Author | SHA1 | Date | |
---|---|---|---|
a9899061d8 |
|
@ -1,6 +1,5 @@
|
||||||
[defaults]
|
[defaults]
|
||||||
ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
|
ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
|
||||||
interpreter_python = auto
|
|
||||||
inventory = ./hosts
|
inventory = ./hosts
|
||||||
nocows = 1
|
nocows = 1
|
||||||
remote_user = root
|
remote_user = root
|
||||||
|
|
|
@ -34,19 +34,11 @@ gitea_dbpass: "{{ vault_gitea_dbpass }}"
|
||||||
gitea_secret: "{{ vault_gitea_secret }}"
|
gitea_secret: "{{ vault_gitea_secret }}"
|
||||||
gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
|
gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
|
||||||
|
|
||||||
hedgedoc_domain: pad.binary-kitchen.de
|
hackmd_domain: pad.binary-kitchen.de
|
||||||
hedgedoc_dbname: hackmd
|
hackmd_dbname: hackmd
|
||||||
hedgedoc_dbuser: hackmd
|
hackmd_dbuser: hackmd
|
||||||
hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}"
|
hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
|
||||||
hedgedoc_secret: "{{ vault_hedgedoc_secret }}"
|
hackmd_secret: "{{ vault_hackmd_secret }}"
|
||||||
|
|
||||||
icinga_domain: icinga.binary.kitchen
|
|
||||||
icinga_dbname: icinga
|
|
||||||
icinga_dbuser: icinga
|
|
||||||
icinga_dbpass: "{{ vault_icinga_dbpass }}"
|
|
||||||
icingaweb_dbname: icingaweb
|
|
||||||
icingaweb_dbuser: icingaweb
|
|
||||||
icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
|
|
||||||
|
|
||||||
jitsi_domain: jitsi.binary-kitchen.de
|
jitsi_domain: jitsi.binary-kitchen.de
|
||||||
jitsi_admin_email: exxess@binary-kitchen.de
|
jitsi_admin_email: exxess@binary-kitchen.de
|
||||||
|
@ -72,14 +64,10 @@ mail_server: mail.binary-kitchen.de
|
||||||
mailman_domain: lists.binary-kitchen.de
|
mailman_domain: lists.binary-kitchen.de
|
||||||
mail_trusted:
|
mail_trusted:
|
||||||
- 213.166.246.0/28
|
- 213.166.246.0/28
|
||||||
- 213.166.246.45/32
|
|
||||||
- 213.166.246.250/32
|
- 213.166.246.250/32
|
||||||
- 2a02:958:0:f6::/124
|
- 2a02:958:0:f6::/124
|
||||||
- 2a02:958:0:f6::45/128
|
|
||||||
mail_aliases:
|
mail_aliases:
|
||||||
- "auweg@binary-kitchen.de venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
|
|
||||||
- "epvpn@binary-kitchen.de noby@binary-kitchen.de"
|
- "epvpn@binary-kitchen.de noby@binary-kitchen.de"
|
||||||
- "google@binary-kitchen.de vorstand@binary-kitchen.de"
|
|
||||||
- "info@binary-kitchen.de vorstand@binary-kitchen.de"
|
- "info@binary-kitchen.de vorstand@binary-kitchen.de"
|
||||||
- "lebercast@binary-kitchen.de anti@binary-kitchen.de,dragonchaser@binary-kitchen.de,moepman@binary-kitchen.de,philmacfly@binary-kitchen.de,ralf@binary-kitchen.de"
|
- "lebercast@binary-kitchen.de anti@binary-kitchen.de,dragonchaser@binary-kitchen.de,moepman@binary-kitchen.de,philmacfly@binary-kitchen.de,ralf@binary-kitchen.de"
|
||||||
- "loetworkshop@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
|
- "loetworkshop@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
|
||||||
|
@ -92,7 +80,7 @@ mail_aliases:
|
||||||
- "root@binary-kitchen.de moepman@binary-kitchen.de,kishi@binary-kitchen.de"
|
- "root@binary-kitchen.de moepman@binary-kitchen.de,kishi@binary-kitchen.de"
|
||||||
- "seife@binary-kitchen.de anke@binary-kitchen.de"
|
- "seife@binary-kitchen.de anke@binary-kitchen.de"
|
||||||
- "siebdruck@binary-kitchen.de anke@binary-kitchen.de"
|
- "siebdruck@binary-kitchen.de anke@binary-kitchen.de"
|
||||||
- "vorstand@binary-kitchen.de anti@binary-kitchen.de,avarrish@binary-kitchen.de,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
|
- "vorstand@binary-kitchen.de anti@binary-kitchen.de,avarrish@binary-kitchen.de,timo.schindler@binary-kitchen.de,zaesa@binary-kitchen.de"
|
||||||
- "voucher1@binary-kitchen.de exxess@binary-kitchen.de"
|
- "voucher1@binary-kitchen.de exxess@binary-kitchen.de"
|
||||||
- "voucher2@binary-kitchen.de exxess@binary-kitchen.de"
|
- "voucher2@binary-kitchen.de exxess@binary-kitchen.de"
|
||||||
- "voucher3@binary-kitchen.de exxess@binary-kitchen.de"
|
- "voucher3@binary-kitchen.de exxess@binary-kitchen.de"
|
||||||
|
@ -112,28 +100,19 @@ matrix_dbname: matrix
|
||||||
matrix_dbuser: matrix
|
matrix_dbuser: matrix
|
||||||
matrix_dbpass: "{{ vault_matrix_dbpass }}"
|
matrix_dbpass: "{{ vault_matrix_dbpass }}"
|
||||||
|
|
||||||
mc_domain: minecraft.binary-kitchen.de
|
nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
|
||||||
|
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
|
||||||
netbox_domain: netbox.binary.kitchen
|
nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
|
||||||
netbox_dbname: netbox
|
|
||||||
netbox_dbuser: netbox
|
|
||||||
netbox_dbpass: "{{ vault_netbox_dbpass }}"
|
|
||||||
netbox_secret: "{{ vault_netbox_secret }}"
|
|
||||||
|
|
||||||
nextcloud_domain: oc.binary-kitchen.de
|
nextcloud_domain: oc.binary-kitchen.de
|
||||||
nextcloud_dbname: owncloud
|
nextcloud_dbname: owncloud
|
||||||
nextcloud_dbuser: owncloud
|
nextcloud_dbuser: owncloud
|
||||||
nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
|
nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
|
||||||
|
|
||||||
nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
|
plk_domain: plk-regensburg.de
|
||||||
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
|
plk_dbuser: plkdbuser
|
||||||
nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
|
plk_dbname: plkdb
|
||||||
|
plk_dbpass: "{{ vault_plk_dbpass }}"
|
||||||
pretix_domain: pretix.rc3.binary-kitchen.de
|
|
||||||
pretix_dbname: pretix
|
|
||||||
pretix_dbuser: pretix
|
|
||||||
pretix_dbpass: "{{ vault_pretix_dbpass }}"
|
|
||||||
pretix_mail: rc3@binary-kitchen.de
|
|
||||||
|
|
||||||
prometheus_pve_user: prometheus@pve
|
prometheus_pve_user: prometheus@pve
|
||||||
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
|
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
|
||||||
|
@ -147,6 +126,8 @@ pve_targets:
|
||||||
|
|
||||||
radius_secret: "{{ vault_radius_secret }}"
|
radius_secret: "{{ vault_radius_secret }}"
|
||||||
|
|
||||||
|
rocketchat_domain: chat.binary-kitchen.de
|
||||||
|
|
||||||
root_keys:
|
root_keys:
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBmZnJLG1WRppbLtOAJw3E4LgLRK0NirfCgpovhhU6h moepman"
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBmZnJLG1WRppbLtOAJw3E4LgLRK0NirfCgpovhhU6h moepman"
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPlktM2x11cNBMKurf57MLE1XcOm2sGQXguc0tl1vYd kishi"
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPlktM2x11cNBMKurf57MLE1XcOm2sGQXguc0tl1vYd kishi"
|
||||||
|
@ -154,5 +135,3 @@ root_keys:
|
||||||
slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
|
slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
|
||||||
slapd_root_pass: "{{ vault_slapd_root_pass }}"
|
slapd_root_pass: "{{ vault_slapd_root_pass }}"
|
||||||
slapd_san: ldap.binary.kitchen
|
slapd_san: ldap.binary.kitchen
|
||||||
|
|
||||||
workadventure_domain: wa.binary-kitchen.de
|
|
||||||
|
|
|
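Review bot: `slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"` is carried on the new side in the plain group_vars file (hunk `@ -154,5 +135,3 @@`) while `slapd_root_pass` right below it is vault-referenced; a salted SHA-1 hash in the clear can be attacked offline by anyone with read access to the repository, so it belongs in the vault as well, e.g. `slapd_root_hash: "{{ vault_slapd_root_hash }}"` with the literal stored next to `vault_slapd_root_pass`. The hash is a context line, not something this commit changes. Separately, the hedgedoc→hackmd rename switches the references to `vault_hackmd_dbpass` and `vault_hackmd_secret`, and the vault file is re-encrypted in the same commit and cannot be read here; confirm those keys exist under the new names, otherwise the `{{ vault_* }}` lookups fail at run time.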
@ -1,70 +1,59 @@
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
34303237313431646264363034353637613836633432633638333963363037663435626166663630
|
37303932343462623335393066643531373533636435356462326537373532613534353266396435
|
||||||
6338393164366434386334313664386166373031326538350a396639373163646666376462373662
|
3636666364306637306266393933383963633032383265650a656563303332303134323135353239
|
||||||
36623863356436356635303263643239666162333863613831326630303363346137653234323838
|
34633863333930316564633632313939643664373163373833636139366537646530383736343130
|
||||||
3639623464303131350a653162336338626665393534623063623330323162373935353939303631
|
6239373931306234620a353966346262646538306631656461613431636230333430663931643933
|
||||||
64333363373563343336643764306563376461393430643631366133353836646363363166653233
|
31316362353439393838363666613932313635313864333135636530653238653162353033356437
|
||||||
38323331386165366334656630626138383131323664333266353164323164373364303161653365
|
33353063363639346266313631393463623864636133623264613865336536613536343365386230
|
||||||
30333339646139626434636365653666636534346266636262613938656665343634363563663366
|
65396263393862626139396430623134316632313637623631623762656139623664356331623066
|
||||||
32306663653930613762663534613635616663613130613933626331663861643439323664353739
|
30323430613963313162616135303164663364336634326533346438373635366238356531613461
|
||||||
31316531653562646363376233636464396262313132343234303933343066373862633235383333
|
30333736633965333163616437303566666239313962353531393530613265363833396136646262
|
||||||
31313431336464663163343835646430323664373166363465343037333130343636646363393231
|
62633662666532396535316361303934613138373365633161393664313234663533363736323335
|
||||||
34613162386637306539663431636137353039383037333937613035393332353933333134346335
|
38613762376234663564333333386265633138613839636132346638313430653639636339336239
|
||||||
31616561636533383639366634316164343466613634643130353437393664336332316132363934
|
38633564333831326331326166666362353364303933393532643936313564386565643162623435
|
||||||
61333961613530333536613034386332646136313939356339633334353333326661393231343261
|
36356437356631666137323039316430656566613436623062656562666139383635653039636463
|
||||||
62653463316662376134663965383030636639356637393237653362616561616238653637623039
|
35393438323765303431333737356339343730303531333834306239366533393537626239376163
|
||||||
65653139373633323766356362613239316165393966623932346561363363393138653032366439
|
31663332343136323264376234363264343136623365383833666638656531306362663462383033
|
||||||
64303463306132363261333936653763353833386337303763316362666134306264306464306362
|
31633838643562613762363634653865353361303666363139636337386439626235336462653036
|
||||||
30343364393539636565633861386261373661623061333733353635336133373162636465376137
|
30376461643839313665383430386534656265626139313034646438323861653530383637316139
|
||||||
61316465306534623337383631663538336632383832343132333862316336323961623637383838
|
35313539636137303561646564616362313435666262343137616263396465356434363862323137
|
||||||
65363832646138376233653264373535633437376162326361313863333839343236343966393839
|
38626464383039386139343665363538326539613837366437623362336639336133323463666235
|
||||||
32323361666264373466396130666465303032393364633134343264643731323438646562333361
|
36346333356434363838363634343233323363333762653264333062656133623434666162356433
|
||||||
63376266616430643135326430366266633332633333646134313736316139386232333965346331
|
37623862653862643335333931663063623166353534636430323230663838653532356335306632
|
||||||
61663964653931333730643435303637666563316133373831336566303361383736666139626562
|
33646265343834363839653565326538353930663061376461646534386637376234646264343933
|
||||||
38623031303533396632613361323533313334333631316434646232383136393433323466383330
|
65653763343236653630396238333232633461663333646531323337626235396231383931663264
|
||||||
65666530616466623933393936613963663766653361643733326330643162346635613835633736
|
34363564366134663036643332346238373639646336396261316133326235636265323636663335
|
||||||
64393064326233313035316130353563623639303665623064303831376332353264633930363364
|
35363537346466396432396162383131306438396431336138666663633132646662316165643333
|
||||||
33623137353130353962323964396130646230393335386434346130663064613434643136656466
|
64633434623166343262623038623431343631333962663566303566393761653536303638643037
|
||||||
63623666376165653961666539383335356163316131353966613036643530663835313766366533
|
63363963306139336235363537396432383131303763643966313937353537333739393031616439
|
||||||
31656633633331636535316234653561326465623562393632623062383935336530383133626236
|
35343361646234663062633631323238656137373464386561656439313636613630323632616332
|
||||||
66323366306366623631373861346635303063376264613734643039363137613837333534616362
|
39346239666266623038363066643865373762633532323431373431373165643662663661633365
|
||||||
37633462373538313562666639613031343866383234633438373936623437333666343731633735
|
35353361383339623535336362313430616139396561623934346264323462663663383566393165
|
||||||
33386666313531613734643431333332346439386465303531306365386537613933623636643237
|
35366637313861386465333530613530623832643333616538336436356134313832306139336361
|
||||||
35653434303433633533356662623965383133383838613361303832326130343938393561393935
|
32393162373235356236343332363038393631626534643237383232323735633265333562633231
|
||||||
38313533643830633432303464306561643233303866316130616531623230393366323264626165
|
61613164363962323236666365353830346664643263393532343562383736336535353364343638
|
||||||
33653230366138376533376166393466656233353061343338393433386332333361353063323634
|
62386465323331653565306234646664393164666334383765336630346438633636353264636138
|
||||||
66366561646466616566336265363037616433616231353739613538633765343235323637303535
|
31316231326236313839353465353230353935363330393035373234393039386134366534653636
|
||||||
34373739306130313536633338353130656632666536356535636265333335303730333031323436
|
63323730383931353763383739393330316335373563393039366166313031373664636335363363
|
||||||
39633466353139663361646265656334633461346564616633643030383662353762643237333761
|
38363131363565326431636361316562313037373664306333313366646336333162663664306539
|
||||||
31326435313361366163353836633535303462623533373363376433613139373135393566333937
|
64636530363561393037373766383937616435313333653836363835383231633130396133663635
|
||||||
64313838373366383432376430643236633030623736643435363038616261333364366139666435
|
36613531323732623264646666656139333766656562623430313964366236373663626135383437
|
||||||
66623661643032633931623539383136373138636333323737323165333831333764363137393562
|
31643663663637613762313465656636396264623362643538323166356636303430613133383664
|
||||||
62663335353265353535643666356632663736343039333965653639653764646261323736313430
|
66383332326437333638663562376665386237313533303437623765353661393561373338636130
|
||||||
39656366356130326363363133383062333530316165643430383161306135346663623861313030
|
30383665333366643331366536646330633133643566393962633164643563613536363434393234
|
||||||
65346430353230363561633239623330623265666336616133326263323063333132323764343735
|
66323931316535353632356432373262623962616264383430623436303637616165386433326231
|
||||||
63346230373339343062393035356565376265643463326366326535313130663163366435323339
|
38633730636633643634343833313964653530663034333063313334636134646634363437346161
|
||||||
62363339313332663333653336633331343161363432393639316630633365643037653739613132
|
32613061363032383732323263303830363532326239316538393739313730383530633862313039
|
||||||
63316662336630626366363662333061353539333133653732646330643065333430316333316131
|
37653865303932313635656332663039376331393161623731623039653865623436363061626538
|
||||||
33363662653465306531666435363932663432373932353466383364383634643634313736303931
|
32383934613335363534666461343135303235373262343634306130633536323839393139346662
|
||||||
63353632353836663263616137353031643238663632363563656137313961656534663137613061
|
31623265323138353963623938616665383765366230656461383835346230346261623866366630
|
||||||
37636530306334613639326363383665373061383634326630653366386632636634653638653330
|
65303965353432386136373562306434623739666262356663656266346439356435613362333563
|
||||||
32366438623635363833343566353365373762646162393637326433656438663066663766333761
|
34366539353366346636376662363837303332373866323434366261326164633033353930383038
|
||||||
65363136666238623439663764363266363731613261326566653035303265623736353331376562
|
36666433656365366663326163343034306439653262353733323232373133386436333637346563
|
||||||
36646435353134613363316236383938613032626562646237366337376433326334386330646266
|
32626533336530633731336631333334353366306538663936643637346335303965626631316562
|
||||||
66333365323133616466646164353262653830313764376562636164326163623463373863373630
|
33333061656234393661363766663630316662613764333231326434383465666234653238393965
|
||||||
31623264373330386136396130626133323762363262336337396562613166646132386362383635
|
31636561396665383063613433653837363634623337623330666466353532633434383864343464
|
||||||
61333637373462316463303962396162383039373265303939306132323533393236343965613835
|
38303436306165353433356536326466306530373635616531393462666336666435633235613937
|
||||||
32646361383938383337653264323766363130613264613463386432306238316531653437323939
|
37343832333864643636366632623062363234633365326635386663376439383332306333653161
|
||||||
39353866313834393933623630303539633334663239343865313264616664656464646631623934
|
34353830396165366534313334616161323461613066383561343563393330613464373862623062
|
||||||
33623230643633353361343965396236393939343765653161643530626133663236383135343934
|
3536303066343262636636393861313539616636643339353562
|
||||||
37353231626339323866613237663463656239326335643035313730363133616538613866386162
|
|
||||||
65623335393462633130353965343533616261636261656162626639323231623934663765386166
|
|
||||||
37353665643363386662646538306530326161653461393236616531343935393639386432633437
|
|
||||||
63643561646337616138633063646261323937333262333535626235373561336339346661353365
|
|
||||||
30396365376566616538353866383266666436636131656535363062633237313266366639373536
|
|
||||||
64316435316234313365306332383637636263376563393464303566313566636238626434393364
|
|
||||||
62316263353733636136393034616362643764346536373533363937633938383037376261656330
|
|
||||||
30333738616232616566643335353161636466643830393464643263653633373662623437643332
|
|
||||||
61396430636631396134393064633131636233653664373363386638366138343435613438303330
|
|
||||||
61366234663461333331623961393834643233623862323861346163343934303838666232626639
|
|
||||||
6139
|
|
||||||
|
|
|
@ -1,14 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
dhcpd_failover: false
|
|
||||||
dhcpd_primary: 172.23.13.3
|
|
||||||
|
|
||||||
dns_primary: 172.23.13.3
|
|
||||||
|
|
||||||
name_servers:
|
|
||||||
- 172.23.13.3
|
|
||||||
|
|
||||||
ntp_servers:
|
|
||||||
- 172.23.12.61
|
|
||||||
|
|
||||||
radius_cn: radius.binary.kitchen
|
|
|
@ -4,9 +4,6 @@ dhcpd_failover: true
|
||||||
dhcpd_primary: 172.23.2.3
|
dhcpd_primary: 172.23.2.3
|
||||||
dhcpd_secondary: 172.23.2.4
|
dhcpd_secondary: 172.23.2.4
|
||||||
|
|
||||||
dns_primary: 172.23.2.3
|
|
||||||
dns_secondary: 172.23.2.4
|
|
||||||
|
|
||||||
name_servers:
|
name_servers:
|
||||||
- 172.23.2.3
|
- 172.23.2.3
|
||||||
- 172.23.2.4
|
- 172.23.2.4
|
||||||
|
|
|
@ -1,6 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
radius_hostname: radius3.binary.kitchen
|
|
||||||
|
|
||||||
slapd_hostname: ldap3.binary.kitchen
|
|
||||||
slapd_role: slave
|
|
|
@ -1,11 +1,9 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
ntp_server: true
|
|
||||||
|
|
||||||
ntp_servers:
|
ntp_servers:
|
||||||
- ptbtime2.ptb.de
|
- ptbtime2.ptb.de
|
||||||
- ntp1.rrze.uni-erlangen.de
|
- ntp1.rrze.uni-erlangen.de
|
||||||
- rustime01.rus.uni-stuttgart.de
|
- ntps1-0.cs.tu-berlin.de
|
||||||
|
|
||||||
ntp_peers:
|
ntp_peers:
|
||||||
- 172.23.1.60
|
- 172.23.1.60
|
||||||
|
|
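Review bot: `ntp_server: true` is dropped here and in the second ntp host_vars hunk (the later `@ -1,11 +1,9 @@`), but the same commit also deletes the common role's chrony.yml and chrony.conf.j2, which were the only consumers of `ntp_servers`, `ntp_peers` and `ntp_server` visible on this page; the `allow 172.23.0.0/16` serving directive that `ntp_server` controlled disappears with the template. If another role now renders time configuration for these hosts, a one-line comment above `ntp_servers:` naming it would keep the variables from looking orphaned; if not, these hosts stop serving NTP to the network without the commit saying so. Swapping `rustime01.rus.uni-stuttgart.de` for `ntps1-0.cs.tu-berlin.de` is fine as far as the page shows.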
|
@ -1,2 +0,0 @@
|
||||||
root_keys_host:
|
|
||||||
- "ssh-rsa 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 noby"
|
|
|
@ -1,8 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
nfs_exports:
|
|
||||||
- /exports/backup/bk 172.23.1.60(rw,sync,no_subtree_check)
|
|
||||||
- /exports/backup/rz 172.23.9.61(rw,sync,no_subtree_check)
|
|
||||||
- /exports/tank 172.23.0.0/22(rw,sync,no_subtree_check)
|
|
||||||
|
|
||||||
uau_reboot: "false"
|
|
|
@ -3,5 +3,3 @@
|
||||||
root_keys_host:
|
root_keys_host:
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJu4xYKnnAhXf2Fe+cI+U4EVkePw3cbPbSR4iPhY2fQf xaver@xm.1drop.de"
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJu4xYKnnAhXf2Fe+cI+U4EVkePw3cbPbSR4iPhY2fQf xaver@xm.1drop.de"
|
||||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGC1Cn/tEqpZKEgLzT3bGrhYibQy0bc21rtoDqm4+elZ xaver@home"
|
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGC1Cn/tEqpZKEgLzT3bGrhYibQy0bc21rtoDqm4+elZ xaver@home"
|
||||||
|
|
||||||
nginx_anonymize: True
|
|
||||||
|
|
|
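Review bot: This host's access logs may revert to full client IP addresses: `nginx_anonymize: True` is removed in hunk `@ -3,5 +3,3 @@`, and the nginx role's default is not visible on this page, so if that default is false the removal is a privacy-relevant change that the commit does not explain. Either keep the line or state in the commit why unanonymized addresses are now acceptable for this host.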
@ -1,8 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
ntp_server: true
|
|
||||||
|
|
||||||
ntp_servers:
|
|
||||||
- ptbtime1.ptb.de
|
|
||||||
- ntp1.rrze.uni-erlangen.de
|
|
||||||
- rustime01.rus.uni-stuttgart.de
|
|
|
@ -1,11 +1,9 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
ntp_server: true
|
|
||||||
|
|
||||||
ntp_servers:
|
ntp_servers:
|
||||||
- ptbtime1.ptb.de
|
- ptbtime1.ptb.de
|
||||||
- ntp1.rrze.uni-erlangen.de
|
- ntp1.rrze.uni-erlangen.de
|
||||||
- rustime01.rus.uni-stuttgart.de
|
- ntps1-0.cs.tu-berlin.de
|
||||||
|
|
||||||
ntp_peers:
|
ntp_peers:
|
||||||
- 172.23.2.3
|
- 172.23.2.3
|
||||||
|
|
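--- a/hosts
+++ b/hosts
@@ -4,14 +4,10 @@ bacon.binary.kitchen ansible_host=172.23.2.3
 aveta.binary.kitchen ansible_host=172.23.2.4
 sulis.binary.kitchen ansible_host=172.23.2.5
 nabia.binary.kitchen ansible_host=172.23.2.6
-epona.binary.kitchen ansible_host=172.23.2.7
 pizza.binary.kitchen ansible_host=172.23.2.33
 bob.binary.kitchen ansible_host=172.23.2.37
-bowle.binary.kitchen ansible_host=172.23.2.62
+bowle.binary.kitchen ansible_host=172.23.2.62 ansible_python_interpreter=/usr/local/bin/python2.7
 salat.binary.kitchen ansible_host=172.23.9.61
-[auweg]
-aeron.binary.kitchen ansible_host=172.23.13.3
-weizen.binary.kitchen ansible_host=172.23.12.61
 [fan_rz]
 helium.binary-kitchen.net
 lithium.binary-kitchen.net
@@ -27,6 +23,5 @@ krypton.binary-kitchen.net
 yttrium.binary-kitchen.net
 zirconium.binary-kitchen.net
 molybdenum.binary-kitchen.net
+technetium.binary-kitchen.net
 ruthenium.binary-kitchen.net
-rhodium.binary-kitchen.net
-barium.binary-kitchen.net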
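Review bot: `bowle.binary.kitchen ansible_host=172.23.2.62 ansible_python_interpreter=/usr/local/bin/python2.7` pins an interpreter that has been end-of-life since January 2020, and recent ansible-core releases have dropped Python 2.7 as a managed-node interpreter, so the pin will start failing on a controller upgrade. /usr/local/bin is the pkg prefix, which suggests bowle is the FreeBSD host the new FreeBSD.yml tasks target; if a python3 package is installed there, `ansible_python_interpreter=/usr/local/bin/python3` is the durable choice, but what is installed cannot be told from this page. The same commit drops `interpreter_python = auto` from the `[defaults]` section in the first hunk, so every other host now relies on the controller's default discovery; worth stating in the commit message.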
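--- /dev/null
+++ b/roles/common/files/50-virtio-kernel-names.link
@@ -0,0 +1,10 @@
+# udev 226 introduced predictable interface names for virtio;
+# disable this for upgrades. You can remove this file if you update your
+# network configuration to move to the ens* names instead.
+# See /usr/share/doc/udev/README.Debian.gz for details about predictable
+# network interface names.
+[Match]
+Driver=virtio_net
+
+[Link]
+NamePolicy=onboard kernel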
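--- /dev/null
+++ b/roles/common/files/99-default.link
@@ -0,0 +1,6 @@
+# This machine is most likely a virtualized guest, where the old persistent
+# network interface mechanism (75-persistent-net-generator.rules) did not work.
+# This file disables /lib/systemd/network/99-default.link to avoid
+# changing network interface names on upgrade. Please read
+# /usr/share/doc/udev/README.Debian.gz about how to migrate to the currently
+# supported mechanism.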
@ -1,13 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Restart chrony
|
|
||||||
service: name=chrony state=restarted
|
|
||||||
|
|
||||||
- name: Restart journald
|
- name: Restart journald
|
||||||
service: name=systemd-journald state=restarted
|
service: name=systemd-journald state=restarted
|
||||||
|
|
||||||
- name: update-grub
|
|
||||||
command: update-grub
|
|
||||||
|
|
||||||
- name: update-initramfs
|
- name: update-initramfs
|
||||||
command: update-initramfs -u -k all
|
command: update-initramfs -u -k all
|
||||||
|
|
|
@ -3,9 +3,7 @@
|
||||||
- name: Install misc software
|
- name: Install misc software
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
- apt-transport-https
|
|
||||||
- dnsutils
|
- dnsutils
|
||||||
- gnupg2
|
|
||||||
- htop
|
- htop
|
||||||
- less
|
- less
|
||||||
- net-tools
|
- net-tools
|
||||||
|
@ -36,18 +34,21 @@
|
||||||
- name: Set shell for root user
|
- name: Set shell for root user
|
||||||
user: name=root shell=/bin/zsh
|
user: name=root shell=/bin/zsh
|
||||||
|
|
||||||
|
- name: Create LDAP client config
|
||||||
|
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
|
||||||
|
|
||||||
- name: Disable hibernation/resume
|
- name: Disable hibernation/resume
|
||||||
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
|
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
|
||||||
notify: update-initramfs
|
notify: update-initramfs
|
||||||
|
|
||||||
- name: Enable serial console on KVM VMs
|
# TODO template /etc/network/interfaces
|
||||||
lineinfile:
|
|
||||||
path: "/etc/default/grub"
|
- name: Fix network interface names
|
||||||
state: "present"
|
copy: src={{ item }} dest=/etc/systemd/network/{{ item }}
|
||||||
regexp: "^#?GRUB_CMDLINE_LINUX=.*"
|
with_items:
|
||||||
line: "GRUB_CMDLINE_LINUX=\"console=ttyS0,115200 console=tty0\""
|
- 50-virtio-kernel-names.link
|
||||||
notify: update-grub
|
- 99-default.link
|
||||||
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
|
notify: update-initramfs
|
||||||
|
|
||||||
- name: Prevent normal users from running su
|
- name: Prevent normal users from running su
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
|
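Review bot: The new `Fix network interface names` task installs `99-default.link` on every Debian host the role runs on, with no `when` guard, although that file's own header says it is meant for virtualized guests; masking /lib/systemd/network/99-default.link on a physical host changes its interface naming policy and can rename NICs on the next reboot, which silently breaks firewall rules and listeners bound to interface names. The removed serial-console task had a usable guard; reuse its first clause on the new task, `when: ansible_virtualization_role == "guest"` (the kvm-specific second clause is not needed, since 50-virtio-kernel-names.link matches only the virtio_net driver). The stray `# TODO template /etc/network/interfaces` sits between tasks with no owner; attach it to the task it refers to or drop it. The enclosing task list continues outside the hunk.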
14
roles/common/tasks/FreeBSD.yml
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Install misc software
|
||||||
|
pkgng:
|
||||||
|
name:
|
||||||
|
- vim-lite
|
||||||
|
- htop
|
||||||
|
- zsh
|
||||||
|
|
||||||
|
- name: Configure misc software
|
||||||
|
copy: src={{ item.src }} dest={{ item.dest }}
|
||||||
|
with_items:
|
||||||
|
- { src: '.zshrc', dest: '/root/.zshrc' }
|
||||||
|
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
|
@ -13,7 +13,6 @@
|
||||||
|
|
||||||
- name: Configure misc software
|
- name: Configure misc software
|
||||||
copy: src={{ item.src }} dest={{ item.dest }}
|
copy: src={{ item.src }} dest={{ item.dest }}
|
||||||
diff: no
|
|
||||||
with_items:
|
with_items:
|
||||||
- { src: '.zshrc', dest: '/root/.zshrc' }
|
- { src: '.zshrc', dest: '/root/.zshrc' }
|
||||||
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
||||||
|
|
|
@ -1,8 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: Install chrony
|
|
||||||
apt: name=chrony
|
|
||||||
|
|
||||||
- name: Configure chrony
|
|
||||||
template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
|
|
||||||
notify: Restart chrony
|
|
|
@ -17,5 +17,6 @@
|
||||||
include: Debian.yml
|
include: Debian.yml
|
||||||
when: ansible_os_family == 'Debian' and 'pve-manager' not in ansible_facts.packages
|
when: ansible_os_family == 'Debian' and 'pve-manager' not in ansible_facts.packages
|
||||||
|
|
||||||
- name: Setup chrony
|
- name: FreeBSD
|
||||||
include: chrony.yml
|
include: FreeBSD.yml
|
||||||
|
when: ansible_distribution == 'FreeBSD'
|
||||||
|
|
|
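Review bot: `include: FreeBSD.yml` uses the `include` action, which has been deprecated since Ansible 2.4 and is removed in recent ansible-core releases, so this new task (and the `include: Debian.yml` context line above it) will stop loading on an upgrade; `import_tasks: FreeBSD.yml` keeps the static behaviour and works with the existing `when:`. The condition uses `ansible_distribution` while the Debian task uses `ansible_os_family`; both resolve to FreeBSD there, so this is only a consistency point. The surrounding task list starts outside the hunk.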
@ -1,46 +0,0 @@
|
||||||
# Welcome to the chrony configuration file. See chrony.conf(5) for more
|
|
||||||
# information about usable directives.
|
|
||||||
|
|
||||||
{% for srv in ntp_servers %}
|
|
||||||
server {{ srv }} iburst
|
|
||||||
{% endfor %}
|
|
||||||
{% if ntp_peers is defined %}
|
|
||||||
|
|
||||||
{% for peer in ntp_peers %}
|
|
||||||
peer {{ peer }}
|
|
||||||
{% endfor %}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if ntp_server is defined and ntp_server is true %}
|
|
||||||
allow 172.23.0.0/16
|
|
||||||
{% endif -%}
|
|
||||||
|
|
||||||
# This directive specify the location of the file containing ID/key pairs for
|
|
||||||
# NTP authentication.
|
|
||||||
keyfile /etc/chrony/chrony.keys
|
|
||||||
|
|
||||||
# This directive specify the file into which chronyd will store the rate
|
|
||||||
# information.
|
|
||||||
driftfile /var/lib/chrony/chrony.drift
|
|
||||||
|
|
||||||
# Uncomment the following line to turn logging on.
|
|
||||||
#log tracking measurements statistics
|
|
||||||
|
|
||||||
# Log files location.
|
|
||||||
logdir /var/log/chrony
|
|
||||||
|
|
||||||
# Stop bad estimates upsetting machine clock.
|
|
||||||
maxupdateskew 100.0
|
|
||||||
|
|
||||||
# This directive enables kernel synchronisation (every 11 minutes) of the
|
|
||||||
# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
|
|
||||||
rtcsync
|
|
||||||
|
|
||||||
# Step the system clock instead of slewing it if the adjustment is larger than
|
|
||||||
# one second, but only in the first three clock updates.
|
|
||||||
makestep 1 3
|
|
||||||
|
|
||||||
# Get TAI-UTC offset and leap seconds from the system tz database.
|
|
||||||
# This directive must be commented out when using time sources serving
|
|
||||||
# leap-smeared time.
|
|
||||||
leapsectz right/UTC
|
|
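--- /dev/null
+++ b/roles/common/templates/ldap.conf.j2
@@ -0,0 +1,19 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE {{ ldap_base }}
+URI {{ ldap_uri }}
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
+
+# TLS certificates (needed for GnuTLS)
+TLS_REQCERT demand
+TLS_CACERTDIR /etc/ssl/certs
+TLS_CACERT /etc/ssl/certs/ca-certificates.crt
+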
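Review bot: `TLS_REQCERT demand` only governs certificate checking once a TLS session is negotiated; it does not make clients use TLS, so `URI {{ ldap_uri }}` must expand to an `ldaps://` URI (or every client must request STARTTLS) for the setting to protect anything on the wire. `ldap_base` and `ldap_uri` are not defined in the group_vars hunks on this page, which only carry `nslcd_base_*` and `slapd_san`; confirm they are set somewhere, as the `Create LDAP client config` template task fails otherwise. A comment above URI, `# keep an ldaps:// URI here: TLS_REQCERT does not force TLS`, would capture the constraint for the next editor.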
@ -1,60 +1,52 @@
|
||||||
# Coturn TURN SERVER configuration file
|
# Coturn TURN SERVER configuration file
|
||||||
#
|
#
|
||||||
# Boolean values note: where a boolean value is supposed to be used,
|
# Boolean values note: where boolean value is supposed to be used,
|
||||||
# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
|
# you can use '0', 'off', 'no', 'false', 'f' as 'false,
|
||||||
# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
|
# and you can use '1', 'on', 'yes', 'true', 't' as 'true'
|
||||||
# If the value is missing, then it means 'true' by default.
|
# If the value is missed, then it means 'true'.
|
||||||
#
|
#
|
||||||
|
|
||||||
# Listener interface device (optional, Linux only).
|
# Listener interface device (optional, Linux only).
|
||||||
# NOT RECOMMENDED.
|
# NOT RECOMMENDED.
|
||||||
#
|
#
|
||||||
#listening-device=eth0
|
#listening-device=eth0
|
||||||
|
|
||||||
# TURN listener port for UDP and TCP (Default: 3478).
|
# TURN listener port for UDP and TCP (Default: 3478).
|
||||||
# Note: actually, TLS & DTLS sessions can connect to the
|
# Note: actually, TLS & DTLS sessions can connect to the
|
||||||
# "plain" TCP & UDP port(s), too - if allowed by configuration.
|
# "plain" TCP & UDP port(s), too - if allowed by configuration.
|
||||||
#
|
#
|
||||||
#listening-port=3478
|
#listening-port=3478
|
||||||
|
|
||||||
# TURN listener port for TLS (Default: 5349).
|
# TURN listener port for TLS (Default: 5349).
|
||||||
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
|
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
|
||||||
# port(s), too - if allowed by configuration. The TURN server
|
# port(s), too - if allowed by configuration. The TURN server
|
||||||
# "automatically" recognizes the type of traffic. Actually, two listening
|
# "automatically" recognizes the type of traffic. Actually, two listening
|
||||||
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
|
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
|
||||||
# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
|
# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
|
||||||
# For secure TCP connections, Coturn currently supports
|
# For secure TCP connections, we currently support SSL version 3 and
|
||||||
# TLS version 1.0, 1.1 and 1.2.
|
# TLS version 1.0, 1.1 and 1.2.
|
||||||
# For secure UDP connections, Coturn supports DTLS version 1.
|
# For secure UDP connections, we support DTLS version 1.
|
||||||
#
|
#
|
||||||
#tls-listening-port=5349
|
#tls-listening-port=5349
|
||||||
|
|
||||||
# Alternative listening port for UDP and TCP listeners;
|
# Alternative listening port for UDP and TCP listeners;
|
||||||
# default (or zero) value means "listening port plus one".
|
# default (or zero) value means "listening port plus one".
|
||||||
# This is needed for RFC 5780 support
|
# This is needed for RFC 5780 support
|
||||||
# (STUN extension specs, NAT behavior discovery). The TURN Server
|
# (STUN extension specs, NAT behavior discovery). The TURN Server
|
||||||
# supports RFC 5780 only if it is started with more than one
|
# supports RFC 5780 only if it is started with more than one
|
||||||
# listening IP address of the same family (IPv4 or IPv6).
|
# listening IP address of the same family (IPv4 or IPv6).
|
||||||
# RFC 5780 is supported only by UDP protocol, other protocols
|
# RFC 5780 is supported only by UDP protocol, other protocols
|
||||||
# are listening to that endpoint only for "symmetry".
|
# are listening to that endpoint only for "symmetry".
|
||||||
#
|
#
|
||||||
#alt-listening-port=0
|
#alt-listening-port=0
|
||||||
|
|
||||||
# Alternative listening port for TLS and DTLS protocols.
|
# Alternative listening port for TLS and DTLS protocols.
|
||||||
# Default (or zero) value means "TLS listening port plus one".
|
# Default (or zero) value means "TLS listening port plus one".
|
||||||
#
|
#
|
||||||
#alt-tls-listening-port=0
|
#alt-tls-listening-port=0
|
||||||
|
|
||||||
# Some network setups will require using a TCP reverse proxy in front
|
|
||||||
# of the STUN server. If the proxy port option is set a single listener
|
|
||||||
# is started on the given port that accepts connections using the
|
|
||||||
# haproxy proxy protocol v2.
|
|
||||||
# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
|
|
||||||
#
|
|
||||||
#tcp-proxy-port=5555
|
|
||||||
|
|
||||||
# Listener IP address of relay server. Multiple listeners can be specified.
|
# Listener IP address of relay server. Multiple listeners can be specified.
|
||||||
# If no IP(s) specified in the config file or in the command line options,
|
# If no IP(s) specified in the config file or in the command line options,
|
||||||
# then all IPv4 and IPv6 system IPs will be used for listening.
|
# then all IPv4 and IPv6 system IPs will be used for listening.
|
||||||
#
|
#
|
||||||
#listening-ip=172.17.19.101
|
#listening-ip=172.17.19.101
|
||||||
|
@ -69,7 +61,7 @@
|
||||||
# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
|
# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
|
||||||
#
|
#
|
||||||
# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
|
# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
|
||||||
#
|
#
|
||||||
# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
|
# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
|
||||||
#
|
#
|
||||||
# There may be multiple aux-server options, each will be used for listening
|
# There may be multiple aux-server options, each will be used for listening
|
||||||
|
@ -81,7 +73,7 @@
|
||||||
# (recommended for older Linuxes only)
|
# (recommended for older Linuxes only)
|
||||||
# Automatically balance UDP traffic over auxiliary servers (if configured).
|
# Automatically balance UDP traffic over auxiliary servers (if configured).
|
||||||
# The load balancing is using the ALTERNATE-SERVER mechanism.
|
# The load balancing is using the ALTERNATE-SERVER mechanism.
|
||||||
# The TURN client must support 300 ALTERNATE-SERVER response for this
|
# The TURN client must support 300 ALTERNATE-SERVER response for this
|
||||||
# functionality.
|
# functionality.
|
||||||
#
|
#
|
||||||
#udp-self-balance
|
#udp-self-balance
|
||||||
|
@ -91,13 +83,13 @@
|
||||||
#
|
#
|
||||||
#relay-device=eth1
|
#relay-device=eth1
|
||||||
|
|
||||||
# Relay address (the local IP address that will be used to relay the
|
# Relay address (the local IP address that will be used to relay the
|
||||||
# packets to the peer).
|
# packets to the peer).
|
||||||
# Multiple relay addresses may be used.
|
# Multiple relay addresses may be used.
|
||||||
# The same IP(s) can be used as both listening IP(s) and relay IP(s).
|
# The same IP(s) can be used as both listening IP(s) and relay IP(s).
|
||||||
#
|
#
|
||||||
# If no relay IP(s) specified, then the turnserver will apply the default
|
# If no relay IP(s) specified, then the turnserver will apply the default
|
||||||
# policy: it will decide itself which relay addresses to be used, and it
|
# policy: it will decide itself which relay addresses to be used, and it
|
||||||
# will always be using the client socket IP address as the relay IP address
|
# will always be using the client socket IP address as the relay IP address
|
||||||
# of the TURN session (if the requested relay address family is the same
|
# of the TURN session (if the requested relay address family is the same
|
||||||
# as the family of the client socket).
|
# as the family of the client socket).
|
||||||
|
@ -120,7 +112,7 @@
|
||||||
# that option must be used several times, each entry must
|
# that option must be used several times, each entry must
|
||||||
# have form "-X <public-ip/private-ip>", to map all involved addresses.
|
# have form "-X <public-ip/private-ip>", to map all involved addresses.
|
||||||
# RFC5780 NAT discovery STUN functionality will work correctly,
|
# RFC5780 NAT discovery STUN functionality will work correctly,
|
||||||
# if the addresses are mapped properly, even when the TURN server itself
|
# if the addresses are mapped properly, even when the TURN server itself
|
||||||
# is behind A NAT.
|
# is behind A NAT.
|
||||||
#
|
#
|
||||||
# By default, this value is empty, and no address mapping is used.
|
# By default, this value is empty, and no address mapping is used.
|
||||||
|
@ -135,18 +127,18 @@
|
||||||
|
|
||||||
# Number of the relay threads to handle the established connections
|
# Number of the relay threads to handle the established connections
|
||||||
# (in addition to authentication thread and the listener thread).
|
# (in addition to authentication thread and the listener thread).
|
||||||
# If explicitly set to 0 then application runs relay process in a
|
# If explicitly set to 0 then application runs relay process in a
|
||||||
# single thread, in the same thread with the listener process
|
# single thread, in the same thread with the listener process
|
||||||
# (the authentication thread will still be a separate thread).
|
# (the authentication thread will still be a separate thread).
|
||||||
#
|
#
|
||||||
# If this parameter is not set, then the default OS-dependent
|
# If this parameter is not set, then the default OS-dependent
|
||||||
# thread pattern algorithm will be employed. Usually the default
|
# thread pattern algorithm will be employed. Usually the default
|
||||||
# algorithm is optimal, so you have to change this option
|
# algorithm is the most optimal, so you have to change this option
|
||||||
# if you want to make some fine tweaks.
|
# only if you want to make some fine tweaks.
|
||||||
#
|
#
|
||||||
# In the older systems (Linux kernel before 3.9),
|
# In the older systems (Linux kernel before 3.9),
|
||||||
# the number of UDP threads is always one thread per network listening
|
# the number of UDP threads is always one thread per network listening
|
||||||
# endpoint - including the auxiliary endpoints - unless 0 (zero) or
|
# endpoint - including the auxiliary endpoints - unless 0 (zero) or
|
||||||
# 1 (one) value is set.
|
# 1 (one) value is set.
|
||||||
#
|
#
|
||||||
#relay-threads=0
|
#relay-threads=0
|
||||||
|
@ -156,15 +148,15 @@
|
||||||
#
|
#
|
||||||
#min-port=49152
|
#min-port=49152
|
||||||
#max-port=65535
|
#max-port=65535
|
||||||
|
|
||||||
# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
|
# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
|
||||||
# By default the verbose mode is off.
|
# By default the verbose mode is off.
|
||||||
#verbose
|
#verbose
|
||||||
|
|
||||||
# Uncomment to run TURN server in 'extra' verbose mode.
|
# Uncomment to run TURN server in 'extra' verbose mode.
|
||||||
# This mode is very annoying and produces lots of output.
|
# This mode is very annoying and produces lots of output.
|
||||||
# Not recommended under normal circumstances.
|
# Not recommended under any normal circumstances.
|
||||||
#
|
#
|
||||||
#Verbose
|
#Verbose
|
||||||
|
|
||||||
# Uncomment to use fingerprints in the TURN messages.
|
# Uncomment to use fingerprints in the TURN messages.
|
||||||
|
@ -177,69 +169,58 @@ fingerprint
|
||||||
#
|
#
|
||||||
#lt-cred-mech
|
#lt-cred-mech
|
||||||
|
|
||||||
# This option is the opposite of lt-cred-mech.
|
# This option is opposite to lt-cred-mech.
|
||||||
# (TURN Server with no-auth option allows anonymous access).
|
# (TURN Server with no-auth option allows anonymous access).
|
||||||
# If neither option is defined, and no users are defined,
|
# If neither option is defined, and no users are defined,
|
||||||
# then no-auth is default. If at least one user is defined,
|
# then no-auth is default. If at least one user is defined,
|
||||||
# in this file, in command line or in usersdb file, then
|
# in this file or in command line or in usersdb file, then
|
||||||
# lt-cred-mech is default.
|
# lt-cred-mech is default.
|
||||||
#
|
#
|
||||||
#no-auth
|
#no-auth
|
||||||
|
|
||||||
# Enable prometheus exporter
|
|
||||||
# If enabled the turnserver will expose an endpoint with stats on a prometheus format
|
|
||||||
# this endpoint is listening on a different port to not conflict with other configurations.
|
|
||||||
#
|
|
||||||
# You can simply run the turnserver and access the port 9641 and path /metrics
|
|
||||||
#
|
|
||||||
# For mor info on the prometheus exporter and metrics
|
|
||||||
# https://prometheus.io/docs/introduction/overview/
|
|
||||||
# https://prometheus.io/docs/concepts/data_model/
|
|
||||||
#
|
|
||||||
#prometheus
|
|
||||||
|
|
||||||
# TURN REST API flag.
|
# TURN REST API flag.
|
||||||
# (Time Limited Long Term Credential)
|
# (Time Limited Long Term Credential)
|
||||||
# Flag that sets a special authorization option that is based upon authentication secret.
|
# Flag that sets a special authorization option that is based upon authentication secret.
|
||||||
#
|
#
|
||||||
# This feature's purpose is to support "TURN Server REST API", see
|
# This feature's purpose is to support "TURN Server REST API", see
|
||||||
# "TURN REST API" link in the project's page
|
# "TURN REST API" link in the project's page
|
||||||
# https://github.com/coturn/coturn/
|
# https://github.com/coturn/coturn/
|
||||||
#
|
#
|
||||||
# This option is used with timestamp:
|
# This option is used with timestamp:
|
||||||
#
|
#
|
||||||
# usercombo -> "timestamp:userid"
|
# usercombo -> "timestamp:userid"
|
||||||
# turn user -> usercombo
|
# turn user -> usercombo
|
||||||
# turn password -> base64(hmac(secret key, usercombo))
|
# turn password -> base64(hmac(secret key, usercombo))
|
||||||
#
|
#
|
||||||
# This allows TURN credentials to be accounted for a specific user id.
|
# This allows TURN credentials to be accounted for a specific user id.
|
||||||
# If you don't have a suitable id, then the timestamp alone can be used.
|
# If you don't have a suitable id, the timestamp alone can be used.
|
||||||
# This option is enabled by turning on secret-based authentication.
|
# This option is just turning on secret-based authentication.
|
||||||
# The actual value of the secret is defined either by the option static-auth-secret,
|
# The actual value of the secret is defined either by option static-auth-secret,
|
||||||
# or can be found in the turn_secret table in the database (see below).
|
# or can be found in the turn_secret table in the database (see below).
|
||||||
#
|
#
|
||||||
# Read more about it:
|
# Read more about it:
|
||||||
# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
|
# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
|
||||||
# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
|
# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
|
||||||
#
|
#
|
||||||
# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
|
# Be aware that use-auth-secret overrides some part of lt-cred-mech.
|
||||||
# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
|
# Notice that this feature depends internally on lt-cred-mech, so if you set
|
||||||
# this option then it automatically enables lt-cred-mech internally
|
# use-auth-secret then it enables internally automatically lt-cred-mech option
|
||||||
# as if you had enabled both.
|
# like if you enable both.
|
||||||
#
|
#
|
||||||
# Note that you can use only one auth mechanism at the same time! This is because,
|
# You can use only one of the to auth mechanisms in the same time because,
|
||||||
# both mechanisms conduct username and password validation in different ways.
|
# both mechanism use the username and password validation in different way.
|
||||||
#
|
#
|
||||||
# Use either lt-cred-mech or use-auth-secret in the conf
|
# This way be aware that you can't use both auth mechnaism in the same time!
|
||||||
|
# Use in config either the lt-cred-mech or the use-auth-secret
|
||||||
# to avoid any confusion.
|
# to avoid any confusion.
|
||||||
#
|
#
|
||||||
use-auth-secret
|
use-auth-secret
|
||||||
|
|
||||||
# 'Static' authentication secret value (a string) for TURN REST API only.
|
# 'Static' authentication secret value (a string) for TURN REST API only.
|
||||||
# If not set, then the turn server
|
# If not set, then the turn server
|
||||||
# will try to use the 'dynamic' value in the turn_secret table
|
# will try to use the 'dynamic' value in turn_secret table
|
||||||
# in the user database (if present). The database-stored value can be changed on-the-fly
|
# in user database (if present). The database-stored value can be changed on-the-fly
|
||||||
# by a separate program, so this is why that mode is considered 'dynamic'.
|
# by a separate program, so this is why that other mode is 'dynamic'.
|
||||||
#
|
#
|
||||||
static-auth-secret={{ coturn_secret }}
|
static-auth-secret={{ coturn_secret }}
|
||||||
|
|
||||||
|
@ -253,10 +234,10 @@ static-auth-secret={{ coturn_secret }}
|
||||||
#
|
#
|
||||||
#oauth
|
#oauth
|
||||||
|
|
||||||
# 'Static' user accounts for the long term credentials mechanism, only.
|
# 'Static' user accounts for long term credentials mechanism, only.
|
||||||
# This option cannot be used with TURN REST API.
|
# This option cannot be used with TURN REST API.
|
||||||
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
|
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
|
||||||
# so they can NOT be changed while the turnserver is running.
|
# so that they can NOT be changed while the turnserver is running.
|
||||||
#
|
#
|
||||||
#user=username1:key1
|
#user=username1:key1
|
||||||
#user=username2:key2
|
#user=username2:key2
|
||||||
|
@ -274,7 +255,7 @@ static-auth-secret={{ coturn_secret }}
|
||||||
# password. If it has 0x then it is a key, otherwise it is a password).
|
# password. If it has 0x then it is a key, otherwise it is a password).
|
||||||
#
|
#
|
||||||
# The corresponding user account entry in the config file will be:
|
# The corresponding user account entry in the config file will be:
|
||||||
#
|
#
|
||||||
#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
|
#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
|
||||||
# Or, equivalently, with open clear password (less secure):
|
# Or, equivalently, with open clear password (less secure):
|
||||||
#user=ninefingers:youhavetoberealistic
|
#user=ninefingers:youhavetoberealistic
|
||||||
|
@ -282,83 +263,83 @@ static-auth-secret={{ coturn_secret }}
|
||||||
|
|
||||||
# SQLite database file name.
|
# SQLite database file name.
|
||||||
#
|
#
|
||||||
# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
|
# Default file name is /var/db/turndb or /usr/local/var/db/turndb or
|
||||||
# /var/lib/turn/turndb.
|
# /var/lib/turn/turndb.
|
||||||
#
|
#
|
||||||
#userdb=/var/db/turndb
|
#userdb=/var/db/turndb
|
||||||
|
|
||||||
# PostgreSQL database connection string in the case that you are using PostgreSQL
|
# PostgreSQL database connection string in the case that we are using PostgreSQL
|
||||||
# as the user database.
|
# as the user database.
|
||||||
# This database can be used for the long-term credential mechanism
|
# This database can be used for long-term credential mechanism
|
||||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
|
||||||
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
|
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
|
||||||
# versions connection string format, see
|
# versions connection string format, see
|
||||||
# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
|
# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
|
||||||
# for 9.x and newer connection string formats.
|
# for 9.x and newer connection string formats.
|
||||||
#
|
#
|
||||||
#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
|
#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
|
||||||
|
|
||||||
# MySQL database connection string in the case that you are using MySQL
|
# MySQL database connection string in the case that we are using MySQL
|
||||||
# as the user database.
|
# as the user database.
|
||||||
# This database can be used for the long-term credential mechanism
|
# This database can be used for long-term credential mechanism
|
||||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
|
||||||
#
|
#
|
||||||
# Optional connection string parameters for the secure communications (SSL):
|
# Optional connection string parameters for the secure communications (SSL):
|
||||||
# ca, capath, cert, key, cipher
|
# ca, capath, cert, key, cipher
|
||||||
# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
|
# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
|
||||||
# command options description).
|
# command options description).
|
||||||
#
|
#
|
||||||
# Use the string format below (space separated parameters, all optional):
|
# Use string format as below (space separated parameters, all optional):
|
||||||
#
|
#
|
||||||
#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
|
#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
|
||||||
|
|
||||||
# If you want to use an encrypted password in the MySQL connection string,
|
# If you want to use in the MySQL connection string the password in encrypted format,
|
||||||
# then set the MySQL password encryption secret key file with this option.
|
# then set in this option the MySQL password encryption secret key file.
|
||||||
#
|
#
|
||||||
# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
|
# Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format!
|
||||||
# If you want to use a cleartext password then do not set this option!
|
# If you want to use cleartext password then do not set this option!
|
||||||
#
|
#
|
||||||
# This is the file path for the aes encrypted secret key used for password encryption.
|
# This is the file path which contain secret key of aes encryption while using password encryption.
|
||||||
#
|
#
|
||||||
#secret-key-file=/path/
|
#secret-key-file=/path/
|
||||||
|
|
||||||
# MongoDB database connection string in the case that you are using MongoDB
|
# MongoDB database connection string in the case that we are using MongoDB
|
||||||
# as the user database.
|
# as the user database.
|
||||||
# This database can be used for long-term credential mechanism
|
# This database can be used for long-term credential mechanism
|
||||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
|
||||||
# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
|
# Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
|
||||||
#
|
#
|
||||||
#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
|
#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
|
||||||
|
|
||||||
# Redis database connection string in the case that you are using Redis
|
# Redis database connection string in the case that we are using Redis
|
||||||
# as the user database.
|
# as the user database.
|
||||||
# This database can be used for long-term credential mechanism
|
# This database can be used for long-term credential mechanism
|
||||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
|
||||||
# Use the string format below (space separated parameters, all optional):
|
# Use string format as below (space separated parameters, all optional):
|
||||||
#
|
#
|
||||||
#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
|
#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
|
||||||
|
|
||||||
# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
|
# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
|
||||||
# This database keeps allocations status information, and it can be also used for publishing
|
# This database keeps allocations status information, and it can be also used for publishing
|
||||||
# and delivering traffic and allocation event notifications.
|
# and delivering traffic and allocation event notifications.
|
||||||
# The connection string has the same parameters as redis-userdb connection string.
|
# The connection string has the same parameters as redis-userdb connection string.
|
||||||
# Use the string format below (space separated parameters, all optional):
|
# Use string format as below (space separated parameters, all optional):
|
||||||
#
|
#
|
||||||
#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
|
#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
|
||||||
|
|
||||||
# The default realm to be used for the users when no explicit
|
# The default realm to be used for the users when no explicit
|
||||||
# origin/realm relationship is found in the database, or if the TURN
|
# origin/realm relationship was found in the database, or if the TURN
|
||||||
# server is not using any database (just the commands-line settings
|
# server is not using any database (just the commands-line settings
|
||||||
# and the userdb file). Must be used with long-term credentials
|
# and the userdb file). Must be used with long-term credentials
|
||||||
# mechanism or with TURN REST API.
|
# mechanism or with TURN REST API.
|
||||||
#
|
#
|
||||||
# Note: If the default realm is not specified, then realm falls back to the host domain name.
|
# Note: If default realm is not specified at all, then realm falls back to the host domain name.
|
||||||
# If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
|
# If domain name is empty string, or '(None)', then it is initialized to am empty string.
|
||||||
#
|
#
|
||||||
realm={{ coturn_realm }}
|
realm={{ coturn_realm }}
|
||||||
|
|
||||||
# This flag sets the origin consistency
|
# The flag that sets the origin consistency
|
||||||
# check. Across the session, all requests must have the same
|
# check: across the session, all requests must have the same
|
||||||
# main ORIGIN attribute value (if the ORIGIN was
|
# main ORIGIN attribute value (if the ORIGIN was
|
||||||
# initially used by the session).
|
# initially used by the session).
|
||||||
#
|
#
|
||||||
|
@ -378,7 +359,7 @@ realm={{ coturn_realm }}
|
||||||
|
|
||||||
# Max bytes-per-second bandwidth a TURN session is allowed to handle
|
# Max bytes-per-second bandwidth a TURN session is allowed to handle
|
||||||
# (input and output network streams are treated separately). Anything above
|
# (input and output network streams are treated separately). Anything above
|
||||||
# that limit will be dropped or temporarily suppressed (within
|
# that limit will be dropped or temporary suppressed (within
|
||||||
# the available buffer limits).
|
# the available buffer limits).
|
||||||
# This option can also be set through the database, for a particular realm.
|
# This option can also be set through the database, for a particular realm.
|
||||||
#
|
#
|
||||||
|
@ -422,11 +403,11 @@ no-dtls
|
||||||
#no-tcp-relay
|
#no-tcp-relay
|
||||||
|
|
||||||
# Uncomment if extra security is desired,
|
# Uncomment if extra security is desired,
|
||||||
# with nonce value having a limited lifetime.
|
# with nonce value having limited lifetime.
|
||||||
# The nonce value is unique for a session.
|
# By default, the nonce value is unique for a session,
|
||||||
# Set this option to limit the nonce lifetime.
|
# and has unlimited lifetime.
|
||||||
# Set it to 0 for unlimited lifetime.
|
# Set this option to limit the nonce lifetime.
|
||||||
# It defaults to 600 secs (10 min) if no value is provided. After that delay,
|
# It defaults to 600 secs (10 min) if no value is provided. After that delay,
|
||||||
# the client will get 438 error and will have to re-authenticate itself.
|
# the client will get 438 error and will have to re-authenticate itself.
|
||||||
#
|
#
|
||||||
#stale-nonce=600
|
#stale-nonce=600
|
||||||
|
@ -452,14 +433,13 @@ no-dtls
|
||||||
#permission-lifetime=300
|
#permission-lifetime=300
|
||||||
|
|
||||||
# Certificate file.
|
# Certificate file.
|
||||||
# Use an absolute path or path relative to the
|
# Use an absolute path or path relative to the
|
||||||
# configuration file.
|
# configuration file.
|
||||||
# Use PEM file format.
|
|
||||||
#
|
#
|
||||||
#cert=/usr/local/etc/turn_server_cert.pem
|
#cert=/usr/local/etc/turn_server_cert.pem
|
||||||
|
|
||||||
# Private key file.
|
# Private key file.
|
||||||
# Use an absolute path or path relative to the
|
# Use an absolute path or path relative to the
|
||||||
# configuration file.
|
# configuration file.
|
||||||
# Use PEM file format.
|
# Use PEM file format.
|
||||||
#
|
#
|
||||||
|
@ -475,29 +455,29 @@ no-dtls
|
||||||
#
|
#
|
||||||
#cipher-list="DEFAULT"
|
#cipher-list="DEFAULT"
|
||||||
|
|
||||||
# CA file in OpenSSL format.
|
# CA file in OpenSSL format.
|
||||||
# Forces TURN server to verify the client SSL certificates.
|
# Forces TURN server to verify the client SSL certificates.
|
||||||
# By default this is not set: there is no default value and the client
|
# By default it is not set: there is no default value and the client
|
||||||
# certificate is not checked.
|
# certificate is not checked.
|
||||||
#
|
#
|
||||||
# Example:
|
# Example:
|
||||||
#CA-file=/etc/ssh/id_rsa.cert
|
#CA-file=/etc/ssh/id_rsa.cert
|
||||||
|
|
||||||
# Curve name for EC ciphers, if supported by OpenSSL
|
# Curve name for EC ciphers, if supported by OpenSSL
|
||||||
# library (TLS and DTLS). The default value is prime256v1,
|
# library (TLS and DTLS). The default value is prime256v1,
|
||||||
# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
|
# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
|
||||||
# an optimal curve will be automatically calculated, if not defined
|
# an optimal curve will be automatically calculated, if not defined
|
||||||
# by this option.
|
# by this option.
|
||||||
#
|
#
|
||||||
#ec-curve-name=prime256v1
|
#ec-curve-name=prime256v1
|
||||||
|
|
||||||
# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
|
# Use 566 bits predefined DH TLS key. Default size of the key is 1066.
|
||||||
#
|
#
|
||||||
#dh566
|
#dh566
|
||||||
|
|
||||||
# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
|
# Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
|
||||||
#
|
#
|
||||||
#dh1066
|
#dh2066
|
||||||
|
|
||||||
# Use custom DH TLS key, stored in PEM format in the file.
|
# Use custom DH TLS key, stored in PEM format in the file.
|
||||||
# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
|
# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
|
||||||
|
@ -505,21 +485,21 @@ no-dtls
|
||||||
#dh-file=<DH-PEM-file-name>
|
#dh-file=<DH-PEM-file-name>
|
||||||
|
|
||||||
# Flag to prevent stdout log messages.
|
# Flag to prevent stdout log messages.
|
||||||
# By default, all log messages go to both stdout and to
|
# By default, all log messages are going to both stdout and to
|
||||||
# the configured log file. With this option everything will
|
# the configured log file. With this option everything will be
|
||||||
# go to the configured log only (unless the log file itself is stdout).
|
# going to the configured log only (unless the log file itself is stdout).
|
||||||
#
|
#
|
||||||
#no-stdout-log
|
#no-stdout-log
|
||||||
|
|
||||||
# Option to set the log file name.
|
# Option to set the log file name.
|
||||||
# By default, the turnserver tries to open a log file in
|
# By default, the turnserver tries to open a log file in
|
||||||
# /var/log, /var/tmp, /tmp and the current directory
|
# /var/log, /var/tmp, /tmp and current directories directories
|
||||||
# (Whichever file open operation succeeds first will be used).
|
# (which open operation succeeds first that file will be used).
|
||||||
# With this option you can set the definite log file name.
|
# With this option you can set the definite log file name.
|
||||||
# The special names are "stdout" and "-" - they will force everything
|
# The special names are "stdout" and "-" - they will force everything
|
||||||
# to the stdout. Also, the "syslog" name will force everything to
|
# to the stdout. Also, the "syslog" name will force everything to
|
||||||
# the system log (syslog).
|
# the system log (syslog).
|
||||||
# In the runtime, the logfile can be reset with the SIGHUP signal
|
# In the runtime, the logfile can be reset with the SIGHUP signal
|
||||||
# to the turnserver process.
|
# to the turnserver process.
|
||||||
#
|
#
|
||||||
#log-file=/var/tmp/turn.log
|
#log-file=/var/tmp/turn.log
|
||||||
|
@ -534,51 +514,41 @@ syslog
|
||||||
#
|
#
|
||||||
#simple-log
|
#simple-log
|
||||||
|
|
||||||
# Enable full ISO-8601 timestamp in all logs.
|
|
||||||
#new-log-timestamp
|
|
||||||
|
|
||||||
# Set timestamp format (in strftime(1) format)
|
|
||||||
#new-log-timestamp-format "%FT%T%z"
|
|
||||||
|
|
||||||
# Disabled by default binding logging in verbose log mode to avoid DoS attacks.
|
|
||||||
# Enable binding logging and UDP endpoint logs in verbose log mode.
|
|
||||||
#log-binding
|
|
||||||
|
|
||||||
# Option to set the "redirection" mode. The value of this option
|
# Option to set the "redirection" mode. The value of this option
|
||||||
# will be the address of the alternate server for UDP & TCP service in the form of
|
# will be the address of the alternate server for UDP & TCP service in form of
|
||||||
# <ip>[:<port>]. The server will send this value in the attribute
|
# <ip>[:<port>]. The server will send this value in the attribute
|
||||||
# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
|
# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
|
||||||
# Client will receive only values with the same address family
|
# Client will receive only values with the same address family
|
||||||
# as the client network endpoint address family.
|
# as the client network endpoint address family.
|
||||||
# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
|
# See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description.
|
||||||
# The client must use the obtained value for subsequent TURN communications.
|
# The client must use the obtained value for subsequent TURN communications.
|
||||||
# If more than one --alternate-server option is provided, then the functionality
|
# If more than one --alternate-server options are provided, then the functionality
|
||||||
# can be more accurately described as "load-balancing" than a mere "redirection".
|
# can be more accurately described as "load-balancing" than a mere "redirection".
|
||||||
# If the port number is omitted, then the default port
|
# If the port number is omitted, then the default port
|
||||||
# number 3478 for the UDP/TCP protocols will be used.
|
# number 3478 for the UDP/TCP protocols will be used.
|
||||||
# Colon (:) characters in IPv6 addresses may conflict with the syntax of
|
# Colon (:) characters in IPv6 addresses may conflict with the syntax of
|
||||||
# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
|
# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
|
||||||
# in square brackets in such resource identifiers, for example:
|
# in square brackets in such resource identifiers, for example:
|
||||||
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
|
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
|
||||||
# Multiple alternate servers can be set. They will be used in the
|
# Multiple alternate servers can be set. They will be used in the
|
||||||
# round-robin manner. All servers in the pool are considered of equal weight and
|
# round-robin manner. All servers in the pool are considered of equal weight and
|
||||||
# the load will be distributed equally. For example, if you have 4 alternate servers,
|
# the load will be distributed equally. For example, if we have 4 alternate servers,
|
||||||
# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
|
# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
|
||||||
# address can be used more than one time with the alternate-server option, so this
|
# address can be used more than one time with the alternate-server option, so this
|
||||||
# can emulate "weighting" of the servers.
|
# can emulate "weighting" of the servers.
|
||||||
#
|
#
|
||||||
# Examples:
|
# Examples:
|
||||||
#alternate-server=1.2.3.4:5678
|
#alternate-server=1.2.3.4:5678
|
||||||
#alternate-server=11.22.33.44:56789
|
#alternate-server=11.22.33.44:56789
|
||||||
#alternate-server=5.6.7.8
|
#alternate-server=5.6.7.8
|
||||||
#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
|
#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
|
||||||
|
|
||||||
# Option to set alternative server for TLS & DTLS services in form of
|
# Option to set alternative server for TLS & DTLS services in form of
|
||||||
# <ip>:<port>. If the port number is omitted, then the default port
|
# <ip>:<port>. If the port number is omitted, then the default port
|
||||||
# number 5349 for the TLS/DTLS protocols will be used. See the previous
|
# number 5349 for the TLS/DTLS protocols will be used. See the previous
|
||||||
# option for the functionality description.
|
# option for the functionality description.
|
||||||
#
|
#
|
||||||
# Examples:
|
# Examples:
|
||||||
#tls-alternate-server=1.2.3.4:5678
|
#tls-alternate-server=1.2.3.4:5678
|
||||||
#tls-alternate-server=11.22.33.44:56789
|
#tls-alternate-server=11.22.33.44:56789
|
||||||
#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
|
#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
|
||||||
|
@ -589,15 +559,6 @@ syslog
|
||||||
#
|
#
|
||||||
#stun-only
|
#stun-only
|
||||||
|
|
||||||
# Option to hide software version. Enhance security when used in production.
|
|
||||||
# Revealing the specific software version of the agent through the
|
|
||||||
# SOFTWARE attribute might allow them to become more vulnerable to
|
|
||||||
# attacks against software that is known to contain security holes.
|
|
||||||
# Implementers SHOULD make usage of the SOFTWARE attribute a
|
|
||||||
# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
|
|
||||||
#
|
|
||||||
#no-software-attribute
|
|
||||||
|
|
||||||
# Option to suppress STUN functionality, only TURN requests will be processed.
|
# Option to suppress STUN functionality, only TURN requests will be processed.
|
||||||
# Run as TURN server only, all STUN requests will be ignored.
|
# Run as TURN server only, all STUN requests will be ignored.
|
||||||
# By default, this option is NOT set.
|
# By default, this option is NOT set.
|
||||||
|
@ -606,7 +567,7 @@ syslog
|
||||||
|
|
||||||
# This is the timestamp/username separator symbol (character) in TURN REST API.
|
# This is the timestamp/username separator symbol (character) in TURN REST API.
|
||||||
# The default value is ':'.
|
# The default value is ':'.
|
||||||
# rest-api-separator=:
|
# rest-api-separator=:
|
||||||
|
|
||||||
# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
|
# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
|
||||||
# This is an extra security measure.
|
# This is an extra security measure.
|
||||||
|
@ -614,9 +575,9 @@ syslog
|
||||||
# (To avoid any security issue that allowing loopback access may raise,
|
# (To avoid any security issue that allowing loopback access may raise,
|
||||||
# the no-loopback-peers option is replaced by allow-loopback-peers.)
|
# the no-loopback-peers option is replaced by allow-loopback-peers.)
|
||||||
#
|
#
|
||||||
# Allow it only for testing in a development environment!
|
# Allow it only for testing in a development environment!
|
||||||
# In production it adds a possible security vulnerability, so for security reasons
|
# In production it adds a possible security vulnerability, so for security reasons
|
||||||
# it is not allowed using it together with empty cli-password.
|
# it is not allowed using it together with empty cli-password.
|
||||||
#
|
#
|
||||||
#allow-loopback-peers
|
#allow-loopback-peers
|
||||||
|
|
||||||
|
@ -625,18 +586,18 @@ syslog
|
||||||
#
|
#
|
||||||
no-multicast-peers
|
no-multicast-peers
|
||||||
|
|
||||||
# Option to set the max time, in seconds, allowed for full allocation establishment.
|
# Option to set the max time, in seconds, allowed for full allocation establishment.
|
||||||
# Default is 60 seconds.
|
# Default is 60 seconds.
|
||||||
#
|
#
|
||||||
#max-allocate-timeout=60
|
#max-allocate-timeout=60
|
||||||
|
|
||||||
# Option to allow or ban specific ip addresses or ranges of ip addresses.
|
# Option to allow or ban specific ip addresses or ranges of ip addresses.
|
||||||
# If an ip address is specified as both allowed and denied, then the ip address is
|
# If an ip address is specified as both allowed and denied, then the ip address is
|
||||||
# considered to be allowed. This is useful when you wish to ban a range of ip
|
# considered to be allowed. This is useful when you wish to ban a range of ip
|
||||||
# addresses, except for a few specific ips within that range.
|
# addresses, except for a few specific ips within that range.
|
||||||
#
|
#
|
||||||
# This can be used when you do not want users of the turn server to be able to access
|
# This can be used when you do not want users of the turn server to be able to access
|
||||||
# machines reachable by the turn server, but would otherwise be unreachable from the
|
# machines reachable by the turn server, but would otherwise be unreachable from the
|
||||||
# internet (e.g. when the turn server is sitting behind a NAT)
|
# internet (e.g. when the turn server is sitting behind a NAT)
|
||||||
#
|
#
|
||||||
# Examples:
|
# Examples:
|
||||||
|
@ -658,22 +619,22 @@ no-multicast-peers
|
||||||
#
|
#
|
||||||
mobility
|
mobility
|
||||||
|
|
||||||
# Allocate Address Family according
|
# Allocate Address Family according
|
||||||
# If enabled then TURN server allocates address family according the TURN
|
# If enabled then TURN server allocates address family according the TURN
|
||||||
# Client <=> Server communication address family.
|
# Client <=> Server communication address family.
|
||||||
# (By default Coturn works according RFC 6156.)
|
# (By default coTURN works according RFC 6156.)
|
||||||
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
|
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
|
||||||
#
|
#
|
||||||
#keep-address-family
|
#keep-address-family
|
||||||
|
|
||||||
|
|
||||||
# User name to run the process. After the initialization, the turnserver process
|
# User name to run the process. After the initialization, the turnserver process
|
||||||
# will attempt to change the current user ID to that user.
|
# will make an attempt to change the current user ID to that user.
|
||||||
#
|
#
|
||||||
#proc-user=<user-name>
|
#proc-user=<user-name>
|
||||||
|
|
||||||
# Group name to run the process. After the initialization, the turnserver process
|
# Group name to run the process. After the initialization, the turnserver process
|
||||||
# will attempt to change the current group ID to that group.
|
# will make an attempt to change the current group ID to that group.
|
||||||
#
|
#
|
||||||
#proc-group=<group-name>
|
#proc-group=<group-name>
|
||||||
|
|
||||||
|
@ -693,8 +654,8 @@ mobility
|
||||||
#cli-port=5766
|
#cli-port=5766
|
||||||
|
|
||||||
# CLI access password. Default is empty (no password).
|
# CLI access password. Default is empty (no password).
|
||||||
# For the security reasons, it is recommended that you use the encrypted
|
# For the security reasons, it is recommended to use the encrypted
|
||||||
# form of the password (see the -P command in the turnadmin utility).
|
# for of the password (see the -P command in the turnadmin utility).
|
||||||
#
|
#
|
||||||
# Secure form for password 'qwerty':
|
# Secure form for password 'qwerty':
|
||||||
#
|
#
|
||||||
|
@ -723,14 +684,10 @@ mobility
|
||||||
#
|
#
|
||||||
#web-admin-listen-on-workers
|
#web-admin-listen-on-workers
|
||||||
|
|
||||||
#acme-redirect=http://redirectserver/.well-known/acme-challenge/
|
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
|
||||||
# Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '<URL>$1'.
|
# Only for those applications when we want to run
|
||||||
# Default is '', i.e. no special handling for such requests.
|
|
||||||
|
|
||||||
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
|
|
||||||
# Only for those applications when you want to run
|
|
||||||
# server applications on the relay endpoints.
|
# server applications on the relay endpoints.
|
||||||
# This option eliminates the IP permissions check on
|
# This option eliminates the IP permissions check on
|
||||||
# the packets incoming to the relay endpoints.
|
# the packets incoming to the relay endpoints.
|
||||||
#
|
#
|
||||||
#server-relay
|
#server-relay
|
||||||
|
|
|
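--- a/PATH-NOT-SHOWN-isc-dhcp-server-defaults
+++ b/PATH-NOT-SHOWN-isc-dhcp-server-defaults
@@ -3,12 +3,10 @@
 #
 
 # Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
-#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
-#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
+#DHCPD_CONF=/etc/dhcp/dhcpd.conf
 
 # Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
-#DHCPDv4_PID=/var/run/dhcpd.pid
-#DHCPDv6_PID=/var/run/dhcpd6.pid
+#DHCPD_PID=/var/run/dhcpd.pid
 
 # Additional options to start dhcpd with.
 # Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
@@ -16,6 +14,4 @@
 
 # On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
 # Separate multiple interfaces with spaces, e.g. "eth0 eth1".
-INTERFACESv4="{{ ansible_default_ipv4['interface'] }}"
-INTERFACESv6=""
-INTERFACES="{{ ansible_default_ipv4['interface'] }}"
+INTERFACES="eth0"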
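Review bot: The new side hard-codes `INTERFACES="eth0"` where the old side used the `ansible_default_ipv4['interface']` fact, so on any host whose primary interface has a different name (predictable names such as ens18 or enp1s0) dhcpd will either fail to start or, depending on how the init script treats an interface it cannot find, end up serving on interfaces it was never meant to. Keeping the value templated, `INTERFACES="{{ ansible_default_ipv4['interface'] }}"`, or making it an explicit per-host variable avoids that. Whether the init script on the target release still reads the legacy `INTERFACES` / `DHCPD_CONF` keys or only the `INTERFACESv4` / `INTERFACESv6` pair is not visible here; if it is the latter, the new values are silently ignored, which deserves a one-line comment at the top of the template naming the release it was written for.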
@ -3,15 +3,13 @@
|
||||||
# option definitions common to all supported networks...
|
# option definitions common to all supported networks...
|
||||||
option domain-name "binary.kitchen";
|
option domain-name "binary.kitchen";
|
||||||
option domain-name-servers {{ name_servers | join(', ') }};
|
option domain-name-servers {{ name_servers | join(', ') }};
|
||||||
option domain-search "binary.kitchen";
|
|
||||||
option ntp-servers 172.23.1.60, 172.23.2.3;
|
option ntp-servers 172.23.1.60, 172.23.2.3;
|
||||||
|
|
||||||
default-lease-time 7200;
|
default-lease-time 7200;
|
||||||
max-lease-time 28800;
|
max-lease-time 28800;
|
||||||
|
|
||||||
# Use this to enble / disable dynamic dns updates globally.
|
# Use this to enble / disable dynamic dns updates globally.
|
||||||
ddns-update-style interim;
|
ddns-update-style none;
|
||||||
ddns-updates on;
|
|
||||||
|
|
||||||
# If this DHCP server is the official DHCP server for the local
|
# If this DHCP server is the official DHCP server for the local
|
||||||
# network, the authoritative directive should be uncommented.
|
# network, the authoritative directive should be uncommented.
|
||||||
|
@ -63,8 +61,6 @@ subnet 172.23.2.0 netmask 255.255.255.0 {
|
||||||
# Users
|
# Users
|
||||||
subnet 172.23.3.0 netmask 255.255.255.0 {
|
subnet 172.23.3.0 netmask 255.255.255.0 {
|
||||||
option routers 172.23.3.1;
|
option routers 172.23.3.1;
|
||||||
ddns-domainname "users.binary.kitchen";
|
|
||||||
option domain-search "binary.kitchen", "users.binary.kitchen";
|
|
||||||
pool {
|
pool {
|
||||||
{% if dhcpd_failover == true %}
|
{% if dhcpd_failover == true %}
|
||||||
failover peer "failover-partner";
|
failover peer "failover-partner";
|
||||||
|
@ -84,47 +80,6 @@ subnet 172.23.4.0 netmask 255.255.255.0 {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# Management Auweg
|
|
||||||
subnet 172.23.12.0 netmask 255.255.255.0 {
|
|
||||||
option routers 172.23.12.1;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Services Auweg
|
|
||||||
subnet 172.23.13.0 netmask 255.255.255.0 {
|
|
||||||
allow bootp;
|
|
||||||
option routers 172.23.13.1;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Users Auweg
|
|
||||||
subnet 172.23.14.0 netmask 255.255.255.0 {
|
|
||||||
option routers 172.23.3.1;
|
|
||||||
ddns-domainname "users.binary.kitchen";
|
|
||||||
option domain-search "binary.kitchen", "users.binary.kitchen";
|
|
||||||
pool {
|
|
||||||
{% if dhcpd_failover == true %}
|
|
||||||
failover peer "failover-partner";
|
|
||||||
{% endif %}
|
|
||||||
range 172.23.14.10 172.23.14.230;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# MQTT Auweg
|
|
||||||
subnet 172.23.15.0 netmask 255.255.255.0 {
|
|
||||||
option routers 172.23.4.1;
|
|
||||||
pool {
|
|
||||||
{% if dhcpd_failover == true %}
|
|
||||||
failover peer "failover-partner";
|
|
||||||
{% endif %}
|
|
||||||
range 172.23.15.10 172.23.15.240;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# DDNS zones
|
|
||||||
|
|
||||||
zone users.binary.kitchen {
|
|
||||||
primary {{ dns_primary }};
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# Fixed IPs
|
# Fixed IPs
|
||||||
|
|
||||||
|
@ -143,11 +98,6 @@ host ap05 {
|
||||||
fixed-address ap05.binary.kitchen;
|
fixed-address ap05.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
host ap06 {
|
|
||||||
hardware ethernet 94:b4:0f:c0:1d:a0;
|
|
||||||
fixed-address ap06.binary.kitchen;
|
|
||||||
}
|
|
||||||
|
|
||||||
host bowle {
|
host bowle {
|
||||||
hardware ethernet ac:1f:6b:25:16:b6;
|
hardware ethernet ac:1f:6b:25:16:b6;
|
||||||
fixed-address bowle.binary.kitchen;
|
fixed-address bowle.binary.kitchen;
|
||||||
|
@ -158,6 +108,11 @@ host cannelloni {
|
||||||
fixed-address cannelloni.binary.kitchen;
|
fixed-address cannelloni.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
host cashdesk {
|
||||||
|
hardware ethernet 00:0b:ca:94:13:f1;
|
||||||
|
fixed-address cashdesk.binary.kitchen;
|
||||||
|
}
|
||||||
|
|
||||||
host fusilli {
|
host fusilli {
|
||||||
hardware ethernet b8:27:eb:1d:b9:bf;
|
hardware ethernet b8:27:eb:1d:b9:bf;
|
||||||
fixed-address fusilli.binary.kitchen;
|
fixed-address fusilli.binary.kitchen;
|
||||||
|
@ -168,14 +123,9 @@ host garlic {
|
||||||
fixed-address garlic.binary.kitchen;
|
fixed-address garlic.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
host habdisplay1 {
|
host homer {
|
||||||
hardware ethernet b8:27:eb:b6:62:be;
|
hardware ethernet b8:27:eb:24:b2:12;
|
||||||
fixed-address habdisplay1.mqtt.binary.kitchen;
|
fixed-address homer.binary.kitchen;
|
||||||
}
|
|
||||||
|
|
||||||
host habdisplay2 {
|
|
||||||
hardware ethernet b8:27:eb:df:0b:7b;
|
|
||||||
fixed-address habdisplay2.mqtt.binary.kitchen;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
host klopi {
|
host klopi {
|
||||||
|
@ -213,16 +163,16 @@ host noodlehub {
|
||||||
fixed-address noodlehub.binary.kitchen;
|
fixed-address noodlehub.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
host openhabgw1 {
|
|
||||||
hardware ethernet dc:a6:32:bf:e2:3e;
|
|
||||||
fixed-address openhabgw1.mqtt.binary.kitchen;
|
|
||||||
}
|
|
||||||
|
|
||||||
host pizza {
|
host pizza {
|
||||||
hardware ethernet 52:54:00:17:02:21;
|
hardware ethernet 52:54:00:17:02:21;
|
||||||
fixed-address pizza.binary.kitchen;
|
fixed-address pizza.binary.kitchen;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
host punsch {
|
||||||
|
hardware ethernet 00:21:85:1b:7f:3d;
|
||||||
|
fixed-address punsch.binary.kitchen;
|
||||||
|
}
|
||||||
|
|
||||||
host spaghetti {
|
host spaghetti {
|
||||||
hardware ethernet b8:27:eb:e3:e9:f1;
|
hardware ethernet b8:27:eb:e3:e9:f1;
|
||||||
fixed-address spaghetti.binary.kitchen;
|
fixed-address spaghetti.binary.kitchen;
|
||||||
|
|
|
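Review bot: The new reservations `fixed-address cashdesk.binary.kitchen;` and `fixed-address punsch.binary.kitchen;` (and the renamed `fixed-address homer.binary.kitchen;`) are given as names which, as far as I recall, dhcpd resolves while parsing its configuration, so the reservation — and possibly dhcpd start-up itself — now depends on the authoritative DNS being reachable and already carrying the new records; the `cashdesk` and `homer` A/PTR records are added in the zone files in this same change, but no record for `punsch` is visible here. Writing the literal address, e.g. `fixed-address 172.23.2.44;` for cashdesk (the value the new reverse entry `44.2 IN PTR cashdesk.binary.kitchen.` implies), removes that dependency; the existing reservations follow the same name-based pattern, so this is a pre-existing convention rather than something introduced here. Minor: the Auweg removal in the `@ -84,47 +80,6 @@` hunk appears to leave two consecutive blank lines before `# Fixed IPs`.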
@ -5,21 +5,11 @@
|
||||||
name:
|
name:
|
||||||
- pdns-server
|
- pdns-server
|
||||||
- pdns-backend-sqlite3
|
- pdns-backend-sqlite3
|
||||||
- sqlite3
|
|
||||||
|
|
||||||
- name: Configure powerdns
|
- name: Configure powerdns
|
||||||
template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
|
template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
|
||||||
notify: Restart powerdns
|
notify: Restart powerdns
|
||||||
|
|
||||||
- name: Initialize database
|
|
||||||
command:
|
|
||||||
cmd: >
|
|
||||||
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
|
|
||||||
/var/lib/powerdns/powerdns.sqlite3
|
|
||||||
creates: /var/lib/powerdns/powerdns.sqlite3
|
|
||||||
become: true
|
|
||||||
become_user: pdns
|
|
||||||
|
|
||||||
- name: Copy update policy script
|
- name: Copy update policy script
|
||||||
copy: src=updatepolicy.lua dest=/etc/powerdns/updatepolicy.lua
|
copy: src=updatepolicy.lua dest=/etc/powerdns/updatepolicy.lua
|
||||||
notify: Restart powerdns
|
notify: Restart powerdns
|
||||||
|
|
|
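--- a/PATH-NOT-SHOWN/pdns.conf.j2
+++ b/PATH-NOT-SHOWN/pdns.conf.j2
@@ -11,4 +11,3 @@ allow-axfr-ips=127.0.0.1,::1{% if dns_axfr_ips is defined %},{{ dns_axfr_ips | j
 {% endif %}
 allow-dnsupdate-from=0.0.0.0/0,::/0
 lua-dnsupdate-policy-script=/etc/powerdns/updatepolicy.lua
-security-poll-suffix=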
@ -5,6 +5,3 @@
|
||||||
with_items:
|
with_items:
|
||||||
- pdns
|
- pdns
|
||||||
- pdns-recursor
|
- pdns-recursor
|
||||||
|
|
||||||
- name: Restart dnsdist
|
|
||||||
service: name=dnsdist state=restarted
|
|
||||||
|
|
|
@ -3,11 +3,8 @@
|
||||||
- name: Install powerdns
|
- name: Install powerdns
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
- dnsdist
|
|
||||||
- pdns-backend-sqlite3
|
|
||||||
- pdns-server
|
- pdns-server
|
||||||
- pdns-recursor
|
- pdns-recursor
|
||||||
- sqlite3
|
|
||||||
|
|
||||||
- name: Create zone directory
|
- name: Create zone directory
|
||||||
file: path=/etc/powerdns/bind/ state=directory
|
file: path=/etc/powerdns/bind/ state=directory
|
||||||
|
@ -22,28 +19,8 @@
|
||||||
- bind/23.172.in-addr.arpa.zone
|
- bind/23.172.in-addr.arpa.zone
|
||||||
- bind/binary.kitchen.zone
|
- bind/binary.kitchen.zone
|
||||||
|
|
||||||
- name: Initialize database
|
|
||||||
command:
|
|
||||||
cmd: >
|
|
||||||
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
|
|
||||||
/var/lib/powerdns/pdns.sqlite3
|
|
||||||
creates: /var/lib/powerdns/pdns.sqlite3
|
|
||||||
become: true
|
|
||||||
become_user: pdns
|
|
||||||
|
|
||||||
# TODO
|
|
||||||
# Initialize zone users.binary.kitchen using pdnsutil or SQL on the master
|
|
||||||
|
|
||||||
# TODO
|
|
||||||
# Initialize zone users.binary.kitchen using "pdnsutil create-slave-zone users.binary.kitchen 172.23.2.3" on the slave
|
|
||||||
|
|
||||||
- name: Configure dnsdist
|
|
||||||
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
|
|
||||||
notify: Restart dnsdist
|
|
||||||
|
|
||||||
- name: Start the powerdns services
|
- name: Start the powerdns services
|
||||||
service: name={{ item }} state=started enabled=yes
|
service: name={{ item }} state=started enabled=yes
|
||||||
with_items:
|
with_items:
|
||||||
- dnsdist
|
|
||||||
- pdns
|
- pdns
|
||||||
- pdns-recursor
|
- pdns-recursor
|
||||||
|
|
|
@ -1,19 +1,19 @@
|
||||||
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
|
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
|
||||||
$TTL 1h ; default time-to-live
|
$TTL 1h ; default time-to-live
|
||||||
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
|
@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
|
||||||
2021091301; serial
|
2020051101; serial
|
||||||
1d; refresh
|
1d; refresh
|
||||||
2h; retry
|
2h; retry
|
||||||
4w; expire
|
4w; expire
|
||||||
1h; minimum time-to-live
|
1h; minimum time-to-live
|
||||||
)
|
)
|
||||||
IN NS ns1.binary.kitchen.
|
IN NS ns.binary.kitchen.
|
||||||
IN NS ns2.binary.kitchen.
|
|
||||||
; Loopback
|
; Loopback
|
||||||
1.0 IN PTR core.binary.kitchen.
|
1.0 IN PTR core.binary.kitchen.
|
||||||
2.0 IN PTR erx-bk.binary.kitchen.
|
2.0 IN PTR erx-bk.binary.kitchen.
|
||||||
3.0 IN PTR erx-rz.binary.kitchen.
|
3.0 IN PTR erx-rz.binary.kitchen.
|
||||||
4.0 IN PTR erx-auweg.binary.kitchen.
|
4.0 IN PTR pf-bk.binary.kitchen.
|
||||||
|
5.0 IN PTR pf-rz.binary.kitchen.
|
||||||
; Management
|
; Management
|
||||||
1.1 IN PTR v2301.core.binary.kitchen.
|
1.1 IN PTR v2301.core.binary.kitchen.
|
||||||
11.1 IN PTR ups1.binary.kitchen.
|
11.1 IN PTR ups1.binary.kitchen.
|
||||||
|
@ -28,7 +28,6 @@ $TTL 1h ; default time-to-live
|
||||||
43.1 IN PTR ap03.binary.kitchen.
|
43.1 IN PTR ap03.binary.kitchen.
|
||||||
44.1 IN PTR ap04.binary.kitchen.
|
44.1 IN PTR ap04.binary.kitchen.
|
||||||
45.1 IN PTR ap05.binary.kitchen.
|
45.1 IN PTR ap05.binary.kitchen.
|
||||||
46.1 IN PTR ap06.binary.kitchen.
|
|
||||||
51.1 IN PTR modem.binary.kitchen.
|
51.1 IN PTR modem.binary.kitchen.
|
||||||
60.1 IN PTR wurst.binary.kitchen.
|
60.1 IN PTR wurst.binary.kitchen.
|
||||||
80.1 IN PTR wurst-bmc.binary.kitchen.
|
80.1 IN PTR wurst-bmc.binary.kitchen.
|
||||||
|
@ -37,16 +36,17 @@ $TTL 1h ; default time-to-live
|
||||||
102.1 IN PTR nbe-tr8.binary.kitchen.
|
102.1 IN PTR nbe-tr8.binary.kitchen.
|
||||||
; Services
|
; Services
|
||||||
1.2 IN PTR v2302.core.binary.kitchen.
|
1.2 IN PTR v2302.core.binary.kitchen.
|
||||||
|
2.2 IN PTR ns.binary.kitchen.
|
||||||
3.2 IN PTR bacon.binary.kitchen.
|
3.2 IN PTR bacon.binary.kitchen.
|
||||||
4.2 IN PTR aveta.binary.kitchen.
|
4.2 IN PTR aveta.binary.kitchen.
|
||||||
5.2 IN PTR sulis.binary.kitchen.
|
5.2 IN PTR sulis.binary.kitchen.
|
||||||
6.2 IN PTR nabia.binary.kitchen.
|
6.2 IN PTR nabia.binary.kitchen.
|
||||||
7.2 IN PTR epona.binary.kitchen.
|
11.2 IN PTR homer.binary.kitchen.
|
||||||
12.2 IN PTR lock.binary.kitchen.
|
12.2 IN PTR lock.binary.kitchen.
|
||||||
13.2 IN PTR matrix.binary.kitchen.
|
13.2 IN PTR matrix.binary.kitchen.
|
||||||
33.2 IN PTR pizza.binary.kitchen.
|
33.2 IN PTR pizza.binary.kitchen.
|
||||||
36.2 IN PTR schweinshaxn.binary.kitchen.
|
36.2 IN PTR schweinshaxn.binary.kitchen.
|
||||||
37.2 IN PTR bob.binary.kitchen.
|
44.2 IN PTR cashdesk.binary.kitchen.
|
||||||
62.2 IN PTR bowle.binary.kitchen.
|
62.2 IN PTR bowle.binary.kitchen.
|
||||||
91.2 IN PTR strammermax.binary.kitchen.
|
91.2 IN PTR strammermax.binary.kitchen.
|
||||||
92.2 IN PTR obatzda.binary.kitchen.
|
92.2 IN PTR obatzda.binary.kitchen.
|
||||||
|
@ -60,39 +60,28 @@ $GENERATE 10-230 $.3 IN PTR dhcp-${0,3,d}-03.binary.kitchen.
|
||||||
244.3 IN PTR mirror.binary.kitchen.
|
244.3 IN PTR mirror.binary.kitchen.
|
||||||
245.3 IN PTR spaghetti.binary.kitchen.
|
245.3 IN PTR spaghetti.binary.kitchen.
|
||||||
246.3 IN PTR maccaroni.binary.kitchen.
|
246.3 IN PTR maccaroni.binary.kitchen.
|
||||||
|
247.3 IN PTR pve02-bmc.tmp.binary.kitchen.
|
||||||
|
248.3 IN PTR pve02.tmp.binary.kitchen.
|
||||||
|
249.3 IN PTR ffrgb.binary.kitchen.
|
||||||
250.3 IN PTR cannelloni.binary.kitchen.
|
250.3 IN PTR cannelloni.binary.kitchen.
|
||||||
251.3 IN PTR noodlehub.binary.kitchen.
|
251.3 IN PTR noodlehub.binary.kitchen.
|
||||||
; MQTT
|
; MQTT
|
||||||
1.4 IN PTR v2304.core.binary.kitchen.
|
1.4 IN PTR v2304.core.binary.kitchen.
|
||||||
6.4 IN PTR pizza.mqtt.binary.kitchen.
|
6.4 IN PTR pizza.mqtt.binary.kitchen.
|
||||||
$GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
|
$GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
|
||||||
241.4 IN PTR habdisplay1.mqtt.binary.kitchen.
|
|
||||||
242.4 IN PTR habdisplay2.mqtt.binary.kitchen.
|
|
||||||
245.4 IN PTR logo1.mqtt.binary.kitchen.
|
|
||||||
246.4 IN PTR logo2.mqtt.binary.kitchen.
|
|
||||||
250.4 IN PTR moodlights1.mqtt.binary.kitchen.
|
|
||||||
251.4 IN PTR openhabgw1.mqtt.binary.kitchen.
|
|
||||||
252.4 IN PTR homematic-ccu2.mqtt.binary.kitchen.
|
|
||||||
; Management RZ
|
; Management RZ
|
||||||
1.9 IN PTR switch0.erx-rz.binary.kitchen.
|
1.9 IN PTR switch0.erx-rz.binary.kitchen.
|
||||||
61.9 IN PTR salat.binary.kitchen.
|
61.9 IN PTR salat.binary.kitchen.
|
||||||
81.9 IN PTR salat-bmc.binary.kitchen.
|
81.9 IN PTR salat-bmc.binary.kitchen.
|
||||||
; Services RZ
|
; Services RZ
|
||||||
|
23.8 IN PTR cernunnos.binary.kitchen.
|
||||||
; VPN RZ (ER-X)
|
; VPN RZ (ER-X)
|
||||||
1.10 IN PTR wg0.erx-rz.binary.kitchen.
|
1.10 IN PTR wg1.erx-rz.binary.kitchen.
|
||||||
$GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen.
|
$GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen.
|
||||||
; Management Auweg
|
; VPN RZ (pf)
|
||||||
61.12 IN PTR weizen.binary.kitchen.
|
$GENERATE 2-254 $.11 IN PTR vpn-${0,3,d}-11.binary.kitchen.
|
||||||
; Services Auweg
|
|
||||||
3.13 IN PTR aeron.binary.kitchen.
|
|
||||||
; Clients Auweg
|
|
||||||
$GENERATE 10-230 $.14 IN PTR dhcp-${0,3,d}-14.binary.kitchen.
|
|
||||||
; MQTT
|
|
||||||
$GENERATE 10-240 $.15 IN PTR dhcp-${0,3,d}-15.binary.kitchen.
|
|
||||||
; Point-to-Point
|
; Point-to-Point
|
||||||
1.96 IN PTR v400.erx-bk.binary.kitchen.
|
1.96 IN PTR v400.erx-bk.binary.kitchen.
|
||||||
2.96 IN PTR v400.core.binary.kitchen.
|
2.96 IN PTR v400.core.binary.kitchen.
|
||||||
1.97 IN PTR wg1.erx-rz.binary.kitchen.
|
1.97 IN PTR wg0.erx-rz.binary.kitchen.
|
||||||
2.97 IN PTR wg1.erx-bk.binary.kitchen.
|
2.97 IN PTR wg0.erx-bk.binary.kitchen.
|
||||||
5.97 IN PTR wg2.erx-rz.binary.kitchen.
|
|
||||||
6.97 IN PTR wg2.erx-auweg.binary.kitchen.
|
|
||||||
|
|
|
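Review bot: The SOA serial on the new side, `2020051101; serial`, is lower than the serial it replaces (2021091301), so any secondary that already holds the higher serial will treat this zone as older and never transfer the new data, since serial comparison follows RFC 1982 arithmetic. The same regression is in the binary.kitchen forward zone section that follows this one. Whether a secondary exists is not visible here — the new side keeps only a single `IN NS ns.binary.kitchen.` record — but if the zones are published anywhere else the serial has to be bumped above the old value (a date-based serial newer than 2021091301) before deployment, and it is worth considering a second NS record, since a single authoritative server is a single point of failure for both the forward and reverse zones.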
@ -1,34 +1,25 @@
|
||||||
$ORIGIN binary.kitchen ; base for unqualified names
|
$ORIGIN binary.kitchen ; base for unqualified names
|
||||||
$TTL 1h ; default time-to-live
|
$TTL 1h ; default time-to-live
|
||||||
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
|
@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
|
||||||
2021091301; serial
|
2020051101; serial
|
||||||
1d; refresh
|
1d; refresh
|
||||||
2h; retry
|
2h; retry
|
||||||
4w; expire
|
4w; expire
|
||||||
1h; minimum time-to-live
|
1h; minimum time-to-live
|
||||||
)
|
)
|
||||||
IN NS ns1.binary.kitchen.
|
IN NS ns.binary.kitchen.
|
||||||
IN NS ns2.binary.kitchen.
|
|
||||||
; Subdomains
|
|
||||||
users IN NS ns1.binary.kitchen.
|
|
||||||
users IN NS ns2.binary.kitchen.
|
|
||||||
; External
|
; External
|
||||||
IN A 213.166.246.4
|
IN A 213.166.246.4
|
||||||
www IN A 213.166.246.4
|
www IN A 213.166.246.4
|
||||||
; Aliases
|
; Aliases
|
||||||
3dprinter IN A 172.23.3.251
|
3dprinter IN A 172.23.3.251
|
||||||
icinga IN A 172.23.2.6
|
|
||||||
ldap IN A 172.23.2.3
|
ldap IN A 172.23.2.3
|
||||||
ldap IN A 172.23.2.4
|
ldap IN A 172.23.2.4
|
||||||
ldap IN A 213.166.246.2
|
ldap IN A 213.166.246.2
|
||||||
ldap1 IN A 172.23.2.3
|
ldap1 IN A 172.23.2.3
|
||||||
ldap2 IN A 172.23.2.4
|
ldap2 IN A 172.23.2.4
|
||||||
ldap3 IN A 172.23.13.3
|
|
||||||
ldapm IN A 213.166.246.2
|
ldapm IN A 213.166.246.2
|
||||||
librenms IN A 172.23.2.6
|
librenms IN A 172.23.2.6
|
||||||
netbox IN A 172.23.2.7
|
|
||||||
ns1 IN A 172.23.2.3
|
|
||||||
ns2 IN A 172.23.2.4
|
|
||||||
racktables IN A 172.23.2.6
|
racktables IN A 172.23.2.6
|
||||||
radius IN A 172.23.2.3
|
radius IN A 172.23.2.3
|
||||||
radius IN A 172.23.2.4
|
radius IN A 172.23.2.4
|
||||||
|
@ -36,7 +27,8 @@ radius IN A 172.23.2.4
|
||||||
core IN A 172.23.0.1
|
core IN A 172.23.0.1
|
||||||
erx-bk IN A 172.23.0.2
|
erx-bk IN A 172.23.0.2
|
||||||
erx-rz IN A 172.23.0.3
|
erx-rz IN A 172.23.0.3
|
||||||
erx-auweg IN A 172.23.0.4
|
pf-bk IN A 172.23.0.4
|
||||||
|
pf-rz IN A 172.23.0.5
|
||||||
; Management
|
; Management
|
||||||
v2301.core IN A 172.23.1.1
|
v2301.core IN A 172.23.1.1
|
||||||
ups1 IN A 172.23.1.11
|
ups1 IN A 172.23.1.11
|
||||||
|
@ -51,7 +43,6 @@ ap02 IN A 172.23.1.42
|
||||||
ap03 IN A 172.23.1.43
|
ap03 IN A 172.23.1.43
|
||||||
ap04 IN A 172.23.1.44
|
ap04 IN A 172.23.1.44
|
||||||
ap05 IN A 172.23.1.45
|
ap05 IN A 172.23.1.45
|
||||||
ap06 IN A 172.23.1.46
|
|
||||||
modem IN A 172.23.1.51
|
modem IN A 172.23.1.51
|
||||||
wurst IN A 172.23.1.60
|
wurst IN A 172.23.1.60
|
||||||
wurst-bmc IN A 172.23.1.80
|
wurst-bmc IN A 172.23.1.80
|
||||||
|
@ -60,16 +51,17 @@ nbe-w13b IN A 172.23.1.101
|
||||||
nbe-tr8 IN A 172.23.1.102
|
nbe-tr8 IN A 172.23.1.102
|
||||||
; Services
|
; Services
|
||||||
v2302.core IN A 172.23.2.1
|
v2302.core IN A 172.23.2.1
|
||||||
|
ns IN A 172.23.2.2
|
||||||
bacon IN A 172.23.2.3
|
bacon IN A 172.23.2.3
|
||||||
aveta IN A 172.23.2.4
|
aveta IN A 172.23.2.4
|
||||||
sulis IN A 172.23.2.5
|
sulis IN A 172.23.2.5
|
||||||
nabia IN A 172.23.2.6
|
nabia IN A 172.23.2.6
|
||||||
epona IN A 172.23.2.7
|
homer IN A 172.23.2.11
|
||||||
lock IN A 172.23.2.12
|
lock IN A 172.23.2.12
|
||||||
matrix IN A 172.23.2.13
|
matrix IN A 172.23.2.13
|
||||||
pizza IN A 172.23.2.33
|
pizza IN A 172.23.2.33
|
||||||
schweinshaxn IN A 172.23.2.36
|
schweinshaxn IN A 172.23.2.36
|
||||||
bob IN A 172.23.2.37
|
cashdesk IN A 172.23.2.44
|
||||||
bowle IN A 172.23.2.62
|
bowle IN A 172.23.2.62
|
||||||
strammermax IN A 172.23.2.91
|
strammermax IN A 172.23.2.91
|
||||||
obatzda IN A 172.23.2.92
|
obatzda IN A 172.23.2.92
|
||||||
|
@ -83,39 +75,28 @@ garlic IN A 172.23.3.243
|
||||||
mirror IN A 172.23.3.244
|
mirror IN A 172.23.3.244
|
||||||
spaghetti IN A 172.23.3.245
|
spaghetti IN A 172.23.3.245
|
||||||
maccaroni IN A 172.23.3.246
|
maccaroni IN A 172.23.3.246
|
||||||
|
pve02-bmc.tmp IN A 172.23.3.247
|
||||||
|
pve02.tmp IN A 172.23.3.248
|
||||||
|
ffrgb IN A 172.23.3.249
|
||||||
cannelloni IN A 172.23.3.250
|
cannelloni IN A 172.23.3.250
|
||||||
noodlehub IN A 172.23.3.251
|
noodlehub IN A 172.23.3.251
|
||||||
; MQTT
|
; MQTT
|
||||||
v2304.core IN A 172.23.4.1
|
v2304.core IN A 172.23.4.1
|
||||||
pizza.mqtt IN A 172.23.4.6
|
pizza.mqtt IN A 172.23.4.6
|
||||||
$GENERATE 10-240 dhcp-${0,3,d}-04 IN A 172.23.4.$
|
$GENERATE 10-240 dhcp-${0,3,d}-04 IN A 172.23.4.$
|
||||||
habdisplay1.mqtt IN A 172.23.4.241
|
|
||||||
habdisplay2.mqtt IN A 172.23.4.242
|
|
||||||
logo1.mqtt IN A 172.23.4.245
|
|
||||||
logo2.mqtt IN A 172.23.4.246
|
|
||||||
moodlights1.mqtt IN A 172.23.4.250
|
|
||||||
openhabgw1.mqtt IN A 172.23.4.251
|
|
||||||
homematic-ccu2.mqtt IN A 172.23.4.252
|
|
||||||
; Management RZ
|
; Management RZ
|
||||||
switch0.erx-rz IN A 172.23.9.1
|
switch0.erx-rz IN A 172.23.9.1
|
||||||
salat IN A 172.23.9.61
|
salat IN A 172.23.9.61
|
||||||
salat-bmc IN A 172.23.9.81
|
salat-bmc IN A 172.23.9.81
|
||||||
; Services RZ
|
; Services RZ
|
||||||
; Management Auweg
|
cernunnos IN A 172.23.8.23
|
||||||
weizen IN A 172.23.12.61
|
|
||||||
; Services Auweg
|
|
||||||
aeron IN A 172.23.13.3
|
|
||||||
; Clients Auweg
|
|
||||||
$GENERATE 10-230 dhcp-${0,3,d}-14 IN A 172.23.14.$
|
|
||||||
; MQTT Auweg
|
|
||||||
$GENERATE 10-240 dhcp-${0,3,d}-15 IN A 172.23.15.$
|
|
||||||
; VPN RZ (ER-X)
|
; VPN RZ (ER-X)
|
||||||
wg0.erx-rz IN A 172.23.10.1
|
wg1.erx-rz IN A 172.23.10.1
|
||||||
$GENERATE 2-254 vpn-${0,3,d}-10 IN A 172.23.10.$
|
$GENERATE 2-254 vpn-${0,3,d}-10 IN A 172.23.10.$
|
||||||
|
; VPN RZ (pf)
|
||||||
|
$GENERATE 2-254 vpn-${0,3,d}-11 IN A 172.23.11.$
|
||||||
; Point-to-Point
|
; Point-to-Point
|
||||||
v400.erx-bk IN A 172.23.96.1
|
v400.erx-bk IN A 172.23.96.1
|
||||||
v400.core IN A 172.23.96.2
|
v400.core IN A 172.23.96.2
|
||||||
wg1.erx-rz IN A 172.23.97.1
|
wg0.erx-rz IN A 172.23.97.1
|
||||||
wg1.erx-bk IN A 172.23.97.2
|
wg0.erx-bk IN A 172.23.97.2
|
||||||
wg2.erx-rz IN A 172.23.97.5
|
|
||||||
wg2.erx-auweg IN A 172.23.97.6
|
|
||||||
|
|
|
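Review bot: The SOA serial on the new side, `2020051101; serial`, is lower than the serial it replaces (2021091301), so any secondary that already transferred the higher serial would treat this zone as stale and keep serving the old data until the serial is raised past it; bump it (for example `2021091302; serial`, or the current date plus a counter) when this is applied. The same hunk leaves `IN NS ns.binary.kitchen.` as the zone's only NS record and drops the `users` subdomain delegation, so the zone has a single point of failure; if a second nameserver still exists it should keep its NS record and glue. The glue for `ns` is added further down in the Services hunk (`ns IN A 172.23.2.2`), so the apex delegation itself does resolve.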
@ -1,27 +0,0 @@
|
||||||
-- {{ ansible_managed }}
|
|
||||||
|
|
||||||
setLocal('127.0.0.1')
|
|
||||||
addLocal('::1')
|
|
||||||
addLocal('{{ ansible_default_ipv4.address }}')
|
|
||||||
|
|
||||||
-- define downstream servers/pools
|
|
||||||
newServer({address='127.0.0.1:5300', pool='authdns'})
|
|
||||||
newServer({address='127.0.0.1:5353', pool='resolve'})
|
|
||||||
|
|
||||||
{% if dns_secondary is defined %}
|
|
||||||
-- allow AXFR/IXFR only from slaves
|
|
||||||
addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
-- allow NOTIFY only from master
|
|
||||||
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
|
|
||||||
|
|
||||||
-- use auth servers for own zones
|
|
||||||
addAction('binary.kitchen', PoolAction('authdns'))
|
|
||||||
addAction('23.172.in-addr.arpa', PoolAction('authdns'))
|
|
||||||
|
|
||||||
-- use resolver for anything else
|
|
||||||
addAction(AllRule(), PoolAction('resolve'))
|
|
||||||
|
|
||||||
-- disable security status polling via DNS
|
|
||||||
setSecurityPollSuffix('')
|
|
|
@ -1,96 +1,46 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
{% if ansible_default_ipv4.address == dns_primary %}
|
|
||||||
#################################
|
#################################
|
||||||
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
|
# launch Which backends to launch and order to query them in
|
||||||
#
|
|
||||||
# allow-dnsupdate-from=127.0.0.0/8,::1
|
|
||||||
allow-dnsupdate-from=127.0.0.0/8,::1,{{ dhcpd_primary }}{% if dhcpd_secondary is defined %},{{ dhcpd_secondary }}{% endif %}
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
|
|
||||||
#
|
|
||||||
# dnsupdate=no
|
|
||||||
dnsupdate=yes
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# launch Which backends to launch and order to query them in
|
|
||||||
#
|
#
|
||||||
# launch=
|
# launch=
|
||||||
launch=bind,gsqlite3
|
launch=bind
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# local-address Local IP addresses to which we bind
|
# local-address Local IP addresses to which we bind
|
||||||
#
|
#
|
||||||
# local-address=0.0.0.0
|
# local-address=0.0.0.0
|
||||||
local-address=127.0.0.1
|
local-address=127.0.0.1
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# local-ipv6 Local IP address to which we bind
|
# local-ipv6 Local IP address to which we bind
|
||||||
#
|
#
|
||||||
# local-ipv6=::
|
# local-ipv6=::
|
||||||
local-ipv6=
|
local-ipv6=
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# local-port The port on which we listen
|
# local-port The port on which we listen
|
||||||
#
|
#
|
||||||
# local-port=53
|
# local-port=53
|
||||||
local-port=5300
|
local-port=5300
|
||||||
|
|
||||||
{% if ansible_default_ipv4.address == dns_primary %}
|
|
||||||
#################################
|
#################################
|
||||||
# master Act as a master
|
# security-poll-suffix Domain name from which to query security update notifications
|
||||||
#
|
|
||||||
# master=no
|
|
||||||
master=yes
|
|
||||||
|
|
||||||
{% if dns_secondary is defined %}
|
|
||||||
#################################
|
|
||||||
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
|
|
||||||
#
|
|
||||||
# only-notify=0.0.0.0/0,::/0
|
|
||||||
only-notify={{ dns_secondary }}
|
|
||||||
{% endif %}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# security-poll-suffix Domain name from which to query security update notifications
|
|
||||||
#
|
#
|
||||||
# security-poll-suffix=secpoll.powerdns.com.
|
# security-poll-suffix=secpoll.powerdns.com.
|
||||||
security-poll-suffix=
|
security-poll-suffix=
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# setgid If set, change group id to this gid for more security
|
# setgid If set, change group id to this gid for more security
|
||||||
#
|
#
|
||||||
setgid=pdns
|
setgid=pdns
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# setuid If set, change user id to this uid for more security
|
# setuid If set, change user id to this uid for more security
|
||||||
#
|
#
|
||||||
setuid=pdns
|
setuid=pdns
|
||||||
|
|
||||||
{% if dns_secondary is defined and ansible_default_ipv4.address == dns_secondary %}
|
|
||||||
#################################
|
#################################
|
||||||
# slave Act as a slave
|
# bind-config Location of the Bind configuration file to parse.
|
||||||
#
|
|
||||||
# slave=no
|
|
||||||
slave=yes
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# trusted-notification-proxy IP address of incoming notification proxy
|
|
||||||
#
|
|
||||||
# trusted-notification-proxy=
|
|
||||||
trusted-notification-proxy=127.0.0.1,::1
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# bind-config Location of named.conf
|
|
||||||
#
|
#
|
||||||
bind-config=/etc/powerdns/bindbackend.conf
|
bind-config=/etc/powerdns/bindbackend.conf
|
||||||
|
|
||||||
#################################
|
|
||||||
# gsqlite3-database Filename of the SQLite3 database
|
|
||||||
#
|
|
||||||
# gsqlite3-database=
|
|
||||||
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
|
|
||||||
|
|
|
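Review bot: The authoritative server on the new side stays on `local-address=127.0.0.1` with `local-port=5300`, but the comments that explained that arrangement are removed and the dnsdist front-end that used to sit in front of it is deleted in this compare, so the intent (loopback-only, reached solely through the recursor's forward-zones) is no longer documented anywhere in the file; add a line above `local-port=5300` such as `# loopback only: queries reach this server via the recursor's forward-zones, never directly from clients`. `security-poll-suffix=` is left empty on both sides, which turns off PowerDNS's security-advisory polling; that is acceptable for an isolated host but deserves a one-line comment naming where advisories are tracked instead.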
@ -1,55 +1,61 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# allow-from If set, only allow these comma separated netmasks to recurse
|
# allow-from If set, only allow these comma separated netmasks to recurse
|
||||||
#
|
#
|
||||||
# allow-from=127.0.0.0/8
|
#allow-from=127.0.0.0/8
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# config-dir Location of configuration directory (recursor.conf)
|
# config-dir Location of configuration directory (recursor.conf)
|
||||||
#
|
#
|
||||||
config-dir=/etc/powerdns
|
config-dir=/etc/powerdns
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
|
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
|
||||||
#
|
#
|
||||||
# dnssec=process-no-validate
|
# dnssec=process-no-validate
|
||||||
dnssec=off
|
dnssec=off
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
|
# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
|
||||||
#
|
#
|
||||||
local-address=127.0.0.1
|
# forward-zones=
|
||||||
|
forward-zones=binary.kitchen=127.0.0.1:5300,23.172.in-addr.arpa=127.0.0.1:5300
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# local-port port to listen on
|
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
|
||||||
#
|
#
|
||||||
local-port=5353
|
local-address=127.0.0.1,{{ ansible_default_ipv4.address }}
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# query-local-address6 Source IPv6 address for sending queries. IF UNSET, IPv6 WILL NOT BE USED FOR OUTGOING QUERIES
|
# local-port port to listen on
|
||||||
|
#
|
||||||
|
local-port=53
|
||||||
|
|
||||||
|
#################################
|
||||||
|
# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
|
||||||
#
|
#
|
||||||
{% if global_ipv6 is defined %}
|
{% if global_ipv6 is defined %}
|
||||||
query-local-address6={{ global_ipv6 | ipaddr('address') }}
|
query-local-address6={{ global_ipv6 | ipaddr('address') }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# quiet Suppress logging of questions and answers
|
# quiet Suppress logging of questions and answers
|
||||||
#
|
#
|
||||||
quiet=yes
|
quiet=yes
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# security-poll-suffix Domain name from which to query security update notifications
|
# security-poll-suffix Domain name from which to query security update notifications
|
||||||
#
|
#
|
||||||
# security-poll-suffix=secpoll.powerdns.com.
|
# security-poll-suffix=secpoll.powerdns.com.
|
||||||
security-poll-suffix=
|
security-poll-suffix=
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# setgid If set, change group id to this gid for more security
|
# setgid If set, change group id to this gid for more security
|
||||||
#
|
#
|
||||||
setgid=pdns
|
setgid=pdns
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# setuid If set, change user id to this uid for more security
|
# setuid If set, change user id to this uid for more security
|
||||||
#
|
#
|
||||||
setuid=pdns
|
setuid=pdns
|
||||||
|
|
|
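Review bot: `#allow-from=127.0.0.0/8` is commented out on the new side at the same time as the listener is widened to `local-address=127.0.0.1,{{ ansible_default_ipv4.address }}` on `local-port=53`, so which clients may recurse is now decided by the recursor's built-in default ACL rather than by anything in this file. If the host's default IPv4 address is public (the zone in this compare carries 213.166.246.x addresses), only that implicit default separates this host from being an open resolver; state the ACL explicitly, e.g. `allow-from=127.0.0.0/8,::1,172.23.0.0/16` adjusted to the prefixes that should actually be served. `dnssec=off` is unchanged here, but is worth revisiting once the listener is reachable beyond loopback.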
@ -5,7 +5,7 @@
|
||||||
|
|
||||||
- name: Enable docker repository
|
- name: Enable docker repository
|
||||||
apt_repository:
|
apt_repository:
|
||||||
repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
|
repo: 'deb https://download.docker.com/linux/debian buster stable'
|
||||||
filename: docker
|
filename: docker
|
||||||
|
|
||||||
- name: Install docker
|
- name: Install docker
|
||||||
|
@ -14,4 +14,4 @@
|
||||||
- docker-ce
|
- docker-ce
|
||||||
- docker-ce-cli
|
- docker-ce-cli
|
||||||
- containerd.io
|
- containerd.io
|
||||||
- python3-docker
|
- python-docker
|
||||||
|
|
|
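Review bot: The repository line on the new side hard-codes the release, `repo: 'deb https://download.docker.com/linux/debian buster stable'`, so a host on any other Debian release silently gets buster's Docker packages; `{{ ansible_distribution_release }}` keeps the repository tied to the host it runs on. The package list in the second hunk also switches to `python-docker`, the Python 2 binding, while the `docker_container` task further down in this compare runs under whichever interpreter Ansible selects on the target — if that is python3 the module cannot import the SDK and fails. The same Python 2 choice recurs as `python-psycopg2` in the drone, gitea and hackmd task hunks below, where the `postgresql_db` and `postgresql_user` modules have the same dependency.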
@ -14,7 +14,7 @@
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
- postgresql
|
- postgresql
|
||||||
- python3-psycopg2
|
- python-psycopg2
|
||||||
|
|
||||||
- name: Configure PostgreSQL database
|
- name: Configure PostgreSQL database
|
||||||
postgresql_db: name={{ drone_dbname }}
|
postgresql_db: name={{ drone_dbname }}
|
||||||
|
|
|
@ -14,7 +14,6 @@
|
||||||
DRONE_UI_PASSWORD: "{{ drone_uipass }}"
|
DRONE_UI_PASSWORD: "{{ drone_uipass }}"
|
||||||
ports:
|
ports:
|
||||||
- "3000:3000"
|
- "3000:3000"
|
||||||
pull: yes
|
|
||||||
restart_policy: unless-stopped
|
restart_policy: unless-stopped
|
||||||
state: started
|
state: started
|
||||||
volumes:
|
volumes:
|
||||||
|
|
|
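Review bot: Without `pull: yes`, this `docker_container` task only fetches the image when none is present locally, so on every later run the container keeps whatever image was pulled first and image updates — including security fixes — are never applied by this play. Either restore `pull: yes` or add a comment above `restart_policy: unless-stopped` stating how the image is refreshed (a separate `docker_image` task, for instance). The task's `image` and `name` keys are outside this hunk, so I cannot tell whether a pinned digest is used, which would make the omission deliberate.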
@ -1,7 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: Reload nfs-server
|
|
||||||
service: name=nfs-server state=reloaded
|
|
||||||
|
|
||||||
- name: Reload smbd
|
|
||||||
service: name=smbd state=reloaded
|
|
|
@ -1,30 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
# TODO also enable contrib for $release-security
|
|
||||||
- name: Enable contrib repositories
|
|
||||||
apt_repository:
|
|
||||||
repo: deb http://deb.debian.org/debian {{ ansible_distribution_release }} contrib
|
|
||||||
|
|
||||||
- name: Install zfs-dkms
|
|
||||||
apt:
|
|
||||||
name: zfs-dkms
|
|
||||||
|
|
||||||
# creating the ZFS pool is not part of this role
|
|
||||||
|
|
||||||
- name: Install NFS and samba
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- nfs-kernel-server
|
|
||||||
- samba
|
|
||||||
|
|
||||||
- name: Configure NFS
|
|
||||||
template:
|
|
||||||
src: exports.j2
|
|
||||||
dest: /etc/exports
|
|
||||||
notify: Reload nfs-server
|
|
||||||
|
|
||||||
- name: Configure samba
|
|
||||||
template:
|
|
||||||
src: smb.conf.j2
|
|
||||||
dest: /etc/samba/smb.conf
|
|
||||||
notify: Reload smbd
|
|
|
@ -1,4 +0,0 @@
|
||||||
# {{ ansible_managed }}
|
|
||||||
{% for item in nfs_exports %}
|
|
||||||
{{ item }}
|
|
||||||
{% endfor %}
|
|
|
@ -1,244 +0,0 @@
|
||||||
#
|
|
||||||
# Sample configuration file for the Samba suite for Debian GNU/Linux.
|
|
||||||
#
|
|
||||||
#
|
|
||||||
# This is the main Samba configuration file. You should read the
|
|
||||||
# smb.conf(5) manual page in order to understand the options listed
|
|
||||||
# here. Samba has a huge number of configurable options most of which
|
|
||||||
# are not shown in this example
|
|
||||||
#
|
|
||||||
# Some options that are often worth tuning have been included as
|
|
||||||
# commented-out examples in this file.
|
|
||||||
# - When such options are commented with ";", the proposed setting
|
|
||||||
# differs from the default Samba behaviour
|
|
||||||
# - When commented with "#", the proposed setting is the default
|
|
||||||
# behaviour of Samba but the option is considered important
|
|
||||||
# enough to be mentioned here
|
|
||||||
#
|
|
||||||
# NOTE: Whenever you modify this file you should run the command
|
|
||||||
# "testparm" to check that you have not made any basic syntactic
|
|
||||||
# errors.
|
|
||||||
|
|
||||||
#======================= Global Settings =======================
|
|
||||||
|
|
||||||
[global]
|
|
||||||
|
|
||||||
## Browsing/Identification ###
|
|
||||||
|
|
||||||
# Change this to the workgroup/NT-domain name your Samba server will part of
|
|
||||||
workgroup = WORKGROUP
|
|
||||||
|
|
||||||
#### Networking ####
|
|
||||||
|
|
||||||
# The specific set of interfaces / networks to bind to
|
|
||||||
# This can be either the interface name or an IP address/netmask;
|
|
||||||
# interface names are normally preferred
|
|
||||||
; interfaces = 127.0.0.0/8 eth0
|
|
||||||
|
|
||||||
# Only bind to the named interfaces and/or networks; you must use the
|
|
||||||
# 'interfaces' option above to use this.
|
|
||||||
# It is recommended that you enable this feature if your Samba machine is
|
|
||||||
# not protected by a firewall or is a firewall itself. However, this
|
|
||||||
# option cannot handle dynamic or non-broadcast interfaces correctly.
|
|
||||||
; bind interfaces only = yes
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#### Debugging/Accounting ####
|
|
||||||
|
|
||||||
# This tells Samba to use a separate log file for each machine
|
|
||||||
# that connects
|
|
||||||
log file = /var/log/samba/log.%m
|
|
||||||
|
|
||||||
# Cap the size of the individual log files (in KiB).
|
|
||||||
max log size = 1000
|
|
||||||
|
|
||||||
# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
|
|
||||||
# Append syslog@1 if you want important messages to be sent to syslog too.
|
|
||||||
logging = file
|
|
||||||
|
|
||||||
# Do something sensible when Samba crashes: mail the admin a backtrace
|
|
||||||
panic action = /usr/share/samba/panic-action %d
|
|
||||||
|
|
||||||
|
|
||||||
####### Authentication #######
|
|
||||||
|
|
||||||
# Server role. Defines in which mode Samba will operate. Possible
|
|
||||||
# values are "standalone server", "member server", "classic primary
|
|
||||||
# domain controller", "classic backup domain controller", "active
|
|
||||||
# directory domain controller".
|
|
||||||
#
|
|
||||||
# Most people will want "standalone server" or "member server".
|
|
||||||
# Running as "active directory domain controller" will require first
|
|
||||||
# running "samba-tool domain provision" to wipe databases and create a
|
|
||||||
# new domain.
|
|
||||||
server role = standalone server
|
|
||||||
|
|
||||||
obey pam restrictions = yes
|
|
||||||
|
|
||||||
# This boolean parameter controls whether Samba attempts to sync the Unix
|
|
||||||
# password with the SMB password when the encrypted SMB password in the
|
|
||||||
# passdb is changed.
|
|
||||||
unix password sync = yes
|
|
||||||
|
|
||||||
# For Unix password sync to work on a Debian GNU/Linux system, the following
|
|
||||||
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
|
|
||||||
# sending the correct chat script for the passwd program in Debian Sarge).
|
|
||||||
passwd program = /usr/bin/passwd %u
|
|
||||||
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
|
|
||||||
|
|
||||||
# This boolean controls whether PAM will be used for password changes
|
|
||||||
# when requested by an SMB client instead of the program listed in
|
|
||||||
# 'passwd program'. The default is 'no'.
|
|
||||||
pam password change = yes
|
|
||||||
|
|
||||||
# This option controls how unsuccessful authentication attempts are mapped
|
|
||||||
# to anonymous connections
|
|
||||||
map to guest = bad user
|
|
||||||
|
|
||||||
########## Domains ###########
|
|
||||||
|
|
||||||
#
|
|
||||||
# The following settings only takes effect if 'server role = classic
|
|
||||||
# primary domain controller', 'server role = classic backup domain controller'
|
|
||||||
# or 'domain logons' is set
|
|
||||||
#
|
|
||||||
|
|
||||||
# It specifies the location of the user's
|
|
||||||
# profile directory from the client point of view) The following
|
|
||||||
# required a [profiles] share to be setup on the samba server (see
|
|
||||||
# below)
|
|
||||||
; logon path = \\%N\profiles\%U
|
|
||||||
# Another common choice is storing the profile in the user's home directory
|
|
||||||
# (this is Samba's default)
|
|
||||||
# logon path = \\%N\%U\profile
|
|
||||||
|
|
||||||
# The following setting only takes effect if 'domain logons' is set
|
|
||||||
# It specifies the location of a user's home directory (from the client
|
|
||||||
# point of view)
|
|
||||||
; logon drive = H:
|
|
||||||
# logon home = \\%N\%U
|
|
||||||
|
|
||||||
# The following setting only takes effect if 'domain logons' is set
|
|
||||||
# It specifies the script to run during logon. The script must be stored
|
|
||||||
# in the [netlogon] share
|
|
||||||
# NOTE: Must be store in 'DOS' file format convention
|
|
||||||
; logon script = logon.cmd
|
|
||||||
|
|
||||||
# This allows Unix users to be created on the domain controller via the SAMR
|
|
||||||
# RPC pipe. The example command creates a user account with a disabled Unix
|
|
||||||
# password; please adapt to your needs
|
|
||||||
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
|
|
||||||
|
|
||||||
# This allows machine accounts to be created on the domain controller via the
|
|
||||||
# SAMR RPC pipe.
|
|
||||||
# The following assumes a "machines" group exists on the system
|
|
||||||
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
|
|
||||||
|
|
||||||
# This allows Unix groups to be created on the domain controller via the SAMR
|
|
||||||
# RPC pipe.
|
|
||||||
; add group script = /usr/sbin/addgroup --force-badname %g
|
|
||||||
|
|
||||||
############ Misc ############
|
|
||||||
|
|
||||||
# Using the following line enables you to customise your configuration
|
|
||||||
# on a per machine basis. The %m gets replaced with the netbios name
|
|
||||||
# of the machine that is connecting
|
|
||||||
; include = /home/samba/etc/smb.conf.%m
|
|
||||||
|
|
||||||
# Some defaults for winbind (make sure you're not using the ranges
|
|
||||||
# for something else.)
|
|
||||||
; idmap config * : backend = tdb
|
|
||||||
; idmap config * : range = 3000-7999
|
|
||||||
; idmap config YOURDOMAINHERE : backend = tdb
|
|
||||||
; idmap config YOURDOMAINHERE : range = 100000-999999
|
|
||||||
; template shell = /bin/bash
|
|
||||||
|
|
||||||
# Setup usershare options to enable non-root users to share folders
|
|
||||||
# with the net usershare command.
|
|
||||||
|
|
||||||
# Maximum number of usershare. 0 means that usershare is disabled.
|
|
||||||
# usershare max shares = 100
|
|
||||||
|
|
||||||
# Allow users who've been granted usershare privileges to create
|
|
||||||
# public shares, not just authenticated ones
|
|
||||||
usershare allow guests = yes
|
|
||||||
|
|
||||||
#======================= Share Definitions =======================
|
|
||||||
|
|
||||||
;[homes]
|
|
||||||
; comment = Home Directories
|
|
||||||
; browseable = no
|
|
||||||
|
|
||||||
# By default, the home directories are exported read-only. Change the
|
|
||||||
# next parameter to 'no' if you want to be able to write to them.
|
|
||||||
; read only = yes
|
|
||||||
|
|
||||||
# File creation mask is set to 0700 for security reasons. If you want to
|
|
||||||
# create files with group=rw permissions, set next parameter to 0775.
|
|
||||||
; create mask = 0700
|
|
||||||
|
|
||||||
# Directory creation mask is set to 0700 for security reasons. If you want to
|
|
||||||
# create dirs. with group=rw permissions, set next parameter to 0775.
|
|
||||||
; directory mask = 0700
|
|
||||||
|
|
||||||
# By default, \\server\username shares can be connected to by anyone
|
|
||||||
# with access to the samba server.
|
|
||||||
# The following parameter makes sure that only "username" can connect
|
|
||||||
# to \\server\username
|
|
||||||
# This might need tweaking when using external authentication schemes
|
|
||||||
; valid users = %S
|
|
||||||
|
|
||||||
# Un-comment the following and create the netlogon directory for Domain Logons
|
|
||||||
# (you need to configure Samba to act as a domain controller too.)
|
|
||||||
;[netlogon]
|
|
||||||
; comment = Network Logon Service
|
|
||||||
; path = /home/samba/netlogon
|
|
||||||
; guest ok = yes
|
|
||||||
; read only = yes
|
|
||||||
|
|
||||||
# Un-comment the following and create the profiles directory to store
|
|
||||||
# users profiles (see the "logon path" option above)
|
|
||||||
# (you need to configure Samba to act as a domain controller too.)
|
|
||||||
# The path below should be writable by all users so that their
|
|
||||||
# profile directory may be created the first time they log on
|
|
||||||
;[profiles]
|
|
||||||
; comment = Users profiles
|
|
||||||
; path = /home/samba/profiles
|
|
||||||
; guest ok = no
|
|
||||||
; browseable = no
|
|
||||||
; create mask = 0600
|
|
||||||
; directory mask = 0700
|
|
||||||
|
|
||||||
;[printers]
|
|
||||||
; comment = All Printers
|
|
||||||
; browseable = no
|
|
||||||
; path = /var/spool/samba
|
|
||||||
; printable = yes
|
|
||||||
; guest ok = no
|
|
||||||
; read only = yes
|
|
||||||
; create mask = 0700
|
|
||||||
|
|
||||||
# Windows clients look for this share name as a source of downloadable
|
|
||||||
# printer drivers
|
|
||||||
;[print$]
|
|
||||||
; comment = Printer Drivers
|
|
||||||
; path = /var/lib/samba/printers
|
|
||||||
; browseable = yes
|
|
||||||
; read only = yes
|
|
||||||
; guest ok = no
|
|
||||||
# Uncomment to allow remote administration of Windows print drivers.
|
|
||||||
# You may need to replace 'lpadmin' with the name of the group your
|
|
||||||
# admin users are members of.
|
|
||||||
# Please note that you also need to set appropriate Unix permissions
|
|
||||||
# to the drivers directory for these users to have write rights in it
|
|
||||||
; write list = root, @lpadmin
|
|
||||||
|
|
||||||
# Binary Kitchen public share
|
|
||||||
[tank]
|
|
||||||
path = /exports/tank
|
|
||||||
browseable = yes
|
|
||||||
read only = no
|
|
||||||
guest ok = yes
|
|
||||||
create mask = 0600
|
|
||||||
directory mask = 0700
|
|
|
@ -3,6 +3,6 @@
|
||||||
gitea_user: gogs
|
gitea_user: gogs
|
||||||
gitea_group: gogs
|
gitea_group: gogs
|
||||||
|
|
||||||
gitea_checksum: sha256:1b7473b5993e07b33fec58edbc1a90f15f040759ca4647e97317c33d5dfe58be
|
gitea_checksum: sha256:74417bc8e950b685de79c3a39655029f28d27c99e94adbe83c0ec22325d8771f
|
||||||
gitea_version: 1.15.6
|
gitea_version: 1.12.6
|
||||||
gitea_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
|
gitea_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
|
||||||
|
|
|
@ -30,7 +30,7 @@
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
- postgresql
|
- postgresql
|
||||||
- python3-psycopg2
|
- python-psycopg2
|
||||||
|
|
||||||
- name: Configure PostgreSQL database
|
- name: Configure PostgreSQL database
|
||||||
postgresql_db: name={{ gitea_dbname }}
|
postgresql_db: name={{ gitea_dbname }}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
hedgedoc_version: 1.8.2
|
hackmd_version: 1.5.0
|
||||||
hedgedoc_archive: https://github.com/hedgedoc/hedgedoc/archive/{{ hedgedoc_version }}.tar.gz
|
hackmd_archive: https://github.com/codimd/server/archive/{{ hackmd_version }}.tar.gz
|
||||||
|
|
|
@ -3,8 +3,8 @@
|
||||||
- name: Reload systemd
|
- name: Reload systemd
|
||||||
systemd: daemon_reload=yes
|
systemd: daemon_reload=yes
|
||||||
|
|
||||||
- name: Restart hedgedoc
|
- name: Restart hackmd
|
||||||
service: name=hedgedoc state=restarted
|
service: name=hackmd state=restarted
|
||||||
|
|
||||||
- name: Restart nginx
|
- name: Restart nginx
|
||||||
service: name=nginx state=restarted
|
service: name=nginx state=restarted
|
||||||
|
|
|
@ -3,11 +3,14 @@
|
||||||
- name: Create user
|
- name: Create user
|
||||||
user: name=hackmd
|
user: name=hackmd
|
||||||
|
|
||||||
|
- name: Enable https for apt
|
||||||
|
apt: name=apt-transport-https
|
||||||
|
|
||||||
- name: Enable nodesource apt-key
|
- name: Enable nodesource apt-key
|
||||||
apt_key: url="https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
|
apt_key: url="https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
|
||||||
|
|
||||||
- name: Enable nodesource repository
|
- name: Enable nodesource repository
|
||||||
apt_repository: repo="deb https://deb.nodesource.com/node_14.x/ {{ ansible_distribution_release }} main"
|
apt_repository: repo="deb https://deb.nodesource.com/node_8.x/ {{ ansible_distribution_release }} main"
|
||||||
|
|
||||||
- name: Enable yarnpkg apt-key
|
- name: Enable yarnpkg apt-key
|
||||||
apt_key: url="https://dl.yarnpkg.com/debian/pubkey.gpg"
|
apt_key: url="https://dl.yarnpkg.com/debian/pubkey.gpg"
|
||||||
|
@ -31,75 +34,82 @@
|
||||||
- git
|
- git
|
||||||
- nodejs
|
- nodejs
|
||||||
- postgresql
|
- postgresql
|
||||||
- python3-psycopg2
|
- python-psycopg2
|
||||||
- yarn
|
- yarn
|
||||||
|
|
||||||
- name: Unpack hedgedoc
|
- name: Unpack hackmd
|
||||||
unarchive: src={{ hedgedoc_archive }} dest=/opt owner=hackmd group=hackmd remote_src=yes creates=/opt/hedgedoc-{{ hedgedoc_version }}
|
unarchive: src={{ hackmd_archive }} dest=/opt owner=hackmd group=hackmd remote_src=yes creates=/opt/codimd-{{ hackmd_version }}
|
||||||
register: hedgedoc_unarchive
|
register: hackmd_unarchive
|
||||||
|
|
||||||
- name: Create hedgedoc upload path
|
- name: Rename hackmd
|
||||||
file: path=/opt/hedgedoc/uploads state=directory recurse=yes owner=hackmd group=hackmd
|
command: mv /opt/server-{{ hackmd_version }} /opt/codimd-{{ hackmd_version }}
|
||||||
|
when: hackmd_unarchive.changed
|
||||||
|
|
||||||
- name: Remove old hedgedoc upload path
|
- name: Create hackmd upload path
|
||||||
file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads state=absent force=yes
|
file: path=/opt/codimd/uploads state=directory recurse=yes owner=hackmd group=hackmd
|
||||||
|
|
||||||
- name: Link hedgedoc upload path
|
- name: Remove old hackmd upload path
|
||||||
file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads src=/opt/hedgedoc/uploads state=link owner=hackmd group=hackmd
|
file: path=/opt/codimd-{{ hackmd_version }}/public/uploads state=absent force=yes
|
||||||
|
|
||||||
- name: Setup hedgedoc
|
- name: Link hackmd upload path
|
||||||
command: bin/setup chdir=/opt/hedgedoc-{{ hedgedoc_version }} creates=/opt/hedgedoc-{{ hedgedoc_version }}/config.json
|
file: path=/opt/codimd-{{ hackmd_version }}/public/uploads src=/opt/codimd/uploads state=link owner=hackmd group=hackmd
|
||||||
|
|
||||||
|
- name: Setup hackmd
|
||||||
|
command: bin/setup chdir=/opt/codimd-{{ hackmd_version }} creates=/opt/codimd-{{ hackmd_version }}/config.json
|
||||||
become: true
|
become: true
|
||||||
become_user: hackmd
|
become_user: hackmd
|
||||||
|
|
||||||
- name: Configure hedgedoc
|
- name: Configure hackmd
|
||||||
template: src=config.json.j2 dest=/opt/hedgedoc-{{ hedgedoc_version }}/config.json owner=hackmd
|
template: src=config.json.j2 dest=/opt/codimd-{{ hackmd_version }}/config.json owner=hackmd
|
||||||
register: hedgedoc_config
|
register: hackmd_config
|
||||||
notify: Restart hedgedoc
|
notify: Restart hackmd
|
||||||
|
|
||||||
- name: Install hedgedoc frontend deps
|
- name: Build hackmd frontend
|
||||||
command: /usr/bin/yarn install chdir=/opt/hedgedoc-{{ hedgedoc_version }}
|
command: /usr/bin/npm run build chdir=/opt/codimd-{{ hackmd_version }}
|
||||||
become: true
|
become: true
|
||||||
become_user: hackmd
|
become_user: hackmd
|
||||||
when: hedgedoc_unarchive.changed or hedgedoc_config.changed
|
when: hackmd_unarchive.changed or hackmd_config.changed
|
||||||
|
|
||||||
- name: Build hedgedoc frontend
|
|
||||||
command: /usr/bin/yarn build chdir=/opt/hedgedoc-{{ hedgedoc_version }}
|
|
||||||
become: true
|
|
||||||
become_user: hackmd
|
|
||||||
when: hedgedoc_unarchive.changed or hedgedoc_config.changed
|
|
||||||
|
|
||||||
- name: Configure PostgreSQL database
|
- name: Configure PostgreSQL database
|
||||||
postgresql_db: name={{ hedgedoc_dbname }}
|
postgresql_db: name={{ hackmd_dbname }}
|
||||||
become: true
|
become: true
|
||||||
become_user: postgres
|
become_user: postgres
|
||||||
|
|
||||||
- name: Configure PostgreSQL user
|
- name: Configure PostgreSQL user
|
||||||
postgresql_user: db={{ hedgedoc_dbname }} name={{ hedgedoc_dbuser }} password={{ hedgedoc_dbpass }} priv=ALL state=present
|
postgresql_user: db={{ hackmd_dbname }} name={{ hackmd_dbuser }} password={{ hackmd_dbpass }} priv=ALL state=present
|
||||||
become: true
|
become: true
|
||||||
become_user: postgres
|
become_user: postgres
|
||||||
|
|
||||||
|
- name: Configure sequelize
|
||||||
|
template: src=_sequelizerc.j2 dest=/opt/codimd-{{ hackmd_version }}/.sequelizerc owner=hackmd
|
||||||
|
|
||||||
|
- name: Upgrade database schema
|
||||||
|
command: node_modules/.bin/sequelize db:migrate chdir=/opt/codimd-{{ hackmd_version }}
|
||||||
|
become: true
|
||||||
|
become_user: hackmd
|
||||||
|
when: hackmd_unarchive.changed or hackmd_config.changed
|
||||||
|
|
||||||
- name: Ensure certificates are available
|
- name: Ensure certificates are available
|
||||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hedgedoc_domain }}.key -out /etc/nginx/ssl/{{ hedgedoc_domain }}.crt -days 730 -subj "/CN={{ hedgedoc_domain }}" creates=/etc/nginx/ssl/{{ hedgedoc_domain }}.crt
|
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hackmd_domain }}.key -out /etc/nginx/ssl/{{ hackmd_domain }}.crt -days 730 -subj "/CN={{ hackmd_domain }}" creates=/etc/nginx/ssl/{{ hackmd_domain }}.crt
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
|
|
||||||
- name: Configure certificate manager for hedgedoc
|
- name: Configure certificate manager for hackmd
|
||||||
template: src=certs.j2 dest=/etc/acertmgr/{{ hedgedoc_domain }}.conf
|
template: src=certs.j2 dest=/etc/acertmgr/{{ hackmd_domain }}.conf
|
||||||
notify: Run acertmgr
|
notify: Run acertmgr
|
||||||
|
|
||||||
- name: Configure vhost
|
- name: Configure vhost
|
||||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/hedgedoc
|
template: src=vhost.j2 dest=/etc/nginx/sites-available/hackmd
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
|
|
||||||
- name: Enable vhost
|
- name: Enable vhost
|
||||||
file: src=/etc/nginx/sites-available/hedgedoc dest=/etc/nginx/sites-enabled/hedgedoc state=link
|
file: src=/etc/nginx/sites-available/hackmd dest=/etc/nginx/sites-enabled/hackmd state=link
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
|
|
||||||
- name: Systemd unit for hedgedoc
|
- name: Systemd unit for hackmd
|
||||||
template: src=hedgedoc.service.j2 dest=/etc/systemd/system/hedgedoc.service
|
template: src=hackmd.service.j2 dest=/etc/systemd/system/hackmd.service
|
||||||
notify:
|
notify:
|
||||||
- Reload systemd
|
- Reload systemd
|
||||||
- Restart hedgedoc
|
- Restart hackmd
|
||||||
|
|
||||||
- name: Start the hedgedoc service
|
- name: Start the hackmd service
|
||||||
service: name=hedgedoc state=started enabled=yes
|
service: name=hackmd state=started enabled=yes
|
||||||
|
|
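--- /dev/null
+++ b/roles/hackmd/templates/_sequelizerc.j2
@@ -0,0 +1,8 @@
+var path = require('path');
+
+module.exports = {
+'config': path.resolve('config.json'),
+'migrations-path': path.resolve('lib', 'migrations'),
+'models-path': path.resolve('lib', 'models'),
+'url': 'postgres://{{ hackmd_dbuser }}:{{ hackmd_dbpass }}@localhost:5432/{{ hackmd_dbname }}'
+}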
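Review bot: The rendered `.sequelizerc` carries the database password in clear in the `'url'` line, and the task that writes it (`template: src=_sequelizerc.j2 dest=/opt/codimd-{{ hackmd_version }}/.sequelizerc owner=hackmd` in the tasks section above) sets an owner but no `mode`, so the file gets whatever the umask yields, which on most hosts is world-readable. The same applies to `config.json`, which holds `sessionSecret` and the db password and is also written with `owner=hackmd` only. Add `mode=0600` to both template tasks, e.g. `template: src=_sequelizerc.j2 dest=/opt/codimd-{{ hackmd_version }}/.sequelizerc owner=hackmd mode=0600`. Separately, the password is interpolated into a URL without escaping, so a value containing `@`, `:` or `/` would break the connection string; `{{ hackmd_dbpass | urlencode }}` avoids that.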
@ -1,13 +1,13 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
{{ hedgedoc_domain }}:
|
{{ hackmd_domain }}:
|
||||||
- path: /etc/nginx/ssl/{{ hedgedoc_domain }}.key
|
- path: /etc/nginx/ssl/{{ hackmd_domain }}.key
|
||||||
user: root
|
user: root
|
||||||
group: root
|
group: root
|
||||||
perm: '400'
|
perm: '400'
|
||||||
format: key
|
format: key
|
||||||
action: '/usr/sbin/service nginx restart'
|
action: '/usr/sbin/service nginx restart'
|
||||||
- path: /etc/nginx/ssl/{{ hedgedoc_domain }}.crt
|
- path: /etc/nginx/ssl/{{ hackmd_domain }}.crt
|
||||||
user: root
|
user: root
|
||||||
group: root
|
group: root
|
||||||
perm: '400'
|
perm: '400'
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
{
|
{
|
||||||
"production": {
|
"production": {
|
||||||
"domain": "{{ hedgedoc_domain }}",
|
"domain": "{{ hackmd_domain }}",
|
||||||
"protocolUseSSL": true,
|
"protocolUseSSL": true,
|
||||||
"allowAnonymous": false,
|
"allowAnonymous": false,
|
||||||
"allowAnonymousEdits": true,
|
"allowAnonymousEdits": true,
|
||||||
"allowFreeURL": true,
|
"allowFreeURL": true,
|
||||||
"sessionSecret": "{{ hedgedoc_secret }}",
|
"sessionSecret": "{{ hackmd_secret }}",
|
||||||
"hsts": {
|
"hsts": {
|
||||||
"enable": true,
|
"enable": true,
|
||||||
"maxAgeSeconds": 2592000,
|
"maxAgeSeconds": 2592000,
|
||||||
|
@ -22,9 +22,9 @@
|
||||||
"addGoogleAnalytics": true
|
"addGoogleAnalytics": true
|
||||||
},
|
},
|
||||||
"db": {
|
"db": {
|
||||||
"username": "{{ hedgedoc_dbuser }}",
|
"username": "{{ hackmd_dbuser }}",
|
||||||
"password": "{{ hedgedoc_dbpass }}",
|
"password": "{{ hackmd_dbpass }}",
|
||||||
"database": "{{ hedgedoc_dbname }}",
|
"database": "{{ hackmd_dbname }}",
|
||||||
"host": "localhost",
|
"host": "localhost",
|
||||||
"port": "5432",
|
"port": "5432",
|
||||||
"dialect": "postgres"
|
"dialect": "postgres"
|
||||||
|
|
|
@ -1,13 +1,13 @@
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=HedgeDoc
|
Description=HackMD
|
||||||
After=network.target
|
After=network.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Environment=NODE_ENV=production
|
Environment=NODE_ENV=production
|
||||||
WorkingDirectory=/opt/hedgedoc-{{ hedgedoc_version }}
|
WorkingDirectory=/opt/codimd-{{ hackmd_version }}
|
||||||
Type=simple
|
Type=simple
|
||||||
User=hackmd
|
User=hackmd
|
||||||
ExecStart=/usr/bin/yarn start
|
ExecStart=/usr/bin/node /opt/codimd-{{ hackmd_version }}/app.js
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
|
|
||||||
[Install]
|
[Install]
|
|
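Review bot: The new `ExecStart=/usr/bin/node /opt/codimd-{{ hackmd_version }}/app.js` runs as `User=hackmd`, but the `[Service]` block carries no sandboxing, and since the unpack task gives that account ownership of the code tree under `/opt/codimd-{{ hackmd_version }}`, a compromised Node process can rewrite its own application files. Consider adding `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` next to `Restart=on-failure`, provided the service never needs to write below `/etc` or `/usr`. The `[Install]` section continues past the end of the hunk.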
@ -1,13 +1,8 @@
|
||||||
map $http_upgrade $connection_upgrade {
|
|
||||||
default upgrade;
|
|
||||||
'' close;
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
|
|
||||||
server_name {{ hedgedoc_domain }};
|
server_name {{ hackmd_domain }};
|
||||||
|
|
||||||
location /.well-known/acme-challenge {
|
location /.well-known/acme-challenge {
|
||||||
default_type "text/plain";
|
default_type "text/plain";
|
||||||
|
@ -15,7 +10,7 @@ server {
|
||||||
}
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
return 301 https://{{ hedgedoc_domain }}$request_uri;
|
return 301 https://{{ hackmd_domain }}$request_uri;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -23,30 +18,21 @@ server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
server_name {{ hedgedoc_domain }};
|
server_name {{ hackmd_domain }};
|
||||||
|
|
||||||
ssl_certificate_key /etc/nginx/ssl/{{ hedgedoc_domain }}.key;
|
ssl_certificate_key /etc/nginx/ssl/{{ hackmd_domain }}.key;
|
||||||
ssl_certificate /etc/nginx/ssl/{{ hedgedoc_domain }}.crt;
|
ssl_certificate /etc/nginx/ssl/{{ hackmd_domain }}.crt;
|
||||||
|
|
||||||
# set max upload size
|
# set max upload size
|
||||||
client_max_body_size 8M;
|
client_max_body_size 8M;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_pass http://localhost:3000;
|
proxy_pass http://localhost:3000;
|
||||||
proxy_set_header Host $host;
|
proxy_http_version 1.1;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
location /socket.io/ {
|
|
||||||
proxy_pass http://127.0.0.1:3000;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection $connection_upgrade;
|
proxy_set_header Connection "Upgrade";
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
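Review bot: In the HTTPS `location /` block the new side sets `Connection "Upgrade"` unconditionally while `Upgrade $http_upgrade` is empty for ordinary requests, so every request proxied to port 3000 is marked as a protocol upgrade; the `map $http_upgrade $connection_upgrade` block that the other side keeps at the top of this file makes the header conditional and is the usual pattern. The block also no longer passes `Host` or `X-Forwarded-Proto`, so by nginx's default the backend receives the upstream name as its Host and cannot tell that the request arrived over TLS, which matters for redirects and cookies of a service whose config.json sets `protocolUseSSL`. A suggested shape of the map and the location block is below; the port-80 redirect server and the TLS lines stay as they are.
```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# … unchanged: port-80 redirect server, listen/ssl_certificate lines of the HTTPS server …

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
```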
@ -1,4 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
icinga_user: nagios
|
|
||||||
icinga_group: nagios
|
|
|
@ -1,98 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: Enable icinga apt-key
|
|
||||||
apt_key: url='https://packages.icinga.com/icinga.key'
|
|
||||||
|
|
||||||
- name: Enable icinga repository
|
|
||||||
apt_repository:
|
|
||||||
repo: 'deb https://packages.icinga.com/debian icinga-{{ ansible_distribution_release }} main'
|
|
||||||
filename: icinga
|
|
||||||
|
|
||||||
- name: Install icinga
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- php-fpm
|
|
||||||
- php-pgsql
|
|
||||||
- icinga2
|
|
||||||
- icinga2-ido-pgsql
|
|
||||||
- icingaweb2
|
|
||||||
|
|
||||||
- name: Install PostgreSQL
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- postgresql
|
|
||||||
- python3-psycopg2
|
|
||||||
|
|
||||||
- name: Configure icinga database
|
|
||||||
postgresql_db: name={{ icinga_dbname }}
|
|
||||||
become: true
|
|
||||||
become_user: postgres
|
|
||||||
register: icinga_ido_db
|
|
||||||
|
|
||||||
- name: Configure icinga database user
|
|
||||||
postgresql_user: db={{ icinga_dbname }} name={{ icinga_dbuser }} password={{ icinga_dbpass }} priv=ALL state=present
|
|
||||||
become: true
|
|
||||||
become_user: postgres
|
|
||||||
|
|
||||||
# FIXME it is not possible to use login_username and login_password here in order to change the role to icinga
|
|
||||||
# so as a workaround you have to insert "SET ROLE icinga;" manually at the top of the referred sql file
|
|
||||||
- name: Configure database schema
|
|
||||||
postgresql_db: name={{ icinga_dbname }} target=/usr/share/icinga2-ido-pgsql/schema/pgsql.sql state=restore
|
|
||||||
become: true
|
|
||||||
become_user: postgres
|
|
||||||
when: icinga_ido_db.changed
|
|
||||||
|
|
||||||
- name: Configure icingaweb database
|
|
||||||
postgresql_db: name={{ icingaweb_dbname }}
|
|
||||||
become: true
|
|
||||||
become_user: postgres
|
|
||||||
|
|
||||||
- name: Configure icingaweb database user
|
|
||||||
postgresql_user: db={{ icingaweb_dbname }} name={{ icingaweb_dbuser }} password={{ icingaweb_dbpass }} priv=ALL state=present
|
|
||||||
become: true
|
|
||||||
become_user: postgres
|
|
||||||
|
|
||||||
- name: Configure icinga ido pgsql
|
|
||||||
template: src=icinga2/features-available/ido-pgsql.conf.j2 dest=/etc/icinga2/features-available/ido-pgsql.conf owner={{ icinga_user }} group={{ icinga_group }}
|
|
||||||
notify: Restart icinga2
|
|
||||||
|
|
||||||
- name: Enable icinga ido PostgreSQL
|
|
||||||
command: "icinga2 feature enable ido-pgsql"
|
|
||||||
register: features_result
|
|
||||||
changed_when: "'for these changes to take effect' in features_result.stdout"
|
|
||||||
notify: Restart icinga2
|
|
||||||
|
|
||||||
- name: Configure known hosts for icinga
|
|
||||||
template: src=icinga2/conf.d/hosts.conf.j2 dest=/etc/icinga2/conf.d/hosts.conf owner={{ icinga_user }} group={{ icinga_group }}
|
|
||||||
notify: Restart icinga2
|
|
||||||
|
|
||||||
- name: Create group icingaweb2
|
|
||||||
group: name=icingaweb2 system=yes
|
|
||||||
|
|
||||||
- name: Add www-data to icingaweb2
|
|
||||||
user: name=www-data append=yes groups=icingaweb2
|
|
||||||
|
|
||||||
- name: Ensure certificates are available
|
|
||||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ icinga_domain }}.key -out /etc/nginx/ssl/{{ icinga_domain }}.crt -days 730 -subj "/CN={{ icinga_domain }}" creates=/etc/nginx/ssl/{{ icinga_domain }}.crt
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Request nsupdate key for certificate
|
|
||||||
include_role: name=acme-dnskey-generate
|
|
||||||
vars:
|
|
||||||
acme_dnskey_san_domains:
|
|
||||||
- "{{ icinga_domain }}"
|
|
||||||
|
|
||||||
- name: Configure certificate manager for icinga
|
|
||||||
template: src=certs.j2 dest=/etc/acertmgr/{{ icinga_domain }}.conf
|
|
||||||
notify: Run acertmgr
|
|
||||||
|
|
||||||
- name: Configure vhost
|
|
||||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/icinga
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Enable vhost
|
|
||||||
file: src=/etc/nginx/sites-available/icinga dest=/etc/nginx/sites-enabled/icinga state=link
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Start php7.4-fpm
|
|
||||||
service: name=php7.4-fpm state=started enabled=yes
|
|
|
@ -1,18 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
{{ icinga_domain }}:
|
|
||||||
- mode: dns.nsupdate
|
|
||||||
nsupdate_server: {{ acme_dnskey_server }}
|
|
||||||
nsupdate_keyfile: {{ acme_dnskey_file }}
|
|
||||||
- path: /etc/nginx/ssl/{{ icinga_domain }}.key
|
|
||||||
user: root
|
|
||||||
group: root
|
|
||||||
perm: '400'
|
|
||||||
format: key
|
|
||||||
action: '/usr/sbin/service nginx restart'
|
|
||||||
- path: /etc/nginx/ssl/{{ icinga_domain }}.crt
|
|
||||||
user: root
|
|
||||||
group: root
|
|
||||||
perm: '400'
|
|
||||||
format: crt,ca
|
|
||||||
action: '/usr/sbin/service nginx restart'
|
|
|
@ -1,12 +0,0 @@
|
||||||
{% for host in groups['all'] %}
|
|
||||||
object Host "{{ host }}" {
|
|
||||||
/* Import the default host template defined in `templates.conf`. */
|
|
||||||
import "generic-host"
|
|
||||||
|
|
||||||
/* Specify the address attributes for checks e.g. `ssh` or `http`. */
|
|
||||||
address = "{{ host }}"
|
|
||||||
|
|
||||||
/* Set custom variable `os` for hostgroup assignment in `groups.conf`. */
|
|
||||||
vars.os = "Linux"
|
|
||||||
}
|
|
||||||
{% endfor %}
|
|
|
@ -1,13 +0,0 @@
|
||||||
/**
|
|
||||||
* The db_ido_pgsql library implements IDO functionality
|
|
||||||
* for PostgreSQL.
|
|
||||||
*/
|
|
||||||
|
|
||||||
library "db_ido_pgsql"
|
|
||||||
|
|
||||||
object IdoPgsqlConnection "ido-pgsql" {
|
|
||||||
user = "{{ icinga_dbuser}}",
|
|
||||||
password = "{{ icinga_dbpass }}",
|
|
||||||
host = "localhost",
|
|
||||||
database = "{{ icinga_dbname }}"
|
|
||||||
}
|
|
|
@ -1,36 +0,0 @@
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
|
|
||||||
server_name {{ icinga_domain }};
|
|
||||||
|
|
||||||
location / {
|
|
||||||
return 301 https://{{ icinga_domain }}$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
server_name {{ icinga_domain }};
|
|
||||||
|
|
||||||
ssl_certificate_key /etc/nginx/ssl/{{ icinga_domain }}.key;
|
|
||||||
ssl_certificate /etc/nginx/ssl/{{ icinga_domain }}.crt;
|
|
||||||
|
|
||||||
location ~ ^/icingaweb2/index\.php(.*)$ {
|
|
||||||
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
|
|
||||||
fastcgi_index index.php;
|
|
||||||
include fastcgi_params;
|
|
||||||
fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
|
|
||||||
fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
|
|
||||||
fastcgi_param REMOTE_USER $remote_user;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ ^/icingaweb2(.+)? {
|
|
||||||
alias /usr/share/icingaweb2/public;
|
|
||||||
index index.php;
|
|
||||||
try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args;
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
|
@ -1,5 +1,8 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- name: Ensure apt over https is available
|
||||||
|
apt: name=apt-transport-https
|
||||||
|
|
||||||
- name: Add Jitsi repo key
|
- name: Add Jitsi repo key
|
||||||
apt_key:
|
apt_key:
|
||||||
id: EF8B479E2DC1389C
|
id: EF8B479E2DC1389C
|
||||||
|
|
|
@ -7,20 +7,20 @@
|
||||||
- git
|
- git
|
||||||
- graphviz
|
- graphviz
|
||||||
- imagemagick
|
- imagemagick
|
||||||
- mariadb-server
|
|
||||||
- mtr-tiny
|
- mtr-tiny
|
||||||
|
- mariadb-server
|
||||||
- nmap
|
- nmap
|
||||||
- php-cli
|
|
||||||
- php-curl
|
|
||||||
- php-fpm
|
|
||||||
- php-gd
|
|
||||||
- php-json
|
|
||||||
- php-mbstring
|
|
||||||
- php-mysql
|
|
||||||
- php-net-ipv4
|
- php-net-ipv4
|
||||||
- php-net-ipv6
|
- php-net-ipv6
|
||||||
- php-pear
|
- php-pear
|
||||||
- php-snmp
|
- php7.3-cli
|
||||||
|
- php7.3-curl
|
||||||
|
- php7.3-fpm
|
||||||
|
- php7.3-gd
|
||||||
|
- php7.3-json
|
||||||
|
- php7.3-mbstring
|
||||||
|
- php7.3-mysql
|
||||||
|
- php7.3-snmp
|
||||||
- python3-dotenv
|
- python3-dotenv
|
||||||
- python3-pymysql
|
- python3-pymysql
|
||||||
- python3-redis
|
- python3-redis
|
||||||
|
@ -51,8 +51,8 @@
|
||||||
regexp: ';?date\.timezone'
|
regexp: ';?date\.timezone'
|
||||||
line: 'date.timezone = Europe/Berlin'
|
line: 'date.timezone = Europe/Berlin'
|
||||||
with_items:
|
with_items:
|
||||||
- /etc/php/7.4/cli/php.ini
|
- /etc/php/7.3/cli/php.ini
|
||||||
- /etc/php/7.4/fpm/php.ini
|
- /etc/php/7.3/fpm/php.ini
|
||||||
|
|
||||||
- name: Ensure certificates are available
|
- name: Ensure certificates are available
|
||||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ librenms_domain }}.key -out /etc/nginx/ssl/{{ librenms_domain }}.crt -days 730 -subj "/CN={{ librenms_domain }}" creates=/etc/nginx/ssl/{{ librenms_domain }}.crt
|
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ librenms_domain }}.key -out /etc/nginx/ssl/{{ librenms_domain }}.crt -days 730 -subj "/CN={{ librenms_domain }}" creates=/etc/nginx/ssl/{{ librenms_domain }}.crt
|
||||||
|
@ -76,5 +76,5 @@
|
||||||
file: src=/etc/nginx/sites-available/librenms dest=/etc/nginx/sites-enabled/librenms state=link
|
file: src=/etc/nginx/sites-available/librenms dest=/etc/nginx/sites-enabled/librenms state=link
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
|
|
||||||
- name: Start php7.4-fpm
|
- name: Start php7.3-fpm
|
||||||
service: name=php7.4-fpm state=started enabled=yes
|
service: name=php7.3-fpm state=started enabled=yes
|
||||||
|
|
|
@ -31,7 +31,7 @@ server {
|
||||||
include fastcgi_params;
|
include fastcgi_params;
|
||||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||||
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
|
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
|
||||||
fastcgi_intercept_errors on;
|
fastcgi_intercept_errors on;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -11,10 +11,10 @@ SRS_DOMAIN={{ mail_srs_domain }}
|
||||||
# If a domain name starts with a dot, it matches all subdomains, but not
|
# If a domain name starts with a dot, it matches all subdomains, but not
|
||||||
# the domain itself. Separate multiple domains by space or comma.
|
# the domain itself. Separate multiple domains by space or comma.
|
||||||
#
|
#
|
||||||
SRS_EXCLUDE_DOMAINS=".{{ mail_domain }} {{ mail_domain }}
|
SRS_EXCLUDE_DOMAINS=.{{ mail_domain }} {{ mail_domain }}
|
||||||
{%- for domain in mail_domains %}
|
{%- for domain in mail_domains %}
|
||||||
.{{ domain }} {{ domain }}
|
.{{ domain }} {{ domain }}
|
||||||
{%- endfor %}"
|
{%- endfor %}
|
||||||
|
|
||||||
# First separator character after SRS0 or SRS1.
|
# First separator character after SRS0 or SRS1.
|
||||||
# Can be one of: -+=
|
# Can be one of: -+=
|
||||||
|
|
|
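Review bot: Dropping the quotes around `SRS_EXCLUDE_DOMAINS` leaves an unquoted value that contains spaces (the comment directly above says domains are separated by space or comma), and the `{%-` tags fold the loop output onto that same line. If this defaults file is sourced by a shell-style init script, everything after the first space stops being part of the assignment; which reader consumes it is not visible here, so treat this as something to confirm. Keeping the value quoted, `SRS_EXCLUDE_DOMAINS=".{{ mail_domain }} {{ mail_domain }}{% for domain in mail_domains %} .{{ domain }} {{ domain }}{% endfor %}"`, is safe under either reader.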
@ -1,5 +1,8 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- name: Enable https for apt
|
||||||
|
apt: name=apt-transport-https
|
||||||
|
|
||||||
- name: Enable matrix apt-key
|
- name: Enable matrix apt-key
|
||||||
apt_key: url="https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg"
|
apt_key: url="https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg"
|
||||||
|
|
||||||
|
@ -11,7 +14,7 @@
|
||||||
name:
|
name:
|
||||||
- matrix-synapse-py3
|
- matrix-synapse-py3
|
||||||
- postgresql
|
- postgresql
|
||||||
- python3-psycopg2
|
- python-psycopg2
|
||||||
|
|
||||||
- name: Configure PostgreSQL database
|
- name: Configure PostgreSQL database
|
||||||
postgresql_db: name={{ matrix_dbname }} lc_collate=C lc_ctype=C template=template0
|
postgresql_db: name={{ matrix_dbname }} lc_collate=C lc_ctype=C template=template0
|
||||||
|
|
File diff suppressed because it is too large
|
@ -23,14 +23,11 @@ server {
|
||||||
ssl_certificate_key /etc/nginx/ssl/{{ matrix_domain }}.key;
|
ssl_certificate_key /etc/nginx/ssl/{{ matrix_domain }}.key;
|
||||||
ssl_certificate /etc/nginx/ssl/{{ matrix_domain }}.crt;
|
ssl_certificate /etc/nginx/ssl/{{ matrix_domain }}.crt;
|
||||||
|
|
||||||
access_log off;
|
|
||||||
client_max_body_size 25M;
|
client_max_body_size 25M;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
proxy_pass http://localhost:8008;
|
proxy_pass http://localhost:8008;
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -43,13 +40,10 @@ server {
|
||||||
ssl_certificate_key /etc/nginx/ssl/{{ matrix_domain }}.key;
|
ssl_certificate_key /etc/nginx/ssl/{{ matrix_domain }}.key;
|
||||||
ssl_certificate /etc/nginx/ssl/{{ matrix_domain }}.crt;
|
ssl_certificate /etc/nginx/ssl/{{ matrix_domain }}.crt;
|
||||||
|
|
||||||
access_log off;
|
|
||||||
client_max_body_size 25M;
|
client_max_body_size 25M;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
proxy_pass http://localhost:8008;
|
proxy_pass http://localhost:8008;
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
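Review bot: Both `location /` blocks on the new side (the one in the first hunk and the identical one under `@ -43,13 +40,10 @@`) no longer pass `X-Forwarded-Proto $scheme` or `Host $host` to Synapse on port 8008. Synapse recovers the original scheme and client address from those forwarded headers when its listener has `x_forwarded` enabled, so without the protocol header everything arriving via this TLS vhost looks like plain HTTP to it. Add `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header Host $host;` next to the existing `proxy_set_header X-Forwarded-For $remote_addr;` in both blocks.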
@ -4,7 +4,6 @@
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
- ansible
|
- ansible
|
||||||
- gcc
|
|
||||||
- git
|
- git
|
||||||
- irssi
|
- irssi
|
||||||
- netcat6
|
- netcat6
|
||||||
|
|
|
@ -1,5 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
netbox_group: netbox
|
|
||||||
netbox_user: netbox
|
|
||||||
netbox_version: 3.0.7
|
|
|
@ -1,13 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: Run acertmgr
|
|
||||||
command: /usr/bin/acertmgr
|
|
||||||
|
|
||||||
- name: Reload systemd
|
|
||||||
systemd: daemon_reload=yes
|
|
||||||
|
|
||||||
- name: Restart netbox
|
|
||||||
service: name=netbox state=restarted
|
|
||||||
|
|
||||||
- name: Restart netbox-rq
|
|
||||||
service: name=netbox-rq state=restarted
|
|
|
@ -1,5 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
dependencies:
|
|
||||||
- { role: acertmgr }
|
|
||||||
- { role: nginx, nginx_ssl: True }
|
|
|
@ -1,145 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: Create group
|
|
||||||
group: name={{ netbox_group }}
|
|
||||||
|
|
||||||
- name: Create user
|
|
||||||
user: name={{ netbox_user }} home=/home/{{ netbox_user }} group={{ netbox_group }}
|
|
||||||
|
|
||||||
- name: Install dependencies
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- build-essential
|
|
||||||
- libffi-dev
|
|
||||||
- libpq-dev
|
|
||||||
- libssl-dev
|
|
||||||
- libxml2-dev
|
|
||||||
- libxslt1-dev
|
|
||||||
- python3-setuptools
|
|
||||||
- python3-dev
|
|
||||||
- python3-pip
|
|
||||||
- python3-venv
|
|
||||||
- zlib1g-dev
|
|
||||||
|
|
||||||
- name: Install PostgreSQL
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- postgresql
|
|
||||||
- python3-psycopg2
|
|
||||||
|
|
||||||
- name: Configure PostgreSQL database
|
|
||||||
postgresql_db:
|
|
||||||
name: '{{ netbox_dbname }}'
|
|
||||||
become: true
|
|
||||||
become_user: postgres
|
|
||||||
|
|
||||||
- name: Configure PostgreSQL user
|
|
||||||
postgresql_user:
|
|
||||||
db: '{{ netbox_dbname }}'
|
|
||||||
name: '{{ netbox_dbuser }}'
|
|
||||||
password: '{{ netbox_dbpass }}'
|
|
||||||
priv: ALL
|
|
||||||
state: present
|
|
||||||
become: true
|
|
||||||
become_user: postgres
|
|
||||||
|
|
||||||
- name: Install redis
|
|
||||||
apt: name=redis-server
|
|
||||||
|
|
||||||
- name: Unpack netbox
|
|
||||||
unarchive:
|
|
||||||
src: 'https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz'
|
|
||||||
dest: /opt
|
|
||||||
remote_src: yes
|
|
||||||
creates: '/opt/netbox-{{ netbox_version }}'
|
|
||||||
register: netbox_unarchive
|
|
||||||
|
|
||||||
- name: Configure netbox
|
|
||||||
template:
|
|
||||||
src: configuration.py.j2
|
|
||||||
dest: '/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py'
|
|
||||||
owner: '{{ netbox_user }}'
|
|
||||||
group: '{{ netbox_group }}'
|
|
||||||
|
|
||||||
- name: Configure gunicorn
|
|
||||||
template:
|
|
||||||
src: gunicorn.py.j2
|
|
||||||
dest: '/opt/netbox-{{ netbox_version }}/gunicorn.py'
|
|
||||||
owner: '{{ netbox_user }}'
|
|
||||||
group: '{{ netbox_group }}'
|
|
||||||
|
|
||||||
- name: Netbox file permissions
|
|
||||||
file:
|
|
||||||
path: '/opt/netbox-{{ netbox_version }}'
|
|
||||||
owner: '{{ netbox_user }}'
|
|
||||||
group: '{{ netbox_group }}'
|
|
||||||
recurse: yes
|
|
||||||
|
|
||||||
- name: Run upgrade script
|
|
||||||
command:
|
|
||||||
cmd: ./upgrade.sh
|
|
||||||
chdir: '/opt/netbox-{{ netbox_version }}'
|
|
||||||
become: true
|
|
||||||
become_user: '{{ netbox_user }}'
|
|
||||||
when: netbox_unarchive.changed
|
|
||||||
|
|
||||||
# TODO - still manual work
|
|
||||||
# * Create a super user
|
|
||||||
# * Migrate media files
|
|
||||||
|
|
||||||
- name: Install netbox housekeeping cronjob
|
|
||||||
template:
|
|
||||||
src: netbox-housekeeping.sh.j2
|
|
||||||
dest: /etc/cron.daily/netbox-housekeeping.sh
|
|
||||||
mode: 0755
|
|
||||||
|
|
||||||
- name: Ensure certificates are available
|
|
||||||
command:
|
|
||||||
cmd: >
|
|
||||||
openssl req -x509 -nodes -newkey rsa:2048
|
|
||||||
-keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt
|
|
||||||
-days 730 -subj "/CN={{ netbox_domain }}"
|
|
||||||
creates: '/etc/nginx/ssl/{{ netbox_domain }}.crt'
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Request nsupdate key for certificate
|
|
||||||
include_role: name=acme-dnskey-generate
|
|
||||||
vars:
|
|
||||||
acme_dnskey_san_domains:
|
|
||||||
- "{{ netbox_domain }}"
|
|
||||||
when: "'kitchen' in group_names"
|
|
||||||
|
|
||||||
- name: Configure certificate manager for netbox
|
|
||||||
template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
|
|
||||||
notify: Run acertmgr
|
|
||||||
|
|
||||||
- name: Configure vhost
|
|
||||||
template:
|
|
||||||
src: vhost.j2
|
|
||||||
dest: /etc/nginx/sites-available/netbox
|
|
||||||
owner: root
|
|
||||||
mode: '0644'
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Enable vhost
|
|
||||||
file:
|
|
||||||
src: /etc/nginx/sites-available/netbox
|
|
||||||
dest: /etc/nginx/sites-enabled/netbox
|
|
||||||
state: link
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Install systemd units
|
|
||||||
template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
|
|
||||||
with_items:
|
|
||||||
- netbox
|
|
||||||
- netbox-rq
|
|
||||||
notify:
|
|
||||||
- Reload systemd
|
|
||||||
- Restart netbox
|
|
||||||
- Restart netbox-rq
|
|
||||||
|
|
||||||
- name: Enable services
|
|
||||||
service: name={{ item }} state=started enabled=yes
|
|
||||||
with_items:
|
|
||||||
- netbox
|
|
||||||
- netbox-rq
|
|
|
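--- a/PATH_NOT_SHOWN_ON_PAGE/netbox-settings-template
+++ /dev/null
@@ -1,282 +0,0 @@
-#########################
-# #
-# Required settings #
-# #
-#########################
-
-# This is a list of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write
-# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name.
-#
-# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local']
-ALLOWED_HOSTS = ['{{ netbox_domain }}']
-
-# PostgreSQL database configuration. See the Django documentation for a complete list of available parameters:
-# https://docs.djangoproject.com/en/stable/ref/settings/#databases
-DATABASE = {
-'NAME': '{{ netbox_dbname }}', # Database name
-'USER': '{{ netbox_dbuser }}', # PostgreSQL username
-'PASSWORD': '{{ netbox_dbpass }}', # PostgreSQL password
-'HOST': 'localhost', # Database server
-'PORT': '', # Database port (leave blank for default)
-'CONN_MAX_AGE': 300, # Max database connection age
-}
-
-# Redis database settings. Redis is used for caching and for queuing background tasks such as webhook events. A separate
-# configuration exists for each. Full connection details are required in both sections, and it is strongly recommended
-# to use two separate database IDs.
-REDIS = {
-'tasks': {
-'HOST': 'localhost',
-'PORT': 6379,
-# Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
-# 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
-# 'SENTINEL_SERVICE': 'netbox',
-'PASSWORD': '',
-'DATABASE': 0,
-'SSL': False,
-# Set this to True to skip TLS certificate verification
-# This can expose the connection to attacks, be careful
-# 'INSECURE_SKIP_TLS_VERIFY': False,
-},
-'caching': {
-'HOST': 'localhost',
-'PORT': 6379,
-# Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
-# 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
-# 'SENTINEL_SERVICE': 'netbox',
-'PASSWORD': '',
-'DATABASE': 1,
-'SSL': False,
-# Set this to True to skip TLS certificate verification
-# This can expose the connection to attacks, be careful
-# 'INSECURE_SKIP_TLS_VERIFY': False,
-}
-}
-
-# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file.
-# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and
-# symbols. NetBox will not run without this defined. For more information, see
-# https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY
-SECRET_KEY = '{{ netbox_secret }}'
-
-
-#########################
-# #
-# Optional settings #
-# #
-#########################
-
-# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
-# application errors (assuming correct email settings are provided).
-ADMINS = [
-# ['John Doe', 'jdoe@example.com'],
-]
-
-# URL schemes that are allowed within links in NetBox
-ALLOWED_URL_SCHEMES = (
-'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
-)
-
-# Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same
-# content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP.
-BANNER_TOP = ''
-BANNER_BOTTOM = ''
-
-# Text to include on the login page above the login form. HTML is allowed.
-BANNER_LOGIN = ''
-
-# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set:
-# BASE_PATH = 'netbox/'
-BASE_PATH = ''
-
-# Maximum number of days to retain logged changes. Set to 0 to retain changes indefinitely. (Default: 90)
-CHANGELOG_RETENTION = 90
-
-# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
-# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
-# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
-CORS_ORIGIN_ALLOW_ALL = False
-CORS_ORIGIN_WHITELIST = [
-# 'https://hostname.example.com',
-]
-CORS_ORIGIN_REGEX_WHITELIST = [
-# r'^(https?://)?(\w+\.)?example\.com$',
-]
-
-# Specify any custom validators here, as a mapping of model to a list of validators classes. Validators should be
-# instances of or inherit from CustomValidator.
-# from extras.validators import CustomValidator
-CUSTOM_VALIDATORS = {
-# 'dcim.site': [
-# CustomValidator({
-# 'name': {
-# 'min_length': 10,
-# 'regex': r'\d{3}$',
-# }
-# })
-# ],
-}
-
-# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal
-# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging
-# on a production system.
-DEBUG = False
-
-# Email settings
-EMAIL = {
-'SERVER': 'localhost',
-'PORT': 25,
-'USERNAME': '',
-'PASSWORD': '',
-'USE_SSL': False,
-'USE_TLS': False,
-'TIMEOUT': 10, # seconds
-'FROM_EMAIL': '',
-}
-
-# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table
-# (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True.
-ENFORCE_GLOBAL_UNIQUE = False
-
-# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
-# by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
-EXEMPT_VIEW_PERMISSIONS = [
-# 'dcim.site',
-# 'dcim.region',
-# 'ipam.prefix',
-]
-
-# Enable the GraphQL API
-GRAPHQL_ENABLED = True
-
-# HTTP proxies NetBox should use when sending outbound HTTP requests (e.g. for webhooks).
-# HTTP_PROXIES = {
-# 'http': 'http://10.10.1.10:3128',
-# 'https': 'http://10.10.1.10:1080',
-# }
-
-# IP addresses recognized as internal to the system. The debugging toolbar will be available only to clients accessing
-# NetBox from an internal IP.
-INTERNAL_IPS = ('127.0.0.1', '::1')
-
-# Enable custom logging. Please see the Django documentation for detailed guidance on configuring custom logs:
-# https://docs.djangoproject.com/en/stable/topics/logging/
-LOGGING = {}
-
-# Automatically reset the lifetime of a valid session upon each authenticated request. Enables users to remain
-# authenticated to NetBox indefinitely.
-LOGIN_PERSISTENCE = False
-
-# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
-# are permitted to access most data in NetBox but not make any changes.
-LOGIN_REQUIRED = True
-
-# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
-# re-authenticate. (Default: 1209600 [14 days])
-LOGIN_TIMEOUT = None
-
-# Setting this to True will display a "maintenance mode" banner at the top of every page.
-MAINTENANCE_MODE = False
-
-# The URL to use when mapping physical addresses or GPS coordinates
-MAPS_URL = 'https://maps.google.com/?q='
-
-# An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g.
-# "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request
-# all objects by specifying "?limit=0".
-MAX_PAGE_SIZE = 1000
-
-# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
-# the default value of this setting is derived from the installed location.
-# MEDIA_ROOT = '/opt/netbox/netbox/media'
-
-# By default uploaded media is stored on the local filesystem. Using Django-storages is also supported. Provide the
-# class path of the storage driver in STORAGE_BACKEND and any configuration options in STORAGE_CONFIG. For example:
-# STORAGE_BACKEND = 'storages.backends.s3boto3.S3Boto3Storage'
-# STORAGE_CONFIG = {
-# 'AWS_ACCESS_KEY_ID': 'Key ID',
-# 'AWS_SECRET_ACCESS_KEY': 'Secret',
-# 'AWS_STORAGE_BUCKET_NAME': 'netbox',
-# 'AWS_S3_REGION_NAME': 'eu-west-1',
-# }
-
-# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
-METRICS_ENABLED = False
-
-# Credentials that NetBox will uses to authenticate to devices when connecting via NAPALM.
-NAPALM_USERNAME = ''
-NAPALM_PASSWORD = ''
-
-# NAPALM timeout (in seconds). (Default: 30)
-NAPALM_TIMEOUT = 30
-
-# NAPALM optional arguments (see https://napalm.readthedocs.io/en/latest/support/#optional-arguments). Arguments must
-# be provided as a dictionary.
-NAPALM_ARGS = {}
-
-# Determine how many objects to display per page within a list. (Default: 50)
-PAGINATE_COUNT = 50
-
-# Enable installed plugins. Add the name of each plugin to the list.
-PLUGINS = []
-
-# Plugins configuration settings. These settings are used by various plugins that the user may have installed.
-# Each key in the dictionary is the name of an installed plugin and its value is a dictionary of settings.
-# PLUGINS_CONFIG = {
-# 'my_plugin': {
-# 'foo': 'bar',
-# 'buzz': 'bazz'
-# }
-# }
-
-# When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to
-# prefer IPv4 instead.
-PREFER_IPV4 = False
-
-# Rack elevation size defaults, in pixels. For best results, the ratio of width to height should be roughly 10:1.
-RACK_ELEVATION_DEFAULT_UNIT_HEIGHT = 22
-RACK_ELEVATION_DEFAULT_UNIT_WIDTH = 220
-
-# Remote authentication support
-REMOTE_AUTH_ENABLED = False
-REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
-REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
-REMOTE_AUTH_AUTO_CREATE_USER = True
-REMOTE_AUTH_DEFAULT_GROUPS = []
-REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
-
-# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
-# version check or use the URL below to check for release in the official NetBox repository.
-RELEASE_CHECK_URL = None
-# RELEASE_CHECK_URL = 'https://api.github.com/repos/netbox-community/netbox/releases'
-
-# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of
-# this setting is derived from the installed location.
-# REPORTS_ROOT = '/opt/netbox/netbox/reports'
-
-# Maximum execution time for background tasks, in seconds.
-RQ_DEFAULT_TIMEOUT = 300
-
-# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of
-# this setting is derived from the installed location.
-# SCRIPTS_ROOT = '/opt/netbox/netbox/scripts'
-
-# The name to use for the session cookie.
-SESSION_COOKIE_NAME = 'sessionid'
-
-# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
-# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
-# database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
-SESSION_FILE_PATH = None
-
-# Time zone (default: UTC)
-TIME_ZONE = 'Europe/Berlin'
-
-# Date/time formatting. See the following link for supported formats:
-# https://docs.djangoproject.com/en/stable/ref/templates/builtins/#date
-DATE_FORMAT = 'N j, Y'
-SHORT_DATE_FORMAT = 'Y-m-d'
-TIME_FORMAT = 'g:i a'
-SHORT_TIME_FORMAT = 'H:i:s'
-DATETIME_FORMAT = 'N j, Y g:i a'
-SHORT_DATETIME_FORMAT = 'Y-m-d H:i'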
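--- a/PATH_NOT_SHOWN_ON_PAGE/gunicorn-config-template
+++ /dev/null
@@ -1,16 +0,0 @@
-# The IP address (typically localhost) and port that the Netbox WSGI process should listen on
-bind = '127.0.0.1:8001'
-
-# Number of gunicorn workers to spawn. This should typically be 2n+1, where
-# n is the number of CPU cores present.
-workers = 5
-
-# Number of threads per worker process
-threads = 3
-
-# Timeout (in seconds) for a request to complete
-timeout = 120
-
-# The maximum number of requests a worker can handle before being respawned
-max_requests = 5000
-max_requests_jitter = 500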
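--- a/PATH_NOT_SHOWN_ON_PAGE/netbox-housekeeping.sh.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/sh
-# This shell script invokes NetBox's housekeeping management command, which
-# intended to be run nightly. This script can be copied into your system's
-# daily cron directory (e.g. /etc/cron.daily), or referenced directly from
-# within the cron configuration file.
-#
-# If NetBox has been installed into a nonstandard location, update the paths
-# below.
-/opt/netbox-{{ netbox_version }}/venv/bin/python /opt/netbox-{{ netbox_version }}/netbox/manage.py housekeeping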
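--- a/PATH_NOT_SHOWN_ON_PAGE/netbox-rq.service.j2
+++ /dev/null
@@ -1,21 +0,0 @@
-[Unit]
-Description=NetBox Request Queue Worker
-Documentation=https://netbox.readthedocs.io/en/stable/
-After=network-online.target
-Wants=network-online.target
-
-[Service]
-Type=simple
-
-User=netbox
-Group=netbox
-WorkingDirectory=/opt/netbox-{{ netbox_version }}
-
-ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/python3 /opt/netbox-{{ netbox_version }}/netbox/manage.py rqworker
-
-Restart=on-failure
-RestartSec=30
-PrivateTmp=true
-
-[Install]
-WantedBy=multi-user.target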
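--- a/PATH_NOT_SHOWN_ON_PAGE/netbox.service.j2
+++ /dev/null
@@ -1,22 +0,0 @@
-[Unit]
-Description=NetBox WSGI Service
-Documentation=https://netbox.readthedocs.io/en/stable/
-After=network-online.target
-Wants=network-online.target
-
-[Service]
-Type=simple
-
-User=netbox
-Group=netbox
-PIDFile=/var/tmp/netbox.pid
-WorkingDirectory=/opt/netbox-{{ netbox_version }}
-
-ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox-{{ netbox_version }}/netbox --config /opt/netbox-{{ netbox_version }}/gunicorn.py netbox.wsgi
-
-Restart=on-failure
-RestartSec=30
-PrivateTmp=true
-
-[Install]
-WantedBy=multi-user.target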
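--- a/PATH_NOT_SHOWN_ON_PAGE/vhost.j2
+++ /dev/null
@@ -1,38 +0,0 @@
-server {
-listen 80;
-listen [::]:80;
-
-server_name {{ netbox_domain }};
-
-location /.well-known/acme-challenge {
-default_type "text/plain";
-alias /var/www/acme-challenge;
-}
-
-location / {
-return 301 https://{{ netbox_domain }}$request_uri;
-}
-}
-
-server {
-listen 443 ssl http2;
-listen [::]:443 ssl http2;
-
-server_name {{ netbox_domain }};
-
-ssl_certificate_key /etc/nginx/ssl/{{ netbox_domain }}.key;
-ssl_certificate /etc/nginx/ssl/{{ netbox_domain }}.crt;
-
-location /static/ {
-alias /opt/netbox-{{ netbox_version }}/netbox/static/;
-}
-
-location / {
-client_max_body_size 32M;
-
-proxy_pass http://localhost:8001;
-proxy_set_header X-Forwarded-Host $http_host;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-Proto $scheme;
-}
-}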
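--- a/PATH_NOT_SHOWN_ON_PAGE/php-opcache-ini
+++ b/PATH_NOT_SHOWN_ON_PAGE/php-opcache-ini
@@ -9,4 +9,3 @@ opcache.max_accelerated_files=10000
 opcache.memory_consumption=128
 opcache.save_comments=1
 opcache.revalidate_freq=1
-opcache.jit_buffer_size=100M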
@ -1,5 +1,5 @@
|
||||||
; Start a new pool named 'www'.
|
; Start a new pool named 'www'.
|
||||||
; the variable $pool can be used in any directive and will be replaced by the
|
; the variable $pool can we used in any directive and will be replaced by the
|
||||||
; pool name ('www' here)
|
; pool name ('www' here)
|
||||||
[www]
|
[www]
|
||||||
|
|
||||||
|
@ -29,20 +29,21 @@ group = www-data
|
||||||
; a specific port;
|
; a specific port;
|
||||||
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
|
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
|
||||||
; a specific port;
|
; a specific port;
|
||||||
; 'port' - to listen on a TCP socket to all addresses
|
; 'port' - to listen on a TCP socket to all IPv4 addresses on a
|
||||||
|
; specific port;
|
||||||
|
; '[::]:port' - to listen on a TCP socket to all addresses
|
||||||
; (IPv6 and IPv4-mapped) on a specific port;
|
; (IPv6 and IPv4-mapped) on a specific port;
|
||||||
; '/path/to/unix/socket' - to listen on a unix socket.
|
; '/path/to/unix/socket' - to listen on a unix socket.
|
||||||
; Note: This value is mandatory.
|
; Note: This value is mandatory.
|
||||||
listen = /run/php/php-fpm.sock
|
listen = /var/run/php-fpm.sock
|
||||||
|
|
||||||
; Set listen(2) backlog.
|
; Set listen(2) backlog.
|
||||||
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
|
; Default Value: 65535 (-1 on FreeBSD and OpenBSD)
|
||||||
;listen.backlog = 511
|
;listen.backlog = 65535
|
||||||
|
|
||||||
; Set permissions for unix socket, if one is used. In Linux, read/write
|
; Set permissions for unix socket, if one is used. In Linux, read/write
|
||||||
; permissions must be set in order to allow connections from a web server. Many
|
; permissions must be set in order to allow connections from a web server. Many
|
||||||
; BSD-derived systems allow connections regardless of permissions. The owner
|
; BSD-derived systems allow connections regardless of permissions.
|
||||||
; and group can be specified either by name or by their numeric IDs.
|
|
||||||
; Default Values: user and group are set as the running user
|
; Default Values: user and group are set as the running user
|
||||||
; mode is set to 0660
|
; mode is set to 0660
|
||||||
listen.owner = www-data
|
listen.owner = www-data
|
||||||
|
@ -53,7 +54,7 @@ listen.group = www-data
|
||||||
; When set, listen.owner and listen.group are ignored
|
; When set, listen.owner and listen.group are ignored
|
||||||
;listen.acl_users =
|
;listen.acl_users =
|
||||||
;listen.acl_groups =
|
;listen.acl_groups =
|
||||||
|
|
||||||
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
|
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
|
||||||
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
|
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
|
||||||
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
|
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
|
||||||
|
@ -70,12 +71,6 @@ listen.group = www-data
|
||||||
; Default Value: no set
|
; Default Value: no set
|
||||||
; process.priority = -19
|
; process.priority = -19
|
||||||
|
|
||||||
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
|
|
||||||
; or group is different than the master process user. It allows to create process
|
|
||||||
; core dump and ptrace the process for the pool user.
|
|
||||||
; Default Value: no
|
|
||||||
; process.dumpable = yes
|
|
||||||
|
|
||||||
; Choose how the process manager will control the number of child processes.
|
; Choose how the process manager will control the number of child processes.
|
||||||
; Possible Values:
|
; Possible Values:
|
||||||
; static - a fixed number (pm.max_children) of child processes;
|
; static - a fixed number (pm.max_children) of child processes;
|
||||||
|
@ -111,28 +106,28 @@ pm = dynamic
|
||||||
; forget to tweak pm.* to fit your needs.
|
; forget to tweak pm.* to fit your needs.
|
||||||
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
|
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
|
||||||
; Note: This value is mandatory.
|
; Note: This value is mandatory.
|
||||||
pm.max_children = 80
|
pm.max_children = 5
|
||||||
|
|
||||||
; The number of child processes created on startup.
|
; The number of child processes created on startup.
|
||||||
; Note: Used only when pm is set to 'dynamic'
|
; Note: Used only when pm is set to 'dynamic'
|
||||||
; Default Value: (min_spare_servers + max_spare_servers) / 2
|
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
|
||||||
pm.start_servers = 10
|
pm.start_servers = 2
|
||||||
|
|
||||||
; The desired minimum number of idle server processes.
|
; The desired minimum number of idle server processes.
|
||||||
; Note: Used only when pm is set to 'dynamic'
|
; Note: Used only when pm is set to 'dynamic'
|
||||||
; Note: Mandatory when pm is set to 'dynamic'
|
; Note: Mandatory when pm is set to 'dynamic'
|
||||||
pm.min_spare_servers = 10
|
pm.min_spare_servers = 1
|
||||||
|
|
||||||
; The desired maximum number of idle server processes.
|
; The desired maximum number of idle server processes.
|
||||||
; Note: Used only when pm is set to 'dynamic'
|
; Note: Used only when pm is set to 'dynamic'
|
||||||
; Note: Mandatory when pm is set to 'dynamic'
|
; Note: Mandatory when pm is set to 'dynamic'
|
||||||
pm.max_spare_servers = 15
|
pm.max_spare_servers = 3
|
||||||
|
|
||||||
; The number of seconds after which an idle process will be killed.
|
; The number of seconds after which an idle process will be killed.
|
||||||
; Note: Used only when pm is set to 'ondemand'
|
; Note: Used only when pm is set to 'ondemand'
|
||||||
; Default Value: 10s
|
; Default Value: 10s
|
||||||
;pm.process_idle_timeout = 10s;
|
;pm.process_idle_timeout = 10s;
|
||||||
|
|
||||||
; The number of requests each child process should execute before respawning.
|
; The number of requests each child process should execute before respawning.
|
||||||
; This can be useful to work around memory leaks in 3rd party libraries. For
|
; This can be useful to work around memory leaks in 3rd party libraries. For
|
||||||
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
|
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
|
||||||
|
@ -140,7 +135,7 @@ pm.max_spare_servers = 15
|
||||||
;pm.max_requests = 500
|
;pm.max_requests = 500
|
||||||
|
|
||||||
; The URI to view the FPM status page. If this value is not set, no URI will be
|
; The URI to view the FPM status page. If this value is not set, no URI will be
|
||||||
; recognized as a status page. It shows the following information:
|
; recognized as a status page. It shows the following informations:
|
||||||
; pool - the name of the pool;
|
; pool - the name of the pool;
|
||||||
; process manager - static, dynamic or ondemand;
|
; process manager - static, dynamic or ondemand;
|
||||||
; start time - the date and time FPM has started;
|
; start time - the date and time FPM has started;
|
||||||
|
@ -185,7 +180,7 @@ pm.max_spare_servers = 15
|
||||||
;
|
;
|
||||||
; By default the status page only outputs short status. Passing 'full' in the
|
; By default the status page only outputs short status. Passing 'full' in the
|
||||||
; query string will also return status for each pool process.
|
; query string will also return status for each pool process.
|
||||||
; Example:
|
; Example:
|
||||||
; http://www.foo.bar/status?full
|
; http://www.foo.bar/status?full
|
||||||
; http://www.foo.bar/status?json&full
|
; http://www.foo.bar/status?json&full
|
||||||
; http://www.foo.bar/status?html&full
|
; http://www.foo.bar/status?html&full
|
||||||
|
@ -230,30 +225,14 @@ pm.max_spare_servers = 15
|
||||||
; last request memory: 0
|
; last request memory: 0
|
||||||
;
|
;
|
||||||
; Note: There is a real-time FPM status monitoring sample web page available
|
; Note: There is a real-time FPM status monitoring sample web page available
|
||||||
; It's available in: /usr/share/php/8.0/fpm/status.html
|
; It's available in: /usr/share/php/7.0/fpm/status.html
|
||||||
;
|
;
|
||||||
; Note: The value must start with a leading slash (/). The value can be
|
; Note: The value must start with a leading slash (/). The value can be
|
||||||
; anything, but it may not be a good idea to use the .php extension or it
|
; anything, but it may not be a good idea to use the .php extension or it
|
||||||
; may conflict with a real PHP file.
|
; may conflict with a real PHP file.
|
||||||
; Default Value: not set
|
; Default Value: not set
|
||||||
;pm.status_path = /status
|
;pm.status_path = /status
|
||||||
|
|
||||||
; The address on which to accept FastCGI status request. This creates a new
|
|
||||||
; invisible pool that can handle requests independently. This is useful
|
|
||||||
; if the main pool is busy with long running requests because it is still possible
|
|
||||||
; to get the status before finishing the long running requests.
|
|
||||||
;
|
|
||||||
; Valid syntaxes are:
|
|
||||||
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
|
|
||||||
; a specific port;
|
|
||||||
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
|
|
||||||
; a specific port;
|
|
||||||
; 'port' - to listen on a TCP socket to all addresses
|
|
||||||
; (IPv6 and IPv4-mapped) on a specific port;
|
|
||||||
; '/path/to/unix/socket' - to listen on a unix socket.
|
|
||||||
; Default Value: value of the listen option
|
|
||||||
;pm.status_listen = 127.0.0.1:9001
|
|
||||||
|
|
||||||
; The ping URI to call the monitoring page of FPM. If this value is not set, no
|
; The ping URI to call the monitoring page of FPM. If this value is not set, no
|
||||||
; URI will be recognized as a ping page. This could be used to test from outside
|
; URI will be recognized as a ping page. This could be used to test from outside
|
||||||
; that FPM is alive and responding, or to
|
; that FPM is alive and responding, or to
|
||||||
|
@ -286,13 +265,13 @@ pm.max_spare_servers = 15
|
||||||
; %d: time taken to serve the request
|
; %d: time taken to serve the request
|
||||||
; it can accept the following format:
|
; it can accept the following format:
|
||||||
; - %{seconds}d (default)
|
; - %{seconds}d (default)
|
||||||
; - %{milliseconds}d
|
; - %{miliseconds}d
|
||||||
; - %{mili}d
|
; - %{mili}d
|
||||||
; - %{microseconds}d
|
; - %{microseconds}d
|
||||||
; - %{micro}d
|
; - %{micro}d
|
||||||
; %e: an environment variable (same as $_ENV or $_SERVER)
|
; %e: an environment variable (same as $_ENV or $_SERVER)
|
||||||
; it must be associated with embraces to specify the name of the env
|
; it must be associated with embraces to specify the name of the env
|
||||||
; variable. Some examples:
|
; variable. Some exemples:
|
||||||
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
|
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
|
||||||
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
|
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
|
||||||
; %f: script filename
|
; %f: script filename
|
||||||
|
@ -314,7 +293,7 @@ pm.max_spare_servers = 15
|
||||||
; - ....
|
; - ....
|
||||||
; %p: PID of the child that serviced the request
|
; %p: PID of the child that serviced the request
|
||||||
; %P: PID of the parent of the child that serviced the request
|
; %P: PID of the parent of the child that serviced the request
|
||||||
; %q: the query string
|
; %q: the query string
|
||||||
; %Q: the '?' character if query string exists
|
; %Q: the '?' character if query string exists
|
||||||
; %r: the request URI (without the query string, see %q and %Q)
|
; %r: the request URI (without the query string, see %q and %Q)
|
||||||
; %R: remote IP address
|
; %R: remote IP address
|
||||||
|
@ -322,87 +301,64 @@ pm.max_spare_servers = 15
|
||||||
; %t: server time the request was received
|
; %t: server time the request was received
|
||||||
; it can accept a strftime(3) format:
|
; it can accept a strftime(3) format:
|
||||||
; %d/%b/%Y:%H:%M:%S %z (default)
|
; %d/%b/%Y:%H:%M:%S %z (default)
|
||||||
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
|
|
||||||
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
|
|
||||||
; %T: time the log has been written (the request has finished)
|
; %T: time the log has been written (the request has finished)
|
||||||
; it can accept a strftime(3) format:
|
; it can accept a strftime(3) format:
|
||||||
; %d/%b/%Y:%H:%M:%S %z (default)
|
; %d/%b/%Y:%H:%M:%S %z (default)
|
||||||
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
|
|
||||||
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
|
|
||||||
; %u: remote user
|
; %u: remote user
|
||||||
;
|
;
|
||||||
; Default: "%R - %u %t \"%m %r\" %s"
|
; Default: "%R - %u %t \"%m %r\" %s"
|
||||||
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
|
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
|
||||||
|
|
||||||
; The log file for slow requests
|
; The log file for slow requests
|
||||||
; Default Value: not set
|
; Default Value: not set
|
||||||
; Note: slowlog is mandatory if request_slowlog_timeout is set
|
; Note: slowlog is mandatory if request_slowlog_timeout is set
|
||||||
;slowlog = log/$pool.log.slow
|
;slowlog = log/$pool.log.slow
|
||||||
|
|
||||||
; The timeout for serving a single request after which a PHP backtrace will be
|
; The timeout for serving a single request after which a PHP backtrace will be
|
||||||
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
|
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
|
||||||
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
|
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
|
||||||
; Default Value: 0
|
; Default Value: 0
|
||||||
;request_slowlog_timeout = 0
|
;request_slowlog_timeout = 0
|
||||||
|
|
||||||
; Depth of slow log stack trace.
|
|
||||||
; Default Value: 20
|
|
||||||
;request_slowlog_trace_depth = 20
|
|
||||||
|
|
||||||
; The timeout for serving a single request after which the worker process will
|
; The timeout for serving a single request after which the worker process will
|
||||||
; be killed. This option should be used when the 'max_execution_time' ini option
|
; be killed. This option should be used when the 'max_execution_time' ini option
|
||||||
; does not stop script execution for some reason. A value of '0' means 'off'.
|
; does not stop script execution for some reason. A value of '0' means 'off'.
|
||||||
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
|
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
|
||||||
; Default Value: 0
|
; Default Value: 0
|
||||||
;request_terminate_timeout = 0
|
;request_terminate_timeout = 0
|
||||||
|
|
||||||
; The timeout set by 'request_terminate_timeout' ini option is not engaged after
|
|
||||||
; application calls 'fastcgi_finish_request' or when application has finished and
|
|
||||||
; shutdown functions are being called (registered via register_shutdown_function).
|
|
||||||
; This option will enable timeout limit to be applied unconditionally
|
|
||||||
; even in such cases.
|
|
||||||
; Default Value: no
|
|
||||||
;request_terminate_timeout_track_finished = no
|
|
||||||
|
|
||||||
; Set open file descriptor rlimit.
|
; Set open file descriptor rlimit.
|
||||||
; Default Value: system defined value
|
; Default Value: system defined value
|
||||||
;rlimit_files = 1024
|
;rlimit_files = 1024
|
||||||
|
|
||||||
; Set max core size rlimit.
|
; Set max core size rlimit.
|
||||||
; Possible Values: 'unlimited' or an integer greater or equal to 0
|
; Possible Values: 'unlimited' or an integer greater or equal to 0
|
||||||
; Default Value: system defined value
|
; Default Value: system defined value
|
||||||
;rlimit_core = 0
|
;rlimit_core = 0
|
||||||
|
|
||||||
; Chroot to this directory at the start. This value must be defined as an
|
; Chroot to this directory at the start. This value must be defined as an
|
||||||
; absolute path. When this value is not set, chroot is not used.
|
; absolute path. When this value is not set, chroot is not used.
|
||||||
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
|
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
|
||||||
; of its subdirectories. If the pool prefix is not set, the global prefix
|
; of its subdirectories. If the pool prefix is not set, the global prefix
|
||||||
; will be used instead.
|
; will be used instead.
|
||||||
; Note: chrooting is a great security feature and should be used whenever
|
; Note: chrooting is a great security feature and should be used whenever
|
||||||
; possible. However, all PHP paths will be relative to the chroot
|
; possible. However, all PHP paths will be relative to the chroot
|
||||||
; (error_log, sessions.save_path, ...).
|
; (error_log, sessions.save_path, ...).
|
||||||
; Default Value: not set
|
; Default Value: not set
|
||||||
;chroot =
|
;chroot =
|
||||||
|
|
||||||
; Chdir to this directory at the start.
|
; Chdir to this directory at the start.
|
||||||
; Note: relative path can be used.
|
; Note: relative path can be used.
|
||||||
; Default Value: current directory or / when chroot
|
; Default Value: current directory or / when chroot
|
||||||
;chdir = /var/www
|
chdir = /
|
||||||
|
|
||||||
; Redirect worker stdout and stderr into main error log. If not set, stdout and
|
; Redirect worker stdout and stderr into main error log. If not set, stdout and
|
||||||
; stderr will be redirected to /dev/null according to FastCGI specs.
|
; stderr will be redirected to /dev/null according to FastCGI specs.
|
||||||
; Note: on highloaded environment, this can cause some delay in the page
|
; Note: on highloaded environement, this can cause some delay in the page
|
||||||
; process time (several ms).
|
; process time (several ms).
|
||||||
; Default Value: no
|
; Default Value: no
|
||||||
;catch_workers_output = yes
|
;catch_workers_output = yes
|
||||||
|
|
||||||
; Decorate worker output with prefix and suffix containing information about
|
|
||||||
; the child that writes to the log and if stdout or stderr is used as well as
|
|
||||||
; log level and time. This options is used only if catch_workers_output is yes.
|
|
||||||
; Settings to "no" will output data as written to the stdout or stderr.
|
|
||||||
; Default value: yes
|
|
||||||
;decorate_workers_output = no
|
|
||||||
|
|
||||||
; Clear environment in FPM workers
|
; Clear environment in FPM workers
|
||||||
; Prevents arbitrary environment variables from reaching FPM worker processes
|
; Prevents arbitrary environment variables from reaching FPM worker processes
|
||||||
; by clearing the environment in workers before env vars specified in this
|
; by clearing the environment in workers before env vars specified in this
|
||||||
|
@ -415,26 +371,25 @@ pm.max_spare_servers = 15
|
||||||
; Limits the extensions of the main script FPM will allow to parse. This can
|
; Limits the extensions of the main script FPM will allow to parse. This can
|
||||||
; prevent configuration mistakes on the web server side. You should only limit
|
; prevent configuration mistakes on the web server side. You should only limit
|
||||||
; FPM to .php extensions to prevent malicious users to use other extensions to
|
; FPM to .php extensions to prevent malicious users to use other extensions to
|
||||||
; execute php code.
|
; exectute php code.
|
||||||
; Note: set an empty value to allow all extensions.
|
; Note: set an empty value to allow all extensions.
|
||||||
; Default Value: .php
|
; Default Value: .php
|
||||||
;security.limit_extensions = .php .php3 .php4 .php5 .php7
|
;security.limit_extensions = .php .php3 .php4 .php5
|
||||||
|
|
||||||
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
|
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
|
||||||
; the current environment.
|
; the current environment.
|
||||||
; Default Value: clean env
|
; Default Value: clean env
|
||||||
;env[HOSTNAME] = $HOSTNAME
|
env[HOSTNAME] = $HOSTNAME
|
||||||
;env[PATH] = /usr/local/bin:/usr/bin:/bin
|
|
||||||
;env[TMP] = /tmp
|
|
||||||
;env[TMPDIR] = /tmp
|
|
||||||
;env[TEMP] = /tmp
|
|
||||||
env[PATH] = /usr/local/bin:/usr/bin:/bin
|
env[PATH] = /usr/local/bin:/usr/bin:/bin
|
||||||
|
env[TMP] = /tmp
|
||||||
|
env[TMPDIR] = /tmp
|
||||||
|
env[TEMP] = /tmp
|
||||||
|
|
||||||
; Additional php.ini defines, specific to this pool of workers. These settings
|
; Additional php.ini defines, specific to this pool of workers. These settings
|
||||||
; overwrite the values previously defined in the php.ini. The directives are the
|
; overwrite the values previously defined in the php.ini. The directives are the
|
||||||
; same as the PHP SAPI:
|
; same as the PHP SAPI:
|
||||||
; php_value/php_flag - you can set classic ini defines which can
|
; php_value/php_flag - you can set classic ini defines which can
|
||||||
; be overwritten from PHP call 'ini_set'.
|
; be overwritten from PHP call 'ini_set'.
|
||||||
; php_admin_value/php_admin_flag - these directives won't be overwritten by
|
; php_admin_value/php_admin_flag - these directives won't be overwritten by
|
||||||
; PHP call 'ini_set'
|
; PHP call 'ini_set'
|
||||||
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
|
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
|
||||||
|
@ -454,5 +409,3 @@ env[PATH] = /usr/local/bin:/usr/bin:/bin
|
||||||
;php_admin_value[error_log] = /var/log/fpm-php.www.log
|
;php_admin_value[error_log] = /var/log/fpm-php.www.log
|
||||||
;php_admin_flag[log_errors] = on
|
;php_admin_flag[log_errors] = on
|
||||||
;php_admin_value[memory_limit] = 32M
|
;php_admin_value[memory_limit] = 32M
|
||||||
php_admin_value[memory_limit] = 512M
|
|
||||||
|
|
||||||
|
|
|
@ -3,5 +3,5 @@
|
||||||
- name: Restart nginx
|
- name: Restart nginx
|
||||||
service: name=nginx state=restarted
|
service: name=nginx state=restarted
|
||||||
|
|
||||||
- name: Restart php8.0-fpm
|
- name: Restart php7.4-fpm
|
||||||
service: name=php8.0-fpm state=restarted
|
service: name=php7.4-fpm state=restarted
|
||||||
|
|
|
@ -1,56 +1,53 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- name: Enable https for apt
|
||||||
|
apt: name=apt-transport-https
|
||||||
|
|
||||||
- name: Enable sury php apt-key
|
- name: Enable sury php apt-key
|
||||||
apt_key: url="https://packages.sury.org/php/apt.gpg"
|
apt_key: url="https://packages.sury.org/php/apt.gpg"
|
||||||
|
|
||||||
- name: Enable sury php repository
|
- name: Enable sury php repository
|
||||||
apt_repository: repo="deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
|
apt_repository: repo="deb https://packages.sury.org/php/ stretch main"
|
||||||
|
|
||||||
- name: Enable collaboraoffice apt-key
|
|
||||||
apt_key: url="https://collaboraoffice.com/downloads/gpg/collaboraonline-release-keyring.gpg"
|
|
||||||
|
|
||||||
- name: Enable collaboraoffice repository
|
|
||||||
apt_repository: repo="deb https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-debian11 ./"
|
|
||||||
|
|
||||||
- name: Install packages
|
- name: Install packages
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
- php-redis
|
- php-redis
|
||||||
- php8.0
|
- php7.4
|
||||||
- php8.0-apcu
|
- php7.4-bcmath
|
||||||
- php8.0-bcmath
|
- php7.4-bz2
|
||||||
- php8.0-bz2
|
- php7.4-cli
|
||||||
- php8.0-cli
|
- php7.4-common
|
||||||
- php8.0-common
|
- php7.4-curl
|
||||||
- php8.0-curl
|
- php7.4-dev
|
||||||
- php8.0-dev
|
- php7.4-fpm
|
||||||
- php8.0-fpm
|
- php7.4-gd
|
||||||
- php8.0-gd
|
- php7.4-gmp
|
||||||
- php8.0-gmp
|
- php7.4-imap
|
||||||
- php8.0-imap
|
- php7.4-intl
|
||||||
- php8.0-intl
|
- php7.4-json
|
||||||
- php8.0-ldap
|
- php7.4-ldap
|
||||||
- php8.0-mbstring
|
- php7.4-mbstring
|
||||||
- php8.0-mysql
|
- php7.4-mysql
|
||||||
- php8.0-opcache
|
- php7.4-opcache
|
||||||
- php8.0-pgsql
|
- php7.4-pgsql
|
||||||
- php8.0-readline
|
- php7.4-readline
|
||||||
- php8.0-soap
|
- php7.4-soap
|
||||||
- php8.0-sqlite3
|
- php7.4-sqlite3
|
||||||
- php8.0-tidy
|
- php7.4-tidy
|
||||||
- php8.0-xml
|
- php7.4-xml
|
||||||
- php8.0-xmlrpc
|
- php7.4-xmlrpc
|
||||||
- php8.0-zip
|
- php7.4-zip
|
||||||
- postgresql
|
- postgresql
|
||||||
- python3-psycopg2
|
- python-psycopg2
|
||||||
|
|
||||||
- name: Configure PostgreSQL database
|
- name: Configure PostgreSQL database
|
||||||
postgresql_db: name={{ nextcloud_dbname }}
|
postgresql_db: name={{ owncloud_dbname }}
|
||||||
become: true
|
become: true
|
||||||
become_user: postgres
|
become_user: postgres
|
||||||
|
|
||||||
- name: Configure PostgreSQL user
|
- name: Configure PostgreSQL user
|
||||||
postgresql_user: db={{ nextcloud_dbname }} name={{ nextcloud_dbuser }} password={{ nextcloud_dbpass }} priv=ALL state=present
|
postgresql_user: db={{ owncloud_dbname }} name={{ owncloud_dbuser }} password={{ owncloud_dbpass }} priv=ALL state=present
|
||||||
become: true
|
become: true
|
||||||
become_user: postgres
|
become_user: postgres
|
||||||
|
|
||||||
|
@ -69,20 +66,22 @@
|
||||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/nextcloud
|
template: src=vhost.j2 dest=/etc/nginx/sites-available/nextcloud
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
|
|
||||||
- name: Configure php8.0-fpm
|
# FIXME currently PHP handled out of ansible
|
||||||
copy: src=www.conf dest=/etc/php/8.0/fpm/pool.d/www.conf
|
#- name: Configure php7.4-fpm
|
||||||
notify: Restart php8.0-fpm
|
# copy: src=www.conf dest=/etc/php/7.4/fpm/pool.d/www.conf
|
||||||
|
# notify: Restart php7.4-fpm
|
||||||
|
|
||||||
- name: Configure php8.0 opcache
|
# FIXME currently PHP handled out of ansible
|
||||||
copy: src=opcache.ini dest=/etc/php/8.0/mods-available/opcache.ini
|
#- name: Configure php7.4 opcache
|
||||||
notify: Restart php8.0-fpm
|
# copy: src=opcache.ini dest=/etc/php/7.4/mods-available/opcache.ini
|
||||||
|
# notify: Restart php7.4-fpm
|
||||||
|
|
||||||
- name: Enable vhost
|
- name: Enable vhost
|
||||||
file: src=/etc/nginx/sites-available/nextcloud dest=/etc/nginx/sites-enabled/nextcloud state=link
|
file: src=/etc/nginx/sites-available/nextcloud dest=/etc/nginx/sites-enabled/nextcloud state=link
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
|
|
||||||
- name: Start php8.0-fpm
|
- name: Start php7.4-fpm
|
||||||
service: name=php8.0-fpm state=started enabled=yes
|
service: name=php7.4-fpm state=started enabled=yes
|
||||||
|
|
||||||
- name: Start PostgreSQL
|
- name: Start PostgreSQL
|
||||||
service: name=postgresql state=started enabled=yes
|
service: name=postgresql state=started enabled=yes
|
||||||
|
|
|
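Review bot: The `postgresql_user: db={{ owncloud_dbname }} name={{ owncloud_dbuser }} password={{ owncloud_dbpass }} priv=ALL state=present` task in the first hunk carries no `no_log: true`, so the vault-sourced password is echoed with the task arguments in verbose runs and callback logs; add `no_log: true` to that task (the `postgresql_db` task above it does not need it). In the second hunk the www.conf and opcache.ini copy tasks are commented out under a FIXME, yet this same commit edits a `www.conf` (`chdir = /`, the `env[...]` pass-through) that appears to be this role's file given `copy: src=www.conf`, so those pool settings are never deployed — either restore the copy task or state in the FIXME where PHP is managed instead. `apt_key: url="https://packages.sury.org/php/apt.gpg"` is context here, but it imports whatever key the URL serves; pinning the expected fingerprint with `id=` is the usual check to add when this task is next touched.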
@ -1,7 +1,3 @@
|
||||||
upstream php-handler {
|
|
||||||
server unix:/run/php/php-fpm.sock;
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
|
@ -30,7 +26,7 @@ server {
|
||||||
# Add headers to serve security related headers
|
# Add headers to serve security related headers
|
||||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
|
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
add_header X-Frame-Options "SAMEORIGIN";
|
#add_header X-Frame-Options "SAMEORIGIN";
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
add_header X-Robots-Tag none;
|
add_header X-Robots-Tag none;
|
||||||
add_header X-Download-Options noopen;
|
add_header X-Download-Options noopen;
|
||||||
|
@ -46,52 +42,9 @@ server {
|
||||||
client_max_body_size 1G;
|
client_max_body_size 1G;
|
||||||
fastcgi_buffers 64 4K;
|
fastcgi_buffers 64 4K;
|
||||||
|
|
||||||
index index.php index.html /index.php$request_uri;
|
index index.php;
|
||||||
|
error_page 403 /core/templates/403.php;
|
||||||
|
error_page 404 /core/templates/404.php;
|
||||||
location ^~ /loleaflet {
|
|
||||||
proxy_pass http://localhost:9980;
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ^~ /hosting/discovery {
|
|
||||||
proxy_pass http://localhost:9980;
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ^~ /hosting/capabilities {
|
|
||||||
proxy_pass http://localhost:9980;
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ ^/lool/(.*)/ws$ {
|
|
||||||
proxy_pass http://localhost:9980;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "Upgrade";
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_read_timeout 36000s;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ ^/lool {
|
|
||||||
proxy_pass http://localhost:9980;
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ^~ /lool/adminws {
|
|
||||||
proxy_pass http://localhost:9980;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "Upgrade";
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_read_timeout 36000s;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
|
|
||||||
location = / {
|
|
||||||
if ( $http_user_agent ~ ^DavClnt ) {
|
|
||||||
return 302 /remote.php/webdav/$is_args$args;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
location = /robots.txt {
|
location = /robots.txt {
|
||||||
allow all;
|
allow all;
|
||||||
|
@ -99,65 +52,96 @@ server {
|
||||||
access_log off;
|
access_log off;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Make a regex exception for `/.well-known` so that clients can still
|
location = /.well-known/carddav {
|
||||||
# access it despite the existence of the regex rule
|
return 301 $scheme://$host/remote.php/dav;
|
||||||
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
|
|
||||||
# for `/.well-known`.
|
|
||||||
location ^~ /.well-known {
|
|
||||||
# The following 6 rules are borrowed from `.htaccess`
|
|
||||||
|
|
||||||
location = /.well-known/carddav { return 301 /remote.php/dav/; }
|
|
||||||
location = /.well-known/caldav { return 301 /remote.php/dav/; }
|
|
||||||
# Anything else is dynamically handled by Nextcloud
|
|
||||||
location ^~ /.well-known { return 301 /index.php$uri; }
|
|
||||||
|
|
||||||
try_files $uri $uri/ =404;
|
|
||||||
}
|
}
|
||||||
|
location = /.well-known/caldav {
|
||||||
# Rules borrowed from `.htaccess` to hide certain paths from clients
|
return 301 $scheme://$host/remote.php/dav;
|
||||||
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
|
|
||||||
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
|
|
||||||
|
|
||||||
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
|
|
||||||
# which handle static assets (as seen below). If this block is not declared first,
|
|
||||||
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
|
|
||||||
# to the URI, resulting in a HTTP 500 error response.
|
|
||||||
location ~ \.php(?:$|/) {
|
|
||||||
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
|
||||||
set $path_info $fastcgi_path_info;
|
|
||||||
|
|
||||||
try_files $fastcgi_script_name =404;
|
|
||||||
|
|
||||||
include fastcgi_params;
|
|
||||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
||||||
fastcgi_param PATH_INFO $path_info;
|
|
||||||
fastcgi_param HTTPS on;
|
|
||||||
|
|
||||||
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
|
|
||||||
fastcgi_param front_controller_active true; # Enable pretty urls
|
|
||||||
fastcgi_pass php-handler;
|
|
||||||
|
|
||||||
fastcgi_intercept_errors on;
|
|
||||||
fastcgi_request_buffering off;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ \.(?:css|js|svg|gif)$ {
|
|
||||||
try_files $uri /index.php$request_uri;
|
|
||||||
expires 6M; # Cache-Control policy borrowed from `.htaccess`
|
|
||||||
access_log off; # Optional: Don't log access to assets
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ \.woff2?$ {
|
|
||||||
try_files $uri /index.php$request_uri;
|
|
||||||
expires 7d; # Cache-Control policy borrowed from `.htaccess`
|
|
||||||
access_log off; # Optional: Don't log access to assets
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
try_files $uri $uri/ /index.php$request_uri;
|
rewrite ^ /index.php$request_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
|
||||||
|
deny all;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
|
||||||
|
deny all;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|ocm-provider\/.+)\.php(?:$|\/) {
|
||||||
|
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
|
||||||
|
include fastcgi_params;
|
||||||
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||||
|
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||||
|
fastcgi_pass unix:/run/php/php-fpm.sock;
|
||||||
|
fastcgi_param HTTPS on;
|
||||||
|
#Avoid sending the security headers twice
|
||||||
|
fastcgi_param modHeadersAvailable true;
|
||||||
|
fastcgi_param front_controller_active true;
|
||||||
|
fastcgi_intercept_errors on;
|
||||||
|
fastcgi_request_buffering off;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ ^\/(?:updater|ocs-provider|ocm-provider)(?:$|\/) {
|
||||||
|
try_files $uri/ =404;
|
||||||
|
index index.php;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Adding the cache control header for js and css files
|
||||||
|
# Make sure it is BELOW the PHP block
|
||||||
|
location ~ \.(?:css|js|woff2?|svg|gif)$ {
|
||||||
|
try_files $uri /index.php$request_uri;
|
||||||
|
add_header Cache-Control "public, max-age=15778463";
|
||||||
|
# Add headers to serve security related headers (It is intended to
|
||||||
|
# have those duplicated to the ones above)
|
||||||
|
# Before enabling Strict-Transport-Security headers please read into
|
||||||
|
# this topic first.
|
||||||
|
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
|
||||||
|
#
|
||||||
|
# WARNING: Only add the preload option once you read about
|
||||||
|
# the consequences in https://hstspreload.org/. This option
|
||||||
|
# will add the domain to a hardcoded list that is shipped
|
||||||
|
# in all major browsers and getting removed from this list
|
||||||
|
# could take several months.
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
add_header X-Robots-Tag none;
|
||||||
|
add_header X-Download-Options noopen;
|
||||||
|
add_header X-Permitted-Cross-Domain-Policies none;
|
||||||
|
add_header Referrer-Policy no-referrer;
|
||||||
|
# Optional: Don't log access to assets
|
||||||
|
access_log off;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
|
||||||
|
try_files $uri /index.php$request_uri;
|
||||||
|
# Optional: Don't log access to other assets
|
||||||
|
access_log off;
|
||||||
|
}
|
||||||
|
|
||||||
|
# collabora static files
|
||||||
|
location ^~ /loleaflet {
|
||||||
|
proxy_pass http://localhost:9980;
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
}
|
||||||
|
|
||||||
|
# collabora WOPI discovery URL
|
||||||
|
location ^~ /hosting/discovery {
|
||||||
|
proxy_pass http://localhost:9980;
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
}
|
||||||
|
|
||||||
|
# collabora websockets, download, presentation and image upload
|
||||||
|
location ^~ /lool {
|
||||||
|
proxy_pass http://localhost:9980;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "upgrade";
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
}
|
||||||
|
|
||||||
# collabora static files
|
# collabora static files
|
||||||
location /drawio {
|
location /drawio {
|
||||||
|
|
|
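Review bot: The new side comments out `add_header X-Frame-Options "SAMEORIGIN";` in the server-level header block while the PHP location still passes `fastcgi_param modHeadersAvailable true`, which tells Nextcloud the web server is responsible for those headers; from this file alone nothing else emits X-Frame-Options, so confirm Nextcloud still sends it itself or restore `add_header X-Frame-Options "SAMEORIGIN";`. The `location ~ \.(?:css|js|woff2?|svg|gif)$` block repeats the header list because an `add_header` inside a location replaces the inherited set, so the same header belongs there too. The server block these hunks edit starts and ends outside the shown lines.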
@ -1,3 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
nginx_anonymize: False
|
|
|
@ -47,32 +47,7 @@ http {
|
||||||
# Logging Settings
|
# Logging Settings
|
||||||
##
|
##
|
||||||
|
|
||||||
{% if nginx_anonymize %}
|
|
||||||
map $remote_addr $ip_anonym1 {
|
|
||||||
default 0.0.0;
|
|
||||||
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
|
|
||||||
"~(?P<ip>[^:]+:[^:]+):" $ip;
|
|
||||||
}
|
|
||||||
|
|
||||||
map $remote_addr $ip_anonym2 {
|
|
||||||
default .0;
|
|
||||||
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
|
|
||||||
"~(?P<ip>[^:]+:[^:]+):" ::;
|
|
||||||
}
|
|
||||||
|
|
||||||
map $ip_anonym1$ip_anonym2 $ip_anonymized {
|
|
||||||
default 0.0.0.0;
|
|
||||||
"~(?P<ip>.*)" $ip;
|
|
||||||
}
|
|
||||||
|
|
||||||
log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
|
|
||||||
'"$request" $status $body_bytes_sent '
|
|
||||||
'"$http_referer" "$http_user_agent"';
|
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log anonymized;
|
|
||||||
{% else %}
|
|
||||||
access_log /var/log/nginx/access.log;
|
access_log /var/log/nginx/access.log;
|
||||||
{% endif %}
|
|
||||||
error_log /var/log/nginx/error.log;
|
error_log /var/log/nginx/error.log;
|
||||||
|
|
||||||
##
|
##
|
|
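Review bot: With the anonymising `map`/`log_format` gone, `access_log /var/log/nginx/access.log;` now records unmasked client addresses in the default format, and nothing in the file states how long that data is kept. If that is intended, a comment above the directive such as `# access.log stores unmasked client IPs; retention: <policy>` documents the decision; otherwise a masking `log_format` is the usual mitigation. The `http {` block this hunk sits in continues outside the view.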
@ -8,13 +8,7 @@
|
||||||
when: nginx_ssl
|
when: nginx_ssl
|
||||||
|
|
||||||
- name: Ensure certificates are available
|
- name: Ensure certificates are available
|
||||||
command:
|
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key -out /etc/nginx/ssl/{{ ansible_fqdn }}.crt -days 730 -subj "/CN={{ ansible_fqdn }}" creates=/etc/nginx/ssl/{{ ansible_fqdn }}.crt
|
||||||
cmd: >
|
|
||||||
openssl req -x509 -nodes -newkey rsa:2048
|
|
||||||
-keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key
|
|
||||||
-out /etc/nginx/ssl/{{ ansible_fqdn }}.crt
|
|
||||||
-days 730 -subj "/CN={{ ansible_fqdn }}"
|
|
||||||
creates: /etc/nginx/ssl/{{ ansible_fqdn }}.crt
|
|
||||||
when: nginx_ssl
|
when: nginx_ssl
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
|
|
||||||
|
@ -30,7 +24,7 @@
|
||||||
- /etc/nginx/dhparam.pem
|
- /etc/nginx/dhparam.pem
|
||||||
|
|
||||||
- name: Configure nginx
|
- name: Configure nginx
|
||||||
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
|
copy: src=nginx.conf dest=/etc/nginx/nginx.conf
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
|
|
||||||
- name: Configure default vhost
|
- name: Configure default vhost
|
||||||
|
|
|
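Review bot: The `command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key ...` task writes an unencrypted private key but sets no file mode, and the `command` module has no umask option, so the key's permissions follow the remote umask (typically world-readable 0644); add a follow-up task `file: path=/etc/nginx/ssl/{{ ansible_fqdn }}.key owner=root group=root mode=0600` guarded by the same `when: nginx_ssl`. The `when: nginx_ssl` at the top of the first hunk belongs to a task that starts outside the view.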
@ -1,5 +1,3 @@
|
||||||
# {{ ansible_managed }}
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 80 default_server;
|
listen 80 default_server;
|
||||||
listen [::]:80 default_server;
|
listen [::]:80 default_server;
|
||||||
|
|
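--- /dev/null
+++ b/roles/ntp/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Restart ntp
+  service: name=ntp state=restarted
+
+- name: Restart ntpd
+  service: name=ntpd state=restarted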
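--- /dev/null
+++ b/roles/ntp/tasks/Debian.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Install ntp
+  apt: name=ntp
+
+- name: Configure ntp
+  template: src=ntp.conf.j2 dest=/etc/ntp.conf
+  notify: Restart ntp
+
+- name: Start the ntp service
+  service: name=ntp state=started enabled=yes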
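--- /dev/null
+++ b/roles/ntp/tasks/FreeBSD.yml
@@ -0,0 +1,10 @@
+---
+
+# ntp is already installed on FreeBSD
+
+- name: Configure ntp
+  template: src=ntp.conf.j2 dest=/etc/ntp.conf
+  notify: Restart ntpd
+
+- name: Start the ntp service
+  service: name=ntpd state=started enabled=yes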
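--- /dev/null
+++ b/roles/ntp/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Debian
+  include: Debian.yml
+  when: ansible_os_family == 'Debian'
+
+- name: FreeBSD
+  include: FreeBSD.yml
+  when: ansible_distribution == 'FreeBSD'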
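Review bot: `include: Debian.yml` and `include: FreeBSD.yml` use the bare `include` keyword, which Ansible deprecated in 2.4 in favour of the explicit `import_tasks:` (static) or `include_tasks:` (dynamic) forms; with a `when:` selecting one file per host, `include_tasks: Debian.yml` keeps the current behaviour. The two conditions also test different facts (`ansible_os_family` versus `ansible_distribution`); if `ansible_os_family` reports `FreeBSD` on those hosts (confirm on one), using it for both reads more consistently.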
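--- /dev/null
+++ b/roles/ntp/templates/ntp.conf.j2
@@ -0,0 +1,15 @@
+{% for srv in ntp_servers %}
+server {{ srv }} iburst
+{% endfor %}
+{% if ntp_peers is defined %}
+
+{% for peer in ntp_peers %}
+peer {{ peer }}
+{% endfor %}
+{% endif %}
+
+restrict default kod nomodify notrap nopeer noquery
+restrict -6 default kod nomodify notrap nopeer noquery
+
+restrict 127.0.0.1
+restrict -6 ::1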
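Review bot: The two `restrict default kod nomodify notrap nopeer noquery` lines carry `kod` but not `limited`; as I read the ntp access-control documentation, a KoD reply is only produced when the `limited` rate check is violated, so without `limited` the `kod` flag has nothing to act on and no rate limiting applies to unknown clients. Debian's stock ntp.conf uses `restrict default kod nomodify notrap nopeer noquery limited`, and the same line (plus its `-6` twin) would fit here. `noquery` on the default entry is the part that matters for reflection mitigation and is already present.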
@ -1,14 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: Enable PBS apt-key
|
|
||||||
apt_key:
|
|
||||||
url: "https://enterprise.proxmox.com/debian/proxmox-release-bullseye.gpg"
|
|
||||||
|
|
||||||
- name: Enable PBS repository
|
|
||||||
apt_repository:
|
|
||||||
repo: "deb http://download.proxmox.com/debian/pbs bullseye pbs-no-subscription"
|
|
||||||
filename: pbs
|
|
||||||
|
|
||||||
- name: Install PBS
|
|
||||||
apt:
|
|
||||||
name: proxmox-backup-server
|
|
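--- /dev/null
+++ b/roles/pizza/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+
+pizza_domain: pizza.binary.kitchen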
@ -2,4 +2,3 @@
|
||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
- { role: acertmgr }
|
- { role: acertmgr }
|
||||||
- { role: nginx, nginx_ssl: True }
|
|
15
roles/pizza/tasks/main.yml
Normal file
15
roles/pizza/tasks/main.yml
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
#- name: Ensure certificates are available
|
||||||
|
# command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ pizza_domain }}.key -out /etc/nginx/ssl/{{ pizza_domain }}.crt -days 730 -subj "/CN={{ pizza_domain }}" creates=/etc/nginx/ssl/{{ pizza_domain }}.crt
|
||||||
|
# notify: Restart nginx
|
||||||
|
|
||||||
|
- name: Request nsupdate key for certificate
|
||||||
|
include_role: name=acme-dnskey-generate
|
||||||
|
vars:
|
||||||
|
acme_dnskey_san_domains:
|
||||||
|
- "{{ pizza_domain }}"
|
||||||
|
|
||||||
|
- name: Configure certificate manager for pizza
|
||||||
|
template: src=certs.j2 dest=/etc/acertmgr/{{ pizza_domain }}.conf
|
||||||
|
notify: Run acertmgr
|
|
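Review bot: The commented-out `#- name: Ensure certificates are available` / `# command: openssl req ...` / `# notify: Restart nginx` block is left in with no explanation; the acertmgr tasks below replace it, so either delete the three lines or reduce them to `# Certificates come from acertmgr (see below); no self-signed fallback is generated here.` The `include_role: name=acme-dnskey-generate` line mixes the key=value shorthand with the YAML-mapping `vars:` block in the same task; writing `include_role:` with a nested `name:` key matches the rest of the task.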
@ -1,16 +1,16 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
{{ netbox_domain }}:
|
{{ pizza_domain }}:
|
||||||
- mode: dns.nsupdate
|
- mode: dns.nsupdate
|
||||||
nsupdate_server: {{ acme_dnskey_server }}
|
nsupdate_server: {{ acme_dnskey_server }}
|
||||||
nsupdate_keyfile: {{ acme_dnskey_file }}
|
nsupdate_keyfile: {{ acme_dnskey_file }}
|
||||||
- path: /etc/nginx/ssl/{{ netbox_domain }}.key
|
- path: /etc/nginx/ssl/{{ pizza_domain }}.key
|
||||||
user: root
|
user: root
|
||||||
group: root
|
group: root
|
||||||
perm: '400'
|
perm: '400'
|
||||||
format: key
|
format: key
|
||||||
action: '/usr/sbin/service nginx restart'
|
action: '/usr/sbin/service nginx restart'
|
||||||
- path: /etc/nginx/ssl/{{ netbox_domain }}.crt
|
- path: /etc/nginx/ssl/{{ pizza_domain }}.crt
|
||||||
user: root
|
user: root
|
||||||
group: root
|
group: root
|
||||||
perm: '400'
|
perm: '400'
|
|
@ -1,4 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
pretix_user: pretix
|
|
||||||
pretix_group: pretix
|
|
|
@ -1,13 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: Run acertmgr
|
|
||||||
command: /usr/bin/acertmgr
|
|
||||||
|
|
||||||
- name: Reload systemd
|
|
||||||
systemd: daemon_reload=yes
|
|
||||||
|
|
||||||
- name: Restart pretix-web
|
|
||||||
service: name=pretix-web state=restarted
|
|
||||||
|
|
||||||
- name: Restart pretix-worker
|
|
||||||
service: name=pretix-worker state=restarted
|
|
|
@ -1,127 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: Create group
|
|
||||||
group: name={{ pretix_group }}
|
|
||||||
|
|
||||||
- name: Create user
|
|
||||||
user: name={{ pretix_user }} home=/home/{{ pretix_user }} group={{ pretix_group }}
|
|
||||||
|
|
||||||
- name: Create pretix directories
|
|
||||||
file: path={{ item }} state=directory owner={{ pretix_user }} group={{ pretix_group }}
|
|
||||||
with_items:
|
|
||||||
- /etc/pretix
|
|
||||||
- /opt/pretix
|
|
||||||
- /opt/pretix/data
|
|
||||||
- /opt/pretix/data/media
|
|
||||||
|
|
||||||
- name: Install dependencies
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- build-essential
|
|
||||||
- gettext
|
|
||||||
- libffi-dev
|
|
||||||
- libpq-dev
|
|
||||||
- libssl-dev
|
|
||||||
- libxml2-dev
|
|
||||||
- libxslt1-dev
|
|
||||||
- nodejs
|
|
||||||
- python3-setuptools
|
|
||||||
- python3-dev
|
|
||||||
- python3-pip
|
|
||||||
- python3-venv
|
|
||||||
- zlib1g-dev
|
|
||||||
|
|
||||||
- name: Install PostgreSQL
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- postgresql
|
|
||||||
- python3-psycopg2
|
|
||||||
|
|
||||||
- name: Configure PostgreSQL database
|
|
||||||
postgresql_db: name={{ pretix_dbname }}
|
|
||||||
become: true
|
|
||||||
become_user: postgres
|
|
||||||
|
|
||||||
- name: Configure PostgreSQL user
|
|
||||||
postgresql_user: db={{ pretix_dbname }} name={{ pretix_dbuser }} password={{ pretix_dbpass }} priv=ALL state=present
|
|
||||||
become: true
|
|
||||||
become_user: postgres
|
|
||||||
|
|
||||||
- name: Install redis
|
|
||||||
apt: name=redis-server
|
|
||||||
|
|
||||||
- name: Install pretix
|
|
||||||
pip:
|
|
||||||
name:
|
|
||||||
- gunicorn
|
|
||||||
- pretix
|
|
||||||
virtualenv: /opt/pretix/venv
|
|
||||||
virtualenv_command: "python3 -m venv"
|
|
||||||
become: true
|
|
||||||
become_user: "{{ pretix_user }}"
|
|
||||||
register: pretix_install
|
|
||||||
|
|
||||||
- name: Configure pretix
|
|
||||||
template:
|
|
||||||
src: pretix.cfg.j2
|
|
||||||
dest: /etc/pretix/pretix.cfg
|
|
||||||
owner: "{{ pretix_user }}"
|
|
||||||
group: "{{ pretix_group }}"
|
|
||||||
notify:
|
|
||||||
- Restart pretix-web
|
|
||||||
- Restart pretix-worker
|
|
||||||
|
|
||||||
- name: Run migration script
|
|
||||||
command:
|
|
||||||
cmd: "./venv/bin/python3 -m pretix migrate"
|
|
||||||
chdir: "/opt/pretix"
|
|
||||||
become: true
|
|
||||||
become_user: "{{ pretix_user }}"
|
|
||||||
when: pretix_install.changed
|
|
||||||
|
|
||||||
- name: Run rebuild script
|
|
||||||
command:
|
|
||||||
cmd: "./venv/bin/python3 -m pretix rebuild"
|
|
||||||
chdir: "/opt/pretix"
|
|
||||||
become: true
|
|
||||||
become_user: "{{ pretix_user }}"
|
|
||||||
when: pretix_install.changed
|
|
||||||
|
|
||||||
- name: Enable pretix cronjob
|
|
||||||
cron:
|
|
||||||
user: "{{ pretix_user }}"
|
|
||||||
name: pretix
|
|
||||||
minute: "*/5"
|
|
||||||
job: "export PATH=/opt/pretix/venv/bin:$PATH && cd /opt/pretix && python -m pretix runperiodic"
|
|
||||||
|
|
||||||
- name: Ensure certificates are available
|
|
||||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ pretix_domain }}.key -out /etc/nginx/ssl/{{ pretix_domain }}.crt -days 730 -subj "/CN={{ pretix_domain }}" creates=/etc/nginx/ssl/{{ pretix_domain }}.crt
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Configure certificate manager for pretix
|
|
||||||
template: src=certs.j2 dest=/etc/acertmgr/{{ pretix_domain }}.conf
|
|
||||||
notify: Run acertmgr
|
|
||||||
|
|
||||||
- name: Configure vhost
|
|
||||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/pretix
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Enable vhost
|
|
||||||
file: src=/etc/nginx/sites-available/pretix dest=/etc/nginx/sites-enabled/pretix state=link
|
|
||||||
notify: Restart nginx
|
|
||||||
|
|
||||||
- name: Install systemd units
|
|
||||||
template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
|
|
||||||
with_items:
|
|
||||||
- pretix-web
|
|
||||||
- pretix-worker
|
|
||||||
notify:
|
|
||||||
- Reload systemd
|
|
||||||
- Restart pretix-web
|
|
||||||
- Restart pretix-worker
|
|
||||||
|
|
||||||
- name: Enable services
|
|
||||||
service: name={{ item }} state=started enabled=yes
|
|
||||||
with_items:
|
|
||||||
- pretix-web
|
|
||||||
- pretix-worker
|
|
|
@ -1,18 +0,0 @@
|
||||||
[Unit]
|
|
||||||
Description=pretix web service
|
|
||||||
After=network.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
User={{ pretix_user }}
|
|
||||||
Group={{ pretix_group }}
|
|
||||||
Environment="VIRTUAL_ENV=/opt/pretix/venv"
|
|
||||||
Environment="PATH=/opt/pretix/venv/bin:/usr/local/bin:/usr/bin:/bin"
|
|
||||||
ExecStart=/opt/pretix/venv/bin/gunicorn pretix.wsgi \
|
|
||||||
--name pretix --workers 5 \
|
|
||||||
--max-requests 1200 --max-requests-jitter 50 \
|
|
||||||
--log-level=info --bind=127.0.0.1:8345
|
|
||||||
WorkingDirectory=/opt/pretix
|
|
||||||
Restart=on-failure
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|