forked from infra/ansible
new host: sodium (matrix) and new role matrix
This commit is contained in:
parent
7950c96da2
commit
6b82d3d92b
@ -23,7 +23,7 @@ hackmd_dbuser: hackmd
|
|||||||
hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
|
hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
|
||||||
hackmd_secret: "{{ vault_hackmd_secret }}"
|
hackmd_secret: "{{ vault_hackmd_secret }}"
|
||||||
|
|
||||||
ldap_uri: ldaps://ldap.binary.kitchen/
|
ldap_uri: ldaps://ldap.binary.kitchen
|
||||||
ldap_host: ldap.binary.kitchen
|
ldap_host: ldap.binary.kitchen
|
||||||
ldap_base: dc=binary-kitchen,dc=de
|
ldap_base: dc=binary-kitchen,dc=de
|
||||||
ldap_binddn: cn=Services,ou=roles,dc=binary-kitchen,dc=de
|
ldap_binddn: cn=Services,ou=roles,dc=binary-kitchen,dc=de
|
||||||
@ -71,6 +71,11 @@ mail_aliases:
|
|||||||
- "voucher12@binary-kitchen.de exxess@binary-kitchen.de"
|
- "voucher12@binary-kitchen.de exxess@binary-kitchen.de"
|
||||||
- "workshops@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
|
- "workshops@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
|
||||||
|
|
||||||
|
matrix_domain: matrix.binary-kitchen.de
|
||||||
|
matrix_dbname: matrix
|
||||||
|
matrix_dbuser: matrix
|
||||||
|
matrix_dbpass: "{{ vault_matrix_dbpass }}"
|
||||||
|
|
||||||
nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
|
nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
|
||||||
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
|
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
|
||||||
nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
|
nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
|
||||||
|
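Review bot: The new block routes only the database password through vault (`matrix_dbpass: "{{ vault_matrix_dbpass }}"`), while Synapse's own secrets — `registration_shared_secret`, `macaroon_secret_key`, `form_secret` — live in homeserver.yaml, whose 1721-line template is added by this commit but suppressed on this page. If those are literal values in the template they are committed in plaintext right next to the vaulted password; they should be `vault_matrix_*` variables declared here beside `matrix_dbpass` and referenced from the template instead. The `ldap_uri` trailing-slash removal in the first hunk is a cosmetic normalisation and raises nothing.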
@ -1,24 +1,26 @@
|
|||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
30656432303661346131643637306565653465333430373264396639383937626533626130346131
|
33626638333634313935343133326261343138306661326433393038396338626562616564393061
|
||||||
3965323538356638613931663034326365626333336364380a373865363966303835376134353336
|
3364316632336666336465633165353164633862616234320a643165666230366332346236363236
|
||||||
37376162383264663332363563343430663137623364613239613338383939376133653662666431
|
31386565393966663365633664633038653034356665316435356335393739356564353534366536
|
||||||
6235613339626636360a326639373535383761343535653136343138383338323733373037636538
|
6438613138393263610a353831666631356561663966376637363233636431386661376537366133
|
||||||
62623437666531656235373133393561323835393330323035656566646632303561366532653039
|
62363038376265323763623833396131633463326264343962643239646363353963653566623035
|
||||||
39636139333833313938643262383331363935616566303461323636343735303238343862303861
|
66316566316437343462393364616162366137363436343537343962333563376139663330373939
|
||||||
62313836323863643533313063323233306337633932393366393264343236366235356662333937
|
31613030303930316464653333653261623136313734616265633338356163386562353066646537
|
||||||
65366431613433336337346530663566613862333161613164633133356561653962326262643735
|
34306665366136633161313930643730323466613736333761336337353464623565623062613833
|
||||||
37636230356233333637623233633236323166616662343732343539376530336135306437313164
|
63316237616632636664623831333865646339623964376137653131373261373433366262643539
|
||||||
61323737353632666137393137356463333532313331633631653538613065303232663434633564
|
35363337653633636637653838386461306236616664393031303962346662393937333763323863
|
||||||
36616562323830373532646236373765623438376661383933646238353833663239653562356431
|
34646266383638323663643565303533316436636138303635353334386236663639643363396162
|
||||||
39623135366533373934363561363532326638363330366330353061333930373032386539636264
|
35633038303438366331383766353366326639376133366362353232353235393337646338343537
|
||||||
32353337653265656232333063653964613230643061653930653861356230363931623736333738
|
65343133343036393333333862303332373137363662343263326461613466323336346138373936
|
||||||
35656365306564313933666139613066633237656538666261613130326163373636636136666161
|
39356137643665343234343861393763396533636236353364333465613864636239646530643866
|
||||||
33633964663834356166343764383439396561393336393662653834396562373530313235363532
|
62643565636564373961653463623936633634303131356462346233663962616536363062323765
|
||||||
65383430663261363163623362663135626334626234356539366132643539323461633632303233
|
31393461613861383263646235396565636236333134316365313137316366353137343837303664
|
||||||
64616230316632356338663537666130396234316562616331316463383563376365326437643735
|
66306634376236396632303666636434386634366262613632346465306132396465353332303636
|
||||||
63666162356163343839636439653437643539636430386238626162373735663831636362646239
|
35323866333232393237353664363262333635353330313434336339326265623165396136373465
|
||||||
65636135343430623233383936326130646436336364636263633066373630386461333631356366
|
38323662353536333330663335656165353065396564386435373638376339386461326436633562
|
||||||
36353832376635303138643830643665643739663364356261633466636637643636613133623633
|
37333064353133376266623661386562376633333864383939306634623066386565383838306230
|
||||||
30316137393464343236326535613935366163613232386131343230336433616266653234323138
|
34326361326366383331633466336464653734646632313732396537353238383066323039316664
|
||||||
31343836306331353134653733383332633661316363343234303639353736306236356365303634
|
34343738356431393337366234643964313438303332373661613032383735383537306136366537
|
||||||
366130346637323334313961613135623663
|
32363037353732643037376263383762633266316339343463343231386439373730316162653365
|
||||||
|
64613737373436376533633536343533623736356564323630343162636539666434366235353836
|
||||||
|
3763
|
||||||
|
1
hosts
1
hosts
@ -18,5 +18,6 @@ nitrogen.binary-kitchen.net
|
|||||||
oxygen.binary-kitchen.net
|
oxygen.binary-kitchen.net
|
||||||
fluorine.binary-kitchen.net
|
fluorine.binary-kitchen.net
|
||||||
neon.binary-kitchen.net
|
neon.binary-kitchen.net
|
||||||
|
sodium.binary-kitchen.net
|
||||||
krypton.binary-kitchen.net
|
krypton.binary-kitchen.net
|
||||||
strontium.binary-kitchen.net
|
strontium.binary-kitchen.net
|
||||||
|
@ -24,6 +24,7 @@
|
|||||||
|
|
||||||
- name: Configure misc software
|
- name: Configure misc software
|
||||||
copy: src={{ item.src }} dest={{ item.dest }}
|
copy: src={{ item.src }} dest={{ item.dest }}
|
||||||
|
diff: no
|
||||||
with_items:
|
with_items:
|
||||||
- { src: '.zshrc', dest: '/root/.zshrc' }
|
- { src: '.zshrc', dest: '/root/.zshrc' }
|
||||||
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
||||||
|
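Review bot: `diff: no` on the `Configure misc software` task only keeps the file content out of `--diff` output; the module arguments and the item list (`.zshrc`, `.zshrc.local`) are still logged, and the files themselves sit in plain form under the role. If `.zshrc.local` is the reason for the flag and holds anything sensitive, pair it with `no_log: true` and move that content into vault; if it is merely noisy, a one-line `# diff: no — dotfiles are large and churn often` above the task would tell the next reader why plain dotfiles are exempt. The file this hunk belongs to is not named on the page, so the surrounding play is inferred.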
@ -3,5 +3,8 @@
|
|||||||
- name: Run acertmgr
|
- name: Run acertmgr
|
||||||
command: /opt/acertmgr/acertmgr.py
|
command: /opt/acertmgr/acertmgr.py
|
||||||
|
|
||||||
|
- name: Restart matrix-synapse
|
||||||
|
service: name=matrix-synapse state=restarted
|
||||||
|
|
||||||
- name: Restart nginx
|
- name: Restart nginx
|
||||||
service: name=nginx state=restarted
|
service: name=nginx state=restarted
|
50
roles/matrix/tasks/main.yml
Normal file
50
roles/matrix/tasks/main.yml
Normal file
@ -0,0 +1,50 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Enable https for apt
|
||||||
|
apt: name=apt-transport-https
|
||||||
|
|
||||||
|
- name: Enable matrix apt-key
|
||||||
|
apt_key: url="https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg"
|
||||||
|
|
||||||
|
- name: Enable matrix repository
|
||||||
|
apt_repository: repo="deb https://packages.matrix.org/debian/ {{ ansible_distribution_release }} main"
|
||||||
|
|
||||||
|
- name: Install matrix
|
||||||
|
apt: name={{ item }}
|
||||||
|
with_items:
|
||||||
|
- matrix-synapse-py3
|
||||||
|
- postgresql
|
||||||
|
- python-psycopg2
|
||||||
|
|
||||||
|
- name: Configure PostgreSQL database
|
||||||
|
postgresql_db: name={{ matrix_dbname }}
|
||||||
|
become: true
|
||||||
|
become_user: postgres
|
||||||
|
|
||||||
|
- name: Configure PostgreSQL user
|
||||||
|
postgresql_user: db={{ matrix_dbname }} name={{ matrix_dbuser }} password={{ matrix_dbpass }} priv=ALL state=present
|
||||||
|
become: true
|
||||||
|
become_user: postgres
|
||||||
|
|
||||||
|
- name: Configure matrix
|
||||||
|
template: src=matrix-synapse/{{ item }}.j2 dest=/etc/matrix-synapse/{{ item }}
|
||||||
|
with_items:
|
||||||
|
- homeserver.yaml
|
||||||
|
- conf.d/server_name.yaml
|
||||||
|
notify: Restart matrix-synapse
|
||||||
|
|
||||||
|
- name: Ensure certificates are available
|
||||||
|
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ matrix_domain }}.key -out /etc/nginx/ssl/{{ matrix_domain }}.crt -days 730 -subj "/CN={{ matrix_domain }}" creates=/etc/nginx/ssl/{{ matrix_domain }}.crt
|
||||||
|
notify: Restart nginx
|
||||||
|
|
||||||
|
- name: Configure certificate manager for matrix
|
||||||
|
template: src=certs.j2 dest=/etc/acertmgr/{{ matrix_domain }}.conf
|
||||||
|
notify: Run acertmgr
|
||||||
|
|
||||||
|
- name: Configure vhost
|
||||||
|
template: src=vhost.j2 dest=/etc/nginx/sites-available/matrix
|
||||||
|
notify: Restart nginx
|
||||||
|
|
||||||
|
- name: Enable vhost
|
||||||
|
file: src=/etc/nginx/sites-available/matrix dest=/etc/nginx/sites-enabled/matrix state=link
|
||||||
|
notify: Restart nginx
|
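Review bot: The `Configure matrix` task writes homeserver.yaml into /etc/matrix-synapse with no owner, group or mode, so a new file gets root's umask default (typically world-readable); that file normally carries the database password and Synapse's macaroon/registration secrets (its template diff is suppressed on this page, so this is inferred), which would expose `matrix_dbpass` to every local account. Use `template: src=matrix-synapse/{{ item }}.j2 dest=/etc/matrix-synapse/{{ item }} owner=root group=matrix-synapse mode=0640` so only the service user can read it. The `Configure PostgreSQL user` task should also carry `no_log: true` so the `password=` argument never appears in verbose or failed-task output, and the bootstrap key from the `openssl req -keyout` command is left at whatever mode that OpenSSL build chooses while certs.j2 demands 400 — a follow-up `file: path=/etc/nginx/ssl/{{ matrix_domain }}.key mode=0400` closes that gap. Note too that `apt_key` adds the matrix-org key to the global apt keyring, where it can sign any configured repository; dropping it under /usr/share/keyrings and using `signed-by=` in the repo line scopes it to packages.matrix.org.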
@ -1,13 +1,13 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
{{ rocketchat_domain }}:
|
{{ matrix_domain }}:
|
||||||
- path: /etc/nginx/ssl/{{ rocketchat_domain }}.key
|
- path: /etc/nginx/ssl/{{ matrix_domain }}.key
|
||||||
user: root
|
user: root
|
||||||
group: root
|
group: root
|
||||||
perm: '400'
|
perm: '400'
|
||||||
format: key
|
format: key
|
||||||
action: '/usr/sbin/service nginx restart'
|
action: '/usr/sbin/service nginx restart'
|
||||||
- path: /etc/nginx/ssl/{{ rocketchat_domain }}.crt
|
- path: /etc/nginx/ssl/{{ matrix_domain }}.crt
|
||||||
user: root
|
user: root
|
||||||
group: root
|
group: root
|
||||||
perm: '400'
|
perm: '400'
|
@ -0,0 +1,9 @@
|
|||||||
|
# This file is autogenerated, and will be recreated on upgrade if it is deleted.
|
||||||
|
# Any changes you make will be preserved.
|
||||||
|
|
||||||
|
# The domain name of the server, with optional explicit port.
|
||||||
|
# This is used by remote servers to connect to this server,
|
||||||
|
# e.g. matrix.org, localhost:8080, etc.
|
||||||
|
# This is also the last part of your UserID.
|
||||||
|
#
|
||||||
|
server_name: {{ matrix_domain }}
|
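Review bot: The two header comments copied from the Debian package (`# This file is autogenerated, and will be recreated on upgrade if it is deleted.` and `# Any changes you make will be preserved.`) are now wrong: the file is an Ansible template and local edits are overwritten on the next run. Replace them with `# Managed by Ansible (roles/matrix) — local changes will be overwritten on the next run.`. Worth adding alongside is a note that `server_name` becomes the permanent suffix of every user ID and room alias and cannot be changed later without starting from an empty database; with `matrix_domain` set to matrix.binary-kitchen.de, users will be `@name:matrix.binary-kitchen.de` unless delegation from binary-kitchen.de is configured, which this commit does not show.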
1721
roles/matrix/templates/matrix-synapse/homeserver.yaml.j2
Normal file
1721
roles/matrix/templates/matrix-synapse/homeserver.yaml.j2
Normal file
45
roles/matrix/templates/vhost.j2
Normal file
45
roles/matrix/templates/vhost.j2
Normal file
@ -0,0 +1,45 @@
|
|||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
|
||||||
|
server_name {{ matrix_domain }};
|
||||||
|
|
||||||
|
location /.well-known/acme-challenge {
|
||||||
|
default_type "text/plain";
|
||||||
|
alias /var/www/acme-challenge;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://{{ matrix_domain }}$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
|
server_name {{ matrix_domain }};
|
||||||
|
|
||||||
|
ssl_certificate_key /etc/nginx/ssl/{{ matrix_domain }}.key;
|
||||||
|
ssl_certificate /etc/nginx/ssl/{{ matrix_domain }}.crt;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://localhost:8008;
|
||||||
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 8448 ssl http2 default_server;
|
||||||
|
listen [::]:8448 ssl http2 default_server;
|
||||||
|
|
||||||
|
server_name {{ matrix_domain }};
|
||||||
|
|
||||||
|
ssl_certificate_key /etc/nginx/ssl/{{ matrix_domain }}.key;
|
||||||
|
ssl_certificate /etc/nginx/ssl/{{ matrix_domain }}.crt;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://localhost:8008;
|
||||||
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
|
}
|
||||||
|
}
|
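Review bot: Both `location /` blocks forward only `X-Forwarded-For $remote_addr`; Synapse also expects `Host` and, for HTTPS detection behind a proxy, `X-Forwarded-Proto`, and it will see every client as 127.0.0.1 unless the 8008 listener in homeserver.yaml has `x_forwarded: true` (that template's diff is suppressed on this page, so please confirm), which would defeat its per-IP login and registration rate limiting and leave audit entries without real addresses. Add `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;` to both proxy locations. The new vhost also drops the `client_max_body_size` the removed rocketchat vhost carried, so nginx's 1 MB default will reject media uploads before Synapse's own limit is reached; `client_max_body_size 50M;` (matched to `max_upload_size`) belongs in the 443 location. Neither TLS server block sets `ssl_protocols`, `ssl_ciphers` or an HSTS header, which is acceptable only if those are inherited from the global nginx.conf, not visible here.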
@ -1,60 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
- name: Create user
|
|
||||||
user: name=rocketchat
|
|
||||||
|
|
||||||
- name: Enable https for apt
|
|
||||||
apt: name=apt-transport-https
|
|
||||||
|
|
||||||
- name: Enable mongodb apt-key
|
|
||||||
apt_key: url="https://www.mongodb.org/static/pgp/server-4.0.asc"
|
|
||||||
|
|
||||||
- name: Enable mongodb repository
|
|
||||||
apt_repository: repo="deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/4.0 main"
|
|
||||||
|
|
||||||
# mongodb needs libcurl3 which is no longer available in buster
|
|
||||||
- name: Enable stretch repository
|
|
||||||
apt_repository: repo="deb http://deb.debian.org/debian/ stretch main"
|
|
||||||
|
|
||||||
- name: Enable nodesource apt-key
|
|
||||||
apt_key: url="https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
|
|
||||||
|
|
||||||
- name: Enable nodesource repository
|
|
||||||
apt_repository: repo="deb https://deb.nodesource.com/node_8.x/ {{ ansible_distribution_release }} main"
|
|
||||||
|
|
||||||
- name: Pin nodejs repository
|
|
||||||
blockinfile:
|
|
||||||
path: /etc/apt/preferences.d/nodejs
|
|
||||||
create: yes
|
|
||||||
block: |
|
|
||||||
Package: *
|
|
||||||
Pin: origin deb.nodesource.com
|
|
||||||
Pin-Priority: 600
|
|
||||||
|
|
||||||
- name: Install packages
|
|
||||||
apt: name={{ item }}
|
|
||||||
with_items:
|
|
||||||
- build-essential
|
|
||||||
- dirmngr
|
|
||||||
- graphicsmagick
|
|
||||||
- libcurl3
|
|
||||||
- mongodb-org
|
|
||||||
- nodejs
|
|
||||||
|
|
||||||
# rocket.chat itself is not setup here - it is done manually
|
|
||||||
|
|
||||||
- name: Ensure certificates are available
|
|
||||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ rocketchat_domain }}.key -out /etc/nginx/ssl/{{ rocketchat_domain }}.crt -days 730 -subj "/CN={{ rocketchat_domain }}" creates=/etc/nginx/ssl/{{ rocketchat_domain }}.crt
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Configure certificate manager for rocketchat
|
|
||||||
template: src=certs.j2 dest=/etc/acertmgr/{{ rocketchat_domain }}.conf
|
|
||||||
notify: Run acertmgr
|
|
||||||
|
|
||||||
- name: Configure vhost
|
|
||||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/rocketchat
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Enable vhost
|
|
||||||
file: src=/etc/nginx/sites-available/rocketchat dest=/etc/nginx/sites-enabled/rocketchat state=link
|
|
||||||
notify: Restart nginx
|
|
@ -1,43 +0,0 @@
|
|||||||
server {
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
|
|
||||||
server_name {{ rocketchat_domain }};
|
|
||||||
|
|
||||||
location /.well-known/acme-challenge {
|
|
||||||
default_type "text/plain";
|
|
||||||
alias /var/www/acme-challenge;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
return 301 https://{{ rocketchat_domain }}$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name {{ rocketchat_domain }};
|
|
||||||
|
|
||||||
ssl_certificate_key /etc/nginx/ssl/{{ rocketchat_domain }}.key;
|
|
||||||
ssl_certificate /etc/nginx/ssl/{{ rocketchat_domain }}.crt;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
client_max_body_size 128M;
|
|
||||||
|
|
||||||
proxy_pass http://localhost:3000;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forward-Proto http;
|
|
||||||
proxy_set_header X-Nginx-Proxy true;
|
|
||||||
|
|
||||||
proxy_redirect off;
|
|
||||||
}
|
|
||||||
}
|
|
14
site.yml
14
site.yml
@ -8,7 +8,7 @@
|
|||||||
- root-keys
|
- root-keys
|
||||||
|
|
||||||
- name: Setup unattended updates
|
- name: Setup unattended updates
|
||||||
hosts: [sulis.binary.kitchen, nabia.binary.kitchen, beryllium.binary-kitchen.net, boron.binary-kitchen.net, carbon.binary-kitchen.net, nitrogen.binary-kitchen.net, oxygen.binary-kitchen.net, fluorine.binary-kitchen.net, krypton.binary-kitchen.net, strontium.binary-kitchen.net]
|
hosts: [sulis.binary.kitchen, nabia.binary.kitchen, beryllium.binary-kitchen.net, boron.binary-kitchen.net, carbon.binary-kitchen.net, nitrogen.binary-kitchen.net, oxygen.binary-kitchen.net, fluorine.binary-kitchen.net, krypton.binary-kitchen.net, strontium.binary-kitchen.net, sodium.binary-kitchen.net]
|
||||||
roles:
|
roles:
|
||||||
- uau
|
- uau
|
||||||
|
|
||||||
@ -17,7 +17,7 @@
|
|||||||
roles:
|
roles:
|
||||||
- pvessl
|
- pvessl
|
||||||
|
|
||||||
- name: Setup BK infrastructure server
|
- name: Setup infrastructure server
|
||||||
hosts: [bacon.binary.kitchen, aveta.binary.kitchen]
|
hosts: [bacon.binary.kitchen, aveta.binary.kitchen]
|
||||||
roles:
|
roles:
|
||||||
- dns-intern
|
- dns-intern
|
||||||
@ -78,12 +78,12 @@
|
|||||||
roles:
|
roles:
|
||||||
- dns-extern
|
- dns-extern
|
||||||
|
|
||||||
|
- name: Setup matrix server
|
||||||
|
hosts: sodium.binary-kitchen.net
|
||||||
|
roles:
|
||||||
|
- matrix
|
||||||
|
|
||||||
- name: Setup partdb server
|
- name: Setup partdb server
|
||||||
hosts: krypton.binary-kitchen.net
|
hosts: krypton.binary-kitchen.net
|
||||||
roles:
|
roles:
|
||||||
- partdb
|
- partdb
|
||||||
|
|
||||||
- name: Setup rocketchat server
|
|
||||||
hosts: strontium.binary-kitchen.net
|
|
||||||
roles:
|
|
||||||
- rocketchat
|
|
||||||
|
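Review bot: The `Setup unattended updates` play keeps an explicit eleven-entry `hosts:` list that must be edited in lockstep with the `hosts` inventory file; a machine added to the inventory but forgotten here silently misses security updates, and this commit had to touch both places for sodium. Define a group in the inventory (for example `[unattended]`, or use `all` if every host should get the `uau` role) and change the play to `hosts: unattended`. The play that lists `- root-keys` in the first hunk has its `hosts:` line outside the hunk, so whether sodium also receives the base roles cannot be checked from this page.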