infra
/
ansible
4
5
Fork 5
Code Issues 6 Pull Requests Activity

Compare commits

base: infra:master
Branches Tags
infra:master
infra:kea
infra:pizza
..
compare: infra:kea
Branches Tags
infra:master
infra:kea
infra:pizza

3 Commits
master ... kea

Author SHA1 Message Date
Kishi85 065f105f9f kea: Configure control agent necessary for HA 2024-05-13 18:32:00 +02:00
Kishi85 9235672954 kea: Add DHCP4 HA config (hot-standby) 2024-05-13 18:06:35 +02:00
Markus e185703198 kea: new role (replaces dhcpd) [WIP] 2024-04-19 15:10:44 +02:00
18 changed files with 448 additions and 1158 deletions
Show Stats Expand all files Collapse all files

3
group_vars/all/vars.yml
View File

@ -25,9 +25,6 @@ dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
dss_domain: dss.binary-kitchen.de
dss_secret: "{{ vault_dss_secret }}"
fpm_status_user: admin
fpm_status_pass: "{{ vault_fpm_status_pass }}"
gitea_domain: git.binary-kitchen.de
gitea_dbname: gogs
gitea_dbuser: gogs

213
group_vars/all/vault.yml
View File

@ -1,109 +1,106 @@
$ANSIBLE_VAULT;1.1;AES256
63626562396631623335303064393137396262393239366236373634323333343264343335306330
3861326430303265376564306139323064356339653039330a613335323233356361303066663139
34386465306537666464643736656230356632633239363865386166373834653030363736613834
6339303364363166620a626134303835346130386238653232316663346633313631653164336336
34653639363635663537356639646333616438336438333463656537326134343531393435663266
64366333346130653730613865346134356161373237343539373965623036656231653939303365
62326638666431333265343639326461313433656639393839396366633431616435393263336231
66303634656536636165636462396637656331666336623734333139316533636664306262326566
36616366663933613561336164386463393635636264613737316464666535366361613065363362
30316566323663623133346130393032646237353934363531326530396263363130326638393032
30633832663134613964323733623230363831636664373661633966366264373766326161623862
39396331313231633237313735636261653531313961616230626565623633636638643936326237
62333066366439643163336233353361343662326237376332396461393663623761613962333237
65633039363636323235356632326563376163386161373362383466346339356463636437646262
38313164393036393661336633373265303536316165623330643236313936666139376237366164
31373364663136356139356433386132343630396531373961616131343333663463616262373439
34393161323334333732383866653463656265393761346533663530613530313062626330356535
65393037636665303564316536376531386561366466643961666439326462353864643635353934
66616432303966643731386133613430313737356539386331623832656132663461393538363962
64313935613063373832343862373734316634663333313835323836386466336663643661656436
61353663646165623165663035383461376331373439666433386433376234613163396234373632
61646230363163366338653332373834386534333436373737383463363335356436313463626333
63393166316663323066323863373830393937353864376366313535663565613031643932383364
62623633353662323965393563363261623564396632643662663032613032666162616132336130
39376430663833303264306135643832383231623336613734373964653736376235653334333639
63376661636561383236633365303031326630356661633062663564396133313633323738333539
66303235613562313636343766356263383132643962393232396263393665666334633438383632
38646635643030303464396634356161333836376364333361356461346664303563346463333838
34356139373233313631653533356633643730663438646630373331313065363136663938306439
38336563363966653632613436356530316234326365666438326635313537343665663233363731
36646565393937326336626333383863656565323832303937323536346366303839633236663566
32373632646463363634363031626635383233656361336532636366653434623562623937656137
66303663316165633932643365623732323430376334303036303961396264303664616433356361
64366135376232313265376563633163373933343066653939313433366539396163656163346663
30626331333034316131343361636364653936373235623562336366336237353966613536316637
61343530326139636365613434386263383430626663333932386431313164346532666562346537
32623538353365383030396332386133343464643732653038623337353135663964643566396439
64633435623763666461356331306539373638383034343735373765373333656562326338613763
63633732373765316238633539316665623431616333363364316531306630343735393335616630
36613362336566393866623566666430336639376662633233656130653837313161653462346335
63396532663633393363626136373161303235613761373235633831393736343630353031613364
32353463383934313961313638613533623638383062343936616336646431383935393938623138
31383032326365333136666165633832333836346231636332353830336264636235383162356630
38316137623935633863363162376239623932373233663663323830363162313665613830623763
63656237343662616130326339386231376564613164666163393232653762613932343561343031
66386431343139373734626430656139353635636233336236653438353066393732663637323435
63303434376634366262646662616162343664666365373934346530343239653330356234373065
31373934363731373136346665623334306631626134613334633135666461636462303164653662
36323132376532613431653063643965636233373165333639323966663333633563303438396466
64633761376164383835613038633630623439643364323232633437386334346138343361306638
38626632326137303839306531633536643161656231636662383461373964646333303936343733
36333863316162393134646563316235663164613062303734346662386466656461346364356564
35326234336439623961383938316136633037343863363933616663366536613866666165376664
30306438666365333333636632643832303463356533343033623938653365663732336164303033
65653936363839323239306463366533653439663437343536393564336163313962313935636534
34346330393637343834323931353762613839366166353139303535376230356466646261363464
33386337616230623537376665663835373766316332363433313234326461313935636666363261
30653433333436306564653461303165656163363331643536323535623062396561643662323334
35626565616538396566363433363732656538313531636632643163633637303339656431346466
61353030666638393361613833353532656130643866636135643434366562386363656434323366
36343764316136316630353338363735646533346362386266643136626366356331656363393133
35636633353662393435346365663432656166646136346331363563363539326162633166393164
34303164353632373437613564336266373934396236383962376530613631633932626431333864
64623439336638613337383763353531376133343436346330373362313034616166616537636366
30306132613333633261326630323038323431643163373365376662623339396136313531366332
66663037643036303836376632646132383563316262393438636432666661333836376663666130
31316135366562633134306633333834636132623739373131626161633636313737646334376434
33376337393630663338643366316465353266346365333830613533393139333235366237323339
66346465313462373334316535383633343165373733313230373461366336353664306537306538
32653538366565663764353031303763613835366461666163336665656436333563613835653438
65376265303131376239616536353933346633393438643466343439643039313236373033323034
64316364663139353664653564393262323565646235356431326331343433373639316234363938
65633034666532306137353431613732663166323936356433323733376261386161383265663264
35643038663565646135343233623530396165336263303931653037393934343833623337343834
31343631343563626561393763356463393930616338623861363835343635376238653337653133
31393834343536396536363533363739306639646333313836393331306566393534383265613234
31623238306531383936343836336466343336396530633033323063346261366633343936316637
30343165333861346635623934363537383531323637313461663964353338653639366562306236
30363265393038633564626463393166333665396538663639346665353736336134643862663630
62393037363963613263313939613865393066323830656362656464643730636535623639636131
63343263333134336364323236656639613635323165383164636465353438653134646334643962
35306463626336626664383638323865633631346437613139623239663538666363313237323663
39323734353363643334343538303635366637373530383832393861346164666666306631643563
63306565306337383539636330623933666266353635396238656435373563383830666636616335
39386134383938626439366437383138303062333236306436336163393832613532303332303833
39323539396235383765613234303765303136653064336361333035643365386232613766356362
30656437376537623165626530623365393463626337383139663734396331396363396162383330
31663636383037613563346330323063393637616334356439666263623662383666376265313732
63343837306336313264313934653836363665616264396662633761363237366437653962626664
38383462313435383133613465656435363563373765313361623565636564616236313666633264
37393165386163393666376636343963333932346463303661373339303765303938636135323363
35663731656431656330336366383330616163353934333564356633613165396463393066396533
32396264653265333865643365346233633863333335383735396134663062343166656233613931
35633133336337343531313266323663363830353236323035313031646434303761343737633139
30343439323330353531633337353365363031666635653364326235316435383835663139376136
39343361636662346166363432366162666631366431623563363936336164323836376232326162
39316337343436386363643064653337613131346266353636333664373262326563386264303831
65343534616464633232373532313865363732663235376534396436333531633261393066313263
38316437643232336234343663666536353134626139623138636234396661613261326437303065
36383331323061643632323339383530626430343132613039393434333939383065623464646362
65303135313962613564666261356533313961323464623535393631613337663366626136343364
61363035333636366439313961326462633463616237343133356437303234323363306337343237
61376138323336663839623539633866313133346338313165623039336335663666313532636261
36383332346636373936366632393364323331303866623533643062666361613133383262383538
64343665333761326134303566656638633362643031306535333661623437636139353565623435
39323631393132336636653731636264356637373031633037653466383163663865626339323731
34623137386338343038373464613832363761643362623434373136376638663537623762646266
63306439363039303461
61333062333563653966393334326633643564313063346266663461633538366662623937373738
3732396164303638643362316564393236353737346235380a666361396631656563303733343032
66396531313139343062363639636334373836306237363733393635346261313832366330303436
6362383638363931380a323066343834363138356662656439343131353330366532626538653434
64663834333563333263356532326262333938613432356233656238313365663661636334333066
63653561316239356638653834646261643564316535306133633832666365383238303364346466
63393164646330623061633039316638656566346663616661633464303237386261316262623533
63306266333063373333323030666264323564663032333637343134306231373964666630333538
63626363383836363639663830643530376361613466613666303933363563663763636635363132
36666432646233313663613563663565313537316164313964656461666336326331303035343062
35323363373130333935373035663635626666613236376261623934366235633738323430666330
33323130363839386331613334636531396665316336376265333231343763656637396437653733
64366565336132333131346463356236343934663332633830373939616434613561613564313837
34333039363962643333343961636165323766343531336465306438306365636137636662303165
35346530313134346432303862643735376331376432616136306537653266333434336663373931
35373235333937646165663238636232656336393330386161636435666637356632333832646137
30333233636266623165663538303639663466363337323330383962383139643532623462663564
63313262366236623232303732373136393139323562313733623763363864646432653037316465
34306261303035306436396262333131366562643166333130393438393636623034656163653131
65363530613064633462633238343834336538353766353766336132303333383164326363316365
31303532363838306338626662313234343134306531353765333237303962303339366233366632
35643565353766353962386135323765356130393731363633373238626332356637363339356437
30386361363837373434363939373361343862393364316537633463653862666164613730306565
36343762326337333235643862626566346235333934656631306461633934306230333365343731
64643835323061613230336234343438383938653761393133656137626434653532636466313439
31363362306539643635386237353466343733616334303762343964636533636662333661653839
34663264613033373965336635663131396334616432653462346634626535393761666237623936
31666439356261303134343938333433323538653337653937333830656163633965353235653539
65353937333463343236636237313736313565613833653530333135623233363564393266353363
33323236643634616263303133663631386638356561373730653930646265616634356364366361
37666362363230313664343633343464383334386539616132636562626465326364353436356338
61383736663733643132656266633837646366343637303264363465633536633962353235303336
38376430343733386631623334386564616264386234613664366631313334626436313865356565
33663433663963653835376666303664656438623337663536376234356465396534306362346162
62323262323933336232376636353831633834656536633666643961396365306464303730626463
36363631336236353730393035613333666465653861373766393731373863353330656366306263
62316636333230366563623836316232323831393233366539363662646564373436623230343761
61626235656438373566646365353761376139383962353635393439666365333332313035653433
64316638363061613561306534616465646661326637633332333734626562353664666432616137
32643636356261613430376535633837646437626132373735323366313738633134303962306163
30366230333533663433616664343862346232363733623239353035656134366437313662353933
32663261663937663437643233383562656537333364643435356639616136623036306231633839
38386631643264636535323766643661626566323661313831326530636532383330633066336130
39306631636433376361636637633135316662306636306137366531333662303238613434333534
35633162316363333934623663303839343366376263343536333563663833323734356566623663
64646437343935306230333034636431396439366237643839363035313164393666616235393034
33323333626537633730303961613263363835343030363331633165663035336633613831326632
35363738336534663934616338363764353562306139613464663533323863326331646464333533
36363962653830613864393565623561646233313135386163623932363865343861313534663234
32313466656532616638376238363937613264346265316135336137363961386161376364343063
33316662343066336438336137353262646264656434333364343334373762303062386165663530
63313666356633633936366162366332333163656164306533356530666166353635616364643830
66336339663737616664616430373162386238636134303137386331393837353462623336663335
34303038323037363165613935376262376464383265323462373638313530396537633031653530
63613135373639623138333635343035303734383932336333303063666662333164643430393637
64393262363235616666303366346137633132313066613731333064346139646361363832343730
39666338303339663665363033653735346130313431306131306261636430396465323937623062
32343433376438623965363338633639383738326561376665623461653539383666636535656663
37353665363663356464366331313236653430313034613733363665633239656361623931646432
30653632643062366333663830326663623766646535666534613933663333366466333033383165
33373039303564656562636432303934383132666665656161323535333930346265623639316366
38393764346265653734373136636538346361363966393732323362323733386631623762313366
63313733653730336536393335623138383365303934303730343136613734663062326166316461
35313363656335643531343561336662663434353031623733353035633063396366376664303364
36643262633832363362306263376135346632386631346432333137623631343234333337643536
35353135303330626663663963366139363265666434363364303266613564373337616564366566
30646635633834616536333361303361313934316434393330333231613038346466306531646537
39303131396562656334303536613964363936643435613035623065323963633764623432373235
37393564626239333761626131643366306131346339356364373061353865653966326362613164
62366562326234303865323934353734613364653161316131363964666439636561663361396239
30353266303764396265656635616462653563613630616537353530613835656333353364333632
39663939376633613133623839353133613066633333633135316132636435363330393966396431
30656638653662356164393038323538643661333734623937653430643931623061666330633631
63323834313733353635363535613666643361356363386465383961626331303435333363396230
37313835633136323134623261626432653965366230656266356333653437386463396563613563
62656562626131336230383965303962383464643832333361343838393338353365663766373031
31633265653262356139323564663834616164313439346133386135333563323264313261336336
39393166613865353164376130303536373931643436633133313361356166393432363631666361
36366537363630333830333432333466363266666636643932636565613738346239383736306533
32333838396638656134643538313033336137316638326232303837386537393737316237356237
62646561333430303765656537373738316131306664626533646461333261306665626336376537
35633736303262656236303230653564386130666362303132646166306432393962306366663432
64353366353839643366376433646661376434313266326665343063653534343531623033316461
37306439373366303236666338616364343163663165626665613761333838333366336238343633
38663066623532353464653164616237353464363539313762396162653139393133323438643331
66306562346136346363396235356264303164636662386166666436316338323462656537386335
36373763313935666539643834653237336130336530653834643263373264353233643938393965
30313637366236383433313161386531623936356161333462636566633036383635616638316434
66313434393365333633336231656536353138303235616439643535376338326262663632313564
65306534356531303835373231623234356337623234366137386437303864643764613731326137
65376337386133353739376661353766343931383135363038353839376666306337323835613935
33303730623132613462363538666638313533333564656164363731323463613230366230373664
31303331396264353162383138643063313737366635333664343836346338353537366362613937
35623934646239356339343339653337656330616565616232633232373036383562393362343332
39316661623563333234656633666365303964366338303862333730656366626533326334613038
39663332623862626230373135623235363064636163373737316262613233663031383366363563
34613730343564373230306237656662636130333736393136366138333864313636343362613631
64636266626637366530363763323930643336313339613930623835326431643663356365353865
35653238333131363262346565653066383834633131303466636232653234363366646635656338
31386163616237316361643134396230386338643339633562376436333238346665363938323462
32336435663138393230366632633132333834303539303439313764623163383661396536383461
31636365633765346262616235336666363932336366373438643531663539333431663231326362
32326230363965356434343833383662393430333535636536323066373439653330373937636565
61306565663734636630633730383736653736383765326638656433646637393033356665633831
66353338633833346436666134343465623236626339613363623834333261313531

2
host_vars/beryllium.binary-kitchen.net
View File

@ -1,5 +1,5 @@
---
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqSDdYNxbI3C5PMtjBHmTukbapSzpXDY0x3aICQkZhl toffy"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB+wC+Lik9TNbRo40+e2BmJzJY8EuwRiJzKKvGCHlMmagOmZVf+zUmjc1uMvrgoA4UPJyKlkW1HqRhKLmsoccD2wg1JLlnjx6KBhiPGjPt833eWv0CyfJVqoHVPUs14BwCRGzuFZPXh8LC1XWiDlo23RC0RgPpk+wcOzf79ZivYSL4UNMcBIMIKmPlRwBLRUUXjYU2jgv1mWvIQVdKRbwmLk7FajREANKiLj+Tk+D4VmkDq6gUqXZHYbyUauwrtpYSv2JM6YQYhWz+eNXIID1NmlopAf66RwFxAaane6qMUMSCQw3HUBL2BjFGgmmdJPvsEfrj+S1CYh61iC1NHmPhP6DDnQO7aiP6dWLnRXLg4qcUaN0XGNZmhScls/jNbN4U+w6gIlR12KyoCJOK4pXiifBiuqmFGucyETex1jdKoaLPeB8Smu4HkFksmRgTZHbiYVvkgI/iW9KjBBzxCc8cwehabUpQ0DVN4chpFiFNHb3SfCh6W/3IKFcu4ou4lbvVowq+v/M7aDhjSqGEBMS/HRMQ8KteNTngFBcpTzMPBz1RQIOqlWUGp8yqu1SwZ/ZG1nMyUehchfkw/n+ML676UYMCZX2m7hqWXVccCnJLzFApv+0Lzqf3TNSbeLS1N/MDdjg+uejtj1889/leIF1/CnaHIs7WJN1qmdeVGw== anti"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

2
roles/act_runner/defaults/main.yml
View File

@ -3,5 +3,5 @@
actrunner_user: act_runner
actrunner_group: act_runner
actrunner_version: 0.2.10
actrunner_version: 0.2.6
actrunner_url: https://gitea.com/gitea/act_runner/releases/download/v{{ actrunner_version }}/act_runner-{{ actrunner_version }}-linux-amd64

4
roles/authentik/templates/docker-compose.yml.j2
View File

@ -29,7 +29,7 @@ services:
volumes:
- ./redis:/data
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.7}
restart: unless-stopped
command: server
environment:
@ -48,7 +48,7 @@ services:
- postgresql
- redis
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.7}
restart: unless-stopped
command: worker
environment:

4
roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2
View File

@ -1,7 +1,7 @@
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
$TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2024051300; serial
2024030100; serial
1d; refresh
2h; retry
4w; expire
@ -11,7 +11,7 @@ $TTL 1h ; default time-to-live
IN NS ns2.binary.kitchen.
; Loopback
1.0 IN PTR core.binary.kitchen.
2.0 IN PTR rt-w13b.binary.kitchen.
2.0 IN PTR erx-bk.binary.kitchen.
3.0 IN PTR erx-rz.binary.kitchen.
4.0 IN PTR erx-auweg.binary.kitchen.
; Management

4
roles/dns_intern/templates/bind/binary.kitchen.zone.j2
View File

@ -1,7 +1,7 @@
$ORIGIN binary.kitchen ; base for unqualified names
$TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2024051300; serial
2024030100; serial
1d; refresh
2h; retry
4w; expire
@ -34,7 +34,7 @@ radius IN A 172.23.2.3
radius IN A 172.23.2.4
; Loopback
core IN A 172.23.0.1
rt-w13b IN A 172.23.0.2
erx-bk IN A 172.23.0.2
erx-rz IN A 172.23.0.3
erx-auweg IN A 172.23.0.4
; Management

7
roles/kea/handlers/main.yml Normal file
View File

@ -0,0 +1,7 @@
---
- name: Restart kea-dhcp4-server
service: name=kea-dhcp4-server state=restarted
- name: Restart kea-ctrl-agent
service: name=kea-ctrl-agent state=restarted

28
roles/kea/tasks/main.yml Normal file
View File

@ -0,0 +1,28 @@
---
- name: Install the kea dhcp server
apt:
name:
- kea-ctrl-agent
- kea-dhcp4-server
- kea-dhcp-ddns-server
- name: Configure the kea dhcp4 server
template:
src: kea/kea-dhcp4.conf.j2
dest: /etc/kea/kea-dhcp4.conf
# validate: kea-dhcp4 -t %s
notify: Restart kea-dhcp4-server
- name: Start the kea dhcp server
service: name=kea-dhcp4-server state=started enabled=yes
- name: Configure the kea control agent
template:
src: kea/kea-ctrl-agent.conf.j2
dest: /etc/kea/kea-ctrl-agent.conf
# validate: kea-ctrl-agent -t %s
notify: Restart kea-ctrl-agent
- name: Start the kea control agent
service: name=kea-ctrl-agent state=started enabled=yes

67
roles/kea/templates/kea/kea-ctrl-agent.conf.j2 Normal file
View File

@ -0,0 +1,67 @@
// This is an example of a configuration for Control-Agent (CA) listening
// for incoming HTTP traffic. This is necessary for handling API commands,
// in particular lease update commands needed for HA setup.
{
"Control-agent":
{
// We need to specify where the agent should listen to incoming HTTP
// queries.
"http-host": "0.0.0.0",
// This specifies the port CA will listen on.
"http-port": 8000,
"control-sockets":
{
// This is how the Agent can communicate with the DHCPv4 server.
"dhcp4":
{
"comment": "socket to DHCP4 server",
"socket-type": "unix",
"socket-name": "/tmp/kea4-ctrl-socket"
},
// Location of the DHCPv6 command channel socket.
//"dhcp6":
//{
// "socket-type": "unix",
// "socket-name": "/tmp/kea6-ctrl-socket"
//},
// Location of the D2 command channel socket.
//"d2":
//{
// "socket-type": "unix",
// "socket-name": "/tmp/kea-ddns-ctrl-socket",
// "user-context": { "in-use": false }
//}
},
// Similar to other Kea components, CA also uses logging.
"loggers": [
{
"name": "kea-ctrl-agent",
"output_options": [
{
"output": "/var/log/kea-ctrl-agent.log",
// Several additional parameters are possible in addition
// to the typical output. Flush determines whether logger
// flushes output to a file. Maxsize determines maximum
// filesize before the file is being rotated. maxver
// specifies the maximum number of rotated files being
// kept.
"flush": true,
"maxsize": 204800,
"maxver": 4,
// We use pattern to specify custom log message layout
"pattern": "%d{%y.%m.%d %H:%M:%S.%q} %-5p [%c/%i] %m\n"
}
],
"severity": "INFO",
"debuglevel": 0 // debug level only applies when severity is set to DEBUG.
}
]
}
}

231
roles/kea/templates/kea/kea-dhcp4.conf.j2 Normal file
View File

@ -0,0 +1,231 @@
{
"Dhcp4": {
"interfaces-config": {
"interfaces": [ "{{ ansible_default_ipv4['interface'] }}" ]
},
"control-socket": {
"socket-type": "unix",
"socket-name": "/run/kea/kea4-ctrl-socket"
},
// HA requires two hooks libraries to be loaded: libdhcp_lease_cmds.so and
// libdhcp_ha.so. The former handles incoming lease updates from the HA peers.
// The latter implements high availability feature for Kea. Note the library name
// should be the same, but the path is OS specific.
"hooks-libraries": [
// The lease_cmds library must be loaded because HA makes use of it to
// deliver lease updates to the server as well as synchronize the
// lease database after failure.
{
"library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_lease_cmds.so"
},
{
// The HA hooks library should be loaded.
"library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_ha.so",
"parameters": {
// Each server should have the same HA configuration, except for the
// "this-server-name" parameter.
"high-availability": [ {
// This parameter points to this server instance. The respective
// HA peers must have this parameter set to their own names.
"this-server-name": "{{ inventory_hostname.split('.')[0] }}",
// The HA mode is set to hot-standby. In this mode, the active server handles
// all the traffic. The standby takes over if the primary becomes unavailable.
"mode": "hot-standby",
// Heartbeat is to be sent every 10 seconds if no other control
// commands are transmitted.
"heartbeat-delay": 10000,
// Maximum time for partner's response to a heartbeat, after which
// failure detection is started. This is specified in milliseconds.
// If we don't hear from the partner in 60 seconds, it's time to
// start worrying.
"max-response-delay": 60000,
// The following parameters control how the server detects the
// partner's failure. The ACK delay sets the threshold for the
// 'secs' field of the received discovers. This is specified in
// milliseconds.
"max-ack-delay": 5000,
// This specifies the number of clients which send messages to
// the partner but appear to not receive any response.
"max-unacked-clients": 5,
// This specifies the maximum timeout (in milliseconds) for the server
// to complete sync. If you have a large deployment (high tens or
// hundreds of thousands of clients), you may need to increase it
// further. The default value is 60000ms (60 seconds).
"sync-timeout": 60000,
"peers": [
// This is the configuration of this server instance.
{
"name": "{{ lookup('dig', dhcpd_primary+'/PTR').split('.')[0] }}",
// This specifies the URL of our server instance. The
// Control Agent must run along with our DHCPv4 server
// instance and the "http-host" and "http-port" must be
// set to the corresponding values.
"url": "http://{{ dhcpd_primary }}:8000/",
// This server is primary. The other one must be
// secondary.
"role": "primary"
},
// This is the configuration of our HA peer.
{
"name": "{{ lookup('dig', dhcpd_secondary+'/PTR').split('.')[0] }}",
// Specifies the URL on which the partner's control
// channel can be reached. The Control Agent is required
// to run on the partner's machine with "http-host" and
// "http-port" values set to the corresponding values.
"url": "http://{{ dhcpd_secondary }}:8000/",
// The partner is a secondary. Our is primary.
"role": "standby"
}
]
} ]
}
}
],
"lease-database": {
"type": "memfile",
"lfc-interval": 3600
},
"expired-leases-processing": {
"reclaim-timer-wait-time": 10,
"flush-reclaimed-timer-wait-time": 25,
"hold-reclaimed-time": 3600,
"max-reclaim-leases": 100,
"max-reclaim-time": 250,
"unwarned-reclaim-cycles": 5
},
"renew-timer": 900,
"rebind-timer": 1800,
"valid-lifetime": 3600,
"option-data": [
{
"name": "domain-name-servers",
"data": "{{ name_servers | join(', ') }}"
},
{
"name": "domain-name",
"data": "binary.kitchen"
},
{
"name": "domain-search",
"data": "binary.kitchen"
}
],
"subnet4": [
{
"subnet": "172.23.1.0/24",
"option-data": [
{
"name": "routers",
"data": "172.23.1.1"
}
],
"reservations": [
{
"hw-address": "44:48:c1:ce:a9:00",
"ip-address": "172.23.1.41",
"hostname": "ap01"
},
{
"hw-address": "74:9e:75:ce:93:54",
"ip-address": "172.23.1.44",
"hostname": "ap04"
},
{
"hw-address": "bc:9f:e4:c3:6f:aa",
"ip-address": "172.23.1.45",
"hostname": "ap05"
},
{
"hw-address": "94:b4:0f:c0:1d:a0",
"ip-address": "172.23.1.46",
"hostname": "ap06"
}
]
},
{
"subnet": "172.23.2.0/24",
"option-data": [
{
"name": "routers",
"data": "172.23.2.1"
}
]
},
{
"subnet": "172.23.3.0/24",
"pools": [ { "pool": "172.23.3.10 - 172.23.3.230" } ],
"option-data": [
{
"name": "routers",
"data": "172.23.3.1"
},
{
"name": "domain-search",
"data": "binary.kitchen, users.binary.kitchen"
}
],
"reservations": [
{
"hw-address": "1a:1b:1c:1d:1e:1f",
"ip-address": "172.23.3.201",
"hostname": "special-snowflake",
"option-data": [ {
"name": "domain-name-servers",
"data": "10.1.1.202, 10.1.1.203"
} ]
}
]
},
{
"subnet": "172.23.4.0/24",
"pools": [ { "pool": "172.23.4.10 - 172.23.4.240" } ],
"option-data": [
{
"name": "routers",
"data": "172.23.4.1"
}
]
}
],
"loggers": [
{
"name": "kea-dhcp4",
"output_options": [
{
"output": "stdout",
"pattern": "%-5p %m\n"
}
],
"severity": "INFO",
"debuglevel": 0
}
]
}
}

2
roles/mail/files/rspamd/local.d/phishing.conf
View File

@ -1,2 +0,0 @@
openphish_enabled = true;
phishtank_enabled = false;

2
roles/netbox/defaults/main.yml
View File

@ -2,4 +2,4 @@
netbox_group: netbox
netbox_user: netbox
netbox_version: 3.7.8
netbox_version: 3.7.5

491
roles/web/files/php/8.2/fpm/pool.d/spaceapi.conf
View File

@ -1,491 +0,0 @@
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[spaceapi]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of the child processes. This can be used only if the master
; process running user is root. It is set after the child process is created.
; The user and group can be specified either by their name or by their numeric
; IDs.
; Note: If the user is root, the executable needs to be started with
; --allow-to-run-as-root option to work.
; Default Values: The user is set to master process running user by default.
; If the group is not set, the user's group is used.
user = www-data
group = www-data
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php/php8.2-fpm-spaceapi.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions. The owner
; and group can be specified either by name or by their numeric IDs.
; Default Values: Owner is set to the master process running user. If the group
; is not set, the owner's group is used. Mode is set to 0660.
listen.owner = www-data
listen.group = www-data
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Set the associated the route table (FIB). FreeBSD only
; Default Value: -1
;listen.setfib = 1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
; or group is different than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; pm.max_spawn_rate - the maximum number of rate to spawn child
; processes at once.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 20
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: (min_spare_servers + max_spare_servers) / 2
pm.start_servers = 5
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 5
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 15
; The number of rate to spawn child processes at once.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
; Default Value: 32
;pm.max_spawn_rate = 32
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following information:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/8.2/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
pm.status_path = /fpmstatus-spaceapi
; The address on which to accept FastCGI status request. This creates a new
; invisible pool that can handle requests independently. This is useful
; if the main pool is busy with long running requests because it is still possible
; to get the status before finishing the long running requests.
;
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Default Value: value of the listen option
;pm.status_listen = 127.0.0.1:9001
pm.status_listen = /run/php/php8.2-fpm-spaceapi-status.sock
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{milliseconds}d
; - %{milli}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some examples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
; A list of request_uri values which should be filtered from the access log.
;
; As a security precuation, this setting will be ignored if:
; - the request method is not GET or HEAD; or
; - there is a request body; or
; - there are query parameters; or
; - the response code is outwith the successful range of 200 to 299
;
; Note: The paths are matched against the output of the access.format tag "%r".
; On common configurations, this may look more like SCRIPT_NAME than the
; expected pre-rewrite URI.
;
; Default Value: not set
;access.suppress_path[] = /ping
;access.suppress_path[] = /health_check.php
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; The timeout set by 'request_terminate_timeout' ini option is not engaged after
; application calls 'fastcgi_finish_request' or when application has finished and
; shutdown functions are being called (registered via register_shutdown_function).
; This option will enable timeout limit to be applied unconditionally
; even in such cases.
; Default Value: no
;request_terminate_timeout_track_finished = no
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environment, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Decorate worker output with prefix and suffix containing information about
; the child that writes to the log and if stdout or stderr is used as well as
; log level and time. This options is used only if catch_workers_output is yes.
; Settings to "no" will output data as written to the stdout or stderr.
; Default value: yes
;decorate_workers_output = no
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

491
roles/web/files/php/8.2/fpm/pool.d/www.conf
View File

@ -1,491 +0,0 @@
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[www]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of the child processes. This can be used only if the master
; process running user is root. It is set after the child process is created.
; The user and group can be specified either by their name or by their numeric
; IDs.
; Note: If the user is root, the executable needs to be started with
; --allow-to-run-as-root option to work.
; Default Values: The user is set to master process running user by default.
; If the group is not set, the user's group is used.
user = www-data
group = www-data
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php/php8.2-fpm-www.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions. The owner
; and group can be specified either by name or by their numeric IDs.
; Default Values: Owner is set to the master process running user. If the group
; is not set, the owner's group is used. Mode is set to 0660.
listen.owner = www-data
listen.group = www-data
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Set the associated the route table (FIB). FreeBSD only
; Default Value: -1
;listen.setfib = 1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
; or group is different than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; pm.max_spawn_rate - the maximum number of rate to spawn child
; processes at once.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 20
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: (min_spare_servers + max_spare_servers) / 2
pm.start_servers = 5
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 5
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 15
; The number of rate to spawn child processes at once.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
; Default Value: 32
;pm.max_spawn_rate = 32
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following information:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/8.2/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
pm.status_path = /fpmstatus-www
; The address on which to accept FastCGI status request. This creates a new
; invisible pool that can handle requests independently. This is useful
; if the main pool is busy with long running requests because it is still possible
; to get the status before finishing the long running requests.
;
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Default Value: value of the listen option
;pm.status_listen = 127.0.0.1:9001
pm.status_listen = /run/php/php8.2-fpm-www-status.sock
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{milliseconds}d
; - %{milli}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some examples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
; A list of request_uri values which should be filtered from the access log.
;
; As a security precuation, this setting will be ignored if:
; - the request method is not GET or HEAD; or
; - there is a request body; or
; - there are query parameters; or
; - the response code is outwith the successful range of 200 to 299
;
; Note: The paths are matched against the output of the access.format tag "%r".
; On common configurations, this may look more like SCRIPT_NAME than the
; expected pre-rewrite URI.
;
; Default Value: not set
;access.suppress_path[] = /ping
;access.suppress_path[] = /health_check.php
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; The timeout set by 'request_terminate_timeout' ini option is not engaged after
; application calls 'fastcgi_finish_request' or when application has finished and
; shutdown functions are being called (registered via register_shutdown_function).
; This option will enable timeout limit to be applied unconditionally
; even in such cases.
; Default Value: no
;request_terminate_timeout_track_finished = no
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environment, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Decorate worker output with prefix and suffix containing information about
; the child that writes to the log and if stdout or stderr is used as well as
; log level and time. This options is used only if catch_workers_output is yes.
; Settings to "no" will output data as written to the stdout or stderr.
; Default value: yes
;decorate_workers_output = no
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

37
roles/web/files/vhost
View File

@ -75,48 +75,13 @@ server {
rewrite ^/wiki/(.*) /wiki/doku.php?id=$1&$args last;
}
location ~ ^/fpmstatus-spaceapi {
auth_basic "Admin";
auth_basic_user_file /etc/nginx/fpm_status.htaccess;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass unix:/var/run/php/php8.2-fpm-spaceapi-status.sock;
fastcgi_intercept_errors on;
fastcgi_read_timeout 10s;
}
location ~ ^/fpmstatus-www {
auth_basic "Admin";
auth_basic_user_file /etc/nginx/fpm_status.htaccess;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass unix:/var/run/php/php8.2-fpm-www-status.sock;
fastcgi_intercept_errors on;
fastcgi_read_timeout 10s;
}
location ~ ^/spaceapi.php {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass unix:/var/run/php/php8.2-fpm-spaceapi.sock;
fastcgi_intercept_errors on;
fastcgi_read_timeout 10s;
}
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass unix:/var/run/php/php8.2-fpm-www.sock;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
fastcgi_intercept_errors on;
# fastcgi_read_timeout intentionally not reduced, since Wiki etc. might perform long-running operations (file uploads etc.)
}
}

3
roles/web/handlers/main.yml
View File

@ -3,8 +3,5 @@
- name: Restart nginx
service: name=nginx state=restarted
- name: Restart php8.2-fpm
service: name=php8.2-fpm state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

15
roles/web/tasks/main.yml
View File

@ -7,7 +7,6 @@
- php-ldap
- php-sqlite3
- php-xml
- python3-passlib
- name: Create vhost directories
file: path=/var/www/{{ item }} state=directory owner=www-data group=www-data
@ -37,20 +36,6 @@
- name: Place Thunderbird autoconfig file
template: src=auto_mail.xml.j2 dest=/var/www/autoconfig/mail/config-v1.1.xml
- name: Configure php-fpm
copy: src={{ item }} dest=/etc/php/8.2/fpm/pool.d/
notify: Restart php8.2-fpm
with_fileglob: "php/8.2/fpm/pool.d/*.conf"
- name: Configure htaccess for fpm status
htpasswd:
path: /etc/nginx/fpm_status.htaccess
name: "{{ fpm_status_user}}"
password: "{{ fpm_status_pass }}"
owner: root
group: www-data
mode: 0640
- name: Configure certificate manager
copy: src=certs dest=/etc/acertmgr/www.binary-kitchen.de.conf
notify: Run acertmgr