option target 'ACCEPT'
option family 'ipv6'
@@ -434,7 +387,7 @@ config redirect
option src_dport '25'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
option dest_port '25'
option target 'DNAT'
@@ -444,7 +397,7 @@ config redirect
option src_dport '465'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
option dest_port '465'
option target 'DNAT'
@@ -454,7 +407,7 @@ config redirect
option src_dport '587'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
option dest_port '587'
option target 'DNAT'
@@ -464,7 +417,7 @@ config redirect
option src_dport '143'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
option dest_port '143'
option target 'DNAT'
@@ -474,7 +427,7 @@ config redirect
option src_dport '993'
list proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['mail'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
option dest_port '993'
option target 'DNAT'
@@ -482,7 +435,7 @@ config redirect
config rule
option name 'Allow-INPUT-Munin'
option src 'dmz'
option src_ip '{{ hostvars['munin'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option src_ip '{{ hostvars['munin']['ansible_default_ipv4']['address'] }}'
list proto 'tcp'
option dest_port '4949'
option target 'ACCEPT'
@@ -491,7 +444,7 @@ config rule
config rule
option name 'Allow-FORWARD-Munin-Mikrotik-Garregmach'
option src 'dmz'
option src_ip '{{ hostvars['munin'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option src_ip '{{ hostvars['munin']['ansible_default_ipv4']['address'] }}'
list proto 'tcp'
list proto 'udp'
option dest 'lan'
@@ -503,7 +456,7 @@ config rule
config rule
option name 'Allow-FORWARD-Munin-Mikrotik-Derdriu'
option src 'dmz'
option src_ip '{{ hostvars['munin'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option src_ip '{{ hostvars['munin']['ansible_default_ipv4']['address'] }}'
list proto 'tcp'
list proto 'udp'
option dest 'lan'
@@ -512,38 +465,6 @@ config rule
option target 'ACCEPT'
option family 'ipv4'
# Allow Home Assitant to OpenEVSE
config rule
option name 'Allow-FORWARD-Home-Assistant-OpenEVSE'
option src 'iot'
option src_ip '{{ lookup('dig', 'evse.mateu.be') }}'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ lookup('dig', 'ha.mateu.be') }}'
option dest_port '1883'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-FORWARD-Home-Assistant-Kodi'
option src 'dmz'
option src_ip '{{ lookup('dig', 'ha.mateu.be') }}'
list proto 'tcp'
option dest 'lan'
option dest_ip '{{ lookup('dig', 'libreelec.mateu.be') }}'
option dest_port '8080'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-FORWARD-Home-Assistant-RM4Pro'
option src 'dmz'
option src_ip '{{ lookup('dig', 'ha.mateu.be') }}'
option dest 'iot'
option dest_ip '{{ lookup('dig', 'rm4pro.mateu.be') }}'
option target 'ACCEPT'
option family 'ipv4'
### IoT Rules
## General Rules
# ICMP
@@ -609,7 +530,7 @@ config rule
option src 'iot'
list proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['ftp'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
option dest_ip '{{ hostvars['ftp']['ansible_default_ipv4']['address'] }}'
option dest_port '21 10100-10110'
option target 'ACCEPT'
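Review bot: The `Allow-INPUT-…-Web` loop now iterates every host in `groups['webservers']`, including members of `disabled_loadbalanced_webservers`, so wan→dmz 80/443 over IPv6 is opened to hosts that the haproxy template in this same commit deliberately no longer routes to; restrict the loop to the same set, `{% for host in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) | sort %}`. The switch to bare `hostvars[...]['ansible_default_ipv4']['address']` lookups with no `default(...)` makes the render fail hard whenever a referenced host has no gathered facts (unreachable VM, host excluded from the fact-gathering play); that is the safe direction, but it ties this template to the `Retrieve network info` play being run first in the same playbook. Unrelated to the change but inside the hunk: the 993 redirect uses `option dest 'lan'` while every other mail redirect targets `dmz`, which looks like a typo worth checking.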


@@ -1,6 +1,6 @@
---
freshrss_version: "1.26.3"
freshrss_version: "1.26.1"
freshrss_url: "https://github.com/FreshRSS/FreshRSS/archive/refs/tags/{{ freshrss_version }}.tar.gz"
freshrss_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'freshrss') | map(attribute='host') | first }}"


@@ -10,7 +10,7 @@ db_engine = "lmdb"
block_size = "{{ garage_block_size }}"
replication_factor = {{ garage_replication_mode }}
replication_mode = "{{ garage_replication_mode }}"
compression_level = 2


@@ -2,5 +2,5 @@
garage_url: "https://garagehq.deuxfleurs.fr/_releases/{{ garage_version }}/{{ garage_arch }}-unknown-linux-musl/garage"
garage_bin: "/usr/local/bin/garage"
garage_version: v2.0.0
garage_version: v1.1.0
garage_arch: x86_64


@@ -1,6 +1,6 @@
---
gitea_version: "1.24.3"
gitea_version: "1.23.6"
gitea_url: "https://dl.gitea.com/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64"
gitea_bin: "/usr/local/bin/gitea"
gitea_path: "/srv/gitea"


@@ -1,6 +1,6 @@
---
- name: Restart postfix
ansible.builtin.service:
ansible.bultin.service:
name: postfix
state: restarted
enabled: true
enable: true
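Review bot: The handler as written cannot run: `ansible.bultin.service` is a misspelled module name and `enable` is not a parameter of the service module, so every notify from the config task fails the play instead of restarting postfix, and a changed `mynetworks` never reaches the running daemon. Use `ansible.builtin.service:` and `enabled: true`.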


@@ -8,7 +8,7 @@
- name: Put configuration
ansible.builtin.template:
src: main.cf.j2
dest: /etc/postfix/main.cf
dest: /etc/postfix/main.cf.j2
owner: root
group: root
mode: "0o640"
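Review bot: The rendered template is written to `/etc/postfix/main.cf.j2` instead of `/etc/postfix/main.cf`, so postfix keeps running whatever main.cf the package shipped and none of the relay settings in this role (`mynetworks`, TLS cert paths) ever apply; change it to `dest: /etc/postfix/main.cf`. The task reports "changed" on first run regardless, so the play looks healthy while the live config is untouched; a `postconf mynetworks` check on the host after the run is a cheap way to catch this class of mistake.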


@@ -1,16 +1,30 @@
compatibility_level = 2
queue_directory = /var/spool/postfix
command_directory = /usr/bin
daemon_directory = /usr/lib/postfix/bin
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail-relay.mateu.be
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8, [::1]/128, {{ global_smtp_relay_allowed_ips | join(', ') }}
mynetworks = 127.0.0.0/8, [::1]/128, 82.66.135.228, 80.67.179.200
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/bin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
mailbox_size_limit = 104857600
message_size_limit = 104857600
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix
inet_protocols = ipv4
meta_directory = /etc/postfix
shlib_directory = /usr/lib/postfix
## Référence de chiffrement TLS
# serveur SMTP
smtpd_tls_cert_file = /etc/x509/mail-relay.mateu.be/fullchain.cer
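Review bot: `mynetworks` hard-codes the two relay client addresses that the mail-relay host_vars already carry as `allowed_smtp_ips`; since `mynetworks` is what lets a client relay through this host without authenticating, render it from that variable so the firewall and postfix cannot disagree: `mynetworks = 127.0.0.0/8, [::1]/128, {{ allowed_smtp_ips | join(', ') }}`. With `inet_protocols = ipv4` the `[::1]/128` entry is harmless but dead. The `smtpd_relay_restrictions` / `smtpd_recipient_restrictions` that actually enforce the trust boundary are not in this hunk (the file continues after `smtpd_tls_cert_file`); if they are overridden further down they need to keep `permit_mynetworks` followed by `reject_unauth_destination` or `defer_unauth_destination`, otherwise the content of `mynetworks` is irrelevant.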


@@ -1,6 +0,0 @@
---
haproxy_backend_servers: "{{ groups['webservers']
| difference(groups['proxmox_all_stopped'])
| difference(groups['disabled_loadbalanced_webservers'])
| sort }}"


@@ -41,20 +41,11 @@ frontend http
tcp-request inspect-delay 3s
acl letsencrypt path_beg /.well-known/acme-challenge
redirect scheme https code 301 if !letsencrypt
{% for server in haproxy_backend_servers %}
{% for hostname in (
(hostvars[server].web_hostname
| map(attribute='host'))
+
(hostvars[server].web_hostname
| selectattr('san', 'defined')
| map(attribute='san')
| flatten)
) | sort
%}
## {{ hostname }} configuration
acl host_{{ hostname }} hdr(host) -i {{ hostname }}
use_backend http_{{ hostvars[server].ansible_host }} if letsencrypt host_{{ hostname }}
{% for server in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) | sort %}
{% for hostname in hostvars[server]['web_hostname'] | sort(attribute='host') %}
## {{ hostname.host }} configuration
acl host_{{ hostname.host }} hdr(host) -i {{ hostname.host }}
use_backend http_{{ hostvars[server].ansible_host }} if letsencrypt host_{{ hostname.host }}
{% endfor %}
{% endfor %}
@@ -65,41 +56,29 @@ frontend https
bind *:443 name frontend-https
tcp-request inspect-delay 3s
tcp-request content accept if { req.ssl_hello_type 1 }
{% for server in haproxy_backend_servers %}
{% for hostname in (
(hostvars[server].web_hostname
| map(attribute='host'))
+
(hostvars[server].web_hostname
| selectattr('san', 'defined')
| map(attribute='san')
| flatten)
) | sort
%}
## {{ hostname }} configuration
acl host_{{ hostname }} req.ssl_sni -i {{ hostname }}
{% set host = (hostvars[server].web_hostname | selectattr('host', '==', hostname))[0] %}
{% if host.allowlistv4 is defined %}
acl network_allowed_{{ hostname }} src {% for addrv4 in host.allowlistv4 %} {{ addrv4 }}{% endfor %}
{% for server in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) | sort %}
{% for hostname in hostvars[server]['web_hostname'] | sort(attribute='host') %}
## {{ hostname.host }} configuration
acl host_{{ hostname.host }} req.ssl_sni -i {{ hostname.host }}
{% if hostname.allowlistv4 is defined %}
acl network_allowed_{{ hostname.host }} src {% for addrv4 in hostname.allowlistv4 %}{{ addrv4 }}{% endfor %}
{% endif %}
use_backend https_{{ hostvars[server].ansible_host }} if host_{{ hostname }}{% if host.allowlistv4 is defined %} network_allowed_{{ hostname }}{% endif %}
use_backend https_{{ hostvars[server].ansible_host }} if host_{{ hostname.host }}{% if hostname.allowlistv4 is defined %} network_allowed_{{ hostname.host }}{% endif %}
{% endfor %}
{% endfor %}
{% for server in haproxy_backend_servers %}
{% for server in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) | sort %}
## {{ hostvars[server].ansible_host }} configuration
backend http_{{ hostvars[server].ansible_host }}
mode http
{% set hostname_slug = hostvars[server].ansible_host.split('.')|join('_') %}
{% set hostname_ipaddr = hostvars[server]['ansible_default_ipv4']['address'] | default(hostvars[server].proxmox_net0.ip | ansible.utils.ipaddr('address')) %}
server host_{{ hostname_slug }} {{ hostname_ipaddr }}:80
server host_{{ hostvars[server].ansible_host.split('.')|join('_') }} {{ hostvars[server]['ansible_default_ipv4']['address'] }}:80
backend https_{{ hostvars[server].ansible_host }}
mode tcp
server host_{{ hostname_slug }} {{ hostname_ipaddr }}:443
server host_{{ hostvars[server].ansible_host.split('.')|join('_') }} {{ hostvars[server]['ansible_default_ipv4']['address'] }}:443
{% endfor %}
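Review bot: The allowlist ACL emits its entries with no separator (`{% for addrv4 in hostname.allowlistv4 %}{{ addrv4 }}{% endfor %}`), so a host with more than one `allowlistv4` entry renders as a single concatenated token such as `1.2.3.4/325.6.7.8/32`, which haproxy rejects at load; use `acl network_allowed_{{ hostname.host }} src {{ hostname.allowlistv4 | join(' ') }}`. Only the `.host` key of each entry gets an ACL now, so any `san` names declared in host_vars fall through with no `use_backend` unless a default_backend outside the hunk catches them, and the backend address comes from `ansible_default_ipv4` with no fallback, so one webserver that is down (the old `proxmox_all_stopped` exclusion is gone) breaks the whole haproxy render. Note also that this allowlist is only evaluated on the IPv4 TCP path; the firewall template in this commit lets IPv6 80/443 reach each webserver directly, so the `allowlistv6` host_vars have to be enforced on the webservers themselves, presumably by nginx.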


@@ -1,5 +1,5 @@
---
jackett_version: "v0.22.2162"
jackett_version: "v0.22.1685"
jackett_download_url: "https://github.com/Jackett/Jackett/releases/download/{{ jackett_version }}/Jackett.Binaries.LinuxAMDx64.tar.gz"
jackett_home: "/opt/Jackett"


@@ -1,6 +1,6 @@
---
koillection_version: "1.6.15"
koillection_version: "1.6.12"
koillection_url: "https://giteu.be/koillection/koillection/releases/download/{{ koillection_version }}/koillection-{{ koillection_version }}.tar.gz"
koillection_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'koillection') | map(attribute='host') | first }}"


@@ -36,7 +36,7 @@
- name: Check if .my.cnf file exists
ansible.builtin.stat:
path: /root/.my.cnf
register: mariadb_dot_my_cnf
register: dot_my_cnf
- name: Set root password
community.mysql.mysql_user:
@@ -44,7 +44,7 @@
host: localhost
name: root
password: "{{ mariadb_root_pass }}"
when: not mariadb_dot_my_cnf.stat.exists
when: not dot_my_cnf.stat.exists
- name: Put .my.cnf file
ansible.builtin.template:


@@ -6,4 +6,4 @@
name: Mastodon tootctl
minute: "0"
hour: "2"
job: "{{ mastodon_home }}/bin/remove_media.sh > /dev/null"
job: "{{ mastodon_home }}/bin/remove_media.sh"


@@ -40,7 +40,6 @@
- git-core
- g++
- libprotobuf-dev
- libvips-tools
- protobuf-compiler
- pkg-config
- nodejs


@@ -6,7 +6,6 @@
repo: "https://github.com/mastodon/mastodon.git"
dest: "{{ mastodon_home }}/live"
version: "v{{ mastodon_version }}"
notify: Restart mastodon
- name: Exec bundle
remote_user: mastodon


@@ -1,6 +1,6 @@
---
mastodon_version: "4.4.1"
mastodon_version: "4.3.6"
mastodon_nodejs_key_url: "https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
mastodon_nodejs_key_path: "/usr/share/keyrings/nodesource.gpg"
@@ -8,7 +8,7 @@ mastodon_nodejs_key_path: "/usr/share/keyrings/nodesource.gpg"
mastodon_yarn_key_url: "https://dl.yarnpkg.com/debian/pubkey.gpg"
mastodon_yarn_key_path: "/usr/share/keyrings/yarnkey.gpg"
mastodon_ruby_version: "3.4.4"
mastodon_ruby_version: "3.3.5"
mastodon_home: "/srv/mastodon"
mastodon_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'mastodon') | map(attribute='host') | first }}"


@@ -6,7 +6,7 @@ HEADER="Authorization: Bearer ${BEARER}"
# Create associative array
declare -A BUCKETS=()
API_BUCKETS_JSON=$(curl -s -H "${HEADER}" "http://[::1]:3903/v2/ListBuckets" | jq -r '.[] | .id + "," + (if (.globalAliases[0]|test("\\.")) then .globalAliases[1] else .globalAliases[0] end)')
API_BUCKETS_JSON=$(curl -s -H "${HEADER}" "http://[::1]:3903/v1/bucket?list" | jq -r '.[] | .id + "," + (if (.globalAliases[0]|test("\\.")) then .globalAliases[1] else .globalAliases[0] end)')
# Populate associative array
for bucket in ${API_BUCKETS_JSON}
@@ -59,7 +59,7 @@ declare -A REQUESTS
for i in "${!BUCKETS[@]}"
do
REQUESTS+=([${BUCKETS[${i}]}]=$(curl -s -H "${HEADER}" "http://[::1]:3903/v2/GetBucketInfo?id=${i}"))
REQUESTS+=([${BUCKETS[${i}]}]=$(curl -s -H "${HEADER}" "http://[::1]:3903/v1/bucket?id=${i}"))
done
echo "multigraph garage_bucket_unfinished"
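Review bot: On both changed lines the Garage admin token is passed to curl as a command-line argument (`-H "${HEADER}"`), which exposes it in `ps` and `/proc/<pid>/cmdline` to every local user for the duration of each request; feed the header from a file descriptor instead, `curl -s -H @<(printf 'Authorization: Bearer %s\n' "${BEARER}")`, or keep it in a `-K` config file readable only by the munin user. Separately, `curl -s` without `--fail` hands an error body to `jq` on a 401/404, which likely yields bogus bucket names rather than an empty graph; `curl -sf` makes the failure visible.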


@@ -1,127 +0,0 @@
#!/bin/sh
: << =cut
=head1 NAME
nsd - Plugin to monitor nsd DNS server
=head1 CONFIGURATION
No configuration
=head1 AUTHOR
Kim Heino <b@bbbs.net>
=head1 LICENSE
GPLv2
=head1 MAGIC MARKERS
#%# family=auto
#%# capabilities=autoconf
=cut
if [ "$1" = "autoconf" ]; then
if [ -x /usr/sbin/nsd-control ]; then
echo "yes"
exit 0
else
echo "no (no /usr/sbin/nsd-control)"
exit 0
fi
fi
if [ "$1" = "config" ]; then
echo 'graph_title NSD queries'
echo 'graph_vlabel queries / second'
echo 'graph_category dns'
echo 'graph_info Queries per second, by query type'
echo 'a.label A'
echo 'a.type DERIVE'
echo 'a.min 0'
echo 'aaaa.label AAAA'
echo 'aaaa.type DERIVE'
echo 'aaaa.min 0'
echo 'ptr.label PTR'
echo 'ptr.type DERIVE'
echo 'ptr.min 0'
echo 'cname.label CNAME'
echo 'cname.type DERIVE'
echo 'cname.min 0'
echo 'mx.label MX'
echo 'mx.type DERIVE'
echo 'mx.min 0'
echo 'txt.label TXT'
echo 'txt.type DERIVE'
echo 'txt.min 0'
echo 'soa.label SOA'
echo 'soa.type DERIVE'
echo 'soa.min 0'
echo 'ns.label NS'
echo 'ns.type DERIVE'
echo 'ns.min 0'
echo 'srv.label SRV'
echo 'srv.type DERIVE'
echo 'srv.min 0'
echo 'dnskey.label DNSKEY'
echo 'dnskey.type DERIVE'
echo 'dnskey.min 0'
echo 'axfr.label AXFR'
echo 'axfr.type DERIVE'
echo 'axfr.min 0'
echo 'snxd.label NXDOMAIN'
echo 'snxd.type DERIVE'
echo 'snxd.min 0'
echo 'rq.label Total Successful'
echo 'rq.type DERIVE'
echo 'rq.min 0'
exit 0
fi
/usr/sbin/nsd-control stats_noreset | sed 's/=/ /; s/\.//g' | (
numtypeA=0
numtypeAAAA=0
numtypePTR=0
numtypeCNAME=0
numtypeMX=0
numtypeTXT=0
numtypeSOA=0
numtypeNS=0
numtypeSRV=0
numtypeDNSKEY=0
numraxfr=0
numrcodeNXDOMAIN=0
numqueries=0
while read -r key value rest; do
[ "${key}" = "numtypeA" ] && numtypeA=${value}
[ "${key}" = "numtypeAAAA" ] && numtypeAAAA=${value}
[ "${key}" = "numtypePTR" ] && numtypePTR=${value}
[ "${key}" = "numtypeCNAME" ] && numtypeCNAME=${value}
[ "${key}" = "numtypeMX" ] && numtypeMX=${value}
[ "${key}" = "numtypeTXT" ] && numtypeTXT=${value}
[ "${key}" = "numtypeSOA" ] && numtypeSOA=${value}
[ "${key}" = "numtypeNS" ] && numtypeNS=${value}
[ "${key}" = "numtypeSRV" ] && numtypeSRV=${value}
[ "${key}" = "numtypeDNSKEY" ] && numtypeDNSKEY=${value}
[ "${key}" = "numraxfr" ] && numraxfr=${value}
[ "${key}" = "numrcodeNXDOMAIN" ] && numrcodeNXDOMAIN=${value}
[ "${key}" = "numqueries" ] && numqueries=${value}
done
echo "a.value ${numtypeA}"
echo "aaaa.value ${numtypeAAAA}"
echo "ptr.value ${numtypePTR}"
echo "cname.value ${numtypeCNAME}"
echo "mx.value ${numtypeMX}"
echo "txt.value ${numtypeTXT}"
echo "soa.value ${numtypeSOA}"
echo "ns.value ${numtypeNS}"
echo "srv.value ${numtypeSRV}"
echo "dnskey.value ${numtypeDNSKEY}"
echo "axfr.value ${numraxfr}"
echo "snxd.value ${numrcodeNXDOMAIN}"
echo "rq.value ${numqueries}"
)


@@ -2,25 +2,26 @@
- name: Set package fact
ansible.builtin.set_fact:
munin_client_muninpkgs:
muninpkgs:
- muninlite
munin_client_munin_need_reconfigure: false
munin_need_reconfigure: false
when: ansible_facts['distribution'] == "LEDE" or ansible_facts['distribution'] == "OpenWRT" or ansible_facts['distribution'] == "OpenWrt"
- name: Set other packages fact
ansible.builtin.set_fact:
munin_client_muninpkgs:
muninpkgs:
- munin-node
- munin-plugins-core
- munin-plugins-extra
munin_client_munin_need_reconfigure: true
munin_need_reconfigure: true
when: ansible_facts['distribution'] == "Debian"
- name: Install munin node packages
ansible.builtin.package:
name: "{{ munin_client_muninpkgs }}"
name: "{{ item }}"
state: present
update_cache: true
loop: "{{ muninpkgs }}"
- name: Put munin-node configuration file
ansible.builtin.template:
@@ -29,7 +30,7 @@
mode: "0o644"
notify:
- Restart munin-node
when: munin_client_munin_need_reconfigure
when: munin_need_reconfigure
## Adding modules for specific functions
# for NginX webservers
@@ -98,14 +99,14 @@
changed_when: true
notify:
- Restart munin-node
when: munin_client_munin_need_reconfigure
when: munin_need_reconfigure
# Useless junks for everyone
- name: Delete useless junks for everyone
ansible.builtin.file:
path: "/etc/munin/plugins/{{ item }}"
state: absent
when: munin_client_munin_need_reconfigure
when: munin_need_reconfigure
loop:
- users
@@ -135,11 +136,6 @@
ansible.builtin.include_tasks: garage.yml
when: "'garageservers' in group_names"
# Specific nsd commands
- name: Execute specific nsd commands
ansible.builtin.include_tasks: nsd.yml
when: "'nsdservers' in group_names"
# Specific restic commands
- name: Execute specific restic commands
ansible.builtin.include_tasks: restic.yml
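Review bot: The install task written as `name: "{{ item }}"` with `loop: "{{ muninpkgs }}"` runs one package-manager transaction per package; `ansible.builtin.package` accepts a list, so the loop can be dropped and `name: "{{ muninpkgs }}"` used directly, as the paired line already does. The same hunks use the unprefixed fact names `muninpkgs` and `munin_need_reconfigure` (set through `set_fact`, so they become host facts visible to every later role), where the paired lines carry the `munin_client_` prefix that ansible-lint's `var-naming[no-role-prefix]` rule expects. Which printed line of each pair is the side under review is not recoverable from this rendering; the note applies to whichever side keeps the loop and the unprefixed names. The distribution test could also read `when: ansible_facts['distribution'] in ['LEDE', 'OpenWRT', 'OpenWrt']`.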


@@ -1,21 +0,0 @@
---
- name: Put nsd plugin configuration
ansible.builtin.template:
src: nsd.j2
dest: /etc/munin/plugin-conf.d/nsd
owner: root
group: root
mode: "0o640"
notify:
- Restart munin-node
- name: Put nsd scripts
ansible.builtin.copy:
src: files/nsd
dest: /etc/munin/plugins/nsd
owner: root
group: root
mode: "0o755"
notify:
- Restart munin-node


@@ -41,7 +41,7 @@ host_name {{ ansible_host }}
# network notation unless the perl module Net::CIDR is installed. You
# may repeat the allow line as many times as you'd like
allow ^{{ hostvars['munin']['proxmox_net0']['ip'] | ansible.utils.ipaddr('address') | split('.') |join('\.') }}
allow ^{{ hostvars['munin']['ansible_default_ipv4']['address'].split('.')|join('\.') }}
allow ^127\.0\.0\.1$
allow ^::1$
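Review bot: The two templated `allow ^…` lines built from the munin host's address end without a `$` anchor, so munin-node's regex match admits any peer whose address merely starts with that string (constructed example: an allow for 10.0.0.1 would also admit 10.0.0.10 and 10.0.0.100). The literal entries just below, `allow ^127\.0\.0\.1$` and `allow ^::1$`, are anchored, so the difference looks accidental. Append the anchor to whichever templated line is kept, e.g. `allow ^{{ hostvars['munin']['ansible_default_ipv4']['address'].split('.')|join('\.') }}$`, and likewise for the `proxmox_net0` variant. Which of the two printed lines is the current side is not recoverable from this rendering.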


@@ -1,2 +0,0 @@
[nsd]
user root


@@ -1,6 +1,6 @@
---
nextcloud_version: "31.0.7"
nextcloud_version: "31.0.2"
nextcloud_url: "https://download.nextcloud.com/server/releases/nextcloud-{{ nextcloud_version }}.tar.bz2"
nextcloud_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'nextcloud') | map(attribute='host') | first }}"
@@ -19,7 +19,6 @@ nextcloud_userdata_app_dirs:
# Supplementary modules
nextcloud_modules:
- name: calendar
- name: contacts
- name: tasks
- name: user_external
force: true


@@ -1,28 +0,0 @@
---
- name: Issue certificate
ansible.builtin.command:
cmd: "/etc/x509/acme.sh --issue --domain {{ host.host }} {{ ['--domain'] | product(host.san | default([])) | map('join', ' ') | join(' ') }} --webroot {{ nginx_letsencrypt_dir }} --reloadcmd \"{{ acme_reload_cmd | default('systemctl reload nginx.service') }}\""
creates: "/etc/x509/{{ host.host }}*"
environment:
LE_WORKING_DIR: "/etc/x509"
- name: Check if ecc dir
ansible.builtin.stat:
path: "/etc/x509/{{ host.host }}_ecc"
register: _nginx_x509_ecc_dir
- name: Move dir if exists
when: _nginx_x509_ecc_dir.stat.exists
block:
- name: Copy ecc dir
ansible.builtin.copy:
remote_src: true
src: "/etc/x509/{{ host.host }}_ecc/"
dest: "/etc/x509/{{ host.host }}"
mode: "{{ _nginx_x509_ecc_dir.stat.mode }}"
- name: Remove ecc dir
ansible.builtin.file:
path: "/etc/x509/{{ host.host }}_ecc/"
state: absent


@@ -41,14 +41,5 @@
mode: 'u+rwx,g+rs,o-rwx'
state: directory
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Include acme auto cert
ansible.builtin.include_tasks: acme.yml
loop: "{{ web_hostname }}"
loop_control:
loop_var: "host"
- name: Include vhosts
ansible.builtin.include_tasks: vhosts.yml


@@ -3,15 +3,13 @@
ssl_certificate /etc/x509/{{ item.host }}/fullchain.cer;
ssl_certificate_key /etc/x509/{{ item.host }}/{{ item.host }}.key;
server_name {{ item.host }}{{ ' ' ~ item.san | join(' ') if item.san is defined }};
server_name {{ item.host }};
access_log /var/log/nginx/{{ item.host }}.access.log combined;
access_log syslog:server=unix:/dev/log combined;
error_log /var/log/nginx/{{ item.host }}.error.log;
error_log syslog:server=unix:/dev/log;
{% if item.allowlistv4 is defined %}
{% for host in groups['lbservers'] %}
allow {{ hostvars[host].proxmox_net0.ip | ansible.utils.ipaddr('address') }};
{% endfor %}
allow {{ hostvars['haproxy']['ansible_default_ipv4']['address'] }};
{% endif %}
{% if item.allowlistv6 is defined %}
{% for addrv6 in item.allowlistv6 %}


@@ -3,7 +3,7 @@
# ANY MODIFICATION IS LIKELY TO BE ERASED
##########
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
@@ -11,7 +11,7 @@
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)


@@ -0,0 +1,33 @@
server {
{% include './templates/header.conf.j2' %}
root /srv/http/analyse.nintendojo.fr/;
index index.html index.htm index.php;
location ~ ^/(status|ping|apc_info.php)$ {
access_log off;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires 2w;
log_not_found off;
}
location ~ \.htaccess$ {
deny all;
}
location ~ ^/tmp {
deny all;
}
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
include fastcgi_params;
}
}
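Review bot: The `location ~ ^/(status|ping|apc_info.php)$` block hands php-fpm's status and ping paths (and `apc_info.php`) to the FPM socket with no `allow`/`deny` restriction, so if `pm.status_path`/`ping.path` are enabled in the pool they are reachable by any client that can reach the vhost; the status page exposes active request URIs and pool settings, and `access_log off` on the same block means such requests leave no trace in the access log either. Restrict it to the monitoring source, e.g. `allow 127.0.0.1;` and `deny all;` ahead of the `fastcgi_pass` line (or the allowlist mechanism the other vhost templates use), and consider leaving access logging on for it. Separately, the unescaped dot in `apc_info.php` matches any character; `apc_info\.php` is what is meant.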


@@ -1,6 +1,6 @@
server {
{% include './templates/header.conf.j2' %}
root /var/www/forum.nintendojo.fr/;
root /srv/http/forum.nintendojo.fr/;
index index.html index.htm index.php;
client_max_body_size 10M;


@@ -1,5 +1,6 @@
server {
{% include './templates/header.conf.j2' %}
root /srv/http/forum.nintendojofr.com/;
index index.html index.htm index.php;
location / {


@@ -1,8 +0,0 @@
server {
{% include './templates/header.conf.j2' %}
location / {
proxy_pass http://localhost:8080;
}
}


@@ -1,5 +1,15 @@
server {
{% include './templates/header.conf.j2' %}
listen *:443 ssl http2;
listen [::]:443 ssl http2;
server_name r.mateu.be perso.nintendojo.fr perso.libertus.eu;
access_log /var/log/nginx/r.mateu.be.access.log combined;
access_log syslog:server=unix:/dev/log combined;
error_log /var/log/nginx/r.mateu.be.error.log;
error_log syslog:server=unix:/dev/log;
ssl_certificate /etc/x509/r.mateu.be/fullchain.cer;
ssl_certificate_key /etc/x509/r.mateu.be/r.mateu.be.key;
root /srv/www-data/r.mateu.be/;
location / {


@@ -1,8 +0,0 @@
server {
{% include './templates/header.conf.j2' %}
location / {
proxy_pass http://localhost:8200;
}
}


@@ -1,15 +1,16 @@
## WP NintendojoFR
fastcgi_cache_path
/dev/shm/nginx
levels=1:2
keys_zone=wpdojo:25m
inactive=1h
max_size=250m;
server {
{% include './templates/header.conf.j2' %}
listen *:443 ssl http2;
listen [::]:443 ssl http2;
server_name nintendojo.fr www.nintendojo.fr;
access_log /var/log/nginx/nintendojo.fr.access.log combined;
access_log syslog:server=unix:/dev/log combined;
error_log /var/log/nginx/nintendojo.fr.error.log;
error_log syslog:server=unix:/dev/log;
ssl_certificate /etc/x509/www.nintendojo.fr/fullchain.cer;
ssl_certificate_key /etc/x509/www.nintendojo.fr/www.nintendojo.fr.key;
root /var/www/www.nintendojo.fr/;
root /srv/http/www.nintendojo.fr/;
index index.html index.htm index.php;
client_max_body_size 2G;


@@ -1,7 +1,15 @@
server {
{% include './templates/header.conf.j2' %}
listen *:443 ssl http2;
listen [::]:443 ssl http2;
server_name nintendojofr.com www.nintendojofr.com;
access_log /var/log/nginx/nintendojofr.com.access.log combined;
access_log syslog:server=unix:/dev/log combined;
error_log /var/log/nginx/nintendojofr.com.error.log;
error_log syslog:server=unix:/dev/log;
ssl_certificate /etc/x509/nintendojofr.com/fullchain.cer;
ssl_certificate_key /etc/x509/nintendojofr.com/nintendojofr.com.key;
root /var/www/www.nintendojofr.com/;
root /srv/http/www.nintendojofr.com/;
index index.html index.htm index.php;
location ~ ^/forum/(.*)$ {


@@ -0,0 +1,54 @@
## WP Sebicomics
server {
listen *:443 ssl http2;
listen [::]:443 ssl http2;
server_name sebicomics.com www.sebicomics.com;
access_log /var/log/nginx/www.sebicomics.com.access.log combined;
access_log syslog:server=unix:/dev/log combined;
error_log /var/log/nginx/www.sebicomics.com.error.log;
error_log syslog:server=unix:/dev/log;
ssl_certificate /etc/x509/www.sebicomics.com/fullchain.cer;
ssl_certificate_key /etc/x509/www.sebicomics.com/www.sebicomics.com.key;
root /srv/http/www.sebicomics.com/;
index index.html index.htm index.php;
client_max_body_size 512M;
# couper les fichiers cachés
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# couper les fichiers textes du captcha
location ~* /wp-content/uploads/wpcf7_captcha/.*\.txt$ {
deny all;
}
# Optimisation des images
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires 1w;
log_not_found off;
}
# Interprétation PHP
location ~ ^/(index).php(/.*)+ {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
try_files $fastcgi_script_name =404;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
fastcgi_read_timeout 60;
include fastcgi_params;
}
location ~ \.php$ {
try_files $uri $uri/ =404;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
fastcgi_read_timeout 60;
include fastcgi_params;
}
location / {
try_files $uri $uri/ /index.php$uri?$args;
}
}
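Review bot: In `location ~ ^/(index).php(/.*)+` the dot before `php` is unescaped, so the pattern also matches paths such as `indexXphp/...`; `location ~ ^/index\.php(/.*)+ {` is the intended form, and the capture group around `index` is unused. The `listen *:443 ssl http2;` spelling is deprecated from nginx 1.25.1 in favour of a separate `http2 on;` directive — harmless on older packages, but the same form appears in the sibling vhost templates of this commit, so it is worth fixing once across them. This vhost also skips the shared `header.conf.j2` include the other templates use; if that is deliberate, a one-line comment stating why would help the next reader.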


@@ -1,9 +1,11 @@
## WP dev NintendojoFR
## WP NintendojoFR
server {
{% include './templates/header.conf.j2' %}
root /var/www/wwwdev.nintendojo.fr/;
root /srv/http/wwwdev.nintendojo.fr/;
index index.html index.htm index.php;
auth_basic "Restricted Area";
auth_basic_user_file /etc/nginx/wwwdev.htpasswd;
client_max_body_size 2G;
@@ -17,17 +19,15 @@ server {
deny all;
}
# Optimisation des images
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
expires 1w;
log_not_found off;
# redirige twitter
location /feed/twitter {
return 307 https://m.nintendojo.fr/@nintendojofr.rss;
}
# Interprétation PHP
location ~ ^/(index).php(/.*)+ {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
try_files $fastcgi_script_name =404;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
fastcgi_read_timeout 60;
include fastcgi_params;


@@ -1,3 +0,0 @@
---
nsd_master: false


@@ -1,11 +0,0 @@
---
- name: Restart nsd
ansible.builtin.service:
name: nsd
state: restarted
- name: Restart systemd-resolved
ansible.builtin.service:
name: systemd-resolved
state: restarted


@@ -1,18 +0,0 @@
---
- name: Install cron script
ansible.builtin.template:
src: resignall.sh.j2
dest: "{{ nsd_cron_script }}"
owner: root
group: root
mode: "0o750"
- name: Install cron
ansible.builtin.cron:
name: "NSD zone resign"
hour: "3"
minute: "2"
weekday: "3"
job: "{{ nsd_cron_script }} &> /dev/null"
state: present


@@ -1,68 +0,0 @@
---
- name: Install & check prerequisites
ansible.builtin.include_tasks: prerequisites.yml
- name: Create slave group
ansible.builtin.group_by:
key: slave_nsdservers
when: not nsd_master
- name: Create master group
ansible.builtin.group_by:
key: master_nsdservers
when: nsd_master
- name: Create zone dir
ansible.builtin.file:
path: "{{ nsd_default_etc_path }}zones"
owner: nsd
group: nsd
mode: "0o755"
state: directory
- name: Create key dir
ansible.builtin.file:
path: "{{ nsd_default_etc_path }}keys"
owner: nsd
group: nsd
mode: "0o700"
state: directory
- name: Create nsd.conf
ansible.builtin.template:
src: nsd.conf.j2
dest: "{{ nsd_default_etc_path }}nsd.conf"
owner: root
group: root
mode: "0o640"
notify:
- Restart nsd
- name: Create each zone in NSD
ansible.builtin.template:
src: zone.j2
dest: "{{ nsd_default_etc_path }}nsd.conf.d/{{ item.name }}.conf"
owner: root
group: root
mode: "0o644"
loop: "{{ zones }}"
notify:
- Restart nsd
- name: Force zone reload
ansible.builtin.meta: flush_handlers
- name: Create zone and reload
ansible.builtin.include_tasks: zones.yml
loop: "{{ zones }}"
when: nsd_master
- name: Install renew cron
ansible.builtin.include_tasks: cron.yml
when: nsd_master
- name: Ensure nsd is started
ansible.builtin.service:
name: nsd
state: started


@@ -1,30 +0,0 @@
---
- name: Gather facts on listening ports
community.general.listen_ports_facts:
- name: Detect systemd-resolve
ansible.builtin.set_fact:
nsd_systemd_resolve_enable: "{{ ansible_facts.udp_listen | selectattr('port', 'eq', 53) | selectattr('name', 'eq', 'systemd-resolve') | count > 0 }}"
- name: Deactivate DNS stublistener
ansible.builtin.lineinfile:
path: /etc/systemd/resolved.conf
regex: '^#DNSStubListener=yes'
line: DNSStubListener=no
when: nsd_systemd_resolve_enable
notify:
- Restart systemd-resolved
- name: Force restart for stub resolver
ansible.builtin.meta: flush_handlers
- name: Install nsd & utilities
ansible.builtin.package:
name:
- nsd
- dnsutils
- ldnsutils
- cron
state: present
update_cache: true


@@ -1,71 +0,0 @@
---
- name: Create zone file
ansible.builtin.template:
src: "{{ 'zones/parking.zone.j2' if item.parking | default(false) else 'zones/' ~ item.name ~ '.zone.j2' }}"
dest: "{{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
owner: nsd
group: nsd
mode: "0o644"
vars:
dns_serial: "{{ ansible_date_time.epoch }}"
web_hostname_block: |-
{% for webserver in groups['webservers'] | sort -%}
{% for web_hostname in (
(hostvars[webserver]['web_hostname']
| selectattr('host', 'match', '.*' ~ item.name)
| map(attribute='host')
+
(hostvars[webserver]['web_hostname']
| selectattr('san', 'defined')
| map(attribute='san')
| flatten
| select('match', '.*' ~ item.name)))
| sort) -%}
{% if web_hostname is match("(\S+\.){2}") %}
{{ web_hostname | regex_replace('\.' ~ item.name ~ '$', '') }} IN CNAME {{ hostvars[webserver].ansible_host }}.
{% else %}
@ IN A {{ global_public_ip_address }}
@ IN AAAA {{ hostvars[webserver].proxmox_net0.ip6 | default(hostvars[webserver].ansible_default_ipv6.address) | ansible.utils.ipaddr('address') }}
{% endif %}
{% endfor %}
{% endfor %}
- name: Create zone key dir
ansible.builtin.file:
path: "{{ nsd_default_etc_path }}keys/{{ item.name }}/"
owner: nsd
group: nsd
mode: "0o750"
state: directory
- name: Create the associated keys
become: true
become_user: nsd
ansible.builtin.command:
cmd: "ldns-keygen -a ECDSAP256SHA256 -k -s {{ item.name }}"
chdir: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/"
creates: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/.ds"
- name: Check zone file
ansible.builtin.command:
cmd: "nsd-checkzone {{ item.name }} {{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
changed_when: false
- name: Stat associated keys
ansible.builtin.stat:
path: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/.ds"
register: nsd_stat_keys
- name: Sign zone file
become: true
become_user: nsd
ansible.builtin.command:
chdir: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/"
cmd: "ldns-signzone -o {{ item.name }} -u {{ nsd_default_etc_path }}/zones/{{ item.name }}.zone {{ (nsd_stat_keys.stat.lnk_target | split('.'))[:-1] | join('.') }}"
changed_when: true
- name: Reload zone
ansible.builtin.command:
cmd: "nsd-control reload {{ item.name }}"
changed_when: false


@@ -1,11 +0,0 @@
key:
name: "{{ nsd_tsig_key_name }}"
algorithm: hmac-sha256
secret: "{{ tsig_key }}"
server:
log-only-syslog: yes
hide-version: yes
zonesdir: "/etc/nsd/zones"
include: "/etc/nsd/nsd.conf.d/*.conf"


@@ -1,17 +0,0 @@
#!/bin/bash
for i in {{ nsd_default_etc_path }}keys/*/*.ds
do
# Get the different names
FILENAME=${i##*/}
KEYNAME=${FILENAME/.ds/}
DIRPATH=${i/${FILENAME}/}
_ZONEFILEPATH=${DIRPATH/keys/zones}
ZONEFILEPATH=${_ZONEFILEPATH%/*}.zone
_ZONENAME=${_ZONEFILEPATH%/*}
ZONENAME=${_ZONENAME##*/}
cd $DIRPATH
sudo -u nsd /usr/bin/ldns-signzone -o ${ZONENAME} -u ${ZONEFILEPATH} ${KEYNAME}
/usr/sbin/nsd-control reload ${ZONENAME}
done


@@ -1,23 +0,0 @@
{% set other_server = groups['slave_nsdservers'] if nsd_master else (groups['master_nsdservers'] | first) -%}
{% set default_ipv4 = hostvars[other_server].ansible_default_ipv4.address -%}
{% set default_ipv6 = hostvars[other_server].ansible_default_ipv6.address -%}
zone:
name: "{{ item.name }}"
zonefile: {{ item.name }}.zone.signed
{% if nsd_master -%}
{% for server in other_server -%}
{% set default_ipv4 = hostvars[server].natted_ipv4 | default(hostvars[server].ansible_default_ipv4.address) -%}
{% set default_ipv6 = hostvars[server].ansible_default_ipv6.address -%}
notify: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
provide-xfr: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
notify: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
provide-xfr: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
{% endfor -%}
{% else -%}
{% set default_ipv4 = hostvars[other_server].natted_ipv4 | default(hostvars[other_server].ansible_default_ipv4.address) -%}
{% set default_ipv6 = hostvars[other_server].ansible_default_ipv6.address -%}
allow-notify: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
request-xfr: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
allow-notify: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
request-xfr: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
{% endif -%}


@@ -1,21 +0,0 @@
$TTL 86400
{% set firstserver = groups['master_nsdservers'] | first %}
@ IN SOA {{ hostvars[firstserver].nsd_ansible_host | default(hostvars[firstserver].ansible_host) }}. tech.ovh.net. (
{{ dns_serial }}; timestamp serial number
28800; Refresh
7200; Retry
864000; Expire
86400; Min TTL
)
{% for server in groups['nsdservers'] %}
@ IN NS {{ hostvars[server].nsd_ansible_host | default(hostvars[server].ansible_host) }}.
{% endfor %}
$ORIGIN {{ item.name }}.
@ IN CAA 0 issue "letsencrypt.org"
@ IN MX 0 .
@ IN TXT "v=spf1 -all"
@ IN TXT "spf2.0/mfrom -all"
_dmarc IN TXT "v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;"
{{ web_hostname_block }}


@@ -1,32 +0,0 @@
$TTL 86400
{% set firstserver = groups['master_nsdservers'] | first %}
@ IN SOA {{ hostvars[firstserver].nsd_ansible_host | default(hostvars[firstserver].ansible_host) }}. tech.ovh.net. (
{{ dns_serial }}; timestamp serial number
28800; Refresh
7200; Retry
864000; Expire
86400; Min TTL
)
{% for server in groups['nsdservers'] %}
@ IN NS {{ hostvars[server].nsd_ansible_host | default(hostvars[server].ansible_host) }}.
{% endfor %}
$ORIGIN {{ item.name }}.
@ IN CAA 0 issue "letsencrypt.org"
@ IN MX 1 mail.dmz.mateu.be.
@ 3600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all"
@ 3600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
_dmarc 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:report@mateu.be; adkim=s; aspf=s"
dkim._domainkey 3600 IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
_jabber._tcp IN SRV 0 0 5269 jabber.dmz.mateu.be.
_xmpp-client._tcp IN SRV 0 0 5222 jabber.dmz.mateu.be.
_xmpp-server._tcp IN SRV 0 0 5269 jabber.dmz.mateu.be.
_xmppconnect IN TXT "_xmpp-client-xbosh=https://xmpp.libertus.eu/http-bind"
altsrv IN CNAME ks3370405.kimsufi.com.
p IN MX 1 mail.dmz.mateu.be.
p 3600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all"
p 3600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
_dmarc.p 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:report@mateu.be; adkim=s; aspf=s"
dkim._domainkey.p 3600 IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
{{ web_hostname_block }}


@@ -1,65 +0,0 @@
$TTL 86400
{% set firstserver = groups['master_nsdservers'] | first %}
{% set current_firstserver = hostvars[firstserver].nsd_ansible_host | default(hostvars[firstserver].ansible_host) %}
@ IN SOA {{ current_firstserver | regex_replace('^([a-z0-9-]+)\\.', '\\1-v4.') if current_firstserver.endswith('mateu.be') else current_firstserver }}. tech.ovh.net. (
{{ dns_serial }}; timestamp serial number
28800; Refresh
7200; Retry
864000; Expire
86400; Min TTL
)
{% for server in groups['nsdservers'] %}
{% set current_host = hostvars[server].nsd_ansible_host | default(hostvars[server].ansible_host) %}
@ IN NS {{ current_host | regex_replace('^([a-z0-9-]+)\\.', '\\1-v4.') if current_host.endswith('mateu.be') else current_host }}.
{% endfor %}
$ORIGIN {{ item.name }}.
@ IN CAA 0 issue "letsencrypt.org"
@ IN MX 1 mail.dmz.mateu.be.
@ 3600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all"
@ 3600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
_dmarc 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:report@mateu.be; adkim=s; aspf=s"
dkim._domainkey 3600 IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
libertus.eu._report._dmarc 3600 IN TXT "v=DMARC1;"
nintendojo.fr._report._dmarc 3600 IN TXT "v=DMARC1;"
p.libertus.eu._report._dmarc 3600 IN TXT "v=DMARC1;"
altsrv IN CNAME ks3370405.kimsufi.com.
backup IN A 10.233.212.60
baybay-ponay IN AAAA 2a01:e0a:9bd:2810:9e6b:ff:fe13:ef88
ciol IN A 109.190.68.133
derdriu IN A 10.233.212.77
enbarr.dmz IN AAAA 2a01:e0a:9bd:2811::50
evse IN A 10.233.211.198
fc IN A 10.233.211.194
frederica.dmz IN A {{ global_public_ip_address }}
frederica.dmz IN AAAA 2a01:e0a:9bd:2811::60
ftp IN A 10.233.212.14
garreg-mach IN A 10.233.212.66
haos.dmz IN A {{ global_public_ip_address }}
haos.dmz IN AAAA 2a01:e0a:9bd:2811::51
ha IN A 10.233.212.51
libreelec IN A 10.233.212.91
machinbox IN A {{ global_public_ip_address }}
machinbox IN AAAA 2a01:e0a:9bd:2810::1
mailalt IN CNAME altsrv
memcardprogc IN A 10.233.211.199
nfs IN A 10.233.212.60
nsd-master1.ext IN A 37.187.5.75
nsd-master1-v4.ext IN A 37.187.5.75
nsd-master1.ext IN AAAA 2001:41d0:a:54b::1
nsd-master1-v6.ext IN AAAA 2001:41d0:a:54b::1
rb IN A 194.156.203.253
rc IN A 10.233.211.195
rm4pro IN A 10.233.211.200
serenor.dmz IN A {{ global_public_ip_address }}
serenor.dmz IN AAAA 2a01:e0a:9bd:2811::59
{% for proxmox_host in groups['proxmox_all_lxc'] | sort %}
{{ proxmox_host }}.dmz IN A {{ global_public_ip_address }}
{% if proxmox_host.startswith('dns') %}
{{ proxmox_host }}-v4.dmz IN A {{ global_public_ip_address }}
{{ proxmox_host }}-v6.dmz IN AAAA {{ hostvars[proxmox_host].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}
{% endif %}
{{ proxmox_host }}.dmz IN AAAA {{ hostvars[proxmox_host].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}
{% endfor %}
{{ web_hostname_block }}


@@ -1,24 +0,0 @@
$TTL 86400
{% set firstserver = groups['master_nsdservers'] | first %}
@ IN SOA {{ hostvars[firstserver].nsd_ansible_host | default(hostvars[firstserver].ansible_host) }}. tech.ovh.net. (
{{ dns_serial }}; timestamp serial number
28800; Refresh
7200; Retry
864000; Expire
86400; Min TTL
)
{% for server in groups['nsdservers'] %}
@ IN NS {{ hostvars[server].nsd_ansible_host | default(hostvars[server].ansible_host) }}.
{% endfor %}
$ORIGIN {{ item.name }}.
@ IN CAA 0 issue "letsencrypt.org"
@ IN MX 1 mail.dmz.mateu.be.
@ 3600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all"
@ 3600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
@ 3600 IN TXT "google-site-verification=rIe1fnrQnv-E1H8qsMtEIhM4XYUqCELshWH9pHkwPBI"
_dmarc 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:report@mateu.be; adkim=s; aspf=s"
dkim._domainkey 3600 IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
mumble IN CNAME voice1.dmz.mateu.be.
{{ web_hostname_block }}


@@ -1,21 +0,0 @@
$TTL 86400
{% set firstserver = groups['master_nsdservers'] | first %}
@ IN SOA {{ hostvars[firstserver].nsd_ansible_host | default(hostvars[firstserver].ansible_host) }}. tech.ovh.net. (
{{ dns_serial }}; timestamp serial number
28800; Refresh
7200; Retry
864000; Expire
86400; Min TTL
)
{% for server in groups['nsdservers'] %}
@ IN NS {{ hostvars[server].nsd_ansible_host | default(hostvars[server].ansible_host) }}.
{% endfor %}
$ORIGIN {{ item.name }}.
@ IN CAA 0 issue "letsencrypt.org"
@ IN MX 0 .
@ IN TXT "v=spf1 -all"
@ IN TXT "spf2.0/mfrom -all"
_dmarc IN TXT "v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;"
{{ web_hostname_block }}


@@ -1,20 +0,0 @@
$TTL 86400
{% set firstserver = groups['master_nsdservers'] | first %}
@ IN SOA {{ hostvars[firstserver].nsd_ansible_host | default(hostvars[firstserver].ansible_host) }}. tech.ovh.net. (
{{ dns_serial }}; timestamp serial number
28800; Refresh
7200; Retry
864000; Expire
86400; Min TTL
)
{% for server in groups['nsdservers'] %}
@ IN NS {{ hostvars[server].nsd_ansible_host | default(hostvars[server].ansible_host) }}.
{% endfor %}
$ORIGIN {{ item.name }}.
@ IN CAA 0 issue ";"
@ IN MX 0 .
@ IN TXT "v=spf1 -all"
@ IN TXT "spf2.0/mfrom -all"
_dmarc IN TXT "v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;"


@@ -1,5 +0,0 @@
---
nsd_default_etc_path: "/etc/nsd/"
nsd_tsig_key_name: "tsig0"
nsd_cron_script: /usr/local/bin/resignall.sh


@@ -2,5 +2,5 @@
oolatoocs_db_dir: /var/lib/oolatoocs
oolatoocs_url: https://r.mateu.be/oolatoocs/oolatoocs
oolatoocs_version: v4.3.0
oolatoocs_version: v4.2.0
oolatoocs_local_bin_path: /usr/local/bin/oolatoocs


@@ -1,6 +1,6 @@
---
peertube_version: "7.2.2"
peertube_version: "7.1.0"
peertube_home: "/srv/peertube"
peertube_url: "https://github.com/Chocobozzz/PeerTube/releases/download/v{{ peertube_version }}/peertube-v{{ peertube_version }}.zip"


@@ -1,7 +0,0 @@
---
name: DojoPeertube
host: p.nintendojo.fr
example: https://p.nintendojo.fr/videos/embed/19bc46e8-7640-4417-86a1-03aa2b439508
extract: "!//p.nintendojo.fr/videos/embed/(?'id'[0-9a-fA-F]{8}\\b-[0-9a-fA-F]{4}\\b-[0-9a-fA-F]{4}\\b-[0-9a-fA-F]{4}\\b-[0-9a-fA-F]{12})!"
iframe:
src: "https://p.nintendojo.fr/videos/embed/{@id}"


@@ -1,18 +0,0 @@
---
name: "Mastodon"
host: m.nintendojo.fr
example: https://mastodon.social/@HackerNewsBot/100181134752056592
extract: "!//(?'host'[-.\\w]+)/@(?'name'\\w+)/(?'id'\\d+)!"
oembed:
endpoint: https://m.nintendojo.fr/api/oembed
scheme: https://m.nintendojo.fr/@{@name}/{@id}
scrape:
- extract: "!\"url\":\"https://(?'host'[-.\\w]+)/@(?'name'\\w+)/(?'id'\\d+)\"!"
- match: "!^(?'origin'https://[^/]+)/@\\w+@[-.\\w]+/(?'id'\\d+)!"
- url: "{@origin}/api/v1/statuses/{@id}"
iframe:
data-s9e-livepreview-ignore-attrs: "style"
onload: "let c=new MessageChannel;c.port1.onmessage=e=>this.style.height=e.data+'px';this.contentWindow.postMessage('s9e:init','*',[c.port2])"
width: "550"
height: "300"
src: https://s9e.github.io/iframe/2/mastodon.min.html#<xsl:value-of select="@name"/><xsl:if test="@host and@host!='mastodon.social'">@<xsl:value-of select="@host"/></xsl:if>/<xsl:value-of select="@id"/>

Binary file not shown.



@@ -1,10 +0,0 @@
---
- name: Create phpbb db user
community.mysql.mysql_user:
login_unix_socket: "/var/run/mysqld/mysqld.sock"
login_user: root
login_password: "{{ mariadb_root_pass }}"
name: "{{ phpbb_maria_user }}"
password: "{{ phpbb_maria_password }}"
priv: "{{ phpbb_maria_database }}.*:ALL"


@@ -1,27 +0,0 @@
---
- name: Init db
ansible.builtin.include_tasks: db.yml
- name: Install phpbb
ansible.builtin.include_tasks: phpbb.yml
- name: Install phpbbs styles
ansible.builtin.include_tasks: phpbb_styles.yml
loop: "{{ phpbb_styles }}"
- name: Install phpbbs languages
ansible.builtin.include_tasks: phpbb_languages.yml
loop: "{{ phpbb_languages }}"
- name: Install phpbbs extensions
ansible.builtin.include_tasks: phpbb_exts.yml
loop: "{{ phpbb_exts }}"
loop_control:
loop_var: ext
- name: Custom part
ansible.builtin.include_tasks: phpbb_customs.yml
- name: Migrate db
ansible.builtin.include_tasks: migrate_db.yml


@@ -1,14 +0,0 @@
---
- name: Migrate db
become: true
become_user: www-data
ansible.builtin.command:
cmd: "/usr/bin/php bin/phpbbcli.php db:migrate"
chdir: "{{ phpbb_app_home }}"
changed_when: false
- name: Remove install directory
ansible.builtin.file:
dest: "{{ phpbb_app_home }}/install"
state: absent


@@ -1,77 +0,0 @@
---
- name: Remove phpbb previous version
ansible.builtin.file:
state: absent
dest: "{{ phpbb_app_home }}"
## Handle app data
- name: Create app home
ansible.builtin.file:
state: directory
dest: "{{ phpbb_app_home }}"
owner: root
group: www-data
mode: "0o750"
- name: Install phpbb application
ansible.builtin.unarchive:
remote_src: true
src: "{{ phpbb_url }}"
dest: "{{ phpbb_app_home }}"
owner: root
group: www-data
mode: "a-rwx,u+rwX,g+rX"
extra_opts: ['--strip-components=1']
exclude: "{{ phpbb_userdata_app_dirs | map('regex_replace', '^^', 'phpBB' ~ phpbb_major_version ~ '/') }}"
- name: Check writable dirs
ansible.builtin.file:
state: directory
dest: "{{ phpbb_app_home }}/{{ item }}"
owner: www-data
group: www-data
mode: "a-rwx,u+rwX,g+rX"
recurse: true
loop: "{{ phpbb_writable_app_dirs }}"
## Handle user data
- name: Create data home
ansible.builtin.file:
state: directory
path: "{{ phpbb_data_home }}"
owner: www-data
group: www-data
mode: "a-rwx,u+rwX,g+rX"
- name: Get data dir
ansible.builtin.stat:
path: "{{ phpbb_data_home }}/{{ phpbb_userdata_app_dirs[0] }}"
register: _phpbb_userdata_dir_stat
- name: Install phpbb data dir
ansible.builtin.unarchive:
remote_src: true
src: "{{ phpbb_url }}"
dest: "{{ phpbb_data_home }}"
owner: www-data
group: www-data
mode: "a-rwx,u+rwX,g+rX"
extra_opts: ['--strip-components=1']
include: "{{ phpbb_userdata_app_dirs | map('regex_replace', '^^', 'phpBB' ~ phpbb_major_version ~ '/') }}"
when: not _phpbb_userdata_dir_stat.stat.exists
- name: Link phpbb userdata dirs
ansible.builtin.file:
state: link
src: "{{ phpbb_data_home }}/{{ item }}"
dest: "{{ phpbb_app_home }}/{{ item }}"
loop: "{{ phpbb_userdata_app_dirs }}"
- name: Put phpbb config file
ansible.builtin.template:
src: config.php.j2
dest: "{{ phpbb_app_home }}/config.php"
owner: root
group: www-data
mode: "0o640"


@@ -1,27 +0,0 @@
---
- name: Put logo file
ansible.builtin.copy:
src: files/ndfr_casual.png
dest: "{{ phpbb_app_home }}/styles/prosilver/theme/images/ndfr_casual.png"
owner: root
group: www-data
mode: "0o640"
- name: Replace logo
ansible.builtin.lineinfile:
path: "{{ phpbb_app_home }}/styles/prosilver/theme/colours.css"
search_string: "background-image: url(\"./images/site_logo.svg\");"
line: " background-image: url(\"./images/ndfr_casual.png\");"
- name: Stretch logo (width)
ansible.builtin.lineinfile:
path: "{{ phpbb_app_home }}/styles/prosilver/theme/common.css"
search_string: "width: 149px;"
line: " width: 200px;"
- name: Stretch logo (height)
ansible.builtin.lineinfile:
path: "{{ phpbb_app_home }}/styles/prosilver/theme/common.css"
search_string: "height: 52px;"
line: " height: 80px;"


@@ -1,29 +0,0 @@
---
- name: Create phpbb ext path
ansible.builtin.file:
state: directory
dest: "{{ phpbb_app_home }}/ext/{{ ext.path }}"
owner: root
group: www-data
mode: "0o750"
- name: Extract phpbb ext
ansible.builtin.unarchive:
remote_src: true
src: "{{ ext.url | replace('%VERSION%', ext.version) }}"
dest: "{{ phpbb_app_home }}/ext/{{ ext.path }}"
owner: root
group: www-data
mode: "a-rwx,u+rwX,g+rX"
extra_opts: ['--strip-components=1']
- name: Put extra files
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ phpbb_app_home }}/ext/{{ ext.path }}/{{ item.dest }}"
owner: root
group: www-data
mode: "0o640"
loop: "{{ ext.extra_files }}"
when: ext.extra_files is defined


@@ -1,11 +0,0 @@
---
- name: Extract phpbb language
ansible.builtin.unarchive:
remote_src: true
src: "{{ item.url | replace('%VERSION%', item.version) }}"
dest: "{{ phpbb_app_home }}"
owner: root
group: www-data
mode: "a-rwx,u+rwX,g+rX"
extra_opts: ['--strip-components=1']


@@ -1,11 +0,0 @@
---
- name: Extract style
ansible.builtin.unarchive:
remote_src: true
src: "{{ item.url | replace('%VERSION%', item.version) }}"
dest: "{{ phpbb_app_home }}/styles/"
owner: root
group: www-data
mode: "a-rwx,u+rwX,g+rX"
extra_opts: ['--strip-components=1']


@@ -1,19 +0,0 @@
<?php
// phpBB 3.0.x auto-generated configuration file
// Do not change anything in this file!
$dbms = 'mysqli';
$dbhost = 'localhost';
$dbport = '';
$dbname = '{{ phpbb_maria_database }}';
$dbuser = '{{ phpbb_maria_user }}';
$dbpasswd = '{{ phpbb_maria_password }}';
$table_prefix = 'phpbb_';
$acm_type = 'file';
$load_extensions = '';
libxml_disable_entity_loader(false);
@define('PHPBB_INSTALLED', true);
// @define('DEBUG', true);
// @define('DEBUG_EXTRA', true);
?>


@@ -1,45 +0,0 @@
---
phpbb_version: "3.3.15"
phpbb_minor_version: "{{ phpbb_version | regex_replace('^([0-9])\\.([0-9]*).*', '\\1.\\2') }}"
phpbb_major_version: "{{ phpbb_version | regex_replace('^([0-9])\\..*', '\\1') }}"
phpbb_url: "https://download.phpbb.com/pub/release/{{ phpbb_minor_version }}/{{ phpbb_version }}/phpBB-{{ phpbb_version }}.tar.bz2"
phpbb_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'phpbb') | map(attribute='host') | first }}"
# Access path
phpbb_app_home: "/var/www/{{ phpbb_access_url }}"
phpbb_data_home: "/srv/www-data/{{ phpbb_access_url }}"
phpbb_writable_app_dirs:
- cache
- store
phpbb_userdata_app_dirs:
- files
- images
phpbb_styles:
- name: black
version: 3.3.12
url: "https://github.com/cabot/black/archive/refs/tags/v%VERSION%.tar.gz"
phpbb_languages:
- name: fr
version: 4.15.0
url: "https://github.com/qiaeru/phpbb-language-fr/archive/refs/tags/v%VERSION%.tar.gz"
phpbb_exts:
- name: externallink
path: martin/externallinkinnewwindow
version: 1.2.0
url: "https://github.com/Mar-tin-G/ExternalLinkInNewWindow/archive/refs/tags/%VERSION%.tar.gz"
- name: mediaembed
path: phpbb/mediaembed
version: 2.0.2
url: "https://github.com/phpbb-extensions/mediaembed/archive/refs/tags/%VERSION%.tar.gz"
extra_files:
- src: files/mastodon.yml
dest: collection/sites/mastodon.yml
- src: files/dojopeertube.yml
dest: collection/sites/dojopeertube.yml
