110 Commits
Author | SHA1 | Date | |
---|---|---|---|
4af3743d75 | |||
933fa6387e | |||
966e96f2f9 | |||
f367fb6e76 | |||
af2c7e6c2d | |||
e44d76a7be | |||
7ad28a20d0 | |||
8e8b2be194 | |||
cb2887adff | |||
ab82b09431 | |||
75ec080860 | |||
577706dbbe | |||
7bc18ea42f | |||
813d32fd6b | |||
364cda3347 | |||
291a84b65a | |||
61d2b601e9 | |||
9ff860d6ec | |||
60cfb76658 | |||
24e5d5d3fb | |||
f54e173040 | |||
b89409207b | |||
a1ab02769e | |||
10bcd42d02 | |||
d2ad4fe142 | |||
37a8d9c739 | |||
d67048b79b | |||
1de1c7e7ea | |||
6b3f6ae80b | |||
4d67b3fc6e | |||
e8dde1ec94 | |||
35794adb90 | |||
a09942a01e | |||
58e68d1255 | |||
21172dbbd7 | |||
980a705dd6 | |||
7f30b97d69 | |||
51065764da | |||
cdfd65e83f | |||
9a70e83037 | |||
43cf634b96 | |||
77d9ebcd13 | |||
6dceeeb9a4 | |||
f19e8af40f | |||
1f967c2925 | |||
2eb5440c3c | |||
0d288bf6e1 | |||
865c58bd4c | |||
1b0db12005 | |||
36b75e1c6a | |||
0dd467e564 | |||
2438917f79 | |||
26bdefaa10 | |||
de1a36efb1 | |||
ead1afc293 | |||
869a84dc3d | |||
7ac10f0e7d | |||
5e9360bd48 | |||
2f6ae888b5 | |||
be35ad698f | |||
3be8cce6d8 | |||
41a94d7142 | |||
e03d7ab821 | |||
5266df5c52 | |||
f0c55693a8 | |||
241c706625 | |||
1b9b5badd3 | |||
7a4ec7aae1 | |||
09043f39ca | |||
cbee52e0bc | |||
c163f271e3 | |||
870cce1e12 | |||
f96090ca5d | |||
5406efcef1 | |||
046fe91aef | |||
139c8d9904 | |||
1b34fd4944 | |||
d2c46eae8c | |||
b2442be2d8 | |||
7b1f998af2 | |||
3e1cdb6bf5 | |||
e8dcf169e2 | |||
e0a5d012ee | |||
1aebd59435 | |||
66ee1f011e | |||
be3c4f3cf7 | |||
0c1e89c24e | |||
f18c07e9fa | |||
a5620befbe | |||
c93b864f03 | |||
5156bdf33c | |||
9e7f968c7b | |||
e54a60e828 | |||
19242491f5 | |||
1a5f7b7e3f | |||
ae725e673c | |||
8a27fe96b1 | |||
b03c92eba0 | |||
90cbfdb435 | |||
dae9ba85e4 | |||
57709979eb | |||
a7373f86f3 | |||
4cc75159d2 | |||
ac892a93cb | |||
15fbe6c29c | |||
39e5ad9e20 | |||
482ac2078d | |||
2514396745 | |||
b1589a0ec1 | |||
df78e0119f |
@ -1,5 +1,6 @@
|
||||
[defaults]
|
||||
ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
|
||||
interpreter_python = auto
|
||||
inventory = ./hosts
|
||||
nocows = 1
|
||||
remote_user = root
|
||||
|
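Review bot: `remote_user = root` makes every play open its SSH session directly as root; the hunk header shows one added line and the rendering does not mark which, so if this is the addition, a full-line comment above it such as `; key-only root login is intended; root_keys in group_vars is the single source of those keys` would document the decision and stop the next reader from reaching for `become` with an unprivileged user. The `[defaults]` header and `inventory = ./hosts` suggest this is ansible.cfg; the file header itself is not shown on this page.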
@ -34,11 +34,19 @@ gitea_dbpass: "{{ vault_gitea_dbpass }}"
|
||||
gitea_secret: "{{ vault_gitea_secret }}"
|
||||
gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
|
||||
|
||||
hackmd_domain: pad.binary-kitchen.de
|
||||
hackmd_dbname: hackmd
|
||||
hackmd_dbuser: hackmd
|
||||
hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
|
||||
hackmd_secret: "{{ vault_hackmd_secret }}"
|
||||
hedgedoc_domain: pad.binary-kitchen.de
|
||||
hedgedoc_dbname: hackmd
|
||||
hedgedoc_dbuser: hackmd
|
||||
hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}"
|
||||
hedgedoc_secret: "{{ vault_hedgedoc_secret }}"
|
||||
|
||||
icinga_domain: icinga.binary.kitchen
|
||||
icinga_dbname: icinga
|
||||
icinga_dbuser: icinga
|
||||
icinga_dbpass: "{{ vault_icinga_dbpass }}"
|
||||
icingaweb_dbname: icingaweb
|
||||
icingaweb_dbuser: icingaweb
|
||||
icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
|
||||
|
||||
jitsi_domain: jitsi.binary-kitchen.de
|
||||
jitsi_admin_email: exxess@binary-kitchen.de
|
||||
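Review bot: `hedgedoc_dbname: hackmd` and `hedgedoc_dbuser: hackmd` keep the old database identity while the variable prefix and the vault keys move to `hedgedoc`; a comment above them, `# DB name/user deliberately kept as "hackmd" for the migrated instance`, would stop someone later "correcting" them and breaking the connection. The new `vault_hedgedoc_dbpass` and `vault_hedgedoc_secret` references must be present in the re-encrypted vault further down, which cannot be checked from the ciphertext on this page.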
@ -64,10 +72,14 @@ mail_server: mail.binary-kitchen.de
|
||||
mailman_domain: lists.binary-kitchen.de
|
||||
mail_trusted:
|
||||
- 213.166.246.0/28
|
||||
- 213.166.246.45/32
|
||||
- 213.166.246.250/32
|
||||
- 2a02:958:0:f6::/124
|
||||
- 2a02:958:0:f6::45/128
|
||||
mail_aliases:
|
||||
- "auweg@binary-kitchen.de venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
|
||||
- "epvpn@binary-kitchen.de noby@binary-kitchen.de"
|
||||
- "google@binary-kitchen.de vorstand@binary-kitchen.de"
|
||||
- "info@binary-kitchen.de vorstand@binary-kitchen.de"
|
||||
- "lebercast@binary-kitchen.de anti@binary-kitchen.de,dragonchaser@binary-kitchen.de,moepman@binary-kitchen.de,philmacfly@binary-kitchen.de,ralf@binary-kitchen.de"
|
||||
- "loetworkshop@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
|
||||
@ -80,7 +92,7 @@ mail_aliases:
|
||||
- "root@binary-kitchen.de moepman@binary-kitchen.de,kishi@binary-kitchen.de"
|
||||
- "seife@binary-kitchen.de anke@binary-kitchen.de"
|
||||
- "siebdruck@binary-kitchen.de anke@binary-kitchen.de"
|
||||
- "vorstand@binary-kitchen.de anti@binary-kitchen.de,avarrish@binary-kitchen.de,timo.schindler@binary-kitchen.de,zaesa@binary-kitchen.de"
|
||||
- "vorstand@binary-kitchen.de anti@binary-kitchen.de,avarrish@binary-kitchen.de,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
|
||||
- "voucher1@binary-kitchen.de exxess@binary-kitchen.de"
|
||||
- "voucher2@binary-kitchen.de exxess@binary-kitchen.de"
|
||||
- "voucher3@binary-kitchen.de exxess@binary-kitchen.de"
|
||||
@ -100,19 +112,28 @@ matrix_dbname: matrix
|
||||
matrix_dbuser: matrix
|
||||
matrix_dbpass: "{{ vault_matrix_dbpass }}"
|
||||
|
||||
nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
|
||||
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
|
||||
nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
|
||||
mc_domain: minecraft.binary-kitchen.de
|
||||
|
||||
netbox_domain: netbox.binary.kitchen
|
||||
netbox_dbname: netbox
|
||||
netbox_dbuser: netbox
|
||||
netbox_dbpass: "{{ vault_netbox_dbpass }}"
|
||||
netbox_secret: "{{ vault_netbox_secret }}"
|
||||
|
||||
nextcloud_domain: oc.binary-kitchen.de
|
||||
nextcloud_dbname: owncloud
|
||||
nextcloud_dbuser: owncloud
|
||||
nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
|
||||
|
||||
plk_domain: plk-regensburg.de
|
||||
plk_dbuser: plkdbuser
|
||||
plk_dbname: plkdb
|
||||
plk_dbpass: "{{ vault_plk_dbpass }}"
|
||||
nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
|
||||
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
|
||||
nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
|
||||
|
||||
pretix_domain: pretix.rc3.binary-kitchen.de
|
||||
pretix_dbname: pretix
|
||||
pretix_dbuser: pretix
|
||||
pretix_dbpass: "{{ vault_pretix_dbpass }}"
|
||||
pretix_mail: rc3@binary-kitchen.de
|
||||
|
||||
prometheus_pve_user: prometheus@pve
|
||||
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
|
||||
@ -126,8 +147,6 @@ pve_targets:
|
||||
|
||||
radius_secret: "{{ vault_radius_secret }}"
|
||||
|
||||
rocketchat_domain: chat.binary-kitchen.de
|
||||
|
||||
root_keys:
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBmZnJLG1WRppbLtOAJw3E4LgLRK0NirfCgpovhhU6h moepman"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPlktM2x11cNBMKurf57MLE1XcOm2sGQXguc0tl1vYd kishi"
|
||||
@ -135,3 +154,5 @@ root_keys:
|
||||
slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
|
||||
slapd_root_pass: "{{ vault_slapd_root_pass }}"
|
||||
slapd_san: ldap.binary.kitchen
|
||||
|
||||
workadventure_domain: wa.binary-kitchen.de
|
||||
|
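Review bot: `slapd_root_hash: "{SSHA}..."` on the first line of this hunk (context here, not changed by the commit) is a digest of the LDAP rootdn password committed in the clear while `slapd_root_pass` directly below it is vaulted; SSHA is salted SHA-1 and is cheap to crack offline, so it should move into the vault as well, `slapd_root_hash: "{{ vault_slapd_root_hash }}"`, or be derived at deploy time from the vaulted password. The two lines this hunk adds appear to be the blank line and `workadventure_domain`, which need nothing.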
@ -1,59 +1,70 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
37303932343462623335393066643531373533636435356462326537373532613534353266396435
|
||||
3636666364306637306266393933383963633032383265650a656563303332303134323135353239
|
||||
34633863333930316564633632313939643664373163373833636139366537646530383736343130
|
||||
6239373931306234620a353966346262646538306631656461613431636230333430663931643933
|
||||
31316362353439393838363666613932313635313864333135636530653238653162353033356437
|
||||
33353063363639346266313631393463623864636133623264613865336536613536343365386230
|
||||
65396263393862626139396430623134316632313637623631623762656139623664356331623066
|
||||
30323430613963313162616135303164663364336634326533346438373635366238356531613461
|
||||
30333736633965333163616437303566666239313962353531393530613265363833396136646262
|
||||
62633662666532396535316361303934613138373365633161393664313234663533363736323335
|
||||
38613762376234663564333333386265633138613839636132346638313430653639636339336239
|
||||
38633564333831326331326166666362353364303933393532643936313564386565643162623435
|
||||
36356437356631666137323039316430656566613436623062656562666139383635653039636463
|
||||
35393438323765303431333737356339343730303531333834306239366533393537626239376163
|
||||
31663332343136323264376234363264343136623365383833666638656531306362663462383033
|
||||
31633838643562613762363634653865353361303666363139636337386439626235336462653036
|
||||
30376461643839313665383430386534656265626139313034646438323861653530383637316139
|
||||
35313539636137303561646564616362313435666262343137616263396465356434363862323137
|
||||
38626464383039386139343665363538326539613837366437623362336639336133323463666235
|
||||
36346333356434363838363634343233323363333762653264333062656133623434666162356433
|
||||
37623862653862643335333931663063623166353534636430323230663838653532356335306632
|
||||
33646265343834363839653565326538353930663061376461646534386637376234646264343933
|
||||
65653763343236653630396238333232633461663333646531323337626235396231383931663264
|
||||
34363564366134663036643332346238373639646336396261316133326235636265323636663335
|
||||
35363537346466396432396162383131306438396431336138666663633132646662316165643333
|
||||
64633434623166343262623038623431343631333962663566303566393761653536303638643037
|
||||
63363963306139336235363537396432383131303763643966313937353537333739393031616439
|
||||
35343361646234663062633631323238656137373464386561656439313636613630323632616332
|
||||
39346239666266623038363066643865373762633532323431373431373165643662663661633365
|
||||
35353361383339623535336362313430616139396561623934346264323462663663383566393165
|
||||
35366637313861386465333530613530623832643333616538336436356134313832306139336361
|
||||
32393162373235356236343332363038393631626534643237383232323735633265333562633231
|
||||
61613164363962323236666365353830346664643263393532343562383736336535353364343638
|
||||
62386465323331653565306234646664393164666334383765336630346438633636353264636138
|
||||
31316231326236313839353465353230353935363330393035373234393039386134366534653636
|
||||
63323730383931353763383739393330316335373563393039366166313031373664636335363363
|
||||
38363131363565326431636361316562313037373664306333313366646336333162663664306539
|
||||
64636530363561393037373766383937616435313333653836363835383231633130396133663635
|
||||
36613531323732623264646666656139333766656562623430313964366236373663626135383437
|
||||
31643663663637613762313465656636396264623362643538323166356636303430613133383664
|
||||
66383332326437333638663562376665386237313533303437623765353661393561373338636130
|
||||
30383665333366643331366536646330633133643566393962633164643563613536363434393234
|
||||
66323931316535353632356432373262623962616264383430623436303637616165386433326231
|
||||
38633730636633643634343833313964653530663034333063313334636134646634363437346161
|
||||
32613061363032383732323263303830363532326239316538393739313730383530633862313039
|
||||
37653865303932313635656332663039376331393161623731623039653865623436363061626538
|
||||
32383934613335363534666461343135303235373262343634306130633536323839393139346662
|
||||
31623265323138353963623938616665383765366230656461383835346230346261623866366630
|
||||
65303965353432386136373562306434623739666262356663656266346439356435613362333563
|
||||
34366539353366346636376662363837303332373866323434366261326164633033353930383038
|
||||
36666433656365366663326163343034306439653262353733323232373133386436333637346563
|
||||
32626533336530633731336631333334353366306538663936643637346335303965626631316562
|
||||
33333061656234393661363766663630316662613764333231326434383465666234653238393965
|
||||
31636561396665383063613433653837363634623337623330666466353532633434383864343464
|
||||
38303436306165353433356536326466306530373635616531393462666336666435633235613937
|
||||
37343832333864643636366632623062363234633365326635386663376439383332306333653161
|
||||
34353830396165366534313334616161323461613066383561343563393330613464373862623062
|
||||
3536303066343262636636393861313539616636643339353562
|
||||
34303237313431646264363034353637613836633432633638333963363037663435626166663630
|
||||
6338393164366434386334313664386166373031326538350a396639373163646666376462373662
|
||||
36623863356436356635303263643239666162333863613831326630303363346137653234323838
|
||||
3639623464303131350a653162336338626665393534623063623330323162373935353939303631
|
||||
64333363373563343336643764306563376461393430643631366133353836646363363166653233
|
||||
38323331386165366334656630626138383131323664333266353164323164373364303161653365
|
||||
30333339646139626434636365653666636534346266636262613938656665343634363563663366
|
||||
32306663653930613762663534613635616663613130613933626331663861643439323664353739
|
||||
31316531653562646363376233636464396262313132343234303933343066373862633235383333
|
||||
31313431336464663163343835646430323664373166363465343037333130343636646363393231
|
||||
34613162386637306539663431636137353039383037333937613035393332353933333134346335
|
||||
31616561636533383639366634316164343466613634643130353437393664336332316132363934
|
||||
61333961613530333536613034386332646136313939356339633334353333326661393231343261
|
||||
62653463316662376134663965383030636639356637393237653362616561616238653637623039
|
||||
65653139373633323766356362613239316165393966623932346561363363393138653032366439
|
||||
64303463306132363261333936653763353833386337303763316362666134306264306464306362
|
||||
30343364393539636565633861386261373661623061333733353635336133373162636465376137
|
||||
61316465306534623337383631663538336632383832343132333862316336323961623637383838
|
||||
65363832646138376233653264373535633437376162326361313863333839343236343966393839
|
||||
32323361666264373466396130666465303032393364633134343264643731323438646562333361
|
||||
63376266616430643135326430366266633332633333646134313736316139386232333965346331
|
||||
61663964653931333730643435303637666563316133373831336566303361383736666139626562
|
||||
38623031303533396632613361323533313334333631316434646232383136393433323466383330
|
||||
65666530616466623933393936613963663766653361643733326330643162346635613835633736
|
||||
64393064326233313035316130353563623639303665623064303831376332353264633930363364
|
||||
33623137353130353962323964396130646230393335386434346130663064613434643136656466
|
||||
63623666376165653961666539383335356163316131353966613036643530663835313766366533
|
||||
31656633633331636535316234653561326465623562393632623062383935336530383133626236
|
||||
66323366306366623631373861346635303063376264613734643039363137613837333534616362
|
||||
37633462373538313562666639613031343866383234633438373936623437333666343731633735
|
||||
33386666313531613734643431333332346439386465303531306365386537613933623636643237
|
||||
35653434303433633533356662623965383133383838613361303832326130343938393561393935
|
||||
38313533643830633432303464306561643233303866316130616531623230393366323264626165
|
||||
33653230366138376533376166393466656233353061343338393433386332333361353063323634
|
||||
66366561646466616566336265363037616433616231353739613538633765343235323637303535
|
||||
34373739306130313536633338353130656632666536356535636265333335303730333031323436
|
||||
39633466353139663361646265656334633461346564616633643030383662353762643237333761
|
||||
31326435313361366163353836633535303462623533373363376433613139373135393566333937
|
||||
64313838373366383432376430643236633030623736643435363038616261333364366139666435
|
||||
66623661643032633931623539383136373138636333323737323165333831333764363137393562
|
||||
62663335353265353535643666356632663736343039333965653639653764646261323736313430
|
||||
39656366356130326363363133383062333530316165643430383161306135346663623861313030
|
||||
65346430353230363561633239623330623265666336616133326263323063333132323764343735
|
||||
63346230373339343062393035356565376265643463326366326535313130663163366435323339
|
||||
62363339313332663333653336633331343161363432393639316630633365643037653739613132
|
||||
63316662336630626366363662333061353539333133653732646330643065333430316333316131
|
||||
33363662653465306531666435363932663432373932353466383364383634643634313736303931
|
||||
63353632353836663263616137353031643238663632363563656137313961656534663137613061
|
||||
37636530306334613639326363383665373061383634326630653366386632636634653638653330
|
||||
32366438623635363833343566353365373762646162393637326433656438663066663766333761
|
||||
65363136666238623439663764363266363731613261326566653035303265623736353331376562
|
||||
36646435353134613363316236383938613032626562646237366337376433326334386330646266
|
||||
66333365323133616466646164353262653830313764376562636164326163623463373863373630
|
||||
31623264373330386136396130626133323762363262336337396562613166646132386362383635
|
||||
61333637373462316463303962396162383039373265303939306132323533393236343965613835
|
||||
32646361383938383337653264323766363130613264613463386432306238316531653437323939
|
||||
39353866313834393933623630303539633334663239343865313264616664656464646631623934
|
||||
33623230643633353361343965396236393939343765653161643530626133663236383135343934
|
||||
37353231626339323866613237663463656239326335643035313730363133616538613866386162
|
||||
65623335393462633130353965343533616261636261656162626639323231623934663765386166
|
||||
37353665643363386662646538306530326161653461393236616531343935393639386432633437
|
||||
63643561646337616138633063646261323937333262333535626235373561336339346661353365
|
||||
30396365376566616538353866383266666436636131656535363062633237313266366639373536
|
||||
64316435316234313365306332383637636263376563393464303566313566636238626434393364
|
||||
62316263353733636136393034616362643764346536373533363937633938383037376261656330
|
||||
30333738616232616566643335353161636466643830393464643263653633373662623437643332
|
||||
61396430636631396134393064633131636233653664373363386638366138343435613438303330
|
||||
61366234663461333331623961393834643233623862323861346163343934303838666232626639
|
||||
6139
|
||||
|
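--- a/group_vars/auweg
+++ b/group_vars/auweg
@@ -0,0 +1,14 @@
+---
+
+dhcpd_failover: false
+dhcpd_primary: 172.23.13.3
+
+dns_primary: 172.23.13.3
+
+name_servers:
+- 172.23.13.3
+
+ntp_servers:
+- 172.23.12.61
+
+radius_cn: radius.binary.kitchen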
@ -4,6 +4,9 @@ dhcpd_failover: true
|
||||
dhcpd_primary: 172.23.2.3
|
||||
dhcpd_secondary: 172.23.2.4
|
||||
|
||||
dns_primary: 172.23.2.3
|
||||
dns_secondary: 172.23.2.4
|
||||
|
||||
name_servers:
|
||||
- 172.23.2.3
|
||||
- 172.23.2.4
|
||||
|
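--- a/host_vars/aeron.binary.kitchen
+++ b/host_vars/aeron.binary.kitchen
@@ -0,0 +1,6 @@
+---
+
+radius_hostname: radius3.binary.kitchen
+
+slapd_hostname: ldap3.binary.kitchen
+slapd_role: slave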
@ -1,9 +1,11 @@
|
||||
---
|
||||
|
||||
ntp_server: true
|
||||
|
||||
ntp_servers:
|
||||
- ptbtime2.ptb.de
|
||||
- ntp1.rrze.uni-erlangen.de
|
||||
- ntps1-0.cs.tu-berlin.de
|
||||
- rustime01.rus.uni-stuttgart.de
|
||||
|
||||
ntp_peers:
|
||||
- 172.23.1.60
|
||||
|
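--- a/host_vars/barium.binary-kitchen.net
+++ b/host_vars/barium.binary-kitchen.net
@@ -0,0 +1,2 @@
+root_keys_host:
+- "ssh-rsa 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 noby"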
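--- a/host_vars/bowle.binary.kitchen
+++ b/host_vars/bowle.binary.kitchen
@@ -0,0 +1,8 @@
+---
+
+nfs_exports:
+- /exports/backup/bk 172.23.1.60(rw,sync,no_subtree_check)
+- /exports/backup/rz 172.23.9.61(rw,sync,no_subtree_check)
+- /exports/tank 172.23.0.0/22(rw,sync,no_subtree_check)
+
+uau_reboot: "false"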
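Review bot: `- /exports/tank 172.23.0.0/22(rw,sync,no_subtree_check)` grants read-write access to the whole /22 while the two backup exports above it are pinned to single hosts; if a broad rw export is intended, a comment naming the clients that need to write would justify it, otherwise narrow the client list or export `ro`. Separately, `uau_reboot: "false"` is a quoted string rather than a boolean, and the same compare uses `dhcpd_failover: false` (group_vars/auweg) and `nginx_anonymize: True` (a later host_vars hunk) — three spellings for one type; a `when:` that consumes such a value without `| bool` may not behave as the name suggests, so one form, e.g. `uau_reboot: false`, is safer.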
@ -3,3 +3,5 @@
|
||||
root_keys_host:
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJu4xYKnnAhXf2Fe+cI+U4EVkePw3cbPbSR4iPhY2fQf xaver@xm.1drop.de"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGC1Cn/tEqpZKEgLzT3bGrhYibQy0bc21rtoDqm4+elZ xaver@home"
|
||||
|
||||
nginx_anonymize: True
|
||||
|
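--- a/host_vars/weizen.binary.kitchen
+++ b/host_vars/weizen.binary.kitchen
@@ -0,0 +1,8 @@
+---
+
+ntp_server: true
+
+ntp_servers:
+- ptbtime1.ptb.de
+- ntp1.rrze.uni-erlangen.de
+- rustime01.rus.uni-stuttgart.de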
@ -1,9 +1,11 @@
|
||||
---
|
||||
|
||||
ntp_server: true
|
||||
|
||||
ntp_servers:
|
||||
- ptbtime1.ptb.de
|
||||
- ntp1.rrze.uni-erlangen.de
|
||||
- ntps1-0.cs.tu-berlin.de
|
||||
- rustime01.rus.uni-stuttgart.de
|
||||
|
||||
ntp_peers:
|
||||
- 172.23.2.3
|
||||
|
9
hosts
@ -4,10 +4,14 @@ bacon.binary.kitchen ansible_host=172.23.2.3
|
||||
aveta.binary.kitchen ansible_host=172.23.2.4
|
||||
sulis.binary.kitchen ansible_host=172.23.2.5
|
||||
nabia.binary.kitchen ansible_host=172.23.2.6
|
||||
epona.binary.kitchen ansible_host=172.23.2.7
|
||||
pizza.binary.kitchen ansible_host=172.23.2.33
|
||||
bob.binary.kitchen ansible_host=172.23.2.37
|
||||
bowle.binary.kitchen ansible_host=172.23.2.62 ansible_python_interpreter=/usr/local/bin/python2.7
|
||||
bowle.binary.kitchen ansible_host=172.23.2.62
|
||||
salat.binary.kitchen ansible_host=172.23.9.61
|
||||
[auweg]
|
||||
aeron.binary.kitchen ansible_host=172.23.13.3
|
||||
weizen.binary.kitchen ansible_host=172.23.12.61
|
||||
[fan_rz]
|
||||
helium.binary-kitchen.net
|
||||
lithium.binary-kitchen.net
|
||||
@ -23,5 +27,6 @@ krypton.binary-kitchen.net
|
||||
yttrium.binary-kitchen.net
|
||||
zirconium.binary-kitchen.net
|
||||
molybdenum.binary-kitchen.net
|
||||
technetium.binary-kitchen.net
|
||||
ruthenium.binary-kitchen.net
|
||||
rhodium.binary-kitchen.net
|
||||
barium.binary-kitchen.net
|
||||
|
@ -1,10 +0,0 @@
|
||||
# udev 226 introduced predictable interface names for virtio;
|
||||
# disable this for upgrades. You can remove this file if you update your
|
||||
# network configuration to move to the ens* names instead.
|
||||
# See /usr/share/doc/udev/README.Debian.gz for details about predictable
|
||||
# network interface names.
|
||||
[Match]
|
||||
Driver=virtio_net
|
||||
|
||||
[Link]
|
||||
NamePolicy=onboard kernel
|
@ -1,6 +0,0 @@
|
||||
# This machine is most likely a virtualized guest, where the old persistent
|
||||
# network interface mechanism (75-persistent-net-generator.rules) did not work.
|
||||
# This file disables /lib/systemd/network/99-default.link to avoid
|
||||
# changing network interface names on upgrade. Please read
|
||||
# /usr/share/doc/udev/README.Debian.gz about how to migrate to the currently
|
||||
# supported mechanism.
|
@ -1,7 +1,13 @@
|
||||
---
|
||||
|
||||
- name: Restart chrony
|
||||
service: name=chrony state=restarted
|
||||
|
||||
- name: Restart journald
|
||||
service: name=systemd-journald state=restarted
|
||||
|
||||
- name: update-grub
|
||||
command: update-grub
|
||||
|
||||
- name: update-initramfs
|
||||
command: update-initramfs -u -k all
|
||||
|
@ -3,7 +3,9 @@
|
||||
- name: Install misc software
|
||||
apt:
|
||||
name:
|
||||
- apt-transport-https
|
||||
- dnsutils
|
||||
- gnupg2
|
||||
- htop
|
||||
- less
|
||||
- net-tools
|
||||
@ -34,21 +36,18 @@
|
||||
- name: Set shell for root user
|
||||
user: name=root shell=/bin/zsh
|
||||
|
||||
- name: Create LDAP client config
|
||||
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
|
||||
|
||||
- name: Disable hibernation/resume
|
||||
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
|
||||
notify: update-initramfs
|
||||
|
||||
# TODO template /etc/network/interfaces
|
||||
|
||||
- name: Fix network interface names
|
||||
copy: src={{ item }} dest=/etc/systemd/network/{{ item }}
|
||||
with_items:
|
||||
- 50-virtio-kernel-names.link
|
||||
- 99-default.link
|
||||
notify: update-initramfs
|
||||
- name: Enable serial console on KVM VMs
|
||||
lineinfile:
|
||||
path: "/etc/default/grub"
|
||||
state: "present"
|
||||
regexp: "^#?GRUB_CMDLINE_LINUX=.*"
|
||||
line: "GRUB_CMDLINE_LINUX=\"console=ttyS0,115200 console=tty0\""
|
||||
notify: update-grub
|
||||
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
|
||||
|
||||
- name: Prevent normal users from running su
|
||||
lineinfile:
|
||||
|
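Review bot: `regexp: "^#?GRUB_CMDLINE_LINUX=.*"` together with a fixed `line:` replaces the entire `GRUB_CMDLINE_LINUX` value, so any kernel parameters already configured on the guest (hardening or debugging options alike) are silently discarded on the next run; if a clean-slate value is intended, a comment above the task saying so would make that explicit, otherwise use a regexp that only matches when `console=ttyS0` is absent and a `backrefs`-based `line` that keeps the existing arguments. The `when:` restricting this to KVM guests is appropriate; note that Debian.yml itself is skipped on hosts with `pve-manager`, per the include condition in main.yml. The task list continues past the hunk (`Prevent normal users from running su`).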
@ -1,14 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Install misc software
|
||||
pkgng:
|
||||
name:
|
||||
- vim-lite
|
||||
- htop
|
||||
- zsh
|
||||
|
||||
- name: Configure misc software
|
||||
copy: src={{ item.src }} dest={{ item.dest }}
|
||||
with_items:
|
||||
- { src: '.zshrc', dest: '/root/.zshrc' }
|
||||
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
@ -13,6 +13,7 @@
|
||||
|
||||
- name: Configure misc software
|
||||
copy: src={{ item.src }} dest={{ item.dest }}
|
||||
diff: no
|
||||
with_items:
|
||||
- { src: '.zshrc', dest: '/root/.zshrc' }
|
||||
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
||||
|
8
roles/common/tasks/chrony.yml
@ -0,0 +1,8 @@
|
||||
---
|
||||
|
||||
- name: Install chrony
|
||||
apt: name=chrony
|
||||
|
||||
- name: Configure chrony
|
||||
template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
|
||||
notify: Restart chrony
|
@ -17,6 +17,5 @@
|
||||
include: Debian.yml
|
||||
when: ansible_os_family == 'Debian' and 'pve-manager' not in ansible_facts.packages
|
||||
|
||||
- name: FreeBSD
|
||||
include: FreeBSD.yml
|
||||
when: ansible_distribution == 'FreeBSD'
|
||||
- name: Setup chrony
|
||||
include: chrony.yml
|
||||
|
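Review bot: `include: chrony.yml` uses the `include` action, deprecated since Ansible 2.4 in favour of `import_tasks`/`include_tasks`; the existing `include: Debian.yml` has the same issue, so the new line matches the file, but `import_tasks: chrony.yml` is a drop-in replacement and new code is the place to start. Unlike the Debian include two lines above, `Setup chrony` has no `when`, so it also runs on the Proxmox nodes that Debian.yml skips; if that is intended, a one-line comment saying so would make it deliberate rather than accidental.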
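--- a/roles/common/templates/chrony.conf.j2
+++ b/roles/common/templates/chrony.conf.j2
@@ -0,0 +1,46 @@
+# Welcome to the chrony configuration file. See chrony.conf(5) for more
+# information about usable directives.
+
+{% for srv in ntp_servers %}
+server {{ srv }} iburst
+{% endfor %}
+{% if ntp_peers is defined %}
+
+{% for peer in ntp_peers %}
+peer {{ peer }}
+{% endfor %}
+{% endif %}
+
+{% if ntp_server is defined and ntp_server is true %}
+allow 172.23.0.0/16
+{% endif -%}
+
+# This directive specify the location of the file containing ID/key pairs for
+# NTP authentication.
+keyfile /etc/chrony/chrony.keys
+
+# This directive specify the file into which chronyd will store the rate
+# information.
+driftfile /var/lib/chrony/chrony.drift
+
+# Uncomment the following line to turn logging on.
+#log tracking measurements statistics
+
+# Log files location.
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+rtcsync
+
+# Step the system clock instead of slewing it if the adjustment is larger than
+# one second, but only in the first three clock updates.
+makestep 1 3
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+# This directive must be commented out when using time sources serving
+# leap-smeared time.
+leapsectz right/UTC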
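Review bot: `{% if ntp_server is defined and ntp_server is true %}` relies on Jinja2's `true` test, which only exists in Jinja2 2.11 and later and is false for the string spelling `"true"` that this repository also uses for booleans; `{% if ntp_server | default(false) | bool %}` works on any controller and accepts either form. `allow 172.23.0.0/16` opens the NTP service to the whole /16 while every client address visible in this compare falls in 172.23.0.0/22 or 172.23.12.0/23, so a comment stating why the wider range is needed (or a narrower `allow`) would help. The template also does not carry the `ansible_managed` banner configured in ansible.cfg; `# {{ ansible_managed }}` as the first line would make the file's provenance visible on the host.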
@ -1,19 +0,0 @@
|
||||
#
|
||||
# LDAP Defaults
|
||||
#
|
||||
|
||||
# See ldap.conf(5) for details
|
||||
# This file should be world readable but not world writable.
|
||||
|
||||
BASE {{ ldap_base }}
|
||||
URI {{ ldap_uri }}
|
||||
|
||||
#SIZELIMIT 12
|
||||
#TIMELIMIT 15
|
||||
#DEREF never
|
||||
|
||||
# TLS certificates (needed for GnuTLS)
|
||||
TLS_REQCERT demand
|
||||
TLS_CACERTDIR /etc/ssl/certs
|
||||
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
|
||||
|
@ -1,9 +1,9 @@
|
||||
# Coturn TURN SERVER configuration file
|
||||
#
|
||||
# Boolean values note: where boolean value is supposed to be used,
|
||||
# you can use '0', 'off', 'no', 'false', 'f' as 'false,
|
||||
# and you can use '1', 'on', 'yes', 'true', 't' as 'true'
|
||||
# If the value is missed, then it means 'true'.
|
||||
# Boolean values note: where a boolean value is supposed to be used,
|
||||
# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
|
||||
# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
|
||||
# If the value is missing, then it means 'true' by default.
|
||||
#
|
||||
|
||||
# Listener interface device (optional, Linux only).
|
||||
@ -22,10 +22,10 @@
|
||||
# port(s), too - if allowed by configuration. The TURN server
|
||||
# "automatically" recognizes the type of traffic. Actually, two listening
|
||||
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
|
||||
# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
|
||||
# For secure TCP connections, we currently support SSL version 3 and
|
||||
# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
|
||||
# For secure TCP connections, Coturn currently supports
|
||||
# TLS version 1.0, 1.1 and 1.2.
|
||||
# For secure UDP connections, we support DTLS version 1.
|
||||
# For secure UDP connections, Coturn supports DTLS version 1.
|
||||
#
|
||||
#tls-listening-port=5349
|
||||
|
||||
@ -45,6 +45,14 @@
|
||||
#
|
||||
#alt-tls-listening-port=0
|
||||
|
||||
# Some network setups will require using a TCP reverse proxy in front
|
||||
# of the STUN server. If the proxy port option is set a single listener
|
||||
# is started on the given port that accepts connections using the
|
||||
# haproxy proxy protocol v2.
|
||||
# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
|
||||
#
|
||||
#tcp-proxy-port=5555
|
||||
|
||||
# Listener IP address of relay server. Multiple listeners can be specified.
|
||||
# If no IP(s) specified in the config file or in the command line options,
|
||||
# then all IPv4 and IPv6 system IPs will be used for listening.
|
||||
@ -133,8 +141,8 @@
|
||||
#
|
||||
# If this parameter is not set, then the default OS-dependent
|
||||
# thread pattern algorithm will be employed. Usually the default
|
||||
# algorithm is the most optimal, so you have to change this option
|
||||
# only if you want to make some fine tweaks.
|
||||
# algorithm is optimal, so you have to change this option
|
||||
# if you want to make some fine tweaks.
|
||||
#
|
||||
# In the older systems (Linux kernel before 3.9),
|
||||
# the number of UDP threads is always one thread per network listening
|
||||
@ -155,7 +163,7 @@
|
||||
|
||||
# Uncomment to run TURN server in 'extra' verbose mode.
|
||||
# This mode is very annoying and produces lots of output.
|
||||
# Not recommended under any normal circumstances.
|
||||
# Not recommended under normal circumstances.
|
||||
#
|
||||
#Verbose
|
||||
|
||||
@ -169,15 +177,27 @@ fingerprint
|
||||
#
|
||||
#lt-cred-mech
|
||||
|
||||
# This option is opposite to lt-cred-mech.
|
||||
# This option is the opposite of lt-cred-mech.
|
||||
# (TURN Server with no-auth option allows anonymous access).
|
||||
# If neither option is defined, and no users are defined,
|
||||
# then no-auth is default. If at least one user is defined,
|
||||
# in this file or in command line or in usersdb file, then
|
||||
# in this file, in command line or in usersdb file, then
|
||||
# lt-cred-mech is default.
|
||||
#
|
||||
#no-auth
|
||||
|
||||
# Enable prometheus exporter
|
||||
# If enabled the turnserver will expose an endpoint with stats on a prometheus format
|
||||
# this endpoint is listening on a different port to not conflict with other configurations.
|
||||
#
|
||||
# You can simply run the turnserver and access the port 9641 and path /metrics
|
||||
#
|
||||
# For mor info on the prometheus exporter and metrics
|
||||
# https://prometheus.io/docs/introduction/overview/
|
||||
# https://prometheus.io/docs/concepts/data_model/
|
||||
#
|
||||
#prometheus
|
||||
|
||||
# TURN REST API flag.
|
||||
# (Time Limited Long Term Credential)
|
||||
# Flag that sets a special authorization option that is based upon authentication secret.
|
||||
@ -193,34 +213,33 @@ fingerprint
|
||||
# turn password -> base64(hmac(secret key, usercombo))
|
||||
#
|
||||
# This allows TURN credentials to be accounted for a specific user id.
|
||||
# If you don't have a suitable id, the timestamp alone can be used.
|
||||
# This option is just turning on secret-based authentication.
|
||||
# The actual value of the secret is defined either by option static-auth-secret,
|
||||
# If you don't have a suitable id, then the timestamp alone can be used.
|
||||
# This option is enabled by turning on secret-based authentication.
|
||||
# The actual value of the secret is defined either by the option static-auth-secret,
|
||||
# or can be found in the turn_secret table in the database (see below).
|
||||
#
|
||||
# Read more about it:
|
||||
# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
|
||||
# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
|
||||
#
|
||||
# Be aware that use-auth-secret overrides some part of lt-cred-mech.
|
||||
# Notice that this feature depends internally on lt-cred-mech, so if you set
|
||||
# use-auth-secret then it enables internally automatically lt-cred-mech option
|
||||
# like if you enable both.
|
||||
# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
|
||||
# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
|
||||
# this option then it automatically enables lt-cred-mech internally
|
||||
# as if you had enabled both.
|
||||
#
|
||||
# You can use only one of the to auth mechanisms in the same time because,
|
||||
# both mechanism use the username and password validation in different way.
|
||||
# Note that you can use only one auth mechanism at the same time! This is because,
|
||||
# both mechanisms conduct username and password validation in different ways.
|
||||
#
|
||||
# This way be aware that you can't use both auth mechnaism in the same time!
|
||||
# Use in config either the lt-cred-mech or the use-auth-secret
|
||||
# Use either lt-cred-mech or use-auth-secret in the conf
|
||||
# to avoid any confusion.
|
||||
#
|
||||
use-auth-secret
|
||||
|
||||
# 'Static' authentication secret value (a string) for TURN REST API only.
|
||||
# If not set, then the turn server
|
||||
# will try to use the 'dynamic' value in turn_secret table
|
||||
# in user database (if present). The database-stored value can be changed on-the-fly
|
||||
# by a separate program, so this is why that other mode is 'dynamic'.
|
||||
# will try to use the 'dynamic' value in the turn_secret table
|
||||
# in the user database (if present). The database-stored value can be changed on-the-fly
|
||||
# by a separate program, so this is why that mode is considered 'dynamic'.
|
||||
#
|
||||
static-auth-secret={{ coturn_secret }}
|
||||
|
||||
@ -234,10 +253,10 @@ static-auth-secret={{ coturn_secret }}
|
||||
#
|
||||
#oauth
|
||||
|
||||
# 'Static' user accounts for long term credentials mechanism, only.
|
||||
# 'Static' user accounts for the long term credentials mechanism, only.
|
||||
# This option cannot be used with TURN REST API.
|
||||
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
|
||||
# so that they can NOT be changed while the turnserver is running.
|
||||
# so they can NOT be changed while the turnserver is running.
|
||||
#
|
||||
#user=username1:key1
|
||||
#user=username2:key2
|
||||
@ -263,15 +282,15 @@ static-auth-secret={{ coturn_secret }}
|
||||
|
||||
# SQLite database file name.
|
||||
#
|
||||
# Default file name is /var/db/turndb or /usr/local/var/db/turndb or
|
||||
# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
|
||||
# /var/lib/turn/turndb.
|
||||
#
|
||||
#userdb=/var/db/turndb
|
||||
|
||||
# PostgreSQL database connection string in the case that we are using PostgreSQL
|
||||
# PostgreSQL database connection string in the case that you are using PostgreSQL
|
||||
# as the user database.
|
||||
# This database can be used for long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
|
||||
# This database can be used for the long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
||||
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
|
||||
# versions connection string format, see
|
||||
# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
|
||||
@ -279,43 +298,43 @@ static-auth-secret={{ coturn_secret }}
|
||||
#
|
||||
#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
|
||||
|
||||
# MySQL database connection string in the case that we are using MySQL
|
||||
# MySQL database connection string in the case that you are using MySQL
|
||||
# as the user database.
|
||||
# This database can be used for long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
|
||||
# This database can be used for the long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
||||
#
|
||||
# Optional connection string parameters for the secure communications (SSL):
|
||||
# ca, capath, cert, key, cipher
|
||||
# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
|
||||
# command options description).
|
||||
#
|
||||
# Use string format as below (space separated parameters, all optional):
|
||||
# Use the string format below (space separated parameters, all optional):
|
||||
#
|
||||
#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
|
||||
|
||||
# If you want to use in the MySQL connection string the password in encrypted format,
|
||||
# then set in this option the MySQL password encryption secret key file.
|
||||
# If you want to use an encrypted password in the MySQL connection string,
|
||||
# then set the MySQL password encryption secret key file with this option.
|
||||
#
|
||||
# Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format!
|
||||
# If you want to use cleartext password then do not set this option!
|
||||
# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
|
||||
# If you want to use a cleartext password then do not set this option!
|
||||
#
|
||||
# This is the file path which contain secret key of aes encryption while using password encryption.
|
||||
# This is the file path for the aes encrypted secret key used for password encryption.
|
||||
#
|
||||
#secret-key-file=/path/
|
||||
|
||||
# MongoDB database connection string in the case that we are using MongoDB
|
||||
# MongoDB database connection string in the case that you are using MongoDB
|
||||
# as the user database.
|
||||
# This database can be used for long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
|
||||
# Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
|
||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
||||
# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
|
||||
#
|
||||
#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
|
||||
|
||||
# Redis database connection string in the case that we are using Redis
|
||||
# Redis database connection string in the case that you are using Redis
|
||||
# as the user database.
|
||||
# This database can be used for long-term credential mechanism
|
||||
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
|
||||
# Use string format as below (space separated parameters, all optional):
|
||||
# and it can store the secret value for secret-based timed authentication in TURN REST API.
|
||||
# Use the string format below (space separated parameters, all optional):
|
||||
#
|
||||
#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
|
||||
|
||||
@ -323,23 +342,23 @@ static-auth-secret={{ coturn_secret }}
|
||||
# This database keeps allocations status information, and it can be also used for publishing
|
||||
# and delivering traffic and allocation event notifications.
|
||||
# The connection string has the same parameters as redis-userdb connection string.
|
||||
# Use string format as below (space separated parameters, all optional):
|
||||
# Use the string format below (space separated parameters, all optional):
|
||||
#
|
||||
#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
|
||||
|
||||
# The default realm to be used for the users when no explicit
|
||||
# origin/realm relationship was found in the database, or if the TURN
|
||||
# origin/realm relationship is found in the database, or if the TURN
|
||||
# server is not using any database (just the commands-line settings
|
||||
# and the userdb file). Must be used with long-term credentials
|
||||
# mechanism or with TURN REST API.
|
||||
#
|
||||
# Note: If default realm is not specified at all, then realm falls back to the host domain name.
|
||||
# If domain name is empty string, or '(None)', then it is initialized to am empty string.
|
||||
# Note: If the default realm is not specified, then realm falls back to the host domain name.
|
||||
# If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
|
||||
#
|
||||
realm={{ coturn_realm }}
|
||||
|
||||
# The flag that sets the origin consistency
|
||||
# check: across the session, all requests must have the same
|
||||
# This flag sets the origin consistency
|
||||
# check. Across the session, all requests must have the same
|
||||
# main ORIGIN attribute value (if the ORIGIN was
|
||||
# initially used by the session).
|
||||
#
|
||||
@ -359,7 +378,7 @@ realm={{ coturn_realm }}
|
||||
|
||||
# Max bytes-per-second bandwidth a TURN session is allowed to handle
|
||||
# (input and output network streams are treated separately). Anything above
|
||||
# that limit will be dropped or temporary suppressed (within
|
||||
# that limit will be dropped or temporarily suppressed (within
|
||||
# the available buffer limits).
|
||||
# This option can also be set through the database, for a particular realm.
|
||||
#
|
||||
@ -403,10 +422,10 @@ no-dtls
|
||||
#no-tcp-relay
|
||||
|
||||
# Uncomment if extra security is desired,
|
||||
# with nonce value having limited lifetime.
|
||||
# By default, the nonce value is unique for a session,
|
||||
# and has unlimited lifetime.
|
||||
# with nonce value having a limited lifetime.
|
||||
# The nonce value is unique for a session.
|
||||
# Set this option to limit the nonce lifetime.
|
||||
# Set it to 0 for unlimited lifetime.
|
||||
# It defaults to 600 secs (10 min) if no value is provided. After that delay,
|
||||
# the client will get 438 error and will have to re-authenticate itself.
|
||||
#
|
||||
@ -435,6 +454,7 @@ no-dtls
|
||||
# Certificate file.
|
||||
# Use an absolute path or path relative to the
|
||||
# configuration file.
|
||||
# Use PEM file format.
|
||||
#
|
||||
#cert=/usr/local/etc/turn_server_cert.pem
|
||||
|
||||
@ -457,7 +477,7 @@ no-dtls
|
||||
|
||||
# CA file in OpenSSL format.
|
||||
# Forces TURN server to verify the client SSL certificates.
|
||||
# By default it is not set: there is no default value and the client
|
||||
# By default this is not set: there is no default value and the client
|
||||
# certificate is not checked.
|
||||
#
|
||||
# Example:
|
||||
@ -471,13 +491,13 @@ no-dtls
|
||||
#
|
||||
#ec-curve-name=prime256v1
|
||||
|
||||
# Use 566 bits predefined DH TLS key. Default size of the key is 1066.
|
||||
# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
|
||||
#
|
||||
#dh566
|
||||
|
||||
# Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
|
||||
# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
|
||||
#
|
||||
#dh2066
|
||||
#dh1066
|
||||
|
||||
# Use custom DH TLS key, stored in PEM format in the file.
|
||||
# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
|
||||
@ -485,16 +505,16 @@ no-dtls
|
||||
#dh-file=<DH-PEM-file-name>
|
||||
|
||||
# Flag to prevent stdout log messages.
|
||||
# By default, all log messages are going to both stdout and to
|
||||
# the configured log file. With this option everything will be
|
||||
# going to the configured log only (unless the log file itself is stdout).
|
||||
# By default, all log messages go to both stdout and to
|
||||
# the configured log file. With this option everything will
|
||||
# go to the configured log only (unless the log file itself is stdout).
|
||||
#
|
||||
#no-stdout-log
|
||||
|
||||
# Option to set the log file name.
|
||||
# By default, the turnserver tries to open a log file in
|
||||
# /var/log, /var/tmp, /tmp and current directories directories
|
||||
# (which open operation succeeds first that file will be used).
|
||||
# /var/log, /var/tmp, /tmp and the current directory
|
||||
# (Whichever file open operation succeeds first will be used).
|
||||
# With this option you can set the definite log file name.
|
||||
# The special names are "stdout" and "-" - they will force everything
|
||||
# to the stdout. Also, the "syslog" name will force everything to
|
||||
@ -514,15 +534,25 @@ syslog
|
||||
#
|
||||
#simple-log
|
||||
|
||||
# Enable full ISO-8601 timestamp in all logs.
|
||||
#new-log-timestamp
|
||||
|
||||
# Set timestamp format (in strftime(1) format)
|
||||
#new-log-timestamp-format "%FT%T%z"
|
||||
|
||||
# Disabled by default binding logging in verbose log mode to avoid DoS attacks.
|
||||
# Enable binding logging and UDP endpoint logs in verbose log mode.
|
||||
#log-binding
|
||||
|
||||
# Option to set the "redirection" mode. The value of this option
|
||||
# will be the address of the alternate server for UDP & TCP service in form of
|
||||
# will be the address of the alternate server for UDP & TCP service in the form of
|
||||
# <ip>[:<port>]. The server will send this value in the attribute
|
||||
# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
|
||||
# Client will receive only values with the same address family
|
||||
# as the client network endpoint address family.
|
||||
# See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description.
|
||||
# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
|
||||
# The client must use the obtained value for subsequent TURN communications.
|
||||
# If more than one --alternate-server options are provided, then the functionality
|
||||
# If more than one --alternate-server option is provided, then the functionality
|
||||
# can be more accurately described as "load-balancing" than a mere "redirection".
|
||||
# If the port number is omitted, then the default port
|
||||
# number 3478 for the UDP/TCP protocols will be used.
|
||||
@ -532,7 +562,7 @@ syslog
|
||||
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
|
||||
# Multiple alternate servers can be set. They will be used in the
|
||||
# round-robin manner. All servers in the pool are considered of equal weight and
|
||||
# the load will be distributed equally. For example, if we have 4 alternate servers,
|
||||
# the load will be distributed equally. For example, if you have 4 alternate servers,
|
||||
# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
|
||||
# address can be used more than one time with the alternate-server option, so this
|
||||
# can emulate "weighting" of the servers.
|
||||
@ -559,6 +589,15 @@ syslog
|
||||
#
|
||||
#stun-only
|
||||
|
||||
# Option to hide software version. Enhance security when used in production.
|
||||
# Revealing the specific software version of the agent through the
|
||||
# SOFTWARE attribute might allow them to become more vulnerable to
|
||||
# attacks against software that is known to contain security holes.
|
||||
# Implementers SHOULD make usage of the SOFTWARE attribute a
|
||||
# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
|
||||
#
|
||||
#no-software-attribute
|
||||
|
||||
# Option to suppress STUN functionality, only TURN requests will be processed.
|
||||
# Run as TURN server only, all STUN requests will be ignored.
|
||||
# By default, this option is NOT set.
|
||||
@ -622,19 +661,19 @@ mobility
|
||||
# Allocate Address Family according
|
||||
# If enabled then TURN server allocates address family according the TURN
|
||||
# Client <=> Server communication address family.
|
||||
# (By default coTURN works according RFC 6156.)
|
||||
# (By default Coturn works according RFC 6156.)
|
||||
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
|
||||
#
|
||||
#keep-address-family
|
||||
|
||||
|
||||
# User name to run the process. After the initialization, the turnserver process
|
||||
# will make an attempt to change the current user ID to that user.
|
||||
# will attempt to change the current user ID to that user.
|
||||
#
|
||||
#proc-user=<user-name>
|
||||
|
||||
# Group name to run the process. After the initialization, the turnserver process
|
||||
# will make an attempt to change the current group ID to that group.
|
||||
# will attempt to change the current group ID to that group.
|
||||
#
|
||||
#proc-group=<group-name>
|
||||
|
||||
@ -654,8 +693,8 @@ mobility
|
||||
#cli-port=5766
|
||||
|
||||
# CLI access password. Default is empty (no password).
|
||||
# For the security reasons, it is recommended to use the encrypted
|
||||
# for of the password (see the -P command in the turnadmin utility).
|
||||
# For the security reasons, it is recommended that you use the encrypted
|
||||
# form of the password (see the -P command in the turnadmin utility).
|
||||
#
|
||||
# Secure form for password 'qwerty':
|
||||
#
|
||||
@ -684,8 +723,12 @@ mobility
|
||||
#
|
||||
#web-admin-listen-on-workers
|
||||
|
||||
#acme-redirect=http://redirectserver/.well-known/acme-challenge/
|
||||
# Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '<URL>$1'.
|
||||
# Default is '', i.e. no special handling for such requests.
|
||||
|
||||
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
|
||||
# Only for those applications when we want to run
|
||||
# Only for those applications when you want to run
|
||||
# server applications on the relay endpoints.
|
||||
# This option eliminates the IP permissions check on
|
||||
# the packets incoming to the relay endpoints.
|
||||
|
@ -3,10 +3,12 @@
|
||||
#
|
||||
|
||||
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
|
||||
#DHCPD_CONF=/etc/dhcp/dhcpd.conf
|
||||
#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
|
||||
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
|
||||
|
||||
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
|
||||
#DHCPD_PID=/var/run/dhcpd.pid
|
||||
#DHCPDv4_PID=/var/run/dhcpd.pid
|
||||
#DHCPDv6_PID=/var/run/dhcpd6.pid
|
||||
|
||||
# Additional options to start dhcpd with.
|
||||
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
|
||||
@ -14,4 +16,6 @@
|
||||
|
||||
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
|
||||
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
|
||||
INTERFACES="eth0"
|
||||
INTERFACESv4="{{ ansible_default_ipv4['interface'] }}"
|
||||
INTERFACESv6=""
|
||||
INTERFACES="{{ ansible_default_ipv4['interface'] }}"
|
||||
|
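Review bot: The new side sets both `INTERFACESv4="{{ ansible_default_ipv4['interface'] }}"` and the legacy `INTERFACES="{{ ansible_default_ipv4['interface'] }}"` to the same expression, so one of the two is redundant and they can silently diverge on a later edit; keep only `INTERFACESv4` (plus the explicit `INTERFACESv6=""`) unless the init script on the target release still reads `INTERFACES`, in which case a one-line comment saying so would justify the duplicate. Deriving the listening interface from `ansible_default_ipv4['interface']` binds dhcpd to whichever link carries the host's default route, i.e. the side facing the upstream gateway, which is not necessarily the client VLAN that should receive offers and cannot express "serve two interfaces"; a role variable holding an explicit list (name to be chosen, e.g. `dhcpd_interfaces`) would make the served segment a deliberate choice rather than a side effect of routing.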
@ -3,13 +3,15 @@
|
||||
# option definitions common to all supported networks...
|
||||
option domain-name "binary.kitchen";
|
||||
option domain-name-servers {{ name_servers | join(', ') }};
|
||||
option domain-search "binary.kitchen";
|
||||
option ntp-servers 172.23.1.60, 172.23.2.3;
|
||||
|
||||
default-lease-time 7200;
|
||||
max-lease-time 28800;
|
||||
|
||||
# Use this to enble / disable dynamic dns updates globally.
|
||||
ddns-update-style none;
|
||||
ddns-update-style interim;
|
||||
ddns-updates on;
|
||||
|
||||
# If this DHCP server is the official DHCP server for the local
|
||||
# network, the authoritative directive should be uncommented.
|
||||
@ -61,6 +63,8 @@ subnet 172.23.2.0 netmask 255.255.255.0 {
|
||||
# Users
|
||||
subnet 172.23.3.0 netmask 255.255.255.0 {
|
||||
option routers 172.23.3.1;
|
||||
ddns-domainname "users.binary.kitchen";
|
||||
option domain-search "binary.kitchen", "users.binary.kitchen";
|
||||
pool {
|
||||
{% if dhcpd_failover == true %}
|
||||
failover peer "failover-partner";
|
||||
@ -80,6 +84,47 @@ subnet 172.23.4.0 netmask 255.255.255.0 {
|
||||
}
|
||||
}
|
||||
|
||||
# Management Auweg
|
||||
subnet 172.23.12.0 netmask 255.255.255.0 {
|
||||
option routers 172.23.12.1;
|
||||
}
|
||||
|
||||
# Services Auweg
|
||||
subnet 172.23.13.0 netmask 255.255.255.0 {
|
||||
allow bootp;
|
||||
option routers 172.23.13.1;
|
||||
}
|
||||
|
||||
# Users Auweg
|
||||
subnet 172.23.14.0 netmask 255.255.255.0 {
|
||||
option routers 172.23.3.1;
|
||||
ddns-domainname "users.binary.kitchen";
|
||||
option domain-search "binary.kitchen", "users.binary.kitchen";
|
||||
pool {
|
||||
{% if dhcpd_failover == true %}
|
||||
failover peer "failover-partner";
|
||||
{% endif %}
|
||||
range 172.23.14.10 172.23.14.230;
|
||||
}
|
||||
}
|
||||
|
||||
# MQTT Auweg
|
||||
subnet 172.23.15.0 netmask 255.255.255.0 {
|
||||
option routers 172.23.4.1;
|
||||
pool {
|
||||
{% if dhcpd_failover == true %}
|
||||
failover peer "failover-partner";
|
||||
{% endif %}
|
||||
range 172.23.15.10 172.23.15.240;
|
||||
}
|
||||
}
|
||||
|
||||
# DDNS zones
|
||||
|
||||
zone users.binary.kitchen {
|
||||
primary {{ dns_primary }};
|
||||
}
|
||||
|
||||
|
||||
# Fixed IPs
|
||||
|
||||
@ -98,6 +143,11 @@ host ap05 {
|
||||
fixed-address ap05.binary.kitchen;
|
||||
}
|
||||
|
||||
host ap06 {
|
||||
hardware ethernet 94:b4:0f:c0:1d:a0;
|
||||
fixed-address ap06.binary.kitchen;
|
||||
}
|
||||
|
||||
host bowle {
|
||||
hardware ethernet ac:1f:6b:25:16:b6;
|
||||
fixed-address bowle.binary.kitchen;
|
||||
@ -108,11 +158,6 @@ host cannelloni {
|
||||
fixed-address cannelloni.binary.kitchen;
|
||||
}
|
||||
|
||||
host cashdesk {
|
||||
hardware ethernet 00:0b:ca:94:13:f1;
|
||||
fixed-address cashdesk.binary.kitchen;
|
||||
}
|
||||
|
||||
host fusilli {
|
||||
hardware ethernet b8:27:eb:1d:b9:bf;
|
||||
fixed-address fusilli.binary.kitchen;
|
||||
@ -123,9 +168,14 @@ host garlic {
|
||||
fixed-address garlic.binary.kitchen;
|
||||
}
|
||||
|
||||
host homer {
|
||||
hardware ethernet b8:27:eb:24:b2:12;
|
||||
fixed-address homer.binary.kitchen;
|
||||
host habdisplay1 {
|
||||
hardware ethernet b8:27:eb:b6:62:be;
|
||||
fixed-address habdisplay1.mqtt.binary.kitchen;
|
||||
}
|
||||
|
||||
host habdisplay2 {
|
||||
hardware ethernet b8:27:eb:df:0b:7b;
|
||||
fixed-address habdisplay2.mqtt.binary.kitchen;
|
||||
}
|
||||
|
||||
host klopi {
|
||||
@ -163,16 +213,16 @@ host noodlehub {
|
||||
fixed-address noodlehub.binary.kitchen;
|
||||
}
|
||||
|
||||
host openhabgw1 {
|
||||
hardware ethernet dc:a6:32:bf:e2:3e;
|
||||
fixed-address openhabgw1.mqtt.binary.kitchen;
|
||||
}
|
||||
|
||||
host pizza {
|
||||
hardware ethernet 52:54:00:17:02:21;
|
||||
fixed-address pizza.binary.kitchen;
|
||||
}
|
||||
|
||||
host punsch {
|
||||
hardware ethernet 00:21:85:1b:7f:3d;
|
||||
fixed-address punsch.binary.kitchen;
|
||||
}
|
||||
|
||||
host spaghetti {
|
||||
hardware ethernet b8:27:eb:e3:e9:f1;
|
||||
fixed-address spaghetti.binary.kitchen;
|
||||
|
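Review bot: The two new Auweg pools hand out default gateways that lie outside their own network: `subnet 172.23.14.0 netmask 255.255.255.0` declares `option routers 172.23.3.1;` and `subnet 172.23.15.0 netmask 255.255.255.0` declares `option routers 172.23.4.1;`, which look copied from the Users and MQTT blocks of 172.23.3.0/24 and 172.23.4.0/24, so clients on those segments will receive an off-link router; presumably these should read `option routers 172.23.14.1;` and `option routers 172.23.15.1;`, following the `.1` convention used by the Management Auweg and Services Auweg blocks. Separately, the new `zone users.binary.kitchen { primary {{ dns_primary }}; }` carries no `key` statement, so now that the first hunk switches to `ddns-update-style interim;` / `ddns-updates on;` the server sends unsigned RFC 2136 updates and authorisation rests solely on the receiving nameserver's source-address and policy checks; a TSIG `key` block referenced from the zone with `key <name>;` would bind updates to this server rather than to any host able to reach the primary with a forged source. Both DDNS-related hunks and the Auweg subnet hunk are complete within this view.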
@ -5,11 +5,21 @@
|
||||
name:
|
||||
- pdns-server
|
||||
- pdns-backend-sqlite3
|
||||
- sqlite3
|
||||
|
||||
- name: Configure powerdns
|
||||
template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
|
||||
notify: Restart powerdns
|
||||
|
||||
- name: Initialize database
|
||||
command:
|
||||
cmd: >
|
||||
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
|
||||
/var/lib/powerdns/powerdns.sqlite3
|
||||
creates: /var/lib/powerdns/powerdns.sqlite3
|
||||
become: true
|
||||
become_user: pdns
|
||||
|
||||
- name: Copy update policy script
|
||||
copy: src=updatepolicy.lua dest=/etc/powerdns/updatepolicy.lua
|
||||
notify: Restart powerdns
|
||||
|
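Review bot: The `Initialize database` task guards re-runs with `creates: /var/lib/powerdns/powerdns.sqlite3`, but that is the file sqlite3 creates at its first write, so a schema script that fails part-way (missing doc package, permission problem while running as `become_user: pdns`) leaves a half-built database that suppresses every later run instead of being repaired. A success marker written only after the import completes, or a separate check such as `sqlite3 /var/lib/powerdns/powerdns.sqlite3 ".tables"` registered and used in a `when:`, would make the task honestly idempotent. Feeding the schema through `-init` also drops sqlite3 into its line-reading loop afterwards and appears to work only because Ansible supplies no stdin; `sqlite3 /var/lib/powerdns/powerdns.sqlite3 < /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql` states the intent directly. The second `Initialize database` task in this change has the same shape but targets `/var/lib/powerdns/pdns.sqlite3`; if the two roles are meant to share a layout the differing file names deserve a comment.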
@ -11,3 +11,4 @@ allow-axfr-ips=127.0.0.1,::1{% if dns_axfr_ips is defined %},{{ dns_axfr_ips | j
|
||||
{% endif %}
|
||||
allow-dnsupdate-from=0.0.0.0/0,::/0
|
||||
lua-dnsupdate-policy-script=/etc/powerdns/updatepolicy.lua
|
||||
security-poll-suffix=
|
||||
|
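Review bot: `allow-dnsupdate-from=0.0.0.0/0,::/0` accepts RFC 2136 updates from every source address, so authorisation of dynamic updates now depends entirely on `/etc/powerdns/updatepolicy.lua`, whose contents are not part of this change; even if the ACL line predates the commit, the `lua-dnsupdate-policy-script` line that appears to be the addition makes the pair the thing to review together. Narrowing the ACL to the DHCP servers that actually send updates, for example `allow-dnsupdate-from={{ dns_update_ips | join(',') }}` (variable name constructed, in the style of the existing `dns_axfr_ips`), and requiring a TSIG key through the `TSIG-ALLOW-DNSUPDATE` domain metadata on `users.binary.kitchen` would turn the Lua script into a second check rather than the only one. Because this setting is global, a per-zone `ALLOW-DNSUPDATE-FROM` metadata entry on the `users` zone would additionally keep updates away from `binary.kitchen` and the reverse zone, which this change does not intend to make writable.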
@ -5,3 +5,6 @@
|
||||
with_items:
|
||||
- pdns
|
||||
- pdns-recursor
|
||||
|
||||
- name: Restart dnsdist
|
||||
service: name=dnsdist state=restarted
|
||||
|
@ -3,8 +3,11 @@
|
||||
- name: Install powerdns
|
||||
apt:
|
||||
name:
|
||||
- dnsdist
|
||||
- pdns-backend-sqlite3
|
||||
- pdns-server
|
||||
- pdns-recursor
|
||||
- sqlite3
|
||||
|
||||
- name: Create zone directory
|
||||
file: path=/etc/powerdns/bind/ state=directory
|
||||
@ -19,8 +22,28 @@
|
||||
- bind/23.172.in-addr.arpa.zone
|
||||
- bind/binary.kitchen.zone
|
||||
|
||||
- name: Initialize database
|
||||
command:
|
||||
cmd: >
|
||||
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
|
||||
/var/lib/powerdns/pdns.sqlite3
|
||||
creates: /var/lib/powerdns/pdns.sqlite3
|
||||
become: true
|
||||
become_user: pdns
|
||||
|
||||
# TODO
|
||||
# Initialize zone users.binary.kitchen using pdnsutil or SQL on the master
|
||||
|
||||
# TODO
|
||||
# Initialize zone users.binary.kitchen using "pdnsutil create-slave-zone users.binary.kitchen 172.23.2.3" on the slave
|
||||
|
||||
- name: Configure dnsdist
|
||||
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
|
||||
notify: Restart dnsdist
|
||||
|
||||
- name: Start the powerdns services
|
||||
service: name={{ item }} state=started enabled=yes
|
||||
with_items:
|
||||
- dnsdist
|
||||
- pdns
|
||||
- pdns-recursor
|
||||
|
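Review bot: The two `# TODO` comments added before `Configure dnsdist` turn provisioning of the `users.binary.kitchen` zone into a manual step (`pdnsutil create-slave-zone users.binary.kitchen 172.23.2.3` on the secondary, an unspecified `pdnsutil`/SQL command on the primary), so a freshly built host converges without the zone that the DHCP DDNS configuration and the update policy in this same change rely on, and the primary's address is hard-coded in a comment while the rest of the role takes addresses from variables. Each could become a task guarded by a check, e.g. a `register:`ed `pdnsutil list-all-zones` followed by `when: "'users.binary.kitchen' not in zones.stdout_lines"`, with `pdnsutil create-zone` on the primary and the existing `create-slave-zone` call, using the variable that holds the primary's address, on the secondary. The `Install powerdns` task now also installs `dnsdist`; renaming it `Install powerdns and dnsdist` keeps the play output accurate.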
@ -1,19 +1,19 @@
|
||||
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
|
||||
$TTL 1h ; default time-to-live
|
||||
@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
|
||||
2020051101; serial
|
||||
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
|
||||
2021091301; serial
|
||||
1d; refresh
|
||||
2h; retry
|
||||
4w; expire
|
||||
1h; minimum time-to-live
|
||||
)
|
||||
IN NS ns.binary.kitchen.
|
||||
IN NS ns1.binary.kitchen.
|
||||
IN NS ns2.binary.kitchen.
|
||||
; Loopback
|
||||
1.0 IN PTR core.binary.kitchen.
|
||||
2.0 IN PTR erx-bk.binary.kitchen.
|
||||
3.0 IN PTR erx-rz.binary.kitchen.
|
||||
4.0 IN PTR pf-bk.binary.kitchen.
|
||||
5.0 IN PTR pf-rz.binary.kitchen.
|
||||
4.0 IN PTR erx-auweg.binary.kitchen.
|
||||
; Management
|
||||
1.1 IN PTR v2301.core.binary.kitchen.
|
||||
11.1 IN PTR ups1.binary.kitchen.
|
||||
@ -28,6 +28,7 @@ $TTL 1h ; default time-to-live
|
||||
43.1 IN PTR ap03.binary.kitchen.
|
||||
44.1 IN PTR ap04.binary.kitchen.
|
||||
45.1 IN PTR ap05.binary.kitchen.
|
||||
46.1 IN PTR ap06.binary.kitchen.
|
||||
51.1 IN PTR modem.binary.kitchen.
|
||||
60.1 IN PTR wurst.binary.kitchen.
|
||||
80.1 IN PTR wurst-bmc.binary.kitchen.
|
||||
@ -36,17 +37,16 @@ $TTL 1h ; default time-to-live
|
||||
102.1 IN PTR nbe-tr8.binary.kitchen.
|
||||
; Services
|
||||
1.2 IN PTR v2302.core.binary.kitchen.
|
||||
2.2 IN PTR ns.binary.kitchen.
|
||||
3.2 IN PTR bacon.binary.kitchen.
|
||||
4.2 IN PTR aveta.binary.kitchen.
|
||||
5.2 IN PTR sulis.binary.kitchen.
|
||||
6.2 IN PTR nabia.binary.kitchen.
|
||||
11.2 IN PTR homer.binary.kitchen.
|
||||
7.2 IN PTR epona.binary.kitchen.
|
||||
12.2 IN PTR lock.binary.kitchen.
|
||||
13.2 IN PTR matrix.binary.kitchen.
|
||||
33.2 IN PTR pizza.binary.kitchen.
|
||||
36.2 IN PTR schweinshaxn.binary.kitchen.
|
||||
44.2 IN PTR cashdesk.binary.kitchen.
|
||||
37.2 IN PTR bob.binary.kitchen.
|
||||
62.2 IN PTR bowle.binary.kitchen.
|
||||
91.2 IN PTR strammermax.binary.kitchen.
|
||||
92.2 IN PTR obatzda.binary.kitchen.
|
||||
@ -60,28 +60,39 @@ $GENERATE 10-230 $.3 IN PTR dhcp-${0,3,d}-03.binary.kitchen.
|
||||
244.3 IN PTR mirror.binary.kitchen.
|
||||
245.3 IN PTR spaghetti.binary.kitchen.
|
||||
246.3 IN PTR maccaroni.binary.kitchen.
|
||||
247.3 IN PTR pve02-bmc.tmp.binary.kitchen.
|
||||
248.3 IN PTR pve02.tmp.binary.kitchen.
|
||||
249.3 IN PTR ffrgb.binary.kitchen.
|
||||
250.3 IN PTR cannelloni.binary.kitchen.
|
||||
251.3 IN PTR noodlehub.binary.kitchen.
|
||||
; MQTT
|
||||
1.4 IN PTR v2304.core.binary.kitchen.
|
||||
6.4 IN PTR pizza.mqtt.binary.kitchen.
|
||||
$GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
|
||||
241.4 IN PTR habdisplay1.mqtt.binary.kitchen.
|
||||
242.4 IN PTR habdisplay2.mqtt.binary.kitchen.
|
||||
245.4 IN PTR logo1.mqtt.binary.kitchen.
|
||||
246.4 IN PTR logo2.mqtt.binary.kitchen.
|
||||
250.4 IN PTR moodlights1.mqtt.binary.kitchen.
|
||||
251.4 IN PTR openhabgw1.mqtt.binary.kitchen.
|
||||
252.4 IN PTR homematic-ccu2.mqtt.binary.kitchen.
|
||||
; Management RZ
|
||||
1.9 IN PTR switch0.erx-rz.binary.kitchen.
|
||||
61.9 IN PTR salat.binary.kitchen.
|
||||
81.9 IN PTR salat-bmc.binary.kitchen.
|
||||
; Services RZ
|
||||
23.8 IN PTR cernunnos.binary.kitchen.
|
||||
; VPN RZ (ER-X)
|
||||
1.10 IN PTR wg1.erx-rz.binary.kitchen.
|
||||
1.10 IN PTR wg0.erx-rz.binary.kitchen.
|
||||
$GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen.
|
||||
; VPN RZ (pf)
|
||||
$GENERATE 2-254 $.11 IN PTR vpn-${0,3,d}-11.binary.kitchen.
|
||||
; Management Auweg
|
||||
61.12 IN PTR weizen.binary.kitchen.
|
||||
; Services Auweg
|
||||
3.13 IN PTR aeron.binary.kitchen.
|
||||
; Clients Auweg
|
||||
$GENERATE 10-230 $.14 IN PTR dhcp-${0,3,d}-14.binary.kitchen.
|
||||
; MQTT
|
||||
$GENERATE 10-240 $.15 IN PTR dhcp-${0,3,d}-15.binary.kitchen.
|
||||
; Point-to-Point
|
||||
1.96 IN PTR v400.erx-bk.binary.kitchen.
|
||||
2.96 IN PTR v400.core.binary.kitchen.
|
||||
1.97 IN PTR wg0.erx-rz.binary.kitchen.
|
||||
2.97 IN PTR wg0.erx-bk.binary.kitchen.
|
||||
1.97 IN PTR wg1.erx-rz.binary.kitchen.
|
||||
2.97 IN PTR wg1.erx-bk.binary.kitchen.
|
||||
5.97 IN PTR wg2.erx-rz.binary.kitchen.
|
||||
6.97 IN PTR wg2.erx-auweg.binary.kitchen.
|
||||
|
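Review bot: The new block for 172.23.15.0/24 is labelled `; MQTT`, the same comment already used for 172.23.4.0/24 earlier in the file, while its sibling Auweg networks are labelled `; Management Auweg`, `; Services Auweg` and `; Clients Auweg`; `; MQTT Auweg` would match those and the `# MQTT Auweg` heading of the corresponding subnet in `dhcpd.conf`. The SOA serial is bumped to `2021091301` here and in the forward zone, which is correct for this edit; if `ns2` is a secondary of `ns1`, a short `; bump the serial on every change` comment next to the SOA would remind the next editor, since a forgotten bump silently leaves the secondary serving the old PTRs.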
@ -1,25 +1,34 @@
|
||||
$ORIGIN binary.kitchen ; base for unqualified names
|
||||
$TTL 1h ; default time-to-live
|
||||
@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
|
||||
2020051101; serial
|
||||
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
|
||||
2021091301; serial
|
||||
1d; refresh
|
||||
2h; retry
|
||||
4w; expire
|
||||
1h; minimum time-to-live
|
||||
)
|
||||
IN NS ns.binary.kitchen.
|
||||
IN NS ns1.binary.kitchen.
|
||||
IN NS ns2.binary.kitchen.
|
||||
; Subdomains
|
||||
users IN NS ns1.binary.kitchen.
|
||||
users IN NS ns2.binary.kitchen.
|
||||
; External
|
||||
IN A 213.166.246.4
|
||||
www IN A 213.166.246.4
|
||||
; Aliases
|
||||
3dprinter IN A 172.23.3.251
|
||||
icinga IN A 172.23.2.6
|
||||
ldap IN A 172.23.2.3
|
||||
ldap IN A 172.23.2.4
|
||||
ldap IN A 213.166.246.2
|
||||
ldap1 IN A 172.23.2.3
|
||||
ldap2 IN A 172.23.2.4
|
||||
ldap3 IN A 172.23.13.3
|
||||
ldapm IN A 213.166.246.2
|
||||
librenms IN A 172.23.2.6
|
||||
netbox IN A 172.23.2.7
|
||||
ns1 IN A 172.23.2.3
|
||||
ns2 IN A 172.23.2.4
|
||||
racktables IN A 172.23.2.6
|
||||
radius IN A 172.23.2.3
|
||||
radius IN A 172.23.2.4
|
||||
@ -27,8 +36,7 @@ radius IN A 172.23.2.4
|
||||
core IN A 172.23.0.1
|
||||
erx-bk IN A 172.23.0.2
|
||||
erx-rz IN A 172.23.0.3
|
||||
pf-bk IN A 172.23.0.4
|
||||
pf-rz IN A 172.23.0.5
|
||||
erx-auweg IN A 172.23.0.4
|
||||
; Management
|
||||
v2301.core IN A 172.23.1.1
|
||||
ups1 IN A 172.23.1.11
|
||||
@ -43,6 +51,7 @@ ap02 IN A 172.23.1.42
|
||||
ap03 IN A 172.23.1.43
|
||||
ap04 IN A 172.23.1.44
|
||||
ap05 IN A 172.23.1.45
|
||||
ap06 IN A 172.23.1.46
|
||||
modem IN A 172.23.1.51
|
||||
wurst IN A 172.23.1.60
|
||||
wurst-bmc IN A 172.23.1.80
|
||||
@ -51,17 +60,16 @@ nbe-w13b IN A 172.23.1.101
|
||||
nbe-tr8 IN A 172.23.1.102
|
||||
; Services
|
||||
v2302.core IN A 172.23.2.1
|
||||
ns IN A 172.23.2.2
|
||||
bacon IN A 172.23.2.3
|
||||
aveta IN A 172.23.2.4
|
||||
sulis IN A 172.23.2.5
|
||||
nabia IN A 172.23.2.6
|
||||
homer IN A 172.23.2.11
|
||||
epona IN A 172.23.2.7
|
||||
lock IN A 172.23.2.12
|
||||
matrix IN A 172.23.2.13
|
||||
pizza IN A 172.23.2.33
|
||||
schweinshaxn IN A 172.23.2.36
|
||||
cashdesk IN A 172.23.2.44
|
||||
bob IN A 172.23.2.37
|
||||
bowle IN A 172.23.2.62
|
||||
strammermax IN A 172.23.2.91
|
||||
obatzda IN A 172.23.2.92
|
||||
@ -75,28 +83,39 @@ garlic IN A 172.23.3.243
|
||||
mirror IN A 172.23.3.244
|
||||
spaghetti IN A 172.23.3.245
|
||||
maccaroni IN A 172.23.3.246
|
||||
pve02-bmc.tmp IN A 172.23.3.247
|
||||
pve02.tmp IN A 172.23.3.248
|
||||
ffrgb IN A 172.23.3.249
|
||||
cannelloni IN A 172.23.3.250
|
||||
noodlehub IN A 172.23.3.251
|
||||
; MQTT
|
||||
v2304.core IN A 172.23.4.1
|
||||
pizza.mqtt IN A 172.23.4.6
|
||||
$GENERATE 10-240 dhcp-${0,3,d}-04 IN A 172.23.4.$
|
||||
habdisplay1.mqtt IN A 172.23.4.241
|
||||
habdisplay2.mqtt IN A 172.23.4.242
|
||||
logo1.mqtt IN A 172.23.4.245
|
||||
logo2.mqtt IN A 172.23.4.246
|
||||
moodlights1.mqtt IN A 172.23.4.250
|
||||
openhabgw1.mqtt IN A 172.23.4.251
|
||||
homematic-ccu2.mqtt IN A 172.23.4.252
|
||||
; Management RZ
|
||||
switch0.erx-rz IN A 172.23.9.1
|
||||
salat IN A 172.23.9.61
|
||||
salat-bmc IN A 172.23.9.81
|
||||
; Services RZ
|
||||
cernunnos IN A 172.23.8.23
|
||||
; Management Auweg
|
||||
weizen IN A 172.23.12.61
|
||||
; Services Auweg
|
||||
aeron IN A 172.23.13.3
|
||||
; Clients Auweg
|
||||
$GENERATE 10-230 dhcp-${0,3,d}-14 IN A 172.23.14.$
|
||||
; MQTT Auweg
|
||||
$GENERATE 10-240 dhcp-${0,3,d}-15 IN A 172.23.15.$
|
||||
; VPN RZ (ER-X)
|
||||
wg1.erx-rz IN A 172.23.10.1
|
||||
wg0.erx-rz IN A 172.23.10.1
|
||||
$GENERATE 2-254 vpn-${0,3,d}-10 IN A 172.23.10.$
|
||||
; VPN RZ (pf)
|
||||
$GENERATE 2-254 vpn-${0,3,d}-11 IN A 172.23.11.$
|
||||
; Point-to-Point
|
||||
v400.erx-bk IN A 172.23.96.1
|
||||
v400.core IN A 172.23.96.2
|
||||
wg0.erx-rz IN A 172.23.97.1
|
||||
wg0.erx-bk IN A 172.23.97.2
|
||||
wg1.erx-rz IN A 172.23.97.1
|
||||
wg1.erx-bk IN A 172.23.97.2
|
||||
wg2.erx-rz IN A 172.23.97.5
|
||||
wg2.erx-auweg IN A 172.23.97.6
|
||||
|
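Review bot: `ldap` now carries three A records — `172.23.2.3`, `172.23.2.4` and the public `213.166.246.2` — if all three lines near the top of the first hunk are on the new side, while the same public address is also published as `ldapm`. Internal clients resolving `ldap` will then land on the public address one time in three, so the LDAP path depends on that address being reachable (hairpinned) from inside; if the public record is meant for external clients only, keeping it under `ldapm` alone and adding `; ldap = internal replicas only, external clients use ldapm` above the group makes the intent checkable. Related: the reverse zone above this file lists both `wg0.erx-rz` and `wg1.erx-rz` for `1.97`, which is only consistent if one of them is the removed side of the rename.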
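--- a/roles/dns_intern/templates/dnsdist.conf.j2
+++ b/roles/dns_intern/templates/dnsdist.conf.j2
@@ -0,0 +1,27 @@
+-- {{ ansible_managed }}
+
+setLocal('127.0.0.1')
+addLocal('::1')
+addLocal('{{ ansible_default_ipv4.address }}')
+
+-- define downstream servers/pools
+newServer({address='127.0.0.1:5300', pool='authdns'})
+newServer({address='127.0.0.1:5353', pool='resolve'})
+
+{% if dns_secondary is defined %}
+-- allow AXFR/IXFR only from slaves
+addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
+{% endif %}
+
+-- allow NOTIFY only from master
+addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
+
+-- use auth servers for own zones
+addAction('binary.kitchen', PoolAction('authdns'))
+addAction('23.172.in-addr.arpa', PoolAction('authdns'))
+
+-- use resolver for anything else
+addAction(AllRule(), PoolAction('resolve'))
+
+-- disable security status polling via DNS
+setSecurityPollSuffix('')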
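Review bot: Nothing in this template restricts which clients may recurse: `addLocal('{{ ansible_default_ipv4.address }}')` exposes the listener on the host's primary address and `addAction(AllRule(), PoolAction('resolve'))` hands every non-local query to the recursor, so the only limit is dnsdist's built-in default ACL. Make the intended client networks explicit next to the listeners, e.g. `setACL({'127.0.0.0/8', '::1', '172.23.0.0/16'})` (172.23 is the range served by `23.172.in-addr.arpa`; adjust to the real client networks). The AXFR/IXFR refusal only exists when `dns_secondary` is defined, so a single-server deployment falls back to the backend's own transfer ACL; a comment on the `{% if %}` stating that saves the next reader the check.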
@ -1,10 +1,24 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
{% if ansible_default_ipv4.address == dns_primary %}
|
||||
#################################
|
||||
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
|
||||
#
|
||||
# allow-dnsupdate-from=127.0.0.0/8,::1
|
||||
allow-dnsupdate-from=127.0.0.0/8,::1,{{ dhcpd_primary }}{% if dhcpd_secondary is defined %},{{ dhcpd_secondary }}{% endif %}
|
||||
|
||||
#################################
|
||||
# dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
|
||||
#
|
||||
# dnsupdate=no
|
||||
dnsupdate=yes
|
||||
{% endif %}
|
||||
|
||||
#################################
|
||||
# launch Which backends to launch and order to query them in
|
||||
#
|
||||
# launch=
|
||||
launch=bind
|
||||
launch=bind,gsqlite3
|
||||
|
||||
#################################
|
||||
# local-address Local IP addresses to which we bind
|
||||
@ -24,6 +38,22 @@ local-ipv6=
|
||||
# local-port=53
|
||||
local-port=5300
|
||||
|
||||
{% if ansible_default_ipv4.address == dns_primary %}
|
||||
#################################
|
||||
# master Act as a master
|
||||
#
|
||||
# master=no
|
||||
master=yes
|
||||
|
||||
{% if dns_secondary is defined %}
|
||||
#################################
|
||||
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
|
||||
#
|
||||
# only-notify=0.0.0.0/0,::/0
|
||||
only-notify={{ dns_secondary }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
#################################
|
||||
# security-poll-suffix Domain name from which to query security update notifications
|
||||
#
|
||||
@ -40,7 +70,27 @@ setgid=pdns
|
||||
#
|
||||
setuid=pdns
|
||||
|
||||
{% if dns_secondary is defined and ansible_default_ipv4.address == dns_secondary %}
|
||||
#################################
|
||||
# bind-config Location of the Bind configuration file to parse.
|
||||
# slave Act as a slave
|
||||
#
|
||||
# slave=no
|
||||
slave=yes
|
||||
|
||||
#################################
|
||||
# trusted-notification-proxy IP address of incoming notification proxy
|
||||
#
|
||||
# trusted-notification-proxy=
|
||||
trusted-notification-proxy=127.0.0.1,::1
|
||||
{% endif %}
|
||||
|
||||
#################################
|
||||
# bind-config Location of named.conf
|
||||
#
|
||||
bind-config=/etc/powerdns/bindbackend.conf
|
||||
|
||||
#################################
|
||||
# gsqlite3-database Filename of the SQLite3 database
|
||||
#
|
||||
# gsqlite3-database=
|
||||
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
|
||||
|
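Review bot: `allow-dnsupdate-from=127.0.0.0/8,::1,{{ dhcpd_primary }}...` is evaluated against the source address pdns sees, and with dnsdist forwarding to `127.0.0.1:5300` from loopback that source is `127.0.0.1` for every relayed packet — the same effect that `trusted-notification-proxy=127.0.0.1,::1` compensates for on the secondary. Unless the DHCP servers send their RFC 2136 updates straight to port 5300, the `dhcpd_*` entries never match and `127.0.0.0/8` admits updates from any client dnsdist accepts. A rule in dnsdist.conf.j2 mirroring the NOTIFY one closes that, e.g. `addAction(AndRule({OpcodeRule(DNSOpcode.Update), NotRule(makeRule({"{{ dhcpd_primary }}"{% if dhcpd_secondary is defined %}, "{{ dhcpd_secondary }}"{% endif %}}))}), RCodeAction(dnsdist.REFUSED))`; TSIG-signed updates (`TSIG-ALLOW-DNSUPDATE` zone metadata) would not depend on source addresses at all.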
@ -16,24 +16,18 @@ config-dir=/etc/powerdns
|
||||
# dnssec=process-no-validate
|
||||
dnssec=off
|
||||
|
||||
#################################
|
||||
# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
|
||||
#
|
||||
# forward-zones=
|
||||
forward-zones=binary.kitchen=127.0.0.1:5300,23.172.in-addr.arpa=127.0.0.1:5300
|
||||
|
||||
#################################
|
||||
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
|
||||
#
|
||||
local-address=127.0.0.1,{{ ansible_default_ipv4.address }}
|
||||
local-address=127.0.0.1
|
||||
|
||||
#################################
|
||||
# local-port port to listen on
|
||||
#
|
||||
local-port=53
|
||||
local-port=5353
|
||||
|
||||
#################################
|
||||
# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
|
||||
# query-local-address6 Source IPv6 address for sending queries. IF UNSET, IPv6 WILL NOT BE USED FOR OUTGOING QUERIES
|
||||
#
|
||||
{% if global_ipv6 is defined %}
|
||||
query-local-address6={{ global_ipv6 | ipaddr('address') }}
|
||||
|
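Review bot: With `local-address=127.0.0.1` and `local-port=5353` every query reaching the recursor now arrives from dnsdist on loopback, so any client ACL this file still carries (`allow-from`, outside the hunk) can no longer tell real clients apart and the dnsdist listener ACL becomes the only per-client control. A comment above `local-address` recording that, e.g. `# reachable only via dnsdist on this host; client filtering happens there`, keeps a future reader from re-adding the host address here to "fix" connectivity.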
@ -5,7 +5,7 @@
|
||||
|
||||
- name: Enable docker repository
|
||||
apt_repository:
|
||||
repo: 'deb https://download.docker.com/linux/debian buster stable'
|
||||
repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
|
||||
filename: docker
|
||||
|
||||
- name: Install docker
|
||||
@ -14,4 +14,4 @@
|
||||
- docker-ce
|
||||
- docker-ce-cli
|
||||
- containerd.io
|
||||
- python-docker
|
||||
- python3-docker
|
||||
|
@ -14,7 +14,7 @@
|
||||
apt:
|
||||
name:
|
||||
- postgresql
|
||||
- python-psycopg2
|
||||
- python3-psycopg2
|
||||
|
||||
- name: Configure PostgreSQL database
|
||||
postgresql_db: name={{ drone_dbname }}
|
||||
|
@ -14,6 +14,7 @@
|
||||
DRONE_UI_PASSWORD: "{{ drone_uipass }}"
|
||||
ports:
|
||||
- "3000:3000"
|
||||
pull: yes
|
||||
restart_policy: unless-stopped
|
||||
state: started
|
||||
volumes:
|
||||
|
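Review bot: `pull: yes` makes every playbook run re-pull the container image; whether that is an unpinned upgrade depends on the `image:` line, which sits outside the hunk. If that value is a floating tag, pin it to a fixed version (or an `@sha256:` digest) so `pull: yes` only refreshes a known artifact, and add `# pull: yes re-fetches the pinned image; bump the tag deliberately` above it.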
7
roles/fileserver/handlers/main.yml
Normal file
@ -0,0 +1,7 @@
|
||||
---
|
||||
|
||||
- name: Reload nfs-server
|
||||
service: name=nfs-server state=reloaded
|
||||
|
||||
- name: Reload smbd
|
||||
service: name=smbd state=reloaded
|
30
roles/fileserver/tasks/main.yml
Normal file
@ -0,0 +1,30 @@
|
||||
---
|
||||
|
||||
# TODO also enable contrib for $release-security
|
||||
- name: Enable contrib repositories
|
||||
apt_repository:
|
||||
repo: deb http://deb.debian.org/debian {{ ansible_distribution_release }} contrib
|
||||
|
||||
- name: Install zfs-dkms
|
||||
apt:
|
||||
name: zfs-dkms
|
||||
|
||||
# creating the ZFS pool is not part of this role
|
||||
|
||||
- name: Install NFS and samba
|
||||
apt:
|
||||
name:
|
||||
- nfs-kernel-server
|
||||
- samba
|
||||
|
||||
- name: Configure NFS
|
||||
template:
|
||||
src: exports.j2
|
||||
dest: /etc/exports
|
||||
notify: Reload nfs-server
|
||||
|
||||
- name: Configure samba
|
||||
template:
|
||||
src: smb.conf.j2
|
||||
dest: /etc/samba/smb.conf
|
||||
notify: Reload smbd
|
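Review bot: The contrib `apt_repository` task omits `filename:`, unlike the docker and icinga repository tasks in this change, so the entry lands in an auto-named sources file; adding `filename: contrib` keeps the roles consistent and the file predictable. The `# creating the ZFS pool is not part of this role` note would be more useful if it named what the role expects to exist before the NFS/samba tasks run, e.g. `# expects the pool to be imported and mounted under /exports (see smb.conf.j2 and nfs_exports)`.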
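--- a/roles/fileserver/templates/exports.j2
+++ b/roles/fileserver/templates/exports.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+{% for item in nfs_exports %}
+{{ item }}
+{% endfor %}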
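Review bot: The template emits each `nfs_exports` item verbatim, so the client specification and options of every export are defined entirely in inventory and nothing here prevents an overly broad entry. A header line stating the expected shape, e.g. `# one exports(5) line per item: <path> <client-spec>(<options>)`, tells inventory reviewers what to check.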
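--- a/roles/fileserver/templates/smb.conf.j2
+++ b/roles/fileserver/templates/smb.conf.j2
@@ -0,0 +1,244 @@
+#
+# Sample configuration file for the Samba suite for Debian GNU/Linux.
+#
+#
+# This is the main Samba configuration file. You should read the
+# smb.conf(5) manual page in order to understand the options listed
+# here. Samba has a huge number of configurable options most of which
+# are not shown in this example
+#
+# Some options that are often worth tuning have been included as
+# commented-out examples in this file.
+# - When such options are commented with ";", the proposed setting
+# differs from the default Samba behaviour
+# - When commented with "#", the proposed setting is the default
+# behaviour of Samba but the option is considered important
+# enough to be mentioned here
+#
+# NOTE: Whenever you modify this file you should run the command
+# "testparm" to check that you have not made any basic syntactic
+# errors.
+
+#======================= Global Settings =======================
+
+[global]
+
+## Browsing/Identification ###
+
+# Change this to the workgroup/NT-domain name your Samba server will part of
+workgroup = WORKGROUP
+
+#### Networking ####
+
+# The specific set of interfaces / networks to bind to
+# This can be either the interface name or an IP address/netmask;
+# interface names are normally preferred
+; interfaces = 127.0.0.0/8 eth0
+
+# Only bind to the named interfaces and/or networks; you must use the
+# 'interfaces' option above to use this.
+# It is recommended that you enable this feature if your Samba machine is
+# not protected by a firewall or is a firewall itself. However, this
+# option cannot handle dynamic or non-broadcast interfaces correctly.
+; bind interfaces only = yes
+
+
+
+#### Debugging/Accounting ####
+
+# This tells Samba to use a separate log file for each machine
+# that connects
+log file = /var/log/samba/log.%m
+
+# Cap the size of the individual log files (in KiB).
+max log size = 1000
+
+# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
+# Append syslog@1 if you want important messages to be sent to syslog too.
+logging = file
+
+# Do something sensible when Samba crashes: mail the admin a backtrace
+panic action = /usr/share/samba/panic-action %d
+
+
+####### Authentication #######
+
+# Server role. Defines in which mode Samba will operate. Possible
+# values are "standalone server", "member server", "classic primary
+# domain controller", "classic backup domain controller", "active
+# directory domain controller".
+#
+# Most people will want "standalone server" or "member server".
+# Running as "active directory domain controller" will require first
+# running "samba-tool domain provision" to wipe databases and create a
+# new domain.
+server role = standalone server
+
+obey pam restrictions = yes
+
+# This boolean parameter controls whether Samba attempts to sync the Unix
+# password with the SMB password when the encrypted SMB password in the
+# passdb is changed.
+unix password sync = yes
+
+# For Unix password sync to work on a Debian GNU/Linux system, the following
+# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
+# sending the correct chat script for the passwd program in Debian Sarge).
+passwd program = /usr/bin/passwd %u
+passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+
+# This boolean controls whether PAM will be used for password changes
+# when requested by an SMB client instead of the program listed in
+# 'passwd program'. The default is 'no'.
+pam password change = yes
+
+# This option controls how unsuccessful authentication attempts are mapped
+# to anonymous connections
+map to guest = bad user
+
+########## Domains ###########
+
+#
+# The following settings only takes effect if 'server role = classic
+# primary domain controller', 'server role = classic backup domain controller'
+# or 'domain logons' is set
+#
+
+# It specifies the location of the user's
+# profile directory from the client point of view) The following
+# required a [profiles] share to be setup on the samba server (see
+# below)
+; logon path = \\%N\profiles\%U
+# Another common choice is storing the profile in the user's home directory
+# (this is Samba's default)
+# logon path = \\%N\%U\profile
+
+# The following setting only takes effect if 'domain logons' is set
+# It specifies the location of a user's home directory (from the client
+# point of view)
+; logon drive = H:
+# logon home = \\%N\%U
+
+# The following setting only takes effect if 'domain logons' is set
+# It specifies the script to run during logon. The script must be stored
+# in the [netlogon] share
+# NOTE: Must be store in 'DOS' file format convention
+; logon script = logon.cmd
+
+# This allows Unix users to be created on the domain controller via the SAMR
+# RPC pipe. The example command creates a user account with a disabled Unix
+# password; please adapt to your needs
+; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
+
+# This allows machine accounts to be created on the domain controller via the
+# SAMR RPC pipe.
+# The following assumes a "machines" group exists on the system
+; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
+
+# This allows Unix groups to be created on the domain controller via the SAMR
+# RPC pipe.
+; add group script = /usr/sbin/addgroup --force-badname %g
+
+############ Misc ############
+
+# Using the following line enables you to customise your configuration
+# on a per machine basis. The %m gets replaced with the netbios name
+# of the machine that is connecting
+; include = /home/samba/etc/smb.conf.%m
+
+# Some defaults for winbind (make sure you're not using the ranges
+# for something else.)
+; idmap config * : backend = tdb
+; idmap config * : range = 3000-7999
+; idmap config YOURDOMAINHERE : backend = tdb
+; idmap config YOURDOMAINHERE : range = 100000-999999
+; template shell = /bin/bash
+
+# Setup usershare options to enable non-root users to share folders
+# with the net usershare command.
+
+# Maximum number of usershare. 0 means that usershare is disabled.
+# usershare max shares = 100
+
+# Allow users who've been granted usershare privileges to create
+# public shares, not just authenticated ones
+usershare allow guests = yes
+
+#======================= Share Definitions =======================
+
+;[homes]
+; comment = Home Directories
+; browseable = no
+
+# By default, the home directories are exported read-only. Change the
+# next parameter to 'no' if you want to be able to write to them.
+; read only = yes
+
+# File creation mask is set to 0700 for security reasons. If you want to
+# create files with group=rw permissions, set next parameter to 0775.
+; create mask = 0700
+
+# Directory creation mask is set to 0700 for security reasons. If you want to
+# create dirs. with group=rw permissions, set next parameter to 0775.
+; directory mask = 0700
+
+# By default, \\server\username shares can be connected to by anyone
+# with access to the samba server.
+# The following parameter makes sure that only "username" can connect
+# to \\server\username
+# This might need tweaking when using external authentication schemes
+; valid users = %S
+
+# Un-comment the following and create the netlogon directory for Domain Logons
+# (you need to configure Samba to act as a domain controller too.)
+;[netlogon]
+; comment = Network Logon Service
+; path = /home/samba/netlogon
+; guest ok = yes
+; read only = yes
+
+# Un-comment the following and create the profiles directory to store
+# users profiles (see the "logon path" option above)
+# (you need to configure Samba to act as a domain controller too.)
+# The path below should be writable by all users so that their
+# profile directory may be created the first time they log on
+;[profiles]
+; comment = Users profiles
+; path = /home/samba/profiles
+; guest ok = no
+; browseable = no
+; create mask = 0600
+; directory mask = 0700
+
+;[printers]
+; comment = All Printers
+; browseable = no
+; path = /var/spool/samba
+; printable = yes
+; guest ok = no
+; read only = yes
+; create mask = 0700
+
+# Windows clients look for this share name as a source of downloadable
+# printer drivers
+;[print$]
+; comment = Printer Drivers
+; path = /var/lib/samba/printers
+; browseable = yes
+; read only = yes
+; guest ok = no
+# Uncomment to allow remote administration of Windows print drivers.
+# You may need to replace 'lpadmin' with the name of the group your
+# admin users are members of.
+# Please note that you also need to set appropriate Unix permissions
+# to the drivers directory for these users to have write rights in it
+; write list = root, @lpadmin
+
+# Binary Kitchen public share
+[tank]
+path = /exports/tank
+browseable = yes
+read only = no
+guest ok = yes
+create mask = 0600
+directory mask = 0700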
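Review bot: The `[tank]` share combines `guest ok = yes` with `read only = no` while `interfaces` and `bind interfaces only` stay commented out in `[global]`, so anonymous write access is offered on every interface the host has. If the share is meant for the local network only, uncomment `interfaces = ...` with the internal interface and `bind interfaces only = yes`, and add a line above `[tank]` stating that unauthenticated writes are intended, e.g. `# intentionally writable by guests; restrict to the internal LAN via interfaces above`. `create mask = 0600` does not isolate guests from one another, since every guest session runs as the same guest account; a comment saying the mask is only there to keep files from non-guest users would stop readers from assuming more.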
@ -3,6 +3,6 @@
|
||||
gitea_user: gogs
|
||||
gitea_group: gogs
|
||||
|
||||
gitea_checksum: sha256:74417bc8e950b685de79c3a39655029f28d27c99e94adbe83c0ec22325d8771f
|
||||
gitea_version: 1.12.6
|
||||
gitea_checksum: sha256:1b7473b5993e07b33fec58edbc1a90f15f040759ca4647e97317c33d5dfe58be
|
||||
gitea_version: 1.15.6
|
||||
gitea_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
|
||||
|
@ -30,7 +30,7 @@
|
||||
apt:
|
||||
name:
|
||||
- postgresql
|
||||
- python-psycopg2
|
||||
- python3-psycopg2
|
||||
|
||||
- name: Configure PostgreSQL database
|
||||
postgresql_db: name={{ gitea_dbname }}
|
||||
|
@ -1,4 +1,4 @@
|
||||
---
|
||||
|
||||
hackmd_version: 1.5.0
|
||||
hackmd_archive: https://github.com/codimd/server/archive/{{ hackmd_version }}.tar.gz
|
||||
hedgedoc_version: 1.8.2
|
||||
hedgedoc_archive: https://github.com/hedgedoc/hedgedoc/archive/{{ hedgedoc_version }}.tar.gz
|
||||
|
@ -3,8 +3,8 @@
|
||||
- name: Reload systemd
|
||||
systemd: daemon_reload=yes
|
||||
|
||||
- name: Restart hackmd
|
||||
service: name=hackmd state=restarted
|
||||
- name: Restart hedgedoc
|
||||
service: name=hedgedoc state=restarted
|
||||
|
||||
- name: Restart nginx
|
||||
service: name=nginx state=restarted
|
||||
|
@ -3,14 +3,11 @@
|
||||
- name: Create user
|
||||
user: name=hackmd
|
||||
|
||||
- name: Enable https for apt
|
||||
apt: name=apt-transport-https
|
||||
|
||||
- name: Enable nodesource apt-key
|
||||
apt_key: url="https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
|
||||
|
||||
- name: Enable nodesource repository
|
||||
apt_repository: repo="deb https://deb.nodesource.com/node_8.x/ {{ ansible_distribution_release }} main"
|
||||
apt_repository: repo="deb https://deb.nodesource.com/node_14.x/ {{ ansible_distribution_release }} main"
|
||||
|
||||
- name: Enable yarnpkg apt-key
|
||||
apt_key: url="https://dl.yarnpkg.com/debian/pubkey.gpg"
|
||||
@ -34,82 +31,75 @@
|
||||
- git
|
||||
- nodejs
|
||||
- postgresql
|
||||
- python-psycopg2
|
||||
- python3-psycopg2
|
||||
- yarn
|
||||
|
||||
- name: Unpack hackmd
|
||||
unarchive: src={{ hackmd_archive }} dest=/opt owner=hackmd group=hackmd remote_src=yes creates=/opt/codimd-{{ hackmd_version }}
|
||||
register: hackmd_unarchive
|
||||
- name: Unpack hedgedoc
|
||||
unarchive: src={{ hedgedoc_archive }} dest=/opt owner=hackmd group=hackmd remote_src=yes creates=/opt/hedgedoc-{{ hedgedoc_version }}
|
||||
register: hedgedoc_unarchive
|
||||
|
||||
- name: Rename hackmd
|
||||
command: mv /opt/server-{{ hackmd_version }} /opt/codimd-{{ hackmd_version }}
|
||||
when: hackmd_unarchive.changed
|
||||
- name: Create hedgedoc upload path
|
||||
file: path=/opt/hedgedoc/uploads state=directory recurse=yes owner=hackmd group=hackmd
|
||||
|
||||
- name: Create hackmd upload path
|
||||
file: path=/opt/codimd/uploads state=directory recurse=yes owner=hackmd group=hackmd
|
||||
- name: Remove old hedgedoc upload path
|
||||
file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads state=absent force=yes
|
||||
|
||||
- name: Remove old hackmd upload path
|
||||
file: path=/opt/codimd-{{ hackmd_version }}/public/uploads state=absent force=yes
|
||||
- name: Link hedgedoc upload path
|
||||
file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads src=/opt/hedgedoc/uploads state=link owner=hackmd group=hackmd
|
||||
|
||||
- name: Link hackmd upload path
|
||||
file: path=/opt/codimd-{{ hackmd_version }}/public/uploads src=/opt/codimd/uploads state=link owner=hackmd group=hackmd
|
||||
|
||||
- name: Setup hackmd
|
||||
command: bin/setup chdir=/opt/codimd-{{ hackmd_version }} creates=/opt/codimd-{{ hackmd_version }}/config.json
|
||||
- name: Setup hedgedoc
|
||||
command: bin/setup chdir=/opt/hedgedoc-{{ hedgedoc_version }} creates=/opt/hedgedoc-{{ hedgedoc_version }}/config.json
|
||||
become: true
|
||||
become_user: hackmd
|
||||
|
||||
- name: Configure hackmd
|
||||
template: src=config.json.j2 dest=/opt/codimd-{{ hackmd_version }}/config.json owner=hackmd
|
||||
register: hackmd_config
|
||||
notify: Restart hackmd
|
||||
- name: Configure hedgedoc
|
||||
template: src=config.json.j2 dest=/opt/hedgedoc-{{ hedgedoc_version }}/config.json owner=hackmd
|
||||
register: hedgedoc_config
|
||||
notify: Restart hedgedoc
|
||||
|
||||
- name: Build hackmd frontend
|
||||
command: /usr/bin/npm run build chdir=/opt/codimd-{{ hackmd_version }}
|
||||
- name: Install hedgedoc frontend deps
|
||||
command: /usr/bin/yarn install chdir=/opt/hedgedoc-{{ hedgedoc_version }}
|
||||
become: true
|
||||
become_user: hackmd
|
||||
when: hackmd_unarchive.changed or hackmd_config.changed
|
||||
when: hedgedoc_unarchive.changed or hedgedoc_config.changed
|
||||
|
||||
- name: Build hedgedoc frontend
|
||||
command: /usr/bin/yarn build chdir=/opt/hedgedoc-{{ hedgedoc_version }}
|
||||
become: true
|
||||
become_user: hackmd
|
||||
when: hedgedoc_unarchive.changed or hedgedoc_config.changed
|
||||
|
||||
- name: Configure PostgreSQL database
|
||||
postgresql_db: name={{ hackmd_dbname }}
|
||||
postgresql_db: name={{ hedgedoc_dbname }}
|
||||
become: true
|
||||
become_user: postgres
|
||||
|
||||
- name: Configure PostgreSQL user
|
||||
postgresql_user: db={{ hackmd_dbname }} name={{ hackmd_dbuser }} password={{ hackmd_dbpass }} priv=ALL state=present
|
||||
postgresql_user: db={{ hedgedoc_dbname }} name={{ hedgedoc_dbuser }} password={{ hedgedoc_dbpass }} priv=ALL state=present
|
||||
become: true
|
||||
become_user: postgres
|
||||
|
||||
- name: Configure sequelize
|
||||
template: src=_sequelizerc.j2 dest=/opt/codimd-{{ hackmd_version }}/.sequelizerc owner=hackmd
|
||||
|
||||
- name: Upgrade database schema
|
||||
command: node_modules/.bin/sequelize db:migrate chdir=/opt/codimd-{{ hackmd_version }}
|
||||
become: true
|
||||
become_user: hackmd
|
||||
when: hackmd_unarchive.changed or hackmd_config.changed
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hackmd_domain }}.key -out /etc/nginx/ssl/{{ hackmd_domain }}.crt -days 730 -subj "/CN={{ hackmd_domain }}" creates=/etc/nginx/ssl/{{ hackmd_domain }}.crt
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hedgedoc_domain }}.key -out /etc/nginx/ssl/{{ hedgedoc_domain }}.crt -days 730 -subj "/CN={{ hedgedoc_domain }}" creates=/etc/nginx/ssl/{{ hedgedoc_domain }}.crt
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Configure certificate manager for hackmd
|
||||
template: src=certs.j2 dest=/etc/acertmgr/{{ hackmd_domain }}.conf
|
||||
- name: Configure certificate manager for hedgedoc
|
||||
template: src=certs.j2 dest=/etc/acertmgr/{{ hedgedoc_domain }}.conf
|
||||
notify: Run acertmgr
|
||||
|
||||
- name: Configure vhost
|
||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/hackmd
|
||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/hedgedoc
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Enable vhost
|
||||
file: src=/etc/nginx/sites-available/hackmd dest=/etc/nginx/sites-enabled/hackmd state=link
|
||||
file: src=/etc/nginx/sites-available/hedgedoc dest=/etc/nginx/sites-enabled/hedgedoc state=link
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Systemd unit for hackmd
|
||||
template: src=hackmd.service.j2 dest=/etc/systemd/system/hackmd.service
|
||||
- name: Systemd unit for hedgedoc
|
||||
template: src=hedgedoc.service.j2 dest=/etc/systemd/system/hedgedoc.service
|
||||
notify:
|
||||
- Reload systemd
|
||||
- Restart hackmd
|
||||
- Restart hedgedoc
|
||||
|
||||
- name: Start the hackmd service
|
||||
service: name=hackmd state=started enabled=yes
|
||||
- name: Start the hedgedoc service
|
||||
service: name=hedgedoc state=started enabled=yes
|
||||
|
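Review bot: `unarchive: src={{ hedgedoc_archive }} ... remote_src=yes` fetches the release tarball from GitHub without any integrity check, whereas the gitea role in this same change pins `gitea_checksum: sha256:...`. `unarchive` has no checksum option, so split the step into `get_url: url={{ hedgedoc_archive }} dest=/opt/hedgedoc-{{ hedgedoc_version }}.tar.gz checksum={{ hedgedoc_checksum }}` followed by a local `unarchive`, with `hedgedoc_checksum` added to defaults next to `hedgedoc_version` (value to be taken from the release). The `Configure sequelize` and `Upgrade database schema` tasks appear to exist only on the old side (the `.sequelizerc` template is deleted in this change); if HedgeDoc is now expected to migrate the schema on start, a comment near `Start the hedgedoc service` saying so would keep someone from re-adding them.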
@ -1,8 +0,0 @@
|
||||
var path = require('path');
|
||||
|
||||
module.exports = {
|
||||
'config': path.resolve('config.json'),
|
||||
'migrations-path': path.resolve('lib', 'migrations'),
|
||||
'models-path': path.resolve('lib', 'models'),
|
||||
'url': 'postgres://{{ hackmd_dbuser }}:{{ hackmd_dbpass }}@localhost:5432/{{ hackmd_dbname }}'
|
||||
}
|
@ -1,13 +1,13 @@
|
||||
---
|
||||
|
||||
{{ hackmd_domain }}:
|
||||
- path: /etc/nginx/ssl/{{ hackmd_domain }}.key
|
||||
{{ hedgedoc_domain }}:
|
||||
- path: /etc/nginx/ssl/{{ hedgedoc_domain }}.key
|
||||
user: root
|
||||
group: root
|
||||
perm: '400'
|
||||
format: key
|
||||
action: '/usr/sbin/service nginx restart'
|
||||
- path: /etc/nginx/ssl/{{ hackmd_domain }}.crt
|
||||
- path: /etc/nginx/ssl/{{ hedgedoc_domain }}.crt
|
||||
user: root
|
||||
group: root
|
||||
perm: '400'
|
||||
|
@ -1,11 +1,11 @@
|
||||
{
|
||||
"production": {
|
||||
"domain": "{{ hackmd_domain }}",
|
||||
"domain": "{{ hedgedoc_domain }}",
|
||||
"protocolUseSSL": true,
|
||||
"allowAnonymous": false,
|
||||
"allowAnonymousEdits": true,
|
||||
"allowFreeURL": true,
|
||||
"sessionSecret": "{{ hackmd_secret }}",
|
||||
"sessionSecret": "{{ hedgedoc_secret }}",
|
||||
"hsts": {
|
||||
"enable": true,
|
||||
"maxAgeSeconds": 2592000,
|
||||
@ -22,9 +22,9 @@
|
||||
"addGoogleAnalytics": true
|
||||
},
|
||||
"db": {
|
||||
"username": "{{ hackmd_dbuser }}",
|
||||
"password": "{{ hackmd_dbpass }}",
|
||||
"database": "{{ hackmd_dbname }}",
|
||||
"username": "{{ hedgedoc_dbuser }}",
|
||||
"password": "{{ hedgedoc_dbpass }}",
|
||||
"database": "{{ hedgedoc_dbname }}",
|
||||
"host": "localhost",
|
||||
"port": "5432",
|
||||
"dialect": "postgres"
|
||||
|
@ -1,13 +1,13 @@
|
||||
[Unit]
|
||||
Description=HackMD
|
||||
Description=HedgeDoc
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Environment=NODE_ENV=production
|
||||
WorkingDirectory=/opt/codimd-{{ hackmd_version }}
|
||||
WorkingDirectory=/opt/hedgedoc-{{ hedgedoc_version }}
|
||||
Type=simple
|
||||
User=hackmd
|
||||
ExecStart=/usr/bin/node /opt/codimd-{{ hackmd_version }}/app.js
|
||||
ExecStart=/usr/bin/yarn start
|
||||
Restart=on-failure
|
||||
|
||||
[Install]
|
@ -1,8 +1,13 @@
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name {{ hackmd_domain }};
|
||||
server_name {{ hedgedoc_domain }};
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
default_type "text/plain";
|
||||
@ -10,7 +15,7 @@ server {
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://{{ hackmd_domain }}$request_uri;
|
||||
return 301 https://{{ hedgedoc_domain }}$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
@ -18,21 +23,30 @@ server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name {{ hackmd_domain }};
|
||||
server_name {{ hedgedoc_domain }};
|
||||
|
||||
ssl_certificate_key /etc/nginx/ssl/{{ hackmd_domain }}.key;
|
||||
ssl_certificate /etc/nginx/ssl/{{ hackmd_domain }}.crt;
|
||||
ssl_certificate_key /etc/nginx/ssl/{{ hedgedoc_domain }}.key;
|
||||
ssl_certificate /etc/nginx/ssl/{{ hedgedoc_domain }}.crt;
|
||||
|
||||
# set max upload size
|
||||
client_max_body_size 8M;
|
||||
|
||||
location / {
|
||||
proxy_pass http://localhost:3000;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_pass http://localhost:3000;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
|
||||
|
||||
location /socket.io/ {
|
||||
proxy_pass http://127.0.0.1:3000;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
}
|
||||
}
|
||||
|
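Review bot: `proxy_set_header Connection "Upgrade";` in `location /` hard-codes the upgrade on every proxied request, although the `map $http_upgrade $connection_upgrade` added at the top of the file exists for exactly this and `location /socket.io/` already uses it; change the line to `proxy_set_header Connection $connection_upgrade;` so ordinary requests are proxied as plain HTTP/1.1 keep-alive. The two locations also address the backend differently (`http://localhost:3000` vs `http://127.0.0.1:3000`); using `127.0.0.1` in both avoids a resolver-dependent choice between ::1 and 127.0.0.1.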
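--- a/roles/icinga/defaults/main.yml
+++ b/roles/icinga/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+
+icinga_user: nagios
+icinga_group: nagios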
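--- a/roles/icinga/handlers/main.yml
+++ b/roles/icinga/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Run acertmgr
+command: /usr/bin/acertmgr
+
+- name: Restart icinga2
+service: name=icinga2 state=restarted
+
+- name: Restart nginx
+service: name=nginx state=restarted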
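--- a/roles/icinga/tasks/main.yml
+++ b/roles/icinga/tasks/main.yml
@@ -0,0 +1,98 @@
+---
+
+- name: Enable icinga apt-key
+apt_key: url='https://packages.icinga.com/icinga.key'
+
+- name: Enable icinga repository
+apt_repository:
+repo: 'deb https://packages.icinga.com/debian icinga-{{ ansible_distribution_release }} main'
+filename: icinga
+
+- name: Install icinga
+apt:
+name:
+- php-fpm
+- php-pgsql
+- icinga2
+- icinga2-ido-pgsql
+- icingaweb2
+
+- name: Install PostgreSQL
+apt:
+name:
+- postgresql
+- python3-psycopg2
+
+- name: Configure icinga database
+postgresql_db: name={{ icinga_dbname }}
+become: true
+become_user: postgres
+register: icinga_ido_db
+
+- name: Configure icinga database user
+postgresql_user: db={{ icinga_dbname }} name={{ icinga_dbuser }} password={{ icinga_dbpass }} priv=ALL state=present
+become: true
+become_user: postgres
+
+# FIXME it is not possible to use login_username and login_password here in order to change the role to icinga
+# so as a workaround you have to insert "SET ROLE icinga;" manually at the top of the referred sql file
+- name: Configure database schema
+postgresql_db: name={{ icinga_dbname }} target=/usr/share/icinga2-ido-pgsql/schema/pgsql.sql state=restore
+become: true
+become_user: postgres
+when: icinga_ido_db.changed
+
+- name: Configure icingaweb database
+postgresql_db: name={{ icingaweb_dbname }}
+become: true
+become_user: postgres
+
+- name: Configure icingaweb database user
+postgresql_user: db={{ icingaweb_dbname }} name={{ icingaweb_dbuser }} password={{ icingaweb_dbpass }} priv=ALL state=present
+become: true
+become_user: postgres
+
+- name: Configure icinga ido pgsql
+template: src=icinga2/features-available/ido-pgsql.conf.j2 dest=/etc/icinga2/features-available/ido-pgsql.conf owner={{ icinga_user }} group={{ icinga_group }}
+notify: Restart icinga2
+
+- name: Enable icinga ido PostgreSQL
+command: "icinga2 feature enable ido-pgsql"
+register: features_result
+changed_when: "'for these changes to take effect' in features_result.stdout"
+notify: Restart icinga2
+
+- name: Configure known hosts for icinga
+template: src=icinga2/conf.d/hosts.conf.j2 dest=/etc/icinga2/conf.d/hosts.conf owner={{ icinga_user }} group={{ icinga_group }}
+notify: Restart icinga2
+
+- name: Create group icingaweb2
+group: name=icingaweb2 system=yes
+
+- name: Add www-data to icingaweb2
+user: name=www-data append=yes groups=icingaweb2
+
+- name: Ensure certificates are available
+command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ icinga_domain }}.key -out /etc/nginx/ssl/{{ icinga_domain }}.crt -days 730 -subj "/CN={{ icinga_domain }}" creates=/etc/nginx/ssl/{{ icinga_domain }}.crt
+notify: Restart nginx
+
+- name: Request nsupdate key for certificate
+include_role: name=acme-dnskey-generate
+vars:
+acme_dnskey_san_domains:
+- "{{ icinga_domain }}"
+
+- name: Configure certificate manager for icinga
+template: src=certs.j2 dest=/etc/acertmgr/{{ icinga_domain }}.conf
+notify: Run acertmgr
+
+- name: Configure vhost
+template: src=vhost.j2 dest=/etc/nginx/sites-available/icinga
+notify: Restart nginx
+
+- name: Enable vhost
+file: src=/etc/nginx/sites-available/icinga dest=/etc/nginx/sites-enabled/icinga state=link
+notify: Restart nginx
+
+- name: Start php7.4-fpm
+service: name=php7.4-fpm state=started enabled=yes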
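Review bot: The `Enable icinga apt-key` task at the top of the file trusts whatever https://packages.icinga.com/icinga.key serves at run time, with no fingerprint to pin it against, while the Jitsi role in this repository pins its key with `id: EF8B479E2DC1389C`; give this task the expected key ID too (`apt_key: url='https://packages.icinga.com/icinga.key' id=<expected fingerprint>`), otherwise a compromised mirror or an intercepted TLS session silently becomes a trusted package signer for the whole host. The `Configure icinga ido pgsql` task renders a file that carries `icinga_dbpass` but sets only owner and group, so the file lands with the play's default umask, which on most hosts means world-readable; add `mode=0640` to that template call. The same gap exists for the bootstrap key from `openssl req ... -nodes` in `Ensure certificates are available`: acertmgr later enforces `400` on the ACME-issued key, but this self-signed one is written with whatever umask the play runs under, so prefix the command with `umask 077 &&` or follow it with a `file: path=... mode=0600` task.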
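--- a/roles/icinga/templates/certs.j2
+++ b/roles/icinga/templates/certs.j2
@@ -0,0 +1,18 @@
+---
+
+{{ icinga_domain }}:
+- mode: dns.nsupdate
+nsupdate_server: {{ acme_dnskey_server }}
+nsupdate_keyfile: {{ acme_dnskey_file }}
+- path: /etc/nginx/ssl/{{ icinga_domain }}.key
+user: root
+group: root
+perm: '400'
+format: key
+action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ icinga_domain }}.crt
+user: root
+group: root
+perm: '400'
+format: crt,ca
+action: '/usr/sbin/service nginx restart'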
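--- a/roles/icinga/templates/icinga2/conf.d/hosts.conf.j2
+++ b/roles/icinga/templates/icinga2/conf.d/hosts.conf.j2
@@ -0,0 +1,12 @@
+{% for host in groups['all'] %}
+object Host "{{ host }}" {
+/* Import the default host template defined in `templates.conf`. */
+import "generic-host"
+
+/* Specify the address attributes for checks e.g. `ssh` or `http`. */
+address = "{{ host }}"
+
+/* Set custom variable `os` for hostgroup assignment in `groups.conf`. */
+vars.os = "Linux"
+}
+{% endfor %}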
@ -0,0 +1,13 @@
|
||||
/**
|
||||
* The db_ido_pgsql library implements IDO functionality
|
||||
* for PostgreSQL.
|
||||
*/
|
||||
|
||||
library "db_ido_pgsql"
|
||||
|
||||
object IdoPgsqlConnection "ido-pgsql" {
|
||||
user = "{{ icinga_dbuser}}",
|
||||
password = "{{ icinga_dbpass }}",
|
||||
host = "localhost",
|
||||
database = "{{ icinga_dbname }}"
|
||||
}
|
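--- a/roles/icinga/templates/vhost.j2
+++ b/roles/icinga/templates/vhost.j2
@@ -0,0 +1,36 @@
+server {
+listen 80;
+listen [::]:80;
+
+server_name {{ icinga_domain }};
+
+location / {
+return 301 https://{{ icinga_domain }}$request_uri;
+}
+}
+
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+
+server_name {{ icinga_domain }};
+
+ssl_certificate_key /etc/nginx/ssl/{{ icinga_domain }}.key;
+ssl_certificate /etc/nginx/ssl/{{ icinga_domain }}.crt;
+
+location ~ ^/icingaweb2/index\.php(.*)$ {
+fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
+fastcgi_index index.php;
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
+fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
+fastcgi_param REMOTE_USER $remote_user;
+}
+
+location ~ ^/icingaweb2(.+)? {
+alias /usr/share/icingaweb2/public;
+index index.php;
+try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args;
+}
+
+}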
@ -1,8 +1,5 @@
|
||||
---
|
||||
|
||||
- name: Ensure apt over https is available
|
||||
apt: name=apt-transport-https
|
||||
|
||||
- name: Add Jitsi repo key
|
||||
apt_key:
|
||||
id: EF8B479E2DC1389C
|
||||
|
@ -7,20 +7,20 @@
|
||||
- git
|
||||
- graphviz
|
||||
- imagemagick
|
||||
- mtr-tiny
|
||||
- mariadb-server
|
||||
- mtr-tiny
|
||||
- nmap
|
||||
- php-cli
|
||||
- php-curl
|
||||
- php-fpm
|
||||
- php-gd
|
||||
- php-json
|
||||
- php-mbstring
|
||||
- php-mysql
|
||||
- php-net-ipv4
|
||||
- php-net-ipv6
|
||||
- php-pear
|
||||
- php7.3-cli
|
||||
- php7.3-curl
|
||||
- php7.3-fpm
|
||||
- php7.3-gd
|
||||
- php7.3-json
|
||||
- php7.3-mbstring
|
||||
- php7.3-mysql
|
||||
- php7.3-snmp
|
||||
- php-snmp
|
||||
- python3-dotenv
|
||||
- python3-pymysql
|
||||
- python3-redis
|
||||
@ -51,8 +51,8 @@
|
||||
regexp: ';?date\.timezone'
|
||||
line: 'date.timezone = Europe/Berlin'
|
||||
with_items:
|
||||
- /etc/php/7.3/cli/php.ini
|
||||
- /etc/php/7.3/fpm/php.ini
|
||||
- /etc/php/7.4/cli/php.ini
|
||||
- /etc/php/7.4/fpm/php.ini
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ librenms_domain }}.key -out /etc/nginx/ssl/{{ librenms_domain }}.crt -days 730 -subj "/CN={{ librenms_domain }}" creates=/etc/nginx/ssl/{{ librenms_domain }}.crt
|
||||
@ -76,5 +76,5 @@
|
||||
file: src=/etc/nginx/sites-available/librenms dest=/etc/nginx/sites-enabled/librenms state=link
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Start php7.3-fpm
|
||||
service: name=php7.3-fpm state=started enabled=yes
|
||||
- name: Start php7.4-fpm
|
||||
service: name=php7.4-fpm state=started enabled=yes
|
||||
|
@ -31,7 +31,7 @@ server {
|
||||
include fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
|
||||
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
|
||||
fastcgi_intercept_errors on;
|
||||
}
|
||||
|
||||
|
@ -11,10 +11,10 @@ SRS_DOMAIN={{ mail_srs_domain }}
|
||||
# If a domain name starts with a dot, it matches all subdomains, but not
|
||||
# the domain itself. Separate multiple domains by space or comma.
|
||||
#
|
||||
SRS_EXCLUDE_DOMAINS=.{{ mail_domain }} {{ mail_domain }}
|
||||
SRS_EXCLUDE_DOMAINS=".{{ mail_domain }} {{ mail_domain }}
|
||||
{%- for domain in mail_domains %}
|
||||
.{{ domain }} {{ domain }}
|
||||
{%- endfor %}
|
||||
{%- endfor %}"
|
||||
|
||||
# First separator character after SRS0 or SRS1.
|
||||
# Can be one of: -+=
|
||||
|
@ -1,8 +1,5 @@
|
||||
---
|
||||
|
||||
- name: Enable https for apt
|
||||
apt: name=apt-transport-https
|
||||
|
||||
- name: Enable matrix apt-key
|
||||
apt_key: url="https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg"
|
||||
|
||||
@ -14,7 +11,7 @@
|
||||
name:
|
||||
- matrix-synapse-py3
|
||||
- postgresql
|
||||
- python-psycopg2
|
||||
- python3-psycopg2
|
||||
|
||||
- name: Configure PostgreSQL database
|
||||
postgresql_db: name={{ matrix_dbname }} lc_collate=C lc_ctype=C template=template0
|
||||
|
@ -23,11 +23,14 @@ server {
|
||||
ssl_certificate_key /etc/nginx/ssl/{{ matrix_domain }}.key;
|
||||
ssl_certificate /etc/nginx/ssl/{{ matrix_domain }}.crt;
|
||||
|
||||
access_log off;
|
||||
client_max_body_size 25M;
|
||||
|
||||
location / {
|
||||
proxy_pass http://localhost:8008;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
}
|
||||
|
||||
@ -40,10 +43,13 @@ server {
|
||||
ssl_certificate_key /etc/nginx/ssl/{{ matrix_domain }}.key;
|
||||
ssl_certificate /etc/nginx/ssl/{{ matrix_domain }}.crt;
|
||||
|
||||
access_log off;
|
||||
client_max_body_size 25M;
|
||||
|
||||
location / {
|
||||
proxy_pass http://localhost:8008;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
}
|
||||
|
@ -4,6 +4,7 @@
|
||||
apt:
|
||||
name:
|
||||
- ansible
|
||||
- gcc
|
||||
- git
|
||||
- irssi
|
||||
- netcat6
|
||||
|
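--- a/roles/netbox/defaults/main.yml
+++ b/roles/netbox/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+
+netbox_group: netbox
+netbox_user: netbox
+netbox_version: 3.0.7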
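--- a/roles/netbox/handlers/main.yml
+++ b/roles/netbox/handlers/main.yml
@@ -0,0 +1,13 @@
+---
+
+- name: Run acertmgr
+command: /usr/bin/acertmgr
+
+- name: Reload systemd
+systemd: daemon_reload=yes
+
+- name: Restart netbox
+service: name=netbox state=restarted
+
+- name: Restart netbox-rq
+service: name=netbox-rq state=restarted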
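--- a/roles/netbox/meta/main.yml
+++ b/roles/netbox/meta/main.yml
@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }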
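--- a/roles/netbox/tasks/main.yml
+++ b/roles/netbox/tasks/main.yml
@@ -0,0 +1,145 @@
+---
+
+- name: Create group
+group: name={{ netbox_group }}
+
+- name: Create user
+user: name={{ netbox_user }} home=/home/{{ netbox_user }} group={{ netbox_group }}
+
+- name: Install dependencies
+apt:
+name:
+- build-essential
+- libffi-dev
+- libpq-dev
+- libssl-dev
+- libxml2-dev
+- libxslt1-dev
+- python3-setuptools
+- python3-dev
+- python3-pip
+- python3-venv
+- zlib1g-dev
+
+- name: Install PostgreSQL
+apt:
+name:
+- postgresql
+- python3-psycopg2
+
+- name: Configure PostgreSQL database
+postgresql_db:
+name: '{{ netbox_dbname }}'
+become: true
+become_user: postgres
+
+- name: Configure PostgreSQL user
+postgresql_user:
+db: '{{ netbox_dbname }}'
+name: '{{ netbox_dbuser }}'
+password: '{{ netbox_dbpass }}'
+priv: ALL
+state: present
+become: true
+become_user: postgres
+
+- name: Install redis
+apt: name=redis-server
+
+- name: Unpack netbox
+unarchive:
+src: 'https://github.com/netbox-community/netbox/archive/v{{ netbox_version }}.tar.gz'
+dest: /opt
+remote_src: yes
+creates: '/opt/netbox-{{ netbox_version }}'
+register: netbox_unarchive
+
+- name: Configure netbox
+template:
+src: configuration.py.j2
+dest: '/opt/netbox-{{ netbox_version }}/netbox/netbox/configuration.py'
+owner: '{{ netbox_user }}'
+group: '{{ netbox_group }}'
+
+- name: Configure gunicorn
+template:
+src: gunicorn.py.j2
+dest: '/opt/netbox-{{ netbox_version }}/gunicorn.py'
+owner: '{{ netbox_user }}'
+group: '{{ netbox_group }}'
+
+- name: Netbox file permissions
+file:
+path: '/opt/netbox-{{ netbox_version }}'
+owner: '{{ netbox_user }}'
+group: '{{ netbox_group }}'
+recurse: yes
+
+- name: Run upgrade script
+command:
+cmd: ./upgrade.sh
+chdir: '/opt/netbox-{{ netbox_version }}'
+become: true
+become_user: '{{ netbox_user }}'
+when: netbox_unarchive.changed
+
+# TODO - still manual work
+# * Create a super user
+# * Migrate media files
+
+- name: Install netbox housekeeping cronjob
+template:
+src: netbox-housekeeping.sh.j2
+dest: /etc/cron.daily/netbox-housekeeping.sh
+mode: 0755
+
+- name: Ensure certificates are available
+command:
+cmd: >
+openssl req -x509 -nodes -newkey rsa:2048
+-keyout /etc/nginx/ssl/{{ netbox_domain }}.key -out /etc/nginx/ssl/{{ netbox_domain }}.crt
+-days 730 -subj "/CN={{ netbox_domain }}"
+creates: '/etc/nginx/ssl/{{ netbox_domain }}.crt'
+notify: Restart nginx
+
+- name: Request nsupdate key for certificate
+include_role: name=acme-dnskey-generate
+vars:
+acme_dnskey_san_domains:
+- "{{ netbox_domain }}"
+when: "'kitchen' in group_names"
+
+- name: Configure certificate manager for netbox
+template: src=certs.j2 dest=/etc/acertmgr/{{ netbox_domain }}.conf
+notify: Run acertmgr
+
+- name: Configure vhost
+template:
+src: vhost.j2
+dest: /etc/nginx/sites-available/netbox
+owner: root
+mode: '0644'
+notify: Restart nginx
+
+- name: Enable vhost
+file:
+src: /etc/nginx/sites-available/netbox
+dest: /etc/nginx/sites-enabled/netbox
+state: link
+notify: Restart nginx
+
+- name: Install systemd units
+template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
+with_items:
+- netbox
+- netbox-rq
+notify:
+- Reload systemd
+- Restart netbox
+- Restart netbox-rq
+
+- name: Enable services
+service: name={{ item }} state=started enabled=yes
+with_items:
+- netbox
+- netbox-rq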
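Review bot: The `Unpack netbox` task pulls the release tarball from GitHub and unpacks it straight into /opt with nothing verifying what arrived — `unarchive` has no checksum parameter and GitHub's auto-generated archive URLs are not signed — so the code that `upgrade.sh` then installs and the two services run is only as trustworthy as that one TLS session; fetch it first with `get_url` carrying a pinned `checksum: sha256:...` for the chosen `netbox_version` and unarchive the local file. `configuration.py`, rendered by `Configure netbox`, holds `netbox_secret` and `netbox_dbpass`, yet neither that task nor the later recursive `Netbox file permissions` task sets a mode, so it is created with the default umask; add `mode: '0640'` to the template task (the vhost task further down already shows the pattern). `Request nsupdate key for certificate` is conditioned on `'kitchen' in group_names` while `Configure certificate manager for netbox` renders `acme_dnskey_server` and `acme_dnskey_file` unconditionally, so on a host outside that group the template presumably fails on undefined variables unless they are defined elsewhere — the same `when:` belongs on both tasks.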
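--- a/roles/netbox/templates/certs.j2
+++ b/roles/netbox/templates/certs.j2
@@ -0,0 +1,18 @@
+---
+
+{{ netbox_domain }}:
+- mode: dns.nsupdate
+nsupdate_server: {{ acme_dnskey_server }}
+nsupdate_keyfile: {{ acme_dnskey_file }}
+- path: /etc/nginx/ssl/{{ netbox_domain }}.key
+user: root
+group: root
+perm: '400'
+format: key
+action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ netbox_domain }}.crt
+user: root
+group: root
+perm: '400'
+format: crt,ca
+action: '/usr/sbin/service nginx restart'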
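--- a/roles/netbox/templates/configuration.py.j2
+++ b/roles/netbox/templates/configuration.py.j2
@@ -0,0 +1,282 @@
+#########################
+# #
+# Required settings #
+# #
+#########################
+
+# This is a list of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write
+# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name.
+#
+# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local']
+ALLOWED_HOSTS = ['{{ netbox_domain }}']
+
+# PostgreSQL database configuration. See the Django documentation for a complete list of available parameters:
+# https://docs.djangoproject.com/en/stable/ref/settings/#databases
+DATABASE = {
+'NAME': '{{ netbox_dbname }}', # Database name
+'USER': '{{ netbox_dbuser }}', # PostgreSQL username
+'PASSWORD': '{{ netbox_dbpass }}', # PostgreSQL password
+'HOST': 'localhost', # Database server
+'PORT': '', # Database port (leave blank for default)
+'CONN_MAX_AGE': 300, # Max database connection age
+}
+
+# Redis database settings. Redis is used for caching and for queuing background tasks such as webhook events. A separate
+# configuration exists for each. Full connection details are required in both sections, and it is strongly recommended
+# to use two separate database IDs.
+REDIS = {
+'tasks': {
+'HOST': 'localhost',
+'PORT': 6379,
+# Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
+# 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
+# 'SENTINEL_SERVICE': 'netbox',
+'PASSWORD': '',
+'DATABASE': 0,
+'SSL': False,
+# Set this to True to skip TLS certificate verification
+# This can expose the connection to attacks, be careful
+# 'INSECURE_SKIP_TLS_VERIFY': False,
+},
+'caching': {
+'HOST': 'localhost',
+'PORT': 6379,
+# Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
+# 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
+# 'SENTINEL_SERVICE': 'netbox',
+'PASSWORD': '',
+'DATABASE': 1,
+'SSL': False,
+# Set this to True to skip TLS certificate verification
+# This can expose the connection to attacks, be careful
+# 'INSECURE_SKIP_TLS_VERIFY': False,
+}
+}
+
+# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file.
+# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and
+# symbols. NetBox will not run without this defined. For more information, see
+# https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY
+SECRET_KEY = '{{ netbox_secret }}'
+
+
+#########################
+# #
+# Optional settings #
+# #
+#########################
+
+# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
+# application errors (assuming correct email settings are provided).
+ADMINS = [
+# ['John Doe', 'jdoe@example.com'],
+]
+
+# URL schemes that are allowed within links in NetBox
+ALLOWED_URL_SCHEMES = (
+'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
+)
+
+# Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same
+# content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP.
+BANNER_TOP = ''
+BANNER_BOTTOM = ''
+
+# Text to include on the login page above the login form. HTML is allowed.
+BANNER_LOGIN = ''
+
+# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set:
+# BASE_PATH = 'netbox/'
+BASE_PATH = ''
+
+# Maximum number of days to retain logged changes. Set to 0 to retain changes indefinitely. (Default: 90)
+CHANGELOG_RETENTION = 90
+
+# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
+# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
+# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
+CORS_ORIGIN_ALLOW_ALL = False
+CORS_ORIGIN_WHITELIST = [
+# 'https://hostname.example.com',
+]
+CORS_ORIGIN_REGEX_WHITELIST = [
+# r'^(https?://)?(\w+\.)?example\.com$',
+]
+
+# Specify any custom validators here, as a mapping of model to a list of validators classes. Validators should be
+# instances of or inherit from CustomValidator.
+# from extras.validators import CustomValidator
+CUSTOM_VALIDATORS = {
+# 'dcim.site': [
+# CustomValidator({
+# 'name': {
+# 'min_length': 10,
+# 'regex': r'\d{3}$',
+# }
+# })
+# ],
+}
+
+# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal
+# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging
+# on a production system.
+DEBUG = False
+
+# Email settings
+EMAIL = {
+'SERVER': 'localhost',
+'PORT': 25,
+'USERNAME': '',
+'PASSWORD': '',
+'USE_SSL': False,
+'USE_TLS': False,
+'TIMEOUT': 10, # seconds
+'FROM_EMAIL': '',
+}
+
+# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table
+# (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True.
+ENFORCE_GLOBAL_UNIQUE = False
+
+# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
+# by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
+EXEMPT_VIEW_PERMISSIONS = [
+# 'dcim.site',
+# 'dcim.region',
+# 'ipam.prefix',
+]
+
+# Enable the GraphQL API
+GRAPHQL_ENABLED = True
+
+# HTTP proxies NetBox should use when sending outbound HTTP requests (e.g. for webhooks).
+# HTTP_PROXIES = {
+# 'http': 'http://10.10.1.10:3128',
+# 'https': 'http://10.10.1.10:1080',
+# }
+
+# IP addresses recognized as internal to the system. The debugging toolbar will be available only to clients accessing
+# NetBox from an internal IP.
+INTERNAL_IPS = ('127.0.0.1', '::1')
+
+# Enable custom logging. Please see the Django documentation for detailed guidance on configuring custom logs:
+# https://docs.djangoproject.com/en/stable/topics/logging/
+LOGGING = {}
+
+# Automatically reset the lifetime of a valid session upon each authenticated request. Enables users to remain
+# authenticated to NetBox indefinitely.
+LOGIN_PERSISTENCE = False
+
+# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
+# are permitted to access most data in NetBox but not make any changes.
+LOGIN_REQUIRED = True
+
+# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
+# re-authenticate. (Default: 1209600 [14 days])
+LOGIN_TIMEOUT = None
+
+# Setting this to True will display a "maintenance mode" banner at the top of every page.
+MAINTENANCE_MODE = False
+
+# The URL to use when mapping physical addresses or GPS coordinates
+MAPS_URL = 'https://maps.google.com/?q='
+
+# An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g.
+# "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request
+# all objects by specifying "?limit=0".
+MAX_PAGE_SIZE = 1000
+
+# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
+# the default value of this setting is derived from the installed location.
+# MEDIA_ROOT = '/opt/netbox/netbox/media'
+
+# By default uploaded media is stored on the local filesystem. Using Django-storages is also supported. Provide the
+# class path of the storage driver in STORAGE_BACKEND and any configuration options in STORAGE_CONFIG. For example:
+# STORAGE_BACKEND = 'storages.backends.s3boto3.S3Boto3Storage'
+# STORAGE_CONFIG = {
+# 'AWS_ACCESS_KEY_ID': 'Key ID',
+# 'AWS_SECRET_ACCESS_KEY': 'Secret',
+# 'AWS_STORAGE_BUCKET_NAME': 'netbox',
+# 'AWS_S3_REGION_NAME': 'eu-west-1',
+# }
+
+# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
+METRICS_ENABLED = False
+
+# Credentials that NetBox will uses to authenticate to devices when connecting via NAPALM.
+NAPALM_USERNAME = ''
+NAPALM_PASSWORD = ''
+
+# NAPALM timeout (in seconds). (Default: 30)
+NAPALM_TIMEOUT = 30
+
+# NAPALM optional arguments (see https://napalm.readthedocs.io/en/latest/support/#optional-arguments). Arguments must
+# be provided as a dictionary.
+NAPALM_ARGS = {}
+
+# Determine how many objects to display per page within a list. (Default: 50)
+PAGINATE_COUNT = 50
+
+# Enable installed plugins. Add the name of each plugin to the list.
+PLUGINS = []
+
+# Plugins configuration settings. These settings are used by various plugins that the user may have installed.
+# Each key in the dictionary is the name of an installed plugin and its value is a dictionary of settings.
+# PLUGINS_CONFIG = {
+# 'my_plugin': {
+# 'foo': 'bar',
+# 'buzz': 'bazz'
+# }
+# }
+
+# When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to
+# prefer IPv4 instead.
+PREFER_IPV4 = False
+
+# Rack elevation size defaults, in pixels. For best results, the ratio of width to height should be roughly 10:1.
+RACK_ELEVATION_DEFAULT_UNIT_HEIGHT = 22
+RACK_ELEVATION_DEFAULT_UNIT_WIDTH = 220
+
+# Remote authentication support
+REMOTE_AUTH_ENABLED = False
+REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
+REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
+REMOTE_AUTH_AUTO_CREATE_USER = True
+REMOTE_AUTH_DEFAULT_GROUPS = []
+REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
+
+# This repository is used to check whether there is a new release of NetBox available. Set to None to disable the
+# version check or use the URL below to check for release in the official NetBox repository.
+RELEASE_CHECK_URL = None
+# RELEASE_CHECK_URL = 'https://api.github.com/repos/netbox-community/netbox/releases'
+
+# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of
+# this setting is derived from the installed location.
+# REPORTS_ROOT = '/opt/netbox/netbox/reports'
+
+# Maximum execution time for background tasks, in seconds.
+RQ_DEFAULT_TIMEOUT = 300
+
+# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of
+# this setting is derived from the installed location.
+# SCRIPTS_ROOT = '/opt/netbox/netbox/scripts'
+
+# The name to use for the session cookie.
+SESSION_COOKIE_NAME = 'sessionid'
+
+# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
+# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
+# database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
+SESSION_FILE_PATH = None
+
+# Time zone (default: UTC)
+TIME_ZONE = 'Europe/Berlin'
+
+# Date/time formatting. See the following link for supported formats:
+# https://docs.djangoproject.com/en/stable/ref/templates/builtins/#date
+DATE_FORMAT = 'N j, Y'
+SHORT_DATE_FORMAT = 'Y-m-d'
+TIME_FORMAT = 'g:i a'
+SHORT_TIME_FORMAT = 'H:i:s'
+DATETIME_FORMAT = 'N j, Y g:i a'
+SHORT_DATETIME_FORMAT = 'Y-m-d H:i'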
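Review bot: `REMOTE_AUTH_AUTO_CREATE_USER = True` is harmless only because `REMOTE_AUTH_ENABLED = False` sits a few lines above it; the header it keys on, `HTTP_REMOTE_USER`, is a plain request header any client can send, and nothing in this template shows the nginx proxy in front of gunicorn overwriting it, so flipping that one flag later would let anyone who can reach the site have an account created for a name of their choosing. Keep auto-creation at `False` until a trusted upstream is known to set the header, or at least pin the prerequisite next to it: `# Only enable together with a proxy that strips/sets Remote-User itself`. The two Redis blocks use `'PASSWORD': ''` and `'SSL': False` against `localhost`, which is presumably fine for the instance the role installs, but a short comment that the cache and the task queue share one unauthenticated Redis reachable by every local user would save the next reader from assuming it is isolated.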
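--- a/roles/netbox/templates/gunicorn.py.j2
+++ b/roles/netbox/templates/gunicorn.py.j2
@@ -0,0 +1,16 @@
+# The IP address (typically localhost) and port that the Netbox WSGI process should listen on
+bind = '127.0.0.1:8001'
+
+# Number of gunicorn workers to spawn. This should typically be 2n+1, where
+# n is the number of CPU cores present.
+workers = 5
+
+# Number of threads per worker process
+threads = 3
+
+# Timeout (in seconds) for a request to complete
+timeout = 120
+
+# The maximum number of requests a worker can handle before being respawned
+max_requests = 5000
+max_requests_jitter = 500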
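--- a/roles/netbox/templates/netbox-housekeeping.sh.j2
+++ b/roles/netbox/templates/netbox-housekeeping.sh.j2
@@ -0,0 +1,9 @@
+#!/bin/sh
+# This shell script invokes NetBox's housekeeping management command, which
+# intended to be run nightly. This script can be copied into your system's
+# daily cron directory (e.g. /etc/cron.daily), or referenced directly from
+# within the cron configuration file.
+#
+# If NetBox has been installed into a nonstandard location, update the paths
+# below.
+/opt/netbox-{{ netbox_version }}/venv/bin/python /opt/netbox-{{ netbox_version }}/netbox/manage.py housekeeping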
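Review bot: The last line runs `venv/bin/python` and `manage.py` as root — the tasks file installs this script into /etc/cron.daily, where cron executes it with root privileges — while that same tasks file hands the whole `/opt/netbox-{{ netbox_version }}` tree to the netbox user with a recursive chown; anyone who gets code execution as `netbox` (the account gunicorn and the rq worker run under) can edit the interpreter, a module or manage.py and have root execute it the next night. Run the command as the service user instead, e.g. `exec runuser -u netbox -- /opt/netbox-{{ netbox_version }}/venv/bin/python /opt/netbox-{{ netbox_version }}/netbox/manage.py housekeeping`, or ship the job as a systemd timer with `User=netbox` like the two service units.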
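--- /dev/null
+++ b/roles/netbox/templates/netbox-rq.service.j2
@@ -0,0 +1,21 @@
+[Unit]
+Description=NetBox Request Queue Worker
+Documentation=https://netbox.readthedocs.io/en/stable/
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+
+User=netbox
+Group=netbox
+WorkingDirectory=/opt/netbox-{{ netbox_version }}
+
+ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/python3 /opt/netbox-{{ netbox_version }}/netbox/manage.py rqworker
+
+Restart=on-failure
+RestartSec=30
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target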
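Review bot: `PrivateTmp=true` is the only sandboxing directive in the `[Service]` section even though this worker executes queued background jobs on behalf of the web application; adding `NoNewPrivileges=true` and `ProtectSystem=full` (optionally `ProtectHome=true`) keeps /usr, /boot and /etc read-only for the process without affecting the /opt/netbox-{{ netbox_version }} tree it works in. The same applies to netbox.service.j2 in this commit. The unit only orders itself after `network-online.target`, yet the rqworker needs Redis to be up; ordering it after the Redis (and PostgreSQL) units would avoid the 30-second restart loop at boot, though the exact unit names depend on the distribution packages and are not visible here.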
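--- /dev/null
+++ b/roles/netbox/templates/netbox.service.j2
@@ -0,0 +1,22 @@
+[Unit]
+Description=NetBox WSGI Service
+Documentation=https://netbox.readthedocs.io/en/stable/
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+
+User=netbox
+Group=netbox
+PIDFile=/var/tmp/netbox.pid
+WorkingDirectory=/opt/netbox-{{ netbox_version }}
+
+ExecStart=/opt/netbox-{{ netbox_version }}/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox-{{ netbox_version }}/netbox --config /opt/netbox-{{ netbox_version }}/gunicorn.py netbox.wsgi
+
+Restart=on-failure
+RestartSec=30
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target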
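Review bot: `PIDFile=/var/tmp/netbox.pid` together with gunicorn's `--pid /var/tmp/netbox.pid` places the PID file in a world-writable shared directory, and because `PrivateTmp=true` gives the service its own /var/tmp it is not obvious that the path systemd reads in the host namespace is the one gunicorn writes. With `Type=simple` systemd already tracks the main process and a PID file is mainly meaningful for `Type=forking`, so the simplest fix is to drop both `PIDFile=` and `--pid`; if a PID file is wanted, use `RuntimeDirectory=netbox` and `/run/netbox/gunicorn.pid`, a service-owned directory that systemd creates and removes for the unit.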
38
roles/netbox/templates/vhost.j2
Normal file
38
roles/netbox/templates/vhost.j2
Normal file
@ -0,0 +1,38 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name {{ netbox_domain }};
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
default_type "text/plain";
|
||||
alias /var/www/acme-challenge;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://{{ netbox_domain }}$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name {{ netbox_domain }};
|
||||
|
||||
ssl_certificate_key /etc/nginx/ssl/{{ netbox_domain }}.key;
|
||||
ssl_certificate /etc/nginx/ssl/{{ netbox_domain }}.crt;
|
||||
|
||||
location /static/ {
|
||||
alias /opt/netbox-{{ netbox_version }}/netbox/static/;
|
||||
}
|
||||
|
||||
location / {
|
||||
client_max_body_size 32M;
|
||||
|
||||
proxy_pass http://localhost:8001;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
}
|
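Review bot: The 443 server block sends no `Strict-Transport-Security` header, while the Nextcloud vhost changed in the same commit sets one, so the two TLS-only sites in this repository end up with different transport policies for no stated reason. Since every plain-HTTP request is already redirected to https, adding `add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;` inside the 443 block is consistent with the rest of the repository; leave `preload` out until the domain is deliberately registered. `ssl_protocols` and cipher settings are presumably inherited from nginx.conf, which is only partly visible in this commit, so they cannot be checked here.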
@ -9,3 +9,4 @@ opcache.max_accelerated_files=10000
|
||||
opcache.memory_consumption=128
|
||||
opcache.save_comments=1
|
||||
opcache.revalidate_freq=1
|
||||
opcache.jit_buffer_size=100M
|
||||
|
@ -1,5 +1,5 @@
|
||||
; Start a new pool named 'www'.
|
||||
; the variable $pool can we used in any directive and will be replaced by the
|
||||
; the variable $pool can be used in any directive and will be replaced by the
|
||||
; pool name ('www' here)
|
||||
[www]
|
||||
|
||||
@ -29,21 +29,20 @@ group = www-data
|
||||
; a specific port;
|
||||
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
|
||||
; a specific port;
|
||||
; 'port' - to listen on a TCP socket to all IPv4 addresses on a
|
||||
; specific port;
|
||||
; '[::]:port' - to listen on a TCP socket to all addresses
|
||||
; 'port' - to listen on a TCP socket to all addresses
|
||||
; (IPv6 and IPv4-mapped) on a specific port;
|
||||
; '/path/to/unix/socket' - to listen on a unix socket.
|
||||
; Note: This value is mandatory.
|
||||
listen = /var/run/php-fpm.sock
|
||||
listen = /run/php/php-fpm.sock
|
||||
|
||||
; Set listen(2) backlog.
|
||||
; Default Value: 65535 (-1 on FreeBSD and OpenBSD)
|
||||
;listen.backlog = 65535
|
||||
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
|
||||
;listen.backlog = 511
|
||||
|
||||
; Set permissions for unix socket, if one is used. In Linux, read/write
|
||||
; permissions must be set in order to allow connections from a web server. Many
|
||||
; BSD-derived systems allow connections regardless of permissions.
|
||||
; BSD-derived systems allow connections regardless of permissions. The owner
|
||||
; and group can be specified either by name or by their numeric IDs.
|
||||
; Default Values: user and group are set as the running user
|
||||
; mode is set to 0660
|
||||
listen.owner = www-data
|
||||
@ -71,6 +70,12 @@ listen.group = www-data
|
||||
; Default Value: no set
|
||||
; process.priority = -19
|
||||
|
||||
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
|
||||
; or group is different than the master process user. It allows to create process
|
||||
; core dump and ptrace the process for the pool user.
|
||||
; Default Value: no
|
||||
; process.dumpable = yes
|
||||
|
||||
; Choose how the process manager will control the number of child processes.
|
||||
; Possible Values:
|
||||
; static - a fixed number (pm.max_children) of child processes;
|
||||
@ -106,22 +111,22 @@ pm = dynamic
|
||||
; forget to tweak pm.* to fit your needs.
|
||||
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
|
||||
; Note: This value is mandatory.
|
||||
pm.max_children = 5
|
||||
pm.max_children = 80
|
||||
|
||||
; The number of child processes created on startup.
|
||||
; Note: Used only when pm is set to 'dynamic'
|
||||
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
|
||||
pm.start_servers = 2
|
||||
; Default Value: (min_spare_servers + max_spare_servers) / 2
|
||||
pm.start_servers = 10
|
||||
|
||||
; The desired minimum number of idle server processes.
|
||||
; Note: Used only when pm is set to 'dynamic'
|
||||
; Note: Mandatory when pm is set to 'dynamic'
|
||||
pm.min_spare_servers = 1
|
||||
pm.min_spare_servers = 10
|
||||
|
||||
; The desired maximum number of idle server processes.
|
||||
; Note: Used only when pm is set to 'dynamic'
|
||||
; Note: Mandatory when pm is set to 'dynamic'
|
||||
pm.max_spare_servers = 3
|
||||
pm.max_spare_servers = 15
|
||||
|
||||
; The number of seconds after which an idle process will be killed.
|
||||
; Note: Used only when pm is set to 'ondemand'
|
||||
@ -135,7 +140,7 @@ pm.max_spare_servers = 3
|
||||
;pm.max_requests = 500
|
||||
|
||||
; The URI to view the FPM status page. If this value is not set, no URI will be
|
||||
; recognized as a status page. It shows the following informations:
|
||||
; recognized as a status page. It shows the following information:
|
||||
; pool - the name of the pool;
|
||||
; process manager - static, dynamic or ondemand;
|
||||
; start time - the date and time FPM has started;
|
||||
@ -225,7 +230,7 @@ pm.max_spare_servers = 3
|
||||
; last request memory: 0
|
||||
;
|
||||
; Note: There is a real-time FPM status monitoring sample web page available
|
||||
; It's available in: /usr/share/php/7.0/fpm/status.html
|
||||
; It's available in: /usr/share/php/8.0/fpm/status.html
|
||||
;
|
||||
; Note: The value must start with a leading slash (/). The value can be
|
||||
; anything, but it may not be a good idea to use the .php extension or it
|
||||
@ -233,6 +238,22 @@ pm.max_spare_servers = 3
|
||||
; Default Value: not set
|
||||
;pm.status_path = /status
|
||||
|
||||
; The address on which to accept FastCGI status request. This creates a new
|
||||
; invisible pool that can handle requests independently. This is useful
|
||||
; if the main pool is busy with long running requests because it is still possible
|
||||
; to get the status before finishing the long running requests.
|
||||
;
|
||||
; Valid syntaxes are:
|
||||
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
|
||||
; a specific port;
|
||||
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
|
||||
; a specific port;
|
||||
; 'port' - to listen on a TCP socket to all addresses
|
||||
; (IPv6 and IPv4-mapped) on a specific port;
|
||||
; '/path/to/unix/socket' - to listen on a unix socket.
|
||||
; Default Value: value of the listen option
|
||||
;pm.status_listen = 127.0.0.1:9001
|
||||
|
||||
; The ping URI to call the monitoring page of FPM. If this value is not set, no
|
||||
; URI will be recognized as a ping page. This could be used to test from outside
|
||||
; that FPM is alive and responding, or to
|
||||
@ -265,13 +286,13 @@ pm.max_spare_servers = 3
|
||||
; %d: time taken to serve the request
|
||||
; it can accept the following format:
|
||||
; - %{seconds}d (default)
|
||||
; - %{miliseconds}d
|
||||
; - %{milliseconds}d
|
||||
; - %{mili}d
|
||||
; - %{microseconds}d
|
||||
; - %{micro}d
|
||||
; %e: an environment variable (same as $_ENV or $_SERVER)
|
||||
; it must be associated with embraces to specify the name of the env
|
||||
; variable. Some exemples:
|
||||
; variable. Some examples:
|
||||
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
|
||||
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
|
||||
; %f: script filename
|
||||
@ -301,9 +322,13 @@ pm.max_spare_servers = 3
|
||||
; %t: server time the request was received
|
||||
; it can accept a strftime(3) format:
|
||||
; %d/%b/%Y:%H:%M:%S %z (default)
|
||||
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
|
||||
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
|
||||
; %T: time the log has been written (the request has finished)
|
||||
; it can accept a strftime(3) format:
|
||||
; %d/%b/%Y:%H:%M:%S %z (default)
|
||||
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
|
||||
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
|
||||
; %u: remote user
|
||||
;
|
||||
; Default: "%R - %u %t \"%m %r\" %s"
|
||||
@ -320,6 +345,10 @@ pm.max_spare_servers = 3
|
||||
; Default Value: 0
|
||||
;request_slowlog_timeout = 0
|
||||
|
||||
; Depth of slow log stack trace.
|
||||
; Default Value: 20
|
||||
;request_slowlog_trace_depth = 20
|
||||
|
||||
; The timeout for serving a single request after which the worker process will
|
||||
; be killed. This option should be used when the 'max_execution_time' ini option
|
||||
; does not stop script execution for some reason. A value of '0' means 'off'.
|
||||
@ -327,6 +356,14 @@ pm.max_spare_servers = 3
|
||||
; Default Value: 0
|
||||
;request_terminate_timeout = 0
|
||||
|
||||
; The timeout set by 'request_terminate_timeout' ini option is not engaged after
|
||||
; application calls 'fastcgi_finish_request' or when application has finished and
|
||||
; shutdown functions are being called (registered via register_shutdown_function).
|
||||
; This option will enable timeout limit to be applied unconditionally
|
||||
; even in such cases.
|
||||
; Default Value: no
|
||||
;request_terminate_timeout_track_finished = no
|
||||
|
||||
; Set open file descriptor rlimit.
|
||||
; Default Value: system defined value
|
||||
;rlimit_files = 1024
|
||||
@ -350,15 +387,22 @@ pm.max_spare_servers = 3
|
||||
; Chdir to this directory at the start.
|
||||
; Note: relative path can be used.
|
||||
; Default Value: current directory or / when chroot
|
||||
chdir = /
|
||||
;chdir = /var/www
|
||||
|
||||
; Redirect worker stdout and stderr into main error log. If not set, stdout and
|
||||
; stderr will be redirected to /dev/null according to FastCGI specs.
|
||||
; Note: on highloaded environement, this can cause some delay in the page
|
||||
; Note: on highloaded environment, this can cause some delay in the page
|
||||
; process time (several ms).
|
||||
; Default Value: no
|
||||
;catch_workers_output = yes
|
||||
|
||||
; Decorate worker output with prefix and suffix containing information about
|
||||
; the child that writes to the log and if stdout or stderr is used as well as
|
||||
; log level and time. This options is used only if catch_workers_output is yes.
|
||||
; Settings to "no" will output data as written to the stdout or stderr.
|
||||
; Default value: yes
|
||||
;decorate_workers_output = no
|
||||
|
||||
; Clear environment in FPM workers
|
||||
; Prevents arbitrary environment variables from reaching FPM worker processes
|
||||
; by clearing the environment in workers before env vars specified in this
|
||||
@ -371,19 +415,20 @@ chdir = /
|
||||
; Limits the extensions of the main script FPM will allow to parse. This can
|
||||
; prevent configuration mistakes on the web server side. You should only limit
|
||||
; FPM to .php extensions to prevent malicious users to use other extensions to
|
||||
; exectute php code.
|
||||
; execute php code.
|
||||
; Note: set an empty value to allow all extensions.
|
||||
; Default Value: .php
|
||||
;security.limit_extensions = .php .php3 .php4 .php5
|
||||
;security.limit_extensions = .php .php3 .php4 .php5 .php7
|
||||
|
||||
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
|
||||
; the current environment.
|
||||
; Default Value: clean env
|
||||
env[HOSTNAME] = $HOSTNAME
|
||||
;env[HOSTNAME] = $HOSTNAME
|
||||
;env[PATH] = /usr/local/bin:/usr/bin:/bin
|
||||
;env[TMP] = /tmp
|
||||
;env[TMPDIR] = /tmp
|
||||
;env[TEMP] = /tmp
|
||||
env[PATH] = /usr/local/bin:/usr/bin:/bin
|
||||
env[TMP] = /tmp
|
||||
env[TMPDIR] = /tmp
|
||||
env[TEMP] = /tmp
|
||||
|
||||
; Additional php.ini defines, specific to this pool of workers. These settings
|
||||
; overwrite the values previously defined in the php.ini. The directives are the
|
||||
@ -409,3 +454,5 @@ env[TEMP] = /tmp
|
||||
;php_admin_value[error_log] = /var/log/fpm-php.www.log
|
||||
;php_admin_flag[log_errors] = on
|
||||
;php_admin_value[memory_limit] = 32M
|
||||
php_admin_value[memory_limit] = 512M
|
||||
|
||||
|
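Review bot: `pm.max_children = 80` combined with the newly enabled `php_admin_value[memory_limit] = 512M` lets this pool commit up to 40 GB of PHP heap in the worst case; unless the host is sized for that, one of the two values should come down, and the chosen pair deserves a comment giving the calculation (available RAM divided by per-process memory) so the next reader does not scale `pm.max_children` in isolation. The `env[PATH]`, `env[TMP]`, `env[TMPDIR]` and `env[TEMP]` lines were uncommented while `env[HOSTNAME] = $HOSTNAME` was commented out with no explanation; a line such as `; explicit environment for the pool; $HOSTNAME is not passed on purpose` above them would stop that from being reverted as an accident. This file presumably becomes the Nextcloud pool config (the role tasks below copy a `www.conf` into /etc/php/8.0/fpm/pool.d), which is why the sizing matters.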
@ -3,5 +3,5 @@
|
||||
- name: Restart nginx
|
||||
service: name=nginx state=restarted
|
||||
|
||||
- name: Restart php7.4-fpm
|
||||
service: name=php7.4-fpm state=restarted
|
||||
- name: Restart php8.0-fpm
|
||||
service: name=php8.0-fpm state=restarted
|
||||
|
@ -1,53 +1,56 @@
|
||||
---
|
||||
|
||||
- name: Enable https for apt
|
||||
apt: name=apt-transport-https
|
||||
|
||||
- name: Enable sury php apt-key
|
||||
apt_key: url="https://packages.sury.org/php/apt.gpg"
|
||||
|
||||
- name: Enable sury php repository
|
||||
apt_repository: repo="deb https://packages.sury.org/php/ stretch main"
|
||||
apt_repository: repo="deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
|
||||
|
||||
- name: Enable collaboraoffice apt-key
|
||||
apt_key: url="https://collaboraoffice.com/downloads/gpg/collaboraonline-release-keyring.gpg"
|
||||
|
||||
- name: Enable collaboraoffice repository
|
||||
apt_repository: repo="deb https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-debian11 ./"
|
||||
|
||||
- name: Install packages
|
||||
apt:
|
||||
name:
|
||||
- php-redis
|
||||
- php7.4
|
||||
- php7.4-bcmath
|
||||
- php7.4-bz2
|
||||
- php7.4-cli
|
||||
- php7.4-common
|
||||
- php7.4-curl
|
||||
- php7.4-dev
|
||||
- php7.4-fpm
|
||||
- php7.4-gd
|
||||
- php7.4-gmp
|
||||
- php7.4-imap
|
||||
- php7.4-intl
|
||||
- php7.4-json
|
||||
- php7.4-ldap
|
||||
- php7.4-mbstring
|
||||
- php7.4-mysql
|
||||
- php7.4-opcache
|
||||
- php7.4-pgsql
|
||||
- php7.4-readline
|
||||
- php7.4-soap
|
||||
- php7.4-sqlite3
|
||||
- php7.4-tidy
|
||||
- php7.4-xml
|
||||
- php7.4-xmlrpc
|
||||
- php7.4-zip
|
||||
- php8.0
|
||||
- php8.0-apcu
|
||||
- php8.0-bcmath
|
||||
- php8.0-bz2
|
||||
- php8.0-cli
|
||||
- php8.0-common
|
||||
- php8.0-curl
|
||||
- php8.0-dev
|
||||
- php8.0-fpm
|
||||
- php8.0-gd
|
||||
- php8.0-gmp
|
||||
- php8.0-imap
|
||||
- php8.0-intl
|
||||
- php8.0-ldap
|
||||
- php8.0-mbstring
|
||||
- php8.0-mysql
|
||||
- php8.0-opcache
|
||||
- php8.0-pgsql
|
||||
- php8.0-readline
|
||||
- php8.0-soap
|
||||
- php8.0-sqlite3
|
||||
- php8.0-tidy
|
||||
- php8.0-xml
|
||||
- php8.0-xmlrpc
|
||||
- php8.0-zip
|
||||
- postgresql
|
||||
- python-psycopg2
|
||||
- python3-psycopg2
|
||||
|
||||
- name: Configure PostgreSQL database
|
||||
postgresql_db: name={{ owncloud_dbname }}
|
||||
postgresql_db: name={{ nextcloud_dbname }}
|
||||
become: true
|
||||
become_user: postgres
|
||||
|
||||
- name: Configure PostgreSQL user
|
||||
postgresql_user: db={{ owncloud_dbname }} name={{ owncloud_dbuser }} password={{ owncloud_dbpass }} priv=ALL state=present
|
||||
postgresql_user: db={{ nextcloud_dbname }} name={{ nextcloud_dbuser }} password={{ nextcloud_dbpass }} priv=ALL state=present
|
||||
become: true
|
||||
become_user: postgres
|
||||
|
||||
@ -66,22 +69,20 @@
|
||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/nextcloud
|
||||
notify: Restart nginx
|
||||
|
||||
# FIXME currently PHP handled out of ansible
|
||||
#- name: Configure php7.4-fpm
|
||||
# copy: src=www.conf dest=/etc/php/7.4/fpm/pool.d/www.conf
|
||||
# notify: Restart php7.4-fpm
|
||||
- name: Configure php8.0-fpm
|
||||
copy: src=www.conf dest=/etc/php/8.0/fpm/pool.d/www.conf
|
||||
notify: Restart php8.0-fpm
|
||||
|
||||
# FIXME currently PHP handled out of ansible
|
||||
#- name: Configure php7.4 opcache
|
||||
# copy: src=opcache.ini dest=/etc/php/7.4/mods-available/opcache.ini
|
||||
# notify: Restart php7.4-fpm
|
||||
- name: Configure php8.0 opcache
|
||||
copy: src=opcache.ini dest=/etc/php/8.0/mods-available/opcache.ini
|
||||
notify: Restart php8.0-fpm
|
||||
|
||||
- name: Enable vhost
|
||||
file: src=/etc/nginx/sites-available/nextcloud dest=/etc/nginx/sites-enabled/nextcloud state=link
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Start php7.4-fpm
|
||||
service: name=php7.4-fpm state=started enabled=yes
|
||||
- name: Start php8.0-fpm
|
||||
service: name=php8.0-fpm state=started enabled=yes
|
||||
|
||||
- name: Start PostgreSQL
|
||||
service: name=postgresql state=started enabled=yes
|
||||
|
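Review bot: The two `apt_key: url=...` tasks add the sury and collaboraoffice keys to the global apt trust store, so either key can sign any configured repository rather than only its own, and the collabora `apt_repository` line hard-codes `CODE-debian11` while the sury line beside it was just changed to use `{{ ansible_distribution_release }}`. Prefer fetching each key with `get_url` into `/usr/share/keyrings/<name>.gpg` (dearmoring it if the download is ASCII-armored) and binding it to its repository, e.g. `repo: "deb [signed-by=/usr/share/keyrings/sury-php.gpg] https://packages.sury.org/php/ {{ ansible_distribution_release }} main"`, which also moves away from the deprecated apt-key mechanism on Debian 11 and later. The `owncloud_*` → `nextcloud_*` variable rename needs the matching change in the role's defaults or vars, which are not visible in this commit's hunks.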
@ -1,3 +1,7 @@
|
||||
upstream php-handler {
|
||||
server unix:/run/php/php-fpm.sock;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
@ -26,7 +30,7 @@ server {
|
||||
# Add headers to serve security related headers
|
||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
#add_header X-Frame-Options "SAMEORIGIN";
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header X-Robots-Tag none;
|
||||
add_header X-Download-Options noopen;
|
||||
@ -42,9 +46,52 @@ server {
|
||||
client_max_body_size 1G;
|
||||
fastcgi_buffers 64 4K;
|
||||
|
||||
index index.php;
|
||||
error_page 403 /core/templates/403.php;
|
||||
error_page 404 /core/templates/404.php;
|
||||
index index.php index.html /index.php$request_uri;
|
||||
|
||||
|
||||
location ^~ /loleaflet {
|
||||
proxy_pass http://localhost:9980;
|
||||
proxy_set_header Host $http_host;
|
||||
}
|
||||
|
||||
location ^~ /hosting/discovery {
|
||||
proxy_pass http://localhost:9980;
|
||||
proxy_set_header Host $http_host;
|
||||
}
|
||||
|
||||
location ^~ /hosting/capabilities {
|
||||
proxy_pass http://localhost:9980;
|
||||
proxy_set_header Host $http_host;
|
||||
}
|
||||
|
||||
location ~ ^/lool/(.*)/ws$ {
|
||||
proxy_pass http://localhost:9980;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_read_timeout 36000s;
|
||||
}
|
||||
|
||||
location ~ ^/lool {
|
||||
proxy_pass http://localhost:9980;
|
||||
proxy_set_header Host $http_host;
|
||||
}
|
||||
|
||||
location ^~ /lool/adminws {
|
||||
proxy_pass http://localhost:9980;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_read_timeout 36000s;
|
||||
}
|
||||
|
||||
|
||||
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
|
||||
location = / {
|
||||
if ( $http_user_agent ~ ^DavClnt ) {
|
||||
return 302 /remote.php/webdav/$is_args$args;
|
||||
}
|
||||
}
|
||||
|
||||
location = /robots.txt {
|
||||
allow all;
|
||||
@ -52,96 +99,65 @@ server {
|
||||
access_log off;
|
||||
}
|
||||
|
||||
location = /.well-known/carddav {
|
||||
return 301 $scheme://$host/remote.php/dav;
|
||||
}
|
||||
location = /.well-known/caldav {
|
||||
return 301 $scheme://$host/remote.php/dav;
|
||||
# Make a regex exception for `/.well-known` so that clients can still
|
||||
# access it despite the existence of the regex rule
|
||||
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
|
||||
# for `/.well-known`.
|
||||
location ^~ /.well-known {
|
||||
# The following 6 rules are borrowed from `.htaccess`
|
||||
|
||||
location = /.well-known/carddav { return 301 /remote.php/dav/; }
|
||||
location = /.well-known/caldav { return 301 /remote.php/dav/; }
|
||||
# Anything else is dynamically handled by Nextcloud
|
||||
location ^~ /.well-known { return 301 /index.php$uri; }
|
||||
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|
||||
# Rules borrowed from `.htaccess` to hide certain paths from clients
|
||||
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
|
||||
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
|
||||
|
||||
location / {
|
||||
rewrite ^ /index.php$request_uri;
|
||||
}
|
||||
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
|
||||
# which handle static assets (as seen below). If this block is not declared first,
|
||||
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
|
||||
# to the URI, resulting in a HTTP 500 error response.
|
||||
location ~ \.php(?:$|/) {
|
||||
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
||||
set $path_info $fastcgi_path_info;
|
||||
|
||||
location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
|
||||
deny all;
|
||||
}
|
||||
try_files $fastcgi_script_name =404;
|
||||
|
||||
location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
|
||||
deny all;
|
||||
}
|
||||
|
||||
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|ocm-provider\/.+)\.php(?:$|\/) {
|
||||
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
|
||||
include fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
fastcgi_pass unix:/run/php/php-fpm.sock;
|
||||
fastcgi_param PATH_INFO $path_info;
|
||||
fastcgi_param HTTPS on;
|
||||
#Avoid sending the security headers twice
|
||||
fastcgi_param modHeadersAvailable true;
|
||||
fastcgi_param front_controller_active true;
|
||||
|
||||
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
|
||||
fastcgi_param front_controller_active true; # Enable pretty urls
|
||||
fastcgi_pass php-handler;
|
||||
|
||||
fastcgi_intercept_errors on;
|
||||
fastcgi_request_buffering off;
|
||||
}
|
||||
|
||||
location ~ ^\/(?:updater|ocs-provider|ocm-provider)(?:$|\/) {
|
||||
try_files $uri/ =404;
|
||||
index index.php;
|
||||
}
|
||||
|
||||
# Adding the cache control header for js and css files
|
||||
# Make sure it is BELOW the PHP block
|
||||
location ~ \.(?:css|js|woff2?|svg|gif)$ {
|
||||
location ~ \.(?:css|js|svg|gif)$ {
|
||||
try_files $uri /index.php$request_uri;
|
||||
add_header Cache-Control "public, max-age=15778463";
|
||||
# Add headers to serve security related headers (It is intended to
|
||||
# have those duplicated to the ones above)
|
||||
# Before enabling Strict-Transport-Security headers please read into
|
||||
# this topic first.
|
||||
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
|
||||
#
|
||||
# WARNING: Only add the preload option once you read about
|
||||
# the consequences in https://hstspreload.org/. This option
|
||||
# will add the domain to a hardcoded list that is shipped
|
||||
# in all major browsers and getting removed from this list
|
||||
# could take several months.
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header X-Robots-Tag none;
|
||||
add_header X-Download-Options noopen;
|
||||
add_header X-Permitted-Cross-Domain-Policies none;
|
||||
add_header Referrer-Policy no-referrer;
|
||||
# Optional: Don't log access to assets
|
||||
access_log off;
|
||||
expires 6M; # Cache-Control policy borrowed from `.htaccess`
|
||||
access_log off; # Optional: Don't log access to assets
|
||||
}
|
||||
|
||||
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
|
||||
location ~ \.woff2?$ {
|
||||
try_files $uri /index.php$request_uri;
|
||||
# Optional: Don't log access to other assets
|
||||
access_log off;
|
||||
expires 7d; # Cache-Control policy borrowed from `.htaccess`
|
||||
access_log off; # Optional: Don't log access to assets
|
||||
}
|
||||
|
||||
# collabora static files
|
||||
location ^~ /loleaflet {
|
||||
proxy_pass http://localhost:9980;
|
||||
proxy_set_header Host $http_host;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php$request_uri;
|
||||
}
|
||||
|
||||
# collabora WOPI discovery URL
|
||||
location ^~ /hosting/discovery {
|
||||
proxy_pass http://localhost:9980;
|
||||
proxy_set_header Host $http_host;
|
||||
}
|
||||
|
||||
# collabora websockets, download, presentation and image upload
|
||||
location ^~ /lool {
|
||||
proxy_pass http://localhost:9980;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $http_host;
|
||||
}
|
||||
|
||||
# collabora static files
|
||||
location /drawio {
|
||||
|
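Review bot: `location ^~ /lool/adminws` proxies the Collabora admin-console websocket on the public server name with no access restriction, so the only control in front of that interface is Collabora's own admin credential; if the console is not meant to be reachable from the internet, add `allow`/`deny` rules to that block (or drop it) and keep only the document endpoints (`/loleaflet`, `/hosting/*`, `/lool`) open. Uncommenting `add_header X-Frame-Options "SAMEORIGIN";` is right for Nextcloud itself, but it will stop any page on another origin from framing the instance; a one-line comment stating that this is intended would keep it from being re-disabled later. The last hunk ends at `location /drawio {`, so the rest of that block and the end of the server block are outside this view.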
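--- /dev/null
+++ b/roles/nginx/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+
+nginx_anonymize: False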
@ -8,7 +8,13 @@
|
||||
when: nginx_ssl
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key -out /etc/nginx/ssl/{{ ansible_fqdn }}.crt -days 730 -subj "/CN={{ ansible_fqdn }}" creates=/etc/nginx/ssl/{{ ansible_fqdn }}.crt
|
||||
command:
|
||||
cmd: >
|
||||
openssl req -x509 -nodes -newkey rsa:2048
|
||||
-keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key
|
||||
-out /etc/nginx/ssl/{{ ansible_fqdn }}.crt
|
||||
-days 730 -subj "/CN={{ ansible_fqdn }}"
|
||||
creates: /etc/nginx/ssl/{{ ansible_fqdn }}.crt
|
||||
when: nginx_ssl
|
||||
notify: Restart nginx
|
||||
|
||||
@ -24,7 +30,7 @@
|
||||
- /etc/nginx/dhparam.pem
|
||||
|
||||
- name: Configure nginx
|
||||
copy: src=nginx.conf dest=/etc/nginx/nginx.conf
|
||||
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Configure default vhost
|
||||
|
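Review bot: The reformatted openssl command leaves `/etc/nginx/ssl/{{ ansible_fqdn }}.key` with whatever mode openssl and the process umask produce, and no task in this hunk sets ownership or permissions on it, so the private key may end up world-readable; add a follow-up `file: path=/etc/nginx/ssl/{{ ansible_fqdn }}.key mode=0600` task (or run the command through `shell` prefixed with `umask 077 &&`). The `creates:` guard also means the 730-day self-signed certificate is never regenerated once it has expired, which should at least be stated in a comment next to `-days 730`. The play these tasks belong to is only partly visible here.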
@ -1,3 +1,5 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
@ -47,7 +47,32 @@ http {
|
||||
# Logging Settings
|
||||
##
|
||||
|
||||
{% if nginx_anonymize %}
|
||||
map $remote_addr $ip_anonym1 {
|
||||
default 0.0.0;
|
||||
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
|
||||
"~(?P<ip>[^:]+:[^:]+):" $ip;
|
||||
}
|
||||
|
||||
map $remote_addr $ip_anonym2 {
|
||||
default .0;
|
||||
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
|
||||
"~(?P<ip>[^:]+:[^:]+):" ::;
|
||||
}
|
||||
|
||||
map $ip_anonym1$ip_anonym2 $ip_anonymized {
|
||||
default 0.0.0.0;
|
||||
"~(?P<ip>.*)" $ip;
|
||||
}
|
||||
|
||||
log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
|
||||
'"$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent"';
|
||||
|
||||
access_log /var/log/nginx/access.log anonymized;
|
||||
{% else %}
|
||||
access_log /var/log/nginx/access.log;
|
||||
{% endif %}
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
##
|
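Review bot: The anonymization only reaches `access_log`; `error_log /var/log/nginx/error.log;` on the line after `{% endif %}` is unconditional, and nginx error entries carry the full client address, so a host with `nginx_anonymize` enabled still records unmasked IPs in the error log. That limitation should be stated in a comment above the `{% if nginx_anonymize %}` block so operators do not assume the setting covers both logs. Separately, the IPv6 pattern `"~(?P<ip>[^:]+:[^:]+):"` does not match addresses that begin with `::` (such as `::1`), which then fall through the defaults to `0.0.0.0`; that is acceptable for anonymization but deserves a comment so it is not later read as a bug.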
@ -1,7 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Restart ntp
|
||||
service: name=ntp state=restarted
|
||||
|
||||
- name: Restart ntpd
|
||||
service: name=ntpd state=restarted
|
@ -1,11 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Install ntp
|
||||
apt: name=ntp
|
||||
|
||||
- name: Configure ntp
|
||||
template: src=ntp.conf.j2 dest=/etc/ntp.conf
|
||||
notify: Restart ntp
|
||||
|
||||
- name: Start the ntp service
|
||||
service: name=ntp state=started enabled=yes
|
@ -1,10 +0,0 @@
|
||||
---
|
||||
|
||||
# ntp is already installed on FreeBSD
|
||||
|
||||
- name: Configure ntp
|
||||
template: src=ntp.conf.j2 dest=/etc/ntp.conf
|
||||
notify: Restart ntpd
|
||||
|
||||
- name: Start the ntp service
|
||||
service: name=ntpd state=started enabled=yes
|
@ -1,9 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Debian
|
||||
include: Debian.yml
|
||||
when: ansible_os_family == 'Debian'
|
||||
|
||||
- name: FreeBSD
|
||||
include: FreeBSD.yml
|
||||
when: ansible_distribution == 'FreeBSD'
|
@ -1,15 +0,0 @@
|
||||
{% for srv in ntp_servers %}
|
||||
server {{ srv }} iburst
|
||||
{% endfor %}
|
||||
{% if ntp_peers is defined %}
|
||||
|
||||
{% for peer in ntp_peers %}
|
||||
peer {{ peer }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
restrict default kod nomodify notrap nopeer noquery
|
||||
restrict -6 default kod nomodify notrap nopeer noquery
|
||||
|
||||
restrict 127.0.0.1
|
||||
restrict -6 ::1
|
14
roles/pbs/tasks/main.yml
Normal file
14
roles/pbs/tasks/main.yml
Normal file
@ -0,0 +1,14 @@
|
||||
---
|
||||
|
||||
- name: Enable PBS apt-key
|
||||
apt_key:
|
||||
url: "https://enterprise.proxmox.com/debian/proxmox-release-bullseye.gpg"
|
||||
|
||||
- name: Enable PBS repository
|
||||
apt_repository:
|
||||
repo: "deb http://download.proxmox.com/debian/pbs bullseye pbs-no-subscription"
|
||||
filename: pbs
|
||||
|
||||
- name: Install PBS
|
||||
apt:
|
||||
name: proxmox-backup-server
|
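Review bot: The PBS repository line uses plain `http://download.proxmox.com/debian/pbs` while its signing key is fetched over https, and `apt_key` puts that key into the global apt trust store. apt still verifies package signatures, so the plain-http transport is not an integrity hole by itself, but it exposes what the host installs and offers no transport-level protection against stale index files; switch the repo line to `https://` and bind the key to this repository with `[signed-by=/usr/share/keyrings/proxmox-release-bullseye.gpg]` after saving it there with `get_url`, reusing the filename the key URL already carries. `bullseye` is hard-coded in both the key URL and the repo line; `{{ ansible_distribution_release }}`, as used elsewhere in this commit, would keep the two in step.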
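--- /dev/null
+++ b/roles/pretix/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+
+pretix_user: pretix
+pretix_group: pretix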
13
roles/pretix/handlers/main.yml
Normal file
13
roles/pretix/handlers/main.yml
Normal file
@ -0,0 +1,13 @@
|
||||
---
|
||||
|
||||
- name: Run acertmgr
|
||||
command: /usr/bin/acertmgr
|
||||
|
||||
- name: Reload systemd
|
||||
systemd: daemon_reload=yes
|
||||
|
||||
- name: Restart pretix-web
|
||||
service: name=pretix-web state=restarted
|
||||
|
||||
- name: Restart pretix-worker
|
||||
service: name=pretix-worker state=restarted
|
5
roles/pretix/meta/main.yml
Normal file
5
roles/pretix/meta/main.yml
Normal file
@ -0,0 +1,5 @@
|
||||
---
|
||||
|
||||
dependencies:
|
||||
- { role: acertmgr }
|
||||
- { role: nginx, nginx_ssl: True }
|
127
roles/pretix/tasks/main.yml
Normal file
127
roles/pretix/tasks/main.yml
Normal file
@ -0,0 +1,127 @@
|
||||
---
|
||||
|
||||
- name: Create group
|
||||
group: name={{ pretix_group }}
|
||||
|
||||
- name: Create user
|
||||
user: name={{ pretix_user }} home=/home/{{ pretix_user }} group={{ pretix_group }}
|
||||
|
||||
- name: Create pretix directories
|
||||
file: path={{ item }} state=directory owner={{ pretix_user }} group={{ pretix_group }}
|
||||
with_items:
|
||||
- /etc/pretix
|
||||
- /opt/pretix
|
||||
- /opt/pretix/data
|
||||
- /opt/pretix/data/media
|
||||
|
||||
- name: Install dependencies
|
||||
apt:
|
||||
name:
|
||||
- build-essential
|
||||
- gettext
|
||||
- libffi-dev
|
||||
- libpq-dev
|
||||
- libssl-dev
|
||||
- libxml2-dev
|
||||
- libxslt1-dev
|
||||
- nodejs
|
||||
- python3-setuptools
|
||||
- python3-dev
|
||||
- python3-pip
|
||||
- python3-venv
|
||||
- zlib1g-dev
|
||||
|
||||
- name: Install PostgreSQL
|
||||
apt:
|
||||
name:
|
||||
- postgresql
|
||||
- python3-psycopg2
|
||||
|
||||
- name: Configure PostgreSQL database
|
||||
postgresql_db: name={{ pretix_dbname }}
|
||||
become: true
|
||||
become_user: postgres
|
||||
|
||||
- name: Configure PostgreSQL user
|
||||
postgresql_user: db={{ pretix_dbname }} name={{ pretix_dbuser }} password={{ pretix_dbpass }} priv=ALL state=present
|
||||
become: true
|
||||
become_user: postgres
|
||||
|
||||
- name: Install redis
|
||||
apt: name=redis-server
|
||||
|
||||
- name: Install pretix
|
||||
pip:
|
||||
name:
|
||||
- gunicorn
|
||||
- pretix
|
||||
virtualenv: /opt/pretix/venv
|
||||
virtualenv_command: "python3 -m venv"
|
||||
become: true
|
||||
become_user: "{{ pretix_user }}"
|
||||
register: pretix_install
|
||||
|
||||
- name: Configure pretix
|
||||
template:
|
||||
src: pretix.cfg.j2
|
||||
dest: /etc/pretix/pretix.cfg
|
||||
owner: "{{ pretix_user }}"
|
||||
group: "{{ pretix_group }}"
|
||||
notify:
|
||||
- Restart pretix-web
|
||||
- Restart pretix-worker
|
||||
|
||||
- name: Run migration script
|
||||
command:
|
||||
cmd: "./venv/bin/python3 -m pretix migrate"
|
||||
chdir: "/opt/pretix"
|
||||
become: true
|
||||
become_user: "{{ pretix_user }}"
|
||||
when: pretix_install.changed
|
||||
|
||||
- name: Run rebuild script
|
||||
command:
|
||||
cmd: "./venv/bin/python3 -m pretix rebuild"
|
||||
chdir: "/opt/pretix"
|
||||
become: true
|
||||
become_user: "{{ pretix_user }}"
|
||||
when: pretix_install.changed
|
||||
|
||||
- name: Enable pretix cronjob
|
||||
cron:
|
||||
user: "{{ pretix_user }}"
|
||||
name: pretix
|
||||
minute: "*/5"
|
||||
job: "export PATH=/opt/pretix/venv/bin:$PATH && cd /opt/pretix && python -m pretix runperiodic"
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ pretix_domain }}.key -out /etc/nginx/ssl/{{ pretix_domain }}.crt -days 730 -subj "/CN={{ pretix_domain }}" creates=/etc/nginx/ssl/{{ pretix_domain }}.crt
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Configure certificate manager for pretix
|
||||
template: src=certs.j2 dest=/etc/acertmgr/{{ pretix_domain }}.conf
|
||||
notify: Run acertmgr
|
||||
|
||||
- name: Configure vhost
|
||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/pretix
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Enable vhost
|
||||
file: src=/etc/nginx/sites-available/pretix dest=/etc/nginx/sites-enabled/pretix state=link
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Install systemd units
|
||||
template: src={{ item }}.service.j2 dest=/lib/systemd/system/{{ item }}.service
|
||||
with_items:
|
||||
- pretix-web
|
||||
- pretix-worker
|
||||
notify:
|
||||
- Reload systemd
|
||||
- Restart pretix-web
|
||||
- Restart pretix-worker
|
||||
|
||||
- name: Enable services
|
||||
service: name={{ item }} state=started enabled=yes
|
||||
with_items:
|
||||
- pretix-web
|
||||
- pretix-worker
|
@ -1,13 +1,13 @@
|
||||
---
|
||||
|
||||
www.{{ plk_domain }} {{ plk_domain }}:
|
||||
- path: /etc/nginx/ssl/{{ plk_domain }}.key
|
||||
{{ pretix_domain }}:
|
||||
- path: /etc/nginx/ssl/{{ pretix_domain }}.key
|
||||
user: root
|
||||
group: root
|
||||
perm: '400'
|
||||
format: key
|
||||
action: '/usr/sbin/service nginx restart'
|
||||
- path: /etc/nginx/ssl/{{ plk_domain }}.crt
|
||||
- path: /etc/nginx/ssl/{{ pretix_domain }}.crt
|
||||
user: root
|
||||
group: root
|
||||
perm: '400'
|
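--- /dev/null
+++ b/roles/pretix/templates/pretix-web.service.j2
@@ -0,0 +1,18 @@
+[Unit]
+Description=pretix web service
+After=network.target
+
+[Service]
+User={{ pretix_user }}
+Group={{ pretix_group }}
+Environment="VIRTUAL_ENV=/opt/pretix/venv"
+Environment="PATH=/opt/pretix/venv/bin:/usr/local/bin:/usr/bin:/bin"
+ExecStart=/opt/pretix/venv/bin/gunicorn pretix.wsgi \
+--name pretix --workers 5 \
+--max-requests 1200 --max-requests-jitter 50 \
+--log-level=info --bind=127.0.0.1:8345
+WorkingDirectory=/opt/pretix
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target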
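Review bot: The unit orders itself only `After=network.target`, yet the gunicorn process it starts presumably needs the PostgreSQL and redis services the role installs; without `After=postgresql.service redis-server.service` in `[Unit]` the web service can come up before its backends at boot and depend on `Restart=on-failure` to recover. The `[Service]` section also carries no sandboxing directives; since the process binds only to 127.0.0.1 and works under /opt/pretix, `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` look safe to add and would limit what a compromised worker can reach, to be confirmed against pretix's runtime needs (e.g. whether it ever writes under /etc or /usr).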