raven/ansible
1
0
Fork 0
forked from infra/ansible
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: raven:master
Branches Tags
raven:master
raven:sip-dect
raven:pizza
infra:kea
infra:master
infra:pizza
..
compare: raven:pizza
Branches Tags
raven:master
raven:sip-dect
raven:pizza
infra:kea
infra:master
infra:pizza

1 Commits
master ... pizza

Author SHA1 Message Date
Markus Hauschild
a9899061d8 [WIP] role for pizza 2020-11-21 22:14:53 +01:00
186 changed files with 1718 additions and 5543 deletions
Show Stats Expand all files Collapse all files

1
ansible.cfg
View File

@ -1,6 +1,5 @@
[defaults]
ansible_managed = This file is managed by ansible, do not make manual changes - they may be overridden at any time.
interpreter_python = auto
inventory = ./hosts
nocows = 1
remote_user = root

59
group_vars/all/vars.yml
View File

@ -34,20 +34,11 @@ gitea_dbpass: "{{ vault_gitea_dbpass }}"
gitea_secret: "{{ vault_gitea_secret }}"
gitea_jwt_secret: "{{ vault_gitea_jwt_secret }}"
hedgedoc_domain: pad.binary-kitchen.de
hedgedoc_dbname: hackmd
hedgedoc_dbuser: hackmd
hedgedoc_dbpass: "{{ vault_hedgedoc_dbpass }}"
hedgedoc_secret: "{{ vault_hedgedoc_secret }}"
icinga_domain: icinga.binary.kitchen
icinga_dbname: icinga
icinga_dbuser: icinga
icinga_dbpass: "{{ vault_icinga_dbpass }}"
icinga_server: nabia.binary.kitchen
icingaweb_dbname: icingaweb
icingaweb_dbuser: icingaweb
icingaweb_dbpass: "{{ vault_icingaweb_dbpass }}"
hackmd_domain: pad.binary-kitchen.de
hackmd_dbname: hackmd
hackmd_dbuser: hackmd
hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
hackmd_secret: "{{ vault_hackmd_secret }}"
jitsi_domain: jitsi.binary-kitchen.de
jitsi_admin_email: exxess@binary-kitchen.de
@ -73,18 +64,10 @@ mail_server: mail.binary-kitchen.de
mailman_domain: lists.binary-kitchen.de
mail_trusted:
- 213.166.246.0/28
- 213.166.246.37/32
- 213.166.246.45/32
- 213.166.246.250/32
- 2a02:958:0:f6::/124
- 2a02:958:0:f6::37/128
- 2a02:958:0:f6::45/128
mail_aliases:
- "auweg@binary-kitchen.de venti@binary-kitchen.de,anti@binary-kitchen.de,anke@binary-kitchen.de,gruenewald.clemens@gmail.com"
- "bbb@binary-kitchen.de timo.schindler@binary-kitchen.de"
- "dasfilament@binary-kitchen.de taxx@binary-kitchen.de"
- "epvpn@binary-kitchen.de noby@binary-kitchen.de"
- "google@binary-kitchen.de vorstand@binary-kitchen.de"
- "info@binary-kitchen.de vorstand@binary-kitchen.de"
- "lebercast@binary-kitchen.de anti@binary-kitchen.de,dragonchaser@binary-kitchen.de,moepman@binary-kitchen.de,philmacfly@binary-kitchen.de,ralf@binary-kitchen.de"
- "loetworkshop@binary-kitchen.de timo.schindler@binary-kitchen.de,venti@binary-kitchen.de"
@ -92,13 +75,12 @@ mail_aliases:
- "openhab@binary-kitchen.de noby@binary-kitchen.de"
- "orga@ccc-r.de orga@ccc-regensburg.de"
- "orga@ccc-regensburg.de anti@binary-kitchen.de"
- "paypal@binary-kitchen.de ralf@binary-kitchen.de"
- "paypal@binary-kitchen.de timo.schindler@binary-kitchen.de"
- "post@makerspace-regensburg.de vorstand@binary-kitchen.de"
- "pretix@binary-kitchen.de moepman@binary-kitchen.de"
- "root@binary-kitchen.de moepman@binary-kitchen.de,kishi@binary-kitchen.de"
- "seife@binary-kitchen.de anke@binary-kitchen.de"
- "siebdruck@binary-kitchen.de anke@binary-kitchen.de"
- "vorstand@binary-kitchen.de anti@binary-kitchen.de,avarrish@binary-kitchen.de,ralf@binary-kitchen.de,zaesa@binary-kitchen.de"
- "vorstand@binary-kitchen.de anti@binary-kitchen.de,avarrish@binary-kitchen.de,timo.schindler@binary-kitchen.de,zaesa@binary-kitchen.de"
- "voucher1@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher2@binary-kitchen.de exxess@binary-kitchen.de"
- "voucher3@binary-kitchen.de exxess@binary-kitchen.de"
@ -118,28 +100,19 @@ matrix_dbname: matrix
matrix_dbuser: matrix
matrix_dbpass: "{{ vault_matrix_dbpass }}"
mc_domain: minecraft.binary-kitchen.de
netbox_domain: netbox.binary.kitchen
netbox_dbname: netbox
netbox_dbuser: netbox
netbox_dbpass: "{{ vault_netbox_dbpass }}"
netbox_secret: "{{ vault_netbox_secret }}"
nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
nextcloud_domain: oc.binary-kitchen.de
nextcloud_dbname: owncloud
nextcloud_dbuser: owncloud
nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
pretix_domain: pretix.events.binary-kitchen.de
pretix_dbname: pretix
pretix_dbuser: pretix
pretix_dbpass: "{{ vault_pretix_dbpass }}"
pretix_mail: pretix@binary-kitchen.de
plk_domain: plk-regensburg.de
plk_dbuser: plkdbuser
plk_dbname: plkdb
plk_dbpass: "{{ vault_plk_dbpass }}"
prometheus_pve_user: prometheus@pve
prometheus_pve_pass: "{{ vault_prometheus_pve_pass }}"
@ -153,6 +126,8 @@ pve_targets:
radius_secret: "{{ vault_radius_secret }}"
rocketchat_domain: chat.binary-kitchen.de
root_keys:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBmZnJLG1WRppbLtOAJw3E4LgLRK0NirfCgpovhhU6h moepman"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPlktM2x11cNBMKurf57MLE1XcOm2sGQXguc0tl1vYd kishi"
@ -160,5 +135,3 @@ root_keys:
slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
slapd_root_pass: "{{ vault_slapd_root_pass }}"
slapd_san: ldap.binary.kitchen
workadventure_domain: wa.binary-kitchen.de

159
group_vars/all/vault.yml
View File

@ -1,102 +1,59 @@
$ANSIBLE_VAULT;1.1;AES256
34313430623638333161613331623835666163626232326164366136373833633138373733333231
6563336334663666373235313064363364646361643033310a663033616232363434306230313765
31386338646433393334663031623261353661333565663763363834313264363463383562633934
3663623932356635360a306231613431623763663130656634623365643730336564663862336536
34663863313364613831656162663663646634636432656539643531326163653363376662393935
61343934313135623265646539616136306231633566616534383562393964663565323534386162
31646233313339383863313334353031386166653264353831383133633761306539636533656336
37643866646538316234633736613136356166613037383638303465663639633432326533653832
30313862646132393063393239656561646566336362643466386435613734623632613361323266
64316166313635306631396166303132626139386563613231646439356637393662623530353261
62326661663064393362653136346262313762376130623461313563613161623838356363306263
38376438333632623962646535313239343038383030383736313536303935346236326631616632
65376162613630343064356361336535623030316435333036363635623461626330663635653631
61313435373839366363613338666630366333383962393734333662646239663237386437373333
31373065336139643033643666653737306664626134643937343264646539616264393530343462
38366232393832666439383066383738643966363132663832396562646238306638343266353934
38396236373830303661336635646137306236386436343033383764666535323834313534346533
35333665303534383634303732346164616666643731313839353462343365356338386561613231
35333965353736386531356565376434393563653562373261633664623438346638613765303736
65336230636539613332616433326335326436333136636566383731306437663438306636363930
31376230353230613038636662623432646361383263663532396234656133333237333738666233
61613961343963393437393664393265306564373164316265363232303831663331393130356662
39313230616463636163386261353431356338353833393161313861643137646166363864313861
64306161653565396339656333346235346365373836373633376231333833313034353864656434
33623861326664356339336333663365663663353061323037346330653133396235363831623136
63343662356235633332373733626232353437373263343038663932636232363030336436616131
65376436663962363631386664353531303963313263633261633766326566383262643334646466
65363664306332656134633039643135323134616535613834313533626633353066343762646132
31353761373366313365373632366661646235333039656231323030366338326264333162646562
39343265376234363635306537636464323030316231306564316635656563303565336539326237
36393632386564343730616566373535616263383564343866353665373363363333343935346464
31646338353235356231353135663062323766663231383730396235373934303465346239303961
66646463663762633963336365356431323431383938373839346364303464633031633633663937
36646165633661633361313635393134646133363334373863663132376266336233336435356435
38303862613564363731313062316533633465353830316436326431656132353431373231646337
33343464353039623236643633636239343965643633343966326562343934313664633563613730
63313930643936393838636634613331633835656434646163386661663037376330646366656232
32623461633935353134343533626266653031666335336236343039363066396337633639363235
38626233383461356264616534656537633931663936383330386532363434383833613835613439
64306262626539623136376630646439353335623266306139306434663331346237306331666533
37363433343433363632336333633065313865626564633134616462393831626237333638333739
61623030386235666132666661623462323332393666623539636139326530623233396533373939
32396261306661663739333138353335663734316232303661353166376133653934306233343739
33353833323739343163396234633264373139346264653933633433393132363966636135393365
36363530396166363630643764633436663037666631343535366132373334663938333930396133
36303864303961333664653635343935353266396231313964646262363038626561653466646438
62306434373136393738303835656130333936663430636139383137633536383131616533613634
62343464636332343031326365383964326666636466666636663236633935356635336435313437
33626137326238356537353762613164653731326563663239316537646338643131643564663632
33353536383265303030343735616530666236343064323337623232396130393366363161356636
61333862313432323139313963386538393365373335373139353533356537383739373539646134
37623936653933326633643961313530663533326532383133353238303336643432353833393338
31633065666336373236386537636536326236636639376465346136326535653764373131636135
61393932643639383234396163326633393733616563343637613661326432623461393934653965
32643162386238316261633733613366323834393365633430643964666262306339633766613533
65366264313431333132303063393564383062346365633133383463376631303933643065613137
61383231393339363465363064633862633135326536663163366234623764626439346461303164
32373738636533306362333138643832643862656239303464373434303537653336646430356633
36626436356231616166666163346539633738623734343031373735346165303664346137343132
31663230343934333138656333626339623133323630336266353831653135616363333432616361
33613236623538333663366136656563663331366237303763653238336139363163366635646532
37316430623433336436376462656331373336303831393333626166346135333737326435353834
37636162646438313162303462633830353239623565393331316662616535343138613437653665
31316563346234633031653131666531333266306139346566383263303835343532363633373665
30336462626434393063343234356633636433356164363163363564383263623364386435383239
33323738366534633730666436303433343731306662393863323633653263316138386365376666
35316365303361623030383836316436323663646464386231346432396563663133643834383636
61326534313237316130393538613834656231303732656163346237643535663239366536636633
36306137616664623735613966343264653932363035373336636465323163393539363064386562
31626138316163393466323333613530376265386136376330636364363166323061383034623336
38643166363864383264373665323238326232376633653565356536376466303834313733613531
65333734353036303935333533306334306231373731353463346461353930316562316439356562
38336435366335333230323766626134376131323435323735653736336662313962393766383435
39323734643037643066363338373332653830393337306633336131663131616164336536393837
35383366316130343162663231343763373331613261393566366133346564636334643464373535
37633536323531613831656662323263316630623061383930363637346438623735383430366538
39303961326461323661346630313636643531303265393461373036306435353863643036623665
66333965303032653537613232633162303138343632396134336130333430636666376430323466
61323535313463653866666265313765623831376633666534623033643063386231623238656439
63323166373764306162613233323466366363666535643339646361306638343762393834343131
31393437373733343138306563363032353831616334383631656266346131303161633265343461
62343234383936303664643234323665343635626435613766343737396564656137393061666165
66313531666562303030323764356632626233333432343461393362303563643661336335366339
62346366643835303563646161366434386532363265313531303634336136653062613464376138
66336333623565623263363561303537303337623137656430353830353937323265313837333237
62343132326665326130376566626661366534353335366532623539303536323762646462306261
63383133633462376162316338663765393933663536663239636439643733376434333030616131
63326332336563326232346430643534336133376334646635653862333133306135666132353839
37336136346464363365633262623630343463343035666161626665663030346533303266313837
32323566393630626566393334353832383235626161343532323930656430343739663432333866
62663136333637663563366536303437363964666638326134373766313837383431663733383630
63336432656239393465353666383131326536643531663337396234396663373432303163653331
33626237386237626433653637313835376632613131663235353037336231613134633065323035
31366531343131303937663561336262623062313961366233633430323639383332656236363535
35353639633366366439666532326539666230323338643931383264306436386634316331393133
33393963303734303037353139356436313036343766646131333735356266333434333039363339
62396231303137303236626439633331306663313630653437363733656130653863646537316536
39346233633436323565363466653862333630633030666136613237333663643339306334613532
63343565393632353138616637356339623639373135636334333130323032346536626465323430
63383363313338636466316464303039633236343038613734633632633234313837656436663137
62643130383463333137363537646233613366653664613137623130333330636362
37303932343462623335393066643531373533636435356462326537373532613534353266396435
3636666364306637306266393933383963633032383265650a656563303332303134323135353239
34633863333930316564633632313939643664373163373833636139366537646530383736343130
6239373931306234620a353966346262646538306631656461613431636230333430663931643933
31316362353439393838363666613932313635313864333135636530653238653162353033356437
33353063363639346266313631393463623864636133623264613865336536613536343365386230
65396263393862626139396430623134316632313637623631623762656139623664356331623066
30323430613963313162616135303164663364336634326533346438373635366238356531613461
30333736633965333163616437303566666239313962353531393530613265363833396136646262
62633662666532396535316361303934613138373365633161393664313234663533363736323335
38613762376234663564333333386265633138613839636132346638313430653639636339336239
38633564333831326331326166666362353364303933393532643936313564386565643162623435
36356437356631666137323039316430656566613436623062656562666139383635653039636463
35393438323765303431333737356339343730303531333834306239366533393537626239376163
31663332343136323264376234363264343136623365383833666638656531306362663462383033
31633838643562613762363634653865353361303666363139636337386439626235336462653036
30376461643839313665383430386534656265626139313034646438323861653530383637316139
35313539636137303561646564616362313435666262343137616263396465356434363862323137
38626464383039386139343665363538326539613837366437623362336639336133323463666235
36346333356434363838363634343233323363333762653264333062656133623434666162356433
37623862653862643335333931663063623166353534636430323230663838653532356335306632
33646265343834363839653565326538353930663061376461646534386637376234646264343933
65653763343236653630396238333232633461663333646531323337626235396231383931663264
34363564366134663036643332346238373639646336396261316133326235636265323636663335
35363537346466396432396162383131306438396431336138666663633132646662316165643333
64633434623166343262623038623431343631333962663566303566393761653536303638643037
63363963306139336235363537396432383131303763643966313937353537333739393031616439
35343361646234663062633631323238656137373464386561656439313636613630323632616332
39346239666266623038363066643865373762633532323431373431373165643662663661633365
35353361383339623535336362313430616139396561623934346264323462663663383566393165
35366637313861386465333530613530623832643333616538336436356134313832306139336361
32393162373235356236343332363038393631626534643237383232323735633265333562633231
61613164363962323236666365353830346664643263393532343562383736336535353364343638
62386465323331653565306234646664393164666334383765336630346438633636353264636138
31316231326236313839353465353230353935363330393035373234393039386134366534653636
63323730383931353763383739393330316335373563393039366166313031373664636335363363
38363131363565326431636361316562313037373664306333313366646336333162663664306539
64636530363561393037373766383937616435313333653836363835383231633130396133663635
36613531323732623264646666656139333766656562623430313964366236373663626135383437
31643663663637613762313465656636396264623362643538323166356636303430613133383664
66383332326437333638663562376665386237313533303437623765353661393561373338636130
30383665333366643331366536646330633133643566393962633164643563613536363434393234
66323931316535353632356432373262623962616264383430623436303637616165386433326231
38633730636633643634343833313964653530663034333063313334636134646634363437346161
32613061363032383732323263303830363532326239316538393739313730383530633862313039
37653865303932313635656332663039376331393161623731623039653865623436363061626538
32383934613335363534666461343135303235373262343634306130633536323839393139346662
31623265323138353963623938616665383765366230656461383835346230346261623866366630
65303965353432386136373562306434623739666262356663656266346439356435613362333563
34366539353366346636376662363837303332373866323434366261326164633033353930383038
36666433656365366663326163343034306439653262353733323232373133386436333637346563
32626533336530633731336631333334353366306538663936643637346335303965626631316562
33333061656234393661363766663630316662613764333231326434383465666234653238393965
31636561396665383063613433653837363634623337623330666466353532633434383864343464
38303436306165353433356536326466306530373635616531393462666336666435633235613937
37343832333864643636366632623062363234633365326635386663376439383332306333653161
34353830396165366534313334616161323461613066383561343563393330613464373862623062
3536303066343262636636393861313539616636643339353562

14
group_vars/auweg
View File

@ -1,14 +0,0 @@
---
dhcpd_failover: false
dhcpd_primary: 172.23.13.3
dns_primary: 172.23.13.3
name_servers:
- 172.23.13.3
ntp_servers:
- 172.23.12.61
radius_cn: radius.binary.kitchen

3
group_vars/kitchen
View File

@ -4,9 +4,6 @@ dhcpd_failover: true
dhcpd_primary: 172.23.2.3
dhcpd_secondary: 172.23.2.4
dns_primary: 172.23.2.3
dns_secondary: 172.23.2.4
name_servers:
- 172.23.2.3
- 172.23.2.4

6
host_vars/aeron.binary.kitchen
View File

@ -1,6 +0,0 @@
---
radius_hostname: radius3.binary.kitchen
slapd_hostname: ldap3.binary.kitchen
slapd_role: slave

4
host_vars/bacon.binary.kitchen
View File

@ -1,11 +1,9 @@
---
ntp_server: true
ntp_servers:
- ptbtime2.ptb.de
- ntp1.rrze.uni-erlangen.de
- rustime01.rus.uni-stuttgart.de
- ntps1-0.cs.tu-berlin.de
ntp_peers:
- 172.23.1.60

2
host_vars/barium.binary-kitchen.net
View File

@ -1,2 +0,0 @@
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

8
host_vars/bowle.binary.kitchen
View File

@ -1,8 +0,0 @@
---
nfs_exports:
- /exports/backup/bk 172.23.1.60(rw,sync,no_subtree_check)
- /exports/backup/rz 172.23.9.61(rw,sync,no_subtree_check)
- /exports/tank 172.23.0.0/22(rw,sync,no_subtree_check)
uau_reboot: "false"

4
host_vars/knoedel.binary.kitchen
View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

5
host_vars/lock-auweg.binary.kitchen
View File

@ -1,5 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAkXY3fQFMG7LkTBWtBNY7q7RCwb/R4Z8Y96e3pToddfXbtmtVxMZfd6hC+3kGt3NnPYDFmZf/RXblNBPwL/n8bEjA0bmfU60LMjFT0mG99bLU+5CgDxaSf34jzgtzLbHKqeSYxNpXNebbDZRw+cxuDjxJ+lYbc/hNQTy6hqKXUSQ25LAqplKVYbxlPWPxxKnJCvWj2pCdJGj1EK/Y+saafNOhA7uEPNt8HtWWNMhxNi+P9OkkLpYqRM8V0miR7aAYOY+RllMn+H5DIJg2gk319AHhlBDP7NXd/tmWg+bI7xYPDe9Q6gMrV8OnQmuNjWsLNhp8ktwQxpsv71t6ztXLpceIkV9yfDSeBpZG5QnsMOy/ua91S6hmMg4bIEBsqkPUYEwEIDFaV0TrlKeXMkU+ovthZnw0CWgV5KEWDHtuGu8nBBpks/geclh+0yqeFEaacnlTTNEhvCcp7vOsqDJnZSn1L4O6C+u/A4NJGRH7XQMWrXBdeTVIT9KLsdZJsoPIH8BRaw/qOYPY6wZzHcLvrsayUBBiiLDIN1lE/3OV70dKX7F0Q7hyl8o9EoGdEYnGBonWGC58hroiAE4FTVdWLKtHzHSG2AdTWf53sJzGVEh5swm44KD/Dh52bE4YjUxC0b68Twb3/L1QpH8KZNUVEcRNmiRshefMPSXbPv3bNzc= 20170818Tobias@Teubl.de"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

3
host_vars/magnesium.binary-kitchen.net
View File

@ -1,3 +0,0 @@
---
acertmgr_mode: standalone

1
host_vars/molybdenum.binary-kitchen.net
View File

@ -4,4 +4,3 @@ grafana_domain: zelle.binary-kitchen.de
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAib/9jl5oDkCF0g9Z2m0chruxA779TmQLy9nYFWq5qwxhCrBwgPBsHjyYJoA9vE6o+MB2Uc76hPNHxrY5WqOp+3L6z7B8I7CDww8gUBcvLXWFeQ8Qq5jjvtJfT6ziIRlEfJBHn7mQEZ6ekuOOraWXSt7EVJPYcTtSz/aqbSHNF6/iYLqK/qJQdrzwKF8aMbJk9+68XE5pPTyk+Ak9wpFtiKA+u1b0JAJr2Z0nZGVpe+QlMkgwysjcJik+ZOFfVRplJQSn7lEnG5tkKxySb3ewaTCmk5nkeV40ETiyXs6DGxw0ImVdsAZ2gjBlCVMUhiCgznREzGmlkSTQSPw7f62edw== venti"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa tom"

2
host_vars/nitrogen.binary-kitchen.net
View File

@ -3,5 +3,3 @@
root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJu4xYKnnAhXf2Fe+cI+U4EVkePw3cbPbSR4iPhY2fQf xaver@xm.1drop.de"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGC1Cn/tEqpZKEgLzT3bGrhYibQy0bc21rtoDqm4+elZ xaver@home"
nginx_anonymize: True

4
host_vars/pancake.binary.kitchen
View File

@ -1,4 +0,0 @@
---
root_keys_host:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMJDyq3veSnK+6hSw+Ml6lvTQTPC6vRFqtDXvPBnOtId8F9+/N0ADcPa5UTesnTkQgSAY7WpSoN5D6clYzdcPR55e5WZwZfMSkX14D7v7mrGxUcE4HshTorfEYv5XBd11Tvu0ruMdxlFQ+VFHkZIF305xgyx32INA3zUfnhzHJlKEdIAy8iSbERUV+X5kB59aep6xSpitCHJtsTT5Ky+EsvAhndKB5hDBuwVVr0+Sg5PypeTQ4zzWFyR6DFBEvyEj6bs/pQff9WxSRIXEuLffXOXdRLGHWqX7PfhWcH9WNH55WT7ZKCMGVuG4kYLkZ633c296ISg9q0eNKn99oHuwvzVg/wV3wndHINE+iUKKJjaRUpDUwd9DftFqMbFGATpf8en6KPs/7bgZUGACIfDO6Uy59V75cntiMFZc+BnnpV2qLVBFFD5ClRBCRdqH5D0px+jpuQFo9EUhggL4jzlj9wQf26zv0E4zSGTqbM1jfO3zcXlxSjg3H3Og2GAO5fCQiodpsqkW9Hby/p4s5l+P97tlVlgapnZlSA/1em4lmYshmRk/9scN8PMSXfW9uhncv9qXqp0ypEqEuNfj5u/1Eu8zmayIA9V23xyPn92LMT6MP2BB1kC7jeAXfXHdKBhTYW6bLQJKMs9nypH6RODK1fb9JlIrB61ZDJ9L5K++o2Q== noby"

8
host_vars/weizen.binary.kitchen
View File

@ -1,8 +0,0 @@
---
ntp_server: true
ntp_servers:
- ptbtime1.ptb.de
- ntp1.rrze.uni-erlangen.de
- rustime01.rus.uni-stuttgart.de

4
host_vars/wurst.binary.kitchen
View File

@ -1,11 +1,9 @@
---
ntp_server: true
ntp_servers:
- ptbtime1.ptb.de
- ntp1.rrze.uni-erlangen.de
- rustime01.rus.uni-stuttgart.de
- ntps1-0.cs.tu-berlin.de
ntp_peers:
- 172.23.2.3

13
hosts
View File

@ -4,17 +4,10 @@ bacon.binary.kitchen ansible_host=172.23.2.3
aveta.binary.kitchen ansible_host=172.23.2.4
sulis.binary.kitchen ansible_host=172.23.2.5
nabia.binary.kitchen ansible_host=172.23.2.6
epona.binary.kitchen ansible_host=172.23.2.7
pizza.binary.kitchen ansible_host=172.23.2.33
pancake.binary.kitchen ansible_host=172.23.2.34
knoedel.binary.kitchen ansible_host=172.23.2.35
bob.binary.kitchen ansible_host=172.23.2.37
bowle.binary.kitchen ansible_host=172.23.2.62
bowle.binary.kitchen ansible_host=172.23.2.62 ansible_python_interpreter=/usr/local/bin/python2.7
salat.binary.kitchen ansible_host=172.23.9.61
[auweg]
weizen.binary.kitchen ansible_host=172.23.12.61
aeron.binary.kitchen ansible_host=172.23.13.3
lock-auweg.binary.kitchen ansible_host=172.23.13.12
[fan_rz]
helium.binary-kitchen.net
lithium.binary-kitchen.net
@ -26,11 +19,9 @@ oxygen.binary-kitchen.net
fluorine.binary-kitchen.net
neon.binary-kitchen.net
sodium.binary-kitchen.net
magnesium.binary-kitchen.net
krypton.binary-kitchen.net
yttrium.binary-kitchen.net
zirconium.binary-kitchen.net
molybdenum.binary-kitchen.net
technetium.binary-kitchen.net
ruthenium.binary-kitchen.net
rhodium.binary-kitchen.net
barium.binary-kitchen.net

5
roles/bk_dss/tasks/main.yml
View File

@ -44,8 +44,3 @@
- name: Enable vhosts
file: src=/etc/nginx/sites-available/dss dest=/etc/nginx/sites-enabled/dss state=link
notify: Restart nginx
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ dss_domain }}"

3
roles/common/defaults/main.yml
View File

@ -6,6 +6,3 @@ logrotate_excludes:
- "/etc/logrotate.d/dbconfig-common"
- "/etc/logrotate.d/btmp"
- "/etc/logrotate.d/wtmp"
sshd_password_authentication: "no"
sshd_permit_root_login: "prohibit-password"

10
roles/common/files/50-virtio-kernel-names.link Normal file
View File

@ -0,0 +1,10 @@
# udev 226 introduced predictable interface names for virtio;
# disable this for upgrades. You can remove this file if you update your
# network configuration to move to the ens* names instead.
# See /usr/share/doc/udev/README.Debian.gz for details about predictable
# network interface names.
[Match]
Driver=virtio_net
[Link]
NamePolicy=onboard kernel

6
roles/common/files/99-default.link Normal file
View File

@ -0,0 +1,6 @@
# This machine is most likely a virtualized guest, where the old persistent
# network interface mechanism (75-persistent-net-generator.rules) did not work.
# This file disables /lib/systemd/network/99-default.link to avoid
# changing network interface names on upgrade. Please read
# /usr/share/doc/udev/README.Debian.gz about how to migrate to the currently
# supported mechanism.

9
roles/common/handlers/main.yml
View File

@ -1,16 +1,7 @@
---
- name: Restart chrony
service: name=chrony state=restarted
- name: Restart journald
service: name=systemd-journald state=restarted
- name: Restart sshd
service: name=sshd state=restarted
- name: update-grub
command: update-grub
- name: update-initramfs
command: update-initramfs -u -k all

47
roles/common/tasks/Debian.yml
View File

@ -3,10 +3,7 @@
- name: Install misc software
apt:
name:
- apt-transport-https
- dnsutils
- fdisk
- gnupg2
- htop
- less
- net-tools
@ -29,32 +26,35 @@
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: ".zshrc", dest: "/root/.zshrc" }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
- { src: "motd", dest: "/etc/motd" }
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
- { src: '.zshrc', dest: '/root/.zshrc' }
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
- { src: 'motd', dest: '/etc/motd' }
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
- name: Set shell for root user
user: name=root shell=/bin/zsh
- name: Create LDAP client config
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
- name: Disable hibernation/resume
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
notify: update-initramfs
- name: Enable serial console on KVM VMs
lineinfile:
path: "/etc/default/grub"
state: "present"
regexp: "^#?GRUB_CMDLINE_LINUX=.*"
line: "GRUB_CMDLINE_LINUX=\"console=ttyS0,115200 console=tty0\""
notify: update-grub
when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"
# TODO template /etc/network/interfaces
- name: Fix network interface names
copy: src={{ item }} dest=/etc/systemd/network/{{ item }}
with_items:
- 50-virtio-kernel-names.link
- 99-default.link
notify: update-initramfs
- name: Prevent normal users from running su
lineinfile:
path: /etc/pam.d/su
regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
line: "auth required pam_wheel.so"
regexp: '^.*auth\s+required\s+pam_wheel.so$'
line: 'auth required pam_wheel.so'
- name: Configure journald retention
lineinfile:
@ -89,25 +89,16 @@
set_fact:
logrotateconfigpaths: "{{ alllogrotateconfigpaths | difference(logrotate_excludes) }}"
- name: "Set logrotate.d/* to daily"
- name: 'Set logrotate.d/* to daily'
replace:
path: "{{ item }}"
regexp: "(?:weekly|monthly)"
replace: "daily"
loop: "{{ logrotateconfigpaths }}"
- name: "Set /etc/logrotate.d/* rotation to 7"
- name: 'Set /etc/logrotate.d/* rotation to 7'
replace:
path: "{{ item }}"
regexp: "rotate [0-9]+"
replace: "rotate 7"
loop: "{{ logrotateconfigpaths }}"
- name: Configure ssh password login
template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: '0644'
notify: Restart sshd

14
roles/common/tasks/FreeBSD.yml Normal file
View File

@ -0,0 +1,14 @@
---
- name: Install misc software
pkgng:
name:
- vim-lite
- htop
- zsh
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
with_items:
- { src: '.zshrc', dest: '/root/.zshrc' }
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }

9
roles/common/tasks/Proxmox.yml
View File

@ -13,12 +13,11 @@
- name: Configure misc software
copy: src={{ item.src }} dest={{ item.dest }}
diff: no
with_items:
- { src: ".zshrc", dest: "/root/.zshrc" }
- { src: ".zshrc.local", dest: "/root/.zshrc.local" }
- { src: "motd", dest: "/etc/motd" }
- { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }
- { src: '.zshrc', dest: '/root/.zshrc' }
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
- { src: 'motd', dest: '/etc/motd' }
- { src: 'vimrc.local', dest: '/etc/vim/vimrc.local' }
- name: Set shell for root user
user: name=root shell=/bin/zsh

8
roles/common/tasks/chrony.yml
View File

@ -1,8 +0,0 @@
---
- name: Install chrony
apt: name=chrony
- name: Configure chrony
template: src=chrony.conf.j2 dest=/etc/chrony/chrony.conf
notify: Restart chrony

13
roles/common/tasks/main.yml
View File

@ -2,20 +2,21 @@
- name: Cleanup
apt: autoclean=yes
when: ansible_os_family == "Debian"
when: ansible_os_family == 'Debian'
- name: Gather package facts
package_facts:
manager: apt
when: ansible_os_family == "Debian"
when: ansible_os_family == 'Debian'
- name: Proxmox
include: Proxmox.yml
when: ansible_os_family == "Debian" and "pve-manager" in ansible_facts.packages
when: ansible_os_family == 'Debian' and 'pve-manager' in ansible_facts.packages
- name: Debian
include: Debian.yml
when: ansible_os_family == "Debian" and "pve-manager" not in ansible_facts.packages
when: ansible_os_family == 'Debian' and 'pve-manager' not in ansible_facts.packages
- name: Setup chrony
include: chrony.yml
- name: FreeBSD
include: FreeBSD.yml
when: ansible_distribution == 'FreeBSD'

46
roles/common/templates/chrony.conf.j2
View File

@ -1,46 +0,0 @@
# Welcome to the chrony configuration file. See chrony.conf(5) for more
# information about usable directives.
{% for srv in ntp_servers %}
server {{ srv }} iburst
{% endfor %}
{% if ntp_peers is defined %}
{% for peer in ntp_peers %}
peer {{ peer }}
{% endfor %}
{% endif %}
{% if ntp_server is defined and ntp_server is true %}
allow 172.23.0.0/16
{% endif -%}
# This directive specify the location of the file containing ID/key pairs for
# NTP authentication.
keyfile /etc/chrony/chrony.keys
# This directive specify the file into which chronyd will store the rate
# information.
driftfile /var/lib/chrony/chrony.drift
# Uncomment the following line to turn logging on.
#log tracking measurements statistics
# Log files location.
logdir /var/log/chrony
# Stop bad estimates upsetting machine clock.
maxupdateskew 100.0
# This directive enables kernel synchronisation (every 11 minutes) of the
# real-time clock. Note that it cant be used along with the 'rtcfile' directive.
rtcsync
# Step the system clock instead of slewing it if the adjustment is larger than
# one second, but only in the first three clock updates.
makestep 1 3
# Get TAI-UTC offset and leap seconds from the system tz database.
# This directive must be commented out when using time sources serving
# leap-smeared time.
leapsectz right/UTC

19
roles/common/templates/ldap.conf.j2 Normal file
View File

@ -0,0 +1,19 @@
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE {{ ldap_base }}
URI {{ ldap_uri }}
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_REQCERT demand
TLS_CACERTDIR /etc/ssl/certs
TLS_CACERT /etc/ssl/certs/ca-certificates.crt

123
roles/common/templates/sshd_config.j2
View File

@ -1,123 +0,0 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin {{ sshd_permit_root_login }}
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication {{ sshd_password_authentication }}
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

6
roles/coturn/handlers/main.yml
View File

@ -1,10 +1,4 @@
---
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart coturn
service: name=coturn state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

22
roles/coturn/tasks/main.yml
View File

@ -3,28 +3,6 @@
- name: Install coturn
apt: name=coturn
- name: Create coturn service override directory
file: path=/etc/systemd/system/coturn.service.d state=directory
- name: Configure coturn service override
template: src=coturn.override.j2 dest=/etc/systemd/system/coturn.service.d/override.conf
notify:
- Reload systemd
- Restart coturn
- name: Create gitea directories
file: path={{ item }} state=directory owner=turnserver
with_items:
- /etc/turnserver
- /etc/turnserver/certs
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/turnserver/certs/{{ coturn_realm }}.key -out /etc/turnserver/certs/{{ coturn_realm }}.crt -days 730 -subj "/CN={{ coturn_realm }}" creates=/etc/turnserver/certs/{{ coturn_realm }}.crt
- name: Configure certificate manager
template: src=certs.j2 dest=/etc/acertmgr/{{ coturn_realm }}.conf
notify: Run acertmgr
- name: Configure coturn
template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items:

15
roles/coturn/templates/certs.j2
View File

@ -1,15 +0,0 @@
---
{{ coturn_realm }}:
- path: /etc/turnserver/certs/{{ coturn_realm }}.key
user: turnserver
group: turnserver
perm: '400'
format: key
action: '/usr/sbin/service coturn restart'
- path: /etc/turnserver/certs/{{ coturn_realm }}.crt
user: turnserver
group: turnserver
perm: '400'
format: crt,ca
action: '/usr/sbin/service coturn restart'

2
roles/coturn/templates/coturn.override.j2
View File

@ -1,2 +0,0 @@
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE

368
roles/coturn/templates/turnserver.conf.j2
View File

@ -1,60 +1,52 @@
# Coturn TURN SERVER configuration file
#
# Boolean values note: where a boolean value is supposed to be used,
# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
# If the value is missing, then it means 'true' by default.
# Boolean values note: where boolean value is supposed to be used,
# you can use '0', 'off', 'no', 'false', 'f' as 'false,
# and you can use '1', 'on', 'yes', 'true', 't' as 'true'
# If the value is missed, then it means 'true'.
#
# Listener interface device (optional, Linux only).
# NOT RECOMMENDED.
# NOT RECOMMENDED.
#
#listening-device=eth0
# TURN listener port for UDP and TCP (Default: 3478).
# Note: actually, TLS & DTLS sessions can connect to the
# Note: actually, TLS & DTLS sessions can connect to the
# "plain" TCP & UDP port(s), too - if allowed by configuration.
#
listening-port=443
#listening-port=3478
# TURN listener port for TLS (Default: 5349).
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
# port(s), too - if allowed by configuration. The TURN server
# port(s), too - if allowed by configuration. The TURN server
# "automatically" recognizes the type of traffic. Actually, two listening
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
# For secure TCP connections, Coturn currently supports
# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
# For secure TCP connections, we currently support SSL version 3 and
# TLS version 1.0, 1.1 and 1.2.
# For secure UDP connections, Coturn supports DTLS version 1.
# For secure UDP connections, we support DTLS version 1.
#
tls-listening-port=443
#tls-listening-port=5349
# Alternative listening port for UDP and TCP listeners;
# default (or zero) value means "listening port plus one".
# default (or zero) value means "listening port plus one".
# This is needed for RFC 5780 support
# (STUN extension specs, NAT behavior discovery). The TURN Server
# supports RFC 5780 only if it is started with more than one
# (STUN extension specs, NAT behavior discovery). The TURN Server
# supports RFC 5780 only if it is started with more than one
# listening IP address of the same family (IPv4 or IPv6).
# RFC 5780 is supported only by UDP protocol, other protocols
# are listening to that endpoint only for "symmetry".
#
#alt-listening-port=0
# Alternative listening port for TLS and DTLS protocols.
# Default (or zero) value means "TLS listening port plus one".
#
#alt-tls-listening-port=0
# Some network setups will require using a TCP reverse proxy in front
# of the STUN server. If the proxy port option is set a single listener
# is started on the given port that accepts connections using the
# haproxy proxy protocol v2.
# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
#
#tcp-proxy-port=5555
# Listener IP address of relay server. Multiple listeners can be specified.
# If no IP(s) specified in the config file or in the command line options,
# If no IP(s) specified in the config file or in the command line options,
# then all IPv4 and IPv6 system IPs will be used for listening.
#
#listening-ip=172.17.19.101
@ -69,7 +61,7 @@ tls-listening-port=443
# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
#
# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
#
#
# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
#
# There may be multiple aux-server options, each will be used for listening
@ -81,7 +73,7 @@ tls-listening-port=443
# (recommended for older Linuxes only)
# Automatically balance UDP traffic over auxiliary servers (if configured).
# The load balancing is using the ALTERNATE-SERVER mechanism.
# The TURN client must support 300 ALTERNATE-SERVER response for this
# The TURN client must support 300 ALTERNATE-SERVER response for this
# functionality.
#
#udp-self-balance
@ -91,13 +83,13 @@ tls-listening-port=443
#
#relay-device=eth1
# Relay address (the local IP address that will be used to relay the
# Relay address (the local IP address that will be used to relay the
# packets to the peer).
# Multiple relay addresses may be used.
# The same IP(s) can be used as both listening IP(s) and relay IP(s).
#
# If no relay IP(s) specified, then the turnserver will apply the default
# policy: it will decide itself which relay addresses to be used, and it
# policy: it will decide itself which relay addresses to be used, and it
# will always be using the client socket IP address as the relay IP address
# of the TURN session (if the requested relay address family is the same
# as the family of the client socket).
@ -120,15 +112,12 @@ tls-listening-port=443
# that option must be used several times, each entry must
# have form "-X <public-ip/private-ip>", to map all involved addresses.
# RFC5780 NAT discovery STUN functionality will work correctly,
# if the addresses are mapped properly, even when the TURN server itself
# if the addresses are mapped properly, even when the TURN server itself
# is behind A NAT.
#
# By default, this value is empty, and no address mapping is used.
#
external-ip={{ ansible_default_ipv4.address }}
{% if ansible_default_ipv6.address is defined %}
external-ip={{ ansible_default_ipv6.address }}
{% endif %}
#external-ip=60.70.80.91
#
#OR:
#
@ -138,18 +127,18 @@ external-ip={{ ansible_default_ipv6.address }}
# Number of the relay threads to handle the established connections
# (in addition to authentication thread and the listener thread).
# If explicitly set to 0 then application runs relay process in a
# single thread, in the same thread with the listener process
# If explicitly set to 0 then application runs relay process in a
# single thread, in the same thread with the listener process
# (the authentication thread will still be a separate thread).
#
# If this parameter is not set, then the default OS-dependent
# If this parameter is not set, then the default OS-dependent
# thread pattern algorithm will be employed. Usually the default
# algorithm is optimal, so you have to change this option
# if you want to make some fine tweaks.
# algorithm is the most optimal, so you have to change this option
# only if you want to make some fine tweaks.
#
# In the older systems (Linux kernel before 3.9),
# the number of UDP threads is always one thread per network listening
# endpoint - including the auxiliary endpoints - unless 0 (zero) or
# endpoint - including the auxiliary endpoints - unless 0 (zero) or
# 1 (one) value is set.
#
#relay-threads=0
@ -159,15 +148,15 @@ external-ip={{ ansible_default_ipv6.address }}
#
#min-port=49152
#max-port=65535
# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
# By default the verbose mode is off.
#verbose
# Uncomment to run TURN server in 'extra' verbose mode.
# This mode is very annoying and produces lots of output.
# Not recommended under normal circumstances.
#
# Not recommended under any normal circumstances.
#
#Verbose
# Uncomment to use fingerprints in the TURN messages.
@ -180,69 +169,58 @@ fingerprint
#
#lt-cred-mech
# This option is the opposite of lt-cred-mech.
# This option is opposite to lt-cred-mech.
# (TURN Server with no-auth option allows anonymous access).
# If neither option is defined, and no users are defined,
# then no-auth is default. If at least one user is defined,
# in this file, in command line or in usersdb file, then
# then no-auth is default. If at least one user is defined,
# in this file or in command line or in usersdb file, then
# lt-cred-mech is default.
#
#no-auth
# Enable prometheus exporter
# If enabled the turnserver will expose an endpoint with stats on a prometheus format
# this endpoint is listening on a different port to not conflict with other configurations.
#
# You can simply run the turnserver and access the port 9641 and path /metrics
#
# For mor info on the prometheus exporter and metrics
# https://prometheus.io/docs/introduction/overview/
# https://prometheus.io/docs/concepts/data_model/
#
#prometheus
# TURN REST API flag.
# (Time Limited Long Term Credential)
# Flag that sets a special authorization option that is based upon authentication secret.
#
# This feature's purpose is to support "TURN Server REST API", see
# "TURN REST API" link in the project's page
# "TURN REST API" link in the project's page
# https://github.com/coturn/coturn/
#
# This option is used with timestamp:
#
#
# usercombo -> "timestamp:userid"
# turn user -> usercombo
# turn password -> base64(hmac(secret key, usercombo))
#
# This allows TURN credentials to be accounted for a specific user id.
# If you don't have a suitable id, then the timestamp alone can be used.
# This option is enabled by turning on secret-based authentication.
# The actual value of the secret is defined either by the option static-auth-secret,
# If you don't have a suitable id, the timestamp alone can be used.
# This option is just turning on secret-based authentication.
# The actual value of the secret is defined either by option static-auth-secret,
# or can be found in the turn_secret table in the database (see below).
#
#
# Read more about it:
# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
#
# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
# this option then it automatically enables lt-cred-mech internally
# as if you had enabled both.
# Be aware that use-auth-secret overrides some part of lt-cred-mech.
# Notice that this feature depends internally on lt-cred-mech, so if you set
# use-auth-secret then it enables internally automatically lt-cred-mech option
# like if you enable both.
#
# Note that you can use only one auth mechanism at the same time! This is because,
# both mechanisms conduct username and password validation in different ways.
# You can use only one of the to auth mechanisms in the same time because,
# both mechanism use the username and password validation in different way.
#
# Use either lt-cred-mech or use-auth-secret in the conf
# This way be aware that you can't use both auth mechnaism in the same time!
# Use in config either the lt-cred-mech or the use-auth-secret
# to avoid any confusion.
#
use-auth-secret
# 'Static' authentication secret value (a string) for TURN REST API only.
# 'Static' authentication secret value (a string) for TURN REST API only.
# If not set, then the turn server
# will try to use the 'dynamic' value in the turn_secret table
# in the user database (if present). The database-stored value can be changed on-the-fly
# by a separate program, so this is why that mode is considered 'dynamic'.
# will try to use the 'dynamic' value in turn_secret table
# in user database (if present). The database-stored value can be changed on-the-fly
# by a separate program, so this is why that other mode is 'dynamic'.
#
static-auth-secret={{ coturn_secret }}
@ -256,10 +234,10 @@ static-auth-secret={{ coturn_secret }}
#
#oauth
# 'Static' user accounts for the long term credentials mechanism, only.
# 'Static' user accounts for long term credentials mechanism, only.
# This option cannot be used with TURN REST API.
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
# so they can NOT be changed while the turnserver is running.
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
# so that they can NOT be changed while the turnserver is running.
#
#user=username1:key1
#user=username2:key2
@ -277,7 +255,7 @@ static-auth-secret={{ coturn_secret }}
# password. If it has 0x then it is a key, otherwise it is a password).
#
# The corresponding user account entry in the config file will be:
#
#
#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
# Or, equivalently, with open clear password (less secure):
#user=ninefingers:youhavetoberealistic
@ -285,83 +263,83 @@ static-auth-secret={{ coturn_secret }}
# SQLite database file name.
#
# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
# Default file name is /var/db/turndb or /usr/local/var/db/turndb or
# /var/lib/turn/turndb.
#
#
#userdb=/var/db/turndb
# PostgreSQL database connection string in the case that you are using PostgreSQL
# PostgreSQL database connection string in the case that we are using PostgreSQL
# as the user database.
# This database can be used for the long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
# versions connection string format, see
# versions connection string format, see
# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
# for 9.x and newer connection string formats.
#
#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
# MySQL database connection string in the case that you are using MySQL
# MySQL database connection string in the case that we are using MySQL
# as the user database.
# This database can be used for the long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
#
# Optional connection string parameters for the secure communications (SSL):
# ca, capath, cert, key, cipher
# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
# Optional connection string parameters for the secure communications (SSL):
# ca, capath, cert, key, cipher
# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
# command options description).
#
# Use the string format below (space separated parameters, all optional):
# Use string format as below (space separated parameters, all optional):
#
#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
# If you want to use an encrypted password in the MySQL connection string,
# then set the MySQL password encryption secret key file with this option.
# If you want to use in the MySQL connection string the password in encrypted format,
# then set in this option the MySQL password encryption secret key file.
#
# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
# If you want to use a cleartext password then do not set this option!
# Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format!
# If you want to use cleartext password then do not set this option!
#
# This is the file path for the aes encrypted secret key used for password encryption.
# This is the file path which contain secret key of aes encryption while using password encryption.
#
#secret-key-file=/path/
# MongoDB database connection string in the case that you are using MongoDB
# MongoDB database connection string in the case that we are using MongoDB
# as the user database.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API.
# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
# Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
#
#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
# Redis database connection string in the case that you are using Redis
# Redis database connection string in the case that we are using Redis
# as the user database.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN REST API.
# Use the string format below (space separated parameters, all optional):
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
# Use string format as below (space separated parameters, all optional):
#
#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
# This database keeps allocations status information, and it can be also used for publishing
# and delivering traffic and allocation event notifications.
# The connection string has the same parameters as redis-userdb connection string.
# Use the string format below (space separated parameters, all optional):
# The connection string has the same parameters as redis-userdb connection string.
# Use string format as below (space separated parameters, all optional):
#
#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
# The default realm to be used for the users when no explicit
# origin/realm relationship is found in the database, or if the TURN
# The default realm to be used for the users when no explicit
# origin/realm relationship was found in the database, or if the TURN
# server is not using any database (just the commands-line settings
# and the userdb file). Must be used with long-term credentials
# and the userdb file). Must be used with long-term credentials
# mechanism or with TURN REST API.
#
# Note: If the default realm is not specified, then realm falls back to the host domain name.
# If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
# Note: If default realm is not specified at all, then realm falls back to the host domain name.
# If domain name is empty string, or '(None)', then it is initialized to am empty string.
#
realm={{ coturn_realm }}
# This flag sets the origin consistency
# check. Across the session, all requests must have the same
# The flag that sets the origin consistency
# check: across the session, all requests must have the same
# main ORIGIN attribute value (if the ORIGIN was
# initially used by the session).
#
@ -381,7 +359,7 @@ realm={{ coturn_realm }}
# Max bytes-per-second bandwidth a TURN session is allowed to handle
# (input and output network streams are treated separately). Anything above
# that limit will be dropped or temporarily suppressed (within
# that limit will be dropped or temporary suppressed (within
# the available buffer limits).
# This option can also be set through the database, for a particular realm.
#
@ -402,17 +380,17 @@ realm={{ coturn_realm }}
# Uncomment if no TCP client listener is desired.
# By default TCP client listener is always started.
#
#no-tcp
no-tcp
# Uncomment if no TLS client listener is desired.
# By default TLS client listener is always started.
#
#no-tls
no-tls
# Uncomment if no DTLS client listener is desired.
# By default DTLS client listener is always started.
#
#no-dtls
no-dtls
# Uncomment if no UDP relay endpoints are allowed.
# By default UDP relay endpoints are enabled (like in RFC 5766).
@ -425,11 +403,11 @@ realm={{ coturn_realm }}
#no-tcp-relay
# Uncomment if extra security is desired,
# with nonce value having a limited lifetime.
# The nonce value is unique for a session.
# Set this option to limit the nonce lifetime.
# Set it to 0 for unlimited lifetime.
# It defaults to 600 secs (10 min) if no value is provided. After that delay,
# with nonce value having limited lifetime.
# By default, the nonce value is unique for a session,
# and has unlimited lifetime.
# Set this option to limit the nonce lifetime.
# It defaults to 600 secs (10 min) if no value is provided. After that delay,
# the client will get 438 error and will have to re-authenticate itself.
#
#stale-nonce=600
@ -455,14 +433,13 @@ realm={{ coturn_realm }}
#permission-lifetime=300
# Certificate file.
# Use an absolute path or path relative to the
# Use an absolute path or path relative to the
# configuration file.
# Use PEM file format.
#
#cert=/usr/local/etc/turn_server_cert.pem
# Private key file.
# Use an absolute path or path relative to the
# Use an absolute path or path relative to the
# configuration file.
# Use PEM file format.
#
@ -478,29 +455,29 @@ realm={{ coturn_realm }}
#
#cipher-list="DEFAULT"
# CA file in OpenSSL format.
# CA file in OpenSSL format.
# Forces TURN server to verify the client SSL certificates.
# By default this is not set: there is no default value and the client
# By default it is not set: there is no default value and the client
# certificate is not checked.
#
# Example:
#CA-file=/etc/ssh/id_rsa.cert
# Curve name for EC ciphers, if supported by OpenSSL
# library (TLS and DTLS). The default value is prime256v1,
# Curve name for EC ciphers, if supported by OpenSSL
# library (TLS and DTLS). The default value is prime256v1,
# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
# an optimal curve will be automatically calculated, if not defined
# by this option.
#
#ec-curve-name=prime256v1
# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
# Use 566 bits predefined DH TLS key. Default size of the key is 1066.
#
#dh566
# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
# Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
#
#dh1066
#dh2066
# Use custom DH TLS key, stored in PEM format in the file.
# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
@ -508,21 +485,21 @@ realm={{ coturn_realm }}
#dh-file=<DH-PEM-file-name>
# Flag to prevent stdout log messages.
# By default, all log messages go to both stdout and to
# the configured log file. With this option everything will
# go to the configured log only (unless the log file itself is stdout).
# By default, all log messages are going to both stdout and to
# the configured log file. With this option everything will be
# going to the configured log only (unless the log file itself is stdout).
#
#no-stdout-log
# Option to set the log file name.
# By default, the turnserver tries to open a log file in
# /var/log, /var/tmp, /tmp and the current directory
# (Whichever file open operation succeeds first will be used).
# By default, the turnserver tries to open a log file in
# /var/log, /var/tmp, /tmp and current directories directories
# (which open operation succeeds first that file will be used).
# With this option you can set the definite log file name.
# The special names are "stdout" and "-" - they will force everything
# The special names are "stdout" and "-" - they will force everything
# to the stdout. Also, the "syslog" name will force everything to
# the system log (syslog).
# In the runtime, the logfile can be reset with the SIGHUP signal
# the system log (syslog).
# In the runtime, the logfile can be reset with the SIGHUP signal
# to the turnserver process.
#
#log-file=/var/tmp/turn.log
@ -537,51 +514,41 @@ syslog
#
#simple-log
# Enable full ISO-8601 timestamp in all logs.
#new-log-timestamp
# Set timestamp format (in strftime(1) format)
#new-log-timestamp-format "%FT%T%z"
# Disabled by default binding logging in verbose log mode to avoid DoS attacks.
# Enable binding logging and UDP endpoint logs in verbose log mode.
#log-binding
# Option to set the "redirection" mode. The value of this option
# will be the address of the alternate server for UDP & TCP service in the form of
# will be the address of the alternate server for UDP & TCP service in form of
# <ip>[:<port>]. The server will send this value in the attribute
# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
# Client will receive only values with the same address family
# as the client network endpoint address family.
# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
# as the client network endpoint address family.
# See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description.
# The client must use the obtained value for subsequent TURN communications.
# If more than one --alternate-server option is provided, then the functionality
# can be more accurately described as "load-balancing" than a mere "redirection".
# If the port number is omitted, then the default port
# If more than one --alternate-server options are provided, then the functionality
# can be more accurately described as "load-balancing" than a mere "redirection".
# If the port number is omitted, then the default port
# number 3478 for the UDP/TCP protocols will be used.
# Colon (:) characters in IPv6 addresses may conflict with the syntax of
# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
# in square brackets in such resource identifiers, for example:
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
# Colon (:) characters in IPv6 addresses may conflict with the syntax of
# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
# in square brackets in such resource identifiers, for example:
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
# Multiple alternate servers can be set. They will be used in the
# round-robin manner. All servers in the pool are considered of equal weight and
# the load will be distributed equally. For example, if you have 4 alternate servers,
# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
# address can be used more than one time with the alternate-server option, so this
# round-robin manner. All servers in the pool are considered of equal weight and
# the load will be distributed equally. For example, if we have 4 alternate servers,
# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
# address can be used more than one time with the alternate-server option, so this
# can emulate "weighting" of the servers.
#
# Examples:
# Examples:
#alternate-server=1.2.3.4:5678
#alternate-server=11.22.33.44:56789
#alternate-server=5.6.7.8
#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
# Option to set alternative server for TLS & DTLS services in form of
# <ip>:<port>. If the port number is omitted, then the default port
# number 5349 for the TLS/DTLS protocols will be used. See the previous
# Option to set alternative server for TLS & DTLS services in form of
# <ip>:<port>. If the port number is omitted, then the default port
# number 5349 for the TLS/DTLS protocols will be used. See the previous
# option for the functionality description.
#
# Examples:
# Examples:
#tls-alternate-server=1.2.3.4:5678
#tls-alternate-server=11.22.33.44:56789
#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
@ -592,15 +559,6 @@ syslog
#
#stun-only
# Option to hide software version. Enhance security when used in production.
# Revealing the specific software version of the agent through the
# SOFTWARE attribute might allow them to become more vulnerable to
# attacks against software that is known to contain security holes.
# Implementers SHOULD make usage of the SOFTWARE attribute a
# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
#
#no-software-attribute
# Option to suppress STUN functionality, only TURN requests will be processed.
# Run as TURN server only, all STUN requests will be ignored.
# By default, this option is NOT set.
@ -609,7 +567,7 @@ syslog
# This is the timestamp/username separator symbol (character) in TURN REST API.
# The default value is ':'.
# rest-api-separator=:
# rest-api-separator=:
# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
# This is an extra security measure.
@ -617,9 +575,9 @@ syslog
# (To avoid any security issue that allowing loopback access may raise,
# the no-loopback-peers option is replaced by allow-loopback-peers.)
#
# Allow it only for testing in a development environment!
# In production it adds a possible security vulnerability, so for security reasons
# it is not allowed using it together with empty cli-password.
# Allow it only for testing in a development environment!
# In production it adds a possible security vulnerability, so for security reasons
# it is not allowed using it together with empty cli-password.
#
#allow-loopback-peers
@ -628,18 +586,18 @@ syslog
#
no-multicast-peers
# Option to set the max time, in seconds, allowed for full allocation establishment.
# Option to set the max time, in seconds, allowed for full allocation establishment.
# Default is 60 seconds.
#
#max-allocate-timeout=60
# Option to allow or ban specific ip addresses or ranges of ip addresses.
# If an ip address is specified as both allowed and denied, then the ip address is
# considered to be allowed. This is useful when you wish to ban a range of ip
# Option to allow or ban specific ip addresses or ranges of ip addresses.
# If an ip address is specified as both allowed and denied, then the ip address is
# considered to be allowed. This is useful when you wish to ban a range of ip
# addresses, except for a few specific ips within that range.
#
# This can be used when you do not want users of the turn server to be able to access
# machines reachable by the turn server, but would otherwise be unreachable from the
# machines reachable by the turn server, but would otherwise be unreachable from the
# internet (e.g. when the turn server is sitting behind a NAT)
#
# Examples:
@ -661,22 +619,22 @@ no-multicast-peers
#
mobility
# Allocate Address Family according
# If enabled then TURN server allocates address family according the TURN
# Allocate Address Family according
# If enabled then TURN server allocates address family according the TURN
# Client <=> Server communication address family.
# (By default Coturn works according RFC 6156.)
# (By default coTURN works according RFC 6156.)
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
#
#keep-address-family
# User name to run the process. After the initialization, the turnserver process
# will attempt to change the current user ID to that user.
# will make an attempt to change the current user ID to that user.
#
#proc-user=<user-name>
# Group name to run the process. After the initialization, the turnserver process
# will attempt to change the current group ID to that group.
# will make an attempt to change the current group ID to that group.
#
#proc-group=<group-name>
@ -696,8 +654,8 @@ mobility
#cli-port=5766
# CLI access password. Default is empty (no password).
# For the security reasons, it is recommended that you use the encrypted
# form of the password (see the -P command in the turnadmin utility).
# For the security reasons, it is recommended to use the encrypted
# for of the password (see the -P command in the turnadmin utility).
#
# Secure form for password 'qwerty':
#
@ -726,14 +684,10 @@ mobility
#
#web-admin-listen-on-workers
#acme-redirect=http://redirectserver/.well-known/acme-challenge/
# Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '<URL>$1'.
# Default is '', i.e. no special handling for such requests.
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
# Only for those applications when you want to run
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
# Only for those applications when we want to run
# server applications on the relay endpoints.
# This option eliminates the IP permissions check on
# This option eliminates the IP permissions check on
# the packets incoming to the relay endpoints.
#
#server-relay
@ -749,6 +703,6 @@ mobility
# Do not allow an TLS/DTLS version of protocol
#
#no-tlsv1
#no-tlsv1_1
#no-tlsv1_2
no-tlsv1
no-tlsv1_1
no-tlsv1_2

10
roles/dhcpd/templates/default/isc-dhcp-server.j2
View File

@ -3,12 +3,10 @@
#
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
#DHCPD_CONF=/etc/dhcp/dhcpd.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
#DHCPD_PID=/var/run/dhcpd.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
@ -16,6 +14,4 @@
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="{{ ansible_default_ipv4['interface'] }}"
INTERFACESv6=""
INTERFACES="{{ ansible_default_ipv4['interface'] }}"
INTERFACES="eth0"

134
roles/dhcpd/templates/dhcp/dhcpd.conf.j2
View File

@ -3,24 +3,13 @@
# option definitions common to all supported networks...
option domain-name "binary.kitchen";
option domain-name-servers {{ name_servers | join(', ') }};
option domain-search "binary.kitchen";
option ntp-servers 172.23.1.60, 172.23.2.3;
# options related to Mitel SIP-DECT
option space sipdect;
option local-encapsulation code 43 = encapsulate sipdect;
option sipdect.ommip1 code 10 = ip-address;
option sipdect.ommip2 code 19 = ip-address;
option sipdect.syslogip code 14 = ip-address;
option sipdect.syslogport code 15 = integer 16;
option magic_str code 224 = text;
default-lease-time 7200;
max-lease-time 28800;
# Use this to enble / disable dynamic dns updates globally.
ddns-update-style interim;
ddns-updates on;
ddns-update-style none;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
@ -72,8 +61,6 @@ subnet 172.23.2.0 netmask 255.255.255.0 {
# Users
subnet 172.23.3.0 netmask 255.255.255.0 {
option routers 172.23.3.1;
ddns-domainname "users.binary.kitchen";
option domain-search "binary.kitchen", "users.binary.kitchen";
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
@ -93,47 +80,6 @@ subnet 172.23.4.0 netmask 255.255.255.0 {
}
}
# Management Auweg
subnet 172.23.12.0 netmask 255.255.255.0 {
option routers 172.23.12.1;
}
# Services Auweg
subnet 172.23.13.0 netmask 255.255.255.0 {
allow bootp;
option routers 172.23.13.1;
}
# Users Auweg
subnet 172.23.14.0 netmask 255.255.255.0 {
option routers 172.23.14.1;
ddns-domainname "users.binary.kitchen";
option domain-search "binary.kitchen", "users.binary.kitchen";
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.14.10 172.23.14.230;
}
}
# MQTT Auweg
subnet 172.23.15.0 netmask 255.255.255.0 {
option routers 172.23.15.1;
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
{% endif %}
range 172.23.15.10 172.23.15.240;
}
}
# DDNS zones
zone users.binary.kitchen {
primary {{ dns_primary }};
}
# Fixed IPs
@ -152,44 +98,34 @@ host ap05 {
fixed-address ap05.binary.kitchen;
}
host ap06 {
hardware ethernet 94:b4:0f:c0:1d:a0;
fixed-address ap06.binary.kitchen;
}
host ap11 {
hardware ethernet 18:64:72:c6:c2:0c;
fixed-address ap11.binary.kitchen;
}
host ap12 {
hardware ethernet 18:64:72:c6:c4:98;
fixed-address ap12.binary.kitchen;
}
host bowle {
hardware ethernet ac:1f:6b:25:16:b6;
fixed-address bowle.binary.kitchen;
}
host cannelloni {
hardware ethernet b8:27:eb:18:5c:11;
hardware ethernet 00:10:f3:15:88:ac;
fixed-address cannelloni.binary.kitchen;
}
host cashdesk {
hardware ethernet 00:0b:ca:94:13:f1;
fixed-address cashdesk.binary.kitchen;
}
host fusilli {
hardware ethernet b8:27:eb:1d:b9:bf;
fixed-address fusilli.binary.kitchen;
}
host habdisplay1 {
hardware ethernet b8:27:eb:b6:62:be;
fixed-address habdisplay1.mqtt.binary.kitchen;
host garlic {
hardware ethernet b8:27:eb:56:2b:7c;
fixed-address garlic.binary.kitchen;
}
host habdisplay2 {
hardware ethernet b8:27:eb:df:0b:7b;
fixed-address habdisplay2.mqtt.binary.kitchen;
host homer {
hardware ethernet b8:27:eb:24:b2:12;
fixed-address homer.binary.kitchen;
}
host klopi {
@ -203,7 +139,7 @@ host lock {
}
host maccaroni {
hardware ethernet b8:27:eb:f5:9e:a1;
hardware ethernet b8:27:eb:18:5c:11;
fixed-address maccaroni.binary.kitchen;
}
@ -223,22 +159,22 @@ host mpcnc {
}
host noodlehub {
hardware ethernet b8:27:eb:56:2b:7c;
hardware ethernet b8:27:eb:eb:e5:88;
fixed-address noodlehub.binary.kitchen;
}
host openhabgw1 {
hardware ethernet dc:a6:32:bf:e2:3e;
fixed-address openhabgw1.mqtt.binary.kitchen;
}
host pizza {
hardware ethernet 52:54:00:17:02:21;
fixed-address pizza.binary.kitchen;
}
host punsch {
hardware ethernet 00:21:85:1b:7f:3d;
fixed-address punsch.binary.kitchen;
}
host spaghetti {
hardware ethernet b8:27:eb:eb:e5:88;
hardware ethernet b8:27:eb:e3:e9:f1;
fixed-address spaghetti.binary.kitchen;
}
@ -281,34 +217,6 @@ host voip04 {
}
# Mitel SIP-DECT
host rfp01 {
hardware ethernet 00:30:42:1B:73:5A;
fixed-address 172.23.1.111;
option host-name "rfp01";
option sipdect.ommip1 172.23.2.35;
option magic_str = "OpenMobilitySIP-DECT";
}
host rfp02 {
hardware ethernet 00:30:42:21:D4:D5;
fixed-address 172.23.1.112;
option host-name "rfp02";
option sipdect.ommip1 172.23.2.35;
option magic_str = "OpenMobilitySIP-DECT";
}
host rfp11 {
hardware ethernet 00:30:42:1B:8B:9B;
fixed-address 172.23.12.111;
option host-name "rfp11";
option sipdect.ommip1 172.23.2.35;
option magic_str = "OpenMobilitySIP-DECT";
}
# OMAPI
omapi-port 7911;

10
roles/dns_extern/tasks/main.yml
View File

@ -5,21 +5,11 @@
name:
- pdns-server
- pdns-backend-sqlite3
- sqlite3
- name: Configure powerdns
template: src=pdns.conf.j2 dest=/etc/powerdns/pdns.conf
notify: Restart powerdns
- name: Initialize database
command:
cmd: >
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
/var/lib/powerdns/powerdns.sqlite3
creates: /var/lib/powerdns/powerdns.sqlite3
become: true
become_user: pdns
- name: Copy update policy script
copy: src=updatepolicy.lua dest=/etc/powerdns/updatepolicy.lua
notify: Restart powerdns

1
roles/dns_extern/templates/pdns.conf.j2
View File

@ -11,4 +11,3 @@ allow-axfr-ips=127.0.0.1,::1{% if dns_axfr_ips is defined %},{{ dns_axfr_ips | j
{% endif %}
allow-dnsupdate-from=0.0.0.0/0,::/0
lua-dnsupdate-policy-script=/etc/powerdns/updatepolicy.lua
security-poll-suffix=

3
roles/dns_intern/handlers/main.yml
View File

@ -5,6 +5,3 @@
with_items:
- pdns
- pdns-recursor
- name: Restart dnsdist
service: name=dnsdist state=restarted

23
roles/dns_intern/tasks/main.yml
View File

@ -3,11 +3,8 @@
- name: Install powerdns
apt:
name:
- dnsdist
- pdns-backend-sqlite3
- pdns-server
- pdns-recursor
- sqlite3
- name: Create zone directory
file: path=/etc/powerdns/bind/ state=directory
@ -22,28 +19,8 @@
- bind/23.172.in-addr.arpa.zone
- bind/binary.kitchen.zone
- name: Initialize database
command:
cmd: >
sqlite3 -init /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
/var/lib/powerdns/pdns.sqlite3
creates: /var/lib/powerdns/pdns.sqlite3
become: true
become_user: pdns
# TODO
# Initialize zone users.binary.kitchen using pdnsutil or SQL on the master
# TODO
# Initialize zone users.binary.kitchen using "pdnsutil create-slave-zone users.binary.kitchen 172.23.2.3" on the slave
- name: Configure dnsdist
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
notify: Restart dnsdist
- name: Start the powerdns services
service: name={{ item }} state=started enabled=yes
with_items:
- dnsdist
- pdns
- pdns-recursor

62
roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2
View File

@ -1,55 +1,52 @@
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
$TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2022071600; serial
@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
2020051101; serial
1d; refresh
2h; retry
4w; expire
1h; minimum time-to-live
)
IN NS ns1.binary.kitchen.
IN NS ns2.binary.kitchen.
IN NS ns.binary.kitchen.
; Loopback
1.0 IN PTR core.binary.kitchen.
2.0 IN PTR erx-bk.binary.kitchen.
3.0 IN PTR erx-rz.binary.kitchen.
4.0 IN PTR erx-auweg.binary.kitchen.
4.0 IN PTR pf-bk.binary.kitchen.
5.0 IN PTR pf-rz.binary.kitchen.
; Management
1.1 IN PTR v2301.core.binary.kitchen.
11.1 IN PTR ups1.binary.kitchen.
21.1 IN PTR pdu1.binary.kitchen.
22.1 IN PTR pdu2.binary.kitchen.
23.1 IN PTR pdu3.binary.kitchen.
31.1 IN PTR sw-butchery.binary.kitchen.
32.1 IN PTR sw-mini.binary.kitchen.
33.1 IN PTR sw-rack.binary.kitchen.
31.1 IN PTR sw01.binary.kitchen.
32.1 IN PTR sw02.binary.kitchen.
33.1 IN PTR sw03.binary.kitchen.
41.1 IN PTR ap01.binary.kitchen.
42.1 IN PTR ap02.binary.kitchen.
43.1 IN PTR ap03.binary.kitchen.
44.1 IN PTR ap04.binary.kitchen.
45.1 IN PTR ap05.binary.kitchen.
46.1 IN PTR ap06.binary.kitchen.
51.1 IN PTR modem.binary.kitchen.
60.1 IN PTR wurst.binary.kitchen.
80.1 IN PTR wurst-bmc.binary.kitchen.
82.1 IN PTR bowle-bmc.binary.kitchen.
101.1 IN PTR nbe-w13b.binary.kitchen.
102.1 IN PTR nbe-tr8.binary.kitchen.
111.1 IN PTR rfp01.binary.kitchen.
112.1 IN PTR rfp02.binary.kitchen.
; Services
1.2 IN PTR v2302.core.binary.kitchen.
2.2 IN PTR ns.binary.kitchen.
3.2 IN PTR bacon.binary.kitchen.
4.2 IN PTR aveta.binary.kitchen.
5.2 IN PTR sulis.binary.kitchen.
6.2 IN PTR nabia.binary.kitchen.
7.2 IN PTR epona.binary.kitchen.
11.2 IN PTR homer.binary.kitchen.
12.2 IN PTR lock.binary.kitchen.
13.2 IN PTR matrix.binary.kitchen.
33.2 IN PTR pizza.binary.kitchen.
34.2 IN PTR pancake.binary.kitchen.
35.2 IN PTR knoedel.binary.kitchen.
36.2 IN PTR schweinshaxn.binary.kitchen.
37.2 IN PTR bob.binary.kitchen.
44.2 IN PTR cashdesk.binary.kitchen.
62.2 IN PTR bowle.binary.kitchen.
91.2 IN PTR strammermax.binary.kitchen.
92.2 IN PTR obatzda.binary.kitchen.
@ -59,47 +56,32 @@ $GENERATE 10-230 $.3 IN PTR dhcp-${0,3,d}-03.binary.kitchen.
240.3 IN PTR fusilli.binary.kitchen.
241.3 IN PTR klopi.binary.kitchen.
242.3 IN PTR mpcnc.binary.kitchen.
243.3 IN PTR garlic.binary.kitchen.
244.3 IN PTR mirror.binary.kitchen.
245.3 IN PTR spaghetti.binary.kitchen.
246.3 IN PTR maccaroni.binary.kitchen.
247.3 IN PTR pve02-bmc.tmp.binary.kitchen.
248.3 IN PTR pve02.tmp.binary.kitchen.
249.3 IN PTR ffrgb.binary.kitchen.
250.3 IN PTR cannelloni.binary.kitchen.
251.3 IN PTR noodlehub.binary.kitchen.
; MQTT
1.4 IN PTR v2304.core.binary.kitchen.
6.4 IN PTR pizza.mqtt.binary.kitchen.
$GENERATE 10-240 $.4 IN PTR dhcp-${0,3,d}-04.binary.kitchen.
241.4 IN PTR habdisplay1.mqtt.binary.kitchen.
242.4 IN PTR habdisplay2.mqtt.binary.kitchen.
245.4 IN PTR logo1.mqtt.binary.kitchen.
246.4 IN PTR logo2.mqtt.binary.kitchen.
250.4 IN PTR moodlights1.mqtt.binary.kitchen.
251.4 IN PTR openhabgw1.mqtt.binary.kitchen.
252.4 IN PTR homematic-ccu2.mqtt.binary.kitchen.
; Management RZ
1.9 IN PTR switch0.erx-rz.binary.kitchen.
61.9 IN PTR salat.binary.kitchen.
81.9 IN PTR salat-bmc.binary.kitchen.
; Services RZ
23.8 IN PTR cernunnos.binary.kitchen.
; VPN RZ (ER-X)
1.10 IN PTR wg0.erx-rz.binary.kitchen.
1.10 IN PTR wg1.erx-rz.binary.kitchen.
$GENERATE 2-254 $.10 IN PTR vpn-${0,3,d}-10.binary.kitchen.
; Management Auweg
31.12 IN PTR sw-auweg.binary.kitchen.
41.12 IN PTR ap11.binary.kitchen.
42.12 IN PTR ap12.binary.kitchen.
61.12 IN PTR weizen.binary.kitchen.
111.12 IN PTR rfp11.binary.kitchen.
; Services Auweg
3.13 IN PTR aeron.binary.kitchen.
12.13 IN PTR lock-auweg.binary.kitchen.
; Clients Auweg
$GENERATE 10-230 $.14 IN PTR dhcp-${0,3,d}-14.binary.kitchen.
; MQTT
$GENERATE 10-240 $.15 IN PTR dhcp-${0,3,d}-15.binary.kitchen.
; VPN RZ (pf)
$GENERATE 2-254 $.11 IN PTR vpn-${0,3,d}-11.binary.kitchen.
; Point-to-Point
1.96 IN PTR v400.erx-bk.binary.kitchen.
2.96 IN PTR v400.core.binary.kitchen.
1.97 IN PTR wg1.erx-rz.binary.kitchen.
2.97 IN PTR wg1.erx-bk.binary.kitchen.
5.97 IN PTR wg2.erx-rz.binary.kitchen.
6.97 IN PTR wg2.erx-auweg.binary.kitchen.
1.97 IN PTR wg0.erx-rz.binary.kitchen.
2.97 IN PTR wg0.erx-bk.binary.kitchen.

71
roles/dns_intern/templates/bind/binary.kitchen.zone.j2
View File

@ -1,35 +1,25 @@
$ORIGIN binary.kitchen ; base for unqualified names
$TTL 1h ; default time-to-live
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2022071600; serial
@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
2020051101; serial
1d; refresh
2h; retry
4w; expire
1h; minimum time-to-live
)
IN NS ns1.binary.kitchen.
IN NS ns2.binary.kitchen.
; Subdomains
users IN NS ns1.binary.kitchen.
users IN NS ns2.binary.kitchen.
IN NS ns.binary.kitchen.
; External
IN A 213.166.246.4
www IN A 213.166.246.4
; Aliases
3dprinter IN A 172.23.3.251
icinga IN A 172.23.2.6
ldap IN A 172.23.2.3
ldap IN A 172.23.2.4
ldap IN A 213.166.246.2
ldap1 IN A 172.23.2.3
ldap2 IN A 172.23.2.4
ldap3 IN A 172.23.13.3
ldapm IN A 213.166.246.2
librenms IN A 172.23.2.6
netbox IN A 172.23.2.7
ns1 IN A 172.23.2.3
ns2 IN A 172.23.2.4
omm IN A 172.23.2.35
racktables IN A 172.23.2.6
radius IN A 172.23.2.3
radius IN A 172.23.2.4
@ -37,43 +27,41 @@ radius IN A 172.23.2.4
core IN A 172.23.0.1
erx-bk IN A 172.23.0.2
erx-rz IN A 172.23.0.3
erx-auweg IN A 172.23.0.4
pf-bk IN A 172.23.0.4
pf-rz IN A 172.23.0.5
; Management
v2301.core IN A 172.23.1.1
ups1 IN A 172.23.1.11
pdu1 IN A 172.23.1.21
pdu2 IN A 172.23.1.22
pdu3 IN A 172.23.1.23
sw-butchery IN A 172.23.1.31
sw-mini IN A 172.23.1.32
sw-rack IN A 172.23.1.33
sw01 IN A 172.23.1.31
sw02 IN A 172.23.1.32
sw03 IN A 172.23.1.33
ap01 IN A 172.23.1.41
ap02 IN A 172.23.1.42
ap03 IN A 172.23.1.43
ap04 IN A 172.23.1.44
ap05 IN A 172.23.1.45
ap06 IN A 172.23.1.46
modem IN A 172.23.1.51
wurst IN A 172.23.1.60
wurst-bmc IN A 172.23.1.80
bowle-bmc IN A 172.23.1.82
nbe-w13b IN A 172.23.1.101
nbe-tr8 IN A 172.23.1.102
rfp01 IN A 172.23.1.111
rfp02 IN A 172.23.1.112
; Services
v2302.core IN A 172.23.2.1
ns IN A 172.23.2.2
bacon IN A 172.23.2.3
aveta IN A 172.23.2.4
sulis IN A 172.23.2.5
nabia IN A 172.23.2.6
epona IN A 172.23.2.7
homer IN A 172.23.2.11
lock IN A 172.23.2.12
matrix IN A 172.23.2.13
pizza IN A 172.23.2.33
pancake IN A 172.23.2.34
knoedel IN A 172.23.2.35
schweinshaxn IN A 172.23.2.36
bob IN A 172.23.2.37
cashdesk IN A 172.23.2.44
bowle IN A 172.23.2.62
strammermax IN A 172.23.2.91
obatzda IN A 172.23.2.92
@ -83,47 +71,32 @@ $GENERATE 10-230 dhcp-${0,3,d}-03 IN A 172.23.3.$
fusilli IN A 172.23.3.240
klopi IN A 172.23.3.241
mpcnc IN A 172.23.3.242
garlic IN A 172.23.3.243
mirror IN A 172.23.3.244
spaghetti IN A 172.23.3.245
maccaroni IN A 172.23.3.246
pve02-bmc.tmp IN A 172.23.3.247
pve02.tmp IN A 172.23.3.248
ffrgb IN A 172.23.3.249
cannelloni IN A 172.23.3.250
noodlehub IN A 172.23.3.251
; MQTT
v2304.core IN A 172.23.4.1
pizza.mqtt IN A 172.23.4.6
$GENERATE 10-240 dhcp-${0,3,d}-04 IN A 172.23.4.$
habdisplay1.mqtt IN A 172.23.4.241
habdisplay2.mqtt IN A 172.23.4.242
logo1.mqtt IN A 172.23.4.245
logo2.mqtt IN A 172.23.4.246
moodlights1.mqtt IN A 172.23.4.250
openhabgw1.mqtt IN A 172.23.4.251
homematic-ccu2.mqtt IN A 172.23.4.252
; Management RZ
switch0.erx-rz IN A 172.23.9.1
salat IN A 172.23.9.61
salat-bmc IN A 172.23.9.81
; Services RZ
; Management Auweg
sw-auweg IN A 172.23.12.31
ap11 IN A 172.23.12.41
ap12 IN A 172.23.12.42
weizen IN A 172.23.12.61
rfp11 IN A 172.23.12.111
; Services Auweg
aeron IN A 172.23.13.3
lock-auweg IN A 172.23.13.12
; Clients Auweg
$GENERATE 10-230 dhcp-${0,3,d}-14 IN A 172.23.14.$
; MQTT Auweg
$GENERATE 10-240 dhcp-${0,3,d}-15 IN A 172.23.15.$
cernunnos IN A 172.23.8.23
; VPN RZ (ER-X)
wg0.erx-rz IN A 172.23.10.1
wg1.erx-rz IN A 172.23.10.1
$GENERATE 2-254 vpn-${0,3,d}-10 IN A 172.23.10.$
; VPN RZ (pf)
$GENERATE 2-254 vpn-${0,3,d}-11 IN A 172.23.11.$
; Point-to-Point
v400.erx-bk IN A 172.23.96.1
v400.core IN A 172.23.96.2
wg1.erx-rz IN A 172.23.97.1
wg1.erx-bk IN A 172.23.97.2
wg2.erx-rz IN A 172.23.97.5
wg2.erx-auweg IN A 172.23.97.6
wg0.erx-rz IN A 172.23.97.1
wg0.erx-bk IN A 172.23.97.2

27
roles/dns_intern/templates/dnsdist.conf.j2
View File

@ -1,27 +0,0 @@
-- {{ ansible_managed }}
setLocal('127.0.0.1')
addLocal('::1')
addLocal('{{ ansible_default_ipv4.address }}')
-- define downstream servers/pools
newServer({address='127.0.0.1:5300', pool='authdns'})
newServer({address='127.0.0.1:5353', pool='resolve'})
{% if dns_secondary is defined %}
-- allow AXFR/IXFR only from slaves
addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
{% endif %}
-- allow NOTIFY only from master
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
-- use auth servers for own zones
addAction('binary.kitchen', PoolAction('authdns'))
addAction('23.172.in-addr.arpa', PoolAction('authdns'))
-- use resolver for anything else
addAction(AllRule(), PoolAction('resolve'))
-- disable security status polling via DNS
setSecurityPollSuffix('')

68
roles/dns_intern/templates/pdns.conf.j2
View File

@ -1,96 +1,46 @@
# {{ ansible_managed }}
{% if ansible_default_ipv4.address == dns_primary %}
#################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
#
# allow-dnsupdate-from=127.0.0.0/8,::1
allow-dnsupdate-from=127.0.0.0/8,::1,{{ dhcpd_primary }}{% if dhcpd_secondary is defined %},{{ dhcpd_secondary }}{% endif %}
#################################
# dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
#
# dnsupdate=no
dnsupdate=yes
{% endif %}
#################################
# launch Which backends to launch and order to query them in
# launch Which backends to launch and order to query them in
#
# launch=
launch=bind,gsqlite3
launch=bind
#################################
# local-address Local IP addresses to which we bind
# local-address Local IP addresses to which we bind
#
# local-address=0.0.0.0
local-address=127.0.0.1
#################################
# local-ipv6 Local IP address to which we bind
# local-ipv6 Local IP address to which we bind
#
# local-ipv6=::
local-ipv6=
#################################
# local-port The port on which we listen
# local-port The port on which we listen
#
# local-port=53
local-port=5300
{% if ansible_default_ipv4.address == dns_primary %}
#################################
# master Act as a master
#
# master=no
master=yes
{% if dns_secondary is defined %}
#################################
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
#
# only-notify=0.0.0.0/0,::/0
only-notify={{ dns_secondary }}
{% endif %}
{% endif %}
#################################
# security-poll-suffix Domain name from which to query security update notifications
# security-poll-suffix Domain name from which to query security update notifications
#
# security-poll-suffix=secpoll.powerdns.com.
security-poll-suffix=
#################################
# setgid If set, change group id to this gid for more security
# setgid If set, change group id to this gid for more security
#
setgid=pdns
#################################
# setuid If set, change user id to this uid for more security
# setuid If set, change user id to this uid for more security
#
setuid=pdns
{% if dns_secondary is defined and ansible_default_ipv4.address == dns_secondary %}
#################################
# slave Act as a slave
#
# slave=no
slave=yes
#################################
# trusted-notification-proxy IP address of incoming notification proxy
#
# trusted-notification-proxy=
trusted-notification-proxy=127.0.0.1,::1
{% endif %}
#################################
# bind-config Location of named.conf
# bind-config Location of the Bind configuration file to parse.
#
bind-config=/etc/powerdns/bindbackend.conf
#################################
# gsqlite3-database Filename of the SQLite3 database
#
# gsqlite3-database=
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3

32
roles/dns_intern/templates/recursor.conf.j2
View File

@ -1,55 +1,61 @@
# {{ ansible_managed }}
#################################
# allow-from If set, only allow these comma separated netmasks to recurse
# allow-from If set, only allow these comma separated netmasks to recurse
#
# allow-from=127.0.0.0/8
#allow-from=127.0.0.0/8
#################################
# config-dir Location of configuration directory (recursor.conf)
# config-dir Location of configuration directory (recursor.conf)
#
config-dir=/etc/powerdns
#################################
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
#
# dnssec=process-no-validate
dnssec=off
#################################
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
#
local-address=127.0.0.1
# forward-zones=
forward-zones=binary.kitchen=127.0.0.1:5300,23.172.in-addr.arpa=127.0.0.1:5300
#################################
# local-port port to listen on
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
#
local-port=5353
local-address=127.0.0.1,{{ ansible_default_ipv4.address }}
#################################
# query-local-address6 Source IPv6 address for sending queries. IF UNSET, IPv6 WILL NOT BE USED FOR OUTGOING QUERIES
# local-port port to listen on
#
local-port=53
#################################
# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
#
{% if global_ipv6 is defined %}
query-local-address6={{ global_ipv6 | ipaddr('address') }}
{% endif %}
#################################
# quiet Suppress logging of questions and answers
# quiet Suppress logging of questions and answers
#
quiet=yes
#################################
# security-poll-suffix Domain name from which to query security update notifications
# security-poll-suffix Domain name from which to query security update notifications
#
# security-poll-suffix=secpoll.powerdns.com.
security-poll-suffix=
#################################
# setgid If set, change group id to this gid for more security
# setgid If set, change group id to this gid for more security
#
setgid=pdns
#################################
# setuid If set, change user id to this uid for more security
# setuid If set, change user id to this uid for more security
#
setuid=pdns

4
roles/docker/tasks/main.yml
View File

@ -5,7 +5,7 @@
- name: Enable docker repository
apt_repository:
repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
repo: 'deb https://download.docker.com/linux/debian buster stable'
filename: docker
- name: Install docker
@ -14,4 +14,4 @@
- docker-ce
- docker-ce-cli
- containerd.io
- python3-docker
- python-docker

7
roles/drone/tasks/main.yml
View File

@ -14,7 +14,7 @@
apt:
name:
- postgresql
- python3-psycopg2
- python-psycopg2
- name: Configure PostgreSQL database
postgresql_db: name={{ drone_dbname }}
@ -50,8 +50,3 @@
- name: Enable drone
service: name=drone enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ drone_domain }}"

1
roles/drone_runner/tasks/main.yml
View File

@ -14,7 +14,6 @@
DRONE_UI_PASSWORD: "{{ drone_uipass }}"
ports:
- "3000:3000"
pull: yes
restart_policy: unless-stopped
state: started
volumes:

7
roles/fileserver/handlers/main.yml
View File

@ -1,7 +0,0 @@
---
- name: Reload nfs-server
service: name=nfs-server state=reloaded
- name: Reload smbd
service: name=smbd state=reloaded

30
roles/fileserver/tasks/main.yml
View File

@ -1,30 +0,0 @@
---
# TODO also enable contrib for $release-security
- name: Enable contrib repositories
apt_repository:
repo: deb http://deb.debian.org/debian {{ ansible_distribution_release }} contrib
- name: Install zfs-dkms
apt:
name: zfs-dkms
# creating the ZFS pool is not part of this role
- name: Install NFS and samba
apt:
name:
- nfs-kernel-server
- samba
- name: Configure NFS
template:
src: exports.j2
dest: /etc/exports
notify: Reload nfs-server
- name: Configure samba
template:
src: smb.conf.j2
dest: /etc/samba/smb.conf
notify: Reload smbd

4
roles/fileserver/templates/exports.j2
View File

@ -1,4 +0,0 @@
# {{ ansible_managed }}
{% for item in nfs_exports %}
{{ item }}
{% endfor %}

244
roles/fileserver/templates/smb.conf.j2
View File

@ -1,244 +0,0 @@
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
# - When such options are commented with ";", the proposed setting
# differs from the default Samba behaviour
# - When commented with "#", the proposed setting is the default
# behaviour of Samba but the option is considered important
# enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#======================= Global Settings =======================
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = WORKGROUP
#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0
# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Cap the size of the individual log files (in KiB).
max log size = 1000
# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
# Append syslog@1 if you want important messages to be sent to syslog too.
logging = file
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
obey pam restrictions = yes
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes
# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user
########## Domains ###########
#
# The following settings only takes effect if 'server role = classic
# primary domain controller', 'server role = classic backup domain controller'
# or 'domain logons' is set
#
# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
; logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
# logon path = \\%N\%U\profile
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
; logon drive = H:
# logon home = \\%N\%U
# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
; logon script = logon.cmd
# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe.
# The following assumes a "machines" group exists on the system
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.
; add group script = /usr/sbin/addgroup --force-badname %g
############ Misc ############
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m
# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
; idmap config * : backend = tdb
; idmap config * : range = 3000-7999
; idmap config YOURDOMAINHERE : backend = tdb
; idmap config YOURDOMAINHERE : range = 100000-999999
; template shell = /bin/bash
# Setup usershare options to enable non-root users to share folders
# with the net usershare command.
# Maximum number of usershare. 0 means that usershare is disabled.
# usershare max shares = 100
# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = yes
#======================= Share Definitions =======================
;[homes]
; comment = Home Directories
; browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
; read only = yes
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
; create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
; directory mask = 0700
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
; valid users = %S
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes
# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700
;[printers]
; comment = All Printers
; browseable = no
; path = /var/spool/samba
; printable = yes
; guest ok = no
; read only = yes
; create mask = 0700
# Windows clients look for this share name as a source of downloadable
# printer drivers
;[print$]
; comment = Printer Drivers
; path = /var/lib/samba/printers
; browseable = yes
; read only = yes
; guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadmin
# Binary Kitchen public share
[tank]
path = /exports/tank
browseable = yes
read only = no
guest ok = yes
create mask = 0600
directory mask = 0700

6
roles/gitea/defaults/main.yml
View File

@ -3,6 +3,6 @@
gitea_user: gogs
gitea_group: gogs
gitea_checksum: sha256:bc4a8e1f5d5f64d4be2e50c387de08d07c062aecdba2f742c2f61c20accfcc46
gitea_version: 1.17.0
gitea_url: https://github.com/go-gitea/gitea/releases/download/v{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64
gitea_checksum: sha256:74417bc8e950b685de79c3a39655029f28d27c99e94adbe83c0ec22325d8771f
gitea_version: 1.12.6
gitea_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64

10
roles/gitea/tasks/main.yml
View File

@ -30,7 +30,7 @@
apt:
name:
- postgresql
- python3-psycopg2
- python-psycopg2
- name: Configure PostgreSQL database
postgresql_db: name={{ gitea_dbname }}
@ -50,9 +50,6 @@
template: src=certs.j2 dest=/etc/acertmgr/{{ gitea_domain }}.conf
notify: Run acertmgr
- name: Configure robots.txt for gitea
template: src=robots.txt.j2 dest=/opt/gitea/custom/robots.txt owner={{ gitea_user }}
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/gitea
notify: Restart nginx
@ -63,8 +60,3 @@
- name: Enable gitea
service: name=gitea enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ gitea_domain }}"

7
roles/gitea/templates/app.ini.j2
View File

@ -43,10 +43,3 @@ LEVEL = warn
[oauth2]
JWT_SECRET = {{ gitea_jwt_secret }}
[cron]
ENABLED = true
[cron.archive_cleanup]
SCHEDULE = @midnight
OLDER_THAN = 168h

4
roles/gitea/templates/robots.txt.j2
View File

@ -1,4 +0,0 @@
User-agent: *
Disallow: /*/*/archive/*.bundle$
Disallow: /*/*/archive/*.tar.gz$
Disallow: /*/*/archive/*.zip$

4
roles/gitea/templates/vhost.j2
View File

@ -23,10 +23,6 @@ server {
ssl_certificate_key /etc/nginx/ssl/{{ gitea_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ gitea_domain }}.crt;
location /robots.txt {
alias /opt/gitea/custom/robots.txt;
}
location / {
client_max_body_size 1024M;
proxy_set_header X-Real-IP $remote_addr;

9
roles/grafana/tasks/main.yml
View File

@ -1,10 +1,10 @@
---
- name: Enable grafana apt-key
apt_key: url="https://packages.grafana.com/gpg.key"
apt_key: url='https://packages.grafana.com/gpg.key'
- name: Enable grafana repository
apt_repository: repo="deb https://packages.grafana.com/oss/deb stable main"
apt_repository: repo='deb https://packages.grafana.com/oss/deb stable main'
- name: Install grafana
apt: name=grafana
@ -34,8 +34,3 @@
- name: Start grafana
service: name=grafana-server state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ grafana_domain }}"

3
roles/grafana/templates/vhost.j2
View File

@ -25,8 +25,7 @@ server {
location / {
client_max_body_size 1024M;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:3000;
}
}

4
roles/hackmd/defaults/main.yml
View File

@ -1,4 +1,4 @@
---
hedgedoc_version: 1.9.3
hedgedoc_archive: https://github.com/hedgedoc/hedgedoc/archive/{{ hedgedoc_version }}.tar.gz
hackmd_version: 1.5.0
hackmd_archive: https://github.com/codimd/server/archive/{{ hackmd_version }}.tar.gz

4
roles/hackmd/handlers/main.yml
View File

@ -3,8 +3,8 @@
- name: Reload systemd
systemd: daemon_reload=yes
- name: Restart hedgedoc
service: name=hedgedoc state=restarted
- name: Restart hackmd
service: name=hackmd state=restarted
- name: Restart nginx
service: name=nginx state=restarted

91
roles/hackmd/tasks/main.yml
View File

@ -3,11 +3,14 @@
- name: Create user
user: name=hackmd
- name: Enable https for apt
apt: name=apt-transport-https
- name: Enable nodesource apt-key
apt_key: url="https://deb.nodesource.com/gpgkey/nodesource.gpg.key"
- name: Enable nodesource repository
apt_repository: repo="deb https://deb.nodesource.com/node_14.x/ {{ ansible_distribution_release }} main"
apt_repository: repo="deb https://deb.nodesource.com/node_8.x/ {{ ansible_distribution_release }} main"
- name: Enable yarnpkg apt-key
apt_key: url="https://dl.yarnpkg.com/debian/pubkey.gpg"
@ -31,80 +34,82 @@
- git
- nodejs
- postgresql
- python3-psycopg2
- python-psycopg2
- yarn
- name: Unpack hedgedoc
unarchive: src={{ hedgedoc_archive }} dest=/opt owner=hackmd group=hackmd remote_src=yes creates=/opt/hedgedoc-{{ hedgedoc_version }}
register: hedgedoc_unarchive
- name: Unpack hackmd
unarchive: src={{ hackmd_archive }} dest=/opt owner=hackmd group=hackmd remote_src=yes creates=/opt/codimd-{{ hackmd_version }}
register: hackmd_unarchive
- name: Create hedgedoc upload path
file: path=/opt/hedgedoc/uploads state=directory recurse=yes owner=hackmd group=hackmd
- name: Rename hackmd
command: mv /opt/server-{{ hackmd_version }} /opt/codimd-{{ hackmd_version }}
when: hackmd_unarchive.changed
- name: Remove old hedgedoc upload path
file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads state=absent force=yes
- name: Create hackmd upload path
file: path=/opt/codimd/uploads state=directory recurse=yes owner=hackmd group=hackmd
- name: Link hedgedoc upload path
file: path=/opt/hedgedoc-{{ hedgedoc_version }}/public/uploads src=/opt/hedgedoc/uploads state=link owner=hackmd group=hackmd
- name: Remove old hackmd upload path
file: path=/opt/codimd-{{ hackmd_version }}/public/uploads state=absent force=yes
- name: Setup hedgedoc
command: bin/setup chdir=/opt/hedgedoc-{{ hedgedoc_version }} creates=/opt/hedgedoc-{{ hedgedoc_version }}/config.json
- name: Link hackmd upload path
file: path=/opt/codimd-{{ hackmd_version }}/public/uploads src=/opt/codimd/uploads state=link owner=hackmd group=hackmd
- name: Setup hackmd
command: bin/setup chdir=/opt/codimd-{{ hackmd_version }} creates=/opt/codimd-{{ hackmd_version }}/config.json
become: true
become_user: hackmd
- name: Configure hedgedoc
template: src=config.json.j2 dest=/opt/hedgedoc-{{ hedgedoc_version }}/config.json owner=hackmd
register: hedgedoc_config
notify: Restart hedgedoc
- name: Configure hackmd
template: src=config.json.j2 dest=/opt/codimd-{{ hackmd_version }}/config.json owner=hackmd
register: hackmd_config
notify: Restart hackmd
- name: Install hedgedoc frontend deps
command: /usr/bin/yarn install chdir=/opt/hedgedoc-{{ hedgedoc_version }}
- name: Build hackmd frontend
command: /usr/bin/npm run build chdir=/opt/codimd-{{ hackmd_version }}
become: true
become_user: hackmd
when: hedgedoc_unarchive.changed or hedgedoc_config.changed
- name: Build hedgedoc frontend
command: /usr/bin/yarn build chdir=/opt/hedgedoc-{{ hedgedoc_version }}
become: true
become_user: hackmd
when: hedgedoc_unarchive.changed or hedgedoc_config.changed
when: hackmd_unarchive.changed or hackmd_config.changed
- name: Configure PostgreSQL database
postgresql_db: name={{ hedgedoc_dbname }}
postgresql_db: name={{ hackmd_dbname }}
become: true
become_user: postgres
- name: Configure PostgreSQL user
postgresql_user: db={{ hedgedoc_dbname }} name={{ hedgedoc_dbuser }} password={{ hedgedoc_dbpass }} priv=ALL state=present
postgresql_user: db={{ hackmd_dbname }} name={{ hackmd_dbuser }} password={{ hackmd_dbpass }} priv=ALL state=present
become: true
become_user: postgres
- name: Configure sequelize
template: src=_sequelizerc.j2 dest=/opt/codimd-{{ hackmd_version }}/.sequelizerc owner=hackmd
- name: Upgrade database schema
command: node_modules/.bin/sequelize db:migrate chdir=/opt/codimd-{{ hackmd_version }}
become: true
become_user: hackmd
when: hackmd_unarchive.changed or hackmd_config.changed
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hedgedoc_domain }}.key -out /etc/nginx/ssl/{{ hedgedoc_domain }}.crt -days 730 -subj "/CN={{ hedgedoc_domain }}" creates=/etc/nginx/ssl/{{ hedgedoc_domain }}.crt
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ hackmd_domain }}.key -out /etc/nginx/ssl/{{ hackmd_domain }}.crt -days 730 -subj "/CN={{ hackmd_domain }}" creates=/etc/nginx/ssl/{{ hackmd_domain }}.crt
notify: Restart nginx
- name: Configure certificate manager for hedgedoc
template: src=certs.j2 dest=/etc/acertmgr/{{ hedgedoc_domain }}.conf
- name: Configure certificate manager for hackmd
template: src=certs.j2 dest=/etc/acertmgr/{{ hackmd_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/hedgedoc
template: src=vhost.j2 dest=/etc/nginx/sites-available/hackmd
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/hedgedoc dest=/etc/nginx/sites-enabled/hedgedoc state=link
file: src=/etc/nginx/sites-available/hackmd dest=/etc/nginx/sites-enabled/hackmd state=link
notify: Restart nginx
- name: Systemd unit for hedgedoc
template: src=hedgedoc.service.j2 dest=/etc/systemd/system/hedgedoc.service
- name: Systemd unit for hackmd
template: src=hackmd.service.j2 dest=/etc/systemd/system/hackmd.service
notify:
- Reload systemd
- Restart hedgedoc
- Restart hackmd
- name: Start the hedgedoc service
service: name=hedgedoc state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ hedgedoc_domain }}"
- name: Start the hackmd service
service: name=hackmd state=started enabled=yes

8
roles/hackmd/templates/_sequelizerc.j2 Normal file
View File

@ -0,0 +1,8 @@
var path = require('path');
module.exports = {
'config': path.resolve('config.json'),
'migrations-path': path.resolve('lib', 'migrations'),
'models-path': path.resolve('lib', 'models'),
'url': 'postgres://{{ hackmd_dbuser }}:{{ hackmd_dbpass }}@localhost:5432/{{ hackmd_dbname }}'
}

6
roles/hackmd/templates/certs.j2
View File

@ -1,13 +1,13 @@
---
{{ hedgedoc_domain }}:
- path: /etc/nginx/ssl/{{ hedgedoc_domain }}.key
{{ hackmd_domain }}:
- path: /etc/nginx/ssl/{{ hackmd_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ hedgedoc_domain }}.crt
- path: /etc/nginx/ssl/{{ hackmd_domain }}.crt
user: root
group: root
perm: '400'

10
roles/hackmd/templates/config.json.j2
View File

@ -1,11 +1,11 @@
{
"production": {
"domain": "{{ hedgedoc_domain }}",
"domain": "{{ hackmd_domain }}",
"protocolUseSSL": true,
"allowAnonymous": false,
"allowAnonymousEdits": true,
"allowFreeURL": true,
"sessionSecret": "{{ hedgedoc_secret }}",
"sessionSecret": "{{ hackmd_secret }}",
"hsts": {
"enable": true,
"maxAgeSeconds": 2592000,
@ -22,9 +22,9 @@
"addGoogleAnalytics": true
},
"db": {
"username": "{{ hedgedoc_dbuser }}",
"password": "{{ hedgedoc_dbpass }}",
"database": "{{ hedgedoc_dbname }}",
"username": "{{ hackmd_dbuser }}",
"password": "{{ hackmd_dbpass }}",
"database": "{{ hackmd_dbname }}",
"host": "localhost",
"port": "5432",
"dialect": "postgres"

6
roles/hackmd/templates/hedgedoc.service.j2 → roles/hackmd/templates/hackmd.service.j2
View File

@ -1,13 +1,13 @@
[Unit]
Description=HedgeDoc
Description=HackMD
After=network.target
[Service]
Environment=NODE_ENV=production
WorkingDirectory=/opt/hedgedoc-{{ hedgedoc_version }}
WorkingDirectory=/opt/codimd-{{ hackmd_version }}
Type=simple
User=hackmd
ExecStart=/usr/bin/yarn start
ExecStart=/usr/bin/node /opt/codimd-{{ hackmd_version }}/app.js
Restart=on-failure
[Install]

34
roles/hackmd/templates/vhost.j2
View File

@ -1,13 +1,8 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80;
server_name {{ hedgedoc_domain }};
server_name {{ hackmd_domain }};
location /.well-known/acme-challenge {
default_type "text/plain";
@ -15,7 +10,7 @@ server {
}
location / {
return 301 https://{{ hedgedoc_domain }}$request_uri;
return 301 https://{{ hackmd_domain }}$request_uri;
}
}
@ -23,30 +18,21 @@ server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ hedgedoc_domain }};
server_name {{ hackmd_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ hedgedoc_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ hedgedoc_domain }}.crt;
ssl_certificate_key /etc/nginx/ssl/{{ hackmd_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ hackmd_domain }}.crt;
# set max upload size
client_max_body_size 8M;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /socket.io/ {
proxy_pass http://127.0.0.1:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Connection "Upgrade";
}
}

4
roles/icinga-monitor/defaults/main.yml
View File

@ -1,4 +0,0 @@
---
icinga_user: nagios
icinga_group: nagios

5
roles/icinga-monitor/handlers/main.yml
View File

@ -1,5 +0,0 @@
---
- name: Restart icinga2
service: name=icinga2 state=restarted
delegate_to: "{{ icinga_server }}"

17
roles/icinga-monitor/tasks/http.yml
View File

@ -1,17 +0,0 @@
---
- name: Configure monitoring for vhost
template:
src: http.j2
dest: /etc/icinga2/conf.d/hosts/{{ inventory_hostname }}.http_{{ vhost }}
owner: "{{ icinga_user }}"
group: "{{ icinga_group }}"
delegate_to: "{{ icinga_server }}"
- name: Regenerate hosts.conf
assemble:
src: /etc/icinga2/conf.d/hosts
dest: /etc/icinga2/conf.d/hosts.conf
# validate: /usr/sbin/icinga2 daemon -c %s --validate
notify: Restart icinga2
delegate_to: "{{ icinga_server }}"

13
roles/icinga-monitor/templates/http.j2
View File

@ -1,13 +0,0 @@
vars.http_vhosts["{{ vhost }}"] = {
http_sni = "true"
http_ssl = "true"
http_vhost = "{{ vhost }}"
}
vars.http_vhosts["{{ vhost }} cert"] = {
http_certificate = "25,15"
http_sni = "true"
http_ssl = "true"
http_vhost = "{{ vhost }}"
}

4
roles/icinga/defaults/main.yml
View File

@ -1,4 +0,0 @@
---
icinga_user: nagios
icinga_group: nagios

114
roles/icinga/tasks/main.yml
View File

@ -1,114 +0,0 @@
---
- name: Enable icinga apt-key
apt_key: url="https://packages.icinga.com/icinga.key"
- name: Enable icinga repository
apt_repository:
repo: "deb https://packages.icinga.com/debian icinga-{{ ansible_distribution_release }} main"
filename: icinga
- name: Install icinga
apt:
name:
- php-fpm
- php-pgsql
- icinga2
- icinga2-ido-pgsql
- icingaweb2
- name: Install PostgreSQL
apt:
name:
- postgresql
- python3-psycopg2
- name: Configure icinga database
postgresql_db: name={{ icinga_dbname }}
become: true
become_user: postgres
register: icinga_ido_db
- name: Configure icinga database user
postgresql_user: db={{ icinga_dbname }} name={{ icinga_dbuser }} password={{ icinga_dbpass }} priv=ALL state=present
become: true
become_user: postgres
# FIXME it is not possible to use login_username and login_password here in order to change the role to icinga
# so as a workaround you have to insert "SET ROLE icinga;" manually at the top of the referred sql file
- name: Configure database schema
postgresql_db: name={{ icinga_dbname }} target=/usr/share/icinga2-ido-pgsql/schema/pgsql.sql state=restore
become: true
become_user: postgres
when: icinga_ido_db.changed
- name: Configure icingaweb database
postgresql_db: name={{ icingaweb_dbname }}
become: true
become_user: postgres
- name: Configure icingaweb database user
postgresql_user: db={{ icingaweb_dbname }} name={{ icingaweb_dbuser }} password={{ icingaweb_dbpass }} priv=ALL state=present
become: true
become_user: postgres
- name: Configure icinga ido pgsql
template: src=icinga2/features-available/ido-pgsql.conf.j2 dest=/etc/icinga2/features-available/ido-pgsql.conf owner={{ icinga_user }} group={{ icinga_group }}
notify: Restart icinga2
- name: Enable icinga ido PostgreSQL
command: "icinga2 feature enable ido-pgsql"
register: features_result
changed_when: "'for these changes to take effect' in features_result.stdout"
notify: Restart icinga2
- name: Ensure directory for host snippets exists
file:
path: /etc/icinga2/conf.d/hosts
state: directory
owner: "{{ icinga_user }}"
group: "{{ icinga_group }}"
- name: Prepare host snippets
template: src=icinga2/conf.d/hosts.header.j2 dest=/etc/icinga2/conf.d/hosts/{{ item }}.00_header owner={{ icinga_user }} group={{ icinga_group }}
loop: "{{ groups['all'] }}"
- name: Prepare host snippets
template: src=icinga2/conf.d/hosts.footer.j2 dest=/etc/icinga2/conf.d/hosts/{{ item }}.zz_footer owner={{ icinga_user }} group={{ icinga_group }}
loop: "{{ groups['all'] }}"
- name: Create group icingaweb2
group: name=icingaweb2 system=yes
- name: Add www-data to icingaweb2
user: name=www-data append=yes groups=icingaweb2
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/nginx/ssl/{{ icinga_domain }}.key -out /etc/nginx/ssl/{{ icinga_domain }}.crt
-days 730 -subj "/CN={{ icinga_domain }}"
creates: /etc/nginx/ssl/{{ icinga_domain }}.crt
notify: Restart nginx
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
vars:
acme_dnskey_san_domains:
- "{{ icinga_domain }}"
- name: Configure certificate manager for icinga
template: src=certs.j2 dest=/etc/acertmgr/{{ icinga_domain }}.conf
notify: Run acertmgr
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/icinga
notify: Restart nginx
- name: Enable vhost
file: src=/etc/nginx/sites-available/icinga dest=/etc/nginx/sites-enabled/icinga state=link
notify: Restart nginx
- name: Start php7.4-fpm
service: name=php7.4-fpm state=started enabled=yes

2
roles/icinga/templates/icinga2/conf.d/hosts.footer.j2
View File

@ -1,2 +0,0 @@
}

9
roles/icinga/templates/icinga2/conf.d/hosts.header.j2
View File

@ -1,9 +0,0 @@
object Host "{{ item }}" {
/* Import the default host template defined in `templates.conf`. */
import "generic-host"
/* Specify the address attributes for checks e.g. `ssh` or `http`. */
address = "{{ item }}"
/* Set custom variable `os` for hostgroup assignment in `groups.conf`. */
vars.os = "Linux"

13
roles/icinga/templates/icinga2/features-available/ido-pgsql.conf.j2
View File

@ -1,13 +0,0 @@
/**
* The db_ido_pgsql library implements IDO functionality
* for PostgreSQL.
*/
library "db_ido_pgsql"
object IdoPgsqlConnection "ido-pgsql" {
user = "{{ icinga_dbuser}}",
password = "{{ icinga_dbpass }}",
host = "localhost",
database = "{{ icinga_dbname }}"
}

36
roles/icinga/templates/vhost.j2
View File

@ -1,36 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name {{ icinga_domain }};
location / {
return 301 https://{{ icinga_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ icinga_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ icinga_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ icinga_domain }}.crt;
location ~ ^/icingaweb2/index\.php(.*)$ {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
fastcgi_param REMOTE_USER $remote_user;
}
location ~ ^/icingaweb2(.+)? {
alias /usr/share/icingaweb2/public;
index index.php;
try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args;
}
}

3
roles/jitsi/tasks/main.yml
View File

@ -1,5 +1,8 @@
---
- name: Ensure apt over https is available
apt: name=apt-transport-https
- name: Add Jitsi repo key
apt_key:
id: EF8B479E2DC1389C

31
roles/librenms/tasks/main.yml
View File

@ -7,20 +7,20 @@
- git
- graphviz
- imagemagick
- mariadb-server
- mtr-tiny
- mariadb-server
- nmap
- php-cli
- php-curl
- php-fpm
- php-gd
- php-json
- php-mbstring
- php-mysql
- php-net-ipv4
- php-net-ipv6
- php-pear
- php-snmp
- php7.3-cli
- php7.3-curl
- php7.3-fpm
- php7.3-gd
- php7.3-json
- php7.3-mbstring
- php7.3-mysql
- php7.3-snmp
- python3-dotenv
- python3-pymysql
- python3-redis
@ -51,8 +51,8 @@
regexp: ';?date\.timezone'
line: 'date.timezone = Europe/Berlin'
with_items:
- /etc/php/7.4/cli/php.ini
- /etc/php/7.4/fpm/php.ini
- /etc/php/7.3/cli/php.ini
- /etc/php/7.3/fpm/php.ini
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ librenms_domain }}.key -out /etc/nginx/ssl/{{ librenms_domain }}.crt -days 730 -subj "/CN={{ librenms_domain }}" creates=/etc/nginx/ssl/{{ librenms_domain }}.crt
@ -76,10 +76,5 @@
file: src=/etc/nginx/sites-available/librenms dest=/etc/nginx/sites-enabled/librenms state=link
notify: Restart nginx
- name: Start php7.4-fpm
service: name=php7.4-fpm state=started enabled=yes
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ librenms_domain }}"
- name: Start php7.3-fpm
service: name=php7.3-fpm state=started enabled=yes

2
roles/librenms/templates/vhost.j2
View File

@ -31,7 +31,7 @@ server {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
fastcgi_intercept_errors on;
}

9
roles/mail/defaults/main.yml
View File

@ -1,12 +1,3 @@
---
mail_srs_domain: "srs.{{ mail_domain }}"
mailman3_site_owner: "mailman3@binary-kitchen.de"
mailman3_dbname: "mailman3"
mailman3web_dbname: "mailman3web"
mailman3_dbuser: "mailman3"
mailman3_dbpass: "{{ vault_mail_mailman3_dbpass }}"
mailman3_restadminpass: "{{ vault_mail_mailman3_restadminpass }}"
mailman3_archiverkey: "{{ vault_mail_mailman3_archiverkey }}"
mailman3_secretkey: "{{ vault_mail_mailman3_secretkey }}"

52
roles/mail/files/mailman/uwsgi.ini
View File

@ -1,52 +0,0 @@
[uwsgi]
# Port on which uwsgi will be listening.
uwsgi-socket = /run/mailman3-web/uwsgi.sock
#Enable threading for python
enable-threads = true
# Move to the directory wher the django files are.
chdir = /usr/share/mailman3-web
# Use the wsgi file provided with the django project.
#wsgi-file = wsgi.py
mount = /mailman3=wsgi.py
manage-script-name = true
# Setup default number of processes and threads per process.
master = true
process = 2
threads = 2
# Drop privielges and don't run as root.
uid = www-data
gid = www-data
plugins = python3
# Setup the django_q related worker processes.
attach-daemon = python3 manage.py qcluster
# Setup hyperkitty's cron jobs.
#unique-cron = -1 -1 -1 -1 -1 ./manage.py runjobs minutely
#unique-cron = -15 -1 -1 -1 -1 ./manage.py runjobs quarter_hourly
#unique-cron = 0 -1 -1 -1 -1 ./manage.py runjobs hourly
#unique-cron = 0 0 -1 -1 -1 ./manage.py runjobs daily
#unique-cron = 0 0 1 -1 -1 ./manage.py runjobs monthly
#unique-cron = 0 0 -1 -1 0 ./manage.py runjobs weekly
#unique-cron = 0 0 1 1 -1 ./manage.py runjobs yearly
# Setup the request log.
#req-logger = file:/var/log/mailman3/web/mailman-web.log
# Log cron seperately.
#logger = cron file:/var/log/mailman3/web/mailman-web-cron.log
#log-route = cron uwsgi-cron
# Log qcluster commands seperately.
#logger = qcluster file:/var/log/mailman3/web/mailman-web-qcluster.log
#log-route = qcluster uwsgi-daemons
# Last log and it logs the rest of the stuff.
#logger = file:/var/log/mailman3/web/mailman-web-error.log
logto = /var/log/mailman3/web/mailman-web.log

6
roles/mail/handlers/main.yml
View File

@ -17,12 +17,6 @@
- name: Restart rspamd
service: name=rspamd state=restarted
- name: Restart mailman3
service: name=mailman3 state=restarted
- name: Restart mailman3web
service: name=mailman3-web state=restarted
- name: Run acertmgr
command: /usr/bin/acertmgr

54
roles/mail/tasks/main.yml
View File

@ -16,9 +16,9 @@
- dovecot-ldap
- dovecot-managesieved
- dovecot-sieve
- mailman3-full
- python3-psycopg2
- postgresql
- fcgiwrap
- mailman
- mailman3
- postfix
- postsrsd
- redis-server
@ -99,6 +99,12 @@
file: path=/etc/dovecot/ssl/{{ mail_server }}.key owner=dovecot mode=0400
notify: Restart dovecot
- name: Configure mailman
template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items:
- mailman/mm_cfg.py
notify: Restart postfix
- name: Configure mailman vhost
template: src=nginx/vhost.j2 dest=/etc/nginx/sites-available/mailman
notify: Restart nginx
@ -115,44 +121,6 @@
file: path=/etc/nginx/ssl/{{ mailman_domain }}.key owner=root mode=0400
notify: Restart nginx
- name: Configure PostgreSQL database for mailman3
postgresql_db: name={{ mailman3_dbname }}
become: true
become_user: postgres
- name: Configure PostgreSQL user
postgresql_user: db={{ mailman3_dbname }} name={{ mailman3_dbuser }} password={{ mailman3_dbpass }} priv=ALL state=present
become: true
become_user: postgres
- name: Configure PostgreSQL database for mailman3-web
postgresql_db: name={{ mailman3web_dbname }} owner={{ mailman3_dbuser }}
become: true
become_user: postgres
register: mailman_createdb
- name: Configure mailman3
template: src=mailman/mailman.cfg.j2 dest=/etc/mailman3/mailman.cfg
notify: Restart mailman3
- name: Configure mailman3 hyperkitty plugin
template: src=mailman/mailman-hyperkitty.cfg.j2 dest=/etc/mailman3/mailman-hyperkitty.cfg
notify: Restart mailman3
- name: Configure mailman3-web
template: src=mailman/mailman-web.py.j2 dest=/etc/mailman3/mailman-web.py
notify: Restart mailman3web
- name: Configure mailman3-web uwsgi
copy: src=mailman/uwsgi.ini dest=/etc/mailman3/uwsgi.ini
notify: Restart mailman3web
- name: Run mailman3-web migration script
command:
cmd: ./manage.py migrate
chdir: /usr/share/mailman3-web
when: mailman_createdb.changed
- name: Create postfix ssl directory
file: path=/etc/postfix/ssl state=directory mode=0750 owner=postfix group=postfix
@ -174,6 +142,7 @@
template: src={{ item }}.j2 dest=/etc/{{ item }}
with_items:
- postfix/helo_access
- postfix/transport
- postfix/virtual-alias
notify: Run postmap
@ -213,6 +182,3 @@
- name: Start rspamd
service: name=rspamd state=started enabled=yes
- name: Start mailman3
service: name=mailman3 state=started enabled=yes

4
roles/mail/templates/default/postsrsd.j2
View File

@ -11,10 +11,10 @@ SRS_DOMAIN={{ mail_srs_domain }}
# If a domain name starts with a dot, it matches all subdomains, but not
# the domain itself. Separate multiple domains by space or comma.
#
SRS_EXCLUDE_DOMAINS=".{{ mail_domain }} {{ mail_domain }}
SRS_EXCLUDE_DOMAINS=.{{ mail_domain }} {{ mail_domain }}
{%- for domain in mail_domains %}
.{{ domain }} {{ domain }}
{%- endfor %}"
{%- endfor %}
# First separator character after SRS0 or SRS1.
# Can be one of: -+=

5
roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2
View File

@ -31,7 +31,8 @@ dn = {{ ldap_binddn }}
dnpass = {{ ldap_bindpw }}
# Use SASL binding instead of the simple binding. Note that this changes
# ldap_version automatically to be 3 if it's lower.
# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
# and auth_bind=yes don't work together.
#sasl_bind = no
# SASL mechanism name to use.
#sasl_mech =
@ -45,7 +46,7 @@ dnpass = {{ ldap_bindpw }}
#tls = no
# TLS options, currently supported only with OpenLDAP:
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
#tls_ca_cert_dir =
#tls_ca_cert_dir = /etc/ssl/certs
#tls_cipher_suite =
# TLS cert/key is used only if LDAP server requires a client certificate.
#tls_cert_file =

21
roles/mail/templates/mailman/mailman-hyperkitty.cfg.j2
View File

@ -1,21 +0,0 @@
# This is the mailman extension configuration file to enable HyperKitty as an
# archiver. Remember to add the following lines in the mailman.cfg file:
#
# [archiver.hyperkitty]
# class: mailman_hyperkitty.Archiver
# enable: yes
# configuration: /etc/mailman3/mailman-hyperkitty.cfg
#
[general]
# This is your HyperKitty installation, preferably on the localhost. This
# address will be used by Mailman to forward incoming emails to HyperKitty
# for archiving. It does not need to be publicly available, in fact it's
# better if it is not.
#base_url: http://localhost/mailman3/hyperkitty/
base_url: https://{{ mailman_domain }}/mailman3/hyperkitty/
# Shared API key, must be the identical to the value in HyperKitty's
# settings.
api_key: {{ mailman3_archiverkey }}

204
roles/mail/templates/mailman/mailman-web.py.j2
View File

@ -1,204 +0,0 @@
# This file is imported by the Mailman Suite. It is used to override
# the default settings from /usr/share/mailman3-web/settings.py.
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = '{{ mailman3_secretkey }}'
ADMINS = (
('Mailman Suite Admin', 'root@localhost'),
)
# Hosts/domain names that are valid for this site; required if DEBUG is False
# See https://docs.djangoproject.com/en/1.8/ref/settings/#allowed-hosts
# Set to '*' per default in the Deian package to allow all hostnames. Mailman3
# is meant to run behind a webserver reverse proxy anyway.
ALLOWED_HOSTS = [
#"localhost", # Archiving API from Mailman, keep it.
# "lists.your-domain.org",
# Add here all production URLs you may have.
'localhost',
'{{ mailman_domain }}'
]
# Mailman API credentials
MAILMAN_REST_API_URL = 'http://localhost:8001'
MAILMAN_REST_API_USER = 'restadmin'
MAILMAN_REST_API_PASS = '{{ mailman3_restadminpass }}'
MAILMAN_ARCHIVER_KEY = '{{ mailman3_archiverkey }}'
MAILMAN_ARCHIVER_FROM = (
'127.0.0.1',
'::1',
{% if hostvars[inventory_hostname]['ansible_default_ipv4']['address'] is defined %}
'{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address']}}',
{% endif%}
{% if hostvars[inventory_hostname]['ansible_default_ipv6']['address'] is defined %}
'{{ hostvars[inventory_hostname]['ansible_default_ipv6']['address']}}',
{% endif%}
)
# Application definition
INSTALLED_APPS = (
'hyperkitty',
'postorius',
'django_mailman3',
# Uncomment the next line to enable the admin:
'django.contrib.admin',
# Uncomment the next line to enable admin documentation:
# 'django.contrib.admindocs',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.sites',
'django.contrib.messages',
'django.contrib.staticfiles',
'rest_framework',
'django_gravatar',
'compressor',
'haystack',
'django_extensions',
'django_q',
'allauth',
'allauth.account',
'allauth.socialaccount',
'django_mailman3.lib.auth.fedora',
#'allauth.socialaccount.providers.openid',
#'allauth.socialaccount.providers.github',
#'allauth.socialaccount.providers.gitlab',
#'allauth.socialaccount.providers.google',
#'allauth.socialaccount.providers.facebook',
#'allauth.socialaccount.providers.twitter',
#'allauth.socialaccount.providers.stackexchange',
)
# Database
# https://docs.djangoproject.com/en/1.8/ref/settings/#databases
DATABASES = {
'default': {
# Use 'sqlite3', 'postgresql_psycopg2', 'mysql', 'sqlite3' or 'oracle'.
#'ENGINE': 'django.db.backends.sqlite3',
'ENGINE': 'django.db.backends.postgresql_psycopg2',
#'ENGINE': 'django.db.backends.mysql',
# DB name or path to database file if using sqlite3.
#'NAME': '/var/lib/mailman3/web/mailman3web.db',
'NAME': '{{ mailman3web_dbname }}',
# The following settings are not used with sqlite3:
'USER': '{{ mailman3_dbuser }}',
'PASSWORD': '{{ mailman3_dbpass }}',
# HOST: empty for localhost through domain sockets or '127.0.0.1' for
# localhost through TCP.
'HOST': 'localhost',
# PORT: set to empty string for default.
'PORT': '5432',
# OPTIONS: Extra parameters to use when connecting to the database.
'OPTIONS': {
# Set sql_mode to 'STRICT_TRANS_TABLES' for MySQL. See
# https://docs.djangoproject.com/en/1.11/ref/
# databases/#setting-sql-mode
#'init_command': "SET sql_mode='STRICT_TRANS_TABLES'",
},
}
}
# If you're behind a proxy, use the X-Forwarded-Host header
# See https://docs.djangoproject.com/en/1.8/ref/settings/#use-x-forwarded-host
USE_X_FORWARDED_HOST = True
# And if your proxy does your SSL encoding for you, set SECURE_PROXY_SSL_HEADER
# https://docs.djangoproject.com/en/1.8/ref/settings/#secure-proxy-ssl-header
# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_SCHEME', 'https')
# Other security settings
# SECURE_SSL_REDIRECT = True
# If you set SECURE_SSL_REDIRECT to True, make sure the SECURE_REDIRECT_EXEMPT
# contains at least this line:
# SECURE_REDIRECT_EXEMPT = [
# "archives/api/mailman/.*", # Request from Mailman.
# ]
# SESSION_COOKIE_SECURE = True
# SECURE_CONTENT_TYPE_NOSNIFF = True
# SECURE_BROWSER_XSS_FILTER = True
# CSRF_COOKIE_SECURE = True
# CSRF_COOKIE_HTTPONLY = True
# X_FRAME_OPTIONS = 'DENY'
# Internationalization
# https://docs.djangoproject.com/en/1.8/topics/i18n/
LANGUAGE_CODE = 'en-us'
TIME_ZONE = 'UTC'
USE_I18N = True
USE_L10N = True
USE_TZ = True
# Set default domain for email addresses.
EMAILNAME = '{{ mail_domain }}'
# If you enable internal authentication, this is the address that the emails
# will appear to be coming from. Make sure you set a valid domain name,
# otherwise the emails may get rejected.
# https://docs.djangoproject.com/en/1.8/ref/settings/#default-from-email
# DEFAULT_FROM_EMAIL = "mailing-lists@you-domain.org"
DEFAULT_FROM_EMAIL = 'postorius@{}'.format(EMAILNAME)
# If you enable email reporting for error messages, this is where those emails
# will appear to be coming from. Make sure you set a valid domain name,
# otherwise the emails may get rejected.
# https://docs.djangoproject.com/en/1.8/ref/settings/#std:setting-SERVER_EMAIL
# SERVER_EMAIL = 'root@your-domain.org'
SERVER_EMAIL = 'root@{}'.format(EMAILNAME)
# Django Allauth
ACCOUNT_DEFAULT_HTTP_PROTOCOL = "https"
#
# Social auth
#
SOCIALACCOUNT_PROVIDERS = {
#'openid': {
# 'SERVERS': [
# dict(id='yahoo',
# name='Yahoo',
# openid_url='http://me.yahoo.com'),
# ],
#},
#'google': {
# 'SCOPE': ['profile', 'email'],
# 'AUTH_PARAMS': {'access_type': 'online'},
#},
#'facebook': {
# 'METHOD': 'oauth2',
# 'SCOPE': ['email'],
# 'FIELDS': [
# 'email',
# 'name',
# 'first_name',
# 'last_name',
# 'locale',
# 'timezone',
# ],
# 'VERSION': 'v2.4',
#},
}
# On a production setup, setting COMPRESS_OFFLINE to True will bring a
# significant performance improvement, as CSS files will not need to be
# recompiled on each requests. It means running an additional "compress"
# management command after each code upgrade.
# http://django-compressor.readthedocs.io/en/latest/usage/#offline-compression
COMPRESS_OFFLINE = True
POSTORIUS_TEMPLATE_BASE_URL = 'http://localhost/mailman3/'
# This is a quick and dirty hack - maybe there is a way to reliably retrieve the right ID?
SITE_ID = 2

75
roles/mail/templates/mailman/mailman.cfg.j2
View File

@ -1,75 +0,0 @@
[mailman]
site_owner: {{ mailman3_site_owner }}
noreply_address: noreply
default_language: en
sender_headers: from from_ reply-to sender
email_commands_max_lines: 10
pending_request_life: 3d
cache_life: 7d
pre_hook:
post_hook:
layout: debian
filtered_messages_are_preservable: no
html_to_plain_text_command: /usr/bin/lynx -dump $filename
listname_chars: [-_.0-9a-z]
[shell]
prompt: >>>
banner: Welcome to the GNU Mailman shell
use_ipython: no
history_file:
[paths.debian]
var_dir: /var/lib/mailman3
queue_dir: $var_dir/queue
bin_dir: /usr/lib/mailman3/bin
list_data_dir: $var_dir/lists
log_dir: /var/log/mailman3
lock_dir: $var_dir/locks
data_dir: $var_dir/data
cache_dir: $var_dir/cache
etc_dir: /etc/mailman3
ext_dir: $var_dir/ext
messages_dir: $var_dir/messages
archive_dir: $var_dir/archives
template_dir: $var_dir/templates
pid_file: /run/mailman3/master.pid
lock_file: $lock_dir/master.lck
[database]
class: mailman.database.postgresql.PostgreSQLDatabase
url: postgres://{{ mailman3_dbuser }}:{{ mailman3_dbpass }}@localhost/{{ mailman3_dbname }}
debug: no
[logging.debian]
format: %(asctime)s (%(process)d) %(message)s
datefmt: %b %d %H:%M:%S %Y
propagate: no
level: info
path: mailman.log
[webservice]
hostname: localhost
port: 8001
use_https: no
show_tracebacks: yes
api_version: 3.1
admin_user: restadmin
admin_pass: {{ mailman3_restadminpass }}
[mta]
remove_dkim_headers: yes
dmarc_mitigate_action: wrap_message
incoming: mailman.mta.postfix.LMTP
outgoing: mailman.mta.deliver.deliver
smtp_host: localhost
smtp_port: 25
smtp_user:
smtp_pass:
lmtp_host: 127.0.0.1
lmtp_port: 8024
configuration: python:mailman.config.postfix
[archiver.hyperkitty]
class: mailman_hyperkitty.Archiver
enable: yes
configuration: /etc/mailman3/mailman-hyperkitty.cfg

115
roles/mail/templates/mailman/mm_cfg.py.j2 Normal file
View File

@ -0,0 +1,115 @@
# -*- python -*-
# Copyright (C) 1998,1999,2000 by the Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301 USA
"""This is the module which takes your site-specific settings.
From a raw distribution it should be copied to mm_cfg.py. If you
already have an mm_cfg.py, be careful to add in only the new settings
you want. The complete set of distributed defaults, with annotation,
are in ./Defaults. In mm_cfg, override only those you want to
change, after the
from Defaults import *
line (see below).
Note that these are just default settings - many can be overridden via the
admin and user interfaces on a per-list or per-user basis.
Note also that some of the settings are resolved against the active list
setting by using the value as a format string against the
list-instance-object's dictionary - see the distributed value of
DEFAULT_MSG_FOOTER for an example."""
#######################################################
# Here's where we get the distributed defaults. #
from Defaults import *
##############################################################
# Put YOUR site-specific configuration below, in mm_cfg.py . #
# See Defaults.py for explanations of the values. #
#-------------------------------------------------------------
# The name of the list Mailman uses to send password reminders
# and similar. Don't change if you want mailman-owner to be
# a valid local part.
MAILMAN_SITE_LIST = 'mailman'
#-------------------------------------------------------------
# If you change these, you have to configure your http server
# accordingly (Alias and ScriptAlias directives in most httpds)
#DEFAULT_URL_PATTERN = 'http://%s/cgi-bin/mailman/'
DEFAULT_URL_PATTERN = 'https://%s/'
IMAGE_LOGOS = '/images/mailman/'
#-------------------------------------------------------------
# Default domain for email addresses of newly created MLs
DEFAULT_EMAIL_HOST = '{{ mailman_domain }}'
#-------------------------------------------------------------
# Default host for web interface of newly created MLs
DEFAULT_URL_HOST = '{{ mailman_domain }}'
#-------------------------------------------------------------
# Required when setting any of its arguments.
add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
#-------------------------------------------------------------
# The default language for this server.
DEFAULT_SERVER_LANGUAGE = 'en'
#-------------------------------------------------------------
# Iirc this was used in pre 2.1, leave it for now
USE_ENVELOPE_SENDER = 0 # Still used?
#-------------------------------------------------------------
# Unset send_reminders on newly created lists
DEFAULT_SEND_REMINDERS = 0
#-------------------------------------------------------------
# Uncomment this if you configured your MTA such that it
# automatically recognizes newly created lists.
# (see /usr/share/doc/mailman/README.Exim4.Debian or
# /usr/share/mailman/postfix-to-mailman.py)
# MTA=None # Misnomer, suppresses alias output on newlist
#-------------------------------------------------------------
# Uncomment if you use Postfix virtual domains (but not
# postfix-to-mailman.py), but be sure to see
# /usr/share/doc/mailman/README.Debian first.
MTA='Postfix'
#-------------------------------------------------------------
# Uncomment if you want to filter mail with SpamAssassin. For
# more information please visit this website:
# http://www.jamesh.id.au/articles/mailman-spamassassin/
# GLOBAL_PIPELINE.insert(1, 'SpamAssassin')
POSTFIX_STYLE_VIRTUAL_DOMAINS = ['{{ mailman_domain }}']
# alias for postmaster, abuse and mailer-daemon
DEB_LISTMASTER = 'postmaster@{{ mail_domain }}'
# Remove, rename and preserve DKIM headers
REMOVE_DKIM_HEADERS = 3
# Munge From for DMARC
DEFAULT_DMARC_MODERATION_ACTION = 1
# Note - if you're looking for something that is imported from mm_cfg, but you
# didn't find it above, it's probably in /usr/lib/mailman/Mailman/Defaults.py.

31
roles/mail/templates/nginx/vhost.j2
View File

@ -7,7 +7,7 @@ server {
server_name {{ mailman_domain }};
root /var/www/html/;
root /usr/lib/cgi-bin/mailman/;
location /.well-known/acme-challenge {
default_type "text/plain";
@ -15,27 +15,24 @@ server {
}
location = / {
rewrite ^ /mailman3 redirect;
rewrite ^ /listinfo permanent;
}
location / {
rewrite ^ /mailman3 redirect;
root /usr/lib/cgi-bin/mailman;
fastcgi_split_path_info (^/[^/]*)(.*)$;
fastcgi_pass unix:///var/run/fcgiwrap.socket;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
location = /listinfo {
rewrite ^ /mailman3 redirect;
location /images/mailman {
alias /usr/share/images/mailman;
}
location /mailman3/ {
include /etc/nginx/uwsgi_params;
uwsgi_pass unix:/run/mailman3-web/uwsgi.sock;
}
location /mailman3/static {
alias /var/lib/mailman3/web/static;
}
location /mailman3/static/favicon.ico {
alias /var/lib/mailman3/web/static/postorius/img/favicon.ico;
}
location /pipermail {
alias /var/lib/mailman/archives/public;
autoindex on;
}
}

11
roles/mail/templates/postfix/main.cf.j2
View File

@ -11,7 +11,6 @@ inet_interfaces = all
inet_protocols = all
message_size_limit = 50000000
recipient_delimiter = +
owner_request_special = no
unknown_local_recipient_reject_code = 550
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
@ -116,12 +115,10 @@ unverified_recipient_reject_code = 550
unverified_recipient_reject_reason = Recipient unknown
# mailman
relay_domains =
hash:/var/lib/mailman3/data/postfix_domains
local_recipient_maps =
hash:/var/lib/mailman3/data/postfix_lmtp
transport_maps =
hash:/var/lib/mailman3/data/postfix_lmtp
relay_domains = {{ mailman_domain }}
relay_recipient_maps = hash:/var/lib/mailman/data/virtual-mailman
transport_maps = hash:/etc/postfix/transport
mailman_destination_recipient_limit = 1
# postsrsd
# sender_canonical_maps = tcp:localhost:10001 - > see master.cf

2
roles/mail/templates/postfix/master.cf.j2
View File

@ -131,3 +131,5 @@ bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

1
roles/mail/templates/postfix/transport.j2 Normal file
View File

@ -0,0 +1 @@
{{ mailman_domain }} mailman:

3
roles/mail/templates/rspamd/local.d/arc.conf.j2
View File

@ -2,8 +2,5 @@ allow_username_mismatch = true;
sign_networks = [127.0.0.1, ::1, {{ mail_trusted | join(", ") }}];
check_pubkey = true;
try_fallback = false;
use_esld = false;
allow_hdrfrom_mismatch = true;
use_domain = "envelope";
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector_map = "/etc/rspamd/local.d/arc_selectors.map";

3
roles/mail/templates/rspamd/local.d/dkim_signing.conf.j2
View File

@ -2,8 +2,5 @@ allow_username_mismatch = true;
sign_networks = [127.0.0.1, ::1, {{ mail_trusted | join(", ") }}];
check_pubkey = true;
try_fallback = false;
use_esld = false;
allow_hdrfrom_mismatch = true;
use_domain = "envelope";
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector_map = "/etc/rspamd/local.d/dkim_selectors.map";

2
roles/mail/templates/rspamd/local.d/settings.conf.j2
View File

@ -9,7 +9,7 @@ localhost_mail {
reject = null;
greylist = null;
"add header" = null;
"rewrite subject" = null;
spam = null;
}
}
}

10
roles/matrix/tasks/main.yml
View File

@ -1,5 +1,8 @@
---
- name: Enable https for apt
apt: name=apt-transport-https
- name: Enable matrix apt-key
apt_key: url="https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg"
@ -11,7 +14,7 @@
name:
- matrix-synapse-py3
- postgresql
- python3-psycopg2
- python-psycopg2
- name: Configure PostgreSQL database
postgresql_db: name={{ matrix_dbname }} lc_collate=C lc_ctype=C template=template0
@ -46,8 +49,3 @@
- name: Enable vhost
file: src=/etc/nginx/sites-available/matrix dest=/etc/nginx/sites-enabled/matrix state=link
notify: Restart nginx
- name: Enable monitoring
include_role: name=icinga-monitor tasks_from=http
vars:
vhost: "{{ matrix_domain }}"

Some files were not shown because too many files have changed in this diff Show More